Okay guys I need some help with my PCC load balance config.
I would like to load balance all unmarked traffic via WAN2 & WAN4.
WAN 1, 3 and 5 should only be used for IPs in the address lists TO-WAN1, TO-WAN3, TO-WAN5, etc.
WAN 1 to 5 are on separate routers connected to two different ISPs.
This config used to work without any issues that were apparent to me, but for the last week or so I have had to disable the two PCC mangle rules and route all unmarked traffic via WAN4.
What am I doing wrong here?
# oct/22/2020 17:57:06 by RouterOS 6.45.9
# model = CCR1009-7G-1C-1S+
# Bridges: bridge-loopback carries the VPN /24, bridge-ospf a single address,
# bridge1 is the LAN bridge (see /ip address). fast-forward is off on the two
# bridges that carry routed traffic — presumably so bridged packets always pass
# the IP firewall (use-ip-firewall=yes in /interface bridge settings) and pick up
# the mangle marks.
/interface bridge
add name=bridge-loopback
add fast-forward=no name=bridge-ospf
add fast-forward=no name=bridge1
# Physical ports. NOTE: the WAN numbering does not follow the port numbering —
# ether3 is WAN4 and ether4 is WAN3. All mangle/NAT/route rules below refer to
# the ether name, so keep this mapping in mind when reading them.
/interface ethernet
set [ find default-name=combo1 ] disabled=yes
set [ find default-name=ether1 ] comment=WAN1
set [ find default-name=ether2 ] comment=WAN2
set [ find default-name=ether3 ] comment=WAN4
set [ find default-name=ether4 ] comment=WAN3
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=WAN5
set [ find default-name=ether7 ]
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# LAN VLANs, all stacked on bridge1.
/interface vlan
add interface=bridge1 name="vlan21" vlan-id=21
add interface=bridge1 name="vlan24" vlan-id=24
add interface=bridge1 name="vlan5" vlan-id=5
add interface=bridge1 name="vlan10" vlan-id=10
add interface=bridge1 name="vlan55" vlan-id=55
# Interface lists used by the in-interface-list / out-interface-list matchers
# in the filter and mangle rules; membership is set in /interface list member.
/interface list
add name=WAN
add name=LAN
add name=VPN
# Address pools. bridge1 and vlan10 feed the two DHCP servers below; the VPN
# pool (three addresses) is not attached to a DHCP server in this export.
/ip pool
add name=bridge1 ranges=10.50.0.100-10.50.0.200
add name=vlan10 ranges=10.50.11.10-10.50.11.254
add name=VPN ranges=10.50.200.180-10.50.200.182
/ip dhcp-server
add add-arp=yes address-pool=bridge1 authoritative=after-2sec-delay disabled=no \
interface=bridge1 lease-time=1d name=bridge1
add add-arp=yes address-pool=vlan10 disabled=no interface=vlan10 \
lease-time=1d name=vlan10
# Only ether5 (LAN) is a bridge port; the VLAN interfaces ride on bridge1 itself.
/interface bridge port
add bridge=bridge1 interface=ether5
# Bridged traffic (including VLAN-tagged and PPPoE frames) is sent through the
# IP firewall so the filter and mangle rules apply to it; fast-path is disabled,
# presumably so nothing bypasses those rules.
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
# Strict TCP tracking: TCP packets that do not belong to a tracked connection
# are classified invalid and hit the "Drop invalid" filter rules.
# NOTE(review): with asymmetric multi-WAN paths this can drop legitimate
# mid-stream packets — confirm before relaxing it, but keep it in mind when
# debugging the PCC setup.
/ip firewall connection tracking
set loose-tcp-tracking=no
# Neighbor discovery (MNDP/CDP) only on LAN interfaces, never on the WAN ports.
/ip neighbor discovery-settings
set discover-interface-list=LAN
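# IP stack settings for a five-WAN policy-routed router.
# rp-filter=loose rather than strict: replies may leave on a different WAN than
# the one a strict reverse-path check would expect, and allow-fast-path=no keeps
# packets from skipping the mangle rules.
# accept-source-route changed from yes to no: nothing in this export relies on
# IP source routing, and accepting source-routed packets lets the sender choose
# the forwarding path, bypassing the route/mangle policy that the rest of this
# config enforces.
/ip settings
set accept-source-route=no allow-fast-path=no rp-filter=loose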
# Interface list membership. WAN = the five uplink ports (ether1-4 and ether6),
# LAN = bridge1 plus every VLAN, VPN = bridge-loopback. ether7, combo1 and
# sfp-sfpplus1 belong to no list, so list-based rules never match them.
/interface list member
add interface=bridge1 list=LAN
add interface=vlan10 list=LAN
add interface=ether3 list=WAN
add interface=vlan55 list=LAN
add interface=vlan5 list=LAN
add interface=ether4 list=WAN
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether6 list=WAN
add interface=vlan21 list=LAN
add interface=vlan24 list=LAN
add interface=bridge-loopback list=VPN
# PPPoE server on vlan10 (MS-CHAPv2 only). The SISC profile is not part of this
# export.
/interface pppoe-server server
add authentication=mschap2 default-profile=SISC disabled=no interface=\
vlan10 max-mru=1500 max-mtu=1500 mrru=1500 one-session-per-host=yes \
service-name=vlan10
/ip accounting
set account-local-traffic=yes enabled=yes threshold=6500
# Addresses. ether1-3 use point-to-point style addressing (no prefix length,
# network= the peer), and those peers (10.5.x.2) are the gateways in /ip route;
# ether4 and ether6 are ordinary /24s with the gateway at 10.7.x.2. Several LAN
# VLAN addresses (vlan55, vlan5, vlan21, vlan24) are entered the same
# point-to-point way with network=x.x.x.2 — TODO confirm a single-peer /32 is
# intended there rather than a /24.
/ip address
add address=10.50.0.1/24 interface=bridge1 network=10.50.0.0
add address=10.0.0.1 interface=bridge-ospf network=10.0.0.1
add address=10.50.55.1 interface="vlan55" network=10.50.55.2
add address=10.50.16.1 interface="vlan5" network=10.50.16.2
add address=10.50.11.1/24 interface=vlan10 network=10.50.11.0
add address=10.7.0.1/24 interface=ether4 network=10.7.0.0
add address=10.5.1.1 interface=ether1 network=10.5.1.2
add address=10.5.2.1 interface=ether2 network=10.5.2.2
add address=10.5.3.1 interface=ether3 network=10.5.3.2
add address=10.50.21.1 interface=vlan21 network=10.50.21.2
add address=10.7.1.1/24 interface=ether6 network=10.7.1.0
add address=10.50.24.1 interface=vlan24 network=10.50.24.2
add address=10.50.200.1/24 interface=bridge-loopback network=10.50.200.0
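# The router resolves for the LAN (allow-remote-requests=yes). This is only safe
# because the input chain accepts DNS solely from the LAN list and the VPN range
# and drops everything else ("Drop all connections"); if that input policy is
# ever relaxed, the router becomes an open resolver toward the WAN side.
# Fix: the original export had a stray "\ " fusing max-concurrent-queries onto
# the cache-size line (a paste artifact); it is restored as a real line
# continuation. No setting values changed.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=131072KiB \
max-concurrent-queries=100000 max-concurrent-tcp-sessions=10000 servers=\
8.8.8.8,8.8.4.4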
# Address lists referenced by the filter and mangle rules.
#   local    - everything treated as "inside"; src-address-list=local in mangle,
#              src-address-list=local for the "Allow user access to internet" rule.
#   WAN      - the transit networks toward the upstream routers. Not referenced
#              by any rule in this export (the rules use the WAN *interface* list).
#   voip     - destinations forced out via WAN5 by the mangle rule.
#   rfc-1918 - dropped as forward destination. 10.0.0.0/8 is deliberately (it
#              appears) not in it because the site itself uses 10.x; 0.0.0.0/8
#              and 224.0.0.0/3 are bogon/multicast ranges, not RFC1918.
#   TO-WAN1  - hosts pinned to WAN1. The mangle rules also reference TO-WAN2 to
#              TO-WAN5, which have no entries in this export, so those rules
#              currently match nothing.
#   VPN      - NOTE(review): 172.168.88.0/24 is public address space, not
#              RFC1918 (172.16.0.0/12 ends at 172.31.255.255). It is used
#              consistently in the filter rules and /ip route, so it may be
#              deliberate — TODO confirm the intended prefix.
# The mangle rules also reference lists "facebook" and "games" that are not
# defined here.
/ip firewall address-list
add address=10.50.0.0/16 list=local
add address=10.60.0.0/16 list=local
add address=10.0.0.0/24 list=local
add address=10.105.0.0/24 list=local
add address=10.108.0.0/24 list=local
add address=10.7.0.0/24 list=WAN
add address=10.7.1.0/24 list=WAN
add address=10.5.1.0/30 list=WAN
add address=10.5.2.0/30 list=WAN
add address=10.5.3.0/30 list=WAN
add address=41.221.5.104/29 list=voip
add address=41.221.5.224/27 list=voip
add address=41.221.6.224/29 list=voip
add address=154.119.166.64/27 list=voip
add address=154.70.244.128/27 list=voip
add address=41.221.5.0/24 list=voip
add address=35.180.63.0/24 list=voip
add address=192.168.0.0/16 list=rfc-1918
add address=172.16.0.0/12 list=rfc-1918
add address=0.0.0.0/8 list=rfc-1918
add address=224.0.0.0/3 list=rfc-1918
add address=10.50.55.2 list=TO-WAN1
add address=10.50.10.38 list=TO-WAN1
add address=10.50.12.24 list=TO-WAN1
add address=10.50.10.53 list=TO-WAN1
add address=10.50.12.34 list=TO-WAN1
add address=10.50.10.20 list=TO-WAN1
add address=10.50.10.28 list=TO-WAN1
add address=10.50.10.39 list=TO-WAN1
add address=10.50.12.39 list=TO-WAN1
add address=10.50.12.36 list=TO-WAN1
add address=10.105.0.0/24 list=VPN
add address=10.108.0.0/24 list=VPN
add address=172.168.88.0/24 list=VPN
# Filter rules. Rule order is the policy: first match wins.
#
# Input chain (traffic to the router itself): only established/related, IPsec
# (IKE udp/500,4500 and ESP) arriving on ether4 (WAN3), the LAN interface list
# and the VPN range 10.50.200.0/24 are accepted; everything else — including
# DNS and management from any WAN port — is dropped.
/ip firewall filter
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept established related" \
connection-state=established,related
add action=accept chain=input comment="Allow IPSEC VPN on these ports" \
dst-address=10.7.0.1 dst-port=500,4500 in-interface=ether4 protocol=udp
add action=accept chain=input comment="Allow IPSEC VPN on these ports" \
dst-address=10.7.0.1 in-interface=ether4 protocol=ipsec-esp
add action=accept chain=input comment="Accept local network" \
in-interface-list=LAN
add action=accept chain=input comment="Accept input from IPSEC VPN" \
src-address=10.50.200.0/24
add action=drop chain=input comment="Drop all connections"
# Forward chain.
# NOTE(review): log-prefix is set on this rule and on "Block RFC1918" but
# log=yes is not, so neither rule actually logs anything.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log-prefix=Invalid
add action=accept chain=forward comment="Accept established related" \
connection-state=established,related
# Traffic matched by an IPsec policy is accepted in both directions ahead of
# every other forward check.
add action=accept chain=forward comment="Allow IPSEC VPN - Default rules" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Allow IPSEC VPN - Default rules" \
ipsec-policy=out,ipsec
# Port-forward accepts for the dst-nat rules in /ip firewall nat.
# NOTE(review): the tcp/8000-8010 rules match on dst-port only — no
# in-interface, no dst-address, no connection-nat-state=dstnat — so any
# forwarded packet to those ports is accepted whichever interface it entered
# on and whichever host it is heading to (including LAN-to-LAN and LAN-to-WAN
# traffic to those ports). Adding connection-nat-state=dstnat to each would
# limit them to connections that actually hit a dst-nat rule.
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8000 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8001 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8002 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8003 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8004 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8005 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8006 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8007 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8008 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8009 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=8010 protocol=tcp
# The remaining port-forward accepts are at least bound to the ingress WAN
# port (ether1 = WAN1, ether4 = WAN3).
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=9999 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=55414 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Port forward for CCTV" \
dst-port=55415 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=\
"Port Forward for client" dst-port=3671 in-interface=ether4 \
protocol=tcp
add action=accept chain=forward comment=\
"Port Forward for client" dst-port=3671 in-interface=ether4 \
protocol=udp
# Site-to-site VPN networks (10.60.0.0/24 and 172.168.88.1, see /ip route).
add action=accept chain=forward comment="Allow VPN" \
dst-address=10.60.0.0/24 src-address=10.50.0.0/24
add action=accept chain=forward comment="Allow LAN to VPN" \
dst-address=10.50.0.0/24 src-address=10.60.0.0/24
add action=accept chain=forward comment="Allow VPN" \
src-address=172.168.88.1
add action=accept chain=forward comment="Allow VPN" \
dst-address=172.168.88.1
# Host-pair accepts. They sit above "Block RFC1918" and the local->WAN rule, so
# these pairs are exempt from both regardless of interface.
add action=accept chain=forward dst-address=\
10.50.12.49 src-address=10.50.10.60
add action=accept chain=forward dst-address=\
10.50.10.60 src-address=10.50.12.49
add action=accept chain=forward \
dst-address=10.50.25.21 src-address=10.50.12.53
add action=accept chain=forward \
dst-address=10.50.12.53 src-address=10.50.25.21
add action=accept chain=forward dst-address=\
10.50.10.24 src-address=10.50.55.2
add action=accept chain=forward dst-address=\
10.50.25.23 src-address=10.50.55.2
add action=accept chain=forward dst-address=\
10.50.55.2 src-address=10.50.25.23
add action=accept chain=forward \
dst-address=10.50.55.2 src-address=10.50.10.66
add action=accept chain=forward dst-address=10.50.10.66 \
src-address=10.50.55.2
add action=accept chain=forward dst-address=\
10.108.0.10 src-address=10.50.10.66
add action=accept chain=forward dst-address=\
10.50.10.66 src-address=10.108.0.10
add action=accept chain=forward dst-address=\
10.50.10.66 src-address=10.105.0.10
add action=accept chain=forward dst-address=\
10.105.0.10 src-address=10.50.10.66
# Single-host accepts with only a src-address or only a dst-address. Each one
# accepts traffic from (or to) that host on ANY interface toward ANY
# destination (or from ANY source), bypassing the RFC1918 block below.
# NOTE(review): dst-address=197.97.79.157 has no source or interface
# restriction at all — confirm that is intended rather than src-address-list=local.
add action=accept chain=forward dst-address=10.50.254.1
add action=accept chain=forward src-address=10.50.254.1
add action=accept chain=forward src-address=10.50.10.24
add action=accept chain=forward src-address=10.50.200.0/24
add action=accept chain=forward dst-address=10.50.10.24
add action=accept chain=forward dst-address=10.50.0.10
add action=accept chain=forward src-address=10.50.0.10
add action=accept chain=forward dst-address=10.50.0.108
add action=accept chain=forward src-address=10.50.0.108
add action=accept chain=forward dst-address=197.97.79.157
add action=accept chain=forward src-address=10.50.14.45
add action=accept chain=forward dst-address=\
10.50.12.60 src-address=10.50.12.59
# Default policy: block private destinations (the rfc-1918 list does not
# contain 10.0.0.0/8, see /ip firewall address-list), allow anything in the
# local list out to any WAN port, drop the rest.
# NOTE(review): connection-state="" on the final rule looks like an unset
# matcher, i.e. the rule drops everything that reaches it — TODO confirm on
# this RouterOS version rather than relying on it.
add action=drop chain=forward comment="Block RFC1918" dst-address-list=\
rfc-1918 log-prefix=RFC1918
add action=accept chain=forward comment="Allow user access to internet" \
out-interface-list=WAN src-address-list=local
add action=drop chain=forward comment="Drop Forward" connection-state=""
# Mangle: policy routing across five WANs. Order matters — every mark-connection
# rule below requires connection-mark=no-mark, so the first rule that marks a
# connection wins and later rules never see it.
/ip firewall mangle
# 1. Traffic that must keep the main routing table: LAN -> the WAN transit
#    networks (the /ip address peers) and local -> local. Accepting it here
#    stops it from being marked further down.
add action=accept chain=prerouting comment="Accept traffic from LAN" \
dst-address=10.5.1.0/24 in-interface-list=LAN
add action=accept chain=prerouting comment="Accept traffic from LAN" \
dst-address=10.5.2.0/24 in-interface-list=LAN
add action=accept chain=prerouting comment="Accept traffic from LAN" \
dst-address=10.5.3.0/24 in-interface-list=LAN
add action=accept chain=prerouting comment="Accept traffic from LAN" \
dst-address=10.7.0.0/24 in-interface-list=LAN
add action=accept chain=prerouting comment="Accept traffic from LAN" \
dst-address=10.7.1.0/24 in-interface-list=LAN
add action=accept chain=prerouting comment="Accept traffic from LAN" \
dst-address-list=local src-address-list=local
# Decapsulated IPsec input also keeps the main table.
add action=accept chain=prerouting comment=IPSEC ipsec-policy=in,ipsec
# 2. Connections that arrive on a WAN port and terminate on the router get a
#    WANx-to-ROS connection mark (input chain). Port mapping: ether3 = WAN4,
#    ether4 = WAN3.
add action=mark-connection chain=input comment=\
"Mark all connections that are initiated from WAN" connection-mark=\
no-mark in-interface=ether1 new-connection-mark=WAN1-to-ROS passthrough=\
no
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
ether2 new-connection-mark=WAN2-to-ROS passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
ether3 new-connection-mark=WAN4-to-ROS passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
ether4 new-connection-mark=WAN3-to-ROS passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
ether6 new-connection-mark=WAN5-to-ROS passthrough=no
#    The router's own replies (output chain) are routed back out the WAN the
#    request came in on via the matching to_wanX routing mark / route.
add action=mark-routing chain=output comment=\
"Mark routing for router's replies" connection-mark=WAN1-to-ROS \
new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2-to-ROS \
new-routing-mark=to_wan2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3-to-ROS \
new-routing-mark=to_wan3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4-to-ROS \
new-routing-mark=to_wan4 passthrough=no
add action=mark-routing chain=output connection-mark=WAN5-to-ROS \
new-routing-mark=to_wan5 passthrough=no
# 3. LAN -> Internet connection marking, most specific first.
# 3a. Hosts pinned to a WAN via the TO-WANx address lists. Only TO-WAN1 has
#     entries in this export; the TO-WAN2..TO-WAN5 rules currently match
#     nothing unless those lists are populated elsewhere.
add action=mark-connection chain=prerouting comment=\
"Mark connection for traffic to specific WAN" connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
LAN-to-WAN1 passthrough=yes src-address-list=TO-WAN1
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
LAN-to-WAN2 passthrough=yes src-address-list=TO-WAN2
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
LAN-to-WAN3 passthrough=yes src-address-list=TO-WAN3
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
LAN-to-WAN4 passthrough=yes src-address-list=TO-WAN4
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
LAN-to-WAN5 passthrough=yes src-address-list=TO-WAN5
# 3b. voip destinations always go out WAN5.
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=voip dst-address-type=!local in-interface-list=LAN \
new-connection-mark=LAN-to-WAN5 passthrough=yes src-address-list=local
# 3c. facebook / games destinations: two-way PCC split on source address
#     between WAN5 (2/0) and WAN3 (2/1). Neither list is defined in this export.
add action=mark-connection chain=prerouting comment=\
"Load balance Facebook - via WAN3 + WAN5" connection-mark=no-mark \
dst-address-list=facebook dst-address-type=!local in-interface-list=LAN \
new-connection-mark=LAN-to-WAN5 passthrough=yes \
per-connection-classifier=src-address:2/0 src-address-list=local
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=facebook dst-address-type=!local in-interface-list=LAN \
new-connection-mark=LAN-to-WAN3 passthrough=yes \
per-connection-classifier=src-address:2/1 src-address-list=local
add action=mark-connection chain=prerouting comment=\
"Load balance Games - via WAN3 + WAN5" connection-mark=no-mark \
dst-address-list=games dst-address-type=!local in-interface-list=LAN \
new-connection-mark=LAN-to-WAN5 passthrough=yes \
per-connection-classifier=src-address:2/0 src-address-list=local
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=games dst-address-type=!local in-interface-list=LAN \
new-connection-mark=LAN-to-WAN3 passthrough=yes \
per-connection-classifier=src-address:2/1 src-address-list=local
# 3d. "PCC Override": everything still unmarked from local to a non-local
#     destination -> WAN4. NOTE: because this rule sits ABOVE the WAN2+WAN4 PCC
#     pair and both of those also require connection-mark=no-mark, re-enabling
#     the two disabled PCC rules has no effect until this override is disabled
#     or moved below them.
add action=mark-connection chain=prerouting comment="PCC Override" \
connection-mark=no-mark dst-address-list=!local dst-address-type=!local \
in-interface-list=LAN new-connection-mark=LAN-to-WAN4 passthrough=yes \
src-address-list=local
# 3e. The WAN2+WAN4 PCC pair (currently disabled): src-address:2/0 -> WAN2,
#     2/1 -> WAN4. Classifying on source address only means a fixed half of
#     the LAN hosts is bound to WAN2 for every connection.
add action=mark-connection chain=prerouting comment=\
"Load balance - WAN2 + WAN4" connection-mark=no-mark disabled=yes \
dst-address-list=!local dst-address-type=!local in-interface-list=LAN \
new-connection-mark=LAN-to-WAN2 passthrough=yes \
per-connection-classifier=src-address:2/0 src-address-list=local
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-list=!local dst-address-type=!local in-interface-list=LAN \
new-connection-mark=LAN-to-WAN4 passthrough=yes \
per-connection-classifier=src-address:2/1 src-address-list=local
# 4. Turn the LAN-to-WANx connection marks into to_wanX routing marks, which
#    select the marked default routes in /ip route. passthrough=no ends mangle
#    processing for the packet at the first match.
add action=mark-routing chain=prerouting comment=\
"Mark the routes for LAN traffic to specific gateway" connection-mark=\
LAN-to-WAN1 dst-address-list=!local in-interface-list=LAN \
new-routing-mark=to_wan1 passthrough=no src-address-list=local
add action=mark-routing chain=prerouting connection-mark=LAN-to-WAN2 \
dst-address-list=!local in-interface-list=LAN new-routing-mark=to_wan2 \
passthrough=no src-address-list=local
add action=mark-routing chain=prerouting connection-mark=LAN-to-WAN3 \
dst-address-list=!local in-interface-list=LAN new-routing-mark=to_wan3 \
passthrough=no src-address-list=local
add action=mark-routing chain=prerouting connection-mark=LAN-to-WAN4 \
dst-address-list=!local in-interface-list=LAN new-routing-mark=to_wan4 \
passthrough=no src-address-list=local
add action=mark-routing chain=prerouting connection-mark=LAN-to-WAN5 \
dst-address-list=!local in-interface-list=LAN new-routing-mark=to_wan5 \
passthrough=no src-address-list=local
# 5. Inbound port forwards: a new connection forwarded in from a WAN port gets
#    a WANx_pfw mark (forward chain), and the LAN host's replies are then
#    routed back out that same WAN.
add action=mark-connection chain=forward comment=\
"Mark all connections for NAT inbound" connection-state=new in-interface=\
ether1 new-connection-mark=WAN1_pfw passthrough=no
add action=mark-connection chain=forward connection-state=new in-interface=\
ether2 new-connection-mark=WAN2_pfw passthrough=no
add action=mark-connection chain=forward connection-state=new in-interface=\
ether3 new-connection-mark=WAN4_pfw passthrough=no
add action=mark-connection chain=forward connection-state=new in-interface=\
ether4 new-connection-mark=WAN3_pfw passthrough=no
add action=mark-connection chain=forward connection-state=new in-interface=\
ether6 new-connection-mark=WAN5_pfw passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN1_pfw \
in-interface-list=LAN new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_pfw \
in-interface-list=LAN new-routing-mark=to_wan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3_pfw \
in-interface-list=LAN new-routing-mark=to_wan3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4_pfw \
in-interface-list=LAN new-routing-mark=to_wan4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5_pfw \
in-interface-list=LAN new-routing-mark=to_wan5 passthrough=no
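# NAT.
# Fix: three dst-nat rules (tcp/8005, tcp/8008, tcp/8010) had a stray "\ " fused
# into the middle of a line — a paste artifact that breaks the export when it is
# re-imported. They are restored as proper line continuations; no matcher or
# target changed.
/ip firewall nat
# VPN-pool sources leaving without an IPsec policy are masqueraded.
add action=masquerade chain=srcnat comment="Masquarade IPSEC VPN" \
ipsec-policy=out,none src-address=10.50.200.0/24
# Port forwards bound to ether1 (WAN1) come first. Because they precede the
# in-interface-list=WAN rules below, tcp/8000 and tcp/8001 arriving on ether1
# go to 10.50.55.2, while the same ports on any other WAN go to 10.50.10.53
# and 10.50.10.20 respectively.
add action=dst-nat chain=dstnat comment="Port forward for CCTV" dst-port=8005 \
in-interface=ether1 protocol=tcp to-addresses=10.50.55.2 to-ports=8005
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=10.50.55.2 \
to-ports=8000
add action=dst-nat chain=dstnat comment="Port forward for CCTV" dst-port=8001 \
in-interface=ether1 protocol=tcp to-addresses=10.50.55.2 to-ports=8001
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=9999 in-interface=ether1 protocol=tcp to-addresses=10.50.10.38 \
to-ports=9999
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=55414 in-interface=ether1 protocol=tcp to-addresses=10.50.10.38 \
to-ports=55414
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=55415 in-interface=ether1 protocol=tcp to-addresses=10.50.10.38 \
to-ports=55415
# Port forwards exposed on every WAN port (in-interface-list=WAN). Each of
# these is reachable from all five uplinks, and the matching filter accepts
# are dst-port-only (see /ip firewall filter).
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8000 in-interface-list=WAN protocol=tcp to-addresses=10.50.10.53 \
to-ports=8000
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8001 in-interface-list=WAN protocol=tcp to-addresses=10.50.10.20 \
to-ports=8001
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8002 in-interface-list=WAN protocol=tcp \
to-addresses=10.50.10.28 to-ports=8002
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8003 in-interface-list=WAN protocol=tcp to-addresses=10.50.10.28 to-ports=8003
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8004 in-interface-list=WAN protocol=tcp to-addresses=10.50.55.2 to-ports=8004
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8006 in-interface-list=WAN protocol=tcp to-addresses=10.50.10.57 to-ports=8006
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8007 in-interface-list=WAN protocol=tcp to-addresses=10.50.22.25 to-ports=8007
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8008 in-interface-list=WAN protocol=tcp to-addresses=10.50.12.59 to-ports=8008
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8009 in-interface-list=WAN protocol=tcp to-addresses=10.50.12.60 to-ports=8009
add action=dst-nat chain=dstnat comment="Port forward for CCTV" \
dst-port=8010 in-interface-list=WAN protocol=tcp to-addresses=10.50.12.27 to-ports=8010
# tcp+udp/3671 only on ether4 (WAN3).
add action=dst-nat chain=dstnat comment=\
"Port forward for CCTV" dst-port=3671 in-interface=ether4 \
protocol=tcp to-addresses=10.50.10.44 to-ports=3671
add action=dst-nat chain=dstnat comment=\
"Port forward for CCTV" dst-port=3671 in-interface=ether4 \
protocol=udp to-addresses=10.50.10.44 to-ports=3671
# One masquerade per uplink; the routing mark chosen in mangle decides the
# out-interface and therefore which rule applies.
add action=masquerade chain=srcnat comment=WAN1 out-interface=ether1
add action=masquerade chain=srcnat comment=WAN2 out-interface=ether2
add action=masquerade chain=srcnat comment=WAN4 out-interface=ether3
add action=masquerade chain=srcnat comment=WAN3 out-interface=ether4
add action=masquerade chain=srcnat comment=WAN5 out-interface=ether6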
# Routes. The to_wanX default routes (distance 3) are consulted only for
# packets carrying that routing mark. Unmarked traffic uses the distance 4-8
# defaults, i.e. preference order WAN4 > WAN2 > WAN1 > WAN5 > WAN3.
# NOTE(review): no route in this export has check-gateway set. A directly
# connected gateway route stays active as long as the port is up, so if the
# next-hop router or its ISP fails without the link dropping, connections
# marked for that WAN are black-holed instead of failing over, and the
# "failover" defaults never take over. With the WAN2+WAN4 PCC pair enabled,
# a degraded WAN2 would show up as a fixed half of the LAN losing internet —
# possibly the symptom described in the post. check-gateway=ping only probes
# the next hop (10.5.x.2 / 10.7.x.2), which here is a separate router in front
# of the ISP, so an upstream failure would still not be detected — TODO confirm
# how those routers signal a dead uplink before relying on it.
/ip route
add comment=WAN1_load distance=3 gateway=10.5.1.2 routing-mark=to_wan1
add comment=WAN2_load distance=3 gateway=10.5.2.2 routing-mark=to_wan2
add comment=WAN3_load distance=3 gateway=10.7.0.2 routing-mark=to_wan3
add comment=WAN4_load distance=3 gateway=10.5.3.2 routing-mark=to_wan4
add comment=WAN5_load distance=3 gateway=10.7.1.2 routing-mark=to_wan5
add comment=WAN4_failover distance=4 gateway=10.5.3.2
add comment=WAN2_failover distance=5 gateway=10.5.2.2
add comment=WAN1_failover distance=6 gateway=10.5.1.2
add comment=WAN5_failover distance=7 gateway=10.7.1.2
add comment=WAN3_failover distance=8 gateway=10.7.0.2
# Site-to-site / VPN networks. 10.105.0.0/24 and 10.108.0.0/24 are reached via
# the LAN host 10.50.55.2 (which is also pinned to WAN1 and a dst-nat target).
add distance=1 dst-address=10.60.0.0/16 gateway=172.168.88.1
add distance=1 dst-address=10.105.0.0/24 gateway=10.50.55.2
add distance=1 dst-address=10.108.0.0/24 gateway=10.50.55.2