PCC load balancing but winbox in on only 1 ISP

Just set up PCC load balancing for 2 ISP connections. It’s working great, balancing the traffic… The only problem is that I can only ping the second ISP from remote, and I also cannot Winbox into the ISP that the ping does not respond to. Is this a simple route issue? Any suggestion would be appreciated.

Thanks.

:slight_smile:

Can you post `/ip route print detail`, `/ip address print detail` and `/ip firewall export`?

:smiley:

Yes, absolutely. Here is the info you requested. Thanks.

```
/ip route> print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 A S  dst-address=0.0.0.0/0 gateway=70.76.0.1
        gateway-status=70.76.0.1 reachable via WAN1 check-gateway=ping
        distance=1 scope=30 target-scope=10 routing-mark=to_WAN1

 1 A S  dst-address=0.0.0.0/0 gateway=216.197.184.254
        gateway-status=216.197.184.254 reachable via WAN2 check-gateway=ping
        distance=1 scope=30 target-scope=10 routing-mark=to_WAN2

 2 A S  dst-address=0.0.0.0/0 gateway=216.197.184.254
        gateway-status=216.197.184.254 reachable via WAN2 check-gateway=ping
        distance=1 scope=30 target-scope=10

 3   S  dst-address=0.0.0.0/0 gateway=70.76.0.1
        gateway-status=70.76.0.1 reachable via WAN1 check-gateway=ping
        distance=2 scope=30 target-scope=10

 4 ADC  dst-address=70.76.0.0/24 pref-src=70.76.0.251 gateway=WAN1
        gateway-status=WAN1 reachable distance=0 scope=10

 5 ADC  dst-address=192.168.2.0/24 pref-src=192.168.2.1 gateway=bridge1
        gateway-status=bridge1 reachable distance=0 scope=10

 6 ADC  dst-address=216.197.184.0/24 pref-src=216.197.184.175 gateway=WAN2
        gateway-status=WAN2 reachable distance=0 scope=10
```




```
/ip address> print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   address=70.76.0.251/24 network=70.76.0.0 interface=WAN1
     actual-interface=WAN1

 1   address=192.168.2.1/24 network=192.168.2.0 interface=bridge1
     actual-interface=bridge1

 2   address=216.197.184.175/24 network=216.197.184.0 interface=WAN2
     actual-interface=WAN2

 3 X address=192.168.3.1/24 network=192.168.3.0 interface=ether10
     actual-interface=ether10
```





```
/ip firewall> export
# jan/04/1970 21:15:16 by RouterOS 5.12
# software id = 7AV9-TYKY
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=WAN1 \
    new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN2 \
    new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn disabled=no \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn disabled=no \
    new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting disabled=no dst-address=70.76.0.0/24 \
    in-interface=bridge1
add action=accept chain=prerouting disabled=no dst-address=216.197.184.0/24 \
    in-interface=bridge1
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local \
    in-interface=bridge1 new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=src-address:2/1
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local \
    in-interface=bridge1 new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=src-address:2/0
add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=no \
    in-interface=bridge1 new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn disabled=no \
    in-interface=bridge1 new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=192.168.2.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
```




There you go...hope this helps you.

Cheers!

:smiley:

Does this provide any insight into my problem?

Thanks

:smiley:

You forgot to do the mangle rules in the output chain.

Can you please explain what mangle rules are missing? I'd appreciate that.

Thank you.

Something like:

```
add action=mark-routing chain=output connection-mark=LINE1 disabled=no new-routing-mark=TO_LINE1 passthrough=yes
add action=mark-routing chain=output connection-mark=LINE2 disabled=no new-routing-mark=TO_LINE2 passthrough=yes
```

http://forum.mikrotik.com/t/pcc-load-balance-2-diferent-isp/52643/1

Thanks for the suggestion, but if you see above in the mangle config, I have already set what you mentioned…

```
add action=mark-routing chain=output connection-mark=WAN1_conn disabled=no \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn disabled=no \
    new-routing-mark=to_WAN2 passthrough=yes
```

Still without luck, I am not able to Winbox into this router on both ISP connections. Only one is successful to connect with. It’s odd.

Any other ideas?

Thank you. :slight_smile:

Hello, the problem still persists. Any other suggestions, please? Appreciate it.

Thanks. :slight_smile:

If you seem to have all the required rules, check if you are not re-marking the traffic later on. Also, check whether you really have all the settings set up correctly. The pointers others gave before are the correct ones:

Mark the connection on input and assign a mark so that the input interface can be recognized afterwards, and then in output mark packets with a routing mark, so that the connection's data packets are forwarded in the correct direction. The fact that you can connect only over one WAN means directly that you have some error in packet routing marking.
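
The chain described in the replies above (connection mark on input, routing mark on output, a route carrying that routing mark), written as a static check over the mangle rules posted earlier. This is an added example, not part of the thread and not MikroTik tooling. The helper names `parse_rules` and `check_reply_path` are hypothetical, and the two routes are constructed in export syntax from the `print detail` output.

```python
import shlex

# Mangle rules copied from the export in the thread (continuation lines joined).
MANGLE = """
add action=mark-connection chain=input disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
"""
# Constructed: the marked default routes from "print detail", rewritten in export syntax.
ROUTES = """
add dst-address=0.0.0.0/0 gateway=70.76.0.1 routing-mark=to_WAN1
add dst-address=0.0.0.0/0 gateway=216.197.184.254 routing-mark=to_WAN2
"""

def parse_rules(text):
    """Turn enabled 'add key=value ...' lines into a list of dicts."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return [r for r in rules if r.get("disabled", "no") == "no"]

def check_reply_path(mangle, routes, wan):
    """List what is missing for replies to connections that arrived on `wan`
    to leave through the same uplink. An empty list means the chain is complete."""
    conn = {r.get("new-connection-mark", "") for r in mangle
            if r.get("chain") == "input" and r.get("action") == "mark-connection"
            and r.get("in-interface") == wan}
    if len(conn) != 1:
        return [f"{wan}: expected one input connection mark, found {sorted(conn)}"]
    conn = conn.pop()
    rmarks = {r.get("new-routing-mark", "") for r in mangle
              if r.get("chain") == "output" and r.get("action") == "mark-routing"
              and r.get("connection-mark") == conn}
    if len(rmarks) != 1:
        return [f"{wan}: expected one output routing mark for {conn}, found {sorted(rmarks)}"]
    rmark = rmarks.pop()
    if not any(rt.get("routing-mark") == rmark for rt in routes):
        return [f"{wan}: no route carries routing-mark={rmark}"]
    return []

if __name__ == "__main__":
    mangle, routes = parse_rules(MANGLE), parse_rules(ROUTES)
    for wan in ("WAN1", "WAN2"):
        print(wan, check_reply_path(mangle, routes, wan) or "chain complete")
```

A clean result only shows that the three links exist in the configuration text; it says nothing about rule order, counters or the state of the live connection table.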