PCC load balancing on OS7

Dear All,

I am a begginer and need your help.

I have Mikrotik with OS7.

I want to connect to WAN lines to it to carry load balancing + load failure

I also have a VPN connection that is being used to communicate with the remote Radius server using ports 1812, 1813 and 1700

WAN 1 IP: 196.22.54.138/30
WAN2: IP: 192.168.1.1
VPN Local IP: 192.168.200.232 and VPN Server IP: 192.168.200.1
Radius Server: 192.168.10.243

Currently 1 WAN is being connected and VPN is working fine no problem. I want to add a 2nd WAN to load balance it.

I followed the official video on youtube here “https://www.youtube.com/watch?v=nlb7XAv57tw&t=169s&pp=ygUQUENDIG1pa3JvdGlrIG9zNw%3D%3D”

however when I was done. The hotspot page didn’t open to the users not sure why?

Can you help me please.

BR
Ahmed

Try this one
https://youtu.be/LPKzelijfeQ

IF the second video does not get you all the way, then post your config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

Confirm users are coming inbound on the VPN to your router ( mikrotik is hosting VPN using its services ) not to servers on the lan.

Apologies I did not receive or missed a notification that you guys replied to my post.

Now my PCC + Hotspot is working fine however one last issue I couldn’t resolve it


I have

1- 2 WANs (2 Starlinks terminals one is 192.168.1.0/24) loaded balanced using PCC

2- Hotspot + Remote Radius Server for Hotspot Authentication.

MK Router is connected to the Radius using VPN. (VPN is used only to connect Hotspot with the Remote Radius Server for authentication only)

After configuring the PCC as soon as I connect the 2nd WAN link to the Mikrtoik, VPN goes down.

Basically, VPN works well only if 1 WAN is connected.

Below is the Mikrotik Config




/interface bridge add name=Hotspot
/interface ethernet set [ find default-name=ether1 ] comment=WAN1 name=WAN1
/interface ethernet set [ find default-name=ether2 ] comment=WAN2 name=WAN2
/ip hotspot profile add dns-name=netvsat.hotspot hotspot-address=10.0.0.1 html-directory=hotspot3 login-by=cookie,http-chap,http-pap,mac-cookie name=hsprof1 radius-interim-update=2m use-radius=yes
/ip pool add name=hs-pool-13 ranges=10.0.0.2-10.0.255.254
/ip dhcp-server add address-pool=hs-pool-13 interface=Hotspot name=dhcp1
/ip hotspot add address-pool=hs-pool-13 addresses-per-mac=1 disabled=no interface=Hotspot name=hotspot1 profile=hsprof1
/port set 0 name=serial0
/interface sstp-client add authentication=mschap2 connect-to=185.155.X97.XX disabled=no keepalive-timeout=10 name=SSTP-TO-RADIUS profile=default-encryption user=RB-3011-Dalgo-PCC
/routing table add disabled=no fib name=ISP1
/routing table add disabled=no fib name=ISP2
/interface bridge port add bridge=Hotspot interface=ether3
/interface bridge port add bridge=Hotspot interface=ether4
/interface bridge port add bridge=Hotspot interface=ether5
/interface bridge port add bridge=Hotspot interface=ether6
/interface bridge port add bridge=Hotspot interface=ether7
/interface bridge port add bridge=Hotspot interface=ether8
/interface bridge port add bridge=Hotspot interface=ether9
/interface bridge port add bridge=Hotspot interface=ether10
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ip address add address=10.0.0.1/16 interface=Hotspot network=10.0.0.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add add-default-route=no interface=WAN1
/ip dhcp-client add interface=WAN2

/ip dhcp-server network add address=10.0.0.0/16 comment=“hotspot network” gateway=10.0.0.1
/ip dns set servers=8.8.8.8,8.8.4.4

/ip firewall filter add action=passthrough chain=unused-hs-chain comment=“place hotspot rules here” disabled=yes
/ip firewall mangle add action=change-ttl chain=postrouting new-ttl=set:1 out-interface=Hotspot passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=WAN1 new-connection-mark=ISP1_conn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=WAN2 new-connection-mark=ISP2_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=ISP1 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=ISP2 passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=!local hotspot=auth in-interface=Hotspot new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=src-address-and-port:2/0
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=!local hotspot=auth in-interface=Hotspot new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=src-address-and-port:2/1
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface=Hotspot new-routing-mark=ISP1 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface=Hotspot new-routing-mark=ISP2 passthrough=yes
/ip firewall nat add action=passthrough chain=unused-hs-chain comment=“place hotspot rules here” disabled=yes
/ip firewall nat add action=masquerade chain=srcnat comment=“masquerade hotspot network” src-address=10.0.0.0/16

/ip hotspot user add name=admin
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route add disabled=no dst-address=192.168.200.0/24 gateway=192.168.200.1 routing-table=main suppress-hw-offload=no
/ip route add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=192.168.200.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=WAN1 routing-table=ISP1 suppress-hw-offload=no
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WAN2 pref-src=“” routing-table=ISP2 scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=WAN2 pref-src=“” routing-table=main suppress-hw-offload=no
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WAN1 routing-table=main suppress-hw-offload=no
/ip route add disabled=no distance=1 dst-address=185.155.X97.XX/32 gateway=WAN2 routing-table=*402 scope=30 suppress-hw-offload=no target-scope=10
/radius add address=192.168.200.253 disabled=yes require-message-auth=no service=hotspot src-address=192.168.200.186 timeout=3s
/radius add address=192.168.10.242 require-message-auth=no service=hotspot src-address=192.168.200.186 timeout=3s
/radius incoming set accept=yes port=1700
/system clock set time-zone-name=Africa/Kigali
/system identity set name=Mikrotik-Dalgo-PCC
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=time.google.com
/system ntp client servers add address=time.windows.com
/system routerboard settings set enter-setup-on=delete-key

Attached is the Diagram of the scenario

Question: How to make the VPN connection to the Radius server to work with PCC using 2 WANs ?

Not sure I understand but will look…
Do you send vpn traffic to WAN1 or WAN2??
Do you do any port forwarding on WAN1 or WAN2??
Maybe I misunderstood how you use VPN??

/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:1 out-interface=Hotspot passthrough=yes { no idea what this does but will leave it alone }
{ four rules for traffic to ROUTER
add action=mark-connection chain=input connection-mark=no-mark in-interface=WAN1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=WAN2 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=ISP2 passthrough=yes
{ four rules for pcc traffic }
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local hotspot=auth in-interface=Hotspot
new-connection-mark=ISP1_pcc passthrough=yes per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local hotspot=auth in-interface=Hotspot
new-connection-mark=ISP2_pcc passthrough=yes per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_pcc new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2_pcc new-routing-mark=ISP2 passthrough=no

/ip firewall nat add action=masquerade chain=srcnat comment=“masquerade hotspot network” out-interface-list=WAN
Sadly your config is incomplete no firewall rules etc… and no lists so you will have to make it two rules out-interface=wan1 / out-interface=wan2

Discussion: Do not need new connection, do not need to put in-hotspot on routing-mark rule, as is already done in mark-connection rule!
I prefer forward chain for mark-connection rule its more accurate.
also I have different mark connection rule, for troubleshooting and logging purposes, it makes it much clearer which traffic is being shown.

ROUTES need work!!! We cannot use gateway=interface for these rules, they need to be gateway IPs……
If static fine, if dynamic, will need scripts to keep them updated… So right now they are placeholders but not correct.

/ip route
{main table}
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=WAN1 routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=WAN2 routing-table=main
{special tables} (check gateway=ping is useless, there is only one entry in each table)
add dst-address=0.0.0.0/0 gateway=WAN1 routing-table=ISP1
add dst-address=0.0.0.0/0 gateway=WAN2 routing-table=ISP2

{no idea what these tables are for ???)
add dst-address=192.168.200.0/24 gateway=192.168.200.1 routing-table=main
add dst-address=192.168.10.0/24 gateway=192.168.200.1 pref-src=“” routing-table=main
add dst-address=185.155.X97.XX/32 gateway=WAN2 routing-table=*402 <----- This one is showing an error too!!!

Anav,

Thank you for your reply.

I have hotspot by using Starlink terminal. Authentication is done by using a Remote Radius Server (In a different country) that is why I need to establish a VPN connection between my Mikrotik and the Radius server.

First Starlink now it is 192.168.1.1/24 connected to Ether 1: 192.168.1.2
Second Starlink now it is: 192.16.2.1/24 connected to Ether 2: 192.168.2.1

Ether 3 to Ether 10 is bridged for my Hotspot with IP assigned to bridge is: 10.0.0.1/16


Remote Radius Server assume it is 38.242.235.250

VPN server so I can access the radius assume it is 38.242.235.249
VPN DHCP Server is: 192.168.200.1
Mikortik will get 192.16.200.2 from the remote VPN server.


Suppose I want to do PCC load balancing + Hotspot + VPN connection used only for Hotspot Radius authentication only.

Mikrotik is OS7
Router is RB-3011

I did exactly the official PCC for OS7 from Mikrotik but without Hotspot and added hotspot=auth in every pcc rule but the mobile users had exlamination mark with “Connected, but no internet connection” don’t know why


https://www.youtube.com/watch?v=nlb7XAv57tw


We can ignore the VPN for now. The question is:

How do you apple PCC on OS7 + Hotspot ?

Post your latest config please.

Hello, I’m also trying to set PCC on my CCR2004. But keep getting issues with my routing tables. I have all my 3 starlinks in bypass so my ip is dynamic and even if I type the gateway in the routing table it comes back as inactive.
In case you find a solution kindly share because it’s really turned into a headache.

With version 7 firmware there is no need to PCC similar wan throughputs, ECMP works just as well and is much easier to implement.