PCC over 3 WAN, but only 1 Gateway

Szandor72 · September 8, 2011, 1:30pm

Dear all,

I have applied the PCC Tutorial from here: http://wiki.mikrotik.com/wiki/Manual:PCC

PCC seemed the perfect solution for my network setup.

Here is what my configuration looks like this (please ignore network and broadcast values, I have changed those randomly):

/ ip address
add address=192.168.50.1/24 network=192.168.50.0 broadcast=192.168.50.255 interface=eth5
add address=1.2.3.167/26 network=255.255.255.192 broadcast=1.2.3.191 interface=eth1-ISP1
add address=1.2.3.168/26 network=255.255.255.192 broadcast=1.2.3.191 interface=eth2-ISP2
add address=1.2.3.169/26 network=255.255.255.192 broadcast=1.2.3.191 interface=eth3-ISP3

/ ip firewall mangle
add chain=prerouting dst-address=1.2.3.128/26  action=accept in-interface=eth5

add chain=prerouting in-interface=eth1-ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=wan-ISP1
add chain=prerouting in-interface=eth2-ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=wan-ISP2
add chain=prerouting in-interface=eth3-ISP3 connection-mark=no-mark action=mark-connection new-connection-mark=wan-ISP3

add chain=prerouting  in-interface=eth5 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=wan-ISP1 
add chain=prerouting  in-interface=eth5 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=wan-ISP2
add chain=prerouting  in-interface=eth5 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:3/2 action=mark-connection new-connection-mark=wan-ISP3
add chain=prerouting connection-mark=wan-ISP1 in-interface=eth5 action=mark-routing new-routing-mark=to_wan-ISP1 
add chain=prerouting connection-mark=wan-ISP2 in-interface=eth5 action=mark-routing new-routing-mark=to_wan-ISP2 
add chain=prerouting connection-mark=wan-ISP3 in-interface=eth5 action=mark-routing new-routing-mark=to_wan-ISP3 
add chain=output connection-mark=wan-ISP1  action=mark-routing new-routing-mark=to_wan-ISP1      
add chain=output connection-mark=wan-ISP2  action=mark-routing new-routing-mark=to_wan-ISP2 
add chain=output connection-mark=wan-ISP3  action=mark-routing new-routing-mark=to_wan-ISP3 

/ ip route
add dst-address=0.0.0.0/0 gateway=1.2.3.129 routing-mark=to_wan-ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129 routing-mark=to_wan-ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129 routing-mark=to_wan-ISP3 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=1.2.3.129 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129 distance=3 check-gateway=ping

/ ip firewall nat 
add chain=srcnat out-interface=eth1-ISP1 action=masquerade
add chain=srcnat out-interface=eth2-ISP2 action=masquerade
add chain=srcnat out-interface=eth3-ISP3 action=masquerade

As you can see, I added only one gateway as for all my wans, the gateway is the same. Unfortunately, this results in only one line being used (eth1) and the other two lines idle away.

Still I want to balance traffic equally over those three lines. If you could enlighten me as to how to change my configuration in order to achieve balancing, I’d much appreciate it.

Your sincerely,
Sz

fewi · September 8, 2011, 1:39pm

I can’t remember if this works, but try defining the outbound interface. Replace this:

/ ip route
add dst-address=0.0.0.0/0 gateway=1.2.3.129 routing-mark=to_wan-ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129 routing-mark=to_wan-ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129 routing-mark=to_wan-ISP3 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=1.2.3.129 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129 distance=3 check-gateway=ping

with this:

/ ip route
add dst-address=0.0.0.0/0 gateway=1.2.3.129%eth1-ISP routing-mark=to_wan-ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129%eth2-ISP routing-mark=to_wan-ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129%eth3-ISP routing-mark=to_wan-ISP3 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=1.2.3.129%eth1-ISP distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129%eth2-ISP distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.129%eth3-ISP distance=3 check-gateway=ping

The preferred solution would be to get three IPs from your ISP that are not on the same network.

Szandor72 · September 8, 2011, 3:07pm

I have asked my provider who hast often fulfilled my requests, but alas - not this time. They cannot grant me my wish this time.

So I tried, what you suggested. This is what my IP routes look like now:

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          217.8.49.129%et...        1
 2 A S  0.0.0.0/0                          217.8.49.129%et...        1
 4 A S  0.0.0.0/0                          217.8.49.129%et...        1
 6 A S  0.0.0.0/0                          217.8.49.129%et...        1
 7   S  0.0.0.0/0                           217.8.49.129%et...        2
 8   S  0.0.0.0/0                           217.8.49.129%et...        3
12 ADC  192.168.50.0/24    192.168.50.1    eth5                      0
13 ADC  217.8.49.128/26    217.8.49.169    eth3-6901                 0
                                           eth2-6801         
                                           eth1-6501

(I removed deactivated lines)

WinBox says in the route list that all eth are reachable. I can ping the outside world from the router. But my LAN Clients cant reach lick. It might be something obvious but I just can’t see why this is happening.

Shouldn’t entries 7 and 8 not also be at least A S - active static routes if your code example had worked?

Feklar · September 8, 2011, 3:11pm

I’ve heard the method works for two, never tired it, but when people have tried it with 3 or more it breaks down. It could be that you can’t use the method with 3 or more default routes like that.

Szandor72 · September 8, 2011, 5:18pm

After spending the last hours with research on the topic in the forums here, it seems that the notation gateway=1.2.3.4%eth1 is the path to follow.

But I still can figure out why I can ping from the router using the new config but cannot access the Internet on the client-side.

Szandor72 · September 13, 2011, 4:10am

Solved.

@fewi: Specifying gateway%interface works like a charm. I had to remove the failover though in order to get it to work.

As far as I can tell, PCC with 3 WANs works with my LAN.

cubitihon · September 14, 2011, 2:45pm

can you give me correct file this. mail mail: trungnq81@gmail.com

thanks

Szandor72 · September 14, 2011, 11:04pm

After disabling failsafe, dns stopped working. After enabling it again, pcc still did its job. Amazing - but still I’d like to know how this worked. Anyone able to spread some light?

@cubitihon: The config is the same as in my first post, I only changed the gateway lines according to Feklar’s post. Good luck, mate.