PCC+ppppoe-server+pppoe_wanclient+Port Forward & changeip.com script

cicserver · March 30, 2015, 3:38am

Greetings to all,
My setup is as follows.

2 DSL links, modems are configured in bridge mode. Mikrotik is dialing the ISP Wan connection which are pppoe. This server is also configured as pppoe server for client end. I have configured PCC (source base address approach) for load balancing the wan links. All working fine. Now I want to route WEB server and other few ports to the local windows machine. WWW Service on mikrotik have different port. I have created port forward rule for both wan links but its not working.Following is my config.

/ip firewall mangle
add action=accept chain=prerouting disabled=no in-interface=pppoe-out1
add action=accept chain=prerouting disabled=no in-interface=pppoe-out2

add action=mark-connection chain=prerouting disabled=no dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=src-address:2/0 src-address=192.168.0.1/24
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=src-address:2/1 src-address=192.168.0.1/24

add action=mark-routing chain=prerouting connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes src-address=192.168.0.1/24
add action=mark-routing chain=prerouting connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes src-address=192.168.0.1/24

/ip firewall nat
add action=dst-nat chain=dstnat comment="Route WEB port 80 to local windows server" disabled=no dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.0.10 to-ports=3389
add action=dst-nat chain=dstnat comment="Route WEB port 80 to local windows server" disabled=no dst-port=80 in-interface=pppoe-out2 protocol=tcp to-addresses=192.168.0.10 to-ports=3389

add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1 src-address=192.168.0.1/24
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2 src-address=192.168.0.1/24

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_wan2 scope=30 target-scope=10

I am also running changeip.com ddns script, will it work ?
what rules should I add there? any help please?

ZeroByte · March 30, 2015, 3:52am

I think the mangle “Accept” rules in prerouting chain for in-interface(s) pppoe-out1 / pppoe-out2 are the reason you’re having trouble. I suppose this is an attempt to speed things up and skip rule-processing. Add another matcher to these two rules connection-mark=!no-mark

Then you need to go ahead and connection mark wan_1 and wan_2 for inbound packets from pppoe-out1 / pppoe-out2 because if the request comes in on 1, but PCC decides to send the reply out on 2, then the remote user is going to drop the reply packets from your server because they’re coming from the wrong public IP.

If you want to keep from doing unnecessary checks, make all connection mark / pcc rules be a chain “mark connections”
and put the pcc logic / inbound pppoe1/pppoe2 rules in there.
Then make rule 1 in the prerouting chain be a simple connection-mark=!no-mark → jump to “mark connections”
At the end of mark connections, put a “return” rule so that the individual packets can still get marked.
Leave the packet mark rules in the main prerouting chain as always.

cicserver · March 30, 2015, 4:38am

I know you have given right info, but dueto my lack of knowledge, I am unable to understand. Can you please give some rules examples
does these two accept rules are necessary? I ahve just copied the pcc script from the internet and working fine, its just PORT FORWARDING issue

ZeroByte · March 30, 2015, 7:44pm

I understand - but the PCC configuration is causing the port forwarding issue.

Here is the problem in a diagram:

User  1.1.1.101 -------http request ---------> 12.12.12.12 [pppoe1] ----------> 192.168.0.10
             _                                                                   /
            |\                                                                reply
              \                                                                /
                ------http reply (wrong src)--- 13.13.13.13 [pppoe2] <---------

See the problem? If the incoming connections aren’t marked for whichever interface they arrive on, and then go out the wrong port, the reply will have the wrong source IP on it, and the user’s computer will drop the packets because it never asked to talk to 13.13.13.13 . . . .

Try changing mangle table to this:

/ip firewall mangle
add action=jump chain=prerouting jump-target=DoConnectionMark connection-mark=no-mark
add action=mark-routing chain=prerouting connection-mark=wan1_conn new-routing-mark=to_wan1 
add action=mark-routing chain=prerouting connection-mark=wan2_conn new-routing-mark=to_wan2

add action=mark-connection chain=DoConnectionMark in-interface=pppoe-out1 new-connection-mark=wan1_conn
add action=mark-connection chain=DoConnectionMark in-interface=pppoe-out1 new-connection-mark=wan1_conn
add action=mark-connection chain=DoConnectionMark new-connection-mark=wan1_conn per-connection-classifier=src-address:2/0
add action=mark-connection chain=DoConnectionMark new-connection-mark=wan2_conn per-connection-classifier=src-address:2/1
add action=return

add action=jump chain=output jump-target=DoConnectionMark connection-mark=no-mark
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1 
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2

Also, you will need to add the LAN network to both routing tables:

Change the gateway= part to use the correct interface.

/ip route add dst-address=192.168.0.0/24 gateway=LAN  routing-mark=to_wan1
/ip route add dst-address=192.168.0.0/24 gateway=LAN  routing-mark=to_wan2

This makes sure that inbound packets will be able to find the LAN when they’re added to the forced routing tables.

With all of this in place, your PCC routing should remain intact, but pinholes should be forced to send replies out whichever public IP interface the requests came in through.

cicserver · April 13, 2015, 3:45am

ZeroByte:

cicserver:

I know you have given right info, but dueto my lack of knowledge, I am unable to understand. Can you please give some rules examples
does these two accept rules are necessary? I ahve just copied the pcc script from the internet and working fine, its just PORT FORWARDING issue

I understand - but the PCC configuration is causing the port forwarding issue.

Here is the problem in a diagram:
User  1.1.1.101 -------http request ---------> 12.12.12.12 [pppoe1] ----------> 192.168.0.10
             _                                                                   /
            |\                                                                reply
              \                                                                /
                ------http reply (wrong src)--- 13.13.13.13 [pppoe2] <---------
See the problem? If the incoming connections aren’t marked for whichever interface they arrive on, and then go out the wrong port, the reply will have the wrong source IP on it, and the user’s computer will drop the packets because it never asked to talk to 13.13.13.13 . . . .

Try changing mangle table to this:
/ip firewall mangle
add action=jump chain=prerouting jump-target=DoConnectionMark connection-mark=no-mark
add action=mark-routing chain=prerouting connection-mark=wan1_conn new-routing-mark=to_wan1 
add action=mark-routing chain=prerouting connection-mark=wan2_conn new-routing-mark=to_wan2

add action=mark-connection chain=DoConnectionMark in-interface=pppoe-out1 new-connection-mark=wan1_conn
add action=mark-connection chain=DoConnectionMark in-interface=pppoe-out1 new-connection-mark=wan1_conn
add action=mark-connection chain=DoConnectionMark new-connection-mark=wan1_conn per-connection-classifier=src-address:2/0
add action=mark-connection chain=DoConnectionMark new-connection-mark=wan2_conn per-connection-classifier=src-address:2/1
add action=return

add action=jump chain=output jump-target=DoConnectionMark connection-mark=no-mark
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1 
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2
Also, you will need to add the LAN network to both routing tables:

Change the gateway= part to use the correct interface.
/ip route add dst-address=192.168.0.0/24 gateway=LAN  routing-mark=to_wan1
/ip route add dst-address=192.168.0.0/24 gateway=LAN  routing-mark=to_wan2
This makes sure that inbound packets will be able to find the LAN when they’re added to the forced routing tables.

With all of this in place, your PCC routing should remain intact, but pinholes should be forced to send replies out whichever public IP interface the requests came in through.

Thank you so much for your time and efforts appreciate it