Hi Guys
I am doing PCC load balancing with 6 WAN/DSL lines and it works. What I want to know is what is the best way to configure the classifier in the NAT? I am running a single RB1100 router for my internet gateway with the 6 DSLs attached, with only 1 RB800 router behind it (ether01), which has all the wireless interfaces on it. I am still marking all port 443 traffic to route through its own gateway for banking sites. Can someone tell me if this config is right?
Thanks
/ip firewall mangle
add action=mark-routing chain=prerouting comment=HTTPS disabled=no dst-port=\
443 new-routing-mark="HTTPS 443" passthrough=yes protocol=tcp
add action=mark-connection chain=input comment="" disabled=no in-interface=\
ether02 new-connection-mark=lb1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
ether03 new-connection-mark=lb2_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
ether05 new-connection-mark=adsl5_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
ether06 new-connection-mark=adsl6_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
ether07 new-connection-mark=adsl7_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
ether08 new-connection-mark=adsl8.1_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=lb1_conn \
disabled=no new-routing-mark=to_lb1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=lb2_conn \
disabled=no new-routing-mark=to_lb2 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl5.1_conn \
disabled=no new-routing-mark=to_adsl5.1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl6.1_conn \
disabled=no new-routing-mark=to_adsl6.1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl7.1_conn \
disabled=no new-routing-mark=to_adsl7.1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl8.1_conn \
disabled=no new-routing-mark=to_adsl8.1 passthrough=yes
add action=accept chain=prerouting comment="" disabled=no dst-address=\
172.168.0.0/24 in-interface=ether01
add action=accept chain=prerouting comment="" disabled=no dst-address=\
172.168.2.0/24 in-interface=ether01
add action=accept chain=prerouting comment="" disabled=no dst-address=\
172.168.5.0/24 in-interface=ether01
add action=accept chain=prerouting comment="" disabled=no dst-address=\
172.168.6.0/24 in-interface=ether01
add action=accept chain=prerouting comment="" disabled=no dst-address=\
172.168.7.0/24 in-interface=ether01
add action=accept chain=prerouting comment="" disabled=no dst-address=\
172.168.8.0/24 in-interface=ether01
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local in-interface=ether01 new-connection-mark=lb1_conn \
passthrough=yes per-connection-classifier=dst-address-and-port:6/0
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local in-interface=ether01 new-connection-mark=lb2_conn \
passthrough=yes per-connection-classifier=dst-address-and-port:6/1
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local in-interface=ether01 new-connection-mark=\
adsl5.1_conn passthrough=yes per-connection-classifier=\
dst-address-and-port:6/2
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local in-interface=ether01 new-connection-mark=\
adsl6.1_conn passthrough=yes per-connection-classifier=\
dst-address-and-port:6/3
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local in-interface=ether01 new-connection-mark=\
adsl7.1_conn passthrough=yes per-connection-classifier=\
dst-address-and-port:6/4
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local in-interface=ether01 new-connection-mark=\
adsl8.1_conn passthrough=yes per-connection-classifier=\
dst-address-and-port:6/5
add action=mark-routing chain=prerouting comment="" connection-mark=lb1_conn \
disabled=no in-interface=ether01 new-routing-mark=to_lb1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=lb2_conn \
disabled=no in-interface=ether01 new-routing-mark=to_lb2 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
adsl5.1_conn disabled=no in-interface=ether01 new-routing-mark=to_adsl5.1 \
passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
adsl6.1_conn disabled=no in-interface=ether01 new-routing-mark=to_adsl6.1 \
passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
adsl7.1_conn disabled=no in-interface=ether01 new-routing-mark=to_adsl7.1 \
passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
adsl8.1_conn disabled=no in-interface=ether01 new-routing-mark=to_adsl8.1 \
passthrough=yes
add action=mark-connection chain=prerouting comment="ICMP Traffic " disabled=\
no new-connection-mark=icmp-con passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting comment="" connection-mark=icmp-con \
disabled=no new-packet-mark=icmp-pac passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting comment=HTTPTraffic disabled=no \
dst-port=0-65535 new-connection-mark=HTTP-con passthrough=yes protocol=\
tcp
add action=mark-packet chain=prerouting comment="" connection-mark=HTTP-con \
disabled=no dst-port=0-65535 new-packet-mark=HTTP-pac passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="p2p traffic" disabled=no \
new-connection-mark=p2p-con p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=p2p-con \
disabled=no new-packet-mark=p2p-flow p2p=all-p2p passthrough=yes
add action=mark-connection chain=prerouting comment="SMTP Traffic" disabled=\
no dst-port=25 new-connection-mark=smtp-con passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=smtp-con \
disabled=no dst-port=25 new-packet-mark=smtp-flow passthrough=yes \
protocol=tcp
fewi
September 22, 2010, 12:15pm
2
As long as the items in the HTTPS chain don’t have passthrough set to yes you are probably fine. If they do passthrough, the packet will return to the calling chain at the end of the custom chain and then your connection and routing marks will be overwritten as if the HTTPS chain never happened.
Each interface has its own 0.0.0.0/24 route for its routing mark. Does there need to be one without a routing mark pointing to one of the WAN ports (everything else like in Per Traffic Load Balancing)? The reason I am asking is that I cannot ping websites from the router; it says “no route to host”.
I am clearly doing something wrong here. YouTube and streaming audio keep hanging. I don’t know if my connection classifier is causing this. What would be the best config here?
dst address and port
both addresses
At least tell me what classifier you guys are using?
fewi
September 27, 2010, 2:13pm
6
http://wiki.mikrotik.com/wiki/How_PCC_works_(beginner)
That article describes in detail how PCC works, including the classifiers. From there you should be able to figure out what classifiers to use to make connections that require stable endpoints work.
Hi fewi
Thanks, I have read this before and appreciate your effort. But I would like to know what other users using PCC have found to be the best. I have got the connection a bit better but am still struggling with YouTube and some downloads hanging.
Regards
Chupaka
September 28, 2010, 10:11am
8
the best one is ‘src-address’ =) user is stuck to some uplink and will not move to another one
Thanks Chupaka. src address and port or src address only? Bear in mind I have only 1 router connected to the gateway router doing the PCC.
fewi
September 28, 2010, 3:26pm
10
src-address is the most stable. Because of that it will take more end users to balance load fairly. If you only have two end users, for example, both of their src-address hashes could end up being the same mod 6, and you’d only use one DSL line for both. If you have lots of users it should work fine. src-address-and-port will be more random and distribute load better, but will also be less stable for end users and they might have problems. It’s a trade off. What exactly works for you you’ll have to find out by experiment.
Feklar
September 28, 2010, 4:38pm
11
We like to use src-address and dst-address as the classifier. This gives a fair amount of randomness and is stable: anytime an end user goes to a web site (assuming it always resolves to the same IP), they always go out of the same connection.
Feklar:
We like to use src-address and dst-address as the classifier. This gives a fair amount of randomness and is stable: anytime an end user goes to a web site (assuming it always resolves to the same IP), they always go out of the same connection.
I do the same and it works very well, no problems reported by users and a nice balance of traffic.
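The trade-off between src-address, both-addresses and the address-and-port classifiers discussed in the posts above, as an added simulation that is not part of any post in this thread. SHA-256 stands in for RouterOS's own hash (an assumption), and all addresses and ports are constructed sample traffic; the single-source scenario models a gateway that only ever sees one NATed address.

```python
import hashlib
from collections import Counter

LINES = 6  # PCC denominator: the six DSL lines in this thread

# Header fields each RouterOS classifier name feeds into the hash.
FIELDS = {
    "src-address": ("src",),
    "both-addresses": ("src", "dst"),
    "src-address-and-port": ("src", "sport"),
    "dst-address-and-port": ("dst", "dport"),
}

def pcc_line(conn, classifier, lines=LINES):
    """Remainder (0..lines-1) that selects the uplink for this connection."""
    key = "|".join(str(conn[f]) for f in FIELDS[classifier])
    # Stand-in hash (assumption): RouterOS's own hash is not reproduced here.
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % lines

def make_conns(sources, n_dsts=200, per_site=3):
    """Constructed traffic: each source opens per_site connections to each site."""
    conns, n = [], 0
    for src in sources:
        for d in range(1, n_dsts + 1):
            for _ in range(per_site):
                n += 1
                conns.append({"src": src, "dst": f"203.0.113.{d}",
                              "sport": 1024 + n % 60000,
                              "dport": 443 if d % 2 else 80})
    return conns

def spread(conns, classifier):
    """Connections per uplink."""
    return Counter(pcc_line(c, classifier) for c in conns)

def max_lines_per(conns, classifier, group):
    """Largest number of uplinks used by any one group, e.g. one (src, dst) pair."""
    seen = {}
    for c in conns:
        seen.setdefault(tuple(c[g] for g in group), set()).add(pcc_line(c, classifier))
    return max(len(s) for s in seen.values())

if __name__ == "__main__":
    scenarios = {
        "one NATed source": make_conns(["10.0.0.2"]),
        "50 clients": make_conns([f"10.0.1.{i}" for i in range(1, 51)]),
    }
    for name, conns in scenarios.items():
        for cls in FIELDS:
            print(f"{name:17} {cls:21} uplinks used={len(spread(conns, cls))} "
                  f"per-site max={max_lines_per(conns, cls, ('src', 'dst'))}")
```

A "per-site max" above 1 means connections between the same client and server leave through different uplinks, and therefore from different public addresses.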
I have been running it with both addresses for a couple of days and it looks ok. I am getting downloads that hang quite frequently, any ideas what can cause this?
does it hang on start of download or during the download?
Sometimes at the start, sometimes halfway, there is no way of telling really. YouTube also hangs about halfway through. I am finding PCC very unstable.
PCC can’t be unstable. probably, your config is unstable - we didn’t see it. at first, try ‘src-address’ as classifier. also, I saw a few times how people setup PCC balancing with ECMP routes, and actually ECMP was working, not PCC-based balancing…
This is my current config, please tell me what I am doing wrong. My src address is always the same as there is only 1 router connected to this RB. Thanks!
Mangle
add action=mark-routing chain=prerouting comment=HTTPS disabled=no dst-port=443 new-routing-mark="HTTPS 443" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment=POP3 disabled=no dst-port=110 new-routing-mark="POP3 110" passthrough=no protocol=tcp
add action=mark-connection chain=input comment="" disabled=no in-interface=ether01 new-connection-mark=adsl5.1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether02 new-connection-mark=adsl6.1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether03 new-connection-mark=adsl7.1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether04 new-connection-mark=adsl8.1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether05 new-connection-mark=adsl9.1_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl5.1_conn disabled=no new-routing-mark=to_adsl5.1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=adsl6.1_conn disabled=no new-routing-mark=to_adsl6.1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=adsl7.1_conn disabled=no new-routing-mark=to_adsl7.1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=adsl8.1_conn disabled=no new-routing-mark=to_adsl8.1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=adsl9.1_conn disabled=no new-routing-mark=to_adsl9.1 passthrough=no
add action=accept chain=prerouting comment="" disabled=no dst-address=172.168.5.0/24 in-interface=local
add action=accept chain=prerouting comment="" disabled=no dst-address=172.168.6.0/24 in-interface=local
add action=accept chain=prerouting comment="" disabled=no dst-address=172.168.7.0/24 in-interface=local
add action=accept chain=prerouting comment="" disabled=no dst-address=172.168.8.0/24 in-interface=local
add action=accept chain=prerouting comment="" disabled=no dst-address=172.168.9.0/24 in-interface=local
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-list="!Bypass PCC" dst-address-type=!local in-interface=local new-connection-mark=\
adsl5.1_conn passthrough=yes per-connection-classifier=both-addresses:5/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-list="!Bypass PCC" dst-address-type=!local in-interface=local new-connection-mark=\
adsl6.1_conn passthrough=yes per-connection-classifier=both-addresses:5/1
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-list="!Bypass PCC" dst-address-type=!local in-interface=local new-connection-mark=\
adsl7.1_conn passthrough=yes per-connection-classifier=both-addresses:5/2
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-list="!Bypass PCC" dst-address-type=!local in-interface=local new-connection-mark=\
adsl8.1_conn passthrough=yes per-connection-classifier=both-addresses:5/3
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-list="!Bypass PCC" dst-address-type=!local in-interface=local new-connection-mark=\
adsl9.1_conn passthrough=yes per-connection-classifier=both-addresses:5/4
add action=mark-routing chain=prerouting comment="" connection-mark=adsl5.1_conn disabled=no in-interface=local new-routing-mark=to_adsl5.1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=adsl6.1_conn disabled=no in-interface=local new-routing-mark=to_adsl6.1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=adsl7.1_conn disabled=no in-interface=local new-routing-mark=to_adsl7.1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=adsl8.1_conn disabled=no in-interface=local new-routing-mark=to_adsl8.1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=adsl9.1_conn disabled=no in-interface=local new-routing-mark=to_adsl9.1 passthrough=yes
Nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether01
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether02
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether03
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether04
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether05
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether07
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether08
Routes
add comment="HTTPS Traffic" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=196.214.57.97 routing-mark="HTTPS 443" scope=30 target-scope=10
add comment="POP3 Traffic LB2" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.2.2 routing-mark="POP3 110" scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.5.2 routing-mark=to_adsl5.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.6.2 routing-mark=to_adsl6.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.7.2 routing-mark=to_adsl7.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.8.2 routing-mark=to_adsl8.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.9.2 routing-mark=to_adsl9.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.5.2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=172.168.6.2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=172.168.7.2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=4 dst-address=0.0.0.0/0 gateway=172.168.8.2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=172.168.9.2 scope=30 target-scope=10
add comment="Router Deafault Route" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=172.168.2.2 scope=30 target-scope=10
so, you do double NAT - on both routes? that’s wrong. don’t NAT on first router, use ‘src-address’ as classifier and recheck
If I disable the NAT on the router behind the gateway everything dies. My mail server is also attached to this and I can’t ping it then.
PS. If I use src address all internet traffic goes through 1 DSL connection. The rest goes to 0kbps.
Chupaka
October 11, 2010, 1:34pm
20
make a drawing of your network. also, check ‘traceroute’ from the client to the Internet with first NAT enabled and disabled