Port Forward not working with PCC Load Balancing

I’m trying to set up a port forward rule with my PCC setup, but it’s not working 100%. My port forwards are working through WAN1, but not through WAN2 or WAN3. It only works through WAN2 when I disable WAN1. I’m a bit of a noob when it comes to this sort of routing, so any help would be awesome.

My config is as follows:

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=WAN3_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=output connection-mark=WAN3_conn action=mark-routing new-routing-mark=to_WAN3

add chain=prerouting dst-address=10.1.1.0/30 action=accept in-interface=17216
add chain=prerouting dst-address=10.2.2.0/30 action=accept in-interface=17216
add chain=prerouting dst-address=10.3.3.0/30 action=accept in-interface=17216

add chain=prerouting dst-address-type=!local in-interface=17216 per-connection-classifier=both-addresses-and-ports:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=17216 per-connection-classifier=both-addresses-and-ports:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=17216 per-connection-classifier=both-addresses-and-ports:3/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=17216 action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=17216 action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting connection-mark=WAN3_conn in-interface=17216 action=mark-routing new-routing-mark=to_WAN3


/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.3.3.1 routing-mark=to_WAN3 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.2.2.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.3.3.1 distance=3 check-gateway=ping


/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
add chain=srcnat out-interface=WAN3 action=masquerade

add action=dst-nat chain=dstnat dst-port=80,10000 in-interface=WAN1 protocol=tcp to-addresses=172.16.0.2
add action=dst-nat chain=dstnat dst-port=80,6802,6803 in-interface=WAN2 protocol=tcp to-addresses=172.16.10.200
add action=dst-nat chain=dstnat dst-port=25,143,1111,22,110 in-interface=WAN3 protocol=tcp to-addresses=172.16.10.100

From what I understand, I’m missing something or something is not right in my marking. Can someone please help me?

These input chain and output chain rules are affecting traffic to/from the router itself - do you realize that? I.e. input/output does not refer to WAN<>LAN traffic.

So how would I fix it?

I am also using port forwarding with PCC and it works without any difficulty.
I have a dual-WAN PCC setup. It’s something like below:

DSL1 |
| >>>> RB750 as PCC >>>> RB450G as pppoe server >>> Users
DSL2 |


I wanted to access the RB450G web server (which is running on port 1234).
First I created a port forwarding rule on the DSL which forwards port 1234 to the RB750, and I have added the following dst-nat rules on the RB750.

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=1234 in-interface=WAN1 protocol=tcp to-addresses=192.168.5.3 to-ports=1234
add action=dst-nat chain=dstnat disabled=no dst-port=1234 in-interface=WAN2 protocol=tcp to-addresses=192.168.5.3 to-ports=1234

192.168.5.3 is RB450G IP address.

Now when I try to access the public IP of DSL1, it simply forwards my request to the RB750, which again forwards it to the RB450G, and it’s working fine for me.

I’ve revised my config and still can’t get my port forward to work on all the lines.

Here is my setup:

[admin@Core Router] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   172.16.0.1/16      172.16.0.0      17216
 1   172.17.0.1/16      172.17.0.0      17217
 2   10.1.1.2/29        10.1.1.0        WAN1
 3   10.2.2.2/29        10.2.2.0        WAN2
 4   10.3.3.2/29        10.3.3.0        WAN3



/ip route print detail 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=10.1.1.1 gateway-status=10.1.1.1 reachable via  WAN1 check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_WAN1 
 1 A S  dst-address=0.0.0.0/0 gateway=10.2.2.1 gateway-status=10.2.2.1 reachable via  WAN2 check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_WAN2 
 2   S  dst-address=0.0.0.0/0 gateway=10.3.3.1 gateway-status=10.3.3.1 unreachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_WAN3 
 3 A S  dst-address=0.0.0.0/0 gateway=10.1.1.1 gateway-status=10.1.1.1 reachable via  WAN1 check-gateway=ping distance=1 scope=30 target-scope=10 
 4   S  dst-address=0.0.0.0/0 gateway=10.2.2.1 gateway-status=10.2.2.1 reachable via  WAN2 check-gateway=ping distance=2 scope=30 target-scope=10 
 5   S  dst-address=0.0.0.0/0 gateway=10.3.3.1 gateway-status=10.3.3.1 unreachable check-gateway=ping distance=3 scope=30 target-scope=10 
 6 ADC  dst-address=10.1.1.0/29 pref-src=10.1.1.2 gateway=WAN1 gateway-status=WAN1 reachable distance=0 scope=10 
 7 ADC  dst-address=10.2.2.0/29 pref-src=10.2.2.2 gateway=WAN2 gateway-status=WAN2 reachable distance=0 scope=10 
 8  DC  dst-address=10.3.3.0/29 pref-src=10.3.3.2 gateway=WAN3 gateway-status=WAN3 unreachable distance=0 scope=255 
 9 ADC  dst-address=172.16.0.0/16 pref-src=172.16.0.1 gateway=17216 gateway-status=17216 reachable distance=0 scope=10 
10 ADC  dst-address=172.17.0.0/16 pref-src=172.17.0.1 gateway=17217 gateway-status=17217 reachable distance=0 scope=10



/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=output action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn 
 1   chain=output action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn 
 2   chain=output action=mark-routing new-routing-mark=to_WAN3 passthrough=yes connection-mark=WAN3_conn 
 3   chain=prerouting action=accept dst-address=10.1.1.0/29 in-interface=17216 
 4   chain=prerouting action=accept dst-address=10.2.2.0/29 in-interface=17216 
 5   chain=prerouting action=accept dst-address=10.3.3.0/29 in-interface=17216 
 6   chain=prerouting action=accept dst-address=10.1.1.0/29 in-interface=17217 
 7   chain=prerouting action=accept dst-address=10.2.2.0/29 in-interface=17217 
 8   chain=prerouting action=accept dst-address=10.3.3.0/29 in-interface=17217 
 9   chain=input action=mark-connection new-connection-mark=WAN1_conn passthrough=yes in-interface=WAN1 connection-mark=no-mark 
10   chain=input action=mark-connection new-connection-mark=WAN2_conn passthrough=yes in-interface=WAN2 connection-mark=no-mark 
11   chain=input action=mark-connection new-connection-mark=WAN3_conn passthrough=yes in-interface=WAN3 connection-mark=no-mark 
12   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local in-interface=17216 connection-mark=no-mark per-connection-classifier=both-addresses:3/0 
13   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local in-interface=17216 connection-mark=no-mark per-connection-classifier=both-addresses:3/1 
14   chain=prerouting action=mark-connection new-connection-mark=WAN3_conn passthrough=yes dst-address-type=!local in-interface=17216 connection-mark=no-mark per-connection-classifier=both-addresses:3/2 
15   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local in-interface=17217 connection-mark=no-mark per-connection-classifier=both-addresses:3/0 
16   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local in-interface=17217 connection-mark=no-mark per-connection-classifier=both-addresses:3/1 
17   chain=prerouting action=mark-connection new-connection-mark=WAN3_conn passthrough=yes dst-address-type=!local in-interface=17217 connection-mark=no-mark per-connection-classifier=both-addresses:3/2 
18   chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes in-interface=17216 connection-mark=WAN1_conn 
19   chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes in-interface=17216 connection-mark=WAN2_conn 
20   chain=prerouting action=mark-routing new-routing-mark=to_WAN3 passthrough=yes in-interface=17216 connection-mark=WAN3_conn 
21   chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes in-interface=17217 connection-mark=WAN1_conn 
22   chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes in-interface=17217 connection-mark=WAN2_conn 
23   chain=prerouting action=mark-routing new-routing-mark=to_WAN3 passthrough=yes in-interface=17217 connection-mark=WAN3_conn



 /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; NAT:
     chain=srcnat action=masquerade out-interface=WAN1 
 1   chain=srcnat action=masquerade out-interface=WAN2 
 2   chain=srcnat action=masquerade out-interface=WAN3 
 3   ;;; WAN1 Port Forwards:
     chain=dstnat action=dst-nat to-addresses=172.16.0.2 to-ports=80 protocol=tcp in-interface=WAN1 dst-port=80 
 4   chain=dstnat action=dst-nat to-addresses=172.16.0.2 to-ports=10000 protocol=tcp in-interface=WAN1 dst-port=10000 
 5   chain=dstnat action=dst-nat to-addresses=172.16.10.200 to-ports=6802 protocol=tcp in-interface=WAN1 dst-port=6802 
 6   chain=dstnat action=dst-nat to-addresses=172.16.10.200 to-ports=6803 protocol=tcp in-interface=WAN1 dst-port=6803 
 7   ;;; WAN2 Port Forwards:
     chain=dstnat action=dst-nat to-addresses=172.16.10.200 to-ports=80 protocol=tcp in-interface=WAN2 dst-port=80 
 8   chain=dstnat action=dst-nat to-addresses=172.16.10.200 to-ports=6802 protocol=tcp in-interface=WAN2 dst-port=6802 
 9   chain=dstnat action=dst-nat to-addresses=172.16.10.200 to-ports=6803 protocol=tcp in-interface=WAN2 dst-port=6803 
10   ;;; WAN3 Port Forwards:
     chain=dstnat action=dst-nat to-addresses=172.16.10.100 to-ports=25 protocol=tcp in-interface=WAN3 dst-port=25 
11   chain=dstnat action=dst-nat to-addresses=172.16.10.100 to-ports=143 protocol=tcp in-interface=WAN3 dst-port=143 
12   chain=dstnat action=dst-nat to-addresses=172.16.10.100 to-ports=1111 protocol=tcp in-interface=WAN3 dst-port=1111 
13   chain=dstnat action=dst-nat to-addresses=172.16.10.100 to-ports=22 protocol=tcp in-interface=WAN3 dst-port=22 
14   chain=dstnat action=dst-nat to-addresses=172.16.10.100 to-ports=110 protocol=tcp in-interface=WAN3 dst-port=110

I followed the advice on http://forum.mikrotik.com/t/port-forwarding-with-pcc/41642/1 but it still doesn’t work. Please can someone help? I’m not sure what I am missing.
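
The point made in the reply about input/output chains, applied to the revised config, as an added example that is not part of the original thread: a connection that is dst-nat'ed to a LAN host goes through forward, not input, so it is never marked with the WAN it arrived on, and the server's reply packets are then classified by the PCC rules as if they were new LAN traffic. The block assumes the remaining mangle, route and NAT rules stay exactly as posted.

```routeros
# Added example, not from the thread. Interface names (WAN1-3, 17216, 17217)
# and mark names (WANx_conn, to_WANx) are the ones in the revised config.

/ip firewall mangle

# Remove the three input-chain marking rules (9-11 in the mangle print).
# chain=input only sees packets addressed to the router itself, so a
# connection that is dst-nat'ed to 172.16.x.x never receives a mark there.
# Assumption: these are the only chain=input mark-connection rules present.
remove [find chain=input action=mark-connection]

# Mark every new connection with the WAN it arrived on, in prerouting.
# Mangle prerouting is evaluated before dst-nat and before the routing
# decision, so it covers forwarded (port-forwarded) traffic as well as
# traffic to the router itself.
add chain=prerouting in-interface=WAN1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=WAN2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting in-interface=WAN3 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN3_conn passthrough=yes

# Rule order relative to the PCC rules does not matter here: these match
# in-interface=WANx, while rules 12-17 match in-interface=17216/17217.
#
# Resulting path for a forward that arrives on WAN2:
#   1. SYN enters WAN2      -> connection marked WAN2_conn (rules above)
#   2. dst-nat              -> forwarded to the LAN server
#   3. reply enters 17216   -> PCC rules 12-14 skip it, because they
#                              require connection-mark=no-mark
#   4. rule 19              -> routing mark to_WAN2, leaves via 10.2.2.1
#   5. srcnat masquerade    -> reply is un-NATed on the same WAN

# Check: open a forwarded port on the WAN2 address from outside, then
# confirm the tracked connection carries the WAN2 mark.
/ip firewall connection print where connection-mark=WAN2_conn
```

In the `/ip route print detail` output above, WAN3 is shown as unreachable, so forwards arriving on WAN3 cannot work until that link is up, whatever the marking.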