I have been trying for days now to route incoming connections to a specific gateway. I have two WAN gateways with dynamic IPs from different ISPs.
The 1st WAN is PPPoE and the 2nd WAN is LAN (DHCP client) from a modem. The load balancing works great between them, but when I activate the 2nd WAN in order to get more speed
I am unable to access the FTP and CCTV DVR from outside. When WAN2 is closed, everything works 100%. There is a conflict between the external dynamic IPs and that's why I have this problem.
I don't know how to solve it. I would like to request your help please.
You need to mangle incoming connections by routing mark and route the replies back to the right WAN. At the moment you are most probably using default routing to the first WAN…
Thank you very much for your reply, but I don't know how to do that. Also I noticed that when I do a speedtest or check my external IP, the IP sometimes changes either to the one provider or to the 2nd provider. I would like you to show me how I can keep the IP from the 1st provider. But the speed each time is the same, no problem with that.
Thank you for your time helping me! I appreciate that. I really do.
You should provide anonymized full export. Then someone will point at the place where you need to make changes.
of course,
/ip firewall mangle
add action=accept chain=prerouting dst-address=10.10.10.0/24 in-interface=bridge1 log-prefix=""
add action=mark-connection chain=input in-interface=pppoe-out1 log-prefix="" new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1 log-prefix="" new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-routing chain=output connection-mark=WAN1_conn log-prefix="" new-routing-mark=to_WAN1 passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 log-prefix="" new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1 log-prefix="" new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1
add action=mark-routing chain=output connection-mark=WAN2_conn log-prefix="" new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge1 log-prefix="" new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=bridge1 log-prefix="" new-routing-mark=to_WAN1 passthrough=yes
add action=mark-packet chain=prerouting connection-mark=All_Download disabled=yes in-interface=pppoe-out1 log-prefix="" new-packet-mark=All_Download passthrough=no
add action=mark-connection chain=prerouting connection-bytes=262146-4294967295 disabled=yes in-interface=pppoe-out1 log-prefix="" new-connection-mark=All_Download passthrough=yes protocol=tcp src-port=21,80
/ip firewall nat
add action=masquerade chain=srcnat log-prefix="" out-interface=WAN2
add action=masquerade chain=srcnat log-prefix="" out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="DVR 1200" dst-port=1200 in-interface=pppoe-out1 log-prefix="" protocol=tcp to-addresses=10.10.10.33 to-ports=1200
/ip route
add distance=1 gateway=pppoe-out1 routing-mark=to_WAN1 scope=10
add distance=1 gateway=192.168.1.1 routing-mark=to_WAN2 scope=10
add check-gateway=ping disabled=yes distance=1 gateway=10.10.10.10%pppoe-out1 scope=10
add check-gateway=ping disabled=yes distance=2 gateway=192.168.1.1%WAN2 scope=10
The limit rules for ports 80 & 21 are disabled, and the mangle rules for them too.
Could anyone help me please?
You mark incoming connections only to router itself, but when you forward port inside, the connection does not get any mark. Change those two rules with chain=input to chain=prerouting. Also only set connection mark when there isn’t one already, i.e. add connection-mark=no-mark to rules.
I've changed these two from input to prerouting, but I don't understand where to set no-mark in the rules. Could you be more specific?
Also, I would like only the external IP from the 1st provider (pppoe-out1) to show up. For example, if I run a speedtest, sometimes it shows the 1st IP and sometimes the external IP from the second provider. Today I noticed that when trying to download a torrent it takes bandwidth only from the 2nd ISP, not from both. When I do a speedtest it shows the bandwidth from both WANs together (all OK), and one more thing: when trying an OpenVPN connection, if I don't disable one of the 2 WANs I cannot register because somewhere it conflicts. Thanks for your time helping me, sir.
Add connection-mark=no-mark condition to all rules where you set connection mark. Because if you don’t, the new connection from WAN will first get e.g. WAN1_conn mark, but first reply packet from bridge1 will be matched by one of your PCC rules and the connection might end up with the other mark and then routed to wrong WAN.
I did it as you advised me, but now the 2nd WAN (WAN2) doesn't give bandwidth. Here is my mangle table print:
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=change-mss new-mss=1440 tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1441-65535
1 D chain=forward action=change-mss new-mss=1440 tcp-flags=syn protocol=tcp in-interface=all-ppp tcp-mss=1441-65535
2 chain=prerouting action=accept dst-address=10.10.10.0/24 in-interface=bridge1 log=no log-prefix=""
3 chain=prerouting action=mark-connection new-connection-mark=no-mark passthrough=no in-interface=pppoe-out1 log=no log-prefix=""
4 chain=prerouting action=mark-connection new-connection-mark=no-mark passthrough=yes dst-address-type=!local in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:2/0 log=no log-prefix=""
5 chain=output action=mark-routing new-routing-mark=no-mark passthrough=no log=no log-prefix=""
6 chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=no in-interface=WAN2 log=no log-prefix=""
7 chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=yes dst-address-type=!local in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:2/1 log=no log-prefix=""
8 chain=output action=mark-routing new-routing-mark=to_WAN2 passthrough=no log=no log-prefix=""
9 chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=no in-interface=bridge1 log=no log-prefix=""
10 chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=no in-interface=bridge1 log=no log-prefix=""
11 XI chain=prerouting action=mark-packet new-packet-mark=All_Download passthrough=no connection-mark=All_Download in-interface=pppoe-out1 log=no log-prefix=""
12 XI chain=prerouting action=mark-connection new-connection-mark=All_Download passthrough=yes protocol=tcp connection-bytes=262146-4294967295 in-interface=pppoe-out1 src-port=21,80 log=no log-prefix=""
13 XI ;;; in wan1,out wan1
chain=input action=mark-connection new-connection-mark=wan1_conn passthrough=yes in-interface=pppoe-out1 log=no log-prefix=""
14 XI ;;; in wan1,out wan1
chain=output action=mark-routing new-routing-mark=wan1_traffic passthrough=no connection-mark=pppoe-out1 log=no log-prefix=""
15 XI ;;; in wan2,out wan2
chain=input action=mark-connection new-connection-mark=wan2_conn passthrough=yes in-interface=WAN2 log=no log-prefix=""
16 XI ;;; in wan2,out wan2
chain=output action=mark-routing new-routing-mark=wan2_traffic passthrough=no connection-mark=wan2_conn log=no log-prefix=""
17 XI ;;; pfw wan1, out wan1
chain=forward action=mark-connection new-connection-mark=wan1_pfw passthrough=no connection-state=new in-interface=pppoe-out1 log=no log-prefix=""
18 XI ;;; pfw wan1, out wan1
chain=prerouting action=mark-routing new-routing-mark=wan1_traffic passthrough=no connection-mark=wan1_pfw in-interface=bridge1 log=no log-prefix=""
19 XI ;;; pfw wan2, out wan2
chain=forward action=mark-connection new-connection-mark=wan2_pfw passthrough=no connection-state=new in-interface=WAN2 log=no log-prefix=""
20 XI ;;; pfw wan2, out wan2
chain=prerouting action=mark-routing new-routing-mark=wan2_traffic passthrough=no connection-mark=wan2_pfw in-interface=bridge1 log=no log-prefix=""
It doesn’t look like what I’ve suggested. What I meant was to take connection marking rules from your original config, add connection-mark=no-mark (*1) to them, and not touch anything else:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 \
new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1 \
new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 \
new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1 \
new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1
(*1) “connection-mark” is a condition (“only use this rule when the connection has this mark”, where “no-mark” means “doesn’t have any specific mark”) and “new-connection-mark” is an action (“set this mark”). Together “connection-mark=no-mark new-connection-mark=” means “set connection mark , but only when the connection doesn’t have any other mark yet”. That’s what I was explaining: once you get an incoming connection from WAN marked, you need to prevent the outgoing rules (with in-interface=bridge1) from changing the mark.
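A constructed Python model of the rule evaluation this reply describes, added here and not part of the thread or of RouterOS. It assumes the three marking rules and the two routing marks named in the thread, and uses a fixed stand-in (the DVR reply lands in PCC bucket 2/0) instead of the real PCC hash.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    in_iface: str
    new_mark: str
    no_mark_only: bool                           # models connection-mark=no-mark
    pcc: Optional[Callable[[str], bool]] = None  # models per-connection-classifier

# routing marks the thread's /ip route entries attach to each connection mark
ROUTE_FOR_MARK = {"WAN1_conn": "to_WAN1", "WAN2_conn": "to_WAN2"}

def mangle(rules, packets):
    """Run every (in_iface, conn_id) packet through the rules in order (all are
    passthrough=yes, so a match does not stop evaluation); return the mark table."""
    marks = {}
    for in_iface, conn_id in packets:
        for r in rules:
            if r.in_iface != in_iface:
                continue
            if r.no_mark_only and marks.get(conn_id):
                continue      # connection-mark=no-mark: leave an existing mark alone
            if r.pcc is not None and not r.pcc(conn_id):
                continue
            marks[conn_id] = r.new_mark
    return marks

def rules(no_mark_only):
    # stand-in for PCC 2/0 and 2/1: assume the DVR reply hashes to remainder 0
    return [
        Rule("WAN2", "WAN2_conn", no_mark_only),
        Rule("bridge1", "WAN1_conn", no_mark_only, pcc=lambda c: c == "dvr"),
        Rule("bridge1", "WAN2_conn", no_mark_only, pcc=lambda c: c != "dvr"),
    ]

def reply_route(no_mark_only):
    """Routing mark the DVR's reply ends up with: the SYN arrives on WAN2 and the
    dst-nat'ed LAN host answers from bridge1, where the PCC rules also match."""
    pkts = [("WAN2", "dvr"), ("bridge1", "dvr")]
    return ROUTE_FOR_MARK[mangle(rules(no_mark_only), pkts)["dvr"]]

if __name__ == "__main__":
    print("without no-mark:", reply_route(False))  # reply is re-marked and leaves the wrong WAN
    print("with no-mark:   ", reply_route(True))   # reply keeps WAN2_conn and goes back via WAN2
```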
OK… maybe I misunderstand your words… but I am trying everything each time… please check if now my mangle rules are correct. If not, please write down for me the exact
rules because I don't want to be wearing. But even here in the forum I wrote the post reply 3 times, because every time my external IP changes from the 1st provider to the 2nd it needs to relogin.
If they are correct, then no luck.
Thank you for your efforts!
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=change-mss new-mss=1440 tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1441-65535
1 D chain=forward action=change-mss new-mss=1440 tcp-flags=syn protocol=tcp in-interface=all-ppp tcp-mss=1441-65535
2 chain=prerouting action=accept dst-address=10.10.10.0/24 in-interface=bridge1 log=no log-prefix=""
3 chain=prerouting action=mark-connection new-connection-mark=no-mark passthrough=yes connection-mark=no-mark in-interface=pppoe-out1 log=no log-prefix=""
4 chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:2/0 log=no log-prefix=""
5 chain=output action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn log=no log-prefix=""
6 chain=prerouting action=mark-connection new-connection-mark=no-mark passthrough=yes connection-mark=no-mark in-interface=WAN2 log=no log-prefix=""
7 chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:2/1 log=no log-prefix=""
8 chain=output action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn log=no log-prefix=""
9 chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn in-interface=bridge1 log=no log-prefix=""
10 chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn in-interface=bridge1 log=no log-prefix=""
In rule #3 change new-connection-mark=no-mark to new-connection-mark=WAN1_conn.
In rule #6 change new-connection-mark=no-mark to new-connection-mark=WAN2_conn.
(Do NOT touch connection-mark=no-mark in both #3 and #6)
This will take care of incoming connections getting routed back correctly.
About changing address, it’s the result of both-addresses-and-ports in per-connection-classifier, because even when you connect to same server and same port and your internal address stays the same, your source port changes for every request. Try to use both-addresses instead.
It works now like a charm! Thank you very much!
About the changing address, when I choose both-addresses (rules 4 and 7) only WAN2 works. Any idea about that?
From the manual:
PCC takes selected fields from IP header, and with the help of a hashing algorithm converts selected fields into 32-bit value. This value then is divided by a specified Denominator and the remainder then is compared to a specified Remainder, if equal then packet will be captured.
If you use both-addresses it will take your source address and target server’s address and make decisions based on them. So when going to some server, your PC will only use one WAN. And when going to another server, it might use the other WAN. From your point of view, it will be pretty much random, but statistically it will be 50/50. And another PC in same LAN may have it different. Your previous both-addresses-and-ports could use both WANs even for same target server, because source port changes for every connection. But then you have the problem with changing public addresses for every request and some servers don’t like that.
In short, you have to choose if you prefer non-changing address or better chance to have combined bandwidth of both connections.
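A constructed simulation of the PCC behaviour explained above, added here and not part of the thread or of RouterOS. The 32-bit hash is a SHA-256 stand-in, since the thread only states that selected header fields are hashed, divided by the denominator and the remainder compared; the addresses are made-up sample values.

```python
import hashlib
from collections import Counter

def pcc_hash(fields):
    """32-bit value derived from the selected header fields (SHA-256 stand-in)."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def pcc_remainder(src, dst, sport, dport, classifier, denominator=2):
    """Remainder that the mangle rule compares against its configured value."""
    selected = {
        "src-address": (src,),
        "both-addresses": (src, dst),
        "both-addresses-and-ports": (src, dst, sport, dport),
    }[classifier]
    return pcc_hash(selected) % denominator

def choose_wan(remainder):
    # mirrors the thread's rules: 2/0 -> WAN1_conn, 2/1 -> WAN2_conn
    return "WAN1" if remainder == 0 else "WAN2"

def same_server_spread(classifier, connections=512):
    """One LAN PC opening many connections to one server, a fresh source port each."""
    src, dst, dport = "10.10.10.5", "203.0.113.10", 443   # constructed sample addresses
    return Counter(choose_wan(pcc_remainder(src, dst, 1024 + i, dport, classifier))
                   for i in range(connections))

def many_servers_spread(classifier, servers=256):
    """The same PC talking to many different servers from one source port."""
    return Counter(choose_wan(pcc_remainder("10.10.10.5", f"203.0.113.{i}", 40000, 443, classifier))
                   for i in range(servers))

if __name__ == "__main__":
    for mode in ("both-addresses", "both-addresses-and-ports"):
        print(mode, "same server:", dict(same_server_spread(mode)),
              "many servers:", dict(many_servers_spread(mode)))
```

With both-addresses every connection to one server lands on the same WAN (a stable public address, but no combined bandwidth for that server); with both-addresses-and-ports the changing source port spreads them over both WANs.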