Problem using a forum with PCC load balance

I have combined two equal ADSL lines using PCC. There is a forum (http://www.****.com) and when I log in to the forum, the forum signs me out and I have to log in again. Next, I try to connect to one of the modems directly and I was able to use the forum normally. Next, I connect to the other ADSL modem and the forum logs me out.

I think the forum doesn’t allow the user to log in from two IP addresses.

what should I do?


Note: the code that I am using

/ip firewall address-list
add list=exempt-from-pcc address=192.168.9.168/32
add list=exempt-from-pcc address=192.168.3.168/32

/ip firewall mangle
add chain=prerouting dst-address-list=exempt-from-pcc action=accept


/ip address
add address=192.168.9.60/24 broadcast=192.168.9.255 comment="" disabled=no interface=wan1 network=192.168.9.0
add address=192.168.3.60/24 broadcast=192.168.3.255 comment="" disabled=no interface=wan2 network=192.168.3.0
add address=192.168.1.168/24 broadcast=192.168.1.255 comment="" disabled=no interface=lan network=192.168.1.0

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=wan1 new-connection-mark=wan1_conn passthrough=yes    
add action=mark-connection chain=input comment="" disabled=no in-interface=wan2 new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan1_conn disabled=no new-routing-mark=wan1 passthrough=yes    
add action=mark-routing chain=output comment="" connection-mark=wan2_conn disabled=no new-routing-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0  
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=wan1_conn disabled=no in-interface=lan new-routing-mark=wan1 passthrough=yes    
add action=mark-routing chain=prerouting comment="" connection-mark=wan2_conn disabled=no in-interface=lan new-routing-mark=wan2 passthrough=yes

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 routing-mark=wan1 scope=30 target-scope=10    
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.168 routing-mark=wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.3.168 scope=30 target-scope=10

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan2
/ip dns set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512

In PCC classifier use src-address.

Before, I had the following code to access the modem page of the two modems.

/ip firewall address-list
add list=exempt-from-pcc address=192.168.9.168/32
add list=exempt-from-pcc address=192.168.3.168/32
/ip firewall mangle
add chain=prerouting dst-address-list=exempt-from-pcc action=accept

I have added the following line

/ip firewall address-list
add list=exempt-from-pcc address=x.x.x.x/32

where x.x.x.x is the IP of the forum.

Now it is working, but it is a bit slow. The forum might be the one that is slow.

/ip firewall address-list
add list=exempt-from-pcc address=x.x.x.x/32

This way, your forum will make use of your default route.
You will still have problems with secure sites and some game servers unless you make use of src-address in PCC classifier.

how to do that?

Have a look at the Mikrotik wiki PCC page, they have a nice example and description.

It turns out that there are many forums that have the same problem as that forum (they do not allow a user to log in from two different IPs at the same time). Do I have to add their IPs one by one as my users request?

You’ve been told the solution twice already in this thread: use src-address as the classifier. The manuals outline how.
http://wiki.mikrotik.com/wiki/Manual:PCC#Theory
http://wiki.mikrotik.com/wiki/How_PCC_works_(beginner)

Do you mean that I should change the per-connection-classifier from both-addresses-and-ports to src-address-and-port,

or just add the code:

/ip firewall mangle add chain=prerouting action=mark-connection \
 new-connection-mark=1st_conn per-connection-classifier=src-address-and-port:3/0
/ip firewall mangle add chain=prerouting action=mark-connection \
  new-connection-mark=2nd_conn per-connection-classifier=src-address-and-port:3/1
/ip firewall mangle add chain=prerouting action=mark-connection \
  new-connection-mark=3rd_conn per-connection-classifier=src-address-and-port:3/2

Note: all src addresses are 192.168.1.60 because I am using two different routers, one for combining the two lines and one for the hotspot.

No, you should change it to src-address and remove all masquerade rules on the Hotspot router so that the real source addresses are seen. You don’t need NAT on that router, and should only NAT when it is absolutely required. src-address-and-port doesn’t help you as per the beginner link - browsers choose random source ports for HTTP requests.
When you remove the NAT rule you probably will have to insert a route to the customer Hotspot network on the PCC router with a next hop equal to the IP address on the directly connected Hotspot router interface, which presumably is 192.168.1.60. That is so that the PCC router can find the Hotspot users via that connection.

The internet stops working when I remove the masquerade rules on the hotspot+PPPoE router.

On one router, I have combined the two ADSL lines, and on the second router I have a WAN that is connected to the LAN of the first router, and a LAN for hotspot and PPPoE.

The forum is now working after adding its IP to the exempt-from-pcc list.

What kind of secure sites is Egate talking about? (I heard there is a problem with users having accounts on hosting sites; they say that they cannot log in to the control panel of their sites.)

Note: the WAN of the hotspot router is 192.168.1.60 and the LAN of the dual-WAN Mikrotik router is 192.168.1.168.

On the hotspot router, there is a route for 192.168.1.168.

Did you insert a route to the Hotspot network and all other relevant networks on the PCC router? It sounds like you didn’t.

Post the output of “/ip route print detail”, “/ip address print detail”, “/ip firewall nat export”, and “/interface print detail” from both routers if these general instructions aren’t sufficient and you need specific, step by step help.

Egate is talking about any site that does session wide source address verification.

Hotspot router:

/ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.1.168 
        gateway-status=192.168.1.168 reachable wan distance=1 scope=30 
        target-scope=10 

 1 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.60 gateway=wan 
        gateway-status=wan reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.2.0/24 pref-src=192.168.2.1 gateway=lan 
        gateway-status=lan reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.5.254/32 pref-src=192.168.2.5 gateway=<pppoe-saif> 
        gateway-status=<pppoe-saif> reachable distance=0 scope=10



/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.2.1/24 network=192.168.2.0 interface=lan 
     actual-interface=lan 

 1   address=192.168.1.60/24 network=192.168.1.0 interface=wan 
     actual-interface=wan 

3 D address=192.168.2.5/32 network=192.168.5.254 interface=<pppoe-xxx> 
     actual-interface=<pppoe-xxx>



/ip firewall nat export

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=192.168.2.0/24
add action=redirect chain=dstnat comment="Transparent Proxy" disabled=\
    yes dst-port=80 protocol=tcp to-ports=8080
add action=masquerade chain=srcnat comment="masquerade pppoe network" \
    disabled=no src-address=192.168.5.0/24



/interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="wan" type="ether" mtu=1500 

 1  R  name="lan" type="ether" mtu=1500 l2mtu=1600 

 2 DR  name="<pppoe-xxx>" type="pppoe-in" mtu=1460



Dual WAN router (with PCC):

/ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.9.168 
        gateway-status=192.168.9.168 reachable wan1 check-gateway=ping 
        distance=1 scope=30 target-scope=10 routing-mark=wan1 

 1 A S  dst-address=0.0.0.0/0 gateway=192.168.3.168 
        gateway-status=192.168.3.168 reachable wan2 check-gateway=ping 
        distance=1 scope=30 target-scope=10 routing-mark=wan2 

 2 A S  dst-address=0.0.0.0/0 gateway=192.168.9.168 
        gateway-status=192.168.9.168 reachable wan1 check-gateway=ping 
        distance=1 scope=30 target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=192.168.3.168 
        gateway-status=192.168.3.168 reachable wan2 check-gateway=ping 
        distance=2 scope=30 target-scope=10 

 4 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.168 gateway=lan 
        gateway-status=lan reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.3.0/24 pref-src=192.168.3.60 gateway=wan2 
        gateway-status=wan2 reachable distance=0 scope=10 

 6 ADC  dst-address=192.168.9.0/24 pref-src=192.168.9.60 gateway=wan1 
        gateway-status=wan1 reachable distance=0 scope=10



/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.1.168/24 network=192.168.1.0 interface=lan actual-interface=lan 

 1   address=192.168.9.60/24 network=192.168.9.0 interface=wan1 actual-interface=wan1 

 2   address=192.168.3.60/24 network=192.168.3.0 interface=wan2 actual-interface=wan2



/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=wan1
add action=masquerade chain=srcnat disabled=no out-interface=wan2



/interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="wan1" type="ether" mtu=1500 l2mtu=1526 

 1  R  name="lan" type="ether" mtu=1500 l2mtu=1522 

 2  R  name="wan2" type="ether" mtu=1500 l2mtu=1522 

 3     name="ether4" type="ether" mtu=1500 l2mtu=1522 

 4     name="ether5" type="ether" mtu=1500 l2mtu=1522

On the Hotspot router disable ALL NAT, including the transparent proxy:

/ip firewall nat { disable [find] };

On the Hotspot router prevent all other Hotspot proxying, this should be the only active NAT rule:

/ip firewall nat add chain=pre-hotspot hotspot=auth dst-address-type=!local action=accept

On the PCC router add a route to the Hotspot/PPPoE network:

/ip route add dst-address=192.168.2.0/24 gateway=192.168.1.60

Then change the PCC classifier to “src-address” (just "src-address", no other option will fix your problem).

That is it. It’s the only general solution to your problem, if you don’t use that you will forever be making exemptions and some sites won’t work for your customers. You can’t use a transparent or manually configured proxy with this.

I did this and the internet stopped working.

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan2

You should probably have this enabled. Sounds like NAT is disabled on the ADSL modem. Definitely disable the transparent proxy.

I can’t help you if the only feedback is “it doesn’t work”.

Good luck with your issue.

I have rebooted the routers. PPPoE is the one that stopped working and I had to enable the masquerade for it.

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade pppoe network" \
    disabled=no src-address=192.168.5.0/24

Another thing: on the PCC router, in the mangle prerouting chain, should I use src-address only or src-address-and-port?

Yes, of course. NAT should be turned off on the Hotspot router ONLY. It’s necessary on the PCC router.

Again, you should use ‘src-address’. Read the “How PCC works (beginner)” link again. ‘src-address-and-port’ includes the source port in the decision, the source port is random, so it doesn’t help your issue with getting all hits to that forum on the same WAN connection. Only ‘src-address’ is going to keep that stable.

Thank you fewi. I just hope that the heavy download users are split between the two ADSL lines, because now each user's traffic goes through one line only.
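The behaviour fewi describes above (ports in the hash scatter one user's connections over both lines; src-address pins each user to one line; masquerading on the hotspot router collapses every user onto one address, and therefore onto one line) can be checked with a small model of the classifier. The block below is an added example, not code from the thread and not MikroTik's implementation: RouterOS does not document its PCC hash, so SHA-256 truncated to 32 bits is assumed in its place, and the client, forum (203.0.113.10) and port values are constructed sample data. Only the selection logic is what the example demonstrates.

```python
"""
Model of a per-connection classifier (PCC) spreading connections over N
uplinks. Added example: not MikroTik code. The hash (SHA-256 truncated to
32 bits) is an assumed stand-in for RouterOS's undocumented hash.
"""
import hashlib
import ipaddress
import struct
from collections import Counter

# Connection fields that each classifier mode feeds into the hash.
MODES = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "src-address-and-port": ("src", "sport"),
    "dst-address-and-port": ("dst", "dport"),
    "both-addresses": ("src", "dst"),
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
}


def classify(conn, mode, denominator):
    """Remainder 0..denominator-1 assigned to `conn`. A mangle rule with
    per-connection-classifier=<mode>:<denominator>/<R> matches exactly the
    connections for which this returns R."""
    h = hashlib.sha256()  # assumed hash, see module docstring
    for field in MODES[mode]:
        if field in ("src", "dst"):
            h.update(ipaddress.ip_address(conn[field]).packed)
        else:
            h.update(struct.pack("!H", conn[field]))
    return int.from_bytes(h.digest()[:4], "big") % denominator


def pick_wan(conn, mode, wans=("wan1", "wan2")):
    """Uplink chosen for one connection (two WANs, as in the thread)."""
    return wans[classify(conn, mode, len(wans))]


def wans_seen_by_server(conns, mode):
    """Uplinks, hence public IPs, a server sees across one client's
    connections. Two entries is what logs the user out of the forum."""
    return {pick_wan(c, mode) for c in conns}


def load_split(conns, mode):
    """Number of connections that land on each uplink."""
    return Counter(pick_wan(c, mode) for c in conns)


def masquerade(conn, public_src):
    """srcnat masquerade on the hotspot router: the PCC router then sees
    every client with the same source address."""
    return {**conn, "src": public_src}


# Constructed sample traffic (RFC 5737 address for the forum): one hotspot
# user opening 64 HTTP connections from ephemeral ports, and 200 hotspot
# users each opening one connection.
FORUM = "203.0.113.10"
ONE_USER = [
    {"src": "192.168.2.17", "dst": FORUM, "sport": 49152 + i, "dport": 80}
    for i in range(64)
]
MANY_USERS = [
    {"src": f"192.168.2.{i}", "dst": FORUM, "sport": 49152, "dport": 80}
    for i in range(1, 201)
]
HOTSPOT_WAN = "192.168.1.60"  # hotspot router's address facing the PCC router


def scenario_report():
    """The three situations discussed in the thread, side by side."""
    return {
        # ports in the hash: one user's requests straddle both lines
        "ports_in_hash": wans_seen_by_server(ONE_USER, "both-addresses-and-ports"),
        # src-address only: one user stays on one line ...
        "src_only": wans_seen_by_server(ONE_USER, "src-address"),
        # ... while different users still spread over both lines
        "src_only_split": load_split(MANY_USERS, "src-address"),
        # ... unless the hotspot router masqueraded first, in which case
        # everyone hashes identically and all traffic takes a single line
        "src_only_behind_nat": load_split(
            [masquerade(c, HOTSPOT_WAN) for c in MANY_USERS], "src-address"
        ),
    }


if __name__ == "__main__":
    for name, result in scenario_report().items():
        print(f"{name}: {result}")
```

The last scenario is the reason fewi insists on removing the masquerade from the hotspot router and adding a route back to 192.168.2.0/24 instead: with src-address as the classifier, per-user balancing only exists if the PCC router sees the real client addresses.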