I'm using a Mikrotik RB951G-2HnD with firmware 6.35 and have not been able to get PCC to work reliably, specifically with the business.facebook.com portal. What’s happening is that some users are able to reach this site with no problem while others can’t; instead they just get a timeout. Even the users who can reach the site do not connect reliably, as it can also time out at what seems to be a random time. In both cases, as soon as I disable PCC (disable the routes for WAN2) the site loads immediately. I have switched my PCC rules to use ‘src-address’ and have also added a ‘prerouting’ rule to exclude any traffic headed to 173.252.64.0/18, which should be all of business.facebook.com’s usable IPs, but none of these have been effective. Below is a copy of my config… I have a feeling something is either out of order or missing. Can anyone please put an end to this misery one way or another for me? Thanks
01. # may/02/2016 15:07:32 by RouterOS 6.35
02. # software id = 57Z0-I1YV
03. #
# Dual-WAN export (WAN1 static address + dhcp-client, WAN2 static) that
# load-balances traffic from bridge-local with PCC connection marks in
# /ip firewall mangle. Both WAN2 routes under /ip route are disabled=yes in
# this export, so as pasted everything actually leaves via WAN1 regardless of
# the marks.
04. /ip pool
05. add name=default-dhcp ranges=192.168.88.10-192.168.88.254
06. /ip address
07. add address=192.168.88.1/24 comment=defconf interface=bridge-local network=192.168.88.0
# Second LAN (192.168.200.0/24) on interface LAN. The mangle rules below only
# match in-interface=bridge-local, so this LAN is not PCC-classified unless LAN
# is a port of bridge-local -- confirm on the live router.
08. add address=192.168.200.1/24 interface=LAN network=192.168.200.0
# WAN1 has a static address here and a dhcp-client (line 12) at the same time.
# If the lease installs its own default route (dhcp-client add-default-route is
# not shown, so it is at its default), WAN1 gets a second default route next to
# the static ones under /ip route -- NOTE(review): confirm in /ip route print.
09. add address=100.37.200.202/24 interface=WAN1 network=100.37.200.0
10. add address=65.23.200.230/29 interface=WAN2 network=65.23.200.224
11. /ip dhcp-client
12. add comment=defconf dhcp-options=hostname,clientid interface=WAN1
13. /ip dhcp-server
14. add address-pool=default-dhcp disabled=no interface=bridge-local name=defconf
15. /ip dhcp-server network
16. add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
17. /ip dns
# Upstream resolvers are internal hosts on the 192.168.200.0/24 LAN.
18. set servers=192.168.200.5,192.168.200.4,192.168.200.6
19. /ip dns static
20. add address=192.168.88.1 name=router
21. /ip firewall address-list
# Destinations that must bypass PCC; consumed by the mangle exemption rule (63).
# Only one /18 is listed: if the portal also resolves to addresses outside this
# range (check what clients actually resolve), those connections still go
# through PCC.
22. add address=173.252.64.0/18 comment="business.facebook.com 173.252.64.0/18 [173.252.64.0 through 173.252.127.255]" list=exempted-from-pcc
23. /ip neighbor discovery settings
# Neighbor discovery off on all interfaces by default.
24. set default=no
25. /ip firewall filter
# --- input chain, defconf block first ---
# Rule 26 accepts ALL ICMP to the router with no rate limit, so the limited-ping
# rules (39, 40), the ICMP jump (47) and the whole ICMP chain (52-57) are never
# reached by ICMP packets.
26. add chain=input comment="defconf: accept ICMP" protocol=icmp
27. add chain=input comment="defconf: accept established,related" connection-state=established,related
# Rules 28/29 drop every remaining input packet arriving on WAN1/WAN2. Every
# input rule after this point (35-51) is therefore only evaluated for traffic
# from the LAN side: the SSH 2220 / winbox 8220 accepts (41, 42) and the
# port-scan / DoS detection (44-46) are effectively LAN-only.
28. add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN1
29. add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN2
# NOTE(review): fasttracked packets bypass /ip firewall mangle, so later packets
# of a fasttracked connection do not receive the prerouting routing marks
# (71, 72) and are routed by the main table (WAN1) instead of the WAN the
# connection was classified to. This is a common cause of intermittent
# breakage when PCC and fasttrack are combined; restricting this rule to
# connection-mark=no-mark, or disabling it while PCC is active, is the usual
# mitigation -- confirm against the 6.35 behaviour before relying on it.
30. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
31. add chain=forward comment="defconf: accept established,related" connection-state=established,related
32. add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New inbound connections from either WAN are only allowed if a dstnat rule
# (76-78) matched them.
33. add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN1
34. add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN2
# --- input chain, custom block (LAN-side traffic only, see above) ---
# 35/36 repeat what 27 already accepts.
35. add chain=input comment="Accept established connections" connection-state=established
36. add chain=input comment="Accept related connections" connection-state=related
37. add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
# Accepts any UDP destined to the router itself, on any port, from the LAN side.
38. add chain=input comment=UDP protocol=udp
39. add chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
40. add action=drop chain=input comment="Drop excess pings" protocol=icmp
41. add chain=input comment="SSH for secure shell" dst-port=2220 protocol=tcp
42. add chain=input comment=winbox dst-port=8220 protocol=tcp
# Everything from 192.168.200.0/24 is accepted here, so only bridge-local
# (192.168.88.0/24) hosts reach rules 44-51.
43. add chain=input comment="From our private LAN" src-address=192.168.200.0/24
44. add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
# 45/46: a bridge-local host holding more than 10 concurrent TCP connections to
# the router is black_listed for 1d and its further TCP connections tarpitted.
45. add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
46. add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
47. add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
# No rule with chain=services exists in this export, so this jump returns to
# the input chain without doing anything.
48. add action=jump chain=input comment="jump to chain services" jump-target=services
49. add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
# Default-deny tail: log, then drop.
50. add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
51. add action=drop chain=input comment="Drop everything else"
# --- ICMP chain: unreachable while rule 26 accepts all ICMP (see above) ---
52. add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5:packet protocol=icmp
53. add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
54. add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
55. add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5:packet protocol=icmp
56. add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5:packet protocol=icmp
57. add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
58. /ip firewall mangle
# 59/60: router-originated packets follow the WAN their connection was marked
# with.
59. add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
60. add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
# 61/62: LAN traffic to the WAN subnets themselves is accepted here, which ends
# mangle processing for the packet so it is never PCC-marked.
61. add chain=prerouting dst-address=100.37.200.0/24 in-interface=bridge-local
62. add chain=prerouting dst-address=65.23.200.224/29 in-interface=bridge-local
# 63: same mechanism for the address list -- new connections to exempted
# destinations leave prerouting unmarked and are routed by the main table
# (WAN1). Replies arriving on WAN1 then get WAN1_conn from rule 66, so the
# connection stays on WAN1.
63. add chain=prerouting comment="exempt IP addresses listed in 'exempted-from-pcc' Address List" connection-mark=no-mark dst-address-list=exempted-from-pcc
# 64-67: connections initiated from a WAN are marked by the interface they
# arrived on so replies go back the same way (needed for the dstnat rules).
64. add action=mark-connection chain=input connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=no
65. add action=mark-connection chain=input connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
66. add action=mark-connection chain=forward connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=no
67. add action=mark-connection chain=forward connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
# 68-70: PCC on source address only, 3 buckets: 0 and 1 -> WAN1, 2 -> WAN2
# (2:1). Because only the source address is hashed, a given client always uses
# the same WAN for all of its connections, so a client in bucket 2 sends
# everything via WAN2. Only bridge-local traffic is classified.
68. add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=WAN1_conn per-connection-classifier=src-address:3/0
69. add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=WAN1_conn per-connection-classifier=src-address:3/1
70. add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=WAN2_conn per-connection-classifier=src-address:3/2
# 71/72: every packet of a marked connection gets the matching routing mark
# (except packets that skip mangle, see the fasttrack note above).
71. add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=bridge-local new-routing-mark=to_WAN1
72. add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge-local new-routing-mark=to_WAN2
73. /ip firewall nat
# NOTE(review): to-addresses is a src-nat parameter; with action=masquerade the
# out-interface address is used and this value appears to have no effect --
# confirm, or switch to action=src-nat if a specific range is intended.
74. add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WAN1 to-addresses=100.37.200.0/24
75. add action=masquerade chain=srcnat out-interface=WAN2 to-addresses=65.23.200.224/29
# Inbound 443 on WAN2 goes to 192.168.200.99; 443 and 1723 on WAN1 go to
# 192.168.200.15. Replies for the WAN2 forward rely on WAN2_conn / to_WAN2
# (65, 67, 72) and route 81; with 81 disabled=yes the to_WAN2 lookup falls
# through to the main table and the reply leaves via WAN1 carrying WAN2's
# address, so the WAN2 forward is unlikely to work as exported.
# 1723/tcp is the PPTP control port; PPTP is a legacy VPN protocol with known
# weaknesses, so consider whether it still needs to be reachable from the WAN.
76. add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN2 protocol=tcp to-addresses=192.168.200.99 to-ports=443
77. add action=dst-nat chain=dstnat dst-port=1723 in-interface=WAN1 protocol=tcp to-addresses=192.168.200.15 to-ports=1723
78. add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=192.168.200.15 to-ports=443
79. /ip route
# 80/81: the to_WAN1 / to_WAN2 tables used by the mark-routing rules. 81 is
# disabled, so packets marked to_WAN2 find no route in their table and fall
# back to the main table, i.e. WAN1.
80. add check-gateway=ping distance=1 gateway=100.37.200.1%WAN1 routing-mark=to_WAN1
81. add check-gateway=ping disabled=yes distance=1 gateway=65.23.200.225%WAN2 routing-mark=to_WAN2
# Main table: 82 and 83 are both default routes via WAN1 (distance 1 and 3).
# Nothing ties 83 to the exempted-from-pcc list -- an unmarked route cannot be
# scoped to an address list -- so 83 is only a backup copy of 82. The WAN2
# default (84, distance 2) is disabled as well.
82. add check-gateway=ping distance=1 gateway=100.37.200.1%WAN1
83. add comment="route for IP addresses listed in 'exempted-from-pcc' Address List" distance=3 gateway=100.37.200.1%WAN1
84. add check-gateway=ping disabled=yes distance=2 gateway=65.23.200.225%WAN2
85. /ip ssh
# Strong ciphers only. The filter rule for SSH on 2220 (41) only matters if
# /ip service ssh port=2220 is configured, which is not part of this export.
86. set strong-crypto=yes