Server disconnecting because it says Your IP address has changed 2 WAN PCC Load Balancing

Hi everyone,

I’m having a problem. I have 2 internet providers, for which I configured a PCC load balance. The problem is that I have a Koha server accessible through the internet, but it logs me out because it says that the IP changed. Assuming the load balance is the problem, how could I solve this?

Using internet from my mobile phone works fine, but using internet from my local network gives me the problem; that’s why I assume there is a problem with my configuration.

/ip firewall mangle
add action=accept chain=prerouting comment=\
    "Do not balance private traffic" dst-address-list=RFC1918 \
    src-address-list=RFC1918
add action=accept chain=prerouting dst-address=x.x.x.x \
    in-interface-list=LAN
add action=accept chain=prerouting dst-address=x.x.x.x \
    in-interface-list=LAN
add action=mark-connection chain=prerouting comment=\
    "Mark connections originating from the Internet" connection-mark=\
    no-mark connection-state=new in-interface=ether1-WAN1 \
    new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether2-WAN2 new-connection-mark=\
    WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=ISP2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:7/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:7/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:7/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:7/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:7/4
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:7/5
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:7/6
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge1 new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge1 new-routing-mark=ISP2 passthrough=no

Because of this:
per-connection-classifier=both-addresses-and-ports

Skip the ports part or it will result in a possible different WAN being chosen.
You want all connections from source A towards source B to be using the same WAN, regardless of ports.

So:
per-connection-classifier=both-addresses on all relevant rules.

Disagree.
Two different requirements are being discussed.
1-PCC which is for load balancing traffic originating on the LAN
2-Server traffic which is originated outside of the LAN.

No need to change PCC settings.
Instead, one probably should adjust mangle rules to ensure
→ any traffic coming in on WANX heading for a LAN server goes back out WANX

(torch that 😜)

So, I already tried doing this. It seems to solve that particular problem, but load balancing stops working properly, mostly affecting internet access, since one of my ISPs gives me a lower bandwidth.

@Mesquite:
It IS a PCC problem if connections between the same two addresses but different ports are being sent over different WANs because of the classifier.

BTW, don’t believe me, believe this guy who you also have referenced quite often already:
https://mum.mikrotik.com/presentations/US12/steve.pdf

Common problems: Strange http issues, some images load, other don’t, problems with some secure sites

Solution: Try using “both addresses” or “source address “ for PCC classifier. While “both addresses and ports” gives the greatest chance for randomization and better possibility for even distribution, it can create these types of issues.

@ctorres
That’s another issue.

Keep in mind PCC is NOT load balancing to the extreme.
It will do SOME load balancing but depending on the classifiers/dividers you use.

If for some reason you need to stay with both-addresses, then you may need to revisit your PCC rules. Add more weight to the WAN you want to use the most.
Another option you have is to use mangling to favor a certain WAN connection for specific targets.

In general I would agree with you, the basic rules of thumb:
both addresses-ports → gives best spread but may inherit problems in banking.
single address → ensures banking and certain sites work with fewer issues, but connections not spread out so evenly.

However, he has specifically stated the issue in relation to a server, and thus I would tackle that first as a better solution, as the external traffic to the LAN and its return traffic is removed from the PCC traffic more cleanly.
What the OP is really saying is that external originated traffic is getting caught up in PCC traffic, which is wrong.
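
The classifier behaviour argued over in this thread, as an added illustration that is not part of any post and is not RouterOS code: it applies the posted 7-way split (remainders 0-4 to WAN1_conn, 5-6 to WAN2_conn) to constructed connections and counts which mark each classifier assigns. SHA-256 stands in for the router's hash (an assumption), and the addresses and ports are constructed sample values.

```python
import hashlib
from collections import Counter

DIVISOR = 7
# Remainder -> connection mark, copied from the posted mangle rules
# (7/0..7/4 mark WAN1_conn, 7/5..7/6 mark WAN2_conn).
REMAINDER_TO_MARK = {r: "WAN1_conn" for r in range(5)}
REMAINDER_TO_MARK.update({5: "WAN2_conn", 6: "WAN2_conn"})

# Which packet fields each classifier feeds into the hash.
FIELDS = {
    "both-addresses-and-ports": lambda c: (c["src"], c["sport"], c["dst"], c["dport"]),
    "both-addresses": lambda c: (c["src"], c["dst"]),
    "src-address": lambda c: (c["src"],),
}

def pcc_mark(classifier, conn):
    """Hash the classifier's fields, take the remainder, map it to a mark.
    SHA-256 is a stand-in (assumption); RouterOS uses its own hash."""
    key = "|".join(str(f) for f in FIELDS[classifier](conn)).encode()
    remainder = int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % DIVISOR
    return REMAINDER_TO_MARK[remainder]

def marks_for(classifier, conns):
    """Count how many of the given connections receive each mark."""
    return Counter(pcc_mark(classifier, c) for c in conns)

# Constructed sample: one LAN client opening 200 HTTPS connections to one
# server (documentation addresses), each from a new ephemeral source port.
ONE_CLIENT = [{"src": "192.168.88.10", "sport": 49152 + i,
               "dst": "203.0.113.20", "dport": 443} for i in range(200)]
# Constructed sample: 500 LAN clients, one connection each, same server.
MANY_CLIENTS = [{"src": f"192.168.{88 + i // 250}.{1 + i % 250}", "sport": 50000,
                 "dst": "203.0.113.20", "dport": 443} for i in range(500)]

if __name__ == "__main__":
    for name in FIELDS:
        print(f"{name:26} one client : {dict(marks_for(name, ONE_CLIENT))}")
        print(f"{name:26} 500 clients: {dict(marks_for(name, MANY_CLIENTS))}")
```

Each mark leaves through a different ISP and therefore a different public source address, so a single client landing on both marks is what a server that ties a session to the client IP sees as an address change.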