uplink router using PCC

Hi all, I’m trying to add additional WAN connections on my RB1100. I have all ports in use using PCC; now I want to add an uplink router and change the weighting on the primary router to spread my WAN connections over the primary router and the uplink router. I have created a /30 subnet to connect a port on the primary to the uplink, I’ve removed NAT from this port and have set static routes on both routers. I can ping the routers from each other, I can ping my LAN from the uplink router but cannot ping the uplink router from my LAN. I can’t get internet traffic to pass over to the uplink router; I can ping the internet from my uplink router too. I’ve exported the config from both routers and removed the non-essential configs. Any pointers/help much appreciated.

Ether1 is my LAN
Cyta12 is one of my WANs on the primary router
Uplink is my connection to the uplink router.

Primary router config:
/ip address
add address=172.16.1.254/16 interface=ether1 network=172.16.0.0
add address=10.2.2.1/30 interface=cyta12 network=10.2.2.0
add address=192.168.4.1/30 interface=uplink network=192.168.4.0

/ip firewall filter
add chain=input in-interface=ether1 protocol=icmp
add chain=input in-interface=uplink protocol=icmp
add chain=input connection-state=established in-interface=cyta12
add chain=input connection-state=related in-interface=cyta12
add chain=input connection-state=established in-interface=uplink
add chain=input connection-state=related in-interface=uplink

/ip firewall mangle
add chain=prerouting dst-address=10.2.2.0/30 in-interface=ether1
add chain=prerouting dst-address=192.168.4.0/30 in-interface=ether1
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=cyta12 new-connection-mark=cyta12_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=uplink new-connection-mark=uplink_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local hotspot="" in-interface=ether1 new-connection-mark=cyta12_conn per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local hotspot="" in-interface=ether1 new-connection-mark=uplink_conn per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=cyta12_conn in-interface=ether1 new-routing-mark=to_cyta12
add action=mark-routing chain=prerouting connection-mark=uplink_conn in-interface=ether1 new-routing-mark=to_uplink
add action=mark-routing chain=output connection-mark=cyta12_conn hotspot="" new-routing-mark=to_cyta12
add action=mark-routing chain=output connection-mark=uplink_conn hotspot="" new-routing-mark=to_uplink

/ip firewall nat
add action=masquerade chain=srcnat out-interface=cyta12 to-addresses=10.2.2.1

/ip route
add check-gateway=ping distance=1 gateway=10.2.2.2 routing-mark=to_cyta12
add check-gateway=ping distance=1 gateway=192.168.4.2 routing-mark=uplink
add check-gateway=ping distance=2 gateway=10.2.2.2
add check-gateway=ping distance=3 gateway=192.168.4.2



Uplink router config:
/ip address
add address=192.168.4.2/30 interface=ether1 network=192.168.4.0
add address=10.1.1.1/30 interface=cyta13 network=10.1.1.0

/ip firewall filter
add chain=input in-interface=ether1 protocol=icmp
add chain=input in-interface=cyta13 protocol=icmp
add chain=input connection-state=established in-interface=cyta13
add chain=input connection-state=related in-interface=cyta13

/ip firewall mangle
add chain=prerouting dst-address=10.1.1.0/30 in-interface=ether1
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=cyta13 new-connection-mark=cyta13_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local hotspot="" in-interface=ether1 new-connection-mark=cyta13_conn per-connection-classifier=src-address:1/0
add action=mark-routing chain=prerouting connection-mark=cyta13_conn in-interface=ether1 new-routing-mark=to_cyta13
add action=mark-routing chain=output connection-mark=cyta13_conn hotspot="" new-routing-mark=to_cyta13

/ip firewall nat
add action=masquerade chain=srcnat out-interface=cyta13

/ip route
add check-gateway=ping distance=1 gateway=10.1.1.2 routing-mark=to_cyta13
add check-gateway=ping distance=1 gateway=10.1.1.2
add check-gateway=ping distance=1 dst-address=172.16.0.0/16 gateway=192.168.4.1

Bump. Anyone have an idea for me?

Need some time to get an idea in order to try to give pointers, but, in the meanwhile, make sure you’re not mixing firewalling with routing with PCC’ing everything at the first try. Have you tried going step by step, then verifying the current before proceeding to the next?

IMHO, order is routing, PCC’ing, then firewalling. Have you tested after each of these steps?

Undecided -
First thing I noticed was that you mark your connections and then add a routing mark, what I didn’t see was whether or not passthrough was enabled as each connection was evaluated…this is important.

Second thing I noticed was that you have no /ip route rules listed… Not sure how you plan to route data out an interface without either designating a route in the /ip route rule table, or, also in /ip route rule table, telling the router to lookup a routing table…

That’s just for starters…look over your config and make sure you have the above conditions/evaluations set correctly and come back with your ‘new’ config and we’ll go from there.

Thom

Thanks both, I think it’s the routing rules. The PCC and firewalling currently configured on my primary router is a working config with two WANs. I will check both your suggestions and revert. Thanks!
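
A consistency check for the kind of export posted at the top of this thread, added here as an example and not written by any of the posters: it parses the mangle and route sections and cross-checks every `new-routing-mark` set in mangle against the `routing-mark` values that routes are filed under. It assumes RouterOS v6 export syntax; `PRIMARY_EXPORT` is trimmed from the primary router config above, and the function names are made up for this example.

```python
import re
from collections import defaultdict

# Trimmed from the primary router export in the first post (hotspot matcher omitted).
PRIMARY_EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=cyta12_conn per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=uplink_conn per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=cyta12_conn in-interface=ether1 new-routing-mark=to_cyta12
add action=mark-routing chain=prerouting connection-mark=uplink_conn in-interface=ether1 new-routing-mark=to_uplink
/ip route
add check-gateway=ping distance=1 gateway=10.2.2.2 routing-mark=to_cyta12
add check-gateway=ping distance=1 gateway=192.168.4.2 routing-mark=uplink
add check-gateway=ping distance=2 gateway=10.2.2.2
add check-gateway=ping distance=3 gateway=192.168.4.2
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} with one dict per 'add' line."""
    sections, menu = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line  # e.g. "/ip firewall mangle"
        elif line.startswith("add ") and menu:
            # key=value pairs; a value is either quoted or runs to the next space
            sections[menu].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def check_routing_marks(text):
    """Cross-check marks set in mangle against the marks used in /ip route."""
    cfg = parse_export(text)
    mangle, routes = cfg["/ip firewall mangle"], cfg["/ip route"]
    set_marks = {r["new-routing-mark"] for r in mangle if "new-routing-mark" in r}
    tables = {r["routing-mark"] for r in routes if "routing-mark" in r}
    return {
        "marks_without_route": sorted(set_marks - tables),    # marked, but no table to look up
        "routes_never_selected": sorted(tables - set_marks),  # table exists, nothing marks into it
    }

if __name__ == "__main__":
    print(check_routing_marks(PRIMARY_EXPORT))
```

On the trimmed export it reports `to_uplink` as a mark with no matching route and `uplink` as a route mark that no mangle rule sets.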