Thank you, herewith full config.
[admin@MikroTik] /terminal> :export
# may/16/2024 14:53:02 by RouterOS 7.3.1
#
# Layer-2 and radio setup: the bridge, the LTE modem, ether1, both radios, five
# VLAN interfaces, the interface lists and the wireless security profiles.
/interface bridge
add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1 nr-band=""
/interface ethernet
# NOTE(review): ether1 is also a port of "bridge" (see /interface bridge port) and
# the IP addresses sit on bridge and vlan2-6, so verify that arp=reply-only on the
# physical port restricts what was intended.
set [ find default-name=ether1 ] arp=reply-only
/interface wireless
# Neither radio names a security-profile here, so SSID "ATSS" presumably uses the
# default profile defined below - confirm with /interface wireless print detail.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="united kingdom" disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=ATSS wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country="united kingdom" disabled=no distance=indoors \
frequency=auto installation=indoor mode=ap-bridge ssid=ATSS wireless-protocol=802.11
/interface vlan
# NOTE(review): vlan2-6 are built on ether1, which is a bridge port. MikroTik's
# layer-2 guidance lists a VLAN interface on a bridge slave port as a
# misconfiguration; the usual arrangement is interface=bridge (with bridge VLAN
# filtering if ports must be restricted). Verify tagged traffic reaches them.
add interface=ether1 name=vlan2 vlan-id=2
add interface=ether1 name=vlan3 vlan-id=3
add interface=ether1 name=vlan4 vlan-id=4
add interface=ether1 name=vlan5 vlan-id=5
add interface=ether1 name=vlan6 vlan-id=6
/interface list
# WAN and LAN are the defconf lists; all-lans is a local addition that the IPv4
# input rule and the mangle rules match on.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=all-lans
/interface lte apn
set [ find default=yes ] name=EE
/interface wireless security-profiles
# Both profiles accept legacy WPA alongside WPA2. Restricting authentication-types
# to wpa2-psk removes the WPA fallback, provided every client supports WPA2.
# The pre-shared keys are not part of this export, so it cannot be told from here
# whether the main and guest SSIDs use different keys.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik
/interface wireless
# Virtual APs carrying the "ATSS Guest" SSID on each radio, using the profile
# named "profile". Both are later added as ports of the same bridge as the LAN.
add mac-address=1A:FD:74:13:93:68 master-interface=wlan2 name=wlan3 security-profile=profile ssid="ATSS Guest"
add mac-address=1A:FD:74:13:93:67 master-interface=wlan1 name=wlan4 security-profile=profile ssid="ATSS Guest"
# DHCP server for the bridge, the custom DHCP options, the option sets that group
# them, and the address pools for the five VLAN networks.
/ip dhcp-server
# No address-pool is given for the bridge server, so the export default applies -
# presumably static-only (leases must be defined by hand); verify.
add add-arp=yes interface=bridge lease-time=5d name=defconf
/ip dhcp-server option
# Option 254 carries an ASCII GUID string (hex-encoded).
# NOTE(review): Microsoft documents DHCP option 234 as the Delivery Optimization
# group-ID source; confirm that code=254 is what the clients are configured to read.
add code=254 name="Delivery Optimization" value=0x30363637306261382d366461632d343066372d383661352d376233323731646361366430
add code=6 name="DNS Servers" value="'192.168.1.130''192.168.1.119''192.168.1.120'"
# The two option-67 values decode to \boot\x64uefi\wdsmgfw.efi and
# \boot\x64\wdsnbp.com, i.e. network-boot file names handed to PXE clients.
add code=67 name="UEFI Boot File" value=0x5c626f6f745c783634756566695c7764736d6766772e656669
add code=67 name="BIOS boot File" value=0x5c626f6f745c7836345c7764736e62702e636f6d
add code=6 name="LAN DNS Servers" value="'192.168.1.1'"
/ip dhcp-server option sets
# LANNets also includes the UEFI boot file, so clients on the bridge network are
# offered network boot as well as the VLAN networks.
add name="VMNets UEFI Boot" options="DNS Servers,UEFI Boot File,Delivery Optimization"
add name=LANNets options="Delivery Optimization,UEFI Boot File,LAN DNS Servers"
add name="VMNets BIOS BOOT" options="DNS Servers,BIOS boot File,Delivery Optimization"
/ip pool
# NOTE(review): only 192.168.0.0/16 is private space (RFC 1918). 192.169.0.0/16
# through 192.173.0.0/16 are publicly routable, so using them internally makes
# the real networks at those addresses unreachable from this site and relies on
# NAT alone to keep the overlap from leaking. Renumbering the VLANs into
# 10.0.0.0/8, 172.16.0.0/12 or other 192.168.x.0/24 subnets avoids both problems.
add name=dhcp_VLAN2 ranges=192.169.1.20-192.169.1.254
add name=dhcp_VLAN3 ranges=192.170.1.20-192.170.1.254
add name=dhcp_VLAN4 ranges=192.171.1.20-192.171.1.254
add name=dhcp_VLAN5 ranges=192.172.1.20-192.172.1.254
add name=dhcp_VLAN6 ranges=192.173.1.20-192.173.1.254
# Policy-routing tables, bridge membership, neighbour discovery scope, interface
# list membership and the per-interface wireless rate limits.
/routing table
# One table per uplink; the mangle rules select them through routing marks.
add disabled=no fib name=LTE
add disabled=no fib name=EE
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# The guest virtual APs join the same bridge as the wired LAN and the main SSID,
# so guest clients share one layer-2 segment (and 192.168.1.0/24) with the hosts
# in the LanServers address list. No bridge filter or separate guest VLAN appears
# in this export; if guests are meant to be isolated, they need their own
# interface or VLAN plus forward-chain rules.
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
/ip neighbor discovery-settings
# LAN contains only "bridge", which includes the guest radios.
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=ether5 list=WAN
# all-lans = bridge plus every VLAN interface; LAN itself stays bridge-only.
add interface=bridge list=all-lans
add interface=vlan2 list=all-lans
add interface=vlan3 list=all-lans
add interface=vlan4 list=all-lans
add interface=vlan5 list=all-lans
add interface=vlan6 list=all-lans
/interface wireless access-list
# These entries only cap the AP-to-client transmit rate on the guest APs; they
# do not restrict which clients may connect or what they can reach.
add ap-tx-limit=2000000 interface=wlan4
add ap-tx-limit=2000000 interface=wlan3
# Router addresses, the per-VLAN DHCP servers and the DHCP network definitions.
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
# NOTE(review): 192.169.x through 192.173.x are not RFC 1918 private ranges;
# these are publicly routable prefixes being used internally.
add address=192.169.1.1/24 interface=vlan2 network=192.169.1.0
add address=192.170.1.1/24 interface=vlan3 network=192.170.1.0
add address=192.171.1.1/24 interface=vlan4 network=192.171.1.0
add address=192.172.1.1/24 interface=vlan5 network=192.172.1.0
add address=192.173.1.1/24 interface=vlan6 network=192.173.1.0
# ether5 is a WAN-list member with a static address behind 192.168.254.254.
add address=192.168.254.250/24 interface=ether5 network=192.168.254.0
/ip dhcp-server
# NOTE(review): dhcp-option-set=*1 looks like a reference to an option set that
# no longer exists (RouterOS prints *N for a dangling internal ID). The option
# sets on the /ip dhcp-server network entries below are named properly; clear or
# re-point this one so the servers do not depend on a missing item.
add add-arp=yes address-pool=dhcp_VLAN2 dhcp-option-set=*1 interface=vlan2 lease-time=1w3d name=dhcp2
add add-arp=yes address-pool=dhcp_VLAN3 dhcp-option-set=*1 interface=vlan3 lease-time=1w3d10m name=dhcp3
add add-arp=yes address-pool=dhcp_VLAN4 dhcp-option-set=*1 interface=vlan4 lease-time=1w3d10m name=dhcp4
add add-arp=yes address-pool=dhcp_VLAN5 dhcp-option-set=*1 interface=vlan5 lease-time=1w3d10m name=dhcp5
add add-arp=yes address-pool=dhcp_VLAN6 dhcp-option-set=*1 interface=vlan6 lease-time=1w3d10m name=dhcp6
/ip dhcp-server lease
[Redacted]
/ip dhcp-server network
# Every network, including the bridge network that carries the guest SSIDs,
# points clients at 192.168.1.124 for network boot. PXE clients trust whatever
# DHCP answer and boot file they receive unless Secure Boot is enforced, so that
# host and the DHCP path deserve protection: RouterOS offers /ip dhcp-server alert
# and bridge dhcp-snooping for detecting or blocking unexpected DHCP servers.
add address=192.168.1.0/24 comment=defconf dhcp-option-set=LANNets gateway=192.168.1.1 netmask=24 next-server=192.168.1.124
add address=192.169.1.0/24 dhcp-option-set="VMNets UEFI Boot" gateway=192.169.1.1 netmask=24 next-server=192.168.1.124
add address=192.170.1.0/24 dhcp-option-set="VMNets UEFI Boot" gateway=192.170.1.1 netmask=24 next-server=192.168.1.124
add address=192.171.1.0/24 dhcp-option-set="VMNets UEFI Boot" gateway=192.171.1.1 netmask=24 next-server=192.168.1.124
add address=192.172.1.0/24 dhcp-option-set="VMNets UEFI Boot" gateway=192.172.1.1 netmask=24 next-server=192.168.1.124
add address=192.173.1.0/24 dhcp-option-set="VMNets UEFI Boot" gateway=192.173.1.1 netmask=24 next-server=192.168.1.124
# Router DNS service and the IPv4 address lists used by the filter and mangle rules.
/ip dns
# The router answers DNS queries from other hosts. Nothing in the input chain
# limits port 53 specifically, so reachability is decided solely by the
# "drop all not coming from LAN" input rule; keep that rule in place for as long
# as this stays enabled.
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
# LanServers is referenced only by a disabled forward rule in this export.
add address=192.168.1.118 list=LanServers
add address=192.168.1.119 list=LanServers
add address=192.168.1.120 list=LanServers
add address=192.168.1.121 list=LanServers
add address=192.168.1.125 list=LanServers
add address=192.168.1.126 list=LanServers
add address=192.168.1.130 list=LanServers
# connected-subnets is negated in the mangle rules so that traffic between local
# networks is never given a WAN connection mark.
add address=192.168.1.0/24 list=connected-subnets
add address=192.169.1.0/24 list=connected-subnets
add address=192.170.1.0/24 list=connected-subnets
add address=192.171.1.0/24 list=connected-subnets
add address=192.172.1.0/24 list=connected-subnets
add address=192.173.1.0/24 list=connected-subnets
# IPv4 filter rules. Rules are evaluated top to bottom per chain and a packet
# that matches no rule is accepted, so the order below is significant.
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The comment still says LAN, but the rule matches !all-lans. This is the last
# enabled input rule, so every router service is reachable from the bridge
# (including the guest SSIDs) and from all five VLANs. If management should be
# limited to one network, add explicit accepts for it and drop the rest.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!all-lans
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# NOTE(review): MikroTik's FastTrack documentation states that fasttracked
# packets bypass mangle. This rule fasttracks every established/related
# connection, including those carrying LTE_conn/EE_conn marks, so their later
# packets may not receive the routing mark. Verify; a common arrangement is to
# fasttrack only connection-mark=no-mark traffic.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input disabled=yes dst-port=53 in-interface-list=all-lans protocol=udp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# This is the only enabled drop for new forwarded connections. There is no final
# forward drop, so traffic between the bridge network and the VLANs, and between
# the VLANs themselves, is accepted by default.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# The remaining rules are disabled. When enabled they block new outbound TCP/443
# from the LanServers list and from each VLAN. That also stops those hosts from
# reaching update, certificate and security services over HTTPS for as long as
# the rules are on; a local update cache would limit WAN usage without that
# side effect.
add action=drop chain=forward disabled=yes dst-port=443 out-interface-list=WAN protocol=tcp src-address-list=LanServers
add action=drop chain=forward disabled=yes dst-address-type="" dst-port=443 in-interface=vlan2 out-interface-list=WAN protocol=tcp
add action=drop chain=forward disabled=yes dst-port=443 in-interface=vlan3 out-interface-list=WAN protocol=tcp
add action=drop chain=forward disabled=yes dst-port=443 in-interface=vlan4 out-interface-list=WAN protocol=tcp
add action=drop chain=forward disabled=yes dst-port=443 in-interface=vlan5 out-interface-list=WAN protocol=tcp
add action=drop chain=forward disabled=yes dst-port=443 in-interface=vlan6 out-interface-list=WAN protocol=tcp
# Dual-WAN load balancing: mark each connection for one uplink, then translate
# the connection mark into a routing mark that selects the LTE or EE table.
/ip firewall mangle
# Connections arriving on a WAN interface are tagged with that interface's mark so
# that replies leave by the same uplink (see the output-chain rules at the end).
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=lte1 new-connection-mark=LTE_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=ether5 new-connection-mark=EE_conn passthrough=no
# PCC for TCP and UDP ports 80/443 from any local network to non-local
# destinations: the address/port hash puts each connection in bucket 0 (LTE) or
# bucket 1 (EE). All later rules require connection-mark=no-mark, so the first
# mark assigned is the one that sticks.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!connected-subnets dst-address-type=!local dst-port=80,443 in-interface-list=all-lans new-connection-mark=LTE_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!connected-subnets dst-address-type=!local dst-port=80,443 in-interface-list=all-lans new-connection-mark=EE_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!connected-subnets dst-address-type=!local dst-port=80,443 in-interface-list=all-lans new-connection-mark=LTE_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 protocol=udp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!connected-subnets dst-address-type=!local dst-port=80,443 in-interface-list=all-lans new-connection-mark=EE_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 protocol=udp
# Everything else is split with the nth matcher.
# NOTE(review): both rules use nth=2,1 and each rule keeps its own counter, so
# the second rule presumably marks only half of what reaches it and the rest
# stays unmarked and follows the main table. MikroTik's nth examples pair
# nth=2,1 with nth=1,1. These two rules also lack connection-state=new, so an
# unmarked connection could be marked on a later packet - verify.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!connected-subnets dst-address-type=!local in-interface-list=all-lans new-connection-mark=LTE_conn nth=2,1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!connected-subnets dst-address-type=!local in-interface-list=all-lans new-connection-mark=EE_conn nth=2,1 passthrough=yes
# Connection mark -> routing mark, for traffic from local networks (prerouting)
# and for traffic generated by the router itself (output).
add action=mark-routing chain=prerouting connection-mark=LTE_conn in-interface-list=all-lans new-routing-mark=LTE passthrough=no
add action=mark-routing chain=prerouting connection-mark=EE_conn in-interface-list=all-lans new-routing-mark=EE passthrough=no
add action=mark-routing chain=output connection-mark=LTE_conn new-routing-mark=LTE passthrough=no
add action=mark-routing chain=output connection-mark=EE_conn new-routing-mark=EE passthrough=no
# Source NAT, the default routes for each routing table, and the management
# services that have been switched off.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
# One default route per policy table, plus a distance=3 default in main via the
# ether5 gateway for traffic that carries no routing mark.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.254.254 pref-src=0.0.0.0 routing-table=EE scope=10 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=lte1 pref-src=0.0.0.0 routing-table=LTE suppress-hw-offload=no
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.254.254 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
# NOTE(review): only ftp, ssh, api and api-ssl appear here. An export lists only
# non-default values, so telnet, www and winbox are presumably still at their
# defaults (enabled) - confirm with /ip service print. Telnet is cleartext, yet
# ssh is the one that has been disabled; disable what is unused and set
# address= on what remains to limit it to the management network.
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# IPv6 firewall: the defconf list of source/destination prefixes that should not
# be forwarded, followed by the defconf input and forward rules.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# The IKE, AH and ESP accepts below sit above the final drop and have no
# interface match, so they apply to every interface including WAN. No IPsec
# configuration appears in this export; if IPsec is unused they can be disabled.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# NOTE(review): the IPv6 rules still match on !LAN (bridge only), whereas the
# IPv4 input rule was changed to !all-lans. If IPv6 is ever enabled on the VLAN
# interfaces, the two address families will treat them differently.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# System settings, the scheduled reboot, the defconf LED script and tool scopes.
# NOTE(review): the export header reports RouterOS 7.3.1 in an export dated
# May 2024; compare against the current stable 7.x release and plan an upgrade
# of RouterOS and RouterBOOT if it is behind.
/system clock
set time-zone-name=Europe/London
/system leds settings
set all-leds-off=after-1h
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system scheduler
# Reboots the router every day at 01:00. The entry carries the full policy set,
# although the on-event command is only "/system reboot"; trimming policy= to
# what the command needs limits what this entry can do if its on-event is ever
# changed.
add interval=1d name=reboot-1am on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date= apr/22/2024 start-time=01:00:00
/system script
# defconf script bound to the mode button: toggles all-leds-off between "never"
# and "immediate". It also carries the full policy set.
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool graphing
set store-every=24hours
/tool graphing interface
add interface=lte1
/tool mac-server
# MAC Telnet and MAC WinBox are limited to the LAN list, i.e. the bridge. The
# guest SSIDs are bridge ports, so guest clients are inside that scope too.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
set port=lte1
/tool sniffer
set memory-limit=1000KiB
I am using the other mangle rules to stop HTTPS connections from switching WAN link when a new session is set up or a redirect occurs, which breaks them. HTTPS over both TCP and UDP is catered for. I was having serious issues before those rules were added (I found them in another post elsewhere).
The nth 2,1 rules just split any target that opens multiple connections, so that it consumes both WAN links. Steam and speedtest both do so, and I get full saturation of both WAN links in those specific cases (I am very new to PCC and these are the only cases so far).
The other three are the standard packet routing via interface x leave by interface x rules.
I should explain the reason for the 443 drop rules. They are enabled to prevent Windows Update on Patch Tuesday from pulling the same update something like 40 times over our cellular link, so they are disabled for most of the month.