why Input & Output rules (Please help)

Dear Sir,
Why do I need to add input and output rules in mangle for PCC load balancing?
Without these rules, my PCC load balancing is working fine.
ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes

PCC load balancing also works fine with these rules.
Why are the above rules needed?

ip firewall mangle
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.1.0/24
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.2.0/24
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0 src-address=10.0.0.1-10.0.0.255
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1 src-address=10.0.0.1-10.0.0.255
add action=mark-routing chain=prerouting comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes

Input is new traffic entering from the outside; it needs to be connection-marked so that the router can answer back to the outside through the correct one of the two WANs.

Output is traffic originating from the router itself. It looks to me that this traffic will only use WAN2 here. It is connection-marked so that on return it will answer back through WAN2. For output, WAN1 is a dummy and is not used.

Thanks for your answer.
Well, I understand.
"For output, WAN1 is a dummy and is not used." (Please explain this.)

Please let me know whether I should create input & output rules or not.
Is the configuration below enough?
Because it is working fine.

I want to use both WANs simultaneously (as PCC load balance)
What is the best practice?


ip firewall mangle
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.1.0/24
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.2.0/24
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0 src-address=10.0.0.1-10.0.0.255
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1 src-address=10.0.0.1-10.0.0.255
add action=mark-routing chain=prerouting comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes

If you don't have incoming requests to the router or to servers on the LAN (from external users),
then:


create two tables.

Rules to mark connections:
one prerouting PCC rule for WAN1 and LAN
one prerouting PCC rule for WAN2 and LAN

Then matching rules to mark routes:
prerouting: traffic with connection mark 1 gets the routing mark, in-interface-list=LAN (or src-address=10.0.0.0/24, or in-interface=bridge)
prerouting: traffic with connection mark 2 gets the routing mark, in-interface-list=LAN (or src-address=10.0.0.0/24, or in-interface=bridge)

Then ensure two extra routes for the above:
isp1 route, standard, table=main
isp2 route, standard, table=main
isp1 route, table=useWAN1
isp2 route, table=useWAN2

++++++++++++++++++++++++++++++
Why is that not working for you??


The first two rules you have in the post above seem completely useless in this regard.

Post can’t be deleted.

I want to resolve my problem

Then what is your problem? You wrote in the OP that all was working.

IN = external new traffic incoming
OUT = traffic generated by the router itself, or encrypted traffic also generated by the router (policy)
FORWARD = internal network to the outside; that is where you have your PCC lines. Connection marking allows traffic to stick to the correct WAN.

So you can't send one part of a connection through a different WAN. You have to stick to the WAN used for that connection. PCC is distribution, not equal load balancing.
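As an added illustration (not from any post in this thread, and not taken from MikroTik's documentation), the pieces discussed above can be put together in one configuration: the two routing tables, the PCC connection marks, the routing marks restricted to LAN-originated packets, the marking of connections that arrive on a WAN, and the output-chain rule that makes the router's own replies leave on the WAN the connection came in on. Everything here is assumed: RouterOS v7 syntax (`/routing table ... fib` and `routing-table=` on routes; v6 would use `routing-mark=` and needs no table definition), LAN bridge `bridge` with 10.0.0.0/24, WAN1 on `ether1` with gateway 203.0.113.1 and WAN2 on `ether2` with gateway 198.51.100.1 (documentation prefixes, constructed for the example).

```routeros
# Added example configuration (assumed RouterOS v7; names and addresses are constructed)
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=bridge list=LAN

# One routing table per WAN; the routing marks below refer to these names
/routing table
add name=to_WAN1 fib
add name=to_WAN2 fib

/ip firewall mangle
# Traffic staying inside the LAN prefix is never marked (keep it out of PCC)
add chain=prerouting dst-address=10.0.0.0/24 action=accept comment="LAN-local: no marking"
# Connections that arrive on a WAN (services on the router, dst-nat to LAN servers)
# remember which WAN they came in on; connection-mark=no-mark so only new connections match
add chain=prerouting in-interface=ether1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1_conn passthrough=yes comment="inbound via WAN1"
add chain=prerouting in-interface=ether2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2_conn passthrough=yes comment="inbound via WAN2"
# New LAN-originated connections are split 50/50 by PCC; an existing mark is never overwritten,
# so every packet of a connection stays on the WAN it started on (PCC is distribution, not per-packet balancing)
add chain=prerouting in-interface-list=LAN dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes comment="PCC bucket 0 -> WAN1"
add chain=prerouting in-interface-list=LAN dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes comment="PCC bucket 1 -> WAN2"
# Forwarded packets from the LAN are routed by their connection mark
add chain=prerouting in-interface-list=LAN connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1 passthrough=yes
add chain=prerouting in-interface-list=LAN connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2 passthrough=yes
# Packets the router generates itself (replies to connections that arrived on a WAN) go through
# the output chain, not prerouting; without these two rules such replies would follow the main
# table and could leave on the wrong WAN
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1 passthrough=yes
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2 passthrough=yes

# Source NAT per WAN: the public address a connection is seen from must match the WAN it leaves on
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

/ip route
# Per-table default routes used by the routing marks
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=to_WAN2 check-gateway=ping
# Main-table defaults for unmarked traffic (the router's own new connections): WAN1 primary, WAN2 backup
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
```

The two output-chain rules are the ones the thread is asking about: they matter only for connections the router itself answers (or dst-nats) that came in from outside. For purely LAN-originated browsing, the prerouting rules alone are enough, which is why the configuration works without them. The `connection-mark=no-mark` condition on the marking rules is what keeps a connection on one WAN for its whole life; a rule that re-marked established connections would break NATted sessions when packets started leaving on the other WAN.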

It seems to be clear now.

talking to yourself again? :wink: