Internet connection breaks for PCC setup when 2nd connection added

dimm0k · Sun Apr 17, 2016 11:39 pm

Currently have a 25Mbps and a 10Mbps connection from two different providers that is set up with PCC on a Mikrotik RB951G-2HnD. Behind the Mikrotik is a Windows server that is giving out IP addresses to the local LAN, as well as providing DNS services to the local LAN. Issue I'm facing is if I run the setup with only one connection, either the 25 or the 10, everything runs fine. As soon as I connect the 25 or the 10 to work together, everything slows to a crawl... sometimes the web pages don't even load fully. My current configuration for the Mikrotik can be found here

# apr/17/2016 16:26:24 by RouterOS 6.35
# software id = 57Z0-I1YV
#
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=65.23.200.230/24 interface=Verizon network=65.23.200.0
add address=192.168.200.1/24 interface=LAN network=192.168.200.0
add address=100.37.200.202/24 interface=VerizonFIOS network=100.37.200.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=VerizonFIOS
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set servers=198.6.100.6,198.6.1.125,71.250.0.12,68.237.161.12
/ip dns static
add address=192.168.200.1 name=router
/ip firewall address-list
add address=100.37.200.0/24 list=Connected
add address=65.23.200.0/24 list=Connected
add address=192.168.200.0/24 list=Connected
add address=192.168.200.0/24 list=LAN
/ip neighbor discovery settings
set default=no
/ip settings
set rp-filter=strict
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=VerizonFIOS
add action=drop chain=input comment="added to replicate for 2nd WAN" in-interface=Verizon
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=VerizonFIOS
add action=drop chain=forward comment="added to replicate for 2nd WAN" connection-nat-state=!dstnat connection-state=new in-interface=Verizon
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment=UDP protocol=udp
add chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add chain=input comment="SSH for secure shell" dst-port=2220 protocol=tcp
add chain=input comment=winbox dst-port=8220 protocol=tcp
add chain=input comment="From our private LAN" src-address=192.168.200.0/24
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" jump-target=services
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else"
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5:packet protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5:packet protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
/ip firewall mangle
add chain=prerouting comment="used for PCC load balancing" dst-address=100.37.200.0/24 in-interface=bridge
add chain=prerouting dst-address=65.23.200.0/24 in-interface=bridge
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=VerizonFIOS new-connection-mark=VerizonFIOS_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=Verizon new-connection-mark=Verizon_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=VerizonFIOS_conn per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=VerizonFIOS_conn per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=Verizon_conn per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting connection-mark=VerizonFIOS_conn in-interface=bridge new-routing-mark=to_VerizonFIOS
add action=mark-routing chain=prerouting connection-mark=Verizon_conn in-interface=bridge new-routing-mark=to_Verizon
add action=mark-routing chain=output connection-mark=VerizonFIOS_conn new-routing-mark=to_VerizonFIOS
add action=mark-routing chain=output connection-mark=Verizon_conn new-routing-mark=to_Verizon
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=VerizonFIOS
add action=masquerade chain=srcnat out-interface=Verizon
add action=dst-nat chain=dstnat dst-port=80 in-interface=VerizonFIOS protocol=tcp to-addresses=192.168.200.99 to-ports=80
add action=dst-nat chain=dstnat dst-port=1723 in-interface=VerizonFIOS protocol=tcp to-addresses=192.168.200.15 to-ports=1723
/ip route
add check-gateway=ping comment="used for bandwidth based load balancing" disabled=yes distance=1 gateway=100.37.200.1 routing-mark=VerizonFIOS_Route
add check-gateway=ping comment="used for bandwidth based load balancing" disabled=yes distance=1 gateway=65.23.200.225 routing-mark=Verizon_Route
add check-gateway=ping distance=1 gateway=100.37.200.1 routing-mark=to_VerizonFIOS
add check-gateway=ping distance=1 gateway=65.23.200.225 routing-mark=to_Verizon
add check-gateway=ping distance=1 gateway=100.37.200.1
add check-gateway=ping distance=2 gateway=65.23.200.225
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2220
set api disabled=yes
set winbox address=192.168.200.0/24,192.168.88.0/24 port=8220
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes


[nmok@MikroTik] /ip firewall> /interface export
# apr/17/2016 16:28:19 by RouterOS 6.35
# software id = 57Z0-I1YV
#
/interface ethernet
set [ find default-name=ether3 ] name=LAN
set [ find default-name=ether2 ] disabled=yes name=Verizon
set [ find default-name=ether1 ] name=VerizonFIOS
set [ find default-name=ether4 ] master-port=LAN
set [ find default-name=ether5 ] master-port=LAN
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=Verizon
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment="moved Bridge to port 3 for uniformity so ports 1 and 2 can be used for WAN - NM" interface=LAN

EDIT1: noticed the below

add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=VerizonFIOS_conn per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=VerizonFIOS_conn per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=Verizon_conn per-connection-classifier=both-addresses:3/2

and changed to

add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=VerizonFIOS_conn per-connection-classifier=src-address:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=VerizonFIOS_conn per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=Verizon_conn per-connection-classifier=src-address:3/2

would like some confirmation on possible edits needed for my configuration as I can't try it remotely now without risking a loss of connection...

busty · Sat Jan 27, 2018 9:19 am

Hello
it's almost 2 years but i had maybe same issues while i was working with PCC. not sure if disabling fasttrack for all connection helps also in your case but you can try - if it's current.

Sat Feb 10, 2018 2:56 am

PCC is not designed to work with rp-filter enabled

https://wiki.mikrotik.com/wiki/Manual:PCC#Notes

disable rp-filter and test your setup

Internet connection breaks for PCC setup when 2nd connection added

Internet connection breaks for PCC setup when 2nd connection added

Re: Internet connection breaks for PCC setup when 2nd connection added

Re: Internet connection breaks for PCC setup when 2nd connection added

Who is online