
 
ElTRiC
just joined
Topic Author
Posts: 17
Joined: Mon Mar 11, 2019 7:49 pm

Trying to setup load balancing with PCC, router doesn't use ISP2

Mon Mar 11, 2019 8:04 pm

Hello people,

I've bought a hAP lite router to provide load balancing on two ISPs (DSL and LTE).
First I tried ECMP; load balancing worked, but I also had huge timeouts and certificates not working. So I tried PCC.
I'm on like my 5th try, everything seems fine, failover works, but the router never uses the second ISP to load-balance network traffic.
I have triple-checked my config against systemzone tutorials and the MikroTik wiki, and honestly I can't understand why it won't work :(

Here is my config, I hope someone can help (replaced sensitive information with xxxx).
# mar/11/2019 18:41:51 by RouterOS 6.43.8
# software id = 9ZJP-QWH1
#
# model = RouterBOARD 941-2nD
# serial number = A1C309C13EC4
/interface bridge
add admin-mac=xxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    xxxx wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether3 ] name=Disabled
set [ find default-name=ether4 ] name=LAN_LOGIN_GATE
set [ find default-name=ether2 ] name=WAN_4G
set [ find default-name=ether1 ] name=WAN_DSL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    xxxx wpa2-pre-shared-key=xxxx
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.220
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=LAN_LOGIN_GATE
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN_DSL list=WAN
add interface=WAN_4G list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.2.100/24 interface=WAN_DSL network=192.168.2.0
add address=192.168.1.100/24 interface=WAN_4G network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=WAN_DSL
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.0.1 name=router.lan
add address=192.168.2.1 name=mabox.bytel.fr
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN_DSL new-connection-mark=WAN_DSL_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN_4G new-connection-mark=WAN_4G_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=\
    WAN_DSL_conn passthrough=no per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=\
    WAN_4G_conn passthrough=no per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN_DSL_conn \
    in-interface=bridge new-routing-mark=to_WAN_DSL passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN_4G_conn \
    in-interface=bridge new-routing-mark=to_WAN_4G passthrough=no
add action=mark-routing chain=output connection-mark=WAN_DSL_conn \
    new-routing-mark=to_WAN_DSL passthrough=no
add action=mark-routing chain=output connection-mark=WAN_4G_conn \
    new-routing-mark=to_WAN_4G passthrough=no
add action=fasttrack-connection chain=forward connection-mark=!WAN_4G_conn \
    connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN_4G
add action=masquerade chain=srcnat out-interface=WAN_4G
/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN_DSL
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN_4G
add check-gateway=ping distance=1 gateway=192.168.2.1
add check-gateway=ping distance=2 gateway=192.168.1.1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=WAN_DSL type=external
add interface=WAN_4G type=external
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes primary-ntp=178.249.167.0 secondary-ntp=212.83.158.83 \
    server-dns-names=""
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
WeWiNet
Member Candidate
Posts: 159
Joined: Thu Sep 27, 2018 4:11 pm

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Tue Mar 12, 2019 5:50 pm

You masquerade WAN 4G twice! And not DSL?
3rd and 4th route, increase the distance by one for each (only keep the routing marking routes at distance 1).
In mangle you need to set passthrough to "yes", as you mangle the packets further afterwards.
If you use PCC with both addresses mode, you need to set RP filter mode to "loose" (in firewall/tracking settings somewhere).

Please report back progress
WeWiNet

MTCNA
hapac2, map, hap-lite, ltap-mini, RB4011 :-) !!!
 
ElTRiC
just joined
Topic Author
Posts: 17
Joined: Mon Mar 11, 2019 7:49 pm

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Tue Mar 12, 2019 9:23 pm

> You masquerade WAN 4G twice! And not DSL?
> 3rd and 4th route, increase the distance by one for each (only keep the routing marking routes at distance 1).
> In mangle you need to set passthrough to "yes", as you mangle the packets further afterwards.
> If you use PCC with both addresses mode, you need to set RP filter mode to "loose" (in firewall/tracking settings somewhere).
>
> Please report back progress

Masquerade had some weird glitch, or I fumbled around with copy/paste, because both WANs were ofc masqueraded ^^

Changed the stuff you told me, but now browsing is veeery slow and got timeouts on SSL/TLS :(
It works fine when disabling one WAN... (needed to do this to post here)

Here is the new config:
/ip settings
set rp-filter=loose
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN_DSL list=WAN
add interface=WAN_4G list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.2.100/24 interface=WAN_DSL network=192.168.2.0
add address=192.168.1.100/24 interface=WAN_4G network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=WAN_DSL
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.0.1 name=router.lan
add address=192.168.2.1 name=mabox.bytel.fr
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN_DSL new-connection-mark=WAN_DSL_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN_4G new-connection-mark=WAN_4G_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=\
    WAN_DSL_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=\
    WAN_4G_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN_DSL_conn \
    in-interface=bridge new-routing-mark=to_WAN_DSL passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN_4G_conn \
    in-interface=bridge new-routing-mark=to_WAN_4G passthrough=yes
add action=mark-routing chain=output connection-mark=WAN_DSL_conn \
    new-routing-mark=to_WAN_DSL passthrough=yes
add action=mark-routing chain=output connection-mark=WAN_4G_conn \
    new-routing-mark=to_WAN_4G passthrough=yes
add action=fasttrack-connection chain=forward connection-mark=!WAN_4G_conn \
    connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN_4G
add action=masquerade chain=srcnat out-interface=WAN_DSL
/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN_DSL
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN_4G
add check-gateway=ping distance=2 gateway=192.168.2.1
add check-gateway=ping distance=2 gateway=192.168.1.1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=WAN_DSL type=external
add interface=WAN_4G type=external
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes primary-ntp=178.249.167.0 secondary-ntp=212.83.158.83 \
    server-dns-names=""
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
WeWiNet
Member Candidate
Posts: 159
Joined: Thu Sep 27, 2018 4:11 pm

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Wed Mar 13, 2019 10:11 am

SSL / https breaks if you do not set connection tracking (RP filter) to loose mode.

Or if that is not the case, first try with PCC "source address only" and see if that works.
Normally SSL should then work.
WeWiNet

MTCNA
hapac2, map, hap-lite, ltap-mini, RB4011 :-) !!!
 
ElTRiC
just joined
Topic Author
Posts: 17
Joined: Mon Mar 11, 2019 7:49 pm

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Wed Mar 13, 2019 8:23 pm

> SSL / https breaks if you do not set connection tracking (RP filter) to loose mode.
>
> Or if that is not the case, first try with PCC "source address only" and see if that works.
> Normally SSL should then work.

/ip settings
set rp-filter=loose

It's already set to loose. Where can I set PCC "source address only"?
 
WeWiNet
Member Candidate
Posts: 159
Joined: Thu Sep 27, 2018 4:11 pm

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Thu Mar 14, 2019 12:36 pm

To use mangle you need to disable the fasttrack firewall connection rule!!!
Remove that firewall rule and reboot!!!
Without that, packets will bypass mangle!

Please check again.

PCC: In the settings Firewall - Mangle - Advanced settings - Per Connection Classifier, you select "source" or "both".

But I am pretty sure your issue is Fasttrack.
WeWiNet

MTCNA
hapac2, map, hap-lite, ltap-mini, RB4011 :-) !!!
 
ElTRiC
just joined
Topic Author
Posts: 17
Joined: Mon Mar 11, 2019 7:49 pm

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Mon Mar 18, 2019 5:55 pm

I have disabled fasttrack, but to be honest I already tried that before, because I found a topic about fasttrack and PCC and it was said there that if you exclude wan2 from fasttrack it can work...
viewtopic.php?t=110560#p586865
But... I created this exclusion rule in mangle and not in filter rules, maybe that's the issue?
Need to test more...

Another question: can I force an IP or (better for me) a MAC address to use only a selected WAN? Actually it's to force my DSL tvbox to use DSL only, my whitebox to use DSL only and one server to use LTE only because upload is way better.
 
ElTRiC
just joined
Topic Author
Posts: 17
Joined: Mon Mar 11, 2019 7:49 pm

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Mon Mar 18, 2019 6:04 pm

Update. It seems to work with fasttrack disabled, I was able to speedtest WAN_4G while WAN_DSL was on as well!
Now I'll do some tests later with fasttrack on only for DSL.
If you have some idea how to force an IP or MAC address through a specific WAN it would be awesome! :)

Thanks for your help so far ;)
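
The three problems raised in this thread (one masquerade rule per WAN, passthrough on the PCC mark-connection rules, FastTrack bypassing mangle) can be checked mechanically against an export. This linter is an added example, not part of any post; `parse_export` and `lint` are hypothetical names, and `SAMPLE` is abridged from the first export posted above.

```python
import re

# Abridged from the first export posted in this thread (only the 4G half of the PCC rules).
SAMPLE = r"""/interface list member
add comment=defconf interface=WAN_DSL list=WAN
add interface=WAN_4G list=WAN
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN_4G new-connection-mark=WAN_4G_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=\
    WAN_4G_conn passthrough=no per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN_4G_conn \
    in-interface=bridge new-routing-mark=to_WAN_4G passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN_4G
add action=masquerade chain=srcnat out-interface=WAN_4G
"""

def parse_export(text):
    """Return [(menu, {param: value})] for every 'add' line of a RouterOS export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join '\' continuation lines
    rules, menu = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            rules.append((menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))))
    return rules

def lint(text):
    rules = parse_export(text)
    rows = lambda menu, action: [p for m, p in rules if m == menu and p.get("action") == action]
    # 1. Each member of the WAN interface list needs exactly one masquerade rule.
    wans = [p["interface"] for m, p in rules if m == "/interface list member" and p.get("list") == "WAN"]
    masq = [p.get("out-interface") for p in rows("/ip firewall nat", "masquerade")]
    findings = [f"{w}: {masq.count(w)} masquerade rules, expected 1" for w in wans if masq.count(w) != 1]
    # 2. passthrough=no on mark-connection stops mangle before the mark-routing rule that uses the mark.
    routing = rows("/ip firewall mangle", "mark-routing")
    for p in rows("/ip firewall mangle", "mark-connection"):
        feeds = any((r.get("connection-mark"), r.get("chain"), r.get("in-interface")) ==
                    (p.get("new-connection-mark"), p.get("chain"), p.get("in-interface")) for r in routing)
        if feeds and p.get("passthrough") == "no":
            findings.append(f"{p['new-connection-mark']}: mark-connection on {p.get('in-interface')} has passthrough=no")
    # 3. Fasttracked packets skip mangle, so routing marks are never applied to them.
    if routing and any(p.get("action") == "fasttrack-connection" and p.get("disabled") != "yes" for _, p in rules):
        findings.append("fasttrack-connection is enabled while mangle sets routing marks")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The WAN-side mark-connection rule in the sample is deliberately not reported: no mark-routing rule on the same in-interface consumes its mark, so passthrough=no is harmless there.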
 
anav
Forum Guru
Posts: 2971
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Mon Mar 18, 2019 8:38 pm

Well the easiest would probably be not to mangle that traffic from that IP address and then it will get routed out the main table on the route where wan distance=1.
Thus if you wanted user x to use WAN3, and you had no other funky requirements.
Just set distance =1 for wan3, 2 for wan1, 3 for wan2, 4 for wan4 and so on.............. the order is arbitrary anyway.

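In mangle rules
Ensure this is the first rule
/ip firewall mangle
# chain=prerouting is where the PCC marks are set; the out-interface cannot be
# matched in that chain, so the rule matches on the source only
add action=accept chain=prerouting src-address=<specific IP address>
# (or src-address-list=<list name> if you have a few)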

Thus this traffic will exit out the mangle rules and thus not be marked and thus will use the main routing table......... That is my GUESS.
YES, I do not know for sure............. Think of it as an educated rumour LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
ElTRiC
just joined
Topic Author
Posts: 17
Joined: Mon Mar 11, 2019 7:49 pm

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Tue Mar 19, 2019 5:24 pm

I've found this: https://wiki.mikrotik.com/wiki/Policy_Base_Routing
Is it the same process with a single IP and not some content? (Even if I think about using this to force YouTube through WAN_4G :p )
 
ElTRiC
just joined
Topic Author
Posts: 17
Joined: Mon Mar 11, 2019 7:49 pm

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Wed Mar 20, 2019 5:40 pm

Hum, this morning I had a first issue with failover.
My WAN boxes don't have a bridge option, so I access them through a local IP (192.168.1.1 or 192.168.2.1).
Problem: if internet doesn't connect/work/whatever, the local address is still answering and MikroTik considers that the WAN is UP even if it's not.
I don't see any other options than ping or arp in the "check gateway" route options, like giving a DNS server to check... Any idea for me?
 
cloneako
just joined
Posts: 2
Joined: Fri Jun 28, 2019 9:52 am

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Fri Jun 28, 2019 5:02 pm

Hi sir ElTRiC, can you help me? Can you share your config... I'm just a newbie when it comes to MikroTik.. and I need to reconfigure my old hAP lite with dual ISP, all on LTE with 5mbs and 10mbs speed.
Thank you in advance
 
ElTRiC
just joined
Topic Author
Posts: 17
Joined: Mon Mar 11, 2019 7:49 pm

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Fri Jul 12, 2019 12:20 pm

> Hi sir ElTRiC, can you help me? Can you share your config... I'm just a newbie when it comes to MikroTik.. and I need to reconfigure my old hAP lite with dual ISP, all on LTE with 5mbs and 10mbs speed.
> Thank you in advance

Hi Cloneako,

Sorry for the late answer, still need my config shared?
 
cloneako
just joined
Posts: 2
Joined: Fri Jun 28, 2019 9:52 am

Re: Trying to setup load balancing with PCC, router doesn't use ISP2

Thu Jul 18, 2019 6:11 pm

Yes sir. I still need it..
