PCC (Dual WAN) not working on hAPAC2

Posted: Sat Nov 03, 2018 3:41 pm
by huntah
Hi,

can anyone confirm if PCC (Dual WAN) has problems on hAP-AC2?
I have tried ROS 6.42.9 and the latest current 6.43.4.
Then I used the same mangle rules on a hAP lite and it worked, using ROS 6.44beta28.


WAN1: DHCP-Client no default route (Cable with static IP assigned)
WAN2: DHCP-Client no default route (Fiber with static IP assigned)

Created an interface-list=PCC-LIST
later there will be multiple VLANs.. But for now only bridge (ether2,ether3 and wlan3) is in PCC.

I can see packets being marked (to_ISP1 and to_ISP2) but I cannot ping the WAN2 IP (route distance 2)
As soon as I disable (or unplug) WAN1, WAN2 starts to work (So failover is working ok!)

Any help/pointers would be greatly appreciated.
If someone has Dual WAN working on hAP-AC2, please share how you managed it and which version of ROS you are using.
/ip firewall mangle
add action=mark-connection chain=input comment="Dual WAN Load Balancing w/ Fail Over" in-interface=ether1-wan new-connection-mark=WAN1_mark passthrough=no
add action=mark-connection chain=input comment="Dual WAN Load Balancing w/ Fail Over" in-interface=ether4-wan2 new-connection-mark=WAN2_mark passthrough=no

add action=mark-routing chain=output comment="Dual WAN Load Balancing w/ Fail Over" connection-mark=WAN1_mark new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=output comment="Dual WAN Load Balancing w/ Fail Over" connection-mark=WAN2_mark new-routing-mark=to_ISP2 passthrough=no

add chain=prerouting comment="Dual WAN Load Balancing w/ Fail Over" dst-address=192.168.20.0/24 in-interface-list=PCC-LIST
add chain=prerouting comment="Dual WAN Load Balancing w/ Fail Over" dst-address=192.168.15.0/24 in-interface-list=PCC-LIST

add action=mark-connection chain=prerouting comment="Dual WAN Load Balancing w/ Fail Over" dst-address-type=!local in-interface-list=PCC-LIST new-connection-mark=WAN1_mark per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment="Dual WAN Load Balancing w/ Fail Over" dst-address-type=!local in-interface-list=PCC-LIST new-connection-mark=WAN2_mark per-connection-classifier=both-addresses-and-ports:2/1

add action=mark-routing chain=prerouting comment="Dual WAN Load Balancing w/ Fail Over" connection-mark=WAN1_mark in-interface-list=PCC-LIST new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=prerouting comment="Dual WAN Load Balancing w/ Fail Over" connection-mark=WAN2_mark in-interface-list=PCC-LIST new-routing-mark=to_ISP2 passthrough=no


/ip route
add check-gateway=ping comment="WAN1 GW" distance=1 gateway=192.168.20.1 routing-mark=to_ISP1
add check-gateway=ping comment="WAN2 GW" distance=1 gateway=192.168.15.1 routing-mark=to_ISP2
add check-gateway=ping comment="Normal Default Route except for 'Distance set to 1'" distance=1 gateway=192.168.20.1
add check-gateway=ping distance=2 gateway=192.168.15.1

Re: PCC (Dual WAN) not working on hAPAC2

Posted: Sun Nov 04, 2018 2:49 am
by schrotn
Enable passthrough on the first 4 rules.
That tells the table to keep working on that packet. With passthrough=no, you are telling the firewall to tag the packet then stop worrying about it.
For PCC to work, it needs to tag the packet and keep processing it.
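
To make the passthrough point above concrete, here is a small simulation added to this thread (it is not code from the thread, from MikroTik or from RouterOS). It walks a two-rule prerouting chain the way RouterOS evaluates mangle rules top to bottom: a mark-connection rule followed by a mark-routing rule that matches on the connection mark. The interface name "bridge" and the marks WAN1_mark/to_ISP1 come from the thread; the PCC classifier itself is left out and the packet is simply assumed to land in the ISP1 bucket.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    in_interface: str
    connection_mark: Optional[str] = None
    routing_mark: Optional[str] = None


@dataclass
class MangleRule:
    action: str                            # "mark-connection" or "mark-routing"
    new_mark: str
    in_interface: Optional[str] = None     # match only packets from this interface
    connection_mark: Optional[str] = None  # match only this connection mark
    passthrough: bool = True               # RouterOS default is passthrough=yes

    def matches(self, pkt: Packet) -> bool:
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.connection_mark is not None and pkt.connection_mark != self.connection_mark:
            return False
        return True


def run_chain(rules: List[MangleRule], pkt: Packet) -> Packet:
    """Evaluate a mangle chain top to bottom; passthrough=no ends the walk."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "mark-connection":
            pkt.connection_mark = rule.new_mark
        elif rule.action == "mark-routing":
            pkt.routing_mark = rule.new_mark
        if not rule.passthrough:
            break  # the packet is tagged and the rest of the chain is skipped
    return pkt


def prerouting_chain(passthrough: bool) -> List[MangleRule]:
    # Hypothetical two-rule PCC chain: classify the connection, then choose the
    # routing table from the connection mark (classifier step omitted).
    return [
        MangleRule("mark-connection", "WAN1_mark", in_interface="bridge",
                   passthrough=passthrough),
        MangleRule("mark-routing", "to_ISP1", connection_mark="WAN1_mark"),
    ]


def routing_mark_for_first_packet(passthrough: bool) -> Optional[str]:
    """Routing mark the first packet of a new LAN connection ends up with."""
    pkt = Packet(in_interface="bridge")
    return run_chain(prerouting_chain(passthrough), pkt).routing_mark


if __name__ == "__main__":
    print("passthrough=yes ->", routing_mark_for_first_packet(True))
    print("passthrough=no  ->", routing_mark_for_first_packet(False))
```

With passthrough=yes the packet gets both the connection mark and the routing mark in one pass; with passthrough=no on the mark-connection rule the chain stops right after tagging the connection, so the mark-routing rule never sees that packet and it is routed by the main table.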

Re: PCC (Dual WAN) not working on hAPAC2

Posted: Sun Nov 04, 2018 11:09 am
by huntah
It does not matter if I set it to passthrough :/
Also in Wiki there are not passthrough enabled..
https://wiki.mikrotik.com/wiki/Manual:PCC
As I said it works on hAP-lite just not hAP-AC2.
Have you tried it on hAP-AC2.. has anyone?

Re: PCC (Dual WAN) not working on hAPAC2

Posted: Sun Nov 04, 2018 11:17 am
by xvo
> It does not matter if I set it to passthrough :/
> Also in Wiki there are not passthrough enabled..
> https://wiki.mikrotik.com/wiki/Manual:PCC
> As I said it works on hAP-lite just not hAP-AC2.
> Have you tried it on hAP-AC2.. has anyone?
Passthrough=yes is the default setting.

Re: PCC (Dual WAN) not working on hAPAC2

Posted: Sun Nov 04, 2018 1:51 pm
by huntah
Ah OK.. did not know that from the wiki.. But I tried several scripts and none work on the live system with hAP-AC2, so passthrough is definitely an oversight on my side...
I just don't get why it does work on hAP-lite even though it was set incorrectly..

I have just got one spare hAP-AC2 and will try the setup in the lab.
Then post both exports and findings..

Re: PCC (Dual WAN) not working on hAPAC2

Posted: Sun Nov 04, 2018 6:35 pm
by huntah
OK now I am totally confused :)

It kinda works on both devices in my lab. On both there are problems with some sites loading all the images ...or not loaded entirely. Subjective guess it happens more often on hAP-AC2..

Steps to reproduce:
1. Reset config to default
2. remove ether4 from bridge
3. rename ether1 to ether1-wan
4. rename ether4 to ether4-wan2
5. add dhcp-client to ether4-wan2
6. Set "Add default route" to "No" on both dhcp-clients
7. Add ether4 to interface-list WAN
8. Paste the script below (from https://wiki.mikrotik.com/wiki/Manual:PCC)

Script Assumes the following DHCP-Server config for WAN interfaces (configured on another device..):
1. WAN1 IP 192.168.20.x/24
2. WAN2 IP 192.168.15.x/24
3. WAN1GW: 192.168.20.1
4. WAN2GW: 192.168.15.1

Try multiple websites from my test notebook via WLAN
Also whenever I try to traceroute the host the first host is * * *.
Don't know why.. it has to be something in mangle...

/interface list
add name=PCC-LIST
/interface list member
add interface=bridge list=PCC-LIST


/ ip firewall mangle
add chain=prerouting dst-address=192.168.20.0/24  action=accept in-interface-list=PCC-LIST
add chain=prerouting dst-address=192.168.15.0/24  action=accept in-interface-list=PCC-LIST
add chain=prerouting in-interface=ether1-wan connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ether4-wan2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting  in-interface-list=PCC-LIST connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn 
add chain=prerouting  in-interface-list=PCC-LIST connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface-list=PCC-LIST action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface-list=PCC-LIST action=mark-routing new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1     
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.20.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.15.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.20.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.15.1 distance=2 check-gateway=ping

Re: PCC (Dual WAN) not working on hAPAC2

Posted: Sun Nov 04, 2018 7:08 pm
by huntah
I was searching the forum and came across this:
viewtopic.php?t=110560

I have disabled fasttrack and now it is much better.

Must fasttrack be disabled with PCC? Can someone confirm this..

Re: PCC (Dual WAN) not working on hAPAC2

Posted: Mon Nov 05, 2018 12:00 am
by xvo
https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

"firewall filter and mangle rules will not be applied for FastTracked traffic"

Re: PCC (Dual WAN) not working on hAPAC2  [SOLVED]

Posted: Mon Nov 05, 2018 10:29 am
by huntah
I have found the problem

it was in RP Filter which was enabled on the Live Router!

Wiki has a note about that :) I should RTFM more carefully!
Note: PCC setups is not designed to work if RP Filter is enabled
On another note..If I set it to Loose it works..
Will the default FW rules in forward chain be enough to prevent spoofing attacks?
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
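
As an added illustration of the RP filter finding (this is my own simulation, not code from the thread or from RouterOS), the following models the reverse-path check the way the Linux rp_filter modes are defined and runs it against the routing table from this thread. The interface names ether1-wan and ether4-wan2 and the connected 192.168.20.0/24 and 192.168.15.0/24 networks are taken from the posts; the LAN network 192.168.88.0/24 on "bridge" is assumed from the default config. The check uses the main table only, so the effect of the to_ISP1/to_ISP2 marked routes is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    interface: str
    gateway: Optional[IPv4] = None   # None = connected route
    distance: int = 1


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Main routing table as posted in the thread (LAN route is assumed).
MAIN_TABLE: List[Route] = [
    Route(net("192.168.88.0/24"), "bridge"),
    Route(net("192.168.20.0/24"), "ether1-wan"),
    Route(net("192.168.15.0/24"), "ether4-wan2"),
    Route(net("0.0.0.0/0"), "ether1-wan", IPv4("192.168.20.1"), distance=1),
    Route(net("0.0.0.0/0"), "ether4-wan2", IPv4("192.168.15.1"), distance=2),
]


def best_route(table: List[Route], addr: IPv4) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest distance is active."""
    candidates = [r for r in table if addr in r.dst]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dst.prefixlen, -r.distance))


def rp_filter(table: List[Route], src: IPv4, in_iface: str, mode: str) -> bool:
    """Return True if a packet from src arriving on in_iface passes the filter."""
    if mode == "no":
        return True
    route = best_route(table, src)
    if mode == "loose":
        # loose: any route back to the source is enough
        return route is not None
    if mode == "strict":
        # strict: the active route back to the source must leave on in_iface
        return route is not None and route.interface == in_iface
    raise ValueError(f"unknown rp-filter mode: {mode}")


def pcc_reply_via_wan2_passes(mode: str) -> bool:
    # Reply from the Internet for a connection PCC sent out through ISP2.
    return rp_filter(MAIN_TABLE, IPv4("8.8.8.8"), "ether4-wan2", mode)


def wrong_side_source_passes(mode: str) -> bool:
    # Packet on WAN2 whose source claims to be inside the WAN1 subnet.
    return rp_filter(MAIN_TABLE, IPv4("192.168.20.55"), "ether4-wan2", mode)


if __name__ == "__main__":
    for mode in ("strict", "loose", "no"):
        print(f"{mode:6s} ISP2 reply on ether4-wan2: {pcc_reply_via_wan2_passes(mode)}"
              f"  WAN1-subnet source on ether4-wan2: {wrong_side_source_passes(mode)}")
```

The first case is the thread's symptom: with strict mode the active default route for any Internet source is WAN1, so replies arriving on WAN2 fail the check and WAN2 only works once WAN1 is gone. The second case shows what loose mode gives up: a packet on WAN2 whose source sits in the WAN1 (or LAN) subnet passes because a route to that source exists somewhere, so that kind of mismatch has to be caught by explicit firewall filter rules instead, which is the gap the question about the forward chain defaults is pointing at.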