Tw0kings

PCC With 2 WANs mangle rules

Tue May 11, 2021 1:29 pm

Hi, I have problems with my PCC configuration. As soon as I enable the mangle rules I have difficulties connecting to the internet — for example, no ping to the internet from the MGMT subnetwork.
At the moment failover between WAN1 and WAN2 works, but there is no load balancing.
I'm stuck and can't find out where or what I should change.

My Scheme
Two connections from the same ISP.
ISP cable modem1 in bridge configuration-->CAPaCRouter1Ether2 as WAN1
ISP cable modem2 in bridge configuration-->CAPaCRouter2Ether2_Vlan3-->Switch-->CAPaCRouter1Ether1 Vlan3 as WAN2

Here is CAPaCRouter1 configuration

# VLAN interfaces (the "/interface vlan" section header is missing from the paste;
# presumably these lines belong to it — confirm against the full export).
# Six LAN/MGMT/VoIP VLANs hang off the bridge; VLAN 3 (the WAN2 uplink) is bound
# directly to ether1, which is also added as a bridge port further down, so the
# WAN2 transit VLAN and the LAN VLANs share one physical trunk port.
add interface=bridge name=InternetVlan10 vlan-id=10
add interface=ether1 name=Internet_VLAN3 vlan-id=3
add interface=bridge name=KaameradVLAN20 vlan-id=20
add interface=bridge name=MGMTVlan99 vlan-id=99
add interface=bridge name=SuperuserVLAN40 vlan-id=40
add interface=bridge name=UksedVLAN30 vlan-id=30
add interface=bridge name=VoIP_VLAN50 vlan-id=50

/interface ethernet switch port
# Switch-chip port VLAN handling: port 0 tags untagged ingress frames and enforces
# secure mode; port 2 only enforces secure mode. Which physical ports the indices
# 0 and 2 correspond to is not shown here — confirm with
# "/interface ethernet switch port print".
set 0 vlan-header=add-if-missing vlan-mode=secure
set 2 vlan-mode=secure

/interface list
# Interface lists referenced by the mangle, NAT and discovery settings below.
# WAN/LAN are the default-config lists; WAN1/WAN2 separate the two uplinks for the
# per-WAN connection marks and masquerade, ALLLAN is the "everything internal" list
# used as in-interface-list by the PCC rules, and MGMT scopes neighbor discovery.
# Membership is assigned under "/interface list member".
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
add name=ALLLAN
add name=WAN1
add name=WAN2

/ip pool
# DHCP pools, one per VLAN. The MGMT pool covers only .100-.120 (21 addresses);
# the other pools start at .20 or .50, leaving the low part of each subnet free
# for static assignments.
add name=MGMTvlan99 ranges=192.168.99.100-192.168.99.120
add name=InternetVLAN10 ranges=192.168.10.20-192.168.10.254
add name=KaameradVLAN20 ranges=192.168.20.50-192.168.20.99
add name=UksedVLAN30 ranges=192.168.30.50-192.168.30.99
add name=SuperuserVLAN40 ranges=192.168.40.50-192.168.40.99
add name=VoIP_VLAN50 ranges=192.168.50.10-192.168.50.20

/ip dhcp-server
# One DHCP server per VLAN interface. MGMT leases last 3 days, the user VLANs
# 30 minutes; the VoIP server keeps the RouterOS default lease-time (not set here).
add address-pool=MGMTvlan99 disabled=no interface=MGMTVlan99 lease-time=3d \
name=MGMTVlan99
add address-pool=InternetVLAN10 disabled=no interface=InternetVlan10 \
lease-time=30m name=InternetVLAN10
add address-pool=KaameradVLAN20 disabled=no interface=KaameradVLAN20 \
lease-time=30m name=KaameradVLAN20
add address-pool=UksedVLAN30 disabled=no interface=UksedVLAN30 lease-time=30m \
name=UksedVLAN30
add address-pool=SuperuserVLAN40 disabled=no interface=SuperuserVLAN40 \
lease-time=30m name=SuperuserVLAN40
add address-pool=VoIP_VLAN50 disabled=no interface=VoIP_VLAN50 name=\
VoIP_VLAN50

/interface bridge port
# Bridge members: three wireless interfaces plus ether1. ether1 is the same port
# that carries the tagged WAN2 uplink (Internet_VLAN3). Whether the bridge does its
# own VLAN filtering is not shown in this paste (no "/interface bridge" line with
# vlan-filtering); as exported, VLAN separation on ether1 rests on the switch-chip
# VLAN table below — confirm that untagged frames arriving on ether1 cannot reach
# the LAN bridge.
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge interface=ether1

/ip neighbor discovery-settings
# Neighbor discovery (MNDP/LLDP/CDP) is restricted to interfaces in the MGMT list,
# so the router does not advertise itself on the user VLANs or the WAN links.
set discover-interface-list=MGMT

/ip settings
# rp-filter=strict drops a packet whose source address would not be routed back out
# the interface it arrived on. With the routing-mark tables used below (to_wan1 /
# to_wan2) that reverse lookup can disagree with the ingress interface, which the
# reply in this thread identifies as the cause of the connectivity loss;
# rp-filter=loose keeps an anti-spoofing check (the source must be routable
# somewhere) without that failure mode.
# tcp-syncookies=yes protects the router's own listening services against SYN floods.
set rp-filter=strict tcp-syncookies=yes

/interface ethernet switch vlan
# Switch-chip VLAN table: every VLAN (10, 20, 30, 40, 99, 3, 50) is allowed on ether1
# and the CPU port only, with independent-learning=no (one shared MAC table). VLAN 3 is
# the WAN2 transit VLAN, so the uplink towards CAPaCRouter2 and the LAN VLANs travel
# over the same trunk; how the trunk treats untagged or unlisted VLAN frames is not
# shown in this paste.
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=\
10
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=\
20
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=\
30
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=\
40
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=\
99
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=3
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=\
50

/interface list member
# List membership. Note what is NOT here: VoIP_VLAN50 belongs to no list at all, so
# the mangle rules matching in-interface-list=ALLLAN never see VoIP traffic (it is
# routed by the main table only, i.e. via WAN1 while that is up) and any filter rule
# keyed on LAN or ALLLAN would not cover it either. MGMTVlan99 is in MGMT and ALLLAN
# but not in LAN. Internet_VLAN3 and ether2 are both in WAN and additionally in
# WAN2 / WAN1 respectively.
add comment=defconf interface=Internet_VLAN3 list=WAN
add interface=MGMTVlan99 list=MGMT
add interface=InternetVlan10 list=LAN
add interface=KaameradVLAN20 list=LAN
add interface=SuperuserVLAN40 list=LAN
add interface=UksedVLAN30 list=LAN
add interface=ether2 list=WAN
add interface=InternetVlan10 list=ALLLAN
add interface=KaameradVLAN20 list=ALLLAN
add interface=MGMTVlan99 list=ALLLAN
add interface=SuperuserVLAN40 list=ALLLAN
add interface=UksedVLAN30 list=ALLLAN
add interface=ether2 list=WAN1
add interface=Internet_VLAN3 list=WAN2

/ip address
# Router addresses per VLAN. MGMT uses .22 rather than .1 — the same address the DHCP
# networks hand out as gateway for VLAN 99 and as DNS server for every VLAN.
# 192.168.3.2/24 on Internet_VLAN3 is the transit address towards CAPaCRouter2
# (192.168.3.1 per the host route under /ip route). No WAN1 address on ether2 is
# listed here, consistent with it being obtained by the (omitted) dhcp-client.
add address=192.168.99.22/24 interface=MGMTVlan99 network=192.168.99.0
add address=192.168.10.1/24 interface=InternetVlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=KaameradVLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=UksedVLAN30 network=192.168.30.0
add address=192.168.40.1/24 interface=SuperuserVLAN40 network=192.168.40.0
add address=192.168.50.1/24 interface=VoIP_VLAN50 network=192.168.50.0
add address=192.168.3.2/24 interface=Internet_VLAN3 network=192.168.3.0

/ip dhcp-client
# The dhcp-client entries were left out of the paste ("Script!!" is the author's
# placeholder, not valid export syntax). Presumably a script sets up the WAN1 client
# on ether2 and maintains the wanSubnets address-list entry and the 212.7.26.1 host
# route that depend on ISP-assigned values — confirm.
Script!!


/ip dhcp-server network
# Per-VLAN DHCP options. Every network, including the user VLANs, hands out
# 192.168.99.22 (the router's MGMT address) as DNS server, so clients on all VLANs
# must be able to reach that MGMT-subnet address on port 53. An inter-VLAN filter
# that isolates MGMT has to allow exactly that, or each VLAN's own gateway address
# could be handed out as DNS server instead.
add address=192.168.10.0/24 dns-server=192.168.99.22 gateway=192.168.10.1 \
netmask=24
add address=192.168.20.0/24 dns-server=192.168.99.22 gateway=192.168.20.1 \
netmask=24
add address=192.168.30.0/24 dns-server=192.168.99.22 gateway=192.168.30.1 \
netmask=24
add address=192.168.40.0/24 dns-server=192.168.99.22 gateway=192.168.40.1 \
netmask=24
add address=192.168.50.0/24 dns-server=192.168.99.22 gateway=192.168.50.1 \
netmask=24
add address=192.168.99.0/24 dns-server=192.168.99.22 gateway=192.168.99.22 \
netmask=24

/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from clients — on
# every interface it can receive on, WAN included. No "/ip firewall filter" rules
# appear in this paste; unless the input chain drops TCP/UDP 53 arriving from the
# WAN lists, the router is an open resolver reachable from the internet.
# Also note the host routes under /ip route pin 8.8.8.8 to WAN1 and 8.8.4.4 to WAN2,
# so the router's own upstream queries are split between the uplinks the same way.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall address-list
# wanSubnets holds the ISP-facing subnet of WAN1; the trailing "; From script" is the
# author's annotation (not valid export syntax) saying a script maintains this entry.
# "Lubatud aadressid" (apparently Estonian for "allowed addresses") lists all six
# internal /24s and is used by the first mangle rule to keep inter-VLAN traffic
# unmarked; the MGMT list repeats 192.168.99.0/24 for management-specific rules.
add address=212.7.26.0/24 comment=wan0 list=wanSubnets; From script
add address=192.168.10.0/24 comment="Lubatud sisevorgu aadressi vahemik" \
list="Lubatud aadressid"
add address=192.168.20.0/24 comment="Lubatud sisevorgu aadressi vahemik" \
list="Lubatud aadressid"
add address=192.168.30.0/24 comment="Lubatud sisevorgu aadressi vahemik" \
list="Lubatud aadressid"
add address=192.168.40.0/24 comment="Lubatud sisevorgu aadressi vahemik" \
list="Lubatud aadressid"
add address=192.168.99.0/24 comment="MGMT IP vahemik" list=MGMT
add address=192.168.50.0/24 comment="Lubatud sisevorgu aadressi vahemik" \
list="Lubatud aadressid"
add address=192.168.99.0/24 comment="Lubatud sisevorgu aadressi vahemik" \
list="Lubatud aadressid"

/ip firewall mangle
# PCC load balancing across WAN1/WAN2. Rule order matters; each comment describes
# the "add" lines that follow it.
# Rules 1-3: stop mangle processing for LAN traffic whose destination is internal,
# the WAN1 ISP subnet, or the WAN2 transit subnet, so such traffic never gets a
# routing mark. Rule 1 already covers every internal /24, so rules 2-3 only match
# when a LAN host addresses the ISP or transit subnet directly — probably rare,
# which would explain their counters staying at zero. Rule 1 sets log-prefix but
# not log=yes, so it logs nothing.
add action=accept chain=prerouting dst-address-list="Lubatud aadressid" \
in-interface-list=ALLLAN log-prefix="accept prerout"
add action=accept chain=prerouting dst-address-list=wanSubnets \
in-interface-list=ALLLAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 \
in-interface-list=ALLLAN
# Rules 4-5: remember which WAN a new inbound connection arrived on so replies leave
# the same way. They match any still-unmarked packet from WAN1/WAN2, so they rely on
# filter rules (not shown in this paste) to drop unsolicited WAN traffic.
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface-list=WAN1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface-list=WAN2 new-connection-mark=wan2_conn passthrough=yes
# Rules 6-7: split new outbound LAN connections across the two WANs with
# per-connection-classifier both-addresses:2/0 and 2/1; dst-address-type=!local
# excludes traffic addressed to the router itself.
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=ALLLAN new-connection-mark=\
wan1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=ALLLAN new-connection-mark=\
wan2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
# Rules 8-9: turn the connection mark into a routing mark for forwarded packets.
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
in-interface-list=ALLLAN new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
in-interface-list=ALLLAN new-routing-mark=to_wan2 passthrough=yes
# Rules 10-11: the same for router-originated packets belonging to a marked
# connection (passthrough=no, so mangle processing ends here).
add action=mark-routing chain=output connection-mark=wan1_conn \
new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output connection-mark=wan2_conn \
new-routing-mark=to_wan2 passthrough=no

/ip firewall nat
# Source NAT per uplink. Traffic leaving via WAN2 is masqueraded to 192.168.3.2 and
# then, presumably, NATed again by CAPaCRouter2 in front of cable modem 2 (double NAT
# on the WAN2 path) — confirm on that router.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN2


/ip route
# Recursive next-hop routing. The two scope=10 host routes at the bottom pin 8.8.8.8
# to the WAN1 gateway 212.7.26.1 and 8.8.4.4 to the WAN2 gateway 192.168.3.1; every
# other route uses one of those two public addresses as gateway and therefore
# inherits the reachability of its host route (check-gateway=ping on the host route
# is what actually tests the uplink).
# to_wan1 / to_wan2 tables: preferred WAN at distance 1, the other WAN at distance 2
# as failover. Main table (no routing-mark): WAN1 at distance 1, WAN2 at distance 2.
# Consequences worth knowing: all traffic to 8.8.8.8 itself always leaves via WAN1
# and to 8.8.4.4 via WAN2, including the router's own DNS queries; and the WAN1
# gateway 212.7.26.1 is hard-coded here although WAN1 appears to be DHCP-assigned —
# if the address-list script does not also update this route, an ISP gateway change
# would break WAN1 detection.
add check-gateway=ping comment=to_wan1 distance=1 gateway=8.8.8.8 \
routing-mark=to_wan1
add check-gateway=ping comment=to_wan1 distance=2 gateway=8.8.4.4 \
routing-mark=to_wan1
add check-gateway=ping comment=" to_wan2" distance=1 gateway=8.8.4.4 \
routing-mark=to_wan2
add check-gateway=ping comment=" to_wan2" distance=2 gateway=8.8.8.8 \
routing-mark=to_wan2
add check-gateway=ping comment=to_wan1 distance=1 gateway=8.8.8.8
add check-gateway=ping comment=" to_wan2" distance=2 gateway=8.8.4.4
add check-gateway=ping comment=" to_wan2" distance=1 dst-address=8.8.4.4/32 \
gateway=192.168.3.1 scope=10
add check-gateway=ping comment=to_wan1 distance=1 dst-address=8.8.8.8/32 \
gateway=212.7.26.1 scope=10

Maybe the problem is that the ether1 interface is a bridge port and with this hardware I can't achieve what I want. Do I need more ports?
 
issme

Re: PCC With 2 WANs mangle rules

Tue May 11, 2021 9:32 pm

Under /ip settings you have rp-filter set to strict; this does not work correctly with routing tables, per https://wiki.mikrotik.com/wiki/Manual:I ... Properties

Try setting rp-filter to loose and see if that resolves it.
 
Tw0kings

Re: PCC With 2 WANs mangle rules

Thu May 13, 2021 4:56 pm

Under /ip settings you have rp-filter set to strict ; this does not work correctly with routing tables per https://wiki.mikrotik.com/wiki/Manual:I ... Properties

Try setting your rp-filter to loose and see if that helps resolve.
Thank you, issme!
It seems to have helped.

I have a question: when I monitor my firewall I don't see any hits on these mangle rules:

# Quoted from the mangle section above. These two accept rules only match LAN packets
# addressed directly to the WAN1 ISP subnet (wanSubnets) or to the 192.168.3.0/24
# transit subnet — destinations that ordinary internet or inter-VLAN traffic never
# carries — so zero counters most likely just mean no such packets have been sent.
add action=accept chain=prerouting dst-address-list=wanSubnets \
in-interface-list=ALLLAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 \
in-interface-list=ALLLAN

Why is it so?
