RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

PCC with 6 DSL lines?

Wed Sep 22, 2010 1:46 pm

Hi Guys

I am doing PCC load balancing with 6 WAN/DSL lines and it works. What I want to know is: what is the best way to configure the classifier in the NAT? I am running a single RB1100 router for my internet gateway with the 6 DSLs attached, with only 1 RB800 router behind it (ether01), which has all the wireless interfaces on it. I am still marking all port 443 traffic to route through its own gateway for banking sites. Can someone tell me if this config is right? :?

Thanks

  /ip firewall mangle
add action=mark-routing chain=prerouting comment=HTTPS disabled=no dst-port=\
    443 new-routing-mark="HTTPS 443" passthrough=yes protocol=tcp
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    ether02 new-connection-mark=lb1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    ether03 new-connection-mark=lb2_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    ether05 new-connection-mark=adsl5_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    ether06 new-connection-mark=adsl6_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    ether07 new-connection-mark=adsl7_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    ether08 new-connection-mark=adsl8.1_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=lb1_conn \
    disabled=no new-routing-mark=to_lb1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=lb2_conn \
    disabled=no new-routing-mark=to_lb2 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl5.1_conn \
    disabled=no new-routing-mark=to_adsl5.1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl6.1_conn \
    disabled=no new-routing-mark=to_adsl6.1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl7.1_conn \
    disabled=no new-routing-mark=to_adsl7.1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl8.1_conn \
    disabled=no new-routing-mark=to_adsl8.1 passthrough=yes
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    172.168.0.0/24 in-interface=ether01
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    172.168.2.0/24 in-interface=ether01
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    172.168.5.0/24 in-interface=ether01
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    172.168.6.0/24 in-interface=ether01
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    172.168.7.0/24 in-interface=ether01
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    172.168.8.0/24 in-interface=ether01
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=ether01 new-connection-mark=lb1_conn \
    passthrough=yes per-connection-classifier=dst-address-and-port:6/0
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=ether01 new-connection-mark=lb2_conn \
    passthrough=yes per-connection-classifier=dst-address-and-port:6/1
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=ether01 new-connection-mark=\
    adsl5.1_conn passthrough=yes per-connection-classifier=\
    dst-address-and-port:6/2
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=ether01 new-connection-mark=\
    adsl6.1_conn passthrough=yes per-connection-classifier=\
    dst-address-and-port:6/3
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=ether01 new-connection-mark=\
    adsl7.1_conn passthrough=yes per-connection-classifier=\
    dst-address-and-port:6/4
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=ether01 new-connection-mark=\
    adsl8.1_conn passthrough=yes per-connection-classifier=\
    dst-address-and-port:6/5
add action=mark-routing chain=prerouting comment="" connection-mark=lb1_conn \
    disabled=no in-interface=ether01 new-routing-mark=to_lb1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=lb2_conn \
    disabled=no in-interface=ether01 new-routing-mark=to_lb2 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
    adsl5.1_conn disabled=no in-interface=ether01 new-routing-mark=to_adsl5.1 \
    passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
    adsl6.1_conn disabled=no in-interface=ether01 new-routing-mark=to_adsl6.1 \
    passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
    adsl7.1_conn disabled=no in-interface=ether01 new-routing-mark=to_adsl7.1 \
    passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
    adsl8.1_conn disabled=no in-interface=ether01 new-routing-mark=to_adsl8.1 \
    passthrough=yes
add action=mark-connection chain=prerouting comment="ICMP Traffic " disabled=\
    no new-connection-mark=icmp-con passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting comment="" connection-mark=icmp-con \
    disabled=no new-packet-mark=icmp-pac passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting comment=HTTPTraffic disabled=no \
    dst-port=0-65535 new-connection-mark=HTTP-con passthrough=yes protocol=\
    tcp
add action=mark-packet chain=prerouting comment="" connection-mark=HTTP-con \
    disabled=no dst-port=0-65535 new-packet-mark=HTTP-pac passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting comment="p2p traffic" disabled=no \
    new-connection-mark=p2p-con p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=p2p-con \
    disabled=no new-packet-mark=p2p-flow p2p=all-p2p passthrough=yes
add action=mark-connection chain=prerouting comment="SMTP Traffic" disabled=\
    no dst-port=25 new-connection-mark=smtp-con passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=smtp-con \
    disabled=no dst-port=25 new-packet-mark=smtp-flow passthrough=yes \
    protocol=tcp 
Last edited by RAHQGideon on Thu Oct 07, 2010 12:40 pm, edited 2 times in total.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: PCC with 6 DSL lines?

Wed Sep 22, 2010 3:15 pm

As long as the items in the HTTPS chain don't have passthrough set to yes you are probably fine. If they do passthrough, the packet will return to the calling chain at the end of the custom chain and then your connection and routing marks will be overwritten as if the HTTPS chain never happened.
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Wed Sep 22, 2010 4:13 pm

Each interface has its own 0.0.0.0/24 route for its routing mark. Does there need to be one without a routing mark pointing to one of the WAN ports (everything else, like in Per Traffic Load Balancing)? The reason I am asking is that I cannot ping websites from the router; it says "no route to host".
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Thu Sep 23, 2010 11:09 am

I am clearly doing something wrong here. YouTube and streaming audio keep hanging. I don't know if my connection classifier is causing this. What would be the best config here?

dst address and port
both addresses
Last edited by RAHQGideon on Thu Oct 07, 2010 12:41 pm, edited 1 time in total.
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Mon Sep 27, 2010 1:00 pm

At least tell me what classifier you guys are using?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: PCC with 6 DSL lines?

Mon Sep 27, 2010 5:13 pm

http://wiki.mikrotik.com/wiki/How_PCC_works_(beginner)

That article describes in detail how PCC works, including the classifiers. From there you should be able to figure out what classifiers to use to make connections that require stable endpoints work.
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Mon Sep 27, 2010 9:22 pm

Hi fewi

Thanks, I have read this before and appreciate your effort. But I would like to know what other users using PCC have found to be the best. I have got the connection a bit better but am still struggling with YouTube and some downloads hanging.

Regards
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: PCC with 6 DSL lines?

Tue Sep 28, 2010 1:11 pm

the best one is 'src-address' =) user is stuck to some uplink and will not move to another one
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Tue Sep 28, 2010 6:09 pm

Thanks Chupaka. src address and port, or src address only? Bear in mind I have only 1 router connected to the gateway router doing the PCC.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: PCC with 6 DSL lines?

Tue Sep 28, 2010 6:26 pm

src-address is the most stable. Because of that it will take more end users to balance load fairly. If you only have two end users, for example, both of their src-address hashes could end up being the same mod 6, and you'd only use one DSL line for both. If you have lots of users it should work fine. src-address-and-port will be more random and distribute load better, but will also be less stable for end users and they might have problems. It's a trade off. What exactly works for you you'll have to find out by experiment.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: PCC with 6 DSL lines?

Tue Sep 28, 2010 7:38 pm

We like to use src-address and dst-address as the classifier. This gives a fair amount of randomness and is stable: anytime an end user goes to a web site (assuming it always resolves to the same IP), they always go out of the same connection.
 
fnkysknky
just joined
Posts: 4
Joined: Wed Jun 13, 2007 3:26 pm

Re: PCC with 6 DSL lines?

Sun Oct 03, 2010 12:02 pm

> We like to use src-address and dst-address as the classifier. This gives a fair amount of randomness and is stable: anytime an end user goes to a web site (assuming it always resolves to the same IP), they always go out of the same connection.

I do the same and it works very well, no problems reported by users and a nice balance of traffic.
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Mon Oct 04, 2010 3:32 pm

I have been running it with both addresses for a couple of days and it looks OK. I am getting downloads that hang quite frequently, any ideas what can cause this?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: PCC with 6 DSL lines?

Tue Oct 05, 2010 11:47 am

does it hang on start of download or during the download?
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Tue Oct 05, 2010 2:46 pm

Sometimes at the start, sometimes halfway, there is no way of telling really. YouTube also hangs about halfway through. I am finding PCC very unstable.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: PCC with 6 DSL lines?

Wed Oct 06, 2010 12:26 pm

PCC can't be unstable. probably, your config is unstable - we didn't see it. at first, try 'src-address' as classifier. also, I saw a few times how people setup PCC balancing with ECMP routes, and actually ECMP was working, not PCC-based balancing...
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Thu Oct 07, 2010 12:31 pm

This is my current config, please tell me what I am doing wrong. My src address is always the same as there is only 1 router connected to this RB. Thanks !

Mangle
add action=mark-routing chain=prerouting comment=HTTPS disabled=no dst-port=443 new-routing-mark="HTTPS 443" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment=POP3 disabled=no dst-port=110 new-routing-mark="POP3 110" passthrough=no protocol=tcp
add action=mark-connection chain=input comment="" disabled=no in-interface=ether01 new-connection-mark=adsl5.1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether02 new-connection-mark=adsl6.1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether03 new-connection-mark=adsl7.1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether04 new-connection-mark=adsl8.1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether05 new-connection-mark=adsl9.1_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl5.1_conn disabled=no new-routing-mark=to_adsl5.1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=adsl6.1_conn disabled=no new-routing-mark=to_adsl6.1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=adsl7.1_conn disabled=no new-routing-mark=to_adsl7.1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=adsl8.1_conn disabled=no new-routing-mark=to_adsl8.1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=adsl9.1_conn disabled=no new-routing-mark=to_adsl9.1 passthrough=no
add action=accept chain=prerouting comment="" disabled=no dst-address=172.168.5.0/24 in-interface=local
add action=accept chain=prerouting comment="" disabled=no dst-address=172.168.6.0/24 in-interface=local
add action=accept chain=prerouting comment="" disabled=no dst-address=172.168.7.0/24 in-interface=local
add action=accept chain=prerouting comment="" disabled=no dst-address=172.168.8.0/24 in-interface=local
add action=accept chain=prerouting comment="" disabled=no dst-address=172.168.9.0/24 in-interface=local
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-list="!Bypass PCC" dst-address-type=!local in-interface=local new-connection-mark=\
    adsl5.1_conn passthrough=yes per-connection-classifier=both-addresses:5/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-list="!Bypass PCC" dst-address-type=!local in-interface=local new-connection-mark=\
    adsl6.1_conn passthrough=yes per-connection-classifier=both-addresses:5/1
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-list="!Bypass PCC" dst-address-type=!local in-interface=local new-connection-mark=\
    adsl7.1_conn passthrough=yes per-connection-classifier=both-addresses:5/2
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-list="!Bypass PCC" dst-address-type=!local in-interface=local new-connection-mark=\
    adsl8.1_conn passthrough=yes per-connection-classifier=both-addresses:5/3
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-list="!Bypass PCC" dst-address-type=!local in-interface=local new-connection-mark=\
    adsl9.1_conn passthrough=yes per-connection-classifier=both-addresses:5/4
add action=mark-routing chain=prerouting comment="" connection-mark=adsl5.1_conn disabled=no in-interface=local new-routing-mark=to_adsl5.1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=adsl6.1_conn disabled=no in-interface=local new-routing-mark=to_adsl6.1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=adsl7.1_conn disabled=no in-interface=local new-routing-mark=to_adsl7.1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=adsl8.1_conn disabled=no in-interface=local new-routing-mark=to_adsl8.1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=adsl9.1_conn disabled=no in-interface=local new-routing-mark=to_adsl9.1 passthrough=yes
Nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether01
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether02
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether03
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether04
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether05
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether07
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether08
Routes
add comment="HTTPS Traffic" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=196.214.57.97 routing-mark="HTTPS 443" scope=30 target-scope=10
add comment="POP3 Traffic LB2" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.2.2 routing-mark="POP3 110" scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.5.2 routing-mark=to_adsl5.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.6.2 routing-mark=to_adsl6.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.7.2 routing-mark=to_adsl7.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.8.2 routing-mark=to_adsl8.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.9.2 routing-mark=to_adsl9.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.168.5.2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=172.168.6.2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=172.168.7.2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=4 dst-address=0.0.0.0/0 gateway=172.168.8.2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=172.168.9.2 scope=30 target-scope=10
add comment="Router Deafault Route" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=172.168.2.2 scope=30 target-scope=10
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: PCC with 6 DSL lines?

Fri Oct 08, 2010 9:07 pm

> what I am doing wrong. My src address is always the same as there is only 1 router connected to this RB. Thanks !

so, you do double NAT - on both routes? that's wrong. don't NAT on first router, use 'src-address' as classifier and recheck
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Sat Oct 09, 2010 12:12 pm

If I disable the NAT on the router behind the gateway everything dies. My mail server is also attached to this and I can't ping it then.

PS. If I use src address all internet traffic goes through 1 DSL connection. The rest goes to 0kbps
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: PCC with 6 DSL lines?

Mon Oct 11, 2010 4:34 pm

make a drawing of your network. also, check 'traceroute' from the client to the Internet with first NAT enabled and disabled
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Thu Oct 14, 2010 3:51 pm

Does this help?

[Attached image: Network.jpg]
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: PCC with 6 DSL lines?

Fri Oct 15, 2010 7:31 am

should work with NAT only on RB1100 =)
also, check 'traceroute' from the client to the Internet with first NAT enabled and disabled
 
RAHQGideon
newbie
Topic Author
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: PCC with 6 DSL lines?

Tue Oct 19, 2010 5:40 pm

OK, I have only 1 NAT now on my RB1100. Src address is now the client router IP. Tried src address as the classifier with no luck. Still having major issues with downloads and streaming but I think my ISP is screwing me around. Changing ISPs this week.
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: PCC with 6 DSL lines?

Sat Oct 30, 2010 1:50 am

ok, been reading this with interest.

I am doing similar. PCC for two ADSL lines.
Indeed like fewi wrote, you have to make sure all clients' traffic knocks at the door of the router performing PCC with their src address and port. If you want to do PCC you want different source addresses and ports isn't it?

Of course in this case your rb1100 has to have all networks from your clients in its routing table with one gateway, the rb1000. Hereafter the rb1000 takes care with routing of distributing the return traffic back to the clients requesting it.
But this is all relatively basic routing procedure.

What I don't understand is that some people write PCC based on src AND dst address works fine.
Imagine this:

Client with A sends a request to internet bank server xxx.xxx.xxx.xxx on port 80.
This request goes out over WAN1 because PCC told it to do so. It gets WAN1 IP from NAT.
Bankserver xxx.xxx.xxx.xxx responds with sending client's browser data to build authentication page, which also gives browser new IP for secure bank server with IP xxx.xxx.xxx.yyy and port 443. Server registers IP of client (the IP belonging to WAN1).
Client logs into authentication website. By pressing 'send' this data is now https and goes to a secure server. The rb1100 'sees' this connection as 'new' (because new src-dst address combination) and might use WAN2 to send this traffic out.

Now Bankserver as an extra security measure checks original authentication request client IP against login client IP and if they are not the same closes the connection.
Your authentication failed. (After all, this might be a 'break-in' attempt from criminal trying to steal your money with your account details.)

The problem is that not all secure server systems work that way. And also PCC might give user same WAN each time by luck and everything works. When I started to use it on 150+ clients it took some weeks to realize people's complaints about 'erratic' behaviour of browsing was due to this. (Not only banking sites are affected. Also some web based mail servers, social sites etc.)

I then tried "src-address + port" combination but soon found out it is also not working because, as I showed, even the port jump in one session might jump to other WAN due to this PCC.
I changed PCC to 'src-address' only and the problem disappeared.

Still two considerations on this:
1. Some internet services, like rapidshare, don't like it when their subscribed clients use different IPs all the time. I actually had one client that showed me an e-mail from them with a log of his login IPs, which were indeed my 5 (!) different WAN IPs I used at the time. Each individual time he logged in it came from different IP address in a period of days. (I actually have a problem with this behaviour. What if client is world traveler that uses hotspots around the world to log in? He was a 'premium' client and paid for the service but after some months he was still denied access!)
I had to set him up a dedicated router for the rapidshare servers, so that traffic always uses one dedicated WAN. He is not getting warnings from Rapidshare any more so one more happy client!

2. Negative impact I still have now is that first WAN1 consistently gets more traffic than WAN2.
I have seen topic about this before but don't seem to find it anymore..

This last issue is still a query for me. I can change the router markers for the PCC so actual lines are swapped but the first PCC rule in mangle just seems to collect more traffic than the following PCC markers. I haven't found a solution for this.
(I have 150+ users going through this process so although on a short time period some imbalance can be expected (one client doing heavy downloads while others are not doing much) over a period of several days it should balance out well. But I still see a consistent heavier traffic use produced by the first PCC than the second.)
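
Added example, not part of any post above and not RouterOS code: a small Python model of the classifier trade-off this thread keeps returning to. It hashes the fields each classifier uses and takes the remainder modulo the number of lines, then compares routed clients with clients hidden behind an inner NAT. The truncated SHA-256 hash, the 10.10.0.x and 203.0.113.x addresses, the inner-router IP and all function names are assumptions made for the illustration.

```python
import hashlib
from collections import Counter

# Header fields each classifier feeds into the hash (names as in the thread).
CLASSIFIER_FIELDS = {
    "src-address": ("src",),
    "both-addresses": ("src", "dst"),
    "src-address-and-port": ("src", "sport"),
    "dst-address-and-port": ("dst", "dport"),
}


def pcc_bucket(conn, classifier, lines):
    """Remainder that picks the uplink, i.e. the R in classifier:lines/R."""
    material = "|".join(str(conn[f]) for f in CLASSIFIER_FIELDS[classifier])
    # Assumption: SHA-256 truncated to 32 bits stands in for RouterOS's hash.
    digest = hashlib.sha256(material.encode()).digest()
    return int.from_bytes(digest[:4], "big") % lines


def make_connections(n_clients, n_servers):
    """Constructed sample: every client opens one HTTPS connection per server."""
    return [
        {"src": f"10.10.0.{c}", "sport": 40000 + s,
         "dst": f"203.0.113.{s}", "dport": 443}
        for c in range(1, n_clients + 1)
        for s in range(1, n_servers + 1)
    ]


def behind_nat(conns, nat_ip):
    """The same connections as the PCC router sees them after an inner NAT."""
    return [dict(c, src=nat_ip) for c in conns]


def uplinks_per_source(conns, classifier, lines):
    """Map each source address to the set of uplinks its connections use."""
    seen = {}
    for c in conns:
        seen.setdefault(c["src"], set()).add(pcc_bucket(c, classifier, lines))
    return seen


def line_usage(conns, classifier, lines):
    """Connections carried by each uplink, indexed by remainder."""
    counts = Counter(pcc_bucket(c, classifier, lines) for c in conns)
    return [counts[i] for i in range(lines)]


if __name__ == "__main__":
    LINES = 5  # as in the both-addresses:5/x rules posted above
    routed = make_connections(40, 20)
    natted = behind_nat(routed, "192.168.88.2")  # constructed inner-router IP
    for name in CLASSIFIER_FIELDS:
        per_src = uplinks_per_source(routed, name, LINES)
        worst = max(len(s) for s in per_src.values())
        print(f"{name:22} routed={line_usage(routed, name, LINES)} "
              f"natted={line_usage(natted, name, LINES)} "
              f"max uplinks per client={worst}")
```

With src-address every routed client stays on one line, but once an inner router NATs all clients to a single address the same classifier puts every connection on one line; both-addresses spreads load in either case at the cost of one client reaching different servers from different WAN addresses.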
