namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

problem using a forum with pcc load balance

Sat Jul 02, 2011 5:16 pm

I have combined two equal ADSL lines using PCC. There is a forum (http://www.****.com), and when I log in to the forum, the forum signs me out and I have to log in again. Next, I tried connecting to one of the modems directly and I was able to use the forum normally. Next, I connected to the other ADSL modem and the forum logged me out.

I think the forum doesn't allow the user to log in from two IP addresses.

What should I do?


Note: the code that I am using:
/ip firewall address-list
add list=exempt-from-pcc address=192.168.9.168/32
add list=exempt-from-pcc address=192.168.3.168/32

/ip firewall mangle
add chain=prerouting dst-address-list=exempt-from-pcc action=accept


/ip address
add address=192.168.9.60/24 broadcast=192.168.9.255 comment="" disabled=no interface=wan1 network=192.168.9.0
add address=192.168.3.60/24 broadcast=192.168.3.255 comment="" disabled=no interface=wan2 network=192.168.3.0
add address=192.168.1.168/24 broadcast=192.168.1.255 comment="" disabled=no interface=lan network=192.168.1.0

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=wan1 new-connection-mark=wan1_conn passthrough=yes    
add action=mark-connection chain=input comment="" disabled=no in-interface=wan2 new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan1_conn disabled=no new-routing-mark=wan1 passthrough=yes    
add action=mark-routing chain=output comment="" connection-mark=wan2_conn disabled=no new-routing-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0  
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=wan1_conn disabled=no in-interface=lan new-routing-mark=wan1 passthrough=yes    
add action=mark-routing chain=prerouting comment="" connection-mark=wan2_conn disabled=no in-interface=lan new-routing-mark=wan2 passthrough=yes

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 routing-mark=wan1 scope=30 target-scope=10    
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.168 routing-mark=wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.3.168 scope=30 target-scope=10

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan2
/ip dns set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 
Last edited by namo on Sun Jul 10, 2011 4:44 am, edited 3 times in total.
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: problem using a forum with pcc load balance

Sat Jul 02, 2011 8:13 pm

In PCC classifier use src-address.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Sun Jul 03, 2011 2:00 pm

Before, I had the following code to access the modem pages of the two modems.
/ip firewall address-list
add list=exempt-from-pcc address=192.168.9.168/32
add list=exempt-from-pcc address=192.168.3.168/32
/ip firewall mangle
add chain=prerouting dst-address-list=exempt-from-pcc action=accept
I have added the following line
/ip firewall address-list
add list=exempt-from-pcc address=x.x.x.x/32 
where x.x.x.x is the IP of the forum.

Now it is working, but it is a bit slow. The forum might be the one that is slow.
Last edited by namo on Sun Jul 10, 2011 4:43 am, edited 1 time in total.
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: problem using a forum with pcc load balance

Sun Jul 03, 2011 5:47 pm

/ip firewall address-list
add list=exempt-from-pcc address=x.x.x.x/32
This way, your forum will make use of your default route.
You will still have problems with secure sites and some game servers unless you make use of src-address in PCC classifier.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Sat Jul 09, 2011 1:25 pm

/ip firewall address-list
add list=exempt-from-pcc address=x.x.x.x/32
This way, your forum will make use of your default route.
You will still have problems with secure sites and some game servers unless you make use of src-address in PCC classifier.
How to do that?
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: problem using a forum with pcc load balance

Sat Jul 09, 2011 4:02 pm

Have a look at the MikroTik wiki on PCC; they have a nice example and description.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Sun Jul 10, 2011 4:22 am

It turns out that there are many forums that have the same problem as that forum (they do not allow a user to log in from two different IPs at the same time). Do I have to add their IPs one by one as my users requested?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: problem using a forum with pcc load balance

Sun Jul 10, 2011 4:40 am

You've been told the solution twice already in this thread: use src-address as the classifier. The manuals outline how.
http://wiki.mikrotik.com/wiki/Manual:PCC#Theory
http://wiki.mikrotik.com/wiki/How_PCC_works_(beginner)
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Mon Jul 11, 2011 6:37 am

You've been told the solution twice already in this thread: use src-address as the classifier. The manuals outline how.
http://wiki.mikrotik.com/wiki/Manual:PCC#Theory
http://wiki.mikrotik.com/wiki/How_PCC_works_(beginner)
Do you mean that I should change the "per-connection-classifier" from both-addresses-and-ports to src-address-and-port?

Or just add the code:
/ip firewall mangle add chain=prerouting action=mark-connection \
 new-connection-mark=1st_conn per-connection-classifier=src-address-and-port:3/0
/ip firewall mangle add chain=prerouting action=mark-connection \
  new-connection-mark=2nd_conn per-connection-classifier=src-address-and-port:3/1
/ip firewall mangle add chain=prerouting action=mark-connection \
  new-connection-mark=3rd_conn per-connection-classifier=src-address-and-port:3/2
Note: all src addresses are 192.168.1.60 because I am using two different routers for combining the two lines and for the hotspot.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: problem using a forum with pcc load balance

Mon Jul 11, 2011 6:47 am

No, you should change it to src-address and remove all masquerade rules on the Hotspot router so that the real source addresses are seen. You don't need NAT on that router, and should only NAT when it is absolutely required. src-address-and-port doesn't help you as per the beginner link - browsers choose random source ports for HTTP requests.
When you remove the NAT rule you probably will have to insert a route to the customer Hotspot network on the PCC router with a next hop equal to the IP address on the directly connected Hotspot router interface, which presumably is 192.168.1.60. That is so that the PCC router can find the Hotspot users via that connection.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Mon Jul 11, 2011 7:28 am

The internet stops working when I remove the masquerade rules in the hotspot+PPPoE router.

In one router, I have combined the two ADSL lines, and in the second router, I have a WAN that is connected to the LAN of the first router and a LAN for hotspot and PPPoE.

The forum is now working after adding its IP to the exempt-from-pcc list.

What kind of secure sites is Egate talking about? (I heard there is a problem with users having accounts on hosting sites; they say that they cannot log in to the control panel of their sites.)

Note: the WAN of the hotspot router is 192.168.1.60 and the LAN of the dual WAN MikroTik router is 192.168.1.168.

In the hotspot router, there is a route for 192.168.1.168.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: problem using a forum with pcc load balance

Mon Jul 11, 2011 7:48 am

Did you insert a route to the Hotspot network and all other relevant networks on the PCC router? It sounds like you didn't.

Post the output of "/ip route print detail", "/ip address print detail", "/ip firewall nat export", and "/interface print detail" from both routers if these general instructions aren't sufficient and you need specific, step by step help.

Egate is talking about any site that does session wide source address verification.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Mon Jul 11, 2011 9:44 am

Did you insert a route to the Hotspot network and all other relevant networks on the PCC router? It sounds like you didn't.

Post the output of "/ip route print detail", "/ip address print detail", "/ip firewall nat export", and "/interface print detail" from both routers if these general instructions aren't sufficient and you need specific, step by step help.

Egate is talking about any site that does session wide source address verification.
Hotspot router:
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.1.168 
        gateway-status=192.168.1.168 reachable wan distance=1 scope=30 
        target-scope=10 

 1 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.60 gateway=wan 
        gateway-status=wan reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.2.0/24 pref-src=192.168.2.1 gateway=lan 
        gateway-status=lan reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.5.254/32 pref-src=192.168.2.5 gateway=<pppoe-saif> 
        gateway-status=<pppoe-saif> reachable distance=0 scope=10 
/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.2.1/24 network=192.168.2.0 interface=lan 
     actual-interface=lan 

 1   address=192.168.1.60/24 network=192.168.1.0 interface=wan 
     actual-interface=wan 

3 D address=192.168.2.5/32 network=192.168.5.254 interface=<pppoe-xxx> 
     actual-interface=<pppoe-xxx> 


/ip firewall nat export

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=192.168.2.0/24
add action=redirect chain=dstnat comment="Transparent Proxy" disabled=\
    yes dst-port=80 protocol=tcp to-ports=8080
add action=masquerade chain=srcnat comment="masquerade pppoe network" \
    disabled=no src-address=192.168.5.0/24
/interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="wan" type="ether" mtu=1500 

 1  R  name="lan" type="ether" mtu=1500 l2mtu=1600 

 2 DR  name="<pppoe-xxx>" type="pppoe-in" mtu=1460 



Dual WAN router (with PCC):
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.9.168 
        gateway-status=192.168.9.168 reachable wan1 check-gateway=ping 
        distance=1 scope=30 target-scope=10 routing-mark=wan1 

 1 A S  dst-address=0.0.0.0/0 gateway=192.168.3.168 
        gateway-status=192.168.3.168 reachable wan2 check-gateway=ping 
        distance=1 scope=30 target-scope=10 routing-mark=wan2 

 2 A S  dst-address=0.0.0.0/0 gateway=192.168.9.168 
        gateway-status=192.168.9.168 reachable wan1 check-gateway=ping 
        distance=1 scope=30 target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=192.168.3.168 
        gateway-status=192.168.3.168 reachable wan2 check-gateway=ping 
        distance=2 scope=30 target-scope=10 

 4 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.168 gateway=lan 
        gateway-status=lan reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.3.0/24 pref-src=192.168.3.60 gateway=wan2 
        gateway-status=wan2 reachable distance=0 scope=10 

 6 ADC  dst-address=192.168.9.0/24 pref-src=192.168.9.60 gateway=wan1 
        gateway-status=wan1 reachable distance=0 scope=10 
/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.1.168/24 network=192.168.1.0 interface=lan actual-interface=lan 

 1   address=192.168.9.60/24 network=192.168.9.0 interface=wan1 actual-interface=wan1 

 2   address=192.168.3.60/24 network=192.168.3.0 interface=wan2 actual-interface=wan2 
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=wan1
add action=masquerade chain=srcnat disabled=no out-interface=wan2
/interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="wan1" type="ether" mtu=1500 l2mtu=1526 

 1  R  name="lan" type="ether" mtu=1500 l2mtu=1522 

 2  R  name="wan2" type="ether" mtu=1500 l2mtu=1522 

 3     name="ether4" type="ether" mtu=1500 l2mtu=1522 

 4     name="ether5" type="ether" mtu=1500 l2mtu=1522 
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: problem using a forum with pcc load balance

Mon Jul 11, 2011 5:20 pm

On the Hotspot router disable ALL NAT, including the transparent proxy:
/ip firewall nat { disable [find] };
On the Hotspot router prevent all other Hotspot proxying, this should be the only active NAT rule:
/ip firewall nat add chain=pre-hotspot hotspot=auth dst-address-type=!local action=accept
On the PCC router add a route to the Hotspot/PPPoE network:
/ip route add dst-address=192.168.2.0/24 gateway=192.168.1.60
Then change the PCC classifier to "src-address" (just "src-address", no other option will fix your problem).

That is it. It's the only general solution to your problem, if you don't use that you will forever be making exemptions and some sites won't work for your customers. You can't use a transparent or manually configured proxy with this.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Mon Jul 11, 2011 11:11 pm

I did this and the internet stopped working.
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: problem using a forum with pcc load balance

Tue Jul 12, 2011 12:00 am

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan2
You should probably have this enabled. Sounds like NATting is disabled on the ADSL modem. Definitely disable the transparent proxy.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: problem using a forum with pcc load balance

Tue Jul 12, 2011 3:57 am

I can't help you if the only feedback is "it doesn't work".

Good luck with your issue.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Tue Jul 12, 2011 7:37 am

I have rebooted the routers. PPPoE is the one that stopped working, and I had to enable the masquerade for it.
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade pppoe network" \
    disabled=no src-address=192.168.5.0/24
Another thing: for the PCC router, in the mangle prerouting chain, should I use src-address only or src-address-and-port?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: problem using a forum with pcc load balance

Tue Jul 12, 2011 2:01 pm

Yes, of course. NAT should be turned off on the Hotspot router ONLY. It's necessary on the PCC router.

Again, you should use 'src-address'. Read the "How PCC works (beginner)" link again. 'src-address-and-port' includes the source port in the decision, the source port is random, so it doesn't help your issue with getting all hits to that forum on the same WAN connection. Only 'src-address' is going to keep that stable.
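
The behaviour fewi describes in this thread, as an added simulation that is not part of the original posts and is not MikroTik code: a site that binds a session to the source address, seen through each PCC classifier, plus the effect of masquerading on the Hotspot router. The public WAN addresses, the forum address and the SHA-256 stand-in for RouterOS's internal hash are assumptions.

```python
import hashlib
import random

# Constructed public addresses for the two ADSL lines (documentation ranges).
WAN_PUBLIC_IP = {0: "198.51.100.10", 1: "203.0.113.20"}
FORUM = ("192.0.2.80", 80)  # constructed forum server address and port

def classifier_fields(mode, src_ip, src_port, dst_ip, dst_port):
    # Header fields that each per-connection-classifier mode feeds to the hash.
    if mode == "both-addresses-and-ports":
        return (src_ip, dst_ip, src_port, dst_port)
    if mode == "src-address-and-port":
        return (src_ip, src_port)
    if mode == "src-address":
        return (src_ip,)
    raise ValueError(f"unknown classifier: {mode}")

def pcc_wan(mode, src_ip, src_port, denominator=2):
    """Pick a WAN as hash(fields) mod denominator.
    Assumption: SHA-256 stands in for RouterOS's internal hash; only the
    'same fields -> same remainder' property matters here."""
    fields = classifier_fields(mode, src_ip, src_port, *FORUM)
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator

class IpBoundForum:
    """Server that ties a session cookie to the source IP seen at login."""
    def __init__(self):
        self.sessions = {}

    def login(self, cookie, seen_ip):
        self.sessions[cookie] = seen_ip

    def request(self, cookie, seen_ip):
        if self.sessions.get(cookie) != seen_ip:
            self.sessions.pop(cookie, None)  # address changed: drop the session
            return False
        return True

def browse(mode, client_ip, n_requests=50, seed=1):
    """Count forced logouts for one client. Every request is a new TCP
    connection with a random source port, as browsers do."""
    rng = random.Random(seed)
    forum = IpBoundForum()

    def seen_ip():
        return WAN_PUBLIC_IP[pcc_wan(mode, client_ip, rng.randint(1024, 65535))]

    forum.login("sid", seen_ip())
    logouts = 0
    for _ in range(n_requests):
        ip = seen_ip()
        if not forum.request("sid", ip):
            logouts += 1
            forum.login("sid", ip)  # the user has to log in again
    return logouts

def wans_used(mode, client_ips):
    """Set of WAN indexes that a population of source addresses is spread over."""
    return {pcc_wan(mode, ip, 40000) for ip in client_ips}

if __name__ == "__main__":
    for mode in ("both-addresses-and-ports", "src-address-and-port", "src-address"):
        print(mode, "logouts:", browse(mode, "192.168.2.10"))
    real = [f"192.168.2.{i}" for i in range(2, 202)]
    print("Hotspot NAT on :", wans_used("src-address", ["192.168.1.60"] * 200))
    print("Hotspot NAT off:", wans_used("src-address", real))
```

With the Hotspot router still masquerading, every client reaches the PCC router as 192.168.1.60, so `src-address` puts the whole user base on one line; with the real 192.168.2.x addresses visible, clients spread over both lines while each one keeps a stable public address.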
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Wed Jul 13, 2011 8:23 am

Yes, of course. NAT should be turned off on the Hotspot router ONLY. It's necessary on the PCC router.

Again, you should use 'src-address'. Read the "How PCC works (beginner)" link again. 'src-address-and-port' includes the source port in the decision, the source port is random, so it doesn't help your issue with getting all hits to that forum on the same WAN connection. Only 'src-address' is going to keep that stable.
Thank you, fewi. I just hope that the heavy download users are split between the two ADSL lines, because now each user's traffic goes through one line only.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: problem using a forum with pcc load balance

Wed Jul 13, 2011 2:47 pm

Indeed. It is, however, the only generic solution available to you.

Though you could of course single out heavy download users and manually assign PCC marks. That's much more feasible than tracking all clustered secure sites and forums.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Sat Jul 16, 2011 10:17 am

Indeed. It is, however, the only generic solution available to you.

Though you could of course single out heavy download users and manually assign PCC marks. That's much more feasible than tracking all clustered secure sites and forums.
Thank you, fewi.

Now, since each user goes to one line, should I change the distance of both to 1 in
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.3.168 scope=30 target-scope=10
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: problem using a forum with pcc load balance

Sat Jul 16, 2011 10:26 pm

Nope. This is for your default route. No influence on PCC route used. However, all router data, like DNS and data not router marked, will only go through default route 192.168.9.168 unless it should go down for some reason, then the alternative will be used.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Sun Jul 17, 2011 8:52 am

Thank you for your help. Now everything is fine except when one of the internet connections is off. The traffic doesn't go to the second line since the modem of the first line is on (there is a response from the modem and there is an ADSL connection, but there is no internet).
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: problem using a forum with pcc load balance

Sun Jul 17, 2011 10:51 am

If you put the ADSL modem in bridge mode and make the PPPoE connection with MikroTik, through the modem, this will solve this. Make use of PPPoE instead of Ether. Will also just have to NAT the PPPoE connection on MikroTik, since the ADSL modem won't do it in bridge mode.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Mon Jul 18, 2011 9:33 am

If you put the ADSL modem in bridge mode and make the PPPoE connection with MikroTik, through the modem, this will solve this. Make use of PPPoE instead of Ether. Will also just have to NAT the PPPoE connection on MikroTik, since the ADSL modem won't do it in bridge mode.
I have modem-routers and I am looking for a way to put them in bridge mode.

Other than adding two PPPoE clients in PPP in Winbox, what should I add?

My current routes:
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 routing-mark=wan1 scope=30 target-scope=10   
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.168 routing-mark=wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.3.168 scope=30 target-scope=10
Should I replace 192.168.9.168 with the pppoe-out1 interface and 192.168.3.168 with the pppoe-out2 interface? Do I need to replace the wan1 and wan2 interfaces with the pppoe-out1 and pppoe-out2 interfaces in firewall mangle too?

In short, after bridging the two modems, what changes should I make in the dual WAN MikroTik router?
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: problem using a forum with pcc load balance

Mon Jul 18, 2011 4:41 pm

I have modem-routers and I am looking for a way to put them in bridge mode.
This will be a setting on the modem-router itself.
should I replace 192.168.9.168 with pppoe-out1 interface
Yes in the following rules.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 routing-mark=wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.168 routing-mark=wan2 scope=30 target-scope=10
Replace the IP with the interface name, like pppoe-out1. This will of course only work if the PPPoE connection is made from MikroTik.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem using a forum with pcc load balance

Fri Jul 29, 2011 9:24 pm

/ip firewall nat add chain=pre-hotspot hotspot=auth dst-address-type=!local action=accept
This code has caused the internet to stop working on some of the computers, and when I disabled it, the internet worked for those users.

Why is this happening with those users?
