rotten777

Exclusion from PCC load balancing

Mon Aug 05, 2013 11:12 pm

I'm using PCC load balancing to balance two circuits and I'm having a problem with sites that require a login: for whatever reason, traffic to the site gets balanced over to the other link and I have to re-authenticate to the site.

Is there a way to force web traffic connections to specific domains to one circuit or the other? Or is there something broken in my PCC setup that is still moving connections even when a session is established?

thanks in advance
 
cbrown

Exclusion from PCC load balancing

Tue Aug 06, 2013 3:39 am

It sounds like you might have something messed up in your rules. Post the output of /export compact.
 
rotten777

Re: Exclusion from PCC load balancing

Tue Aug 06, 2013 3:52 am

It sounds like you might have something messed up in your rules. Post /export compact
# aug/05/2013 20:49:18 by RouterOS 6.1
# software id = LQCC-ADHK
#
# Export posted for review of a two-WAN (ether5-t1 / ether4-dsl) PCC setup.
# The poster redacted every public address to the same placeholder
# (ip.add.re.ss), so where a rule below names that placeholder it cannot be
# told from this listing whether the T1 or the DSL address is meant.
/interface wireless
# Management SSID; the wireless interface runs in bridge mode.
set 0 band=2ghz-b/g/n country="united states" frequency=2437 l2mtu=2290 mode=\
    bridge ssid=MGMT
/interface ethernet
# ether1/ether2: two user LANs, ether3: VoIP LAN, ether4: DSL WAN, ether5: T1 WAN.
set 0 name=ether1-shclan
set 1 name=ether2-smglan
set 2 name=ether3-voiplan
set 3 name=ether4-dsl
set 4 name=ether5-t1
/interface wireless security-profiles
# NOTE(review): the WPA2 pre-shared key appears in clear text in this export
# and was left in the public post - rotate it and redact it before re-posting.
# TKIP is still allowed alongside AES-CCM in both cipher lists; it is a legacy
# cipher and can be dropped unless pre-802.11n clients still need it.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods=\
    passthrough group-ciphers=tkip,aes-ccm group-key-update=1h mode=\
    dynamic-keys unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=5T7tznvpaJ
/ip hotspot user profile
# Default hotspot user profile; no hotspot server is present in this export,
# so the profile is presumably unused.
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
# DHCP pools: management wifi, SHC LAN and SMG LAN.
add name=mgmtpool ranges=192.168.99.2-192.168.99.254
add name=shclan ranges=192.168.1.100-192.168.1.199
add name=smglan ranges=192.168.100.100-192.168.100.199
/ip dhcp-server
add address-pool=mgmtpool authoritative=yes disabled=no interface=wlan1 \
    lease-time=12h name=wlan-dhcp
add address-pool=shclan authoritative=yes disabled=no interface=ether1-shclan \
    lease-time=1d name=shclan
add address-pool=smglan authoritative=yes disabled=no interface=ether2-smglan \
    lease-time=1d name=smglan
/system logging action
# Remote syslog target used by the error/warning/critical topics further down.
set 3 remote=192.168.1.147
/ip address
# LAN addressing plus the two public WAN assignments: a /29 on the T1 and a
# /25 on the DSL.
add address=192.168.1.1/24 interface=ether1-shclan network=192.168.1.0
add address=ip.add.re.ss/29 interface=ether5-t1 network=ip.add.re.ss
add address=192.168.100.1/24 interface=ether2-smglan network=192.168.100.0
add address=192.168.200.1/24 interface=ether3-voiplan network=192.168.200.0
add address=192.168.99.1/24 interface=wlan1 network=192.168.99.0
add address=ip.add.re.ss/25 comment="xxx DSL" interface=ether4-dsl \
    network=ip.add.re.ss

/ip dhcp-server network
# The two user LANs point clients at internal DNS/WINS servers; the
# management wifi uses public resolvers directly.
add address=192.168.1.0/24 dns-server=192.168.1.10 domain=intergy.local \
    gateway=192.168.1.1 wins-server=192.168.1.10
add address=192.168.99.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.99.1 \
    netmask=24 ntp-server=129.6.15.28
add address=192.168.100.0/24 dns-server=192.168.100.10 domain=intergy.local \
    gateway=192.168.100.1 wins-server=192.168.100.10
/ip dns
# allow-remote-requests=yes makes the router answer DNS for any source that can
# reach it on port 53. Nothing in the input chain below limits port 53 to the
# LAN interfaces, and only the one address named in the filter_226 jump ends in
# a drop, so the router may be acting as an open resolver on the other WAN
# address - worth restricting with an in-interface or src-address rule.
# The first upstream, 221.132.112.8, is not a well-known public resolver;
# confirm it is the intended one.
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
    servers=221.132.112.8,8.8.8.8
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
# Input chain. There is no terminating drop at the end of this chain, so
# anything not explicitly matched falls through to the implicit accept; only
# packets to the single (redacted) address covered by the filter_226 jump at
# the bottom ever reach a drop. There are no forward-chain rules at all.
# Winbox is accepted from any source, ahead of every other check, and the SSH
# staging rules below do not cover tcp/8291; an in-interface or
# src-address-list restriction here would narrow that.
add chain=input comment="accept winbox always" dst-port=8291 protocol=tcp
add action=drop chain=input connection-state=invalid
add chain=input connection-state=established
add chain=input connection-state=related
# SSH brute-force staging: each new connection to tcp/22 moves the source
# through ssh_stage1 -> ssh_stage2 -> ssh_stage3 (1m windows) and then into
# ssh_blacklist for 1w3d. The blacklist drop is placed first so listed sources
# are dropped before they can advance again. Note there is no explicit accept
# for tcp/22: SSH is reached through the implicit accept at the end of the
# chain (or through filter_226 for that one address).
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
# FTP brute-force detection: the router's own "530 Login incorrect" reply is
# matched in the output chain and the destination is staged into
# ftp_blacklist. This only has an effect while the built-in FTP service is
# enabled; /ip service below does not disable it.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist chain=output \
    content="530 Login incorrect" dst-address-list=ftp_stage3 protocol=tcp
add action=add-dst-to-address-list address-list=ftp_stage3 \
    address-list-timeout=1m chain=output content="530 Login incorrect" \
    dst-address-list=ftp_stage2 protocol=tcp
add action=add-dst-to-address-list address-list=ftp_stage2 \
    address-list-timeout=1m chain=output content="530 Login incorrect" \
    dst-address-list=ftp_stage1 protocol=tcp
add action=add-dst-to-address-list address-list=ftp_stage1 \
    address-list-timeout=1m chain=output content="530 Login incorrect" \
    protocol=tcp
# Two hard-coded source drops labelled "ddos"; unlike the address-list entries
# above these never expire.
add action=drop chain=input comment=ddos src-address=86.122.170.64
add action=drop chain=input comment=ddos src-address=220.178.18.67
# Only packets addressed to this one redacted address go to filter_226, which
# accepts tcp 22/8291/3389/3390/3391 and drops everything else. The RDP
# forwards in /ip firewall nat are dst-nat'ed before the input/forward
# decision, so the 3389-3391 accepts here presumably only matter if the router
# itself listens on those ports. The other WAN address gets no equivalent
# jump and therefore no final drop.
add action=jump chain=input comment="jump to filter_226" dst-address=\
    ip.add.re.ss jump-target=filter_226
add chain=filter_226 comment="winbox and ssh" dst-port=22,8291,3389,3390,3391 \
    protocol=tcp
add action=drop chain=filter_226
/ip firewall mangle
# Connections arriving on a WAN interface are marked so the router's own
# replies (output chain) are routed back out the interface they came in on.
add action=mark-connection chain=input in-interface=ether5-t1 \
    new-connection-mark=ether5-t1_conn
add action=mark-connection chain=input in-interface=ether4-dsl \
    new-connection-mark=ether4-dsl_conn
add action=mark-routing chain=output connection-mark=ether5-t1_conn \
    new-routing-mark=to_ether5-t1
add action=mark-routing chain=output connection-mark=ether4-dsl_conn \
    new-routing-mark=to_ether4-dsl
# LAN traffic to the two WAN subnets themselves is accepted here (no action
# means accept in mangle) so it bypasses the PCC marking below.
add chain=prerouting dst-address=ip.add.re.ss/29 in-interface=ether1-shclan
add chain=prerouting dst-address=ip.add.re.ss/25 in-interface=ether1-shclan
# PCC balancing, applied to ether1-shclan only (ether2-smglan and
# ether3-voiplan are not balanced by these rules). Two points worth raising:
#  - The classifier is both-addresses-and-ports:4/N but there are five rules
#    (N = 0..4). A 4-way classifier can never produce remainder 4, so the last
#    rule is dead and the effective split is 1/4 T1 : 3/4 DSL. Either use
#    :5/0 .. :5/4 or drop the extra rule (the later reply suggests 5/x).
#  - Because ports are part of the hash, each new connection from the same
#    client can land on a different WAN and therefore a different public
#    source address. A site that ties a login session to the client IP will
#    treat that as a new client - the "re-authenticate" symptom in the
#    question. both-addresses (no ports) keeps a client/server pair on one
#    link; alternatively an earlier mark-connection rule matching
#    dst-address or dst-address-list would pin chosen sites to one WAN.
# The rules carry no connection-mark=no-mark condition, so every LAN-originated
# packet is re-hashed; with a deterministic classifier that yields the same
# mark each time, but it is extra work on every packet.
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=ether1-shclan new-connection-mark=ether5-t1_conn \
    per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=ether1-shclan new-connection-mark=ether4-dsl_conn \
    per-connection-classifier=both-addresses-and-ports:4/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=ether1-shclan new-connection-mark=ether4-dsl_conn \
    per-connection-classifier=both-addresses-and-ports:4/2
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=ether1-shclan new-connection-mark=ether4-dsl_conn \
    per-connection-classifier=both-addresses-and-ports:4/3
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=ether1-shclan new-connection-mark=ether4-dsl_conn \
    per-connection-classifier=both-addresses-and-ports:4/4
# Translate the connection marks into routing marks for the policy routes.
add action=mark-routing chain=prerouting connection-mark=ether5-t1_conn \
    in-interface=ether1-shclan new-routing-mark=to_ether5-t1
add action=mark-routing chain=prerouting connection-mark=ether4-dsl_conn \
    in-interface=ether1-shclan new-routing-mark=to_ether4-dsl
/ip firewall nat
# srcnat is first-match. The masquerade for ether4-dsl on the second line
# matches all traffic leaving the DSL, so the src-nat rule for 192.168.1.101
# directly after it can never be reached; it must sit above the masquerade if
# that host is meant to use a fixed public address. The "out T1" masquerade
# further down duplicates the first rule.
add action=masquerade chain=srcnat out-interface=ether5-t1
add action=masquerade chain=srcnat out-interface=ether4-dsl
add action=src-nat chain=srcnat comment=DSL out-interface=\
    ether4-dsl src-address=192.168.1.101 to-addresses=ip.add.re.ss
add action=masquerade chain=srcnat comment="out T1" disabled=no \
    out-interface=ether5-t1
# Port forwards for RDP / Terminal Services on 3389, 3390 and 3391. None of
# the dst-nat rules has a src-address restriction and this export has no
# forward-chain filter, so the three internal hosts are reachable from any
# Internet source on those ports, protected only by their own logins. Each
# forward is repeated for the DSL address. The hairpin masquerade rules let
# LAN clients reach the servers via the public address; to-addresses=0.0.0.0
# on two of them is not a masquerade parameter and is presumably left over
# from an earlier src-nat action.
add action=dst-nat chain=dstnat comment="SHC Terminal Services" dst-address=\
    ip.add.re.ss dst-port=3390 protocol=tcp to-addresses=192.168.1.12 \
    to-ports=3390
add action=masquerade chain=srcnat comment="SHC Terminal Services Hairpin" \
    dst-address=192.168.1.12 dst-port=3390 out-interface=ether1-shclan \
    protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="SMG Terminal Services" dst-address=\
    ip.add.re.ss dst-port=3389 protocol=tcp to-addresses=192.168.100.15 \
    to-ports=3389
add action=masquerade chain=srcnat comment="SMG Terminal Services Hairpin" \
    dst-address=192.168.100.15 dst-port=3389 out-interface=ether2-smglan \
    protocol=tcp src-address=192.168.100.0/24
add action=dst-nat chain=dstnat comment="HeartCentrix RDP" dst-address=\
    ip.add.re.ss dst-port=3391 protocol=tcp to-addresses=192.168.1.13 \
    to-ports=3389
add action=masquerade chain=srcnat comment="Heart Centrix Hairpin" \
    dst-address=192.168.1.13 dst-port=3391 out-interface=ether1-shclan \
    protocol=tcp src-address=192.168.1.0/24 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment="SHC Terminal Services - DSL" \
    dst-address=ip.add.re.ss dst-port=3390 protocol=tcp to-addresses=\
    192.168.1.12 to-ports=3390
add action=masquerade chain=srcnat comment=\
    "SHC Terminal Services Hairpin - DSL" dst-address=192.168.1.12 dst-port=\
    3390 out-interface=ether1-shclan protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="SMG terminal Services - DSL" \
    dst-address=ip.add.re.ss dst-port=3389 protocol=tcp to-addresses=\
    192.168.100.15 to-ports=3389
add action=masquerade chain=srcnat comment=\
    "SMG Terminal Services Hairpin - DSL" dst-address=192.168.100.15 \
    dst-port=3389 out-interface=ether2-smglan protocol=tcp src-address=\
    192.168.100.0/24
add action=dst-nat chain=dstnat comment="HeartCentrix RDP - DSL" dst-address=\
    ip.add.re.ss dst-port=3391 protocol=tcp to-addresses=192.168.1.13 \
    to-ports=3389
add action=masquerade chain=srcnat comment="Heart Centrix Hairpin - DSL" \
    dst-address=192.168.1.13 dst-port=3391 out-interface=ether1-shclan \
    protocol=tcp src-address=192.168.1.0/24 to-addresses=0.0.0.0
/ip route
# One policy route per routing mark, plus two unmarked default routes at
# distance 1 and 2 for failover; check-gateway=ping takes a route out of
# service while its gateway stops answering.
add check-gateway=ping disabled=no distance=1 gateway=ip.add.re.ss \
    routing-mark=to_ether5-t1
add check-gateway=ping distance=1 gateway=ip.add.re.ss routing-mark=\
    to_ether4-dsl
add check-gateway=ping distance=2 gateway=ip.add.re.ss
add check-gateway=ping disabled=no distance=1 gateway=ip.add.re.ss
/ip service
# telnet, www and api are disabled. ftp, ssh, winbox and www-ssl are not
# listed, so they are presumably at their defaults (enabled, no address
# restriction); setting address= on ssh/winbox to the LAN ranges would
# complement the input-chain rules above.
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
/ip upnp
# No enabled= value is shown, so UPnP is presumably at its default (off).
set allow-disable-external-interface=no show-dummy-rule=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=shc-rt00
/system leds
set 0 interface=wlan1
/system logging
# dhcp and account topics are echoed locally; error, warning and critical go
# to the remote syslog action defined above (192.168.1.147).
set 1 action=echo
set 2 action=echo
add action=echo topics=dhcp
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=critical
add action=echo topics=account
/system ntp client
set enabled=yes mode=unicast primary-ntp=129.6.15.28
 
c0d3rSh3ll

Re: Exclusion from PCC load balancing

Thu Aug 08, 2013 9:21 am

Set your PCC rules in mangle with a dst-address match.
 
cbrown

Re: Exclusion from PCC load balancing

Thu Aug 08, 2013 3:08 pm

Try setting per-connection-classifier=both-addresses instead of both-addresses-and-ports. Also, with 5 PCC rules the classifier values should be :5/0, :5/1, :5/2, :5/3 and :5/4.
