Hello all
I am attaching here my working firewall rules for 2 WAN PCC mangling. The FastTrack rule took me so long to understand; my mangling rules were OK, and I was struggling in vain. Of course, the routing table in version 7 is another major change that you have to consider.
Change your address in the address table according to what you are using in your LAN.
The firewall rules are a complete basic working firewall with bogon protection, ICMP, TCP and UDP jump filters, (simple) DDoS attack protection and brute-force protection.
If someone would like to use the two WANs just as failover with firewall rules, those rules are included but disabled.
Below are the disabled rules and a description of each.
This one is not working in the PCC mangling - it is the default rule. Ignore or disable it if you already have it.
============================================================================
Line 114-115: add action=fasttrack-connection chain=forward comment="Protect the LAN devices FastTrack Default Rule - not applicable to Mangling PCC" connection-state=established,related disabled=yes hw-offload=yes
It is not working in the PCC mangling.
Rules that ONLY need to be applied if you are using the router as a simple failover for two WANs (ENABLE them in the firewall filters)
==========================================================================================
Line 131-134: add action=reject chain=forward comment="Firewall Filter Failover" connection-mark=WAN2_conn disabled=yes out-interface=ether1-WAN1 reject-with=icmp-network-unreachable
add action=reject chain=forward connection-mark=WAN1_conn disabled=yes out-interface=ether2-WAN2 reject-with=icmp-network-unreachable
This was my IPBX that I wanted to keep out of my mangling rules.
=================================================
Line 195-196: add action=accept chain=prerouting comment="Enter address from sites that you wish to exempt from PCC" disabled=yes dst-address-list=sites-exempted-from-pcc src-address=192.168.200.134
You might also need this route for un-mangled IP addresses to work:
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src=0.0.0.0 routing-table=main scope=255 suppress-hw-offload=no target-scope=10
Rules in mangle to apply if used as WAN failover. Disable everything else.
=============================================================
Line 201-204: add action=mark-connection chain=prerouting comment="Failover With Firewall Marking" connection-mark=no-mark disabled=yes in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=ether2-WAN2 new-connection-mark=WAN2_conn passthrough=yes
NAT works either with this rule or with the other two (enabled) rules, one per WAN ethernet, in PCC mangling (not failover; for that we have other rules below).
======================================================================================================================
Line 223: add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN
--> works either with this rule or with the other two rules, one for each WAN ethernet.
Rules in routing and NAT if you wish to failover two WANs. Disable everything else.
============================================================
Line 226: add action=src-nat chain=srcnat comment="failover rules" disabled=yes out-interface=ether1-WAN1 \
Line 228: add action=src-nat chain=srcnat disabled=yes out-interface=ether2-WAN2 to-addresses=192.168.2.2
Line 240: add check-gateway=ping comment="Failover routes" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
Line 242: add comment="Failover routes" disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src=\
If you have any questions please feel free to ask.
If Gurus have comments, please feel free to fire them at me.
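To show the shape of what the post describes in one place, here is a minimal RouterOS v7 PCC dual-WAN configuration. This is an added example, not the attached export and not the author's rules. It assumes the interface names and gateways that appear in the post (ether1-WAN1 behind 192.168.1.1, ether2-WAN2 behind 192.168.2.1), a LAN of 192.168.200.0/24 (a guess from the 192.168.200.134 host above), existing interface lists named LAN and WAN, and an address list named exempt-from-pcc; the routing-table names to_WAN1/to_WAN2 are also assumptions.

```routeros
# Added example (not the attached export). Assumptions: LAN 192.168.200.0/24 on interface
# list "LAN", interface list "WAN", gateways 192.168.1.1 (ether1-WAN1) and 192.168.2.1 (ether2-WAN2).

# v7: routing marks need a routing table that exists, created with the fib flag
/routing table
add name=to_WAN1 fib
add name=to_WAN2 fib

/ip route
# one table per WAN; check-gateway=ping makes the route inactive when the gateway stops answering,
# so marked connections fall back to the main table (and therefore to the other WAN)
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=to_WAN2 check-gateway=ping
# main table: WAN1 preferred, WAN2 as backup, used by unmarked traffic (router itself, exempted hosts)
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping

/ip firewall mangle
# connections that arrive on a WAN keep that WAN's mark so replies leave the same way
add chain=prerouting in-interface=ether1-WAN1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=ether2-WAN2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
# hosts that must not be load-balanced (e.g. an IP PBX) stay unmarked and follow the main table
add chain=prerouting in-interface-list=LAN src-address-list=exempt-from-pcc action=accept
# split new LAN connections 50/50 on a hash of addresses and ports; leave LAN-to-LAN and
# router-local traffic unmarked so it is never pushed out of a WAN
add chain=prerouting in-interface-list=LAN dst-address=!192.168.200.0/24 dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface-list=LAN dst-address=!192.168.200.0/24 dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
# every packet of a marked connection coming from the LAN gets the matching routing mark
add chain=prerouting in-interface-list=LAN connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2 passthrough=no
# the router's own replies on marked connections must leave via the same WAN
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2 passthrough=no

/ip firewall nat
# one masquerade per WAN (equivalent to a single out-interface-list=WAN rule)
add chain=srcnat out-interface=ether1-WAN1 action=masquerade
add chain=srcnat out-interface=ether2-WAN2 action=masquerade

/ip firewall filter
# Deliberately NO "action=fasttrack-connection" rule: fasttracked packets bypass the mangle chains,
# so the established connections would lose their routing mark and fall back to the main table.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN action=accept
add chain=forward connection-state=new connection-nat-state=!dstnat in-interface-list=WAN action=drop
```

To check it is doing what you expect: `/ip route print where routing-table=to_WAN1` should show an active default route while WAN1 is up, `/ip firewall connection print where connection-mark=WAN1_conn` (and WAN2_conn) should show LAN connections on both marks, and a public "what is my IP" page opened from several LAN hosts should return both WAN addresses. If every connection shows the same WAN, look for a FastTrack rule above the mangle-dependent traffic first.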