First the errors - your configuration looks as if you wanted to change all the mark names to match your needs but missed some occurrences:
- In the first rule you've posted, there should be new-connection-mark=wan1 instead of current new-connection-mark=wan1-conn
- in the 10th rule, there should be connection-mark=wan2 instead of current connection-mark=Systec_conn
1 - My 2 WAN links don't respond simultaneously. I want users from outside to be able to access the published service via both WAN links.
With the errors above fixed, this should start working properly. Whenever a packet comes in via one of the WAN interfaces, the connection to which it belongs or which it establishes gets marked with a connection-mark, later used to assign a routing-mark to a response packet belonging to this connection, so that the response packet is routed out via that same WAN interface.
2 - Can I force upload through WAN2?
Explain better what you mean by upload. You can control through which of the WANs a new session initiated by a device in your LAN will be established. Whether that session will later be used for download or upload is a different question. So you can configure that particular devices in your LAN will always use one particular WAN, or that sessions towards a particular remote server will always use one particular WAN, or a combination of both. But if the same LAN device connects to the same port of the same remote server once for download and once for upload, there is no way to choose a different WAN for download than for upload.
3 - With PCC I can't access the MikroTik (Winbox) from the internet!!
With the errors above fixed, this should start working properly.
4 - How can I force some services like RDP and Citrix to use WAN2?
To "force some services to use a particular WAN" actually means to override the PCC rules for those connections. To do so, you have to place mangle rules assigning a connection-mark based on some conditions (e.g., the remote TCP port) before the PCC rules in chain=prerouting in /ip firewall mangle. Plus you have to add one condition to all these rules except the topmost one, and to the PCC rules as well: connection-mark=no-mark. This is necessary to prevent later rules from rewriting connection-marks already assigned by earlier rules if their conditions also match.
Also, bear in mind that connections initiated from the WAN side and those matching the exception rules described above use the bandwidth of their respective WANs, and the PCC rules have no way to accommodate that. So let's say you use two PCC rules (:3/0) to send traffic to WAN2, which has 4 Mbit/s bandwidth, and one PCC rule (:3/2) to send traffic to WAN1, which has 2 Mbit/s bandwidth; but if the other rules send all their traffic to WAN2 and that traffic already takes 4 Mbit/s, the PCC rules will nevertheless send 2/3 of the remaining traffic to WAN2.
5 - I have an IPIP tunnel to my branch. How does PCC affect the tunnel?
One point is how the transport packets of the tunnel will be routed. IPIP uses no ports, so PCC rules can only work with IP addresses and will always send the tunnel from the same source to the same destination through the same WAN. There may be an issue if PCC chooses the wrong WAN for the IPIP tunnel, so it is better to place an explicit rule in front of the PCC rules, as described just above.
Another point is that unless you set up exceptional handling for packets which should go via the tunnel, the PCC rules along with the routing-marking rules will redirect that traffic to the WANs.
The simplest and most reliable way is to use /ip route rule to tell the routing to ignore, for the traffic which should go through the IPIP tunnel, the routing-mark eventually assigned, and thus route that traffic using the default routing table:
/ip route rule add action=lookup-only-in-table table=main dst-address=the.subnet.behind.ipip/mask
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace each occurrence of any public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
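The pieces of the advice above assembled into one configuration, as an added example that is not part of this post or of the original poster's config. Everything named in it is an assumption: the interface names (ether1-wan1, ether2-wan2, bridge-lan, ipip-branch), the gateway and endpoint addresses (documentation ranges), the 192.168.88.0/24 LAN and the 10.20.0.0/24 branch subnet, and the RDP (tcp/3389) and Citrix ICA (tcp/1494, 2598) ports as the services forced to WAN2. The syntax is RouterOS v6; in v7 the route rules live under /routing rule instead of /ip route rule.

```routeros
# Added example (not from the thread), RouterOS v6 CLI. Assumed layout:
#   ether1-wan1 / gateway 203.0.113.1  = WAN1, 2 Mbit/s
#   ether2-wan2 / gateway 198.51.100.1 = WAN2, 4 Mbit/s
#   bridge-lan  / 192.168.88.0/24      = LAN
#   ipip-branch -> remote endpoint 192.0.2.10, branch subnet 10.20.0.0/24
#   RDP tcp/3389, Citrix ICA tcp/1494 and 2598 = services forced to WAN2

/ip firewall mangle
# A. Connections that arrive from the internet: remember the WAN they came in on.
#    Their replies get the matching routing-mark in section E, so a service
#    published on both WANs answers on the WAN the request used (question 1).
add chain=prerouting in-interface=ether1-wan1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan1 comment="inbound via WAN1"
add chain=prerouting in-interface=ether2-wan2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2 comment="inbound via WAN2"

# B. Overrides placed BEFORE the PCC rules (question 4): new LAN sessions to the
#    RDP/Citrix ports always use WAN2. connection-mark=no-mark on this and every
#    later rule stops them from re-marking a connection an earlier rule marked.
add chain=prerouting in-interface=bridge-lan dst-address-type=!local \
    protocol=tcp dst-port=3389,1494,2598 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2 comment="RDP+Citrix -> WAN2"

# C. IPIP transport packets (question 5) are generated by the router itself, so
#    the explicit pin lives in chain=output. Protocol 4 has no ports, so the
#    remote endpoint address is the only usable condition.
add chain=output protocol=ipip dst-address=192.0.2.10 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan1 comment="IPIP transport -> WAN1"

# D. PCC for everything else from the LAN, 2:1 in favour of the 4 Mbit/s WAN2.
#    dst-address-type=!local keeps traffic to the router itself out of PCC.
add chain=prerouting in-interface=bridge-lan dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses-and-ports:3/0 \
    action=mark-connection new-connection-mark=wan2 comment="PCC 3/0 -> WAN2"
add chain=prerouting in-interface=bridge-lan dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses-and-ports:3/1 \
    action=mark-connection new-connection-mark=wan2 comment="PCC 3/1 -> WAN2"
add chain=prerouting in-interface=bridge-lan dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses-and-ports:3/2 \
    action=mark-connection new-connection-mark=wan1 comment="PCC 3/2 -> WAN1"

# E. Turn connection-marks into routing-marks. Forwarded packets are handled in
#    prerouting; packets the router sends itself (Winbox replies, question 3,
#    and the IPIP transport from C) are handled in output.
add chain=prerouting in-interface=bridge-lan connection-mark=wan1 \
    action=mark-routing new-routing-mark=to-wan1 passthrough=no
add chain=prerouting in-interface=bridge-lan connection-mark=wan2 \
    action=mark-routing new-routing-mark=to-wan2 passthrough=no
add chain=output connection-mark=wan1 action=mark-routing new-routing-mark=to-wan1 passthrough=no
add chain=output connection-mark=wan2 action=mark-routing new-routing-mark=to-wan2 passthrough=no

/ip firewall nat
add chain=srcnat out-interface=ether1-wan1 action=masquerade
add chain=srcnat out-interface=ether2-wan2 action=masquerade

/ip route
# One default route per routing-mark; the main table keeps WAN1 primary and
# WAN2 as fallback. The branch subnet is reachable only through the tunnel.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to-wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to-wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
add dst-address=10.20.0.0/24 gateway=ipip-branch

/ip route rule
# Packets for the branch subnet ignore whatever routing-mark the PCC rules gave
# them and are looked up in main only, where the ipip-branch route lives.
add dst-address=10.20.0.0/24 action=lookup-only-in-table table=main
```

To check that the marks land where intended, start an RDP session from the LAN and look at /ip firewall connection print where connection-mark=wan2, then watch the counters with /ip firewall mangle print stats: the override rule in B should count while the PCC rules in D stay at zero for that connection. Without the route rule at the end, a ping to a host in 10.20.0.0/24 from a LAN machine would hit the 0.0.0.0/0 route in the to-wan1 or to-wan2 table, which is the misrouting point 5 warns about.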