gkounis
just joined
Topic Author
Posts: 23
Joined: Mon May 28, 2018 8:44 pm
Location: Chalkida Evia

PCC mangle and IP telephone center

Tue Aug 16, 2022 9:50 pm

Hello forum,
I have successfully made a PCC mangling on a router, but I have a PBX on a specific address that uses two IP providers' numbers.
The problem is that when mangling, the PBX does not work properly. One provider is down (not accessible) and works only when the mangling rules are disabled.
I suspect that it could be a fault of the connections, that it makes two connections through WAN1 or WAN2 when it registers to the IP providers. So I need to add a rule to send the address of the PBX 192.168.20.134 to only WAN1, maybe.
I am attaching my code below for your reference. Simple DHCP with two WANs and a simple firewall.
There is a script to clear connections, as the Yeastar PBX sometimes needs that to work properly, so it's scheduled.
Is anyone able to suggest something here?


# aug/16/2022 21:49:19 by RouterOS 7.4.1
# software id = XUGM-0HS9
# model = 960PGS
# serial number = A51509797D94
# the bridge GNEMS is referenced by the port, address and DHCP entries below but
# its definition was not in the posted export; added here so the config imports
/interface bridge
add name=GNEMS
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.200.11-192.168.200.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp interface=GNEMS name=dhcp1
/routing table
add fib name=to_WAN1
add fib name=to_WAN2
/interface bridge port
add bridge=GNEMS ingress-filtering=no interface=ether3
add bridge=GNEMS ingress-filtering=no interface=ether4
add bridge=GNEMS ingress-filtering=no interface=ether5
add bridge=GNEMS ingress-filtering=no interface=sfp1
/interface bridge settings
set use-ip-firewall=yes
/interface list member
add interface=WAN1 list=WAN
add interface=GNEMS list=LAN
add interface=WAN2 list=WAN
/ip address
add address=192.168.200.1/24 interface=GNEMS network=192.168.200.0
add address=192.168.3.2/24 interface=WAN1 network=192.168.3.0
add address=192.168.2.2/24 interface=WAN2 network=192.168.2.0
/ip arp
add address=192.168.200.134 comment=thlefoniko interface=GNEMS mac-address=F4:B5:49:F3:45:34
/ip dhcp-server network
add address=192.168.200.0/24 dns-server=208.67.220.220,208.67.222.222 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall address-list
# list name corrected to match src-address-list=allowed_to_router in the input chain (the export had a stray space)
add address=192.168.200.2-192.168.200.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="Protect the router itself" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
# note: fasttracked packets bypass mangle, so once the PCC rules below are enabled this rule
# stops mark-routing from being applied to the packets of fasttracked connections; the usual
# fix is to add connection-mark=no-mark here so marked connections are not fasttracked
add action=fasttrack-connection chain=forward comment="Protect the LAN devices FastTrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=GNEMS log=yes log-prefix=!public_from_LAN \
out-interface=!GNEMS
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=GNEMS log=yes log-prefix=LAN_!LAN src-address=!192.168.200.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall mangle
add action=accept chain=prerouting disabled=yes dst-address=192.168.2.0/24 in-interface=GNEMS
add action=accept chain=prerouting disabled=yes dst-address=192.168.3.0/24 in-interface=GNEMS
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local in-interface=GNEMS new-connection-mark=WAN1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local in-interface=GNEMS new-connection-mark=WAN2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=yes in-interface=GNEMS new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn disabled=yes in-interface=GNEMS new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn disabled=yes new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn disabled=yes new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.1 pref-src="" routing-table=to_WAN1 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src=0.0.0.0 routing-table=to_WAN2 scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=GNEMSROUTER
/system script
# note: this script drops every tracked connection on the router, not only the PBX's, and the
# policy list grants far more than the read,write that this single command needs
add dont-require-permissions=no name="clear connection for IPBX" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip firewall connection remove [find]"
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: PCC mangle and IP telephone center

Tue Aug 16, 2022 10:57 pm

Is anyone able to suggest something here?
Exempt the outgoing traffic of the PBX from the PCC handling by inserting a mangle/prerouting rule matching on the IP address of the PBX as src-address and assigning the desired connection-mark value before (above) the PCC rules.

Once you do that, don't forget to remove the already established connections of the PBX (or disconnect the PBX for a minute), as the PBX most likely keeps updating the incorrectly marked connections so although they don't succeed, they never disappear on their own.
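A concrete version of sindy's suggestion, as an added example that is not part of either post. It uses the names from the export above (bridge GNEMS, connection mark WAN1_conn, routing table to_WAN1) and pins the PBX to WAN1. The PBX address 192.168.200.134 is taken from the export's static ARP entry; the question text says 192.168.20.134, so confirm which is right before pasting. The rule comment, the script name and the five-minute scheduler interval are assumptions for illustration.

```routeros
# Added example, not code from the thread. Names (GNEMS, WAN1_conn, to_WAN1) are
# taken from the posted export. PBX address 192.168.200.134 is assumed from the
# export's static ARP entry; the question text says 192.168.20.134.

# 1. Exempt the PBX from PCC: mark all of its new outbound connections WAN1_conn.
#    connection-mark=no-mark and dst-address-type=!local mirror the PCC rules so
#    traffic to the router itself is left alone. place-before puts the rule
#    directly above the existing WAN1 PCC classifier rule, i.e. above both PCC
#    rules but still below the two accept rules for the WAN-side subnets.
/ip firewall mangle
add chain=prerouting in-interface=GNEMS src-address=192.168.200.134 \
    connection-mark=no-mark dst-address-type=!local \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="PBX: pin to WAN1 (keep above the PCC rules)" \
    place-before=[find where new-connection-mark=WAN1_conn and in-interface=GNEMS]

# The existing mark-routing rule (connection-mark=WAN1_conn -> to_WAN1) then
# sends every packet of those connections out WAN1; nothing else is needed.

# 2. One-off: drop the PBX's already tracked connections so the SIP
#    registrations are rebuilt with the new mark (sindy's second point).
#    A connection's src-address prints as "ip:port", hence the anchored pattern.
/ip firewall connection remove [find where src-address~"^192.168.200.134:"]

# 3. Check: every connection of the PBX should now carry WAN1_conn, and the
#    packet counter of the new mangle rule should be rising.
/ip firewall connection print where src-address~"^192.168.200.134:"
/ip firewall mangle print stats where comment~"PBX"

# 4. Optional: a narrowed version of the posted scheduled script. It flushes
#    only the PBX's connections instead of every connection on the router, and
#    carries only the read,write policy the command needs. The script name and
#    the 5-minute interval are assumptions.
/system script
add name=clear-pbx-conns policy=read,write source=\
    "/ip firewall connection remove [find where src-address~\"^192.168.200.134:\"]"
/system scheduler
add name=clear-pbx-conns interval=5m on-event=clear-pbx-conns policy=read,write
```

The pinning rule only has an effect once the PCC mangle rules and the to_WAN1/to_WAN2 routes are enabled; in the posted export they are all disabled=yes, which matches the "works only when the mangling rules are disabled" state described in the question.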
