gkounis

Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Thu Aug 25, 2022 1:45 pm

Hello all
I am attaching here my working firewall rules for 2 WAN PCC mangling. The fast-track rule took me so long to understand; my mangling rules were OK, and I was struggling in vain. Of course, the routing table in version 7 is another major change that you have to consider.
Change the address in the address table according to what you are using in your LAN.
The firewall rules form a complete basic working firewall with bogon protection, ICMP, TCP and UDP jump filters, (simple) DDoS attack protection and brute force protection.
If someone would like just to use two WANs as failover with firewall rules, those rules are inside, disabled.
Below are some of the disabled rules with a description of each.

This is not working in the PCC mangling - it's the default rule. Ignore or disable it if you have it already.
============================================================================
Line 114-115: add action=fasttrack-connection chain=forward comment="Protect the LAN devices FastTra\
ck Default Rule - not applicable to Mangling PCC" connection-state=established,related disabled=yes \
hw-offload=yes
This is not working in the PCC mangling.

Rules that ONLY need to be applied if you are using the router as a simple failover for two WANs (ENABLE them in the firewall filters)
==========================================================================================
Line 131-134: add action=reject chain=forward comment="Firewall Filter Failover" connection-mark=WAN2_conn disabled=yes \
out-interface=ether1-WAN1 reject-with=icmp-network-unreachable
add action=reject chain=forward connection-mark=WAN1_conn disabled=yes out-interface=ether2-WAN2 \
reject-with=icmp-network-unreachable

This was my IPBX that I wanted to get out of my mangling rules.
=================================================
Line 195 -196: add action=accept chain=prerouting comment="Enter address from sites that you wish to exempt from PCC" \
disabled=yes dst-address-list=sites-exempted-from-pcc src-address=192.168.200.134
You might need to use this route also to work with un-mangled IP addresses:
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src=0.0.0.0 routing-table=main scope=255 suppress-hw-offload=no target-scope=10

Rules in mangling to be applied if used as WAN failover. Disable everything else.
=============================================================
Line 201-204: add action=mark-connection chain=prerouting comment="Failover With Firewall Marking" connection-mark=\
no-mark disabled=yes in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=ether2-WAN2 \
new-connection-mark=WAN2_conn passthrough=yes

NAT works either with this rule or with the other two rules (enabled) for each WAN Ethernet in PCC mangling (not failover; there we have other rules below).
======================================================================================================================
Line 223: add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN --> works either with this rule or with the other two rules for each WAN ethernet.

Rules in routing and NAT if you wish failover for two WANs. Disable everything else.
============================================================
Line 226: add action=src-nat chain=srcnat comment="failover rules" disabled=yes out-interface=ether1-WAN1 \
Line 228: add action=src-nat chain=srcnat disabled=yes out-interface=ether2-WAN2 to-addresses=192.168.2.2
Line 240: add check-gateway=ping comment="Failover routes" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
Line 242: add comment="Failover routes" disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src=\

If you have any questions please feel free to ask.
If Gurus have comments, please feel free to fire them at me.
 
gkounis

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Fri Aug 26, 2022 12:40 pm

Some modifications in the firewall filter rules. I forgot the invalid in the invalid input rule and was not able to access the router through WinBox with its IP. It was possible with its MAC.
It's essential to have a valid firewall when making mangling too, instead of using the default configuration, and I consider myself a basic user still, so I am supporting the basic users out there also.
Mikrotik is a huge beast....
========================================================================
# aug/26/2022 12:31:40 by RouterOS 7.4.1
# model = 960PGS

/ip firewall filter
add action=accept chain=input comment="Starting rules to protect Router Allow Established connections" connection-state=established,related
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow router from inside LAN" in-interface-list=!WAN src-address-list=allowed_to_router
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="DISABLE CONSTANTLY Bandwidth management Rule 100Mbps on WAN" disabled=yes limit=!100M,100M:bit out-interface-list=WAN
add action=reject chain=forward comment="Firewall Filter Failover" connection-mark=WAN2_conn disabled=yes out-interface=ether1-WAN1 reject-with=icmp-network-unreachable
add action=reject chain=forward connection-mark=WAN1_conn disabled=yes out-interface=ether2-WAN2 reject-with=icmp-network-unreachable
add action=fasttrack-connection chain=forward comment="FastTrack Default Rule - not applicable to Mangling PCC" connection-state=established,related disabled=yes hw-offload=yes
add action=fasttrack-connection chain=forward comment="Protect the LAN devices Fast track for PCC mangling" connection-state=established,related hw-offload=yes \
in-interface-list=LAN src-address=!192.168.200.0/24
add action=accept chain=forward comment="Allow already established, related connections" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid protocol=tcp
add action=accept chain=forward comment="Accept tries to reach WAN router addresses from LAN (access ISP routers from inside LAN)" in-interface=GNEMS log-prefix=!public_from_LAN out-interface-list=\
WAN
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=GNEMS log=yes log-prefix=!public_from_LAN out-interface=\
!GNEMS
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to UDP filters" jump-target=udp protocol=udp
add action=jump chain=forward comment="jump to TCP filters" jump-target=tcp protocol=tcp
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" dst-address-list=not_in_internet in-interface-list=WAN log-prefix=!public
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=GNEMS log=yes log-prefix=LAN_!LAN src-address=!192.168.200.0/24
add action=jump chain=forward comment="DDOS Protect" connection-state=new jump-target=block-ddos
add action=return chain=block-ddos dst-limit=32,42,src-and-dst-addresses/10s
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=block-ddos
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=icmp comment="ICMP filters echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=tcp comment="TCP filters deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="TCP filters deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
 
anav

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Fri Aug 26, 2022 4:36 pm

Yeah, your firewall is crap; you would be better served to use defaults and, if mangling works from that, be happy, then add in any other required rules for actually needed traffic flow.......... not cute YouTube video garbage.
 
gkounis

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Fri Aug 26, 2022 7:16 pm

Thanks for your criticism. It works ok. As concerning my videos, I don't care, as they also work as they should. If you don't like them, watch Netflix mate. The firewall is made by default in wiki. Nice talk Anav
 
rextended

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Fri Aug 26, 2022 7:42 pm

add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
Really??? Really??? Really???

Really you still use Windows 95???
 
anav

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Fri Aug 26, 2022 7:44 pm

That's fine, I just don't want anybody to get the idea that FLUFF is required. It may be pretty, but it's still FLUFF.
 
gkounis

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Fri Aug 26, 2022 10:58 pm

I need your feedback to find out what is outdated and what is wrong, people. It took a lot of time to get the info that fast track does not work with PCC mangling.
 
gkounis

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Sat Aug 27, 2022 11:48 am

After feedback and some more reading I have removed the UDP and TCP jumps totally (if you have any feedback please send it, as it might need some filtering drops but I don't know which).
My firewall for PCC mangling is the following:
FASTTRACKING removed totally
# aug/27/2022 11:44:41 by RouterOS 7.4.1
# model = 960PGS
# serial number = A51509797D94
/ip firewall filter
add action=accept chain=input comment="Starting rules to protect Router Allow Established connections" connection-state=established,related
add action=accept chain=input comment="Allow router from inside LAN" in-interface-list=!WAN src-address-list=allowed_to_router
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="Allow already established, related connections" connection-state=established,related
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid protocol=tcp
add action=accept chain=forward comment="Accept tries to reach WAN router addresses from LAN (access ISP routers from inside LAN)" in-interface=GNEMS log-prefix=!public_from_LAN out-interface-list=\
WAN
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=GNEMS log=yes log-prefix=!public_from_LAN out-interface=\
!GNEMS
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" dst-address-list=not_in_internet in-interface-list=WAN log-prefix=!public
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=GNEMS log=yes log-prefix=LAN_!LAN src-address=!192.168.200.0/24
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=icmp comment="ICMP filters echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp comment="port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0-255 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
 
gkounis

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Sat Aug 27, 2022 12:00 pm

 
Sob

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Sat Aug 27, 2022 7:32 pm

Rules are evaluated in order from top to bottom, so after #5 unconditionally drops everything (not allowed before it), all following rules in chain=input are not reachable, i.e. useless. But it's no big loss. Protecting the router's own FTP server against brute-forcing is nonsense, because it's unlikely that you even need it enabled, and almost certain that you don't need it accessible from the internet. So just disable the whole FTP server; it's much better protection. SSH has a slightly higher chance that you want it, but most people don't. And this way of blocking is not great: it just counts connections and can't distinguish between failed and successful logins.
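A small check for the ordering problem described in the post above, added here as an example (it is not from the thread and not a RouterOS tool): it parses a `/ip firewall filter` export, joins the backslash-wrapped lines, and reports every enabled rule that sits below a catch-all terminal rule in the same chain. The sample export is a constructed excerpt of the poster's input chain in the order shown earlier.

```python
import re

# Constructed excerpt of the poster's chain=input rules, in the order of the
# export above (one forward rule kept to show other chains are not affected).
SAMPLE_EXPORT = """\
add action=accept chain=input comment="Allow Established" connection-state=established,related
add action=accept chain=input comment="Allow router from inside LAN" in-interface-list=!WAN src-address-list=allowed_to_router
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="Allow established" connection-state=established,related
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
"""

# Actions that end evaluation of the chain for a packet that matches the rule.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}

# Attributes that do not restrict which packets a rule matches.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix",
                "address-list", "address-list-timeout", "jump-target", "reject-with"}

ATTR_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_rules(export: str) -> list[dict]:
    """Turn a `/ip firewall filter` export into a list of {attr: value} dicts,
    joining lines that RouterOS wrapped with a trailing backslash."""
    joined = re.sub(r"\\\n\s*", "", export)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rules.append({m.group(1): m.group(2).strip('"') for m in ATTR_RE.finditer(line[4:])})
    return rules


def is_catch_all(rule: dict) -> bool:
    """True when the rule is a terminal action with no match conditions at all."""
    return rule.get("action") in TERMINAL_ACTIONS and not any(k not in NON_MATCHERS for k in rule)


def unreachable_rules(export: str) -> list[tuple[int, str, str]]:
    """Return (rule number, chain, comment) for every enabled rule that sits
    below a catch-all terminal rule in the same chain and therefore never matches."""
    sealed = set()      # chains in which a catch-all terminal rule was already seen
    shadowed = []
    for number, rule in enumerate(parse_rules(export), start=1):
        if rule.get("disabled") == "yes":
            continue    # disabled rules neither seal a chain nor count as shadowed
        chain = rule.get("chain", "")
        if chain in sealed:
            shadowed.append((number, chain, rule.get("comment", "")))
        elif is_catch_all(rule):
            sealed.add(chain)
    return shadowed


if __name__ == "__main__":
    for number, chain, comment in unreachable_rules(SAMPLE_EXPORT):
        print(f"rule {number} in chain={chain} is unreachable: {comment!r}")
```

On the sample it reports rules 7, 8 and 9 (the FTP and SSH brute-force rules and the first ssh_stage rule), all in chain=input, while the forward rule between them is left alone.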
 
anav

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Sat Aug 27, 2022 7:44 pm

Extra hot air there Sob! ;-P Short version - crap.

For PCC I use this resource..........
https://mum.mikrotik.com/presentations/US12/steve.pdf
 
gkounis

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Sat Aug 27, 2022 7:59 pm

I used the same mate.
Did you check it?
 
anav

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Sat Aug 27, 2022 9:12 pm

Won't look at your firewall rules but will look at the mangles and can compare side by side........
What I see that is different is in yellow from Discher's bible! And I present them in the order of Discher's doc................
In other words, you didn't actually follow the guide?

(1) Why add the in-interfaces??
add action=accept chain=prerouting comment=\
"allow usage of the default routing table for traffic to connected networks" dst-address=\
192.168.1.0/24 in-interface=GNEMS
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=GNEMS

(2) Assigning 2:0 and 2:1 looks good!

(3) Why the passthrough difference??
add action=mark-routing chain=prerouting comment="specify the in-interface option" connection-mark=\
WAN1_conn in-interface=GNEMS new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=GNEMS new-routing-mark=\
to_WAN2 passthrough=no

(4) Why the passthrough difference??
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=no

(5) Why the passthrough difference and these rules you have in a different order from the guide?
add action=mark-connection chain=prerouting comment=\
"mark all new incoming connections, to remember what was the interface" connection-mark=no-mark \
in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2-WAN2 \
new-connection-mark=WAN2_conn passthrough=no

(6) For routes they look okay, just not sure if one puts the check-gateway ping on the standard route or the mangle route, or if it doesn't matter.

Overall I would get rid of all the disabled rules; it made reading/troubleshooting way harder.
The rule below, at the start of the mangling section, I didn't comment on, but I am assuming that you have some purpose for it...................

add action=accept chain=prerouting comment="Enter address to equipment that you wish to exempt from PCC" \
src-address-list=users-exempted-from-pcc
 
gkounis

Re: Version 7.4.1 960PGS router full 2 WAN PCC mangling and firewall rule to work

Sun Aug 28, 2022 8:00 pm

As concerning the passthrough rules you are right, but it is debatable whether they have to be used or not in the given rules.
I also checked the following. So it's a mix and match between the two.
The last comment on the rule is for my IPBX, to avoid connection marking and leave it on the default WAN, which is one of the two, in order not to lose the IP provider's registration every time a connection is changing.
Thanks for your comments!!
