lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Port forwarding trouble with PCC load balancing

Wed Apr 24, 2024 10:20 pm

Hello guys. First of all sorry for my ignorance, I'm not an IT expert and all my studies were in the field of geology. And it's the first time using RouterOS!
I just converted my homelab from a (very power hungry) PFSense setup to a RB3011. I like it very much and have been able to replicate most of the stuff the PFSense firewall did, but then it all ground to a halt when I tried to implement the dual WAN setup.

Here is the network's schematic:
[image: network schematic]

PF_AIR is a 100/20 Mbit point to point wireless link.
PF_FTTC as the name implies is a 60/20 Mbit FTTC VDSL connection.
There is also a "last resort" LTE connection called TIM, but I'm honestly not that interested in that one for the moment (I'd like to sort the port forwarding before).

How I had implemented this on PFSense: PF_AIR and PF_FTTC had equal cost in the gateway parameters, and then I added normal port forwarding rules from both connections (so basically I had duplicate rules: one for port 80 for PF_FTTC; and another for port 80 for PF_AIR).

How I tried replicating this on RouterOS: I followed this guide: https://www.paolodaniele.it/mikrotik-ag ... n-con-pcc/ for PCC (I had to adjust the syntax because that guide was written for RouterOS 6), then I attempted to add port forwarding rules via the NAT tab in the firewall (dst-nat etc.). It appeared to work, but a day later it didn't anymore (see below). So I searched in the forums and found this: viewtopic.php?t=77466. But that didn't work either. Then, I tried another forum post: viewtopic.php?t=129799 but to no avail either.

What works: The PCC appears to work as both connections get similar usage when looking at the statistics.
What does NOT work: Port forwarding is extremely erratic. Sometimes it works perfectly through both connections, sometimes only HTTP(S) works, sometimes it only works from PF_AIR, sometimes SSH works through PF_FTTC but not PF_AIR. And what's even more troubling is that when, for example, SSH works only through PF_FTTC for me, if I ask a friend, it might only work through PF_AIR for him! Same goes for HTTP.

This is the config:
# 2024-04-24 15:20:29 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = ##############
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes interface=ether1-PF_AIR name=PF-AIR user=\
    air218@pianetafibra.it
add add-default-route=yes disabled=no interface=sfp1 name=PF-FTTC \
    use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
    Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
    192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
    192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
    192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
    interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
    vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
    192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
    192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
    192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
    vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
    192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.160 client-id=1:d8:3a:dd:a7:d6:5e comment=Helios \
    mac-address=D8:3A:DD:A7:D6:5E server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward comment="PF-AIR Forward" disabled=\
    yes in-interface=PF-AIR new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=forward comment="PF-FTTC forward" disabled=\
    yes in-interface=PF-FTTC new-connection-mark=FTTC_conn passthrough=yes
add action=mark-connection chain=prerouting comment="PF-AIR PortForward" \
    disabled=yes dst-address-type=!local in-interface=PF-AIR \
    new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="PF-FTTC PortForward" \
    disabled=yes dst-address-type=!local in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn passthrough=yes
add action=mark-connection chain=input in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=input in-interface=PF-AIR \
    new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
    in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
    in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire FTP" dst-port=21 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=21
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
add action=dst-nat chain=dstnat comment="SSH Pi5 JVital" dst-port=52233 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
add action=masquerade chain=srcnat out-interface=PF-FTTC
# PF-AIR not ready
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=\
    to_FTTC
add check-gateway=ping dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=\
    to_AIR
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thank you a LOT in advance for any pointers you might give me!
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Thu Apr 25, 2024 4:36 pm

Many config errors, but conceptually the biggest problem so far is that you assign VLANs, but don't assign them to any ports.
Why do you have them if they are not going to any ports?
You don't assign vlans to vlan ids in /interface bridge vlan, you assign (tagged or untagged) bridge or wlan ports.

So right now you have what I call the bridge vlan to ports 5-sfp1 untagged aka going to dumb devices that cannot read vlan tags.
Where do vlans 10,11,13 go? On which ports, to which devices?
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Thu Apr 25, 2024 8:29 pm

Hi, and first of all thanks for the reply. Here is a diagram of the port setup:
[image: port setup diagram]

The rationale for my setup:
  • I have several managed switches that "untag" the VLANs as needed for that particular port
  • I use Multi SSIDs on access points, so those need tagged VLANs
  • I never bothered to remove the internal switch of the Mikrotik, for two reasons: 1 the first time I tried, I locked myself out due to inexperience, and 2 because it is handy to have an extra port with all tagged VLANs so I can test stuff quickly with the laptop.
But the VLANs work fine (at least, I didn't notice anything wrong with them?) The main problem is the port forwarding, and none of the servers in question are on a VLAN anyway!
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Thu Apr 25, 2024 8:30 pm

Yup, was just asking where the vlans went because it was a mystery LOL and your ether6 setting was misleading.

Since you have vpn connections coming to the router and also port forward to VLAN, and PCC,
you need three sets of mangles.
One for VPN
One for PF
One for PCC

Another issue I see is duplicate use of 443, you have it seems an HTTPS server for port 443, but you attempt to also use SSTP on 443 to the router.
I have removed sstp to the router.
Last edited by anav on Thu Apr 25, 2024 11:10 pm, edited 1 time in total.
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Thu Apr 25, 2024 8:51 pm

Yep, the only connection to the managed switch in normal circumstances is on eth6.

I've been told over on Reddit to add two rules, and my mangle rules look like this now. But that still doesn't work...
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=PF-FTTC new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=PF-AIR new-connection-mark=AIR_conn
add action=mark-connection chain=input in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=input in-interface=PF-AIR \
    new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-LAN new-connection-mark=\
    FTTC_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-LAN new-connection-mark=\
    AIR_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
    in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
    in-interface=bridge-LAN new-routing-mark=to_AIR
(PF-AIR is down otherwise people can't access my website)
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Thu Apr 25, 2024 11:11 pm

Working on it, on ip routes at the moment. To gain better control and visibility of routes, not using default routes in pppoe settings...
It's not clear to me if you wanted ether2 to be PCCd as well ?? It's a separate LAN but did you want it PCCd??
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Thu Apr 25, 2024 11:30 pm

Most mods/changed.............

/interface vlan
add interface=bridge-LAN name=vlanbridge vlan-id=5
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13

/interface pppoe-client
add add-default-route=no interface=ether1-PF_AIR name=PF-AIR user=\
air218@pianetafibra.it
add add-default-route=no interface=sfp1 name=PF-FTTC \
use-peer-dns=yes user=fttc4250

/ip dhcp-server
add address-pool=dhcp interface=vlanbridge lease-time=23h59m59s name=LAN_DHCP

/interface bridge port
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6 comment="only trunk port"
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether7 pvid=5
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether8 pvid=5
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether9 pvid=5
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether10 pvid=5
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp1 pvid=5

/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether6 vlan-ids=10,11,13
add bridge=bridge-LAN tagged=bridge-LAN,ether6 untagged=ether7,ether8,ether9,ether10,sfp1 vlan-ids=5


/interface list member
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
add interface=vlanbridge list=LAN
add interface=vlan10-Ospiti list=LAN
add interface=vlan11-IoT list=LAN
add interface=vlan13-Inaffidabile list=LAN
add interface=ether5-LAN2 list=LAN


/ip address
add address=172.16.20.1/16 comment=LAN interface=vlanbridge network=\
172.16.0.0

/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
gateway=172.16.20.1 { netmask removed not required! }

/ip firewall address-list { mostly from static DHCP leases }
add address=adminIP1 list=Authorized comment="Admin desktop"
add address=adminIP2 list=Authorized comment="Admin laptop"
add address=adminIP3 list=Authorized comment="Admin smartphone/ipad"
add address=adminIP4 list=Authorized comment="Admin BTH remote"
add address=172.16.20.160/32 list=MyServers
add address=172.16.20.220/32 list=MyServers


/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address-list=Authorized comment="Admin access only"
add action=accept chain=input comment="DNS & NTP services" dst-port=53,123 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="DNS services" dst-port=53 protocol=udp in-interface-list=LAN
add action=drop chain=input comment="Drop All Else" { put this rule in last so you dont lock yourself out }

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


/ip firewall mangle { order is important }
{ Mangling for VPN Connection To the Router }
add action=mark-connection chain=input connection-mark=no-mark in-interface=PF-AIR \
new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=PF-FTTC \
new-connection-mark=FTTC_conn passthrough=yes
add action=mark-routing chain=output connection-mark=AIR_conn \
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=output connection-mark=FTTC_conn \
new-routing-mark=to_FTTC passthrough=no
{ Mangling for LAN Server Traffic }
add action=mark-connection chain=forward connection-mark=no-mark in-interface=PF-AIR \
dst-address-list=MyServers new-connection-mark=W1-2-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=PF-FTTC \
dst-address-list=MyServers new-connection-mark=W2-2-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=W1-2-Servers \
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=W2-2-Servers \
new-routing-mark=to_FTTC passthrough=no
{ Mangling for PCC }
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface-list=LAN \
new-connection-mark=pcc-wan1 dst-address-type=!local \
per-connection-classifier=both-addresses-and-ports:2/0 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface-list=LAN \
new-connection-mark=pcc-wan2 dst-address-type=!local \
per-connection-classifier=both-addresses-and-ports:2/1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pcc-wan1 \
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=pcc-wan2 \
new-routing-mark=to_FTTC passthrough=no


/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat out-interface=PF-FTTC

add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24


/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0 gateway=PF-AIR routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0 gateway=PF-FTTC routing-table=main
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_AIR
add check-gateway=ping dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_FTTC


/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
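As an added illustration of anav's point (his "three sets of mangles" reply above and the PF and PCC mangle sets in this post), here is a small Python model, not code from the thread or from MikroTik, that replays one inbound dst-nat'd connection through lego11's original prerouting rules and through anav's PF + PCC sets, and reports which WAN the server's reply leaves on. The client address, the router's public address and the PCC hash are constructed stand-ins; only the matchers these rules actually use are modelled.

```python
"""Toy model of how RouterOS mangle marks decide which WAN carries the reply to
a dst-nat'd connection. Added example, not from the thread or from MikroTik:
only the matchers used in this thread are modelled, and MikroTik's own PCC hash
is replaced by a toy hash, so bucket numbers are illustrative only."""

ROUTING_TABLES = {"to_AIR": "PF-AIR", "to_FTTC": "PF-FTTC"}
LAN_LIST = {"bridge-LAN", "vlan10-Ospiti", "vlan11-IoT", "vlan13-Inaffidabile"}
MY_SERVERS = {"172.16.20.160", "172.16.20.220"}  # anav's MyServers address-list
ROUTER_PUBLIC = "198.51.100.1"  # constructed stand-in for the pppoe public address


def toy_pcc(pkt, denominator):
    """Stand-in for per-connection-classifier=both-addresses-and-ports.
    Symmetric in addresses and ports, so both directions of a flow agree."""
    octets = sum(int(o) for ip in (pkt["src"], pkt["dst"]) for o in ip.split("."))
    return (octets + pkt["sport"] + pkt["dport"]) % denominator


def matches(rule, pkt, conn):
    """Only the matchers this thread's rules use."""
    if rule.get("in-interface", pkt["in"]) != pkt["in"]:
        return False
    if "in-interface-list" in rule and pkt["in"] not in rule["in-interface-list"]:
        return False
    if rule.get("connection-mark", conn["mark"]) != conn["mark"]:
        return False
    if rule.get("dst-address-type") == "!local" and pkt["dst_local"]:
        return False
    if "dst-address-list" in rule and pkt["dst"] not in rule["dst-address-list"]:
        return False
    if "pcc" in rule:  # (denominator, remainder)
        return toy_pcc(pkt, rule["pcc"][0]) == rule["pcc"][1]
    return True


def run_chain(rules, chain, pkt, conn):
    """Top-to-bottom evaluation of one chain; passthrough=no ends it. A
    mark-connection hit changes the tracked mark at once, so later rules in the
    same chain already see the new mark. Returns the routing mark, if any."""
    routing_mark = None
    for r in (r for r in rules if r["chain"] == chain and matches(r, pkt, conn)):
        if r["action"] == "mark-connection":
            conn["mark"] = r["new-connection-mark"]
        else:  # mark-routing
            routing_mark = r["new-routing-mark"]
        if not r.get("passthrough", True):
            break
    return routing_mark


def reply_egress(rules, in_wan, client, client_port, server, server_port,
                 main_default="PF-AIR"):
    """WAN that carries the server's reply to a connection that arrived on in_wan.
    main_default stands for whichever pppoe default route the main table uses."""
    conn = {"mark": "no-mark"}  # fresh connection-tracking entry
    # SYN from the internet: prerouting sees the router's public address (local);
    # after dst-nat, the forward chain sees the LAN server.
    syn = {"in": in_wan, "src": client, "dst": ROUTER_PUBLIC, "dst_local": True,
           "sport": client_port, "dport": server_port}
    run_chain(rules, "prerouting", syn, conn)
    run_chain(rules, "forward", {**syn, "dst": server, "dst_local": False}, conn)
    # The server's reply enters from the LAN; prerouting chooses the routing table.
    reply = {"in": "bridge-LAN", "src": server, "dst": client, "dst_local": False,
             "sport": server_port, "dport": client_port}
    mark = run_chain(rules, "prerouting", reply, conn)
    return ROUTING_TABLES.get(mark, main_default)


# lego11's enabled prerouting rules from the first post: PCC without a
# connection-mark=no-mark guard, and nothing marks connections arriving on a WAN.
ORIGINAL = [
    {"chain": "prerouting", "action": "mark-connection", "in-interface": "bridge-LAN",
     "dst-address-type": "!local", "new-connection-mark": "FTTC_conn", "pcc": (2, 0)},
    {"chain": "prerouting", "action": "mark-connection", "in-interface": "bridge-LAN",
     "dst-address-type": "!local", "new-connection-mark": "AIR_conn", "pcc": (2, 1)},
    {"chain": "prerouting", "action": "mark-routing", "in-interface": "bridge-LAN",
     "connection-mark": "FTTC_conn", "new-routing-mark": "to_FTTC"},
    {"chain": "prerouting", "action": "mark-routing", "in-interface": "bridge-LAN",
     "connection-mark": "AIR_conn", "new-routing-mark": "to_AIR"},
]


# anav's "PF" and "PCC" mangle sets (his input/output VPN set is not needed here).
def pf_rule(wan, mark):
    return {"chain": "forward", "action": "mark-connection", "connection-mark": "no-mark",
            "in-interface": wan, "dst-address-list": MY_SERVERS, "new-connection-mark": mark}

def pcc_rule(remainder, mark):
    return {"chain": "prerouting", "action": "mark-connection", "connection-mark": "no-mark",
            "in-interface-list": LAN_LIST, "dst-address-type": "!local",
            "new-connection-mark": mark, "pcc": (2, remainder)}

def route_rule(conn_mark, table):
    return {"chain": "prerouting", "action": "mark-routing", "connection-mark": conn_mark,
            "new-routing-mark": table, "passthrough": False}

FIXED = [pf_rule("PF-AIR", "W1-2-Servers"), pf_rule("PF-FTTC", "W2-2-Servers"),
         route_rule("W1-2-Servers", "to_AIR"), route_rule("W2-2-Servers", "to_FTTC"),
         pcc_rule(0, "pcc-wan1"), pcc_rule(1, "pcc-wan2"),
         route_rule("pcc-wan1", "to_AIR"), route_rule("pcc-wan2", "to_FTTC")]
```

With the original rules the reply's WAN is chosen by the PCC hash of the client's address and port, so it only matches the inbound WAN for some clients, which is the per-client erratic behaviour described in the first post. With anav's sets the reply follows the inbound WAN, but only for servers in MyServers; a dst-nat target missing from that list (172.16.20.230 is forwarded to but not listed) still falls through to PCC.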
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Fri Apr 26, 2024 10:34 am

Hi and thanks for your work, I tried applying the config but that didn't work (I didn't touch the VLANs yet, but that shouldn't affect the port forwarding).

Now, I can no longer reach the Internet at all (and port forwarding doesn't work). It says that the static routes are invalid. Here is the config:
/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/32 gateway=\
    PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/32 gateway=\
    PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PF-FTTC pref-src="" \
    routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-AIR new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-FTTC new-connection-mark=FTTC_conn passthrough=yes
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    W1-2-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    W2-2-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=W1-2-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=W2-2-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=pcc-wan1 \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=pcc-wan2 \
    new-routing-mark=to_FTTC passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire FTP" dst-port=21 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=21
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
add action=dst-nat chain=dstnat comment="SSH Pi5 JVital" dst-port=52233 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
    
Regarding the TIM connection, since its bandwidth is metered, in the original PFSense setup it had a lower priority so it only became the default route if both unmetered PPPoEs failed. But it should accept port forwarding, because that allows me to troubleshoot if stuff goes really wrong. But again, it's something really optional... I'd rather get PCC and port forwarding on the PPPoEs working first... :)
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Sat Apr 27, 2024 11:46 pm

Hi, I did a few more tries, but to no avail.
I thought the problem lay here:
/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/32 gateway=\
    PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/32 gateway=\
    PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
Because a destination address of 0.0.0.0/32 doesn't really make sense, but even after adjusting that to 0.0.0.0/0 it still doesn't work at all. I'm at a loss :?

Thanks again
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Wed May 01, 2024 1:13 pm

Hi, no ideas?
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Wed May 01, 2024 3:06 pm

Not until you post a complete config, don't work from snippets
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Wed May 01, 2024 9:05 pm

The config I initially tried was exactly as you provided it, minus the VLAN, IPSec and other LAN-only parts. And I had to correct a few mistakes, as I said in the post above. As I've said, I'd rather first have a working config for the actual topic title (PCC and port forwarding), and only later fix the VPNs and the rest, which I don't really need anyway.

Since the config you provided clearly didn't work, I tried in a different manner, and that also didn't work.

The current config is as follows:
# 2024-04-24 03:02:21 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=2 interface=ether1-PF_AIR \
    name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=2 disabled=no interface=sfp1 \
    name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
    Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
    192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
    192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
    192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
    interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
    vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
    192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
    192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
    192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
    vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
    192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    PF-AIR-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    PF-FTTC-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=input in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=input in-interface=PF-AIR \
    new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR
add action=mark-connection chain=prerouting comment="Ospiti solo AIR" \
    dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=\
    AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" \
    dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=\
    AIR_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
    in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
    in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
# PF-AIR not ready
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
There is clearly a problem with the static routes, because when check-gateway is set to anything but none, the route is marked as unreachable as I wrote 4 days ago.

Now with the current config (the one I posted above) there is a different behavior:
  • If the first two mangle routes (mark connections to MyServers) are DISABLED, and both PPPoEs are ENABLED, port forwarding works most of the time (e.g. maybe on HTTP it works, but the next refresh might not load) and PCC works.
  • If the first two mangle routes are ENABLED, and both PPPoEs are ENABLED, port forwarding NEVER works but PCC works
  • If it's set as currently (one PPPoE enabled, first two mangle routes disabled) port forwarding works but obviously PCC doesn't.
Now I really don't want to abuse the forum as a way to get a config done by others, so that's why I concentrated on the PCC/Port forwarding side (I don't get why I was ghosted tho...).
Really, I can fix the VLAN stuff later, once I know how to properly set PCC up for port forwarding... that's the real hurdle now.
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Wed May 01, 2024 9:27 pm

Well your setup is wrong with regard to the LAN and vlans so PCC doesn't matter at all until the LAN is fixed.
You are mixing up dhcp from bridge and then you have vlans going nowhere........
So Please be clear,
What are your ports connected to.
ether2 ( stand alone subnet not on the bridge )?
ether3-sfp1 [ which one(s) only have a single subnet going to a dumb device like a PC ] [ which one(s) are to smart devices and have one or more vlans tagged ]
+++++++++++++++

Once a coherent LAN exists then we can move forward.
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Wed May 01, 2024 10:26 pm

Hi, Diagram below
[diagram image]
  • SFP1: No IP address, only used for PPPoE PF-FTTC. WAN
  • ether1: No IP address, only used for PPPoE PF-AIR. WAN
  • ether2: 192.168.2.1/24, this is connected to an LTE router. -> TIM. WAN
  • ether3: unused
  • ether4: unused
  • ether5: 192.168.12.1/24. This goes to a single access point in another apartment (hence the separated subnet, which I've called LAN2) 80 meters away. So that's why it's not a VLAN. -> LAN2
  • ether6 through ether10: all members of bridge-LAN. This is connected to a managed HP switch, and NEEDS to have both the untagged LAN (172.16.0.0/16; 172.16.20.1) as well as the 3 tagged VLANs 10, 11 and 13 that go to separate subnets.
I hope I've managed to explain it this time!

Thanks again
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Wed May 01, 2024 11:23 pm

Okay so that is much clearer, thanks!
Ether2 is for a third wan connection but not in the mix at the moment.
Ether3,4 not used.
Ether5, separate subnet NOT on the bridge but part of the LAN overall.
Ether6-10 WHERE IT GOES WRONG.

First you should not attempt to have the bridge trying to give out DHCP on ports 6-10 and also expect to have vlans using eth6-10 at the same time.
Knowing that all are going to the SAME managed switch means ONLY one port is required.

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6
/interface bridge vlan
add bridge=bridge tagged=bridge,ether6 vlan-ids=10,11,13,16


16 is basically taking your current bridge subnet construct and simply turning it into a vlan............ real quick and easy.

However, what is not clear to me is why have you separated out Ether 5 from being on the bridge??? I can sort of understand Eth5 being an off bridge way to access the router for backup config so that works for me.


++++++++++++++++++++++++++++++++++

Now in terms of PCC I can only recommend NOT using default routes, to access check-gateway=ping properly in manual routes.
with default routes = no
Only major changes noted:


# model = RB3011UiAS

/interface vlan
add interface=bridge-LAN name=vlan16-bridge vlan-id=16


/interface pppoe-client
add add-default-route=no default-route-distance=1 interface=ether1-PF_AIR \
name=PF-AIR user=air218@pianetafibra.it
add add-default-route=no default-route-distance=1 disabled=no interface=sfp1 \
name=PF-FTTC use-peer-dns=yes user=fttc4250


/ip dhcp-server
add address-pool=dhcp interface=vlan16-bridge lease-time=23h59m59s name=LAN_DHCP

/interface bridge port
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6


/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether6 vlan-ids=10,11,13,16

/interface list member
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
add interface=ether5-LAN2 list=LAN
add interface=vlan10-Ospiti list=LAN
add interface=vlan11-IoT list=LAN
add interface=vlan13-Inaffidabile list=LAN
add interface=vlan16-bridge list=LAN


/ip address
add address=172.16.20.1/16 comment=LAN interface=vlan16-bridge network=\
172.16.0.0


/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
gateway=172.16.20.1 netmask=16 <----- REMOVE NETMASK ENTRY!!!

/ip firewall address-list
add address=172.16.20.230 comment="Sunfire" list=MyServers
add address=172.16.20.220 comment="Minecraft" list=MyServers
add address=172.16.20.218 comment="GLaDOS" list=MyServers
add address=172.16.20.211 comment="DNS" list=DNServers
add address=172.16.20.210 comment="DNS" list=DNServers


/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All Else"
{ put this rule in last so you dont lock yourself out }

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="access dns" in-interface-list=LAN dst-address-list=DNServers
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


/ip firewall mangle
{ Mangling for VPN Connection To the Router }
add action=mark-connection chain=input connection-mark=no-mark in-interface=PF-AIR \
new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=PF-FTTC \
new-connection-mark=FTTC_conn passthrough=yes
add action=mark-routing chain=output connection-mark=AIR_conn \
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=output connection-mark=FTTC_conn \
new-routing-mark=to_FTTC passthrough=no

{ Mangling for External LAN Server Traffic }
add action=mark-connection chain=forward connection-mark=no-mark in-interface=PF-AIR \
dst-address-list=MyServers new-connection-mark=W1-to-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=PF-FTTC \
dst-address-list=MyServers new-connection-mark=W2-to-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=W1-to-Servers \
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=W2-to-Servers \
new-routing-mark=to_FTTC passthrough=no

{ Mangling for PCC }
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface-list=LAN \
new-connection-mark=pcc-wan1 dst-address-type=!local \
per-connection-classifier=both-addresses-and-ports:2/0 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface-list=LAN \
new-connection-mark=pcc-wan2 dst-address-type=!local \
per-connection-classifier=both-addresses-and-ports:2/1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pcc-wan1 \
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=pcc-wan2 \
new-routing-mark=to_FTTC passthrough=no


/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=main
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_FTTC
add dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_AIR


/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN


+++++++++++++++++++++++++++++++++++++++++++
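As an added illustration of why the "External LAN Server Traffic" marks above are needed, and of the intermittent forwarding lego11 saw with those rules disabled, here is my own Python model of the mangle evaluation (not MikroTik code and not either poster's config). It traces a port-forwarded request arriving on one WAN and the server's reply leaving the LAN; the PCC hash is a constructed stand-in for both-addresses-and-ports and the client 203.0.113.10 is a constructed address.

```python
"""Toy model of RouterOS mangle evaluation for a port-forwarded connection.

Added example for this thread, not MikroTik code and not the posted configs.
The PCC hash is a constructed stand-in; the client address is constructed.
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import Optional

WAN_TABLE = {"PF-AIR": "to_AIR", "PF-FTTC": "to_FTTC"}   # /routing table names
LAN_IFACES = {"bridge-LAN"}                               # in-interface-list=LAN
ROUTER_LOCAL = {"172.16.20.1"}                           # for dst-address-type=!local
MY_SERVERS = {"172.16.20.230", "172.16.20.220", "172.16.20.218"}  # MyServers list

@dataclass
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Conn:
    mark: str = "no-mark"

class ConnTracker:
    """Direction-agnostic connection table, like conntrack."""
    def __init__(self) -> None:
        self.table: dict = {}

    def get(self, pkt: Packet) -> Conn:
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        return self.table.setdefault(key, Conn())

def pcc_bucket(pkt: Packet, denominator: int) -> int:
    """Stand-in for per-connection-classifier=both-addresses-and-ports:D/R."""
    data = f"{pkt.src}:{pkt.sport}-{pkt.dst}:{pkt.dport}".encode()
    return int.from_bytes(sha256(data).digest()[:4], "big") % denominator

@dataclass
class Rule:
    chain: str
    action: str                                  # mark-connection | mark-routing
    new_mark: str
    in_iface: Optional[str] = None
    in_iface_list: Optional[set] = None
    connection_mark: Optional[str] = None
    dst_address_list: Optional[set] = None
    dst_not_local: bool = False
    pcc: Optional[tuple] = None                  # (denominator, remainder)
    passthrough: bool = True

def run_chain(rules, chain: str, pkt: Packet, conn: Conn) -> Optional[str]:
    """Evaluate one chain top to bottom; return the routing mark set, if any."""
    routing_mark = None
    for r in rules:
        skip = (
            r.chain != chain
            or (r.in_iface and pkt.in_iface != r.in_iface)
            or (r.in_iface_list is not None and pkt.in_iface not in r.in_iface_list)
            or (r.connection_mark and conn.mark != r.connection_mark)
            or (r.dst_address_list is not None and pkt.dst not in r.dst_address_list)
            or (r.dst_not_local and pkt.dst in ROUTER_LOCAL)
            or (r.pcc and pcc_bucket(pkt, r.pcc[0]) != r.pcc[1])
        )
        if skip:
            continue
        if r.action == "mark-connection":
            conn.mark = r.new_mark
        else:
            routing_mark = r.new_mark
        if not r.passthrough:                    # passthrough=no ends the chain
            break
    return routing_mark

def mangle_rules(server_rules_enabled: bool) -> list:
    """Server-traffic marks (optional) followed by the PCC marks, in the order above."""
    rules = []
    if server_rules_enabled:
        for wan, table in WAN_TABLE.items():
            rules.append(Rule("forward", "mark-connection", f"{wan}-Servers",
                              in_iface=wan, connection_mark="no-mark",
                              dst_address_list=MY_SERVERS))
            rules.append(Rule("prerouting", "mark-routing", table,
                              connection_mark=f"{wan}-Servers", passthrough=False))
    for i, wan in enumerate(WAN_TABLE):          # 2/0 -> PF-AIR, 2/1 -> PF-FTTC
        rules.append(Rule("prerouting", "mark-connection", f"pcc-{wan}",
                          in_iface_list=LAN_IFACES, connection_mark="no-mark",
                          dst_not_local=True, pcc=(2, i)))
    for wan, table in WAN_TABLE.items():
        rules.append(Rule("prerouting", "mark-routing", table,
                          connection_mark=f"pcc-{wan}", passthrough=False))
    return rules

def reply_routing_mark(arrival_wan: str, server_rules_enabled: bool) -> str:
    """Routing table chosen for the server's reply to a request that came in on arrival_wan."""
    rules = mangle_rules(server_rules_enabled)
    ct = ConnTracker()
    # Request as seen after dst-nat: constructed client -> SunFire HTTP.
    request = Packet(arrival_wan, "203.0.113.10", 51000, "172.16.20.230", 80)
    conn = ct.get(request)
    run_chain(rules, "prerouting", request, conn)   # PCC rules need LAN ingress: no match
    run_chain(rules, "forward", request, conn)      # server rule marks the connection
    reply = Packet("bridge-LAN", "172.16.20.230", 80, "203.0.113.10", 51000)
    return run_chain(rules, "prerouting", reply, ct.get(reply)) or "main"

def return_path_symmetric(arrival_wan: str, server_rules_enabled: bool) -> bool:
    """True when the reply is routed out the WAN the request arrived on."""
    return reply_routing_mark(arrival_wan, server_rules_enabled) == WAN_TABLE[arrival_wan]
```

With the server rules on, the reply follows the arrival WAN for both links; with them off, the reply is PCC-hashed on its own 4-tuple, so one of the two WANs always gets an asymmetric return path, which is what an "it works, then the next refresh doesn't" pattern looks like.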
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Thu May 02, 2024 12:33 am

Hi and thanks again for the config!
However, what is not clear to me is why have you separated out Ether 5 from being on the bridge??? I can sort of understand Eth5 being an off bridge way to access the router for backup config so that works for me.
It's simply a historical situation, it was always like this. That 80m cable was directly connected to the old PFSense router (I ran out of ports on the old 24 port switch before I replaced it with the current 48 port HP switch, so I just connected it to a spare port on the quad NIC I had on the PFsense router).

I'll replace the config tomorrow and let you know.
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Thu May 02, 2024 1:39 am

What I would do is keep ether5 for off-bridge configuration of the router. No need for DHCP pools, etc., just keep the IP address only and ensure it's part of the management interface and LAN interface.
Then just plug in a PC or laptop, change the NIC's IPv4 settings to an address within the range, and you have access to config the router.
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Thu May 02, 2024 11:02 am

I think you've misunderstood the LAN structure again. Basically I need an untagged LAN which is the main one (172.16.0.0/16) and FOUR other separate LANs on their separate subnets (that being: vlan 10, vlan 11, vlan 13 AND the out-of-the-bridge ether5) that need to talk to each other ONLY via firewall rules but are otherwise isolated (I've yet to set up these rules, because port forwarding still doesn't work). I might as well remove all these and keep only 172.16.0.0/16 for now, if it makes it easier. The router config ports shouldn't be reachable from any other LANs except 172.16.0.0/16!!

That's why I still don't get why you want me to create an extra tagged VLAN 16 when there clearly is no need. The LAN part works, it's the WAN part that doesn't.

And with your latest config, I can't reach the Internet at all no matter what. Here it is. Again, please don't fixate on the LAN, otherwise I'll simply remove all other subnets for now until I can get PCC+port forward to work...
# 2024-04-24 16:59:46 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add disabled=no interface=ether1-PF_AIR name=PF-AIR user=\
    air218@pianetafibra.it
add disabled=no interface=sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
    Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
    192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
    192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
    192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
    interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
    vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
    192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
    192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
    192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
    vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
    192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
add address=172.16.20.211 comment=DNS list=DNServers
add address=172.16.20.210 comment=DNS list=DNServers
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="access dns" dst-address-list=\
    DNServers in-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-AIR new-connection-mark=Air_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-FTTC new-connection-mark=FTTC_conn passthrough=yes
# must match the mark set by the chain=input rule above (Air_conn)
add action=mark-routing chain=output connection-mark=Air_conn \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    W1-to-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    W2-to-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=W1-to-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=W2-to-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=pcc-wan1 \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=pcc-wan2 \
    new-routing-mark=to_FTTC passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=none disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_FTTC
add dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_AIR
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The routes get marked as unreachable as in the screenshot below
Schermata del 2024-05-02 09-51-20.png
If I disable check-gateway=ping, the routes are no longer unreachable, but I still can't browse the internet either.

Thanks
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Fri May 03, 2024 1:42 pm

Hi, I've tried factory resetting everything and discarding all the VLANs and the 2nd LAN for now (just as a test), but that didn't work either.

tested config:
# 2024-04-24 16:59:46 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface pppoe-client
add disabled=no interface=ether1-PF_AIR name=PF-AIR user=\
    air218@pianetafibra.it
add disabled=no interface=sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
add address=172.16.20.211 comment=DNS list=DNServers
add address=172.16.20.210 comment=DNS list=DNServers
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="access dns" dst-address-list=\
    DNServers in-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-AIR new-connection-mark=Air_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-FTTC new-connection-mark=FTTC_conn passthrough=yes
# must match the mark set by the chain=input rule above (Air_conn)
add action=mark-routing chain=output connection-mark=Air_conn \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    W1-to-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    W2-to-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=W1-to-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=W2-to-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=pcc-wan1 \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=pcc-wan2 \
    new-routing-mark=to_FTTC passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=none disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_FTTC
add dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_AIR
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Fri May 03, 2024 3:43 pm

This could be the error we were not seeing.........
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
172.16.0.0

I think it should be:
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
172.16.20.0
????

I am not good with larger subnets but I think that's right.


Also this is not critical but should be modified from:
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=none disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_FTTC
add dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_AIR


add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=\
PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=\
PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_FTTC
add dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_AIR
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Fri May 03, 2024 5:03 pm

Hi!
This could be the error we were not seeing.........
In my previous iterations (I used PFSense, Ubiquiti and Sophos hardware) it never caused a problem, but I also don't see why it would. If the subnet is /16 (255.255.0.0) then any IP from 172.16.0.0 to 172.16.254.254 should be reachable... so I attempted changing it to 172.16.0.1, but it didn't change anything... all the symptoms remained the same.
I also tried yet another factory reset, left the router address to the default 192.168.88.1, but that ALSO didn't work!! :( :( :(
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=\
PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
As I've stated in the previous message, if I have check-gateway=ping set, the route gets marked as invalid, unreachable and obviously can't reach the Internet.

Image

If I then set check-gateway=none, then the routes get marked as available, but I STILL can't reach the internet...
Should I try contacting Mikrotik support directly?
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Fri May 03, 2024 5:37 pm

Sounds more like a PPPOE ISP problem, perhaps they are blocking ICMP.
Otherwise out of ideas, perhaps someone else can do better.
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Fri May 03, 2024 7:17 pm

Okay, I'll try contacting my ISP. They use Mikrotiks internally so I think they should be able to help...
 
Amm0
Forum Guru
Posts: 3593
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Port forwarding trouble with PCC load balancing

Fri May 03, 2024 7:31 pm

Do you have "Use Default Route" enabled on the PPPoE interface? One thing you can do there is make sure that's checked, but use a higher distance like 11 and 12 respectively. Right now there are only interface routes, no IP route to the internet. You can then have a lower distance= value for static entries with check-gateway=yes, or use a /tool/netwatch rule to enable/disable routes as an alternative approach.

Leave the network address as default /16 so 172.16.0.0 (but if you clear it in winbox, it will use this same default for /16).
FWIW, if you google for "subnet calculator" these often help figure out what ranges/network/broadcast IP go to what /16 /24 etc.
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Fri May 03, 2024 8:26 pm

Hi!
Do you have "Use Default Route" enabled on the PPPoE interface?
Following advice from anav I had disabled it. But to get on the Internet, I need to have it enabled.
One thing you can do there is make sure that's check, but use a higher distance like 11 and 12 respectively.
I did try that, and it does work, but port forwarding doesn't.
/tool/netwatch rule to enable/disable routes is alternative approach.
How would that help in my case? I'd need load balancing, it looks like that one is more tailored towards failover, or am I wrong?
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Fri May 03, 2024 11:42 pm

Ammo, are you saying that for PPPoE one cannot decline the default route and use manual routes???
Also if that is true then how do you manage check-gateway=ping on the main route (is that available in the PPPoE DHCP client settings somewhere)???
 
Amm0
Forum Guru
Posts: 3593
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Port forwarding trouble with PCC load balancing

Sat May 04, 2024 12:47 am

You can use a script on the PPP profile to add/update static entries for the check-gateway=ping, similar to the /ip/dhcp-client script ... but a two-step profile via a new /ppp/profile with a script to set check-gateway, and that new PPP profile linked in the PPPoE interface. But this complexity is why I suggested netwatch to disable a route and a route rule for the netwatch hosts to set to the WAN1 or WAN2 table, with a script to disable that route, is somewhat easier IMO than an extra ppp profile with script.... All the PCC stuff is the same for load balancing.

FWIW, you can use both the script and the "add default gateway" checkbox at the same time, IF the default route distance in PPPoE is higher than the static ones updated by the script. This lets you disable the static routes if something goes wrong to use the dynamic default gateway at distance=11...

But the first problem here is the routing table will NOT work if the same valid route does not exist in the main table – so the inactive route in main for sure would cause the WAN route tables to not work.

Now why the dst-nat isn't working, IDK. The needed mangle for chain=input connection marking is there, which is all that should be needed.

Maybe the OP can post his /routing/route/print here as they have more detail than just /ip/route/print...
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Sun May 05, 2024 11:39 am

Hi, another experiment.
Configuration 1: PF-AIR disabled, port forwarding works fine, I can reach the internet. Obviously load balancing doesn't work.

# 2024-04-26 19:51:28 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=11 interface=ether1-PF_AIR \
    name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=11 disabled=no interface=\
    sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
    Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
    192.168.10.0/24
# LAN2 subnet (ether5-LAN2 is 192.168.12.1/24)
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
    192.168.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
    192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
    interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
    vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
    192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
    192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
    192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
    vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
    192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    PF-AIR-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    PF-FTTC-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=input in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=input in-interface=PF-AIR \
    new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR
add action=mark-connection chain=prerouting comment="Ospiti solo AIR" \
    dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=\
    AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" \
    dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=\
    AIR_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
    in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
    in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
# PF-AIR not ready
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
add action=dst-nat chain=dstnat comment="SSH Pi5 Jvital" dst-port=52233 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Routing print:

Flags: U - UNREACHABLE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-O>
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
    DST-ADDRESS          GATEWAY              AFI   DISTANCE  SCOPE  TA
Av  0.0.0.0/0            PF-FTTC              ip4         11     30  10
Ac  83.136.110.254/32    PF-FTTC              ip4          0     10    
Ac  172.16.0.0/16        bridge-LAN           ip4          0     10    
Ac  192.168.2.0/24       ether2-TIM           ip4          0     10    
Ac  192.168.10.0/24      vlan10-Ospiti        ip4          0     10    
Ac  192.168.11.0/24      vlan11-IoT           ip4          0     10    
Ac  192.168.12.0/24      ether5-LAN2          ip4          0     10    
Ac  192.168.13.0/24      vlan13-Inaffidabile  ip4          0     10    
Ac  192.168.216.0/24     back-to-home-vpn     ip4          0     10    
As  0.0.0.0/0            PF-FTTC              ip4          1     30  10
UsH 0.0.0.0/0            PF-AIR               ip4          1     30  10
A H ether1-PF_AIR                             link         0           
A H ether2-TIM                                link         0           
A H ether5-LAN2                               link         0           
A H sfp1                                      link         0           
A H ether6                                    link         0           
A H bridge-LAN                                link         0           
A H PF-FTTC                                   link         0           
A H lo                                        link         0           
A H back-to-home-vpn                          link         0           
A H vlan10-Ospiti                             link         0           
A H vlan11-IoT                                link         0           
A H vlan13-Inaffidabile                       link         0     
Configuration 2: I enable PF-AIR, but NOT the first two mangle rules below:
[Attached screenshot: Schermata del 2024-05-05 10-28-32.png]
Results: Load balancing works very well (speedtest.net gives 150 Mbit/s and 30 Mbit/s, so they're clearly getting summed up), but port forwarding doesn't work all the time. Sometimes I can reach a server only through a particular connection (either PF-AIR or PF-FTTC, it seems random), sometimes I can't reach it at all, and sometimes it works through both. This changes in a matter of seconds.
# 2024-04-26 19:55:16 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=11 disabled=no interface=\
    ether1-PF_AIR name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=11 disabled=no interface=\
    sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
    Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
    192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
    192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
    192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
    interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
    vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
    192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
    192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
    192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
    vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
    192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    PF-AIR-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    PF-FTTC-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=input in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn
add action=mark-connection chain=input in-interface=PF-AIR \
    new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR
add action=mark-connection chain=prerouting comment="Ospiti solo AIR" \
    dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=\
    AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" \
    dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=\
    AIR_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
    in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
    in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
add action=dst-nat chain=dstnat comment="SSH Pi5 Jvital" dst-port=52233 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Routing print:

Flags: A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
     DST-ADDRESS          GATEWAY              AFI   DISTANCE  SCOPE  TA
Av + 0.0.0.0/0            PF-AIR               ip4         11     30  10
Av + 0.0.0.0/0            PF-FTTC              ip4         11     30  10
Ac   83.136.109.254/32    PF-AIR               ip4          0     10    
Ac   83.136.110.254/32    PF-FTTC              ip4          0     10    
Ac   172.16.0.0/16        bridge-LAN           ip4          0     10    
Ac   192.168.2.0/24       ether2-TIM           ip4          0     10    
Ac   192.168.10.0/24      vlan10-Ospiti        ip4          0     10    
Ac   192.168.11.0/24      vlan11-IoT           ip4          0     10    
Ac   192.168.12.0/24      ether5-LAN2          ip4          0     10    
Ac   192.168.13.0/24      vlan13-Inaffidabile  ip4          0     10    
Ac   192.168.216.0/24     back-to-home-vpn     ip4          0     10    
As   0.0.0.0/0            PF-FTTC              ip4          1     30  10
As   0.0.0.0/0            PF-AIR               ip4          1     30  10
A H  ether1-PF_AIR                             link         0           
A H  ether2-TIM                                link         0           
A H  ether5-LAN2                               link         0           
A H  sfp1                                      link         0           
A H  ether6                                    link         0           
A H  bridge-LAN                                link         0           
A H  PF-FTTC                                   link         0 
Configuration 3: same as config 2 but this time the two mangle rules below are enabled:
[Attached screenshot: Schermata del 2024-05-05 10-33-04.png]
# 2024-04-26 19:59:42 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=11 disabled=no interface=\
    ether1-PF_AIR name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=11 disabled=no interface=\
    sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
    Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
    192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
    192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
    192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
    interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
    vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
    192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
    192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
    192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
    vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
    192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    PF-AIR-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    PF-FTTC-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=input in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn
add action=mark-connection chain=input in-interface=PF-AIR \
    new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR
add action=mark-connection chain=prerouting comment="Ospiti solo AIR" \
    dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=\
    AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" \
    dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=\
    AIR_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
    in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
    in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
add action=dst-nat chain=dstnat comment="SSH Pi5 Jvital" dst-port=52233 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Routing table:

[admin@MikroTik-VR] > /routing/route/print   
Flags: A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
     DST-ADDRESS          GATEWAY              AFI   DISTANCE  SCOPE  TA
Av + 0.0.0.0/0            PF-AIR               ip4         11     30  10
Av + 0.0.0.0/0            PF-FTTC              ip4         11     30  10
Ac   83.136.109.254/32    PF-AIR               ip4          0     10    
Ac   83.136.110.254/32    PF-FTTC              ip4          0     10    
Ac   172.16.0.0/16        bridge-LAN           ip4          0     10    
Ac   192.168.2.0/24       ether2-TIM           ip4          0     10    
Ac   192.168.10.0/24      vlan10-Ospiti        ip4          0     10    
Ac   192.168.11.0/24      vlan11-IoT           ip4          0     10    
Ac   192.168.12.0/24      ether5-LAN2          ip4          0     10    
Ac   192.168.13.0/24      vlan13-Inaffidabile  ip4          0     10    
Ac   192.168.216.0/24     back-to-home-vpn     ip4          0     10    
As   0.0.0.0/0            PF-FTTC              ip4          1     30  10
As   0.0.0.0/0            PF-AIR               ip4          1     30  10
A H  ether1-PF_AIR                             link         0           
A H  ether2-TIM                                link         0           
A H  ether5-LAN2                               link         0           
A H  sfp1                                      link         0           
A H  ether6                                    link         0           
A H  bridge-LAN                                link         0           
A H  PF-FTTC                                   link         0    
If I use the connection tracker, I see some of what I believe are incoming port forwarding connections (that I initiated from my phone) get stuck in TIMED WAIT.
Schermata del 2024-05-05 10-38-43.png
Thanks again
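The mangle rules in the export above rely on one mechanism: the connection mark set on the first packet of a connection is stored in connection tracking, and every later packet of that connection, including the server's replies entering from bridge-LAN, can derive a routing mark from it, so a dst-nat'd connection that arrived on PF-AIR is answered through PF-AIR rather than through whichever of the two ECMP default routes the main table picks. The following Python model is an added example written for this thread, not code from the post or from MikroTik. It assumes a stand-in hash for `per-connection-classifier=both-addresses-and-ports:2/x` (SHA-256 of the address/port tuple; only its stability per connection matters), collapses the export's forward-chain connection marking and prerouting routing marking into one step, and uses constructed addresses and ports. It shows the return path with and without marking of inbound WAN connections, and how PCC splits LAN-originated connections.

```python
"""Dual-WAN return-path model (constructed example, not from the thread or MikroTik).

Assumptions: pcc_remainder() is a stand-in for the RouterOS PCC hash, the
export's forward-chain mark-connection and prerouting mark-routing steps are
merged into prerouting(), and all addresses/ports below are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib

WANS = ("PF-AIR", "PF-FTTC")
LAN = "bridge-LAN"
# Constructed stand-in for the MyServers list / dst-nat targets (address, port)
FORWARDED = {("172.16.20.230", 443), ("172.16.20.230", 22)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str


def pcc_remainder(pkt: Packet, denominator: int) -> int:
    """Stand-in for per-connection-classifier=both-addresses-and-ports:D/R.
    RouterOS hashes the selected header fields and takes the result modulo D;
    the exact hash is not what matters here, only that it is stable per
    connection. Endpoints are sorted so both directions of a flow agree."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    digest = hashlib.sha256(repr(ends).encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator


def conn_key(pkt: Packet) -> frozenset:
    """Direction-independent key so a reply maps to the same conntrack entry."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class DualWanRouter:
    def __init__(self, mark_inbound: bool):
        # mark_inbound emulates the "mark new connections by in-interface=WAN" rules
        self.mark_inbound = mark_inbound
        self.conntrack: dict = {}  # conn_key -> connection mark

    def prerouting(self, pkt: Packet) -> Optional[str]:
        """Mangle prerouting: mark a new connection, then return the routing
        mark (the WAN name) derived from the connection mark, or None."""
        key = conn_key(pkt)
        mark = self.conntrack.get(key)
        if mark is None:
            if pkt.in_iface in WANS and (pkt.dst, pkt.dport) in FORWARDED:
                # dst-nat'd inbound connection: remember the ingress WAN
                if self.mark_inbound:
                    mark = f"{pkt.in_iface}_conn"
            elif pkt.in_iface == LAN:
                # LAN-originated (or an unmarked reply!): PCC 2/0 -> FTTC, 2/1 -> AIR
                mark = "PF-FTTC_conn" if pcc_remainder(pkt, 2) == 0 else "PF-AIR_conn"
            if mark is not None:
                self.conntrack[key] = mark
        return None if mark is None else mark[: -len("_conn")]

    def egress_wan(self, pkt: Packet) -> str:
        """WAN an internet-bound packet leaves through; without a routing mark
        the main table's ECMP default routes decide, independent of ingress."""
        return self.prerouting(pkt) or "main-table-ECMP"


def reply_path(mark_inbound: bool, ingress_wan: str) -> str:
    """An internet client (constructed 203.0.113.7) reaches the forwarded HTTPS
    port via ingress_wan; return the WAN the server's SYN-ACK is routed out of."""
    r = DualWanRouter(mark_inbound)
    syn = Packet("203.0.113.7", 51000, "172.16.20.230", 443, ingress_wan)  # after dst-nat
    r.prerouting(syn)  # inbound packet is forwarded to the LAN; mark is recorded
    syn_ack = Packet("172.16.20.230", 443, "203.0.113.7", 51000, LAN)
    return r.egress_wan(syn_ack)


def pcc_split(n: int = 200) -> dict:
    """Classify n constructed LAN-originated connections and count per WAN."""
    r = DualWanRouter(True)
    counts = {w: 0 for w in WANS}
    for i in range(n):
        pkt = Packet("172.16.20.50", 40000 + i, "198.51.100.9", 443, LAN)
        counts[r.prerouting(pkt)] += 1
    return counts


if __name__ == "__main__":
    for wan in WANS:
        print(f"marked:   in via {wan:8} -> reply out via {reply_path(True, wan)}")
        print(f"unmarked: in via {wan:8} -> reply out via {reply_path(False, wan)}")
    print("PCC split of LAN connections:", pcc_split())
```

With inbound marking the reply always leaves through the WAN the connection arrived on. Without it the reply, entering from bridge-LAN with no mark, is classified by the PCC rules as if it were a new outbound connection, so its egress WAN depends only on the hash and not on where the client came in; for one of the two WANs the path is then asymmetric, which is the kind of per-client, per-port erratic behaviour described in the thread. This is also why a `connection-mark=no-mark` match on the PCC rules, or a `passthrough=no` mark-routing rule placed before them as in the export, matters: the PCC rules must never see packets of an already-marked connection.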
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Tue May 07, 2024 3:38 pm

Hi, no ideas still? ...
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding trouble with PCC load balancing

Tue May 07, 2024 3:59 pm

Nope, the fw rules and mangle rules are not as I put them so cannot really help much more.
 
lego11
just joined
Topic Author
Posts: 17
Joined: Wed Apr 24, 2024 4:14 pm

Re: Port forwarding trouble with PCC load balancing

Wed May 08, 2024 9:36 pm

Honestly it's a bit ridiculous, because it never worked, even when I copied the rules 1:1 (which I had to fix anyway because there were several mistakes), as demonstrated in post N°19 viewtopic.php?t=207035#p1073101
It's baffling that Mikrotik can't do something that PFSense did so easily and effortlessly.
