com/wiki/Manual:PCC
Refer to the full scenario and configuration there; this post only discusses changes to the configuration
shown in the manual. All sections that are changed are posted here in their entirety, i.e. the mangle
rules here are the ONLY rules that should exist in the wiki's scenario, extended to what is outlined
below.
Now, let's add a web server at 192.168.0.100 that is supposed to be reachable on ports tcp/80 and tcp/443
via both WAN circuits. To give an example for your original requirement of mail being sent out via specific
circuits, let's also make up a pretend policy that every time anyone on the LAN connects to 1.1.1.1/32 this
must happen via wlan1, and every time anyone on the LAN connects to 2.2.2.2/32 this must happen via
wlan2.
The port forwarding happens via the usual NAT rules, but you need two rules, one for each WAN
interface. You must also make sure to mark the connection at the time it is being established so you can
route traffic back out that interface. Also, you need to make sure that you don't later overwrite the marks
applied at that time for return packets when PCC becomes active. This is easily achieved by only
applying PCC rules to previously unmarked connections, which is done by adding a new qualifier:
connection-mark=no-mark.
The policy routing based on LAN traffic to specific destination IPs (1.1.1.1 and 2.2.2.2) is simple: add
connection marks based on the IPs before the PCC section. Since we've already established that the
PCC rules will be adjusted to only apply to previously unmarked packets, PCC won't remark.
Here is the changed mangle section in its entirety:
action=accept in-interface=Local
action=accept in-interface=Local
# mark web server connections established from WAN to LAN coming in wlan1 accordingly. If you
# have static IPs, you can also refer to them here as dst-address.
add chain=prerouting connection-state=new in-interface=wlan1 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=wlan1_conn
# mark web server connections established from WAN to LAN coming in wlan2 accordingly
add chain=prerouting connection-state=new in-interface=wlan2 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=wlan2_conn
# force traffic to 1.1.1.1/32 out wlan1
add chain=prerouting dst-address=1.1.1.1/32 in-interface=Local action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
# force traffic to 2.2.2.2/32 out wlan2
add chain=prerouting dst-address=2.2.2.2/32 in-interface=Local action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
# apply PCC, but only to connections that aren't marked yet
And here is the changed NAT section in its entirety, adding the port forwarding for the web server at
192.168.0.100. Forwarding by interface only, which makes it easy to use this for dynamically addressed
interfaces. Replace with IPs if you wish.
And the firewall filter rules. This is a very, very simple rule set that assumes that there is no router access
from the WAN, that hosts at 192.168.10, .11, and .12 have full administrative access to the router, and
that other LAN hosts can talk to the router for DNS and NTP. DHCP can't be firewalled, so that will be a
service offered to clients. All traffic initiated from LAN to WAN is permitted, traffic from WAN to LAN can
only be initiated to the web server at 192.168.0.100.
This was all written together in a text editor and not tested in a lab, so it may contain errors. It should,
however, get you started.
Please post any corrections back here, or whether it worked for you. Once it is determined to be correct
I'll copy it over to a wiki article since this question comes up a lot. I have no use for PCC so I'm unlikely to
try it out myself.
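The post above describes the PCC rules, the NAT section and the filter section, but those sections themselves do not appear on the page. What follows is an added example written for this page, not the poster's or MikroTik's own configuration, showing one complete rule set for the scenario as described (web server on 192.168.0.100 reachable via both WANs, 1.1.1.1 pinned to wlan1, 2.2.2.2 pinned to wlan2, PCC for everything else). Assumptions that are not in the post: the WAN subnets 10.111.0.0/24 (wlan1, gateway 10.111.0.1) and 10.112.0.0/24 (wlan2, gateway 10.112.0.1), a LAN of 192.168.0.0/24 on interface Local, admin hosts 192.168.0.10 to 192.168.0.12, and the routing marks to_wlan1 and to_wlan2. Rule order within each chain is significant.

```routeros
# Added example, not the original poster's config. Assumed addressing:
#   Local = 192.168.0.0/24, wlan1 = 10.111.0.0/24 via 10.111.0.1, wlan2 = 10.112.0.0/24 via 10.112.0.1
#   admin hosts 192.168.0.10-192.168.0.12, web server 192.168.0.100

/ip firewall mangle
# Traffic from the LAN to the WAN subnets themselves must never be marked.
add chain=prerouting in-interface=Local dst-address=10.111.0.0/24 action=accept
add chain=prerouting in-interface=Local dst-address=10.112.0.0/24 action=accept
# Bind inbound web server connections to the WAN they arrived on. prerouting mangle runs
# before dst-nat, so dst-port here is still the port on the router's public address.
add chain=prerouting in-interface=wlan1 connection-state=new protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=wlan1_conn
add chain=prerouting in-interface=wlan2 connection-state=new protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=wlan2_conn
# Policy routing: 1.1.1.1 always via wlan1, 2.2.2.2 always via wlan2. Must precede the PCC rules.
add chain=prerouting in-interface=Local dst-address=1.1.1.1/32 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting in-interface=Local dst-address=2.2.2.2/32 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
# PCC only for connections nobody has claimed yet (connection-mark=no-mark), so the web
# server's replies and the pinned destinations are never re-marked. dst-address-type=!local
# keeps traffic addressed to the router itself out of the WAN marks.
add chain=prerouting in-interface=Local connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting in-interface=Local connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
# Turn the connection mark into a routing mark for every LAN packet of that connection,
# including the web server's replies to a connection that came in via wlan2.
add chain=prerouting in-interface=Local connection-mark=wlan1_conn \
    action=mark-routing new-routing-mark=to_wlan1
add chain=prerouting in-interface=Local connection-mark=wlan2_conn \
    action=mark-routing new-routing-mark=to_wlan2
# Same for packets the router originates itself.
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2

/ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade
# Port forward matched by interface only, so dynamic WAN addresses need no edits here.
add chain=dstnat in-interface=wlan1 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.0.100
add chain=dstnat in-interface=wlan2 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.0.100

/ip firewall filter
# input: the router itself. Nothing from the WAN; admins get everything; others get DNS and NTP.
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=Local src-address=192.168.0.10-192.168.0.12 action=accept
add chain=input in-interface=Local protocol=udp dst-port=53,123 action=accept
add chain=input in-interface=Local protocol=tcp dst-port=53 action=accept
add chain=input action=drop
# forward: LAN may initiate anything; WAN may only open tcp/80,443 to the web server.
# Filter runs after dst-nat, so the destination is already 192.168.0.100 here.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=Local action=accept
add chain=forward in-interface=wlan1 connection-state=new protocol=tcp \
    dst-address=192.168.0.100 dst-port=80,443 action=accept
add chain=forward in-interface=wlan2 connection-state=new protocol=tcp \
    dst-address=192.168.0.100 dst-port=80,443 action=accept
add chain=forward action=drop
```

Two checks worth running after loading this: `/ip firewall connection print where connection-mark=wlan2_conn` while a client on the Internet is connected to the web server through the wlan2 address should show that connection and nothing else, and `/ip firewall mangle print stats` should show the two PCC rules counting only connections that none of the earlier rules claimed. If the web server's replies leave via the wrong WAN, the usual cause is a PCC rule without connection-mark=no-mark, or a mark-routing rule placed before the mark-connection rules.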
This is the real config used in my home router, an RB750G (5.0rc10), connected to two ISPs over ethernet +
VPN. There are 5 interfaces:
local-isp1
local-isp2
inet1-isp1
inet2-isp2
So there are 1 internal and 4 external interfaces. We expect that there are some static routes obtained
from DHCP. We want to send an outgoing packet to the interface local-isp1 or local-isp2 if there is a
specific static route for that packet in the main routing table. Otherwise we send the packet to the
interface inet1-isp1 or inet2-isp2 using PCC load balancing and failover. Actually, we do so-called Russian
PPPoE/L2TP. Srcnat is working on all 4 external interfaces. Incoming connections are allowed for some
services (torrent client). All outgoing packets belonging to incoming connections are sent to the external
interface from which the connection was initiated.
We use queue trees to prioritize all incoming and outgoing traffic via the inet1-isp1 and inet2-isp2 interfaces.
The only reliable way to distinguish p2p traffic from other traffic is to bind all p2p applications to a separate
IP address. Note that we limit all queue trees to 9 Mbps even though we have 10 Mbps internet connections.
This is required for incoming traffic prioritization to work correctly.
/interface pppoe-client
add ac-name="" add-default-route=no allow=chap,mschap1,mschap2 \
dial-on-demand=no disabled=no interface=local-isp2 max-mru=1492 \
max-mtu=1492 mrru=2048 name=inet2-isp2 password=XXXXXXXX profile=\
inet2 service-name="" use-peer-dns=no user=XXXXXXXX
/ip firewall filter
add action=accept chain=input comment="Allow established connections" \
connection-state=established disabled=no
add action=accept chain=input comment=\
"Allow all traffic from the local network" disabled=no in-interface=lan
add action=accept chain=input comment="Allow ICMP packets" disabled=no \
protocol=icmp
add action=drop chain=input comment="Deny all other traffic" disabled=no
add action=accept chain=forward comment=\
"Allow all outgoing traffic received from the local network" disabled=no \
in-interface=lan
add action=jump chain=forward comment=\
"Process incoming traffic going to the local network" disabled=no \
jump-target=forward-in out-interface=lan
add action=drop chain=forward comment="Deny all other traffic" disabled=no
add action=accept chain=forward-in comment="Allow established connections" \
connection-state=established disabled=no
add action=accept chain=forward-in comment="Allow related connections" \
connection-state=related disabled=no
add action=accept chain=forward-in comment=\
"Allow connections to torrent client" disabled=no dst-address=\
192.168.0.13 dst-port=12345 protocol=udp
add action=accept chain=forward-in comment=\
"Allow connections to torrent client" disabled=no dst-address=\
192.168.0.13 dst-port=12345 protocol=tcp
add action=drop chain=forward-in comment="Deny all other traffic" disabled=no
/ip firewall mangle
add action=jump chain=prerouting comment="Choose the outgoing interface for th\
e packets received from the local network" disabled=no in-interface=lan \
jump-target=choose-out-iface
add action=mark-connection chain=prerouting comment="Bind the whole connection\
\_to the interface inet1 if at least one packet\
\nbelonging to the connection is received from the interface inet1" \
disabled=no in-interface=inet1-isp1 new-connection-mark=inet1 \
passthrough=no
add action=mark-connection chain=prerouting comment="Bind the whole connection\
\_to the interface inet2 if at least one packet\
\nbelonging to the connection is received from the interface inet2" \
disabled=no in-interface=inet2-isp2 new-connection-mark=inet2 \
passthrough=no
add action=jump chain=output comment="Choose the outgoing interface for the pa\
ckets originated from the router itself" disabled=no jump-target=\
choose-out-iface
add action=mark-routing chain=choose-out-iface comment="Send the packets belon\
ging to the connection bound to the interface inet1\
\nto the interface inet1" connection-mark=inet1 disabled=no \
new-routing-mark=inet1 passthrough=no
add action=mark-routing chain=choose-out-iface comment="Send the packets belon\
ging to the connection bound to the interface inet2\
\nto the interface inet2" connection-mark=inet2 disabled=no \
new-routing-mark=inet2 passthrough=no
add action=mark-routing chain=choose-out-iface comment="Send some of the packe\
ts belonging to unbound connections to the interface inet2\
\naccording to PCC. All the remaining packets will be sent to the interfac\
e inet1." disabled=no new-routing-mark=inet2 passthrough=no \
per-connection-classifier=both-addresses:2/1
add action=jump chain=forward comment="Adjust tcp mss on vpn connections" \
disabled=no jump-target=tcp-mss-adjust protocol=tcp tcp-flags=syn
add action=jump chain=forward comment=\
"Mark the packets going to the interface inet1 for QoS" disabled=no \
jump-target=qos-inet-out out-interface=inet1-isp1
add action=jump chain=forward comment=\
"Mark the packets received from the interface inet1 for QoS" disabled=no \
in-interface=inet1-isp1 jump-target=qos-inet1-in
add action=jump chain=forward comment=\
"Mark the packets going to the interface inet2 for QoS" disabled=no \
jump-target=qos-inet-out out-interface=inet2-isp2
add action=jump chain=forward comment=\
"Mark the packets received from the interface inet2 for QoS" disabled=no \
in-interface=inet2-isp2 jump-target=qos-inet2-in
add action=change-mss chain=tcp-mss-adjust comment=\
"Adjust tcp mss on the interface inet1" disabled=no new-mss=1420 \
out-interface=inet1-isp1 protocol=tcp tcp-flags=syn tcp-mss=1421-65535
add action=change-mss chain=tcp-mss-adjust comment=\
"Adjust tcp mss on the interface inet1" disabled=no in-interface=\
inet1-isp1 new-mss=1420 protocol=tcp tcp-flags=syn tcp-mss=1421-65535
add action=return chain=tcp-mss-adjust comment=\
"Return to the chain \"forward\"" disabled=no
add action=mark-packet chain=qos-inet-out comment="Mark p2p traffic" \
disabled=no new-packet-mark=inet-out-p2p passthrough=no src-address=\
192.168.0.13
add action=mark-packet chain=qos-inet-out comment="Mark server traffic" \
disabled=no new-packet-mark=inet-out-server passthrough=no src-address=\
192.168.0.5
add action=mark-packet chain=qos-inet1-in comment="Mark p2p traffic" \
disabled=no dst-address=192.168.0.13 new-packet-mark=inet1-in-p2p \
passthrough=no
add action=mark-packet chain=qos-inet1-in comment="Mark server traffic" \
disabled=no dst-address=192.168.0.5 new-packet-mark=inet1-in-server \
passthrough=no
add action=mark-packet chain=qos-inet1-in comment="Mark other traffic" \
disabled=no new-packet-mark=inet1-in-other passthrough=no
add action=mark-packet chain=qos-inet2-in comment="Mark p2p traffic" \
disabled=no dst-address=192.168.0.13 new-packet-mark=inet2-in-p2p \
passthrough=no
add action=mark-packet chain=qos-inet2-in comment="Mark server traffic" \
disabled=no dst-address=192.168.0.5 new-packet-mark=inet2-in-server \
passthrough=no
add action=mark-packet chain=qos-inet2-in comment="Mark other traffic" \
disabled=no new-packet-mark=inet2-in-other passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT on all external interfaces" \
disabled=no out-interface=!lan
add action=dst-nat chain=dstnat comment="Port mapping for torrent client" \
disabled=no dst-port=12345 in-interface=!lan protocol=udp to-addresses=\
192.168.0.13
add action=dst-nat chain=dstnat comment="Port mapping for torrent client" \
disabled=no dst-port=12345 in-interface=!lan protocol=tcp to-addresses=\
192.168.0.13
/routing filter
add action=discard chain=dynamic-in comment=\
"Discard all dynamic default routes" disabled=no invert-match=no prefix=\
0.0.0.0/0
/ip route rule
add action=lookup disabled=no table=main
add action=lookup-only-in-table disabled=no routing-mark=inet2 table=inet2
add action=lookup-only-in-table disabled=no table=inet1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=127.127.127.1 \
routing-mark=inet1 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=127.127.127.2 \
routing-mark=inet1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=127.127.127.2 \
routing-mark=inet2 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=127.127.127.1 \
routing-mark=inet2 scope=30 target-scope=10
add comment="Remote host to monitor inet1" disabled=no distance=1 \
dst-address=81.19.66.61/32 gateway=127.127.127.101 scope=10 target-scope=\
10
priority=8 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet1-out-other packet-mark=no-mark parent=inet1-out \
priority=4 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=9M \
max-limit=9M name=inet2-out-server packet-mark=inet-out-server parent=\
inet2-out priority=1 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet2-out-p2p packet-mark=inet-out-p2p parent=inet2-out \
priority=8 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet2-out-other packet-mark=no-mark parent=inet2-out \
priority=4 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=9M \
max-limit=9M name=inet1-in-server packet-mark=inet1-in-server parent=\
inet1-in priority=1 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet1-in-p2p packet-mark=inet1-in-p2p parent=inet1-in \
priority=8 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet1-in-other packet-mark=inet1-in-other parent=\
inet1-in priority=4 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=9M \
max-limit=9M name=inet2-in-server packet-mark=inet2-in-server parent=\
inet2-in priority=1 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet2-in-p2p packet-mark=inet2-in-p2p parent=inet2-in \
priority=8 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet2-in-other packet-mark=inet2-in-other parent=\
inet2-in priority=4 queue=vpn
In short, use the following routing as is. Just replace 127.127.127.101 and 127.127.127.102 with your real
gateways and the routing marks "inet1" and "inet2" with your own. Other IP addresses should not be
changed.