Syed Jahanzaib Personal Blog to Share Knowledge !

April 14, 2012

Howto Exempt any User / Website from Mikrotik PCC [Part-1]

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 11:32 AM

Another updated working example [may-2017]

https://aacable.wordpress.com/2017/05/26/howto-bypass-specific-client-from-pcc-route-to-specific-wan-link-part-2/

I recently deployed a Dual WAN PCC configuration at a local cable network. The scenario is something like below:

USERS >> MIKROTIK PPPOE SERVER >> MIKROTIK RB 750 PCC with 2 DSL Links >> INTERNET

The problem they were facing was with one particular banking website, bankalhabib.com. The best method to resolve such PCC issues is to use src-address as the classifier; this way the user's WAN IP won't change and they will stick to one WAN for their session. But in the above scenario I can't use src-address, as users are not directly hitting the PCC. So I made a workaround and exempted the user and, in one case, the destination website from being processed by PCC.

The simple theory is to make an address list with the user IP or the destination website IP address, then create a rule in mangle to exempt it from PCC, and then create a new default route, with your desired WAN selected, for the traffic that is exempted from PCC.

Important: Move this rule above the other PCC rules, so it accepts the traffic before PCC catches it.

=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x

To Exempt Any User IP from PCC Rule,

/ip firewall address-list
add list=user-exempted-from-pcc address=172.16.0.2/32

Now create a mangle rule to accept traffic from the above list. PCC will then not process this user IP address, and Mikrotik will use the default route for this user's traffic (we will add it later).

Example:

/ip firewall mangle
add action=accept chain=prerouting disabled=no src-address-list=user-exempted-from-pcc

To Exempt Any Web Site from PCC, first track its IP address (or pool), then add it to the exempt list.

/ip firewall address-list
add list=site-exempted-from-pcc address=108.59.160.167/32

(108.59.160.167/32 is mywanip.com, used here for test purposes)

Now create its mangle rule:

/ip firewall mangle
add action=accept chain=prerouting disabled=no dst-address-list=site-exempted-from-pcc


Adding Route for Un-Marked Traffic

You have to add a default route to tell Mikrotik to use it for all other unmarked traffic, that is, traffic not processed / marked by PCC. In this route, you can bind exempted traffic to always go through a specific link only.

/ip route
add comment="Default Route For Un-Marked Traffic" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=101.11.11.36 scope=30 target-scope=10

(Change IP Address as per your network configuration)
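
A way to check an exported configuration for the two mistakes that defeat this setup: a list name that differs between address-list and mangle, and an accept rule sitting below a PCC rule (added example, not part of the original post). The two PCC rules and their mark names in the sample are assumptions, and the parser assumes each rule occupies a single line of the export.

```python
import shlex

# Constructed sample: PCC rules/mark names assumed, first list name misspelled on purpose.
SAMPLE_EXPORT = """\
/ip firewall address-list
add list=usere-exempted-from-pcc address=172.16.0.2/32
add list=site-exempted-from-pcc address=108.59.160.167/32
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=wan1_conn per-connection-classifier=both-addresses:2/0
add action=accept chain=prerouting src-address-list=user-exempted-from-pcc
add action=mark-connection chain=prerouting new-connection-mark=wan2_conn per-connection-classifier=both-addresses:2/1
add action=accept chain=prerouting dst-address-list=site-exempted-from-pcc
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]}, one dict per 'add' line."""
    sections, menu = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line
            sections.setdefault(menu, [])
        elif line.startswith("add ") and menu is not None:
            tokens = shlex.split(line)[1:]
            sections[menu].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def check_pcc_exemptions(text):
    """Report exemption rules that cannot take effect as the post intends."""
    cfg = parse_export(text)
    defined = {e.get("list") for e in cfg.get("/ip firewall address-list", [])}
    # Only enabled prerouting rules count; positions are 0-based among them.
    rules = [r for r in cfg.get("/ip firewall mangle", [])
             if r.get("chain") == "prerouting" and r.get("disabled") != "yes"]
    pcc = [i for i, r in enumerate(rules) if "per-connection-classifier" in r]
    problems = []
    for i, rule in enumerate(rules):
        if rule.get("action") != "accept":
            continue
        for key in ("src-address-list", "dst-address-list"):
            name = rule.get(key)
            if name and name not in defined:
                problems.append(f"rule {i}: {key}={name} matches no address-list entry")
            if name and pcc and i > pcc[0]:
                problems.append(f"rule {i}: accept for {name} is below PCC rule {pcc[0]}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_pcc_exemptions(SAMPLE_EXPORT)) or "no problems found")
```

An empty result means every exemption rule references a populated list and is evaluated before the first PCC rule.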


=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x


			

29 Comments »

  1. kindly paste the script of mangle rule

    Comment by cruise-bb — April 14, 2012 @ 1:01 PM

  2. is there another method for the NTH …???

    Comment by Ahmed Elassal — April 15, 2012 @ 10:37 AM

  3. Thanks for these useful tips and articles.

    Comment by Pooya — April 17, 2012 @ 8:26 PM

  4. I am also facing problem in skype. Kindly tell me how to overcome that issue.

    Comment by Muhammad Fawad — April 23, 2012 @ 3:34 PM

    • hmmm, try to pinpoint SKYPE IP pool, then mark this pool, and dedicate any wan for it.

      Comment by Syed Jahanzaib / Pinochio~:) — April 25, 2012 @ 10:57 AM

      • i am also having same issue with skype and garena users ….
        all i want to know is how can i forward udp port of garena to wan 4….

        i am using pcc load balancing mikrotik version 3.6 with hotspot.

        is there any method to classify udp connections so that i can classify udp port and forward all traffic to wan 4.
        and block all other ports for wan 4.

        Comment by billy — May 6, 2012 @ 4:50 PM

  5. Asalam o Alikum Jahanzaib bhai,,

    i wonder if it is effected on older version lyk v3???

    Jazaak`Allah and keep up the great work… 🙂

    Comment by ZJ — June 22, 2012 @ 1:51 AM

  6. Jahanzaib bhai, i`ve got a problem.. when i configure my route for unmarked traffic with distance 3, it doesn`t get active.. it only show active when i change its distance from 3 to 1, what could b possible reason for this.. please guide me… and beside that,, my traffic is not even transferring from that route completely as well.. please guide me as you always do..
    Jazaak`Allah!!

    Comment by ZJ — June 25, 2012 @ 1:39 PM

  7. Sir..where r you :((

    Comment by ZJ — July 4, 2012 @ 7:05 PM

  8. Hello Dear
    Thanks for the nice and helpful information.

    Is there anyone, who can help me to know how I can shape the bandwidth of my user while they only use internet? While they use intranet my mikrotik shaping that bw also.

    Comment by Halimul Alam — August 7, 2012 @ 6:51 PM

  9. Respected Sir,

    I am using 2 evo devices in my load balancer. I am getting issue regarding skype. Is there any way to solve this issue.

    Thank you.

    Muhammad Fawad

    Comment by Muhammad Fawad — November 28, 2012 @ 6:03 PM

  10. how can i move this rule above the pcc rules

    Comment by waqar — December 3, 2012 @ 5:59 PM

  11. To Exempt Any User IP from PCC Rule is not working. I am using your script. Please guide me.

    Comment by waqar — December 4, 2012 @ 3:57 PM

  12. thanks for your articles. They are helpful.
    I have followed this guide to exclude a range of IP balancing public, but there is no way that I work.
    I still balanced out. The rule is the principle of all the rules.

    Comment by Ariel — May 16, 2013 @ 4:11 PM

  13. Great !! thanks

    Comment by Hassam — January 13, 2014 @ 11:12 AM

  14. Assalammualaikum Syed Jahanzaib,

    Thanks for the great tutorials you have in your blog, JazakAllah Khair.

    Now I’m facing a problem (I should say optimization).

    I have an internal DMZ connected to Mikrotik (Ether8). This once was a Gateway for my LAN network.

    After I got 7 new uplink (Ether1 > Ether7), I made a PCC Load-Balance (using your guide from this blog), Alhamdulillah… everything works… but,

    Suddenly my LAN cannot ping my internal DMZ on Ether8.

    I follow this page guide as a reference, but none work for me…

    I really appreciate your knowledge sharing in mikrotik config, I’m new to mikrotik and networking stuff…

    Comment by Muhammad Amirul — August 7, 2014 @ 8:56 AM

  15. I have no result still facing problem to login webmail

    Comment by Fazal Md Khan Rubel — January 1, 2015 @ 5:06 PM

  16. Not

    /ip firewall mangle
    add action=accept chain=prerouting disabled=no src-address-list=site-exempted-from-pcc

    It should be for website:
    /ip firewall mangle
    add action=accept chain=prerouting disabled=no dst-address-list=site-exempted-from-pcc

    Comment by Fazal Md Khan Rubel — January 27, 2015 @ 1:50 PM

  17. Thanks Dear,
    Usually you focus on delivery good value on your posts.
    How to Improve Yourself

    Comment by Hesham Saad — February 29, 2016 @ 12:20 AM

  18. hy man, congrats for your amazing work, it is rly appreciated
    i was having problems with bank websites too, but in my scenario i’ve just modified the PCC rules with the dst-port: !443 cuz banksites mostly uses https, but i will try that solution of yours

    sry for my bad english…

    Comment by damguidorizzi — November 9, 2016 @ 12:23 AM

  19. Thanks for the post, it’s really helpful

    Comment by Enakhe — April 21, 2017 @ 5:49 PM

  20. Dear Jahanzaib every thing is working fine except accessing of winbox from wan. I am using 3 wans for load balancing (PCC). Load balancing is working excellent with the help of your this tutorial. But winbox is not accessing from any wan. Cloud is enable on mikrotik. Without load balancing winbox is accessing mikrotik from wan. Please give me solution. Thanks

    Comment by Rai Usman Liaqat — March 2, 2020 @ 11:09 PM

