Syed Jahanzaib Personal Blog to Share Knowledge !

May 26, 2017

Howto bypass specific client from PCC & route to specific WAN link [Part-2]

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 11:57 AM



Scenario:

Since many asked the same query, rather than replying individually, here is one method I used at one OP & it works fine. You may opt for another solution, whichever is easier for you; the thing is it should work, that's it :)

We have configured Mikrotik as a 3-WAN load balancer [DSL links]. A PPPoE server is configured as well. All is working well. Now we have introduced a premium package for dedicated users & we want to route them via a newly added 4th WAN link only, so their service works smoothly even at peak times. Therefore we need to bypass this group from the PCC & route them to the 4th WAN link, which has dedicated CIR bandwidth.

Solution:

There are always different ways to achieve any task. It depends on the operator's expertise & on the network scenario as well.

Copy Paste WILL Not work !

Every network is different ~ I am sharing this code so you can learn the concepts. Minimize the copy-paste culture; invent your own solutions by understanding the logic & implement them by modifying or creating code.

Drink Wiki & you shall succeed 😀

~ zaiB

Here I am showing one example. [You may opt for another, whichever is easier for you; the thing is it should work, that's it :) ]

  1. Make pppoe pool-1 in the address list. [This one is for general clients = 172.16.0.1-172.16.0.255 ]
  2. Make pppoe pool-2 in the address list. [This one is for dedicated clients = 172.16.1.1-172.16.1.255 ]
  3. When you create normal users, assign them pppoe pool-1.
  4. When you create dedicated users, assign them pppoe pool-2.
  5. In your Mangle rules, where you mark connections [classifier section], make sure you specify the pppoe pool-1 list as the source address list. You also need to duplicate this rule and select pool-2 as its source address list. Basically, we mark connections for both pools and assign them different connection mark names.
  6. Now, in the mark routing section, repeat the above and mark routing for both marked connections.
  7. In NAT, create natting rules so traffic can be natted via all 4 WAN links. You can trim this down to a single rule as well 🙂
  8. In Routes, create rules for all marked packets: for normal clients, use wan1-3; for dedicated clients' marked packets, route them to a specific WAN link [like wan4].

* Working Example


/ip pool
# General users pppoe profile pool, which will be routed in 3 wan links
add name=pool-1 ranges=172.16.0.1-172.16.0.254
# Dedicated users pppoe profile pool, which will be routed via wan-4 link only
add name=pool-2 ranges=172.16.1.1-172.16.1.254

/ip firewall address-list
# General users pool list, which will be routed in 3 wan links
add address=172.16.0.1-172.16.0.255 list=pool-1
# Dedicated users pool list , which will be routed via wan-4 link only
add address=172.16.1.1-172.16.1.255 list=pool-2

/ip firewall mangle

add action=accept chain=prerouting comment=PCC in-interface=pppoe-out-1
add action=accept chain=prerouting comment=PCC in-interface=pppoe-out-2
add action=accept chain=prerouting comment=PCC in-interface=pppoe-out-3
add action=accept chain=prerouting comment=PCC in-interface=pppoe-out-4

# Marking connections for dedicated clients from pool-2 address list, to be routed via WAN-4 link only
add action=mark-connection chain=prerouting comment="Mark pool-2 dedicated Users Connections" new-connection-mark=pool2-conn passthrough=yes src-address-list=pool-2
add action=mark-routing chain=prerouting comment="Mark pool-2 dedicated Users Routing Pkts" connection-mark=pool2-conn new-routing-mark=pool2-route passthrough=yes

# Marking connections for general users clients from pool-1 address list, to be distributed among 3 wan link
add action=mark-connection chain=prerouting comment=PCC_MARK_CONNECTION dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=src-address:3/0 src-address-list=pool-1
add action=mark-connection chain=prerouting comment=PCC_MARK_CONNECTION dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=src-address:3/1 src-address-list=pool-1
add action=mark-connection chain=prerouting comment=PCC_MARK_CONNECTION dst-address-type=!local new-connection-mark=wan3_conn passthrough=yes per-connection-classifier=src-address:3/2 src-address-list=pool-1

# Marking routing from the connections marked above, for general users
add action=mark-routing chain=prerouting comment=PCC_MARK_ROUTING connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting comment=PCC_MARK_ROUTING connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=prerouting comment=PCC_MARK_ROUTING connection-mark=wan3_conn new-routing-mark=to_wan3 passthrough=yes

/ip firewall nat
# Allow natting for dedicated clients, to be nat via wan-4
add action=masquerade chain=srcnat comment="ALLOW NATTING FOR POOL-2 Dedicated USERS " out-interface=pppoe-out-4 src-address-list=pool-2
# Allow natting for general clients, to be nat via wan link number 1-2-3
add action=masquerade chain=srcnat comment=NATTING_DSL_1 out-interface=pppoe-out-1 src-address-list="pool-1"
add action=masquerade chain=srcnat comment=NATTING_DSL_2 out-interface=pppoe-out-2 src-address-list="pool-1"
add action=masquerade chain=srcnat comment=NATTING_DSL_3 out-interface=pppoe-out-3 src-address-list="pool-1"

/ip route
# Route for general users marked traffic - to be passed via 3 wan links
add check-gateway=ping distance=1 gateway=pppoe-out-1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=pppoe-out-2 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=pppoe-out-3 routing-mark=to_wan3

# Route for dedicated users marked traffic - to be passed via wan-4 link only
add comment="Route Rule for dedicated users to go via WAN-4 only " distance=1 gateway=pppoe-out-4 routing-mark=pool2-route


Regards
Syed Jahanzaib

April 14, 2012

Howto Exempt any User / Website from Mikrotik PCC [Part-1]

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 11:32 AM

Another updated working example [may-2017]

https://aacable.wordpress.com/2017/05/26/howto-bypass-specific-client-from-pcc-route-to-specific-wan-link-part-2/

I recently deployed a Dual WAN P.C.C configuration at a local cable network. The scenario is something like below . . .

USERS  >>  MIKROTIK  PPPOE SERVER >>> MIKROTIK RB 750 PCC with 2 DSL Link>>> INTERNET

The problem they were facing was with one particular banking web site, bankalhabib.com. The best method to resolve such P.C.C issues is to use src-address as the classifier; this way the user's WAN IP won't change and they will stick to one WAN for their session. But in the above scenario I can't use src-address, as users are not directly hitting the PCC. So I made a workaround and exempted the user and, in one case, the destination web site from being processed by the P.C.C.

The simple theory is to make an address list with the user IP or the destination web site IP address, then create a rule in mangle to exempt it from P.C.C, and then create a new default route, with your desired WAN selected, for the traffic that is exempted from P.C.C.

Important: Move this rule above the other PCC rules, so it accepts the traffic before PCC catches it.

=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x

To Exempt Any User IP from PCC Rule,

/ip firewall address-list
add list=user-exempted-from-pcc address=172.16.0.2/32

Now create a Mangle rule to accept traffic from the above list. PCC will then not process this user's IP address, and Mikrotik will use the default route for this user's traffic. (We will add it later.)

Example:

/ip firewall mangle
add action=accept chain=prerouting disabled=no src-address-list=user-exempted-from-pcc

To Exempt Any Web Site from PCC, first track its IP Address (or pool), then add it in exempt list.

/ip firewall address-list
add list=site-exempted-from-pcc address=108.59.160.167/32

(108.59.160.167/32 is mywanip.com for test purpose)

Now create its mangle rule

/ip firewall mangle
add action=accept chain=prerouting disabled=no dst-address-list=site-exempted-from-pcc


Adding Route for Un-Marked Traffic

You have to add a default route to tell Mikrotik to use it for all other UNMARKED traffic not processed / marked by the PCC. In this route you can bind exempted traffic to always go through a specific link only.

/ip route
add comment="Default Route For Un-Marked Traffic" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=101.11.11.36 scope=30 target-scope=10

(Change IP Address as per your network configuration)
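Both the Part-2 pool bypass and the Part-1 exemption depend on two things that RouterOS will not warn about: the list name in a mangle or NAT rule must match a defined address list exactly (a rule pointing at a missing list simply matches nothing), and the exemption accept rule must sit above the PCC rules. The following added example, which is not part of the original post, checks both on an exported config. The function names and the sample config are constructed for illustration, and the parser assumes each menu path sits on its own line followed by `add` lines.

```python
import shlex

# Constructed sample in RouterOS export style: "pool2" is a deliberate
# misspelling of "pool-2", and the exemption rule is placed after PCC.
SAMPLE = """\
/ip firewall address-list
add address=172.16.0.1-172.16.0.255 list=pool-1
add address=172.16.1.1-172.16.1.255 list=pool-2
add address=172.16.0.2/32 list=user-exempted-from-pcc
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=pool2-conn src-address-list=pool2
add action=mark-connection chain=prerouting new-connection-mark=wan1_conn per-connection-classifier=src-address:3/0 src-address-list=pool-1
add action=accept chain=prerouting comment="exempt user" src-address-list=user-exempted-from-pcc
"""

def parse_export(text):
    """Yield (menu, params) for every 'add' line under a menu path."""
    menu = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            toks = shlex.split(line[4:])  # keeps quoted comments together
            yield menu, dict(t.split("=", 1) for t in toks if "=" in t)

def lint(text):
    """Return findings: undefined address lists, exemptions placed after PCC."""
    rules = list(parse_export(text))
    # Static entries, plus lists filled dynamically through an address-list=
    # parameter (add-src-to-address-list actions, PPP profiles).
    defined = {p["list"] for m, p in rules
               if m == "/ip firewall address-list" and "list" in p}
    defined |= {p["address-list"] for _, p in rules if "address-list" in p}
    findings, pcc_seen = [], False
    for menu, p in rules:
        if menu not in ("/ip firewall mangle", "/ip firewall nat"):
            continue
        used = [p[k].lstrip("!") for k in ("src-address-list", "dst-address-list") if k in p]
        findings += [f"undefined list '{n}' in {menu}" for n in used if n not in defined]
        if menu == "/ip firewall mangle":
            if "per-connection-classifier" in p:
                pcc_seen = True
            elif p.get("action") == "accept" and used and pcc_seen:
                findings.append(f"exemption for '{used[0]}' placed after PCC rules")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```
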


=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x


			
