Using PCC to load balance across multiple non bonded links.

This is my ongoing work on using multiple ADSL services and the Mikrotik PCC rules, along with some inbound mangling, to allow a single router to load balance traffic across as many non-bonded links as required.

Updated: 7th Jan 2010 – notes: added static routing marks for inbound traffic as inbound should never fall over to backup routes, while outbound should go over whatever is available. Also cleaned up routing order so it’s easier to read.

Note that none of this config requires the use of IP addresses at all, as it simply uses the pppoe-client interfaces and your LAN interface to mark traffic. In my example the WAN interfaces are wan1-pppoe, wan2-pppoe and wan3-pppoe, and the LAN interface is lan.

/ip route
add check-gateway=arp comment="WAN 3  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan3
add check-gateway=arp comment="WAN 2  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 1  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 1  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 3  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan3
add check-gateway=arp comment="WAN 1  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 3  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan3
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe
add check-gateway=arp comment="Default Route - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe
add check-gateway=arp comment="Static Route - WAN1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=static-wan1
add check-gateway=arp comment="Static Route - WAN2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=static-wan2
add check-gateway=arp comment="Static Route - WAN3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=static-wan3

/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 \
passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 \
passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan3" connection-state=new disabled=no in-interface=wan3-pppoe new-connection-mark=wan3 \
passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan1" connection-state=established disabled=no in-interface=wan1-pppoe \
new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan2" connection-state=established disabled=no in-interface=wan2-pppoe \
new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan3" connection-state=established disabled=no in-interface=wan3-pppoe \
new-connection-mark=wan3 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan1" connection-state=related disabled=no in-interface=wan1-pppoe \
new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan2" connection-state=related disabled=no in-interface=wan2-pppoe \
new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan3" connection-state=related disabled=no in-interface=wan3-pppoe \
new-connection-mark=wan3 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 disabled=no new-routing-mark=static-wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 disabled=no new-routing-mark=static-wan2 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan3" connection-mark=wan3 disabled=no new-routing-mark=static-wan3 passthrough=no
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=new disabled=no \
dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=new disabled=no \
dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=new disabled=no \
dst-address-type=!local in-interface=lan new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=\
established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=\
both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=\
established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=\
both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=\
established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=\
both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=related \
disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=related \
disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=related \
disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 1" connection-mark=wan1_pcc_conn disabled=no new-routing-mark=wan1 passthrough=\
yes
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 2" connection-mark=wan2_pcc_conn disabled=no new-routing-mark=wan2 passthrough=\
yes
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 3" connection-mark=wan3_pcc_conn disabled=no new-routing-mark=wan3 passthrough=\
yes
101 thoughts on “Using PCC to load balance across multiple non bonded links.”

  1. What is the difference between this config and the one in the wiki, does it load balance more efficiently? Does it drop links?

  2. hey Hennie,

    This config is my own that was originally created as part of my experimentation with the PCC rules, the dropping links thing I mentioned on the forum was specifically related to 4.X whereas 3.28-3.30 work fine.
    This config also allows failover: in the event that any of the pppoe connections drop out or disconnect, the routing adjusts to continue piping traffic out the other 2 links.

    The first section of the mangle rules are explicitly made to allow inbound connections such as winbox/ftp/http/etc basically anything you want to forward to an internal user will work correctly and be forwarded back out the same link (including anything added by upnp rules)

    This is a 3 link setup but it can be modified to work the same way with 2 or 4 links quite easily.

    In the example the interface “hotspot-bridge” is the users interface and the pppoe interfaces are obviously the internet connections. If you plan on using it for multiple interfaces and/or IP ranges you will need to adjust the rules accordingly.

  3. Hi, first of all let me thank you for posting this example. With yours I have tried 3 examples and I always get more traffic in the first WAN, do you have the same problem? I downgraded to 3.30 and still have the same problem.

    Regards.

  4. I have done the above configuration, I have 2 ADSL lines 2MB each….seems that one of them is the only one loading traffic and another seems to be having very little activity….any ideas??
    here is my configuration

    MikroTik RouterOS 3.30 (c) 1999-2009 http://www.mikrotik.com/

    [admin@MikroTik] > ip
    [admin@MikroTik] /ip> firewall
    [admin@MikroTik] /ip firewall> mangle
    [admin@MikroTik] /ip firewall mangle> print
    Flags: X – disabled, I – invalid, D – dynamic
    0 ;;; Mark new inbound connection WAN1
    chain=input action=mark-connection new-connection-mark=wan1
    passthrough=yes connection-state=new in-interface=LinkDotNet

    1 ;;; Mark new inbound connection wan2
    chain=input action=mark-connection new-connection-mark=wan2
    passthrough=yes connection-state=new in-interface=TeData

    2 ;;; Mark established inbound connection wan1
    chain=prerouting action=mark-connection new-connection-mark=wan1
    passthrough=yes connection-state=established in-interface=LinkDotNet

    3 ;;; Mark established inbound connection wan2
    chain=prerouting action=mark-connection new-connection-mark=wan2
    passthrough=yes connection-state=established in-interface=TeData

    4 ;;; Mark related inbound connection wan1
    chain=prerouting action=mark-connection new-connection-mark=wan1
    passthrough=yes connection-state=related in-interface=LinkDotNet

    5 ;;; Mark related inbound connection wan2
    chain=prerouting action=mark-connection new-connection-mark=wan2
    passthrough=yes connection-state=related in-interface=TeData

    6 ;;; Mark new inbound route wan1
    chain=output action=mark-routing new-routing-mark=wan1 passthrough=yes
    connection-mark=wan1

    7 ;;; Mark new inbound route wan2
    chain=output action=mark-routing new-routing-mark=wan2 passthrough=yes
    connection-mark=wan2

    8 chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn
    passthrough=yes connection-state=new dst-address-type=!local
    in-interface=LAN per-connection-classifier=both-addresses:2/0

    9 chain=prerouting action=mark-connection new-connection-mark=wan2_pcc
    passthrough=yes connection-state=new dst-address-type=!local
    in-interface=LAN per-connection-classifier=src-address:2/1

    10 chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn
    passthrough=yes connection-state=established dst-address-type=!local
    in-interface=LAN per-connection-classifier=both-addresses:2/0

    11 chain=prerouting action=mark-connection new-connection-mark=wan2_pcc
    passthrough=yes connection-state=established dst-address-type=!local
    in-interface=LAN per-connection-classifier=both-addresses:2/1

    12 chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn
    passthrough=yes connection-state=related dst-address-type=!local
    in-interface=LAN per-connection-classifier=both-addresses:2/0

    13 chain=prerouting action=mark-connection new-connection-mark=wan2_pcc
    passthrough=yes connection-state=related dst-address-type=!local
    in-interface=LAN per-connection-classifier=both-addresses:2/1

    14 chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=ye>
    connection-mark=wan1_pcc_conn

    15 chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=ye>
    connection-mark=wan2_pcc

    [admin@MikroTik] /ip firewall mangle> /ip
    [admin@MikroTik] /ip> firewall
    [admin@MikroTik] /ip firewall> nat
    [admin@MikroTik] /ip firewall nat> print
    Flags: X – disabled, I – invalid, D – dynamic
    0 ;;; place hotspot rules here
    chain=unused-hs-chain action=passthrough

    1 ;;; masquerade hotspot network
    chain=srcnat action=masquerade src-address=192.168.80.0/24

    2 ;;; masquerade hotspot network
    chain=srcnat action=masquerade src-address=192.168.88.0/24
    [admin@MikroTik] /ip firewall nat> /ip
    [admin@MikroTik] /ip> route
    [admin@MikroTik] /ip route> print
    Flags: X – disabled, A – active, D – dynamic, C – connect, S – static, r – rip, b – bgp, o – ospf, m – mme,
    B – blackhole, U – unreachable, P – prohibit
    # DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
    0 A S ;;; WAN 1 – Distance 1
    0.0.0.0/0 reachable LinkDotNet 1 LinkDotNet
    1 S ;;; WAN 1 – Distance 2
    0.0.0.0/0 reachable TeData 2 TeData
    2 A S ;;; WAN 2 – Distance 1
    0.0.0.0/0 reachable TeData 1 TeData
    3 S ;;; WAN 2 – Distance 2
    0.0.0.0/0 reachable LinkDotNet 2 LinkDotNet
    4 S ;;; Default Route – Distance 2
    0.0.0.0/0 reachable TeData 2 TeData
    5 A S ;;; Default Route – Distance 1
    0.0.0.0/0 reachable LinkDotNet 1 LinkDotNet
    6 ADC 41.130.0.1/32 41.130.11.54 0 LinkDotNet
    7 ADC 163.121.170.22/32 196.202.112.105 0 TeData
    8 ADC 192.168.80.0/24 192.168.80.1 0 wlan1
    9 ADC 192.168.88.0/24 192.168.88.1 0 LAN
    [admin@MikroTik] /ip route>

  5. Why do you have separate rules for established & related?
    In the Nth wiki it says that once a connection is marked, all related should be automatically marked as well?
    Then on the last part, your passthrough=yes, I suppose it should be no, however since it’s the last it does not matter.

  6. You’re probably correct, I created these rules when PCC was a pre-release and I didn’t have full access to the wiki that was since written, I’ll have to give it a further try and see if I need the established or related sections.

  7. Hey admin, I see what you mean by version 4.x giving issues. I have 4.3 and I can’t port forward anything using standard NAT rules. It just won’t work. I think I’ll try and go back to 3.30 if I can. Thanx but try and test it with 4.x as that will be great, I’ve found this setup to work the best by far…

  8. I presume the following is a typo?

    add action=mark-connection chain=prerouting comment="Mark related inbound connection wan1" connection-state=related disabled=no in-interface=wan1-pppoe \
    new-connection-mark=wan2 passthrough=yes

    and should be: new-connection-mark=wan1?

    Thank you for your work.

  9. Hey admin.
    I have 5 DSL connections and I want to split them among 50 PCs. But I want to load balance by traffic type: 2 DSL lines for HTTP and 3 for gaming.

  10. I was thinking the following (please correct the lines if any errors)
    -=-=-=-=-=-==-=-=-=-=-=
    / ip address
    add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
    add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan1
    add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan2
    add address=10.113.0.2/24 network=10.113.0.0 broadcast=10.113.0.255 interface=wlan3
    add address=10.114.0.2/24 network=10.114.0.0 broadcast=10.114.0.255 interface=wlan4
    / ip firewall mangle
    add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
    add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
    add chain=input in-interface=wlan3 action=mark-connection new-connection-mark=wlan3_conn
    add chain=input in-interface=wlan4 action=mark-connection new-connection-mark=wlan4_conn

    add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
    add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
    add chain=output connection-mark=wlan3_conn action=mark-routing new-routing-mark=to_wlan3
    add chain=output connection-mark=wlan4_conn action=mark-routing new-routing-mark=to_wlan4

    add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
    add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local
    add chain=prerouting dst-address=10.113.0.0/24 action=accept in-interface=Local
    add chain=prerouting dst-address=10.114.0.0/24 action=accept in-interface=Local

    add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
    add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=wlan2_conn passthrough=yes

    add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=wlan3_conn passthrough=yes
    add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=wlan4_conn passthrough=yes

    add chain=prerouting connection-mark=wlan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan1
    add chain=prerouting connection-mark=wlan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan2
    add chain=prerouting connection-mark=wlan3_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan3
    add chain=prerouting connection-mark=wlan4_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan4

    add chain=prerouting connection-mark=wlan3_conn in-interface=Local action=mark-routing new-routing-mark="http1" dst-port=80 protocol=tcp
    add chain=prerouting connection-mark=wlan4_conn in-interface=Local action=mark-routing new-routing-mark="http2" dst-port=80 protocol=tcp

    / ip route
    add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping

    add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark="http1" check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark="http2" check-gateway=ping

    add dst-address=0.0.0.0/0 gateway=10.113.0.1 routing-mark=to_wlan3 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.114.0.1 routing-mark=to_wlan4 check-gateway=ping

    add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.113.0.1 distance=1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.114.0.1 distance=2 check-gateway=ping

    / ip firewall nat
    add chain=srcnat out-interface=wlan1 action=masquerade
    add chain=srcnat out-interface=wlan2 action=masquerade
    add chain=srcnat out-interface=wlan3 action=masquerade
    add chain=srcnat out-interface=wlan4 action=masquerade

    please tell me is this correct 😀 ?

  11. This has some corrections, specifically in the ip route section and in the way you created your PCC rules (because you have 4 outbound routes you need the PCC rule to pick out of 4 possible rules)

    / ip address
    add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
    add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan1
    add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan2
    add address=10.113.0.2/24 network=10.113.0.0 broadcast=10.113.0.255 interface=wlan3
    add address=10.114.0.2/24 network=10.114.0.0 broadcast=10.114.0.255 interface=wlan4
    / ip firewall mangle
    add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
    add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
    add chain=input in-interface=wlan3 action=mark-connection new-connection-mark=wlan3_conn
    add chain=input in-interface=wlan4 action=mark-connection new-connection-mark=wlan4_conn

    add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
    add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
    add chain=output connection-mark=wlan3_conn action=mark-routing new-routing-mark=to_wlan3
    add chain=output connection-mark=wlan4_conn action=mark-routing new-routing-mark=to_wlan4

    add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
    add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local
    add chain=prerouting dst-address=10.113.0.0/24 action=accept in-interface=Local
    add chain=prerouting dst-address=10.114.0.0/24 action=accept in-interface=Local

    add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/0 \
    action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
    add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/1 \
    action=mark-connection new-connection-mark=wlan2_conn passthrough=yes

    add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/2 \
    action=mark-connection new-connection-mark=wlan3_conn passthrough=yes
    add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/3 \
    action=mark-connection new-connection-mark=wlan4_conn passthrough=yes

    add chain=prerouting connection-mark=wlan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan1
    add chain=prerouting connection-mark=wlan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan2
    add chain=prerouting connection-mark=wlan3_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan3
    add chain=prerouting connection-mark=wlan4_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan4

    add chain=prerouting connection-mark=wlan3_conn in-interface=Local action=mark-routing new-routing-mark="http1" dst-port=80 protocol=tcp
    add chain=prerouting connection-mark=wlan4_conn in-interface=Local action=mark-routing new-routing-mark="http2" dst-port=80 protocol=tcp

    / ip route
    add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.113.0.1 routing-mark=to_wlan3 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.114.0.1 routing-mark=to_wlan4 check-gateway=ping

    add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark="http1" check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark="http2" check-gateway=ping

    add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.113.0.1 distance=3 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.114.0.1 distance=4 check-gateway=ping

    / ip firewall nat
    add chain=srcnat out-interface=wlan1 action=masquerade
    add chain=srcnat out-interface=wlan2 action=masquerade
    add chain=srcnat out-interface=wlan3 action=masquerade
    add chain=srcnat out-interface=wlan4 action=masquerade
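
The consistency rules behind PCC setups like this can be checked mechanically. The following is an added example, not part of the original post or of any commenter's configuration: a small Python linter for export-style mangle and route lines. The sample config is constructed with deliberate mistakes, and grouping PCC rules by chain, in-interface and connection-state is an assumption of this example.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample (not taken from any router): a 2-link adaptation of the
# rules with four deliberate mistakes for the checks below to find.
SAMPLE = r'''
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=lan \
    dst-address-type=!local new-connection-mark=wan1_pcc_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=new in-interface=lan \
    dst-address-type=!local new-connection-mark=wan2_pcc_conn passthrough=yes \
    per-connection-classifier=src-address:2/1
add action=mark-connection chain=prerouting connection-state=established in-interface=lan \
    dst-address-type=!local new-connection-mark=wan1_pcc_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=established in-interface=lan \
    dst-address-type=!local new-connection-mark=wan2_pcc_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting connection-mark=wan1_pcc_conn new-routing-mark=wan1
add action=mark-routing chain=prerouting connection-mark=wan2_pcc new-routing-mark=wan2
/ip route
add dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan1
'''


def parse_export(text):
    """Return {menu: [{key: value}, ...]} from RouterOS export-style text."""
    text = re.sub(r"\\\n\s*", "", text)  # join '\' line continuations
    menus, menu = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = " ".join(line[1:].split())  # "/ ip route" and "/ip route" alike
        elif line.startswith("add ") and menu:
            tokens = shlex.split(line)[1:]  # keeps quoted comment="..." as one token
            menus[menu].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def lint(text):
    """Return a list of (finding, subject, detail) tuples; empty means consistent."""
    menus = parse_export(text)
    mangle, routes = menus["ip firewall mangle"], menus["ip route"]
    findings = []

    # 1. Each PCC group must use one classifier and one denominator N,
    #    with the remainders 0..N-1 each appearing exactly once.
    groups = defaultdict(list)
    for r in mangle:
        pcc = r.get("per-connection-classifier")
        if r.get("action") == "mark-connection" and pcc:
            kind, frac = pcc.rsplit(":", 1)
            den, rem = map(int, frac.split("/"))
            key = (r.get("chain"), r.get("in-interface"), r.get("connection-state"))
            groups[key].append((kind, den, rem))
    for key, members in groups.items():
        kinds = {k for k, _, _ in members}
        dens = {d for _, d, _ in members}
        rems = sorted(m for _, _, m in members)
        if len(kinds) > 1:
            findings.append(("mixed-classifier", key, sorted(kinds)))
        if len(dens) > 1:
            findings.append(("mixed-denominator", key, sorted(dens)))
        elif rems != list(range(dens.pop())):
            findings.append(("bad-remainders", key, rems))

    # 2. Every connection-mark a mark-routing rule matches on must be set somewhere.
    set_marks = {r["new-connection-mark"] for r in mangle if "new-connection-mark" in r}
    for r in mangle:
        if r.get("action") == "mark-routing":
            cm = r.get("connection-mark")
            if cm and cm not in set_marks:
                findings.append(("unset-connection-mark", cm, r.get("new-routing-mark")))

    # 3. Every routing mark applied in mangle needs at least one route carrying it.
    routed = {r["routing-mark"] for r in routes if "routing-mark" in r}
    for rm in sorted({r["new-routing-mark"] for r in mangle if "new-routing-mark" in r}):
        if rm not in routed:
            findings.append(("no-route-for-mark", rm, None))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Feed it the output of an export of the mangle and route menus; a mark name that differs only by a hyphen or underscore shows up as an unset connection mark.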

  12. will this pcc work nice in my rb450g?

    add action=mark-connection chain=input comment="Input - New" connection-state=new disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe_out1 \
    passthrough=yes
    add action=mark-connection chain=input comment="" connection-state=new disabled=no in-interface=pppoe-out2 new-connection-mark=pppoe_out2 \
    passthrough=yes
    add action=mark-connection chain=prerouting comment="Input - Established" connection-state=established disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe_out1 passthrough=yes
    add action=mark-connection chain=prerouting comment="" connection-state=established disabled=no in-interface=pppoe-out2 new-connection-mark=pppoe_out2 passthrough=yes
    add action=mark-connection chain=prerouting comment="Input - Related" connection-state=related disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe_out1 passthrough=yes
    add action=mark-connection chain=prerouting comment="" connection-state=related disabled=no in-interface=pppoe-out2 new-connection-mark=pppoe_out2 passthrough=yes
    add action=mark-routing chain=output comment="Output - Route Marking" connection-mark=pppoe-out1 disabled=no new-routing-mark=pppoe_out1 passthrough=no
    add action=mark-routing chain=output comment="" connection-mark=pppoe-out2 disabled=no new-routing-mark=pppoe_out2 passthrough=no
    add action=mark-connection chain=prerouting comment="Prerouting - New" connection-state=new disabled=no \
    dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe_out1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
    add action=mark-connection chain=prerouting comment="" connection-state=new disabled=no \
    dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe_out2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
    add action=mark-connection chain=prerouting comment="Prerouting - Established" connection-state=\
    established disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe_out1 passthrough=yes per-connection-classifier=\
    both-addresses:2/0
    add action=mark-connection chain=prerouting comment="" connection-state=\
    established disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe_out2 passthrough=yes per-connection-classifier=\
    both-addresses:2/1
    add action=mark-connection chain=prerouting comment="Prerouting - Related" connection-state=related \
    disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe_out1 passthrough=yes per-connection-classifier=both-addresses:2/0
    add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe-out2 passthrough=yes per-connection-classifier=both-addresses:2/1
    add action=mark-routing chain=prerouting comment="Prerouting - Route Marking " connection-mark=pppoe_out1 disabled=no new-routing-mark=pppoe_out1 passthrough=\
    yes
    add action=mark-routing chain=prerouting comment="" connection-mark=pppoe-out2 disabled=no new-routing-mark=pppoe_out2 passthrough=\
    yes

    does it miss much?
    its for a 2 adsl line … same provider…. same gateway

  13. The way I’ve setup my PCC uses the “both-addresses” option. So any traffic from (for example) 1.1.1.1 to 9.9.9.9 will always go via the same link once the first connection is made, regardless of the port used. It should be ok and I’ve yet to find a game that doesn’t like it.

  14. Hello admin
    Have you encountered any problem with the poker on Facebook? I have used the setup on the Mikrotik Wiki, but it looks like it does not work with the poker on Facebook.
    Thank you, Toni

  15. hi omega-00, very good your contributions to the community Mikrotik, a question, this setting automatically accepts DHCP on the WAN, is necessary to make a script to failover? or failover is automatic with check-gateway=ping

  16. Hi Birkot,

    With the routes I’ve listed in the example, each has 2 backup routes that it’ll failover to if one or more aren’t working.
    Eg: if the adsl3 line disconnects and goes offline, any routes with that as ‘distance=1’ will now be marked as invalid/down so it’ll fall back to any higher distanced routes (distance=2 and then distance=3 and so on).

    In this case we’ve given each of the main routes wan1, wan2, wan3, 2 backup routes for each.. so other than end user connections breaking and re-connecting (msn, vpn’s etc) you’ve got no actual downtime as everything just shifts over to one of the other connections until the broken one comes back online.

    Regards,
    Omega-00
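
The failover behaviour described above, worked through on the route table from the post. This is an added example, not the author's code: it treats a link being down as removing every route through that gateway, looks only at each mark's own routes (no fall-through to the main table is modelled), and uses "main" as a label for the unmarked default routes.

```python
from collections import Counter

# Routes from the post, trimmed to the fields that decide route selection.
ROUTES = """
distance=1 gateway=wan3-pppoe routing-mark=wan3
distance=1 gateway=wan2-pppoe routing-mark=wan2
distance=1 gateway=wan1-pppoe routing-mark=wan1
distance=2 gateway=wan2-pppoe routing-mark=wan1
distance=2 gateway=wan3-pppoe routing-mark=wan2
distance=2 gateway=wan1-pppoe routing-mark=wan3
distance=3 gateway=wan3-pppoe routing-mark=wan1
distance=3 gateway=wan1-pppoe routing-mark=wan2
distance=3 gateway=wan2-pppoe routing-mark=wan3
distance=1 gateway=wan1-pppoe
distance=3 gateway=wan3-pppoe
distance=2 gateway=wan2-pppoe
distance=1 gateway=wan1-pppoe routing-mark=static-wan1
distance=2 gateway=wan2-pppoe routing-mark=static-wan2
distance=3 gateway=wan3-pppoe routing-mark=static-wan3
"""

LINKS = ("wan1-pppoe", "wan2-pppoe", "wan3-pppoe")


def load(text):
    """Parse the trimmed route lines into (routing_mark, distance, gateway) tuples."""
    rows = [dict(kv.split("=", 1) for kv in ln.split())
            for ln in text.split("\n") if ln.strip()]
    # "main" is this example's label for routes without a routing-mark.
    return [(r.get("routing-mark", "main"), int(r["distance"]), r["gateway"]) for r in rows]


def active_gateway(routes, mark, down=frozenset()):
    """Lowest-distance route for `mark` whose gateway is still up; None if none is left."""
    live = [(dist, gw) for m, dist, gw in routes if m == mark and gw not in down]
    return min(live)[1] if live else None


def pcc_share(routes, down=frozenset(), marks=("wan1", "wan2", "wan3")):
    """How many of the three PCC buckets each surviving link ends up carrying."""
    return Counter(active_gateway(routes, m, down) for m in marks)


def single_outages(routes, links=LINKS):
    """PCC bucket share per surviving link, for each one-link outage."""
    return {link: dict(pcc_share(routes, {link})) for link in links}


if __name__ == "__main__":
    table = load(ROUTES)
    for failed, share in single_outages(table).items():
        print(f"{failed} down -> {share}")
    # Inbound (static-*) marks have a single route each, so they have no backup.
    print("static-wan3 with wan3 down ->",
          active_gateway(table, "static-wan3", {"wan3-pppoe"}))
```

With one link down the failed link's bucket moves whole to its distance=2 gateway, so one survivor carries two of the three PCC buckets while the other carries one.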

  17. You’d have to give me more information about what poker etc, but I’ve yet to find an application that doesn’t work for it so long as you use the both-addresses option.

  18. hi omega-oo, I used the PCC for 3 WAN configuration does not work, I have a RB/750G, I can not connect to internet with this configuration and I’ve done no wrong, this is my configuration:

    You can review and correct, please.

    [admin@MikroTik] /ip route> print
    Flags: X – disabled, A – active, D – dynamic, C – connect, S – static, r – rip, b – bgp, o – ospf, m – mme,
    B – blackhole, U – unreachable, P – prohibit
    # DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
    0 S ;;; WAN 3 – Distance 1
    0.0.0.0/0 unreachable wan3 1 wan3
    1 A S ;;; WAN 1 – Distance 1
    0.0.0.0/0 reachable wan1 1 wan1
    2 S ;;; WAN 2 – Distance 1
    0.0.0.0/0 unreachable wan2 1 wan2
    3 S ;;; WAN 2 – Distance 2
    0.0.0.0/0 unreachable wan3 2 wan3
    4 S ;;; Default Route – Distance 3
    0.0.0.0/0 unreachable wan2 2 wan2
    5 S ;;; WAN 1 – Distance 2
    0.0.0.0/0 unreachable wan2 2 wan2
    6 S ;;; WAN 3 – Distance 3
    0.0.0.0/0 unreachable wan2 3 wan2
    7 ADS 0.0.0.0/0 reachable 201.211.128.1 0 wan1
    8 S ;;; Default Route – Distance 2
    0.0.0.0/0 unreachable wan3 3 wan3
    9 S ;;; WAN 1 – Distance 3
    0.0.0.0/0 unreachable wan3 3 wan3
    10 S ;;; Default Route – Distance 1
    0.0.0.0/0 reachable wan1 1 wan1
    11 A S ;;; WAN 3 – Distance 2
    0.0.0.0/0 reachable wan1 2 wan1
    12 A S ;;; WAN 2 – Distance 3
    0.0.0.0/0 reachable wan1 3 wan1
    13 A S ;;; Static Route – WAN1
    0.0.0.0/0 reachable wan1 1 wan1
    14 S ;;; Static Route – WAN2
    0.0.0.0/0 unreachable wan2 2 wan2
    15 S ;;; Static Route – WAN3
    0.0.0.0/0 unreachable wan3 3 wan3
    16 ADC 192.168.1.0/32 192.168.1.1 0 Local
    17 ADC 201.211.128.0/19 201.211.137.176 0 wan1

    [admin@MikroTik] /ip firewall mangle> print
    Flags: X – disabled, I – invalid, D – dynamic
    0 ;;; Mark new inbound connection wan1
    chain=input action=mark-connection new-connection-mark=wan1 passthrough=yes connection-state=new in-interface=wan1

    1 ;;; Mark new inbound connection wan2
    chain=input action=mark-connection new-connection-mark=wan2 passthrough=yes connection-state=new in-interface=wan2

    2 ;;; Mark new inbound connection wan3
    chain=input action=mark-connection new-connection-mark=wan3 passthrough=yes connection-state=new in-interface=wan3

    3 ;;; Mark established inbound connection wan1
    chain=prerouting action=mark-connection new-connection-mark=wan1 passthrough=yes connection-state=established in-interface=wan1

    4 ;;; Mark established inbound connection wan2
    chain=prerouting action=mark-connection new-connection-mark=wan2 passthrough=yes connection-state=established in-interface=wan2

    5 ;;; Mark established inbound connection wan3
    chain=prerouting action=mark-connection new-connection-mark=wan3 passthrough=yes connection-state=established in-interface=wan3

    6 ;;; Mark related inbound connection wan1
    chain=prerouting action=mark-connection new-connection-mark=wan1 passthrough=yes connection-state=related in-interface=wan1

    7 ;;; Mark related inbound connection wan2
    chain=prerouting action=mark-connection new-connection-mark=wan2 passthrough=yes connection-state=related in-interface=wan2

    8 ;;; Mark related inbound connection wan3
    chain=prerouting action=mark-connection new-connection-mark=wan3 passthrough=yes connection-state=related in-interface=wan3

    9 ;;; Mark new inbound route wan1
    chain=output action=mark-routing new-routing-mark=static-wan1 passthrough=no connection-mark=wan1

    10 ;;; Mark new inbound route wan2
    chain=output action=mark-routing new-routing-mark=static-wan2 passthrough=no connection-mark=wan2

    11 ;;; Mark new inbound route wan3
    chain=output action=mark-routing new-routing-mark=static-wan3 passthrough=no connection-mark=wan3

    12 ;;; Mark traffic that isn’t local with PCC mark rand (3 possibilities) – option 1
    chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes connection-state=new
    dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0

    13 ;;; Mark traffic that isn’t local with PCC mark rand (3 possibilities) – option 2
    chain=prerouting action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes connection-state=new
    dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1

    14 ;;; Mark traffic that isn’t local with PCC mark rand (3 possibilities) – option 3
    chain=prerouting action=mark-connection new-connection-mark=wan3_pcc_conn passthrough=yes connection-state=new
    dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2

    15 ;;; Mark established traffic that isn’t local with PCC mark rand (3 possibilities) – option 1
    chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes connection-state=established
    dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0

    16 ;;; Mark established traffic that isn’t local with PCC mark rand (3 possibilities) – option 2
    chain=prerouting action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes connection-state=established
    dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1

    17 ;;; Mark established traffic that isn’t local with PCC mark rand (3 possibilities) – option 3
    chain=prerouting action=mark-connection new-connection-mark=wan3_pcc_conn passthrough=yes connection-state=established
    dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2

    18 ;;; Mark related traffic that isn’t local with PCC mark rand (3 possibilities) – option 1
    chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes connection-state=related
    dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0

    19 ;;; Mark related traffic that isn’t local with PCC mark rand (3 possibilities) – option 2
    chain=prerouting action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes connection-state=related
    dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1

    20 ;;; Mark related traffic that isn’t local with PCC mark rand (3 possibilities) – option 3
    chain=prerouting action=mark-connection new-connection-mark=wan3_pcc_conn passthrough=yes connection-state=related
    dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2

    21 ;;; Mark routing for PCC mark – option 1
    chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=yes connection-mark=wan1_pcc_conn

    22 ;;; Mark routing for PCC mark – option 2
    chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=yes connection-mark=wan2_pcc_conn

    23 ;;; Mark routing for PCC mark – option 3
    chain=prerouting action=mark-routing new-routing-mark=wan3 passthrough=yes connection-mark=wan3_pcc_conn

    [admin@MikroTik] /ip firewall mangle> /ip firewall nat
    [admin@MikroTik] /ip firewall nat> print
    0 X ;;; default configuration
    chain=srcnat action=masquerade out-interface=wan1

    1 chain=srcnat action=masquerade out-interface=wan1

    2 chain=srcnat action=masquerade out-interface=wan2

    3 chain=srcnat action=masquerade out-interface=wan3

    [admin@MikroTik] /ip firewall nat> /ip dhcp-client
    [admin@MikroTik] /ip dhcp-client> print
    Flags: X – disabled, I – invalid
    # INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
    0 ;;; default configuration
    wan1 yes yes bound 201.211.137.176/19
    1 wan2 yes yes searching…
    2 wan3 yes yes searching..

    [admin@MikroTik] /ip dhcp-client> /ip dhcp-server
    [admin@MikroTik] /ip dhcp-server> print
    Flags: X – disabled, I – invalid
    # NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
    0 X default wan2 default-dhcp 3d
    1 dhcp1 Local dhcp_pool1 3d

    [admin@MikroTik] /ip dhcp-server> /ip address
    [admin@MikroTik] /ip address> print
    Flags: X – disabled, I – invalid, D – dynamic
    # ADDRESS NETWORK BROADCAST INTERFACE
    0 X ;;; default configuration
    192.168.88.1/24 192.168.88.0 192.168.88.255 wan2
    1 192.168.1.1/32 192.168.1.0 192.168.1.255 Local
    2 D 201.211.137.176/19 201.211.128.0 201.211.159.255 wan1

  19. Hi omega-00,

    Thanks for fast response.

    My setup is for a cyber cafe with 45 PCs using an RB/750G. I have little knowledge about RouterOS, so please help me to write the complete config, including the PPPoE dial-up for 4 ADSL lines (with dynamic IP), and also the required ip route and ip firewall nat config. Please help me to make it work; your help is much appreciated. Thank you.

  20. Hi there. I would like to thank you ever so much for this script! I am currently load balancing across 10 interfaces on an RB1100, and it’s working like a charm! I have two questions if I may:
    1. I am using static DSL lines, so I have this router connected straight with public IPs. I would like to implement my firewall on any incoming traffic on all of my incoming lines, for any traffic. I did add a rule for each port, on the connection state ‘new’, but then the mangle rule of this config doesn’t mark the ‘static-wanpppoe’ on the output chain. What would be the way forward?
    2. This balances traffic evenly across all interfaces. I currently have 4mbps lines on all the interfaces, so this is not a problem. But let’s presume I will get 2 lines on 10 mbps, and 1 line on 4mbps, will this config be intelligent enough to push through the amount of traffic allowed by each line, or would the config be different in concept? Once again, thank you!

  21. Hi Wimpie,

    1. If you’re just trying to use firewall rules you should be fine to tag them using the in or out interface flag or alternatively the src or dst address flags, however if you’re adding more mangle rules you have to take note of the passthrough option on the routing rules.

    2. If you’re working with connections of different speeds the easiest way would be to divide your PCC rules up further. Eg: say you have 2 x 1Mbps connections and 1 x 2Mbps connection, divide this by the lowest common denominator and you have 4 x 1Mbps blocks. You then create 1 PCC rule for each block, where 2 of those blocks will be pointing to the 2Mbps connection.

    I hope I’ve made myself understandable here, it’s a bit to wrap your head around 🙂

  22. Will try to get that through my thick skull……At the moment I luckily don’t need it, but in South Africa we might be getting 10mbps lines, which will upgrade my current 4mbps, and as I will most probably do them 1 by 1, I will have to look at this. Once again, fantastic work, the Internet has never been this good!!

  23. Hey there

    I have two more questions if I may:
    As you know, port 443 doesn’t like to get a changed IP once the connection has been established. I did try to send my 443 traffic straight through the PCC rules, but it didn’t work. I ended up mangling the 443 traffic, and sending it out through a specific interface, which works well. Any thoughts?

    Then, I have a strange problem. As you know I have 10 lines with your configuration, and I can see that the traffic is evenly balanced across all the lines. My problem is, we have bad DSL here. I want to disable the interface when the Internet via that interface is currently offline. When I am doing a ping / traceroute, out of 10 lines, 7 I can ping / traceroute to any host from my RB1100. But from 3 of the interfaces, I can’t. It just times out, although the Internet is flowing through there from the internal side. It looks like it has something to do with the request coming from the Mikrotik itself. Thoughts?

  24. Admin or Nicholas,

    First of all hats off to you Admin for a wonderful job and others too keeping Admin’s mind crunching with new ideas and how to make the config better. 🙂
    I would really appreciate it if either Nicholas or Admin could please send the 4dsl config. Thank you

  25. Hi Wimpie, sorry I’ve been away for the last 2 weeks interstate, following up on everything now 😉

  26. It’s great when you get to travel. I hope your travel was not just all work and no play. Hope you had fun. Oh yes I am really really waiting in anticipation for the 4 ADSL config. Umm btw will this config be any different if the four DSLs are from different providers.

  27. Hi Slot,

    Emailed you a copy. Config shouldn’t be any different using different providers unless you’re getting a higher speed from one provider than another.
    In that case you expand the config out and skew it to prefer a particular link. So if you had 2 DSL’s you’d use the 3 DSL config and make it use the faster DSL for 2/3 parts.

    Regards,
    Omega-00

  28. Hi Omega….I think I have made a plan with my issue above, but would like to get your input, so that I can see if I made a stupid plan or a decent one.

  29. Ah sorry, I thought I emailed you a reply.

    Anyway, the config I use (in specific the “per-connection-classifier=both-addresses” bit) pushes connections to the same address out via the same link. Provided you’re using that, any connections from a user to a set IP address shouldn’t change unless the ADSL drops out and forces them out another connection.

    – Omega-00

  30. Hi Omega-00,

    Thank you very much. No problem you are a busy guy. We are just absolutely lucky that we get to see whole configs not just bits and pieces of your experience and research. Once again thank you very much. Cheers

  31. Hi Omega
    Is that something I have to do on the client side ? I have mangled my 443 traffic, and now the banking works fine. Without the rule, just with the rules in your config, it cuts me out of the banking.

  32. Hi Omega

    I just want to check something with you. I have grouped my rules in the mangle, but I am not sure how this is affecting my performance. I will give you the order, and you can correct me please?

    For example:
    2 x wan lines (wan1,wan2), and lan
    order from top:
    new inbound – wan1
    established – wan1
    related – wan1
    routing mark – wan1 connections

    new inbound – wan2
    established – wan2
    related – wan2
    routing mark – wan2 connections

    pcc – lan option 1 – conn mark wan1 – new
    pcc – lan option 1 – conn mark wan1 – establish
    pcc – lan option 1 – conn mark wan1 – related
    conn mark – mark routing – wan1

    pcc – lan option 1 – conn mark wan1 – new
    pcc – lan option 1 – conn mark wan1 – establish
    pcc – lan option 1 – conn mark wan1 – related
    conn mark – mark routing – wan1

    Please let me know
    Thank you
    PS: I can also send you the config if that is easier for you.

  33. I normally work it the same way (as the ordering is important to the way inbound traffic is affected)
    1. Inbound marking for wan interfaces
    2. pcc marking for all internal traffic heading out
    3. any other QoS rules or mangling that uses passthrough=no

  34. Hi there
    Do you think there is a way to script this ? So that I can just give the amount of Interfaces, and stick to some standard on the naming, and let a script add all the rules accordingly ?

  35. I could probably work on something, however for more links the links would have to be all the same speed for it to work without modification.

  36. The trick would just be to do everything recursively and pre-label the interfaces you wanted it to apply to.

    Eg: use a script that assigns a variable to “interfaces” to match the number of interfaces you want. Then for each rule, run through $interfaces number of times.

    I will get around to it later this week however scripting comes in very handy, you could probably do it yourself in a couple of hours using previous bits of script I’ve done as examples 😉
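
The block splitting described in comment 21 and the per-interface loop suggested in comment 36, combined in an added example that is not part of the original thread and is not the author's script. It is written in Python rather than RouterOS script (an assumption made so it can be run offline) and emits the PCC mangle rules in the form shown on this page; the link names, speeds and the `lan` interface name are constructed sample values.

```python
import re
from functools import reduce
from math import gcd

# Names are written into router config text, so restrict what they may contain.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
STATES = ("new", "established", "related")  # marked separately, as on the page


def pcc_blocks(links):
    """Split links into equal-size blocks, one block per common unit of speed.

    links: ordered list of (name, speed), integer speeds in the same unit.
    Returns a list of link names, one entry per PCC remainder.
    """
    if not links:
        raise ValueError("at least one link is required")
    for name, speed in links:
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe link name: {name!r}")
        if not isinstance(speed, int) or speed <= 0:
            raise ValueError(f"speed must be a positive integer: {speed!r}")
    unit = reduce(gcd, (speed for _, speed in links))
    blocks = []
    for name, speed in links:
        blocks.extend([name] * (speed // unit))
    return blocks


def mangle_rules(links, lan="lan"):
    """Return RouterOS mangle commands for weighted PCC across `links`."""
    if not NAME_RE.fullmatch(lan):
        raise ValueError(f"unsafe interface name: {lan!r}")
    blocks = pcc_blocks(links)
    rules = ["/ip firewall mangle"]
    for state in STATES:
        for remainder, name in enumerate(blocks):
            rules.append(
                "add chain=prerouting action=mark-connection "
                f"new-connection-mark={name}_pcc_conn passthrough=yes "
                f"connection-state={state} dst-address-type=!local "
                f"in-interface={lan} "
                f"per-connection-classifier=both-addresses:{len(blocks)}/{remainder}"
            )
    for name, _ in links:  # one routing mark per link, not per block
        rules.append(
            "add chain=prerouting action=mark-routing "
            f"new-routing-mark={name} passthrough=yes connection-mark={name}_pcc_conn"
        )
    return rules


if __name__ == "__main__":
    # Constructed sample: the 2 x 1 Mbps + 1 x 2 Mbps case from comment 21.
    print("\n".join(mangle_rules([("wan1", 1), ("wan2", 1), ("wan3", 2)])))
```

Review the generated lines before pasting them into a router, and place them after the inbound marking rules, following the ordering given in comment 33.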

  37. Thank you very much, I will try it and if I may, will ask you for tips. I will have to use some sort of loop, and some sort of array ? Which commands should I investigate for that ?

  38. Hi, I am using a similar configuration, although I do not use PCC at the moment, only route traffic based on destination port, and I would like to ask you a question. I have trouble rerouting incoming traffic back to the same interface. My difference is I do not use DSL routers in bridge mode but as normal routers. That means that the DSL routers NAT the traffic to the Mikrotik (which again NATs the traffic to clients). I port forward all ports from the DSL routers (192.168.1.254, 192.168.2.254 etc) to the Mikrotik wlan interfaces (192.168.1.1, 192.168.2.1 etc). I can connect to services (e.g. remote desktop) on a specific client computer, but only through the default route of that specific client.

    Using
    / ip firewall mangle
    add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
    add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
    add chain=input in-interface=wlan3 action=mark-connection new-connection-mark=wlan3_conn
    add chain=input in-interface=wlan4 action=mark-connection new-connection-mark=wlan4_conn

    add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
    add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
    add chain=output connection-mark=wlan3_conn action=mark-routing new-routing-mark=to_wlan3
    add chain=output connection-mark=wlan4_conn action=mark-routing new-routing-mark=to_wlan4

    Only enables me to connect to mikrotik from any wlan connection, but I still cannot connect to clients. How do I mark connections/packets coming from the wlan interfaces and route them back to the same interface?

  39. Hi, I don’t understand the difference in marking the rules with new, established and related. I think that it works by only marking without connection states. Is this correct?
