MikroTik Load Balancing with PCC (Per Connection Classifier): Complete Configuration Guide

Multiple ISP connections sit idle while your primary link struggles under heavy load. This scenario wastes money and bandwidth. MikroTik PCC (Per Connection Classifier) solves this problem by distributing traffic across all available WAN links.

What You Will Learn

  • How PCC classifies and distributes network connections
  • Complete configuration steps for dual and multi-WAN setups
  • Failover integration with load balancing
  • Troubleshooting common PCC issues
  • Production-ready scripts you can deploy immediately

Target Audience

  • Network engineers managing multi-WAN environments
  • Systems administrators responsible for network infrastructure
  • IT professionals implementing redundant internet connections
  • MikroTik users seeking to maximize bandwidth utilization

2. Understanding Per Connection Classifier (PCC) in MikroTik RouterOS

2.1 What is PCC and How Does It Work?

Per Connection Classifier (PCC) is a MikroTik firewall matcher that divides traffic into equal streams. PCC uses a hashing algorithm to assign each connection to a specific group based on selected fields.

How PCC Hashing Works

  1. PCC takes selected fields from each packet (source address, destination address, ports)
  2. The router applies a hashing algorithm to these fields
  3. The result is divided by the specified denominator
  4. The remainder determines which group receives the connection

PCC Classification Fields

| Field | Description | Use Case |
|---|---|---|
| src-address | Source IP address only | All traffic from one host uses same WAN |
| dst-address | Destination IP address only | All traffic to one server uses same WAN |
| src-port | Source port only | Rarely used alone |
| dst-port | Destination port only | Rarely used alone |
| both-addresses | Source and destination addresses | Recommended for most scenarios |
| both-ports | Source and destination ports | Used with both-addresses |
| both-addresses-and-ports | All four fields combined | Maximum distribution granularity |

2.2 PCC vs. Other Load Balancing Methods

ECMP (Equal Cost Multi-Path)

  • How it works: Multiple routes with same distance; router alternates between them
  • Pros: Simple configuration; built into routing table
  • Cons: Per-packet distribution can break sessions; no session persistence
  • Best for: Simple setups with stateless traffic

NTH Load Balancing

  • How it works: Counts packets and routes every Nth packet to specific gateway
  • Pros: Predictable distribution pattern
  • Cons: Can break TCP sessions; uneven distribution under varying loads
  • Best for: Legacy configurations; specific packet-based requirements

Bonding/Link Aggregation

  • How it works: Combines multiple interfaces into single logical interface
  • Pros: True bandwidth aggregation; single IP address
  • Cons: Requires support from both ends; typically for same ISP links
  • Best for: Data center connections; same-provider links

Why Choose PCC

  • Maintains session persistence (same connection always uses same WAN)
  • Works with different ISPs and IP addresses
  • Provides true load distribution across connections
  • Integrates easily with failover mechanisms
  • Scales to multiple WAN connections

2.3 Key Benefits of MikroTik PCC Load Balancing

  • Session Persistence: Each connection stays on the same WAN throughout its lifetime
  • Proportional Distribution: Traffic distributes evenly across all links
  • Flexibility: Choose classification method based on network requirements
  • Failover Ready: Combine with route checking for automatic failover
  • Cost Effective: Maximize existing bandwidth investments

3. Prerequisites: Preparing for MikroTik PCC Configuration

3.1 Hardware and Software Requirements

RouterOS Version

  • Minimum: RouterOS 6.0 or higher
  • Recommended: RouterOS 6.49.x or 7.x (latest stable)
  • License: Level 4 or higher required for full functionality

Recommended Router Models

| Network Size | Recommended Models | Throughput Capacity |
|---|---|---|
| Small Office (1-25 users) | hEX (RB750Gr3), hAP ac² | Up to 500 Mbps |
| Medium Business (25-100 users) | RB4011, RB5009, CCR1009 | Up to 2 Gbps |
| Enterprise (100+ users) | CCR1036, CCR2004, CCR2116 | Up to 10+ Gbps |

3.2 Network Topology Planning

Sample Network Diagram

                    ┌─────────────┐
                    │   ISP 1     │
                    │ 100 Mbps    │
                    └──────┬──────┘
                           │ ether1 (WAN1)
                           │ 192.168.1.2/24
                           │ GW: 192.168.1.1
    ┌──────────────────────┴──────────────────────┐
    │                                             │
    │           MikroTik Router                   │
    │                                             │
    │   ether3 (LAN): 10.0.0.1/24                 │
    │                                             │
    └──────────────────────┬──────────────────────┘
                           │ ether2 (WAN2)
                           │ 192.168.2.2/24
                           │ GW: 192.168.2.1
                    ┌──────┴──────┐
                    │   ISP 2     │
                    │  50 Mbps    │
                    └─────────────┘

IP Addressing Scheme

| Interface | Role | IP Address | Gateway |
|---|---|---|---|
| ether1 | WAN1 (ISP 1) | 192.168.1.2/24 | 192.168.1.1 |
| ether2 | WAN2 (ISP 2) | 192.168.2.2/24 | 192.168.2.1 |
| ether3 | LAN | 10.0.0.1/24 | N/A |

3.3 ISP Connection Requirements

Information Needed from Each ISP

  • Public IP address (static preferred; dynamic works with additional configuration)
  • Subnet mask
  • Gateway IP address
  • DNS servers (optional; can use public DNS)
  • Contracted bandwidth

Static vs. Dynamic IP Considerations

  • Static IP: Simpler configuration; consistent NAT behavior
  • Dynamic IP (DHCP): Requires script to update routes when IP changes
  • PPPoE: Common for DSL; creates dynamic interface

4. Step-by-Step MikroTik PCC Load Balancing Configuration

4.1 Initial Router Setup and Interface Configuration

1: Reset Router to Default (Optional)

# Erases the running configuration; skip-backup=yes means no automatic backup is saved first
/system reset-configuration no-defaults=yes skip-backup=yes

2: Name the Interfaces

/interface set ether1 name=WAN1 comment="ISP 1 - 100 Mbps"
/interface set ether2 name=WAN2 comment="ISP 2 - 50 Mbps"
/interface set ether3 name=LAN comment="Local Network"

3: Assign IP Addresses

# WAN1 IP Address
/ip address add address=192.168.1.2/24 interface=WAN1 comment="ISP 1"

# WAN2 IP Address
/ip address add address=192.168.2.2/24 interface=WAN2 comment="ISP 2"

# LAN IP Address
/ip address add address=10.0.0.1/24 interface=LAN comment="Local Network"

4: Configure DNS

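# allow-remote-requests=yes answers DNS queries on every interface; filter port 53 arriving on the WAN side in the input chain
/ip dns set servers=8.8.8.8,8.8.4.4,1.1.1.1 allow-remote-requests=yes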

5: Configure DHCP Server for LAN (Optional)

# Create DHCP Pool
/ip pool add name=dhcp-pool ranges=10.0.0.100-10.0.0.254

# Create DHCP Network
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1

# Create DHCP Server
/ip dhcp-server add name=dhcp-lan interface=LAN address-pool=dhcp-pool disabled=no

4.2 Configuring Mangle Rules for PCC Traffic Classification

Mangle rules classify traffic and mark connections for routing decisions. This section creates the core PCC logic.

1: Mark Incoming Connections from Each WAN

These rules mark connections initiated from external sources. They ensure return traffic uses the same WAN.

# Mark connections coming in through WAN1
/ip firewall mangle add chain=prerouting in-interface=WAN1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="Mark incoming WAN1 connections"

# Mark connections coming in through WAN2
/ip firewall mangle add chain=prerouting in-interface=WAN2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes \
    comment="Mark incoming WAN2 connections"

2: Apply PCC Classification for Outgoing Traffic

These rules distribute new outgoing connections across both WAN links using PCC.

# PCC rule for WAN1 (remainder 0 of 2)
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="PCC: Mark for WAN1"

# PCC rule for WAN2 (remainder 1 of 2)
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes \
    comment="PCC: Mark for WAN2"

3: Create Routing Marks Based on Connection Marks

# Route mark for WAN1 connections
/ip firewall mangle add chain=prerouting connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=route_WAN1 passthrough=yes \
    comment="Route via WAN1"

# Route mark for WAN2 connections
/ip firewall mangle add chain=prerouting connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=route_WAN2 passthrough=yes \
    comment="Route via WAN2"

4: Handle Router-Generated Traffic (Output Chain)

# Mark routing for router's own traffic via WAN1
/ip firewall mangle add chain=output connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=route_WAN1 passthrough=yes \
    comment="Output: Route via WAN1"

# Mark routing for router's own traffic via WAN2
/ip firewall mangle add chain=output connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=route_WAN2 passthrough=yes \
    comment="Output: Route via WAN2"

Understanding the PCC Syntax

per-connection-classifier=both-addresses:2/0
  • both-addresses: Classification field (source + destination IP)
  • 2: Denominator (total number of groups/WAN links)
  • 0: Remainder (which group this rule matches: 0, 1, 2, etc.)

4.3 Creating Routing Tables for Each WAN Connection

1: Add Default Routes with Routing Marks

# routing-mark= on routes is RouterOS 6 syntax; on RouterOS 7 routes take routing-table=
# instead, and each table must first be created under /routing table.

# Default route for WAN1 traffic
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=route_WAN1 \
    check-gateway=ping distance=1 comment="Default route WAN1"

# Default route for WAN2 traffic
/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=route_WAN2 \
    check-gateway=ping distance=1 comment="Default route WAN2"

2: Add Fallback Default Routes

These routes handle traffic when one WAN fails.

# Primary fallback route (WAN1)
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 \
    check-gateway=ping comment="Fallback route WAN1"

# Secondary fallback route (WAN2)
/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 \
    check-gateway=ping comment="Fallback route WAN2"

4.4 Implementing NAT Rules for Multi-WAN Setup

Source NAT (Masquerade) Rules

# Masquerade traffic going out WAN1
/ip firewall nat add chain=srcnat out-interface=WAN1 action=masquerade \
    comment="NAT for WAN1"

# Masquerade traffic going out WAN2
/ip firewall nat add chain=srcnat out-interface=WAN2 action=masquerade \
    comment="NAT for WAN2"

Why Masquerade Instead of src-nat

  • Masquerade automatically uses the outgoing interface’s IP address
  • Works with dynamic IP addresses (DHCP, PPPoE)
  • Simpler configuration for multi-WAN setups
  • For static IPs with high traffic, src-nat is slightly more efficient

5. Advanced MikroTik PCC Configuration Techniques

5.1 Weighted Load Balancing with PCC

When WAN links have different bandwidths, distribute traffic proportionally.

Example: 100 Mbps (WAN1) + 50 Mbps (WAN2) = 2:1 Ratio

# Remove previous PCC rules first
/ip firewall mangle remove [find comment~"PCC:"]

# Weighted PCC: WAN1 gets 2 parts, WAN2 gets 1 part (total 3)
# WAN1 - remainder 0
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:3/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="PCC: WAN1 part 1"

# WAN1 - remainder 1
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:3/1 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="PCC: WAN1 part 2"

# WAN2 - remainder 2
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:3/2 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes \
    comment="PCC: WAN2 part 1"

Weighted Distribution Table

| WAN1 Bandwidth | WAN2 Bandwidth | Ratio | Denominator | WAN1 Remainders | WAN2 Remainders |
|---|---|---|---|---|---|
| 100 Mbps | 100 Mbps | 1:1 | 2 | 0 | 1 |
| 100 Mbps | 50 Mbps | 2:1 | 3 | 0, 1 | 2 |
| 100 Mbps | 25 Mbps | 4:1 | 5 | 0, 1, 2, 3 | 4 |
| 100 Mbps | 33 Mbps | 3:1 | 4 | 0, 1, 2 | 3 |
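
The hash-then-remainder steps from section 2.1 and the weighted remainder assignment above, modelled as an added Python example (not part of the original guide and not MikroTik code). RouterOS's real PCC hash is not reproduced: SHA-256 is a labelled stand-in, and the function names and sample traffic are constructed for illustration.

```python
import hashlib
from collections import Counter
from functools import reduce
from math import gcd

# Connection fields each classifier feeds into the hash (subset of the table in 2.1).
FIELDS = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "both-addresses": ("src", "dst"),
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
}


def remainder_plan(weights):
    """Return (denominator, {wan: [remainders]}) for integer weights such as Mbps."""
    if not weights or any(not isinstance(w, int) or w <= 0 for w in weights.values()):
        raise ValueError("weights must be a non-empty mapping of positive integers")
    divisor = reduce(gcd, weights.values())  # 100:50 reduces to 2:1
    plan, next_remainder = {}, 0
    for wan, weight in weights.items():
        parts = weight // divisor
        plan[wan] = list(range(next_remainder, next_remainder + parts))
        next_remainder += parts
    return next_remainder, plan


def mangle_rules(weights, classifier="both-addresses", lan="LAN"):
    """Emit one mark-connection rule per remainder, in the syntax used on this page."""
    if classifier not in FIELDS:
        raise ValueError(f"unsupported classifier: {classifier}")
    denominator, plan = remainder_plan(weights)
    rules = []
    for wan, owned in plan.items():
        for part, remainder in enumerate(owned, start=1):
            rules.append(
                f"/ip firewall mangle add chain=prerouting in-interface={lan} "
                f"connection-mark=no-mark dst-address-type=!local "
                f"per-connection-classifier={classifier}:{denominator}/{remainder} "
                f"action=mark-connection new-connection-mark={wan}_conn "
                f'passthrough=yes comment="PCC: {wan} part {part}"'
            )
    return rules


def classify(conn, classifier, weights):
    """Pick the WAN for one connection: hash the selected fields, take the remainder."""
    denominator, plan = remainder_plan(weights)
    key = "|".join(str(conn[f]) for f in FIELDS[classifier]).encode()
    # Stand-in hash (assumption): RouterOS uses its own function, not SHA-256.
    digest = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    remainder = digest % denominator
    return next(wan for wan, owned in plan.items() if remainder in owned)


def sample_connections():
    """Constructed traffic: 50 LAN hosts, each opening HTTPS to 40 test-range servers."""
    return [
        {"src": f"10.0.0.{host}", "dst": f"203.0.113.{server}",
         "sport": 40000 + host + server, "dport": 443}
        for host in range(100, 150)
        for server in range(1, 41)
    ]


def simulate(weights, classifier, conns):
    """Count how many connections each WAN would receive."""
    counts = Counter(classify(c, classifier, weights) for c in conns)
    return {wan: counts.get(wan, 0) for wan in weights}


if __name__ == "__main__":
    weights = {"WAN1": 100, "WAN2": 50}  # the 2:1 example from section 5.1
    for rule in mangle_rules(weights):
        print(rule)
    for classifier in ("both-addresses", "src-address"):
        print(classifier, simulate(weights, classifier, sample_connections()))
```

The weights govern how many connections land on each link, not how many bytes, so a few heavy flows can still skew per-link throughput. With src-address the 50 sample hosts yield only 50 distinct hash inputs, which makes the split coarser than with both-addresses.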

5.2 Integrating Failover with PCC Load Balancing

Method 1: Using check-gateway on Routes

The routes configured earlier include check-gateway=ping. This method:

  • Pings the gateway every 10 seconds
  • Marks route as unreachable after 2 failed pings
  • Traffic automatically shifts to available routes

Method 2: Using Netwatch for Enhanced Monitoring

Netwatch monitors external hosts and runs scripts when status changes.

# Create address lists for WAN status
/ip firewall address-list add list=WAN1_up address=192.168.1.2
/ip firewall address-list add list=WAN2_up address=192.168.2.2

# Netwatch for WAN1 - Monitor external host via WAN1
/tool netwatch add host=8.8.8.8 interval=10s timeout=2s \
    up-script="/ip firewall address-list enable [find list=WAN1_up]" \
    down-script="/ip firewall address-list disable [find list=WAN1_up]" \
    comment="Monitor WAN1"

# Netwatch for WAN2 - Monitor external host via WAN2
/tool netwatch add host=8.8.4.4 interval=10s timeout=2s \
    up-script="/ip firewall address-list enable [find list=WAN2_up]" \
    down-script="/ip firewall address-list disable [find list=WAN2_up]" \
    comment="Monitor WAN2"

Netwatch Considerations

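  • Netwatch sends its ICMP probes using the router’s main routing table, so both probes leave through whichever WAN currently holds the active default route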
  • Use routing marks in scripts for accurate per-WAN monitoring
  • Monitor different hosts for each WAN to avoid false positives

5.3 Excluding Specific Traffic from Load Balancing

Bypass PCC for VPN Traffic

# Create address list for VPN servers
/ip firewall address-list add list=VPN_Servers address=203.0.113.10 comment="Corporate VPN"
/ip firewall address-list add list=VPN_Servers address=203.0.113.20 comment="Backup VPN"

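# Force VPN traffic through WAN1 only (add before PCC rules)
# in-interface=LAN and connection-mark=no-mark keep already-marked inbound connections on their own WAN
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-list=VPN_Servers \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="Force VPN via WAN1" place-before=0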

Force Specific Services Through Designated WAN

# Force VoIP traffic (SIP) through WAN1 for consistent NAT
# (matching only unmarked LAN traffic leaves connections that arrived on WAN2 untouched)
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    protocol=udp dst-port=5060-5061 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="Force SIP via WAN1" place-before=0

# Force all new outbound traffic from a specific server through WAN2
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    src-address=10.0.0.50 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes \
    comment="Server 10.0.0.50 via WAN2" place-before=0

Exclude Local and Private Networks

# Create address list for private networks
/ip firewall address-list add list=PrivateNetworks address=10.0.0.0/8
/ip firewall address-list add list=PrivateNetworks address=172.16.0.0/12
/ip firewall address-list add list=PrivateNetworks address=192.168.0.0/16

# Exclude private destinations from PCC (add before PCC rules)
/ip firewall mangle add chain=prerouting dst-address-list=PrivateNetworks \
    action=accept comment="Skip PCC for private networks" place-before=0

5.4 PCC with More Than Two WAN Connections

Three WAN Configuration Example

# Interface setup
/interface set ether1 name=WAN1
/interface set ether2 name=WAN2
/interface set ether3 name=WAN3
/interface set ether4 name=LAN

# IP Addresses
/ip address add address=192.168.1.2/24 interface=WAN1
/ip address add address=192.168.2.2/24 interface=WAN2
/ip address add address=192.168.3.2/24 interface=WAN3
/ip address add address=10.0.0.1/24 interface=LAN

# Mangle - Mark incoming connections
/ip firewall mangle add chain=prerouting in-interface=WAN1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=WAN2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=WAN3 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN3_conn passthrough=yes

# Mangle - PCC for 3 WANs (denominator = 3)
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:3/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:3/1 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:3/2 \
    action=mark-connection new-connection-mark=WAN3_conn passthrough=yes

# Mangle - Routing marks
/ip firewall mangle add chain=prerouting connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=route_WAN1 passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=route_WAN2 passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=WAN3_conn \
    action=mark-routing new-routing-mark=route_WAN3 passthrough=yes

# Routes with routing marks
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=route_WAN1 \
    check-gateway=ping distance=1
/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=route_WAN2 \
    check-gateway=ping distance=1
/ip route add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=route_WAN3 \
    check-gateway=ping distance=1

# Fallback routes
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=3 check-gateway=ping

# NAT rules
/ip firewall nat add chain=srcnat out-interface=WAN1 action=masquerade
/ip firewall nat add chain=srcnat out-interface=WAN2 action=masquerade
/ip firewall nat add chain=srcnat out-interface=WAN3 action=masquerade

6. Troubleshooting MikroTik PCC Load Balancing Issues

6.1 Common PCC Configuration Problems

Problem 1: All Traffic Uses One WAN

Symptoms:

  • One WAN shows high traffic; other WAN shows minimal traffic
  • Mangle rule counters show uneven distribution

Solutions:

  • Verify mangle rule order (incoming connection marks must come first)
  • Check that connection-mark=no-mark is set on PCC rules
  • Confirm dst-address-type=!local is present
  • Clear connection tracking table: /ip firewall connection remove [find]

Problem 2: Asymmetric Routing Issues

Symptoms:

  • Some websites load partially or not at all
  • Connections time out intermittently
  • HTTPS sites fail more than HTTP

Solutions:

  • Ensure incoming connection marking rules exist for both WANs
  • Verify return traffic uses the same WAN as incoming traffic
  • Check NAT rules are applied to both outgoing interfaces

Problem 3: Sessions Breaking Mid-Connection

Symptoms:

  • Downloads fail partway through
  • Video streaming buffers excessively
  • Banking/secure sites report connection errors

Solutions:

  • Use both-addresses instead of both-addresses-and-ports
  • Check connection tracking timeout values
  • Verify no conflicting firewall rules exist

Problem 4: Failover Not Working

Symptoms:

  • Network goes down when one WAN fails
  • Traffic doesn’t shift to available WAN

Solutions:

  • Confirm check-gateway=ping on routes
  • Verify gateway is pingable when WAN is working
  • Check fallback routes exist without routing-mark
  • Test by disconnecting WAN cable

6.2 Diagnostic Commands and Tools

View Connection Marks Distribution

# Count connections per mark
:put "WAN1 connections: $[/ip firewall connection print count-only where connection-mark=WAN1_conn]"
:put "WAN2 connections: $[/ip firewall connection print count-only where connection-mark=WAN2_conn]"

Check Mangle Rule Counters

/ip firewall mangle print stats

Monitor Real-Time Traffic per Interface

# Using Torch
/tool torch interface=WAN1
/tool torch interface=WAN2

# Using interface monitor
/interface monitor-traffic WAN1,WAN2

View Active Connections

# Show all connections with marks
/ip firewall connection print where connection-mark~"WAN"

# Show connections for specific source
/ip firewall connection print where src-address~"10.0.0.100"

Test Routing for Specific Traffic

# Check which route a packet would use
/ip route check 8.8.8.8 routing-mark=route_WAN1
/ip route check 8.8.8.8 routing-mark=route_WAN2

Packet Sniffer for Deep Analysis

/tool sniffer set interface=WAN1 filter-ip-address=10.0.0.100/32
/tool sniffer start
# Wait for traffic
/tool sniffer stop
/tool sniffer packet print

6.3 Verifying Load Distribution Accuracy

First Method: Multiple Simultaneous Connections Test

  1. Open multiple browser tabs on a client device
  2. Navigate to different websites (different destination IPs)
  3. Check connection table for mark distribution

Second Method: External IP Verification

  • Visit https://whatismyip.com from multiple devices
  • Different devices may show different public IPs, depending on which WAN PCC assigned them
  • The same device visiting the same site will show a consistent IP (session persistence)

Third Method: Bandwidth Test per WAN

# Test WAN1 throughput
/tool bandwidth-test address=speedtest.server.com routing-mark=route_WAN1

# Test WAN2 throughput
/tool bandwidth-test address=speedtest.server.com routing-mark=route_WAN2

7. Performance Optimization for MikroTik PCC

7.1 Tuning Connection Tracking

Adjust Connection Tracking Timeouts

/ip firewall connection tracking set \
    tcp-established-timeout=1d \
    tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s \
    tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s \
    tcp-time-wait-timeout=10s \
    udp-timeout=10s \
    udp-stream-timeout=3m \
    icmp-timeout=10s \
    generic-timeout=10m

Increase Connection Table Size

# Check current settings
/ip firewall connection tracking print

# Increase max entries (default is 262144)
/ip firewall connection tracking set max-entries=524288

Monitor Connection Table Usage

/ip firewall connection print count-only

7.2 Hardware Acceleration Considerations

FastTrack and PCC

Important: FastTrack bypasses mangle rules. This breaks PCC functionality.

# Check if FastTrack is enabled
/ip firewall filter print where action=fasttrack-connection

# Disable FastTrack for PCC to work
/ip firewall filter disable [find action=fasttrack-connection]

FastPath Considerations

  • FastPath is partially compatible with connection tracking
  • Works with NAT and simple firewall rules
  • Monitor CPU usage to determine if optimization is needed

CPU Usage Optimization Tips

  • Use hardware-accelerated routers (CCR series) for high throughput
  • Minimize complex regex in firewall rules
  • Use address lists instead of multiple individual rules
  • Place frequently matched rules at top of chain

7.3 Monitoring and Logging Best Practices

Enable SNMP for External Monitoring

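# "public" is the default community name; rename it in production and keep addresses= limited to the monitoring hosts
/snmp set enabled=yes contact="admin@company.com" location="Server Room"
/snmp community set public read-access=yes write-access=no addresses=10.0.0.0/24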

Create Graphing for Bandwidth Visualization

/tool graphing interface add interface=WAN1 store-on-disk=yes
/tool graphing interface add interface=WAN2 store-on-disk=yes
/tool graphing interface add interface=LAN store-on-disk=yes

Configure Email Alerts for Link Failures

# Configure email settings
/tool e-mail set server=smtp.company.com port=587 \
    from=mikrotik@company.com user=mikrotik@company.com password=secretpassword

# Add alert script to Netwatch
/tool netwatch set [find comment="Monitor WAN1"] \
    down-script=":log warning \"WAN1 is DOWN\"; /tool e-mail send to=\"admin@company.com\" subject=\"Alert: WAN1 Down\" body=\"WAN1 link has failed.\""

8. Real-World MikroTik PCC Use Cases and Examples

8.1 Small Business Dual-WAN Setup

Scenario

  • Business: Small office with 15 employees
  • WAN1: Fiber 100/100 Mbps (Primary)
  • WAN2: Cable 50/10 Mbps (Backup)
  • Requirements: Load balancing with automatic failover
  • Router: MikroTik hEX (RB750Gr3)

Configuration Approach

  • Equal PCC distribution (both links provide adequate bandwidth)
  • VoIP phones forced through fiber (WAN1) for quality
  • Failover with check-gateway

# Complete small business configuration
/interface set ether1 name=WAN1-Fiber
/interface set ether2 name=WAN2-Cable
/interface set ether3 name=LAN

/ip address add address=203.0.113.2/30 interface=WAN1-Fiber
/ip address add address=198.51.100.2/30 interface=WAN2-Cable
/ip address add address=192.168.1.1/24 interface=LAN

# Mark VoIP phones to use fiber only
/ip firewall address-list add list=VoIP-Phones address=192.168.1.50-192.168.1.60

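# connection-mark=no-mark avoids re-marking connections that already carry a WAN mark
/ip firewall mangle add chain=prerouting src-address-list=VoIP-Phones \
    connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="VoIP via Fiber only"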

# Standard PCC rules
/ip firewall mangle add chain=prerouting in-interface=WAN1-Fiber connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=WAN2-Cable connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

/ip firewall mangle add chain=prerouting connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=route_WAN1 passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=route_WAN2 passthrough=yes

/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=route_WAN1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=route_WAN2 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping

/ip firewall nat add chain=srcnat out-interface=WAN1-Fiber action=masquerade
/ip firewall nat add chain=srcnat out-interface=WAN2-Cable action=masquerade

8.2 Enterprise Multi-WAN with Failover Priority

Scenario

  • Business: Corporate office with 200 employees
  • WAN1: Dedicated fiber 500/500 Mbps
  • WAN2: Business cable 200/20 Mbps
  • WAN3: LTE backup 50/20 Mbps (emergency only)
  • Requirements: Weighted load balancing on WAN1+WAN2; WAN3 for failover only
  • Router: MikroTik CCR1009-7G-1C-1S+

Configuration Approach

  • Weighted PCC: WAN1 gets 5 parts, WAN2 gets 2 parts (5:2 ratio)
  • WAN3 excluded from PCC; used only when both WAN1 and WAN2 fail
  • Corporate VPN traffic forced through WAN1

# Enterprise configuration excerpt - key differences from basic setup

# Weighted PCC for WAN1 and WAN2 (5:2 ratio = 7 total parts)
# WAN1 gets remainders 0, 1, 2, 3, 4
# WAN2 gets remainders 5, 6

/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:7/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:7/1 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:7/2 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:7/3 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:7/4 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:7/5 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:7/6 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

# WAN3 (LTE) failover routes - higher distance values
/ip route add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=10 check-gateway=ping \
    comment="WAN3 LTE - Emergency failover only"

8.3 ISP/WISP Customer Load Balancing

Scenario

  • Business: Wireless ISP serving rural customers
  • Uplinks: Two 1 Gbps transit connections
  • Requirements: Distribute customer traffic across both uplinks
  • Router: MikroTik CCR2004-1G-12S+2XS

Key Differences for ISP Deployments

  • Use src-address classifier to keep each customer on consistent uplink
  • Implement per-customer bandwidth management alongside PCC
  • Consider BGP for true multi-homing if using provider-assigned IPs

# ISP-specific PCC using src-address for customer consistency
/ip firewall mangle add chain=prerouting in-interface=bridge-customers \
    connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=src-address:2/0 \
    action=mark-connection new-connection-mark=Transit1_conn passthrough=yes

/ip firewall mangle add chain=prerouting in-interface=bridge-customers \
    connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=src-address:2/1 \
    action=mark-connection new-connection-mark=Transit2_conn passthrough=yes

9. MikroTik PCC Load Balancing Best Practices

Configuration Best Practices

  • Document everything: Add comments to every mangle rule, route, and NAT entry
  • Use descriptive names: Name interfaces clearly (WAN1-Fiber, WAN2-Cable)
  • Test in lab first: Build and validate configuration before production deployment
  • Backup before changes: Export configuration before modifications

Operational Best Practices

  • Monitor continuously: Set up SNMP monitoring and bandwidth graphs
  • Test failover regularly: Disconnect each WAN monthly to verify failover works
  • Review logs: Check system logs for connection tracking issues
  • Update RouterOS: Keep firmware current for security and bug fixes

Security Best Practices

  • Implement firewall rules: PCC does not replace proper firewall configuration
  • Protect management access: Restrict Winbox/SSH to specific IPs
  • Disable unused services: Turn off Telnet, FTP, and other unneeded services

Scalability Best Practices

  • Plan for growth: Design configuration to easily add third or fourth WAN
  • Use address lists: Group exceptions in address lists for easy management
  • Document IP scheme: Maintain network documentation separate from router config

Commands Checklist Before Going Live

# Verify configuration
/ip address print
/ip route print
/ip firewall mangle print
/ip firewall nat print

# Test connectivity through each WAN
/ping 8.8.8.8 routing-table=route_WAN1 count=5
/ping 8.8.8.8 routing-table=route_WAN2 count=5

# Backup configuration
/export file=pcc-config-backup
/system backup save name=pcc-full-backup
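
An added example, not part of the original guide: a small offline audit in Python of the text that /export writes (pcc-config-backup.rsc), to run before going live. It flags an enabled FastTrack rule, a PCC set with a missing remainder, prerouting mark-routing rules with no in-interface (these also re-mark reply packets arriving from the WAN), and DNS allow-remote-requests=yes with no unconditional input drop. The function names and SAMPLE_EXPORT are constructed for illustration, and rules sharing the same fields:denominator are assumed to form one PCC set.

```python
import re

# Constructed sample in /export format (not taken from a real router).
SAMPLE_EXPORT = r"""
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=LAN \
    new-connection-mark=WAN1_conn per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting in-interface=LAN \
    new-connection-mark=WAN2_conn per-connection-classifier=both-addresses:3/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn new-routing-mark=route_WAN1
"""

def parse_export(text):
    """Yield (menu, params) for each add/set line, after joining continuation lines."""
    menu = ""
    for line in map(str.strip, re.sub(r"\\\r?\n\s*", "", text).splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            yield menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))

def audit(text):
    findings, pcc, dns_remote, input_drop = [], {}, False, False
    for menu, p in parse_export(text):
        if menu == "/ip dns":
            dns_remote = p.get("allow-remote-requests") == "yes"
        elif menu == "/ip firewall filter":
            if p.get("action") == "fasttrack-connection" and p.get("disabled") != "yes":
                findings.append("FastTrack rule is enabled")
            if (p.get("chain"), p.get("action")) == ("input", "drop"):
                input_drop |= set(p) <= {"chain", "action", "comment"}  # no other matcher
        elif menu == "/ip firewall mangle":
            if m := re.fullmatch(r"([\w-]+):(\d+)/(\d+)", p.get("per-connection-classifier", "")):
                pcc.setdefault((m[1], int(m[2])), set()).add(int(m[3]))  # remainders seen
            if (p.get("action"), p.get("chain")) == ("mark-routing", "prerouting") \
                    and not {"in-interface", "in-interface-list"} & set(p):
                findings.append(f"mark-routing {p.get('new-routing-mark')} has no in-interface")
    for (fields, n), seen in sorted(pcc.items()):
        if missing := sorted(set(range(n)) - seen):
            findings.append(f"PCC {fields}:{n} has no rule for remainder(s) {missing}")
    if dns_remote and not input_drop:
        findings.append("allow-remote-requests=yes but no unconditional input drop")
    return findings

print(*audit(SAMPLE_EXPORT), sep="\n")
```

An empty list means none of the four conditions was found; it does not replace the live ping and failover tests in the checklist.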

10. Complete MikroTik PCC Configuration Script

Copy and customize this complete configuration script for your deployment.

Dual-WAN PCC Load Balancing Script

#################################################
# MikroTik PCC Load Balancing Configuration
# Dual-WAN Setup with Failover
# Version: 1.0
# Last Updated: 2024
#################################################

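#----- VARIABLES - CUSTOMIZE THESE -----#
# :local variables exist only within one scope, and each line typed or pasted
# into the terminal is its own scope. Run this file as a single script
# instead of pasting it line by line, or the $variables below will be empty.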
:local wan1Interface "ether1"
:local wan2Interface "ether2"
:local lanInterface "ether3"

:local wan1Address "192.168.1.2/24"
:local wan1Gateway "192.168.1.1"
:local wan2Address "192.168.2.2/24"
:local wan2Gateway "192.168.2.1"
:local lanAddress "10.0.0.1/24"

#----- INTERFACE NAMING -----#
/interface set $wan1Interface name=WAN1 comment="ISP 1"
/interface set $wan2Interface name=WAN2 comment="ISP 2"
/interface set $lanInterface name=LAN comment="Local Network"

#----- IP ADDRESSES -----#
/ip address add address=$wan1Address interface=WAN1 comment="WAN1 IP"
/ip address add address=$wan2Address interface=WAN2 comment="WAN2 IP"
/ip address add address=$lanAddress interface=LAN comment="LAN IP"

#----- DNS CONFIGURATION -----#
/ip dns set servers=8.8.8.8,8.8.4.4,1.1.1.1 allow-remote-requests=yes

#----- MANGLE RULES -----#
# Mark incoming connections from each WAN
/ip firewall mangle add chain=prerouting in-interface=WAN1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="Mark incoming WAN1 connections"

/ip firewall mangle add chain=prerouting in-interface=WAN2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes \
    comment="Mark incoming WAN2 connections"

# PCC Classification for outgoing traffic
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="PCC: Assign to WAN1"

/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes \
    comment="PCC: Assign to WAN2"

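# Create routing marks
# in-interface=LAN limits these rules to packets entering from the LAN. Without
# it, reply packets arriving on a WAN port would also be marked and looked up in
# the WAN table, which only holds a default route back out of that WAN.
/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=route_WAN1 passthrough=yes \
    comment="Route mark for WAN1"

/ip firewall mangle add chain=prerouting in-interface=LAN connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=route_WAN2 passthrough=yes \
    comment="Route mark for WAN2"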

# Output chain for router-generated traffic
/ip firewall mangle add chain=output connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=route_WAN1 passthrough=yes \
    comment="Output routing WAN1"

/ip firewall mangle add chain=output connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=route_WAN2 passthrough=yes \
    comment="Output routing WAN2"

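#----- ROUTES -----#
# Routes with routing marks (routing-mark= is RouterOS v6 syntax; on v7 create
# the tables with /routing table add name=route_WAN1 fib and use routing-table=)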
/ip route add dst-address=0.0.0.0/0 gateway=$wan1Gateway routing-mark=route_WAN1 \
    check-gateway=ping distance=1 comment="WAN1 marked route"

/ip route add dst-address=0.0.0.0/0 gateway=$wan2Gateway routing-mark=route_WAN2 \
    check-gateway=ping distance=1 comment="WAN2 marked route"

# Fallback routes
/ip route add dst-address=0.0.0.0/0 gateway=$wan1Gateway distance=1 \
    check-gateway=ping comment="WAN1 fallback"

/ip route add dst-address=0.0.0.0/0 gateway=$wan2Gateway distance=2 \
    check-gateway=ping comment="WAN2 fallback"

#----- NAT -----#
/ip firewall nat add chain=srcnat out-interface=WAN1 action=masquerade \
    comment="NAT WAN1"

/ip firewall nat add chain=srcnat out-interface=WAN2 action=masquerade \
    comment="NAT WAN2"

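#----- BASIC FIREWALL (Optional but recommended) -----#
# If allow-remote-requests=yes is kept in the DNS section, do not skip this block:
# the router then answers DNS on every interface, and the final input drop is
# what keeps the resolver from being reachable on WAN1/WAN2.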
/ip firewall filter add chain=input connection-state=established,related action=accept \
    comment="Accept established connections"
/ip firewall filter add chain=input connection-state=invalid action=drop \
    comment="Drop invalid connections"
/ip firewall filter add chain=input in-interface=LAN action=accept \
    comment="Accept from LAN"
/ip firewall filter add chain=input action=drop \
    comment="Drop all other input"

/ip firewall filter add chain=forward connection-state=established,related action=accept \
    comment="Accept established forward"
/ip firewall filter add chain=forward connection-state=invalid action=drop \
    comment="Drop invalid forward"
/ip firewall filter add chain=forward in-interface=LAN action=accept \
    comment="Accept forward from LAN"
/ip firewall filter add chain=forward action=drop \
    comment="Drop all other forward"

#----- VERIFICATION COMMANDS -----#
:log info "PCC Configuration Complete"
:log info "Run these commands to verify:"
:log info "/ip firewall mangle print"
:log info "/ip route print"
:log info "/ip firewall connection print"

#################################################
# END OF CONFIGURATION
#################################################

Post-Installation Verification Commands

# Check mangle rules are active
/ip firewall mangle print stats where chain=prerouting

# Verify routes are reachable
# (leading space in the pattern so that "unreachable" does not match)
/ip route print where gateway-status~" reachable"

# Test connectivity
/ping 8.8.8.8 count=5
/ping 1.1.1.1 count=5

# Check connection distribution
:put "WAN1: $[/ip firewall connection print count-only where connection-mark=WAN1_conn]"
:put "WAN2: $[/ip firewall connection print count-only where connection-mark=WAN2_conn]"

11. Conclusion

Key Takeaways

  • PCC provides session-persistent load balancing across multiple WAN connections
  • Proper mangle rule ordering is critical for correct operation
  • Combine PCC with check-gateway for automatic failover
  • FastTrack must be disabled for PCC to function
  • Weighted distribution accommodates unequal bandwidth links
  • Always test the configuration in a lab environment before production deployment

Next Steps

  1. Set up a lab environment to test PCC configuration
  2. Document your network topology and IP addressing
  3. Customize the provided scripts for your specific requirements
  4. Implement monitoring to verify load distribution
  5. Schedule regular failover tests to ensure reliability

Related Topics to Explore

  • MikroTik QoS and bandwidth management with PCC
  • BGP multi-homing for enterprise networks
  • VPN configuration over load-balanced connections
  • MikroTik scripting for advanced automation

12. Additional Resources

Official MikroTik Documentation

Related Concepts

Topic                  Description
ECMP                   Equal Cost Multi-Path routing for simpler load distribution
Policy-Based Routing   Route traffic based on source, destination, or protocol
Recursive Routing      Enhanced failover detection using recursive routes
VRRP                   Virtual Router Redundancy Protocol for gateway failover
