BALANCEO PCC

Hola estaba leyendo foros sobre balanceo pcc, tengo un problema que a veces puedo acceder a mi equipo de borde (router gestionador de clientes con pppoe) y otras veces no me da acceso o tengo que cambiar de ip publica con una vpn, quisiera saber cual es el error.
Me dicen que las conexiones entrantes no son las mismas que las salientes, me podrían ayudar.

# feb/09/2022 23:07:33 by RouterOS 6.49.1
# software id = RD6D-2ITU
#
# model = 951Ui-2HnD
# serial number = 8A3809911A9D
/interface ethernet
set [ find default-name=ether1 ] name=ISP1
set [ find default-name=ether2 ] name=ISP2
set [ find default-name=ether3 ] advertise=100M-half,100M-full name=LAN
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 country=no_country_set \
frequency-mode=manual-txpower ssid=MikroTik station-roaming=enabled
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip neighbor discovery-settings
set discover-interface-list=all
/ip address
add address=192.168.2.2/24 interface=ISP1 network=192.168.2.0
add address=192.168.3.2/24 interface=ISP2 network=192.168.3.0
add address=192.168.100.1/24 interface=LAN network=192.168.100.0
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input connection-state=established,related protocol=\
tcp
add action=accept chain=forward protocol=tcp
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
LAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=\
LAN
add action=mark-connection chain=prerouting in-interface=ISP1 \
new-connection-mark=isp1_con passthrough=yes
add action=mark-connection chain=prerouting in-interface=ISP2 \
new-connection-mark=isp2_con passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN new-connection-mark=isp1_con passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN new-connection-mark=isp2_con passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=isp1_con \
in-interface=LAN new-routing-mark=to_isp1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=isp2_con \
in-interface=LAN new-routing-mark=to_isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=isp1_con \
new-routing-mark=to_isp1 passthrough=yes
add action=mark-routing chain=output connection-mark=isp2_con \
new-routing-mark=to_isp2 passthrough=yes
add action=accept chain=prerouting disabled=yes dst-address=192.168.2.0/30
add action=accept chain=prerouting disabled=yes dst-address=192.168.3.0/30
add action=mark-connection chain=prerouting disabled=yes in-interface=ISP1 \
new-connection-mark=isp1_con passthrough=yes
add action=mark-connection chain=prerouting disabled=yes in-interface=ISP2 \
new-connection-mark=isp2_con passthrough=yes
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
!local in-interface=LAN new-connection-mark=isp1_con passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
!local in-interface=LAN new-connection-mark=isp2_con passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=isp1_con disabled=\
yes in-interface=LAN new-routing-mark=to_isp1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=isp2_con disabled=\
yes in-interface=LAN new-routing-mark=to_isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=isp1_con disabled=yes \
new-routing-mark=to_isp1 passthrough=yes
add action=mark-routing chain=output connection-mark=isp2_con disabled=yes \
new-routing-mark=to_isp2 passthrough=yes
add action=accept chain=prerouting disabled=yes dst-address=192.168.2.0/30
add action=accept chain=prerouting disabled=yes dst-address=192.168.3.0/30
add action=mark-connection chain=prerouting disabled=yes in-interface=ISP1 \
new-connection-mark=isp1_con passthrough=yes
add action=mark-connection chain=prerouting disabled=yes in-interface=ISP2 \
new-connection-mark=isp2_con passthrough=yes
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
!local in-interface=LAN new-connection-mark=isp1_con passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
!local in-interface=LAN new-connection-mark=isp2_con passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=isp1_con disabled=\
yes in-interface=LAN new-routing-mark=to_isp1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=isp2_con disabled=\
yes in-interface=LAN new-routing-mark=to_isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=isp1_con disabled=yes \
new-routing-mark=to_isp1 passthrough=yes
add action=mark-routing chain=output connection-mark=isp2_con disabled=yes \
new-routing-mark=to_isp2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2
add action=dst-nat chain=dstnat disabled=yes dst-port=9012 in-interface=ISP1 \
protocol=tcp to-addresses=192.168.100.2 to-ports=9012
add action=dst-nat chain=dstnat dst-port=8023 in-interface=ISP1 protocol=tcp \
to-addresses=192.168.100.2 to-ports=8023
add action=dst-nat chain=dstnat comment=oDOO dst-address=192.168.2.2 \
dst-port=8728 protocol=tcp to-addresses=192.168.100.2 to-ports=8728
add action=dst-nat chain=dstnat dst-port=8008 in-interface=ISP1 protocol=tcp \
to-addresses=192.168.100.2 to-ports=8008
add action=dst-nat chain=dstnat comment=GESTION-CLIENTE dst-port=9090 \
in-interface=ISP1 protocol=tcp to-addresses=192.168.100.2 to-ports=9090
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_isp1
add check-gateway=ping disabled=yes distance=1 gateway=192.168.2.1 \
routing-mark=to_isp1
add check-gateway=ping disabled=yes distance=1 gateway=192.168.2.1 \
routing-mark=to_isp1
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_isp2
add check-gateway=ping disabled=yes distance=1 gateway=192.168.3.1 \
routing-mark=to_isp2
add check-gateway=ping disabled=yes distance=1 gateway=192.168.3.1 \
routing-mark=to_isp2
add check-gateway=ping distance=1 gateway=192.168.2.1
add check-gateway=ping comment=ISP1 distance=1 gateway=192.168.2.1 scope=10
add check-gateway=ping distance=2 gateway=192.168.3.1
add check-gateway=ping comment=ISP2 distance=2 gateway=192.168.3.1 scope=10
add check-gateway=ping disabled=yes distance=1 gateway=192.168.2.1
add check-gateway=ping disabled=yes distance=2 gateway=192.168.3.1
add comment=Check-ISP1 distance=1 dst-address=1.1.1.1/32 gateway=192.168.2.1
add comment=Check-ISP2 distance=1 dst-address=8.8.4.4/32 gateway=192.168.3.1
/ip service
set telnet disabled=yes
set www port=9022
set ssh port=65522
/ip smb
set allow-guests=no
/system clock
set time-zone-name=America/Guayaquil
/system identity
set name=BALANCEADOR-VENCEDORES
/system scheduler
add interval=2m30s name="Enable/Disable Routes" on-event=\
"Enable/Disable Routes" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
startup
/system script
add dont-require-permissions=yes name="Enable/Disable Routes" owner=tecnico \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="#set variables\r\
\n:local pingcount 2\r\
\n:local pingip [:resolve \"www.google.com\"]\r\
\n:local Gateways \"192.168.2.1,192.168.3.1\r\
\n:local Gateway [:toarray \$Gateways]\r\
\n\r\
\n#Setup Log File\r\
\n:if ([/system logging action print count-only where name=GatewaysCheck]=\
0) do={/system logging action add name=GatewaysCheck target=disk disk-file\
-name=\"Gateways Check\" disk-lines-per-file=10000}\r\
\n:if ([/system logging print count-only where action=GatewaysCheck]=0) do\
={/system logging add topics=script action=GatewaysCheck}\r\
\n\r\
\n:if ([/ip route print count-only where dst-address=\"\$pingip/32\"]=0) d\
o={/ip route add dst-address=(\$pingip) gateway=(192.168.3.1) comment=\"Ga\
teway Check\"};\r\
\n\r\
\n:foreach k in \$Gateway do={\r\
\n#Test Gateways:\r\
\n/ip route set [find dst-address=\"\$pingip/32\"] disabled=no gateway=\$k\
\_comment=\"Checking Gateway \$k ...\";\r\
\n:delay 1000ms;\r\
\n:if ([/ip route get [find dst-address=\"\$pingip/32\"] gateway-status] =\
\_\"\$k unreachable\") do={:log info (\"Router \$k not present or unconfig\
ured\")} else={\r\
\n:local pingresult [/ping \$pingip count=\$pingcount];\r\
\n# Gateway enable/disable:\r\
\n:if (\$pingresult=0) do={:foreach i in=[/ip route find gateway=\$k] do={\
/ip route set \$i disabled=yes}};\r\
\n:if (\$pingresult>0) do={:foreach i in=[/ip route find gateway=\$k] do={\
:if ([/ip route get \$i disabled]) do={/ip route set \$i disabled=no}}};\r\
\n:if (\$pingresult=0) do={:log info (\"Gateway \$k Down! \$pingresult / \
\$pingcount\")} else={:log info (\"Gateway \$k Up \$pingresult / \$pingcou\
nt\")};\r\
\n:delay 3000ms;\r\
\n}\r\
\n}\r\
\n/ip route remove [find dst-address=\"\$pingip/32\"]"
/tool graphing resource
add
add
/tool netwatch
add down-script="/ip route set [find comment=ISP1] disabled=yes" host=8.8.4.4 \
interval=10s up-script="ip route set [find comment=ISP1] disabled=no"
add down-script="/ip route set [find comment=ISP2] disabled=yes" host=1.1.1.1 \
interval=10s up-script="ip route set [find comment=ISP2] disabled=no"
/tool romon
set enabled=yes
 
Prueba con esta config para el mangle, las rutas y, de momento, desactiva el forwarding de puertos en el NAT y deja únicamente las reglas de masquerade, por intentar ver de dónde viene el problema. Te he comentado las instrucciones, para que veas lo que hacen. Deshabilita también todo el tema del scripting
Código:
/interface ethernet
set [ find default-name=ether1 ] name=ISP1
set [ find default-name=ether2 ] name=ISP2
set [ find default-name=ether3 ] advertise=100M-half,100M-full name=LAN

/ip address
# Define WANs
add address=192.168.2.2/30 interface=ISP1
add address=192.168.3.2/30 interface=ISP2
# Define LAN
add address=192.168.100.1/24 interface=LAN

/ip firewall mangle
# Accept traffic from LAN to uptream WAN routers
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=LAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=LAN

# Mark connections in prerouting (WAN to LAN), only for non marked (new) connections
add action=mark-connection chain=prerouting in-interface=ISP1 \
connection-mark=no-mark new-connection-mark=isp1_con passthrough=yes
add action=mark-connection chain=prerouting in-interface=ISP2 \
connection-mark=no-mark new-connection-mark=isp2_con passthrough=yes

# Mark connections in a balanced way, in prerouting (LAN to WAN), only for non marked (new) connections
add action=mark-connection chain=prerouting dst-address-type=!local \
connection-mark=no-mark in-interface=LAN new-connection-mark=isp1_con passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
connection-mark=no-mark in-interface=LAN new-connection-mark=isp2_con passthrough=yes \
per-connection-classifier=both-addresses:2/1

# Mark routing in prerouting (LAN to WAN), for those with a connection mark
add action=mark-routing chain=prerouting connection-mark=isp1_con \
in-interface=LAN new-routing-mark=to_isp1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp2_con \
in-interface=LAN new-routing-mark=to_isp2 passthrough=no

# Mark routing output (Router to WAN), for those with a connection mark
add action=mark-routing chain=output connection-mark=isp1_con \
new-routing-mark=to_isp1 passthrough=no
add action=mark-routing chain=output connection-mark=isp2_con \
new-routing-mark=to_isp2 passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2

/ip route
# Balanced routes
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_isp1
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_isp2
# Default route
distance=1 gateway=192.168.2.1
# Backup route
distance=2 gateway=192.168.3.1

Saludos!
 
Arriba