Illinory
just joined
Topic Author
Posts: 2
Joined: Fri Nov 24, 2023 1:38 pm

Route rules in ROS7

Fri Nov 24, 2023 2:00 pm

Hello.

I'm using 7.12 Stable and have a question about the functionality of the routing rules.
The test circuit is something like this.
From the uplink network you need to route via src-addr to VRFs (VLANs) identical in addressing.
In ROS6, a similar problem was solved through ip rules.
/interface ethernet
set [ find default-name=ether1 ] comment=to-vrf
set [ find default-name=ether2 ] comment=to-uplink
set [ find default-name=ether13 ] comment=management

# VLAN for identical net
/interface vlan
add interface=ether1 name=vlan106 vlan-id=106
add interface=ether1 name=vlan115 vlan-id=115

# create VRFs
/ip vrf
add interfaces=vlan106 name=vrf106
add interfaces=vlan115 name=vrf115
add interfaces=ether2 name=vrf_uplink

# nets in VRF106 and VRF115 identical
/ip address
add address=10.150.201.1/24 interface=ether2 network=10.150.201.0
add address=192.168.3.30/24 interface=ether13 network=192.168.3.0
add address=10.150.200.63/24 interface=vlan106 network=10.150.200.0
add address=10.150.200.63/24 interface=vlan115 network=10.150.200.0

# VRF106 and VRF115 have default
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.2%ether13@main pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.150.200.1@vrf106 pref-src=0.0.0.0 routing-table=vrf106 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.225.0.0/16 gateway=10.150.201.2@vrf_uplink routing-table=vrf_uplink suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.225.0.0/16 gateway=10.150.201.2@vrf_uplink pref-src=0.0.0.0 routing-table=vrf106 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.225.0.0/16 gateway=10.150.201.2@vrf_uplink pref-src="" routing-table=vrf115 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.150.200.1@vrf115 pref-src="" routing-table=vrf115 scope=30 suppress-hw-offload=no target-scope=10
If you hang markings in firewall prerouting, there are no problems, but this is not an option.
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=vrf115 passthrough=no src-address=10.225.1.0/24
And here’s the question - how does the routing rule work in ROS7?
This doesn’t work anymore, sniffer shows that Mikrotik doesn’t even try, it sends net unreachable.
I tried to specify Routing mark, Interface and even 0.0.0.0/0 as dst-address in any combination. It has no effect.
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.225.1.0/24 table=vrf106
add action=lookup-only-in-table disabled=no src-address=10.225.2.0/24 table=vrf115
 
Illinory
just joined
Topic Author
Posts: 2
Joined: Fri Nov 24, 2023 1:38 pm

Re: Route rules in ROS7

Fri Dec 08, 2023 2:27 pm

It seems that rules only work for traffic from vrf main.
And also after changes in rules you need to disable/enable this rule.
Otherwise it won't work.

Checked at 7.13rc3.
 
jackspprow
just joined
Posts: 1
Joined: Fri Dec 08, 2023 6:33 pm

Re: Route rules in ROS7

Fri Dec 08, 2023 6:35 pm

It looks like you are trying to implement policy-based routing in RouterOS version 7.12 using routing rules. The routing rule configuration you've provided seems correct, and it should work for policy-based routing. However, you mentioned that it's not working as expected.

Here are a few things to check and consider:

Routing Rule Evaluation Order:
Make sure that the routing rules are evaluated in the correct order. Rules are processed from the top down, and the first matching rule is applied. Ensure that the rules for vrf106 and vrf115 are placed in the correct order based on your requirements.

Source Address Matching:
Check the source addresses specified in the routing rules. Confirm that the actual source addresses match the addresses specified in the rules.

Destination Address in Routing Rules:
In RouterOS, routing rules usually don't specify the destination address directly. The destination is determined based on the routing table associated with the routing mark. Ensure that the destination is correctly determined based on the routing mark.

Check Routing Table Associations:
Verify that the routing tables (vrf106 and vrf115) are correctly associated with the respective interfaces (vlan106 and vlan115). Use the print detail command to check the details of the routing tables and associated interfaces.
/ip route print detail

Ensure Correct Network Address in Routes:
Double-check that the network addresses specified in the routes are correct, especially in the ip route entries.

Use a Specific Source IP for Testing:
When testing, try using a specific source IP address for your tests to ensure that you are matching the correct source in the routing rules.

Logging for Troubleshooting:
You can add logging to the routing rules for troubleshooting. For example:
/ip route rule
add action=lookup-only-in-table disabled=no src-address=10.225.1.0/24 table=vrf106 log=yes
add action=lookup-only-in-table disabled=no src-address=10.225.2.0/24 table=vrf115 log=yes
This will log matches to the system log, and you can then check the logs for any information on why a particular rule is not matching.
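
Added example, not part of any post in this thread and not RouterOS code: a Python model of the lookup the topic author expected, with rules checked top-down by source address and a longest-prefix match in the selected table. The connected /24 routes, the host addresses and the function names are assumptions of the model; passing rules=[] models the case from the second post where the rules are not applied to traffic arriving in vrf_uplink, which ends in net unreachable because that table has no route to 10.150.200.0/24.

```python
import ipaddress

# Constructed model of the thread's configuration; not RouterOS code.
# Rules from the first post, in order: (src-address, action, table).
RULES = [
    ("10.225.1.0/24", "lookup-only-in-table", "vrf106"),
    ("10.225.2.0/24", "lookup-only-in-table", "vrf115"),
]

# Static routes from the post, plus the connected /24 that each
# "/ip address" entry implies (assumption of this model).
TABLES = {
    "vrf106": [("0.0.0.0/0", "10.150.200.1"),
               ("10.225.0.0/16", "10.150.201.2@vrf_uplink"),
               ("10.150.200.0/24", "vlan106")],
    "vrf115": [("0.0.0.0/0", "10.150.200.1"),
               ("10.225.0.0/16", "10.150.201.2@vrf_uplink"),
               ("10.150.200.0/24", "vlan115")],
    "vrf_uplink": [("10.225.0.0/16", "10.150.201.2"),
                   ("10.150.201.0/24", "ether2")],
}

def longest_match(table, dst):
    """Next hop of the most specific route covering dst, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def route(src, dst, ingress_table, rules=RULES):
    """Return (table, next_hop); next_hop None means net unreachable."""
    src_ip = ipaddress.ip_address(src)
    for rule_src, action, table in rules:
        if src_ip not in ipaddress.ip_network(rule_src):
            continue
        hop = longest_match(table, dst)
        # lookup-only-in-table is final even on a miss; plain "lookup"
        # would continue with the remaining rules and the ingress table.
        if hop is not None or action == "lookup-only-in-table":
            return table, hop
    return ingress_table, longest_match(ingress_table, dst)
```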
