2 isp

sorinbuda · June 10, 2006, 9:29am

Would you please take a look and tell me what is wrong here?

[admin@crosslink] ip firewall address-list> print
Flags: X - disabled, D - dynamic 
 #   LIST       ADDRESS                        
 0   isp1    81.180.0.0/15                  
 1   isp1    80.96.0.0/15                   
 2   isp1    85.120.0.0/14

[admin@crosslink] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting dst-address-list=isp1 action=mark-routing new-routing-mark=isp1 passthrough=yes 
 1   chain=prerouting dst-address-list=!isp1 action=mark-routing new-routing-mark=isp2 passthrough=no

[admin@crosslink] ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf 
 #     DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTERFACE        ROUTING MARK 
 0 ADC xxx.xxx.0.1/32    xxx.xxx.17.200                              interface isp1
 1 ADC xxx.xxx.93.0/26   xxx.xxx.93.20                               interface isp2      
 2 ADC 192.168.0.0/22    192.168.0.1                                 interface local
 3 A S 0.0.0.0/0                          r xxx.xxx.93.1             interface isp2       
 4 A S 0.0.0.0/0                          r xxx.xxx.0.1              interface isp1   isp1

[admin@crosslink] ip dns> print
            primary-dns: xxx.xxx.xxx.25 DNS isp1
          secondary-dns: xxx.xxx.xxx.20 1DNS isp2
  allow-remote-requests: yes
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 244KiB

I would like to route the entire traffic comming from/gowing to ISP1 trough ISP1 gateway and the rest of the traffic trough ISP2 gateway.
However I am making a mistake somewhere. Any help?

zaherhamiyah · June 10, 2006, 9:55am

i dont have much time to read all of your config but i advice increase your DNS cache to 10MB=10240KB

advantz · June 10, 2006, 12:38pm

where is nat code?

I assume you are using src-nat?

sorinbuda · June 10, 2006, 1:14pm

here it is:

[admin@crosslink] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat src-address=192.168.0.0/22 action=masquerade

sorinbuda · June 12, 2006, 9:50am

any ideea? regarding this issue?
2 internet service providers, 1 LAN, routing traffic based on Address List

sorinbuda · June 12, 2006, 7:07pm

I changed the nat rules
still no result

[admin@crosslink] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0 chain=srcnat connection-mark=isp1 action=src-nat to-addresses=xxx.xxx.17.200 to-ports=0-65535 

 1 chain=srcnat connection-mark=isp2 action=src-nat to-addresses=xxx.xxx.93.20 to-ports=0-65535

Mitak · June 12, 2006, 7:37pm

/ip firewall mangle

Mark isp1 connection:
add chain=prerouting src-address-list=isp1 action=mark-connection new-connection-mark=isp1_conn passthrough=yes

Mark isp1 packets:
add chain=prerouting connection-mark=isp1_conn action=mark-packet new-packet-mark=isp1_p

do same for isp2:
add chain=prerouting src-address-list=!isp1 action=mark-connection new-connection-mark=isp2_conn passthrough=yes

add chain=prerouting connection-mark=isp2_conn action=mark-packet new-packet-mark=isp2_p

routing mark:

add chain=prerouting packet-mark=isp1_p action=mark-routing new-routing-mark=isp1_r
add chain=prerouting packet-mark=isp2_p action=mark-routing new-routing-mark=isp2_r

now add the routing rules:

/ip route
1st remove the default gateway:

remove [/ip route find dst 0.0.0.0/0]

and add the isp1 gateway:
add gateway=ISP1_GATEWAY routing-mark=isp1_r
add gateway=ISP2_GATEWAY routing-mark=isp2_r

just replace ISP1_GATEWAY and ISP2_GATEWAY with your gateways, ant that`s all!

now, add a masquerade rule:

/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 action=masquerade

just replace 192.168.0.0/24 network with your network, ant that`s all!

sorinbuda · June 13, 2006, 4:46pm

thank you, but
somewhere there is still a problem

here it is the configuration now:

[admin@crosslink] ip firewall address-list> print 
Flags: X - disabled, D - dynamic 
 #   LIST       ADDRESS                        
 0   isp1    81.180.0.0/15                  
 1   isp1    80.96.0.0/15                    
 2   isp1    85.120.0.0/14

[admin@crosslink] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting src-address-list=isp1 action=mark-connection 
     new-connection-mark=isp1_conn passthrough=yes 

 1   chain=prerouting connection-mark=isp1_conn action=mark-packet 
     new-packet-mark=isp1_pack passthrough=no 

 2   chain=prerouting packet-mark=isp1_pack action=mark-routing 
     new-routing-mark=isp1_route passthrough=no 

 3   chain=prerouting src-address-list=!isp1 action=mark-connection 
     new-connection-mark=isp2_conn passthrough=yes 

 4   chain=prerouting connection-mark=isp2_conn action=mark-packet 
     new-packet-mark=isp2_pack passthrough=no 

 5   chain=prerouting packet-mark=isp2_pack action=mark-routing 
     new-routing-mark=isp2_route passthrough=no

[admin@crosslink] ip dns> print 
            primary-dns: xxx.xxx.xxx.25 DNS isp1 
          secondary-dns: xxx.xxx.xxx.20 1DNS isp2 
  allow-remote-requests: yes 
             cache-size: 2048KiB 
          cache-max-ttl: 1w 
             cache-used: 244KiB

[admin@crosslink] ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf 
 #     DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTERFACE     
 0 ADC xxx.xxx.0.1/32        xxx.xxx.xxx.xxx                              isp1 interface
 1 ADC xxx.xxx.93.0/26     xxx.xxx.93.20                               isp2 interface       
 2 ADC 192.168.0.0/22    192.168.0.1                             Lan       
 3 A S 0.0.0.0/0                          r gatewayISP2              isp2       (routing-mark=isp2_route)
 4 A S 0.0.0.0/0                          r gatewayISP1                 isp1 (routing-mark=isp1_route)

[pentagrama@crosslink] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat src-address=192.168.0.0/22 action=masquerade

thank you once again

Mitak · June 13, 2006, 9:24pm

hm… try:

/ip firewall mangle

set 1 passthrough=yes
set 4 passthrough=yes

sorinbuda · June 14, 2006, 6:49am

I tried that as well
I 've got the same problem

Does it matter that I’m connecting to ISP1 via Ethernet and to ISP2 via PPoE?

joeri91942 · June 14, 2006, 9:05am

Not sure I completely understand what you want to do, you stated that you want to "entire traffic comming from/gowing to ISP1 trough ISP1 gateway "… how would you know what IPs are under a certains ISPs control?

If you are saying that you want incoming traffic to your router’s external ISP1 interface to be returned the way it arrived (for example a published web server) you wold be better of marking traffic on what interface it arrives on instead of the IP.

Also you need to first do a connection-mark (to be able to track replies) and then mark packets that match the connection-mark, on packet mark rules you should set passthrough=no so that later rules doesn’t change your marks.

Search my posts for a thread discussing policy based routing, you should be able to figure out how to do it from that

Best regards

/Jörgen

sorinbuda · June 14, 2006, 9:44am

Not sure I completely understand what you want to do, you stated that you want to "entire traffic comming from/gowing to ISP1 trough ISP1 gateway "… how would you know what IPs are under a certains ISPs control?

Yes, that is what I would like to do. I know all addresses alocated to ISP1 from http://www.ripe.net and I inserted them in an Address List.

joeri91942 · June 14, 2006, 10:15am

Then it should be enough with just static routes…

/Jörgen

Mitak · June 14, 2006, 11:52am

http://forum.mikrotik.com//viewtopic.php?t=8870

http://wiki.mikrotik.com/wiki/Improved_Load_Balancing_over_Multiple_Gateways

sorinbuda · June 18, 2006, 11:54am

any neaws regarding this problem?
has enybody tried such configuration?