BGP PBR instead of ECMP

Hi all,

I’m running a CCR1009-7G-1C-1S+ on ROS 6.49.17.

I have 3 upstreams, each one with a separate ethernet port.

U1 is on combo1
U2 is on eth1 and eth2 (LACP)
U3 is on eth3.

I’m looking to be using PBR instead of ECMP.

Each upstream is giving me a Default Route via BGP.

I’ve tried filtering (dropping) the 0.0.0.0/0 received from each peer (so 3x0.0.0.0/0) and setting a manual route for 0.0.0.0/0 with each neighbor’s IP Address (or gateway), everything works just fine.

I want to use PBR instead of ECMP because I’m running voice-related hosting, and in some cases I’m getting garbled audio or lost packets due to an upstream. So I would prefer PBR for each upstream instead of just throwing all the traffic originating from my ASN at ECMP and letting MikroTik decide where it goes.

I’m not using NAT since I’m announcing 2x /24 subnets from my ASN.

I’ve tried the following:

/ip firewall mangle
add chain=prerouting src-address=192.168.1.1 action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting src-address=192.168.2.2 action=mark-routing new-routing-mark=to_ISP2 passthrough=no
add chain=prerouting src-address=192.168.3.3 action=mark-routing new-routing-mark=to_ISP3 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-table=ISP2
add dst-address=0.0.0.0/0 gateway=192.168.3.3 routing-table=ISP3

But I think it’s too easy to be true, because… it’s not working :)

Am I missing something? Is there something else that I should do?

Thank you!

It is probably not working because the marks “to_ISPX” are not the same as “ISPX”.

Well, what’s coming from ISP1 I want to route it out through ISP1. ISP2 to ISP2, ISP3 to ISP3.

Currently, what’s coming in is going out via ECMP, so no control over how it goes out of my network.

Well of course, but for that you need to use the correct names, as I mentioned previously.

@SwaggerRO - What @mrz meant, to be more precise, is that the ‘new-routing-mark’ name needs to match the ‘routing-table’ name. So, for example:

/ip firewall mangle
add chain=prerouting src-address=192.168.1.1 action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting src-address=192.168.2.2 action=mark-routing new-routing-mark=to_ISP2 passthrough=no
add chain=prerouting src-address=192.168.3.3 action=mark-routing new-routing-mark=to_ISP3 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to_ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-table=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.168.3.3 routing-table=to_ISP3

What purty colours!!
Version 6.
/ip firewall mangle
add chain=forward action=mark-connection connection-mark=no-mark dst-address-type=!local src-address=192.168.1.0/24 new-connection-mark=stream1 passthrough=yes
add chain=forward action=mark-connection connection-mark=no-mark dst-address-type=!local src-address=192.168.2.0/24 new-connection-mark=stream2 passthrough=yes
add chain=forward action=mark-connection connection-mark=no-mark dst-address-type=!local src-address=192.168.3.0/24 new-connection-mark=stream3 passthrough=yes
add chain=prerouting action=mark-routing connection-mark=stream1 new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=stream2 new-routing-mark=to_ISP2 passthrough=no
add chain=prerouting action=mark-routing connection-mark=stream3 new-routing-mark=to_ISP3 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.2
add distance=3 dst-address=0.0.0.0/0 gateway=192.168.3.3
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-mark=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.168.3.3 routing-mark=to_ISP3

++++++++++++++++
Version 7

/routing table
add fib name=to_ISP1
add fib name=to_ISP2
add fib name=to_ISP3

/ip firewall mangle
add chain=forward action=mark-connection connection-mark=no-mark dst-address-type=!local src-address=192.168.1.0/24 new-connection-mark=stream1 passthrough=yes
add chain=forward action=mark-connection connection-mark=no-mark dst-address-type=!local src-address=192.168.2.0/24 new-connection-mark=stream2 passthrough=yes
add chain=forward action=mark-connection connection-mark=no-mark dst-address-type=!local src-address=192.168.3.0/24 new-connection-mark=stream3 passthrough=yes
add chain=prerouting action=mark-routing connection-mark=stream1 new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=stream2 new-routing-mark=to_ISP2 passthrough=no
add chain=prerouting action=mark-routing connection-mark=stream3 new-routing-mark=to_ISP3 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-table=main
add distance=3 dst-address=0.0.0.0/0 gateway=192.168.3.3 routing-table=main
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to_ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-table=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.168.3.3 routing-table=to_ISP3
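
Added example, not part of any post in this thread: a small Python lint that reads a RouterOS export and reports every new-routing-mark that has no identically named routing table, which is the mismatch diagnosed above. The sample exports and function names are constructed for illustration; the v7 check assumes the table must also be declared under /routing table, as in the Version 7 listing.

```python
import re

# Constructed v6-style sample: to_ISP1 is marked, but its route says "ISP1".
V6_SAMPLE = """\
/ip firewall mangle
add chain=prerouting src-address=192.168.1.0/24 action=mark-routing \\
    new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting src-address=192.168.2.0/24 action=mark-routing new-routing-mark=to_ISP2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-mark=to_ISP2
"""
# Constructed v7-style sample: routes match, but to_ISP2 has no fib table.
V7_SAMPLE = """\
/routing table
add fib name=to_ISP1
/ip firewall mangle
add chain=prerouting action=mark-routing connection-mark=stream1 new-routing-mark=to_ISP1
add chain=prerouting action=mark-routing connection-mark=stream2 new-routing-mark=to_ISP2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to_ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-table=to_ISP2
"""

def entries(export):
    """Yield (menu, params) per 'add' line; backslash continuations are joined."""
    menu = None
    for line in map(str.strip, re.sub(r"\\\n\s*", "", export).splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            yield menu, dict(re.findall(r"([\w-]+)=(\S+)", line))

def unmatched_marks(export):
    """Return {mark: reason} for routing marks that no routing table will serve."""
    marks, routed, declared = set(), set(), set()
    for menu, p in entries(export):
        if menu == "/ip firewall mangle" and "new-routing-mark" in p:
            marks.add(p["new-routing-mark"])
        elif menu == "/ip route":  # v6 names the table routing-mark=, v7 routing-table=
            routed.add(p.get("routing-mark") or p.get("routing-table"))
        elif menu == "/routing table":
            declared.add(p.get("name"))
    problems = {}
    for m in sorted(marks):
        if m not in routed:
            problems[m] = "no route in a table with this name"
        elif "routing-table=" in export and m not in declared:  # v7 syntax in use
            problems[m] = "table not declared under /routing table"
    return problems
```

Feed it the text of an export taken before applying a change; an empty result means every mark has a table to land in.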