I’m trying to make my main mikrotik router route outbound traffic to two different providers based off of the source IP. We’re changing providers, and I can’t send one provider’s IPs out a second provider’s link. As such, as we migrate, I want more and more traffic to go to my “B” provider. In Cisco, this would look like:
interface Ethernet0
 description To Office Ethernet
 ip address $Mikrotik-IP 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 ip policy route-map proxy-redir
!
access-list 110 permit ip B.B.1.0 0.0.0.255 any
route-map proxy-redir permit 10
 match ip address 110
 set ip next-hop $Provider-B
ip route 0.0.0.0 0.0.0.0 $Provider-A
Here’s a picture of roughly what I’m dealing with layout-wise:
All of the documentation I’ve seen has to do with dual providers in a NAT scenario, but where that falls short for me is that those packets hit the prerouting and output chains (which is required for IP/Firewall/Mangle). I’m just using the forwarding chain, so mangling is out for me. Short of sticking a Cisco 2621 in there, do I have any easy way to do this?
You can add prerouting rules to existing forward rules without issue. Both chains will be processed. Chains are not like ACLs where if a packet matches an entry in a chain other chains aren’t processed - only the current chain is short-circuited (if passthrough is set to the default of ‘no’).
I’m going to use 192.168.1.0/24 and 192.168.2.0/24 as example IP space that should go out via provider B. Provider B’s gateway is 2.2.2.2 and provider A’s gateway is 1.1.1.1. I find example IPs easier to read than letters masking out octets.
# make an address list for source IPs to be policy routed. this is equivalent to your ACL 110
# both example subnets go out via provider B, so both belong on the same list
/ip firewall address-list
add list=to-provider-B address=192.168.1.0/24
add list=to-provider-B address=192.168.2.0/24
# add a routing mark for all packets coming in via the LAN interface sourced from the to-provider-B address list
# this is equivalent to the route-map - it matches the packets and sets a marker (it doesn't set the next hop IP - it just sets a marker)
# in-interface=LAN assumes your LAN-facing interface is named "LAN"; substitute the real interface name
# if the match logic is complicated you can save router resources by using connection marks. unless you're starved for resources
# keep it simple here since it's temporary
/ip firewall mangle
add chain=prerouting in-interface=LAN src-address-list=to-provider-B action=mark-routing new-routing-mark=to-provider-B
# now set routes. one for packets with the routing mark (this actually sets the next hop IP based on the mark), one as a default route to provider A
# the route mark route has a lower distance, but only packets that have the mark will match.
# everything else falls through to the default as a floating static of sorts
# (RouterOS v6 syntax; in v7 the route uses routing-table= instead of routing-mark= and the table must first be created with /routing table add name=to-provider-B fib)
/ip route
add routing-mark=to-provider-B dst-address=0.0.0.0/0 gateway=2.2.2.2 distance=1
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=2
Any forward chain actions will still be processed for the packets just fine. The only caveat is that destination NAT happens after prerouting, so the IP address might be different in forward if you’re using destination NAT - but your topic title indicates there’s no NAT taking place.
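To make the mark-then-route behaviour described above concrete, here is an added Python model of how the answer's configuration is evaluated for a single packet. It is not RouterOS code and not part of this thread; it models the address list, the mangle prerouting rule and the two routes from the answer (192.168.1.0/24 and 192.168.2.0/24 to 2.2.2.2 via the routing mark, everything else to 1.1.1.1), and assumes the LAN interface is named LAN. It also shows the one edge case worth checking when traffic unexpectedly takes the default route: a packet whose in-interface does not match the mangle rule never receives the mark.

```python
import ipaddress

# Constructed sample data, copied from the configuration in the answer above.
ADDRESS_LISTS = {
    "to-provider-B": [
        ipaddress.ip_network("192.168.1.0/24"),
        ipaddress.ip_network("192.168.2.0/24"),
    ],
}

# /ip firewall mangle, chain=prerouting. Rules are evaluated in order and the
# model stops at the first matching mark-routing rule.
MANGLE_PREROUTING = [
    {
        "in-interface": "LAN",              # assumed LAN interface name
        "src-address-list": "to-provider-B",
        "action": "mark-routing",
        "new-routing-mark": "to-provider-B",
    },
]

# /ip route. routing_mark None stands for the main table.
ROUTES = [
    {"routing-mark": "to-provider-B", "dst": "0.0.0.0/0", "gateway": "2.2.2.2", "distance": 1},
    {"routing-mark": None,            "dst": "0.0.0.0/0", "gateway": "1.1.1.1", "distance": 2},
]


def in_address_list(ip, list_name):
    """True if ip falls inside any prefix on the named address list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADDRESS_LISTS.get(list_name, []))


def mangle(packet):
    """Return the routing mark applied by the first matching prerouting rule, or None."""
    for rule in MANGLE_PREROUTING:
        if rule.get("in-interface") and rule["in-interface"] != packet["in-interface"]:
            continue  # arrived on a different interface: rule does not match
        if rule.get("src-address-list") and not in_address_list(packet["src"], rule["src-address-list"]):
            continue  # source not on the list: rule does not match
        if rule["action"] == "mark-routing":
            return rule["new-routing-mark"]
    return None


def lookup_route(dst, routing_mark):
    """Pick a gateway: the marked table first (if the packet has a mark), then the
    main table; inside a table the longest prefix wins, then the lowest distance."""
    dst_addr = ipaddress.ip_address(dst)
    tables = ([routing_mark] if routing_mark else []) + [None]
    for table in tables:
        candidates = [
            r for r in ROUTES
            if r["routing-mark"] == table and dst_addr in ipaddress.ip_network(r["dst"])
        ]
        if candidates:
            best = min(candidates,
                       key=lambda r: (-ipaddress.ip_network(r["dst"]).prefixlen, r["distance"]))
            return best["gateway"]
    return None  # no route at all


def route_packet(src, dst, in_interface="LAN"):
    """Run a packet through mangle prerouting and the route lookup.
    Returns (routing_mark, gateway)."""
    packet = {"src": src, "dst": dst, "in-interface": in_interface}
    mark = mangle(packet)
    return mark, lookup_route(dst, mark)


if __name__ == "__main__":
    # Constructed sample packets: two sources on the list, one not, and one
    # list source arriving on an interface the mangle rule does not match.
    samples = [
        ("192.168.1.10", "8.8.8.8", "LAN"),
        ("192.168.2.10", "8.8.8.8", "LAN"),
        ("10.0.0.5", "8.8.8.8", "LAN"),
        ("192.168.1.10", "8.8.8.8", "ether5"),
    ]
    for src, dst, iface in samples:
        mark, gw = route_packet(src, dst, iface)
        print(f"src={src:<13} in={iface:<7} mark={str(mark):<14} gateway={gw}")
```

The last sample is the diagnostic one: the source is on the address list, but because the packet did not enter on the interface named in the mangle rule it gets no mark and falls through to the 1.1.1.1 default, which is exactly what an unmarked packet looks like in `/ip route print` counters. Comparing `/interface print` against the `in-interface=` value in `/ip firewall mangle print` is therefore the first thing to check.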
It doesn’t seem to be doing the trick. I’m still seeing the traffic go through to the default (non-tagged) route. One thing that strikes me a bit different is that I’m just using one interface to relay (inherited network design), could that be part of the problem? I wouldn’t expect any of the router logic to be any different due to going in and out on the same interface, but I’ve seen crazier things.
Can you post the output of “/ip address print detail”, “/ip route print detail”, “/ip route export”, “/interface print detail”, and “/ip firewall export”?