Forwarding All Types of Traffic Through Specified Interface

Hello,

I have a local ISP connection that is failing to tracert to a certain IP address. The traffic to this IP address uses a specific port. My setup is as follows.

Ether 1 : 10.0.0.1/30 (WAN1)
Ether 2 : 10.10.0.1/30 (WAN2)
Ether 3 : 192.168.10.1/24 (LAN)

Ether 1 is the local ISP that is failing to reach this address. Ether 2 is another connection that is able to connect to the service.

How do I get all that specific traffic to only go through ether 2?

Thanks in advance.

Hi,

Just add a single default route towards ether2 or you can use mangle rules for routing mark/route map.

Sorry, being a bit of a nab myself, I have been unable to get it working correctly. I have so far marked the connection, packet and route for SMTP in mangle. Please could you send step-by-step info on how to get only SMTP traffic through ether 2? That being said, I will need other specific web addresses forwarded in the same manner at some stage.

Thanks in advance.

/ip firewall mangle add chain=prerouting protocol=tcp dst-port=25 action=mark-routing new-routing-mark=smtp
/ip route add gateway=ether2 routing-mark=smtp

You can make it more specific by adding dst-address= in the mangle rule.

Thanks so much! Will be trying this tomorrow. Will get back to you.

Hi. I have tested and have been unsuccessful. For testing purposes I am using ICMP in the code below instead of SMTP. Included in this are my PCC settings. When I try to ping through ether2 from the MikroTik I get timeouts and "dest host unreachable" errors. I find it strange that the route dealing with 192.168.16.1 (ether2) is listed as static but not active.

        DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 A S  0.0.0.0/0                          87.xxx.xxx.25   1
 1 A S  0.0.0.0/0                          192.168.16.1    1
 2 A S  0.0.0.0/0                          ether2          1
 3 A S  0.0.0.0/0                          87.xxx.xxx.25   1
 4   S  0.0.0.0/0                          192.168.16.1    2
 5 ADC  87.xxx.xxx.24/29   87.xxx.xxx.27   ether1          0
 6 ADC  192.168.1.0/24     192.168.1.1     ether3          0
 7 ADC  192.168.16.0/24    192.168.16.222  ether2          0


0 chain=prerouting action=accept dst-address=87.xxx.xxx.24/29 in-interface=ether3

1 chain=prerouting action=accept dst-address=192.168.16.0/24 in-interface=ether3

2 chain=prerouting action=mark-connection new-connection-mark=new conn ether1 passthrough=yes in-interface=ether1 connection-mark=no-mark

3 chain=prerouting action=mark-connection new-connection-mark=new conn ether2 passthrough=yes in-interface=ether2 connection-mark=no-mark

4 chain=prerouting action=mark-connection new-connection-mark=ether1conn passthrough=yes dst-address-type=!local in-interface=ether3 connection-mark=no-mark per-connection-classifier=both-addresses:2/0

5 chain=prerouting action=mark-connection new-connection-mark=ether2conn passthrough=yes dst-address-type=!local in-interface=ether3 connection-mark=no-mark per-connection-classifier=both-addresses:2/1

6 chain=prerouting action=mark-routing new-routing-mark=toether1 passthrough=yes in-interface=ether3 connection-mark=ether1conn

7 chain=prerouting action=mark-routing new-routing-mark=toether2 passthrough=yes in-interface=ether3 connection-mark=ether2conn

8 chain=output action=mark-routing new-routing-mark=to ether 1 passthrough=yes connection-mark=ether1conn

9 chain=output action=mark-routing new-routing-mark=to ether 2 passthrough=yes connection-mark=ether2conn

10 X chain=prerouting action=mark-routing new-routing-mark=icmp passthrough=no protocol=icmp

Your help would be greatly appreciated.

Hi,

Why didn't you enable passthrough=yes in rule 10…

I tried with and without passthrough for testing. Reconfirmed that this morning. When I specify ether 2 for ICMP, "dest. host unreachable" errors come from the IP assigned to that interface.

Any ideas? Thanks for the help so far.

I have edited my code again:

/ip firewall mangle add chain=prerouting protocol=tcp dst-port=25 place-before=0 action=mark-routing new-routing-mark=smtp
/ip route add gateway=ether2 routing-mark=smtp

So delete the old rule and try this one…

Or let's try once by disabling the other rule…

What about adding 2 forward rules allowing traffic from ether1 to ether2 and the other way around?
I am not sure but isn’t the default forward behavior “drop”?

Hi all experts, I have configured a MikroTik CCR1036RM with 7 WAN connections using PCC, but I am facing a problem with all bank websites, government websites, Outlook and webmail, because they all use SSL. When we log in we receive the message "your IP address changed" and are not able to log in. Now we want to use only WAN interface 7 for Outlook, webmail and HTTPS websites, to bypass load balancing. Please help in this case: what steps do I need? I am new to MikroTik, so please make it a little bit easy for me. Thank you.

You can use a policy routing rule after you mark in route.
In this way you link an IP to a WAN.
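
The policy-routing setup discussed in this thread, written out end to end as an added example (not code from any of the posters). It uses the same RouterOS v6 `routing-mark` syntax as the commands above and applies equally to pinning HTTPS or other selected traffic to one WAN ahead of PCC rules. Assumptions: the WAN2 next hop is 10.10.0.2 (the other host in the 10.10.0.0/30 from the first post), the LAN is ether3, and the mark and list names are hypothetical.

```routeros
# Added example, RouterOS v6 syntax. Assumed values: next hop 10.10.0.2,
# LAN on ether3, mark name "via-wan2", address-list name "via-wan2-dst".

# 1. Route for marked traffic. Use the next-hop IP, not the interface name:
#    with gateway=ether2 on Ethernet the router ARPs for every remote
#    destination itself and gets no answer unless the upstream proxy-ARPs.
/ip route add dst-address=0.0.0.0/0 gateway=10.10.0.2 routing-mark=via-wan2 \
    check-gateway=ping comment="policy route: selected traffic via WAN2"

# 2. Mark LAN-originated SMTP ahead of the load-balancing (PCC) rules.
#    passthrough=no stops later mangle rules from overwriting the mark.
#    place-before=0 requires that a mangle rule 0 already exists.
/ip firewall mangle add chain=prerouting in-interface=ether3 protocol=tcp \
    dst-port=25 dst-address-type=!local action=mark-routing \
    new-routing-mark=via-wan2 passthrough=no place-before=0 \
    comment="SMTP via WAN2"

# 3. Traffic generated by the router itself (for example a test run from the
#    router's own terminal) never enters prerouting; mark it in chain=output.
/ip firewall mangle add chain=output protocol=tcp dst-port=25 \
    action=mark-routing new-routing-mark=via-wan2 passthrough=no \
    comment="router-originated SMTP via WAN2"

# 4. Source NAT on the exit interface so replies come back through WAN2
#    (skip if an equivalent rule is already present).
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade \
    comment="NAT for WAN2"

# 5. Pin specific destinations: keep them in an address list and match it.
/ip firewall address-list add list=via-wan2-dst address=192.0.2.10 \
    comment="constructed sample address (TEST-NET-1)"
/ip firewall mangle add chain=prerouting in-interface=ether3 \
    dst-address-list=via-wan2-dst action=mark-routing \
    new-routing-mark=via-wan2 passthrough=no place-before=0 \
    comment="listed destinations via WAN2"

# Verify: the mangle counters should increase under test traffic, and the
# marked route must carry the A (active) flag.
/ip firewall mangle print stats
/ip route print where routing-mark=via-wan2
```

On a router with a default-drop forward chain, a matching accept rule for ether3 to ether2 is also needed; the default RouterOS filter table is not shown anywhere in this thread, so that part is left out.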