Hi
I’m a bit stumped here
I have multiple gateways on my 450, they all work (i.e. disable one, all traffic goes to the enabled one) until I try to use them with marked routes.
I have traffic being marked, with routing-mark (I have verified this by looking at the stats in ip firewall). So the marking is working, and the interfaces are working. As soon as I try to add a marked route, all that marked traffic then stops (only for that traffic that falls into the marked group).
All I want is traffic from one subnet to go out one interface. And later, to make that traffic higher priority. And then if it all works to do packet/service based marking, but I need this to work first (this is my proof of concept if you will, just based on IPs for now). I’ve looked at the FAQs, followed them as best I can, but I am still stuck and so I’ve decided to ask here.
Basically, as soon as I try to add a marked route (to one of the existing gateway interfaces), any of that traffic that is supposed to go there doesn’t go anywhere.
Here is an example:
[admin@RR_gate] /ip address> p
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.2.1/24 192.168.2.0 192.168.2.255 e2
1 192.168.0.1/24 192.168.0.0 192.168.0.255 e4-168-0-1
2 192.168.1.1/24 192.168.1.0 192.168.1.255 e3
3 D ww.xx.yy.zz/24 xx.yy.zz.0 xx.yy.zz.255 e1-gateway
4 D aa.bb.cc.dd/24 aa.bb.cc.0 aa.bb.cc.255 e5-gateway2
address lists:
[admin@RR_gate] /ip firewall address-list> p
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 LAN-SUBNET 192.168.0.0/24
1 DMZ-SUBNET 192.168.1.0/24
2 VOIP-SUBNET 192.168.2.0/24
mangle rules: (note I added rule 2 just to be really sure)
[admin@RR_gate] /ip firewall mangle> p
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=voip passthrough=no src-address-list=VOIP-SUBNET dst-address-list=""
1 chain=prerouting action=mark-routing new-routing-mark=voip passthrough=no dst-address-list=VOIP-SUBNET
2 X chain=prerouting action=mark-routing new-routing-mark=other passthrough=no src-address-list=!VOIP-SUBNET
nat:
[admin@RR_gate] /ip firewall nat> p
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Added by webbox
chain=srcnat action=masquerade out-interface=e1-gateway
1 chain=srcnat action=masquerade out-interface=e5-gateway2
routes (before adding the marked route):
[admin@RR_gate] /ip route> p
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 ADS 0.0.0.0/0 reachable ww.xx.yy.zz 0 e1-gateway
1 DS 0.0.0.0/0 reachable aa.bb.cc.dd 0 e5-gateway2
2 ADC ww.xx.yy.0/24 ww.xx.yy.zz 0 e1-gateway
3 ADC 192.168.0.0/24 192.168.0.1 0 e4-168-0-1
4 ADC 192.168.1.0/24 192.168.1.1 0 e3
5 ADC 192.168.2.0/24 192.168.2.1 0 e2
6 ADC aa.bb.cc.0/24 aa.bb.cc.dd 0 e5-gateway2
So now, the above all works, just that all traffic goes through whichever of the gateways is enabled first.
Now, from what I’ve read, all I need to do is:
add gateway=aa.bb.cc.dd routing-mark=voip
But when I do, all that traffic in that marked group… doesn’t go out. (Everything else that is not marked still does.)
I’ve seen other examples which add a routing rule (which I don’t think I need, but I tried anyway and it still doesn’t work), I’ve seen other examples which don’t have the default gateway pre-existing, I’ve tried deleting the original routes and only having the marked route, etc. etc.
What am I doing wrong?!?!
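The following is an added toy model, not the poster's configuration output and not MikroTik code, written to reason about the rules quoted above. It replays the three mangle rules and the active routes from the post against a few constructed flows, once with and once without the marked default route. The lookup semantics are a modelling assumption (marked table first by longest-prefix match, fall back to main only when the marked table has no matching route, connected routes only in main) and are not verified against any RouterOS version; the WAN addresses 203.0.113.0/24, 192.0.2.0/24 and the remote host 198.51.100.7 are constructed stand-ins for the anonymised ones on the page.

```python
"""Toy model of prerouting mark-routing plus per-mark route lookup, built from
the configuration shown in the post above.  Assumptions (not checked against
any particular RouterOS version): a marked packet is looked up in the table of
that name by longest-prefix match, falling back to main only when that table
holds no matching route; connected routes exist only in the main table."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed stand-ins for the anonymised WAN addresses in the post:
# ww.xx.yy.zz/24 on e1-gateway -> 203.0.113.0/24, aa.bb.cc.dd/24 on e5-gateway2 -> 192.0.2.0/24
GW1 = "203.0.113.1"
GW2 = "192.0.2.1"
REMOTE = "198.51.100.7"  # constructed Internet host

ADDRESS_LISTS: Dict[str, List[Net]] = {
    "LAN-SUBNET": [Net("192.168.0.0/24")],
    "DMZ-SUBNET": [Net("192.168.1.0/24")],
    "VOIP-SUBNET": [Net("192.168.2.0/24")],
}

@dataclass(frozen=True)
class MangleRule:
    new_routing_mark: str
    src_list: Optional[str] = None
    dst_list: Optional[str] = None
    src_negated: bool = False   # "!VOIP-SUBNET" in the post
    passthrough: bool = False
    disabled: bool = False

@dataclass(frozen=True)
class Route:
    dst: Net
    interface: str
    gateway: Optional[str] = None
    routing_mark: str = "main"  # unmarked routes live in the main table

def list_matches(addr: IPv4, list_name: Optional[str], negated: bool = False) -> bool:
    """An empty matcher (dst-address-list="") matches every address."""
    if not list_name:
        return True
    hit = any(addr in net for net in ADDRESS_LISTS[list_name])
    return hit != negated

def apply_mangle(src: IPv4, dst: IPv4, rules: List[MangleRule]) -> Optional[str]:
    """Walk the prerouting chain in order; passthrough=no ends the walk on a hit."""
    mark = None
    for rule in rules:
        if rule.disabled:
            continue
        if list_matches(src, rule.src_list, rule.src_negated) and list_matches(dst, rule.dst_list):
            mark = rule.new_routing_mark
            if not rule.passthrough:
                break
    return mark

def lookup(dst: IPv4, mark: Optional[str], routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match in the marked table, then main only if it had no match."""
    tables = ["main"] if mark in (None, "main") else [mark, "main"]
    for table in tables:
        candidates = [r for r in routes if r.routing_mark == table and dst in r.dst]
        if candidates:
            return max(candidates, key=lambda r: r.dst.prefixlen)
    return None

def egress_interface(src: str, dst: str, rules: List[MangleRule], routes: List[Route]) -> Optional[str]:
    s, d = IPv4(src), IPv4(dst)
    route = lookup(d, apply_mangle(s, d, rules), routes)
    return route.interface if route else None

# Mangle rules 0-2 from the post (rule 2 is disabled there as well).
MANGLE = [
    MangleRule("voip", src_list="VOIP-SUBNET"),
    MangleRule("voip", dst_list="VOIP-SUBNET"),
    MangleRule("other", src_list="VOIP-SUBNET", src_negated=True, disabled=True),
]

# Active routes from the post's main table (the second default route shows no A flag, so it is left out).
MAIN_ROUTES = [
    Route(Net("0.0.0.0/0"), "e1-gateway", GW1),
    Route(Net("203.0.113.0/24"), "e1-gateway"),
    Route(Net("192.168.0.0/24"), "e4-168-0-1"),
    Route(Net("192.168.1.0/24"), "e3"),
    Route(Net("192.168.2.0/24"), "e2"),
    Route(Net("192.0.2.0/24"), "e5-gateway2"),
]

# The one route the post adds: "add gateway=aa.bb.cc.dd routing-mark=voip"
MARKED_ROUTE = Route(Net("0.0.0.0/0"), "e5-gateway2", GW2, routing_mark="voip")

FLOWS = {  # constructed sample flows
    "voip->internet": ("192.168.2.10", REMOTE),
    "internet->voip (reply)": (REMOTE, "192.168.2.10"),
    "lan->voip": ("192.168.0.5", "192.168.2.10"),
    "lan->internet": ("192.168.0.5", REMOTE),
}

def scenario(with_marked_route: bool) -> Dict[str, Optional[str]]:
    """Egress interface per flow, before or after the marked default route is added."""
    routes = MAIN_ROUTES + ([MARKED_ROUTE] if with_marked_route else [])
    return {name: egress_interface(s, d, MANGLE, routes) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, flag in (("before marked route", False), ("after marked route", True)):
        print(label)
        for flow, iface in scenario(flag).items():
            print(f"  {flow:24} -> {iface}")
```

Under this model, before the marked route exists the voip table is empty, every marked packet falls back to main and the replies to the VOIP subnet leave via e2 as expected. Once the marked default route is present, anything carrying the voip mark matches 0.0.0.0/0 in that table, which includes the inbound replies and LAN-to-VOIP traffic that rule 1 (dst-address-list=VOIP-SUBNET) marks in prerouting, so those packets are sent towards e5-gateway2 instead of e2. Whether a given router behaves like the model is something to confirm on the box itself, for instance by watching the counters of rule 1 and of the marked route while a VOIP host tries to reach the Internet.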