help understanding route rules

hi,
I’m trying to set up an RB1000 with RouterOS 3.28.

I have 2 ISP connections, A and B, and the router is not NATed (it has the public IPs assigned).

At the first stage of configuration, I’m trying to make the router connect to other public sites (ping, or ssh)
and make them go through A or B, just to make sure that IPsec and dnat services will go through the ISP from which they came.

Assuming @ipA, @ipB, @gwA and @gwB are the public IPs and the gateways respectively:

Routes and rules are:

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    @gwA,@gwB scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    @gwA pref-src=@ipA routing-mark=adsl1 scope=30 \
    target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    @gwB pref-src=@ipB routing-mark=adsl2 scope=30 \
    target-scope=10
/ip route rule
add action=lookup comment="" disabled=yes src-address=@ipA/32 \
    table=adsl1
add action=lookup comment="" disabled=yes src-address=@ipB/32 table=\
    adsl2

(I think this is a common configuration.)
And there are no rules in mangle, nat or filter.

Well, I think I don’t understand how the router works when it decides from where to send packets.

example1: ping www.google.com
packets go either ISP A or B.
example2: ping www.google.com src-address=@ipA
packets go either ISP A or B
example3: ping www.google.com src-address=@ipB
packets go either ISP A or B

I thought route rules were applied in the routing decision, so it should send the packets with the correct source IP.

Which would be the correct configuration?

So far, so good. I know that sounds strange, but stay with me. It looks as if it is doing what you asked. Since you have nothing in mangle, there are no routing-marks. So the two gateways with routing-mark set will not be used.

The default gateway has two gateways, separated by a comma. That means it will “take turns” with them.

If you want to use the other two routes, then you will need to decide what nets/protocols will be marked.
Look in the docs under “mangle”.
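As an added example (not from any poster in this thread): the first post’s routes with the two route rules enabled, since as pasted they carry disabled=yes and a disabled rule takes part in no lookup, followed by a way to verify the result that does not depend on the src-address option of ping: filter rules that only count and log packets leaving through the wrong ISP. Interface names etherA and etherB are assumptions; @ipA, @ipB, @gwA and @gwB are the placeholders from the first post.

```routeros
# Added example, not from any post in this thread.
# etherA/etherB are assumed interface names; @ipA, @ipB, @gwA, @gwB are the
# placeholders used in the first post.

# The ECMP route is hit only when nothing selects one of the two tables.
/ip route
add dst-address=0.0.0.0/0 gateway=@gwA,@gwB comment="ECMP, used when no table is selected"
add dst-address=0.0.0.0/0 gateway=@gwA pref-src=@ipA routing-mark=adsl1
add dst-address=0.0.0.0/0 gateway=@gwB pref-src=@ipB routing-mark=adsl2

# The route rules of the first post, but enabled: a packet whose source is @ipA
# is looked up in table adsl1 before the main table (action=lookup falls back
# to main when the table has no matching route).
/ip route rule
add src-address=@ipA/32 action=lookup table=adsl1 disabled=no
add src-address=@ipB/32 action=lookup table=adsl2 disabled=no

# Check that the rules are active and that each table holds only the wanted gateway.
/ip route rule print
/ip route print detail where routing-mark=adsl1
/ip route print detail where routing-mark=adsl2

# Trip-wires: a packet carrying one ISP's address must never leave through the
# other ISP. These rules drop nothing; they count and log the mismatches, for
# both router-generated (output) and forwarded (forward) traffic.
/ip firewall filter
add chain=output out-interface=etherB src-address=@ipA action=log log-prefix="ipA-via-B:"
add chain=output out-interface=etherA src-address=@ipB action=log log-prefix="ipB-via-A:"
add chain=forward out-interface=etherB src-address=@ipA action=log log-prefix="ipA-via-B:"
add chain=forward out-interface=etherA src-address=@ipB action=log log-prefix="ipB-via-A:"

# After generating traffic (ping from the router, an ssh session, an external
# ping to @ipA), the counters must stay at zero and the log must stay empty.
/ip firewall filter print stats
/log print
```

The trip-wire rules are the check to keep while the rest of the configuration (mangle, dst-nat, IPsec) is built up: any non-zero counter points at a packet that the route rules or marks did not steer.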

OK,
mangle is needed, but route rules?
Are they used for something?

I thought specifying src-address in ping would be enough (together with the rules) to make ping go via A or B.

If I add these rules…

/ip firewall mangle
add action=mark-routing chain=output comment="" connection-state=new \
    disabled=no new-routing-mark=adsl1 passthrough=yes src-address=\
    @ipA
add action=mark-routing chain=output comment="" connection-state=new \
    disabled=no new-routing-mark=adsl2 passthrough=yes src-address=\
    @ipB

The behaviour is the same: pings go through ISP A or B no matter which src-address is specified.
Also, in the packet counts, I can see that the rule matched is not the correct one (I ping with src-address=@ipA but the matched rule is src-address=@ipB, and the packet leaves by ISP B).

But these rules above are the same as the route rules…, or not?
Are these output mangle rules correct?

Another thing I see is that the routing decision is taken after the output chain according to
http://www.mikrotik.com/testdocs/ros/3.0/qos/flow.php

but before according to
http://wiki.mikrotik.com/wiki/Packet_Flow

If the correct one is the wiki, then mangle rules in output do not affect the routing decision
(and therefore route rules are applied first).

I’m Lost.

The key point is this: if I configure IPsec with one of the two addresses as src-address in the policy, how can I be sure that address will be used (if ping doesn’t)?

Your mangle rules are correct. Currently ping src-address is broken, that is why it looks like mangle is not matching properly; wait for the next version, where it will be fixed.

I am not certain those rules are correct. I use the routing-mark in mangle for exactly this purpose, and to get that connection to routing-mark correctly, I use “chain=prerouting”. Am I wrong?

Routing mark works in the prerouting and output chains, so the rule is correct. In this case, as the ping is generated by the router, it can’t be marked in prerouting.

Thanks mrz for confirming this point.
But what about route rules? (Are they applied, or not?)
And what about the routing decision on the wiki or http://www.mikrotik.com?

Can someone confirm whether there is a documentation error?

Remember I am pinging from the router, so the chains involved here are output and postrouting.

My bad on the test ping. I see you would be using the input/output chains (router). But wouldn’t you need to include prerouting or forward for the rules to apply to the actual interfaces?

The diagram in the old manual is wrong. The routing decision should be before output, as it is shown in the wiki.

I did not see the diagram in the wiki.
The input and output chains affect only those connections inbound to and outbound from RouterOS itself. They would not routing-mark anything from any interfaces, would they? I mean, that IS the intent, isn’t it?

ADD: To be clear, an output chain routing mark would not mark a connection between an interface and any other interface.

No. The intent IS to make the whole process clear. If I need to mark, I’ll mark.
At a later stage I’ll have to mark routes and connections, but I have to make sure how things work. I don’t want to begin marking things just to mark, because it’s easy to mess things up.
I’m a little experienced in Linux, and thought it would be easy to substitute it with MikroTik (the whole infrastructure is in production now with Linux, so I’ve applied route rules, marked connections, configured IPsec, etc.). But there are little differences that complicate things (also I make a lot of mistakes due to years of “thinking in Linux”).

I don’t think any routing mark would mark any connection (routing mark marks routing, connection mark marks connections).


I’ve done another test to see how route rules are applied (because ping src-address is broken).

Assuming no rules in mangle, nat or filter…
and the routes and route rules as in the first post…

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    @gwA,@gwB scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    @gwA pref-src=@ipA routing-mark=adsl1 scope=30 \
    target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    @gwB pref-src=@ipB routing-mark=adsl2 scope=30 \
    target-scope=10
/ip route rule
add action=lookup comment="" disabled=yes src-address=@ipA/32 \
    table=adsl1
add action=lookup comment="" disabled=yes src-address=@ipB/32 table=\
    adsl2

Pinging from an external IP to @ipA and to @ipB shows the results as expected (the responses go through ispA and ispB
respectively).
But if I remove the route rules, a ping to @ipA can be responded to through ispB (although with src-address=@ipA), which confuses me (a packet with src-address=@ipA should NEVER be sent to ispB).
Maybe this is the meaning of route rules?
And if it is this way, why do I need to mark-connection in input and mark-routing the previous connection in output, as is shown in ECMP load balancing?

My bad. Mark away. I am new at this.

In general, it can be sent to any default gateway if you haven’t forbidden it =) so you need to create the necessary rules.
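An added example (not posted by anyone in this thread) of what those "necessary rules" look like for the two cases the first post still has to cover, connections to the router’s own services and a dnat service on a LAN host, using the mark-connection/mark-routing pattern of the ECMP load-balancing document that the previous post asked about. Interface names etherA, etherB and lan, the LAN host 192.168.1.10, port 443 and the connection-mark names are assumptions; the placeholders @ipA, @ipB, @gwA and @gwB are those of the first post. The placement of the mark-routing rules follows the wiki packet-flow diagram confirmed above: for a packet generated by the router the routing decision comes after the output chain, for a forwarded packet after prerouting. A src-address route rule is enough for replies the router itself sends from @ipA or @ipB (the external-ping test above), but not for the dnat case: when the LAN host’s reply is routed it still carries the LAN address, because the reverse translation back to the public address happens after the routing decision, whereas the connection mark set on the inbound packet is already present.

```routeros
# Added example, not from any post in this thread.
# Assumed: interfaces etherA (ISP A), etherB (ISP B) and lan; LAN host
# 192.168.1.10 serving tcp/443; connection marks from-adsl1/from-adsl2.
# @ipA, @ipB, @gwA, @gwB are the placeholders of the first post.

/ip route
add dst-address=0.0.0.0/0 gateway=@gwA,@gwB comment="ECMP for unmarked traffic"
add dst-address=0.0.0.0/0 gateway=@gwA pref-src=@ipA routing-mark=adsl1
add dst-address=0.0.0.0/0 gateway=@gwB pref-src=@ipB routing-mark=adsl2

# A service on the LAN host reachable through either ISP.
/ip firewall nat
add chain=dstnat in-interface=etherA dst-address=@ipA protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.10
add chain=dstnat in-interface=etherB dst-address=@ipB protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.10

/ip firewall mangle
# 1. Remember which ISP every new inbound connection arrived on. prerouting
#    sees both connections to the router itself and connections being
#    forwarded (dst-nat) to the LAN host.
add chain=prerouting in-interface=etherA connection-state=new \
    action=mark-connection new-connection-mark=from-adsl1 passthrough=yes
add chain=prerouting in-interface=etherB connection-state=new \
    action=mark-connection new-connection-mark=from-adsl2 passthrough=yes

# 2. Replies generated by the router (ssh, IPsec, ping responses): the
#    routing decision follows output, so the mark is applied here.
add chain=output connection-mark=from-adsl1 \
    action=mark-routing new-routing-mark=adsl1 passthrough=no
add chain=output connection-mark=from-adsl2 \
    action=mark-routing new-routing-mark=adsl2 passthrough=no

# 3. Replies from the LAN host behind dst-nat enter on lan and are routed
#    right after prerouting; their source is still 192.168.1.10 here, so the
#    connection mark, not the address, selects the ISP.
add chain=prerouting in-interface=lan connection-mark=from-adsl1 \
    action=mark-routing new-routing-mark=adsl1 passthrough=no
add chain=prerouting in-interface=lan connection-mark=from-adsl2 \
    action=mark-routing new-routing-mark=adsl2 passthrough=no

# 4. Connections the router opens itself: select the table by source address
#    (same effect as the src-address route rules; unmatched packets, i.e.
#    those with no explicit source, keep using the ECMP route).
add chain=output src-address=@ipA action=mark-routing new-routing-mark=adsl1 passthrough=no
add chain=output src-address=@ipB action=mark-routing new-routing-mark=adsl2 passthrough=no

# Rule counters show which path a test connection took.
/ip firewall mangle print stats
```

Rule order matters: the connection-mark based mark-routing rules come before the src-address ones and use passthrough=no, so a reply always follows the ISP the connection came in on even if the other ISP happened to deliver a packet for that address.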

Are you referring to this diagram, saying it’s wrong?
http://www.mikrotik.com/testdocs/ros/3.0/qos/flow_content.php#.2

Could you please direct us to the correct diagram in the wiki?

Here’s the correct diagram: http://wiki.mikrotik.com/wiki/Packet_Flow