Hotspot Trial users to separate WAN

Hello,

I need to direct all trial users to a separate WAN interface.

Current setup is:
eth1 = WAN
eth2 = LAN
eth5 = Hotspot

Hotspot users can login and access internet.
LAN users can access internet.

I need to add a 2nd WAN interface on eth3 that is just used for trial users.

I imagine that can be done with mangle rules but have no idea how?

Thanks,

Gary.

Hi Gary,

Something along these lines should work.
Let's say your hotspot user range is 192.168.0.0/24:
/ip route
add dst-address=0.0.0.0/0 routing-mark=force-via-wan2 gateway=
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=force-via-wan2 src-address=192.168.0.0/24 dst-address-type=!local
add action=mark-routing chain=prerouting connection-mark=force-via-wan2 new-routing-mark=force-via-wan2

Don’t forget to add a NAT rule for the traffic out that interface!

Hi,

Thanks for the reply.

I think that would add all hotspot users to the 2nd gateway?

I need to just move the Trial users to 2nd gateway.

I have created a Trial User Profile ‘TrialUser’ and chosen that as the Trial user profile for the Hotspot server.

Within this ‘TrialUser’ profile you can add users to an address list which I called ‘Trial’.

I was thinking that I could then use a mangle rule with a routing mark ‘Trial’, and a route rule to send them to 2nd gateway.

Needless to say I can’t get this working. Could you give me any further advice?

I was

Been Playing around with this and searching forums for a few days now.

I have added the address list ‘TrialUser’ to the Trial user profile.

The list gets populated when a Trial user logs in.

I have added a mangle rule to add routing mark ‘TrialRoute’, and change main default route to include the same mark (so there’s just the one marked route for testing).

The traffic doesn’t go out the marked route.

If I add another rule after the above with forward as chain and route mark=‘TrialRoute’ it sees the marked traffic. Switch chain to Post routing and it does not see the traffic.

Anyone got any ideas that may help? I’m totally stuck at the moment.

So what about something like this:
/ip route
add dst-address=0.0.0.0/0 routing-mark=forced-routing gateway=
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=forced-routing src-address-list=trial-users dst-address-type=!local
add action=mark-routing chain=prerouting connection-mark=forced-routing new-routing-mark=forced-routing

Noting the use of the address list to determine what gets tagged and sent out.
Feel free to paste some of your current config from /ip route and /ip firewall mangle here so we can see exactly what’s going on at the moment.
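
Added example, not taken from any post in this thread: the address-list approach above written out in RouterOS v6 syntax, together with the NAT rule mentioned earlier. Assumptions: interfaces named ether3 (second WAN) and ether5 (hotspot), 192.0.2.1 as a placeholder WAN2 gateway, hypothetical mark names trial-conn and trial-wan2, and TrialUser as the address list filled in by the hotspot trial user profile.

```routeros
# Added example for RouterOS v6 syntax; not from the original thread.
# Assumed names: ether3 = second WAN, ether5 = hotspot,
# 192.0.2.1 = placeholder WAN2 gateway,
# trial-conn / trial-wan2 = hypothetical mark names.

/ip route
# Default route that only packets carrying the routing mark will use.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=trial-wan2 distance=1

/ip firewall mangle
# 1. Tag new connections opened by trial users towards anything that is
#    not an address of the router itself, so traffic to the router
#    (such as the hotspot login page) stays on the main table.
add chain=prerouting action=mark-connection connection-state=new \
    src-address-list=TrialUser dst-address-type=!local \
    new-connection-mark=trial-conn passthrough=yes

# 2. Apply the routing mark only to packets entering from the hotspot side.
#    Without in-interface, reply packets arriving on ether3 belong to the
#    same marked connection, receive the routing mark too, and are looked
#    up in the trial-wan2 table, whose only route points back out of the
#    second WAN instead of towards the client.
add chain=prerouting action=mark-routing connection-mark=trial-conn \
    in-interface=ether5 new-routing-mark=trial-wan2 passthrough=no

/ip firewall nat
# 3. Source NAT for whatever leaves through the second WAN.
add chain=srcnat action=masquerade out-interface=ether3
```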

With normal gateway route Port 2 LAN can access Internet. Hotspot users on Port 5 LAN can access internet (connected to switch and APs).

This is the Trial User hotspot profile:
/ip hotspot user profile
add add-mac-cookie=no address-list=TrialUser idle-timeout=none keepalive-timeout=2m name=Trial shared-users=100
/ip hotspot profile
add dns-name=hotspot.net hotspot-address=172.16.10.1 login-by=http-chap,trial name=hsprof1 trial-user-profile=Trial

Tried this without success:
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=TrialRoute
(This is the only gateway for testing purposes).
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=TrialRoute src-address-list=TrialUser
add action=passthrough chain=prerouting comment="CHECK PREROUTE MARK" routing-mark=TrialRoute
add action=passthrough chain=postrouting comment="CHECK POSTROUTE MARK" routing-mark=TrialRoute

The 2 passthroughs were just for monitoring whether packets were getting through the system. When a trial user is logged in the CHECK PREROUTE MARK gets traffic, however, CHECK POSTROUTE MARK does not show traffic.

Next tried this:
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=TrialConn src-address-list=TrialUser
add action=mark-routing chain=prerouting connection-mark=TrialConn new-routing-mark=TrialRoute
add action=passthrough chain=prerouting comment="CHECK PREROUTE MARK" routing-mark=TrialRoute
add action=passthrough chain=postrouting comment="CHECK POSTROUTE MARK" routing-mark=TrialRoute

Again no traffic passes the gateway and when a trial user is logged in CHECK POST ROUTE MARK does not show traffic.

Next tried this: add a packet mark to the trial user (hotspot user profile) and then add a route mark:

Dynamic mangle:
[admin@MikroTik] /ip firewall mangle> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=hotspot action=mark-packet new-packet-mark=Trial-hs-pk-in
passthrough=yes src-address=172.16.10.238

1 D chain=hotspot action=mark-packet new-packet-mark=Trial-hs-pk-out
passthrough=yes dst-address=172.16.10.238

mangle:
add action=mark-routing chain=hotspot comment="tr hs pk in" new-routing-mark=TrialRoute packet-mark=Trial-hs-pk-in
add action=mark-routing chain=hotspot comment="tr hs pk out" new-routing-mark=TrialRoute packet-mark=Trial-hs-pk-out
add action=passthrough chain=postrouting comment="CHECK PREROUTE MARK" routing-mark=TrialRoute
add action=passthrough chain=prerouting comment="CHECK POSTROUTE MARK" routing-mark=TrialRoute

Nothing gets traffic here at all.

Confused.

Now even more confused as I just tried adding a simple trialuser mark to my local lan and packets were not routed to gateway with trial mark…
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=TrialRoute

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=TrialRoute src-address=192.168.2.0/24

I am really stuck here!

Add me on skype if you’d like and I can run over it with you - is my skype user.

Thanks - I’m in UK though…

I really don’t understand what I am doing wrong.

Just spent 30 minutes following guides including variations of mark packet / connection / route and I can’t get it to work at all - not even to route a LAN to a default route with a route mark…

I am using ros 6.1.

I felt sure that the following would work but it doesn’t for me.
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=MainPCs
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=MainPCPacket src-address=192.168.88.0/24
add action=mark-connection chain=prerouting new-connection-mark=MainPCConn packet-mark=MainPCPacket
add action=mark-routing chain=prerouting connection-mark=MainPCConn new-routing-mark=MainPCs

Any help would be much appreciated.