How to mark packets going from router itself

miro10hr · March 4, 2015, 2:02pm

Hi,

I have simple setup like this

http://wiki.mikrotik.com/wiki/Load_Balancing_over_Multiple_Gateways

Basically I have two outgoing interfaces and two different gateways, A and B. I have two LAN segments as well. I want to direct LAN1 segment over gateway A and LAN2 segment over gateway B.
Configuration is like in the example. Packets from LAN1 segment are (routing) marked as A and from LAN2 segment as B. In routing table there are two routes, one for packets with routing mark A and one for packets with routing marks B.

Everything is OK when packets are arriving from LAN interface, they are properly marked.

But I have problems with DNS. Router is resolving DNS requests so the packets that are originating in router itself do not have any marks and therefore do not have any route to follow in routing table.

How can I mark the packets going from router itself with some routing mark? For example I want to mark all the traffic from router itself with routing mark A.

How to do that?

What chain should I use?

Fabian · March 4, 2015, 2:49pm

If i’m not mistaken you should be able to set a route for 0.0.0.0/0 in the routing table (not firewall) for all traffic originating from the router.

miro10hr · March 4, 2015, 3:11pm

Hm,

I’m not sure if I understand the answer. I have two 0.0.0.0/0 routes in the routing table, one for routing marks A and another for routing marks B.

The problem is that traffic originating in router itself gets no routing mark so doesn’t know which route to use. And I’m interested how to mark it with routing mark (A or B).

Fabian · March 4, 2015, 3:30pm

Well, it’s not really an answer to your question, but the easy fix is by just adding a default route in the default routing table.

routing table A
0.0.0.0/0 → ISP-A

routing table B
0.0.0.0/0 → ISB-B

default routing table
0.0.0.0/0 → ISB-A

the latter is being used for unmarked traffic

miro10hr · March 4, 2015, 11:23pm

My situation is more complicated but I didn’t want to go into details.

One gateway is added dynamically over dhcp (dhcp client) and I’m using routing filters with dynamic-in chain to dedicate this default route to routing mark A.
Other gateway for routing mark B is static but this connection can be used only part of the day.

So everytime this dynamic default gateway changes I should manually change default gateway for non marked packets which is impossible.

I could use scripting but want to leave that as last resort.

To make long story short I’m really interested is it possible to mark traffic originating from router itself and if it is, how to do it.

lcm · March 5, 2015, 9:12pm

ok, another approach should be:

/ip route add dst-address=0.0.0.0/0 gateway=ether1,192.168.0.1 check-gateway=ping

miro10hr · March 6, 2015, 8:58am

As I said the gateway IP address is not static, it changes depending what address router gets from dhcp.

I suppose the address 192.168.0.1 in this example you posted is static gateway address. So the problem is I can’t put static IP address of gateway as it changes.

lcm · March 6, 2015, 11:15am

In the example, we have a intetrface and a static address. You can set the interface as gateway.

miro10hr · March 6, 2015, 1:12pm

Unfortunately you can’t. It doesn’t work for ethernet connections.

http://forum.mikrotik.com/t/creating-route-with-gateway-interface/85567/1

Fritzman · January 19, 2019, 7:17am

Has anyone found a solution? We have the same problem!
Dynamic (DHCP) WAN address + route mark but the router itself needs a route as well.

tslytsly · January 19, 2019, 8:45am

You can do this in /ip firewall mangle

You need an output chain rule.
In the advanced tab specify connection type is not local.
This will only apply to the router itself. Output is only for traffic originating in the router.
I would post code, but on a mobile.

tslytsly · January 19, 2019, 9:11am

Something like this:

add action=mark-routing chain=output comment="Mark Output From Router that is not local" dst-address-type=!local new-routing-mark=TestRoute passthrough=yes

Fritzman · January 19, 2019, 9:18am

Thanks, could you please explain this a bit more?
We have two output rules:

add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1     
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

https://wiki.mikrotik.com/wiki/Manual:PCC

You say we have to add a third “output” rule in the mangle?

Fritzman · January 19, 2019, 9:24am

Thanks, added this rule, but now we are unable to connet to the router from LAN (only via MAC address).

tslytsly · January 19, 2019, 9:35am

Hmm, that didn’t happen on mine.

Remove this

dst-address-type=!local

And put

dst-address!=<yourLANIPrange>