ip firewall mangle and ip route

oanoan1980 · June 4, 2017, 3:11pm

Hello,

Can some please explain what is this below lines mean and what it does?

add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing
new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing
new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

From what i think, the first two lines wants to mark the routing as “to_ISP1” and “to_ISP2” so that the last two lines can link “ISP1_conn” and “ISP2_conn” to “to_ISP1” and “to_ISP2” and finally we can use it here for IP Route below:

add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping

Thanks!

Below is original:

/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=ISP1
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=ISP2

/ ip firewall mangle
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection
new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection
new-connection-mark=ISP2_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local
per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local
per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing
new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing
new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade

Discmandj · June 4, 2017, 4:40pm

Hi, this is a Dual wan Bandwidth with failover .
So it will add the 2 isp speed to use them together if you have 10 MBits download on isp 1 and isp 2 5 MBits you get 15 MBits speed on your LAN interface . If one isp connection fail you will always surf internet over the second isp.

Gesendet von iPhone mit Tapatalk

oanoan1980 · June 5, 2017, 8:50am

Could you please explain this four lines. I would like to understand it and use this for future use.
Thank very much in advance.

add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing
new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing
new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

oanoan1980 · June 5, 2017, 3:27pm

Could someone please help to explain.
I am strucked for not understand it for a month now. Really appreciated.

Thank you.

ZeroByte · June 5, 2017, 3:41pm

In english, the first two rules say this:

Before making a routing decision… (prerouting chain)
If the packet’s connection-mark is ISP1_conn, then set the routing mark on the packet to be “to-ISP1”
If the packet’s connection-mark is ISP2_conn, then set the routing mark on the packet to be “to-ISP2”

rules 3 and 4 say the same thing, but are in the OUTPUT chain. PREROUTING only affects traffic originating outside the router (whether it’s going to be forwarded or else processed locally). If the router generates packets itself - say the router is going to ping some remote host to test gateway reachability… those don’t go through PREROUTING. They go through OUTPUT. You need all 4 of these rules so that all traffic follows a consistent policy.

There must be other rules elsewhere which assign connection marks because these rules don’t create the connection marks - they just use them as the decision-making point.

oanoan1980 · June 5, 2017, 4:35pm

Thank you so much for the explanation.

ZeroByte:

In english, the first two rules say this:

Before making a routing decision… (prerouting chain)
If the packet’s connection-mark is ISP1_conn, then set the routing mark on the packet to be “to-ISP1”
If the packet’s connection-mark is ISP2_conn, then set the routing mark on the packet to be “to-ISP2”

rules 3 and 4 say the same thing, but are in the OUTPUT chain. PREROUTING only affects traffic originating outside the router (whether it’s going to be forwarded or else processed locally). If the router generates packets itself - say the router is going to ping some remote host to test gateway reachability… those don’t go through PREROUTING. They go through OUTPUT. You need all 4 of these rules so that all traffic follows a consistent policy.

There must be other rules elsewhere which assign connection marks because these rules don’t create the connection marks - they just use them as the decision-making point.

oanoan1980 · June 8, 2017, 2:57pm

Dear ZeroByte,

Could you please tell me if my understanding is rigth.
Please answer for 2 questions below. Thank so much in advance.

Below this - the 4 lines here is just mark the routing path. And not make it route yet. Correct?

add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing
new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing
new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

And below this is when we use the mark that we mark it on the above. Correct?

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping

This is what i got from Wiki Miktrotik for using PCC 2wan and 1 lan. (In below attachment).

/ Ip Address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=ISP1
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=ISP2

/ ip firewall mangle
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection
new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection
new-connection-mark=ISP2_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local
per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local
per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing
new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing
new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade

ZeroByte:

In english, the first two rules say this:

Before making a routing decision… (prerouting chain)
If the packet’s connection-mark is ISP1_conn, then set the routing mark on the packet to be “to-ISP1”
If the packet’s connection-mark is ISP2_conn, then set the routing mark on the packet to be “to-ISP2”

rules 3 and 4 say the same thing, but are in the OUTPUT chain. PREROUTING only affects traffic originating outside the router (whether it’s going to be forwarded or else processed locally). If the router generates packets itself - say the router is going to ping some remote host to test gateway reachability… those don’t go through PREROUTING. They go through OUTPUT. You need all 4 of these rules so that all traffic follows a consistent policy.

There must be other rules elsewhere which assign connection marks because these rules don’t create the connection marks - they just use them as the decision-making point.

ZeroByte · June 8, 2017, 4:11pm

correct on both.