I’d like to know if a marked packet is routable with an OS other than Mikrotik,
for example:
Mikrotik 1 —> (Linux router) → Mikrotik 2
Can a packet marked in Mikrotik 1 reach the target Mikrotik 2? So, does a packet mark exist at the IP level?
Or
Does a marked packet exist only in one ethernet segment, and at the next hop must the packet be internally remarked by the Mikrotik router again?
Mikrotik 1 → (Mikrotik router) → Mikrotik 2
I am not 100% sure if I understand; my problem is this:
I have one Mikrotik router in one subnet and second Mikrotik router in other subnet, like I described.
Both subnets are routed through Linux router:
Mikrotik 1 <—> Linux <----> Mikrotik 2 .
It seems from your answer that when I mark a packet in Mikrotik 1, I cannot detect this mark in Mikrotik 2.
Is it true?
For some reasons the Linux router must stay and cannot be superseded by a Mikrotik router.
But I can change the Linux router to an ethernet bridge and make one subnet from both.
If Linux is in bridge mode, can Mikrotik 2 detect marks from Mikrotik 1?
No, packet and connection marks are all internal only; nothing gets modified on the packet. You could get a little tricky and play with DSCP / TOS values or some other value that gets stuffed into the packet that could be detected on the next router, or use a different VLAN for each type and then unwrap at router 2. There are a few possibilities; it just depends on what you are trying to accomplish. Tell us the end goal and we’ll see if there is an easy solution.
But Mikrotik is a form of a Linux router… if you take out the Linux router that is already there, you can still tell the bosses that it's a Linux router… you can even put it on the same hardware.
Anyway, I suggest you make an EoIP tunnel between the two Mikrotiks, and then you can do a number of things from there, including passing VLAN tags and so on.
Well, I have a LAN subnetted into three networks. One (LAN1) is handled by MT1, which also has the internet connection; the other two are handled by MT2 (LAN2 and LAN3). The network is configured with plain routing, nothing fancy.
I have a local DC hub connected to LAN3.
MT1 handles all internet connections and I want to set it up to allow internet only to those clients that are connected to local DC hub.
It is not a problem to mark connections to the DC hub on the router to which the clients are connected. That means MT1 knows which users connected to LAN1 are connected to the DC hub and it handles them properly, but it cannot know which clients in LAN2 and LAN3 are connected to the DC hub, so it cannot handle them. Right now, I had to set MT2 to handle internet connections for clients on LAN2 and LAN3.
What I want is a means to let MT1 know if any user in the network is connected to the DC hub, so it can handle all of them.
This sounds way more complicated than it needs to be… and there are at least 4 ways I can think of off the top of my head to do this.
If you only want certain clients to be able to access the Internet, then put them all in the same subnet, i.e. 192.168.0.0/25. This would let anyone with an IP of 192.168.0.1-192.168.0.128 access the Internet via MT1 when you add either a masq rule or a src-nat rule that limits the src-nat’ing address to 192.168.0.0/25.
If they are on different subnets, i.e. 192.168.0.0/24 and 192.168.1.0/24, the same would apply, only the src-nat or masq would require two rules to handle both subnets for the purposes of going to the Internet. Three different subnets: three rules…
Now if for some reason you can’t group your clients, then you can individually add them to separate masq / src-nat rules, i.e. you want 192.168.1.10, 15 and 27 to have access but not anyone else. Then src-nat = 192.168.1.10 (and then 15 and 27) masq out interface Internet, or src-nat to the Internet IP.
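An added example of the approach described in this reply, written for this thread and not taken from any poster's configuration. It generalises the "one rule per subnet or per host" idea into a single address list that holds both whole (sub)nets and hand-picked hosts, so the NAT rule and the filter rule stay at one each no matter how many entries are added. Everything named here is assumed: the interface `ether1-wan`, the list name `internet-allowed`, and the subnets and hosts (note that 192.168.0.0/25 spans .0 through .127). It also adds the drop rule a practitioner would want, because a client with no matching NAT rule is not blocked by the absence of NAT; it is simply forwarded upstream with its private source address.

```routeros
# Added example; names and addresses are assumptions, not from the thread.
# Allowed sources: whole ranges and individual hosts in one list.
/ip firewall address-list
add list=internet-allowed address=192.168.0.0/25 comment="lower half of LAN1"
add list=internet-allowed address=192.168.1.0/24 comment="all of LAN2"
add list=internet-allowed address=192.168.2.10 comment="hand-picked host"
add list=internet-allowed address=192.168.2.15 comment="hand-picked host"
add list=internet-allowed address=192.168.2.27 comment="hand-picked host"

# One masquerade rule covers every entry; adding a client is an address-list edit.
/ip firewall nat
add chain=srcnat src-address-list=internet-allowed out-interface=ether1-wan \
    action=masquerade comment="NAT only for listed sources"

# Without this, unlisted clients are still routed out ether1-wan untranslated
# (their RFC 1918 source leaks to the upstream and replies never come back).
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic of allowed sessions"
add chain=forward out-interface=ether1-wan src-address-list=!internet-allowed \
    action=drop comment="no entry in the list: no Internet"
```

`/ip firewall filter print stats` shows the drop counter climbing when an unlisted host tries to go out, which is the quickest way to confirm the rule order is right.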
Thanks for your efforts, but you missed the point.
The idea is that MT automatically grants or revokes internet access to users according to whether they are connected to the local DC hub. It has nothing to do with their IP addresses.
Actually I already have an address list containing the clients that are connected to the hub. The problem is that the lists are located on the wrong MTs, not the one that has to grant access.
pedja -
I think you actually missed the point: routers are not clairvoyant; you have to tell them something is allowed or not allowed. How do you expect a router to know if something is connected to something else? All a router knows is whether something is connected to it (it doesn’t care if it’s by a hub, switch, or a piece of string) and where to send something according to its routing table.
The point I was making, since you have a routed network already, is to send all Internet requests to MT1 (this is simple in a properly routed network); there you get to decide whether or not that client gets access to the Internet.
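An added example, not from any poster, that ties together the DSCP suggestion made earlier in the thread ("play with DSCP / TOS values ... that could be detected on the next router") and the address list the OP says already exists on MT2. Packet marks die at the router that set them, but the DSCP field is part of the IP header, so it survives the Linux hop unless that box deliberately rewrites it. MT2 stamps DSCP on packets from clients in its hub list; MT1 treats that DSCP as "allowed" alongside its own LAN1 list and drops the rest. All names are assumptions: the list `dc-hub-users` on both routers, MT2's uplink `ether1-uplink`, MT1's Internet interface `ether1-wan`, and DSCP value 46 (any value the Linux router leaves alone will do). The security caveat a practitioner would raise is that a LAN2/LAN3 host can set DSCP 46 on its own packets, so MT2 must first zero the field for everything it forwards and only then stamp the listed sources; otherwise the signal is forgeable.

```routeros
# ---- MT2 (the router that knows who is on the hub) ----
# Added example; interface and list names are assumed.
/ip firewall mangle
# 1. Clear whatever DSCP the clients supplied, so nobody can forge the signal.
add chain=prerouting in-interface=!ether1-uplink action=change-dscp new-dscp=0 \
    passthrough=yes comment="strip client-set DSCP before trusting it"
# 2. Stamp only sources that MT2 has seen connected to the DC hub.
add chain=prerouting in-interface=!ether1-uplink src-address-list=dc-hub-users \
    action=change-dscp new-dscp=46 passthrough=yes comment="hub user: signal to MT1"

# ---- MT1 (the router with the Internet link) ----
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies of sessions already allowed out"
add chain=forward out-interface=ether1-wan src-address-list=dc-hub-users \
    action=accept comment="LAN1 hub users MT1 tracks itself"
add chain=forward out-interface=ether1-wan dscp=46 action=accept \
    comment="LAN2/LAN3 hub users, flagged by MT2 via DSCP"
add chain=forward out-interface=ether1-wan action=drop \
    comment="everyone else: no Internet"
# Do not leak the internal signal to the Internet.
/ip firewall mangle
add chain=postrouting out-interface=ether1-wan dscp=46 action=change-dscp \
    new-dscp=0 passthrough=yes comment="reset DSCP on the way out"
```

To check that the Linux router is really passing the field, watch the counters with `/ip firewall filter print stats` on MT1 while a listed LAN2 client browses: if the `dscp=46` rule never counts, the Linux box is rewriting DSCP (look at its `iptables -t mangle` and `tc` configuration). If the hub list on MT2 is maintained by timed-out address-list entries, access revokes itself on MT1 as soon as MT2 stops stamping.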