mangle rule

I need a mangle rule to add two routes for two DSL lines with different gateways,
to be delivered to two IP ranges.

I have two external NIC cards and one internal card.

I have RouterOS Ver 3.22 on an HP P4 machine.

Please help.

A lot of people read my message but no one tries to help.

Is there an error in my message?

Why?

You’re not giving any details, or what you’ve tried so far. Additionally not even a day has passed.

Are you trying to route one network out one DSL line, and another network out the second? Are you trying to load-balance the two lines? If so, read the wiki PCC article.

First, thanks for your reply.
In fact I have two DSL lines with two routers; one is a Cisco and the other is a Speed Linksys.

The out line from the Cisco router (172.30.7.225) is connected to the WAN card of the MK server, and the LAN card of the MK
is connected to a network switch to provide Internet to 60 clients (172.30.7.20 to 172.30.7.80).

The other line from the Linksys router (220.200.200.1) is connected to the same network switch and delivers Internet to
another 30 clients (220.200.200.20 to 220.200.200.50) directly, without the MK server.

I added a third NIC to my MK server and connected the line from the Linksys router to it (NIC address 220.200.200.5).

Now I want a route for the first WAN card to provide Internet to the (172.30.7.20 to 172.30.7.80) clients and another route for the second WAN card to provide Internet to the (220.200.200.20 to 220.200.200.50) clients.

The two DSL lines are from different ISPs; this means I have two DNS servers, one for each line.

Can you help me?

Use mangle rules to apply a connection-mark to traffic from LAN 1 so you can identify it. Apply the same connection-mark to traffic coming into WAN 1 so you can make sure it leaves the same way. Repeat for LAN 2 and WAN 2 with a different connection mark. Then apply two routing-marks depending on the connection mark the flow has. Create two routes for those routing marks pointing out to the respective WAN gateways.

http://blog.butchevans.com/2008/09/mikrotik-policy-routing-implementation-example/
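The scheme fewi describes, written out as a RouterOS script. This is an added example, not code from the thread or from the linked blog; the interface names (Internal, ISPONE, ISPTWO), the mapping of 192.168.0.0/24 to the first DSL line and 192.168.1.0/24 to the second, and the gateways 10.10.10.1 and 10.10.11.1 are assumptions chosen to match the addressing used later in this thread. It assumes no transparent web proxy on the router.

```routeros
# Added example (not from the thread or the blog). Assumed layout:
#   Internal = LAN, carrying 192.168.0.0/24 (first line) and 192.168.1.0/24 (second line)
#   ISPONE   = WAN to the first DSL router, gateway 10.10.10.1
#   ISPTWO   = WAN to the second DSL router, gateway 10.10.11.1

/ip firewall mangle
# 0. Traffic between the two LAN subnets must never get a routing-mark; stop here.
add chain=prerouting in-interface=Internal dst-address=192.168.0.0/23 action=accept
# 1. Tag new connections from each LAN subnet with its own connection-mark.
add chain=prerouting in-interface=Internal src-address=192.168.0.0/24 connection-state=new \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=Internal src-address=192.168.1.0/24 connection-state=new \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes
# 2. Tag connections that arrive on each WAN the same way, so replies leave where they came in.
add chain=prerouting in-interface=ISPONE connection-state=new \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=ISPTWO connection-state=new \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes
# 3. Turn the connection-mark into a routing-mark for packets entering from the LAN.
add chain=prerouting in-interface=Internal connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=ISP1 passthrough=no
add chain=prerouting in-interface=Internal connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=ISP2 passthrough=no

/ip route
# 4. One default route per routing-mark, plus an unmarked default for the router itself.
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=ISP1
add dst-address=0.0.0.0/0 gateway=10.10.11.1 routing-mark=ISP2
add dst-address=0.0.0.0/0 gateway=10.10.10.1

/ip firewall nat
# 5. Source NAT on BOTH WAN interfaces: each ISP router only knows its own /30 link subnet,
#    so unmasqueraded 192.168.x.x sources would never get a reply back.
add chain=srcnat out-interface=ISPONE action=masquerade
add chain=srcnat out-interface=ISPTWO action=masquerade
```

Step 2 is what makes the difference from a plain src-address mark-routing rule: a connection that was opened from the Internet (for example a port forward) gets its mark from the WAN it arrived on, so the LAN host's replies are routed back out that same WAN instead of the default gateway.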

Great thanks to Mr. fewi and Mr. Butche; the site you gave is great.

I made all the addresses exactly as in the example but it does not work. These are the codes:

/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default comment=""
disable-running-check=yes disabled=no full-duplex=yes mac-address=
00:0C:29:F5:79:16 mtu=1500 name=Internal speed=100Mbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default comment=""
disable-running-check=yes disabled=no full-duplex=yes mac-address=
00:0C:29:F5:79:20 mtu=1500 name=ISPONE speed=100Mbps
set 2 arp=enabled auto-negotiation=yes cable-settings=default comment=""
disable-running-check=yes disabled=no full-duplex=yes mac-address=
00:0C:29:F5:79:2A mtu=1500 name=ISPTWO speed=100Mbps

/ip address
add address=10.10.10.2/30 broadcast=10.10.10.3 comment="" disabled=no
interface=ISPONE network=10.10.10.0
add address=10.10.11.2/30 broadcast=10.10.11.3 comment="" disabled=no
interface=ISPTWO network=10.10.11.0
add address=192.168.1.1/24 broadcast=192.168.1.255 comment="" disabled=no
interface=Internal network=192.168.1.0
add address=192.168.0.1/24 broadcast=192.168.0.255 comment="" disabled=no
interface=Internal network=192.168.0.0

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=
!ISPONE
add action=redirect chain=dstnat comment="" disabled=no dst-port=80
in-interface=Internal protocol=tcp to-ports=8080
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=
tcp to-ports=8080

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no
new-routing-mark=ISP1 passthrough=no src-address=192.168.0.0/24
add action=mark-routing chain=prerouting comment="" disabled=no
new-routing-mark=ISP2 passthrough=no src-address=192.168.1.0/24

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.11.1
routing-mark=ISP2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.1 scope=30
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.1
routing-mark=ISP1 scope=30 target-scope=10

/ip route rule
add action=lookup comment="" disabled=no dst-address=192.168.0.0/24 table=
main
add action=lookup comment="" disabled=no dst-address=192.168.1.0/24 table=
main
add action=lookup comment="" disabled=no dst-address=10.10.10.0/30 table=main
add action=lookup comment="" disabled=no dst-address=10.10.11.0/30 table=main
add action=lookup comment="" disabled=no src-address=10.10.10.0/30 table=ISP1
add action=lookup comment="" disabled=no src-address=10.10.11.0/30 table=ISP2
add action=lookup comment="" disabled=no routing-mark=ISP1 table=ISP1
add action=lookup comment="" disabled=no routing-mark=ISP2 table=ISP2



I try to browse from a PC with
IP 192.168.1.2
GW 192.168.1.1
DNS 192.168.1.1
but it does not work.

I try to browse from another PC with
IP 192.168.0.2
GW 192.168.0.1
DNS 192.168.0.1
and it also does not work.

Can you tell me what is wrong?

Thanks

I forgot to tell you that in the two subnets
192.168.0.0/24 and 192.168.1.0/24
the Internet is not working.

Are your ISP gateway IPs actually 10.10.11.1 and 10.10.10.1 just like in the blog you copied from? You need to adjust the example given there to your situation.

Yes, I adjusted the ISP gateways (these routers are at my site and I can change their IPs as I want)
to 10.10.11.1 and 10.10.10.1.
(attached image: 2.jpg)
I have two DSL lines connected to two routers (Cisco, Linksys); these routers are at my site
so I can change their IPs as I want.

Thanks

This looks like your NAT rules are not correct.

These are the NAT rules you posted. You need one of two things:

  1. You MUST NAT traffic that leaves the router on the ISPONE and ISPTWO interfaces.
  2. You MUST set up static routes to the 192.168.0.0/24 and 192.168.1.0/24 networks in the two ISP routers.

Not both, but one or the other.

Thanks, Mr. Butch Evans.

Can you help me with NAT rules, as I do not know how to NAT traffic that leaves
the router (I have MK 3.22, not an MK router) on the ISPONE and ISPTWO interfaces?

And about the ISP routers: the static routes from where to where?

Did you even look to see if the Mikrotik documentation would help you with this? I have given you a COMPLETE script to load balance. I don’t mean to be short with you here, but don’t you agree that it would be better if you UNDERSTOOD your own network?

/ip firewall nat
add chain=srcnat out-interface=ISPONE action=masquerade
add chain=srcnat out-interface=ISPTWO action=masquerade

Mr. Butch Evans,

I am very sorry for the disturbance, but I was thinking that the required NAT rules were
special for this matter.

I added those NAT rules but it is still not working. The new NATs are:

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ISPONE
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ISPTWO
add action=redirect chain=dstnat comment="" disabled=no dst-port=80
in-interface=Internal protocol=tcp to-ports=8080
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=
tcp to-ports=8080

By the way, I am not using hotspot, only web proxy, and the cache settings are:

enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-administrator: "webmaster"
max-cache-size: unlimited
cache-on-disk: yes
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-drive: primary-master

Then what is wrong?

This configuration is not designed to work with web proxy. I overlooked that in your config. You can use the new PCC option for the mangle section, which is discussed in great detail here: http://forum.mikrotik.com/t/new-firewall-matcher-pcc/28077/1

In order to load balance with web proxy, you have to mangle based on streams in the output chain. In order to do that, you MUST use the PCC option to sort traffic.
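What "mangle based on streams in the output chain" looks like in practice, as an added example that is not Butch's code nor the code from the linked PCC post. It splits new connections across the two lines with per-connection-classifier, and because connections opened by the router's own web proxy never pass through prerouting, it repeats the classification in the output chain. The interface names (Internal, ISPONE, ISPTWO) and gateways (10.10.10.1, 10.10.11.1) are assumptions matching the rest of this thread; it assumes a RouterOS build that has the per-connection-classifier matcher.

```routeros
# Added example (not from the thread). Assumed: Internal = LAN, ISPONE gw 10.10.10.1,
# ISPTWO gw 10.10.11.1; the transparent proxy on port 8080 is left enabled.

/ip firewall mangle
# Connections that arrive on a WAN are tagged so the router's own replies leave the same way.
add chain=input in-interface=ISPONE action=mark-connection new-connection-mark=ISP1_conn
add chain=input in-interface=ISPTWO action=mark-connection new-connection-mark=ISP2_conn

# LAN clients whose traffic is NOT intercepted by the proxy: split new connections in two.
# dst-address-type=!local keeps traffic to the router itself (including the proxy) unmarked.
add chain=prerouting in-interface=Internal dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=Internal dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes
add chain=prerouting in-interface=Internal connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=ISP1 passthrough=no
add chain=prerouting in-interface=Internal connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=ISP2 passthrough=no

# Proxy traffic originates on the router, so it is only seen in the output chain:
# classify it there with the same PCC split, then convert the connection-mark to a routing-mark.
add chain=output dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=output dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=ISP1 passthrough=no
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=ISP2 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.11.1 routing-mark=ISP2 check-gateway=ping
# Unmarked defaults for the router itself; the second line is a backup if the first fails.
add dst-address=0.0.0.0/0 gateway=10.10.10.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.11.1 distance=2 check-gateway=ping

/ip firewall nat
# Masquerade on the egress interface rewrites the source to whichever WAN the mark chose,
# which also corrects proxy packets that were initially sourced from the other WAN address.
add chain=srcnat out-interface=ISPONE action=masquerade
add chain=srcnat out-interface=ISPTWO action=masquerade
```

The output-chain rules are the part the earlier per-subnet configuration lacked: with the port 80 redirect in place, the client's connection ends at the proxy, and the connection the proxy opens to the web server is a new, router-originated stream that only these rules can mark.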

I tried to make the settings as in the PCC example,
but MK 3.22 does not accept these two rules:

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1
action=mark-connection new-connection-mark=wlan2_conn passthrough=yes

MK does not accept "per-connection-classifier"; this option is not there.

If I want to work the same way you discussed on your page
http://blog.butchevans.com/2008/09/mikrotik-policy-routing-implementation-example/
what else do I need?

Turn off web proxy and the nat rules that redirect traffic to the web proxy.

OK, I turned off web proxy and the NAT rules that redirect traffic to the web proxy,
but it is not working (this has never worked for me before, even with one DSL line).

If you have a copy of a backup file or settings file for the machine that you tried
your example on, please send it.

My email is
am.steen@gmail.com

I tried many times before to run MK with web proxy disabled but I failed.
Is there some way to run MK without web proxy?
The attached file contains all my MK settings;
please check if you have some time.
butche.rsc (14.9 KB)