Multiple Default Routes

Hi All

We are currently trying to set up a management network for our network that will have multiple default routes.

One of the paths is delivered via a GSM network (using an external GSM router) - therefore the MikroTik has the following interfaces:

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s \
    mtu=1500 name="LAN Bridge" priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="Connection to GPRS Router" \
    disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:75:D3:D1 mtu=\
    1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "Connection to Management Network" disabled=no full-duplex=yes l2mtu=1522 \
    mac-address=00:0C:42:75:D3:D2 master-port=none mtu=1500 name=ether2 \
    speed=100Mbps
/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    connect-to=192.168.30.115 dial-on-demand=no disabled=no max-mru=1460 \
    max-mtu=1460 mrru=disabled name=l2tp-out1 password=xxxx profile=\
    default-encryption user=fara

With the following Addressing:

/ip address
add address=192.168.1.121/24 broadcast=192.168.1.255 comment="" disabled=no \
    interface=ether1 network=192.168.1.0
add address=172.17.254.241/28 broadcast=172.17.254.255 comment="" disabled=no \
    interface="LAN Bridge" network=172.17.254.240
add address=172.17.253.2/30 broadcast=172.17.253.3 comment="" disabled=no \
    interface=ether2 network=172.17.253.0

With the following routes:

/ip route
add check-gateway=ping comment="Default Route (Primary)" disabled=\
    no distance=1 dst-address=0.0.0.0/0 gateway=172.17.253.1 scope=30 \
    target-scope=10
add comment="Default Route (Backup)" disabled=no distance=2 \
    dst-address=0.0.0.0/0 gateway=172.17.253.5 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=192.168.30.115/32 gateway=\
    192.168.1.50 scope=30 target-scope=10
add comment="Specific Route to PPTP Server forcing out GPRS Router" disabled=\
    no distance=1 dst-address=192.168.30.115/32 gateway=192.168.1.50 scope=30 \
    target-scope=10

Now I have been adding routes like the following:

add comment="Default Route to GPRS Router for Local Traffic" disabled=no \
    distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.50 routing-mark=direct \
    scope=30 target-scope=10

I then have a mangle rule that marks all traffic coming in ether1 as direct (I have tried a few of these)…

The issue is, I can never get the MT to reply using this interface. If both the L2TP tunnel and ether2 are down, you cannot ping the public IP of the GSM modem (which is configured to pass all traffic to the MT). By using torch I can see that the data is reaching the interface, but the reply is never sent back.

Any ideas, anyone?

Cheers

You have to mark incoming connections and ensure that the correct routing mark is set in the output chain if the packet's destination is the router itself. Examples can be found here:
http://wiki.mikrotik.com/wiki/PCC

Thanks - I had a look… and I'm pretty sure I have tried this… I would have thought in my case this would have worked (ping being received on ether1, and reply going nowhere)… I see this as marking the inbound connection on ether1, and ensuring the reply goes out ether1… and would then use the to_ether1 route table…

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no \
    in-interface=ether1 new-connection-mark=ether1_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=\
    ether1_conn disabled=no new-routing-mark=to_ether1 passthrough=yes

But it didn't work… so I extended it to this…

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no \
    in-interface=ether1 new-connection-mark=ether1_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=\
    ether1_conn disabled=no new-routing-mark=to_ether1 passthrough=yes
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    192.168.1.0/24 in-interface="LAN Bridge"
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local new-connection-mark=ether1_conn passthrough=\
    yes per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting comment="" connection-mark=\
    ether1_conn disabled=no in-interface="LAN Bridge" new-routing-mark=\
    to_ether1 passthrough=yes

But got the same result… the routes are (note most are currently disabled for troubleshooting reasons):

add check-gateway=ping comment=\
    "Default Route to GPRS Router for Local Traffic" disabled=no distance=\
    1 dst-address=0.0.0.0/0 gateway=192.168.1.50 routing-mark=to_ether1 \
    scope=30 target-scope=10
add check-gateway=ping comment="Default Route (Primary)" \
    disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=172.17.253.1 \
    scope=30 target-scope=10
add comment="Default Route (Backup)" disabled=yes distance=2 \
    dst-address=0.0.0.0/0 gateway=172.17.253.5 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=192.168.30.115/32 \
    gateway=192.168.1.50 scope=30 target-scope=10
add comment="Specific Route to PPTP Server forcing out GPRS Router" \
    disabled=no distance=1 dst-address=192.168.30.115/32 gateway=\
    192.168.1.50 scope=30 target-scope=10

Thanks

Just thought I would add to this - if I remove the routing mark on the route, everything works as expected… however this then affects the other routes so isn't a solution, more an observation.

So any ideas, anyone?

It appears that there needs to be a matching route in the default routing table… if this doesn't exist it appears the MikroTik doesn't go looking for routing marks… Could someone confirm this?

As a workaround, the following has got things working for me:

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s l2mtu=65535 max-message-age=20s \
    mtu=1500 name=NULL0 priority=0x8000 protocol-mode=none \
    transmit-hold-count=6

/ip address
add address=10.255.255.9/30 broadcast=10.255.255.11 comment="IP for NULL0" disabled=no \
    interface=NULL0 network=10.255.255.8

/ip route
add comment="Default Route to NULL Interface that is always avaliable - requir\
    ed for routing marks to work correctly" disabled=no distance=200 \
    dst-address=0.0.0.0/0 gateway=10.255.255.10 scope=30 target-scope=10
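The pieces that the thread arrives at, collected into one consistent set as an added example (this is not the poster's export; interface names, marks and addresses are taken from the thread, and the blackhole route at the end is an alternative to the NULL0 bridge workaround, not something the thread itself uses):

```routeros
# Added example, not the poster's configuration. Assumes the thread's interfaces
# (ether1 to the GSM router at 192.168.1.50, ether2 to the management network).

# 1. Mark new connections that arrive via the GSM router, and make the router's
#    own replies to those connections (output chain) use the to_ether1 table.
/ip firewall mangle
add chain=input in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=ether1_conn passthrough=yes
add chain=output connection-mark=ether1_conn \
    action=mark-routing new-routing-mark=to_ether1 passthrough=no

# 2. Default route that is consulted only for packets carrying the to_ether1 mark,
#    so replies leave through the same path the request came in on.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.50 routing-mark=to_ether1 \
    check-gateway=ping distance=1 \
    comment="Replies to traffic that arrived on ether1"

# 3. Normal default routes for everything else (primary and backup via ether2).
add dst-address=0.0.0.0/0 gateway=172.17.253.1 check-gateway=ping distance=1 \
    comment="Default Route (Primary)"
add dst-address=0.0.0.0/0 gateway=172.17.253.5 distance=2 \
    comment="Default Route (Backup)"

# 4. A last-resort default that is always present in the main table, covering the
#    case the thread hit (both ether2 gateways down). The thread uses a dummy bridge
#    with a next hop on it; a high-distance blackhole route gives the same
#    always-present default without an extra interface or address.
add dst-address=0.0.0.0/0 type=blackhole distance=250 \
    comment="Always-present default; traffic that reaches it is dropped"
```

Only connections that enter on ether1 get the connection mark, so management traffic arriving over ether2 or the L2TP tunnel is routed by the main table as before.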