Other default route for specific vlan

Hi,

My setup is as follows: I have multiple VLANs, and they all go to the internet by a default 0.0.0.0/0 route.
But one other VLAN needs to go to a PPTP client gateway.
Is it possible to route specific source addresses to another default route?

I can work in both WinBox and Terminal.

Looking forward to hearing from you.

Kind regards,
Robert-Jan

Of course, just go to IP → ROUTES and you can set up all the routes you want for specific interfaces or networks.

Thanks,
Could you please tell me how to do this?
I have a first default route ‘0.0.0.0/0 to ether1-gateway’ to the internet. Second route to 0.0.0.0/0 with gateway pptp-out1. I want some IP ranges to go over the pptp-out1 and the others over the ether1.

How could I set this up, is it something with Routing Marks?

------ Edit: -----
I have implemented routing marks as explained at
http://blog.butchevans.com/2008/09/mikrotik-policy-routing-implementation-example/

When I ping 8.8.8.8 from my client for example, I can see the packets coming back (torch) at the pptp-out1 interface: source: 8.8.8.8, dest. 192.168.10.37. This is the IP of my client. But the ping packets are not going through the router! Do I need some route for packets to come back to the client? The router knows the subnet is available at a specific vlan..

Thanks in advance.
Kind regards,
Robert-Jan

If you are using routing marks make sure that you have a route back to the originating network (VLAN subnet) with the relevant routing mark. A route is typically added to the main (no mark) table by virtue of the IP address/netmask being set on the interface. Make an additional manual entry that looks similar but has your chosen routing mark.

Hi CelticComms,

Thanks for the information. Still I can’t get it working, hope you will help me with it, I’m still learning..
To start, I have these connections:

  • Default gateway [ether1]
  • VPN A [pptp-out1] (connecting to a Linux VPN server, the client has internet access, I tested it)
  • VPN B [pptp-out2] (connecting to a second Linux VPN server, the client has internet access, I tested it)
  • VLAN 10: 192.168.10.0/24
    — webserver: 192.168.10.37
    — voip server: 192.168.10.88

I want the following three things:

  • All traffic goes via ether1 through masquerading srcnat. Works OK.
  • Web traffic (dst :80) to go to the webserver (192.168.10.37), this all works really well via VPN_B
  • VoIP traffic (dst :5060-tcp/udp, :10000_20000-udp) to go through VPN_A, this goes wrong.

This is because the VoIP server initiates the connection. Strangely enough I can see the packets coming back at VPN_A!
mikrotik torch vpn_a.jpg
The packets already have the right destination address, so that’s easy.

This is my route list:
mikrotik route list.jpg
As you already suggested, I have added some rules to mark the packets on their way back (line 8).
mikrotik firewall.JPG
Lines 1,2 are marked ‘main’
Lines 3,4 are marked ‘VPN_B’
Lines 5,6 are marked ‘main’
Lines 7,8 are marked ‘VPN_A’

Could you please look over it and tell me where I’m wrong? I have the same problems at both the webserver and the VoIP server; ping packets behave the same way too.

Looking forward to hearing from you. Thanks in advance.

Kind regards,
Robert-Jan

Little bump, can anyone please help me out?
I would really appreciate it!

Try uploading your config using /export output - it gives a more comprehensive picture than screenshots. It looks as if you added a rule to mark packets headed for the relevant subnet - but that was not what I meant. What I meant was to have a valid route to the subnet for the relevant routing table (i.e. a routing entry with the relevant routing mark).

Thanks for your answer. I have added the configuration file, hope you can help me. (For your info: I have replaced the passwords and external IPs by xxx.)

I have marked the packets with a routing mark, I thought you meant that. And as said, it almost seems to work!
export.rsc (26.8 KB)

Try adding routes to the relevant source subnets which have the associated routing mark.

e.g. - Add a route to 192.168.10.0/24 with routing mark = VPN_B (same interface etc. as the existing dynamically created route in the main table).

The documentation mentions that main is a default/fallback routing table but I have seen situations where adding an explicit entry with a specific routing mark fixes problems.
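
The suggestion above written out as terminal commands, as an added example that is not part of the original thread and is not a confirmed fix for the poster's problem. It assumes RouterOS v6 syntax (the `routing-mark` property on routes) and takes `VPN_B`, `pptp-out2`, 192.168.10.37 and 192.168.10.0/24 from the posts; `vlan10` is a hypothetical name for the VLAN 10 interface.

```routeros
# Added illustration, RouterOS v6 syntax. "vlan10" is an assumed interface
# name; substitute the interface that carries 192.168.10.0/24.

# 1. Mark packets arriving from the webserver so they are looked up
#    in routing table VPN_B instead of main.
/ip firewall mangle add chain=prerouting in-interface=vlan10 \
    src-address=192.168.10.37 action=mark-routing \
    new-routing-mark=VPN_B passthrough=no comment="webserver via VPN_B"

# 2. Default route that exists only in table VPN_B.
/ip route add dst-address=0.0.0.0/0 gateway=pptp-out2 \
    routing-mark=VPN_B comment="default for VPN_B"

# 3. The route the answer asks for: the originating subnet, entered by hand
#    in table VPN_B, pointing at the same interface as the dynamic
#    connected route that lives in main.
/ip route add dst-address=192.168.10.0/24 gateway=vlan10 \
    routing-mark=VPN_B comment="VLAN 10 subnet in VPN_B"

# 4. Verify: table VPN_B should list both the default route and the
#    192.168.10.0/24 entry, and both should be active.
/ip route print detail where routing-mark=VPN_B

# 5. Confirm the mangle rule is matching by watching its counters
#    while the webserver sends traffic.
/ip firewall mangle print stats
```

The mangle rule marks only traffic sourced from the webserver; a rule that instead marks packets destined for 192.168.10.0/24 is the approach the answer above says was not intended.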

I have tried to create an extra route to 192.168.10.37 (client) with routing mark = VPN_B with a distance of 1.

But, this does not work. What am I doing wrong? When I ping from 192.168.10.37 to 8.8.8.8 almost everything works. I can see the packets coming into the VPN_B torch with the right destination address..
MikroTik route.jpg

Make that route to 192.168.10.0/24 rather than a single IP and then upload the current config again.

No, unfortunately that was not the right solution. Here is the current config.
config.rsc (28 KB)