I have a MK RB532A at home, and I have a mangle marking all packets from one of the LAN IPs with TOS.
4 chain=prerouting action=mark-packet new-packet-mark=sirc passthrough=yes
src-address=192.168.0.35
5 chain=prerouting action=change-dscp new-dscp=6 passthrough=yes
In the datacenter our GW is a MK RB1100AHx2, and it has one mangle to mark the route of all packets with this TOS:
2 X ;;; TOS
chain=prerouting action=mark-routing new-routing-mark=route1
passthrough=no src-address=169.254.107.14 dscp=6
But I don't know why this mangle does not work; it only counts some packets, not all.
Any idea?
Thanks
I don't understand the purpose of rule 4. Can you post your desired outcome? It looks like your rule set would change all traffic to have DSCP 6.
Also it seems that all traffic from one ip will use a custom routing table called route1
Yes, that's the idea: all traffic from this IP must go to the specified route.
Do you have a route with that name? Also do you have traffic going elsewhere?
Yes, and the route is working fine because there are other connections working with this.
If I do this:
3 X ;;;
chain=prerouting action=mark-routing new-routing-mark=route1
passthrough=no src-address=169.254.107.14
instead of:
2 X ;;; TOS
chain=prerouting action=mark-routing new-routing-mark=route1
passthrough=no src-address=169.254.107.14 dscp=6
but the last MK doesn't seem to read the TOS or packet marks well
works fine and all traffic is routed fine.
But I just want to mark some traffic from my LAN, not all.
I am sure that adding the condition of dscp=6 does work.
Are you trying to separate DSCP6 traffic from one IP to go out one gateway and non-DSCP6 out another gateway?
I cannot infer from your examples what your goal is.
Earlier you said you want all traffic from one IP to go to one place. I would not recommend adding any conditions other than the source IP because the extra conditions would only serve to further limit the match, which isn’t your goal, and furthermore takes more processing time to check more criteria.
This is the rule you would want in order to mark all traffic from that IP.
chain=prerouting action=mark-routing new-routing-mark=route1
passthrough=no src-address=169.254.107.14
(I am supposing that the IP you're talking about is an example only. That IP range is not something I would recommend using for internal use and obviously would not be publicly routable. http://packetlife.net/blog/2008/sep/24/169-254-0-0-addresses-explained/ )
The reason for marking some packets is that I want to force the route of one of the LAN IPs; see the mangle of the first MK. I want to force the route only of packets from 192.168.0.35, leaving the others (192.168.0.0/24) without a mark to follow the default route.
If there were only 1 MK I'm sure it would work fine, but there are 2 MK routers, and it seems that the second doesn't read the mark of the first well.
And if on the second router I mark the route as you say, this works, but the problem is the marked packets from the first MK.
I don't know how to explain it better.
Do you have two gateways of which your MikroTik is doing NAT for both? If so you probably want to use NAT rather than mangle.
Packet marks do not stay with the packet. You cannot pass a routing mark between routers. If I had two adjacent routers I would use two layer2 networks to pre-sort the traffic for the second router… for instance, the regular traffic could arrive at the second router as untagged and the special traffic could go through a VLAN. This way you could use the mangle rule to add a routing mark to send it over a VLAN then on the NAT router you could do a mangle rule on all traffic on the VLAN interface to NAT it out the secondary connection…
Here is how to explain it better: Don’t use the MikroTik terms, just explain what you want… like: I have a router in my shop that routes to my house where my internet connection is. I want the shop router to have full internet access but not have access to anything in the house… etc. What I need is a story problem so I can get my head around what you're trying to accomplish. In real terms you're not trying to accomplish NAT or Routing or mangles… you're trying to reliably move packets from one place to another, know what I mean? I need to know what type of a network you're trying to build. What are your functional goals?
By the way, DSCP bits do change the packets so changing the bit may cause routers & switches to handle your traffic differently even outside of your network. DSCP 6 is a very unusual QoS value. If you want to know more about DSCP, I found this chart very helpful: http://www.netcontractor.pl/blog/?tag=dscp
Yes, we have multiple gateways and the second MK is doing NAT (masquerade) for each of them.
I attach a summarized image of our network.
I hope it helps

Do you have an internet connection to both locations or just one of them?
Is MK2 running as a router or a bridge?
If your goal is to simply have internet at the location that the MK2 router is at then you can just be sure that UBNT M5, MK AP Bridge WDS and MK 2 are all in the same layer 2 network and you don’t need any layer 3 services (no routing). If you need the two locations to have different subnets then you will need to have at least one device doing routing.
MK 2 is the internet gateway of MK 1.
MK 2 is running as a router.
Does MK1 need to run in router mode?
It sounds to me a lot like my home network. I have an office in my barn without a direct internet connection and a house with internet. I have a bridge connecting the two locations so that I can have internet at both locations. I have the bridge configured as a true layer 2 bridge (WDS) and the RB2011 that I have in the barn has all ethernet and the wireless configured as members of a bridge. I don’t do any routing on my secondary MikroTik. I have a standard NAT setup on my gateway router except that I am port forwarding web traffic to my laptop internally via DST-NAT so that I can demo web sites that I am working on to people outside of my network.
Yes, MK1 needs to be a router,
and it has a lot of port forwards too.
Are the TOS and packet mark kept from one MK to the other, or do they disappear?
Packet marks disappear between routers; TOS is preserved. A route mark is just a software thing in the MikroTik. The TOS is part of the packet header.
Thanks for the info, so this should work as it is now.
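
The point of the last answer, that a packet or routing mark exists only inside the router that set it while the DSCP bits travel in the IP header, shown as an added Python model (not code from the thread or from MikroTik). Assumptions: MK1's traffic reaches MK2 source-NATed as 169.254.107.14, the destination 203.0.113.10 is a constructed sample, and all function names are hypothetical.

```python
import socket
import struct

def checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, dscp: int = 0) -> bytes:
    """Minimal IPv4 header, no payload. DSCP is the top 6 bits of byte 1 (ToS)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def rewrite(pkt: bytes, src: str = None, dscp: int = None) -> bytes:
    """Rebuild the header with a new source and/or DSCP and a fresh checksum."""
    new_src = src or socket.inet_ntoa(pkt[12:16])
    new_dscp = pkt[1] >> 2 if dscp is None else dscp
    return build_ipv4(new_src, socket.inet_ntoa(pkt[16:20]), new_dscp)

def mk1(pkt: bytes):
    """First router: packet mark and DSCP 6 only for 192.168.0.35, then src-NAT."""
    local_marks = {}
    if socket.inet_ntoa(pkt[12:16]) == "192.168.0.35":
        local_marks["packet-mark"] = "sirc"   # kept in MK1's memory only
        pkt = rewrite(pkt, dscp=6)            # written into the header
    # Assumption: MK1 masquerades LAN traffic behind 169.254.107.14.
    return rewrite(pkt, src="169.254.107.14"), local_marks

def mk2(wire_bytes: bytes) -> str:
    """Second router: receives header bytes only, so it can match DSCP
    but has no way to see the mark MK1 attached."""
    src = socket.inet_ntoa(wire_bytes[12:16])
    if src == "169.254.107.14" and wire_bytes[1] >> 2 == 6:
        return "route1"
    return "main"

def route_for(lan_src: str) -> str:
    """Routing table MK2 picks for a packet sent by a host behind MK1."""
    pkt, _marks = mk1(build_ipv4(lan_src, "203.0.113.10"))  # marks stay on MK1
    return mk2(pkt)
```

DSCP 6 appears on the wire as ToS byte 0x18, which is the value to look for in a capture taken between the two routers.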