PBR base on destination ip address-list

OK, this time I tested my configuration for 2 hours; I think it works fine.


/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP-1
set [ find default-name=ether2 ] name=ether2-ISP-2

/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=124.127.1.2/30 interface=ether1-ISP-1 network=124.127.1.0
add address=114.240.2.2/30 interface=ether2-ISP-2 network=114.240.2.0

/ip firewall address-list
add address=1.2.4.0/24 list=list_ISP-2
add address=8.129.0.0/16 list=list_ISP-2
add address=14.204.0.0/15 list=list_ISP-2

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT44 for WAN1" out-interface=ether1-ISP-1
add action=masquerade chain=srcnat comment="NAT44 for WAN2" out-interface=ether2-ISP-2
add action=dst-nat chain=dstnat comment="OpenVPN TAP server" dst-port=1194 in-interface-list=WAN-ports protocol=tcp to-addresses=192.168.88.10 to-ports=1194
add action=dst-nat chain=dstnat comment="iperf server" dst-port=5201 in-interface-list=WAN-ports protocol=tcp to-addresses=192.168.88.10 to-ports=5201

/ip firewall mangle

The PBR interface needs an "accept" rule configured; if not, it will drop packets.

In my example, there is a port mapping set in the LAN: a Debian server directly linked to a bridge port.

But when I configured it to accept everything, the OVPN TUN server in my router lost one client:

the firewall cannot mark all connections; traffic from that client was always no-mark.

add action=accept chain=prerouting comment="Accept dst-nat traffic from ISP-2" connection-mark=no-mark connection-state=new dst-port=1194,5201 in-interface=ether2-ISP-2 protocol=tcp
add action=accept chain=prerouting comment="Accept masquerade traffic from ISP-2" connection-nat-state=srcnat in-interface=ether2-ISP-2

Mark the connection in when traffic arrives on the PBR interface; thanks anav,

RouterOS v7.0.5 Dual PPPoE Wan Setup. - #23 by anav

That is a very great idea: traffic only in/out of the router and traffic forwarded from/to the LAN need 2 different marks.

I used one at first, which made a traffic loop.

add action=mark-connection chain=prerouting comment="from ISP-2 mark connection" connection-mark=no-mark in-interface=ether2-ISP-2 new-connection-mark=ISP-2-in-connection passthrough=yes
add action=mark-routing chain=output comment="ISP-2 reply PBRouting mark" connection-mark=ISP-2-in-connection new-routing-mark=ISP-2-PBR passthrough=yes

Mark traffic from the LAN and from the router itself

# address-list names are case-sensitive: the list is defined above as list_ISP-2, so it must be spelled the same way here
add action=mark-connection chain=output comment="base on dst-ip address-list ISP-2-PBR-connection mark -- router itself" connection-mark=no-mark dst-address-list=list_ISP-2 new-connection-mark=ISP-2-in-connection passthrough=yes src-address-type=local
add action=mark-connection chain=prerouting comment="base on dst-ip address-list ISP-2-PBR-connection mark traffic from LAN" connection-mark=no-mark connection-nat-state=!dstnat dst-address-list=list_ISP-2 in-interface-list=LAN new-connection-mark=ISP-2-PBR-connection passthrough=yes
add action=mark-routing chain=prerouting comment="ISP-2 routing mark by packet" disabled=yes new-routing-mark=ISP-2-PBR packet-mark=ISP-2-PBR-packet passthrough=yes

/routing table
add disabled=no fib name=ISP-2-PBR

/routing rule
add action=lookup-only-in-table disabled=no routing-mark=ISP-2-PBR table=ISP-2-PBR
add action=lookup disabled=no routing-mark=main table=main

/ip route
add check-gateway=arp disabled=no distance=1 dst-address=0.0.0.0/0 gateway=124.127.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=arp disabled=no distance=2 dst-address=0.0.0.0/0 gateway=114.240.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=arp disabled=no distance=1 dst-address=0.0.0.0/0 gateway=114.240.2.1 pref-src="" routing-table=ISP-2-PBR scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=arp disabled=no distance=2 dst-address=0.0.0.0/0 gateway=124.127.1.1 pref-src="" routing-table=ISP-2-PBR scope=30 suppress-hw-offload=no target-scope=10


I wrote some notes in the configuration; thanks anav again.
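Added example, not part of the post above: the interface lists WAN-ports and LAN that the posted rules reference are not shown in the post, so their membership below is an assumption built from the interfaces the post defines; the prerouting mark-routing rule for ISP-2-PBR-connection is also an assumption (the post marks LAN connections with that mark but shows no enabled rule turning it into a routing mark). The print commands at the end are the checks for confirming that marks are applied and rules are hit.

```routeros
# Assumption: interface lists referenced by the posted nat/mangle rules
/interface list
add name=WAN-ports
add name=LAN
/interface list member
add list=WAN-ports interface=ether1-ISP-1
add list=WAN-ports interface=ether2-ISP-2
add list=LAN interface=bridge

# Assumption: without a mark-routing rule for ISP-2-PBR-connection, LAN flows
# to list_ISP-2 destinations keep the connection mark but stay in the main table
/ip firewall mangle
add action=mark-routing chain=prerouting comment="ISP-2 PBR routing mark for LAN" \
    connection-mark=ISP-2-PBR-connection in-interface-list=LAN \
    new-routing-mark=ISP-2-PBR passthrough=yes

# Checks: which connections carry which mark, and whether each mangle rule is
# actually matched (a rule stuck at 0 packets usually means a mistyped list,
# interface or mark name, since those names are case-sensitive)
/ip firewall connection print where connection-mark=ISP-2-in-connection
/ip firewall connection print where connection-mark=ISP-2-PBR-connection
/ip firewall mangle print stats
/routing rule print
/ip route print where routing-table=ISP-2-PBR
```

Run the print commands while a LAN host is talking to an address inside list_ISP-2 and while a client connects to the OpenVPN port through ether2-ISP-2, so both mark paths show traffic.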