PBR issues with 2 eth in same lan

Hello,
I have an issue with a very simple setup:
there are two ISPs, A and B, and two ether interfaces in the SAME subnet (192.168.0.1/24 and 192.168.0.2/24).

I want traffic from stations that goes to ether1 to use ISP A, and traffic to ether2 to go to ISP B, nothing more than that… (by simply changing the default gw of a station I pick which ISP to use)

ISP A is a PPPoE dynamic IP and ISP B a static IP on ethernet.

So I created a mangle rule:

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes in-interface=ether1lan log-prefix="" new-routing-mark=isp1 passthrough=no
add action=mark-routing chain=prerouting disabled=yes in-interface=ether2lan2 log-prefix="" new-routing-mark=isp2 passthrough=no

Then I added two routes with the scope values left at default, without touching the dynamically generated one; for the PPPoE one I used the interface name:

/ip route
add distance=1 gateway=a.b.c.d routing-mark=isp2
add distance=1 gateway="ISP 2 PPPoE" routing-mark=isp2

No route shows as unreachable.

The moment I enable the first mangle rule, I lose all connectivity to the RouterBoard: ping to ether1 is lost (I have to connect Winbox via MAC) and ping from the utik to the LAN is lost as well. I see the traffic counting up so it’s marking, but something breaks in between.

Changing passthrough made no difference. Disabling the ether2 IP and mangle rule also made no difference.

Any ideas? Am I doing something wrong by just using “in-interface”? Do I need to specifically list the LAN address range?

Interesting: I found out that if I enable the 2nd interface then the traffic dies… even if the interface is not yet physically connected…

What is going on!?!

The loss of connectivity is because you don’t have your LAN IP range excluded from PBR and/or included in every policy’s routing table.

This command will fix that problem:
/ip route rule add dst=192.168.0.0/16 action=lookup-only-in-table table=main

Interesting, at first it didn’t work UNTIL I physically connected the ether2 interface and it went link up, THEN it started responding to ping and forwarding traffic. Any idea why?

Now the traffic from ether1 to wan1 works, but the PBR is not working for the 2nd ISP. I see the mangle numbers rising, but I think I’m missing or doing something wrong on the masquerade…
I forgot to add that I do have a 3rd network, but that one is on a different interface and subnet so it should be easier to fix; that one is 192.168.1.0 and can be forgotten for now.

Here’s the config:

/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=ether1lan log-prefix="" new-routing-mark=arnet passthrough=no
add action=mark-routing chain=prerouting in-interface=ether2lan2 log-prefix="" new-routing-mark=integra passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes log-prefix="" out-interface=ether5integra routing-mark=integra
add action=masquerade chain=srcnat log-prefix="" src-address=10.10.10.0/24
add action=masquerade chain=srcnat log-prefix="" out-interface="Arnet VDSL PPPoE" src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=yes log-prefix="" out-interface="Arnet VDSL PPPoE"

The disabled rules were tests, and the older rule from before all this is the last one.

/ip route
add distance=1 gateway=a.b.c.d.e routing-mark=integra
add distance=1 gateway="Arnet VDSL PPPoE" routing-mark=arnet
/ip route rule
add dst-address=10.10.10.0/24 table=main
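For reference, here is a complete version of the setup this thread is working towards, as an added example rather than any poster's actual config. It reuses the interface and mark names from the config above (ether1lan, ether2lan2, ether5integra, "Arnet VDSL PPPoE", arnet, integra); the gateway a.b.c.d is a placeholder, and the address list name local-nets is my own.

```routeros
# Added example, not a poster's configuration. Gateway a.b.c.d is a placeholder.

# All directly attached LANs, so they can be excluded from PBR in one place.
/ip firewall address-list
add list=local-nets address=192.168.0.0/24
add list=local-nets address=192.168.1.0/24
add list=local-nets address=10.10.10.0/24

# 1. Route rules: anything destined for a local LAN (including the router's
#    own LAN addresses) is looked up in main only, never in a marked table
#    that holds nothing but a default route. This is what restores ping and
#    Winbox access once the mangle rules are enabled.
/ip route rule
add dst-address=192.168.0.0/24 action=lookup-only-in-table table=main
add dst-address=192.168.1.0/24 action=lookup-only-in-table table=main
add dst-address=10.10.10.0/24 action=lookup-only-in-table table=main

# 2. Mangle: mark by ingress interface, but skip LAN-to-LAN traffic so the
#    mark only ever applies to packets that really are leaving for the WAN.
/ip firewall mangle
add chain=prerouting in-interface=ether1lan dst-address-list=!local-nets \
    action=mark-routing new-routing-mark=arnet passthrough=no
add chain=prerouting in-interface=ether2lan2 dst-address-list=!local-nets \
    action=mark-routing new-routing-mark=integra passthrough=no

# 3. One default route per marked table. The PPPoE route uses the interface
#    name because its peer address is dynamic; the static ISP uses its gateway.
/ip route
add dst-address=0.0.0.0/0 gateway="Arnet VDSL PPPoE" routing-mark=arnet distance=1
add dst-address=0.0.0.0/0 gateway=a.b.c.d routing-mark=integra distance=1

# 4. NAT: masquerade on the egress interface, not on routing-mark or on
#    src-address alone. A src-address-only masquerade also rewrites traffic
#    between the LANs, which hides the real client address from the other subnet.
/ip firewall nat
add chain=srcnat out-interface="Arnet VDSL PPPoE" action=masquerade
add chain=srcnat out-interface=ether5integra action=masquerade
```

Check the result with /ip route print where routing-mark=integra and by watching the per-rule counters in /ip firewall nat print stats: a marked flow whose bytes never appear on the ether5integra masquerade rule is leaving via the wrong table.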

Your two-eth-one-lan configuration… are the two eth’s connected by a bridge interface?
You may need to go enable use-ip-firewall=yes on the bridge settings, because w/o that, the two etherX interfaces aren’t IP interfaces.

No, of course they’re not bridged; if they were bridged it would be like having two IPs on the same interface, which is where the problem originated.

If each of the etherX has an IP address assigned to it, how come they aren’t IP interfaces?