Policy Based Routing

Hello,

I have a problem and hope you can maybe help me.
My config is the following:

I have a CCR1009-8G-1S-1S+, with different vlans.
On one of these vlans are my computers and on another net is my "webserver".
Now I have 2 ISPs.
I want to use one for all vlans and one for the webserver.
For that I have used the following mangle rule:

add action=mark-routing chain=prerouting comment="Client 1 ueber DSL B" disabled=no new-routing-mark=dslB passthrough=yes src-address=10.10.90.2

It works, but now I have the problem that I have no more connection from my computer to my webserver.
Does anyone have an idea what the problem is and how to solve it?


Thanks
lg stonie

Maybe your other routing table does not have a route to your computer? If so, either add it, or (IMHO better) add a rule in /ip route rule to look for the route to your computer only in the main table.

But when I deactivate the mangle rule, then the connection works as it should.
Or must I change other settings in the routes with the mangle rule activated?

/ip route rule add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main
(Or if you’re using 10.x.x.x space internally, then replace the 192.168.0.0/16 with 10.0.0.0/8)

I recommend using a large CIDR block like that in one rule so that:
a) there are fewer rules for your router to check
b) they work whenever you add/remove/change some of your LAN segments

If you don’t do this step above, then you need to add your local IP ranges to every routing table in your router, or else make early-exit rules which don’t route-mark the packets whose destination IP is one of your LANs.

The routing rule is the most straightforward, succinct, understandable way to do it.

Thank you for your help, but unfortunately it doesn't work :confused:
The only thing I want is the following:
webserver over ISP1.
All other PCs over ISP2.
And if ISP2 fails, then fall back to ISP1, only in this direction. If ISP1 fails, then bad luck :laughing:

And connections from all networks to and from the webserver (restrictions are done via firewall rules).
I have no idea how to achieve that :confused:
Before I got my second ISP everything worked fine, but this has been giving me a headache for some time.

If it helps to find the problem, here is my config:
nat:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; QSC
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""

1 ;;; Skytron
chain=srcnat action=masquerade out-interface=ether6 log=no log-prefix=""

2 ;;; OVPN
chain=dstnat action=dst-nat to-addresses=10.10.15.2 to-ports=1194 protocol=udp
in-interface=pppoe-out1 dst-port=1194 log=yes log-prefix=""

3 ;;; webserver
chain=dstnat action=dst-nat to-addresses=10.10.90.2 to-ports=443 protocol=tcp
in-interface=pppoe-out1 dst-port=443 log=yes log-prefix=""

mangle

Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=change-mss new-mss=1440 passthrough=yes tcp-fl
protocol=tcp out-interface=all-ppp tcp-mss=1441-65535 log=no
log-prefix=""

1 D chain=forward action=change-mss new-mss=1440 passthrough=yes tcp-fl
protocol=tcp in-interface=all-ppp tcp-mss=1441-65535 log=no log-pre

2 ;;; webserver ueber QSC
chain=prerouting action=mark-routing new-routing-mark=to_QSC
passthrough=yes src-address=10.10.90.2 log=no log-prefix=""

Filter Rules

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; allow already established or related connections
chain=input action=accept connection-state=established,related log=no log-prefix=""

1 ;;; allow ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

2 ;;; Drop everthing else expect from LAN
chain=input action=drop src-address=10.10.20.3 in-interface=!vlan20 log=no log-prefix=""

3 ;;; allow already established or related connections
chain=forward action=accept connection-state=established,related log=no log-prefix=""

4 ;;; Drop invalid connections
chain=forward action=drop connection-state=invalid log=no log-prefix=""

5 ;;; allow connections from Managment Mikrotik Switch
chain=forward action=accept in-interface=vlan10 log=no log-prefix=""

6 ;;; allow connections from Server
chain=forward action=accept in-interface=vlan15 log=no log-prefix=""

7 ;;; allow connections from LAN
chain=forward action=accept in-interface=vlan20 log=no log-prefix=""

8 ;;; Allow connection from DMZ (Vitocom)
chain=forward action=accept in-interface=vlan30 out-interface=pppoe-out1 log=no log-prefix=""

9 ;;; Allow DNS from DMZ (Vitocom) to LAN
chain=forward action=accept protocol=udp dst-address=10.10.15.2 in-interface=vlan30 out-interface=vlan15 dst-port=53 log=yes log-prefix=""

10 ;;; allow connections from Mobydick
chain=forward action=accept in-interface=vlan35 log=no log-prefix=""

11 ;;; allow connections from BUS
chain=forward action=accept in-interface=vlan45 log=no log-prefix=""

12 ;;; Allow connection for Guests
chain=forward action=accept in-interface=vlan60 out-interface=pppoe-out1 log=no log-prefix=""

13 ;;; Allow DNS for Guests to LAN
chain=forward action=accept protocol=udp dst-address=10.10.15.2 in-interface=vlan60 out-interface=vlan15 dst-port=53 log=yes log-prefix=""

14 ;;; Allow connection from DMZ (Webserver)
chain=forward action=accept in-interface=ether7 out-interface=pppoe-out1 log=no log-prefix=""

15 ;;; Allow DNS und NTP from DMZ to LAN
chain=forward action=accept protocol=udp src-address=10.10.90.2 dst-address=10.10.15.2 in-interface=ether7 out-interface=vlan15 dst-port=53,123 log=yes log-prefix=""

16 ;;; Allow LDAPs, MySQL from DMZ to LAN
chain=forward action=accept protocol=tcp src-address=10.10.90.2 dst-address=10.10.15.2 in-interface=ether7 out-interface=vlan15 dst-port=636,3306,389 log=yes log-prefix=""

17 ;;; Allow PowerChute Network Shutdown
chain=forward action=accept protocol=udp src-address=10.10.90.2 dst-address=10.10.10.8 in-interface=ether7 out-interface=vlan10 dst-port=3052 log=yes log-prefix=""

18 ;;; Allow Cifs to fs01
chain=forward action=accept protocol=tcp src-address=10.10.90.2 dst-address=10.10.15.3 in-interface=ether7 out-interface=vlan15 dst-port=139,445 log=yes log-prefix=""

19 ;;; Allow input connection to Webserver
chain=forward action=accept protocol=tcp dst-address=10.10.90.2 out-interface=ether7 dst-port=443 log=no log-prefix=""

20 ;;; OpenVPN
chain=forward action=accept protocol=udp dst-address=10.10.15.2 out-interface=vlan15 dst-port=1194 log=no log-prefix=""

21 ;;; Deny ICMP Type 8
chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!vlan20 out-interface=vlan20 icmp-options=8:0-255 log=no log-prefix=""

22 ;;; Deny ICMP Type 17
chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!vlan20 out-interface=vlan20 icmp-options=17:0-255 log=no log-prefix=""

23 ;;; Deny ICMP Type 15
chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!vlan20 out-interface=vlan20 icmp-options=15:0-255 log=no log-prefix=""

24 ;;; Deny ICMP Type 30
chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!vlan20 out-interface=vlan20 icmp-options=30:0-255 log=no log-prefix=""

25 ;;; TCP port 0 DDoS protection
chain=forward action=drop protocol=tcp port=0 log=no log-prefix=""

26 ;;; UDP port 0 DDoS protection
chain=forward action=drop protocol=udp port=0 log=no log-prefix=""

27 ;;; Drop everthing else
chain=forward action=drop log=no log-prefix=""

routes

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 192.168.0.1 1
1 A S 0.0.0.0/0 211.135.132.8 1
2 A S 0.0.0.0/0 192.168.0.1 1
3 S 0.0.0.0/0 211.135.132.8 2
4 A S 10.8.0.0/24 10.10.15.2 4
5 ADC 10.10.10.0/24 10.10.10.1 vlan10 0
6 ADC 10.10.15.0/24 10.10.15.1 vlan15 0
7 ADC 10.10.20.0/24 10.10.20.1 vlan20 0
8 ADC 10.10.30.0/24 10.10.30.1 vlan30 0
9 ADC 10.10.35.0/24 10.10.35.1 vlan35 0
10 ADC 10.10.45.0/24 10.10.45.1 vlan45 0
11 ADC 10.10.60.0/24 10.10.60.1 vlan60 0
12 ADC 10.10.90.0/24 10.10.90.1 ether7 0
13 ADC 192.168.0.0/24 192.168.0.103 ether6 0
14 ADC 211.135.132.8/32 91.212.12.51 pppoe-out1 0

route rules

Flags: X - disabled, I - inactive
0 dst-address=10.10.0.0/24 action=lookup-only-in-table table=main

Your route rule is wrong.
It should be 10.10.0.0/16 at the very least, but probably just use 10.0.0.0/8.

The reason is that if any host in any network OTHER than 10.10.0.X tries to reach the server, then the server’s replies will not have any route to reach it due to policy routing.
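The asymmetric failure described above, as an added simulation that is not from the thread or from RouterOS: it models the mangle mark-routing, /ip route rule and table-lookup steps in simplified form, using the thread's own addresses, table name and gateways, and shows why the webserver's replies leave via the ISP with the /24 rule but reach vlan20 with the /8 rule.

```python
import ipaddress

# Added simulation of the RouterOS policy-routing pipeline from this thread:
# mangle mark-routing -> /ip route rule -> table lookup. Not RouterOS code;
# the addresses, table name and gateways are the thread's, the model is simplified.
WEBSERVER = ipaddress.ip_address("10.10.90.2")
# Connected routes exist only in "main"; the marked table holds just its default route.
CONNECTED = [
    (ipaddress.ip_network("10.10.20.0/24"), "vlan20"),
    (ipaddress.ip_network("10.10.90.0/24"), "ether7"),
    (ipaddress.ip_network("192.168.0.0/24"), "ether6"),
]
DEFAULT_GW = {"main": "192.168.0.1", "to_QSC": "211.135.132.8"}  # Skytron, QSC

def mangle_mark(src):
    """Mangle rule 2 of the thread: traffic from the webserver gets routing-mark to_QSC."""
    return "to_QSC" if src == WEBSERVER else "main"

def apply_route_rules(dst, mark, rules):
    """/ip route rule ... action=lookup-only-in-table: the first matching rule wins."""
    for prefix, table in rules:
        if dst in prefix:
            return table
    return mark

def table_lookup(table, dst):
    """Simplified lookup: connected routes only in main, otherwise the table's default."""
    if table == "main":
        for net, iface in CONNECTED:
            if dst in net:
                return iface
    return "gw " + DEFAULT_GW[table]

def egress(src, dst, rules):
    """Return the interface or gateway a packet src->dst leaves the router through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = [(ipaddress.ip_network(p), t) for p, t in rules]
    return table_lookup(apply_route_rules(dst, mangle_mark(src), rules), dst)

BROKEN_RULES = [("10.10.0.0/24", "main")]  # the /24 rule from the thread
FIXED_RULES = [("10.0.0.0/8", "main")]     # the recommended rule

if __name__ == "__main__":
    # The PC reaches the webserver either way; the reply only comes back with the fix.
    print(egress("10.10.20.5", "10.10.90.2", BROKEN_RULES))  # ether7
    print(egress("10.10.90.2", "10.10.20.5", BROKEN_RULES))  # gw 211.135.132.8
    print(egress("10.10.90.2", "10.10.20.5", FIXED_RULES))   # vlan20
```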

You are really really my hero :smiley: .
Thank you very much. Such a simple thing, and I have been trying for half a year to get it to work :open_mouth: .

May I ask you, if you have the time and inclination, to have a look over my filter rules?
If there is anything that is not in the right position, or there is something to improve.
Only if it is no trouble for you :wink:

My knowledge of networks and MikroTik is unfortunately not so big. Most things are copied together.
I'm really happy that you helped me, and that it works again.

Thank you :slight_smile:

Filter rule 2 is broken.
As your filter rules stand right now, your router is accessible from the entire Internet, and that’s almost certainly not what you want.

You should replace it with two rules:
chain=input in-interface=wan1 action=drop
chain=input in-interface=wan2 action=drop

If you access the router from outside your network, then these rules would break that - you could either make a whitelist of addresses that are allowed to connect to the router, or else white-list a particular service (such as Winbox) from the outside.

Thanks a lot. That's definitely not what I want :wink:
I have changed it to:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; allow already established or related connections
chain=input action=accept connection-state=established,related log=no
log-prefix=""

1 ;;; allow ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

2 ;;; Drop everthing else expect from LAN (skytron)
chain=input action=drop in-interface=ether6 log=no log-prefix=""

3 ;;; Drop everthing else expect from LAN (QSC)
chain=input action=drop in-interface=pppoe-out1 log=no log-prefix=""

4 ;;; allow already established or related connections
chain=forward action=accept connection-state=established,related log=no
log-prefix=""

5 ;;; Drop invalid connections
chain=forward action=drop connection-state=invalid log=no log-prefix=""

6 ;;; allow connections from Managment Mikrotik Switch
chain=forward action=accept in-interface=vlan10 log=no log-prefix=""

7 ;;; allow connections from Server
chain=forward action=accept in-interface=vlan15 log=no log-prefix=""

8 ;;; allow connections from LAN
chain=forward action=accept in-interface=vlan20 log=no log-prefix=""

9 ;;; Allow connection from DMZ (Vitocom)
chain=forward action=accept in-interface=vlan30 out-interface=pppoe-out1
log=no log-prefix=""

10 ;;; Allow DNS from DMZ (Vitocom) to LAN
chain=forward action=accept protocol=udp dst-address=10.10.15.2
in-interface=vlan30 out-interface=vlan15 dst-port=53 log=yes
log-prefix=""

11 ;;; allow connections from Mobydick
chain=forward action=accept in-interface=vlan35 log=no log-prefix=""

12 ;;; allow connections from BUS
chain=forward action=accept in-interface=vlan45 log=no log-prefix=""

13 ;;; Allow connection for Guests
chain=forward action=accept in-interface=vlan60 out-interface=pppoe-out1
log=no log-prefix=""

14 ;;; Allow DNS for Guests to LAN
chain=forward action=accept protocol=udp dst-address=10.10.15.2
in-interface=vlan60 out-interface=vlan15 dst-port=53 log=yes
log-prefix=""

15 ;;; Allow connection from DMZ (Webserver)
chain=forward action=accept in-interface=ether7 out-interface=pppoe-out1
log=no log-prefix=""

16 ;;; Allow DNS und NTP from DMZ to LAN
chain=forward action=accept protocol=udp src-address=10.10.90.2
dst-address=10.10.15.2 in-interface=ether7 out-interface=vlan15
dst-port=53,123 log=yes log-prefix=""

17 ;;; Allow LDAPs, MySQL from DMZ to LAN
chain=forward action=accept protocol=tcp src-address=10.10.90.2
dst-address=10.10.15.2 in-interface=ether7 out-interface=vlan15
dst-port=636,3306,389 log=yes log-prefix=""

18 ;;; Allow PowerChute Network Shutdown
chain=forward action=accept protocol=udp src-address=10.10.90.2
dst-address=10.10.10.8 in-interface=ether7 out-interface=vlan10
dst-port=3052 log=yes log-prefix=""

19 ;;; Allow Cifs to fs01
chain=forward action=accept protocol=tcp src-address=10.10.90.2
dst-address=10.10.15.3 in-interface=ether7 out-interface=vlan15
dst-port=139,445 log=yes log-prefix=""

20 ;;; Allow input connection to Webserver
chain=forward action=accept protocol=tcp dst-address=10.10.90.2
out-interface=ether7 dst-port=443 log=no log-prefix=""

21 ;;; OpenVPN
chain=forward action=accept protocol=udp dst-address=10.10.15.2
out-interface=vlan15 dst-port=1194 log=no log-prefix=""

22 ;;; Deny ICMP Type 8
chain=forward action=reject reject-with=icmp-host-unreachable
protocol=icmp in-interface=!vlan20 out-interface=vlan20
icmp-options=8:0-255 log=no log-prefix=""

23 ;;; Deny ICMP Type 17
chain=forward action=reject reject-with=icmp-host-unreachable
protocol=icmp in-interface=!vlan20 out-interface=vlan20
icmp-options=17:0-255 log=no log-prefix=""

24 ;;; Deny ICMP Type 15
chain=forward action=reject reject-with=icmp-host-unreachable
protocol=icmp in-interface=!vlan20 out-interface=vlan20
icmp-options=15:0-255 log=no log-prefix=""

25 ;;; Deny ICMP Type 30
chain=forward action=reject reject-with=icmp-host-unreachable
protocol=icmp in-interface=!vlan20 out-interface=vlan20
icmp-options=30:0-255 log=no log-prefix=""

26 ;;; TCP port 0 DDoS protection
chain=forward action=drop protocol=tcp port=0 log=no log-prefix=""

27 ;;; UDP port 0 DDoS protection
chain=forward action=drop protocol=udp port=0 log=no log-prefix=""

28 ;;; Drop everthing else
chain=forward action=drop log=no log-prefix=""

Any more holes that I don't want, or is it okay now?

Input chain seems fine.
Not really looking too deeply into your forwarding policy, since I'm not sure what all the behaviors you want enforced are, etc.