Policy Routing?

Is Policy Routing available in 2.9? I haven’t been able to find anything similar to 2.8, although it’s still in the mangle setup.

Thanks!

Steve

Yes, it is available.

But now it is integrated. Use the new action “mark routing” and then route on the mark.

Still figuring it out myself.

Joe

Thanks for the info. What I’m trying to do is set up two different routes to the Internet, but I can’t figure out how to add two default gateways (even using mark routing). If I try to add a new gateway route using a mark routing tag, it just overwrites the original default gateway.

Also, what’s the use of a second gateway address when you configure through Winbox? If I click the arrow, another space opens up and I can enter a second IP. Haven’t figured out why yet?

Solved in RC2. Works great.

Hi,

I’ve ..sort of.. got policy routing going in 2.9 … But can you elaborate on how you use the MARK and how to ensure the IP range you specify goes to the correct gateway..

I want to do exactly what you say you have done… but am kinda hazy on it !! There is not yet a 2.9 policy routing manual to read..

Many thanks..

Steve,

Could you post an example of your mark and mangle chains please as I am really floundering here !!

Cheers.

Sure thing.

First thing you do is create an address list of the IPs you want to route out your secondary gateway. Do that through IP / Firewall / Address List in Winbox.

Then add your mangle:

chain=prerouting in-interface=lan1 src-address-list=dsl_out action=mark-routing new-routing-mark=dsl

lan1 is the interface the clients are coming in on in this example.

In Winbox add a route as follows:

Destination: 0.0.0.0/0
Gateway: a.b.c.d (whatever your secondary gateway’s ip is)
Mark: dsl


This only worked in RC2 so make sure you’re on the latest.

Thanks a million..

At least it is a start - before I was totally stuffed.
And thanks for the WINBOX examples. I use Winbox, but the manuals mention the command line (ok, you can translate, but this is better).

MANY thanks again.

I will try to let you know how I get on..

Cheers, Bill

One final point, I have (obviously) TWO in-interfaces, and one out.

To correspond with your example, I would assume those addresses NOT routed via my secondary gateway would go via the primary gateway??

Have I got it yet ??!!

Cheers and many thanks again.

Those addresses not route-marked will follow the original routes.

One other thing you should be aware of is the route-marked packets will not see any other routes in your router either.

And if you don’t have a spare Tik box to test things on, get one. Saves a lot of grief.

Ok I guess I could do with a ..little.. more help - sorry.
(BTW I help run a small wISP, I am at the end of the line and have a couple more routes into the wISP if I screw up the MT box - I am getting used to wiping the routing table and restarting from a plugged in terminal :wink:)

a) The address-list. In the drop down box I call it (say) ADSL.

b) MANGLE is the thing that gets me.. In-interface is ether1 for me. SRC-address-list is what ?? ADSL ??
Action mark-routing is obvious
new-routing-mark= ADSL again ??

c) Then the new route is ok, the secondary gateway is ether1, and the mark is ADSL.

Only trouble is, I think I have got the mangled mangled up. Because it does not work..

Sorry to be such a dimwit but I am mainly the radio guy, and the computer IP person a long way second…

Cheers !!

In Winbox:

Mangle Rule

General Tab:
Chain: Prerouting
In Interface: ether1

Advanced Tab:
Src. Address List: ADSL

Action Tab:
Action: mark routing
New Routing Mark: adsl


You shouldn’t have anything else in the Mangle Tabs selected. If you set it up that way, you should see the packet/byte counts increasing and you should be seeing traffic on the Statistics Tab. If you don’t, the only thing I can think of is you don’t have the right addresses in your ADSL Address List?
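The same three-step setup (address list, mangle rule, marked default route) that Steve gives above in Winbox terms, written as RouterOS CLI commands. This is an added example, not configuration from any poster in this thread: the interface names lan1, dsl_wan and main_wan, the address list dsl_out, the routing mark dsl, the host addresses and the gateway 203.0.113.1 are placeholders to be replaced with your own values.

```routeros
# Added example (not from the original posts). Names and addresses below are
# assumed placeholders; substitute your own interfaces, hosts and gateway.

# 1. Address list of the hosts that should leave via the secondary gateway
#    (Winbox: IP / Firewall / Address List)
/ip firewall address-list add list=dsl_out address=192.168.88.10
/ip firewall address-list add list=dsl_out address=192.168.88.11

# 2. Mangle rule: tag packets from those hosts with a routing mark.
#    in-interface is the LAN interface the clients arrive on, not the WAN
#    interface they should leave by; with the WAN interface here the rule
#    never matches and the counters stay at zero.
#    (Winbox: General -> Chain/In Interface, Advanced -> Src. Address List,
#     Action -> mark routing / New Routing Mark)
/ip firewall mangle add chain=prerouting in-interface=lan1 src-address-list=dsl_out action=mark-routing new-routing-mark=dsl

# 3. A default route that only packets carrying the mark will use
#    (Winbox: IP / Routes, Destination 0.0.0.0/0, Gateway, Mark)
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=dsl

# 4. Source NAT on both uplinks so replies come back to whichever link
#    the connection actually left by
/ip firewall nat add chain=srcnat out-interface=dsl_wan action=masquerade
/ip firewall nat add chain=srcnat out-interface=main_wan action=masquerade
```

To check it, watch the mangle rule’s packet and byte counters (the Statistics tab in Winbox) while a host from dsl_out generates traffic; if they stay at zero the rule is not matching, and the in-interface or the list contents are the usual culprits. Remember the caveat given earlier in the thread: marked packets only see routes that carry the same mark, so a dsl_out host that also needs to reach other networks behind the router needs copies of those routes with routing-mark=dsl as well, which is what the duplicated routes with routing-mark=coxres in Sam’s route print further down are doing.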

Thanks, I had the wrong IN-INTERFACE specified in the MANGLE.
I was specifying the ‘out interface’, i.e. the secondary gateway.

Whereas when I specify the main interface everything comes in on it works wonderfully.

I can change my PC ip and see the route change from the ethernet/DSL to the wireless/wISP.

SO - very many thanks.

PS this is routed via the ethernet/DSL line !!

I am trying to route port 25 and others out a different connection using routing marks. The mangle counters are increasing so I know the packets are getting marked, but it seems the routing table is not routing based on mark. I cannot use address lists with source/dest ports. Previously in 2.8 we had to mark the connection, mark the flow, and then set up the route table to handle that. When importing the configuration into 2.9 we lost some of that config, so I’m trying to figure out what to add back. For starters I just want anything coming in on the 2nd connection to route right back out the second connection, but it’s not using the route I’ve set up. Is there no more marking the connection and then the flow, you simply mangle and add the routing mark once? We are using NAT on both connections, and all src-nats are set up as they previously were in 2.8 (using masq).

If I can get this working correctly I will post configs for others to use.

[admin@mikroHome] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting in-interface=3-coxRes action=mark-routing new-routing-mark=coxres 
 1   chain=prerouting in-interface=2-sony action=mark-routing new-routing-mark=coxres 

[admin@mikroHome] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 1   chain=srcnat out-interface=3-coxRes action=masquerade 
 2   chain=srcnat out-interface=1-coxBiz action=masquerade 

[admin@mikroHome] ip route> print terse
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf 
 0 A S dst-address=10.10.10.0/24 gateway=10.10.10.1 interface=onboard-inside gateway-state=reachable distance=1 scope=255 target-scope=10 routing-mark=coxres 
 1 ADC dst-address=10.10.10.0/24 prefsrc=10.10.10.1 interface=onboard-inside scope=10 target-scope=0 
 2 A S dst-address=10.10.20.0/24 gateway=10.10.20.1 interface=4-hotty gateway-state=reachable distance=1 scope=255 target-scope=10 routing-mark=coxres 
 3 ADC dst-address=10.10.20.0/24 prefsrc=10.10.20.254 interface=4-hotty scope=10 target-scope=0 
 4 A S dst-address=10.10.30.0/24 gateway=10.10.30.1 interface=2-sony gateway-state=reachable distance=1 scope=255 target-scope=10 routing-mark=coxres 
 5 ADC dst-address=10.10.30.0/24 prefsrc=10.10.30.1 interface=2-sony scope=10 target-scope=0 
 6 ADC dst-address=68.8.24.0/23 prefsrc=68.8.25.137 interface=3-coxRes scope=10 target-scope=0 
 7 ADC dst-address=68.15.xx.xx/27 prefsrc=68.15.19.51 interface=1-coxBiz scope=10 target-scope=0 
 8 ADC dst-address=192.168.2.0/24 prefsrc=192.168.2.1 interface=wlan1 scope=200 target-scope=0 
 9 A S dst-address=0.0.0.0/0 gateway=68.15.19.33 interface=1-coxBiz gateway-state=reachable distance=1 scope=255 target-scope=10 
10 A S dst-address=0.0.0.0/0 gateway=68.8.24.1 interface=3-coxRes gateway-state=reachable distance=1 scope=255 target-scope=10 routing-mark=coxres

Thanks,
Sam

Can someone from MT confirm that policy routing is not completed in rc4? I am having troubles routing based on route-mark, and it seems in your manual there are options that are not in rc4 yet (nexthop, static route, etc).

http://www.mikrotik.com/docs/ros/2.9/ip/route

I am not able to route based on route-mark set on the mangle process. I don’t know if this is a config problem (posted above) or simply that it is not completed yet.

I will assume for now that policy routing is not complete in rc4 and quit working on it for now.

Sam

Thanks for the info, but shouldn’t the chain be input, not prerouting?

Tim

I’ve tried both and every other combination. Seems as though the mangle count is incrementing but it’s not taking the right route… so I think policy routing is ignoring route-marks in certain cases somehow.

Sam

If you read the docs for v2.9 it uses forward and mark-connection and mark-packet to mark P2P traffic.

http://www.mikrotik.com/docs/ros/2.9/ip/mangle

Tim

I read that already. I am not trying to use mangling to shape bandwidth, etc. I am trying to use policy routing using the new ‘new-routing-mark’ action. As I mentioned before, the old way of marking the connection and then the flow is outdated for policy routing I believe.

Sam

Let me re-word what the problem is after some testing last night. In Mangle I can set up new-route-mark when using a source IP address, and it will work. When I set up a mangle rule specifying an incoming interface only, it does not work. I need to mark all packets coming from one ISP to go out the same ISP. I should be able to new-route-mark anything coming in that interface so it will go back out that same interface, right? Worked in 2.8.

Sam