celyr
October 25, 2022, 9:07am
1
Hello!
I’m trying to set up recursive routing for WAN failover.
I have one pppoe connection and the other one via a local router.
This is the configuration:
/routing/table
add fib name=to_PPPOE
add fib name=to_Router
/ip/firewall/mangle
add chain=output connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=PPPOE_conn out-interface=PPPOE
add chain=output connection-mark=PPPOE_conn action=mark-routing new-routing-mark=to_PPPOE out-interface=PPPOE
add chain=output connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=Router_conn out-interface=Router
add chain=output connection-mark=Router_conn action=mark-routing new-routing-mark=to_Router out-interface=Router
/ip/route/
add dst-address=8.8.8.8 scope=10 gateway=PPPOE_router
add dst-address=1.1.1.1 scope=10 gateway=Router_router
/ip/route/
add distance=1 gateway=8.8.8.8 routing-table=to_PPPOE target-scope=11 check-gateway=ping
add distance=2 gateway=1.1.1.1 routing-table=to_PPPOE target-scope=11 check-gateway=ping
/ip/route/
add distance=1 gateway=1.1.1.1 routing-table=to_Router target-scope=11 check-gateway=ping
add distance=2 gateway=8.8.8.8 routing-table=to_Router target-scope=11 check-gateway=ping
But when I set it up and remove the default routes, it allows me to ping only 1.1.1.1 and 8.8.8.8; it doesn’t work for anything else (for example 8.8.4.4), it times out most of the time.
Any suggestions, or anything I’m missing? I tried rebooting the routerboard (I have an RB3011UiAS with RouterOS 7.5) but the problem is still there.
Thanks
celyr
October 25, 2022, 10:23pm
2
I don’t exactly know what was wrong in this configuration.
It comes from the official MikroTik documentation website and it’s not working.
This works:
/ip/route/
add dst-address=1.1.1.1 scope=10 gateway=GW1
add distance=1 gateway=1.1.1.1 target-scope=11 check-gateway=ping
/ip/route/
add dst-address=8.8.8.8 scope=10 gateway=GW2
add distance=2 gateway=8.8.8.8 target-scope=11 check-gateway=ping
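An added checker, written for this thread and not code from the posters or from MikroTik, that parses `/ip route` lines as written above and tests two things RouterOS needs for a recursive route to be usable: the nexthop must resolve in the main table through a route whose scope is at most the recursive route's target-scope and that itself points at an interface, and unmarked traffic needs a default route in the main table. On the first post's routes it reports only the missing main-table default route; on the routes from the second post it reports nothing.

```python
import ipaddress

def parse_routes(text):
    """Parse `add key=value ...` lines of a RouterOS /ip/route section into dicts with
    RouterOS defaults filled in (simplified: quoted values containing spaces unsupported)."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            r = dict(kv.split("=", 1) for kv in line[4:].split())
            r.setdefault("dst-address", "0.0.0.0/0")
            r.setdefault("routing-table", "main")
            r.setdefault("scope", "30")
            r.setdefault("target-scope", "10")
            routes.append(r)
    return routes

def _is_ip(value):
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False

def check_failover(text):
    """Return the problems found; an empty list means both conditions hold."""
    routes = parse_routes(text)
    main = [r for r in routes if r["routing-table"] == "main"]
    problems = []
    if not any(r["dst-address"] == "0.0.0.0/0" for r in main):
        problems.append("no default route in the main table")
    for r in routes:
        gw = r["gateway"]
        if not _is_ip(gw):
            continue  # interface gateway (pppoe-out1, ether2, ...): nothing to resolve
        # recursive nexthop: resolved in main via a covering route with scope <= our target-scope
        resolvers = [m for m in main if not _is_ip(m["gateway"])
                     and ipaddress.ip_address(gw) in ipaddress.ip_network(m["dst-address"], strict=False)
                     and int(m["scope"]) <= int(r["target-scope"])]
        if not resolvers:
            problems.append(f"gateway {gw} of route to {r['dst-address']} ({r['routing-table']}) is unresolvable")
    return problems

# Constructed inputs copied from the thread: first post's to_PPPOE routes (BROKEN), second post's (WORKING).
BROKEN = """add dst-address=8.8.8.8 scope=10 gateway=PPPOE_router
add dst-address=1.1.1.1 scope=10 gateway=Router_router
add distance=1 gateway=8.8.8.8 routing-table=to_PPPOE target-scope=11 check-gateway=ping
add distance=2 gateway=1.1.1.1 routing-table=to_PPPOE target-scope=11 check-gateway=ping"""
WORKING = """add dst-address=1.1.1.1 scope=10 gateway=GW1
add distance=1 gateway=1.1.1.1 target-scope=11 check-gateway=ping
add dst-address=8.8.8.8 scope=10 gateway=GW2
add distance=2 gateway=8.8.8.8 target-scope=11 check-gateway=ping"""
```

Calling `check_failover(BROKEN)` returns `['no default route in the main table']` and `check_failover(WORKING)` returns `[]`; a host route whose scope exceeds the recursive route's target-scope is reported as unresolvable.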
shalak
February 14, 2023, 3:53am
3
Have you ever figured out what was wrong? I’m facing similar issues, and I fully understand the way you set it up - this is the exact way The Network Berg showed in his video. But I don’t get the “official way” (and it also doesn’t work, just like for you).
anav
June 24, 2024, 9:45pm
4
(1) Tables seem OKAY.
/routing/table
add fib name=to_PPPOE
add fib name=to_Router
(2) Mangles: WHY? You do not say, and thus the limited snippets you present have no context and it’s rather lame…
But the most common reason is for traffic to the router itself, perhaps vpn etc…
/ip/firewall/mangle
add chain=input action=mark-connection connection-mark=no-mark in-interface=PPPOE
new-connection-mark=PPPOE_conn passthrough=yes
add chain=input action=mark-connection connection-mark=no-mark in-interface=ether2???
new-connection-mark=WAN2_conn passthrough=yes
+++++++++++++++++++++++++
add chain=prerouting action=mark-routing connection-mark=PPPOE_conn
new-routing-mark=to_PPPOE passthrough=no
add chain=prerouting action=mark-routing connection-mark=WAN2_conn
new-routing-mark=to_Router passthrough=no
If it’s for another reason… how the heck should we know???
We also need proper routes,
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12 comment=ISP1
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 target-scope=12 comment=ISP2
+++++++++++
add distance=1 dst-address=1.1.1.1/32 gateway=pppoe-out1 routing-table=main scope=10 target-scope=11
add distance=2 dst-address=8.8.8.8/32 gateway=gwyISP2 routing-table=main scope=10 target-scope=11
Now we need special table routes.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=to_PPPOE
add dst-address=0.0.0.0/0 gateway=gwyISP2 routing-table=to_Router
NOTE: ENSURE that for the IP DNS servers you use different ones than the recursive ones, so use 8.8.4.4 and 9.9.9.9 for example.
anav
June 24, 2024, 9:47pm
5
If you are mangling for port forwarding reason, then you can ignore the mangling above and focus on the below:
/ip firewall address-list
add address=server1/32 list=MyServers
add address=server2/32 list=MyServers
etc…
/ip/firewall/mangle
add chain=forward action=mark-connection connection-mark=no-mark in-interface=PPPOE
new-connection-mark=PPPOE_conn dst-address=192.168.1.0/24 passthrough=yes
add chain=forward action=mark-connection connection-mark=no-mark in-interface=ether2???
new-connection-mark=WAN2_conn dst-address=192.168.1.0/24 passthrough=yes
+++++++++++++++++++++++++
add chain=prerouting action=mark-routing connection-mark=PPPOE_conn
src-address-list=MyServers new-routing-mark=to_PPPOE passthrough=no
add chain=prerouting action=mark-routing connection-mark=WAN2_conn
src-address-list=MyServers new-routing-mark=to_Router passthrough=no
My conf may not be ideal, but it works fine in my opinion.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=myconf interface=ether1 list=WAN
add comment=myconf interface=lte1 list=WAN
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1 verify-doh-cert=yes
/routing table
add disabled=no fib name=ISP1
add disabled=no fib name=ISP2
/ip firewall mangle
add action=accept chain=prerouting comment="allow usage of default routing tab\
le for traffic to ISP1 connected networks" dst-address=192.168.178.0/24 \
in-interface=bridge
add action=accept chain=prerouting comment="allow usage of default routing tab\
le for traffic to ISP2 connected networks" dst-address=192.168.0.0/24 \
in-interface=bridge
add action=mark-connection chain=prerouting comment=\
"all new connections from ISP1 marked with ISP1-Conn" connection-mark=\
no-mark connection-state=new in-interface=ether1 new-connection-mark=\
ISP1-Conn passthrough=yes src-address-type=""
add action=mark-connection chain=prerouting comment=\
"all new connections from ISP2 marked with ISP2-Conn" connection-mark=\
no-mark connection-state=new in-interface=lte1 new-connection-mark=\
ISP2-Conn passthrough=yes src-address-type=""
add action=mark-routing chain=output comment=\
"route ISP1 connections back through ISP1" connection-mark=ISP1-Conn \
new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=output comment=\
"route ISP2 connections back through ISP2" connection-mark=ISP2-Conn \
new-routing-mark=ISP2 passthrough=no
add action=mark-connection chain=prerouting comment=\
"divide traffic from LAN into two groups ISP1" connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=bridge \
new-connection-mark=ISP1-Conn passthrough=yes per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting comment=\
"divide traffic from LAN into two groups ISP2" connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=bridge \
new-connection-mark=ISP2-Conn passthrough=yes per-connection-classifier=\
src-address-and-port:2/1
add action=mark-routing chain=prerouting comment=\
"route ISP1 connections through ISP1" connection-mark=ISP1-Conn \
in-interface=bridge new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting comment=\
"route ISP2 connections through ISP2" connection-mark=ISP2-Conn \
in-interface=bridge new-routing-mark=ISP2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat comment="myconf: DNS redirect" dst-port=53 \
in-interface-list=LAN protocol=tcp to-addresses=192.168.188.1
add action=redirect chain=dstnat comment="myconf: DNS redirect" dst-port=53 \
in-interface-list=LAN protocol=udp to-addresses=192.168.188.1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.178.1 \
pref-src="" routing-table=ISP1 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
pref-src="" routing-table=ISP2 scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
4.2.2.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=12
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
4.2.2.2 pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=12
add disabled=no distance=1 dst-address=4.2.2.1/32 gateway=192.168.178.1 \
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=11
add disabled=no distance=2 dst-address=4.2.2.2/32 gateway=192.168.0.1 \
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=11
/queue type
add kind=fq-codel name=fq-codel
add kind=cake name=cake
/queue simple
add comment="ISP1 download/upload limit" dst=ether1 max-limit=10M/30M name=\
queue-ISP1 queue=fq-codel/fq-codel target=bridge total-queue=fq-codel
add comment="ISP2 download/upload limit" dst=lte1 max-limit=30M/50M name=\
queue-ISP2 queue=fq-codel/fq-codel target=bridge total-queue=fq-codel
anav
June 29, 2024, 1:44pm
7
Looks okay; I would be a bit more accurate in the descriptions.
(1) For example, the first two rules seem to be for the purpose of allowing traffic between connected networks on the router.
I would personally do it this way
/ip firewall address-list
add address=LANsubnetA list=Connected
add address=LANsubnetB list=Connected
etc…
add address=ISPsubnet1 list=Connected
add address=ISPsubnet2 list=Connected
Mangle rule
add action=accept chain=prerouting dst-address-list=Connected src-address-list=Connected
(2) The second set of rules should be clearly stated in terms of purpose. The purpose is to ensure traffic heading TO the router is returned via the same ISP.
Input chain and output chain are accurate (prerouting and output also work but are not as accurate).
There is no need to state connection-state=new (it adds nothing to the configuration or traffic flow).
(3) The mangles for PCC are pretty standard. Again, connection-state=new is NOT required. I personally use different connection marks.
Mainly because if there are issues and you want to log, sniff and see traffic flow, you will not be able to distinguish the connection marks from two completely different routing processes.
Finally, in the routing mangles for PCC, there is no need to state in-interface=bridge; it adds nothing in your context.
(4) Looking at routes… seems fine as well. I personally would not use both 4.2.2.1 and 4.2.2.2 as, if that DNS entity has an outage, likely both could be down, so use independent DNS checkers such as 9.9.9.9 for ISP2, as that is the point of recursive anyway…