route ip to specific gateway

Guys,

I am using RouterOS 6.43.7.

I have two ISPs, and I want to route the traffic from one IP address in my LAN (192.168.1.28) to ISP2, while maintaining all other communication through ISP1.

I have searched these forums and tried setting mangle rules, but I cannot make the traffic from said IP go through ISP2.

This is the code I found and used. My interfaces are connected as a bridge, as per the default setting of RouterOS.

/ ip firewall mangle
add chain=prerouting dst-address=100.171.114.216/29 action=accept in-interface=bridge
add chain=prerouting dst-address=192.168.88.0/24 action=accept in-interface=bridge
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn

add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local src-address=192.168.1.28 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=bridge action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=bridge action=mark-routing new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-mark=to_ISP1
add dst-address=0.0.0.0/0 gateway=100.171.114.217 routing-mark=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.168.88.1 distance=1
add dst-address=0.0.0.0/0 gateway=100.171.114.217 distance=2

/ ip firewall nat
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade

Hey

Try this:

  • ISP1 is default → no need to mangle for it
/ ip firewall mangle
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local src-address=192.168.1.28 action=mark-connection new-connection-mark=ISP2_conn passthrough=yes
add chain=prerouting connection-mark=ISP2_conn in-interface=bridge action=mark-routing new-routing-mark=to_ISP2

/ ip route
add dst-address=0.0.0.0/0 gateway=100.171.114.217 routing-mark=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.168.88.1 distance=1
add dst-address=0.0.0.0/0 gateway=100.171.114.217 distance=2

/ ip firewall nat 
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade

If it’s specifically 1 LAN IP that gets to use ISP2 exclusively, then you could skip the connection-marking and just apply routing marks.

Do you mean simply
add chain=prerouting in-interface=bridge src-address=(singleLANIP) dst-address-type=!local action=mark-routing new-routing-mark=to_ISP2

Yes, it's one less rule, but is it more efficient??

I doubt it. If ISP2 is exclusive to the webserver, I'd think of this as a one-to-one NAT where all but HTTP is firewalled. If thinking of this as a one-to-one NAT, it feels a bit more semantic to not have connection-marking rules. If I were familiarizing myself with the config and at first glance I saw connection-marking rules, it would make me think there is load balancing or failover.

Well, the real question is how you can route-mark nothing, LOL?
The other methods include identifying traffic either as packets or as connections (more efficient).

The order of rules is clearly wrong. Add the implicit src-address and look at it:

/ip firewall mangle
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local src-address=<any> action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local src-address=192.168.1.28 action=mark-connection new-connection-mark=ISP2_conn

So the first packet from 192.168.1.28 arrives and, guess what, the first rule matches and the connection gets the mark ISP1_conn. The next rule will be checked too, but connection-mark=no-mark no longer matches. Swap the rules and connections from 192.168.1.28 will get the ISP2_conn mark as you want.

That's nothing against what others wrote; if this is everything you need, it can be achieved using a smaller config. I'm just pointing out an obvious mistake.
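To make the rule-order point above concrete, here is an added example (not from the thread and not RouterOS code) that models how the prerouting mangle chain walks the four rules from the original post: mark-* actions default to passthrough=yes, and connection-mark=no-mark only matches a connection nobody has marked yet. It assumes every packet enters on the bridge toward a non-local destination, so the in-interface and dst-address-type matchers are left out; the Rule/Packet names are my own.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                            # "mark-connection" or "mark-routing"
    new_mark: str
    src_address: Optional[str] = None      # None = the implicit src-address=<any>
    connection_mark: Optional[str] = None  # "no-mark" = only still-unmarked connections
    passthrough: bool = True               # RouterOS mark-* actions default to passthrough=yes

@dataclass
class Packet:                              # first packet of a new connection (constructed input)
    src: str
    conn_mark: Optional[str] = None
    routing_mark: Optional[str] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_address is not None and rule.src_address != pkt.src:
        return False
    if rule.connection_mark == "no-mark":
        return pkt.conn_mark is None       # fails once an earlier rule has marked the connection
    if rule.connection_mark is not None:
        return pkt.conn_mark == rule.connection_mark
    return True

def run_chain(rules: List[Rule], pkt: Packet) -> Packet:
    """Top-to-bottom walk; with passthrough=yes a match does not stop evaluation."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "mark-connection":
            pkt.conn_mark = rule.new_mark
        elif rule.action == "mark-routing":
            pkt.routing_mark = rule.new_mark
        if not rule.passthrough:
            break
    return pkt

# The connection- and routing-marking rules from the original post.
MARK_ANY_ISP1 = Rule("mark-connection", "ISP1_conn", connection_mark="no-mark")
MARK_HOST_ISP2 = Rule("mark-connection", "ISP2_conn", src_address="192.168.1.28", connection_mark="no-mark")
ROUTE_ISP1 = Rule("mark-routing", "to_ISP1", connection_mark="ISP1_conn")
ROUTE_ISP2 = Rule("mark-routing", "to_ISP2", connection_mark="ISP2_conn")

ORIGINAL_ORDER = [MARK_ANY_ISP1, MARK_HOST_ISP2, ROUTE_ISP1, ROUTE_ISP2]  # catch-all first: wrong
FIXED_ORDER = [MARK_HOST_ISP2, MARK_ANY_ISP1, ROUTE_ISP1, ROUTE_ISP2]     # specific host first

def routing_mark_for(rules: List[Rule], src: str) -> Optional[str]:
    return run_chain(rules, Packet(src=src)).routing_mark  # e.g. ORIGINAL_ORDER, .28 -> "to_ISP1"
```

With the posted order, 192.168.1.28 ends up with to_ISP1 because the catch-all rule consumed the no-mark state first; with the host rule moved above it, the same packet gets to_ISP2 and every other LAN host still gets to_ISP1.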