Routing and mangle

pablomar · February 11, 2021, 2:50pm

I have 2 ISP, one for employes and other for “guest” users. Nat for employes working fine going on ISP1, but when I try to setup the guest NAT to go on ISP 2, I can’t make it work with mangle.

I’ve doing this config in other routers with no problems

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=Invitados passthrough=no src-address=172.17.10.0/24
/ip route
add distance=1 gateway=186.190.200.129 routing-mark=Invitados
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - Coyspu" routing-mark=Invitados src-address=172.17.10.0/24

Now I make it work adding a route rule (making mangle unnecessary), but I can’t figure out why mangle isn’t working

/ip route rule
add interface=bridge_invitados src-address=172.17.10.0/24 table=Invitados

Anybody can help? I missing something?

anav · February 11, 2021, 6:26pm

Why do you need to mangle anything…
If ISP 1 is the main ISP for business uses… for MAIN LAN.
and ISP 2 is the secondary ISP for guest … GUEST LAN lets say subnet 192.168.0.0/24 or vlan40 (not sure what you have setup for guest users).

Just add a third route in the routing table.

You should have two routes already.
MAIN ROUTE ISP1 lets say distance=5
MAIN ROUTE ISP2 lets say distance=10

In this way any new traffic on either LAN will automatically go out ISP1
Now add a third route

Step1
MAIN ROUTE ISP2 distance=10 ROUTING MARK=GuestUsers

Now add a routing rule
Step 2
[either]Source address=192.168.0.0/24
[or) Interface=vlan40
Action: Lookup Only in Table
Table: GuestUsers (pull down option)

Thats it!! What this tells the router is that for any outgoing traffic from the prescribed source address or interface use the Third Routing Rule for guest users.

sindy · February 13, 2021, 6:12pm

Have you disabled the action=fasttrack-connection rule in chain forward of /ip firewall filter on this router? Fasttracked connections bypass mangle rules (and a whole lot of other packet handling steps, skipping them is the essence of fasttracking). /ip route rule items are not skipped by fasttracking, which makes them a better choice for simple policy routing tasks.

msatter · February 13, 2021, 6:47pm

You do not need the marking in Mangle because NAT is doing the work here and you don’t need the extra marking.

https://wiki.mikrotik.com/wiki/Manual%3AIP/Firewall/NAT#Masquerade_2

Marking is needed if both ISP gateway’s are on the same ether port.

anav · February 14, 2021, 7:33pm

Whatsa matter, msatter?? Lost the bubble LOL?

Natting has nothing to do with routing. I even know that you have to tell the router damn well near everything on this godforsaken wet dream OS for mkx and others…

Perhaps I am the one with loose marbles LOL. I thought NATTING was to tell the router, for outgoing traffic on this ISP, please attach the public IP of this WAN to outgoing traffic and when the traffic returns I will know where to send it etc…
The routing tells the router, hey traffic coming from this source needs to go out this ISP.

Two different functions…right?

msatter · February 14, 2021, 9:08pm

My Dreambox satellite receivers are running DreamOS

pablomar · February 17, 2021, 12:56pm

Thanks, I made other instalations using mangle for this, but in this router a cant make it to work, now is working using a route rule.
Is not a installation made by mi from scratch, I’ll continue looking.

anav · February 17, 2021, 6:04pm

So lets summarize ;-)))
msatter:0, anav:1