Hello!
On CCR1009-8G-1S-1S+, v6.34.6, have a config:
/ip address
add address=1.1.1.209/29 interface="eth1-ISP1" network=1.1.1.208 comment="ISP1 29 block, first IP"
add address=1.1.1.210/29 interface="eth1-ISP1" network=1.1.1.208 comment="ISP1 29 block, second IP"
add address=2.2.2.209/32 interface="ISP2(pppoe)" comment="ISP2 global IP"
add address=192.168.201.2/24 interface=LAN-LACP1 network=192.168.201.0 comment="router LAN net, connected to L3 switch"
Routing rules
Pppoe distance = 1, ISP2-pppoe is default out, ISP1 for service only
/ip route
add distance=1 gateway=1.1.1.214 pref-src=1.1.1.209 routing-mark=ISP1
add distance=1 gateway="ISP2(pppoe)" routing-mark=ISP2
add comment="static IPS1" distance=2 gateway=1.1.1.214 pref-src=1.1.1.209
add comment="default, dynamic pppoe IPS2" distance=1 gateway=10.10.10.1 pref-src=2.2.2.209
add comment="to LAN, L3 switch" distance=1 dst-address=192.168.0.0/16 gateway=192.168.201.1
/ip route rule
add action=lookup disabled=no dst-address=1.1.1.208/29 !interface !routing-mark !src-address table=main
add action=lookup disabled=no dst-address=2.2.2.209/32 !interface !routing-mark !src-address table=main
add action=lookup disabled=no dst-address=192.168.0.0/16 !interface !routing-mark !src-address table=main
add action=lookup disabled=no !dst-address !interface !routing-mark src-address=1.1.1.208/29 table=ISP1
add action=lookup disabled=no !dst-address !interface !routing-mark src-address=2.2.2.209/32 table=ISP2
add action=lookup disabled=no !dst-address !interface routing-mark=ISP1 !src-address table=ISP1
add action=lookup disabled=no !dst-address !interface routing-mark=ISP2 !src-address table=ISP2
add action=lookup comment=srv1 disabled=no !dst-address !interface !routing-mark src-address=192.168.100.2/32 table=ISP1
add action=lookup comment=srv2 disabled=no !dst-address !interface !routing-mark src-address=192.168.100.3/32 table=ISP1
add action=lookup comment=srv3 disabled=no !dst-address !interface !routing-mark src-address=192.168.100.4/32 table=ISP1
NAT and mangle for service RDP on ISP1 channel!
/ip firewall nat
add action=src-nat chain=srcnat comment="RDP station src-nat" out-interface="eth1-ISP1" protocol=tcp src-address=192.168.100.100 src-port=3389 to-addresses=1.1.1.210
add action=dst-nat chain=dstnat comment="RDP station on second IP dst-nat" dst-address=1.1.1.210 dst-port=3389 in-interface="eth1-ISP1" protocol=tcp to-addresses=192.168.100.100 to-ports=3389
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark dst-address=192.168.100.100 dst-port=3389 new-connection-mark=rdp-connection out-interface=LAN-LACP1 protocol=tcp comment="RDP mark connection that forwarded to LAN"
add action=mark-packet chain=forward connection-mark=rdp-connection in-interface="eth1-ISP1" new-packet-mark=rdp-packet-wan1 passthrough=no comment="mark downloaded through WAN1->LAN"
add action=mark-packet chain=forward connection-mark=rdp-connection in-interface="ISP2(pppoe)" new-packet-mark=rdp-packet-wan2 passthrough=no comment="mark downloaded through PPPoE->LAN"
add action=mark-packet chain=postrouting connection-mark=rdp-connection new-packet-mark=rdp-packet-upld out-interface=!LAN-LACP1 passthrough=no comment="mark packets from LAN to-> !LAN(i.e. out/uploaded through WAN1 or WAN2)"
Queue tree use HTB Interface. catch RDP packets
/queue tree
add max-limit=2G name=LAN-download parent=LAN-LACP1 queue=default comment="download queue on LAN interface, but we have two ISP"
add limit-at=19M max-limit=19M name=WAN1-download parent=LAN-download priority=1 queue=default comment="Download limit-at for ISP1"
add limit-at=100k max-limit=2M name=rdp-download-wan1 packet-mark=rdp-packet-wan1 parent=WAN1-download priority=3 comment="Queue for rdp connection. dst-nat configure only for ISP1 at now"
add limit-at=94M max-limit=94M name=WAN2-download parent=LAN-download queue=default comment="Download limit-at for ISP2"
add limit-at=100k max-limit=2M name=rdp-download-wan2 packet-mark=rdp-packet-wan2 parent=WAN2-download priority=3 comment="queue for RDP throught ISP2, not in use now"
add max-limit=19M name=WAN1-upload parent="eth1-ISP1" queue=default comment="catch upload ISP1 on ethernet interface"
add limit-at=100k max-limit=2M name=rdp-upload-wan1 packet-mark=rdp-packet-upld parent=WAN1-upload priority=3 comment="RDP on ISP1 in use, BUT not catch traffic!"
add max-limit=94M name=WAN2-upload parent="ISP2(pppoe)" queue=default comment="catch upload on ISP2 pppoe interface"
add limit-at=100k max-limit=2M name=rdp-upload-wan2 packet-mark=rdp-packet-upld parent=WAN2-upload priority=3 comment="RDP on ISP2 not in use, BUT queue have a traffic!"
Real traffic go through ISP1!
But default route for RDP station is ISP2 (I’am not use mark routing rules, only PBR)!
Routing work fine. Connect to RDP station _ISP1(second IP)->dst-nat->LAN->rdp-statio_n and from rdp-station->LAN->src-nat->ISP1(second IP), but queue tree on Interface upload has incorrect way, through ISP2 upload queue! Look at the avg.rate on screen
It’s in routing rules some mistakes?? Use HTB global, HTB interface or use simple queue ? Need best practices!
How to correctly configure routing rules for few ISP, use or not routing mark?
Have a good day!