source routing

sergey · September 2, 2013, 9:50pm

Hello

I have 3 networks:
192.168.100.0/24 (LAN1)
192.168.101.0/24 (LAN2)
192.168.102.0/24 (LAN3)

There is an interface 192.168.100.1/22 on the router. Also there are 3 ISP connected to the router.
The policy must be:

LAN1 uses 1st available connection
LAN2 always goes via 2nd ISP
LAN3 always goes via 3rd ISP

Configuration:

/ip firewall mangle
add action=mark-connection chain=forward in-interface=bridge-lan new-connection-mark=from_lan2 src-address=192.168.101.0/24
add action=mark-connection chain=forward in-interface=bridge-lan new-connection-mark=from_lan3 src-address=192.168.102.0/24
add action=mark-routing chain=prerouting connection-mark=from_lan2 in-interface=bridge-lan new-routing-mark=to_isp2
add action=mark-routing chain=prerouting connection-mark=from_lan3 in-interface=bridge-lan new-routing-mark=to_isp3

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8 src-address=192.168.100.0/22
add action=masquerade chain=srcnat out-interface=ether9 src-address=192.168.100.0/22
add action=masquerade chain=srcnat out-interface=ether10 src-address=192.168.100.0/22

/ip route
add distance=1 gateway=109.86.229.254 routing-mark=to_isp1
add distance=1 gateway=37.229.191.254 routing-mark=to_isp2
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=1 dst-address=8.8.4.4/32 gateway=37.229.191.254 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=109.86.229.254 scope=10

ISP3 disconnected at the moment (there is no route to it)

The problem that clients from LAN2 (192.168.101.0/24) do not have access to Inet. Bit if I disconnect cable connected to ISP1, Inet becomes available for LAN1 and LAN2.

/ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          109.86.229.254            1
 1 A S  0.0.0.0/0                          37.229.191.254            1
 2 A S  0.0.0.0/0                          8.8.8.8                   1
 3   S  0.0.0.0/0                          8.8.4.4                   2
 4 A S  8.8.4.4/32                         37.229.191.254            1
 5 A S  8.8.8.8/32                         109.86.229.254            1
 6 ADC  37.229.128.0/18    37.229.156.88   ether9                    0
 7 ADC  109.86.229.0/24    109.86.229.211  ether8                    0
 8 ADC  192.168.100.0/22   192.168.100.1   bridge-lan                0

Any ideas what it may be?

Thanks!

pcunite · September 3, 2013, 3:28am

Verify that ping actually might still be working which would cause the expected action to fail.

sergey · September 3, 2013, 8:03am

You are right. Ping does work.

sergey · September 3, 2013, 9:43pm

It is final configuration with 3rd connection but it still does not work as expected

/ip route
add distance=1 gateway=109.86.229.254 routing-mark=to_isp1
add distance=1 gateway=37.229.191.254 routing-mark=to_isp2
add distance=1 gateway=192.168.252.1 routing-mark=to_isp3
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=3 gateway=192.168.252.1
add distance=1 dst-address=8.8.4.4/32 gateway=37.229.191.254 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=109.86.229.254 scope=10

pcunite · September 4, 2013, 1:48pm

Have you read this?

http://mum.mikrotik.com/presentations/US12/tomas.pdf

sergey · September 4, 2013, 2:15pm

I have read the doc quickly. Thanks.

Do you mean to use different routing tables? main for directly connected networks:

add distance=1 gateway=109.86.229.254 routing-mark=to_isp1
add distance=1 gateway=37.229.191.254 routing-mark=to_isp2
add distance=1 gateway=192.168.252.1 routing-mark=to_isp3

and create other table for dgw:

add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=1 dst-address=8.8.4.4/32 gateway=37.229.191.254 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=109.86.229.254 scope=10

?

sergey · September 4, 2013, 9:06pm

I have replaced

add action=mark-connection chain=forward in-interface=bridge-lan new-connection-mark=from_lan2 src-address=192.168.101.0/24
add action=mark-connection chain=forward in-interface=bridge-lan new-connection-mark=from_lan3 src-address=192.168.102.0/24

by

add action=mark-connection chain=prerouting in-interface=bridge-lan new-connection-mark=from_lan2 src-address=192.168.101.0/24
add action=mark-connection chain=prerouting in-interface=bridge-lan new-connection-mark=from_lan3 src-address=192.168.102.0/24

(changed forward chain to prerouting chain) in mangletable and everyting seems fine

Thanks all for help!

pcunite · September 4, 2013, 11:33pm

Awesome!

Here is a cool link about chains that I’m reading very slowly. I’m finding it helpful in addition to the official packet flow diagrams MikroTik provides.

sergey · September 5, 2013, 8:39am

Thanks for the useful links.

I know about packet flow in iptables and use this diagram but unfortunately I forget some things periodically like this time.
But official MikroTik packet flow diagram is awesome! Thank you very much for it!