Special route to the internet for specific Ports/IPs/MACs

danilabagroff · March 22, 2018, 11:27am

Hi community!

I need a hand with my Mikrotiks. Thank you in advance.
I have two RB2011UiAS(A, B) in the same network(ISP’s network).

Router A
ether1(WAN): 10.33.126.100, gw 10.33.126.1
Local network: 10.1.0.0/24

Router B
ether1(WAN): 10.33.126.101, gw 10.33.126.1
Local network: 10.3.0.0/24
Significant machines in the local network are connected to ether2(10.3.0.11), ether3(10.3.0.12), ether4(10.3.0.13), ether5(10.3.0.14)

Between A and B I setup GRE tunnel (A: 172.16.0.1, B: 172.16.0.2)

Finally, What I need to achieve:
Machines on ether2, ether3, ether4 and 5(or by their IP addresses, MACs) have to go to the Internet via RouterA(172.16.0.1), but at the same time they have to use others routes in the table to reach 10.7.0.0/24(OpenVPN network via default ISP gw) and 10.2.0.0/24(via OpenVPN gw).

Should I better make a scheme?

Anumrak · March 22, 2018, 11:40am

Just make static routing to exact destinations?

danilabagroff · March 22, 2018, 12:33pm

You mean I need to change default route for these machines to 172.16.0.1 and other routes make static?
If so I do not see how to make a route in webfig just for specific sources.

solar77 · March 22, 2018, 1:41pm

add distance=1 dst-address=0.0.0.0/0  gateway=172.16.0.1
add distance=1 dst-address=10.7.0.0/24  gateway=10.33.126.1
add distance=1 dst-address=10.2.0.0/24  gateway=10.33.126.1

this is on Router B, IP, Route

danilabagroff · March 22, 2018, 1:53pm

add distance=1 dst-address=0.0.0.0/0  gateway=172.16.0.1
add distance=1 dst-address=10.7.0.0/24  gateway=10.33.126.1
add distance=1 dst-address=10.2.0.0/24  gateway=10.33.126.1

this is on Router B, IP, Route

Thank you! But I need these routes just for specific machines, not for all from B’s network.

solar77 · March 22, 2018, 2:09pm

Ok, then you will have to mark routing in Firewall, Mangle

then create routing rules so those with specific routing mark goes to a particular gateway:
it would be something like this

add disabled=no distance=1 gateway=ATS routing-mark=ATS

danilabagroff · March 22, 2018, 5:47pm

Oh, this is exactly what I need
Which chain should I choose: output or prerouting?

solar77 · March 22, 2018, 6:23pm

prerouting chain

danilabagroff · March 22, 2018, 6:53pm

Something is not right

Mangle

/ip firewall mangle print
 chain=prerouting action=mark-routing new-routing-mark=FWAN passthrough=yes in-interface=bridge log=no log-prefix=""

Routing table

/ip route print  
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 X S  0.0.0.0/0                          gw1-tun                   1
 1 ADS  0.0.0.0/0                          10.33.126.1               1
 2   S  10.1.0.0/24                        10.7.0.1                  1
 3   S  10.2.0.0/24                        10.7.0.2                  1
 4 ADC  10.3.0.0/24        10.3.0.1        bridge                    0
 5 ADC  172.16.1.0/30      172.16.1.2      gw1-tun                   0

GRE tunnel

/interface gre> print 
Flags: X - disabled, R - running 
 0  R name="gw1-tun" mtu=auto actual-mtu=1476 local-address=0.0.0.0 remote-address=10.33.92.196 keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no 
      allow-fast-path=yes

solar77 · March 22, 2018, 8:18pm

place your mangle rule at top, passthrough=no and set source IP to the PC you wish to route to FWAN. From that PC you can then test if this works.
enable log on the rule so you can watch the packet and make sure it goes out to the correct gateway.

I’d use Ip address instead of interface as Gateway.

I’ve not used GRE tunnel before but if it is like PPP, you will have ensure172.16.0.0/30 on Router A is masqurated as well.