Community discussions

MikroTik App
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

RouterOS - Route traffic through specific gateway problem

Mon Jul 08, 2019 10:10 am

Hi guys,

I'm in front of this working configuration:
/ip address
add address=10.24.14.1/23 disabled=no interface=LAN network=10.24.14.0
add address=10.4.14.2/24 disabled=no interface=WAN1 network=10.4.14.0
add address=10.30.52.242/24 disabled=no interface=WAN2 network=10.30.52.0
add address=10.1.1.2/24 disabled=no interface=WAN2 network=10.1.1.0

/ip firewall filter
add action=accept chain=input disabled=no dst-address=10.30.52.242 dst-port=\
    8080 in-interface=WAN2 protocol=tcp
add action=accept chain=output disabled=no out-interface=WAN2 protocol=tcp \
    src-address=10.24.14.21 src-port=8080

/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no in-interface=WAN1 \
    new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=prerouting disabled=no in-interface=WAN2 \
    new-connection-mark=WAN2_connection passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
    disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_connection \
    disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_connection \
    disabled=no new-routing-mark=to_WAN2 passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=10.24.14.0/23
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=dst-nat chain=dstnat disabled=no dst-address=10.30.52.242 \
    dst-port=8080 in-interface=WAN1 protocol=tcp to-addresses=10.24.14.21 \
    to-ports=8080
add action=dst-nat chain=dstnat disabled=no dst-address=10.30.52.242 \
    dst-port=8080 in-interface=WAN2 protocol=tcp to-addresses=10.24.14.21 \
    to-ports=8080

/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.30.52.1 \
    routing-mark=to_WAN2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 \
    target-scope=10
add disabled=no distance=1 dst-address=10.2.60.59/32 gateway=10.1.1.138 \
    scope=30 target-scope=10
add comment=ROUTE1 disabled=no distance=1 dst-address=10.50.14.0/24 gateway=\
    10.30.52.1 scope=30 target-scope=10
add comment=ROUTE2 disabled=no distance=1 dst-address=10.50.14.80/32 \
    gateway=10.30.52.1 scope=30 target-scope=10
add comment=ROUTE3 disabled=no distance=1 dst-address=10.50.147.11/32 \
    gateway=10.30.52.1 scope=30 target-scope=10
add comment=ROUTE4 disabled=no distance=1 dst-address=10.50.147.16/32 \
    gateway=10.30.52.1 scope=30 target-scope=10
add comment=ROUTE5 disabled=no distance=1 dst-address=10.19.25.0/24 \
    gateway=10.30.52.1 scope=30 target-scope=10
add comment=ROUTE6 disabled=no distance=1 dst-address=84.225.251.238/32 \
    gateway=10.30.52.1 scope=30 target-scope=10
When I try to add this in ip/route:
add disabled=no distance=1 dst-address=10.2.60.59/32 gateway=10.1.1.138 scope=30 target-scope=10
the packets never reach the selected gateway (10.1.1.138). All the other routes are working fine. I cant really see what seems to be the problem. Can anyone help please?

*** Note ***
10.30.52.242/24 Network -> Gateway: 10.30.52.1
10.1.1.2/24 Network -> Gateway: 10.1.1.138
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1648
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: RouterOS - Route traffic through specific gateway problem

Tue Jul 09, 2019 1:17 am

try adding Routing-Mark=to_Wan2 to the route you are trying to add
MTCNA, MTCTCE, MTCRE & MTCINE
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - Route traffic through specific gateway problem

Tue Jul 09, 2019 8:30 am

try adding Routing-Mark=to_Wan2 to the route you are trying to add
Hi,

Done that, still not working... When I use tracert to 10.2.60.59 with routing-mark=to_Wan2, it routes through 10.4.14.1 gateway...
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - Route traffic through specific gateway problem

Wed Jul 10, 2019 4:34 pm

Hi again,

I still cant figure out what seems to be the problem, can anyone help me?
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - Route traffic through specific gateway problem

Fri Jul 19, 2019 1:30 pm

Back again, still problem exists, anyone can help me on that please?
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1648
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: RouterOS - Route traffic through specific gateway problem

Sun Jul 21, 2019 12:34 am

Start by getting routing only working first, I.e disable mangle and route marking rules.
Once routing is still not working, then troubleshoot from there, if working, then add mangle rules and see where it breaks
MTCNA, MTCTCE, MTCRE & MTCINE
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - Route traffic through specific gateway problem

Mon Oct 21, 2019 10:26 am

Hi guys,

I'm coming back on this, has anyone any solution to this problem? I didnt manage to solve it. Please note that the router serves a 1000 clients network, it's on production, so I have a very little room space for radical changes on the existing configuration
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1648
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: RouterOS - Route traffic through specific gateway problem

Thu Oct 24, 2019 1:04 am

It is a bit late here now, i.e. 12:00 am, I will map out your config in the morning and see if I find anything
MTCNA, MTCTCE, MTCRE & MTCINE
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1648
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: RouterOS - Route traffic through specific gateway problem

Fri Oct 25, 2019 11:15 pm

EDIT, sorry, my brain is tired and made a mistake in previous post:

The below rules is wrong, as you are port forwarding these, so you need to accept dstnat connection NAT state for forward chain.

/ip firewall filter
add action=accept chain=input disabled=no dst-address=10.30.52.242 dst-port=\
8080 in-interface=WAN2 protocol=tcp
add action=accept chain=output disabled=no out-interface=WAN2 protocol=tcp \
src-address=10.24.14.21 src-port=8080


Then I had a quick look and not experiencing the same problem, doing a trace route from PC1 to PC2 seems to go via correct gateway
RouteGW.JPG
The config I have on MT-CHR-1 as per config you posted:
[admin@MT-CHR-1] > export
# oct/25/2019 19:56:45 by RouterOS 6.44.3
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether3 ] name=LAN
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.24.14.2-10.24.15.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN name=dhcp1
/ip address
add address=10.24.14.1/23 interface=LAN network=10.24.14.0
add address=10.4.14.2/24 interface=WAN1 network=10.4.14.0
add address=10.30.52.242/24 interface=WAN2 network=10.30.52.0
add address=10.1.1.2/24 interface=WAN2 network=10.1.1.0
/ip dhcp-client
add disabled=no interface=WAN1
/ip dhcp-server network
add address=10.24.14.0/23 gateway=10.24.14.1
/ip firewall filter
add action=accept chain=input dst-address=10.30.52.242 dst-port=8080 \
    in-interface=WAN2 protocol=tcp
add action=accept chain=output out-interface=WAN2 protocol=tcp src-address=\
    10.24.14.21 src-port=8080
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=WAN1 \
    new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=prerouting in-interface=WAN2 \
    new-connection-mark=WAN2_connection passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
    in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_connection \
    in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_connection \
    new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.24.14.0/23
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN1
add action=dst-nat chain=dstnat dst-address=10.30.52.242 dst-port=8080 \
    in-interface=WAN1 protocol=tcp to-addresses=10.24.14.21 to-ports=8080
add action=dst-nat chain=dstnat dst-address=10.30.52.242 dst-port=8080 \
    in-interface=WAN2 protocol=tcp to-addresses=10.24.14.21 to-ports=8080
/ip route
add distance=2 gateway=10.30.52.1 routing-mark=to_WAN2
add distance=1 gateway=10.4.14.1
add distance=1 dst-address=10.2.60.59/32 gateway=10.1.1.138
add comment=ROUTE5 distance=1 dst-address=10.19.25.0/24 gateway=10.30.52.1
add comment=ROUTE1 distance=1 dst-address=10.50.14.0/24 gateway=10.30.52.1
add comment=ROUTE2 distance=1 dst-address=10.50.14.80/32 gateway=10.30.52.1
add comment=ROUTE3 distance=1 dst-address=10.50.147.11/32 gateway=10.30.52.1
add comment=ROUTE4 distance=1 dst-address=10.50.147.16/32 gateway=10.30.52.1
add comment=ROUTE6 distance=1 dst-address=84.225.251.238/32 gateway=\
    10.30.52.1
/system identity
set name=MT-CHR-1
You do not have the required permissions to view the files attached to this post.
MTCNA, MTCTCE, MTCRE & MTCINE
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - Route traffic through specific gateway problem

Mon Oct 28, 2019 12:43 am

Hi, thank you for your reply,

Well it still doesnt work... As you posted in your trace command, it goes through 10.24.14.1, then it goes through 10.1.1.138, with very high pings and after that it continues with timeouts for ever..
The strange thing is that when I'm on the LAN side (10.24.14.1/23), I cant ping the gateway 10.1.1.138 (timeouts), nor can I access its web interface (https://10.1.1.138)
I didnt understand also this line:
The below rules is wrong, as you are port forwarding these, so you need to accept dstnat connection NAT state for forward chain.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1648
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: RouterOS - Route traffic through specific gateway problem

Mon Oct 28, 2019 10:05 pm

I should have included in my previous post, ignore the high ping rates and time outs, my gns3 setup was broken at the time.

The purpose of my screenshot was more to show the route taken.

Is there no firewall rules blocking icmp on 10.1.1.138?
MTCNA, MTCTCE, MTCRE & MTCINE
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - Route traffic through specific gateway problem

Mon Oct 28, 2019 10:34 pm

Well, you have my entire config, no firewall rules
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1648
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: RouterOS - Route traffic through specific gateway problem

Tue Oct 29, 2019 12:56 pm

Well, you have my entire config, no firewall rules

I can only find config for 10.24.14.1?
MTCNA, MTCTCE, MTCRE & MTCINE
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - Route traffic through specific gateway problem

Tue Oct 29, 2019 1:19 pm

Well, you have my entire config, no firewall rules

I can only find config for 10.24.14.1?
Can you please elaborate (explain more) on this? Is something missing?
 
tvagge
newbie
Topic Author
Posts: 26
Joined: Tue May 22, 2018 2:37 pm

Re: RouterOS - Route traffic through specific gateway problem

Tue Oct 29, 2019 1:31 pm

Here's what I'm getting:

Image

No need to say that the end target (10.2.60.59) is up and working

Route command:
add disabled=no distance=1 dst-address=10.2.60.59/32 gateway=10.1.1.138 scope=30 target-scope=10
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1648
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: RouterOS - Route traffic through specific gateway problem

Thu Oct 31, 2019 1:48 pm

Seems you have made some progress, in your OP you stated the packet never reaches 10.1.1.138 and from the trace route now it does.

I dont know what device 10.2.60.59 is and can only assume it is a PC/Workstation/Server, then my assumption would be that there are:
1. Firewall on this device blocking ICMP, or
2. That device does not know how to get back to from where you are doing trace route, i.e. it does not have a default route or default route is pointing to some other device
MTCNA, MTCTCE, MTCRE & MTCINE

Who is online

Users browsing this forum: Kajikhanvli and 31 guests