senseivita
newbie
Topic Author
Posts: 35
Joined: Fri Jan 01, 2021 4:20 am

Policy Routing/FIB

Wed Apr 21, 2021 11:40 pm

I use several network appliances in the network to do what MikroTik can't do or is just too cumbersome to do with; I'm sure it'll get easier with time and some of these will disappear.

Meanwhile, though, I have these devices chained, routing from one to the next, and I'd like to reorganize this into a pseudo star topology with MikroTik in the center so it has visibility into every hop the traffic makes from device to device. I can't just connect everything like that because all traffic would exit to the default route. My inbound interfaces for IPv4 and IPv6 are tunneled, for instance; there's no chance traffic would exit back the same way because they're not supposed to be default routes.

[image attachment]

Reading up on the docs, I found out that this information is in the Forwarding Information Base, but I guess it's more of a concept than an actual thing in Winbox; still, I did find this:

[image attachment]

Is that the correct place to assign gateways per interface?

If it is: for traffic not coming from the set default gateway for an interface, or from a source range of addresses, would a route back still be created, or would it try to route over the default gateway too?

Thanks!
 
senseivita
newbie
Topic Author
Posts: 35
Joined: Fri Jan 01, 2021 4:20 am

Re: Policy Routing/FIB

Sat Apr 24, 2021 7:07 am

I think I can solve it using Mangle rules to mark traffic on an interface and then the rules section in IP/Routes to match the traffic and force it to a gateway.

The only problem is that since the router has visibility at every point, I'm afraid on the way back it might skip the gateways altogether and send it directly to the destination (routing it asymmetrically).

I could create more of these Mangle rules, but I want other traffic to escape into the network at any hop without having to go through the processing done at each hop if it's not needed. Is there a way to do this?
 
elbob2002
Member Candidate
Posts: 253
Joined: Tue May 15, 2018 8:15 pm
Location: Ireland

Re: Policy Routing/FIB

Sat Apr 24, 2021 8:19 am

That is indeed the right place.

Here's an example of mine. First are my default routes. You can see I have some of them duplicated with a routing mark:
[attachment: 1.PNG]
At the moment I only have two routes with a policy applied (marked as 4G and UBNT), and you can see how I set the source:
[attachment: 2.PNG]
Here's what it looks like. Mine is a subnet, but it can also be a single IP address.
[attachment: 3.PNG]
Destination can be whatever you want it to be as well: a subnet, an IP address, etc. In my example you can see that traffic from subnet 192.168.200.0/24 gets routed through gateway 172.20.0.29 instead of the default gateway 172.20.1.1.

It's a much simpler solution than messing about with Mangle rules.
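The setup elbob2002 describes, written out as RouterOS v6 CLI (an added example, not configuration from the post or from MikroTik): a duplicated default route carrying a routing mark, plus a route rule that sends packets sourced from 192.168.200.0/24 to table `via-4g` (gateway 172.20.0.29) while everything else uses 172.20.1.1. The table name `via-4g` and the interface name `ether-proxy` are assumed placeholders; RouterOS v7 moved these commands to `/routing table` and `/routing rule`.

```routeros
# Added example, RouterOS v6 syntax. Addresses are the ones quoted in the post;
# the table name "via-4g" and the interface "ether-proxy" are constructed placeholders.

/ip route
# Main table: the normal default route.
add dst-address=0.0.0.0/0 gateway=172.20.1.1 distance=1 comment="default"
# Same destination, second table selected by routing-mark.
# check-gateway=ping makes this route inactive if 172.20.0.29 stops answering,
# so a rule with action=lookup can fall back to the main table.
add dst-address=0.0.0.0/0 gateway=172.20.0.29 routing-mark=via-4g \
    check-gateway=ping comment="policy: alternate uplink"

/ip route rule
# Rules are consulted before the ordinary main-table lookup.
# Source-based: packets from 192.168.200.0/24 are looked up in table via-4g.
# action=lookup falls through to the main table when that table has no usable
# route; lookup-only-in-table would instead refuse to use any other table.
add src-address=192.168.200.0/24 action=lookup table=via-4g
# Interface-based: the same mechanism keyed on the ingress interface, which is
# the "gateway per interface" case from the first post, without mangle rules.
add interface=ether-proxy action=lookup table=via-4g

# Verification: the marked route should show the A (active) flag,
# and the rules should list in the order they are evaluated.
/ip route print where routing-mark=via-4g
/ip route rule print
```

Route rules only choose which table is consulted for a packet's own lookup and keep no state, so the reply direction is routed purely on its own source and destination and needs its own rule or route if it is to follow the same path.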
 
senseivita
newbie
Topic Author
Posts: 35
Joined: Fri Jan 01, 2021 4:20 am

Re: Policy Routing/FIB

Sun Apr 25, 2021 3:06 am

Thanks for answering, that's such a relief. I already set it up halfway (routes are not enforced yet); I only need to figure out a way to enforce traffic within the chain if, say, another device introduces traffic in the middle of the line, so that this traffic continues right along the line but this device is able to communicate with any other host on the network directly as well.

I sketched up examples of the network in terms of subnets pre- and post-CHR:
[image attachment]

I didn't add enough stops because it takes forever drawing even these simple shapes; just imagine there are more "REVERSE PROXY" boxes and traffic must stop on each one, so it's all within 10.0.0.0/8, but any one of them could also be a tunnel out, so it's a gateway as well. The easiest way out is adding a route from the edge to 10.0.0.0/8 not through 192.168.41.2 but through 10.18.0.22 (or several, since they'd overlap), but that would turn CHR back into an L3 switch, a fancier L3 switch than the boxes in the rack with fans and blinking lights. I want CHR to make these decisions so I can start using the really cool tools it has: The Dude, AAA, all that.

I need to find some other way of classifying traffic because just by using subnets I can lock down traffic that doesn't necessarily need to go through all the hops. The good thing is that CHR has way too many ways of doing this; the bad thing is that the wiki talks in the form of CLI, which is easy to understand but not to visualize, so you don't quite get the bigger picture. ...which is why I'm using actual pictures to help myself.

Thank you so much again, at least now I have confirmation and something to fall back on. :)
