miankamran7100
Member Candidate
Topic Author
Posts: 251
Joined: Tue Sep 17, 2019 9:28 am

PBR - issues

Sat Apr 10, 2021 6:58 am

Hello
Dear all
Hope you are doing well. I'm facing issues when deploying PBR.
I have a 2-WAN
1-LAN with pppoe server
IP assign to LAN
(172.30.30.1/24)
(172.40.40.1/24)

Wan1 user on this network (172.30.30.0/24)
Wan2 user on this network (172.40.40.0/24)

I have deployed Policy Based Routing
Rule for WAN-1 user
Mangles Prerouting src address (172.30.30.0/24) mark routing new connection mark = Wan1.
Rule for WAN-2 user
Mangles Prerouting src address (172.40.40.0/24) mark routing new connection mark = Wan2.
Mark in IP routes.
But I'm unable to access pppoe user's router remotely.
And even unable to access my Wireless ubnt & Mikrotik Access Point in web browser
IP of Mikrotik and Ubnt wireless Access point in this network 172.20.20.0/24.
Help..!!
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: PBR - issues

Mon Apr 12, 2021 5:28 am

Please post full /export (hide any info you feel you need to) so people can review it
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: PBR - issues

Mon Apr 12, 2021 6:43 am

But I'm unable to access pppoe user's router remotely.
And even unable to access my Wireless ubnt & Mikrotik Access Point in web browser
IP of Mikrotik and Ubnt wireless Access point in this network 172.20.20.0/24.
Help..!!
Policy based routing is always taken very literally and so you have to be careful.

In your case you have subnet1 and subnet2, and subnet1 is configured to go out wan1 and subnet2 is configured to go out wan2. This may seem like what you want but you have to consider all traffic.

For instance, suppose you have traffic that is supposed to be sent from subnet1 to subnet2. Since all traffic sent from subnet1 is forced out wan1 by policy routing, the packets will never make it to subnet2, since the router thinks "with no exceptions, any packet sent from subnet1 MUST be sent out wan1 regardless of where it was supposed to go originally". What you probably actually meant was "any packets that were originally supposed to go from subnet1 to the internet must be sent out wan1" rather than "any packets that are sent from subnet1 to anywhere must be sent out wan1".

In this scenario, imagine you have a third subnet for management purposes where you are located (call it subnet3), and you use this subnet for your computer that you use to access your customers' radios etc. So when you want to log into a customer radio, you, on subnet3, send a packet to subnet1 to log in. The radio on subnet1 sends the response back towards you, but now when the response gets back to the router on its way to you, the router sees this packet from subnet1 and says "with no exceptions, every single packet sent from subnet1 has to be sent out wan1" due to the policy routing rule. So the response packet to your computer with the device login page is now sent out wan1 instead of to your computer on subnet3. As a result, you will never get the login page and will be unable to log into the devices, which is exactly what is happening here, so I am certain that this is the problem.

What you have to do is carefully think about what packets from subnet1 and subnet2 should NOT go out wan1 and wan2 and make sure those are excluded from the policy routing rules by some means. This is accomplished by making a more detailed and nuanced mark routing rule rather than just saying "everything from src subnet1 goes out wan1".
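
The exclusion described in the reply above, as an added example that is not part of any post in this thread: it assumes RouterOS v6 syntax, that Wan1 and Wan2 are routing marks used by the marked routes, and a hypothetical address list named local-nets.

```routeros
# Added example, not from the thread. Subnets and the Wan1/Wan2 marks are
# taken from the posts; the list name "local-nets" is an assumption.

# Before (commented out): every packet sourced from a user subnet is marked,
# so replies to the management network 172.20.20.0/24 are also forced out a WAN.
# /ip firewall mangle
# add chain=prerouting src-address=172.30.30.0/24 action=mark-routing \
#     new-routing-mark=Wan1
# add chain=prerouting src-address=172.40.40.0/24 action=mark-routing \
#     new-routing-mark=Wan2

# After: first list every destination that must keep using the main table.
# Any other internal range (for example a PPPoE pool) would be added here too.
/ip firewall address-list
add list=local-nets address=172.30.30.0/24 comment="WAN-1 users"
add list=local-nets address=172.40.40.0/24 comment="WAN-2 users"
add list=local-nets address=172.20.20.0/24 comment="wireless APs / management"

# Then mark only traffic whose destination is NOT in that list, i.e. traffic
# that was headed for the internet in the first place.
/ip firewall mangle
add chain=prerouting src-address=172.30.30.0/24 dst-address-list=!local-nets \
    action=mark-routing new-routing-mark=Wan1 passthrough=no
add chain=prerouting src-address=172.40.40.0/24 dst-address-list=!local-nets \
    action=mark-routing new-routing-mark=Wan2 passthrough=no
```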
 
miankamran7100
Member Candidate
Topic Author
Posts: 251
Joined: Tue Sep 17, 2019 9:28 am

Re: PBR - issues

Fri Apr 23, 2021 7:42 am

Thanks to all of your comments..!

But I have solved my issues with my own efforts (learnt by experience).
I have 2 networks in the same RB.
Some users are on network 1 and some on network 2.
I just want to access clients' modems / routers remotely when I'm on network 1 or 2.
It may be called VRF leaking.

But I solved this by adding rules in IP > Routes > Rules, and now it is done.



Thanks all of you
