flexus
just joined
Topic Author
Posts: 22
Joined: Wed Feb 16, 2011 11:35 pm
Location: Ukraine

Policy Base Routing problem

Thu Sep 19, 2013 6:04 pm

Hi there!
I want to reach a certain website via VPN, not over my main internet connection. I found a simple manual, Policy Base Routing (http://wiki.mikrotik.com/wiki/Policy_Base_Routing), with a good example, just what I need. I did everything according to the instructions:
ip firewall Mangle add chain=prerouting src-address=192.168.150.0/24 content=facebook action=mark-routing new-routing-mark=Through_VPN
interface pptp-client add connect-to=My VPN Connection allow=pap,chap,mschap1,mschap2 name="My VPN" user=Reza Moghadam password=Reza Moghadam add-default-route=no
Ip Route Add Dst-Address=0.0.0.0/0 Gateway="My VPN" Routing-Mark=Through_VPN
ip firewall nat chain=srcnat src-address=192.168.150.0/24 out-interface="My VPN" action=masquerade
But it didn't work. The website is unreachable.
Any ideas?
Thank you!

PS: Using RB750G with RoS 6.04
Last edited by flexus on Fri Sep 20, 2013 7:48 pm, edited 2 times in total.
 
flexus

Re: Policy Base Routing problem

Fri Sep 20, 2013 6:28 pm

bump!
 
flexus

Re: Policy Base Routing problem

Wed Sep 25, 2013 5:59 pm

Nobody knows? Or did I make a mistake somewhere while describing my problem? Help please.
 
biomesh
Long time Member
Posts: 563
Joined: Fri Feb 10, 2012 8:25 pm

Re: Policy Base Routing problem

Wed Sep 25, 2013 6:05 pm

You should make sure your vpn connection works before trying the PBR. From your first post, it looks like you just copied from the wiki - which is just an example. You will need to replace a lot of information in the example with your VPN IP address, credentials, along with your subnet, packet marking criteria, etc.
 
flexus

Re: Policy Base Routing problem

Fri Sep 27, 2013 1:10 pm

Np, look at my config.
/interface pptp-client add connect-to=blablalba allow=pap,chap,mschap1,mschap2 name="Comodo" user=1 password=2 add-default-route=no

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=pandora.com new-connection-mark=forwarded-dns protocol=udp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=last.fm new-connection-mark=forwarded-dns protocol=udp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=lastfm.ru new-connection-mark=forwarded-dns protocol=udp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=pandora.com new-connection-mark=forwarded-dns protocol=tcp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=lastfm.ru new-connection-mark=forwarded-dns protocol=tcp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=last.fm new-connection-mark=forwarded-dns protocol=tcp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=rdio.com new-connection-mark=forwarded-dns protocol=udp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=rdio.com new-connection-mark=forwarded-dns protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-address=192.168.88.1 dst-port=53 layer7-protocol=tunlr.net new-connection-mark=forwarded-dns protocol=udp
add action=mark-connection chain=prerouting disabled=yes dst-address=192.168.88.1 dst-port=53 layer7-protocol=tunlr.net new-connection-mark=forwarded-dns protocol=tcp
add action=mark-routing chain=prerouting content=2ip new-routing-mark=comodo passthrough=no src-address=192.168.88.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment=through_comodo out-interface=Comodo src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=:::http://tunlr.net:::DNS:::LAYER7 connection-mark=forwarded-dns to-addresses=69.197.169.9

/ip route print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          Comodo                    1
 1 ADS  0.0.0.0/0                          10.40.0.1                 1
 2 ADC  10.40.0.1/32       xx.xx.xx.xx  pppoe-out1                0
 3 ADC  10.80.22.0/24      10.80.22.61     ether1-gateway            0
 4 ADC  172.20.2.1/32      172.20.2.156    Comodo                    0
 5 ADC  192.168.88.0/24    192.168.88.1    ether2-local-ma...        0
 6 ADC  192.168.88.210/32  192.168.88.1    <pptp-xxx>              0
 7 ADC  192.168.137.0/24   192.168.137.231 ether1-gateway            0

/ip route
add distance=1 gateway=Comodo routing-mark=comodo

/ip address print  
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    ether2-local-master                    
 1   ;;; Static Ether1 IP
     192.168.137.231/24 192.168.137.0   ether1-gateway                         
 2 D 10.80.22.61/24     10.80.22.0      ether1-gateway                         
 3 D 91.xxx.114.xxx/32  10.40.0.1       pppoe-out1                             
 4 D 172.20.2.158/32    172.20.2.1      Comodo
 5 D 192.168.88.1/32    192.168.88.210  <pptp-xyz> 

When I disable the prerouting mark rule or the routing rule, the web site is reachable. Also, the masquerade rule with out-interface Comodo sees no traffic at all.

Do you see mistake in config?

Thank you.
 
MrYan
Member Candidate
Posts: 160
Joined: Sat Feb 27, 2010 6:13 pm

Re: Policy Base Routing problem

Fri Sep 27, 2013 3:24 pm

It may be because you need to mark all packets with the routing-mark and content= doesn't do this. Perhaps setting a connection-mark and then applying routing-mark based on this (in the outbound direction only) would help.


Matt.
 
biomesh

Re: Policy Base Routing problem

Fri Sep 27, 2013 6:04 pm

Here is the wiki sample
/ip firewall mangle add chain=prerouting src-address=192.168.150.0/24 content=facebook action=mark-routing new-routing-mark=Through_VPN
/interface pptp-client add connect-to=My VPN Connection allow=pap,chap,mschap1,mschap2 name="My VPN" user=Reza Moghadam password=Reza Moghadam add-default-route=no
/ip route add dst-address=0.0.0.0/0 Gateway="My VPN" Routing-Mark=Through_VPN
/ip firewall nat chain=srcnat src-address=192.168.150.0/24 out-interface="My VPN" action=masquerade
Here is yours
/ip firewall mangle add action=mark-routing chain=prerouting content=2ip new-routing-mark=comodo passthrough=no src-address=192.168.88.0/24
/interface pptp-client add connect-to=blablalba allow=pap,chap,mschap1,mschap2 name="Comodo" user=1 password=2 add-default-route=no
/ip route add distance=1 gateway=Comodo routing-mark=comodo
/ip firewall nat add action=masquerade chain=srcnat comment=through_comodo out-interface=Comodo src-address=192.168.88.0/24
Looks like the only thing different is your route. Can you change yours to
/ip route add dst-address=0.0.0.0/0 gateway=Comodo routing-mark=comodo
to see if it makes any difference?
 
flexus

Re: Policy Base Routing problem

Fri Sep 27, 2013 11:39 pm

Here is the wiki sample
/ip route add dst-address=0.0.0.0/0 gateway=Comodo routing-mark=comodo
to see if it makes any difference?
No, no difference.
 
biomesh

Re: Policy Base Routing problem

Sat Sep 28, 2013 12:44 am

I would change your content criteria and perhaps see if any traffic will work over your vpn connection. If you remove the content option and set the src-address to just one IP address, see if you can get it to work. This would just mean you need a better way to identify the traffic.
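Following biomesh's advice to first prove that the tunnel and the marked route work for a single source host, without any content= match involved, here is a staged check. It is an added example, not part of the thread or the wiki. It assumes the interface name Comodo, the routing mark comodo and the LAN 192.168.88.0/24 from the poster's config; the test host 192.168.88.10 and the ping target 8.8.8.8 are assumptions.

```routeros
# Added example, not the poster's config. Names are assumptions: interface "Comodo",
# routing mark "comodo", LAN 192.168.88.0/24, test host 192.168.88.10.

# Stage 1: is the tunnel actually up, with local/remote addresses assigned?
/interface pptp-client monitor Comodo once

# Stage 2: does the "comodo" table hold an ACTIVE default route (flag A, not only S)?
/ip route print where routing-mark=comodo

# Stage 3: can the router itself reach the internet through that table?
# If this fails, PBR for LAN hosts cannot work either; fix the tunnel first.
/ping 8.8.8.8 routing-table=comodo count=3

# Stage 4: send ALL traffic of one LAN host through the VPN, no content= or layer7.
/ip firewall mangle add chain=prerouting src-address=192.168.88.10 \
    action=mark-routing new-routing-mark=comodo passthrough=no comment="PBR isolation test"

# Now browse from 192.168.88.10. The test rule's counters must grow...
/ip firewall mangle print stats where comment="PBR isolation test"
# ...and the masquerade rule on the tunnel must start counting traffic.
/ip firewall nat print stats where out-interface=Comodo

# Remove the test rule once done.
/ip firewall mangle remove [find comment="PBR isolation test"]
```

If stage 4 works, the routing and NAT parts are fine and only the traffic selector is wrong; if it does not, the problem is in the tunnel or the route, and no amount of content= or layer7 tuning will help.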
 
flexus

Re: Policy Base Routing problem

Sat Feb 22, 2014 4:08 am

Ok. Trying to do this thing via layer-7 protocol.
/ip firewall layer7-protocol add name=2ip.ru regexp=2ip.ru

/ip firewall mangle add action=mark-routing chain=prerouting comment="" disabled=no layer7-protocol="2ip.ru" new-routing-mark="comodo" passthrough=yes

/ip route add dst-address=0.0.0.0/0 gateway="myvpn1" routing-mark=comodo
Still not working, web site 2ip.ru is unreachable. But it should work and show the VPN's IP address.
Any ideas, again :) ?
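MrYan's point applies equally to this layer-7 attempt: content= and layer7-protocol are per-packet matchers, and both can only match after the connection's first packets (the TCP handshake, which carries no hostname or payload) have already been routed through the main table. Source NAT is decided once, on a connection's first packet, so those connections were already masqueraded to the pppoe address before any packet got the routing mark; that is why the Comodo masquerade rule never counts traffic and the site is unreachable. The fix is to mark the connection on its first packet and derive the routing mark from the connection mark, for LAN-originated packets only. The following is an added example, not the poster's config and not the wiki's. It assumes the names from the poster's config (interface Comodo, routing mark comodo, LAN 192.168.88.0/24); 203.0.113.10 is an RFC 5737 placeholder for the destination's real address, not the address of any site named in the thread.

```routeros
# Added example, not the poster's config. Assumptions: interface "Comodo", routing mark
# "comodo", LAN 192.168.88.0/24. 203.0.113.10 is a placeholder destination (RFC 5737).

/ip firewall address-list
# Destinations to send through the VPN, selected by IP so the FIRST packet can be matched.
add list=via-vpn address=203.0.113.10 comment="placeholder: replace with the site's real address(es)"

/ip firewall mangle
# 1. On the first packet of a new LAN -> listed-destination connection, mark the connection.
#    content= or layer7-protocol could only match a later packet; by then the SYN has left
#    via the main table and srcnat has already bound the connection to the pppoe address.
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=via-vpn \
    connection-state=new action=mark-connection new-connection-mark=vpn-conn passthrough=yes
# 2. Every LAN-originated packet of a marked connection gets the routing mark.
#    src-address keeps this to the outbound direction: replies arriving on Comodo are
#    forwarded back to the LAN by the main table and must not be re-marked.
add chain=prerouting src-address=192.168.88.0/24 connection-mark=vpn-conn \
    action=mark-routing new-routing-mark=comodo passthrough=no

/ip route
# Default route that exists only in the "comodo" table. With an interface as gateway the
# route goes inactive by itself when the tunnel drops, and lookups fall back to main.
add dst-address=0.0.0.0/0 gateway=Comodo routing-mark=comodo distance=1

/ip firewall nat
# srcnat runs only on a connection's first packet; that packet now already carries the
# routing mark, leaves via Comodo, and this rule is the one that fires.
add chain=srcnat src-address=192.168.88.0/24 out-interface=Comodo action=masquerade

/interface pptp-client
# Separate from the routing problem: allowing pap/chap lets the server negotiate the
# password exchange down to cleartext (PAP). Permit only mschap2; PPTP itself remains
# weak (MS-CHAPv2 has known offline attacks), so treat this as a minimum, not a fix.
set [find name=Comodo] allow=mschap2 add-default-route=no
```

The mark-connection rule is matched against the first packet only (connection-state=new), so the cost is one lookup per new connection rather than a per-packet string scan; the mark-routing rule uses the cheap connection-mark match for every subsequent packet. If the site's address changes, the address list is the only thing to update.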
 
Sentello
just joined
Posts: 1
Joined: Mon Sep 29, 2014 1:03 pm

Re: Policy Base Routing problem

Mon Sep 29, 2014 1:07 pm

Hi,
did you solve this problem?
