safiullahtariq
Frequent Visitor
Topic Author
Posts: 81
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Packet Marking Readable in other Mikrotik

Thu Nov 03, 2016 8:00 pm

Hello All,

Hope you are all doing fine.

I have a question. I have a Mikrotik router working as Multi WAN Failover and another Mikrotik which has 1 WAN port (from the multiwan) and other LAN ports.

I am running 2 networks. I want the traffic of 1 network to pass through number 1 ISP of the WAN router and also prioritize traffic for some reason, and the other network's traffic to pass via the other 2 IPs connected to the Multiwan. For this I will have to mark routing. I want to do some packet marking for queuing also, but the LAN router has only 1 WAN port, which cannot differentiate which ISP it's going through, so ultimately I have to do the queuing and routing on the WAN router.

Question: If I mark packets/traffic/routing on the LAN router, will they be readable by the WAN router so that it can make different routes for traffic?

Please give me an idea on how to do this.

Best Regards
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Re: Packet Marking Readable in other Mikrotik

Thu Nov 03, 2016 11:35 pm

No. These marks are internal and are not modifying packets at all. Try DSCP instead.
 
safiullahtariq
Frequent Visitor
Topic Author
Posts: 81
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Re: Packet Marking Readable in other Mikrotik

Sat Nov 05, 2016 4:55 pm

> No. These marks are internal and are not modifying packets at all. Try dscp instead.

Thank you for the idea, but I'm not sure if DSCP marking can be used in IP > Routes?

Or am I making stupid sense?
Please guide... please show me the path, I'll try to do the walking.

Best Regards,
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Re: Packet Marking Readable in other Mikrotik

Sat Nov 05, 2016 10:25 pm

It is not possible directly, but you can mangle the connection by connection mark first, then all related packets by routing mark, and finally route all packets according to the routing mark by routing rule.
 
safiullahtariq
Frequent Visitor
Topic Author
Posts: 81
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Re: Packet Marking Readable in other Mikrotik

Tue Nov 15, 2016 10:41 pm

Thanks for your reply. We have finally managed to get 1 router, an RB2011, and use it for both WAN and LAN purposes.

Now I'm getting a strange issue.
I have multi WAN configured, which is working successfully.
I have 2 networks running on the same port:
192.x.x.x and 10.x.x.x.
10.x.x.x is for servers and 192. is for normal users.

What I want to do is force the users' traffic through a specific ISP (WAN port). I have marked the connection first and then gave a routing mark to that IP series; and then in /ip route I have forced the traffic to go through that specific ISP via a routing mark. But when I do that, users are not able to access the internal server from the 10.x.x.x network (can't even ping that server).
And my NAT rules don't work as expected, meaning I also have public IPs that are natted to my internet servers, and I can't access them from that internal network. Accessing them from outside the network is working alright.

/ip address
add address=10.x.x.x/24 interface=LAN
add address=192.x.x.x/24 interface=LAN

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark="Local User Connection" passthrough=yes src-address=192.168.20.0/24 log=no log-prefix="pre-"
add chain=prerouting action=mark-connection new-connection-mark="Local User Connection" passthrough=yes dst-address=192.168.20.0/24 log=no log-prefix="pre-"
add chain=prerouting action=mark-routing new-routing-mark="Local Users" passthrough=no connection-mark="Local User Connection"

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark="Local Users"

Mangle rules are applied after the multi wan failover rules.
Your advice is important, please reply.
 
Sob
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Packet Marking Readable in other Mikrotik

Wed Nov 16, 2016 6:35 pm

If your only route with "Local Users" mark is 0.0.0.0/0, then everything with this mark is sent there. Try an exception:
/ip route rule
add action=lookup-only-in-table dst-address=10.x.x.x/24 table=main
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
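
The behaviour discussed in the post above, as an added example that is not part of any post in this thread: a simplified Python model of the lookup order (route rules first, then the table named by the routing mark, then main). The table contents are constructed, and 10.0.0.0/24 is an assumed stand-in for the elided 10.x.x.x/24 server network.

```python
import ipaddress

# Constructed sample tables modelled on the thread. 10.0.0.0/24 is an assumed
# stand-in for the elided 10.x.x.x/24 network; gateway 192.168.10.1 is from the post.
TABLES = {
    "main": [("10.0.0.0/24", "LAN (connected)"),
             ("192.168.20.0/24", "LAN (connected)"),
             ("0.0.0.0/0", "multi-WAN default")],
    "Local Users": [("0.0.0.0/0", "192.168.10.1")],
}

def longest_match(table, dst):
    """Return the gateway of the most specific matching route in one table."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(prefix), gw) for prefix, gw in TABLES[table]
            if addr in ipaddress.ip_network(prefix)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def route(dst, routing_mark=None, rules=()):
    """Simplified model: route rules, then the marked table, then main."""
    addr = ipaddress.ip_address(dst)
    for rule_dst, table in rules:      # models action=lookup-only-in-table
        if addr in ipaddress.ip_network(rule_dst):
            return longest_match(table, dst)
    if routing_mark:
        gw = longest_match(routing_mark, dst)
        if gw is not None:             # the 0.0.0.0/0 route always matches here
            return gw
    return longest_match("main", dst)

SERVER = "10.0.0.5"                    # constructed internal server address
EXCEPTION = [("10.0.0.0/24", "main")]  # the route rule suggested in the post

if __name__ == "__main__":
    # Without the rule, marked traffic to the server is sent to the ISP gateway.
    print("no rule  :", route(SERVER, "Local Users"))
    # With the rule, the connected route in main wins for the server network.
    print("with rule:", route(SERVER, "Local Users", EXCEPTION))
    # Internet-bound user traffic still follows the routing mark.
    print("internet :", route("8.8.8.8", "Local Users", EXCEPTION))
```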
 
stoser
Member Candidate
Posts: 107
Joined: Sun Aug 21, 2016 12:04 am

Re: Packet Marking Readable in other Mikrotik

Wed Nov 16, 2016 11:49 pm

safiullahtariq: If I understand you correctly, then you need for internal source addresses to NOT be routed out the WAN when accessing Internal (or DMZ) servers/services. What I do in such cases is simply bypass the rest of the mangle rules when I detect that source and destination addresses are internal. I put a mangle rule above the rules that mangle connection marks and routing marks associated with external addresses. This mangle rule will simply "accept" (action=accept) traffic from a source address that is internal, to a destination address that is internal (or DMZ). Please note that by accepting that traffic, no other rules will be applied or processed, so it's the same as having passthrough = NO. Whether this can work for you depends on the complexity of your mangle rules. You can still apply rules further up, to apply routing marks and such, or you can just use the main routing table for internal routes.

Hope you find this helpful. Kind regards.

PS. Also, now that I read @Sob's solution, I see it is more elegant than mine. I recommend you try Sob's solution first, and I'll be changing my mangle bypass rules to routing exception rules soon ... Thanks Sob.
 
safiullahtariq
Frequent Visitor
Topic Author
Posts: 81
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Re: Packet Marking Readable in other Mikrotik

Sat Nov 19, 2016 10:59 pm

Sob's reply and solution is very elegant and worked like a charm.

Thanks a million for this help.
Best Regards.
