Community discussions

MikroTik App
 
fewdenis
just joined
Topic Author
Posts: 1
Joined: Fri Apr 26, 2019 1:00 pm

Help using mangle vs policy routing rule - second isp

Thu Dec 31, 2020 3:18 pm

Hi all,
which is the main difference between using policy routing rule instead using mangle to route traffic to a second isp?
I have a CCR1016 and ROS 6.46.8.
What i'm tring to do is to routing a subnet trought a second gateway ISP.

this is the network schema
Image

My problem is that if i use mangle and routing marks it won't works.
this is not working conf:
# dec/31/2020 11:48:33 by RouterOS 6.46.8
# software id = E400-S2IH
#
# model = CCR1016-12G
# serial number = D5440C7FBF61
/interface bridge
add name=Lan
add name=bridge_Privato
add name=bridge_Pubblico
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Swisscom
set [ find default-name=ether2 ] name=ether2-Cablecom
set [ find default-name=ether3 ] name=ether3-WIFI
set [ find default-name=ether4 ] name=ether4-Lan
set [ find default-name=ether8 ] name=ether8-HA
/interface vlan
add interface=ether3-WIFI name=vlan_Privato vlan-id=41
add interface=ether3-WIFI name=vlan_Pubblico vlan-id=42
add interface=ether1-Swisscom name=vlan_swisscom vlan-id=12
/interface list
add name=LAN
add name=WAN
/ip pool
add name=pool_Lan ranges=192.168.1.120-192.168.1.220
add name=pool_privato ranges=10.0.41.100-10.0.41.200
add name=pool_Pubblico ranges=10.0.42.100-10.0.42.200
add name=Pool_VPN_FPSRocco ranges=10.155.0.100-10.155.0.250
/ip dhcp-server
add address-pool=pool_Lan disabled=no interface=Lan lease-time=1h name=\
server_lan
add address-pool=pool_privato disabled=no interface=bridge_Privato name=\
server_Privato
add address-pool=pool_Pubblico disabled=no interface=bridge_Pubblico name=\
server_Pubblico
/interface bridge port
add bridge=Lan interface=ether3-WIFI
add bridge=Lan interface=ether4-Lan
add bridge=bridge_Privato interface=vlan_Privato
add bridge=bridge_Pubblico interface=vlan_Pubblico
add bridge=Lan interface=ether10
add bridge=Lan interface=ether8-HA
/ip firewall connection tracking
set enabled=yes
/ip settings
set allow-fast-path=no rp-filter=strict tcp-syncookies=yes
/interface list member
add interface=Lan list=LAN
add interface=bridge_Privato list=LAN
add interface=vlan_swisscom list=WAN
add interface=bridge_Pubblico list=LAN
add interface=ether2-Cablecom list=WAN
add interface=ether1-Swisscom list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=Lan network=192.168.1.0
add address=192.168.8.2/24 interface=vlan_swisscom network=192.168.8.0
add address=10.0.41.1/24 comment=defconf interface=bridge_Privato network=\
10.0.41.0
add address=10.0.42.1/24 comment=defconf interface=bridge_Pubblico network=\
10.0.42.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no disabled=no interface=ether2-Cablecom use-peer-dns=\
no
/ip dhcp-server lease
add address=192.168.1.253 client-id=1:48:8f:5a:f1:33:87 mac-address=\
48:8F:5A:F1:33:87 server=server_lan
/ip dhcp-server network
add address=10.0.41.0/24 dns-server=10.0.41.1 domain=sanrocco.local gateway=\
10.0.41.1
add address=10.0.42.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.42.1
add address=192.168.1.0/24 dns-server=192.168.1.112,192.168.1.114 domain=\
sanrocco.local gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.112,192.168.1.114
/ip firewall address-list
add address=46.88.77.96/27 list=Allowed
add address=76.55.208.25 list=Allowed
add address=192.168.1.0/24 list=DDosExeption
add address=192.168.1.112 list=DDosExeption
add address=192.168.1.114 list=DDosExeption
add address=192.168.1.0/24 list=private_ipv4
add address=10.0.41.0/24 list=private_ipv4
add address=192.168.1.112 list=DNSServer
add address=192.168.1.114 list=DNSServer
add address=10.0.42.0/24 list=private_ipv4
add address=10.0.42.0/24 list=ToCablecom
add address=10.0.41.0/24 list=ToSwisscom
add address=192.168.1.0/24 list=ToSwisscom
add address=192.168.8.0/24 list=Connected
add address=192.168.0.0/24 list=Connected
/ip firewall filter
add action=accept chain=input comment="--0-1-- Allowed IP" src-address-list=\
Allowed
add action=accept chain=forward comment="--0-2-- Allowed IP" \
src-address-list=Allowed
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 \
in-interface-list=WAN protocol=tcp
add action=drop chain=forward comment="Isolate Pubblic Network" \
connection-state=new dst-address=192.168.1.0/24 src-address=10.0.42.0/24
add action=accept chain=output comment="--10-0-- Firewall Rule" disabled=yes
add action=accept chain=input comment=\
"--10-1-- defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="--10-2-- defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input comment=\
"--10-3-- defconf: drop all not coming from LAN" in-interface-list=!LAN \
src-address=!10.155.0.0/24
add action=accept chain=forward comment=\
"--10-4-- defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"--10-5-- defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"--10-6-- defconf: fasttrack" connection-state=established,related \
disabled=yes
add action=accept chain=forward comment=\
"--10-7-- defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="--10-8-- defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"--10-9-- defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=output comment="--10-0-- Firewall Rule" disabled=yes
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=\
!private_ipv4 new-routing-mark=ToCablecom \
src-address-list=ToCablecom
add action=mark-routing chain=prerouting dst-address-list=\
!private_ipv4 new-routing-mark=ToSwisscom \
src-address-list=ToSwisscom
/ip firewall nat
add action=masquerade chain=srcnat dst-address-list=!private_ipv4 \
ipsec-policy=out,none out-interface-list=WAN src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address-list=!private_ipv4 \
ipsec-policy=out,none out-interface-list=WAN src-address=10.0.41.0/24
add action=masquerade chain=srcnat dst-address-list=!private_ipv4 \
ipsec-policy=out,none out-interface-list=WAN src-address=10.0.42.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=ToCablecom
add check-gateway=ping distance=1 gateway=192.168.8.1 routing-mark=ToSwisscom
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
But adding a "policy routing rule" in the /ip route and removing the mangle mark it works

This is the working config:
# dec/31/2020 11:48:33 by RouterOS 6.46.8
# software id = E400-S2IH
#
# model = CCR1016-12G
# serial number = D5440C7FBF61
/interface bridge
add name=Lan
add name=bridge_Privato
add name=bridge_Pubblico
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Swisscom
set [ find default-name=ether2 ] name=ether2-Cablecom
set [ find default-name=ether3 ] name=ether3-WIFI
set [ find default-name=ether4 ] name=ether4-Lan
set [ find default-name=ether8 ] name=ether8-HA
/interface vlan
add interface=ether3-WIFI name=vlan_Privato vlan-id=41
add interface=ether3-WIFI name=vlan_Pubblico vlan-id=42
add interface=ether1-Swisscom name=vlan_swisscom vlan-id=12
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_Lan ranges=192.168.1.120-192.168.1.220
add name=pool_privato ranges=10.0.41.100-10.0.41.200
add name=pool_Pubblico ranges=10.0.42.100-10.0.42.200
add name=Pool_VPN_FPSRocco ranges=10.155.0.100-10.155.0.250
/ip dhcp-server
add address-pool=pool_Lan disabled=no interface=Lan lease-time=1h name=\
server_lan
add address-pool=pool_privato disabled=no interface=bridge_Privato name=\
server_Privato
add address-pool=pool_Pubblico disabled=no interface=bridge_Pubblico name=\
server_Pubblico
/interface bridge port
add bridge=Lan interface=ether3-WIFI
add bridge=Lan interface=ether4-Lan
add bridge=bridge_Privato interface=vlan_Privato
add bridge=bridge_Pubblico interface=vlan_Pubblico
add bridge=Lan interface=ether10
add bridge=Lan interface=ether8-HA
/ip firewall connection tracking
set enabled=yes
/ip settings
set allow-fast-path=no rp-filter=strict tcp-syncookies=yes
/interface list member
add interface=Lan list=LAN
add interface=bridge_Privato list=LAN
add interface=vlan_swisscom list=WAN
add interface=bridge_Pubblico list=LAN
add interface=ether2-Cablecom list=WAN
add interface=ether1-Swisscom list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=Lan network=192.168.1.0
add address=192.168.8.2/24 interface=vlan_swisscom network=192.168.8.0
add address=10.0.41.1/24 comment=defconf interface=bridge_Privato network=\
10.0.41.0
add address=10.0.42.1/24 comment=defconf interface=bridge_Pubblico network=\
10.0.42.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no disabled=no interface=ether2-Cablecom use-peer-dns=\
no
/ip dhcp-server lease
add address=192.168.1.253 client-id=1:48:8f:5a:f1:33:87 mac-address=\
48:8F:5A:F1:33:87 server=server_lan
/ip dhcp-server network
add address=10.0.41.0/24 dns-server=10.0.41.1 domain=sanrocco.local gateway=\
10.0.41.1
add address=10.0.42.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.42.1
add address=192.168.1.0/24 dns-server=192.168.1.112,192.168.1.114 domain=\
sanrocco.local gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.112,192.168.1.114
/ip firewall address-list
add address=46.88.77.96/27 list=Allowed
add address=76.55.208.25 list=Allowed
add address=192.168.1.0/24 list=DDosExeption
add address=192.168.1.112 list=DDosExeption
add address=192.168.1.114 list=DDosExeption
add address=192.168.1.0/24 list=private_ipv4
add address=10.0.41.0/24 list=private_ipv4
add address=192.168.1.112 list=DNSServer
add address=192.168.1.114 list=DNSServer
add address=10.0.42.0/24 list=private_ipv4
add address=10.0.42.0/24 list=ToCablecom
add address=10.0.41.0/24 list=ToSwisscom
add address=192.168.1.0/24 list=ToSwisscom
add address=192.168.8.0/24 list=Connected
add address=192.168.0.0/24 list=Connected
/ip firewall filter
add action=accept chain=input comment="--0-1-- Allowed IP" src-address-list=\
Allowed
add action=accept chain=forward comment="--0-2-- Allowed IP" \
src-address-list=Allowed
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 \
in-interface-list=WAN protocol=tcp
add action=drop chain=forward comment="Isolate Pubblic Network" \
connection-state=new dst-address=192.168.1.0/24 src-address=10.0.42.0/24
add action=accept chain=output comment="--10-0-- Firewall Rule" disabled=yes
add action=accept chain=input comment=\
"--10-1-- defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="--10-2-- defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input comment=\
"--10-3-- defconf: drop all not coming from LAN" in-interface-list=!LAN \
src-address=!10.155.0.0/24
add action=accept chain=forward comment=\
"--10-4-- defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"--10-5-- defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"--10-6-- defconf: fasttrack" connection-state=established,related \
disabled=yes
add action=accept chain=forward comment=\
"--10-7-- defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="--10-8-- defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"--10-9-- defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=output comment="--10-0-- Firewall Rule" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address-list=!private_ipv4 \
ipsec-policy=out,none out-interface-list=WAN src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address-list=!private_ipv4 \
ipsec-policy=out,none out-interface-list=WAN src-address=10.0.41.0/24
add action=masquerade chain=srcnat dst-address-list=!private_ipv4 \
ipsec-policy=out,none out-interface-list=WAN src-address=10.0.42.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=ToCablecom
add check-gateway=ping distance=1 gateway=192.168.8.1
add check-gateway=ping distance=2 gateway=192.168.0.1
/ip route rule
add action=lookup-only-in-table interface=bridge_Pubblico table=ToCablecom
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
I can't understand why...

Who is online

Users browsing this forum: santasimos and 139 guests