zainamjed90
just joined
Topic Author
Posts: 9
Joined: Mon Aug 02, 2021 12:41 pm

STATIC ROUTING WITH PBR FOR MULTI WAN

Sun Sep 05, 2021 1:05 pm

Currently I am facing the same issue. I have multiple sites on which I have done static routing with the MikroTik router, but when I do the PBR for 2 WANs the far end cannot reach 172.13.2.1/24, 172.13.3.1/24; the only accessible IP series is 172.13.1.1/24. If PBR works then static routing stops; if static routing works, PBR stops working.

# sep/05/2021 14:56:04 by RouterOS 6.48.4

/interface ethernet
set [ find default-name=ether1 ] comment="Nayatel WAN" l2mtu=1596 \
    mac-address=48:8F:5A:A3:EA:2F
set [ find default-name=ether2 ] comment=LAN l2mtu=1596 mac-address=\
    48:8F:5A:A3:EA:30
set [ find default-name=ether3 ] comment="Nayatel CIR" l2mtu=1596 \
    mac-address=48:8F:5A:A3:EA:31
set [ find default-name=ether4 ] l2mtu=1596 mac-address=48:8F:5A:A3:EA:32
set [ find default-name=ether5 ] l2mtu=1596 mac-address=48:8F:5A:A3:EA:33
set [ find default-name=ether6 ] comment="NEXLINK DATA LINK HO"
set [ find default-name=ether7 ] comment="NEXLINK DATA LINK FIEDMIC"
set [ find default-name=ether8 ] comment="Wireless Air Fiber"
set [ find default-name=ether10 ] comment="FIEDMIC TOWER"
/interface vlan
add interface=ether8 name="GATWALA Data Link" vlan-id=90
add interface=ether6 name="Headoffice to Server Room Nexlink" vlan-id=50
add interface=ether8 name="OILMILL Data Link" vlan-id=80
add interface=ether7 name="SERVER ROOM TO FIEDMIC" vlan-id=40
add interface=ether8 name="SERVER ROOM TO HO" vlan-id=30
/interface ethernet switch port
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=test
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/system logging action
set 1 disk-file-name=flash/log
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=WAN
/ip address
add address=103.55.X.X comment="NAYATEL CIR" interface=ether3 network=\
    103.55.X.X
add address=203.X.X.X comment="SERVER ROOM PC" interface=ether3 \
    network=203.X.X.X
add address=203.X.X.X interface=ether3 network=203.99.X.X
add address=203.X.X.X interface=ether3 network=203.99.X.X
add address=192.169.10.10/30 comment="FIEDMIC WIRELESS LINK" interface=\
    ether10 network=192.169.10.8
add address=192.169.10.13/30 comment="WIRELESS LINK HEADOFFICE" interface=\
    "SERVER ROOM TO HO" network=192.169.10.12
add address=203.X.X.X/29 comment="MIKROTIK ACCESS" interface=ether3 \
    network=203.X.X.X
add address=172.13.1.1/16 comment="SERVER ROOM LAN" interface=ether2 network=\
    172.13.0.0
add address=192.167.10.10/30 comment="data link nexlink to fiedmic" \
    interface="SERVER ROOM TO FIEDMIC" network=192.167.10.8
add address=192.166.10.13/30 comment="Gatwala Data Link" interface=\
    "GATWALA Data Link" network=192.166.10.12
add address=192.161.10.13/30 comment="Oil Mill Data Link" interface=\
    "OILMILL Data Link" network=192.161.10.12
add address=192.167.10.13/30 comment="DATA LINK NEXLINK TO HO" interface=\
    "Headoffice to Server Room Nexlink" network=192.167.10.12
add address=172.30.1.10/30 interface=ether1 network=172.30.1.8
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=172.13.22.11 list="Shared Users"
add address=172.13.3.1 list="Shared Users"
add address=172.13.3.4 list=CIR-Users
add address=172.13.3.2 list=CIR-Users
add address=172.13.3.5 list=CIR-Users
add address=172.13.4.1 list=CIR-Users
add address=172.13.4.2 list="Shared Users"
add address=172.13.2.4 list="Shared Users"
add address=172.13.2.1 list="Shared Users"
add address=172.13.2.2 list="Shared Users"
add address=172.13.2.3 list="Shared Users"
add address=172.13.2.5 list="Shared Users"
/ip firewall filter
add action=accept chain=input dst-port=8219 in-interface=ether3 protocol=tcp
add action=accept chain=input dst-port=81 in-interface=ether3 port="" \
    protocol=tcp
/ip firewall mangle
add action=accept chain=prerouting dst-address=172.12.0.0/16
add action=accept chain=prerouting dst-address=172.13.0.0/16
add action=accept chain=prerouting dst-address=172.14.0.0/16
add action=accept chain=prerouting dst-address=172.15.0.0/16
add action=accept chain=prerouting dst-address=172.16.0.0/16
add action=mark-connection chain=input in-interface=ether1 \
    new-connection-mark=Shared-Nayatel passthrough=yes
add action=mark-connection chain=input in-interface=ether3 \
    new-connection-mark=CIR-Nayatel passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CIR-Nayatel \
    in-interface=ether2 new-routing-mark=TO_CIR-Nayatel passthrough=yes \
    src-address-list=CIR-Users
add action=mark-routing chain=prerouting connection-mark=Shared-Nayatel \
    in-interface=ether2 new-routing-mark=TO_Shared-Nayatel passthrough=yes \
    src-address-list="Shared Users"
add action=mark-routing chain=output connection-mark=CIR-Nayatel \
    new-routing-mark=TO_CIR-Nayatel passthrough=yes
add action=mark-routing chain=output connection-mark=Shared-Nayatel \
    new-routing-mark=TO_Shared-Nayatel passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.13.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether3
add action=src-nat chain=srcnat disabled=yes src-address=172.13.3.2 \
    to-addresses=203.X.X.X
add action=src-nat chain=srcnat disabled=yes src-address=172.13.3.12 \
    to-addresses=203.X.X.X
add action=src-nat chain=srcnat disabled=yes log=yes src-address=172.13.4.1 \
    to-addresses=203.X.X.X
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=3389 \
    protocol=tcp to-addresses=172.13.3.2 to-ports=3389
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=8100 \
    protocol=tcp to-addresses=172.13.3.2 to-ports=8100
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=1433 \
    protocol=tcp to-addresses=172.13.3.2 to-ports=1433
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=44503 \
    protocol=tcp to-addresses=172.13.3.2 to-ports=44053
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=3389 \
    protocol=tcp to-addresses=172.13.3.12 to-ports=3389
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=3389 \
    protocol=tcp to-addresses=172.13.4.1 to-ports=3389
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=40000 \
    protocol=tcp to-addresses=172.13.3.2 to-ports=40000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes ports=5060,5061,1720,2493
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=103.X.X.X routing-mark=TO_CIR-Nayatel
add distance=1 gateway=172.30.1.9 routing-mark=TO_Shared-Nayatel
add check-gateway=ping distance=1 gateway=103.X.X.X
add check-gateway=ping distance=2 gateway=172.30.1.9
add comment=Fiedmic distance=30 dst-address=172.12.0.0/16 gateway=\
    192.169.10.9
add comment="Fiedmic PC" disabled=yes distance=30 dst-address=172.12.2.0/24 \
    gateway=192.169.10.9
add comment="Fiedmic IP Phones" disabled=yes distance=30 dst-address=\
    172.12.5.0/24 gateway=192.169.10.9
add comment="Fiedmic Camera " disabled=yes distance=30 dst-address=\
    172.12.6.0/24 gateway=192.169.10.9
add comment="FIEDMIC Attedence Machine" disabled=yes distance=30 dst-address=\
    172.12.9.0/24 gateway=192.169.10.9
add distance=30 dst-address=172.14.1.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.2.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.4.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.5.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.6.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.9.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.10.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.15.0.0/16 gateway=192.169.10.14
add check-gateway=ping distance=30 dst-address=172.16.0.0/16 gateway=\
    192.166.10.14
add distance=30 dst-address=192.161.10.12/30 gateway="OILMILL Data Link" \
    scope=10
add distance=30 dst-address=192.167.10.8/30 gateway="SERVER ROOM TO FIEDMIC" \
    scope=10
add distance=30 dst-address=192.167.10.12/30 gateway=\
    "Headoffice to Server Room Nexlink" scope=10
add distance=30 dst-address=192.169.10.8/30 gateway=ether10 scope=10
add distance=30 dst-address=192.169.10.12/30 gateway="SERVER ROOM TO HO" \
    scope=10
/ip route rule
add action=lookup-only-in-table dst-address=172.12.0.0/16 table=main
add action=lookup-only-in-table dst-address=172.15.0.0/16 table=main
add action=lookup-only-in-table dst-address=172.16.0.0/16 table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=81
set ssh disabled=yes
set api disabled=yes
set winbox port=8219
set api-ssl disabled=yes
/ip traffic-flow
set cache-entries=64k enabled=yes
/system clock
set time-zone-name=Asia/Karachi
/system identity
set name="Server ROOM Internet "
Last edited by zainamjed90 on Sun Sep 05, 2021 5:27 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Sun Sep 05, 2021 3:44 pm

While it is better to open your own topic than to piggyback a very loosely related existing one, it needs more than just copy-paste. The intro "I am facing the same issue" looks weird in an OP.

What I can see is that you only assign a connection-mark value in chain input, whereas you translate a connection-mark value into a routing-mark value in chain prerouting. That cannot work as chain input only handles packets for the router itself, whereas chain prerouting handles the packets before the initial phase of routing that distinguishes packets for the router itself from those to be forwarded. And dst-nat takes place after mangle in prerouting, so the dst-nated packets towards LAN IPs end up in chain forward, not input. So you never translate the in-interface into a connection-mark value for dst-nated traffic. See this diagram for details.

Off topic:
  • it is better to use a text editor to systematically obfuscate your public IP addresses, replacing e.g. the first two bytes and leaving the rest unchanged. Because you have obfuscated the second bytes of your own address, but kept the mask of /30 and kept the full address of the gateway, which reveals the complete address. So better use public.ip-1.10.25, public.ip-2.30.41 when posting.
  • are you aware that 192.169.x.x are not private IPs?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Sun Sep 05, 2021 3:51 pm

  • are you aware that 192.169.x.x are not private IPs?

Neither are the rest of 192.16x.0.0/yy he's using for other interfaces/networks. Nor is 172.13.0.0/16 (server room subnet)
OP seems to successfully avoid the private address space of 192.168.0.0/16, kudos for that.
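The two off-topic points above (sindy's, that an obfuscated address on a /30 is given away by an intact gateway and that public addresses should be replaced consistently, and mkx's, that the 192.16x.x.x and 172.13.x.x ranges in the export are not RFC 1918 space), as an added example that is not part of either post: a small Python helper for sanitising a RouterOS export before it is pasted into a forum. recover_peer() demonstrates the leak, sanitize() does the consistent first-two-octet replacement sindy suggests and reports every non-RFC 1918 /16 it touched so the poster can spot ranges that should have been private. The sample export lines are constructed for the example; 203.0.113.0/24 stands in for the real public block.

```python
"""Sanitise a RouterOS export before posting it (added example, not from the thread)."""
import ipaddress
import re

# IPv4 address with an optional /prefix, as they appear in an export.
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?\b")

# Only RFC 1918 space is left untouched; ipaddress.is_private would also
# skip the documentation ranges used as stand-ins here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def recover_peer(obfuscated: str, gateway: str) -> str:
    """The leak sindy describes: 'X.X.X.10/30' plus the real gateway on that /30.

    The prefix fixes the size of the block, the gateway fixes which block it is,
    and the last octet that was left visible fixes the host within it.
    """
    m = re.search(r"(\d{1,3})/(\d{1,2})$", obfuscated)
    last_octet, prefix = int(m.group(1)), int(m.group(2))
    block = ipaddress.ip_network(f"{gateway}/{prefix}", strict=False)
    for host in block.hosts():
        if int(host) & 0xFF == last_octet:
            return str(host)
    raise ValueError("visible last octet is not a host in the gateway's block")


def sanitize(export: str):
    """Replace the first two octets of every non-RFC 1918 address consistently.

    Returns the rewritten text and a report {placeholder: 'a.b.x.x'} listing
    which real /16s were hidden; anything in that report that is a LAN or
    point-to-point link is a range that should have been private to begin with.
    """
    mapping = {}  # 'a.b' -> 'public.ip-N'

    def repl(m):
        ip = ipaddress.ip_address(m.group(1))
        if is_rfc1918(ip):
            return m.group(0)
        o1, o2, o3, o4 = m.group(1).split(".")
        tag = mapping.setdefault(f"{o1}.{o2}", f"public.ip-{len(mapping) + 1}")
        return f"{tag}.{o3}.{o4}{m.group(2) or ''}"

    text = IPV4.sub(repl, export)
    report = {tag: f"{key}.x.x" for key, tag in mapping.items()}
    return text, report


# Constructed export fragment in the style of the posted config.
SAMPLE = """\
/ip address
add address=203.0.113.10/30 comment="NAYATEL CIR" interface=ether3 network=203.0.113.8
add address=172.13.1.1/16 comment="SERVER ROOM LAN" interface=ether2 network=172.13.0.0
add address=192.169.10.13/30 comment="WIRELESS LINK HEADOFFICE" interface=ether8 network=192.169.10.12
add address=10.20.0.1/24 comment=MGMT interface=ether5 network=10.20.0.0
/ip route
add distance=1 gateway=203.0.113.9
"""

if __name__ == "__main__":
    print(recover_peer("203.X.X.10/30", "203.99.17.9"))  # 203.99.17.10
    text, report = sanitize(SAMPLE)
    print(text)
    for tag, real in report.items():
        print(f"{tag} hides {real}")
```

Address and gateway now carry the same placeholder, so the /30 no longer identifies the block, and the report makes the 172.13.x.x and 192.169.x.x entries stand out next to the genuinely public 203.0.x.x one.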
 
zainamjed90
just joined
Topic Author
Posts: 9
Joined: Mon Aug 02, 2021 12:41 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Sun Sep 05, 2021 5:38 pm

Thank you for guiding; for the next post I will take care of the instructions you gave. Further, the IP scheme which I am using is for point-to-point interfaces; if it is not recommended, please advise which scheme should be used. For the connection marking, should I use prerouting and then use connection-mark none and then mark-connection for proper working? Basically I have multiple sites on which static routing is done; the device config which I shared is the center point for all the sites. At the same site I have two ISP connections; as soon as I mark routing for a few IPs to move to ISP1 and others to ISP2, the static routing stops working.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Sun Sep 05, 2021 7:17 pm

It's not "static routing versus PBR". It's rather "static routing with PBR".

In the configuration you've posted, traffic forwarded by the router never gets any connection-mark, hence it never gets any routing-mark, so it should keep using routing table main. Only the own traffic of the router always gets a connection-mark in mangle in chain input, and this connection-mark is later translated into routing-mark by the mangle rules in chain output.

So do I read it correctly that you've posted the configuration in the state where "static routing works and PBR doesn't"? If so, what rules do you add to get to the state "PBR works but static routing doesn't"?
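The chain-order point made in sindy's two replies above (a connection-mark set in chain input never reaches a dst-nated, forwarded connection, so the mark-routing rule in prerouting has nothing to match, while the router's own traffic is the only thing chain input sees), as an added example that is not code from the thread: a small Python model of the RouterOS packet flow sindy describes, run once with the posted mangle rules and once with the connection mark moved to chain prerouting. Interface, mark and LAN host names follow the posted export; 203.0.113.10 and 198.51.100.7 are documentation-range stand-ins for the obfuscated public addresses, the RouterOS line shown in a comment is the assumed corrected rule, and the src-address-list match of the posted rule is left out of the model.

```python
"""Model of the RouterOS chain order described in the thread (added example).

Order modelled:  prerouting mangle -> dst-nat -> routing decision ->
chain input (router's own traffic) or chain forward.  Reply packets from
the LAN pass prerouting mangle again, where a connection-mark is turned
into a routing-mark that selects the routing table.
"""
from dataclasses import dataclass
from typing import Optional

# Addresses the router itself owns (203.0.113.10 stands in for 203.X.X.X).
ROUTER_IPS = {"203.0.113.10", "172.13.1.1"}
# From the posted export: dst-nat 203.X.X.X:3389 -> 172.13.3.2:3389
DSTNAT = {("203.0.113.10", 3389): "172.13.3.2"}


@dataclass
class Rule:
    chain: str                            # prerouting | input | output
    action: str                           # mark-connection | mark-routing
    new_mark: str
    in_interface: Optional[str] = None
    connection_state: Optional[str] = None
    connection_mark: Optional[str] = None


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int = 0
    routing_mark: Optional[str] = None


@dataclass
class Conn:
    mark: Optional[str] = None            # conntrack entry shared by both directions


def run_chain(rules, chain, pkt, conn, state):
    """Apply the mangle rules of one chain; every rule is passthrough=yes."""
    for r in rules:
        if r.chain != chain:
            continue
        if r.in_interface and r.in_interface != pkt.in_iface:
            continue
        if r.connection_state and r.connection_state != state:
            continue
        if r.connection_mark and r.connection_mark != conn.mark:
            continue
        if r.action == "mark-connection":
            conn.mark = r.new_mark
        elif r.action == "mark-routing":
            pkt.routing_mark = r.new_mark


def inbound(rules, pkt, conn):
    """First packet from the WAN: mangle prerouting, then dst-nat, then the routing decision."""
    run_chain(rules, "prerouting", pkt, conn, "new")
    pkt.dst = DSTNAT.get((pkt.dst, pkt.dport), pkt.dst)   # dst-nat runs after mangle
    chain = "input" if pkt.dst in ROUTER_IPS else "forward"
    if chain == "input":                                   # only the router's own traffic
        run_chain(rules, "input", pkt, conn, "new")
    return chain, conn.mark


def reply(rules, pkt, conn):
    """Reply from the LAN host: prerouting mangle decides which routing table is used."""
    run_chain(rules, "prerouting", pkt, conn, "established")
    return pkt.routing_mark or "main"


# Rules as posted: connection-mark set in chain input, read in chain prerouting.
POSTED = [
    Rule("input", "mark-connection", "CIR-Nayatel", in_interface="ether3"),
    Rule("prerouting", "mark-routing", "TO_CIR-Nayatel",
         in_interface="ether2", connection_mark="CIR-Nayatel"),
]

# Assumed fix: mark the connection in prerouting on its first packet, i.e.
# /ip firewall mangle add chain=prerouting in-interface=ether3 \
#     connection-state=new action=mark-connection \
#     new-connection-mark=CIR-Nayatel passthrough=yes
FIXED = [
    Rule("prerouting", "mark-connection", "CIR-Nayatel",
         in_interface="ether3", connection_state="new"),
    Rule("prerouting", "mark-routing", "TO_CIR-Nayatel",
         in_interface="ether2", connection_mark="CIR-Nayatel"),
]


def trace_dstnat(rules):
    """RDP from the internet to the dst-nated host: (chain, conn mark, table used by the reply)."""
    conn = Conn()
    chain, mark = inbound(rules, Packet("ether3", "198.51.100.7", "203.0.113.10", 3389), conn)
    table = reply(rules, Packet("ether2", "172.13.3.2", "198.51.100.7"), conn)
    return chain, mark, table


def trace_own(rules):
    """Winbox to the router itself: the only traffic chain input ever sees."""
    return inbound(rules, Packet("ether3", "198.51.100.7", "203.0.113.10", 8219), Conn())


if __name__ == "__main__":
    print("posted:", trace_dstnat(POSTED))   # ('forward', None, 'main')
    print("fixed: ", trace_dstnat(FIXED))    # ('forward', 'CIR-Nayatel', 'TO_CIR-Nayatel')
    print("own:   ", trace_own(POSTED))      # ('input', 'CIR-Nayatel')
```

With the posted rules the dst-nated connection never gets a connection-mark, so its replies fall back to table main and leave through whichever WAN the main table prefers, while the router's own Winbox session does get marked; moving the mark-connection rule to prerouting with connection-state=new marks the connection on its first packet regardless of whether it ends up in input or forward.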
 
zainamjed90
just joined
Topic Author
Posts: 9
Joined: Mon Aug 02, 2021 12:41 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Sun Sep 05, 2021 7:23 pm

Yes, I could not elaborate previously; thank you for understanding. Yes, the same is happening: as soon as I activate the route with the mark-routing entry, the static routing stops working. Please let me know which config should be changed.

 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Sun Sep 05, 2021 7:51 pm

As soon as I activate the route with the mark-routing entry, the static routing stops working. Please let me know which config should be changed.
In the configuration you've posted, the two routes with routing-mark are not disabled. Is what you posted the exact configuration state when "far end cannot reach the 172.13.2.1/24,172.13.3.1/24"?

If yes, what is that "far end" which cannot connect to 172.13.x.y - something in the internet, i.e. the traffic from there comes to 203.99.xx.xx and is dst-nated to the 172.13.x.y?
 
zainamjed90
just joined
Topic Author
Posts: 9
Joined: Mon Aug 02, 2021 12:41 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Sun Sep 05, 2021 8:11 pm

Yes, correct, the marked routes are enabled. My far end is basically the network on 172.14.0.0/16, 172.14.0.0/16; these MikroTik devices don't get a response from 172.13.2.1/24, 172.13.3.1/24.

 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Sun Sep 05, 2021 8:25 pm

Nothing in the configuration explains why the mere presence of the routes with routing-mark should affect forwarding between 172.13.0.0/16 and 172.14.0.0/16.

Did it work before the upgrade to 6.48.4?
 
zainamjed90
just joined
Topic Author
Posts: 9
Joined: Mon Aug 02, 2021 12:41 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Sun Sep 05, 2021 8:42 pm

Not tried on the previous version; shall I downgrade? Further, for more clarity I am drawing the network diagram for all the network sites.

 
zainamjed90
just joined
Topic Author
Posts: 9
Joined: Mon Aug 02, 2021 12:41 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Wed Sep 08, 2021 2:32 pm

Attaching the network diagram for more clarity, please review.
[Attachment: network diagram (not available)]
 
zainamjed90
just joined
Topic Author
Posts: 9
Joined: Mon Aug 02, 2021 12:41 pm

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

Wed Sep 15, 2021 9:07 am

As discussed, sharing the network diagram.
[Attachment: network diagram (not available)]
