omidkosari
Trainer
Topic Author
Posts: 617
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran, Karaj

Routing priority

Wed Nov 12, 2008 10:17 pm

We know that when an interface with an IP is created, MikroTik automatically creates a dynamic route for that interface.
How can we create a route with higher priority for that IP?
      DST-ADDRESS        PREF-SRC   GATEWAY-STATE  GATEWAY  DISTANCE  INTERFACE
ADC   11.22.33.44/32     1.2.3.4                            0         <pppoe-1234>
Now we want, for example, to route all traffic or just port 80 traffic to 5.6.7.8 instead of <pppoe-1234>.

The question looks a little strange, but this is the only way of implementing TPROXY in a complex network in which the squid should not be the main gateway or bridged?

Please share your knowledge
 
Chupaka
Forum Guru
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Routing priority

Wed Nov 12, 2008 11:16 pm

why not just add another routing table with some routing-mark, and use mangle to decide which route should be used?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: Routing priority

Wed Nov 12, 2008 11:18 pm

You can also use the dynamic-in chain in the routing filters to change the distance on a dynamic route as it is learned.
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
Chupaka
Forum Guru

Re: Routing priority

Wed Nov 12, 2008 11:23 pm

do connected routes have distance? O_o

can you filter locally generated routes?..
 
changeip
Forum Guru

Re: Routing priority

Thu Nov 13, 2008 12:05 am

with routing filters and the dynamic-in chain you should be able to. specify type=connect.
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Thu Nov 13, 2008 8:56 am

changeip wrote:
"You can also use the dynamic-in chain in the routing filters to change the distance on a dynamic route as it is learned."
"with routing filters and the dynamic-in chain you should be able to. specify type=connect."

Thanks a lot for the professional answer. I think such valuable answers are very useful in the forum. I am going to do some trial and error on it :wink:
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Thu Nov 13, 2008 10:52 am

May I request a bit more explanation, please?
I have tested many combinations of arguments but with no success.
chain=dynamic-in prefix=11.22.33.44 prefix-length=0-32 protocol=connect invert-match=no action=passthrough set-distance=1

I also changed the values of "action", "scope", "target-scope" etc.
If it applies successfully, should the distance value of the dynamic interface change to the new value, or does it remain 0 in "/ip route print"?
 
mrz
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Routing priority

Thu Nov 13, 2008 11:14 am

As far as I know, you cannot change the administrative distance of a connected interface. It will always be 0.
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Thu Nov 13, 2008 11:23 am

So what do chain=dynamic-in and type=connect mean? Are they useless?
 
mrz
MikroTik Support

Re: Routing priority

Thu Nov 13, 2008 1:15 pm

FYI: To filter connected routes you have to use chain=connected-in without types.
But as I mentioned previously it is not possible to change connected route distance.
 
mrz
MikroTik Support

Re: Routing priority

Thu Nov 13, 2008 1:18 pm

Connected routes can be replaced by static routes with more specific netmask. However you already have /32 route. Maybe it's time to reorganize your network.
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Thu Nov 13, 2008 1:30 pm

My final goal is to route port 80 traffic to another IP, not to change the distance. If you know a better way, I will use that.
I want exactly to, for example, route all traffic or just port 80 traffic to 5.6.7.8 instead of <pppoe-1234>, as I mentioned before.
 
Muqatil
Trainer
Posts: 574
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK

Re: Routing priority

Thu Nov 13, 2008 1:39 pm

mangle routing-mark traffic dst-port=80 as HTTP
then route HTTP to another gateway
Renato Bernardi

skype: medtech5
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Thu Nov 13, 2008 1:55 pm

I did that also:
dst-address=0.0.0.0/0 gateway=5.6.7.8 distance=1 scope=255 target-scope=10 routing-mark=test-route
The problem is this:
dst-address=11.22.33.44 gateway=5.6.7.8 distance=1 scope=255 target-scope=10 routing-mark=test-route
The above line is not working because of
ADC  dst-address=11.22.33.44 pref-src=10.10.10.10 interface=<pppoe-1234> distance=0 scope=10
The distance=0, so it has higher priority.
 
Chupaka
Forum Guru

Re: Routing priority

Thu Nov 13, 2008 7:02 pm

hmmm... they are in different routing tables, so they cannot affect each other...
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Thu Nov 13, 2008 7:18 pm

Please suggest a solution. I am sure there is a way.
 
changeip
Forum Guru

Re: Routing priority

Thu Nov 13, 2008 9:33 pm

can you just dst-NAT port 80 to 5.6.7.8 ?
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Thu Nov 13, 2008 9:39 pm

Tried already. Again we have the same problem.
dst-address=11.22.33.44 gateway=5.6.7.8 distance=1 scope=255 target-scope=10 routing-mark=test-route
If the above line works, we can use dst-nat instead of route, which I will use after finding a solution.
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Thu Nov 13, 2008 9:55 pm

The only way I could implement it is a little strange, but I will describe it. It is not useful, but it works.
Assume I do not have IP address 11.22.33.44 on any interface, but I have created
chain=srcnat action=src-nat to-addresses=11.22.33.44 src-address=192.168.0.0/24
so I do not have any route to 11.22.33.44 in my routing table, because I do not have this IP address on any interface.
Then I mangled and mark-routed them
chain=prerouting action=mark-routing new-routing-mark=test passthrough=yes src-address=192.168.0.0/24
and routed it
dst-address=0.0.0.0/0 gateway=5.6.7.8 distance=1 scope=255 target-scope=10 routing-mark=test
The above two lines could also be one dst-nat line like this
chain=dstnat action=dst-nat to-addresses=5.6.7.8 to-ports=8080 protocol=tcp src-address=192.168.0.0/24 dst-port=80
but the key is this line, which is also the problem
dst-address=11.22.33.44 gateway=5.6.7.8 distance=1 scope=255 target-scope=10
This works, but I do not have that IP on any interface, so distance=1 is the highest priority. But as I mentioned, it is not useful and it is just a test in the lab.
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Fri Nov 14, 2008 10:22 am

Any suggestions from the MikroTik team, or other professionals?
 
Chupaka
Forum Guru

Re: Routing priority

Fri Nov 14, 2008 12:03 pm

please describe in more detail, what exactly you want. 'change gateway' and 'dst-nat' are absolutely different things!
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Fri Nov 14, 2008 1:29 pm

I have implemented balabit tproxy on the squid box (IP address 5.6.7.8) and redirect port 80 traffic to squid. We can do that with dst-nat to squid's tproxy port, or route it to squid and have iptables (with the TPROXY patch) redirect it to squid's tproxy port.
Then squid should virtually connect to the internet with the client's IP, and the problem begins here. If squid wants to connect with the client's IP (for example 11.22.33.44) and MikroTik automatically creates
ADC  dst-address=11.22.33.44 pref-src=10.10.10.10 interface=<pppoe-1234> distance=0 scope=10
so squid cannot connect to the internet with IP address 11.22.33.44.
If we could change the distance to a higher value, or in any other way, then we could add a route with higher priority for port 80 to route to squid.

Now?
 
Chupaka
Forum Guru

Re: Routing priority

Fri Nov 14, 2008 4:00 pm

oh, I see... I think, the problem is not where you are looking for it...

I think, your packets go from user to proxy normally. general question is that: can you ensure the packets are returned to user via proxy, not directly to user from internet gateway?

please describe your network structure
 
Mplsguy
MikroTik Support
Posts: 226
Joined: Fri Jun 06, 2008 5:06 pm

Re: Routing priority

Fri Nov 14, 2008 4:22 pm

Even if you could create such route your setup would not work anyway, because traffic coming back from squid box (it would have destination address of client if I understand you correctly) would be routed back to squid box due to that "high priority" route.

I guess you can try to make this setup like this:
- add mangle rule: dst-port=80 src-address=<clients> in-interface=!squidinterface new-routing-mark=to-squid (this catches traffic from clients that should go to squid - you have to make sure that rule does not match traffic coming from squid to internet!)
- add mangle rule: src-port=80 dst-address=<clients> in-interface=internet new-routing-mark=to-squid (this catches traffic coming back from internet that should go to squid - you have to make sure that rule does not match traffic coming from squid to clients)
- create default route with routing-mark=to-squid gateway=<squidbox>
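
The three steps from Mplsguy's post written out as RouterOS commands, as an added example that is not part of the original thread and not MikroTik's own configuration. The interface names ether1-wan and ether3-squid are assumptions (squid is assumed to sit on its own interface), 11.22.33.44 and 5.6.7.8 are the client and squid addresses used in the thread, and the syntax is that of RouterOS versions that take routing-mark on routes.

```routeros
# Added example. Assumed names: ether1-wan (internet uplink) and
# ether3-squid (link to the squid box). Widen 11.22.33.44/32 to the
# real client range, or match on a src/dst address list instead.

/ip firewall mangle
# Clients -> web servers: mark port-80 requests for the to-squid table.
# in-interface=!ether3-squid keeps squid's own spoofed-source requests
# (which carry the client's address) out of this rule, so they follow
# the main table to the internet instead of looping back to squid.
add chain=prerouting action=mark-routing new-routing-mark=to-squid \
    passthrough=no protocol=tcp dst-port=80 \
    src-address=11.22.33.44/32 in-interface=!ether3-squid \
    comment="client HTTP to squid"

# Web servers -> clients: replies arriving from the internet are addressed
# to the client, but must go to squid, which opened the connection.
# Matching only in-interface=ether1-wan keeps squid's answers to the
# client on the connected route in the main table.
add chain=prerouting action=mark-routing new-routing-mark=to-squid \
    passthrough=no protocol=tcp src-port=80 \
    dst-address=11.22.33.44/32 in-interface=ether1-wan \
    comment="HTTP replies to squid"

/ip route
# Default route that exists only in the to-squid table. The connected
# ADC route for 11.22.33.44/32 (distance 0) is in the main table and is
# not consulted for marked packets that this route already resolves.
add dst-address=0.0.0.0/0 gateway=5.6.7.8 routing-mark=to-squid \
    comment="policy route via squid"

# Verification: the mangle counters should increase for both rules,
# and the marked default route should be listed as active.
/ip firewall mangle print stats
/ip route print where routing-mark=to-squid
```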
 
omidkosari
Trainer
Topic Author

Re: Routing priority

Sat Nov 15, 2008 2:24 pm

Mplsguy wrote:
"Even if you could create such route your setup would not work anyway, because traffic coming back from squid box (it would have destination address of client if I understand you correctly) would be routed back to squid box due to that "high priority" route.

I guess you can try to make this setup like this:
- add mangle rule: dst-port=80 src-address=<clients> in-interface=!squidinterface new-routing-mark=to-squid (this catches traffic from clients that should go to squid - you have to make sure that rule does not match traffic coming from squid to internet!)
- add mangle rule: src-port=80 dst-address=<clients> in-interface=internet new-routing-mark=to-squid (this catches traffic coming back from internet that should go to squid - you have to make sure that rule does not match traffic coming from squid to clients)
- create default route with routing-mark=to-squid gateway=<squidbox>"

Thank you very much. You are the boss. The problem is solved. I can't believe it.

Now a little problem happens. The users behind NAT have a problem. What is your suggestion? When I did my strange implementation, which is described in this post http://forum.mikrotik.com/viewtopic.php ... 21#p135121, the NAT users were working, but now they can't.
 
Mplsguy
MikroTik Support

Re: Routing priority

Mon Nov 17, 2008 2:41 pm

Please explain the problem some more - what exactly do you want to achieve, current network diagram, where users are connected, where is NAT taking place.
