Routing priority

Posted: Wed Nov 12, 2008 10:17 pm
by omidkosari
We know that when an interface with an IP is created, MikroTik automatically creates a dynamic route for that interface.
How can we create a route with higher priority for that IP?
      DST-ADDRESS      PREF-SRC   GATEWAY-STATE  GATEWAY  DISTANCE  INTERFACE
ADC   11.22.33.44/32   1.2.3.4                            0         <pppoe-1234>
Now we want to, for example, route all traffic or just port 80 traffic to 5.6.7.8 instead of <pppoe-1234>.

The question looks a little strange, but this is the only way of implementing TPROXY in a complex network in which the Squid box should not be the main gateway or bridged?

Please share your knowledge.

Re: Routing priority

Posted: Wed Nov 12, 2008 11:16 pm
by Chupaka
Why not just add another routing table with some routing-mark, and use mangle to decide which route should be used?

Re: Routing priority

Posted: Wed Nov 12, 2008 11:18 pm
by changeip
You can also use the dynamic-in chain in the routing filters to change the distance on a dynamic route as it is learned.

Re: Routing priority

Posted: Wed Nov 12, 2008 11:23 pm
by Chupaka
Do connected routes have distance? O_o

Can you filter locally generated routes?

Re: Routing priority

Posted: Thu Nov 13, 2008 12:05 am
by changeip
With routing filters and the dynamic-in chain you should be able to. Specify type=connect.

Re: Routing priority

Posted: Thu Nov 13, 2008 8:56 am
by omidkosari
You can also use the dynamic-in chain in the routing filters to change the distance on a dynamic route as it is learned.
with routing filters and the dynamic-in chain you should be able to. specify type=connect.
Thanks a lot for the professional answers. I think such valuable answers are very useful in the forum. I am going to trial-and-error it :wink:

Re: Routing priority

Posted: Thu Nov 13, 2008 10:52 am
by omidkosari
May I request a bit more explanation, please?
I have tested many combinations of arguments, but with no success.
chain=dynamic-in prefix=11.22.33.44 prefix-length=0-32 protocol=connect invert-match=no action=passthrough set-distance=1

I also changed the values of "action", "scope", "target-scope", etc.
If it applies successfully, should the distance value of the dynamic interface be changed to the new value, or does it remain 0 in "/ip route print"?

Re: Routing priority

Posted: Thu Nov 13, 2008 11:14 am
by mrz
As far as I know you cannot change the administrative distance of a connected interface. It will always be 0.

Re: Routing priority

Posted: Thu Nov 13, 2008 11:23 am
by omidkosari
So what do chain=dynamic-in and type=connect mean? Are they useless?

Re: Routing priority

Posted: Thu Nov 13, 2008 1:15 pm
by mrz
FYI: To filter connected routes you have to use chain=connected-in without types.
But as I mentioned previously, it is not possible to change a connected route's distance.

Re: Routing priority

Posted: Thu Nov 13, 2008 1:18 pm
by mrz
Connected routes can be replaced by static routes with a more specific netmask. However, you already have a /32 route. Maybe it's time to reorganize your network.

Re: Routing priority

Posted: Thu Nov 13, 2008 1:30 pm
by omidkosari
My final goal is to route port 80 traffic to another IP, not to change the distance. If you know a better way I will use that.
Exactly as I mentioned before, I want to, for example, route all traffic or just port 80 traffic to 5.6.7.8 instead of <pppoe-1234>.

Re: Routing priority

Posted: Thu Nov 13, 2008 1:39 pm
by Muqatil
Mangle routing-mark traffic with dst-port=80 as HTTP,
then route HTTP to another gateway.

Re: Routing priority

Posted: Thu Nov 13, 2008 1:55 pm
by omidkosari
I did that too:
dst-address=0.0.0.0/0 gateway=5.6.7.8 distance=1 scope=255 target-scope=10 routing-mark=test-route
The problem is this:
dst-address=11.22.33.44 gateway=5.6.7.8 distance=1 scope=255 target-scope=10 routing-mark=test-route
The above line is not working because of
ADC  dst-address=11.22.33.44 pref-src=10.10.10.10 interface=<pppoe-1234> distance=0 scope=10
The distance is 0, so it has higher priority.

Re: Routing priority

Posted: Thu Nov 13, 2008 7:02 pm
by Chupaka
Hmmm... they are in different routing tables, so they cannot affect each other...

Re: Routing priority

Posted: Thu Nov 13, 2008 7:18 pm
by omidkosari
Please suggest a solution. I am sure there is a way.

Re: Routing priority

Posted: Thu Nov 13, 2008 9:33 pm
by changeip
Can you just dst-NAT port 80 to 5.6.7.8?

Re: Routing priority

Posted: Thu Nov 13, 2008 9:39 pm
by omidkosari
Tried already. Again we have the same problem.
dst-address=11.22.33.44 gateway=5.6.7.8 distance=1 scope=255 target-scope=10 routing-mark=test-route
If the above line works, we can use dst-nat instead of a route, which I will use after finding a solution.

Re: Routing priority

Posted: Thu Nov 13, 2008 9:55 pm
by omidkosari
The only way I could implement it is a little strange, but I will describe it. It is not useful, but it works.
Assume I do not have IP address 11.22.33.44 on any interface, but I have created
chain=srcnat action=src-nat to-addresses=11.22.33.44 src-address=192.168.0.0/24
so I do not have any route to 11.22.33.44 in my routing table, because I do not have this IP address on any interface.
Then I mangled and mark-routed them
chain=prerouting action=mark-routing new-routing-mark=test passthrough=yes src-address=192.168.0.0/24
and routed it
dst-address=0.0.0.0/0 gateway=5.6.7.8 distance=1 scope=255 target-scope=10 routing-mark=test
The above two lines could also be a single dst-nat line like this
chain=dstnat action=dst-nat to-addresses=5.6.7.8 to-ports=8080 protocol=tcp src-address=192.168.0.0/24 dst-port=80
But the key is this line, which is also the problem
dst-address=11.22.33.44 gateway=5.6.7.8 distance=1 scope=255 target-scope=10
This works, but I do not have that IP on any interface, so distance=1 is the highest priority. But as I mentioned, it is not useful and it is just a test in the lab.

Re: Routing priority

Posted: Fri Nov 14, 2008 10:22 am
by omidkosari
Any suggestions from the MikroTik team? Or other professionals?

Re: Routing priority

Posted: Fri Nov 14, 2008 12:03 pm
by Chupaka
Please describe in more detail what exactly you want. 'change gateway' and 'dst-nat' are absolutely different things!

Re: Routing priority

Posted: Fri Nov 14, 2008 1:29 pm
by omidkosari
I have implemented Balabit TPROXY on the Squid box (IP address 5.6.7.8) and redirect port 80 traffic to Squid. We can do that with dst-nat to Squid's TPROXY port, or route it to Squid and have iptables (with the TPROXY patch) redirect it to Squid's TPROXY port.
Then Squid should virtually connect to the internet with the client's IP, and the problem begins here. If Squid wants to connect with the client's IP (for example 11.22.33.44), MikroTik automatically creates
ADC  dst-address=11.22.33.44 pref-src=10.10.10.10 interface=<pppoe-1234> distance=0 scope=10
so Squid cannot connect to the internet with IP address 11.22.33.44.
If we could change the distance to a higher value, or find any other way, then we could add a route with higher priority for port 80 to route to Squid.

Now?

Re: Routing priority

Posted: Fri Nov 14, 2008 4:00 pm
by Chupaka
Oh, I see... I think the problem is not where you are looking for it...

I think your packets go from user to proxy normally. The general question is this: can you ensure the packets are returned to the user via the proxy, not directly to the user from the internet gateway?

Please describe your network structure.

Re: Routing priority

Posted: Fri Nov 14, 2008 4:22 pm
by Mplsguy
Even if you could create such route your setup would not work anyway, because traffic coming back from squid box (it would have destination address of client if I understand you correctly) would be routed back to squid box due to that "high priority" route.

I guess you can try to make this setup like this:
- add mangle rule: dst-port=80 src-address=<clients> in-interface=!squidinterface new-routing-mark=to-squid (this catches traffic from clients that should go to squid - you have to make sure that rule does not match traffic coming from squid to internet!)
- add mangle rule: src-port=80 dst-address=<clients> in-interface=internet new-routing-mark=to-squid (this catches traffic coming back from internet that should go to squid - you have to make sure that rule does not match traffic coming from squid to clients)
- create default route with routing-mark=to-squid gateway=<squidbox>
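The three steps above written out as RouterOS CLI, as an added example that is not part of Mplsguy's post. The client subnet 192.168.0.0/24 and the Squid address 5.6.7.8 come from earlier in the thread; the interface names ether-squid and ether-wan are assumed.

```routeros
# Added example (not from the thread). Assumes:
#   clients      = 192.168.0.0/24   (from omidkosari's posts)
#   squid box    = 5.6.7.8          (from omidkosari's posts)
#   ether-squid  = interface facing the Squid box   (assumed name)
#   ether-wan    = interface facing the internet    (assumed name)

/ip firewall mangle
# Step 1: client -> internet HTTP requests get the to-squid mark.
# in-interface=!ether-squid keeps the rule from re-marking the
# TPROXY'd requests Squid sends out with the client's source IP.
# Port matchers need protocol=tcp or the rule is rejected.
add chain=prerouting src-address=192.168.0.0/24 protocol=tcp dst-port=80 \
    in-interface=!ether-squid action=mark-routing \
    new-routing-mark=to-squid passthrough=no \
    comment="TPROXY: client HTTP requests to squid"

# Step 2: internet -> client HTTP replies also get the to-squid mark,
# so the server's answer reaches Squid instead of the client directly.
# in-interface=ether-wan keeps it from matching Squid -> client replies.
add chain=prerouting dst-address=192.168.0.0/24 protocol=tcp src-port=80 \
    in-interface=ether-wan action=mark-routing \
    new-routing-mark=to-squid passthrough=no \
    comment="TPROXY: HTTP replies from internet to squid"

/ip route
# Step 3: a default route that only marked packets use. It lives in its
# own routing table, so the ADC /32 connected route (distance 0) in the
# main table never competes with it.
add dst-address=0.0.0.0/0 gateway=5.6.7.8 routing-mark=to-squid \
    comment="TPROXY: marked traffic goes to squid"

# Checks: the marked table should show exactly this route, and the two
# mangle counters should grow only while clients browse.
/ip route print detail where routing-mark=to-squid
/ip firewall mangle print stats where new-routing-mark=to-squid
```

Traffic that Squid itself originates (from ether-squid) matches neither mangle rule, so it follows the main table and leaves via the normal gateway, which is the asymmetry Mplsguy's in-interface conditions exist to create.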

Re: Routing priority

Posted: Sat Nov 15, 2008 2:24 pm
by omidkosari
Even if you could create such route your setup would not work anyway, because traffic coming back from squid box (it would have destination address of client if I understand you correctly) would be routed back to squid box due to that "high priority" route.

I guess you can try to make this setup like this:
- add mangle rule: dst-port=80 src-address=<clients> in-interface=!squidinterface new-routing-mark=to-squid (this catches traffic from clients that should go to squid - you have to make sure that rule does not match traffic coming from squid to internet!)
- add mangle rule: src-port=80 dst-address=<clients> in-interface=internet new-routing-mark=to-squid (this catches traffic coming back from internet that should go to squid - you have to make sure that rule does not match traffic coming from squid to clients)
- create default route with routing-mark=to-squid gateway=<squidbox>
Thank you veryyyyyyyyyyyyyyy much. You are the boss. The problem is solved. I can't believe it.

Now a little problem happens. The users behind NAT have a problem. What is your suggestion? When I did my strange implementation, which I described in this post http://forum.mikrotik.com/viewtopic.php ... 21#p135121, the NAT users were working, but now they can't.

Re: Routing priority

Posted: Mon Nov 17, 2008 2:41 pm
by Mplsguy
Please explain the problem some more: what exactly you want to achieve, the current network diagram, where the users are connected, and where NAT is taking place.