SteveD
just joined
Topic Author
Posts: 10
Joined: Thu Apr 07, 2005 2:24 am

Policy Routing?

Sat May 14, 2005 3:11 am

Is Policy Routing available in 2.9? I haven't been able to find anything similar to 2.8 although it's still in the mangle setup.

Thanks!

Steve
 
palmczak
Frequent Visitor
Posts: 78
Joined: Sat May 29, 2004 7:53 pm

Sat May 14, 2005 4:08 am

Yes, it is available.

But now it is integrated. Use the new action "mark routing" and then route on the mark.

Still figuring it out myself.

Joe
 
SteveD
just joined
Topic Author
Posts: 10
Joined: Thu Apr 07, 2005 2:24 am

Sat May 14, 2005 4:21 am

Thanks for the info. What I'm trying to do is set up two different routes to the Internet but I can't figure out how to add two default gateways (even using mark routing). If I try to add a new gateway route using a mark routing tag, it just overwrites the original default gateway.

Also, what's the use of a second gateway address when you configure thru winbox? If I click the arrow, another space opens up and I can enter a second IP. Haven't figured out why yet?
 
SteveD
just joined
Topic Author
Posts: 10
Joined: Thu Apr 07, 2005 2:24 am

Sun May 15, 2005 6:52 am

Solved in RC2. Works great.
 
billr
Member Candidate
Posts: 106
Joined: Tue May 03, 2005 8:28 pm

Wed May 18, 2005 6:15 pm

Hi,

I've ..sort of.. got policy routing going in 2.9 ..... But can you elaborate on how you use the MARK and how to ensure the ip range you specify goes to the correct gateway..

I want to do exactly what you say you have done... but am kinda hazy on it !! There is not yet a 2.9 policy routing manual to read..

Many thanks..
 
billr
Member Candidate
Posts: 106
Joined: Tue May 03, 2005 8:28 pm

Wed May 18, 2005 10:37 pm

Steve,

Could you post an example of your mark and mangle chains please as I am really floundering here !!

Cheers.
 
SteveD
just joined
Topic Author
Posts: 10
Joined: Thu Apr 07, 2005 2:24 am

Thu May 19, 2005 2:23 am

Sure thing.

First thing you do is create an address list of the IPs you want to route out your secondary gateway. Do that thru IP / Firewall / Address List in Winbox.

Then add your mangle:

chain=prerouting in-interface=lan1 src-address-list=dsl_out action=mark-routing new-routing-mark=dsl

lan1 is the interface the clients are coming in on in this example

In Winbox add a route as follows:

Destination: 0.0.0.0/0
Gateway: a.b.c.d (whatever your secondary gateway's ip is)
Mark: dsl


This only worked in RC2 so make sure you're on the latest.
 
billr
Member Candidate
Posts: 106
Joined: Tue May 03, 2005 8:28 pm

Thu May 19, 2005 9:33 am

Thanks a million..

At least it is a start - before I was totally stuffed.
And thanks for the WINBOX examples, I use Winbox but the manuals mention the command line (ok you can translate but this is better)

MANY thanks again.

I will try to let you know how I get on..

Cheers, Bill
 
billr
Member Candidate
Posts: 106
Joined: Tue May 03, 2005 8:28 pm

Thu May 19, 2005 12:32 pm

One final point, I have (obviously) TWO in - interfaces, and one out.

To correspond with your example, I would assume those addresses NOT routed via my secondary gateway would go via the primary gateway??

Have I got it yet ??!!

Cheers and many thanks again.
 
SteveD
just joined
Topic Author
Posts: 10
Joined: Thu Apr 07, 2005 2:24 am

Thu May 19, 2005 2:06 pm

Those addresses not route-marked will follow the original routes.

One other thing you should be aware of is the route-marked packets will not see any other routes in your router either.

And if you don't have a spare Tik box to test things on, get one. Saves a lot of grief.
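
The lookup behaviour described in this post, as an added example that is not part of the original thread and is not RouterOS code: a small Python model of the mangle rule and marked default route from the earlier post. The addresses, the `lan2` route and the function names are constructed for illustration, and the rule that a marked packet sees only routes carrying its mark is taken from the post as an assumption, not verified against RouterOS.

```python
import ipaddress

# Constructed sample config in RouterOS key=value style (documentation addresses).
ADDRESS_LISTS = {"dsl_out": ["192.0.2.16/28"]}
MANGLE = [
    "chain=prerouting in-interface=lan1 src-address-list=dsl_out "
    "action=mark-routing new-routing-mark=dsl",
]
ROUTES = [
    "dst-address=192.0.2.0/24 interface=lan1",
    "dst-address=198.51.100.0/24 interface=lan2",
    "dst-address=0.0.0.0/0 gateway=203.0.113.1",
    "dst-address=0.0.0.0/0 gateway=203.0.113.129 routing-mark=dsl",
]

def fields(line):
    """Parse space-separated key=value tokens into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def routing_mark(src, in_interface):
    """Mark set by the first matching mark-routing rule (model simplification)."""
    for rule in map(fields, MANGLE):
        if rule.get("action") != "mark-routing":
            continue
        if rule.get("in-interface", in_interface) != in_interface:
            continue
        name = rule.get("src-address-list")
        nets = ["0.0.0.0/0"] if name is None else ADDRESS_LISTS.get(name, [])
        if any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in nets):
            return rule["new-routing-mark"]
    return None

def next_hop(dst, mark):
    """Longest-prefix match over routes whose routing-mark equals `mark`.

    Assumption taken from the post above: a marked packet sees only routes
    carrying its mark; an unmarked packet (mark=None) sees only unmarked ones.
    """
    best = None
    for route in map(fields, ROUTES):
        net = ipaddress.ip_network(route["dst-address"])
        if route.get("routing-mark") == mark and ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, route.get("gateway") or route["interface"])
    return best[1] if best else None

def trace(src, dst, in_interface="lan1"):
    """Return the gateway (or interface) a packet would be sent to."""
    return next_hop(dst, routing_mark(src, in_interface))
```

In this model `trace("192.0.2.20", "198.51.100.7")` returns the secondary gateway rather than `lan2`, so a marked client reaches the second LAN only if a route to it also carries the mark, which is how the local routes appear in the route table posted later in this thread.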
 
billr
Member Candidate
Posts: 106
Joined: Tue May 03, 2005 8:28 pm

Thu May 19, 2005 4:36 pm

Ok I guess I could do with a ..little.. more help - sorry.
(BTW I help run a small wISP, I am at the end of the line and have a couple more routes into the wISP if I screw up the MT box - I am getting used to wiping the routing table and restarting from a plugged in terminal ;-))

a) The address - list. In the drop down box I call it (say) ADSL.

b) MANGLE is the thing that gets me.. In-interface is ether1 for me. SRC-address-list is what ?? ADSL ??
Action mark-routing is obvious
new-routing-mark= ADSL again ??

c) Then the new route is ok, the secondary gateway is ether1, and the mark is ADSL.

Only trouble is, I think I have got the mangled **mangled up**. Because it does not work..

Sorry to be such a dimwit but I am mainly the radio guy, and the computer IP person a long way second...

Cheers !!
 
SteveD
just joined
Topic Author
Posts: 10
Joined: Thu Apr 07, 2005 2:24 am

Fri May 20, 2005 1:42 am

In Winbox:

Mangle Rule

General Tab:
Chain: Prerouting
In Interface: ether1

Advanced Tab:
Src. Address List: ADSL

Action Tab:
Action: mark routing
New Routing Mark: adsl


You shouldn't have anything else in the Mangle Tabs selected. If you set it up that way, you should see the packet/byte counts increasing and you should be seeing traffic on the Statistics Tab. If you don't, the only thing I can think of is you don't have the right addresses in your ADSL Address List?
 
billr
Member Candidate
Posts: 106
Joined: Tue May 03, 2005 8:28 pm

Fri May 20, 2005 12:35 pm

Thanks, I had the wrong IN-INTERFACE specified in the MANGLE.
I was specifying the 'out interface' ie the secondary gateway.

Whereas when I specify the main interface everything comes in on it works wonderfully.

I can change my PC ip and see the route change from the ethernet/DSL to the wireless/wISP.

SO - very many thanks.

PS this is routed via the ethernet/DSL line !!
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Mon May 30, 2005 8:06 am

I am trying to route port 25 and others out a different connection using routing marks. The mangle counters are increasing so I know the packets are getting marked, but it seems the routing table is not routing based on mark. I cannot use address lists with source/dest ports. Previously in 2.8 we had to mark the connection, mark the flow, and then set up the route table to handle that. When importing the configuration into 2.9 we lost some of that config so I'm trying to figure out what to add back. For starters I just want anything coming in on 2nd connection to route right back out the second connection, but it's not using the route I've set up. Is there no more marking the connection and then the flow, you simply mangle and add the routing mark once? We are using NAT on both connections, and all src-nats are set up as previously were in 2.8 (using masq).

If I can get this working correctly I will post configs for others to use.
[admin@mikroHome] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting in-interface=3-coxRes action=mark-routing new-routing-mark=coxres 
 1   chain=prerouting in-interface=2-sony action=mark-routing new-routing-mark=coxres 

[admin@mikroHome] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 1   chain=srcnat out-interface=3-coxRes action=masquerade 
 2   chain=srcnat out-interface=1-coxBiz action=masquerade 

[admin@mikroHome] ip route> print terse
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf 
 0 A S dst-address=10.10.10.0/24 gateway=10.10.10.1 interface=onboard-inside gateway-state=reachable distance=1 scope=255 target-scope=10 routing-mark=coxres 
 1 ADC dst-address=10.10.10.0/24 prefsrc=10.10.10.1 interface=onboard-inside scope=10 target-scope=0 
 2 A S dst-address=10.10.20.0/24 gateway=10.10.20.1 interface=4-hotty gateway-state=reachable distance=1 scope=255 target-scope=10 routing-mark=coxres 
 3 ADC dst-address=10.10.20.0/24 prefsrc=10.10.20.254 interface=4-hotty scope=10 target-scope=0 
 4 A S dst-address=10.10.30.0/24 gateway=10.10.30.1 interface=2-sony gateway-state=reachable distance=1 scope=255 target-scope=10 routing-mark=coxres 
 5 ADC dst-address=10.10.30.0/24 prefsrc=10.10.30.1 interface=2-sony scope=10 target-scope=0 
 6 ADC dst-address=68.8.24.0/23 prefsrc=68.8.25.137 interface=3-coxRes scope=10 target-scope=0 
 7 ADC dst-address=68.15.xx.xx/27 prefsrc=68.15.19.51 interface=1-coxBiz scope=10 target-scope=0 
 8 ADC dst-address=192.168.2.0/24 prefsrc=192.168.2.1 interface=wlan1 scope=200 target-scope=0 
 9 A S dst-address=0.0.0.0/0 gateway=68.15.19.33 interface=1-coxBiz gateway-state=reachable distance=1 scope=255 target-scope=10 
10 A S dst-address=0.0.0.0/0 gateway=68.8.24.1 interface=3-coxRes gateway-state=reachable distance=1 scope=255 target-scope=10 routing-mark=coxres 

Thanks,
Sam
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Tue May 31, 2005 10:24 pm

Can someone from MT confirm that policy routing is not completed in rc4? I am having troubles routing based on route-mark, and it seems in your manual there are options that are not in rc4 yet (nexthop, static route, etc).

http://www.mikrotik.com/docs/ros/2.9/ip/route

I am not able to route based on route-mark set on the mangle process. I don't know if this is a config problem (posted above) or simply that it is not completed yet.

I will assume for now that policy routing is not complete in rc4 and quit working on it for now.

Sam
 
tbutcher
newbie
Posts: 43
Joined: Thu Apr 07, 2005 5:38 pm

Tue May 31, 2005 10:26 pm

Thanks for the info but shouldn't the chain=input not prerouting?

Tim
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Tue May 31, 2005 10:55 pm

I've tried both and every other combination. Seems as though the mangle count is incrementing but it's not taking the right route... so I think policy routing is ignoring route-marks in certain cases somehow.

Sam
 
tbutcher
newbie
Posts: 43
Joined: Thu Apr 07, 2005 5:38 pm

Wed Jun 01, 2005 12:41 am

If you read the docs for v2.9 it uses forward and mark-connection and mark-packet to mark P2P traffic.

http://www.mikrotik.com/docs/ros/2.9/ip/mangle

Tim
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Wed Jun 01, 2005 1:08 am

I read that already. I am not trying to use mangling to shape bandwidth, etc. I am trying to use policy routing using the new 'new-routing-mark' action. As I mentioned before, the old way of marking the connection and then the flow is outdated for policy routing I believe.

Sam
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Wed Jun 01, 2005 6:09 pm

Let me re-word what the problem is after some testing last night. In Mangle I can setup new-route-mark when using a source ip address, and it will work. When I setup a mangle rule specifying an incoming interface only, it does not work. I need to mark all packets coming from one isp to go out the same isp. I should be able to new-route-mark anything coming in that interface so it will go back out that same interface, right? Worked in 2.8.

Sam
 
Butcher
just joined
Posts: 4
Joined: Mon Jan 31, 2005 11:55 pm
Location: Poland

same problem

Thu Jun 02, 2005 2:22 am

I have 2 ISP connections: one is frame relay, 2M RX/TX, with 255 public addresses that I want to use, and the other one is DSL, 2M RX 256K TX. I need to configure my MT to route all traffic through the frame relay connection and specific incoming ports and protocols (HTTP, FTP, POP3, SMTP, ICMP, etc.) through my DSL. I know that is a problem for many, and if someone can show ONE example it will solve that problem for others. Best would be a step-by-step example. I try to show what it looks like:
Image

I will be glad if anyone helps us. Of course we are talking about MT 2.9
THX
 
randyloveless
Member Candidate
Posts: 207
Joined: Thu Sep 30, 2004 10:14 am
Location: california

Thu Jun 02, 2005 9:59 am

changeip,

Did you get your routing working? I have or have been playing with this same issue. Is it that we are doing something wrong?

Randy
 
tbutcher
newbie
Posts: 43
Joined: Thu Apr 07, 2005 5:38 pm

Thu Jun 02, 2005 10:35 am

butcher,

We have a very similar setup and are using the following to route HTTP traffic over our DSL line.

Set your default gateway to the frame relay. In routes set destination to 0.0.0.0/0 and gateway to 195.117.127.1

Set up a mangle rule for each traffic type. In firewall create a new mangle rule with chain input, protocol tcp, dst. port 80, in interface LAN, action mark routing, routing mark HTTP.

Then in routes set HTTP to go via the DSL line. Go to routes, add new route, destination 0.0.0.0/0, gateway 83.16.190.105, mark HTTP.

Repeat for the other traffic types you need. Remember you will have to set up NAT rules if needed for both lines.

Works for us but let me know how you get on.

Tim
 
billr
Member Candidate
Posts: 106
Joined: Tue May 03, 2005 8:28 pm

Thu Jun 02, 2005 11:50 pm

a) It seems there are several ways to achieve policy routing, possibly also depending on the version - rc2 or rc4 - you are using. WOULD someone from MT comment - is there a difference, or are we just getting it wrong...

b) I also thought input chain applied to traffic into the router, not passing through the router ... in some way this does not seem to be the case (I can confirm a policy route with an input mangle rule does route through the router, whereas I (mis)understood it was for traffic to the router (i.e. ssh login etc.)).

Confused !!
 
tbutcher
newbie
Posts: 43
Joined: Thu Apr 07, 2005 5:38 pm

Fri Jun 03, 2005 12:12 am

Billr,

Try looking on the internet for chain types there is a lot of good info.

Tim
