hilton
Long time Member
Topic Author
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Is a default route needed when policy routing? - confused

Fri Aug 21, 2009 5:32 pm

My aim is to route traffic via certain wan connections depending on the type of connection.

In other words, route http and https traffic via wan1 and all other via wan2.

This works but I don't understand why I need a default route. Please bear with me as I share my set-up.

Two WAN connections via ADSL with dynamic addresses. Clients are on the LAN and are NATted.
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "masquerade allowed local addresses via wan1" disabled=no \
    out-interface=wan1 src-address-list=local-allowed
add action=masquerade chain=srcnat comment=\
    "masquerade allowed local addresses via wan2" disabled=no \
    out-interface=wan2 src-address-list=local-allowed
Then my mangle rules:

Firstly I mark my connections
/ip firewall mangle
add action=jump chain=prerouting comment="" connection-state=new disabled=no \
    jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting comment="" connection-state=new disabled=no \
    jump-target=udp-services protocol=udp
add action=jump chain=prerouting comment="" connection-state=new disabled=no \
    jump-target=other-services

add action=mark-connection chain=tcp-services comment=http disabled=no \
    dst-port=80 new-connection-mark=http passthrough=no protocol=tcp \
    src-port=1024-65535
add action=mark-connection chain=tcp-services comment=https disabled=no \
    dst-port=443 new-connection-mark=https passthrough=no protocol=tcp \
    src-port=1024-65535
add action=mark-connection chain=tcp-services comment=http disabled=no \
    dst-port=8080 new-connection-mark=http passthrough=no protocol=tcp \
    src-port=1024-65535
add action=mark-connection chain=tcp-services comment="other tcp" disabled=no \
    new-connection-mark=other-tcp passthrough=no protocol=tcp
add action=mark-connection chain=udp-services comment="other udp" \
    connection-state=new disabled=no new-connection-mark=other-udp \
    passthrough=no protocol=udp
add action=mark-connection chain=other-services comment=other disabled=no \
    new-connection-mark=other passthrough=no
Then I mark the packets:
add action=mark-packet chain=prerouting comment="" connection-mark=http \
    disabled=no new-packet-mark=http passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=https \
    disabled=no new-packet-mark=https passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other \
    disabled=no new-packet-mark=other passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other-tcp \
    disabled=no new-packet-mark=other-tcp passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other-udp \
    disabled=no new-packet-mark=other-udp passthrough=no
Then I mark the routing:
add action=mark-routing chain=prerouting comment=http disabled=no \
    new-routing-mark=http packet-mark=http passthrough=no
add action=mark-routing chain=prerouting comment=https disabled=no \
    new-routing-mark=https packet-mark=https passthrough=no
add action=mark-routing chain=prerouting comment=other-tcp disabled=no \
    new-routing-mark=other-tcp packet-mark=other-tcp passthrough=no
add action=mark-routing chain=prerouting comment=other-udp disabled=no \
    new-routing-mark=other-udp packet-mark=other-udp passthrough=no
add action=mark-routing chain=prerouting comment=other disabled=no \
    new-routing-mark=other packet-mark=other passthrough=no
Then I add the routes:
/ip route
add comment="default route" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1
add comment=http disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2 \
    routing-mark=http
add comment=https disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2 \
    routing-mark=https
add comment=other disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1 \
    routing-mark=other
add comment=other-tcp disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wan1 routing-mark=other-tcp
add comment=other-udp disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wan1 routing-mark=other-udp
Now here's my question:

Why do I need this routing rule?
add comment="default route" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1
I would have thought that by identifying 'everything else' via connection-mark, then packet-mark, then route-mark, the traffic would simply obey the routing rules and go via wan1 whereas http and https goes via wan2.

This all 'sort-of' works but only if I enable the default rule. I just don't see why if I've marked all other traffic and then routed it, do I need this default rule.

For some other reason, I seem to have load balanced everything rather than policy routing based on marked connections.

My guess is that I'm not catching all the packets somehow.

Thanks for staying with me.
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Is a default route needed when policy routing? - confused

Fri Aug 21, 2009 11:12 pm

you need the main table for anything on the output chain for one... the router itself can't talk to things if you don't have that. I can't explain it very well, but basically you are not marking everything so things are still using the main table.
 
hilton
Long time Member
Topic Author
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Is a default route needed when policy routing? - confused

Mon Aug 24, 2009 2:02 pm

Sam, thanks for that. I left the default route in place and didn't try and tag 'other' and this works although I don't understand why I'm not catching all the other traffic.

Anyway I now have this new problem/issue.

I have a normal ADSL account and then a 'local only' ADSL account where I stipulate local IPs in the routing table. Like this.
/ip route
add comment="default route" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan_2
add comment=http disabled=no distance=1 dst-address=0.0.0.0/0 gateway=adsl \
    routing-mark=http
add disabled=no distance=2 dst-address=32.106.152.0/24 gateway=adsl_loc
add disabled=no distance=2 dst-address=32.106.153.0/24 gateway=adsl_loc
There is the default route via wan_2 and a few local only ADSL routes and then a route where I mark 'http' traffic.

Now what I want is traffic to go via the gateway specified with the routing mark of 'http' except when a local route should kick in and route via a local ADSL account. I've played with 'distance' but I can't get the local routes to take preference over the routing marked route.

Clear as mud?

Please help.

Thanks.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Is a default route needed when policy routing? - confused

Mon Aug 24, 2009 2:21 pm

Have you considered reversing your logic? Maybe you should routing-mark the other gateway traffic and leave the interface you want as the default unmarked.

You will need a default gateway unless you routing-mark everything.

ADD: Just so you know...like a straight beats two-of-a-kind in poker, a routing-mark beats a distance.
 
hilton
Long time Member
Topic Author
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Is a default route needed when policy routing? - confused

Mon Aug 24, 2009 3:02 pm

> Have you considered reversing your logic? Maybe you should routing-mark the other gateway traffic and leave the interface you want as the default unmarked.

This would indeed be the easier way to go except that I'm trying to catch encrypted bittorrents and I can't so figured it's easier to route that nasty traffic via the slower of the two WANs.

> You will need a default gateway unless you routing-mark everything.

This is what I was trying to do originally but failed miserably. I thought the process was mark some specific traffic and then mark all the rest as 'other' but enabling this 'other' routing forces everything to go pear-shaped.

> ADD: Just so you know...like a straight beats two-of-a-kind in poker, a routing-mark beats a distance.

Ah, that would make sense then. Thanks for this tip.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Is a default route needed when policy routing? - confused

Mon Aug 24, 2009 3:25 pm

Now I see. What I would do is reverse your logic in "/ip firewall mangle" and add a "/ip firewall filter chain=forward" rule to allow port 80 but block all others. Or block the bittorrent ports and allow all others. I think maybe you are using the routing-mark, when a filter may be better.
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Is a default route needed when policy routing? - confused

Mon Aug 24, 2009 6:02 pm

Something I ran into a while back that I have made standard practice, although I see others without it and so I'm not sure now. I've always had to add my local LAN ranges into alternate routing tables, i.e. duplicate the connected routes from the main table to your policy routing tables. It seemed like without it my setups didn't work 100% right. I can imagine that ICMP replies, etc. that aren't part of the initial conversation would fall through to the main table. Can you try adding those connected routes to your alternate tables and see? Since there is no next hop on those I would always use the router's IP on that interface.
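A small Python model of the lookup order behind the answers in this thread: that unmarked traffic falls through to the main table (so the default route is still needed), that a routing-mark table is consulted before distance is ever compared, and that copying the local and connected routes into the marked table is what makes them win again. This is an added example, not code from the thread or from MikroTik. The lookup order it assumes (marked table first, longest prefix within a table, distance only as a tie-breaker, fall back to main only when the marked table has no match at all) is stated as an assumption about RouterOS v3-v6 behaviour; the routes are hilton's second table plus a constructed LAN route 192.168.88.0/24 on an interface named "lan" and a constructed destination 198.51.100.7.

```python
import ipaddress

# Added model of the route lookup order discussed in the thread (not MikroTik
# code). Assumed order, as an assumption about RouterOS v3-v6 behaviour:
#   1. a packet carrying a routing-mark is looked up in that table first;
#   2. inside a table the longest matching prefix wins;
#   3. distance only breaks ties between routes to the same prefix;
#   4. if the marked table has no match at all, the main table is consulted.


class Route:
    """One /ip route entry; routing_mark=None means the main table."""

    def __init__(self, dst, gateway, distance=1, routing_mark=None):
        self.dst = ipaddress.ip_network(dst)
        self.gateway = gateway          # next hop or, for connected routes, the exit interface
        self.distance = distance
        self.routing_mark = routing_mark


def lookup(routes, dst_ip, routing_mark=None):
    """Return the gateway chosen for a packet to dst_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    tables = [routing_mark, None] if routing_mark else [None]
    for table in tables:
        candidates = [r for r in routes if r.routing_mark == table and ip in r.dst]
        if candidates:
            # most specific prefix first, then lowest distance
            best = min(candidates, key=lambda r: (-r.dst.prefixlen, r.distance))
            return best.gateway
    return None


# Routes as hilton posted them (wan_2 default, http marked via adsl, two
# "local only" /24s via adsl_loc at distance 2), plus a constructed connected
# LAN route 192.168.88.0/24 modelled with its interface name as the exit.
AS_POSTED = [
    Route("0.0.0.0/0", "wan_2"),
    Route("0.0.0.0/0", "adsl", routing_mark="http"),
    Route("32.106.152.0/24", "adsl_loc", distance=2),
    Route("32.106.153.0/24", "adsl_loc", distance=2),
    Route("192.168.88.0/24", "lan"),
]

# The fix: the same local and connected routes added a second time, in table http.
WITH_COPIES = AS_POSTED + [
    Route("32.106.152.0/24", "adsl_loc", distance=2, routing_mark="http"),
    Route("32.106.153.0/24", "adsl_loc", distance=2, routing_mark="http"),
    Route("192.168.88.0/24", "lan", routing_mark="http"),
]


def without_default(routes):
    """The same table minus the unmarked 0.0.0.0/0 route (hilton's first question)."""
    return [r for r in routes if not (r.routing_mark is None and r.dst.prefixlen == 0)]


def demo():
    """Run the cases the thread argues about and return the chosen gateways."""
    return {
        # unmarked traffic (the router's own output, anything the mangle rules
        # miss) only ever sees the main table, so it needs the default there
        "unmarked_with_default": lookup(AS_POSTED, "198.51.100.7"),
        "unmarked_without_default": lookup(without_default(AS_POSTED), "198.51.100.7"),
        # routing-mark beats distance: the /0 in table http is found before
        # the main table's /24 routes are ever examined
        "http_to_local_as_posted": lookup(AS_POSTED, "32.106.152.10", "http"),
        "http_to_lan_as_posted": lookup(AS_POSTED, "192.168.88.5", "http"),
        # with the /24s duplicated into table http, longest prefix wins there
        "http_to_local_with_copies": lookup(WITH_COPIES, "32.106.152.10", "http"),
        "http_to_lan_with_copies": lookup(WITH_COPIES, "192.168.88.5", "http"),
    }


if __name__ == "__main__":
    for name, gateway in demo().items():
        print(f"{name:28s} -> {gateway}")
```

In RouterOS terms the fix the model shows is to add the two /24 routes (and the connected LAN route) a second time with routing-mark=http, which is the same thing changeip describes as duplicating the connected routes from the main table into the policy tables; without those copies, marked traffic to a LAN host or to a "local only" prefix is sent out the http gateway instead.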
