tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Which chain?

Wed Jan 27, 2010 6:28 am

All our subscribers arrive at the gateway via PPTP tunnels, and have statically assigned IP addresses. Internet connection from the gateway is via two DSL modems. I'd like to route one group of subscribers out through modem A and another group through modem B.

The PPTP network is 172.16.4.0/24. If I split this into /26 subnets can I use Mangle to route-mark packets from the 172.16.4.0/26 network for Modem A and packets from the 172.16.4.64/26 network for Modem B? i.e. does the route-mark survive the termination of the tunnel? Would it be better to use packet marking, or connection marking?

What's the correct chain to use, prerouting or forward?

With what address are the packets forwarded out of the gateway to the modem - that of the PPTP server (172.16.4.1), the router's interface to the modem, or the IP of the originating source? For accounting purposes it's necessary that all responses pass back through the tunnel.

Thanks for reading.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Which chain?

Wed Jan 27, 2010 4:23 pm

just set up an address-list with one part of your customers in one and the other part in the other; that way you can even swap customers if you see that someone is heavy and the other link is not that congested.

and use address-list to mangle packets

EDIT:

since you will be adjusting routing with mangle, you should mark packets with routing marks in prerouting, since that is before routing decisions, as the name implies
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: Which chain?

Sat Feb 13, 2010 3:10 am

Thanks Janisk.

I followed your instructions and it works - but it works too well and has thrown up another problem.

I've group A on subnet 172.16.4.0/28 and group B on subnet 172.16.4.64/28. Incoming packets from group A's subnet are picked up by the address list and allocated routing mark 'A' and ditto group B with routing mark 'B'. I've a default route for packets route-marked 'A' through gateway A, and a default route for those marked 'B' through gateway B.

That works, but unfortunately it seems that packets from group A addressed to group B are also being sent out of the 'A' gateway rather than routed internally to group B, and vice versa, presumably because of the routing mark, although there is a route to 172.16.4.0/24 via interface 172.16.4.1.

Is there a way around this?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Which chain?

Sat Feb 13, 2010 6:42 pm

something like
/ip fi man add chain=prerouting dst-address=172.16.4.0/28 action=accept
/ip fi man add chain=prerouting dst-address=172.16.4.64/28 action=accept
so now you don't mark routing for internal subnets
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: Which chain?

Tue Mar 09, 2010 12:21 am

Thanks Chupaka.

Wouldn't one entry:

/ip fi man add chain=prerouting dst-address=172.16.4.0/24 action=accept

achieve the same thing? Or is that too simple?

Edit: Trying to think this through, don't we have a problem here in that practically everything arriving at the router is going to have a destination address of 172.16.4.1, as that's the address of the PPTP server? So this rule will bypass the route marking?

Or does the chain=prerouting only kick in after the PPP wrapper has been stripped?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Which chain?

Tue Mar 09, 2010 4:58 pm

> Wouldn't one entry:
>
> /ip fi man add chain=prerouting dst-address=172.16.4.0/24 action=accept
>
> achieve the same thing? Or is that too simple?

well, if you don't use 172.16.4.16/28, 172.16.4.32/28, etc - then those rules are almost the same :)

> Edit: Trying to think this through, don't we have a problem here in that practically everything arriving at the router is going to have a destination address of 172.16.4.1, as that's the address of the PPTP server? So this rule will bypass the route marking?
>
> Or does the chain=prerouting only kick in after the PPP wrapper has been stripped?

you don't need to mark encapsulated packets, after stripping they will be again in prerouting chain - that's what you need
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: Which chain?

Tue Mar 09, 2010 10:05 pm

Thanks Chupaka.
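
Added example, not part of the original thread or any poster's configuration: the two answers above combined into one RouterOS configuration, with the accept rule for tunnel-internal destinations placed ahead of the marking rules. The list names, the modem gateway addresses 192.0.2.1 and 198.51.100.1, and the v6-style `routing-mark` attribute on routes are assumptions.

```routeros
# Constructed example; list names and gateway addresses are placeholders.

# Subscriber groups by tunnel address. Moving an entry from one list to
# the other moves that subscriber to the other modem.
/ip firewall address-list
add list=group-a address=172.16.4.0/28
add list=group-b address=172.16.4.64/28

/ip firewall mangle
# 1. Traffic between subscribers stays unmarked, so the main routing table
#    delivers it to the other tunnel instead of a modem. accept ends mangle
#    processing in this chain, so this rule must sit above the marking rules.
add chain=prerouting dst-address=172.16.4.0/24 action=accept
# 2. Everything else is marked by source group. The decapsulated packet
#    passes through prerouting with the subscriber's own source address.
add chain=prerouting src-address-list=group-a action=mark-routing \
    new-routing-mark=A passthrough=no
add chain=prerouting src-address-list=group-b action=mark-routing \
    new-routing-mark=B passthrough=no

/ip route
# One default route per routing mark (assumed modem LAN addresses).
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=A
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=B
```

The per-rule packet counters in the mangle table show whether subscriber-to-subscriber traffic is hitting the accept rule rather than one of the marking rules.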
