dineshplp
newbie
Topic Author
Posts: 32
Joined: Wed Jan 09, 2008 7:09 am

Policy based routing using two uplinks

Sun Oct 30, 2011 4:46 pm

Hi....
I have two uplinks and I want to do routing as follows....
Requests from a specific IP x.x.x.x should go via uplink 1, whereas every other request should go through uplink 2..... No need for load balancing or anything.....
 
silence012
just joined
Posts: 16
Joined: Wed Mar 04, 2009 4:49 pm

Re: Policy based routing using two uplinks

Sun Oct 30, 2011 8:29 pm

Hi,

Try reading this post.
You can configure one IP addresses range to go through first gateway, and another through second.

http://wiki.mikrotik.com/wiki/Load_Bala ... e_Gateways

Regards,
Branko
 
dineshplp
newbie
Topic Author
Posts: 32
Joined: Wed Jan 09, 2008 7:09 am

Re: Policy based routing using two uplinks

Sun Oct 30, 2011 8:43 pm

Thanks for the reply....
My confusion is that I want, let's say, 192.168.100.x to go through uplink 1 and everything else to go via uplink 2.... Everything else here includes all private IP ranges except 192.168.100.x.... Shouldn't there be something like a wildcard mask....
We have about 2-3 clients who need to go via uplink 1, and the remaining ones need to go via uplink 2.... The IP addressing we used is quite messy, so we are really not in a position to redesign the whole IP scheme....
So simply a single IP or two needs uplink 1 and everything else needs uplink 2.... Hope you got what I mean to say....
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: Policy based routing using two uplinks

Sun Oct 30, 2011 11:13 pm

You need to create an address list containing all the addresses you want to go through uplink1
/ip firewall address-list
add address=192.168.100.x disabled=no list=to_uplink1
add address=192.168.100.y disabled=no list=to_uplink1
Now create a mangle rule to mark all packets that should go through uplink1
/ip firewall mangle
# src-address-list must match the list name above; new-routing-mark must match routing-mark on the policy route
add action=mark-routing chain=prerouting disabled=no dst-address-type=!local new-routing-mark=to_uplink1 passthrough=yes src-address-list=to_uplink1
Finally create a policy route for uplink1 and a default route for all other packets
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=uplink1 routing-mark=to_uplink1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=uplink2 scope=30 target-scope=10
Don't forget to add masquerade rules for uplink1 and uplink2.

NB: Replace 192.168.100.x, 192.168.100.y, uplink1 and uplink2 with the appropriate values.
 
dineshplp
newbie
Topic Author
Posts: 32
Joined: Wed Jan 09, 2008 7:09 am

Re: Policy based routing using two uplinks

Tue Nov 08, 2011 8:16 am

Thanks...

Works good! :D
 
mm690
Frequent Visitor
Posts: 54
Joined: Sat Aug 21, 2010 8:38 pm

Re: Policy based routing using two uplinks

Tue Nov 08, 2011 5:32 pm

I have many of these selective policy-based routes.

Don't forget to add a rule in your routes with the marked connection.

Also VERY important: make sure that rule is above your main rule, or else it won't get seen first and your new routes will go to the default gateway instead.
 
robyhr
newbie
Posts: 25
Joined: Fri May 25, 2007 8:03 pm
Location: Croatia

Re: Policy based routing using two uplinks

Fri Apr 20, 2012 11:25 am

I have a question about policy-based routing. We have 3 ISPs and 3 links to the internet. I have set the required policies, and everything works as intended.

The only thing is, I don't know what to do with the default route. I have a PPTP server on the MikroTik, and some of our clients come in from the ISP1 link and others from ISP2. What do I need to add to the router so we can have both policy-based routing working and still accept PPTP clients on both links? If I add a default route without a routing mark to ISP1, then we can accept PPTP connections from ISP1 and not from ISP2, but if I change it to ISP2, my PPTP clients can't connect from ISP1. How can I accept both?

Thanks for your help
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: Policy based routing using two uplinks

Sun Apr 22, 2012 6:41 pm

In addition to your existing configuration, you need to add routing marks that ensure that all packets entering the router from a particular interface leave by that interface.

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark disabled=no in-interface=ISP1 new-connection-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1 disabled=no new-routing-mark=ISP1 passthrough=no

add action=mark-connection chain=input connection-mark=no-mark disabled=no in-interface=ISP2 new-connection-mark=ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2 disabled=no new-routing-mark=ISP2 passthrough=no

add action=mark-connection chain=input connection-mark=no-mark disabled=no in-interface=ISP3 new-connection-mark=ISP3 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP3 disabled=no new-routing-mark=ISP3 passthrough=no

NB: Replace the colored text with the appropriate interface name and move the rules to the top.


Now create policy routes to force the packets to go out on the appropriate gateway

/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=ISP1_Gateway routing-mark=ISP1 scope=30 target-scope=10

add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=ISP2_Gateway routing-mark=ISP2 scope=30 target-scope=10

add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=ISP3_Gateway routing-mark=ISP3 scope=30 target-scope=10

NB: Replace the colored text with the appropriate gateway IP address
 
tonci
just joined
Posts: 10
Joined: Sat Jul 11, 2015 2:07 pm

Re: Policy based routing using two uplinks

Wed Jul 07, 2021 11:31 pm

Hi to all,
My scenario is the following:
I have one RB as defgw and one ISP (bridge PPPoE). Server services are hosted on a hypervisor, and one of them would be a firewall appliance that I want to be the new defgw for selected workstations. The FW has two standard interfaces, public/private, and each of them has its own VLAN (VL-fw-priv and VL-FW-pub). So I have 3 VLANs: 1 LAN local, 2 VL-FW-priv, 3 VL-FW-pub.
So my plan would be to redirect LAN-local workstation traffic from the RB to the FW-private interface as the new gw, and then from FW-public back to the RB and then to the ISP (see PDF attached).
Traffic should go from the RB to the FW appliance, then back to the RB and then to the ISP.
The FW has a static route to LAN-local, so there is no need to NAT workstation traffic to the FW-private interface. The FW can reach/ping LAN-local devices.
I set up a routing mark for LAN devices and added a default route for this routing mark, but the success is very partial:
- pinging/tracert to 8.8.8.8 goes correctly -> WorkSt -> RB -> FW-private -> FW-pub -> (RB) VL-FW-pub IP addr -> ISP -> .... 8.8.8.8
- Google search responds very quickly
- BUT common browsing does not work: very few pages load, very slowly, and the others not at all ...
If I put the workstation in the FW-priv VLAN and define the FW-private IP as defgw, it responds in real time and works perfectly.
Config:
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=bridge-lan \
    new-routing-mark=to-kvc passthrough=no src-address-list=kvc-client
/ip route
add distance=1 gateway=10.168.14.2 routing-mark=to-kvc scope=30


Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.17.1 .............. OK! RB-IP LAN-local defgw
2 11 ms <1 ms 1 ms 10.168.14.2 .............. OK! FW-priv-IP
3 1 ms 1 ms <1 ms 10.168.15.1 .............. OK! RB-VL-FW-pub-IP
4 1 ms 1 ms 1 ms 10.10.10.1 .............. OK! ... ISP
5 1 ms 1 ms 1 ms 10.200.4.189
6 2 ms 1 ms 1 ms vd36-n229-h8.loc-b.akton.net [81.17.229.8]
7 2 ms 1 ms 1 ms cr72-1-n229-h40.loc-b.akton.net [81.17.229.40]



Any help would be very much appreciated

Thank you very much in advance
BR
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Policy based routing using two uplinks

Thu Jul 08, 2021 3:35 pm

Actually, the response to the original OP has an alternative solution that is simpler and does not involve mangling, and thus one doesn't lose FastTrack etc....

0.0.0.0/0 gateway of ISP1 check-gateway=ping distance=5
0.0.0.0/0 gateway of ISP2 distance=10

So the two routes, ISP1 will always be chosen in the main table as it has a lower distance.
Failover can occur in case ISP1 is not available if desired

To ensure one or two IP addresses only use ISP2 then add additional routes (copies of main table route with addition of routing-mark)
0.0.0.0/0 gateway of ISP2 distance=10 routing mark=user1
0.0.0.0/0 gateway of ISP2 distance=10 routing mark=user2

Then add corresponding Route rules.
source-address=LANIP of user1
Action= Lookup in table
Table= user1

source-address=LANIP of user2
Action= Lookup in table
Table= user2

DONE and without any mangling.
If one changes ACTION to lookup ONLY in table, then if ISP2 is not available those two users would not kick over to ISP1 at all and would have no internet access.
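
The route-rule approach from the post above, written out as RouterOS v6 commands. This is an added example, not part of the original post: the gateway, client and LAN addresses are constructed placeholders, and the first rule (keeping local destinations in the main table) is an addition the post does not mention.

```routeros
# Added example (RouterOS v6 syntax). All addresses are constructed placeholders:
#   192.0.2.1          = ISP1 gateway
#   198.51.100.1       = ISP2 gateway
#   192.168.100.10/.11 = the two clients that must use ISP2
#   192.168.100.0/24   = a local subnet behind the router (assumption)

/ip route
# Main table: ISP1 is preferred (lower distance), ISP2 is the failover.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=5 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=10
# Per-client tables: copies of the ISP2 route carrying a routing mark.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=10 routing-mark=user1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=10 routing-mark=user2

/ip route rule
# Rules are evaluated top to bottom. Keep traffic to local subnets in the
# main table first; otherwise the 0.0.0.0/0 route in user1/user2 would also
# capture the clients' traffic to local destinations. Add one such rule per
# local subnet.
add dst-address=192.168.100.0/24 action=lookup table=main
# action=lookup continues to the main table (ISP1) when the named table has
# no active route; action=lookup-only-in-table does not fall back.
add src-address=192.168.100.10/32 action=lookup table=user1
add src-address=192.168.100.11/32 action=lookup table=user2

# Check the result: the marked routes should be active and the rules in order.
/ip route print detail where routing-mark=user1
/ip route rule print
```

On RouterOS v7 the same idea is configured under /routing table and /routing rule, with routing-table= on the route instead of routing-mark=.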
 
tonci
just joined
Posts: 10
Joined: Sat Jul 11, 2015 2:07 pm

Re: Policy based routing using two uplinks

Thu Jul 08, 2021 8:16 pm

anav, thank you. Yes!!! ... Route rules solved everything ... it seems it works exactly how it should .... The question remains: why did it not work with mangle ... or how would it work with mangle .... but this is not high priority any more :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Policy based routing using two uplinks

Thu Jul 08, 2021 10:47 pm

Mangle is very powerful but also a nightmare to configure for many.
Keep in mind you can also identify or target PCs by the entire subnet if required, 192.168.0.0/24 for example.
Also, one can use an interface as the input source, be it an etherport, wlan, vlan or any interface created.
 
brishisharma
just joined
Posts: 15
Joined: Mon Sep 22, 2014 5:41 am

Re: Policy based routing using two uplinks

Wed Sep 22, 2021 4:54 pm

anav wrote:
Actually the response to the original OP has an alternative solution that is simpler and does not involve mangling and thus one doesn't lose FastTrack etc....

0.0.0.0/0 gateway of ISP1 check-gateway=ping distance=5
0.0.0.0/0 gateway of ISP2 distance=10

So the two routes, ISP1 will always be chosen in the main table as it has a lower distance.
Failover can occur in case ISP1 is not available if desired

To ensure one or two IP addresses only use ISP2 then add additional routes (copies of main table route with addition of routing-mark)
0.0.0.0/0 gateway of ISP2 distance=10 routing mark=user1
0.0.0.0/0 gateway of ISP2 distance=10 routing mark=user2

Then add corresponding Route rules.
source-address=LANIP of user1
Action= Lookup in table
Table= user1

source-address=LANIP of user2
Action= Lookup in table
Table= user2

DONE and without any mangling.
If one changes ACTION to lookup ONLY in table, then if ISP2 is not available those two users would not kick over to ISP1 at all and would have no internet access.

I have tried this and it is not working without mangle. Please explain in detail.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Policy based routing using two uplinks

Wed Sep 22, 2021 5:39 pm

Please provide your config
/export hide-sensitive file=anynameyouwish
