mk0000
newbie
Topic Author
Posts: 48
Joined: Thu Jun 25, 2009 8:55 am

Routing Problem

Sat Mar 03, 2012 9:24 am

Hi,

I have the following problem:

One RB 450G (IP: 192.168.0.5) with 100 PCs and 2 WAN ports (Port1 and Port4).
On Port1 there is a Fritzbox (192.168.0.1) and on Port4 there is a Fritzbox (192.168.0.2).
All LAN ports of the RB 450G are in a bridge.
All PCs on the other LAN ports have the following IP configuration:

IP: 192.168.0.x/24
Gateway and DNS: 192.168.0.5

Route:
0.0.0.0/0 goes to 192.168.0.1

One client (192.168.0.140) should now switch to the second WAN port (Port4).
I have tested it with the firewall:

Mangle:
Prerouting, Src-Address 192.168.0.140, and mark routing, for example GroupB.

Then I added a route:
0.0.0.0/0 goes to 192.168.0.2 with Routing Mark GroupB

But the traffic goes over Port1 (192.168.0.1).

Can anyone help me?
 
rodolfo
Long time Member
Posts: 543
Joined: Sat Jul 05, 2008 11:50 am

Re: Routing Problem

Sat Mar 03, 2012 11:18 am

Post your configuration (ip address, ip firewall mangle, ip route).
rodolfo
IZ0UQV
 
mk0000
newbie
Topic Author
Posts: 48
Joined: Thu Jun 25, 2009 8:55 am

Re: Routing Problem

Sun Mar 04, 2012 1:52 pm

Hi rodolfo,

my configuration from the RB 450G:


/ip address
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.0.5/24     192.168.0.0     bridge1

/ip firewall mangle
 0   chain=prerouting action=mark-packet new-packet-mark=connection
     passthrough=yes protocol=tcp

 1   chain=prerouting action=mark-packet new-packet-mark=conn passthrough=no
     packet-mark=connection

 2 X chain=prerouting action=mark-routing new-routing-mark=GroupB passthrough=no
     src-address=192.168.0.140

/ip route
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.0.2 gateway-status=ether4 reachable
        distance=1 scope=30 target-scope=10 routing-mark=GroupB

 1 A S  dst-address=0.0.0.0/0 gateway=192.168.0.1
        gateway-status=192.168.0.1 reachable bridge1 distance=1 scope=30
        target-scope=10

 2 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.5 gateway=bridge1
        gateway-status=bridge1 reachable distance=0 scope=10


The PCs on LAN ports 2, 3 and 5 are on other switches and have the following configuration:

IP: 192.168.0.x/24 (x = 60 - 140)
DNS + Gateway: 192.168.0.5

Who can help me?
 
cybercoder
Member Candidate
Posts: 176
Joined: Tue Dec 07, 2010 11:20 pm
Location: Guilan, Iran

Re: Routing Problem

Sun Mar 04, 2012 2:49 pm

Set "use IP firewall" on the bridge to enabled first;
if that doesn't work, then change the specific policy route's mangle chain from prerouting to forward, too.

Studying the packet flow diagram will help you make your own policy implementation decisions well.
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Any sufficiently advanced technology is indistinguishable from magic. ( Arthur C Clarke )
Mikrotik certified consultant
Microsoft Certified Technology Specialist, Microsoft Certified IT Professional
http://www.netd.ir
 
mk0000
newbie
Topic Author
Posts: 48
Joined: Thu Jun 25, 2009 8:55 am

Re: Routing Problem

Sun Mar 04, 2012 3:12 pm

Hello cybercoder,

the firewall on the bridge is enabled.
When I change prerouting to forward, I get an error message:
Couldn't change Mangle Rule - routing-mark allowed only in output and prerouting chains.
 
cybercoder
Member Candidate
Posts: 176
Joined: Tue Dec 07, 2010 11:20 pm
Location: Guilan, Iran

Re: Routing Problem

Sun Mar 04, 2012 3:15 pm

Yes, yes, the error message is true; the routing mark only works at routing time! I made a mistake.
 
cybercoder
Member Candidate
Posts: 176
Joined: Tue Dec 07, 2010 11:20 pm
Location: Guilan, Iran

Re: Routing Problem

Sun Mar 04, 2012 3:17 pm

Allow the traffic to pass through the router in the second mangle chain; I think it will work.

By the second I mean number 1, not 2.
 
mk0000
newbie
Topic Author
Posts: 48
Joined: Thu Jun 25, 2009 8:55 am

Re: Routing Problem

Sun Mar 04, 2012 3:20 pm

Example?
 
cybercoder
Member Candidate
Posts: 176
Joined: Tue Dec 07, 2010 11:20 pm
Location: Guilan, Iran

Re: Routing Problem

Sun Mar 04, 2012 3:50 pm

I was referring to the second mangle you sent:
1 chain=prerouting action=mark-packet new-packet-mark=conn passthrough=no packet-mark=connection
Change the passthrough to yes.
 
mk0000
newbie
Topic Author
Posts: 48
Joined: Thu Jun 25, 2009 8:55 am

Re: Routing Problem

Sun Mar 04, 2012 7:33 pm

Passthrough is activated, but the traffic goes over 192.168.0.1 and not over 192.168.0.2.

Help?!
 
cybercoder
Member Candidate
Posts: 176
Joined: Tue Dec 07, 2010 11:20 pm
Location: Guilan, Iran

Re: Routing Problem

Sun Mar 04, 2012 7:45 pm

chain=prerouting src-address=192.168.0.140 action=mark-connection new-connection-mark=GroupBC passthrough=yes
chain=prerouting connection-mark=GroupBC action=mark-routing new-routing-mark=GroupB passthrough=no
Replace the mangles with these optimal mangles.
 
mk0000
newbie
Topic Author
Posts: 48
Joined: Thu Jun 25, 2009 8:55 am

Re: Routing Problem

Sun Mar 04, 2012 9:18 pm

The same problem :(
 
cybercoder
Member Candidate
Posts: 176
Joined: Tue Dec 07, 2010 11:20 pm
Location: Guilan, Iran

Re: Routing Problem

Sun Mar 04, 2012 9:24 pm

Is there a count-up for your specific mangle?
 
mk0000
newbie
Topic Author
Posts: 48
Joined: Thu Jun 25, 2009 8:55 am

Re: Routing Problem

Sun Mar 04, 2012 9:52 pm

Yes, but the traffic goes over 192.168.0.1.
 
cybercoder
Member Candidate
Posts: 176
Joined: Tue Dec 07, 2010 11:20 pm
Location: Guilan, Iran

Re: Routing Problem

Sun Mar 04, 2012 9:55 pm

I am online on Yahoo Messenger: vahid_yid
 
mk0000
newbie
Topic Author
Posts: 48
Joined: Thu Jun 25, 2009 8:55 am

Re: Routing Problem

Tue Mar 06, 2012 10:32 am

I have tested it with 5 clients.
One client goes over the second gateway, all others over the first gateway.
The mangle entries count up, but nothing goes over the second gateway.
Is there a special entry or something else I have forgotten?

The Config
IP-Address
 #   ADDRESS            NETWORK         INTERFACE                                
 0   192.168.0.5/24     192.168.0.0     bridge1    

Bridge
 0  R name="bridge1" mtu=1500 l2mtu=1520 arp=enabled 
      mac-address=00:0C:42:59:1D:2E protocol-mode=rstp priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 #    INTERFACE               BRIDGE               PRIORITY  PATH-COST    HORIZON
 0    ether1                  bridge1                  0x80         10       none
 1    ether2                  bridge1                  0x80         10       none
 2    ether5                  bridge1                  0x80         10       none
 3    ether3                  bridge1                  0x80         10       none
 4    ether4                  bridge1                  0x80         10       none

DNS
servers: 192.168.0.1,192.168.0.2
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 1712KiB

Firewall Filter: nothing
Firewall Nat: nothing
Firewall Mangle: 
 0   chain=prerouting action=mark-packet new-packet-mark=connection 
     passthrough=yes protocol=tcp 

 1   chain=prerouting action=mark-packet new-packet-mark=conn passthrough=no 
     packet-mark=connection 

 2   ;;;
     chain=prerouting action=mark-routing new-routing-mark=GroupB 
     passthrough=yes src-address=192.168.0.140 

 3   ;;;
     chain=prerouting action=mark-routing new-routing-mark=GroupB 
     passthrough=yes src-address=192.168.0.94 

 4   ;;; 
     chain=prerouting action=mark-routing new-routing-mark=GroupB 
     passthrough=yes src-address=192.168.0.111 

 5   ;;;
     chain=prerouting action=mark-routing new-routing-mark=GroupB 
     passthrough=yes src-address=192.168.0.112 

Route
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.0.2 
        gateway-status=192.168.0.2 reachable bridge1 distance=1 scope=30 
        target-scope=10 routing-mark=GroupB 

 1 A S  dst-address=0.0.0.0/0 gateway=192.168.0.1 
        gateway-status=192.168.0.1 reachable bridge1 distance=1 scope=30 
        target-scope=10 

 2 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.5 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10 

Where is the Problem?

Is there a way for a client, gateway and DNS to change through the firewall?
 
cybercoder
Member Candidate
Posts: 176
Joined: Tue Dec 07, 2010 11:20 pm
Location: Guilan, Iran

Re: Routing Problem

Tue Mar 06, 2012 10:38 am

0   chain=prerouting action=mark-packet new-packet-mark=connection
     passthrough=yes protocol=tcp

1   chain=prerouting action=mark-packet new-packet-mark=conn passthrough=no
     packet-mark=connection
You should mark the connections first, then the packets of those connections!

When you don't allow the traffic to pass in this scenario, how can the next mangle rule work?
I think I sent an optimal mangle.
 
mk0000
newbie
Topic Author
Posts: 48
Joined: Thu Jun 25, 2009 8:55 am

Re: Routing Problem

Tue Mar 06, 2012 11:07 am

I have disabled these two mangles and will test it, or can I sort the mangles?
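
The rule-ordering point raised in the last two posts, as an added example that is not part of the thread or of RouterOS itself: a simplified Python model of how one mangle chain is walked top to bottom and how `passthrough=no` in rule 1 ends processing for TCP packets before the mark-routing rule is reached. The function names, the dictionary layout and the reordered rule set are assumptions made for illustration; the rules and gateways are taken from the posted configuration.

```python
# Added example: simplified model of RouterOS mangle processing in one chain.
# Rules are checked top to bottom; a matching rule with passthrough=no ends
# processing of the chain for that packet.

# Constructed from the rules posted in the thread (rule 2 = src 192.168.0.140).
POSTED = [
    {"match": {"protocol": "tcp"},
     "set": ("packet-mark", "connection"), "passthrough": True},
    {"match": {"packet-mark": "connection"},
     "set": ("packet-mark", "conn"), "passthrough": False},
    {"match": {"src-address": "192.168.0.140"},
     "set": ("routing-mark", "GroupB"), "passthrough": True},
]

# Assumed reordering: the mark-routing rule moved above the packet-mark rules.
REORDERED = [POSTED[2], POSTED[0], POSTED[1]]

# Default routes from the thread: routing-mark -> gateway (None = main table).
ROUTES = {"GroupB": "192.168.0.2", None: "192.168.0.1"}


def run_mangle(rules, packet):
    """Return a copy of the packet with the marks the chain would set."""
    pkt = dict(packet)
    for rule in rules:
        if all(pkt.get(k) == v for k, v in rule["match"].items()):
            field, value = rule["set"]
            pkt[field] = value
            if not rule["passthrough"]:
                break  # later rules never see this packet
    return pkt


def next_hop(rules, packet):
    """Pick the default gateway by routing mark, else use the main table."""
    pkt = run_mangle(rules, packet)
    return ROUTES.get(pkt.get("routing-mark"), ROUTES[None])


if __name__ == "__main__":
    tcp = {"src-address": "192.168.0.140", "protocol": "tcp"}
    udp = {"src-address": "192.168.0.140", "protocol": "udp"}
    for name, rules in (("posted", POSTED), ("reordered", REORDERED)):
        print(name, "tcp ->", next_hop(rules, tcp), "| udp ->", next_hop(rules, udp))
```

In this model the non-TCP packets from 192.168.0.140 still reach the mark-routing rule, which is consistent with its counters increasing while TCP traffic keeps using 192.168.0.1.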
