MikroTik

Posted: **Tue Sep 03, 2013 12:50 am**

Hello

I have 3 networks:
192.168.100.0/24 (LAN1)
192.168.101.0/24 (LAN2)
192.168.102.0/24 (LAN3)

There is an interface 192.168.100.1/22 on the router. Also there are 3 ISP connected to the router.
The policy must be:
- LAN1 uses 1st available connection
- LAN2 always goes via 2nd ISP
- LAN3 always goes via 3rd ISP

Configuration:

/ip firewall mangle
add action=mark-connection chain=forward in-interface=bridge-lan new-connection-mark=from_lan2 src-address=192.168.101.0/24
add action=mark-connection chain=forward in-interface=bridge-lan new-connection-mark=from_lan3 src-address=192.168.102.0/24
add action=mark-routing chain=prerouting connection-mark=from_lan2 in-interface=bridge-lan new-routing-mark=to_isp2
add action=mark-routing chain=prerouting connection-mark=from_lan3 in-interface=bridge-lan new-routing-mark=to_isp3

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8 src-address=192.168.100.0/22
add action=masquerade chain=srcnat out-interface=ether9 src-address=192.168.100.0/22
add action=masquerade chain=srcnat out-interface=ether10 src-address=192.168.100.0/22

/ip route
add distance=1 gateway=109.86.229.254 routing-mark=to_isp1
add distance=1 gateway=37.229.191.254 routing-mark=to_isp2
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=1 dst-address=8.8.4.4/32 gateway=37.229.191.254 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=109.86.229.254 scope=10

ISP3 disconnected at the moment (there is no route to it)

The problem that clients from LAN2 (192.168.101.0/24) do not have access to Inet. Bit if I disconnect cable connected to ISP1, Inet becomes available for LAN1 and LAN2.

/ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          109.86.229.254            1
 1 A S  0.0.0.0/0                          37.229.191.254            1
 2 A S  0.0.0.0/0                          8.8.8.8                   1
 3   S  0.0.0.0/0                          8.8.4.4                   2
 4 A S  8.8.4.4/32                         37.229.191.254            1
 5 A S  8.8.8.8/32                         109.86.229.254            1
 6 ADC  37.229.128.0/18    37.229.156.88   ether9                    0
 7 ADC  109.86.229.0/24    109.86.229.211  ether8                    0
 8 ADC  192.168.100.0/22   192.168.100.1   bridge-lan                0

Any ideas what it may be?

Thanks!

Posted: **Tue Sep 03, 2013 6:28 am**

Verify that ping actually might still be working which would cause the expected action to fail.

Posted: **Tue Sep 03, 2013 11:03 am**

You are right. Ping does work.

Posted: **Wed Sep 04, 2013 12:43 am**

It is final configuration with 3rd connection but it still does not work as expected

/ip route
add distance=1 gateway=109.86.229.254 routing-mark=to_isp1
add distance=1 gateway=37.229.191.254 routing-mark=to_isp2
add distance=1 gateway=192.168.252.1 routing-mark=to_isp3
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=3 gateway=192.168.252.1
add distance=1 dst-address=8.8.4.4/32 gateway=37.229.191.254 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=109.86.229.254 scope=10

Posted: **Wed Sep 04, 2013 4:48 pm**

Have you read this?

http://mum.mikrotik.com/presentations/US12/tomas.pdf

Posted: **Wed Sep 04, 2013 5:15 pm**

I have read the doc quickly. Thanks.

Do you mean to use different routing tables? main for directly connected networks:

add distance=1 gateway=109.86.229.254 routing-mark=to_isp1
add distance=1 gateway=37.229.191.254 routing-mark=to_isp2
add distance=1 gateway=192.168.252.1 routing-mark=to_isp3

and create other table for dgw:

add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=1 dst-address=8.8.4.4/32 gateway=37.229.191.254 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=109.86.229.254 scope=10

?

Posted: **Thu Sep 05, 2013 12:06 am**

I have replaced

add action=mark-connection chain=forward in-interface=bridge-lan new-connection-mark=from_lan2 src-address=192.168.101.0/24
add action=mark-connection chain=forward in-interface=bridge-lan new-connection-mark=from_lan3 src-address=192.168.102.0/24

by

add action=mark-connection chain=prerouting in-interface=bridge-lan new-connection-mark=from_lan2 src-address=192.168.101.0/24
add action=mark-connection chain=prerouting in-interface=bridge-lan new-connection-mark=from_lan3 src-address=192.168.102.0/24

(changed forward chain to prerouting chain) in mangletable and everyting seems fine

Thanks all for help!

Posted: **Thu Sep 05, 2013 2:33 am**

... changed forward to prerouting in mangle table and everyting seems fine ...

Awesome!

Here is a cool link about chains that I'm reading very slowly. I'm finding it helpful in addition to the official packet flow diagrams MikroTik provides.

Posted: **Thu Sep 05, 2013 11:39 am**

Thanks for the useful links.

I know about packet flow in iptables and use this diagram but unfortunately I forget some things periodically like this time.
But official MikroTik packet flow diagram is awesome! Thank you very much for it!

MikroTik

source routing

source routing

Re: source routing

Re: source routing

Re: source routing

Re: source routing

Re: source routing

Re: source routing

Re: source routing

Re: source routing