thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Policy Based Routing

Thu Mar 06, 2008 1:01 pm

I'm hoping someone can assist with a dilemma I'm having.

I have a system that has two separate external interfaces.

The first is the main interface, through which all traffic for the internet goes.
The second is also connected to a different router.

The issue I'm having is that I have a default route set up that works perfectly for the main interface.
However, there are no comms on the second, because the routes are lacking.

What I want to achieve is the following....

If traffic enters on the second interface it must be routed back out that interface to that particular router.

The main interface will stay the way it is currently, with the default route set on it.

What I did attempt to do is the following, which didn't work....

Create a mangle rule: chain prerouting, in-interface being the second interface, action mark-routing, new routing mark "external".

Then I created a route with destination 0.0.0.0/0, with the appropriate gateway for the second interface, with the routing mark "external".

Not working :/

If I ping the second interface from the net, no response; the mark-routing packet counters are however counting up.
http://www.thavinci.za.net

echo "Demo license expired!"
echo "Please reinstall the router."
echo
kill -WINCH 1
exit
 
SurferTim (Forum Guru)
Posts: 4637 | Joined: Mon Jan 07, 2008 10:31 pm | Location: Miramar Beach, Florida

Re: Policy Based Routing

Thu Mar 06, 2008 4:15 pm

Greetings!

I will presume the interfaces are ether1 and ether2, so that is what I will use.
If:
ether1 IP = 10.0.0.2/24
ether2 IP = 10.0.1.2/24
and:
your gateway is 10.0.0.1 and 10.0.1.1 respectively
then:
/ip route add gateway=10.0.0.1
/ip route add gateway=10.0.1.1

That should assign the appropriate gateway to the correct interface. You must assign the IP addresses first!
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Thu Mar 06, 2008 4:48 pm

Both interfaces have their appropriate IP addresses...

Doing that, I would create two default routes, which can cause my traffic flow to alter.

The current "main" interface has its address assigned and its default gateway.
This is used currently and working.

Simply adding the default gateway for the secondary interface would cause traffic to possibly be routed out the incorrect interface.
What I'm trying to achieve is ONLY to route traffic to the secondary interface's gateway when the source is coming in from the secondary interface.

e.g. the secondary interface has an IP of 66.110.110.3; this is publicly accessible and you can attempt to ping it from outside. You will get routed all the way to this IP; however, the router has a different default gateway, thereby routing the response to the ping through the main interface. Simply adding the default gateway for interface two WILL solve the problem but create new unwanted ones.

The router should be able to detect that the packets came in on that interface and therefore specifically route them to its gateway based on that.


Thanks
 
changeip (Forum Guru)
Posts: 3804 | Joined: Fri May 28, 2004 5:22 pm

Re: Policy Based Routing

Thu Mar 06, 2008 6:37 pm

One thing most people miss is that in your second routing table you need to recreate many routes, including your local connected routes. Simply adding a default route and nothing else will cause it to not find the route it needs and eventually fall back to the main table.

You need to mark connections, mark packets, and then mark routes.

add chain=prerouting action=mark-connection new-connection-mark=in-pip-conn \
passthrough=yes in-interface=l2tp-pip comment="" disabled=yes

add chain=prerouting action=mark-packet new-packet-mark=in-pip-packet \
passthrough=yes connection-mark=in-pip-conn comment="" disabled=yes

add chain=prerouting action=mark-routing new-routing-mark=out-pip \
passthrough=yes packet-mark=in-pip-packet comment="" disabled=yes

And make sure your alternate routing table knows about your local subnet. Typically you will put the next hop as your local IP on those ones. If you need an example I will post one; let me know.
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Thu Mar 06, 2008 7:41 pm

I do not need to recreate any routes for local subnets, as the second interface has got a publicly accessible IP and is in fact directly on the net. Hosts on the net only need to get hold of this machine, nothing further.

I have tried your advice and no joy...

The following has been done....


3 chain=prerouting action=mark-connection new-connection-mark=External passthrough=yes in-interface=External

4 chain=prerouting action=mark-packet new-packet-mark=External_pack passthrough=yes in-interface=External connection-mark=External

5 chain=prerouting action=mark-routing new-routing-mark=External_route passthrough=yes packet-mark=External_pack



And in routing:

1 A S 0.0.0.0/0 reachable *routeriphere* 1 External

And this has the routing mark External_route.

*Note: all counters for the connection mark, packet mark & routing mark are counting as traffic hits the interface....
 
changeip (Forum Guru)
Posts: 3804 | Joined: Fri May 28, 2004 5:22 pm

Re: Policy Based Routing

Thu Mar 06, 2008 7:48 pm

thavinci wrote: Hosts on the net only need to get hold of this machine, nothing further

Hosts on the net only need to reach the router, or a machine behind it? Trust me, you need more than just a single default route in the external table. You also need additional mangle rules for traffic hitting the router itself, i.e. ICMP, etc.
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Thu Mar 06, 2008 8:38 pm

Only the router. Nothing else.
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Thu Mar 06, 2008 8:48 pm

I will make a diagram in a little while, just need to get Visio...
 
changeip (Forum Guru)
Posts: 3804 | Joined: Fri May 28, 2004 5:22 pm

Re: Policy Based Routing

Thu Mar 06, 2008 10:17 pm

So in your external routing table, do you have the public IP subnet listed? How is it supposed to talk to the default gateway if its next hop isn't in the routing table? Here are some rules from a system where I had to fix the input chain to work with ICMP, etc. There is a DSL and a T1 connection at play here...

/ip firewall mangle

add action=mark-connection chain=prerouting comment="inbound DSL connections" \
disabled=no in-interface=1-DSL new-connection-mark=in-dsl-conn \
passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=in-dsl-conn \
disabled=no new-packet-mark=in-dsl-packet passthrough=yes
add action=mark-connection chain=prerouting comment="inbound T1 connections" \
disabled=no in-interface=2-T1 new-connection-mark=in-t1-conn \
passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=in-t1-conn \
disabled=no new-packet-mark=in-t1-packet passthrough=yes
add action=mark-packet chain=input comment="" connection-mark=in-t1-conn \
disabled=no new-packet-mark=in-t1-packet passthrough=yes
add action=mark-packet chain=output comment="" connection-mark=in-t1-conn \
disabled=no new-packet-mark=in-t1-packet passthrough=yes
add action=mark-routing chain=prerouting comment="" disabled=no \
new-routing-mark=t1 packet-mark=in-t1-packet passthrough=yes
add action=mark-routing chain=input comment="" disabled=no new-routing-mark=t1 \
packet-mark=in-t1-packet passthrough=yes
add action=mark-routing chain=output comment="" disabled=no \
new-routing-mark=t1 packet-mark=in-t1-packet passthrough=yes

and then this had to be added:

/ip route rule
add action=lookup comment="" disabled=no routing-mark=t1 table=t1

This works perfectly - pings coming in one interface go back out the right interface, etc.
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Thu Mar 06, 2008 11:40 pm

First off, please forgive the really crass way I had to depict this...
Seems my Visio 2003 didn't want to work on Vista, very odd..

Image

Here is a very bad hand-drawn pic of how the setup looks...

Now:

*The Mikrotik can ping R2 as it's on the same network
*Hosts on the internet can ping R2 but not 66.110.111.2
*Let's say for argument's sake I want to access the web interface Mikrotik provides on the 66.110.111.2 address
*The normal flow of traffic is from the PCs to the Mikrotik, to the server, which in turn NATs the traffic using 66.110.110.3 as the external IP.
*Both server and Mikrotik run OSPF; however, default routes are static
*Default route on the Mikrotik is 192.168.1.1, so ALL traffic with unknown destination ends up at the server.

Suspicions:
Traffic comes in through R2 and is able to reach the Mikrotik router; however, because no other routes exist for hosts on the internet, it uses the default route, sending the replies to the server and breaking comms.
I have tested by specifying a static route to my system at home to go via the R2 router, and comms work fully.
Thus the need to use policy based routing to ONLY route traffic to R2 as the default gateway IF the traffic originated from it in the first place.

Thank you for the example. I have tried messing about, but am still unable to get it right.
Don't know what I'm missing....
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Fri Mar 07, 2008 9:11 am

I have found, in a sense, what I want to do; obviously the difference being that I'm coming from the outside (internet), and instead of using the src IP address I use the src interface.

http://wiki.mikrotik.com/wiki/Load_Bala ... e_Gateways

I have followed this with no result.

Keep in mind that a specific route to a particular internet host on the net does work.
So the problem lies solely with the policy based routing.
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Fri Mar 07, 2008 9:30 am

http://www.mikrotik.com/testdocs/ros/2. ... notfound=6&


Another help, although it didn't work.
I tried all variations; now I've gone back to my original setup as per the Mikrotik guides.

Image

The default route for the routing mark "External_r_mark".

Image
Image

The mangle rules marking the packets.
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Fri Mar 07, 2008 9:32 am

Thanks for the advice so far, "changeip", but I haven't been able to get it working your way either.
I MUST be missing something simple!
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Fri Mar 07, 2008 10:10 am

Man, talk about over-posting!
Just really keen to get the problem sorted out!
Made that Visio....


Image
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Wed Mar 19, 2008 8:59 am

Solved it.....

It can be achieved easily:
1) mark all necessary connections in mangle chain INPUT (specify in-interface, dst-address, etc.)
2) mark all packets from these connections (with a routing mark) in mangle chain OUTPUT
3) create a default route for this routing mark
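The three steps above, together with changeip's earlier point that the alternate table should also be able to reach the directly connected subnet, written out as one complete RouterOS configuration with the read-only commands used to confirm it is taking effect. This is an added example, not configuration posted by anyone in the thread: the interface name External and the mark names follow thavinci's earlier posts, while the values in angle brackets (the R2 gateway address and the secondary interface's subnet, neither of which is given in the thread) are placeholders to be replaced.

```routeros
# Added example (not from the thread): policy routing for traffic that terminates
# ON the router after arriving via the secondary interface "External".
# <R2_GATEWAY_IP> and <SECONDARY_SUBNET> are placeholders, not values from the thread.

/ip firewall mangle
# 1) Mark every connection that arrives on the secondary interface and is addressed
#    to the router itself (chain=input sees only router-destined traffic). Marking
#    the first packet is enough; connection tracking carries the mark to the rest.
add chain=input in-interface=External connection-state=new \
    action=mark-connection new-connection-mark=External_conn passthrough=yes \
    comment="connections that entered via External"

# 2) Replies the router generates belong to those connections. A routing mark set in
#    chain=output makes the routing decision for the reply use the alternate table
#    instead of the main default route (192.168.1.1 towards the server in the thread).
add chain=output connection-mark=External_conn \
    action=mark-routing new-routing-mark=External_route passthrough=yes \
    comment="route replies back out via External"

/ip route
# 3) Default route consulted only by packets carrying the routing mark; the main
#    table is left exactly as it was.
add dst-address=0.0.0.0/0 gateway=<R2_GATEWAY_IP> routing-mark=External_route \
    comment="default for replies that entered via External"
# changeip's point: the alternate table should also know the directly connected
# subnet, so the next hop above is resolvable from within that table.
add dst-address=<SECONDARY_SUBNET> gateway=External routing-mark=External_route \
    comment="connected subnet of External, for the marked table"

# Verification (read-only). While pinging the secondary address from outside, the
# packet counters of both mangle rules should increase, and the marked default route
# must show as active (flag A); a mark that counts up without an active route is the
# symptom described at the top of the thread.
/ip firewall mangle print stats
/ip route print where routing-mark=External_route
```

Because the connection mark is applied in the input chain, forwarded traffic through the router is never marked and its routing is unaffected; if the secondary interface should only answer management traffic, the input rule can be narrowed further with dst-address= set to that interface's own address, as step 1 suggests.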
 
Inssomniak (Member)
Posts: 326 | Joined: Fri Apr 13, 2007 11:21 pm

Re: Policy Based Routing

Mon Mar 24, 2008 4:06 am

Does this work on DSL interfaces that are PPPoE?

I remember for some reason I tried this and it didn't work.
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Mon Mar 24, 2008 11:59 am

Will work for any interface, it's simply routing.
 
mangust (Member Candidate)
Posts: 224 | Joined: Thu Jun 14, 2007 11:14 am

Re: Policy Based Routing

Thu Apr 10, 2008 1:27 pm

thavinci wrote: Solved it.....

Like you said...
/ip firewall mangle add chain=input action=mark-connection new-connection-mark=conn-mark-isp2 passthrough=yes in-interface=isp2
/ip firewall mangle add chain=output action=mark-routing new-routing-mark=routing-mark-isp2 passthrough=yes connection-mark=conn-mark-isp2
/ip route add gateway=ISP2-GW-IP routing-mark=routing-mark-isp2

It's not working :(

Do you have a real working example? Could you share it with me :) ??
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Thu Apr 10, 2008 2:53 pm

Sorry to hear you're not coming right, but unfortunately that's exactly what I did, and it's working at two different locations for me now.

Will double-check for you as soon as I get a moment.
 
thavinci (Member, Topic Author)
Posts: 334 | Joined: Sat Aug 04, 2007 4:40 pm | Location: Johannesburg

Re: Policy Based Routing

Tue Apr 22, 2008 4:45 pm

Don't know if you still need that example, but here are screenshots of how I do it.
100% fully working.

Image
Image
Image


Lemme know if you come right...
 
conradzane (just joined)
Posts: 1 | Joined: Mon Nov 17, 2008 9:48 am

Re: Policy Based Routing

Tue Nov 25, 2008 6:02 pm

Hey Thavinci,

I have tried your solution, but cannot get it working either.
I can even see the connections being forwarded from the DSL router to the second interface on the Mikrotik router, with stats "tcp syn received", but it's not responding with squat.
If you want I can post some screenshots of the config to show you what I have done.

-Conrad-
 
bmeier (just joined)
Posts: 3 | Joined: Mon Jun 02, 2008 8:17 pm

Re: Policy Based Routing

Sat Dec 04, 2010 10:27 pm

Hey guys,

I believe the reason this is not working is that the mangle rules for connection/packet/routing marks need to be in the PREROUTING chain, not INPUT or OUTPUT, as the marks will otherwise be applied at stages in the network stack that make them irrelevant, i.e. by the time they are applied, they will not be evaluated before the packets arrive at their destination.

I'm using this implementation to provide multiple routes and failover between my cable connection and WiMAX.

What I recommend is the following (replacing necessary values in <>):

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=ISP1 passthrough=yes in-interface=<ISP1_INTERFACE>
add chain=prerouting action=mark-routing new-routing-mark=ISP1 passthrough=yes connection-mark=ISP1
add chain=prerouting action=mark-connection new-connection-mark=ISP2 passthrough=yes in-interface=<ISP2_INTERFACE>
add chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes connection-mark=ISP2

/ip route
add dst-address=0.0.0.0/0 gateway=<ISP1_GATEWAY> distance=1 scope=30 target-scope=10 routing-mark=ISP1
add dst-address=0.0.0.0/0 gateway=<ISP2_GATEWAY> distance=1 scope=30 target-scope=10 routing-mark=ISP2
add dst-address=<LAN_SUBNET> gateway=<LAN_INTERFACE> distance=1 scope=30 target-scope=10 routing-mark=ISP1
add dst-address=<LAN_SUBNET> gateway=<LAN_INTERFACE> distance=1 scope=30 target-scope=10 routing-mark=ISP2

/ip route rule
add routing-mark=ISP1 action=lookup table=ISP1
add routing-mark=ISP2 action=lookup table=ISP2
