magovec
just joined
Topic Author
Posts: 1
Joined: Mon Mar 21, 2022 3:03 pm

ROS 7.1, correct mark-routing and routing tables rules

Mon Mar 21, 2022 4:46 pm

Hi,
in terms of routing marks/tables, what worked for me in v6 (PCC and load balancing) does not work in v7. I have read multiple threads here and tried many different setups with only partial luck. The target situation I want to achieve is simple:
- 2 WANs, static IPs both
- failover with ping check, using external IP (e.g. 8.8.8.8, recursive resolve not the nearest GW via ping)
- running multiple servers in LAN, thus routing is necessary using marking of incoming connections
- some exceptions for specific LAN IPs to prefer outbound WAN (192.168.5.20 in the setup below)
- do not need load-balancing

As I was struggling to get it working I went several steps back and removed proper failover in this setup just to concentrate on the routing. So I set it up as what I thought would be a simple setup - two routing tables, 2 routing table entries with the routing-table attribute specified, and the whole thing with mangling to correctly mark packets. But it does not work. I always need to also add entries to the "main" routing table in order to get it to work, which results in packets then being routed per this main table only and not properly following the marking rules. So I played a lot with routing rules and tried several different setups, which always resulted either in them having no effect or in cutting me off from the router completely (even local LAN access).

The simple setup is as follows:
/routing table
add fib name=to_WAN1
add fib name=to_WAN2

/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.209.1
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.80.2.113 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.209.1 routing-table=to_WAN1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.80.2.113 routing-table=to_WAN2

/ip firewall mangle
add action=accept chain=input dst-address=192.168.209.0/24 in-interface-list=LAN
add action=accept chain=input dst-address=10.80.2.112/29 in-interface-list=LAN
add action=mark-routing chain=prerouting comment=exceptional-IP dst-address-list=!not_internet in-interface-list=LAN new-routing-mark=\
    to_WAN2 passthrough=yes src-address=192.168.5.20
add action=mark-connection chain=prerouting in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=no

/ip firewall nat
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=WAN1 to-addresses=192.168.209.2
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=WAN2 to-addresses=10.80.2.115

Please help me with this or point me to the right thread here in the forum, because all the ones I read were a bit different - mainly because they work with the assumption that there are several LAN subnets and routing to different ISPs is based on these subnets (source IPs), but I want to apply it completely.

Many thanks
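One way to lay this out on ROS 7, as an added example rather than the poster's configuration or a reply from this thread: the two changes relative to the config above are that the routing mark for replies from LAN servers is applied in the prerouting chain (forwarded packets never traverse output, so an output rule only catches router-originated replies), and that each per-WAN table carries the other WAN as a distance-2 fallback so marked traffic does not depend on any fall-through to main. It reuses the interface names WAN1/WAN2, the interface list LAN, the gateways and the exception host from the post; the second ping target 1.1.1.1, the address list not_internet, and the assumption that next-hop resolution for the recursive routes happens in the main table are this example's own.

```routeros
# Added example (not the poster's config): ROS 7 policy routing for inbound
# server connections over two WANs, with recursive ping-based failover.
# Assumptions: interfaces WAN1/WAN2, interface list LAN, gateways
# 192.168.209.1 (WAN1) and 10.80.2.113 (WAN2) as in the post; 8.8.8.8 is the
# check host for WAN1, 1.1.1.1 a placeholder check host for WAN2.

/routing table
add fib name=to_WAN1
add fib name=to_WAN2

/ip route
# Pin each check host to one WAN (scope=10 so the recursive routes below,
# whose target-scope is 10, resolve through these host routes). Side effect:
# all traffic to 8.8.8.8 leaves via WAN1 and to 1.1.1.1 via WAN2.
add dst-address=8.8.8.8/32 gateway=192.168.209.1 scope=10
add dst-address=1.1.1.1/32 gateway=10.80.2.113 scope=10
# main table: WAN1 preferred, WAN2 as failover. A route is withdrawn when
# its check host stops answering pings through that WAN.
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 target-scope=10
add dst-address=0.0.0.0/0 gateway=1.1.1.1 check-gateway=ping distance=2 target-scope=10
# per-WAN tables: own WAN first, the other WAN as explicit fallback, so a
# marked packet always has a route regardless of fall-through semantics.
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 target-scope=10 routing-table=to_WAN1
add dst-address=0.0.0.0/0 gateway=1.1.1.1 check-gateway=ping distance=2 target-scope=10 routing-table=to_WAN1
add dst-address=0.0.0.0/0 gateway=1.1.1.1 check-gateway=ping distance=1 target-scope=10 routing-table=to_WAN2
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=2 target-scope=10 routing-table=to_WAN2

/ip firewall mangle
# Traffic from LAN to the two WAN-side subnets stays in main: "accept" in
# mangle stops further mangle processing, so these packets are never marked.
# (In the post these two rules sit in the input chain, where routing marks
# are never applied.)
add chain=prerouting in-interface-list=LAN dst-address=192.168.209.0/24 action=accept
add chain=prerouting in-interface-list=LAN dst-address=10.80.2.112/29 action=accept
# Remember which WAN a new inbound connection arrived on. Only new, still
# unmarked connections are labelled, so an established flow is never relabelled.
add chain=prerouting in-interface=WAN1 connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=WAN2 connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
# Replies from LAN servers: mark routing in prerouting, skipping packets
# addressed to the router itself (dst-address-type=local), which must keep
# using the main table so management access from LAN is not cut off.
add chain=prerouting in-interface-list=LAN dst-address-type=!local connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting in-interface-list=LAN dst-address-type=!local connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2 passthrough=no
# Router-originated replies (e.g. a management session to a WAN address) do
# traverse output, so the output rules from the post still serve that case.
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2 passthrough=no
# Exception host from the post: its own outbound Internet connections go via
# WAN2. connection-mark=no-mark keeps replies to inbound connections on the
# WAN they arrived on; "not_internet" is assumed to list non-Internet prefixes.
add chain=prerouting in-interface-list=LAN src-address=192.168.5.20 dst-address-list=!not_internet connection-mark=no-mark action=mark-routing new-routing-mark=to_WAN2 passthrough=no
```

The srcnat rules stay as posted. A quick check after applying this is `/ip route print where routing-table=to_WAN1` to confirm both default routes are present and which one is active, and `/ip firewall connection print where connection-mark=WAN2_conn` while connecting to a server via WAN2, to confirm the inbound connection is labelled before its replies reach the mark-routing rule.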
