cbera
just joined
Topic Author
Posts: 13
Joined: Fri Dec 16, 2016 6:10 pm

Routing mark and Os7 with two isp

Mon Mar 20, 2023 7:18 pm

Hi all, I have the following situation on an RB750 (RouterOS v6) to manage 2 ISPs for two networks, divided according to two "source access lists". In this way the 192.168.1.0/24 class goes out with ISP1 TIM, while 192.168.4.0/24 goes out with ISP2 VODAFONE (and with the lists I can customize any single host).
Everything works. It also works as a failover in case one of the two connections is lost.
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
add address=192.168.1.3/32 interface=eth2-WAN2 network=192.168.1.2

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.4.0/24

/ip firewall address-list
add address=192.168.1.0/24 list=TIM
add address=192.168.4.0/24 list=VODAFONE
add address=192.168.1.31 list=VODAFONE

/ip firewall mangle
add action=mark-routing chain=prerouting log=no log-prefix="" new-routing-mark=isp1 passthrough=yes src-address-list=TIM
add action=mark-routing chain=prerouting log=no log-prefix="" new-routing-mark=isp2 passthrough=yes src-address-list=VODAFONE

/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=isp2 scope=30 target-scope=10
add distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=isp1 scope=30 target-scope=10
add distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 scope=30 target-scope=10
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 scope=30 target-scope=10

/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
Now I need to migrate this config to an RB5009 with RouterOS v7. I made the following changes, but the second class 192.168.4.0/24 does not exit correctly via ISP2, while the first has several errors in establishing connections. Internal routing does not work on OVPN client connections, which worked with double ISP on the previous config on the RB750 (but it works if I set only one gateway with ISP1).
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
add address=192.168.1.3 interface=eth2-WAN2 network=192.168.1.2

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.4.0/24

/ip firewall address-list
add address=192.168.1.0/24 list=TIM
add address=192.168.4.0/24 list=VODAFONE
add address=192.168.1.31 list=VODAFONE

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=isp1 passthrough=yes src-address-list=TIM
add action=mark-routing chain=prerouting new-routing-mark=isp2 passthrough=yes src-address-list=VODAFONE

/routing table
add fib name=isp1
add fib name=isp2

/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=isp2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=0.0.0.0 routing-table=isp1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/ip route rule
add action=lookup-only-in-table disabled=no dst-address=192.168.0.0/16 table=main
Where am I going wrong?
Thanks
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing mark and Os7 with two isp

Mon Mar 20, 2023 9:38 pm

/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=isp2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=0.0.0.0 routing-table=isp1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
 
rplant
Member Candidate
Member Candidate
Posts: 282
Joined: Fri Sep 29, 2017 11:42 am

Re: Routing mark and Os7 with two isp  [SOLVED]

Tue Mar 21, 2023 5:47 am

Hi,
Routing has changed a bit.

Direct matching routes with routing table entries in the route table are used first.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=isp2 scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.0.0/16 table=main
If a packet with routing-table = isp2 is received by the router, it WILL use the above route entry and ignore the routing rule.

A couple of options:
1. Make packet route marking more specific.
/ip firewall mangle
add action=mark-routing chain=prerouting log=no log-prefix="" new-routing-mark=isp2 passthrough=yes src-address-list=VODAFONE dst-address=!192.168.0.0/16
2. Redirect the routing lookup via the rules, which works much like it used to.
/ip firewall mangle
add action=mark-routing chain=prerouting log=no log-prefix="" new-routing-mark=rule-isp2 passthrough=yes src-address-list=VODAFONE

/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=isp2 scope=30 target-scope=10

/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.0.0/16 table=main
add dst-address=0.0.0.0/0 routing-mark=rule-isp2 action=lookup table=isp2

3. Can also fully specify all routes for routing-mark=isp2
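To make the lookup order described above concrete, here is an added Python model (not RouterOS code and not from this thread) of the three configurations: a routing mark that names an existing FIB table is resolved in that table first, and only a mark with no table of its own falls through to the routing rules. It models only the VODAFONE/isp2 side with the thread's addresses, and the scenario names ORIGINAL, OPTION1 and OPTION2 are my own labels.

```python
import ipaddress

# Constructed model of the v7 lookup order described in the post above:
# a mark naming a FIB table is resolved there first; a mark without a
# table reaches the routing rules. Only the VODAFONE/isp2 side is modelled.
ADDRESS_LISTS = {"VODAFONE": ["192.168.4.0/24", "192.168.1.31/32"]}
TABLES = {  # (prefix, gateway) per table; main also holds the connected LANs
    "main": [("192.168.1.0/24", "bridge1"), ("192.168.4.0/24", "bridge1"),
             ("0.0.0.0/0", "pppoe-out1")],
    "isp2": [("0.0.0.0/0", "192.168.1.2")],
}
net, addr = ipaddress.ip_network, ipaddress.ip_address

def in_list(ip, name):
    return any(addr(ip) in net(n) for n in ADDRESS_LISTS[name])

def best_route(table, dst):
    """Longest-prefix match in one table; None if nothing matches."""
    hits = [(net(p), gw) for p, gw in TABLES[table] if addr(dst) in net(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def mangle(src, dst, rules):
    """passthrough=yes: every matching rule runs, so the last mark wins."""
    mark = None
    for r in rules:
        if in_list(src, r["src_list"]) and not (
                "dst_not" in r and addr(dst) in net(r["dst_not"])):
            mark = r["mark"]
    return mark

def route(src, dst, mangle_rules, routing_rules):
    """Gateway or interface the packet leaves by; None means unroutable."""
    mark = mangle(src, dst, mangle_rules)
    if mark in TABLES and best_route(mark, dst):   # direct table hit wins
        return best_route(mark, dst)
    for rule in routing_rules:                      # else routing rules, in order
        if rule.get("mark", mark) != mark or addr(dst) not in net(rule["dst"]):
            continue
        gw = best_route(rule["table"], dst)
        if gw or rule["action"] == "lookup-only-in-table":
            return gw
    return best_route("main", dst)

# The OP's migrated config, option 1 (dst-address=!192.168.0.0/16 in mangle)
# and option 2 (mark "rule-isp2" has no table, so the routing rules decide).
LAN_RULE = {"action": "lookup-only-in-table", "dst": "192.168.0.0/16", "table": "main"}
ORIGINAL = ([{"src_list": "VODAFONE", "mark": "isp2"}], [LAN_RULE])
OPTION1 = ([{"src_list": "VODAFONE", "mark": "isp2", "dst_not": "192.168.0.0/16"}], [LAN_RULE])
OPTION2 = ([{"src_list": "VODAFONE", "mark": "rule-isp2"}], [LAN_RULE,
           {"action": "lookup", "dst": "0.0.0.0/0", "mark": "rule-isp2", "table": "isp2"}])
```

With ORIGINAL a LAN2-to-LAN1 packet is sent to the ISP2 gateway 192.168.1.2 because the isp2 table answers before the routing rule is consulted; with either option it stays on bridge1 while Internet-bound traffic, including the 192.168.1.31 host override, still leaves via 192.168.1.2.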
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing mark and Os7 with two isp

Tue Mar 21, 2023 1:07 pm

I see nothing wrong with your setup, but I would change the source NAT rules, as it's not clear which WAN they refer to and thus I'm not sure they would work right.
From:
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.4.0/24

TO
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
{ adding src-address is optional but not required }
add action=masquerade chain=srcnat out-interface=WAN2
{ adding src-address is optional but not required }

OR BETTER, since WAN2 is a fixed/static WAN IP:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=src-nat chain=srcnat to-addresses=192.168.1.3 out-interface=eth2-WAN2


But I have an issue as to why your LAN1 and WAN2 are in the same subnet... also problematic.
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
add address=192.168.1.3/32 interface=eth2-WAN2 network=192.168.1.2

Then, to top it off and worse, you add the ISP2 address to one of the LAN firewall address lists, and not the one with the same subnet???
/ip firewall address-list
add address=192.168.1.0/24 list=TIM
add address=192.168.4.0/24 list=VODAFONE
add address=192.168.1.31 list=VODAFONE

YOU REALLY NEED TO SORT THIS OUT FIRST!!!
Last edited by anav on Tue Mar 21, 2023 1:34 pm, edited 5 times in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing mark and Os7 with two isp

Tue Mar 21, 2023 1:16 pm

Would also agree with the previous poster that your rules are a bit funny to have worked well in the past...
Agree with your approach using firewall address lists; as you state, it's not just whole subnets but subnets plus or minus a number of folks that may change from time to time. Much easier to adjust a firewall address list, and smarter, than to keep changing whole rules.

The additional destination address in the mangle rule suggested above is also a smart move IF YOU NEED LAN to LAN traffic, because what it does is only mark traffic NOT headed for the other subnet(s). In this way LAN to LAN traffic is not affected by your mangling. You could get away with not adding the additional dst part by creating two ROUTING RULES to ensure LAN1 could reach LAN2 and LAN2 could reach LAN1.

However, as stated, it was not clear if you needed LAN1 to LAN2 traffic or vice versa, and if NOT then you can skip the previous poster's addition of the destination address in the mangle rules.

/ip firewall mangle
add action=mark-routing chain=prerouting log=no log-prefix="" new-routing-mark=isp1 passthrough=yes src-address-list=TIM
add action=mark-routing chain=prerouting log=no log-prefix="" new-routing-mark=isp2 passthrough=yes src-address-list=VODAFONE

In terms of routing, standard routes plus two mangled routes should suffice without any need for routing rules!!
/ip route
add dst-address=0.0.0.0/0 gateway=WAN1 routing-table=main
add dst-address=0.0.0.0/0 gateway=WAN2 routing-table=main
add dst-address=0.0.0.0/0 gateway=WAN1 routing-table=isp1
add dst-address=0.0.0.0/0 gateway=WAN2 routing-table=isp2


What you have not detailed is any requirements for the relationship between the two WANs.
Did you want any failover: if WAN1 was to go down, move all LAN1 to WAN2, and vice versa if WAN2 was to go down, move all LAN2 to WAN1, etc.?
 
cbera
just joined
Topic Author
Posts: 13
Joined: Fri Dec 16, 2016 6:10 pm

Re: Routing mark and Os7 with two isp

Wed Mar 22, 2023 11:16 am

/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=isp2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=0.0.0.0 routing-table=isp1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Sorry, this is a mistake due to some tests I was doing. The production configuration does not have the "disabled=yes".
Last edited by cbera on Wed Mar 22, 2023 11:18 am, edited 1 time in total.
 
cbera
just joined
Topic Author
Posts: 13
Joined: Fri Dec 16, 2016 6:10 pm

Re: Routing mark and Os7 with two isp

Wed Mar 22, 2023 11:17 am

Hi,
Routing has changed a bit.

Direct matching routes with routing table entries in the route table are used first.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=isp2 scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.0.0/16 table=main
If a packet with routing-table = isp2 is received by the router, it WILL use the above route entry and ignore the routing rule.

A couple of options:
1. Make packet route marking more specific.
/ip firewall mangle
add action=mark-routing chain=prerouting log=no log-prefix="" new-routing-mark=isp2 passthrough=yes src-address-list=VODAFONE dst-address=!192.168.0.0/16
2. Redirect the routing lookup via the rules, which works much like it used to.
/ip firewall mangle
add action=mark-routing chain=prerouting log=no log-prefix="" new-routing-mark=rule-isp2 passthrough=yes src-address-list=VODAFONE

/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=isp2 scope=30 target-scope=10

/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.0.0/16 table=main
add dst-address=0.0.0.0/0 routing-mark=rule-isp2 action=lookup table=isp2

3. Can also fully specify all routes for routing-mark=isp2


Solution 2 is working very well for me. Thank you very much.
 
cbera
just joined
Topic Author
Posts: 13
Joined: Fri Dec 16, 2016 6:10 pm

Re: Routing mark and Os7 with two isp

Wed Mar 22, 2023 11:23 am

I see nothing wrong with your setup, but I would change the source NAT rules, as it's not clear which WAN they refer to and thus I'm not sure they would work right.
From:
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.4.0/24

TO
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
{ adding src-address is optional but not required }
add action=masquerade chain=srcnat out-interface=WAN2
{ adding src-address is optional but not required }

OR BETTER, since WAN2 is a fixed/static WAN IP:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=src-nat chain=srcnat to-addresses=192.168.1.3 out-interface=eth2-WAN2


But I have an issue as to why your LAN1 and WAN2 are in the same subnet... also problematic.
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
add address=192.168.1.3/32 interface=eth2-WAN2 network=192.168.1.2

Then, to top it off and worse, you add the ISP2 address to one of the LAN firewall address lists, and not the one with the same subnet???
/ip firewall address-list
add address=192.168.1.0/24 list=TIM
add address=192.168.4.0/24 list=VODAFONE
add address=192.168.1.31 list=VODAFONE

YOU REALLY NEED TO SORT THIS OUT FIRST!!!

Right, there are a few conceptual errors. I will correct them. Thanks.
 
cbera
just joined
Topic Author
Posts: 13
Joined: Fri Dec 16, 2016 6:10 pm

Re: Routing mark and Os7 with two isp

Wed Mar 22, 2023 11:28 am

Would also agree with the previous poster that your rules are a bit funny to have worked well in the past...
Agree with your approach using firewall address lists; as you state, it's not just whole subnets but subnets plus or minus a number of folks that may change from time to time. Much easier to adjust a firewall address list, and smarter, than to keep changing whole rules.

The additional destination address in the mangle rule suggested above is also a smart move IF YOU NEED LAN to LAN traffic, because what it does is only mark traffic NOT headed for the other subnet(s). In this way LAN to LAN traffic is not affected by your mangling. You could get away with not adding the additional dst part by creating two ROUTING RULES to ensure LAN1 could reach LAN2 and LAN2 could reach LAN1.

However, as stated, it was not clear if you needed LAN1 to LAN2 traffic or vice versa, and if NOT then you can skip the previous poster's addition of the destination address in the mangle rules.

/ip firewall mangle
add action=mark-routing chain=prerouting log=no log-prefix="" new-routing-mark=isp1 passthrough=yes src-address-list=TIM
add action=mark-routing chain=prerouting log=no log-prefix="" new-routing-mark=isp2 passthrough=yes src-address-list=VODAFONE

In terms of routing, standard routes plus two mangled routes should suffice without any need for routing rules!!
/ip route
add dst-address=0.0.0.0/0 gateway=WAN1 routing-table=main
add dst-address=0.0.0.0/0 gateway=WAN2 routing-table=main
add dst-address=0.0.0.0/0 gateway=WAN1 routing-table=isp1
add dst-address=0.0.0.0/0 gateway=WAN2 routing-table=isp2


What you have not detailed is any requirements for the relationship between the two WANs.
Did you want any failover: if WAN1 was to go down, move all LAN1 to WAN2, and vice versa if WAN2 was to go down, move all LAN2 to WAN1, etc.?

The goal is to have two distinct classes that don't speak to each other and have nothing in common. I have two ISPs; I would like ISP1 to serve LAN1 (1.x) and ISP2 to serve LAN2 (4.x).
There are no constraints; in fact, they allow a failover of one of the two networks if the other fails.
Finally, I would like to have the possibility to decide the exit ISP of a specific client (by IP). So with this configuration, do I also mark the internal LAN-to-LAN routing?
