lcpwc
just joined
Topic Author
Posts: 16
Joined: Thu Apr 26, 2018 1:49 pm

Routing tables, RIB, FIB and Mangle

Wed Dec 22, 2021 1:38 am

Hello,
We are doing a POC where we need to configure a multiple ISP configuration (2 ISP).
I've read several pages both on wiki about this configuration, but still miss the "theory" behind that.

To keep it simple, let's assume rOS < 7.1 (I saw 7.1 contains several changes)

Here are the points I'd like to confirm/explain:
1) Mikrotik always does PBR. There is a "hidden" routing rule which forces main table usage if no other rules apply
2) A different routing table can be selected via routing rules OR via mangle rules (we would like to use the latter)
3) Mangle rules with action=mark-routing seem to work only in PREROUTING or OUTPUT chains (not able to find an article in wiki)
4) In examples, I've always seen mark-connection first and then mark-routing, but I cannot figure out why we cannot simply use mark-routing

So we did this simple test with a routerboard connected to 2 different ISP (both public IPs, using private in example)
/ip address add interface=ether1 address=10.10.10.1/24
/ip address add interface=ether2 address=192.168.10.1/24

/ip route add gateway=10.10.10.254 routing-mark=ISP1
/ip route add gateway=192.168.10.254 routing-mark=ISP2

/ip firewall mangle add chain=prerouting in-interface=ether1 connection-mark=no-mark action=mark-connection new-connection-mark=from_ISP1
/ip firewall mangle add chain=prerouting in-interface=ether2 connection-mark=no-mark action=mark-connection new-connection-mark=from_ISP2

/ip firewall mangle add chain=prerouting connection-mark=from_ISP1 action=mark-routing new-routing-mark=ISP1
/ip firewall mangle add chain=prerouting connection-mark=from_ISP2 action=mark-routing new-routing-mark=ISP2

As a first test, we want to connect to the routerboard IP addresses using the ISP1 address or the ISP2 address (192.168.10.1 and 10.10.10.1)
In my mind, when a packet arrives at the routerboard, the connection is marked (confirmed in the firewall connections tab) and then packets belonging to the same connection are forced to use the ISP1 or ISP2 routing table, which contains the proper "default route".
Needless to say, it didn't work, but I cannot understand the missing step in my flow.
I have read several articles on the forum, but was unable to join them in a single "packet flow", hence I'm asking for your help.
Thanks in advance.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing tables, RIB, FIB and Mangle

Wed Dec 22, 2021 6:59 pm

1) I guess you can say that. Other way would be saying that it defaults to main routing table. But it's true that there are some other hidden things, for example traffic to local destinations (IP addresses assigned to router) always goes to router, and you can't override it with routing rules (but it's possible with action=route in mangle).
2) ... or VRF
3) It's obvious, selecting a route is a routing decision, other chains are after that, so they can't change it anymore (see https://wiki.mikrotik.com/wiki/Manual:P ... ng_Diagram)
4) Direct mark-routing would be ok for some static things, e.g. client A always using ISP1 and client B always using ISP2. But try to make e.g. port forwarding to the same internal server, which should work from both ISPs, it wouldn't be possible.

As for your failed experiment, if you were testing the router itself, you need to mark routing in chain=output.
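
The test configuration from the question with the chain=output rules from the reply added, as an example that is not part of either post (RouterOS v6 syntax, as assumed in the thread). The last two rules illustrate point 4 for forwarded traffic; the LAN interface name bridge-lan is an assumption and does not appear in the thread.

```routeros
# Addresses and per-ISP default routes, unchanged from the question.
/ip address add interface=ether1 address=10.10.10.1/24
/ip address add interface=ether2 address=192.168.10.1/24
/ip route add gateway=10.10.10.254 routing-mark=ISP1
/ip route add gateway=192.168.10.254 routing-mark=ISP2

# Step 1: remember on which ISP a new connection arrived.
# The mark is stored in connection tracking, so it is also visible
# on reply packets that never pass through ether1/ether2 inbound.
/ip firewall mangle add chain=prerouting in-interface=ether1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=from_ISP1
/ip firewall mangle add chain=prerouting in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=from_ISP2

# Step 2a: traffic to the router itself (the failed test).
# Replies are generated locally, so they never traverse prerouting;
# the routing mark has to be applied in chain=output.
/ip firewall mangle add chain=output connection-mark=from_ISP1 \
    action=mark-routing new-routing-mark=ISP1
/ip firewall mangle add chain=output connection-mark=from_ISP2 \
    action=mark-routing new-routing-mark=ISP2

# Step 2b: forwarded traffic, e.g. a port forward to one internal server.
# Replies from the server enter on the LAN side (bridge-lan is a
# hypothetical interface name); only the connection mark says which ISP
# the client came in on, which is why mark-connection comes first.
/ip firewall mangle add chain=prerouting in-interface=bridge-lan connection-mark=from_ISP1 \
    action=mark-routing new-routing-mark=ISP1
/ip firewall mangle add chain=prerouting in-interface=bridge-lan connection-mark=from_ISP2 \
    action=mark-routing new-routing-mark=ISP2
```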
