Re: New routing-mark (table) format changed from v6 to v7, internet works if table is main only. Help please!

darkguy2008 · Sat Jan 08, 2022 8:05 am

Hey all,

Long-time lurker here, first-time poster from at least a couple weeks ago. Some TL;DR background: I have two ISPs that I want to load-balance using PCC. I recently bought a RG750 GR3 hEX and I'm pretty happy with it so far. Bear in mind I've mainly been a software developer for +20 years, so while I do have some networking background, it isn't too deep. I've learned a ton this couple weeks with Mikrotik though, so that's why I'm here as there's something I'm failing to understand:

Most of the tutorials I find online talk about using routing-mark in routes, however, v7 seems to have changed this so now we have to use routing tables. Sadly those tutorials (or well, presentations) haven't been updated since then, and it's kinda hard to find "translations" from v6 to v7, or an online tool or something that would do the translation.

I've followed these two:
https://es.slideshare.net/tipumadhu/mik ... y-solution (Slides 23-24)
https://mum.mikrotik.com//presentations ... 153633.pdf (Slides 26-36)

I've also tested this in v6 and it worked, but I want to use v7 as I need Wireguard. Anyways, it is my understanding that by setting the 0.0.0.0/0 route with a routing-mark of ISP1 or ISP2 would make it work. The commands did work in v6. Now, in v7 the commands throw an error and I read around that I need to replace routing-mark with routing-table, and create some routing tables with the desired name and marked as "FIB" (whatever that means or does).

In theory it should work but it doesn't: I have to set the 0.0.0.0/0 routes as routing-table main for them to work. If I mark them as ISP1 or ISP2, I don't have internet.

So I'm a bit confused: I assume that when I set the 0.0.0.0/0 routes to the main table, it goes to the routing tables and sends the connections to the specified routing mark using that routing table list? Or in other words, how can we translate this bit of code:

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=ISP2 check-gateway=ping

Or the slides from the presentations into v7 format so it works as intended? Right now routing-table has to be main otherwise it won't work, but then, I'm assuming that creating the routing tables isn't doing anything, right?

Sorry for the confusion but I'm confused too, so any pointers are greatly appreciated. I also have other questions, but I'd like to get this sorted out first

Thanks in advance!

darkguy2008 · Sun Jan 09, 2022 1:52 am

Okay so this can be marked as solved, I ended up fixing it myself while waiting for this post to be approved...

For those who are struggling like me to get their PCC working using info from RouterOS v6 into v7, here's what I did, following this awesome presentation: https://mum.mikrotik.com/presentations/US12/steve.pdf

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/routing table
add fib name=WAN1
add fib name=WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main scope=30 target-scope=10
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main scope=30 target-scope=10
add dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=WAN1 scope=10 target-scope=30 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-table=WAN2 scope=10 target-scope=30 check-gateway=ping
add dst-address=8.8.8.8/32 gateway=192.168.1.1 routing-table=WAN1 scope=30 target-scope=10 check-gateway=ping
add dst-address=8.8.4.4/32 gateway=192.168.2.1 routing-table=WAN2 scope=30 target-scope=10 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=ether2_WAN1 action=masquerade
add chain=srcnat out-interface=ether3_WAN2 action=masquerade

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.2.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether1_LAN new-connection-mark=WAN1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether1_LAN new-connection-mark=WAN2 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=ether1_LAN new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=ether1_LAN new-routing-mark=WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=WAN2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=WAN2 passthrough=yes

The /ip route and /routing table parts are the most important. I basically had to add a new route to 0.0.0.0/0 using the WAN addresses as gateways BUT in the main table. So basically what you do for PCC to work is this:

Create the routing tables (WAN1, WAN2)
Create a route where 0.0.0.0/0 will go to 192.168.1.1 in the routing table main (line 1)
Create a route where 0.0.0.0/0 will go to 192.168.2.1 in the routing table main (line 2), this makes both WANs be load-balanced.
Create a route to a server to check as internet gateway, in this case setting 8.8.8.8 as the 0.0.0.0/0 (internet) gateway in the routing table WAN1 (line 3)
Create a route to a server to check as internet gateway, in this case setting 8.8.4.4 as the 0.0.0.0/0 (internet) gateway in the routing table WAN2 (line 4)
Create a route where 8.8.8.8 can only go out from the WAN1 gateway (line 5)
Create a route where 8.8.4.4 can only go out from the WAN2 gateway (line 6)

So basically the way I understood it works is like this, using https://help.mikrotik.com/docs/display/ ... 46/Fib.png as reference:

A packet will need to go out to the internet, the router decides where to send it, WAN1 or WAN2. It checks the routing tables for WAN1 or WAN2. Let's assume WAN1 is picked (maybe due to the firewall mangle rules?)
In the routing table for WAN1, it says that the packet should go to 8.8.8.8 because the scope for that entry is scope 10, and aims to go to a static route (target-scope 30)
The route 8.8.8.8/32 is found (scope=30) and it says it should go through WAN1's gateway (192.168.1.1)
There are no more entries found in the routing table, so the "next hop" is in the main table, therefore...
Routing table main says that internet can go out from either WAN1 or WAN2. Since the next hop is aimed for WAN1 (192.168.1.1) then it goes from there.

Maybe I'm wrong, maybe I'm not, but all I know it works as intended, so here's the solution I found. I've tested this failover setup by disconnecting the cables every now and then and internet just has a hiccup for a couple of seconds before resuming, so in my experience, it works good for me. Using two WAN links 200/10, I get about 350-390 mbps download in fast.com and around 20mbps upload.

Of course, any suggestions / corrections are welcome, I'm no expert by any means, I just found out that I needed to add the 0.0.0.0/0 routes for both WAN interfaces in the main routing table, which was the step I was missing. Lines 3-6 are from the presentation (or RouterOS v6) so I needed to add the first two extra lines for it to work.

Thanks all!

Re: New routing-mark (table) format changed from v6 to v7, internet works if table is main only. Help please! [SOLVED]

New routing-mark (table) format changed from v6 to v7, internet works if table is main only. Help please!

Re: New routing-mark (table) format changed from v6 to v7, internet works if table is main only. Help please! [SOLVED]

Who is online