The most logical thing you need to do is write on the topic where you found those rules, or ask whoever wrote it.
On the forum are already present dozens of examples and some are well explained.
Thank you for the response. This existing routing config in a running (production) MT was done by someone who is no longer reachable right now; hence, the non-techie owner of the network has asked me for help to check if the said config is correct or needs improvement.
Thank you very much Sir.
Will look at this tomorrow, too fried tonight to make sense of it, but good questions!!!
Thank you Sir Anav.
Just to confirm: you have three groups of users, each should use a different WAN as their primary.
There is no concern for incoming traffic externally originated; this setup is for outgoing traffic originated on the LANs?
Also, what I don't understand is why are you mangling if all the groups of users involved are whole subnets?
One should be able to avoid mangling and use routing rules etc.
Are all the addresses on the lists above local subnets behind the router? Assuming yes.
Another question: do any of the users need to access other subnets on the router? Since we are directing all users out a specific WAN, we need to know if there are any exceptions when going outside one's own subnet. For example, is there a shared printer or a local server that users will be crossing over subnets to get to?
VERSION 6
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 table=main distance=5
add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 routing-mark=ISP1_route distance=5
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add check-gateway=ping dst-address=10.10.10.10/32 gateway=9.9.9.9 scope=10 target-scope=13
add dst-address=9.9.9.9/32 gateway=PrimaryISP-gatewayIP scope=10 target-scope=12
add check-gateway=ping dst-address=10.10.10.10/32 gateway=1.0.0.1 scope=10 target-scope=13
add dst-address=1.0.0.1/32 gateway=PrimaryISP-gatewayIP scope=10 target-scope=12
.....................................................................
add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 table=main distance=10
add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 routing-mark=ISP2_route distance=10
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add check-gateway=ping dst-address=10.10.10.10/32 gateway=9.9.9.9 scope=10 target-scope=13
add dst-address=9.9.9.9/32 gateway=SecondaryISP-gatewayIP scope=10 target-scope=12
add check-gateway=ping dst-address=10.10.10.10/32 gateway=1.0.0.1 scope=10 target-scope=13
add dst-address=1.0.0.1/32 gateway=SecondaryISP-gatewayIP scope=10 target-scope=12
.....................................................................
add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 table=main distance=20
add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 routing-mark=ISP3_route distance=20
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add check-gateway=ping dst-address=10.10.10.10/32 gateway=9.9.9.9 scope=10 target-scope=13
add dst-address=9.9.9.9/32 gateway=TertiaryISP-gatewayIP scope=10 target-scope=12
add check-gateway=ping dst-address=10.10.10.10/32 gateway=1.0.0.1 scope=10 target-scope=13
add dst-address=1.0.0.1/32 gateway=TertiaryISP-gatewayIP scope=10 target-scope=12
/ip route rule
add src-address=subnetA action=lookup table=ISP1_route comment=standard
add src-address=subnetB action=lookup table=ISP1_route comment=standard
add src-address=subnetC action=lookup table=ISP2_route comment=vip
add src-address=subnetD action=lookup table=ISP2_route comment=vip
add src-address=subnetC action=lookup table=ISP3_route comment=others
add src-address=subnetD action=lookup table=ISP3_route comment=others
In v6 it's in IP->Routes on the Rules tab.
Thank you very much for pointing me to the right tab Sir. I surely overlooked it.
Now I just need to understand how to properly use the Routing Rules to replace my Mangle Rules.
By the way, may I know why Anav and the other experts here prefer to use the routing rules instead of mangling? What are the advantages and disadvantages between the two?
jajajaja I'm not an expert and that is the reason I personally avoid mangling; it's more complex, and since normally one cannot use FastTrack with mangling (sometimes one can work around mangling but often not), performance will be slower (although probably a home user would never notice). I use it when I don't have another choice. Keep it simple!!
You can use any numbers for distance as long as they are separated.
I set up the scope and target scope numbers such that they are also legal for Vers7 when you switch.
The only difference between V6 and V7 for this particular config would be the need to create 3 tables and,
on the second IP route for each ISPX, use table= vice routing-mark=
This should do it. All standard users will follow the route rules and go out ISP1, all vip users will go out ISP2 and all other users will go out ISP3.
Case1: IF ISP1 goes down the router will look for the next available route and will find it in the main table, and since ISP2 is lower in distance it will be chosen, and if ISP2 is not available it will choose ISP3. IF ISP2 comes back online the users will be directed back through ISP2, and if ISP1 comes back online the users will go to their original ISP1.
Case2: IF ISP2 goes down the router will look for the next available route and it will be ISP1, and then ISP3 etc.
Case3: IF ISP3 goes down, the router will look for the next available route; it will be ISP1, and then ISP2 etc.
VERSION 7 Differences.
/routing table
add name=ISP1_route fib
add name=ISP2_route fib
add name=ISP3_route fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 routing-table=ISP1_route distance=5
add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 routing-table=ISP2_route distance=10
add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 routing-table=ISP3_route distance=20
Hi Sir, noted on this. Will try to implement this config ASAP once my client (the network owner) has sent an advisory to their subscribers for a scheduled system maintenance. This is to ensure the end users are aware of possible service downtime.
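A constructed simulation of the three failover cases described above, added here as an example and not part of the thread: it models RouterOS nexthop resolution with the thread's scope/target-scope and distance values, check-gateway=ping on the virtual-hop routes, and the per-group routing-rule lookup with fallback to main. The per-ISP virtual hops, probe hosts and group names follow the configs posted in this thread; the WAN gateway and network addresses are assumed documentation values standing in for the masked ones.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's design: per ISP a virtual hop, a probe host reachable
# only via that ISP, and a check-gateway route to the hop. WAN addresses are assumed stand-ins.
ISPS = {  # name: (virtual hop, distance, WAN gateway, WAN network, probe host)
    "ISP1": ("10.1.1.1", 5, "192.168.1.1", "192.168.1.0/24", "9.9.9.9"),
    "ISP2": ("10.2.2.2", 10, "198.51.100.89", "198.51.100.0/24", "208.67.222.222"),
    "ISP3": ("10.3.3.3", 20, "203.0.113.121", "203.0.113.0/24", "1.1.1.1"),
}
# /ip route rule src-address=<group subnet> action=lookup table=<ISPx_route>
RULES = {"standard": "ISP1_route", "vip": "ISP2_route", "others": "ISP3_route"}

@dataclass
class Route:
    dst: str
    gateway: str            # next-hop IP, or the egress interface for a connected route
    scope: int
    target_scope: int
    distance: int = 1
    table: str = "main"     # v6 routing-mark / v7 routing-table
    check_gateway: bool = False
    connected: bool = False

def build_routes():
    routes = []
    for isp, (hop, dist, wan_gw, wan_net, probe) in ISPS.items():
        routes += [
            Route(wan_net, f"wan-{isp}", 10, 10, connected=True),
            Route(f"{probe}/32", wan_gw, 10, 12),                   # probe only via this ISP
            Route(f"{hop}/32", probe, 10, 13, check_gateway=True),  # hop alive iff probe pings
            Route("0.0.0.0/0", hop, 10, 14, dist, "main"),
            Route("0.0.0.0/0", hop, 10, 14, dist, f"{isp}_route"),
        ]
    return routes

def resolve(route, routes, link_up, upstream_ok, chain=()):
    """Egress interface if the route is active, else None. Nexthop lookup as in RouterOS:
    main-table routes with scope <= target-scope, most specific first, then lowest distance."""
    if route.connected:
        return route.gateway if link_up[route.gateway] else None
    path = chain + (route,)  # routes already being resolved are skipped (no loops)
    gw = ipaddress.ip_address(route.gateway)
    cands = [r for r in routes if r.table == "main" and r.scope <= route.target_scope
             and r not in path and gw in ipaddress.ip_network(r.dst)]
    cands.sort(key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen, r.distance))
    for r in cands:
        egress = resolve(r, routes, link_up, upstream_ok, path)
        if egress is not None:
            # check-gateway=ping: the probe is pinged along this path; no reply, no route
            return None if route.check_gateway and not upstream_ok[egress] else egress
    return None

def lookup(table, routes, link_up, upstream_ok):
    """Routing-rule lookup: best active default in the marked table, else main."""
    for tbl in (table, "main"):
        defaults = [r for r in routes if r.table == tbl and r.dst == "0.0.0.0/0"]
        for r in sorted(defaults, key=lambda r: r.distance):
            egress = resolve(r, routes, link_up, upstream_ok)
            if egress:
                return egress
    return None

def simulate(down=(), dead=()):
    """Egress per group. down: WAN links unplugged; dead: link up but upstream unreachable."""
    routes = build_routes()
    link_up = {f"wan-{isp}": isp not in down for isp in ISPS}
    upstream_ok = {f"wan-{isp}": isp not in down and isp not in dead for isp in ISPS}
    return {grp: lookup(tbl, routes, link_up, upstream_ok) for grp, tbl in RULES.items()}
```

Running `simulate(down=("ISP1",))` reproduces Case1 (standard users leave via ISP2) and `simulate(dead=("ISP1",))` shows why the probe routes matter: the link is up but the ping fails, so the hop route drops and users still fail over.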
hahaha well, you wouldn't be a "forum guru" here if you were not an expert (at least on some functions of MT) yet. And second, you can't write a well organized MikroTik configuration guide if your knowledge on the subject is only limited. hehe
[attachment: rules.jpg]
Routing rules work only with IP addresses. Mangling is more flexible, because you can use any condition allowed by the firewall, so you can e.g. route all http(s) traffic (ports 80 and 443) to one ISP and everything else to another. You can't do that with routing rules. But routing rules are compatible with FastTrack, while mangling is not. Sometimes it's also good that they stay aside from the firewall (if you have a lot of other stuff there). And they should be faster, but I don't have any numbers on how much.
Sir, may I know where I can select the option "table=main" under the /ip route tab in RouterOS 6.49.6? I can only see the "routing mark" dropdown menu, though when I click the dropdown I can see the route rules I made and there's also an option for "main", but it's not under the table selection menu but from the routing mark selection menu. Are the "routing mark" & "table" options the same in ROS 6?
About performance, see the last sentence in my previous post, sir.
Combination of routing rules and routing marks is possible. One unfortunate thing is that they recently changed their priorities (see viewtopic.php?p=956630#p956630), so if you configure something in v6, it may break when you upgrade to v7.
table main is a v7 view; default table is the V6 view.
In other words, in V7 we specify which table; in V6, we specify the routing mark.
So if I am going to configure these settings
Looks good from my perspective.
Now to see if it works.
Probably should post complete config /export (minus serial number and any public WAN IP info - seems it's all private).
Hi Sir Anav,
Please pardon me, but as much as I want to post an exported complete config, I can't do it for now because I don't have any desktop PC or laptop here to use. Currently I only have an Android phone that I use to check and configure the MT via the mobile WinBox app. I already tried to copy the text from the terminal/CLI of the app but it can't.
Please post the actual config; you have differences in your presentation which do not help.
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=10 target-scope=14 routing-mark=main distance=5
add dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=10 target-scope=14 routing-mark=ISP1_route distance=5
add dst-address=0.0.0.0/0 gateway=10.2.2.2 scope=10 target-scope=14 routing-mark=main distance=10
add dst-address=0.0.0.0/0 gateway=10.2.2.2 scope=10 target-scope=14 routing-mark=ISP2_route distance=10
add dst-address=0.0.0.0/0 gateway=10.3.3.3 scope=10 target-scope=14 routing-mark=main distance=20
add dst-address=0.0.0.0/0 gateway=10.3.3.3 scope=10 target-scope=14 routing-mark=ISP3_route distance=20
Yes it's perplexing.
If WAN2 is up, then any new connections/sessions would be directed out WAN2.
Can you confirm that when you plug ethernet back in for WAN2, the IP routes for WAN2 become available (go from blue to black), never mind testing users.
If they do not, there is perhaps an issue with acquiring a new WAN gateway IP???
Still, removing the routes and reapplying the routes shouldn't fix the issue if that is what it is??
Hi Sir, yes I tried it already. When I plug back ethernet for WAN2 the two recursive routes (with real DNS addresses)
/ip route
add comment="Virtual Route ISP1 - (to-ISP1_primary_route)" distance=5 \
gateway=10.1.1.1 routing-mark=to-ISP1_route scope=10 target-scope=14
add comment="Virtual Route ISP2 - (to-ISP2_primary_route)" distance=10 \
gateway=10.2.2.2 routing-mark=to-ISP2_route scope=10 target-scope=14
add comment="Virtual Route ISP3 - (to-ISP3_route)" distance=20 gateway=\
10.3.3.3 routing-mark=to-ISP3_route scope=10 target-scope=14
add comment="Virtual Route ISP1 - (main table)" distance=5 gateway=10.1.1.1 \
scope=10 target-scope=14
add comment="Virtual Route ISP2 - (main table)" distance=10 gateway=10.2.2.2 \
scope=10 target-scope=14
add comment="Virtual Route ISP3 - (main table)" distance=20 gateway=10.3.3.3 \
scope=10 target-scope=14
add comment="Tertiary Route _ ISP3-A" distance=1 dst-address=1.1.1.1/32 \
gateway=XXX.XXX.XXX.121 scope=10 target-scope=12
add comment="Primary Route _ ISP1-A" distance=1 dst-address=9.9.9.9/32 \
gateway=192.168.1.1 scope=10 target-scope=12
add check-gateway=ping comment="Monitoring ISP1-A" distance=1 dst-address=\
10.1.1.1/32 gateway=9.9.9.9 scope=10 target-scope=13
add check-gateway=ping comment="Monitoring ISP1-B" distance=1 dst-address=\
10.1.1.1/32 gateway=76.76.19.19 scope=10 target-scope=13
add check-gateway=ping comment="Monitoring ISP2-B" distance=1 dst-address=\
10.2.2.2/32 gateway=94.140.14.14 scope=10 target-scope=13
add check-gateway=ping comment="Monitoring ISP2-A" distance=1 dst-address=\
10.2.2.2/32 gateway=208.67.222.222 scope=10 target-scope=13
add check-gateway=ping comment="Monitoring ISP3-A" distance=1 dst-address=\
10.3.3.3/32 gateway=1.1.1.1 scope=10 target-scope=13
add check-gateway=ping comment="Monitoring ISP3-B" distance=1 dst-address=\
10.3.3.3/32 gateway=76.76.2.0 scope=10 target-scope=13
add comment="Tertiary Route _ ISP3-B" distance=1 dst-address=76.76.2.0/32 \
gateway=XXX.XXX.XXX.121 scope=10 target-scope=12
add comment="Primary Route _ ISP1-B" distance=1 dst-address=76.76.19.19/32 \
gateway=192.168.1.1 scope=10 target-scope=12
add comment="Secondary Route _ ISP2-B" distance=1 dst-address=94.140.14.14/32 \
gateway=XXX.XXX.XXX.89 scope=10 target-scope=12
add comment="Secondary Route _ ISP2-A" distance=1 dst-address=\
208.67.222.222/32 gateway=XXX.XXX.XXX.89 scope=10 target-scope=12
add comment="Virtual Route ISP1 - (main table)" distance=5 gateway=10.1.1.1 \
scope=10 target-scope=14
add comment="Virtual Route ISP1 - (to-ISP1_primary_route)" distance=5 \
gateway=10.1.1.1 routing-mark=to-ISP1_route scope=10 target-scope=14
add check-gateway=ping comment="Monitoring ISP1-A" distance=1 dst-address=\
10.1.1.1/32 gateway=9.9.9.9 scope=10 target-scope=13
add comment="Primary Route _ ISP1-A" distance=1 dst-address=9.9.9.9/32 \
gateway=192.168.1.1 scope=10 target-scope=12
add check-gateway=ping comment="Monitoring ISP1-B" distance=1 dst-address=\
10.1.1.1/32 gateway=76.76.19.19 scope=10 target-scope=13
add comment="Primary Route _ ISP1-B" distance=1 dst-address=76.76.19.19/32 \
gateway=192.168.1.1 scope=10 target-scope=12
add comment="Virtual Route ISP2 - (main table)" distance=10 gateway=10.2.2.2 \
scope=10 target-scope=14
add comment="Virtual Route ISP2 - (to-ISP2_primary_route)" distance=10 \
gateway=10.2.2.2 routing-mark=to-ISP2_route scope=10 target-scope=14
add check-gateway=ping comment="Monitoring ISP2-A" distance=1 dst-address=\
10.2.2.2/32 gateway=208.67.222.222 scope=10 target-scope=13
add comment="Secondary Route _ ISP2-A" distance=1 dst-address=\
208.67.222.222/32 gateway=XXX.XXX.XXX.89 scope=10 target-scope=12
add check-gateway=ping comment="Monitoring ISP2-B" distance=1 dst-address=\
10.2.2.2/32 gateway=94.140.14.14 scope=10 target-scope=13
add comment="Secondary Route _ ISP2-B" distance=1 dst-address=94.140.14.14/32 \
gateway=XXX.XXX.XXX.89 scope=10 target-scope=12
add comment="Virtual Route ISP3 - (main table)" distance=20 gateway=10.3.3.3 \
scope=10 target-scope=14
add comment="Virtual Route ISP3 - (to-ISP3_route)" distance=20 gateway=\
10.3.3.3 routing-mark=to-ISP3_route scope=10 target-scope=14
add check-gateway=ping comment="Monitoring ISP3-A" distance=1 dst-address=\
10.3.3.3/32 gateway=1.1.1.1 scope=10 target-scope=13
add comment="Tertiary Route _ ISP3-A" distance=1 dst-address=1.1.1.1/32 \
gateway=XXX.XXX.XXX.121 scope=10 target-scope=12
add check-gateway=ping comment="Monitoring ISP3-B" distance=1 dst-address=\
10.3.3.3/32 gateway=76.76.2.0 scope=10 target-scope=13
add comment="Tertiary Route _ ISP3-B" distance=1 dst-address=76.76.2.0/32 \
gateway=XXX.XXX.XXX.121 scope=10 target-scope=12
The question was not about what the users were experiencing.
I wanted to know what IP routes showed in terms of being active or inactive.
When you pulled the plug on the WAN2 ether port, all its associated routes should have turned from black to blue, and when you plugged ether2 back in they should have turned from blue to black.
In addition, in IP DHCP client settings, you would see the status of the connection at any given point in time and can monitor what happens before you pull the plug, after you pull the plug, and when you put the plug back in.
Two possibilities.
a. you're interpreting information as to what is up or down or available incorrectly, or MORE LIKELY
b. there is something wrong in the config format; nothing you have done, as there are no errors I can see, so it must be the design.
What you have looks good to me so there must be a flaw in the design ( back to the drawing board )
With regards to interpreting what is available, I was able to confirm it by creating three PPPoE accounts, each under a different subnet based on the three groups of subnets I made in the /ip route rules tab.
Hi Sir Anav!
One step at a time. I have to figure out what you did first, and why it works, and then my guess is that we will need additional routing rules to allow such traffic.
Can you be clearer?
Do you mean you specifically?
What are the requirements?
Is it a case of:
user with IP X, on subnet B needs access to ??
user with IP Y, on subnet C needs access to ??
Subnet B needs access to Subnet Y??
Hi Sir Anav, what I meant is that any LAN IP under any LAN subnet can access any LAN IP under any LAN subnet. In short, it's open communication within the entire LAN, but access is only granted to a specific device (MAC address).
Can you please post your latest... cheers
Alex
As requested sir, here is my current config with recursive failover routes and routing rules implemented.
I am not really caring about white listing etc.
So you have three IP addresses that require access to other LANs and this is the only cross-LAN communication required by those behind the router?
Are the three IPs within the same subnet, and if so, which one?
Are the three IPs set statically in DHCP leases (won't change)?
What I meant was plainly stated.
You as the admin require access to different LAN devices; if we are to make special rules we need to know how many IPs there are and where they are coming from.
If it's just you the admin, or it's an entire subnet that needs access to other LAN devices, it's probably doable within routing rules; otherwise mangling comes into the picture.
So please answer the question:
who needs what from where to where. Then we can design accordingly.
Hi Sir Anav, I as the admin need to access the LAN devices (customers' PPPoE ONT/ONU devices as well as some AP devices used for the hotspot). And I need to have that access wherever I go, as long as there is an available ONT/ONU or AP connected to the LAN to which my mobile device (laptop or smartphone) can connect.