 
nikk
just joined
Topic Author
Posts: 12
Joined: Thu Jul 02, 2020 6:22 am

Assistance Policy based routing

Mon Dec 12, 2022 8:53 am

Hi,

I have 2x WAN connections and am trying to get certain traffic to only go out on a specific WAN. I understand this is done through policy based routing, but I have not been successful with the various instructions I found on the net. Attached is a default factory router setup with a minimal configuration that I wanted to start with, which is a recursive route failover solution that is already in place. So with a policy based routing solution (or any other suggested solution) I am hoping to be able to test it by using traceroute within the router and be able to see it go out the specific WAN interface. Thanks in advance.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Assistance Policy based routing

Mon Dec 12, 2022 1:37 pm

When it comes to blocking, allowing, controlling traffic types it gets murky for me. All I know is that it's near impossible to block traffic these days........
User traffic by IP is fairly straightforward but not what you are asking. Perhaps someone else can be of assistance.
 
nikk
just joined
Topic Author
Posts: 12
Joined: Thu Jul 02, 2020 6:22 am

Re: Assistance Policy based routing

Wed Dec 14, 2022 8:46 am

anav wrote:
> When it comes to blocking, allowing, controlling traffic types it gets murky for me. All I know is that it's near impossible to block traffic these days........
> User traffic by IP is fairly straightforward but not what you are asking. Perhaps someone else can be of assistance.

Thanks for the response @anav. While still hoping someone else has an idea for the original request, I am interested in your comment on controlling user traffic by IP. Is that something that is still straightforward to apply on top of the configuration that I have above?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Assistance Policy based routing

Wed Dec 14, 2022 2:33 pm

Yup, should be.....
Basically consists of creating
a. table
b. additional route
c. routing rule

See Para J. - viewtopic.php?t=182373
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Assistance Policy based routing

Wed Dec 14, 2022 3:46 pm

anav wrote:
> Yup, should be.....
> Basically consists of creating
> a. table
> b. additional route
> c. routing rule
>
> See Para J. - viewtopic.php?t=182373

@anav's "Plan J" instructions are pretty good.

A couple of side notes on "J":
- Likely the destination address in the /ip/route lines should use your 8.8.8.8 and 1.1.1.1 "routes", not the interface names WAN1 and WAN2 – this is because you're using recursive routing WITH policy routing. Otherwise directed traffic would not be protected in case the interface is up with no internet (which is what recursive routing gets you).
- If you want the "policy directed traffic" (e.g. the IP or subnet you're picking to send to a specific LAN) to be able to also use the LAN, not just only going to internet, you can add a "safety rule" first in /routing rule that filters on the destination address of your LANs (192.168.88.0/24) and explicitly does a "lookup" in "main" – since "first rule wins", this can go first. What this does is say: if it is going to a local address, bypass the policy routing rules for WANs. That's so they don't get forced out the WAN address by the policy rule, since the new routing table only has 0.0.0.0/0 to a WAN, and that includes local addresses too. If you want the "directed traffic" in a rule to only go out a WAN, then you want that BEFORE this safety rule, as that causes it to lose LAN/VLAN access since 0.0.0.0/0 matches, well, all traffic including local addresses.
- If you need to direct traffic out a specific WAN by port/protocol/etc, not IP address, you'd need to use the "Mangle" approach, as that has more advanced filters (and also more complex mechanics to set up). But for "this host goes out WAN1, that host goes out WAN2", the policy routing is a more "visible" way to do this (e.g. firewall rules aren't always easy to read/see the routing rules defined within the mangle section). Both approaches do the same thing at the end: traffic goes out a selected WAN.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Assistance Policy based routing

Wed Dec 14, 2022 4:28 pm

More simply stated....... less confusing....

If you need your local users to reach each other, LAN1 to reach LAN2,
then you need additional route rules PRIOR to the WAN rules, otherwise all LAN1 and all LAN2 traffic will be forced out a WAN interface.

Order of rules counts!!

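/routing rule
# local destinations first: resolve them in main so they never reach the WAN tables
add dst-address=subnetA action=lookup-only-in-table table=main
add dst-address=subnetB action=lookup-only-in-table table=main
# then steer traffic by source subnet into the per-WAN tables
add src-address=subnetA action=lookup table=useWAN1
add src-address=subnetB action=lookup table=useWAN1
add src-address=subnetC action=lookup-only-in-table table=useWAN2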


In this case any local subnet wanting to reach subnet A, or B, will be permitted and not be dropped.
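
Added example, not part of the original thread and not RouterOS code: a simplified Python model of first-match routing-rule evaluation, showing why the local-destination rules have to come before the WAN rules and how lookup differs from lookup-only-in-table. The second LAN 192.168.99.0/24, the table contents and the fall-through behaviour of lookup (continue to later rules, then main) are assumptions of this model.

```python
import ipaddress

# Constructed routing tables: destination prefix -> egress interface.
TABLES = {
    "main": {"192.168.88.0/24": "LAN1", "192.168.99.0/24": "LAN2", "0.0.0.0/0": "WAN1"},
    "useWAN2": {"0.0.0.0/0": "WAN2"},  # policy table holds only a default route
}

def route_lookup(table, dst):
    """Longest-prefix match inside one table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [n for n in map(ipaddress.ip_network, TABLES[table]) if addr in n]
    if not hits:
        return None
    best = max(hits, key=lambda n: n.prefixlen)
    return TABLES[table][str(best)]

def egress(rules, src, dst):
    """Egress interface for a packet; rules are checked top-down, first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if "src" in rule and s not in ipaddress.ip_network(rule["src"]):
            continue
        if "dst" in rule and d not in ipaddress.ip_network(rule["dst"]):
            continue
        hit = route_lookup(rule["table"], dst)
        if hit is not None or rule["action"] == "lookup-only-in-table":
            return hit  # None here means unroutable: no fallback is allowed
        # action=lookup with no route in that table: keep going (model assumption)
    return route_lookup("main", dst)

# Local-destination rules first, WAN steering rule last (the order from the post).
SAFE = [
    {"dst": "192.168.88.0/24", "action": "lookup-only-in-table", "table": "main"},
    {"dst": "192.168.99.0/24", "action": "lookup-only-in-table", "table": "main"},
    {"src": "192.168.99.0/24", "action": "lookup-only-in-table", "table": "useWAN2"},
]
# Same rules with the WAN steering rule moved to the top.
UNSAFE = [SAFE[2], SAFE[0], SAFE[1]]

if __name__ == "__main__":
    for name, rules in (("SAFE", SAFE), ("UNSAFE", UNSAFE)):
        print(name, "LAN2 -> LAN1 leaves via", egress(rules, "192.168.99.10", "192.168.88.5"))
```

With the WAN rule on top, LAN2-to-LAN1 traffic matches the 0.0.0.0/0 route in useWAN2 and leaves via WAN2 instead of staying local.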
 
nikk
just joined
Topic Author
Posts: 12
Joined: Thu Jul 02, 2020 6:22 am

Re: Assistance Policy based routing

Sat Dec 17, 2022 2:02 pm

Thanks for the pointers and examples. I did a quick config and managed to see some traffic route manipulation. Will evaluate this solution as an alternative approach to the original request.
