crussell_1969
just joined
Topic Author
Posts: 21
Joined: Wed Apr 20, 2005 5:16 pm

Policy based routing and VPN

Fri Jul 18, 2008 6:04 pm

I've got a router deployed and I'm using mangle rules to mark traffic from the various attached subnets and then I'm using policy rules to route the traffic out 1 of 2 WAN connections. This is working as I'd like and I'm happy with that. I had to add policy based routes so that the subnets could talk to each other but after working through that everything is working locally. My problem is that I have VPN users coming in via PPTP on another subnet and they can't see anything. I've tried setting a policy for that traffic as well but to no avail. Any ideas how to make this work?

Mangle rules and routing rules follow.

VPN subnet is 192.168.17.0/24 with a local address of 192.168.17.1 and various remote IPs assigned as users login.

[admin@rtr2] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=PC-subnet
passthrough=yes src-address=172.16.101.0/24

1 chain=prerouting action=mark-routing new-routing-mark=server-subnet
passthrough=yes src-address=192.168.16.0/24

2 chain=prerouting action=mark-routing new-routing-mark=apc-subnet
passthrough=yes src-address=192.168.0.0/24

3 chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=yes
src-address=192.168.17.0/24
[admin@rtr2] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=x.x.x.166 interface=ether7
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=PC-subnet

1 A S dst-address=0.0.0.0/0 gateway=x.x.x.170 interface=ether6
gateway-state=reachable distance=1 scope=30 target-scope=10

2 A S dst-address=0.0.0.0/0 gateway=x.x.x.166 interface=ether7
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=server-subnet

3 ADC dst-address=10.10.10.1/32 pref-src=10.10.10.21 interface=pptp-out1
distance=0 scope=10

4 A S dst-address=x.x.x.2/32 gateway=10.10.10.1 interface=pptp-out1
gateway-state=reachable distance=1 scope=30 target-scope=10

5 ADC dst-address=x.x.x.164/30 pref-src=x.x.x.165 interface=ether7
distance=0 scope=10

6 ADC dst-address=x.x.x.168/30 pref-src=x.x.x.169 interface=ether6
distance=0 scope=10

7 A S dst-address=172.16.100.0/24 gateway=172.16.100.1 interface=ether2
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=server-subnet

8 ADC dst-address=172.16.100.0/24 pref-src=172.16.100.1 interface=ether2
distance=0 scope=10

9 A S dst-address=172.16.101.0/24 gateway=172.16.101.1 interface=ether3
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=server-subnet

10 ADC dst-address=172.16.101.0/24 pref-src=172.16.101.1 interface=ether3
distance=0 scope=10

11 ADC dst-address=172.16.102.0/24 pref-src=172.16.102.1 interface=ether4
distance=0 scope=10

12 A S dst-address=172.16.102.0/24 gateway=172.16.102.1 interface=ether4
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=PC-subnet

13 A S dst-address=172.16.102.0/24 gateway=172.16.102.1 interface=ether4
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=server-subnet

14 A S dst-address=192.168.0.0/24 gateway=10.10.10.1 interface=pptp-out1
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=server-subnet

15 A S dst-address=192.168.0.0/24 gateway=10.10.10.1 interface=pptp-out1
gateway-state=reachable distance=1 scope=30 target-scope=10

16 A S dst-address=192.168.1.2/32 gateway=192.168.16.5 interface=ether1
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=PC-subnet

17 A S dst-address=192.168.16.0/24 gateway=192.168.16.1 interface=ether1
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=PC-subnet

18 A S dst-address=192.168.16.0/24 gateway=192.168.16.1 interface=ether1
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=apc-subnet

19 ADC dst-address=192.168.16.0/24 pref-src=192.168.16.1 interface=ether1
distance=0 scope=10

20 ADC dst-address=192.168.17.210/32 pref-src=192.168.17.1
interface=<pptp-wdavis> distance=0 scope=10

[admin@rtr2] >

Any help would be greatly appreciated.

Thank you,
Craig Russell
 
crussell_1969
just joined
Topic Author
Posts: 21
Joined: Wed Apr 20, 2005 5:16 pm

Re: Policy based routing and VPN

Sat Jul 26, 2008 5:58 am

In case anyone else hits this problem, this is the solution that I came up with. Now that it is done and working, it makes a whole lot of sense and is fairly simple.

Basically, I wrote mangle rules that mark packets from the nets that I didn't want to be routed differently with the marker "no-change" and I set these rules to NOT passthrough, i.e.,

chain pre-routing src-address 172.16.101.0/24 dst-address "some other local net" action mark-routing new-routing-mark no-change passthrough no

This has the effect of basically jumping out of the pre-routing chain when traffic from this subnet destined for another local subnet is encountered. This way, I can still use all of the dynamically created routes from local subnets. The final mangle rule is as follows:

chain pre-routing src-address 172.16.101.0/24 dst-address 0.0.0.0/0 action mark-routing new-routing-mark "gateway #2" passthrough no

Since I have mangle rules for all of the other local 'nets without passthrough, any traffic that makes it to this point is destined for the internet and I want to mark it to go through gateway 2. The last step is to add a route statement with this routing mark:

add route 0.0.0.0/0 gateway x.x.x.x routing-mark "gateway #2"

This tells RouterOS to send all traffic with that routing mark out to the x.x.x.x gateway, which in my case is a cable modem with a static IP address.


The rules above are typed from memory and not taken directly from my config but they give the general idea. If anyone would like the actual config I can paste it in here.

I'm not sure if I was missing something in all of the posts and wiki entries that talked about this. My issue was that I've got 4 local subnets plus a subnet dedicated to VPN that I needed to route around normally. But I needed to separate my internet traffic over my three WAN links. All of the how-tos that I found told you how to divide your traffic over the links, but all of these solutions broke internal routing so that the various subnets could no longer see each other.
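The following is an added example, written for this thread and not taken from Craig's config or from MikroTik, that simulates the two mechanisms the thread turns on: mangle rules setting a routing mark with passthrough=yes versus passthrough=no, and route lookup in the table selected by that mark. It reproduces the failure in the first post (a LAN host answering a PPTP client gets a source-based mark whose table holds only a default route, so the reply is sent to the WAN) and the "no-change" fix in the second post. Gateway labels gateway-1 and gateway-2 stand in for the x.x.x.166/x.x.x.170 addresses the post elides, the interface names for the 192.168.0.0/24 and PPTP networks and the destination 198.51.100.7 are constructed, and the rule that a mark with no routes falls back to the main table is this model's assumption, chosen to match what Craig reports observing.

```python
"""Simulate RouterOS-style routing marks and per-mark route lookup (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MangleRule:
    src: str            # src-address match (CIDR)
    dst: str            # dst-address match (CIDR)
    mark: str           # new-routing-mark
    passthrough: bool   # passthrough=yes keeps evaluating later rules


@dataclass(frozen=True)
class Route:
    dst: str                    # dst-address (CIDR)
    gateway: str                # gateway or interface label
    mark: Optional[str] = None  # routing-mark; None means the main table


def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def apply_mangle(rules, src_ip, dst_ip):
    """Walk the prerouting mangle chain in order. A matching rule sets the
    routing mark; with passthrough=no the chain stops at that rule, otherwise
    later matching rules may overwrite the mark."""
    mark = None
    for r in rules:
        if _in(src_ip, r.src) and _in(dst_ip, r.dst):
            mark = r.mark
            if not r.passthrough:
                break
    return mark


def lookup(routes, dst_ip, mark):
    """Longest-prefix lookup in the table named by the routing mark. If that
    table has no matching route (e.g. a mark with no routes at all) the main
    table is used. Assumption of this model: a marked table that contains a
    default route therefore matches everything and never falls back."""
    def best(table):
        hits = [r for r in table if _in(dst_ip, r.dst)]
        return max(hits, key=lambda r: ipaddress.ip_network(r.dst).prefixlen,
                   default=None)
    chosen = best([r for r in routes if r.mark == mark]) if mark else None
    if chosen is None:
        chosen = best([r for r in routes if r.mark is None])
    return chosen.gateway if chosen else None


def route_packet(rules, routes, src_ip, dst_ip):
    return lookup(routes, dst_ip, apply_mangle(rules, src_ip, dst_ip))


# Constructed topology modelled on the thread: three LAN subnets plus the PPTP
# client subnet, and two WAN gateways (labels stand in for x.x.x.166/.170).
LOCAL = {"172.16.101.0/24": "ether3", "192.168.16.0/24": "ether1",
         "192.168.0.0/24": "ether5", "192.168.17.0/24": "pptp-clients"}
CONNECTED = [Route(net, iface) for net, iface in LOCAL.items()]

# First post's approach: mark by source only, one default route per mark.
ORIGINAL_RULES = [
    MangleRule("172.16.101.0/24", "0.0.0.0/0", "PC-subnet", passthrough=True),
    MangleRule("192.168.17.0/24", "0.0.0.0/0", "vpn", passthrough=True),
]
ORIGINAL_ROUTES = CONNECTED + [
    Route("0.0.0.0/0", "gateway-1", "PC-subnet"),
    Route("0.0.0.0/0", "gateway-2"),            # main-table default
]

# Second post's fix: LAN-to-LAN traffic gets "no-change" with passthrough=no,
# so it leaves the chain before the catch-all rule; "no-change" owns no routes,
# so lookup falls through to the main table's connected routes.
FIXED_RULES = [MangleRule("172.16.101.0/24", net, "no-change", passthrough=False)
               for net in LOCAL if net != "172.16.101.0/24"] + [
    MangleRule("172.16.101.0/24", "0.0.0.0/0", "gateway #2", passthrough=False),
]
FIXED_ROUTES = CONNECTED + [
    Route("0.0.0.0/0", "gateway-2", "gateway #2"),
    Route("0.0.0.0/0", "gateway-1"),            # main-table default
]

if __name__ == "__main__":
    for label, rules, routes in (("original", ORIGINAL_RULES, ORIGINAL_ROUTES),
                                 ("fixed", FIXED_RULES, FIXED_ROUTES)):
        for src, dst in (("172.16.101.10", "192.168.17.210"),
                         ("192.168.17.210", "172.16.101.10"),
                         ("172.16.101.10", "198.51.100.7")):
            print(f"{label:8} {src} -> {dst}: {route_packet(rules, routes, src, dst)}")
```

Running it shows the asymmetry behind the original complaint: the PPTP client's packets reach the LAN host over the connected route, but the host's replies carry the PC-subnet mark and leave via gateway-1, so the session never completes. With the fixed rule set the same reply is handed to the PPTP interface and only traffic to non-local destinations is marked for gateway-2.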
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Policy based routing and VPN

Sat Jul 26, 2008 9:53 pm

Craig, why don't you write a wiki article on this? It would be rather useful.

Thanks for the effort.
 
bmcgann
just joined
Posts: 5
Joined: Sat May 09, 2009 1:27 am

Re: Policy based routing and VPN

Tue May 19, 2009 7:28 pm

I'm just getting started with MT (v3.19) and have 2 ISP connections on 2 interfaces along with 5 interfaces bridged for my local 192.168.1.x network. Trying to cull through dozens of forum posts and the documentation about how to deal with the bridge, masquerade, and policy based routing because I want to send VOIP, email, and HTTP traffic to one ISP (with VOIP prioritized) and P2P traffic to the other ISP. I'm wondering if you ever wrote that Wiki on how to do this stuff as someone suggested. Thanks.
 
crussell_1969
just joined
Topic Author
Posts: 21
Joined: Wed Apr 20, 2005 5:16 pm

Re: Policy based routing and VPN

Fri May 22, 2009 6:29 pm

I never did write the Wiki, however, if I were to do this over again I would probably attempt to use this feature

http://wiki.mikrotik.com/wiki/PCC

This is supposed to fix the issue with multiple gateways. I would try this first, if you would like, I'd be happy to send you the config that I used.

Craig
 
bmcgann
just joined
Posts: 5
Joined: Sat May 09, 2009 1:27 am

Re: Policy based routing and VPN

Fri May 22, 2009 6:54 pm

It says it's available with v3.24 so I guess I could upgrade. I'm not sure this will do exactly what I want (pick out VOIP, P2P, EMAIL, HTTP and send them selectively to one of my 2 ISPs) but it's worth a try. So yes, I'd appreciate a copy of your config--thanks. Do you need my email or do you want to just post the config here?

<<Brad>>