We're trying to do some policy routing on our lines. We can distinguish traffic by port easy and mark routing of packets, that works quite well.
But we are having problems in marking web traffic, like it ignores all routing marks. We are using caching web-proxy, so packets are auctally generated inside mt. We found out that we could not mark for routing packets generated locally by mt (tried /system telnet for example).
Is it possible to route web-proxy traffic through an arbitrary interface?
Thanks
Mikrotik 2.9.7 and 2.9.8 with masquerade, hotspot, queue trees and much more. I hope there's nothing wrong on those things.
I have tried something like this:
Then have a default route assigned by dhcp-client or pppoe-client, and a static route that i want to mark route.
And it works, but only for packets going through the router, not for packets generated at the router (eg with /system telnet or ping).
I have tried setting it on all chains.
I have tried something like this:
Code: Select all
/ip firewall mangle add chain=prerouting dst-address=80.80.80.80 action=mark-routing routing-mark=r2Code: Select all
/add dst-address=0.0.0.0/0 gateway=82.82.82.82 scope=255 target-scope=10 routing-mark=r2 comment="" disabled=noI have tried setting it on all chains.
Why prerouting? Look into manual to schema that describes packet flow through Mikrotik (http://www.mikrotik.com/docs/ros/2.9/ip/flow).
Yeah
I also tried output, as suggested by that and neither worked.
I still send packets from default gateway insted of marked one.
I still send packets from default gateway insted of marked one.
Hm, I think that mangle rule should contain src-address of public Mikrotik interface and dst-port 80. If you use proxy server, everything works like this: client from private network connects to proxy server and transfer his HTTP request (connection is destined to private proxy server address). Then proxy server connects to internet web server through its public interface, so this is why I suppose you can recognize those outgoing proxy connections by source address (public Mikrotik interface) and destination port.
I also tried output, as suggested by that and neither worked.
I still send packets from default gateway insted of marked one.
I agree with LatinSuD!!!
I have also tried to do policy routing on the traffic generated by the Mikrotik itself (version 2.9.10), but it is a big no-go
It is possible to do connection as well as routing marking in the output chain, but Mikrotik does not even try to take this routing mark into account.
This means that in order to be able to initiate traffic from within the Mikrotik itself (like for the NTP client to connect to a NTP server) you need to have a gateway specified without routing mark. 
Is this a Mikrotik oversight or a bug or a feature?!?
(Yes, I *have* read the manual, and seen / understod the drawing scheme so please spare me the besser-wisser remarks that is sadly overwhelming this forum!
)
This is the routing table in my system:
The mangle chain looks like this:
Both rule #7 and 8 work, the counter gets incremented as traffic is initiated from Mikrotik (via the terminal), BUT if the routing rule #5 as per above does not exist / is disabled then none of this traffic will exit Mikrotik, the answer "no route to host" is shown in the Mikrotik terminal.
Strange
Code: Select all
[admin@MikroTik] ip route> print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
0 ADC dst-address=85.xx.xx.xx/30 prefsrc=85.xx.xx.xx interface=1-2 Bond
scope=10 target-scope=0
1 ADC dst-address=192.168.1.0/24 prefsrc=192.168.1.254 interface=3-Internal
scope=10 target-scope=0
2 ADC dst-address=195.xx.xx.xx/30 prefsrc=195.xx.xx.xx interface=1-2 Bond
scope=10 target-scope=0
3 A S dst-address=0.0.0.0/0 gateway=85.xx.xx.xx interface=1-2 Bond
gateway-state=reachable scope=255 target-scope=10
routing-mark=route_ISP1
4 A S dst-address=0.0.0.0/0 gateway=195.xx.xx.xx interface=1-2 Bond
gateway-state=reachable scope=255 target-scope=10
routing-mark=route_ISP2
5 A S dst-address=0.0.0.0/0 gateway=85.xx.xx.xx interface=1-2 Bond
gateway-state=reachable scope=255 target-scope=10
[admin@MikroTik] ip route>
The mangle chain looks like this:
Code: Select all
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
.
.
.
7 ;;; Mark traffic initiated by Mikrotik
chain=output out-interface=1-2 Bond connection-state=new
action=mark-connection new-connection-mark=conn_Mikrotik passthrough=yes
8 chain=output out-interface=1-2 Bond connection-mark=conn_Mikrotik
action=mark-routing new-routing-mark=route_ISP1 passthrough=no
[admin@MikroTik] ip firewall mangle>
Both rule #7 and 8 work, the counter gets incremented as traffic is initiated from Mikrotik (via the terminal), BUT if the routing rule #5 as per above does not exist / is disabled then none of this traffic will exit Mikrotik, the answer "no route to host" is shown in the Mikrotik terminal.
Strange
Who is online
Users browsing this forum: Bing [Bot], Google [Bot] and 73 guests