Routing Problem

mk0000 · Sat Mar 03, 2012 9:24 am

Hi,

i have a problem with the following Problem:

One RB 450G (IP: 192.168.0.5) with 100 PC's and 2 WAN-Ports (Port1 and Port4).
On Port1 there is a Fritzbox (192.168.0.1) and on Port4 there is a Fritzbox (192.168.0.2)
Alle LAN-Ports from the RB 450G are a bridge.
All PC's from the other LAN-Ports has the following IP-Configuration:

IP: 192.168.0.x/24
Gateway and DNS: 192.168.0.5

Route:
0.0.0.0/0 goes to 192.168.0.1

One Client (192.168.0.140) will now switch to the second-WAN-Port (Port4).
I have test it with the firewall:

Mangle:
Prerouting Src-Address 192.168.0.140 and mark routing for Example GroupB.

Then i add a Route:
0.0.0.0/0 goes to 192.168.0.2 with Routing Mark GroupB

But the Traffic goes over the Port1 (192.168.0.1).

Can everyone help me?

rodolfo · Sat Mar 03, 2012 11:18 am

post your configuration (ip address, ip firewall mangle, ip route)

mk0000 · Sun Mar 04, 2012 1:52 pm

Hi rodolfo,

my configuration from the RB 450G:

/ip address
# ADDRESS NETWORK INTERFACE
0 192.168.0.5/24 192.168.0.0 bridge1

/ip firewall mangle
0 chain=prerouting action=mark-packet new-packet-mark=connection
passthrough=yes protocol=tcp

1 chain=prerouting action=mark-packet new-packet-mark=conn passthrough=no
packet-mark=connection

2 X chain=prerouting action=mark-routing new-routing-mark=GroupB passthrough=no
src-address=192.168.0.140

/ip route
0 A S dst-address=0.0.0.0/0 gateway=192.168.0.2 gateway-status=ether4 reachable
distance=1 scope=30 target-scope=10 routing-mark=GroupB

1 A S dst-address=0.0.0.0/0 gateway=192.168.0.1
gateway-status=192.168.0.1 reachable bridge1 distance=1 scope=30
target-scope=10

2 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.5 gateway=bridge1
gateway-status=bridge1 reachable distance=0 scope=10

The PC's at the the LAN-Port 2,3 and 5 are at other switches and has the following configuration:

IP: 192.168.0.x/24 (x = 60 - 140)
DNS + Gateway: 192.168.0.5

Where can help me?

cybercoder · Sun Mar 04, 2012 2:49 pm

set the use of IP FIREWALL on bridge to enable first,
if it didn't work then change the specific policy route's mangle chain from pre-routing to forward, too.

study the packet flow diagram will help you to make your own policy implementation decisions well.
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

mk0000 · Sun Mar 04, 2012 3:12 pm

hello cybercoder,

the firewall on the brigde is enable.
When i change pre-routing to forward, it come a error-message:
Couldn't change Mangle Rule - routing-mark allowed only in output and prerouting chains.

cybercoder · Sun Mar 04, 2012 3:15 pm

yes yse the error message is true the routing mark only works in routing time! i made mistake

cybercoder · Sun Mar 04, 2012 3:17 pm

allow to pass the traffic through the router in second mangle chain, i think it will work

the second is meaning number 1 not 2

mk0000 · Sun Mar 04, 2012 3:20 pm

Example?

cybercoder · Sun Mar 04, 2012 3:50 pm

i mentioned to the second mangle you sent :

1 chain=prerouting action=mark-packet new-packet-mark=conn passthrough=no packet-mark=connection

change the passthrough to yes

mk0000 · Sun Mar 04, 2012 7:33 pm

passthorugh is activated but the traffic goes over 192.168.0.1 and not over 192.168.0.2

Help?!

cybercoder · Sun Mar 04, 2012 7:45 pm

chain=prerouting src-address=192.168.0.140 action=mark-connection new-connection-mark=GroupBC passthrough=yes
chain=prerouting connection-mark=GroupBC action=mark-routing new-routing-mark=GroupB passthrough=no

Replace mangles with these optimal mangle.

mk0000 · Sun Mar 04, 2012 9:18 pm

The same Problem

cybercoder · Sun Mar 04, 2012 9:24 pm

are there count up for your specific mangle?

mk0000 · Sun Mar 04, 2012 9:52 pm

Yes, but the traffic goes over 192.168.0.1.

cybercoder · Sun Mar 04, 2012 9:55 pm

i am online by yahoo messenger : vahid_yid

mk0000 · Tue Mar 06, 2012 10:32 am

I have test it with 5 Clients.
One Clients goes over the second Gateway all other over the first Gateway.
The Mangle-Entries count up but nothing over the second Gateway.
Is there a special Entrie or other things i have disremember?

The Config

IP-Address
 #   ADDRESS            NETWORK         INTERFACE                                
 0   192.168.0.5/24     192.168.0.0     bridge1    

Bridge
 0  R name="bridge1" mtu=1500 l2mtu=1520 arp=enabled 
      mac-address=00:0C:42:59:1D:2E protocol-mode=rstp priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 #    INTERFACE               BRIDGE               PRIORITY  PATH-COST    HORIZON
 0    ether1                  bridge1                  0x80         10       none
 1    ether2                  bridge1                  0x80         10       none
 2    ether5                  bridge1                  0x80         10       none
 3    ether3                  bridge1                  0x80         10       none
 4    ether4                  bridge1                  0x80         10       none

DNS
servers: 192.168.0.1,192.168.0.2
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 1712KiB

Firewall Filter: nothing
Firewall Nat: nothing
Firewall Mangle: 
 0   chain=prerouting action=mark-packet new-packet-mark=connection 
     passthrough=yes protocol=tcp 

 1   chain=prerouting action=mark-packet new-packet-mark=conn passthrough=no 
     packet-mark=connection 

 2   ;;;
     chain=prerouting action=mark-routing new-routing-mark=GroupB 
     passthrough=yes src-address=192.168.0.140 

 3   ;;;
     chain=prerouting action=mark-routing new-routing-mark=GroupB 
     passthrough=yes src-address=192.168.0.94 

 4   ;;; 
     chain=prerouting action=mark-routing new-routing-mark=GroupB 
     passthrough=yes src-address=192.168.0.111 

 5   ;;;
     chain=prerouting action=mark-routing new-routing-mark=GroupB 
     passthrough=yes src-address=192.168.0.112 

Route
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.0.2 
        gateway-status=192.168.0.2 reachable bridge1 distance=1 scope=30 
        target-scope=10 routing-mark=GroupB 

 1 A S  dst-address=0.0.0.0/0 gateway=192.168.0.1 
        gateway-status=192.168.0.1 reachable bridge1 distance=1 scope=30 
        target-scope=10 

 2 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.5 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10

Where is the Problem?

Is there a way for a client, gateway and DNS to change through the firewall?

cybercoder · Tue Mar 06, 2012 10:38 am

0   chain=prerouting action=mark-packet new-packet-mark=connection
     passthrough=yes protocol=tcp

1   chain=prerouting action=mark-packet new-packet-mark=conn passthrough=no
     packet-mark=connection

You should Mark the connections first, then the packets of those connection!

when you don't allow to pass the traffic in this scenario, how the next mangle rule can work?
I think i sent an optimal mangle

mk0000 · Tue Mar 06, 2012 11:07 am

I have disable these two Mangle's and will test it or can i sort the Mangle's ?

Routing Problem

Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Re: Routing Problem

Who is online