harryenlared
just joined
Topic Author
Posts: 5
Joined: Fri Feb 15, 2013 10:29 pm

Problem with policy routing

Fri Feb 15, 2013 10:52 pm

Hello.

I have a problem with policy routing

This is the router configuration:

/ip address
add interface=ether1 address=200.10.x.2/24
add interface=ether2 address=200.20.x.2/24

/ip route 
add dst-address=0.0.0.0/0 gateway=200.10.x.1 pref-src=200.10.x.2
add dst-address=0.0.0.0/0 gateway=200.20.x.1 pref-src=200.20.x.2 routing-mark=policy

/ip firewall mangle
add chain=output action=mark-routing new-routing-mark=policy src-address=200.20.x.2

When the default route 200.10.x.1 is disabled, I have no connection to the router using 200.20.x.2.

Why doesn't the policy routing work?

Thanks in advance.
 
cupis
Frequent Visitor
Posts: 74
Joined: Sun Apr 10, 2011 1:25 am

Re: Problem with policy routing

Fri Feb 15, 2013 11:18 pm

> I have a problem with policy routing
>
> This is the router configuration:
>
> /ip address
> add interface=ether1 address=200.10.x.2/24
> add interface=ether2 address=200.20.x.2/24
>
> /ip route
> add dst-address=0.0.0.0/0 gateway=200.10.x.1 pref-src=200.10.x.2
> add dst-address=0.0.0.0/0 gateway=200.20.x.1 pref-src=200.20.x.2 routing-mark=policy
>
> /ip firewall mangle
> add chain=output action=mark-routing new-routing-mark=policy src-address=200.20.x.2
>
> When the default route 200.10.x.1 is disabled, I have no connection to the router using 200.20.x.2.
>
> Why doesn't the policy routing work?

You need to mark your traffic from 200.100.x.x/24 as having routing-mark "policy"; otherwise it will not be allowed to use the second default route. Your mangle rule above will not do that; by the time you get to "output" it is too late to make this decision.

Something like:
/ip firewall mangle add chain=prerouting src-address=200.20.x.x/24 action=mark-routing new-routing-mark=policy
 
harryenlared
just joined
Topic Author
Posts: 5
Joined: Fri Feb 15, 2013 10:29 pm

Re: Problem with policy routing

Sun Feb 17, 2013 4:50 pm

Thank you for your reply.

The prerouting rule works for forwarded packets, but I need to enter into the router:
e.g.: ssh 200.20.x.2

This is something like this:

---> input ----> Local process ---> Output ----> Routing adjustment ---> Routing decision --->

You can see in http://wiki.mikrotik.com/wiki/Manual:Pa ... _decisions
"Routing adjustment: this is a workaround that allows to set-up policy routing in mangle chain output"

So, routing adjustment seems not to work in my configuration.
 
cupis
Frequent Visitor
Posts: 74
Joined: Sun Apr 10, 2011 1:25 am

Re: Problem with policy routing

Sun Feb 17, 2013 5:58 pm

> The prerouting rule works for forwarded packets, but I need to enter into the router:
> e.g.: ssh 200.20.x.2

And this doesn't work when the main link is down, correct?

If so, add something like this:
/ip firewall mangle add chain=input in-interface=ether2 action=mark-connection new-connection-mark=policy
This will mark any traffic coming into the router on ether2, on the input chain (i.e. traffic to 200.20.x.2 specifically) so that it will use the second default route to send return traffic. I don't have a device handy I can test this on at the moment, but that may resolve the issue for you.
 
miahac
Long time Member
Posts: 516
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: Problem with policy routing

Wed Oct 21, 2015 6:05 am

I am having the same problem with packets initiated from the router, i.e. L2TP connections. Did you find an answer?

http://forum.mikrotik.com/viewtopic.php?f=14&t=101095