I'm really struggling with getting traffic to route to specific gateways depending on the internal IP block/network. My company has acquired a WISP that was designed and deployed by a couple of individuals not really familiar with networking. So I've inherited a network set up with no routing protocols, only Class C networks from one edge to the other (including mgmt), bridged interfaces on the actual PTP links/hops, and so on. My particular problem right now has got me really struggling for an answer. Simply put, I have two active gateways (CenturyLink and AT&T). The AT&T POP is a cluster of T1s that I want to turn down. My Level3 POP is a 10G circuit. I want to move as much traffic off the AT&T T1s onto Level3, move the static IP customers to a new IP block, and in the end drop the T1s. And so my problem: no matter what I do, I cannot get customer traffic to move to another route. The router has a slew of route rules, mangle rules, and masq rules. I've cleared out most of the route rules and unneeded src-nats.
What I've tried, as the examples are found everywhere here, on blogs, etc.: I've set up a couple of mangle rules to mark packets for an internally sourced IP address. I then add a routing mark to traffic with the packet mark. I've added a default route to Level3 for all traffic with said routing mark. I don't know what I'm missing. BTW, I have three IP blocks on which I successfully employed the same procedure and routed that traffic back to the CenturyLink POP. Inter-network routing works; I deployed an OSPF layer with /30s to get some control of the internal routing and changed the default gateways on all internal routers to use the new /30 hops. Any networks toward the Level3 POP that I specifically add a static route for route fine. Below are the key config snippets. Here's an idea of what I'm working with. No doubt you have questions. Any, I mean any, help/suggestions you have I will greatly appreciate! I did trim down the config considerably and obfuscate some IP addresses, but all the basics are here. I hope I didn't chop it up too much. I'm happy to provide more information as needed. I'm not a long-time MikroTik guy; I do have my MikroTik certs and Cisco certs and 30 or so years with Cisco and network topologies. While in principle and practice I think I have what I need in place, I must be missing something.
Thank you so much...!
[admin@mr1.rtr] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
1 12.x.x.2/25 12.x.x.0 eth1_WAN
41 192.168.50.1/24 192.168.50.0 eth2_local1
43 192.168.51.1/24 192.168.51.0 eth2_local1
41 192.168.52.1/24 192.168.52.0 eth2_local1
43 192.168.80.1/24 192.168.80.0 eth3_local2
41 192.168.81.1/24 192.168.81.0 eth3_local2
43 192.168.90.1/24 192.168.90.0 eth4_local3
41 192.168.91.1/24 192.168.91.0 eth4_local3
65 216.x.x.34/30 216.x.x.32 vlan558
[admin@mr1.rtr] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
1 A S ;;; Route to ATT Circuits (T1's)
0.0.0.0/0 12.x.x.1 1
2 A S ;;; To CenturyLInk for Marked Traffic
0.0.0.0/0 10.9.0.30 10.9.0.29 1
3 A S ;;; To Level3 for Marked Traffic
0.0.0.0/0 216.x.x.33 1
64 ADC 12.x.x.0/25 12.x.x.2 eth1-WAN 0
105 ADC 192.168.50.0/24 192.168.50.1 eth2_local1 0
106 ADC 192.168.51.0/24 192.168.51.1 eth2_local1 0
107 ADC 192.168.52.0/24 192.168.52.1 eth2_local1 0
119 ADC 192.168.80.0/24 192.168.80.1 eth3_local2 0
120 ADC 192.168.81.0/24 192.168.81.1 eth3_local2 0
124 ADC 192.168.90.0/24 192.168.90.1 eth4_local3 0
126 ADC 192.168.91.0/24 192.168.91.1 eth4_local3 0
131 ADC 216.x.x.32/30 216.x.x.34 vlan558 0
[admin@mr1.rtr] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS TIMEOUT
8 ToCenturyLink 192.168.80.0/24
10 ToCenturyLink 192.168.81.0/24
12 ToLevel3 192.168.90.0/24
13 ToLevel3 192.168.91.0/24
[admin@mr1.rtr] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; To CenturyLink - Mark Packet - See Address Lists
chain=prerouting action=mark-packet new-packet-mark=ToCenturyLinkPM
passthrough=yes src-address-list=ToCenturyLink
1 X ;;; To CenturyLink - Mark Route with marked packets
chain=prerouting action=mark-routing new-routing-mark=ToCenturyLinkRM
passthrough=no packet-mark=ToCenturyLinkPM
14 ;;; To Level3 - Mark Packet - See Address Lists
chain=prerouting action=mark-packet new-packet-mark=ToLevel3PM
passthrough=yes src-address-list=ToLevel3
15 ;;; To Level3 - Mark Route with marked packets
chain=prerouting action=mark-routing new-routing-mark=ToLevel3RM
passthrough=yes packet-mark=ToLevel3PM
[admin@mr1.rtr] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
88 chain=srcnat action=masquerade src-address=192.168.50.0/24
89 chain=srcnat action=masquerade src-address=192.168.51.0/24
90 chain=srcnat action=masquerade src-address=192.168.52.0/24
91 chain=srcnat action=masquerade src-address=192.168.80.0/24
92 chain=srcnat action=masquerade src-address=192.168.81.0/24
93 chain=srcnat action=masquerade src-address=192.168.90.0/24
94 chain=srcnat action=masquerade src-address=192.168.91.0/24
96 ;;; Main masquerade rule. Do not disable!
chain=srcnat action=masquerade to-addresses=0.0.0.0
out-interface=eth1_WAN
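For reference, here is the minimal policy-routing setup that the post describes (source list, routing mark, marked default route, NAT), written out as an added example rather than taken from the poster's config. It uses RouterOS v6 syntax, which is what the print output above appears to be (routing-mark on the route itself; v7 uses routing-table and a /routing table entry instead). The interface name vlan558 and the 216.x.x.33 next hop are taken from the post; the Internal list, the 10.9.0.0/16 management range, and the verification commands are assumptions for illustration.

```routeros
# Added example (RouterOS v6 syntax assumed from the post's print output); not the
# poster's config. vlan558 and 216.x.x.33 come from the post; the Internal list,
# 10.9.0.0/16 and the list/mark names are assumptions for illustration.

# 1. Source networks that should leave via Level3, and what counts as internal.
/ip firewall address-list
add list=ToLevel3 address=192.168.90.0/24
add list=ToLevel3 address=192.168.91.0/24
add list=Internal address=192.168.0.0/16
add list=Internal address=10.9.0.0/16

# 2. Mark the routing decision in one step; the intermediate packet mark adds nothing.
#    dst-address-list=!Internal matters: in v6 a marked table contains only the routes
#    tagged with that mark, so without the exclusion traffic between two customer
#    blocks matches the marked 0.0.0.0/0 and is pushed out the Level3 circuit.
/ip firewall mangle
add chain=prerouting src-address-list=ToLevel3 dst-address-list=!Internal \
    action=mark-routing new-routing-mark=ToLevel3RM passthrough=no \
    comment="Policy route Level3 customers"

# 3. The default route must carry the routing-mark. Without it, it is just a third
#    equal-distance default in main and the first one (AT&T) keeps winning. A marked
#    packet whose table has no route falls back to main in v6, so a missing mark on
#    the route looks exactly like "nothing changed".
/ip route
add dst-address=0.0.0.0/0 gateway=216.x.x.33 routing-mark=ToLevel3RM \
    check-gateway=ping distance=1 comment="Default for ToLevel3RM"

# 4. NAT by egress interface so every marked flow is translated to the Level3 address,
#    independent of which source networks are added to the list later.
/ip firewall nat
add chain=srcnat out-interface=vlan558 action=masquerade comment="NAT out Level3"

# 5. Verify. The compact /ip route print hides the routing-mark column; use detail.
/ip route print detail where routing-mark=ToLevel3RM
/ip firewall mangle print stats where new-routing-mark=ToLevel3RM
/tool traceroute routing-table=ToLevel3RM 8.8.8.8
```

Run the checks in step 5 before moving customers: if `print detail` shows the Level3 default without `routing-mark=ToLevel3RM`, the mangle rules are doing their job (the stats counters will climb) but the route is not in the marked table, and the lookup silently falls back to the main default. Routing marks in v6 are evaluated per packet, so no connections need to be reset once the route is tagged.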