IP routes

cpresto · Sun Nov 18, 2007 12:18 am

Hi all,
I have a MT configured with two IP address (on two different subnets) on the same interface (172.22.1.254/24 and 172.22.2.254/24), this interface is connected with two different router:
ETH4 172.22.1.254 --> 172.22.1.1/24
ETH4 172.22.2.254 --> 172.22.2.1/24

Mangle separates known traffic (dest port < 1024) from unknown one (dest port > 1024), and queues are applied to unknown traffic. If I specify two different gateways for known and unknown traffic, with routing mark, (e.g. 172.22.1.1 for known and 172.22.2.1 for unknown) the whole traffic through MT pratically stops and queues are not matched. If only one default gateway is specified (with no mark routing), everything works fine (also queues)...

Any advice

Chupaka · Sun Nov 18, 2007 3:33 am

in what chain do you mangle?

cpresto · Mon Nov 19, 2007 5:59 pm

I've made a Jump in prerouting chain: if dest port is < 1024 flow jumps to "known" chain, otherwise it jumps to "unknown" chain.

andrewluck · Mon Nov 19, 2007 7:09 pm

Code please.

Regards

Andrew

cpresto · Tue Nov 20, 2007 2:19 pm

Here below the used code

# nov/20/2007 13:17:35 by RouterOS 2.9.48
# software id = TH16-XS0
#
/ ip firewall mangle 
add chain=forward action=log connection-state=new dst-address=!172.21.254.6 \
    protocol=!icmp src-address-list=PPPoE_clienti log-prefix="serro" \
    comment="######    log traffico clienti" disabled=yes 
add chain=input action=accept dst-port=8291 protocol=tcp comment="######    \
    WinBox" disabled=no 
add chain=prerouting action=accept dst-port=8291 protocol=tcp comment="" \
    disabled=no 
add chain=forward action=accept dst-port=8291 protocol=tcp comment="" \
    disabled=no 
add chain=output action=accept src-port=8291 protocol=tcp comment="" \
    disabled=no 
add chain=input action=accept dst-port=8000 protocol=tcp comment="######    \
    Gestione web apparati" disabled=no 
add chain=prerouting action=accept dst-port=8000 protocol=tcp comment="" \
    disabled=no 
add chain=forward action=accept dst-port=8000 protocol=tcp comment="" \
    disabled=no 
add chain=prerouting action=jump jump-target=known protocol=icmp \
    comment="######    Marca ICMP" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=0-1024 \
    protocol=tcp dst-address-list=!rapidshare comment="######    TCP < 1024" \
    disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=0-1024 \
    protocol=udp dst-address-list=!rapidshare comment="######    UDP < 1024" \
    disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=5900-5901 \
    protocol=tcp comment="######    VNC" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=8083 protocol=tcp \
    comment="####   Pagina Clienti sospesi" disabled=no 
add chain=prerouting action=jump jump-target=known dst-address=65.54.239.20 \
    comment="######    Server login MSN" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=1200-1281 \
    protocol=tcp comment="######    Porte MSN" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=1862 protocol=tcp \
    comment="" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=1863 protocol=tcp \
    comment="" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=2210 protocol=tcp \
    comment="" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=9000-9010 \
    protocol=tcp comment="" disabled=no 
add chain=prerouting action=jump jump-target=known dst-address=195.110.124.133 \
    comment="######    Sito Ministero ASAPO" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=3389 protocol=tcp \
    comment="######    Desktop Remoto WINDOWS" disabled=no 
add chain=prerouting action=jump jump-target=known src-port=3389 protocol=tcp \
    comment="" disabled=no 
add chain=prerouting action=jump jump-target=known dst-address=144.15.251.38 \
    comment="######    VPN La Spada" disabled=no 
add chain=prerouting action=jump jump-target=known src-address=192.168.9.16 \
    comment="######    Mark Cipriano come Known" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=14601-14603 \
    protocol=tcp comment="######    Porte del sito Photocity" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=6550 protocol=tcp \
    comment="######    Porte utilizzate da Supermarket GM  " disabled=no 
add chain=prerouting action=jump jump-target=known src-port=6550 protocol=tcp \
    comment="" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=6551 protocol=tcp \
    comment="" disabled=no 
add chain=prerouting action=jump jump-target=known src-port=6551 protocol=tcp \
    comment="" disabled=no 
add chain=prerouting action=jump jump-target=known dst-port=6996 protocol=tcp \
    comment="" disabled=no 
add chain=prerouting action=jump jump-target=known src-port=6996 protocol=tcp \
    comment="" disabled=no 
add chain=prerouting action=jump jump-target=known src-address=192.168.9.17 \
    comment="######    Carroccio - Problema uNICREDIT bANCA °°° pROVARE PORTA \
    3117" disabled=no 
add chain=prerouting action=passthrough connection-mark=!known comment="TEST" \
    disabled=yes 
add chain=prerouting action=passthrough packet-mark=!known comment="" \
    disabled=yes 
add chain=prerouting action=mark-connection new-connection-mark=unknown \
    passthrough=yes dst-address-list=rapidshare comment="######    Rapidshare" \
    disabled=no 
add chain=prerouting action=mark-connection new-connection-mark=unknown \
    passthrough=yes src-address-list=rapidshare comment="" disabled=no 
add chain=prerouting action=mark-connection new-connection-mark=unknown \
    passthrough=yes connection-mark=!known comment="######    Traffico \
    UNKNOWN" disabled=no 
add chain=prerouting action=mark-packet new-packet-mark=unknown \
    passthrough=yes connection-mark=unknown comment="" disabled=no 
add chain=prerouting action=mark-routing new-routing-mark=unknown \
    passthrough=no connection-mark=unknown comment="" disabled=no 
add chain=postrouting action=change-mss new-mss=1360 tcp-flags=syn \
    protocol=tcp src-address-list=Small_MSS comment="######    Change MSS" \
    disabled=no 
add chain=postrouting action=change-mss new-mss=1360 tcp-flags=syn \
    protocol=tcp dst-address-list=Small_MSS comment="" disabled=no 
add chain=known action=passthrough \
    comment="########################################                         \
    CHAIN KNOWN                         \
    ###########################################" disabled=no 
add chain=known action=mark-connection new-connection-mark=known \
    passthrough=yes comment="" disabled=no 
add chain=known action=mark-packet new-packet-mark=known passthrough=yes \
    connection-mark=!known comment="" disabled=no 
add chain=known action=mark-routing new-routing-mark="vs NICOLA" \
    passthrough=no src-address=88.149.204.133 connection-mark=known \
    dst-address-list=!managment comment="H.Terme" disabled=no 
add chain=known action=mark-routing new-routing-mark="vs Cassisi" \
    passthrough=yes src-address=192.168.9.0/24 connection-mark=known \
    comment="" disabled=no 
add chain=known action=mark-routing new-routing-mark="vs Cassisi" \
    passthrough=yes src-address=192.168.9.0/24 packet-mark=known comment="" \
    disabled=no 
add chain=known action=mark-routing new-routing-mark=unknown passthrough=no \
    src-address=192.168.9.90 dst-address-list=!managment comment="" \
    disabled=yes 
add chain=known action=mark-routing new-routing-mark=unknown passthrough=no \
    src-address=192.168.9.69 comment="" disabled=yes 
add chain=unknown action=passthrough \
    comment="########################################                         \
    CHAIN UNKNOWN                         \
    ###########################################" disabled=no 
add chain=unknown action=mark-connection new-connection-mark=unknown \
    passthrough=yes comment="" disabled=no 
add chain=unknown action=mark-packet new-packet-mark=unknown passthrough=yes \
    comment="" disabled=no 
add chain=unknown action=mark-routing new-routing-mark=unknown passthrough=yes \
    comment="" disabled=no 
add chain=known action=mark-routing new-routing-mark="vs Cassisi" \
    passthrough=yes src-address=192.168.9.0/24 comment="" disabled=yes 
add chain=known action=return comment="" disabled=no 
add chain=unknown action=return comment="" disabled=yes

IP routes

IP routes

Re: IP routes

Re: IP routes

Re: IP routes

Re: IP routes