RouterOS - Route traffic through specific gateway problem

Posted: Mon Jul 08, 2019 10:10 am
by tvagge
Hi guys,

I'm in front of this working configuration:
/ip address
add address=10.24.14.1/23 disabled=no interface=LAN network=10.24.14.0
add address=10.4.14.2/24 disabled=no interface=WAN1 network=10.4.14.0
add address=10.30.52.242/24 disabled=no interface=WAN2 network=10.30.52.0
add address=10.1.1.2/24 disabled=no interface=WAN2 network=10.1.1.0

/ip firewall filter
add action=accept chain=input disabled=no dst-address=10.30.52.242 dst-port=\
    8080 in-interface=WAN2 protocol=tcp
add action=accept chain=output disabled=no out-interface=WAN2 protocol=tcp \
    src-address=10.24.14.21 src-port=8080

/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no in-interface=WAN1 \
    new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=prerouting disabled=no in-interface=WAN2 \
    new-connection-mark=WAN2_connection passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
    disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_connection \
    disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_connection \
    disabled=no new-routing-mark=to_WAN2 passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=10.24.14.0/23
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=dst-nat chain=dstnat disabled=no dst-address=10.30.52.242 \
    dst-port=8080 in-interface=WAN1 protocol=tcp to-addresses=10.24.14.21 \
    to-ports=8080
add action=dst-nat chain=dstnat disabled=no dst-address=10.30.52.242 \
    dst-port=8080 in-interface=WAN2 protocol=tcp to-addresses=10.24.14.21 \
    to-ports=8080

/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.30.52.1 \
    routing-mark=to_WAN2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 \
    target-scope=10
add disabled=no distance=1 dst-address=10.2.60.59/32 gateway=10.1.1.138 \
    scope=30 target-scope=10
add comment=ROUTE1 disabled=no distance=1 dst-address=10.50.14.0/24 gateway=\
    10.30.52.1 scope=30 target-scope=10
add comment=ROUTE2 disabled=no distance=1 dst-address=10.50.14.80/32 \
    gateway=10.30.52.1 scope=30 target-scope=10
add comment=ROUTE3 disabled=no distance=1 dst-address=10.50.147.11/32 \
    gateway=10.30.52.1 scope=30 target-scope=10
add comment=ROUTE4 disabled=no distance=1 dst-address=10.50.147.16/32 \
    gateway=10.30.52.1 scope=30 target-scope=10
add comment=ROUTE5 disabled=no distance=1 dst-address=10.19.25.0/24 \
    gateway=10.30.52.1 scope=30 target-scope=10
add comment=ROUTE6 disabled=no distance=1 dst-address=84.225.251.238/32 \
    gateway=10.30.52.1 scope=30 target-scope=10
When I try to add this in ip/route:
add disabled=no distance=1 dst-address=10.2.60.59/32 gateway=10.1.1.138 scope=30 target-scope=10
the packets never reach the selected gateway (10.1.1.138). All the other routes are working fine. I can't really see what the problem is. Can anyone help please?

*** Note ***
10.30.52.242/24 Network -> Gateway: 10.30.52.1
10.1.1.2/24 Network -> Gateway: 10.1.1.138

Re: RouterOS - Route traffic through specific gateway problem

Posted: Tue Jul 09, 2019 1:17 am
by CZFan
try adding Routing-Mark=to_Wan2 to the route you are trying to add

Re: RouterOS - Route traffic through specific gateway problem

Posted: Tue Jul 09, 2019 8:30 am
by tvagge
try adding Routing-Mark=to_Wan2 to the route you are trying to add
Hi,

Done that, still not working... When I use tracert to 10.2.60.59 with routing-mark=to_Wan2, it routes through 10.4.14.1 gateway...
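The symptom in this reply (route carries routing-mark=to_WAN2, yet traceroute leaves via 10.4.14.1) follows directly from how a marked route is looked up. The block below is an added illustration, not code from the thread or from RouterOS: a small Python model of route selection over the exact /ip route entries posted above. It assumes three simplified rules (longest prefix wins, then lowest distance; a routing mark selects which table is searched; a marked table with no matching route falls back to main), and that LAN-originated connections carry no routing mark, because the posted mangle rules only mark traffic belonging to connections that entered on WAN1 or WAN2. The route list, target address and case names are constructed for the example.

```python
import ipaddress

# Main table is represented by routing mark None.
MAIN = None

# Constructed copy of the /ip route entries posted in the thread:
# (destination prefix, gateway, distance, routing mark)
POSTED_ROUTES = [
    ("0.0.0.0/0",         "10.30.52.1", 2, "to_WAN2"),
    ("0.0.0.0/0",         "10.4.14.1",  1, MAIN),
    ("10.50.14.0/24",     "10.30.52.1", 1, MAIN),
    ("10.50.14.80/32",    "10.30.52.1", 1, MAIN),
    ("10.50.147.11/32",   "10.30.52.1", 1, MAIN),
    ("10.50.147.16/32",   "10.30.52.1", 1, MAIN),
    ("10.19.25.0/24",     "10.30.52.1", 1, MAIN),
    ("84.225.251.238/32", "10.30.52.1", 1, MAIN),
]

TARGET = "10.2.60.59"


def select_gateway(routes, dst, routing_mark=MAIN):
    """Return the next-hop gateway chosen for dst.

    Assumed simplification of RouterOS route selection:
      1. only routes in the table named by routing_mark are considered;
      2. longest prefix wins, then lowest distance;
      3. if the marked table has no matching route at all, the lookup
         falls back to the main table.
    """
    addr = ipaddress.ip_address(dst)

    def best(table):
        hits = [
            (net.prefixlen, -distance, gw)
            for prefix, gw, distance, mark in routes
            if mark == table
            for net in [ipaddress.ip_network(prefix)]
            if addr in net
        ]
        return max(hits)[2] if hits else None

    if routing_mark is not MAIN:
        gw = best(routing_mark)
        if gw is not None:
            return gw
    return best(MAIN)


def with_route(routes, prefix, gw, distance=1, mark=MAIN):
    """Return a copy of routes with one extra entry appended."""
    return routes + [(prefix, gw, distance, mark)]


def case_original_post():
    # Route added exactly as in the opening post: main table, no mark.
    routes = with_route(POSTED_ROUTES, "10.2.60.59/32", "10.1.1.138")
    return select_gateway(routes, TARGET)  # "10.1.1.138"


def case_marked_route_unmarked_traffic():
    # Route now carries routing-mark=to_WAN2, but a new LAN-originated
    # connection has no routing mark (assumption from the mangle rules),
    # so the lookup happens in main, where only the default route matches.
    routes = with_route(POSTED_ROUTES, "10.2.60.59/32", "10.1.1.138",
                        mark="to_WAN2")
    return select_gateway(routes, TARGET)  # "10.4.14.1"


def case_marked_route_marked_traffic():
    # Same marked route, but the packet itself carries the to_WAN2 mark.
    routes = with_route(POSTED_ROUTES, "10.2.60.59/32", "10.1.1.138",
                        mark="to_WAN2")
    return select_gateway(routes, TARGET, routing_mark="to_WAN2")  # "10.1.1.138"


if __name__ == "__main__":
    print("OP route, unmarked LAN traffic :", case_original_post())
    print("marked route, unmarked traffic :", case_marked_route_unmarked_traffic())
    print("marked route, marked traffic   :", case_marked_route_marked_traffic())
```

Under these assumptions the model picks 10.1.1.138 for the route as originally posted, so the first symptom in the thread is not a route-selection problem and has to be looked for after the lookup (reachability of 10.1.1.138 on WAN2, or the return path from the far side). Adding routing-mark=to_WAN2 removes the /32 from the main table, and unmarked LAN traffic then falls to the main default route via 10.4.14.1, which is exactly the traceroute observed here.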

Re: RouterOS - Route traffic through specific gateway problem

Posted: Wed Jul 10, 2019 4:34 pm
by tvagge
Hi again,

I still can't figure out what the problem is, can anyone help me?

Re: RouterOS - Route traffic through specific gateway problem

Posted: Fri Jul 19, 2019 1:30 pm
by tvagge
Back again, the problem still exists, can anyone help me with that please?

Re: RouterOS - Route traffic through specific gateway problem

Posted: Sun Jul 21, 2019 12:34 am
by CZFan
Start by getting routing only working first, i.e. disable mangle and route marking rules.
If routing is still not working, then troubleshoot from there; if it is working, then add the mangle rules and see where it breaks.

Re: RouterOS - Route traffic through specific gateway problem

Posted: Mon Oct 21, 2019 10:26 am
by tvagge
Hi guys,

I'm coming back on this, has anyone any solution to this problem? I didn't manage to solve it. Please note that the router serves a 1000-client network, it's in production, so I have very little room for radical changes to the existing configuration.

Re: RouterOS - Route traffic through specific gateway problem

Posted: Thu Oct 24, 2019 1:04 am
by CZFan
It is a bit late here now, i.e. 12:00 am, I will map out your config in the morning and see if I find anything

Re: RouterOS - Route traffic through specific gateway problem

Posted: Fri Oct 25, 2019 11:15 pm
by CZFan
EDIT, sorry, my brain is tired and made a mistake in previous post:

The rules below are wrong, as you are port forwarding these, so you need to accept the dstnat connection NAT state in the forward chain.

/ip firewall filter
add action=accept chain=input disabled=no dst-address=10.30.52.242 dst-port=\
8080 in-interface=WAN2 protocol=tcp
add action=accept chain=output disabled=no out-interface=WAN2 protocol=tcp \
src-address=10.24.14.21 src-port=8080


Then I had a quick look and am not experiencing the same problem; doing a trace route from PC1 to PC2 seems to go via the correct gateway.
[attachment: RouteGW.JPG]
The config I have on MT-CHR-1 as per config you posted:
[admin@MT-CHR-1] > export
# oct/25/2019 19:56:45 by RouterOS 6.44.3
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether3 ] name=LAN
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.24.14.2-10.24.15.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN name=dhcp1
/ip address
add address=10.24.14.1/23 interface=LAN network=10.24.14.0
add address=10.4.14.2/24 interface=WAN1 network=10.4.14.0
add address=10.30.52.242/24 interface=WAN2 network=10.30.52.0
add address=10.1.1.2/24 interface=WAN2 network=10.1.1.0
/ip dhcp-client
add disabled=no interface=WAN1
/ip dhcp-server network
add address=10.24.14.0/23 gateway=10.24.14.1
/ip firewall filter
add action=accept chain=input dst-address=10.30.52.242 dst-port=8080 \
    in-interface=WAN2 protocol=tcp
add action=accept chain=output out-interface=WAN2 protocol=tcp src-address=\
    10.24.14.21 src-port=8080
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=WAN1 \
    new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=prerouting in-interface=WAN2 \
    new-connection-mark=WAN2_connection passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
    in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_connection \
    in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_connection \
    new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.24.14.0/23
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN1
add action=dst-nat chain=dstnat dst-address=10.30.52.242 dst-port=8080 \
    in-interface=WAN1 protocol=tcp to-addresses=10.24.14.21 to-ports=8080
add action=dst-nat chain=dstnat dst-address=10.30.52.242 dst-port=8080 \
    in-interface=WAN2 protocol=tcp to-addresses=10.24.14.21 to-ports=8080
/ip route
add distance=2 gateway=10.30.52.1 routing-mark=to_WAN2
add distance=1 gateway=10.4.14.1
add distance=1 dst-address=10.2.60.59/32 gateway=10.1.1.138
add comment=ROUTE5 distance=1 dst-address=10.19.25.0/24 gateway=10.30.52.1
add comment=ROUTE1 distance=1 dst-address=10.50.14.0/24 gateway=10.30.52.1
add comment=ROUTE2 distance=1 dst-address=10.50.14.80/32 gateway=10.30.52.1
add comment=ROUTE3 distance=1 dst-address=10.50.147.11/32 gateway=10.30.52.1
add comment=ROUTE4 distance=1 dst-address=10.50.147.16/32 gateway=10.30.52.1
add comment=ROUTE6 distance=1 dst-address=84.225.251.238/32 gateway=\
    10.30.52.1
/system identity
set name=MT-CHR-1

Re: RouterOS - Route traffic through specific gateway problem

Posted: Mon Oct 28, 2019 12:43 am
by tvagge
Hi, thank you for your reply,

Well, it still doesn't work... As you posted in your trace command, it goes through 10.24.14.1, then it goes through 10.1.1.138, with very high pings, and after that it continues with timeouts forever...
The strange thing is that when I'm on the LAN side (10.24.14.1/23), I can't ping the gateway 10.1.1.138 (timeouts), nor can I access its web interface (https://10.1.1.138).
I also didn't understand this line:
The rules below are wrong, as you are port forwarding these, so you need to accept the dstnat connection NAT state in the forward chain.

Re: RouterOS - Route traffic through specific gateway problem

Posted: Mon Oct 28, 2019 10:05 pm
by CZFan
I should have included in my previous post, ignore the high ping rates and time outs, my gns3 setup was broken at the time.

The purpose of my screenshot was more to show the route taken.

Are there no firewall rules blocking ICMP on 10.1.1.138?

Re: RouterOS - Route traffic through specific gateway problem

Posted: Mon Oct 28, 2019 10:34 pm
by tvagge
Well, you have my entire config, no firewall rules

Re: RouterOS - Route traffic through specific gateway problem

Posted: Tue Oct 29, 2019 12:56 pm
by CZFan
Well, you have my entire config, no firewall rules

I can only find config for 10.24.14.1?

Re: RouterOS - Route traffic through specific gateway problem

Posted: Tue Oct 29, 2019 1:19 pm
by tvagge
Well, you have my entire config, no firewall rules

I can only find config for 10.24.14.1?
Can you please elaborate (explain more) on this? Is something missing?

Re: RouterOS - Route traffic through specific gateway problem

Posted: Tue Oct 29, 2019 1:31 pm
by tvagge
Here's what I'm getting:

[image attachment]

No need to say that the end target (10.2.60.59) is up and working

Route command:
add disabled=no distance=1 dst-address=10.2.60.59/32 gateway=10.1.1.138 scope=30 target-scope=10

Re: RouterOS - Route traffic through specific gateway problem

Posted: Thu Oct 31, 2019 1:48 pm
by CZFan
Seems you have made some progress, in your OP you stated the packet never reaches 10.1.1.138 and from the trace route now it does.

I don't know what device 10.2.60.59 is and can only assume it is a PC/workstation/server; then my assumption would be that there is:
1. A firewall on this device blocking ICMP, or
2. That device does not know how to get back to where you are doing the trace route from, i.e. it does not have a default route, or its default route is pointing to some other device.