
Problem with policy routing

Posted: Fri Feb 15, 2013 10:52 pm
by harryenlared
Hello.

I have a problem with policy routing

This is the router configuration:

/ip address
add interface=ether1 address=200.10.x.2/24
add interface=ether2 address=200.20.x.2/24

/ip route 
add dst-address=0.0.0.0/0 gateway=200.10.x.1 pref-src=200.10.x.2
add dst-address=0.0.0.0/0 gateway=200.20.x.1 pref-src=200.20.x.2 routing-mark=policy

/ip firewall mangle
add chain=output action=mark-routing new-routing-mark=policy src-address=200.20.x.2

When the default route 200.10.x.1 is disabled, I have no connection to the router using 200.20.x.2.

Why doesn't the policy routing work?

Thanks in advance.

Re: Problem with policy routing

Posted: Fri Feb 15, 2013 11:18 pm
by cupis
> I have a problem with policy routing
>
> This is the router configuration:
>
> /ip address
> add interface=ether1 address=200.10.x.2/24
> add interface=ether2 address=200.20.x.2/24
>
> /ip route
> add dst-address=0.0.0.0/0 gateway=200.10.x.1 pref-src=200.10.x.2
> add dst-address=0.0.0.0/0 gateway=200.20.x.1 pref-src=200.20.x.2 routing-mark=policy
>
> /ip firewall mangle
> add chain=output action=mark-routing new-routing-mark=policy src-address=200.20.x.2
>
> When the default route 200.10.x.1 is disabled, I have no connection to the router using 200.20.x.2.
>
> Why doesn't the policy routing work?

You need to mark your traffic from 200.100.x.x/24 as having routing-mark "policy"; otherwise it will not be allowed to use the second default route. Your mangle rule above will not do that: by the time you get to "output" it is too late to make this decision.

Something like:
/ip firewall mangle add chain=prerouting src-address=200.20.x.x/24 action=mark-routing new-routing-mark=policy

Re: Problem with policy routing

Posted: Sun Feb 17, 2013 4:50 pm
by harryenlared
Thank you for your reply.

The prerouting rule works for forwarded packets, but I need to enter into the router:
e.g.: ssh 200.20.x.2

This is something like this:

---> input ----> Local process ---> Output ----> Routing adjustment ---> Routing decision --->

You can see in http://wiki.mikrotik.com/wiki/Manual:Pa ... _decisions
"Routing adjustment: this is a workaround that allows to set-up policy routing in mangle chain output"

So, routing adjustment seems not to work in my configuration.

Re: Problem with policy routing

Posted: Sun Feb 17, 2013 5:58 pm
by cupis
> The prerouting rule works for forwarded packets, but I need to enter into the router:
> e.g.: ssh 200.20.x.2

And this doesn't work when the main link is down, correct?

If so, add something like this:
/ip firewall mangle add chain=input in-interface=ether2 action=mark-connection new-connection-mark=policy
This will mark any traffic coming into the router on ether2, on the input chain (i.e. traffic to 200.20.x.2 specifically) so that it will use the second default route to send return traffic. I don't have a device handy I can test this on at the moment, but that may resolve the issue for you.
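
The connection-mark approach from the reply above, written out together with the output-chain rule that converts the connection mark into a routing mark. This is an added example, not part of the thread; `via-ether2` is a hypothetical mark name, and the thread does not establish whether this covers the case where the main default route is disabled.

```routeros
# Added example, not from the thread. "via-ether2" is a hypothetical
# connection-mark name; "policy" is the routing mark from the first post.
/ip firewall mangle
# 1. Tag every connection that reaches the router itself through ether2.
add chain=input in-interface=ether2 action=mark-connection \
    new-connection-mark=via-ether2 passthrough=yes
# 2. Packets the router generates for those connections (e.g. SSH replies)
#    get the routing mark, so they are looked up in the "policy" table
#    instead of "main".
add chain=output connection-mark=via-ether2 action=mark-routing \
    new-routing-mark=policy passthrough=no

/ip route
# 3. Default route of the "policy" table, as already configured in the
#    first post (addresses are masked there and kept masked here).
add dst-address=0.0.0.0/0 gateway=200.20.x.1 routing-mark=policy
```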

Re: Problem with policy routing

Posted: Wed Oct 21, 2015 6:05 am
by miahac
I am having the same problem with packets initiated from the router, i.e. L2TP connections. Did you find an answer?

http://forum.mikrotik.com/viewtopic.php?f=14&t=101095