etr102
just joined
Topic Author
Posts: 5
Joined: Sat Aug 19, 2017 5:44 pm

Routing based on SOURCE IP or SOURCE interface?

Sun Aug 20, 2017 6:21 pm

With my setup, I have two separate PPPoE interfaces. (We'll call them pppoe-out1 and pppoe-out2). I have a switch plugged into ether3 with a bunch of hosts. I have another switch plugged into ether5 with more hosts. I need to have all of the traffic from ether3 go out through pppoe-out1 and all the traffic from ether5 go out through pppoe-out2.

I've read a few snippets here and there about setting up a mangle rule to mark the packets and then setting up static routes to route based on the mangle mark. Is this possible or advisable to do? How would I go about this?

Any other solutions?
 
pe1chl
Forum Guru
Posts: 9010
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routing based on SOURCE IP or SOURCE interface?

Sun Aug 20, 2017 8:47 pm

/ip route rule
setup rules for the source address and a lookup in a second table
set a default route via the second interface in that second table
 
etr102
just joined
Topic Author
Posts: 5
Joined: Sat Aug 19, 2017 5:44 pm

Re: Routing based on SOURCE IP or SOURCE interface?

Tue Aug 22, 2017 5:54 am

> /ip route rule
> setup rules for the source address and a lookup in a second table
> set a default route via the second interface in that second table

Sorry your wording is a little confusing. Can you provide me an example of what you mean?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Routing based on SOURCE IP or SOURCE interface?

Wed Sep 27, 2017 7:44 am

route rules are a simplified way to do policy routing, as opposed to the "mainstream" method of using action=mark-routing new-routing-mark=ISP2 on mangle table rules.

Basically, the thing you want to do is make some route rules which list your local addresses (both LANs and both WANs) and set the action to lookup in table "main"
i.e. - for your own stuff, don't do anything fancy.
Let's say pppoe1 is isp1 and you let it install the default GW route into the main routing table.
You'll want to set pppoe2 to use a larger admin distance on its default GW route so that the main table will use isp1....
Then make a static default GW route with dst=pppoe2 as the main route (lowest distance value) and optionally a second one with pppoe1 as a backup default GW (higher admin distance value) for the "isp2" routing table. (routing-mark=isp2)
Once those exist, you can make a route rule which says if the source IP is from lan2, then action=lookup-only-in-table table=isp2
So long as this rule comes after the ones that force local addresses to always be looked up in the main table, you're done.
 
PowerPlay
just joined
Posts: 3
Joined: Mon Feb 05, 2018 5:33 pm

Re: Routing based on SOURCE IP or SOURCE interface?

Fri Feb 09, 2018 8:36 am

> route rules are a simplified way to do policy routing, as opposed to the "mainstream" method of using action=mark-routing new-routing-mark=ISP2 on mangle table rules.

Hi ZeroByte,

I keep running into your posts in my search for answers. This topic gave me a working direction, I appreciate the help. If it's not too much trouble, would you mind weighing in here:

viewtopic.php?f=13&t=130469

I apologize if this is unorthodox, but I see no way of tagging you in my thread or PM'ing you on this board. Thank you.
 
millanbelsue
just joined
Posts: 16
Joined: Tue May 27, 2014 11:24 am

Re: Routing based on SOURCE IP or SOURCE interface?

Tue Nov 22, 2022 3:31 pm

Sorry, but it is very difficult for me to configure it in V7.3.1

I have a router with 3 interfaces:
- Interface ETH1: Host with IP: 172.22.x.x/16 and host with 172.23.x.x/16
- Interface ETH2 (192.168.1.1/24): Connect to Firewall1 (192.168.1.2/24)
- Interface ETH3 (192.168.2.1/24): Connect to Firewall2 (192.168.2.2/24)

I need to send to Firewall 1 the traffic with IP source 172.22.x.x and to Firewall 2 the traffic with IP source 172.23.x.x
Can anyone help me?
 
anav
Forum Guru
Posts: 14413
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing based on SOURCE IP or SOURCE interface?

Thu Nov 24, 2022 11:48 pm

The basic idea is
TO DIRECT OUTGOING LAN TRAFFIC OUT A SPECIFIC WANIP

NEED DEFAULT ROUTES
/ip route
add dst-address=0.0.0.0/0 gateway=wan1-gwy routing-table=main distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=wan2-gwy routing-table=main distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=wan3-gwy routing-table=main distance=3 check-gateway=ping

Now you can use this approach with distance to direct all users out 1, if 1 is down they go to 2, and if 2 is down they go to 3.
Then for specific subnets to work around this you can use the below rules as well!
OR
If each WANIP needs a specific LANSUBNET ONLY and no failover needed then.........
/ip route
add dst-address=0.0.0.0/0 gateway=wan1-gwy routing-table=main distance=1
add dst-address=0.0.0.0/0 gateway=wan2-gwy routing-table=main distance=1
add dst-address=0.0.0.0/0 gateway=wan3-gwy routing-table=main distance=1

Let's take the latter case and we have subnets A, B, C and A goes to 1, B goes to 2, and C goes to 3.

First step need 3 tables...
/routing table
add name=use-WAN1 fib
add name=use-WAN2 fib
add name=use-WAN3 fib

Second step need 3 additional routes to go along with the defaults.
/ip route
add dst-address=0.0.0.0/0 gateway=WAN1-gwy routing-table=use-WAN1
add dst-address=0.0.0.0/0 gateway=WAN2-gwy routing-table=use-WAN2
add dst-address=0.0.0.0/0 gateway=WAN3-gwy routing-table=use-WAN3

Then three routing rules.......
/routing rule
add src-address=subnetA action=lookup-only-in-table table=use-WAN1
add src-address=subnetB action=lookup-only-in-table table=use-WAN2
add src-address=subnetC action=lookup-only-in-table table=use-WAN3

If one wanted a subnet to go out another WAN if their WAN was not available for some reason, change action to
action=lookup and the router will go to the main table to see if any other routes are available/working.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

You should note that by using distance you can force all users to that WAN1 and thus don't need another route or table or route rule for any subnet needing this route direction.
However if you didn't want subnets to deviate to other subnets as failover, then no requirement for a distance approach. I like it because it can be more efficient and useful but each scenario is slightly different and nuanced.

++++++++++++++++++++++++++++++++++++++++++++++++++++

Another point, this DOES NOT cover the requirements where both incoming and outgoing traffic are involved. If you have traffic coming in on a particular WAN and you have adjusted the outgoing traffic rules, there may be a conflict. Therefore when controlling traffic both ways one really has to get into the mangle game to identify the traffic coming in on a particular wan to ensure it goes out the same wan.


Final point: Be careful of directing LAN users by the above method. IF you need LAN subnet A, to also be able to talk to SUBNET B, they will never reach B as you forced them out WAN1.

If you need internal traffic for subnets then simply add additional ROUTING RULES BEFORE (order counts) the wan rules.
ex.
/routing rule
# all subnets need access to LAN A
add dst-address=subnetA action=lookup-only-in-table table=main
add src-address=subnetA action=lookup-only-in-table table=use-WAN1
add src-address=subnetB action=lookup-only-in-table table=use-WAN2

# subnet C needs access to subnet B
add dst-address=subnetB src-address=subnetC action=lookup-only-in-table table=main
add src-address=subnetC action=lookup-only-in-table table=use-WAN3

note1: if you're paying attention I don't really need the src-address=subnet C in the second addition, as the rule placement kinda will only affect subnet C anyway. :-)
note2. still need appropriate firewall rules.
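
The rule-ordering point from the post above, as an added example that is not part of any post in this thread: a simplified Python model of top-down routing-rule evaluation, applied to the ETH1/Firewall1/Firewall2 addresses given earlier. The table names via-fw1 and via-fw2 and the destination 203.0.113.10 are constructed, and the fall-through of action=lookup is modelled as the post describes it.

```python
import ipaddress as ip

# Constructed model of the ETH1/ETH2/ETH3 router described in the thread.
# Table names via-fw1 and via-fw2 are hypothetical.
TABLES = {
    "main": [("172.22.0.0/16", "ether1"), ("172.23.0.0/16", "ether1"),
             ("192.168.1.0/24", "ether2"), ("192.168.2.0/24", "ether3")],
    "via-fw1": [("0.0.0.0/0", "192.168.1.2")],
    "via-fw2": [("0.0.0.0/0", "192.168.2.2")],
}

def lookup(table, dst, tables):
    """Longest-prefix match inside one table; None when no route covers dst."""
    hits = [(ip.ip_network(net), gw) for net, gw in tables[table]
            if ip.ip_address(dst) in ip.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def matches(r, src, dst):
    """A rule matches when every src/dst selector it carries covers the packet."""
    return all(ip.ip_address(addr) in ip.ip_network(r[key])
               for key, addr in (("src", src), ("dst", dst)) if key in r)

def resolve(rules, src, dst, tables=TABLES):
    """Walk the rules top-down; the first matching rule picks the table."""
    for r in rules:
        if not matches(r, src, dst):
            continue
        gw = lookup(r["table"], dst, tables)
        if gw or r["action"] == "lookup-only-in-table":
            return gw or "unreachable"
        # action=lookup found nothing: fall through to later rules, then main
    return lookup("main", dst, tables) or "unreachable"

def make_rule(table, action="lookup-only-in-table", **match):
    return {"table": table, "action": action, **match}

# Source rules alone, then the same rules with local destinations pinned first.
WAN_RULES = [make_rule("via-fw1", src="172.22.0.0/16"),
             make_rule("via-fw2", src="172.23.0.0/16")]
LOCAL_FIRST = [make_rule("main", dst="172.22.0.0/16"),
               make_rule("main", dst="172.23.0.0/16")] + WAN_RULES

if __name__ == "__main__":
    for name, rules in (("WAN rules only", WAN_RULES), ("local first", LOCAL_FIRST)):
        for dst in ("203.0.113.10", "172.23.0.9"):
            print(name, "172.22.0.5 ->", dst, "via", resolve(rules, "172.22.0.5", dst))
```

With only the source rules, traffic from 172.22.x.x to 172.23.x.x is handed to Firewall1; with the destination rules placed first it stays on the router's connected route.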
