[Fwd: routing and marking and rules, oh my!]
Was wondering why my messages to this list weren't showing up. Figured out I was sending from wrong address :-(

Anyway:

I need to do something in RouterOS that I feel should be simple, but I can't seem to get my head around route rules and packet marking to make it happen.

What I want to do is ensure that all traffic arriving on interface A is routed out interface B. All other traffic should be routed normally.

That's it! Simple example, anyone?

Regards, K.

--
Karl Auer (kauer@nullarbor.com.au)
http://www.nullarbor.com.au
work +61 2 64957435
mobile +61 428 957160
GPG fingerprint: 231A B066 CF91 1216 4F0F F2AC CE25 B8AA 46DC CC4F
Old fingerprint: 1DB8 0599 13F0 E774 3811 6CA6 D6D0 AFA9 D91A 004C

Using mangle, tag where src-address=x.x.x.x on prerouting chain, mark routing on output?

- Andrew

On 2 December 2014 at 20:44, Karl Auer <kauer@nullarbor.com.au> wrote:
> Was wondering why my messages to this list weren't showing up. Figured out I was sending from wrong address :-(
>
> Anyway:
>
> I need to do something in RouterOS that I feel should be simple, but I can't seem to get my head around route rules and packet marking to make it happen.
>
> What I want to do is ensure that all traffic arriving on interface A is routed out interface B. All other traffic should be routed normally.
>
> That's it! Simple example, anyone?
>
> Regards, K.

Yep, basically what Andrew said. I have a couple of old /26's from one of my upstreams, which MUST go out their interface (else they don't make it back INTO their network due to ingress filtering).

    /ip firewall mangle add action=mark-routing chain=prerouting in-interface=vlan_1201 \
        new-routing-mark=out-platform
    /ip route add check-gateway=ping distance=1 gateway=202.62.137.101 \
        routing-mark=out-platform

Then anything coming in interface vlan_1201 will go out the interface facing 202.62.137.101

On 3 December 2014 at 11:05, Andrew Cox <andrew.cox@bigair.net.au> wrote:
> Using mangle, tag where src-address=x.x.x.x on prerouting chain, mark routing on output?
>
> - Andrew

-- Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust rendrag@rendrag.net - http://www.rendrag.net/ -- We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder
Hi Karl,

Like Andrew said, mangle and packet mark is the way to do it:

1. match packets with connection-state=new arriving on interface A, add connection-mark=inboundA
2. match packets outbound with connection-mark=inboundA, add routing-mark=outboundB
3. create static route to 0.0.0.0/0 with routing-mark=outboundA to next hop of gateway to interface B

Should do the job! :-)

Only catch is for non connection-based traffic using UDP, which although RouterOS can try to maintain session state (check 'connection tracking' under firewall), it is usual for that to come unstuck for services that don't have consistent packet flow (especially SIP) - if you are using one of those protocols for your application, then you'll also need to add some further tricks with source and destination ports to try to maintain control of the packets.

Cheers! Mike.
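
The three steps from Mike's message written out as RouterOS v6 configuration, as an added example that is not part of the original thread. The interface name ether-A and the gateway 192.0.2.1 are placeholders; the dst-address-type=!local match, the route rule and the print commands are additions, and a single routing-mark name (outboundB) is used on both the mangle rule and the route because the two must match.

```routeros
# Added example, RouterOS v6 syntax (routing-mark on /ip route).
# Assumptions: ether-A is "interface A"; 192.0.2.1 is the next hop
# reached through "interface B". Replace both with real values.

/ip firewall mangle
# Step 1: tag every new connection that enters on interface A.
add chain=prerouting in-interface=ether-A connection-state=new \
    action=mark-connection new-connection-mark=inboundA passthrough=yes \
    comment="mark connections arriving on A"

# Step 2: give packets of those connections a routing mark.
# in-interface keeps the mark off reply packets, which arrive on B
# and must be routed back towards A by the main table.
# dst-address-type=!local (an addition) leaves traffic addressed to
# the router itself, e.g. management or DNS, on the main table.
add chain=prerouting in-interface=ether-A connection-mark=inboundA \
    dst-address-type=!local action=mark-routing \
    new-routing-mark=outboundB passthrough=no \
    comment="route connections from A via table outboundB"

/ip route
# Step 3: default route that only marked packets use.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=outboundB \
    check-gateway=ping distance=1 comment="default via B for traffic from A"

# Optional addition: when check-gateway marks the route above inactive,
# marked packets would otherwise fall through to the main table and
# leave by another upstream (where ingress filtering may drop them).
# This rule makes them unroutable instead.
/ip route rule
add routing-mark=outboundB action=lookup-only-in-table table=outboundB

# Verification: counters should rise on both mangle rules, tracked
# connections should carry the mark, and the route should be active.
/ip firewall mangle print stats
/ip firewall connection print where connection-mark=inboundA
/ip route print where routing-mark=outboundB
```

On RouterOS v7 the route takes routing-table= instead of routing-mark=, and the table has to be created first under /routing table.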
participants (4): Andrew Cox, Damien Gardner Jnr, Karl Auer, Mike Everest