Mikrotik
Melkij, 2013-12-29 20:12:29

Mikrotik, choosing a preferred gateway based on Address Lists

Classic story: I have a Mikrotik, 2 providers (bridge-gw0 and bridge-gw1) and 2 networks of my own (192.168.5.0/24 and 192.168.0.0/24, on the bridge-home and bridge-dmz interfaces).
I want to be able to define address lists:
0) wan_only_gw0 and wan_only_gw1: allow traffic only through the first or second provider, respectively. No failover: if the provider is offline, drop the traffic.
1) wan_failover_prefer_gw0 and wan_failover_prefer_gw1: failover only. If both providers are available, send all traffic to the first or second provider respectively; if only one provider is working, send traffic from both lists to it.
2) all addresses not in the above lists: balance traffic across both providers.
What is the correct way to do this?
My not-so-successful attempt:

/ip firewall mangle
add action=jump chain=prerouting connection-mark=no-mark dst-address-type=\
    !local in-interface=bridge-home jump-target=prerouting_wan
add action=mark-routing chain=prerouting connection-mark=to_astral0 \
    in-interface=bridge-home new-routing-mark=to_astral0
add action=mark-routing chain=prerouting connection-mark=to_astral1 \
    in-interface=bridge-home new-routing-mark=to_astral1
add action=mark-connection chain=prerouting_wan new-connection-mark=\
    to_astral0 passthrough=no src-address-list=wan_only_gw0
add action=mark-connection chain=prerouting_wan new-connection-mark=\
    to_astral1 passthrough=no src-address-list=wan_only_gw1
add action=mark-connection chain=prerouting_wan new-connection-mark=\
    to_astral0 passthrough=no src-address-list=wan_failover_prefer_gw0
add action=mark-connection chain=prerouting_wan new-connection-mark=\
    to_astral1 passthrough=no src-address-list=wan_failover_prefer_gw1
add action=mark-connection chain=prerouting_wan connection-mark=no-mark \
    new-connection-mark=to_astral0 passthrough=no per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting_wan connection-mark=no-mark \
    new-connection-mark=to_astral1 passthrough=no per-connection-classifier=\
    both-addresses:2/1
add action=return chain=prerouting_wan

/ip firewall filter
add action=drop chain=forward connection-mark=!to_astral0 connection-state=\
    new out-interface=bridge-gw0 src-address-list=wan_only_gw1
add action=drop chain=forward connection-mark=!to_astral1 connection-state=\
    new out-interface=bridge-gw1 src-address-list=wan_only_gw0

/ip route
add distance=1 gateway=192.168.7.1 routing-mark=to_astral1
add check-gateway=arp distance=1 gateway=172.23.152.1 routing-mark=to_astral0
add distance=1 gateway=172.23.152.1
add check-gateway=ping distance=2 gateway=192.168.7.1

With this, for a host in the wan_failover_prefer_gw1 list, the first ping to 8.8.8.8 goes out and comes back, but subsequent pings do not. Did I miss something obvious?

1 answer
Melkij, 2014-01-02

With this mangle configuration it seems to work as desired.

/ip firewall mangle
add action=mark-connection chain=input comment="mark input gw0" in-interface=\
    bridge-gw0 new-connection-mark=to_astral0 passthrough=no
add action=mark-connection chain=input comment="mark input gw1" in-interface=\
    bridge-gw1 new-connection-mark=to_astral1 passthrough=no
add action=mark-routing chain=output connection-mark=to_astral0 \
    new-routing-mark=to_astral0 passthrough=no
add action=mark-routing chain=output connection-mark=to_astral1 \
    new-routing-mark=to_astral1 passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge-gw0 new-connection-mark=to_astral0 passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge-gw1 new-connection-mark=to_astral1 passthrough=no
add action=jump chain=prerouting comment="process home connmark" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge-home \
    jump-target=prerouting_wan
add action=jump chain=prerouting comment="process dmz connmark" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge-dmz \
    jump-target=prerouting_wan
add action=jump chain=prerouting comment="set routing marks from home" \
    connection-mark=!no-mark in-interface=bridge-home jump-target=\
    prerouting_markroute
add action=jump chain=prerouting comment="set routing marks from dmz" \
    connection-mark=!no-mark in-interface=bridge-dmz jump-target=\
    prerouting_markroute
add action=mark-connection chain=prerouting_wan comment="use only gw0 list" \
    connection-mark=no-mark new-connection-mark=to_astral0 src-address-list=\
    wan_only_gw0
add action=mark-connection chain=prerouting_wan comment="use only gw1 list" \
    connection-mark=no-mark new-connection-mark=to_astral1 src-address-list=\
    wan_only_gw1
add action=mark-connection chain=prerouting_wan comment="use prefer gw0 list" \
    connection-mark=no-mark new-connection-mark=to_astral0 src-address-list=\
    wan_failover_prefer_gw0
add action=mark-connection chain=prerouting_wan comment="use prefer gw1 list" \
    connection-mark=no-mark new-connection-mark=to_astral1 src-address-list=\
    wan_failover_prefer_gw1
add action=mark-connection chain=prerouting_wan comment=PCC connection-mark=\
    no-mark new-connection-mark=to_astral0 per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting_wan comment=PCC connection-mark=\
    no-mark new-connection-mark=to_astral1 per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting_markroute comment=\
    "mark packet to_astral0" connection-mark=to_astral0 new-routing-mark=\
    to_astral0
add action=mark-routing chain=prerouting_markroute comment=\
    "mark packet to_astral1" connection-mark=to_astral1 new-routing-mark=\
    to_astral1
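As an added example (not from the thread), a short Python model of the answer's prerouting chain combined with the question's routes and filter rules, used to check the three goals (wan_only, prefer-with-failover, PCC) for the first packet of a new LAN connection. The address lists are constructed, the PCC hash is a simplified stand-in for both-addresses:2/N, and the route lookup assumes the RouterOS v6 behaviour of falling back to the main table when the routing-mark table has no active route.

```python
import ipaddress

GW = {"to_astral0": "bridge-gw0", "to_astral1": "bridge-gw1"}  # connection mark -> provider
LISTS = {  # constructed address lists; list names are the ones used in the thread
    "wan_only_gw0": ["192.168.5.10/32"], "wan_only_gw1": ["192.168.5.11/32"],
    "wan_failover_prefer_gw0": ["192.168.0.0/25"],
    "wan_failover_prefer_gw1": ["192.168.0.128/25"],
}
# prerouting_wan rules in the answer's order (each needs connection-mark=no-mark): first match wins
RULES = [("wan_only_gw0", "to_astral0"), ("wan_only_gw1", "to_astral1"),
         ("wan_failover_prefer_gw0", "to_astral0"), ("wan_failover_prefer_gw1", "to_astral1")]

def in_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in LISTS[name])

def prerouting_wan(src, dst):
    """Chain prerouting_wan: first matching list wins; the rest is split by PCC."""
    for name, mark in RULES:
        if in_list(src, name):
            return mark
    # simplified stand-in for per-connection-classifier=both-addresses:2/0 and 2/1
    # (RouterOS hashes the addresses; here the parity of their sum picks the half)
    half = (int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))) % 2
    return "to_astral%d" % half

def route(routing_mark, gw_up):
    """Marked table first; if check-gateway removed that route, fall back to main
    (RouterOS v6 behaviour): gw0 at distance 1, then gw1 at distance 2."""
    if gw_up[GW[routing_mark]]:
        return GW[routing_mark]
    return next((i for i in ("bridge-gw0", "bridge-gw1") if gw_up[i]), None)

def forward_filter(src, conn_mark, out_if):
    """The question's two filter rules: a wan_only host never leaves via the other provider."""
    if in_list(src, "wan_only_gw1") and conn_mark != "to_astral0" and out_if == "bridge-gw0":
        return "drop"
    if in_list(src, "wan_only_gw0") and conn_mark != "to_astral1" and out_if == "bridge-gw1":
        return "drop"
    return "accept"

def new_connection(src, dst, gw_up):
    """First packet of a new LAN->WAN connection -> (connection mark, egress or 'drop').
    With passthrough=yes the marked packet returns to prerouting, where the
    prerouting_markroute jump sets routing-mark = connection-mark in the same pass."""
    mark = prerouting_wan(src, dst)
    out_if = route(mark, gw_up)
    if out_if is None or forward_filter(src, mark, out_if) == "drop":
        return mark, "drop"
    return mark, out_if
```

Running new_connection with one provider marked down shows the difference between the two list kinds: a prefer host moves to the surviving provider, a wan_only host is dropped.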
