jo2jo
Forum Veteran
Topic Author
Posts: 970
Joined: Fri May 26, 2006 1:25 am

/ip route rules and mangle load balancing issues

Mon May 28, 2018 12:50 am

We have been trying to streamline the load balancing on some MTs we inherited, however on some
/ip route rules were manually added and we would like to remove them (but are having issues removing).

There are 2x internet uplinks, of equal speed, both with Pub IPs. All local clients are on 192.168.40.0/23

(relevant config exports):
/ip route
add distance=1 gateway=48.22.41.45
add distance=1 gateway=27.2.25.17 routing-mark=isp2-secondary
add distance=1 gateway=48.22.41.45 routing-mark=isp1-primary

/ip route rule
add dst-address=192.168.0.0/16 table=main
add routing-mark=isp2-secondary table=isp2-secondary

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-mainISP
add action=masquerade chain=srcnat out-interface=ether2-2ndISP

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local new-connection-mark=conn-main passthrough=yes per-connection-classifier=both-addresses:2/0 src-address-list=use_balance
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local new-connection-mark=conn-secondary passthrough=yes per-connection-classifier=both-addresses:2/1 src-address-list=use_balance

add action=mark-routing chain=prerouting connection-mark=conn-main new-routing-mark=isp1-primary passthrough=no
add action=mark-routing chain=prerouting connection-mark=conn-secondary new-routing-mark=isp2-secondary passthrough=no

When I disable /ip route rule dst-address=192.168.0.0/16 table=main, all traffic slows/stops (as I assume the router stops being able to route to 192.168.40.0/23 local clients). Re-enabling it, traffic picks right back up.

My issue / question is:
1- How do I get rid of this routing rule? (I don't want any /ip route rules entries)

2- Any ideas as to why they were there/used in the first place, as proper mangle rules were already in place for load balancing?

(Again, these are on MTs we recently inherited, so we are trying to optimize/standardize their configs.)
thanks
 
sindy
Forum Guru
Posts: 4236
Joined: Mon Dec 04, 2017 9:19 pm

Re: /ip route rules and mangle load balancing issues

Mon May 28, 2018 10:19 am

1- How do I get rid of this routing rule? (I don't want any /ip route rules entries)
By providing their functionality using some other means.

2- Any ideas as to why they were there/used in the first place, as proper mangle rules were already in place for load balancing?
The second rule in my opinion is totally useless, as routing-mark and routing table name are the same thing so translating one to the other is effectively a NOP. Maybe it was not always like that, but I assume you have upgraded the machines to at least 6.40.8? So disabling that second routing rule should have no effect at all. First disable it and if the load balancing continues to work (you should see that by WAN interface traffic), delete it. But as said, if you run a contemporary version, there should be no issue.

The first rule is one of the possible ways to make packets for LAN destinations be delivered while routing-marking controlled by connection-marking is in use. The current marking rules assign routing-marks also to packets received via WAN, which makes the routing choose one of the user-defined routing tables and both of these contain only the default route, so these packets are sent back out via the WAN.

There are many other ways to solve this:
  • you can add routes with dst-address=192.168.0.0/16 and gateway=your-LAN-interface-name to both user-defined routing tables
  • you can add a mangle rule action=accept dst-address=192.168.0.0/16 right before the first action=mark-routing one in mangle
  • you can add src-interface=your-LAN-interface-name to both action=mark-routing rules' condition lists
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
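
Added illustration of the reply above (not code from either poster): a simplified Python model of the routing lookup, showing where a WAN reply to a LAN client goes with the route rule disabled, with it enabled, and with two of the suggested alternatives. The gateways and table names come from the posted export; the LAN interface name, the client address and the fall-back-to-main behaviour as modelled here are assumptions.

```python
import ipaddress

LAN_IF = "bridge-lan"  # hypothetical LAN interface name, not from the thread

def build_tables(lan_route_in_marked_tables=False):
    """Routing tables from the posted export, plus the connected LAN route."""
    tables = {
        "main": [("192.168.40.0/23", LAN_IF), ("0.0.0.0/0", "48.22.41.45")],
        "isp1-primary": [("0.0.0.0/0", "48.22.41.45")],
        "isp2-secondary": [("0.0.0.0/0", "27.2.25.17")],
    }
    if lan_route_in_marked_tables:  # first alternative from the reply
        for name in ("isp1-primary", "isp2-secondary"):
            tables[name].append(("192.168.0.0/16", LAN_IF))
    return tables

def lookup(tables, rules, dst, routing_mark=None):
    """Return the gateway/interface chosen for dst (simplified model)."""
    addr = ipaddress.ip_address(dst)
    table = routing_mark or "main"
    for rule_dst, rule_table in rules:  # first matching route rule wins
        if addr in ipaddress.ip_network(rule_dst):
            table = rule_table
            break
    for name in (table, "main"):  # unresolved lookups fall back to main
        hits = [(ipaddress.ip_network(p), gw) for p, gw in tables[name]
                if addr in ipaddress.ip_network(p)]
        if hits:  # longest prefix match within the table
            return max(hits, key=lambda h: h[0].prefixlen)[1]
    return None

def scenarios(client="192.168.40.10"):  # constructed client address
    """Next hop for a WAN reply to a LAN client on a conn-secondary connection."""
    rule = [("192.168.0.0/16", "main")]
    return {
        "rule_disabled": lookup(build_tables(), [], client, "isp2-secondary"),
        "rule_enabled": lookup(build_tables(), rule, client, "isp2-secondary"),
        "lan_route_added": lookup(build_tables(True), [], client, "isp2-secondary"),
        "reply_not_marked": lookup(build_tables(), [], client, None),
    }

if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:18} -> {hop}")
```

The "reply_not_marked" case stands for both remaining alternatives, since accepting LAN-bound packets before mark-routing and restricting mark-routing to packets arriving from the LAN each leave the reply without a routing mark.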
