Mikrotik Policy Routing Based on Client IP Address
The complete script is as follows. The basic idea is taken from http://wiki.mikrotik.com/wiki/Load_Balancing_over_Multiple_Gateways, and I also took help from the blog of Syed Jahanzeb. It's a very nice GUI-based tutorial to follow to achieve some advanced subnet-based LB.
To accomplish this task, the simple logic is …
STEP#1: First we create the ADDRESS-LISTs and add our users to them.
STEP#2: Then we add two IP Firewall Mangle rules to mark the packets originating from user1 and user2.
STEP#3: Then we specify two default routes (destination 0.0.0.0/0) with the appropriate routing marks and gateways.
STEP#4: Finally, we simply add one NAT rule for the local IP series with action masquerade.
# NOTE: WAN1/WAN2 are listed here with the same IPs that /ip route uses as gateways;
# on a real router each WAN interface needs its own address in that subnet.
/ip address
add address=192.168.20.1/24 disabled=no interface=LAN network=192.168.20.0
add address=192.168.2.1/24 disabled=no interface=WAN1 network=192.168.2.0
add address=192.168.0.1/24 disabled=no interface=WAN2 network=192.168.0.0
# STEP#1: one address list per uplink
/ip firewall address-list
add address=192.168.20.6 disabled=no list=DSL1_USERS_LIST
add address=192.168.20.16 disabled=no list=DSL2_USERS_LIST
# STEP#2: mark routing by source address list
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan1_user passthrough=no src-address-list=DSL1_USERS_LIST
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan2_user passthrough=no src-address-list=DSL2_USERS_LIST
# STEP#3: one default route per routing mark
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=wan1_user scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=wan2_user scope=30 target-scope=10
# STEP#4: masquerade the LAN subnet
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=192.168.20.0/24
Testing
Test the setup by tracing the route to some web address on the Internet.
Go to user1, whose IP address is 192.168.20.6, and run tracert to any web site, for example yahoo.com (206.190.36.45). If you are only testing (considering you don't have access to a DNS server), trace the IP address directly:
tracert -d 206.190.36.45
Results
=======================================
TESTING FROM DSL1_USERS_LIST = 192.168.20.6
=======================================
C:\Windows\system32>tracert -d 173.194.117.99
Tracing route to 173.194.117.99 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.20.1
2 1 ms <1 ms <1 ms 192.168.2.1
3 110 ms 109 ms 108 ms 173.194.117.99
Trace complete.
=======================================
TESTING FROM DSL2_USERS_LIST = 192.168.20.16
=======================================
C:\Windows\system32>tracert -d 173.194.117.99
Tracing route to 173.194.117.99 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.20.1
2 <1 ms <1 ms <1 ms 192.168.0.1
3 1 ms <1 ms <1 ms 10.10.20.1
4 1 ms 1 ms 3 ms 192.168.12.1
5 6 ms 5 ms 3 ms 39.42.192.1
6 3 ms 4 ms 12 ms 10.0.3.226
7 5 ms 5 ms 15 ms 10.0.3.89
8 23 ms 24 ms 24 ms 10.2.1.10
9 26 ms 25 ms 25 ms 182.184.23.29
10 32 ms 32 ms 30 ms 221.120.251.21
11 37 ms 37 ms 35 ms 202.125.128.170
12 * * * Request timed out.
13 111 ms 111 ms 111 ms 209.85.245.95
14 114 ms 111 ms 112 ms 209.85.244.111
15 113 ms 113 ms 111 ms 173.194.117.99
Trace complete.
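The manual check from the Testing section can be automated. The following is an added example, not part of the original post: it parses `tracert -d` output and confirms that hop 2 is the gateway assigned to the client's address list. The function names and the constructed failure trace are assumptions made for illustration.

```python
import re

# Client -> expected next hop after the MikroTik, from the address lists and /ip route above.
EXPECTED_GATEWAY = {"192.168.20.6": "192.168.2.1", "192.168.20.16": "192.168.0.1"}
LAN_ROUTER = "192.168.20.1"

# Hop line: hop number, three RTT columns ("<1 ms", "12 ms" or "*"), then an IP or a message.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+\s+ms|\*)\s+){3}(.+?)\s*$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_tracert(text):
    """Return {hop_number: ip or None} from `tracert -d` output; None marks a timed-out hop."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = m.group(2) if IP_RE.match(m.group(2)) else None
    return hops

def check_egress(client_ip, tracert_text):
    """Return (ok, reason): hop 1 must be the router, hop 2 the gateway assigned to the client."""
    expected = EXPECTED_GATEWAY.get(client_ip)
    if expected is None:
        return (False, "client is in no address list")
    hops = parse_tracert(tracert_text)
    if hops.get(1) != LAN_ROUTER:
        return (False, f"hop 1 is {hops.get(1)}, expected {LAN_ROUTER}")
    if hops.get(2) != expected:
        return (False, f"hop 2 is {hops.get(2)}, expected {expected}")
    return (True, f"egress via {expected}")

# First hops of the two traces shown above (truncated), plus one constructed failure case.
TRACE_USER1 = """Tracing route to 173.194.117.99 over a maximum of 30 hops
  1 <1 ms <1 ms <1 ms 192.168.20.1
  2 1 ms <1 ms <1 ms 192.168.2.1
  3 110 ms 109 ms 108 ms 173.194.117.99
Trace complete."""
TRACE_USER2 = """  1 <1 ms <1 ms <1 ms 192.168.20.1
  2 <1 ms <1 ms <1 ms 192.168.0.1
 12 * * * Request timed out."""
TRACE_LEAK = TRACE_USER1.replace("192.168.2.1", "192.168.0.1")  # constructed: wrong uplink

if __name__ == "__main__":
    for ip, trace in [("192.168.20.6", TRACE_USER1), ("192.168.20.16", TRACE_USER2),
                      ("192.168.20.6", TRACE_LEAK)]:
        print(ip, check_egress(ip, trace))
```

Run it against saved tracert output from each client after any change to the mangle rules or routes. A mismatch at hop 2 means the client is leaving through an uplink other than the one its address list is supposed to select.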