MIKROTIK POLICY ROUTING BASED ON CLIENT IP ADDRESS

~!!!~ Article By Syed Jahanzaib ~!!!~

 

Recently at a local cable network setup, I was asked by the admin to add an extra DSL line just for some specific users (VIP users who pay some extra money for better speed, as the current single DSL line is getting congested by the over-subscribed users). He wanted to manage all users via a single Mikrotik box.
I accomplished this task by adding the 2nd DSL line to the Mikrotik box with a few rules, and Alhamdolillah it worked fine :). I am sharing just the basic logic; you can take this idea and modify it according to your requirements, or mix this logic with a hotspot- or PPPoE-based setup. In this example, each user's MAC and IP were bound together.

Let us assume that we have 2 Users lists.

DSL1_USERS_LIST = 192.168.2.6
DSL2_USERS_LIST = 192.168.2.7

DSL1 Router IP = 192.168.5.2
DSL2 Router IP = 192.168.6.2

And we want that, depending on the source IP address, Mikrotik sends the traffic out through DSL-1 or DSL-2.

To accomplish this task, the simple logic is:
STEP#1: First we create an ADDRESS-LIST for each DSL line and add our users to it.
STEP#2: Then we add two IP Firewall Mangle rules that apply a routing mark to packets originating from user 1 and user 2.
STEP#3: Then we specify two default routes (destination 0.0.0.0/0) with the appropriate routing marks and gateways.
STEP#4: Then simply add one NAT rule for the local IP range with action masquerade.

The complete script is as follows. The basic idea is taken from http://wiki.mikrotik.com/wiki/Load_Balancing_over_Multiple_Gateways; it is a very nice GUI-based tutorial to follow for more advanced subnet-based load balancing.

/ip address
add address=192.168.2.1/24 disabled=no interface=LAN network=192.168.2.0
add address=192.168.5.1/24 disabled=no interface=WAN1 network=192.168.5.0
add address=192.168.6.1/24 disabled=no interface=WAN2 network=192.168.6.0
 
/ip firewall address-list
add address=192.168.2.6 disabled=no list=DSL1_USERS_LIST
add address=192.168.2.7 disabled=no list=DSL2_USERS_LIST
 
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan1_user passthrough=no src-address-list=DSL1_USERS_LIST
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan2_user passthrough=no src-address-list=DSL2_USERS_LIST
 
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.2 routing-mark=wan1_user scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.6.2 routing-mark=wan2_user scope=30 target-scope=10
 
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=192.168.2.0/24
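
The following is an added example, not part of the original post or of RouterOS: a small Python model of the four steps above that generates the same address-list / mangle / route / NAT lines for any number of DSL lines, and a lookup that mirrors how the router decides the egress gateway for a given source IP (first matching list wins because passthrough=no stops further marking). The uplink names, marks and user entries are the constructed values from this post; the model is simplified and assumes the main table holds only the connected routes shown, so a LAN host that is in no list gets no default route.

```python
import ipaddress

# Constructed from the two uplinks in the post; append entries for more DSL lines.
UPLINKS = [
    {"list": "DSL1_USERS_LIST", "mark": "wan1_user", "gateway": "192.168.5.2",
     "distance": 1, "users": ["192.168.2.6"]},
    {"list": "DSL2_USERS_LIST", "mark": "wan2_user", "gateway": "192.168.6.2",
     "distance": 2, "users": ["192.168.2.7"]},
]
LAN = "192.168.2.0/24"


def build_script(uplinks, lan=LAN):
    """Emit RouterOS CLI lines: address lists, mark-routing rules, marked default routes, NAT."""
    out = ["/ip firewall address-list"]
    for u in uplinks:
        for entry in u["users"]:          # entries may be single hosts or subnets
            out.append(f"add address={entry} list={u['list']}")
    out.append("/ip firewall mangle")
    for u in uplinks:
        out.append(f"add action=mark-routing chain=prerouting new-routing-mark={u['mark']} "
                   f"passthrough=no src-address-list={u['list']}")
    out.append("/ip route")
    for u in uplinks:
        out.append(f"add dst-address=0.0.0.0/0 gateway={u['gateway']} "
                   f"routing-mark={u['mark']} distance={u['distance']}")
    out.append("/ip firewall nat")
    out.append(f"add action=masquerade chain=srcnat src-address={lan}")
    return "\n".join(out)


def egress_gateway(uplinks, src_ip, lan=LAN):
    """Simplified model of the router's decision for a packet from src_ip.

    The first mangle rule whose list contains the source sets the routing mark
    (passthrough=no ends marking), and the mark selects the marked default route.
    Returns None for sources outside the LAN or in no list: the post's config has
    no unmarked 0.0.0.0/0 route, so such hosts have no default gateway.
    """
    ip = ipaddress.ip_address(src_ip)
    if ip not in ipaddress.ip_network(lan):
        return None
    for u in uplinks:
        if any(ip in ipaddress.ip_network(e, strict=False) for e in u["users"]):
            return u["gateway"]
    return None


if __name__ == "__main__":
    print(build_script(UPLINKS))
    for host in ("192.168.2.6", "192.168.2.7", "192.168.2.8"):
        print(host, "->", egress_gateway(UPLINKS, host))
```

Running it prints the generated script and shows 192.168.2.8 mapping to None, which is the case to check before giving the list-less users a plain default route.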

TESTING

 

Test the setup by tracing the route to some web address on the Internet.
Go to user 1, whose IP address is 192.168.2.6, and run tracert to any web site, for example yahoo.com. If you are only testing and do not have access to a DNS server, trace to an IP address directly:

tracert -d 8.8.8.8

 

RESULTS

 
=======================================
TESTING FROM DSL1_USERS_LIST = 192.168.2.6
=======================================

 

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1

C:\Documents and Settings\zaib>tracert yahoo.com

Tracing route to yahoo.com [209.191.122.70]
over a maximum of 30 hops

1     <1 ms     <1 ms     2 ms  192.168.2.1
2      2 ms      2 ms     3 ms  192.168.5.2
.
.

=======================================
TESTING FROM DSL2_USERS_LIST = 192.168.2.7
=======================================

 

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.7
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1

C:\Documents and Settings\zaib>tracert yahoo.com

Tracing route to yahoo.com [209.191.122.70]
over a maximum of 30 hops

1     <1 ms     <1 ms     2 ms  192.168.2.1
2      2 ms      2 ms     3 ms  192.168.6.2
.
.
