Mikrotik Connection Tracking

From My notepad

Configuring a Mikrotik for multiple internet connections

Consider the following scenario:

Interfaces:
  Interface  Role   Address         Gateway   Note
  ether5     ISP 1  1.1.1.2/30      1.1.1.1   Default connection
  ether4     ISP 2  2.2.2.2/30      2.2.2.1
  ether3     ISP 3  3.3.3.2/30      3.3.3.1
  ether2     ISP 4  4.4.4.2/30      4.4.4.1
  ether1     LAN    10.10.10.1/24

There is a web server at 10.10.10.2 listening on tcp port 80.

We want the router to answer on all WAN interfaces (and forward port 80 to the web server on each of them), as well as NAT LAN traffic out of all WAN interfaces. To accomplish this we use connection marking and route marking: a new connection is marked with the ISP it arrived on, and every reply packet in that connection is then routed back out through the same ISP instead of the default route.

/ip address
add address=1.1.1.2/30 interface=ether5 disabled=no
add address=2.2.2.2/30 interface=ether4 disabled=no
add address=3.3.3.2/30 interface=ether3 disabled=no
add address=4.4.4.2/30 interface=ether2 disabled=no
add address=10.10.10.1/24 interface=ether1 disabled=no

/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 disabled=no
add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=isp1 disabled=no
add dst-address=0.0.0.0/0 gateway=2.2.2.1 routing-mark=isp2 disabled=no
add dst-address=0.0.0.0/0 gateway=3.3.3.1 routing-mark=isp3 disabled=no
add dst-address=0.0.0.0/0 gateway=4.4.4.1 routing-mark=isp4 disabled=no

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=isp1 passthrough=no connection-state=new in-interface=ether5 disabled=no
add chain=prerouting action=mark-connection new-connection-mark=isp2 passthrough=no connection-state=new in-interface=ether4 disabled=no
add chain=prerouting action=mark-connection new-connection-mark=isp3 passthrough=no connection-state=new in-interface=ether3 disabled=no
add chain=prerouting action=mark-connection new-connection-mark=isp4 passthrough=no connection-state=new in-interface=ether2 disabled=no

add chain=prerouting action=mark-routing new-routing-mark=isp1 passthrough=no in-interface=!ether5 connection-mark=isp1 disabled=no
add chain=prerouting action=mark-routing new-routing-mark=isp2 passthrough=no in-interface=!ether4 connection-mark=isp2 disabled=no
add chain=prerouting action=mark-routing new-routing-mark=isp3 passthrough=no in-interface=!ether3 connection-mark=isp3 disabled=no
add chain=prerouting action=mark-routing new-routing-mark=isp4 passthrough=no in-interface=!ether2 connection-mark=isp4 disabled=no

add chain=output action=mark-routing new-routing-mark=isp1 passthrough=no src-address=1.1.1.2/30 connection-mark=isp1 disabled=no
add chain=output action=mark-routing new-routing-mark=isp2 passthrough=no src-address=2.2.2.2/30 connection-mark=isp2 disabled=no
add chain=output action=mark-routing new-routing-mark=isp3 passthrough=no src-address=3.3.3.2/30 connection-mark=isp3 disabled=no
add chain=output action=mark-routing new-routing-mark=isp4 passthrough=no src-address=4.4.4.2/30 connection-mark=isp4 disabled=no

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether5 disabled=no
add chain=srcnat action=masquerade out-interface=ether4 disabled=no
add chain=srcnat action=masquerade out-interface=ether3 disabled=no
add chain=srcnat action=masquerade out-interface=ether2 disabled=no

add chain=dstnat action=dst-nat to-addresses=10.10.10.2 to-ports=80 in-interface=ether5 dst-port=80 protocol=tcp disabled=no
add chain=dstnat action=dst-nat to-addresses=10.10.10.2 to-ports=80 in-interface=ether4 dst-port=80 protocol=tcp disabled=no
add chain=dstnat action=dst-nat to-addresses=10.10.10.2 to-ports=80 in-interface=ether3 dst-port=80 protocol=tcp disabled=no
add chain=dstnat action=dst-nat to-addresses=10.10.10.2 to-ports=80 in-interface=ether2 dst-port=80 protocol=tcp disabled=no

You can provide connection failover by supplying

Multiple connection tracking template

Replace the following placeholders with the proper values:

specific-route-mark    the connection/routing mark for this ISP (e.g. isp1)
specific-interface     the WAN interface for this ISP (e.g. ether5)
1.1.1.1/30             the router's own address on that ISP's link

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=specific-route-mark passthrough=no connection-state=new in-interface=specific-interface disabled=no
add chain=prerouting action=mark-routing new-routing-mark=specific-route-mark passthrough=no in-interface=!specific-interface connection-mark=specific-route-mark disabled=no
add chain=output action=mark-routing new-routing-mark=specific-route-mark passthrough=no src-address=1.1.1.1/30 connection-mark=specific-route-mark disabled=no

Make sure you add the corresponding routing table entries: an /ip route default route whose routing-mark matches the mark used in the mangle rules.
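The full four-ISP configuration above and the per-ISP template are the same three mangle rules, a route, and two NAT rules repeated per link. The following added example (not from the original page) generates that rule set from an ISP table, validating every address with Python's ipaddress module so that a typo such as 4.4.4.4.2/30 or a gateway off the link is rejected before anything is pasted into the router. The Isp class, render() function and ISPS table are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Isp:
    mark: str     # connection/routing mark, e.g. "isp1"
    iface: str    # WAN interface, e.g. "ether5"
    address: str  # router's own address on the link, e.g. "1.1.1.2/30"
    gateway: str  # ISP gateway on that link, e.g. "1.1.1.1"

def render(isps, default, server="10.10.10.2", port=80):
    """Return the RouterOS command lines for the given ISP list."""
    if default not in {i.mark for i in isps}:
        raise ValueError(f"default {default!r} is not a configured ISP")
    for i in isps:
        link = ipaddress.ip_interface(i.address)  # rejects e.g. 4.4.4.4.2/30
        if ipaddress.ip_address(i.gateway) not in link.network:
            raise ValueError(f"{i.mark}: gateway {i.gateway} not on {link.network}")
    gw = {i.mark: i.gateway for i in isps}
    out = ["/ip address"]
    out += [f"add address={i.address} interface={i.iface}" for i in isps]
    out.append("/ip route")
    out.append(f"add dst-address=0.0.0.0/0 gateway={gw[default]}")  # unmarked default
    out += [f"add dst-address=0.0.0.0/0 gateway={i.gateway} routing-mark={i.mark}" for i in isps]
    out.append("/ip firewall mangle")
    # 1) the first packet of a connection arriving on a WAN link gets that link's mark
    out += [f"add chain=prerouting action=mark-connection new-connection-mark={i.mark} "
            f"passthrough=no connection-state=new in-interface={i.iface}" for i in isps]
    # 2) replies from the LAN (any other in-interface) are routed back via the same link
    out += [f"add chain=prerouting action=mark-routing new-routing-mark={i.mark} "
            f"passthrough=no in-interface=!{i.iface} connection-mark={i.mark}" for i in isps]
    # 3) replies the router itself sends from that link's own address go the same way
    out += [f"add chain=output action=mark-routing new-routing-mark={i.mark} "
            f"passthrough=no src-address={i.address} connection-mark={i.mark}" for i in isps]
    out.append("/ip firewall nat")
    out += [f"add chain=srcnat action=masquerade out-interface={i.iface}" for i in isps]
    out += [f"add chain=dstnat action=dst-nat to-addresses={server} to-ports={port} "
            f"in-interface={i.iface} dst-port={port} protocol=tcp" for i in isps]
    return out

# Constructed input: the four ISPs from the scenario above.
ISPS = [Isp("isp1", "ether5", "1.1.1.2/30", "1.1.1.1"),
        Isp("isp2", "ether4", "2.2.2.2/30", "2.2.2.1"),
        Isp("isp3", "ether3", "3.3.3.2/30", "3.3.3.1"),
        Isp("isp4", "ether2", "4.4.4.2/30", "4.4.4.1")]

if __name__ == "__main__":
    print("\n".join(render(ISPS, "isp1")))
```

The emitted lines omit disabled=no, which is the RouterOS default; compare the output against the hand-written rules above before importing it.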
