In this lab, I will show how to use Mikrotik routing marks to distribute packets across three internet links connected to a Mikrotik router. If you have multiple internet connections to a Mikrotik router from one or more ISPs, and you do not fancy the option of load-balancing across these links, then an option open to you is to use Mikrotik routing marks to distribute packets across these ISP links.
Mikrotik routing mark allows an administrator to mark packets based on predefined attributes and set gateways. Routing mark is to Mikrotik what route-map is to Cisco. With Mikrotik routing mark, a network administrator can classify packets into groups based on source/destination IP addresses or other attributes and set different gateways for the groups. With this, users who match the criteria set for a particular group will have their internet-bound traffic routed out an ISP connection through the gateway set for that group.
Mikrotik routing mark can be implemented using the mangle rule feature in the firewall sub-menu in RouterOS. To mark routing, you first mark users' connections, then packets, then routing. The routing marks are then selected and given gateways in the route sub-menu.
IP address configuration
/ip address
add address=126.96.36.199/30 interface=ether1 comment=ISP1_link
add address=188.8.131.52/30 interface=ether2 comment=ISP2_link
add address=184.108.40.206/30 interface=ether3 comment=ISP2_link
add address=192.168.10.1/24 interface=ether4 comment=Sales_LAN
add address=192.168.20.1/24 interface=ether5 comment=HR_LAN
add address=192.168.30.1/24 interface=ether6 comment=Finance_LAN
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masquerade
To mark connections, packets and routing for sales, enter the commands below. Note that the connection mark is used to mark the packets, and the packet mark is, in turn, used to mark the routes.
Mikrotik routing mark configuration
Since I have three LANs configured for this lab (sales, HR, and finance), I will use mangle rules to mark the connections, packets, and routing for each of them in turn, starting with sales.
Routing mark for sales
ip firewall mangle
add chain=prerouting src-address=192.168.10.0/24 action=mark-connection new-connection-mark=sales_conn
add chain=prerouting connection-mark=sales_conn action=mark-packet new-packet-mark=sales_packets
add chain=prerouting packet-mark=sales_packets action=mark-routing new-routing-mark=sales_route
Routing mark for HR
ip firewall mangle
add chain=prerouting src-address=192.168.20.0/24 action=mark-connection new-connection-mark=HR_conn
add chain=prerouting connection-mark=HR_conn action=mark-packet new-packet-mark=HR_packets
add chain=prerouting packet-mark=HR_packets action=mark-routing new-routing-mark=HR_route
Routing mark for Finance
ip firewall mangle
add chain=prerouting src-address=192.168.30.0/24 action=mark-connection new-connection-mark=finance_conn
add chain=prerouting connection-mark=finance_conn action=mark-packet new-packet-mark=finance_packets
add chain=prerouting packet-mark=finance_packets action=mark-routing new-routing-mark=finance_route
Having marked the routes, we will use the route sub-menu to set a different gateway for each of our LANs. See the commands below.
Setting a gateway for each LAN
/ip route
add dst-address=0.0.0.0/0 routing-mark=sales_route gateway=220.127.116.11
add dst-address=0.0.0.0/0 routing-mark=HR_route gateway=18.104.22.168
add dst-address=0.0.0.0/0 routing-mark=finance_route gateway=22.214.171.124
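A way to check the chain just configured, as an added example rather than code from this lab: the Python sketch below parses mangle and route lines in the format used above and follows each source subnet through connection mark, packet mark and routing mark to its gateway. The sample rules and gateway addresses are constructed, with a deliberate typo in the HR packet mark; the function names are this example's own.

```python
import shlex

# Constructed sample in the lab's command format. Gateways are documentation-range
# placeholders, not the lab's values. The HR mark-packet rule contains a deliberate
# typo (HR_packet instead of HR_packets) to show how a broken chain is reported.
SAMPLE = """\
add chain=prerouting src-address=192.168.10.0/24 action=mark-connection new-connection-mark=sales_conn
add chain=prerouting connection-mark=sales_conn action=mark-packet new-packet-mark=sales_packets
add chain=prerouting packet-mark=sales_packets action=mark-routing new-routing-mark=sales_route
add chain=prerouting src-address=192.168.20.0/24 action=mark-connection new-connection-mark=HR_conn
add chain=prerouting connection-mark=HR_conn action=mark-packet new-packet-mark=HR_packet
add chain=prerouting packet-mark=HR_packets action=mark-routing new-routing-mark=HR_route
add dst-address=0.0.0.0/0 routing-mark=sales_route gateway=203.0.113.1
add dst-address=0.0.0.0/0 routing-mark=HR_route gateway=198.51.100.1
"""

def parse(text):
    """Turn each 'add key=value ...' line into a dict of its parameters."""
    rules = []
    for line in text.splitlines():
        words = shlex.split(line)
        if words and words[0] == "add":
            rules.append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return rules

def trace(rules):
    """Map each marked source subnet to its gateway, or to the point where the chain breaks."""
    def by_action(name):
        return [r for r in rules if r.get("action") == name]
    pkt_of = {r["connection-mark"]: r["new-packet-mark"] for r in by_action("mark-packet")}
    route_of = {r["packet-mark"]: r["new-routing-mark"] for r in by_action("mark-routing")}
    # Route entries have no 'action' key; mangle rules always do.
    gw_of = {r["routing-mark"]: r["gateway"] for r in rules
             if "action" not in r and "routing-mark" in r and "gateway" in r}
    result = {}
    for r in by_action("mark-connection"):
        src, mark = r["src-address"], r["new-connection-mark"]
        for step, table in (("packet mark", pkt_of), ("routing mark", route_of), ("route", gw_of)):
            if mark not in table:
                result[src] = f"BROKEN: no {step} for '{mark}'"
                break
            mark = table[mark]  # follow the chain one step further
        else:
            result[src] = mark  # after the last step this is the gateway
    return result

if __name__ == "__main__":
    for src, outcome in trace(parse(SAMPLE)).items():
        print(f"{src:18} -> {outcome}")
```

A subnet reported as BROKEN never receives its routing mark, so its traffic is routed by the main table rather than through the intended gateway.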
To read more on mangle rules, see Mikrotik's official documentation.