Master MikroTik Policy Routing - Rules or Marks?
HTML-код
- Опубликовано: 6 фев 2025
- #PolicyBasedRouting #mikrotik #mikrotikrouter
In this video, we dive deep into Policy-Based Routing (PBR) and how you can use it to control traffic flow on your network.
We cover three key topics:
What is Policy-Based Routing? - A clear explanation of PBR and how it can improve traffic management.
Routing Rules - Learn how to define and apply specific routing rules for different types of traffic.
Routing Marks with Mangle - A step-by-step lab showing how to use Mangle in MikroTik to set routing marks and control traffic effectively.
I’ve also included a live demo to show these concepts in action and walk you through the lab setup. Whether you're new to MikroTik or looking to enhance your network's traffic management, this video has you covered!
Make sure to like, subscribe, and leave your questions or thoughts in the comments!
Check more videos on my channel
/ @thenetworktrip
Connect with Wilmer Almazan
LinkedIN: / wilmeralmazan
Facebook: / nsswilmeralmazan
Twitter: / wilmer_almazan
Instagram: / wilmer_almazan
Personal Blog: thenetworktrip...
mikrotik
routeros 7
ospf
mtcna
mtcre
cybersecurity
routing
cloud computing
virtualization
switching
network automation
Have you tried Policy-Based Routing before? Share your experience or questions below!
Woow Wilmer, this is exactly the video and the explanation I was looking for! Very clear indeed. What I like the most about your videos is that you go into the details of a setup, and that you explain why you should choose one option over another. Thank you
Glad it was helpful!
Thanks for the video and the perfect explanation
As always thank you very very much Mr. Wilmer..!
Thank you for your support! 👍🏻
Valuable information. Thank you very much for your time
Thank you! It’s a pleasure
The emphasis on not mistakenly forcing private traffic out the routing rule is very important. I would add that its important to emphasize that one has to consider the traffic ORIGINATING from the subnet you are capturing, but also ANY RETURN TRAFFIC going back to other local private IP addresses. Minor change is that I would use lookup-only-in-table for local traffic rules.
One cute trick is the following entry which basically says any local traffic allow, and thus only one rule required.
add min-prefix=0 action=lookup-only-in-table table=main
If you want to get deep into using routing rules and wireguard be advised, the action parameter is meaningless because the router has no idea if the wireguard interface is up or down, unlike most of the other interfaces and so netwatch of some sort is probably required.
Great suggestion and good point, the min-prefix=0 will basically suppress the default route from that decision. 👌
If activate the load balance using pcc and add fasttrack, the loadbalance work normally?
Hello,
When using FastTrack, you must configure routing rules, as PCC (Per Connection Classifier) will not function in this setup.
"Mas claro, echale agua" as we say the latinamericans!!!! Thanks again Wilmer!!!!!
You bet!
I loved it!
Thank you so much!
@TheNetworkTrip great tutorial, thank you so much sir! ❤
Exactly what I looking for. Glad to find your channel.🔥
Did subscribe.
Very informative & Detailed video on topic.
Could you please create a new video for dual ISP load balancing using different mangle rules like PCC and discuss every points regarding all options available to differentiate traffic (src address, src & dst address, src address & port, src address & port && dst address & port)
it will be really helpful if you can teach us mark packet & mark routing with real world scenarios.
Hello!
It’s on my to-do list. Thanks for the suggestion.
Thanks for the insight
Glad it was helpful!
Good 👍
Typically one uses mark-connections to identify complex traffic needing routing and then routing marks to determine the route/table used. As you indicated, granularity is achieved by using mark-connections first or to identify other traffic one does not want to route but do something with. Its also more efficient in terms of traffic processing (CPU) in the granular need scenaro. By the way, when mangling traffic TO THE ROUTER ( aka for vpns), one can actually also use the output chain (more accurate) for marking routes vice prerouting.
Correct! The output chain will be for traffic "from the router" instead of "to the router"
🎉🎉🎉🎉thank you .
Welcome!!
nice video, thanks !!!!!
Glad you liked it!
What is the impact (at performance level) of use routing mark as a single mangle rule than marking connections and after that mark-routing of only connections marked before? Other scenario can be mark-connection --> mark-packets ---> mark-routing. What is the best procedure, upon your expertise?
Hello! For this specific scenario, the performance is pretty similar.
Extraño los videos en Español estimado Wilmer!
Hola!
Se vienen pronto, ya hay varios en edición. Saludos
Thanks sir
All the best!
i my case, when I connect my Mikrotic router to my home ISP router.
After I have followed your lab Routing instruction, with regard to the routing rules. My computer, sitting on one port inside the mikrotik Router Bridge, can not communicate with other IP inside my ISP router local LAN, but only the IP that is set on the Ether port 1. Am i missing some setting(config) on the Mikrotik hAP ac router ?
Hello!
The entries keeping in the main table your local networks should be missing something. Please make sure all your local networks are in the main table.
if i have output are vlan's in this case on new policy routing rule i can add them on interface and ignore src addres
does it work like that
Hello!
If you are referring to traffic leaving through VLAN interfaces, it won’t match these rules because that occurs after the routing process. You need to identify the traffic before it reaches the routing process, which is when it gets evaluated.
If you are referring to the output chain (traffic generated by the router itself), yes, we can use the same methods I demonstrated in the video.
How did you add ISP1 and ISP2 to GNS3? ISP1 has the tap0 interface. After the trace command, both ISPs output the address 192.168.100.254. How is it configured?
Hello! This is a simulation. The uplink router has 10.40.x.x and 10.50.x.x, that’s why the rest of the trace will look similar.
I Have Questions
how i can routing web url only in my router
hi can i intergrate PBR to ospf?
I have accomplished a similar effect with 2 ISPs just by creating separate src-nat rules. Besides the amount of rules needed, has this approach any advantage?
Hello!
That approach won’t work effectively unless you have different default routes set up in the routing table. The router needs to know not only where to forward the traffic but also which traffic to route through which ISP. srcnat happens after the routing decision
Nice question and contribution. N thanks Wilmer for the reply .
I added a comment, probably it gone into spam for adding link into it.
on mikrotik fourm viewtopic id 211706
routing policy rule not working as it should
Hello!
I checked the forum, if you are marking traffic coming from hotspot connections, make sure to do it just for the authenticated traffic (hotspot=auth)
@@TheNetworkTrip did you check the full code uploaded in that forum reply?
The problem is:
if i mark-route with src-address to new-mark-route it goes through routing policy rule
if i mark-route with hotspot user's packet-mark to new-mark-route it does not go through routing policy rule
this is the problem. could you explain a bit?
@@TheNetworkTrip As I ran more test on it, It seems bug in RouterOs, I reported as bug, but did not hear from support yet.
I’ll take a look at it
@@TheNetworkTrip i my case, when I connect my Mikrotic router to my home ISP router.
After I have followed your lab Routing instruction, with regard to the routing rules. My computer, sitting on one port inside the mikrotik Router Bridge, can not communicate with other IP inside my ISP router local LAN, but only the IP that is set on the Ether port 1. Am i missing some setting(config) on the Mikrotik hAP ac router ?