[Policy Based Route 2] Mapping Paths with Mangle
This article is a continuation of the previous article. In the previous article, we discussed “Mapping Paths with Route Rules”, so in this article we will discuss mapping paths with Mangle.
Mangle is one of the features found in the firewall menu. Its function is to mark connections or data packets that pass through the router, enter the router, or leave the router.

In yesterday’s case, we can map LAN-A connections using ISP-A and LAN-B using ISP-B using Routing Mark, but if we want a more specific configuration, such as mapping Browsing connections (HTTP, HTTPS) through ISP-A and FTP and E-mail connections through ISP-B, then we can use additional configuration with Mangle – Routing Mark.
The topology is more or less the same as last week's; only, in this case, we will map the Browsing (HTTP, HTTPS), FTP and E-mail connections.
Configuration
We need to do a “basic-config” on the router so that the router can connect to the internet. The basic configuration is more or less the same as in the previous article, which you can find on the following page: [Policy Based Route 1] Mapping Paths with Route Rules.
Before mapping, we can group the Wlan1 and Wlan2 interfaces under the name “LAN” using the “Interface List” feature.

After successfully doing the basic configuration and grouping the LAN interfaces, the next step is to mark the browsing packets (HTTP, HTTPS) to use ISP-A and FTP and E-mail to use ISP-B.
The Mangle feature can be found in the menu IP >> Firewall >> Mangle. We can define the ports and protocols used, namely the HTTP, HTTPS, FTP and E-mail ports.

Perform the same steps for FTP and E-mail connections, so that in Firewall Mangle we have 2 Mangle rules with Routing Mark “Browsing” and “FTP – Email”.
/ip firewall mangle
# Mark web traffic (TCP 80, 443) entering from the LAN interface list
add action=mark-routing chain=prerouting comment=Browsing dst-port=80,443 \
    in-interface-list=LAN new-routing-mark=Browsing passthrough=no protocol=tcp
# Mark FTP and e-mail traffic entering from the LAN interface list
add action=mark-routing chain=prerouting comment="FTP and E-mail" dst-port=20,21,143,993,110,995,25,426 \
    in-interface-list=LAN new-routing-mark=FTP-EMail passthrough=no protocol=tcp
After marking the packets using Mangle, the next step is to specify that Browsing packets (HTTP, HTTPS) use ISP-1 while FTP and E-mail connections use ISP-2, in the “Routing Mark” parameter of each Default Route.

Perform the same steps for the FTP and E-mail connections, so that we have two Default Routes with the FTP-Email and Browsing Routing Marks.

Testing Phase
- Browsing Test: With the above configuration, the following results are obtained when the client is browsing and opening the Youtube.com (HTTPS) page:

- Email Test: To test e-mail, we can monitor with the Torch tool to see whether the path used is the intended one. The following results are obtained:

With the above configuration, we can map connections based on the port and protocol used. But the above configuration is still incomplete: when the client wants to make another kind of connection, for example PING (ICMP), the client cannot PING because we did not define ICMP connections in Mangle.
As a solution for connections other than HTTP, HTTPS, FTP and E-MAIL, a “Default Route” is created with the destination 0.0.0.0/0 and using the ISP-1 gateway. That way, traffic other than what is defined in Mangle will be passed through ISP-1.
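The two marked Default Routes and the unmarked fallback route described above, written as terminal commands. This is an added example, not configuration from the original article; it assumes RouterOS v6 syntax (routing-mark on routes), and the gateway addresses 192.0.2.1 and 198.51.100.1 are placeholders for ISP-1 and ISP-2.

```routeros
# Constructed example: placeholder gateways, replace with the real ISP gateways.
/ip route
# Packets marked "Browsing" by Mangle (TCP 80,443 from LAN) leave via ISP-1
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=Browsing \
    comment="Browsing via ISP-1"
# Packets marked "FTP-EMail" by Mangle leave via ISP-2
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=FTP-EMail \
    comment="FTP and E-mail via ISP-2"
# No routing-mark: this route sits in the main table and carries everything
# Mangle did not mark, e.g. ICMP (ping) and all UDP traffic, because both
# Mangle rules match protocol=tcp only.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 comment="Fallback via ISP-1"

# Check that each marked table has an active default route
/ip route print where routing-mark=Browsing
/ip route print where routing-mark=FTP-EMail
# Check that the packet counters rise on the expected Mangle rule while testing
/ip firewall mangle print stats
```

If a marked route is missing or its gateway is unreachable, the mangle counters still increase, so compare them with the route list rather than relying on the counters alone.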

I hope it has been a useful article.