Mikrotik, выбор предпочтительного шлюза на основе Address Lists

Question

[Melkij]

Классическая история: есть микротик, 2 провайдера (bridge-gw0 и bridge-gw1) и 2 своих сети (192.168.5.0/24 и 192.168.0.0/24, интерфейсы bridge-home и bridge-dmz)

Хочу иметь возможность указывать address list'ы:
0) wan_only_gw0 и wan_only_gw1 - пускать трафик только через, соответственно, первого и второго провайдера. Без failover'а, если провайдер в отключке - то и трафик отбрасывать.
1) wan_failover_prefer_gw0 и wan_failover_prefer_gw1 - только failover, если оба провайдера доступны, то направлять весь трафик соответственно первому или второму провайдеру. Если провайдер работает только один - на него направлять трафик обоих списков.
2) всем адресам, не попавшим в перечисленные списки - балансировка трафика по обоим провайдерам.

Как правильнее?

Моя не очень удачная попытка:

/ip firewall mangle
add action=jump chain=prerouting connection-mark=no-mark dst-address-type=\
    !local in-interface=bridge-home jump-target=prerouting_wan
add action=mark-routing chain=prerouting connection-mark=to_astral0 \
    in-interface=bridge-home new-routing-mark=to_astral0
add action=mark-routing chain=prerouting connection-mark=to_astral1 \
    in-interface=bridge-home new-routing-mark=to_astral1
add action=mark-connection chain=prerouting_wan new-connection-mark=\
    to_astral0 passthrough=no src-address-list=wan_only_gw0
add action=mark-connection chain=prerouting_wan new-connection-mark=\
    to_astral1 passthrough=no src-address-list=wan_only_gw1
add action=mark-connection chain=prerouting_wan new-connection-mark=\
    to_astral0 passthrough=no src-address-list=wan_failover_prefer_gw0
add action=mark-connection chain=prerouting_wan new-connection-mark=\
    to_astral1 passthrough=no src-address-list=wan_failover_prefer_gw1
add action=mark-connection chain=prerouting_wan connection-mark=no-mark \
    new-connection-mark=to_astral0 passthrough=no per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting_wan connection-mark=no-mark \
    new-connection-mark=to_astral1 passthrough=no per-connection-classifier=\
    both-addresses:2/1
add action=return chain=prerouting_wan

/ip firewall filter
add action=drop chain=forward connection-mark=!to_astral0 connection-state=\
    new out-interface=bridge-gw0 src-address-list=wan_only_gw1
add action=drop chain=forward connection-mark=!to_astral1 connection-state=\
    new out-interface=bridge-gw1 src-address-list=wan_only_gw0

/ip route
add distance=1 gateway=192.168.7.1 routing-mark=to_astral1
add check-gateway=arp distance=1 gateway=172.23.152.1 routing-mark=to_astral0
add distance=1 gateway=172.23.152.1
add check-gateway=ping distance=2 gateway=192.168.7.1

В этом случае в списке wan_failover_prefer_gw1 первый ping до 8.8.8.8 уходит и возвращается, а вот последующих пингов нет. Упустил что-то банальное?

Answer 1

[Melkij]

Вот с таким mangle, кажется, работает как хотелось.

/ip firewall mangle

add action=mark-connection chain=input comment="mark input gw0" in-interface=\
    bridge-gw0 new-connection-mark=to_astral0 passthrough=no
add action=mark-connection chain=input comment="mark input gw1" in-interface=\
    bridge-gw1 new-connection-mark=to_astral1 passthrough=no
add action=mark-routing chain=output connection-mark=to_astral0 \
    new-routing-mark=to_astral0 passthrough=no
add action=mark-routing chain=output connection-mark=to_astral1 \
    new-routing-mark=to_astral1 passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge-gw0 new-connection-mark=to_astral0 passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge-gw1 new-connection-mark=to_astral1 passthrough=no
add action=jump chain=prerouting comment="process home connmark" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge-home \
    jump-target=prerouting_wan
add action=jump chain=prerouting comment="process dmz connmark" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge-dmz \
    jump-target=prerouting_wan
add action=jump chain=prerouting comment="set routing marks from home" \
    connection-mark=!no-mark in-interface=bridge-home jump-target=\
    prerouting_markroute
add action=jump chain=prerouting comment="set routing marks from dmz" \
    connection-mark=!no-mark in-interface=bridge-dmz jump-target=\
    prerouting_markroute
add action=mark-connection chain=prerouting_wan comment="use only gw0 list" \
    connection-mark=no-mark new-connection-mark=to_astral0 src-address-list=\
    wan_only_gw0
add action=mark-connection chain=prerouting_wan comment="use only gw1 list" \
    connection-mark=no-mark new-connection-mark=to_astral1 src-address-list=\
    wan_only_gw1
add action=mark-connection chain=prerouting_wan comment="use prefer gw0 list" \
    connection-mark=no-mark new-connection-mark=to_astral0 src-address-list=\
    wan_failover_prefer_gw0
add action=mark-connection chain=prerouting_wan comment="use prefer gw1 list" \
    connection-mark=no-mark new-connection-mark=to_astral1 src-address-list=\
    wan_failover_prefer_gw1
add action=mark-connection chain=prerouting_wan comment=PCC connection-mark=\
    no-mark new-connection-mark=to_astral0 per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting_wan comment=PCC connection-mark=\
    no-mark new-connection-mark=to_astral1 per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting_markroute comment=\
    "mark packet to_astral0" connection-mark=to_astral0 new-routing-mark=\
    to_astral0
add action=mark-routing chain=prerouting_markroute comment=\
    "mark packet to_astral1" connection-mark=to_astral1 new-routing-mark=\
    to_astral1