Selective Policy-Based Routing with Mikrotik RouterOS

This guide assumes that you have two Internet Connections of different or the same provider. Selective policy-based routing is useful when you want to route specific services to a dedicated or specific network or service provider (e.g all voip connections goes to provider “A” and all http connections goes to provider “B”).

Benefits of Policy-based routing

• Load sharing - when you want to separate the voice from data traffic, or assign bandwidth hunger services to a much bigger bandwidth pipe.
• Quality of Service - all network services will have a fair weighted share of bandwidth, such as network administrator will be able to classify what services would be routed or assign to a bigger bandwidth link.

Setting up Mikrotik RouterOS for Policy-based Routing

• Login to your Mikrotik winbox
• Once logged in, click on “IP -> Routes” then add a route
• Select the gateway where you want to route selected traffic or protocols, under the “Mark” input box enter the name of the route (we will be using the route name later for marking packet route), Click Ok.

After adding the route name in your routing table, we will now proceed to the packet mangling, where all packet alteration will be done.

• Click on “IP -> Firewall -> Mangle”, then click add. Under general tab, input your src address, destination address, protocol these are not required, only if you want to be too specific with your mangling rule.
• 
• Click on “Action” tab, then under Action, select the “Mark Routing” then enter the routing name where you want the traffic to be routed under the “New Routing Mark”.
  
• Lastly, Click ok.

To check if the traffic is routed to the desired link, perform a traceroute

Automatically find unathorized devices and block it on firewall

One of the features I like most in Mikrotik RouterOS is the ability to run custom scripts that will enable you to automate some things on router side. In a workplace where “bring your own device” is practiced, being able to control the registration of these devices on your network is very important especially for mobile devices - laptops, tablets and smartphones.
It’s becoming harder to control these device especially if they are in large number. Smartphone can be just placed inside a bag or pocket while it automatically connect through your access points where wireless key is known to the user and download unnecessary files on the internet thus wasting network bandwidth while increasing network security risk.
Now, if you happen to have a Mikrotik RouterOS in your network and is facing the same dilemma then probably the script below will help you solve it or least get you started on a better solution.

01

02	# Tested to work on RouterOS 5.19

03

04	:foreach i in=[/ip dhcp-server lease find dynamic=yes] do={

05	:local dynamicIP [/ip dhcp-server lease get $i address];

06	:local dynamicMAC [/ip dhcp-server lease get $i mac-address];

07	:local dynamicHOST [/ip dhcp-server lease get $i host-name];

08	:local macfound [/ip firewall filter find src-mac-address=$dynamicMAC];

09

10	:if ($macfound != "") do={

11	:log info ($dynamicMAC. " already filtered")

12

} else= {

13	/ip firewall filter add chain=forward src-mac-address=$dynamicMAC action=drop comment=($dynamicHOST . " - " . $dynamicMAC . " Unregistered device")

14	:log info ("Added " . $dynamicMAC. " to firewall filter")

15

}

16

}

Basically, the script will look for dynamic ip addresses inside the dhcp server leases table and search their mac address in the firewall filter table. If it’s not yet blocked then it will create an entry blocking the mac address to prevent it from sending traffic through your network.
To automatically execute the script periodically, you will need to add it on the scheduler, see example below:

1	/system scheduler add comment="Find unauthorized devices and block" disabled=no interval=5m  name=block_unauthorized_devices on-event=block_unauthorized_devices policy=read,write,test

You should be able to see on your log what devices are being blocked as the script finds one.