Wednesday, December 20, 2017

MIKROTIK Policy Routing based on Client IP Address


Recently at a local cable network setup at Gulzar-e-Hijri, an operator told me that he wanted to add an extra DSL line just for some specific users (VIP users who are paying some extra money for better speed), as the current single DSL is getting clogged by over-subscribed users. He wanted to manage all users / links via a single MikroTik RouterBoard.
I accomplished this task by adding the 2nd DSL line to the MikroTik box with a few rules, and Alhamdolillah it worked fine :). I am just sharing the basic logic of how I achieved it.
You can take this idea and modify it according to your requirements, either using this logic on its own or mixing it with a Hotspot- or PPPoE-based setup. In this example, each user's MAC and IP were bound together on the router.
Let us assume that we have 2 user lists.
DSL1_USERS_LIST = 192.168.2.6
DSL2_USERS_LIST = 192.168.2.7

DSL1 Router GW IP = 192.168.5.2
DSL2 Router GW IP = 192.168.6.2
Now we will route users through the DSL-1 or DSL-2 WAN link based on their IP addresses.
To accomplish this task, the simple logic is:
  1. STEP#1: First create two ADDRESS-LISTs and add the users to them.
  2. STEP#2: Add two IP Firewall Mangle rules that set a routing mark on packets originating from the users in each list.
  3. STEP#3: Add two default routes (destination 0.0.0.0/0) carrying the matching routing marks and gateways.
  4. STEP#4: Add one NAT rule for the local IP range with action masquerade.
Note that the whole decision is keyed on the source IP address alone, so the MAC-IP binding mentioned above (static ARP entries, with the LAN interface set to arp=reply-only so the router only resolves neighbours from that static table) is what stops an ordinary user from simply configuring a VIP address and getting the faster link. Users who are in neither list are not affected by the marks and keep using whatever default route the main routing table already has.

Code:

# Add IP addresses to the LAN and WAN interfaces
# IP for LAN user network connectivity
/ip address
add address=192.168.2.1/24 disabled=no interface=LAN network=192.168.2.0
# IPs for WAN DSL connectivity (one transit /24 towards each DSL modem)
add address=192.168.5.1/24 disabled=no interface=WAN1 network=192.168.5.0
add address=192.168.6.1/24 disabled=no interface=WAN2 network=192.168.6.0
# Create 2 address lists and add IPs as required; you can add ranges as well.
# I am adding just 2 IPs only.
/ip firewall address-list
add address=192.168.2.6 disabled=no list=DSL1_USERS_LIST
add address=192.168.2.7 disabled=no list=DSL2_USERS_LIST
# Mark routing on packets coming from each address list.
# prerouting = the mark is set before the route lookup; passthrough=no = stop at the first matching rule.
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan1_user passthrough=no src-address-list=DSL1_USERS_LIST
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan2_user passthrough=no src-address-list=DSL2_USERS_LIST
# Create a default route for each routing mark so marked packets leave via that WAN link only.
# The unmarked (main) routing table is untouched; everybody else keeps using its existing default route.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.2 routing-mark=wan1_user scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.6.2 routing-mark=wan2_user scope=30 target-scope=10
# Finally create the NAT rule so that the users' (IP range) internet can work
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=192.168.2.0/24
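Below is an added example, not the original post's script, showing the same two-WAN policy routing the way I would actually deploy it on RouterOS v6: it adds the MAC-IP binding that the post only mentions in prose, keeps local traffic out of the marked tables, makes the main-table default route explicit, masquerades per WAN interface, and ends with the checks to run on the router itself. The interface names and IP addresses are the ones from the post; the MAC addresses and the LOCAL_NETS list name are placeholders I made up for the example.

```routeros
# Added example (not the original post's script): two-WAN policy routing by client IP,
# RouterOS v6 syntax. Assumes interfaces LAN / WAN1 / WAN2 and the addresses used in
# the post. The MAC addresses are placeholders; replace them with the real client MACs.

# 1. MAC-IP binding. With arp=reply-only the router resolves LAN neighbours from the
#    static ARP table only, so return traffic for 192.168.2.6 is only ever sent to the
#    MAC bound here. A user who just sets 192.168.2.7 on his own PC gets no replies.
#    (Use /interface bridge set instead if LAN is a bridge.)
/interface ethernet set [find name=LAN] arp=reply-only
/ip arp
add address=192.168.2.6 mac-address=00:11:22:33:44:06 interface=LAN comment="VIP user 1 (DSL1)"
add address=192.168.2.7 mac-address=00:11:22:33:44:07 interface=LAN comment="VIP user 2 (DSL2)"

# 2. Address lists: VIP users per link, plus the local networks that must never be
#    pushed out a WAN link by the marked default routes (LOCAL_NETS is my own name).
/ip firewall address-list
add list=DSL1_USERS_LIST address=192.168.2.6
add list=DSL2_USERS_LIST address=192.168.2.7
add list=LOCAL_NETS address=192.168.2.0/24
add list=LOCAL_NETS address=192.168.5.0/24
add list=LOCAL_NETS address=192.168.6.0/24

# 3. Mangle: mark routing only for traffic that is really leaving the site. Without the
#    dst-address-list exclusion, a VIP user's packets to the other DSL modem (or to any
#    other local subnet) would match 0.0.0.0/0 in the marked table and go to the wrong gateway.
/ip firewall mangle
add chain=prerouting src-address-list=DSL1_USERS_LIST dst-address-list=!LOCAL_NETS action=mark-routing new-routing-mark=wan1_user passthrough=no comment="VIP -> DSL1"
add chain=prerouting src-address-list=DSL2_USERS_LIST dst-address-list=!LOCAL_NETS action=mark-routing new-routing-mark=wan2_user passthrough=no comment="VIP -> DSL2"

# 4. Routes: one default route per mark, plus the main-table default routes that everyone
#    else (and the router itself) uses. check-gateway=ping deactivates a route whose modem
#    stops answering; a marked table with no active route falls back to the main table.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.5.2 routing-mark=wan1_user check-gateway=ping comment="VIP DSL1"
add dst-address=0.0.0.0/0 gateway=192.168.6.2 routing-mark=wan2_user check-gateway=ping comment="VIP DSL2"
add dst-address=0.0.0.0/0 gateway=192.168.5.2 distance=1 check-gateway=ping comment="everyone else (assumed: DSL1 was the existing link)"
add dst-address=0.0.0.0/0 gateway=192.168.6.2 distance=2 check-gateway=ping comment="backup for everyone else"

# 5. NAT per WAN interface rather than per source range, so nothing leaving the LAN
#    interface is ever masqueraded and each link is translated to its own address.
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

# 6. Checks from the router side (the post tests from the clients with tracert):
#    the packet counters of the two mark-routing rules should grow only when the VIP
#    IPs send traffic, each marked table should show exactly one active default route,
#    and the bound clients should appear in the ARP table without the dynamic "D" flag.
/ip firewall mangle print stats where action=mark-routing
/ip route print where routing-mark=wan1_user
/ip route print where routing-mark=wan2_user
/ip arp print where interface=LAN
/ping 8.8.8.8 routing-table=wan1_user count=3
/ping 8.8.8.8 routing-table=wan2_user count=3
```

On RouterOS v7 the routing-mark option on routes became routing-table, and each table has to be created first with /routing table add name=wan1_user fib (likewise for wan2_user); the mangle rules, address lists and ARP binding are unchanged. The static ARP entries are the part that actually enforces the business rule: the address lists decide which link a source address gets, and reply-only ARP is what ties that source address to one client.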


TESTING

From Client PC #1, whose IP address is 192.168.2.6, run the TRACEROUTE command, for example: traceroute yahoo.com
The second hop shows which DSL gateway the client's traffic is leaving through (192.168.5.2 for DSL1, 192.168.6.2 for DSL2).


TESTING FROM DSL1_USERS_LIST = 192.168.2.6
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
C:\Documents and Settings\zaib>tracert yahoo.com
Tracing route to yahoo.com [209.191.122.70]
over a maximum of 30 hops
1     <1 ms     <1 ms     2 ms  192.168.2.1
2      2 ms      2 ms     3 ms  192.168.5.2

TESTING FROM DSL2_USERS_LIST = 192.168.2.7
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.7
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
C:\Documents and Settings\zaib>tracert yahoo.com
Tracing route to yahoo.com [209.191.122.70]
over a maximum of 30 hops
1     <1 ms     <1 ms     2 ms  192.168.2.1
2      2 ms      2 ms     3 ms  192.168.6.2

Credits: https://aacable.wordpress.com/2011/10/27/mikrotik-policy-routing-based-on-client-ip-address/ 
