We’re trying to do some policy routing on our lines. We can distinguish traffic by port easily and mark packets for routing; that works quite well.
But we are having problems marking web traffic; it seems to ignore all routing marks. We are using the caching web proxy, so the packets are actually generated inside the MT. We found out that we could not mark packets generated locally by the MT for routing (tried /system telnet, for example).
Is it possible to route web-proxy traffic through an arbitrary interface?
And it works, but only for packets going through the router, not for packets generated at the router (e.g. with /system telnet or ping).
I have tried setting it on all chains.
Hm, I think that the mangle rule should contain the src-address of the public MikroTik interface and dst-port 80. If you use a proxy server, everything works like this: a client from the private network connects to the proxy server and transfers its HTTP request (the connection is destined to the private proxy server address). Then the proxy server connects to the internet web server through its public interface, so I suppose you can recognize those outgoing proxy connections by source address (the public MikroTik interface) and destination port.
I also tried output, as suggested by that, and neither worked.
I still send packets via the default gateway instead of the marked one.
I agree with LatinSuD!!!
I have also tried to do policy routing on the traffic generated by the MikroTik itself (version 2.9.10), but it is a big no-go.
It is possible to do connection marking as well as routing marking in the output chain, but MikroTik does not even try to take this routing mark into account. This means that in order to be able to initiate traffic from within the MikroTik itself (like for the NTP client to connect to an NTP server) you need to have a gateway specified without a routing mark.
Is this a MikroTik oversight, a bug or a feature?!?
(Yes, I have read the manual, and seen / understood the drawing scheme, so please spare me the besserwisser remarks that are sadly overwhelming this forum!)
[admin@MikroTik] ip route> print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
0 ADC dst-address=85.xx.xx.xx/30 prefsrc=85.xx.xx.xx interface=1-2 Bond
scope=10 target-scope=0
1 ADC dst-address=192.168.1.0/24 prefsrc=192.168.1.254 interface=3-Internal
scope=10 target-scope=0
2 ADC dst-address=195.xx.xx.xx/30 prefsrc=195.xx.xx.xx interface=1-2 Bond
scope=10 target-scope=0
3 A S dst-address=0.0.0.0/0 gateway=85.xx.xx.xx interface=1-2 Bond
gateway-state=reachable scope=255 target-scope=10
routing-mark=route_ISP1
4 A S dst-address=0.0.0.0/0 gateway=195.xx.xx.xx interface=1-2 Bond
gateway-state=reachable scope=255 target-scope=10
routing-mark=route_ISP2
5 A S dst-address=0.0.0.0/0 gateway=85.xx.xx.xx interface=1-2 Bond
gateway-state=reachable scope=255 target-scope=10
[admin@MikroTik] ip route>
The mangle chain looks like this:
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
.
.
.
7 ;;; Mark traffic initiated by Mikrotik
chain=output out-interface=1-2 Bond connection-state=new
action=mark-connection new-connection-mark=conn_Mikrotik passthrough=yes
8 chain=output out-interface=1-2 Bond connection-mark=conn_Mikrotik
action=mark-routing new-routing-mark=route_ISP1 passthrough=no
[admin@MikroTik] ip firewall mangle>
Both rules #7 and #8 work: the counters get incremented as traffic is initiated from the MikroTik (via the terminal), BUT if routing rule #5 above does not exist / is disabled, then none of this traffic will exit the MikroTik; the answer “no route to host” is shown in the MikroTik terminal.
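To make the behaviour reported in the posts above concrete, here is a small Python model of the route lookup, added as an example and not code from the thread or from MikroTik. It rebuilds the route table printed above with constructed addresses (85.0.0.0/30 and 195.0.0.0/30 standing in for the masked 85.xx / 195.xx prefixes, 198.51.100.10 as a remote web server) and assumes two things: a marked packet is looked up in its mark's table first and falls back to the unmarked table only when that table has no matching route at all, and, as the poster observed on 2.9.10, the output-chain routing mark is ignored for router-originated packets, so those are looked up as if unmarked. Disabling route #5 then reproduces the "no route to host" result.

```python
"""Toy model of RouterOS-style policy routing lookup (added example, not
code from the forum thread).  Addresses are constructed stand-ins for the
85.xx.xx.xx and 195.xx.xx.xx prefixes shown in the thread."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    gateway: Optional[str]              # None for a connected (ADC) route
    interface: str
    routing_mark: Optional[str] = None  # None = main (unmarked) table
    disabled: bool = False


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Reconstruction of the thread's "/ip route print" with constructed addresses.
ROUTES: List[Route] = [
    Route(_net("85.0.0.0/30"), None, "1-2 Bond"),                      # 0 ADC
    Route(_net("192.168.1.0/24"), None, "3-Internal"),                 # 1 ADC
    Route(_net("195.0.0.0/30"), None, "1-2 Bond"),                     # 2 ADC
    Route(_net("0.0.0.0/0"), "85.0.0.1", "1-2 Bond", "route_ISP1"),    # 3 A S
    Route(_net("0.0.0.0/0"), "195.0.0.1", "1-2 Bond", "route_ISP2"),   # 4 A S
    Route(_net("0.0.0.0/0"), "85.0.0.1", "1-2 Bond"),                  # 5 A S, unmarked
]


def lookup(routes, dst, routing_mark=None):
    """Longest-prefix match.  Assumption: a marked packet is looked up in its
    mark's table first and falls back to the unmarked table only when the
    marked table has no matching route at all."""
    ip = ipaddress.ip_address(dst)
    tables = ([routing_mark] if routing_mark else []) + [None]
    for table in tables:
        hits = [r for r in routes
                if not r.disabled and r.routing_mark == table and ip in r.dst]
        if hits:
            return max(hits, key=lambda r: r.dst.prefixlen)
    return None  # what the terminal reports as "no route to host"


def next_hop(routes, dst, routing_mark=None, locally_generated=False):
    """Gateway (or "direct" for a connected route) a packet would take.
    locally_generated=True models the thread's observation on 2.9.10: the
    output-chain routing mark is not taken into account, so the lookup
    behaves as if the packet were unmarked."""
    effective_mark = None if locally_generated else routing_mark
    r = lookup(routes, dst, effective_mark)
    if r is None:
        return None
    return r.gateway or "direct"


def without_route(routes, index):
    """Copy of the table with route #index disabled (like "ip route disable")."""
    return [replace(r, disabled=True) if i == index else r
            for i, r in enumerate(routes)]


if __name__ == "__main__":
    web = "198.51.100.10"
    print("forwarded, mark route_ISP2     :", next_hop(ROUTES, web, "route_ISP2"))
    print("router-originated, same mark   :", next_hop(ROUTES, web, "route_ISP2", True))
    print("same, with route #5 disabled   :", next_hop(without_route(ROUTES, 5), web, "route_ISP2", True))
    print("marked packet to a LAN host    :", next_hop(ROUTES, "192.168.1.10", "route_ISP2"))
```

The last line of the demo shows a second effect of the same lookup order that is worth checking on a real box: in this model a marked packet addressed to a 192.168.1.0/24 host is caught by the marked table's default route and sent to the ISP gateway, because the connected route lives only in the unmarked table. That is why mangle rules that set routing marks are usually written to exclude local destinations.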