OKNET
March 27, 2017, 3:17pm
1
ether7: 192.168.1.1/24
/ip firewall mangle
# mark connections that arrive on ether7 (WAN2)
add chain=input action=mark-connection new-connection-mark=WAN2_conn passthrough=yes in-interface=ether7
# route the router's own replies to those connections through WAN2
add chain=output action=mark-routing new-routing-mark=to_WAN2 passthrough=no connection-mark=WAN2_conn
/ip route
dst-address=0.0.0.0/0 gateway=192.168.1.254 gateway-status=192.168.1.254 reachable via ether7 distance=1 scope=30 target-scope=10 routing-mark=to_WAN2
dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=ether7 gateway-status=ether7 reachable distance=0 scope=10
A PC 192.168.1.100, connected to a switch together with MT ether7 and the gateway, cannot ping the routerboard and vice versa unless I disable the “output” mangle rule or remove the routing-mark from the default route.
Why is this?
I ask because the same configuration works on other systems…
Thank you
OKNET
March 27, 2017, 3:43pm
2
It seems routing takes place inside the same “connected” network… why?
OKNET
March 28, 2017, 7:43am
3
Sorry for this “up”…
I’m trying to solve this issue I have when managing the routerboard from the “WAN” side: locally, over Ethernet, not over the internet through a NATted DSL router:
From a few presentations about PCC I usually adopt:
an accept rule to avoid marking local traffic:
/ip firewall mangle add action=accept chain=prerouting disabled=no dst-address=192.168.1.0/24
When a connection is initiated from the internet through one of the ISPs, we need to ensure that this connection is replied to through the same ISP (from the same public IP).
We need to mark these connections, and then put them in the proper routing table.
/ip firewall mangle
# mark connections that arrive on ether7 (WAN2)
add chain=input action=mark-connection new-connection-mark=WAN2_conn passthrough=yes in-interface=ether7
# route the router's own replies to those connections through WAN2
add chain=output action=mark-routing new-routing-mark=to_WAN2 passthrough=no connection-mark=WAN2_conn
PCC rules then follow…
Then I need an unmarked default route as well as a marked one:
dst-address=0.0.0.0/0 gateway=172.16.217.254 gateway-status=172.16.217.254 reachable via ether7 distance=1 scope=30 target-scope=10
dst-address=0.0.0.0/0 gateway=172.16.217.254 gateway-status=172.16.217.254 reachable via ether7 check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_WAN2
The problem is that by doing so I lose the local connection from the maintenance PC connected to the WAN side of the routerboard.
Any hint?
Sob
March 29, 2017, 8:40pm
4
Some more details about IP addresses could perhaps help. I mean, first there’s 192.168.1.0/24, now 172.16.217.?/? came from somewhere, …
I’d start with rules like this, to make sure that locally connected subnets will always be looked up in the main routing table, where they have routes:
/ip route rule
add action=lookup-only-in-table dst-address=<locally connected subnet> table=main
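The following is an added example, not configuration posted by either participant. It puts together the PCC-style rules OKNET listed in post 3 with the route rule Sob suggests, so the effect can be seen in one place. It assumes the locally connected WAN-side subnet is 192.168.1.0/24 and the upstream gateway is 192.168.1.254 (the addressing from OKNET’s first post); the second post’s 172.16.217.254 is not used. The reason the original setup breaks is that the output-chain mark-routing rule sends the router’s reply to the PC into the to_WAN2 table, whose only route is the default route, so the reply is forwarded to 192.168.1.254 instead of directly onto ether7. The prerouting accept rule cannot prevent that, because the router’s own replies never traverse prerouting. A route rule matched before the routing-mark lookup forces the local subnet back into main, where the connected route lives.

```routeros
# Added example (not from the thread). RouterOS v6 syntax.
# ASSUMED: WAN-side connected subnet 192.168.1.0/24 on ether7, gateway 192.168.1.254.

# 1. Sob's fix: destinations in the locally connected subnet are always looked up
#    in the main table, regardless of any routing-mark set in mangle output.
#    Without this, the reply to 192.168.1.100 matches only the to_WAN2 default
#    route and is sent to 192.168.1.254 rather than directly on ether7.
/ip route rule
add action=lookup-only-in-table dst-address=192.168.1.0/24 table=main

# 2. Mangle rules as posted in the thread (intent unchanged).
/ip firewall mangle
add chain=prerouting action=accept dst-address=192.168.1.0/24 \
    comment="skip marking for local traffic (forwarded traffic only; output chain is not covered)"
add chain=input action=mark-connection new-connection-mark=WAN2_conn \
    passthrough=yes in-interface=ether7 \
    comment="connections that entered via WAN2"
add chain=output action=mark-routing new-routing-mark=to_WAN2 \
    passthrough=no connection-mark=WAN2_conn \
    comment="reply to WAN2 connections through WAN2"

# 3. Unmarked and marked default routes (marked table used by to_WAN2 replies).
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.254 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.254 distance=1 check-gateway=ping \
    routing-mark=to_WAN2

# 4. Checks: the rule must be present, and the router must now reach the
#    maintenance PC directly (the PC is ASSUMED to be at 192.168.1.100).
/ip route rule print
/ip route print where routing-mark=to_WAN2
/ping 192.168.1.100 count=3
```

The route rule only covers the router’s own management traffic; forwarded traffic to the local subnet is still handled by the prerouting accept rule. The same applies to every other locally connected subnet you manage the device from, so add one rule per subnet. On RouterOS v7 the equivalent lives under /routing rule and routes use routing-table= instead of routing-mark=; the logic is the same.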