After enabling mark routing, VPN user can't see LAN PCs

Hello

RB3011UiAS
os: 6.46.1

My configuration with LAN + WAN and VPN is working correctly.
Now I added WAN2 with mark routing,
and when the VPN user is connected, he can't see any computer on the LAN, but the internet is working fine.

If someone can tell me what I did wrong.

thank you


/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether10 src-address=\
192.168.0.0/22
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1 src-address=192.168.0.0/22
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24

Mark routing

/ip firewall address-list
add address=192.168.1.3 list=Use_WAN1
add address=192.168.1.7 list=Use_WAN1
add address=192.168.1.11 list=Use_WAN1
add address=192.168.0.0/22 list=Use_WAN2
add address=192.168.89.0/24 list=Use_WAN2 comment=VPN

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Use WAN1" disabled=no log=no log-prefix="" new-routing-mark=To_WAN1 passthrough=no src-address-list=Use_WAN1
add action=mark-routing chain=prerouting comment="Use WAN2" disabled=no log=no log-prefix="" new-routing-mark=To_WAN2 passthrough=no src-address-list=Use_WAN2

/ip firewall nat
add action=masquerade chain=srcnat disabled=no log=no log-prefix="" out-interface=ether1 src-address=192.168.0.0/22
add action=masquerade chain=srcnat disabled=no log=no log-prefix="" out-interface=ether10 src-address=192.168.0.0/22

/ip route
add distance=1 gateway=18x.xxx.xxx.xxx routing-mark=To_WAN1
add distance=1 gateway=192.168.40.1 routing-mark=To_WAN2

The thing is that if a packet has got a routing-mark, and a route whose dst-address matches the packet’s destination address and whose routing-mark matches the one attached to the packet exists, that route is used. Since you only have the default route via the WAN’s gateway marked with To_WAN2, and you attach the routing-mark To_WAN2 to all packets matching the respective src-address-list no matter what their destination is, even packets for your connected subnets are sent out via WAN2 because no routes to local subnets marked with To_WAN2 exist.

There are several ways to deal with this:

  1. prevent packets for any local subnets from getting the routing-mark by adding dst-address-list=!local-subnets to the action=mark-routing rules (and populate the address list with the necessary rows), maybe it is enough to use dst-address=!192.168.0.0/16 instead.
  2. use /ip route rule add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main to override the routing-mark assigned by the action=mark-routing rules for destination subnets (but you may actually need several rules depending on your network topology, you cannot use address lists in /ip route rule)
  3. add routes to local subnets with routing-mark=To_WAN2
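The first option from the reply above, written out against the poster's exported configuration, as an added example that is not from either participant. It assumes only what the export shows: 192.168.0.0/22 is the LAN and 192.168.89.0/24 is the VPN client pool; the address-list name local-subnets is taken from the reply.

```routeros
# Added example, not part of the thread. Option 1: keep packets for local
# subnets out of the mark-routing rules, so they fall through to the main
# table and its connected routes instead of the marked table's default route.

# 1. Every subnet that is reached without leaving via a WAN. The VPN pool
#    must be listed too, otherwise LAN hosts still mark their replies towards
#    VPN clients and send them out via WAN2 (or WAN1 for the Use_WAN1 hosts).
/ip firewall address-list
add address=192.168.0.0/22 list=local-subnets comment="LAN"
add address=192.168.89.0/24 list=local-subnets comment="VPN clients"

# 2. Mark routing only for traffic whose destination is not local. The
#    dst-address-list=!local-subnets match is the whole fix; it is needed on
#    both rules, not only on the To_WAN2 one.
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=To_WAN1 passthrough=no \
    src-address-list=Use_WAN1 dst-address-list=!local-subnets comment="Use WAN1"
add chain=prerouting action=mark-routing new-routing-mark=To_WAN2 passthrough=no \
    src-address-list=Use_WAN2 dst-address-list=!local-subnets comment="Use WAN2"

# On a running router, edit the two existing rules instead of adding new ones:
# /ip firewall mangle set [find comment="Use WAN1"] dst-address-list=!local-subnets
# /ip firewall mangle set [find comment="Use WAN2"] dst-address-list=!local-subnets

# Check: the marked tables should still contain only the default routes; local
# traffic is now expected to match nothing here and use the main table.
# /ip route print where routing-mark=To_WAN2

# Alternative (option 2 from the reply): leave the mangle rules untouched and
# force local destinations back into the main table. One rule per prefix,
# because /ip route rule cannot reference an address list.
# /ip route rule
# add dst-address=192.168.0.0/22 action=lookup-only-in-table table=main
# add dst-address=192.168.89.0/24 action=lookup-only-in-table table=main
```

The address-list variant is the easier one to maintain: when another local subnet or VPN pool is added later, it only needs a new row in local-subnets, whereas the route-rule variant needs one more /ip route rule entry for each prefix.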

I tried the first one and it's working fine.
thank you

Just a question: why not 192.168.0.0/22, but must it be /16?
thank you

It was just an example in the absence of information about your overall network topology. If all your subnets which are not reachable via the WANs fit into 192.168.0.0/22, that one is of course sufficient.