Always default route without routingMark necessary?

RouterOS General
1

Hello
I have a router with 2 wan interfaces (pppoe and static IP) with the settings below.
I want to be able to enter the router from the outside in case some wan interface falls. I’ve got it to work but I don’t understand something:
Why if pppoe client is disabled I need to add line [2] (below) in /ip route?
Are not all connections that enter through ether1 marked and only the route with the WAN-K2-FO mark is used? Is it possible to work without adding that line [2]?

/ip address
add address=192.168.1.100/24 interface=ether1 network=192.168.1.0

/interface pppoe-client
add add-default-route=yes interface=wlan1-gateway keepalive-timeout=60 max-mru=1480 max-mtu=1480 name=pppoe-out1 password=password use-peer-dns=yes user=K2

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes in-interface=pppoe-out1 new-routing-mark=nex passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN-K2-FO new-routing-mark=WAN-K2-FO passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether1 new-connection-mark=WAN-K2-FO passthrough=no
add action=mark-routing chain=output connection-mark=WAN-K2-FO new-routing-mark=WAN-K2-FO passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
add action=src-nat chain=srcnat comment=K2-FO connection-mark=WAN-K2-FO out-interface=ether1 to-addresses=192.168.1.100
add action=masquerade chain=srcnat comment="K2-FO-from T" out-interface=ether1

add action=dst-nat chain=dstnat comment="To M" dst-port=9002 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.1 to-ports=80

/ip route
[1] add distance=1 gateway=192.168.1.1 routing-mark=WAN-K2-FO
[2] add distance=1 gateway=192.168.1.1

/ip settings
set rp-filter=loose tcp-syncookies=yes

Thank you.

2

LewisH95’s posts seem to me like preparing grounds (collecting karma) for some advertising or alike, throuh posting texts copied from the web which contain the keywords related to the topics but are not really relevant to what people ask. So you can ignore that post.


It’s slightly counter-intuitive. For packets sent by the router itself, i.e. handled by the output chain of the firewall, the mangling is done as late as after a route for the packet has already been found in the main routing table, and if the magnling results in assigning a routing-mark to the packet, the routing is done one more time, taking that routing-mark into account. So it doesn’t matter what the original route was, but there must be one, otherwise the output packets never get mangled. And since the only default route without a routing-mark is the one dynamically added by the PPPoE client, once it disappears as the /interface pppoe-client goes down, the packets aren’t routed anywhere.

So instead of adding the default route via 192.168.1.1 with distance=1, add it with distance=2 or higher. This will ensure that the route via PPPoE (which is added with distance=1 unless configured otherwise using the default-route-distance parameter of /interface pppoe-client) will always win whenever it will exist. You can also create an /interface bridge with no member interfaces and add it as a gateway of the default route with distance=2 if what I explain above sounds weird to you and you need a proof :slight_smile: