Does mangle mark-routing not do what I think it does?

Is mark routing currently bugged or is this intended? I’ve watched Youtube videos explaining that you can either using routing rules OR mangle mark-routing to select which routing table you will be using. I wanted to simulate a failover event with IPv6 and setup two routing tables one for the primary ISP and one for the secondary ISP. I have mangle rules that mark the route based on the src prefix. If it belongs to the secondary ISP than it should use the backup routing table.

I see packets going through the rule as the counter is ticking up but pings on my laptop are failing, however when I copy the rule into routing rules (based off src prefix), select the backup routing table and select “Only lookup in table” and enable it. Everything is working fine now. Not sure what is tracking this because now I can disable the rule and traffic still will be routed correctly for a decent bit of time or until I restart my router.

Is mangle supposed to alter which table is used for the lookup, or is it now supposed to be used in conjunction with routing rules with the route-mark option? I’ll post the export below, it’s just my test router.

/container mounts
add dst=/etc/dns name=dns_server src=/nvme1/container/dns_server/data
/interface bridge
add name=bridge priority=0x7000 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=Up-Link
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=67.212.101.191 mtu=1280 name=sit1 \
    remote-address=184.105.250.46
add comment=Route64 !keepalive local-address=67.212.101.191 mtu=1280 name=sit2 remote-address=118.91.187.67
/interface veth
add address=192.168.40.3/24 gateway=192.168.40.1 gateway6="" name=VETH_CLOUDFLARE_DDNS
add address=192.168.40.2/24 gateway=192.168.40.1 gateway6="" name=VETH_DNS_SERVER
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=DMZ vlan-id=50
add interface=bridge name=IoT vlan-id=30
add interface=bridge name=Management vlan-id=110
add interface=bridge name=Server vlan-id=40
add interface=bridge name=User vlan-id=10
/interface list
add name=WAN
add name=Untrusted
/interface wifi configuration
add channel.band=2ghz-ax datapath.bridge=bridge .vlan-id=30 disabled=no mode=ap name="Corkery's Router - IoT" \
    security.authentication-types=wpa2-psk .ft=no .ft-over-ds=no .management-protection=allowed .wps=disable ssid=\
    "Corkery's Router - IoT"
/interface wifi steering
add disabled=no name="Corkery's Steering Enabled" neighbor-group="dynamic-Corkery's Router-b11c4a23" rrm=yes wnm=yes
/interface wifi configuration
add channel.band=2ghz-ax .reselect-time=00:00:00 .width=20mhz datapath.vlan-id=10 disabled=no mode=ap name=\
    "Corkery's Router 2.4g" security.authentication-types=wpa3-psk .ft=yes .ft-over-ds=yes .management-protection=\
    required .wps=disable ssid="Corkery's Router" steering="Corkery's Steering Enabled" steering.rrm=no .wnm=no
add channel.band=5ghz-ax .frequency=5160-5850 .reselect-time=00:00:00 .skip-dfs-channels=disabled .width=20/40/80mhz \
    country="United States" datapath.bridge=bridge .vlan-id=10 disabled=no mode=ap name="Corkery's Router 5g" \
    security.authentication-types=wpa3-psk .ft=yes .ft-over-ds=yes .management-protection=required .wps=disable ssid=\
    "Corkery's Router" steering="Corkery's Steering Enabled" steering.rrm=no .wnm=no
/ip ipsec peer
add exchange-mode=ike2 name=Test passive=yes
/ip pool
add name=User-Pool ranges=192.168.10.2-192.168.10.254
add name=IoT-Pool ranges=192.168.30.2-192.168.30.254
add name=Managment-Pool ranges=192.168.110.2-192.168.110.254
add name=Server-Pool ranges=192.168.40.2-192.168.40.254
add name=DMZ-Pool ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=User-Pool interface=User lease-time=1d name=User-DHCP
add address-pool=IoT-Pool interface=IoT lease-time=1d name=IoT-DHCP
add address-pool=Managment-Pool interface=Management lease-time=1d name=Management-DHCP
add address-pool=Server-Pool interface=Server lease-time=1d name=Server-DHCP
add address-pool=DMZ-Pool interface=DMZ lease-time=1d name=DMZ-DHCP
/port
set 0 name=serial0
/routing table
add disabled=no fib name=backup
/system logging action
add memory-lines=100 name=container target=memory
add name=wifi target=memory
add name=firewall target=memory
/container config
set registry-url=https://registry-1.docker.io
/container envs
add key=DNS_SERVER_DOMAIN name=dns_server value=dns-server
add key=IP6_PROVIDER name=cloudflare_ddns value=none
add key=DOMAINS name=cloudflare_ddns value=corkery.tech,caddy.corkery.tech
/interface bridge port
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=VETH_DNS_SERVER pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=VETH_CLOUDFLARE_DDNS pvid=40
/interface bridge vlan
add bridge=bridge comment=User tagged=sfp-sfpplus2,bridge vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus2,bridge vlan-ids=30
add bridge=bridge tagged=sfp-sfpplus2,bridge untagged=VETH_DNS_SERVER,VETH_CLOUDFLARE_DDNS vlan-ids=40
add bridge=bridge tagged=sfp-sfpplus2,bridge vlan-ids=50
add bridge=bridge tagged=sfp-sfpplus2,bridge vlan-ids=110
/interface list member
add interface=Up-Link list=WAN
add interface=IoT list=Untrusted
add interface=DMZ list=Untrusted
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=Management package-path="" require-peer-certificate=yes \
    upgrade-policy=require-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration="Corkery's Router 2.4g" name-format=%I-2.4g \
    slave-configurations="Corkery's Router - IoT" slave-name-format=%I-2.4g-%v supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration="Corkery's Router 5g" name-format=%I-5g \
    supported-bands=5ghz-ax
/ip address
add address=192.168.10.1/24 interface=User network=192.168.10.0
add address=192.168.30.1/24 interface=IoT network=192.168.30.0
add address=192.168.40.1/24 interface=Server network=192.168.40.0
add address=192.168.110.1/24 interface=Management network=192.168.110.0
add address=192.168.50.1/24 interface=DMZ network=192.168.50.0
add address=192.168.11.1/24 interface=wireguard1 network=192.168.11.0
/ip arp
add address=192.168.10.171 interface=User
/ip dhcp-client
add add-default-route=no interface=Up-Link
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.40.2 gateway=192.168.10.1
add address=192.168.30.0/24 dns-server=192.168.40.2 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.2 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.40.2 gateway=192.168.50.1
add address=192.168.110.0/24 dns-server=192.168.40.2 gateway=192.168.110.1
/ip dns
set mdns-repeat-ifaces=User,IoT servers=192.168.40.2
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fast-track established and related " connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="Accept Established, Related, Untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=accept chain=forward comment="Allow DNS" dst-address=192.168.40.2 dst-port=53 protocol=udp
add action=accept chain=forward dst-address=192.168.40.8 dst-port=445 in-interface=DMZ out-interface=Server protocol=tcp \
    src-address=192.168.50.4
add action=drop chain=forward comment="Allow untrusted to egress through WAN only" connection-state=new disabled=yes \
    in-interface-list=Untrusted log=yes log-prefix="Drop untrusted" out-interface-list=!WAN
add action=drop chain=forward comment="Drop all WAN traffic" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
add action=accept chain=input comment="Accept Established, Related, Untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-nat-state="" connection-state=invalid
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop all WAN traffic" connection-nat-state="" connection-state=new \
    in-interface-list=WAN log=yes log-prefix=Dropped
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port forward Jellyfin" dst-port=8096 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.50.2 to-ports=8096
add action=dst-nat chain=dstnat dst-port=5055 in-interface-list=WAN protocol=tcp to-addresses=192.168.50.2 to-ports=5055
/ip ipsec identity
add peer=Test
/ip ipsec policy
add disabled=yes dst-address=0.0.0.0/0 peer=Test src-address=0.0.0.0/0 tunnel=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=67.212.101.1 routing-table=main scope=10 suppress-hw-offload=\
    no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=Up-Link routing-table=backup suppress-hw-offload=no
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=sit1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=2a11:6c7:f04:93::/64 gateway=sit2 routing-table=backup scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=2a11:6c7:1200:9310::/64 gateway=User routing-table=backup scope=10 \
    suppress-hw-offload=no target-scope=5
add disabled=no distance=1 dst-address=2000::/3 gateway=sit2 routing-table=backup scope=10 suppress-hw-offload=no \
    target-scope=5
/ipv6 address
add address=fd3d:c865:2fc0:10::1 interface=User
add address=fd3d:c865:2fc0:110::1 interface=Management
add address=fd3d:c865:2fc0:30::1 interface=IoT
add address=2001:470:39:218::2 advertise=no interface=sit1
add address=2001:470:4097:10::1 advertise=no interface=User
add address=2a11:6c7:f04:93::2 interface=sit2
add address=2001:470:4097:11::1 advertise=no interface=wireguard1
add address=2a11:6c7:1200:9310::1 interface=User
/ipv6 dhcp-client
add interface=Up-Link pool-name=CFU pool-prefix-length=58 request=prefix
/ipv6 firewall filter
add action=accept chain=forward comment="Allow Established, Related, Untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from WAN" connection-state=new in-interface=sit1
add action=drop chain=input connection-state=new in-interface=sit1
/ipv6 firewall mangle
add action=mark-routing chain=prerouting log=yes log-prefix=Out new-routing-mark=backup passthrough=no src-address=\
    2a11:6c7:1200:9300::/56
add action=mark-routing chain=prerouting dst-address=2a11:6c7:1200:9300::/56 log=yes log-prefix=In new-routing-mark=\
    backup passthrough=no
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/routing rule
add action=lookup-only-in-table disabled=yes routing-mark=backup src-address=2a11:6c7:1200:9300::/56 table=backup
/system clock
set time-zone-name=America/Chicago
/system logging
add action=container topics=container
add action=wifi topics=wireless,!info
add topics=!container
add action=wifi topics=caps
add action=firewall topics=firewall
add topics=!wireless
add topics=!firewall
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nist.gov
/system package update
set channel=testing
/system routerboard settings
set enter-setup-on=delete-key
/system script
/tool netwatch
add disabled=yes down-script=":global up 0\
    \n/system/script run Failover" host=2606:4700:4700::1111 interval=1s test-script="" type=icmp up-script=\
    ":global up 1\
    \n/system/script run Failover"
/tool romon
set enabled=yes
/tool sniffer
set filter-interface=Up-Link streaming-enabled=yes streaming-server=192.168.10.169

Yes, there seem to be an issue with IPv6 mangle mark routing in the current version (7.18.2). At least as recently as last year, I had no problem steering IPv6 connections to the right routing table with mangle mark-routing (no routing rules needed). Which means it worked last year. I’ve since changed my config to using routing rules only.

However, just this week, I had to help a friend with setting up PBR with IPv6, and to my surprise, IPv6 mangle mark-routing no longer produced the desired result: The connections had the right marks, the rules’ counters were properly increasing (and logging showed they are correctly hit), but the connections all used the main routing table.

I had to add additional routing rules (with the routing marks as condition) to have the marked connections use the right tables. I don’t know since when has this behavior changed that way.

Not specifically about IPv6, but my understanding is that routing rules are more efficient compared to mangle rules. So, if you can achieve what you need with just the rules (looking at your config, you can), it would probably be preferred unless you don’t care about CPU load. The documentation even discourages using both at the same time (https://help.mikrotik.com/docs/spaces/ROS/pages/59965508/Policy+Routing):

It is not recommended to use both methods at the same time or you should know exactly what you are doing. If you really do need to use both mangle and routing rules in the same setup then keep in mind that mangle has higher priority, meaning if the mangle marked traffic can be resolved in the table then route rules will never see this traffic.

Of course, this is not to say the mark-routing bug shouldn’t be fixed. I don’t use IPv6 and can’t reproduce, but it works correctly for me with IPv4.

I’ve switched to routing rules until this is fixed. I’ve reported the issue, ticket SUP-188365

Is this issue present in 7.18.2 ?

That is correct, it looks like a problem and they are aware of it. They said it will be fixed in a future release. The direct quote from support is

Thank you for the report, currently there is an issue that apart from ipv6 mangle marking rules, routing rule is required, too. This will be fixed in the future.