Hello
I have two ISPs, both static. I have GRE/IPSec tunnels I’d like to have up on both circuits simultaneously. I think I’m having trouble in properly mangling traffic in the output chain. See configs below:
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=vlan-100_comcast log-prefix="" new-connection-mark=conn_comcast passthrough=yes
add action=mark-routing chain=output connection-mark=conn_comcast log-prefix="" new-routing-mark=route_comcast passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_comcast log-prefix="" new-routing-mark=route_comcast passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=pppoe_centurylink log-prefix="" new-connection-mark=conn_centurylink passthrough=yes
add action=mark-routing chain=output connection-mark=conn_centurylink log-prefix="" new-routing-mark=route_centurylink passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_centurylink log-prefix="" new-routing-mark=route_centurylink passthrough=no
add action=jump chain=prerouting jump-target=mangle_out-lan log-prefix="" src-address=192.168.3.0/25
add action=mark-connection chain=mangle_out-lan connection-mark=no-mark log-prefix="" new-connection-mark=conn_lan passthrough=yes
add action=mark-packet chain=mangle_out-lan connection-mark=conn_lan log-prefix="" new-packet-mark=packet_out-lan passthrough=yes
add action=mark-routing chain=mangle_out-lan log-prefix="" new-routing-mark=route_comcast packet-mark=packet_out-lan passthrough=no
add action=jump chain=prerouting jump-target=mangle_out-wlan log-prefix="" src-address=192.168.3.128/26
add action=mark-connection chain=mangle_out-wlan connection-mark=no-mark log-prefix="" new-connection-mark=conn_wlan passthrough=yes
add action=mark-packet chain=mangle_out-wlan connection-mark=conn_wlan log-prefix="" new-packet-mark=packet_out-wlan passthrough=yes
add action=mark-routing chain=mangle_out-wlan log-prefix="" new-routing-mark=route_comcast packet-mark=packet_out-wlan passthrough=no
add action=jump chain=prerouting jump-target=mangle_out-guest log-prefix="" src-address=192.168.3.192/27
add action=mark-connection chain=mangle_out-guest connection-mark=no-mark log-prefix="" new-connection-mark=conn_guest passthrough=yes
add action=mark-packet chain=mangle_out-guest connection-mark=conn_guest log-prefix="" new-packet-mark=packet_out-guest passthrough=yes
add action=mark-routing chain=mangle_out-guest log-prefix="" new-routing-mark=route_centurylink packet-mark=packet_out-guest passthrough=no
add action=jump chain=prerouting jump-target=mangle_out-vpn log-prefix="" src-address=192.168.3.224/27
add action=mark-connection chain=mangle_out-vpn connection-mark=no-mark log-prefix="" new-connection-mark=conn_vpn passthrough=yes
add action=mark-packet chain=mangle_out-vpn connection-mark=conn_vpn log-prefix="" new-packet-mark=packet_out-vpn passthrough=yes
add action=mark-routing chain=mangle_out-vpn log-prefix="" new-routing-mark=route_comcast packet-mark=packet_out-vpn passthrough=no
/ip firewall nat
add action=src-nat chain=srcnat log-prefix="" out-interface=vlan-100_comcast routing-mark=route_comcast to-addresses=1.1.1.2
add action=src-nat chain=srcnat log-prefix="" out-interface=pppoe_centurylink routing-mark=route_centurylink to-addresses=2.2.2.2
/ip route
add distance=1 gateway=2.2.2.1 pref-src=2.2.2.2 routing-mark=route_centurylink
add distance=1 gateway=1.1.1.1 pref-src=1.1.1.2 routing-mark=route_comcast
add distance=100 gateway=1.1.1.1
add distance=1 dst-address=10.4.20.48/28 gateway=172.16.64.2
add distance=1 dst-address=10.4.22.32/27 gateway=172.16.64.2
add comment=LAN distance=1 dst-address=192.168.3.0/25 gateway=172.16.64.2
add comment=WLAN distance=1 dst-address=192.168.3.128/26 gateway=172.16.64.2
add comment=Guest distance=1 dst-address=192.168.3.192/27 gateway=172.16.64.2
/ip address
add address=172.16.64.1/29 interface=ether1 network=172.16.64.0
add address=10.4.10.50/28 interface=vlan-42_management network=10.4.10.48
add address=1.1.1.2/30 interface=vlan-100_comcast network=1.1.1.0
add address=172.16.240.2/30 interface=gre-01-comcast network=172.16.240.0
add address=2.2.2.2/29 interface=pppoe_centurylink network=2.2.2.0
It all works, so long as I have the non-marked gateway added. Without that, traffic from the router isn’t marked. I understand that I should need an action similar to:
add action=mark-routing chain=output new-routing-mark=route_comcast
But adding this means deciding somehow what traffic that applies to, as it tends to mess with local traffic destined for the router, as well. Using the dst-address-type will apply to any address on any of the router’s interfaces, so I don’t think that’s what I need; do I need to maintain an address list of local networks and match against that? Seems a little silly, so I’m hoping there’s a better way.
So, basically I’d like to know what I need in order to move traffic destined to/coming from the router (DNS, NTP, GRE, IPSec, PPTP, etc) between route marks. Let me know if I can provide anything else. Thanks!
Edit:
I should add GRE/IPSec config:
/interface gre
add !keepalive local-address=2.2.2.2 name=gre-01-centurylink remote-address=3.3.3.2
add !keepalive local-address=1.1.1.2 name=gre-01-comcast remote-address=3.3.3.2
/ip ipsec peer
add address=3.3.3.2/32 enc-algorithm=aes-128 local-address=1.1.1.2 nat-traversal=no secret=123
add address=3.3.3.2/32 enc-algorithm=aes-128 local-address=2.2.2.2 nat-traversal=no secret=123
/ip ipsec policy
add dst-address=3.3.3.2/32 protocol=gre sa-dst-address=3.3.3.2 sa-src-address=1.1.1.2 src-address=1.1.1.2/32
add dst-address=3.3.3.2/32 protocol=gre sa-dst-address=3.3.3.2 sa-src-address=2.2.2.2 src-address=2.2.2.2/32
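Added example, not part of the original post: one way to give the router-originated tunnel traffic a per-circuit routing mark in the output chain, written in the same RouterOS v6 syntax as the configs above. It assumes that, because both GRE interfaces and both IPsec peers have an explicit local-address, the GRE, ESP and IKE packets the router generates towards 3.3.3.2 carry 1.1.1.2 or 2.2.2.2 as their source, so the output chain can key on src-address instead of on a list of local networks; the routing-mark=no-mark matcher keeps these rules from touching reply traffic that the existing connection-mark rules have already marked.

```routeros
/ip firewall mangle
# Router-originated GRE (and the ESP/IKE that wraps it) sourced from the
# Comcast endpoint address must be looked up in the Comcast table.
add chain=output src-address=1.1.1.2 dst-address=3.3.3.2 routing-mark=no-mark \
    action=mark-routing new-routing-mark=route_comcast passthrough=no \
    comment="gre-01-comcast and its IPsec peer: leave via Comcast"
# Same tunnel peer, sourced from the CenturyLink endpoint address.
add chain=output src-address=2.2.2.2 dst-address=3.3.3.2 routing-mark=no-mark \
    action=mark-routing new-routing-mark=route_centurylink passthrough=no \
    comment="gre-01-centurylink and its IPsec peer: leave via CenturyLink"
```

With these in place each tunnel is pinned to the circuit its local-address belongs to regardless of which unmarked default route is active; other router-originated services (DNS, NTP) keep following the unmarked route unless they get a rule of their own.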