Issue with Routing to Container on MikroTik OS 7 Using Second IP

Hi everyone,

I have a MikroTik router running RouterOS 7 with a secondary IP (94.101.xx.xx). I can ping this secondary IP and VPN protocols work fine, but I cannot get a response from my container IP (192.168.70.10). I think the issue might be related to firewall/mangle or routing.

Here is my current configuration:

Firewall Mangle:

1 ;;; for second ip dont delete
chain=prerouting action=mark-connection 
new-connection-mark=conn-game-server passthrough=yes 
dst-address=94.101.xx.xx log=no log-prefix=""

2 ;;; for second ip - dont delete
chain=output action=mark-routing new-routing-mark=second_main 
passthrough=yes connection-mark=conn-game-server log=no log-prefix=""

IP Route:

0.0.0.0/0 via 94.101.xx.1
Routing table: second_main

Firewall NAT:

2 ;;; webpage
chain=dstnat action=dst-nat to-addresses=192.168.70.10 to-ports=80 
protocol=tcp dst-address=94.101.xx.xx dst-port=80 log=no log-prefix=""

Issue:

  • Can ping 94.101.xx.xx (secondary IP)

  • VPN protocols work

  • Cannot access container IP 192.168.70.10

I suspect it’s a routing or firewall/mangle issue.

Has anyone dealt with a similar setup? How can I properly route traffic from my second IP to my container?

DSTNAT to the container at 192.168.70.10 means forwarding and the input and output chains are not involved. Your mark-routing rule on chain output will do nothing.

You need to put the mark-routing rule on the prerouting chain, and add additional conditions such as in-interface-list/in-interface or src-address to limit the direction to the response packets only.

=== VRF Setup ===

/interface vrf
add name=second_main interface=ether2-XX.XX.XX.XX comment="VRF for second IP"

=== IP Assignment in VRF ===

/ip address
add address=XX.XX.XX.XX/22 interface=ether2 vrf=second_main comment="Secondary public IP"

=== Default Route in VRF ===

Note: @main ensures the gateway is resolved in the main routing table if needed

/ip route
add dst-address=0.0.0.0/0 gateway=YY.YY.YY.YY@main vrf=second_main comment="Default route for second_main VRF"

=== Mangle to Mark Incoming Traffic for VRF Routing ===

/ip firewall mangle
add chain=prerouting in-interface=ether2-XX.XX.XX.XX dst-address=XX.XX.XX.XX protocol=tcp dst-port=443 action=mark-routing new-routing-mark=second_main passthrough=yes comment="Mark SSTP traffic for VRF"

Not working, only ICMP works.

What are you doing? Did you ask AI to butcher your setup and make it more complicated? Why the need for VRF? If you don't absolutely need VRF, remove the VRF and use a simple setup with a secondary routing table.

Anyway, your mangle mark-routing rule uses wrong in-interface and other conditions. This is what I wrote above:

You use mark-routing for the response traffic from the container to the outside internet. What do you think will happen when you use in-interface=ether2-XX.XX.XX.XX, dst-address=WAN2IP and dst-port=443? Those aren't conditions that will match the response traffic.

If you use in-interface, specify the bridge interface of your container. If you use src-address, use 192.168.70.10. And if you need to match the port, use src-port=443 (but why 443 suddenly when in the OP you used port 80?). However, you don't need all those conditions at once for the mark-routing rule. Only the connection-mark and either in-interface or src-address are enough.
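For reference, here is a minimal non-VRF layout of what the last reply describes, written as an added example rather than configuration taken from either poster. It assumes the container is attached to a bridge named bridge-containers (hypothetical) and reuses the addresses and marks from the thread.

```routeros
# Added example, not from the thread. Assumptions: the container lives on
# "bridge-containers" (hypothetical name); 94.101.xx.xx is the secondary
# public IP, 94.101.xx.1 its gateway, 192.168.70.10 the container.

# Secondary routing table (RouterOS 7 needs the "fib" flag for a real FIB)
/routing table
add name=second_main fib

# Default route that only applies to packets carrying routing-mark=second_main
/ip route
add dst-address=0.0.0.0/0 gateway=94.101.xx.1 routing-table=second_main \
    comment="egress for traffic that arrived on the secondary IP"

/ip firewall mangle
# 1. Mark every connection that arrives at the secondary public IP.
#    This is the OP's rule; it belongs in prerouting and is fine as is.
add chain=prerouting action=mark-connection new-connection-mark=conn-game-server \
    passthrough=yes dst-address=94.101.xx.xx connection-state=new \
    comment="connections addressed to the second IP"
# 2. Policy-route the container's REPLY packets. They enter the router from the
#    container bridge with src-address=192.168.70.10, so the match must be on the
#    source side in chain=prerouting, not chain=output (the router never
#    originates these packets). Either in-interface or src-address is enough;
#    both are shown only to make the direction explicit.
add chain=prerouting action=mark-routing new-routing-mark=second_main \
    passthrough=no connection-mark=conn-game-server \
    in-interface=bridge-containers src-address=192.168.70.10 \
    comment="send container replies out via the second IP's gateway"

# Port forward for the web service (unchanged from the OP). Conntrack reverses
# the dst-nat on the replies, so no extra src-nat rule is needed for them.
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.70.10 to-ports=80 \
    protocol=tcp dst-address=94.101.xx.xx dst-port=80 comment="webpage"

# Checks: confirm the connection gets marked and the reply picks the right table.
/ip firewall connection print where connection-mark=conn-game-server
/ip route print where routing-table=second_main
```

If the forward chain of /ip firewall filter drops new connections to the container, a matching accept rule for connection-mark=conn-game-server is still required; the mangle rules above only steer the return path.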