Mangle Rules Help

I’m trying to configure an RB493 with two WAN interfaces on ether4 and ether7. I want to configure it so that traffic from the outside leaves on the interface that it came in on. I thought I had this figured out once before, but it is not working now. Here is what I’m using. Any help would be appreciated:

/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark local destinations to use main routing table" disabled=no dst-address-list=localIPs new-routing-mark=main passthrough=yes

add action=mark-connection chain=prerouting comment="mark connections for traffic coming in on ether4" connection-state=new disabled=no in-interface=ether4 new-connection-mark=ether4_con passthrough=yes

add action=mark-connection chain=prerouting comment="mark connections for traffic coming in on ether7" connection-state=new disabled=no in-interface=ether7 new-connection-mark=ether7_con passthrough=yes

add action=mark-routing chain=prerouting comment="mark ether4 connections as ether4" connection-mark=ether4_con disabled=no new-routing-mark=ether4 passthrough=yes

add action=mark-routing chain=prerouting comment="Mark ether7 connections as ether7" connection-mark=ether7_con disabled=no new-routing-mark=ether7 passthrough=yes

add action=mark-routing chain=output comment="mark ether4 connections as ether4" connection-mark=ether4_con disabled=no new-routing-mark=ether4 passthrough=yes

add action=mark-routing chain=output comment="Mark ether7 connections as ether7" connection-mark=Raven_con disabled=no new-routing-mark=ether7 passthrough=yes

/ip route rule
add action=lookup comment="" disabled=no routing-mark=main table=main
add action=lookup comment="" disabled=no routing-mark=ether4 table=ether4
add action=lookup comment="" disabled=no routing-mark=ether7 table=ether7


/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=x.x.x.x routing-mark=ether4 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=y.y.y.y routing-mark=ether7 scope=30 target-scope=10

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether4
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether7

Try this instead.

http://wiki.mikrotik.com/wiki/Manual:PCC#Policy_routing

Your chains are wrong for the rules.

Use these for traffic coming to and from the router itself.

add action=mark-connection chain=input disabled=no in-interface=ether4 new-connection-mark=ether4_con passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=ether7 new-connection-mark=ether7_con passthrough=yes
add action=mark-routing chain=output connection-mark=ether4_con disabled=no new-routing-mark=ether4 passthrough=no
add action=mark-routing chain=output connection-mark=ether7_con disabled=no new-routing-mark=ether7 passthrough=no

Use this set for traffic being forwarded over the router to something behind it:

add action=mark-connection chain=forward connection-state=new disabled=no in-interface=ether1 new-connection-mark=ether4_con passthrough=no
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=ether2 new-connection-mark=ether7_con passthrough=no
add action=mark-routing chain=prerouting connection-mark=ether4_con disabled=no in-interface=LAN new-routing-mark=ether4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ether7_con disabled=no in-interface=LAN new-routing-mark=ether7 passthrough=no
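
A consistency check for mark names in a configuration like the one posted in this thread. This is an added example, not part of any post and not a MikroTik tool. It reports mangle rules that match a connection mark no rule sets, or that assign a routing mark no route uses. It does not judge chain placement. The function names and the trimmed sample are assumptions made for the example.

```python
import shlex

# Constructed sample: rules trimmed from the question (comments and disabled=no dropped).
SAMPLE = """\
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=ether4 new-connection-mark=ether4_con passthrough=yes
add action=mark-connection chain=prerouting connection-state=new in-interface=ether7 new-connection-mark=ether7_con passthrough=yes
add action=mark-routing chain=output connection-mark=ether4_con new-routing-mark=ether4 passthrough=yes
add action=mark-routing chain=output connection-mark=Raven_con new-routing-mark=ether7 passthrough=yes
/ip route
add distance=2 dst-address=0.0.0.0/0 gateway=x.x.x.x routing-mark=ether4
add distance=1 dst-address=0.0.0.0/0 gateway=y.y.y.y routing-mark=ether7
"""

def parse_export(text):
    """Return {menu path: [property dict per 'add' line]} for export-style text."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            # shlex keeps quoted comment="..." values together as one token
            tokens = shlex.split(line[4:])
            menus[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus

def check_marks(text):
    """List mark references that nothing else in the export defines."""
    menus = parse_export(text)
    mangle = menus.get("/ip firewall mangle", [])
    routes = menus.get("/ip route", [])
    set_marks = {r["new-connection-mark"] for r in mangle if "new-connection-mark" in r}
    routed = {r["routing-mark"] for r in routes if "routing-mark" in r}
    problems = []
    for i, rule in enumerate(mangle, 1):
        cm = rule.get("connection-mark")
        if cm and cm not in set_marks:
            problems.append(f"mangle rule {i}: connection-mark={cm} is never set")
        rm = rule.get("new-routing-mark")
        if rm and rm != "main" and rm not in routed:
            problems.append(f"mangle rule {i}: no route with routing-mark={rm}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_marks(SAMPLE)) or "mark names are consistent")
```
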