Mark routing to establish SSTP not working

Can someone help me with this?

I have in the mangle rules

/ip firewall mangle add action=mark-routing chain=output comment="Establish SSTP via LTE" dst-address=1.2.3.4 dst-port=443 new-routing-mark=LTE passthrough=no protocol=tcp

This is placed at the very top; no further mangle rules would affect this (even if it were placed further down).

If I enable logging on the destination (also a MikroTik router) I can see packets are coming in from the device and hitting the destination router just fine, but the tunnel simply will not establish.
If I don't use mangle and instead use

/ip route add comment="Reach SSTP Servers Public IP via LTE" distance=1 dst-address=1.2.3.4/32 gateway=192.168.11.1

it works perfectly fine. It's definitely not an issue with the LTE interface, or routing in the carrier's network etc.; it clearly works fine. However, using mangle to specify it should use another routing table does not work.

I can't use a static route in the main routing table because that public IP address is used for other purposes; I 'only' want the SSTP tunnel to establish over LTE, all other traffic should use the main link.
Help?

I would expect it's due to the fact that by the time a routing mark gets assigned in the output chain, the source address is already chosen - see the packet flow diagram. So although it seems strange, you have to use an action=masquerade rule for traffic sent by the router itself if you assign routing marks in output.

Bingo, you nailed it. Never would have thought that.
I did log the packets at the server side and it shows the packets coming in from the 'correct' IP (NAT'd by the LTE router) and packets therefore should get sent back correctly. I guess that's not enough, and it would have been a nightmare to troubleshoot.

Since I don't want to use this LTE interface for anything at all except as a backup tunnel, doing a very specific masquerade rule including protocol=tcp, dst-port=443 and dst-address=1.2.3.4 is enough.

Sure it is, because the response packets from the SSTP server reach the LTE router, the LTE router un-src-nats them, but as it has no specific route back to the IP of the primary WAN of the SSTP client MikroTik, it sends them via its WAN gateway using its default route.
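The complete set of rules the thread arrives at (routing-mark in output plus the matching masquerade so the source address is rewritten to the LTE-side address), written out as an added example rather than copied from any post. It assumes RouterOS v6 syntax (routing-mark= on the route; v7 uses routing-table= and needs /routing table add name=LTE fib first) and that the LTE-facing interface is called lte1.

```routeros
# Added example, not from the original thread. Assumes RouterOS v6 and an
# LTE-facing interface named lte1; 1.2.3.4 and 192.168.11.1 come from the posts.

# 1. A default route that only applies to packets carrying the LTE routing mark.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.11.1 routing-mark=LTE \
    comment="Default route for the LTE routing table"

# 2. Mark router-originated SSTP traffic in the output chain so it is routed via LTE.
#    The source address was already picked (primary WAN) before this rule runs.
/ip firewall mangle add chain=output action=mark-routing new-routing-mark=LTE \
    passthrough=no protocol=tcp dst-address=1.2.3.4 dst-port=443 \
    comment="Establish SSTP via LTE"

# 3. Rewrite the source address to the lte1 address for exactly that traffic.
#    Without this the server's replies, once un-NATed by the LTE router, are
#    addressed to the primary WAN IP and leave via the LTE router's default route.
/ip firewall nat add chain=srcnat action=masquerade out-interface=lte1 \
    protocol=tcp dst-address=1.2.3.4 dst-port=443 \
    comment="Masquerade SSTP traffic that was routing-marked in output"
```

Keep the NAT match as narrow as the mangle match (same protocol, destination and port) so no other router-originated traffic is pushed out over the backup link.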