I have ROS as a PPTP client, and I made a routing mark so that when expected clients (192.168.10.181 here) access the subnet (10.179.x.x) they will use the PPTP tunnel. Somehow, if I add 0.0.0.0/0 routing-mark=xxx, then it doesn't work at all, because I have many subnets that need to pass through the PPTP tunnel to be reached.
Following is my key config.
ROS version: hAP ac2, 6.44.5
If I enable 0.0.0.0/0 in ip/routes, I am not even able to reach 10.179.0.0/16, even if I set the distance to 2 for 0.0.0.0/0.
Can someone help?
That should work. You are specifying the dst-address as the LAN subnet which won’t work.
Without self-advertising too much, I recently did a quick video on how to do policy-based routing in the way you are using it here.
Looking at Mangle, are you seeing both rules' counters increment?
Establish that you are marking correctly first.
Looking at your mangle rules, I would have probably approached it like this:
#NAT (In my mind this adds another layer of security so you don't NAT traffic up the VPN that shouldn't go up there)
add action=masquerade chain=srcnat comment=pptp-tashi out-interface=tashivp connection-mark=conn_tashi routing-mark=route_ta
#Mangle (Rules have been simplified, why would you tell the router not to route to LAN traffic? If it's on the LAN then the router won't route it anyway)
add action=mark-connection chain=prerouting comment="nintendo switch" new-connection-mark=conn_tashi passthrough=yes src-address=192.168.10.181
add action=mark-routing chain=prerouting connection-mark=conn_tashi new-routing-mark=route_ta passthrough=no src-address=192.168.10.181
#route table (as per my initial post)
add distance=1 dst-address=0.0.0.0/0 gateway=tashivpn routing-mark=route_ta
The distance parameter only matters when several routes have exactly the same dst-address - otherwise a more narrow dst-address prefix matching the destination address of the packet always beats any wider one(s) also matching it.
I didn't get from your description whether the client can reach 10.179.x.x if you only have a route with routing-mark=xxx for that single destination subnet, and no route with routing-mark=xxx for 0.0.0.0/0. If you cannot, I'd assume you have an action=fasttrack-connection rule in /ip firewall filter, which causes most packets to bypass the handling in mangle completely, and thus take the wrong route.
To avoid these ifs and maybes, it is always better to post the complete configuration following the hint in my automatic signature below.
The issue I experienced comes from my two requests:
all clients need to access 10.179.0.0/16, which is behind the PPTP tunnel
some specified clients always use the PPTP tunnel.
At the beginning, I wanted to combine them into one group of rules.
I finally figured it out. But I still don't know why my conf was not working at first.
I don't need to use a routing mark when clients access 10.179.x.x; adding a normal IP route is fine for that.
For clients that need to use the PPTP tunnel, I use the routing mark, and then everything is fine.
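The two requirements handled separately, as the original poster ended up doing, written out as an added example (not configuration posted in this thread). The interface name tashivpn, the client 192.168.10.181 and the marks conn_tashi/route_ta come from the thread; the LAN range 192.168.10.0/24 and the fasttrack rule are assumptions.

```routeros
# Requirement 1: every client reaches 10.179.0.0/16 through the tunnel.
# A plain route in the main table is enough; the /16 prefix is narrower
# than the default route, so it wins regardless of distance.
/ip route
add dst-address=10.179.0.0/16 gateway=tashivpn comment="subnet behind pptp"

# Requirement 2: selected clients send everything through the tunnel.
# Mark the connection once on its first packet, then mark routing on
# every packet that belongs to a marked connection.
/ip firewall mangle
add chain=prerouting src-address=192.168.10.181 connection-state=new \
    action=mark-connection new-connection-mark=conn_tashi passthrough=yes \
    comment="nintendo switch"
add chain=prerouting connection-mark=conn_tashi \
    action=mark-routing new-routing-mark=route_ta passthrough=no

# Default route that only packets carrying route_ta can use; unmarked
# traffic never sees it, so the main table's default route is untouched.
/ip route
add dst-address=0.0.0.0/0 gateway=tashivpn routing-mark=route_ta distance=1

# Source NAT for whatever leaves through the tunnel interface.
/ip firewall nat
add chain=srcnat out-interface=tashivpn action=masquerade comment=pptp-tashi

# Caveat raised in the thread (assumed rule): fasttrack lets established
# packets skip mangle, so keep marked connections out of it, placed
# before the existing fasttrack rule at the top of the forward chain.
/ip firewall filter
add chain=forward connection-state=established,related \
    connection-mark=!conn_tashi action=fasttrack-connection place-before=0
```

Check the counters of the two mangle rules while the client generates traffic; if the mark-routing counter stays at zero for established flows, a fasttrack rule is still catching them.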