MikroTik routing marks

Hi, everyone.

Got some problem, hope you can help handle it.

I have a pppoe link and a WAN that both go through the MikroTik.
I did a routing mark so some users can use gateway1: pppoe link and others gateway2: WAN.
It all works, but I receive this on the WAN gateway out.

video streaming.
" File reported.
If you having this message all the time, some third party applications might be blocking the video. Try this browser
"
It is not happening on the router WAN itself.

mangle: routing mark=route1 for pppoe, route2 for WAN
ip route 0.0.0.0/0 gateway pppoe link routing mark:route1
ip route 0.0.0.0/0 gateway WAN link routing mark:route2

What happens if you swap the routing mark for the device getting this message? Does it work through other gateway?

The problem is only on the gateway2. Any device going through that gateway receives the error.

Hi.
No clue for this issue?

Can you show us an export of your mangle rules?

I think the issue is you are not marking inbound traffic, just outbound so there is a possibility traffic is coming in through one WAN and then back out another hence getting this error.

Hi.

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=routing-001 passthrough=no src-address-list=users1
add action=mark-routing chain=prerouting new-routing-mark=routing-002 passthrough=no src-address-list=users2

and then

/ip route
add distance=1 gateway=ADSL router IP routing-mark=routing-001
add distance=1 gateway=pppoe-link routing-mark=routing-002

Yes. I think you need to mark your inbound packets so that return traffic goes up the right interface.
Similar to the below, I’ve tried to copy your routing mark to make it more relevant to you. You’ll need to add these as well as your other rules, I’d put these above your other rules.

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 new-connection-mark=connection-001 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=connection-001 new-routing-mark=routing-001 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=connection-002 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=connection-002 new-routing-mark=routing-002 passthrough=no

Hi.
Okay, Thanks! I’ll try it. I will be back.

I tried the above suggestion but it is not working. Traffic goes to the gateway pppoe link.

Hi.
No one has a solution?

Looks like it should work as long as your source nat/masquerade rules are set up correctly. Any traffic leaving each interface should return via it, given leaving packets will be presented with the IP of the egress interface.

How are your address lists defined, are they IP ranges for instance? So LAN1 (say 192.168.100.0/24) is users1 and LAN2 (say 192.168.200.0/24) is users2?

My guess is that there is a lack of definition around this part. If this is not clear you might need to mark connections first then mark routing; this way return traffic would be mapped to the connection, then a return routing rule is required with the same routing mark. That some of this is working is confusing.

Does flipping the active default route out make any difference to which interface has this problem associated with it?

I use one range for all.
One nat rule
all routes with routing marks are active.

I tried:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=connection-002 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=connection-002 new-routing-mark=routing-002 passthrough=no src-address-list=users2

/ip route
add distance=1 gateway=WAN2 routing-mark=routing-002
add distance=1 gateway=pppoe-link routing-mark=no

All of the users2 group's traffic goes to gateway pppoe, despite the routing mark. It should be going to WAN2.

Is it normal? What is wrong?
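
Why the two rules in the post above leave users2 traffic unmarked, as an added example that is not part of the original thread: a simplified Python model of prerouting mangle evaluation covering only the matchers used here. The LAN interface name, the sample addresses and the assumption that unmarked traffic follows the pppoe-link default route are constructed for illustration.

```python
# Simplified model of RouterOS prerouting mangle evaluation. Assumption: only the
# matchers and actions that appear in this thread are modelled.
USERS2 = {"192.168.100.50"}  # constructed address-list entry

def prerouting(rules, pkt, conn):
    """Walk the rules in order and return the routing mark the packet ends up with."""
    routing_mark = None
    for r in rules:
        if "in_interface" in r and r["in_interface"] != pkt["in_interface"]:
            continue
        if "src_address_list" in r and pkt["src"] not in r["src_address_list"]:
            continue
        if "connection_mark" in r:
            want = None if r["connection_mark"] == "no-mark" else r["connection_mark"]
            if conn["mark"] != want:
                continue
        if r["action"] == "mark-connection":
            conn["mark"] = r["new_mark"]
        elif r["action"] == "mark-routing":
            routing_mark = r["new_mark"]
        if not r["passthrough"]:
            break  # passthrough=no: stop evaluating this chain
    return routing_mark

# The two rules from the post above.
POSTED = [
    {"action": "mark-connection", "connection_mark": "no-mark", "in_interface": "WAN2",
     "new_mark": "connection-002", "passthrough": True},
    {"action": "mark-routing", "connection_mark": "connection-002",
     "src_address_list": USERS2, "new_mark": "routing-002", "passthrough": False},
]
# The earlier rule from the thread: match on src-address-list only.
ORIGINAL = [
    {"action": "mark-routing", "src_address_list": USERS2,
     "new_mark": "routing-002", "passthrough": False},
]
# None is the main table; assumption: its default route is pppoe-link.
TABLES = {None: "pppoe-link", "routing-002": "WAN2"}

def egress(rules, in_interface, src):
    """Gateway chosen for the first packet of a new connection."""
    conn = {"mark": None}
    mark = prerouting(rules, {"in_interface": in_interface, "src": src}, conn)
    return TABLES.get(mark, TABLES[None])

if __name__ == "__main__":
    print("posted rules   ->", egress(POSTED, "LAN", "192.168.100.50"))
    print("original rules ->", egress(ORIGINAL, "LAN", "192.168.100.50"))
```

A packet from a users2 host enters on the LAN side, so the in-interface=WAN2 rule never marks its connection and the mark-routing rule that requires connection-002 never matches; the packet falls through to the main table.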

Can we have two default routes to 0.0.0.0/0 active at the same time?
This might be related to the issue.

Do a full /export hide-sensitive so we can get an idea of your full setup.