PBR with remote LAN exclusion

Hi all.

I'm trying to configure Policy Based Routing for traffic from a specified local address:port, so that it is routed through a separate edge router (more details on the scheme).

I’ve added route rules like:

/ip route add gateway=10.10.10.1 
/ip route add gateway=10.10.10.2 routing-mark=via_ISP2

and I'm trying to add a mangle rule for RDP traffic from host 172.20.0.123:

/ip firewall mangle add chain=prerouting src-address=172.20.0.123 dst-address=!172.16.0.0/24 protocol=tcp src-port=3389 action=mark-routing \
new-routing-mark=via_ISP2 passthrough=no

Also, the specified port (3389/tcp) is published on the external interfaces of both edge routers (1.1.1.1:3389 at edge_router_1 and 2.2.2.2:3389 at edge_router_2).
There are no NAT rules on the central MikroTik; NAT is configured on the edge routers.

When I disable the mangle rule, 172.20.0.123 is reachable via RDP both from the external network (via edge_router_1) and from the remote office (using address 172.20.0.123).
When I enable the mangle rule, it is reachable only from the Internet (using address 2.2.2.2:3389); from the remote office the connection times out.

Can someone tell me where I've made a mistake?

Could you post:

/ip firewall mangle export

I'm curious whether you got the classful mask by not specifying one, or whether MikroTik made it a /32 like you're likely expecting. You could also match on the input interface.

I've resolved the issue. I didn't know about NAT on the remote network: all requests from the remote LAN are NATed to the remote peer IP address, which does not belong to the 172.16.0.0/24 subnet. This is an explicit rule that doesn't show in the Firewall NAT rules.

So, the remote VPN peer IP address is 10.10.12.3, and I've added the rule

/ip firewall mangle add chain=prerouting src-address=172.20.0.123 dst-address=!10.10.12.3 protocol=tcp src-port=3389 action=mark-routing \
new-routing-mark=via_ISP2 passthrough=no

And for now everything is working fine.
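A more maintainable form of the final exclusion, added here as an example and not taken from the poster's configuration: every destination that must stay on the main routing table (the remote office LAN and the VPN peer address that its traffic appears from after NAT) goes into one address list, so the rule no longer depends on a single /32 and new remote subnets can be excluded without touching the mangle rule. The list name no_pbr_dst is assumed; addresses are the ones given in the thread.

```routeros
# Destinations that must NOT be policy-routed to ISP2:
# the remote office LAN and the VPN peer address its traffic is NATed to
# (both values from the thread; list name is assumed).
/ip firewall address-list
add list=no_pbr_dst address=172.16.0.0/24 comment="remote office LAN"
add list=no_pbr_dst address=10.10.12.3 comment="remote VPN peer (NATed source of remote LAN)"

# Mark RDP replies from the published host for ISP2, except when the
# destination is in the exclusion list. protocol=tcp is needed for
# src-port to match; passthrough=no stops further mangle processing.
/ip firewall mangle
add chain=prerouting src-address=172.20.0.123 protocol=tcp src-port=3389 \
    dst-address-list=!no_pbr_dst action=mark-routing \
    new-routing-mark=via_ISP2 passthrough=no comment="RDP via ISP2"
```

To confirm the exclusion works, watch the rule's packet counter in /ip firewall mangle print stats while connecting from the remote office: a correctly excluded connection leaves the counter unchanged.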