and I have PPTP server on this mikrotik and pptp client connect successfully to server. I config routing for pptp client subnet on server. but there is no connection.after I just mark PPTP connection every thing is ok.
These two statements together don’t make sense to me. What exactly do you need to fix if everything is OK after marking the PPTP connection?
What happens is that you mark all outgoing connections using the PCC rules. So unless you
add routes to destinations accessible via the PPTP tunnel (dst-address=pptp.dst.sub.net/mask) with routing marks To_Shatel and To_Systec, or
use an /ip route rule add action=lookup-only-in-table table=main dst-address=pptp.dst.sub.net/mask to override the assigned routing-marks, or
make an exception mangle rule preventing the connections towards dst-address=ppto.dst.sub.net/mask from being connection-marked or routing-marked, or
assign dedicated connection and routing marks to connections towards dst-address=ppto.dst.sub.net/mask and a dedicated route with a dedicated routing-mark (which you apparently did),
there is no wonder that the route to pptp destinations in the default (main) routing table is not taken into account for the packets which should go to pptp destinations.
pptp client connect to systec wan address of pptp server.
I tested on by on seperatly:
add routes to destinations accessible via the PPTP tunnel (dst-address=pptp.dst.sub.net/mask) with routing marks To_Shatel and To_Systec, or
use an /ip route rule add action=lookup-only-in-table table=main dst-address=pptp.dst.sub.net/mask to override the assigned routing-marks, or
make an exception mangle rule preventing the connections towards dst-address=ppto.dst.sub.net/mask from being connection-marked or routing-marked, or
assign dedicated connection and routing marks to connections towards dst-address=ppto.dst.sub.net/mask and a dedicated route with a dedicated routing-mark (which you apparently did),
from lan 1 to lan 2 :
use an /ip route rule add action=lookup-only-in-table table=main dst-address=pptp.dst.sub.net/mask to override the assigned routing-marks
solved problem but pcc do not distribute any more after that!!
add routes to destinations accessible via the PPTP tunnel (dst-address=pptp.dst.sub.net/mask) with routing marks To_Shatel and To_Systec, or
and when I add route like below iand when I add route like below it didn’t work.t didn’t work.
A S 192.168.4.0/24 10.20.30.2 1 mark routing = TO_systec
make an exception mangle rule preventing the connections towards dst-address=ppto.dst.sub.net/mask from being connection-marked or routing-marked, or
assign dedicated connection and routing marks to connections towards dst-address=ppto.dst.sub.net/mask and a dedicated route with a dedicated routing-mark (which you apparently did)
I dont khow how to do it.
also when I add below mangel rule at the top it worked. but I dont khow why?
chain=prerouting action=accept dst-address=192.168.4.0/24
src-address-list=My Lan in-interface=ether3 log=no log-prefix=“”
this guide work also for lan 2 to lan 1
use an /ip route rule add action=lookup-only-in-table table=main dst-address=pptp.dst.sub.net/mask to override the assigned routing-marks
solved for lan 2 to lan 1 problem.
I want to khow that how do this by mangel.how to mark pptp and use that in routing by mark routing.
It seems to me that we don’t get each other properly. Please verify my understanding of your setup.
you have two WANs among which you want to distribute traffic between local devices and servers in the Internet using PCC
via one of those WANs, a PPTP tunnel to another site is established
you want to send the traffic between local devices and devices in the remote site’s LAN subnet via that PPTP tunnel; no PCC is assumed for this category of traffic because there is only one PPTP tunnel
Okay. So in that case I don’t get what you mean when you say that placing an exception rule for dst-address=the.remote.lan.subnet/mask in front of the PCC rules has prevented the PCC rules from working.
The idea is that by placing that rule in front of the PCC rules in the mangle table, with passthrough=no, you prevent packets for the LAN subnet of the remote site (which should be sent via the PPTP tunnel) from being connection marked and/or routing marked, so these connections will take the default (“main”) routing table. But all packets not matching the dst-address condition of this rule get further to the PCC rules (with passthrough=yes) and later to the action=mark-routing rules.
All the methods I’ve suggested have the same ultimate goal, they make packets towards the LAN subnet of the remote site be routed via the tunnel. Any of the following works:
preventing those packets from getting routing-marked at all (see above)
preventing those packets from being routed according to the already assigned routing mark by forcing them to use the default (“main”) routing table regardless their routing mark (this is what the /ip route rule does
providing a route via the PPTP tunnel also for routing-marked packets, i.e. adding a copy of such route with all routing-mark values which can be assigned
providing a dedicated routing-mark to those packets and a corresponding routing-marked route for them
The idea is that by placing that rule in front of the PCC rules in the mangle table, with passthrough=no, you prevent packets for the LAN subnet of the remote site (which should be sent via the PPTP tunnel) from being connection marked and/or routing marked, so these connections will take the default (“main”) routing table. But all packets not matching the dst-address condition of this rule get further to the PCC rules (with passthrough=yes) and later to the action=mark-routing rules.
the rules that you are taking about is below rules? just mark connection and route is enough or should use mark routing in added route in routing table?
0 X chain=prerouting action=mark-connection new-connection-mark=pptp-conn
passthrough=yes src-address-list=My Lan dst-address-list=PPTP
in-interface=ether3 log=no log-prefix=“”
1 X chain=prerouting action=mark-routing new-routing-mark=to-pptp
passthrough=no connection-mark=pptp-conn log=no log-prefix=“”
If I understand correctly all solution end to these point that pptp trafic Should not mark by pcc and if so, pptp traffic are handle by main routing table.
1- accept rule
for packets with no routing-mark assigned, only routes with no routing-mark are taken into account.
for packets with a routing-mark, routes with the same routing-mark are checked first; only if none of them matches, a second attempt is taken on routes with no routing-mark. This second attempt can be prevented by an /ip route rule with action=lookup-only-in-table (which can match on any combination of src-address, dst-address, and routing-mark)
even routes to “connected” subnets, i.e. those added dynamically with distance=0, are ignored by packets with a routing-mark assigned if a matching route with the same routing-mark exists for these packets.
Firewall rule chains of a given table are passed top to bottom. So the order of the rules in the chain matters. The /ip route rule list is also passed top to bottom, so the order also matters.
the connection-mark, if assigned to one packet belonging to a trackable connection, is then automatically re-assigned to all subsequent packets belonging to the same trackable connection as they arrive. On the contrary, the routing-mark is assigned only to the current packet, so it is not automatically inherited by other packets belonging to the same connection.
To be able to move further, which point of the above was new to you or you are not sure what I had in mind by that point?
I have full end to end (lan 1 to lan 2 and vice versa) connectivity by these 3 method:
1- just add these below 2 rule at the top of the pcc mangels : note that I just add and dont use "new-routing-mark=to-pptp " in added route to pptp subnet 192.168.4.0/24 as picture above shows.
for packets with a routing-mark, routes with the same routing-mark are checked first
if I dont specify "new-routing-mark=to-pptp " in
A S 192.168.4.0/24 10.20.30.2 1
it worked !! why?
0 X chain=prerouting action=mark-connection new-connection-mark=pptp-conn
passthrough=yes src-address-list=My Lan dst-address-list=PPTP
in-interface=ether3 log=no log-prefix=“”
1 X chain=prerouting action=mark-routing new-routing-mark=to-pptp
passthrough=no connection-mark=pptp-conn log=no log-prefix=“”
but when I use “new-routing-mark=to-pptp” in “ADC 10.20.30.2/32 10.20.30.1 0” is still working just from mikrotik 1 to lan 2 “admin prohibited” occure.
2- also by adding below accept rule in mangel it worked !! why?
So here a routing mark to-pptp was assigned to the packets, but as no route with the same routing-mark existed, the packets were routed according to routes without any routing mark, i.e. according to the default (“main”) routing table.
In 2. it worked because, as I wrote before:
So that action=accept rule in the /ip firewall mangle was likely before the action=mark-connection or at least before the action=mark-routing rules, so packet matching that rule were accepted and thus did not proceed to those further rules in the same chain (prerouting), and therefore did not get any routing-mark.
