Ping not working in policy based routing

ecea · May 19, 2016, 2:41pm

Hello.

I have a CCR with two WAN interfaces and several private networks that connect to Internet through one of the WAN interfaces. Routing decision is based on IP address and managed with routing-marks that are set on prerouting chain.

Almost everything works except that I can’t ping from one host to any of the router interfaces. I can view the router web admin, I can ping 8.8.8.8 and even ping the gateway on 192.168.1.1 but can’t ping 192.168.6.1 from any host on 192.168.5.0/24.

If I disable the routing rule saying that 192.158.6.0/24 goes through E2Fibra1 the ping works so I assume that the problem is related with routing rules but I’m really lost.

What I’m doing wrong?

Thanks a lot.

# may/19/2016 08:34:36 by RouterOS 6.35.1
# software id = FX2S-7PMX
#
/interface ethernet
set [ find default-name=ether1 ] name=E1Fibra0
set [ find default-name=ether2 ] name=E2Fibra1
set [ find default-name=ether3 ] name=E3administracion
set [ find default-name=ether4 ] name=E4electricidad
set [ find default-name=ether5 ] name=E5informatica
set [ find default-name=ether6 ] name=E6profesores
set [ find default-name=ether7 ] name=E7alumnos
set [ find default-name=ether8 ] name=E8config
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=pool_dhcp_profesores ranges=192.168.6.100-192.168.6.254
add name=pool_dhcp_alumnos ranges=192.168.7.210-192.168.7.254
/ip dhcp-server
add address-pool=pool_dhcp_profesores disabled=no interface=E6profesores \
    lease-time=6h name=dhcp1-profesores
add address-pool=pool_dhcp_alumnos disabled=no interface=E7alumnos \
    lease-time=50m name=dhcp2-alumnos
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    E8config network=192.168.88.0
add address=192.168.0.2/24 interface=E1Fibra0 network=192.168.0.0
add address=192.168.3.1/24 comment="Red dpto Administracion" interface=\
    E3administracion network=192.168.3.0
add address=192.168.6.1/24 comment="Red profesores" interface=E6profesores \
    network=192.168.6.0
add address=192.168.7.1/24 comment="Red alumnos" interface=E7alumnos network=\
    192.168.7.0
add address=192.168.4.1/24 comment="Red del dpto. de electricidad" interface=\
    E4electricidad network=192.168.4.0
add address=192.168.5.1/24 comment="Red dpto. Inform\E1tica" interface=\
    E5informatica network=192.168.5.0
add address=192.168.1.2/24 interface=E2Fibra1 network=192.168.1.0
/ip dhcp-server network
add address=192.168.6.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.6.1
add address=192.168.7.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.7.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=E3administracion \
    new-routing-mark=ADMIN passthrough=no
add action=mark-routing chain=prerouting in-interface=E4electricidad \
    new-routing-mark=ELEC passthrough=no
add action=mark-routing chain=prerouting in-interface=E5informatica \
    new-routing-mark=INFO passthrough=no
add action=mark-routing chain=prerouting in-interface=E6profesores \
    new-routing-mark=PROF passthrough=no
add action=mark-routing chain=prerouting in-interface=E7alumnos \
    new-routing-mark=ALUM passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=E1Fibra0
add action=masquerade chain=srcnat out-interface=E2Fibra1
/ip route
add comment="Administraci\F3n sale por Fibra1" distance=1 gateway=192.168.1.1 \
    routing-mark=ADMIN
add comment="Electricidad sale por Fibra0" distance=1 gateway=192.168.0.1 \
    routing-mark=ELEC
add comment="Inform\E1tica sale por Fibra1" distance=1 gateway=192.168.1.1 \
    routing-mark=INFO
add comment="Profesores salen por Fibra0" distance=1 gateway=192.168.0.1 \
    routing-mark=PROF
add comment="Alumnos salen por Fibra0" distance=1 gateway=192.168.0.1 \
    routing-mark=ALUM
add comment="Todo lo dem\E1s sale por Fibra0" distance=2 gateway=192.168.0.1
/lcd
set time-interval=hour
/system clock
set time-zone-name=Europe/Madrid
/system leds
set 0 interface=sfp-sfpplus1
set 1 interface=sfp-sfpplus1
set 2 interface=sfp1
/system resource irq rps
set sfp-sfpplus1 disabled=no
set sfp1 disabled=no
set E5informatica disabled=no
set E6profesores disabled=no
set E7alumnos disabled=no
set E8config disabled=no
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR protected-routerboot=\
    disabled
/tool graphing interface
add
/tool graphing resource
add
/tool romon port
add

ecea · May 24, 2016, 3:11pm

Hello.

I happily solved the problem adding dst-address-type=!local in the mangle rules so it looks like this:

add action=mark-routing chain=prerouting in-interface=E3administracion  dst-address-type=!local new-routing-mark=ADMIN passthrough=no

Now packets to te router itself aren’t marked with any routing mark and everything seems to work ok.

But I can’t understand why it didn’t work before I added the dst-address-type=!local option. I think I don’t really understand routeros’ routing process when routing marks are set. Does anyone have any clue or a least a good resource to learn how mikrotik routing works.

Thanks a lot.