Policy Base Routing not working

I am still new to RouterOS. Today I tried to set up a PPTP client on the CCR1009 which connects to the office VPN server, and I want only specific IPs to go through the PPTP connection. The CCR1009 IP range is 192.168.11.0/24, the office's VPN server gives out 192.168.10.2 to the CCR1009's PPTP client, and the office router IP is 192.168.1.1.

I set up a mangle rule as follows:
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=192.168.1.112 new-routing-mark=VPN_mark passthrough=no
and route:
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=Office_VPN routing-mark=VPN_mark
and NAT rules:
/ip firewall nat add action=masquerade chain=srcnat comment="VPN NAT" out-interface=Office_VPN
I can ping 192.168.1.1 but cannot ping or connect to 192.168.1.112.

But if I use a static route I can ping 192.168.1.112:
/ip route add distance=1 dst-address=192.168.1.0/24 gateway=JAhome_VPN

Why isn't the routing mark working?

I am also not that good at this. If you only use routing, then you have to route the returning packets as well.

I use connection marking for this because I am lazy. :wink:

Could you teach me how to use connection marking for policy-based routing? Still pulling my hair out :frowning:

Figured out I had rp_filter set to strict, so it won't work; if I set rp_filter to loose then it works correctly. But I have no idea why rp_filter=strict works for the static route but not for policy routing.

Because you have a better interface for your packets with the source address of your directly connected network. Maybe :slight_smile:

Interesting, so a policy-based route is not 100% identical to a static route...?

Of course not. A static route is a direction for a destination network, and PBR is managing by source network.

Thanks so much, I really need to study more about PBR vs static route :slight_smile:
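For reference, here is the connection-marking variant asked about above together with the rp-filter fix the thread arrived at, as an added example rather than any poster's own configuration. It assumes the LAN bridge is named "bridge", the PPTP client interface is "Office_VPN", and the main table's default route points at a separate WAN uplink; only the destination 192.168.1.112 from the thread is steered into the tunnel.

```routeros
# Added example, not from the thread. Assumed names: "bridge" (LAN), "Office_VPN" (PPTP client).

# Replies from 192.168.1.112 arrive on Office_VPN, but the main table's best
# route back to 192.168.1.112 is the WAN default (the VPN route only lives in
# the VPN_mark table). rp-filter=strict therefore drops the reply; loose only
# requires that some route to the source address exists.
/ip settings set rp-filter=loose

/ip firewall mangle
# 1. Mark the connection once, on its first packet from the LAN.
add chain=prerouting in-interface=bridge connection-state=new \
    dst-address=192.168.1.112 action=mark-connection \
    new-connection-mark=VPN_conn passthrough=yes comment="conn to 192.168.1.112"

# 2. Every later LAN->VPN packet of that connection gets the routing mark.
#    in-interface=bridge keeps the replies (same connection mark, but arriving
#    on Office_VPN) in the main table so they reach the LAN host normally.
add chain=prerouting in-interface=bridge connection-mark=VPN_conn \
    action=mark-routing new-routing-mark=VPN_mark passthrough=no

# 3. Marked packets use their own table with the tunnel as default gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=Office_VPN routing-mark=VPN_mark distance=1

# 4. Source NAT so the office side sees the tunnel address, not 192.168.11.x.
/ip firewall nat
add chain=srcnat out-interface=Office_VPN action=masquerade comment="VPN NAT"
```

To confirm the marks are being applied, watch the packet counters on the two mangle rules (/ip firewall mangle print stats) while pinging 192.168.1.112 from a LAN host; with rp-filter still at strict you would see the counters increase but no replies get through.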