Policy Base Routing problem

Hi there!
I want to reach a particular website via VPN, not over my main internet connection. I found a simple manual, Policy Base Routing (http://wiki.mikrotik.com/wiki/Policy_Base_Routing), with a good example of what I need. I did everything according to the instructions, as follows:

/ip firewall mangle add chain=prerouting src-address=192.168.150.0/24 content=facebook action=mark-routing new-routing-mark=Through_VPN
/interface pptp-client add connect-to="My VPN Connection" allow=pap,chap,mschap1,mschap2 name="My VPN" user="Reza Moghadam" password="Reza Moghadam" add-default-route=no
/ip route add dst-address=0.0.0.0/0 gateway="My VPN" routing-mark=Through_VPN
/ip firewall nat add chain=srcnat src-address=192.168.150.0/24 out-interface="My VPN" action=masquerade

But it didn't work. The website is unreachable.
Any ideas?
Thank you!

PS: Using RB750G with RoS 6.04

bump!

Does nobody know? Or did I make a mistake somewhere in describing my problem? Help, please.

You should make sure your vpn connection works before trying the PBR. From your first post, it looks like you just copied from the wiki - which is just an example. You will need to replace a lot of information in the example with your VPN IP address, credentials, along with your subnet, packet marking criteria, etc.

Np, look at my config.

/interface pptp-client add connect-to=blablalba allow=pap,chap,mschap1,mschap2 name="Comodo" user=1 password=2 add-default-route=no

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=pandora.com new-connection-mark=forwarded-dns protocol=udp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=last.fm new-connection-mark=forwarded-dns protocol=udp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=lastfm.ru new-connection-mark=forwarded-dns protocol=udp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=pandora.com new-connection-mark=forwarded-dns protocol=tcp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=lastfm.ru new-connection-mark=forwarded-dns protocol=tcp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=last.fm new-connection-mark=forwarded-dns protocol=tcp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=rdio.com new-connection-mark=forwarded-dns protocol=udp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=rdio.com new-connection-mark=forwarded-dns protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-address=192.168.88.1 dst-port=53 layer7-protocol=tunlr.net new-connection-mark=forwarded-dns protocol=udp
add action=mark-connection chain=prerouting disabled=yes dst-address=192.168.88.1 dst-port=53 layer7-protocol=tunlr.net new-connection-mark=forwarded-dns protocol=tcp
add action=mark-routing chain=prerouting content=2ip new-routing-mark=comodo passthrough=no src-address=192.168.88.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment=through_comodo out-interface=Comodo src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=:::http://tunlr.net:::DNS:::LAYER7 connection-mark=forwarded-dns to-addresses=69.197.169.9

/ip route print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          Comodo                    1
 1 ADS  0.0.0.0/0                          10.40.0.1                 1
 2 ADC  10.40.0.1/32       xx.xx.xx.xx  pppoe-out1                0
 3 ADC  10.80.22.0/24      10.80.22.61     ether1-gateway            0
 4 ADC  172.20.2.1/32      172.20.2.156    Comodo                    0
 5 ADC  192.168.88.0/24    192.168.88.1    ether2-local-ma...        0
 6 ADC  192.168.88.210/32  192.168.88.1    <pptp-xxx>              0
 7 ADC  192.168.137.0/24   192.168.137.231 ether1-gateway            0

/ip route
add distance=1 gateway=Comodo routing-mark=comodo

/ip address print  
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    ether2-local-master                    
 1   ;;; Static Ether1 IP
     192.168.137.231/24 192.168.137.0   ether1-gateway                         
 2 D 10.80.22.61/24     10.80.22.0      ether1-gateway                         
 3 D 91.xxx.114.xxx/32  10.40.0.1       pppoe-out1                             
 4 D 172.20.2.158/32    172.20.2.1      Comodo
 5 D 192.168.88.1/32    192.168.88.210  <pptp-xyz>

When I disable the prerouting mark rule or the routing rule, the website is reachable. Also, the masquerade rule with out-interface Comodo shows no traffic at all.

Do you see mistake in config?

Thank you.

It may be because you need to mark all packets with the routing-mark, and content= doesn't do this. Perhaps setting a connection-mark and then applying the routing-mark based on this (in the outbound direction only) would help.


Matt.

Here is the wiki sample

/ip firewall mangle add chain=prerouting src-address=192.168.150.0/24 content=facebook action=mark-routing new-routing-mark=Through_VPN
/interface pptp-client add connect-to="My VPN Connection" allow=pap,chap,mschap1,mschap2 name="My VPN" user="Reza Moghadam" password="Reza Moghadam" add-default-route=no
/ip route add dst-address=0.0.0.0/0 gateway="My VPN" routing-mark=Through_VPN
/ip firewall nat add chain=srcnat src-address=192.168.150.0/24 out-interface="My VPN" action=masquerade

Here is yours

/ip firewall mangle add action=mark-routing chain=prerouting content=2ip new-routing-mark=comodo passthrough=no src-address=192.168.88.0/24
/interface pptp-client add connect-to=blablalba allow=pap,chap,mschap1,mschap2 name="Comodo" user=1 password=2 add-default-route=no
/ip route add distance=1 gateway=Comodo routing-mark=comodo
/ip firewall nat add action=masquerade chain=srcnat comment=through_comodo out-interface=Comodo src-address=192.168.88.0/24

Looks like the only thing different is your route. Can you change yours to

/ip route add dst-address=0.0.0.0/0 gateway=Comodo routing-mark=comodo

to see if it makes any difference?

No, no difference.

I would change your content criteria and perhaps see if any traffic will work over your vpn connection. If you remove the content option and set the src-address to just one IP address, see if you can get it to work. This would just mean you need a better way to identify the traffic.

OK. Trying to do this via layer7-protocol.

/ip firewall layer7-protocol add name=2ip.ru regexp=2ip.ru

/ip firewall mangle add action=mark-routing chain=prerouting comment="" disabled=no layer7-protocol="2ip.ru" new-routing-mark="comodo" passthrough=yes

/ip route add dst-address=0.0.0.0/0 gateway="myvpn1" routing-mark=comodo

Still not working, website 2ip.ru is unreachable. But it should work and show the VPN's IP address.
Any ideas, again :) ?
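For reference, here is a complete policy-routing setup for this scenario, written as an added example; it is not the thread's, the wiki's, or MikroTik's own configuration. The reason both the content= and the layer7-protocol attempts fail is the same: those matchers only fire on packets that actually carry the string, so the TCP handshake (which has no payload) leaves via the main default route, and only the later packets of the same connection get the routing mark. The remote server then sees one connection arriving from two different public addresses and the session breaks. Marking by destination address list instead marks the very first packet. The VPN server name, credentials, the target address 198.51.100.10 and the names via-vpn, vpn-conn and comodo are assumed placeholders; the syntax is RouterOS 6.x and the commands were not run on an RB750G.

```routeros
# Added example (not from the thread): route traffic to one destination through
# a PPTP client interface. Assumed placeholders: LAN 192.168.88.0/24, tunnel
# interface "Comodo", target server 198.51.100.10 (resolve it first with
# :put [:resolve 2ip.ru]), VPN host/user/password.

# 1. Tunnel. add-default-route=no keeps it from taking over all traffic.
/interface pptp-client
add name=Comodo connect-to=vpn.example.net user=vpnuser password=vpnpass \
    allow=mschap2 add-default-route=no disabled=no

# 2. Destinations to send through the tunnel, as an address list rather than a
#    content= or layer7 match, so the first packet of a connection is matched.
/ip firewall address-list
add list=via-vpn address=198.51.100.10 comment="2ip.ru (assumed address)"

# 3. Mark the connection once, then give every LAN-originated packet of that
#    connection the routing mark. src-address on the second rule keeps reply
#    packets coming back from the tunnel out of the "comodo" table.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=via-vpn \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=vpn-conn passthrough=yes
add chain=prerouting src-address=192.168.88.0/24 connection-mark=vpn-conn \
    action=mark-routing new-routing-mark=comodo passthrough=no

# 4. Default route in the marked table only; the main default route is untouched.
/ip route
add dst-address=0.0.0.0/0 gateway=Comodo routing-mark=comodo distance=1

# 5. Source NAT behind the tunnel address; without it the VPN side drops
#    packets sourced from 192.168.88.x.
/ip firewall nat
add chain=srcnat out-interface=Comodo action=masquerade

# Checks, in the order the packet travels: tunnel up, mangle counters moving,
# route present in the marked table, marked connections, traffic on the tunnel.
/interface pptp-client monitor Comodo once
/ip firewall mangle print stats
/ip route print where routing-mark=comodo
/ip firewall connection print where connection-mark=vpn-conn
/tool torch interface=Comodo dst-address=198.51.100.10
```

If the mangle counters stay at zero, the matcher is wrong (check the resolved address against the list); if they count but torch on Comodo shows nothing, the routing mark is not reaching a usable route (check the tunnel is up and the route is active). Content-based matching also cannot see the Host header inside HTTPS, so an address list is the only reliable classifier for encrypted sites.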

Hi,
did you solve this problem?