Policy Routing Broken in Beta 9

I’ve seen others post this recently within other posts, but it seems to be getting overlooked so I’m posting a specific thread on it.

Policy routing seems completely broken in the latest Beta 9 (though some others have pointed out that it stopped working at Beta 7). Routing marks are not obeyed as they should be. Additionally, the Preferred Source address is being ignored. This all worked in 2.9.

Policy rules based on addresses and such seem to be OK; the problem is the routing marks. Marks are being ignored in both routing and policy rules.
I hope it will be fixed in the next release.

Try adding a routing rule (rule tab) that just specifies the same mark and the table name; this got it working for us… however, in 2.9 you didn't have to do that.

Sam

I tried that. No joy. I also could not get anything route-marked on the output chain to obey anything.

Was I wrong to think that routing marks make sense only in the prerouting chain, since after that the packet is past the routing decision?

That’s correct for packets passing through the router. When it’s a packet originated on the router, the documentation shows that it goes through Mangle before the routing decision, thus a mangle rule on the output chain should be able to add a route mark which is subsequently used to policy route the packet.

http://www.mikrotik.com/testdocs/ros/2.9/ip/flow_content.php#6.35.2

I have policy routing working in b9, but it was a little quirky at first. Here are my rules that work - anything coming in the l2tp tunnel gets marked so it can leave through the same tunnel using the public IP.

  • mark the incoming connection.
    /ip firewall mangle
    add action=mark-connection chain=prerouting comment="" \
        connection-state=new disabled=no in-interface=l2tp-PortableIP \
        new-connection-mark=pip-conn passthrough=yes

  • mark packets from that connection on PREROUTING
    add action=mark-packet chain=prerouting comment="" \
        connection-mark=pip-conn disabled=no new-packet-mark=pip-packet \
        passthrough=yes

  • mark packets from that connection on OUTPUT
    add action=mark-packet chain=output comment="" \
        connection-mark=pip-conn disabled=no new-packet-mark=pip-packet \
        passthrough=yes

  • mark routing for those packets in PREROUTING
    add action=mark-routing chain=prerouting comment="" disabled=no \
        new-routing-mark=pip packet-mark=pip-packet passthrough=no

  • mark routing for those packets in INPUT
    add action=mark-routing chain=input comment="" disabled=no \
        new-routing-mark=pip packet-mark=pip-packet passthrough=yes

  • mark routing for those packets in OUTPUT
    add action=mark-routing chain=output comment="" disabled=no \
        new-routing-mark=pip packet-mark=pip-packet passthrough=yes

And then in the routing table I have this; without this single rule it wouldn’t work at all:

/ip route rule
add action=lookup comment="" disabled=no routing-mark=pip table=pip

Sam

This is still broken. Even with the simple policy rule of routing-mark=xxx table=xxx, the preferred source of the connected route is overriding the preferred source of the default route in the xxx table.

This is still broken even in RC4. Hopefully this gets fixed before “release”.