Policy routing

There are two actions: lookup, lookup-only-in-table
What are the differences?

And how does it differ if I put a routing mark in firewall mangle?

“lookup - perform a lookup in routing tables.
lookup-only-in-table - perform lookup only in the specified routing table (see table parameter).”
https://help.mikrotik.com/docs/display/ROS/Policy+Routing#:~:text=lookup%20-%20perform%20a,table%20parameter).

"RouterOS gives you two options to choose from:

firewall mangle - it gives more control over the criteria to be used to steer traffic, for example, per connection or per packet balancing, etc. For more info on how to use mangle marking see Firewall Marking examples.
routing rules - a basic set of parameters that can be used to quickly steer traffic. This is the method we are going to use for our example."
https://help.mikrotik.com/docs/display/ROS/Policy+Routing#:~:text=RouterOS%20gives%20you,for%20our%20example.

Isn’t reading docs satisfying? :grinning_face:

Thank you, infabo!
I saw these docs, but they explain nothing - that's why I'm asking here.

lookup looks up first in the set table and, if the address/route is not found, also looks for it in the main/other table(s).
lookup-only-in-table looks up in the set table and, if the address/route is not found, gives up.

I believe we can say that you can do with mangle everything routing rules can do, but not the opposite.

Routing rules have fewer options, but when the available options fit your use case it is better to use them, as they are simpler, though AFAICT there can be "corner cases" where one approach works and the other does not, or vice versa.

Routing rules have also the advantage of working with fasttrack, which mangle does not.

Check:
http://forum.mikrotik.com/t/time-to-learn-policy-routing/173337/1

Thanks, jaclaz!
So the lookup action of a routing rule works just like route marking by firewall mangle? Do I get it right?

For most cases, yes.

Before the changes introduced in ROS 7.6 or so, it used to be that if you requested use of a routing table using a mangle rule, the effect was the same as requesting use of the same table using a routing rule with action=lookup, i.e. with the possible fallback to main if no route was available in the requested table. But you could use a routing rule to "fix" that - by making a routing rule with action=lookup-only-in-table match on a routing mark previously assigned by a mangle rule. Whether this still has the same effect after that change, which has made it impossible for the routing rules to overwrite the routing table name assigned by mangle rules, is not clear to me; I haven't tested it yet.

I consider - visually - both routing rules and mangling as “sieves”.
https://www.globalgilson.com/blog/sieve-sizes
Routing rules - generally speaking - are sieves with larger sized openings (coarse series), mangle marks can catch smaller particles (fine series).

The help page is clear enough about them:
https://help.mikrotik.com/docs/display/ROS/Policy+Routing

It is not recommended to use both methods at the same time or you should know exactly what you are doing. If you really do need to use both mangle and routing rules in the same setup then keep in mind that mangle has higher priority, meaning if the mangle marked traffic can be resolved in the table then route rules will never see this traffic.

If you pass your material through a finer mesh first, there will be nothing that can be caught by the larger mesh below.

Generically speaking, great advice and analogies; however, MT documentation is also generic, and each scenario has its own quirks to consider, so knowing how these functionalities interact is crucial to a successful config. Nothing wrong with using both at the same time if there is no overlap in the traffic affected.

Routing rules - limited identify/capture abilities (subnet, single IPs, etc.) - simpler, better for non-complex scenarios, and doesn't affect fasttrack.
Mangle rules - more granular identify/capture abilities (the above plus so much more) - great for complex scenarios, but you lose fasttrack for that traffic.
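As an added example (not from the thread, the poster, or MikroTik's docs), here is a RouterOS v7 configuration fragment that puts jaclaz's two rule actions and sindy's mangle-mark interaction side by side. The table name wan2, the gateway 10.0.2.1 and the three LAN subnets are made up for the illustration.

```routeros
# Added example with constructed values: table "wan2", gateway 10.0.2.1,
# LAN subnets 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24.

# A second routing table with its own FIB, holding only a default route.
/routing/table add name=wan2 fib
/ip/route add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-table=wan2

# action=lookup: consult wan2 first; if wan2 has no matching route,
# fall back to the main table (the fallback jaclaz describes).
/routing/rule add src-address=192.168.10.0/24 action=lookup table=wan2

# action=lookup-only-in-table: consult wan2 and nothing else. If wan2 had
# no matching route the lookup would simply give up, so this is the action
# to use when traffic must never fall back to main.
/routing/rule add src-address=192.168.20.0/24 action=lookup-only-in-table table=wan2

# The same steering for a third subnet done in mangle instead. Per sindy's
# post the mark alone behaves like action=lookup (fallback to main), and
# per jaclaz's post it costs fasttrack for these connections.
# dst-address-type=!local keeps traffic to the router's own addresses out of wan2.
/ip/firewall/mangle add chain=prerouting src-address=192.168.30.0/24 dst-address-type=!local action=mark-routing new-routing-mark=wan2 passthrough=no

# The pre-7.6 trick sindy mentions: a routing rule that matches the mangle
# mark and forbids the fallback to main. Whether it still has this effect
# after the 7.6 change is left open in the thread; check on your version.
/routing/rule add routing-mark=wan2 action=lookup-only-in-table table=wan2
```

Keep Skaidrojuma's remark in mind when reading the last two commands: mangle is evaluated first, so if the marked traffic resolves in wan2 the routing rules never see it.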

Hello, I have a question. I have a network separated by VRF for management and web access. But I have a problem: I have ping between VRFs. For example, I have a router that contains the two VRFs (vrf1 and vrf2); each VRF has its own different network, and the gateways are in the router. Now if I have a PC on vrf1's network and I ping the vrf2 gateway, this ping is possible. This is counterintuitive because I understand that the VRFs are in different routing domains. And also if I ping vrf1's PC from vrf2 with a source from its own network, I can reach it. Please help.