Prerouting/mark & vpn

Hopefully someone could help me on this.

I have 2 WAN connections, for which the RB also does the PPP.

Some IPs in the LAN have a prerouting rule to mark all packets going to 0.0.0.0/0.
The marked packets will be forced to use a specified WAN port for all traffic.

This way I have some devices always use the secondary connection.

However, if I connect to the RB via VPN (using the other WAN) I cannot connect to any IP using the preroute rule (of course, because packets are being sent out to the other

Could someone help me rewrite the prerouting rule so that the incoming VPN routing is correct?

Redirect for server
chain=prerouting action=mark-routing new-routing-mark=PPTP passthrough=yes
src-address=10.0.1.8 dst-address=!10.25.0.0/24

Change your destination to whatever subnet you drop your VPN clients on. Nothing will get mangled locally.

Oh yes, that makes sense.

The current preroute is like this:

/ip firewall mangle
add action=mark-routing chain=prerouting comment=AppleTV dst-address=0.0.0.0/0 \
    new-routing-mark=Out_133 passthrough=no src-address=172.16.67.20

I have just changed it to:

chain=prerouting comment=AppleTV dst-address=!172.16.66.2/32 new-routing-mark=Out_133 src-address=172.16.67.20

Next question: is it possible to add more than one dst entry?
I don't want to copy rules for other endpoints.

Sorry for being stupid ..
Forgot about address lists.

chain=prerouting comment="List for_133"
dst-address-list=!LocalNets new-routing-mark=Out_133 
src-address-list=for_133

That does it just well .. where “LocalNets” is also a list I added, in which I included the PPTP and local endpoints.
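
An added example, not part of the thread and not RouterOS code: a small Python model of the mark-routing match that shows why the 0.0.0.0/0 rule pulls replies to VPN clients onto the secondary WAN, and that the `!LocalNets` rule leaves them in the main table. The members of `LocalNets` and `for_133`, and the probe addresses, are assumptions constructed for the example; the model returns the mark of the first matching rule only.

```python
import ipaddress

# Address lists. for_133 and LocalNets are the thread's list names; the
# members are constructed for this example (assumed VPN pool and LAN subnets).
LISTS = {
    "any": ["0.0.0.0/0"],
    "for_133": ["172.16.67.20/32"],
    "LocalNets": ["172.16.66.0/24", "172.16.67.0/24"],
}

# Original rule (dst 0.0.0.0/0) and the rewritten one (dst-address-list=!LocalNets).
BEFORE = [{"src": "for_133", "dst": "any", "mark": "Out_133"}]
AFTER = [{"src": "for_133", "dst": "!LocalNets", "mark": "Out_133"}]


def in_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in LISTS[name])


def routing_mark(src, dst, rules):
    """Mark set by the first matching rule, or None (main routing table)."""
    for rule in rules:
        negate = rule["dst"].startswith("!")
        dst_hit = in_list(dst, rule["dst"].lstrip("!")) != negate
        if in_list(src, rule["src"]) and dst_hit:
            return rule["mark"]
    return None


def leaked_local_flows(rules, probes):
    """(src, dst) pairs whose destination is local/VPN but still get a WAN mark."""
    return [(s, d) for s, d in probes
            if in_list(d, "LocalNets") and routing_mark(s, d, rules)]


# Constructed probes: reply to a VPN client, LAN-to-LAN, and internet traffic.
PROBES = [
    ("172.16.67.20", "172.16.66.2"),
    ("172.16.67.20", "172.16.67.1"),
    ("172.16.67.20", "203.0.113.10"),
]

if __name__ == "__main__":
    print("before:", leaked_local_flows(BEFORE, PROBES))
    print("after: ", leaked_local_flows(AFTER, PROBES))
```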