problem with mangle dst-address-list for policy routing

solink · July 4, 2014, 7:10am

I have a mikrotik ros v5.22 box,and ISP1 is on eth3 as WAN1 and I setup a PPTP as WAN2

My purpose is routing some specified destination address which are set in address-list "DD" to eth3 WAN1

，other ip route to PPTP. My configure looks like below.
[admin@MikroTik] > /ip firewall mangle print

0 chain=prerouting action=mark-routing new-routing-mark=WAN-ETH3 passthrough=no dst-address-list=DD

1 chain=prerouting action=mark-routing new-routing-mark=WAN-PPTP passthrough=no dst-address-list=!DD

[admin@MikroTik] > /ip route print detail

0 A S dst-address=0.0.0.0/0 gateway=10.10.10.1 gateway-status=10.10.10.1 reachable via ether3 distance=1 scope=30
target-scope=10 routing-mark=WAN-ETH3

1 A S dst-address=0.0.0.0/0 gateway=pptp-out1 gateway-status=pptp-out1 reachable distance=1 scope=30 target-scope=10
routing-mark=WAN-PPTP

2 ADC dst-address=10.10.10.0/24 pref-src=10.10.10.189 gateway=ether3 gateway-status=ether3 reachable distance=0
scope=10

3 ADC dst-address=10.85.x.x/32 pref-src=10.85.x.x gateway=pptp-out1 gateway-status=pptp-out1 reachable distance=0 //PPTP port
scope=10

4 A S dst-address=173.255../32 gateway=10.10.10.1 gateway-status=10.10.10.1 reachable via ether3 distance=1 //for PPTP server
scope=30 target-scope=10

5 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=ether1 gateway-status=ether1 reachable distance=0
scope=10
[admin@MikroTik] > /ip firewall address-list print

LIST ADDRESS

0 DD 119.167.151.251/32
1 DD 114.114.114.114/32
2 DD 31.13.0.0/16With above configure ,I can't route neither address-list "DD" or other IP from LAN,For example, PING 114.114.114.114 get timeout,and ping 8.8.4.4 get timeout too.

BUT.....

When I disable the second mangle rule
1 X chain=prerouting action=mark-routing new-routing-mark=WAN-PPTP passthrough=no dst-address-list=!DDNow I can ping the IP which in address-list "DD",for example,Ping 114.114.114.114 ok, Of course,ping 8.8.4.4 get timeout.

However,,I try to disable the fist mangle rule and enable the second mangle rule
0 X chain=prerouting action=mark-routing new-routing-mark=WAN-ETH3 passthrough=no dst-address-list=DD

1 chain=prerouting action=mark-routing new-routing-mark=WAN-PPTP passthrough=no dst-address-list=!DDI think I should can ping the ip out of address-list "DD",But I ping 114.114.114.114 timeout,ping 8.8.4.4 timeout.

Maybe some bugs with dst-address-list? Because I test with dst-address,,It's OK!
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=WAN-ETH3 passthrough=no dst-address=114.114.114.114

1 chain=prerouting action=mark-routing new-routing-mark=WAN-PPTP passthrough=no dst-address=8.8.4.4What's the reason,,somebody can give me identify problems!

rextended · July 4, 2014, 9:03am

First of all, do not double mark, double route, etc.

simply choice what out is your default route.

At this point you mark and route separated traffic on DD list…

Second: 5.22 is obsolete, upgrade to 6.15

solink · July 4, 2014, 3:12pm

After replaced the reverse dst-address-list “!D” with another dst-address-list,My double route-mask and double route

configure works! It seems the problem is ROS can resolve the “D” dst-address-list but can’t resolve the “!D” dst-address-list.

Solink