Routing mark block firewall filter rule?

cbera · June 16, 2017, 11:21am

Hi, i have this situation.

/ip firewall filter
add action=accept chain=forward dst-address-list=192.168.4.0/24 src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address-list=192.168.4.0/24

Now i activate mark routing

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=isp1 passthrough=yes src-address-list=lan1
add action=mark-routing chain=prerouting new-routing-mark=isp2 passthrough=yes src-address-list=lan2

/ip firewall address-list
add address=192.168.1.0/24 list=lan1
add address=192.168.4.0/24 list=lan2

Thats work fine. 192.168.0.1/24 select isp1 gateway and 192.168.4.0/24 select isp2 gateway.
But the first firewall rule not working when the mark routing is enable. For example, before mark routing i can ping any pc of lan1 from lan4…after mark routing enable i can’t (destination unreacheable).

Why??
Thanks

dirklehmannblogger · June 16, 2017, 11:53am

By the way: What the hack is mark routing?

Gesendet von meinem SM-G928F mit Tapatalk

sid5632 · June 16, 2017, 12:26pm

Your address list for lan2 has the wrong IP address - .1.4 instead of .4.0

cbera · June 16, 2017, 1:35pm

Sorry, typing error in the post (not on router os). I corrected

Sob · June 16, 2017, 1:50pm

I don’t think you meant dst-address-list=192.168.4.0/24 in firewall filter, either dst-address=192.168.4.0/24 or dst-address-list=lan2.

But the problem is most likely with finding correct route and this should fix it (change it to only your smaller subnets if you have more complex network):

/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main

cbera · June 16, 2017, 4:53pm

Yes, dst-address-list=lan2. Sorry

Sob:

But the problem is most likely with finding correct route and this should fix it (change it to only your smaller subnets if you have more complex network):
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main

Thanks, its works! Can you explain me that this route rule do ?

Sob · June 16, 2017, 6:08pm

By default, routes go in main routing table. But you also have routing tables isp1 and isp2, both with (most likely) only one route to 0.0.0.0/0. Normally, when you don’t mark routing and you connect to e.g. 192.168.4.x, router looks in main routing table, finds a connected route to 192.168.4.0/24 and uses it. But when you mark routing with ispx mark, router looks only in ispx routing table. And it has only one route, so your packet to 192.168.4.x goes to ISP, only to be dropped sooner or later and you never hear back from it.

The rule tells router to use main routing table for given destination.

cbera · June 19, 2017, 7:35am

Thanks a lot