Routing mark bug?

I am pinging through Mikrotik from a PC to 195.201.201.32, which is in the blocked list

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=blocked \
    new-routing-mark=vpn passthrough=no
/ip route
add distance=5 gateway=vpn routing-mark=vpn

And it does not work… but if I change only the route to

/ip route
add distance=5 dst-address=195.201.201.32/32 gateway=vpn

It works well. Where is the error in the first route?

Do you have other mangle rules that could assign a different routing mark to the same packets, or that don’t let them get to this rule?

No, there is nothing in the config with this route mark. It is created only for the blocked list and this schema. Moreover, there are no mangle rules at all.

As I said, I ping 195.201.201.32 and with the first rule I see the reply in the raw table. But no reply is received at the client. With the edited rule the client receives replies… Why?!

OK, I renamed the route mark only in mangle and route. No success…
And I didn’t remove the first rule, but added a second one with a big distance… And it works! Only for 195.201.201.32, unfortunately

add distance=5 gateway=vpn routing-mark=tovpn
add distance=20 dst-address=195.201.201.32/32 gateway=vpn

I have tested it and I can use ping from the tools menu, put in the routing mark and source address, and I can block traffic by blackholing it.

Setting: distance=1 dst-address=0.0.0.0/0 routing-mark=test gateway=pppoe-out

Export:
/ip route
add distance=1 routing-mark=test gateway=pppoe-out type=blackhole

Tested from a client and marking icmp in mangle blackholes the packets.

It works for me.

It’s no problem to blackhole traffic :slight_smile: But I can’t receive the ping reply belonging to the first rule… I see the ping outgoing and nothing incoming after the raw table… Mysterious…

I have looked at your other thread. You stated that you created an interface vpn with address 10.121.241.126.

You need to use NAT then to set the source address, because otherwise the packet can’t find the way back to your VPN starting point.

By directly routing you also set a route back. This is not my expertise and I never managed to skip NAT.

Thank you for your time, but I created a new thread to exclude unusable details.
Yes, I created an additional rule for NAT; it is used by both of these rules. But I would like to focus on this fact: when I create a route with a route mark, I can’t receive the ping reply. Only when I set up a direct route do all parts of this traffic work well.
Moreover, I set up a route with a greater value of distance… And the smaller value of distance is ignored?
I concatenated the two rules, dst-address and route-mark, in one route, and it ignores the reply again :frowning: I can’t understand this situation and hope anybody can help me diagnose it…

Having different distances means nothing in this case - these two rules are in different routing tables.
The fact that the direct route (in the main table) is used means that the needed packets are never really marked by your mangle rule.
That would also explain why it doesn’t work with only the marked route present.

I added a second rule to mangle, logging packets with route mark tovpn. Its counter increased like the counter of the main mangle rule and I see outgoing packets in the log… When I stopped the ping, the counter stopped too.
I created a rule

/ip firewall raw
add action=passthrough chain=prerouting disabled=no in-interface=vpn log=\
    yes protocol=icmp

and see the reply in both cases

firewall,info prerouting: in:vpn out:(unknown 0), proto ICMP (type 0, code 0), 195.201.201.32->10.119.112.128, len 84

BUT, I see the reply at the client only if

add disabled=yes distance=20 dst-address=195.201.201.32/32 gateway=vpn

is activated…

Post your whole /ip firewall section.
And /ip route as well.

Sorry for the delay, I was ill, not COVID I suppose… so…

/ip firewall address-list
add address=2ip.ru list=blocked
add address=192.168.10.0-192.168.88.255 list=olegon
/ip firewall filter
add action=passthrough chain=forward disabled=yes log=yes protocol=icmp
add action=fasttrack-connection chain=forward dst-address=!192.168.88.2 src-address=!192.168.88.2
add action=fasttrack-connection chain=forward connection-state=established,related dst-address-list=olegon src-address-list=olegon
add action=jump chain=forward comment="many connections trap" connection-limit=128,24 dst-address=192.168.88.2 in-interface=wan jump-target=catch log=yes \
    log-prefix=fuckconnect protocol=tcp tcp-flags=!ack
add action=jump chain=input comment="port scanners" connection-state=new dst-port=22,708,709,3128,3389,8291,8080 in-interface=wan jump-target=catch \
    log-prefix=fuckscan protocol=tcp tcp-flags=""
add action=add-src-to-address-list address-list=banned address-list-timeout=1d chain=catch
add action=drop chain=catch
/ip firewall mangle
add action=passthrough chain=prerouting disabled=yes in-interface=vpn log=yes protocol=icmp
add action=mark-routing chain=prerouting connection-state=new dst-address-list=blocked new-routing-mark=tovpn passthrough=yes
/ip firewall nat
add action=netmap chain=dstnat dst-address=xxx.xxx.xxx.187 dst-port=80,443 protocol=tcp to-addresses=192.168.88.2
add action=redirect chain=dstnat dst-address=10.10.0.0/16 dst-port=80 in-interface=!wan protocol=tcp to-addresses=192.168.8.2 to-ports=8080
add action=netmap chain=dstnat dst-address=xxx.xxx.xxx.187 dst-port=6969 protocol=tcp to-addresses=192.168.88.70
add action=netmap chain=dstnat dst-address=xxx.xxx.xxx.187 dst-port=6969 protocol=udp to-addresses=192.168.88.70 to-ports=6969
add action=src-nat chain=srcnat dst-address=192.168.88.2 dst-port=80,443 protocol=tcp src-address=192.168.0.0/16 to-addresses=192.168.88.1
add action=src-nat chain=srcnat out-interface=wan src-address=192.168.0.0/16 to-addresses=xxx.xxx.xxx.187
add action=masquerade chain=srcnat out-interface=vpn src-address=192.168.0.0/16 to-addresses=10.119.112.128
/ip firewall raw
add action=drop chain=prerouting in-interface=wan src-address-list=banned
add action=drop chain=prerouting dst-address-list=banned
add action=passthrough chain=prerouting disabled=yes in-interface=vpn log=yes protocol=icmp

/ip route
add distance=5 gateway=vpn routing-mark=tovpn
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.88.254 pref-src=192.168.88.1
add disabled=yes distance=20 dst-address=195.201.201.32/32 gateway=vpn

and the current route table

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          vpn                       5
 1 ADS  0.0.0.0/0                          xxx.xxx.xxx.1              10
 2 ADC  10.119.64.1/32     10.119.112.128  vpn                       0
 3 ADC  xxx.xxx.xxx.0/23     xxx.xxx.xxx.187   wan                       0
 4 A S  192.168.10.0/24    192.168.88.1    192.168.88.254            1
 5 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 6 X S  195.201.201.32/32                  vpn                      20

xxx.xxx.xxx.1 - current main provider uplink

Ok.
I think I know what the problem is: you need to use an address as the gateway, not an interface.
It works for a /32 address, thinking that it’s just the other end of a ptp link, but won’t work for destinations with a wider mask.

I changed the current /ip route to

add distance=5 gateway=10.119.64.1 routing-mark=tovpn

without any success…

First of all: you can’t use mark-routing for only the first packet.
Second: same thing about fasttrack - you can’t use it for traffic that has to be mangled and routed through a routing table other than main.
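To make the two points in this thread concrete (distances are only compared inside one routing table, and marking only the first packet or letting fasttrack bypass mangle sends the rest of the flow through main), here is an added toy model written for this discussion; it is not RouterOS code and not from any poster. It assumes RouterOS v6 behaviour, where a marked packet with no match in its own table falls back to main, and uses constructed gateway labels (`vpn`, `isp-gw`), a constructed client address and the thread's `blocked` list.

```python
"""Toy model of RouterOS v6 policy routing with routing marks (constructed
example). Tables are keyed by routing-mark; route selection is longest
prefix then lowest distance inside one table; a marked packet whose table
has no match falls back to 'main' (assumed v6 behaviour)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: str                    # CIDR prefix
    gateway: str                # constructed gateway label
    distance: int
    routing_mark: str = "main"  # table this route lives in


@dataclass(frozen=True)
class MangleRule:
    dst_list: str                           # address-list to match
    new_routing_mark: str
    connection_state: Optional[str] = None  # None = match any state
    passthrough: bool = True


class Router:
    def __init__(self, routes, mangle, address_lists, fasttrack=False):
        self.routes = routes
        self.mangle = mangle
        self.lists = {name: [ipaddress.ip_network(p) for p in prefixes]
                      for name, prefixes in address_lists.items()}
        self.fasttrack = fasttrack
        self.conntrack = set()  # flows already seen, as (src, dst)

    def in_list(self, name, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.lists.get(name, []))

    def lookup(self, dst, mark):
        """Pick a gateway for dst in the table named by mark, else in main."""
        ip = ipaddress.ip_address(dst)
        for table in dict.fromkeys([mark or "main", "main"]):
            candidates = [r for r in self.routes
                          if r.routing_mark == table
                          and ip in ipaddress.ip_network(r.dst)]
            if candidates:
                best = max(candidates, key=lambda r: (
                    ipaddress.ip_network(r.dst).prefixlen, -r.distance))
                return best.gateway, table
        return None, None

    def forward(self, src, dst):
        """Process one packet of a flow; return (gateway, table used)."""
        flow = (src, dst)
        state = "established" if flow in self.conntrack else "new"
        self.conntrack.add(flow)
        mark = None
        # fasttracked (established) packets never reach the mangle chain
        if not (self.fasttrack and state == "established"):
            for rule in self.mangle:
                if not self.in_list(rule.dst_list, dst):
                    continue
                if rule.connection_state not in (None, state):
                    continue
                mark = rule.new_routing_mark
                if not rule.passthrough:
                    break
        return self.lookup(dst, mark)


# Constructed routes mirroring the thread: default via vpn in table 'tovpn',
# ISP default in main; the /32 via vpn in main is the thread's distance=20 route.
ROUTES = [
    Route("0.0.0.0/0", "vpn", 5, "tovpn"),
    Route("0.0.0.0/0", "isp-gw", 10),
]
ROUTES_WITH_32 = ROUTES + [Route("195.201.201.32/32", "vpn", 20)]
LISTS = {"blocked": ["195.201.201.32/32"]}


def paths(mangle, routes=ROUTES, fasttrack=False, n=3, dst="195.201.201.32"):
    """(gateway, table) chosen for n consecutive packets of one flow."""
    r = Router(routes, mangle, LISTS, fasttrack)
    return [r.forward("192.168.88.10", dst) for _ in range(n)]


if __name__ == "__main__":
    mark_all = [MangleRule("blocked", "tovpn")]
    mark_new = [MangleRule("blocked", "tovpn", connection_state="new")]
    print("mark every packet      :", paths(mark_all))
    print("mark only first packet :", paths(mark_new))
    print("fasttrack + mark all   :", paths(mark_all, fasttrack=True))
    print("unmarked, /32 in main  :", paths([], routes=ROUTES_WITH_32))
```

Running it shows the first flow going out via `vpn` for every packet, while the `connection-state=new` and fasttrack variants send only the first packet via `vpn` and the rest via `isp-gw`; the last line shows the distance-20 /32 in main being used regardless of the distance-5 route in `tovpn`, because the two tables are never compared against each other.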

Oops… I forgot it after some tests…
And replaced it now with

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=blocked \
    new-routing-mark=tovpn passthrough=yes

and disabled the fasttrack rules entirely… but without any success…

Does routing through vpn work if you make it the default route not only for marked traffic, but for all?

I can’t test it… Unfortunately, it’s the main router, so I can’t pass all traffic to the VPN. But, as I wrote above, packets go to the VPN and I see the reply on the router (see attached sniff). So packets go to the VPN and return. But somehow they get lost in space if I use a route mark?
sniff.gz (255 Bytes)

Does adding the IP directly to the list instead of the domain name change anything?

And another suggestion - is rp-filter set in ip settings?