Routing Policy Issue - Not Working as Expected

# scenario 1:
/ip firewall mangle add action=mark-routing chain=prerouting src-address=192.168.1.101 new-routing-mark=to_wan passthrough=no
/routing rule add action=lookup-only-in-table routing-mark=to_wan table=wan_route

# scenario 2:
/ip firewall mangle add 
add chain=prerouting action=jump in-interface=bridge jump-target=hotspot src-address=192.168.1.0/24
add chain=hotspot action=mark-packet new-packet-mark=modem src-address=192.168.1.101
add chain=prerouting action=mark-routing packet-mark=modem new-routing-mark=to_modem passthrough=no
/routing rule add action=lookup-only-in-table routing-mark=to_modem table=modem_route

# routes for both
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=wan_route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=modem_route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=main

(scenario 1) goes through routing policy rule as expected
but (scenario 2) not going through routing policy rule, it directly hitting to_modem (if exist or main) routes instead following routing policy rule

Could anyone explain what is wrong?

dont care about partial config in the slightest or commenting on so little information and a config is all interrelated.
Mangling depends upon well articulated requirements
identify devices/users ( internal, external, admin etc…)
identify traffic they need to execute

• config, with mangles or routing rules will fall out naturally.

Maybe related to:
https://help.mikrotik.com/docs/display/ROS/Policy+Routing

It is not recommended to use both methods at the same time or you should know exactly what you are doing. If you really do need to use both mangle and routing rules in the same setup then keep in mind that mangle has higher priority, meaning if the mangle marked traffic can be resolved in the table then route rules will never see this traffic.

Concur, OP is confused or trying to follow to many guides and not really understanding what is being done in them.

if that is true how (scenario 1) working?
i want to do it because there is no way to specify [lookup-only-in-table] in mangle so it fallback to main route, without routing rule policy.
how to achieve this (scenario 2)?

is there anyway to specify [lookup-only-in-table] in the mangle?
MT’s default behaviour is [lookup].

i want (scenario 2) to [lookup-only-in-table] not [lookup].

Any expert here to explain?

Your job is to provide the information requested so that assistance can be rendered.

• define requirements as previously explained
• provide complete config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
• network diagram also helps.

I included my code, please check this now.
In this code iot_user hitting fiber_route , all ok, working as i expected
but modem_user and fiber_user not going through routing policy rule, instead these hitting main route

fiber = pppoe-out1
modem = ether2>dchp client > 192.168.2.1 gateway

# 2024-10-13 19:13:42 by RouterOS 7.16.1
# software id = XXXXXXX
#
# model = RB750Gr3
# serial number = XXXXXXXXXX


/interface bridge
add add-dhcp-option82=yes comment=LAN dhcp-snooping=yes fast-forward=no \
    igmp-snooping=yes name=bridge port-cost-mode=short


/interface ethernet
set [ find default-name=ether1 ] comment="WAN: Fiber"
set [ find default-name=ether2 ] comment="WAN: OutdoorModem"
set [ find default-name=ether5 ] comment=MAINTANENCE

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot


/ip hotspot user profile
set [ find default=yes ] shared-users=20
add incoming-packet-mark=modem_packet name=modem outgoing-packet-mark=modem_packet
add incoming-packet-mark=fiber_packet name=fiber outgoing-packet-mark=fiber_packet


/ip hotspot profile
add hotspot-address=192.168.1.1 html-directory=flash/hotspot login-by=\
    http-chap,mac-cookie name=hotspot-profile


/ip hotspot
add addresses-per-mac=unlimited disabled=no interface=bridge name=\
    hotspot-server profile=hotspot-profile


/ip pool
add comment="All Connected Devices" name=hotspot-pool ranges=\
    192.168.1.2-192.168.1.254
add comment="All NonStatic Connected Devices" name=hotspot-non-static-pool \
    ranges=192.168.1.50-192.168.1.99


/ip dhcp-server
add add-arp=yes address-pool=hotspot-non-static-pool authoritative=\
    after-2sec-delay interface=bridge lease-time=1h name=hotspot-dhcp


/interface pppoe-client
add dial-on-demand=yes disabled=no interface=ether1 max-mtu=1500 name=\
    pppoe-out1 profile=default-encryption user=xxx


/routing table
add disabled=no fib name=modem_user
add disabled=no fib name=fiber_user
add disabled=no fib name=iot_user
add disabled=no fib name=modem_route
add disabled=no fib name=fiber_route


/interface bridge port
add bridge=bridge hw=no ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge hw=no ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10


/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes

/ip address
add address=192.168.1.1/24 comment="All Connected Devices" interface=bridge \
    network=192.168.1.0


/ip dhcp-client
add add-default-route=no comment=OutdoorModem interface=ether2 use-peer-dns=\
    no use-peer-ntp=no

/ip dhcp-server lease
add address=192.168.1.101 comment=OrangePi mac-address=EA:10:BE:B0:99:CC \
    server=hotspot-dhcp

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4



/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes



/ip firewall mangle
add action=accept chain=prerouting comment=\
    "Allow Hotspot LoginPage/Gateway To Lan" dst-address=192.168.1.1 \
    in-interface=bridge
add action=log chain=prerouting comment=\
    "----- hotspot config start here ----" disabled=yes 
add action=jump chain=prerouting comment=Hotspot \
    in-interface=bridge jump-target=hotspot src-address=192.168.1.0/24
add action=jump chain=forward comment=Hotspot  \
    in-interface=bridge jump-target=hotspot src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="Allow LAN Access" \
    dst-address=192.168.1.0/24 new-routing-mark=main \
    passthrough=no src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="Modem User" \
    new-routing-mark=modem_user packet-mark=modem_packet passthrough=no
add action=mark-routing chain=prerouting comment="Fiber User" \
    new-routing-mark=fiber_user packet-mark=fiber_packet \
    passthrough=no
add action=mark-routing chain=prerouting comment="IOT User" \
    new-routing-mark=iot_user \
    passthrough=no src-address=192.168.1.101-192.168.1.150
add action=log chain=prerouting comment="----- hotspot config end here ----" \
    disabled=yes
add action=log chain=prerouting comment=\
    "----- hotspot auto config start here ----" disabled=yes


/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="Fiber WAN" out-interface=\
    pppoe-out1
add action=masquerade chain=srcnat comment=Modem out-interface=ether2

/ip hotspot ip-binding
add address=192.168.1.101 comment=Pi server=hotspot-server to-address=\
    192.168.1.101 type=bypassed


/ip hotspot user
add name=FiberUser profile=fiber server=hotspot-server
add name=ModemUser profile=modem server=hotspot-server


/ip route
add comment="Modem Route" disabled=no distance=2 dst-address=0.0.0.0/0 \
    gateway=192.168.2.1 routing-table=modem_route scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Fiber Route" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 routing-table=fiber_route scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="Default" disabled=no distance=2 dst-address=0.0.0.0/0 \
    gateway=pppoe-out1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10


/routing rule
add action=lookup-only-in-table comment="IOT User" disabled=no \
    routing-mark=iot_user table=fiber_route
add action=lookup-only-in-table comment="Fiber User" disabled=no \
    routing-mark=fiber_user table=fiber_route
add action=lookup-only-in-table comment="Modem User" disabled=no \
    routing-mark=modem_user table=modem_route

1. Suggest remove these unless you can justify with purpose…
   /interface bridge settings
   set allow-fast-path=no use-ip-firewall=yes

2. Why do you have fast forward=no for the normal bridge settings? ( Does it interfere with hotspot function?)

3. Missing route for modem2 table main…

/ip route
add distance=2 dst-address=0.0.0.0/0
gateway=pppoe-out1 routing-table=main scope=30
add distance=4 dst-address=0.0.0.0/0
gateway=192.168.2.1 routing-table=main
add comment=“Fiber Route” dst-address=0.0.0.0/0 gateway=
pppoe-out1 routing-table=fiber_route
add comment=“Modem Route” dst-address=0.0.0.0/0
gateway=192.168.2.1 routing-table=modem_route

MANGLING…
I understand the first rule which basically states for any user connecting to login gateway, allow this connection to occur.

I presume because you failed to provide any requirements information…
one cannot makes heads or tails of what you are trying to do after that…

Normally, forgetting hotspot, one would use three subnets, trusted, iot, guest and make them VLANS.
Or if you need to identify three different groups of users within a single subnet, not as easy, via source-address-lists.
One can easily work with address lists, or subnets, or interfaces,not sure what you are doing or how hotspot is involved.

Also one does not mangle and use routing rules unless one is very skilled as results may not be as expected.
Mangled traffic ignores routing rules for example.
’
In summary, without a detailed set of requirements on how the two WANS are to be used as would be described in requirements
(including primary secondary, or failover or load balancing, plus any vpns, or any port forwarding explained, not much more I can offer )

1 and 2. i want bridge device to go through firewall that why added following code (although removing them won’t affect hotspot)

/interface bridge settings 
    set allow-fast-path=no use-ip-firewall=yes

3. I do not know are you trying to tell, i am not talking about vlan or separate network, this is all about, routing policy rule, i do not want modem as main route, modem_user>modem_route specified in routing policy rule

• in iot_user case routing policy rule working
• in modem_user and fiber_user routing policy rule not working

why i want to achieve this?
reason 1: because, this is confusing me, why iot_user works and others don’t
reason 2: because, mangle doesn’t have [lookup-only-in-table] which is why it fall back to main, mangle default behavior is [lookup]

my requirement is: i want some user to go through modem, some through fiber based on hotspot user profile packet marking, out could be modem,fiber,vpn etc.
I just want to know why different behavior for same identical mangle rule coming from preroute with IP and with packet marking? why one is respecting routing policy rule, other not?
how to achieve [lookup-only-in-table] with mangle if routing policy is ignored?

I can still achieve by dropping with filter rule and mangle, but still question is why routing policy rule ignored? Is this a bug? Or intentional?

In version 6 it was [lookup] but in version 7 it now is [lookup-only-in-table].
In fact, even local routes are not examined when you have a routing mark, making it necessary to only apply the routing mark for traffic that will leave your local router and -network (e.g. make an address-list with your local addresses and exempt that).
Also, for IPv6 it is necessary to have a routing rule that says “routing mark X action lookup(-only-in-table) table X”.
Without that, routing marks do not work in IPv6. In IPv4 they work without it.

My version is 7 latest stable as of now. I can see it still MTs mangle route marking behave like [lookup] fallback to main if it can’t find route it is looking for.
leave ipv6 for now, just clarify one thing, why above example working two different way?
what am i missing?

.
As I ran more test on it, it seems a bug. I opened a support ticket as BUG, Lets see. What they say.
The problem is:
if i mark-route with src-address to new-mark-route it goes through routing policy rule
if i mark-route with hotspot user’s packet-mark to new-mark-route it does not go through routing policy rule

Note: not only hotspot user, if i use packet-mark to mark new-mark-route it does not go through routing policy rule
.

I don’t understand what you mean with “if it can’t find route it is looking for”.
You have destination 0.0.0.0/0 in your route tables so it ALWAYS can find the route that it is looking for.
The only issue will be that this may not be the route YOU expect it to find.
You need to make sure that the routing mark is only set for traffic that you already know is going outside.
So NOT traffic destined for the router itself (e.g. DNS service, hotspot service).

To work around that you NEED to have an exception list of addresses/networks you do not want to mark, OR you need to copy all routes created automatically in the main table (with C flag, “connected”) into all other tables.

You are not getting the point: See the code:

# scenario 1:
/ip firewall mangle add action=mark-routing chain=prerouting src-address=192.168.1.101 new-routing-mark=to_wan passthrough=no
/routing rule add action=lookup-only-in-table routing-mark=to_wan table=wan_route

# scenario 2:
/ip firewall mangle add 
add chain=prerouting action=jump in-interface=bridge jump-target=hotspot src-address=192.168.1.0/24
add chain=hotspot action=mark-packet new-packet-mark=modem src-address=192.168.1.101
add chain=prerouting action=mark-routing packet-mark=modem new-routing-mark=to_modem passthrough=no
/routing rule add action=lookup-only-in-table routing-mark=to_modem table=modem_route

# routes
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=wan_route
add dst-address=0.0.0.0/0 gateway=modem_macvlan routing-table=modem_route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=main

(scenario 1) goes through routing policy rule as expected hits to_wan>wan_route
(scenario 2) not going through routing policy rule, it directly hitting to_modem (if exist, if not exist main) routes instead of following routing policy rule which should be to_modem>modem_route

why would it hit main if routing policy rule is [lookup-only-in-table]. do you get it now? it should not hit main.