Hi
I have a strange problem here, and I struggle to find the root cause.
So, I have a configuration on wAP R AC.
Fiber is connected to eth1 (through transcriber) and we have a pppoe on this fiber.
LTE is used as backup.
I have 3 routing tables: main, pppoe and 4G.
/routing table
add disabled=no fib name=4G
add disabled=no fib name=pppoe
On pppoe and 4G I just have a route with metric 1 to the gateway.
On the main routing table, I have routes to do the failover:
/ip route
add dst-address=0.0.0.0/0 gateway=lte1 routing-table=4G
add dst-address=0.0.0.0/0 gateway=pppoe-net routing-table=pppoe
add distance=10 dst-address=80.67.169.12 gateway=pppoe-net scope=10 target-scope=11
add distance=11 dst-address=149.112.112.112 gateway=pppoe-net scope=10 target-scope=11
add check-gateway=ping distance=10 dst-address=0.0.0.0/0 gateway=80.67.169.12 scope=10 target-scope=12
add check-gateway=ping distance=11 dst-address=0.0.0.0/0 gateway=149.112.112.112 scope=10 target-scope=12
add disabled=no distance=99 dst-address=0.0.0.0/0 gateway=lte1 routing-table=main suppress-hw-offload=no
So when pppoe is unable to ping 80.67.169.12 and 149.112.112.112, the last route with distance 99 is used.
This works very well.
On the mangle, I also mark connections, so when we send a packet to LTE for example, we’re sure it’s going to go out through the same interface:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-net new-connection-mark=fromPPPOE
add action=mark-routing chain=output connection-mark=fromPPPOE new-routing-mark=pppoe passthrough=no
add action=mark-routing chain=prerouting connection-mark=fromPPPOE in-interface-list=LAN new-routing-mark=pppoe passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=lte1 new-connection-mark=from4G
add action=mark-routing chain=output connection-mark=from4G new-routing-mark=4G passthrough=no
add action=mark-routing chain=prerouting connection-mark=from4G in-interface-list=LAN new-routing-mark=4G passthrough=no
This works very well.
Now the problem: the fibre connection is down, so pppoe is down too.
The computers behind the MikroTik router now use LTE as gateway, as expected.
But 2 Fanvil SIP phones don’t work! SIP to the external server is working fine, but RTP does not work, for example.
PCs are OK, DECT phones are OK, but Fanvil desk phones, nope.
To test it deeper, I added a NAT rule to access one of the Fanvil phones from my office using HTTP: it does not work at all.
Now the strange thing:
If I disable the rule “add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=lte1 new-connection-mark=from4G” it works fine!
Remove the connection mark, and it’s working fine…
The phones will then work correctly, even if I enable the connection-mark again, for some minutes, then it will stop working again.
Why? Why only with Fanvil phones?
I thought connection marking and routing marks were internal only; the packet is not modified, as far as I understand it.
Any idea?
# 2025-02-27 09:15:28 by RouterOS 7.18
# software id = 6HC9-S9PL
#
# model = RBwAPGR-5HacD2HnD
# serial number = HEA08JQZDXQ
/interface bridge
add admin-mac=48:A9:8A:99:6E:A0 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" mtu=1300 network-mode=lte
/interface vlan
add interface=ether1 name=vlan_FTTH vlan-id=4001
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan_FTTH max-mru=1492 max-mtu=1492 name=pppoe-net user=username
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=no apn=telcomobile.com authentication=pap ip-type=ipv4 use-network-apn=no use-peer-dns=no user=username
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.253
/ip dhcp-server
add address-pool=dhcp interface=bridge name=server_dhcp
/queue type
add kind=fq-codel name=fq-codel
/routing table
add disabled=no fib name=4G
add disabled=no fib name=pppoe
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-net list=WAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:47:62:4A:9C:39 name=ovpn-server1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.1.254/24 interface=bridge network=192.168.1.0
/ip dhcp-server lease
add address=192.168.1.102 mac-address=00:08:7B:21:C5:2C server=server_dhcp
add address=192.168.1.250 client-id=1:0:e2:69:5d:a9:88 mac-address=00:E2:69:5D:A9:88 server=server_dhcp
add address=192.168.1.126 client-id=1:1c:69:7a:b:9f:82 mac-address=1C:69:7A:0B:9F:82 server=server_dhcp
add address=192.168.1.100 client-id=1:c:38:3e:5b:b7:d6 mac-address=0C:38:3E:5B:B7:D6 server=server_dhcp
add address=192.168.1.101 client-id=1:c:38:3e:5b:b2:d2 mac-address=0C:38:3E:5B:B2:D2 server=server_dhcp
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=xxx.xxx.xxx.xxx comment=alpha list=office
add address=xxx.xxx.xxx.xxx comment=olivier list=office
add address=xxx.xxx.xxx.xxx comment=Jerome list=office
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Acces Winbox office" dst-port=8291 log=yes log-prefix=winbox-ipc protocol=tcp src-address-list=office
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-net new-connection-mark=fromPPPOE
add action=mark-routing chain=output connection-mark=fromPPPOE new-routing-mark=pppoe passthrough=no
add action=mark-routing chain=prerouting connection-mark=fromPPPOE in-interface-list=LAN new-routing-mark=pppoe passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=lte1 new-connection-mark=from4G
add action=mark-routing chain=output connection-mark=from4G new-routing-mark=4G passthrough=no
add action=mark-routing chain=prerouting connection-mark=from4G in-interface-list=LAN new-routing-mark=4G passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port="" in-interface-list=WAN protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.1.101
/ip firewall service-port
set sip disabled=yes
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d wed=0s-1d
/ip route
add dst-address=0.0.0.0/0 gateway=lte1 routing-table=4G
add dst-address=0.0.0.0/0 gateway=pppoe-net routing-table=pppoe
add distance=10 dst-address=80.67.169.12 gateway=pppoe-net scope=10 target-scope=11
add distance=11 dst-address=149.112.112.112 gateway=pppoe-net scope=10 target-scope=11
add check-gateway=ping distance=10 dst-address=0.0.0.0/0 gateway=80.67.169.12 scope=10 target-scope=12
add check-gateway=ping distance=11 dst-address=0.0.0.0/0 gateway=149.112.112.112 scope=10 target-scope=12
add disabled=no distance=99 dst-address=0.0.0.0/0 gateway=lte1 routing-table=main suppress-hw-offload=no
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.europe.pool.ntp.org
add address=0.fr.pool.ntp.org
/system routerboard settings
set cpu-frequency=716MHz
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script=":log info \"Netwatch FAILURE\";\r\
\n/system routerboard usb power-reset duration=5;" host=1.1.1.1 http-codes="" interval=10m name=NetTest start-delay=5s startup-delay=5m test-script="" timeout=3s type=tcp-conn
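As an aid to reading the six mangle rules above, the following added example (not part of the original post, and not RouterOS code) traces which routing table each packet of a connection is looked up in. It is a simplified model built on assumptions: the `RULES` encoding and the `mangle` and `trace` helpers are hypothetical names, only the matchers used in the post are modelled, and fasttrack and NAT are not modelled.

```python
# Simplified, constructed model of the post's /ip firewall mangle rules.
# Each entry: (chain, matchers, (action, value)), in the order exported.
RULES = [
    ("prerouting", {"conn_mark": None, "in_if": "pppoe-net"}, ("mark-connection", "fromPPPOE")),
    ("output",     {"conn_mark": "fromPPPOE"},                 ("mark-routing", "pppoe")),
    ("prerouting", {"conn_mark": "fromPPPOE", "in_list": "LAN"}, ("mark-routing", "pppoe")),
    ("prerouting", {"conn_mark": None, "in_if": "lte1"},       ("mark-connection", "from4G")),
    ("output",     {"conn_mark": "from4G"},                    ("mark-routing", "4G")),
    ("prerouting", {"conn_mark": "from4G", "in_list": "LAN"},  ("mark-routing", "4G")),
]
# Interface list membership as exported in the post.
LISTS = {"LAN": {"bridge"}, "WAN": {"lte1", "ether1", "pppoe-net"}}


def mangle(conn, chain, in_if=None):
    """Run one packet through a chain; return the routing table it is looked up in."""
    table = "main"
    for r_chain, match, (action, value) in RULES:
        if r_chain != chain:
            continue
        if "conn_mark" in match and conn["mark"] != match["conn_mark"]:
            continue
        if "in_if" in match and in_if != match["in_if"]:
            continue
        if "in_list" in match and in_if not in LISTS[match["in_list"]]:
            continue
        if action == "mark-connection":
            conn["mark"] = value   # no passthrough given, default yes: keep evaluating
        else:
            table = value          # mark-routing with passthrough=no: stop here
            break
    return table


def trace(in_interfaces):
    """Trace successive packets of ONE connection, given each packet's in-interface."""
    conn = {"mark": None}
    return [(i, mangle(conn, "prerouting", i), conn["mark"]) for i in in_interfaces]


if __name__ == "__main__":
    # LAN-initiated flow during failover: request, reply via lte1, next request.
    for step in trace(["bridge", "lte1", "bridge"]):
        print(step)
```

The mark-connection rules have no `connection-state=new` matcher, so in this model a LAN-initiated connection is marked `from4G` by its first reply arriving on lte1, and its later LAN-side packets move from table `main` to table `4G`. During the failover described in the post both tables resolve to gateway lte1.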