[SOLVED] Source-based routing disables access to MikroTik

Hello!
There is a MikroTik RB4011iGS+RM with two internet channels. The goal is to route some clients through the second channel. I can do it with a mangle rule, but in this case the clients have access to the internet but lose any access to the MikroTik. What am I doing wrong, and how do I fix it?

/ip address
add address=172.29.50.254/24 interface=vlan10-bridge-if network=172.29.50.0
add address=172.29.59.254/24 interface=vlan80-bridge-if network=172.29.59.0
add address=200.200.200.230/30 interface=ether6 network=200.200.200.228

/ip dhcp-client
add interface=ether7

/ip route
add comment="Emergency route" distance=254 gateway=br-lo
add comment="Marked via arenda" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.200.200.229 pref-src="" routing-table=to_arenda scope=30 suppress-hw-offload=no target-scope=10
add comment="Access to VLAN80 (arenda) in its table" disabled=no dst-address=172.29.59.0/24 gateway=vlan80-bridge-if pref-src="" routing-table=to_arenda scope=10 suppress-hw-offload=no target-scope=10

/routing table
add fib name=to_arenda

/routing rule
add action=lookup dst-address=172.29.50.0/24 table=main
add action=lookup disabled=no dst-address=172.29.59.0/24 table=to_arenda

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Arenda via arenda channel" dst-address-list=!no_forward_ipv4 new-routing-mark=to_arenda passthrough=no src-address-list=vlan80-arenda

Why do you need to mangle?
The snippet of config you show makes no sense to me.

a. routing rules (order is important)

add dst-address=<other local subnet> action=lookup-only-in-table table=main comment="to reach or return traffic to other local subnet"
add src-address=<subnet for wan2> action=lookup table=to_arenda comment="to force subnet out wan2"

Done!!


What other access to the local router do you need for the users going out WAN2?

Without it, clients in the subnet for WAN2 have no internet connection.
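The two points made so far (the reply's "order is important" and the OP's "no internet without the mangle rule") can be walked through with a small model of ordered routing rules over two tables. This is an added example, not RouterOS code and not from anyone in the thread: it models rules in order with longest-prefix lookup, where `lookup` falls through to the next rule when the table has no route and `lookup-only-in-table` does not, plus the two WAN-bound accept rules and final drop visible in the forward chain of the export posted further down. The routes are the ones in the export; the main-table default gateway address is learned by DHCP and not shown, so only its interface (ether7) is modelled, and the hosts 172.29.59.101 and 172.29.50.10 are constructed addresses inside the export's subnets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    egress: str  # interface the packet leaves on; 200.200.200.229 is reached via ether6


@dataclass(frozen=True)
class Rule:
    action: str  # "lookup" (fall through if no route) or "lookup-only-in-table" (final)
    table: str
    src: Optional[Net] = None
    dst: Optional[Net] = None

    def matches(self, src, dst):
        return (self.src is None or src in self.src) and (self.dst is None or dst in self.dst)


def n(s):
    return ipaddress.ip_network(s)


# Routes taken from the thread's export. The main-table default is learned by DHCP on
# ether7; its gateway address is not in the export, so only the interface is modelled.
TABLES = {
    "main": [
        Route(n("172.29.50.0/24"), "vlan10-bridge-if"),
        Route(n("172.29.59.0/24"), "vlan80-bridge-if"),
        Route(n("0.0.0.0/0"), "ether7"),
    ],
    "to_arenda": [
        Route(n("0.0.0.0/0"), "ether6"),
        Route(n("172.29.59.0/24"), "vlan80-bridge-if"),
    ],
}

# Rule sets: the opening post's destination-only rules, the reply's ordering, and the
# same two rules swapped to show why "order is important".
OP_RULES = [
    Rule("lookup", "main", dst=n("172.29.50.0/24")),
    Rule("lookup", "to_arenda", dst=n("172.29.59.0/24")),
]
REPLY_RULES = [
    Rule("lookup-only-in-table", "main", dst=n("172.29.50.0/24")),
    Rule("lookup", "to_arenda", src=n("172.29.59.0/24")),
]
REVERSED_RULES = list(reversed(REPLY_RULES))

# Members of the export's LAN interface list (vlan80-bridge-if is not a member).
LAN_LIST = {"vlan10-bridge-if", "vlan20-bridge-if", "vlan40-bridge-if",
            "vlan60-bridge-if", "vlan91-bridge-if"}


def longest_prefix_match(table, dst):
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def route(rules, tables, src, dst):
    """Pick (table, egress) the way ordered routing rules do: the first matching rule's
    table is consulted; "lookup" falls through to the next rule when that table has no
    route, "lookup-only-in-table" does not; with no matching rule, main is used."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if not rule.matches(src, dst):
            continue
        hit = longest_prefix_match(tables[rule.table], dst)
        if hit is not None:
            return rule.table, hit.egress
        if rule.action == "lookup-only-in-table":
            return rule.table, None  # unroutable: no fallthrough to later rules or main
    hit = longest_prefix_match(tables["main"], dst)
    return "main", hit.egress if hit else None


def forward_to_wan_allowed(in_if, out_if):
    """The two WAN-bound accept rules in the export's forward chain, then its final drop."""
    if in_if in LAN_LIST and out_if == "ether7":
        return True
    if in_if == "vlan80-bridge-if" and out_if == "ether6":
        return True
    return False


def tenant_paths(rules, tables=TABLES):
    """Where a tenant host sends internet traffic and office-subnet traffic under a rule set.
    172.29.59.101 and 172.29.50.10 are constructed hosts inside the export's subnets."""
    internet = route(rules, tables, "172.29.59.101", "8.8.8.8")
    office = route(rules, tables, "172.29.59.101", "172.29.50.10")
    return {"internet": internet, "office": office}


if __name__ == "__main__":
    for name, rules in (("OP", OP_RULES), ("reply", REPLY_RULES), ("reversed", REVERSED_RULES)):
        paths = tenant_paths(rules)
        table, egress = paths["internet"]
        verdict = "accept" if forward_to_wan_allowed("vlan80-bridge-if", egress) else "drop"
        print(f"{name:9} tenant -> internet: table {table}, out {egress}, forward filter {verdict}")
        table, egress = paths["office"]
        print(f"{name:9} tenant -> office:   table {table}, out {egress}")
```

Under the opening post's destination-only rules, tenant traffic to the internet matches no rule, resolves in main and leaves via ether7, where the forward chain has no accept for vlan80-bridge-if and drops it; that is consistent with the "no internet without the mangle rule" report. With the reply's ordering, internet traffic resolves in to_arenda and leaves via ether6 (accepted), while office-subnet traffic is answered from main first. With the two rules swapped, the source rule wins and office-bound traffic follows the to_arenda default out of WAN2.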


It’s quite complicated:

# 2023-09-07 17:51:26 by RouterOS 7.10.1
# software id = V66R-G2DD
#
# model = RB3011UiAS
# serial number = 783D060DC59E
/caps-man channel
add band=2ghz-b/g/n frequency=2442 name=2ghz
add band=5ghz-a/n/ac frequency=5700 name=5ghz
add band=5ghz-a/n/ac frequency=5300 name=5ghz-arenda
add band=2ghz-b/g/n frequency=2457 name=2ghz-arenda
/interface bridge
add comment="Loopback interface" name=br-lo
add arp=reply-only dhcp-snooping=yes name=bridge-vlan10 pvid=10 \
    vlan-filtering=yes
add arp=reply-only dhcp-snooping=yes name=bridge-vlan20 pvid=20 \
    vlan-filtering=yes
add arp=reply-only dhcp-snooping=yes name=bridge-vlan40 pvid=40 \
    vlan-filtering=yes
add arp=reply-only dhcp-snooping=yes name=bridge-vlan50 pvid=50 \
    vlan-filtering=yes
add arp=reply-only dhcp-snooping=yes name=bridge-vlan60 pvid=60 \
    vlan-filtering=yes
add arp=reply-only dhcp-snooping=yes name=bridge-vlan70 pvid=70 \
    vlan-filtering=yes
add dhcp-snooping=yes name=bridge-vlan80 pvid=80 vlan-filtering=yes
add dhcp-snooping=yes name=bridge-vlan91 pvid=91 vlan-filtering=yes
/interface wireguard
add listen-port=16701 mtu=1420 name=wg01
/interface vlan
add arp=reply-only interface=bridge-vlan10 name=vlan10-bridge-if vlan-id=10
add interface=ether1 name=vlan10-ether1-if vlan-id=10
add interface=sfp1 name=vlan10-sfp-if vlan-id=10
add arp=reply-only interface=bridge-vlan20 name=vlan20-bridge-if vlan-id=20
add interface=sfp1 name=vlan20-sfp-if vlan-id=20
add arp=reply-only interface=bridge-vlan40 name=vlan40-bridge-if vlan-id=40
add interface=ether1 name=vlan40-ether1-if vlan-id=40
add interface=sfp1 name=vlan40-sfp-if vlan-id=40
add arp=reply-only interface=bridge-vlan50 name=vlan50-bridge-if vlan-id=50
add interface=sfp1 name=vlan50-sfp-if vlan-id=50
add arp=reply-only interface=bridge-vlan60 name=vlan60-bridge-if vlan-id=60
add interface=ether1 name=vlan60-ether1-if vlan-id=60
add interface=sfp1 name=vlan60-sfp-if vlan-id=60
add arp=reply-only interface=bridge-vlan70 name=vlan70-bridge-if vlan-id=70
add interface=ether1 name=vlan70-ether1-if vlan-id=70
add interface=sfp1 name=vlan70-sfp-if vlan-id=70
add interface=bridge-vlan80 name=vlan80-bridge-if vlan-id=80
add interface=ether1 name=vlan80-ether1-if vlan-id=80
add interface=sfp1 name=vlan80-sfp-if vlan-id=80
add interface=bridge-vlan91 name=vlan91-bridge-if vlan-id=91
add interface=ether1 name=vlan91-ether1-if vlan-id=91
add interface=sfp1 name=vlan91-sfp-if vlan-id=91
/caps-man datapath
add bridge=bridge-vlan20 client-to-client-forwarding=no name=datapath-guest \
    vlan-id=20 vlan-mode=use-tag
add bridge=bridge-vlan80 client-to-client-forwarding=yes name=datapath-arenda \
    vlan-id=80 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=wifi-guest
add authentication-types=wpa2-psk encryption=aes-ccm name=wifi-arenda
/caps-man configuration
add channel=2ghz country=russia datapath=datapath-guest mode=ap name=\
    guest-wifi-2ghz security=wifi-guest ssid=2GHz
add channel=5ghz country=russia datapath=datapath-guest mode=ap name=\
    guest-wifi-5ghz security=wifi-guest ssid=5GHz
add channel=5ghz country=russia datapath=datapath-arenda mode=ap name=\
    arenda-wifi-5ghz security=wifi-arenda ssid=arenda5
add channel=2ghz country=russia datapath=datapath-arenda mode=ap name=\
    arenda-wifi-2ghz security=wifi-arenda ssid=arenda2
/interface list
add name=WAN
add name=LAN
add name=NTP
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=old-Gate
/ip pool
add name=pool-vlan10-office ranges=172.29.50.101-172.29.50.190
add name=pool-vlan20-guest ranges=172.29.51.101-172.29.51.190
add name=pool-ovpn ranges=172.29.52.51-172.29.52.120
add name=pool-vlan40-phones ranges=172.29.53.101-172.29.53.190
add name=pool-vlan50-cameras ranges=172.29.54.101-172.29.54.190
add name=pool-vlan60-services ranges=172.29.55.101-172.29.55.190
add name=pool-vlan91-management ranges=172.29.56.101-172.29.56.190
add name=pool-local-mgmt ranges=172.29.57.101-172.29.57.190
add name=pool-vlan70-skud ranges=172.29.58.101-172.29.58.190
add name=pool-vlan80-arenda ranges=172.29.59.101-172.29.59.190
/ip dhcp-server
add add-arp=yes address-pool=pool-vlan10-office interface=vlan10-bridge-if \
    lease-time=3h name=dhcp-vlan10-office
add add-arp=yes address-pool=pool-vlan20-guest interface=vlan20-bridge-if \
    lease-time=3h name=dhcp-vlan20-guest
add add-arp=yes address-pool=pool-vlan40-phones interface=vlan40-bridge-if \
    lease-time=3h name=dhcp-vlan40-phones
add add-arp=yes address-pool=pool-vlan50-cameras interface=vlan50-bridge-if \
    lease-time=3h name=dhcp-vlan50-cameras
add add-arp=yes address-pool=pool-vlan60-services interface=vlan60-bridge-if \
    lease-time=3h name=dhcp-vlan60-services
add add-arp=yes address-pool=pool-vlan91-management interface=\
    vlan91-bridge-if lease-time=3h name=dhcp-vlan91-management
add add-arp=yes address-pool=pool-local-mgmt interface=ether8 name=\
    dhcp-local-mgmt
add add-arp=yes address-pool=pool-vlan70-skud interface=vlan70-bridge-if \
    lease-time=3h name=dhcp-vlan70-skud
add add-arp=yes address-pool=pool-vlan80-arenda interface=vlan80-bridge-if \
    lease-time=3h name=dhcp-vlan80-arenda
/port
set 0 name=serial0
/ppp profile
set *0 use-ipv6=no
add local-address=172.29.52.254 name=ovpn remote-address=pool-ovpn use-ipv6=\
    no use-upnp=no
set *FFFFFFFE use-ipv6=no
/queue tree
add max-limit=18M name=DOWNLOAD parent=global
add max-limit=18M name=UPLOAD parent=global
/queue type
add kind=pcq name=SERVICE_DL pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=SIP_DL pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64
add kind=pcq name=OPERATING_DL pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=OTHER_DL pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-src-address6-mask=64
add kind=pcq name=SERVICE_UL pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=SIP_UL pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64
add kind=pcq name=OPERATING_UL pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=OTHER_UL pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-src-address6-mask=64
add kind=pcq name=WEB_DL pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64
add kind=pcq name=WEB_UL pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64
/queue tree
add name=SERVICE_DL packet-mark=SERVICE parent=DOWNLOAD priority=1 \
    queue=SERVICE_DL
add limit-at=1M max-limit=18M name=SIP_DL packet-mark=SIP parent=\
    DOWNLOAD priority=2 queue=SIP_DL
add name=OPERATING_DL packet-mark=OPERATING parent=DOWNLOAD priority=5 \
    queue=OPERATING_DL
add name=OTHER_DL packet-mark=OTHER parent=DOWNLOAD queue=OTHER_DL
add name=WEB_DL packet-mark=WEB parent=DOWNLOAD priority=3 queue=WEB_DL
add name=SERVICE_UL packet-mark=SERVICE parent=UPLOAD priority=1 queue=\
    SERVICE_UL
add limit-at=1M max-limit=18M name=SIP_UL packet-mark=SIP parent=UPLOAD \
    priority=2 queue=SIP_UL
add name=WEB_UL packet-mark=WEB parent=UPLOAD priority=3 queue=WEB_UL
add name=OPERATING_UL packet-mark=OPERATING parent=UPLOAD priority=5 \
    queue=OPERATING_UL
add name=OTHER_UL packet-mark=OTHER parent=UPLOAD queue=OTHER_UL
/routing table
add disabled=no fib name=to_main
add fib name=to_arenda
/interface ovpn-client
add auth=sha256 certificate=*1 cipher=aes256-cbc connect-to=200.200.200.210 \
    disabled=yes mac-address=02:93:29:76:69:39 name=n port=17300 protocol=\
    udp use-peer-dns=no user=o-gate verify-server-certificate=yes
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan91-bridge-if
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=guest-wifi-2ghz \
    name-format=prefix-identity name-prefix=2G radio-mac=2C:C8:1B:97:B2:D4
add action=create-dynamic-enabled master-configuration=guest-wifi-5ghz \
    name-format=prefix-identity name-prefix=5G radio-mac=2C:C8:1B:97:B2:D5
add action=create-dynamic-enabled master-configuration=arenda-wifi-5ghz \
    name-format=prefix-identity name-prefix=5G radio-mac=48:A9:8A:0A:C6:53
add action=create-dynamic-enabled master-configuration=arenda-wifi-2ghz \
    name-format=prefix-identity name-prefix=2G radio-mac=48:A9:8A:0A:C6:52
/interface bridge filter
add action=drop chain=forward in-bridge=bridge-vlan10
add action=drop chain=forward in-bridge=bridge-vlan20
add action=drop chain=forward in-bridge=bridge-vlan40
add action=drop chain=forward in-bridge=bridge-vlan60
/interface bridge port
add bridge=bridge-vlan91 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10 pvid=91
add bridge=bridge-vlan91 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9 pvid=91
add bridge=bridge-vlan70 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=70
add bridge=bridge-vlan70 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=70
add bridge=bridge-vlan80 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=80
add bridge=bridge-vlan91 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=91
add bridge=bridge-vlan10 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan10-sfp-if pvid=10
add bridge=bridge-vlan20 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan20-sfp-if pvid=20
add bridge=bridge-vlan40 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan40-sfp-if pvid=40
add bridge=bridge-vlan50 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan50-sfp-if pvid=50
add bridge=bridge-vlan60 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan60-sfp-if pvid=60
add bridge=bridge-vlan91 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan91-sfp-if pvid=91
add bridge=bridge-vlan70 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan70-sfp-if pvid=70
add bridge=bridge-vlan91 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan91-ether1-if pvid=91
add bridge=bridge-vlan70 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan70-ether1-if pvid=70
add bridge=bridge-vlan60 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan60-ether1-if pvid=60
add bridge=bridge-vlan40 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan40-ether1-if pvid=40
add bridge=bridge-vlan10 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan10-ether1-if pvid=10
add bridge=bridge-vlan80 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan80-sfp-if pvid=80
add bridge=bridge-vlan80 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan80-ether1-if pvid=80
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface bridge vlan
add bridge=bridge-vlan10 tagged=bridge-vlan10 vlan-ids=10
add bridge=bridge-vlan20 tagged=bridge-vlan20 vlan-ids=20
add bridge=bridge-vlan40 tagged=bridge-vlan40 vlan-ids=40
add bridge=bridge-vlan50 tagged=bridge-vlan50 vlan-ids=50
add bridge=bridge-vlan60 tagged=bridge-vlan60 vlan-ids=60
add bridge=bridge-vlan91 tagged=bridge-vlan91 vlan-ids=91
add bridge=bridge-vlan70 tagged=bridge-vlan70 vlan-ids=70
add bridge=bridge-vlan80 tagged=bridge-vlan80 vlan-ids=80
/interface list member
add interface=ether7 list=WAN
add interface=vlan10-bridge-if list=LAN
add interface=vlan20-bridge-if list=LAN
add interface=vlan40-bridge-if list=LAN
add interface=vlan60-bridge-if list=LAN
add interface=vlan91-bridge-if list=LAN
add interface=vlan10-bridge-if list=NTP
add interface=vlan20-bridge-if list=NTP
add interface=vlan40-bridge-if list=NTP
add interface=vlan50-bridge-if list=NTP
add interface=vlan60-bridge-if list=NTP
add interface=vlan70-bridge-if list=NTP
add interface=vlan80-bridge-if list=NTP
add interface=vlan91-bridge-if list=NTP
add interface=ether6 list=WAN
/interface ovpn-server server
set certificate=o enabled=yes port=13900 protocol=udp
/interface wireguard peers
add allowed-address="172.30.65.0/24,172.30.50.0/24,172.30.53.0/24,172.30.54.0/\
    24,172.30.57.0/24,172.30.59.0/24,172.30.60.0/24,172.30.61.0/24" \
    endpoint-address=200.200.200.59 endpoint-port=17301 interface=wg01 \
    public-key="kPGT/8jIgaBAoF92gcjgS1oRZz76jsA5NFuADCRI6FY="
/ip address
add address=172.29.50.254/24 interface=vlan10-bridge-if network=172.29.50.0
add address=172.29.51.254/24 interface=vlan20-bridge-if network=172.29.51.0
add address=172.29.53.254/24 interface=vlan40-bridge-if network=172.29.53.0
add address=172.29.54.254/24 interface=vlan50-bridge-if network=172.29.54.0
add address=172.29.55.254/24 interface=vlan60-bridge-if network=172.29.55.0
add address=172.29.56.254/24 interface=vlan91-bridge-if network=172.29.56.0
add address=172.29.57.254/24 comment="Local MGMT" interface=ether8 network=\
    172.29.57.0
add address=172.30.65.101/24 interface=wg01 network=172.30.65.0
add address=172.29.58.254/24 interface=vlan70-bridge-if network=172.29.58.0
add address=172.29.59.254/24 interface=vlan80-bridge-if network=172.29.59.0
add address=200.200.200.230/30 interface=ether6 network=200.200.200.228
/ip arp
add address=172.29.55.100 interface=vlan60-bridge-if mac-address=\
    00:D8:61:6E:27:0F
add address=192.168.123.1 comment="LTE router" interface=vlan80-bridge-if \
    mac-address=A0:A3:F0:54:40:2A
add address=172.29.58.101 comment="SKUD controller" interface=\
    vlan70-bridge-if mac-address=00:25:0B:02:B3:B7
add address=172.29.58.102 comment="SKUD intercom with monitor (BAS-IP)" \
    interface=vlan70-bridge-if mac-address=70:69:79:EE:03:74
add address=172.29.58.103 comment="SKUD call panel" interface=\
    vlan70-bridge-if mac-address=70:69:79:EE:07:38
/ip dhcp-client
add interface=ether7
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
add address=172.29.50.101 client-id=1:a8:5e:45:b1:79:89 comment=O-GLBUH \
    mac-address=A8:5E:45:B1:79:89 server=dhcp-vlan10-office
add address=172.29.50.102 client-id=1:70:85:c2:9f:de:56 comment=O-BUH2 \
    mac-address=70:85:C2:9F:DE:56 server=dhcp-vlan10-office
add address=172.29.55.102 client-id=1:be:c9:1d:f9:4f:a4 comment=\
    "Consultant+ VM" mac-address=BE:C9:1D:F9:4F:A4 server=\
    dhcp-vlan60-services
add address=172.29.55.104 client-id=1:e4:e7:49:2:b7:9f comment=\
    "HP M402 - LAN" mac-address=E4:E7:49:02:B7:9F server=dhcp-vlan60-services
add address=172.29.55.101 client-id=1:0:17:c8:dd:5d:55 comment=\
    "Kyocera ECOSYS M5526cdw - LAN" mac-address=00:17:C8:DD:5D:55 server=\
    dhcp-vlan60-services
add address=172.29.58.101 comment="SKUD controller" mac-address=\
    00:25:0B:02:B3:B7 server=dhcp-vlan70-skud
add address=172.29.58.103 comment="SKUD call panel" mac-address=\
    70:69:79:EE:07:38 server=dhcp-vlan70-skud
add address=172.29.58.102 comment="SKUD intercom with monitor (BAS-IP)" \
    mac-address=70:69:79:EE:03:74 server=dhcp-vlan70-skud
/ip dhcp-server network
add address=172.29.50.0/24 dns-server=172.29.50.254 gateway=172.29.50.254 \
    netmask=24 ntp-server=172.29.50.254
add address=172.29.51.0/24 dns-server=172.29.51.254 gateway=172.29.51.254 \
    netmask=24 ntp-server=172.29.51.254
add address=172.29.53.0/24 dns-server=172.29.53.254 gateway=172.29.53.254 \
    netmask=24 ntp-server=172.29.53.254
add address=172.29.54.0/24 dns-server=172.29.54.254 gateway=172.29.54.254 \
    netmask=24 ntp-server=172.29.54.254
add address=172.29.55.0/24 dns-server=172.29.55.254 gateway=172.29.55.254 \
    netmask=24 ntp-server=172.29.55.254
add address=172.29.56.0/24 dns-server=172.29.56.254 gateway=172.29.56.254 \
    netmask=24 ntp-server=172.29.56.254
add address=172.29.57.0/24 dns-server=172.29.57.254 gateway=172.29.57.254 \
    netmask=24 ntp-server=172.29.57.254
add address=172.29.58.0/24 dns-server=172.29.58.254 gateway=172.29.58.254 \
    netmask=24 ntp-server=172.29.58.254
add address=172.29.59.0/24 dns-server=172.29.59.254 gateway=172.29.59.254 \
    netmask=24 ntp-server=172.29.59.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,212.45.0.3,212.45.2.5
/ip firewall address-list
add address=172.29.50.1-172.29.50.253 list=vlan10-office
add address=172.29.51.1-172.29.51.253 list=vlan20-guest
add address=172.29.52.31-172.29.52.50 list=ovpn-engineers
add address=172.29.53.1-172.29.53.253 list=vlan40-phones
add address=172.29.54.1-172.29.54.253 list=vlan50-cameras
add address=172.29.55.1-172.29.55.253 list=vlan60-services
add address=172.29.56.1-172.29.56.253 list=vlan91-management
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=172.29.50.1-172.29.57.253 list=LAN
add address=172.29.50.101-172.29.50.102 comment=\
    "Access to K+ from buh machines" list=k_plus
add address=172.30.61.0/24 list=n-mgmt
add address=172.30.53.31 comment="Engineer 1" list=k_plus
add address=172.29.52.78 comment=Glavbuh list=k_plus
add address=172.30.65.0/24 list=n-mgmt
add address=172.30.52.0/24 list=n-mgmt
add address=172.30.53.31 comment="Support from main office" list=user-support
add address=172.30.54.100 list=user-support
add address=172.30.59.100 list=user-support
add address=172.29.59.1-172.29.59.253 list=vlan80-arenda
add address=172.29.58.1-172.29.58.253 list=vlan70-skud
/ip firewall filter
add action=accept chain=input comment=Podstrahovka disabled=yes src-address=\
    172.29.57.31
add action=add-src-to-address-list address-list=KNOCK-1 address-list-timeout=\
    5s chain=input dst-port=10000 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=KNOCK-2 address-list-timeout=\
    5s chain=input dst-port=11000 in-interface-list=WAN protocol=tcp \
    src-address-list=KNOCK-1
add action=add-src-to-address-list address-list=KNOCK-ACCEPT \
    address-list-timeout=15s chain=input dst-port=52000 in-interface-list=WAN \
    protocol=tcp src-address-list=KNOCK-2
add action=accept chain=input comment="Accept established, related" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment=\
    "Accept established, related" connection-state=established,related \
    disabled=yes hw-offload=yes
add action=accept chain=forward comment="Accept established, related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop forward from cameras to internet" \
    out-interface-list=WAN src-address-list=vlan50-cameras
add action=drop chain=forward comment="Drop forward from SKUD to internet" \
    out-interface-list=WAN src-address-list=vlan70-skud
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
    "Accept forward from LAN list to internet" in-interface-list=LAN \
    out-interface=ether7
add action=accept chain=forward comment=\
    "Accept forward from arendators network list to second internet channel" \
    in-interface=vlan80-bridge-if out-interface=ether6
add action=accept chain=forward comment=\
    "Accept forward from engineers (OpenVPN)" in-interface=all-ppp \
    src-address-list=ovpn-engineers
add action=accept chain=forward comment=\
    "Accept forward from glavbuh (OpenVPN) to her PC" dst-address=\
    172.29.50.101 src-address=172.29.52.78
add action=accept chain=forward comment=\
    "Allow forward from office to Kyocera ECOSYS M5526cdw (old)" dst-address=\
    172.29.55.101 in-interface=vlan10-bridge-if out-interface=\
    vlan60-bridge-if src-address-list=vlan10-office
add action=accept chain=forward comment=\
    "Allow forward from office to HP M402 - LAN" dst-address=172.29.55.104 \
    in-interface=vlan10-bridge-if out-interface=vlan60-bridge-if \
    src-address-list=vlan10-office
add action=accept chain=forward comment=\
    "Allow forward from consultant address list to consultant plus" disabled=\
    yes dst-address=172.29.55.102 in-interface=vlan10-bridge-if \
    out-interface=vlan60-bridge-if src-address-list=k_plus
add action=accept chain=forward comment="Allow forward to consultant plus" \
    disabled=yes dst-address=172.29.55.102 src-address-list=k_plus
add action=accept chain=forward comment=\
    "Allow forward from n mgmt vlan to mgmt vlan" dst-address=\
    172.29.56.0/24 in-interface=wg01 src-address=172.30.61.0/24
add action=accept chain=forward comment="Allow forward from n engineer 1" \
    dst-address=172.29.0.0/16 in-interface=wg01 src-address=172.30.53.31
add action=accept chain=forward comment=\
    "Allow forward from main office engineers to VLAN 10 (office)" \
    dst-address-list=vlan10-office in-interface=wg01 src-address-list=\
    user-support
add action=accept chain=forward comment=\
    "Allow forward from main office Perco VM (SKUD) to SKUD controller" \
    dst-address=172.29.58.101 in-interface=wg01 src-address=172.30.57.110
add action=accept chain=forward comment=\
    "Allow forward from SKUD controller to main office Perco VM (SKUD)" \
    dst-address=172.30.57.110 out-interface=wg01 src-address=172.29.58.101
add action=accept chain=forward comment=\
    "Allow forward from VLAN91 (MGMT) to everywhere" disabled=yes \
    in-interface=vlan91-bridge-if src-address-list=vlan91-management
add action=accept chain=forward comment=\
    "Accept forward from OpenVPN to internet" disabled=yes in-interface=\
    all-ppp out-interface-list=WAN
add action=accept chain=forward comment="Allow forward dstnat'ed" \
    connection-nat-state=dstnat connection-state=new
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment="Drop forward not dstnat'ed" \
    connection-nat-state=!dstnat disabled=yes
add action=drop chain=forward
add action=accept chain=input comment="Accept DNS from LAN" disabled=yes \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Accept DNS and DHCP from LAN" \
    disabled=yes dst-port=53,67 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Accept DNS from VLAN10 (office)" \
    dst-address=172.29.50.254 dst-port=53 protocol=tcp src-address-list=\
    vlan10-office
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN10 (office)" dst-address=172.29.50.254 \
    dst-port=53,67 protocol=udp src-address-list=vlan10-office
add action=accept chain=input comment="Accept DNS from VLAN20 (guest)" \
    dst-address=172.29.51.254 dst-port=53 in-interface=vlan20-bridge-if \
    protocol=tcp src-address-list=vlan20-guest
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN20 (guest)" dst-address=172.29.51.254 \
    dst-port=53,67 in-interface=vlan20-bridge-if protocol=udp \
    src-address-list=vlan20-guest
add action=accept chain=input comment="Accept DHCP from OpenVPN" disabled=yes \
    dst-port=67 in-interface=all-ppp protocol=udp
add action=accept chain=input comment="Accept DNS from OpenVPN" dst-address=\
    172.29.52.254 dst-port=53 in-interface=all-ppp protocol=tcp src-address=\
    172.29.52.0/24
add action=accept chain=input comment="Accept DNS and DHCP from OpenVPN" \
    dst-address=172.29.52.254 dst-port=53,67 in-interface=all-ppp protocol=\
    udp src-address=172.29.52.0/24
add action=accept chain=input comment="Engineers input from OpenVPN" \
    dst-port=80,18111 in-interface=all-ppp protocol=tcp src-address-list=\
    ovpn-engineers
add action=accept chain=input comment="Accept DNS from VLAN40 (phones)" \
    dst-address=172.29.53.254 dst-port=53 in-interface=vlan40-bridge-if \
    protocol=tcp src-address-list=vlan40-phones
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN40 (phones)" dst-address=172.29.53.254 \
    dst-port=53,67 in-interface=vlan40-bridge-if protocol=udp \
    src-address-list=vlan40-phones
add action=accept chain=input comment="Accept DHCP from VLAN50 (cameras)" \
    dst-address=172.29.54.254 dst-port=67 in-interface=vlan50-bridge-if \
    protocol=udp src-address-list=vlan50-cameras
add action=accept chain=input comment="Accept DNS from VLAN60 (services)" \
    dst-address=172.29.55.254 dst-port=53 in-interface=vlan60-bridge-if \
    protocol=tcp src-address-list=vlan60-services
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN60 (services)" dst-address=172.29.55.254 \
    dst-port=53,67 in-interface=vlan60-bridge-if protocol=udp \
    src-address-list=vlan60-services
add action=accept chain=input comment="Accept DNS from VLAN80 (arenda)" \
    dst-address=172.29.59.254 dst-port=53 in-interface=vlan80-bridge-if \
    protocol=tcp src-address-list=vlan80-arenda
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN80 (arenda)" dst-address=172.29.59.254 \
    dst-port=53,67 in-interface=vlan80-bridge-if protocol=udp \
    src-address-list=vlan80-arenda
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN91 (management)" dst-address=172.29.56.254 \
    dst-port=53,67 in-interface=vlan91-bridge-if protocol=udp \
    src-address-list=vlan91-management
add action=accept chain=input comment="Accept input from VLAN91 (management)" \
    dst-address=172.29.56.254 dst-port=53,80,8291,18111 in-interface=\
    vlan91-bridge-if protocol=tcp src-address-list=vlan91-management
add action=accept chain=input comment=\
    "Accept DNS and DHCP from MGMT interface" dst-address=172.29.57.254 \
    dst-port=53,67 in-interface=ether8 protocol=udp src-address=\
    172.29.57.0/24
add action=accept chain=input comment="Accept input from MGMT interface" \
    dst-address=172.29.57.254 dst-port=80,8291,18111 in-interface=ether8 \
    protocol=tcp src-address=172.29.57.0/24
add action=accept chain=input comment=\
    "Accept input from  new office (MGMT VLAN over WireGuard)" \
    dst-address=172.30.65.101 dst-port=80,8291,18111 in-interface=wg01 \
    protocol=tcp src-address-list=n-mgmt
add action=accept chain=input comment=\
    "Accept input from  new office (MGMT VLAN over OpenVPN)" disabled=yes \
    dst-address=172.30.52.245 dst-port=80,8291,18111 in-interface=n \
    protocol=tcp src-address-list=n-mgmt
add action=accept chain=input comment="Accept OpenVPN" dst-port=13900 \
    in-interface=ether7 protocol=udp
add action=accept chain=input comment="Accept Wireguard" dst-port=16701 \
    in-interface=ether7 protocol=udp
add action=accept chain=input comment="Accept SSH from WAN" dst-port=18111 \
    in-interface=ether7 protocol=tcp src-address-list=KNOCK-ACCEPT
add action=accept chain=input comment="Accept SSH from WAN (tmp rule)" \
    dst-port=18111 protocol=tcp
add action=accept chain=input comment="Accept NTP from NTP list" dst-port=123 \
    in-interface-list=NTP protocol=udp
add action=accept chain=input comment="Accept ICMP" disabled=yes \
    in-interface-list=LAN protocol=icmp
add action=accept chain=input comment="Accept ICMP from VLAN10 (office)" \
    dst-address=172.29.50.254 protocol=icmp src-address-list=vlan10-office
add action=accept chain=input comment="Accept ICMP from VLAN20 (guest)" \
    dst-address=172.29.51.254 in-interface=vlan20-bridge-if protocol=icmp \
    src-address-list=vlan20-guest
add action=accept chain=input comment="Accept ICMP from OpenVPN" dst-address=\
    172.29.52.254 in-interface=all-ppp protocol=icmp src-address=\
    172.29.52.0/24
add action=accept chain=input comment="Accept ICMP from WireGuard" \
    dst-address=172.30.65.101 in-interface=wg01 protocol=icmp
add action=accept chain=input comment="Accept ICMP from VLAN40 (phones)" \
    dst-address=172.29.53.254 in-interface=vlan40-bridge-if protocol=icmp \
    src-address-list=vlan40-phones
add action=accept chain=input comment="Accept ICMP from VLAN50 (cameras)" \
    dst-address=172.29.54.254 in-interface=vlan50-bridge-if protocol=icmp \
    src-address-list=vlan50-cameras
add action=accept chain=input comment="Accept ICMP from VLAN60 (services)" \
    dst-address=172.29.55.254 in-interface=vlan60-bridge-if protocol=icmp \
    src-address-list=vlan60-services
add action=accept chain=input comment="Accept ICMP from VLAN80 (arenda)" \
    dst-address=172.29.59.254 in-interface=vlan80-bridge-if protocol=icmp \
    src-address-list=vlan80-arenda
add action=accept chain=input comment="Accept ICMP from VLAN91 (management)" \
    dst-address=172.29.56.254 in-interface=vlan91-bridge-if protocol=icmp \
    src-address-list=vlan91-management
add action=accept chain=input comment="Accept ICMP from MGMT interface" \
    dst-address=172.29.57.254 in-interface=ether8 protocol=icmp src-address=\
    172.29.57.0/24
add action=accept chain=input comment=\
    "Accept ICMP from  new office gate (over WireGuard)" disabled=yes \
    dst-address=172.30.65.101 in-interface=wg01 protocol=icmp src-address=\
    172.30.65.100
add action=accept chain=input comment=\
    "Accept ICMP from  new office (MGMT VLAN over WireGuard)" disabled=yes \
    dst-address=172.30.65.101 in-interface=wg01 protocol=icmp
add action=accept chain=input comment=\
    "Accept ICMP from  new office gate (over OpenVPN)" dst-address=\
    172.30.52.245 protocol=icmp
add action=drop chain=input connection-state=""
add action=accept chain=output comment="Accept output"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
/ip firewall mangle
add action=mark-packet chain=forward comment=\
    "Mark forward ICMP packets with SERVICE mark" new-packet-mark=SERVICE \
    passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting comment=\
    "Mark DNS (TCP) packets with SERVICE mark" new-packet-mark=SERVICE \
    passthrough=yes port=53 protocol=tcp
add action=mark-packet chain=postrouting comment=\
    "Mark DNS (UDP) packets with SERVICE mark" new-packet-mark=SERVICE \
    passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting comment=\
    "Mark forward ICMP packets with SERVICE mark" new-packet-mark=SERVICE \
    packet-size=0-123 passthrough=yes protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment=\
    "Mark forward SIP packets with SIP mark" dst-address-list=vlan70-phones \
    new-packet-mark=SIP passthrough=yes
add action=mark-packet chain=forward comment=\
    "Mark forward SIP packets with SIP mark" new-packet-mark=SIP passthrough=\
    yes src-address-list=vlan70-phones
add action=mark-packet chain=forward comment=\
    "Mark forward SSH packets with OPERATING mark" new-packet-mark=OPERATING \
    passthrough=yes port=22 protocol=tcp
add action=mark-packet chain=forward comment=\
    "Mark forward RDP packets with OPERATING mark" new-packet-mark=OPERATING \
    passthrough=yes port=3389 protocol=tcp
add action=mark-packet chain=forward comment=\
    "Mark forward WEB packets with WEB mark" new-packet-mark=WEB passthrough=\
    yes port=80,443 protocol=tcp
add action=mark-packet chain=prerouting comment=\
    "Mark input OpenVPN packets with OPERATING mark" new-packet-mark=\
    OPERATING passthrough=yes port=13900 protocol=udp
add action=mark-packet chain=prerouting comment=\
    "Mark input Wireguard packets with OPERATING mark" new-packet-mark=\
    OPERATING passthrough=yes port=16701 protocol=udp
add action=route chain=prerouting disabled=yes dst-address-list=\
    !no_forward_ipv4 in-interface=bridge-vlan80 passthrough=yes route-dst=\
    200.200.200.229 src-address-list=vlan80-arenda
add action=mark-connection chain=prerouting comment=\
    "Connmark in from  main" connection-mark=no-mark disabled=yes \
    in-interface=ether7 new-connection-mark=conn_main passthrough=no
add action=mark-connection chain=prerouting comment=\
    "Connmark in from  arenda" connection-mark=no-mark disabled=yes \
    in-interface=ether6 new-connection-mark=conn_arenda passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Routemark transit out via  main" connection-mark=conn_main \
    disabled=yes dst-address-type=!local in-interface-list=!WAN \
    new-routing-mark=to_main passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Routemark transit out via  arenda" connection-mark=\
    conn_arenda disabled=yes dst-address-type=!local in-interface-list=\
    !WAN new-routing-mark=to_arenda passthrough=no
add action=mark-routing chain=output comment=\
    "Routemark local out via  main" connection-mark=conn_main \
    disabled=yes dst-address-type=!local new-routing-mark=to_main \
    passthrough=no
add action=mark-routing chain=output comment=\
    "Routemark local out via  arenda" connection-mark=conn_arenda \
    disabled=yes dst-address-type=!local new-routing-mark=to_arenda \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Arenda via  arenda channel" disabled=yes dst-address-list=\
    !no_forward_ipv4 new-routing-mark=to_arenda passthrough=no \
    src-address-list=vlan80-arenda
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether7 src-address-list=LAN
add action=masquerade chain=srcnat comment="Access for arendators network" \
    ipsec-policy=out,none out-interface=ether6 src-address-list=vlan80-arenda
/ip firewall raw
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip route
add comment="Emergency route" distance=254 gateway=br-lo
add disabled=yes distance=1 dst-address=172.30.61.0/24 gateway=172.30.52.254 \
    pref-src="" routing-table=main suppress-hw-offload=no
add dst-address=172.30.53.0/24 gateway=wg01
add dst-address=172.30.50.0/24 gateway=wg01
add dst-address=172.30.61.0/24 gateway=wg01
add dst-address=172.30.54.0/24 gateway=wg01
add dst-address=172.30.57.0/24 gateway=wg01
add dst-address=172.30.59.0/24 gateway=wg01
add dst-address=172.30.60.0/24 gateway=wg01
add dst-address=172.30.61.0/24 gateway=wg01
add comment="Marked via  arenda" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=200.200.200.229 pref-src="" routing-table=\
    to_arenda scope=30 suppress-hw-offload=no target-scope=10
add comment="Access to VLAN80 (arenda) in its table" disabled=no dst-address=\
    172.29.59.0/24 gateway=vlan80-bridge-if pref-src="" routing-table=\
    to_arenda scope=10 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address="172.29.57.0/24,172.29.56.0/24,172.29.52.0/24,172.30.52.0/24,1\
    72.30.61.0/24,172.30.65.0/24,127.0.0.1/32"
set ssh port=18111
set api disabled=yes
set winbox address=\
    172.29.57.0/24,172.29.56.0/24,172.30.61.0/24,172.30.65.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=local host-key-size=4096 strong-crypto=yes
/ipv6 firewall filter
add action=drop chain=forward
add action=drop chain=input
add action=drop chain=output
/lcd
set enabled=no
/lcd pin
set pin-number=5817
/ppp secret
add name=k.tolmacheva profile=ovpn remote-address=172.29.52.78 service=ovpn
/routing rule
add action=lookup-only-in-table disabled=no dst-address=172.29.50.0/24 table=\
    main
add action=lookup-only-in-table disabled=no dst-address=172.29.51.0/24 table=\
    main
add action=lookup-only-in-table disabled=no dst-address=172.29.52.0/24 table=\
    main
add action=lookup-only-in-table disabled=no dst-address=172.29.53.0/24 table=\
    main
add action=lookup-only-in-table disabled=no dst-address=172.29.54.0/24 table=\
    main
add action=lookup-only-in-table disabled=no dst-address=172.29.55.0/24 table=\
    main
add action=lookup-only-in-table disabled=no dst-address=172.29.56.0/24 table=\
    main
add action=lookup-only-in-table disabled=no dst-address=172.29.58.0/24 table=\
    main
add action=lookup disabled=yes dst-address=172.29.59.0/24 table=main
add action=lookup disabled=no dst-address=172.29.59.0/24 table=\
    to_arenda
/system identity
set name=old-Gate
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=200.200.200.8
add address=200.200.200.23
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=172.29.56.0/24 store-on-disk=no
/tool graphing resource
add allow-address=172.29.56.0/24 store-on-disk=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no



Tried with the same result: without the mangle rule there is no internet connection on the wan2 subnet.


DNS, NTP, ICMP

There is nothing stopping LAN users from accessing Router Services regardless of which WAN they go out of…
Not quite sure what the real issue is here…

Access to router services is determined by your input chain rules not by mangling or routing rules.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If this is a home router setup, I would drastically simplify to get the core traffic required working and then add on things as really needed.
Would get rid of capsman, not use bridges for WANs, separate LANs into two bridges (ports 3-5 and 6-10) and use vlans for all local subnets.
Would add on only needed traffic flows first before adding other stuff.

+++++++++++++++++++++++++++++++++++++++

No mangling required
/routing table
add fib name=to_arenda

/routing rule
add action=lookup src-address=subnet40 table=to_arenda

IF you need access to any other subnets from subnet40 ( traffic to or from other subnets), then put those subnets first in routing rules as indicated.

/routing rule
add action=lookup-only-in-table dst-address=subnet70 table=main
add action=lookup src-address=subnet40 table=to_arenda

++++++++++++

The issue may be your regular IP routes.
add check-gateway=ping distance=5 dst-address=0.0.0.0/0 gateway=179.29.59.1 routing-table=main
add distance=10 dst-address=0.0.0.0/0 gateway=200.200.200.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=200.200.200.1 routing-table=to_arenda



Shouldn't this IP address be in the format
/ip address
add address=200.200.200.230/30 interface=ether6 network=200.200.200.0


Why do you use local subnets that look like your WAN IP address or very close…

For example, if all your subnets are in the format 10.10.10.X / 10.10.20.X etc…
you can make a rule:
add action=lookup-only-in-table dst-address=10.10.10.0/17 table=main
instead of many single subnet rules.

Too complex to ask a simple question…

It is very important that you apply new-route-mark mangling that indicates a second routing table only to traffic that is actually going to internet.
When you apply it to packets that go to the internal network (incoming traffic) that traffic will not arrive.
So you must make sure that you configure your mangle rules accordingly.

In v6 some configurations could work that now fail in v7, because in v6 after looking up via the indicated routing table and finding no result, the router would additionally look in the main table. V7 no longer does that. But it should not affect this case.

anav
Thank you for your time and answers!

It’s a small office setup, so it needs to be online at all times. Some misconfiguration, different bridges for example, was made because I need different bridge settings for different VLANs and didn’t find another way.


This question isn’t clear to me. With this address and mask the network address will be 200.200.200.228. On the other hand, the help has this example without any explanation:

/ip address
add address=10.1.1.1/32 interface=ether1 network=172.16.1.1



Every WAN address in the config export was replaced with 200.200.200.X. They are not real addresses.

None of the other advice helped.


pe1chl

That’s it! Added dst-address-type=!local to the mangle rule, so it now looks like this:

add action=mark-routing chain=prerouting comment="Arenda via arenda channel" dst-address-list=!no_forward_ipv4 dst-address-type=!local new-routing-mark=to_arenda passthrough=no src-address-list=vlan80-arenda

and it works!

Thank you for helping! Solved.
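To make pe1chl's point concrete (routing marks must only be applied to traffic that is really leaving the router, because local routes exist only in table main in v7), here is an added example that models the lookup decision in Python. It is not RouterOS code and not part of this thread; it is a constructed model of the tables and the mangle rule from the config above. The router addresses and prefixes come from the posted /ip address and /ip route sections, the WAN destination 203.0.113.5 is a constructed sample, and the assumed v7 behaviour is that a lookup in to_arenda never falls back to main:

```python
"""Constructed model of the policy-routing decision discussed in the thread.
Not RouterOS code: it only reproduces why marking ALL traffic from VLAN80
into table to_arenda breaks access to the router's own addresses, and why
adding dst-address-type=!local to the mangle rule fixes it."""
import ipaddress

# Router's own addresses, taken from the posted /ip address section.
ROUTER_ADDRS = {"172.29.50.254", "172.29.59.254", "200.200.200.230"}

# Routing tables as (prefix, next-hop description). The /32 "local" routes that
# deliver a packet to the router's input chain exist only in main (assumption
# based on pe1chl's remark that local routes are auto-added to main only).
TABLES = {
    "main": [
        ("172.29.50.0/24", "connected vlan10-bridge-if"),
        ("172.29.59.0/24", "connected vlan80-bridge-if"),
        ("200.200.200.228/30", "connected ether6"),
        ("0.0.0.0/0", "WAN1 via ether7"),
    ] + [(addr + "/32", "local (input chain)") for addr in sorted(ROUTER_ADDRS)],
    "to_arenda": [
        ("0.0.0.0/0", "WAN2 via 200.200.200.229"),
        ("172.29.59.0/24", "connected vlan80-bridge-if"),
    ],
}

VLAN80 = ipaddress.ip_network("172.29.59.0/24")   # the vlan80-arenda list


def lookup(table, dst):
    """Longest-prefix match inside ONE table. Models v7: no fallback to main."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "unreachable (no route in table)"


def mark_routing(src, dst, exclude_local):
    """Model of the prerouting mangle rule from the thread:
    src-address-list=vlan80-arenda -> new-routing-mark=to_arenda.
    With exclude_local=True the rule also carries dst-address-type=!local,
    i.e. packets addressed to the router itself keep the main table."""
    if ipaddress.ip_address(src) not in VLAN80:
        return "main"
    if exclude_local and dst in ROUTER_ADDRS:
        return "main"
    return "to_arenda"


def route_packet(src, dst, exclude_local):
    """Return (table used, where the packet ends up)."""
    table = mark_routing(src, dst, exclude_local)
    return table, lookup(table, dst)


def scenarios():
    """Three packets, each with and without the dst-address-type=!local fix."""
    cases = [
        ("VLAN80 host -> internet", "172.29.59.10", "203.0.113.5"),
        ("VLAN80 host -> router's VLAN80 address", "172.29.59.10", "172.29.59.254"),
        ("VLAN10 host -> router's VLAN10 address", "172.29.50.10", "172.29.50.254"),
    ]
    return {
        (name, fixed): route_packet(src, dst, fixed)
        for name, src, dst in cases
        for fixed in (False, True)
    }


if __name__ == "__main__":
    for (name, fixed), (table, result) in scenarios().items():
        tag = "with !local" if fixed else "mark everything"
        print(f"{name:42s} [{tag:16s}] table={table:9s} -> {result}")
```

Without the fix, a ping from a VLAN80 host to 172.29.59.254 is marked into to_arenda, matches the connected 172.29.59.0/24 route there and is sent back out the bridge instead of being delivered to the input chain, which is exactly the "internet works, router unreachable" symptom in the first post. With dst-address-type=!local the packet stays in main, hits the /32 local route and reaches the firewall input rules.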

Yeah I have already made a feature request to have an option to automatically add local routes to additional route tables (they only are automatically added to table main), but we’ll have to wait and see if that ever gets honored. In my environment this is also a regularly occurring problem.

http://forum.mikrotik.com/t/feature-requests/41609/1601