MT1 runs v7 for some time. I was reluctant to update MT0 to v7 but because the issues with OSPF I decided to do so.
After update I have strange situation. MT0 cannot ping any device in LAN1 except MT1 on his LAN1 IP.
I checked routing, it is ok. I actually have OSPF turned off before update and all is on static routing.
Firewall is also ok.
MT0 is NAT is all incoming connections are NATted properly to various devices in LAN1 and it works fine. The only thing that does not work is making any connection from MT0 to devices in LAN1.
I found it out because I have script that makes backup and sends it to email using local mail server which is in LAN1 - which failed after update.
Strange thing I noticed is when I set firewall rules on both MT0 and MT1 to monitor IMCP packets just to see what is going on. Ping goes from MT0 to pinged device, and reply comes back, but on MT0 connection is not in input chain but in forward chain, like router thinks it is not connection to itself but it should be forwarded somewhere else.
It worked fine before update to v7 and I noticed this immediately after update, before I did any changes to configuration.
ON MT0 I actually have two internet links and I have mangling that is marking connections in prerouting so it can pass responses back through originating link. I have this se years so I believe while MT was version 3 and it worked flawlessly. It did not catch connections originating to and from router itself on LAN interface.
It seems in V7 this same prerouting marking catches connections that have router as destination too, and then those connections are rerouted to internet links instead ending up in router.
When I disable this prerouting marking, connections from tourer to LAN0 works fine.
As temporary solution, I changed prerouting rule to avoid connections that are coming to router’s LAN IP. I do not like it, and I hope there is better way to handle this not involving using IP addresses.
Is there way to mark connection in prerouting but only if connection is going to be in forward chain?
Prerouting, as the name implies, takes place before a routing decision is made. At this point the router doesn’t know yet where the packet will go. The only solution I see is to use matchers based on IP or interface. I didn’t fully understand where you mark the connections, can you mark only on WAN interface?
I don’t know why it worked before since I didn’t use MikroTik until v7, but what it does there is basic Linux iptables/netfilter functionality.
Router has one LAN and two WAN interfaces. Prerouting rule marks all connections coming to LAN interface. Until v7 it did not catch incoming connections directed to router, just those that were going to WAN interfaces.
I agree how it behaves now is logical, but it would be good to have option to distinguish incoming connections that are directed to router itself not meant to be routed to other interfaces.
Wouldn’t the suggestion from @jaclaz work? Just do the marking in forward chain with the LAN interface matcher. I don’t know your overall design, but maybe you can achieve the same outcome without any marking and just using routing rules (which are more efficient).
When I was dealing with it it was required to do marking in prerouting. I will check if it now works in forward chain too.
This is bit complex setting requiring number of rules, so it have to wait opportunity when I can fiddle with it without interrupting regular network usage.