zelon
just joined
Topic Author
Posts: 13
Joined: Mon Nov 07, 2011 1:08 am

Routing mark through L2TPclient

Wed Sep 13, 2017 6:01 pm

I have 2 routers connected through L2TP. There's access from one side to another, both ways. My problem is

/ip firewall mangle add chain=prerouting content=some_name action=mark-routing new-routing-mark=Through_VPN

I've added

/ip route add dst-address=0.0.0.0/0 gateway="My VPN" routing-mark=Through_VPN

This is not working. When I change mangle to

/ip firewall mangle add chain=prerouting src-address=host_or_subnet action=mark-routing new-routing-mark=Through_VPN

it works.

Any hints?
 
Sob
Forum Guru
Posts: 3077
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing mark through L2TPclient

Wed Sep 13, 2017 6:15 pm

The content option searches for stuff inside packets. So if you need to mark routing just for single packets (e.g. UDP DNS queries), it can work. But not for anything more complex, e.g. whole TCP is out, because the content will be only in one packet and not in the rest belonging to the connection. Even if you'd want to mark the connection first, it still wouldn't work, because the content would not be in the very first packet, but only in some later one. And once the connection goes one way, you can't change it.
 
zelon
just joined
Topic Author
Posts: 13
Joined: Mon Nov 07, 2011 1:08 am

Re: Routing mark through L2TPclient

Wed Sep 13, 2017 9:04 pm

The content option searches for stuff inside packets. So if you need to mark routing just for single packets (e.g. udp dns queries), it can work. But not for anything more complex, e.g. whole tcp is out, because the content will be only in one packet and not in the rest belonging to connection. Even if you'd want to mark connection first, it still wouldn't work, because content would not be in very first packet, but only in some later one. And once the connection goes one way, you can't change it.
Indeed, I tried with a connection mark, without success. It seems that the only way to do it is to write a script which will ask DNS for the IP addresses for this domain and mark routes according to an address list.
 
Sob
Forum Guru
Posts: 3077
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing mark through L2TPclient

Thu Sep 14, 2017 5:27 am

You don't need a script; the firewall's address list has supported hostnames for some time now.
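Putting the two answers together, here is an added RouterOS v6 configuration (not posted in the thread) that does what the original poster wanted: the address list resolves the domain, the first packet of each new connection gets a connection mark, and the connection mark carries the routing mark for the rest of the flow. The domain (example.com), interface name (l2tp-out1) and list/mark names are placeholders.

```routeros
# 1. Address list entry with a hostname. RouterOS resolves it itself and
#    refreshes the resulting addresses when the DNS record's TTL expires.
/ip firewall address-list
add list=vpn_domains address=example.com comment="placeholder domain, resolved by the router"

# 2. Mark the connection on its first packet (connection-state=new) when the
#    destination is in the list, then derive the routing mark from the
#    connection mark on every packet. This is what a content= match cannot do,
#    since the matching bytes are not in the first packet of a TCP stream.
/ip firewall mangle
add chain=prerouting dst-address-list=vpn_domains connection-state=new \
    action=mark-connection new-connection-mark=vpn_conn passthrough=yes
add chain=prerouting connection-mark=vpn_conn \
    action=mark-routing new-routing-mark=Through_VPN passthrough=no

# 3. Default route used only by packets carrying the routing mark.
#    l2tp-out1 is the L2TP client interface name (placeholder).
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=Through_VPN
```

Because the router resolves the hostname on its own, a LAN client that uses a different resolver can receive addresses not yet in the list; pointing clients at the router's DNS avoids that mismatch. The routing-mark syntax above is RouterOS v6, as used in the thread.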
