I have the following problem with mangle and action=passthrough: I am routing all the traffic through the VPN, but with a JUMP rule I avoid using the VPN to get to the WEB Server. Here is the network scheme:
- Config RB850gx2:
[rtc@wispmikrotik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; VPNPTP_Passthrough_VPN
chain=prerouting action=jump jump-target=passthrough_VPN src-address-list=hw-lan dst-address-list=hw-lan log=no log-prefix=""
1 ;;; Route_VPN
chain=prerouting action=mark-routing new-routing-mark=vpn_vpnptp passthrough=yes src-address-list=hw-lan dst-address-list=!Netflix log=no log-prefix=""
2 ;;; Passthrough_VPN
chain=passthrough_VPN action=passthrough log=no log-prefix=""
With action=passthrough it does not work; with action=accept, instead, everything works correctly.
[rtc@wispmikrotik] /ip firewall address-list> print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 hw-lan 172.16.0.0/30
1 hw-lan 172.32.0.0/27
2 hw-lan 192.168.0.0/24
Isn't action=passthrough supposed to be "if packet is matched by the rule, increase counter and go to next rule"?
Test with the action=passthrough:
PC traceroute Server WEB:
pc:~$ traceroute 192.168.0.10 (Server WEB)
traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 38 byte packets
1 172.32.0.1 (172.32.0.1) 0.536 ms 0.434 ms 0.426 ms
2 10.95.95.1 (10.95.95.1) 32.369 ms 30.681 ms 31.700 ms
3^C
Test 2:
But if we put action=accept in rule 2 of the mangle table:
pc:~$ traceroute 192.168.0.10 (Server WEB)
traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 38 byte packets
1 172.32.0.1 (172.32.0.1) 0.536 ms 0.434 ms 0.426 ms - Ubiquiti
2 172.16.0.1 (10.95.95.1) 32.369 ms 30.681 ms 31.700 ms - RB850gx2
3 192.168.0.10 (192.168.0.10) 1.070 ms 0.967 ms 0.992 ms - Server WEB
Regards.
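The behaviour seen in the two traceroutes follows from how RouterOS walks mangle chains: a jumped-to chain that ends (or a matched passthrough rule) returns control to the calling chain, so rule 1 (Route_VPN) still runs and applies the routing mark, whereas action=accept stops mangle processing for that packet. The following Python model of the three rules above is an added example, not from the post or from MikroTik; the "Netflix" address-list content and the client address 172.32.0.5 are constructed placeholders, since the post does not show them.

```python
import ipaddress

# Address lists copied from the post; "Netflix" content is a constructed placeholder.
ADDRESS_LISTS = {
    "hw-lan": ["172.16.0.0/30", "172.32.0.0/27", "192.168.0.0/24"],
    "Netflix": ["203.0.113.0/24"],  # placeholder, not on the page
}

def in_list(ip, name, negate=False):
    """Match an IP against an address list; negate models 'dst-address-list=!Netflix'."""
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ADDRESS_LISTS[name])
    return hit != negate

def build_rules(custom_chain_action):
    """The three mangle rules from the post; custom_chain_action is 'passthrough' or 'accept'."""
    lan_to_lan = lambda p: in_list(p["src"], "hw-lan") and in_list(p["dst"], "hw-lan")
    lan_not_netflix = lambda p: in_list(p["src"], "hw-lan") and in_list(p["dst"], "Netflix", negate=True)
    return {
        "prerouting": [
            {"match": lan_to_lan, "action": "jump", "target": "passthrough_VPN"},
            {"match": lan_not_netflix, "action": "mark-routing",
             "mark": "vpn_vpnptp", "passthrough": True},
        ],
        "passthrough_VPN": [
            {"match": lambda p: True, "action": custom_chain_action},
        ],
    }

def run_chain(rules, chain, pkt):
    """Walk one chain. Returns True when processing must stop (accept), False when
    the end of the chain is reached, which hands control back to the calling chain."""
    for rule in rules[chain]:
        if not rule["match"](pkt):
            continue
        action = rule["action"]
        if action == "accept":
            return True                      # mangle processing ends here
        if action == "jump":
            if run_chain(rules, rule["target"], pkt):
                return True                  # target chain accepted the packet
        elif action == "mark-routing":
            pkt["routing_mark"] = rule["mark"]
            if not rule["passthrough"]:
                return True
        # action == "passthrough": counter only, continue with the next rule
    return False

def routing_mark_for(custom_chain_action, src="172.32.0.5", dst="192.168.0.10"):
    """Routing mark a LAN client's packet to the WEB server ends up with."""
    pkt = {"src": src, "dst": dst, "routing_mark": None}
    run_chain(build_rules(custom_chain_action), "prerouting", pkt)
    return pkt["routing_mark"]
```

With the passthrough variant the packet leaves prerouting carrying vpn_vpnptp (hence the 10.95.95.1 VPN hop), while the accept variant leaves it unmarked and it is routed directly to the server.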