dog
Member Candidate
Topic Author
Posts: 186
Joined: Wed Aug 12, 2009 3:37 pm
Location: Germany

Packet Mark no longer retained after decrypting IPSec in v6?

Thu Jan 07, 2016 11:43 am

Hi,

I've had a RB450 running RouterOS 5.26 which I now had to replace with a newer model.
On v5 I had a mangle rule like this:
add action=mark-packet chain=prerouting dst-address-type=local dst-port=4500 log-prefix=MARK new-packet-mark=ipsec-input passthrough=no protocol=udp
I could then use that to match the packets after IPSec decryption:
add action=mark-connection chain=prerouting connection-mark=!ipsec-l2tp dst-port=1701 new-connection-mark=ipsec-l2tp packet-mark=ipsec-input protocol=udp
However it seems that v6.33.3 drops the packet mark after decryption (the second rule never matches).
So how can this be achieved now?

Regards

Max
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Packet Mark no longer retained after decrypting IPSec in v6?

Thu Jan 07, 2016 5:55 pm

This actually sounds like correct behavior to me because technically, the inner encapsulated packet is not the same packet as the tunnel packet it arrived in. If you follow the new packet flow diagram for v6, then you'll see that a loop happens whenever decapsulation occurs and then the inner packet is handled as if it had just arrived at the router natively.

I think you're going to need to start marking based on the remote source IP or something similar.
 
dog
Member Candidate
Topic Author
Posts: 186
Joined: Wed Aug 12, 2009 3:37 pm
Location: Germany

Re: Packet Mark no longer retained after decrypting IPSec in v6?

Tue Jan 19, 2016 12:15 am

So, while I can no longer get the packet marking to work like in v5 there now seems to be a native replacement:
/ip firewall filter> add ipsec-policy=

IpsecPolicy ::= Direction,Policy
  Direction ::= in | out
  Policy ::= ipsec | none
Setting it to "in,ipsec" will only match packets that were decrypted from IPSec.
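An added configuration example (not from this thread and not MikroTik's own documentation) showing how the v5 packet-mark pair from the opening post can be replaced with the ipsec-policy matcher, plus the filter rules a defender would pair with it so that L2TP is only accepted when it actually arrived inside IPsec. The connection-mark name ipsec-l2tp and the in,ipsec value are taken from the thread; the example assumes the ipsec-policy matcher is accepted in the mangle table as well as in filter.

```routeros
# Added example, not from the thread: replaces the v5 packet-mark approach
# (mark on UDP/4500, match the mark after decryption) with the v6 matcher.

# 1. Mark L2TP connections only when the UDP/1701 packet was just decrypted
#    from an IPsec SA (assumption: ipsec-policy is accepted in mangle too).
/ip firewall mangle
add chain=prerouting ipsec-policy=in,ipsec protocol=udp dst-port=1701 \
    connection-mark=!ipsec-l2tp action=mark-connection \
    new-connection-mark=ipsec-l2tp passthrough=yes \
    comment="L2TP delivered inside IPsec"

# 2. Companion filter rules: accept L2TP to the router itself only when it
#    arrived via IPsec, and drop any bare L2TP that bypasses encryption.
/ip firewall filter
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP over IPsec"
add chain=input protocol=udp dst-port=1701 action=drop \
    comment="plain L2TP without IPsec is refused"
```

Rule order matters in the input chain: the accept rule must sit above the drop rule, and both should sit above any generic accept for established traffic that would otherwise let a bare UDP/1701 session through.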
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Packet Mark no longer retained after decrypting IPSec in v6?

Tue Jan 19, 2016 12:24 am

So, while I can no longer get the packet marking to work like in v5 there now seems to be a native replacement:
Definitely looks very nice and tidy.
