In what you've posted I cannot see anything that would explain the behaviour you describe. If I get the description right, the problem begins when you enable one of the routes with a routing-mark, is that right? What is also not clear, is it only the Tik which cannot ping internet, or also the devices connected in various LANs?
Other than that, two points:
- your rules are overly complex because you don't make use of the benefits of address-list and interface list aggregators - you repeat the same set of 4 rules for each LANx whereas you could have just one instance of that set if you used in-interface-list=pcc-LAN, and LAN0, LAN3, LAN4, LAN5 and RAW were made member interfaces of that list.
- you seem to be affected by the common misunderstanding of the meaning of dst-address-type=!local. All IP addresses except the own ones of the Mikrotik itself match this condition. There is no address-type value connected-subnet which would match any addresses in a connected subnet, which is what you seem to actually expect from address-type value local, and you have to create an address-list for that purpose (or reach that goal in another way, e.g. using dst-address=!192.168.0.0/16 instead of an address list consisting of just a few particular subnets, which is often possible).
Another remark, the goal should be to minimize the number of rules a packet has to be inspected by as it is processed. So over time, I've settled on the following:
chain=prerouting connection-mark=no-mark action=jump jump-target=conn-mark
chain=prerouting connection-mark=CM1 action=mark-routing new-routing-mark=RM1 passthrough=no
chain=prerouting connection-mark=CMX action=mark-routing new-routing-mark=RMX passthrough=no
chain=conn-mark condition_list_1 connection-mark=no-mark action=mark-connection new-connection-mark=CM1
chain=conn-mark condition_list_X connection-mark=no-mark action=mark-connection new-connection-mark=CMX
chain=conn-mark connection-mark=no-mark action=mark-connection new-connection-mark=use-main
So this way, always only the first packet of each connection gets connection-marked; even if it matches none of the connection-mark assignment criteria, the connection gets marked with a "use-main" connection mark in order to prevent its subsequent packets from running through all the rules. After reaching the end of the chain=conn-mark, the processing of that packet continues by the first rule following the action=jump one, so the packet does get its routing-mark (unless it got the "use-main" connection-mark). Packets belonging to already marked connections skip the first rule and go directly to the action=mark-routing
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
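The pattern described above, written out as a complete RouterOS mangle configuration for two uplinks with PCC; this is an added example, not part of the original post. The interface names LAN0, LAN3, LAN4, LAN5, RAW, the list name pcc-LAN and the 192.168.0.0/16 shortcut come from the thread; the two-way PCC split, the mark names CM2/RM2 and the per-interface-list restriction on the mark-routing rules are assumptions.

```routeros
# Added example (not from the original post). Assumed: two WAN uplinks, PCC split 2/0 and 2/1.
# One interface list replaces the per-LAN copies of the same rule set.
/interface list add name=pcc-LAN comment="all LANs whose traffic is load-balanced"
/interface list member add list=pcc-LAN interface=LAN0
/interface list member add list=pcc-LAN interface=LAN3
/interface list member add list=pcc-LAN interface=LAN4
/interface list member add list=pcc-LAN interface=LAN5
/interface list member add list=pcc-LAN interface=RAW

/ip firewall mangle
# 1. Only the first packet of a connection (still no-mark) enters the classification chain.
add chain=prerouting in-interface-list=pcc-LAN connection-mark=no-mark \
    action=jump jump-target=conn-mark
# 2. Every later packet of a classified connection skips rule 1 and gets its routing-mark here.
#    Restricting to in-interface-list=pcc-LAN keeps replies arriving from WAN in the main table.
add chain=prerouting in-interface-list=pcc-LAN connection-mark=CM1 \
    action=mark-routing new-routing-mark=RM1 passthrough=no
add chain=prerouting in-interface-list=pcc-LAN connection-mark=CM2 \
    action=mark-routing new-routing-mark=RM2 passthrough=no
# 3. Classification chain. dst-address-type=!local excludes only the router's own
#    addresses, so traffic between the LANs is excluded explicitly by destination prefix.
add chain=conn-mark dst-address=192.168.0.0/16 connection-mark=no-mark \
    action=mark-connection new-connection-mark=use-main
add chain=conn-mark dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=CM1
add chain=conn-mark dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=CM2
# 4. Anything still unmarked is tagged use-main so its later packets never re-enter this chain.
add chain=conn-mark connection-mark=no-mark action=mark-connection new-connection-mark=use-main
```

The routing tables RM1 and RM2 still need their own default routes via the respective uplinks; those are not shown here.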