Community discussions

just joined
Topic Author
Posts: 20
Joined: Fri Jan 22, 2016 2:47 pm

Always default route without routingMark necessary?

Tue Nov 05, 2019 4:29 pm

I have a router with 2 WAN interfaces (PPPoE and static IP) with the settings below.
I want to be able to reach the router from the outside in case one WAN interface goes down. I've got it to work, but I don't understand something:
Why, if the PPPoE client is disabled, do I need to add line [2] (below) in /ip route?
Are not all connections that enter through ether1 marked, so that only the route with the WAN-K2-FO mark is used? Is it possible to work without adding that line [2]?
/ip address
add address= interface=ether1 network=

/interface pppoe-client
add add-default-route=yes interface=wlan1-gateway keepalive-timeout=60 max-mru=1480 max-mtu=1480 name=pppoe-out1 password=password use-peer-dns=yes user=K2

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes in-interface=pppoe-out1 new-routing-mark=nex passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN-K2-FO new-routing-mark=WAN-K2-FO passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether1 new-connection-mark=WAN-K2-FO passthrough=no
add action=mark-routing chain=output connection-mark=WAN-K2-FO new-routing-mark=WAN-K2-FO passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
add action=src-nat chain=srcnat comment=K2-FO connection-mark=WAN-K2-FO out-interface=ether1 to-addresses=
add action=masquerade chain=srcnat comment="K2-FO-from T" out-interface=ether1

add action=dst-nat chain=dstnat comment="To M" dst-port=9002 in-interface=pppoe-out1 protocol=tcp to-addresses= to-ports=80

/ip route
[1] add distance=1 gateway= routing-mark=WAN-K2-FO
[2] add distance=1 gateway=

/ip settings
set rp-filter=loose tcp-syncookies=yes
Thank you.
just joined
Posts: 14
Joined: Thu Oct 31, 2019 1:01 pm

Re: Always default route without routingMark necessary?

Wed Nov 06, 2019 1:29 pm

In computer networking, the default route is a setting on a computer that defines the packet forwarding rule to use when no specific route can be determined for a given Internet Protocol (IP) destination address. All packets for destinations not established in the routing table are sent via the default route. Hope this information is helpful.
Forum Guru
Posts: 3897
Joined: Mon Dec 04, 2017 9:19 pm

Re: Always default route without routingMark necessary?

Fri Nov 08, 2019 12:59 am

LewisH95's posts seem to me like preparing grounds (collecting karma) for some advertising or the like, through posting texts copied from the web which contain the keywords related to the topics but are not really relevant to what people ask. So you can ignore that post.

Why if pppoe client is disabled I need to add line [2] (below) in /ip route?
Are not all connections that enter through ether1 marked and only the route with the WAN-K2-FO mark is used? Is it possible to work without adding that line [2]?
It's slightly counter-intuitive. For packets sent by the router itself, i.e. handled by the output chain of the firewall, the mangling is done as late as after a route for the packet has already been found in the main routing table, and if the mangling results in assigning a routing-mark to the packet, the routing is done one more time, taking that routing-mark into account. So it doesn't matter what the original route was, but there must be one, otherwise the output packets never get mangled. And since the only default route without a routing-mark is the one dynamically added by the PPPoE client, once it disappears as the /interface pppoe-client goes down, the packets aren't routed anywhere.

So instead of adding the default route via with distance=1, add it with distance=2 or higher. This will ensure that the route via PPPoE (which is added with distance=1 unless configured otherwise using the default-route-distance parameter of /interface pppoe-client) will always win whenever it exists. You can also create an /interface bridge with no member interfaces and add it as a gateway of the default route with distance=2 if what I explain above sounds weird to you and you need a proof :)
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
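The order of operations in the answer above (main-table lookup first, output-chain mangle second, re-route by routing-mark third) is easy to get wrong when reasoning about failover, so here is a small model of it. This is an added example, not code from the forum thread or from MikroTik; it simulates only router-originated (output chain) packets, the ether1 gateway address is a constructed placeholder, and the fall-back to the main-table route when the marked table has no entry is an assumption about the behaviour being modelled. It reproduces the thread's three cases: PPPoE up without line [2], PPPoE down without line [2] (reply packets never reach mangle), and PPPoE down with line [2] at distance=2.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholder for the static-IP gateway reachable via ether1.
ETHER1_GW = "ether1-gateway.placeholder"


@dataclass
class Route:
    dst: str                             # destination prefix, "0.0.0.0/0" for a default route
    gateway: str
    distance: int = 1
    routing_mark: Optional[str] = None   # None = main routing table
    active: bool = True                  # a dynamic PPPoE route vanishes when the link is down


def build_routes(pppoe_up: bool, fallback_distance: Optional[int]) -> List[Route]:
    """Routing table shaped like the one in the thread.

    pppoe_up: whether the dynamic default route from /interface pppoe-client exists.
    fallback_distance: distance of the unmarked default route via ether1 (line [2]),
    or None to omit that line entirely.
    """
    routes = [
        # dynamic default route added by /interface pppoe-client add-default-route=yes
        Route("0.0.0.0/0", "pppoe-out1", distance=1, active=pppoe_up),
        # line [1]: default route that is only consulted for routing-mark WAN-K2-FO
        Route("0.0.0.0/0", ETHER1_GW, distance=1, routing_mark="WAN-K2-FO"),
    ]
    if fallback_distance is not None:
        # line [2]: unmarked default route via ether1 with the chosen distance
        routes.append(Route("0.0.0.0/0", ETHER1_GW, distance=fallback_distance))
    return routes


def lookup(routes: List[Route], dst_ip: str, mark: Optional[str]) -> Optional[Route]:
    """Best active route for dst_ip in the table selected by mark:
    longest prefix first, then lowest distance."""
    candidates = [
        r for r in routes
        if r.active and r.routing_mark == mark and ip_address(dst_ip) in ip_network(r.dst)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r.dst).prefixlen, r.distance))


def mangle_output(conn_mark: Optional[str]) -> Optional[str]:
    """Model of the thread's output-chain mangle rule: a connection marked
    WAN-K2-FO gets routing-mark WAN-K2-FO, everything else stays unmarked."""
    return "WAN-K2-FO" if conn_mark == "WAN-K2-FO" else None


def route_router_reply(routes: List[Route], dst_ip: str,
                       conn_mark: Optional[str]) -> Tuple[str, Optional[str]]:
    """Path of a packet the router itself sends (output chain), as explained
    in the answer:
      1. initial lookup in the main table; with no match the packet is dropped
         before the mangle rule ever sees it
      2. output mangle may attach a routing-mark
      3. if a mark was attached, route again in that mark's table
    Returns (status, gateway)."""
    first = lookup(routes, dst_ip, mark=None)
    if first is None:
        return ("no route", None)
    mark = mangle_output(conn_mark)
    if mark is None:
        return ("routed", first.gateway)
    second = lookup(routes, dst_ip, mark=mark)
    # Assumption: a marked table without a matching route falls back to the main-table route.
    chosen = second if second is not None else first
    return ("routed", chosen.gateway)


if __name__ == "__main__":
    peer = "203.0.113.10"  # constructed remote address (TEST-NET-3)
    for pppoe_up, fallback in [(True, None), (False, None), (False, 2), (True, 2)]:
        routes = build_routes(pppoe_up, fallback)
        print(f"pppoe_up={pppoe_up!s:5} line[2]={fallback!s:4} "
              f"reply via ether1 conn -> {route_router_reply(routes, peer, 'WAN-K2-FO')}, "
              f"unmarked -> {route_router_reply(routes, peer, None)}")
```

With PPPoE up and no line [2], replies on ether1 connections still leave via the marked route because the main-table hit (PPPoE) only serves to get the packet as far as the mangle rule. With PPPoE down and no line [2], the first lookup fails and the packet is lost before it can be marked. Adding line [2] at distance=2 restores the first lookup without stealing traffic from PPPoE while that link exists, which is exactly the answer's recommendation.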
