pdenardi
just joined
Topic Author
Posts: 1
Joined: Wed Jul 27, 2022 10:33 pm
Location: Argentina, Buenos Aires

[Firewall] Mangle does not mark correctly  [SOLVED]

Wed Jul 27, 2022 10:48 pm

Dear All,

I have a problem that arose after updating to the latest version 7.4 of RouterOS. After upgrading from 7.2 to 7.4, I got an error when routing with mangle: at first the MikroTik did not have access to any computer on the network, but the computers could go to the internet through the MikroTik. This was solved by modifying the mangle rules that existed at the time.

Now my problem occurs when connecting to a server on my network.

My LAN is in the 192.168.40.0/24 network and my servers are in 10.0.0.0/8. The LAN is marked with ISP1 and the servers with the ISP2 mark. The problem is when I want to connect (for example, 192.168.40.2 to 10.10.11.10:8081): this routing should go through the "Main" mark, but in the connections it is seen that it tries to go out with the ISP2 mark.


What could be happening in this case? I share my mangle configuration.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Routing x Main" \
    connection-mark=no-mark dst-address-list=Vlans new-routing-mark=main \
    passthrough=no src-address-list=PrivateAdmins
add action=mark-routing chain=prerouting connection-mark=no-mark \
    dst-address-list=Servidores new-routing-mark=main passthrough=no \
    src-address-list=InternalNetworks
add action=accept chain=prerouting comment=Claro-ISP in-interface=ether1-Claro
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes in-interface=ether1-Claro new-connection-mark=Claro-ISP_con \
    passthrough=yes
add action=mark-connection chain=prerouting comment="ISP-Principal-Claro(1)" \
    connection-mark=no-mark dst-address-type=!local new-connection-mark=\
    Claro-ISP_con passthrough=yes src-address-list=PrivateRed-Excep-Servidores
add action=mark-routing chain=prerouting comment="ISP-Principal-Claro(2)" \
    connection-mark=Claro-ISP_con dst-address-type="" new-routing-mark=\
    to_Claro-ISP passthrough=no src-address-list=PrivateRed-Excep-Servidores
add action=mark-routing chain=output connection-mark=Claro-ISP_con \
    new-routing-mark=to_Claro-ISP passthrough=no
add action=accept chain=prerouting comment=Telecentro-ISP in-interface=\
    ether2-Telecentro
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes in-interface=ether2-Telecentro new-connection-mark=Telecentro-ISP_con \
    passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "ISP-Principal-Telecentro(1)" connection-mark=no-mark dst-address-type=\
    !local new-connection-mark=Telecentro-ISP_con passthrough=yes \
    src-address-list=Servidores
add action=mark-routing chain=prerouting comment="ISP-Principal-Telecentro(2)" \
    connection-mark=Telecentro-ISP_con dst-address-type="" new-routing-mark=\
    to_Telecentro-ISP passthrough=no src-address-list=Servidores
add action=mark-routing chain=output connection-mark=Telecentro-ISP_con \
    new-routing-mark=to_Telecentro-ISP passthrough=no
add action=mark-packet chain=postrouting connection-mark=Claro-ISP_con \

Edited:

I already found the problem: it was in two mangle policies that were marking all the incoming packets, and the !local of Dst. Address Type would not be working as in previous versions. I don't know if the configuration was misapplied or if it is an issue.


Best regards,
