otcpdx
just joined
Topic Author
Posts: 16
Joined: Mon Apr 20, 2009 1:51 am

Upgrade to 6.0rc11 broke policy-based routing? *solved*

Wed Mar 20, 2013 10:53 pm

So I recently updated my two MT routerboards in my office to 6.0rc11, and my port 80/443 traffic forwarding over a 10/1.5mbps best effort circuit. Topology is as such:

[Image: network topology diagram]

The pertinent mangle rules on the primary router (RB493) are as such:
[admin@router] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=pcicomp passthrough=no
protocol=tcp src-address=10.0.0.134 <-------------- Not part of the policy for http, something different for PCI compliance

1 chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no
protocol=tcp src-address=10.0.0.0/24 dst-address=!10.0.0.0/22
dst-address-list=!Public-IP-Block dst-port=80

2 chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no
protocol=tcp src-address=10.0.0.0/24 dst-address=!10.0.0.0/22
dst-address-list=!Public-IP-Block dst-port=443

And the outbound routes:

[admin@router-Main] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=x.x.x.1
gateway-status=x.x.x.1 reachable via ether1 distance=0
scope=30 target-scope=10 vrf-interface=ether1

1 S dst-address=0.0.0.0/0 gateway=10.0.2.250
gateway-status=10.0.2.250 inactive distance=1 scope=30
target-scope=10 routing-mark=HTTP

2 ADC dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=ether2
gateway-status=ether2 reachable distance=0 scope=10

<output cut>

8 ADC dst-address=10.0.2.248/30 pref-src=10.0.2.249 gateway=ether3
gateway-status=ether3 reachable distance=0 scope=10

And then the routes from the RB433 handling the 80/433 traffic:

[admin@router-web] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=x.x.x.1
gateway-status=x.x.x.1 reachable via ether1 distance=0
scope=30 target-scope=10 vrf-interface=ether1

1 A S dst-address=10.0.0.0/24 gateway=10.0.2.249
gateway-status=10.0.2.249 reachable via ether2 distance=1 scope=30
target-scope=10

2 ADC dst-address=10.0.2.248/30 pref-src=10.0.2.250 gateway=ether2
gateway-status=ether2 reachable distance=0 scope=10

I can ping between the two, the mangle rule counters are going up, and before the upgrade this was all configured exactly the same (The RB493 was at 5.11, the RB433 was at 5.9, I think), and all web traffic was routing properly. Any ideas what is wrong here? I see that the gateway-status for the route from the RB493 to the RB433 is inactive, although not unreachable, and if it's just that route that is misconfigured, any help would be greatly appreciated.
Last edited by otcpdx on Mon Mar 25, 2013 9:50 pm, edited 1 time in total.
 
otcpdx
just joined
Topic Author
Posts: 16
Joined: Mon Apr 20, 2009 1:51 am

Re: Upgrade to 6.0rc11 broke policy-based routing?

Fri Mar 22, 2013 7:46 pm

Anyone?
 
zyzelis
Member Candidate
Posts: 213
Joined: Sun Apr 08, 2012 9:25 pm

Re: Upgrade to 6.0rc11 broke policy-based routing?

Sun Mar 24, 2013 10:34 am

Hello,
I had a similar glitch with policy routing and dual WAN with ROS 6.rc11.
The cure was to remove ALL existing mangle rules on the router and rewrite from scratch.
 
otcpdx
just joined
Topic Author
Posts: 16
Joined: Mon Apr 20, 2009 1:51 am

Re: Upgrade to 6.0rc11 broke policy-based routing?

Mon Mar 25, 2013 9:50 pm

That did it! Much thanks, zyzelis. :D
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Upgrade to 6.0rc11 broke policy-based routing? *solved*

Wed Mar 27, 2013 1:57 pm

It didn't work because the route with the routing mark is not active.

1 S dst-address=0.0.0.0/0 gateway=10.0.2.250
gateway-status=10.0.2.250 inactive distance=1 scope=30
target-scope=10 routing-mark=HTTP
 
otcpdx
just joined
Topic Author
Posts: 16
Joined: Mon Apr 20, 2009 1:51 am

Re: Upgrade to 6.0rc11 broke policy-based routing? *solved*

Wed Apr 03, 2013 2:40 am

For the record, I messed with recreating the route, and did eventually get it to show as active, but it still wouldn't send traffic over the route. Only recreating the mangle rules fixed it.

It also seems worth mentioning that post-upgrade, the packet marks did not show up in Winbox in the "routing mark" field, and the HTTP mark only showed up after I edited the mangle rule. However, it still didn't work even then; it had to be re-written from scratch to work in this instance.
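
The condition mrz points to, a mangle rule setting a routing mark whose route is not active, can be checked mechanically from the two printouts in the first post. This is an added example, not part of any post in the thread: the parser relies only on the output layout shown above, the function names are hypothetical, and the sample text is constructed by abridging those printouts.

```python
import re

# A numbered entry: index, optional flag letters ("ADS", "A S"), then the first key=value.
ENTRY = re.compile(r"^\s*(\d+)\s+((?:[A-Za-z]+\s+)*)(?=[\w-]+=)")
PAIR = re.compile(r"([\w-]+)=(\S+)")

def parse_print(text):
    """Parse RouterOS 'print' / 'print detail' output into a list of dicts."""
    items = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            items.append({"id": int(m.group(1)), "flags": m.group(2).replace(" ", "")})
        elif not items or "=" not in line:
            continue  # prompt, "Flags:" legend, blank line or "<output cut>"
        items[-1].update(PAIR.findall(line))  # continuation lines extend the last entry
    return items

def unbacked_marks(mangle_text, route_text):
    """Map each routing mark set by an enabled mangle rule to the rule ids
    that set it, for marks that have no active (flag A) route."""
    active = {r.get("routing-mark") for r in parse_print(route_text) if "A" in r["flags"]}
    report = {}
    for rule in parse_print(mangle_text):
        mark = rule.get("new-routing-mark")
        enabled = "X" not in rule["flags"]
        if rule.get("action") == "mark-routing" and enabled and mark not in active:
            report.setdefault(mark, []).append(rule["id"])
    return report

# Constructed sample, abridged from the printouts in the first post.
MANGLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 1   chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no
     protocol=tcp src-address=10.0.0.0/24 dst-address=!10.0.0.0/22 dst-port=80
 2   chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no
     protocol=tcp src-address=10.0.0.0/24 dst-address=!10.0.0.0/22 dst-port=443
"""
ROUTES = """\
 0 ADS dst-address=0.0.0.0/0 gateway=x.x.x.1
       gateway-status=x.x.x.1 reachable via ether1 distance=0 scope=30
 1   S dst-address=0.0.0.0/0 gateway=10.0.2.250
       gateway-status=10.0.2.250 inactive distance=1 scope=30
       target-scope=10 routing-mark=HTTP
 2 ADC dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=ether2
"""

if __name__ == "__main__":
    print(unbacked_marks(MANGLE, ROUTES))
```

As the last post notes, an active route was not sufficient in this case, so an empty result rules out only this one cause.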
