hadizeid
just joined
Topic Author
Posts: 14
Joined: Wed Mar 14, 2012 7:20 am

Trying to redirect an address-list through an EOIP Tunnel

Fri Dec 08, 2023 11:30 am

Hello MikroTik gurus.
I need your assistance here. I have an EOIP tunnel configured and was redirecting an address-list's traffic through that tunnel, which was working perfectly on v6; now, after upgrading to v7, it's broken.
I tried to go through similar topics on the forum but still with no luck. I will post the configuration here, hoping some of the advanced users could help in sorting it out.
/interface eoip
add allow-fast-path=no mac-address=02:D3:D2:DC:FE:67 name=Home-VPN \
    remote-address=xxx.xxx.xxx.xxx tunnel-id=2
/interface vlan
add interface=ether13 name=vlan1 vlan-id=21
/interface pppoe-client
add disabled=no interface=vlan1 keepalive-timeout=60 name=Home-Internet user=\
    usernameofinternt
    
/ip address
add address=172.17.2.1/16 interface=Home-Bridge network=172.17.0.0
add address=10.255.255.2/30 interface=Home-VPN network=10.255.255.0

/ip firewall address-list
add address=172.17.3.15 comment="A71" disabled=yes list=TO-VPN-VPN
add address=172.17.3.228 comment="PC" disabled=yes list=TO-VPN-VPN
add address=172.17.3.3 comment="Ipad" disabled=yes list=TO-VPN-VPN
add address=172.17.3.26 comment="Phone" disabled=yes list=TO-VPN-VPN

/ip firewall filter
add action=fasttrack-connection chain=forward disabled=yes hw-offload=yes \
    in-interface=!Home-VPN routing-mark=!TO-VPN

/ip firewall mangle
add action=accept chain=prerouting connection-mark=no-mark connection-state=\
    established,related
add action=accept chain=prerouting connection-mark=no-mark connection-state=\
    established,related in-interface=Home-Internet
add action=mark-routing chain=prerouting connection-mark=handling-Home-Internet \
    new-routing-mark=Home-Internet
add action=mark-routing chain=prerouting connection-mark=handling-TO-VPN \
    new-routing-mark=TO-VPN
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new new-connection-mark=handling-TO-VPN passthrough=yes \
    src-address-list=TO-VPN-VPN
add action=accept chain=prerouting connection-state=established,related \
    in-interface=Home-Internet
add action=mark-routing chain=prerouting connection-mark=handling-Home-Internet \
    new-routing-mark=Home-Internet
add action=mark-routing chain=prerouting connection-mark=handling-TO-VPN \
    new-routing-mark=TO-VPN
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes
add action=masquerade chain=srcnat out-interface=Home-Internet
add action=masquerade chain=srcnat out-interface=Home-VPN
add action=masquerade chain=srcnat disabled=yes

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Home-Internet pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add dst-address=0.0.0.0/0 gateway=Home-VPN routing-table=TO-VPN
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Home-Internet pref-src="" \
    routing-table=Home-Internet scope=30 suppress-hw-offload=no target-scope=10
/routing bfd configuration
add disabled=no
/routing rule
add action=lookup disabled=no dst-address=172.17.0.0/16 table=main
add action=lookup disabled=no interface=Home-Internet min-prefix=0 table=main
add action=lookup-only-in-table disabled=no routing-mark=TO-VPN table=TO-VPN
add action=lookup disabled=no interface=Home-VPN min-prefix=0 src-address=\
    10.255.255.0/30 table=TO-VPN
add action=lookup-only-in-table disabled=no interface=Home-VPN routing-mark=\
    TO-VPN table=TO-VPN
I appreciate your support, and if any config is missing, kindly advise.
Thanks to you all.
 
rplant
Member Candidate
Posts: 267
Joined: Fri Sep 29, 2017 11:42 am

Re: Trying to redirect an address-list through an EOIP Tunnel

Sat Dec 09, 2023 1:13 am

Hi,

The order of route processing has changed a little.
If you mark a packet with a route mark and there is a matching entry in the routing table,
it will use that entry (and not look at the routing rules).

If you need things to go via the routing rules (which is usually good), you should mark
the packets with a different route mark,

e.g. RULE-TO-VPN

Something like:
mangle
add action=mark-routing chain=prerouting connection-mark=handling-TO-VPN \
    new-routing-mark=RULE-TO-VPN

routing rules
add action=lookup-only-in-table disabled=no routing-mark=RULE-TO-VPN table=TO-VPN
 
hadizeid
just joined
Topic Author
Posts: 14
Joined: Wed Mar 14, 2012 7:20 am

Re: Trying to redirect an address-list through an EOIP Tunnel

Sun Dec 10, 2023 9:07 pm

Still struggling with this setup.
Any help or direction would be appreciated.
