After reading it several times, I still have some questions about [1].
/ip firewall mangle
# traffic from the LAN to the two directly connected ISP networks is accepted here,
# so it never reaches the PCC marking rules and stays in the main routing table
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN
How could this last paragraph be better rephrased?
"With policy routing it is possible to force all traffic to the specific gateway, even if traffic is destined to a host (other than the gateway) on the connected networks. This way a routing loop will be generated and communication with those hosts will be impossible. To avoid this situation we need to allow usage of the default routing table for traffic to connected networks."
To me, IMHO, it would be logical to:
1. introduce what dst-address-type is, i.e.,
1a. explicitly define whether 192.168.0.1/24, 10.111.0.2/24, 10.112.0.2/24 are of local address type or not;
1b. explicitly define whether 10.111.0.12/24, 10.112.0.1/24 are of local address type or not.
2. Then introduce the block below.
3. Then introduce the block accepting traffic to either 10.111.0.0/24 or 10.112.0.0/24 and give an explicit example of the so-called traffic loop (is that a traffic loop in the first place, or is the traffic unpredictably sent through the wrong interface?).
# only still-unmarked LAN traffic that is not addressed to the router itself is classified;
# PCC hashes both addresses, divides by 2 and marks the connection by the remainder
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
Is it correct to think that "if a reply to an outbound marked packet comes in, then it will be allocated the same mark as the original outbound packet"?
If so, what would be the difference between checking for an unmarked packet and checking for a NEW connection (as opposed to an ESTABLISHED one)?
Should one be preferred over the other?
Best regards
[1] https://wiki.mikrotik.com/wiki/Manual:PCC
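The simulation below is an added example, not code from the MikroTik manual or from the post above. It models the prerouting mangle rules quoted in the post on a few constructed packets: the two accept rules for the connected networks, the dst-address-type=!local exclusion, and mark-connection with connection tracking, so that the reply to a marked connection (addresses swapped, arriving on the ISP side) carries the mark without being classified again. The hash is a stand-in (RouterOS does not publish its PCC hash; only "same address pair, same remainder" matters here), the router's local addresses are assumed to be the ones listed in the post, and connection tracking is reduced to a dict keyed by a direction-independent 5-tuple.

```python
"""Simulation of the PCC prerouting mangle rules quoted in the post.

Added example, not the MikroTik manual's or the post's own code. Assumptions:
the hash is a stand-in for the undocumented RouterOS PCC hash, the router's
local addresses are those the post lists, and connection tracking is a dict
keyed by a direction-independent 5-tuple.
"""
import hashlib
import ipaddress

LAN_IFACE = "LAN"
# Addresses configured on the router itself, i.e. what dst-address-type=local
# matches (assumed from the /24 addresses named in the post).
ROUTER_LOCAL = {"192.168.0.1", "10.111.0.2", "10.112.0.2"}
# Networks covered by the two 'action=accept' rules.
CONNECTED_NETS = [ipaddress.ip_network("10.111.0.0/24"),
                  ipaddress.ip_network("10.112.0.0/24")]


def pcc_remainder(src, dst, denominator=2):
    """Stand-in for per-connection-classifier=both-addresses:<denominator>/<r>.
    Only the property 'same (src, dst) pair -> same remainder' is relied on."""
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator


def conn_key(pkt):
    """Direction-independent connection-tracking key: a reply packet (src/dst
    and ports swapped) maps to the same tracked connection."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])


def prerouting(conntrack, pkt, accept_connected=True):
    """Run one packet through the quoted prerouting rules.

    conntrack: dict conn_key -> connection mark, kept between packets.
    Returns the connection mark the packet ends up with (None = no-mark).
    """
    key = conn_key(pkt)
    mark = conntrack.get(key)
    dst = ipaddress.ip_address(pkt["dst"])

    # Rules 1-2: action=accept for the connected networks ends mangle
    # processing for this packet, so it is never classified.
    if (accept_connected and pkt["in_iface"] == LAN_IFACE
            and any(dst in net for net in CONNECTED_NETS)):
        return mark

    # Rules 3-4: classify only LAN traffic that is still unmarked and is not
    # addressed to the router itself (dst-address-type=!local).
    if (pkt["in_iface"] == LAN_IFACE and mark is None
            and pkt["dst"] not in ROUTER_LOCAL):
        mark = ("ISP1_conn" if pcc_remainder(pkt["src"], pkt["dst"]) == 0
                else "ISP2_conn")
        conntrack[key] = mark  # mark-connection: the mark lives on the connection
    return mark


def make_pkt(src, sport, dst, dport, in_iface, proto="tcp"):
    return dict(src=src, sport=sport, dst=dst, dport=dport,
                in_iface=in_iface, proto=proto)


def demo():
    """Constructed traffic: one web connection with its reply and a later
    packet, one packet to a host on the ISP1 network, one to the router."""
    ct = {}
    first = prerouting(ct, make_pkt("192.168.0.10", 40000, "203.0.113.5", 443, "LAN"))
    # The reply arrives on the ISP side with addresses swapped. It never hits
    # the classifier (wrong in-interface, connection already marked) but still
    # carries the mark stored on the connection.
    reply_iface = "ISP1" if first == "ISP1_conn" else "ISP2"
    reply = prerouting(ct, make_pkt("203.0.113.5", 443, "192.168.0.10", 40000, reply_iface))
    # A later LAN packet of the same connection: connection-mark=no-mark no
    # longer matches, so it is not re-hashed and keeps the original mark.
    again = prerouting(ct, make_pkt("192.168.0.10", 40000, "203.0.113.5", 443, "LAN"))
    # Host on the ISP1 connected network: accepted before classification...
    to_lan_host = prerouting({}, make_pkt("192.168.0.10", 5000, "10.111.0.12", 22, "LAN"))
    # ...whereas without the accept rules it would get a PCC mark and be policy
    # routed towards an ISP gateway instead of the directly connected interface.
    to_lan_host_no_accept = prerouting(
        {}, make_pkt("192.168.0.10", 5000, "10.111.0.12", 22, "LAN"), accept_connected=False)
    # Packet to the router itself: excluded by dst-address-type=!local.
    to_router = prerouting({}, make_pkt("192.168.0.10", 5001, "192.168.0.1", 8291, "LAN"))
    return dict(first=first, reply=reply, again=again, to_lan_host=to_lan_host,
                to_lan_host_no_accept=to_lan_host_no_accept, to_router=to_router)


if __name__ == "__main__":
    for name, mark in demo().items():
        print(f"{name:22s} -> {mark}")
```

Running it shows the reply and the later packet of the web connection reporting the same mark as the first packet, while the packet to 10.111.0.12 reports no mark with the accept rules in place and an ISP mark without them; that last difference is what the manual's "default routing table for traffic to connected networks" sentence is about.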