Yesterday I upgraded a CCR2004-1G-12S+2XS from 6.49.1 to 7.1. Of course the upgrade failed: the device ended up in a reboot loop, so I had to netinstall it with 7.1.
When I reconfigured the device I faced a problem with policy routing that I'm currently unable to solve. I've done this many times before, but this time I'm out of ideas as to what could be wrong.
My WAN is "VLAN0007", 88.XX.XX.48/29; .49 is the gateway and .54 is the IP address of my router. My LAN is "VLAN0086", 192.168.2.1/24.
In my tests I found out that the RouterOS DNS forwarder isn't reachable from a VRF, so I decided to just use a separate routing table instead of adding VLAN0086 to a VRF.
Code:
/routing table
add disabled=no fib name=VRF-DSL
Code:
/ip/route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=88.XX.XX.49 pref-src="" routing-table=VRF-DSL scope=30 suppress-hw-offload=no target-scope=10
Code:
/ip/route> pr det where routing-table=main
0 As dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=88.XX.XX.49 immediate-gw=88.XX.XX.49%VLAN0007 distance=1 scope=30 target-scope=10 suppress-hw-offload=no
DAc dst-address=88.XX.XX.48/29 routing-table=main gateway=VLAN0007 immediate-gw=VLAN0007 distance=0 scope=10 suppress-hw-offload=no local-address=88.XX.XX.54%VLAN0007
DAc dst-address=192.168.2.0/24 routing-table=main gateway=VLAN0086 immediate-gw=VLAN0086 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.2.1%VLAN0086
I set up policy routing rules in the mangle table (I just used one IP for testing).
Code:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=!local in-interface=VLAN0086 \
new-connection-mark=C_FROM_VLAN0086 passthrough=yes src-address=192.168.2.41
add action=mark-routing chain=prerouting connection-mark=C_FROM_VLAN0086 new-routing-mark=VRF-DSL passthrough=no
Finally there's an SNAT rule for VLAN0007.
Code:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=VLAN0007 to-addresses=88.XX.XX.54
When I try to ping a host on the internet from 192.168.2.41, the connection times out. I checked the connection tracking, and all seems good.
SNAT works and the packet is correctly routed.
Note the Reply Bytes, so traffic is arriving and I get an answer from 8.8.8.8, but the reply packets are not arriving at 192.168.2.41.
Next I checked with the sniffer tool what is going on. So where are these reply packets, and why are they not forwarded to 192.168.2.41? There are no other mangle rules, NAT rules, routing rules, IPsec policies, nothing that could mess with the flow of packets in any way.
VLAN0086 is not added to a VRF; it is bound to the main routing table, so I don't need to set up any routing rules.
When I disable the connection-mark rule, traffic is sent using the main table and it immediately starts working.
As I mentioned before, I just netinstalled the router and did the config from scratch, and rebooted the router several times.
Any idea what I'm missing here? I have a CCR2004-16G-2S+ with a far more complex ruleset for policy routing, also running 7.1. Everything works fine on that device, so I don't think it has anything to do with 7.1 in general. For those who are wondering why I'm currently using custom routing tables with just one ISP: it is planned to add more internet uplinks to the router in the future.
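As an added illustration (not code from the original post, and not RouterOS code), the following Python model walks both directions of one ping through the two prerouting mangle rules quoted above, using simplified assumptions: connection marks are shared by both directions of a tracked connection, rules are evaluated top to bottom, and the `dst-address-type=!local` match is approximated with a constructed set of router addresses.

```python
# Added example: a minimal model of the two prerouting mangle rules from the post.
# Assumptions (not RouterOS internals): one connection mark per tracked connection,
# shared by both directions; rules evaluated in order; passthrough=no ends matching.
from dataclasses import dataclass

# Constructed stand-ins for the router's own addresses (88.XX.XX.54 is redacted in the post).
LOCAL_IPS = {"192.168.2.1", "88.0.0.54"}


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str
    is_new: bool  # True for the first packet of a connection (connection-state=new)


@dataclass
class Conn:
    mark: str = "no-mark"  # connection-mark shared by both directions


def mangle_prerouting(pkt: Packet, conn: Conn) -> str:
    """Return the routing-mark the packet leaves prerouting with ('main' if none)."""
    routing_mark = "main"
    # Rule 1: mark-connection for new connections from 192.168.2.41 on VLAN0086
    # to a non-local destination; passthrough=yes, so evaluation continues.
    if (conn.mark == "no-mark" and pkt.is_new and pkt.dst not in LOCAL_IPS
            and pkt.in_interface == "VLAN0086" and pkt.src == "192.168.2.41"):
        conn.mark = "C_FROM_VLAN0086"
    # Rule 2: mark-routing for ANY packet of a C_FROM_VLAN0086 connection.
    # It has no in-interface match, so it also fires for packets arriving on VLAN0007.
    if conn.mark == "C_FROM_VLAN0086":
        routing_mark = "VRF-DSL"
    return routing_mark


def trace_ping(lan_host: str = "192.168.2.41", remote: str = "8.8.8.8") -> dict:
    """Echo request from the LAN host, then the reply entering from the WAN side."""
    conn = Conn()
    fwd = Packet(src=lan_host, dst=remote, in_interface="VLAN0086", is_new=True)
    fwd_mark = mangle_prerouting(fwd, conn)
    # Reply: conntrack has already reversed the SNAT, so dst is the LAN host again.
    rpl = Packet(src=remote, dst=lan_host, in_interface="VLAN0007", is_new=False)
    rpl_mark = mangle_prerouting(rpl, conn)
    return {"connection_mark": conn.mark,
            "forward_routing_mark": fwd_mark,
            "reply_routing_mark": rpl_mark}


if __name__ == "__main__":
    print(trace_ping())
```

The model shows that the reply direction also leaves prerouting with routing-mark VRF-DSL, so its lookup for 192.168.2.41 is made against the VRF-DSL table, which in the listing above contains only the default route; comparing `/ip/route print detail where routing-table=VRF-DSL` with the main-table output is the quickest way to confirm what that lookup can match.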