I have updated the ROS version to 7.1.1. I want to set up a killswitch for IPsec.
I took (this) article as a basis and want to customize the method for ROS7.1.
But in 7.1.1 the usage of routing marks changed. Now I need to add a table with the same name as the routing mark. I did so, but the packets are not filtered; instead they go to the default route of the main routing table.
I attach the settings below:
Routing tables:
/routing table
add disabled=no fib name=second
Firewall:
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=195.201.201.32 new-routing-mark=second passthrough=no
Interface:
/interface bridge
add admin-mac=48:8F:5A:28:05:7C auto-mac=no comment=defconf name=bridgeLocal
add name=my_blackhole protocol-mode=none
Routes:
/ip route
add disabled=no distance=1 dst-address=195.201.201.32/32 gateway=my_blackhole pref-src=0.0.0.0 routing-table=\
second scope=30 suppress-hw-offload=no target-scope=10
Routes list:
Flags: D - dynamic; X - disabled, I - inactive, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded;
+ - ecmp
DAv dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=pppoe-out1 immediate-gw=pppoe-out1
distance=1 scope=30 target-scope=10 suppress-hw-offload=no
DAc dst-address=192.168.88.0/24 routing-table=main gateway=bridgeLocal immediate-gw=bridgeLocal distance=0
scope=10 suppress-hw-offload=no local-address=192.168.88.1%bridgeLocal
0 As dst-address=195.201.201.32/32 routing-table=second pref-src=0.0.0.0 gateway=my_blackhole
immediate-gw=my_blackhole distance=1 scope=30 target-scope=10 suppress-hw-offload=no
Route rules:
/routing rule
add action=lookup disabled=no table=main
add action=lookup-only-in-table disabled=no routing-mark=second table=second
But packets go through the main table to the default gateway.
Need help...