AlexPebody
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Nov 12, 2021 3:50 pm

ROS 7.6 Mangle LAN to LAN prerouting

Wed Dec 07, 2022 7:48 am

Hi guys, please tell me: on a CCR1009-7G-1C-1S+ with ROS 6, mangle LAN to LAN was working fine; after the upgrade to ROS 7.6, LAN to LAN prerouting is not working. Please look at the rules below, thx!

On ROS 7.6 with the LAN to LAN prerouting mangle there is no ping at all, and WiFi CAPsMAN is not working either, because the DNS and gateway on the main CCR1009-7G-1C-1S+ are not available. When the LAN to LAN rule is disabled, all is OK. Why? What is new about this in ROS 7.6? Need some help.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Preroute Mark ISP1" in-interface=ISP1 new-connection-mark=PRE1
add action=mark-connection chain=prerouting comment="Preroute Mark ISP2" in-interface=ISP2 new-connection-mark=PRE2

add action=mark-routing chain=prerouting comment="Routing Transit ISP1" connection-mark=PRE1 dst-address-type=!local in-interface-list=!WAN new-routing-mark=ISP1
add action=mark-routing chain=prerouting comment="Routing Transit ISP2" connection-mark=PRE2 dst-address-type=!local in-interface-list=!WAN new-routing-mark=ISP2

add action=mark-routing chain=output comment="Routing Output ISP1" connection-mark=PRE1 dst-address-type=!local new-routing-mark=ISP1
add action=mark-routing chain=output comment="Routing Output ISP2" connection-mark=PRE2 dst-address-type=!local new-routing-mark=ISP2
Last edited by AlexPebody on Wed Dec 07, 2022 4:34 pm, edited 1 time in total.
 
AlexPebody
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Nov 12, 2021 3:50 pm

Re: ROS 7.6 Mangle LAN to LAN prerouting

Wed Dec 07, 2022 8:14 am

I added these rules and added a new routing table specially for the LANs. Who knows, is this the best way? )
/ip firewall mangle
add action=mark-connection chain=prerouting comment="LAN to LAN Mark" dst-address=192.168.0.0/16 in-interface-list=!WAN new-connection-mark=LanToLan passthrough=yes src-address=192.168.0.0/16
add action=mark-routing chain=prerouting comment="LAN to LAN Preroute" connection-mark=LanToLan dst-address=192.168.0.0/16 in-interface-list=!WAN new-routing-mark=LANs passthrough=yes src-address=192.168.0.0/16
Last edited by AlexPebody on Wed Dec 07, 2022 4:34 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: ROS 7.6 Mangle LAN to LAN prerouting  [SOLVED]

Wed Dec 07, 2022 2:56 pm

1) Verbose export = bad idea, too hard to read.
2) viewtopic.php?p=956630#p956630

In short, just don't mark routing for traffic destined to LANs.
 
AlexPebody
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Nov 12, 2021 3:50 pm

Re: ROS 7.6 Mangle LAN to LAN prerouting

Wed Dec 07, 2022 4:35 pm

"In short, just don't mark routing for traffic destined to LANs."
I have some rules that mangle ports 80 and 443 to another routing table, and I also have local LAN web sites, and if I do not add rules for LAN to LAN, all my traffic to 80 and 443 goes to 0.0.0.0/0 and do something rules for exactly not good idea. In ROS 6 all worked, but in ROS 7.6 not. I added rules as I said, maybe you have some better solution? When I tried to add a rule with the main table, I got stack ping and DNS was not available on my main MikroTik router, but when I added a new routing table for LANs only, all works fine now. I asked whether there is maybe some better solution? ) Thx.

P.S. I have corrected my messages to be without verbose, thx a lot.


 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: ROS 7.6 Mangle LAN to LAN prerouting

Wed Dec 07, 2022 11:22 pm

Again, just don't mark it. You can use e.g. this as first rule:
/ip firewall mangle
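# Accept LAN-destined traffic before any rule can give it a routing mark
# (WAN is an interface list in the rules above, so it is matched with in-interface-list)
add chain=prerouting in-interface-list=!WAN dst-address=192.168.0.0/16 action=accept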
Order of rules matters, so anything from LAN to 192.168.x.x will be accepted right away and no further rules will touch it, so it won't get any routing mark.
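
The accept-first approach from the reply above, combined with the rules from the first post, as an added example that is not part of the original thread. The port 80/443 rule (the thread mentions one but never shows it) and the routing-table declarations are assumptions; ISP1/ISP2, the WAN interface list and the PRE1/PRE2 marks are taken from the first post.

```routeros
# Added example, not from the thread. Rule 4 is an assumed stand-in for the
# port-based rule the topic author describes but does not post.

# RouterOS 7: a routing table must exist before a mangle rule can reference it
# (skip these lines if the tables are already defined).
/routing table
add name=ISP1 fib
add name=ISP2 fib

/ip firewall mangle
# 1. Must stay first: anything entering from a non-WAN interface and destined
#    to 192.168.0.0/16 leaves the chain here, unmarked, and uses the main table.
add chain=prerouting action=accept in-interface-list=!WAN \
    dst-address=192.168.0.0/16 comment="LAN dst: leave unmarked"

# 2. Remember which ISP an inbound connection arrived on.
add chain=prerouting action=mark-connection in-interface=ISP1 \
    new-connection-mark=PRE1 comment="Preroute Mark ISP1"
add chain=prerouting action=mark-connection in-interface=ISP2 \
    new-connection-mark=PRE2 comment="Preroute Mark ISP2"

# 3. Replies from LAN hosts leave through the ISP the connection came in on.
add chain=prerouting action=mark-routing connection-mark=PRE1 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=ISP1 \
    comment="Routing Transit ISP1"
add chain=prerouting action=mark-routing connection-mark=PRE2 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=ISP2 \
    comment="Routing Transit ISP2"

# 4. ASSUMED port-based policy rule. Local web sites on 192.168.x.x:80/443
#    never reach it because rule 1 already accepted that traffic.
add chain=prerouting action=mark-routing in-interface-list=!WAN protocol=tcp \
    dst-port=80,443 connection-mark=no-mark new-routing-mark=ISP2 \
    passthrough=no comment="ASSUMED: web traffic via ISP2"

# 5. The router's own replies on marked connections.
add chain=output action=mark-routing connection-mark=PRE1 \
    dst-address-type=!local new-routing-mark=ISP1 comment="Routing Output ISP1"
add chain=output action=mark-routing connection-mark=PRE2 \
    dst-address-type=!local new-routing-mark=ISP2 comment="Routing Output ISP2"

# Check: ping a LAN host from another LAN, then confirm the counters on
# rule 1 increase while the mark-routing rules do not count that traffic.
/ip firewall mangle print stats
```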
