Over the last few days I have tried to set up policy-based routing with a dual WAN setup. I used mangle rules to direct traffic to either one or the other WAN. Everything outbound appeared to work fine; mark routing worked and packets were leaving the right WAN interface. However, I could never get inbound packets to route back to my LAN from the secondary WAN interface. I could see the inbound packets in the prerouting chain, but not beyond that.
It turned out that my rp-filter IP setting was set to Strict. As per the documentation:
strict - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
All I had to do was change the setting to Loose:
loose - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
...and all is well. This is on OS 7.14.1. It took me a day to track this down so thought I'd share it with the community; perhaps it might help someone else as well.
Thanks.
TIP: Do not use rp-filter=Strict with Dual WAN policy-based routing [SOLVED]
Last edited by xtal on Sun Mar 24, 2024 5:59 pm, edited 1 time in total.
Re: Policy-based routing with dual WAN
Yup rp-filter=strict would do that. I can see how that how an esoteric /ip/setting like rp-filter might NOT be the first thought.
FWIW, "strict" shouldn't be the default... so someone changed rp-filter at some point. And docs the option:
FWIW, "strict" shouldn't be the default... so someone changed rp-filter at some point. And docs the option:
Warning: strict mode does not work with routing tables
Last edited by Amm0 on Sun Mar 24, 2024 5:46 pm, edited 1 time in total.
Re: Policy-based routing with dual WAN
Guilty as chargedYup rp-filter=strict would do that. I can see how that how an esoteric /ip/setting like rp-filter might be the first thought.
FWIW, "strict" shouldn't be the default... so someone changed rp-filter at some point.
I think I changed that over a year ago when only one WAN was in place.Re: Policy-based routing with dual WAN
I read your case. I figured it was something like... 
e.g. "strict" does seem like a good option, and no routing tables at that time.... And the dual WAN enough config, might think it was some firewall rule, etc. etc....
e.g. "strict" does seem like a good option, and no routing tables at that time.... And the dual WAN enough config, might think it was some firewall rule, etc. etc....
Re: Policy-based routing with dual WAN
Might want to change your title. Something like "TIP: Do not use rp-filter=strict with Dual WAN".
It's been years, but I have run into this one myself.
It's been years, but I have run into this one myself.
Re: Policy-based routing with dual WAN
Good point, and doneMight want to change your title. Something like "TIP: Do not use rp-filter=strict with Dual WAN".
It's been years, but I have run into this one myself.
Re: TIP: Do not use rp-filter=Strict with Dual WAN policy-based routing
Actually the learning point is dont change anything from defaults if you dont understand all possible ramifications.
So glad the MT documentation makes it crystal clear NOT, with gobblity gook speak...........
So glad the MT documentation makes it crystal clear NOT, with gobblity gook speak...........