Hi

I have some trouble getting secondary routing tables up and running and
I would appricate some help. What I'm trying to achive is the following:

Two routeros boxes, called mikro234 and mikro236, they each have two
interfaces used, one side towards the internet and one side towards the
trusted side. Over the internet side they have a ipsec connection
towards the other box over which it talks BGP so it can share routes
over the tunnel. As long as I import the routes from BGP into the main
routing table everything works fine although that's not what I want to
achive.

I would like to achive the following, the routes comming into routing
table from BGP should go into a different routing table. I will use that
routing table for traffic comming in on the trusted interfaces, or orginating
from the trusted interface on the routeros device. However I can't really get this
to work and I'am not really sure why.

I have done the following:

Mikro234:
/ip address
add address=10.0.1.1/24 broadcast=10.0.1.255 comment="" disabled=no interface=ether2 network=10.0.1.0
add address=1.2.3.234/25 broadcast=1.2.3.255 comment="" disabled=no interface=ether1 network=1.2.3.128
add address=172.20.0.6/30 broadcast=172.20.0.7 comment="" disabled=no interface=Tunnel2 network=172.20.0.4

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no new-routing-mark=trust passthrough=yes \
src-address=10.0.1.0/24
add action=mark-routing chain=output comment="" disabled=no new-routing-mark=trust passthrough=yes \
src-address=10.0.1.1

/ip route rule
add action=lookup comment="" disabled=no routing-mark=trust table=trust

/ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADC dst-address=10.0.1.0/24 pref-src=10.0.1.1 interface=ether2 distance=0 scope=200

1 ADb dst-address=10.0.2.0/24 gateway=172.20.0.5 interface=Tunnel2 gateway-state=reachable
distance=20 scope=40 target-scope=10 routing-mark=trust bgp-as-path="65532"
bgp-origin=incomplete received-from=172.20.0.5

2 ADC dst-address=1.2.3.128/25 pref-src=1.2.3.234 interface=ether1 distance=0 scope=10

4 A S dst-address=172.20.0.4/30 gateway=172.20.0.6 interface=Tunnel2 gateway-state=reachable
distance=1 scope=30 target-scope=10 routing-mark=trust

5 ADC dst-address=172.20.0.4/30 pref-src=172.20.0.6 interface=Tunnel2 distance=0 scope=10

Mikro236:
/ip address
add address=1.2.3.236/25 broadcast=1.2.3.255 comment="" disabled=no interface=ether1 network=1.2.3.128
add address=172.20.0.5/30 broadcast=172.20.0.7 comment="" disabled=no interface=Tunnel_mik network=172.20.0.4
add address=10.0.2.1/24 broadcast=10.0.2.255 comment="" disabled=no interface=ether2 network=10.0.2.0

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no new-routing-mark=trust passthrough=yes src-address=10.0.2.0/24
add action=mark-routing chain=output comment="" disabled=no new-routing-mark=trust passthrough=yes src-address=10.0.2.1

/ip route rule
add action=lookup comment="" disabled=no routing-mark=trust table=trust

/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADb dst-address=10.0.1.0/24 gateway=172.20.0.6 interface=Tunnel_mik gateway-state=reachable distance=20
scope=255 target-scope=10 routing-mark=trust bgp-as-path="65530" bgp-origin=incomplete
received-from=172.20.0.6

1 ADC dst-address=10.0.2.0/24 pref-src=10.0.2.1 interface=ether2 distance=0 scope=200

2 ADC dst-address=1.2.3.128/25 pref-src=1.2.3.236 interface=ether1 distance=0 scope=10

3 ADC dst-address=172.20.0.4/30 pref-src=172.20.0.5 interface=Tunnel_mik distance=0 scope=10

4 A S dst-address=172.20.0.4/30 gateway=172.20.0.5 interface=Tunnel_mik gateway-state=reachable distance=1
scope=255 target-scope=10 routing-mark=trust
So, the routes are in the correct table and I check both prerouting (for packets going into the router) and output
(for packages originating from the router) and I have a route rule in place that states what table it should use.

However, if I do the following on mikro234:
/ping 10.0.1.1
no route to host

Which is correct since there is no route for the 10.0.1.0/24 in the main routing table. If I do:
/ping 10.0.1.1 src-address=10.0.2.1
no route to host
And that seems wrong since it should check the output mangle rule and attach routing-mark=trust and then use the ip
route rule and match it towards the table trust and use the route in there. So my conclusion is that I missunderstod
or made a error. If someone could give me a helping hand that would be great!

The hardware used are two rb600 and the packages installed are the following:

# NAME VERSION SCHEDULED
0 routeros-powerpc 3.0rc10
1 system 3.0rc10
2 wireless 3.0rc10
3 X ipv6 3.0rc10
4 routerboard 3.0rc10
5 hotspot 3.0rc10
6 dhcp 3.0rc10
7 ppp 3.0rc10
8 advanced-tools 3.0rc10
9 routing 3.0rc10
10 security 3.0rc10

br
Hippo

1- i would first upgrade to 3.6 and see if its still a problem.

2- are you using '/routing filter' to get the bgp received routes into the alternate table ?

Hi

1) Upgraded to 3.6 on both devices and the problem is still occuring.

2) yes, I have a bgp filter in that looks like this:
0 chain=setmarktrust invert-match=no action=passthrough set-routing-mark="trust"

that I use to make sure that all routes I get from the bgp are inserted into the correct routing table.

However I did some more trouble shooting and noticed the following behavior.

If I connect a client with the ip of 10.0.1.5 to eth2 of mikro234 and try to ping 10.0.2.1 it's not working. However if I add a static route on the mikro236 device towards the tunnel for the ip address 10.0.1.5/32 over the tunnel I'm able to ping 10.0.2.1 from 10.0.1.5.

The following route was added:
1 A S dst-address=10.0.1.5/32 gateway=172.20.0.6 interface=Tunnel_mik gateway-state=reachable distance=1 scope=30
target-scope=10

That probably means that the problem is that outgoing traffic from the mikrotik (in this case the ICMP replies) are not checking the trust routing table but rather the main one. If that is the case, the problem should be that for some reason the following line is not working correctly (for the mikro236)

/ip firewall mangle add action=mark-routing chain=output comment="" disabled=no new-routing-mark=trust passthrough=yes src-address=10.0.2.1

So once again I'm clueless on how to fix the problem, any help or input will be appreciated!

More input, if I connect one client 10.0.1.5 to the mikro234 and one more client 10.0.2.5 to mikro236 they can ping each other without any problems so the problem really seem to be when packages are originating from the routeros device.