hi,
With 2 wan connections, A and B,
Which would be the rules in mangle to force a client (computer inside LAN) go through connection A or B?

I've tested with this configuration, but does not work as expected:
Routes: Firewall Note: I don't care input or output, because I'm just testing src-nat.
There are no more rules or rutes. The idea is to change connection mark to "client-adsl1" or "client-adsl2"
to force A or B

I'm doing a traceroute from client 172.16.0.200 (forced to adsl2) (client is also a routeros).
Sometimes (maybe 1/2) the second hop is @gwB but others it gaves me a timeout.
With packet sniffer I see packets going out through connection A with src-address @ipB.

Wich would be the configuration of mangle?
Do I need route rules?
Someone can explain why are packets going out through conn B with src-addres @ipA?
Someone has a similar setup and could post or send the rules?

I think this setup is fairly simple and should not be an "advanced" topic.

It is an advanced topic. Routing-mark is not for the casual user. I know about the theory and the real-world. I will ask only one more time...What is your intent? What differentiates the requirements from going out one route or the other? Is it an ip address? A specific ip range? Interface?

hi,
I'm glad to see you again.

Sorry if you think there is another intent other than explained in post.

I'll try to explain, but english is not my natural language (as you could have guessed).

I'm trying to ask questions as simple as I can, so it's more easy to understand. If I explain the whole configuration in one post, it would be more difficult for someone to understand the problem (I don't want to explain ipsec config, routing marks etc, just to ask: I can't ping)

What I'm trying to do is substitute the 5 linux boxes I currently have, with 5 mikrotik routerboard.
Because I like interface of configuration (someone less experienced can change configuration, open ports etc...), and among this, I don't want to have a PC 24 h/day running because is more easy to crash. Even if mikrotik routerboard crashes, it's easy to restore configuration to another.

Every mikrotik will be connected to 2 wan connections and will be installed on our 4 delegations and central, to provide vpn with ipsec, and internet sharing, with webproxy, snat a few services (some ftp, and mail), and dnat some others (for example a dynamic tunnel l2tp/ipsec from windows xp, so clients with dynamic addresses can connect to routing and remote access service on windows 2003, using their username and pw from domain).

There will be a tunnel between every delegation and the central, and also between delegations. (they are using own made software with distributed databases).
The tunnel will be using one wan connection, while webproxy and snat will use the other (THIS is why I need to Routing-mark, based on a combination of src-address, dst-address, sport, and dport, not only in prerouting but also in output).
And not happy with this, I want to be capable, in a certain moment, to reroute some traffic by the other connection. This way I could do a script that change it automatically. (for example if mail is going by connA and connA is down get mail by connB).
Queues will come later. and I'm discarding for the moment, to Load Balance.

This is the main scenario and is currently working with linux boxes (as I said).
And yes, I know routeros is not linux, but policy routing is policy routing ?
That's is: Routing by some other critera appart of destination address. (source address for example).

I think I've responded to all your questions:

What is your intent?

The above

What differentiates the requirements from going out one route or the other?

An ip address

Is it an ip address?

yes

A specific ip range?

May be

Interface?

Don't think (but who knows?).

These are a couple of the rules I use for this. Maybe they will help you see the logic.

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=ether2out src-address=192.168.0.2
add chain=prerouting action=mark-routing new-routing-mark=ether1out src-address=192.168.1.0/24

Then use the routing-mark in these as needed:
/ip firewall nat
/ip firewall filter
/ip route

First rule marks 192.168.0.2 traffic for ether2, and the second marks the traffic for 192.168.1.0/24 net for ether1.

I always check the routing with this:
/tool torch (EDIT: change to /tool sniffer. I like it better)
set interface=ether1
start
(wait several seconds)
stop
/tool torch packet print

then the same on ether2.

I use this if traffic is slow:
/ip firewall filter
add chain=forward action=add-src-to-address-list address-list=ether1mark routing-mark=ether1out
add chain=forward action=add-src-to-address-list address-list=ether2mark routing-mark=ether2out

Then after a while I check in
/ip firewall address-list
to see if all is well.

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=ether2out src-address=192.168.0.2

That's not the same as:? (mark connection first, then mark routing based on conn-mark).

So you don't mark connections just to mark routing?
Just to be courios, what version of routeros are using?

I am using a couple versions of RouterOS. I have 2.9.51 on my early RB133s, and 3.13 on most of the rest.

I use routing-mark for routing. The connection mark is not needed for the routing marks, only needed for packet marks. Connection marks are used mostly for bandwidth control (queues), QoS, and the like.

if your determining the route the user will take based on their source IP/block then save yourself time and just use a route rule... dont bother with routing-marks, etc.



Sam