After Upgrading our main MT Router to v3.6 some mangle rules that existed in 2.9.51 cannot be installed to v3.6.

Our network gateway router has two wan Ethernet interfaces and a lan interface. All internet data from the lan is masqueraded to the default routes (wan1 wan2) but wan2 gateway route requires a routing mark.

Routing marks are simply added by mangle rules that match to IP addresses from LAN
However since wan2 will only route data to the internet that has a packet mark the router itself cannot respond to ping requests etc from the internet from wan2 (the reply from the MT will not go out through wan2 because the reply packets lack routing marks)

In 2.9.51 you could have a mangle rule: which would catch all data destined to go out wan2 and ensure it had the correct routing mark to be routed out the wan2 gateway. With this enabled in v2.9.51 the router could respond to requests perfectly on wan2.

when upgrading to 3.6 all existing mangle rules (in fact all other settings) were imported etc but the above mangle rule from 2.9.51 was missing. So I tried to enter it manually to the newly upgraded 3.6 and... Is this a bug? or is it now by v3 design that we can no longer catch outgoing interfaces and apply routing marks so that they leave (routed) through the correct Ethernet interface.

I have tried many different workarounds in the last 24hrs, including other mangle rules to mark packets followed by another mangle rule to get those marked packets and mark the routing on them. So far no success.

Any ideas?

In v3.x routing marks are valid only in prerouting and output chains.

Do the same but on output chain this should help, i do mark-routing on output chain and set a src-address filter to the public ip MT has, and then when you ping that MT from the world it responds, however this rule doesn't make MT to use this routing mark to get outside (ie when you do ping yahoo.com from wibox this rule won't make him use this route)

B/R
Michal

Ok, Many thanks for your suggestion. I have come to this configuration that seems to work. So here I am marking all connections that come in from WAN2, then checking all outbound packets for this connection mark. If it has this connection mark then the rule below will add the correct WAN2 routing mark.

Your welcome

Ok, this just wont work. Version 3 will not let you add a routing mark that go out a particular interface. Its simply broken.

We have rolled back to 2.9.51 (again) because you CAN add route marks prior to leaving on a particular interface in that version.

When will this be fixed fo v3? no workarounds have a 100% success in this.

once a packet has determined and out-interface its too late to change that with a routing mark.

once a packet has determined and out-interface its too late to change that with a routing mark.

So it seems with V3.

Same in 2.8 and in 2.9! if you place packet mark rules in other chains it can be used only for furder matching in other chains - so basically it was useless, and it was not working.