Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
B
B
brar2016-05-27 19:54:24
Computer networks
brar, 2016-05-27 19:54:24

Is the gateway on a different subnet unreachable for tagged traffic?

Two Mikrotiks. Connected by GRE tunnel. Hosts from both subnets (192.168.99.0/24 and 192.168.77.0/24) see each other.
There was a need to redirect http traffic to squid (192.168.99.55). Added to the mangle table and to the routes (with the corresponding changes in subnet addresses):

/ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=web passthrough=yes protocol=tcp src-address=!192.168.99.55 dst-address=!192.168.99.0/24 
      src-address-list=http_to_squid dst-port=80

/ip route
 dst-address=0.0.0.0/0 gateway=192.168.99.55 distance=1 scope=30 target-scope=10 
        routing-mark=web

In the native subnet for the squid server, everything is fine. On the 192.168.77.0 subnet, the status of the gateway is unreachable , so the traffic is ignored.
From the router itself, the ping goes to 192.168.99.55. (And in general, I turned off the firewalls on both routers temporarily.)
As far as I understand, in ip routes, when creating a route, you cannot specify as the gateway address an address that does not belong to the subnets of the interfaces existing on the router.
In general, the question is how to correctly redirect http traffic to squid located on a different subnet?
A simple SNAT is not needed, since there will be only one host in the squid statistics - squid itself.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
B
brar, 2016-05-29
@brar

In general, I figured it out by reading the manual .
Value of gateway can be specified as an interface name instead of the nexthop IP address. Such route has the following special properties:
Unlike connected routes, routes with interface nexthops are not used for nexthop lookup.
And since I had a long-standing habit (for the convenience of addressing reconfiguration) to specify the interface name, and not the IP address, as the gateway to vpn subnets, such a gag arose.
In general, it worked as soon as I changed:
on the
And also changed the target-scope=30 value in the tagged traffic route to the squid:
Thanks to all.

Report
S
satoo, 2016-05-27
@satoo

1. Show from two Mikrotiks:
/ip route export
/ip firewall export
2. For routing, you can specify as the gateway address an address to which the router has direct access
3. Can a squid go up to 192.168.77.0/24 subnets?

Similar questions
N
Nicholas Komarov2015-09-12 20:58:38
How to Russify android? 6Reply
N
nrv2020-01-06 14:18:59
Distribution of the Internet from an Android smartphone received via WiFI via USB with access to a local network, how to organize? 1Reply
M
mad_DOG2015-08-31 17:42:40
What is better to use to create an analogue of the yandex market? 3Reply
V
Vyacheslav Belyaev2015-09-01 10:12:18
How to install Advisor+ on the server? 3Reply
A
Andrey Kazakov2015-09-01 19:39:56
Where is the best place to look for a developer? 4Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question