Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
B
B
brar2016-05-27 19:54:24
Computer networks
brar, 2016-05-27 19:54:24

Is the gateway on a different subnet unreachable for tagged traffic?

Two Mikrotiks. Connected by GRE tunnel. Hosts from both subnets (192.168.99.0/24 and 192.168.77.0/24) see each other.
There was a need to redirect http traffic to squid (192.168.99.55). Added to the mangle table and to the routes (with the corresponding changes in subnet addresses):

/ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=web passthrough=yes protocol=tcp src-address=!192.168.99.55 dst-address=!192.168.99.0/24 
      src-address-list=http_to_squid dst-port=80

/ip route
 dst-address=0.0.0.0/0 gateway=192.168.99.55 distance=1 scope=30 target-scope=10 
        routing-mark=web

In the native subnet for the squid server, everything is fine. On the 192.168.77.0 subnet, the status of the gateway is unreachable , so the traffic is ignored.
From the router itself, the ping goes to 192.168.99.55. (And in general, I turned off the firewalls on both routers temporarily.)
As far as I understand, in ip routes, when creating a route, you cannot specify as the gateway address an address that does not belong to the subnets of the interfaces existing on the router.
In general, the question is how to correctly redirect http traffic to squid located on a different subnet?
A simple SNAT is not needed, since there will be only one host in the squid statistics - squid itself.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
B
brar, 2016-05-29
@brar

In general, I figured it out by reading the manual .
Value of gateway can be specified as an interface name instead of the nexthop IP address. Such route has the following special properties:
Unlike connected routes, routes with interface nexthops are not used for nexthop lookup.
And since I had a long-standing habit (for the convenience of addressing reconfiguration) to specify the interface name, and not the IP address, as the gateway to vpn subnets, such a gag arose.
In general, it worked as soon as I changed:
on the
And also changed the target-scope=30 value in the tagged traffic route to the squid:
Thanks to all.

Report
S
satoo, 2016-05-27
@satoo

1. Show from two Mikrotiks:
/ip route export
/ip firewall export
2. For routing, you can specify as the gateway address an address to which the router has direct access
3. Can a squid go up to 192.168.77.0/24 subnets?

Similar questions
R
RGB2013-12-04 01:06:18
Does the anti-piracy law apply to content proxy service owners? 3Reply
A
Alexey2018-07-29 13:05:36
How to make a file server through a router with access from the "outside"? 3Reply
P
Pavel2013-12-04 19:30:56
Solving technical and other issues on home Internet from Rostelecom 4Reply
V
Vladimir Kivva2016-03-11 02:29:13
How can I pick up a multicast from a remote network via pptp? 1Reply
I
Ilya bow2020-07-18 14:46:47
What is the name of such a corrugated spiral (photo in question)? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question