Can't create killswitch on ROS7.1.1

RouterOS General
1

Hello everyone!
I have updated the ROS version to 7.1.1. I want to set up a killswitch for ipsec.
I took (this) article as a basis and want to customize the method for ROS7.1.
But in 7.1.1 the usage of routing marks changed. Now I need to add a table named as routing mark. I did so, but the packets are not filtered, but go to the default route of the main route table.
I attach the settings below :

Routing tables:

/routing table
add disabled=no fib name=second

Firewall:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=195.201.201.32 new-routing-mark=second passthrough=no

Interface:

/interface bridge
add admin-mac=48:8F:5A:28:05:7C auto-mac=no comment=defconf name=bridgeLocal
add name=my_blackhole protocol-mode=none

Routes:

/ip route
add disabled=no distance=1 dst-address=195.201.201.32/32 gateway=my_blackhole pref-src=0.0.0.0 routing-table=\
    second scope=30 suppress-hw-offload=no target-scope=10

Routes list:

Flags: D - dynamic; X - disabled, I - inactive, A - active; 
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; 
+ - ecmp 
   DAv   dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=pppoe-out1 immediate-gw=pppoe-out1 
         distance=1 scope=30 target-scope=10 suppress-hw-offload=no 

   DAc   dst-address=192.168.88.0/24 routing-table=main gateway=bridgeLocal immediate-gw=bridgeLocal distance=0 
         scope=10 suppress-hw-offload=no local-address=192.168.88.1%bridgeLocal 

 0  As   dst-address=195.201.201.32/32 routing-table=second pref-src=0.0.0.0 gateway=my_blackhole 
         immediate-gw=my_blackhole distance=1 scope=30 target-scope=10 suppress-hw-offload=no

Route rules:

/routing rule
add action=lookup disabled=no table=main
add action=lookup-only-in-table disabled=no routing-mark=second table=second

But packets go through the main table to the default gateway.
Need help…

2

Order of rules is important, first matching one will be used. So in this case it will always find route in main table. You need to move second one up.

3

The point is that I applied this rule to the second table.
I also marked the packet (new-routing-mark=second) so that it was sent to the second table search. It looks like the marking is not working.
If there were no marker, then the packet would pass in turn through the list in the routing table.

4

It’s the vernacular that made you misunderstand what @Sob wrote. The word “rule” is ambiguous.

How it works:

  • the packet passes through rules in chain prerouting of /ip firewall mangle, which assign it (or not) a routing table name.
  • next, the packet passes through the rules in /routing/rule. Like firewall rules, these routing rules are also matched first to last (top to bottom) and if conditions are met, the action is taken and further rules are not matched against.
    In the routing rules, routing-mark is a match condition, and table is the output value. If a packet matches none of the routing rules, its assigned routing mark (routing table name) does not change, therefore the packet is routed using the table assigned using mangle rules, or using table main if no routing mark has been assigned in mangle, or if no matching route can be found in the table assigned in mangle.
  • last, the packet is actually routed, using the routing table assigned as a result of all the previous manipulations.

So in step 1, your packet gets a routing-mark second.
In step 2, the packet matches the routing rule action=lookup table=main, because this rule doesn’t check any match conditions. So effectively, the routing mark second is removed here. And since the packet matched this rule, it is not matched against the next one.

So just remove the first routing rule and you should be good.

5

Thank’s!


I changed routing rules:

/routing rule
add action=lookup disabled=no routing-mark=second table=second
add action=lookup disabled=no table=main

Now everything works great!
Thank you all very much for your help!

6

Usually you give the solved status to member who helped you, and not to yourself.

7

Thanks, fixed

8

Hello,

could you please be so kind and post all the commands for the FULL solution ? I am not sure that I can put them together by myself. Many thanks!

9

Hello everyone.

can I please ask… What is this address ? 195.201.201.32
Could that be rewritten in a more elegant way, without citing a specific IP address, as such IP addresses can easily change when connecting to a different VPN ? Thanks a lot!