Correct routing mark

Hi,
Can anybody help me?

I use ProtonVPN; basically I use the rules below.
For most sites these rules work perfectly.

/ip firewall mangle
# mark traffic from the VPS list to any non-local destination for the VPN routing table
add action=mark-routing chain=prerouting comment="RotaVPS Full" \
    dst-address-list=!RedeLocal new-routing-mark=RotaProtonVPN \
    src-address-list=VPS

/ip route
# default route that only applies to lookups in the RotaProtonVPN table
add comment=RotaProtonVPN---- disabled=no distance=5 dst-address=0.0.0.0/0 \
    gateway=10.2.0.1 routing-table=RotaProtonVPN scope=30 \
    suppress-hw-offload=no target-scope=11

But some sites, like reddit or paramountplus.com, don't work.
It works if I force full traffic, but I don't want to do this; it increases latency and decreases download/upload speed.

Quickly searching, I deduce this block occurs because the sharing looks like a CGNAT.
Is there any other way to solve this issue?

Hey

The split is currently done based on dst-address; for that to work well you need to have knowledge of all involved addresses.
It seems you still miss some for reddit and paramount, as when you forward all over the VPN it does work.

So either update the dst-address list or use another discriminator.

Thanks for the response.

dst-address-list=!RedeLocal is my local network (192.168.0.0); this rule is negated, so it executes except for destinations in the local network.
src-address-list=VPS (example 192.168.0.5) is my list of devices that will use ProtonVPN.

Any host in src-address-list=VPS uses Proton VPN.

Before more tests on paramountplus.com, I don't know if there is a correlation, but when I alter the MTU it works for a short while; after the first request it stops again.

When you post the config I will be happy to assist:
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

Thank you.

/ip firewall mangle
# mark traffic from the VPS list to any non-local destination for the VPN routing table
add action=mark-routing chain=prerouting comment="RotaVPS Full" \
    dst-address-list=!RedeLocal new-routing-mark=RotaProtonVPN \
    src-address-list=VPS

/ip route
# default route that only applies to lookups in the RotaProtonVPN table
add comment=RotaProtonVPN---- disabled=no distance=5 dst-address=0.0.0.0/0 \
    gateway=10.2.0.1 routing-table=RotaProtonVPN scope=30 \
    suppress-hw-offload=no target-scope=11

A very messy config. I wouldn't bother with regex layer7 attempts to block social media; waste of time.
Also more rules disabled than enabled, and the config should be cleared of all noise that is not used.
Makes it very hard to spot errors.

  1. Don't forget to add persistent-keep-alive to the Proton WireGuard peer settings.

  2. No clue as to your WAN situation; it would appear you have two WANs but not sure.
     PPPoE client and IP DHCP client on ether2…

  3. You have weird MTU settings all over the map and then a script for MTU that I don't understand under the PPP profile.

  4. You seem to have a subnet spread over two ports, ether5 and ether4; not even sure if this is legal LOL.

  5. You have a set of complex firewall rules that I cannot fathom, so cannot help you there either.

  6. In terms of routes I see the Proton route, but not sure why you have any distance associated with it as it's in its own table??

  7. You have two mangle rules for Proton VPN:
     /ip firewall mangle
     add action=mark-routing chain=prerouting comment=RotaVPN \
         dst-address-list=RotaVPN new-routing-mark=RotaProtonVPN
     add action=mark-routing chain=prerouting comment="RotaVPN Full" \
         dst-address-list=!RedeLocal new-routing-mark=RotaProtonVPN \
         src-address-list=VPN

However, to be clear, the first rule captures a small bit of traffic, to specific URLs, to go through WireGuard. It only applies to traffic heading towards:
/ip firewall address-list
add address=abs.twimg.com comment=X list=RotaVPN
add address=api.x.com comment=X list=RotaVPN
add address=video.twimg.com comment=X list=RotaVPN

Can you confirm that the router resolves the entries in the source address list to IP addresses?
In other words, under the firewall address-list table there should be two entries: the one you entered and, right below it, an associated resolved address!
MYWAN ADDRESS: xxbYYce5866.sn.mynetname.net
(D) MYWAN ADDRESS: 145.23.236.15

If so, then that would seem to be okay. If a URL doesn't resolve, it should be removed.

The second entry seems to state that only a few IPs in the subnet need to go out over WireGuard. Seems to be okay; just add passthrough=no to each rule.
I would do the following:
/ip firewall mangle
add action=mark-routing chain=prerouting comment=RotaVPN \
    dst-address-list=RotaVPN new-routing-mark=RotaProtonVPN passthrough=no
add action=mark-routing chain=prerouting comment="RotaVPN Full" \
    dst-address-list=!RedeLocal new-routing-mark=RotaProtonVPN \
    src-address-list=VPN passthrough=no



++++++++++++++++++++++++++++++

Overall summary. You should scrap your entire config; it's overcooked and should be simplified starting from scratch. Unless it's very clear and working for you, of course.
a. Draw a network diagram of devices and planned subnets (use VLANs when it makes sense to do so, and I believe it does in your case → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 )
b. IDENTIFY all user(s)/devices, internal and external, and admin.
c. IDENTIFY all the traffic they require to pass.
Provide details on WAN(s): type, throughput, static/dynamic, public/private etc., and any external traffic coming in.
Provide details on router services being used.
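The check asked for above (does every FQDN in the address list actually resolve on the router?) can be scripted instead of read off the address-list table by eye. The script below is an added example, not something from the thread or from MikroTik's documentation; it assumes the list is called RotaVPN and that it holds host names rather than CIDR prefixes, and runs from a RouterOS terminal or as a scheduled script.

```routeros
# Added example (not from the thread): walk the static entries of an address list
# and report which ones the router can resolve right now. An entry that fails
# here will never get a dynamic (D) address and will never match the mangle rule.
# Assumed list name: RotaVPN.
:local listName "RotaVPN"
:local missing 0

:foreach id in=[/ip firewall address-list find list=$listName dynamic=no] do={
    :local entry [/ip firewall address-list get $id address]
    :do {
        # :resolve uses the router's own DNS settings, i.e. the same path the
        # address-list resolver takes
        :local resolved [:resolve $entry]
        :put "$entry -> $resolved"
    } on-error={
        :set missing ($missing + 1)
        :put "$entry does NOT resolve - remove it or fix the router's DNS"
    }
}

:put "unresolved entries in $listName: $missing"
```

If the same name resolves from a client PC but not here, the router's DNS (/ip dns) is the thing to look at, not the mangle rule.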

1 - “I wouldnt bother with regex layer7…”
This rule exists to block, in the firewall rules “Bloqueio sem”, “Bloqueio sex” and “Bloqueio sem dom”, my children's PC;
released only on weekends.

2 - “it would appear you have two…”
Yes, I have two links, 2 WANs.

3 - “You have weird MTU settings…”
These settings are valid only for my VPN local server on my MikroTik.

4 - “You seem to have a subnet spread…”
I decided to divide my network because I use ether5 for the wired network and ether4 for the wifi network; my wifi router isn't used as NAT, only as a wifi transmitter.

5 - “You have a set of complex firewall rules…”
Basically, on all “Interface List” internet, I drop all packets except my VPN and ping (ICMP), and drop all output except what is needed for services like VPN, cloud, etc.

6 - “In terms of routes I see the proton route…”
I use distance because I have two WANs and Proton; I use a failover configuration, but in some cases I force a specific outgoing WAN to access some services.
As I don't want to use ProtonVPN on all clients, I decided to create a “Routing Table” on the MikroTik.
As there are 3 WANs (Wan1 DHCP, Wan2 PPPoE, ProtonVPN), it is necessary to use distances.

7 - “You have two mangle rules…”
“RotaVPN Full” and “RotaVPN” are similar rules, both attempts to make it work.
On “RotaVPN” I put x.com in the “Address Lists” to test, and other sites; this works.
The problem is paramountplus.com: when I add it to the list or activate “RotaVPN Full”
it returns error 406, and I don't understand why.
On “RotaVPN Full”, until I resolve this problem with paramountplus.com, I isolate it to my PC for tests.

8 - “Can you confirm that the router…”
Yes, I am a developer and I use it to “cheat” my DNS resolver and redirect to my PC for tests, etc.

9 - “Seems to be okay, just added passthough=no…”
I altered this rule but paramountplus.com persists with error 406.

10 - “Overall Summary. You should scrap your entire config…”
For testing I could, but I don't think it would make paramountplus.com work.

If I disable the routing mark “RotaProtonVPN”, paramountplus.com works fine, on wan1 or wan2.
Obviously it is not a firewall rule or routes problem: if I force the second WAN with the address list “Claro” and routing table “RotaClaro”, paramountplus.com works perfectly.
Only if I activate the route mark to ProtonVPN does it return error 406.

If I use the same ProtonVPN server directly on my PC or cellphone, paramountplus.com works.

I believe it is a simple question, but I cannot see a solution.

For those interested, I finally resolved the question.
paramountplus.com checks DNS queries; to work correctly, it is mandatory that DNS queries also go over Proton VPN.
I did this using the rules below:

/ip firewall nat
# redirect DNS from the listed clients to the resolver reachable through the tunnel (UDP and TCP)
add action=dst-nat chain=dstnat comment="Force DNS on List" dst-port=53 protocol=udp \
    src-address-list=VPN_LIST_IP to-addresses=10.2.0.1
add action=dst-nat chain=dstnat comment="Force DNS on List" dst-port=53 protocol=tcp \
    src-address-list=VPN_LIST_IP to-addresses=10.2.0.1
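The root cause found above is a DNS leak in a split tunnel: the site's traffic left through the VPN but its DNS lookups still left through the WAN, so the two did not match. The block below is an added example, not the poster's config or anything from ProtonVPN or MikroTik; it pulls the thread's pieces (address lists, one mangle rule with passthrough=no, the routing table and its route, the DNS redirect) into one consistent set and adds a leak guard that drops DNS from the listed clients if it would ever go out a WAN interface. Assumed names: list VPN_CLIENTS, local network 192.168.0.0/24, WireGuard interface wg-proton with gateway 10.2.0.1, routing table RotaProtonVPN, and an interface list WAN holding the WAN interfaces.

```routeros
# Added example (not from the thread). Assumed names: VPN_CLIENTS, RedeLocal,
# wg-proton, 10.2.0.1, RotaProtonVPN, interface list WAN.

/routing table
add name=RotaProtonVPN fib

/ip firewall address-list
add list=RedeLocal address=192.168.0.0/24 comment="local network"
add list=VPN_CLIENTS address=192.168.0.5 comment="hosts that must use the VPN"

/ip firewall mangle
# one rule: listed clients, non-local destinations, stop processing after the mark
add chain=prerouting src-address-list=VPN_CLIENTS dst-address-list=!RedeLocal \
    action=mark-routing new-routing-mark=RotaProtonVPN passthrough=no \
    comment="VPN clients -> RotaProtonVPN"

/ip route
# default route that only exists inside the VPN table
add dst-address=0.0.0.0/0 gateway=10.2.0.1 routing-table=RotaProtonVPN \
    comment="default via WireGuard for marked traffic"

/ip firewall nat
# DNS from listed clients is answered by the resolver behind the tunnel (UDP and TCP)
add chain=dstnat src-address-list=VPN_CLIENTS protocol=udp dst-port=53 \
    action=dst-nat to-addresses=10.2.0.1 comment="Force DNS via VPN"
add chain=dstnat src-address-list=VPN_CLIENTS protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=10.2.0.1 comment="Force DNS via VPN"
# source NAT behind the tunnel address
add chain=srcnat out-interface=wg-proton action=masquerade comment="NAT out of VPN"

/ip firewall filter
# leak guard: should the tunnel route be inactive and the lookup fall back to the
# main table, the clients' DNS is dropped rather than sent out a WAN interface
add chain=forward src-address-list=VPN_CLIENTS protocol=udp dst-port=53 \
    out-interface-list=WAN action=drop comment="Block DNS leak from VPN clients"
add chain=forward src-address-list=VPN_CLIENTS protocol=tcp dst-port=53 \
    out-interface-list=WAN action=drop comment="Block DNS leak from VPN clients"
```

To confirm it is working, run a lookup from a listed client and watch the counters of the two dst-nat rules increase with /ip firewall nat print stats; the drop rules in the filter chain should stay at zero while the tunnel is up, and anything they count is a lookup that would otherwise have left via the WAN.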

Thx for sharing :)