Custom Routing Table + Routing Mark not working

(hAP ac^3 running 7.2rc1)

I have properly working IPv4 and IPv6 networks. IPv4 is NATed, IPv6 /64 prefix comes from WAN (PPPoE) via DHCPv6 PD and it is then Router Advertised to my LAN.

I want to route some of the outgoing traffic via a WireGuard VPN using NAT. To do that I’ve:

  • created a new routing table;
  • added the 0.0.0.0/0 and ::/0 routes via the VPN interface to this new routing table;
  • added the nat rules;
  • added the mangle rules to do the mark-routing.

I can see the mangle firewall rule increasing its packet counter, but this is not working for IPv6. The marked IPv6 traffic is still going directly to the Internet, not via the VPN.

Interestingly, this same configuration is working fine for IPv4.

Am I doing anything wrong here? Or is it a bug with RouterOS v7?

Here are the relevant parts of my config:

/interface wireguard
add listen-port=51820 mtu=1432 name=vpn
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 interface=vpn
/ip address
add address=172.16.0.2 interface=vpn network=172.16.0.2
/ipv6 address
add address=fd00:a:b:c:d:e:f:1234/128 advertise=no interface=vpn
/routing table
add fib name=vpn
/ip route
add dst-address=0.0.0.0/0 gateway=vpn routing-table=vpn
/ipv6 route
add dst-address=::/0 gateway=vpn routing-table=vpn
/ipv6 firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=no src-mac-address=AA:BB:CC:DD:EE:FF
/ipv6 firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface=vpn

I also discovered by accident that if I mess with /routing/rule/ (like adding and then removing some rules) the marked traffic will start going through the VPN, even after removing all rules in there. This makes me guess it is something related to the routing cache?

Thanks in advance.

I am trying exactly the same and it fails for me too.
Any progress on your configuration?

Yes! I was able to make it work.

Apparently to make it work you have to do both mark-connection and mark-routing:


/ipv6 firewall mangle
add action=jump chain=prerouting comment=prerouting-vpn dst-address-list=vpn jump-target=prerouting-vpn
add action=mark-connection chain=prerouting-vpn comment="mark-connection vpn" dst-address-list=!not-vpn new-connection-mark=vpn passthrough=yes
add action=mark-routing chain=prerouting-vpn comment="mark-routing vpn" connection-mark=vpn new-routing-mark=vpn passthrough=no
/ipv6 firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface=vpn

(This config is slightly different from the other one I posted before. In this one I’m using address-lists to mark which traffic should and should not go through the VPN interface.)

Doing this way worked perfectly for me.

Well, I have a configuration that reliably crashes the router…
Opened a support ticket (SUP-82649)… Will do further testing when this is resolved.

Works for me now as well. My crash was fixed with:

*) firewall - fixed IPv6 NAT functionality when processing GRE traffic on TILE devices;

I have the same problem as topic author.
Connection mark didn’t help.
The marked IPv6 traffic is still going directly to the Internet, not via the VPN.
Can anyone suggest the solution?

RouterOS 7.13.3, hAP ac

I was able to make this work with custom routing tables (and even VRFs) using the following configuration:


/ip firewall mangle add action=jump chain=prerouting comment="prerouting LAN" connection-mark=no-mark connection-state=new dst-address-list=!private dst-address-type=!local in-interface-list=LAN jump-target=prerouting-lan

/ip firewall mangle add action=jump chain=prerouting-lan comment=NordVPN dst-address-list=nordvpn jump-target=prerouting-nordvpn

/ip firewall mangle add action=mark-connection chain=prerouting-nordvpn comment="mark-connection nordvpn" dst-address-list=!not-nordvpn new-connection-mark=nordvpn

/ip firewall mangle add action=mark-routing chain=prerouting comment="mark-routing nordvpn" connection-mark=nordvpn in-interface-list=LAN new-routing-mark=nordvpn-vrf passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="mark-routing main" connection-mark=nordvpn in-interface=nordvpn new-routing-mark=main passthrough=no

These same rules work for IPv6.

In this example I’m using a destination address list (dst-address-list=nordvpn) to mark which connections I want to go through the VPN, but you can use other methods too (like source IP address, for example).

The last rule is important to make sure the traffic that went through the VPN comes back to the main table (where my LAN is).

Thank you, but this didn’t help me.
IPv4 works without problems, but IPv6 does not.
I tried marking the connection before and have tried again now. The connection is marked, the packets are marked, but the routing is ignored.
Could it be a routing problem? Does IPv6 routing require a more complex setup than IPv4?

/ipv6 route add dst-address=::/0 gateway=vpn routing-table=vpn

You need something like the example below, I think:

/routing/rule/add routing-mark=vpn table=vpn action=lookup-only-in-table
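Putting the pieces from the replies above together (the mark-connection plus mark-routing pair, the rule that sends VPN return traffic back to the main table, and the routing rule that binds the routing mark to the table), here is a complete policy-routing setup for both IPv4 and IPv6. This is an added example written for this page, not a configuration posted by anyone in the thread. The interface name vpn, the table and mark names, the interface list LAN, the address-list entries (documentation prefixes, constructed for the example) and the tunnel addresses are all assumptions; adjust them to your own setup. The one security-relevant choice to be aware of is action=lookup-only-in-table on the routing rule: with it, a packet whose connection is marked for the VPN is dropped if the vpn table has no usable route (tunnel down) rather than falling back to the main table and leaving in the clear via the WAN.

```routeros
# Added example, not part of the original thread. Names and addresses are assumptions.

# 1. A separate routing table. "fib" is what lets the table be used for forwarding.
/routing table
add fib name=vpn

# 2. Default routes for both address families inside that table.
/ip route
add dst-address=0.0.0.0/0 gateway=vpn routing-table=vpn
/ipv6 route
add dst-address=::/0 gateway=vpn routing-table=vpn

# 3. Address lists selecting which destinations go through the tunnel
#    (constructed entries using documentation prefixes).
/ip firewall address-list
add list=vpn address=203.0.113.0/24
/ipv6 firewall address-list
add list=vpn address=2001:db8::/32

# 4. Mangle. Order matters:
#    - mark the connection on its first packet with passthrough=yes, so the
#      mark-routing rule right after it already sees the connection mark on
#      that same first packet;
#    - mark-routing every packet of a marked connection coming in from the LAN;
#    - send packets of a marked connection that arrive from the tunnel back to
#      the main table, where the LAN is, so replies reach the client.
/ip firewall mangle
add chain=prerouting connection-state=new connection-mark=no-mark \
    in-interface-list=LAN dst-address-list=vpn \
    action=mark-connection new-connection-mark=vpn passthrough=yes
add chain=prerouting connection-mark=vpn in-interface-list=LAN \
    action=mark-routing new-routing-mark=vpn passthrough=no
add chain=prerouting connection-mark=vpn in-interface=vpn \
    action=mark-routing new-routing-mark=main passthrough=no
/ipv6 firewall mangle
add chain=prerouting connection-state=new connection-mark=no-mark \
    in-interface-list=LAN dst-address-list=vpn \
    action=mark-connection new-connection-mark=vpn passthrough=yes
add chain=prerouting connection-mark=vpn in-interface-list=LAN \
    action=mark-routing new-routing-mark=vpn passthrough=no
add chain=prerouting connection-mark=vpn in-interface=vpn \
    action=mark-routing new-routing-mark=main passthrough=no

# 5. Routing rule binding the mark to the table. lookup-only-in-table means
#    "no route in vpn table" = drop, not "fall back to main and leak via WAN".
#    Use action=lookup instead if you deliberately want that fallback.
/routing rule
add routing-mark=vpn table=vpn action=lookup-only-in-table

# 6. Source NAT behind the tunnel addresses, both families.
/ip firewall nat
add chain=srcnat out-interface=vpn action=masquerade
/ipv6 firewall nat
add chain=srcnat out-interface=vpn action=masquerade

# 7. Checks: the default routes must be active in the vpn table, connections to
#    listed destinations must carry the mark, and the peer's rx/tx counters and
#    last-handshake must move while a marked client generates traffic.
/ip route print where routing-table=vpn
/ipv6 route print where routing-table=vpn
/ip firewall connection print where connection-mark=vpn
/ipv6 firewall connection print where connection-mark=vpn
/interface wireguard peers print detail
```

If the IPv6 connections show the mark but the peer counters stay flat, the usual culprits are the ::/0 route not being active in the vpn table (no address on the tunnel interface, or the peer's allowed-address missing ::/0) or the WireGuard peer on the far end not accepting the IPv6 source, which is exactly the kind of server-side mistake the last post in this thread reports.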

Has something changed in later updates?
The current config is not working for me any more.

Please ignore this message, this time it was my fault in wireguard server configuration