Hello,
I’m a beginner and even though I’ve searched everywhere I don’t know how to solve my issue. I’ve a 2011UiAS-2HnD that I use as a router for 2 WAN networks. One WAN network has to be routed to one set of ports and the other WAN to another set of ports. To do that I’ve created two subnets ‘attached’ respectively to two bridges, and that’s working. I’ve then used the mangle to mark the packets. This is my export of the ip part in which I have issues (I have double NAT because I must use the VDSL home router that our Italian provider gives us, so there is no way to have the public IP on the WAN side):
/ip address
add address=192.168.0.1/24 comment="main network" interface=bridge-main \
network=192.168.0.0
add address=192.168.3.2/24 comment="Public Network (WAN FastWeb Home)" \
interface=ether5-gw-fastweb-home network=192.168.3.0
add address=192.168.4.2/24 comment="Public Network (WAN FastWeb Work)" \
interface=ether4-gw-fastweb-work network=192.168.4.0
add address=192.168.1.1/26 comment="work network" interface=bridge-work \
network=192.168.1.0
add address=192.168.1.65/26 comment="guest network" interface=bridge-guest \
network=192.168.1.64
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=192.168.0.0/24 comment=\
"Address allowed to establish connection to the router" list=\
allowed_to_router
add address=192.168.1.64/26 list=guest_network
add address=192.168.0.55-192.168.0.69 list=iot_devices
add address=192.168.1.0/26 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment=\
"Allow only OpenDNS and my DNS as DNS from Guest Network" dst-address=\
aaa.aaa.aaa.aaa dst-port=53 protocol=udp src-address=192.168.1.64/26
add action=accept chain=forward dst-address=156.154.70.4 dst-port=53 \
protocol=udp src-address=192.168.1.64/26
add action=accept chain=forward dst-address=156.154.71.4 dst-port=53 \
protocol=udp src-address=192.168.1.64/26
add action=drop chain=forward dst-port=53 protocol=udp src-address=\
192.168.1.64/26
add action=accept chain=forward dst-address=aaa.aaa.aaa.aaa dst-port=53 \
protocol=tcp src-address=192.168.1.64/26
add action=accept chain=forward dst-address=156.154.70.4 dst-port=53 \
protocol=tcp src-address=192.168.1.64/26
add action=accept chain=forward dst-address=156.154.71.4 dst-port=53 \
protocol=tcp src-address=192.168.1.64/26
add action=drop chain=forward dst-port=53 protocol=tcp src-address=\
192.168.1.64/26
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop packets from guest lan that do not have guest lan IP" \
dst-address-list=not_in_internet log=yes log-prefix=LANGUEST_!LANGUEST \
src-address=192.168.1.64/26
add action=accept chain=forward comment=\
"Guest Network has to go to forward, no fasttrack to manage queue" \
connection-state=established,related src-address-list=guest_network
add action=accept chain=forward connection-state=established,related \
dst-address-list=guest_network
add action=accept chain=forward comment=\
"iot devices have to go to forward, no fasttrack to manage queue" \
connection-state=established,related src-address-list=iot_devices
add action=accept chain=forward connection-state=established,related \
dst-address-list=iot_devices
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Mangle Main Addresses to route to Home Fastweb modem" dst-address-list=\
!not_in_internet new-routing-mark=from-main passthrough=no src-address=\
192.168.0.0/24
add action=mark-routing chain=prerouting comment=\
"Mangle Work Addresses to route to work Fastweb modem" dst-address-list=\
!not_in_internet new-routing-mark=from-work passthrough=no src-address=\
192.168.1.0/26
add action=mark-routing chain=prerouting comment=\
"Mangle GuestAddresses to route to Home Fastweb modem" new-routing-mark=\
from-guest passthrough=no src-address=192.168.1.64/26
/ip firewall nat
add action=masquerade chain=srcnat comment="main network - routing " \
out-interface=ether5-gw-fastweb-home src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment=\
"work network - routing fastweb work" out-interface=\
ether4-gw-fastweb-work src-address=192.168.1.0/26
add action=masquerade chain=srcnat comment=\
"guest network - routing fastweb home" out-interface=\
ether5-gw-fastweb-home src-address=192.168.1.64/26
add action=dst-nat chain=dstnat comment="OpenVPN to TinkerBoard" dst-address=\
192.168.3.2 dst-port=443 protocol=tcp to-addresses=192.168.0.22 to-ports=\
443
/ip route
add distance=1 gateway=192.168.3.1 routing-mark=from-main
add distance=1 gateway=192.168.4.1 routing-mark=from-work
add distance=1 gateway=192.168.3.1 routing-mark=from-guest
add disabled=yes distance=2 gateway=192.168.3.1
This configuration works fine (I can browse the Internet from the two LANs at full speed without issue); the problem I have is the following: as soon as I enable the default route so that my routerboard can access the Internet (i.e. to check for firmware updates), by enabling the row
ip route add gateway=192.168.3.1
I browse at full speed only on the main and the guest network (the ones that have the same gateway as the default); the other network can still reach the Internet, but the speed falls from full speed (80Mbit) to less than 1Mbit; basically only ping works.
To get this configuration working I have to disable fasttrack in the firewall; this is not doable because my main WAN speed is 200Mbit, and with my firewall rules at full Internet speed without fasttrack I reach 100% routerboard CPU, compared to a maximum of 5-10% CPU with it enabled.
Is there any way to have fasttrack enabled with the default gateway set, or at least is it possible to mark the routerboard’s own packets to the Internet so that they are ‘attached’ to a specific route instead of the default one?
Thanks in advance!
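The following is an added example, not part of the original post or its export. It relies on two documented RouterOS behaviours: packets of a fasttracked connection bypass the firewall, including the mangle, so a per-packet routing mark set in prerouting is not re-applied once the connection is fasttracked (which is why only the LAN whose marked route differs from the default route collapses when a default route appears), and the router's own traffic never traverses prerouting but does traverse the mangle output chain. It reuses the post's names (from-main, from-work, not_in_internet, 192.168.1.0/26); the rule comments are assumptions about intent, and a default route in the main table is still needed so that router-originated packets have an initial route before the output chain re-marks them.

```routeros
# Added example (not from the original post). Assumes RouterOS 6.x export syntax.
/ip firewall filter
# Fasttrack only flows that already follow the default gateway. The work LAN
# (192.168.1.0/26) is policy-routed to a different gateway, so keep it on the
# slow path in both directions: every packet then passes the mangle and keeps
# its routing mark, while the main LAN (the bulk of the traffic) stays fasttracked.
add action=fasttrack-connection chain=forward \
    comment="FastTrack, excluding the policy-routed work LAN" \
    connection-state=established,related \
    src-address=!192.168.1.0/26 dst-address=!192.168.1.0/26
# Packets that are not fasttracked still need the usual established/related accept.
add action=accept chain=forward connection-state=established,related

/ip firewall mangle
# Router-originated traffic (update checks, DNS and NTP from the router itself)
# is marked in the output chain so it follows the from-main table towards the
# home modem rather than the unmarked default route. Destinations in the
# not_in_internet list (the modems' own subnets, the LANs) are left unmarked.
add action=mark-routing chain=output \
    comment="Pin the router's own Internet traffic to the home modem" \
    dst-address-list=!not_in_internet new-routing-mark=from-main passthrough=no
```

Once the work LAN is kept off the fasttrack path, enabling the unmarked default route no longer changes where its packets exit, because each packet is re-marked in prerouting and matched by the from-work route; the CPU cost of the slow path is limited to that one /26 rather than the whole 200Mbit main WAN. The output-chain mark is independent of this and only decides which table the router's own traffic uses.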