double connections with mangle rules and drop filter rules

Hello,
I have a CHR in the cloud and monitor my customers' MikroTik routers.
So basically on the CHR I have an SSTP server and on the customer side I add an SSTP client.
All works fine.

Now I have a customer with 2 WANs (primary + LTE).
So on the CHR I create a rule to forward a secondary SSTP server port to the real one.
For example, the SSTP server port is 443; I create a NAT rule (dst-nat) 444 to 443.
In other words I have 2 ports for the same SSTP server.

On the customer side
I have a classical SSTP client on port 443 that works with the primary connection and works fine (sstp-client1).
I create a second SSTP client on port 444 (sstp-client2).
To "force" the secondary SSTP client to LTE I use mangle rules + a routing table:

/ip route
add comment="FORCED LTE" distance=50 dst-address=0.0.0.0/0 gateway=10.93.188.255 \
    routing-table=_force_LTE
/routing table
add disabled=no fib name=_force_LTE

Of course I have a script for changing the gateway (dynamic) and it works.

Then I use mangle rules:

/ip firewall mangle
add action=mark-routing chain=output comment=\
    "sstp force LTE" dst-address-list=sstp-force-LTE \
    dst-port=444 new-routing-mark=_force_LTE passthrough=yes protocol=tcp
add action=mark-connection chain=input comment=\
    "MANGLE INPUT PER INCOMING CONN FAILOVER" in-interface=vlan_LTE \
    new-connection-mark=incoming_LTE passthrough=yes
add action=mark-routing chain=output comment=\
    "MANGLE OUTPUT PER INCOMING CONN FAILOVER" connection-mark=\
    incoming_LTE new-routing-mark=_force_LTE passthrough=yes
add action=mark-connection chain=forward comment=\
    "MANGLE INPUT PER INCOMING CONN FAILOVER" in-interface=vlan_LTE \
    new-connection-mark=incoming_LTE passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "MANGLE OUTPUT PER INCOMING CONN SU FAILOVER" connection-mark=\
    incoming_LTE in-interface-list=LAN new-routing-mark=_force_LTE \
    passthrough=yes
/ip firewall address-list
add address=my.sstpserver.tld list=sstp-force-LTE

Seems to work, but when LTE is down I can see (on the CHR) sstp-client2 connected via the primary WAN.
Because the route is invalid, I think…

So I thought to block connections on port 444 from the NOT-LTE interface.

/ip firewall filter
add action=drop chain=output comment=\
    "DROP SSTP 444 FROM NOT LTE" disabled=no \
    dst-address-list=sstp-force-LTE dst-port=444 out-interface=!vlan_LTE \
    protocol=tcp

OK, now
sstp-client1 can connect fine to the SSTP server (and that is normal)
sstp-client2 can't connect… I see in the log
sstp-client2: terminating… - unable to connect
etc.

But if I disable the filter rule and LTE is online, sstp-client2 can connect to the SSTP server over the LTE connection.
I double-checked, in connections (on the customer side) and in PPP - Active Connections (on the CHR side).

In other words my goal is to be sure that the primary connection is up and LTE is up…
On the CHR I have "The Dude" with a TCP check on the primary connection with a public IPv4.
But LTE is CGNAT, so I try to use this sstp-client2 and then check ping to its IP on the CHR/Dude.
But sstp-client2 must use LTE.

thank you in advance
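An added configuration example (not from the original post) for the "route is invalid" case described above: it assumes RouterOS v7 (the `/routing table` syntax in the post), the names used in the post, and that a routing-mark lookup with no active route in `_force_LTE` falls through to the main table, which is how marked traffic could leave on the primary WAN. A blackhole route in the table with a higher distance keeps the lookup inside `_force_LTE` while the LTE gateway is down.

```routeros
# Added example, not the poster's configuration. Assumes RouterOS v7 and the
# names from the post (_force_LTE, 10.93.188.255); distance 250 is assumed free.
/ip route
# Existing forced route via LTE (distance 50). While the LTE gateway is
# reachable this route is active and wins the lookup in _force_LTE.
add comment="FORCED LTE" distance=50 dst-address=0.0.0.0/0 \
    gateway=10.93.188.255 routing-table=_force_LTE
# Guard route: when the LTE route above is inactive, a packet marked
# _force_LTE would otherwise be looked up in the main table and leave on the
# primary WAN. The blackhole keeps the lookup inside _force_LTE and drops the
# packet instead, so sstp-client2 fails to connect while LTE is down rather
# than silently connecting over the primary WAN.
add comment="FORCED LTE guard" blackhole distance=250 dst-address=0.0.0.0/0 \
    routing-table=_force_LTE

# Check which route is currently active in the table
# (flags: A = active, B = blackhole)
/ip route print where routing-table=_force_LTE
```

With LTE up, the print should show the distance-50 route as active; with the LTE gateway unreachable, only the blackhole route should be active.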

Remember that connections made before you change a firewall configuration can continue to run even when changes in the configuration would preclude that.
So you should be careful with “I do this and then I change that and now this or that” kind of testing.

I mainly use and recommend wireguard for monitoring, and I used to use SSTP as backup (no need for a certificate between two MT devices), but recently moved to a more secure IP-IP with IPsec secret as a backup method.

By the way, the nice thing about a wireguard connection on WAN1: if WAN1 fails, the wireguard protocol will switch to WAN2 after a slight delay.
The reason to have a backup on WAN2 is for immediate access vice waiting, and of course in case wireguard is completely messed up.

Typically the folks I work with have
CHR via wan1 - wireguard
CHR via wan2 - IP-IP
Work/home MT router via wan2 - wireguard.

Thank you to all for answers.

@pe1chl
Yes, I tried to disable and re-enable sstp-client2, but nothing…
And I also tried to reboot the firewall, but the connection fails…

@anav
Thank you, I'm also in favour of using wireguard for speedup.
But in this case I don't need to switch fast from WAN1 to WAN2.
I would monitor if WAN1 is up (and I use a remote TCP monitor with the Dude on the CHR)
and would monitor if WAN2 is up (it is also unused because WAN1 is online).
Because, if someone touches it or forgets to pay the SIM, I think I have a backup but I don't…

So my goal is to monitor LTE without a public IPv4, and use it as failover…

For example I create a fake IP address on the bridge (172.16.56.1),
create the same mangle rule in the output chain with src-address 172.16.56.1 (fake IP) to mark routing "_force_LTE",
create a netwatch with
host: 8.8.4.4
type: icmp
src address: 172.16.56.1 (fake IP)
and status is up.
So it is OK; in connections I see that NAT with LTE. Perfect :)
Now I create a filter rule (and put it first of all):
chain: output
dst address: 8.8.4.4
protocol: icmp
out interface: ! vlan_LTE
action : drop

Now netwatch status is down… :(
Why???
Packets should exit to vlan_LTE!!!

thank you