Dual wan: connection marks only when using mangle input

Hi,

I have a dual WAN config (PPPoE & leased line with static public IPs) on my RB750G running ROS 6.1.
I tried to set up mangle rules to route an incoming connection over the WAN interface it came in on.
I know, that I have to use mangle rules to mark the connection and to mark the routing.

It’s working, but I discovered a thing I cannot understand, I’ll refer to this later.

This is my IP address config:

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.255.1/24   192.168.255.0   ether2
 1   212.6.176.98/27    212.6.176.96    ether5
 2   212.6.176.99/27    212.6.176.96    ether5
 3 D 188.99.233.49/32   188.99.224.1    pppoe-vodafone

The PPPoE interface “pppoe-vodafone” is running on ether1.
ether5 is the interface for the leased line.

My mangle rules look like this:

Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; accept direct connected claranet
     chain=prerouting action=accept dst-address=212.6.176.96/27

 1   ;;; mark connection claranet
     chain=input action=mark-connection new-connection-mark=cm_claranet passthrough=yes in-interface=ether5 connection-mark=no-mark

 2   ;;; mark connection claranet
     chain=prerouting action=mark-connection new-connection-mark=cm_claranet passthrough=yes in-interface=ether5 connection-mark=no-mark

 3   ;;; mark routing claranet
     chain=prerouting action=mark-routing new-routing-mark=rm_claranet passthrough=yes connection-mark=cm_claranet

 4   ;;; mark routing claranet
     chain=output action=mark-routing new-routing-mark=rm_claranet passthrough=yes connection-mark=cm_claranet

 5   ;;; mark connection vodafone
     chain=prerouting action=mark-connection new-connection-mark=cm_vodafone passthrough=yes dst-address-type="" in-interface=pppoe-vodafone
     connection-mark=no-mark

 6   ;;; mark connection vodafone
     chain=prerouting action=mark-connection new-connection-mark=cm_vodafone passthrough=yes dst-address-type=!local in-interface=ether2
     connection-mark=no-mark

 7   ;;; mark routing vodafone
     chain=prerouting action=mark-routing new-routing-mark=rm_vodafone passthrough=yes connection-mark=cm_vodafone

 8   ;;; mark routing vodafone
     chain=output action=mark-routing new-routing-mark=rm_vodafone passthrough=yes connection-mark=cm_vodafone

And my routing table looks like this:

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S  dst-address=0.0.0.0/0 gateway=212.6.176.97 gateway-status=212.6.176.97 reachable via  ether5 check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=rm_claranet

1 ADS  dst-address=0.0.0.0/0 gateway=188.99.224.1 gateway-status=188.99.224.1 reachable via  pppoe-vodafone distance=1 scope=30 target-scope=10

2 ADC  dst-address=188.99.224.1/32 pref-src=188.99.255.192 gateway=pppoe-vodafone gateway-status=pppoe-vodafone reachable distance=0 scope=10

3 A S  dst-address=192.168.0.0/16 gateway=192.168.15.1 gateway-status=192.168.15.1 reachable via  ovpn-wa check-gateway=ping distance=1 scope=30 target-scope=10

4 ADC  dst-address=192.168.255.0/24 pref-src=192.168.255.1 gateway=ether2 gateway-status=ether2 reachable distance=0 scope=10

5 ADC  dst-address=212.6.176.96/27 pref-src=212.6.176.98 gateway=ether5 gateway-status=ether5 reachable distance=0 scope=10

I used http://wiki.mikrotik.com/wiki/ECMP_load_balancing_with_masquerade to set the correct mangle rules.
At least for my leased line I think I have the exact same situation: I want incoming traffic on this interface to leave it over the exact same interface to avoid a change of my public IP from external view.

Finally, my questions:

  1. In the ECMP load balancing article, they’re using the “prerouting” chain for marking the connections. This is fully understandable, but in my case, it only marks the connections over ether5 as I would expect if I set it in “input”. As you can see, rule 1 and rule 2 in the mangle table only differ in chain.

In “prerouting” it is not working, or more correctly: not all incoming connections will get marked, therefore they get no routing mark and won’t be routed over my marked route. I used http://forum.mikrotik.com/t/new-packet-flow-diagram/66252/1 (it’s the new packet flow diagram normis announced some months ago) to understand the difference, but placing the rule in mangle “prerouting” seems to be the best choice for me. Nevertheless, it’s not working with prerouting.

Strange thing: marking the connection in “mangle prerouting” works on the PPPoE interface.

  2. Despite thinking I know the answer: I only want to achieve the “separation” of WAN traffic. No load balancing, no fallback. So an incoming mangle rule for each WAN interface should be sufficient; of course I must set routing marks, but that’s it, right?

Thanks a lot.

Ape

Or maybe I should have asked: Is there a difference in prerouting and input chain for an incoming connection which will be terminated in the router?

The packet flow diagram says no, because it’s “prerouting → routing decision → input”. Am I missing something?

Thanks.

Ape
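As an added illustration (not part of the original thread and not RouterOS or MikroTik code), the following Python model walks the mangle rules quoted in the post in RouterOS's top-to-bottom order, using the documented behaviour that `action=accept` ends processing of the current chain for that packet. Rule 0 (`chain=prerouting action=accept dst-address=212.6.176.96/27`) sits above rule 2 in prerouting and covers the router's own ether5 addresses, so a new connection to 212.6.176.98 leaves prerouting unmarked and is only marked by rule 1 in input; a connection to the PPPoE address matches no accept rule and is marked in prerouting. The two sample packets are constructed; rules 3, 4 and 6 to 8 are left out because they do not affect which connection mark a new inbound connection receives.

```python
"""Order-of-evaluation model for the mangle rules quoted in the post.

RouterOS evaluates the rules of one chain top to bottom, and 'action=accept'
ends processing of that chain for the packet (later rules of the same chain
are not consulted).  This is a stand-alone re-implementation of that rule
walk, not RouterOS code; the rules below are transcribed from the post and
only the matchers they actually use are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    in_interface: str
    dst: str


@dataclass
class Conn:
    mark: Optional[str] = None  # connection mark; None stands for "no-mark"


@dataclass
class Rule:
    chain: str
    action: str  # "accept" or "mark-connection"
    dst_address: Optional[str] = None
    in_interface: Optional[str] = None
    connection_mark: Optional[str] = None  # "no-mark" matches an unmarked connection
    new_connection_mark: Optional[str] = None
    passthrough: bool = True
    comment: str = ""

    def matches(self, pkt: Packet, conn: Conn) -> bool:
        if self.dst_address and ip_address(pkt.dst) not in ip_network(self.dst_address):
            return False
        if self.in_interface and pkt.in_interface != self.in_interface:
            return False
        if self.connection_mark == "no-mark" and conn.mark is not None:
            return False
        return True


# Rules 0, 1, 2 and 5 from the post, in their original order.
RULES = [
    Rule("prerouting", "accept", dst_address="212.6.176.96/27",
         comment="accept direct connected claranet"),
    Rule("input", "mark-connection", in_interface="ether5", connection_mark="no-mark",
         new_connection_mark="cm_claranet", comment="mark connection claranet (input)"),
    Rule("prerouting", "mark-connection", in_interface="ether5", connection_mark="no-mark",
         new_connection_mark="cm_claranet", comment="mark connection claranet (prerouting)"),
    Rule("prerouting", "mark-connection", in_interface="pppoe-vodafone", connection_mark="no-mark",
         new_connection_mark="cm_vodafone", comment="mark connection vodafone"),
]


def run_chain(rules, chain: str, pkt: Packet, conn: Conn) -> Optional[str]:
    """Walk one chain in order; return the comment of the rule that ended the walk, if any."""
    for r in rules:
        if r.chain != chain or not r.matches(pkt, conn):
            continue
        if r.action == "accept":
            return r.comment  # accept: no further rules of this chain are consulted
        if r.action == "mark-connection":
            conn.mark = r.new_connection_mark
            if not r.passthrough:
                return r.comment
    return None


def inbound_to_router(pkt: Packet, rules=RULES):
    """Packet flow for a connection terminating on the router: prerouting, then input.

    Returns (connection mark after prerouting, connection mark after input).
    """
    conn = Conn()
    run_chain(rules, "prerouting", pkt, conn)
    after_prerouting = conn.mark
    run_chain(rules, "input", pkt, conn)
    return after_prerouting, conn.mark


if __name__ == "__main__":
    # Constructed sample packets: a new connection to each of the router's own WAN addresses.
    for pkt in (Packet("ether5", "212.6.176.98"), Packet("pppoe-vodafone", "188.99.233.49")):
        pre, inp = inbound_to_router(pkt)
        print(f"{pkt.in_interface:15} dst={pkt.dst:15} after prerouting={pre!s:12} after input={inp}")
```

Running the model reproduces the behaviour described in the post: the ether5 connection is unmarked after prerouting and marked `cm_claranet` only after input, while the PPPoE connection is marked `cm_vodafone` already in prerouting. The same walk with rule 0 removed marks the ether5 connection in prerouting too, which is the check to make against a live configuration.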