DualWAN mangle IPsec packet flow

I have a MikroTik connected to filials through IPsec site-to-site ESP tunnels. The router has 2 ISPs, both with static white (public) IPs. ISP1 is the main one, ISP2 is the reserve.
Routes

    add check-gateway=ping comment="Infocom Mark" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=ISP1GW pref-src=0.0.0.0 \
    routing-table=Infocom scope=30 suppress-hw-offload=no target-scope=10
    add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    ISP1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
    add check-gateway=ping comment="DCTel Mark" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=ISP2 pref-src=0.0.0.0 \
    routing-table=DCTel scope=30 suppress-hw-offload=no target-scope=10
    add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    ISP2 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

I am using IPsec policies with 2 active peers (both my ISPs) for failover.

/ip ipsec policy
add dst-address=192.168.11.0/24 peer=co_infocom-infocom,co_dctel-dctel \
    proposal=ikev2_site-to-site_proposal src-address=192.168.1.0/24 tunnel=\
    yes
add dst-address=192.168.4.0/24 peer=step_infocom-infocom,step_dctel-dctel \
    proposal=ikev2_site-to-site_proposal src-address=192.168.1.0/24 tunnel=\
    yes

I am using mangle for active DualWAN.

This is the working variant, found experimentally.

/ip firewall mangle
add action=mark-connection chain=input comment="Connmark in from Infocom" \
    connection-mark=no-mark in-interface=ether1-vib-Infocom \
    new-connection-mark=INFOCOM-conn passthrough=no
add action=mark-connection chain=input comment="Connmark in from DCTel" \
    connection-mark=no-mark in-interface=ether2-vib-DCTel \
    new-connection-mark=DCTEL-conn passthrough=no
add action=mark-connection chain=forward comment=\
    "Connmark forward from Infocom" connection-mark=no-mark in-interface=\
    ether1-vib-Infocom new-connection-mark=INFOCOM-conn-f passthrough=no
add action=mark-connection chain=forward comment=\
    "Connmark forward from DCTel" connection-mark=no-mark in-interface=\
    ether2-vib-DCTel new-connection-mark=DCTEL-conn-f passthrough=no
add action=mark-routing chain=output comment=\
    "Route marked local out via Infocom" connection-mark=INFOCOM-conn \
    dst-address-type=!local new-routing-mark=Infocom passthrough=no
add action=mark-routing chain=output comment=\
    "Route marked local out via DCTel" connection-mark=DCTEL-conn \
    dst-address-type=!local new-routing-mark=DCTel passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Route marked transit out via Infocom" connection-mark=INFOCOM-conn-f \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=Infocom \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Route marked transit out via DCTel" connection-mark=DCTEL-conn-f \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=DCTel \
    passthrough=no

But I can't understand why the classic variant is not working (marking all packets in the prerouting chain). I can ping and access other filials and they can ping me, but opening ports just hangs from filial to center.

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Connmark in from Infocom" \
    connection-mark=no-mark in-interface=ether1-vib-Infocom \
    new-connection-mark=INFOCOM-conn passthrough=no
add action=mark-connection chain=prerouting comment="Connmark in from DCTel" \
    connection-mark=no-mark in-interface=ether2-vib-DCTel \
    new-connection-mark=DCTEL-conn passthrough=no
add action=mark-routing chain=output comment=\
    "Route marked local out via Infocom" connection-mark=INFOCOM-conn \
    dst-address-type=!local new-routing-mark=Infocom passthrough=no
add action=mark-routing chain=output comment=\
    "Route marked local out via DCTel" connection-mark=DCTEL-conn \
    dst-address-type=!local new-routing-mark=DCTel passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Route marked transit out via Infocom" connection-mark=INFOCOM-conn \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=Infocom \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Route marked transit out via DCTel" connection-mark=DCTEL-conn \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=DCTel \
    passthrough=no

Anyone?

Hello vadimkara,

> I can ping and access other filials, they can ping me, but opening ports just hangs from filial to center.

Can you show us your ping and traceroute output, from the branch to the center, and vice versa?

If you have tcping or tcptraceroute output, that would be nice.

You have to:
- mark both output and prerouting
- use routing tables for marks
- also exclude IPsec from fasttrack

/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec

/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ipsec connection-state=established,related hw-offload=yes

/routing table add fib name=wan.1.table
/routing table add fib name=wan.2.table

/ip route add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=wan.1.table scope=10
/ip route add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-table=wan.2.table scope=10

/routing rule add action=lookup-only-in-table disabled=no routing-mark=wan.1.table table=wan.1.table
/routing rule add action=lookup-only-in-table disabled=no routing-mark=wan.2.table table=wan.2.table

/ip firewall mangle add action=mark-connection chain=input connection-mark=no-mark in-interface-list=WAN.1 new-connection-mark=wan.1.toRouter passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan.1.toRouter new-routing-mark=wan.1.table passthrough=no
/ip firewall mangle add action=mark-connection chain=forward connection-mark=no-mark in-interface-list=WAN.1 new-connection-mark=wan.1.toLAN passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=wan.1.toLAN in-interface-list=LAN new-routing-mark=wan.1.table passthrough=no
/ip firewall mangle add action=mark-connection chain=input connection-mark=no-mark in-interface-list=WAN.2 new-connection-mark=wan.2.toRouter passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan.2.toRouter new-routing-mark=wan.2.table passthrough=no
/ip firewall mangle add action=mark-connection chain=forward connection-mark=no-mark in-interface-list=WAN.2 new-connection-mark=wan.2.toLAN passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=wan.2.toLAN in-interface-list=LAN new-routing-mark=wan.2.table passthrough=no
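A small offline check for two of the points in the recipe above (every routing mark used by mark-routing is backed by a /routing table entry, and every fasttrack rule excludes the IPsec connection mark), as an added example that is not part of this thread. It assumes a RouterOS v7 export in the format shown here, handles the backslash line continuations of the OP's export, and runs on a constructed sample that deliberately contains one weak fasttrack rule and one unbacked routing mark.

```python
import re
import shlex

# Constructed sample export: a fragment of the recipe above plus two planted defects.
SAMPLE_EXPORT = r"""
/routing table add fib name=wan.1.table
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!ipsec connection-state=established,related hw-offload=yes
/ip firewall filter add action=fasttrack-connection chain=forward comment="weak" \
    connection-state=established,related
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan.1.toRouter \
    new-routing-mark=wan.1.table passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=wan.2.toLAN \
    in-interface-list=LAN new-routing-mark=wan.2.table passthrough=no
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
"""

def parse_export(text):
    """Join '\\'-continued lines, then split each '/path add k=v ...' command
    into (path, {key: value}); quoted values such as comment="..." are kept whole."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules = []
    for line in joined.splitlines():
        tokens = shlex.split(line.strip())
        if not tokens or not tokens[0].startswith("/") or "add" not in tokens:
            continue
        i = tokens.index("add")                      # path tokens precede the verb
        path = " ".join(tokens[:i])
        kv = dict(t.split("=", 1) for t in tokens[i + 1:] if "=" in t)
        rules.append((path, kv))
    return rules

def lint(rules):
    """Return findings: fasttrack rules not excluding the IPsec connection mark,
    and mark-routing rules whose routing mark has no /routing table entry."""
    findings = []
    tables = {kv.get("name") for p, kv in rules if p == "/routing table"}
    ipsec_marks = {kv["new-connection-mark"] for p, kv in rules
                   if p == "/ip firewall mangle" and "ipsec-policy" in kv
                   and "new-connection-mark" in kv}
    for p, kv in rules:
        if p == "/ip firewall filter" and kv.get("action") == "fasttrack-connection":
            cm = kv.get("connection-mark", "")      # must be a negated IPsec mark, e.g. !ipsec
            if not (cm.startswith("!") and cm[1:] in ipsec_marks):
                findings.append(f"fasttrack rule '{kv.get('comment', '?')}' does not exclude ipsec connections")
        if p == "/ip firewall mangle" and kv.get("action") == "mark-routing":
            mark = kv.get("new-routing-mark")
            if mark not in tables:
                findings.append(f"routing mark '{mark}' has no /routing table entry")
    return findings

if __name__ == "__main__":
    for f in lint(parse_export(SAMPLE_EXPORT)):
        print(f)
```

Feed it the output of `/export` from your own router; an empty result means the two checks passed for that export.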