How can I mark outbound router packets with routing-mark?

I’m having a hard time trying to understand exactly which chain I can put my routing-mark rule in to mark packets emitted from the router itself. I need to alter the gateway it uses for the administrative packets exiting the router itself (but I don’t need to control the source address necessarily).

output

I’ve had times where this is ignored. I was unable to force ICMP reply packets, generated at the router, to go out a specific route. I was also unable to mark L2TP tunnel packets, I believe… It seemed like the output route-marking wasn’t working for packets generated in the router. I think there are other posters with the same problem.

Okay, I’m back to this one. I am banging my head against the wall trying to figure out how to get L2TP packets to go back out the same IP they came in on.

192.168.1.2 is the WAN side of the router. Making an L2TP connection to this IP works perfectly, because it is used as the preferred source on the way back out. No problems there.

I would like to allow clients to connect to 10.0.0.1 and 10.0.0.2 as well. What happens, though, is the L2TP handshake doesn’t work because RouterOS is replying with 192.168.1.2. I believe the L2TP server always wants to place the preferred-src address on the packets as they leave the interface.

Okay, I can configure policy routing to mark which IP they came in on and create routing tables for each, but that doesn’t work either. It seems any packets created on the router (output) cannot be route-marked, I think.

Mark the packets for L2TP coming in:

/ip firewall mangle
add chain=prerouting dst-address=10.0.0.1 protocol=udp \
    dst-port=1701 action=mark-packet new-packet-mark=l2tp-1 \
    passthrough=yes comment="" disabled=yes
add chain=prerouting dst-address=10.0.0.2 protocol=udp \
    dst-port=1701 action=mark-packet new-packet-mark=l2tp-2 \
    passthrough=yes comment="" disabled=yes
add chain=prerouting dst-address=192.168.1.2 protocol=udp \
    dst-port=1701 action=mark-packet new-packet-mark=l2tp-242 \
    passthrough=yes comment="" disabled=yes

Then mark the connections:

/ip firewall mangle
add chain=prerouting packet-mark=l2tp-1 action=mark-connection \
    new-connection-mark=l2tp-1-conn passthrough=yes comment="" \
    disabled=yes
add chain=prerouting packet-mark=l2tp-2 action=mark-connection \
    new-connection-mark=l2tp-2-conn passthrough=yes comment="" \
    disabled=yes
add chain=prerouting packet-mark=l2tp-242 \
    action=mark-connection new-connection-mark=l2tp-242-conn \
    passthrough=yes comment="" disabled=yes

Then give them a routing mark:

/ip firewall mangle
add chain=prerouting connection-mark=l2tp-1-conn \
    action=mark-routing new-routing-mark=l2tp-1-route \
    passthrough=yes comment="" disabled=yes
add chain=prerouting connection-mark=l2tp-2-conn \
    action=mark-routing new-routing-mark=l2tp-2-route \
    passthrough=yes comment="" disabled=yes
add chain=prerouting connection-mark=l2tp-242-conn \
    action=mark-routing new-routing-mark=l2tp-242-route \
    passthrough=yes comment="" disabled=yes

And then the routing tables (only the route-marked ones):

ip route> print routing-mark=l2tp-1-route
 #      DST-ADDRESS        PREF-SRC        G GATEWAY
 0 A S  0.0.0.0/0          10.0.0.1    r 192.168.1.1
 1 A S  192.168.1.0/30                  r 192.168.1.2

ip route> print routing-mark=l2tp-2-route
 #      DST-ADDRESS        PREF-SRC        G GATEWAY
 0 A S  0.0.0.0/0          10.0.0.2    r 192.168.1.1
 1 A S  192.168.1.0/30                  r 192.168.1.2
 2 A S  204.16.174.0/24                    r 10.0.0.1

ip route> print routing-mark=l2tp-242-route
 #      DST-ADDRESS        PREF-SRC        G GATEWAY
 0 A S  0.0.0.0/0          192.168.1.2  r 192.168.1.1
 1 A S  192.168.1.0/30                  r 192.168.1.2
 2 A S  204.16.174.0/24                    r 10.0.0.1

The packets leave the router with the WAN IP no matter what, it seems. Is there any way to route-mark output traffic and have it work? We would like to offer bonding services, but being unable to set up more than 1 tunnel isn’t going to work : )

Sam

I think I figured out a workaround… I removed all the mangle and routing stuff above and simply put in dst-nat rules with ‘action=redirect to port 1701’ and it seems to work. I think because the packets came in through the NAT chain they are getting NATed on the way back out appropriately. Cool!

Sam
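The redirect workaround described in the post above, written out as a complete rule set. This is an added example, not the configuration from the post or from MikroTik; the addresses are the ones named in the thread, and the rule comments and the two verification commands are assumptions about how one would check it.

```routeros
# Added example (not the poster's own configuration).
# 10.0.0.1 and 10.0.0.2 are the extra addresses clients should be able to
# reach; UDP/1701 is the L2TP control channel. action=redirect is a dst-nat
# to the router itself, so the connection is recorded in the dstnat chain.
# Connection tracking then reverses that translation on the reply packets,
# so replies leave with the address the client contacted instead of the
# router's preferred source (192.168.1.2). That is the step the mangle
# routing-mark rules could not achieve for router-originated packets.
/ip firewall nat
add chain=dstnat dst-address=10.0.0.1 protocol=udp dst-port=1701 \
    action=redirect to-ports=1701 comment="l2tp via 10.0.0.1"
add chain=dstnat dst-address=10.0.0.2 protocol=udp dst-port=1701 \
    action=redirect to-ports=1701 comment="l2tp via 10.0.0.2"

# Keep each match narrow (one address, one protocol, one port) so the
# redirect cannot pull in unrelated traffic sent to those addresses.

# Check 1: the rule counters should rise while a client connects.
/ip firewall nat print stats where chain=dstnat
# Check 2: the tracked UDP/1701 connection should exist for the address
# the client used, with the reply side translated back to that address.
/ip firewall connection print where protocol=udp dst-address~":1701"
```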

Well, this looks almost my case, which I describe here:
http://forum.mikrotik.com/t/routing-issues-with-multiple-isps/40818/1

When I ping my router from a public address, it doesn’t know where to return the packet, so I get a timeout.

you replied to a 4 year old problem

Well, I wouldn’t exactly call this a problem. I’m sure it’s nothing wrong with MikroTik itself. It’s just complicated configuration issues which, as you can see in that topic, are almost dealt with.