How do I policy route traffic from the firewall itself?

I'm trying to send specific traffic that originates from the firewall itself over a tunnel. In this case it's standard DNS traffic (i.e., UDP 53), but it could be anything else later as I make further progress setting up the firewall, which is a little confusing; ${Ref1}="the documentation is both ambiguous and incomplete", all three versions of it ({wiki|help|manual}.mikrotik.com), so maybe I'd have better luck with other users, I thought.

Could you assist me with this and with policy routing in general, I suppose.

I'm not that much of a lost case, I know how to policy route in pfSense (and its orange twin), in OpenWRT, and in the GUI-less VyOS, and I knew how to do it in generic Linux (though I forgot since then), so you don't have to dumb it down that much, but I still need help, nevertheless.

Currently I'm doing policy routing, mostly by accident/luck, I think, because ${Ref1}; it seems to work most of the time, but sometimes it doesn't.

First there's that FIB checkbox; all non-Mikrotik guides I've found say to check it because it makes the table available to the system. But in the documentation it isn't even addressed at all. Instead, tables are set up with some sort of [unexplained] link to the main table[1], both with the same route. I found that the route still works with the FIB checkbox unchecked.

The next doubt I have about my setup is whether I may be hitting a limit; the Mangle | RouterOS Manual says that there's a 4096 hard limit on packet marks. But the section is called Marking Connections, itself another type of mark, and mark routing is yet another[2].

The method I'm using is not routing rules but the one above, specifically mark routing in mangle rules to control the exit of the traffic by selecting a routing table at the prerouting stage, but this is forwarded traffic; there's no prerouting stage/chain when the traffic comes from the firewall itself.

Somehow I think postrouting may not be it either, because it's also for forwarded traffic, which goes through postrouting as well.

I'm reading the documentation again, but I'm going through all of it, even the unrelated parts, because that's where the caveats are usually hidden, so it'll be a long time before I make it through that again.

Any guidance either detailed or big picture is much appreciated. Thanks!


  1. See ${Ref1}

  2. See ${Ref1}

The documentation obviously could be better. While simpler things are explained in an approachable manner, more advanced topics sort of assume (I guess) that you're already intimately familiar with the way Linux does things, and only describe Mikrotik's implementation. As always, it could be better.

The "wiki." one is mostly about the older v6 version of the software, which is based on a significantly older kernel; I think "help." is the current official one, and there is currently a move to "manual.", which I think is still a work in progress.

Anyway, you should study the packet flow diagram, both the official one ("Packet Flow in RouterOS - RouterOS - MikroTik Documentation") and the unofficial one ("The ultimate Mikrotik iptables flowchart").

Yes, this is a Cisco-ism. Check it.

It is mangle/output.

Both forwarded and from-the-router (output) packets go through postrouting. But postrouting happens, well, post routing, so in that step the routing decision (as it was already made) cannot be influenced.

EDIT: As for limits: yes, there are three types of marks (packet - only for the singular packet, mostly used in queueing, connection - persistent for the tracked connection and routing) and all have limits. For routing marks, I believe the current limit is 1024. Maybe 1023... But you're definitely not at the limit.
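Putting the points from this reply together (fib flag on the table, marking router-originated traffic in the output chain rather than prerouting), here is an added RouterOS v7 CLI example; it is not from the thread or from MikroTik's documentation. The interface name `wg-tunnel`, the table name `via-tunnel` and the interface list `LAN` are assumed placeholders.

```routeros
# Added example, not part of the original thread. Assumes RouterOS v7,
# a tunnel interface named "wg-tunnel" and an interface list named "LAN".

# 1. A second routing table. The fib flag installs the table in the kernel's
#    forwarding table so it is actually used for the routing decision.
/routing table add name=via-tunnel fib

# 2. A default route that lives only in that table and points into the tunnel.
/ip route add dst-address=0.0.0.0/0 gateway=wg-tunnel routing-table=via-tunnel

# 3. Traffic the router itself originates never passes prerouting, so the
#    routing mark has to be applied in the output chain. Here: the router's
#    own DNS queries (UDP 53). passthrough=no stops further mangle processing.
/ip firewall mangle add chain=output protocol=udp dst-port=53 action=mark-routing new-routing-mark=via-tunnel passthrough=no comment="router's own DNS via tunnel"

# 4. Forwarded client traffic for the same purpose is marked in prerouting,
#    before the routing decision for forwarded packets is made.
/ip firewall mangle add chain=prerouting in-interface-list=LAN protocol=udp dst-port=53 action=mark-routing new-routing-mark=via-tunnel passthrough=no comment="LAN clients' DNS via tunnel"

# 5. Checks: the route must show up in the new table, and the output-chain
#    rule's counters must increase when the router resolves a name.
/ip route print where routing-table=via-tunnel
/ip firewall mangle print stats where chain=output
```

If the mangle output rule's packet counter stays at zero while the router keeps resolving names, the router's own lookups are still leaving through the main table, which is exactly the leak this setup is meant to prevent; step 5 is the quickest way to tell the two cases apart.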

Thank you-thank you-thank you!

I'm not sure I'm not at a limit though. I run a ton of servers including bittorrent, but at least I have certainty on essential things now, I should be able to figure it out now that I don't have to solve additional missing pieces.

Those diagrams are really nice, BTW. Thanks for sharing and thanks again for answering!

Glad to help.

You're certainly not at the limit for routing marks, because creating one routing table adds exactly one routing mark.

As to the number of connections that can be tracked at once, there is also a limit. This can be observed with the command /ip firewall connection tracking print, specifically the total-entries and max-entries fields. (This is one of the operations best done using the CLI.) Mikrotiks are fairly good at having adequate conntrack table sizes; it's mostly other manufacturers that cheap out on adding the necessary amount of RAM.

Could you more accurately describe the traffic flow, from the user perspective: who or what is leaving the router, and for what purpose?

https://www.youtube.com/watch?v=ECRjxpb5IgE

https://www.youtube.com/watch?v=Cn22WiS98zk&pp=ygUMbWlrcm90aWsgdG9y

By the way, the standard way to do this for DNS is to simply specify the upstream DNS servers in the form of "8.8.8.8@mytunnelvrf". This has been available in newer versions of RouterOS for some time now, I don't recall from which version exactly.

And before you ask, most commonly you should use VRFs instead of adding additional "bare" routing tables for these scenarios. (Unfortunately the documentation for this is even more sparse, and it's harder to come by examples on the forum as well, but it's kind of clear that this is going to be the supported way going forward.) VRFs have their own routing tables by default. If you have additional needs, VRFs (or more correctly, their associated routing tables) can be mangled into and out of freely using mangle rules.
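As an added example of the VRF-based approach this reply recommends (not code from the thread or from MikroTik), the same goal, router-originated DNS via the tunnel, done with a VRF and the `server@vrf` form mentioned above. The VRF name `tunvrf`, the tunnel interface `wg-tunnel` and the resolver address are assumed placeholders; the exact RouterOS version that introduced the `@vrf` DNS syntax is not stated in the thread.

```routeros
# Added example, not part of the original thread. Assumes RouterOS v7 with
# a tunnel interface named "wg-tunnel".

# 1. A VRF. Putting the tunnel interface into it creates a routing table of the
#    same name (with fib) and moves the interface's connected routes there.
/ip vrf add name=tunvrf interfaces=wg-tunnel

# 2. Default route inside the VRF's own table, pointing into the tunnel.
/ip route add dst-address=0.0.0.0/0 gateway=wg-tunnel routing-table=tunvrf

# 3. For DNS specifically, no mangle rule is needed: name the upstream
#    resolver with the VRF suffix and the router's own queries use that VRF.
/ip dns set servers=8.8.8.8@tunvrf

# 4. Other router-originated traffic can still be steered into the VRF's
#    table from the mangle output chain, exactly as with a bare table.
/ip firewall mangle add chain=output protocol=tcp dst-port=443 action=mark-routing new-routing-mark=tunvrf passthrough=no comment="router's own HTTPS via VRF"

# 5. Checks: the VRF table should hold the default route, and the DNS
#    configuration should show the resolver with its VRF suffix.
/ip route print where routing-table=tunvrf
/ip dns print
```

The practical difference from a bare routing table is that the VRF also owns the interface, so replies to the router's own queries come back through the same VRF rather than relying on the main table to find a return path.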