Hi all,
I followed TNB’s tutorial[1] to configure Mullvad on a freshly purchased L009. Did it as described, ending up with two entries in the main route list:
0.0.0.0/0 →
WireGuard Endpoint → <ISP’s gateway>
So far so good.
In between, I figured out that a mangle rule could be the key to excluding one particular local host from going through the VPN.
I’ve created:
a new routing table “foo” (FIB is checked)
a mangle rule: chain prerouting, src: 0.0.0.0/0 or the host’s IP or the LAN subnet, dst: 0.0.0.0/0, src MAC address: <host’s MAC address>, action: mark routing, new routing mark: “foo”
a new route in route table “foo”: dst address 0.0.0.0/0, gateway: <ISP’s gateway>
The traffic is routed as desired, but it’s incredibly slow (max. 1 Mbit/s instead of 100+).
What am I doing wrong? Thx for all ideas!
update: I tried it vice versa, mangling into the VPN, but it’s still not full speed.
update: It seems the solution was disabling the defconf fasttrack rule. Could someone please explain the correlation and possible impact? Thx in advance!
In short: the fasttrack firewall filter rule marks a connection for fasttracking, and subsequent packets of that connection (most of them) then bypass the vast majority of packet processing stages, including the mangle subsystem. This means that with the fasttrack rule enabled[*], most packets will not get mangled and will thus (in your case) exit the router via the wrong WAN interface, where they will likely be dropped. Only a fraction will manage to go via the correct route, and hence heavy retransmissions will happen.
[*] It is possible to exempt packets that have to be mangled from being fasttracked. Either construct a firewall filter rule that accepts the packets which are then mangled and place that rule above the fasttrack rule (you can have multiple such rules if necessary), or adjust the fasttrack rule to skip the packets which have to be mangled … then the next rule (in the default config) will accept them.
a. Don’t mangle; use routing rules with a table instead. (What I would do.)
b. If mangling, ensure that in the connection-mark rule you state connection-mark=no-mark as one of the arguments.
Then in the fasttrack rule add connection-mark=no-mark at the end.
No need to turn fasttrack off, even if mangling!
Routing Rules can be used in many cases instead of mangling.
The general rule of thumb is: if you have a whole subnet/VLAN, a few subnets/VLANs, one user or a few users to deal with, use routing rules.
If you have a large number of users, but not a whole subnet, or a group of users from various subnets/VLANs, mangling makes more sense.
If you need to describe the users by firewall address list, then mangling is the only option.
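Putting the two suggestions above into RouterOS v7 CLI form, as an added example that was not posted by anyone in this thread. The addresses are assumed for illustration: LAN 192.168.88.0/24, the host to keep off the VPN at 192.168.88.50 with MAC AA:BB:CC:DD:EE:01, the ISP gateway at 192.0.2.1, and the connection-mark name bypass-vpn. Approach a (routing rule) never touches mangle, so the fasttrack rule can stay exactly as shipped; approach b (mangle) marks the connection once and then exempts marked connections from fasttrack, so later packets still reach the mark-routing rule instead of leaving via the WireGuard default route.

```routeros
# Added example, not from the thread. Assumed values: LAN 192.168.88.0/24,
# excluded host 192.168.88.50 / AA:BB:CC:DD:EE:01, ISP gateway 192.0.2.1,
# routing table "foo", connection mark "bypass-vpn".

# --- Common to both approaches: the extra table and its default route via the ISP ---
/routing table
add name=foo fib
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=foo comment="bypass VPN via ISP"

# --- Approach a: routing rule, no mangle (fasttrack unaffected) ---
# Routing rules are consulted before the main table for every new flow.
# lookup-only-in-table means this host never falls back to main, i.e. never
# picks up the WireGuard 0.0.0.0/0 route even if table "foo" loses its route.
/routing rule
add src-address=192.168.88.50/32 action=lookup-only-in-table table=foo comment="bypass VPN"

# --- Approach b: mangle with a connection mark, exempted from fasttrack ---
/ip firewall mangle
# 1) Mark the connection on its first packet only (connection-mark=no-mark),
#    matched by the host's MAC so a changed DHCP lease does not matter.
add chain=prerouting src-mac-address=AA:BB:CC:DD:EE:01 connection-mark=no-mark \
    action=mark-connection new-connection-mark=bypass-vpn passthrough=yes
# 2) Apply the routing mark to every packet of that connection.
add chain=prerouting connection-mark=bypass-vpn \
    action=mark-routing new-routing-mark=foo passthrough=no

/ip firewall filter
# 3) Restrict the existing fasttrack rule (defconf: "fasttrack-connection" in
#    chain forward) to unmarked connections. Marked ones keep going through
#    mangle on every packet; the following defconf "accept established,related"
#    rule still accepts them.
set [find action=fasttrack-connection] connection-mark=no-mark

# --- Checks: counters should climb on the mangle rules, and the exempted
#     connection should show its mark while speed tests from the host run ---
/ip firewall mangle print stats
/ip firewall connection print where connection-mark=bypass-vpn
/routing rule print
```

Pick one approach, not both: with the routing rule in place the mangle rules are redundant. If more hosts need the bypass later, approach b is the one that scales to an address list (the point made in the last reply), and the same connection-mark=no-mark exemption on the fasttrack rule keeps working for all of them.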