Mangle not working as expected

Hello everyone,
maybe you can help me understand how mangle works on ROS 7.
I need to forward traffic from 2 internal hosts to a specific public IP (A.B.C.D) via VPN instead of the internet.
So I created a new route table "verso_VPN" and some mangle rules:

/ip firewall mangle
add action=mark-connection chain=input comment="packets from VPN must go out via VPN" in-interface=l2tp-padova new-connection-mark=Connessione_VPN passthrough=no
add action=mark-routing chain=output comment="packets for VPN" connection-mark=Connessione_VPN new-routing-mark=verso_VPN passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=l2tp-padova new-connection-mark=DA_VPN_A_LAN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=DA_VPN_A_LAN new-routing-mark=verso_VPN passthrough=yes src-address-list=GRUPPO_DISPOSITIVI_VOIP

I created

/ip firewall address-list
add address=192.168.1.65 comment="Gateway 2N" list=GRUPPO_DISPOSITIVI_VOIP
add address=192.168.1.150 comment="Gateway Patton" list=GRUPPO_DISPOSITIVI_VOIP


/ip route
add check-gateway=ping destination=A.B.C.D/32 comment="routes transiting VPN" distance=1 gateway=l2tp-padova routing-mark=verso_VPN

Traffic to A.B.C.D is still going out via the default route 0.0.0.0/0 instead of this specific one.
It seems that the route is ignoring the routing table.
If I set

/ip route
add check-gateway=ping destination=A.B.C.D/32 comment="routes transiting VPN" distance=1 gateway=l2tp-padova

packets are forwarded via VPN.

My need is to limit that behaviour only to specific internal LAN hosts.

Thank you

Did you disable the fasttrack rule?

Why not scrap the mangling idea and try another method?

a. add table.
/routing table
add name=useVPN fib

b. add route
/ip route
add dst-address=0.0.0.0/0 gateway=<VPN gateway IP or interface name> routing-table=useVPN

c. add routing rules.
/routing rule
add src-address=host1 action=lookup-only-in-table table=useVPN
add src-address=host2 action=lookup-only-in-table table=useVPN
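The three steps above, written out as one complete ROS 7 config. This is an added example, not the poster's own commands: it reuses the names from the question (interface l2tp-padova, table verso_VPN, the two VoIP gateway addresses) and goes one step beyond the reply by restricting both the route and the routing rules to the single public destination A.B.C.D, which is what the question asked for, instead of sending all traffic of those hosts through the tunnel.

```routeros
# Added example (not from the thread): routing-rules approach for two LAN
# hosts that must reach one public address via the L2TP tunnel.
# A.B.C.D is the public destination from the question; replace it.

# a. Routing table with its own FIB (required in ROS 7 before a route or
#    a routing mark can refer to it).
/routing table
add name=verso_VPN fib

# b. Route inside that table. Only the one /32 is routed via the tunnel,
#    so if the tunnel is down (check-gateway=ping) nothing else breaks.
/ip route
add dst-address=A.B.C.D/32 gateway=l2tp-padova routing-table=verso_VPN check-gateway=ping comment="routes transiting VPN"

# c. Routing rules: consult verso_VPN only for these two sources and only
#    for this destination. All other traffic from the same hosts keeps
#    using the main table, so the rule cannot accidentally widen the scope.
/routing rule
add src-address=192.168.1.65/32 dst-address=A.B.C.D/32 action=lookup-only-in-table table=verso_VPN comment="Gateway 2N"
add src-address=192.168.1.150/32 dst-address=A.B.C.D/32 action=lookup-only-in-table table=verso_VPN comment="Gateway Patton"

# Checks: the route must show as active (flag A) in its table, and the
# rules must appear in the order they were added.
/ip route print where routing-table=verso_VPN
/routing rule print
```

Because the rules use `lookup-only-in-table`, a host whose tunnel route is inactive gets no fallback to the main table for A.B.C.D; that is the intended fail-closed behaviour here, since the point was that this destination must never be reached over the plain internet. If a fallback is wanted instead, `action=lookup` consults the main table when the named table has no matching route.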

I don’t see any fasttrack rule set.

Thank you, routing rules worked like a charm!

Your forward chain filter rules should look something like this and in this order.

{forward chain}
(default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin added rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward

Original config should work for VPN->GRUPPO_DISPOSITIVI_VOIP connections, but not for GRUPPO_DISPOSITIVI_VOIP->VPN connections, because route marking rule requires connection mark that’s only assigned to VPN->GRUPPO_DISPOSITIVI_VOIP connections.
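For anyone who wants to keep the mangle approach rather than switch to routing rules, here is what the marking looks like when it is done in the direction the reply above says is missing (LAN VoIP host to A.B.C.D). This is an added example, not config from the thread; it assumes the names from the question (address list GRUPPO_DISPOSITIVI_VOIP, interface l2tp-padova, table verso_VPN), uses a connection mark name of my own (VOIP_VERSO_VPN), and A.B.C.D stands for the public destination.

```routeros
# Added example (not from the thread): connection and routing marks set on
# the LAN -> A.B.C.D direction, which the original rules never marked.

# The routing mark must name an existing ROS 7 routing table.
/routing table
add name=verso_VPN fib

/ip route
add dst-address=A.B.C.D/32 gateway=l2tp-padova routing-table=verso_VPN check-gateway=ping

/ip firewall mangle
# 1. The first packet of a new connection from a VoIP host to A.B.C.D is
#    seen in prerouting; mark the connection once (connection-mark=no-mark
#    stops re-marking on every later packet).
add chain=prerouting connection-mark=no-mark src-address-list=GRUPPO_DISPOSITIVI_VOIP dst-address=A.B.C.D action=mark-connection new-connection-mark=VOIP_VERSO_VPN passthrough=yes
# 2. Every packet of that connection heading to A.B.C.D gets the routing
#    mark before the routing decision. Matching dst-address here keeps the
#    reply packets (VPN -> LAN) on the main table.
add chain=prerouting connection-mark=VOIP_VERSO_VPN dst-address=A.B.C.D action=mark-routing new-routing-mark=verso_VPN passthrough=no

# Fasttracked packets bypass mangle entirely, so the defconf fasttrack
# rule (see the forward-chain order above) must leave marked connections
# alone; the usual way is to fasttrack only unmarked connections.
/ip firewall filter
set [find comment="defconf: fasttrack"] connection-mark=no-mark

# Check: the connection should carry the mark and the packet counters of
# the two mangle rules should increase while the VoIP host talks to A.B.C.D.
/ip firewall connection print where connection-mark=VOIP_VERSO_VPN
/ip firewall mangle print stats
```

The difference from the original rules is the chain and the direction: the original marked connections only when they entered from l2tp-padova (input and forward chains), so a connection that a LAN host opened towards A.B.C.D never received a mark and its packets were routed from the main table.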