Good day, I have found a problem: an external IP address doesn't ping from a PC whose traffic passes through the mangle rules.
Mangle:
/ip firewall mangle
add action=mark-routing chain=prerouting comment=Asterisk dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=no src-address=192.168.0.247
add action=mark-routing chain=prerouting comment="Evgeniy Panov" dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=no src-address=192.168.0.24
add action=mark-routing chain=prerouting comment=Docker dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=no src-address=192.168.0.239
add action=mark-routing chain=prerouting comment="WiFi users" dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=no src-address=10.1.0.0/16
add action=mark-routing chain=prerouting comment="Sergey Morev" dst-address-list=!WorkSpace new-routing-mark=DOMRU-routing passthrough=no src-address=192.168.0.111
add action=mark-routing chain=prerouting comment=Users dst-address-list=!WorkSpace new-routing-mark=DOMRU-routing passthrough=no src-address=192.168.0.20-192.168.0.110
add action=mark-connection chain=input in-interface=WAN-if1 new-connection-mark=ABV-con passthrough=no
add action=mark-connection chain=input in-interface=WAN-if2 new-connection-mark=DOMRU-con passthrough=no
add action=mark-routing chain=prerouting dst-address-list=!WorkSpace new-routing-mark=ATC passthrough=no src-address=192.168.0.191
add action=mark-routing chain=prerouting dst-address-list=!WorkSpace new-routing-mark=ATC passthrough=no src-address=192.168.0.192
add action=mark-routing chain=prerouting dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=yes src-address=192.168.0.24
add action=mark-routing chain=output connection-mark=ABV-con new-routing-mark=ABV-routing passthrough=no
add action=mark-routing chain=output connection-mark=DOMRU-con new-routing-mark=DOMRU-routing passthrough=no
If we try to ping 89.185.94.241 from 192.168.0.247 it returns:
--- 89.185.94.241 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
If we try to traceroute 89.185.94.241 from 192.168.0.247 it returns:
traceroute to 89.185.94.241 (89.185.94.241), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 *^C
Tracert from 89.185.94.241 to 192.168.0.247 goes to the Internet:
tool traceroute src-address=89.185.94.241 address=192.168.0.247
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 89.185.94.254 0% 1 0.7ms 0.7 0.7 0.7 0
2 89.185.92.33 0% 1 1.1ms 1.1 1.1 1.1 0
3 10.221.221.1 0% 1 0.7ms 0.7 0.7 0.7 0
4 37.60.16.186 0% 1 0.6ms 0.6 0.6 0.6 0
5 195.218.253.241 0% 1 1.7ms 1.7 1.7 1.7 0
6 79.104.245.102 0% 1 29.6ms 29.6 29.6 29.6 0
7 79.104.250.66 0% 1 36ms 36 36 36 0 <MPLS:L=407874,E=0>
8 79.104.226.254 0% 1 32.8ms 32.8 32.8 32.8 0
9 100% 1 timeout
10 0% 1 0ms
The route in network 192.168.0.0 has status DAC.
If we disable the ip route rule
ip route rule print
Flags: X - disabled, I - inactive
0 src-address=89.185.94.241/32 dst-address=0.0.0.0/0 action=lookup table=ABV-routing
1 src-address=89.185.94.175/32 dst-address=0.0.0.0/0 action=lookup table=ABV-routing
2 src-address=109.194.175.23/32 dst-address=0.0.0.0/0 action=lookup table=DOMRU-routing
we see the following result:
tool traceroute 192.168.0.247 src-address=89.185.94.241
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 192.168.0.247 0% 5 0.2ms 0.3 0.2 0.6 0.1
We can see that from the router 192.168.0.247 is reachable by trace, and vice versa:
traceroute to 89.185.94.241 (89.185.94.241), 30 hops max, 60 byte packets
1 89.185.94.241 (89.185.94.241) 0.195 ms 0.258 ms 0.166 ms
But ping doesn't:
--- 89.185.94.241 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2998ms
However, if we disable the mangle rule:
add action=mark-routing chain=prerouting comment=Asterisk dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=no src-address=192.168.0.247
the ping will be successful:
ping 89.185.94.241
PING 89.185.94.241 (89.185.94.241) 56(84) bytes of data.
64 bytes from 89.185.94.241: icmp_seq=1 ttl=64 time=0.318 ms
64 bytes from 89.185.94.241: icmp_seq=2 ttl=64 time=0.169 ms
64 bytes from 89.185.94.241: icmp_seq=3 ttl=64 time=0.200 ms
I suppose that the problem is in the mangle rules, but where?
Echo tests are successful ONLY when the ip route rule and the mangle rule are disabled.
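When a mangle rule is suspected, the first thing to check is which prerouting mark-routing rule a given src/dst pair actually hits and which routing-mark it ends up with. Below is an added Python helper that parses the mangle export from the post and walks the rules in order the way the firewall does (a hit with passthrough=no stops the walk, passthrough=yes lets later rules overwrite the mark). It is example code written for this thread, not the poster's configuration logic and not RouterOS's own matcher. The post does not show the contents of the WorkSpace address list, so the list below is a constructed placeholder; replace it with the real entries before trusting the results.

```python
import ipaddress
import shlex

# Constructed assumption: the post never shows what is in the WorkSpace
# address list. This placeholder lets the matcher run; substitute the real
# /ip firewall address-list entries.
ADDRESS_LISTS = {
    "WorkSpace": [ipaddress.ip_network("192.168.0.0/24"),
                  ipaddress.ip_network("10.1.0.0/16")],
}

# The /ip firewall mangle export copied from the post, unchanged.
MANGLE_EXPORT = """\
add action=mark-routing chain=prerouting comment=Asterisk dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=no src-address=192.168.0.247
add action=mark-routing chain=prerouting comment="Evgeniy Panov" dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=no src-address=192.168.0.24
add action=mark-routing chain=prerouting comment=Docker dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=no src-address=192.168.0.239
add action=mark-routing chain=prerouting comment="WiFi users" dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=no src-address=10.1.0.0/16
add action=mark-routing chain=prerouting comment="Sergey Morev" dst-address-list=!WorkSpace new-routing-mark=DOMRU-routing passthrough=no src-address=192.168.0.111
add action=mark-routing chain=prerouting comment=Users dst-address-list=!WorkSpace new-routing-mark=DOMRU-routing passthrough=no src-address=192.168.0.20-192.168.0.110
add action=mark-connection chain=input in-interface=WAN-if1 new-connection-mark=ABV-con passthrough=no
add action=mark-connection chain=input in-interface=WAN-if2 new-connection-mark=DOMRU-con passthrough=no
add action=mark-routing chain=prerouting dst-address-list=!WorkSpace new-routing-mark=ATC passthrough=no src-address=192.168.0.191
add action=mark-routing chain=prerouting dst-address-list=!WorkSpace new-routing-mark=ATC passthrough=no src-address=192.168.0.192
add action=mark-routing chain=prerouting dst-address-list=!WorkSpace new-routing-mark=ABV-routing passthrough=yes src-address=192.168.0.24
add action=mark-routing chain=output connection-mark=ABV-con new-routing-mark=ABV-routing passthrough=no
add action=mark-routing chain=output connection-mark=DOMRU-con new-routing-mark=DOMRU-routing passthrough=no
"""


def parse_export(text):
    """Turn 'add key=value ...' export lines into dicts; shlex handles quoted comments."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def address_matches(spec, ip):
    """RouterOS src-address forms: single host, CIDR prefix, or first-last range."""
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        first, last = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return first <= ip <= last
    return ip in ipaddress.ip_network(spec, strict=False)


def address_list_matches(spec, ip):
    """A leading '!' negates the list; an unknown list behaves like an empty one."""
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    ip = ipaddress.ip_address(ip)
    hit = any(ip in net for net in ADDRESS_LISTS.get(name, []))
    return hit != negate


def routing_mark(src, dst, rules):
    """Walk prerouting mark-routing rules top to bottom and return the final mark.

    passthrough=no ends the walk at the first hit; passthrough=yes (the RouterOS
    default) keeps going, so a later rule may overwrite the mark. Returns None
    when no rule applies, i.e. the packet is routed in the main table.
    """
    mark = None
    for rule in rules:
        if rule.get("chain") != "prerouting" or rule.get("action") != "mark-routing":
            continue
        if "src-address" in rule and not address_matches(rule["src-address"], src):
            continue
        if "dst-address-list" in rule and not address_list_matches(rule["dst-address-list"], dst):
            continue
        mark = rule["new-routing-mark"]
        if rule.get("passthrough", "yes") != "yes":
            break
    return mark


RULES = parse_export(MANGLE_EXPORT)

if __name__ == "__main__":
    for src, dst in [("192.168.0.247", "89.185.94.241"),
                     ("192.168.0.247", "192.168.0.1"),
                     ("192.168.0.50", "8.8.8.8")]:
        print(f"{src} -> {dst}: routing-mark={routing_mark(src, dst, RULES)}")
```

With the placeholder list, the flow from the post (192.168.0.247 to the router's own WAN address 89.185.94.241) gets the ABV-routing mark just like any Internet destination, because the WAN address is not in WorkSpace. Whatever the real list contains, running the pair through this matcher tells you whether the Asterisk rule fires for that destination, which is the single fact the disable/enable experiment in the post is narrowing down.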