Mangle, Routing Marks, Interface matching in v3.6-3.9

airstream · March 26, 2008, 6:35am

After Upgrading our main MT Router to v3.6 some mangle rules that existed in 2.9.51 cannot be installed to v3.6.

Our network gateway router has two wan Ethernet interfaces and a lan interface. All internet data from the lan is masqueraded to the default routes (wan1 wan2)

chain=srcnat action=masquerade src-address=10.0.0.0/8

but wan2 gateway route requires a routing mark.

Routing marks are simply added by mangle rules that match to IP addresses from LAN

chain=prerouting action=mark-routing new-routing-mark=Even passthrough=no src-address=10.0.0.22

However since wan2 will only route data to the internet that has a packet mark the router itself cannot respond to ping requests etc from the internet from wan2 (the reply from the MT will not go out through wan2 because the reply packets lack routing marks)

In 2.9.51 you could have a mangle rule:

chain=forward action=mark-routing new-routing-mark=Even passthrough=no out-interface=WAN2 dst-address=0.0.0.0/0

which would catch all data destined to go out wan2 and ensure it had the correct routing mark to be routed out the wan2 gateway. With this enabled in v2.9.51 the router could respond to requests perfectly on wan2.

when upgrading to 3.6 all existing mangle rules (in fact all other settings) were imported etc but the above mangle rule from 2.9.51 was missing. So I tried to enter it manually to the newly upgraded 3.6 and…

[admin@MTKROUTER] /ip firewall mangle> add chain=forward action=mark-routing new-routing-mark=Even passthrough=no out-interface=WAN2 dst-address=0.0.0.0/0
failure: routing-mark allowed only in output and prerouting chains
[admin@MTKROUTER] /ip firewall mangle>

Is this a bug? or is it now by v3 design that we can no longer catch outgoing interfaces and apply routing marks so that they leave (routed) through the correct Ethernet interface.

I have tried many different workarounds in the last 24hrs, including other mangle rules to mark packets followed by another mangle rule to get those marked packets and mark the routing on them. So far no success.

Any ideas?

mrz · March 26, 2008, 9:30am

In v3.x routing marks are valid only in prerouting and output chains.

gacopl · March 27, 2008, 9:44am

Do the same but on output chain this should help, i do mark-routing on output chain and set a src-address filter to the public ip MT has, and then when you ping that MT from the world it responds, however this rule doesn’t make MT to use this routing mark to get outside (ie when you do ping yahoo.com from wibox this rule won’t make him use this route)

B/R
Michal

airstream · March 28, 2008, 3:26am

Ok, Many thanks for your suggestion. I have come to this configuration that seems to work.

chain=prerouting action=mark-connection new-connection-mark=Even passthrough=yes in-interface=WAN2

So here I am marking all connections that come in from WAN2, then checking all outbound packets for this connection mark. If it has this connection mark then the rule below will add the correct WAN2 routing mark.

chain=output action=mark-routing new-routing-mark=Even passthrough=no connection-mark=Even

gacopl · March 28, 2008, 10:05am

Your welcome

airstream · May 20, 2008, 8:34pm

Ok, this just wont work. Version 3 will not let you add a routing mark that go out a particular interface. Its simply broken.

We have rolled back to 2.9.51 (again) because you CAN add route marks prior to leaving on a particular interface in that version.

When will this be fixed fo v3? no workarounds have a 100% success in this.

changeip · May 21, 2008, 3:00am

once a packet has determined and out-interface its too late to change that with a routing mark.

airstream · May 21, 2008, 4:51am

So it seems with V3.

macgaiver · May 21, 2008, 12:18pm

Same in 2.8 and in 2.9! if you place packet mark rules in other chains it can be used only for furder matching in other chains - so basically it was useless, and it was not working.