Mangle & Routing RoS 7

Hello everybody!

I have RouterOS 7.17rc3 (I also tried the latest OS).
The main purpose of the router is NAT and routing traffic.

The router has 1 default route via ether1 (static route) and 1 VPN connection.
My task is: route traffic to the listed resources (which change dynamically with DNS) via the VPN connection.

Everything works fine if I set up a Route Rule with src_ip and a routing table.
But if I want to use Mangle (src_address list, dst_address list), it does not work.

How do I fix this?

My current config is:

[dline-local@r-nat.dl-net.ru] > /export
# 2024-12-18 17:26:13 by RouterOS 7.17rc3
# system id = XxmLaV5VF4G
#

/ip vrf
add disabled=yes interfaces=vpn-de name=openai
/routing table
add disabled=no fib name=VPN

/ip firewall address-list
add address=api.openai.com list=route_to_vpn


/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=route_to_vpn log=yes log-prefix="MARK CONNECTION OUT" new-connection-mark=conn-VPN
add action=mark-routing chain=prerouting connection-mark=conn-VPN connection-state="" dst-address-list=route_to_vpn log=yes log-prefix="MARK ROUTE OUT" new-routing-mark=VPN \
    passthrough=no
add action=mark-connection chain=prerouting in-interface=vpn-de log=yes log-prefix="MARK CONN IN" new-connection-mark=incoming-VPN
add action=mark-routing chain=prerouting connection-mark=incoming-VPN in-interface=vpn-de log=yes log-prefix="MARK ROUTE IN" new-routing-mark=main passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="OUT (Mangle)" log=yes log-prefix="NAT MANGLE" out-interface=vpn-de
add action=src-nat chain=srcnat comment=OUT dst-address=!10.0.0.0/8 log-prefix="NAT REG" out-interface=public src-address-list=!dedicated-white-ip to-addresses=white_ip

/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=white_ip pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.20.0.0/16 gateway=10.20.1.65 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=20 dst-address=0.0.0.0/0 gateway=192.168.41.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 vrf-interface=vpn-de
add disabled=no dst-address=0.0.0.0/0 gateway=vpn-de routing-table=VPN suppress-hw-offload=no
add disabled=no distance=1 dst-address=1.0.0.1/32 gateway=vpn-de pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

My logs:

r-nat: MARK CONNECTION OUT prerouting: in:nat out:(unknown 0), connection-state:new src-mac 42:fa:40:e4:85:ac, proto TCP (SYN), 10.20.5.154:46153->172.66.0.243:443, len 60

r-nat: MARK ROUTE OUT prerouting: in:nat out:(unknown 0), connection-mark:conn-VPN connection-state:new src-mac 42:fa:40:e4:85:ac, proto TCP (SYN), 10.20.5.154:46153->172.66.0.243:443, len 60

r-nat: VPN NAT LOG srcnat: in:nat out:vpn-de, connection-mark:conn-VPN connection-state:new src-mac 42:fa:40:e4:85:ac, proto TCP (SYN), 10.20.5.154:46153->172.66.0.243:443, len 60

r-nat: MARK CONN IN prerouting: in:vpn-de out:(unknown 0), connection-mark:conn-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

r-nat: MARK ROUTE IN prerouting: in:vpn-de out:(unknown 0), connection-mark:incoming-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

r-nat: MARK CONNECTION OUT prerouting: in:nat out:(unknown 0), connection-mark:incoming-VPN connection-state:established,snat src-mac 42:fa:40:e4:85:ac, proto TCP (SYN), 10.20.5.154:46153->172.66.0.243:443, NAT (10.20.5.154:46153->192.168.41.50:46153)->172.66.0.243:443, len 60

r-nat: MARK ROUTE OUT prerouting: in:nat out:(unknown 0), connection-mark:conn-VPN connection-state:established,snat src-mac 42:fa:40:e4:85:ac, proto TCP (SYN), 10.20.5.154:46153->172.66.0.243:443, NAT (10.20.5.154:46153->192.168.41.50:46153)->172.66.0.243:443, len 60

r-nat: MARK CONN IN prerouting: in:vpn-de out:(unknown 0), connection-mark:conn-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

r-nat: MARK ROUTE IN prerouting: in:vpn-de out:(unknown 0), connection-mark:incoming-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

r-nat: MARK CONN IN prerouting: in:vpn-de out:(unknown 0), connection-mark:incoming-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

r-nat: MARK ROUTE IN prerouting: in:vpn-de out:(unknown 0), connection-mark:incoming-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

Can anybody help me?

I would if I could understand what you were rambling about. I have no clue as to what you are trying to accomplish.

a. identify users/devices, groups of users/devices, including external and internal and admin
b. identify what traffic each needs
c. identify any VPN traffic or port forwarding traffic
d. discuss WANs: how many, types, static/dynamic, public/private, purpose… and usage of each
e. network diagram helpful.
f. full config, not snippets.

Hello!

  1. All devices from LAN (10.0.0.0/8)
  2. Traffic to api.openai.com via the VPN connection, all other traffic via the default gateway
  3. ?
  4. 3 ethernet connections (public, lan, lan-2). We have 10 IPs from different subnets on the public interface, all of them are static.


Downgraded to RouterOS 6.49.18 (but I also have the same problem).
Full config here:
[dline-local@r-nat.dl-net.ru] > /export
# mar/01/2025 19:18:33 by RouterOS 6.49.18
# software id = 
#
#
#
/interface ethernet
set [ find default-name=ether2 ] disable-running-check=no name=nat
set [ find default-name=ether1 ] disable-running-check=no name=public
set [ find default-name=ether3 ] disable-running-check=no name=vmbr0.vlan3004
/interface list
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface sstp-client
add connect-to=vpn-server.com disabled=no max-mtu=1450 name=vpn-de password=password profile=default-encryption user=\
    user
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/ip settings
set max-neighbor-entries=7168 rp-filter=strict tcp-syncookies=yes
/ip address
add address=10.20.1.66/27 interface=nat network=10.20.1.64
add address=45.130.150.31/24 comment=drh-node-01.dline-media.com interface=public network=45.130.150.0
add address=45.130.150.32/24 comment=drh-node-02.dline-media.com interface=public network=45.130.150.0
add address=45.130.150.30/24 comment=drh-connect.dline-media.com interface=public network=45.130.150.0
add address=45.130.150.33/24 comment=drh-node-03.dline-media.com interface=public network=45.130.150.0
add address=45.130.150.2/24 comment="NAT OUT" interface=public network=45.130.150.0
add address=45.130.150.200/24 comment=dci-manager interface=public network=45.130.150.0
add address=45.130.150.27/24 comment=bill.dline-media.com interface=public network=45.130.150.0
/ip dhcp-client
add add-default-route=no disabled=no interface=vmbr0.vlan3004 use-peer-dns=no
/ip dns
set servers=10.20.3.34
/ip firewall address-list
add address=45.130.150.0/24 list=DL-PUBLIC-IP
add address=88.151.117.0/24 list=DL-PUBLIC-IP
add address=api.openai.com list=route_to_vpn
add address=10.0.0.0/8 list=BOGON

/ip firewall mangle
add action=mark-connection chain=prerouting comment="from LAN" dst-address-list=route_to_vpn log=yes log-prefix="MC from LAN" new-connection-mark=conn-vpn passthrough=yes \
    src-address=10.0.0.0/8
add action=mark-routing chain=prerouting connection-mark=conn-vpn in-interface=!vpn-de log=yes log-prefix="MR (by MC)" new-routing-mark=to-vpn passthrough=no
add action=mark-connection chain=prerouting comment="from VPN" in-interface=vpn-de log=yes log-prefix="MC from VPN" new-connection-mark=conn-vpn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn-vpn log=yes log-prefix="MR (by MC out)" new-routing-mark=to-vpn passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="OUT (vpn)" connection-mark=conn-vpn log=yes log-prefix=MASQ out-interface=vpn-de to-addresses=45.130.150.2
add action=src-nat chain=srcnat comment=OUT dst-address=!10.0.0.0/8 log-prefix="NAT REG" out-interface=public src-address-list=!dedicated-white-ip to-addresses=45.130.150.2
/ip route
add distance=1 gateway=vpn-de routing-mark=to-vpn
add distance=1 gateway=45.130.150.1
add comment="waf via r-fw" distance=1 dst-address=10.16.4.0/23 gateway=10.20.1.65
add distance=1 dst-address=10.16.4.28/32 gateway=vmbr0.vlan3004
add distance=1 dst-address=10.20.0.0/16 gateway=10.20.1.65
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/8
set api address=10.0.0.0/8
set winbox address=10.0.0.0/8
set api-ssl disabled=yes
/snmp
set contact=info@dline-media.com enabled=yes location=r-nat trap-generators="" trap-version=2
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=r-nat.dl-net.ru
/system logging
set 0 action=remote prefix=r-nat
set 1 action=remote prefix=r-nat
set 2 action=remote prefix=r-nat
set 3 action=remote prefix=r-nat
add action=echo topics=critical
add disabled=yes topics=!account
add prefix=r-nat topics=info
/system note
set show-at-login=no
/system package update
set channel=long-term
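
The following is an added example, not a reply from the thread and not the poster's own config. It shows the minimal v7-syntax mangle/routing setup for sending traffic to a DNS-resolved address list through a VPN, with the two points in the posted configs that a practitioner would check first: the second pair of mangle rules in the 6.49 export gives VPN replies the to-vpn routing mark as well, so they are routed back out through the VPN instead of to the LAN; and rp-filter=strict from /ip settings discards a reply arriving on vpn-de when the main table reaches its source (172.66.0.243) via public, which is consistent with the logs above where the SYN,ACK is seen in prerouting on vpn-de and the client then retransmits its SYN. Interface names (nat, vpn-de), the list name route_to_vpn, the table name to-vpn, the mark name conn-vpn and the BOGON list are taken from the posted exports; the filter rule at the end is an assumption added here to keep anti-spoofing on the public side once strict mode is relaxed.

```routeros
# Added example, v7 syntax (not from the thread). Assumed names: LAN interface
# "nat", VPN interface "vpn-de", list "route_to_vpn", table "to-vpn",
# connection mark "conn-vpn", address list "BOGON".

# 1. The routing table the routing mark refers to. It needs only a default
#    route through the VPN; unmarked traffic keeps using main.
/routing table
add name=to-vpn fib
/ip route
add dst-address=0.0.0.0/0 gateway=vpn-de routing-table=to-vpn

# 2. An FQDN in an address list is resolved by the router itself and kept as
#    dynamic entries. Caveat: the router and the LAN clients must get the same
#    DNS answers (CDN names rotate), otherwise a client connects to an address
#    that is not on the list and the connection never gets marked.
/ip firewall address-list
add address=api.openai.com list=route_to_vpn

# 3. Mark the connection once, on its first packet from the LAN, and apply the
#    routing mark only to packets that arrive from the LAN. Replies coming in
#    on vpn-de keep the connection mark but must not be routing-marked: the
#    to-vpn table only has a default route via vpn-de, so a marked reply to
#    10.20.5.154 would be sent back out through the VPN.
/ip firewall mangle
add chain=prerouting in-interface=nat src-address=10.0.0.0/8 \
    dst-address-list=route_to_vpn connection-state=new \
    action=mark-connection new-connection-mark=conn-vpn passthrough=yes
add chain=prerouting in-interface=nat connection-mark=conn-vpn \
    action=mark-routing new-routing-mark=to-vpn passthrough=no

# 4. Source NAT for traffic leaving through the VPN. masquerade ignores
#    to-addresses; it always uses the address of the outgoing interface.
/ip firewall nat
add chain=srcnat out-interface=vpn-de action=masquerade

# 5. Reverse-path filtering. strict discards a packet when the main table does
#    not route its source back through the arrival interface; with replies for
#    172.66.0.243 arriving on vpn-de while main points at public, that is the
#    check the reply fails. loose still drops sources with no route at all;
#    keep the explicit spoofing drop on the public side (place it above any
#    accept rules in the forward chain).
/ip settings
set rp-filter=loose
/ip firewall filter
add chain=forward in-interface=public src-address-list=BOGON action=drop
```

Two checks go with this. `/ip firewall address-list print where list=route_to_vpn` shows the dynamic entries the router actually resolved for the name, which is what the mangle rule matches against; if the client's resolver returned a different A record, the connection will not appear in the mangle counters at all. And `/tool sniffer quick interface=nat ip-address=10.20.5.154` run while the client retries shows whether the SYN,ACK that was logged on vpn-de ever reaches the LAN side; if it does not, the packet is being discarded between prerouting and forwarding, which is where rp-filter acts. On 6.49 the same layout applies, except that there is no /routing table entry and the VPN default route is written as `add gateway=vpn-de routing-mark=to-vpn`.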

Sorry, one cannot mangle traffic by websites, this is not a DPI capable RoS/device.
You can mangle by interface, by IP, by port/protocol but not by .com

@Dlinr:

please DO USE proper code tags otherwise we have to scroll dozens of screens of code.
There are not too many buttons in the editor. I’m sure that you have checked them all.
[screenshot attachment: Zrzut ekranu 2025-03-01 165533.png]