Hi. I got censorship in my country and I have almost broken through it, but I got one problem. I have mangle in my network with an updated address list, so when the surfing website IP is in my country address list it will deny the mangle; otherwise it will go through mangle and the tunnel. But the problem is that even those websites which are not restricted in my country, like google.com, are going through mangle and the tunnel, and this reduces the surfing speed. The firewall IP of my country's censorship server is 10.10.34.35. It means when I ping a censored website like facebook.com on my router it returns 10.10.34.35. Is there any way to use an IF rule in mangle? I mean, if the website typed in the browser goes to 10.10.34.35 then it would use the tunnel, otherwise it would use the non-tunnel route. So I would use google.com through the normal WAN route and facebook.com through the tunnel route.
You can use a “jump” action, based on the censorship IP and address-list, along with two new chains, one for “use-firewall” and one for “use-proxy”.
So not “IF”, but a goto…
Thanks for your answer. Can I have a link to a tutorial on how to do it?
I use the same approach with mangle, IPsec tunnel and a country IP list, but I managed to get a tunnel speed of approx 190 Mbit/150 Mbit download and upload.
So it is almost as fast as the ISP.
What is the bottleneck in your case?
What kind of tunnel do you use?
What is your MikroTik model?
Both CHR. I use L2TPv3.
Licensed?
MikroTik on CHR without a licence is limited to 1 Mbit!
On the VPN side I use 1 CPU, 512 RAM, 5 GB HDD, Ubuntu + Libreswan.
Setup simple like this:
https://github.com/hwdsl2/setup-ipsec-vpn
On the client side I connect MikroTik devices as L2TPv2/IPsec clients.
I use ciphers that are supported by the CPU, MTU 1400.
750Gr3 or hEX S produce approx 120/90 Mbit upload and download.
hAP ac2, hAP ac3 approx 140/120 Mbit.
RB4009 makes 190/150 Mbit.
The IP address list for mangle contains 11000 records.
I think that is pretty decent performance.
You asked about an “IF”, but it’s a set of rules with matchers & actions, followed in the order defined by RouterOS… there is no true “if” statement. The only option is the BASIC-like “goto” (or “gosub”) via action=jump (with a jump-target= to specify what “chain” to go to). And it’s the user-defined chain (e.g. a new rule with something like “chain=route-via-vpn”) that has the mangle routing rules you need. These user-defined chains are NOT run unless it comes from an action=jump jump-target=… in /ip/firewall/mangle. There is also an action=return that is possible at the end of a user-defined chain, which lets you go back to where the jump originated. A return isn’t strictly needed unless there are more rules in the original “system” chain. RouterOS only “calls” the system chains (chain=forward, chain=prerouting, etc.), not the user-defined ones (the user ones are used only if they come from some action=jump). RouterOS calls them based on the definition in the packet flow diagram: https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS
The docs on mangle do describe the action= but are shy on examples: https://help.mikrotik.com/docs/display/ROS/Mangle
But there is some good discussion here about “mangle routing” that might give you some context and alternatives too:
http://forum.mikrotik.com/t/wireguard-and-mangle-routing/171071/1
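A minimal RouterOS 7 script, added here to illustrate the jump/return chain structure described in the post above; it is not from any poster or from the MikroTik docs. The list names, the LAN subnet 192.168.88.0/24, the 203.0.113.0/24 prefix standing in for the country list, the table name via-vpn and the interface name l2tp-out1 are placeholders; 10.10.34.35 is the censorship address from the question.

```routeros
# Added example (constructed): policy routing through a user-defined mangle chain.
# Only traffic explicitly jumped into route-via-vpn gets the routing mark;
# everything else keeps the main routing table and leaves via the normal WAN.

/routing table
add name=via-vpn fib

/ip firewall address-list
add list=in-country address=203.0.113.0/24 comment="placeholder: replace with the real country prefixes"
add list=censor address=10.10.34.35 comment="address the censor's DNS returns for blocked names"

/ip firewall mangle
# In-country destinations: accept stops mangle processing, so no mark is set and
# the packet follows the main table (normal WAN route).
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=in-country action=accept comment="direct via ISP"
# Destinations that hit the censor: goto (jump) the user-defined chain.
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=censor action=jump jump-target=route-via-vpn comment="censored -> tunnel"
# Anything not matched above falls through unmarked (also normal WAN route).

# User-defined chain: RouterOS never calls this on its own, only via the jump.
add chain=route-via-vpn action=mark-routing new-routing-mark=via-vpn comment="route this session over the tunnel"
# Optional, as the post notes: returns to the rule after the jump in prerouting.
add chain=route-via-vpn action=return

/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-table=via-vpn comment="default route for marked traffic"
```

Note that a packet matched by the censor list still carries 10.10.34.35 as its destination; the mark only changes which path that session takes, not the address the client resolved. Check the result with /ip firewall mangle print stats to confirm the jump and mark-routing counters increase only for the intended traffic.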