Mangles blocking tracert result...!!

miankamran7100 · September 16, 2023, 11:23am

Dear all experts,
problem is that when I tracert google.com or tracert 8.8.8.8
At first, it shows timeout and resolves next as shown in the attachment. And when I disable the firewall Mangle rules.
it is working fine no timeout.
I have done PCC load balancing working well full ful fulfill my need according to this official Mikrotik video link
https://www.youtube.com/watch?v=nlb7XAv57tw.

what rule do I need to make for smooth tracert with mangles?

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new in-interface=ether1_WAN1 new-connection-mark=
wan1_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new in-interface=ether2_WAN2 new-connection-mark=
wan2_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new in-interface=ether3_WAN3 new-connection-mark=
wan3_Conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_Conn
new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_Conn
new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan3_Conn
new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new dst-address-type=!local in-interface=Bridge_LAN
new-connection-mark=wan1_Conn passthrough=yes per-connection-classifier=
both-addresses:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new dst-address-type=!local in-interface=Bridge_LAN
new-connection-mark=wan2_Conn passthrough=yes per-connection-classifier=
both-addresses:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new dst-address-type=!local in-interface=Bridge_LAN
new-connection-mark=wan3_Conn passthrough=yes per-connection-classifier=
both-addresses:3/2
add action=mark-routing chain=prerouting connection-mark=wan1_Conn
in-interface=Bridge_LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_Conn
in-interface=Bridge_LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan3_Conn
in-interface=Bridge_LAN new-routing-mark=to_WAN3 passthrough=yes
add action=accept chain=prerouting dst-address=!192.168.8.0/24

mkx · September 16, 2023, 11:39am

Do you have fasttrack rule in firewall filter enabled? Fasttrack is not compatible with mangle.

miankamran7100 · September 16, 2023, 11:56am

No

anav · September 16, 2023, 3:11pm

He can still have fastrack on if desired.
simply add connection-mark=no-mark to the config line. ;-PP

What I dont understand is the last line of your mangling, whats its purpose??
add action=accept chain=prerouting dst-address=!192.168.8.0/24 ???

Small points:

output chain mangle rules passthrough=no is more appropriate
I personally prefer to use different connection marks for traffic coming in externally, to that going outbound from LAN ( the routing marks can be the same and usually are ).

Finally seeing only part of the config is generally useless to actually solving most issues.

miankamran7100 · September 16, 2023, 4:20pm

I have 2 wan and I have an L2TP client connected to my router and the src address in the L2TP client is WAN2 IP.
I have been able to ping LAN gateway 192.168.94.1 but am not able to ping other IPs like 192.168.94.43 etc.

Fill the src-address field in l2tp-client.
Use /ip route rule (lookup-only-in-table).

/interface l2tp-client
add connect-to=xxx.xx.xx.xx disabled=no name=L2TP_Client src-address=
192.168.57.11 use-ipsec=yes user=remote
/routing rule
add action=lookup-only-in-table disabled=no dst-address=182.176.86.181/32
src-address=192.168.57.11/32 table=to_WAN2

when I place this rule on 2nd last of mangles rule I can receive ping of all my LAN IP and when I place it on last of the mangles rule I’m not able to ping LAN IP only just gateway ping 192.168.94.1.

where to set this rule.
this rule also stop lan traffice which is out from wan2
add action=accept chain=prerouting dst-address=!192.168.94.0/24
add action=mark-routing chain=prerouting connection-mark=wan2_conn
new-routing-mark=to_WAN2 passthrough=yes src-address=192.168.94.0/24