matching traffic from the router itself in mangle

LaZyLion · September 9, 2015, 7:35am

Hi all

I’m playing with load balancing using pcc firewall rules in mangle
and I’ve noticed that when I do a ping, tool fetch, or any other traffic
from the console, it doesn’t get matched to any of my mangle rules.

I just tried and I can’t get of the chains in mangle to trap router initiated traffic,
including dns lookups.

I use google’s dns servers and my wan connections are equal so I’d like to
prevent things like dns traffic from going out the same port every time.

Other than doing pcc on dst-address=8.8.8.8

Am I missing something?
Any suggestions?

Thanks.

LL

bajodel · September 9, 2015, 8:48am

Probably you are marking/PPC forwarded traffic in mangle/prerouting chain; if you want to mark/PCC router originated traffic you must work on mangle/output chain also.

bajodel · September 12, 2015, 2:37am

Any news? Solved?

iperezandres · April 19, 2018, 9:42am

Not yet, I have the same problem. I have tried output chain and mark-routing but it is not working.

If there is no default route, the packets originated from the router itself do not get catched in any of the mangle rules and they do not show up in the connection tab.

Any suggestion? I have tried many different chain combinations unsuccessfully.

There is another thread with the same issue… : http://forum.mikrotik.com/t/match-router-originated-traffic/110985/5

sindy · April 19, 2018, 1:30pm

This picture says it all. Routing comes first, only then the packet passes through the output chain in various tables (conntrack, mangle, filter), and finally the routing is eventually “adjusted” (see the exploded Output chain).

Sob · April 19, 2018, 2:03pm

I’ve seen this before. When there’s no route to given destination in main routing table, RouterOS just says “no route to host” and doesn’t give you a chance to mark routing and use another routing table where such route exists. The workaround should be simple, just add fake route, e.g.:

/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none
/ip route
add gateway=bridge1 comment="fake route"
add gateway=<real gw> routing-mark=<some mark>
/ip firewall mangle
add action=mark-routing chain=output new-routing-mark=<some mark>

Router will seemingly have route to any destination and it’s up to you what packets you mark and let them use the real gateway.

iperezandres · April 20, 2018, 7:15am

Very interesting approach, let me try it and get back to you. Thanks!

iperezandres · April 20, 2018, 10:21pm

Thank you Sob, that was very fine coding!
It worked like a charm. With the fake bridge, any connection from the router itself now shows up in the firewall connection tab, and once you have it there, it is catched by the mangle rules and it is easy to route it through the WAN that you want.
Awesome suggestion!!

iperezandres · November 21, 2018, 1:19pm

I found another approach instead of creating the fake-bridge.

First, you add a route with as many WANs as you have, so it also gives you fail over.

/ip route
add dst-address=0.0.0.0/0 gateway=ether1-wan1,ether2-wan2 distance=1 check-gateway=ping comment="ros route"

And then you add a rule in mangle to capture the traffic going from your connected IPs to the not connected IPs:

/ip firewall address-list
add address=192.168.1.0/24 list=Connected # WAN1 network
add address=192.168.88.0/24 list=Connected # WAN2 network
add address=192.168.100.0/23 list=Connected # LAN network
add address=192.168.100.0/23 list=LAN
add address=255.255.255.255 list=LAN
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=!Connected new-routing-mark=route1 passthrough=no src-address-list=Connected

Hope it helps.