mikrotik to dns servers via isp2 by using mangle

Why doesn’t it work?
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark connection-state=new protocol=udp dst-port=53 new-connection-mark=dns passthrough=yes
add action=mark-routing chain=output connection-mark=dns new-routing-mark=isp2_table passthrough=no

How are you testing it?

/ip firewall connection

That’s how you see the result. How is your procedure?

connections src.addr wan_ip_isp1:xxxxxx dst.addr 1.1.1.1:53 prot udp (ros 7.15.3)

It doesn’t work because your requirements are not clearly stated.
Do you mean USE the DNS services of the router via WAN2 ( USE DNS server of the router )
OR
Do you mean use some DNS server you have on LAN via WAN2 ( port forward to DNS server on the LAN)

Finally, how do you propose, or better WHY are you proposing, to use DNS services from external sources WITHOUT any encryption…
I would recommend NEVER opening up your DNS to the outside www…

Still unclear how OP wants to utilize this. But most probably OP wants forward instead of output chain. Just a hip shot.

What could be unclear here?
Mikrotik as a DNS-server.
I’m trying to pass DNS-requests through gateway 2.
For this I use rules in the output-chain.
In the connections I see that the router continues to use gateway 1.

Did you try this… I don’t think you need connection marks here.
/ip firewall mangle
add chain=output action=mark-routing dst-port=53 protocol=udp new-routing-mark=isp2_table passthrough=no
add chain=output action=mark-routing dst-port=53 protocol=tcp new-routing-mark=isp2_table passthrough=no

assuming routes like
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1-gwIP routing-table=main comment="primary"
add dst-address=0.0.0.0/0 gateway=ISP2-gwIP routing-table=main distance=2 comment="secondary"
add dst-address=0.0.0.0/0 gateway=ISP2-gwIP routing-table=isp2_table

No, that doesn’t work either.

isp1 111.111.111.111
isp2 222.222.222.222

In connections src.addr 111.111.111.111:xxxxxx dst.addr 1.1.1.1:53 udp
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark connection-state=new protocol=udp dst-port=53 new-connection-mark=dns passthrough=yes
add action=mark-routing chain=output connection-mark=dns new-routing-mark=isp2_table passthrough=no

In the connections table: connection mark dns.
Moreover, the marking of connections works correctly (the dns mark is everywhere), but mark-routing doesn’t work.

Then post the complete config, as the issue may be elsewhere:
/export file=anynameyouwish ( minus router serial number any public wan IP information, keys etc. )

With this rule in /routing rule it works correctly:
add dst-address=1.1.1.1/32 action=lookup table=isp2_table

In the connections table: 222.222.222.222:xxxxxx 1.1.1.1:53

Thus route marking in the mangle table does not work!

Not sure what you are getting at…
The routing rule is not about forcing the router’s internal DNS services out WAN2.
It’s strictly about forcing any query to 1.1.1.1 out WAN2.

In any case, since you don’t want to provide the config, I am outta here.

Connected a third provider for testing: ISP3 on port ether3.

add table isp3_table
/routing table add fib name=isp3_table

add default route
/ip route add gateway=ether3 routing-table=isp3_table

add mangle rules
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=ether3 new-connection-mark=conn_3
add action=mark-routing chain=prerouting connection-mark=conn_3 in-interface-list=LAN new-routing-mark=isp3_table passthrough=no
add action=mark-connection chain=output connection-mark=no-mark connection-state=new protocol=udp dst-port=53 new-connection-mark=conn_3
add action=mark-routing chain=output connection-mark=conn_3 new-routing-mark=isp3_table passthrough=no

I look at the logs; the traffic still goes through the first provider:
postrouting: in:(unknown 0) out:ether3, connection-mark:conn_3 connection-state:new proto UDP, 111.111.111.111:xxxxx->1.1.1.1:53, len 65
here 111.111.111.111 is the address of the first provider, ISP1.

I do the same for IPsec, as here: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Using_different_routing_table
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark connection-state=new dst-address=xxx.xxx.xxx.xxx dst-port=500,4500 new-connection-mark=conn_3 protocol=udp
add action=mark-connection chain=output connection-mark=no-mark dst-address=xxx.xxx.xxx.xxx new-connection-mark=conn_3 protocol=ipsec-esp
add action=mark-routing chain=output connection-mark=conn_3 new-routing-mark=isp3_table passthrough=no

The logs show the correct address of provider 3 (333.333.333.333):
postrouting: in:(unknown 0) out:ether3, connection-mark:conn_3 connection-state:established proto UDP, 333.333.333.333:4500->yyy.yyy.yyy.yyy:4500, len 316
The NTP server also only goes through the first provider! WG also only goes out from the address of the 1st provider!

What am I doing wrong?
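The log line in the last post is worth reading closely: the packet already leaves via out:ether3 (so the routing mark did take effect), but it still carries ISP1’s source address. For a router-originated packet the source address is chosen at the first route lookup, before the output mangle chain runs, so a routing mark alone does not change it; a /routing rule (as in the 1.1.1.1/32 test earlier in the thread) acts at that lookup stage, which is why it produced the ISP2 source address. The configuration below is an added example, not from this thread or from MikroTik, showing the usual way to keep the output-chain mark and fix the source address with source NAT on the secondary uplink. ether3, isp3_table, conn_3 and the 333.333.333.333 address are placeholders taken from the post; whether it resolves this particular router has not been tested here.

```routeros
# Added example, not part of this thread. Placeholders: ether3 = ISP3 uplink,
# isp3_table = its routing table, conn_3 = connection mark, 333.333.333.333 = ISP3 address.

/routing table
add name=isp3_table fib

/ip route
add dst-address=0.0.0.0/0 gateway=ether3 routing-table=isp3_table comment="default via ISP3 for marked traffic"

/ip firewall mangle
# Mark only router-originated DNS (output chain) and hand it to isp3_table.
add chain=output protocol=udp dst-port=53 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=conn_3 passthrough=yes
add chain=output protocol=tcp dst-port=53 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=conn_3 passthrough=yes
add chain=output connection-mark=conn_3 action=mark-routing new-routing-mark=isp3_table passthrough=no

/ip firewall nat
# The routing mark changes the exit interface, but the source address was already chosen
# during the first route lookup (ISP1's address in the log line above). Rewrite it on
# egress so the query leaves with ISP3's address and the reply comes back via ISP3.
add chain=srcnat out-interface=ether3 action=masquerade comment="source address for ISP3 egress"

# Verification: the marked DNS connections should show reply-dst-address=333.333.333.333
# (the post-NAT source) rather than ISP1's address.
/ip firewall connection print detail where dst-address~":53" and connection-mark=conn_3
/tool sniffer quick interface=ether3 port=53
```

The same reasoning applies to the NTP and WireGuard traffic mentioned at the end of the post: if those packets also show out:ether3 with ISP1’s source address in the postrouting log, the exit interface is correct and only the source selection is not. Check that the masquerade rule sits before any more general srcnat rule that matches first, since the first matching rule in the srcnat chain wins.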