Is it possible to control the output of Mikrotik’s own traffic with mangle rules?
What is the requirement, in more detail?
a. identify user(s)/device(s), groups of users/devices
b. identify what traffic they should be allowed to execute.
c. identify any particular routes traffic should take
d. identify any traffic that the router needs to execute ( aka router services like VPN ).
Short answer: Yes, Long answer: Yes. Without more information,…
Yes. It’s covered by Packet Flow Diagram.
The “Mikrotik’s own traffic” is a “routing process” here going through LOCAL:
https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-OverallPacketflowDiagram
And mangle can catch, among other places, the “output” chain:
https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-Output
Or when a packet is originated from the router (routing output):
The packet is originated from the router itself; the packet goes through the routing table to make a routing decision.
A packet enters the output process:
- process packet through the Bridge decision;
- send the packet through connection tracking;
- process packet through the Mangle output chain;
- process packet through the Filter output chain;
- send the packet to routing adjustment (policy routing).
The packet enters the postrouting process:
- process packet through Mangle postrouting chain;
- process packet through NAT’s src-nat chain;
- if there is a hotspot, undo any modifications made in hotspot-in;
- process packet through queue tree (HTB Global);
- process packet through simple queues;
- check if there is IPsec and then process through IPsec policies.
Specifically in the “Mangle Output” and “Mangle Input”, which break out the “Routing Decision” in first diagram:

The OUTPUT and INPUT part are clear from first diagram, but just to clarify…
PREROUTING chain is traffic going through ⒾⓀ
POSTROUTING chain is traffic going through 🅙🅛
e.g. from the “break-out” of top diagram of this post
Anav, thank you for your time and the incredible speed in responding.
It would be options C and D, but precisely for D. The intention is to make Mikrotik itself execute some script tasks that will use the VPN and some DNS queries.
I initially had doubts about knowing the possibility, now I’m going to research and study. Thanks a lot for the help.
Anm0, thank you for your time, incredible speed in putting together the material and responding.
You gave me a lot of content, Wow! Complex, I will need to assimilate the information and test a lot. Thank you very much for your help, you’ve already given me a lot of homework. lol!
In simple terms there are tools you can use.
What is common to both is needing a table and an IP route.
One is to create a table (RouterOS v7 syntax; the menu path is added for clarity):
/routing table
add fib name=utilizeWANX
Create the route:
/ip route
add dst-address=0.0.0.0/0 gateway=ISPX routing-table=utilizeWANX
Then you have two options:
a. Use a routing rule. This basically states that any traffic coming from WANX (and since this includes responses to external traffic hitting WANX, like a VPN handshake, any response) will be forced out the table to WANX and not follow the normal main table routes.
/routing rule
add action=lookup-only-in-table src-address=WANX-IP table=utilizeWANX
b. Use mangling. These rules mark traffic coming in on a WAN, and force any return traffic with those marks to go out the same WAN, regardless of priority on the main table, as we force the traffic out a separate table. This is also valid for any port forwardings coming in on WANX.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=incomingWANX passthrough=yes
add action=mark-routing chain=output connection-mark=incomingWANX new-routing-mark=utilizeWANX passthrough=no
and modify the fasttrack rule…
/ip firewall filter
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related hw-offload=yes connection-mark=no-mark
These are just possible tools to consider, depending on how complex the config may be… some variations are expected.
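Putting Anm0’s packet-flow point (traffic the router itself originates is only seen in the OUTPUT chain, never in PREROUTING) together with Anav’s table/route/mangle recipe, here is an added example configuration; it is not from this thread or from MikroTik. It assumes RouterOS v7, a WAN interface named WANX with gateway ISPX, and an interface list named LAN; every name is a placeholder. It goes slightly beyond the rules posted above: it adds a mangle OUTPUT rule for the router’s own DNS queries (the original poster’s case) and a PREROUTING rule so that replies from LAN hosts to port-forwarded connections also follow the same table.

```routeros
# Added example, not from the thread. Placeholders: WANX (WAN interface),
# ISPX (its gateway), LAN (interface list). RouterOS v7 syntax.

# 1. Separate routing table (FIB) with its own default route via WANX.
/routing table
add fib name=utilizeWANX
/ip route
add dst-address=0.0.0.0/0 gateway=ISPX routing-table=utilizeWANX \
    comment="default route for traffic marked utilizeWANX"

/ip firewall mangle
# 2. Router-originated traffic: the OUTPUT chain is the only mangle chain
#    such packets pass through. Here the router's own DNS queries get a
#    routing mark, so the "routing adjustment" step re-routes them through
#    utilizeWANX instead of the main table.
add chain=output protocol=udp dst-port=53 action=mark-routing \
    new-routing-mark=utilizeWANX passthrough=no \
    comment="router's own DNS queries leave via WANX"

# 3. Connections that arrived on WANX (VPN handshakes, port forwards):
#    remember them with a connection mark on arrival ...
add chain=prerouting in-interface=WANX connection-mark=no-mark \
    action=mark-connection new-connection-mark=incomingWANX passthrough=yes \
    comment="remember connections that came in on WANX"
# ... then route the router's own replies (OUTPUT) ...
add chain=output connection-mark=incomingWANX action=mark-routing \
    new-routing-mark=utilizeWANX passthrough=no \
    comment="router replies go back out WANX"
# ... and replies from LAN hosts for port-forwarded connections (PREROUTING).
add chain=prerouting in-interface-list=LAN connection-mark=incomingWANX \
    action=mark-routing new-routing-mark=utilizeWANX passthrough=no \
    comment="LAN replies to WANX port forwards go back out WANX"

# 4. Fasttrack skips mangle for forwarded packets of fasttracked connections,
#    so only fasttrack connections that carry no mark.
/ip firewall filter
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=no-mark \
    hw-offload=yes comment="fasttrack only unmarked connections"
add chain=forward action=accept connection-state=established,related \
    comment="marked connections take the slow path and see mangle"
```

Two things to check after applying it. First, for packets the router originates, the source address is chosen at the first routing decision (main table); the routing mark only changes the outgoing route, so if such a packet must leave with WANX’s address, add pref-src to the route in utilizeWANX or src-nat it on out-interface WANX. Second, rule order matters: put the fasttrack rule before the generic accept for established/related, and verify with `/ip firewall mangle print stats` that the output-chain rule’s counters increase when the router resolves a name.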
Perfect, Anav.
Thanks for the examples. Two ways, the simple one like routing and the more complicated one like mangle.
I understood your explanation.
I’m the “big picture” guy … I’d listen to @anav if you want something working
@anav – the connection-mark=no-mark is a pretty clever way to be generic about what’s going through the main routing table…
My middle name is clever, I will give you hint.
Anav “SINDY” Llama
For completeness, the reason for the “extra rule” for fasttrack comes later in the Packet Flow. RouterOS has a feature called “fasttrack” that’s enabled in the default firewall. This, essentially, does work when using routing tables… As you can see below, before the MANGLE PREROUTING, the FASTTRACKED? is checked … so traffic can “jump the shark”

Super helpful to describe where it fits !!!
It’s very satisfying to witness a conversation between intelligent people.
If I understand correctly, using no-mark on the connection marked in the connection state would disable fasttracked? This way it would use the mangle rules and not be ignored by the jump from fasttrack to fastpath.