Packet mark: NAT works, firewall isn't

I created a set of mangle rules with layer7 content to drop access to specific sites.
Packets are marked; now I'm trying to set up a drop rule in the firewall, and it just plainly doesn't work.
But if I set up a NAT rule with the same packet mark, the DNS request fails (which is what I'm trying to do).
And yes, the default fasttrack rule is disabled.
So, this rule WORKS:

[admin@faerun] > ip/firewall/nat/print        
Flags: X - disabled, I - invalid; D - dynamic 
19    chain=dstnat action=dst-nat to-addresses=0.0.0.0 packet-mark=philips_packet log=no log-prefix=""

But this doesn't (also including the higher rules for context; the rule in question is 6):

[admin@faerun] > ip/firewall/filter/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 1    chain=input action=accept protocol=icmp src-address-list=vlan1 in-interface=bridge log=no log-prefix="" 

 2    chain=input action=accept protocol=tcp src-address=X.X.X.0/24 in-interface=ether1 dst-port=80 log=no log-prefix="" 

 3    chain=input action=accept src-address=X.X.X.130 log=no log-prefix="" 

 4 X  chain=input action=accept src-address=192.168.9.0/24 log=no log-prefix="" 

 5    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 6    chain=output action=drop packet-mark=philips_packet log=no log-prefix=""

Mangle and layer7 rules:

[admin@faerun] > ip/firewall/layer7-protocol/print 
Columns: NAME, REGEXP
#  NAME            REGEXP           
1  philips update  nettvservices.com

[admin@faerun] > ip/firewall/mangle/print          
Flags: X - disabled, I - invalid; D - dynamic 
 2    chain=prerouting action=mark-connection new-connection-mark=philips passthrough=yes layer7-protocol=philips update protocol=udp connection-mark=no-mark 
      dst-port=53 log=no log-prefix="" 

 3    chain=prerouting action=mark-packet new-packet-mark=philips_packet passthrough=yes connection-mark=philips log=no log-prefix=""

You mixed everything up: you classify the traffic by DNS string, so it always marks your connections to the DNS server.

It’s easier to do this through the local DNS cache.

/ip dns set allow-remote-requests=yes
/ip dns static add address=127.0.0.1 name=philips.com type=A



/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp to-ports=53

it always marks your connections to the DNS server.

No, it doesn't. Other DNS requests work fine even with the NAT rule enabled.
It still doesn't explain why the firewall drop rule isn't working.

Make a test rule:

/ip firewall mangle add action=add-dst-to-address-list address-list=al_WEB_philips chain=prerouting layer7-protocol=philips

& look at /ip/firewall/address-list
It might explain this to you.

I tested and got my router's local address in the list.

So you're basically saying that this guy is wrong? https://youtu.be/3LmQYIQ5RoA?t=467
It looks like an official MikroTik channel.

And this too:

chain=output action=drop packet-mark=philips_packet log=no log-prefix=""

change

chain=forward action=drop packet-mark=philips_packet log=no log-prefix=""

I tried with forward first; it doesn't work either way.

All right, I got it: I forgot the input drop rule. Thanks for your help.
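Pulling the thread together, here is the complete rule set as an added example (it is not configuration posted by anyone in the thread): the layer7/mangle marking from the first post, the drop placed in the input chain as the resolution says, and the local-DNS-cache sinkhole from the first reply as the alternative. Assumptions that are not in the original posts: the LAN-facing interface list is named LAN, the layer7 entry keeps the name "philips update", the comments and the place-before ordering are mine, and the forward-chain rule is an extra for clients that query an external resolver directly.

```routeros
# Added example; not from the thread. Assumes an interface list named "LAN".

# 1. Layer7 pattern. On the wire a DNS QNAME separates labels with a length
#    byte, not an ASCII '.', so the unescaped '.' (a regex wildcard) is what
#    lets this match a query; "nettvservices\.com" would NOT match DNS.
/ip firewall layer7-protocol
add name="philips update" regexp="nettvservices.com"

# 2. Mark the DNS connection on the first (matching) packet, then mark every
#    packet of that connection. Both rules keep passthrough=yes so the first
#    packet is connection-marked and packet-marked in the same prerouting pass.
/ip firewall mangle
add chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark \
    layer7-protocol="philips update" action=mark-connection \
    new-connection-mark=philips passthrough=yes
add chain=prerouting connection-mark=philips action=mark-packet \
    new-packet-mark=philips_packet passthrough=yes

# 3. Drop in INPUT, not output/forward: a LAN client's query to the router's
#    own resolver goes prerouting -> input, never forward, and the router's
#    reply (output) is never seen by prerouting mangle rules at all.
#    place-before=0 puts it ahead of "accept established,related", because a
#    stub resolver that reuses its source port makes later queries part of an
#    already-established UDP conntrack entry that rule 0 would accept.
/ip firewall filter
add chain=input protocol=udp dst-port=53 packet-mark=philips_packet \
    action=drop comment="drop Philips update lookups" place-before=0
# Queries sent straight to an external resolver (e.g. 8.8.8.8) DO traverse
# forward, so keep a forward rule too if clients are not forced to the router.
add chain=forward protocol=udp dst-port=53 packet-mark=philips_packet \
    action=drop comment="drop Philips update lookups via external DNS"

# 4. Alternative from the first reply: sinkhole the name in the local DNS
#    cache and redirect all LAN port-53 traffic to the router, no layer7 needed.
#    A static name= entry matches the exact name only; subdomains need a
#    regexp= entry. Clients using DoH/DoT or a hardcoded resolver bypass this.
/ip dns set allow-remote-requests=yes
/ip dns static add name=nettvservices.com address=127.0.0.1 type=A
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=udp \
    dst-port=53 action=redirect to-ports=53
```

Check it with the same test the second reply suggests (a temporary add-dst-to-address-list mangle rule on the layer7 match): the address that lands in the list is the router's own, which is exactly why the drop belongs in input.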

If you are trying to block IPs, then use firewall rules.
If you are trying to block by domain name, aka popular sites, you are wasting your time.