Hi,
For several years I used these simple Mangle rules on my RB750GL to do Policy Based Routing (routing certain traffic through a L2TP/IPsec VPN connection):
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Source Based Marking" dst-address-list=!No_VPN new-routing-mark=VPN src-address-list=1_VPN
add action=mark-routing chain=prerouting comment="Destination Based Marking." dst-address-list=VPN_Dest new-routing-mark=VPN
Of course the downside is, that every packet gets checked. According to the Wiki and several forum posts, it is better to mark a new connection based on its first packet and then mark every packet belonging to that connection with the required routing mark. So I got:
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Source Based Routing: Connection Mark" connection-state=new dst-address-list=!No_VPN new-connection-mark=VPN src-address-list=1_VPN
add action=mark-connection chain=prerouting comment="Destination Based Routing: Connection Mark" connection-state=new dst-address-list=VPN_Dest new-connection-mark=VPN
add action=mark-routing chain=prerouting comment="Source Based Routing: Routing Mark" connection-mark=VPN new-routing-mark=VPN
Only that it does not work. On the ‘Connections’ tab in the Firewall window of Winbox I can see that connections get marked, but they don’t get past syn sent/syn received and therefore never get established.
What am I missing here?
Thanks a lot!
Kind regards,
iBlueDragon
Yes, I enabled fasttrack with the following rule:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack established & related" connection-state=established,related
Of course then I also got the related dynamic rules in Filter Rules and Mangle.
Do I need to disable fasttrack in order to use my rules? Is it possible to use both?
Thanks!
Have you tried disabling it to see if marking by state=new works properly now?
Per http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack
Fasttracked packets bypass firewall, connection tracking, […]
So it may have to do with your issue.
I deleted the fasttrack rule and rebooted to get rid of the dynamically created related fasttrack rules. But the mangling / routing still does not work. Same symptoms, connections get marked but don’t get past syn sent…
My setup is quite simple. In front of the mangle rules in question are only two dynamically created rules which change TCP MSS and one rule to exclude packets with source and destination address inside my LAN from further mangling (for VPN clients). That’s it…
The fact that connections are left with state syn sent seems to point to far-end VPN router replies getting lost, either by a remote router problem, or a local router reply packet routing problem (maybe wrong routing table? arp problem?).
Have you done a packet capture to see if replies are reaching the router, with and without connection-state=new in the mangle?
Have you tried just L2TP, without IPSec (just for testing)?
Sorry, it took me some time to do further testing and get back here.
For testing purposes, I set the default route to the VPN connection and used the mangle rules to route traffic to the PPPoE Internet connection. Of course the VPN connection did not come up, but for testing the mangling and routing to the PPPoE connection it did not matter. In the end I got the same result. Mangle rules checking every packet and setting the routing mark could be used to reroute the traffic. Mangle rules first marking the connection and then based on the connection mark setting the routing mark could not be used. The connections were stuck again with syn sent.
Using the built-in packet sniffer I can see packets coming back from the host I tried to reach. However, as the marking only exists within the router, I could not narrow down the problem. Are there other tools I can use for troubleshooting this issue?
But I got some progress with the following setup:
As I mainly want to exclude traffic to certain destinations from being routed through the VPN even if the source computer is generally routed through the VPN, I built two new mangle rules. The first one marks new connections with destinations contained in the address list with the excluded destinations. The second rule just accepts packets from so-marked connections, excluding them from further mangling. This works as expected. Traceroutes from a source computer generally routed through VPN show that traffic to excluded destinations is routed through the direct Internet connection. I can also see these connections properly marked and established in the Connections tab.
I also set up my fasttrack rule again and it does not influence the mangling.
So in the end I still don’t know why my first rule set (from the first post) does not work. But the two new rules in combination with my old rules (checking every packet) get me what I want…
Anyways, further advice in troubleshooting is still appreciated.
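An added example (editor's note, not from any poster) of how to test the "wrong routing table" hypothesis raised above. A connection mark is carried by both directions of a connection, so a mark-routing rule that matches only on connection-mark also marks the replies coming back from the tunnel; those replies are then looked up in the VPN table, where a default route sends them back into the tunnel instead of to the LAN host, which leaves the connection at syn sent. The per-packet rule from the first post avoids this because src-address-list=1_VPN never matches replies. Interface names (bridge-lan, l2tp-vpn) are assumed; the address lists are those from the original post, and the syntax is RouterOS v6 as mentioned in the thread.

```routeros
# Assumed names: LAN interface "bridge-lan", tunnel interface "l2tp-vpn".
# Address lists 1_VPN and No_VPN are the ones from the original post.
/ip firewall mangle
# Mark new connections as before; both directions will carry this mark.
add chain=prerouting connection-state=new src-address-list=1_VPN \
    dst-address-list=!No_VPN action=mark-connection new-connection-mark=VPN \
    passthrough=yes comment="VPN: connection mark"
# Diagnostic only: log reply packets of VPN-marked connections arriving from
# the tunnel. If this rule's counter rises, replies do reach the router and
# the loss happens afterwards, in routing.
add chain=prerouting in-interface=l2tp-vpn connection-mark=VPN \
    action=log log-prefix="vpn-reply" comment="diag: replies from tunnel"
# Apply the routing mark only to packets entering from the LAN, so replies
# from the tunnel stay in the main table and are delivered to the LAN host.
add chain=prerouting in-interface=bridge-lan connection-mark=VPN \
    action=mark-routing new-routing-mark=VPN passthrough=no \
    comment="VPN: routing mark (LAN-originated packets only)"
/ip route
# Check what the VPN table contains: if it holds only a default route via the
# tunnel, every packet carrying routing-mark=VPN, replies included, goes there.
print where routing-mark=VPN
```

Compare the counters of the diagnostic rule with a packet sniffer on the LAN interface: replies logged in mangle but never seen on bridge-lan point at the routing table, not at the remote router.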
I have the same problem. Cannot forward some traffic to other interface via routing mark. Trying on RB433 with 6.35.4