Problem with traffic marking

Hi,
I am struggling with a problem when tracing the path from the LAN to the ISP1 USER IP network, where my first hop gives me * * * like this:

root@unifi:~# traceroute -In 5.5.2.45
traceroute to 5.5.2.45 (5.5.2.45), 30 hops max, 60 byte packets
 1  * * *
 2  5.5.2.45  0.443 ms * *

but it is enough if I turn on:

add comment="" distance=1 dst-address=192.168.1.0/24 gateway=bridge-LAN pref-src=192.168.1.254 routing-mark=to_WAN-MM

or disable the line:

add action=mark-routing chain=output comment="mark routing to WAN-MM" connection-mark=WAN-MM_in new-routing-mark=to_WAN-MM passthrough=no

and everything works as expected:

root@unifi:~# traceroute -In 5.5.2.45
traceroute to 5.5.2.45 (5.5.2.45), 30 hops max, 60 byte packets
 1  192.168.1.254  0.225 ms  0.220 ms  0.219 ms
 2  5.5.2.45  0.443 ms * *

Here is the packet sniffer result of this command:

#    TIME INTERFACE             SRC-ADDRESS      DST-ADDRESS     IP-PROTOCOL  SIZE CPU FP 
 5    3.96 sfp-plus-LAN          192.168.1.202    5.5.2.45        icmp           74   2 no 
 6    3.96 bridge-LAN            192.168.1.202    5.5.2.45        icmp           74   2 no 
 7    3.96 ether6-WAN-MM-ISP     192.168.1.254    192.168.1.202   icmp          102   2 no 
 8    3.96 sfp-plus-LAN          192.168.1.202    5.5.2.45        icmp           74   2 no 
 9    3.96 bridge-LAN            192.168.1.202    5.5.2.45        icmp           74   2 no 
10    3.96 ether6-WAN-MM-ISP     192.168.1.254    192.168.1.202   icmp          102   2 no 
11    3.96 sfp-plus-LAN          192.168.1.202    5.5.2.45        icmp           74   2 no 
12    3.96 bridge-LAN            192.168.1.202    5.5.2.45        icmp           74   2 no 
13    3.96 ether6-WAN-MM-ISP     192.168.1.254    192.168.1.202   icmp          102   2 no 
14    3.96 sfp-plus-LAN          192.168.1.202    5.5.2.45        icmp           74   2 no 
15    3.96 bridge-LAN            192.168.1.202    5.5.2.45        icmp           74   2 no 
16    3.96 bridge-WAN-OR         192.168.1.202    5.5.2.45        icmp           74   2 no 
17    3.96 sfp-plus-LAN          192.168.1.202    5.5.2.45        icmp           74   2 no 
18    3.96 bridge-LAN            192.168.1.202    5.5.2.45        icmp           74   2 no 
19    3.96 bridge-WAN-OR         192.168.1.202    5.5.2.45        icmp           74   2 no

So a few packets come back from the WAN-MM-ISP interface when the first ping with TTL=1 is sent. But why does the router respond from this interface if the traffic is sent to the other one? I won’t find peace until I resolve this riddle… :wink: Everything works, but I cannot understand this strange behaviour.

Some remarks:

  1. I don’t want to do connection tracking on my user public IP scope, as there will be another router; just simple routing, saving my CPU cycles
  2. VLAN 30 is just prepared - so far the OFFICE traffic is sent untagged on bridge-LAN
  3. All pings from inside and outside work fine to ROS interfaces and forwarded ones, except this one traceroute

The configuration and a small diagram are attached to this post. Please let me know your findings.
Thanks in advance.
Forum config.rsc (11.9 KB)
Forum diagram.jpg
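The following is an added example, not the poster's configuration or any RouterOS code. It models how a routing-mark lookup picks the egress for a packet the router generates itself, so the two workarounds in the post (adding 192.168.1.0/24 to the to_WAN-MM table, or disabling the output-chain mark-routing rule) can be reproduced side by side. Everything about the topology is an assumption drawn from the sniffer rows: the main table routes 192.168.1.0/24 via bridge-LAN and defaults via bridge-WAN-OR (rows 16 and 19), and the to_WAN-MM table is assumed to hold only a default route via ether6-WAN-MM-ISP. The mangle rule's connection-mark test is reduced to a boolean, and the v6 fallback to main when the marked table has no match is modelled as well.

```python
"""Constructed model of RouterOS policy routing: routing-mark tables with
longest-prefix match. Not the poster's config; topology is assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    gateway: str       # interface (or next hop) as RouterOS would print it
    distance: int = 1


class PolicyRouter:
    """Routing tables keyed by routing-mark; "main" is the unmarked table."""

    def __init__(self):
        self.tables = {"main": []}

    def add_route(self, dst, gateway, routing_mark="main", distance=1):
        self.tables.setdefault(routing_mark, []).append(
            Route(ipaddress.ip_network(dst), gateway, distance))

    def lookup(self, dst_ip, routing_mark=None):
        """Return (table, gateway) for dst_ip.

        The marked table is consulted first; longest prefix wins and lower
        distance breaks ties. If the marked table has no matching route the
        lookup falls back to main (assumed v6 behaviour).
        """
        ip = ipaddress.ip_address(dst_ip)
        order = [routing_mark, "main"] if routing_mark else ["main"]
        for table in order:
            hits = [r for r in self.tables.get(table, []) if ip in r.dst]
            if hits:
                best = max(hits, key=lambda r: (r.dst.prefixlen, -r.distance))
                return table, best.gateway
        return None, None


def build_router(lan_route_in_mark_table: bool) -> PolicyRouter:
    """Assumed topology: LAN on bridge-LAN, main default via bridge-WAN-OR,
    to_WAN-MM table with a default route via ether6-WAN-MM-ISP."""
    r = PolicyRouter()
    r.add_route("192.168.1.0/24", "bridge-LAN")
    r.add_route("0.0.0.0/0", "bridge-WAN-OR")                                # assumed
    r.add_route("0.0.0.0/0", "ether6-WAN-MM-ISP", routing_mark="to_WAN-MM")  # assumed
    if lan_route_in_mark_table:
        # the route the poster adds (dst 192.168.1.0/24, gateway bridge-LAN,
        # routing-mark to_WAN-MM) that makes the first hop appear
        r.add_route("192.168.1.0/24", "bridge-LAN", routing_mark="to_WAN-MM")
    return r


def ttl_exceeded_egress(lan_route_in_mark_table: bool, mark_rule_enabled: bool) -> str:
    """Interface the router's own ICMP time-exceeded reply to 192.168.1.202 leaves on.

    The output-chain mangle rule in the post sets routing-mark=to_WAN-MM on
    router-originated packets whose connection carries connection-mark=WAN-MM_in;
    whether the reply inherits that mark is reduced here to one boolean.
    """
    router = build_router(lan_route_in_mark_table)
    mark = "to_WAN-MM" if mark_rule_enabled else None
    _table, egress = router.lookup("192.168.1.202", routing_mark=mark)
    return egress


def audit_mark_tables(router: PolicyRouter):
    """Defensive check: every marked table should reach the connected LAN
    networks the same way main does, otherwise router-originated replies
    (ICMP errors, management traffic) exit a WAN interface instead."""
    connected = [r for r in router.tables["main"] if r.dst.prefixlen >= 24]
    findings = []
    for mark, _routes in router.tables.items():
        if mark == "main":
            continue
        for c in connected:
            probe = str(c.dst.network_address + 1)
            _t, egress = router.lookup(probe, routing_mark=mark)
            if egress != c.gateway:
                findings.append((mark, str(c.dst), egress))
    return findings


if __name__ == "__main__":
    print("problem  :", ttl_exceeded_egress(False, True))
    print("route add:", ttl_exceeded_egress(True, True))
    print("rule off :", ttl_exceeded_egress(False, False))
    print("audit    :", audit_mark_tables(build_router(False)))
```

Run stand-alone it prints the egress for the three cases in the post and the audit findings for the unpatched table; `audit_mark_tables` is the check worth keeping: any routing-mark table that lacks routes for the connected LAN networks will send router-generated replies down that table's default route, which is exactly what rows 7, 10 and 13 of the sniffer show.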