I have an ECMP load balancing setup, i.e. 0.0.0.0/0 gateway ----> 192.168.3.2 & 192.168.4.2
I want to mark connections (and subsequently packets) based on the route the connection is assigned by the ECMP setup.
Is there a way in mangle to identify the route? I can see there are options for routing mark and routing table, but I assume these are for when you are using routing marks to direct the route.
You can use connection marking during handling of the first response packet. The ECMP chooses “randomly” one of the gateways for the initial packet of a LAN->WAN connection, and once the first response arrives, you assign a connection-mark to it, which you will be translating to routing-mark for subsequent LAN->WAN packets of those connections. So you’ll have three routes:
At what point in the chain does "the first response arrive"? What criteria in mangle do I test it against so I can apply the corresponding routing mark? A basic example would be helpful. Thank you
First, sorry for mentioning additional routes and routing-mark at all; you obviously don't actually need them, as you want to mark the connections only to assign a packet-mark to let the correct queue handle the packet, and ECMP itself works thanks to a routing cache, so packets to the same destination keep being sent using the same gateway and need no routing-mark for that.
Second, there is no way to guess in advance which route the ECMP will choose for the initial packet of a connection, so you have to learn to live with the fact that these first packets will not be queued (or at least queued properly). The mangle rules below will assign the connection-mark to the connections depending on the WAN interface through which the response to the initial packet arrives.
/ip firewall mangle
add chain=prerouting in-interface-list=WAN connection-mark=no-mark action=jump jump-target=cmark-pre comment="skip the connection-marking if the connection has already been marked"
add chain=prerouting connection-mark=wan1 action=mark-packet new-packet-mark=wan1
add chain=prerouting connection-mark=wan2 action=mark-packet new-packet-mark=wan2
An interface list WAN with members wan1-if-name and wan2-if-name must exist so that it works. The rules assigning packet-marks may be more complex, e.g. if you need to assign different packet-marks to download and upload packets of the same connection.
If the two gateways are reachable through the same interface, there is a way too.
If there is no NAT between the WANs and the destination addresses, and the download packets may come through a different WAN interface than the one through which the upload of the same connection is being sent, there is no way to make it work and you’d have to use a controlled load distribution instead of ECMP.
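The snippet above jumps to a chain cmark-pre but does not list it, so here is a complete, self-contained version of the scheme as an added example (my own reconstruction, not the poster's configuration). It assumes the two WAN interfaces are called wan1-if-name and wan2-if-name as in the thread, that the ECMP default route is the one from the first post, and that the queue tree entries at the end are placeholders with made-up limits; the cmark-pre rules, the passthrough settings and the verification commands are my additions.

```routeros
# Added example, not the thread's own config. Interface names and queue
# limits are assumed placeholders.

/interface list
add name=WAN comment="both upstream interfaces"
/interface list member
add list=WAN interface=wan1-if-name
add list=WAN interface=wan2-if-name

# ECMP default route from the first post: one route, two gateways.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.2,192.168.4.2 comment="ECMP default"

/ip firewall mangle
# Only still-unmarked connections whose packet arrived on a WAN interface
# reach cmark-pre, i.e. the first reply of each LAN->WAN connection.
add chain=prerouting in-interface-list=WAN connection-mark=no-mark action=jump jump-target=cmark-pre comment="classify by the WAN that carried the first reply"

# cmark-pre: the interface the reply came in on tells which gateway ECMP
# picked, so mark the whole connection after it.
add chain=cmark-pre in-interface=wan1-if-name action=mark-connection new-connection-mark=wan1 passthrough=no
add chain=cmark-pre in-interface=wan2-if-name action=mark-connection new-connection-mark=wan2 passthrough=no

# Every later packet of a marked connection, upload and download alike,
# gets the matching packet-mark for the queues.
add chain=prerouting connection-mark=wan1 action=mark-packet new-packet-mark=wan1 passthrough=no
add chain=prerouting connection-mark=wan2 action=mark-packet new-packet-mark=wan2 passthrough=no

# Placeholder queues consuming the packet-marks (limits are invented).
/queue tree
add name=via-wan1 parent=global packet-mark=wan1 max-limit=50M
add name=via-wan2 parent=global packet-mark=wan2 max-limit=50M

# Verification: after a LAN host opens a few connections, each tracked
# connection should carry exactly one of the two marks ...
/ip firewall connection print where connection-mark=wan1
/ip firewall connection print where connection-mark=wan2
# ... and the mark-packet rule counters should grow while the jump rule
# counts only one hit per new connection.
/ip firewall mangle print stats
```

As the answer says, the very first packet of each connection is sent before any reply exists, so it is never marked and is not queued; only from the reply onwards does the connection-mark, and therefore the packet-mark, apply.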