I have two WAN interfaces and I want to route all NTP traffic through a specific WAN gateway.
I tried marking udp/123 traffic with via-lte mark in prerouting/input chains and then adding the routing mark based on the packets or connections that have the via-lte mark but this doesn’t seem to be working.
All the clients in the network can successfully use NTP but the NTP client in RouterOS was stuck on Waiting indefinitely. (This is because the ISP I am avoiding here blocks NTP traffic).
and now all the clients on the network can use NTP and RouterOS can use NTP. Can someone here help me understand this rule? Suggestions to improve this are also welcome.
I had also added a log rule that simply logs all udp/123 traffic and I see stuff like this,
ntp input: in:lte-vlan out:(unknown 0), src-mac 54:0d:f9:f2:f8:de, proto UDP, p.q.r.s:123->a.b.c.d:123, NAT p.q.r.s:123->(x.y.z.w:123->a.b.c.d:123), len 76
where p.q.r.s is the address of time.windows.com
a.b.c.d is the address of the WAN interface I am trying to avoid and
x.y.z.w is the address of the WAN gateway I want to use.
The answer is here. In brief, packets sent and received by the router itself are processed by other firewall chains than packets the router just forwards.
What is not immediately clear from that diagram is that when the router itself sends a packet, first of all a route to the destination is found in routing table main. The source address is then assigned to the packet based on the out-interface chosen by routing. And only after this, the packet passes through mangle, where a routing-mark may get assigned; if it is, the packet gets routed again, using the routing table indicated (this is called /routing adjustment/ on the diagram), but its source address does not change automatically. So there must be a src-nat or mangle rule that changes the source address to the one of the interface actually used.
So as your (probably default) route in table main sends the NTP packets via “the WAN you want to avoid”, the initially assigned source address of the packet is the one of that WAN. And the “reply-to-address” is the one of the actual WAN used, assigned by the masquerade/src-nat rule.
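The packet-flow explanation above, written out as a complete rule set in RouterOS v6 syntax. This is an added example, not a configuration from the thread: the interface name lte-vlan and the mark name via-lte are taken from the posts, the LTE gateway x.y.z.w is a placeholder, and the chain choice (output, for router-originated packets) is the point the explanation makes.

```routeros
# Added example (not from the thread): steer the router's OWN NTP (udp/123)
# out the LTE WAN using mangle + routing adjustment + src-nat.
# Assumed: interface "lte-vlan", mark "via-lte", LTE gateway x.y.z.w (placeholder).

# 1. Packets the router generates traverse chain=output, not prerouting/input,
#    so the routing mark has to be assigned there.
/ip firewall mangle
add chain=output protocol=udp dst-port=123 action=mark-routing \
    new-routing-mark=via-lte passthrough=no comment="router's own NTP via LTE"

# 2. A routing mark only has an effect if a table of that name holds a route;
#    routing adjustment re-routes the marked packet through this table.
/ip route
add dst-address=0.0.0.0/0 gateway=x.y.z.w routing-mark=via-lte \
    comment="table via-lte: default route through LTE"

# 3. The source address was already picked from the main-table out-interface
#    (the WAN to avoid) before mangle ran, so rewrite it on the way out.
/ip firewall nat
add chain=srcnat out-interface=lte-vlan action=masquerade
```

To confirm the mark is actually being applied, `/ip firewall mangle print stats` should show the output-chain rule's counters increasing while `/system ntp client print` is polling; a packet with a via-lte mark but no route in that table is the usual reason the client stays on Waiting.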
Damn you're fast LOL
Okay so instead of basing the route rule on source address of NTP client (IP xxx)
You are basing it on traffic heading to ??????? assuming you have put in addresses of NTP servers on the net??
Remember the PCs don't dictate which NTP servers are contacted by the Router, the ROUTER NTP server settings do that!!
in other words one has to match the entries for NTP server on RoS
SO................... It would look like this and you need the original MAIN route and the new route for the route rule to point to!
ex.
/system ntp client
set enabled=yes primary-ntp=209.87.233.53 secondary-ntp=209.115.181.108
/system ntp server
set enabled=yes
/ip route rule
add dst-address=209.87.233.53/32 action=lookup-only-in-table table=ntp
add dst-address=209.115.181.108/32 action=lookup-only-in-table table=ntp
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In any case I expect mKX to show up to inform us that we are barking up a wrong packet flow tree.
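The destination-based variant from the snippet above, completed so that it works on its own: a route rule only selects table ntp, so that table still needs a route. This is an added example in RouterOS v6 syntax, not anav's or rextended's own export; the LTE gateway x.y.z.w and interface lte-vlan are placeholders/assumptions, and the NTP server addresses are the ones already set on the NTP client in the post.

```routeros
# Added example (not from the thread): route only traffic to the configured
# NTP servers through the LTE WAN, using a dst-address route rule.
# Assumed: LTE gateway x.y.z.w (placeholder), interface "lte-vlan".

/system ntp client
set enabled=yes primary-ntp=209.87.233.53 secondary-ntp=209.115.181.108

# The route that the rule below points to. In v6 a route belongs to a
# routing table by carrying routing-mark=<table name>.
/ip route
add dst-address=0.0.0.0/0 gateway=x.y.z.w routing-mark=ntp \
    comment="table ntp: everything through LTE"

# Only packets addressed to the NTP servers consult table ntp;
# lookup-only-in-table means no fallback to main if that table has no match.
/ip route rule
add dst-address=209.87.233.53/32 action=lookup-only-in-table table=ntp
add dst-address=209.115.181.108/32 action=lookup-only-in-table table=ntp

# Equivalent without any route rule: two host routes in table main.
# Use one approach or the other, not both.
# /ip route add dst-address=209.87.233.53/32 gateway=x.y.z.w
# /ip route add dst-address=209.115.181.108/32 gateway=x.y.z.w

# LAN clients' NTP (and anything else leaving via LTE) still needs src-nat
# on that interface.
/ip firewall nat
add chain=srcnat out-interface=lte-vlan action=masquerade
```

The route-rule form is worth keeping when many destinations share one gateway: changing `gateway=` on the single route in table ntp moves all of them at once, while the host-route form needs every route edited. Check the result with `/ip route print where routing-mark=ntp` and a `/tool traceroute 209.87.233.53`, which should leave via the LTE interface.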
The source IPs that need the NTP info do not count; if the ISP on WAN1 blocks NTP,
the NTP servers defined on the list (that are the destination of the request started from the PCs)
are forced to be reachable from the lte-vlan gateway.
Ahh yes you are quite correct, the OP is not using the NTP Server package for MT.
I wonder why not? So easy.
The question remains, can I force NTP traffic for the MT provided NTP service out a specific WAN using the ruleset I provided but using rextended's destination address method, assuming that my source address version would not work ???
So if the Router is not providing NTP services,
and all LAN PCs are using NTP direct from the internet I can see how rextended's approach looks good!!
However, since these are all LAN IPs one could use interface… Let's say all users are on the bridge
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Answered my own question, the reason why the destination address works / Superior, is that the routing deviation is ONLY used when sending traffic to those destination.
If I did it my way ALL traffic from the source addresses or interfaces identified would go out the WAN, vice just the NTP traffic.
The rule I wrote also works for RouterOS itself (if the IPs set on the NTP client are, obviously, put on the route rule dst-address)
without changing anything.
If the output is generated from RouterOS, it still goes to routing at the end.
My rules are easy because nothing else counts.
Simply, I want that IP reachable by another WAN without worrying about mangle, other routing tables or other things.
Yes, it's all good (I am also allergic to mangle). Destination address is the only choice, which surgically only sends traffic down the other WAN for packets heading to NTP servers; my attempt to use source or interface was wrong as it will send ALL traffic to the other WAN.
We make a good team, I make a wrong idea, you come by with the right idea and we all learn something.
@Sindy, do we get a packet flow blessing or are you going to pretzel another suggestion???
I use at my home the /ip route rule to drop all ASN like Facebook / WhatsApp, Twitter, Instagram and some Google parts like Doubleclick and googleadservices.com
(but do not say that to @msatter )
The OP has asked for “all NTP traffic”, not “all traffic to a particular IP address”.
If you want traffic to a particular destination address to be sent via a particular WAN, you don’t need even a routing rule to choose another routing table - a mere route in routing table main is sufficient. If you want to use something else/more than source address, destination address, and in-interface as criteria to choose a route, you need mangle. Routing rules deal with the area between those two extremes.
Not…
Sorry, but my rules are structured that way to change all gateways with one click, in just one place,
instead of opening each single route one by one to change the gateway for each IP…
About Doubleclick and googleadservices.com,
the IPs are added by script, because they are dynamically used and shared with YouTube, Gmail, Google Play, and other services.