Route lookup rules: Broken?

Here’s my configuration:

/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark all traffic for vpn" connection-mark=no-mark dst-address=!192.168.1.0/24 dst-address-list="!Portforwarded Servers" in-interface-list=LAN ipsec-policy=in,none new-connection-mark=vpn1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:4/0 src-address=192.168.0.0/16 src-address-list="!Portforwarded Servers"
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=!192.168.1.0/24 dst-address-list="!Portforwarded Servers" in-interface-list=LAN ipsec-policy=in,none new-connection-mark=vpn2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:4/1 src-address=192.168.1.0/24 src-address-list="!Portforwarded Servers"
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=!192.168.1.0/24 dst-address-list="!Portforwarded Servers" in-interface-list=LAN ipsec-policy=in,none new-connection-mark=vpn3 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:4/2 src-address=192.168.1.0/24 src-address-list="!Portforwarded Servers"
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=!192.168.1.0/24 dst-address-list="!Portforwarded Servers" in-interface-list=LAN ipsec-policy=in,none new-connection-mark=vpn4 passthrough=yes per-connection-classifier=both-addresses:4/3 \
    src-address=192.168.1.0/24 src-address-list="!Portforwarded Servers"
add action=mark-connection chain=prerouting comment="exclude specific traffic from vpn routing" disabled=yes dst-address-list="!Portforwarded Servers" dst-port=443 new-connection-mark=no-mark passthrough=yes protocol=tcp src-address=192.168.1.0/24 src-address-list=\
    "!Portforwarded Servers"
add action=mark-routing chain=prerouting connection-mark=vpn1 in-interface-list=LAN passthrough=no
add action=mark-routing chain=prerouting connection-mark=vpn2 in-interface-list=LAN passthrough=no
add action=mark-routing chain=prerouting connection-mark=vpn3 in-interface-list=LAN passthrough=no
add action=mark-routing chain=prerouting connection-mark=vpn4 in-interface-list=LAN passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wireguard1 new-connection-mark=vpn1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wireguard2 new-connection-mark=vpn2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wireguard3 new-connection-mark=vpn3 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wireguard4 new-connection-mark=vpn4 passthrough=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=vpn1 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard2 routing-table=vpn2 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard3 routing-table=vpn3 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard4 routing-table=vpn4 suppress-hw-offload=no
/routing table
add disabled=no name=vpn1
add disabled=no name=vpn2
add disabled=no name=vpn3
add disabled=no name=vpn4
/routing rule
add action=lookup disabled=no routing-mark=vpn1 table=vpn1
add action=lookup disabled=no routing-mark=vpn2 table=vpn2
add action=lookup disabled=no routing-mark=vpn3 table=vpn3
add action=lookup disabled=no routing-mark=vpn4 table=vpn4

I also set up four Wireguard tunnels for a VPN so I can have the traffic distributed over them. However, no traffic is getting to the WG tunnels after adding the rules in /ip/firewall/mangle to mark packets coming in. Is there a fix? Even before I added those rules in, only a few packets made it out each interface and no website/ping worked. However, I can ping 1.1.1.1 if I do it on one particular interface. It’s not a masquerade rule problem because I already added those in. I suspect a router reboot might fix it but I can’t do that right now.
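Added example, not part of any post in this thread: a small simulation of how the four per-connection-classifier rules above split connections. PCC hashes the selected fields, divides by the denominator and compares the remainder; the first three rules hash both-addresses-and-ports while the vpn4 rule hashes both-addresses, so remainder 3 of the first hash has no rule of its own. SHA-256 stands in for the RouterOS hash (an assumption), the flows are constructed, and the other matchers in the rules are not modelled.

```python
import hashlib
from collections import Counter

# Fields each classifier hashes (RouterOS per-connection-classifier names).
FIELDS = {
    "both-addresses": ("src", "dst"),
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
}
# (classifier, denominator, remainder, mark) of the four PCC rules as posted.
RULES_AS_POSTED = [
    ("both-addresses-and-ports", 4, 0, "vpn1"),
    ("both-addresses-and-ports", 4, 1, "vpn2"),
    ("both-addresses-and-ports", 4, 2, "vpn3"),
    ("both-addresses", 4, 3, "vpn4"),
]
# Same rules with one classifier throughout, so remainders 0..3 cover every hash.
RULES_UNIFORM = [("both-addresses-and-ports", 4, r, f"vpn{r + 1}") for r in range(4)]

def pcc_hash(conn, classifier):
    """32-bit hash of the selected fields. SHA-256 is a stand-in (assumption),
    not the hash RouterOS uses; only the choice of fields matters here."""
    key = "|".join(str(conn[f]) for f in FIELDS[classifier]).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")

def classify(conn, rules):
    """First matching rule wins, as with connection-mark=no-mark on every rule."""
    for classifier, denominator, remainder, mark in rules:
        if pcc_hash(conn, classifier) % denominator == remainder:
            return mark
    return "no-mark"

def sample_connections(n=4000):
    """Constructed flows: LAN clients to TEST-NET-3 addresses, varied ports."""
    return [{"src": f"192.168.1.{10 + i % 50}",
             "dst": f"203.0.113.{1 + (i * 7) % 251}",
             "sport": 32768 + (i * 13) % 20000,
             "dport": (443, 80, 53)[i % 3]} for i in range(n)]

def distribution(rules, conns):
    """Count how many connections end up with each mark."""
    return Counter(classify(c, rules) for c in conns)

if __name__ == "__main__":
    conns = sample_connections()
    for name, rules in (("as posted", RULES_AS_POSTED), ("uniform", RULES_UNIFORM)):
        dist = distribution(rules, conns)
        print(name, {m: f"{100 * c / len(conns):.1f}%" for m, c in sorted(dist.items())})
```

With the rules as posted, roughly 3 in 16 connections stay at no-mark and vpn4 receives about 1 in 16; with a single classifier on all four rules every connection gets a mark.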

Bump! What I’m doing is basically a split tunnel VPN, which used to work but now doesn’t. However, the method I previously used was to have a single rule that marks routing and nothing else. Now, I’m marking connections and then marking routes for those connection marks.

Update: I fixed it by converting all the mangle rules to directly mark packets as it seems like connection marks don’t work very well in v7, or they’re being used wrong.

Why are you “bumping” the same day? This is not MikroTik’s service forum, it’s a user forum of volunteers.
You have to be more patient and wait for answers, but you may not receive any.

Maybe it has to do with time zones, but I made my first post yesterday night.

Rephrasing: “Why are you bumping just 20 hours later?”

Is it possible your config is broken and not the route lookup rules?
In other words, have you set up something similar on non-beta firmware, and does it work fine?

Connection marking tended to work better on non-beta firmware, but the problem I found with it not marking connections is that it couldn’t match anything other than broadcasts and multicasts with any in-interface-list set.