Route traffic from subnet to another WAN

Hi,

I’m having trouble routing traffic for the hosts with IPs in subnet 10.13.13.0/24 (connected to ether4) through a dedicated WAN connection connected to ether3.

/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
add address=10.13.13.1/24 interface=ether4-MAT network=10.13.13.0
add address=1.2.3.2/30 interface=ether3-VDF network=1.2.3.0

/ip route
add distance=1 gateway=1.2.3.1 routing-mark=VDF-route

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether3-VDF src-address=10.13.13.0/24 to-addresses=1.2.3.2

This works for ICMP and UDP, but is horribly slow for TCP:

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VDF-route passthrough=no src-address=10.13.13.0/24

This should work, but the computers in 10.13.13.0/24 lose connection to the Internet:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether3-VDF new-connection-mark=VDF passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=VDF passthrough=yes src-address=10.13.13.0/24
add action=mark-routing chain=output connection-mark=VDF new-routing-mark=VDF-route passthrough=no

How can I fix it?

Thank you.

If there is a rule with action=fasttrack-connection in chain forward of /ip firewall filter, disable it and see whether it helps with this setting. Fasttracked packets bypass mangle, so they get no routing-mark and thus use the wrong gateway. Not all packets belonging to fasttracked connections are actually fasttracked, which explains why it works at least somehow.


In this case, you assign the routing-mark only to packets sent by the router itself (as you use action=mark-routing only in chain output), which is not what you actually want. On the other hand, packets from 10.13.13.0/24 should thus use the other WAN connection, so without seeing the complete configuration it is hard to say why the devices in this subnet cannot get to the internet. The only NAT rule you’ve shown won’t work for them as it is linked to out-interface=ether3-VDF, so if other NAT rules are non-existent or also narrowly targeted, this could be an explanation.
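The following is an added example that puts both points of the reply above into one configuration; it is not the original poster's config and not taken from the thread. It assumes RouterOS v6 syntax (routing-mark= on the route; v7 needs "/routing table add name=VDF-route fib" and routing-table= instead), the interface names and addresses from the post, and that the usual fasttrack-connection rule exists in chain forward of /ip firewall filter:

```routeros
# Added example, not the poster's configuration. Assumes RouterOS v6.

/ip route
add distance=1 gateway=1.2.3.1 routing-mark=VDF-route

/ip firewall mangle
# 1. Connections that arrive on the VDF WAN (to the router or a forwarded
#    port) get the VDF mark so that their replies leave via VDF again.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether3-VDF new-connection-mark=VDF passthrough=yes
# 2. Connections initiated by the 10.13.13.0/24 hosts get the same mark.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    src-address=10.13.13.0/24 new-connection-mark=VDF passthrough=yes
# 3. Forwarded packets: the routing-mark has to be set in prerouting, i.e.
#    before the routing decision, for every packet of a VDF connection.
#    Traffic towards the other LAN stays in the main routing table.
add action=mark-routing chain=prerouting connection-mark=VDF \
    dst-address=!10.0.0.0/24 new-routing-mark=VDF-route passthrough=no
# 4. Packets the router itself sends within a VDF connection (replies to
#    connections that came in on ether3-VDF) only pass chain output.
add action=mark-routing chain=output connection-mark=VDF \
    new-routing-mark=VDF-route passthrough=no

/ip firewall filter
# Fasttracked packets skip mangle and lose the routing-mark, so keep VDF
# connections out of fasttrack. Place this rule where your existing
# fasttrack rule sits, ahead of the established/related accept rule.
add action=fasttrack-connection chain=forward \
    connection-state=established,related connection-mark=!VDF
add action=accept chain=forward connection-state=established,related

/ip firewall nat
# src-nat for the VDF WAN; a separate srcnat rule for the primary WAN is
# still required for the hosts behind bridge1 (not shown in the thread).
add action=src-nat chain=srcnat out-interface=ether3-VDF \
    src-address=10.13.13.0/24 to-addresses=1.2.3.2
```

The connection mark is set on the first packet in prerouting, which runs before chain forward, so the fasttrack rule already sees connection-mark=VDF on the second packet and leaves those connections to the slow path; everything else is still fasttracked. Checking /ip firewall connection for the VDF mark and /ip route for the route in routing-mark=VDF-route is the quickest way to confirm both halves are in effect.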