Hi.
I’ve recently upgraded RouterOS and the firmware on my RB951Ui-2HnD from v6 to v7 for the new WireGuard capability. The upgrade seems to have broken my mangle rule setup. To test what’s gone wrong I reset the configuration to the default and added just a single mangle rule that adds a routing mark “main” to every packet (I didn’t specify any criteria, but filtering by destination 0.0.0.0/0 didn’t work either). Upon enabling that rule, pinging the gateway (192.168.88.1) from my Windows computer fails with the following message:
Reply from 192.168.88.1: Destination host unreachable.
Layer 2 communication seems to work fine as DHCP successfully assigns the computer an IP, and I can connect WinBox to the router by specifying its MAC address. Looking at the Wireshark capture, the only packets coming from 192.168.88.1 are ICMP destination unreachable and MNDP broadcasts.
My understanding was that adding a routing mark selects which routing table is traversed during routing, which in this case should just be the default table. I also disabled the fasttrack rule in the firewall, to no avail.
What am I missing?
I got my setup working by creating an empty routing table, and setting the routing mark to that table instead of “main”. Since the table contains no routes, any packet with that mark seems to fall back to the main routing table, as expected.
It is not obvious to me from the documentation why “clearing” the routing mark by setting it to “main” does not work anymore compared to ROS v6.
(1) In V7 you need to separately create tables:
/routing table
add fib name=to-ISP1
add fib name=to-ISP2
(2) Mangle rules do not change, you still need new-routing-mark=to-ISPX
(3) IP routes change - you do NOT use route-marking in IP route, instead you use routing-table:
/ip route
add dst-address=0.0.0.0/0 gateway=ISPX routing-table=to-ISPX
Thanks, but I’ve figured that much. That’s not what I had issues with.
In my original setup I first mark all traffic with “towan”. I then mark all traffic going to local networks with “main” to reset it back to the default table. Next I match on traffic with a routing mark “towan” and a list of outbound ports, and mark that traffic with “towan2”. I do this to bypass an outbound port filter in an upstream firewall.
In v7 I had to mark traffic going to local networks with a routing mark corresponding to an empty routing table I created instead of “main”.
Perhaps a better solution would be to create an address list of all local networks and match all traffic not in that list. I’m not sure if address lists are a new possibility in ROS v7, or if I just missed them in v6.
The reason that your setup works in v6 and not in v7 probably is that in v7 a routing mark means “lookup ONLY in this table” and in v6 it meant “lookup first in this table and then try table main”.
This subtle difference means that you NEED to either put explicit routes to the local networks in each routing table, or indeed make sure that you never apply a routing mark on traffic that is to be routed locally.
I have requested a feature to have the option to include local routes in a table created with “/routing table add”, best with an interface list. But although others agree it is a good idea it has not (yet) been implemented.
For now you can indeed use an address list; I also do that. These have existed for a long time (even before interface lists).
@pe1chl
Do you mean something like this at the start of the mangle rules?
/ip firewall mangle
add action=accept chain=prerouting in-interface-list=LAN dst-address-list=MyWANS
add action=accept chain=prerouting in-interface-list=LAN dst-address-type=local
Where the first rule accepts traffic from any LAN user to any other LAN users, and MyWANS are all the local subnets.
The second rule ensures local-to-router traffic is permitted as well before any further mangling shenanigans like load balancing.
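Putting pe1chl's explanation ("lookup ONLY in this table" in v7) together with the accept-rule pattern just above, here is an added example of a complete v7-style setup in which locally routed traffic never receives a routing mark; it is not configuration posted by anyone in this thread. The subnet 192.168.88.0/24, the list name local-nets, the table name towan and the gateway address 203.0.113.1 are assumptions.

```routeros
# v7: every routing table must be created explicitly; fib= installs it into the kernel FIB
/routing table
add fib name=towan

# Address list of every local subnet. Traffic to these must never be marked, because in v7
# a routing mark means "look up ONLY in that table", with no fallback to table main.
/ip firewall address-list
add list=local-nets address=192.168.88.0/24 comment="LAN (assumed subnet)"

/ip firewall mangle
# 1. LAN-to-LAN traffic leaves the chain unmarked and is therefore routed from table main
add chain=prerouting action=accept in-interface-list=LAN dst-address-list=local-nets
# 2. Traffic addressed to the router itself (e.g. the ping to 192.168.88.1 in the first post)
#    also stays unmarked
add chain=prerouting action=accept in-interface-list=LAN dst-address-type=local
# 3. Only what is left, i.e. traffic leaving the local networks, gets the mark
add chain=prerouting action=mark-routing in-interface-list=LAN new-routing-mark=towan \
    passthrough=no

# v7: the route is bound to the table with routing-table=, not with a routing mark
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=towan \
    comment="upstream gateway (assumed address)"
```

Because the two accept rules run first, table towan only ever needs its default route; no copies of the connected routes for the local subnets are required.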