Routing Mark - connection issues

Hello,

I am using my MikroTik router with 2 internet connections and masquerading.
On a normal day I only use the main internet connection with this configuration:

/interface list member
add comment="Main Internet" interface=ether1 list=WAN
add interface=vlan178_wan_backup list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN 
/ip route
add comment="Main Route (cable)" disabled=no distance=5 gateway=x.201.72.1

To manually switch over all traffic to the secondary internet connection I only have to enable this route:

/ip route
add comment="second Internet con" disabled=no distance=1 gateway=192.168.178.1

Both connections work pretty well with a decent speed.

Now I wanted to use the second internet connection for one host (192.168.1.100) only; all others should use the primary connection. So I disabled the "backup route" and added this:

/ip route
add comment="second Internet con Routing Mask" distance=1 gateway=192.168.178.1 routing-mark=backup

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=\
    !local in-interface=bridge new-connection-mark=con_backup passthrough=yes src-address=\
    192.168.1.100
add action=mark-routing chain=prerouting comment="OneHost over backup" connection-mark=con_backup \
    disabled=no in-interface=bridge new-routing-mark=backup passthrough=yes

This works, but the speed is very, very low. CPU load of the router is 1%.
With the static route for the secondary internet connection I get 20 Mbit down, 10 Mbit up; surfing is fast and easy.
With the routing-mark route for the secondary internet connection the internet feels very slow.
Surfing web pages takes 10 times longer with the routing-mark route. My feeling is that it takes a very long time to connect to a server. Often my browser shows errors like "PR_END_OF_FILE_ERROR". When the connection is established, the speed is OK (like with the static route).

What am I doing wrong here?

Br

Make sure you disable the "fasttrack" rule and the "fastpath" setting in IP settings, then try again.

Problem solved.
I only changed this:

/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes

Thank you!!

What was the problem with fasttrack?

BR

I believe fasttrack will jump queues, firewall filter and mangle rules.
It does this after the first packet is marked to be tracked for faster processing, by skipping those extra "unnecessary" steps.

In my case I managed to leave fasttrack enabled but added `connection-mark=no-mark` to that rule:

/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark log=no log-prefix=""

Also, I need to mark-connection in mangle whenever they need special filtering.

And where do you set the "no-mark" mark? Or is "no-mark" implicitly set when no other mark is set in the mangle ruleset?

The latter:
"If no-mark is set, rule will match any unmarked connection."

It depends on how you apply the marks whether that will work. When the mark is applied immediately at the start of the connection, e.g. by matching the source address, it can work, but when your mark is determined later it can be too late for this to work.
(Of course, when the mark changes routing, it will fail anyway when it is applied later, so for this particular usage it may work fine.)

Remember fasttrack is not compatible with advanced uses of the router, including routing marks, so you have to choose between those.
But indeed in some use cases it may work with a "partial" fasttrack.
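Pulling the two working answers together (the `connection-mark=no-mark` fasttrack rule and the advice to apply the mark on the first packet by source address), here is a complete configuration as an added example; it is not config posted in this thread or shipped by MikroTik. It uses RouterOS v6 syntax to match the `routing-mark=` route above and assumes the thread's names: `bridge` is the LAN, `ether1` the main WAN, `vlan178_wan_backup` the backup WAN with gateway 192.168.178.1, and 192.168.1.100 the host to steer. The reason the unrestricted fasttrack rule broke things follows from what was said above: once a connection is fasttracked its later packets skip mangle, so they no longer receive the routing mark and leave via the main WAN, while the connection was NATed on the backup WAN; excluding marked connections from fasttrack keeps every packet of those connections on the mangle path.

```routeros
# Added example, not from the thread or MikroTik. RouterOS v6 syntax.
# Assumed names: bridge (LAN), ether1 (main WAN), vlan178_wan_backup (backup WAN,
# gateway 192.168.178.1), host 192.168.1.100 to be steered over the backup WAN.

/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN comment="Main Internet"
add interface=vlan178_wan_backup list=WAN comment="Backup Internet"

# 1. Mark the connection on its FIRST packet, matched by source address, so the
#    mark exists before any later rule could fasttrack the connection. Only
#    non-local destinations are marked so the router's own services stay reachable.
/ip firewall mangle
add chain=prerouting connection-state=new in-interface=bridge src-address=192.168.1.100 \
    dst-address-type=!local action=mark-connection new-connection-mark=con_backup \
    passthrough=yes comment="host 192.168.1.100 -> backup WAN"
# 2. Every packet of a marked connection gets the routing mark; passthrough=no
#    because nothing below needs to see these packets again.
add chain=prerouting in-interface=bridge connection-mark=con_backup \
    action=mark-routing new-routing-mark=backup passthrough=no

# 3. Route consulted only for packets carrying routing-mark=backup; the main
#    table (and its default route via the cable gateway) is untouched.
/ip route
add gateway=192.168.178.1 routing-mark=backup distance=1 comment="backup WAN for marked traffic"

# 4. Fasttrack ONLY unmarked connections. Marked ones keep traversing mangle on
#    every packet. Keep this rule above the generic established/related accept.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark comment="fasttrack unmarked connections only"
add chain=forward action=accept connection-state=established,related

# 5. Masquerade on whichever WAN the packet actually leaves through.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade ipsec-policy=out,none

# Verification: connections from the host should carry con_backup and must NOT
# show the F (fasttrack) flag; the mangle counters should grow with its traffic.
/ip firewall connection print where connection-mark=con_backup
/ip firewall mangle print stats
/ip route print where routing-mark=backup
```

On RouterOS v7 the route takes `routing-table=backup` instead of `routing-mark=`, and the table must exist first (`/routing table add name=backup fib`); the mangle and filter rules are unchanged. If the host's connections ever appear with the `F` flag in `/ip firewall connection print`, a fasttrack rule without the `connection-mark=no-mark` condition is still matching before the mark is applied.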