Routing mark uses wrong source address (RouterOS bug?)

Hello,

I would like to send all packets for 192.0.2.1, UDP port 51522, over my LTE interface. I have put the default route for the LTE interface in routing table “default_wwan”:

[admin@SunGate1] > /ip/route/print where routing-table="default_wwan"
Flags: A - ACTIVE; s - STATIC
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#    DST-ADDRESS  GATEWAY  DISTANCE
2 As 0.0.0.0/0    lte1            1

Now assume for a moment that I ignore udp and port 51522 and I want all packets for 192.0.2.1 to be forwarded via lte interface. Then I can just create a simple routing rule:

[admin@SunGate1] > /routing/rule/print 
Flags: X - disabled, I - inactive 
 0 X dst-address=192.0.2.1/32 action=lookup table=default_wwan

All works as expected! However, I cannot do this because I additionally need to filter for udp/51522, so I create a mangle entry in the firewall:

[admin@SunGate1] > /ip/firewall/mangle/print 
Flags: X - disabled, I - invalid; D - dynamic 
[...]

 6    chain=output action=mark-routing new-routing-mark=default_wwan passthrough=no dst-address=192.0.2.1 
      log=no log-prefix=""

But now, when I ping 192.0.2.1, I indeed do see the ICMP echo request being sent through lte1 via the packet sniffer. However, the source address of the IP packets is not the address of the lte interface but the one of the default route! That makes zero sense. Of course, everything breaks.

I have tried adding pref-source to the default route, as well as adding an additional rule like this:

[admin@SunGate1] > /routing/rule/print       
Flags: X - disabled, I - inactive 
 0   routing-mark=default_wwan action=lookup-only-in-table table=default_wwan 
[...]

But none of them work.

This really can only be a bug in RouterOS? Or what am I doing wrong?

Mangle is for marking, not for changing source addresses; for that, you have to use srcnat or masquerade on the out interface.
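The reason the reply above is the right fix, and not a bug: for locally generated traffic the Linux stack underneath RouterOS v7 does its first route lookup before the output mangle chain runs, and that first lookup (in the main table, because no mark is set yet) is what picks the source address. The routing mark only causes a re-route afterwards, so the packet leaves via lte1 carrying the main-route source address; pref-src on the default_wwan route cannot change that either. Masquerade in srcnat rewrites the source on the way out. Below is a complete configuration in RouterOS v7 CLI form as an added example, not the poster's own commands: the table and interface names come from the thread, while the out-interface match on the NAT rule and the lookup-only-in-table rule are additions.

```routeros
# Added example (not from the original post). Table name default_wwan and
# interface lte1 are the ones used in the thread.

# Routing table that holds only the LTE default route.
/routing/table add name=default_wwan fib
/ip/route add dst-address=0.0.0.0/0 gateway=lte1 routing-table=default_wwan distance=1

# Mark locally generated UDP/51522 traffic to 192.0.2.1 in the output chain.
# passthrough=no so later mangle rules do not re-mark it.
/ip/firewall/mangle add chain=output dst-address=192.0.2.1 protocol=udp dst-port=51522 \
    action=mark-routing new-routing-mark=default_wwan passthrough=no

# Rewrite the source address to the lte1 address. Matching routing-mark AND
# out-interface keeps the masquerade from touching anything else that leaves
# the router.
/ip/firewall/nat add chain=srcnat routing-mark=default_wwan out-interface=lte1 action=masquerade

# Fail closed: marked packets are looked up only in default_wwan. If lte1 is
# down they become unroutable instead of silently falling back to the main
# default gateway with the wrong source address.
/routing/rule add routing-mark=default_wwan action=lookup-only-in-table table=default_wwan

# Checks: the mangle counter must increment for each matching packet, and the
# sniffer on lte1 must show the lte1 address as source.
/ip/firewall/mangle print stats
/tool/sniffer quick interface=lte1 ip-protocol=udp port=51522
```

Rule order matters in the output path: the mangle mark is set first, then the routing rule decides the table, and only then srcnat runs on the chosen out-interface, so the masquerade rule sees both the mark and lte1 as the outgoing interface.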

I see, thanks!!

I tried it and it works:

[admin@SunGate1] > /ip/route/print where routing-table=default_wwan
Flags: A - ACTIVE; s - STATIC
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#    DST-ADDRESS  GATEWAY  DISTANCE
2 As 0.0.0.0/0    lte1            1
[admin@SunGate1] > 

[admin@SunGate1] > /ip/firewall/nat/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=srcnat action=masquerade to-addresses=xx.xx.xx.xx 
      routing-mark=default_wwan log=no log-prefix="" 
[admin@SunGate1] > /ip/firewall/mangle/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    chain=output action=mark-routing new-routing-mark=default_wwan 
      passthrough=no dst-address=192.0.2.1 protocol=udp dst-port=51522 log=no log-prefix="" 
[admin@SunGate1] >

But ugh, that’s ugly. Is there really no other way to set the route for a locally generated packet?
Why does this packet need to have the wrong source address in the first place?

Another question: Is there something like routing-mark but with only looking up on this one table?
Because right now, when lte1 is down, the packets still go through the main default gateway.

Thanks!!

Just got back to this after 3 weeks. All of a sudden this does not work any longer :(

The following rule

 3    chain=output action=mark-routing new-routing-mark=default_wwan 
      passthrough=no dst-address=192.0.2.1 protocol=udp dst-port=51522 log=no log-prefix=""

does not match any longer (packet counter stays at zero), even though I mark the packets with route marking “default_wwan” in the output chain.

Why the heck could this not work any longer?