Routing specific traffic from single host out secondary gateway

localloop · February 3, 2017, 9:21pm

Scenario:

RB2011 with two WAN connections:
pppoe
lte

There are two default routes.
0.0.0.0/0 with distance 1 sends all traffic out of pppoe
0.0.0.0/0 with distance 2 sends all traffic out lte in case of pppoe failing.

We have one host on the network that we want to use the lte as the primary out interface, but we want to send their amazon s3 backup traffic out the pppoe.

I’ve made an address-list named amazonips that contains all of amazon’s ip ranges.
I am mangling all traffic sent to amazonips so it marks the route as amazon.

/ip firewall mangle
add action=mark-connection chain=forward dst-address-list=amazonips new-connection-mark=amazon
add action=mark-routing chain=prerouting connection-mark=amazon new-routing-mark=amazon

I have a route that matches the routing mark amazon, which sends amazon traffic out the pppoe interface.

/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=amazon

My question is, how do I create a route which matches all other traffic from that single host, and sends it out the lte interface?
I tried marking the connection from the source IP for all traffic NOT sent to the amazonips address list. But when I created a route out the lte interface matching this routing mark the user lost all internet connectivity.

/ip firewall mangle
add action=mark-connection chain=forward dst-address-list=!amazonips new-connection-mark=carol-lte src-address=192.168.1.5
add action=mark-routing chain=prerouting connection-mark=carol-lte new-routing-mark=carol

/ip route
add check-gateway=ping distance=1 gateway=lte1 routing-mark=carol

What am I doing wrong?

Sob · February 4, 2017, 7:38pm

It’s too late to mark connection in forward chain, if you also need to mark routing for all its packets, because in forward chain, routing is already decided. What happens is that first packet takes default route and only following ones take marked route. And obviously it can’t work. So move connection marking to prerouting (and before route marking rules).

You can also save some processing with connection-mark=no-mark condition:

/ip firewall mangle
add chain=prerouting src-address=192.168.1.5 dst-address-list=amazonips \
    connection-mark=no-mark action=mark-connection new-connection-mark=amazon \
    passthrough=yes
add chain=prerouting src-address=192.168.1.5 \
    connection-mark=no-mark action=mark-connection new-connection-mark=carol-lte \
    passthrough=yes

localloop · February 5, 2017, 2:13pm

Sob:

It’s too late to mark connection in forward chain, if you also need to mark routing for all its packets, because in forward chain, routing is already decided. What happens is that first packet takes default route and only following ones take marked route. And obviously it can’t work. So move connection marking to prerouting (and before route marking rules).

You can also save some processing with connection-mark=no-mark condition:
/ip firewall mangle
add chain=prerouting src-address=192.168.1.5 dst-address-list=amazonips \
    connection-mark=no-mark action=mark-connection new-connection-mark=amazon \
    passthrough=yes
add chain=prerouting src-address=192.168.1.5 \
    connection-mark=no-mark action=mark-connection new-connection-mark=carol-lte \
    passthrough=yes

Thank you. I’ll be testing this Monday.

Sent from my Nexus 6P using Tapatalk

localloop · February 7, 2017, 7:11pm

Sob:

It’s too late to mark connection in forward chain, if you also need to mark routing for all its packets, because in forward chain, routing is already decided. What happens is that first packet takes default route and only following ones take marked route. And obviously it can’t work. So move connection marking to prerouting (and before route marking rules).

You can also save some processing with connection-mark=no-mark condition:
/ip firewall mangle
add chain=prerouting src-address=192.168.1.5 dst-address-list=amazonips \
    connection-mark=no-mark action=mark-connection new-connection-mark=amazon \
    passthrough=yes
add chain=prerouting src-address=192.168.1.5 \
    connection-mark=no-mark action=mark-connection new-connection-mark=carol-lte \
    passthrough=yes

Here are my new rules. Still losing internet connectivity on the PC. I’ve truncated some of the routing table for privacy reasons.

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=amazonips new-connection-mark=amazon src-address=192.168.1.5
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=carol-lte src-address=192.168.1.5
add action=mark-routing chain=prerouting connection-mark=amazon new-routing-mark=amazon
add action=mark-routing chain=prerouting connection-mark=carol-lte new-routing-mark=carol

/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=amazon
add check-gateway=ping distance=2 gateway=10.10.10.1 routing-mark=carol
add check-gateway=ping distance=4 gateway=10.10.10.1

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pppoe-out1                1
 1 A S  0.0.0.0/0                          10.10.10.1                2
 2 ADS  0.0.0.0/0                          #.#.#.#               3
 3   S  0.0.0.0/0                          10.10.10.1                4

Sob · February 11, 2017, 2:49am

I’m affraid I don’t see anything obviously wrong now.