Traffic route through Virtual Wifi (station) mode

RouterOS General
1

So my isp sometimes has odd issues where local loop latency spike to 2000ms+ on fiber and can last for few minutes to hours, packet loss etc. (hAP Lite, 6.41)

So what I have done to help bypass some this is type have my android phone host a hotspot over its cell network, lte/3g..etc. So far I have it as Virtual wifi interface (wlan2) under wlan1 as master,
mode=station, masterinterface=wlan1, securityprofile=(wpa2 psk profile for key of phone), made a masq rule under NAT chain=scrnat, outinterface=wlan2, action=masquerade, it connects it passes traffic though that instead of my (wan1) fibre, and it auto creates routes in route list in image below;

However I DO NOT want it route all of my networks traffic to it, just one ip address, in this case 10.0.0.8, I created a mangle rule with packet marking, chain=prerouting scraddress=10.0.0.8 action=markrouting new routing mark=3G passthrough=enabled, created route, dst-address=192.168.43.0/24 gateway=wlan2(reachable) distance=1 (cant set to 0) scope=10 targetscope=10 routing mark=3G, pref.source= 192.168.43.23 (tried leaving it blank, or 192.168.43.0)

This does not work for some reason any ideas? am I missing something?

I am able to do the same setup with pptp or l2tp vpn setup and it works fine I am able to route traffic from the src ip 10.0.0.8 but not over wlan2 interface.

2

Specify a gateway with IP address instead of interface in your route

3

Thanks, but did not make a difference

4

In your dhcp-client, uncheck add default route. Now add your own route.

/ip route add gateway=192.168.43.1 routing-mark=3G

Assuming the phones hotspot ip is 192.168.43.1.

5

Thanks, however the route is still added even if I set the dhcp-client to say no for default routes.

Still having same issues any how

6

Post the result of

/ip route export
7

[admin@MikroTik] > /ip route export

apr/22/2018 21:17:16 by RouterOS 6.41

software id = BTCY-AN6D

model = RouterBOARD 941-2nD

serial number = 5B3205A5E67D

/ip route
add disabled=yes distance=1 gateway=VPN-C routing-mark=VPN
add disabled=yes distance=1 gateway=VPN-dnsproxy routing-mark=VPN-N
add disabled=yes distance=1 dst-address=196.14.9.32/32 gateway=ether1-WAN routing-mark=VPN-N
add distance=1 gateway=192.168.43.1 routing-mark=3G
add disabled=yes distance=1 gateway=ether1-WAN

------------------------------------------------- update for previous post -------------------------------------------------------
So it does actually stop this route from being added

however when ever I set the routing marking the route list (3G) it doesn't work, when I remove the marking it works, by work I mean its passing all traffic its not routing out 10.0.0.8 traffic only.

but.. I cannot stop this route from being created (it's created when the virtual station wifi mode connects)

8

You need that second route. Try changing your mangle to

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!10.0.0.0/24 \
    new-routing-mark=3G passthrough=no src-address=10.0.0.8
9

still no change

10

Actually, if you are using the router for DNS, disabling all default routes will cause the router to not be able to resolve DNS. Add a route for ether1 with a routing mark and then add another mangle rule for the whole 10.0.0.0/24 with the same routing mark. And then re-enable the add default route on the dhcp-client.

11

I have quicker way to check if its dns related, I cannot ping 8.8.8.8

but I’m not sure what you mean by “Add a route for ether1 with a routing mark and then add another mangle rule for the whole 10.0.0.0/24 with the same routing mark” my Ether1 is my ONT/fibre
device with its own IP, could you elaborate?

tracert with mangling disabled or no routing mark on the rule

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.0.0.64
2 6 ms 3 ms 2 ms 192.168.43.1
3 * * * Request timed out.
4 142 ms 19 ms 18 ms 10.104.38.78
5 * * * Request timed out.
6 53 ms 17 ms 21 ms 10.104.195.35
…etc

Tracert with mangle rule enabled

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.0.0.64
2 4 ms 2 ms 2 ms 192.168.43.1
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
rest all timed out for 19hops

12

This is what I meant:

/ip route
add gateway=192.168.43.1 routing-mark=WAN
add gateway=<ether1 IP address> routing-mark=WAN

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!10.0.0.0/24 \
    new-routing-mark=3G passthrough=no src-address=10.0.0.8
add action=mark-routing chain=prerouting dst-address=!10.0.0.0/24 \
    new-routing-mark=WAN passthrough=no src-address=10.0.0.0/24

I noticed you did a TraceRoute from 10.0.0.64, you did change your mangle rule to this ip correct?

Maybe a /export hide-sensitve would give a better picture.

13

Ah, now that we see the correct info, things are more clear.

In DHCP client, disable add default route so it gets rid of below;

Leave the below alone, it is a direct connected route and is needed

Then create a mangle rule as per 2frogs, this will mark packets for routing,

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!10.0.0.0/24 \
    new-routing-mark=3G passthrough=no src-address=10.0.0.8

Then create default route as per 2frogs, this will use the routing mark specified above for routing from the source address 10.0.0.8

/ip route add dst-Address=0.0.0.0/0 gateway=192.168.43.1 routing-mark=3G

From a routing perspective, above should work
If this does not work, check if you have fasttrack enable, if so disable it as it does not work with policy routing (It can, but gets complicated).
I have limited experience with phone hotspots, but with normal hotspots you have what they call “walled garden” settings, you might need to dig deeper into those settings if they exist

14

Shouldn’t the 192.168.43.1 be 3G marking not WAN on the routes ?

add gateway=192.168.43.1 routing-mark=WAN

Also the 10.0.0.64 is my Mikrotiks IP, guess its just windows/Cmd not showing the local ip first of the computer, but it is 10.0.0.8 as the src (the computer I’m on every day :stuck_out_tongue:)

and those rules didn’t work either just getting no traffic through put

I’ll try export and remove sensitive data, like mac white-lists and scripts some port knocking stuff and I’ll post it here.

15

Its MTN network (South Africa as well), anyway reason its not a walled garden is because if I don’t do any sort of packetmarking & routing the entire network works fine, I can access anything over Hotspot network just when I start doing route marking ..etc it derps.

16

Remove “dst-address=!10.0.0.0/24” from mangle rules and try again?

17

Sorry for the late reply, just been busy last couple days, But yeah disabling the dst-address does nothing ;/

18

So I was testing by cutting wifi connection out completely and using a dialed L2TP vpn conneciton on the router and a mangle rule, routes, nat…etc the basic stuff, and its not working either now… something is actively stopping the routing… its weird. Firewall rules prehaps?
firewall dump below, I’ve removed disabled and sensitive rules.

[admin@MikroTik] > ip firewall export 
# apr/27/2018 23:55:03 by RouterOS 6.42.1
# software id = BTCY-AN6D
#
# model = RouterBOARD 941-2nD
# serial number = 5B3205A5E67D
/ip firewall address-list
add address=10.0.0.0-10.0.0.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=10.0.0.8 list="Sony XZ network"
add address=192.168.43.0-192.168.43.254 disabled=yes list=allowed_to_router

/ip firewall filter

add action=accept chain=input comment="default configuration" connection-state=established,related

add action=accept chain=input src-address-list=allowed_to_router



add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp src-address-list=Knocked-LO
add action=accept chain=input comment="Remote Mikrotik Webaccess" dst-port=80 log=yes protocol=tcp src-address-list=Knocked-LO
add action=drop chain=input

add action=reject chain=forward comment="Reject MS Telemetry" dst-address-list=MStelemetry log-prefix="M\$" out-interface=all-ethernet reject-with=icmp-host-prohibited
add action=drop chain=input comment="Attack Protection" dst-port=21,22,53 in-interface=ether1-WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=udp
add action=drop chain=input dst-port=23 in-interface=ether1-WAN protocol=tcp
add action=drop chain=input dst-port=23 in-interface=ether1-WAN protocol=udp
add action=drop chain=input dst-port=445 in-interface=ether1-WAN protocol=udp
add action=drop chain=input dst-port=445 in-interface=ether1-WAN protocol=tcp


add action=accept chain=input comment="Allow access to router from known network" disabled=yes src-address-list=safe

add action=drop chain=forward comment="Drop invalid" connection-state=invalid log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1-WIFI+ether2 \
    out-interface=!bridge1-WIFI+ether2
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1-WAN src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" disabled=yes in-interface=bridge1-WIFI+ether2 src-address=!10.0.0.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn-phone passthrough=yes src-address=10.0.0.75
add action=mark-routing chain=prerouting disabled=yes dst-address=!10.0.0.0/24 new-routing-mark=3G passthrough=no src-address=10.0.0.8
add action=accept chain=prerouting disabled=yes log-prefix=3G src-address=10.0.0.8


/ip firewall nat
add action=masquerade chain=srcnat comment="VPN MASQ" out-interface=VPN-dnsproxy
add action=masquerade chain=srcnat comment=MASQ out-interface=ether1-WAN
add action=masquerade chain=srcnat comment="3G MASQ" disabled=yes out-interface=wlan2

/ip firewall service-port
set irc ports=7000,6667
[admin@MikroTik] >
19

So I’ve appeared to have fixed it

/ip settings rp-filter=strict

turns out this is a bad idea Reverse Path Filtering (and should be set to no), guess the router thought it was being spoofed or something and just dropping packets no wonder my graph looked weird in traffic under the interface it was sending out packets (tx) but not allowing to be received (rx)?

I followed this guide: https://www.manitonetworks.com/networking/2017/7/25/mikrotik-router-hardening
to help with security a bit turns out it was a little too tight
Anyway, Thanks guys, @2frogs and @CZFan appreciate the help!