Using connection-mark in NAT rule doesn't work?

Hello

I have an issue with using a connection-mark in a NAT rule. (Background: We have a webcam behind a static IP and I want to limit access, it should be reachable only if the right subdomain - let’s say webcam.domain.tld, revealed by the HTTP Host:-header - was used.)

I have the following basic NAT rule (works):
chain=dstnat action=dst-nat to-addresses=192.168.200.11 to-ports=80 protocol=tcp in-interface=pppoe-out1 dst-port=80

I have the following mangle rule (works):
chain=prerouting action=mark-connection new-connection-mark=webcam passthrough=yes protocol=tcp dst-address=<public_ip> layer7-protocol=webcam dst-port=80 connection-mark=no-mark

I have the following L7 protocol rule (works):

NAME REGEXP

0 webcam Host: webcam.domain.tld

I can see requests made via the webcam.domain.tld URL to get marked as webcam (in WinBox).

Now, when I change the NAT rule to have the requirement “connection-mark=webcam”, it does NOT work anymore. No connection gets marked (and NATed) anymore. :frowning:

It seems things are not happening in the order pre-routing, NAT?! Otherwise I would expect the mangle rule to still work?

EDIT: CCR, ROS 6.7

Simply set the layer 7 protocol on the NAT rule without any kind of mangle; the mangle rules are useless here.

/ip firewall layer7-protocol
add name=webcam.domain.tld regexp=webcam.domain.tld
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=80 layer7-protocol=webcam.domain.tld protocol=tcp to-addresses=192.168.200.11 to-ports=80

I have not checked the layer7; write yours on the forum, but remember:

webcam.domain.tld is equal to:
webcam(any single character)domain(any single character)tld
(it really does not matter)

Actually, this was my first approach. But since it did not work, I tried the step with the mangle rule in between, because there I could see that the connection actually gets marked (hence the rule worked). Or is there a more elegant method to troubleshoot an L7 regex?

webcam(any single character)domain(any single character)tld

Well, good point. I changed it to webcam.domain.tld now. (double backslashes when in terminal)

But something is really buggy with this L7 function; try the following:

/ip firewall layer7-protocol
add name=any regexp=.

Now add this to a working NAT rule, and it DOES NOT work anymore.

I hope you have written your own layer7 rule,

webcam.domain.tld = exactly the content “webcam.domain.tld” on layer7

try this:

.webcam.domain.tld. = any layer 7 contain webcam.domain.tld

The L7 rule itself is working, I can verify this by checking the connections - as long as I do not use the rule in NAT. If I connect using www.domain.tld it’s not marked, when I connect to webcam.domain.tld it gets marked. Perfect.

The problem (bug?) is in the NAT rule. It doesn’t matter if I add connection-mark or directly l7-protocol there, the NAT stops working.

Did you try this?
/ip firewall nat
add action=dst-nat chain=dstnat content=webcam.domain.tld dst-address=1.1.1.1 dst-port=80 protocol=tcp to-addresses=192.168.200.11 to-ports=80

Sorry, but I can not experiment myself because actually I’m not at the office.

Remember: the layer7 check only covers the first 2k bit or the first 4 packets [whichever happens first]

Doesn’t work either. :frowning:

This feature seems to be a giant clusterf*ck… :imp:

Since you tell the router to only NAT packets that are marked with “webcam-mark”, and at the first packet (SYN) there is no packet carrying the “webcam-mark” to be NATed, no connection can be established, and then there is no connection to be marked … IMHO
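The order-of-operations argument in the reply above, as an added toy model of the router's packet path (not RouterOS code and not from the thread): dst-nat is decided on the first packet of a connection, the TCP SYN, which carries no HTTP payload, so neither the L7 matcher nor a connection mark derived from it can be satisfied at that point. The regexp uses escaped dots, as noted earlier in the thread; the 2048-byte inspection limit is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Escaped dots: an unescaped "." would match any single character.
L7_WEBCAM = re.compile(rb"Host: webcam\.domain\.tld")
L7_LIMIT = 2048  # assumed size of the payload window the L7 matcher inspects

@dataclass
class Conn:
    """Conntrack entry as the router sees it for one client connection."""
    inspected: bytes = b""        # payload collected so far for the L7 matcher
    mark: Optional[str] = None    # connection-mark set by mangle prerouting
    dnat: Optional[bool] = None   # dst-nat verdict, fixed on the first packet

def mangle_prerouting(conn: Conn, payload: bytes) -> None:
    # mark-connection with passthrough=yes: accumulate payload and set the
    # mark once the regexp matches (it is only ever set once per connection).
    conn.inspected = (conn.inspected + payload)[:L7_LIMIT]
    if conn.mark is None and L7_WEBCAM.search(conn.inspected):
        conn.mark = "webcam"

def dstnat(conn: Conn, require_mark: bool) -> None:
    # chain=dstnat is consulted only for the first packet of a connection;
    # every later packet inherits that verdict from the conntrack entry.
    if conn.dnat is None:
        conn.dnat = (not require_mark) or conn.mark == "webcam"

def simulate(require_mark: bool, host: bytes) -> dict:
    """Run one client connection through mangle prerouting and dstnat.

    require_mark=True models adding connection-mark=webcam to the NAT rule."""
    conn = Conn()
    # Packet 1: TCP SYN, no payload. Both prerouting steps run on it.
    mangle_prerouting(conn, b"")
    dstnat(conn, require_mark)
    if not conn.dnat:
        # The SYN was not translated, so it never reaches 192.168.200.11;
        # the handshake fails and the client never sends an HTTP request.
        return {"dnat": False, "mark": conn.mark, "request_seen": False}
    # Packet 2: final ACK of the handshake, still no payload.
    mangle_prerouting(conn, b"")
    dstnat(conn, require_mark)
    # Packet 3: the HTTP request; only now does a Host: header exist.
    request = b"GET / HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"
    mangle_prerouting(conn, request)
    dstnat(conn, require_mark)
    return {"dnat": True, "mark": conn.mark, "request_seen": True}

if __name__ == "__main__":
    print(simulate(False, b"webcam.domain.tld"))  # NAT works, mark gets set
    print(simulate(True, b"webcam.domain.tld"))   # NAT never happens
```

With the unconditional NAT rule the mark appears only after the request packet, which is what the original poster observed in WinBox; with the mark required in NAT the SYN is never translated.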