Very strange issue with mangle

Hello everyone,

Currently I’ve got a weird situation with some mangle rules; the rules in question are these:

/ip firewall mangle
add action=mark-connection chain=prerouting comment="##Start of MGMT Access Rules##" connection-mark=no-mark in-interface=ether10 \
    new-connection-mark=mgmt_connection passthrough=no
add action=accept chain=prerouting in-interface=ether10
add action=mark-routing chain=prerouting connection-mark=mgmt_connection new-routing-mark=mgmt passthrough=no
add action=mark-routing chain=output comment="##End of MGMT Access Rules##" connection-mark=mgmt_connection new-routing-mark=mgmt \
    passthrough=no

There are no other firewall rules in this router; it’s brand new and just updated to the latest BFO (6.38.7 as of this writing).

Aside from these:

/ip address
add address=123.1.X.X/28 interface=ether10 network=123.1.X.X
add address=172.16.0.3/29 interface=ether9 network=172.16.0.0

And

/ip route add gateway=123.1.X.X routing-mark=mgmt

There’s nothing else in this router.

So, the idea here is to use ether10 as a management connection and nothing else; I don’t want the default route tied to this interface to be used for production traffic. However, it’s not working. I am connecting via the local IP 172.16.0.3 (from 172.16.0.2) to check the router’s functionality and trying to connect from the Internet to 123.1.X.X. I can see the traffic reaching the router via ether10, the rules catching the traffic and the connections being marked; however, I can’t connect to the router.

If I use the same default route in the main table I can connect, so there’s no issue with ports being blocked, my upstream, etc. I’ve also tried redoing all the rules, changing the naming convention for the marks, etc. Nothing seems to fix it.

If you want to know, I’m doing this since RouterOS is not VRF-aware for internal services or management, so I’m trying “to emulate” this.

I’ve used similar configurations in the past for load balancers and they work. I don’t see any issue here, but I’d like someone to review this; maybe I’m currently overlooking something (not a good time, haha).

Thank you.

No changes in /ip settings, for example rp-filter?

Hi, none at all, I’ve even restarted the router to factory settings.

I figured out what happened, just in case anyone else needs to know: it’s all about how MikroTik processes locally originated outgoing packets. If you check the packet flow, this happens after the routing decision, so basically the router checks the current table (in this case the main one) and since it doesn’t see a valid route (there’s no specific route and the only default route is inside the mgmt table) it just discards the packet. Adding an active default route to the main table (it doesn’t really matter if it’s valid or not) fixes this: it sees a route and then goes to mangle output as intended.

I didn’t notice this before because in the load balancers I always leave at least one default route in the routing table.

Anyway, to me this isn’t a good solution; the ideal solution would be to have service-aware VRFs, because now I need to keep a default route in the main routing table for this, pointing to a bridge, to avoid other issues.
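For anyone who lands on this thread with the same symptom, here is a complete minimal configuration that applies the fix described in the last post. This is an added example, not the poster's own configuration: the dummy bridge name (mgmt-dummy), the distance value and the comments are assumptions, and 123.1.X.X is left exactly as the thread wrote it. It keeps the management marking from the first post and adds the placeholder default route in the main table, pointed at a port-less bridge so that production traffic is never sent out ether10 while the route still counts as active.

```routeros
# Added example (not from the thread). Assumed names: mgmt-dummy bridge,
# distance 254 on the placeholder route. 123.1.X.X kept as in the thread.

# 1. Mark management connections arriving on ether10 and send their
#    replies (forwarded and locally originated) through the mgmt table.
/ip firewall mangle
add chain=prerouting in-interface=ether10 connection-mark=no-mark \
    action=mark-connection new-connection-mark=mgmt_connection passthrough=no \
    comment="##Start of MGMT Access Rules##"
add chain=prerouting connection-mark=mgmt_connection \
    action=mark-routing new-routing-mark=mgmt passthrough=no
add chain=output connection-mark=mgmt_connection \
    action=mark-routing new-routing-mark=mgmt passthrough=no \
    comment="##End of MGMT Access Rules##"

# 2. Default route that only the mgmt table sees (the real upstream on ether10).
/ip route
add dst-address=0.0.0.0/0 gateway=123.1.X.X routing-mark=mgmt

# 3. The fix: the main table needs an *active* default route, otherwise the
#    router's own replies are dropped at the routing decision before they
#    ever reach the mangle output chain. A bridge with no ports is always
#    "running", so a route through it stays active but carries nothing
#    anywhere (assumed name: mgmt-dummy; high distance so a real default
#    route added later wins automatically).
/interface bridge
add name=mgmt-dummy
/ip route
add dst-address=0.0.0.0/0 gateway=mgmt-dummy distance=254 \
    comment="placeholder: keeps locally originated packets from being dropped"

# 4. Checks: the placeholder route must show the A (active) flag, the mgmt
#    route must sit in its own table, and management sessions should show
#    up with the connection mark while mangle counters increase.
/ip route print where dst-address=0.0.0.0/0
/ip route print where routing-mark=mgmt
/ip firewall connection print where connection-mark=mgmt_connection
/ip firewall mangle print stats
```

If the first print shows the placeholder route without the A flag (for example because the bridge was disabled), the original symptom comes straight back: connections get marked but the router never answers, which is the quickest way to confirm you are hitting this exact issue and not a port or upstream problem.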