Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Route lookup rules: Broken?

Sat Jul 31, 2021 2:34 am

Here's my configuration:
/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark all traffic for vpn" connection-mark=no-mark dst-address=!192.168.1.0/24 dst-address-list="!Portforwarded Servers" in-interface-list=LAN ipsec-policy=in,none new-connection-mark=vpn1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:4/0 src-address=192.168.0.0/16 src-address-list="!Portforwarded Servers"
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=!192.168.1.0/24 dst-address-list="!Portforwarded Servers" in-interface-list=LAN ipsec-policy=in,none new-connection-mark=vpn2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:4/1 src-address=192.168.1.0/24 src-address-list="!Portforwarded Servers"
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=!192.168.1.0/24 dst-address-list="!Portforwarded Servers" in-interface-list=LAN ipsec-policy=in,none new-connection-mark=vpn3 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:4/2 src-address=192.168.1.0/24 src-address-list="!Portforwarded Servers"
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=!192.168.1.0/24 dst-address-list="!Portforwarded Servers" in-interface-list=LAN ipsec-policy=in,none new-connection-mark=vpn4 passthrough=yes per-connection-classifier=both-addresses:4/3 \
    src-address=192.168.1.0/24 src-address-list="!Portforwarded Servers"
add action=mark-connection chain=prerouting comment="exclude specific traffic from vpn routing" disabled=yes dst-address-list="!Portforwarded Servers" dst-port=443 new-connection-mark=no-mark passthrough=yes protocol=tcp src-address=192.168.1.0/24 src-address-list=\
    "!Portforwarded Servers"
add action=mark-routing chain=prerouting connection-mark=vpn1 in-interface-list=LAN passthrough=no
add action=mark-routing chain=prerouting connection-mark=vpn2 in-interface-list=LAN passthrough=no
add action=mark-routing chain=prerouting connection-mark=vpn3 in-interface-list=LAN passthrough=no
add action=mark-routing chain=prerouting connection-mark=vpn4 in-interface-list=LAN passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wireguard1 new-connection-mark=vpn1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wireguard2 new-connection-mark=vpn2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wireguard3 new-connection-mark=vpn3 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wireguard4 new-connection-mark=vpn4 passthrough=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=vpn1 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard2 routing-table=vpn2 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard3 routing-table=vpn3 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard4 routing-table=vpn4 suppress-hw-offload=no
/routing table
add disabled=no name=vpn1
add disabled=no name=vpn2
add disabled=no name=vpn3
add disabled=no name=vpn4
/routing rule
add action=lookup disabled=no routing-mark=vpn1 table=vpn1
add action=lookup disabled=no routing-mark=vpn2 table=vpn2
add action=lookup disabled=no routing-mark=vpn3 table=vpn3
add action=lookup disabled=no routing-mark=vpn4 table=vpn4
I also set up four WireGuard tunnels for a VPN so I can have the traffic distributed over them. However, no traffic is getting to the WG tunnels after adding the rules in /ip/firewall/mangle to mark packets coming in. Is there a fix? Even before I added those rules, only a few packets made it out of each interface and no website/ping worked. However, I can ping 1.1.1.1 if I do it on one particular interface. It's not a masquerade rule problem because I already added those. I suspect a router reboot might fix it, but I can't do that right now.
 
Cablenut9
Long time Member
Topic Author

Re: Route lookup rules: Broken?

Sat Jul 31, 2021 11:30 pm

Bump! What I'm doing is basically a split-tunnel VPN, which used to work but now doesn't. However, the method I previously used was to have a single rule that marks routing and nothing else. Now I'm marking connections and then marking routes for those connection marks.

Update: I fixed it by converting all the mangle rules to directly mark packets as it seems like connection marks don't work very well in v7, or they're being used wrong.
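The layout the first post describes (new LAN connections split over several WireGuard tunnels by PCC, connection marks feeding routing marks), reduced to two tunnels and written out as an added example; this is not the thread author's configuration. It assumes RouterOS 7, that interfaces wireguard1 and wireguard2 already exist with a peer whose allowed-address is 0.0.0.0/0, that the LAN is 192.168.1.0/24 and its interface is in interface-list LAN. Two points differ from the posted rules: the routing tables are created with the fib flag that current 7.x documentation requires for a table used in forwarding, and each mark-routing rule carries an explicit new-routing-mark, which the posted mark-routing lines do not show. The check commands at the end are what to run when "no traffic reaches the tunnel" to see which stage is not marking or not routing.

```routeros
# Added example, not the thread author's configuration. Assumed names:
# wireguard1/wireguard2, tables vpn1/vpn2, interface-list LAN, LAN 192.168.1.0/24.

# 1. Routing tables. A table used for forwarding needs the fib flag in
#    current 7.x; without it the routes below are not used for lookup.
/routing table
add name=vpn1 fib
add name=vpn2 fib

# 2. One default route per table, pointing at the tunnel interface.
#    The WireGuard endpoints themselves are reached via the main table:
#    the router's own tunnel packets are output-chain traffic and are never
#    touched by the prerouting rules below.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=vpn1
add dst-address=0.0.0.0/0 gateway=wireguard2 routing-table=vpn2

# 3. Pin a marked connection to its table and refuse to fall back to main.
#    With plain action=lookup a vpn1 connection would silently leave via the
#    main table (the plain WAN) whenever wireguard1's route is inactive.
/routing rule
add routing-mark=vpn1 action=lookup-only-in-table table=vpn1
add routing-mark=vpn2 action=lookup-only-in-table table=vpn2

# 4. Mangle. Only the first packet of a new LAN connection is classified;
#    LAN-to-LAN destinations are excluded so they are never tunnelled.
/ip firewall mangle
add chain=prerouting in-interface-list=LAN connection-mark=no-mark \
    dst-address=!192.168.1.0/24 per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=vpn1 passthrough=yes
add chain=prerouting in-interface-list=LAN connection-mark=no-mark \
    dst-address=!192.168.1.0/24 per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=vpn2 passthrough=yes
#    Every packet of a marked connection gets the routing mark that names
#    its table. new-routing-mark is what makes mark-routing do anything.
add chain=prerouting in-interface-list=LAN connection-mark=vpn1 \
    action=mark-routing new-routing-mark=vpn1 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=vpn2 \
    action=mark-routing new-routing-mark=vpn2 passthrough=no

# 5. Source NAT per tunnel so replies come back through the same tunnel.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade
add chain=srcnat out-interface=wireguard2 action=masquerade

# 6. Checks, in the order the packet is processed:
#    a) are the mangle rules matching at all (packet/byte counters)?
/ip firewall mangle print stats
#    b) are connections carrying the mark?
/ip firewall connection print where connection-mark=vpn1
#    c) is the table's default route active (no 'I' flag)?
/ip route print where routing-table=vpn1
#    d) does the tunnel itself pass traffic, independent of the marks?
/ping 1.1.1.1 interface=wireguard1 count=3
```

If (a) shows zero counters on the mark-connection rules, the match conditions (interface list, address lists, dst-address negation) are the problem, not the route lookup; if (b) and (c) look right but (d) fails, the tunnel or its peer's allowed-address is the problem and no amount of marking will help. With four tunnels the same pattern repeats with both-addresses:4/0 through 4/3 and tables vpn1 through vpn4.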
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Route lookup rules: Broken?

Sun Aug 01, 2021 2:29 am

Why are you "bumping" the same day? This is not MikroTik's support forum; it's a users' forum run by volunteers.
You have to be more patient and wait for answers, and you may not receive any.
 
Cablenut9
Long time Member
Topic Author

Re: Route lookup rules: Broken?

Sun Aug 01, 2021 2:31 am

Why are you "bumping" the same day?
Maybe it has to do with time zones, but I made my first post last night.
 
BartoszP
Forum Guru

Re: Route lookup rules: Broken?

Sun Aug 01, 2021 2:36 am

Rephrasing: "Why are you bumping just 20 hours later?"
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route lookup rules: Broken?

Sun Aug 01, 2021 3:05 am

Is it possible that your config is broken and not the route lookup rules?
In other words, have you set up something similar on non-beta firmware, and does it work fine there?
 
Cablenut9
Long time Member
Topic Author

Re: Route lookup rules: Broken?

Sun Aug 01, 2021 3:15 am

In other words, have you set up something similar on non-beta firmware, and does it work fine there?
Connection marking tended to work better on non-beta firmware, but the problem I found with it not marking connections is that it couldn't match anything other than broadcasts and multicasts when any in-interface-list was set.
