osc86
Member Candidate, Topic Author
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Problem with Policy-Routing in 7.1 on CCR2004-1G-12S+2XS

Sun Dec 05, 2021 1:54 pm

Hello,
yesterday I upgraded a CCR2004-1G-12S+2XS from 6.49.1 to 7.1. Of course the upgrade failed: the device ended up in a reboot loop, so I had to netinstall it with 7.1.
When I reconfigured the device I faced a problem with policy routing that I'm currently unable to solve. I've done this many times before, but this time I'm out of ideas as to what could be wrong.
My WAN is "VLAN0007", 88.XX.XX.48/29, .49 is the Gateway, .54 is the IP address of my Router; my LAN is "VLAN0086", 192.168.2.1/24.

In my tests I found out that the RouterOS DNS forwarder isn't reachable from a VRF, so I decided to just use a separate routing table instead of adding VLAN0086 to a VRF.
/routing table
add disabled=no fib name=VRF-DSL
I added a default gw to that table, pointing at the next-hop address of my ISP.
/ip/route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=88.XX.XX.49 pref-src="" routing-table=VRF-DSL scope=30 suppress-hw-offload=no target-scope=10
This is an output of the main routing table:
/ip/route> pr det where routing-table=main
 0  As   dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=88.XX.XX.49 immediate-gw=88.XX.XX.49%VLAN0007 distance=1 scope=30 target-scope=10 
         suppress-hw-offload=no 
   DAc   dst-address=88.XX.XX.48/29 routing-table=main gateway=VLAN0007 immediate-gw=VLAN0007 distance=0 scope=10 suppress-hw-offload=no 
         local-address=88.XX.XX.54%VLAN0007 
   DAc   dst-address=192.168.2.0/24 routing-table=main gateway=VLAN0086 immediate-gw=VLAN0086 distance=0 scope=10 suppress-hw-offload=no 
         local-address=192.168.2.1%VLAN0086 

I set up policy routing rules in the mangle table (I just used one IP for testing).
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=!local in-interface=VLAN0086 \
    new-connection-mark=C_FROM_VLAN0086 passthrough=yes src-address=192.168.2.41
add action=mark-routing chain=prerouting connection-mark=C_FROM_VLAN0086 new-routing-mark=VRF-DSL passthrough=no
Firewall filter rules allow all traffic from VLAN0086 to VLAN0007, also established and related connections.
Finally there's a snat rule for VLAN0007.
/ip firewall nat
add action=src-nat chain=srcnat out-interface=VLAN0007 to-addresses=88.XX.XX.54

When I try to ping a host on the internet from 192.168.2.41, the connection times out. I checked the connection tracking, all seems good.
SNAT works and the packet is correctly routed.
Note the Reply Bytes: traffic is leaving and I get an answer from 8.8.8.8, but the reply packets are not arriving at 192.168.2.41.
[screenshot: connection tracking entry, 2021-12-05 11.39.22]
Next I checked what is going on with the sniffer tool.
[screenshot: packet sniffer output, 2021-12-05 11.43.58]
So where are these reply packets, why are they not forwarded to 192.168.2.41? There are no other mangle rules, nat rules, routing rules, ipsec policies, nothing that could mess with the flow of packets in any way.
VLAN0086 is not added to a VRF; it is bound to the main routing table, so I don't need to set up any routing rules.
When I disable the connection-mark rule, traffic is sent using the main table and it immediately starts working.
As I mentioned before, I just netinstalled the router and did the config from scratch, and rebooted the router several times.
Any idea what I'm missing here? I have a CCR2004-16G-2S+ with a way more complex ruleset for policy routing, also running 7.1. Everything works fine on this device, so I don't think it has anything to do with 7.1 in general. For those who are wondering why I'm currently using custom routing tables with just one ISP: it is planned to add more internet uplinks to the router in the future.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Problem with Policy-Routing in 7.1 on CCR2004-1G-12S+2XS  [SOLVED]

Sun Dec 05, 2021 9:10 pm

So where are these reply packets, why are they not forwarded to 192.168.2.41? There are no other mangle rules, nat rules, routing rules, ipsec policies, nothing that could mess with the flow of packets in any way.
The ping response packet from 8.8.8.8 will have the connection mark C_FROM_VLAN0086, so when it arrives at the router, the router will apply the routing mark to that packet and will send that packet to 88.XX.XX.49, as you have told it to. The ISP will then send it back to you, you will send it back to the ISP, and the packet will continue to loop until the TTL expires.
 
osc86
Member Candidate, Topic Author

Re: Problem with Policy-Routing in 7.1 on CCR2004-1G-12S+2XS

Sun Dec 05, 2021 10:17 pm

Thanks mducharme!
I added the in-interface matcher to the second rule and it works. I tried a few different things; I don't know why I overlooked this.
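For reference, the mangle ruleset from the first post with the fix that mducharme's explanation implies and osc86 confirms, shown as an added example rather than config posted in the thread. Interface names, the connection mark, the routing table name VRF-DSL and the test host 192.168.2.41 are taken from the thread; the rule comments are mine.

```routeros
/ip firewall mangle

# Unchanged: mark only the first packet of a new connection from the LAN host.
# Connection marks apply to both directions, so the ICMP echo reply from
# 8.8.8.8 will carry C_FROM_VLAN0086 as well.
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new \
    dst-address-type=!local in-interface=VLAN0086 \
    new-connection-mark=C_FROM_VLAN0086 passthrough=yes src-address=192.168.2.41

# Original (problem) rule, kept here disabled for comparison: it matches every
# packet of the marked connection, including replies entering on VLAN0007,
# which then get a VRF-DSL lookup, hit its only route (0.0.0.0/0 via
# 88.XX.XX.49) and are sent back to the ISP until the TTL expires.
add action=mark-routing chain=prerouting connection-mark=C_FROM_VLAN0086 \
    new-routing-mark=VRF-DSL passthrough=no disabled=yes \
    comment="original rule - loops reply traffic back to the ISP"

# Fixed rule: only packets that enter from VLAN0086 get the routing mark.
# Replies arriving on VLAN0007 keep no routing mark and are forwarded by the
# main table, which holds the connected route for 192.168.2.0/24.
add action=mark-routing chain=prerouting connection-mark=C_FROM_VLAN0086 \
    in-interface=VLAN0086 new-routing-mark=VRF-DSL passthrough=no \
    comment="policy-route LAN-originated packets only"
```

To check the fix, watch the rule counters with `/ip firewall mangle print stats` while pinging from 192.168.2.41: the mark-routing rule should now count only the outbound packets, and the earlier sniffer test should show the echo replies leaving on VLAN0086 instead of VLAN0007.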
