wispmikrotik
Member Candidate
Topic Author
Posts: 138
Joined: Tue Apr 25, 2017 10:43 am

Firewall Mangle - Action [passthrough vs accept]

Thu Apr 12, 2018 1:33 am

Hi,

I have the following problem with the mangle and the action=passthrough, I am routing all the traffic through the VPN, but with a JUMP rule I avoid using the VPN to get to the WEB Server. I put the network scheme:

[network diagram image]

- Config RB850gx2:
[rtc@wispmikrotik] /ip firewall mangle> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; VPNPTP_Passthrough_VPN
      chain=prerouting action=jump jump-target=passthrough_VPN src-address-list=hw-lan dst-address-list=hw-lan log=no log-prefix="" 
 1    ;;; Route_VPN
      chain=prerouting action=mark-routing new-routing-mark=vpn_vpnptp passthrough=yes src-address-list=hw-lan dst-address-list=!Netflix log=no log-prefix="" 
 2    ;;; Passthrough_VPN
      chain=passthrough_VPN action=passthrough log=no log-prefix=""

With the action=passthrough it does not work, instead with the action=accept everything works correctly.

[rtc@wispmikrotik] /ip firewall address-list> print 
Flags: X - disabled, D - dynamic 
 #   LIST                                                ADDRESS                                           
 0   hw-lan                                             172.16.0.0/30                                   
 1   hw-lan                                             172.32.0.0/27                                   
 2   hw-lan                                             192.168.0.0/24

Isn't action=passthrough supposed to be "if packet is matched by the rule, increase counter and go to next rule"?

Test with the action=passthrough:
PC traceroute Server WEB:
pc:~$ traceroute 192.168.0.10 (Server WEB)
traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 38 byte packets
 1  172.32.0.1 (172.32.0.1)  0.536 ms  0.434 ms  0.426 ms
 2  10.95.95.1 (10.95.95.1)  32.369 ms  30.681 ms  31.700 ms 
 3^C
Here it is observed that it is routed through the VPN, ignoring the rule of JUMP (Rule 0) + Passthrough (Rule 2) -> NOK


Test 2:
But if we put the action=accept in Rule 2 - mangle:
pc:~$ traceroute 192.168.0.10 (Server WEB)
traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 38 byte packets
 1  172.32.0.1 (172.32.0.1)  0.536 ms  0.434 ms  0.426 ms  - Ubiquiti
 2  172.16.0.1 (10.95.95.1)  32.369 ms  30.681 ms  31.700 ms  - RB850gx2
 3  192.168.0.10 (192.168.0.10)  1.070 ms  0.967 ms  0.992 ms   - Server WEB
Here it is observed -> OK


Regards.
 
AlainCasault
Trainer
Posts: 632
Joined: Fri Apr 30, 2010 3:25 pm
Location: Prévost, QC, Canada

Re: Firewall Mangle - Action [passthrough vs accept]

Thu Apr 12, 2018 2:16 am

Hello,

What's your question and what are you trying to achieve?

As you said, passthrough is only for accounting, nothing more.


Regards

Sent from my LG-H812 using Tapatalk

 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Firewall Mangle - Action [passthrough vs accept]

Thu Apr 12, 2018 3:03 am

Isn't action=passthrough supposed to be "if packet is matched by the rule, increase counter and go to next rule"?
And action=accept stops processing and does not go to next rule, so that's major difference.
 
wispmikrotik
Member Candidate
Topic Author
Posts: 138
Joined: Tue Apr 25, 2017 10:43 am

Re: Firewall Mangle - Action [passthrough vs accept]

Thu Apr 12, 2018 12:53 pm

Hello,

What's your question and what are you trying to achieve?

As you said, passthrough is only for accounting, nothing more.


Regards

Sent from my LG-H812 using Tapatalk

Hi,

I need that when a packet matches rule 0, makes the jump and reaches rule 2 with action=passthrough, it then continues with the following rules.

With action=accept it does not work for me because it does not pass to rules 4,5,6 ...


Regards.
 
wispmikrotik
Member Candidate
Topic Author
Posts: 138
Joined: Tue Apr 25, 2017 10:43 am

Re: Firewall Mangle - Action [passthrough vs accept]

Thu Apr 12, 2018 12:55 pm

Isn't action=passthrough supposed to be "if packet is matched by the rule, increase counter and go to next rule"?
And action=accept stops processing and does not go to next rule, so that's major difference.

Hi,

Of course, that is exactly what I do not want, that it does not pass through the following rules. On the contrary, I need it to do a passthrough and go through the following rules.

Regards.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Firewall Mangle - Action [passthrough vs accept]  [SOLVED]

Thu Apr 12, 2018 4:51 pm

To tell the truth, I'm a little lost in the description in the first post.

You have jump in prerouting and target chain has only one rule with action=passthrough, so it basically does nothing, only increases counter for passthrough rule, reaches end of chain and returns to prerouting, where it continues with next rule.

If you use action=accept instead, it actually starts to do something, and stops processing for packets matching "src-address-list=hw-lan dst-address-list=hw-lan" from jump rule. Jump to another chain is still useless, because when there's only one rule, you can add required action directly to first rule, instead of jump.

But now you also write about rules 4,5,6 ... but you didn't show them to us, at least where exactly they are, whether in prerouting or in the passthrough_VPN chain. So try to add a few more details and then you'll have a chance to get better answers.
 
AlainCasault
Trainer
Posts: 632
Joined: Fri Apr 30, 2010 3:25 pm
Location: Prévost, QC, Canada

Re: Firewall Mangle - Action [passthrough vs accept]

Thu Apr 12, 2018 5:57 pm

I agree with Sob.

Give us meat to work on. What you want is totally unclear.

Regards,

Sent from Tapatalk

 
wispmikrotik
Member Candidate
Topic Author
Posts: 138
Joined: Tue Apr 25, 2017 10:43 am

Re: Firewall Mangle - Action [passthrough vs accept]

Thu Apr 12, 2018 7:16 pm

To tell the truth, I'm a little lost in the description in the first post.

You have jump in prerouting and target chain has only one rule with action=passthrough, so it basically does nothing, only increases counter for passthrough rule, reaches end of chain and returns to prerouting, where it continues with next rule.

If you use action=accept instead, it actually starts to do something, and stops processing for packets matching "src-address-list=hw-lan dst-address-list=hw-lan" from jump rule. Jump to another chain is still useless, because when there's only one rule, you can add required action directly to first rule, instead of jump.

But now you also write about rules 4,5,6 ... but you didn't show them to us, at least where exactly they are, whether in prerouting or in the passthrough_VPN chain. So try to add a few more details and then you'll have a chance to get better answers.

Hi @Sob,

You are absolutely right Sob, I did not show all the rules; rules 4, 5, 6 are simply QoS connection marking + packet marking. As you said, by changing rule 0 to action=accept, the details have been clarified.
[rtc@wispmikrotik] /ip firewall mangle> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; VPNPTP_Passthrough_VPN
      chain=prerouting action=accept src-address-list=hw-lan dst-address-list=hw-lan log=no log-prefix="" 
 1    ;;; Route_VPN
      chain=prerouting action=mark-routing new-routing-mark=vpn_vpnptp passthrough=yes src-address-list=hw-lan dst-address-list=!Netflix log=no log-prefix="" 
2, 3, 4, 5 --> QoS
With rule 0 I get that the packets going from the PC to the WEB server do not go through the VPN link (Rule 1), since they match rule 0 and action=accept does not continue to the rules below (Rules 1, 2, 3 ...).

Thank you very much to both of you.
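As an added illustration (not code from the thread or from RouterOS), the following Python model walks the three rules from the first post the way Sob describes: a matched passthrough rule only bumps its counter and the target chain returns to prerouting, whereas accept ends processing. It assumes the Netflix address list is empty (its contents were not shown) and uses a constructed PC-to-web-server packet.

```python
# Added example, not from the thread: a minimal model of RouterOS mangle chain processing.
import ipaddress

# Address lists from the thread; the Netflix list was not shown, so it is assumed empty.
ADDRESS_LISTS = {
    "hw-lan": [ipaddress.ip_network(n) for n in ("172.16.0.0/30", "172.32.0.0/27", "192.168.0.0/24")],
    "Netflix": [],
}

def in_list(addr, spec):
    """Evaluate a src/dst-address-list matcher; a leading '!' negates it as in RouterOS."""
    negate = spec.startswith("!")
    hit = any(ipaddress.ip_address(addr) in net for net in ADDRESS_LISTS[spec.lstrip("!")])
    return hit != negate

def run_chain(rules, chain, pkt, counters):
    """Walk one chain: True = processing stopped (accept), False = chain ran to its end."""
    for idx, rule in enumerate(rules):
        if rule["chain"] != chain:
            continue
        if any(k in rule and not in_list(pkt[k], rule[k]) for k in ("src", "dst")):
            continue
        counters[idx] += 1                      # every matched rule counts, even passthrough
        action = rule["action"]
        if action == "accept":
            return True
        if action == "jump":
            if run_chain(rules, rule["target"], pkt, counters):
                return True                     # accept inside the target chain ends it all
            continue                            # target chain exhausted: next rule in prerouting
        if action == "mark-routing":
            pkt["routing-mark"] = rule["mark"]
            if not rule.get("passthrough", True):
                return True
        # action=passthrough: counter only, fall through to the next rule
    return False

def mangle(pkt, target_action):
    """Run the thread's rules with rule 2 set to target_action; return (routing mark, counters)."""
    rules = [
        {"chain": "prerouting", "action": "jump", "target": "passthrough_VPN", "src": "hw-lan", "dst": "hw-lan"},
        {"chain": "prerouting", "action": "mark-routing", "mark": "vpn_vpnptp", "passthrough": True, "src": "hw-lan", "dst": "!Netflix"},
        {"chain": "passthrough_VPN", "action": target_action},
    ]
    counters = [0] * len(rules)
    pkt = dict(pkt)
    run_chain(rules, "prerouting", pkt, counters)
    return pkt.get("routing-mark"), counters

# Constructed sample packet: a PC behind the Ubiquiti (172.32.0.0/27) talking to the web server.
PC_TO_WEB = {"src": "172.32.0.10", "dst": "192.168.0.10"}
```

With rule 2 set to passthrough the packet still picks up the vpn_vpnptp routing mark from Route_VPN (matching the first traceroute), while with accept it leaves prerouting unmarked.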
