Hi all
I'm playing with load balancing using pcc firewall rules in mangle
and I've noticed that when I do a ping, tool fetch, or any other traffic
from the console, it doesn't get matched to any of my mangle rules.
I just tried and I can't get of the chains in mangle to trap router initiated traffic,
including dns lookups.
I use google's dns servers and my wan connections are equal so I'd like to
prevent things like dns traffic from going out the same port every time.
Other than doing pcc on dst-address=8.8.8.8
Am I missing something?
Any suggestions?
Thanks.
LL
Re: matching traffic from the router itself in mangle
Probably you are marking/PPC forwarded traffic in mangle/prerouting chain; if you want to mark/PCC router originated traffic you must work on mangle/output chain also.I'm playing with load balancing using pcc firewall rules in mangle
.. router initiated traffic, including dns lookups.
Re: matching traffic from the router itself in mangle
Any news? Solved?
-
-
iperezandres
Frequent Visitor
- Posts: 61
- Joined:
- Location: Madrid
- Contact:
Re: matching traffic from the router itself in mangle
Not yet, I have the same problem. I have tried output chain and mark-routing but it is not working.
If there is no default route, the packets originated from the router itself do not get catched in any of the mangle rules and they do not show up in the connection tab.
Any suggestion? I have tried many different chain combinations unsuccessfully.
There is another thread with the same issue... : viewtopic.php?f=2&t=124197&p=655335#p655335
If there is no default route, the packets originated from the router itself do not get catched in any of the mangle rules and they do not show up in the connection tab.
Any suggestion? I have tried many different chain combinations unsuccessfully.
There is another thread with the same issue... : viewtopic.php?f=2&t=124197&p=655335#p655335
Re: matching traffic from the router itself in mangle
This picture says it all. Routing comes first, only then the packet passes through the output chain in various tables (conntrack, mangle, filter), and finally the routing is eventually "adjusted" (see the exploded Output chain).If there is no default route, the packets originated from the router itself do not get catched in any of the mangle rules and they do not show up in the connection tab.
Last edited by sindy on Thu Apr 19, 2018 5:30 pm, edited 1 time in total.
Re: matching traffic from the router itself in mangle
I've seen this before. When there's no route to given destination in main routing table, RouterOS just says "no route to host" and doesn't give you a chance to mark routing and use another routing table where such route exists. The workaround should be simple, just add fake route, e.g.:
Router will seemingly have route to any destination and it's up to you what packets you mark and let them use the real gateway.
Code: Select all
/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none
/ip route
add gateway=bridge1 comment="fake route"
add gateway=<real gw> routing-mark=<some mark>
/ip firewall mangle
add action=mark-routing chain=output new-routing-mark=<some mark>-
-
iperezandres
Frequent Visitor
- Posts: 61
- Joined:
- Location: Madrid
- Contact:
Re: matching traffic from the router itself in mangle
Very interesting approach, let me try it and get back to you. Thanks!
-
-
iperezandres
Frequent Visitor
- Posts: 61
- Joined:
- Location: Madrid
- Contact:
Re: matching traffic from the router itself in mangle
Thank you Sob, that was very fine coding!
It worked like a charm. With the fake bridge, any connection from the router itself now shows up in the firewall connection tab, and once you have it there, it is catched by the mangle rules and it is easy to route it through the WAN that you want.
Awesome suggestion!!
It worked like a charm. With the fake bridge, any connection from the router itself now shows up in the firewall connection tab, and once you have it there, it is catched by the mangle rules and it is easy to route it through the WAN that you want.
Awesome suggestion!!
-
-
iperezandres
Frequent Visitor
- Posts: 61
- Joined:
- Location: Madrid
- Contact:
Re: matching traffic from the router itself in mangle
I found another approach instead of creating the fake-bridge.
First, you add a route with as many WANs as you have, so it also gives you fail over.
And then you add a rule in mangle to capture the traffic going from your connected IPs to the not connected IPs:
Hope it helps.
First, you add a route with as many WANs as you have, so it also gives you fail over.
Code: Select all
/ip route
add dst-address=0.0.0.0/0 gateway=ether1-wan1,ether2-wan2 distance=1 check-gateway=ping comment="ros route"
Code: Select all
/ip firewall address-list
add address=192.168.1.0/24 list=Connected # WAN1 network
add address=192.168.88.0/24 list=Connected # WAN2 network
add address=192.168.100.0/23 list=Connected # LAN network
add address=192.168.100.0/23 list=LAN
add address=255.255.255.255 list=LAN
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=!Connected new-routing-mark=route1 passthrough=no src-address-list=Connected