Community discussions

 
Zoolander06
just joined
Topic Author
Posts: 22
Joined: Thu Jan 03, 2019 5:26 pm

Routing mangle rule block output traffic

Mon Apr 29, 2019 11:56 am

Hello folks,

I have a weird problem with a RB2011 router : I have two WAN interface, and two LAN interfaces, I wanted to force each LAN interface to go out from a specific WAN interface, as I often do without any problem.
So I created mangle rules to mark connections, then to mark routes, and I created routes with the routing marks I added.
And I can't access internet anymore. If I disable the 'mark_routing' mangle rules, I can access to internet via the default route.
I've looked for a solution for two days, and found nothing, I don't understant, since I've done the exact same things as I always do.
Could you please help me with that ?

Here is my test configuration (with only one mangle rule for testing purpose) :
# apr/29/2019 10:44:15 by RouterOS 6.44.3
# software id = U8RI-93GB
#
# model = 2011UiAS-2HnD
# serial number = 91E10A61F47B
/interface bridge
add admin-mac=74:4D:28:3A:8A:17 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pptp-server
add name=pptp-in1 user=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile=profile1 ssid=Livebox-MAISTRE wireless-protocol=802.11
/ip ipsec peer
add address=86.205.82.175/32 name=Cannes
/ip ipsec proposal
set [ find default=yes ] lifetime=8h
/ip pool
add name=pool_DATA ranges=192.168.6.20-192.168.6.150
add name=pool_VOIP ranges=192.168.250.100-192.168.250.149
/ip dhcp-server
add address-pool=pool_DATA disabled=no interface=bridge name=dhcp_DATA
add address-pool=pool_VOIP disabled=no interface=ether3 name=dhcp_VOIP
/ppp profile
add change-tcp-mss=yes name=adsl use-compression=no use-encryption=no \
    use-mpls=no
/interface pppoe-client
add allow=pap,chap disabled=no interface=ether1 name=pppoe-out1 profile=adsl \
    user=ip19041853505@srvc
/queue tree
add max-limit=5M name=download-data parent=bridge priority=1 queue=default
add max-limit=5M name=download-voip parent=ether3 priority=1 queue=default
add max-limit=800k name=upload-wan1 parent=pppoe-out1 priority=1 queue=\
    default
add max-limit=4M name=upload-wan2 parent=ether2 priority=1 queue=default
add limit-at=600k max-limit=800k name=download-voip-sip-rtp packet-mark=\
    VoIP-pkt parent=download-voip priority=1 queue=default
add max-limit=4M name=download-voip-common packet-mark=Data-pkt parent=\
    download-voip queue=default
add max-limit=4500k name=donwload-data-common packet-mark=Data-pkt parent=\
    download-data queue=default
add limit-at=600k max-limit=800k name=upload-wan1-sip-rtp packet-mark=\
    VoIP-pkt parent=upload-wan1 priority=1 queue=default
add max-limit=800k name=upload-wan1-common packet-mark=Data-pkt parent=\
    upload-wan1 queue=default
add limit-at=600k max-limit=800k name=upload-wan2-sip-rtp packet-mark=\
    VoIP-pkt parent=upload-wan2 priority=1 queue=default
add max-limit=4M name=upload-wan2-common packet-mark=Data-pkt parent=\
    upload-wan2 queue=default
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=LAN1 interface=bridge list=LAN
add comment=WAN1 interface=pppoe-out1 list=WAN
add comment="LAN 2" interface=ether3 list=LAN
add comment="WAN 2" interface=ether2 list=WAN
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.6.254/24 comment=LAN_DATA interface=bridge network=\
    192.168.6.0
add address=192.168.250.254/24 comment=LAN_VOIP interface=ether3 network=\
    192.168.250.0
add address=10.0.1.2/24 comment=WAN_4G interface=ether2 network=10.0.1.0
/ip dhcp-server network
add address=192.168.6.0/24 comment=LAN_DATA dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.6.254
add address=192.168.250.0/24 comment=LAN_VOIP dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.250.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Accept IPSEC connections" dst-port=\
    500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="accept remote web admin" dst-port=8080 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=1723 in-interface-list=WAN protocol=\
    tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=no-mark connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark SIP connections" \
    dst-port=5060 in-interface=ether3 new-connection-mark=VoIP-conn \
    passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="mark RTP connections" \
    in-interface=ether3 new-connection-mark=VoIP-conn passthrough=yes \
    protocol=udp src-port=40000-40019
add action=mark-connection chain=prerouting dst-port=40000-40019 \
    in-interface-list=WAN new-connection-mark=VoIP-conn passthrough=yes \
    protocol=udp
add action=mark-packet chain=postrouting comment=\
    "mark VoIP packets (SIP and RTP)" connection-mark=VoIP-conn \
    new-packet-mark=VoIP-pkt passthrough=yes
add action=mark-connection chain=prerouting comment=TEST connection-mark=\
    no-mark dst-address=!192.168.6.0/24 in-interface-list=LAN \
    new-connection-mark=TEST-Conn passthrough=yes src-address=192.168.6.131
add action=mark-connection chain=prerouting comment="mark Data connections" \
    connection-mark=no-mark in-interface-list=LAN new-connection-mark=\
    Data-conn passthrough=yes
add action=mark-packet chain=postrouting comment="mark Data packets" \
    connection-mark=Data-conn new-packet-mark=Data-pkt passthrough=yes
add action=mark-connection chain=input comment="mark connections from wan1" \
    connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=\
    In-wan1-conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out1 new-connection-mark=In-wan1-conn passthrough=yes
add action=mark-connection chain=input comment="mark connections from wan2" \
    connection-mark=no-mark in-interface=ether2 new-connection-mark=\
    In-wan2-conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=In-wan2-conn passthrough=yes
add action=mark-packet chain=input comment="mark packets from wan1" \
    connection-mark=In-wan1-conn new-packet-mark=Data-pkt passthrough=yes
add action=mark-packet chain=postrouting connection-mark=In-wan1-conn \
    new-packet-mark=Data-pkt passthrough=yes
add action=mark-packet chain=input comment="mark packets from wan2" \
    connection-mark=In-wan2-conn new-packet-mark=Data-pkt passthrough=yes
add action=mark-packet chain=postrouting connection-mark=In-wan2-conn \
    new-packet-mark=Data-pkt passthrough=yes
add action=mark-routing chain=prerouting comment=TEST connection-mark=\
    TEST-Conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment=\
    "mark route for connections from wan1" connection-mark=In-wan1-conn \
    disabled=yes new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=In-wan1-conn \
    disabled=yes new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment=\
    "mark route for connections from wan2" connection-mark=In-wan2-conn \
    disabled=yes new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=In-wan2-conn \
    disabled=yes new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.6.0/24
add action=accept chain=srcnat dst-address=192.168.251.0/24 src-address=\
    192.168.250.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=dstnat dst-address=192.168.6.0/24 src-address=\
    192.168.2.0/24
add action=accept chain=dstnat dst-address=192.168.250.0/24 src-address=\
    192.168.251.0/24
add action=dst-nat chain=dstnat dst-port=37777,80,554 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.6.155
add action=dst-nat chain=dstnat dst-port=37778 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.6.155
add action=dst-nat chain=dstnat dst-port=8181 in-interface-list=WAN log=yes \
    protocol=tcp to-addresses=192.168.250.250 to-ports=443
/ip firewall service-port
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=Cannes
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.2.0/24 sa-dst-address=86.205.82.175 sa-src-address=\
    195.216.142.200 src-address=192.168.6.0/24 tunnel=yes
add dst-address=192.168.251.0/24 sa-dst-address=86.205.82.175 sa-src-address=\
    195.216.142.200 src-address=192.168.250.0/24 tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway=10.0.1.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=10.0.1.1
add check-gateway=ping distance=3 gateway=pppoe-out1
/ip service
set www port=8080
/ip ssh
set forwarding-enabled=remote
/ppp secret
add local-address=192.168.250.254 name=zoolander remote-address=192.168.250.80 \
    service=pptp
/system clock
set time-zone-name=Europe/Rome
/system ntp client
set enabled=yes server-dns-names=fr.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks a lot !

Joris
 
Zoolander06
just joined
Topic Author
Posts: 22
Joined: Thu Jan 03, 2019 5:26 pm

Re: Routing mangle rule block output traffic

Mon Apr 29, 2019 12:07 pm

Plus, I don't know if it's related, but probably, my dst-nat rules don't work at all.

Joris
 
Zoolander06
just joined
Topic Author
Posts: 22
Joined: Thu Jan 03, 2019 5:26 pm

Re: Routing mangle rule block output traffic

Mon Apr 29, 2019 12:18 pm

Hey,

I just solved my problem : I haven't specified a in. interface in my mangle rule, so I assume that incoming packets from the wan were be routed by my output route, and that's why it didn't work...

Joris

Who is online

Users browsing this forum: No registered users and 74 guests