tmcnulty1982 (Topic Author)

Simple policy routing question

Fri May 10, 2019 4:24 pm

Hi,

We have two WAN connections. One is used as primary internet and one has a lower priority route that's used as a backup internet connection (not load balanced).

We'd like the ability to send traffic from certain LAN IPs through the backup internet connection at all times, even when the primary internet is still online.

I found https://wiki.mikrotik.com/wiki/Policy_Base_Routing and am trying to adapt this for our setup (i.e., the same process but without a VPN connection).

Here are the relevant rules:

```
/ip firewall address-list add address=<LAN_IP> comment=laptop-enet list=BACKUP_INTERNET
/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=BACKUP_INTERNET passthrough=no src-address-list=BACKUP_INTERNET
/ip route add distance=1 gateway=<BACKUP_INTERNET_GATEWAY_IP> routing-mark=BACKUP_INTERNET
/ip route add distance=1 gateway=<PRIMARY_INTERNET_GATEWAY_IP>
/ip route add distance=10 gateway=<BACKUP_INTERNET_GATEWAY_IP>
```

This works fine for some things, but certain HTTPS connections get terminated almost immediately. It is very domain-specific, i.e., a URL will always succeed or always fail. This appears as a "connection reset" message in the browser, and looks like this in curl (github.githubassets.com always fails):

```
$ curl -v -I https://github.githubassets.com/assets/frameworks-a2fba223d5af91496cac70d4ec3624df.css
* Trying 185.199.109.154...
* TCP_NODELAY set
* Connected to github.githubassets.com (185.199.109.154) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.githubassets.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.githubassets.com:443
```

Yet with the same firewall configuration, github.com works fine:

```
$ curl -v -I https://github.com/
* Trying 192.30.253.113...
* TCP_NODELAY set
* Connected to github.com (192.30.253.113) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: businessCategory=Private Organization; jurisdictionCountryName=US; jurisdictionStateOrProvinceName=Delaware; serialNumber=5157550; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
* start date: May 8 00:00:00 2018 GMT
* expire date: Jun 3 12:00:00 2020 GMT
* subjectAltName: host "github.com" matched cert's "github.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: github.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
<snip>
```

From the primary internet connection (or when the entire office has been moved over to the backup internet connection), github.githubassets.com works fine, too:

```
$ curl -v -I https://github.githubassets.com/assets/frameworks-a2fba223d5af91496cac70d4ec3624df.css
* Trying 185.199.109.154...
* TCP_NODELAY set
* Connected to github.githubassets.com (185.199.109.154) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.githubassets.com
* start date: Oct 29 00:00:00 2018 GMT
* expire date: Nov 2 12:00:00 2020 GMT
* subjectAltName: host "github.githubassets.com" matched cert's "*.githubassets.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8d4b808a00)
> HEAD /assets/frameworks-a2fba223d5af91496cac70d4ec3624df.css HTTP/2
> Host: github.githubassets.com
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
<snip>
```

What could be causing this and/or what is the "correct" way to accomplish what we are trying to do?

Thank you in advance!
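To make the decision path of the rules in the post easier to reason about, here is an added example (not code from the post or from MikroTik): a small Python model that parses export-style one-liners, applies the prerouting mark-routing rule by source address, and then picks the lowest-distance route from the table named by the mark. The sample config is the post's five rules with the `<LAN_IP>` and gateway placeholders filled in with made-up RFC 1918 and RFC 5737 values; the parser, the `resolve`/`lint` helpers and the simplified lookup (default routes only, no fallback behaviour modelled) are assumptions of this example, not RouterOS itself.

```python
import ipaddress
import re

# Constructed sample: the original post's five rules with its <LAN_IP> and
# <..._GATEWAY_IP> placeholders filled in with made-up documentation-range values.
SAMPLE_CONFIG = """
/ip firewall address-list add address=192.168.1.50 comment=laptop-enet list=BACKUP_INTERNET
/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=BACKUP_INTERNET passthrough=no src-address-list=BACKUP_INTERNET
/ip route add distance=1 gateway=203.0.113.1 routing-mark=BACKUP_INTERNET
/ip route add distance=1 gateway=198.51.100.1
/ip route add distance=10 gateway=203.0.113.1
"""

PARAM_RE = re.compile(r"(\S+?)=(\S+)")


def parse_config(text):
    """Split '<menu> add key=value ...' lines into (menu path, {key: value}) pairs.
    Assumes export-style one-liners without quoted values that contain spaces."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("/"):
            continue
        path, _, rest = line.partition(" add ")
        entries.append((path.strip(), dict(PARAM_RE.findall(rest))))
    return entries


def address_lists(entries):
    """Collect address-list members as ip_network objects, keyed by list name."""
    lists = {}
    for path, p in entries:
        if path == "/ip firewall address-list":
            net = ipaddress.ip_network(p["address"], strict=False)
            lists.setdefault(p["list"], []).append(net)
    return lists


def routing_mark_for(entries, lists, src):
    """The first matching prerouting mark-routing rule decides the mark for a LAN source."""
    src = ipaddress.ip_address(src)
    for path, p in entries:
        if path != "/ip firewall mangle" or p.get("action") != "mark-routing":
            continue
        if p.get("chain") != "prerouting":
            continue
        wanted = p.get("src-address-list")
        if wanted is None or any(src in net for net in lists.get(wanted, [])):
            return p["new-routing-mark"]
    return None


def select_gateway(entries, mark):
    """Lowest-distance route in the table named by `mark`; routes without a
    routing-mark form the main table (mark None). Only default routes are modelled."""
    routes = [p for path, p in entries if path == "/ip route"]
    table = [p for p in routes if p.get("routing-mark") == mark]
    if not table:
        return None
    best = min(table, key=lambda p: int(p.get("distance", 1)))
    return best["gateway"]


def resolve(text, src):
    """Return the (routing mark, gateway) this config hands a packet from `src`."""
    entries = parse_config(text)
    mark = routing_mark_for(entries, address_lists(entries), src)
    return mark, select_gateway(entries, mark)


def lint(text):
    """Report mark-routing rules whose mark has no route, or whose address list is
    empty: either one quietly sends the 'special' hosts somewhere unintended."""
    entries = parse_config(text)
    lists = address_lists(entries)
    marked_tables = {p.get("routing-mark") for path, p in entries if path == "/ip route"}
    problems = []
    for path, p in entries:
        if path == "/ip firewall mangle" and p.get("action") == "mark-routing":
            mark = p["new-routing-mark"]
            if mark not in marked_tables:
                problems.append(f"routing mark {mark} has no route in its table")
            al = p.get("src-address-list")
            if al and not lists.get(al):
                problems.append(f"address list {al} referenced by mangle is empty")
    return problems


if __name__ == "__main__":
    for host in ("192.168.1.50", "192.168.1.60"):
        print(host, "->", resolve(SAMPLE_CONFIG, host))
    print("lint:", lint(SAMPLE_CONFIG) or "ok")
```

With the sample config, the listed laptop resolves to the backup gateway through the marked table while any other LAN host resolves to the distance-1 primary route, which matches the behaviour the post describes; the model deliberately says nothing about MTU or TCP state, so a config that lints clean can still show the per-site HTTPS resets discussed in the thread.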
 
sindy (Forum Guru)

Re: Simple policy routing question

Fri May 10, 2019 10:16 pm

I would first disable all the policy routing and set for a while the backup route as primary (or shut down the primary's WAN interface, whatever) to see whether the issue persists or not. If it does, it is most likely some MTU issue on the secondary WAN's route; if it doesn't, there is an issue in the policy routing.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
tmcnulty1982 (Topic Author)

Re: Simple policy routing question

Mon May 13, 2019 4:03 pm

Hello and thanks very much for the reply!

sindy wrote: I would first disable all the policy routing and set for a while the backup route as primary (or shut down the primary's WAN interface, whatever) to see whether the issue persists or not. If it does, it is most likely some MTU issue on the secondary WAN's route; if it doesn't, there is an issue in the policy routing.

When failing over to the backup internet the normal way (not using a routing mark), the issue does not exist. Also, the two routes are identical except for the distance and routing-mark parameters (I have not simplified the rules for the purposes of this post):

```
/ip route add distance=1 gateway=<BACKUP_INTERNET_GATEWAY_IP> routing-mark=BACKUP_INTERNET
/ip route add distance=10 gateway=<BACKUP_INTERNET_GATEWAY_IP>
```
 
sindy (Forum Guru)

Re: Simple policy routing question

Mon May 13, 2019 4:05 pm

In that case, publish the complete configuration, following the hints regarding anonymisation in my automatic signature.
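Both of sindy's replies ask for a `/export hide-sensitive` with every public IP replaced by a distinctive pattern such as `my.public.ip.1`. Doing that by hand with find-and-replace is error-prone (a gateway address that appears once in `/ip route` and again in a NAT rule must map to the same placeholder every time). The following is an added example, not code from the thread or from MikroTik: a Python sanitiser that scans export text for IPv4 addresses, leaves private, loopback, link-local and documentation ranges untouched so the LAN layout stays readable, and gives each distinct globally routable address a stable numbered placeholder. The sample export and its addresses are constructed for this example.

```python
import ipaddress
import re

# Constructed sample export: two WANs, a LAN, and a src-nat rule that repeats the
# first WAN address. The public addresses here are made up for the example.
SAMPLE_EXPORT = """\
/ip address add address=192.168.88.1/24 interface=bridge
/ip address add address=85.12.34.50/29 interface=ether1-wan1
/ip address add address=91.200.10.78/30 interface=ether2-wan2
/ip route add distance=1 gateway=85.12.34.49
/ip route add distance=10 gateway=91.200.10.77
/ip firewall nat add action=src-nat chain=srcnat out-interface=ether1-wan1 to-addresses=85.12.34.50
"""

# Dotted-quad IPv4 with an optional /prefix; the prefix is preserved on output.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")


def anonymize_export(text, pattern="my.public.ip.{n}"):
    """Replace every globally routable IPv4 address in `text` with a placeholder.

    The same address always gets the same placeholder, numbered by first appearance.
    Non-global addresses (RFC 1918, loopback, link-local, documentation ranges) are
    left as they are. Returns (sanitised text, {original: placeholder})."""
    mapping = {}

    def repl(match):
        token = match.group(0)
        addr_text, _, prefix = token.partition("/")
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:          # e.g. an octet above 255; not an address
            return token
        if not addr.is_global:
            return token
        if addr_text not in mapping:
            mapping[addr_text] = pattern.format(n=len(mapping) + 1)
        return mapping[addr_text] + ("/" + prefix if prefix else "")

    return IPV4_RE.sub(repl, text), mapping


if __name__ == "__main__":
    sanitised, table = anonymize_export(SAMPLE_EXPORT)
    print(sanitised)
    for original, placeholder in table.items():
        print(f"{original:>16} -> {placeholder}")
```

Keep the printed mapping table private; it is what lets you translate a reply on the forum back to your real addresses. Hostnames, DDNS names and comments are not touched by this script, so read the output once before posting it.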
