antiqued4
just joined
Topic Author
Posts: 20
Joined: Mon Jan 13, 2020 1:50 pm

Mangle problems after update 6.46.7

Thu Oct 15, 2020 10:04 pm

Hello guys, here in the company we have 2 internet links, both with a fixed public IP. I want to access a server here at the company through both of my IPs. So I made two mark connection rules marking the entry of each PPPoE, and created two mark routing rules with these connection marks and the IP of my internal network in the Src-Address tab. Everything was working, then I ended up not using it for a while, and now that I went to use it, it is not working anymore; the only thing that was done was updating the version of the RB. Now, looking at my mangle table, there is a packet count on the connection mark, but on the route mark it is zero. The connection mark of Link1 works perfectly, only the second one does not. I would be grateful if someone can help me.
 0    ;;; Mark Connection Link1
      chain=prerouting action=mark-connection new-connection-mark=Link1-Conn passthrough=yes connection-mark=no-mark in-interface=PPPoE-Empire log=no log-prefix="" 

 1    ;;; Mark Connection Link2
      chain=prerouting action=mark-connection new-connection-mark=Link2-Conn passthrough=yes connection-mark=no-mark in-interface=PPPoE-Ampernet log=no log-prefix="" 

 2    ;;; Rooute Link1
      chain=prerouting action=mark-routing new-routing-mark=Link1-Route passthrough=yes src-address=192.168.90.0/24 connection-mark=Link1-Conn log=no log-prefix="" 

 3    ;;; Route Link2
      chain=prerouting action=mark-routing new-routing-mark=Link2-Route passthrough=yes src-address=192.168.90.0/24 connection-mark=Link2-Conn log=no log-prefix="" 

 4    ;;; Mark Link1 Out
      chain=output action=mark-routing new-routing-mark=Link1-Route passthrough=yes connection-mark=Link1-Conn log=no log-prefix="" 

 5    ;;; Mark Link2 Out
      chain=output action=mark-routing new-routing-mark=Link2-Route passthrough=yes connection-mark=Link2-Con log=no log-prefix="" 

If you notice, the packet count is at zero in the rules of the second link, and I already checked the marks, as you can see in the code.


 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mangle problems after update 6.46.7

Thu Oct 15, 2020 10:23 pm

No wonder that your "Mark Link2 Out" rule never counts, as you refer to connection-mark=Link2-Con (single n in the end) in that rule, while the rule assigning the connection-mark to the traffic coming in via in-interface=PPPoE-Ampernet assigns a connection mark Link2-Conn (double n in the end).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
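
The mismatch pointed out in this reply, a rule matching on a connection mark that no rule ever assigns, can be checked mechanically. The following Python lint is an added example and not part of the original thread; it runs over a trimmed copy of the rules from the first post (embedded as constructed sample input), and its function names are illustrative.

```python
import re
from difflib import get_close_matches

# Constructed sample: the mangle rules from the first post, log options trimmed.
SAMPLE = """\
 0    ;;; Mark Connection Link1
      chain=prerouting action=mark-connection new-connection-mark=Link1-Conn passthrough=yes connection-mark=no-mark in-interface=PPPoE-Empire
 1    ;;; Mark Connection Link2
      chain=prerouting action=mark-connection new-connection-mark=Link2-Conn passthrough=yes connection-mark=no-mark in-interface=PPPoE-Ampernet
 2    ;;; Rooute Link1
      chain=prerouting action=mark-routing new-routing-mark=Link1-Route passthrough=yes src-address=192.168.90.0/24 connection-mark=Link1-Conn
 3    ;;; Route Link2
      chain=prerouting action=mark-routing new-routing-mark=Link2-Route passthrough=yes src-address=192.168.90.0/24 connection-mark=Link2-Conn
 4    ;;; Mark Link1 Out
      chain=output action=mark-routing new-routing-mark=Link1-Route passthrough=yes connection-mark=Link1-Conn
 5    ;;; Mark Link2 Out
      chain=output action=mark-routing new-routing-mark=Link2-Route passthrough=yes connection-mark=Link2-Con
"""

# key=value pairs; the lookbehind keeps "new-connection-mark" from also
# being read as "connection-mark".
PAIR = re.compile(r'(?<![\w-])([a-z][a-z-]*)=("[^"]*"|\S+)')

def parse_rules(text):
    """Split mangle 'print' output into one dict of properties per rule."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if m:  # a leading number starts a new rule
            rules.append({"id": int(m.group(1))})
            line = m.group(2)
        if rules and ";;;" not in line:  # skip comment lines
            rules[-1].update(PAIR.findall(line))
    return rules

def unassigned_marks(rules):
    """Return (rule id, matched mark, closest assigned mark) for every rule
    that matches on a connection mark which no rule assigns."""
    assigned = {r["new-connection-mark"] for r in rules if "new-connection-mark" in r}
    findings = []
    for r in rules:
        mark = r.get("connection-mark", "no-mark").lstrip("!")
        if mark != "no-mark" and mark not in assigned:
            hint = get_close_matches(mark, sorted(assigned), n=1)
            findings.append((r["id"], mark, hint[0] if hint else None))
    return findings

if __name__ == "__main__":
    for rule_id, mark, hint in unassigned_marks(parse_rules(SAMPLE)):
        print(f"rule {rule_id}: connection-mark={mark} is never assigned (did you mean {hint}?)")
```
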
 
antiqued4
just joined
Topic Author
Posts: 20
Joined: Mon Jan 13, 2020 1:50 pm

Re: Mangle problems after update 6.46.7

Thu Oct 15, 2020 10:28 pm

No wonder that your "Mark Link2 Out" rule never counts, as you refer to connection-mark=Link2-Con (single n in the end) in that rule, while the rule assigning the connection-mark to the traffic coming in via in-interface=PPPoE-Ampernet assigns a connection mark Link2-Conn (double n in the end).

Sorry, this is right, it was just my mistake when copying it to the notepad; even so, this is not counting packets.
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mangle problems after update 6.46.7

Thu Oct 15, 2020 10:51 pm

I am confused by your reaction. Are you saying that the connection mark value set in the rule in chain output is actually correct (Link2-Conn), but nevertheless the rule doesn't match on any packet? And that the missing n in the post before is just a copy-paste error?
 
antiqued4
just joined
Topic Author
Posts: 20
Joined: Mon Jan 13, 2020 1:50 pm

Re: Mangle problems after update 6.46.7

Thu Oct 15, 2020 10:57 pm

I am confused by your reaction. Are you saying that the connection mark value set in the rule in chain output is actually correct (Link2-Conn), but nevertheless the rule doesn't match on any packet? And that the missing n in the post before is just a copy-paste error?

Yes, my rules are correct, as you warned there. The problem was that when copying to the notepad I ended up changing the names of the connections, which had private information, and I ended up typing them wrong, but everything is correct.
Imagine that in this code the missing "n" is correct.
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mangle problems after update 6.46.7

Thu Oct 15, 2020 11:29 pm

Imagine that in this code the missing "n" is correct
OK. In this case, I suspect that the router doesn't actually respond to incoming packets which get the connection-mark Link2-Conn, or that it has no route to the sender of those packets in the routing table main. In the first case, something in the firewall may prevent it from responding; the explanation for the second one is more complex. Packets sent by the router itself are first routed using the routing table main; also determination of the source address for these packets is part of this process. Only if a route for the packet is found during this first step, it is handled by chain output of mangle, and if a routing-mark is assigned there, the routing is done one more time, taking the routing-mark into account. On the packet flow graph this step is called "routing adjustment".
 
antiqued4
just joined
Topic Author
Posts: 20
Joined: Mon Jan 13, 2020 1:50 pm

Re: Mangle problems after update 6.46.7

Thu Oct 15, 2020 11:45 pm

Imagine that in this code the missing "n" is correct
OK. In this case, I suspect that the router doesn't actually respond to incoming packets which get the connection-mark Link2-Conn, or that it has no route to the sender of those packets in the routing table main. In the first case, something in the firewall may prevent it from responding; the explanation for the second one is more complex. Packets sent by the router itself are first routed using the routing table main; also determination of the source address for these packets is part of this process. Only if a route for the packet is found during this first step, it is handled by chain output of mangle, and if a routing-mark is assigned there, the routing is done one more time, taking the routing-mark into account. On the packet flow graph this step is called "routing adjustment".

I don't know if it helps you with anything, but my route table is as follows: there is a 0.0.0.0/0 for link 1 with weight 1, and there is another one for link 2 with weight 2.
There are two more 0.0.0.0/0 routes, one for each route mark.
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mangle problems after update 6.46.7

Thu Oct 15, 2020 11:59 pm

So look into the firewall rules, and if you find nothing there, use /tool sniffer quick ip-address=ip.of.the.remote to see whether the router sends the response anywhere at all when you try to connect from outside to its public IP on uplink #2, or even whether the request from outside actually arrives to it. It could be that the ISP started blocking some ports during the time you weren't actively using the setup.