n1kt0
Topic Author
Posts: 12
Joined: Sun Dec 07, 2014 9:44 pm

multiple ip in 1 wan (CHR in Amazon)

Thu Dec 24, 2020 11:53 am

Hi all.

Help me to understand.
So, I have a CHR on Amazon.

I want to make it so that
1. L2TP is always connected from a specific IP
2. Certain machines leave the network only with certain IPs (2/3)

I was issued 3 IPs and each is bound to a static IP from the Amazon pool:

Private — StatIP
192.168.0.10 — 1.1.1.1
192.168.0.11 — 2.2.2.2
192.168.0.12 — 3.3.3.3

[screenshot]

In the route list I added these entries:

[screenshot]

What I am doing: I created three entries in the route list with a routing mark, and ping:
ping 13.13.13.13 routing-table=route_out_192.168.0.12
What is the result? On 13.13.13.13 I see pings from 1.1.1.1, that is, going out from 192.168.0.10.
Am I doing something wrong? Why don't the rules (the routing-mark rules) work?
---
The next question is how to make L2TP always exit via 1.1.1.1? For the test, I did the following:
chain=prerouting action=mark-routing new-routing-mark=route_out_192.168.0.12 passthrough=no protocol=udp dst-port=500,1701,4500
and
chain=prerouting action=route passthrough=no route-dst=192.168.0.12 protocol=udp dst-port=500,1701,4500
I see traffic in the statistics window, but the rule still doesn't work.
Nothing works; it always exits through 192.168.0.10 (StatIP 1.1.1.1).

Can you give me a link to what to read?
Thank you.
P.S. sorry for my English
 
n1kt0
Topic Author
Posts: 12
Joined: Sun Dec 07, 2014 9:44 pm

Re: multiple ip in 1 wan (CHR in Amazon)

Tue Dec 29, 2020 4:25 pm

On the first question, I made a mistake:
I didn't create the table
route_out_192.168.0.12

[screenshot]

I created it and now when I ping
ping 13.13.13.13 routing-table=route_out_192.168.0.12
everything works. I see incoming packets on 13.13.13.13 with IP 3.3.3.3.
That is, the table is working.

However, I still have a problem with L2TP: I cannot send data from the IP I need in any way.
/ip firewall mangle
chain=output action=mark-connection new-connection-mark=conn_from_192.168.0.12 passthrough=yes protocol=udp src-address-type="" src-address-list=localhost_list dst-port=500,1701,4500 log=no
chain=output action=mark-routing new-routing-mark=route_out_192.168.0.12 passthrough=yes connection-mark=conn_from_192.168.0.12 log=no
The rules don't work. The connection comes from 192.168.0.10.
[screenshot]
The client connection is from IP 1.1.1.1. It should be a connection from 3.3.3.3.

Thank you.
P.S. sorry for my English
 
sindy
Forum Guru
Posts: 6655
Joined: Mon Dec 04, 2017 9:19 pm

Re: multiple ip in 1 wan (CHR in Amazon)

Wed Dec 30, 2020 8:38 pm

There are several points.

First of all, the source address of a packet sent by the router itself is chosen when the route is selected, but routing takes place before the packet reaches the output chain. If a new routing-mark is eventually assigned by a mangle rule in the output chain, the packet is routed again using the required routing table, but its source address remains unchanged.

So however surprising it may seem, to change the source address of packets sent by the router itself, you need an action=src-nat rule.

Second, there is no point in assigning a connection-mark using one rule and then using another rule to translate the connection-mark into routing-mark in this particular case.

Third, the action=src-nat rule is actually sufficient alone, you don't need the route with pref-src at all. Just bear in mind that the rules in the /ip firewall nat table are only checked for the first packet of each connection, so you need to either remove the existing connections, or disable the client for more than three minutes, which is the connection timeout for UDP.

Last, if the IPsec policy is generated dynamically, you have to let the action=src-nat rule match only on source UDP ports 500 and 4500, not those from 1701, as otherwise the L2TP packets would not be matched by the policy.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
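The four points above, written out as a working configuration. This is an added example, not sindy's or n1kt0's own config; it assumes the L2TP/IPsec client runs on the CHR itself, that the peer is 203.0.113.1, that the WAN interface is ether1 and that the default route currently picks 192.168.0.10 as source (the thread names none of these), using RouterOS v7 syntax:

```routeros
# Added example, not from the original posts. Assumptions: L2TP/IPsec client on the CHR,
# peer 203.0.113.1, WAN interface ether1, default route chooses 192.168.0.10 as source.

# The client; the IPsec peer and policy are generated dynamically from this entry.
/interface l2tp-client
add name=l2tp-out1 connect-to=203.0.113.1 user=vpnuser password=CHANGEME \
    use-ipsec=yes ipsec-secret=CHANGEME disabled=no

# Point 1: a routing-mark assigned in mangle output only re-routes the packet; the source
# address already chosen (192.168.0.10) stays, so it has to be rewritten by src-nat.
# Point 4: match only IKE and NAT-T (UDP 500, 4500). Do NOT include 1701: the L2TP packets
# must still carry source 192.168.0.10 when the dynamic IPsec policy is checked, otherwise
# they miss the policy and leave unencrypted. After ESP-in-UDP encapsulation they are
# UDP 4500 packets and are rewritten by this rule like the IKE packets.
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=192.168.0.10 dst-address=203.0.113.1 \
    protocol=udp src-port=500,4500 action=src-nat to-addresses=192.168.0.12 \
    comment="L2TP/IPsec to peer leaves via 192.168.0.12 (elastic IP 3.3.3.3)"

# Point 3: NAT rules are consulted only for the first packet of a connection. Drop the
# tracked UDP connections towards the peer (or keep the client disabled for more than
# three minutes, the UDP connection timeout) so the new rule is applied on reconnect.
/interface l2tp-client disable [find name=l2tp-out1]
/ip firewall connection remove [find dst-address~"203.0.113.1"]
/interface l2tp-client enable [find name=l2tp-out1]

# Checks after the tunnel comes back up:
/ip firewall nat print stats
# counters of the src-nat rule above must be non-zero
/ip ipsec active-peers print
# the peer should be established
/ip ipsec policy print
# the dynamic policy still has src-address 192.168.0.10, which is why port 1701 is not NATed
```

On the AWS side nothing changes: the elastic IP mapping already turns 192.168.0.12 into 3.3.3.3, so the peer sees the tunnel arriving from 3.3.3.3. If the rule counters stay at zero after the reconnect, the old connection-tracking entries were still present; remove them again while the client is disabled.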
 
n1kt0
Topic Author
Posts: 12
Joined: Sun Dec 07, 2014 9:44 pm

Re: multiple ip in 1 wan (CHR in Amazon)

Mon Jan 11, 2021 12:29 pm

Thank you very much for your answers.
Unfortunately I have not come across multiple IPs before.

> So however surprising it may seem, to change the source address of packets sent by the router itself, you need an action=src-nat rule.

Then it is not clear what to do with "SOCKS5", for example? How do I specify the outgoing IP?
This is a local process.

> Second, there is no point in assigning a connection-mark using one rule and then using another rule to translate the connection-mark into routing-mark in this particular case.

It was an idea: several different rules for connections, one rule for outgoing traffic. Apparently the idea is bad.

> Last, if the IPsec policy is dynamically generated, you have to let the action=src-nat rule match only on source UDP ports 500 and 4500, not those from 1701, as otherwise the L2TP packets would not be matched by the policy ...

Thank you. I didn't know about port 1701. I always try to make a separate rule for each port; this time I decided to do it quickly.

We wanted it as good as possible, but it turned out as always.
Thank you.
P.S. sorry for my English
 
n1kt0
Topic Author
Posts: 12
Joined: Sun Dec 07, 2014 9:44 pm

Re: multiple ip in 1 wan (CHR in Amazon)

Mon Jan 11, 2021 12:52 pm

> Then it is not clear what to do with "SOCKS5", for example? How do I specify the outgoing IP?
> This is a local process.

I meant when it is not transit traffic, but traffic addressed to the router itself.
This will not work through src-nat. But the marking in mangle does not work.

Thank you.
P.S. sorry for my English
 
sindy
Forum Guru
Posts: 6655
Joined: Mon Dec 04, 2017 9:19 pm

Re: multiple ip in 1 wan (CHR in Amazon)

Mon Jan 11, 2021 1:14 pm

> Then it is not clear what to do with "SOCKS5", for example? How do I specify the outgoing IP?
> This is a local process.
> I meant when it is not transit traffic, but traffic addressed to the router itself.
> This will not work through src-nat. But the marking in mangle does not work.

You cannot choose a particular local source IP per SOCKS5 client. But you can per destination, if that is sufficient for you, using routes with pref-src or a combination of mangle rules and src-nat rules as described above.

The connection of the SOCKS5 client to the SOCKS5 proxy and the connection from the SOCKS5 proxy to the actual destination are only linked to each other at application level (the SOCKS5 proxy process), not at network stack level. So there is no way any mark assigned by a mangle rule to the client-to-server packet or connection could reach the server-to-destination packet or connection.

> Second, there is no point in assigning a connection-mark using one rule and then using another rule to translate the connection-mark into routing-mark in this particular case.
> It was an idea: several different rules for connections, one rule for outgoing traffic. Apparently the idea is bad.

Use the case to study the purpose of the connection-mark to understand why the idea is bad (or let's say just overcomplicated in this particular case). It is a very important tool if used properly.

The idea to use multiple rules with complex match conditions to assign the same connection-mark, and then translate the connection-mark value to a routing-mark value using a single simple rule, is correct as such (it's how it is intended to work), but the important detail which is missing in your implementation is to only evaluate all the complex rules for the initial packet of each connection, not for all packets.

Example:
/ip firewall mangle
add chain=output connection-state=new action=jump jump-target=o-mark-conn
add chain=output connection-mark=no-mark action=accept
add chain=output connection-mark=CM1 action=mark-routing new-routing-mark=RM1 passthrough=no
...
add chain=output connection-mark=CMN action=mark-routing new-routing-mark=RMN passthrough=no
add chain=o-mark-conn ...some complex conditions... action=mark-connection new-connection-mark=CM1 passthrough=yes
...
add chain=o-mark-conn ...other complex conditions... connection-mark=no-mark action=mark-connection new-connection-mark=CMN passthrough=yes

The order of the rules assigning the routing-mark should be such that most traffic passes least rules, to save CPU consumption.

> P.S. sorry for my English

There are two ways out: use the Russian-language forum, or communicate in English even more, and it will get even better. Actually it is noticeable that English is not your native language, but there are no unclear passages. So if it is genuine and not Google Translate, everything is fine.
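A filled-in version of the skeleton above, covering both the "mark once, translate cheaply" pattern and the earlier points about routing tables and source addresses. This is an added example, not part of sindy's post or of the thread's own configuration. It uses RouterOS v7 syntax and assumes the WAN is ether1 with gateway 192.168.0.1, that the destinations to be reached from 2.2.2.2 and 3.3.3.3 are kept in address lists, and that 10.10.10.5 is one of the LAN/VPN machines from goal 2 of the opening post (all assumptions). On v6 there is no /routing table menu: a route with routing-mark=X creates table X implicitly, and the routes below would use routing-mark= instead of routing-table=.

```routeros
# Added example, not from the original posts. RouterOS v7 syntax. Assumptions: WAN on ether1,
# gateway 192.168.0.1, destination groups in address lists, a transit client at 10.10.10.5.

# Destinations that must be reached from 192.168.0.11 (2.2.2.2) or 192.168.0.12 (3.3.3.3)
/ip firewall address-list
add list=dst_via_11 address=198.51.100.0/24
add list=dst_via_12 address=203.0.113.0/24

# The tables must exist before a mangle rule can reference them (the first mistake in the thread).
/routing table
add name=route_out_192.168.0.11 fib
add name=route_out_192.168.0.12 fib

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=route_out_192.168.0.11
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=route_out_192.168.0.12

/ip firewall mangle
# The classification runs once, for the first packet of each router-originated connection
add chain=output connection-state=new action=jump jump-target=o-mark-conn
# Most traffic is unmarked and leaves the chain after two rule checks
add chain=output connection-mark=no-mark action=accept
# One cheap rule per class translates the connection-mark into the routing-mark for every packet
add chain=output connection-mark=conn_via_11 action=mark-routing \
    new-routing-mark=route_out_192.168.0.11 passthrough=no
add chain=output connection-mark=conn_via_12 action=mark-routing \
    new-routing-mark=route_out_192.168.0.12 passthrough=no
# The "complex conditions": here just address lists, but any set of matchers works.
# connection-mark=no-mark on the later rules keeps the first match from being overwritten.
add chain=o-mark-conn dst-address-list=dst_via_12 action=mark-connection \
    new-connection-mark=conn_via_12 passthrough=yes
add chain=o-mark-conn dst-address-list=dst_via_11 connection-mark=no-mark action=mark-connection \
    new-connection-mark=conn_via_11 passthrough=yes

# The routing-mark only re-routes; the source address chosen before mangle output stays.
# The same connection-mark is therefore reused in srcnat to rewrite the source.
/ip firewall nat
add chain=srcnat out-interface=ether1 connection-mark=conn_via_11 action=src-nat \
    to-addresses=192.168.0.11
add chain=srcnat out-interface=ether1 connection-mark=conn_via_12 action=src-nat \
    to-addresses=192.168.0.12
# Goal 2 of the opening post, transit traffic: this client always leaves as 2.2.2.2
add chain=srcnat out-interface=ether1 src-address=10.10.10.5 action=src-nat \
    to-addresses=192.168.0.11

# Check: a router-originated test towards a listed destination is counted by the matching
# srcnat rule and shows the rewritten reply address in the connection table
/ping 203.0.113.1 count=3
/ip firewall nat print stats
/ip firewall connection print where dst-address~"203.0.113.1"
```

With all three private addresses on ether1 behind the same gateway, the two extra routing tables do not change the path at all; they only become useful if the paths ever differ. The address selection itself is done entirely by the src-nat rules, which is sindy's third point. Remember the connection-tracking caveat from the same post: connections that existed before the rules were added keep their old source until they time out or are removed.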
