Ryzz
just joined
Topic Author
Posts: 14
Joined: Sun Sep 30, 2018 1:48 am

Redirecting Traffic with a Mangle Rule

Wed Jan 06, 2021 11:13 am

I have an IPsec VPN running between two networks (mine and my parents') with an RB3011 and an RB4011. I'm trying to stop high-bandwidth traffic like Plex from going over the VPN and instead route it over the public internet, as I've found it's buffering a lot.

I tried to create a mangle rule with the source address of the TV running Plex and port 32400, and redirect the traffic out the public internet instead; however, even though I can see the traffic counters on the mangle rule incrementing, Plex traffic is still going over the VPN.

This is my mangle rule:
chain=prerouting action=mark-routing new-routing-mark=BypassVPN passthrough=yes protocol=tcp src-address=10.253.11.234 dst-port=32400 log=no log-prefix="" 
This is my route with the routing mark:
ip route> print detail 
 0 A S  dst-address=0.0.0.0/0 gateway=ether1 gateway-status=ether1 reachable distance=1 scope=30 target-scope=10 routing-mark=BypassVPN
 
Any ideas what I'm missing here to try and get Plex traffic to go over the public internet instead of the VPN? It seems that Plex is somehow resolving the server IP as an internal address instead of the public IP as well; I don't know how Plex knows it's on a VPN-connected network to discover the internal IP instead of the public IP. There is also no shared DNS infrastructure for the TV to use to resolve the IP address.

If this is more of a Plex issue than a MikroTik issue, I'll repost elsewhere. Thanks for any help here.
 
sindy
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: Redirecting Traffic with a Mangle Rule

Wed Jan 06, 2021 12:24 pm

If it is a bare IPsec VPN, not a "some-tunneling-protocol over IPsec" one, the packets are chosen for being sent via the VPN by matching them to the "traffic selector" specified by the /ip ipsec policy row after the "normal" routing has taken place. So no matter which output interface and gateway are chosen by the "normal" routing, if the source and destination address, protocol, and source and destination port of the packet match the traffic selector of some policy, the packet is redirected into the security association linked to that policy. So to prevent the packet from being sent down that security association, you must make sure that it doesn't match the corresponding traffic selector. You can do that by
  • modifying the traffic selector
  • adding an action=none policy with a more specific traffic selector matching such packets before the policy you want to exempt the packets from (the policies are matched first to last until the first match, like firewall rules)
  • adding a src-nat rule, or exempting the packet from an existing src-nat rule, so that its source address changes to one not matching the traffic selector (or does not change to one matching the traffic selector)
If you need more specific advice on what to change in your existing setup, you have to post configuration exports from both routers. See my automatic signature regarding "non-destructive" anonymisation.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
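Added example (not from sindy's post or from the export in this thread): the second option above, the action=none exemption policy, written as RouterOS 6 commands using the addresses from this thread. It assumes the Plex server sits inside 192.168.0.0/16 on TCP/32400 and that the enabled tunnel policy is the one with proposal=mikrotik.

```routeros
# Added example, not part of the thread: exempt the TV's Plex traffic from the
# IPsec SA with an action=none policy placed BEFORE the tunnel policy.
# Policies are matched first to last, first match wins, so ordering matters.
# Plex server range/port assumed: 192.168.0.0/16, TCP/32400.
/ip ipsec policy
add action=none comment="Exempt TV->Plex from IPsec tunnel" \
    src-address=10.253.11.234/32 dst-address=192.168.0.0/16 \
    protocol=tcp dst-port=32400 \
    place-before=[find dst-address=192.168.0.0/16 proposal=mikrotik]

# Check the ordering: the action=none row must print above the tunnel row.
/ip ipsec policy print

# A packet matching the exemption is not handed to the SA; it follows normal
# routing and, because the defconf masquerade rule carries ipsec-policy=out,none,
# is NATed out ether1. The mark-routing mangle rule plays no part in this:
# routing marks are applied before the policy check and cannot keep a packet
# out of the SA on their own.
```

As the last post in this thread shows, this only helps when the TV resolves the Plex name to the public address: an exempted packet still addressed to 192.168.x.x is routed to the internet and blackholed.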
 
Ryzz
just joined
Topic Author
Posts: 14
Joined: Sun Sep 30, 2018 1:48 am

Re: Redirecting Traffic with a Mangle Rule

Fri Jan 08, 2021 4:53 am

Thanks @Sindy,

When you refer to the traffic selector, are you referring to the policies section under IP -> IPSec? I have a very broad scope here; it's a /16 network that encompasses where the Plex server happens to sit on the destination network.

I have included a copy of the running config and updated the public IPs to be more discreet where possible. I'm not too fussed about private IP ranges.

Thanks again for your help


# jan/04/2021 00:30:13 by RouterOS 6.44.3
# software id = 8Y0I-6ZYA
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09915961
/interface bridge
add admin-mac=B8:69:F4:98:61:79 auto-mac=no comment=defconf \
    ingress-filtering=yes name=bridge pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] name=ether6-master speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    profile1
/ip ipsec peer
add address=Public.1/32 local-address=Public.2 name=peer1 profile=\
    profile1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=mikrotik
/ip pool
add name=Pool_VLAN10 ranges=10.253.11.2-10.253.11.250
add comment="IP Pool for VLAN20 DHCP" name=Pool_VLAN20 ranges=\
    10.253.12.2-10.253.12.250
add name=VPN-Pool ranges=172.16.2.2-172.16.2.254
/ip dhcp-server
add address-pool=Pool_VLAN10 disabled=no interface=vlan10 name=Jamberoo_DHCP
add add-arp=yes address-pool=Pool_VLAN20 disabled=no interface=vlan20 name=\
    DHCP_VLAN20
/interface bridge port
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether10
add bridge=bridge interface=ether9
add bridge=bridge ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2-master pvid=10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether2-master,ether3,ether5 \
    vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/interface sstp-server server
set authentication=mschap2 certificate="VPN Server" enabled=yes force-aes=yes \
    pfs=yes
/ip address
add address=10.253.12.1/24 interface=vlan20 network=10.253.12.0
add address=10.253.11.1/24 interface=vlan10 network=10.253.11.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-relay
add dhcp-server=192.168.100.4 interface=ether2-master local-address=\
    10.253.11.1 name=Kiama_Relay
add add-relay-info=yes dhcp-server=192.168.100.4 disabled=no local-address=\
    10.253.12.1 name=Guest_WIFI_Relay relay-info-remote-id=10.253.12.1
/ip dhcp-server lease
add address=10.253.11.230 client-id=1:70:1f:53:b:6f:c0 comment=\
    "Cisco Phone ATA" mac-address=70:1F:53:0B:6F:C0 server=Jamberoo_DHCP
add address=10.253.11.234 client-id=1:50:56:bf:39:a6:4c mac-address=\
    50:56:BF:39:A6:4C server=Jamberoo_DHCP
/ip dhcp-server network
add address=10.253.11.0/24 comment=defconf dns-server=\
    192.168.100.5,192.168.100.13,202.142.142.142 domain=ecs.local gateway=\
    10.253.11.1 netmask=24 ntp-server=103.38.120.36
add address=10.253.12.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.253.12.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=159.148.172.226 name=upgrade.mikrotik.com
/ip firewall address-list
add address=Public.3 list=IronbarkCr
add address=Public.1/31 list=IronbarkCr
add address=Public.4 list=IronbarkCr
add address=192.168.0.0/17 list=IronbarkCr_Internal
add address=10.13.254.0/24 list=IronbarkCr_Internal
add address=10.70.0.0/16 list=IronbarkCr_Internal
/ip firewall filter
add action=accept chain=forward comment=\
    "Allow  VPN Traffic between Jamberoo & Kiama" dst-address=10.253.11.0/24 \
    src-address=192.168.0.0/16
add action=drop chain=forward disabled=yes dst-address=192.168.150.56 \
    dst-port=32400 protocol=tcp
add action=accept chain=input comment="Allow ANY from Public.4" \
    src-address=Public.4
add action=accept chain=forward comment=\
    "Allow LAN access to 192.168.100.0/16" dst-address=192.168.0.0/16 \
    src-address=10.253.11.0/24
add action=drop chain=forward comment=\
    "Block Guest Wifi from accessing Jamberoo or Kiama Production Networks" \
    disabled=yes dst-address=10.253.11.0/24 dst-address-list=IronbarkCr \
    src-address=10.253.12.0/24
add action=accept chain=input comment="Ipsec  VPN" log=yes protocol=ipsec-ah \
    src-address=Public.4
add action=accept chain=input comment="Ipsec VPN" protocol=ipsec-esp \
    src-address=Public.4
add action=accept chain=input dst-port=500 in-interface=ether1 log=yes \
    log-prefix=vpn protocol=udp src-address=Public.4
add action=accept chain=forward comment=\
    "Alarm System - TCP/10000 -> 10.253.11.235" dst-port=10000 in-interface=\
    ether1 log=yes protocol=tcp
add action=accept chain=forward dst-port=10000 in-interface=ether1 log=yes \
    protocol=tcp
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
add action=accept chain=forward comment="Allow VPN Traffic Jamberoo & Kiama" \
    dst-address=10.13.252.0/23 log=yes src-address=10.253.11.0/24
add action=accept chain=input comment="Winbox remote access" dst-port=8291 \
    protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="Drop Shadow Server Foundation IP's" \
    src-address-list=ShadowFoundation
add action=drop chain=input comment="Drop all China traffic" \
    src-address-list=CN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes
/ip firewall mangle
add action=mark-routing chain=prerouting dst-port=32400 new-routing-mark=\
    BypassVPN passthrough=yes protocol=tcp src-address=10.253.11.234
add action=change-mss chain=forward new-mss=1448 protocol=tcp tcp-flags=syn \
    tcp-mss=!0-1448
/ip firewall nat
add action=accept chain=srcnat comment="IPSec SrcNat Traffic" dst-address=\
    192.168.0.0/16 src-address=10.253.11.0/24
add action=accept chain=srcnat comment="IPSec SrcNat Traffic" disabled=yes \
    dst-address=10.13.252.0/23 src-address=10.253.11.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1 out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Paradox Alarm" dst-port=10000 log=\
    yes protocol=tcp to-addresses=10.253.11.235 to-ports=10000
add action=dst-nat chain=dstnat disabled=yes dst-port=5060-5061 protocol=udp \
    to-addresses=10.253.11.230 to-ports=5060-5061
add action=dst-nat chain=dstnat disabled=yes dst-port=5060-5061 protocol=tcp \
    to-addresses=10.253.11.230 to-ports=5060-5061
add action=dst-nat chain=dstnat comment=\
    "Paradox Alarm System - Web Port                  8437/adeptsec" \
    dst-port=81 protocol=tcp to-addresses=10.253.11.235
add action=accept chain=dstnat comment="DHCP-Relay  NAT Accept" disabled=yes \
    dst-address=192.168.100.4
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add notrack-chain=output peer=peer1
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=10.13.252.0/23 proposal=mikrotik sa-dst-address=\
    Public.4 sa-src-address=Public.2 src-address=10.253.11.0/24 \
    tunnel=yes
add dst-address=192.168.0.0/16 proposal=mikrotik sa-dst-address=Public.4 \
    sa-src-address=Public.2 src-address=10.253.11.0/24 tunnel=yes
/ip route
add distance=1 gateway=ether1 routing-mark=BypassVPN
/ip route rule
add routing-mark=BypassVPN src-address=10.253.11.234/32 table=BypassVPN
/ip service
set winbox address=192.168.0.0/16,10.253.11.0/24
/ip upnp
set show-dummy-rule=no
/ip upnp interfaces
add interface=ether2-master type=internal
add interface=ether1 type=external
/lcd
set enabled=no
/ppp secret
add name=ryan service=sstp
/system clock
set time-zone-name=Australia/Sydney
/system logging
add topics=ipsec,debug,error,info
add disabled=yes topics=debug,dhcp
/system ntp client
set enabled=yes primary-ntp=192.189.54.33 secondary-ntp=13.55.50.68
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set filter-interface=all filter-ip-address=10.253.11.230/32 \
    filter-operator-between-entries=and streaming-server=10.253.11.248
 
sindy
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: Redirecting Traffic with a Mangle Rule

Fri Jan 08, 2021 7:09 pm

> When you refer to the traffic selector, are you referring to the policies section under IP -> IPSec?
Yes, the traffic selector consists of the src-address, dst-address, protocol, src-port and dst-port parameters of the policy, where the default is always "any".

But the only policy enabled in your export shows that only everything from 10.253.11.0/24 to 192.168.0.0/16 will be diverted to the tunnel, and there is no reference to mode-config and dynamic policy generation in the /ip ipsec identity, so I can't see how traffic to public IPs could be diverted to the tunnel.

Did you have dst-address=0.0.0.0/0 in the static policy before?
 
Ryzz
just joined
Topic Author
Posts: 14
Joined: Sun Sep 30, 2018 1:48 am

Re: Redirecting Traffic with a Mangle Rule

Tue Jan 12, 2021 3:43 am

> When you refer to the traffic selector, are you referring to the policies section under IP -> IPSec?
> Yes, the traffic selector consists of the src-address, dst-address, protocol, src-port and dst-port parameters of the policy, where the default is always "any".
>
> But the only policy enabled in your export shows that only everything from 10.253.11.0/24 to 192.168.0.0/16 will be diverted to the tunnel, and there is no reference to mode-config and dynamic policy generation in the /ip ipsec identity, so I can't see how traffic to public IPs could be diverted to the tunnel.
>
> Did you have dst-address=0.0.0.0/0 in the static policy before?
Thanks again for your help. I tracked it down further after more investigation and found that the DHCP scope refers to a shared DNS server in the primary site where the Plex server is. The DNS server was running split DNS for the public namespace, which resulted in the 192.168.x.x internal IP being resolved for the Plex DNS name. Hence the IP went over the tunnel.

I need to find a workaround for this DNS issue; it's an overall design issue and not as simple as I hoped. I tried moving the Plex server into a new VLAN with a 10.x.x.x address that's not routed over the tunnel, however this just blackholes the traffic as DNS is still resolving the local, not the public, IP.
