dksoft
Frequent Visitor
Topic Author
Posts: 56
Joined: Thu Dec 06, 2012 8:56 am
Location: Germany

Howto mark Amazon AWS traffic?

Fri Jan 08, 2021 6:45 pm

Dear forum members,

I would like to mark traffic that goes to Amazon AWS, e.g. github-production-release-asset-2e65be.s3.amazonaws.com, so that routing goes through my second WAN.
Usually I use an address list and then mark the traffic via a mangle rule.

The problem with Amazon AWS is that the IP-address changes very quickly, so that the address list is not updated quick enough.

Any ideas, how to mangle that traffic?

Thanks and best regards
dksoft
Setup: Dt. Telekom FTTH with GPON SFP MA5671A, CHR on Promox, CRS328-24P-4S+RM, multiple WAP AC via CAPsMAN. MCTNA
 
Sob
Forum Guru
Posts: 6469
Joined: Mon Apr 20, 2009 9:11 pm

Re: Howto mark Amazon AWS traffic?

Fri Jan 08, 2021 8:17 pm

How exactly do you do it? Do you mark routing directly based on the address list? That wouldn't work well if it changes very often. But if you mark connections based on the address list and then mark routing based on connection marks, it should work.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
R1CH
Forum Veteran
Posts: 945
Joined: Sun Oct 01, 2006 11:44 pm

Re: Howto mark Amazon AWS traffic?

Fri Jan 08, 2021 8:53 pm

The IP ranges are published at https://ip-ranges.amazonaws.com/ip-ranges.json, just script something to update the address list.
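As an added illustration of the "script something" suggestion (not R1CH's or dksoft's own script), the following Python builds the RouterOS address-list commands from a document in the ip-ranges.json format, de-duplicating prefixes that the file lists under several services and skipping malformed entries. The sample JSON is constructed for the demo; in practice the real file is fetched over HTTPS from https://ip-ranges.amazonaws.com/ip-ranges.json and the generated list feeds the mark-connection rule discussed in this thread.

```python
import ipaddress
import json

# Constructed sample in the layout Amazon publishes. The same prefix appears
# under AMAZON and S3, which is how the real file reports shared ranges, and
# one entry is deliberately malformed to show it is skipped rather than pushed
# to the router.
SAMPLE_JSON = """{
  "syncToken": "1610000000",
  "prefixes": [
    {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON"},
    {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "S3"},
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
    {"ip_prefix": "not-a-prefix", "region": "eu-central-1", "service": "EC2"}
  ]
}"""


def aws_prefixes(doc, services=None):
    """Return sorted, de-duplicated IPv4 networks from an ip-ranges.json text.

    services: optional set such as {"S3"} to keep only the services you route;
    None keeps every prefix in the file.
    """
    data = json.loads(doc)
    nets = set()
    for entry in data.get("prefixes", []):
        if services and entry.get("service") not in services:
            continue
        try:
            # strict=True rejects host bits set outside the mask
            nets.add(ipaddress.IPv4Network(entry["ip_prefix"], strict=True))
        except (KeyError, ValueError):
            continue  # malformed entry: skip it, never feed it to the router
    return sorted(nets)


def routeros_commands(doc, list_name="AmazonAWS", services=None):
    """Emit RouterOS commands that flush the old list and add the current prefixes.

    The syncToken is recorded in each entry's comment so a later run can tell
    which published version the list was built from.
    """
    token = json.loads(doc).get("syncToken", "unknown")
    lines = [f"/ip firewall address-list remove [find list={list_name}]"]
    for net in aws_prefixes(doc, services):
        lines.append(
            f"/ip firewall address-list add list={list_name} address={net} "
            f'comment="aws sync {token}"'
        )
    return lines
```

Because the mangle rule marks the connection only once (connection-state=new), entries removed from the list during a refresh do not break sessions that are already routed out WAN2.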
 
dksoft
Frequent Visitor
Topic Author
Posts: 56
Joined: Thu Dec 06, 2012 8:56 am
Location: Germany

Re: Howto mark Amazon AWS traffic?

Fri Jan 08, 2021 11:15 pm

How exactly do you do it?

This works, I hope it's the MikroTik way:
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark outgoing Amazon AWS connection" connection-mark=no-mark connection-state=new \
dst-address-list=AmazonAWS new-connection-mark=WAN2_con passthrough=yes
add action=mark-connection chain=prerouting comment="WAN2_rt set by DHCP client" connection-mark=no-mark connection-state=new \
in-interface=WAN2 new-connection-mark=WAN2_con passthrough=yes
add action=mark-routing chain=prerouting comment="WAN2_rt set by DHCP client" connection-mark=WAN2_con new-routing-mark=WAN2_rt passthrough=no

/ip route
add comment="WAN2_rt set by DHCP client" distance=1 gateway=<WAN2 ip-address> routing-mark=WAN2_rt


The IP ranges are published at https://ip-ranges.amazonaws.com/ip-ranges.json, just script something to update the address list.

That's the solution, thank you. I removed duplicates and added 2.766 IPv4 addresses to my address list.
Deutsche Telekom has a very poor peering to github hosted on Amazon AWS. Without routing the traffic over my second WAN, I download at 24 KB/s over FTTH.

There is one drawback: as ROS 6 does not do IPv6 source routing, I can no longer use IPv6 in my network until ROS 7 is released.
 
sindy
Forum Guru
Posts: 6657
Joined: Mon Dec 04, 2017 9:19 pm

Re: Howto mark Amazon AWS traffic?

Sat Jan 09, 2021 9:44 pm

As it's not clear from your post, do you know that you can use address-list items with an fqdn as an address, which is then kept up-to-date automatically?

The TCP session cannot survive a change of the remote address, so even if the FQDNs are migrating between IPs fast, tracking the current addresses using such an address list, marking the TCP connection just once when it is initiated, and using the connection-mark to assign the routing-mark as suggested by @Sob should be a maintenance-free solution, in the sense that you wouldn't need to watch for changes on the list published by Amazon.

The only question is how many individual fqdns we talk about here. If units, I'd say the above is better; if tens or more and the list of these fqdns is constantly changing, you'd have to use a periodically spawned script to learn the individual fqdns from the dns cache and add them to the address-list, so automated synchronisation of the list from AWS web may be equally complex.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.