Dear forum members,
I would like to mark traffic that goes to Amazon AWS, e.g. github-production-release-asset-2e65be.s3.amazonaws.com, so that routing goes throw my second WAN.
Usually I use an address list and then mark the traffic via a mangle rule.
The problem with Amazon AWS is that the IP-address changes very quickly, so that the address list is not updated quick enough.
Any ideas, how to mangle that traffic?
Thanks and best regards
dksoft
Howto mark Amazon AWS traffic?
Setup: Dt. Telekom FTTH with GPON SFP MA5671A, CHR on Promox, CRS328-24P-4S+RM, multiple WAP AC via CAPsMAN. MCTNA
Re: Howto mark Amazon AWS traffic?
How exactly you do it? Do you mark routing directly based on address list? That wouldn't work well if it changes very often. But if you mark connections based on address list and then mark routing based on connection marks, it should work.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
Re: Howto mark Amazon AWS traffic?
The IP ranges are published at https://ip-ranges.amazonaws.com/ip-ranges.json, just script something to update the address list.
Re: Howto mark Amazon AWS traffic?
How exactly you do it?
This works, I hope it's the Mikrotik way:
Code: Select all
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark outgoing Amazon AWS connection" connection-mark=no-mark connection-state=new \
dst-address-list=AmazonAWS new-connection-mark=WAN2_con passthrough=yes
add action=mark-connection chain=prerouting comment="WAN2_rt set by DHCP client" connection-mark=no-mark connection-state=new \
in-interface=WAN2 new-connection-mark=WAN2_con passthrough=yes
add action=mark-routing chain=prerouting comment="WAN2_rt set by DHCP client" connection-mark=WAN2_con new-routing-mark=WAN2_rt passthrough=no
/ip route
add comment="WAN2_rt set by DHCP client" distance=1 gateway=<WAN2 ip-address> routing-mark=WAN2_rt
That's the solution, thank you. I removed duplicates and added 2.766 IPv4 addresses to my address list.The IP ranges are published at https://ip-ranges.amazonaws.com/ip-ranges.json, just script something to update the address list.
Deutsche Telekom has a very poor peering to github hosted on Amazon AWS. Without routing the traffic over my second WAN, I download at 24 KB/s over FTTH.
There is one drawback: As ROS 6 does no IPv6 source routing, I can no longer use IPv6 in my network till ROS 7 is released.
Setup: Dt. Telekom FTTH with GPON SFP MA5671A, CHR on Promox, CRS328-24P-4S+RM, multiple WAP AC via CAPsMAN. MCTNA
Re: Howto mark Amazon AWS traffic?
As it's not clear from your post, do you know that you can use address-list items with an fqdn as an address, which is then kept up-to-date automatically?
The TCP session cannot survive a change of the remote address, so even if the fqdns are migrating between IPs fast, tracking the current addresses using such address list, marking the TCP connection just once when it is initiated, and using the connection-mark to assign the routing-mark as suggested by @Sob should be a maintenance-free solution in terms that you wouldn't need to watch for changes on the list published by Amazon.
The only question is how many individual fqdns we talk about here. If units, I'd say the above is better; if tens or more and the list of these fqdns is constantly changing, you'd have to use a periodically spawned script to learn the individual fqdns from the dns cache and add them to the address-list, so automated synchronisation of the list from AWS web may be equally complex.
The TCP session cannot survive a change of the remote address, so even if the fqdns are migrating between IPs fast, tracking the current addresses using such address list, marking the TCP connection just once when it is initiated, and using the connection-mark to assign the routing-mark as suggested by @Sob should be a maintenance-free solution in terms that you wouldn't need to watch for changes on the list published by Amazon.
The only question is how many individual fqdns we talk about here. If units, I'd say the above is better; if tens or more and the list of these fqdns is constantly changing, you'd have to use a periodically spawned script to learn the individual fqdns from the dns cache and add them to the address-list, so automated synchronisation of the list from AWS web may be equally complex.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.