ishanjain
Frequent Visitor
Topic Author
Posts: 55
Joined: Tue Sep 29, 2020 8:40 am

Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 9:08 pm

I have two WAN interfaces and I want to route all NTP traffic through a specific WAN gateway.

I tried marking udp/123 traffic with a via-lte mark in the prerouting/input chains and then adding the routing mark based on the packets or connections that have the via-lte mark, but this doesn't seem to be working.

All the clients in the network can successfully use NTP, but the NTP client in RouterOS was stuck on Waiting indefinitely. (This is because the ISP I am avoiding here blocks NTP traffic.)


Then I tried adding this mangle rule:
chain=output action=mark-routing new-routing-mark=lte-failover passthrough=no protocol=udp dst-port=123 log=yes log-prefix="route-over-lte-mark-added"
and now all the clients on the network can use NTP and RouterOS can use NTP too. Can someone here help me understand this rule? Suggestions to improve it are also welcome.

I had also added a `log` rule that simply logs all udp/123 traffic, and I see entries like this:
ntp input: in:lte-vlan out:(unknown 0), src-mac 54:0d:f9:f2:f8:de, proto UDP, p.q.r.s:123->a.b.c.d:123, NAT p.q.r.s:123->(x.y.z.w:123->a.b.c.d:123), len 76
where p.q.r.s is the address of time.windows.com,
a.b.c.d is the address of the WAN interface I am trying to avoid, and
x.y.z.w is the address of the WAN gateway I want to use.


I don't understand what's happening here.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 10:05 pm

Why do you want NTP traffic to go out a certain WAN? It cannot be using up much bandwidth.
How many devices do you have that need NTP?

Can you create and put all these devices on a vlan if numerous?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route ALL NTP traffic over a specific WAN  [SOLVED]

Thu Sep 16, 2021 10:20 pm

The answer is here. In brief, packets sent and received by the router itself are processed by other firewall chains than packets the router just forwards.

What is not immediately clear from that diagram is that when the router itself sends a packet, first of all a route to the destination is found in routing table main. The source address is then assigned to the packet based on the out-interface chosen by routing. And only after this, the packet passes through mangle, where a routing-mark may get assigned; if it is, the packet gets routed again, using the routing table indicated (this is called /routing adjustment/ on the diagram), but its source address does not change automatically. So there must be a src-nat or mangle rule that changes the source address to the one of the interface actually used.

So as your (probably default) route in table main sends the NTP packets via "the WAN you want to avoid", the initially assigned source address of the packet is the one of that WAN. And the "reply-to-address" is the one of the actual WAN used, assigned by the masquerade/src-nat rule.
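A toy model of the flow sindy describes, added here as an example (it is not code from the thread or from RouterOS): the interface names and RFC 5737 addresses are constructed, table main defaults to the WAN that blocks NTP, the OP's output-chain rule supplies the routing mark, and masquerade stands in for the src-nat step.

```python
"""Toy model of the RouterOS packet flow for a packet the router sends itself."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Route:
    dst: str                      # destination prefix, "0.0.0.0/0" = default route
    gateway_iface: str            # interface the gateway is reached through
    routing_mark: str = "main"    # routing table this route belongs to


@dataclass
class Packet:
    dst: str
    proto: str
    dst_port: int
    src: Optional[str] = None
    out_iface: Optional[str] = None
    routing_mark: str = "main"
    trace: List[str] = field(default_factory=list)


# Constructed addressing (RFC 5737 test ranges): pppoe-wan1 is the ISP that
# blocks NTP, lte1 is the WAN the OP wants NTP to use.
IFACE_ADDR = {"pppoe-wan1": "203.0.113.10", "lte1": "198.51.100.20"}

# Table main defaults to wan1; the lte-failover table defaults to lte1.
ROUTES = [
    Route("0.0.0.0/0", "pppoe-wan1"),
    Route("0.0.0.0/0", "lte1", routing_mark="lte-failover"),
]


def lookup(pkt: Packet, table: str) -> str:
    """Longest-prefix match within one routing table."""
    best = None
    for r in ROUTES:
        if r.routing_mark != table or ip_address(pkt.dst) not in ip_network(r.dst):
            continue
        if best is None or ip_network(r.dst).prefixlen > ip_network(best.dst).prefixlen:
            best = r
    if best is None:
        raise LookupError(f"no route to {pkt.dst} in table {table}")
    return best.gateway_iface


def mangle_output(pkt: Packet) -> None:
    """The OP's rule: chain=output protocol=udp dst-port=123 action=mark-routing."""
    if pkt.proto == "udp" and pkt.dst_port == 123:
        pkt.routing_mark = "lte-failover"
        pkt.trace.append("mangle output: new-routing-mark=lte-failover")


def srcnat_masquerade(pkt: Packet) -> None:
    """masquerade: rewrite the source to the address of the egress interface."""
    egress_addr = IFACE_ADDR[pkt.out_iface]
    if pkt.src != egress_addr:
        pkt.trace.append(f"src-nat: {pkt.src} -> {egress_addr}")
        pkt.src = egress_addr


def send_from_router(pkt: Packet, masquerade: bool = True) -> Packet:
    """Run a locally generated packet through the stages sindy describes."""
    # 1. route in table main; the source address follows that out-interface
    pkt.out_iface = lookup(pkt, "main")
    pkt.src = IFACE_ADDR[pkt.out_iface]
    pkt.trace.append(f"main lookup -> {pkt.out_iface}, src={pkt.src}")
    # 2. the output mangle chain may assign a routing mark
    mangle_output(pkt)
    # 3. routing adjustment: re-route in the marked table; src is NOT recomputed
    if pkt.routing_mark != "main":
        pkt.out_iface = lookup(pkt, pkt.routing_mark)
        pkt.trace.append(f"routing adjustment -> {pkt.out_iface}, src still {pkt.src}")
    # 4. src-nat is what finally puts the egress interface's address on the wire
    if masquerade:
        srcnat_masquerade(pkt)
    return pkt


if __name__ == "__main__":
    ntp = send_from_router(Packet(dst="216.239.35.8", proto="udp", dst_port=123))
    print("\n".join(ntp.trace))
    bad = send_from_router(Packet(dst="216.239.35.8", proto="udp", dst_port=123), masquerade=False)
    print("without masquerade the packet leaves", bad.out_iface, "with src", bad.src)
```

Without the masquerade step the packet leaves lte1 still carrying the wan1 address, which is the "NAT wan1:123 -> lte:123" rewrite the OP sees in the log.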
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 10:32 pm

Modify this according to your needs and paste it into the terminal.

Legend:
3.3.3.3 / 6.6.6.6 / 7.7.7.7 are the NTP servers used by the computers
/ip route rule
add dst-address=3.3.3.3/32 table=ntp
add dst-address=6.6.6.6/32 table=ntp
add dst-address=7.7.7.7/32 table=ntp

/ip route
add distance=1 gateway=<put-lte-gateway-here> routing-mark=ntp

Added automation method:
viewtopic.php?f=2&t=178602&p=880497#p880497
Last edited by rextended on Fri Sep 17, 2021 3:43 pm, edited 3 times in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 10:33 pm

So a routing rule that says a request from an NTP client (on IP xxxx)
should go out WAN AB will not work??

Ex.
Route ISP3
Route ISP3 routing-mark=usewanAB
with route rule
source-address=IP xxx
lookup only in table
table=usewanAB
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 10:35 pm

Modify this according to your needs and paste it into the terminal.

Legend:
3.3.3.3 / 6.6.6.6 / 7.7.7.7 are the NTP servers used by the computers
/ip route rule
add dst-address=3.3.3.3/32 table=ntp
add dst-address=6.6.6.6/32 table=ntp
add dst-address=7.7.7.7/32 table=ntp

/ip route
add distance=1 gateway=<put-lte-gateway-here> routing-mark=ntp

Damn, you're fast LOL
Okay so instead of basing the route rule on the source address of the NTP client (IP xxx)
you are basing it on traffic heading to ??????? assuming you have put in the addresses of the NTP servers on the net??

Remember the PCs don't dictate which NTP servers are contacted by the router, the ROUTER NTP server settings do that!!
In other words one has to match the entries for the NTP server on RoS.

SO................... It would look like this, and you need the original MAIN route and the new route for the route rule to point to!
ex.
/system ntp client
set enabled=yes primary-ntp=209.87.233.53 secondary-ntp=209.115.181.108
/system ntp server
set enabled=yes

/ip route rule
add dst-address=209.87.233.53/32 table=ntp action=lookup-only-in-table
add dst-address=209.115.181.108/32 table=ntp action=lookup-only-in-table

/ip route
add distance=1 gateway=<put-lte-gateway-here> routing-mark=ntp
add distance=1 gateway=<put-main-wan-gateway-here>

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In any case I expect mkx to show up to inform us that we are barking up the wrong packet flow tree. :-)
Last edited by anav on Thu Sep 16, 2021 10:50 pm, edited 5 times in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 10:39 pm

The source IPs that need the NTP info do not count; if the ISP on WAN1 blocks NTP,
the NTP servers defined in the list (which are the destination of the requests started from the PCs)
are forced to be reachable via the lte-vlan gateway
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 10:46 pm

Ahh yes, you are quite correct, the OP is not using the NTP Server package for MT.
I wonder why not? So easy.

The question remains: can I force NTP traffic for the MT-provided NTP service out a specific WAN using the ruleset I provided but using rextended's destination address method, assuming that my source address version would not work???

So if the router is not providing NTP services,
and all LAN PCs are using NTP direct from the internet, I can see how rextended's approach looks good!!

However, since these are all LAN IPs one could use interface........... Let's say all users are on the bridge

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Answered my own question: the reason why the destination address works / is superior is that the routing deviation is ONLY used when sending traffic to those destinations.
If I did it my way ALL traffic from the source addresses or interfaces identified would go out the WAN, rather than just the NTP traffic.

I may be slow but I can see the finish line ;-)
Last edited by anav on Thu Sep 16, 2021 10:51 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 10:50 pm

The rule I wrote also works for RouterOS itself (if the IPs set on the NTP client are obviously also put in the route rule dst-address)
without changing anything.
If the output is generated by RouterOS, it still goes through routing at the end.


My rules are easy because nothing else counts.
I simply want those IPs reachable via another WAN without worrying about mangle, other routing tables or other things.
Last edited by rextended on Thu Sep 16, 2021 10:56 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 10:53 pm

Yes, it's all good (I am also allergic to mangle). Destination address is the only choice, which surgically sends only the packets heading to NTP servers down the other WAN; my attempt to use source or interface was wrong as it will send ALL traffic to the other WAN.
We make a good team: I come up with a wrong idea, you come by with the right idea and we all learn something. :-)

@Sindy, do we get a packet flow blessing or are you going to pretzel another suggestion???
Last edited by anav on Thu Sep 16, 2021 10:55 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 10:55 pm

he also has free time :lol:
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 11:02 pm

At home I use /ip route rule to drop all the ASNs of Facebook / WhatsApp, Twitter, Instagram and some Google parts like Doubleclick and googleadservices.com
(but do not say that to @msatter :lol: )
Last edited by rextended on Thu Sep 16, 2021 11:06 pm, edited 3 times in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 11:03 pm

How do I do that........
their destination addresses change all the time??
Route rule?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 11:05 pm

like this:
/ip route rule
add action=drop dst-address=157.240.210.0/24


As long as the service does not use a CDN that has the same IP for multiple services, blocking the ASN IPs drops everything.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 11:11 pm

I am to believe one subnet will drop all that horrible crap I see on my browser ???

So it would look like

isp 1 distance =1
isp 1 distance=1 route-mark=dropcrap

Ip route rule
destination address=157.249.0.24
Action: drop
table=dropcrap
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 11:14 pm

No other rules or settings are required.

Simply:

Last edited by rextended on Thu Sep 16, 2021 11:41 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 11:18 pm

@Sindy, do we get a packet flow blessing or are you going to pretzel another suggestion???
The OP has asked for "all NTP traffic", not "all traffic to a particular IP address".
If you want traffic to a particular destination address to be sent via a particular WAN, you don't even need a routing rule to choose another routing table - a mere route in routing table main is sufficient. If you want to use something else/more than source address, destination address, and in-interface as criteria to choose a route, you need mangle. Routing rules deal with the area between those two extremes.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 11:20 pm

a mere route in routing table main is sufficient
No...
Sorry, but my rules are structured that way to change all the gateways with one click, in one position,
instead of opening each single route one by one to change the gateway for each IP...
Last edited by rextended on Thu Sep 16, 2021 11:27 pm, edited 2 times in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 11:25 pm

It is possible to find updated lists for Facebook, Twitter, etc. here:

Facebook and Instagram, 3 ASN
https://bgp.he.net/AS32934#_prefixes
https://bgp.he.net/AS54115#_prefixes
https://bgp.he.net/AS63293#_prefixes

Blocking Facebook also blocks part of WhatsApp, but WhatsApp also has its own pool.
WhatsApp 1 ASN
https://bgp.he.net/AS11917#_prefixes

Twitter, 2 ASN
https://bgp.he.net/AS35995#_prefixes (only IPv4)
https://bgp.he.net/AS13414#_prefixes

Obviously also the IPv6 addresses:
https://bgp.he.net/AS32934#_prefixes6
https://bgp.he.net/AS54115#_prefixes6
https://bgp.he.net/AS63293#_prefixes6

https://bgp.he.net/AS11917#_prefixes6

https://bgp.he.net/AS13414#_prefixes6


About Doubleclick and googleadservices.com,
the IPs are added by script, because they are used dynamically and shared with YouTube, Gmail, Google Play, and other services.
Last edited by rextended on Thu Sep 16, 2021 11:42 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Thu Sep 16, 2021 11:40 pm

Ok, now we wait for @ishanjain to tell us if this solution is good for him...
 
ishanjain
Frequent Visitor
Topic Author
Posts: 55
Joined: Tue Sep 29, 2020 8:40 am

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 7:22 am

The answer is here. In brief, packets sent and received by the router itself are processed by other firewall chains than packets the router just forwards.

What is not immediately clear from that diagram is that when the router itself sends a packet, first of all a route to the destination is found in routing table main. The source address is then assigned to the packet based on the out-interface chosen by routing. And only after this, the packet passes through mangle, where a routing-mark may get assigned; if it is, the packet gets routed again, using the routing table indicated (this is called /routing adjustment/ on the diagram), but its source address does not change automatically. So there must be a src-nat or mangle rule that changes the source address to the one of the interface actually used.

So as your (probably default) route in table main sends the NTP packets via "the WAN you want to avoid", the initially assigned source address of the packet is the one of that WAN. And the "reply-to-address" is the one of the actual WAN used, assigned by the masquerade/src-nat rule.
Hey there! Thank you for linking me to the new documentation. I was looking at the old documentation that just has a bunch of diagrams, and I didn't understand the packet flow from that. The new documentation explains it well.
Your reasoning behind the packet flow log I shared feels _right_ and it also appears to be working just fine.



And thank you to everyone else for suggesting alternate solutions, but I don't really want to implement those. Even though I now announce the router's IP as an NTP server to all the connected clients, the clients still use time.windows.com, time.cloudflare.com, time.google.com, the pool.ntp.org service, and Apple probably uses their own thing. All this means there are quite a few different IPs being contacted for NTP queries, and tracking them down and adding routing entries for all those IPs will take a lot of time, and that is if I am able to figure out all the addresses. All my network equipment (APs, switches etc.) is obeying/using the NTP server announced via DHCP, but most client devices just seem to ignore it.


In the end, these are the rules I have added to make this work.

/ip/firewall/mangle
chain=output action=mark-routing connection-mark=no-mark new-routing-mark=lte-failover passthrough=no protocol=udp out-interface-list=WAN dst-port=123 log=no
chain=prerouting action=mark-routing connection-mark=no-mark new-routing-mark=lte-failover passthrough=no protocol=udp dst-address-list=!not_in_internet in-interface-list=LAN dst-port=123 log=no

The rule in the output chain redirects/forces udp/123 traffic that originated on the router via the LTE interface. The logs look a bit weird (logged via a log rule in the filter table):
output: in:(unknown 0) out:pppoe-bsnl, proto UDP, <ip-on-wan-to-avoid-interface>:123->216.239.35.8:123, NAT (<ip-on-wan-to-avoid-interface>:123-> <ip-on-lte-interface>:123)->216.239.35.8:123, len 76
but it works fine.

The second rule takes care of traffic that originated from client devices.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 2:51 pm

Why would you use mangle?
My impression from the above discussion is that one can just create a route for that as sindy indicated.

/ip route
add distance=1 dst-address=3.3.3.3/32 gateway=<selected-WAN-gateway>
(for dns traffic) (assuming 3.3.3.3 is the NTP server all the PCs are pointing to).

Did you know mangle negates faster traffic and takes up CPU cycles, or is the aim to be inefficient??
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 3:10 pm

Why would use mangle.

@ishanjain clearly stated that he doesn't control which NTP servers are used by the clients. The only clear way of determining that a packet should be routed via the alternative path is thus matching against certain properties (protocol=udp and dst-port=123) for packets about to leave the router through either of the WAN ports. The known bits of information are not enough for straight use of a specific route, hence the use of mangle (which is more flexible).
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 3:19 pm

To obtain the list of all IPs used as NTP servers

(NTP is one of the protocols that, to be fully compliant, also wants src port 123)

added automation method
viewtopic.php?f=2&t=178602&p=880497#p880497
Last edited by rextended on Fri Sep 17, 2021 3:42 pm, edited 3 times in total.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 3:26 pm

(NTP is one of the protocols that, to be fully compliant, also wants src port 123)

AFAIK neither src-port nor dst-port has to be exactly 123.

There are two kinds of NTP applications:
  1. applications running as a service/daemon, which usually work as clients (to lower stratum servers) as well as servers (to higher stratum clients). These customarily use port 123 for both src and dst.
  2. applications running as client only, mostly implementing SNTP. These can run as a non-privileged process and thus use ports with numbers higher than 1023. In this case the src-port for packets originating from clients will be different from 123.
It is really unusual to see an NTP server running on a port other than 123, so dst-port will normally be 123 indeed.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 3:35 pm

Putting it all together:

Paste this into the terminal (after setting the right gateway address)
/ip route
add distance=1 gateway=<put-lte-gateway-IP-address-here> routing-mark=ntp
/ip firewall raw
add action=add-dst-to-address-list address-list=ntp_pool address-list-timeout=none-dynamic chain=prerouting dst-address-list=!ntp_pool dst-port=123 protocol=udp src-port=123
add action=add-dst-to-address-list address-list=ntp_pool address-list-timeout=none-dynamic chain=output dst-address-list=!ntp_pool dst-port=123 protocol=udp src-port=123

Just schedule or launch manually:
# Absolute paths throughout, so the loop body does not depend on the current menu
# (switching to /ip route rule inside the loop would otherwise change the context
# for the next iteration's "get").
:foreach item in=[/ip firewall address-list find where list="ntp_pool"] do={
    :local ntpip [/ip firewall address-list get $item address]
    # add a route rule for this NTP server only if one does not exist yet
    :if ([:len [/ip route rule find where dst-address="$ntpip/32" and table="ntp"]] = 0) do={
        /ip route rule add dst-address="$ntpip/32" table="ntp"
    }
}
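The interaction between mkx's port observation above and the raw-table learning rules in this post, as an added example (not code from the thread): constructed flow records are run through the raw rule's match (protocol=udp src-port=123 dst-port=123) and the OP's mangle match (protocol=udp dst-port=123) to show which servers each would learn or mark.

```python
"""Which NTP flows a src-port=123 match catches, and which it misses."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "udp"
    note: str = ""


# Constructed sample traffic.  216.239.35.8 and 209.87.233.53 appear in the
# thread; the 198.51.100.0/24 servers are RFC 5737 placeholders.
SAMPLE_FLOWS: List[Flow] = [
    Flow("192.168.88.10", 123, "216.239.35.8", 123, note="ntpd, privileged src port"),
    Flow("192.168.88.21", 49173, "198.51.100.5", 123, note="SNTP client, ephemeral src port"),
    Flow("192.168.88.22", 58802, "198.51.100.6", 123, note="SNTP client, ephemeral src port"),
    Flow("203.0.113.10", 123, "209.87.233.53", 123, note="RouterOS own NTP client"),
    Flow("192.168.88.30", 53001, "198.51.100.53", 53, note="DNS, must not match"),
    Flow("192.168.88.31", 123, "198.51.100.80", 443, "tcp", note="TCP from port 123, must not match"),
]

Matcher = Callable[[Flow], bool]


def match_raw_learn(f: Flow) -> bool:
    """The raw rule from this post: protocol=udp src-port=123 dst-port=123."""
    return f.proto == "udp" and f.src_port == 123 and f.dst_port == 123


def match_mangle_dstport(f: Flow) -> bool:
    """The OP's mangle match: protocol=udp dst-port=123, any source port."""
    return f.proto == "udp" and f.dst_port == 123


def learned_servers(flows: Iterable[Flow], matcher: Matcher) -> Set[str]:
    """Destinations the matcher would add to the ntp_pool list (or mark for routing)."""
    return {f.dst for f in flows if matcher(f)}


def missed_by_raw(flows: Iterable[Flow]) -> List[Flow]:
    """NTP flows (by dst-port) that the src-port=123 requirement lets slip past."""
    return [f for f in flows if match_mangle_dstport(f) and not match_raw_learn(f)]


if __name__ == "__main__":
    print("learned with src-port=123:", sorted(learned_servers(SAMPLE_FLOWS, match_raw_learn)))
    print("learned with dst-port only:", sorted(learned_servers(SAMPLE_FLOWS, match_mangle_dstport)))
    for f in missed_by_raw(SAMPLE_FLOWS):
        print("missed:", f.src, f.src_port, "->", f.dst, f.note)
```

Dropping src-port=123 from the raw rules would learn the SNTP clients' servers too, at the cost of also matching any other UDP traffic aimed at port 123.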
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 5:51 pm

One drawback of using IP address list instead of mangling NTP traffic is that all traffic towards those targets will use alternative WAN, non-NTP traffic as well. Some NTP servers share their IP addresses with other services (the most famous NTP servers don't).
Plus, if I understand the latest concept, there will be some delay between clients first trying to access an NTP server and the first success (IIRC the OP mentioned that the preferred ISP blocks NTP traffic), because of the delayed running of the script which populates the routing table.
 
ishanjain
Frequent Visitor
Topic Author
Posts: 55
Joined: Tue Sep 29, 2020 8:40 am

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 8:26 pm

Hi rextended, mkx, anav and everyone else who responded.

The approach of adding all the routes to an ntp table will also work, but it does have the downside that I am likely sending non-NTP traffic over LTE as well (which is slow and expensive), and it doesn't have an instantaneous effect, as mkx said. This'll probably subside over time as a good chunk of NTP servers are added to the list, but I don't really want to do this.


For now, I will continue to use the firewall mangle rules. The script may help others (and maybe even myself, if I notice problems in future with these mangle rules I have added) if they want to try something similar.

And performance is not the biggest concern right now since the router I have (rb450gx4) is quite overpowered to begin with for my use case. For the longest time I was just running two bridges on it and didn't know that wasn't the right way to do it. I recently switched it to a proper bridge VLAN filtering setup but for some reason the bridge interfaces still aren't hardware accelerated like they should be. Anyway, I'll try to create another thread if this bugs me too much. For now, even with all these issues, it works fine.

Thank you so much for your responses, I really appreciate it. :D
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 8:58 pm

None of RB devices (your IPQ4019-based RB450Gx4 is not excluded) can HW offload bridge vlan-filtering in ROS v6. In ROSv7 things might change (RB4011 was mentioned, but uses completely different SoC). If you want VLAN operations done by switch chip, you have to configure things under /interface ethernet switch.
 
ishanjain
Frequent Visitor
Topic Author
Posts: 55
Joined: Tue Sep 29, 2020 8:40 am

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 9:23 pm

Yes, I also just found this thread. viewtopic.php?t=151104

So, it looks like HW offloaded inter-VLAN routing is not possible with my MikroTik board.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Route ALL NTP traffic over a specific WAN

Fri Sep 17, 2021 10:08 pm

HW offloaded routing (inter-LAN or inter-VLAN, doesn't matter) is in development (ROS v7.1) and only for CRS3xx models.

HW offloaded switching/bridging is to certain extent possible on all devices with switch chip, the way it should be configured varies between device models.
