airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Mangle, Routing Marks, Interface matching in v3.6-3.9

Wed Mar 26, 2008 8:35 am

After upgrading our main MT router to v3.6, some mangle rules that existed in 2.9.51 cannot be installed on v3.6.

Our network gateway router has two WAN Ethernet interfaces and a LAN interface. All internet data from the LAN is masqueraded to the default routes (WAN1, WAN2):
/ip firewall nat add chain=srcnat action=masquerade src-address=10.0.0.0/8
but the WAN2 gateway route requires a routing mark.

Routing marks are simply added by mangle rules that match IP addresses from the LAN:
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=Even passthrough=no src-address=10.0.0.22

However, since WAN2 will only route data to the internet that has a packet mark, the router itself cannot respond to ping requests etc. arriving from the internet on WAN2 (the reply from the MT will not go out through WAN2 because the reply packets lack routing marks).

In 2.9.51 you could have a mangle rule:
/ip firewall mangle add chain=forward action=mark-routing new-routing-mark=Even passthrough=no out-interface=WAN2 dst-address=0.0.0.0/0
which would catch all data destined to go out WAN2 and ensure it had the correct routing mark to be routed out the WAN2 gateway. With this enabled in v2.9.51 the router could respond to requests perfectly on WAN2.

When upgrading to 3.6, all existing mangle rules (in fact all other settings) were imported, but the above mangle rule from 2.9.51 was missing. So I tried to enter it manually on the newly upgraded 3.6 and...
[admin@MTKROUTER] /ip firewall mangle> add chain=forward action=mark-routing new-routing-mark=Even passthrough=no out-interface=WAN2 dst-address=0.0.0.0/0
failure: routing-mark allowed only in output and prerouting chains
[admin@MTKROUTER] /ip firewall mangle>
Is this a bug? Or is it now by design in v3 that we can no longer match on outgoing interfaces and apply routing marks so that packets leave (routed) through the correct Ethernet interface?

I have tried many different workarounds in the last 24 hours, including other mangle rules to mark packets followed by another mangle rule to catch those marked packets and mark the routing on them. So far no success.

Any ideas?
Last edited by airstream on Tue May 20, 2008 11:35 pm, edited 3 times in total.
Keep tryin' its bound to work!!
-----
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
 
mrz
MikroTik Support
Posts: 5971
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Mangle, Routing Marks and Interface matching in v3.6

Wed Mar 26, 2008 11:30 am

In v3.x routing marks are valid only in prerouting and output chains.
 
gacopl
Frequent Visitor
Posts: 63
Joined: Sun Jul 29, 2007 5:11 pm
Location: Poland

Re: Mangle, Routing Marks and Interface matching in v3.6

Thu Mar 27, 2008 11:44 am

Do the same but on the output chain; this should help. I do mark-routing on the output chain and set a src-address filter to the public IP the MT has, and then when you ping that MT from the world it responds. However, this rule doesn't make the MT use this routing mark to get outside (i.e. when you do ping yahoo.com from the wibox, this rule won't make it use this route).

B/R
Michal
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Re: Mangle, Routing Marks and Interface matching in v3.6

Fri Mar 28, 2008 5:26 am

Ok, many thanks for your suggestion. I have come to this configuration, which seems to work:
/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=Even passthrough=yes in-interface=WAN2
So here I am marking all connections that come in from WAN2, then checking all outbound packets for this connection mark. If a packet has this connection mark then the rule below will add the correct WAN2 routing mark:
/ip firewall mangle add chain=output action=mark-routing new-routing-mark=Even passthrough=no connection-mark=Even
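Putting the pieces of this thread together as one complete two-WAN configuration for RouterOS v3.x: the masquerade and per-host policy routing from the first post, plus the connection-mark/output-chain reply-path workaround from the post above. This is an added example, not config posted by airstream or shipped by MikroTik. Interface names WAN1, WAN2 and LAN, the LAN range 10.0.0.0/8 and host 10.0.0.22 follow the thread; the gateway addresses 203.0.113.1 and 198.51.100.1 are assumed placeholders from the documentation ranges, and the in-interface=LAN and connection-state=new matchers are tightenings added here, not part of the original rules.

```routeros
# Added example (not from the thread). Assumed: interfaces WAN1/WAN2/LAN,
# WAN1 gateway 203.0.113.1, WAN2 gateway 198.51.100.1 (placeholders).

# Main table: default route via WAN1. "Even" table: default route via WAN2.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="main table, via WAN1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=Even \
    comment="Even table, via WAN2"

# Masquerade LAN traffic per egress interface, so the source address always
# matches the link the packet actually leaves on.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=WAN1 src-address=10.0.0.0/8
add chain=srcnat action=masquerade out-interface=WAN2 src-address=10.0.0.0/8

/ip firewall mangle
# 1. Policy routing for a LAN host: forwarded traffic from 10.0.0.22 uses WAN2.
#    In v3.x mark-routing is only accepted in prerouting and output, so the
#    decision is made here, before the route lookup.
add chain=prerouting in-interface=LAN src-address=10.0.0.22 \
    action=mark-routing new-routing-mark=Even passthrough=no

# 2. Reply path for the router's own services reached via WAN2 (ping, winbox,
#    ...). The out-interface is not known yet in prerouting/output, so instead:
#    a) remember on the connection that it entered on WAN2 ...
add chain=prerouting in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=Even passthrough=yes
#    b) ... and in output (the only chain where locally generated packets can
#       be routing-marked) send every packet of such a connection via "Even".
add chain=output connection-mark=Even \
    action=mark-routing new-routing-mark=Even passthrough=no
```

To check it, confirm the marked route is active with `/ip route print where routing-mark=Even`, ping the WAN2 address from outside and watch `/ip firewall connection print` for an entry carrying connection-mark Even. Note the limit gacopl pointed out: rule 2 only fixes replies to connections that arrived on WAN2; connections the router itself originates (a ping to yahoo.com from the console, DNS, NTP) still take the main table via WAN1 unless a separate output rule marks them.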
 
gacopl
Frequent Visitor
Posts: 63
Joined: Sun Jul 29, 2007 5:11 pm
Location: Poland

Re: Mangle, Routing Marks, Interface matching in v3.6 *SOLVED*

Fri Mar 28, 2008 12:05 pm

You're welcome :)
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Re: Mangle, Routing Marks, Interface matching in v3.6-3.9

Tue May 20, 2008 11:34 pm

Ok, this just won't work. Version 3 will not let you add a routing mark to packets that go out a particular interface. It's simply broken.

We have rolled back to 2.9.51 (again) because you CAN add route marks prior to leaving on a particular interface in that version.

When will this be fixed for v3? No workaround has 100% success with this.
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: Mangle, Routing Marks, Interface matching in v3.6-3.9

Wed May 21, 2008 6:00 am

Once a packet has had its out-interface determined, it's too late to change that with a routing mark.
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Re: Mangle, Routing Marks, Interface matching in v3.6-3.9

Wed May 21, 2008 7:51 am

> Once a packet has had its out-interface determined, it's too late to change that with a routing mark.
So it seems with v3.
 
macgaiver
Forum Guru
Posts: 1730
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Mangle, Routing Marks, Interface matching in v3.6-3.9

Wed May 21, 2008 3:18 pm

Same in 2.8 and in 2.9! If you place packet-mark rules in other chains, they can be used only for further matching in other chains, so basically it was useless, and it was not working.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
