Mangle, Routing Marks, Interface matching in v3.6-3.9

Posted: Wed Mar 26, 2008 8:35 am
by airstream
After upgrading our main MT router to v3.6, some mangle rules that existed in 2.9.51 cannot be installed in v3.6.

Our network gateway router has two WAN Ethernet interfaces and a LAN interface. All internet data from the LAN is masqueraded to the default routes (WAN1, WAN2):
chain=srcnat action=masquerade src-address=10.0.0.0/8
but the WAN2 gateway route requires a routing mark.

Routing marks are simply added by mangle rules that match IP addresses from the LAN:
chain=prerouting action=mark-routing new-routing-mark=Even passthrough=no src-address=10.0.0.22

However, since WAN2 will only route data to the internet that has a packet mark, the router itself cannot respond to ping requests etc. from the internet via WAN2 (the reply from the MT will not go out through WAN2 because the reply packets lack routing marks).

In 2.9.51 you could have a mangle rule:
chain=forward action=mark-routing new-routing-mark=Even passthrough=no out-interface=WAN2 dst-address=0.0.0.0/0
which would catch all data destined to go out WAN2 and ensure it had the correct routing mark to be routed out the WAN2 gateway. With this enabled in v2.9.51 the router could respond to requests perfectly on WAN2.

When upgrading to 3.6, all existing mangle rules (in fact all other settings) were imported etc., but the above mangle rule from 2.9.51 was missing. So I tried to enter it manually on the newly upgraded 3.6 and...
[admin@MTKROUTER] /ip firewall mangle> add chain=forward action=mark-routing new-routing-mark=Even passthrough=no out-interface=WAN2 dst-address=0.0.0.0/0
failure: routing-mark allowed only in output and prerouting chains
[admin@MTKROUTER] /ip firewall mangle>
Is this a bug, or is it now by design in v3 that we can no longer catch outgoing interfaces and apply routing marks so that packets leave (routed) through the correct Ethernet interface?

I have tried many different workarounds in the last 24 hours, including other mangle rules to mark packets followed by another mangle rule to catch those marked packets and mark the routing on them. So far no success.

Any ideas?

Re: Mangle, Routing Marks and Interface matching in v3.6

Posted: Wed Mar 26, 2008 11:30 am
by mrz
In v3.x routing marks are valid only in prerouting and output chains.

Re: Mangle, Routing Marks and Interface matching in v3.6

Posted: Thu Mar 27, 2008 11:44 am
by gacopl
Do the same but on the output chain; this should help. I do mark-routing on the output chain and set a src-address filter to the public IP the MT has, and then when you ping that MT from the world it responds. However, this rule doesn't make the MT use this routing mark to get outside (i.e. when you do ping yahoo.com from the wibox, this rule won't make it use this route).

B/R
Michal

Re: Mangle, Routing Marks and Interface matching in v3.6

Posted: Fri Mar 28, 2008 5:26 am
by airstream
OK, many thanks for your suggestion. I have arrived at this configuration, which seems to work:
chain=prerouting action=mark-connection new-connection-mark=Even passthrough=yes in-interface=WAN2
So here I am marking all connections that come in from WAN2, then checking all outbound packets for this connection mark. If a packet has this connection mark, the rule below will add the correct WAN2 routing mark:
chain=output action=mark-routing new-routing-mark=Even passthrough=no connection-mark=Even
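To see how the two rules above fit together with the rest of the setup described in this thread, here is the complete v3.x configuration assembled as an added example (it is not a configuration posted in the thread). The interface names WAN1/WAN2, the LAN range 10.0.0.0/8, the host 10.0.0.22 and the routing mark "Even" are taken from the posts; the two gateway addresses are placeholders that must be replaced with the real WAN1 and WAN2 gateways.

```routeros
# Added example, not from the thread. Gateway addresses are placeholders.

# Routes: an ordinary default route via WAN1 in the main table, plus a
# default route via WAN2 that is consulted only for packets carrying the
# routing mark "Even".
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 comment="WAN1 default (placeholder gateway)"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=Even comment="WAN2, marked traffic only (placeholder gateway)"

# NAT for the LAN, as in the original post.
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.0.0.0/8

/ip firewall mangle
# Forwarded traffic from a LAN host that should leave via WAN2: in v3.x
# mark-routing is accepted only in the prerouting and output chains, so the
# mark is applied here, before the routing decision.
add chain=prerouting action=mark-routing new-routing-mark=Even passthrough=no src-address=10.0.0.22

# Traffic arriving on WAN2: remember the connection so that the router's own
# replies (which are generated locally and traverse the output chain) can be
# steered back out through WAN2.
add chain=prerouting action=mark-connection new-connection-mark=Even passthrough=yes in-interface=WAN2
add chain=output action=mark-routing new-routing-mark=Even passthrough=no connection-mark=Even
```

Two things worth checking after applying this: `/ip firewall connection print where connection-mark=Even` should list the inbound WAN2 connections while a ping or other request to the WAN2 address is running, and `/ip route print where routing-mark=Even` should show the WAN2 route as active. As gacopl notes above, this only affects replies to connections that came in on WAN2; traffic the router originates itself (for example a ping from the router to an internet host) still follows the unmarked default route via WAN1.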

Re: Mangle, Routing Marks, Interface matching in v3.6 *SOLVED*

Posted: Fri Mar 28, 2008 12:05 pm
by gacopl
You're welcome :)

Re: Mangle, Routing Marks, Interface matching in v3.6-3.9

Posted: Tue May 20, 2008 11:34 pm
by airstream
OK, this just won't work. Version 3 will not let you add a routing mark to packets that go out a particular interface. It's simply broken.

We have rolled back to 2.9.51 (again) because you CAN add route marks prior to leaving on a particular interface in that version.

When will this be fixed for v3? No workaround has 100% success with this.

Re: Mangle, Routing Marks, Interface matching in v3.6-3.9

Posted: Wed May 21, 2008 6:00 am
by changeip
Once a packet has determined an out-interface, it's too late to change that with a routing mark.

Re: Mangle, Routing Marks, Interface matching in v3.6-3.9

Posted: Wed May 21, 2008 7:51 am
by airstream
Once a packet has determined an out-interface, it's too late to change that with a routing mark.
So it seems with v3.

Re: Mangle, Routing Marks, Interface matching in v3.6-3.9

Posted: Wed May 21, 2008 3:18 pm
by macgaiver
Same in 2.8 and in 2.9! If you place packet mark rules in other chains, they can be used only for further matching in other chains, so basically it was useless, and it was not working.