Chupaka
Forum Guru
Topic Author
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Mangle + NAT + Policy Routing

Mon Jun 26, 2006 1:21 pm

/ ip firewall mangle
add chain=prerouting src-address=192.168.1.150 dst-address=213.206.94.83 action=mark-connection new-connection-mark=dip_kav passthrough=yes 

add chain=prerouting connection-mark=dip_kav action=mark-packet new-packet-mark=dip_kav passthrough=yes 

add chain=prerouting connection-mark=dip_kav action=mark-routing new-routing-mark=dip_kav passthrough=yes 

/ ip route 
add dst-address=0.0.0.0/0 gateway=81.25.36.1 scope=255 target-scope=10 routing-mark=dip_kav comment="ftp.kaspersky.ru" disabled=no

/ ip firewall nat 
add chain=srcnat packet-mark=dip_kav action=masquerade comment="" disabled=no
When I try to connect from 192.168.1.150 to 213.206.94.83, I see in ConnTrack that the connection is marked 'dip_kav' and TCP State is 'syn received'. Then my program says 'Connection timeout'. But when
/ ip firewall mangle 
add chain=prerouting src-address=192.168.1.150 dst-address=213.206.94.83 action=mark-routing new-routing-mark=dip_kav passthrough=yes comment="KAV Updates" disabled=no 

/ ip route 
add dst-address=0.0.0.0/0 gateway=81.25.36.1 scope=255 target-scope=10 routing-mark=dip_kav comment="ftp.kaspersky.ru" disabled=no

/ ip firewall nat 
add chain=srcnat src-address=192.168.1.150 dst-address=213.206.94.83 action=masquerade comment="ftp.kaspersky.ru" disabled=no 
all is okay. What's wrong?
 
Mitak
newbie
Posts: 42
Joined: Wed Jun 07, 2006 10:12 am
Location: Bulgaria

Mon Jun 26, 2006 1:47 pm

/ ip firewall mangle 
 add chain=prerouting src-address=192.168.1.150 dst-address=213.206.94.83 action=mark-connection new-connection-mark=dip_kav passthrough=yes 
 
add chain=prerouting connection-mark=dip_kav action=mark-routing new-routing-mark=dip_kav passthrough=no
 
 / ip route 
 add dst-address=0.0.0.0/0 gateway=81.25.36.1 scope=255 target-scope=10 routing-mark=dip_kav comment="ftp.kaspersky.ru" disabled=no 
 
 / ip firewall nat 
 add chain=srcnat src-address=192.168.1.150 action=masquerade comment="" disabled=no 
 
Chupaka
Forum Guru
Topic Author
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Mon Jun 26, 2006 2:12 pm

/ ip firewall mangle 
 add chain=prerouting src-address=192.168.1.150 dst-address=213.206.94.83 action=mark-connection new-connection-mark=dip_kav passthrough=yes 
 
add chain=prerouting connection-mark=dip_kav action=mark-routing new-routing-mark=dip_kav passthrough=no
 
 / ip route 
 add dst-address=0.0.0.0/0 gateway=81.25.36.1 scope=255 target-scope=10 routing-mark=dip_kav comment="ftp.kaspersky.ru" disabled=no 
 
 / ip firewall nat 
 add chain=srcnat src-address=192.168.1.150 action=masquerade comment="" disabled=no 
Oh, thank you :) But what's wrong with those settings? I don't want to type IPs everywhere, I have more complicated structures, and I'd like to write them using connection and packet marks
 
Mitak
newbie
Posts: 42
Joined: Wed Jun 07, 2006 10:12 am
Location: Bulgaria

use address list

Mon Jun 26, 2006 2:27 pm

use address-list :)

First, add all IP addresses you want to mark to the address list:
/ip firewall address-list add list=list1 address=192.168.1.51 disabled=no

/ip firewall address-list add list=list1 address=192.168.1.52 disabled=no

.
.
.

/ip firewall address-list add list=list1 address=192.168.1.100 disabled=no

and then change other rules:
/ ip firewall mangle
 add chain=prerouting src-address-list=list1 dst-address=213.206.94.83 action=mark-connection new-connection-mark=dip_kav passthrough=yes
 
add chain=prerouting connection-mark=dip_kav action=mark-routing new-routing-mark=dip_kav passthrough=no
 
 / ip route
 add dst-address=0.0.0.0/0 gateway=81.25.36.1 scope=255 target-scope=10 routing-mark=dip_kav comment="ftp.kaspersky.ru" disabled=no


/ip firewall nat add chain=srcnat src-address-list=list1 action=masquerade

Then, if you want to add a new IP to these mangle rules, it is enough to do:

/ip firewall address-list add list=list1 address=<NEW-IP> disabled=no
 
Chupaka
Forum Guru
Topic Author
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Mon Jun 26, 2006 4:18 pm

Yeah, maybe... But I'd like to know why connection marking does not work :(
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Mangle + NAT + Policy Routing

Sat Sep 11, 2021 1:07 pm

Still it doesn't work, I need that for OpenVPN, can't make it work:

/ip firewall mangle
add action=mark-connection chain=prerouting comment=OpenVPN in-interface=ether9 new-connection-mark=ovpn.conn passthrough=yes protocol=tcp src-port=1198

/ip firewall nat
add action=masquerade chain=srcnat connection-mark=ovpn.conn
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re:

Sat Sep 11, 2021 3:57 pm

But I'd like to know why connection marking does not work :(
What actually doesn't work, or rather works too well, is the rule translating the connection-mark to routing-mark. You've only got a single (default) route in the routing table dip_kav, and your action=mark-routing rule doesn't care about in-interface. So since the response packets for 192.168.1.150 arriving via WAN get routing-marked with dip_kav, they are also routed via the WAN gateway. The connected routes (distance=0) do not override the routing-mark.

So as you expressly don't want to match on IP addresses, use something like in-interface-list=!WAN in the action=mark-routing rule.
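The misrouting sindy describes, as an added Python model that is not part of the thread: it runs the two prerouting mangle rules and then a routing-mark lookup against a toy routing table, first with Chupaka's original rules and then with the in-interface-list=!WAN condition on the mark-routing rule. Interface names, the connected routes, the WAN prefix and the v6 fall-back-to-main behaviour are assumptions.

```python
import ipaddress

# Added example (not the thread's config): toy model of RouterOS packet flow
# (prerouting mangle, then routing decision). Interface names, connected
# routes and the WAN prefix are assumed for illustration.
LAN, WAN = "ether1-lan", "ether2-wan"
CLIENT, KAV, WAN_GW = "192.168.1.150", "213.206.94.83", "81.25.36.1"
ROUTES = {  # (prefix, next hop); dip_kav holds only the single default route
    "main": [("192.168.1.0/24", LAN), ("81.25.36.0/24", WAN), ("0.0.0.0/0", WAN_GW)],
    "dip_kav": [("0.0.0.0/0", WAN_GW)],
}

def lookup(table, dst):
    """Longest-prefix match in one routing table; None if nothing matches."""
    best = max(((r, nh) for r, nh in ROUTES[table]
                if ipaddress.ip_address(dst) in ipaddress.ip_network(r)),
               key=lambda e: ipaddress.ip_network(e[0]).prefixlen, default=None)
    return best[1] if best else None

def conn_key(pkt):  # conntrack sees both directions as one connection
    return frozenset((pkt["src"], pkt["dst"]))

def mark_connection(pkt, ct): ct[conn_key(pkt)] = "dip_kav"
def mark_routing(pkt, ct): pkt["routing_mark"] = "dip_kav"

# Mangle prerouting rules as (matcher, action); every rule is passthrough=yes.
ORIGINAL = [
    (lambda p, ct: p["src"] == CLIENT and p["dst"] == KAV, mark_connection),
    (lambda p, ct: ct.get(conn_key(p)) == "dip_kav", mark_routing),
]
FIXED = [  # sindy's fix: mark-routing additionally requires in-interface-list=!WAN
    ORIGINAL[0],
    (lambda p, ct: ct.get(conn_key(p)) == "dip_kav" and p["in"] != WAN, mark_routing),
]

def route(pkt, ct, rules):
    """Run prerouting mangle, then pick the next hop from the marked table,
    falling back to main (RouterOS v6 semantics) if that table has no match."""
    for matches, action in rules:
        if matches(pkt, ct):
            action(pkt, ct)
    table = pkt.get("routing_mark", "main")
    return lookup(table, pkt["dst"]) or lookup("main", pkt["dst"])

def simulate(rules):
    """Return (next hop of the SYN, next hop of the SYN-ACK) for one connection."""
    ct = {}
    syn = {"src": CLIENT, "dst": KAV, "in": LAN}
    syn_ack = {"src": KAV, "dst": CLIENT, "in": WAN}
    return route(syn, ct, rules), route(syn_ack, ct, rules)
```

With ORIGINAL the SYN-ACK for 192.168.1.150 is bounced back to the WAN gateway, which is the 'syn received' then timeout Chupaka saw; with FIXED it is delivered to the LAN interface.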
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mangle + NAT + Policy Routing

Sat Sep 11, 2021 4:03 pm

I need that for OpenVPN, can't make it work
@nichky, in your case, is the Mikrotik with these rules the OpenVPN client or server? Or neither of the two, and it just forwards someone else's OpenVPN connections? In any case, assigning a connection-mark alone has no effect on routing, you have to translate the connection-mark to a routing-mark at some point. If the Mikrotik itself is a client or server for OpenVPN, you may have to assign the connection-mark, and you definitely have to assign the routing-mark, in chain output in mangle, not in chain prerouting.
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Mangle + NAT + Policy Routing

Sun Sep 12, 2021 2:29 am

hi sindy,

The MT that has these rules is the OVPN server.
What is my goal here:
by using these rules I want to masquerade the traffic going to the OVPN clients, so that it allows me to get access to them without adding any routes from the client perspective.

Currently I'm using this rule, which does work:

NAT
add action=masquerade chain=srcnat out-interface=ovpn-client

The problem is I don't want to add one for all the clients.
That is why I'm forcing mangle+NAT to do that for me
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mangle + NAT + Policy Routing

Sun Sep 12, 2021 10:24 am

OK, so you need to src-nat the payload traffic (sent inside the tunnel). But your action=mark-connection rule matches on protocol=tcp src-port=1198, which seems to refer to the transport packets of the OpenVPN (those forming the tunnel). As the IP firewall has no knowledge about the relationship between the payload packets and the transport ones, this idea fails. On top of that, the action=mark-connection rule itself actually never matches, because the transport packets are sent by the router itself, not forwarded from ether9, and packets sent by the router itself never get to chain prerouting. That's why I was asking about the role of the router in the overall OpenVPN topology.

So to get what you actually want, forget about connection marking, and do the following (in exactly this order):
  • /interface list add name=ovpn-client
  • create an action=masquerade rule matching on out-interface-list=ovpn-client just before or just after the current individual rules matching on out-interface=<ovpn-user>
  • /ppp profile add copy-from=[/interface ovpn-server server get default-profile] name=ovpn-profile interface-list=ovpn-client
  • at a time when a short-time disconnection of all clients is acceptable:
    /interface ovpn-server server set default-profile=ovpn-profile (if you refer to customized /ppp profile rows from the /ppp secret rows, add interface-list=ovpn-client to these customized profiles instead).
As you change the OpenVPN server setting, the server terminates all connections and the clients reconnect (pity but that's how it is currently implemented). Each time a client connects, the dynamically created <ovpn-user> interface will be added as a member to the interface list indicated in the profile, so the new action=masquerade rule will handle connections established via this dynamic port. I'm not sure whether this works also if you have manually created static /interface ovpn-server rows for the clients, you have to try - if it doesn't, add these static interfaces as members to the interface list manually, or just remove the static items if they had no other purpose than the masquerade rule.
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Mangle + NAT + Policy Routing

Sun Sep 12, 2021 11:07 am

wow, thanks brother

I didn't need to touch this one "/interface ovpn-server server set default-profile=ovpn-profile".
As far as I know /ppp profile has priority over
/interface xxx-server,
is that correct?

I don't know exactly which country you are from, but when I go to the Balkans I'll call you. Well done, master!!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mangle + NAT + Policy Routing

Sun Sep 12, 2021 11:38 am

As far as I know /ppp profile has priority over
/interface xxx-server,
is that correct?
More precisely, the profile value from /ppp secret overrides the default-profile value from /interface xxx-server server. So yes, if you specify a profile on each /ppp secret row, there is no need to change the "last resort" profile associated to the server.

The fact that I speak the language a little doesn't yet mean I'm from the Balkans :) But I have it closer than you do now.
 
Kove
just joined
Posts: 3
Joined: Fri Oct 09, 2020 6:04 pm

Re: Re:

Thu Jul 14, 2022 3:50 am

But I'd like to know why connection marking does not work :(
What actually doesn't work, or rather works too well, is the rule translating the connection-mark to routing-mark. You've only got a single (default) route in the routing table dip_kav, and your action=mark-routing rule doesn't care about in-interface. So since the response packets for 192.168.1.150 arriving via WAN get routing-marked with dip_kav, they are also routed via the WAN gateway. The connected routes (distance=0) do not override the routing-mark.

So as you expressly don't want to match on IP addresses, use something like in-interface-list=!WAN in the action=mark-routing rule.
Sindy,

I just came to say thank you. In the past couple of years, whenever I ran into issues with MikroTik configurations, very often the solutions were found in your replies. You, as well as a very few other gurus on this forum, can always explain complicated issues in a way for newbies like me to not just get something to work, but to understand exactly why. This particular example of connection marking in mangle rules had been bothering me for days. I read a lot of online discussions and watched a lot of videos; it only clicked when I saw your explanation.
Really appreciate it.
