h2desk
just joined
Topic Author
Posts: 12
Joined: Wed May 24, 2023 8:11 pm

Mikrotik's own traffic with mangle rules

Tue Sep 26, 2023 6:01 pm

Is it possible to control the output of MikroTik's own traffic with mangle rules?
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik's own traffic with mangle rules

Tue Sep 26, 2023 6:05 pm

What is the requirement in better detail.
a. identify user(s)/device(s), groups of users/devices
b. identify what traffic they should be allowed to execute.
c. identify any particular routes traffic should take
d. identify any traffic that the router needs to execute ( aka router services like VPN ).

Short answer: yes. Long answer: yes. Without more information, ...
 
Amm0
Forum Guru
Posts: 3422
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mikrotik's own traffic with mangle rules  [SOLVED]

Tue Sep 26, 2023 6:07 pm

Yes. It's covered by the Packet Flow Diagram.

The "Mikrotik's own traffic" is a "routing process" here going through LOCAL:
https://help.mikrotik.com/docs/display/ ... lowDiagram
[image: packet flow diagram]

And mangle can catch, among other places, the "output" chain:
https://help.mikrotik.com/docs/display/ ... rOS-Output
Or when a packet is originated from the router (routing output):
- the packet is originated from the router itself;
- the packet goes through the routing table to make a routing decision.

A packet enters the output process:
- process packet through the Bridge decision;
- send the packet through connection tracking;
- process packet through the Mangle output chain;
- process packet through the Filter output chain;
- send the packet to routing adjustment (policy routing).

The packet enters the postrouting process:
- process packet through the Mangle postrouting chain;
- process packet through the NAT src-nat chain;
- if there is a hotspot, undo any modifications made in hotspot-in;
- process packet through the queue tree (HTB Global);
- process packet through simple queues.

Check if there is IPsec and then process through IPsec policies.

Specifically in "Mangle Output" and "Mangle Input", which break out the "Routing Decision" in the first diagram:
[image: Mangle Output / Mangle Input break-out of the Routing Decision]
The OUTPUT and INPUT parts are clear from the first diagram, but just to clarify...
PREROUTING chain is traffic going through ⒾⓀ
POSTROUTING chain is traffic going through 🅙🅛
e.g. from the "break-out" of the top diagram of this post
 
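Here, as an added example that is not part of the original thread or of MikroTik's documentation, is the output-chain approach applied to the case the topic author describes (the router's own DNS queries and script-originated traffic sent through a VPN). RouterOS v7 syntax; the interface name wg-vpn, the peer endpoint 203.0.113.1, the address list script-targets and the address 198.51.100.25 are assumed placeholders, not values from the thread.

```routeros
# Added example (RouterOS v7): policy-route the router's OWN traffic with mangle chain=output.
# Only router-originated packets traverse chain=output; forwarded traffic never does.
# Assumed: "wg-vpn" is an existing WireGuard interface whose peer endpoint 203.0.113.1
# is reachable through the main table (both are placeholders).

# 1. A separate routing table (with FIB) and a default route through the tunnel.
/routing table add name=via-vpn fib
/ip route add dst-address=0.0.0.0/0 gateway=wg-vpn routing-table=via-vpn distance=1 \
    comment="router-originated marked traffic leaves via the tunnel"
# Kill switch: when the tunnel is down the blackhole becomes the active default in this
# table, so marked traffic is dropped rather than taking any other path.
/ip route add dst-address=0.0.0.0/0 blackhole routing-table=via-vpn distance=10 \
    comment="via-vpn kill switch"

# 2. Mangle OUTPUT. The tunnel's own transport packets are router-originated too; they must
# stay on the main table or the tunnel would be routed into itself. action=accept in mangle
# stops further mangle processing for that packet.
/ip firewall mangle
add chain=output dst-address=203.0.113.1 action=accept \
    comment="VPN peer endpoint: tunnel transport stays on the main table"
add chain=output protocol=udp dst-port=53 action=mark-routing new-routing-mark=via-vpn \
    passthrough=no comment="router's own DNS queries (/ip dns, :resolve) via VPN"
add chain=output protocol=tcp dst-port=53 action=mark-routing new-routing-mark=via-vpn \
    passthrough=no comment="DNS over TCP via VPN (match the DoH server address instead if DoH is used)"
add chain=output dst-address-list=script-targets action=mark-routing \
    new-routing-mark=via-vpn passthrough=no \
    comment="hosts that scheduled scripts (/tool fetch etc.) talk to"
/ip firewall address-list add list=script-targets address=198.51.100.25 \
    comment="placeholder: host a scheduled script fetches from"

# 3. Source address. The router picked its source address at the first routing decision
# (normally the WAN IP); the output-chain re-route keeps it. Masquerade on the tunnel so
# the far side sees the tunnel-side address and replies come back through it.
/ip firewall nat add chain=srcnat out-interface=wg-vpn action=masquerade \
    comment="rewrite source of re-routed router-originated traffic"

# 4. Checks: trigger a query from the router, then confirm the rule counters move and the
# packets actually appear on the tunnel interface.
:put [:resolve example.com]
/ip firewall mangle print stats where chain=output
/ip route print where routing-table=via-vpn
/tool sniffer quick interface=wg-vpn port=53
```

The accept rule for the peer endpoint goes first for a reason: without it, a script that happens to fetch from the same address family as the peer, or a DNS server that sits behind the peer's address, could pull the WireGuard handshake itself into the via-vpn table.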
h2desk
just joined
Topic Author
Posts: 12
Joined: Wed May 24, 2023 8:11 pm

Re: Mikrotik's own traffic with mangle rules

Tue Sep 26, 2023 8:52 pm

Anav, thank you for your time and the incredible speed in responding.
It would be options C and D, but specifically D. The intention is to make MikroTik itself execute some script tasks that will use the VPN and some DNS queries.
I initially had doubts about knowing the possibility, now I'm going to research and study. Thanks a lot for the help.
 
h2desk
just joined
Topic Author
Posts: 12
Joined: Wed May 24, 2023 8:11 pm

Re: Mikrotik's own traffic with mangle rules

Tue Sep 26, 2023 8:58 pm

Amm0, thank you for your time and the incredible speed in putting together the material and responding.

You gave me a lot of content, wow! Complex. I will need to assimilate the information and test a lot. Thank you very much for your help, you've already given me a lot of homework. lol!
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik's own traffic with mangle rules

Tue Sep 26, 2023 9:22 pm

In simple terms, there are tools you can use.

What is common to both is needing a table and an IP route.

One is to create a table:
/routing table add name=utilizeWANX fib

Create the route:
/ip route add dst-address=0.0.0.0/0 gateway=ISPX routing-table=utilizeWANX

Then you have two options:

a. Use a routing rule. This basically states that any traffic coming from WANX-IP (and since this includes responses to external traffic hitting WANX, like a VPN handshake) will be forced out via the table to WANX and will not follow the normal main-table routes.
/routing rule add action=lookup-only-in-table src-address=WANX-IP table=utilizeWANX

b. Use mangling. These rules mark traffic coming in on a WAN and force any return traffic with those marks to go out the same WAN, regardless of priority in the main table, as we force the traffic out via a separate table. This is also valid for any port forwardings coming in on WANX.

/ip firewall mangle
# mark every new connection that arrives on WANX
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WANX new-connection-mark=incomingWANX passthrough=yes
# router-originated replies belonging to those connections look up utilizeWANX
add action=mark-routing chain=output connection-mark=incomingWANX \
    new-routing-mark=utilizeWANX passthrough=no

And modify the fasttrack rule:
/ip firewall filter
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes connection-mark=no-mark

These are just possible tools to consider; depending on how complex the config may be, some variations are expected.
 
h2desk
just joined
Topic Author
Posts: 12
Joined: Wed May 24, 2023 8:11 pm

Re: Mikrotik's own traffic with mangle rules

Wed Sep 27, 2023 3:16 pm

Perfect, Anav.
Thanks for the examples. Two ways, the simple one like routing and the more complicated one like mangle.

I understood your explanation.
 
Amm0
Forum Guru
Posts: 3422
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mikrotik's own traffic with mangle rules

Wed Sep 27, 2023 6:23 pm

I'm the "big picture" guy ... I'd listen to @anav if you want something working ;)

@anav – the connection-mark=no-mark is a pretty clever way to be generic about what's going through the main routing table...
and modify fastrack rule....
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-state=established,related hw-offload=yes connection-mark=no-mark
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik's own traffic with mangle rules

Wed Sep 27, 2023 6:26 pm

My middle name is clever, I will give you hint.
Anav "SINDY" Llama
 
Amm0
Forum Guru
Posts: 3422
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mikrotik's own traffic with mangle rules

Wed Sep 27, 2023 7:27 pm

For completeness, the reason for the "extra rule" for fasttrack comes later in the Packet Flow. RouterOS has a feature called "fasttrack" that's enabled in the default firewall. This, essentially, does work when using routing tables... As you can see below, before the MANGLE PREROUTING, the FASTTRACKED? is checked ... so traffic can "jump the shark".
Traffic that belongs to a fast-tracked connection travels in FastPath, which means that it will not be visible by other router L3 facilities (firewall, queues, IPsec, IP accounting, VRF assignment, etc). Fasttrack lookups route before routing marks have been set, so it works only with the main routing table.
[image: packet flow diagram]
 
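As an added example that is not from the thread: the default fasttrack rule beside the adjusted one, with the checks that show whether marked connections stay out of FastPath. Adding connection-mark=no-mark does not disable fasttrack; it only exempts connections that carry a mark (here anav's incomingWANX from above), and everything else still takes FastPath. The rule comments are assumed.

```routeros
# Added example (RouterOS v7): keep connection-marked traffic out of FastPath.
# Once a forwarded connection is fasttracked, its later packets skip mangle, queues and the
# rest of the L3 path, so routing marks derived from the connection mark would never be applied.

# Before (default firewall): every established/related forwarded connection gets fasttracked,
# marked or not.
# /ip firewall filter add chain=forward action=fasttrack-connection \
#     connection-state=established,related hw-offload=yes comment="defconf: fasttrack"

# After: only connections WITHOUT a connection mark are fasttracked. Marked connections stay
# in the normal path and traverse mangle on every packet; fasttrack remains on for the rest.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark hw-offload=yes comment="fasttrack only unmarked connections"
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"

# Ordering: the mark-connection rule in mangle prerouting sees the first packet of a
# connection before any fasttrack decision exists, so the mark is already set when the
# fasttrack rule evaluates connection-mark on the following packets.
# Scope: the rule lives in chain=forward, so it only affects forwarded connections; the
# router's own input/output traffic is not fasttracked by it in the first place.

# Checks. Marked connections must not carry the F (fasttrack) flag:
/ip firewall connection print where connection-mark=incomingWANX
# The fasttrack rule's counters should keep growing for ordinary (unmarked) traffic:
/ip firewall filter print stats where action=fasttrack-connection
# The output-chain mark-routing rule should count packets for replies on marked connections:
/ip firewall mangle print stats where chain=output
```

If the F flag does show up on a marked connection, the fasttrack rule is being evaluated before the mark exists, which usually means the mark-connection rule is in the wrong chain or sits below a rule that accepts the first packet.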
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik's own traffic with mangle rules

Wed Sep 27, 2023 8:37 pm

Super helpful to describe where it fits !!!
 
h2desk
just joined
Topic Author
Posts: 12
Joined: Wed May 24, 2023 8:11 pm

Re: Mikrotik's own traffic with mangle rules

Sun Oct 01, 2023 3:56 pm

It's very satisfying to witness a conversation between intelligent people.

If I understand correctly, using no-mark on the connection mark in the connection-state rule would disable fasttrack? This way it would use the mangle rules and not be ignored by the jump from fasttrack to FastPath.
