Currently, with L3HW enabled on my CRS309-1G-8S+, it seems that mangle rules are not applied to traffic. Is there a way to make mangle rules work selectively, or would I have to disable L3HW altogether?
The goal of my mangle rules is that I route my LAN traffic to the internet through an L7 firewall as the default route, which THEN goes to the NAT firewall; but if the L7 firewall fails, I have a backup route (distance 10) that leaves out the L7 firewall and routes directly to the NAT firewall. Port forwards from the internet come in through the NAT firewall, and therefore the return path of the packets should always go through the NAT firewall directly and not through the L7 firewall. The config below worked on an RB5009, which of course does not have L3HW offloading.
I have three default routes on my CRS309-1G-8S+ like this:
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.31.52 pref-src=192.168.31.49 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=10.200.25.1 pref-src=192.168.25.252 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.200.25.1 pref-src=192.168.25.252 routing-table=\
public-service-return-path scope=30 suppress-hw-offload=no target-scope=10
- The second one is a backup route if the gateway of the first route isn't available (hence distance=10)
- The third route should ALWAYS route packets via 10.200.25.1, if the packet has "public-service-return-path" set as routing mark. This is because on 10.200.25.1 there are port forwardings from the internet to the internal network and the return path should not go over 192.168.31.52 from the first route but always over 10.200.25.1.
Additionally, I have these mangle rules, of course, to mark the routing:
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-list=\
PUBLISHED-SERVERS in-interface=ether1 log=yes log-prefix=mark new-connection-mark=out-fgt passthrough=yes \
src-address-list=!LAN-NETWORKS
add action=mark-routing chain=prerouting connection-mark=out-fgt connection-state=established,related dst-address-list=\
!LAN-NETWORKS in-interface=bridge log=yes log-prefix=route new-routing-mark=public-service-return-path passthrough=yes \
src-address-list=PUBLISHED-SERVERS
add address=192.168.0.0/16 list=LAN-NETWORKS
add address=172.16.0.0/12 list=LAN-NETWORKS
add address=10.0.0.0/8 list=LAN-NETWORKS
add address=192.168.25.11 disabled=yes list=PUBLISHED-SERVERS
add address=192.168.25.6 list=PUBLISHED-SERVERS
add address=192.168.31.70 list=PUBLISHED-SERVERS
add address=192.168.31.21 list=PUBLISHED-SERVERS
Servers and Clients (LAN-NETWORKS) <-> 192.168.25.252 (CRS309) 10.200.25.2 <-> [10.200.25.1 (NAT Firewall)] OR [192.168.31.52 (L7 Transparent Firewall)] <-> Internet Modem
Thanks for any advice
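One thing to check before disabling L3HW entirely: the routes in the post already carry the per-route property suppress-hw-offload=no. The following is an added example (not configuration from the original post) that keeps the three default routes as posted but sets suppress-hw-offload=yes on them, on the assumption that a route marked this way is forwarded by the CPU rather than the switch chip, so the prerouting mangle rules see the internet-bound and return-path packets while other routes stay offloaded. The two print commands at the end are the check: mangle counters and firewall log entries only increase for packets that actually reach the CPU.

```routeros
# Added example, not from the original post. Same three default routes,
# but with suppress-hw-offload=yes so their traffic is routed by the CPU
# (assumption to verify on the CRS309) and the mangle rules can act on it.
/ip/route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.31.52 \
    pref-src=192.168.31.49 routing-table=main suppress-hw-offload=yes
add check-gateway=ping distance=10 dst-address=0.0.0.0/0 gateway=10.200.25.1 \
    pref-src=192.168.25.252 routing-table=main suppress-hw-offload=yes
add distance=1 dst-address=0.0.0.0/0 gateway=10.200.25.1 pref-src=192.168.25.252 \
    routing-table=public-service-return-path suppress-hw-offload=yes

# Check: the mangle rules in the post log with prefixes "mark" and "route".
# If the counters below stay at zero and no firewall log lines appear while
# a published server is reached from the internet, the packets are still
# being forwarded in hardware and never reach the mangle chain.
/ip/firewall/mangle print stats
/log print where topics~"firewall"
```

Two caveats on this check. First, with suppress-hw-offload=yes on every default route, all internet-bound traffic is CPU-routed anyway, so the remaining L3HW benefit is limited to routes that are not touched (for example inter-VLAN or connected routes). Second, the mark-connection rule in the post matches new connections arriving on ether1 towards PUBLISHED-SERVERS; those packets follow the connected routes to the LAN, not the default routes above, so whether that first rule sees them under L3HW has to be verified separately with the same counters.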