Hi Gang
I have started using Wireguard Tunnels and they work nicely. But I have come across a PMTU Discovery issue with asymmetric routing which I attempt to 'fix' by using policy routing.
What I am basically trying to do is to send traffic back to the interface it came in on, even if this is not where the longest route match points.
So I have two interfaces. A PPPoE Interface and a wg-srv interface (which is a tunnel over the PPPoE interface).
Let's try an example:
200185a3:0000::/64 via wg-srv
::/0 via PPPoE
200185a3:0000::1:42/64 does NOT know the route back via the Wireguard tunnel, but is sending traffic directly via PPPoE.
This is asymmetric routing, but it works fine (traffic FROM ::1:42 arrives via PPPoE and replies to this traffic take the route via wg-srv),
except for what looks like a very specific range of packet sizes which probably get dropped because they don't fragment and are too big.
So my goal is: If a connection originates from ::1:42 I want to send that traffic back via PPPoE (same interface as inbound) and not via Wireguard Tunnel.
So I added a mangle rule matching 200185a3:0000::/64 and marking the connection.
/ipv6/firewall/connection/print detail confirms, connection is marked.
I added one more rule BEFORE the mark connection rule (I use packet marks for queueing) to add a route-mark 'NO-WG' to all packets in that connection and I have a routing table 'NO-WG' pointing 200185a3:0000::/64 to the %PPPOE. Counters increase. So the rules match!
BUT no joy, all reply traffic is sent out wg-srv.
Could it be that Wireguard is grabbing that traffic on a lower level before a lookup for the routing table is done?
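The mark-connection / mark-routing setup described in the post, written out as an added RouterOS v7 example (not the poster's own configuration); the interface name pppoe-out1, the prefix 2001:db8:1::/64 and the gateway address are placeholders. It also includes an output-chain rule, because replies the router itself generates are never seen in the prerouting chain.

```routeros
# Added example (not the poster's configuration). Assumptions:
#   pppoe-out1         = the PPPoE interface (name assumed)
#   wg-srv             = the WireGuard interface from the post
#   2001:db8:1::/64    = placeholder for the poster's /64 prefix
#   fe80::1%pppoe-out1 = placeholder PPPoE next hop
# RouterOS v7 syntax.

# 1. A routing table that packets marked NO-WG are looked up in.
#    In v7 the routing mark name must equal a table created with 'fib'.
/routing/table add name=NO-WG fib

# 2. Route for the prefix in that table only; the main table keeps
#    pointing the prefix at wg-srv for everything else.
/ipv6/route add dst-address=2001:db8:1::/64 gateway=fe80::1%pppoe-out1 routing-table=NO-WG

# 3. Mark only connections that were OPENED from the prefix and arrived
#    over PPPoE. connection-state=new plus in-interface keeps connections
#    the LAN opens toward the prefix unmarked, so those still use wg-srv.
/ipv6/firewall/mangle add chain=prerouting connection-state=new in-interface=pppoe-out1 src-address=2001:db8:1::/64 action=mark-connection new-connection-mark=from-pppoe passthrough=yes comment="opened inbound via PPPoE"

# 4. Forwarded replies: packets from the LAN that belong to such a
#    connection pass prerouting, get the routing mark and are looked up
#    in NO-WG instead of the main table. dst-address excludes the
#    inbound packets of the same connection (they are routed to the LAN).
/ipv6/firewall/mangle add chain=prerouting connection-mark=from-pppoe dst-address=2001:db8:1::/64 action=mark-routing new-routing-mark=NO-WG passthrough=no comment="forwarded reply via PPPoE"

# 5. Replies generated by the router itself (services on the router,
#    ICMPv6 errors) never pass prerouting; they only traverse the output
#    chain, so the routing mark has to be set there as well.
/ipv6/firewall/mangle add chain=output connection-mark=from-pppoe dst-address=2001:db8:1::/64 action=mark-routing new-routing-mark=NO-WG passthrough=no comment="router-originated reply via PPPoE"

# Checks: table exists with fib, route is in NO-WG, rule counters move,
# and marked connections show the connection mark.
/routing/table print
/ipv6/route print where routing-table=NO-WG
/ipv6/firewall/mangle print stats
/ipv6/firewall/connection print detail where connection-mark=from-pppoe
```

If only the forwarded case is needed, rule 5 can be left out; if the counters of rule 4 or 5 stay at zero while the connection is marked, the replies are taking a path the mangle chain in question does not see.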