 
tty1
just joined
Topic Author
Posts: 21
Joined: Thu Dec 09, 2021 10:34 pm

Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 4:24 pm

Hi guys,

I have set up Cloudflare WARP as a WireGuard interface on my RouterOS, and I want to route specific traffic to it. The interface is up and accessible to the Internet. It works well if I add a static route, or mark routing for an IP address or address list in the mangle table. I use
curl https://cloudflare.com/cdn-cgi/trace -v -4
to check the "warp" option to see whether the traffic is going through WARP interface or not.
add action=mark-routing chain=prerouting dst-address-list=cloudflare new-routing-mark=vpn passthrough=yes
Now I want to route only the HTTPS traffic of a specific domain, so I am using the TLS host option to match the SNI of TLS traffic.
add action=mark-connection chain=prerouting comment="sni cloudflare" connection-mark=no-mark dst-port=443 new-connection-mark=vpn passthrough=yes protocol=tcp tls-host=*cloudflare*
add action=mark-routing chain=output comment="mark routing" connection-mark=vpn new-routing-mark=vpn passthrough=yes
The packet counter for the mark-connection rule increased, which means that the packets have been delegated a connection mark. But the traffic does not go through the VPN interface, and the packet counter of the mark-routing rule doesn't change. Do you have any ideas? Many thanks
 
wiseroute
Member
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 5:14 pm

hello

I am sorry, I am not sure about what you want to achieve.

did you mean:

remote pbr to your cloudflare warp?

or vice versa, pbr warp for inbound outbound to internet?
 
tty1
just joined
Topic Author
Posts: 21
Joined: Thu Dec 09, 2021 10:34 pm

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 5:19 pm

> hello
>
> I am sorry, I am not sure about what you want to achieve.
>
> did you mean:
>
> remote pbr to your cloudflare warp?
>
> or vice versa, pbr warp for inbound outbound to internet?

I want to use RouterOS as a VPN client and route specific traffic to WARP.
 
wiseroute
Member
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 6:10 pm

hello @ tty1

from all your config and those mangle list - just one thing i would like to ask:

where is that ip route command directing the traffic to go to the wireguard? do you need nat as well?
 
tty1
just joined
Topic Author
Posts: 21
Joined: Thu Dec 09, 2021 10:34 pm

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 6:13 pm

> hello @ tty1
>
> from all your config and those mangle list - just one thing i would like to ask:
>
> where is that ip route command directing the traffic to go to the wireguard? do you need nat as well?

I created a routing table named "vpn", with a default route to the wireguard interface. There is a routing rule to enforce routing lookup only in the "vpn" table for traffic with "vpn" routing mark. I have configured masquerade for outbound traffic on the wireguard interface.
 
Guscht
Member Candidate
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 6:19 pm

If the counter doesn't increase, simply nothing matches against your rule.

But why do you first do the routing-mark and then the connection-mark?
I'd set it up, match the connection and then use the connection-mark as a matcher for the routing mark.
 
tty1
just joined
Topic Author
Posts: 21
Joined: Thu Dec 09, 2021 10:34 pm

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 6:22 pm

> If the counter doesn't increase, simply nothing matches against your rule.
>
> But why do you first do the routing-mark and then the connection-mark?
> I'd set it up, match the connection and then use the connection-mark as a matcher for the routing mark.

The 2nd code snippet was shown as an example config, which means that the VPN connection itself works well.
The 3rd code snippet is the config in which I am facing the issue. I first mark the connection, then apply the routing mark to packets with connection marks.
 
wiseroute
Member
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 6:23 pm

ok.

because you have asked this
> packet counter for the mark-connection rule increased, which means that the packets have been delegated a connection mark. But the traffic does not go through the VPN interface, and the packet counter of the mark-routing rule doesn't change. Do you have any ideas? Many thanks
then, would you be kind enough to show us your pbr rules?

because I don't see them in your first post.

and @ guscht beat me to it 😂
 
Guscht
Member Candidate
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 6:27 pm

Move the 2nd rule in your 3rd code-snippet to the prerouting-chain.

The output-chain is for traffic the router itself produces. You can't conn-mark in prerouting and route-mark this in the output-chain. There is simply nothing which will match, which correlates with your observation :D
Last edited by Guscht on Sun Apr 30, 2023 6:30 pm, edited 1 time in total.
 
tty1
just joined
Topic Author
Posts: 21
Joined: Thu Dec 09, 2021 10:34 pm

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 6:28 pm

> ok.
>
> because you have asked this
> > packet counter for the mark-connection rule increased, which means that the packets have been delegated a connection mark. But the traffic does not go through the VPN interface, and the packet counter of the mark-routing rule doesn't change. Do you have any ideas? Many thanks
> then, would you be kind enough to show us your pbr rules?
>
> because I don't see them in your first post.
>
> and @ guscht beat me to it 😂

I am trying to route "traffic to a specific website" via the WARP interface. The website was behind CDN networks so I have to use TLS host (SNI) matching to mark the connections, then apply routing mark to these packets, and lookup in the VPN routing table, and route them via WARP interface. Here I use cloudflare.com as an example of SNI host.
 
tty1
just joined
Topic Author
Posts: 21
Joined: Thu Dec 09, 2021 10:34 pm

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 6:57 pm

> Move the 2nd rule in your 3rd code-snippet to the prerouting-chain.
>
> The output-chain is for traffic the router itself produces. You can't conn-mark in prerouting and route-mark this in the output-chain. There is simply nothing which will match, which correlates with your observation :D

Thanks for your message. Why, in the PCC example https://help.mikrotik.com/docs/display/ ... classifier, do people use prerouting and output at the same time?
 
Guscht
Member Candidate
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: Firewall Mangle: mark conn/routing not working as expected  [SOLVED]

Sun Apr 30, 2023 7:00 pm

Normally you use both, prerouting (for everything the router routes) and output for traffic the router itself produces. With 2 rules (prerouting and output) you catch everything. If you want to route traffic from the router itself (eg. DNS requests from the router's DNS-Client) you would need the output chain.

You can visualize this here:
https://wiki.mikrotik.com/wiki/File:Routing_Diagram.jpg
The only entry-points are I (prerouting) and K (output).
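The complete layout Guscht describes, written out as an added example (it is not config from the thread, from MikroTik, or from any of the posters): connection mark and routing mark are both set in prerouting for forwarded traffic, and a second pair in output covers connections the router originates itself. The WireGuard interface name "wg-warp" and the LAN bridge name "bridge" are assumptions, as is the in-interface restriction on the mark-routing rule, which follows the point raised in the last post of the thread: without it, reply packets arriving from the tunnel would carry the "vpn" connection mark, get the "vpn" routing mark in prerouting, and be looked up only in a table that has no route back to the LAN.

```routeros
# Added example (not from the thread). Assumptions: WireGuard interface is
# "wg-warp", LAN bridge is "bridge". RouterOS v7 syntax.

# Separate routing table with its own FIB, as described by the topic author.
/routing table
add name=vpn fib

# Default route for that table goes into the tunnel.
/ip route
add dst-address=0.0.0.0/0 gateway=wg-warp routing-table=vpn comment="default via WARP"

# Packets carrying routing-mark "vpn" are looked up only in table "vpn".
/routing rule
add routing-mark=vpn action=lookup-only-in-table table=vpn

# Source NAT for everything leaving through the tunnel.
/ip firewall nat
add chain=srcnat out-interface=wg-warp action=masquerade comment="nat via WARP"

/ip firewall mangle
# Forwarded traffic enters at prerouting (point I on the routing diagram).
# 1) First packet of a new HTTPS connection whose SNI matches: mark the connection.
add chain=prerouting in-interface=bridge protocol=tcp dst-port=443 \
    connection-mark=no-mark tls-host=*cloudflare* \
    action=mark-connection new-connection-mark=vpn passthrough=yes \
    comment="sni cloudflare: mark connection"
# 2) Every packet of a marked connection that comes from the LAN: mark routing.
#    in-interface=bridge keeps tunnel replies out of the "vpn" table.
add chain=prerouting in-interface=bridge connection-mark=vpn \
    action=mark-routing new-routing-mark=vpn passthrough=no \
    comment="sni cloudflare: mark routing (LAN -> WARP)"

# Router-originated traffic enters only at output (point K), so it needs its
# own pair; nothing set in prerouting is ever seen here for forwarded flows.
add chain=output protocol=tcp dst-port=443 connection-mark=no-mark \
    tls-host=*cloudflare* action=mark-connection new-connection-mark=vpn \
    passthrough=yes comment="router itself: mark connection"
add chain=output connection-mark=vpn \
    action=mark-routing new-routing-mark=vpn passthrough=no \
    comment="router itself: mark routing"
```

To confirm the rules are hit, watch the counters with `/ip firewall mangle print stats` while running the curl trace from the first post from a LAN host; the prerouting mark-connection rule should count the first packet of each new connection, and the prerouting mark-routing rule should now count every packet of those connections, which is exactly the counter that stayed at zero when the rule lived in output.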
 
tty1
just joined
Topic Author
Posts: 21
Joined: Thu Dec 09, 2021 10:34 pm

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 7:04 pm

> Normally you use both, prerouting (for everything the router routes) and output for traffic the router itself produces. With 2 rules (prerouting and output) you catch everything. If you want to route traffic from the router itself (eg. DNS requests from the router's DNS-Client) you would need the output chain.
>
> You can visualize this here:
> https://wiki.mikrotik.com/wiki/File:Routing_Diagram.jpg
> The only entry-points are I (prerouting) and K (output).

Many thanks! And also thanks to @wiseroute as well.
 
tty1
just joined
Topic Author
Posts: 21
Joined: Thu Dec 09, 2021 10:34 pm

Re: Firewall Mangle: mark conn/routing not working as expected

Sun Apr 30, 2023 7:15 pm

> Normally you use both, prerouting (for everything the router routes) and output for traffic the router itself produces. With 2 rules (prerouting and output) you catch everything. If you want to route traffic from the router itself (eg. DNS requests from the router's DNS-Client) you would need the output chain.
>
> You can visualize this here:
> https://wiki.mikrotik.com/wiki/File:Routing_Diagram.jpg
> The only entry-points are I (prerouting) and K (output).

In the routing table named "vpn", there is no entry for local LAN networks, which means that the backhaul traffic with "vpn" routing mark will be redirected back to the VPN interface. So I need to limit the "mark-routing" entry with "in-interface=bridge", am I right?
