CTassisF
newbie
Topic Author
Posts: 35
Joined: Thu Jun 11, 2020 10:26 pm
Location: São Paulo, Brazil

Custom Routing Table + Routing Mark not working

Wed Jan 19, 2022 8:54 pm

(hAP ac^3 running 7.2rc1)

I have properly working IPv4 and IPv6 networks. IPv4 is NATed, IPv6 /64 prefix comes from WAN (PPPoE) via DHCPv6 PD and it is then Router Advertised to my LAN.

I want to route some of the outgoing traffic via a WireGuard VPN using NAT. To do that I've:

- created a new routing table;
- added the 0.0.0.0/0 and ::/0 routes via the VPN interface to this new routing table;
- added the nat rules;
- added the mangle rules to do the mark-routing.

I can see the mangle firewall rule increasing the packets counter, but this is not working for IPv6. The marked IPv6 traffic is still going directly to the Internet, not via the VPN.

Interestingly, this same configuration is working fine for IPv4.

Am I doing anything wrong here? Or is it a bug with RouterOS v7?

Here are the relevant parts of my config:
/interface wireguard
add listen-port=51820 mtu=1432 name=vpn
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 interface=vpn
/ip address
add address=172.16.0.2 interface=vpn network=172.16.0.2
/ipv6 address
add address=fd00:a:b:c:d:e:f:1234/128 advertise=no interface=vpn
/routing table
add fib name=vpn
/ip route
add dst-address=0.0.0.0/0 gateway=vpn routing-table=vpn
/ipv6 route
add dst-address=::/0 gateway=vpn routing-table=vpn
/ipv6 firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=no src-mac-address=AA:BB:CC:DD:EE:FF
/ipv6 firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface=vpn

I also discovered by accident that if I mess with /routing/rule/ (like add and then remove some rules) the marked traffic will start going through the VPN, even after removing all rules in there. This makes me guess it is something related to the routing cache?

Thanks in advance.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Custom Routing Table + Routing Mark not working

Fri May 20, 2022 1:26 am

I am trying exactly the same and it fails for me too.
Any progress on your configuration?
 
CTassisF
newbie
Topic Author
Posts: 35
Joined: Thu Jun 11, 2020 10:26 pm
Location: São Paulo, Brazil

Re: Custom Routing Table + Routing Mark not working

Fri May 20, 2022 4:27 am

Any progress on your configuration?

Yes! I was able to make it work.

Apparently to make it work you have to do both mark-connection and mark-routing:

/ipv6 firewall mangle
add action=jump chain=prerouting comment=prerouting-vpn dst-address-list=vpn jump-target=prerouting-vpn
add action=mark-connection chain=prerouting-vpn comment="mark-connection vpn" dst-address-list=!not-vpn new-connection-mark=vpn passthrough=yes
add action=mark-routing chain=prerouting-vpn comment="mark-routing vpn" connection-mark=vpn new-routing-mark=vpn passthrough=no
/ipv6 firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface=vpn

(This config is slightly different from the other one I posted before. In this one I'm using address-lists to mark which traffic should and should not go through the VPN interface.)

Doing it this way worked perfectly for me.
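The ruleset in the reply above only shows the mangle and NAT parts. Below is a complete, self-contained IPv6 version of that approach, added here as an example and not taken from the poster's configuration: it assumes the WireGuard interface is named vpn, that the address lists vpn and not-vpn exist (the prefixes put into them are documentation placeholders), and it finishes with the print commands used to confirm that connections are being marked and that the table actually holds a default route.

```routeros
# Added example (not the poster's config): IPv6 policy routing via a
# WireGuard interface named "vpn". Names, prefixes and list entries are
# placeholders; adjust them to your own setup.

# 1. A second routing table with its own FIB, and a default route in it
#    that points at the tunnel interface.
/routing table
add fib name=vpn
/ipv6 route
add dst-address=::/0 gateway=vpn routing-table=vpn

# 2. The address lists the mangle rules refer to. "vpn" selects destinations
#    that should use the tunnel; "not-vpn" carves out exceptions inside it.
#    (2001:db8::/32 is the documentation prefix, used here as a placeholder.)
/ipv6 firewall address-list
add list=vpn address=2001:db8:1::/48 comment="send to VPN"
add list=not-vpn address=2001:db8:1:ffff::/64 comment="exception, keep direct"

# 3. Mark the connection once, then set the routing mark on every packet of
#    that connection. mark-connection keeps passthrough=yes so the next rule
#    still runs; mark-routing uses passthrough=no because nothing after it
#    needs to see the packet.
/ipv6 firewall mangle
add chain=prerouting action=jump jump-target=prerouting-vpn \
    dst-address-list=vpn comment="prerouting-vpn"
add chain=prerouting-vpn action=mark-connection new-connection-mark=vpn \
    dst-address-list=!not-vpn passthrough=yes comment="mark-connection vpn"
add chain=prerouting-vpn action=mark-routing new-routing-mark=vpn \
    connection-mark=vpn passthrough=no comment="mark-routing vpn"

# 4. Source NAT behind the tunnel address so that replies come back through
#    the tunnel rather than being sent to the LAN prefix directly.
/ipv6 firewall nat
add chain=srcnat action=masquerade out-interface=vpn comment="masquerade vpn"

# 5. Checks: rule hit counters, tracked connections carrying the mark, and
#    the default route inside the table.
/ipv6 firewall mangle print stats
/ipv6 firewall connection print where connection-mark=vpn
/ipv6 route print where routing-table=vpn
```

If the mangle counters increase but the connection print shows nothing with connection-mark=vpn, the flow is matching the jump rule but not the mark-connection rule (usually because the destination is also in not-vpn); if the connection is marked but traffic still leaves directly, check the route print, since a table without a default route falls through to main.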
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Custom Routing Table + Routing Mark not working

Fri May 20, 2022 11:48 pm

Well, I have a configuration that reliably crashes the router...
Opened a support ticket (SUP-82649)... Will do further testing when this is resolved.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Custom Routing Table + Routing Mark not working

Sat Jul 09, 2022 12:54 am

Works for me now as well. My crash was fixed with:
*) firewall - fixed IPv6 NAT functionality when processing GRE traffic on TILE devices; 
 
RomikB
just joined
Posts: 14
Joined: Tue May 08, 2018 5:16 pm

Re: Custom Routing Table + Routing Mark not working

Tue Jan 30, 2024 1:11 am

I have the same problem as topic author.
Connection mark didn't help.
The marked IPv6 traffic is still going directly to the Internet, not via the VPN.
Can anyone suggest the solution?

RouterOS 7.13.3, hap ac
 
CTassisF
newbie
Topic Author
Posts: 35
Joined: Thu Jun 11, 2020 10:26 pm
Location: São Paulo, Brazil

Re: Custom Routing Table + Routing Mark not working

Tue Jan 30, 2024 2:24 am

I was able to make this work with custom routing tables (and even VRFs) using the following configuration:

/ip firewall mangle add action=jump chain=prerouting comment="prerouting LAN" connection-mark=no-mark connection-state=new dst-address-list=!private dst-address-type=!local in-interface-list=LAN jump-target=prerouting-lan

/ip firewall mangle add action=jump chain=prerouting-lan comment=NordVPN dst-address-list=nordvpn jump-target=prerouting-nordvpn

/ip firewall mangle add action=mark-connection chain=prerouting-nordvpn comment="mark-connection nordvpn" dst-address-list=!not-nordvpn new-connection-mark=nordvpn

/ip firewall mangle add action=mark-routing chain=prerouting comment="mark-routing nordvpn" connection-mark=nordvpn in-interface-list=LAN new-routing-mark=nordvpn-vrf passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="mark-routing main" connection-mark=nordvpn in-interface=nordvpn new-routing-mark=main passthrough=no

These same rules work for IPv6.

In this example I'm using a destination address list (dst-address-list=nordvpn) to mark which connections I want to go through the VPN, but you can use other methods too (like source IP address, for example).

The last rule is important to make sure the traffic that went through the VPN comes back to the main table (where my LAN is).
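The rules in the reply above are written for /ip firewall mangle and the poster states that the same rules work for IPv6. The block below is an added example, not the poster's own configuration, that spells out that IPv6 counterpart with the same chain names and marks, together with the pieces the post does not show. Assumed names: an interface list LAN, a WireGuard interface nordvpn, a plain routing table named nordvpn-vrf (a real /ip vrf is not configured here), and IPv6 address lists private, nordvpn and not-nordvpn; the prefixes put into the lists are placeholders from the documentation range.

```routeros
# Added example: IPv6 version of the IPv4 mangle rules in the post above.
# Assumed names: interface list "LAN", WireGuard interface "nordvpn",
# routing table "nordvpn-vrf", address lists "private", "nordvpn" and
# "not-nordvpn". Prefixes are placeholders.

# IPv6 equivalent of the "private" list: ULA and link-local ranges, so that
# internal traffic never gets pushed into the tunnel.
/ipv6 firewall address-list
add list=private address=fc00::/7 comment="ULA"
add list=private address=fe80::/10 comment="link-local"
add list=nordvpn address=2001:db8:2::/48 comment="placeholder: route via VPN"
add list=not-nordvpn address=2001:db8:2:ffff::/64 comment="placeholder exception"

/ipv6 firewall mangle
# Only new, still unmarked connections from the LAN towards non-local,
# non-private destinations enter the classification chain.
add chain=prerouting action=jump jump-target=prerouting-lan \
    connection-mark=no-mark connection-state=new \
    dst-address-list=!private dst-address-type=!local \
    in-interface-list=LAN comment="prerouting LAN"
add chain=prerouting-lan action=jump jump-target=prerouting-nordvpn \
    dst-address-list=nordvpn comment=NordVPN
# The connection mark is set once, on the first packet of the flow; every
# later packet is then matched by connection-mark=nordvpn in the two rules
# below, in both directions.
add chain=prerouting-nordvpn action=mark-connection new-connection-mark=nordvpn \
    dst-address-list=!not-nordvpn comment="mark-connection nordvpn"
# LAN -> tunnel: look these packets up in the nordvpn-vrf table.
add chain=prerouting action=mark-routing new-routing-mark=nordvpn-vrf \
    connection-mark=nordvpn in-interface-list=LAN passthrough=no \
    comment="mark-routing nordvpn"
# Tunnel -> LAN: replies arriving on the tunnel carry the same connection
# mark; send them back to main, where the LAN prefixes live.
add chain=prerouting action=mark-routing new-routing-mark=main \
    connection-mark=nordvpn in-interface=nordvpn passthrough=no \
    comment="mark-routing main"

# Masquerade behind the tunnel address, and the table the marked packets
# are looked up in, with its default route via the tunnel.
/ipv6 firewall nat
add chain=srcnat action=masquerade out-interface=nordvpn
/routing table
add fib name=nordvpn-vrf
/ipv6 route
add dst-address=::/0 gateway=nordvpn routing-table=nordvpn-vrf
```

The two mark-routing rules are deliberately kept in the prerouting chain itself rather than inside prerouting-nordvpn: the jump only fires for new connections, while the routing mark has to be applied to every packet of an already-marked connection, in both directions.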
 
RomikB
just joined
Posts: 14
Joined: Tue May 08, 2018 5:16 pm

Re: Custom Routing Table + Routing Mark not working

Tue Jan 30, 2024 9:54 am

Thank you, but this didn't help me.
IPv4 works without problems, but IPv6 does not.
I tried marking the connection before and tried it again now. The connection is marked, the packets are marked, but the routing is ignored.
Can it be a routing problem? Does routing require a more complex setting than for IPv4?
/ipv6 route add dst-address=::/0 gateway=vpn routing-table=vpn
