woodych
just joined
Topic Author
Posts: 19
Joined: Fri Nov 12, 2021 7:09 pm

Wireguard and Policy Routing (route-mark)

Tue Jun 21, 2022 5:21 pm

Hi Gang

I have started using Wireguard tunnels and they work nicely. But I have come across a PMTU Discovery issue with asymmetric routing which I attempt to 'fix' by using policy routing.

What I basically try to attempt is to send traffic back to the interface it came in on, even if this is not where the longest route match points.

So I have two interfaces: a PPPoE interface and a wg-srv interface (which is a tunnel over the PPPoE interface).

Let's try an example:

2001:0db8:85a3:0000::/64 via wg-srv
::/0 via PPPoE

2001:0db8:85a3:0000::1:42/64 does NOT know the route back via the Wireguard tunnel, but is sending traffic directly via PPPoE.

This is asymmetric routing, but it works fine (traffic FROM ::1:42 arrives via PPPoE and replies to this traffic take the route via wg-srv),
except for what looks like a very specific range of packet sizes, which probably get dropped because they don't fragment and are too big.

So my goal is: If a connection originates from ::1:42 I want to send that traffic back via PPPoE (same interface as inbound) and not via Wireguard Tunnel.

So I added a mangle rule matching 2001:0db8:85a3:0000::/64 and marking the connection.
/ipv6/firewall/connection/print detail confirms, connection is marked.

I added one more rule BEFORE the mark connection rule (I use packet marks for queueing) to add a route-mark 'NO-WG' to all packets in that connection and I have a routing table 'NO-WG' pointing 2001:0db8:85a3:0000::/64 to the %PPPOE. Counters increase. So the rules match!

BUT no joy, all reply traffic is sent out wg-srv.

Could it be, that Wireguard is grabbing that traffic on a lower level before a lookup for the routing table is done?
 
woodych
just joined
Topic Author
Posts: 19
Joined: Fri Nov 12, 2021 7:09 pm

Re: Wireguard and Policy Routing (route-mark)

Tue Jun 21, 2022 5:48 pm

I guess I just figured it out.
As mentioned, I use packet marks for queueing. I found out that the mangle rules are run once for prerouting and then again for forward, despite passthrough not being ticked. So I probably ended up with a packet mark on the packets I wanted a route mark on.
Now it sort of works, need to draw a picture :-)
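
The setup described in the first post, with the rule ordering the second post arrived at, written out as an added example configuration (not the poster's own export). It assumes RouterOS v7 syntax, a PPPoE interface named pppoe-out1 and a queue packet mark named QUEUE-WAN; the prefix and the NO-WG table name are taken from the thread.

```routeros
# Separate FIB for "reply on the interface the connection came in on"
/routing/table add name=NO-WG fib

# 1. Mark connections that ARRIVE on PPPoE from the remote /64 (the ones that
#    would otherwise be answered via wg-srv). connection-state=new keeps the
#    rule from re-evaluating every packet of an established flow.
/ipv6/firewall/mangle add chain=prerouting in-interface=pppoe-out1 \
    src-address=2001:db8:85a3::/64 connection-state=new \
    action=mark-connection new-connection-mark=NO-WG passthrough=yes \
    comment="reply-path pin: connection came in on PPPoE"

# 2. Route-mark the REPLY direction of those connections. mark-routing only
#    takes effect in prerouting/output (before the routing decision); in the
#    forward chain it is too late. passthrough=yes so the queue rule below
#    still sees these packets.
/ipv6/firewall/mangle add chain=prerouting connection-mark=NO-WG \
    dst-address=2001:db8:85a3::/64 \
    action=mark-routing new-routing-mark=NO-WG passthrough=yes \
    comment="reply-path pin: use NO-WG table"

# 3. Existing queue packet-mark rule (assumed name QUEUE-WAN), placed AFTER the
#    route-mark rule so its passthrough=no cannot short-circuit rule 2.
/ipv6/firewall/mangle add chain=prerouting connection-mark=NO-WG \
    action=mark-packet new-packet-mark=QUEUE-WAN passthrough=no \
    comment="queueing mark"

# In the NO-WG table the remote /64 points at PPPoE instead of wg-srv.
# Gateway given as the point-to-point interface (assumed acceptable for the
# PPPoE link; use its link-local next hop if your link needs one).
/ipv6/route add dst-address=2001:db8:85a3::/64 gateway=pppoe-out1 \
    routing-table=NO-WG comment="reply-path pin"

# Checks: rule counters, marked connections, and the table contents.
/ipv6/firewall/mangle print stats where comment~"reply-path pin"
/ipv6/firewall/connection print detail where connection-mark=NO-WG
/ipv6/route print where routing-table=NO-WG
```

If counters on rule 2 stay at zero while rule 1 counts, the reply packets are not passing prerouting with the connection mark (wrong chain or rule order), which is the symptom the second post describes.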
