Zipdots
just joined
Topic Author
Posts: 10
Joined: Mon Jan 16, 2023 4:10 pm

Using fasttrack with mangle

Mon Jan 16, 2023 4:44 pm

Hello!

I'm trying to route traffic to some resources through a VPN, but I'm having trouble marking connections with fasttrack enabled.
I'm sure this question has already been asked, but I couldn't find a solution on the forum, sorry.

At the moment I have an additional routing table (RM-VPN):
/routing table
add disabled=no fib name=RM-VPN

And the VPN route that redirects the traffic:
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard routing-table=RM-VPN suppress-hw-offload=no

And also the mangle rules:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=CM-VPN passthrough=yes
add action=add-dst-to-address-list address-list=VPN-list address-list-timeout=none-dynamic chain=prerouting connection-mark=\
    CM-VPN log=yes protocol=tcp tls-host=whatismyipaddress.com
add action=mark-routing chain=prerouting dst-address-list=VPN-list new-routing-mark=RM-VPN passthrough=no
add action=mark-connection chain=prerouting connection-mark=CM-VPN new-connection-mark=no-mark passthrough=yes

The problem is that I want to keep the fasttrack for traffic that is not routed through the VPN in order to reduce the load on the router, and also use mangle marking.

With the fasttrack turned off, this works fine, but with it - incorrectly.

Can you tell me if it's possible to achieve what I want? Thanks in advance.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Using fasttrack with mangle

Mon Jan 16, 2023 7:34 pm

Can you describe what you are attempting to mangle.
In other words what comprises your vpn address list ( one user, two users how many, is it one subnet, various users across various subnets)???
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using fasttrack with mangle

Tue Jan 17, 2023 12:04 am

 
Zipdots
just joined
Topic Author
Posts: 10
Joined: Mon Jan 16, 2023 4:10 pm

Re: Using fasttrack with mangle

Tue Jan 17, 2023 9:09 am

> Can you describe what you are attempting to mangle.
> In other words what comprises your vpn address list ( one user, two users how many, is it one subnet, various users across various subnets)???
I will try to describe my idea in more detail.

I have a route through my ISP for the default routing table, and a route through my VPN server for the "RM-VPN" routing table:
[screenshot: routing table]

For all clients on my subnet (this is my home router, only my computer and TV connected via LAN and a few devices connected via Wi-Fi), I want to change the default route to a VPN route for certain resources (for example, whatismyipaddress.com).

And so, I have a mangle rule to pre-mark all connections as CM-VPN (maybe not the best idea, so I'm here):
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=CM-VPN passthrough=yes

Mangle rule to add a resource to the address list if its TLS host is whatismyipaddress.com:
/ip firewall mangle add action=add-dst-to-address-list address-list=VPN-list address-list-timeout=none-dynamic chain=prerouting connection-mark=CM-VPN log=yes protocol=tcp tls-host=whatismyipaddress.com

Mangle rule for marking the route of those resources whose IP address is in the "VPN-list" address list with passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=VPN-list new-routing-mark=RM-VPN passthrough=no

As well as a rule that returns the "no-mark" marking to those connections on which the previous rule did not work:
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=CM-VPN new-connection-mark=no-mark passthrough=yes

With fasttrack turned off, this whole chain works correctly (I see a change in my IP address to whatismyipaddress.com, as well as bytes / packets in the mangle rules):
[screenshots: mangle rule counters with fasttrack disabled]

But with the fasttrack enabled, the mangle rules for adding to the address list and marking the route do not work out, and I cannot fully understand why:
[screenshot: mangle rule counters with fasttrack enabled]

P.S. I noticed that the route marking rule works with fasttrack enabled (but sometimes the connection drops), if I add the IP address of the resource to the list of addresses manually, but the rule of adding to the list of addresses by host TLS, which I need, does not work:
[screenshot]
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Using fasttrack with mangle

Tue Jan 17, 2023 2:31 pm

Yeah, best if sindy handles this one, you have a layer of complication I do not understand how to solve.
 
Zipdots
just joined
Topic Author
Posts: 10
Joined: Mon Jan 16, 2023 4:10 pm

Re: Using fasttrack with mangle

Tue Jan 17, 2023 2:46 pm

Dear sindy!
I read your post and tried to reproduce your settings for my needs, but nothing worked out for me :(

Current mangle:
/ip firewall mangle
add action=accept chain=prerouting connection-mark=no-mark connection-state=established,related
add action=accept chain=prerouting connection-state=established,related in-interface=ether1
add action=mark-routing chain=prerouting connection-mark=CM-VPN new-routing-mark=RM-VPN passthrough=no
add action=mark-connection chain=prerouting connection-state=new dst-address-list=VPN-list new-connection-mark=CM-VPN \
    passthrough=yes
add action=accept chain=prerouting connection-state=established,related in-interface=ether1
add action=mark-routing chain=prerouting connection-mark=CM-VPN new-routing-mark=RM-VPN passthrough=yes

And firewall filters:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Accept SSH and Winbox connection" disabled=yes dst-port=22,8291 in-interface-list=WAN \
    protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

Address list:
Flags: D - DYNAMIC
Columns: LIST, ADDRESS, CREATION-TIME
#   LIST      ADDRESS                CREATION-TIME       
0   VPN-list  whatismyipaddress.com  jan/17/2023 17:40:27
;;; whatismyipaddress.com
1 D VPN-list  104.16.154.36          jan/17/2023 17:40:27
;;; whatismyipaddress.com
2 D VPN-list  104.16.155.36          jan/17/2023 17:40:27

For now I'm trying to do it without automatically adding to the address list (I added the IP address of the resource manually), and I get ERR_CONNECTION_TIMED_OUT in my browser.

Did I do something wrong?
Last edited by Zipdots on Wed Jan 18, 2023 11:09 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using fasttrack with mangle

Tue Jan 17, 2023 9:35 pm

> Current mangle:
The very first mangle rule shadows all the subsequent ones, so no connection-mark is ever assigned. I assume connection-state=!new is missing in that rule?
 
Zipdots
just joined
Topic Author
Posts: 10
Joined: Mon Jan 16, 2023 4:10 pm

Re: Using fasttrack with mangle

Wed Jan 18, 2023 11:06 am

> Current mangle:
> The very first mangle rule shadows all the subsequent ones, so no connection-mark is ever assigned. I assume connection-state=!new is missing in that rule?
Yes, connection-state=!new is missing from this rule, because it already has connection-state=established,related
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using fasttrack with mangle

Wed Jan 18, 2023 11:12 am

> connection-state=!new is missing from this rule, because it already has connection-state=established,related
Yes, sorry, I don't know where I was looking. I'll go through that again later today.
 
Zipdots
just joined
Topic Author
Posts: 10
Joined: Mon Jan 16, 2023 4:10 pm

Re: Using fasttrack with mangle

Wed Jan 18, 2023 11:33 am

I see some connections being marked, but I still get ERR_CONNECTION_TIMED_OUT from a resource in the address list
[screenshot: mangle rule counters]
 
Zipdots
just joined
Topic Author
Posts: 10
Joined: Mon Jan 16, 2023 4:10 pm

Re: Using fasttrack with mangle

Mon Jan 23, 2023 4:55 pm

Any help?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using fasttrack with mangle

Mon Jan 23, 2023 5:37 pm

The statistics show that you have marked 6 outgoing connections and translated the connection-mark to routing-mark for them, but they don't show any responses coming in via ether1.

So what are the routes and nat rules? I.e. did those 6 initial packets leave via ether1, and did they get src-nated to its address?
 
Zipdots
just joined
Topic Author
Posts: 10
Joined: Mon Jan 16, 2023 4:10 pm

Re: Using fasttrack with mangle

Wed Jan 25, 2023 9:44 am

> The statistics shows that you have marked 6 outgoing connections and translated the connection-mark to routing-mark for them, but it doesn't show any responses to come via ether1.
>
> So what are the routes and nat rules? I.e. did those 6 initial packets leave via ether1, and did they get src-nated to its address?
Oh, it seems that this is my problem, the incoming interface of my VPN Wireguard is not the same as ether1.

I changed in-interface from "ether1" to "wireguard" in the accept rule, and made sure that the resource added to the address list is redirected into the VPN correctly.

My Mangle rules at the moment:
/ip firewall mangle
add action=accept chain=prerouting connection-mark=no-mark connection-state=established,related
add action=accept chain=prerouting connection-state=established,related in-interface=wireguard
add action=mark-routing chain=prerouting connection-mark=CM-VPN new-routing-mark=RM-VPN passthrough=no
add action=mark-connection chain=prerouting connection-state=new dst-address-list=VPN-list new-connection-mark=CM-VPN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CM-VPN new-routing-mark=RM-VPN passthrough=yes

However, my original idea was to mark connections/populate the list of addresses based on the host address (because the IP address of the host sometimes changes).

I tried changing the rule:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address-list=VPN-list new-connection-mark=CM-VPN passthrough=yes

To the rule:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=CM-VPN passthrough=yes protocol=tcp tls-host=whatismyipaddress.com

But it didn't work.
[screenshot: mangle rule counters]

Tell me, is this possible? Or is it easier to fill the list of addresses through a script?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using fasttrack with mangle

Wed Jan 25, 2023 8:59 pm

You cannot use matching on tls-host to affect routing because if NAT is involved (which is your case), all packets of the same TCP session must take the same route, so the "final" (and only) route has to be chosen already for the initial packet of that session whereas the TLS host information is carried by one of the first payload packets, i.e. the fourth and above packet of the TCP session.

What should be possible with recent versions of RouterOS, but I couldn't make it work in 7.7 although it could be configured in 7.6 as a minimum, is to use a regular expression in the "static" DNS configuration to indicate an address-list to which the IP addresses found in the DNS response to a query matching that regular expression should be added. For it to work, the clients have to use the Mikrotik as their DNS server.

Yet another possibility is to use the fqdns in question as the address values of rows of /ip firewall address-list, but in this case, no wildcards can be used.

Regardless of which way of translating fqdn to address-list items you use, there's always a potential surprise, as many services serve multiple fqdns from the same set of IP addresses, e.g. if you add google.com to an address-list that way, connections to youtube.com will most likely match that list as well.
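Putting the thread together: the tls-host approach in the opening post cannot work once fasttrack is on, for two independent reasons. First, as sindy explains above, with NAT the route is fixed on the first packet of a session, and the TLS ClientHello carrying the SNI is the fourth or later packet. Second, in the original rule set every non-VPN connection is reset to no-mark after its first packet, so by the time the ClientHello arrives the connection is established, matches the defconf fasttrack rule, and fasttracked packets bypass the mangle chains entirely; the tls-host rule never sees them, which is exactly the zero counter in the screenshots. The configuration below is an added example, not the poster's final config nor an official MikroTik one: it combines the mangle ordering the thread converged on with the DNS-based list population sindy suggests. Assumptions: WAN is ether1, the tunnel interface is named "wireguard", the upstream resolver is 1.1.1.1, the VPN server does not route your LAN subnet back (hence masquerade on the tunnel), and the "address-list" and "match-subdomain" options of /ip dns static are available (RouterOS 7.6 or newer).

```routeros
# Added example (not from the thread): selective routing through WireGuard with
# fasttrack kept for everything else. Interface names, resolver and the
# /ip dns static options are assumptions, see the lead-in.

# 1. Separate routing table and a default route through the tunnel (as in the thread).
/routing table
add name=RM-VPN fib

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=RM-VPN

# 2. Populate VPN-list from DNS answers instead of tls-host. The router must be the
#    clients' resolver, otherwise nothing is ever added. allow-remote-requests also
#    answers queries from WAN, so keep the defconf "drop all not coming from LAN"
#    input rule in place.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip dns static
add name=whatismyipaddress.com match-subdomain=yes type=FWD forward-to=1.1.1.1 address-list=VPN-list

# Alternative without wildcards: an FQDN as the address-list entry; RouterOS resolves it
# and maintains the dynamic entries (this is what the thread's address-list print shows).
# /ip firewall address-list add list=VPN-list address=whatismyipaddress.com

# 3. Mangle, same order as the working set from the thread: unmarked established traffic
#    and replies arriving from the tunnel skip the marking rules; new connections to a
#    listed destination get CM-VPN, and every packet of a CM-VPN connection gets the
#    routing mark. Only the first packet decides the route, which is why the mark
#    must be based on the destination address, not on anything in the TLS payload.
/ip firewall mangle
add chain=prerouting action=accept connection-mark=no-mark connection-state=established,related
add chain=prerouting action=accept connection-state=established,related in-interface=wireguard
add chain=prerouting action=mark-routing connection-mark=CM-VPN new-routing-mark=RM-VPN passthrough=no
add chain=prerouting action=mark-connection connection-state=new dst-address-list=VPN-list new-connection-mark=CM-VPN passthrough=yes
add chain=prerouting action=mark-routing connection-mark=CM-VPN new-routing-mark=RM-VPN passthrough=yes

# 4. Fasttrack only unmarked connections. A fasttracked packet skips mangle and filter,
#    so any connection that still has to hit mangle (the CM-VPN ones) must be excluded;
#    the defconf rule does that with connection-mark=no-mark, keep it that way.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-mark=no-mark connection-state=established,related hw-offload=yes
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

# 5. Source NAT on both exits (assumption: the VPN server does not route the LAN subnet).
#    This is the check sindy asked for: the initial packets must leave via the tunnel
#    AND be src-nated, or the replies have no way back and the browser times out.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=masquerade out-interface=wireguard
```

To verify, open the site from a LAN client and check that the name resolution produced dynamic entries and that the session was marked rather than fasttracked: `/ip firewall address-list print where list=VPN-list`, `/ip firewall connection print where connection-mark=CM-VPN`, and `/ip firewall mangle print stats` (the mark-connection counter should advance by one per new session, the mark-routing counters by one per packet). Sindy's last caveat applies in full here: the two addresses in the thread's list (104.16.154.36, 104.16.155.36) belong to a CDN front end shared by many unrelated sites, so any other site served from those addresses will also be routed through the tunnel.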
