MrSerio
newbie
Topic Author
Posts: 25
Joined: Tue Feb 15, 2022 10:17 pm

Dynamic interface address in mangle rule

Wed Mar 29, 2023 5:02 pm

Is there a (correct) way to define an interface address or subnet similarly to how this is done in EdgeOS/VyOS by selecting the interface or network address in a firewall rule?
Context:
We have a customer with a dynamic IP, and we'd like to mangle packets/connections destined to the router's IP address (which is dynamic on that interface). Is there a way similar to how this is done in VyOS or EdgeOS with RouterOS? Or is a DHCP client script a work-around that adds the assigned IP to an address list?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dynamic interface address in mangle rule

Wed Mar 29, 2023 5:35 pm

Yes!
 
MrSerio
newbie
Topic Author
Posts: 25
Joined: Tue Feb 15, 2022 10:17 pm

Re: Dynamic interface address in mangle rule

Wed Mar 29, 2023 9:46 pm

Do you have an example script how this can be done?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dynamic interface address in mangle rule

Thu Mar 30, 2023 1:01 am

State the requirement more clearly; mangling is a tool, it is not a reason.
A config pops from requirements, not the other way round.
What is the traffic issue you are facing?
 
MrSerio
newbie
Topic Author
Posts: 25
Joined: Tue Feb 15, 2022 10:17 pm

Re: Dynamic interface address in mangle rule

Thu Mar 30, 2023 4:04 pm

Context:
This site has 2 WANs; failover is configured by utilizing gateway distance and gateway check. We want to monitor both connections from our monitoring server (by simply pinging them, to see when one of the connections drops). The problem now is that we're unable to ping the connection/IP in failover (standby) state, as the replies are sent from the interface that is in the active state (with the source IP of the failover/standby interface, weirdly enough). We want to utilize a mangle rule to mark packets coming IN on this interface so that these are routed back through the same interface.
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: Dynamic interface address in mangle rule

Thu Mar 30, 2023 4:45 pm

So you are saying that the secondary ISP for example is not pingable because Primary 1 WAN is up? More accurately the supposition is that the router attempts to answer ping out WAN1 and thus the response is not from the expected IP and dropped at your end. ( or something like that ).

The quick answer is to mangle any incoming on both wans, assign connection marks and then routing marks and then routes and tables to ensure any traffic coming in on a WAN goes out the same WAN.

Tables:
/routing table
add fib name=viaISP1
add fib name=viaISP2

Mangles
/ip firewall mangle
# Set 1: connection-mark everything that enters on a WAN, once, on the first packet
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
# Set 2: forwarded packets of those connections get the matching routing mark.
# Prerouting only covers traffic the router forwards; replies the router itself
# generates (ICMP echo replies, Winbox, SSH) pass chain=output instead.
add action=mark-routing chain=prerouting connection-mark=WAN1 \
    new-routing-mark=viaISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2 \
    new-routing-mark=viaISP2 passthrough=no

/ip route
# WAN1 / WAN2 stand for the ISP gateways (an IP address, or an interface name on PPPoE/point-to-point links)
add dst-address=0.0.0.0/0 distance=5 gateway=WAN1 check-gateway=ping comment="standard route"
add dst-address=0.0.0.0/0 distance=10 gateway=WAN2 comment="standard route (failover)"
add dst-address=0.0.0.0/0 distance=1 gateway=WAN1 routing-table=viaISP1 comment="route for external return traffic to go back out WAN1"
add dst-address=0.0.0.0/0 distance=1 gateway=WAN2 routing-table=viaISP2 comment="route for external return traffic to go back out WAN2"

Additional step, to keep fasttrack available for all other traffic, modify the forward chain rule to
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=no-mark connection-state=established,related
 
MrSerio
newbie
Topic Author
Posts: 25
Joined: Tue Feb 15, 2022 10:17 pm

Re: Dynamic interface address in mangle rule

Thu Apr 06, 2023 7:58 pm

I've finally gotten the chance to try the above, but as soon as I enable the mangle rules, my routes start flapping. My OSPF session that runs over a tunnel interface flaps as well. I've even configured the mangle rules to only work for ICMP traffic (for testing), but no difference.
 
MrSerio
newbie
Topic Author
Posts: 25
Joined: Tue Feb 15, 2022 10:17 pm

Re: Dynamic interface address in mangle rule

Wed Apr 12, 2023 10:27 pm

I've tried the following now:
/ip firewall mangle
add action=mark-packet chain=input comment=\
    "Mark incoming packets on ISP2 as ISP2-in" in-interface=ether2 \
    new-packet-mark=ISP2-wan-ip passthrough=yes protocol=icmp
add action=mark-connection chain=input comment=\
    "Mark incoming connections on ISP2 as ISP2-in" new-connection-mark=\
    ISP2 packet-mark=ISP2-wan-ip passthrough=yes
add action=route chain=prerouting comment=\
    "Packets with ISP2 mark to ISP2 routing table" connection-mark=\
    ISP2 log=yes log-prefix=ISP2 passthrough=yes route-dst=ISP2.gateway.IP
I've tried the last rule using both "route" and mark-routing (to the routing table with only the default GW for ISP 2); however, this doesn't work, as it appears the router doesn't know where to output the packet. The counters do count up, so the rules are hit/executed as expected.
ISP2 prerouting: in:ether2 out:(unknown 0), connection-mark:ISP2 connection-state:established src-mac 3c:5e:c3xxxx, proto ICMP (type 8, code 0), Ext.Src.Ip.Addr->ISP2.ip.addr, len 84
To sum up: I need ICMP replies to be sent out the same interface they were received from, so I can monitor the backup/slave connection in a failed-over configuration.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dynamic interface address in mangle rule  [SOLVED]

Wed Apr 12, 2023 11:32 pm

Well, to ensure incoming WAN1 and incoming WAN2 go out the same interface, there are two specific sets of mangling rules. (Why do you have protocol on one of the rules??)
Chain is PREROUTING, not INPUT!!


Set 1 - Add connection-marks to traffic coming in on WANs
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=WAN2 passthrough=yes


Set 2 - Ensure output traffic goes out the route it came in on, based on connection marks and the assigned routing mark (table).
# ether1-mark and ether2-mark must exist as routing tables (/routing table add fib name=...),
# each holding a default route via that WAN's gateway
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=ether1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=ether2-mark passthrough=yes
 
MrSerio
newbie
Topic Author
Posts: 25
Joined: Tue Feb 15, 2022 10:17 pm

Re: Dynamic interface address in mangle rule

Wed Apr 12, 2023 11:41 pm

Thanks @anav,
This finally works:
/ip firewall mangle
# 1. packet-mark ICMP arriving on ISP2
add action=mark-packet chain=prerouting comment=\
    "Mark incoming packets on ISP2 as ISP2-in" in-interface=ether2 \
    new-packet-mark=ISP2-wan-ip passthrough=yes protocol=icmp
# 2. promote the packet mark to a connection mark so the reply direction is matched too
add action=mark-connection chain=prerouting comment=\
    "Mark incoming packets on ISP2 as ISP2-in" new-connection-mark=\
    ISP2 packet-mark=ISP2-wan-ip passthrough=yes
# 3. router-generated replies of those connections are routed through table ISP2
#    (a routing table named ISP2 with a default route via the ISP2 gateway must exist)
add action=mark-routing chain=output comment=\
    "Packets with ISP2 mark to ISP2 routing table" connection-mark=\
    ISP2 log-prefix=ISP2 new-routing-mark=ISP2 passthrough=yes
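A consolidated version of what 404Network's post and the configuration above arrive at, as an added example that is not any poster's configuration: both WANs handled symmetrically, the routing tables the marks refer to, the output-chain rule that moves router-generated replies (the reason the input/prerouting attempts earlier in the thread did not work), and an input-chain rule so that only the monitoring host can ping the WAN addresses. The interface names ether1/ether2, the gateways 203.0.113.1 and 198.51.100.1, the monitoring host 192.0.2.10 and the interface lists WAN and LAN are assumptions; RouterOS v7 syntax.

```routeros
# Added example, not from the thread. Assumed: ether1 = ISP1, ether2 = ISP2,
# gateways 203.0.113.1 / 198.51.100.1, monitoring host 192.0.2.10,
# interface lists WAN and LAN already exist. RouterOS v7 syntax.

# 1. One extra routing table per WAN; each holds only a default route via that WAN.
/routing table
add fib name=viaISP1
add fib name=viaISP2

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=5 check-gateway=ping comment="ISP1, primary"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=10 check-gateway=ping comment="ISP2, failover"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=viaISP1 comment="replies to traffic that arrived on ISP1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=viaISP2 comment="replies to traffic that arrived on ISP2"

# 2. Remember on which WAN a connection arrived (first packet only).
/ip firewall mangle
add chain=prerouting in-interface=ether1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1 passthrough=yes comment="arrived on ISP1"
add chain=prerouting in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2 passthrough=yes comment="arrived on ISP2"
# 3. Router-generated replies (ICMP echo reply, SSH, Winbox, ...) only pass chain=output,
#    so the routing mark for them has to be set there; input/prerouting never sees them.
add chain=output connection-mark=WAN1 action=mark-routing new-routing-mark=viaISP1 passthrough=yes
add chain=output connection-mark=WAN2 action=mark-routing new-routing-mark=viaISP2 passthrough=yes
# 4. Optional: forwarded replies from LAN hosts (port-forwards) take the same path back.
#    Restricted to LAN ingress so packets arriving from a WAN are never re-routed.
add chain=prerouting in-interface-list=LAN connection-mark=WAN1 \
    action=mark-routing new-routing-mark=viaISP1 passthrough=yes
add chain=prerouting in-interface-list=LAN connection-mark=WAN2 \
    action=mark-routing new-routing-mark=viaISP2 passthrough=yes

# 5. The default input chain drops unsolicited WAN traffic. Let only the monitoring host
#    send echo requests to the WAN addresses, placed above the final input drop rule.
/ip firewall filter
add chain=input action=accept protocol=icmp icmp-options=8:0 src-address=192.0.2.10 \
    in-interface-list=WAN comment="monitoring host may ping both WAN addresses" \
    place-before=[:pick [find chain=input action=drop] 0]

# 6. Keep fasttrack for everything that is not policy-routed.
/ip firewall filter set [find action=fasttrack-connection] connection-mark=no-mark

# Verification while ISP1 is active: echo replies to 192.0.2.10 should leave ether2,
# and the WAN2 / viaISP2 mangle counters should increase with every probe.
# /tool sniffer quick interface=ether2 ip-protocol=icmp
# /ip firewall mangle print stats
```

The source-address restriction in step 5 matters because the whole point of the exercise is to make both WAN addresses answer pings; without it, the standby address becomes a reachability oracle for anyone on the internet, not just for the monitoring server. Step 4 is the only prerouting mark-routing rule, and it is tied to LAN ingress on purpose: marking routing on packets that arrive from a WAN sends them through a table that holds nothing but a default route.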
 
baburao6560
just joined
Posts: 1
Joined: Thu Apr 13, 2023 10:53 am

Re: Dynamic interface address in mangle rule

Thu Apr 13, 2023 10:54 am

We have a customer with a dynamic IP, and we'd like to mangle packets/connections destined to the router's IP address (which is dynamic on that interface). Is there a way similar to how this is done in VyOS or EdgeOS with RouterOS? Or is a DHCP client script a work-around that adds the assigned IP to an address list?
 
MrSerio
newbie
Topic Author
Posts: 25
Joined: Tue Feb 15, 2022 10:17 pm

Re: Dynamic interface address in mangle rule

Fri Apr 14, 2023 6:52 pm

We have a customer with a dynamic IP, and we'd like to mangle packets/connections destined to the router's IP address (which is dynamic on that interface). Is there a way similar to how this is done in VyOS or EdgeOS with RouterOS? Or is a DHCP client script a work-around that adds the assigned IP to an address list?
That was my original question, still pending an answer on that one!
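The original question, matching the router's own DHCP-assigned address without hard-coding it, gets no answer in the thread. Two ways to do it in RouterOS, as an added example that is none of the posters' configuration: a dst-address-type=local match, which needs no script at all, and the DHCP-client script the first post asks about, which mirrors the current lease into an address list. ether2 as the DHCP-client WAN, the list name wan2-self and the connection-mark name are assumptions.

```routeros
# Added example, not from the thread. Assumed: ether2 is the DHCP-client WAN and the
# address list wan2-self is not used for anything else. RouterOS v7 syntax.

# Option 1: no script. dst-address-type=local matches any address the router currently
# holds, so together with in-interface it means "sent to ether2's own address,
# whatever the lease happens to be right now".
/ip firewall mangle
add chain=prerouting in-interface=ether2 dst-address-type=local connection-mark=no-mark \
    action=mark-connection new-connection-mark=to-router-via-ISP2 passthrough=yes \
    comment="traffic addressed to the router on ISP2, address-agnostic"

# Option 2: keep an address list in sync with the lease. Install the script body below as
#   /ip dhcp-client set [find interface=ether2] script="<body>"
# The DHCP client hands the script $bound (1 on bind, 0 on release/expiry),
# $interface and $"lease-address".
# ---- script body ----
:local listName "wan2-self"
# always start from an empty list so a stale address never lingers after a renumber
/ip firewall address-list remove [find list=$listName]
:if ($bound = 1) do={
    /ip firewall address-list add list=$listName address=$"lease-address" \
        comment=("DHCP lease on " . $interface)
    :log info ("address-list " . $listName . " = " . $"lease-address")
} else={
    :log warning ("lease on " . $interface . " lost, address-list " . $listName . " emptied")
}
# ---- end of script body ----

# Rules then reference the list (alternative to the option 1 rule, not in addition to it):
/ip firewall mangle
add chain=prerouting in-interface=ether2 dst-address-list=wan2-self connection-mark=no-mark \
    action=mark-connection new-connection-mark=to-router-via-ISP2 passthrough=yes \
    comment="traffic addressed to the router on ISP2, via the scripted list"
```

Option 1 is the one to reach for first: it has no moving parts and cannot go stale between a lease change and the script running. Option 2 is useful when the address is needed elsewhere too, for example as a source match or in an export to another device. The DHCP-client script runs with full policy rights, and everything the DHCP server sends is input from the ISP segment; $"lease-address" is typed as an IP address, but other lease options should be treated as data, never spliced into commands.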
