Mikrotik - Mangle question

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Mikrotik - Mangle question

chevrolux

4962 posts

Uber Geek
Inactive user

#148776 30-Jun-2014 21:18

Just a quick one that maybe someone on here knows the answer to - this forum is a bit more friendly than Mikrotiks.

I have my routing that has two PPPoE WAN interfaces on it. Lets say they are pppoe-wan1 & pppoe-wan2

The first interface (pppoe-wan1) is just for the entire network (192.168.2.0/24), the other (pppoe-wan2) I just want one host (192.168.2.250) to go out over it.

From reading, and from my general thoughts, I thought it would be fairly simple and did the following....

- Create Mangle rule.
- Chain: prerouting, src address: 192.168.2.250
- Action: mark routing, new routing mark: server_host

- Create second 'default' route but only for marked traffic.
- dst address: 0.0.0.0/0
- gateway: pppoe-wan2
- routing mark: server_host

- Add another NAT masquerade rule to NAT single host to the second gateway
- Chain: src nat
- Src addr: 192.168.2.250
- Out int: pppoe-wan2
- Action: masquerade

Now the issue I am seeing is that as soon as I enable the Mangle rule I loose connectivity to the host. When I try to load the web page on the server I see the packet counters go up by the Mangle rule so it is obviously matching packets. But, as I mentioned, I never actually get connectivity to it unless the mangle rule is disabled.

Any one got any pointers and where I am going wrong? Going a bit mad reading different wiki's and forum posts!

1 | 2

320 posts

Ultimate Geek

#1078038 1-Jul-2014 16:08

Hi Sam,

Where are you testing from? ie. where do you lose connection from? The internet or local network?

chevrolux

4962 posts

Uber Geek
Inactive user

#1078064 1-Jul-2014 16:49

The local network looses connection to the server. Can't ping from a local machine or from the router itself, but only when the mangle rule is enabled. Haven't actually tested from the server yet.... will have another fiddle tonight.

My understanding of a routing mark is that it doesn't actually do anything to the packet itself and is only usable within routeros, but maybe it is screwing something up deeper.

nbroad

320 posts

Ultimate Geek

#1078111 1-Jul-2014 17:43

I'm not near a computer at the moment to look (on my phone at the pub) but in the mangle rule is there something to do with next action or something that should be set to forward?

chevrolux

4962 posts

Uber Geek
Inactive user

#1078113 1-Jul-2014 17:48

The 'action' in mangle is to simply mark the packet with a routing mark. There is a 'passthrough' checkbox but I have tried that both ticked and unticked and makes no difference.

kiwirock

685 posts

Ultimate Geek

#1078123 1-Jul-2014 18:01

I would be more inclined to just create an ip-->route-->rules for the 192.168.2.250/32 address to use a seperate route table, and that route table have a different default route address, or interface. Unless you want 192.168.2.250 to use the default route on the main table but only a single route entry for the server IP address to use the pppoe2 interface.

Or would that not work?

You'd still need to use masquerade if your PPPoE is on the public Internet but I don't see why you'd need to use mangle.

nbroad

320 posts

Ultimate Geek

#1078124 1-Jul-2014 18:06

Passthrough was the option I was thinking of

insane

3240 posts

Uber Geek

ID Verified

Trusted

#1078125 1-Jul-2014 18:08

chevrolux:

Now the issue I am seeing is that as soon as I enable the Mangle rule I loose connectivity to the host

But that's what a hide NAT does, it only allows outbound connections. From the server you'll be able to initiate outbound connections just fine.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

kiwirock

685 posts

Ultimate Geek

#1078126 1-Jul-2014 18:10

Just another thought. I've had problems when I have had a default route set to a specific interface rather than specify the nexthop IP address.

kiwirock

685 posts

Ultimate Geek

#1078128 1-Jul-2014 18:12

insane:
chevrolux:

Now the issue I am seeing is that as soon as I enable the Mangle rule I loose connectivity to the host

But that's what a hide NAT does, it only allows outbound connections. From the server you'll be able to initiate outbound connections just fine.

Ah I miss understood the problem. You'd need to create a port mapping too. I didn't realise you're talking about accessing 192.168.2.250 from the Internet not the other way around.

nbroad

320 posts

Ultimate Geek

#1078132 1-Jul-2014 18:28

No he loses connection from the local LAN, from a host on the same subnet

chevrolux

4962 posts

Uber Geek
Inactive user

#1078139 1-Jul-2014 18:44

kiwirock:
insane:
chevrolux:

Now the issue I am seeing is that as soon as I enable the Mangle rule I loose connectivity to the host

But that's what a hide NAT does, it only allows outbound connections. From the server you'll be able to initiate outbound connections just fine.

Ah I miss understood the problem. You'd need to create a port mapping too. I didn't realise you're talking about accessing 192.168.2.250 from the Internet not the other way around.

It's not NAT that I am having issues with. I fully understand what masquerade does and it isn't access from internet that is the issue.

The issue I have is this mangle rule is mucking things up internally. Supposedly the packet should just get marked and move on but that's not happening.

I feel like the issue is probably with the route tables and it might be a case of just going through each step (again!) and checking everything is in place.

chevrolux

4962 posts

Uber Geek
Inactive user

#1078167 1-Jul-2014 19:07

Right, just did some tests from the server.

When I enable the mangle rule I have connectivity from the server to the internet AND it is even going out over the correct WAN (pppoe-wan2). Tested this just by doing a traceroute. The really weird thing is I can't ping the local gateway yet it shows up in the traceroute.

I think the issue I have is totally up to the routing table and not the the actual mangle rule.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1078188 1-Jul-2014 19:55

Multiple PPPoE clients are just a mess because of the default route issue. I only configure multiple IPs via static IP addresses and offer this to my customers, it's a far simpler option and means you just need a simple masquerade rules to easily route traffic based on a source IP with the correct public IP and you're away.

LennonNZ

2459 posts

Uber Geek

ID Verified

Trusted

#1078215 1-Jul-2014 20:51

I have similar set up and used it for a long time (but I use it to send my TV's IP Address out via a StrongVPN Connection instead of the normal internet connection for Netflix)
. Reading your post it seems "ok" but double check...

- set up 2 interfaces
- set up NAT rule for both interfaces (srcnat out wan1 -> MASQ, and srcnat out wan2 -> MASQ)
- set up default gateway out the 1st connection (make sure you can swap it over to the 2nd one and it works as well)
- set up default gateway out the 2nd but make sure its set routing mark to be called say "server"
- set up Mangle - Prerouting - src_addr (of the server) - action mark routing to new routing mark to "server" and make sure Passthough is enabled

One thing to note.. make sure you are running the latest version of software (system packages) _AND_ are running the latest firmware (System, Routerboard) or things can go strangely/not work. people forget a lot of the time to upgrade their firmware when upgrading their software.

chevrolux

4962 posts

Uber Geek
Inactive user

#1078236 1-Jul-2014 21:09

LennonNZ: I have similar set up and used it for a long time (but I use it to send my TV's IP Address out via a StrongVPN Connection instead of the normal internet connection for Netflix)
. Reading your post it seems "ok" but double check...

- set up 2 interfaces
- set up NAT rule for both interfaces (srcnat out wan1 -> MASQ, and srcnat out wan2 -> MASQ)
- set up default gateway out the 1st connection (make sure you can swap it over to the 2nd one and it works as well)
- set up default gateway out the 2nd but make sure its set routing mark to be called say "server"
- set up Mangle - Prerouting - src_addr (of the server) - action mark routing to new routing mark to "server" and make sure Passthough is enabled

One thing to note.. make sure you are running the latest version of software (system packages) _AND_ are running the latest firmware (System, Routerboard) or things can go strangely/not work. people forget a lot of the time to upgrade their firmware when upgrading their software.

Yep that's exactly what I have. Been through each step so many times. At this point I am fairly convinced it is the routing tables that are the issue.

And yes, running ROS 6.15 & 3.10 firmware - TBH though only did that upgrade yesterday due to the same thought process you had that maybe an old version had an issue.

1 | 2