When TCP connections are taking long or even not complete then think of MTU problems. For that I have the following rule in Mange:

Code: Select all

add action=change-mss chain=forward comment="WireGuard & IKEv2 Sync" in-interface-list=PMTU-IN log-prefix=MSS new-mss=clamp-to-pmtu \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1232-65535

The PMTU-IN interface list contains the gateways that I want to be handled by this rule.

P.S. I am still open to suggestions how to solve this "address list-based routing" task more efficiently.

Keep in mind, changing MTU may not have an immediate effect... Connections are tracked and devices have caches of PMTUD. And also setting too low have introduce new problems.
But with @msatter this sounds like MTU issue, someplace...

Might want to post your full config. Still could be firewall, but if it was working before...mangle hasn't changed much since V6 so not my first guess here.

You state re-transmissions then the question is your network sending out the request, or the other side because it did not got an acknowledgement from you?

Secondly did you see any traffic hitting the MTU rule I gave? With this one you don't need to state a wished MTU and it will adapt to the MTU size the destination is able to handle.

Thirdly, if the other side is answering on a related IP address you are then sending out through the main gateway. This is not very likely.

As last, I connection mark traffic that should go through the VPN so I can see in connection tracking the connection. You routing mark traffic based on an address-list so there it is not needed keep connection marking active after debugging.

Another difference between v6 and v7 is that in v7 a routing mark (in IPv4) makes the router do only lookups in the specified table.
In v6 it was just a hint, and other routing rules and the main table were still in use. Not in v7.
So your alternative routing table must be complete. You may need to copy routes from the main table to the second routing table, or you may need to adapt your mangle rule to exclude certain cases form the routing mark (e.g. local addresses).

Also, make sure you don't have the "fasttrack" rule enabled, as this method of route mangle will NOT work with fasttrack enabled.
Disable or remove the fasttrack rule in the forward chain, and reboot the router.

just add connection-mark=no-mark to fastrack rule............

/ip/firewall/filter> add action=fasttrack-connection routing-mark=!to-vpn in-interface=!vpn chain=forward