Mangle & Routing RoS 7

dline · Wed Dec 18, 2024 4:30 pm

Hello everybody!

I have RouterOS 7.17rc3 (try latest OS)
Main aim of router is NAT and routing traffic

Router have 1 default route via ether1 (static route) and 1 VPN connection
My task is: Router traffic to listed resources (dynamic changes with dns) via VPN connection

All work fine if setup Route Rule and set src_ip & routing table.
But if I want to use Mangle (src_address list, dst_address list) - it is now work.

How to fix is?

My current config is:

[dline-local@r-nat.dl-net.ru] > /export
# 2024-12-18 17:26:13 by RouterOS 7.17rc3
# system id = XxmLaV5VF4G
#

/ip vrf
add disabled=yes interfaces=vpn-de name=openai
/routing table
add disabled=no fib name=VPN

/ip firewall address-list
add address=api.openai.com list=route_to_vpn


/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=route_to_vpn log=yes log-prefix="MARK CONNECTION OUT" new-connection-mark=conn-VPN
add action=mark-routing chain=prerouting connection-mark=conn-VPN connection-state="" dst-address-list=route_to_vpn log=yes log-prefix="MARK ROUTE OUT" new-routing-mark=VPN \
    passthrough=no
add action=mark-connection chain=prerouting in-interface=vpn-de log=yes log-prefix="MARK CONN IN" new-connection-mark=incoming-VPN
add action=mark-routing chain=prerouting connection-mark=incoming-VPN in-interface=vpn-de log=yes log-prefix="MARK ROUTE IN" new-routing-mark=main passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="OUT (Mangle)" log=yes log-prefix="NAT MANGLE" out-interface=vpn-de
add action=src-nat chain=srcnat comment=OUT dst-address=!10.0.0.0/8 log-prefix="NAT REG" out-interface=public src-address-list=!dedicated-white-ip to-addresses=white_ip

/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=white_ip pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.20.0.0/16 gateway=10.20.1.65 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=20 dst-address=0.0.0.0/0 gateway=192.168.41.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 vrf-interface=vpn-de
add disabled=no dst-address=0.0.0.0/0 gateway=vpn-de routing-table=VPN suppress-hw-offload=no
add disabled=no distance=1 dst-address=1.0.0.1/32 gateway=vpn-de pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

My logs:


r-nat: MARK CONNECTION OUT prerouting: in:nat out:(unknown 0), connection-state:new src-mac 42:fa:40:e4:85:ac, proto TCP (SYN), 10.20.5.154:46153->172.66.0.243:443, len 60

r-nat: MARK ROUTE OUT prerouting: in:nat out:(unknown 0), connection-mark:conn-VPN connection-state:new src-mac 42:fa:40:e4:85:ac, proto TCP (SYN), 10.20.5.154:46153->172.66.0.243:443, len 60

r-nat: VPN NAT LOG srcnat: in:nat out:vpn-de, connection-mark:conn-VPN connection-state:new src-mac 42:fa:40:e4:85:ac, proto TCP (SYN), 10.20.5.154:46153->172.66.0.243:443, len 60

r-nat: MARK CONN IN prerouting: in:vpn-de out:(unknown 0), connection-mark:conn-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

r-nat: MARK ROUTE IN prerouting: in:vpn-de out:(unknown 0), connection-mark:incoming-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

r-nat: MARK CONNECTION OUT prerouting: in:nat out:(unknown 0), connection-mark:incoming-VPN connection-state:established,snat src-mac 42:fa:40:e4:85:ac, proto TCP (SYN), 10.20.5.154:46153->172.66.0.243:443, NAT (10.20.5.154:46153->192.168.41.50:46153)->172.66.0.243:443, len 60

r-nat: MARK ROUTE OUT prerouting: in:nat out:(unknown 0), connection-mark:conn-VPN connection-state:established,snat src-mac 42:fa:40:e4:85:ac, proto TCP (SYN), 10.20.5.154:46153->172.66.0.243:443, NAT (10.20.5.154:46153->192.168.41.50:46153)->172.66.0.243:443, len 60

r-nat: MARK CONN IN prerouting: in:vpn-de out:(unknown 0), connection-mark:conn-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

r-nat: MARK ROUTE IN prerouting: in:vpn-de out:(unknown 0), connection-mark:incoming-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

r-nat: MARK CONN IN prerouting: in:vpn-de out:(unknown 0), connection-mark:incoming-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

r-nat: MARK ROUTE IN prerouting: in:vpn-de out:(unknown 0), connection-mark:incoming-VPN connection-state:established,snat proto TCP (SYN,ACK), 172.66.0.243:443->192.168.41.50:46153, NAT 172.66.0.243:443->(192.168.41.50:46153->10.20.5.154:46153), len 60

dline · Sat Dec 21, 2024 5:28 pm

Can anybody help me?

anav · Sat Dec 21, 2024 6:12 pm

I would if I could instead what you were rambling about. I have no clue as to what you are trying to accomplish.

a. identify users/devices, groups of users/devices, including external and internat and admin
b. identify what traffic each needs
c. identify any vpn traffic or port fowarding traffic
d. discuss WANS how many types, static/dynamic, public private, purpose.... and usage of each
e. network diagram helpful.
f. full config not snippets.

Mangle & Routing RoS 7

Mangle & Routing RoS 7

Re: Mangle & Routing RoS 7

Re: Mangle & Routing RoS 7