<ask> POLICY BASED ROUTING v7.12.1 (mangle or raw on ax2)

help me please

My plan is to split traffic and do failover (policy based routing using an ax2 on v7.12.1)
isp-1 = game, whatsapp and zoom
isp-2 = youtube
isp-3 = facebook and tiktok
isp-4 = other than above

Which is more EFFICIENT and LOW CPU using firewall MANGLE or firewall RAW?
Thank You

Firewall raw rules have nothing to do with policy routing.

You cannot direct traffic for applications using the mikrotik router
You can direct users, subnets, vlans etc
You can elect to share all wans or some with some users etc…

Which is more EFFICIENT and LOW CPU using firewall MANGLE or firewall RAW?
For example, I use ip firewall mangle to learn the WhatsApp IPs and route them to isp-1:

/ip firewall mangle
# 1) mark LAN connections whose payload contains "whatsapp"
add action=mark-connection chain=prerouting content=.whatsapp. \
    dst-address-list=!address-local new-connection-mark=whatsapp-c \
    passthrough=yes src-address-list=address-local
# 2) learn the destination IP of each marked connection into an address list (1 day timeout)
add action=add-dst-to-address-list address-list=address-whatsapp \
    address-list-timeout=1d chain=prerouting connection-mark=whatsapp-c \
    dst-address-list=!address-local-filter src-address-list=\
    address-local-filter
# 3) route any traffic to a learned WhatsApp address through the isp-1 table
add action=mark-routing chain=prerouting dst-address-list=address-whatsapp \
    new-routing-mark=isp-1 passthrough=no

I use ip firewall raw to learn the WhatsApp IPs:

/ip firewall raw
# learn the destination IP of LAN packets whose payload contains "whatsapp"
# (raw runs before connection tracking, so no connection mark is available here)
add action=add-dst-to-address-list address-list=address-whatsapp \
    address-list-timeout=1d chain=prerouting content=.whatsapp. \
    dst-address-list=!address-local-filter src-address-list=\
    address-local-filter


So, what do I have to do?

Which is more EFFICIENT and LOW CPU using firewall MANGLE or firewall RAW?

First, I have to leave aside the “why” question here — QoS/queues would be the more typical way to control traffic BEFORE using multiple ISPs. And we assume “efficient” means CPU usage, NOT bandwidth utilization (e.g. if there is no Facebook etc. traffic, a WAN is “wasted”). Some odd choices to start, so ignoring that reality…

Since you can’t avoid connection tracking — which is likely the more intensive part here — I don’t think it matters much if you do some processing in RAW. The idea behind RAW is to AVOID the more expensive connection tracking, which you cannot do here since mangle is needed to mark connections. And CPU usage for the add-dst-to-address-list operation is going to be the SAME regardless of whether it runs in RAW or mangle.

What problems are you seeing that you think you need to use RAW to solve?

Thanks for your response, Mr Amm0.
I am sorry, my understanding of English is not good.
Why do I use multiple ISPs?
Because in my location every ISP has its own advantages; for example ISP-A is good for games and WhatsApp, but not good for streaming like YouTube, TikTok etc.

I think by combining several ISPs you can get maximum results
isp-1 = game, whatsapp and zoom
isp-2 = youtube
isp-3 = facebook and tiktok
isp-4 = other than above

Which is more EFFICIENT and LOW CPU using firewall MANGLE or firewall RAW?


/ip firewall mangle
add action=mark-connection chain=prerouting content=.whatsapp. \
    dst-address-list=!address-local new-connection-mark=whatsapp-c \
    passthrough=yes src-address-list=address-local

or

/ip firewall raw
add action=add-dst-to-address-list address-list=address-whatsapp \
    address-list-timeout=1d chain=prerouting content=.whatsapp. \
    dst-address-list=!address-local-filter src-address-list=\
    address-local-filter

My bahasa isn’t good either. Just be aware this is NOT a fool-proof scheme, since there are a lot of domains/IPs etc involved in these services… so some of social media traffic (WAN1-3 here) is going to escape to default WAN.

There isn’t an “or” in the above — those lines do different things, so you likely need BOTH. You can add hosts to the address-list in RAW if you want. But they still need to be marked in the mangle. So you need BOTH lines – the first marks the connection (presumably… for an unknown routing rule that’s not shown).

But you really should NOT need a RAW rule, and using them is NOT going to be any quicker, which is the answer to your question. I’d really recommend you get this working without RAW first. And then look to see what can be optimized AFTER it’s working. For example, perhaps, using different chains and action=jump – that’s a way to avoid some rules being evaluated. But the same operation/rule is going to use the same CPU, regardless of where it is in the firewall.

Maybe post a config if you’re having trouble.
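For readers following this thread, here is an added example (not Amm0's or the original poster's config) of the mangle-only layout the reply describes: a jump chain so the per-service lookups run once per connection, a routing mark derived from the connection mark, and per-table routes with failover to ISP-4. Interface names (bridge-lan, ether1..ether4), the 203.0.113.x gateways, and the address lists address-whatsapp / address-youtube / address-social (assumed to be populated elsewhere, e.g. by the add-dst-to-address-list rules above) are assumptions.

```routeros
# Added example, not from the thread. Assumed names: bridge-lan is the LAN,
# ether1..ether4 are the ISP-1..ISP-4 uplinks, gateways 203.0.113.1-4, and the
# address-* lists are filled by rules like the ones posted above.
/interface list add name=LAN
/interface list member add list=LAN interface=bridge-lan

# v7: a routing mark must be the name of a FIB routing table
/routing table add name=isp-1 fib
/routing table add name=isp-2 fib
/routing table add name=isp-3 fib

# one default route per table plus a higher-distance failover via ISP-4;
# check-gateway=ping withdraws a route when that uplink stops answering
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=isp-1 distance=1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.4 routing-table=isp-1 distance=2 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.2 routing-table=isp-2 distance=1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.4 routing-table=isp-2 distance=2 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.3 routing-table=isp-3 distance=1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.4 routing-table=isp-3 distance=2 check-gateway=ping
# main table: ISP-4 carries "other than above"
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.4 distance=1 check-gateway=ping

/ip firewall mangle
# only NEW LAN connections to non-local destinations enter the pbr chain,
# so the three address-list lookups run once per connection, not per packet
add chain=prerouting action=jump jump-target=pbr in-interface-list=LAN \
    connection-state=new dst-address-type=!local
add chain=pbr action=mark-connection dst-address-list=address-whatsapp \
    new-connection-mark=isp-1-c passthrough=no
add chain=pbr action=mark-connection dst-address-list=address-youtube \
    new-connection-mark=isp-2-c passthrough=no
add chain=pbr action=mark-connection dst-address-list=address-social \
    new-connection-mark=isp-3-c passthrough=no
# every packet of a marked flow gets its routing mark from the connection mark
add chain=prerouting action=mark-routing in-interface-list=LAN \
    connection-mark=isp-1-c new-routing-mark=isp-1 passthrough=no
add chain=prerouting action=mark-routing in-interface-list=LAN \
    connection-mark=isp-2-c new-routing-mark=isp-2 passthrough=no
add chain=prerouting action=mark-routing in-interface-list=LAN \
    connection-mark=isp-3-c new-routing-mark=isp-3 passthrough=no

# source NAT per uplink so replies return on the ISP that sent the packet
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masquerade
add chain=srcnat out-interface=ether4 action=masquerade
```

Because the address lists are learned from packet payload, the first connection to a not-yet-listed address still leaves via the default (ISP-4) route and only later connections to that address are steered, which is the "not fool-proof" behaviour the reply warns about.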

I apologize, I made a mistake in writing the code above; it should be like below.

Which is more EFFICIENT and LOW CPU using firewall MANGLE or firewall RAW?


/ip firewall mangle
add action=add-dst-to-address-list address-list=address-whatsapp \
    address-list-timeout=1d chain=prerouting content=.whatsapp. \
    dst-address-list=!address-local-filter src-address-list=\
    address-local-filter

or

/ip firewall raw
add action=add-dst-to-address-list address-list=address-whatsapp \
    address-list-timeout=1d chain=prerouting content=.whatsapp. \
    dst-address-list=!address-local-filter src-address-list=\
    address-local-filter