[ASK] What is a chain?

Sorry, I am a newbie in MikroTik RouterOS.

I read the manual here: http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php

What I don't understand is chains...

In mangle I would like to mark connections with a chain. I would like to know how chains work in mangle and in marking connections. What is the difference between passthrough=yes and passthrough=no, and what happens if I make 2 marks in the same chain? Are they related somehow???

Can somebody please explain... or hopefully give some examples...


And thanks very much in advance. :)

If you add mangle rules, then they are executed one after another; that is a chain.

You can create another row (chain) of rules and then jump to that chain of mangle rules, which will execute one after another.

passthrough means whether the packet will be passed to the next rule or will leave mangle; if passthrough=no the packet will leave mangle.

Thanks for the reply janisk,

Your explanation gives me a new idea, but it is still blurry... here is an example:

I have 3 interfaces
Public → is for internet connection to my ISP
Ether1 → My network 1 (192.168.1.0)
Ether2 → My network 2 (192.168.100.0)

I have 2 networks masqueraded to the internet (Public):

;;; Masquerade Network #1
chain=srcnat src-address=192.168.1.0/24 action=masquerade

;;; Masquerade Network #2
chain=srcnat src-address=192.168.100.0/24 action=masquerade

And then I activated the web proxy and redirect to it:
14 chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=3128

15 chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=3128

16 chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=3128

17 chain=dstnat protocol=tcp dst-port=8088 action=redirect to-ports=3128

Then I read a post (I forgot where I found it) about how to mark download traffic:

1 ;;; Connection Mark
chain=forward src-address=192.168.100.0/24 action=mark-connection new-connection-mark=test-conn passthrough=yes

2 ;;; Straight Down Traffic
chain=forward in-interface=Public connection-mark=test-conn action=mark-packet new-packet-mark=test-down-straight passthrough=no

3 ;;; Down traffic via Web Proxy
chain=output dst-address=192.168.100.0/24 protocol=tcp src-port=3128 action=mark-packet new-packet-mark=test-down passthrough=no

Now the questions are:

  1. How does rule #1 ("Connection Mark") relate to rule #2 (Straight Down Traffic) and rule #3 (Down traffic via Web Proxy)?
     In my understanding, rule #1 marks packets originating from my network (192.168.100.0) to the public, and rules #2 and #3 mark download traffic from the public.
     How can download traffic be marked from a mark that comes from the upload traffic?
     I guess this has something to do with masquerading and the forward chain,
     but how??
     I don't get the logic and sequence.

  2. Why is passthrough=yes in rule #1???

  3. Why is passthrough=no in rule #2???

  4. Why is passthrough=no in rule #1???


     Overall, I don't get the logic and sequence of those rules...


     I am very new at this, sorry for asking so much...

First, I am a newbie as well...

I can give you one example...

If you have two network ports, one is LAN, the other is WAN,
then you must set it up in mangle...

Chains have five kinds (forward, prerouting, postrouting, input, output).
Actually, I usually use "prerouting" for the chain...
That chain means you set the rule where you want to do the action...
For example, I want HTTP port traffic to go to the LAN, so I must catch the HTTP port at prerouting...
So I will set:
Chain: prerouting
Protocol: 6 (tcp)
Dst. Port: 80
Action: mark routing
New Routing Mark: http
Passthrough: yes

That is set in mangle... and if you want the HTTP port traffic to go to the LAN,
you must do the IP -> Route setting...
The setting is:
IP -> Route -> Rules
Routing Mark: http
Interface: lan
Action: lookup
Table: http

IP -> Route
You must add one gateway on the LAN interface.
In the LAN's gateway...
Destination: 0.0.0.0/0
Gateway: 1.2.3.4 (ex)
Mark: http

If you do all these actions, that's OK...

Sorry, my English is so bad... so maybe you can't understand what I mean..
I am sorry...

kiwi0428

Thanks for replying...

IP -> Route -> Rules <- I can't find this package on my router. Are you sure this is not a mistype, or do I have to install an additional package???

Yes... actually Rules is under IP -> Route.

Route List has two pages: one is Routes, the other is Rules.

The tool I use is "Winbox"...

My English is so poor... I am very sorry...

For a better understanding of the chain concept, see the packet flow:
http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php

Here you can see how a packet travels through RouterOS and, if you set up some rule, where you are applying that rule.

The easiest example of chains can be made in the firewall, as there are usually a lot of rules, and you have to use chains to speed up packet processing and to better understand which rules are doing what.

For example, I have firewall rules with chain=incoming; those are rules that protect the router.

Then I have an ICMP chain that processes ICMP packets and replies. I am jumping to that chain from input and from forward, so I have the same policy for how I process ICMP packets.

Also I have a chain "viruses" where I filter out the most popular malware ports.

And if the last rule of a chain is reached, then packets are forwarded back to the chain where they originated; if it is one of the default chains (like input or forward), then the packet goes to the next stage.

But if you know that the packet is already ready to leave the chain, you accept it (in the firewall) or set passthrough=no, so packets that meet the requirements are pushed to the next stage.

This applies to every chain in RouterOS.

I see... but I use the masquerade method for communication between my internal network and the public; you can see it in my previous reply. Can you please explain it to me???

It's okay with your English, I completely understand, and since my English is bad too... kekekeke... I have lots of friends speaking English in your style; most of them used to study in Singapore... we call it "Singlish", Singapore English... (no offence) it's true...

As you can see in my post, I already read http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php and I still don't understand completely.

Can you please explain it to me based on my example? I really appreciate your time and effort...

Once again, very many thanks in advance... :)

Do not do that:

15 chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=3128

as it is already the port you need; why try to redirect it once more?

And if you have any prior knowledge about networking, here are good links to read about features in ROS:
mangle:
http://www.mikrotik.com/testdocs/ros/2.9/ip/mangle.php

NAT:
http://www.mikrotik.com/testdocs/ros/2.9/ip/nat.php

Thanks to you, I will correct that mistake...

Anything more about how (logic/sequence) the forward chain can mark download packets, as in the example above, will be very helpful...

Once again, thanks a lot janisk.

OK... actually you have three interfaces...
If you want to use masquerade, you will set it up in
IP -> Firewall -> NAT
You must add a rule...
Chain: srcnat
Action: masquerade

That's all...

Because when you do that, your src. address will be masqueraded...
and you don't care which interface it goes out of...

Oh... really? My style... ha ha ha... actually I live in Taiwan... and you? I went to Singapore's neighbour, "Malaysia", last year...
Thank God... you understand my English... so cool... ha ha... thanks...

kiwi0428

Yesss... I already masquerade my connections from the start (before I posted my problem).

Looks like we have a misunderstanding here. I don't want to mark my connections from routes (I am already masquerading).

I already have an example of how to mark download traffic (you can read it in my example above); I copied it from some site. I just don't know how those rules in mangle work (the sequence and logic), and about the chain too, especially the forward chain it uses.

This is frustrating me... I invited an expert to my place today, let's see how he can help me. I'll let you guys know how it goes later.

And oh yeahh.. I live in Jakarta, Indonesia. Nice to know you.
:)

I am very sorry... I really misunderstood your problem...
Sorry... maybe I can explain your problem...
In rule one, Connection Mark:
why do that first? Because it just takes the forward src. address and makes it a connection, so forward means passthrough of the src. address. And passthrough is set to yes, because you mark the connection the first time, so you must set passthrough=yes first.

In rule two, Straight Down...
That just takes rule one's connection, on the input packet. Maybe you will ask why do that? Actually you could just do rule 2's action too. If you do rule one, that will not miss packets. And passthrough=no in rule 2, because you already set it up in rule one, so you don't set it up again...

In rule three, Down traffic via Web Proxy:
the answer is like rule two of your question.
You can focus on new-packet-mark=test-down...
but I don't think rule 3 is set up right.
Maybe for new-packet-mark you can designate new ones.
And that name=test-down, you should set up in Packet Mark (IP -> Mangle -> General).

I hope my explanation can help you... but anyway... good luck...
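The three mangle rules posted earlier in this thread, together with janisk's description of chains, jumps and passthrough, as an added example that is not from the thread, from MikroTik, or from any of the posters: a small Python model of how mangle walks its rules, with just enough connection tracking to show why a reply arriving on Public is matched by the connection mark set by the upload. The rule semantics stated in the docstring, the extra user chain "other-down" (added only to show jump and return), and the constructed addresses (203.0.113.5 is a documentation address) are my assumptions; a real router is configured under /ip firewall mangle, not with Python.

```python
"""Toy model of how RouterOS mangle walks its rules (added example, not RouterOS code).
Assumed netfilter-style semantics, which RouterOS mangle is built on:
- rules in a chain run top to bottom; a rule fires only if every matcher applies;
- mark-* with passthrough=yes goes on to the next rule; passthrough=no ends
  mangle processing for that packet at this hook;
- action=jump enters a user chain; falling off its end returns after the jump;
- a connection mark lives on the conntrack entry, so reply packets of the flow
  (same 5-tuple, reversed) see the mark set by the flow's first packet.
NAT is left out: conntrack undoes masquerade before forward sees a reply, so
the LAN addresses below are what the rules really compare.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_iface: str                    # "" for packets the router itself sends
    packet_mark: Optional[str] = None


def flow_key(p: Packet) -> tuple:
    """Direction-independent key: a reply maps to the same conntrack entry."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


def rule_matches(rule: dict, p: Packet, conntrack: dict) -> bool:
    checks = {
        "src-address": lambda v: ipaddress.ip_address(p.src) in ipaddress.ip_network(v),
        "dst-address": lambda v: ipaddress.ip_address(p.dst) in ipaddress.ip_network(v),
        "in-interface": lambda v: p.in_iface == v,
        "protocol": lambda v: p.proto == v,
        "src-port": lambda v: p.sport == v,
        "dst-port": lambda v: p.dport == v,
        "connection-mark": lambda v: conntrack.get(flow_key(p)) == v,
    }
    return all(checks[k](v) for k, v in rule.get("match", {}).items())


def run_chain(rules: list, chain: str, p: Packet, conntrack: dict, trace: list) -> str:
    """Evaluate `chain` for p. Returns "stop" when a passthrough=no rule fired
    (mangle is finished with the packet), else "end" (fell off the chain)."""
    for r in (r for r in rules if r["chain"] == chain):
        if not rule_matches(r, p, conntrack):
            continue
        trace.append(f"{chain}: {r['comment']}")
        if r["action"] == "jump":
            if run_chain(rules, r["jump-target"], p, conntrack, trace) == "stop":
                return "stop"
            continue                             # user chain ended: next rule
        if r["action"] == "mark-connection":
            conntrack[flow_key(p)] = r["new-connection-mark"]
        elif r["action"] == "mark-packet":
            p.packet_mark = r["new-packet-mark"]
        if not r.get("passthrough", True):
            return "stop"
    return "end"


# The thread's three rules, plus a jump into a user chain "other-down" (added
# here to show jump and return) that marks every other download from Public.
RULES = [
    {"chain": "forward", "comment": "Connection Mark", "match": {"src-address": "192.168.100.0/24"},
     "action": "mark-connection", "new-connection-mark": "test-conn", "passthrough": True},
    {"chain": "forward", "comment": "Straight Down Traffic",
     "match": {"in-interface": "Public", "connection-mark": "test-conn"},
     "action": "mark-packet", "new-packet-mark": "test-down-straight", "passthrough": False},
    {"chain": "forward", "comment": "jump to other-down", "match": {"in-interface": "Public"},
     "action": "jump", "jump-target": "other-down"},
    {"chain": "other-down", "comment": "Other Down Traffic", "match": {},
     "action": "mark-packet", "new-packet-mark": "other-down", "passthrough": True},
    {"chain": "output", "comment": "Down traffic via Web Proxy",
     "match": {"dst-address": "192.168.100.0/24", "protocol": "tcp", "src-port": 3128},
     "action": "mark-packet", "new-packet-mark": "test-down", "passthrough": False},
]


def demo() -> dict:
    """Send four constructed packets through RULES; return (packet mark, trace) each."""
    conntrack: dict = {}

    def send(chain: str, p: Packet) -> tuple:
        trace: list = []
        run_chain(RULES, chain, p, conntrack, trace)
        return p.packet_mark, trace

    return {
        # first packet of a flow from network 2: only the connection gets marked
        "up": send("forward", Packet("192.168.100.10", "203.0.113.5", "tcp", 40000, 443, "Ether2")),
        # its reply on Public: the flow already carries test-conn, so rule 2 marks
        # the packet, and passthrough=no keeps the jump rule below from running
        "down": send("forward", Packet("203.0.113.5", "192.168.100.10", "tcp", 443, 40000, "Public")),
        # a reply for network 1: no connection mark, rule 2 is skipped, the jump
        # runs the user chain and control returns to forward when it ends
        "other": send("forward", Packet("203.0.113.5", "192.168.1.20", "tcp", 443, 40001, "Public")),
        # the proxy's answer is generated by the router itself, so output sees it
        "proxy": send("output", Packet("192.168.100.1", "192.168.100.10", "tcp", 3128, 40002, "")),
        "marks": dict(conntrack),           # what connection tracking remembers
    }
```

The "down" entry of demo() is the answer to question 1 in the thread: rule #2 fires on the reply not because the packet itself carries anything, but because the connection-tracking entry created by the upload already holds test-conn, and the reply belongs to that same tracked connection regardless of masquerade. passthrough=yes on rule #1 lets the first packet continue down the chain after its connection is marked; passthrough=no on rule #2 is why nothing after it (here the jump rule) ever sees the marked reply, which is exactly the "leave mangle" behaviour janisk describes.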