Bug or normal ? dynamic rules appears winbox but not in CLI

hgb · February 3, 2011, 8:49pm

Hello everyone , I want to mark the packets using hotspot packet marking option in winbox, I marked the packets with “normal” mark and the dynamic rules appears in winbox list as follows :

But when I check from the CLI its not there !

Also no hits at all for the rule , is because of chain=hotspot ! when I do make another one with chain=preroute it does get hits ..
Also the dynamic rules for the /ip firewall filter appears in winbox but not in the CLI !

Is that normal ? I did reboot the router twice but the same results ..

RoS V 4.16

Greetings ..

changeip · February 3, 2011, 9:04pm

try “print all where dynamic” and see waht happens…

Hello,

print command in firewall does not show dynamic rules.
You have to write “print all where dynamic”

Regards,
Maris

mrz · February 3, 2011, 9:05pm

/ip firewall filter print all

if you want only dynamic
/ip firewall filter print dynamic

hgb · February 4, 2011, 10:59am

Yah sorry for the noob and thanks for the fast helping

The second problem now , why does the dynamic mangle rules in the chain=hotspot doesn't get hits !? if the chain=prerouting it does get hits ..

what I want simply is to mark packets for each profile group, so later to traffic shape them and give the managers group more bandwidth and priority for example ...

everything is the default till now didn't make any strange modifications but here is the firewall nat and mangle configs :

[admin@MikroTik] /ip hotspot user profile> print
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1
     outgoing-packet-mark="normal" transparent-proxy=yes open-status-page=always advertise=no

 1   name="Managers" idle-timeout=none keepalive-timeout=2m20s status-autorefresh=1m shared-users=1
     outgoing-packet-mark="high" transparent-proxy=no

 2   name="Normal_Users" idle-timeout=none keepalive-timeout=2m30s status-autorefresh=1m shared-users=1
     outgoing-packet-mark="normal" transparent-proxy=no

[admin@MikroTik] /ip firewall filter> print all
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth

 1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth

 2 D chain=input action=jump jump-target=hs-input hotspot=from-client

 3 I chain=hs-input action=jump jump-target=pre-hs-input

 4 D chain=hs-input action=accept protocol=udp dst-port=64872

 5 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875

 6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth

 7 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp

 8 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited

 9 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited

10 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

[admin@MikroTik] /ip firewall nat> print all
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client

 1 I chain=hotspot action=jump jump-target=pre-hotspot

 2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53

 3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53

 4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80

 5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443

 6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth

 7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth

 8 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80

 9 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128

10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080

11 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443

12 I chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25

13 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http

14 I chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25

15 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

16   chain=srcnat action=masquerade src-address=192.168.0.0/24

[admin@MikroTik] /ip firewall mangle> print all
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=hotspot action=mark-packet new-packet-mark=normal passthrough=yes dst-address=192.168.0.10

Greetings ...

hgb · February 4, 2011, 2:10pm

Ok this one solved for now, I placed the marking in the postrouting chain manually, and I removed the dynamic marking based on the ip address from the hotspot user-profile packet-marking feature, and I did use the addres-list instead for each user-profile " the users are going to get to be put into the specific user profile based on their group in active directory returning attribute #3 Mikrotik-group and the address-list can be set manually or get returned from the IAS also using attribute #19 Mikrotik-address-list "

Using the address-list to mark all the group using one rule is much better for the performance ofcourse than making one dynamic rule for every ip address automatically from hotspot marking feature ..

But just I am curious why does the dynamic packet-marking in user-profile not working ??

To be continued …

fewi · February 4, 2011, 2:37pm

I’ve never used the packet mark option on a profile but from looking at what you posted you found a bug. Look at the filter and NAT rules - as you’d expect the first dynamic rules jump into the chains that do the actual work. Packets don’t magically go through special chains, you have to jump there first. The mangle rule that gets installed is the only dynamic rule, and it is in the Hotspot chain. Nothing ever jumps into that chain so the rule never gets hit. Out of curiosity try adding an inbound packet chain and see if it has the same problem. Also talk to support about this as I do believe this is a bug.

That said, the address list solution you’re now using instead isn’t just a workaround, it’s the better approach. Think about it in terms of rules. If you use marks directly there are two rules for each user. Each one requires several comparisons, and a packet for a user that has his rule at the bottom of the pile is going to take a lot of processing. The more users you get, the worse the router will perform. Address list lookups do get more expensive the bigger the address list gets, but there is far less of a penalty. You always only look at two rules (one in, one out) and on one of the quantifiers get more expensive with more users. That scales much, much better. Address lists can also get reused for other purposes.

hgb · February 4, 2011, 9:16pm

The mangle rule that gets installed is the only dynamic rule, and it is in the Hotspot chain. Nothing ever jumps into that chain so the rule never gets hit.

Yes exactly I thought it is by design mangled in the hotspot chain, and yes no way to reach it with the default dynamic rules by the hotspot script modifications. there is an option to choose the filter chain in the user-profile section I thought it may place my rules in the selected chain but didn’t, dynamic mangle rules still placed in the hotspot chain.
The winbox also when I try to change some stuff in the user-profile and do apply->ok I still found them from the cli, specially the packet-marking no matter what couldn’t change it back till I did from the CLI, so thought that everything is messed up around me

the address list solution you’re now using instead isn’t just a workaround, it’s the better approach.

yes exactly :

Using the address-list to mark all the group using one rule is much better for the performance ofcourse than making one dynamic rule for every ip address automatically from hotspot marking feature ..

I will keep looking and I will contact mikrotik support too ..