Can “PREROUTING = FORWARD + INPUT” and “FORWARD + OUTPUT = POSTROUTING” be used to count mangle packets?

fzinfz · November 23, 2016, 5:09pm

While reading http://mum.mikrotik.com/presentations/HR13/valens.pdf page 17:

I suspected following formulas should work when counting mangle packets:

PREROUTING = FORWARD + INPUT
FORWARD + OUTPUT = POSTROUTING

So I created following mangle rules based on default interface config on RB750Gr3 to count WAN download traffic:

/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=ether1 new-packet-mark=WAN_IN_prerouting passthrough=yes
add action=mark-packet chain=input in-interface=ether1 new-packet-mark=WAN_IN_input passthrough=yes
add action=mark-packet chain=forward in-interface=ether1 new-packet-mark=WAN_IN_forward passthrough=yes
add action=mark-packet chain=output new-packet-mark=output_TO_LAN out-interface=ether2-master passthrough=yes
add action=mark-packet chain=postrouting new-packet-mark=postrouting_TO_LAN out-interface=ether2-master passthrough=yes

And the result I got was:

[admin@MikroTik] /ip firewall mangle> print stats
Flags: X - disabled, I - invalid, D - dynamic 
 #    CHAIN                                                         ACTION                            BYTES         PACKETS
 0  D ;;; special dummy rule to show fasttrack counters
      prerouting                                                    passthrough               2 546 162 852       4 072 518
 1  D ;;; special dummy rule to show fasttrack counters
      forward                                                       passthrough               2 546 162 852       4 072 518
 2  D ;;; special dummy rule to show fasttrack counters
      postrouting                                                   passthrough               2 546 162 852       4 072 518
 3    prerouting                                                    mark-packet                   5 197 305          35 655
 4    input                                                         mark-packet                     678 103           8 855
 5    forward                                                       mark-packet                   2 984 371          18 497
 6    output                                                        mark-packet                  66 288 850          73 511
 7    postrouting                                                   mark-packet                  69 293 559          92 129

postrouting 92 129 packets is quite close to forward+ output (18 497 + 73 511 = ) 92008 packets, with only 1.3 per thousand missing.
But prerouting 35655 packets is far more than input + forward (8 855 + 18 497 =) 27352 packets, which indicates the formula above should be wrong.

Then I started downloading a file, but the Rate and Bytes in firewall also didn’t match the interface Tx rate and actual downloaded Bytes:

Did I create the wrong rules? Where were the missing packets?
I am new to networking and thanks for help in advance.

andriys · November 23, 2016, 7:28pm

Disable fasttrack and check again.

fzinfz · November 24, 2016, 7:44am

After disabling Fast Path/fasttrack in IP Settings, it works as expected. Thanks!

[admin@MikroTik] /ip firewall mangle> print stats
Flags: X - disabled, I - invalid, D - dynamic 
 #    CHAIN                                                                 ACTION                            BYTES         PACKETS
 0  D ;;; special dummy rule to show fasttrack counters
      prerouting                                                            passthrough                           0               0
 1  D ;;; special dummy rule to show fasttrack counters
      forward                                                               passthrough                           0               0
 2  D ;;; special dummy rule to show fasttrack counters
      postrouting                                                           passthrough                           0               0
 3    prerouting                                                            mark-packet               2 127 412 112       1 574 291
 4    input                                                                 mark-packet                     186 121           1 585
 5    forward                                                               mark-packet               2 126 971 323       1 571 224
 6    output                                                                mark-packet                  99 579 613         104 051
 7    postrouting                                                           mark-packet               2 226 567 562       1 675 377

It’s 99.9% close to “PREROUTING = INPUT + FORWARD” and “FORWARD + OUTPUT = POSTROUTING” formulas.
I can do further Queues testing now, but I think it would be better if someone could tell where are the missing packets, just for studying purpose.