Confused with PASSTHROUGH YES/NO in Mangle

I have been following a guide in the forum as well as on YouTube to set up Queue Tree QOS. Everything is working, I just don’t quite understand passthrough completely.

Aim:

  1. To split overall bandwidth to: hotspot (higher priority and bandwidth) and office downloads (lower priority and bandwidth).
  2. Within each, further split the type of packets into: http browsing (highest priority), Youtube & Netflix (middle priority), all other downloads (mid-low priority) and Torrent (lowest priority).

The only point of confusion is whether:
A. I have set up the PASSTHROUGH = YES/NO correctly in my mangle rules, and whether
B. My rule ordering is correct, specifically between 5 to 8. Happy for other errors to be corrected as well.


The Mangle rules I have set up:

  1. Mark Connection > fwd > In Interface List = WAN > Dst. Address List = HOTSPOT VLAN > Mark Conn = con.hotspot.dw > Passthrough = YES

  2. Mark Connection > fwd > In Interface List = WAN > Dst. Address List = OFFICE VLAN > Mark Conn = con.office.dw > Passthrough = YES

  3. Mark Connection > fwd > Out Interface List = WAN > Mark Conn = con.all.up > Passthrough = YES

  4. Mark Packet > fwd > Conn Mark = con.hotspot.dw (#1) > Mark Packet = pk.hotspot.dw > Passthrough = YES

  5. Mark Packet > fwd > Pk Mark = pk.hotspot.dw (#4) > L7 Protocol = Torrent > Mark Packet = pk.hotspot.p2p.dw > Passthrough = NO

  6. Mark Packet > fwd > Pk Mark = pk.hotspot.dw (#4) > L7 Protocol = Youtube & Netflix > Mark Packet = pk.hotspot.video.dw > Passthrough = NO

  7. Mark Packet > fwd > Pk Mark = pk.hotspot.dw (#4) > Prot = tcp > Port = 80,443 > Connection Bytes = 0-10M > Mark Packet = pk.hotspot.httpbrowsing.dw > Passthrough = NO

  8. Mark Packet > fwd > Pk Mark = pk.hotspot.dw (#4) > Prot = tcp > Mark Packet = pk.hotspot.other.dw > Passthrough = NO

  9. Mark Packet > fwd > Conn Mark = con.office.dw (#2) > Mark Packet = pk.office.dw > Passthrough = YES
    10-13. Same as 5-8, but for office.

  10. Mark Packet > fwd > Conn Mark = con.all.up (#3) > Mark Packet = pk.all.up > Passthrough = NO


Unfortunately I have to travel a long way to attend a Mikrotik training session, so I am trying to do as much as I can based on forums and guides before I attend one.

Thank you

If a rule/line is matching and the Passthrough is NOT marked for that line then the rest of the lines are skipped in Mangle.
If a rule/line is matching and the Passthrough is marked then the next line is processed. If that line or a later line is also matching then the value is overwritten if that was the same on the previous matched line.

So Passthrough = NO and rule/line matches then processing is Mangle ready for that chain. If Passthrough = YES then just carry on till the last rule/line in the chain if not stopped by a later Passthrough = NO. The Chain in your setup is FWD (forward).

Videos are nice but the Wiki is the best source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle

passthrough (yes|no; Default: yes) 
whether to let the packet to pass further (like action passthrough) into firewall or not (property only valid some actions).

Thank you. I’ve read and understood all that.

The clarification I need is, and I should have been clearer on this, whether the PASSTHROUGH=NO in Packet Marking Rules 5-8 stops Packet Marking Rule 9 from processing.

It shouldn’t, since Packet Marking Rule 9 is based on a different connection mark than Packet Rules 5-8. Is this correct?

Passthrough only matters if a packet matches a rule. It basically asks the question: “If a packet matches this rule, should I continue scanning?”

So, if a packet matches a rule and passthrough=no then it stops at that rule and uses that packet mark.

If it matches a rule and passthrough=yes then it continues scanning down the list of mangle rules for another rule that matches a more specific criteria. If it matches the second rule, it uses the packet mark of the second rule. If it doesn’t match another rule, it uses the mark of the first rule.

The way you set up passthrough is correct. Because traffic from office vlan has a different connection mark that doesn’t match with any of the first rules (hotspot 5-8) it will not be affected by the passthrough settings of those first rules.
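
The passthrough behaviour explained in the reply above, as an added example that is not part of the original thread: a small Python model of a mangle chain using a reduced copy of the poster's forward-chain packet-marking rules (4-9). The packet field names (`conn_mark`, `l7`, `web_port`, `small_conn`) and the sample packets are assumptions constructed for this sketch, not RouterOS syntax.

```python
# Model of mangle passthrough semantics as described in this thread.
# RULES is a reduced copy of the poster's rules: hotspot 4-8 and office 9.
# Field names are assumptions of this sketch, not RouterOS properties.

RULES = [
    # (rule no., match criteria, new packet mark, passthrough)
    (4, {"conn_mark": "con.hotspot.dw"}, "pk.hotspot.dw", True),
    (5, {"pkt_mark": "pk.hotspot.dw", "l7": "torrent"}, "pk.hotspot.p2p.dw", False),
    (6, {"pkt_mark": "pk.hotspot.dw", "l7": "video"}, "pk.hotspot.video.dw", False),
    (7, {"pkt_mark": "pk.hotspot.dw", "proto": "tcp", "web_port": True,
         "small_conn": True}, "pk.hotspot.httpbrowsing.dw", False),
    (8, {"pkt_mark": "pk.hotspot.dw", "proto": "tcp"}, "pk.hotspot.other.dw", False),
    (9, {"conn_mark": "con.office.dw"}, "pk.office.dw", True),
]


def run_chain(packet, rules=RULES):
    """Walk the chain top to bottom; return (final packet mark, matched rule numbers)."""
    pkt = dict(packet, pkt_mark=packet.get("pkt_mark"))
    matched = []
    for num, criteria, new_mark, passthrough in rules:
        if any(pkt.get(k) != v for k, v in criteria.items()):
            continue                 # no match: this rule's passthrough is irrelevant
        pkt["pkt_mark"] = new_mark   # a later match overwrites the earlier mark
        matched.append(num)
        if not passthrough:
            break                    # passthrough=no: stop scanning this chain
    return pkt["pkt_mark"], matched


if __name__ == "__main__":
    # Constructed sample packets, one per traffic class discussed in the thread.
    samples = {
        "hotspot torrent": {"conn_mark": "con.hotspot.dw", "l7": "torrent", "proto": "tcp"},
        "hotspot browsing": {"conn_mark": "con.hotspot.dw", "proto": "tcp",
                             "web_port": True, "small_conn": True},
        "hotspot udp": {"conn_mark": "con.hotspot.dw", "proto": "udp"},
        "office browsing": {"conn_mark": "con.office.dw", "proto": "tcp",
                            "web_port": True, "small_conn": True},
    }
    for name, pkt in samples.items():
        print(name, "->", run_chain(pkt))
```

The office packet is matched only by rule 9, because rules 4-8 never match it and so their passthrough setting is never consulted. The hotspot UDP packet keeps the mark from rule 4, since no later rule matches it.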

So, if a packet matches a rule early on in the mangle rules BUT… will also need to be processed again by let’s say 10 mangle rules later, then the first rule that packet is involved in MUST have passthrough=yes??

^^^ You added question marks by mistake. :wink:

They were rhetorical question marks!! :stuck_out_tongue_winking_eye:

Noted and thanks. The ?? threw me off, thanks for clarifying they were rhetorical. :slight_smile:



Thank you. This was not clearly explained in the wiki and other mangle guides. It is now clear.

Question on the ordering of rules. I have my packet mark ordering as follows (specific rules at the top, general rules at the bottom):

  1. Torrent (lowest priority)
  2. Video-streaming, mainly youtube and netflix (mid priority)
  3. Http browsing (0-10M connection bytes) (highest priority)
  4. All Others (intent is to catch big downloads, mid priority)

My logic is the more specific mangles should be at the top. Is my logic correct?

Thanks again.