I’m facing weird behavior using IPv6 connection marks on RouterOS v7.6 Stable. I’m setting a new connection mark on ICMP (protocol ICMPv6) and DNS (UDP port 53) connections, then I mark packets for a QoS simple queue.
I have noticed some UDP 443 connections marked as “ICMP+DNS_conn”, but there is no rule in mangle that matches this protocol/port. As shown below, I have only 2 rules to mark these connections.
There are 3 attachments to illustrate this.
Connection marks in mangle:
Connections marked correctly:
Connection that should not be marked:
Can someone please point me in a direction?
In IPv4 connection tracking, connection mark values are inherited from the base connection by the “related” ones too (e.g. if a TCP packet that has the DF flag set exceeds the MTU of the outgoing interface, the ICMP “fragmentation needed” packet reporting this to the sender gets the same connection mark as that TCP packet).
So I would assume that here it also works in the reverse direction: at some point an ICMPv6 packet arrived that was related to the UDP connection to port 443 and got marked with your connection mark, and the base connection inherited the connection mark.
I have been facing the same problem for the last few months, and the solution is to put connection-state=new,established.
The connection-state=established is for the return traffic.
So far I don't see the packets with protocol TCP and UDP anymore.
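The rules the replies are discussing, written out as an added example in RouterOS CLI (this is not configuration posted by anyone in the thread): first the two mark-connection rules as the original post describes them, then the same rules restricted with connection-state=new as the last reply suggests, followed by the packet mark and the simple queue that consumes it. The chain, the mark names, the queue name, its limit and its target prefix are assumptions for illustration; the two rule variants are alternatives, so only one pair should be loaded on a router.

```routeros
# Added example, not taken from the thread. Mark names, chain, queue
# name, limit and target are placeholders.

# --- Variant A: as described in the original post. No connection-state
# matcher, so the rule also fires on ICMPv6 packets that connection
# tracking classifies as "related" to some other connection (e.g. a
# UDP 443 flow); per the first reply, that base connection can then end
# up carrying the mark.
/ipv6 firewall mangle
add chain=prerouting protocol=icmpv6 action=mark-connection \
    new-connection-mark="ICMP+DNS_conn" passthrough=yes \
    comment="ICMPv6 (variant A: no connection-state matcher)"
add chain=prerouting protocol=udp dst-port=53 action=mark-connection \
    new-connection-mark="ICMP+DNS_conn" passthrough=yes \
    comment="DNS (variant A: no connection-state matcher)"

# --- Variant B: only the first packet of a new connection can set the
# connection mark. Related ICMPv6 errors belong to an existing
# connection, are never "new", and therefore never match here.
/ipv6 firewall mangle
add chain=prerouting connection-state=new protocol=icmpv6 \
    action=mark-connection new-connection-mark="ICMP+DNS_conn" \
    passthrough=yes comment="ICMPv6 (variant B: connection-state=new)"
add chain=prerouting connection-state=new protocol=udp dst-port=53 \
    action=mark-connection new-connection-mark="ICMP+DNS_conn" \
    passthrough=yes comment="DNS (variant B: connection-state=new)"

# Packet mark for the queue: applies to every packet, in both directions,
# of a connection that already carries the connection mark.
/ipv6 firewall mangle
add chain=prerouting connection-mark="ICMP+DNS_conn" action=mark-packet \
    new-packet-mark="ICMP+DNS_pkt" passthrough=no \
    comment="Packet mark for the ICMP+DNS simple queue"

# Simple queue keyed on the packet mark (limit and target are assumed).
/queue simple
add name="ICMP+DNS" packet-marks="ICMP+DNS_pkt" target=2001:db8::/32 \
    max-limit=1M/1M

# Check: list tracked connections carrying the mark. With variant A a UDP
# entry whose dst-address ends in port 443 can show up here; with variant
# B only ICMPv6 and UDP/53 entries should appear.
/ipv6 firewall connection print where connection-mark="ICMP+DNS_conn"
```

The prerouting chain covers forwarded traffic arriving on any interface; traffic originated by the router itself does not pass prerouting, so if ICMPv6 or DNS from the router is meant to be queued as well, the same mark-connection rules are needed in the output chain.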