Connection Type SIP Not Matching...

Any idea why

/ip firewall mangle
add action=mark-connection comment="SIP DOWN" chain=prerouting connection-type=sip in-interface=ether1-gateway new-connection-mark=SIP_DOWN passthrough=yes
add action=mark-packet comment="SIP DOWN" chain=prerouting connection-mark=SIP_DOWN new-packet-mark=SIP_DOWN passthrough=no

doesn’t actually seem to be matching anything? Connection tracking is on and I actually see the connection marked as type sip in the list… it just still doesn’t match.

-Eric

I assume by not matching you mean the packet counter isn’t incrementing. What are you trying to do with these rules? There may be a better or different way to verify it.

Ryan

Yes, that’s what I meant. And I’m just trying to mark all SIP and SIP-related connections so I can do QoS on them. Matching by port and host works fine, but I was trying to figure out why the connection type didn’t seem to work.

-Eric


About connection-type:
(from wiki)
Matches packets from related connections based on information from their connection tracking helpers.
A relevant connection helper must be enabled under /ip firewall service-port

And I add this:
The helpers are created not to mark packets or connections, but to help with NAT traversal.

connection-type=sip is equivalent to writing:
on forward, mark-connection where the UDP port is equal to 5060 or 5061 (or any added manually under /ip firewall service-port sip)