Hi,
Before I post a support request, I’d be grateful if some of you Gurus would look over my firewall settings…I’m new to mangling (only really filtered in the past) and so I may have done something silly, but I’ll be blowed if I can see what…
OK, here is a view of ip->firewalls from winbox (running on an RB532, ROS 2.9.27, F/Ware 1.13)

Basically, I want to mark packet types (for priority queuing). As you can see, the p2p_conn/p2p_packet and other_conn/other_packet totals agree…but nothing else does. Here are the rules I am using, somewhat formatted for convenience:
0 chain=prerouting action=mark-packet new-packet-mark=all passthrough=yes
1 chain=prerouting protocol=tcp dst-port=8291 action=mark-connection new-connection-mark=winbox_conn passthrough=yes
2 chain=prerouting connection-mark=winbox_conn action=mark-packet new-packet-mark=winbox_pack passthrough=no
3 chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes
4 chain=prerouting connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p_pack passthrough=no
5 chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes
6 chain=prerouting protocol=tcp dst-port=8080 action=mark-connection new-connection-mark=http_conn passthrough=yes
7 chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http_pack passthrough=no
8 chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=https_conn passthrough=yes
9 chain=prerouting connection-mark=https_conn action=mark-packet new-packet-mark=https_pack passthrough=no
10 chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes
11 chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes
12 chain=prerouting connection-mark=dns_conn action=mark-packet new-packet-mark=dns_pack passthrough=no
13 chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email_conn passthrough=yes
14 chain=prerouting protocol=tcp dst-port=109 action=mark-connection new-connection-mark=email_conn passthrough=yes
15 chain=prerouting protocol=udp dst-port=109 action=mark-connection new-connection-mark=email_conn passthrough=yes
16 chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email_conn passthrough=yes
17 chain=prerouting protocol=udp dst-port=110 action=mark-connection new-connection-mark=email_conn passthrough=yes
18 chain=prerouting connection-mark=email_conn action=mark-packet new-packet-mark=email_pack passthrough=no
19 chain=prerouting action=mark-connection new-connection-mark=other_conn passthrough=yes
20 chain=prerouting connection-mark=other_conn action=mark-packet new-packet-mark=other_pack passthrough=no
As far as I understand, these rules look OK to me - I mark connections to various ports and allow passthrough until the corresponding rule marks the packets from those connections, and doesn’t pass through. Queues then check for packet marks and prioritise accordingly.
As far as I can tell, the queues that are being fed by this rule are reporting the inflated totals. I can’t see any relationship between the connection and packet counts; the only thing the non-functioning rules have in common is they rely on the dst-port argument. Am I perhaps misusing this? Is the prerouting chain the right place for them - I originally had them in the input chain, but they didn’t seem to feed my PCQs (a subject that’s completely new to me).
(This is the only drawback to being self-taught, you think you understand perfectly…until it doesn’t work).
Would anybody know of a way I can see which packets are being caught by a particular rule to try and trace their origin?
Any and all help would be greatly appreciated.
Thanks in advance.
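As an added illustration (not part of the post above, and not RouterOS code): a small Python model of how a mangle chain walks a subset of these rules over constructed sample traffic, keeping the per-rule counter that winbox displays. It follows standard connection-tracking semantics: a mark-connection rule matched on dst-port only sees packets heading to that port (the request direction), while the mark-packet rule keyed on the connection mark sees every packet of the connection in both directions, so the two counters of such a pair are expected to differ, unlike a catch-all pair with no port matcher. Addresses, ports and packet counts are constructed.

```python
from collections import Counter

# Subset of the post's mangle rules as (matchers, action, new mark, passthrough).
RULES = [
    ({}, "mark-packet", "all", True),
    ({"proto": "tcp", "dst_port": 8291}, "mark-connection", "winbox_conn", True),
    ({"conn_mark": "winbox_conn"}, "mark-packet", "winbox_pack", False),
    ({"proto": "tcp", "dst_port": 80}, "mark-connection", "http_conn", True),
    ({"conn_mark": "http_conn"}, "mark-packet", "http_pack", False),
    ({}, "mark-connection", "other_conn", True),
    ({"conn_mark": "other_conn"}, "mark-packet", "other_pack", False),
]

def conn_key(pkt):
    # Conntrack keys both directions of a flow on the same unordered endpoint pair.
    ends = sorted([(pkt["src"], pkt["src_port"]), (pkt["dst"], pkt["dst_port"])])
    return (pkt["proto"], *ends)

def run_mangle(packets, rules=RULES):
    conntrack = {}    # conn_key -> connection mark
    hits = Counter()  # rule index -> packets that matched (the winbox counter column)
    marks = Counter() # final packet mark -> packets
    for pkt in packets:
        key, pkt_mark = conn_key(pkt), None
        for i, (m, action, mark, passthrough) in enumerate(rules):
            if "proto" in m and m["proto"] != pkt["proto"]:
                continue
            if "dst_port" in m and m["dst_port"] != pkt["dst_port"]:
                continue
            if "conn_mark" in m and conntrack.get(key) != m["conn_mark"]:
                continue
            hits[i] += 1
            if action == "mark-connection":
                conntrack[key] = mark  # later rules for this packet already see it
            else:
                pkt_mark = mark
            if not passthrough:
                break                  # passthrough=no stops rule processing
        marks[pkt_mark] += 1
    return hits, marks

def flow(proto, client, cport, server, sport, to_server, to_client):
    # Constructed sample flow: request packets first, then the replies.
    req = {"proto": proto, "src": client, "src_port": cport, "dst": server, "dst_port": sport}
    rep = {"proto": proto, "src": server, "src_port": sport, "dst": client, "dst_port": cport}
    return [req] * to_server + [rep] * to_client

SAMPLE = (flow("tcp", "10.0.0.5", 40001, "203.0.113.10", 80, 3, 4)
          + flow("tcp", "10.0.0.5", 40002, "10.0.0.1", 8291, 2, 2))
HITS, MARKS = run_mangle(SAMPLE)  # HITS[3] == 3 (requests only), HITS[4] == 7
```

The catch-all other_conn/other_pack pair (rules 5 and 6 here) never fires because every sample packet stops at an earlier passthrough=no rule; with traffic to an unlisted port both of its counters would rise together, which is the agreement the post reports for that pair.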