for 3 years about chain mangle game ?

hendra · February 8, 2021, 5:11pm

for 3 years ive been looking for this. What is best chain for mangle games connection mark ?

many people are using prerouting, but when i ask why, they dont know the reason.
some people are using postrouting for it and forward for mark packet without any reason.
and then few people are using forward and they said its not good as chain

so I need best explaination or good reason from people who unsderstanding about marking the game, not asnwer from wiki.

thanks.

anav · February 8, 2021, 8:04pm

Please provide some requirements…
What is the use case or use cases?
Also a network diagram will help understand if this is for a single WAN router with a single LAN or something different.
If you want specifics you need to provide specifics.

hendra · February 9, 2021, 4:01pm

wlan1, wlan2, and ether2,3,4,5 are bridge-LAN.

ether 1 is wan to my ISP. dial up on ISP router not mikrotik. like that, is that enough information for you ?

hendra · February 10, 2021, 3:50pm

any suggestion sir ?

anav · February 13, 2021, 3:20pm

/export hide-sensitive file=anynameyouwish

Unable to really figure out what you are trying to do.

sindy · February 13, 2021, 5:36pm

The best chain for connection marking depends on the purpose. You can assign a connection-mark value for multiple purposes:

to translate it later into a packet-mark value, using some other mangle rules, to facilitate QoS (queueing and prioritisation of traffic)
to translate it later into a routing-mark value, using some other mangle rules, to choose a specific routing table
to match some filter or nat rules on the connection-mark value

Sometimes you need to use the same connection-mark value for multiple purposes, as each connection can have only a single connection-mark at a time.

A connection-mark must always be assigned before it gets actually used. So

if you translate it into a packet-mark for QoS purpose, you can assign it in any of the chains the packet passes - it doesn’t matter which particular one because a packet-mark is used to choose a queue after postrouting, so the only requirement is that the connection-mark gets assigned before it gets translated into a packet-mark
if you translate the connection-mark into a routing-mark, it must be assigned in prerouting if the same packet which has caused a connection-mark assignment has to be routed using a specific routing table chosen up to the connection-mark value. But you can assign a connection-mark in input or forward if the packet causing the assignment comes in the WAN->LAN direction side whereas the translation of connection-mark to routing-mark is only necessary in LAN->WAN direction (like when you have multiple WANs and you need the router itself or servers on its LAN to respond to incoming requests via the same WAN through which the incoming request has come) if you need to assign a different one to packets towards the router itself (input) or towards a LAN device (forward); if you don’t need this distinction, prerouting is fine.

If you need that a rule has the information about in-interface(-list), you cannot place it to postrouting; if you need it to have the information about out-interface(-list), you cannot place it to prerouting. But there is nothing wrong about assigning a connection-mark in prerouting and translating it to packet-mark in postrouting.

To save CPU consumption, keep the number of rules a typical packet has to pass through as low as possible.

The packet flow diagram should explain you the role and order of the packet processing chains.