[help] Same Mangle rule on group of interfaces: how to?

magnavox · August 16, 2008, 10:03am

Hello to all!

I need to apply same mangle rule on group of interfaces (N interfaces).

Example:

add action=mark-packet chain=prerouting comment=POP3 disabled=no dst-port=\
    1025-65535 in-interface=ether3 new-packet-mark=pop3_in passthrough=no \
    protocol=tcp src-port=110
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=110 \
    new-packet-mark=pop3_out out-interface=ether3 passthrough=no protocol=tcp \
    src-port=1025-65535

I need to replicate this rule even in ether4 and ether 6,.
Consider that I have many of this rule and it’s very expensive to replicate for N interfaces.

RouterOS, not accept mangle rule whit “in-interface=ether3,ether4,ether6”

A solution would be to preventive mark all packets to/from this N interfaces, like
“group_in/group_out” and apply the rules on all interfaces, but only on “group packets”?

Can you help me?

Chupaka · August 16, 2008, 10:06am

it’s not as expensive as you think - just replicate =)

magnavox · August 16, 2008, 10:40am

I have to replicate many rules, over 50!

50 rules
3 interfaces

50 x 3 = 150 rules…

Chupaka · August 16, 2008, 11:56am

well, you may do it in two steps:

mark packets from ether3, ether4, ether6 - three rules
mark packets having packet-mark from step 1 based on ports etc

only three additional rules =)

magnavox · August 16, 2008, 12:05pm

…3 + 3 additional rules (from/to)

This agree whit my idea of “preventive mark packets” from/to this interfaces.
No alternative solution exist?

TNX!

Chupaka · August 16, 2008, 12:10pm

well, ‘alternative solutions’… when you forcibly set in-interface or out-interface, then when the list of interfaces changes, you need to change 50s of rules. and with my solution, you need only change 3+3 rules

so I don’t see much sense in other solutions

magnavox · August 16, 2008, 12:20pm

Your solution is my solution

But, I think that is possible a more optimized solution…

Chupaka · August 16, 2008, 12:38pm

oh, yeah, just re-read your first post =)

why do you think it’s not optimized? it’s easy to use, easy to modify… is CPU load too high?

changeip · August 16, 2008, 3:44pm

create jump rules for each interface to the same chain. Then use only a single set of mangle rules in that chain. This is what chains are for, so you can reuse your rules.

magnavox · August 16, 2008, 6:02pm

Ok, I understand, but I m a bit confused…
Can you show a little example?

Chupaka · August 16, 2008, 10:56pm

/ip firewall mangle 
add action=jump chain=prerouting comment="" disabled=no in-interface=lollipop jump-target=kaboom-in 
add action=mark-packet chain=kaboom-in comment="" disabled=no new-packet-mark=bzzz passthrough=yes protocol=tcp

magnavox · August 17, 2008, 10:48am

A possible start (for me ) solution:

/ip firewall mangle

add action=jump chain=prerouting comment="" disabled=no in-interface=ether2 jump-target=QoS-in
add action=jump chain=postrouting comment="" disabled=no jump-target=QoS-out out-interface=ether2
add action=jump chain=prerouting comment="" disabled=no in-interface=bridge1 jump-target=QoS-in
add action=jump chain=postrouting comment="" disabled=no jump-target=QoS-out out-interface=bridge1

add action=mark-packet chain=QoS-in comment=ICMP disabled=no new-packet-mark=icmp_in passthrough=no protocol=icmp
add action=mark-packet chain=QoS-out comment="" disabled=no new-packet-mark=icmp_out passthrough=no protocol=icmp
add action=mark-packet chain=QoS-in comment=DNS disabled=no new-packet-mark=dns_in passthrough=no protocol=udp src-port=53
add action=mark-packet chain=QoS-out comment="" disabled=no dst-port=53 new-packet-mark=dns_out passthrough=no protocol=udp
add action=mark-packet chain=QoS-in comment=WinBOX disabled=no new-packet-mark=winbox_in passthrough=no protocol=tcp src-port=8291
add action=mark-packet chain=QoS-out comment="" disabled=no dst-port=8291 new-packet-mark=winbox_out passthrough=no protocol=tcp
add action=mark-packet chain=QoS-in comment=SSH disabled=no new-packet-mark=ssh_in passthrough=no protocol=tcp src-port=22
add action=mark-packet chain=QoS-out comment="" disabled=no dst-port=22 new-packet-mark=ssh_out passthrough=no protocol=tcp
add action=mark-packet chain=QoS-in comment=PPtP disabled=no new-packet-mark=gre_in passthrough=no protocol=gre
add action=mark-packet chain=QoS-out comment="" disabled=no new-packet-mark=gre_out passthrough=no protocol=gre
add action=mark-packet chain=QoS-in comment=HTTP_Video disabled=no layer7-protocol=http-video new-packet-mark=http-video_in \
    passthrough=no protocol=tcp
add action=mark-packet chain=QoS-out comment="" disabled=no layer7-protocol=http-video new-packet-mark=http-video_out passthrough=no \
    protocol=tcp

[cut]

In this simple rule set:

substitute “prerouting” chain whit “QoS-in” chain
substitute “postrouting” chain whit “QoS-out” chain
not specified in/out interface