How to mangle Mail, DNS, RDP?

I’ve read many posts here, but I still have a problem identifying Mail, DNS and RDP packets. First of all, receiving mail from my ISP’s POP3 server never gets recognized; throughput is always 0 bytes.

The other two protocols have the same problem, too. My setup is pretty simple: a 10M/2M VDSL on ether1 (PPPoE client) as ‘Hinet’, and an interface bridge on ether2~5 as ‘bridge’, on an RB450G with OS 5.1. Is there anyone who could help me?
Here are my firewall mangle rules.
 //ip firewall mangle rules
 
 0   ;;; ICMP
     chain=prerouting action=mark-connection new-connection-mark=icmp_conn passthrough=yes protocol=icmp
 1   chain=prerouting action=mark-packet new-packet-mark=ICMP passthrough=no connection-mark=icmp_conn

 2   ;;; DNS
     chain=prerouting action=mark-connection new-connection-mark=Dns_conn passthrough=yes protocol=tcp dst-port=53
 3   chain=prerouting action=mark-connection new-connection-mark=Dns_conn passthrough=yes protocol=udp dst-port=53
 4   chain=prerouting action=mark-packet new-packet-mark=DNS passthrough=no connection-mark=Dns_conn

 5 I ;;; Mail Download
     chain=prerouting action=mark-connection new-connection-mark=mail_dl passthrough=yes protocol=tcp src-port=110 connection-mark=""
 6   chain=prerouting action=mark-packet new-packet-mark=MAIL_DOWNLOAD passthrough=no connection-mark=mail_dl

 7   ;;; HTTP Download Request
     chain=prerouting action=mark-connection new-connection-mark=cm_http_request passthrough=yes protocol=tcp src-port=80,443 connection-bytes=0-500000
 8   chain=prerouting action=mark-packet new-packet-mark=HTTP_DL_REQ passthrough=no connection-mark=cm_http_request

 9   ;;; HTTP Download
     chain=prerouting action=mark-connection new-connection-mark=cm_http passthrough=yes protocol=tcp src-port=80,443 connection-bytes=500000-0
10   chain=prerouting action=mark-packet new-packet-mark=HTTP_DL passthrough=no connection-mark=cm_http

11   ;;; HTTP Upload Request
     chain=prerouting action=mark-connection new-connection-mark=cm_http_ul_request passthrough=yes protocol=tcp dst-port=80,81,443,8080 connection-bytes=0-500000
12   chain=prerouting action=mark-packet new-packet-mark=HTTP_UL_REQ passthrough=no connection-mark=cm_http_ul_request

13   ;;; HTTP Upload
     chain=prerouting action=mark-connection new-connection-mark=cm_http_ul passthrough=yes protocol=tcp dst-port=80,81,443,8080 connection-bytes=500000-0
14   chain=prerouting action=mark-packet new-packet-mark=HTTP_UL passthrough=no connection-mark=http_ul

15   ;;; FTP Client
     chain=prerouting action=mark-connection new-connection-mark=ftp_dl_conn passthrough=yes protocol=tcp src-port=20,21
16   chain=prerouting action=mark-packet new-packet-mark=FTP_DOWNLOAD passthrough=no connection-mark=ftp_dl_conn

17   ;;; FTP Server
     chain=prerouting action=mark-connection new-connection-mark=ftp_ul_conn passthrough=yes protocol=tcp dst-port=20,21
18   chain=prerouting action=mark-packet new-packet-mark=FTP_UPLOAD passthrough=no connection-mark=ftp_ul_conn

19   ;;; Others
     chain=prerouting action=mark-connection new-connection-mark=other_conn passthrough=yes
20   chain=prerouting action=mark-packet new-packet-mark=OTHER passthrough=no connection-mark=other_conn

21   ;;; RDP Server
     chain=prerouting action=mark-connection new-connection-mark=rdp_conn passthrough=yes protocol=tcp dst-port=3389
22   chain=prerouting action=mark-packet new-packet-mark=RDP_UL passthrough=yes connection-mark=rdp_conn

//queue
 0   name="Global Traffic In" parent=bridge limit-at=0 priority=1 max-limit=10M burst-limit=0 burst-threshold=0 burst-time=0s
 1   name="Global Traffic Out" parent=Hinet limit-at=0 priority=1 max-limit=1900k burst-limit=0 burst-threshold=0 burst-time=0s
 2   name="ICMP In" parent=Global Traffic In packet-mark=ICMP limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 3   name="ICMP Out" parent=Global Traffic Out packet-mark=ICMP limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 4   name="DNS In" parent=Global Traffic In packet-mark=DNS limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 5   name="DNS Out" parent=Global Traffic Out packet-mark=DNS limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 6   name="HTTP Download" parent=Global Traffic In packet-mark=HTTP_DL limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 7   name="HTTP Upload" parent=Global Traffic Out packet-mark=HTTP_UL limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 8   name="Other Traffic In" parent=Global Traffic In packet-mark=OTHER limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 9   name="Other Traffic Out" parent=Global Traffic Out packet-mark=OTHER limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
10   name="HTTP Download Request" parent=Global Traffic In packet-mark=HTTP_DL_REQ limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
11   name="HTTP Upload Request" parent=Global Traffic Out packet-mark=HTTP_UL_REQ limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
12   name="FTP Download" parent=Global Traffic In packet-mark=FTP_DOWNLOAD limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
13   name="FTP Server" parent=Global Traffic Out packet-mark=FTP_UPLOAD limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
14   name="MAIL Download" parent=Global Traffic In packet-mark=MAIL_DOWNLOAD limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
15   name="RDP Server" parent=Global Traffic Out packet-mark=RDP_UL limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

Your mail rule is invalid (and marked as such) because it is referring to an empty connection mark. Remove it.
Your RDP rule is under a rule commented as “other” that marks all traffic so no traffic can fall through to the RDP rule. Move it above the “other” rule.

Hi Fewi,

You solved my problem, thanks. WinBox did not show the empty ‘connection mark’ properly; that’s why this rule was always in red and displayed ‘Inactive’. This confused me for a long time!

By the way, I still have a few questions about the mangle rules. I know these rules work, but I just couldn’t understand the directions they imply.
The ‘Global Traffic Out’ queue is on the WAN interface (‘Hinet’); this is understandable since we need traffic shaping on the upstream. Why is the ‘Global Traffic In’ queue on the LOCAL interface (‘bridge’)? Why not put it on the WAN interface, so that both downstream and upstream are queued the way we like? The other is the src-port and dst-port problem. Why was the mangle rule for ‘HTTP Download’ set to ‘src-port=80,443’? I thought it should be ‘dst-port=80,443’, because we are making a connection from the local interface to the WAN interface on destination port 80 of some other IP address, right?

I don’t know why you configure your mangle rules the way you did. There are indeed other ways to go about it.
Queues that have interfaces as their parent only see packets sent through that interface, and never packets received through that interface.
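As an added illustration (not from either poster), the two fixes from fewi's first reply written as RouterOS commands against the rule set printed above, with comments on the direction question from the second exchange. It assumes the rules carry the comments shown in the print output ("Mail Download", "RDP Server", "Others") so that `find` can locate them; rule numbers are avoided because they change after every move.

```routeros
/ip firewall mangle
# Fix 1: rule 5 was flagged invalid ("I") because of connection-mark="",
# an empty mark that never matches. Recreate the mark-connection rule
# without it, in the same position (before the mark-packet rule that
# looks for mail_dl). src-port=110 is correct for a *download*: the POP3
# server answers from port 110, so its replies are the packets that
# carry the mail, and those are what the "MAIL Download" queue on the
# bridge (LAN-bound) side needs to see.
remove [find comment="Mail Download"]
add chain=prerouting action=mark-connection new-connection-mark=mail_dl \
    passthrough=yes protocol=tcp src-port=110 comment="Mail Download" \
    place-before=[find connection-mark=mail_dl]

# Fix 2: rules 21-22 sat below the catch-all "Others" rule, which marks
# every still-unmarked connection as other_conn, so nothing ever reached
# the RDP rule. Move both RDP rules above "Others" (the mark-packet rule
# has no comment, so it is found by its new-packet-mark).
move [find comment="RDP Server"] [find comment="Others"]
move [find new-packet-mark=RDP_UL] [find comment="Others"]

# Direction reminder for the queue tree (unchanged from the original):
# an interface-parented queue only sees packets *sent out* of that
# interface, so parent=Hinet shapes upstream and parent=bridge shapes
# what is delivered to the LAN, i.e. downstream. src-port matches the
# remote server's replies (download); dst-port matches requests the LAN
# sends (upload).
print
```

After running this, `print` should show the mail rule without the "I" flag and the two RDP rules immediately above "Others"; the mangle counters on the RDP rules then start increasing as soon as a client opens a connection to TCP port 3389.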