efaden
August 4, 2013, 8:32pm
1
http://wiki.mikrotik.com/wiki/Manual:HTB#HTB_configuration_example
In there, the first code block has:
/ip firewall mangle> add chain=prerouting src-address=10.1.1.1/32 action=mark-connection \
new-connection-mark=server_con
/ip firewall mangle> add chain=forward connection-mark=server_con action=mark-packet \
new-packet-mark=server
The comments say that you use that code to mark packets going to and from the “server” (e.g. 10.1.1.1/32). I see how that marks data coming FROM 10.1.1.1, but how exactly does that mark data going to 10.1.1.1? Wouldn’t you need a mirror of that rule using the dst-address instead? Or am I missing something?
Connection marks propagate to all packets in the connection - not just those packets which met the original selection criteria.
If it were applying packet marks then yes you would need to have something applying the marks in both directions.
efaden
August 4, 2013, 10:50pm
3
CelticComms:
Connection marks propagate to all packets in the connection - not just those packets which met the original selection criteria.
If it were applying packet marks then yes you would need to have something applying the marks in both directions.
Ah… What about something using connection state?
/ip firewall mangle
add connection-state=new src-address=10.1.1.1/32 chain=prerouting action=mark-connection new-connection-mark=server_con
Would that also work? Or would that only catch 1/2 of the traffic? (e.g. ones initiated FROM 10.1.1.1)
efaden
August 6, 2013, 9:05pm
4
efaden:
CelticComms:
Connection marks propagate to all packets in the connection - not just those packets which met the original selection criteria.
If it were applying packet marks then yes you would need to have something applying the marks in both directions.
Ah… What about something using connection state?
/ip firewall mangle
add connection-state=new src-address=10.1.1.1/32 chain=prerouting action=mark-connection new-connection-mark=server_con
Would that also work? Or would that only catch 1/2 of the traffic? (e.g. ones initiated FROM 10.1.1.1)
Can anyone answer this? Basically what I am looking at is the following scenario:
A <-----> Internet <-----> RouterBoard <------> B
And the code:
/ip firewall mangle
add chain=prerouting src-address=B action=mark-connection \
new-connection-mark=server_con
add chain=forward connection-mark=server_con action=mark-packet \
new-packet-mark=server
From what I can tell when B makes a connection to A it will match that connection and then mark all the packets (both ingress and egress).
My question is will this match a connection from A to B? Or would I need a second rule like
/ip firewall mangle
add chain=prerouting dst-address=B action=mark-connection \
new-connection-mark=server_con
The connection itself typically has traffic in both directions which will all be marked.
Whether you need multiple marking rules depends on selection criteria. E.g. if using connection state = New then typically a pair may be used with SRC & DST reversed.
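To make the two answers concrete, here is an added toy model of how a connection mark is stored on the connection-tracking entry and then copied onto every packet of that flow in both directions. It is illustration code written for this thread, not RouterOS code; the addresses (10.1.1.1 as B, 192.0.2.10 as A), the per-flow key and the two-rule evaluation order are assumptions of the model, not details taken from the manual.

```python
# Toy model of RouterOS mangle marks (added illustration, not RouterOS code).
# A flow is keyed by its unordered address pair, so packets in either direction
# hit the same conntrack entry and therefore see the same connection mark.

SERVER = "10.1.1.1"   # "B" in the thread
CLIENT = "192.0.2.10"  # "A" in the thread (constructed sample address)


class Packet:
    def __init__(self, src, dst):
        self.src, self.dst, self.packet_mark = src, dst, None


def flow_key(pkt):
    return frozenset((pkt.src, pkt.dst))


def run(packets, require_new):
    """Apply the thread's two mangle rules to a packet sequence.

    Rule 1 (prerouting): src-address=SERVER [connection-state=new] -> mark-connection
    Rule 2 (forward):    connection-mark=server_con -> mark-packet server
    Returns the packet mark assigned to each packet, in order.
    """
    conntrack = {}  # flow key -> connection mark (None if unmarked)
    marks = []
    for pkt in packets:
        key = flow_key(pkt)
        is_new = key not in conntrack  # first packet of this flow
        conntrack.setdefault(key, None)
        # Rule 1: only packets FROM the server can set the connection mark;
        # with connection-state=new that is restricted to the flow's first packet.
        if pkt.src == SERVER and (is_new or not require_new):
            conntrack[key] = "server_con"
        # Rule 2: the packet mark follows the connection mark, whatever the direction.
        if conntrack[key] == "server_con":
            pkt.packet_mark = "server"
        marks.append(pkt.packet_mark)
    return marks


def server_initiated():
    # Constructed sample: B opens the connection, A answers, B sends more.
    return [Packet(SERVER, CLIENT), Packet(CLIENT, SERVER), Packet(SERVER, CLIENT)]


def client_initiated():
    # Constructed sample: A opens the connection, B answers, traffic continues.
    return [Packet(CLIENT, SERVER), Packet(SERVER, CLIENT),
            Packet(CLIENT, SERVER), Packet(SERVER, CLIENT)]
```

Without connection-state=new, a client-initiated flow gets the mark as soon as the server's first reply passes the rule, so only the opening packet(s) from A go unmarked; with connection-state=new, a client-initiated flow is never marked, which is why the reply above suggests a second rule with src and dst reversed.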