I can't mangle packets with Layer 7

Hello everybody
I'm studying Layer 7 with MKT, because it is something WONDERFUL. I asked about it at the MUM in Argentina, and they told me A GOOD QUESTION and nothing more. And now it appears!!!
But I have some problems… :frowning:
I inserted into /ip firewall layer7-protocol the definitions that are in http://www.mikrotik.com/download/l7-protos.rsc. Then I created these 4 rules in mangle:
0 ;;; HTTP Layer 7
chain=prerouting action=mark-connection new-connection-mark=HTTP_CON passthrough=yes layer7-protocol=http

1 chain=prerouting action=mark-packet new-packet-mark=HTTP passthrough=no connection-mark=HTTP_CON

2 ;;; RESTO
chain=prerouting action=mark-connection new-connection-mark=RESTO_CON passthrough=yes

3 chain=prerouting action=mark-packet new-packet-mark=RESTO passthrough=no connection-mark=RESTO_CON

Finally I open a browser and start using it, and the only marks that appear in CONNECTIONS are "RESTO_CON", no "HTTP_CON" marks at all. Look, this is a print of Connections:
17 SA protocol=tcp src-address=10.10.1.253:51260 dst-address=200.43.15.16:80 reply-src-address=10.10.200.1:3128 reply-dst-address=10.10.1.253:51260
tcp-state=96 timeout=5s connection-mark="RESTO_CON" p2p=none
18 SA protocol=tcp src-address=xxx.xxx.xxx.xxx:43112 dst-address=200.43.15.16:80 reply-src-address=200.43.15.16:80 reply-dst-address=xxx.xxx.xxx.xxx:43112
tcp-state=232 timeout=5s connection-mark="RESTO_CON" p2p=none
19 SA protocol=tcp src-address=10.10.1.253:51261 dst-address=200.43.15.16:80 reply-src-address=10.10.200.1:3128 reply-dst-address=10.10.1.253:51261
tcp-state=none timeout=4s connection-mark="RESTO_CON" p2p=none
20 SA protocol=tcp src-address=10.10.1.253:51262 dst-address=200.43.15.16:80 reply-src-address=10.10.200.1:3128 reply-dst-address=10.10.1.253:51262
tcp-state=232 timeout=4s connection-mark="RESTO_CON" p2p=none
21 SA protocol=tcp src-address=xxx.xxx.xxx.xxx:43113 dst-address=200.43.15.16:80 reply-src-address=200.43.15.16:80 reply-dst-address=xxx.xxx.xxx.xxx:43113
tcp-state=none timeout=5s connection-mark="RESTO_CON" p2p=none
22 SA protocol=tcp src-address=xxx.xxx.xxx.xxx:43114 dst-address=200.43.15.16:80 reply-src-address=200.43.15.16:80 reply-dst-address=xxx.xxx.xxx.xxx:43114
tcp-state=172 timeout=5s connection-mark="RESTO_CON" p2p=none
23 SA protocol=tcp src-address=10.10.1.253:51263 dst-address=200.43.15.16:80 reply-src-address=10.10.200.1:3128 reply-dst-address=10.10.1.253:51263
tcp-state=225 timeout=4s connection-mark="RESTO_CON" p2p=none

As you can see, the IP 200.43.15.16 is working on port 80, so it is HTTP!!!
I'm using a HOTSPOT Server to try it, but I think it doesn't depend on what type of server I'm using.
Could somebody tell me what I'm doing wrong?
Thank you very much

Rafael Loré

No mangle. Put it directly into the firewall.

  1. Make the L7 rule.
  2. Use the created rule in a firewall drop rule.

The layer7 matcher must see traffic in both directions. Put your rule in the forward chain and it should work.

Thank you, boys, for your replies!!!
But normis, I don't understand you, I want to use mangle, because then I will use a QUEUE TREE!! If I drop it, you know how my telephone will be :smiley:
And another thing, mrz, you tell me that I have to use it in forward, but I want to use a different gateway for some traffic, for example P2P. I can't do that with forward, can I?
Thank you very much!!! :slight_smile:
Rafael Loré

You can! Just set the incoming or outgoing interface. But if you really need that rule in prerouting, then it is possible to add two rules like this:

/ip firewall mangle
add action=mark-connection chain=prerouting comment="L7 bittorrent" connection-mark=lat-download-conn layer7-protocol=bittorrent new-connection-mark=lat-p2p-download-conn passthrough=yes

add action=passthrough chain=postrouting layer7-protocol=bittorrent

In this example the bittorrent matcher will see connections in both directions.
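The two fixes the replies describe (rules in the forward chain, or rules in prerouting plus a postrouting passthrough rule so the matcher sees replies), worked through for the HTTP and bittorrent cases from this thread. This is an added example, not configuration posted by anyone in the thread. It assumes the http and bittorrent layer7 entries are already loaded from l7-protos.rsc, RouterOS v6 syntax (parent=global and routing-mark; older releases use global-in/global-out, v7 uses routing tables), and a second gateway 192.0.2.1, which is a placeholder. Two points about the original rule set are worth checking first: rule 2 (RESTO) has no connection-mark condition, so it re-marks every packet's connection to RESTO_CON and would overwrite HTTP_CON even when the L7 match succeeds; and in the connection listing the hotspot's transparent web proxy (reply-src-address=10.10.200.1:3128) answers the client connections, so those replies are generated on the router itself and traverse output/postrouting, never prerouting or forward.

```routeros
# Added example, not from the thread. Assumes: "http" and "bittorrent"
# layer7-protocol entries already loaded from l7-protos.rsc, RouterOS v6,
# second gateway 192.0.2.1 (placeholder), LAN clients behind the hotspot.

# --- Variant A: forward chain (for queues only) ------------------------
# Forwarded traffic crosses this chain in both directions, so the L7
# matcher sees request and reply. The catch-all is restricted to
# connection-mark=no-mark so it cannot overwrite HTTP_CON later.
/ip firewall mangle
add chain=forward layer7-protocol=http connection-mark=!HTTP_CON action=mark-connection new-connection-mark=HTTP_CON passthrough=yes comment="HTTP Layer 7"
add chain=forward connection-mark=no-mark action=mark-connection new-connection-mark=RESTO_CON passthrough=yes comment="RESTO"
add chain=forward connection-mark=HTTP_CON action=mark-packet new-packet-mark=HTTP passthrough=no
add chain=forward connection-mark=RESTO_CON action=mark-packet new-packet-mark=RESTO passthrough=no

# --- Variant B: prerouting + postrouting passthrough ---------------------
# Needed when the mark must drive routing (mark-routing only works in
# prerouting/output). Prerouting alone sees only the client-to-router
# direction; the postrouting passthrough feeds the same matcher the reply
# direction, including replies generated locally by the hotspot proxy.
/ip firewall mangle
add chain=prerouting layer7-protocol=http connection-mark=!HTTP_CON action=mark-connection new-connection-mark=HTTP_CON passthrough=yes comment="HTTP Layer 7"
add chain=postrouting layer7-protocol=http action=passthrough comment="feed L7 with HTTP replies"
add chain=prerouting layer7-protocol=bittorrent connection-mark=!P2P_CON action=mark-connection new-connection-mark=P2P_CON passthrough=yes comment="P2P Layer 7"
add chain=postrouting layer7-protocol=bittorrent action=passthrough comment="feed L7 with bittorrent replies"
add chain=prerouting connection-mark=no-mark action=mark-connection new-connection-mark=RESTO_CON passthrough=yes comment="RESTO"
# packet marks for the queue tree
add chain=prerouting connection-mark=HTTP_CON action=mark-packet new-packet-mark=HTTP passthrough=yes
add chain=prerouting connection-mark=RESTO_CON action=mark-packet new-packet-mark=RESTO passthrough=yes
# routing mark: send P2P through the second gateway (assumed 192.0.2.1)
add chain=prerouting connection-mark=P2P_CON action=mark-routing new-routing-mark=via_gw2 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=via_gw2 comment="P2P via second gateway (placeholder)"

# --- Queue tree driven by the packet marks (limits are examples) --------
/queue tree
add name=HTTP parent=global packet-mark=HTTP max-limit=4M
add name=RESTO parent=global packet-mark=RESTO max-limit=2M

# --- Checks -------------------------------------------------------------
# After browsing for a moment, HTTP_CON should now appear:
/ip firewall connection print where connection-mark=HTTP_CON
# Rule counters show whether the L7 rules match at all:
/ip firewall mangle print stats
```

Caveat for the routing-mark part: the L7 matcher needs a few packets of payload before it can decide, so the first packets of every P2P connection leave through the default gateway before the connection is marked, and a connection whose gateway changes mid-stream (with NAT on each gateway) will usually be reset by the far end. Expect the mark to take effect on subsequent connections, not the one that was classified.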