Layer 7 protocols not working

kgninfos · January 11, 2013, 1:57pm

Hello
i was using layer 7 based traffic prioritization on ros v 5.22 and was working fine
but in ROS v6 rc6 it’s not working

i used the guide at
http://wiki.mikrotik.com/wiki/Basic_traffic_shaping_based_on_layer-7_protocols

sergejs · January 14, 2013, 4:42pm

You have to specify used pattern at least, however note that most of l7 protocol does not provide 100% effect for marking traffic.

kgninfos · January 15, 2013, 3:57am

the pattern is already specified in the example

and also it was working in v 5.22

sergejs · January 15, 2013, 1:17pm

Example has too much layer7 patterns. Please be more specific about pattern that does not work.

kgninfos · January 15, 2013, 4:48pm

none of the pattern are working as of now
that is why i told “Layer 7 protocols filter not working”

sergejs · January 16, 2013, 1:34pm

I’ve used default patter for HTTP,

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
1 chain=forward action=log layer7-protocol=http log-prefix=“”
[admin@MikroTik] /ip firewall filter> print d

/ip firewall filter> print stats
Flags: X - disabled, I - invalid, D - dynamic

CHAIN ACTION BYTES PACKETS

1 forward log 44 920 191

/system package print detail
5 name=“system” version=“6.0rc7” build-time=jan/09/2013 14:32:00
scheduled=“”

kgninfos · January 16, 2013, 1:59pm

ok i deleted all entry and created again
and surprisingly it worked

Thank you all

cthompson · July 29, 2015, 12:22pm

revival of a dead thread.

I have blocked FB via a drop rule in the forward chain as FB does not play as well as I had hoped with layer 7 packet matching and blocks other sites required for business here.

I have added an exception for my machine at the top of the chain.

      chain=forward action=accept protocol=tcp src-address=192.168.20.196 src-port=80,443,53 log=no log-prefix=""

the above does not function or allow my traffic through.

however, if I modify this to not have the src-port set, the rule matches and works as expected.

    chain=forward action=accept protocol=tcp src-address=192.168.20.196 log=no log-prefix=""

Now the fun part.

I have a layer 7 rule to match ‘twitter’
the regular expression for matching states:

^.+(twitter.com).*$

and it is enabled in the forward chain

39    ;;; BLOCK TWITTER
      chain=forward action=reject reject-with=icmp-host-prohibited layer7-protocol=Twitter log=no log-prefix=""

it is matched and blocks traffic even despite the exception for my specific ip address above.

What am I missing within the configuration here in order to allow exceptions to work for both direct forward chain rules as well as layer 7 rules?

Thank-You,