Mangle Best Practice

sudiptakp · December 21, 2009, 5:55pm

What is better among the two for marking packets in pre-routing chain in mangle coming from a specific sublet?

add action=mark-packet chain=prerouting comment=“Internet Zone2–DN” disabled=no dst-address-list=“Internet Zone2”
new-packet-mark=“Internet Zone2” passthrough=no
… Internet Zone2 is defined in address-list as a subnet.
add action=mark-connection chain=prerouting comment=“Internet Zone2–DN” disabled=no dst-address-list=“Internet Zone2”
new-connection-mark=“Internet Zone2 Conn” passthrough=yes

add action=mark-packet chain=prerouting comment=“Internet Zone2–DN” disabled=no connection-mark=“Internet Zone2 Conn”
new-packet-mark=“Internet Zone2” passthrough=no

Which one is better and why?

Thanks,

Sudipta

gmsmstr · December 21, 2009, 6:32pm

The end result is having a packet mark, however, marking your connection is less CPU intensive. The PROPER or perferred way is the do the connection mark then the packet mark. This does two things, provides a simpler faster way to mark packets once the connection is identified. Two, depending on the connection and type, it will typically get traffic both directions vs just a single direction.

Chupaka · December 21, 2009, 6:46pm

http://forum.mikrotik.com/t/firewall-and-mangle-flow-questions/33998/11