Mangle, connection tracking + in/out traffic marking

Can anybody explain an issue with connection tracking on RouterOS v6?
Assume I need to mark SSH (TCP port 22) traffic for further QoS rules.
After reading many manuals, forums and the official wiki, I found that:

  0. First I need to mark all traffic with a default mark, which will be used on the lowest-priority queues, with passthrough=yes
  1. I need to mark the whole connection with new-connection-mark
  2. Mark subsequent packets in that connection with new-packet-mark with passthrough=no
  3. Use packet marks in Queue Tree

Ok.

/ip firewall mangle
add chain=forward action=mark-connection new-connection-mark=ALL-TRAFFIC passthrough=yes comment="ALL connections"
add chain=forward action=mark-packet new-packet-mark=LOWPRIO-RX passthrough=yes dst-address-list=LAN-Clients connection-mark=ALL-TRAFFIC  comment="ALL inboud packets"
add chain=prerouting action=mark-packet new-packet-mark=LOWPRIO-TX passthrough=yes src-address-list=LAN-Clients connection-mark=ALL-TRAFFIC comment="ALL outbound packets"

add chain=forward action=mark-connection new-connection-mark=ssh-connection passthrough=yes protocol=tcp dst-port=22 comment="SSH connections"
add chain=forward action=mark-packet new-packet-mark=ssh-rx passthrough=no dst-address-list=LAN-Clients connection-mark=ssh-connection comment="SSH inboud"
add chain=prerouting action=mark-packet new-packet-mark=ssh-tx passthrough=no src-address-list=LAN-Clients connection-mark=ssh-connection comment="SSH outbound"

Contrary to my expectations, the INBOUND (“-rx”) packet counter does not start growing and remains at “0”.

Then I found that if I add another rule for incoming connections FROM the SSH port with the same connection mark, the corresponding counter starts growing by exactly the same amount as the counter of the connection-mark rule.

/ip firewall mangle
add chain=forward action=mark-connection new-connection-mark=ALL-TRAFFIC passthrough=yes comment="ALL connections"
add chain=forward action=mark-packet new-packet-mark=LOWPRIO-RX passthrough=yes dst-address-list=LAN-Clients connection-mark=ALL-TRAFFIC  comment="ALL inboud packets"
add chain=prerouting action=mark-packet new-packet-mark=LOWPRIO-TX passthrough=yes src-address-list=LAN-Clients connection-mark=ALL-TRAFFIC comment="ALL outbound packets"

add chain=forward action=mark-connection new-connection-mark=ssh-connection passthrough=yes protocol=tcp src-port=22 comment="SSH connections"
add chain=forward action=mark-connection new-connection-mark=ssh-connection passthrough=yes protocol=tcp dst-port=22 comment="SSH connections"
add chain=forward action=mark-packet new-packet-mark=ssh-rx passthrough=no dst-address-list=LAN-Clients connection-mark=ssh-connection comment="SSH inboud"
add chain=prerouting action=mark-packet new-packet-mark=ssh-tx passthrough=no src-address-list=LAN-Clients connection-mark=ssh-connection comment="SSH outboud"

Further investigation led me to the fact that the FIRST mangle rule, with the connection mark for ALL traffic, does something that I don't understand, because disabling it makes ALL work again without the additional src-port connection-mark rule!

/ip firewall mangle
add chain=forward action=mark-packet new-packet-mark=LOWPRIO-RX passthrough=yes dst-address-list=LAN-Clients connection-mark=ALL-TRAFFIC  comment="ALL inboud packets"
add chain=prerouting action=mark-packet new-packet-mark=LOWPRIO-TX passthrough=yes src-address-list=LAN-Clients connection-mark=ALL-TRAFFIC comment="ALL outbound packets"

add chain=forward action=mark-connection new-connection-mark=ssh-connection passthrough=yes protocol=tcp dst-port=22 comment="SSH connections" 
add chain=forward action=mark-packet new-packet-mark=ssh-rx passthrough=no dst-address-list=LAN-Clients connection-mark=ssh-connection comment="SSH inboud"
add chain=prerouting action=mark-packet new-packet-mark=ssh-tx passthrough=no src-address-list=LAN-Clients connection-mark=ssh-connection comment="SSH outboud"

NOTE: I reset the counters and typed something in the SSH terminal before taking each screenshot, to update the counters.

So the questions are:

  1. Why does the first rule, which marks all connections, affect the following connection-mark rules?
  2. Why does adding the src-port rule for marking inbound connections make sense for packet marks EVEN if the all-traffic rule is enabled?
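
Added example, not part of the original post and not RouterOS code: a simplified Python model that replays the three rule sets above over one constructed SSH session and counts rule hits. It assumes that mangle prerouting runs before mangle forward for each packet and that a matching mark-connection rule overwrites the mark stored on the shared connection entry; the packet sequence, client port 50000 and all Python names are made up for illustration.

```python
# Simplified model (an assumption, not RouterOS code): per packet, mangle
# prerouting runs before mangle forward, and the connection mark lives on
# the shared conntrack entry, so every matching mark-connection overwrites it.
from collections import Counter

def rule(chain, action, mark, passthrough=True, **match):
    return dict(chain=chain, action=action, mark=mark, passthrough=passthrough, match=match)

ALL_CONN = rule("forward", "conn", "ALL-TRAFFIC")
LOW_RX = rule("forward", "pkt", "LOWPRIO-RX", to_lan=True, conn="ALL-TRAFFIC")
LOW_TX = rule("prerouting", "pkt", "LOWPRIO-TX", from_lan=True, conn="ALL-TRAFFIC")
SSH_DST = rule("forward", "conn", "ssh-connection", dst_port=22)
SSH_SRC = rule("forward", "conn", "ssh-connection", src_port=22)
SSH_RX = rule("forward", "pkt", "ssh-rx", passthrough=False, to_lan=True, conn="ssh-connection")
SSH_TX = rule("prerouting", "pkt", "ssh-tx", passthrough=False, from_lan=True, conn="ssh-connection")

# The three rule sets from the post, in the order they were entered.
RULESETS = {
    "first": [ALL_CONN, LOW_RX, LOW_TX, SSH_DST, SSH_RX, SSH_TX],
    "with src-port rule": [ALL_CONN, LOW_RX, LOW_TX, SSH_SRC, SSH_DST, SSH_RX, SSH_TX],
    "ALL rule disabled": [LOW_RX, LOW_TX, SSH_DST, SSH_RX, SSH_TX],
}

# Constructed packets of one SSH session; 50000 is a made-up client port.
OUT = dict(from_lan=True, to_lan=False, src_port=50000, dst_port=22)
IN = dict(from_lan=False, to_lan=True, src_port=22, dst_port=50000)
SESSION = [OUT, IN, OUT, OUT, IN, IN]

def simulate(rules, packets=SESSION):
    """Return hit counts keyed by the mark each rule sets."""
    hits, conn_mark = Counter(), None
    for pkt in packets:
        for chain in ("prerouting", "forward"):
            for r in (r for r in rules if r["chain"] == chain):
                view = dict(pkt, conn=conn_mark)  # packet fields + current connection mark
                if any(view[k] != v for k, v in r["match"].items()):
                    continue
                hits[r["mark"]] += 1
                if r["action"] == "conn":
                    conn_mark = r["mark"]  # overwrite the mark on the connection
                if not r["passthrough"]:
                    break  # passthrough=no: stop evaluating this chain
    return hits

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        print(name, dict(simulate(rules)))
```

In this model the unconditional ALL-TRAFFIC rule re-marks the connection on every forwarded packet, so reply packets (src-port 22) reach the ssh-rx rule carrying ALL-TRAFFIC unless a src-port=22 rule marks them again, which matches the counters described in the post. Restricting the ALL-TRAFFIC rule with connection-mark=no-mark is a common way to keep it from overwriting marks set by later rules.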