In some work I was doing to support another thread I realized I needed some help in terms of whether my passthrough usage was correct and/or whether I should be using JUMP instead.
Being weak on both, I am asking for advice.
Context: Ensure those using YouTube, Netflix etc. are sent to a secondary WAN connection (ADSL) where 4G is the primary. This could apply to any scenario where one needs to identify specific TLS traffic and then take some action based on that identification.
First step: Identify users who are attempting to access youtube etc… and add the destination addresses to a firewall address list.
/ip firewall mangle
{youtube}
add action=add-dst-to-address-list address-list=Streaming_users address-list-timeout=12h chain=prerouting dst-port=443 in-interface-list=lan connection-mark=no-mark protocol=tcp tls-host=*.googlevideo.com passthrough=yes
{primevideo} (Note that Prime Music may be harder, and in that case one would have to force all amazon.com or amazon.uk traffic to ADSL.)
add action=add-dst-to-address-list address-list=Streaming_users address-list-timeout=12h chain=prerouting dst-port=443 in-interface-list=lan connection-mark=no-mark protocol=tcp tls-host=*.primevideo.com passthrough=yes
Second step: For all identified traffic, apply a connection mark and a routing mark to any traffic matching said list.
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=Streaming_users in-interface-list=lan connection-mark=no-mark new-connection-mark=markStreamers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=markStreamers new-routing-mark=routeStreamers passthrough=no
A number of things I am not sure of in this approach.
Should I use no-mark packets for the first mangle rule, or is sticking with no-mark connections more efficient/optimal/accurate?
Should I be using jump chain rules here? I'm not sure if I have used passthrough correctly.
Specifically, I have MULTIPLE add-to-address-list rules: do they need passthrough, or should I jump to Step 2?
I'm sure that more knowledgeable people will pass by and share their wisdom. I'll just drop my 5 cents … so you can decide not to agree with me by not picking up those 5 cents.
Jump and passthrough are different things, so it's not either-or. There are cases where one has to perform a series of identical checks on packets with slightly different basic characteristics. One would construct a custom chain of filter rules and jump to this chain as a result of those basic checks. I've seen jump used for checking ICMP packets according to options etc. (not that I agree with the anti-ICMP frenzy). Use of a separate chain is sensible, as the same checks are done both for incoming packets (chain=input) and for passing packets (chain=forward). For example:
/ip firewall filter
# rules about ICMP packets (icmp-options takes the form type:code)
add action=drop chain=icmp fragment=yes protocol=icmp
add action=accept chain=icmp comment="Type 0, Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="Type 3, Code 4, Fragmentation needed and DF set" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="Type 4, Source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="Type 8, Echo" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="Type 11, Code 0, Time to live exceeded in transit" disabled=yes icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="Type 12, Parameter problem" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp
#
# apply same ICMP rules to both input and forward chains without writing rules twice
#
add action=jump chain=input jump-target=icmp protocol=icmp
add action=jump chain=forward jump-target=icmp protocol=icmp
Another advantage of using jump over adding all of the rules to the "normal" chains is, in this case, performance: only packets matching the action=jump rule (protocol=icmp) will pass through the series of rules in chain=icmp … otherwise all other packets would have to pass the same rules.
Normally packet matching terminates with the first matching rule … what happens next depends on action= … However, sometimes one wants to perform more than one action on a given packet (as in your case in step 2, where you assign both a connection mark and a routing mark to the same packets); then one has to use passthrough=yes so that further rules get evaluated against the same packet.
You might want to use a jump in this case for performance … if such twice-evaluated packets are a minority of total traffic, you'd save some CPU cycles by processing packets that don't match the criteria (basically dst-address-list=Streaming_users) only once. But even if you moved the two mangle rules to a separate chain, you'd still have to use passthrough on all but the last rule to make sure all mangle rules apply. If there were no more than two rules, in your particular case you could abuse the currently first rule for action=jump and then "unconditionally" execute the second action inside the custom chain.
That was 5c well spent!
After reviewing the below, is RETURN a viable parameter/function to use?
Passthrough doesn't appear to be available with the jump action, luckily LOL.
Hmmm, perhaps the better approach is to simply jump. I think I may have cracked this nut!!!
{primevideo} (Note that Prime Music may be harder, and in that case one would have to force all amazon.com or amazon.uk traffic to ADSL.)
add chain=prerouting action=jump jump-target=moveToStep2 dst-port=443 in-interface-list=lan connection-mark=no-mark protocol=tcp tls-host=*.primevideo.com
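As an added example (not code from any of the posts above), here is the full mangle set from the first post reworked around a custom chain, the way the reply describes and the last post starts to do: the two marking actions live in one chain, entered by a single jump, with passthrough=yes only where a second action must still run on the same packet. The chain name streamers and the backslash line continuations are my choices; the address list, mark names, interface list and tls-host patterns are the ones from the original post. It assumes a route (or routing table) for routing-mark routeStreamers already exists, which the thread does not show.

```routeros
/ip firewall mangle
# Custom chain (name "streamers" is an assumption). Both actions must run on a
# packet that enters here, so the first rule has passthrough=yes; the second is
# terminal, and control then returns to the prerouting rule after the jump.
add chain=streamers action=mark-connection new-connection-mark=markStreamers passthrough=yes
add chain=streamers action=mark-routing new-routing-mark=routeStreamers passthrough=no

# Step 1: learn streaming destinations from the TLS SNI. tls-host only matches
# the ClientHello packet of a session, so these rules fire once per new TLS
# session; passthrough=yes lets that packet continue to the rules below.
add chain=prerouting action=add-dst-to-address-list address-list=Streaming_users \
    address-list-timeout=12h protocol=tcp dst-port=443 in-interface-list=lan \
    connection-mark=no-mark tls-host=*.googlevideo.com passthrough=yes
add chain=prerouting action=add-dst-to-address-list address-list=Streaming_users \
    address-list-timeout=12h protocol=tcp dst-port=443 in-interface-list=lan \
    connection-mark=no-mark tls-host=*.primevideo.com passthrough=yes

# Step 2: only the first packet of a new connection to a listed destination
# enters the custom chain. Everything else fails this one cheap test and never
# sees the marking rules, which is the performance point of the jump.
add chain=prerouting action=jump jump-target=streamers dst-address-list=Streaming_users \
    in-interface-list=lan connection-mark=no-mark

# Later packets of an already-marked connection only need the routing mark.
add chain=prerouting action=mark-routing connection-mark=markStreamers \
    new-routing-mark=routeStreamers passthrough=no
```

Two caveats worth checking before relying on this. First, because tls-host is seen only on the ClientHello, the session that first reveals a new destination has already been routed out the primary WAN on its SYN; it is the following connections to that address, now in Streaming_users, that get the connection mark on their first packet and go out via the marked route. That is also why the marks are applied at connection start rather than mid-stream: re-routing an established flow between two WANs that NAT differently generally breaks it. Second, on the RETURN question: a packet leaves a custom chain either through a terminal rule (passthrough=no, drop, accept and so on), through an explicit action=return, or by running off the end of the chain without a match; in the last two cases evaluation resumes at the rule after the jump.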