Mangle question

I have set up my QoS and mangle rules following the guidelines I could find around on the forum and in the Manual. Thus, first marking the connection and then marking all packets belonging to this connection. My question concerns the passthrough option (not the action “passthrough”, but the check box “passthrough” under the action box in winbox).

For all lines marking connections the “passthrough” is checked.

And for all lines marking the packets (based on the connection mark) the “passthrough” is un-checked.

Question: Is this the right practice?

Question 2: What will happen if a new connection matches more rules? Will the old connection mark be over-written by the last rule matching the connection?

Thanks,

Pilgrim

Basically, what the passthrough option in the Mangle rules means is that if a packet matches this rule, it continues to be processed through the mangle rules instead of exiting. Generally you will want to leave this unchecked, unless you want to allow for the possibility of a connection or packet being marked differently later on once it has received a mark. This saves resources since it doesn’t have to continue processing the packet against the rules.

In the firewall the rules are processed in the order of what chain they are in. This means that rule 1 in prerouting/forward/input/output/postrouting is always processed before rule 2 and so on. So if a connection can match several rules and you have passthrough checked, it will initially get marked by the first rule and then marked by the second rule. In general you want to place your rules that will get hit the most higher up in the chain and don’t have passthrough checked so it will bail out sooner and save resources.

In MikroTik, each packet can have one packet-mark, connection-mark, and routing-mark. Trying to overwrite marks to have something match multiple different rules, however, can mess things up and cause issues you weren’t looking for.

@Feklar

Thanks, that makes a lot of sense now. I will try to uncheck the passthrough option.

Is it possible to set up a rule at the end of the mangle chain of rules that will catch all traffic not matching any of the previous mangle rules i.e. just to make a check how much traffic is not mangled by the previous rules?

Thanks,

Pilgrim

Yes it is. You just make the rule as general as possible and place it as the last rule in that specific chain; if you have multiple chains you are marking stuff on, set a rule for each chain. If you just want to see how many packets are hit, you can just have the action set to “accept”. If you want more information on the packets, set the action to log. This can generate a ton of logs though, so I would only use it for debugging stuff.

Of course. Just add a last rule in the appropriate chain (i.e., the same chain the other rules are in) that has an action of ‘accept’. That doesn’t change the packet in any way, but will count packets/bytes.
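The layout described in this thread, as an added example that is not from any of the posts above: a connection-mark rule with passthrough left on, a packet-mark rule with it off, and a catch-all accept rule at the end of the chain whose counters show how much traffic the earlier rules missed. The interface name ether1, the ports and the mark names are assumptions.

```routeros
/ip firewall mangle
# Step 1: mark the connection; passthrough=yes so the packet goes on to the
# packet-mark rule below instead of leaving the chain here.
# (ether1, the ports and the mark names are assumed values.)
add chain=prerouting in-interface=ether1 protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=web_conn passthrough=yes \
    comment="mark web connections"

# Step 2: mark every packet of a marked connection; passthrough=no so the
# packet exits the chain here and is not evaluated against later rules.
add chain=prerouting connection-mark=web_conn \
    action=mark-packet new-packet-mark=web_pkt passthrough=no \
    comment="mark web packets"

# Last rule: a catch-all 'accept' changes nothing about the packet, but its
# packet/byte counters show what reached the end of the chain unmarked.
add chain=prerouting action=accept comment="unmarked traffic counter"

# Read the per-rule counters to see how much traffic each rule matched.
/ip firewall mangle print stats
```

If the counter on the last rule keeps growing, that traffic is not covered by any marking rule above it and is a candidate for a new rule placed higher in the chain.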