Mangle Rule for change DSCP out interface

Hello,

I am trying to reproduce a QoS configuration from a Cisco on a Mikrotik, and I am stuck on how to do “class class-default => set dscp cs1” on the Mikrotik!

On the Mikrotik I tried to do it this way to reproduce the Cisco “class class-default”, i.e. to change the DSCP on ALL traffic leaving the Mikrotik (WAN interface = vlan20):

/ip firewall mangle add action=mark-connection chain=forward connection-state=new new-connection-mark=no-mark passthrough=yes
/ip firewall mangle add action=mark-packet chain=forward new-packet-mark=no-mark passthrough=yes
/ip firewall mangle add action=change-dscp chain=postrouting log-prefix=test_cs1 new-dscp=8 out-interface=vlan20 packet-mark=no-mark passthrough=yes

But when I look at the switch where the OUT port (vlan20) of the Mikrotik is connected, I can see traffic passing with DSCP 0 and DSCP 8.

I conclude that my rules are not good; with a Cisco CPE there is no problem, on the switch I can see traffic passing with DSCP 8 only…

Thanks!

There are many holes through which a DSCP 0 may leak to the out-interface:

  • it is not clear whether the action=change-dscp rule is the only one in chain=postrouting of ip firewall mangle.
  • the same applies for the other two rules you’ve shown, and if some other rules assign a packet-mark, the action=change-dscp rule which checks packet-mark=no-mark will ignore marked packets.
  • if you want to mimic a switch behaviour, you have to disable hardware-accelerated bridging (/interface bridge port set [find bridge=your-bridge-name] hw=no) if you use a device with a switch chip, and you also have to either force bridged frames via the IP firewall (/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes) or use /interface bridge filter rules in chain=forward to change the DSCP field on frames being forwarded from one bridge interface to another. If you only want to change the DSCP value, the latter method is sufficient; if you want to apply some QoS policy (bandwidth restriction), forcing the bridged traffic through the IP firewall is mandatory, as the queues only work there. But you can assign packet-marks already by /interface bridge filter rules.

I have to mark the SIP / RTP traffic in DSCP 46 and all the rest of the traffic has to be marked in DSCP 8.

I can identify and mark SIP / RTP traffic.

/ip firewall mangle add action=mark-connection chain=forward dst-address=1.2.3.4 dst-port=5060 new-connection-mark=sip-connection protocol=udp
/ip firewall mangle add action=mark-packet chain=forward connection-mark=sip-connection new-packet-mark=SIP passthrough=yes
/ip firewall mangle add action=mark-connection chain=forward dst-address=1.2.3.4 new-connection-mark=rtp-connection port=10000-20000 protocol=udp
/ip firewall mangle add action=mark-packet chain=forward connection-mark=rtp-connection new-packet-mark=RTP
/ip firewall mangle add action=change-dscp chain=postrouting log=yes log-prefix=DSCP-46 new-dscp=46 out-interface=vlan20 packet-mark=RTP passthrough=yes
/ip firewall mangle add action=change-dscp chain=postrouting log=yes log-prefix=DSCP-5060 new-dscp=46 out-interface=vlan20 packet-mark=SIP passthrough=yes

I can’t seem to do the same for the rest of the traffic and find it difficult to understand the Mikrotik principle compared to Cisco…

What do you recommend to me?



  • to answer the following question which was hidden in my previous post, “Is all the traffic you want to DSCP-mark routed, or is there any switched (=bridged) one?”, and depending on the answer, take an appropriate measure (do nothing or update the configuration to handle the bridged traffic too),
  • to add a rule /ip firewall mangle add action=change-dscp chain=postrouting log=yes log-prefix=DSCP- new-dscp=34 out-interface=vlan20 after (below) the other two, and set passthrough=no on the other two. The rules in each firewall chain are evaluated from the top one downwards until the first match. So packets marked as SIP or RTP will get the 46 and thanks to passthrough=no they won’t get any further in that chain, and packets which bear none of those two packet marks will reach the last rule and get the 34. This is equivalent to Cisco’s “default handling”. If there is no such rule, the DSCP will remain unchanged.

sindy,

Thanks for your help but I still can’t ;(

Is all the traffic you want to DSCP-mark routed, or is there any switched (=bridged) one?

The traffic from the Mikrotik is routed to another router. I have a switch with QoS between the Mikrotik and the Internet output router:

PC–(LAN]–[Mikrotik]–(WAN vlan20)-----[SWITCH QoS]----[ROUTER]===WWW

to add a rule /ip firewall mangle add action=change-dscp chain=postrouting log=yes log-prefix=DSCP- new-dscp=34 out-interface=vlan20 after (below) the other two, and set passthrough=no on the other two

I tried it like this:
/ip firewall mangle add action=mark-connection chain=forward dst-address=1.2.3.4 dst-port=5060 new-connection-mark=sip-connection passthrough=yes protocol=udp
/ip firewall mangle add action=mark-packet chain=forward connection-mark=sip-connection new-packet-mark=SIP passthrough=yes
/ip firewall mangle add action=mark-connection chain=forward dst-address=1.2.3.4 new-connection-mark=rtp-connection passthrough=yes port=10000-20000 protocol=udp
/ip firewall mangle add action=mark-packet chain=forward connection-mark=rtp-connection new-packet-mark=RTP passthrough=yes
/ip firewall mangle add action=change-dscp chain=postrouting log=yes log-prefix=DSCP-RTP new-dscp=46 out-interface=vlan20 packet-mark=RTP passthrough=no
/ip firewall mangle add action=change-dscp chain=postrouting log=yes log-prefix=DSCP-SIP new-dscp=46 out-interface=vlan20 packet-mark=SIP passthrough=no
/ip firewall mangle add action=change-dscp chain=postrouting log=yes log-prefix=test_cs1 new-dscp=8 out-interface=vlan20 passthrough=yes

OK, so all what you actually want is to make the QoS-ing switch prioritize the outgoing traffic of a softphone running on the PC, which is routed through the WAN of the Tik, which is vlan20. And the means to do that is to mark the VoIP packets with dscp 46, and everything else with dscp 8. Correct?

If so, I cannot see a mistake in your mangle rules, except they are overly complex for the purpose - as you only deal with the PC->WAN direction and do no QoS enforcement on the Tik itself, you can omit the mark-connection and mark-packet rules and use only the change-dscp ones, making them match on dst-address, protocol, and dst-port directly, without first translating these values into connection-mark and then translating the connection-mark into packet-mark. This approach makes a lot of sense in more complex setups but not here.

But there may be one common mistake elsewhere - in order for mangle rules to work on all packets, the action=fasttrack-connection rule in /ip firewall filter must not be active, because the very essence of fasttracking packets is to let them skip mangle rules plus a lot of other processing. As fasttracking is otherwise helpful, it may make sense to disable it only for the traffic you need to mark with a non-default DSCP. So first check this point, and if the action=fasttrack-connection is there, disable it and try again. Yet it is still not so simple - already existing connections will remain fasttracked until they end, so you have to test on new connections. If it would be too complex to distinguish between the old and new ones, use a bigger hammer - after disabling the action=fasttrack-connection rule, use /ip firewall connection remove [find fasttrack] to clean up all existing fasttracked connections. It may break some ongoing TCP transmissions, though.

Off topic, are you sure that the VoIP provider expects the RTP always on the same IP where they expect SIP?

Off topic 2, would you mind disclosing your native language?

OK, so all what you actually want is to make the QoS-ing switch prioritize the outgoing traffic of a softphone running on the PC, which is routed through the WAN of the Tik, which is vlan20. And the means to do that is to mark the VoIP packets with dscp 46, and everything else with dscp 8. Correct?

Yes, that’s exactly it! With a CISCO I have no problem, everything works!
The switch takes care of managing network congestion with the queues.

If so, I cannot see a mistake in your mangle rules, except they are overly complex for the purpose - as you only deal with the PC->WAN direction and do no QoS enforcement on the Tik itself, you can omit the mark-connection and mark-packet rules and use only the change-dscp ones, making them match on dst-address, protocol, and dst-port directly, without first translating these values into connection-mark and then translating the connection-mark into packet-mark. This approach makes a lot of sense in more complex setups but not here.

The ROUTER (CISCO) also processes the flow to the Mikrotik:

interface GigabitEthernet0/0.20
 description *** VLAN20 to MIKROTIK ***
 encapsulation dot1Q 20
 ip address 10.0.2.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 service-policy output Qos_VLAN20
!
ip access-list extended ACL_VoIP
 permit udp host 1.2.3.4 eq 5060 any
 permit udp host 1.2.3.4 range 10000 20000 any
!
policy-map Qos_VLAN20
 class VoIP
  set cos 5
 class class-default
  set cos 1
!
I really can’t figure out how to get DSCP to work properly on TIK. I spent days there without success :cry:

But there may be one common mistake elsewhere - in order that mangle rules worked on all packets, the action=fasttrack-connection rule in /ip firewall filter must not be active,

The fasttrack filter rule is removed! No items found in the mangle rules.

Off topic, are you sure that the VoIP provider expects the RTP always on the same IP where they expect SIP?

The ASTERISK server is in the same network segment as the CISCO ROUTER.

Off topic 2, would you mind disclosing your native language?

I am French, my English is not very good, I know it :slight_smile:

Do you think there is a solution to make DSCP 8 work properly?

That’s good, and I did understand that the QoS on the Asterisk-to-PC direction is handled elsewhere; what I had in mind when saying you only need to handle the PC->WAN direction was that you don’t need to handle the opposite direction on the Mikrotik itself.


Well, my reason to ask was not that I’d have problems understanding what you wrote, but because I struggle to understand what you didn’t. For example, I suggested to you what to do (disable the fasttrack rule if it exists), and instead of providing any feedback on this, you’ve asked

But without that feedback, the only thing I can answer is “yes, I know there is, because I do that regularly with no problems”, but I cannot tell you where else to dig. Disabling of the action=fasttrack-connection rule in /ip firewall filter should have made all the action=change-dscp rules in /ip firewall mangle work. If it hasn’t, I need the full config export to tell you what to do next.


As for “everything is crystal clear on Cisco, and dark forest on Mikrotik” - this is usually a matter of which vendor’s ecosystem you’ve met first when learning networking. To me, the way everything is done in Mikrotik (ordered rule chains for firewall, ordered rule chains for routing, ordered rule chains for IPsec policies, …) is crystal clear, because RouterOS is in fact a unified configuration front-end above various linux features, and the hundreds of default settings not shown in show running-config upset me.

Ok…

But without that feedback, the only thing I can answer is “yes, I know there is, because I do that regularly with no problems”, but I cannot tell you where else to dig. Disabling of the action=fasttrack-connection rule in /ip firewall filter should have made all the action=change-dscp rules in /ip firewall mangle work. If it hasn’t, I need the full config export to tell you what to do next.

/ip firewall filter fasttrack is removed!

Here is my complete configuration

# jan/02/1970 03:53:15 by RouterOS 6.46.6
# software id = M97U-JVGB
#
# model = RB952Ui-5ac2nD
# serial number = BEE40BD3C89B
/interface bridge add admin-mac=C4:AD:34:88:00:7B auto-mac=no comment="Network LAN" name=bridge
/interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-B26F1D wireless-protocol=802.11
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX comment="Interface(s) Wifi" country="france res" disabled=no distance=indoors frequency=2437 installation=indoor mode=ap-bridge name=wlan2.4 ssid=WIFI_TIK wireless-protocol=802.11
/interface ethernet set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface ethernet set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface ethernet set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface ethernet set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface ethernet set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless nstreme set wlan2.4 comment="Interface(s) Wifi"
/interface wireless manual-tx-power-table set wlan2.4 comment="Interface(s) Wifi"
/interface vlan add comment="WAN" interface=ether5 name=vlan20 vlan-id=20
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add exclude=dynamic name=discover
/interface list add name=mactel
/interface list add name=mac-winbox
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=XXXXXXXX
/ip pool add name=default-dhcp ranges=192.168.1.1-192.168.1.249
/ip dhcp-server add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ipv6 pool add name=pool1 prefix=2001:db8:25:b068::/64 prefix-length=64
/interface bridge port add bridge=bridge comment="Interfaces du LAN" interface=ether2
/interface bridge port add bridge=bridge interface=wlan2.4
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether1
/ip neighbor discovery-settings set discover-interface-list=discover
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=vlan20 list=WAN
/interface list member add interface=wlan2.4 list=discover
/interface list member add interface=wlan2 list=discover
/interface list member add interface=ether2 list=discover
/interface list member add interface=ether3 list=discover
/interface list member add interface=ether4 list=discover
/interface list member add interface=ether5 list=discover
/interface list member add interface=bridge list=discover
/interface list member add interface=bridge list=mactel
/interface list member add interface=bridge list=mac-winbox
/interface wireless access-list add interface=wlan2.4 mac-address=C4:AD:34:88:00:81 vlan-mode=no-tag
/ip address add address=192.168.1.254/24 comment="Network LAN" interface=bridge network=192.168.1.0
/ip address add address=10.0.2.1/30 comment="IP WAN" interface=vlan20 network=10.0.2.0
/ip dhcp-server network add address=192.168.1.0/24 comment="Network LAN" domain=network.local gateway=192.168.1.254
/ip dns set servers=2001:4860:4860::8888,2620:0:ccc::2,8.8.8.8,208.67.222.222
/ip firewall filter add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Accept WINBOX" dst-port=8291 in-interface=vlan20 protocol=tcp
/ip firewall filter add action=accept chain=input comment="Allow L2TP VPN (ipsec-esp)" in-interface-list=WAN protocol=ipsec-esp
/ip firewall filter add action=accept chain=input comment="Allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle add action=mark-connection chain=forward dst-address=1.2.3.4 dst-port=5060 new-connection-mark=sip-connection passthrough=yes protocol=udp
/ip firewall mangle add action=mark-packet chain=forward connection-mark=sip-connection new-packet-mark=SIP passthrough=yes
/ip firewall mangle add action=mark-connection chain=forward dst-address=1.2.3.4 new-connection-mark=rtp-connection passthrough=yes port=10000-20000 protocol=udp
/ip firewall mangle add action=mark-packet chain=forward connection-mark=rtp-connection new-packet-mark=RTP passthrough=yes
/ip firewall mangle add action=change-dscp chain=postrouting log=yes log-prefix=DSCP-RTP new-dscp=46 out-interface=vlan20 packet-mark=RTP passthrough=no
/ip firewall mangle add action=change-dscp chain=postrouting log=yes log-prefix=DSCP-SIP new-dscp=46 out-interface=vlan20 packet-mark=SIP passthrough=no
/ip firewall mangle add action=change-dscp chain=postrouting log=yes log-prefix=test_cs1 new-dscp=8 out-interface=vlan20 passthrough=yes
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route add distance=1 gateway=10.0.2.2
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set winbox address=2001:db9:2525:ffff::/64,A.B.C.D/32
/ip service set api-ssl disabled=yes
/ipv6 address add address=2001:db8:1234:3329:20:ffff:ffff:1/126 advertise=no comment="IPv6" interface=vlan20
/ipv6 address add address=::f254 comment="Gateway IPv6 LAN" from-pool=pool1 interface=bridge
/ipv6 firewall filter add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related
/ipv6 firewall filter add action=accept chain=input comment="Accept ICMP" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="Accept WINBOX" dst-port=8291 in-interface=vlan20 protocol=tcp
/ipv6 firewall filter add action=drop chain=input connection-state=invalid
/ipv6 firewall filter add action=drop chain=input connection-state=new in-interface=vlan20
/ipv6 firewall filter add chain=forward protocol=icmpv6
/ipv6 firewall filter add chain=forward connection-state=established,related
/ipv6 firewall filter add chain=forward connection-state=new in-interface=!vlan20
/ipv6 firewall filter add action=drop chain=forward connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward connection-state=new in-interface=vlan20
/ipv6 nd set [ find default=yes ] interface=bridge managed-address-configuration=yes other-configuration=yes
/ipv6 nd prefix add autonomous=no interface=bridge
/ipv6 route add distance=1 gateway=2001:db8:1234:3329:20:ffff:ffff:2
/system clock set time-zone-name=Europe/Paris
/system identity set name=RB952UI_VLAN20
/tool bandwidth-server set enabled=no
/tool graphing interface add allow-address=192.168.1.254/32 interface=vlan20
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no



As for “everything is crystal clear on Cisco, and dark forest on Mikrotik” - this is usually a matter of which vendor’s ecosystem you’ve met first when learning networking. To me, the way everything is done in Mikrotik (ordered rule chains for firewall, ordered rule chains for routing, ordered rule chains for IPsec policies, …) is crystal clear, because RouterOS is in fact a unified configuration front-end above various linux features, and the hundreds of default settings not shown in show running-config upset me.

You are right! I learned Cisco for a long time… I really like Mikrotik but it is true that from time to time I have problems converting a configuration from a Cisco to a Mikrotik. I still don’t despair of finding the DSCP problem…

I still cannot see any reason why it should not work.

Where and how do you check the DSCP value of the packets?

We were dealing with IPv4 packets all the time so far, so could it be that it’s only the IPv6 ones which keep DSCP 0?

So please set passthrough=no also on the rule setting the dscp 8, and add another rule:
/ip firewall mangle add chain=postrouting action=passthrough

Then run some traffic, and then show me the output of /ip firewall mangle print stats chain=postrouting. The last rule should count nothing.

Then, try to sniff the traffic at ether5 into a file, and open that file using Wireshark. You should see there which packets have DSCP 0, and from that we could conclude something.

If it’s only the IPv6 ones, you need an ipv6 firewall mangle add action=change-dscp new-dscp=8.

Thank you sindy for your suggestions ! I think we are on the right track.

Cos 0 comes from IPv6. I disabled IPv6 on the Mikrotik and I still have some packets coming in??

Here is the display of the DSCP sent by the Mikrotik on the switch port:

  1. what exactly does “disabled IPv6 from Mikrotik” mean? The Wireshark screenshot shows IPv6 source and destination address :: which is quite surprising.
  2. don’t mix up COS and TOS/DSCP. COS is the priority field of VLAN tag, DSCP is the six bits of the TOS field of IP header. They need to be set separately if you need both to be set (although the Cisco may translate one into the other).


Well, but this doesn’t show the protocol used, so it is useless to track down the source. Stick with the Wireshark until it stops showing any DSCP 0, then we may check the Cisco statistics again.

  1. what exactly does “disabled IPv6 from Mikrotik” mean? The Wireshark screenshot shows IPv6 source and destination address :: which is quite surprising.

I have disabled the IPv6 package; do we agree that the method is correct?

I am using Windows 10 on the Mikrotik LAN. I also disabled IPv6 on all interfaces of the PC.
The PC still sends IPv6 requests:

If I have correctly disabled IPv6 on the Mikrotik there should be no requests!!

Sure. This seems to be a sufficiently big hammer for the task.


Well, Microsoft and disabling things… that’s another can of worms.


Agreed, but as you post only screenshots of Wireshark packet list, it is hard to say what is the direction of the frames (Mikrotik → Cisco or opposite) and what the VLAN ID is.

In short, even if the PC sends IPv6 packets, with the IPv6 software package disabled on the Mikrotik the Mikrotik should not route them anywhere. Since at the Mikrotik side ether5 only carries VLAN 20, nothing IPv6 should leave the Mikrotik through ether5, and whatever leaves the Mikrotik should have the MAC address of ether5 as source. So double-check this in the sniff (capture), and if you spot any packets with the DSCP field set to 0 or with ethertype IPv6, and with ether5’s MAC address as source, show them in more detail.

Agreed, but as you post only screenshots of Wireshark packet list, it is hard to say what is the direction of the frames (Mikrotik → Cisco or opposite) and what the VLAN ID is.

C4:AD:34:88:00:7F => ETHER5 = VLAN20 (WAN Interface)
58:F3:9C:5B:0D:91 => CISCO GigabitEthernet0.20

On CISCO GigabitEthernet0.20 there is no IPv6:

interface GigabitEthernet0.20
 encapsulation dot1Q 20
 ip address 10.0.2.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
sh arp:
Internet  10.0.2.1                4   c4ad.3488.007f  ARPA   GigabitEthernet0.20
Internet  10.0.2.2                -   58f3.9c5b.0d91  ARPA   GigabitEthernet0.20

OK, so it’s just a display issue. Those packets with DSCP 0 are actually not IPv6 packets, as the source and destination address values :: suggest, but they are IPv4 ARP packets, which are not handled by the IP firewall either (they are related to IPv4 but they are not IPv4 themselves), nor do they contain any DSCP field (so the 0 there is again a display issue; instead of showing a blank or -, the gents have decided to confuse us by showing a made-up number).

So for these packets, you cannot set any DSCP, not because there is no tool to do that but because there is no DSCP field in the packets themselves. If you want to set the CoS (priority) field in the VLAN tag, there’s a way to do that, but it involves a bridge filter, which requires inserting a bridge into the WAN path, so some waste of CPU resources. The switch chip in the RB952 is an 8227 which doesn’t support rules on itself, so there is no way to set CoS for ARP and translate DSCP into CoS that way.
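The check sindy asks for above (frames sourced from ether5’s MAC, with DSCP 0 or ethertype IPv6) can be done outside Wireshark as well. The script below is an added example and not part of the thread or of RouterOS: it decodes Ethernet, the 802.1Q tag and the DSCP bits of IPv4/IPv6, reports ARP as having no DSCP field at all (the point of the reply above), and only counts frames whose source MAC is the router’s WAN port, so inbound frames from the Cisco are not mistaken for the router’s own marking. The MAC addresses are the two quoted in the thread; the frames in SAMPLE_CAPTURE are constructed, and `read_pcap` (classic libpcap format only) is provided so a real sniff taken on ether5 can be audited the same way.

```python
import struct
import sys
from collections import Counter

# Ethertypes that matter when reading a capture taken on the WAN port.
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_ARP = 0x0806


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame):
    """Decode Ethernet, an optional 802.1Q tag and the DSCP bits of IPv4/IPv6."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan_id = cos = None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_id, cos = tci & 0x0FFF, tci >> 13   # CoS is in the VLAN tag, not in the IP header
        offset += 4
    info = {"src": mac_str(src), "dst": mac_str(dst), "vlan": vlan_id, "cos": cos,
            "ethertype": ethertype, "proto": "other", "dscp": None}
    if ethertype == ETHERTYPE_IPV4:
        info["proto"] = "ipv4"
        info["dscp"] = frame[offset + 1] >> 2    # DSCP = upper six bits of the TOS byte
    elif ethertype == ETHERTYPE_IPV6:
        info["proto"] = "ipv6"
        first_word = struct.unpack("!I", frame[offset:offset + 4])[0]
        info["dscp"] = ((first_word >> 20) & 0xFF) >> 2   # traffic class, then its DSCP part
    elif ethertype == ETHERTYPE_ARP:
        info["proto"] = "arp"                    # no IP header at all, hence no DSCP field
    return info


def audit(frames, wan_mac, wan_vlan=20):
    """Summarise only the frames the router itself sent (source MAC = WAN port)."""
    summary = {"dscp": Counter(), "no_dscp_field": Counter(), "ipv6_frames": 0, "wrong_vlan": 0}
    for frame in frames:
        info = parse_frame(frame)
        if info["src"] != wan_mac:
            continue                             # opposite direction: not the router's marking
        if info["vlan"] != wan_vlan:
            summary["wrong_vlan"] += 1
        if info["proto"] in ("ipv4", "ipv6"):
            summary["dscp"][info["dscp"]] += 1
            if info["proto"] == "ipv6":
                summary["ipv6_frames"] += 1
        else:
            summary["no_dscp_field"][info["ethertype"]] += 1
    return summary


def read_pcap(path):
    """Yield raw frames from a classic libpcap file (not pcapng)."""
    with open(path, "rb") as fh:
        magic = struct.unpack("<I", fh.read(24)[:4])[0]
        end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
        while True:
            record = fh.read(16)
            if len(record) < 16:
                break
            _sec, _frac, incl_len, _orig_len = struct.unpack(end + "IIII", record)
            yield fh.read(incl_len)


def tagged_frame(src, dst, vlan_id, ethertype, payload):
    """Build an 802.1Q-tagged Ethernet frame (CoS 0) around a payload."""
    return struct.pack("!6s6sHHH", dst, src, ETHERTYPE_VLAN, vlan_id, ethertype) + payload


def ipv4_header(dscp):
    """Minimal 20-byte IPv4 header; only the fields the parser reads are meaningful."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                       bytes([10, 0, 2, 1]), bytes([10, 0, 2, 2]))


TIK_WAN = bytes.fromhex("c4ad3488007f")    # ether5 MAC as quoted in the thread
CISCO = bytes.fromhex("58f39c5b0d91")      # Cisco sub-interface MAC as quoted in the thread
BROADCAST = bytes.fromhex("ffffffffffff")

# Constructed sample capture (not a real sniff): two marked IPv4 packets, one ARP
# request from the router, and one inbound packet that must be ignored.
SAMPLE_CAPTURE = [
    tagged_frame(TIK_WAN, CISCO, 20, ETHERTYPE_IPV4, ipv4_header(46)),
    tagged_frame(TIK_WAN, CISCO, 20, ETHERTYPE_IPV4, ipv4_header(8)),
    tagged_frame(TIK_WAN, BROADCAST, 20, ETHERTYPE_ARP, bytes(28)),
    tagged_frame(CISCO, TIK_WAN, 20, ETHERTYPE_IPV4, ipv4_header(0)),
]

if __name__ == "__main__":
    frames = list(read_pcap(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print(audit(frames, mac_str(TIK_WAN)))
```

Run it with a pcap path to audit a real capture; on the constructed sample it reports DSCP 46 and 8 once each, one frame (ARP) with no DSCP field, no IPv6 and nothing on a wrong VLAN. A non-empty `ipv6_frames` or a `dscp[0]` count would be the leak to investigate; a count under `no_dscp_field` is expected and cannot be fixed by any mangle rule.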

Hello,

@sindy: Thank you very much for your help, I understood why I have this!

Now I cannot change the DSCP at the output interface of my router for Winbox management.

I want the Winbox traffic to be in DSCP 48 and the rest of the traffic in DSCP 8.

/ip firewall mangle add action=change-dscp chain=postrouting new-dscp=8 out-interface=vlan20 passthrough=no
/ip firewall mangle add action=change-dscp chain=output new-dscp=48 out-interface=vlan20 passthrough=yes protocol=tcp src-port=8291

All traffic is marked with cos 8 :frowning:

As the packet flow diagram shows, the postrouting chain follows after the output one. So if you want to prevent the rule in postrouting from rewriting any already assigned DSCP value (assuming that value 0 means that it has not been assigned yet), you have to add dscp=0 to it as a match condition.

Okay, but I don’t understand how to add this condition …

Should I add a packet forward mark rule and in the DSCP (TOS) advanced tab put 0?

/ip firewall mangle set [find action~"change-dscp" chain~"postrouting" new-dscp~"8" out-interface~"vlan20"] dscp=0
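Two things in this thread are easy to get wrong and cheap to check on paper: the top-down, passthrough=no evaluation that sindy relies on for the “default handling” rule, and the fact that chain=postrouting runs after chain=output, which is why the Winbox rule above lost its DSCP 48 until the dscp=0 match was added. The script below is an added example (not code from the thread or from MikroTik): a small Python model of that evaluation order with three rule sets, the simplified direct-match VoIP rules suggested earlier in the thread, the Winbox pair as first posted, and the Winbox pair with the dscp=0 condition. The model deliberately ignores prerouting/input, connection tracking and marks; a tuple in a match means an inclusive dst-port range (the thread’s port=10000-20000 matches either direction, here only the destination is modelled); all packet values are constructed.

```python
class Rule:
    """One mangle rule: chain, action, match conditions, and whether evaluation continues."""

    def __init__(self, chain, action, match=None, new_dscp=None, passthrough=True):
        self.chain = chain
        self.action = action
        self.match = match or {}
        self.new_dscp = new_dscp
        self.passthrough = passthrough


def rule_matches(rule, pkt):
    """All match conditions must hold; a tuple means an inclusive port range."""
    for key, wanted in rule.match.items():
        have = pkt.get(key)
        if isinstance(wanted, tuple):
            if have is None or not wanted[0] <= have <= wanted[1]:
                return False
        elif have != wanted:
            return False
    return True


def run_chain(rules, chain, pkt):
    """Evaluate one chain top-down; passthrough=no ends the chain at the first match."""
    for rule in rules:
        if rule.chain != chain or not rule_matches(rule, pkt):
            continue
        if rule.action == "change-dscp":
            pkt["dscp"] = rule.new_dscp
        if not rule.passthrough:
            return


def mangle(rules, pkt):
    """Locally generated packets go output -> postrouting, routed ones forward -> postrouting."""
    pkt = dict(pkt)                  # never modify the caller's packet
    run_chain(rules, "output" if pkt["local"] else "forward", pkt)
    run_chain(rules, "postrouting", pkt)
    return pkt["dscp"]


# The simplification suggested in the thread: match the VoIP flows directly in
# change-dscp rules, then a catch-all for everything else, all with passthrough=no.
VOIP_DIRECT = [
    Rule("postrouting", "change-dscp",
         {"out-interface": "vlan20", "protocol": "udp", "dst-address": "1.2.3.4", "dst-port": 5060},
         new_dscp=46, passthrough=False),
    Rule("postrouting", "change-dscp",
         {"out-interface": "vlan20", "protocol": "udp", "dst-address": "1.2.3.4", "dst-port": (10000, 20000)},
         new_dscp=46, passthrough=False),
    Rule("postrouting", "change-dscp", {"out-interface": "vlan20"}, new_dscp=8, passthrough=False),
]

# The Winbox pair as posted: output sets 48, but postrouting runs afterwards and overwrites it.
WINBOX_BROKEN = [
    Rule("postrouting", "change-dscp", {"out-interface": "vlan20"}, new_dscp=8, passthrough=False),
    Rule("output", "change-dscp", {"out-interface": "vlan20", "protocol": "tcp", "src-port": 8291}, new_dscp=48),
]

# The fix from the reply above: the catch-all only touches packets whose DSCP is still 0.
WINBOX_FIXED = [
    Rule("output", "change-dscp", {"out-interface": "vlan20", "protocol": "tcp", "src-port": 8291}, new_dscp=48),
    Rule("postrouting", "change-dscp", {"out-interface": "vlan20", "dscp": 0}, new_dscp=8, passthrough=False),
]

# Constructed packets (dscp 0 = not yet assigned; "local" = generated by the router itself).
SIP = {"out-interface": "vlan20", "protocol": "udp", "dst-address": "1.2.3.4", "dst-port": 5060, "dscp": 0, "local": False}
RTP = {"out-interface": "vlan20", "protocol": "udp", "dst-address": "1.2.3.4", "dst-port": 14000, "dscp": 0, "local": False}
WEB = {"out-interface": "vlan20", "protocol": "tcp", "dst-address": "198.51.100.7", "dst-port": 443, "dscp": 0, "local": False}
WINBOX = {"out-interface": "vlan20", "protocol": "tcp", "src-port": 8291, "dscp": 0, "local": True}

if __name__ == "__main__":
    packets = (("SIP", SIP), ("RTP", RTP), ("WEB", WEB), ("WINBOX", WINBOX))
    for name, rules in (("VOIP_DIRECT", VOIP_DIRECT), ("WINBOX_BROKEN", WINBOX_BROKEN), ("WINBOX_FIXED", WINBOX_FIXED)):
        print(name, {label: mangle(rules, pkt) for label, pkt in packets})
```

With VOIP_DIRECT the SIP and RTP packets end with 46 and the web packet with 8; with WINBOX_BROKEN the Winbox packet ends with 8 because postrouting overwrote the 48 set in output; with WINBOX_FIXED it keeps 48 while everything still unmarked gets 8. The same reasoning applies to the real chains: any rule placed in postrouting without a dscp=0 (or packet-mark) condition will undo whatever output or forward decided earlier.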