We are attempting to severely limit filesharing at some of our sites. We have had these same rules working with several boxes that use RADIUS authentication and everything is fine. However, at a couple of sites where we are using an on-board redirect and authentication, these same rules will cause packet loss. If we disable the bolded rule below, the packet loss disappears. Within 20 seconds or so of enabling it, we get packet loss again. Any thoughts?
/ip firewall filter add action=add-dst-to-address-list address-list=filesharing address-list-timeout=10m chain=forward comment="" disabled=no dst-address=!10.59.0.0/22 p2p=all-p2p
/ip firewall filter add action=add-src-to-address-list address-list=filesharing address-list-timeout=10m chain=forward comment="" disabled=no p2p=all-p2p src-address=!10.59.0.0/22
/ip firewall mangle add action=mark-packet chain=prerouting comment="" disabled=no new-packet-mark=peer2peer passthrough=yes src-address-list=filesharing
/ip firewall mangle add action=mark-packet chain=forward comment="" disabled=no dst-address-list=filesharing new-packet-mark=peer2peer passthrough=yes
/queue simple add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=64k/64k max-limit=64k/64k name=queue1 packet-marks=peer2peer parent=none priority=8 queue=default-small/default-small total-limit-at=128 total-max-limit=128 total-queue=default-small
I cannot see how that could possibly be related to RADIUS vs local authentication.
What are the system conditions when the packet loss occurs? CPU load? Memory load?
Free MEM is flat at almost 450MB; we haven't been able to discern a CPU spike, though that was my first thought.
Maybe the packet loss is caused by mis-classified packets ending up with those marks? Check "/ip firewall connections" for connections with that mark and see if the connection experiencing packet loss is going through the queue and is being dropped simply due to queue limits.
Not as far as I can tell. I ran a test where I exempted our public IP and it still happened.
So per the rules we are marking the packet, not just the connection. When I switched the mangle rules to mark the connection and not the packets, it stopped causing the packet loss. Now I just need to figure out how to get a queue to work on connection mark, not just packet mark if that is even possible.
You cannot do that.
You can, however, mark packets just based on a connection-mark, which may be significantly cheaper to do as far as processing resources go. Move those rules on top of the chain and set passthrough=no.
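The approach in the last reply, written out as an added example (not the original poster's configuration and not taken from the thread): the expensive p2p matcher runs once per connection to set a connection mark, and a cheap rule at the top of the forward chain turns that connection mark into the packet mark the existing simple queue already matches on. The 10.59.0.0/22 LAN, the filesharing address list and the peer2peer packet mark come from the thread; the p2p-conn connection-mark name and the comments are assumptions. RouterOS evaluates mangle rules top-down, so both rules are meant to sit above any other forward-chain mangle rules.

```routeros
# Added example, not the thread's own rules. Assumes: LAN 10.59.0.0/22,
# packet mark "peer2peer" used by the existing simple queue, and a new
# connection mark "p2p-conn" (name chosen here).

/ip firewall mangle
# Rule 1 (top of chain): cheap lookup that copies the connection mark onto
# every packet of an already-classified connection. passthrough=no stops
# rule processing so no rule further down can re-mark the packet.
add chain=forward connection-mark=p2p-conn action=mark-packet \
    new-packet-mark=peer2peer passthrough=no \
    comment="p2p: packet mark derived from connection mark"

# Rule 2: only connections that carry no mark yet are run through the
# p2p matcher, so the costly classification happens once per connection
# rather than once per packet. Traffic staying inside the LAN is skipped.
add chain=forward connection-mark=no-mark p2p=all-p2p \
    dst-address=!10.59.0.0/22 action=mark-connection \
    new-connection-mark=p2p-conn passthrough=yes \
    comment="p2p: classify new connections"

# The simple queue from the thread stays unchanged; it already shapes on
# packet-marks=peer2peer.

# Verification (read-only): list connections that received the mark and
# see whether the flow that suffers packet loss is among them, which is
# what the earlier reply suggested checking.
/ip firewall connection print where connection-mark=p2p-conn
/ip firewall mangle print stats
```

The mark-packet rule is deliberately listed first: the first packets of a connection fall through it unmarked, reach the mark-connection rule, and every subsequent packet of that connection is then caught by the first rule without touching the p2p matcher again. If the rules are added to a chain that already has mangle entries, move them to the top so that ordering holds, and confirm with the stats output that the mark-packet counters grow while the mark-connection counters stay roughly equal to the number of new p2p connections.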