Mangle rules layer 3 vs layer 4

emikrotik · May 14, 2018, 8:13am

Hello,

I have an issue with mark-connection being overwritten in my mangle rules.

Please see below mangle rules;

361-363 are layer 3, PBR on source and destination IP Addresses.

361 chain=prerouting action=mark-connection 
      new-connection-mark=GOOGLE DRIVE passthrough=yes 
      dst-address-list=GOOGLE DRIVE log=no log-prefix="" 

362 chain=prerouting action=mark-packet 
      new-packet-mark=GOOGLE DRIVE passthrough=yes 
      connection-mark=GOOGLE DRIVE log=no log-prefix="" 

363 chain=prerouting action=mark-routing 
      new-routing-mark=MultiWAN passthrough=no 
      src-address=10.80.0.0/16 packet-mark=GOOGLE DRIVE
      log=no log-prefix=""

395-397 are layer 4, PBR based on destination port

395
      chain=prerouting action=mark-connection 
      new-connection-mark=HTTP-HTTPS BROWSING passthrough=yes 
      protocol=tcp port=80,443 log=no log-prefix="" 

396    chain=prerouting action=mark-packet 
      new-packet-mark=HTTP-HTTPS BROWSING passthrough=yes 
      connection-mark=HTTP-HTTPS BROWSING log=no log-prefix="" 

397    chain=prerouting action=mark-routing 
      new-routing-mark=ECMP passthrough=no 
      src-address=10.80.0.0/16 packet-mark=HTTP-HTTPS BROWSING 
      log=no log-prefix=""

If traffic going to an IP Address in the destination address list ‘GOOGLE DRIVE’ is establishing a connection on port 80 or 443, the connection-mark will be overwritten with HTTP-HTTPS BROWSING this then causes issues with routing via different ISP’s and queuing.

Does anyone know why this happens? Is there a correlation between how RoS processes mangle rules and the OSI model?

Thank you.

RoadkillX · May 14, 2018, 8:35am

Reorder the rules to be mark-connection then mark-routing then mark-packet enable passthrough on mark-routing disable on all rules that mark-packets so that once marked it leaves the prerouting chain and the mark-connection will not get overwrriten by http-https rule.

Mark Google Drive connection based on dst IP(passthrough)
Mark Google Drive routing based on source IP(passthrough)
Mark Google Drive packet based on connection mark (No passthrough)

sindy · May 14, 2018, 9:39am

There seems to be a common belief that action=mark-connection only marks connections which have not been marked yet. This is not true.

If a packet belonging to an already marked connection matches the conditions of another action=mark-connection rule, the connection mark gets rewritten by that rule.

So you either have to ensure that packets belonging to already marked connections are not handled by other action=mark-connection rules, or you have to add a match condition connection-mark=no-mark to each action=mark-connection rule.

Plus in most cases you want to assign the connection mark only to the initial packet of each connection, and this is also not automatic. So adding connection-state=new may be necessary as well.

Have a look here for one possible way of implementation.