Mangle rules with internal IP

Hi, I’m trying to set up Mangle rules for a Linksys PAP2T so I can prioritise it in Queue Tree. I am trying to get Mangle
to detect the PAP2T’s traffic by IP address, but it only seems to detect the outgoing traffic and not incoming traffic. I’m using ROS 5.5 on an RB750GL, please help.

Thanks in advance.

Please post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, “/ip firewall export”, and an accurate network diagram.

/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.2.1/24 network=192.168.2.0 interface=eth4-LAN 
     actual-interface=eth4-LAN 

 1   address=192.168.254.254/24 network=192.168.254.0 interface=eth1-WAN 
     actual-interface=eth1-WAN 

 2   address=192.168.253.254/24 network=192.168.253.0 interface=eth2-backup 
     actual-interface=eth2-backup 

 3   address=192.168.3.254/24 network=192.168.3.0 interface=eth3-farm 
     actual-interface=eth3-farm



/ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.254.1 
        gateway-status=192.168.254.1 reachable eth1-WAN distance=1 scope=30 
        target-scope=10 

 1 ADC  dst-address=192.168.2.0/24 pref-src=192.168.2.1 gateway=eth4-LAN 
        gateway-status=eth4-LAN reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.3.0/24 pref-src=192.168.3.254 gateway=eth3-farm 
        gateway-status=eth3-farm reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.253.0/24 pref-src=192.168.253.254 
        gateway=eth2-backup gateway-status=eth2-backup reachable distance=0 
        scope=10 

 4 ADC  dst-address=192.168.254.0/24 pref-src=192.168.254.254 gateway=eth1-WAN 
        gateway-status=eth1-WAN reachable distance=0 scope=10



 /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                             TYPE               MTU L2MTU  MAX-L2MTU
 0  R  eth1-WAN                         ether             1500  1598       4074
 1  R  eth2-backup                      ether             1500  1598       4074
 2  R  eth3-farm                        ether             1500  1598       4074
 3  R  eth4-LAN                         ether             1500  1598       4074
 4  R  eth5-LAN                         ether             1500  1598       4074



/ip firewall export
# jul/26/2011 20:55:57 by RouterOS 5.5
# software id = Q370-G3N0
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=eth1-WAN
add action=drop chain=input disabled=no in-interface=eth2-backup
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "all other, remember mangle process order" disabled=no in-interface=\
    eth1-WAN new-packet-mark=all_other-in passthrough=yes
add action=mark-packet chain=postrouting disabled=no new-packet-mark=\
    all_other-out out-interface=eth1-WAN passthrough=yes
add action=mark-packet chain=prerouting comment="source games" disabled=no \
    in-interface=eth1-WAN new-packet-mark=source_games-in passthrough=yes \
    protocol=udp src-port=27000-28000
add action=mark-packet chain=postrouting disabled=no dst-port=27000-28000 \
    new-packet-mark=source_games-out out-interface=eth1-WAN passthrough=yes \
    protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade disabled=no \
    out-interface=eth1-WAN
add action=masquerade chain=srcnat disabled=no out-interface=eth2-backup
add action=masquerade chain=srcnat disabled=no out-interface=eth3-farm
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

The Ubiquiti Nanostation 5 is plugged into port 1 (internet).
The Linksys PAP2T is plugged into a switch, and the switch is plugged into the RB750GL on port 5 (LAN).

Thanks! Much easier to read than screenshots.

I am trying to get Mangle to detect the PAP2T’s traffic by IP address but it only seems to detect the outgoing traffic and not incoming traffic.

I don’t see any mangle attempts by IP address. How are you defining the traffic sourced from the PAP2T? If you’re going to go by IP assuming its IP is 192.168.2.100 the rules would look something like this, and would account for traffic in both directions based on connection state:

/ip firewall mangle
add chain=prerouting src-address=192.168.2.100 action=mark-connection new-connection-mark=pap2t passthrough=yes
add chain=prerouting connection-mark=pap2t action=mark-packet new-packet-mark=pap2t passthrough=no

On a side note, it only makes sense to prioritize outbound traffic - there’s no point prioritizing inbound traffic because your WAN interfaces are the limiting factor. By the time the packets arrive on your WAN port it’s too late to do anything about them, you either received them or you didn’t.

You should be able to see in the screenshot that the PAP2T’s address is 192.168.2.2.
e.g.

prerouting   dst address=192.168.2.2 in interface=eth1-WAN
postrouting  src address=192.168.2.2 out interface=eth1-WAN

Basically, can you please give an example of the correct way to set it up?
I might want to cap the speeds on some computers with Mangle/Queue Tree in future too so I need to know the correct dst/src address setup.
These Mangle rules are really confusing me.
Thanks.

The best way to do this is the one I posted, which only takes into account one direction of traffic, and then marks the other direction based on state:

/ip firewall mangle
add chain=prerouting src-address=192.168.2.2 action=mark-connection new-connection-mark=pap2t passthrough=yes
add chain=prerouting connection-mark=pap2t action=mark-packet new-packet-mark=pap2t passthrough=no

That marks all connections sourced from 192.168.2.2 with a connection mark of ‘pap2t’. This connection mark is available for investigation by the router for all packets that belong to that connection. The second rule then marks all packets with that connection mark (so all packets, both ways) with a packet mark of ‘pap2t’.

So I’ll have one packet mark counting both traffic directions, how will that work with Queue Tree?
Would it be counting download traffic in the upload queue and upload in the download queue?
Thanks.

Typically you’d either use interface queues, which only see packets leaving through an interface. That’s how you get direction.

If you’re going to use global queues you’re right, you’d re-mark based on direction with two marks (e.g. connection mark and in-interface, with two distinct marks for upload and download).

Something I just noticed in your earlier example: does passthrough need to be disabled on the packet mark?
This is my current setup now and seems to be working fine:

/ip firewall export
# jul/27/2011 03:51:44 by RouterOS 5.5
# software id = Q370-G3N0
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=eth1-WAN
add action=drop chain=input disabled=no in-interface=eth2-backup
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "all other, remember mangle process order" disabled=no in-interface=\
    eth1-WAN new-packet-mark=all_other-in passthrough=yes
add action=mark-packet chain=postrouting disabled=no new-packet-mark=\
    all_other-out out-interface=eth1-WAN passthrough=yes
add action=mark-packet chain=prerouting comment="source games" disabled=no \
    in-interface=eth1-WAN new-packet-mark=source_games-in passthrough=yes \
    protocol=udp src-port=27000-28000
add action=mark-packet chain=postrouting disabled=no dst-port=27000-28000 \
    new-packet-mark=source_games-out out-interface=eth1-WAN passthrough=yes \
    protocol=udp
add action=mark-connection chain=prerouting comment=PAP2T disabled=no \
    new-connection-mark=con-pap2t passthrough=yes protocol=udp src-address=\
    192.168.2.2
add action=mark-packet chain=prerouting connection-mark=con-pap2t disabled=no \
    in-interface=eth1-WAN new-packet-mark=pap2t-in passthrough=yes
add action=mark-packet chain=postrouting connection-mark=con-pap2t disabled=\
    no new-packet-mark=pap2t-out out-interface=eth1-WAN passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade disabled=no \
    out-interface=eth1-WAN
add action=masquerade chain=srcnat disabled=no out-interface=eth2-backup
add action=masquerade chain=srcnat disabled=no out-interface=eth3-farm
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Strictly speaking, no, passthrough in this case can be left set to “yes”. However, if you’re done dealing with a packet what’s the point of processing rules further below that either - best case - don’t match so the CPU is churning for no good reason, or - worst case - do match even though you did not mean for them to match, overwriting the work done previously that you meant to get done? Best practice is to bail out when you’re done.

Edit: missed the chain question. What chain you use depends on your queue tree parent. For example, global-in happens before forward, so you’d have to mark in prerouting to use it. If you’re using interfaces you can use any chain you please, as they happen after postrouting. Depending on your chain choice NAT may also come into play. In your case you’re marking the connection based on an inside local IP, so the only NAT that would come into play is source NAT. That happens after postrouting, so you can use any chain for marking that you like.
So there’s no general answer, it depends on the situation. In your case the chains as you have them are fine.
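As an added example (not configuration posted in this thread), the following puts together the points made above about directional marks for queue trees and about passthrough=no and chain choice: one connection mark, two direction-specific packet marks, and interface-parented queue tree entries. The 192.168.2.2 address and the interface names come from the thread; the rates, queue names and priorities are assumed values.

```routeros
# Added example, not from the thread. Rates, queue names and priorities are assumed.
/ip firewall mangle
# Mark every connection originating from the PAP2T once. passthrough=yes so the
# same packet goes on to be packet-marked below.
add chain=prerouting src-address=192.168.2.2 action=mark-connection \
    new-connection-mark=con-pap2t passthrough=yes comment="PAP2T connections"
# Download direction: packets of those connections arriving from the WAN.
# prerouting is required here if the queue parent is global-in; it is also fine
# for interface queues. passthrough=no: classification is finished, stop here.
add chain=prerouting in-interface=eth1-WAN connection-mark=con-pap2t \
    action=mark-packet new-packet-mark=pap2t-in passthrough=no
# Upload direction: packets of those connections leaving via the WAN. postrouting
# is fine because interface queues run after it and masquerade (src-nat) does not
# touch the connection mark.
add chain=postrouting out-interface=eth1-WAN connection-mark=con-pap2t \
    action=mark-packet new-packet-mark=pap2t-out passthrough=no
# Catch-all marks come LAST: because the PAP2T rules above stop with
# passthrough=no, only non-PAP2T traffic ever reaches these, so nothing is
# overwritten and the CPU does not evaluate rules that cannot matter.
add chain=prerouting in-interface=eth1-WAN action=mark-packet \
    new-packet-mark=other-in passthrough=no
add chain=postrouting out-interface=eth1-WAN action=mark-packet \
    new-packet-mark=other-out passthrough=no

/queue tree
# Upload: the queue on eth1-WAN only sees packets leaving towards the ISP, so the
# interface itself gives the direction. max-limit (assumed 900k) should sit
# slightly below the real uplink rate so the RB750GL, not the upstream, queues.
add name=wan-up parent=eth1-WAN max-limit=900k
add name=voip-up parent=wan-up packet-mark=pap2t-out priority=1 \
    limit-at=128k max-limit=900k
add name=other-up parent=wan-up packet-mark=other-out priority=8 max-limit=900k
# Download: shaped on the LAN-facing interface the packets leave through; the
# pap2t-in packet mark set in prerouting is still attached at that point.
add name=lan-down parent=eth4-LAN max-limit=5M
add name=voip-down parent=lan-down packet-mark=pap2t-in priority=1 \
    limit-at=128k max-limit=5M
add name=other-down parent=lan-down packet-mark=other-in priority=8 max-limit=5M
```

Check the rules with the packet and byte counters in /ip firewall mangle print stats while the phone is in a call: the con-pap2t rule should count only new outbound connections, while pap2t-in and pap2t-out should both climb.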

My last question (I promise), would it be better to use the forward chain instead of prerouting for the connection mark?

Thanks :)

Just in case, see above, I missed it initially but edited the post to answer that question.

If you’d like to see all the gritty details, check out the packet flow wiki: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

That page is easily the best and most valuable manual resource. It shows in detail what facility gets processed in what order.

Yes, I took a look through the wiki and the packet flow pages, but sometimes they confused me more than they clarified anything. Everything seems to be working fine now.
Thanks for the help. :)