Mangle SIP on pre-routing

I’m trying to route SIP packets via another network.

I have tried this:

/ip firewall mangle print
chain=prerouting action=mark-routing new-routing-mark=route-via-dedicated-line passthrough=no connection-type=sip

/ip route print detail
dst-address=0.0.0.0/0 gateway=192.168.21.1 routing-mark=route-via-dedicated-line

I am policy routing some other protocols based on TCP ports and sources and destinations so my policy routing setup is OK.

What’s not OK is marking and/or mangling SIP packets.

Should I mark just the connection-type?
Should I actually be marking the connection and then the packets?
Should I be applying mark routing on the pre-routing chain based on the packets or the connection or both?
Should I mark the connection and the packets with no passthrough?
Should I mark differently when I am NATting on the router?

This stuff is so confusing, even after 6 years working with MikroTik.

add action=mark-connection chain=forward comment="" connection-type=sip disabled=no new-connection-mark=voip-conn passthrough=yes
add action=mark-connection chain=forward comment="" disabled=no dst-port=5060 new-connection-mark=voip-conn passthrough=yes protocol=udp
add action=mark-connection chain=forward comment="" disabled=no layer7-protocol=sip new-connection-mark=voip-conn passthrough=yes
add action=mark-packet chain=forward comment="" connection-mark=voip-conn disabled=no new-packet-mark=voip-packet passthrough=no


This seems to mark every connection for me: a couple trunks and 1/2 dozen incoming phone extensions. I use the L7 matcher as well as the built-in connection tracking and also plain old port 5060.