mangle...

Hi,

Can someone explain to me why exactly some examples mangle connections and then mangle packets…? Why not mangle packets alone…?
Example:
why this

add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
    new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet \
    new-packet-mark=http passthrough=no

and not this:

add chain=prerouting protocol=tcp dst-port=80 action=mark-packet \
    new-packet-mark=http passthrough=no

Thanks,

If I’m not mistaken, when you mark the connection first and then mark all packets belonging to this connection, then in the packet marks you have src-address and dst-address; then apply this packet mark for the outgoing or incoming interface and you have download or upload traffic. In other words, you don’t have separate upload or download connections, you just apply the packet mark for the upload or download interface. BUT if you’re using NAT (masquerade) you must separate upload and download traffic (in this connection, or use only packet marks).

Sorry for my bad English.
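The two-step scheme the reply above describes, written out as an added example (not configuration from this thread or from MikroTik). The interface names ether1-wan and bridge-lan and the rate limits are assumptions. The connection mark is set once on the first packet; every later packet of that connection, in both directions, is matched by connection-mark instead of by port, which is why a packet-mark-only rule with dst-port=80 would catch the client-to-server packets but never the server replies (those carry src-port=80). The direction split is then done by in-interface on the packet marks:

```routeros
# Added example, not from this thread. Assumes WAN interface "ether1-wan"
# and LAN interface "bridge-lan"; max-limit values are placeholders.
/ip firewall mangle
# 1. Mark the connection once, on the first packet (SYN to port 80).
#    Connection tracking then carries the mark on every packet of the
#    flow, in both directions, without re-inspecting ports.
add chain=prerouting protocol=tcp dst-port=80 connection-state=new \
    action=mark-connection new-connection-mark=http_conn passthrough=yes
# 2. Split the marked connection into per-direction packet marks.
#    Packets arriving from the WAN are downloads, from the LAN are uploads.
add chain=prerouting connection-mark=http_conn in-interface=ether1-wan \
    action=mark-packet new-packet-mark=http_down passthrough=no
add chain=prerouting connection-mark=http_conn in-interface=bridge-lan \
    action=mark-packet new-packet-mark=http_up passthrough=no

# 3. Shape each direction on the interface the traffic leaves through.
/queue tree
add name=http-down parent=bridge-lan packet-mark=http_down max-limit=10M
add name=http-up parent=ether1-wan packet-mark=http_up max-limit=2M
```

Because the packet-mark rules match on in-interface rather than on addresses, they keep working behind masquerade: the connection mark was assigned before NAT rewrote anything, and conntrack applies it to the reply packets regardless of the translated addresses.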

my guess is that it may be more efficient to mark connection first and then look only at that connection when marking packets (it may be more efficient to look at connection and not every single packet)… but that’s just a guess…

Perhaps one of MikroTik’s QoS/firewall experts could clarify that…?

Connection marks are MUCH more efficient, not to mention they capture data both ways, not just to or from, depending on the ports and/or in interfaces.

dyrdymal: see this thread http://forum.mikrotik.com/t/firewall-and-mangle-flow-questions/33998/1