Mangle

icapcea · April 6, 2012, 12:03pm

Hello.

How can I use Mangle to mark packets comming/going from/to a vlan?

Thank you for accorded time!

tomaskir · April 6, 2012, 6:40pm

First create an address list with the subnet present on the vlan

/ip firewall address-list
add address=1.2.3.0/24 disabled=no list=SomeVLANsubnet

Then mark in mangle

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Connections from the VLAN" connection-mark=no-mark disabled=no new-connection-mark=Con_from_VLAN passthrough=no src-address-list=SomeVLANsubnet

add action=mark-connection chain=prerouting comment="Connections to the VLAN" connection-mark=no-mark disabled=no dst-address-list=SomeVLANsubnet new-connection-mark=Con_to_VLAN passthrough=no

icapcea · April 7, 2012, 8:03am

My VLANs actually split the WAN in metro and external traffic so they are dinamically described by BGP and I don’t have a list of IPs/Subnets.

How can I baypass that?

Regards,
Ioan Capcea

tomaskir · April 8, 2012, 7:44am

You will have to use the forward chain for incoming connections, and sort it out by interface.

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Connections from the VLAN" connection-mark=no-mark disabled=no new-connection-mark=Con_from_VLAN passthrough=no in-interface=someVlanInterface

add action=mark-connection chain=forward comment="Connections to the VLAN" connection-mark=no-mark disabled=no new-connection-mark=Con_to_VLAN passthrough=no out-interface=someVlanInterface