Mangling

azurtem · January 20, 2016, 3:33pm

Hi

I understand the difference between prerouting, forward and postrouting chains in terms of the relative position they occupy in the flow of things

What I’m not sure about is which one to use and why

For instance, I setup mangling of VoIP traffic based on the remote Asterisk server’s IP
I first created prerouting mangling rules, and noticed that it wasn’t picking up many packets
When I switched over to forward chains things picked up considerably with regards to marked packets

add action=mark-packet chain=forward comment=VoIP new-packet-mark=VOIP-PMD \
    passthrough=no src-address=2xx.xxx.xxx.149
add action=mark-packet chain=forward dst-address=2xx.xxx.xxx.149 \
    new-packet-mark=VOIP-PMU passthrough=no

Furthermore, why would one use postrouting rules since the packets are pratically out the door and one has no control beyond this point

Is there a rule of thumb to know which chain is better suited ?

thanks
yann

ZeroByte · January 20, 2016, 3:43pm

I’ve seen some “fancy” configurations where a packet was marked in prerouting in order to run it through some queues, etc, and then the packet marks are changed in postrouting in order for other queues and firewall rules.

pe1chl · January 20, 2016, 9:53pm

Indeed I use a postrouting mangle rule set to first set the packet priority from the DSCP value, and then the packet mark from the packet priority, to then use it in a queue tree to prioritize the packets when sending them.
In Linux routers configured natively it is possible to directly match the DSCP value in a queue tree, but I have not been able to do that in a MikroTik (no u32 match ip feature in Queues to match IP header fields), hence the workaround via mangle.

azurtem · January 21, 2016, 9:40am

Thank you for your responses

ZeroByte · January 21, 2016, 5:43pm

Yeah - a queue that allows DSCP (or 802.1P) as a target would sure simplify things a lot, eh?

pe1chl · January 21, 2016, 6:07pm

Ok it is not too bad…

/ip firewall mangle
add action=set-priority chain=postrouting comment=“From dscp high 3 bits”
new-priority=from-dscp-high-3-bits
add action=mark-packet chain=postrouting comment=“Priority 0”
new-packet-mark=prio0 priority=0
add action=mark-packet chain=postrouting comment=“Priority 1”
new-packet-mark=prio1 priority=1
add action=mark-packet chain=postrouting comment=“Priority 2”
new-packet-mark=prio2 priority=2
add action=mark-packet chain=postrouting comment=“Priority 3”
new-packet-mark=prio3 priority=3
add action=mark-packet chain=postrouting comment=“Priority 4”
new-packet-mark=prio4 priority=4
add action=mark-packet chain=postrouting comment=“Priority 5”
new-packet-mark=prio5 priority=5
add action=mark-packet chain=postrouting comment=“Priority 6”
new-packet-mark=prio6 priority=6
add action=mark-packet chain=postrouting comment=“Priority 7”
new-packet-mark=prio7 priority=7

and then use it in queue tree like this:
/queue tree
add comment=“Link limited at 19,4 Mbps” limit-at=19M max-limit=19M name=
queue-vlan51 parent=ether1.vlan51 queue=default
add limit-at=4M max-limit=18M name=queue-vlan51-p1 packet-mark=prio7 parent=
queue-vlan51 priority=1 queue=default
add limit-at=4M max-limit=18M name=queue-vlan51-p2 packet-mark=prio6 parent=
queue-vlan51 priority=2 queue=default
add limit-at=4M max-limit=18M name=queue-vlan51-p3 packet-mark=prio5 parent=
queue-vlan51 priority=3 queue=default
add limit-at=4M max-limit=18M name=queue-vlan51-p4 packet-mark=prio4 parent=
queue-vlan51 priority=4 queue=default
add limit-at=4M max-limit=18M name=queue-vlan51-p5 packet-mark=prio3 parent=
queue-vlan51 priority=5 queue=default
add limit-at=4M max-limit=18M name=queue-vlan51-p6 packet-mark=prio2 parent=
queue-vlan51 priority=6 queue=default
add limit-at=4M max-limit=18M name=queue-vlan51-p7 packet-mark=prio0 parent=
queue-vlan51 priority=7 queue=default
add limit-at=4M max-limit=18M name=queue-vlan51-p8 packet-mark=prio1 parent=
queue-vlan51 queue=default
add limit-at=4M max-limit=18M name=queue-vlan51-u7 packet-mark=no-mark
parent=queue-vlan51 priority=7 queue=default

but in native Linux it can be done using:
tc filter add … protocol ip prio 1 u32 match ip tos 0x20 0xe0 …

What also doesn’t help is that the values for priority sometimes count up, sometimes count down,
and sometimes count 1 0 2 3 4 5 6 7.

It is quite clear that quality-of-service is an afterthought in IP.

ZeroByte · January 21, 2016, 6:21pm

I know and this is all over the place, too - for instance in BGP:
weight: higher value = preferred
local-preference: higher value = preferred
metric: lower value = preferred

vrrp - higher value = higher priority

DSCP = throw darts at a dart board and then put the darts and dart board into a wood chipper

Cisco puts dot1p 5 into the priority queue by default, for instance.

Funny thing is, putting dot1p and dscp values into packets is about the same as stamping “fragile” on a box and sending it to the post office. If a mail carrier reads “fragile” and interprets this to mean “use as elephant trampoline” then - too bad for you, right?

Williambannerman · January 22, 2016, 10:29am

In compiler construction, name mangling (also called name decoration) is a technique used to solve various problems caused by the need to resolve unique names for programming entities in many modern programming languages. I know this one. But i don t know about your answer. I am no experience in this filed.