mark-connection VS mark-packet

hi all

  • What is the difference between mark-connection and mark-packet, and why do we use them together in the same configuration?
    Can I use either one alone?

  • To use queues, is it necessary to use mark-packet? Or is there another method?


A connection mark is a mark that is automatically applied to all packets of a connection. You mark the connection on one packet, and all other packets in the same connection will have the same mark. This is very useful for identifying traffic to a host as well as the return traffic.
Packet marks only are applied to one packet, and do not propagate to other packets in the same connection.

Sometimes you use the two together because it requires fewer resources to do so. Let’s take the following example:

/ip firewall mangle
add protocol=tcp dst-port=80 src-address=1.1.1.0/24 out-interface=WAN chain=forward action=mark-packet new-packet-mark=test
add protocol=tcp src-port=80 dst-address=1.1.1.0/24 in-interface=WAN chain=forward action=mark-packet new-packet-mark=test

That would mark all packets that are HTTP traffic between hosts on the 1.1.1.0/24 network and web servers with the packet mark ‘test’. However, for each and every single packet you would have to do a lot of work. Is this packet TCP? Yes. Is it going to destination port 80? Yes. Is the source address within 1.1.1.0/24? Yes. Is it going out the WAN interface? No. Oh. OK. Is it a TCP packet? Yes. Is it sourced from port 80? Yes. And so on. Every packet that is traffic to a webserver would require four comparisons, every packet that is traffic from a webserver would require eight comparisons, and every packet that doesn’t fit either would also require eight comparisons, plus whatever happens afterward.

/ip firewall mangle
add connection-state=new protocol=tcp dst-port=80 src-address=1.1.1.0/24 out-interface=WAN chain=forward action=mark-connection new-connection-mark=test passthrough=yes
add connection-mark=test chain=forward action=mark-packet new-packet-mark=test

Now the first packet of a connection gets compared five times, and a connection mark is set. Every subsequent packet, whether it’s part of the connection or not, is only compared two times: is this a new connection? No. Does it have this connection mark? Yes.

Both packet marks and connection marks are internal to the router only. They are not ever transmitted on the wire, and the next router that sees the traffic has no idea the packet or connection were ever marked.

Simple queues can work without packet marks, but you can use them if you want to. For queue trees it usually doesn’t make sense to not use packet marks.

Hope that helps.


OK, thanks for the explanation…

How can I use the queue if I want to limit all the IPs in 192.168.1.0/24? Do I need to input each one, or can I cover any IP in the same range with the same conditions?

http://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ#PCQ_Rate_Examples
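As an added example (not from the thread or the linked wiki page) of the PCQ approach that link points to: one simple queue covers the whole 192.168.1.0/24 range and gives every host its own sub-stream at the same rate, so no per-address queue and no packet mark is needed. RouterOS v6 syntax is assumed; the names and rates are made up for illustration.

```routeros
# Added example (not from the thread): limit every host in 192.168.1.0/24
# to the same per-host rate with PCQ sub-streams instead of one queue per IP.
# Names and rates are constructed for illustration (RouterOS v6 syntax).
/queue type
# download direction: one sub-stream per destination address in the LAN
add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=2M
# upload direction: one sub-stream per source address in the LAN
add name=pcq-up kind=pcq pcq-classifier=src-address pcq-rate=1M
/queue simple
# target matches the whole /24; queue=<upload>/<download>; max-limit caps the total
add name=lan-per-host target=192.168.1.0/24 queue=pcq-up/pcq-down max-limit=10M/40M
```

pcq-rate is the ceiling per sub-stream (per host here), while max-limit is the ceiling for the whole queue; a new host appearing in the range gets a sub-stream automatically. On RouterOS v5 the simple-queue parameter is target-addresses rather than target.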

Hi Fewi,
I am still confused about the explanation. As you’ve stated in the very beginning - “You mark the connection on one packet, and all other packets in the same connection will have the same mark.”, this time all subsequent packets (back & forth?) should be marked by connection-mark from any ‘new’ connections with our criteria. Why do we still have to add the packet-mark on those already connection-marked packets?


You don’t if you’re not using any facilities that require packet marks. Other mangle and filter and NAT rules work just fine with only connection marks. Queues, though, which are a very common reason to use markings at all, only fire on packet marks. Routes only fire on routing marks. Hence the need to apply the other kind of mark - the facilities the mark is for can’t use connection marks.

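To make the two preceding answers concrete (the mark-connection plus mark-packet pair, and the point that queue trees only fire on packet marks), here is an added example, not from the thread, of the queue-tree half that the mangle rules feed. The interface names WAN and LAN and the limits are assumptions; the mangle rules repeat the ones given earlier in the thread.

```routeros
# Added example (not from the thread): connection mark 'test' is set once on
# the first packet, converted to packet mark 'test' on every packet of that
# connection in both directions, and the queue tree shapes by the packet mark.
# Interface names and limits are assumed (RouterOS v6 syntax).
/ip firewall mangle
add chain=forward connection-state=new protocol=tcp dst-port=80 src-address=1.1.1.0/24 out-interface=WAN action=mark-connection new-connection-mark=test passthrough=yes
# passthrough=no: once the packet mark is set there is nothing further to do
add chain=forward connection-mark=test action=mark-packet new-packet-mark=test passthrough=no
/queue tree
# upload direction (LAN -> web servers): queue attached to the WAN interface
add name=http-up parent=WAN packet-mark=test max-limit=2M
# download direction (web servers -> LAN): queue attached to the LAN interface
add name=http-down parent=LAN packet-mark=test max-limit=8M
```

A queue tree entry with packet-mark=test but no matching mark-packet rule simply never sees traffic, which is the usual symptom when only mark-connection was configured. /queue tree print stats shows whether the queues are actually counting bytes.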

Fewi,

Thanks for the quick reply.
I got one more question. If I apply connection + packet mark on any connection of http port:80 through WAN, does it mean any further incoming “and” outgoing packets are both marked? Without connection mark, I have to achieve this in both ways, right?

Does mark-connection do anything for connectionless protocols?

Sure. Connection is not “connection in the protocol”, it is “connection in the connection tracker”. There is no “connectionless” protocol there. UDP streams are identified as connections (with a timeout). Otherwise how would NAT work? ;) The connections are “artificial” in the tracker and also work for connectionless protocols.

Which is the best way to mark, connections or packets, for use in policy-based routing?
I have two internet connections and I want to route some traffic through one connection
and the rest through the other, based on either connection marks or packet marks, and
to ensure each packet comes back through the same connection it went out?

To mark for policy routing you need routing marks for outbound traffic, packet marks do you no good for routing decisions.

If you need traffic that was established from WAN to LAN to go back out the same interface, you need to use connection marks because the routing marks have to be applied to packets in the other direction of the bidirectional flow. Then apply routing marks outbound based on the connection marks.

The PCC wiki is the simplest example, it contains exactly what you’re asking for.

Here an example:

/ip firewall mangle
# first mark connections coming in via a WAN interface with the interface it came in through
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
# then make random policy decisions - here we're putting tcp/80 traffic out via ISP1
add chain=prerouting in-interface=LAN dst-address-type=!local protocol=tcp dst-port=80 action=mark-connection new-connection-mark=ISP1_conn
# and everything else via ISP2
add chain=prerouting in-interface=LAN dst-address-type=!local action=mark-connection new-connection-mark=ISP2_conn
# and finally apply routing marks based on connection marks
add chain=prerouting in-interface=LAN connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting in-interface=LAN connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

Heavily based on: http://wiki.mikrotik.com/wiki/Manual:PCC
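The mangle rules above only set routing marks; the routes that consume them, and the source NAT that makes replies come back to the right uplink, are the other half. Here is an added example of that half, not from the thread or the PCC wiki page. The gateway addresses are placeholders and ISP1/ISP2/LAN are the interface names used above; RouterOS v6 syntax is assumed.

```routeros
# Added example (not from the thread): routing tables and NAT that the mangle
# rules above depend on. Gateway addresses are placeholders (RouterOS v6 syntax).
/ip route
# marked tables: only packets carrying the routing mark are looked up here
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_ISP2 check-gateway=ping
# main table: unmarked traffic (including the router's own) and the fallback
# when a marked route goes inactive because its gateway stopped answering pings
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
/ip firewall nat
# masquerade per uplink so the source address matches the interface the packet leaves on
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade
```

To check that connections are being split as intended, /ip firewall connection print where connection-mark=ISP1_conn lists the tracked connections assigned to the first uplink; /ip route print shows which marked routes are active. Note that the mark-routing rules match in-interface=LAN only: marking the reply packets arriving from an ISP would send them back out a WAN interface instead of to the LAN.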

Thanks. I have marked packets and placed routing marks based on the packet marks,
and things are all mixed up. Let me check out the PCC wiki.

Hi fewi,
I have a doubt about these marks. I'm using mark-connection in the prerouting chain, and then for two different reasons I'm using mark-packet (for queue tree) and mark-routing (to route through different WANs), but I can't use both, right? I suppose I can only use either mark-packet or mark-routing with the same mark-connection.
I'll think about how to work around this problem, maybe by separating queueing from routing decisions into two MikroTiks.
Thanks in advance.

each packet has three marks: connection-mark, packet-mark and routing-mark. you can use them all in any combinations. also look at ‘passthrough=’ parameter of firewall rules
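An added example, not from the thread, of the three marks stacked on the same connection with passthrough controlling which rules a packet continues to: the connection mark is set once on the first packet, and the routing mark and packet mark are then derived from it. Names and interface are assumptions; RouterOS v6 syntax.

```routeros
# Added example (not from the thread): one TCP/80 connection ends up with a
# connection mark, a routing mark and a packet mark. passthrough=yes lets the
# packet continue to the next rule after a mark is set; the last rule stops.
# Names and the LAN interface are assumed (RouterOS v6 syntax).
/ip firewall mangle
# 1. connection mark, set only on the first packet (connection-state=new)
add chain=prerouting in-interface=LAN connection-state=new protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes
# 2. routing mark for policy routing: read by /ip route, ignored by queues.
#    Restricted to LAN-originated packets so replies are not re-routed out a WAN.
add chain=prerouting in-interface=LAN connection-mark=http_conn action=mark-routing new-routing-mark=to_ISP1 passthrough=yes
# 3. packet mark for shaping: read by /queue tree, ignored by routes.
#    No in-interface filter, so both directions of the connection get it.
add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http_pkt passthrough=no
```

Rule order matters: a mark-packet rule with passthrough=no placed above the mark-routing rule would stop processing before the routing mark is set. /ip firewall mangle print stats shows per-rule packet counters, which is the quickest way to see a rule that is never reached.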

Sounds like good news!
I'll do some lab practice first because I have so many lines in the mangle that I'm a bit dizzy!
Yes, passthrough is very important; I'll check it looking for mistakes.
Thanks!

How many connection marks can we put on there?
I have been using mangle rules to mark connections as FTP/SSH/etc., and now want to ensure that traffic goes through the correct interfaces, but I'm worried that my exquisitely written rules will fail if they detect the wrong connection-mark.

I've realized that I have the same problem. I don't wanna split into two different RouterOS devices for now.
So I'm using mark-connection to ensure the flow through the proper interface, and mark-packet alone for the queues (I know this is not the best approach).

Figured it out, had to use “Passthrough” to add extra marks to packets, routes and connections. Damn this is cool!

FYI: Passthrough means it will continue processing rules, so a mangle rule adds a route-mark, then another checks and adds a Packet Mark, then a third checks and adds the connection Mark to new connections, allowing all manner of fun-times, then the jumps to type chains and so forth. Loving this.

Question:

router A has 3 ports eth0 to clients, eth1 and eth2 are 2 possible paths each 3 hops to router B, B has 2 LANs and one WAN to world
I set up PCC on a router A to sort of load balance between these 2 paths.

Assuming that connections are initiated by clients, is it also necessary to connection mark on router B to keep streams from breaking, or will the established route initiated by the clients hold on router B?

All PCC examples deal with 2 WAN 1 LAN, this would be the opposite?

My router A is splitting traffic nicely according to byte counts, but are my streams breaking?

all marks (connection-, packet-, routing-) are local, other routers do not know anything about them

what do you mean by ‘breaking’?