Need clarification on PCC example Wiki wrt Passthrough & Accept

We have decided to move away from ECMP and rather use PCC.

I have some questions with regards to the PCC example on the MikroTik Wiki here:
http://wiki.mikrotik.com/wiki/PCC

  1. Please clarify if passthrough is relevant at all. Why?

If I copy paste these rules from the Wiki:

add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2

RouterOS automatically assigns “passthrough=yes”. But on these examples I am unsure if it should be set to yes or no and / or if it’s relevant at all. The reason I am confused is that later on in the example the script:

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=wlan2_conn passthrough=yes

now explicitly specifies passthrough=yes making me think it is indeed important.

So the question is: is passthrough relevant on the rules where it’s not specified, and what should passthrough be on those rules?

  2. What exactly do these two lines do?
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local

The explanation is:

With policy routing it is possible to force all traffic to the specific gateway, even if traffic is destined to the host (other than gateway) in the connected networks. This way routing loop will be generated and communications with those hosts will be impossible. To avoid this situation we need to allow usage of default routing table for traffic to connected networks.

The explanation is a little unclear to me. I am hoping that maybe the author :slight_smile: of the Wiki article could give us more insight.

1a) as those are the only rules in chain “input” and chain “output” I think passthrough doesn’t really matter

1b) there are other rules in the chain that require packets from these rules to be there

2) Imagine a packet that comes from the internet and then your policy routing routes it back to the internet, and not to your clients - these accept rules correct that

(* 1a) if you won’t passthrough 1st and 2nd rules, you won’t mark routing at all by 3rd and 4th rule :slight_smile: *) - edited: it’s wrong %)
2) actually, it’s for packets that are coming from one of connected networks to another one. if 10.111.0.10 sends a packet to 10.112.0.10, the packet won’t be sent to the Internet

I’m sorry to be a pain but “macgaiver” and “Chupaka” you guys are contradicting each other.

I still need some clarity about this passthrough because I find this stuff very confusing.

For the time being I am going to side with Chupaka because I see he has posted a gazillion posts.

I guess macgaiver is confused like me because he thought that passthrough only applies to each individual chain, as opposed to the whole “Mangle” ruleset.

In order to clarify it even more, in the example, the last two rules are:

add chain=prerouting connection-mark=wlan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan1
add chain=prerouting connection-mark=wlan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan2

Again on the example it’s unbeknownst to me if passthrough should be on or not. As I said if you paste those rules passthrough is on.

But can I assume because you are now at the end of your ruleset and you have matched what you want to match you can generally turn off passthrough?

Thank you.

aaaaaaaa!.. %) sooooorrrrryyyyy ))) friday tiredness, maybe… I didn’t notice that there are different chains

as we see, zillion posts is nothing compared to this:
[image: Clipboard01.gif]
:smiley:

yes, they are mutually exclusive, so you may set passthrough=no, but… it will change almost nothing - I don’t think there will be some performance increase because of ~0.5 firewall rule =)

For the time being I am going to side with Chupaka because I see he has posted a gazillion posts.

It should be all about the quality, not quantity :sunglasses:

MacGaiver, Please do not send Darth Vader.

For me the conclusion here is passthrough is specific to a chain. E.g. input chain passthrough=on or off won’t affect forward chain on or off.

And if you use the PCC example and you have some more complex firewall rules after the PCC snapshot taken from the Wiki, be careful, because if you set passthrough=on you might end up re-routing the packets again. Thanks guys for the input, I think I understand now.
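
The chain-by-chain behaviour discussed in this thread, as an added example that is not part of the original posts or the MikroTik wiki: a small Python model of the prerouting rules quoted above, showing what passthrough and accept do to one packet. It assumes the accept rules come first in prerouting, that every packet arrives on in-interface=Local, and it replaces the per-connection-classifier hash with a constructed `pcc` remainder on each sample packet; `matches`, `run_chain`, `prerouting` and the sample packets are hypothetical names.

```python
import ipaddress

def matches(rule, pkt):
    # Only the matchers used by the quoted rules are modelled.
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if "conn" in rule and pkt.get("conn_mark") != rule["conn"]:
        return False
    if "pcc" in rule and pkt["pcc"] != rule["pcc"]:
        return False
    return True

def run_chain(rules, pkt):
    """Walk ONE mangle chain top to bottom; other chains get their own walk."""
    pkt = dict(pkt)
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "accept":
            break  # accept: stop processing this chain, marks stay as they are
        key = "conn_mark" if rule["action"] == "mark-connection" else "routing_mark"
        pkt[key] = rule["mark"]
        if not rule.get("passthrough", True):  # RouterOS defaults to passthrough=yes
            break  # passthrough=no: stop processing this chain after marking
    return pkt

def prerouting(pcc_passthrough=True, routing_passthrough=True):
    """Prerouting rules from the thread (assumed order: accept, PCC, mark-routing)."""
    return [
        {"action": "accept", "dst": "10.111.0.0/24"},
        {"action": "accept", "dst": "10.112.0.0/24"},
        {"action": "mark-connection", "pcc": 0, "mark": "wlan1_conn", "passthrough": pcc_passthrough},
        {"action": "mark-connection", "pcc": 1, "mark": "wlan2_conn", "passthrough": pcc_passthrough},
        {"action": "mark-routing", "conn": "wlan1_conn", "mark": "to_wlan1", "passthrough": routing_passthrough},
        {"action": "mark-routing", "conn": "wlan2_conn", "mark": "to_wlan2", "passthrough": routing_passthrough},
    ]

# Constructed sample packets; "pcc" is an assumed classifier remainder (2/0 or 2/1).
TO_INTERNET = {"dst": "203.0.113.7", "pcc": 1}
TO_CONNECTED = {"dst": "10.112.0.10", "pcc": 1}

if __name__ == "__main__":
    print("wiki rules      :", run_chain(prerouting(), TO_INTERNET))
    print("PCC rules pt=no :", run_chain(prerouting(pcc_passthrough=False), TO_INTERNET))
    print("last two pt=no  :", run_chain(prerouting(routing_passthrough=False), TO_INTERNET))
    print("connected subnet:", run_chain(prerouting(), TO_CONNECTED))
```

With passthrough=no on the PCC rules the packet leaves prerouting with a connection mark but no routing mark, while passthrough=no on the last two rules gives the same result as the default because only one of them can match.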