Hi. I recently saw this on a forum:
source: http://forum.mikrotik.com/t/mark-connection-vs-mark-packet/44577/1
/ip firewall mangle
add protocol=tcp dst-port=80 src-address=1.1.1.0/24 out-interface=WAN chain=forward action=mark-packet new-packet-mark=test
add protocol=tcp src-port=80 dst-address=1.1.1.0/24 in-interface=WAN chain=forward action=mark-packet new-packet-mark=test

That would mark all packets that are HTTP traffic between hosts on the 1.1.1.0/24 network and web servers with the packet mark ‘test’. However, for each and every single packet you would have to do a lot of work. Is this packet TCP? Yes. Is it going to destination port 80? Yes. Is the source address within 1.1.1.0/24? Yes. Is it going out the WAN interface? No. Oh. OK. Is it a TCP packet? Yes. Is it sourced from port 80? Yes. And so on. Every packet that is traffic to a webserver would require four comparisons, every packet that is traffic from a webserver would require 8 comparisons, and every packet that doesn’t fit either would also require 8 comparisons, plus whatever happens afterward.
Seeing that each match criterion in a rule is a process… is there an order for each match criterion? For example: if the first thing to compare is “mark-connection”, then the rest of the match criteria that the rule has, I do not care for the packets that do not comply with this mark-connection… is that right?
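The comparison counts in the quoted explanation, and what the ordering question would change, can be modelled in a few lines. This is an added example, not code from the post or from RouterOS: it is a counting model only, and the evaluation order (criteria checked as written in the rule), the `LAN` interface name and the sample packets are assumptions.

```python
import ipaddress

NET = ipaddress.ip_network("1.1.1.0/24")

def in_net(addr):
    return ipaddress.ip_address(addr) in NET

# The two quoted mangle rules as ordered (criterion, predicate) lists.
# Assumption: criteria are checked in the order they are written in the rule.
RULES = [
    [("protocol=tcp", lambda p: p["proto"] == "tcp"),
     ("dst-port=80", lambda p: p["dport"] == 80),
     ("src-address", lambda p: in_net(p["src"])),
     ("out-interface=WAN", lambda p: p["out"] == "WAN")],
    [("protocol=tcp", lambda p: p["proto"] == "tcp"),
     ("src-port=80", lambda p: p["sport"] == 80),
     ("dst-address", lambda p: in_net(p["dst"])),
     ("in-interface=WAN", lambda p: p["in"] == "WAN")],
]

def classify(pkt, short_circuit):
    """Return (packet_mark, comparisons); stops at the first matching rule,
    as the quoted walk-through does."""
    comparisons = 0
    for rule in RULES:
        matched = True
        for _name, pred in rule:
            comparisons += 1
            if not pred(pkt):
                matched = False
                if short_circuit:  # skip the rule's remaining criteria
                    break
        if matched:
            return "test", comparisons
    return None, comparisons

def pkt(proto, sport, dport, src, dst, in_if, out_if):
    return {"proto": proto, "sport": sport, "dport": dport,
            "src": src, "dst": dst, "in": in_if, "out": out_if}

# Constructed sample packets (addresses outside 1.1.1.0/24 are made up).
PACKETS = {
    "to web server":   pkt("tcp", 40000, 80, "1.1.1.10", "203.0.113.5", "LAN", "WAN"),
    "from web server": pkt("tcp", 80, 40000, "203.0.113.5", "1.1.1.10", "WAN", "LAN"),
    "unrelated (DNS)": pkt("udp", 5000, 53, "1.1.1.10", "203.0.113.5", "LAN", "WAN"),
}

if __name__ == "__main__":
    for name, p in PACKETS.items():
        print(name, "| all criteria:", classify(p, False),
              "| stop at first miss:", classify(p, True))
```

With every criterion evaluated, the model reproduces the 4, 8 and 8 comparisons from the quote; if evaluation stops at the first criterion that fails, the same packets cost 4, 6 and 2.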