Outgoing packages marked in incoming rule

levak · April 2, 2014, 12:11pm

Hello!

I’m stressing my brains for the past hour as to why the outdoing packages are marked by the firewall, since only incoming packages should be.
Here is my firewall setting:

 0   ;;; All download
     chain=forward action=mark-connection new-connection-mark=All-Download passthrough=yes out-interface=Local 
 1   chain=forward action=mark-packet new-packet-mark=All-Download-Pkg passthrough=yes connection-mark=All-Download 
 2   ;;; Wifi 130
     chain=forward action=mark-connection new-connection-mark=Wifi130-DL-conn passthrough=yes 
     dst-address=10.10.10.130 connection-mark=All-Download 
 3   ;;; Wifi 130 - HTTP
     chain=forward action=mark-packet new-packet-mark=Wifi-http-high passthrough=no protocol=tcp src-port=80,443 
     connection-mark=Wifi130-DL-conn connection-bytes=0-5000000 
 4   ;;; Wifi 130 - ICMP
     chain=forward action=mark-packet new-packet-mark=Wifi-icmp-dns passthrough=no protocol=icmp 
     connection-mark=Wifi130-DL-conn 
 5   chain=forward action=log connection-mark=Wifi130-DL-conn log-prefix="OTHER" 
 6   chain=forward action=mark-packet new-packet-mark=Wifi-other-high passthrough=yes connection-mark=Wifi130-DL-conn

So what I do here(if I understand that correctly):

mark ALL connections from WAN to local network
remark all connections going to 10.10.10.130 with ‘Wifi130-DL-conn’
mark HTTP packages with ‘Wifi-http-high’
mark ALL other with ‘Wifi-other-high’

I then start a download of a file over HTTP and I see increase in ‘Wifi-other-high’ mantle rule. When I look at a log file, I see this:

11:56:40 firewall OTHER forward: in:Local out:Public, src-mac 08:00:27:10:15:6a, proto TCP (ACK),
info 10.10.10.130:3071->193.2.1.XX:80, NAT (10.10.10.130:3071->192.168.50.121:3071)->193.2.1.XX:80,
len 40
11:56:40 firewall OTHER forward: in:Local out:Public, src-mac 08:00:27:10:15:6a, proto TCP (ACK),
info 10.10.10.130:3071->193.2.1.XX:80, NAT (10.10.10.130:3071->192.168.50.121:3071)->193.2.1.XX:80,
len 40

193.2.1.XX is the server’s IP from where I’m downloading. Why is outgoing traffic being logged and marked? According to mangle rules, only traffic going out the Local interface should get marked.

Matej

rextended · April 2, 2014, 12:19pm

XX = XX… you have left to obscure on the last…

levak · April 2, 2014, 12:57pm

Crap:)
Fixed…

On the other hand, it’s a public distro mirror anyway, so no harm there I guess…

Matej

rextended · April 2, 2014, 1:01pm

Paste this on terminal

/interface bridge export compact

and

/ip firewall export compact

and put the result on the forum.

levak · April 2, 2014, 5:20pm

Bridge:

[admin@MikroTik] > /bridge export compact
bad command name bridge (line 1 column 2)

I dont have any bridges configured, just 2 interfaces, Local and Public.

Firewall:

/ip firewall mangle
add action=mark-connection chain=forward comment=“All download” new-connection-mark=All-Download out-interface=Local
add action=mark-packet chain=forward connection-mark=All-Download new-packet-mark=All-Download-Pkg
add action=mark-connection chain=forward comment=“Wifi 130” connection-mark=All-Download dst-address=10.10.10.130 new-connection-mark=Wifi130-DL-conn
add action=mark-packet chain=forward comment=“Wifi 130 - HTTP” connection-bytes=0-5000000 connection-mark=Wifi130-DL-conn new-packet-mark=HTTP-High-Speed passthrough=no
protocol=tcp src-port=80,443
add action=mark-packet chain=forward connection-bytes=5000001-0 connection-mark=Wifi130-DL-conn new-packet-mark=HTTP-Low-Speed passthrough=no protocol=tcp src-port=80,443
add action=mark-packet chain=forward comment=“Wifi 130 - ICMP” connection-mark=Wifi130-DL-conn new-packet-mark=ICMP-DNS passthrough=no protocol=icmp
add action=mark-packet chain=forward comment=“Wifi 130 - DNS” connection-mark=Wifi130-DL-conn new-packet-mark=ICMP-DNS passthrough=no protocol=tcp src-port=53
add action=mark-packet chain=forward connection-mark=Wifi130-DL-conn new-packet-mark=ICMP-DNS passthrough=no protocol=udp src-port=53
add action=mark-packet chain=forward comment=“Wifi 130 SMTP-IMAP” connection-bytes=0-50000000 connection-mark=Wifi130-DL-conn new-packet-mark=Mail-High-Speed passthrough=no
protocol=tcp src-port=143,993,110,995,465,587
add action=mark-packet chain=forward connection-bytes=50000001-0 connection-mark=Wifi130-DL-conn new-packet-mark=Mail-High-Speed passthrough=no protocol=tcp src-port=
143,993,110,995,465,587
add action=log chain=forward comment=Other connection-mark=Wifi130-DL-conn log-prefix=OTHER protocol=tcp
add action=mark-packet chain=forward comment=Other connection-bytes=0-5000000 connection-mark=Wifi130-DL-conn new-packet-mark=Other-High-Speed passthrough=no protocol=tcp
add action=mark-packet chain=forward connection-bytes=5000001-30000000 connection-mark=Wifi130-DL-conn new-packet-mark=Other-Medium-Speed passthrough=no protocol=tcp
add action=mark-packet chain=forward connection-bytes=30000001-0 connection-mark=Wifi130-DL-conn new-packet-mark=Other-Low-Speed passthrough=no protocol=tcp
add action=mark-packet chain=forward connection-bytes=0-5000000 connection-mark=Wifi130-DL-conn new-packet-mark=Other-High-Speed passthrough=no protocol=udp
add action=mark-packet chain=forward connection-bytes=5000001-30000000 connection-mark=Wifi130-DL-conn new-packet-mark=Other-Medium-Speed passthrough=no protocol=udp
add action=mark-packet chain=forward connection-bytes=30000001-0 connection-mark=Wifi130-DL-conn new-packet-mark=Other-Low-Speed passthrough=no protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Public to-addresses=0.0.0.0

What is interesting is, that even though I can see traffic in IP->Firewall->Mangle windows in WinBox, there is no traffic in Queue window…

Image from Winbox when visiting www.google.com:

Matej

rextended · April 2, 2014, 5:27pm

Sorry:

/interface bridge export compact

levak · April 2, 2014, 5:59pm

Result of ‘/interface bridge export compact’

[admin@MikroTik] > /interface bridge export compact

apr/02/2014 17:58:40 by RouterOS 6.11

software id = 3UE8-NMHG

[admin@MikroTik] >

MAtej

docmarius · April 2, 2014, 9:34pm

If you use connection mark, that is exactly what happens. All packets belonging to that connection will be marked, incoming and outgoing.
e.g. in rule nr. 0, packets going out via Local will get a “All-Download” connection mark, and so will all the response packages of that connection (established state, don’t know about related…).

Now, in rule nr. 1, all packages that have the “All-Download” connection mark, incoming and outgoing, will get a packet mark “All-Download-Pkg”.

To have only a “All-Download-Pkg” packet mark on downloading packets, you should mark the packets directly in the first rule:
0 chain=forward action=action=mark-packet new-packet-mark=All-Download-Pkg passthrough=yes out-interface=Local

Packet marks do not appear in response packets.

rextended · April 2, 2014, 9:51pm

+1

Thank you for responding at the user.