packet marking for QoS

laverc · January 20, 2024, 5:55am

Hello - here is my setup. Two routers, one is acting as a range extender. On the main router I want to mark packets from one server .99 to the other server .100. I created a new mangle rule with the following: Chain - Prerouting, Src. Add - .99 and Dest. Add .100, In action, I set action - mark packet, with New Packet Mark - test. passthrough is checked. The rule does not ever show any packets; even though I use wireshark and clearly see traffic between the two PC’s . Any suggestions

holvoetn · January 20, 2024, 8:03am

It might be more useful for anyone to help you if you could provide a bit more info.

Like indicated in this thread:
http://forum.mikrotik.com/t/getting-the-most-out-of-this-forum/40983/1

jvanhambelgium · January 20, 2024, 8:13am

Pre-routing chain ?
Try the “forward” chain and it will work I guess.

I’ve several marking-rules and they work fine as the traffic flows-through the Mikrotik (= forward chain)

pe1chl · January 20, 2024, 10:32am

Also, what do you mean with “one is acting as a range extender”?
Is it operating as a router or did you configure it as a bridge?

laverc · January 20, 2024, 6:52pm

To be more clear:

I cannot get mangle to mark packets and would like some help with that. Below is an image of my network (capture)
I am using routerOs 7.13.2
The repeater is an ‘ap bridge’ , see picture below for a quick overview of its setup (capture2)
On the ‘Main’ I am adding the mangle rule (capture3)
the statistics page for the mangle rule shows no packets, even though I can see them with Wireshark. Wireshark is running on 192.168.1.99.

Pre-routing chain ?
Try the “forward” chain and it will work I guess.

tried that previously to no avail

pe1chl · January 21, 2024, 10:15am

That “Repeater” seems not to be routing (IP address is from the same subnet).
In that case “firewall mangle” rules are not processed, because the traffic is not routed but only bridged.
You can set the option “Use IP firewall” in the bridge global settings, but be careful not to lock yourself out.

laverc · January 21, 2024, 7:03pm

The repeater or ‘wi-fi range extender’ is in the mode of ‘AP Bridge’ and my understanding is that the traffic from the ‘repeater’ is forwarded to the main, and therefore the mangle rules would not be processed in the repeater. However, I believe they should be processed in the main; as this is where I put the mangle rule. Which is what I think you are saying Pe1chi.

You can set the option “Use IP firewall” in the bridge global settings, but be careful not to lock yourself out.

Is the recommendation to set the ‘use ip firewall’ in the repeater or the main?

pe1chl · January 21, 2024, 7:53pm

It all depends on what you want to accomplish… which is not very clear from your description.
Firewall rules will not affect what is happening inside the network that you have sketched.
Only when there is more to it than you show us (e.g. the “main” router also has an internet connection) it could work.
Still, it would not affect traffic between the two computers shown.
To have that, you need the bridge setting. And you need it at least on the side that originates the traffic you want to mark.