packet marking on mangle

I want to separate ICMP and non-ICMP traffic per network subnet via packet marking.
Here is my config:

/ip firewall mangle add chain=prerouting src-address=192.168.0.0/24 protocol=icmp action=mark-connection new-connection-mark=icmp-conn passthrough=yes

/ip firewall mangle add chain=forward connection-mark=icmp-conn action=mark-packet new-packet-mark=icmp passthrough=no



And then I want to mark non-ICMP packets:

OPTION 1.
/ip firewall mangle add chain=prerouting src-address=192.168.0.0/24 action=mark-connection new-connection-mark=local-conn passthrough=yes

/ip firewall mangle add chain=forward connection-mark=local-conn action=mark-packet new-packet-mark=local passthrough=no

OPTION 2.
/ip firewall mangle add chain=prerouting src-address=192.168.0.0/24 packet-mark=!icmp connection-mark=!icmp-conn action=mark-connection new-connection-mark=local-conn passthrough=yes

/ip firewall mangle add chain=forward connection-mark=local-conn action=mark-packet new-packet-mark=local passthrough=no

Which one should work correctly, option 1 or 2? Or maybe there are other options? Thanks in advance :smiley:

Second one!

First mark ICMP
Second mark non-ICMP

/ip firewall mangle 
add chain=prerouting src-address=192.168.0.0/24 protocol=icmp action=mark-connection  \
     new-connection-mark=icmp-conn
add chain=forward connection-mark=icmp-conn action=mark-packet  \
     new-packet-mark=icmp
add chain=prerouting src-address=192.168.0.0/24 protocol=!icmp action=mark-connection  \
     new-connection-mark=non-icmp-conn
add chain=forward connection-mark=non-icmp-conn action=mark-packet  \
     new-packet-mark=non-icmp

OR

/ip firewall mangle 
add chain=prerouting src-address=192.168.0.0/24 protocol=icmp action=mark-connection  \
     new-connection-mark=icmp-conn
add chain=forward connection-mark=icmp-conn action=mark-packet  \
     new-packet-mark=icmp
add chain=prerouting src-address=192.168.0.0/24 connection-mark=!icmp-conn  \
     action=mark-connection new-connection-mark=non-icmp-conn
add chain=forward connection-mark=non-icmp-conn action=mark-packet  \
     new-packet-mark=non-icmp

Ah... I see. But what if I just make it more precise...

add chain=prerouting src-address=192.168.0.0/24 protocol=!icmp connection-mark=!icmp-conn packet-mark=!icmp action=mark-connection new-connection-mark=non-icmp-conn

add chain=forward connection-mark=non-icmp-conn action=mark-packet new-packet-mark=non-icmp

Does it work too? Or will making it more precise only consume more CPU load and slow the system down, or maybe cause a "failed packet marking"? Hehe, sorry, maybe just a dumb question, but I really need to think carefully about packet marking, because it will be used in bandwidth control for our customers :slight_smile: Anyway, is it important to separate ICMP traffic? Just to keep the ping time stable, since some customers judge the connection quality by its ping time, not considering that they have already used all the bandwidth allocated to them...

What about passthrough then? It's a little bit confusing for me...
Or maybe, for instance, how can I set up mangle for this scenario:
"if a rule matches the packet, ignore all rules below". Can passthrough control this scenario, or should I just use the "return" action?

Since I manage public IPs, do I have to use connection marks, or is a packet mark enough? Because the manual says that "if you use masqueraded IPs, you have to use connection marks" and I don't have masqueraded IPs...

Thank you so much... :wink:

There are two passthroughs that mangle provides.
First, action=passthrough, which just ignores this rule and passes the packet further down the mangle rule list; it could be used just for statistics.
Second, 'passthrough=yes' or 'no', which is used to exclude or not exclude marked packets from the mangle table, as packets marked once can be marked again and the first mark is not used; that's why passthrough=no means to exclude the traffic from the mangle table and proceed with this traffic for further actions.

OK... thank you so much... and for the other questions? :smiley:

It would probably be better to mark any packets (there is no sense in packet-mark=!icmp); in my opinion it is better to leave src-address, or even do without it for the second rule (if there are no other networks).

So you're saying that packet-mark=!icmp would probably fail, or not be 100% successful? Apparently there are other networks... :frowning:

It will work OK, but why do you want to match something that will never happen? You already marked ICMP packets and those packets won't pass to the next rules if passthrough=no was set. So the point is that there is no need to check packet-mark=!icmp, since those packets will never reach that rule.
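To make the difference between option 1 and option 2 concrete, here is an added example (not from the thread or from MikroTik) that models RouterOS mangle evaluation for the two chains used above: an ordered rule list, a conntrack-like table of connection marks, per-packet packet marks, and the passthrough flag that stops evaluation of the current chain. It assumes the normal netfilter ordering in which a forwarded packet traverses prerouting before forward, implements only the matchers the thread uses (src-address, protocol, connection-mark, packet-mark), and runs three constructed packets through both rule sets. The Rule and Mangle classes, the option_rules builder and the sample PACKETS are illustration-only names, not RouterOS API.

```python
"""
Simplified model of RouterOS mangle evaluation (prerouting, then forward)
with connection marks, packet marks and passthrough. Added illustration only:
it is not RouterOS code and models just the matchers used in this thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    chain: str
    action: str                          # "mark-connection" or "mark-packet"
    new_mark: str
    passthrough: bool = True
    src_address: Optional[str] = None    # CIDR, e.g. "192.168.0.0/24"
    protocol: Optional[str] = None       # "icmp" or "!icmp"
    connection_mark: Optional[str] = None
    packet_mark: Optional[str] = None

    @staticmethod
    def _match(spec, value):
        # None means the matcher is not set; a leading "!" negates, as in RouterOS.
        if spec is None:
            return True
        if spec.startswith("!"):
            return value != spec[1:]
        return value == spec

    def matches(self, pkt, conn_marks):
        if self.src_address and ip_address(pkt["src"]) not in ip_network(self.src_address):
            return False
        return (self._match(self.protocol, pkt["proto"])
                and self._match(self.connection_mark, conn_marks.get(pkt["conn"]))
                and self._match(self.packet_mark, pkt.get("packet_mark")))


class Mangle:
    def __init__(self, rules):
        self.rules = rules
        self.conn_marks = {}                # stands in for the conntrack table
        self.hits = [0] * len(rules)        # per-rule counters, like the RouterOS stats
        self.prerouting_packet_marks = []   # packet mark as seen when prerouting starts

    def run_chain(self, chain, pkt):
        for i, rule in enumerate(self.rules):            # rules are evaluated in list order
            if rule.chain != chain or not rule.matches(pkt, self.conn_marks):
                continue
            self.hits[i] += 1
            if rule.action == "mark-connection":
                self.conn_marks[pkt["conn"]] = rule.new_mark
            elif rule.action == "mark-packet":
                pkt["packet_mark"] = rule.new_mark
            if not rule.passthrough:
                break                                    # passthrough=no: stop this chain here

    def process(self, pkt):
        """Run one forwarded packet through prerouting then forward; return (packet mark, connection mark)."""
        pkt = dict(pkt)
        self.prerouting_packet_marks.append(pkt.get("packet_mark"))
        self.run_chain("prerouting", pkt)
        self.run_chain("forward", pkt)
        return pkt.get("packet_mark"), self.conn_marks.get(pkt["conn"])


LAN = "192.168.0.0/24"


def option_rules(option):
    """The thread's option 1 (no exclusion) or option 2 (excludes already-marked ICMP connections)."""
    icmp = [
        Rule("prerouting", "mark-connection", "icmp-conn", True, LAN, "icmp"),
        Rule("forward", "mark-packet", "icmp", False, connection_mark="icmp-conn"),
    ]
    if option == 1:
        non_icmp = Rule("prerouting", "mark-connection", "local-conn", True, LAN)
    else:
        non_icmp = Rule("prerouting", "mark-connection", "local-conn", True, LAN,
                        connection_mark="!icmp-conn", packet_mark="!icmp")
    return icmp + [non_icmp,
                   Rule("forward", "mark-packet", "local", False, connection_mark="local-conn")]


# Constructed sample traffic (not captured from a real router); "conn" is the flow key.
PACKETS = {
    "lan_icmp": {"src": "192.168.0.5", "proto": "icmp", "conn": ("192.168.0.5", "8.8.8.8", "icmp")},
    "lan_tcp":  {"src": "192.168.0.5", "proto": "tcp",  "conn": ("192.168.0.5", "1.1.1.1", "tcp", 443)},
    "other":    {"src": "10.0.0.7",    "proto": "tcp",  "conn": ("10.0.0.7", "1.1.1.1", "tcp", 80)},
}


def run_option(option):
    """Return {packet name: (packet mark, connection mark)} and the Mangle instance used."""
    m = Mangle(option_rules(option))
    return {name: m.process(pkt) for name, pkt in PACKETS.items()}, m


if __name__ == "__main__":
    for opt in (1, 2):
        results, _ = run_option(opt)
        print(f"option {opt}: {results}")
```

Running it shows why the answer is "the second one": with option 1 the ICMP packet ends up with packet mark `local`, because the first prerouting rule has passthrough=yes and the unconditional second prerouting rule overwrites `icmp-conn` with `local-conn` before the forward chain runs. Option 2 keeps `icmp` on ICMP and `local` on TCP, and the packet from 10.0.0.7 gets no mark at all. The recorded prerouting packet marks are all None in this model, which is the point made above: nothing in prerouting sets a packet mark before the non-ICMP rule, so `packet-mark=!icmp` is always true there and the exclusion that actually does the work is `connection-mark=!icmp-conn`.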