Port range not working in mangle rules

digin4 · April 28, 2020, 8:02am

I have two mangle rules, first one with a port range 12000-51819,51821-64000 and the second rule with only port 51820, issue is the range isn’t excluding the port 51820 correctly, it is still getting marked by the first rule, what am I doing wrong?

add chain=prerouting  action=mark-connection new-connection-mark=Games port=5060,5062,6250,3478-3479,3724,12000-51819,51821-64000 protocol=udp passthrough=yes
add chain=prerouting  action=mark-packet     connection-mark=Games new-packet-mark=Games passthrough=no

add chain=prerouting  action=mark-connection new-connection-mark=NordLynx port=51820 protocol=udp passthrough=yes
add chain=prerouting  action=mark-packet     connection-mark=NordLynx new-packet-mark=NordLynx passthrough=no

Thank you.

Zacharias · April 28, 2020, 11:08am

Am not sure if it is correct to add ports and port-ranges at the same line… According to the Manual it should be Ports or Port Ranges…
You can just move your last rules on top and you will be fine…

Edit, both ports and ports ranges can be used without a problem…

digin4 · April 29, 2020, 3:20am

Using both ports and port ranges work, I did move the rule to the top and it worked! thank you, but I’m still wondering why the port did not get excluded?

Zacharias · April 29, 2020, 2:44pm

I can’t be sure or guess as to why the first rule was matched by that port although it does not exist in the ports field.
What is your ROS Version ?
Is it updated to latest Version ?

digin4 · April 29, 2020, 3:49pm

Using latest version: v6.46.6 on hAP ac^2

Zacharias · April 29, 2020, 3:58pm

Then only one question remains, how sure are you that indeed it was matched by the Rule because of that specific port ?

digin4 · April 29, 2020, 5:13pm

I generated traffic and checked where the queued bytes are going, also used torch to verify that it is indeed port 51820