Prerouting Connections cannot be shaped

I’ve marked connections using chain prerouting. But these connections cannot be shaped using simple rules. Why so?

Example:
/ip firewall mangle
add chain=prerouting src-address-list=512k action=mark-connection new-connection-mark=512k_conn passthrough=yes
add chain=prerouting connection-mark=512k_conn action=mark-packet new-packet-mark=512k_p passthrough=no

/queue simple
add name="512k" packet-marks=512k_p max-limit=128000/512000 priority=8

It’s not limiting the connections. It’s unlimited.

Do you have another mangle rule related to list=512k on another chain? I just tried your code and it works perfectly. Or could you attach the output of
/ip fi ma export

so we could have a better overview of your system?

No other rule for the 512k list. But I’m using web proxy and caching.

Does mangle counters increase?
Try to use ‘Queue Tree’ instead of ‘Simple Queues’.
http://wiki.mikrotik.com/wiki/Queue_with_Masquerading_and_Internal_Web-Proxy

HTH,

  1. Just make another packet mark on chain output and name it "packet-from-proxy" with dst-address-list=512k

  2. Make another simple queue entry with packet-mark=packet-from-proxy

  3. Let me know if that works

Mangle increases.

Output chain is working fine with dst-address-list only for download traffic. But I wanted to do it like what it says here:
http://wiki.mikrotik.com/wiki/TransparentTrafficShaper
Looks very simple. I did not bridge, though.

In my basic understanding of simple queues:

  1. you could make a traffic shaping based on target address
  2. you could also use the packet mark


Next, take a look at your traffic. Assuming you have a transparent proxy for HTTP traffic (destination port 80), I will simplify the packet stream into 4 streams in 2 connections:
a) ------------->              c) ------------->
CLIENT            RouterOS                     WEB-SERVER
b) <------------               d) <------------
  1. connection I, between client and ROS
    a) request comes from client and is redirected by ROS
    b) ROS, as a proxy, responds to the request to the client

  2. connection II, between ROS and web server
    c) proxy request
    d) web-server response

Let’s see what you have done:

  1. connection marking for connection I

  2. packet marking for packet stream a) "512_p"

  3. shaping with simple queue parameter packet-mark="512_p"

My question: on packet stream b), have you marked the packet flow in that direction?
I guess you will have no-mark packets in this direction (b). That’s the reason you could not do traffic shaping with a single-flow packet mark. In the download direction you will also need to mark the packets.

Let’s make it simple: you have already marked the upload packet stream with 512_p. Just make, as I posted, the same packet mark in the output chain, but name it "512_p" instead of "packet-from-proxy". And disable the simple queue entry with packet mark "packet-from-proxy".

Correct me if I am wrong, please.

Output chain is working fine with dst-address-list only for download traffic. But I wanted to do it like what it says here:
http://wiki.mikrotik.com/wiki/TransparentTrafficShaper
Looks very simple. I did not bridge, though.

Your scenario and the wiki scenario have the following differences:

  1. On the wiki, it is a single connection with a two-way data stream a) and b). Since both data streams come from outside of RouterOS, you could mark the packets on the prerouting chain.
  a) -------------------------------------------->
CLIENT                RouterOS              WEB-SERVER
  b) <-------------------------------------------
  2. In your scenario (look at my post), the a) data stream came from the client; that is fine to mark the packets on prerouting. But the b) data stream comes from RouterOS. In this case you could not mark the packets based on the connection as shown on the wiki. Packets that come from RouterOS itself will never pass through the chain prerouting.

For details, see http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

Correct me if I am wrong, please.
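To put the two-direction marking described above into one configuration, here is an added example (not posted by anyone in this thread). It assumes the address list "512k" already holds the client IPs, that the router's own web proxy is in use, and keeps the names from the first post; the only new rule is the output-chain one.

```routeros
# Added example, not from the thread. Assumes address list "512k" already exists.
/ip firewall mangle
# Upload direction: client -> router (proxy). The packets arrive from the network,
# so the prerouting chain sees them and the connection mark works as in the first post.
add chain=prerouting src-address-list=512k action=mark-connection new-connection-mark=512k_conn passthrough=yes comment="client -> proxy"
add chain=prerouting connection-mark=512k_conn action=mark-packet new-packet-mark=512k_p passthrough=no
# Download direction: proxy -> client. These packets are generated by the router itself,
# so they go output -> postrouting and never traverse prerouting; match them by
# destination list in the output chain and give them the same packet mark.
add chain=output dst-address-list=512k action=mark-packet new-packet-mark=512k_p passthrough=no comment="proxy -> client"

/queue simple
# One queue catches both directions because both streams carry the same mark.
add name="512k" packet-marks=512k_p max-limit=128000/512000 priority=8
```

After applying it, `/ip firewall mangle print stats` should show the output-chain rule's counters increasing while the client browses; if they stay at zero, the proxy replies are not being matched and the queue will again see only the upload stream.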

Thanks. I understood. One more question. I’ve given two IPs to a client for his two PCs. But he pays for one. He wants to browse from both PCs. Now can I restrict him to browsing only from one PC at a time? No simultaneous connections from both PCs. Is it possible?

I have not tried it before; it will be complicated, but it could be done with some tricks.

  1. You have to group the IP addresses of the same user in a subnet. It could be done with DHCP static IPs.

  2a) Create a PCC type of queue, name it download, and set the classifier based on dst-address, also the src-address mask.
  2b) Create a second PCC for upload with dst-address and dst-address-mask.

  3. Set your simple queue to use this queue type.

With this trick you will classify both IPs into the same queue.

For details you could learn about PCC on the MikroTik wiki.

It seems beyond my expertise, but I’ll give it a try. Thanks a lot.

Anytime.