savage
June 29, 2006, 3:11pm
1
Ok,
Something’s wrong here… Help pls?
First, I mark:
3 ;;; SSH Connection
chain=prerouting protocol=tcp dst-port=22 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
4 ;;; Telnet Connection
chain=prerouting protocol=tcp dst-port=23 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
5 ;;; HTTP Connection
chain=prerouting protocol=tcp dst-port=80 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
6 ;;; HTTPs Connection
chain=prerouting protocol=tcp dst-port=443 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
7 ;;; Telnet via SSL Connection
chain=prerouting protocol=tcp dst-port=992 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
8 ;;; MS Remote Desktop Connection
chain=prerouting protocol=tcp dst-port=3389 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
9 chain=prerouting connection-mark=Prio2 src-address-list=Everyone action=mark-packet new-packet-mark=Prio2 passthrough=no
Already, the counters do not add up:
3 ;;; SSH Connection
prerouting mark-connection 486983 6481
4 ;;; Telnet Connection
prerouting mark-connection 0 0
5 ;;; HTTP Connection
prerouting mark-connection 669 8
6 ;;; HTTPs Connection
prerouting mark-connection 0 0
7 ;;; Telnet via SSL Connection
prerouting mark-connection 0 0
8 ;;; MS Remote Desktop Connection
prerouting mark-connection 0 0
9 prerouting mark-packet 2709264 12914
Rule 9 marks packets where the connection has not been marked (rules 3 to 8).
The queue tree, I believe, is fine however:
1 name="Priority 2" parent=global-total packet-mark=Prio2 limit-at=0 queue=default priority=2 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
I’ve seen multiple posts where the mangle happens on either the forward or the prerouting chain… Which is it supposed to be? Any help to get this right would be wonderful!
–
C
savage
June 29, 2006, 3:37pm
2
Doh! It might help if I add the src-address I’m testing from into my address-list -grin-
Seems to work fine. Yet another good example in the forums for someone to find via the search button.
jo2jo
June 30, 2006, 5:20am
3
I’m confused by the:
9 chain=prerouting connection-mark=Prio2 src-address-list=Everyone action=mark-packet new-packet-mark=Prio2 passthrough=no
Is that to make it so everything else is grabbed by the queue and thus processed by the queue?
If so, could you just set that to passthrough=yes and packet-mark=SOMETHING and then have the queue look for SOMETHING to then limit?
I’m asking because this is kind of what I have set up and I want to verify it’s working right… because I have my doubts sometimes about it catching all the traffic.
Thanks
joe
savage
June 30, 2006, 5:36am
4
8 ;;; MS Remote Desktop Connection
chain=prerouting protocol=tcp dst-port=3389 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2
passthrough=yes
9 chain=prerouting connection-mark=Prio2 src-address-list=Everyone action=mark-packet new-packet-mark=Prio2 passthrough=no
As I understand it, rules 3-8 (or just 8 above) mark the new connections. Rule 9 then takes all the connections that have been marked, and marks the packets on those connections.
Rule 9 basically says: if the connection matches Prio2, mark the packets as Prio2. The packets that are marked then get picked up in the queue tree. From what I can see on my queue tree, it seems to definitely be working - and I’ve also seen priority take effect, where one service is radically slowed down to make bandwidth available for higher priority packets…
Complete config:
[cknipe@wsmd-core02] > /ip firewall mangle pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; DNS TCP
chain=prerouting protocol=tcp dst-port=53 src-address-list=Everyone action=mark-connection new-connection-mark=Prio1 passthrough=yes
1 ;;; DNS UDP
chain=prerouting protocol=udp dst-port=53 src-address-list=Everyone action=mark-connection new-connection-mark=Prio1 passthrough=yes
2 chain=prerouting connection-mark=Prio1 src-address-list=Everyone action=mark-packet new-packet-mark=Prio1 passthrough=no
3 ;;; SSH Connection
chain=prerouting protocol=tcp dst-port=22 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
4 ;;; Telnet Connection
chain=prerouting protocol=tcp dst-port=23 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
5 ;;; HTTP Connection
chain=prerouting protocol=tcp dst-port=80 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
6 ;;; HTTPs Connection
chain=prerouting protocol=tcp dst-port=443 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
7 ;;; Telnet via SSL Connection
chain=prerouting protocol=tcp dst-port=992 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
8 ;;; MS Remote Desktop Connection
chain=prerouting protocol=tcp dst-port=3389 src-address-list=Everyone action=mark-connection new-connection-mark=Prio2 passthrough=yes
9 chain=prerouting connection-mark=Prio2 src-address-list=Everyone action=mark-packet new-packet-mark=Prio2 passthrough=no
10 ;;; SMTP Connection
chain=prerouting protocol=tcp dst-port=25 src-address-list=Everyone action=mark-connection new-connection-mark=Prio3 passthrough=yes
11 ;;; POP3 Connection
chain=prerouting protocol=tcp dst-port=110 src-address-list=Everyone action=mark-connection new-connection-mark=Prio3 passthrough=yes
12 ;;; NNTP Connection
chain=prerouting protocol=tcp dst-port=119 src-address-list=Everyone action=mark-connection new-connection-mark=Prio3 passthrough=yes
13 ;;; SMTPs Connection
chain=prerouting protocol=tcp dst-port=465 src-address-list=Everyone action=mark-connection new-connection-mark=Prio3 passthrough=yes
14 ;;; NNTPs Connection
chain=prerouting protocol=tcp dst-port=563 src-address-list=Everyone action=mark-connection new-connection-mark=Prio3 passthrough=yes
15 ;;; POP3s Connection
chain=prerouting protocol=tcp dst-port=995 src-address-list=Everyone action=mark-connection new-connection-mark=Prio3 passthrough=yes
16 chain=prerouting connection-mark=Prio3 src-address-list=Everyone action=mark-packet new-packet-mark=Prio3 passthrough=no
17 ;;; FTP-DATA Connection
chain=prerouting protocol=tcp dst-port=20 src-address-list=Everyone action=mark-connection new-connection-mark=Prio4 passthrough=yes
18 ;;; FTP Connection
chain=prerouting protocol=tcp dst-port=21 src-address-list=Everyone action=mark-connection new-connection-mark=Prio4 passthrough=yes
19 ;;; FTP-DATAs Connection
chain=prerouting protocol=tcp dst-port=989 src-address-list=Everyone action=mark-connection new-connection-mark=Prio4 passthrough=yes
20 ;;; FTPs Connection
chain=prerouting protocol=tcp dst-port=990 src-address-list=Everyone action=mark-connection new-connection-mark=Prio4 passthrough=yes
21 chain=prerouting connection-mark=Prio4 src-address-list=Everyone action=mark-packet new-packet-mark=Prio4 passthrough=no
22 chain=prerouting connection-mark=Prio5 src-address-list=Everyone action=mark-packet new-packet-mark=Prio5 passthrough=no
23 ;;; All Other UDP
chain=prerouting protocol=udp p2p=!all-p2p src-address-list=Everyone action=mark-connection new-connection-mark=Prio6 passthrough=yes
24 chain=prerouting connection-mark=Prio6 src-address-list=Everyone action=mark-packet new-packet-mark=Prio6 passthrough=no
25 ;;; All Other TCP
chain=prerouting protocol=tcp p2p=!all-p2p src-address-list=Everyone action=mark-connection new-connection-mark=Prio7 passthrough=yes
26 chain=prerouting connection-mark=Prio7 src-address-list=Everyone action=mark-packet new-packet-mark=Prio7 passthrough=no
27 ;;; All P2P
chain=prerouting p2p=all-p2p src-address-list=Everyone action=mark-connection new-connection-mark=Prio8 passthrough=yes
28 chain=prerouting connection-mark=Prio8 src-address-list=Everyone action=mark-packet new-packet-mark=Prio8 passthrough=no
[cknipe@wsmd-core02] > /queue tree print
Flags: X - disabled, I - invalid
0 name="Priority 1" parent=global-total packet-mark=Prio1 limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
1 name="Priority 2" parent=global-total packet-mark=Prio2 limit-at=0 queue=default priority=2 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
2 name="Priority 3" parent=global-total packet-mark=Prio3 limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
3 name="Priority 4" parent=global-total packet-mark=Prio4 limit-at=0 queue=default priority=4 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
4 name="Priority 5" parent=global-total packet-mark=Prio5 limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
5 name="Priority 6" parent=global-total packet-mark=Prio6 limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
6 name="Priority 7" parent=global-total packet-mark=Prio7 limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
7 name="Priority 8" parent=global-total packet-mark=Prio8 limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
[cknipe@wsmd-core02] > /queue tree print stats
Flags: X - disabled, I - invalid
0 name="Priority 1" parent=global-total packet-mark=Prio1 limit-at=0 rate=56 packet-rate=0 queued-bytes=0 queued-packets=0 bytes=601943 packets=5453 dropped=0 overlimits=0 lends=3619 borrows=1834
1 name="Priority 2" parent=global-total packet-mark=Prio2 limit-at=0 rate=1184 packet-rate=1 queued-bytes=0 queued-packets=0 bytes=10260679 packets=144869 dropped=0 overlimits=0 lends=9978 borrows=134891
2 name="Priority 3" parent=global-total packet-mark=Prio3 limit-at=0 rate=0 packet-rate=0 queued-bytes=0 queued-packets=0 bytes=382148 packets=1463 dropped=0 overlimits=0 lends=693 borrows=770
3 name="Priority 4" parent=global-total packet-mark=Prio4 limit-at=0 rate=0 packet-rate=0 queued-bytes=0 queued-packets=0 bytes=16775 packets=381 dropped=0 overlimits=0 lends=255 borrows=126
4 name="Priority 5" parent=global-total packet-mark=Prio5 limit-at=0 rate=0 packet-rate=0 queued-bytes=0 queued-packets=0 bytes=0 packets=0 dropped=0 overlimits=0 lends=0 borrows=0
5 name="Priority 6" parent=global-total packet-mark=Prio6 limit-at=0 rate=0 packet-rate=0 queued-bytes=0 queued-packets=0 bytes=1591922 packets=15940 dropped=0 overlimits=0 lends=6971 borrows=8969
6 name="Priority 7" parent=global-total packet-mark=Prio7 limit-at=0 rate=3168 packet-rate=2 queued-bytes=0 queued-packets=0 bytes=19565084 packets=176046 dropped=0 overlimits=0 lends=19304 borrows=156742
7 name="Priority 8" parent=global-total packet-mark=Prio8 limit-at=0 rate=0 packet-rate=0 queued-bytes=0 queued-packets=0 bytes=7460 packets=5 dropped=0 overlimits=0 lends=5 borrows=0
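The mark-connection / mark-packet interaction described in the posts above, as a small added Python model that is not part of the thread and not RouterOS code: it runs mangle rules 3 and 9 over constructed packets, assuming an Everyone list that contains both ends of the connection. It shows why the rule 9 counter is not expected to equal the sum of rules 3 to 8 (rule 9 counts every packet of an already-marked connection that passes its own matchers, replies included, while rule 3 only counts packets with dst-port 22), that a host missing from the address list gets no mark at all (the fix in post 2), and that rule 9 does not catch connections nothing else marked (the question in post 3).

```python
# Added example (not from the thread): toy model of RouterOS mangle semantics
# for rules 3 and 9 above. Hosts, ports and packets are constructed sample data.
EVERYONE = {"10.0.0.5", "192.0.2.10"}   # stands in for src-address-list=Everyone

RULES = [  # same order and semantics as mangle rules 3 and 9 in the thread
    {"dport": 22, "src_list": EVERYONE, "action": "mark-connection",
     "new_mark": "Prio2", "passthrough": True},
    {"connection_mark": "Prio2", "src_list": EVERYONE, "action": "mark-packet",
     "new_mark": "Prio2", "passthrough": False},
]

def conn_key(pkt):
    """Connection tracking sees both directions as one flow: normalise the tuple."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

def run_mangle(rules, packets):
    """Walk packets through the chain; return (per-rule counters, packet marks)."""
    conn_marks, counters, marks = {}, [0] * len(rules), []
    for pkt in packets:
        key, pmark = conn_key(pkt), None
        for i, rule in enumerate(rules):
            if "dport" in rule and pkt["dport"] != rule["dport"]:
                continue
            if "src_list" in rule and pkt["src"] not in rule["src_list"]:
                continue
            if "connection_mark" in rule and conn_marks.get(key) != rule["connection_mark"]:
                continue
            counters[i] += 1
            if rule["action"] == "mark-connection":
                conn_marks[key] = rule["new_mark"]   # sticks to every later packet of the flow
            else:
                pmark = rule["new_mark"]
            if not rule["passthrough"]:
                break                                 # passthrough=no ends the chain
        marks.append(pmark)
    return counters, marks

def pkt(src, sport, dst, dport):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}

SAMPLE = (
    [pkt("10.0.0.5", 50000, "192.0.2.10", 22)] * 3      # client -> server, dst-port 22
    + [pkt("192.0.2.10", 22, "10.0.0.5", 50000)] * 3    # server replies: dst-port is 50000
    + [pkt("10.0.0.9", 50001, "192.0.2.10", 22)] * 2    # host NOT in Everyone: never marked
    + [pkt("10.0.0.5", 50002, "192.0.2.10", 8080)]      # unmarked connection: rule 9 skips it
)

if __name__ == "__main__":
    counters, marks = run_mangle(RULES, SAMPLE)
    print(counters, marks)   # [3, 6] and six 'Prio2' followed by three None
```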