In order to optimize the mangle config, one must know exactly if packets are processed one by one by all the packet flow mechanisms or one by one by a facility/chain/whatever. Or what rules apply? When are packets processed one by one and when all together/in groups?
Another question: will this config catch all packets of the connection and mark the routing of all packets:
? Will ROS recognize the second incoming packet (this means before the second packet enters the chain) is from the connection, when the connection is actually marked in a later rule in the same chain?
Another question: which is faster? large address-lists (50-100+) or “action=jump” processing?
Another question: how fast are address-lists ready to be matched by a mangle rule when a new entry is added to them? for example:
As you may have guessed, I am trying to adapt the Load_Balancing_Persistent example to the setup I am currently working on. If anyone else has gone through this - please comment. As I think the example is highly unoptimized and slowing down the CPU.
I think an optimization guide by the MikroTik team will help all, it will be a good addition to the Wiki.
address-lists are faster, I was converting to them when this feature first appeared - results were impressive.
if you use “connection-mark=” option it will lookup this mark in connection tracking, and if at least one packet got connection-mark it will be there.
nth=2,1 example will not solve your problems, with rules like this you will sooner or later end up with all connections as odd
I will try to write rules that will avoid that problem.
If the first packet of a connection causes the src-addr to be added to the lookup address list, will the second packet match that address-list? Is it that fast? And can we place the matching rule of the second packet above the matching rule of the first packet?
> if you use “connection-mark=” option it will lookup this mark in connection tracking, and if at least one packet got connection-mark it will be there.
This is correct but connection tracking has different functionality to what we are trying to accomplish in the mangle chain=prerouting for highly optimized load balancing. The question is: if the first packet of a connection causes the connection to be marked, will the second packet of that connection match the connection matching rule? Is it that fast? And can we place the matching rule of the second packet above the matching rule of the first packet? From the point of view of the prerouting as a separate facility, is ‘marking’ being processed before the attention is shifted to the second incoming packet?
> nth=2,1 example will not solve your problems, with rules like this you will sooner or later end up with all connections as odd
> I will try to write rules that will avoid that problem.
> last 2 rules are for connection-type=new packets
First line - will it be faster if we do not match every packet against an address-list, instead first match a connection-state=new packet against the list and then 1. mark the connection and 2. match the rest of the packets with that connection mark?
Second line - with only two possibilities, all packets that are not Even are Odd, we do not need to match them at all?
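The two questions in this post (match the address-list only for connection-state=new packets and then rely on the connection mark, and treat everything that is not even as odd) can be checked against a toy model of the mangle chain. The following Python simulation is an added example written for this thread; it is not RouterOS code and not MikroTik's implementation. It assumes what the reply above states, that a connection-mark is held in connection tracking and is seen by every later packet of the connection, plus three modelling simplifications: packets traverse the chain one at a time in rule order, the first packet of a connection is connection-state=new and every later one is established (real conntrack keeps "new" until a reply is seen), and each `nth=every,packet` rule keeps its own counter over the packets that reach it. The address list, host addresses and mark names are constructed.

```python
"""Toy model of a mangle prerouting chain on top of connection tracking (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Packet = Tuple[str, str]  # (src, dst): constructed stand-in for the full 5-tuple


@dataclass
class Conn:
    state: str = "new"          # connection-state seen by the packet being processed
    mark: Optional[str] = None  # connection-mark stored in the conntrack entry


@dataclass
class Rule:
    action: str                                 # "mark-connection" or "mark-routing"
    new_mark: str
    conn_state: Optional[str] = None            # connection-state= matcher
    conn_mark: Optional[str] = None             # connection-mark= matcher ("no-mark" = unmarked)
    src_list: Optional[FrozenSet[str]] = None   # src-address-list= matcher
    nth: Optional[Tuple[int, int]] = None       # nth=every,packet matcher (assumed per-rule counter)
    passthrough: bool = True
    counter: int = 0


class Mangle:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conntrack: Dict[Packet, Conn] = {}
        self.list_lookups = 0  # how many times a packet was tested against an address list

    def process(self, pkt: Packet) -> Optional[str]:
        """Run one packet through the chain and return the routing-mark it leaves with."""
        conn = self.conntrack.setdefault(pkt, Conn())
        routing_mark = None
        for rule in self.rules:
            if rule.conn_state is not None and conn.state != rule.conn_state:
                continue
            if rule.conn_mark is not None:
                wanted = None if rule.conn_mark == "no-mark" else rule.conn_mark
                if conn.mark != wanted:
                    continue
            if rule.src_list is not None:
                self.list_lookups += 1
                if pkt[0] not in rule.src_list:
                    continue
            if rule.nth is not None:  # counter cycles 1..every over packets reaching this rule
                every, which = rule.nth
                rule.counter = rule.counter % every + 1
                if rule.counter != which:
                    continue
            if rule.action == "mark-connection":
                conn.mark = rule.new_mark  # stored in conntrack: visible to every later packet
            else:
                routing_mark = rule.new_mark
            if not rule.passthrough:
                break
        conn.state = "established"  # simplification: only the first packet is "new"
        return routing_mark


LOAD_BALANCED = frozenset({"10.0.0.1", "10.0.0.2", "10.0.0.3"})  # constructed address list


def traffic() -> List[Packet]:
    """Constructed sample: three LAN hosts, three packets each, interleaved."""
    return [(h, "203.0.113.9") for _ in range(3) for h in sorted(LOAD_BALANCED)]


def run(chain: Mangle, packets: List[Packet]) -> List[Optional[str]]:
    return [chain.process(p) for p in packets]


def route_per_connection(routing_rules_first: bool = False) -> Tuple[List[Optional[str]], int]:
    """List lookup only for new connections; later packets matched by connection-mark.
    The 'even' rule has no nth: every new connection that was not marked odd is even."""
    marking = [
        Rule("mark-connection", "odd", conn_state="new", src_list=LOAD_BALANCED, nth=(2, 1)),
        Rule("mark-connection", "even", conn_state="new", conn_mark="no-mark", src_list=LOAD_BALANCED),
    ]
    routing = [
        Rule("mark-routing", "to_wan1", conn_mark="odd", passthrough=False),
        Rule("mark-routing", "to_wan2", conn_mark="even", passthrough=False),
    ]
    chain = Mangle(routing + marking if routing_rules_first else marking + routing)
    return run(chain, traffic()), chain.list_lookups


def route_per_packet() -> Tuple[List[Optional[str]], int]:
    """Every packet tested against the list and the nth counter: no per-connection persistence."""
    chain = Mangle([
        Rule("mark-routing", "to_wan1", src_list=LOAD_BALANCED, nth=(2, 1), passthrough=False),
        Rule("mark-routing", "to_wan2", src_list=LOAD_BALANCED, passthrough=False),
    ])
    return run(chain, traffic()), chain.list_lookups


if __name__ == "__main__":
    for name, result in [("per-connection", route_per_connection()),
                         ("routing rules above marking rules", route_per_connection(True)),
                         ("per-packet", route_per_packet())]:
        marks, lookups = result
        print(f"{name}: {lookups} list lookups, marks={marks}")
```

In this model the per-connection chain tests the address list only for the three new packets and keeps every later packet of a connection on the same WAN, while the per-packet chain does a lookup for every packet and flips hosts between WANs as the nth counter advances. Putting the connection-mark routing rules above the marking rules still matches from the second packet on, but the first packet of each connection leaves the chain without a routing mark, which is why the marking rules are normally placed first.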