Queue tree in a dual WAN installation

Hello

We have a CCR1009 with two WANs. In the DMZ we have some services and we wanted to serve them from both WANs, so we did this in mangle to remember which WAN we need to use to answer requests:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Input: Fibra1->ROS
chain=input action=mark-connection new-connection-mark=Fibra1->ROS passthrough=no in-interface=pppoe-fibra1 connection-mark=no-mark log=no log-prefix=""

1 ;;; Input: Fibra2->ROS
chain=input action=mark-connection new-connection-mark=Fibra2->ROS passthrough=no in-interface=pppoe-fibra2 connection-mark=no-mark log=no log-prefix=""

2 ;;; Output: ROS->Fibra1
chain=output action=mark-routing new-routing-mark=Fibra1_Route passthrough=no connection-mark=Fibra1->ROS log=no log-prefix=""

3 ;;; Output: ROS->Fibra2
chain=output action=mark-routing new-routing-mark=Fibra2_Route passthrough=no connection-mark=Fibra2->ROS log=no log-prefix=""

4 ;;; Forward: Fibra1->LAN
chain=forward action=mark-connection new-connection-mark=Fibra1->LAN passthrough=no in-interface=pppoe-fibra1 connection-mark=no-mark log=no log-prefix=""

5 ;;; Forward: Fibra2->LAN
chain=forward action=mark-connection new-connection-mark=Fibra2->LAN passthrough=no in-interface=pppoe-fibra2 connection-mark=no-mark log=no log-prefix=""

6 ;;; Forward: LAN->Fibra1
chain=prerouting action=mark-routing new-routing-mark=Fibra1_Route passthrough=no src-address-list=lan_address connection-mark=Fibra1->LAN log=no log-prefix=""

7 ;;; Forward: LAN->Fibra2
chain=prerouting action=mark-routing new-routing-mark=Fibra2_Route passthrough=no src-address-list=lan_address connection-mark=Fibra2->LAN log=no log-prefix=""

And it’s working like a champ.

Now we would like to prioritize traffic in a queue tree, therefore we need to mark packets and connections. The question is: how should we do it without breaking the dual-WAN mangle? Because if we mark connections and packets for different traffic (http, smtp, pop ...) we will lose the mark and the RouterBoard won't know which WAN it should choose for answering requests.

Thanks a lot

You should be able to use your connection marks to create packet marks for QoS matching also - you could even use the same connection marks that the route marking rules are using. Wherever you have a route mark, you could put a packet mark rule right before it and make sure the “continue” option is specified so that the chain doesn’t stop on the one mark.

Probably I haven’t understood it, but this is how I understand it:

Imagine we have an http request in wan_1 for our http server in our DMZ zone:

first it passes through the mangle rules that mark the connection (I have two WANs)

4 ;;; Forward: Fibra1->LAN
chain=forward action=mark-connection new-connection-mark=Fibra1->LAN passthrough=no in-interface=pppoe-fibra1 connection-mark=no-mark log=no log-prefix=""

Ok, connection mark is Fibra1->LAN. This mark permits ROS to know that it must send request by WAN1. Until here, it works perfectly.

If I now add QoS mangle rules like this

20 ;;; HTTP connection (80)
chain=prerouting action=mark-connection new-connection-mark=http_connection passthrough=no connection-state=new protocol=tcp dst-port=80 log=no log-prefix=""

21 ;;; HTTP_IN PACKETS
chain=prerouting action=mark-packet new-packet-mark=http_packet_in passthrough=no protocol=tcp in-interface=pppoe-movistar src-port=80 connection-mark=http_connection log=no log-prefix=""


Now I have lost the Fibra1->LAN connection mark, because it has been replaced by http_connection. Therefore ROS won't be able to answer the request via the correct WAN.

am I wrong?

Thanks

Two things -

First: I notice that all of your rules have passthrough=no - you will need to set this to yes on some of the actions… More on that in a moment.

Second:

Do not confuse connection mark, packet mark, and routing mark. They are 3 different things.
Connection mark has to do with connection state tracking. If you mark connections as you did in rules 4 and 5 of your original example, you’ll see these connection marks in IP > Firewall > Connections. There’s a column to show you what connection mark any combination of src:port+dst:port is using. You don’t need to change how your connection marks are working.

In order to force all packets of ‘Fibra1’ through the same ISP after the connection establishes, you use route marks, right? (action = mark routing) A configuration must do this for every single packet that passes through the router.

In your original example, rules 4 and 5 mark connections based on which interface they enter through.
Then rules 6 and 7 stamp each individual packet with routing marks based on which marked connection they belong to.
While you’re at it, you can then also stamp generic packet marks based on those same connection marks.
After that, your queues will be able to match traffic based on those packet marks.
(They cannot match on connection or routing marks as far as I know).

I would remove the interface and IP address criteria from the packet mark rules in your configuration - they make the rule check more information than is required. Your connection mark rules should be where you classify entire connections, and those can be more complicated, as they really only need to happen once per new connection.
The rules that mark individual packets should be fast and simple.

Change rule 6/7 to this:

/ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=Fibra1_Route passthrough=yes connection-mark=Fibra1->LAN
chain=prerouting action=mark-packet new-packet-mark=Fibra1 passthrough=no connection-mark=Fibra1->LAN
chain=prerouting action=mark-routing new-routing-mark=Fibra2_Route passthrough=yes connection-mark=Fibra2->LAN
chain=prerouting action=mark-packet new-packet-mark=Fibra2 passthrough=no connection-mark=Fibra2->LAN

Note that you now have two marking actions which search for connection marks, the first allows passthrough and the second stops the chain. Also note that this will mark the packets on inbound AND outbound.

If you don't want to mark packets based on the link used, but on the service type, you could do something like this -
create a new chain, classify-packet:

chain=classify-packet protocol=tcp dst-port=80 action=mark-packet new-packet-mark=web passthrough=no
chain=classify-packet protocol=tcp dst-port=443 action=mark-packet new-packet-mark=web passthrough=no
chain=classify-packet protocol=tcp dst-port=25 action=mark-packet new-packet-mark=mail passthrough=no
chain=classify-packet protocol=tcp dst-port=143 action=mark-packet new-packet-mark=mail passthrough=no
chain=classify-packet protocol=tcp dst-port=53 action=mark-packet new-packet-mark=dns passthrough=no
...
chain=classify-packet action=mark-packet new-packet-mark=default passthrough=no

and change the packet-mark rules in my previous example to:
chain=prerouting action=jump jump-target=classify-packet

Using a separate chain lets you use the same rule set for both ISP connections. Your queues would look for packet marks such as web, mail, dns, and default if you used my examples.
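The design from the reply above, written out as one complete RouterOS v6 configuration. This is an added example and not a configuration posted in the thread: the interface names (pppoe-fibra1, pppoe-fibra2), the lan_address list and the mark names come from the thread, while the address range, the port lists, the bandwidths and the queue names are assumptions to be replaced with real values. On RouterOS v7 each routing mark must additionally be created as a table under /routing table before mark-routing will accept it.

```routeros
# Added example (not from the original thread): dual-WAN mangle with
# connection marks -> routing marks -> packet marks, plus a queue tree.
# Assumed values: 192.168.10.0/24, the port lists, 50M per WAN, queue names.

/ip firewall address-list
add list=lan_address address=192.168.10.0/24 comment="LAN + DMZ (assumed range)"

/ip route
# One default route per routing mark, so a Fibra1_Route packet always leaves via WAN1.
add dst-address=0.0.0.0/0 gateway=pppoe-fibra1 routing-mark=Fibra1_Route
add dst-address=0.0.0.0/0 gateway=pppoe-fibra2 routing-mark=Fibra2_Route
add dst-address=0.0.0.0/0 gateway=pppoe-fibra1 distance=1 comment="unmarked traffic"
add dst-address=0.0.0.0/0 gateway=pppoe-fibra2 distance=2 comment="failover"

/ip firewall mangle
# 1) Connection marks: set once per connection, on its first packet, by ingress WAN.
#    connection-mark=no-mark prevents a later packet from overwriting an existing mark.
add chain=input   in-interface=pppoe-fibra1 connection-mark=no-mark action=mark-connection new-connection-mark=Fibra1->ROS passthrough=no
add chain=input   in-interface=pppoe-fibra2 connection-mark=no-mark action=mark-connection new-connection-mark=Fibra2->ROS passthrough=no
add chain=forward in-interface=pppoe-fibra1 connection-mark=no-mark action=mark-connection new-connection-mark=Fibra1->LAN passthrough=no
add chain=forward in-interface=pppoe-fibra2 connection-mark=no-mark action=mark-connection new-connection-mark=Fibra2->LAN passthrough=no

# 2) Routing marks on every packet, derived from the connection mark. The router's
#    own replies are handled in output, replies from the LAN/DMZ in prerouting.
#    passthrough=yes so the same packet can still receive a packet mark in step 3.
add chain=output     connection-mark=Fibra1->ROS action=mark-routing new-routing-mark=Fibra1_Route passthrough=yes
add chain=output     connection-mark=Fibra2->ROS action=mark-routing new-routing-mark=Fibra2_Route passthrough=yes
add chain=prerouting src-address-list=lan_address connection-mark=Fibra1->LAN action=mark-routing new-routing-mark=Fibra1_Route passthrough=yes
add chain=prerouting src-address-list=lan_address connection-mark=Fibra2->LAN action=mark-routing new-routing-mark=Fibra2_Route passthrough=yes

# 3) Packet marks for QoS in one shared chain, so both ISPs use the same rules.
#    mark-packet changes only the packet mark; connection and routing marks survive.
#    "port=" matches source OR destination port, so one rule covers both the
#    inbound request and the outbound reply of a service.
add chain=prerouting action=jump jump-target=classify-packet
add chain=output     action=jump jump-target=classify-packet
add chain=classify-packet protocol=tcp port=80,443            action=mark-packet new-packet-mark=web     passthrough=no
add chain=classify-packet protocol=tcp port=25,465,587        action=mark-packet new-packet-mark=mail    passthrough=no
add chain=classify-packet protocol=tcp port=110,143,993,995   action=mark-packet new-packet-mark=mail    passthrough=no
add chain=classify-packet protocol=udp port=53                action=mark-packet new-packet-mark=dns     passthrough=no
add chain=classify-packet protocol=tcp port=53                action=mark-packet new-packet-mark=dns     passthrough=no
add chain=classify-packet                                     action=mark-packet new-packet-mark=default passthrough=no

# Do NOT add an action=fasttrack-connection filter rule for these connections:
# fasttracked packets bypass mangle and the queue tree entirely.

/queue tree
# A queue with an interface as parent shapes traffic leaving that interface (upload).
# The same service packet marks feed both WAN parents; limits are assumptions.
add name=Fibra1-out     parent=pppoe-fibra1 max-limit=50M
add name=Fibra1-dns     parent=Fibra1-out packet-mark=dns     priority=1 limit-at=1M  max-limit=50M
add name=Fibra1-web     parent=Fibra1-out packet-mark=web     priority=2 limit-at=20M max-limit=50M
add name=Fibra1-mail    parent=Fibra1-out packet-mark=mail    priority=4 limit-at=10M max-limit=50M
add name=Fibra1-default parent=Fibra1-out packet-mark=default priority=8 limit-at=5M  max-limit=50M
add name=Fibra2-out     parent=pppoe-fibra2 max-limit=50M
add name=Fibra2-dns     parent=Fibra2-out packet-mark=dns     priority=1 limit-at=1M  max-limit=50M
add name=Fibra2-web     parent=Fibra2-out packet-mark=web     priority=2 limit-at=20M max-limit=50M
add name=Fibra2-mail    parent=Fibra2-out packet-mark=mail    priority=4 limit-at=10M max-limit=50M
add name=Fibra2-default parent=Fibra2-out packet-mark=default priority=8 limit-at=5M  max-limit=50M
```

To check that the marks coexist, watch the counters with /ip firewall mangle print stats and list the tracked connections with /ip firewall connection print: a reply from the DMZ that came in on pppoe-fibra1 should show connection-mark Fibra1->LAN, hit the Fibra1_Route rule, then hit exactly one classify-packet rule, and the matching Fibra1-* queue counter in /queue tree print stats should increase. The interface-parent queues above shape only traffic leaving each WAN; to prioritize downloads toward the DMZ as well, add a second set of child queues with the LAN or bridge interface as parent, reusing the same packet marks.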

Thanks for your help ZeroByte, I will try it.