RB won't mark (by src-addr) packets routed through it

brointhemix · February 22, 2012, 1:25pm

Hello!

I have three RBs running. The first is the Internet gateway, the third is the one distributing IPs to the customers over DHCP and the second is “the man in the middle” doing packet marking and traffic shaping. All of them are interconnected with OSPF.

I have noticed just recently that the QoS RB would not mark packets if a mangle rule tells it to mark them basing on source address. The said RB marks all just fine if you mark the packets by destination address. And so, this rule works fine and captures and marks packets:

/ip firewall mangle
add action=mark-packet chain=forward disabled=no dst-address=192.168.1.17 new-packet-mark=client17-d passthrough=no

But this one catches nothing at all:

/ip firewall mangle
add action=mark-packet chain=forward disabled=no new-packet-mark=client17-u passthrough=no src-address=192.168.1.17

IPv6 mangle rules for both upload and download mark and capture their packets - only the IPv4 mangle has the problem. I am pretty sure everything worked some time before. I am running v5.13 now, but even when I downgraded to v5.12 for a while the problem persisted. The funny thing is that the third RB (the one with clients on it) can mark IPv4 packets for both up- and download correctly - I have checked - so why the QoS RB can’t… Any ideas?

Regards!

brointhemix · February 22, 2012, 2:02pm

OK, I might have found a solution. I had a VPLN tunnel between the second and the third RB so that I could bridge some of their ports into one broadcast domain (a virtual switch). When I removed that configuration the mangle IPv4 src rule started capturing packets again. I guess that does it but why did it influence the packet flow, I have no idea.

brointhemix · February 22, 2012, 2:59pm

Cancel the above. It is LDP neighbourship related problem. When I turn it off and the neighbourship goes down the mangle src rule starts capturing packets. If the neighbourship goes up again (without or without any VPLS tunnels), the rule stops getting anything. The LDP neighbourship works only over IPv4 and that is probably why IPv6 mangle rule worked fine all the time.

MT guys, any idea why that is happening?

P.S. Just tested the mentioned tunelling setup with EoIP and seen no issues with marking on that one, so the problem is definitely LDP related.