Hi!
I’m trying to implement PCQ.
I’ve marked traffic with this rules (only relevant code i think):
69 ;;; clients with 1mb (comes from 10.21.0.0/16)
chain=forward action=mark-connection new-connection-mark=1mb_client_conn_A passthrough=yes
src-address=10.21.0.0/16 connection-mark=ADSL-1
70 chain=forward action=mark-packet new-packet-mark=1mb_client_traffic_A passthrough=no
connection-mark=1mb_client_conn_A
71 chain=forward action=log log-prefix=""
If rule 71 is activated, I can see in the logs:
Mar/26/2011 12:26:57 firewall info forward: in:pppoe_c1 out:eth3-BACKBONE, proto TCP (ACK), 209.85.149.100:80->10.21.2.244:3382, len 1450
If rule 70 has passthrough=no… why is traffic logged in rule 71???
Well, probably you also have traffic going through your router that does not already have the connection-mark “ADSL-1”, so it is this traffic that is not processed by rule 69 and thus not by 70, and so it will come up in your logging rule.
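As an added illustration (constructed for this thread, not RouterOS code or anything the posters wrote), here is a small Python model of how the forward mangle chain walks rules 69-71 with passthrough semantics; the sample packets are constructed and the model ignores conntrack state beyond the connection mark itself.

```python
# Added illustration (constructed, not RouterOS code): a toy model of how a
# mangle chain evaluates rules 69-71 from the post with passthrough semantics.
import ipaddress

# (rule number, match criteria, (action, value), passthrough)
RULES = [
    (69, {"src_net": "10.21.0.0/16", "connection_mark": "ADSL-1"},
     ("mark-connection", "1mb_client_conn_A"), True),
    (70, {"connection_mark": "1mb_client_conn_A"},
     ("mark-packet", "1mb_client_traffic_A"), False),
    (71, {}, ("log", None), True),   # no criteria: matches everything
]


def matches(criteria, pkt):
    """All listed criteria must hold for the rule to match (AND semantics)."""
    if "src_net" in criteria:
        net = ipaddress.ip_network(criteria["src_net"])
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    if "connection_mark" in criteria:
        if pkt.get("connection_mark") != criteria["connection_mark"]:
            return False
    return True


def walk_chain(pkt, rules=RULES):
    """Return the rule numbers that fired for pkt, mutating its marks.

    passthrough=yes: apply the action, then continue down the chain.
    passthrough=no:  apply the action and stop; later rules never see pkt.
    A rule that does not match is skipped regardless of its passthrough.
    """
    fired = []
    for number, criteria, (action, value), passthrough in rules:
        if not matches(criteria, pkt):
            continue
        fired.append(number)
        if action == "mark-connection":
            pkt["connection_mark"] = value  # lives on the connection, both directions
        elif action == "mark-packet":
            pkt["packet_mark"] = value
        if not passthrough:
            break
    return fired


# Constructed sample packets modelled on the addresses seen in the thread.
CLIENT_OUT = {"src": "10.21.2.244", "connection_mark": "ADSL-1"}   # hits 69 then 70
OTHER_NET = {"src": "10.22.2.246", "connection_mark": "ADSL-1"}    # skips 69/70, logged by 71
NO_MARK = {"src": "10.21.2.244"}                                    # no ADSL-1 mark: logged by 71
```

A packet that never matches rule 70 is never stopped by its passthrough=no, which is why the unmarked traffic still reaches the log rule.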
Emm… nope.
They were/are invalid connections:
Mar/28/2011 04:11:03 firewall info WO_MARK forward: in: eth3-BACKBONE out pppc1, src-mac -MAC-, proto TCP (ACK,FIN), 10.22.2.246:2475->87.248.205.204:80, len 20
Mar/28/2011 04:11:03 firewall info INV_FWD forward: in: eth3-BACKBONE out pppc1, src-mac -MAC-, proto TCP (ACK,FIN), 10.22.2.246:2475->87.248.205.204:80, len 20
Here is my /ip filter:
0 ;;; accept established connection packets
chain=input action=accept connection-state=established
1 chain=forward action=accept connection-state=established
2 ;;; accept related connection packets
chain=input action=accept connection-state=related
3 chain=forward action=accept connection-state=related
4 ;;; drop invalid packets
chain=input action=drop connection-state=invalid
5 chain=forward action=log connection-state=invalid log-prefix="INV_FWD"
6 chain=forward action=drop connection-state=invalid
Thanks.
I don’t know what you are doing.
In your first post you show me PCQ which is done in mangle.
Then you reply with some filter rules?
Look at your mangle rules and read my previous post. Or print your complete set of mangle rules and I can take a look at it, given time.