Using mangle to change dscp

dcam · October 25, 2011, 3:26am

I’m trying to use mangle to change the dscp value for packets bound for a certain port range, as follows:

/ip firewall mangle add action=change-dscp chain=postrouting comment=(“dscp_46_eth_port_range_1”) disabled=no protocol=udp dst-port=16400-16405 new-dscp=46

Should the above work?

Now I want to test the above to see if it works using the MikroTik packet sniffer.

But that raises a separate matter… when using the MikroTik packet sniffer with detail mode on, it displays a “TOS” field, but it appears to me that it actually displays the DSCP value there under the TOS field, which I think is not strictly accurate, because TOS and DSCP are different things stored within bit fields of the same byte, right?

There used to be a change-tos action but that doesn’t seem to exist any more.

Now back to my original attempt to change the dscp. If I use the MikroTik packet sniffer, I can see udp packets with destination ports that match the range, but their TOS value displayed is 0.

Thus the above rule doesn’t appear to work.

Any ideas?

fewi · October 25, 2011, 3:58am

Try changing the chain to prerouting and check again. The sniffer might be grabbing them before postrouting.

dcam · October 25, 2011, 11:07pm

As you suggested, I tried the following:

/ip firewall mangle add action=change-dscp chain=prerouting comment=(“dscp_46_eth_port_range_1”) disabled=no protocol=udp dst-port=16400-16405 new-dscp=46

…and with that installed, I sent udp traffic across the link to a port in that range.

But snooping on both sides of the link for a packet bound for a port in the range with detail mode on shows a TOS value of 0.

If traffic goes out from a device with a TOS on the wire of 184 (binary 10111000), the MikroTik winbox packet sniffer wrongly displays a TOS of 46 (binary 101110) which is the most significant 6 bits of the TOS (known as the DSCP). Anyway, at least it displays something.

But the mangle rule is not changing the DSCP.

Any ideas?