Hello! I saw many rules to mark the conn in pre- and postrouting. What is the best scenario?
1-
add action=mark-connection chain=prerouting connection-state=new dst-address-list=pubg new-connection-mark=pubg passthrough=yes src-address-list=Allowed_Users
add action=mark-connection chain=postrouting connection-state=new dst-address-list=pubg new-connection-mark=pubg passthrough=yes src-address-list=Allowed_Users
add action=mark-packet chain=prerouting connection-mark=pubg new-packet-mark="Pubg DW" passthrough=yes src-address-list=!Allowed_Users
add action=mark-packet chain=prerouting connection-mark=pubg new-packet-mark="Pubg UP" passthrough=yes src-address-list=Allowed_Users
2-
add action=mark-connection chain=prerouting connection-state=new dst-address-list=pubg new-connection-mark=pubg passthrough=yes src-address-list=Allowed_Users
add action=mark-packet chain=prerouting connection-mark=pubg new-packet-mark="Pubg DW" passthrough=yes src-address-list=!Allowed_Users
add action=mark-packet chain=postrouting connection-mark=pubg new-packet-mark="Pubg DW" passthrough=yes src-address-list=!Allowed_Users
add action=mark-packet chain=prerouting connection-mark=pubg new-packet-mark="Pubg UP" passthrough=yes src-address-list=Allowed_Users
add action=mark-packet chain=postrouting connection-mark=pubg new-packet-mark="Pubg UP" passthrough=yes src-address-list=Allowed_Users
3-
add action=mark-connection chain=prerouting connection-state=new dst-address-list=pubg new-connection-mark=pubg passthrough=yes src-address-list=Allowed_Users
add action=mark-connection chain=postrouting connection-state=new dst-address-list=pubg new-connection-mark=pubg passthrough=yes src-address-list=Allowed_Users
add action=mark-packet chain=prerouting connection-mark=pubg new-packet-mark="Pubg DW" passthrough=yes src-address-list=!Allowed_Users
add action=mark-packet chain=postrouting connection-mark=pubg new-packet-mark="Pubg DW" passthrough=yes src-address-list=!Allowed_Users
add action=mark-packet chain=prerouting connection-mark=pubg new-packet-mark="Pubg UP" passthrough=yes src-address-list=Allowed_Users
add action=mark-packet chain=postrouting connection-mark=pubg new-packet-mark="Pubg UP" passthrough=yes src-address-list=Allowed_Users
Could I get any answer?
This is not a place to debate configs without any context.
If you need help actually provide a SCENARIO.
In other words, provide a network diagram.
Describe your requirements without any reference to the network or the config, but explain them in USER use cases (for users and devices):
the things they should be able to do
the things they should not be able to do
Then a design can be formulated which may or may not entail marking connections etc.
This is an export from my MikroTik. Could you tell me if there is a mistake?
Good day, that is some config and beyond my level of knowledge, hopefully someone can chime in to give assistance.
It would appear that you are mostly concerned with the marking of traffic flow.
What is the primary purpose of such marking?
Routing of LAN users out specific WAN IPs?
Yes, the best way for me is to mark all traffic, then use QoS.
Yes, I need to do the best QoS, that is the purpose.
Yes, I have 3 WAN and 6 LAN.
All I need to know is: Mark Conn in prerouting = Mark Conn in postrouting or not?
Because I see the 2 mark conn rules have the same packets, so if I made 1 prerouting mark conn, is this enough?
Mangle pt1 +BW management
https://www.youtube.com/watch?v=3zJrNOUDNrc
Mangle pt2 +BW management
https://www.youtube.com/watch?v=LELIuNeQS-E
Update to previous two videos
https://www.youtube.com/watch?v=JgPOQChB7_8
For QoS, this was an informative video
https://www.youtube.com/watch?v=RK-1mRgTEPg
BW management and failover two wans has mangling
https://www.youtube.com/watch?v=GeuuNE3EPBA&t=27s
OK, so finally a concise question which can be answered.
Since you only use connection-mark as a base to assign a packet-mark, it doesn’t matter in which of the chains you assign each of them, as the packet-mark is actually used (to choose a queue) after the postrouting in mangle, as the packet flow diagram shows. It even wouldn’t matter much if the rule translating a connection-mark to a packet-mark would be placed earlier in the packet path than the one assigning the connection-mark, as only the initial packet of each connection would be mis-queued due to such an incorrect handling.
Only if you wanted to use QoS also for packets received by the router itself, you’d have to use prerouting and/or input to assign connection-mark and packet-mark values to such packets.
The situation is different when you use connection-mark as a base to assign a routing-mark; in this case, the routing-mark must be assigned in prerouting for obvious reasons, and the connection-mark must be assigned before the routing-mark, otherwise the initial packet of the connection could take a different route than all the other ones, so the connection would most likely fail.
Here, it’s the packets sent by the router itself that have to be treated in a special way - the routing-mark must be assigned in output, and additional measures have to be taken as routing is actually partially redone if a routing-mark is assigned in output.
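The ordering described in this answer, written out as an added example (not part of the original post, and not the poster's own configuration). It assumes RouterOS v6 syntax; `bridge-lan`, `ether2-wan2`, the mark names and the gateway `192.0.2.1` are hypothetical placeholders, while `Allowed_Users` is the address list from the thread.

```routeros
# Added example, not from the thread. Interface names, mark names and the
# gateway address are hypothetical placeholders.
/ip firewall mangle
# Forwarded traffic, step 1: tag the connection on its first packet from the LAN.
add chain=prerouting action=mark-connection in-interface=bridge-lan \
    src-address-list=Allowed_Users connection-state=new dst-address-type=!local \
    new-connection-mark=wan2-conn passthrough=yes
# Step 2, placed AFTER step 1 and still in prerouting (before the routing
# decision): every LAN packet of that connection, including the first one,
# gets the routing-mark and therefore takes the same route.
add chain=prerouting action=mark-routing in-interface=bridge-lan \
    connection-mark=wan2-conn new-routing-mark=to-wan2 passthrough=no

# Router's own traffic: connections that reach the router itself through WAN2
# (for example a ping to the WAN2 address) are tagged in input ...
add chain=input action=mark-connection in-interface=ether2-wan2 \
    connection-state=new new-connection-mark=wan2-conn passthrough=yes
# ... and the router's replies, which never pass through prerouting, get the
# routing-mark in output so that they leave through WAN2 again.
add chain=output action=mark-routing connection-mark=wan2-conn \
    new-routing-mark=to-wan2 passthrough=no

/ip route
# Default route used only by packets that carry routing-mark=to-wan2.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to-wan2
```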
Thanks very very much, these videos are the best
Thanks sindy for answer
Now I understand that when I use mark connection it doesn’t matter which chain it is. Routing mark is very good with prerouting, but I don’t understand what about the packets sent by the router itself. Could you give me an example?
About QoS
Before QoS the internet was not bad and ping to google.com was very stable. After QoS the internet is very good but ping to google.com is very sensitive. At peak time the ping is 3000ms and the internet is very good. Because of that I am still searching about connection mark and packet mark. I think maybe I have a mistake. Could you tell me if I have a mistake?
These are my ping rules
add action=mark-connection chain=prerouting comment=ICMP new-connection-mark=ICMP-Traffic passthrough=yes protocol=icmp src-address-list=Allowed_Users
add action=set-priority chain=postrouting connection-mark=ICMP-Traffic disabled=no new-priority=6 passthrough=yes
add action=change-dscp chain=postrouting connection-mark=ICMP-Traffic disabled=yes new-dscp=48 passthrough=yes
add action=set-priority chain=postrouting disabled=no dscp=48 new-priority=6 passthrough=yes
None of the rules you’ve posted assigns a packet-mark; they just change the DSCP value and set the 802.1p or 802.11 priority field. Does that mean that you don’t use queues at the Mikrotik where you assign these values, and just mark them with DSCP and priority so that other devices down the stream do not need to classify them and just use the right queue for them? Or that there is a queue matching on packet-mark=no-mark?
In short, it is impossible to say why your ping traffic suffers without seeing the complete queue tree and /ip firewall mangle configuration export (also bridge filter rules and bridge settings may be related depending on your setup), and without a description or a diagram of the rest of the network path between the Mikrotik and the site uplink channel.
I forgot the packet mark rules, here you are
add action=mark-connection chain=prerouting comment=ICMP new-connection-mark=ICMP-Traffic passthrough=yes protocol=icmp src-address-list=Allowed_Users
add action=set-priority chain=postrouting connection-mark=ICMP-Traffic disabled=no new-priority=6 passthrough=yes
add action=change-dscp chain=postrouting connection-mark=ICMP-Traffic disabled=yes new-dscp=48 passthrough=yes
add action=set-priority chain=postrouting disabled=no dscp=48 new-priority=6 passthrough=yes
add action=mark-packet chain=prerouting connection-mark=ICMP-Traffic new-packet-mark="ICMP DW" passthrough=no src-address-list=!Allowed_Users
add action=mark-packet chain=prerouting connection-mark=ICMP-Traffic new-packet-mark="ICMP UP" passthrough=no src-address-list=Allowed_Users
add action=mark-packet chain=postrouting connection-mark=ICMP-Traffic new-packet-mark="ICMP DW" passthrough=no src-address-list=!Allowed_Users
add action=mark-packet chain=postrouting connection-mark=ICMP-Traffic new-packet-mark="ICMP UP" passthrough=no src-address-list=Allowed_Users
I think Sindy is looking for the complete config as many items have relationships and need to be examined.
/export hide-sensitive file=anynameyouwish
As @anav pointed out, you forgot much more. The purpose of the packet marks is to choose a queue for the packet, and you haven’t shown the smallest bit of your queue configuration yet. Also the rules assigning other packet marks are necessary to understand the whole setup, as the principle of QoS is reservation of bandwidth for each traffic category (class) and sharing the remaining one by priority. So the complete set of rules and queues is necessary to find an issue.
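What "reservation per class, remainder shared by priority" looks like in a queue tree, as an added example that is not part of the thread and not the original poster's configuration. The packet marks "ICMP UP" and "Pubg UP" are the ones from the rules above; the interface name `ether1-wan`, the queue names and all rates are hypothetical.

```routeros
# Added example, not from the thread. ether1-wan, the queue names and the
# rates are hypothetical and only cover the upload direction of one WAN.
/queue tree
# Parent: total upload budget. It is set a little below the real uplink rate
# so that the queue builds up here, where it can be prioritised, and not in
# a device further upstream.
add name=UP-total parent=ether1-wan max-limit=9M

# Leaves: limit-at is the bandwidth reserved for the class, max-limit is its
# ceiling. The limit-at values add up to less than the parent's max-limit,
# so every reservation can be honoured at the same time.
# priority (1 = served first, 8 = served last) decides which leaf gets the
# bandwidth that is left over once all reservations are satisfied.
add name=UP-icmp parent=UP-total packet-mark="ICMP UP" \
    limit-at=256k max-limit=9M priority=1
add name=UP-pubg parent=UP-total packet-mark="Pubg UP" \
    limit-at=2M max-limit=9M priority=2
# Everything that no mangle rule has given a packet-mark.
add name=UP-rest parent=UP-total packet-mark=no-mark \
    limit-at=6M max-limit=9M priority=8
```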