Hello
When we do shaping we mark the connection and then mark the packets.
What is the reason for marking the connection?
What happens with connectionless things like UDP?
Thanks
Well, that was the kind of question which bothered me too. Not sure if it is related to NAT (masquerading), but generally I think that you mark your connection just because of it. Then MT tracks the connection for you (correct me if I am wrong, please).
As you can see, your marked packets are just equal to your marked connections, so marking packets does not add anything for you. The thing is, when you look at the queue definition, you can add your "packet mark", not "connection mark".
So, my understanding is that marking the connection is just a helper to be able to properly mark packets.
One guy told me that it would be easier to do shaping without masquerading, and insert one other router in front of your router, doing only masquerading. Can anyone confirm that NAT is generally complicating our situation here?
Thanks,
Petr
Personally I only do connection marking then packet marking for p2p. By marking the connection of a P2P connection, I have less risk of them floating around my filters and queues.
For almost everything else I just mark packets.
If you mark a packet with a connection mark, connection tracking will remember the mark whenever the return/consecutive packet(s) in the stream come along. You mark a stream/connection once and connection marking will remember it until the stream/connection is gone from the connections table.
A packet mark is forgotten as soon as the packet exits the router.
The reason there are two different ones is that you might want to apply different policies to packets that belong to the same stream/connection.
UDP is connectionless but is considered a connection when UDP packets flow through the router and a return packet of that exact host/port combination is returned. The same goes for IP, but there is no port combination.
Thus you must mark peer-to-peer connections with a connection mark and then a packet mark based on the connection mark to apply queueing. Otherwise you would just apply queueing to a single packet in the stream/connection (and that wouldn't make for very good peer-to-peer shaping!)
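The two-step scheme described in the replies above (mark the connection once, then derive a packet mark from it for every packet, then queue on the packet mark), written out as an added example. This is not configuration posted by anyone in the thread; it assumes RouterOS v6 mangle and queue-tree syntax, and the address 192.168.88.10, the mark names and the 2M limit are constructed placeholders.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 syntax.
# Constructed scenario: shape all traffic from LAN host 192.168.88.10.
/ip firewall mangle
# 1. Mark the connection once, on its first packet (connection-state=new).
#    Connection tracking then carries the mark on every later packet of
#    the flow, in both directions. This also covers UDP, which the
#    tracker treats as a "connection" keyed on the host/port pair until
#    its idle timeout expires. passthrough=yes lets the next rule see it.
add chain=forward connection-state=new src-address=192.168.88.10 \
    action=mark-connection new-connection-mark=shaped_conn passthrough=yes
# 2. Translate the connection mark into a packet mark on every packet of
#    the flow. Queues match packet marks, not connection marks, and a
#    packet mark is dropped when the packet leaves the router, so this
#    rule has to fire per packet. No connection-state filter here.
add chain=forward connection-mark=shaped_conn \
    action=mark-packet new-packet-mark=shaped_pkt passthrough=no
/queue tree
# 3. Queue on the packet mark only (constructed limit).
add name=shaped parent=global packet-mark=shaped_pkt max-limit=2M
```

Rule order matters: the mark-connection rule must precede the mark-packet rule, and without `passthrough=yes` on the first rule the second one never runs for the first packet. On the masquerading question raised earlier in the thread, the forward chain runs before srcnat, so `src-address` in these rules still sees the private LAN address; the marks survive NAT because they are attached to the tracked connection, not to the addresses in the packet.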