But I can't see any traffic in the accept rule for connection-mark=!no-mark.

Because your chain=pktmark works well and does not leave any packets unhandled, that rule was there just to catch packets for which the translation of connection-mark did not happen for any reason in chain=pktmark, and not let them get further. However,
Any comments for the new configuration?

Yes, there is an important one related to the above. As you have added out-interface=pppoe to the first two rules, as compared to my suggestion, all packets in the download direction pass through all the connection-marking rules, followed by all the chain=pktmark rules, because neither of the first two rules matches them (they have a connection-mark assigned but don't have out-interface=pppoe). So if you don't want to enqueue download packets, remove the out-interface=pppoe from the accept rule with connection-mark=!no-mark, so that it accepts all download packets belonging to already marked connections and thus does not let them pass through all the connection-marking rules (doing so generates unnecessary CPU load).

That way all download packets (except the initial ones of connections initiated from the WAN side, which probably don't exist) will be handled by just two rules: the first one, which won't match them, and the second one, which will accept them. In my initial suggestion, the first rule in chain=connmark2pktmark was responsible for the same thing, but it caused the upload packets to pass through that one extra rule, so the way described just above is more efficient.
Other than that, it seems fine to me. So if after implementing the change above you still experience RTP packet loss, there is no more optimisation I could suggest.
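As an added example (not the poster's configuration and not taken from this thread), here is one way the rule order discussed above can be written in RouterOS mangle. Everything the thread does not state is an assumption: the rules live in chain=forward (out-interface matching is only available in forward and postrouting), the WAN interface is literally named pppoe as in the thread, the connection marks are called rtp and other, the UDP range 10000-20000 stands in for whatever the real RTP classifier is, and chain=pktmark only translates each connection mark into a packet mark of the same name.

```routeros
# Added example, not the original poster's rules. Assumed: chain=forward, WAN
# interface named "pppoe", marks "rtp"/"other", RTP on udp/10000-20000.
/ip firewall mangle

# 1) Upload packets of already-marked connections: translate the connection
#    mark into a packet mark and stop. Download packets do not match here.
add chain=forward connection-mark=!no-mark out-interface=pppoe \
    action=jump jump-target=pktmark \
    comment="upload of marked connections -> pktmark"

# 2) Everything else that is already marked is download traffic: accept it
#    here so it never reaches the connection-marking rules below.
#    No out-interface on this rule, on purpose.
add chain=forward connection-mark=!no-mark action=accept \
    comment="download of marked connections: stop here"

# 3) Connection-marking rules. Only the first packet of each connection
#    gets this far, because it is the only one still carrying no-mark.
add chain=forward connection-mark=no-mark protocol=udp dst-port=10000-20000 \
    action=mark-connection new-connection-mark=rtp passthrough=yes \
    comment="assumed RTP classifier"
add chain=forward connection-mark=no-mark \
    action=mark-connection new-connection-mark=other passthrough=yes \
    comment="everything else"

# 4) First upload packet of a freshly marked connection still needs its
#    packet mark; first download packets (WAN-initiated) simply fall out.
add chain=forward out-interface=pppoe action=jump jump-target=pktmark

# chain=pktmark: connection mark -> packet mark, one rule per mark.
# passthrough=no ends mangle processing for the packet at the first match.
add chain=pktmark connection-mark=rtp \
    action=mark-packet new-packet-mark=rtp passthrough=no
add chain=pktmark connection-mark=other \
    action=mark-packet new-packet-mark=other passthrough=no
```

With this order a download packet of an established connection is evaluated against exactly two rules and accepted; an upload packet of such a connection matches the first rule and leaves mangle inside chain=pktmark; only the first packet of a connection ever reaches the classifier rules. A quick check after applying it is `/ip firewall mangle print stats`: the packet counter of the accept rule should grow at roughly the download packet rate, and the counters of the connection-marking rules should only grow at the rate new connections are created.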