homer789
just joined
Topic Author
Posts: 6
Joined: Fri Sep 17, 2010 7:31 am

trouble with mangle

Wed Sep 22, 2010 7:43 am

Hi all!
I'm trying to mark traffic by type with mangle and sort it by priority later, but it works very badly: only half of the p2p traffic gets marked normally, and almost all other traffic gets marked as OTHER.
Here is my firewall export:

/ip firewall export
# aug/01/2010 09:54:06 by RouterOS 3.30
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="Access to internet from admin" \
disabled=no src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop invalid connection packets" \
connection-state=invalid disabled=no
add action=accept chain=forward comment="Allow established connections" \
connection-state=established disabled=no
add action=accept chain=forward comment="Allow related connections" \
connection-state=related disabled=no
add action=accept chain=forward comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=forward comment="Allow ICMP Ping" disabled=no \
protocol=icmp
/ip firewall mangle
add action=mark-connection chain=prerouting comment=ICMP disabled=no \
new-connection-mark=icmp passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting comment=ICMP connection-mark=icmp \
disabled=no new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=prerouting comment=0-bytes connection-bytes=\
1-128000 disabled=no new-connection-mark=0-bytes passthrough=yes port=80 \
protocol=tcp
add action=mark-packet chain=prerouting comment=0-bytes connection-bytes=\
0-128000 connection-mark=0-bytes disabled=no new-packet-mark=0bytes \
passthrough=yes
add action=mark-packet chain=prerouting comment="HTTP 80" connection-mark=\
http disabled=no new-packet-mark=HTTP_80 passthrough=no
add action=mark-packet chain=prerouting comment=POP3 disabled=no \
new-packet-mark=POP3 passthrough=no port=110 protocol=tcp
add action=mark-packet chain=prerouting comment=FTP disabled=no \
new-packet-mark=FTP passthrough=no port=21 protocol=tcp
add action=mark-packet chain=prerouting comment=SMTP disabled=no \
new-packet-mark=SMTP passthrough=no port=25 protocol=tcp
add action=mark-packet chain=prerouting comment=IMAP disabled=no \
new-packet-mark=IMAP passthrough=no port=143 protocol=tcp
add action=mark-packet chain=prerouting comment=SSL disabled=no \
new-packet-mark=SSL passthrough=no port=443 protocol=tcp
add action=mark-packet chain=prerouting comment=P2P disabled=no \
new-packet-mark=p2p p2p=all-p2p passthrough=no
add action=mark-connection chain=prerouting comment=UDP disabled=no \
new-connection-mark=udp passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=UDP connection-mark=udp \
disabled=no new-packet-mark=udp passthrough=no
add action=mark-connection chain=prerouting comment=OTHER disabled=no \
new-connection-mark=other passthrough=yes
add action=mark-packet chain=prerouting comment=OTHER connection-mark=other \
disabled=no new-packet-mark=other passthrough=no
add action=log chain=forward comment="Check for unmarked traffic" disabled=\
yes log-prefix=""
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=!lan
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
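An added example, not from any post in this thread: a small model of how RouterOS walks a mangle chain (rules match in order, a rule with no matcher matches everything, mark-connection and mark-packet overwrite, passthrough=no stops the walk), run over the port-80 rules from the export above and over a corrected variant. The dict field names, the packet values and the "fixed" rule set are my own constructions; they show why a TCP/80 connection in the posted rules always ends up as "other".

```python
# Model of RouterOS mangle processing, reduced to the matchers the posted rules use.
NO_MARK = None  # RouterOS "no-mark"

def matches(rule, pkt, conn):
    """Every matcher present on the rule must hold; a rule with none matches all."""
    if "proto" in rule and pkt["proto"] != rule["proto"]: return False
    if "port" in rule and rule["port"] not in (pkt["sport"], pkt["dport"]): return False  # port= is src OR dst
    if "conn_mark" in rule and conn["mark"] != rule["conn_mark"]: return False
    if "bytes" in rule:
        lo, hi = rule["bytes"]  # hi=0 means open-ended, like RouterOS "128000-0"
        if conn["bytes"] < lo or (hi and conn["bytes"] > hi): return False
    return True

def walk(rules, pkt, conn):
    """Apply actions in order; return (connection mark, packet mark) when the chain ends."""
    pkt_mark = NO_MARK
    for r in rules:
        if not matches(r, pkt, conn): continue
        if r["action"] == "mark-connection": conn["mark"] = r["mark"]
        else: pkt_mark = r["mark"]
        if not r["passthrough"]: break
    return conn["mark"], pkt_mark

# The posted mangle rules that a TCP/80 packet can reach, in the posted order.
POSTED = [
    dict(action="mark-connection", mark="0-bytes", proto="tcp", port=80, bytes=(1, 128000), passthrough=True),
    dict(action="mark-packet", mark="0bytes", conn_mark="0-bytes", bytes=(0, 128000), passthrough=True),
    dict(action="mark-packet", mark="HTTP_80", conn_mark="http", passthrough=False),  # no rule ever sets "http"
    dict(action="mark-connection", mark="other", passthrough=True),                  # catch-all: overwrites every mark
    dict(action="mark-packet", mark="other", conn_mark="other", passthrough=False),
]
# Constructed correction: actually set "http" once a connection outgrows the 0-bytes
# window, and let the catch-all touch only connections that are still unmarked.
FIXED = [
    POSTED[0], POSTED[1],
    dict(action="mark-connection", mark="http", proto="tcp", port=80, bytes=(128001, 0), passthrough=True),
    POSTED[2],
    dict(action="mark-connection", mark="other", conn_mark=NO_MARK, passthrough=True),
    POSTED[4],
]

def classify(rules, conn_bytes, start_mark=NO_MARK):
    """Classify one constructed client->server HTTP packet of a connection of the given size."""
    pkt = {"proto": "tcp", "sport": 51000, "dport": 80}
    return walk(rules, pkt, {"mark": start_mark, "bytes": conn_bytes})

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "small:", classify(rules, 50_000), "large:", classify(rules, 500_000))
```

Connection marks persist across packets, so the third check below starts from a connection already marked "0-bytes" that has since grown past the window.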
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: trouble with mangle

Wed Sep 22, 2010 3:57 pm

The built in P2P filter that recognizes P2P traffic is somewhat outdated and doesn't catch all current P2P protocols.

You're better off marking all traffic that should have priority (like you're basically already doing) and treating everything else as 'other'.
 
homer789
just joined
Topic Author
Posts: 6
Joined: Fri Sep 17, 2010 7:31 am

Re: trouble with mangle

Wed Sep 22, 2010 8:57 pm

I want to mark all types of downloads and give them low priority.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: trouble with mangle

Wed Sep 22, 2010 9:04 pm

You can't.

The best you can do is mark everything that is important and give it high priority.
 
reverged
Member Candidate
Posts: 270
Joined: Thu Nov 12, 2009 8:30 am

Re: trouble with mangle

Thu Sep 23, 2010 6:18 am

 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: trouble with mangle

Thu Sep 23, 2010 6:29 am

That doesn't really help, either. If you work really, really hard you can maybe - that's a big maybe - discover all the P2P traffic on your network. At a huge price of resources (CPU and RAM), and only until the next protocol comes out.

Trying to mark all P2P to give it low priority is equivalent to blacklisting in firewalls. You're always chasing. Blacklisting is a losing proposition. Whitelisting is the way to go. Prioritize the protocols that are important. They don't change - HTTP, POP3, SIP. Easy to spot. Prioritize them over everything else.

It is not just a technical problem and decision, it comes pretty close to a philosophical one. Whitelisting has been proven over blacklisting time and time and time again.
 
homer789
just joined
Topic Author
Posts: 6
Joined: Fri Sep 17, 2010 7:31 am

Re: trouble with mangle

Thu Sep 23, 2010 8:32 am

Well, whitelisting then,
so I need to know how to mark VOIP (Skype), online radio, http and http downloading, mail, games etc., but my mangle script doesn't mark anything except for one half of the p2p traffic. Where is the mistake? Can you help me?
 
reverged
Member Candidate
Posts: 270
Joined: Thu Nov 12, 2009 8:30 am

Re: trouble with mangle

Thu Sep 23, 2010 9:26 am

@fewi

I never suggested blacklisting was the answer, nor is philosophy.
[I think the glass is neither half empty nor half full. You can't measure that precisely]
If a network has serious traffic issues, all tools must be considered.
Prioritize the protocols that are important. They don't change - HTTP, POP3, SIP. Easy to spot. Prioritize them over everything else.
YES! I agree. But......how does one prioritize protocols without determining the protocol?
Using the "well defined" port is a trap.
I haven't seen p2p on port 110 (yet), but certainly on port 80 and growing.
110 & 143 OK.
SIP? Hmm. Which port has the rtp stream? (I find the MT sip helper doesn't work)
It is sometimes not so easy to spot.

L7 can (and probably should) be used for whitelisting as well as blacklisting.
Both are chasing, as it is far too easy to use the well known ports, especially tcp 80 for any traffic.

Besides, if your cpu and memory can't handle it, you need a bigger box, go to http://www.routerboard.com
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: trouble with mangle

Thu Sep 23, 2010 4:08 pm

Fair enough, I misinterpreted. Finding well known protocols via L7 is a much nicer proposition than finding all P2P. Once you have an L7 matcher for HTTP you'll be good for a long time.
 
homer789
just joined
Topic Author
Posts: 6
Joined: Fri Sep 17, 2010 7:31 am

Re: trouble with mangle

Thu Sep 23, 2010 8:03 pm

Some examples?
 
reverged
Member Candidate
Posts: 270
Joined: Thu Nov 12, 2009 8:30 am

Re: trouble with mangle

Fri Sep 24, 2010 12:13 am

In the post I left above is a wiki article with some examples.

Also in that wiki are links (at the top) to where you can find the L7 regex expressions and a MT script that imports these into the firewall.
I don't know if the script is kept up to date - I doubt it. But it is easy enough to make a PHP page to build the script dynamically.

This should be more than enough to get you started.

If you want to experiment, I would start by running the script and add a mangle rule to mark L7 http connections so you can see the connection mark in the Firewall connections. Then as you browse, your connection marks should show up.
Get that working then add more L7 mangle expressions.

If the script is outdated, you can always delete the entries.
 
mxmxmxmxmx
Frequent Visitor
Posts: 68
Joined: Mon Aug 25, 2008 1:27 am

Re: trouble with mangle

Fri Sep 24, 2010 12:22 am

The built in P2P filter that recognizes P2P traffic is somewhat outdated and doesn't catch all current P2P protocols.
All... :D
In my network it catches maybe 10% of P2P. Maybe whitelisting is better, but both are chasing. I'm using some combination of both of them. E.g. "Other" - priority 4; important services prio 1,2; P2P and HTTP downloading prio 8.
 
homer789
just joined
Topic Author
Posts: 6
Joined: Fri Sep 17, 2010 7:31 am

Re: trouble with mangle

Fri Sep 24, 2010 10:06 am

I think marking all necessary types of traffic with L7 rules is not so good for CPU and memory usage; why can't I mark all traffic on port 110 or another? Please help me do it.
P.S. My PC has 100MB RAM and a 366MHz CPU on board, internet speed 8Mbit.
 
homer789
just joined
Topic Author
Posts: 6
Joined: Fri Sep 17, 2010 7:31 am

Re: trouble with mangle

Wed Oct 13, 2010 6:27 am

/ip firewall mangle

0 ;;; HTTP
chain=prerouting action=mark-connection new-connection-mark=HTTP
passthrough=yes protocol=tcp dst-port=80

1 ;;; HTTP
chain=prerouting action=mark-connection new-connection-mark=HTTP
passthrough=yes protocol=udp dst-port=80

2 ;;; HTTP
chain=prerouting action=mark-packet new-packet-mark=HTTP passthrough=no
connection-mark=HTTP

.............................................................................................................

108 ;;; OTHER
chain=prerouting action=mark-connection new-connection-mark=other
passthrough=yes

109 ;;; OTHER
chain=prerouting action=mark-packet new-packet-mark=other passthrough=no
connection-mark=other
