boo9
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Jul 09, 2011 5:19 pm

How does new-connection-mark work ?

Wed Jan 22, 2014 2:39 am

How does the new-connection-mark work ?

If a connection is already marked, and the next rule matches the connection, will it apply that mark?
Or does new-connection-mark mark connections that are unmarked?

E.g., two WAN interfaces:

ros code

add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting in-interface=LAN dst-address-type=!local src-address=192.168.1.0/24 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN dst-address-type=!local action=mark-connection new-connection-mark=ISP2_conn

An incoming connection on ISP2 gets marked by rule 2; it goes to the 192.168.1.0 net, but then outbound packets for this connection would get marked by rule 3 (ISP1). Surely that would not work.

I could not find any docs on the semantics of new-connection-mark;
it looks to me like new-connection-mark= implicitly affects only unmarked connections.
 
samsung172
Forum Guru
Posts: 1186
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: How does new-connection-mark work ?

Thu Jan 23, 2014 3:01 am

But does your LAN have some connection marks? It seems like you don't have any marks on these packets.

Edit: Try to change the last 2 rules. I think you might want to have the change mark AFTER the mark rule.
 
boo9
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Jul 09, 2011 5:19 pm

Re: How does new-connection-mark work ?

Thu Jan 23, 2014 3:12 am

The ROS rules I quoted are not real; they are just an example to illustrate the discussion/question.
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: How does new-connection-mark work ?

Thu Jan 23, 2014 8:53 am

I think they get marked ISP1_conn in the third rule and after that ISP2_conn in the fourth rule. If you have passthrough set to no then you will not have that problem.
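
A small Python model of the rule traversal discussed in this thread, added here as an illustration (not part of any post and not MikroTik code). It assumes that mark-connection overwrites an existing mark, that passthrough defaults to yes, and that every sample packet goes to a non-local destination; the function names and sample addresses are made up for the example.

```python
import ipaddress

# Simplified model of one pass through the mangle prerouting chain (assumption:
# mark-connection overwrites an existing mark; passthrough=yes, the default,
# lets later rules see the same packet). Addresses below are constructed.

def rule(iface, mark, src=None, unmarked_only=False, passthrough=True):
    return dict(iface=iface, mark=mark, src=src,
                unmarked_only=unmarked_only, passthrough=passthrough)

def traverse(rules, iface, src, conn_mark=None):
    """Return the connection mark after one packet has crossed the chain."""
    for r in rules:
        if r["iface"] != iface:
            continue
        if r["unmarked_only"] and conn_mark is not None:  # connection-mark=no-mark
            continue
        if r["src"] and ipaddress.ip_address(src) not in ipaddress.ip_network(r["src"]):
            continue
        conn_mark = r["mark"]            # action=mark-connection
        if not r["passthrough"]:
            break
    return conn_mark

def build(lan_unmarked_only=False, lan_passthrough=True):
    """The four rules from the question, with options for the two LAN rules."""
    lan = dict(unmarked_only=lan_unmarked_only, passthrough=lan_passthrough)
    return [
        rule("ISP1", "ISP1_conn", unmarked_only=True),
        rule("ISP2", "ISP2_conn", unmarked_only=True),
        rule("LAN", "ISP1_conn", src="192.168.1.0/24", **lan),
        rule("LAN", "ISP2_conn", **lan),
    ]

def scenario(rules):
    """Return (mark of a connection that came in via ISP2, mark of a new LAN one)."""
    inbound = traverse(rules, "ISP2", "203.0.113.7")           # first packet
    inbound = traverse(rules, "LAN", "192.168.1.10", inbound)  # reply from LAN host
    outbound = traverse(rules, "LAN", "192.168.1.10")          # LAN-originated
    return inbound, outbound

AS_POSTED = scenario(build())
PASSTHROUGH_NO = scenario(build(lan_passthrough=False))
NO_MARK_GUARD = scenario(build(lan_unmarked_only=True))

if __name__ == "__main__":
    for name, res in [("as posted", AS_POSTED), ("passthrough=no", PASSTHROUGH_NO),
                      ("connection-mark=no-mark", NO_MARK_GUARD)]:
        print(f"{name:24} via-ISP2: {res[0]}  LAN-new: {res[1]}")
```

In this model the rules as posted leave both connections marked ISP2_conn, passthrough=no on the LAN rules leaves both marked ISP1_conn, and the connection-mark=no-mark matcher on the LAN rules keeps the inbound ISP2 connection on ISP2_conn while a new 192.168.1.0/24 connection gets ISP1_conn.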
