immtelecom
just joined
Topic Author
Posts: 2
Joined: Tue Jun 16, 2020 7:29 pm

Marking packets between mikrotik routers!

Tue Jun 16, 2020 7:40 pm

Good afternoon, I have the virtual environment as you can see below, where I have network A and network B, and I needed that all traffic that passes through the Firewall coming from network A, be subject to some rules, for example blocking sites.

Is there a way for me, on the "EST" router, to mark the packets coming from the 10.1.1.0/24 network so that when these packets reach the "Firewall" router they are properly inspected?

Observations:

The "Tondela-Router" router bridges the two interfaces.

There is PPPoE authentication on the "SchoolsMainRouter" router for the "Tondela-Router" router interface.

Between the "SchoolsMainRouter" router and the Firewall, NAT is done, and a static route from SchoolsMainRouter to the Firewall is placed.

Image
 
pwuk
Frequent Visitor
Posts: 51
Joined: Wed Aug 01, 2012 8:51 pm

Re: Marking packets between mikrotik routers!  [SOLVED]

Wed Jun 17, 2020 8:34 pm

I see, so the traffic appears to come from the same public IP address whether it's from network A or network B, and you want to deal with traffic from network B differently on the firewall.

You could use a mangle rule to change DSCP on each packet - set it to 1 from network A, 2 from network B, then filter on the firewall based on dscp tag

Something like
EST:
/ip firewall mangle add chain=prerouting in-interface=networkA action=change-dscp new-dscp=21
/ip firewall mangle add chain=prerouting in-interface=networkB action=change-dscp new-dscp=22

Firewall
/ip firewall filter add chain=forward action=accept dscp=22 comment="allow traffic from network B"
/ip firewall filter add chain=forward action=drop dst-address-list=badaddress dscp=21 comment="block traffic from network A to bad addresses"

This assumes that DSCP isn't mangled on the rest of the network, and you aren't using it for QOS purposes.

Choosing DSCP 21 and 22 would reduce (but not eliminate) the chance of other traffic from elsewhere on the network being flagged.
 
immtelecom
just joined
Topic Author
Posts: 2
Joined: Tue Jun 16, 2020 7:29 pm

Re: Marking packets between mikrotik routers!

Wed Jun 17, 2020 10:00 pm

Okay, that works.
But what is dscp? I've been reading but I still don't understand it very well, from what I saw it has to do with traffic prioritization. Why use dscp = 21 and dscp = 22? Were the numbers random or is there a reason?
 
millenium7
Long time Member
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: Marking packets between mikrotik routers!

Mon Jun 22, 2020 2:57 am

DSCP on its own is just a tag.
Yes, it's used for QoS, but it's up to each device along the chain to decide what to do; there's nothing stopping it from entirely ignoring the DSCP number and doing no QoS whatsoever. It's common for most devices to just bundle a range of DSCP values into only 3 or so priority values, i.e. low/medium/high.

It's typically not best practice to use DSCP for tagging because, even if devices in your network aren't using it, many routers on the internet 'do' use it, so overriding e.g. VoIP traffic (which should be tagged 46) with 21 may mean their calls are a little worse. But it is entirely valid to use it for your purposes, yes.
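The following is an added illustration, not code from any of the posters: it models the scheme from this thread in Python, showing where DSCP lives in the IP header's TOS byte, how the EST mangle rules rewrite it per ingress interface, how the Firewall's forward rules decide on it, and the caveat raised above that a packet arriving already marked EF (46) loses that marking. Interface names, the address list and the sample destination are constructed for the example.

```python
"""Model of the thread's DSCP scheme: EST remarks by ingress interface,
the Firewall filters on the DSCP value it receives."""
from dataclasses import dataclass

# DSCP is the upper 6 bits of the IPv4 TOS byte; the low 2 bits are ECN.
DSCP_EF = 46           # Expedited Forwarding, the conventional VoIP marking
NETWORK_A_DSCP = 21    # values chosen in the thread
NETWORK_B_DSCP = 22

def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Pack a DSCP value and ECN bits into the 8-bit TOS byte."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn

def dscp_from_tos(tos: int) -> int:
    """Extract the 6-bit DSCP from a TOS byte, discarding the ECN bits."""
    return (tos >> 2) & 0x3F

@dataclass
class Packet:
    in_interface: str  # ingress interface name on EST (constructed names)
    dst: str           # destination address as seen by the Firewall
    tos: int

def est_mangle(pkt: Packet) -> Packet:
    """EST prerouting mangle: overwrite DSCP according to ingress interface,
    as the thread's change-dscp rules do. Any existing mark is lost; only
    the 2 ECN bits are carried through because DSCP is a 6-bit field."""
    marks = {"networkA": NETWORK_A_DSCP, "networkB": NETWORK_B_DSCP}
    new = marks.get(pkt.in_interface)
    if new is None:
        return pkt                      # no rule matched, packet untouched
    return Packet(pkt.in_interface, pkt.dst, tos_from_dscp(new, pkt.tos & 0x3))

def firewall_filter(pkt: Packet, bad_addresses: set[str]) -> str:
    """Firewall forward chain from the thread: accept DSCP 22, drop DSCP 21
    to listed addresses; anything else falls through (modelled as accept)."""
    dscp = dscp_from_tos(pkt.tos)
    if dscp == NETWORK_B_DSCP:
        return "accept"
    if dscp == NETWORK_A_DSCP and pkt.dst in bad_addresses:
        return "drop"
    return "accept"

if __name__ == "__main__":
    bad = {"198.51.100.7"}  # constructed entry for the 'badaddress' list
    voip = Packet("networkA", "198.51.100.7", tos_from_dscp(DSCP_EF))
    marked = est_mangle(voip)
    print(dscp_from_tos(marked.tos), firewall_filter(marked, bad))
```

Running it shows the VoIP packet from network A leaving EST with DSCP 21 instead of 46, and the Firewall dropping it because its destination is on the list.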
