how to mark packets coming to a host in lan (nat)

Posted: Fri Sep 29, 2006 1:06 am
by kolorasta
I've got this in mangle and 2 & 3 work, 0 and 1 do not.
I want to mark every incoming packet from the internet to host 172.16.0.27 to do something with them in QUEUE TREE.
Every packet from 172.16.0.27 is marked correctly... but not packets to 172.16.0.27.
0   ;;; Excedidos_Download_Connection
     chain=prerouting in-interface=WAN dst-address=172.16.0.27 
     action=mark-connection new-connection-mark=excedidos_download_conn 
     passthrough=yes 

 1   ;;; Excedidos_Download_Packet
     chain=prerouting dst-address=172.16.0.27 
     connection-mark=excedidos_download_conn action=mark-packet 
     new-packet-mark=excedidos_download_packet passthrough=no 

 2   ;;; Excedidos_Upload_Connection
     chain=prerouting in-interface=LANbridge src-address=172.16.0.27 
     action=mark-connection new-connection-mark=excedidos_upload_conn 
     passthrough=yes 

 3   ;;; Excedidos_Upload_Packet
     chain=prerouting src-address=172.16.0.27 
     connection-mark=excedidos_upload_conn action=mark-packet 
     new-packet-mark=excedidos_upload_packet passthrough=no 
Any suggestions?

Re: how to mark packets coming to a host in lan (nat)

Posted: Fri Sep 29, 2006 1:11 am
by cibernet
If it is NATed there, the outside world will never reach the NATed address....

Best regards

Posted: Fri Sep 29, 2006 2:02 am
by kolorasta
I know that, but my router knows which packets are for 172.16.0.27 (my local PC)... how can I mark them in mangle... so I can then apply some speed limits in queue tree...
Sorry if my questions are stupid, but this forum is my only source for learning MT stuff...

Posted: Fri Sep 29, 2006 4:11 am
by cibernet
Check the interface... you're using WAN as the input...
You should read the manual: http://www.mikrotik.com/docs/ros/2.9/ip/mangle

Posted: Fri Sep 29, 2006 11:02 am
by janisk
On my home NATed network I do the marking this way:
/ ip firewall mangle 
add chain=prerouting action=mark-connection new-connection-mark=all_traffic passthrough=yes \
    comment="mark all traffic" disabled=no 
add chain=prerouting in-interface=ether1 connection-mark=all_traffic action=mark-packet \
    new-packet-mark=incomming_packet passthrough=no comment="incomming packet" disabled=no 
add chain=prerouting connection-mark=all_traffic action=mark-packet \
    new-packet-mark=outgoing_packet passthrough=no comment="outgoing packet" disabled=no 
So maybe this helps, and then I divide which marks go where.
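
Added example (not from any poster in this thread): a small Python model of the rules above, assuming the router masquerades 172.16.0.27 behind a public address (203.0.113.10 and 198.51.100.5 are constructed) and that prerouting mangle sees reply packets before the address is translated back. It shows why rules 0 and 1 never match, while a download mark keyed on connection mark plus in-interface, in the style of janisk's rules, does; the excedidos_conn mark and the BY_CONN rule set are hypothetical.

```python
# Constructed model: the router masquerades LAN host 172.16.0.27 behind the
# public address 203.0.113.10 (documentation addresses, assumed for the demo).
LAN_HOST, PUBLIC_IP, SERVER = "172.16.0.27", "203.0.113.10", "198.51.100.5"

# Rules 0-3 as posted by kolorasta.
POSTED = [
    dict(match={"in": "WAN", "dst": LAN_HOST}, conn="excedidos_download_conn"),
    dict(match={"dst": LAN_HOST, "cm": "excedidos_download_conn"}, pkt="excedidos_download_packet"),
    dict(match={"in": "LANbridge", "src": LAN_HOST}, conn="excedidos_upload_conn"),
    dict(match={"src": LAN_HOST, "cm": "excedidos_upload_conn"}, pkt="excedidos_upload_packet"),
]
# Hypothetical variant: mark the connection once from the LAN side, then pick
# the packet mark from connection mark + in-interface (as janisk's rules do).
BY_CONN = [
    dict(match={"in": "LANbridge", "src": LAN_HOST}, conn="excedidos_conn"),
    dict(match={"in": "WAN", "cm": "excedidos_conn"}, pkt="excedidos_download_packet"),
    dict(match={"in": "LANbridge", "cm": "excedidos_conn"}, pkt="excedidos_upload_packet"),
]

def mangle_prerouting(rules, pkt, conn):
    """Evaluate rules top-down on the packet as it looks in prerouting."""
    view = dict(pkt)
    for rule in rules:
        view["cm"] = conn.get("mark")      # current connection mark, if any
        if any(view.get(k) != v for k, v in rule["match"].items()):
            continue
        if "conn" in rule:                 # mark-connection, passthrough=yes
            conn["mark"] = rule["conn"]
        else:                              # mark-packet, passthrough=no
            return rule["pkt"]
    return None                            # packet left unmarked

def simulate(rules):
    """One upload packet and its reply; returns (upload_mark, download_mark)."""
    conn = {}  # one conntrack entry shared by both directions of the flow
    up = {"in": "LANbridge", "src": LAN_HOST, "dst": SERVER}
    # The reply arrives addressed to the public IP; translation back to
    # 172.16.0.27 happens only after mangle prerouting has run.
    down = {"in": "WAN", "src": SERVER, "dst": PUBLIC_IP}
    return mangle_prerouting(rules, up, conn), mangle_prerouting(rules, down, conn)

if __name__ == "__main__":
    print("posted rules :", simulate(POSTED))
    print("by conn mark :", simulate(BY_CONN))
```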

Posted: Wed Oct 04, 2006 7:27 pm
by kolorasta
What I want to do is to use different pcq queues for different groups of users...
let's say CORPORATIVE, RESIDENTIAL, etc... ... I know how to do this

but I don't want the web-proxy to be limited.... I know how to do this

but I DON'T KNOW how to do both things at the same time.. different pcq for different user groups, with unlimited access to the web-proxy