emikrotik
Frequent Visitor
Topic Author
Posts: 71
Joined: Fri Jun 19, 2015 9:30 am

Mangle rules layer 3 vs layer 4

Mon May 14, 2018 11:13 am

Hello,

I have an issue with mark-connection being overwritten in my mangle rules.

Please see the mangle rules below:

361-363 are layer 3, PBR on source and destination IP addresses.

361 chain=prerouting action=mark-connection
    new-connection-mark=GOOGLE DRIVE passthrough=yes
    dst-address-list=GOOGLE DRIVE log=no log-prefix=""

362 chain=prerouting action=mark-packet
    new-packet-mark=GOOGLE DRIVE passthrough=yes
    connection-mark=GOOGLE DRIVE log=no log-prefix=""

363 chain=prerouting action=mark-routing
    new-routing-mark=MultiWAN passthrough=no
    src-address=10.80.0.0/16 packet-mark=GOOGLE DRIVE
    log=no log-prefix=""

395-397 are layer 4, PBR based on destination port.

395 chain=prerouting action=mark-connection
    new-connection-mark=HTTP-HTTPS BROWSING passthrough=yes
    protocol=tcp port=80,443 log=no log-prefix=""

396 chain=prerouting action=mark-packet
    new-packet-mark=HTTP-HTTPS BROWSING passthrough=yes
    connection-mark=HTTP-HTTPS BROWSING log=no log-prefix=""

397 chain=prerouting action=mark-routing
    new-routing-mark=ECMP passthrough=no
    src-address=10.80.0.0/16 packet-mark=HTTP-HTTPS BROWSING
    log=no log-prefix=""
If traffic going to an IP address in the destination address list 'GOOGLE DRIVE' establishes a connection on port 80 or 443, the connection mark is overwritten with HTTP-HTTPS BROWSING. This then causes issues with routing via different ISPs and with queuing.

Does anyone know why this happens? Is there a correlation between how RoS processes mangle rules and the OSI model?

Thank you.
Last edited by emikrotik on Tue May 15, 2018 3:48 am, edited 1 time in total.
 
RoadkillX
Frequent Visitor
Posts: 88
Joined: Sun Apr 22, 2018 6:00 pm
Location: Spain

Re: Mangle rules layer 3 vs layer 4

Mon May 14, 2018 11:35 am

Reorder the rules to be mark-connection, then mark-routing, then mark-packet. Enable passthrough on mark-routing and disable it on all rules that mark packets, so that once a packet is marked it leaves the prerouting chain and the mark-connection will not get overwritten by the http-https rule.

1) Mark Google Drive connection based on dst IP (passthrough)
2) Mark Google Drive routing based on source IP (passthrough)
3) Mark Google Drive packet based on connection mark (no passthrough)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mangle rules layer 3 vs layer 4

Mon May 14, 2018 12:39 pm

There seems to be a common belief that action=mark-connection only marks connections which have not been marked yet. This is not true.

If a packet belonging to an already marked connection matches the conditions of another action=mark-connection rule, the connection mark gets rewritten by that rule.

So you either have to ensure that packets belonging to already marked connections are not handled by other action=mark-connection rules, or you have to add a match condition connection-mark=no-mark to each action=mark-connection rule.

Plus in most cases you want to assign the connection mark only to the initial packet of each connection, and this is also not automatic. So adding connection-state=new may be necessary as well.

Have a look here for one possible way of implementing it.
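The approach described above, written out as an added example that is not from the thread or from MikroTik's own documentation: the first post's six rules with the two extra match conditions (connection-mark=no-mark and connection-state=new) on both mark-connection rules. Marks, address-list name, source subnet and the port= matcher are taken as posted; rule order is assumed to be the one shown.

```routeros
# Added example (not from the thread). Only the first packet of a connection
# that carries no connection mark yet can receive one, so the generic port
# rule can no longer overwrite the GOOGLE DRIVE mark on a port-80/443 flow.
# Rule order matters: the specific address-list match must precede the
# generic port match. Connections that already existed when these rules
# were added have state=established and will never be marked by them.
/ip firewall mangle

# Layer 3: GOOGLE DRIVE by destination address list
add chain=prerouting action=mark-connection \
    new-connection-mark="GOOGLE DRIVE" passthrough=yes \
    dst-address-list="GOOGLE DRIVE" \
    connection-state=new connection-mark=no-mark \
    comment="GD: mark new, still-unmarked connections only"
add chain=prerouting action=mark-packet \
    new-packet-mark="GOOGLE DRIVE" passthrough=yes \
    connection-mark="GOOGLE DRIVE"
add chain=prerouting action=mark-routing \
    new-routing-mark=MultiWAN passthrough=no \
    src-address=10.80.0.0/16 packet-mark="GOOGLE DRIVE"

# Layer 4: generic HTTP/HTTPS by port
# connection-mark=no-mark is what keeps this rule off connections the
# GOOGLE DRIVE rule above has already marked; connection-state=new keeps
# later packets of any connection from re-evaluating the mark.
add chain=prerouting action=mark-connection \
    new-connection-mark="HTTP-HTTPS BROWSING" passthrough=yes \
    protocol=tcp port=80,443 \
    connection-state=new connection-mark=no-mark \
    comment="HTTP/HTTPS: mark new, still-unmarked connections only"
add chain=prerouting action=mark-packet \
    new-packet-mark="HTTP-HTTPS BROWSING" passthrough=yes \
    connection-mark="HTTP-HTTPS BROWSING"
add chain=prerouting action=mark-routing \
    new-routing-mark=ECMP passthrough=no \
    src-address=10.80.0.0/16 packet-mark="HTTP-HTTPS BROWSING"
```

After applying, check the result with `/ip firewall connection print where connection-mark="GOOGLE DRIVE"` while a transfer to an address in the list is running on port 443: the mark should stay GOOGLE DRIVE for the life of the connection.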
