levicki
just joined
Topic Author
Posts: 10
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia

Not all RDP traffic seems to be marked in firewall mangle

Wed May 29, 2019 3:03 pm

I have an RDP server on the LAN which is forwarded to the WAN:
add action=mark-connection chain=prerouting comment="MARK RDP CONNECTIONS" new-connection-mark=rdp-connection-mark passthrough=yes port=3389 protocol=tcp
add action=mark-connection chain=prerouting comment="MARK RDP CONNECTIONS" new-connection-mark=rdp-connection-mark passthrough=yes port=3389 protocol=udp
add action=mark-packet chain=prerouting comment="MARK RDP PACKETS" connection-mark=rdp-connection-mark new-packet-mark=rdp-mark passthrough=yes
If I make a queue on the WAN interface which has rdp-mark as a criterion, I see much less traffic than is actually sent by the RDP server (kilobits instead of a few Mbps). Instead, this traffic can be observed when I use a queue with no-mark.

Could someone please explain why this is so (perhaps fasttrack should be disabled?), and how to mark all RDP traffic so that it can be rate-limited?
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Not all RDP traffic seems to be marked in firewall mangle

Wed May 29, 2019 3:48 pm

You've answered yourself. Fasttracking means bypassing all firewall rules; fasttracked packets only pass through the connection-tracking part of the firewall.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
levicki
just joined
Topic Author
Posts: 10
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia

Re: Not all RDP traffic seems to be marked in firewall mangle

Wed Jun 12, 2019 12:00 pm

> You've answered yourself. Fasttracking means bypassing all firewall rules; fasttracked packets only pass through the connection-tracking part of the firewall.
Is there a way to still mark / count this traffic or is the only way for proper bandwidth management to have fasttracking disabled?
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Not all RDP traffic seems to be marked in firewall mangle

Wed Jun 12, 2019 3:21 pm

> Is there a way to still mark / count this traffic or is the only way for proper bandwidth management to have fasttracking disabled?
It depends on what you need to do in particular. If the only traffic categories are "RDP" and "the rest", you can selectively exclude the RDP traffic from fasttracking, handle it by the queues chosen by packet-mark, and handle the rest by the queues chosen by the absence of a packet-mark.

You have to use one queue tree on each interface, which handles only output through that interface, because in order for a queue to handle fasttracked packets, its ultimate parent has to be an interface, not global. You can reuse the same packet-mark values in all of these trees, i.e. you can assign the same packet-mark to packets in both directions of the tracked connection.
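Putting the answer above into RouterOS configuration, as an added example that is not part of the original thread: the mangle rules are the ones from the first post, the fasttrack rule is made to skip connections carrying rdp-connection-mark, and one queue tree hangs off each physical interface so that the still-fasttracked "rest" is shaped too. The interface names ether1-wan and bridge-lan and all rate limits are assumptions.

```routeros
# Mangle: same rules as in the first post. Prerouting runs before the
# filter forward chain, so the connection-mark is already set when the
# fasttrack rule below is evaluated.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="MARK RDP CONNECTIONS" new-connection-mark=rdp-connection-mark passthrough=yes port=3389 protocol=tcp
add action=mark-connection chain=prerouting comment="MARK RDP CONNECTIONS" new-connection-mark=rdp-connection-mark passthrough=yes port=3389 protocol=udp
add action=mark-packet chain=prerouting comment="MARK RDP PACKETS" connection-mark=rdp-connection-mark new-packet-mark=rdp-mark passthrough=yes

# Filter: fasttrack everything established/related EXCEPT RDP connections.
# RDP packets therefore keep traversing mangle and get rdp-mark on every
# packet; everything else is fasttracked and arrives at the queues unmarked.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack all but RDP" connection-mark=!rdp-connection-mark connection-state=established,related
add action=accept chain=forward connection-state=established,related

# Queue trees: one per interface, parent = the interface itself (not global),
# because only interface-parented trees see fasttracked packets.
# Assumed interfaces: ether1-wan (upload leaves here) and bridge-lan
# (download leaves here). Assumed limits: 20M total, 2M for RDP.
/queue tree
add name=wan-out parent=ether1-wan max-limit=20M
add name=wan-out-rdp parent=wan-out packet-mark=rdp-mark max-limit=2M
add name=wan-out-rest parent=wan-out packet-mark=no-mark
add name=lan-out parent=bridge-lan max-limit=20M
add name=lan-out-rdp parent=lan-out packet-mark=rdp-mark max-limit=2M
add name=lan-out-rest parent=lan-out packet-mark=no-mark
```

The same packet-mark value serves both trees because each tree only ever sees packets leaving its own interface; check with /queue tree print stats that wan-out-rdp and lan-out-rdp now account for the full RDP volume rather than kilobits.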
