I had the assumption that whatever you put into Connection marking follows the Packet marking if you use "Connection marking" as input?
This had me fighting for a very long time and I hope it helps others as well. Also this proves that almost every Tutorial out there is "Wrong" and the setups are working based on randomness and luck.
Maybe someone with the know-how can explain to us why this is happening.
Slow down, man. Step by step.
A connection-mark is assigned to the whole connection, i.e. a (bi-directional by nature) TCP session or a UDP stream (which is usually also bi-directional). So once you assign connection-mark=XXX to a connection, by means of a mangle rule with action=mark-connection, all further packets belonging to that connection, regardless of their direction, and including the packet which caused the connection-mark to be assigned if passthrough was set to yes in the action=mark-connection rule, match the condition connection-mark=XXX.
A connection-mark never "follows" a packet-mark automatically, nor vice versa - you have to use a mangle rule to generate one from the other, i.e. action=mark-packet connection-mark=XXX new-packet-mark=YYY (used more frequently as it makes sense in more scenarios) or action=mark-connection packet-mark=YYY new-connection-mark=XXX (which might make sense in some complex scenarios where the packet-mark is assigned by an /interface bridge filter rule). The name spaces of connection-mark, packet-mark, and routing-mark are independent, so use of the same string as connection-mark has no effect unless you use one of the rules above.
Next, don't misunderstand what @pe1chl has written - in the current version of RouterOS (6.44.3 for the record), only a single connection-mark can be assigned to a connection at a time. If you assign another connection-mark to it, the previously assigned one is overwritten. I don't exactly understand what @pe1chl had in mind when saying that you can assign a distinct connection-mark to each direction of a connection; what you can do is to assign a different connection-mark depending on the direction in which the connection was initiated, but that's not the same thing.
Another important point is that assignment of packet-mark is only valid for a single packet; the next packet belonging to the same direction of the same connection has to be packet-marked or routing-marked on its own if that is required (which it usually is).
So to assign the appropriate packet-mark to a packet, to be used as a key to select a queue, you have to use a mangle rule (usually, one assigning a packet-mark depending on connection-mark as above; to do so already for the first packet of a connection, the action=mark-connection rule must have passthrough set to yes and the action=mark-packet rule must follow it (and it doesn't necessarily need to have passthrough set to no as you may want to assign both a packet-mark and a routing-mark)). But you have two possibilities how to use the packet-mark to choose a queue from the tree:
- either you set the parent of the queue to global, and in that case, you have to use a distinct packet-mark for each direction to choose the right queue, so you need to match something more than just the connection-mark in the mangle rule,
- or you set the parent of the queue to an outgoing interface, and in that case, you can use the same packet-mark for both directions as the queue matching the packet-mark is only chosen among those whose ultimate parent matches the packet's output interface.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
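The rule ordering and the two queue-tree layouts described in the reply above, written out as an added RouterOS example that is not taken from any of the posts. The interface names (ether1-wan, bridge-lan), the subnet 192.168.88.0/24, all mark and queue names and the rate limits are assumptions chosen for illustration; options A and B are alternatives, so load only one of them.

```routeros
# --- Common part: mark the connection once, on its first packet ---
# passthrough=yes lets that same first packet continue to the
# mark-packet rules below, so it is queued like the rest.
/ip firewall mangle
add chain=forward action=mark-connection connection-state=new \
    src-address=192.168.88.0/24 out-interface=ether1-wan \
    new-connection-mark=lan-conn passthrough=yes \
    comment="assumed LAN subnet and WAN interface"

# --- Option A: queues under parent=global ---
# The global parent sees both directions, so each direction needs
# its own packet-mark; connection-mark alone is not enough.
/ip firewall mangle
add chain=forward action=mark-packet connection-mark=lan-conn \
    out-interface=ether1-wan new-packet-mark=lan-up passthrough=no
add chain=forward action=mark-packet connection-mark=lan-conn \
    in-interface=ether1-wan new-packet-mark=lan-down passthrough=no
/queue tree
add name=lan-upload parent=global packet-mark=lan-up max-limit=5M
add name=lan-download parent=global packet-mark=lan-down max-limit=20M

# --- Option B: queues under the outgoing interface ---
# One packet-mark serves both directions, because a queue is only
# considered when its ultimate parent is the packet's output interface.
/ip firewall mangle
add chain=forward action=mark-packet connection-mark=lan-conn \
    new-packet-mark=lan-pkt passthrough=no
/queue tree
add name=lan-upload parent=ether1-wan packet-mark=lan-pkt max-limit=5M
add name=lan-download parent=bridge-lan packet-mark=lan-pkt max-limit=20M
```

In either option every packet of the connection is re-marked by the mark-packet rule, since a packet-mark lasts for one packet only while the connection-mark persists for the life of the connection.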