I had the assumption that whatever you put into Connection marking follows the Packet marking if you use "Connection marking" as input?
This had me fighting for a very long time and I hope it helps others as well. Also this proves that almost every Tutorial out there is "Wrong" and the setups are working based on randomness and luck.
Maybe someone with the know-how can explain to us why this is happening.
Slow down, man. Step by step.
A connection-mark is assigned to the whole connection, i.e. a (bi-directional by nature) TCP session or a UDP stream (which is usually also bi-directional). So once you assign connection-mark=XXX to a connection, by means of a mangle rule with action=mark-connection, all further packets belonging to that connection, regardless of their direction, and including the packet which caused the connection-mark to be assigned if passthrough was set to yes in the action=mark-connection rule, match the condition connection-mark=XXX.
A connection-mark never "follows" a packet-mark automatically, nor vice versa - you have to use a mangle rule to generate one from the other, i.e. action=mark-packet connection-mark=XXX new-packet-mark=YYY (used more frequently as it makes sense in more scenarios) or action=mark-connection packet-mark=YYY new-connection-mark=XXX (which might make sense in some complex scenarios where the packet-mark is assigned by an /interface bridge filter rule). The name spaces of connection-mark, packet-mark, and routing-mark are independent, so use of the same string as connection-mark and packet-mark has no effect unless you use one of the rules above.
Next, don't misunderstand what @pe1chl has written - in the current version of RouterOS (6.44.3 for the record), only a single connection-mark can be assigned to a connection at a time. If you assign another connection-mark to it, the previously assigned one is overwritten. I don't exactly understand what @pe1chl had in mind when saying that you can assign a distinct connection-mark to each direction of a connection; what you can do is to assign a different connection-mark depending on the direction in which the connection was initiated, but that's not the same thing.
Another important point is that assignment of packet-mark and routing-mark is only valid for a single packet; the next packet belonging to the same direction of the same connection has to be packet-marked or routing-marked on its own if that is required (which it usually is).
So to assign the appropriate packet-mark to a packet, to be used as a key to select a queue, you have to use a mangle rule (usually, one assigning a packet-mark depending on connection-mark as above); to do so already for the first packet of a connection, the action=mark-connection rule must have passthrough set to yes and the action=mark-packet rule must follow it (and it doesn't necessarily need to have passthrough set to no as you may want to assign both a packet-mark and a routing-mark).
But you have two possibilities how to use the packet-mark to choose a queue from the tree:
- either you set the parent of the queue to global, and in that case, you have to use a distinct packet-mark for each direction to choose the right queue, so you need to match something more than just the connection-mark in the mangle rule,
- or you set the parent of the queue to an outgoing interface, and in that case, you can use the same packet-mark for both directions as the queue matching the packet-mark is only chosen among those whose ultimate parent matches the packet's output interface.
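
The two queue-tree variants described in the post above, written out as a RouterOS v6 configuration. This is an added example, not part of the original post; the interface names (ether1-wan, bridge-lan), the mark names and the rate limits are assumptions chosen for illustration.

```routeros
# Added example. Assumed names: ether1-wan (uplink), bridge-lan (LAN side).
/ip firewall mangle
# 1) Mark the connection once, on its first packet. passthrough=yes lets
#    that same first packet continue to the mark-packet rule(s) below.
add chain=forward in-interface=bridge-lan connection-state=new \
    action=mark-connection new-connection-mark=lan-conn passthrough=yes

# ---- Variant A: queues parented to the outgoing interfaces ----
# One packet-mark serves both directions, because each queue is only
# considered for packets leaving through its parent interface.
add chain=forward connection-mark=lan-conn \
    action=mark-packet new-packet-mark=lan-pkt passthrough=no

/queue tree
add name=lan-upload   parent=ether1-wan packet-mark=lan-pkt max-limit=10M
add name=lan-download parent=bridge-lan packet-mark=lan-pkt max-limit=50M

# ---- Variant B: queues parented to global (use instead of A) ----
# connection-mark matches both directions, so the mangle rules need an
# extra condition (here the interface) to give each direction its own
# packet-mark. Remove the Variant A mark-packet rule and queues first.
/ip firewall mangle
add chain=forward connection-mark=lan-conn in-interface=bridge-lan \
    action=mark-packet new-packet-mark=lan-up passthrough=no
add chain=forward connection-mark=lan-conn out-interface=bridge-lan \
    action=mark-packet new-packet-mark=lan-down passthrough=no

/queue tree
add name=lan-upload   parent=global packet-mark=lan-up   max-limit=10M
add name=lan-download parent=global packet-mark=lan-down max-limit=50M
```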