accarda
Member Candidate
Topic Author
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Mangle PCC rules check for improvement.

Mon Jun 01, 2020 12:39 pm

Hi all,
I'm currently using a config with dual WAN for failover and load balancing traffic.
The setup is working fine, but since it was based on reading articles and a few other posts, I'd like to see whether there are possible improvements, mainly in terms of logical rule order and bad usage of passthrough=yes/no that might be working but not be formally correct in this implementation, or due to mistakes covering other mistakes.
I'm using 2 address-lists to avoid load balancing some IPs.
/ip firewall mangle

add action=accept chain=prerouting comment=\
    "Allow connected networks to skip load balance" \
    dst-address-list=ConnectedNetworks in-interface=bridge-vpn-lan

add action=mark-connection chain=prerouting comment=\
    "Create Mangle rules that will sort the traffic into streams WAN1" \
    connection-mark=no-mark dst-address-type=!local in-interface=\
    bridge-vpn-lan new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/0 src-address-list=\
    !LB_Disabled

add action=mark-connection chain=prerouting comment=\
    "Create Mangle rules that will sort the traffic into streams WAN2" \
    connection-mark=no-mark dst-address-type=!local in-interface=\
    bridge-vpn-lan new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/1 src-address-list=\
    !LB_Disabled

add action=mark-routing chain=prerouting comment="Create the routing marks \
    based on the conn mark for WAN1" connection-mark=WAN1_conn \
    in-interface=bridge-vpn-lan new-routing-mark=route_WAN1 passthrough=yes

add action=mark-routing chain=prerouting comment="Create the routing marks \
    based on the conn mark for WAN2" connection-mark=WAN2_conn \
    in-interface=bridge-vpn-lan new-routing-mark=route_WAN2 passthrough=yes

add action=mark-routing chain=output comment="This ensures traffic from the ro\
    uter returns through the proper interface WAN1" connection-mark=WAN1_conn \
    dst-address-list=!ConnectedNetworks new-routing-mark=route_WAN1 \
    passthrough=yes

add action=mark-routing chain=output comment="This ensures traffic from the ro\
    uter returns through the proper interface WAN2" connection-mark=WAN2_conn \
    dst-address-list=!ConnectedNetworks new-routing-mark=route_WAN2 \
    passthrough=yes

add action=mark-connection chain=prerouting comment="Identify which WAN interf\
    ace the traffic came in and mark the connection" connection-mark=no-mark \
    in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=yes

add action=mark-connection chain=prerouting comment="Identify which WAN interf\
    ace the traffic came in and mark the connection" connection-mark=no-mark \
    in-interface=ether2-WAN2 new-connection-mark=WAN2_conn passthrough=yes

Thanks in advance for any suggestion that you can provide.
Armando.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mangle PCC rules check for improvement.  [SOLVED]

Mon Jun 01, 2020 4:51 pm

Passthrough tells the router whether it should process further rules. When it's a new outgoing connection, you first set the connection mark and then you need to set the routing mark for the same packet. So in this case, rules that set the connection mark for new outgoing connections need passthrough=yes. The same rules for new incoming connections can have passthrough=no, because it's the last thing you need to do with those packets. And all other rules can have passthrough=no too.

Order of rules matters within the same chain, so you can do something only in chain=prerouting, but not much. You could move the last two rules to the beginning, which would save some processing for incoming packets, but would add it for outgoing, so no real difference in the end.

You should not need dst-address-list=!ConnectedNetworks in chain=output rules, because connections to router itself can only get WANx_conn mark when they come from WANx. And you want to send responses back the same way.

Edit: As was pointed out to me, the last paragraph is not true, because those rules also match icmp 'ttl exceeded' packets.
 
accarda
Member Candidate
Topic Author
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: Mangle PCC rules check for improvement.

Mon Jun 01, 2020 6:24 pm

Thank you Sob for the info that you have provided.
I have re-arranged the rules so that now all prerouting rules are organized with the mark-connection rules grouped together and mark-routing as the last part of the chain; in this way I have adjusted the passthrough based on your explanation.
This is how it looks now after these changes.
/ip firewall mangle

add action=accept chain=prerouting comment=\
    "Allow connected networks to skip load balance" dst-address-list=\
    ConnectedNetworks in-interface=bridge-vpn-lan

add action=mark-connection chain=prerouting comment="Identify which WAN interf\
    ace the traffic came in and mark the connection" connection-mark=no-mark \
    in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=yes

add action=mark-connection chain=prerouting comment="Identify which WAN interf\
    ace the traffic came in and mark the connection" connection-mark=no-mark \
    in-interface=ether2-WAN2 new-connection-mark=WAN2_conn passthrough=yes

add action=mark-connection chain=prerouting comment=\
    "Create Mangle rules that will sort the traffic into streams WAN1" \
    connection-mark=no-mark dst-address-type=!local in-interface=\
    bridge-vpn-lan new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/0 src-address-list=\
    !LB_Disabled

add action=mark-connection chain=prerouting comment=\
    "Create Mangle rules that will sort the traffic into streams WAN2" \
    connection-mark=no-mark dst-address-type=!local in-interface=\
    bridge-vpn-lan new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/1 src-address-list=\
    !LB_Disabled

add action=mark-routing chain=prerouting comment=\
    "Create the routing marks based on the conn mark for WAN1" \
    connection-mark=WAN1_conn in-interface=bridge-vpn-lan new-routing-mark=\
    route_WAN1 passthrough=no

add action=mark-routing chain=prerouting comment=\
    "Create the routing marks based on the conn mark for WAN2" \
    connection-mark=WAN2_conn in-interface=bridge-vpn-lan new-routing-mark=\
    route_WAN2 passthrough=no

add action=mark-routing chain=output comment="This ensures traffic from the ro\
    uter returns through the proper interface WAN1" connection-mark=WAN1_conn \
    dst-address-list=!ConnectedNetworks new-routing-mark=route_WAN1 \
    passthrough=no

add action=mark-routing chain=output comment="This ensures traffic from the ro\
    uter returns through the proper interface WAN2" connection-mark=WAN2_conn \
    dst-address-list=!ConnectedNetworks new-routing-mark=route_WAN2 \
    passthrough=no

As for the last part, as you confirmed, I used that remedy to fix an issue with traceroute, which was failing otherwise when initiated directly from the connected LAN interface.
Thanks again for having clarified some of the key points here.
Armando
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mangle PCC rules check for improvement.

Mon Jun 01, 2020 9:35 pm

The second and third rules don't need passthrough either.
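As an added illustration (not code from the thread, from MikroTik, or from RouterOS itself), the Python below simulates the revised prerouting chain from the second post so the effect of passthrough=yes/no on each packet can be checked: a new LAN connection, a connection with a LB_Disabled source, a new inbound connection on ether1-WAN1, and a later packet of an already-marked connection. The address lists, the router's local address and the PCC hash are constructed stand-ins (RouterOS' real both-addresses hash differs; only "same address pair, same bucket" matters here), and the output chain is not modelled.

```python
from ipaddress import ip_address, ip_network
# Constructed stand-ins for the address lists and the router's own (local) addresses.
LISTS = {"LB_Disabled": [ip_network("192.168.88.10/32")],
         "ConnectedNetworks": [ip_network("192.168.88.0/24"), ip_network("10.0.0.0/24")]}
LOCAL = {"192.168.88.1"}
LAN = "bridge-vpn-lan"

def pcc(src, dst, denominator):
    # Stand-in for both-addresses:D/R; assumption: RouterOS' real hash differs.
    return (int(ip_address(src)) + int(ip_address(dst))) % denominator

def in_list(ip, name):
    return any(ip_address(ip) in net for net in LISTS[name])

# The prerouting rules from the revised config, in the posted order.
PREROUTING = [
    dict(action="accept", in_iface=LAN, dst_list="ConnectedNetworks"),
    dict(action="mark-connection", in_iface="ether1-WAN1", conn_mark="no-mark", new_conn="WAN1_conn", passthrough=True),
    dict(action="mark-connection", in_iface="ether2-WAN2", conn_mark="no-mark", new_conn="WAN2_conn", passthrough=True),
    *[dict(action="mark-connection", in_iface=LAN, conn_mark="no-mark", dst_not_local=True, src_not_list="LB_Disabled",
           pcc=(2, r), new_conn=f"WAN{r + 1}_conn", passthrough=True) for r in (0, 1)],
    dict(action="mark-routing", in_iface=LAN, conn_mark="WAN1_conn", new_route="route_WAN1", passthrough=False),
    dict(action="mark-routing", in_iface=LAN, conn_mark="WAN2_conn", new_route="route_WAN2", passthrough=False),
]

def matches(rule, pkt, conn_mark):
    want = rule.get("conn_mark")
    return all([
        rule["in_iface"] == pkt["in"],
        want is None or (conn_mark is None if want == "no-mark" else conn_mark == want),
        "dst_list" not in rule or in_list(pkt["dst"], rule["dst_list"]),
        not rule.get("dst_not_local") or pkt["dst"] not in LOCAL,
        "src_not_list" not in rule or not in_list(pkt["src"], rule["src_not_list"]),
        "pcc" not in rule or pcc(pkt["src"], pkt["dst"], rule["pcc"][0]) == rule["pcc"][1],
    ])

def run_prerouting(pkt, conn_mark=None, rules=PREROUTING):
    """Walk the chain as the firewall would; return (conn_mark, routing_mark, rules_evaluated)."""
    routing_mark = None
    for evaluated, rule in enumerate(rules, 1):
        if not matches(rule, pkt, conn_mark):
            continue
        if rule["action"] == "mark-connection":
            conn_mark = rule["new_conn"]
        elif rule["action"] == "mark-routing":
            routing_mark = rule["new_route"]
        if rule["action"] == "accept" or not rule.get("passthrough", False):
            break  # accept, or passthrough=no, stops evaluation for this packet
    return conn_mark, routing_mark, evaluated
```

Running an inbound packet from ether1-WAN1 through the chain with the second and third rules switched to passthrough=no gives the same marks after two rules instead of seven, which is the saving the last reply refers to.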