Code: Select all
0 X ;;; ingress forward
chain=forward action=passthrough in-interface-list=WAN ingress-priority=!0 log-prefix="ingress forward" ipsec-policy=in,none
1 X ;;; dscp forward
chain=forward action=passthrough in-interface-list=WAN dscp=!0 log-prefix="dscp forward" ipsec-policy=in,noneDSCP priority is set by senders, there are no rules on RouterOS to set ingress priority. Thus my understanding is that RouterOS sets ingress priority automatically using the DSCP field. Therefore I expect counters for both rules to match. But it's not the case, there is much more traffic that match rule [1] than [0], i.e. RouterOS translates DSCP values into ingress priority selectively.
When logging is configured on the rules, the following can be seen:
Code: Select all
dscp forward: in:ether1-gateway out:vlan-main, src-mac 00:01:5c:6e:12:46, proto TCP (ACK,PSH), [2600:1406:3c::6863:ee71]:443->[...]:52424, prio 6->0, len 174
ingress forward: in:ether1-gateway out:vlan-main, src-mac 00:01:5c:6e:12:46, proto TCP (ACK,PSH), [2600:1406:3c::6863:ee71]:443->[...]:52424, prio 6->0, len 174
dscp forward: in:ether1-gateway out:vlan-main, src-mac 00:01:5c:6e:12:46, proto TCP (ACK), [2600:1406:3c::6863:ee71]:443->[...]:52424, len 3
dscp forward: in:ether1-gateway out:vlan-main, src-mac 00:01:5c:6e:12:46, proto TCP (ACK), [2600:1f18:60d5:4e03:547c:e76f:6e88:c080]:443->[...]:64826, len 32
dscp forward: in:ether1-gateway out:vlan-main, src-mac 00:01:5c:6e:12:46, proto TCP (ACK,PSH), [2600:1f18:60d5:4e03:547c:e76f:6e88:c080]:443->[...]:64826, len 63
dscp forward: in:ether1-gateway out:vlan-main, src-mac 00:01:5c:6e:12:46, proto TCP (SYN,ACK), [2602:fd3f:3:ff02::2a]:443->[...]:64912, len 40I do not see why some packets get ingress priority and others don't.
Is it documented somewhere how RouterOS sets ingress priority?