
Need just a straight answer

Posted: Fri Nov 09, 2007 2:00 am
by titius
Ok,

Never mind what I am using it for; is this the way we need to mangle packets?
0   chain=postrouting out-interface=SBB action=mark-connection new-connection-mark=UP_ALL passthrough=yes 

 1   chain=postrouting out-interface=SBB connection-mark=UP_ALL action=mark-packet new-packet-mark=UP_ALL_P 
     passthrough=yes 

 2   chain=prerouting in-interface=SBB action=mark-connection new-connection-mark=DOWNLOAD_ALL passthrough=yes 

 3   chain=prerouting in-interface=SBB connection-mark=DOWNLOAD_ALL action=mark-packet new-packet-mark=DOWNLOAD_ALL_P 
     passthrough=yes 

 4   ;;; HTTPUP
     chain=postrouting out-interface=SBB protocol=tcp dst-port=80 action=mark-connection new-connection-mark=HTTPUPLOAD 
     passthrough=yes 

 5   chain=postrouting out-interface=SBB protocol=tcp connection-mark=HTTPUPLOAD connection-bytes=0-512000 
     action=mark-packet new-packet-mark=FIRST512UP passthrough=no 

 6   chain=postrouting out-interface=SBB protocol=tcp connection-mark=HTTPUPLOAD action=mark-packet 
     new-packet-mark=HTTPUPLOADP passthrough=no 

 7   ;;; HTTPDOWN
     chain=prerouting in-interface=SBB protocol=tcp src-port=80 action=mark-connection new-connection-mark=HTTPDOWNLOAD 
     passthrough=yes 

 8   chain=prerouting in-interface=SBB connection-mark=HTTPDOWNLOAD action=mark-packet new-packet-mark=HTTPDOWNLOAD 
     passthrough=yes 
out-interface=SBB is the interface that gets the public IP.

These rules count nicely and equally.

But only when they are in this order:

1. Connection mark + packet mark

It won't count right if I put all the connection marks first and then the packet marks; never mind, it works.

But if I put a simple queue with packet mark DOWNLOAD_ALL_P, it counts only a few bytes, while in the statistics for that packet mark the traffic is 800 kbps. Why? :(

Also, the queue tree won't work?

Can someone please explain this.

I read the IP Flow diagram, but just don't know why it won't work.

Thanks

Re: Need just a straight answer

Posted: Fri Nov 09, 2007 3:46 pm
by galaxynet
titius -
First thing - most folks on this board are volunteers, if you want an answer you have to 'play nice'.
Two - folks ask what you are using it for so they can give you a solution that fits the problem. If you don't define the problem then how can 'we' give you a solution? Like asking a blind man "...what color is that wall?".

Order of your rules is important as well as whether or not you use passthrough.

If you are trying to do QoS / bandwidth shaping for your users then you want to use prerouting, not postrouting, like this:

add chain=prerouting protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=yes

add chain=prerouting action=mark-packet new-packet-mark=http connection-mark=http passthrough=no

The above two rules first mark the connection and then mark the packet, so you can use the packet mark in the queue tree to control the bandwidth. Then the rule 'returns', as we didn't allow passthrough: since we marked the traffic we wanted, i.e. HTTP port 80, no further processing of the data stream is required in this chain, so we 'return'.

Make sure connection tracking is ON, that way anything associated with a particular connection will also get marked / and your router won't lose track of "who's on first...".

I saw in one of your earlier posts that you were trying to use address lists; well, you can use address lists in the above commands as well. Do a little research and you'll see how to add src-address-list= (! = not) XXXX if you still want to use that. I would not use an address list in these mangle rules, though. If you still want to use that type of thing (address list), I'd do it right up front, over in firewall filter, to identify whether or not to pass traffic at all from a particular IP address. You could also use it in mangle to identify traffic going to either known or unknown IP addresses that you want to limit, like the queuing scheme MT gives in their manual for local and overseas traffic queuing....
You can also still use the in-interface matcher for your client interface. Be careful what you use, though, as each thing you add narrows the matching criteria and makes the router work harder, as it has more parameters to match...

Re: Need just a straight answer

Posted: Sun Nov 11, 2007 1:38 pm
by titius
Sorry for being rude :(.

Just that I tried several ways of marking and queueing, and some of them worked.

But I don't know what is going on there :).

I read IP Flow and thoroughly examined the chart, but some things I can't understand.

I will post my complete setup; it is not long, and you will see what I'm talking about.

Re: Need just a straight answer

Posted: Sun Nov 11, 2007 4:32 pm
by galaxynet
titius -
No problem - we ALL get frustrated sometimes, especially when it seems so simple but it still doesn't work.... Man - I hate that!!! :D

Anyway - post your config, we'll all take a look and see how we can help you achieve your goals.


Thom

Re: Need just a straight answer

Posted: Sun Nov 11, 2007 8:57 pm
by titius
Here is my config
0   ;;; UP
     chain=prerouting in-interface=NAT protocol=tcp action=mark-connection 
     new-connection-mark=ALL_UP passthrough=yes 

 1   chain=prerouting in-interface=NAT protocol=tcp connection-mark=ALL_UP 
     action=mark-packet new-packet-mark=ALL_UP passthrough=yes 

 2   ;;; DOWN
     chain=postrouting out-interface=NAT protocol=tcp action=mark-connection 
     new-connection-mark=ALL_DOWN passthrough=yes 

 3   chain=postrouting out-interface=NAT protocol=tcp connection-mark=ALL_DOWN 
     action=mark-packet new-packet-mark=ALL_DOWN passthrough=yes 

 4   ;;; HTTP_UP
     chain=prerouting in-interface=NAT protocol=tcp dst-port=80 
     action=mark-connection new-connection-mark=HTTP_UP passthrough=yes 

 5   ;;; 512_UP
     chain=prerouting in-interface=NAT protocol=tcp dst-port=80 
     connection-mark=HTTP_UP connection-bytes=0-512000 action=mark-packet 
     new-packet-mark=HTTP_512_UP passthrough=no 

 6   chain=prerouting in-interface=NAT protocol=tcp dst-port=80 
     connection-mark=HTTP_UP action=mark-packet 
     new-packet-mark=HTTP_AFTER_512 passthrough=no 

 7   ;;; Rest_UP
     chain=prerouting in-interface=NAT protocol=tcp action=mark-connection 
     new-connection-mark=Rest_UP passthrough=yes 

 8   chain=prerouting in-interface=NAT protocol=tcp connection-mark=Rest_UP 
     action=mark-packet new-packet-mark=REST_ALL_UP passthrough=no 

 9   ;;; HTTP_DOWN
     chain=postrouting out-interface=NAT protocol=tcp src-port=80 
     action=mark-connection new-connection-mark=HTTP_DOWN passthrough=yes 

10   ;;; 2MBdown
     chain=postrouting out-interface=NAT protocol=tcp src-port=80 
     connection-mark=HTTP_DOWN connection-bytes=0-2048000 action=mark-packet 
     new-packet-mark=First_2MB_DOWN passthrough=no 

11   chain=postrouting out-interface=NAT protocol=tcp src-port=80 
     connection-mark=HTTP_DOWN action=mark-packet 
     new-packet-mark=Rest_HTTP_Down passthrough=no 

12   ;;; RestDown
     chain=postrouting out-interface=NAT protocol=tcp action=mark-connection 
     new-connection-mark=RestDown passthrough=yes 

13  chain=postrouting out-interface=NAT protocol=tcp 
     connection-mark=RestDown action=mark-packet 
     new-packet-mark=Rest_Down passthrough=no 
It counts every single packet right. Every packet is where it should be :).

This is just mangling of ALL traffic, then port 80 traffic, and then the REST of the traffic.

But the QUEUE TREE
0 name="queue1" parent=NAT packet-mark=alldown limit-at=0 queue=ethernet-default priority=8 max-limit=0 burst-limit=0
burst-threshold=0 burst-time=0s

1 name="queue2" parent=NAT packet-mark=SVE_UP limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0
burst-threshold=0 burst-time=0s
won't count anything UNLESS I disable the last PACKET MARK rule for marking the REST UP or DOWN traffic.

I can't find out why :(.

Re: Need just a straight answer

Posted: Mon Nov 12, 2007 5:40 pm
by galaxynet
titius -

0 ;;; UP
chain=prerouting in-interface=NAT protocol=tcp action=mark-connection
new-connection-mark=ALL_UP passthrough=yes

1 chain=prerouting in-interface=NAT protocol=tcp connection-mark=ALL_UP
action=mark-packet new-packet-mark=ALL_UP passthrough=yes

Rules 0 & 1 mark all connections/ packets going up AND down originating on interface NAT for TCP protocol ONLY.

Perhaps you also need to mark UDP traffic and/or ANY other traffic? If you want to mark EVERYTHING that is NOT HTTP then change the above rules to:

0 ;;; UP
chain=prerouting in-interface=NAT action=mark-connection new-connection-mark=ALL_UP passthrough=yes

1 ;;; chain=prerouting in-interface=NAT connection-mark=ALL_UP action=mark-packet new-packet-mark=ALL_UP passthrough=no


Question 1) Do you want to mark traffic going to/from your own network(s)? If no we'll need to change this rule, if yes then you are fine. What I mean here is if a client on your system is 'talking' to say, your web server right on your network, do you want to mark this traffic or are you looking to only mark traffic that is leaving your network(s) to go to the Internet?


2 ;;; DOWN
chain=postrouting out-interface=NAT protocol=tcp action=mark-connection
new-connection-mark=ALL_DOWN passthrough=yes

3 chain=postrouting out-interface=NAT protocol=tcp connection-mark=ALL_DOWN
action=mark-packet new-packet-mark=ALL_DOWN passthrough=yes

Rules 2 & 3 are not necessary, you should delete them.


4 ;;; HTTP_UP
chain=prerouting in-interface=NAT protocol=tcp dst-port=80
action=mark-connection new-connection-mark=HTTP_UP passthrough=yes

5 ;;; 512_UP
chain=prerouting in-interface=NAT protocol=tcp dst-port=80
connection-mark=HTTP_UP connection-bytes=0-512000 action=mark-packet
new-packet-mark=HTTP_512_UP passthrough=no

6 chain=prerouting in-interface=NAT protocol=tcp dst-port=80
connection-mark=HTTP_UP action=mark-packet
new-packet-mark=HTTP_AFTER_512 passthrough=no

Rules 4, 5 & 6 should be your first rules and then put 0 & 1 for the remaining traffic.


7 ;;; Rest_UP
chain=prerouting in-interface=NAT protocol=tcp action=mark-connection
new-connection-mark=Rest_UP passthrough=yes

8 chain=prerouting in-interface=NAT protocol=tcp connection-mark=Rest_UP
action=mark-packet new-packet-mark=REST_ALL_UP passthrough=no

9 ;;; HTTP_DOWN
chain=postrouting out-interface=NAT protocol=tcp src-port=80
action=mark-connection new-connection-mark=HTTP_DOWN passthrough=yes

10 ;;; 2MBdown
chain=postrouting out-interface=NAT protocol=tcp src-port=80
connection-mark=HTTP_DOWN connection-bytes=0-2048000 action=mark-packet
new-packet-mark=First_2MB_DOWN passthrough=no

11 chain=postrouting out-interface=NAT protocol=tcp src-port=80
connection-mark=HTTP_DOWN action=mark-packet
new-packet-mark=Rest_HTTP_Down passthrough=no

12 ;;; RestDown
chain=postrouting out-interface=NAT protocol=tcp action=mark-connection
new-connection-mark=RestDown passthrough=yes

13 chain=postrouting out-interface=NAT protocol=tcp
connection-mark=RestDown action=mark-packet
new-packet-mark=Rest_Down passthrough=no

7, 8, 9, 10, 11, 12, & 13 - I understand what they are doing but if you make the earlier changes I suggested then most of these will not be necessary.

Queueing

0 name="queue1" parent=NAT packet-mark=alldown limit-at=0 queue=ethernet-default priority=8 max-limit=0

burst-limit=0 burst-threshold=0 burst-time=0s

1 name="queue2" parent=NAT packet-mark=SVE_UP limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0
burst-threshold=0 burst-time=0s


The two packet marks you have here "alldown" and "SVE_UP" are not in your mangle rules anywhere. So I can only surmise that A) You put in the wrong packet marks to look for here or B) You didn't include all of your mangle rules.
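To make the ordering and passthrough behaviour discussed above concrete (the two-rule mark-connection / mark-packet pattern from the earlier reply, and the review of titius's rule set just above), here is an added example that is not from the thread and not MikroTik code: a small Python model of how a mangle chain assigns marks, run over titius's prerouting rules as posted and over the reordered set suggested above (HTTP rules first, then a catch-all mark with passthrough=no and without protocol=tcp). The model assumes a packet carries one packet mark, that a later mark-packet rule overwrites an earlier one, that passthrough=no ends the chain for that packet, and that connection-bytes is compared against the connection's running byte count; the sample flows are constructed, and the interface name NAT is taken from the posted config.

```python
"""Model of RouterOS mangle-chain marking (added example, simplified).

Assumed semantics: one packet mark per packet, later mark-packet rules
overwrite earlier ones, passthrough=no ends the chain for that packet.
"""


def parse_rule(line):
    """Parse one 'key=value key=value ...' rule line into a dict."""
    rule = {}
    for token in line.split():
        key, _, value = token.partition("=")
        rule[key] = value
    rule.setdefault("passthrough", "yes")  # RouterOS default
    return rule


def in_range(value, spec):
    """Match a RouterOS-style 'a-b' range or a single number."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= value <= int(hi or lo)


def matches(rule, pkt, conn):
    """Only the matchers used in the thread are modelled."""
    if rule.get("chain") != pkt["chain"]:
        return False
    for key in ("in-interface", "out-interface", "protocol"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("dst-port", "src-port"):
        if key in rule and not in_range(pkt.get(key, -1), rule[key]):
            return False
    if "connection-mark" in rule and conn["mark"] != rule["connection-mark"]:
        return False
    if "connection-bytes" in rule and not in_range(conn["bytes"], rule["connection-bytes"]):
        return False
    return True


def run_chain(rules, pkt, conn):
    """Walk the chain in order; return the packet mark the packet leaves with."""
    packet_mark = None
    for rule in rules:
        if not matches(rule, pkt, conn):
            continue
        if rule["action"] == "mark-connection":
            conn["mark"] = rule["new-connection-mark"]  # stored on the conntrack entry
        elif rule["action"] == "mark-packet":
            packet_mark = rule["new-packet-mark"]  # overwrites any earlier packet mark
        if rule["passthrough"] == "no":
            break
    conn["bytes"] += pkt["size"]  # conntrack byte counter grows as packets pass
    return packet_mark


# titius's prerouting (upload) rules, copied from the posted config
TITIUS_UP_RULES = [
    "chain=prerouting in-interface=NAT protocol=tcp action=mark-connection new-connection-mark=ALL_UP passthrough=yes",
    "chain=prerouting in-interface=NAT protocol=tcp connection-mark=ALL_UP action=mark-packet new-packet-mark=ALL_UP passthrough=yes",
    "chain=prerouting in-interface=NAT protocol=tcp dst-port=80 action=mark-connection new-connection-mark=HTTP_UP passthrough=yes",
    "chain=prerouting in-interface=NAT protocol=tcp dst-port=80 connection-mark=HTTP_UP connection-bytes=0-512000 action=mark-packet new-packet-mark=HTTP_512_UP passthrough=no",
    "chain=prerouting in-interface=NAT protocol=tcp dst-port=80 connection-mark=HTTP_UP action=mark-packet new-packet-mark=HTTP_AFTER_512 passthrough=no",
    "chain=prerouting in-interface=NAT protocol=tcp action=mark-connection new-connection-mark=Rest_UP passthrough=yes",
    "chain=prerouting in-interface=NAT protocol=tcp connection-mark=Rest_UP action=mark-packet new-packet-mark=REST_ALL_UP passthrough=no",
]

# the reordering suggested in the reply: HTTP first, then a catch-all that stops the chain
SUGGESTED_UP_RULES = TITIUS_UP_RULES[2:5] + [
    "chain=prerouting in-interface=NAT action=mark-connection new-connection-mark=ALL_UP passthrough=yes",
    "chain=prerouting in-interface=NAT connection-mark=ALL_UP action=mark-packet new-packet-mark=ALL_UP passthrough=no",
]

# Constructed sample traffic entering on NAT: an HTTP upload of three 300 kB
# segments, one SSH packet and one DNS-over-UDP packet.
FLOWS = [
    ({"chain": "prerouting", "in-interface": "NAT", "protocol": "tcp", "dst-port": 80}, [300000, 300000, 300000]),
    ({"chain": "prerouting", "in-interface": "NAT", "protocol": "tcp", "dst-port": 22}, [1500]),
    ({"chain": "prerouting", "in-interface": "NAT", "protocol": "udp", "dst-port": 53}, [100]),
]


def simulate(rule_lines, flows):
    """Return the final packet mark of every packet, in order."""
    rules = [parse_rule(line) for line in rule_lines]
    marks = []
    for template, sizes in flows:
        conn = {"mark": None, "bytes": 0}  # one conntrack entry per flow
        for size in sizes:
            marks.append(run_chain(rules, dict(template, size=size), conn))
    return marks


def queue_counts(marks):
    """Packets a queue-tree leaf per packet-mark would see."""
    counts = {}
    for mark in marks:
        counts[mark] = counts.get(mark, 0) + 1
    return counts


if __name__ == "__main__":
    print("as posted:     ", queue_counts(simulate(TITIUS_UP_RULES, FLOWS)))
    print("REST rule off: ", queue_counts(simulate(TITIUS_UP_RULES[:-1], FLOWS)))
    print("reordered:     ", queue_counts(simulate(SUGGESTED_UP_RULES, FLOWS)))
```

With the rules as posted, no packet leaves prerouting carrying ALL_UP: every TCP packet is re-marked by the HTTP rules or by the final REST_ALL_UP rule, so a queue keyed on ALL_UP counts nothing, which is the symptom described in the thread; disabling that last mark-packet rule lets ALL_UP survive on non-HTTP traffic. The UDP packet gets no mark at all under the posted rules because of protocol=tcp, while the reordered set marks it ALL_UP, which is the point about non-TCP traffic made in the reply.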

Re: Need just a straight answer

Posted: Mon Nov 12, 2007 8:59 pm
by titius
thanks for the answer,

Just mistyped some of the packet marks; they aren't in English, so I had to retype them for the forum :).

I want to mark traffic going out of my network. This setup is on the router that is doing NAT, and there is nothing else on it.

Generally I get it, I just need more practice; thanks a lot.

I'll try to help people on the forum who are starting out, so I won't just go and use this for myself...

Re: Need just a straight answer

Posted: Mon Nov 12, 2007 9:36 pm
by galaxynet
Ok titius - No problem on the packet marks for your queue....just wanted to make sure there wasn't something else I was missing....

On to the rest.... The connection / packet marking scheme I gave you marks all the packets going through your MT router. The only packets that won't get counted are packets generated by the MT router itself.... Generally this isn't an issue - but I did want you to know that.

As I said in my earlier posts, marking those connections / packets in prerouting will mark both UP and DOWN packets. Then queuing should be able to shape your bandwidth the way you want to.

So - what did you end up with as your final configuration? We'd all be curious to see how you resolved your issue. It could help many folks.

Ok Titus - 'talk' to you soon.

Re: Need just a straight answer

Posted: Thu Nov 15, 2007 2:53 pm
by galaxynet
titius - "bump"

How did your packet/connection marking turn out for you? Are you able to get the fine control over your bandwidth that you were hoping to achieve?

Re: Need just a straight answer

Posted: Fri Nov 16, 2007 2:44 am
by titius
I think it is :)

Works quite well; it counts every packet right.

In a few days I will post my settings; I must work on the queue tree.

I'm wondering, is it enough just to set priority numbers in the queue tree? Will it use just the priority, or do I have to build limit trees with max-limit and limit-at?

Re: Need just a straight answer

Posted: Sat Nov 17, 2007 3:53 am
by galaxynet
Titus-
here is that link to packet / connection marking I spoke about before....

http://forum.mikrotik.com/viewtopic.php?f=2&t=19770

makes good reading.

Thom