I've been getting the hang of firewall mangle and filter flow. After years of just copying Mikrotik wikis, I'm forced to learn to write my own rules. After reading manuals and wikis as well as I could, I still have a few unanswered questions:
First let me say that I GREATLY appreciate the way this question was asked. It is clear (based on your questions) that you have, indeed, studied the manual. This is the proper way to ask a question.
1) How many packet/connection/routing marks can you add to one packet? E.g. I use connection/route marks for load balancing but would also like to shape P2P and QoS for VoIP. Would a second connection mark override the first one, or be added? E.g. if I want to mark according to load balance connection/route marks, but then also mark them to be shaped for QoS and/or other firewall rules like brute force attacks, etc.?
When you create a connection mark, that mark will be applied automatically to each packet in the connection. This connection mark is available to you in other parts of the firewall. For example, if you mark a connection in prerouting, you will be able to match that packet using the filter in both forward and input, or even in later mangles (such as forward/input or postrouting). Each connection can have only 1 connection mark.
It should be noted that you can have a packet that has a connection mark, a routing mark and a packet mark. It is possible to have one of each, but each "type" is limited to ONE. In other words, 1 [packet|connection|route] mark/packet. Another thing to keep in mind is that a connection mark, once added, will be automatically added (as stated above) to future packets in this connection; however, packet marks AND route marks are only added to individual packets. I hope that does not add confusion.
2) In the wiki
http://wiki.mikrotik.com/wiki/PCC where connections get marked:
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 \
action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
2a) Would the router automatically mark all packets related to a previously conn-marked connection with the same conn-mark during the conn-track phase? If so, will it then also add the previous routing mark automatically?
Answered above, but the answers are "yes" and "no" (in the order you asked).
If so, why aren't there rules before these checks with passthrough=no for already marked connections?
The wiki does not always present the most efficient example. Its purpose is to show examples of how things work. The specific article you posted is one that does a good job of showing HOW to do the task, but is not necessarily the most efficient method.
Say on the first packet, the connection is marked on the second rule (wlan2_conn). The next packet that arrives hits the first rule and is the first in a 'batch' of two; will the first rule not then add/override with the wlan1_conn mark? How will it stay marked as wlan2_conn? (Hope this makes sense)
This should not be the case, since it is already marked by the second. I have not tested this, but I believe that is the case. From my reading about PCC (both here and other places), I think the example you are asking about will work correctly, but is simply not the most efficient use of the PCC matcher. I may be able to spend some time testing this and see what I can come up with.
I don't think it is necessary as I stated above. I DO think that the example is just that. Not a complete application, but an example showing how to design the rules using the PCC matcher.
3a) When creating your own chains in mangle, if you set passthrough=no in your custom chain, does it just exit that chain, or the default chain that jumped to it as well?
This is a little more difficult to explain without writing a LONG answer. Here's how this works:
1. Firewall rules (including mangle) are processed in order from the top down, according to which BUILT-IN chain they are in. In other words, if we are in "forward", then rule 0, then 1, then 2, etc. in the forward chain will be processed in order.
2. When we encounter a matching rule that has action "jump", the firewall will begin processing THAT chain from the top down (again, in order). IF we encounter a matching rule in that chain that has the action "accept" or "no passthrough", then ALL processing of that packet in forward mangle will be stopped.
3. The packet processing will continue where it left the forward chain under 2 circumstances:
a. We encounter a matching rule that has action "return"
b. We have processed the last rule in the user chain WITHOUT seeing a matching rule with action "accept" or "no passthrough"
I hope this is clear.
3b) How can you prevent or allow an accept/drop or passthrough=yes/no action to also continue/stop processing in the parent chain that called it? E.g. in my own chain, sometimes I just want to exit somewhere in the chain and continue in the parent chain. Sometimes I want to stop all further processing on that packet.
I think you are looking for action "return" here.
I hope this has helped to clear this up a little.
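A complete mangle block that puts the points from this thread together (one connection mark, one routing mark and one packet mark per packet; a connection-mark=no-mark guard so the PCC rules only see the first packet of a connection, which is the shortcut asked about in 2a; and a user chain showing the difference between passthrough=no and action=return from 3a/3b). This is an added example for this thread, not config from the original posts or from the wiki article; the interface names Local, wlan1 and wlan2, the mark names, and the VoIP/HTTP port numbers are assumed for illustration.

```routeros
/ip firewall mangle
# 1) Connection marks. connection-mark=no-mark means only the FIRST packet of a
#    new connection reaches the PCC matchers; later packets already carry the
#    mark restored by connection tracking and skip both rules, so a packet of a
#    wlan2_conn connection can never be re-marked wlan1_conn by the 2/0 rule.
add chain=prerouting connection-mark=no-mark in-interface=Local dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0 action=mark-connection \
    new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting connection-mark=no-mark in-interface=Local dst-address-type=!local \
    per-connection-classifier=both-addresses:2/1 action=mark-connection \
    new-connection-mark=wlan2_conn passthrough=yes

# 2) Routing marks are NOT remembered by connection tracking, so they are set on
#    every packet by matching the connection mark that tracking restored.
#    The connection mark stays on the packet alongside the routing mark.
add chain=prerouting in-interface=Local connection-mark=wlan1_conn \
    action=mark-routing new-routing-mark=to_wlan1 passthrough=yes
add chain=prerouting in-interface=Local connection-mark=wlan2_conn \
    action=mark-routing new-routing-mark=to_wlan2 passthrough=yes

# 3) Hand QoS classification to a user chain. "jump" is itself a matching rule:
#    processing continues inside chain "qos" from its first rule.
add chain=prerouting in-interface=Local action=jump jump-target=qos

# 4) Packet marks for queue trees (assumed VoIP ports). The packet mark is the
#    third, independent mark on the packet. passthrough=no here ends mangle
#    processing for this packet entirely; it does NOT come back to prerouting.
add chain=qos protocol=udp dst-port=5060,10000-20000 action=mark-packet \
    new-packet-mark=voip passthrough=no
# "return" goes back to prerouting, to the rule right after the jump. A packet
# that reaches the end of "qos" without any terminating match returns there too.
add chain=qos protocol=tcp dst-port=80,443 action=return
add chain=qos action=mark-packet new-packet-mark=bulk passthrough=no

# 5) Reached only by packets that returned from "qos" (HTTP/HTTPS here):
#    they still have no packet mark, so they get one in the parent chain.
add chain=prerouting in-interface=Local packet-mark=no-mark protocol=tcp dst-port=80,443 \
    action=mark-packet new-packet-mark=web passthrough=no
```

Tracing one packet through this: the first packet of an HTTPS connection from Local gets a connection mark from rule 1, a routing mark from rule 2, jumps into "qos", hits the return rule, and is finally packet-marked "web" in prerouting. Every later packet of that connection skips the PCC rules (the connection mark is already there) but still runs through rules 2 to 5, because routing and packet marks are per packet and must be set each time.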