Topic Author
Posts: 36
Joined: Fri Sep 24, 2010 4:59 am

Efficient connection marking and packet marking for QoS

Fri Mar 18, 2011 7:46 am

Hi All

Just want to do a sanity check.
I have setup a queue tree and use mangle rules to create the appropriate packet marks.

I read an interesting wiki article showing a rule that would filter TCP traffic, by port, etc and give it a connection mark, with passthrough enabled. Immediately following it was a rule that filtered traffic by the connection mark and packet marked it with no passthrough.

I saw the advantage in this for performance. It would be quicker to check a packet for its connection mark, rather than other criteria, but the way it was done in the above example, due to top down processing, every packet would be getting filtered by both rules, effectively making even more overhead.

To counter this, I added a second set of packet marking rules at the top of the mangle table that filtered on the connection mark. This way the first packet in a connection would go through the connection mark / packet mark pair, but all subsequent packets would be picked up earlier by the packet mark rule at the top, thus speeding up processing and lowering overhead.

Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Efficient connection marking and packet marking for QoS

Fri Mar 18, 2011 12:05 pm

I use what I call a "selector" for the firewall set up, with a classifier at the top which sends the packet to the correct chain given its source/destination IP. That way packets will have to be checked only against the rules that may be applicable to them and not against all 300 rules.

I suppose you may use something similar for the mangle chain (just started playing with PCC, QoS and packet marks, so I don't have enough experience with that).

just joined
Posts: 20
Joined: Mon Jul 12, 2010 2:22 am

Re: Efficient connection marking and packet marking for QoS

Thu Mar 31, 2011 6:48 am

Hi Mark,

Check out Fewi's response in this post:
The mark connection mangle rule should also have either connection state=new or connection mark=!<mark> to prevent the situation you're describing.
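One way to lay out the mangle rules described in the first post (early packet-mark rule on the connection mark) together with the connection-state=new guard from the reply above, as an added example that is not code from the thread; the chain, mark names, ports and queue limit are assumptions chosen for illustration.

```routeros
# Added example (not from the thread). Mark names, chain, ports and the
# queue limit are assumptions for illustration.
/ip firewall mangle

# 1. Fast path, placed first: every packet on an already-classified
#    connection is packet-marked by one cheap connection-mark lookup and
#    leaves the chain (passthrough=no), so it never reaches the port checks.
add chain=forward connection-mark=web_conn \
    action=mark-packet new-packet-mark=web_pkt passthrough=no \
    comment="fast path: packet mark from existing connection mark"

# 2. Slow path: only the first packet of a new connection is inspected on
#    protocol/port. connection-state=new (connection-mark=no-mark would do
#    the same job) stops later packets from re-running this rule.
add chain=forward connection-state=new \
    protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=web_conn passthrough=yes \
    comment="classify new HTTP/HTTPS connections once"

# 3. That first packet passed rule 1 before its connection was marked, so
#    it is packet-marked here; every following packet stops at rule 1.
add chain=forward connection-mark=web_conn \
    action=mark-packet new-packet-mark=web_pkt passthrough=no \
    comment="packet-mark the first packet of a new web connection"

# Queue tree consuming the packet mark (parent=global is RouterOS v6
# naming; on v5 use global-in / global-out instead).
/queue tree
add name=web parent=global packet-mark=web_pkt max-limit=10M
```

Checking the rule counters (`/ip firewall mangle print stats`) shows whether the layout works: the first rule should accumulate almost all packets while the classify rule counts roughly one packet per connection.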
