What is the best way to mark packet in this case

Posted: Sun Oct 10, 2021 3:38 am
by ahmedelbarbary
What is the best way to mark packets for upload and download in mangle, because I have 4 WANs and 7 LANs?
in-interface-list is not working well for me.
I already mark packets this way:
The QUIC WAN interface name is "4 - In".
The users' address list name is Allowed_Users.

add action=mark-connection chain=forward dst-port=80,443 new-connection-mark=QUIC passthrough=yes protocol=udp \
src-address-list=Allowed_Users
add action=mark-packet chain=forward connection-mark=QUIC new-packet-mark=QUIC_UP out-interface="4 - In" \
passthrough=no src-address-list=Allowed_Users
add action=mark-packet chain=forward connection-mark=QUIC dst-address-list=Allowed_Users in-interface="4 - In" \
new-packet-mark=QUIC_DW passthrough=no

Is this way right?
Should I mark on connection-state=new?
Should I add out-interface="4 - In" in the mark-connection rule?
I mark all traffic like this example; if I have any mistakes, please tell me how to fix them.
Thanks a lot.

Re: What is the best way to mark packet in this case

Posted: Sun Oct 10, 2021 5:17 pm
by sindy
If the first rule is the only one to ever assign the connection mark value QUIC, you don't need the action=mark-packet rules to also match on address-list Allowed_Users. If you remove this match condition, you save a little bit of CPU by not doing these matches.

And yes, by adding connection-state=new to the action=mark-connection rule, you'll save some CPU too (as the connection-mark will not be re-assigned for each LAN->WAN packet).

Since you've got multiple WANs, aren't you using connection-mark also to choose a routing-mark (in chains prerouting or output)?

Re: What is the best way to mark packet in this case

Posted: Sun Oct 10, 2021 5:45 pm
by ahmedelbarbary

[quote]If the first rule is the only one to ever assign the connection mark value QUIC, you don't need the action=mark-packet rules to also match on address-list Allowed_Users. If you remove this match condition, you save a little bit of CPU by not doing these matches.[/quote]
- Hi sindy, thanks for your answer.
- I have 7 LANs without any bridges. If I removed src-address or dst-address, how could I mark packets for upload and download in mangle? Or should I add a parent for every LAN and WAN in the queue tree?

[quote]And yes, by adding connection-state=new to the action=mark-connection rule, you'll save some CPU too (as the connection-mark will not be re-assigned for each LAN->WAN packet).[/quote]
- I saw many times people say connection-state=new is good in UDP because the first packet in UDP is like every other packet, but in TCP there is more difference between the first packet and the other packets.
I tested this in my way of marking routing: when I set connection-state=new or connection-mark=no-mark it makes some delay the first time an app opens, for example; after I removed connection-state or connection-mark=no-mark I saw more responsiveness. But that was in mark-routing; I think mark-packet is different.

[quote]Since you've got multiple WANs, aren't you using connection-mark also to choose a routing-mark (in chains prerouting or output)?[/quote]
Yes, I use mark-connection and mark-routing in prerouting, but I don't mark packets for them because they already have more than enough bandwidth.
My problem is I have many LANs and I want to mark upload and download from the mangle, not in the queue, because I use global as a parent. Which should I mark packets for first, download or upload?

Re: What is the best way to mark packet in this case

Posted: Sun Oct 10, 2021 7:39 pm
by sindy
[quote]I have 7 LANs without any bridges. If I removed src-address or dst-address, how could I mark packets for upload and download in mangle?[/quote]
That's why I said "if the action=mark-connection rule is the only one ever to assign the connection-mark value QUIC". Because if it is, this connection-mark value is only assigned to connections from hosts on that address-list. Since the action=mark-packet rules match on that connection-mark value, the packet-mark will never be assigned to packets not coming to/from these hosts, as such packets will never have that connection-mark value.

[quote]or should I add a parent for every LAN and WAN in the queue tree[/quote]
If you use interfaces as queue parents, you can use the same packet-mark value for both upload and download, but you cannot set a common bandwidth limit for the LAN host no matter which WAN that host uses for a given connection (the limit would apply to each WAN individually). So with a global parent, you need to assign a distinct packet-mark depending on direction, but in-interface(-list) and out-interface(-list) are sufficient for that, no need to match on dst|src-address(-list) as well.

[quote]I saw many times people say connection-state=new is good in UDP because the first packet in UDP is like every other packet, but in TCP there is more difference between the first packet and the other packets[/quote]
Here, it doesn't matter whether it is TCP or UDP. It is just that it is sufficient to assign the connection-mark when handling the initial (very first) packet of the connection; assigning a connection-mark is more CPU consuming than matching on connection-state=new. So your action=mark-connection rule will inspect every packet, but it will only actually assign the connection-mark if it matches on all conditions, including connection-state=new.

[quote]I tested this in my way of marking routing: when I set connection-state=new or connection-mark=no-mark it makes some delay the first time an app opens, for example; after I removed connection-state or connection-mark=no-mark I saw more responsiveness. But that was in mark-routing; I think mark-packet is different[/quote]
It's the same.

[quote]Yes, I use mark-connection and mark-routing in prerouting, but I don't mark packets for them because they already have more than enough bandwidth.
My problem is I have many LANs and I want to mark upload and download from the mangle, not in the queue, because I use global as a parent. Which should I mark packets for first, download or upload?[/quote]
From the end: there are normally about as many upload packets as download ones, so it doesn't really matter which of these have to be matched against two rules and which against three. The average will be 2.5 rules per packet anyway.

But there is just a single connection-mark per connection, so you cannot assign one connection-mark in prerouting and another one in forward to the same connection. The one assigned last will overwrite any previous ones. So you can either assign combined connection-mark values encoding both the desired routing-mark to be used and the desired packet-mark to be used (so e.g. for 3 routing-marks and 4 packet-mark UL/DL pairs, you'll need 12 connection-mark values), or you have to assign the packet-marks using matching on interfaces, addresses, protocols, and port alone, not matching on connection-mark.
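A worked layout of the combined-mark scheme described above (one connection-mark per connection that encodes both the WAN choice and the queue class), added here as an example and not configuration from this thread. The address list Allowed_Users and the WAN interface "4 - In" come from the original post; the interface lists WAN and LAN, the routing table to_wan4, the mark names and the queue limits are assumed.

```routeros
# Added example, not from the thread. Assumed names: interface lists WAN and
# LAN, routing table to_wan4, mark values wan4_quic/QUIC_UP/QUIC_DW, queue
# limits. Allowed_Users and "4 - In" are taken from the original post.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface="4 - In" list=WAN
# add the remaining 3 WAN and 7 LAN interfaces to the matching list

# RouterOS v7 requires the routing table to exist before it is used as a mark
/routing table
add name=to_wan4 fib

/ip firewall mangle
# 1) Classify once, on the first packet only. The connection-mark value
#    "wan4_quic" encodes both the chosen WAN and the QoS class, so it is the
#    only rule that ever assigns it and it already implies src in Allowed_Users.
add chain=prerouting connection-state=new in-interface-list=LAN \
    src-address-list=Allowed_Users protocol=udp dst-port=80,443 \
    action=mark-connection new-connection-mark=wan4_quic passthrough=yes

# 2) Routing decision for LAN->WAN packets only, derived from the
#    connection-mark (routing-mark is per packet, so no connection-state=new).
add chain=prerouting in-interface-list=LAN connection-mark=wan4_quic \
    action=mark-routing new-routing-mark=to_wan4 passthrough=no

# 3) Per-direction packet-marks for a global-parent queue tree. Direction is
#    taken from the interface lists alone; no address-list match is needed.
add chain=forward connection-mark=wan4_quic out-interface-list=WAN \
    action=mark-packet new-packet-mark=QUIC_UP passthrough=no
add chain=forward connection-mark=wan4_quic in-interface-list=WAN \
    action=mark-packet new-packet-mark=QUIC_DW passthrough=no

/queue tree
add name=quic_up parent=global packet-mark=QUIC_UP max-limit=20M
add name=quic_dw parent=global packet-mark=QUIC_DW max-limit=50M
```

Each additional WAN/class combination repeats steps 1 to 3 with its own connection-mark value (the 3 x 4 = 12 values mentioned above), while the queue tree keeps one UL/DL packet-mark pair per class.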

Re: What is the best way to mark packet in this case

Posted: Fri Oct 15, 2021 8:48 pm
by ahmedelbarbary
Thanks Sindy