olivier2831
Member Candidate
Topic Author
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Questions on Wiki's PCC page

Mon Oct 18, 2021 7:21 pm

Hello,

After reading it several times, I still have some questions on [1].
/ ip firewall mangle
add chain=prerouting dst-address=10.111.0.0/24  action=accept in-interface=LAN
add chain=prerouting dst-address=10.112.0.0/24  action=accept in-interface=LAN
With policy routing it is possible to force all traffic to the specific gateway, even if traffic is destined to the host (other that gateway) from the connected networks. This way routing loop will be generated and communications with those hosts will be impossible. To avoid this situation we need to allow usage of default routing table for traffic to connected networks
How could this last paragraph be better re-phrased?
To me, IMHO, it could be logical to
1. introduce what dst-address-type is, i.e.,
1a. explicitly define if 192.168.0.1/24, 10.111.0.2/24, 10.112.0.2/24 are of local address type or not.
2a. explicitly define if 10.111.0.12/24, 10.112.0.1/24 are of local address type or not.
2. Then introduce the block below
3. Then introduce the block accepting traffic to either 10.111.0.0/24 or 10.112.0.0/24 and give an explicit example of the so-called traffic loop (is that a traffic loop in the first place, or is the traffic unpredictably sent through the wrong interface?).
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn 
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
Do you need equivalent rules if WAN addresses are public and set through DHCP or PPPoE ?


Is it correct to think that "if a reply to an outbound marked packet comes in, then it would be allocated the same mark as the original outbound packet"?
If positive, what could be the difference between checking an unmarked packet or a NEW connection (as opposed to an ESTABLISHED one) ?
Should you prefer one or the other?

Best regards




[1] https://wiki.mikrotik.com/wiki/Manual:PCC
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Questions on Wiki's PCC page

Tue Oct 19, 2021 2:01 am

With connection marking you mark the connection. Apply it only to new connections.

Then looking at the second example. !local means addresses not belonging to the router, and no-mark all unmarked traffic.

All traffic outgoing is here going to be marked, not yet marked traffic is then also New traffic. Established is already marked before so no need to do that again and end up using a wrong new mark.

Addresses of the wan/dhcp/pppoe are Local to the router. Returning traffic is marked by connection tracking based on src-address (external) and local port. Stateful firewall principle.
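As an added example that is not part of this thread or of the MikroTik wiki page, the following Python model walks the mangle rules quoted in the question over a constructed connection-tracking table, to make the reply's two points concrete: traffic from LAN to a connected network is accepted before any marking and stays in the main table, only an unmarked (hence new) connection is ever hashed by PCC, and a reply arriving from the WAN side finds the existing conntrack entry and so carries the same connection mark. Assumptions not taken from the page: RouterOS's PCC hash function is not documented there, so CRC32 over the sorted address pair stands in for both-addresses; the routing-mark stage with tables to_ISP1/to_ISP2 is modelled after the usual PCC layout but is not quoted in the thread; all hosts and ports are constructed test values from documentation address ranges.

```python
import zlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology using the addresses quoted in the thread.
ROUTER_LOCAL = {ip_address(a) for a in ("192.168.0.1", "10.111.0.2", "10.112.0.2")}
CONNECTED = [ip_network("10.111.0.0/24"), ip_network("10.112.0.0/24")]
ROUTING_TABLE = {"ISP1_conn": "to_ISP1", "ISP2_conn": "to_ISP2"}  # assumed mark-routing stage


@dataclass
class Packet:
    in_interface: str  # "LAN", "ISP1" or "ISP2"
    src: str
    dst: str
    sport: int
    dport: int


def conn_key(pkt):
    # Direction-agnostic key so a reply (src/dst swapped) hits the same conntrack entry.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


def pcc_both_addresses(src, dst, denominator):
    """Stand-in for per-connection-classifier=both-addresses:D/R.

    The wiki page does not specify the hash RouterOS uses; CRC32 over the sorted
    address pair is an assumption that gives the same remainder for both directions.
    """
    pair = "|".join(sorted((src, dst)))
    return zlib.crc32(pair.encode()) % denominator


def mangle_prerouting(pkt, conntrack):
    """Apply the rules from the thread; return (connection_mark, routing_table)."""
    key = conn_key(pkt)
    mark = conntrack.get(key)  # mark already carried by conntrack, if any
    dst = ip_address(pkt.dst)

    # Rules 1-2: LAN traffic to a connected network is accepted untouched, so it
    # uses the main table instead of being forced through a WAN gateway.
    if pkt.in_interface == "LAN" and any(dst in net for net in CONNECTED):
        return mark, "main"

    # Rules 3-4: only unmarked LAN connections to non-local destinations are
    # classified; an already marked connection is never re-hashed.
    if pkt.in_interface == "LAN" and mark is None and dst not in ROUTER_LOCAL:
        remainder = pcc_both_addresses(pkt.src, pkt.dst, 2)
        mark = "ISP1_conn" if remainder == 0 else "ISP2_conn"
        conntrack[key] = mark

    # Assumed mark-routing stage: LAN-originated packets of a marked connection use
    # that ISP's table; replies from the WAN side keep the mark but route via main.
    if pkt.in_interface == "LAN" and mark is not None:
        return mark, ROUTING_TABLE[mark]
    return mark, "main"


def demo():
    """Outbound packet, its reply, a repeat packet, and a packet to a connected network."""
    ct = {}
    out = Packet("LAN", "192.168.0.10", "198.51.100.5", 40000, 53)
    first = mangle_prerouting(out, ct)
    reply_iface = "ISP1" if first[0] == "ISP1_conn" else "ISP2"
    back = Packet(reply_iface, "198.51.100.5", "192.168.0.10", 53, 40000)
    reply = mangle_prerouting(back, ct)          # same mark, taken from conntrack
    again = mangle_prerouting(out, ct)           # not re-hashed, same decision
    local = mangle_prerouting(Packet("LAN", "192.168.0.10", "10.111.0.12", 40001, 22), ct)
    return first, reply, again, local, len(ct)


def split_counts(n=64):
    """Classify n constructed connections and count how many land on each ISP."""
    ct = {}
    counts = {"ISP1_conn": 0, "ISP2_conn": 0}
    for i in range(n):
        pkt = Packet("LAN", "192.168.0.10", f"203.0.113.{i + 1}", 50000 + i, 443)
        mark, _ = mangle_prerouting(pkt, ct)
        counts[mark] += 1
    return counts


if __name__ == "__main__":
    print(demo())
    print(split_counts())
```

Because the reply packet is matched through the conntrack entry rather than re-classified, a connection-mark=no-mark test and a connection-state=new test select the same packets here: the only unmarked packets that reach rules 3-4 are the first packet of a connection, which is exactly the new state.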
