Change DSCP on DNS packet from LAN to Mikrotik?

Posted: Thu Nov 25, 2021 12:55 pm
by IntLDaniel
I am trying to change the DSCP value on packets coming from my LAN to Mikrotik (ROS v6.49.1). I have these two examples in mangle:

add action=change-dscp chain=input comment=\
"qos - change DSCP on ICMP traffic for FIREWALL" in-interface-list=LAN \
new-dscp=56 passthrough=no protocol=icmp

add action=change-dscp chain=input comment=\
"qos - change DSCP on DNS traffic for FIREWALL" dst-port=53 \
in-interface-list=LAN new-dscp=56 passthrough=no protocol=udp

The first one (for ICMP) works, the second (for DNS) does not :-( I can see packet counting on both rules (so the proof that the conditions are met), but when I monitor packets via Torch, I can see the changed DSCP value for ICMP packets coming from LAN to router BUT not for DNS packets (no DSCP value there at all) :-( I did try to disable all other mangle rules but it does not help. For me it seems that the DSCP value is deleted somewhere else afterwards... maybe in the internal DNS of Mikrotik?

Thanks for any comment or help!

Re: Change DSCP on DNS packet from LAN to Mikrotik?

Posted: Thu Nov 25, 2021 1:14 pm
by sindy
/tool sniffer shows received packets before they get handled by any mangle rules, I'm not sure where /tool torch is hooked. So if /tool sniffer quick interface=whateverthenameis ip-protocol=icmp ip-address=ip.of.the.router shows you any DSCP value except 56 for received ICMP (to see the DSCP value, you have to use /tool sniffer packet print detail after stopping it), whereas /tool torch shows you 56, it means that mangling takes place between the wire and the monitoring point of torch; if sniffer also shows 56, it means the packets already come from the LAN like that.

To reliably check that the change did actually take place, the only way is to set passthrough=yes in the action=change-dscp rule, and then put an action=log or action=passthrough rule matching on the new DSCP value into the same chain.

Re: Change DSCP on DNS packet from LAN to Mikrotik?

Posted: Thu Nov 25, 2021 1:38 pm
by IntLDaniel
Thanks for the reply. So the current result with Packet Sniffer:
* I can see there TOS values 56 on ICMP packets if my mangle rule for ICMP is active, if it is disabled then NOT (TOS = 0)
* for the DNS (udp/53) there is always TOS = 0

So for me the Torch has the same output as the packet sniffer. So what is the result now? :-)

Re: Change DSCP on DNS packet from LAN to Mikrotik?

Posted: Thu Nov 25, 2021 2:03 pm
by sindy
Something must be wrong, as in my case, it works the way I expect:

[me@myTik] > ip firewall mangle print where !dynamic
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=change-dscp new-dscp=34 protocol=tcp src-port=443
1 chain=input action=log dscp=35
When the second rule matches on dscp=34, it logs packets; if it matches on dscp=35, it doesn't. And both /tool sniffer and /tool torch interface-name dscp=any show a DSCP value of 0.

So I think you actually look at the DSCP of the responses, and the ICMP responder copies the DSCP from the ICMP ECHO packets to the ICMP ECHO RESPONSE packets, whereas the DNS and other normal services do not.

I've tried to ping a Mikrotik from a remote device and set dscp=34 as a parameter of the ping command, and the responses show a DSCP of 34 too.

Not the case for normal traffic, DNS included.

Re: Change DSCP on DNS packet from LAN to Mikrotik?

Posted: Thu Nov 25, 2021 2:38 pm
by IntLDaniel
Thanks for testing. I have already tested another service (SSH) with the same result as DNS. You are probably right that ICMP is a different case than the others and I am watching the reply packet? The question now is whether the packets from my LAN going to my Mikrotik really get a new DSCP or not. The intention was to prioritize packets across the whole network from client to Mikrotik (the way goes through several switches with correctly configured QOS TOS priority).

Re: Change DSCP on DNS packet from LAN to Mikrotik?  [SOLVED]

Posted: Thu Nov 25, 2021 2:50 pm
by sindy
I was wondering why you set the DSCP in chain input, as the right place is to set it in chain output for packets sent by the Mikrotik itself, and in chain forward for packets forwarded from one interface to another.

For the traffic from the client to the Mikrotik, the client itself or the switch to which it is directly connected must set the DSCP (the TOS field of the IP header) and QoS (the PRI field of the 802.1Q header). Setting it as late as when it arrives at the Mikrotik makes no sense.
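As an added example (not configuration posted in this thread), this is how the two chains described above look once the marking is moved to where it takes effect, together with the verification trick from the earlier reply (passthrough=yes on the marking rule, then a log rule matching on the new DSCP in the same chain). It assumes the interface list LAN from the original post exists and keeps DSCP 56 as the chosen value; the comments and log-prefix are made up for this example.

```routeros
# Added example, not from the thread: DSCP marking for router-originated replies
# and for forwarded traffic. Assumes the interface list "LAN" exists.
/ip firewall mangle

# Replies the router itself sends (its own DNS responder, ICMP, SSH) are marked in
# chain=output. A DNS reply is matched on its SOURCE port 53, not the destination
# port used by the query in the original input-chain rule.
add chain=output out-interface-list=LAN protocol=udp src-port=53 \
    action=change-dscp new-dscp=56 passthrough=yes \
    comment="qos - DSCP 56 on DNS replies sent by the router"
add chain=output out-interface-list=LAN protocol=icmp \
    action=change-dscp new-dscp=56 passthrough=yes \
    comment="qos - DSCP 56 on ICMP sent by the router"

# Verification rule in the same chain, directly after the marking rule: it only
# counts/logs when the DSCP change actually happened. Kept disabled; enable it
# briefly while testing and read /log, then disable it again.
add chain=output protocol=udp src-port=53 dscp=56 \
    action=log log-prefix="dscp56-dns-reply" disabled=yes \
    comment="qos - verify marking of DNS replies"

# Traffic the router forwards from one interface to another (e.g. LAN clients
# querying an external resolver) is marked in chain=forward, not input.
add chain=forward in-interface-list=LAN protocol=udp dst-port=53 \
    action=change-dscp new-dscp=56 passthrough=yes \
    comment="qos - DSCP 56 on forwarded DNS queries"
```

Marking in chain=input, as in the original post, does change the DSCP inside the router, but the packet is consumed by the router's own DNS service and never leaves it, so nothing downstream can ever observe the mark; only the output and forward chains touch packets that go back onto the wire.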

Re: Change DSCP on DNS packet from LAN to Mikrotik?

Posted: Thu Nov 25, 2021 3:04 pm
by IntLDaniel
Eh, of course, input does not make sense :shock: :? Many thanks for this catch, of course I need to set DSCP values on replies from Mikrotik to clients and not the opposite! So the output chain is the point and now it works like a charm :)