Hello all,
I'm facing a weird behavior using IPv6 connection mark on RouterOS v7.6 Stable. I'm setting a new connection mark to ICMP (protocol ICMPv6) and DNS (UDP port 53) connections, then I mark packets to QoS simple queue.
I have noticed some connection UDP 443, but there is no rule in mangle that match this protocol/port to me marked as "ICMP+DNS_conn". As shown below, I have only 2 rules to mark this connections.
There are a 3 attachments to illustrate this.
Connection marks in mangle:
Connections marked correctly:
Connection that should not be marked:
Can someone please point me a direction?
Connection mark misconfiguration?
You do not have the required permissions to view the files attached to this post.
Re: Connection mark misconfiguration?
In the IPv4 connection tracking, the connection mark values are inherited from the basic connection also to the "related" ones (e.g. if a TCP packet that has the DF flag set and exceeds the MTU of the outgoing interface, the ICMP "fragmentation needed" packet reporting this to the sender gets the same connection mark like that TCP packet).
So I would assume that here it works also in the reverse direction, and at some point, an ICMPv6 packet has arrived that was related to the UDP connection to port 443 and got marked with your connection mark, and the basic connection has inherited the connection mark.
So I would assume that here it works also in the reverse direction, and at some point, an ICMPv6 packet has arrived that was related to the UDP connection to port 443 and got marked with your connection mark, and the basic connection has inherited the connection mark.
Re: Connection mark misconfiguration?
Thanks for reply! I agree that is a possible couse!
What you suggest to solve this? Mark only connections with connection state equal new? Mark connection with connection state not equal related?
I'm testing the first option, mark only if connection state equal new.
What you suggest to solve this? Mark only connections with connection state equal new? Mark connection with connection state not equal related?
I'm testing the first option, mark only if connection state equal new.
Re: Connection mark misconfiguration?
Yes.Mark only connections with connection state equal new?
That would selectively address the suspected cause, but the above way is clearer.Mark connection with connection state not equal related?
Re: Connection mark misconfiguration?
Sindy, the first alternative, to mark only connection state equal new, did the job.Yes.Mark only connections with connection state equal new?
That would selectively address the suspected cause, but the above way is clearer.Mark connection with connection state not equal related?
Many thanks!
Re: Connection mark misconfiguration?
Hello all,
I am facing the same problem during last few months and the solution is to put connection-state=new,established.
the connection-state=established for the return traffic.
so far i am not see the packets with protocol tcp and udp anymore.
P
I am facing the same problem during last few months and the solution is to put connection-state=new,established.
the connection-state=established for the return traffic.
so far i am not see the packets with protocol tcp and udp anymore.
P