Community discussions

 
bartmanxxi
just joined
Topic Author
Posts: 6
Joined: Wed Dec 05, 2007 2:41 pm

Multiple connection-marks

Tue Mar 06, 2012 9:13 pm

Is it possible to create more than one connection-mark for a specific connection? For example, one for doing traffic shaping and another for routing policy?
Thanks.
 
Caci99
Forum Guru
Posts: 1050
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane
Contact:

Re: Multiple connection-marks

Tue Mar 06, 2012 10:06 pm

Yes you can. Mark the connections first in prerouting and/or postrouting chain for traffic shaping, and then
place the queues in global-in and/or global-out interfaces.
Then use again connection marks on forward chain for routing policy.
-Toni-
Don't crash the ambulance, whatever you do
 
bartmanxxi
just joined
Topic Author
Posts: 6
Joined: Wed Dec 05, 2007 2:41 pm

Re: Multiple connection-marks

Tue Mar 06, 2012 10:14 pm

Ok, but the second time I mark the connection, will it be overwritten?
 
Caci99
Forum Guru
Posts: 1050
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane
Contact:

Re: Multiple connection-marks

Wed Mar 07, 2012 1:36 pm

Yes, they will be overwritten the second time, but not before those packets
are captured by the queues in global-in interface.
Take a look at the flow diagram on the wiki so you can understand it better:
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
-Toni-
Don't crash the ambulance, whatever you do
 
lapsio
Member
Posts: 463
Joined: Wed Feb 24, 2016 5:19 pm

Re: Multiple connection-marks

Sat Jul 07, 2018 5:02 pm

Sorry for the bump, but is it possible now in a different way? Routing marks are not stateful (unlike connection marks), so when you're overwriting them you either lose PBR info or QoS info for related packets. Is there any other way to achieve stateful routing-mark criteria AND stateful QoS criteria at the same time?

Naive solution is to create NxM connection marks where N is number of PBR-related marks and M is number of QoS related marks but it explodes quite quickly to 100+ marks. Stateful routing marks are necessary if you apply PBR to outgoing traffic (not forwarded). For example if you want router to reply to pings using the same interface that has been used to ping regardless of src ip.
MTCNA, MTCRE, MTCINE
 
sindy
Forum Guru
Posts: 3757
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple connection-marks

Sat Jul 07, 2018 7:32 pm

EDIT: before I finished it, @lapsio has edited his post to suggest the same in less detail. Keeping it here for the lazy ones.

Only one connection mark can be assigned to a connection at a time, so assigning a new connection mark means rewriting (losing) the previous one. So to use connection marks to statefully control both routing marks for routing purposes and packet marks for QoS purposes, you have to use composite routing marks.

Let's say you need to assign two distinct routing marks and three distinct packet marks for QoS and all combinations of those two categories are possible.

So first you use one set of mangle rules using the criteria for routing to assign intermediate connection marks - cm_r1 and cm_r2.

Then, you use two similar sets of mangle rules, each referring to one of the connection marks assigned above and both using the same criteria for QoS, to assign the final composite connection marks - cm_r1_q1, cm_r1_q2, cm_r1_q3, cm_r2_q1, cm_r2_q2, cm_r2_q3.

Or you may use custom chains for the same purpose and assign the final composite connection marks at once:
/ip firewall mangle
### chain=prerouting:
# skip to routing and packet mark assignment if the packet belongs to an already marked connection:
add chain=prerouting action=jump jump-target=assign-r-q-marks connection-mark=!no-mark
# only packets belonging to not-yet-marked connections, i.e. the initial packet of each connection, get here,
# because chain=assign-r-q-marks always provides a final verdict so nothing ever returns from there

add chain=prerouting action=jump jump-target=r1-conns ...criteria for selection of routing policy #1 here...
# only initial packets matching routing policy #2 criteria get here

add chain=prerouting action=mark-connection new-connection-mark=cm_r2_q1 passthrough=yes ...criteria for selection of QoS policy #1 here...
add chain=prerouting action=mark-connection new-connection-mark=cm_r2_q2 passthrough=yes connection-mark=no-mark ...criteria for selection of QoS policy #2 here...
# only initial packets matching routing policy #2 criteria and QoS policy #3 criteria are still unmarked here

add chain=prerouting action=mark-connection new-connection-mark=cm_r2_q3 passthrough=yes connection-mark=no-mark
add chain=prerouting action=jump jump-target=assign-r-q-marks

### chain=r1-conns (must be spelled exactly as the jump-target above; initial packets matching routing policy #1 criteria):
add chain=r1-conns action=mark-connection new-connection-mark=cm_r1_q1 passthrough=yes ...criteria for selection of QoS policy #1 here...
add chain=r1-conns action=mark-connection new-connection-mark=cm_r1_q2 passthrough=yes connection-mark=no-mark ...criteria for selection of QoS policy #2 here...
# only initial packets matching routing policy #1 criteria and QoS policy #3 criteria are still unmarked here

add chain=r1-conns action=mark-connection new-connection-mark=cm_r1_q3 passthrough=yes connection-mark=no-mark
add chain=r1-conns action=jump jump-target=assign-r-q-marks

### chain=assign-r-q-marks:
### first, assign routing marks; a mark matcher takes a single value, so one rule per composite mark,
### and every rule matches explicitly so the r2 rules cannot overwrite r1
### (passthrough=yes lets the packet go on to the packet-mark rules below):
add chain=assign-r-q-marks action=mark-routing new-routing-mark=r1 connection-mark=cm_r1_q1 passthrough=yes
add chain=assign-r-q-marks action=mark-routing new-routing-mark=r1 connection-mark=cm_r1_q2 passthrough=yes
add chain=assign-r-q-marks action=mark-routing new-routing-mark=r1 connection-mark=cm_r1_q3 passthrough=yes
add chain=assign-r-q-marks action=mark-routing new-routing-mark=r2 connection-mark=cm_r2_q1 passthrough=yes
add chain=assign-r-q-marks action=mark-routing new-routing-mark=r2 connection-mark=cm_r2_q2 passthrough=yes
add chain=assign-r-q-marks action=mark-routing new-routing-mark=r2 connection-mark=cm_r2_q3 passthrough=yes
### then, assign packet (QoS) marks; passthrough=no is the final verdict:
add chain=assign-r-q-marks action=mark-packet new-packet-mark=q1 connection-mark=cm_r1_q1 passthrough=no
add chain=assign-r-q-marks action=mark-packet new-packet-mark=q1 connection-mark=cm_r2_q1 passthrough=no
add chain=assign-r-q-marks action=mark-packet new-packet-mark=q2 connection-mark=cm_r1_q2 passthrough=no
add chain=assign-r-q-marks action=mark-packet new-packet-mark=q2 connection-mark=cm_r2_q2 passthrough=no
# only cm_r1_q3 and cm_r2_q3 connections get here
add chain=assign-r-q-marks action=mark-packet new-packet-mark=q3 passthrough=no
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
lapsio
Member
Posts: 463
Joined: Wed Feb 24, 2016 5:19 pm

Re: Multiple connection-marks

Sat Jul 07, 2018 8:06 pm

Hmm I wonder if it'd be possible to template it. I mean to create marks for QoS, marks for routing and make script that will duplicate given chain M times and will compute and replace new marks for each routing mark. And do the same for QoS queues.

I know it would be, just nobody has time to write such a script because it'd take at least 2 days XD

Also I think having like 2k rules in mangle could have terrible impact on performance
MTCNA, MTCRE, MTCINE
 
sindy
Forum Guru
Posts: 3757
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple connection-marks

Sat Jul 07, 2018 8:16 pm

What kind of input to the generating script would you expect? It is a matter of two hours to write such script, but you'd spend the remaining 46 hours debugging it :-D

What do you mean by doing the same for QoS queues - to create an own copy of the queue tree for each WAN? What if the WANs have different bandwidth?

The 2k mangle rules are not that bad as each packet would pass just a small subset of them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
lapsio
Member
Posts: 463
Joined: Wed Feb 24, 2016 5:19 pm

Re: Multiple connection-marks

Sat Jul 07, 2018 9:12 pm

sindy wrote:
What kind of input to the generating script would you expect? It is a matter of two hours to write such script, but you'd spend the remaining 46 hours debugging it :-D

What do you mean by doing the same for QoS queues - to create an own copy of the queue tree for each WAN? What if the WANs have different bandwidth?

The 2k mangle rules are not that bad as each packet would pass just a small subset of them.

I mean that, for example, for the following rules:
/ip firewall mangle
add chain=prerouting action=jump jump-target=routemark connection-mark=no-mark
add chain=routemark action=mark-connection new-connection-mark=mgmt in-interface=br-mgmt
add chain=routemark action=mark-connection new-connection-mark=srv dst-address-list=networkSERVICE
...

add chain=prerouting action=jump jump-target=qosmark connection-mark=no-mark
add chain=qosmark action=mark-connection new-connection-mark=www protocol=tcp dst-port=80,443
add chain=qosmark action=mark-connection new-connection-mark=ssh protocol=tcp dst-port=22
...
you'd give it the parameters 1=qosmark, 2=mgmt,srv and it'd create the rules:
/ip firewall mangle
add chain=prerouting action=jump jump-target=qosmark-mgmt connection-mark=mgmt
add chain=qosmark-mgmt action=mark-connection new-connection-mark=mgmt-www protocol=tcp dst-port=80,443
add chain=qosmark-mgmt action=mark-connection new-connection-mark=mgmt-ssh protocol=tcp dst-port=22
...

add chain=prerouting action=jump jump-target=qosmark-srv connection-mark=srv
add chain=qosmark-srv action=mark-connection new-connection-mark=srv-www protocol=tcp dst-port=80,443
add chain=qosmark-srv action=mark-connection new-connection-mark=srv-ssh protocol=tcp dst-port=22
...
and so on, one copy for each routing mark given as a parameter.
Then it'd be nice if it could also look for all QueueTree records with connection-marks from chain qosmark and also create N sets with mgmt-* and srv-* instead. It doesn't sound like rocket science to make, but yeah, it'd take some time. I believe the ROS scripting language isn't especially powerful when it comes to string manipulation/comparison. I hope it's quite clear what I mean by the script mechanics xD I think it'd be symmetric. As in, if you'd give it the routemark chain and www,ssh it'd probably be able to do that without any changes, because the logic of this operation seems to be the same.
MTCNA, MTCRE, MTCINE
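As an added example (not code from the thread, from its posters, or from MikroTik), here is the rule generator sketched in the posts above, written in Python rather than RouterOS script so it can run anywhere. It produces the complete N x M composite-connection-mark mangle config that sindy laid out by hand for 2 x 3 policies and that lapsio asked to template, for any number of routing and QoS policies, and it adds a static check for the two mistakes that are easiest to make by hand: a jump-target whose chain is spelled differently, and a composite mark that never reaches a passthrough=no rule, so its packets would fall back through prerouting. The chain names qos-<routing> and assign-marks, the <routing>-<qos> mark format, the catch-all policy names main and other, and the sample criteria are assumptions, modelled on lapsio's rules.

```python
"""Generate the N x M composite-connection-mark mangle rules discussed in the thread.

Added example, not from the forum posts or from MikroTik. Assumptions: chain names
qos-<routing> and assign-marks, composite mark "<routing>-<qos>", catch-all policies
named "main" (no routing mark, i.e. the main table) and "other", and the constructed
sample criteria below, modelled on lapsio's rules.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str      # becomes the routing mark, or the QoS packet mark
    criteria: str  # RouterOS matchers applied to the first packet of a connection


# Constructed sample input (not a real network).
ROUTING = [Policy("mgmt", "in-interface=br-mgmt"),
           Policy("srv", "dst-address-list=networkSERVICE")]
QOS = [Policy("www", "protocol=tcp dst-port=80,443"),
       Policy("ssh", "protocol=tcp dst-port=22")]


def cmark(routing, qos):
    """Composite connection mark that carries both decisions for the whole connection."""
    return f"{routing}-{qos}"


def generate_mangle(routing, qos, default_routing="main", default_qos="other"):
    """Return the /ip firewall mangle lines for every routing x QoS combination.

    Marks are single-valued in a matcher, so one rule is emitted per composite mark.
    default_routing is the catch-all routing policy and stays on the main table, so it
    gets no mark-routing rule; default_qos is the catch-all QoS class.
    """
    lines = ["/ip firewall mangle"]
    add = lines.append
    all_routing = [p.name for p in routing] + [default_routing]
    all_qos = [p.name for p in qos] + [default_qos]

    # prerouting: already-marked connections skip straight to mark assignment;
    # the first packet of a new connection picks its routing policy and jumps on
    add("add chain=prerouting action=jump jump-target=assign-marks connection-mark=!no-mark")
    for r in routing:
        add(f"add chain=prerouting action=jump jump-target=qos-{r.name} {r.criteria}")
    add(f"add chain=prerouting action=jump jump-target=qos-{default_routing}")

    # one QoS chain per routing policy: the QoS criteria are identical in every copy,
    # only the composite mark differs (this is the part lapsio wants a script to template)
    for r in all_routing:
        chain = f"qos-{r}"
        for q in qos:
            add(f"add chain={chain} action=mark-connection new-connection-mark={cmark(r, q.name)} "
                f"passthrough=yes connection-mark=no-mark {q.criteria}")
        add(f"add chain={chain} action=mark-connection new-connection-mark={cmark(r, default_qos)} "
            f"passthrough=yes connection-mark=no-mark")
        add(f"add chain={chain} action=jump jump-target=assign-marks")

    # assign-marks: routing mark first with passthrough=yes, then the packet mark as the
    # final verdict (passthrough=no), so nothing returns to prerouting
    for r in routing:
        for q in all_qos:
            add(f"add chain=assign-marks action=mark-routing new-routing-mark={r.name} "
                f"connection-mark={cmark(r.name, q)} passthrough=yes")
    for q in all_qos:
        for r in all_routing:
            add(f"add chain=assign-marks action=mark-packet new-packet-mark={q} "
                f"connection-mark={cmark(r, q)} passthrough=no")
    return lines


def check_consistency(lines):
    """Static check of a generated (or hand-written) rule set.

    Reports every jump-target without a matching chain and every connection mark that
    is assigned somewhere but never reaches a passthrough=no rule, i.e. never gets a
    final verdict. Returns the list of problems; empty means consistent.
    """
    chains, targets, assigned, terminal = set(), set(), set(), set()
    for ln in lines:
        m = re.match(r"add chain=(\S+)", ln)
        if not m:
            continue
        chains.add(m.group(1))
        for pattern, bucket in ((r"jump-target=(\S+)", targets),
                                (r"new-connection-mark=(\S+)", assigned)):
            hit = re.search(pattern, ln)
            if hit:
                bucket.add(hit.group(1))
        if "passthrough=no" in ln:
            hit = re.search(r"(?<!new-)connection-mark=(\S+)", ln)
            if hit:
                terminal.add(hit.group(1))
    problems = [f"jump-target {t} has no chain" for t in sorted(targets - chains)]
    problems += [f"connection mark {c} never reaches a final verdict"
                 for c in sorted(assigned - terminal)]
    return problems


if __name__ == "__main__":
    config = generate_mangle(ROUTING, QOS)
    print("\n".join(config))
    print("# problems:", check_consistency(config) or "none")
```

Because the QoS decision leaves assign-marks as a plain packet mark (www, ssh, other), the queue tree keeps one entry per QoS class and does not need an N-fold copy; only the mangle side grows with N x M, and each packet still traverses one qos-<routing> chain plus the assign-marks chain. Run check_consistency on the output before importing it, and on any hand-edited export, since a single mistyped chain name silently turns the jump into a no-op.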
