Dear All,
I have been using mikrotik for sometime, but something is bugging me.
Without it, my rules run well.
Why we have to mark the connection then mark the packet based on connection?
What if I dont do it, means just mark the packet?
Maybe someone can point me to an introduction to mark thing.

Thank you.
Regards,
Andre

I "think" marking connection will also marl ack packects etc, not just the packets in your rule

You can just mark packets

without the connection tracking - no connection marks, router will compare each packet to a given conditions (very slow).

also, think about ftp, tftp, sip, etc ... they start on one port and then switch to another. using connection-marking will also grab those additional packets and consider them a related connection that otherwise couldnt be identified.

If you want to do mark for source or destination IP Address, and you don't have any NAT on your firewall, you don't have to use Conn-Mark. You can do it with Packet Mark.

If you want to mark protocol and port, it's better you use Conn-Mark first, as after handshaking, the port number will change. We use conn-mark to detect each connection so the port changing will not effect the result.

If you are using src-nat in prerouting you can not mark destination local IP address, as in prerouting the destination is still public ip address and have not translated to the local IP Address.