marking packets

mhitrov · Wed Mar 26, 2008 5:00 pm

Hi,

Could you explain me when should i use just "action=mark-packet" and when i should use it in confunction with "action=mark-connection", for Queue tree shaping.

I saw several scripts from different guys.

Somebody just mark the packet (without any connection-mark actions):

1   ;;; UP TRAFFIC
    chain=prerouting in-interface=lan 
    src-address=172.21.1.0/24 action=mark-packet 
    new-packet-mark=test-up passthrough=no

Somebody fist of all, mark the connection, and after that mark the packet2:

2   ;;; CONN-MARK
    chain=forward src-address=172.21.1.0/24 
    action=mark-connection 
    new-connection-mark=test-conn passthrough=yes 

3   ;;; DOWN-DIRECT CONNECTION
    chain=forward in-interface=public 
    connection-mark=test-conn action=mark-packet 
    new-packet-mark=test-down passthrough=no 

4   ;;; DOWN-VIA PROXY
    chain=output out-interface=lan 
    dst-address=172.21.1.0/24 action=mark-packet 
    new-packet-mark=test-down passthrough=no

Could you explain me in more details how it works?

Thanks

Ibersystems · Wed Mar 26, 2008 8:24 pm

Hi,

I allways mark connection and later mark packet. This is how we make in training..

In mark connection u have to put passthrough=yes and in mark packet passthrough=no.

Martín.

mhitrov · Wed Mar 26, 2008 8:28 pm

mhitrov · Wed Mar 26, 2008 8:30 pm

Thanks Martin,

But i want to know what is the difference.

Why to use two marking rules (connection, packet mark) if it is possible to use just one (direct packet mark).

I want to be sure how RouterOS works, in order to make the right configuration.

I saw this technics in the wiki pages.
Code link: http://wiki.mikrotik.com/wiki/Queue_wit ... _Web-Proxy

Thanks again

hulk-bd · Wed Mar 26, 2008 8:56 pm

Dear mhitrov,

Basic of packet marking in MT, you should mark connection first then mark packet for the specific mangle rules. cause for connection tracking marking connection is needed and about passthrough it means the 1st rule will pass to the next one, so you'll always see that kind of passthrough and no passthrough in many rules. 1st passthrough rules stop to the next no passthrough rule, am I clear here? and someone written here that only mark packet rule consume more CPU consumption.

Regards

Chupaka · Thu Mar 27, 2008 3:15 am

Why to use two marking rules (connection, packet mark) if it is possible to use just one (direct packet mark).

if it is possible - then you should use it =)

but when you mark connection between A.A.A.A and B.B.B.B, then in mark packet rule you mark both packets from A.A.A.A to B.B.B.B and packets from B.B.B.B to A.A.A.A. how do you plan mark it with one rule?

mhitrov · Thu Mar 27, 2008 11:53 am

I think a understand.

In that case it is used masquarading and queueing.

That person uses global-in parent interface for queueing the upload traffic (cause it is masquarading). In that case, we should mark just the uploading traffic (with one mark rule), because through global-in is passed upload and dowload traffic.

that is why you can't use mark conecction (with packet mark), because it will mark both : download and upload traffic (but we need just upload in order to use it in global-in virtual interface).

I hope i'm right.

Thanks to everybody for answers

patagonia · Sun Mar 30, 2008 1:53 am

mhitrov, the difference is based on nat type, if you use masquerade you first need to mark the connection and then the packet because the routing mark need to know for where the flow comes to mark the packets.

marking packets

marking packets

Re: marking packets

Re: marking packets

Re: marking packets

Re: marking packets

Re: marking packets

Re: marking packets

Re: marking packets

Who is online