 
inibir
Member Candidate
Topic Author
Posts: 116
Joined: Thu Nov 25, 2010 2:25 pm
Location: lebanon

mark-connection VS mark-packet

Thu Feb 10, 2011 9:33 pm

hi all

* What is the difference between mark-connection and mark-packet, and why do we use them together in the same configuration?
Can I use either one alone?

* For using queues, is it necessary to use mark-packet, or is there another method?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: mark-connection VS mark-packet

Thu Feb 10, 2011 10:16 pm

A connection mark is a mark that is automatically applied to all packets of a connection. You mark the connection on one packet, and all other packets in the same connection will have the same mark. This is very useful for identifying traffic to a host as well as the return traffic.
Packet marks only are applied to one packet, and do not propagate to other packets in the same connection.

Sometimes you use the two together because it requires fewer resources to do so. Let's take the following example:
/ip firewall mangle
add protocol=tcp dst-port=80 src-address=1.1.1.0/24 out-interface=WAN chain=forward action=mark-packet new-packet-mark=test
add protocol=tcp src-port=80 dst-address=1.1.1.0/24 in-interface=WAN chain=forward action=mark-packet new-packet-mark=test
That would mark all packets that are HTTP traffic between hosts on the 1.1.1.0/24 network and web servers with the packet mark 'test'. However, for each and every single packet you would have to do a lot of work. Is this packet TCP? Yes. Is it going to destination port 80? Yes. Is the source address within 1.1.1.0/24? Yes. Is it going out the WAN interface? No. Oh. OK. Is it a TCP packet? Yes. Is it sourced from port 80? Yes. And so on. Every packet that is traffic to a webserver would require four comparisons, every packet that is traffic from a webserver would require 8 comparisons, and every packet that doesn't fit either would also require 8 comparisons, plus whatever happens afterward.
/ip firewall mangle
add connection-state=new protocol=tcp dst-port=80 src-address=1.1.1.0/24 out-interface=WAN chain=forward action=mark-connection new-connection-mark=test passthrough=yes
add connection-mark=test chain=forward action=mark-packet new-packet-mark=test
Now the first packet of a connection gets compared five times, and a connection mark is set. Every subsequent packet, whether it's part of the connection or not, is only compared two times: is this a new connection? No. Does it have this connection mark? Yes.

Both packet marks and connection marks are internal to the router only. They are not ever transmitted on the wire, and the next router that sees the traffic has no idea the packet or connection were ever marked.

Simple queues can work without packet marks, but you can use them if you want to. For queue trees it usually doesn't make sense to not use packet marks.

Hope that helps.
 
inibir
Member Candidate
Topic Author
Posts: 116
Joined: Thu Nov 25, 2010 2:25 pm
Location: lebanon

Re: mark-connection VS mark-packet

Fri Feb 11, 2011 1:03 am

ok thanks for the explanation...

How can I use the queue if I want to limit all these IPs in 192.168.1.0/24? Do I need to input each one, or can any IP in the same range get the same conditions?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: mark-connection VS mark-packet

Fri Feb 11, 2011 1:52 am

 
phuang3
Frequent Visitor
Posts: 54
Joined: Thu Apr 21, 2011 3:39 am

Re: mark-connection VS mark-packet

Thu Apr 21, 2011 6:16 am

A connection mark is a mark that is automatically applied to all packets of a connection. You mark the connection on one packet, and all other packets in the same connection will have the same mark. This is very useful for identifying traffic to a host as well as the return traffic...
/ip firewall mangle
add connection-state=new protocol=tcp dst-port=80 src-address=1.1.1.0/24 out-interface=WAN chain=forward action=mark-connection new-connection-mark=test passthrough=yes
add connection-mark=test chain=forward action=mark-packet new-packet-mark=test
Now the first packet of a connection gets compared five times, and a connection mark is set. Every subsequent packet, whether it's part of the connection or not, is only compared two times: is this a new connection? No. Does it have this connection mark? Yes.

Hi Fewi,
I am still confused about the explanation. As you've stated in the very beginning - "You mark the connection on one packet, and all other packets in the same connection will have the same mark.", this time all subsequent packets (back & forth?) should be marked by connection-mark from any 'new' connections with our criteria. Why do we still have to add the packet-mark on those already connection-marked packets?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: mark-connection VS mark-packet

Thu Apr 21, 2011 7:01 am

You don't if you're not using any facilities that require packet marks. Other mangle and filter and NAT rules work just fine with only connection marks. Queues, though, which are a very common reason to use markings at all, only fire on packet marks. Routes only fire on routing marks. Hence the need to apply the other kind of mark - the facilities the mark is for can't use connection marks.
 
phuang3
Frequent Visitor
Posts: 54
Joined: Thu Apr 21, 2011 3:39 am

Re: mark-connection VS mark-packet

Thu Apr 21, 2011 8:26 am

Fewi,

Thanks for the quick reply.
I got one more question. If I apply connection + packet mark on any connection of http port:80 through WAN, does it mean any further incoming "and" outgoing packets are both marked? Without connection mark, I have to achieve this in both ways, right?
 
asionterma
just joined
Posts: 2
Joined: Tue Apr 12, 2011 4:26 am

Re: mark-connection VS mark-packet

Thu Apr 21, 2011 9:43 am

Does mark-connection do anything for connectionless protocols?
 
Sanity
Member Candidate
Posts: 198
Joined: Sun Mar 06, 2011 8:51 am

Re: mark-connection VS mark-packet

Thu Apr 21, 2011 1:21 pm

Does mark-connection do anything for connectionless protocols?

Sure. Connection is not "connection in the protocol", it is "connection in the connection tracker". There is no "connectionless" protocol there. UDP streams are identified as connections (with a timeout). Otherwise how would NAT work ;) The connections are "artificial" in the tracker and also work for connectionless protocols.
 
heviejob
Member Candidate
Posts: 171
Joined: Mon Nov 30, 2009 4:54 pm

Re: mark-connection VS mark-packet

Tue Aug 16, 2011 7:29 pm

Which is the best way to mark, connections or packets, for use in policy-based routing?
I have two internet connections and I want to route some traffic through one connection and others through the other, based on either connection marks or packet marks, and to ensure each packet comes back through the same connection it went out on.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: mark-connection VS mark-packet

Tue Aug 16, 2011 7:34 pm

To mark for policy routing you need routing marks for outbound traffic, packet marks do you no good for routing decisions.

If you need traffic that was established from WAN to LAN to go back out the same interface, you need to use connection marks because the routing marks have to be applied to packets in the other direction of the bidirectional flow. Then apply routing marks outbound based on the connection marks.

The PCC wiki is the simplest example; it contains exactly what you're asking for.

Here is an example:
/ip firewall mangle
# first mark connections coming in via a WAN interface with the interface they came in through
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
# then make random policy decisions for new connections from the LAN - here we're putting tcp/80 traffic out via ISP1
# (connection-mark=no-mark stops these rules from re-marking replies to connections that came in via a WAN interface)
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local protocol=tcp dst-port=80 action=mark-connection new-connection-mark=ISP1_conn
# and everything else via ISP2
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP2_conn
# and finally apply routing marks based on connection marks
add chain=prerouting in-interface=LAN connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting in-interface=LAN connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2
Heavily based on: http://wiki.mikrotik.com/wiki/Manual:PCC
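As an added example (my own code, not fewi's or MikroTik's), a small Python model of mangle evaluation with a connection tracker that serves both fewi's first answer (why mark-connection followed by mark-packet costs fewer comparisons per packet than matching every packet in both directions, and that a packet mark does not carry over to the reply while a connection mark does) and the policy-routing rules above (a reply to a connection that arrived on ISP1 gets routing mark to_ISP1). All addresses, ports, interface names and packets are constructed; matching is exact rather than CIDR-based, dst-address-type is left out, and the LAN rules carry connection-mark=no-mark as in the PCC wiki.

```python
# Added example (not from the thread): a toy model of RouterOS mangle rule
# evaluation with a connection tracker. Rule and packet fields reuse the
# RouterOS keywords quoted in the thread; matching is exact (no CIDR or
# address lists), and a flow counts as "established" once the tracker has
# seen any packet of it, which simplifies real connection tracking.

def conn_key(p):
    a = (p["src-address"], p["src-port"])
    b = (p["dst-address"], p["dst-port"])
    return (p["protocol"],) + (a + b if a < b else b + a)  # same key both ways

def run_mangle(rules, packets):
    """Return (packets with their marks filled in, number of matchers evaluated)."""
    conntrack, comparisons, out = {}, 0, []           # conn_key -> connection-mark
    for q in packets:
        p = {**q, "packet-mark": None, "routing-mark": None}
        key = conn_key(p)
        p["connection-state"] = "established" if key in conntrack else "new"
        p["connection-mark"] = conntrack.get(key, "no-mark")
        for r in rules:
            for field, want in r["match"].items():
                comparisons += 1                      # one matcher evaluated
                if p.get(field) != want:
                    break                             # rule fails, next rule
            else:                                     # every matcher passed
                action, value = r["action"]
                if action == "mark-connection":       # sticks to the whole flow
                    conntrack[key] = p["connection-mark"] = value
                elif action == "mark-packet":         # this packet only
                    p["packet-mark"] = value
                else:                                 # mark-routing
                    p["routing-mark"] = value
                if not r.get("passthrough", True):    # passthrough=no stops here
                    break
        conntrack.setdefault(key, "no-mark")          # tracker now knows the flow
        out.append(p)
    return out, comparisons

def R(match, action, value, passthrough=True):
    return {"match": match, "action": (action, value), "passthrough": passthrough}

def packet(src, sport, dst, dport, iin, iout, proto="tcp"):
    return {"protocol": proto, "src-address": src, "src-port": sport,
            "dst-address": dst, "dst-port": dport,
            "in-interface": iin, "out-interface": iout}

# Constructed flow: client 1.1.1.10 fetches a page from a web server, two round trips.
HTTP_FLOW = [packet("1.1.1.10", 40000, "203.0.113.5", 80, "LAN", "WAN"),
             packet("203.0.113.5", 80, "1.1.1.10", 40000, "WAN", "LAN")] * 2
# fewi's first form: every packet is fully re-matched, one rule per direction.
PACKET_ONLY = [R({"protocol": "tcp", "dst-port": 80, "src-address": "1.1.1.10", "out-interface": "WAN"}, "mark-packet", "test"),
               R({"protocol": "tcp", "src-port": 80, "dst-address": "1.1.1.10", "in-interface": "WAN"}, "mark-packet", "test")]
# fewi's second form: classify the first packet, then match later packets on the mark only.
CONN_THEN_PACKET = [R({"connection-state": "new", "protocol": "tcp", "dst-port": 80, "src-address": "1.1.1.10", "out-interface": "WAN"}, "mark-connection", "test"),
                    R({"connection-mark": "test"}, "mark-packet", "test")]
# PCC-style policy routing from the later post, with connection-mark=no-mark on the
# LAN rules (as in the PCC wiki) so a reply keeps the mark of the interface it came in on.
PCC = [R({"in-interface": "ISP1", "connection-mark": "no-mark"}, "mark-connection", "ISP1_conn"),
       R({"in-interface": "ISP2", "connection-mark": "no-mark"}, "mark-connection", "ISP2_conn"),
       R({"in-interface": "LAN", "connection-mark": "no-mark", "protocol": "tcp", "dst-port": 80}, "mark-connection", "ISP1_conn"),
       R({"in-interface": "LAN", "connection-mark": "no-mark"}, "mark-connection", "ISP2_conn"),
       R({"in-interface": "LAN", "connection-mark": "ISP1_conn"}, "mark-routing", "to_ISP1"),
       R({"in-interface": "LAN", "connection-mark": "ISP2_conn"}, "mark-routing", "to_ISP2")]
```

Calling run_mangle(CONN_THEN_PACKET, HTTP_FLOW) evaluates 12 matchers for the four packets against 24 for run_mangle(PACKET_ONLY, HTTP_FLOW), with every packet carrying packet-mark test in both cases.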
 
heviejob
Member Candidate
Posts: 171
Joined: Mon Nov 30, 2009 4:54 pm

Re: mark-connection VS mark-packet

Tue Aug 16, 2011 7:41 pm

Thanks. I have marked packets and placed routing marks based on the packet marks, and things are all mixed up. Let me check out the PCC wiki.
 
rferroni
just joined
Posts: 14
Joined: Wed Sep 13, 2006 11:37 pm

Re: mark-connection VS mark-packet

Tue Nov 06, 2012 5:05 pm

Hi fewi,
I have a doubt about these marks. I'm using mark-connection in the prerouting chain and then, for two different reasons, I'm using mark-packet (for queue tree) and mark-routing (to route through different WANs), but I can't use both, right? I suppose I can use only mark-packet or mark-routing with the same mark-connection.
I'll think about how to work around this problem, maybe separating queues from routing decisions in two MikroTiks.
Thanks in advance.
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: mark-connection VS mark-packet

Wed Nov 07, 2012 1:44 am

Each packet has three marks: connection-mark, packet-mark and routing-mark. You can use them all in any combination. Also look at the 'passthrough=' parameter of firewall rules.
 
rferroni
just joined
Posts: 14
Joined: Wed Sep 13, 2006 11:37 pm

Re: mark-connection VS mark-packet

Wed Nov 07, 2012 2:54 pm

Sounds like good news!
I'll do some lab practice first, because I have so many lines in the mangle that I'm a bit dizzy!
Yes, passthrough is very important; I'll check it, looking for mistakes.
Thanks!
 
grizly
just joined
Posts: 19
Joined: Thu Nov 29, 2012 2:15 am
Location: Melbourne/Australia

Re: mark-connection VS mark-packet

Fri Nov 30, 2012 1:36 am

How many connection marks can we put on there?
I have been using mangle rules to mark connections as FTP/SSH/etc.. and now want to ensure that traffic goes through the correct interfaces, but I'm worried that my exquisitely written rules will fail if they detect the wrong connection-mark..
 
rferroni
just joined
Posts: 14
Joined: Wed Sep 13, 2006 11:37 pm

Re: mark-connection VS mark-packet

Mon Dec 03, 2012 4:21 pm

I've realized that I have the same problem.
I don't want to split into two different RouterOS devices for now.
So I'm using mark-connection to ensure the flow goes through the proper interface,
and mark-packet alone for the queues (I know this is not the best approach).
 
grizly
just joined
Posts: 19
Joined: Thu Nov 29, 2012 2:15 am
Location: Melbourne/Australia

Re: mark-connection VS mark-packet

Mon Dec 10, 2012 2:33 am

Figured it out, had to use "Passthrough" to add extra marks to packets, routes and connections.. Damn this is cool!

FYI: Passthrough means it will continue processing rules, so a mangle rule adds a route-mark, then another checks and adds a Packet Mark, then a third checks and adds the connection Mark to new connections, allowing all manner of fun-times, then the jumps to type chains and so forth. Loving this.
 
marria
newbie
Posts: 35
Joined: Sat Jun 04, 2011 8:41 pm

Re: mark-connection VS mark-packet

Thu Dec 20, 2012 9:11 am

Question:

Router A has 3 ports: eth0 to clients; eth1 and eth2 are 2 possible paths, each 3 hops, to router B. B has 2 LANs and one WAN to the world.
I set up PCC on router A to sort of load balance between these 2 paths.

Assuming that connections are initiated by clients, is it also necessary to connection mark on router B to keep streams from breaking, or will the established route initiated by the clients hold on router B?

All PCC examples deal with 2 WAN 1 LAN, this would be the opposite?

My router A is splitting traffic nicely according to byte counts, but are my streams breaking?
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: mark-connection VS mark-packet

Fri Dec 21, 2012 2:00 pm

all marks (connection-, packet-, routing-) are local, other routers do not know anything about them

what do you mean by 'breaking'?..
 
marria
newbie
Posts: 35
Joined: Sat Jun 04, 2011 8:41 pm

Re: mark-connection VS mark-packet

Fri Dec 21, 2012 8:13 pm

Breaking: if the stream shifts from one leg of the return path to the other for some reason, such as the original path becoming unavailable, I assume that the stream would break. On video it might recover; on VoIP it would drop the call.

The "A" PCC router designates the path; "B" knows nothing about that. I assume it would keep the path initiated on the same leg, but am I wrong? Do I need to mark that path when it starts?

It all appears to be working correctly.... I just want a better understanding here if I make an unfounded assumption.
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: mark-connection VS mark-packet

Fri Dec 21, 2012 9:22 pm

'A' selects one of the paths to 'B'. The further path is selected by 'B', isn't it?
 
Decsus
just joined
Posts: 18
Joined: Tue Aug 19, 2014 1:27 pm

Re: mark-connection VS mark-packet

Tue Aug 19, 2014 1:38 pm

Hi,

Apologies for necroposting.

But this topic relates to a few questions that I have regarding mangle and packet marking.

1. I assume I can only mark a packet once with each type of mark, [packet, connection and routing marks] if this is incorrect please tell me.

2. I want to use PCQ to mark packets and balance bandwidth between say 10 clients.
a. wlan1 -> connected to all clients
b. ether1 -> connected to broadband
I have set this [PCQ] up [with packet marks] and it works perfectly, but I am unsure what will happen if I try and add additional packet marks for Prioritizing traffic. - HTTP, P2P, SSL etc.
I need priority reduced, especially for p2p but cannot afford to not have the PCQ balancing the bandwidth between clients.

3. Can someone provide a very basic idea of how packets flow through firewall mangle and how passthrough affects this flow?

Thanks

Decsus
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: mark-connection VS mark-packet

Thu Aug 21, 2014 3:29 pm

You can have only 1 mark for a packet that is active for queues. So, if you are re-marking, then the original mark is gone.

So, for queues, you have to use generic marks, and for performance reasons you will mark connections first, and then based on connections add packet marks that belong to that connection.

If you want to have dual queue setup, you have to use different logic altogether. You can look up configuration examples/discussions here on the forums.
 
nkourtzis
Member Candidate
Posts: 230
Joined: Tue Dec 11, 2012 12:56 am
Location: Greece

Re: mark-connection VS mark-packet

Mon Aug 25, 2014 4:04 pm

This thread answered some of my long-standing questions too. Thanks to all contributors!
 
RochieBatula
just joined
Posts: 4
Joined: Tue Sep 02, 2014 4:17 am

Re: mark-connection VS mark-packet

Tue Sep 23, 2014 1:34 pm

Hi, I'm using 3 ISPs and I want any IP from my LAN that tries to access a specific site like clevvermail.com to use WAN1 in and out. How is the setup done?

The reason is, I can connect and log in, but when I browse from folder to folder the connection terminates and brings me back to the login page. It only happens when I'm connected under the MikroTik with 3 ISPs (WANs); when I connect directly to the modem of 1 ISP, or when I'm at home, the connection is normal.

thanks in advance.


Rochie Batula
ProudlY PinoY
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: mark-connection VS mark-packet

Tue Sep 23, 2014 3:17 pm

Show your setup. Probably your router sometimes switches you from one uplink to another.
 
rferroni
just joined
Posts: 14
Joined: Wed Sep 13, 2006 11:37 pm

Re: mark-connection VS mark-packet

Tue Sep 23, 2014 10:54 pm

Hi there!

You can do it using just routing mark without problem.
The only problem is you have to use IP address (not domain names).
First in the firewall:
Mangle table, chain=prerouting dst-address=IP action=mark-routing new-routing-mark=to_isp1
And then in your routing table you have to create a new default gateway (choose your ISP1 here) with "Routing Mark" (the mark created before).
Ip Route, dst-address=0.0.0.0/0 gateway=ip_gw_isp1 routing-mark=to_isp1

All done!
 
hgonzale
Member Candidate
Posts: 275
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain

Re: mark-connection VS mark-packet

Wed Nov 26, 2014 2:35 pm

Hello friends...

I am a bit of a newbie with MikroTik and I think I am writing good policies for traffic shaping and prioritizing traffic. I am doing a double mark: first I mark the connection, and then I mark the packet based on the connection mark. Is it correct? Here are some examples of my rules.

For example, here are my VoIP marks:

add action=mark-connection chain=prerouting comment="VoIP Mark" new-connection-mark=VoIP src-address=192.168.10.53
add action=mark-connection chain=forward dst-address=192.168.10.53 new-connection-mark=VoIP
add action=mark-connection chain=prerouting new-connection-mark=VoIP src-address=192.168.10.58
add action=mark-connection chain=forward dst-address=192.168.10.58 new-connection-mark=VoIP

add action=mark-packet chain=prerouting comment="VoIP Packet" connection-mark=VoIP new-packet-mark=VOIP passthrough=no
add action=mark-packet chain=forward connection-mark=VoIP new-packet-mark=VOIP passthrough=no


Here, connections to my server:

add action=mark-connection chain=prerouting comment="Amertrade Mark" dst-address=142.4.xxx.xxx new-connection-mark=amertrade-server src-address=\
192.168.10.1-192.168.10.199
add action=mark-connection chain=forward dst-address=192.168.10.1-192.168.10.199 new-connection-mark=amertrade-server src-address=142.4.xxx.xxx
add action=mark-packet chain=prerouting comment="Amertrade Packet" connection-mark=amertrade-server new-packet-mark=Amertrade-conection passthrough=no
add action=mark-packet chain=forward connection-mark=amertrade-server new-packet-mark=Amertrade-conection passthrough=no

And here, to web:

add action=mark-connection chain=forward dst-address=192.168.10.200/29 new-connection-mark=http-customer protocol=tcp src-port=80,443,8080
add action=mark-connection chain=prerouting comment="Http Airbnb Mark" dst-port=80,443,8080 new-connection-mark=http-customer protocol=tcp src-address=192.168.11.0/24
add action=mark-connection chain=forward dst-address=192.168.11.0/24 new-connection-mark=http-customer protocol=tcp src-port=80,443,8080
add action=mark-packet chain=prerouting comment="Http customers Packet" connection-mark=http-customer new-packet-mark=HTTP-customers passthrough=no
add action=mark-packet chain=forward connection-mark=http-customer new-packet-mark=HTTP-customers passthrough=no
add action=mark-connection chain=prerouting comment="Http home Mark" dst-port=80,443,8080 new-connection-mark=http-home protocol=tcp src-address=192.168.10.1-192.168.10.199
add action=mark-connection chain=forward dst-address=192.168.10.1-192.168.10.199 new-connection-mark=http-home protocol=tcp src-port=80,443,8080
add action=mark-packet chain=prerouting comment="Http home Packet" connection-mark=http-home new-packet-mark=HTTP-home passthrough=no
add action=mark-packet chain=forward connection-mark=http-home new-packet-mark=HTTP-home passthrough=no

Is the double mark correct?

After, in the queue tree I use the new-packet-mark name.... like this:

add limit-at=768k max-limit=20480k name=web-home-download packet-mark=HTTP-home parent=ether2-master-local priority=4 queue=test-sfq
add limit-at=512k max-limit=2M name=VoIP-download packet-mark=VOIP parent=ether2-master-local priority=2 queue=default
add limit-at=256k max-limit=9130k name=web-customers-download packet-mark=HTTP-customers parent=ether2-master-local priority=6 queue=test-sfq
add limit-at=512k max-limit=20480k name=amertrade-server-download packet-mark=Amertrade-conection parent=ether2-master-local priority=3 queue=t
add limit-at=768k max-limit=6144k name=web.home-upload packet-mark=HTTP-home parent=ether1-gateway priority=4 queue=test-sfq
add limit-at=256k max-limit=2765k name=web-customers-upload packet-mark=HTTP-customers parent=ether1-gateway priority=6 queue=test-sfq
add limit-at=512k max-limit=2M name=VoIP-upload packet-mark=VOIP parent=ether1-gateway priority=2 queue=default
add limit-at=512k max-limit=6144k name=amertrade-server-upload packet-mark=Amertrade-conection parent=ether1-gateway priority=3 queue=test-sfq

I have many other rules, but this is only the VoIP, HTTP for me, for customers and for guests (HTTP).

Is the double mark correct? Thank you