Extending the Local/Overseas Setup

Znuff · Wed Mar 07, 2007 11:07 pm

Hello,

I'm trying to extend the Different Limits for Overseas/Local Traffic into something like "Local/Metro/Extern", in wich Local means the local network(s), direct peering or such, Metro is for my ISP's Network and Extern is for the rest of the connections.

My setup consist of 3 MT's, one main gateway and two "slave" gateways. Like:

--- My ISP --->  [ MT - TCT ] --- Network|---> [ MT - NZN ] ---> Customers-NZN
                                         |---> [ MT - IT3 ] ---> Customers-IT3
                                         |---> Customers-TCT

MT - TCT has the network class 89.35.79.0/26 wich is represented by "Network" here, as Customers-TCT
MT - NZN is 89.35.79.2
Customers-NZN have te class 89.35.79.64/26 and 89.35.79.128/25
MT - IT3 is 89.35.79.4
Customers-IT3 is 89.35.78.0/24 and 86.107.189.0/24

So, Local trafic should be between Customers-IT3, Customers-NZN and Customers-TCT.

I've followed the HowTo in the wiki, and I've modified it to suit my tastes. Here's the address-list:

ip firewall address-list> print
Flags: X - disabled, D - dynamic 
 #   LIST       ADDRESS                        
 0   Metro      85.120.71.0/24                 
 1   Metro      85.120.78.0/23                 
 2   Metro      85.120.187.0/24                
 3   Metro      86.107.102.0/24                
 4   Local      86.107.189.0/24                
 5   Metro      89.32.206.0/23                 
 6   Metro      89.33.6.0/23                   
 7   Metro      89.35.64.0/21                  
 8   Local      89.35.78.0/24                  
 9   Metro      89.35.126.0/24                 
10   Metro      89.40.73.0/24                  
11   Metro      89.114.75.0/24                 
12   Metro      193.227.226.0/23               
13   Local      89.35.79.0/24

And here are the mangle rules:

ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Marcheaz  Conexiuni - Clasa /25
     chain=prerouting src-address=89.35.79.128/25 action=mark-connection new-connection-mark=Whole passthrough=yes 

 1   ;;; Marcheaz  Conexiuni - Clasa /26
     chain=prerouting src-address=89.35.79.64/26 action=mark-connection new-connection-mark=Whole passthrough=yes 

 2   ;;; Marcheaz  Conexiuni Locale - Clasa /25
     chain=prerouting src-address=89.35.79.128/25 connection-mark=Whole dst-address-list=Local action=mark-connection 
     new-connection-mark=Local passthrough=no 

 3   ;;; Marcheaz  Conexiuni Locale - Clasa /26
     chain=prerouting src-address=89.35.79.64/26 connection-mark=Whole dst-address-list=Metro action=mark-connection 
     new-connection-mark=Local passthrough=no 

 4   ;;; Marcheaz  Conexiuni Externe - Clasa /25
     chain=prerouting src-address=89.35.79.128/25 connection-mark=Whole dst-address-list=!Metro action=mark-connection 
     new-connection-mark=Extern passthrough=yes 

 5   ;;; Marcheaz  Conexiuni Externe - Clasa /26
     chain=prerouting src-address=89.35.79.64/26 connection-mark=Whole dst-address-list=!Metro action=mark-connection 
     new-connection-mark=Extern passthrough=yes 

 6   ;;; Marcheaz  Pachete Externe
     chain=prerouting connection-mark=Extern action=mark-packet new-packet-mark=extern_trafic passthrough=no 

 7   ;;; Marcheaz  Pachete Metro
     chain=prerouting connection-mark=!Extern action=mark-packet new-packet-mark=metro_trafic passthrough=no

My problems are that currently connections wich should be labeled as "Metro" are ending up with "Extern" limits and I can't figure out why! :-/

Can anyone put some light on this?

Later Edit:

I've tried a different approach in marking connections / packages:


/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting src-address=89.35.79.64/26 action=mark-connection new-connection-mark=Whole passthrough=yes 

 1   chain=prerouting src-address=89.35.79.128/25 action=mark-connection new-connection-mark=Whole passthrough=yes 

 2   chain=prerouting src-address=89.35.79.64/26 connection-mark=Whole dst-address-list=Metro action=mark-connection 
     new-connection-mark=Metro passthrough=no 

 3   chain=prerouting src-address=89.35.79.128/25 connection-mark=Whole dst-address-list=Metro action=mark-connection 
     new-connection-mark=Metro passthrough=no 

 4   chain=prerouting src-address=89.35.79.64/26 connection-mark=Whole dst-address-list=Local action=mark-connection 
     new-connection-mark=Local passthrough=no 

 5   chain=prerouting src-address=89.35.79.128/25 connection-mark=Whole dst-address-list=Local action=mark-connection 
     new-connection-mark=Local passthrough=no 

 6   chain=prerouting src-address=89.35.79.64/26 connection-mark=Whole action=mark-connection new-connection-mark=Extern passthrough=no 

 7   chain=prerouting src-address=89.35.79.128/25 connection-mark=Whole action=mark-connection new-connection-mark=Extern passthrough=no 

 8   chain=prerouting connection-mark=Extern action=mark-packet new-packet-mark=extern_trafic passthrough=no 

 9   chain=prerouting connection-mark=Metro action=mark-packet new-packet-mark=metro_trafic passthrough=no 

10   chain=prerouting connection-mark=Local action=mark-packet new-packet-mark=local_trafic passthrough=no

But yet this doesn't work properly. Metro or Local is not LIMITED properly. I'm starting to thing this is not a packet marking issue but a queue issue?! I'm really saying that this is pretty simple-logic.

Extending the Local/Overseas Setup

Extending the Local/Overseas Setup

Who is online