rafa_lore
Member Candidate
Topic Author
Posts: 121
Joined: Tue Apr 17, 2007 4:57 am
Location: Salta

I can't mangle packet with Layer 7

Fri Oct 05, 2007 1:40 am

Hello everybody
I'm studying Layer 7 with MKT, because it is something WONDERFUL. I asked about it at the MUM in Argentina, and they told me "A GOOD QUESTION" and nothing more. And now it appears!!!
But I have some problems.... :(
I inserted into /ip firewall layer7-protocol the definitions that are in http://www.mikrotik.com/download/l7-protos.rsc. Then I created these 4 rules in mangle:
0 ;;; HTTP Layer 7
chain=prerouting action=mark-connection new-connection-mark=HTTP_CON passthrough=yes layer7-protocol=http

1 chain=prerouting action=mark-packet new-packet-mark=HTTP passthrough=no connection-mark=HTTP_CON

2 ;;; RESTO
chain=prerouting action=mark-connection new-connection-mark=RESTO_CON passthrough=yes

3 chain=prerouting action=mark-packet new-packet-mark=RESTO passthrough=no connection-mark=RESTO_CON

Finally I open a browser and start using it, and the only marks that appear in CONNECTIONS are "RESTO_CON", no marks of "HTTP_CON". Look, this is a print of Connections:
17 SA protocol=tcp src-address=10.10.1.253:51260 dst-address=200.43.15.16:80 reply-src-address=10.10.200.1:3128 reply-dst-address=10.10.1.253:51260
tcp-state=96 timeout=5s connection-mark="RESTO_CON" p2p=none
18 SA protocol=tcp src-address=xxx.xxx.xxx.xxx:43112 dst-address=200.43.15.16:80 reply-src-address=200.43.15.16:80 reply-dst-address=xxx.xxx.xxx.xxx:43112
tcp-state=232 timeout=5s connection-mark="RESTO_CON" p2p=none
19 SA protocol=tcp src-address=10.10.1.253:51261 dst-address=200.43.15.16:80 reply-src-address=10.10.200.1:3128 reply-dst-address=10.10.1.253:51261
tcp-state=none timeout=4s connection-mark="RESTO_CON" p2p=none
20 SA protocol=tcp src-address=10.10.1.253:51262 dst-address=200.43.15.16:80 reply-src-address=10.10.200.1:3128 reply-dst-address=10.10.1.253:51262
tcp-state=232 timeout=4s connection-mark="RESTO_CON" p2p=none
21 SA protocol=tcp src-address=xxx.xxx.xxx.xxx:43113 dst-address=200.43.15.16:80 reply-src-address=200.43.15.16:80 reply-dst-address=xxx.xxx.xxx.xxx:43113
tcp-state=none timeout=5s connection-mark="RESTO_CON" p2p=none
22 SA protocol=tcp src-address=xxx.xxx.xxx.xxx:43114 dst-address=200.43.15.16:80 reply-src-address=200.43.15.16:80 reply-dst-address=xxx.xxx.xxx.xxx:43114
tcp-state=172 timeout=5s connection-mark="RESTO_CON" p2p=none
23 SA protocol=tcp src-address=10.10.1.253:51263 dst-address=200.43.15.16:80 reply-src-address=10.10.200.1:3128 reply-dst-address=10.10.1.253:51263
tcp-state=225 timeout=4s connection-mark="RESTO_CON" p2p=none

As you can see, the IP 200.43.15.16 is working on port 80, so it is HTTP!!!
I'm using a HOTSPOT server to try it, but I think that it doesn't depend on what type of server I'm using.
Could somebody tell me what I'm doing wrong?
Thank you very much

Rafael Loré
 
normis
MikroTik Support
Posts: 26914
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: I can't mangle packet with Layer 7

Fri Oct 05, 2007 9:27 am

no mangle. put it directly into firewall.

1. make the l7 rule
2. use the created rule in a firewall drop rule
 
mrz
MikroTik Support
Posts: 7188
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: I can't mangle packet with Layer 7

Fri Oct 05, 2007 11:34 am

The layer7 matcher must see traffic in both directions. Put your rule in the forward chain and it should work.
 
rafa_lore
Member Candidate
Topic Author
Posts: 121
Joined: Tue Apr 17, 2007 4:57 am
Location: Salta

Re: I can't mangle packet with Layer 7

Fri Oct 05, 2007 3:11 pm

Thanks, boys, for your replies!!!
But normis, I don't understand you; I want to use Mangle, because then I will use QUEUE TREE!!. If I drop, you know how my telephone will be :D
And another thing, mrz, you tell me that I have to use forward, but I want to use a different gateway for some traffic, for example P2P. I can't do it with forward, can I?
Thank you very much!!!!! :)
Rafael Loré
 
mrz
MikroTik Support
Posts: 7188
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: I can't mangle packet with Layer 7

Fri Oct 05, 2007 8:16 pm

You can! Just set the ingoing or outgoing interface. But if you really need that rule in prerouting, then it is possible to add two rules like this:
/ip firewall mangle
add action=mark-connection chain=prerouting comment="L7 bittorrent" connection-mark=lat-download-conn layer7-protocol=bittorrent new-connection-mark=lat-p2p-download-conn passthrough=yes
add action=passthrough chain=postrouting layer7-protocol=bittorrent
In this example the bittorrent matcher will see connections in both directions.
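The same two-rule approach applied to the HTTP ruleset from the first post, as an added example that is neither the poster's nor MikroTik's configuration. It assumes the layer7 entry named "http" from l7-protos.rsc is already loaded and reuses the poster's mark names (HTTP_CON/HTTP and RESTO_CON/RESTO). One detail from the printed connection table is worth noting: entries with reply-src-address=10.10.200.1:3128 show the hotspot's transparent proxy answering from the router itself, so that half of the traffic goes through the output and postrouting chains and never through prerouting, which is exactly why a matcher living only in prerouting sees one direction. The extra connection-mark=no-mark restriction on the default rule is my addition, not something mrz suggested.

```routeros
# Added example, not the poster's or MikroTik's configuration.
# Assumes: layer7 entry "http" exists; mark names are the poster's.
/ip firewall mangle

# (a) Feed the reply direction to the matcher. action=passthrough changes
#     nothing; its only job is to run the layer7 engine on packets in
#     postrouting, which replies from the router itself (hotspot proxy) and
#     from the Internet both traverse.
add chain=postrouting action=passthrough layer7-protocol=http comment="L7 http: inspect reply direction"

# (b) Once the matcher has decided, classify the connection. Deliberately not
#     restricted by connection-mark: the first packets of a connection reach
#     rule (c) and get RESTO_CON before the pattern can match, so this rule
#     must be allowed to re-mark them to HTTP_CON.
add chain=prerouting action=mark-connection layer7-protocol=http new-connection-mark=HTTP_CON passthrough=yes comment="L7 http"
add chain=prerouting action=mark-packet connection-mark=HTTP_CON new-packet-mark=HTTP passthrough=no

# (c) Default class, only for connections nothing above has classified yet
#     (assumption: no-mark keeps the connection mark stable instead of
#     re-writing RESTO_CON on every packet).
add chain=prerouting action=mark-connection connection-mark=no-mark new-connection-mark=RESTO_CON passthrough=yes comment="RESTO"
add chain=prerouting action=mark-packet connection-mark=RESTO_CON new-packet-mark=RESTO passthrough=no
```

To check that the matcher is now classifying, watch the counters with /ip firewall mangle print stats (the "L7 http" rule should start counting once a browser is used) and list the table with /ip firewall connection print; HTTP_CON should appear next to the port-80 entries. Two caveats a practitioner should keep in mind: the layer7 matcher only examines the first few packets of a connection (the MikroTik documentation states the first 10 packets or 2 KB), so the first packets of every HTTP connection will still carry the RESTO marks until the pattern matches, and regex matching is CPU work on every new connection, so on a busy router it is worth confirming with /system resource monitor that the added rules stay within budget.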
