yudigadget
Frequent Visitor
Topic Author
Posts: 60
Joined: Fri Mar 23, 2007 1:09 pm

Protocol Classifier, mark packet then queue tree?

Mon Aug 25, 2008 11:21 am

I followed the famous article "Dmitry on Firewalling", then I tried to modify the configuration.
Why can't I mark packets with chain tcp-services?
10 chain=tcp-services connection-mark=http action=mark-packet new-packet-mark=packet_http_in passthrough=no

so, no packets are detected.. :(
Should I use chain prerouting instead of tcp-services? Because with chain prerouting it works, the mark-packet rule is counting.

Then I will put the packet mark in the Queue Tree, to do bandwidth limitation of HTTP download, then SMTP download, HTTPS download, POP3 download, etc.


[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services
1 chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-services
2 chain=prerouting connection-state=new action=jump jump-target=other-services
3 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-connection new-connection-mark=ftp passthrough=no
4 chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-connection new-connection-mark=ssh passthrough=no
5 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-connection new-connection-mark=telnet passthrough=no
6 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp passthrough=no
7 chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
8 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
9 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=no
10 chain=tcp-services connection-mark=http action=mark-packet new-packet-mark=packet_http_in passthrough=no
11 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop passthrough=no
12 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-connection new-connection-mark=auth passthrough=no
13 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-connection new-connection-mark=nntp passthrough=no
14 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-connection new-connection-mark=imap passthrough=no
15 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp passthrough=no
16 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=https passthrough=no

thanks,
yudi
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: Protocol Classifier, mark packet then queue tree?

Mon Aug 25, 2008 4:01 pm

yudigadget -
You need to study the firewall mechanisms more thoroughly....
9 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=no

10 chain=tcp-services connection-mark=http action=mark-packet new-packet-mark=packet_http_in passthrough=no
Rule 9 above already marked the connection, and you have passthrough set to no - so the rule returns to whatever chain sent it here.

When you used 'chain=prerouting' you were using a different firewall chain - not tcp-services - so the packets were counted.

If you want to use the tcp-services chain then allow passthrough on rule 9 and keep passthrough = no in rule 10. Then the connection AND the packet will get marked with a connection mark and a packet mark.

R/
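The passthrough behaviour galaxynet describes, laid out as an added RouterOS mangle example (not either poster's own configuration). Because rule 0 in the listing only jumps connection-state=new packets into tcp-services, a mark-packet rule inside that chain can at most see the first packet of each HTTP connection, so the per-packet rule here is placed in prerouting and keyed on the connection mark, which is the variant yudi saw counting. The queue tree name, parent and max-limit are assumed values.

```routeros
# Added example, not the posters' configuration. Connection classification
# stays in tcp-services: rule 0 (chain=prerouting connection-state=new) sends
# only the first packet of each connection there, which is where the
# connection mark is set.
/ip firewall mangle
add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 \
    action=mark-connection new-connection-mark=http passthrough=no

# As posted (rule 10): this sits in tcp-services after a passthrough=no rule,
# so the chain has already returned to prerouting before it is evaluated.
# Even with passthrough=yes on the rule above it would only mark the
# connection's first packet, because later packets are never jumped here.
#add chain=tcp-services connection-mark=http \
#    action=mark-packet new-packet-mark=packet_http_in passthrough=no

# Corrected: mark every packet of the connection in prerouting, where all
# packets pass. Placed after the jump rules so the first packet, whose
# connection mark is set during the jump, is marked as well.
add chain=prerouting connection-mark=http \
    action=mark-packet new-packet-mark=packet_http_in passthrough=no

# Queue tree consuming the packet mark (name, parent and limit are assumed
# values; global-in is the RouterOS v3/v4 inbound parent, later versions use
# parent=global).
/queue tree
add name=http_in parent=global-in packet-mark=packet_http_in max-limit=2M
```

After applying the rules, the mark-packet counter on the prerouting rule should increase for every HTTP packet, not just the first of each connection, and the queue tree leaf should show matching traffic.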