mangle...

dyrdymal · Fri Dec 18, 2009 12:53 am

Hi,

Can someone explain to me why exactly some examples mangle connections and then mangle packets...? Why not mangle packets alone...?
Example:
why this

add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
    new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet \
    new-packet-mark=http passthrough=no

and not this:

add chain=prerouting protocol=tcp dst-port=80 action=mark-packet \
    new-packet-mark=http passthrough=no

Thanks,

akosenko · Fri Dec 18, 2009 10:18 am

If I'm not mistaken, when you're mark connection first and then mark all packets belong this connection, then in packet marks you're have src-address and dst-address, then apply this packet mark for outgoing or incoming interface and you're have download or upload traffic. In other words you're don't have separate upload or download connections, just apply packet mark for upload or download interface. BUT if you're using NAT (masquerade) you must separate upload and download traffic (in this connection, or use only packet marks).

sorry for my bad english

dyrdymal · Fri Dec 18, 2009 7:36 pm

my guess is that it may be more efficient to mark connection first and then look only at that connection when marking packets (it may be more efficient to look at connection and not every single packet)... but that's just a guess...

Perhaps one of MIkrotik's QoS/firewall expert could clarify that...?

gmsmstr · Fri Dec 18, 2009 9:29 pm

Connection marks are MUCH more efficent, not to mention, they capture data both ways, not just to or from depending on the ports and/or in interfaces.

butche · Mon Dec 21, 2009 8:02 am

dyrdymal: see this thread http://forum.mikrotik.com/viewtopic.php?f=2&t=37694

mangle...

mangle...

Re: mangle...

Re: mangle...

Re: mangle...

Re: mangle...

Who is online