
Mangle no passthrough not working on 5.0rc1

Posted: Thu Sep 30, 2010 7:49 am
by grahamedia
After upgrading from 4.11 to 5.0rc1 on an x86 server, suddenly all the mangle rules are not working properly.

After the passthrough check box has been unchecked, the connection still affects the rule below, like this:

9 chain=prerouting action=mark-connection new-connection-mark=internal-con passthrough=no src-address=xx.xx.xx.xx/xx dst-address=xx.xx.xx.xx/xx
10 chain=prerouting action=mark-packet new-packet-mark=internal-mark passthrough=no connection-mark=internal-con

Supposedly, with passthrough = no on the connection rule, there should be no incoming packets on rule 10, but that does not apply on the 5.0rc1 OS.

Thanks,

Irvan
Grahamedia Net
Indonesia

Re: Mangle no passthrough not working on 5.0rc1

Posted: Thu Sep 30, 2010 2:48 pm
by Chupaka
Your rule 9 can catch packets with src-address=xx.xx.xx.xx/xx dst-address=yy.yy.yy.yy/yy, and rule 10 will catch packets of the same connection, but with src-address=yy.yy.yy.yy/yy dst-address=xx.xx.xx.xx/xx.

Just change rule 10's action to 'log' and see what packets it catches.

Re: Mangle no passthrough not working on 5.0rc1

Posted: Fri Oct 01, 2010 5:59 am
by grahamedia
As far as I know, if in rule 9 we set passthrough = no, the connection-mark = internal-con will not be passed on to the next rule, i.e. rule 10.

So rule 10 will only work fine if in rule 9 we set passthrough = yes; otherwise, no mark will be received by rule 10.

CMIIM

Thanks before..

Re: Mangle no passthrough not working on 5.0rc1

Posted: Sat Oct 02, 2010 10:25 pm
by Lalufu
I can confirm that this does not work in 5.0RC1 (running on RB433). All packets always traverse the whole mangle chain, regardless of passthrough setting.

Re: Mangle no passthrough not working on 5.0rc1

Posted: Mon Oct 04, 2010 1:58 am
by mitchellj
I now have the same issue.

My rules are :-

Rule 10 :- add action=mark-packet chain=prerouting comment="Usenet - Astraweb server" \
disabled=no dst-address-list=ExternalNET new-packet-mark=usenet_in \
passthrough=no protocol=tcp src-port=563

Rule 11: add action=mark-packet chain=prerouting comment=\
"SSL and TLS - Secure Socket Layer / Transport Layer Security " disabled=\
no dst-address-list=ExternalNET layer7-protocol=ssl new-packet-mark=\
ssl_in passthrough=yes

In Beta6 the packet was marked as usenet_in, in RC1 the packet is now marked as SSL.

Thanks
mitch

Re: Mangle no passthrough not working on 5.0rc1

Posted: Mon Oct 04, 2010 2:58 am
by Chupaka
Look, let's suppose we have these rules:
9  chain=prerouting src-address=1.1.1.0/24 dst-address=2.2.2.0/24 \
   action=mark-connection new-connection-mark=internal-con passthrough=no
10 chain=prerouting connection-mark=internal-con action=mark-packet new-packet-mark=internal-mark passthrough=no 
Now, host 1.1.1.1 sends a packet to host 2.2.2.2. Rule 9 will catch that packet and the other rules will be skipped because of passthrough=no.

But host 2.2.2.2 answers to 1.1.1.1 via the same connection. Rule 9 won't catch the packet (because the addresses do not match), but rule 10 will, because the connection-mark is persistent: connection tracking will save it between packets of the same connection.

Re: Mangle no passthrough not working on 5.0rc1

Posted: Mon Oct 04, 2010 12:50 pm
by mitchellj
Chupaka, I agree with you, however you said :-

"rule 9 will catch that packet and the other rules will be skipped because of passthrough=no"

In rc1 that doesn't seem to be the case, and all packets are being allowed to pass through to the next mangle rule.

I tested by resetting my counters, and both my rules had the exact same number of packets received even with passthrough = no set.

mitch

Re: Mangle no passthrough not working on 5.0rc1

Posted: Mon Oct 04, 2010 11:35 pm
by Lalufu
Chupaka, please try the following:

* Add the following rules to the top of the /ip firewall mangle chain:
 0   chain=prerouting action=mark-connection new-connection-mark=icmp_test passthrough=no protocol=icmp dst-address=212.51.10.6
 1   chain=prerouting action=mark-connection new-connection-mark=icmp_test passthrough=no protocol=icmp dst-address=212.51.10.6
Obviously those are identical, so a packet matching the first rule should never reach the second one (because passthrough is off).

* ping 212.51.10.6 from a system behind the router

The hit counters will increase on both rules on 5.0rc1, which is not the expected behaviour.
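To make the two behaviours in this thread concrete (Chupaka's reply-direction explanation of rules 9/10, and Lalufu's two-identical-rules counter test), here is an added Python model of a mangle chain with a connection-tracking table. It is not RouterOS code and not from anyone in the thread; it assumes a simplified conntrack key (unordered address pair plus protocol, no ports) and uses 192.168.88.10 as a constructed LAN client address. With honour_passthrough=True it shows the expected behaviour: rule 10 still counts reply packets even though passthrough works, and Lalufu's second rule never counts. With honour_passthrough=False it reproduces the 5.0rc1 symptom, where a matching mark rule with passthrough=no does not stop evaluation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One /ip firewall mangle rule (only the matchers used in the thread)."""
    action: str                     # "mark-connection" or "mark-packet"
    new_mark: str
    passthrough: bool
    src: Optional[str] = None       # src-address, CIDR
    dst: Optional[str] = None       # dst-address, CIDR
    protocol: Optional[str] = None
    connection_mark: Optional[str] = None
    hits: int = 0                   # the rule's packet counter


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    packet_mark: Optional[str] = None


class MangleChain:
    """Model of one mangle chain plus a direction-agnostic conntrack table.

    honour_passthrough=False reproduces the 5.0rc1 symptom from the thread:
    a matching mark rule with passthrough=no does not stop evaluation.
    """

    def __init__(self, rules, honour_passthrough=True):
        self.rules = rules
        self.honour_passthrough = honour_passthrough
        self.conntrack = {}  # connection key -> connection mark (persists across packets)

    @staticmethod
    def _conn_key(pkt):
        # Assumption/simplification: a connection is identified by its unordered
        # address pair and protocol, so replies map to the same entry as the request.
        return (tuple(sorted((pkt.src, pkt.dst))), pkt.protocol)

    @staticmethod
    def _matches(rule, pkt, conn_mark):
        if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
            return False
        if rule.dst and ip_address(pkt.dst) not in ip_network(rule.dst):
            return False
        if rule.protocol and pkt.protocol != rule.protocol:
            return False
        if rule.connection_mark is not None and conn_mark != rule.connection_mark:
            return False
        return True

    def process(self, pkt):
        key = self._conn_key(pkt)
        conn_mark = self.conntrack.get(key)  # mark saved by conntrack, if any
        for rule in self.rules:
            if not self._matches(rule, pkt, conn_mark):
                continue
            rule.hits += 1
            if rule.action == "mark-connection":
                conn_mark = rule.new_mark
                self.conntrack[key] = conn_mark
            elif rule.action == "mark-packet":
                pkt.packet_mark = rule.new_mark
            if not rule.passthrough and self.honour_passthrough:
                break  # passthrough=no: stop walking the chain
        return pkt


def chupaka_example(honour_passthrough=True):
    """Rules 9 and 10 from the thread: one packet 1.1.1.1 -> 2.2.2.2, then the reply.
    Returns (rule 9 hits, rule 10 hits, forward packet mark, reply packet mark)."""
    rules = [
        Rule("mark-connection", "internal-con", passthrough=False,
             src="1.1.1.0/24", dst="2.2.2.0/24"),
        Rule("mark-packet", "internal-mark", passthrough=False,
             connection_mark="internal-con"),
    ]
    chain = MangleChain(rules, honour_passthrough)
    fwd = chain.process(Packet("1.1.1.1", "2.2.2.2", "tcp"))
    rep = chain.process(Packet("2.2.2.2", "1.1.1.1", "tcp"))
    return rules[0].hits, rules[1].hits, fwd.packet_mark, rep.packet_mark


def lalufu_test(honour_passthrough=True, pings=3):
    """Two identical mark-connection rules with passthrough=no (icmp to 212.51.10.6).
    Returns (rule 0 hits, rule 1 hits) after `pings` echo requests from one
    LAN host (192.168.88.10 is a constructed client address)."""
    rules = [Rule("mark-connection", "icmp_test", passthrough=False,
                  protocol="icmp", dst="212.51.10.6/32") for _ in range(2)]
    chain = MangleChain(rules, honour_passthrough)
    for _ in range(pings):
        chain.process(Packet("192.168.88.10", "212.51.10.6", "icmp"))
    return rules[0].hits, rules[1].hits


if __name__ == "__main__":
    print("correct passthrough :", chupaka_example(), lalufu_test())
    print("rc1-like passthrough:", chupaka_example(False), lalufu_test(False))
```

In the correct model, rule 10's counter equals rule 9's after one request and one reply, which is exactly the observation that looks like "passthrough is ignored" but is really the persistent connection mark matching the reply. Lalufu's test separates the two cases: with working passthrough the second identical rule stays at zero, whereas the rc1-like model counts every ping on both rules.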

Re: Mangle no passthrough not working on 5.0rc1

Posted: Tue Oct 05, 2010 11:46 am
by Chupaka
So, as far as I can see, the problem is not with 'passthrough' but with 'action=mark-connection' and similar: 'passthrough' works fine when I set action=set-priority or clear-df, for example...

any comments from developers? =)

Re: Mangle no passthrough not working on 5.0rc1

Posted: Tue Oct 05, 2010 3:03 pm
by janisk
There are some places where passthrough=no passes through the packets, so caution is advised when you are using RC1.

That will be fixed in rc2; test builds are proven to work correctly.

Re: Mangle no passthrough not working on 5.0rc1

Posted: Tue Oct 05, 2010 3:33 pm
by grahamedia
Thanks Mikrotik Developer !! You're the best !!
So case closed. Hope 5.0rc2 will be released very soon!