[Mikrotik] Policy routing based on DSCP

William Esteves stevens144 at hotmail.com
Mon Jun 4 09:14:05 CDT 2012


I'm wondering if it's really possible to redirect a connection like this. Look, I tried to redirect all_p2p of Mikrotik, but it didn't work.
I have an L7 for file types like .iso and .exe, and even with that I failed. And by the way, I found the SYN packet on DSCP of my web-cache server, but it didn't work anyway.
I'm working on my last discovery. I use the DSCP like this:
/ip firewall mangle add action=add-dst-to-address-list address-list=youtube address-list-timeout=0s chain=prerouting disabled=no dscp=56 dst-port=80 protocol=tcp src-address=172.16.1.2
add action=mark-routing chain=prerouting disabled=no dst-address-list=youtube new-routing-mark=link3 passthrough=no src-address=!172.16.1.2
All files that have a DSCP=56 will create a dynamic address list called youtube, and all clients whose destination is in this address list will be redirected to this route.
That works just fine, but there's a problem. The first time it happens, the video stops, and it only works when you press F5. I don't have enough knowledge to know what to do; I only think that this connection needs to be redone.
Sorry for my bad English and for taking your time. Thank you for everything.



> From: chupaka at gmail.com
> Date: Fri, 1 Jun 2012 01:56:38 +0300
> To: mikrotik at mail.butchevans.com
> Subject: Re: [Mikrotik] Policy routing based on DSCP
> 
> You need to NAT that SYN packet, so that the server sees it with your
> line3's src IP. If you don't know that this connection will be with dscp=56
> sometime in the future, you cannot NAT it now. So look at the server that sets
> dscp to see why it doesn't set dscp from the beginning of the connection.
> 
> 
> 2012/6/1 William Esteves <stevens144 at hotmail.com>
> 
> >
> > It's right, man! There's no SYN packet with DSCP, even when I add
> > connection-state=new, so there's a problem.
> > I'm wondering if there's something that I can do to recreate this
> > connection with DSCP or something. You know what I mean?!
> > What can I do?
> >
> > > From: chupaka at gmail.com
> > > Date: Thu, 31 May 2012 23:56:20 +0300
> > > To: mikrotik at mail.butchevans.com
> > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > >
> > > TCP (ACK) - seems like it's not the first packet of the connection. Make
> > > sure that the SYN packet has the same dscp. Try to add 'connection-state=new'
> > > to your logging rule - will it still log packets? It's important because
> > > you must redirect traffic to another line from the very first packet - you
> > > cannot do it in the middle of the connection.
> > >
> > >
> > > 2012/5/31 William Esteves <stevens144 at hotmail.com>
> > >
> > > >
> > > > Sorry, I sent it without this last line:
> > > > That's what I see:
> > > > dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72,
> > > > proto TCP (ACK), 172.1.1.2:48668->74.125.214.83:80, len 64
> > > >
> > > > Looks like it is a good connection to work with mark-routing. And there's no
> > > > other rule on the firewall; the only rule that I have is this:
> > > > /ip firewall mangle
> > > > add action=mark-connection chain=prerouting comment="HTTP e FTP" disabled=no dst-address-list=!Out-Cache dst-port=80 new-connection-mark=squid_conn passthrough=yes protocol=tcp src-address=!172.16.1.2 src-address-list=cache
> > > > add action=mark-connection chain=prerouting disabled=no dst-address-list=!Out-Cache dst-port=21,40000-42999 new-connection-mark=squid_conn passthrough=yes protocol=tcp src-address=!172.16.1.2 src-address-list=cache
> > > > add action=mark-routing chain=prerouting comment="Rota Conexoes HTTP e FTP" connection-mark=squid_conn disabled=no dst-address-list=!Out-Cache new-routing-mark=squid-route passthrough=no src-address=!172.16.1.2 src-address-list=cache
> > > >
> > > >
> > > > > From: stevens144 at hotmail.com
> > > > > To: mikrotik at mail.butchevans.com
> > > > > Date: Thu, 31 May 2012 00:04:44 +0000
> > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > >
> > > > >
> > > > > Yeah, I mean, when I look at the interface it goes to 300kbps, then stops
> > > > > (goes to 0).
> > > > > Let me explain:
> > > > > This is a web-cache server that is parallel to my Mikrotik server
> > > > > (connected on ether3 of my Mikrotik server):
> > > > > Mikrotik: 172.16.1.1
> > > > > Web-cache: 172.16.1.2
> > > > > Gateway of web-cache: 172.16.1.1
> > > > > The logic is pretty simple: this server marks every MISS to YouTube
> > > > > with a DSCP=36, for example.
> > > > > Like you said, I tried to redirect the connection to the server
> > > > > without dscp=56, and it works:
> > > > > add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=link3 passthrough=no protocol=tcp src-address=172.16.1.2
> > > > > But it does not work when I do it with the DSCP.
> > > > > When I log the connection of DSCP56 I see this:
> > > > >
> > > > > > From: chupaka at gmail.com
> > > > > > Date: Thu, 31 May 2012 02:27:54 +0300
> > > > > > To: mikrotik at mail.butchevans.com
> > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > >
> > > > > > The download starts?.. What are you talking about?.. If the TCP connection
> > > > > > is established (it's before actual data transfer), then the three-way TCP
> > > > > > handshake is passed. Make sure every outgoing packet of the connection has
> > > > > > dscp=56. Check without dscp (will that IP work just on another uplink?) -
> > > > > > maybe you have some other firewall rules which mess up your setup.
> > > > > >
> > > > > >
> > > > > > 2012/5/31 William Esteves <stevens144 at hotmail.com>
> > > > > >
> > > > > > >
> > > > > > > Didn't work :/
> > > > > > > /ip firewall mangle add action=mark-routing chain=prerouting disabled=no dscp=56 dst-port=80 in-interface=eth3/Interno new-routing-mark=link3 passthrough=no protocol=tcp src-address=172.16.1.2
> > > > > > > That's the rule. The server goes like the other time: the download starts
> > > > > > > but stops again. Didn't work. :/
> > > > > > > > From: stevens144 at hotmail.com
> > > > > > > > To: mikrotik at mail.butchevans.com
> > > > > > > > Date: Wed, 30 May 2012 22:25:38 +0000
> > > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > > >
> > > > > > > >
> > > > > > > > Understood, thank you so much... let's try this, THANKS! :D
> > > > > > > >
> > > > > > > > > From: chupaka at gmail.com
> > > > > > > > > Date: Wed, 30 May 2012 21:24:18 +0300
> > > > > > > > > To: mikrotik at mail.butchevans.com
> > > > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > > > >
> > > > > > > > > Connection is bidirectional, it matches both outgoing and incoming
> > > > > > > > > packets, so you're routing packets from the Internet back to the
> > > > > > > > > Internet. Add 'in-interface=Local' to your routing marking rule.
> > > > > > > > >
> > > > > > > > > Or, as I already said, mark routing directly, without connection-mark.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > 2012/5/30 William Esteves <stevens144 at hotmail.com>
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Sadly, this didn't work. When I do all the marks (mark connection,
> > > > > > > > > > then mark routing), the traffic STOPS, and I don't know why. I
> > > > > > > > > > looked at all my rules (to make sure that I'm not marking the wrong
> > > > > > > > > > way), and I created a log for this connection:
> > > > > > > > > > /ip firewall mangle add chain=prerouting dscp=56 action=log log-prefix=dscp
> > > > > > > > > > This is what appears in my log:
> > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:48668->74.125.214.83:80, len 64
> > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:19251->173.194.29.200:80, len 80
> > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:37568->173.194.60.116:80, len 72
> > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:19135->173.194.29.86:80, len 80
> > > > > > > > > > Up to that point it's OK; it seems like the marks (DSCP56) are working.
> > > > > > > > > > So I decided to take these connections and redirect them to another
> > > > > > > > > > gateway that I have (and I'm not using this gateway by default). So I
> > > > > > > > > > made another rule:
> > > > > > > > > > /ip firewall mangle
> > > > > > > > > > add action=mark-connection chain=prerouting comment="DSCP 56" disabled=no dscp=56 new-connection-mark=dscp56_conn passthrough=yes
> > > > > > > > > > add action=mark-routing chain=prerouting connection-mark=dscp56_conn disabled=no new-routing-mark=link3 passthrough=no
> > > > > > > > > > And when I do that, the traffic simply stops. So I thought that the
> > > > > > > > > > problem was the rule, so I made the rule for my computer, which is in
> > > > > > > > > > the same network. But I added a rule to create a DSCP for my
> > > > > > > > > > connections, changing my DSCP to 56, and it works. I tried different
> > > > > > > > > > ways to do that, but it simply doesn't work. I'm losing my hopes of
> > > > > > > > > > making this happen. But I believe that someone who has much more
> > > > > > > > > > knowledge than me can do such a thing. So does anyone know how to make
> > > > > > > > > > this work?
> > > > > > > > > > By the way, I'm not using this for VoIP; it's for my Speedr video cache
> > > > > > > > > > (it's like squid, but does all dynamic caching). And they mark with
> > > > > > > > > > DSCP=56 the files that are a MISS to the internet. And it looks like I'm
> > > > > > > > > > doing the right mark, but the download stops. Please help me on this.
> > > > > > > > > > Thanks.
> > > > > > > > > >
> > > > > > > > > > > From: butche at butchevans.com
> > > > > > > > > > > To: mikrotik at mail.butchevans.com
> > > > > > > > > > > Date: Sat, 26 May 2012 11:35:43 -0500
> > > > > > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > > > > > >
> > > > > > > > > > > On Sat, 2012-05-26 at 10:27 +0300, Chupaka wrote:
> > > > > > > > > > > > Why do you mark connection if you need routing? Just mark routing
> > > > > > > > > > > > directly :)
> > > > > > > > > > >
> > > > > > > > > > > This would work if you only need to route ONE DIRECTION for the traffic.
> > > > > > > > > > > In other words, inside traffic going toward the internet via a specific
> > > > > > > > > > > upstream.  Downstream is likely to NOT need policy routing.  The trouble
> > > > > > > > > > > with this approach, and WHY he may need to be using connection tracking
> > > > > > > > > > > (connection mark) is due to the fact that once it hits "the internet",
> > > > > > > > > > > the dscp bits are very likely to be reset.  Using connection mark gives
> > > > > > > > > > > the ability to maintain the routing in both directions using policy
> > > > > > > > > > > routes.  This is just a guess.
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > ********************************************************************
> > > > > > > > > > > * Butch Evans                * Professional Network Consultation    *
> > > > > > > > > > > * http://www.butchevans.com/ * Network Engineering                  *
> > > > > > > > > > > * http://store.wispgear.net/ * Wired or Wireless Networks           *
> > > > > > > > > > > * http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!     *
> > > > > > > > > > > *          NOTE THE NEW PHONE NUMBER: 702-537-0979                  *
> > > > > > > > > > > ********************************************************************
> > > > > > > > > > >
> > > > > > > > > > > _______________________________________________
> > > > > > > > > > > Mikrotik mailing list
> > > > > > > > > > > Mikrotik at mail.butchevans.com
> > > > > > > > > > > http://www.butchevans.com/mailman/listinfo/mikrotik
> > > > > > > > > > >
> > > > > > > > > > > Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
> > > > > > > > > >
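The rule set below is an added example for the connection-mark approach the thread converges on (Butch's point that the mark must survive upstream DSCP rewriting, Chupaka's points that the routing decision and NAT binding are made on the SYN and that the rule needs in-interface so replies are not re-routed). It is not configuration from any of the posts or from MikroTik. It uses the addresses and interface name given in the thread (cache server 172.16.1.2 behind eth3/Interno, routing mark link3) and assumes RouterOS v6 syntax; the uplink interface name ether-link3 and its gateway 203.0.113.1 (an RFC 5737 documentation address) are assumptions. It also assumes the cache server has been fixed to set DSCP 56 on the SYN, which is exactly what rule 1 checks.

```routeros
# Added example, not from the original thread. Assumes RouterOS v6 syntax,
# the cache at 172.16.1.2 on eth3/Interno (from the thread), and an assumed
# uplink "ether-link3" with an assumed gateway 203.0.113.1.

# 1. Diagnostic: does the first packet carry the mark? Only the SYN of a new
#    connection is logged, so an empty log means the cache sets DSCP too late
#    and no mangle rule on this router can move the flow afterwards.
/ip firewall mangle
add chain=prerouting in-interface=eth3/Interno src-address=172.16.1.2 \
    protocol=tcp dst-port=80 dscp=56 connection-state=new tcp-flags=syn,!ack \
    action=log log-prefix="dscp-syn"

# 2. Mark the connection on its first packet only, and only when it enters
#    from the inside interface, so the mark is never applied to reply
#    packets arriving from the Internet.
add chain=prerouting in-interface=eth3/Interno src-address=172.16.1.2 \
    protocol=tcp dst-port=80 dscp=56 connection-state=new \
    action=mark-connection new-connection-mark=dscp56_conn passthrough=yes

# 3. Policy-route every outbound packet of a marked connection via link3.
#    The connection mark survives even if upstream routers reset the DSCP
#    bits, and in-interface keeps Internet-side replies off this rule.
add chain=prerouting in-interface=eth3/Interno connection-mark=dscp56_conn \
    action=mark-routing new-routing-mark=link3 passthrough=no

# 4. The route for that mark and the source NAT for the uplink, so the remote
#    server sees link3's address on the SYN and on every packet after it.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=link3 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=ether-link3 action=masquerade

# 5. Verification: SYNs that carried the mark, and the tracked connections
#    that inherited it.
/log print where message~"dscp-syn"
/ip firewall connection print where connection-mark=dscp56_conn
```

Paste the block into a terminal or import it as an .rsc file; keep rule 1 above the plain dscp=56 log rule from the thread. If rule 1 never logs while the unconditioned rule still does, the mark is arriving mid-connection, which is the symptom described in the thread, and the fix has to be made on the cache server rather than on the router. On RouterOS v7 the route takes routing-table=link3 instead of routing-mark, and the table must first be created with /routing table add name=link3 fib.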