[Mikrotik] Policy routing based on DSCP

Chupaka chupaka at gmail.com
Mon Jun 4 09:45:28 CDT 2012


L7 rules work with the connection's data - it's too late to redirect when the
connection is already established. Something similar with 'all_p2p'.

"I found the SYN packet on DSCP of my web-cache server" - mmm?.. If the SYN
packet has a DSCP mark, then the previous rules should still work.
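
Putting the thread's conclusions together as an added example (not a rule set posted by anyone in the thread): the link3 decision is taken on the first packet of each new connection, kept for the whole flow via a connection mark, restricted to packets entering from the LAN, and the flow is source-NATed onto link3. The uplink interface name ether2-link3, the gateway 198.51.100.1, the list timeout and the mark names are assumptions; eth3/Interno and 172.16.1.2 come from the thread.

```routeros
# Added example (not from the thread): decide the link3 routing on the first
# packet of each new connection, keep it for the whole flow, apply it only to
# packets entering from the LAN, and NAT the flow onto link3.
# Assumptions: LAN/cache interface eth3/Interno (from the thread), uplink
# interface ether2-link3, link3 gateway 198.51.100.1, cache server 172.16.1.2.

/ip firewall mangle
# 1. Learn destinations: the cache sets DSCP 56 on its MISS traffic, so record
#    every such destination (the thread used timeout 0s = permanent; 1d here so
#    stale entries age out).
add chain=prerouting in-interface=eth3/Interno src-address=172.16.1.2 \
    protocol=tcp dst-port=80 dscp=56 action=add-dst-to-address-list \
    address-list=youtube address-list-timeout=1d comment="learn DSCP56 dsts"

# 2. Mark the connection on its FIRST packet only (connection-state=new = SYN).
#    A flow that was already established before its destination was learned
#    keeps its old path; that is the "stalls until F5" behaviour from the thread.
add chain=prerouting in-interface=eth3/Interno src-address=!172.16.1.2 \
    protocol=tcp connection-state=new dst-address-list=youtube \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=link3_conn passthrough=yes

# 3. Turn the connection mark into a routing mark, but only for packets coming
#    in from the LAN. Without in-interface the reply packets from the Internet
#    would also match and be routed back out to the Internet.
add chain=prerouting in-interface=eth3/Interno connection-mark=link3_conn \
    action=mark-routing new-routing-mark=link3 passthrough=no

# 4. Source-NAT everything leaving via link3 so the remote server replies to
#    link3's address. Because the routing mark is set in prerouting, the SYN is
#    already on link3 when srcnat runs, so the very first packet is translated.
/ip firewall nat
add chain=srcnat out-interface=ether2-link3 action=masquerade

# 5. Policy route for marked packets (RouterOS v6 syntax; v7 uses routing-table=).
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=link3 \
    comment="DSCP56 destinations via link3"

# Verify: marked flows should appear here, and the mangle counters should grow.
# /ip firewall connection print where connection-mark=link3_conn
# /ip firewall mangle print stats
```

Connections that were already established before their destination entered the list are not moved; only connections opened afterwards take link3, which matches the behaviour reported in the thread.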


2012/6/4 William Esteves <stevens144 at hotmail.com>

>
> I'm wondering if it's really possible to redirect a connection like this.
> Look, I tried to redirect all_p2p of mikrotik, but it didn't work.
> I have an L7 for file types like .iso .exe, and even with that I failed. And
> by the way, I found the SYN packet on DSCP of my web-cache server, but it
> didn't work anyway.
> I'm working on my last discovery. I use the DSCP like this:
>
> /ip firewall mangle
> add action=add-dst-to-address-list address-list=youtube \
>     address-list-timeout=0s chain=prerouting disabled=no dscp=56 \
>     dst-port=80 protocol=tcp src-address=172.16.1.2
> add action=mark-routing chain=prerouting disabled=no \
>     dst-address-list=youtube new-routing-mark=link3 passthrough=no \
>     src-address=!172.16.1.2
>
> All files that have DSCP=56 will create a dynamic address list "youtube",
> and every client whose destination is in this address list will be
> redirected to this route.
> That works just fine, but there's a problem. The first time it happens,
> the video stops; it only works when you press F5. I don't have enough
> knowledge to know what to do, I only think that this connection needs to
> be redone.
> Sorry for my bad English and for taking your time, thank you for all.
>
>
>
>
> > From: chupaka at gmail.com
> > Date: Fri, 1 Jun 2012 01:56:38 +0300
> > To: mikrotik at mail.butchevans.com
> > Subject: Re: [Mikrotik] Policy routing based on DSCP
> >
> > You need to NAT that SYN packet, so that the server sees it with your
> > line3's src IP. If you don't know that this connection will be with
> > dscp=56 sometime in the future, you cannot NAT it now. So look at the
> > server that sets dscp to see why it doesn't set dscp from the beginning
> > of the connection.
> >
> >
> > 2012/6/1 William Esteves <stevens144 at hotmail.com>
> >
> > >
> > > It's right man! There's no SYN packet with DSCP, even when I add
> > > connection-state=new, so there's a problem.
> > > I'm wondering if there's something that I can do to recreate this
> > > connection with DSCP or something. You know what I mean?!
> > > What can I do?
> > >
> > > > From: chupaka at gmail.com
> > > > Date: Thu, 31 May 2012 23:56:20 +0300
> > > > To: mikrotik at mail.butchevans.com
> > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > >
> > > > TCP (ACK) - seems like it's not the first packet of the connection.
> > > > Make sure that the SYN packet has the same dscp. Try to add
> > > > 'connection-state=new' to your logging rule - will it still log
> > > > packets? It's important because you must redirect traffic to another
> > > > line from the very first packet - you cannot do it in the middle of
> > > > the connection.
> > > >
> > > >
> > > > 2012/5/31 William Esteves <stevens144 at hotmail.com>
> > > >
> > > > >
> > > > > Sorry, I sent it without this last line:
> > > > > That's what I see:
> > > > > dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72,
> > > > > proto TCP (ACK), 172.1.1.2:48668->74.125.214.83:80, len 64
> > > > >
> > > > > Looks like it is a good connection to work with mark-routing. And
> > > > > there's no other rule on the firewall, the only rule that I have is
> > > > > this:
> > > > >
> > > > > /ip firewall mangle
> > > > > add action=mark-connection chain=prerouting comment="HTTP e FTP" \
> > > > >     disabled=no dst-address-list=!Out-Cache dst-port=80 \
> > > > >     new-connection-mark=squid_conn passthrough=yes protocol=tcp \
> > > > >     src-address=!172.16.1.2 src-address-list=cache
> > > > > add action=mark-connection chain=prerouting disabled=no \
> > > > >     dst-address-list=!Out-Cache dst-port=21,40000-42999 \
> > > > >     new-connection-mark=squid_conn passthrough=yes protocol=tcp \
> > > > >     src-address=!172.16.1.2 src-address-list=cache
> > > > > add action=mark-routing chain=prerouting comment="Rota Conexoes HTTP e FTP" \
> > > > >     connection-mark=squid_conn disabled=no dst-address-list=!Out-Cache \
> > > > >     new-routing-mark=squid-route passthrough=no src-address=!172.16.1.2 \
> > > > >     src-address-list=cache
> > > > >
> > > > >
> > > > > > From: stevens144 at hotmail.com
> > > > > > To: mikrotik at mail.butchevans.com
> > > > > > Date: Thu, 31 May 2012 00:04:44 +0000
> > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > >
> > > > > >
> > > > > > Yeah, I mean, when I look at the interface it goes to 300kbps then
> > > > > > stops (goes to 0).
> > > > > > Let me explain:
> > > > > > This is a web-cache server which is parallel to my mikrotik server
> > > > > > (connected on ether3 of my mikrotik server):
> > > > > > Mikrotik: 172.16.1.1
> > > > > > Web-cache: 172.16.1.2
> > > > > > Gateway of webcache: 172.16.1.1
> > > > > > The logic is pretty simple: this server marks every MISS to YouTube
> > > > > > with a DSCP=36 for example.
> > > > > > Like you said, I tried to redirect the connection to the server
> > > > > > without dscp=56 and it works:
> > > > > > add action=mark-routing chain=prerouting disabled=no dst-port=80 \
> > > > > >     new-routing-mark=link3 passthrough=no protocol=tcp \
> > > > > >     src-address=172.16.1.2
> > > > > > But it does not work when I do it with the DSCP.
> > > > > > When I log the connection of DSCP56 I see this:
> > > > > >
> > > > > > > From: chupaka at gmail.com
> > > > > > > Date: Thu, 31 May 2012 02:27:54 +0300
> > > > > > > To: mikrotik at mail.butchevans.com
> > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > >
> > > > > > > The download starts?.. What are you talking about?.. If the TCP
> > > > > > > connection is established (it's before actual data transfer), then
> > > > > > > the three-way TCP handshake is passed. Make sure every outgoing
> > > > > > > packet of the connection has dscp=56. Check without dscp (will that
> > > > > > > IP work just on another uplink?) - maybe you have some other
> > > > > > > firewall rules which mess up your setup.
> > > > > > >
> > > > > > >
> > > > > > > 2012/5/31 William Esteves <stevens144 at hotmail.com>
> > > > > > >
> > > > > > > >
> > > > > > > > Didn't work :/
> > > > > > > > /ip firewall mangle
> > > > > > > > add action=mark-routing chain=prerouting disabled=no dscp=56 \
> > > > > > > >     dst-port=80 in-interface=eth3/Interno new-routing-mark=link3 \
> > > > > > > >     passthrough=no protocol=tcp src-address=172.16.1.2
> > > > > > > > That's the rule. The server goes like the other time, the download
> > > > > > > > starts but stops again, didn't work. :/
> > > > > > > > > From: stevens144 at hotmail.com
> > > > > > > > > To: mikrotik at mail.butchevans.com
> > > > > > > > > Date: Wed, 30 May 2012 22:25:38 +0000
> > > > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Understood, thank you so much... let's try this, THANKS! :D
> > > > > > > > >
> > > > > > > > > > From: chupaka at gmail.com
> > > > > > > > > > Date: Wed, 30 May 2012 21:24:18 +0300
> > > > > > > > > > To: mikrotik at mail.butchevans.com
> > > > > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > > > > >
> > > > > > > > > > Connection is bidirectional, it matches both outgoing and
> > > > > > > > > > incoming packets, so you're routing packets from the Internet
> > > > > > > > > > back to the Internet. Add 'in-interface=Local' to your routing
> > > > > > > > > > marking rule.
> > > > > > > > > >
> > > > > > > > > > Or, as I already said, mark routing directly, without
> > > > > > > > > > connection-mark.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > 2012/5/30 William Esteves <stevens144 at hotmail.com>
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Sadly, this didn't work. When I do all the marks (mark
> > > > > > > > > > > connection, then mark routing), the traffic STOPS, and I
> > > > > > > > > > > don't know why. I looked at all my rules (to make sure that
> > > > > > > > > > > I'm not marking the wrong way), I created a log for this
> > > > > > > > > > > connection:
> > > > > > > > > > > /ip firewall mangle add chain=prerouting dscp=56 action=log log-prefix=dscp
> > > > > > > > > > > This is what appears on my log:
> > > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:48668->74.125.214.83:80, len 64
> > > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:19251->173.194.29.200:80, len 80
> > > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:37568->173.194.60.116:80, len 72
> > > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:19135->173.194.29.86:80, len 80
> > > > > > > > > > > Until that it's OK, seems like the marks (DSCP56) are working.
> > > > > > > > > > > So I decided to take these connections and redirect them to
> > > > > > > > > > > another gateway that I have (and I'm not using this gateway
> > > > > > > > > > > in defaults). So I made another rule:
> > > > > > > > > > > /ip firewall mangle
> > > > > > > > > > > add action=mark-connection chain=prerouting comment="DSCP 56" \
> > > > > > > > > > >     disabled=no dscp=56 new-connection-mark=dscp56_conn passthrough=yes
> > > > > > > > > > > add action=mark-routing chain=prerouting connection-mark=dscp56_conn \
> > > > > > > > > > >     disabled=no new-routing-mark=link3 passthrough=no
> > > > > > > > > > > And when I do that the traffic simply stops. So I thought the
> > > > > > > > > > > problem was the rule, so I made the rule for my computer that
> > > > > > > > > > > is in the same network. But I added a rule to create a DSCP
> > > > > > > > > > > for my connections, changing my DSCP to 56, and it works. I
> > > > > > > > > > > tried different ways to do that, but it simply doesn't work.
> > > > > > > > > > > I'm losing my hopes to make this happen. But I believe that
> > > > > > > > > > > someone who has much more knowledge than me can do such a
> > > > > > > > > > > thing. So does anyone know how to make this work?
> > > > > > > > > > > By the way I'm not using this for VoIP, it's in my Speedr
> > > > > > > > > > > videos cache (it's like squid, but does all dynamic cache).
> > > > > > > > > > > And they mark in DSCP=56 files that are MISS to the internet.
> > > > > > > > > > > And it looks like I'm doing the right mark, but the download
> > > > > > > > > > > stops. Please help me on this.
> > > > > > > > > > > thanks.
> > > > > > > > > > >
> > > > > > > > > > > > From: butche at butchevans.com
> > > > > > > > > > > > To: mikrotik at mail.butchevans.com
> > > > > > > > > > > > Date: Sat, 26 May 2012 11:35:43 -0500
> > > > > > > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > > > > > > >
> > > > > > > > > > > > On Sat, 2012-05-26 at 10:27 +0300, Chupaka wrote:
> > > > > > > > > > > > > Why do you mark connection if you need routing? Just
> > > > > > > > > > > > > mark routing directly :)
> > > > > > > > > > > >
> > > > > > > > > > > > This would work if you only need to route ONE DIRECTION
> > > > > > > > > > > > for the traffic. In other words, inside traffic going
> > > > > > > > > > > > toward the internet via a specific upstream.  Downstream
> > > > > > > > > > > > is likely to NOT need policy routing.  The trouble with
> > > > > > > > > > > > this approach, and WHY he may need to be using connection
> > > > > > > > > > > > tracking (connection mark) is due to the fact that once
> > > > > > > > > > > > it hits "the internet", the dscp bits are very likely to
> > > > > > > > > > > > be reset.  Using connection mark gives the ability to
> > > > > > > > > > > > maintain the routing in both directions using policy
> > > > > > > > > > > > routes.  This is just a guess.
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > >
> > > > > > > > > > > > ********************************************************************
> > > > > > > > > > > > * Butch Evans                 * Professional Network Consultation *
> > > > > > > > > > > > * http://www.butchevans.com/  * Network Engineering               *
> > > > > > > > > > > > * http://store.wispgear.net/  * Wired or Wireless Networks        *
> > > > > > > > > > > > * http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!   *
> > > > > > > > > > > > *          NOTE THE NEW PHONE NUMBER: 702-537-0979                 *
> > > > > > > > > > > > ********************************************************************
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > Mikrotik mailing list
> > > > > > > > > > > > Mikrotik at mail.butchevans.com
> > > > > > > > > > > > http://www.butchevans.com/mailman/listinfo/mikrotik
> > > > > > > > > > > >
> > > > > > > > > > > > Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
> > > > > > > > > > >
> > > > > > > > > > > -------------- next part --------------
> > > > > > > > > > > An HTML attachment was scrubbed...
> > > > > > > > > > > URL: <http://www.butchevans.com/pipermail/mikrotik/attachments/20120530/cbb4fc96/attachment.html>