L7 rules work with the connection's data - it's too late to redirect when the connection is already established. Something similar with 'all_p2p'.

"I found the SYN packet on DSCP of my web-cache server" - mmm?.. If the SYN packet has the DSCP mark, then the previous rules should still work.

2012/6/4 William Esteves <stevens...@hotmail.com>

> I'm wondering if it's really possible to redirect a connection like this.
> Look, I tried to redirect all_p2p of MikroTik, but it didn't work.
> I have an L7 for file types like .iso, .exe, and even with that I failed. And
> by the way, I found the SYN packet on DSCP of my web-cache server, but it
> didn't work anyway.
> I'm working on my last discovery; I use the DSCP like this:
>
> /ip firewall mangle
> add action=add-dst-to-address-list address-list=youtube address-list-timeout=0s chain=prerouting disabled=no dscp=56 dst-port=80 protocol=tcp src-address=172.16.1.2
> add action=mark-routing chain=prerouting disabled=no dst-address-list=youtube new-routing-mark=link3 passthrough=no src-address=!172.16.1.2
>
> All files that have DSCP=56 will create a dynamic address list "youtube", and all clients whose destination is in this address list will be redirected to this route.
> That works just fine, but there's a problem. The first time that happens, the video stops, and only works when you press F5. I do not have enough knowledge to know what to do; I only think that this connection needs to be redone.
> Sorry for my bad English and for taking your time, thank you for all.
>
> > From: chup...@gmail.com
> > Date: Fri, 1 Jun 2012 01:56:38 +0300
> > To: mikrotik@mail.butchevans.com
> > Subject: Re: [Mikrotik] Policy routing based on DSCP
> >
> > You need to NAT that SYN packet, so that the server sees it with your line3's src IP. If you don't know that this connection will be dscp=56 sometime in the future - you cannot NAT it now. So look at the server which sets the dscp to see why it does not set dscp from the beginning of the connection.
> >
> > 2012/6/1 William Esteves <stevens...@hotmail.com>
> >
> > > It's right, man! There's no SYN packet with DSCP, even when I add connection-state=new, so there's a problem.
> > > I'm wondering if there's something that I can do to recreate this connection with DSCP or something. You know what I mean?!
> > > What can I do?
> > >
> > > > From: chup...@gmail.com
> > > > Date: Thu, 31 May 2012 23:56:20 +0300
> > > > To: mikrotik@mail.butchevans.com
> > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > >
> > > > TCP (ACK) - seems like it's not the first packet of the connection. Make sure that the SYN packet has the same dscp. Try to add 'connection-state=new' to your logging rule - will it still log packets? It's important because you must redirect traffic to another line from the very first packet - you cannot do it in the middle of the connection.
> > > >
> > > > 2012/5/31 William Esteves <stevens...@hotmail.com>
> > > >
> > > > > Sorry, I sent it without this last line:
> > > > > That's what I see:
> > > > > dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:48668->74.125.214.83:80, len 64
> > > > >
> > > > > Looks like it is a good connection to work with mark-routing. And there's no other rule on the firewall; the only rules that I have are these:
> > > > >
> > > > > /ip firewall mangle
> > > > > add action=mark-connection chain=prerouting comment="HTTP e FTP" disabled=no dst-address-list=!Out-Cache dst-port=80 new-connection-mark=squid_conn passthrough=yes protocol=tcp src-address=!172.16.1.2 src-address-list=cache
> > > > > add action=mark-connection chain=prerouting disabled=no dst-address-list=!Out-Cache dst-port=21,40000-42999 new-connection-mark=squid_conn passthrough=yes protocol=tcp src-address=!172.16.1.2 src-address-list=cache
> > > > > add action=mark-routing chain=prerouting comment="Rota Conexoes HTTP e FTP" connection-mark=squid_conn disabled=no dst-address-list=!Out-Cache new-routing-mark=squid-route passthrough=no src-address=!172.16.1.2 src-address-list=cache
> > > > >
> > > > > > From: stevens...@hotmail.com
> > > > > > To: mikrotik@mail.butchevans.com
> > > > > > Date: Thu, 31 May 2012 00:04:44 +0000
> > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > >
> > > > > > Yeah, I mean, when I look at the interface it goes to 300kbps then stops (goes to 0).
> > > > > > Let me explain:
> > > > > > This is a web-cache server which is parallel to my MikroTik server (connected on ether3 of my MikroTik server):
> > > > > > Mikrotik: 172.16.1.1
> > > > > > Web-cache: 172.16.1.2
> > > > > > Gateway of webcache: 172.16.1.1
> > > > > > The logic is pretty simple: this server marks every MISS to YouTube with a DSCP=36, for example.
> > > > > > Like you said, I tried to redirect the connection to the server without dscp=56 and it works:
> > > > > > add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=link3 passthrough=no protocol=tcp src-address=172.16.1.2
> > > > > > But it does not work when I do it with the DSCP. When I log the connection of DSCP56 I see this:
> > > > > >
> > > > > > > From: chup...@gmail.com
> > > > > > > Date: Thu, 31 May 2012 02:27:54 +0300
> > > > > > > To: mikrotik@mail.butchevans.com
> > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > >
> > > > > > > The download starts?.. What are you talking about?.. If the TCP connection is established (that's before the actual data transfer), then the three-way TCP handshake has passed. Make sure every outgoing packet of the connection has dscp=56. Check without dscp (will that IP work just on another uplink?) - maybe you have some other firewall rules which mess up your setup.
> > > > > > >
> > > > > > > 2012/5/31 William Esteves <stevens...@hotmail.com>
> > > > > > >
> > > > > > > > Didn't work :/
> > > > > > > > /ip firewall mangle
> > > > > > > > add action=mark-routing chain=prerouting disabled=no dscp=56 dst-port=80 in-interface=eth3/Interno new-routing-mark=link3 passthrough=no protocol=tcp src-address=172.16.1.2
> > > > > > > > That's the rule. The server goes like the other time: the download starts but stops again, didn't work. :/
> > > > > > > >
> > > > > > > > > From: stevens...@hotmail.com
> > > > > > > > > To: mikrotik@mail.butchevans.com
> > > > > > > > > Date: Wed, 30 May 2012 22:25:38 +0000
> > > > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > > > >
> > > > > > > > > Understood, thank you so much... let's try this, THANKS! :D
> > > > > > > > >
> > > > > > > > > > From: chup...@gmail.com
> > > > > > > > > > Date: Wed, 30 May 2012 21:24:18 +0300
> > > > > > > > > > To: mikrotik@mail.butchevans.com
> > > > > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > > > > >
> > > > > > > > > > A connection is bidirectional: it matches both outgoing and incoming packets, so you're routing packets from the Internet back to the Internet. Add 'in-interface=Local' to your routing marking rule.
> > > > > > > > > >
> > > > > > > > > > Or, as I already said, mark routing directly, without connection-mark.
> > > > > > > > > >
> > > > > > > > > > 2012/5/30 William Esteves <stevens...@hotmail.com>
> > > > > > > > > >
> > > > > > > > > > > Sadly, this didn't work. When I do all the marks (mark connection, then mark routing), the traffic STOPS, and I don't know why. I looked at all my rules (to make sure that I'm not marking the wrong way), and I created a log for this connection:
> > > > > > > > > > > /ip firewall mangle add chain=prerouting dscp=56 action=log log-prefix=dscp
> > > > > > > > > > > This is what appears in my log:
> > > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:48668->74.125.214.83:80, len 64
> > > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:19251->173.194.29.200:80, len 80
> > > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:37568->173.194.60.116:80, len 72
> > > > > > > > > > > 10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:19135->173.194.29.86:80, len 80
> > > > > > > > > > > Until then it's OK, it seems like it is doing the marks (DSCP56). So I decided to take these connections and redirect them to another gateway that I have (and I'm not using this gateway by default). So I made another rule:
> > > > > > > > > > > /ip firewall mangle
> > > > > > > > > > > add action=mark-connection chain=prerouting comment="DSCP 56" disabled=no dscp=56 new-connection-mark=dscp56_conn passthrough=yes
> > > > > > > > > > > add action=mark-routing chain=prerouting connection-mark=dscp56_conn disabled=no new-routing-mark=link3 passthrough=no
> > > > > > > > > > > And when I do that the traffic simply stops. So I thought the problem was the rule, so I made the rule for my computer that is in the same network. But I added a rule to set a DSCP on my connections, changing my DSCP to 56, and it works. I tried different ways to do that, but it simply doesn't work. I'm losing my hopes of making this happen. But I believe that someone who has much more knowledge than me can do such a thing. So does anyone know how to make this work?
> > > > > > > > > > > By the way, I'm not using this for VoIP, it's for my Speedr video cache (it's like squid, but does all dynamic cache). And they mark with DSCP=56 the files that are a MISS to the internet. And it looks like I'm doing the right mark, but the download stops. Please help me on this.
> > > > > > > > > > > Thanks.
> > > > > > > > > > >
> > > > > > > > > > > > From: but...@butchevans.com
> > > > > > > > > > > > To: mikrotik@mail.butchevans.com
> > > > > > > > > > > > Date: Sat, 26 May 2012 11:35:43 -0500
> > > > > > > > > > > > Subject: Re: [Mikrotik] Policy routing based on DSCP
> > > > > > > > > > > >
> > > > > > > > > > > > On Sat, 2012-05-26 at 10:27 +0300, Chupaka wrote:
> > > > > > > > > > > > > Why do you mark connection if you need routing? Just mark routing directly :)
> > > > > > > > > > > >
> > > > > > > > > > > > This would work if you only need to route ONE DIRECTION for the traffic. In other words, inside traffic going toward the internet via a specific upstream. Downstream is likely to NOT need policy routing. The trouble with this approach, and WHY he may need to be using connection tracking (connection mark), is due to the fact that once it hits "the internet", the dscp bits are very likely to be reset. Using connection mark gives the ability to maintain the routing in both directions using policy routes. This is just a guess.
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > ********************************************************************
> > > > > > > > > > > > * Butch Evans                 * Professional Network Consultation *
> > > > > > > > > > > > * http://www.butchevans.com/  * Network Engineering                *
> > > > > > > > > > > > * http://store.wispgear.net/  * Wired or Wireless Networks         *
> > > > > > > > > > > > * http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!    *
> > > > > > > > > > > > * NOTE THE NEW PHONE NUMBER: 702-537-0979                          *
> > > > > > > > > > > > ********************************************************************

_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
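The check Chupaka asks for in the thread (does the DSCP-matching rule ever see the connection-opening SYN, or only packets in the middle of the connection?) can also be done offline from the mangle log instead of by adding connection-state=new to the rule. The script below is an added example for this thread; it is not code from the list, from the posters or from MikroTik. It parses RouterOS firewall log lines in the layout pasted above, groups them by TCP flow and reports "late" for flows where the rule matched only post-handshake packets, which is exactly the case where a mark-routing rule with the same matchers cannot move the connection to another uplink. Assumptions: the comma-separated multi-flag form "(ACK,PSH)" (the page only shows "(ACK)"), and the extra flow to 203.0.113.10 in the constructed sample, which was invented to show what a good flow looks like.

```python
"""Audit a RouterOS mangle log: did the DSCP rule see each flow's SYN?

Added example for the "Policy routing based on DSCP" thread, not code
from the list or from MikroTik.  Line layout follows the log lines pasted
in the thread; the "(ACK,PSH)" multi-flag form is assumed.
"""
import re
from collections import defaultdict

# One RouterOS firewall log line as it appears in the thread, e.g.
# "10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none),
#  src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:48668->74.125.214.83:80, len 64"
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+), src-mac (?P<mac>[0-9a-fA-F:]{17}), "
    r"proto TCP \((?P<flags>[A-Z,]+)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)

# Constructed sample: the four ACK-only lines from the thread plus an invented
# flow to 203.0.113.10 (TEST-NET-3) whose SYN was also matched by the rule.
SAMPLE_LOG = """\
10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:48668->74.125.214.83:80, len 64
10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:19251->173.194.29.200:80, len 80
10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:37568->173.194.60.116:80, len 72
10:23:12 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK), 172.1.1.2:19135->173.194.29.86:80, len 80
10:23:13 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (SYN), 172.1.1.2:50001->203.0.113.10:80, len 60
10:23:13 firewall,info dscp prerouting: in:eth3/Interno out:(none), src-mac 00:13:72:65:71:72, proto TCP (ACK,PSH), 172.1.1.2:50001->203.0.113.10:80, len 540
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line
    is not in the expected RouterOS firewall log layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = frozenset(rec["flags"].split(","))
    return rec


def flow_key(rec):
    """Client-side 4-tuple identifying one TCP connection."""
    return (rec["src"], int(rec["sport"]), rec["dst"], int(rec["dport"]))


def audit_flows(lines):
    """Map each flow to "ok" if the rule matched its opening SYN (SYN set,
    ACK clear) and to "late" if it only ever matched later packets.  A
    "late" flow is one that a mark-routing rule with the same matchers
    would mark only after the handshake, which is too late to re-route."""
    flags_by_flow = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            flags_by_flow[flow_key(rec)].append(rec["flags"])
    verdict = {}
    for key, flag_sets in flags_by_flow.items():
        saw_syn = any("SYN" in f and "ACK" not in f for f in flag_sets)
        verdict[key] = "ok" if saw_syn else "late"
    return verdict


def summarize(verdict):
    """Count flows per verdict, e.g. {"ok": 1, "late": 4}."""
    counts = {"ok": 0, "late": 0}
    for v in verdict.values():
        counts[v] += 1
    return counts


if __name__ == "__main__":
    result = audit_flows(SAMPLE_LOG.splitlines())
    for (src, sport, dst, dport), v in sorted(result.items()):
        print(f"{src}:{sport} -> {dst}:{dport}  {v}")
    print(summarize(result))
```

Feed it the output of `/log print where topics~"firewall"` (or a syslog export of it) in place of the constructed sample. Every "late" flow is one whose first packet the DSCP-based rule never saw, so the decision about which uplink carries the connection was already made by the time the rule could act; that is the failure mode described in the thread, independent of whether the route is applied via connection-mark or directly via mark-routing.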