Mikrotik Firewall Mangle and Queue Trees Example HOW TO
by Travis Kenner
Mikrotik RB750GL Running Package version 6.0rc11
NOTE: I am no Mikrotik expert and definitely don’t fully understand Mangling and Queues but I will correct and add to this blog as I learn.
I decided to put this together after I could not find a clear and concise example of how to use the Mikrotik Mangle and Queue functionality.
Marking a connection? Packet Mark, route mark, connection mark, Queue Tree???? Anything I found was vague, felt incomplete or just didn’t explain enough of the what and the how.
So what is Mikrotik’s IP Firewall Mangle?
Here is the Wiki that explains it: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle
Here is the Summary copied straight from the Wiki:
Mangle is a kind of ‘marker’ that marks packets for future processing with special marks. Many other facilities in RouterOS make use of these marks, e.g. queue trees, NAT, routing. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router, they are not transmitted across the network.
Using Mangle we can mark Packets, Connections or Routes (I will go into the first two in a bit) and then, based on the marks / identifying the packets, we can do something to them such as QoS (Quality of Service) on VOIP traffic, or make HTTP traffic take precedence over another type of traffic, or maybe if we’re feeling mischievous we’ll mark all traffic going to our wife’s favorite website and make it feel like she’s using Old Time Dial Up Internet by limiting the bandwidth down to 1 kbps LOL. Yah she didn’t like that.
So how do we go about mangling packets? Let’s get started:
Marking your Connections or Packets:
When mangling you have a choice of where you want to start mangling your data. Knowing where to mark them in the flow of data is important.
Here is the Mikrotik Wiki link for how packets flow through a Mikrotik: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Here is another link for packet flow from Mikrotik’s documentation: http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php
Here is a summary straight from Mikrotik documentation on the prerouting, postrouting and forward chains.
The traffic received for the router’s MAC address on the respective port is passed to the routing procedures and can be of one of these four types:
- the traffic which is destined to the router itself. The IP packets have a destination address equal to one of the router’s IP addresses. A packet enters the router through the input interface, sequentially traverses the prerouting and input chains and ends up in the local process. Consequently, a packet can be filtered in the input chain filter and mangled in two places: the input and the prerouting chain filters.
- the traffic which originates from the router. In this case the IP packets have their source addresses identical to one of the router’s IP addresses. Such packets travel through the output chain, then they are passed to the routing facility where an appropriate routing path for each packet is determined, and leave through the postrouting chain.
- routable traffic, which is received at the router’s MAC address, has an IP address different from any of the router’s own addresses, and its destination can be found in the routing tables. These packets go through the prerouting, forward and postrouting chains.
- unroutable traffic, which is received at the router’s MAC address, has an IP address different from any of the router’s own addresses, but its destination can not be found in the routing tables. These packets go through the prerouting chain and stop at the routing decision.
The actions imposed by various router facilities are sequentially applied to a packet in each of the default chains. The exact order they are applied in is pictured at the bottom of the flow diagram. For example, for a packet passing the postrouting chain the mangle rules are applied first, two types of queuing come in second place and finally source NAT is performed on packets that need to be natted.
Note, that any given packet can come through only one of the input, forward or output chains.
In case the incoming traffic needs to be bridged (do not confuse it with the traffic coming to the bridge interface at the router’s own MAC address and, thus, classified as routed traffic) it is first determined whether it is IP traffic or not. After that, IP traffic goes through the prerouting, forward and postrouting chains, while non-IP traffic bypasses all IP firewall rules and goes directly to the interface queue. Both types of traffic, however, undergo the full set of bridge firewall chains anyway, regardless of the protocol.
Choosing your Chain Mangle Point:
Breaking it down a little simpler:
PreRouting – The chain where Masquerade or SRC NAT happen
- Prerouting in layman’s terms is marking packets just as they enter your firewall flow processing from the port they were received on.
- 99% of your packet mangling will be done in PreRouting
Post Routing – Packets are marked as they leave your firewall flow
Forward – This chain sees the packets that flow through your router after pre-routing but before post-routing
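If you want to see for yourself which of these chains a given packet actually passes through, you can put a log rule in each mangle chain, scoped tightly to one test host, and then read the log. The following is an added example written for this post, not Mikrotik’s documentation or the author’s own configuration; the test host 192.168.88.10 is a constructed address chosen to sit in the 192.168.88.0/24 subnet used later in the post. The output chain is left out because it only carries traffic the router itself originates, which a rule matching on the LAN host’s source address would never see.

```routeros
# Added example (not from the post): one log rule per mangle chain, each
# limited to a single constructed test host (192.168.88.10) and TCP port 80,
# so the log shows exactly which chains that host's web traffic traverses.
# A log rule fires on every matching packet, so keep the scope this narrow
# and remove the rules when you are finished.
/ip firewall mangle
add chain=prerouting  action=log log-prefix="chain=prerouting " \
    protocol=tcp dst-port=80 src-address=192.168.88.10 comment="flow-test"
add chain=input       action=log log-prefix="chain=input " \
    protocol=tcp dst-port=80 src-address=192.168.88.10 comment="flow-test"
add chain=forward     action=log log-prefix="chain=forward " \
    protocol=tcp dst-port=80 src-address=192.168.88.10 comment="flow-test"
add chain=postrouting action=log log-prefix="chain=postrouting " \
    protocol=tcp dst-port=80 src-address=192.168.88.10 comment="flow-test"

# Now browse to an outside web site from 192.168.88.10 and look at the log.
# Forwarded traffic should show prerouting, forward, postrouting; a request
# to the router's own web interface (if enabled) should show prerouting, input.
/log print where message~"chain="

# Remove the test rules once you have seen the flow.
/ip firewall mangle remove [find comment="flow-test"]
```

Reading the log this way makes the point on this page concrete: a packet only ever hits one of input, forward or output, while prerouting sees everything arriving on a port, which is why it is the usual place to mark.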
After you choose where you want to start mangling (and this is important, as knowing how data flows through your Mikrotik is VERY important), your next decision is how you want to mark your data. Understanding how you want to mark your connection is just as important as where along the flow of data through your firewall you want to mark it.
There are 3 types of marking I will note:
Again, this is taken right from the Wiki:
mark-connection – place a mark specified by the new-connection-mark parameter on the entire connection that matches the rule
mark-packet – place a mark specified by the new-packet-mark parameter on a packet that matches the rule
mark-routing – place a mark specified by the new-routing-mark parameter on a packet. This kind of mark is used for policy routing purposes only
1. Mark the Connection
- Marking the connection means that you mark your data as a whole connection
- An example: instead of marking EVERY packet as it flows through your Mikrotik, you choose what you want to identify / mark, mark the connection at the start, and then all packets from that connection are part of that connection mark
2. Mark the Packet
- When you choose mark-packet you will mangle / mark every single packet as it flows through the Mikrotik. This eats up more CPU than just marking a connection
3. Mark the Route
- Marking a route is used for Policy Based routing. As I understand it more I will write more on this subject
Let’s get to marking some data / packets that are of interest to us:
Say you want to mark all Web Traffic so that you can either restrict it, throttle it or do something with it.
How to mark HTTP Traffic
Log on to your Mikrotik Firewall
Click on the IP Menu Button on the left side
Click Firewall from the pop up menu
Click the Mangle TAB from the window that opens
Here is where you set all your Mangle Rules
Here is the command to add an HTTP mangle to your mangle window.
Simply copy the code below and paste it as a whole into your terminal window to add it to your Mikrotik.
(To paste code into a terminal window, Mikrotik has a menu item on the left called New Terminal. Clicking this menu button will open a terminal window / session. Using this terminal you can enter commands or paste code directly so that you don’t have to type them out all the time if you have them in a notepad or text file. NOTE: don’t paste code into your terminal if you do not understand how it works. This could compromise your firewall’s security or do things that you are not aware of.)
Copy the code from in between the == Code == and == End Code == lines.
== Code ==
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark HTTP" dst-port=80 \
new-connection-mark=HTTP-Conn protocol=tcp src-address=192.168.88.0/24
add action=mark-packet chain=prerouting connection-mark=HTTP-Conn \
new-packet-mark=HTTP-Marked passthrough=no
== End Code ==
What does this do? Let’s break it down piece by piece.
chain=prerouting (This says to mark the connection in the prerouting chain, for all data flowing into the Mikrotik)
src-address (This is the subnet I am narrowing down my mangle rule to be applied to)
protocol=tcp (Again, another part of narrowing down what I am trying to mangle)
dst-port=80 (Since HTTP traffic flows over TCP port 80 I am adding this to my mangle again to help narrow down what to mangle)
add action=mark-connection (This command tells the mangle rule that we are going to mark the Connection not the Packet)
new-connection-mark=HTTP-Conn (This is the name I am going to give to identify my HTTP marked connection. Notice I use HTTP for web traffic and Conn to signify Connection)
comment (This is where you can put a comment if you want. I like to comment as it helps me remember what I was mangling. After you get a long list of mangles it all blurs together)
OK, now the second part of the code:
chain=prerouting (Again I am starting my marking just as data is coming into the port on the firewall and entering the processing queue)
connection-mark=HTTP-Conn (I set this because I am passing the connection mark made by the rule above to this next mangle rule, which marks the PACKETS, whereas the rule above marked the CONNECTION. The reason we do this trick is so that I can later hand the marked packets to a Queue Tree while using less CPU power.) (At a later time I will explain this technique more.)
add action=mark-packet (Here again we are now marking the PACKET and not the CONNECTION like above)
new-packet-mark=HTTP-Marked (Again we are now naming the packet marking so when we are using this mangle in a Queue we know what we were marking)
passthrough=no (If this is set to yes ((checked)) then after this mangle rule is processed we continue on to the next mangle rule. If it is unchecked ((no)) then when this mangle rule is processed it hits the passthrough and stops.)
OK, WOW, I hope that was clear. We now have mangle rules set up to catch TCP port 80 traffic from the IP subnet range 192.168.88.0/24, and we are packet marking it as HTTP-Marked and connection marking it as HTTP-Conn.
Now let’s use a Mikrotik Tree Queue to throttle it, as an example of what we can do with it.
Again, here is some code you can use to set up a queue tree:
== Code ==
/queue tree
add name="HTTP-Queue" packet-mark=HTTP-Marked parent=ether1-gateway priority=2 queue=default
== End Code ==
OK, let’s break this down:
add name="HTTP-Queue" (This is just what you are going to name your queue so when you look at it you know what you are queuing)
packet-mark=HTTP-Marked (This is the name of that Packet Marking that you did in the mangle rules. This is how you apply what you are doing in your queue to the traffic you want to manipulate)
parent=ether1-gateway (This is where you are applying this queue in the Flow of Traffic. There are many points if you look under Parent in Winbox when looking at Tree Queues)
priority=2 (This is the priority you give to that traffic over other queues that you may have if you have several. For example, you would have a queue for VOIP and set it to 1 and then set HTTP to 2 so that VOIP takes precedence over HTTP traffic)
queue=default (This is the Queue Type. I will talk about this later as I start to understand it more. For now I will add a Mikrotik link that talks more about it)
Now to start throttling you also set the Limit At and Max Limit. They must both be set.
In WinBox navigate to the Queues | Queue Tree and Double Click the HTTP Queue that you made.
Under the General TAB there will be the Limit At and Max Limit options.
Note that these are in bits per second.
Let’s say that you want to throttle your HTTP traffic from the 192.168.88.0/24 subnet to feel like good ole dialup internet from way back. Click in the Limit At box and type in 14400, and set Max Limit to 14400.
Everyone on the 192.168.88.0/24 subnet will now feel like they are sharing a 14.4 USR Robotics dial up internet connection. Welcome back to the Good Ole Days???? LOL
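Putting the two halves of the procedure together, here is the whole thing as one paste-able script: the mangle rules from this post, the queue tree with the Limit At / Max Limit values set from the terminal instead of WinBox, and a few commands to confirm the marks are actually being applied. This block is an added example written for this post, not the author’s configuration or Mikrotik’s; it assumes the RB750GL default interface names (ether1-gateway on the WAN side, ether2-master-local on the LAN side). It also goes slightly beyond the post in two places: connection-state=new on the mark-connection rule, so that rule only has to evaluate the first packet of each connection (the mark-packet rule handles the rest), and a second queue on the LAN interface, because a queue tree whose parent is an interface only shapes traffic leaving through that interface, so the ether1-gateway queue on its own limits the LAN’s outgoing requests but not the web pages coming back.

```routeros
# Added example, not the post's or Mikrotik's own config. Interface names
# (ether1-gateway, ether2-master-local) are assumed RB750GL defaults.
/ip firewall mangle
# 1. Mark the connection once, on its first packet. connection-state=new is
#    an addition to the post's rule; every later packet of the connection is
#    picked up by rule 2 through the connection mark.
add chain=prerouting action=mark-connection connection-state=new \
    protocol=tcp dst-port=80 src-address=192.168.88.0/24 \
    new-connection-mark=HTTP-Conn passthrough=yes comment="Mark HTTP"
# 2. Turn the connection mark into a packet mark on every packet of that
#    connection, in both directions. passthrough=no stops further mangling.
add chain=prerouting action=mark-packet connection-mark=HTTP-Conn \
    new-packet-mark=HTTP-Marked passthrough=no comment="Mark HTTP packets"

/queue tree
# Upload direction: marked packets leaving through the WAN interface.
# limit-at and max-limit are in bits per second, as the post notes.
add name=HTTP-Queue-up parent=ether1-gateway packet-mark=HTTP-Marked \
    priority=2 queue=default limit-at=14400 max-limit=14400
# Download direction: the same mark, on packets leaving through the LAN
# interface. Without this queue the returning web pages are not shaped.
add name=HTTP-Queue-down parent=ether2-master-local packet-mark=HTTP-Marked \
    priority=2 queue=default limit-at=14400 max-limit=14400

# Checks: rule hit counters, live connections carrying the mark, and the
# bytes/packets each queue has handled. Browse from the LAN first, then run:
/ip firewall mangle print stats
/ip firewall connection print where connection-mark=HTTP-Conn
/queue tree print stats
```

If the mangle counters stay at zero while you browse, the rules are not seeing the traffic: check that they sit in prerouting above any rule that stops processing, and that the src-address really matches the client. On RouterOS 6.29 and later the default firewall also contains a fasttrack-connection rule; fasttracked packets bypass mangle and the queues entirely, so that rule must be disabled or must exclude this traffic for the marks to take effect (not an issue on the 6.0rc11 build used in this post).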
Hopefully this blog will give you ideas on what you can start doing with Tree Queues and Mangling Rules.
Link for Mikrotik Queues and Types : http://wiki.mikrotik.com/wiki/Manual:Queue
I will update this article as I learn more and correct myself on things I don’t fully understand yet.