Mangle

Mangle rules allow RouterOS to mark packets and connections for Quality of Service (QoS), policy-based routing, bandwidth management, and advanced traffic manipulation without modifying the actual packet data.

In WinBox you can configure mangle in IP -> Firewall -> Mangle, or you can use terminal with command /ip firewall mangle

Mangle is processed before NAT and routing decisions, making it essential for traffic shaping, load balancing, and policy routing.

Mangle fundamentals

How mangle works

Marking types:

Packet marks - Mark individual packets for QoS and routing
Connection marks - Mark entire connections for bandwidth management
Routing marks - Direct packets through specific routes
DSCP marks - Set Differentiated Services Code Point for QoS

Mangle chains:

prerouting - Before routing decision (all incoming packets)
input - Packets destined for router (before input filter)
forward - Packets being routed through (before forward filter)
output - Packets from router (before output filter)
postrouting - After routing decision (all outgoing packets)

Processing order

# Packet flow through mangle chains
1. prerouting  # First processing, before routing
2. input       # To router (if destined for router)
   OR
   forward     # Through router (if being routed)
3. output      # From router (if generated by router)
4. postrouting # Final processing, after routing

Basic packet marking

Mark packets by protocol

Basic packet marking for common protocols:

# Mark HTTP traffic
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp dst-port=80 \
    new-packet-mark=http-traffic passthrough=no comment="Mark HTTP traffic"

# Mark HTTPS traffic  
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp dst-port=443 \
    new-packet-mark=https-traffic passthrough=no comment="Mark HTTPS traffic"

# Mark DNS traffic
/ip firewall mangle add chain=prerouting action=mark-packet protocol=udp dst-port=53 \
    new-packet-mark=dns-traffic passthrough=no comment="Mark DNS traffic"

# Mark video streaming (common ports)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp dst-port=1935,8080 \
    new-packet-mark=streaming-traffic passthrough=no comment="Mark streaming traffic"

Mark by source/destination

Mark traffic based on network addresses:

# Create address lists for different networks
/ip firewall address-list add list=SERVERS address=192.168.1.100-192.168.1.110
/ip firewall address-list add list=GUESTS address=192.168.10.0/24
/ip firewall address-list add list=MANAGEMENT address=192.168.2.0/24

# Mark server traffic (high priority)
/ip firewall mangle add chain=prerouting action=mark-packet src-address-list=SERVERS \
    new-packet-mark=server-traffic passthrough=no comment="Mark server traffic"

# Mark guest traffic (low priority)
/ip firewall mangle add chain=prerouting action=mark-packet src-address-list=GUESTS \
    new-packet-mark=guest-traffic passthrough=no comment="Mark guest traffic"

# Mark management traffic (highest priority)
/ip firewall mangle add chain=prerouting action=mark-packet src-address-list=MANAGEMENT \
    new-packet-mark=mgmt-traffic passthrough=no comment="Mark management traffic"

Connection marking

Mark connections for bandwidth management

Connection marking allows tracking entire sessions:

# Mark download connections (incoming traffic)
/ip firewall mangle add chain=prerouting action=mark-connection connection-state=new \
    in-interface-list=WAN new-connection-mark=download-conn passthrough=yes \
    comment="Mark download connections"

/ip firewall mangle add chain=prerouting action=mark-packet connection-mark=download-conn \
    new-packet-mark=download-traffic passthrough=no comment="Mark download packets"

# Mark upload connections (outgoing traffic)  
/ip firewall mangle add chain=prerouting action=mark-connection connection-state=new \
    out-interface-list=WAN new-connection-mark=upload-conn passthrough=yes \
    comment="Mark upload connections"

/ip firewall mangle add chain=prerouting action=mark-packet connection-mark=upload-conn \
    new-packet-mark=upload-traffic passthrough=no comment="Mark upload packets"

Per-user connection marking

Mark connections per user or device:

# Mark connections per source IP for per-user bandwidth limits
/ip firewall mangle add chain=prerouting action=mark-connection src-address=192.168.1.10 \
    new-connection-mark=user1-conn passthrough=yes comment="Mark user 1 connections"

/ip firewall mangle add chain=prerouting action=mark-packet connection-mark=user1-conn \
    new-packet-mark=user1-traffic passthrough=no comment="Mark user 1 traffic"

# Mark connections for a subnet
/ip firewall mangle add chain=prerouting action=mark-connection src-address=192.168.1.0/28 \
    new-connection-mark=subnet1-conn passthrough=yes comment="Mark subnet 1 connections"

/ip firewall mangle add chain=prerouting action=mark-packet connection-mark=subnet1-conn \
    new-packet-mark=subnet1-traffic passthrough=no comment="Mark subnet 1 traffic"

QoS implementation with mangle

DSCP marking for QoS

Set DSCP values for enterprise QoS:

# Mark voice traffic (EF - Expedited Forwarding)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=udp dst-port=5060,5004,16384-32767 \
    new-packet-mark=voice-traffic passthrough=yes comment="Mark VoIP traffic"

/ip firewall mangle add chain=postrouting action=change-dscp packet-mark=voice-traffic \
    new-dscp=46 passthrough=no comment="Set DSCP EF for voice"

# Mark video traffic (AF31 - Assured Forwarding)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp dst-port=1935,8080 \
    new-packet-mark=video-traffic passthrough=yes comment="Mark video traffic"

/ip firewall mangle add chain=postrouting action=change-dscp packet-mark=video-traffic \
    new-dscp=26 passthrough=no comment="Set DSCP AF31 for video"

# Mark bulk traffic (AF11 - Low priority)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp dst-port=21,20 \
    new-packet-mark=bulk-traffic passthrough=yes comment="Mark FTP traffic"

/ip firewall mangle add chain=postrouting action=change-dscp packet-mark=bulk-traffic \
    new-dscp=10 passthrough=no comment="Set DSCP AF11 for bulk"

Priority marking with TOS

Set Type of Service bits for priority:

# High priority for interactive traffic
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp dst-port=22,23,3389 \
    new-packet-mark=interactive-traffic passthrough=yes comment="Mark interactive traffic"

/ip firewall mangle add chain=postrouting action=change-tos packet-mark=interactive-traffic \
    new-tos=0x10 passthrough=no comment="Set high priority TOS"

# Low delay for real-time traffic
/ip firewall mangle add chain=prerouting action=mark-packet protocol=udp dst-port=53,123 \
    new-packet-mark=realtime-traffic passthrough=yes comment="Mark real-time traffic"

/ip firewall mangle add chain=postrouting action=change-tos packet-mark=realtime-traffic \
    new-tos=0x08 passthrough=no comment="Set low delay TOS"

Policy-based routing with mangle

Route marking for multiple WANs

Direct traffic through specific gateways:

# Mark traffic for specific WAN interfaces
/ip firewall mangle add chain=prerouting action=mark-routing src-address=192.168.1.0/25 \
    new-routing-mark=wan1-route passthrough=no comment="Route subnet 1 via WAN1"

/ip firewall mangle add chain=prerouting action=mark-routing src-address=192.168.1.128/25 \
    new-routing-mark=wan2-route passthrough=no comment="Route subnet 2 via WAN2"

# Create routing tables for marked traffic
/ip route add gateway=203.0.113.1 routing-mark=wan1-route distance=1 comment="WAN1 gateway"
/ip route add gateway=203.0.114.1 routing-mark=wan2-route distance=1 comment="WAN2 gateway"

Load balancing with PCC

Per Connection Classifier for load balancing:

# Mark connections for load balancing using PCC
/ip firewall mangle add chain=prerouting action=mark-connection connection-state=new \
    per-connection-classifier=both-addresses:2/0 new-connection-mark=wan1-conn \
    passthrough=yes comment="Mark connections for WAN1"

/ip firewall mangle add chain=prerouting action=mark-connection connection-state=new \
    per-connection-classifier=both-addresses:2/1 new-connection-mark=wan2-conn \
    passthrough=yes comment="Mark connections for WAN2"

# Mark routing for balanced connections
/ip firewall mangle add chain=prerouting action=mark-routing connection-mark=wan1-conn \
    new-routing-mark=wan1-route passthrough=no comment="Route WAN1 connections"

/ip firewall mangle add chain=prerouting action=mark-routing connection-mark=wan2-conn \
    new-routing-mark=wan2-route passthrough=no comment="Route WAN2 connections"

Policy routing by application

Route specific applications through different paths:

# Route SMTP through primary WAN (reliable delivery)
/ip firewall mangle add chain=prerouting action=mark-routing protocol=tcp dst-port=25,587 \
    new-routing-mark=primary-wan passthrough=no comment="Route SMTP via primary"

# Route P2P traffic through secondary WAN (save primary bandwidth)
/ip firewall mangle add chain=prerouting action=mark-routing protocol=tcp dst-port=6881-6889 \
    new-routing-mark=secondary-wan passthrough=no comment="Route P2P via secondary"

# Route VPN traffic through specific interface
/ip firewall mangle add chain=prerouting action=mark-routing protocol=udp dst-port=1194,500,4500 \
    new-routing-mark=vpn-wan passthrough=no comment="Route VPN traffic"

Advanced mangle techniques

Gaming traffic optimization

Optimize gaming traffic with low latency marking:

# Mark gaming traffic by ports (common games)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp \
    dst-port=27015,27036,7777-7784,25565 new-packet-mark=gaming-tcp passthrough=yes \
    comment="Mark gaming TCP traffic"

/ip firewall mangle add chain=prerouting action=mark-packet protocol=udp \
    dst-port=27015,27036,7777-7784,25565 new-packet-mark=gaming-udp passthrough=yes \
    comment="Mark gaming UDP traffic"

# Set high priority DSCP for gaming
/ip firewall mangle add chain=postrouting action=change-dscp packet-mark=gaming-tcp \
    new-dscp=34 passthrough=no comment="Gaming TCP priority"

/ip firewall mangle add chain=postrouting action=change-dscp packet-mark=gaming-udp \
    new-dscp=34 passthrough=no comment="Gaming UDP priority"

# Mark gaming connections for bandwidth guarantee
/ip firewall mangle add chain=prerouting action=mark-connection \
    packet-mark=gaming-tcp,gaming-udp new-connection-mark=gaming-conn \
    passthrough=yes comment="Mark gaming connections"

Time-based traffic marking

Different marking based on time of day:

# Business hours - prioritize work traffic
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp dst-port=80,443 \
    time=8h-18h,mon,tue,wed,thu,fri new-packet-mark=business-web passthrough=yes \
    comment="Business hours web traffic"

# After hours - allow more bandwidth for recreation  
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp dst-port=80,443 \
    time=18h-8h new-packet-mark=personal-web passthrough=yes \
    comment="After hours web traffic"

# Weekend traffic - different priorities
/ip firewall mangle add chain=prerouting action=mark-packet src-address=192.168.1.0/24 \
    time=0h-24h,sat,sun new-packet-mark=weekend-traffic passthrough=yes \
    comment="Weekend traffic"

Bandwidth monitoring with mangle

Mark traffic for monitoring and accounting:

# Mark traffic per user for accounting
/ip firewall mangle add chain=forward action=mark-packet src-address=192.168.1.10 \
    new-packet-mark=user1-in passthrough=yes comment="User 1 download"

/ip firewall mangle add chain=forward action=mark-packet dst-address=192.168.1.10 \
    new-packet-mark=user1-out passthrough=yes comment="User 1 upload"

# Mark by interface for monitoring
/ip firewall mangle add chain=forward action=mark-packet in-interface=ether1 \
    new-packet-mark=wan-in passthrough=yes comment="WAN incoming traffic"

/ip firewall mangle add chain=forward action=mark-packet out-interface=ether1 \
    new-packet-mark=wan-out passthrough=yes comment="WAN outgoing traffic"

Mangle with Queue Tree

Prepare traffic for queue tree

Mangle marks are essential for queue tree bandwidth management:

# Mark all traffic for global bandwidth control
/ip firewall mangle add chain=postrouting action=mark-packet out-interface-list=WAN \
    new-packet-mark=all-upload passthrough=yes comment="Mark all upload traffic"

/ip firewall mangle add chain=prerouting action=mark-packet in-interface-list=WAN \
    new-packet-mark=all-download passthrough=yes comment="Mark all download traffic"

# Mark per-user traffic for individual limits
/ip firewall mangle add chain=forward action=mark-connection src-address=192.168.1.0/24 \
    new-connection-mark=lan-conn passthrough=yes comment="Mark LAN connections"

/ip firewall mangle add chain=forward action=mark-packet connection-mark=lan-conn \
    out-interface-list=WAN new-packet-mark=lan-upload passthrough=yes \
    comment="Mark LAN upload"

/ip firewall mangle add chain=forward action=mark-packet connection-mark=lan-conn \
    in-interface-list=WAN new-packet-mark=lan-download passthrough=yes \
    comment="Mark LAN download"

Gaming and VoIP priority queuing

# Mark VoIP traffic (highest priority)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=udp \
    dst-port=5060,10000-20000 new-packet-mark=voip-traffic passthrough=yes \
    comment="Mark VoIP traffic"

# Mark gaming traffic (high priority)  
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp,udp \
    dst-port=27015,7777-7784 new-packet-mark=game-traffic passthrough=yes \
    comment="Mark gaming traffic"

# Mark streaming (medium priority)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp \
    dst-port=1935,8080 new-packet-mark=stream-traffic passthrough=yes \
    comment="Mark streaming traffic"

# Mark bulk downloads (low priority)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp \
    dst-port=21,80,443 connection-bytes=>1000000 new-packet-mark=bulk-traffic \
    passthrough=yes comment="Mark bulk downloads"

Monitoring and troubleshooting mangle

Monitor mangle rules

# Check mangle rule statistics
/ip firewall mangle print stats

# Monitor specific packet marks
/ip firewall mangle print stats where new-packet-mark="gaming-traffic"

# Check connection marks
/ip firewall connection print where connection-mark~"gaming"

# Monitor marked packets in real-time
/tool torch interface=ether1 src-address=192.168.1.0/24

Debug mangle issues

# Enable logging for mangle rules
/ip firewall mangle add chain=prerouting action=log log-prefix="MANGLE-DEBUG: " \
    place-before=0 comment="Debug mangle processing"

# Test packet marking
/tool torch interface=bridge src-address=192.168.1.10

# Check routing marks
/ip route print where routing-mark~"wan1"

# Monitor connection tracking with marks
/ip firewall connection print where connection-mark!=no-mark

Performance monitoring

# Check mangle processing impact
/system resource print

# Monitor marked traffic bandwidth
/interface monitor-traffic interface=ether1

# Check queue tree performance (if using queues)
/queue tree print stats

# Monitor connection table usage
/ip firewall connection tracking print

Layer-7 protocol detection

Mark traffic by detected protocols

Use layer-7 patterns for application detection:

# Create layer-7 protocols
/ip firewall layer7-protocol add name=youtube regexp="^.*(youtube|googlevideo).*$"
/ip firewall layer7-protocol add name=facebook regexp="^.*(facebook|fbcdn).*$"
/ip firewall layer7-protocol add name=bittorrent regexp="^(\\x13BitTorrent protocol|\\x42\\x54:|\\x47\\x45\\x54\\x2f)"

# Mark traffic using layer-7 detection
/ip firewall mangle add chain=prerouting action=mark-connection layer7-protocol=youtube \
    new-connection-mark=youtube-conn passthrough=yes comment="Mark YouTube connections"

/ip firewall mangle add chain=prerouting action=mark-packet connection-mark=youtube-conn \
    new-packet-mark=youtube-traffic passthrough=no comment="Mark YouTube traffic"

/ip firewall mangle add chain=prerouting action=mark-connection layer7-protocol=bittorrent \
    new-connection-mark=p2p-conn passthrough=yes comment="Mark P2P connections"

/ip firewall mangle add chain=prerouting action=mark-packet connection-mark=p2p-conn \
    new-packet-mark=p2p-traffic passthrough=no comment="Mark P2P traffic"

Show complete QoS mangle setup

# Complete QoS mangle configuration for office network
# 1. Create address lists
/ip firewall address-list add list=SERVERS address=192.168.1.100-192.168.1.110 comment="Server farm"
/ip firewall address-list add list=MANAGEMENT address=192.168.2.0/24 comment="Management network"
/ip firewall address-list add list=GUESTS address=192.168.10.0/24 comment="Guest network"

# 2. Mark connections by source network
/ip firewall mangle add chain=prerouting action=mark-connection src-address-list=SERVERS \
    new-connection-mark=server-conn passthrough=yes comment="Mark server connections"

/ip firewall mangle add chain=prerouting action=mark-connection src-address-list=MANAGEMENT \
    new-connection-mark=mgmt-conn passthrough=yes comment="Mark management connections"

/ip firewall mangle add chain=prerouting action=mark-connection src-address-list=GUESTS \
    new-connection-mark=guest-conn passthrough=yes comment="Mark guest connections"

# 3. Mark packets by connection type
/ip firewall mangle add chain=prerouting action=mark-packet connection-mark=server-conn \
    new-packet-mark=server-traffic passthrough=no comment="Mark server traffic"

/ip firewall mangle add chain=prerouting action=mark-packet connection-mark=mgmt-conn \
    new-packet-mark=mgmt-traffic passthrough=no comment="Mark management traffic"

/ip firewall mangle add chain=prerouting action=mark-packet connection-mark=guest-conn \
    new-packet-mark=guest-traffic passthrough=no comment="Mark guest traffic"

# 4. Mark VoIP traffic (highest priority)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=udp \
    dst-port=5060,5004,16384-32767 new-packet-mark=voip-traffic passthrough=yes \
    comment="Mark VoIP traffic"

# 5. Mark interactive traffic (SSH, RDP)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp \
    dst-port=22,3389 new-packet-mark=interactive-traffic passthrough=yes \
    comment="Mark interactive traffic"

# 6. Mark DNS and NTP (critical services)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=udp \
    dst-port=53,123 new-packet-mark=critical-traffic passthrough=yes \
    comment="Mark critical services"

# 7. Mark streaming traffic
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp \
    dst-port=1935,8080 new-packet-mark=streaming-traffic passthrough=yes \
    comment="Mark streaming traffic"

# 8. Mark bulk traffic (low priority)
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp \
    dst-port=21,80,443 connection-bytes=>10000000 new-packet-mark=bulk-traffic \
    passthrough=yes comment="Mark bulk downloads"

# 9. Set DSCP values for QoS
/ip firewall mangle add chain=postrouting action=change-dscp packet-mark=voip-traffic \
    new-dscp=46 passthrough=no comment="VoIP - EF"

/ip firewall mangle add chain=postrouting action=change-dscp packet-mark=mgmt-traffic \
    new-dscp=34 passthrough=no comment="Management - AF41"

/ip firewall mangle add chain=postrouting action=change-dscp packet-mark=server-traffic \
    new-dscp=26 passthrough=no comment="Servers - AF31"

/ip firewall mangle add chain=postrouting action=change-dscp packet-mark=interactive-traffic \
    new-dscp=18 passthrough=no comment="Interactive - AF21"

/ip firewall mangle add chain=postrouting action=change-dscp packet-mark=bulk-traffic \
    new-dscp=10 passthrough=no comment="Bulk - AF11"

# 10. Mark traffic for bandwidth management
/ip firewall mangle add chain=postrouting action=mark-packet out-interface-list=WAN \
    new-packet-mark=upload-all passthrough=yes comment="All upload traffic"

/ip firewall mangle add chain=prerouting action=mark-packet in-interface-list=WAN \
    new-packet-mark=download-all passthrough=yes comment="All download traffic"

Mangle best practices

Performance optimization

Order rules efficiently - Most frequent matches first
Use passthrough wisely - Set to 'no' for final marking
Minimize regex patterns - Layer-7 detection impacts performance
Use connection marking - More efficient than per-packet marking
Combine conditions - Reduce rule count with multiple criteria

Design recommendations

Plan marking strategy - Design comprehensive marking scheme
Use descriptive names - Clear packet/connection mark names
Document purposes - Comment all mangle rules clearly
Test thoroughly - Verify marking works as expected
Monitor performance - Watch CPU usage with complex rules

Common patterns

# Efficient connection + packet marking pattern
/ip firewall mangle add chain=prerouting action=mark-connection src-address=X \
    new-connection-mark=Y passthrough=yes

/ip firewall mangle add chain=prerouting action=mark-packet connection-mark=Y \
    new-packet-mark=Z passthrough=no

# Time-based marking for different policies
/ip firewall mangle add chain=prerouting action=mark-packet time=8h-17h,mon,tue,wed,thu,fri \
    new-packet-mark=business-hours passthrough=yes

# Protocol + size based marking for bulk detection
/ip firewall mangle add chain=prerouting action=mark-packet protocol=tcp \
    connection-bytes=>1000000 new-packet-mark=bulk-data passthrough=yes

PreviousNAT NextLayer-7

Last updated 3 months ago

Was this helpful?

Good afternoon

hashtagMangle fundamentals

hashtagHow mangle works

hashtagProcessing order

hashtagBasic packet marking

hashtagMark packets by protocol

hashtagMark by source/destination

hashtagConnection marking

hashtagMark connections for bandwidth management

hashtagPer-user connection marking

hashtagQoS implementation with mangle

hashtagDSCP marking for QoS

hashtagPriority marking with TOS

hashtagPolicy-based routing with mangle

hashtagRoute marking for multiple WANs

hashtagLoad balancing with PCC

hashtagPolicy routing by application

hashtagAdvanced mangle techniques

hashtagGaming traffic optimization

hashtagTime-based traffic marking

hashtagBandwidth monitoring with mangle

hashtagMangle with Queue Tree

hashtagPrepare traffic for queue tree

hashtagGaming and VoIP priority queuing

hashtagMonitoring and troubleshooting mangle

hashtagMonitor mangle rules

hashtagDebug mangle issues

hashtagPerformance monitoring

hashtagLayer-7 protocol detection

hashtagMark traffic by detected protocols

hashtagMangle best practices

hashtagPerformance optimization

hashtagDesign recommendations

hashtagCommon patterns