I've been struggling for some time to create a working QoS configuration, reading through countless manual pages, wikis, forum topics etc. I've noticed two things; in order to do something great with a Mikrotik router, you have to be a network guru. I thought I knew relatively much about networking when I got my router, but it seems I was wrong. Second, it seems like there's a tendency among those who actually do know something and who actually have working configurations to be pretty secretive about them, which is understandable, but very frustrating for novices. That's why I thought I'd post my QoS configuration here as well as explain what it does (or at least what I want it to do).
1. My network layout
WAN connection: 110/5 Mbit (up/down). The actual downlink speed is limited to 100 Mbit by the fact that my RouterBOARD only has 100 Mbit Ethernet ports.
My stuff is hooked up like this: Cable modem <-- [bridge] --> Routerboard --> Switch(es) --> computers.
2. What I want to accomplish
I'm a heavy BitTorrent user, which means I'm pretty much maxing out my upstream bandwidth all the time. I also have my own FTP server which some of my friends use to download some stuff from me, a HTTP server from which stream music from my collection when I'm at other peoples places (I have my own home-made system for this) and finally I'm always connected to my computer at home using SSH.
What happens with no QoS at all is that I constantly have to limit the torrent clients upload speed everytime I come somewhere and want to stream something, or a friend needs to get something fast over FTP. It also means that unless I cap the upload speed in the torrent client I get incredible lag when using SSH to chat on IRC (for example). Of course web browsing is a PITA too when seeding at full speed...
3. The solution
The solution to all this is to mark traffic from the most critical to the non-critical. I got most of my rules from this guide. This is my current mangle config and my queue tree config. Just to clearify: "Public" is the interface connected to the modem and "Local" is the interface connected to the switch. The key seems to be to mark the ACK packets correctly (only marking the ones with a size of 0-80 bytes like most people suggest is not sufficient as the ACK flag can be set on bigger packets as well).
Mangle rules:
Code:
[xxx@xxx] /ip firewall mangle> print Flags: X - disabled, I - invalid, D - dynamic 0 ;;; Link-critical traffic (ARP, DHCP) chain=postrouting action=mark-packet new-packet-mark=link_critical passthrough=no protocol=udp out-interface=Public src-port=68 dst-port=67
With the current settings, if I'm seeding at full speed and somebody starts downloading something over FTP, the FTP transfer gets all upload bandwidth while the torrents almost stop. If I'm connected with SSH, there's absolutely no lag when I'm writing in the console. When surfing the web, DNS lookups happen instantly and pages load just like if I wasn't seeding at all.
Feel free to comment on my config if you have any suggestions that would make it better.
Edit: Forgot to mention that I changed the queue size to 200 packets (default is 50)
Joined: Sun Oct 12, 2008 8:48 pm Posts: 2
Karma: 0
seems that its working, is possible do this for download too
wan to lan qos
this is for lan to wan qos
but p2p uploading is < 50% of free bandwith, when I start uploading something else (vpn), p2p is stil so low and vpn works 50KB (where is free bandwith +-500KB)... better will be p2p 50KB, vpn 600KB
pings are very high +- 50ms average... maybe qos download is the solution
You cannot apply QoS on the downlink because you have no way of controlling how much data is being sent to you. If you want to prioritize VPN just mark packets with IPsec traffic and give them higher priority in the queue.
Joined: Mon Jun 16, 2008 2:12 am Posts: 108
Karma: 2
Location: Venezuela
Negge, first congratulation, it works good..
i'm trying to modify it to work in my scenario, i just want to know why you use thats packet size for ack? why you did no use 0-80 too? i've read the site that you told but they dont talk about the packets size you used, can you help me? where did you find that, thanks
_________________ If you found this post useful don't forget about the karma viewtopic.php?f=1&t=41148
Feed Your FAITH Then Your Doubts Will Starve To Death...!!!
Joined: Wed May 13, 2009 11:48 am Posts: 72
Karma: 0
Hi Negge.
Thanks for this. I'm newish to MT and know little about routing. Thanks for writing down your config in this forum. Can I make a suggestion that you also write a wiki on the MT wiki page as I think that will be longer lasting. People, like you yourself mentioned check out the wiki first.
Joined: Mon Mar 09, 2009 12:00 am Posts: 446
Karma: 3
lukkes wrote:
Negge, first congratulation, it works good..
i'm trying to modify it to work in my scenario, i just want to know why you use thats packet size for ack? why you did no use 0-80 too? i've read the site that you told but they dont talk about the packets size you used, can you help me? where did you find that, thanks
Quote from the link Negge reffered to (length highlighted in red):
I'm still trying to figure out why this is needed...
...hm it's actually explained in the guide as well:
Quote:
The generalisation of the above is quite effective since we can assume that the larger the size of a TCP ACK (or UDP) packet, the more likely it is to contain payload data. The more data it has, the further it sinks in priority of being sent out our broadband connection first leaving all the real control ACK packets (with little or no payload) to exit as quickly as possible
EDIT: added content
PS: I think this setup makes a lot of packets arrive out of order.
Joined: Mon Jun 16, 2008 2:12 am Posts: 108
Karma: 2
Location: Venezuela
hmmm, ok understod, thanks, maybe i didn't read well the link, somebody know if i's really needed another lenght more tha 0-80? with the others lenght it catch much traffic, including p2p traffic thanks
_________________ If you found this post useful don't forget about the karma viewtopic.php?f=1&t=41148
Feed Your FAITH Then Your Doubts Will Starve To Death...!!!
First of all, it's nice to see that it's working for other people too! It's been some time since I wrote this but the configuration has remained the same since then, so here it is:
You may need to edit the commands to reflect your own interface names. I don't use "Public" and "Local" anymore like I did in my first post, nowadays it's simply "WAN" and "LAN".
Quote:
i'm trying to modify it to work in my scenario, i just want to know why you use thats packet size for ack? why you did no use 0-80 too? i've read the site that you told but they dont talk about the packets size you used, can you help me? where did you find that, thanks
The reason why I only mangle ACK packets with size between 40-89 and not 0-89 is because a TCP packet can't be smaller than 40 bytes.
Quote:
Thanks for this. I'm newish to MT and know little about routing. Thanks for writing down your config in this forum. Can I make a suggestion that you also write a wiki on the MT wiki page as I think that will be longer lasting. People, like you yourself mentioned check out the wiki first.
I might just do that, if there's enough interest and if I find some spare time.
Quote:
PS: I think this setup makes a lot of packets arrive out of order.
Joined: Sun Mar 30, 2008 1:04 pm Posts: 165
Karma: 1
Thanks Negge, Great piece of work. Just want to add a question concerning your comments on the download.
Quote:
You cannot apply QoS on the downlink because you have no way of controlling how much data is being sent to you. If you want to prioritize VPN just mark packets with IPsec traffic and give them higher priority in the queue.
I have seen many examples on prioritizing downloads and have also set up a QoS for my download. Maybe I misunderstood you, but did you mean to say that it is not possible to prioritize downloads. I am just wondering if your rules could not be applied to download also - or would it spoil / overlap the purpose "Maximise Download Speed via Outbound Traffic Shaping"?
Joined: Mon Mar 09, 2009 12:00 am Posts: 446
Karma: 3
Quote:
Quote: PS: I think this setup makes a lot of packets arrive out of order.
Why would it do that? This is TCP.
Packets will eventually be reordered since -as you point out it's TCP -however during transmission dupack will be sent and in some cases (depending on dupack limit) can trigger retransmission. I don't know how badly this would affect the speed though. Myself I try not to rearange packets within the same stream.
@Pilgrim: What I meant to say is you can't directly shape your incoming connections, but you can get the same effect by prioritizing certain ACK packets instead. That's basically what my configuration does. If all the ACK rules wouldn't be there, the QoS would only work on a server where no one rarely downloads anything at all.
Joined: Sun Mar 30, 2008 1:04 pm Posts: 165
Karma: 1
Thanks negge, That is really interesting. I also read the article and to me this is completely new angle on QoS.
Great job in implementing this on the mikrotik platform and like it was already mentioned it would be really nice if this could be turned into an article on the wiki.
Joined: Sat Jan 16, 2010 1:04 pm Posts: 2
Karma: 0
Location: London
rmichael wrote:
Quote:
Quote: PS: I think this setup makes a lot of packets arrive out of order.
Why would it do that? This is TCP.
Packets will eventually be reordered since -as you point out it's TCP -however during transmission dupack will be sent and in some cases (depending on dupack limit) can trigger retransmission. I don't know how badly this would affect the speed though. Myself I try not to rearange packets within the same stream.
Hi Rmichael,
I'm Mark, I wrote the HOWTO that Negge has based his MikroTek configuration on. I just wanted to make a quick comment about your statement here (I have updated my HOWTO accordingly).
I agree with your statement about dupACKs, but, only where TCP packets have not been classified into a particular queue based on something consitent like a client or peer port number. In this instance, they will be classified on size instead and the shaping rules I've described do this in a banded way based on size. Again, in this instance, the only possible way out of ordered packets could then occur is if BOTH the client and peer are sending payload (data) ACK packets to each other, within the same TCP session. When I wrote that HOWTO (some years ago now!), I was observing how BitTorrent exchanges data across TCP. Most of the time, I observed that BitTorrent TCP streams could be classified into one of two forms:
1) TCP sessions between you and peer where YOU are sending large payload ACKs out, peers sending small ACKs back 2) TCP session between you and peer where THEY are sending large payload ACKs in, you sending small ACKs back
If either of the above hold true, the chances of out of ordered packets reaching you or your peers are fairly remote. If however, you and your peers are doing BOTH of the above, within the SAME TCP session, then yes, out of ordered packets could occur.
BitTorrent has since moved onto uTP anyway (which uses UDP) - if anyone has any further information about this protocol, such as its frame format, it is probably very possible to use iptables to match on particular bytes within such packets to determine if they are uTP, and thus place such traffic in a low priority class, rather than use the crude method of size. This would be preferable.
I'm glad everyone here has found Negge's configuration and my HOWTO useful - when I originally came up with the ideas in it, it dramatically improved the usability and speed of my connection when I had a 1Mbit broadband line (things have now moved on though, now I am on 50Mbit)
I'm sorry I haven't put together the wiki article yet, I simply haven't had that much spare time lately. Don't give up the hope though, it will come sooner or later!
there is a legacy DNS querk where if a reply from a DNS server exceeds 512 bytes (which is now the case from the root servers), the protocol switches to using TCP. So you'll want to also include TCP destination port 53 traffic in these classification rules as well as UDP (just repeat the UDP port 53 rule but for TCP instead). If you miss this out, it -could- affect the speed at which you resolve host names, and hence will affect the speed at which you can browse.
Although, this issue does not appear to have affected me because I use the 'unbound' ( http://www.unbound.net/ ) resolver daemon which, upon initial checks, ignores this limit and continues to use UDP regardless.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot post attachments in this forum
Login |
View unanswered posts | View active topics
