Asymmetric QoS for 2 NATed networks

Hello.
I am new to this forum, so please forgive any mistakes.

For two days I have been trying to set up asymmetric QoS for my NATed networks. I have a few questions, but first I will try to explain my situation exactly.

Suppose we have the following configuration:

eth1 -\
       |- bridge1 -\
eth2 -/             \
                     |- srcnat (masq) - eth5
eth3 -\             /
       |- bridge2 -/
eth4 -/

eth6 - router admin

addresses:
bridge1 - 192.168.1.1/24 (LAN1)
bridge2 - 192.168.2.1/24 (LAN2)
eth5 - 10.0.0.1/30 (as a sample public IP)
eth6 - 172.16.0.1/24 (only for router administration access)

/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.2.1/24 interface=bridge2 network=192.168.2.0
add address=10.0.0.1/30 interface=eth5 network=10.0.0.0
add address=172.16.0.1/24 interface=eth6 network=172.16.0.0

/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth5
add action=masquerade chain=srcnat src-address=192.168.2.0/24 to-addresses=0.0.0.0

/ip route
add distance=1 gateway=10.0.0.2

(security filter rules omitted)

Now what we want:
1 - limit all traffic from LAN1 and LAN2 going to eth5 to some value
2 - divide all traffic going outside (from 1) equally among all users (independent of which network they are on)
3 - divide a user's outgoing traffic equally among each of his connections
4 - Important! No limit on traffic from one user to another user!
5 - limit all incoming traffic (coming from eth5)
7 - divide all incoming traffic equally among every user (independent of LAN)
8 - divide a user's incoming traffic equally among each of his connections
9 - No limit on traffic between users.

(Example)
We have 5 users: u1, u2, u3 on LAN1 and u4, u5 on LAN2,
and let's say u1, u2, u4 have 2 active connections and u3, u5 have 4 active connections.
1 - limit all traffic from u1..u5 to 5Mbit
2 - then u1, u2, u3, u4 and u5 can each send 1Mbit
3 - u1, u2, u4 have 2 connections, each 512kbit; u3, u5 have 4 connections, each 256kbit
4 - It is important that in this example there is no connection e.g. from u1 to u4. It cannot be limited!
5 - limit all traffic to u1..u5 (from eth5) to 10Mbit
7 - then all users can download at the same speed: 2Mbit
8 - u1, u2, u4: 1Mbit per connection, and u3, u5: 512kbit per connection
9 - All traffic between users (e.g. u1 → u2, u2 → u5) is not limited, and administrative traffic on eth6 is not limited either.

I know that in QoS the sum of the traffic must be somewhat lower than the total capacity, but to simplify the example I divided it all.

IMPORTANT: I cannot use: /interface bridge settings use-ip-firewall=yes
because it incredibly decreases local traffic speed.

So, first question, about HTB:
Where do I place the HTB for incoming traffic? (for outgoing I think it must be: parent: eth5)
If I use global, how do I exclude local traffic from it?

Next, how to mangle the traffic?
If I mark the connection and then the packets (for speed reasons), I mark packets in all directions. Will it be OK when I use HTB on other interfaces? Or must I mark outgoing and incoming packets separately?

Are packets from LANx to eth5 (srcnat) routed or bridged? (in my opinion they must be routed, but I never found an answer)

How can I easily check whether I mark the correct packets - is there a simple tool to check it?

Thanks in advance for any hint

First, you don't need two masquerade rules, remove this one:
action=masquerade chain=srcnat src-address=192.168.2.0/24 to-addresses=0.0.0.0

What you are looking for requires careful mangle rules which will mark packets, and then using those packet marks in a queue tree with PCQ.
To allow traffic between the two networks you should add mangle rules which should stay on top of the others:

/ip firewall mangle
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept

Then the other rules will follow, which mark traffic from LAN to WAN and vice versa, like:

/ip firewall mangle
add chain=forward action=mark-connection new-connection-mark=down_bridge1 in-interface=ether5 out-interface=bridge1
add chain=forward action=mark-packet new-packet-mark=down_bridge1 connection-mark=down_bridge1

and so on
Once you have marked the traffic, use those marks on queue tree. The Upload queue is attached to the outgoing interface, ether5 in your case. The download queue is attached to the global interface since you have two LAN interfaces and you don’t want to create two different trees for them. The above are the parent queues, something like:

/queue tree
add name="upload" parent=ether5 packet-mark="" limit-at=0 queue=default priority=8 max-limit=10M burst-limit=0 burst-threshold=0 burst-time=0s 
add name="download" parent=global packet-mark="" limit-at=0 queue=default priority=8 max-limit=10M burst-limit=0 burst-threshold=0 burst-time=0s

This is supposed to be a 10M up and down bandwidth, but change it to your own specifications.
Then you add the child queues, like:

/queue tree
add name="down_bridge1" parent=download packet-mark=down_bridge1 limit-at=2M queue=PcqDown priority=1 max-limit=10M burst-limit=0 burst-threshold=0 burst-time=0s

and so on
Be careful though with the marks. The download queue is attached to the global interface, which means all interfaces, so what will distinguish the traffic there for the queue are the marks established in mangle.
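A complete version of the scheme described in this reply, written as an added example (it is not configuration posted by anyone in the thread). It assumes RouterOS v6 CLI syntax, the interface names and subnets from the first post, the 5M up / 10M down figures from the worked example, and invented names for the address list, marks and queue types (LAN, inet_conn, upload, download, pcq_up, pcq_down). The point it adds to the reply above is how to stop connection marks from putting both directions of a connection into the same queue: the connection is marked once, on its first packet, and each packet then gets one of two packet marks chosen by the direction of that packet.

```routeros
# Added example (not from the thread): RouterOS v6, interface names and
# subnets from the first post, all list/mark/queue names are assumptions.

# One address list so a single rule can match "any LAN host" on either bridge.
/ip firewall address-list
add list=LAN address=192.168.1.0/24
add list=LAN address=192.168.2.0/24

/ip firewall mangle
# LAN1<->LAN2 is routed by the box (two subnets, two bridges), so it does pass
# chain=forward without use-ip-firewall. action=accept ends mangle processing
# for the packet: no mark, therefore no queue. Must stay above the mark rules.
add chain=forward src-address-list=LAN dst-address-list=LAN action=accept \
    comment="LAN<->LAN: never queued"
# Traffic to/from the router itself (admin on eth6, DNS to the box) is in the
# input/output chains, not forward, so these rules never see it.

# Mark the connection once, on its first packet, whichever side opened it.
add chain=forward connection-state=new src-address-list=LAN out-interface=eth5 \
    action=mark-connection new-connection-mark=inet_conn passthrough=yes
add chain=forward connection-state=new in-interface=eth5 dst-address-list=LAN \
    action=mark-connection new-connection-mark=inet_conn passthrough=yes

# Every packet of a marked connection gets exactly one packet mark, chosen by
# the direction of THIS packet (not of the connection). passthrough=no stops
# after the first mark-packet rule that matches.
add chain=forward connection-mark=inet_conn out-interface=eth5 \
    action=mark-packet new-packet-mark=upload passthrough=no
add chain=forward connection-mark=inet_conn in-interface=eth5 \
    action=mark-packet new-packet-mark=download passthrough=no

/queue type
# pcq-rate=0: no cap per sub-stream; the parent's max-limit is shared equally
# among whichever sub-streams (here: LAN hosts) are active right now.
add name=pcq_up   kind=pcq pcq-classifier=src-address pcq-rate=0
add name=pcq_down kind=pcq pcq-classifier=dst-address pcq-rate=0

/queue tree
# Two independent HTBs under the global queue, one per direction. The packet
# marks, not the interfaces, decide which tree a packet enters; unmarked
# packets (LAN<->LAN, admin) match no leaf and are not queued at all.
add name=upload   parent=global max-limit=5M  queue=default
add name=upload_users   parent=upload   packet-mark=upload   queue=pcq_up   max-limit=5M
add name=download parent=global max-limit=10M queue=default
add name=download_users parent=download packet-mark=download queue=pcq_down max-limit=10M

# Checking that the right packets are marked: counters only move on rules
# that actually matched, and the leaf queues must show bytes in both trees.
/ip firewall mangle print stats
/ip firewall connection print where connection-mark=inet_conn
/queue tree print stats
```

Two caveats a practitioner should keep in mind. First, this gives one level of fairness per direction: PCQ splits the parent's limit equally among the addresses it classifies on, so requirements 2 and 7 (equal share per user across both LANs) are met, but a single PCQ cannot also split each user's share equally among that user's connections (requirements 3 and 8); a classifier such as src-address,src-port,dst-address,dst-port would make every flow a sub-stream and give a 4-connection user twice the share of a 2-connection user, which is not what the first post asks for. Second, both trees sit under global rather than attaching upload to eth5 as the reply above suggests; the interface HTB is the last stop before the wire, so if you move the upload leaf there, check with /queue tree print stats that the PCQ is still creating one sub-stream per LAN host rather than a single one for the masqueraded address.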

  1. The second masquerade is for a hotspot network. They must be isolated (the example I show is simplified only to show the idea; real usage is more complicated).

  2. “To allow traffic between the two networks you should add mangle rules which should stay on top of the others:”
    Is it necessary? Does this traffic go through the router, not only through the bridge?
    To mangle it, I must turn on bridge use-ip-firewall (I can't do that due to performance reasons).

  3. Now, marking packets. You tell me to first mark the connection, then the packets in the connection. I read that this is good for performance, but in this way I mark all packets, outgoing and incoming. So how do I distinguish them in the queue (I want a different limit for outgoing and a different one for incoming)?

  4. Queues. The upload queue is clear to me. But download. I must use global.
    So global counts all incoming, outgoing and local traffic. So how do I prioritize only download?
    Second. Where is the “global HTB” in the flow diagram?

The traffic between the two networks goes through the router, since it is the router connecting them. For example, when you want to connect to device 192.168.2.24 from device 192.168.1.17, the device 192.168.1.17 will send a request to the router, and the router will then look for 192.168.2.24 and establish the connection. You don’t need to activate use-ip-firewall in the bridge.

You will not mark all connections if you specify the direction of the connection, as in the example I put in the first post. You will mark connections coming from WAN to LAN1 and vice versa, and so on.

The global interface includes all interfaces, but by using the marks from mangle in the queue it will actually account only for those packets. This is done with the aim of having one queue tree for the download instead of two (one for each LAN interface). In a normal configuration the download queue is attached to the LAN interface, but in this case you have two of them, so it is better to group the two together.
You should read about the PCQ queue in the wiki as well; it is important to understand it correctly.

Sorry for the long delay.
But reading and understanding everything took me some time ;)

Thanks very much. Your replies were very helpful. :)