Bandwidth management, queues not catching all traffic

Hi, I tried moving my Linux shaping config over to RouterOS but it’s not working really well. eth5 is modem. 6.20

        /interface bridge
        add mtu=1500 name=bridge1 protocol-mode=none
        /queue simple
        add limit-at=8192k/960k max-limit=8192k/960k name=queue1 queue=pcq-download-default/pcq-upload-default target=ether5
        add limit-at=5M/512k max-limit=8192k/960k name=queue2 packet-marks=test1 parent=queue1 target=ether5
        add limit-at=2M/384k max-limit=8192k/960k name=queue3 packet-marks=test2 parent=queue1 target=ether5
        /interface bridge port
        add bridge=bridge1 interface=ether1
        add bridge=bridge1 interface=ether2
        add bridge=bridge1 interface=ether3
        add bridge=bridge1 interface=ether4
        add bridge=bridge1 interface=wlan1
        /ip address
        add address=10.25.50.1/24 interface=bridge1 network=10.25.50.0
        /ip dhcp-client
        add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether5
        /ip firewall filter
        add chain=input connection-state=established in-interface=ether5
        add chain=input connection-state=related in-interface=ether5
        add action=drop chain=input in-interface=ether5
        /ip firewall mangle
        add action=mark-packet chain=postrouting dst-port=25 new-packet-mark=test1 out-interface=ether5 passthrough=no protocol=tcp
        add action=mark-packet chain=postrouting dst-port=80 new-packet-mark=test1 out-interface=ether5 passthrough=no protocol=tcp
        add action=mark-packet chain=postrouting dst-port=443 new-packet-mark=test1 out-interface=ether5 passthrough=no protocol=tcp
        add action=mark-packet chain=postrouting new-packet-mark=test1 out-interface=ether5 passthrough=no protocol=tcp src-port=25
        add action=mark-packet chain=postrouting new-packet-mark=test1 out-interface=ether5 passthrough=no protocol=tcp src-port=80
        add action=mark-packet chain=postrouting new-packet-mark=test1 out-interface=ether5 passthrough=no protocol=tcp src-port=443
        add action=mark-packet chain=postrouting dst-port=3724 new-packet-mark=test2 out-interface=ether5 passthrough=no protocol=tcp
        /ip firewall nat
        add chain=srcnat dst-address=10.30.10.0/24 out-interface=ether5
        add action=dst-nat chain=dstnat dst-port=25 in-interface=ether5 protocol=tcp to-addresses=10.25.50.10
        add action=dst-nat chain=dstnat dst-port=80 in-interface=ether5 protocol=tcp to-addresses=10.25.50.65
        add action=dst-nat chain=dstnat dst-port=443 in-interface=ether5 protocol=tcp to-addresses=10.25.50.65
        add action=masquerade chain=srcnat out-interface=ether5 to-addresses=0.0.0.0
        /ip route
        add distance=1 gateway=ether5

What I want to do is limit the global modem bandwidth to 8192k/960k, be sure that http, ssl and smtp traffic get at least 5M/512k (up to the limit of 8192k/960k with the unmarked packets). So when the link is full of traffic I get responsive http, ssl and smtp anyway. I also have ipsec configured that I removed from the previous config, please tell me if I have something to configure regarding that (unmarked packets, but I still want everything falling under the 8192k/960k global limit).

Under Linux I had a working script for years:

        tc qdisc add dev eth0 root        handle  1:   htb default 10 r2q 1                             # IT ALL GOES HERE
        tc class add dev eth0 parent 1:   classid 1:1  htb rate 960kbit quantum 1500                    # IT ALL GOES HERE
        tc class add dev eth0 parent 1:1  classid 1:10 htb rate 960kbit #ceil 1024kbit                  # IT ALL GOES HERE
        tc qdisc add dev eth0 parent 1:10 handle  2:   htb default 10 r2q 1                             # IT ALL GOES HERE
        tc class add dev eth0 parent 2:   classid 2:1  htb rate 960kbit #ceil 1024kbit                  # IT ALL GOES HERE
        tc class add dev eth0 parent 2:1  classid 2:10 htb rate 48kbit  ceil 960kbit                    # IT ALL GOES HERE
        tc class add dev eth0 parent 2:1  classid 2:20 htb rate 512kbit ceil 960kbit                    # QoS WoW
        tc class add dev eth0 parent 2:1  classid 2:30 htb rate 384kbit ceil 960kbit                    # QoS HTTP
        tc class add dev eth0 parent 2:1  classid 2:40 htb rate 16kbit  ceil 960kbit                    # QoS IPSEC
        tc class add dev eth0 parent 1:1  classid 1:11 htb rate 4200bps                                 # SLOW LINK
        tc class add dev eth0 parent 1:1  classid 1:21 htb rate 4200bps                                 # SLOW LINK
        tc class add dev eth0 parent 1:1  classid 1:31 htb rate 4200bps                                 # SLOW LINK
        tc class add dev eth0 parent 1:1  classid 1:41 htb rate 4200bps                                 # SLOW LINK
        tc class add dev eth0 parent 1:1  classid 1:51 htb rate 4200bps                                 # SLOW LINK
        tc filter add dev eth0 protocol ip parent 2:0  prio 1 handle 9  fw flowid 2:20
        tc filter add dev eth0 protocol ip parent 2:0  prio 1 handle 8  fw flowid 2:30
        tc filter add dev eth0 protocol ip parent 2:0  prio 1 handle 7  fw flowid 2:40
        tc filter add dev eth0 protocol ip parent 1:0  prio 1 handle 11 fw flowid 1:11
        tc filter add dev eth0 protocol ip parent 1:0  prio 1 handle 21 fw flowid 1:21
        tc filter add dev eth0 protocol ip parent 1:0  prio 1 handle 31 fw flowid 1:31
        tc filter add dev eth0 protocol ip parent 1:0  prio 1 handle 41 fw flowid 1:41
        tc filter add dev eth0 protocol ip parent 1:0  prio 1 handle 51 fw flowid 1:51

        tc qdisc add dev eth1 root        handle 1:    htb default 10 r2q 1                             # IT ALL GOES HERE
        tc class add dev eth1 parent 1:   classid 1:1  htb rate 8192kbit quantum 1500                   # IT ALL GOES HERE
        tc class add dev eth1 parent 1:1  classid 1:10 htb rate 8192kbit #ceil 100mbit quantum 1500     # IT ALL GOES HERE
        tc qdisc add dev eth1 parent 1:10 handle  2:   htb default 10 r2q 1                             # IT ALL GOES HERE
        tc class add dev eth1 parent 2:   classid 2:1  htb rate 8192kbit #ceil 1024kbit                 # IT ALL GOES HERE
        tc class add dev eth1 parent 2:1  classid 2:10 htb rate 496kbit  ceil 8192kbit                  # IT ALL GOES HERE
        tc class add dev eth1 parent 2:1  classid 2:20 htb rate 1536kbit ceil 8192kbit                  # QoS WoW
        tc class add dev eth1 parent 2:1  classid 2:30 htb rate 2048kbit ceil 8192kbit                  # QoS HTTP
        tc class add dev eth1 parent 2:1  classid 2:40 htb rate 16kbit   ceil 8192kbit                  # QoS IPSEC
        tc class add dev eth1 parent 1:1  classid 1:12 htb rate 7000bps                                 # SLOW LINK
        tc class add dev eth1 parent 1:1  classid 1:22 htb rate 7000bps                                 # SLOW LINK
        tc class add dev eth1 parent 1:1  classid 1:32 htb rate 7000bps                                 # SLOW LINK
        tc class add dev eth1 parent 1:1  classid 1:42 htb rate 7000bps                                 # SLOW LINK
        tc class add dev eth1 parent 1:1  classid 1:52 htb rate 7000bps                                 # SLOW LINK
        tc filter add dev eth1 protocol ip parent 2:0  prio 1 handle 9  fw flowid 2:20
        tc filter add dev eth1 protocol ip parent 2:0  prio 1 handle 8  fw flowid 2:30
        tc filter add dev eth1 protocol ip parent 2:0  prio 1 handle 7  fw flowid 2:40
        tc filter add dev eth1 protocol ip parent 1:0  prio 1 handle 12 fw flowid 1:12
        tc filter add dev eth1 protocol ip parent 1:0  prio 1 handle 22 fw flowid 1:22
        tc filter add dev eth1 protocol ip parent 1:0  prio 1 handle 32 fw flowid 1:32
        tc filter add dev eth1 protocol ip parent 1:0  prio 1 handle 42 fw flowid 1:42
        tc filter add dev eth1 protocol ip parent 1:0  prio 1 handle 52 fw flowid 1:52

Thanks for any input!

Consider marking all the other packets as well and managing them with queues too. Queues only work if all packets go through them.

Just add a firewall rule to mark all packets below the other rules that mark packets. Then make a new queue and put them at lower priority if that is what you want.
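
The catch-all described in the replies above, sketched as RouterOS v6 configuration. This is an added example, not part of the original thread; the mark name `rest`, the queue name `queue-rest`, its `limit-at` values and the priority numbers are assumptions, while `queue1`, `queue2`, `queue3` and `ether5` come from the posted config.

```routeros
# Added example (not from the thread). Assumed names: packet mark "rest",
# queue "queue-rest"; limit-at and priority values are placeholders to tune.

/ip firewall mangle
# Must sit below the existing test1/test2 rules: those use passthrough=no,
# so a packet that reaches this rule matched none of them.
# It mirrors the posted matchers, so it only sees packets leaving via ether5.
add action=mark-packet chain=postrouting new-packet-mark=rest out-interface=ether5 passthrough=no comment="catch-all"

/queue simple
# Child of queue1, so the remainder shares the 8192k/960k ceiling.
# Keep the sum of the children's limit-at at or below the parent's max-limit.
add name=queue-rest parent=queue1 packet-marks=rest target=ether5 limit-at=512k/32k max-limit=8192k/960k priority=8/8

# 8 is both the lowest priority and the default, so to rank the remainder
# below the marked classes, raise those classes instead.
set [find name=queue2] priority=4/4
set [find name=queue3] priority=4/4

# Check: the catch-all rule's counters should climb under load, and
# queue-rest should show traffic instead of it bypassing the child queues.
/ip firewall mangle print stats
/queue simple print stats
```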

Thank you, it seems to work now!