Correct Mangle for 2 ISPs and priority of traffic

Situation:
RB951 6.34.4, ccr1036 (the same situation on both of them)

2 ISPs

These are the mangle rules to route traffic through the 2 ISPs.

0    ;;; ISP1_3_1-StaticRoute-Client-fromAL-Direct
      chain=prerouting action=mark-routing new-routing-mark=ISP1-rt passthrough=no connection-state=new dst-address-list=to-ISP1 log=no log-prefix="" 

 1    ;;; ISP1_4_1-StaticRoute-MIK-OUT-fromAL-Direct
      chain=output action=mark-connection new-connection-mark=ISP1-con-out-static passthrough=yes dst-address-list=to-ISP1 log=no log-prefix="" 

 2    ;;; ISP1_4_2-StaticRoute-MIK-OUT-fromAL-Direct
      chain=output action=mark-routing new-routing-mark=ISP1-rt passthrough=no connection-mark=ISP1-con-out-static log=no log-prefix="" 

 3    ;;; ISP2_3_1-StaticRoute-Client-fromAL-Direct
      chain=prerouting action=mark-routing new-routing-mark=ISP2-rt passthrough=no connection-state=new dst-address-list=to-ISP2 log=no log-prefix="" 

 4    ;;; ISP2_4_1-StaticRoute-MIK-OUT-fromAL-Direct
      chain=output action=mark-connection new-connection-mark=ISP2-con-out-static passthrough=yes dst-address-list=to-ISP2 log=no log-prefix="" 

 5    ;;; ISP2_4_2-StaticRoute-MIK-OUT-fromAL-Direct
      chain=output action=mark-routing new-routing-mark=ISP2-rt passthrough=no connection-mark=ISP2-con-out-static log=no log-prefix="456" 

 6    ;;; ISP1_1_1-cli-Out-must-send-back
      chain=forward action=mark-connection new-connection-mark=ISP1-con passthrough=yes in-interface=ether2-master-local log=no log-prefix="" 

 7    ;;; ISP1_1_2-send-back-mark
      chain=prerouting action=mark-routing new-routing-mark=ISP1-rt passthrough=no src-address=192.168.0.0/24 connection-mark=ISP1-con log=no log-prefix="" 

 8    ;;; ISP1_2_1_input_to_router-TCP - ISP1-con-in
      chain=input action=mark-connection new-connection-mark=ISP1-con-in passthrough=yes connection-state=new dst-address-list=ISP1 in-interface=ether2-master-local log=no log-prefix="ISP1_INPUT" 

 9    ;;; ISP1_2_2_input_to_router-OUTPUT_route_mark
      chain=output action=mark-routing new-routing-mark=ISP1-rt passthrough=no connection-mark=ISP1-con-in log=no log-prefix="" 

10    ;;; ISP1_5_1-MIK-OUT
      chain=output action=mark-connection new-connection-mark=ISP1-con-out-mik passthrough=yes connection-state=new out-interface=ether2-master-local log=no log-prefix="" 

11    ;;; ISP1_5_2-MIK-OUT
      chain=output action=mark-routing new-routing-mark=ISP1-rt passthrough=no connection-mark=ISP1-con-out-mik log=no log-prefix="" 

12    ;;; ISP2_1_1
      chain=forward action=mark-connection new-connection-mark=ISP2-con passthrough=yes in-interface=pppoe-out1 log=no log-prefix="" 

13    ;;; ISP2_1_2-send-back-mark
      chain=prerouting action=mark-routing new-routing-mark=ISP2-rt passthrough=no src-address=192.168.0.0/24 connection-mark=ISP2-con log=no log-prefix="" 

14    ;;; ISP2_2_1_input_to_router-TCP
      chain=input action=mark-connection new-connection-mark=ISP2-con-in passthrough=yes connection-state=new dst-address-list=ISP2 in-interface=pppoe-out1 log=no log-prefix="" 

15    ;;; ISP2_2_2_input_to_router-OUTPUT_route_mark
      chain=output action=mark-routing new-routing-mark=ISP2-rt passthrough=no connection-mark=ISP2-con-in log=no log-prefix="" 

16    ;;; ISP2_5_1-MIK-OUT
      chain=output action=mark-connection new-connection-mark=ISP2-con-out-mik passthrough=yes connection-state=new out-interface=pppoe-out1 log=no log-prefix="" 

17    ;;; ISP2_5_2-MIK-OUT
      chain=output action=mark-routing new-routing-mark=ISP2-rt passthrough=no connection-mark=ISP2-con-out-mik log=no log-prefix=""

Everything was perfect, until problems started with the VPNs disconnecting, because users are downloading or uploading too much.

Question 1 - are these rules correct?
I’m not sure about rules 8-11 and 14-17, about “connection-state=new”. If I disable “connection-state=new”, rules 8-9 start to mark traffic that goes not only TO mik, but also traffic that goes FROM mik (L2TP,…)

Question 2 - what is the most correct way to give priority to upgoing and downgoing VPN traffic (when users saturate the ISP channel, the VPN starts to disconnect)?
I tried to mangle output and input traffic from my “White” IPs (those rules are not in the list now, because I deleted them), but when I enable those mangle rules (passthrough=yes), the traffic does not get re-marked a second time.

hmm… no one answers…

OK, maybe someone can tell me how to make VPN traffic between the MikroTiks work without big delays and disconnects when users overload the ISP interfaces?

What is the correct way to mark traffic in MANGLE that is
1 - going FROM MIK
2 - going TO MIK

If you’re using queue trees (maybe simple queues too, but it’s been a while since I really did any hands-on with QoS in Mikrotik) then perhaps you could sneak a few packet mark rules into the postrouting chain which do a packet mark on high-priority traffic. You’ll have to do it on a per-packet basis because the connection marks are being used to keep the routing flows going over the proper ISP links.

If you know you want to give priority to, say ESP packets (you don’t specify what protocol your VPN uses) then you could make a simple mark packet rule in the postrouting chain that matches protocol=esp (IPSec payload) new-packet-mark=vpn passthrough=no
and then a rule right behind that one: mark all packets packet-mark=besteffort

Then you make a queue tree on each WAN interface with the parent queue having the max-limit=ISP upstream bandwidth, and then two child queues of the parent queue with a high priority queue for VPN and a low priority queue for everything else.
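The approach in the reply above, written out as RouterOS commands (an added example, not the original poster’s config or the replier’s). It assumes ISP1’s uplink is ether2-master-local and ISP2’s is pppoe-out1, as the posted rules suggest, that the VPN is L2TP/IPsec (ESP, or UDP 500/4500/1701 when NAT-T is in play), and placeholder uplink rates of 10M and 5M; RouterOS spells the ESP protocol matcher ipsec-esp.

```routeros
# Added example, not the poster's config. Assumed: ISP1 uplink on
# ether2-master-local, ISP2 uplink on pppoe-out1, VPN is L2TP/IPsec,
# placeholder uplink rates of 10M (ISP1) and 5M (ISP2).
/ip firewall mangle
# Packet marks (per packet, not per connection) so the routing-mark scheme
# above is untouched. passthrough=no stops evaluation, so the catch-all
# rule only sees packets the VPN rules did not claim.
add chain=postrouting protocol=ipsec-esp action=mark-packet \
    new-packet-mark=vpn passthrough=no comment="QoS: IPsec ESP (VPN)"
add chain=postrouting protocol=udp port=500,4500,1701 action=mark-packet \
    new-packet-mark=vpn passthrough=no comment="QoS: IKE, NAT-T, L2TP"
add chain=postrouting action=mark-packet \
    new-packet-mark=besteffort passthrough=no comment="QoS: everything else"

/queue tree
# Parent max-limit sits just below each ISP's real uplink rate so this
# queue, not the ISP modem, is the bottleneck; otherwise priority has no
# effect. priority=1 is highest, priority=8 lowest.
add name=ISP1-up parent=ether2-master-local max-limit=9M
add name=ISP1-up-vpn parent=ISP1-up packet-mark=vpn priority=1 \
    limit-at=2M max-limit=9M
add name=ISP1-up-other parent=ISP1-up packet-mark=besteffort priority=8 \
    limit-at=1M max-limit=9M

add name=ISP2-up parent=pppoe-out1 max-limit=4500k
add name=ISP2-up-vpn parent=ISP2-up packet-mark=vpn priority=1 \
    limit-at=1M max-limit=4500k
add name=ISP2-up-other parent=ISP2-up packet-mark=besteffort priority=8 \
    limit-at=500k max-limit=4500k
```

Packet marks set in postrouting are visible to interface-parented queue trees, so the same two child queues under a parent on the LAN-facing interface handle the download direction. Check with /queue tree print stats that the vpn children’s packet counters rise while a VPN is in use.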