Hi guys,
I’m just trying to implement Queue Tree to prioritize traffic. Everything is ok except that I can’t mark connection based on TOS, for example I would like to mark all video traffic and put that traffic to low priority in the tree.
When I packet sniff incoming traffic I see that it has 0 value in TOS:
I added firewall mange to catch this kind of traffic but it can’t see it:
Any ideas?
Thanks
Provide full config: ip firewall mangle export
add action=mark-connection chain=forward comment=Stream layer7-protocol="Video Streaming" new-connection-mark=Stream passthrough=yes
add action=mark-packet chain=forward connection-mark=Stream new-packet-mark=Video passthrough=no
add action=mark-packet chain=forward comment=Video connection-mark=Video new-packet-mark=Video passthrough=no
add action=mark-connection chain=prerouting comment=Browsing connection-bytes=0-1000000 in-interface=WAN new-connection-mark=Browsing passthrough=yes protocol=tcp src-port=80,443
add action=mark-packet chain=prerouting comment=Browsing connection-mark=Browsing new-packet-mark=Browsing passthrough=no
add action=mark-connection chain=prerouting comment=Download connection-bytes=1000000-0 in-interface=WAN new-connection-mark=Download passthrough=yes protocol=tcp src-port=80,443
add action=mark-packet chain=prerouting comment=Download connection-mark=Download new-packet-mark=Download passthrough=no
add action=mark-packet chain=forward comment=ICMP connection-mark=ICMP new-packet-mark=ICMP passthrough=no
add action=mark-packet chain=forward dst-address-list=!Local dst-port=80 new-packet-mark=HTTP passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=443 new-packet-mark=HTTPS passthrough=no protocol=tcp
add action=mark-packet chain=forward new-packet-mark=UDP-100 packet-size=0-100 passthrough=no protocol=udp
add action=mark-packet chain=forward new-packet-mark=UDP-500 packet-size=100-500 passthrough=no protocol=udp
add action=mark-packet chain=forward new-packet-mark=UDP-Other passthrough=no protocol=udp
add action=mark-packet chain=forward dst-port=110 new-packet-mark=POP3 passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=25 new-packet-mark=SMTP passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=143 new-packet-mark=IMAP passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=587 new-packet-mark=SMTPS passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=995 new-packet-mark=POP3S passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=993 new-packet-mark=IMAPS passthrough=no protocol=tcp
add action=mark-packet chain=forward new-packet-mark=GRE passthrough=no protocol=gre
add action=mark-packet chain=forward new-packet-mark=IPSec-ESP passthrough=no protocol=ipsec-esp
add action=mark-packet chain=forward new-packet-mark=IPSec-AH passthrough=no protocol=ipsec-ah
add action=mark-packet chain=forward new-packet-mark=IPEncap passthrough=no protocol=ipencap
add action=mark-packet chain=forward new-packet-mark=IPIP passthrough=no protocol=ipip
add action=mark-packet chain=forward new-packet-mark=P2P p2p=all-p2p passthrough=no
add action=mark-packet chain=forward comment="All other" new-packet-mark=Other packet-mark=no-mark passthrough=no
add action=mark-connection chain=forward comment=ICMP new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting comment="New Connection" connection-state=new new-connection-mark=no-mark passthrough=yes
add action=mark-packet chain=prerouting new-packet-mark=no-mark passthrough=yes
add action=mark-connection chain=prerouting comment=Video dscp=61 new-connection-mark=Video passthrough=yes protocol=udp
also when I watch youtube and monitor it traffic using wireshark, the DSCP value is always eather 0 or 4:
So you want to set DSCP or match DSCP? With current rule set you are trying to match specific value.
When your goal is to priority traffic in a couple of different categories, it is best to first evaluate the typical TOS values observed in the traffic and when it is not to your liking, adjust it (e.g from 0 to some other value).
Then, copy the TOS to the priority field of the packets using:
/ip firewall mangle
add action=set-priority chain=postrouting comment="From dscp high 3 bits" \
new-priority=from-dscp-high-3-bits passthrough=yes
This will copy the highest 3 bits of the TOS (DSCP) into the priority, giving 8 different priority classes to work with, usually more than enough.
Now, you can set some packet marks from this:
add action=mark-packet chain=postrouting comment="Priority 0" \
new-packet-mark=prio0 passthrough=no priority=0
add action=mark-packet chain=postrouting comment="Priority 1" \
new-packet-mark=prio1 passthrough=no priority=1
add action=mark-packet chain=postrouting comment="Priority 2" \
new-packet-mark=prio2 passthrough=no priority=2
add action=mark-packet chain=postrouting comment="Priority 3" \
new-packet-mark=prio3 passthrough=no priority=3
add action=mark-packet chain=postrouting comment="Priority 4" \
new-packet-mark=prio4 passthrough=no priority=4
add action=mark-packet chain=postrouting comment="Priority 5" \
new-packet-mark=prio5 passthrough=no priority=5
add action=mark-packet chain=postrouting comment="Priority 6" \
new-packet-mark=prio6 passthrough=no priority=6
add action=mark-packet chain=postrouting comment="Priority 7" \
new-packet-mark=prio7 passthrough=no priority=7
so you have a different packet mark for each priority value. You can then use these packet marks in a queue tree:
/queue tree
add comment="Internet 10 Mbps uplink" limit-at=9500k max-limit=9500k name=\
queue-ether1 parent=ether1-inet queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p1 packet-mark=prio7 parent=\
queue-ether1 priority=1 queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p2 packet-mark=prio6 parent=\
queue-ether1 priority=2 queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p3 packet-mark=prio5 parent=\
queue-ether1 priority=3 queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p4 packet-mark=prio4 parent=\
queue-ether1 priority=4 queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p5 packet-mark=prio3 parent=\
queue-ether1 priority=5 queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p6 packet-mark=prio0 parent=\
queue-ether1 priority=6 queue=default
add limit-at=2M max-limit=5M name=queue-ether1-p7 packet-mark=prio2 parent=\
queue-ether1 priority=7 queue=default
add limit-at=2M max-limit=5M name=queue-ether1-p8 packet-mark=prio1 parent=\
queue-ether1 queue=default
Note the “strange order” of the last 3 lines, that is because the top 3 bits of TOS are defined in that strange way to
allow priorities 1 and 2 to be “below normal” where normal was defined as 0. Due to an oversight in the original
TOS definition one could only specify priorities higher than normal.
(what we really need from MikroTik is a function to set priority from DSCP in a way that reflects the common usage
of DSCP code points. But often the above method is good enough. DSCP “assured forwarding” code points can
sometimes be problematic)
Thanks!!!
So, actually I can just replace my queue tree with yours and forget about classifying things with their names and protocols, right? btw, Is it required to set bandwidth limits?
I tested the mangle priorities, prio0 is active when I watch movie, but I wonder which priority is “responsible” for ping packets for example? Because all I see now is that only prio0 and prio6 are showing bytes and packets.
Yes, I use those queue trees on many routers. You need to set the limit-at and max-limit at top level to some 5% less than the actual upload speed of your line, and the max-limit of each priority to maybe 80-90% of that. It depends on the local situation: when you have only cooperating users, these settings are OK, when you have people who like to exploit the system to their advantage, you want to set a lower max-limit for the high priorities (prio3-7).
The limit-at for the 8 queues is not that important, you can set it to 1/4 of the speed.
Now your next issue is “first evaluate the typical TOS values observed in the traffic and when it is not to your liking, adjust it”.
You need to check what different TOS values are seen in your system for the different protocols you use (e.g. use TORCH and enable the DSCP item).
When they are not to your liking, you can match the protocols or addresses and adjust the TOS values. That would be done ABOVE the mangle rules shown.
It is a good idea to use connection marking to mark the connections you want to change, and then change TOS based on these connection markings.
That way you are sure the marking works in both directions.
Example:
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Traffic from cam -> mark for lower prio" connection-mark=no-mark dscp=0 \
in-interface=bridge.vlan58 new-connection-mark=cs2 passthrough=yes \
protocol=tcp src-address=1.2.3.4
add action=mark-connection chain=prerouting comment=\
"Traffic from nvr -> mark for lower prio" connection-mark=no-mark dscp=0 \
in-interface=bridge.vlan58 new-connection-mark=cs2 passthrough=yes \
protocol=tcp src-address=1.2.3.4 src-port=554
add action=mark-connection chain=prerouting comment=\
"Traffic from webstream -> mark for lower prio" connection-mark=no-mark \
dscp=0 dst-port=1935 in-interface=bridge.vlan58 new-connection-mark=cs2 \
passthrough=yes protocol=tcp
add action=change-dscp chain=postrouting comment=\
"cs1 marked connection -> DSCP 8" connection-mark=cs1 dscp=0 new-dscp=8 \
passthrough=yes
add action=change-dscp chain=postrouting comment=\
"cs2 marked connection -> DSCP 16" connection-mark=cs2 dscp=0 new-dscp=16 \
passthrough=yes
add action=change-dscp chain=postrouting comment=\
"cs3 marked connection -> DSCP 24" connection-mark=cs3 dscp=0 new-dscp=24 \
passthrough=yes
Here, some traffic is matched (similar to what you did above) and a connection mark
is put on it, and then the traffic with that connection mark, but with TOS/DSCP 0, is
changed to another TOS/DSCP.
That is then fed into the 8-queue solution shown above.
In this case, cs1 is lowest priority, cs2 is one step higher, the next level is the default (DSCP 0),
and cs3 is again a priority level above that (prio3).
Devices that know they need a higher priority (like VoIP phones), will set a DSCP like 46
which will map to prio5.
veery long time 
I came back to this problem.
someone on this forum mentioned that the DSCP traffic prioritization can’t work for incoming traffic but only for outgoing. Is that true? Maybe this is why I see ZERO value in TOS field in the packet sniffer?
Problem is that there is no value in TOS for me to “convert” it into priority values.
Anyway, all traffic is marked by priority 0 for some reason no matter if it’s youtube or file transfer.
Well, queuing only works for outgoing traffic. You cannot tell the other side to sort traffic according to priority.
There used to be some ISPs that always set TOS to 0 on all packets because they did not want to be involved in an arms race for ever higher priority requested by some users. But that is becoming less common because of the heavy use of VoIP that requires a bit of priority over background traffic.
Still, you cannot tell others (youtube, file transfer services) what TOS they should use on their traffic.
So yes, TOS/DSCP based traffic priority is for outgoing traffic. For better handling of incoming traffic you can only ask your ISP to implement some things like fair queue or more modern queueing systems.
Thanks a lot! Now it’s absolutely clear!
Looks like I will have to fight a bit more with mangles, it’s too hard nowadays to differentiate traffic based on protocol/port alone.
Even when you can identify the traffic, you still cannot shape the incoming traffic.
There are some tricks to control incoming TCP traffic by shaping the outgoing ACK traffic, but it still depends on the behavior of the ISP side.
Your last reply does not make me happy 