Using page 35 of http://mum.mikrotik.com/presentations/CZ09/QoS_Megis.pdf as a guide, I have set up marking of all traffic, including unknowns as “others”, and am using simple queues to control bandwidth usage. But for some reason, enabling the “others” queue is causing problems for all clients, with huge lags, delays, timeouts, etc., and they are unable to browse. I’ve also tried using connection_mark and then packet_mark but it didn’t make a difference. Below is my setup; what am I missing? Help! Thanks.
# nov/28/2009 11:27:33 by RouterOS 4.2
# software id = X6XK-92P9
#
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
"Ensign Services: DNS / ICMP / HTTPS / Telnet / SSH / HTTP Rqst / WinBox" \
disabled=no dst-port=53 new-packet-mark=ensign_svc passthrough=no \
protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=53 \
new-packet-mark=ensign_svc passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=ensign_svc passthrough=no protocol=icmp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=443 \
new-packet-mark=ensign_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=23 \
new-packet-mark=ensign_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=22 \
new-packet-mark=ensign_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-bytes=0-500000 \
disabled=no dst-port=80 new-packet-mark=ensign_svc passthrough=no \
protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=8291 \
new-packet-mark=ensign_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=\
"Communication Services: VoIP / Skyp / Video Conference / VPN / MSN" \
disabled=no dscp=26 new-packet-mark=communication_svc passthrough=no
add action=mark-packet chain=prerouting comment="" disabled=no dscp=46 \
new-packet-mark=communication_svc passthrough=no
add action=mark-packet chain=prerouting comment=\
"Download Services: Mails / HTTP Dnlds / FTP / SFTP" disabled=no \
dst-port=110 new-packet-mark=download_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=995 \
new-packet-mark=download_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=143 \
new-packet-mark=download_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=993 \
new-packet-mark=download_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=25 \
new-packet-mark=download_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-bytes=500000-0 \
disabled=no dst-port=80 new-packet-mark=download_svc passthrough=no \
protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=20 \
new-packet-mark=download_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=21 \
new-packet-mark=download_svc passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=22 \
new-packet-mark=download_svc packet-size=1400-1500 passthrough=no \
protocol=tcp
add action=mark-packet chain=prerouting comment="all p2p" disabled=no \
new-packet-mark=p2p p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting comment="Everything Else" disabled=no \
new-packet-mark=other passthrough=no
# nov/28/2009 11:29:35 by RouterOS 4.2
# software id = X6XK-92P9
#
/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 1" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=512k/2M name=Ensign_Svc packet-marks=ensign_svc parent=none \
priority=1 queue=default-small/default-small total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 5" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=512k/2M name=Communication_Svc packet-marks=\
communication_svc parent=none priority=5 queue=\
default-small/default-small total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 6" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=256k/512k name=Download_Svc packet-marks=download_svc \
parent=none priority=6 queue=default-small/default-small total-queue=\
default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 7" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=64k/256k name=p2p packet-marks=p2p parent=none priority=7 \
queue=default-small/default-small total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 8" \
direction=both disabled=yes dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=64k/128k name=other packet-marks=other parent=none \
priority=8 queue=default-small/default-small total-queue=default-small
fewi
November 28, 2009, 6:22pm
2
That queue is full, which isn’t surprising given how small it is and that your mangle rules don’t cover all the traffic you appear to want to cover.
Take this snippet:
add action=mark-packet chain=prerouting comment="" connection-bytes=500000-0 \
disabled=no dst-port=80 new-packet-mark=download_svc passthrough=no \
protocol=tcp
You want to cover all the traffic that the server sends back to the client beyond the first 500KB. However, that rule only applies packet-marks to packets with a destination port of 80, which is only traffic from the client to the server. Traffic from the server to the client has a source port of 80. As a result, traffic from server to client does not match this rule and falls through and gets a packet-mark of ‘other’ and gets put into a tiny queue, which results in packet loss since the queue must drop packets.
You can either adapt your rules on ‘port’ instead of ‘dst-port’ to catch either source or destination port, or apply connection-marks instead and add rules to add packet-marks to connections marked in a certain way.
Edit: I see you tried to use connection-marks as well. As mentioned, that approach would work. Maybe try it again and if it still doesn’t, post that rule set.
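The connection-mark approach from the answer above, sketched as an added example (not part of the original posts, and not tested on the poster's router). The packet marks `ensign_svc`, `download_svc` and `other` are taken from the thread; the connection mark `http_conn` and the log prefix are names made up for this example.

```routeros
/ip firewall mangle
# Mark the connection once, on the client's first packet to port 80.
# "http_conn" is a hypothetical name chosen for this example.
add chain=prerouting protocol=tcp dst-port=80 connection-state=new \
    action=mark-connection new-connection-mark=http_conn passthrough=yes
# connection-mark matches packets in both directions of the connection,
# so replies from the server (source port 80) are classified as well.
add chain=prerouting connection-mark=http_conn connection-bytes=0-500000 \
    action=mark-packet new-packet-mark=ensign_svc passthrough=no
add chain=prerouting connection-mark=http_conn connection-bytes=500000-0 \
    action=mark-packet new-packet-mark=download_svc passthrough=no
# Temporary check: log whatever still ends up in the catch-all class.
# Disable it once the rule set is verified, since it can be very noisy.
add chain=forward packet-mark=other action=log log-prefix="other: "
```

These rules have to sit above the "Everything Else" catch-all, because a `passthrough=no` match stops further mangle processing in the chain for that packet.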
That’s what I thought, and I used to have two rules for each, dest and src port. But I was still having problem with clients timing out. That’s when I found the pdf which listed just the dest ports. I’m assuming the dest/src applies to all of my mangle rules? I will change them all to just “port” and see what happens. Thanks.
Chupaka
November 28, 2009, 10:16pm
4
in latest version, to see all non-marked packets, you can use
/ip firewall mangle add chain=forward packet-mark=no-mark action=log
This is very frustrating as I am still getting timeouts on browsing and too much packet loss on ping tests and VoIP. I’ve attached registration to show CCQ/Signals, mangle, queues.
There is one client in particular that gets disconnected/reconnected frequently with -80’s dBm. Can that affect the rest of the clients? Lowering the data rate helps him stay connected longer, but the overall timeouts/packet loss don’t seem to improve.
I’m using RB333 v4.2 w/ XR2, 5MHz band w/ default data rate. I could really use some help. Below is my latest settings in Queue to prioritize. Thank you.
# nov/29/2009 14:23:23 by RouterOS 4.2
# software id = X6XK-92P9
#
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
"Ensign Services: DNS / ICMP / HTTPS / Telnet / SSH / HTTP Rqst / WinBox" \
disabled=no new-packet-mark=ensign_svc passthrough=no port=53 protocol=\
tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=ensign_svc passthrough=no port=53 protocol=udp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=ensign_svc passthrough=no protocol=icmp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=ensign_svc passthrough=no port=443 protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=ensign_svc passthrough=no port=23 protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=ensign_svc passthrough=no port=22 protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-bytes=0-500000 \
disabled=no new-packet-mark=ensign_svc passthrough=no port=80 protocol=\
tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=ensign_svc passthrough=no port=8291 protocol=tcp
add action=mark-packet chain=prerouting comment=\
"User Request Services: Game Servers" disabled=no new-packet-mark=\
userrequest_svc passthrough=no port=3724 protocol=tcp
add action=mark-packet chain=prerouting comment=\
"Communication Services: VoIP / Skyp / Video Conference / VPN / MSN" \
disabled=no dscp=26 new-packet-mark=communication_svc passthrough=no
add action=mark-packet chain=prerouting comment="" disabled=no dscp=46 \
new-packet-mark=communication_svc passthrough=no
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=communication_svc passthrough=no port=1863 protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=communication_svc passthrough=no port=3389 protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=communication_svc passthrough=no port=5050 protocol=tcp
add action=mark-packet chain=prerouting comment=\
"Download Services: Mails / HTTP Dnlds / FTP / SFTP" disabled=no \
new-packet-mark=download_svc passthrough=no port=110 protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=download_svc passthrough=no port=995 protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=download_svc passthrough=no port=143 protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=download_svc passthrough=no port=993 protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=download_svc passthrough=no port=25 protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-bytes=500000-0 \
disabled=no new-packet-mark=download_svc passthrough=no port=80 protocol=\
tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=download_svc passthrough=no port=20 protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=download_svc passthrough=no port=21 protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=download_svc packet-size=1400-1500 passthrough=no port=22 \
protocol=tcp
add action=mark-packet chain=prerouting comment="all p2p" disabled=no \
new-packet-mark=p2p p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting comment="Everything Else" disabled=no \
new-packet-mark=other passthrough=no
# nov/29/2009 14:38:38 by RouterOS 4.2
# software id = X6XK-92P9
#
/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 1" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=512k/2M name=Ensign_Svc packet-marks=ensign_svc parent=none \
priority=1 queue=default-small/default-small total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 3" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=512k/2M name=User_Request_Svc packet-marks=userrequest_svc \
parent=none priority=3 queue=default-small/default-small total-queue=\
default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 5" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=512k/2M name=Communication_Svc packet-marks=\
communication_svc parent=none priority=5 queue=\
default-small/default-small total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 6" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=256k/512k name=Download_Svc packet-marks=download_svc \
parent=none priority=6 queue=default-small/default-small total-queue=\
default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 7" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=64k/256k name=p2p packet-marks=p2p parent=none priority=7 \
queue=default-small/default-small total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Priority 8" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=64k/128k name=other packet-marks=other parent=none \
priority=8 queue=default-small/default-small total-queue=default-small