I just want to ask that how i can give priority on port base in mikrotik?
example: i want to give port 5000 traffic, to the highest priority as well as guaranteed bandwidth, how i can acheive it?
You use /ip firewall mangle:
- /ip firewall mangle add chain=prerouting protocol=tcp port=5000 connection-state=new action=mark-connection new-connection-mark=prio_conn
- /ip firewall mangle add chain=prerouting connection-mark=prio_conn action=mark-packet new-packet-mark=prio
- /queue simple add name=Internet interface=ether1 max-limit=512k/4M
- /queue simple add name=prio interface=ether1 parent=Internet packet-marks=prio priority=1
- /queue simple add name=other interface=ether1 parent=Internet priority=8
then:
- Every TCP connection with port 5000 gets connection mark “prio_conn” when it is created
- Every packet from the connection gets packet mark “prio”
- Queue “Internet” sets the limit for upload and download on ether1 (assume it’s the port connecting to the internet)
- Queue “prio” is a child queue with the highest priority (1) and it queues all packets with mark “prio” - belonging to the prioritized connection
- Queue “other” is a child queue with the lowest priority for the other packets (the order matters!).
Then the two queues share the parent’s limit, but the “prio” queue gets all, and “other” - only the rest. If you don’t want “prio” to get all the traffic and to block “other” totally, you can add limit-at in the “other” queue (ex. max-limit=512k/4M limit-at=128k/1M)
dasiu
my internet connection is 4M upload/download (CIR) and I want to give the prioirty of 1M upload/download to port 5000.
please check these rules and tell me that i am going in the right direction or not?
- /ip firewall mangle add chain=prerouting protocol=tcp port=5000 connection-state=new action=mark-connection new-connection-mark=prio_conn
- /ip firewall mangle add chain=prerouting connection-mark=prio_conn action=mark-packet new-packet-mark=prio
- /queue simple add name=Internet interface=WAN max-limit=4M/4M
- /queue simple add name=prio interface=WAN parent=Internet packet-marks=prio priority=1
- /queue simple add name=other interface=WAN parent=Internet priority=8
Please give me your feed back.
thanks!
What do you mean by “to give the prioirty of 1M upload/download to port 5000” ?
Is it that connections to port 5000 have higher priority, but they are limited to 1M? then:
4. /queue simple add name=prio interface=WAN parent=Internet packet-marks=prio priority=1 max-limit=1M/1M
Or maybe it can take all 4M, when the bandwidth is “clear”, but if there is another traffic - it gets only 1M, but guarranteed? then:
4. /queue simple add name=prio interface=WAN parent=Internet packet-marks=prio priority=8 max-limit=4M/4M limit-at=1M/1M
5. /queue simple add name=other interface=WAN parent=Internet priority=1
(yeah, here the concept is changed - port 5000 have guarranteed 1M, but above that - other traffic gets priority, and port 5000 only takes the rest of the remaining 3M)
You can only:
- CUT the prioritized traffic,
or - guarrantee sth. to lower-priority traffic
There is no point to guarrantee sth. to prioritized traffic, as it - by definition - takes all bandwidth available for it
my point is this that i want to give as much as to port 5000 or in other words i want to give all bandwidth to prot 5000 if it is free but minimum i want to give 2M.
so can you tell me the steps.
thanks in advance
- /ip firewall mangle add chain=prerouting protocol=tcp port=5000 connection-state=new action=mark-connection new-connection-mark=prio_conn
- /ip firewall mangle add chain=prerouting connection-mark=prio_conn action=mark-packet new-packet-mark=prio
- /queue simple add name=Internet interface=WAN max-limit=4M/4M
- /queue simple add name=prio interface=WAN parent=Internet packet-marks=prio priority=8 max-limit=4M/4M limit-at=2M/2M
- /queue simple add name=other interface=WAN parent=Internet priority=1
So then:
Step 1: port 5000 gets up to 2M of guaranteed traffic (if it wants more - it gets 2M for now, if it wants - let’s say - 1M, it gets 1M)
Step 2: the other traffic gets the rest of the bandwidth available to 4M (4M minus what was used earlier by port 5000)
Step 3: if there is still a free bandwidth after step 2, port 5000 gets the rest
I think that is what you expected?
This is very interesting I want to give Prio 1 to FPS games like Quakelive, to have good ping and no packet loss.
I´m not sure to do it via Queue or Layer7 !? ( today I read about DSCP and now I´m completly confused,… 
)
Thx for advice
br
cm
Yes, you do it with queues AND layer7 . Queues look like the ones I put in previous posts as examples. But first you need to mark packets with “prio” mark in /ip firewall mangle - and you can do this using layer7 filtering (or if a game has its own TCP/UDP port number - you can just use the port, like in our examples with port 5000).
With layer7 first 2 steps will look like:
- /ip firewall mangle add chain=prerouting layer7-protocol=quakelive action=mark-packet new-packet-mark=prio
But before that - you need to create layer7 rule “quakelive”. For example - you have a pattern (http://l7-filter.sourceforge.net/layer7-protocols/protocols/quake-halflife.pat), and you create the rule:
0. /ip firewall layer7-protocol add name=quakelive regexp=“^\xff\xff\xff\xffget(info|challenge)”
Not sure if it will work with quakelive - I don’t even know the game . You need to run it - and see if the number of packets “catched” by the firewall rule increases .
Thanks man, I have few questions regarding the suggestion you gave me in your reply above
So then:
Step 1: port 5000 gets up to 2M of guaranteed traffic (if it wants more - it gets 2M for now, if it wants - let’s say - 1M, it gets 1M)
Step 2: the other traffic gets the rest of the bandwidth available to 4M (4M minus what was used earlier by port 5000)
Step 3: if there is still a free bandwidth after step 2, port 5000 gets the rest
\
Port 5000 traffic will get the 2M guaranteed bandwidth and rest will get the remaining 2M bandwidth and if the rest is not using its 2M, can it assign automatically to port 5000 traffic or i have to add another rule?
Please clarify this doubt!
thanks
You don’t have to add any other rule. That 2 rules cover all .
- If there is overall “demand” for less than 4M (each direction separately), every connection gets its bandwidth without limitation.
- If the “overall demand” exceeds 4M, something must be cut:
2a. If port 5000 wants to have 1,5M and other traffic 3,5M, it gives us 5M - and we need to “cut” 1M. The router gives 1,5M to port 5000 (as it has 2M guaranteed), and then the rest (2,5M) to other. 1M from other traffic is cut.
2b. If port 5000 wants to have 3M, and other traffic wants to have 2M - router gives 2M to port 5000 (guaranteed), and then the rest 2M to other traffic (higher priority) - so there is nothing left. In this case 1M from “5000” traffic is cut.
2c. If port 5000 wants to have 3M, and the rest 1,5M - port 5000 gets 2M guaranteed, then other traffic 1,5M, and there is remaining 0,5M - it is given to 5000 traffic. So then 5000 gets 2,5M and other 1,5M.
But these are only examples. The “5000” traffic shouldn’t exceed 2M, I think - because usually the “prioritized” traffic (such as ping/voice/online games/etc.) that we want to pass without queueing, has small bandwidth .
thanks for such an excellent examples…
Now, I will tell you why I am using port 5000 as an example, may be you have better suggestion for me.
I want to use port 5000 for skype traffic to prioritize it over any kind of traffic.
Because skype doesn’t have very well defined protocol, that’s why I am using port 5000 for it.
If you have better solution for this problem, please suggest me.
thanks in advance!
Thx for hints too ,
My simple config for filtered bridge now is following:
/ interface bridge
add name=“bridge1”
/ interface bridge port
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1
/ interface bridge settings
set use-ip-firewall=yes
/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \ new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet \ new-packet-mark=http passthrough=no
add chain=prerouting protocol=tcp dst-port=5222 action=mark-connection \ new-connection-mark=qltcp_conn passthrough=yes
add chain=prerouting connection-mark=qltcp_conn action=mark-packet \ new-packet-mark=ql-tcp passthrough=no
add chain=prerouting protocol=udp dst-port=27000-27500 action=mark-connection \ new-connection-mark=qludp_conn passthrough=yes
add chain=prerouting connection-mark=qludp_conn action=mark-packet \ new-packet-mark=ql-udp passthrough=no
add chain=prerouting p2p=all-p2p action=mark-connection \ new-connection-mark=p2p_conn passthrough=yes
add chain=prerouting connection-mark=p2p_conn action=mark-packet \ new-packet-mark=p2p passthrough=no
add chain=prerouting action=mark-connection new-connection-mark=other_conn \ passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet \ new-packet-mark=other passthrough=no
/ queue simple
add name=“main” target-addresses=192.168.1.0/24 max-limit=2048000/2048000
add name=“http” parent=main packet-marks=http max-limit=1920000/2048000 priority=3
add name=“Quakelife-TCP” parent=main packet-marks=ql-tcp max-limit=1024000/2048000 priority=2
add name=“Quakelife-UDP” parent=main packet-marks=ql-udp max-limit=1024000/2048000 priority=1
add name=“p2p” parent=main packet-marks=p2p max-limit=640000/640000 priority=8
add name=“other” parent=main packet-marks=other max-limit=1280000/1280000 priority=4
Together with simple PCQ ( http://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ_Examples) its working ok for now 
In next step I will experiment with layer 7
br cm
If you want to have PCQ for clients limiting AND layer7 for prioritizing traffic - you need to have one queueing in prerouting, and one in postrouting (and use /queue tree, not /queue simple) .
See http://tiktube.com/index.php?video=JpcD3eCChqGnDlJFJEEsCvExClIoEKDH= and the PDF slides . With filtered bridge it should work exactly the same .
@dasiu, can you give the hint regarding skype traffic prioritize!
thanks
Sorry, I have no experience with Skype… As Janis once said - there is no way to filter Skype. It can operate on different ports (also on port 80), there is probably no reliable layer7 rule… So I don’t know, what can be done .
in mikrotik the qos is lie between 1-8, where 1 is the highest priority or 8 is the highest priority?
please tell me about this?
Yes, 1 is highest priority, 8 is lowest. I recommend looking at the examples: http://wiki.mikrotik.com/wiki/Manual:HTB
thanks, because in cisco, 8 is the highest and 1 is the lowest and it confused me that’s why i asked this.
Wow thx for the links ,…
A lot of work to do, is there no config wizard for doing this it costs a lot time for noobs to do the basic config,..
Everyone has to do the same procedure again and again.
Better would be some complete basic configurations for starting point and not only few code lines of different functions.
(1. /ip firewall mangle add chain=prerouting protocol=tcp port=5000 connection-state=new action=mark-connection new-connection-mark=prio_conn
2. /ip firewall mangle add chain=prerouting connection-mark=prio_conn action=mark-packet new-packet-mark=prio
3. /queue simple add name=Internet interface=WAN max-limit=4M/4M
4. /queue simple add name=prio interface=WAN parent=Internet packet-marks=prio priority=8 max-limit=4M/4M limit-at=2M/2M
5. /queue simple add name=other interface=WAN parent=Internet priority=1
So then:
Step 1: port 5000 gets up to 2M of guaranteed traffic (if it wants more - it gets 2M for now, if it wants - let’s say - 1M, it gets 1M)
Step 2: the other traffic gets the rest of the bandwidth available to 4M (4M minus what was used earlier by port 5000)
Step 3: if there is still a free bandwidth after step 2, port 5000 gets the rest
I think that is what you expected?)
Sir can You explain when using 2 WAN Loadbalancing how this command will be rewritten and you mentioned in step 4 priority=8 and in step 5 priority=1.