How to Mangle, Priority with HTB (Queue Tree) in ROS 3.16

First, thanks for reading! :slight_smile:

pls see my scenario below:

  1. I want to limit one IP, let's say 172.16.31.89. So I do mangle (connection-mark and packet-mark) in prerouting (upload) and postrouting (download) with Passthrough=NO and then apply it in global-in (upload) and global-out (download) in Queue Tree. I also set limit-at to 32k and max-limit to 128k for both download and upload traffic. Please refer to the config below:

ip mangle print
82 ;;172.16.31.89-conn-down
chain=postrouting action=mark-connection new-connection-mark=chanty-conn-download passthrough=yes src-address=172.16.31.89

83 ;;172.16.31.89-pack-down
chain=postrouting action=mark-packet new-packet-mark=chanty-packet-download passthrough=no connection-mark=chanty-conn-download

84 ;;172.16.31.89-conn-up
chain=pretrouting action=mark-connection new-connection-mark=chanty-conn-upload passthrough=yes src-address=172.16.31.89

85 ;;172.16.31.89-pack-up
chain=prerouting action=mark-packet new-packet-mark=chanty-packet-upload passthrough=no connection-mark=chanty-pack-upload

queue tree print

86 name=“chanty-inner-download” parent=Total-Download packet-mark=“” limit-at=128000 queue=default priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s

87 name=“chanty-inner-upload” parent=Total-Upload packet-mark=“” limit-at=128000 queue=default priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s

64 name=“chanty-down” parent=chanty-inner-download packet-mark=chanty-packet-download limit-at=100000 queue=default priority=8 max-limit=120000 burst-limit=0 burst-threshold=0 burst-time=0s

65 name=“chanty-up” parent=chanty-inner-upload packet-mark=chanty-packet-upload limit-at=100000 queue=default priority=8 max-limit=120000 burst-limit=0 burst-threshold=0 burst-time=0s

  2. I want to give priority to incoming ICMP traffic. So I do mangle (packet-mark only) in both prerouting (upload) and postrouting (download), specifying Protocol=ICMP.

ip firewall mangle print
0 ;;; icmp-packet-upload
chain=prerouting action=mark-packet new-packet-mark=icmp-packet-upload passthrough=yes protocol=icmp

1 ;;; icmp-packet-download
chain=postrouting action=mark-packet new-packet-mark=icmp-packet-download passthrough=yes protocol=icmp

queue tree print

66 name=“icmp-priority-download” parent=chanty-inner-upload packet-mark=icmp-packet-upload limit-at=28000 queue=default priority=2 max-limit=120000 burst-limit=0 burst-threshold=0 burst-time=0s

67 name=“icmp-priority-download” parent=chanty-inner-download packet-mark=icmp-packet-download limit-at=28000 queue=default priority=2 max-limit=120000 burst-limit=0 burst-threshold=0 burst-time=0s

My problem is that ICMP cannot get priority. Every time I try to test full download or upload, ICMP will get a lot of delay time.

Can anyone please advise on the configuration?

Thanks,

Does anyone have any idea?
I have been looking around in places like the Doc and this forum, but I cannot find the answer.

OK - take a look at the diagram:
http://wiki.mikrotik.com/wiki/Packet_Flow

  1. As you can see, all traffic is going through the prerouting and postrouting - so there is no actual need to mark traffic in 2 different places
  2. A packet can have only one packet mark at the same time
  3. Priority doesn’t work without limitation


So the plan for you might be to mark by traffic type in prerouting and limit by traffic type in global-in.
Then remark traffic by IP addresses in forward and limit them on the outgoing interface.

set passthrough=no to ICMP


p.s. if “3) Priority doesn’t work without limitation” how does PCQ work without setting a max-limit and limit-at ?! :confused:

PCQ and priority are different things

If my queue is pcq type, as the equal-sharing example, the priority will not work and all will get same priority (round robin) ? Must I switch to sfq for priority to work?

YES, we can limit the traffic by mark-packet in forward only and do queue in outgoing interface (upload) and incoming interface(download).

If I mark traffic type like ICMP or other protocols in prerouting in order to give priority, ICMP will get a good ping result even though I DID NOT GIVE PRIORITY OR QUEUE in Queue Tree yet. I think there is a problem with packet-mark. Please advise!

My purpose is to limit one IP to 128k (download) and 128k (upload), and I want to give priority to some specific protocols like ICMP generated by the IP. So, even if the bandwidth of the IP is full, the protocol which is given 1st priority will have a good result in the scope of 128k (download) and 128k (upload). I would also want to apply this policy either globally (root) or specifically (inner-leaf).

showing configuration example would be appreciated!! :laughing:

icmp gets priority because all other traffic already has queues. traffic that does not have queues gets priority. This is mentioned in the manual. p.s. I want to see example with inner leaf (subqueue in the Queue Tree)

If I do it like that, my customer (the IP) will get extra bandwidth if he uses ICMP or other protocols that I gave priority. I don’t think it is the way to go.

please add more!!

You are right - if there is no Queue in the tree for certain packets - they will escape the max-limit of that Queue. The meaning of the previous post is: you were seeing good pings because of this behavior, but you should not configure your router like that.

I think what macgaiver is saying is the right answer. His suggestion means that you will have different Queue Trees - one for bandwidth limitation of the users, and another for the QoS/priorities.

Forget Priority here !! we tried hard to get the same results , giving ICMP highest priority without any hope ..

at last i made it with a very simple way , tested and working great :

1- mangle ICMP packet with passthru=no , put it at the top of mangle rules.
2- at Q , put a simple Q for ICMP packets .
3- use a script to keep that simple Q at the top of Q rules .

now each user ( IP ) will get a normal ICMP even if he filled his MAX RATE ..

Have you upgraded to ver 3.17?

There is still hope. RouterOS could have a bug/faulty hardware. Best practice - contact support if something is misbehaving, because history has shown - some Queues stop working in some versions of RouterOS. Then paste entire configuration here :slight_smile:

Also, IP is complex. There is STILL a possibility of misconfiguration, and/or dependence on queue processing on other equipment in the network!

Please some guy with 10+ years of pro networking experience back me up on this, or MikroTik paranoia will take over everyone :smiley:

Actually I’m starting a new thread on the subject : http://forum.mikrotik.com/t/does-queue-processing-qos-pcq-htb-etc-depend-on-isp/25197/1

By doing mangle ICMP with passthrough=NO, we will give extra bandwidth to the customer (the IP).
It should be OK since ICMP will eat only a little bandwidth.

How about other protocols which will eat a lot of bandwidth, like VoIP or Video Conferencing?
I mean those protocols that need to be prioritized.

Does ROS 3.17 really help? I don’t think so because the configuration will be the same.

please add more!!

I just answered your question which is

My problem is that ICMP cannot get priority. Every time I try to test full download or upload, ICMP will get a lot of delay time.

Can anyone please advise on the configuration?

according to http://forum.mikrotik.com/t/problem-with-mount-point/94/1 as below:

here is from janis

In my presentation I said that creating priorities separately for each client is suicide - there is no hardware that can handle a small queue tree for every user (if you have 1000 of them). So in my presentation I discuss the next best thing, that is as close as possible to the desired behaviour.

The main Idea of the setup is to have two separate QoS steps.

  1. in the first step we prioritize traffic, we are making sure that traffic with higher priority has more chance to get to the customers than traffic with the lower priority.

Example:
we have a total of 100Mbps available, but clients at this particular moment would like to receive 10Mbps of Priority=1 traffic, 20Mbps of Priority=4 and 150Mbps of Priority=8.

Of course after our prioritization and limitation 80Mbps of priority=8 will be dropped. And only 100Mbps will get to the next step

  2. next step is per-user limitation, we already have only higher priority traffic, but now we must make sure that some user will not overuse it, so we have PCQ with limits

This way we get virtually the same behaviour as “per user prioritization”

here is from nomis

QoS includes several facilities, in the following order:

  1. mangle chain prerouting
  2. HTB global-in
  3. Mangle chain forward
  4. Mangle chain postrouting
  5. HTB global-out
  6. HTB out interface

so, inside one router, you can do shape twice if you use:

a) #1 and #2 for first marking and shaping, and #3+#5 for second
b) #1 and #2 for first marking and shaping, and #3+#6 for second
c) #1 and #2 for first marking and shaping, and #4+#5 for second
d) #1 and #2 for first marking and shaping, and #4+#6 for second

I have made some testing configuration as below:

ip firewall mangle print
0 ;;; icmp-packet
chain=prerouting action=mark-packet new-packet-mark=icmp-packet
passthrough=no protocol=icmp

133 ;;; test-conn
chain=forward action=mark-connection new-connection-mark=test-conn
passthrough=yes src-address=172.16.31.89

134 ;;; test-packet
chain=forward action=mark-packet new-packet-mark=test-packet
passthrough=no connection-mark=test-conn

queue tree print

118 name=“icmp-priority” parent=global-in packet-mark=icmp-packet limit-at=0
queue=default priority=2 max-limit=0 burst-limit=0 burst-threshold=0
burst-time=0s

119 name=“test-user-download” parent=vlan5-noc packet-mark=test-packet
limit-at=128000 queue=pcq-128k-down priority=8 max-limit=128000
burst-limit=0 burst-threshold=0 burst-time=0s

0 name=“test-user-upload” parent=ether2-Outside packet-mark=test-packet
limit-at=128000 queue=pcq-128k-up priority=8 max-limit=128000 burst-limit=0
burst-threshold=0 burst-time=0s

queue type print

13 name=“pcq-128k-up” kind=pcq pcq-rate=128000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=5000

14 name=“pcq-128k-down” kind=pcq pcq-rate=128000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=5000

BUT icmp still has high reply time.

Am I doing the right configuration?

  1. you need to mark all traffic at the same place (prerouting)

  2. you must mark upload and download for every type of traffic separately

  3. you need to limit traffic at the same place (parent=global-in)

  4. you must have a parent queue, that have max-limit and parent=global-in - all other queues parent=

  5. don’t forget you need 2 sets of those queues - one for upload one for download

Here we go

ip firewall mangle print

136 ;;; icmp-packet-download
chain=prerouting action=mark-packet new-packet-mark=icmp-packet-download passthrough=no protocol=icmp

137 ;;; icmp-packet-upload
chain=prerouting action=mark-packet new-packet-mark=icmp-packet-upload passthrough=no protocol=icmp in-interface=vlan5-noc

138 ;;; test-conn
chain=prerouting action=mark-connection new-connection-mark=test-conn passthrough=yes src-address=172.16.31.89

139 ;;; test-packet-upload
chain=prerouting action=mark-packet new-packet-mark=test-packet-upload passthrough=no in-interface=vlan5-noc connection-mark=test-conn

140 ;;; test-packet-download
chain=prerouting action=mark-packet new-packet-mark=test-packet-download passthrough=no connection-mark=test-conn

queue tree print

118 name=“icmp-priority-upload” parent=test-parent-upload packet-mark=icmp-packet-upload limit-at=0 queue=default priority=2 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

119 name=“test-user-download” parent=test-parent-download packet-mark=test-packet-download limit-at=128000 queue=pcq-128k-down priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s

120 name=“test-parent-upload” parent=global-in packet-mark=“” limit-at=0 queue=default priority=8 max-limit=45000000 burst-limit=0 burst-threshold=0 burst-time=0s

121 name=“test-parent-download” parent=vlan5-noc packet-mark=“” limit-at=0 queue=default priority=8 max-limit=45000000 burst-limit=0 burst-threshold=0 burst-time=0s

122 name=“icmp-priority-download” parent=test-parent-download packet-mark=icmp-packet-download limit-at=0 queue=default priority=2 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

queue type print

13 name=“pcq-128k-up” kind=pcq pcq-rate=128000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=5000

14 name=“pcq-128k-down” kind=pcq pcq-rate=128000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=5000

is it correct?

  1. switch 136 ↔ 137

  2. there should be 6 rules in queue tree

Upload-parent
–ICMP upload
–Other upload

Download parent
–ICMP download
–Other download

  3. specify limit-at and max-limit to all ICMP and Other queues.

Ok, corrected. pls see below:

ip firewall mangle print
136 ;;; icmp-packet-upload
chain=prerouting action=mark-packet new-packet-mark=icmp-packet-upload passthrough=no protocol=icmp

137 ;;; icmp-packet-download
chain=prerouting action=mark-packet new-packet-mark=icmp-packet-download passthrough=no protocol=icmp in-interface=vlan5-noc

138 ;;; test-conn
chain=prerouting action=mark-connection new-connection-mark=test-conn passthrough=yes src-address=172.16.31.89

139 ;;; test-packet-upload
chain=prerouting action=mark-packet new-packet-mark=test-packet-upload passthrough=no in-interface=vlan5-noc connection-mark=test-conn

140 ;;; test-packet-download
chain=prerouting action=mark-packet new-packet-mark=test-packet-download passthrough=no connection-mark=test-conn

queue tree print

120 name=“test-parent-upload” parent=global-in packet-mark=“” limit-at=10000000 queue=default priority=8 max-limit=45000000 burst-limit=0 burst-threshold=0 burst-time=0s

118 name=“icmp-priority-upload” parent=test-parent-upload packet-mark=icmp-packet-upload limit-at=128000 queue=default priority=2 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s

0 name=“test-user-upload” parent=test-parent-upload packet-mark=test-packet-upload limit-at=128000 queue=pcq-128k-up priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s

121 name=“test-parent-download” parent=vlan5-noc packet-mark=“” limit-at=10000000 queue=default priority=8 max-limit=45000000 burst-limit=0 burst-threshold=0 burst-time=0s

122 name=“icmp-priority-download” parent=test-parent-download packet-mark=icmp-packet-download limit-at=128000 queue=default priority=2 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s

119 name=“test-user-download” parent=test-parent-download packet-mark=test-packet-download limit-at=128000 queue=pcq-128k-down priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s

queue type print

13 name=“pcq-128k-up” kind=pcq pcq-rate=128000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=5000

14 name=“pcq-128k-down” kind=pcq pcq-rate=128000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=5000

Is it correct? :sunglasses:

again

  1. rule 137 will not get any traffic, you need to put it before rule 137

  2. max-limit is the limit for the whole queue, are you sure that you allow only 128k to ALL your users together? (in test-user-upload)

  3. global-in for both parents

Do you make some tests? or you just paste your configuration? You should be able to debug it yourself, just by testing it.
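
The point in the last reply that rule 137 will not get any traffic can be checked mechanically before testing on the router. The following is an added example, not part of any post in this thread and not MikroTik code: it parses the five prerouting rules from the "Ok, corrected" post and reports rules that an earlier passthrough=no rule always catches first. The function names `parse` and `find_shadowed` are hypothetical, and the subset comparison of matchers is a simplifying assumption that only detects the clear-cut case.

```python
# Added example: static check for shadowed RouterOS mangle rules.
# The subset test is a simplifying assumption, not RouterOS's own matcher.

# Keys that describe what a rule does rather than what it matches.
NON_MATCHERS = {"chain", "action", "passthrough",
                "new-packet-mark", "new-connection-mark"}

RULES = {  # rule number -> rule line as printed in the thread
    136: "chain=prerouting action=mark-packet new-packet-mark=icmp-packet-upload "
         "passthrough=no protocol=icmp",
    137: "chain=prerouting action=mark-packet new-packet-mark=icmp-packet-download "
         "passthrough=no protocol=icmp in-interface=vlan5-noc",
    138: "chain=prerouting action=mark-connection new-connection-mark=test-conn "
         "passthrough=yes src-address=172.16.31.89",
    139: "chain=prerouting action=mark-packet new-packet-mark=test-packet-upload "
         "passthrough=no in-interface=vlan5-noc connection-mark=test-conn",
    140: "chain=prerouting action=mark-packet new-packet-mark=test-packet-download "
         "passthrough=no connection-mark=test-conn",
}

def parse(line):
    """Split a printed rule into (all fields, matcher fields only)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    matchers = {k: v for k, v in fields.items() if k not in NON_MATCHERS}
    return fields, matchers

def find_shadowed(rules):
    """Return [(shadowed_rule, shadowing_rule)] for rules that can never match.

    An earlier passthrough=no rule in the same chain shadows a later rule
    when all of its matchers appear, with equal values, in the later rule.
    """
    parsed = [(no, *parse(line)) for no, line in rules.items()]
    hits = []
    for i, (no, fields, match) in enumerate(parsed):
        for prev_no, prev_fields, prev_match in parsed[:i]:
            if (prev_fields["chain"] == fields["chain"]
                    and prev_fields.get("passthrough") == "no"
                    and prev_match.items() <= match.items()):
                hits.append((no, prev_no))
                break
    return hits

if __name__ == "__main__":
    print(find_shadowed(RULES))
```

Running the same check with the more specific ICMP rule (the one carrying in-interface) listed ahead of the general one reports nothing, which is the ordering property the check looks for.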