How to mark traffic for two Queues?

Can someone please explain how to get the correct markings for traffic to show in two Queues?

I have two Queues:

  1. an Internet-Q
  2. a WiFi-Access-Point-Q

When traffic is marked correctly I expect the traffic to show in the WiFi-AP-Q and in the Internet-Q

Please consider this:

  1. The output interface is eth1 bridged with PPPoE
  2. The WiFi AP is on eth10 in its own bridge, and has an address list named ap1_addr_list.

Here are my Mangle Rules

35    ;;; OTHER
      chain=output action=mark-connection new-connection-mark=other-conn passthrough=yes connection-state=new out-interface=pppoe-isp log=no log-prefix="" 

36    chain=prerouting action=mark-connection new-connection-mark=other-conn-ap1 passthrough=yes connection-state=new src-address-list=ap1_addr_list log=no log-prefix="" 

37    ;;; upload
      chain=forward action=mark-packet new-packet-mark=other-out-pk passthrough=no connection-mark=other-conn out-interface=pppoe-isp log=no log-prefix="" 

38    chain=prerouting action=mark-packet new-packet-mark=other-out-pk passthrough=no connection-mark=other-conn-ap1 in-interface=bridge_wifi_ap log=no log-prefix="" 

39    ;;; download
      chain=prerouting action=mark-packet new-packet-mark=other-in-pk passthrough=no connection-mark=other-conn in-interface=pppoe-isp log=no log-prefix="" 

40    chain=postrouting action=mark-packet new-packet-mark=other-in-pk passthrough=no connection-mark=other-conn-ap1 out-interface=bridge_wifi_ap log=no log-prefix=""

Here is the internet Q (“my global Q”)

/queue tree
add bucket-size=0.01 max-limit=100M name=internet-in parent=global priority=3 queue=default
add bucket-size=0.01 max-limit=50M name=internet-out parent=global priority=3 queue=default

add bucket-size=0.01 name=other-out packet-mark=other-out-pk parent=internet-out queue=pcq-upload-default
add bucket-size=0.01 name=other-in packet-mark=other-in-pk parent=internet-in queue=pcq-download-default

Here is the WiFi AP Q

add bucket-size=0.01 max-limit=50M name=ap-in parent=global priority=1 queue=default
add bucket-size=0.01 max-limit=25M name=ap-out parent=global priority=2 queue=default

add name=other-out-ap packet-mark=other-out-pk parent=ap-out queue=pcq-upload-default
add name=other-in-ap packet-mark=other-in-pk parent=ap-in queue=pcq-download-default

Before digging into details of your queue setup - have you disabled the action=fasttrack-connection rule in chain=forward of /ip firewall filter? Fasttracking makes most packets bypass mangling and queue processing.

Thanks for that Sindy.

I have checked that and it is switched off. (Bridge–>Settings: Allow Fast Path is not checked.)

Also:

/interface bridge settings> print
              use-ip-firewall: yes
     use-ip-firewall-for-vlan: yes
    use-ip-firewall-for-pppoe: yes
              allow-fast-path: no
      bridge-fast-path-active: no
     bridge-fast-path-packets: 0
       bridge-fast-path-bytes: 0
  bridge-fast-forward-packets: 0
    bridge-fast-forward-bytes: 0

I have changed stuff quite a bit.

I have split the network into three subnets,

1: One for the LAN (wired connections)
2: WiFi AP number 1
3: WiFi AP number 2

Now I have these three sets of markings, one for each subnet (address lists), and still I cannot get the LAN traffic marked:

add action=mark-connection chain=forward comment=OTHER connection-state=new new-connection-mark=other-conn passthrough=yes src-address-list=addr-list-lan
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=other-conn-ap9 passthrough=yes src-address-list=addr-list-ap9
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=other-conn-ap10 passthrough=yes src-address-list=addr-list-ap10
add action=mark-packet chain=postrouting comment=upload connection-mark=other-conn new-packet-mark=other-out-pk passthrough=no
add action=mark-packet chain=prerouting connection-mark=other-conn-ap9 new-packet-mark=other-out-pk-ap9 passthrough=no
add action=mark-packet chain=prerouting connection-mark=other-conn-ap10 new-packet-mark=other-out-pk-ap10 passthrough=no
add action=mark-packet chain=prerouting comment=download connection-mark=other-conn new-packet-mark=other-in-pk passthrough=no
add action=mark-packet chain=postrouting connection-mark=other-conn-ap9 new-packet-mark=other-in-pk-ap9 passthrough=no
add action=mark-packet chain=postrouting connection-mark=other-conn-ap10 new-packet-mark=other-in-pk-ap10 passthrough=no

Do not know why this happened, but after I retyped the address list using Winbox it started working, or maybe it was not that.

The new code:

add action=mark-connection chain=postrouting comment=OTHER connection-state=new new-connection-mark=other-conn passthrough=yes src-address-list=\
    addr-list-lan
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=other-conn-ap9 passthrough=yes src-address-list=addr-list-ap9
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=other-conn-ap10 passthrough=yes src-address-list=addr-list-ap10
add action=mark-packet chain=postrouting comment=upload connection-mark=other-conn new-packet-mark=other-out-pk passthrough=no
add action=mark-packet chain=prerouting connection-mark=other-conn-ap9 new-packet-mark=other-out-pk-ap9 passthrough=no
add action=mark-packet chain=prerouting connection-mark=other-conn-ap10 new-packet-mark=other-out-pk-ap10 passthrough=no
add action=mark-packet chain=postrouting comment=download connection-mark=other-conn new-packet-mark=other-in-pk passthrough=no

It seems to me as if you have misunderstood the purposes and positions of prerouting and postrouting chains in the packet flow. Both upload and download packets pass through both these chains, so the packet marks you assign in prerouting get overwritten in postrouting because you assign them based on the same connection mark values.

Thanks Sindy!!

I do not totally understand it, it is super confusing as to when to use what.

Do you perhaps know of an example that makes use of source and destination address lists to separate upload and download?

I don’t believe in examples without the background, so let’s start from the basics.

First, let’s linearize and simplify the complete packet flow diagram, which contains every possible path of every possible type of packet through the device, hence it contains a lot of loops and alternative paths. If we ignore a lot of stuff, those IP packets that travel through the router from one interface to another pass through:

  1. in-interface
  2. prerouting processing in firewall
  3. routing
  4. forward processing in firewall
  5. postrouting processing in firewall which includes queue handling
  6. out-interface

And each firewall processing step consists of several phases internally.

Second, there are two criteria to choose, from the queue tree, the particular queue to hold the packet: the “root parent” queue and the packet mark. If you have just one WAN and one LAN, you can make two independent trees, one rooted in the WAN interface’s “hardware” queue, and the other one rooted in the LAN interface’s “hardware” queue. The same packet mark can thus be assigned to both upload and download packets, and the right queue is chosen for each because the out-interface links it to the right tree via its root parent queue, and within that tree, the packet-mark is used to choose the right queue.

But if your case is more complex and you want different treatment for different LANs (probably, your description and names of flows are a bit unclear), you have multiple flows to shape in each direction, so you have to use “global” as the root parent for all queues, create child queues for each direction of each flow, and assign packet marks uniquely choosing a single child queue each.

There is a limitation I have never understood - the information about in-interface of a packet is not available for matching in the postrouting chain. It’s obvious why in postrouting, the information about out-interface is not available, but vice versa it’s not the case. So let’s say you have a single WAN interface and two LAN interfaces, and multiple traffic classes on each. You then need to use the information about traffic class, in-interface, and out-interface together to assign the right packet-mark. And the place where you have access to all these three pieces of information is the forward chain.

So you don’t need to use address-lists - just centralize the mangling into chain forward, and you should be good with in-interface, out-interface, and connection-mark.

So the simplified (not CPU-optimized beyond avoidance of address-list matching) example would be:

/ip firewall mangle {
  add chain=forward connection-state=new protocol=tcp dst-port=80,443 out-interface=wan action=mark-connection new-connection-mark=browsing passthrough=yes
  add chain=forward connection-state=new protocol=udp dst-port=443 out-interface=wan action=mark-connection new-connection-mark=browsing passthrough=yes
  add chain=forward out-interface=resident-lan connection-mark=browsing action=mark-packet new-packet-mark=rest-to-resident-lan
  add chain=forward out-interface=resident-lan connection-mark=no-mark action=mark-packet new-packet-mark=rest-to-resident-lan
  add chain=forward out-interface=guest-lan connection-mark=browsing action=mark-packet new-packet-mark=rest-to-guest-lan
  add chain=forward out-interface=guest-lan connection-mark=no-mark action=mark-packet new-packet-mark=rest-to-guest-lan
  add chain=forward in-interface=resident-lan out-interface=wan connection-mark=browsing action=mark-packet new-packet-mark=browsing-from-resident-lan
  add chain=forward in-interface=resident-lan out-interface=wan connection-mark=no-mark action=mark-packet new-packet-mark=rest-from-resident-lan
  add chain=forward in-interface=guest-lan out-interface=wan connection-mark=browsing action=mark-packet new-packet-mark=browsing-from-guest-lan
  add chain=forward in-interface=guest-lan out-interface=wan connection-mark=no-mark action=mark-packet new-packet-mark=rest-from-guest-lan
}

Also, it is not clear from your post whether the “wireless” and the “other LAN” share the same IP subnet and a common DHCP pool, and whether the traffic between these and the WAN interface is routed or bridged. The thing is that use of IP firewall for bridged packets has quite some side effects which may cause headache, so it is better to avoid use of use-ip-firewall: yes and use-ip-firewall-for-vlan: yes in /interface bridge settings.
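An added simulation, written for this thread and not part of any post or of RouterOS, of the chain walk explained above: it sends one packet per direction of an already-marked connection through prerouting, forward and postrouting, honouring passthrough=no and the per-chain visibility of in-interface and out-interface, and shows why the prerouting mark from the earlier rule set is overwritten in postrouting while forward-chain rules keep upload and download apart. The interface names wan and ap9 and both rule sets are constructed assumptions.

```python
# Added simulation (not RouterOS code): walk a forwarded packet through the
# mangle chains prerouting -> forward -> postrouting and report the packet
# mark it ends up with. Interface and mark names are constructed samples.
CHAINS = ("prerouting", "forward", "postrouting")
# Per the thread: out-interface is not known before routing, and in-interface
# cannot be matched in postrouting.
HIDDEN = {"prerouting": {"out-interface"}, "forward": set(),
          "postrouting": {"in-interface"}}

def matches(rule, chain, pkt):
    # every match key on the rule must equal the packet's value and must be
    # a field that is actually visible in this chain
    return all(k not in HIDDEN[chain] and pkt.get(k) == v
               for k, v in rule["match"].items())

def run_chain(rules, chain, pkt):
    # rules are evaluated top to bottom; passthrough=no ends the chain walk
    for r in rules:
        if r["chain"] != chain or not matches(r, chain, pkt):
            continue
        key = "connection-mark" if r["action"] == "mark-connection" else "packet-mark"
        pkt[key] = r["new-mark"]
        if not r.get("passthrough", False):
            break

def final_packet_mark(rules, pkt):
    pkt = {"packet-mark": "no-mark", **pkt}
    for chain in CHAINS:
        run_chain(rules, chain, pkt)
    return pkt["packet-mark"]

# The ap9 rules from the post: the prerouting mark is overwritten in postrouting
# because both directions of a connection carry the same connection-mark.
OP_RULES = [
    {"chain": "prerouting", "match": {"connection-mark": "other-conn-ap9"},
     "action": "mark-packet", "new-mark": "other-out-pk-ap9"},
    {"chain": "postrouting", "match": {"connection-mark": "other-conn-ap9"},
     "action": "mark-packet", "new-mark": "other-in-pk-ap9"},
]
# Same intent in chain=forward, where in- and out-interface are both known.
FORWARD_RULES = [
    {"chain": "forward", "action": "mark-packet", "new-mark": "other-out-pk-ap9",
     "match": {"connection-mark": "other-conn-ap9", "in-interface": "ap9", "out-interface": "wan"}},
    {"chain": "forward", "action": "mark-packet", "new-mark": "other-in-pk-ap9",
     "match": {"connection-mark": "other-conn-ap9", "in-interface": "wan", "out-interface": "ap9"}},
]
# One packet per direction of a connection that already carries the mark
UPLOAD = {"in-interface": "ap9", "out-interface": "wan", "connection-mark": "other-conn-ap9"}
DOWNLOAD = {"in-interface": "wan", "out-interface": "ap9", "connection-mark": "other-conn-ap9"}
```

With OP_RULES both directions end with other-in-pk-ap9, so a single queue sees all of the traffic; with FORWARD_RULES the upload gets other-out-pk-ap9 and the download other-in-pk-ap9.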