Is it possible?

Once again I'm looking at QoS and once again my head hurts.

I was planning on putting a queue tree in place tonight but ran into a big issue.

This is what I want to do:

On our edge router I want to set the priority for a bunch of /32 IPs, but within each of these IPs I want to set the priority of some protocols.

Like this

Download
P1:xxx.xxx.xxx.xxx/32
P1:Http
P3:Dns
P5:Other
P7:P2P
P3:xxx.xxx.xxx.xxx/32
P1:Http
P3:Dns
P5:Other
P7:P2P

I'm trying to keep the QoS off the CPE to keep the load off the RB112s and so that I have a central place to alter QoS rules.

The trouble is this: a queue tree needs packet marks. To set priority on each of the /32s I need to packet-mark all packets from that IP. In order to set the priority of the traffic within that /32 IP I need to mark the packets again, which I can't see how to do.

Anyone know how to do this?

Something like that? (From memory, check syntax…)

/ip firewall mangle
add src-address=xxx.xxx.xxx.xxx/32 action=mark-packet new-packet-mark=from_xxxx passthrough=yes
add packet-mark=from_xxxx protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http-conn-from-xxxx passthrough=yes
add connection-mark=http-conn-from-xxxx action=mark-packet new-packet-mark=http-from-xxxx passthrough=no
add packet-mark=from_xxxx protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns-conn-from-xxxx passthrough=yes
add packet-mark=from_xxxx protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns-conn-from-xxxx passthrough=yes
add connection-mark=dns-conn-from-xxxx action=mark-packet new-packet-mark=dns-from-xxxx passthrough=no

add src-address=yyy.yyy.yyy.yyy/32 ...

You get the idea…

First mark all packets from your source-address you want to shape (and let the packet go on further down the mangle rules with passthrough=yes).
Then mark every connection having this packet-mark (i.e. coming from that address) AND fulfilling your mangle parameters, like "an HTTP connection", with a connection mark.
Finally mark all packets from the connections (like HTTP-connection) with a packet-mark which you will then use to configure your queue tree. As every packet can only hold one packet-mark, you are overwriting your packet-mark from the first rule, but you don’t need that anymore.

Of course you could just take the source-address into the rule where you create your connection-marks, but this way you only have 1 place to change the src-address. So you could just copy all rules for your next client, and just alter the src-address in the first rule for this client.

Just something to start with…

Best regards,
Christian Meis

Wouldn't that example overwrite the packet mark "from_xxxx" with "http-from-xxxx" before the packet hits the queue tree?

Yes, it will. I wrote that and was under the impression that you want to achieve exactly what you get with this: packet-marks for every combination of source address and “protocol”, to queue all those per user AND protocol.

Best regards,
Christian Meis

Well, that would be a way of doing it I guess, so rather than having 3 layers, Download - IP - Protocol, I would end up with Download - IP&Protocol.

What I'm looking for is a way to set the priority of the IP in relation to all our IPs and then set the priority of certain protocols in relation to that single IP. From the example above I can't see how it would do it; I would end up being able to assign different priorities to different protocols on different IPs, but I wouldn't be able to assign different priorities to different IPs regardless of protocol.

Sorry, I've just seen in my first post that the spacing is wrong:

  • Download
    • P1:xxx.xxx.xxx.xxx/32
      • P1:Http
      • P3:Dns
      • P5:Other
      • P7:P2P

  • Download
    • P3:xxx.xxx.xxx.xxx/32
      • P1:Http
      • P3:Dns
      • P5:Other
      • P7:P2P

OK, now I got what you want to achieve… dumb me!

I haven’t tried this myself, but could imagine the following could work:

Mark the packets as in my previous example, so that you have packet-marks on all packets for "client 1, HTTP", "client 1, DNS" etc.

Then create a simple queue just using the “target-address” (ip address of client 1) to create the “overall limit” for this customer. Let’s call it “client1_total” here.
Then create simple queues for "client 1, HTTP" and the other services, using the packet marks created by the mangle rules AND configuring "client1_total" as the parent queue for those simple queues.

Perhaps someone from MikroTik could comment (or someone else having something like that in operation)?

Best regards,
Christian Meis

Yeah, MikroTik, any ideas/comments? It seems that short of doing it via 2 routers I can't do it; really lost on this one.

Regarding Christian's example, it's better to just mark HTTP, FTP, P2P, etc. traffic with separate marks without splitting it into individual clients' flows.

Then create a parent queue that limits traffic to a particular customer using target-address as a classifier. Finally, create a bunch of child queues limiting separate traffic types by packet marks.

Eugene:
So I understand that the fact that a queue is a child of another queue will automatically make it treat only traffic that falls into its parent's queue?

So marking traffic only as “HTTP” (opposed to marking it as “HTTP for client A”) does not lead to problem here?

Best regards,
Christian Meis

PS: The good news is that this solution will work on ONE system, Beccara :wink:

Hello, 1000s of Simple Queues,

I guess that's looking to be the best option; some confirmation on what you have said and I will start putting it in place.

Smells like the start of a nice wiki guide :smiley:

Christian: yes

Hmm, I've put it in place using this template:

/ queue simple 
add name="$NAME" target-addresses=$IP/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=5 max-limit=$SPEED/$SPEED disabled=no
add name="$NAME-Critical" interface=all parent=$NAME direction=both priority=1 disabled=no packet-marks=dns-packet,http-packet,ssh-packet,ping-packet,telnet-packet,ntp-packet
add name="$NAME-Vpn" interface=all parent=$NAME direction=both priority=2 disabled=no packet-marks=gre-packet,pptp-packet,l2tp-packet
add name="$NAME-Email/Remote" interface=all parent=$NAME direction=both priority=3 disabled=no packet-marks=pop3-packet,smtp-packet,imap-packet,win-ts-packet,vnc-packet
add name="$NAME-Other" interface=all parent=$NAME direction=both priority=5 disabled=no packet-marks=other,other-tcp-packet,other-udp-packet,nntp-packet,proxy-packet,irc-packet,snmp-packet,ftp-packet,skype-packet,auth-packet
add name="$NAME-P2P" interface=all parent=$NAME direction=both priority=7 disabled=no packet-marks=p2p-packet

Trouble is it's not picking up all traffic; if I enable all of the "sub" queues the user is able to get 2 Mbit, and this doesn't show up in any of the queues.

I've checked connection tracking and all connections have a mark, and I've checked that those are all the packet marks.

Any clue what I'm missing or doing wrong?

could you provide the configuration of mangle as well?

Sure, it's big though.

/ ip firewall mangle 
add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p passthrough=no comment="" disabled=no 
add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services comment="" disabled=no 
add chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-services comment="" disabled=no 
add chain=prerouting connection-state=new action=jump jump-target=other-services comment="" disabled=no 
add chain=output protocol=tcp connection-state=new action=jump jump-target=tcp-services comment="" disabled=no 
add chain=output protocol=udp connection-state=new action=jump jump-target=udp-services comment="" disabled=no 
add chain=output connection-state=new action=jump jump-target=other-services comment="" disabled=no 
add chain=prerouting connection-state=established action=jump jump-target=packet-mark comment="" disabled=no 
add chain=output connection-state=established action=jump jump-target=packet-mark comment="" disabled=no 
add chain=udp-services protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp src-port=53 action=mark-connection new-connection-mark=dns passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp dst-port=123 action=mark-connection new-connection-mark=ntp passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp src-port=123 action=mark-connection new-connection-mark=ntp passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701 action=mark-connection new-connection-mark=l2tp passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665 action=mark-connection new-connection-mark=p2p passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672 action=mark-connection new-connection-mark=p2p passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535 action=mark-connection new-connection-mark=p2p passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053 action=mark-connection new-connection-mark=p2p passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535 action=mark-connection new-connection-mark=p2p passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535 action=mark-connection new-connection-mark=skype passthrough=no comment="" disabled=no 
add chain=udp-services protocol=udp connection-state=new action=mark-connection new-connection-mark=other-udp passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-connection new-connection-mark=ftp passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-connection new-connection-mark=ssh passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-connection new-connection-mark=telnet passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop3 passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-connection new-connection-mark=auth passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-connection new-connection-mark=nntp passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-connection new-connection-mark=imap passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=http passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465 action=mark-connection new-connection-mark=smtp passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993 action=mark-connection new-connection-mark=imap passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995 action=mark-connection new-connection-mark=pop3 passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723 action=mark-connection new-connection-mark=pptp passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3128 action=mark-connection new-connection-mark=proxy passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3987 action=mark-connection new-connection-mark=win-ts passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243 action=mark-connection new-connection-mark=p2p passthrough=no comment="" \
    disabled=no 
add chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535 action=mark-connection new-connection-mark=p2p passthrough=no comment="" \
    disabled=no 
add chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535 action=mark-connection new-connection-mark=p2p passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901 action=mark-connection new-connection-mark=vnc passthrough=no comment="" \
    disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669 action=mark-connection new-connection-mark=irc passthrough=no comment="" \
    disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889 action=mark-connection new-connection-mark=p2p passthrough=no comment="" \
    disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080 action=mark-connection new-connection-mark=http passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291 action=mark-connection new-connection-mark=winbox passthrough=no comment="" disabled=no 
add chain=tcp-services protocol=tcp action=mark-connection new-connection-mark=other-tcp passthrough=no comment="" disabled=no 
add chain=other-services protocol=icmp icmp-options=8:0-255 action=mark-connection new-connection-mark=ping passthrough=no comment="" disabled=no 
add chain=other-services protocol=gre action=mark-connection new-connection-mark=gre passthrough=no comment="" disabled=no 
add chain=other-services action=mark-connection new-connection-mark=other passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=dns action=mark-packet new-packet-mark=dns-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=ntp action=mark-packet new-packet-mark=ntp-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=l2tp action=mark-packet new-packet-mark=l2tp-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=p2p action=mark-packet new-packet-mark=p2p-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=skype action=mark-packet new-packet-mark=skype-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=other-udp action=mark-packet new-packet-mark=other-udp-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=ftp action=mark-packet new-packet-mark=ftp-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=ssh action=mark-packet new-packet-mark=ssh-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=telnet action=mark-packet new-packet-mark=telnet-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=smtp action=mark-packet new-packet-mark=smtp-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=http action=mark-packet new-packet-mark=http-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=pop3 action=mark-packet new-packet-mark=pop3-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=auth action=mark-packet new-packet-mark=auth-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=nntp action=mark-packet new-packet-mark=nntp-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=imap action=mark-packet new-packet-mark=imap-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=snmp action=mark-packet new-packet-mark=snmp-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=pptp action=mark-packet new-packet-mark=pptp-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=proxy action=mark-packet new-packet-mark=proxy-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=win-ts action=mark-packet new-packet-mark=win-ts-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=vnc action=mark-packet new-packet-mark=vnc-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=irc action=mark-packet new-packet-mark=irc-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=winbox action=mark-packet new-packet-mark=winbox-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=other-tcp action=mark-packet new-packet-mark=other-tcp-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=gre action=mark-packet new-packet-mark=gre-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=ping action=mark-packet new-packet-mark=ping-packet passthrough=no comment="" disabled=no 
add chain=packet-mark connection-mark=other action=mark-packet new-packet-mark=other-packet passthrough=no comment="" disabled=no

You have to use passthrough=yes for all your connection-marking rules.

http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling

He says no :question: :confused:

I guess I can give it a try.

Dmitry isn’t actually marking packets in this example, but only creating connection-marks. Then it’s right to have passthrough=no.

In your example you will have to have passthrough=yes on the rules to mark connections, and passthrough=no on the rules that mark all packets belonging to a certain connection.

Best regards,
Christian Meis

OK, well I think I figured out what was wrong.

If I change passthrough to yes then everything ends up with the "other" connection mark; I've removed these catch-all rules and 99% of connections are marked.

In order to catch the other traffic I needed to create a queue with no packet marks and the same parent.

Now if only I could get P2P to be marked!

You only should have passthrough=yes for the rules with action=mark-connection. Rules with action=mark-packet should have passthrough=no in your case!

Best regards,
Christian Meis
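As an added illustration of the passthrough behaviour argued over above (this is not code from the thread or from MikroTik), here is a small Python model that parses mangle rules in the posted syntax and traces which packet mark a flow ends up with under the three variants the thread went through: the OP's passthrough=no on mark-connection, passthrough=yes with the catch-all rules still present (every flow becomes "other", as the OP observed), and passthrough=yes with the catch-alls removed. The chain-traversal semantics it assumes are stated in the docstring; the sample rules are a constructed subset of the OP's config.

```python
"""Toy model of RouterOS mangle traversal (added example, not the poster's config or
MikroTik code).  Assumed: the first packet of a flow is connection-state=new and later
ones established; passthrough=no ends mangle for that packet; a jumped chain that runs off its end returns."""
import shlex
# Constructed subset of the OP's mangle config: same chain layout and passthrough values.
OP_MANGLE = """
add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services
add chain=prerouting connection-state=new action=jump jump-target=other-services
add chain=prerouting connection-state=established action=jump jump-target=packet-mark
add chain=tcp-services protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http passthrough=no
add chain=other-services action=mark-connection new-connection-mark=other passthrough=no
add chain=packet-mark connection-mark=http action=mark-packet new-packet-mark=http-packet passthrough=no
add chain=packet-mark connection-mark=other action=mark-packet new-packet-mark=other-packet passthrough=no
"""
CONTROL = {"chain", "action", "jump-target", "passthrough", "new-connection-mark", "new-packet-mark"}

def parse_rules(text):
    """Parse 'add key=value ...' lines (the syntax posted above) into ordered dicts."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            for line in text.strip().splitlines() if line.startswith("add ")]

def matches(rule, pkt, conn):
    """Only the matchers used in the sample are modelled (single ports, no ranges)."""
    checks = {"protocol": lambda v: pkt["protocol"] == v,
              "dst-port": lambda v: pkt["dst_port"] == int(v),
              "connection-state": lambda v: pkt["state"] == v,
              "connection-mark": lambda v: conn.get("mark") == v}
    return all(checks[k](v) for k, v in rule.items() if k not in CONTROL)

def run_chain(rules, chain, pkt, conn):
    """Walk one chain in order; True means a passthrough=no rule ended processing."""
    for rule in (r for r in rules if r["chain"] == chain and matches(r, pkt, conn)):
        if rule["action"] == "jump":
            if run_chain(rules, rule["jump-target"], pkt, conn):
                return True
            continue  # sub-chain fell through: resume with the next rule here
        if rule["action"] == "mark-connection":
            conn["mark"] = rule["new-connection-mark"]   # conntrack entry, shared by the flow
        elif rule["action"] == "mark-packet":
            pkt["mark"] = rule["new-packet-mark"]        # what the queues match on
        if rule.get("passthrough", "yes") == "no":
            return True
    return False

def flow_marks(rules, protocol, dst_port, packets=3):
    """Packet mark each packet of one flow leaves mangle with (None = unmarked)."""
    conn, marks = {}, []
    for i in range(packets):
        pkt = {"protocol": protocol, "dst_port": dst_port, "mark": None,
               "state": "new" if i == 0 else "established"}
        run_chain(rules, "prerouting", pkt, conn)
        marks.append(pkt["mark"])
    return marks

def set_passthrough(rules, action, value):  # the thread's advice: yes on mark-connection
    return [{**r, "passthrough": value} if r["action"] == action else r for r in rules]

def without_marks(rules, *marks):  # drop catch-alls, as the OP did after everything became "other"
    return [r for r in rules if r.get("new-connection-mark") not in marks]
```

Flows that match no classifier come out with no packet mark at all, which is why the OP's queue with no packet marks under the same parent is needed to catch them.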