Mangle not marking all packets

Hi guys,

I want to allow several users to log in via Hotspot, but share bandwidth between them.

Setting the number of “shared users” in the hotspot user profile does not have the desired effect, so I decided to mark their packets and then queue them.

I set up a test user profile that will add each user to an address list as they log in:

/ip hotspot user profile print

name="multitest" address-pool=hs-pool-2 idle-timeout=none 
keepalive-timeout=5m status-autorefresh=2m shared-users=unlimited 
address-list="multitest" transparent-proxy=yes open-status-page=always 
advertise=no

I created two mangle rules to mark the connections and packets of users in that address list:

/ip firewall mangle print

chain=prerouting action=mark-connection new-connection-mark=multitest-conn passthrough=yes src-address-list=multitest
chain=prerouting action=mark-packet new-packet-mark=multitest-pkt passthrough=no connection-mark=multitest-conn

I then created a Queue of higher priority to limit the packets, but it’s not working because the mangle isn’t marking all of the packets.

E.g. if I download a 3MB file, then the mangle only marks 80KiB of packets.

Can anyone tell me why the mangle isn’t marking all of the packets?

Btw, I’ve also tried changing the user profile to add a packet mark to all incoming and outgoing packets, like this:

/ip hotspot user profile print

name="multitest" address-pool=hs-pool-2 idle-timeout=none 
keepalive-timeout=5m status-autorefresh=2m shared-users=unlimited 
address-list="multitest" incoming-packet-mark="multitest-pkt-in" 
outgoing-packet-mark="multitest-pkt-out" transparent-proxy=yes 
open-status-page=always advertise=no

It creates these mangle rules when the test user logs on:

chain=hotspot action=mark-packet new-packet-mark=multitest-pkt-in passthrough=yes src-address=172.23.0.13 
chain=hotspot action=mark-packet new-packet-mark=multitest-pkt-out passthrough=yes dst-address=172.23.0.13

but these mangle rules don’t mark any packets at all. NONE, not even one.

What’s going on?
Is there not some way that I can specify a parent queue for these users when I create their user profile?

All I really want, is to be able to limit this group of users so that they share the allotted bandwidth for their account. Surely there must be some kind of way to do this?

hi..

Maybe the merge of the mark-connection and mark-packet configuration is wrong. An easy way to limit them is to just use chain forward. :slight_smile:

But prerouting is the only chain I can use that will mark a packet before it gets to the queue, or do I understand the packet flow incorrectly?

I don’t understand your problem. You have seen it on your mangle config and no traffic shows?

Or no limit when you test BW speed?

The mangle does mark some packets in the first example, but not all of them. In the second example, the dynamically created mangle rules do not add packet marks when the user sends / receives data on the network. Look at IP 172.23.0.13 in the picture below.

http://mum.mikrotik.com/presentations/US10/FelixWindt.pdf
That covers how to use PCQ with Hotspots, and how to use dynamic address lists with Hotspots. Combined you can make a queue tree shared by all users logging into the same account.

It’s very useful, thanks fewi. :slight_smile:

Many thanks Fewi,

I came across that twice while I was searching for an answer, but I couldn’t make sense of it and wasn’t sure which part / parts applied to what I’m trying to do. I guess I’ve still got some learning to do… :blush:

Btw, just so I know: is there a reason why the mangle in my first post doesn’t mark all packets? Have I done it wrong?

Okay, I’ve run a few tests and I seem to have got it working!

Here’s the test configuration, for those who are interested:

/ip hotspot user profile print

name="multiuser" address-pool=hs-pool-2 keepalive-timeout=5m status-autorefresh=2m shared-users=unlimited address-list="multiuser" transparent-proxy=yes open-status-page=always advertise=no

/ip firewall mangle print

chain=prerouting action=mark-packet new-packet-mark=multiuser-up passthrough=no src-address-list=multiuser in-interface=bridge1 
chain=postrouting action=mark-packet new-packet-mark=multiuser-down passthrough=no dst-address-list=multiuser out-interface=bridge1

/queue type print

name="multiuser_download" kind=pcq pcq-rate=512000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=500 
name="multiuser_upload" kind=pcq pcq-rate=256000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=500

/queue tree print

name="multiuser-out" parent=global-out packet-mark=multiuser-down limit-at=256k queue=multiuser_download priority=8 max-limit=384k burst-limit=512k burst-threshold=256k burst-time=1m 
name="multiuser-in" parent=global-in packet-mark=multiuser-up limit-at=128k queue=multiuser_upload priority=8 max-limit=192k burst-limit=256k burst-threshold=128k burst-time=1m

Just out of interest - long weekend so can’t access a lab until Tuesday - does it stop working when you remove the out- and in-interface qualifiers?
I do not run Hotspots on software bridges so I am not entirely sure how that affects packet flow. As far as I can tell that’s the only meaningful difference between what you had originally and what is working now.

I’ve just tested it and it works fine without them, so I guess I don’t need to specify an in or out interface in the mangle rules. Specifying a src or dst address list for each rule seems to be enough.

From what I can tell, the differences are that in my first post I was using one rule, instead of two, to mark the packets. That rule only marked packets on the marked connections that were coming from the users in the src-address-list.

I’m not sure why the automatically / dynamically created rules didn’t work though.

Me neither. At a cursory glance it appears they should have.
In this situation not using connection marks is just as efficient, so it doesn’t really matter, I guess.