Mangle / Queue Tree help needed

I am a bit confused and not sure if I am missing something here.

I created Mangle rules and then created Queue Tree queues to limit the traffic in order to leave enough free bandwidth available for SIP/RTP so that I can fasttrack this to prevent delays in voice calls.

When I compare the traffic on the ether1 interface, which is the WAN interface, the download/upload figures do not seem to match the traffic on the Queue Tree screen; more specifically it seems to be the upload traffic, see attached client.jpg file.

My Mangle rules are only for TCP, but I torched the ether1 interface, and the UDP traffic going through it is minimal and does not make up the difference, so it looks like I am not catching all TCP traffic with the mangle rules.

Can you assist me in where I am going wrong or what am I missing? Thanking you in advance

# apr/18/2018 20:30:31 by RouterOS 6.41.4

# model = RouterBOARD 750 r2
/ip firewall filter
add action=accept chain=input comment="Allow VPN" dst-port=443 in-interface=ether1 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack VoIP traffic" connection-state=established,related dst-port=53,5060,5061,10000-20000 protocol=udp
add action=accept chain=forward comment="Allow Established / Related connection through Router" connection-state=established,related
add action=accept chain=forward comment="Allow new connection through Router" connection-state=new src-address-list=LocalLan
add action=accept chain=forward comment="Allow DSTNATed" connection-nat-state=dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Disallow invalid connection through Router" connection-state=invalid
add action=drop chain=forward comment="Default Forward Drop Rule"
add action=accept chain=input comment="Allow Established / Related connection to Router" connection-state=established,related
add action=accept chain=input comment="Allow new connection to Router from LAN" connection-state=new src-address-list=LocalLan
add action=drop chain=input comment="Disallow Invalid connection to Router" connection-state=invalid
add action=drop chain=input comment="Default Input Drop Rule"



# apr/18/2018 20:31:06 by RouterOS 6.41.4

# model = RouterBOARD 750 r2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="SIP Server" dst-port=5060,5061,10000-20000 in-interface=ether1 protocol=udp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment=CCTV dst-port=8000,37777 in-interface=ether1 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment="CCTV Saber" dst-port=88,10000 in-interface=ether1 protocol=tcp to-addresses=192.168.1.6
add action=dst-nat chain=dstnat comment="Alarm 1 & 2" dst-port=37111 in-interface=ether1 protocol=tcp to-addresses=192.168.1.240



# apr/18/2018 20:31:45 by RouterOS 6.41.4

# model = RouterBOARD 750 r2
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=video_con passthrough=yes protocol=tcp src-address=192.168.1.57
add action=mark-packet chain=forward connection-mark=video_con new-packet-mark=video_pkt passthrough=no protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new new-connection-mark=rest_con passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-packet chain=forward connection-mark=rest_con new-packet-mark=rest_pkt passthrough=no protocol=tcp


# apr/18/2018 20:32:26 by RouterOS 6.41.4

# model = RouterBOARD 750 r2
/ip firewall raw
add action=drop chain=prerouting dst-port=21,22,80,81,82,8080,8081,8082,8089,8181,8291 in-interface=ether1 protocol=tcp


# apr/18/2018 20:33:20 by RouterOS 6.41.4

# model = RouterBOARD 750 r2
/queue tree
add max-limit=17M name=Up_Q parent=ether1 queue=default
add limit-at=12M max-limit=17M name=Rest_Up packet-mark=rest_pkt parent=Up_Q priority=7 queue=default
add limit-at=5M max-limit=10M name=Video_Up packet-mark=video_pkt parent=Up_Q queue=Video_Qs
add max-limit=17M name=Down_Q parent=bridge1 queue=default
add limit-at=12M max-limit=17M name=Rest_Down packet-mark=rest_pkt parent=Down_Q priority=7 queue=default
add limit-at=5M max-limit=10M name=Video_Down packet-mark=video_pkt parent=Down_Q queue=Video_Qs

[attachment: Client.jpg]

Anyone?

If you need more info, please let me know and I will gladly provide

Ok, fixed it, but still very confused why the "connection-mark=no-mark" did not work.

Applied below changes to Mangle and the queues now reflect same as interface view

# apr/19/2018 18:30:13 by RouterOS 6.41.4

# model = RouterBOARD 750 r2
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=video_con passthrough=yes protocol=tcp src-address-list=VideoMon
add action=mark-packet chain=forward connection-mark=video_con new-packet-mark=video_pkt passthrough=no
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=rest_con passthrough=yes protocol=tcp src-address=192.168.1.0/24 src-address-list=!VideoMon
add action=mark-packet chain=forward connection-mark=rest_con new-packet-mark=rest_pkt passthrough=no

Is it possible that what you saw before could be explained by previously established connections (before you added your rules) that didn’t get marked?

I’d say it should and does work. When I take your original mangle rules and add some logging (and change addresses to mine):

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=video_con passthrough=yes \
    protocol=tcp src-address=192.168.80.10 log=yes log-prefix=match1 
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new new-connection-mark=rest_con passthrough=yes \
    protocol=tcp src-address=192.168.80.0/24 log=yes log-prefix=match2 
add action=log chain=prerouting connection-mark=video_con log-prefix=video_con
add action=log chain=prerouting connection-mark=rest_con log-prefix=rest_con

I get:

20:07:43 firewall,info match1 prerouting: in:internal out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.80.10:58666->192.168.80.183:12345, len 48 
20:07:43 firewall,info video_con prerouting: in:internal out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.80.10:58666->192.168.80.183:12345, len 48 

20:08:01 firewall,info match2 prerouting: in:internal out:(unknown 0), src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN), 192.168.80.1:55250->192.168.80.183:12345, len 60 
20:08:01 firewall,info rest_con prerouting: in:internal out:(unknown 0), src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN), 192.168.80.1:55250->192.168.80.183:12345, len 60

@Sob,

That traffic stayed like that for days on end, even after I restarted the router. From the screenshot in the Queue Tree view, you can see that I did get traffic with the original mangle rules, but the utilization of Up_Q did not match that of the ether1 (WAN) interface. From the screenshots, ether1 (WAN) in the Interface view was transmitting 8Mbps and receiving 4Mbps, but in the Queue Tree view Up_Q only reflected 70kbps, which should be identical or very close to ether1 in the Interface view. So there was traffic that the rule matched, but it seems not all traffic.

Maybe we discovered a bug?

It’s hard to tell without seeing it live. Plus queues are not my thing. But I don’t see any obvious explanation. And if the change helped…

If it were a bug, I'm not sure where exactly, when the only change was in the connection marking rules. There's basically no difference. The first rule changed src-address=192.168.1.57 to src-address-list=VideoMon, so that's no functional change at all. All that's left is connection-mark=no-mark changed to src-address-list=!VideoMon in the second rule. And it's still the same thing.

Previously, if first rule matched the source, connection was marked and connection-mark=no-mark couldn’t match in second rule. Now the second rule is based on source not being in the list. If the problem is here, I just don’t see it.

This morning when I checked the router, the same problem was back, i.e. ether1 (WAN) transmitting at 10Mbps but Up_Q only showing 170kbps, so now I removed the connection-state=new from the mangle rules and the Q is reflecting correctly again…

Something else I noticed: I have the tcp protocol specified in the mangle rule marking the connections, but when I looked at the connections in the firewall, some udp (sip) packets showed the connection mark also.

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle#Marking_packets

This wiki suggests using chain forward.
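As an added example (not a config posted by anyone in this thread), here is the mangle layout the wiki page describes, applied to the marks and address list used above. Connection marking moves into the forward chain and drops connection-state=new, so a TCP connection that already existed when the rules were loaded is still marked on its next forwarded packet instead of staying unmarked for its whole lifetime; connection-mark=no-mark on both mark-connection rules keeps a connection from being re-marked once it has a mark. The address-list name VideoMon and the mark names are the thread's own; the comments and the check commands at the end are my additions.

```routeros
/ip firewall mangle
# Video monitoring hosts first: mark only connections that carry no mark yet,
# so an already-marked connection is never rewritten on later packets.
add action=mark-connection chain=forward comment="video connections" \
    connection-mark=no-mark new-connection-mark=video_con passthrough=yes \
    protocol=tcp src-address-list=VideoMon
# Everything else from the LAN. Replies to inbound dst-nat connections
# (CCTV, alarm) also have a LAN source address, so they are caught here too.
add action=mark-connection chain=forward comment="other LAN TCP connections" \
    connection-mark=no-mark new-connection-mark=rest_con passthrough=yes \
    protocol=tcp src-address=192.168.1.0/24
# Packet marks are what the queue tree matches on; mark both directions of
# each marked connection. passthrough=no stops processing once a packet is marked.
add action=mark-packet chain=forward connection-mark=video_con \
    new-packet-mark=video_pkt passthrough=no
add action=mark-packet chain=forward connection-mark=rest_con \
    new-packet-mark=rest_pkt passthrough=no

# Checks: the connection table should show a mark on every tracked TCP flow
# (look for an empty connection-mark column on tcp entries), and the queue
# tree counters should then track the ether1 interface rate.
/ip firewall connection print where protocol=tcp
/ip firewall connection print where connection-mark=rest_con
/queue tree print stats
```

One caveat worth keeping in mind with this layout: packets of a fasttracked connection bypass the mangle chains, so they never receive a packet mark and never land in the child queues. That is what is wanted for the UDP voice traffic the filter rule fasttracks, but if that fasttrack rule were ever widened to cover TCP, the TCP traffic would silently disappear from Up_Q and Down_Q in the same way as described in this thread.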

Uhmmm, that might be, as connection marking is in the prerouting chain and packet marking is in the forward chain, not matching apples with apples...

It is working now, will monitor and if any issues, will try this.

Thx frogs