I have a problem which I hope someone can help me with.
My scenario is very simple: one VPLS circuit set up from point A to B using an RB133 and an x86 PC, both running v3.10.
The circuit is working fine with customer traffic, but I am unable to rate limit the circuit.
I have tried setting up connection / packet marking on the interfaces in the bridge but the firewall rules see no traffic.
I have tried turning on the 'Use IP Firewall' setting in the bridge settings, and then the firewall sees some traffic but not all, because the customer is using VLANs. So I turned on 'Use IP Firewall for VLAN' in the bridge settings, which causes the customer's traffic to stop completely.
I have tried setting up packet marking in the bridge filter and I see the bytes and packets counters increment; I even set the action to 'log' and verified that the correct packets were being marked, but then the queue doesn't see the packet marks for some reason.
Can anyone shed any light on this problem for me? It is important to note that the circuit needs to be completely transparent to the customer, as in they should be able to put whatever protocols they like through the circuit and the queue / firewall should rate limit it without knowing what it is.
I’m assuming that it can be done as MPLS/VPLS are carrier grade technologies by definition and carriers don’t often know or care what their circuits are being used for.
How do you configure the limiting queue? You have to use 'queue tree' if you want to limit traffic that does not pass the IP firewall.
Can you explain more? I have tried simple queues and queue tree and had no luck with either.
Here is a working example:
[admin@R1] > /interface vpls print
Flags: X - disabled, D - dynamic, R - running, B - bgp-signaled
0 R name="vpls1" mtu=1500 mac-address=02:35:99:D7:83:C4 arp=enabled disable-running-check=no remote-peer=9.9.9.5 vpls-id=1:1
[admin@R1] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 ether2 vpls-bridge 0x80 10 none
1 vpls1 vpls-bridge 0x80 10 none
[admin@R1] > /interface bridge filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=mark-packet new-packet-mark=lala in-interface=ether2
[admin@R1] > /queue tree print
Flags: X - disabled, I - invalid
0 name="queue1" parent=vpls1 packet-mark=lala limit-at=10000 queue=default priority=8 max-limit=10000 burst-limit=0 burst-threshold=0 burst-time=0s
Packets that do not pass IP firewall do not pass through ‘queue simple’. Taking into account that you want to provide completely transparent circuit, you can not assume that your customer is passing only IP. Therefore you have to use ‘queue tree’ like in the above example.
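As an added example (not part of the original post), the following RouterOS commands produce the configuration shown in the 'print' output above. They assume the MPLS/LDP underlay is already up and that 9.9.9.5 is the remote PE loopback, as in the post. The second bridge filter rule, the 'lala-in' mark and 'queue2' are an assumption added here to cover the return direction, which the reply's example does not show; the rate of 10000 bits/s is taken from the example and is not a sensible production value.

```routeros
# Added example, not from the original post. Assumes the MPLS/LDP underlay
# exists and 9.9.9.5 is the remote PE loopback (values taken from the post).
/interface vpls
add name=vpls1 remote-peer=9.9.9.5 vpls-id=1:1 disabled=no

/interface bridge
add name=vpls-bridge

/interface bridge port
add bridge=vpls-bridge interface=ether2
add bridge=vpls-bridge interface=vpls1

# Mark in the bridge filter (layer 2), so the mark is applied regardless of
# what the customer carries (IP, non-IP, VLAN-tagged). The IP firewall never
# sees this traffic while 'use-ip-firewall' is left off, which also keeps the
# circuit transparent. passthrough=yes lets later filter rules still match.
/interface bridge filter
add chain=forward in-interface=ether2 action=mark-packet new-packet-mark=lala passthrough=yes
# Return direction (assumption, not in the original example):
add chain=forward in-interface=vpls1 action=mark-packet new-packet-mark=lala-in passthrough=yes

# Queue tree: parent is the EGRESS interface for the marked direction.
# Traffic marked on ingress ether2 leaves via vpls1, and vice versa.
/queue tree
add name=queue1 parent=vpls1 packet-mark=lala limit-at=10000 max-limit=10000 queue=default
# Return direction (assumption, not in the original example):
add name=queue2 parent=ether2 packet-mark=lala-in limit-at=10000 max-limit=10000 queue=default
```

To confirm the marks reach the queues, compare the counters of '/interface bridge filter print stats' with those of '/queue tree print stats' while customer traffic is flowing; if the filter counters increase and the queue counters do not, the parent interface or packet-mark name on the queue does not match the direction being marked.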
I have the following implemented as per your instructions and can see the packet and byte counters incrementing in the bridge filters, but the queue statistics show no traffic. Is this likely to be a bug, do you think?
[admin@MikroTik] > /interface vpls print
Flags: X - disabled, D - dynamic, R - running, B - bgp-signaled
0 R name="COLLINGWOOD_AREA" mtu=1500 mac-address=02:3E:0E:F5:0B:75 arp=enabled disable-running-check=no remote-peer=172.16.30.6 vpls-id=400:0
[admin@MikroTik] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 COLLINGWOOD_AREA THELOOP_BRIDGE 0x80 10 none
1 The_Loop_Interface THELOOP_BRIDGE 0x80 10 none
[admin@MikroTik] > /interface bridge filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=mark-packet new-packet-mark=mark_in in-interface=COLLINGWOOD_AREA
1 chain=forward action=mark-packet new-packet-mark=mark_out in-interface=The_Loop_Interface
The most important is how your queue config looks (post ‘/queue tree print’).
Oops, sorry.
[admin@MikroTik] > /queue tree print
Flags: X - disabled, I - invalid
0 name="queue1" parent=The_Loop_Interface packet-mark=mark_in limit-at=2000000 queue=default priority=8 max-limit=2000000 burst-limit=0 burst-threshold=0 burst-time=0s
1 name="queue2" parent=COLLINGWOOD_AREA packet-mark=mark_out limit-at=2000000 queue=default priority=8 max-limit=2000000 burst-limit=0 burst-threshold=0 burst-time=0s
Config looks correct. I suppose you should confirm that you still have this problem with the latest version and then contact support with a supout file.
Hi Mplsguy,
I’m also interested in this exact setup, so thanks for posting the config.
Tprice, I just tried this out on a network of 5 vmware based MT 3.10 machines and worked straight up. Maybe you have something missing in your config?
Rich