PCC and QoS at the same time

Hello everyone,

I have been tasked with getting both PCC and QoS working at the same time. I have reviewed this website,
http://mikrotikuniversity.com/index.php/2010/11/mikrotik-layer3-gateway-load-balancing/

That page claims that, to get PCC and QoS working together, you need several MikroTik routers or one really powerful machine that can emulate multiple MikroTiks. I have a setup that I feel is mostly working and uses only two routers.

The network is set up as follows:
We have one mikrotik dedicated to PCC, which has 5 interfaces.
Interfaces 1-3 are my gateways that I want the traffic load spread over.
Interface 4 is used for nothing.
Interface 5 connects to another router which will handle QoS.

The QoS router is connected to the PCC router on interface 1.
The rest of its ports are bridged and are the LAN connection.
There is also a VLAN associated with the bridge.

However, I notice something very strange. Traffic seems to be balanced over the 3 connections when coming into the PCC router, but everything leaving seems to be on Interface 2.

If anyone can help in any way, I would greatly appreciate it. My actual configs will appear in a subsequent post.

---------- PCC Router -----------

Addresses

# PCC router addressing. ether5 (192.168.0.1/24) is the link to the QoS router;
# ether1, ether2 and ether3 each sit in one uplink subnet.
# NOTE(review): the two /29 addresses are publicly routable and are posted
# verbatim; substitute documentation ranges when sharing a config.
/ip address
add address=192.168.0.1/24 broadcast=192.168.0.255 comment="" disabled=no interface=ether5 network=192.168.0.0
add address=68.164.219.6/29 broadcast=68.164.219.7 comment="" disabled=no interface=ether1 network=68.164.219.0
add address=66.166.13.62/29 broadcast=66.166.13.63 comment="" disabled=no interface=ether2 network=66.166.13.56
add address=172.16.0.2/24 broadcast=172.16.0.255 comment="" disabled=no interface=ether3 network=172.16.0.0

Routes

# Default routes on the PCC router.
# The first three sit in the to_ISP1 / to_ISP2 / to_ISP3 routing tables and are
# used only by packets that carry the matching routing-mark (set in mangle).
# The last three are in the main table and give unmarked traffic a failover
# order across the same gateways (distance 1, then 2, then 3).
# check-gateway=ping probes only the next-hop address: a gateway that still
# answers ping but has lost its upstream is treated as up.
# NOTE(review): each marked table holds a single route; confirm what should
# happen to connections already marked for an uplink whose gateway goes down.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=68.164.219.1 routing-mark=to_ISP1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=66.166.13.57 routing-mark=to_ISP2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.1 routing-mark=to_ISP3 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=68.164.219.1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=66.166.13.57 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=172.16.0.1 scope=30 target-scope=10

Mangle Rules

# PCC mangle rules. Rules are evaluated top to bottom, so the order below is
# part of the behaviour.
# NOTE(review): the post includes no /ip firewall filter or nat rules for this
# router. Mangle marks only steer traffic; they do not restrict what can reach
# the router on ether1-ether3. Confirm input/forward filtering exists.
/ip firewall mangle
# Traffic from the LAN side (ether5) to the directly connected uplink subnets
# is accepted here, which ends mangle processing for it: it gets no connection
# or routing mark and is routed by the main table.
add action=accept chain=prerouting comment="" disabled=no dst-address=68.164.219.0/29 in-interface=ether5
add action=accept chain=prerouting comment="" disabled=no dst-address=66.166.13.56/29 in-interface=ether5
add action=accept chain=prerouting comment="" disabled=no dst-address=172.16.0.0/24 in-interface=ether5
# Connections that first arrive on an uplink and carry no mark yet are tagged
# with that uplink's connection mark, so their replies can be sent back out
# through the interface they came in on.
add action=mark-connection chain=prerouting comment="" connection-mark=no-mark disabled=no in-interface=ether1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-mark=no-mark disabled=no in-interface=ether2 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-mark=no-mark disabled=no in-interface=ether3 new-connection-mark=ISP3_conn passthrough=yes
# Unmarked connections from ether5 to non-local destinations are split into
# three buckets by the per-connection classifier. both-addresses hashes the
# source/destination address pair, so all connections between the same two
# addresses land on the same uplink.
# NOTE(review): no NAT is shown on either router. If the QoS router source-NATs
# the LAN, every packet reaches ether5 with one source address and the hash
# then varies with the destination address only - confirm.
add action=mark-connection chain=prerouting comment="" connection-mark=no-mark disabled=no dst-address-type=!local in-interface=ether5 new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/0
add action=mark-connection chain=prerouting comment="" connection-mark=no-mark disabled=no dst-address-type=!local in-interface=ether5 new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/1
add action=mark-connection chain=prerouting comment="" connection-mark=no-mark disabled=no dst-address-type=!local in-interface=ether5 new-connection-mark=ISP3_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/2
# Packets entering on ether5 that belong to a marked connection receive the
# routing mark that selects the matching to_ISPn default route.
add action=mark-routing chain=prerouting comment="" connection-mark=ISP1_conn disabled=no in-interface=ether5 new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=ISP2_conn disabled=no in-interface=ether5 new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=ISP3_conn disabled=no in-interface=ether5 new-routing-mark=to_ISP3 passthrough=yes
# The same routing marks are applied in the output chain, i.e. to packets the
# router itself generates for a marked connection.
add action=mark-routing chain=output comment="" connection-mark=ISP1_conn disabled=no new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=ISP2_conn disabled=no new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=ISP3_conn disabled=no new-routing-mark=to_ISP3 passthrough=yes

---------- /PCC Router ----------

---------- QoS Router -----------
Address

# QoS router addressing: ether1-gateway shares 192.168.0.0/24 with the PCC
# router, bridge1 carries the 10.0.0.0/21 LAN, and vlan17 carries
# 192.168.96.0/21.
/ip address
add address=192.168.0.2/24 broadcast=192.168.0.255 comment="" disabled=no \
    interface=ether1-gateway network=192.168.0.0
add address=10.0.0.1/21 broadcast=10.0.7.255 comment="" disabled=no \
    interface=bridge1 network=10.0.0.0
add address=192.168.96.1/21 broadcast=192.168.103.255 comment="" disabled=no \
    interface=vlan17 network=192.168.96.0

Route

# Single default route: everything not directly connected goes to the PCC
# router at 192.168.0.1. No check-gateway is set on this route.
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.0.1 scope=30 target-scope=10

Mangle

# QoS classification. Each class is a run of mark-connection rules followed by
# one mark-packet rule with passthrough=no, which ends mangle processing for
# packets of that class. Rules run top to bottom, so the first class that
# claims a packet wins. The number in each comment matches the priority of the
# queue that consumes the packet mark.
# The mark-connection rules carry no connection-mark or connection-state
# condition, so they are evaluated for every packet, not just the first one of
# a connection.
# NOTE(review): classification trusts destination port and packet size, which
# the client chooses. Any traffic sent to port 443 or 53 is placed in the
# priority-1 class regardless of what it really is.
# NOTE(review): no /ip firewall filter rules are shown for this router; confirm
# that Telnet (23), SSH (22) and Winbox (8291) to the router itself are
# restricted, since the rules below only prioritise them.
/ip firewall mangle
# Class 8: traffic matched by the p2p=all-p2p matcher.
# NOTE(review): presumably encrypted P2P is not recognised by this matcher and
# falls through to a later class - verify.
add action=mark-connection chain=prerouting comment="P2P Traffic (8)" \
    disabled=no new-connection-mark=p2p_conn p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="Mark P2P Packets (8)" \
    connection-mark=p2p_conn disabled=no new-packet-mark=p2p passthrough=no
# Class 7 (download): TCP ports 110, 995, 143, 993 and 25.
add action=mark-connection chain=prerouting comment="Mail (7)" disabled=no \
    dst-port=110 new-connection-mark=download_conn passthrough=yes protocol=\
    tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    995 new-connection-mark=download_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    143 new-connection-mark=download_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    993 new-connection-mark=download_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    25 new-connection-mark=download_conn passthrough=yes protocol=tcp
# Port-80 connections that have already transferred 500000 bytes or more.
add action=mark-connection chain=prerouting comment="HTTP Downloads (7)" \
    connection-bytes=500000-0 disabled=no dst-port=80 new-connection-mark=\
    download_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="FTP (7)" disabled=no \
    dst-port=20 new-connection-mark=download_conn passthrough=yes protocol=\
    tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    21 new-connection-mark=download_conn passthrough=yes protocol=tcp
# Port 22 is split by packet size: packets of 1400-1500 bytes are treated as
# SFTP here, smaller ones as interactive SSH in class 1 below. Once a
# connection is marked download_conn, the mark-packet rule that follows claims
# all its later packets before the SSH rule is reached.
add action=mark-connection chain=prerouting comment="SFTP (7)" disabled=no \
    dst-port=22 new-connection-mark=download_conn packet-size=1400-1500 \
    passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="Mark Download Packets (7)" \
    connection-mark=download_conn disabled=no new-packet-mark=download \
    passthrough=no
# Class 1 (ensign): DNS, ICMP, Telnet, HTTPS, small-packet SSH, short HTTP
# connections and Winbox.
add action=mark-connection chain=prerouting comment="DNS (1)" disabled=no \
    dst-port=53 new-connection-mark=ensign_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    53 new-connection-mark=ensign_conn passthrough=yes protocol=udp
# All ICMP, of any type or rate, goes to the top class.
# NOTE(review): a sustained ICMP stream therefore competes at priority 1.
add action=mark-connection chain=prerouting comment="ICMP (1)" disabled=no \
    new-connection-mark=ensign_conn passthrough=yes protocol=icmp
# NOTE(review): Telnet is a cleartext protocol; confirm it is still required.
add action=mark-connection chain=prerouting comment="Telnet (1)" disabled=no \
    dst-port=23 new-connection-mark=ensign_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="HTTPS (1)" disabled=no \
    dst-port=443 new-connection-mark=ensign_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="SSH (1)" disabled=no \
    dst-port=22 new-connection-mark=ensign_conn packet-size=0-1400 \
    passthrough=yes protocol=tcp
# Port-80 connections that have transferred at most 500000 bytes so far.
add action=mark-connection chain=prerouting comment="HTTP Requests (1)" \
    connection-bytes=0-500000 disabled=no dst-port=80 new-connection-mark=\
    ensign_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="Winbox (1)" disabled=no \
    dst-port=8291 new-connection-mark=ensign_conn passthrough=yes protocol=\
    tcp
add action=mark-packet chain=prerouting comment="Mark Ensign Packets (1)" \
    connection-mark=ensign_conn disabled=no new-packet-mark=ensign \
    passthrough=no
# Class 3: destinations listed in the user_requests address list. The list
# itself is not part of this post.
add action=mark-connection chain=prerouting comment="Online game servers (3)" \
    disabled=no dst-address-list=user_requests new-connection-mark=\
    user_requests_conn passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Mark User Request Packets (3)" connection-mark=user_requests_conn \
    disabled=no new-packet-mark=user_requests passthrough=no
# Class 5: catch-all. This rule has no matcher, so every packet that was not
# claimed by a class above is marked other_conn.
add action=mark-connection chain=prerouting comment=\
    "Communication Services and Other (5)" disabled=no new-connection-mark=\
    other_conn passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Mark Communication and Other Packets (5)" connection-mark=other_conn \
    disabled=no new-packet-mark=other passthrough=no

Queues

# Root of the queue tree: one 3M cap attached to global-in, so traffic entering
# the router on any interface, in either direction, shares this limit.
# NOTE(review): global-in is a RouterOS v5-and-earlier parent; later versions
# replaced it with "global". Confirm the target version before importing.
# NOTE(review): presumably 3M is meant to sit below the combined capacity of
# the three uplinks - confirm.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=3M name=Parent parent=global-in priority=8
	
# Queue type definitions. Within this post only "default" (used by the queue
# tree leaves, bridge1 and vlan17) and "ethernet-default" (used by the ether
# ports) are referenced; both are pfifo with a 50-packet limit.
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
    sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
    red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
    5
set default-small kind=pfifo name=default-small pfifo-limit=10

# Leaf queues under Parent, one per packet mark, ordered by priority
# (1 = served first, 8 = served last). Every leaf has limit-at=0 and
# max-limit=0, so no class has a guaranteed or capped rate of its own; the
# classes differ only in priority when Parent's limit is reached.
# NOTE(review): with no limit-at on the lower classes, sustained traffic in
# the priority-1 class can presumably starve the others. Because that class is
# selected by destination port alone, consider a guaranteed rate for the lower
# classes or a max-limit on the top one.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="(1) Ensign_services" packet-mark=ensign parent=Parent \
    priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="(3) User_requests" packet-mark=user_requests parent=\
    Parent priority=3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="(5) Other_services" packet-mark=other parent=Parent \
    priority=5 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="(7) Download_services" packet-mark=download parent=\
    Parent priority=7 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="(8) P2P_services" packet-mark=p2p parent=Parent \
    priority=8 queue=default

# Per-interface queue type: the five ether ports use ethernet-default, while
# bridge1 and vlan17 use default.
/queue interface
set ether1-gateway queue=ethernet-default
set ether2-local queue=ethernet-default
set ether3-local queue=ethernet-default
set ether4-local queue=ethernet-default
set ether5-local queue=ethernet-default
set bridge1 queue=default
set vlan17 queue=default

---------- /QoS Router ----------