Please assist on queues configuration for pppoe

Hi

I’m setting up a scenario with PPPoE customers who connect to a PPPoE concentrator. I’m going to enforce bandwidth limits on each customer. In the past I had static IPs assigned to the customers and the bandwidth was enforced at the CPE side (traffic shaping). Now the traffic shaping is to be done at the PPPoE concentrator (MikroTik RB1100) based on a RADIUS attribute.

In the past, when the CPE did the traffic shaping and QoS, VoIP packets were never dropped (they are correctly marked with the DSCP field). Now with PPPoE I need to perform such QoS at the RouterBOARD.

Now the RouterBOARD creates a dynamic queue for each PPPoE customer with his bandwidth settings based on the RADIUS configuration. I’m stuck because I don’t know how to enforce QoS for VoIP (for example) with such PPPoE dynamic queues… Is this (using dynamic queues for PPPoE customers) the correct way? I saw in the forum that I can create address lists and queues by address list, etc.

Can anybody assist on this or point to the right way?

Thank you very much,
Antonio

Those dynamic queues are simple queues, which means you get bandwidth control only - there’s no assigning priority to different types of packets.

The most scalable approach would be to use RADIUS for authentication, and to dynamically assign customers to address lists on login. Search Google for “MUM QoS” and you’ll find a presentation that shows both how to strictly rate limit per user, and give priority by protocol - you can adjust that to use the dynamically adjusted address lists for the packet marking.

Thank you very much for your response. It is greatly appreciated!!

I saw that MUM presentation but I don’t fully understand how queue trees work. Are they a “per user” view that is then “automagically” instantiated per customer? Or is this instead an aggregated view of all customers and their traffic?

Thanks,
Antonio

The PCQ portion can be per user. PCQ essentially is a queue type that automagically creates internal subqueues with a CIR per subqueue based on some classifier you specify.
The available classifiers include just the destination IP address of an IP header (for traffic to the user that would be one subqueue per user) and the source IP address of an IP header (for traffic from the user that would be one subqueue per user).
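
A simplified model of the per-classifier subqueues described above, as an added example that is not part of the original posts. The user addresses and the 256k figure are taken from queue listings in this thread; the server addresses, packet size, one-second window and all function names are constructed assumptions. It goes one step beyond the post by also running a two-field classifier, which gives a user one subqueue per remote host and therefore a multiple of the intended per-user rate.

```python
from collections import defaultdict

PCQ_RATE = 256_000   # assumed pcq-rate in bits/s per subqueue (256k as in the thread's queues)
PCQ_LIMIT = 50       # packets one subqueue may hold back (pcq-limit)
PKT_BITS = 12_000    # constructed: one 1500-byte packet
USER_A, USER_B = "172.16.20.11", "172.16.20.18"
SERVERS = ["172.24.24.10", "172.24.24.11", "172.24.24.12"]  # constructed addresses

def sample_download():
    """Constructed one-second burst: A pulls from three servers, B from one."""
    pkts = [{"src": s, "dst": USER_A, "bits": PKT_BITS} for s in SERVERS for _ in range(40)]
    pkts += [{"src": SERVERS[0], "dst": USER_B, "bits": PKT_BITS} for _ in range(40)]
    return pkts

def pcq_shape(packets, classifier, rate=PCQ_RATE, limit=PCQ_LIMIT):
    """Simplified one-second model: each subqueue forwards up to `rate` bits,
    holds up to `limit` further packets, and drops the rest."""
    stats = defaultdict(lambda: {"sent": 0, "queued": 0, "dropped": 0})
    for pkt in packets:
        sub = stats[tuple(pkt[f] for f in classifier)]  # classifier picks the subqueue
        if sub["queued"] == 0 and sub["sent"] + pkt["bits"] <= rate:
            sub["sent"] += pkt["bits"]
        elif sub["queued"] < limit:
            sub["queued"] += 1
        else:
            sub["dropped"] += 1
    return dict(stats)

def sent_per_user(stats, classifier):
    """Sum forwarded bits per destination (user) address across subqueues."""
    idx = classifier.index("dst")
    totals = defaultdict(int)
    for key, sub in stats.items():
        totals[key[idx]] += sub["sent"]
    return dict(totals)

if __name__ == "__main__":
    for classifier in (("dst",), ("src", "dst")):
        stats = pcq_shape(sample_download(), classifier)
        print(classifier, len(stats), "subqueues", sent_per_user(stats, classifier))
```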

Hi fewi,

Can I change the interface name of the dynamic simple queue of the Hotspot server? Please help me to do it.

   D name="<hotspot-otgoo>" target-addresses=172.16.24.17/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 
      queue=default-small/default-small limit-at=128k/128k max-limit=128k/128k burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s 
      total-queue=default-small

No, you cannot. Why do you think you have to? What are you trying to achieve?

I’m using the hotspot service with FreeRADIUS and it creates dynamic simple queues. Now the dynamic queues rate traffic to all networks. But I want clients to access network 172.24.24.0/24 with unlimited speed. The network 172.24.24.0/24 is my game, data and stream servers. Here are my interfaces:
Interface1 = Internet
Interface2 = Servers (data, game and stream)
Interface3 = To clients
Interface4 = Radius server

Therefore I think that if I change the interface of the dynamic queue to interface1, it won’t rate traffic from interface3 to interface2.

Now I don’t know how to do this and solve my problem.
Sample.jpg

There are several possible solutions. Here’s the one I would prefer:
Queue trees attached to global-in and global-out fire before simple queues do, and the simple queues don’t get evaluated for packets that match them. Packets that don’t match fall through to the simple queues. That makes it possible to mark packets and pass them through a queue with a very large rate limit, such as 1Gbps, and effectively exempt them from being rate limited.

In your scenario you would want to mark all packets that match traffic between the users and the data servers. This has to be done in specific chains so that the packets are marked before global-in and global-out queues fire, refer to the packet flow wiki page for details.

# Mark user <-> server traffic before the global-in / global-out queues fire
/ip firewall mangle
add chain=prerouting src-address=172.16.0.0/16 dst-address=172.24.24.0/24 action=mark-packet new-packet-mark=exempt-upload
add chain=postrouting src-address=172.24.24.0/24 dst-address=172.16.0.0/16 action=mark-packet new-packet-mark=exempt-download
# Send the marked packets through 1 Gbps queue trees so the simple queues never see them
/queue tree
add parent=global-in limit-at=1000000000 packet-mark=exempt-upload
add parent=global-out limit-at=1000000000 packet-mark=exempt-download

Ohh, thank you so much fewi. It works.
But strangely, upload traffic is rated by the simple dynamic queue. Do you have any other advice for me about the upload flow?

Fewi, also when I start uploading data, the download speed goes down.
Do you have another idea for setting a src & dst based queue unrelated to the dynamic simple queue?

/ip firewall export
/ip address print detail
/ip route print detail
/queue export

What I posted should work.

Here is my configuration:

[otgoo@Testing] > ip fire ex
# oct/12/2010 16:00:55 by RouterOS 4.5
# software id = S17R-9NMM
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
    udp-timeout=10s
/ip firewall mangle
add action=mark-packet chain=forward comment="" disabled=no dst-address=172.16.20.0/24 new-packet-mark=FrMOBINET_ISP passthrough=yes src-address=\
    202.131.224.0/19
add action=mark-packet chain=forward comment="" disabled=no dst-address=202.131.224.0/19 new-packet-mark=ToMOBINET_ISP passthrough=yes src-address=\
    172.16.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1

[otgoo@Testing] > ip add pr det
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; to Internet - IP
     address=192.168.123.80/24 network=192.168.123.0 broadcast=192.168.123.255 interface=ether1 actual-interface=ether1 

 1   ;;; to Radius - IP:192.168.100.3/24
     address=192.168.100.3/24 network=192.168.100.0 broadcast=192.168.100.255 interface=ether3 actual-interface=ether3 

 2   ;;; Japan Town 
     address=172.16.20.1/23 network=172.16.20.0 broadcast=172.16.21.255 interface=ether2 actual-interface=ether2 

 3   ;;; New 1r khoroolol
     address=172.16.24.1/23 network=172.16.24.0 broadcast=172.16.25.255 interface=ether4 actual-interface=ether4 

[otgoo@Testing] > ip rou pr det
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.123.250 gateway-status=192.168.123.250 reachable ether1 distance=1 scope=30 target-scope=10 

 1 ADC  dst-address=172.16.20.0/23 pref-src=172.16.20.1 gateway=ether2 gateway-status=ether2 reachable distance=0 scope=10 

 2 ADC  dst-address=172.16.24.0/23 pref-src=172.16.24.1 gateway=ether4 gateway-status=ether4 unreachable distance=0 scope=200 

 3 ADC  dst-address=192.168.100.0/24 pref-src=192.168.100.3 gateway=ether3 gateway-status=ether3 unreachable distance=0 scope=200 

 4 ADC  dst-address=192.168.123.0/24 pref-src=192.168.123.80 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10 

[otgoo@Testing] > que ex
# oct/12/2010 16:07:32 by RouterOS 4.5
# software id = S17R-9NMM
#
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
add kind=pcq name=Test-Gueue pcq-classifier=src-address,dst-address pcq-limit=50 pcq-rate=1024000 pcq-total-limit=2000
set default-small kind=pcq name=default-small pcq-classifier="" pcq-limit=50 pcq-rate=0 pcq-total-limit=2000
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=MN-Upload packet-mark=ToMOBINET_ISP parent=global-in priority=1 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=MN-Download packet-mark=FrMOBINET_ISP parent=global-out priority=1 \
    queue=default
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set pppoe-in1 queue=default

[otgoo@Testing] > que sim prin det
Flags: X - disabled, I - invalid, D - dynamic 
 0  D name="<hotspot-otgoo>" target-addresses=172.16.20.11/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 
      queue=default-small/default-small limit-at=256k/256k max-limit=256k/256k burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s 
      total-queue=default-small 

 1  D name="<hotspot-booloo>" target-addresses=172.16.20.18/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 
      queue=default-small/default-small limit-at=256k/256k max-limit=256k/256k burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s 
      total-queue=default-small 

 2  D name="hs-<MobiNet JapanTown>" dst-address=0.0.0.0/0 interface=ether2 parent=none direction=both priority=8 queue=hotspot-default/hotspot-default 
      limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small 

 3  D name="hs-<1r horoolol>" dst-address=0.0.0.0/0 interface=ether4 parent=none direction=both priority=8 queue=hotspot-default/hotspot-default limit-at=0/0 
      max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small

Please check my configuration and tell me how to correct it. Thanks

The IP addressing in that export is different from your topology drawing, so make sure it’s appropriate for the prerouting and postrouting chains in those mangle rules. Refer to the packet flow diagram to ensure you’re aware of where you are in NAT and whether IPs have been translated or not. It looks OK, but I cannot be sure. More importantly, queues don’t take if you leave all their settings at default, which you seem to have done - set max-limit to 1000000000 on those queue trees like I initially posted. That export shows it at 0.

Then test again.

Thanks Fewi,
I changed max-limit to 0 after it didn’t work with max-limit=4096K, and forgot to set max-limit back.

I’ll try again and I’ll post here once I can solve my problem. Thanks again Fewi :)

I have solved my problem. Your post was right. I removed all configuration and reconfigured again carefully, step by step. Now it’s working very, very nicely. Thank you very much fewi…