Please help - simple rate limit not working

I’ve been trying to get a simple rate limit inbound and outbound for one interface only - on doing a speed test, the limit doesn’t apply.

Any ideas on how to debug this? I have done some CLI configuration before for dual WAN but not QoS so I’m not sure where to start.

Setup is hEX router with 6.40.9 using multiple WAN links - this one is ethernet to Huawei 4G router. To reduce data costs since this is a failover link at home, I want to limit downstream to 8 Mbps (1 GB / hour, for Netflix SD video) and upstream to 4 Mbps.

Current queue config is only for this interface:

/queue simple
add dst=WAN1-Huawei4G max-limit=4M/8200k name=limit-4G target=""

# Only one queue
/queue simple> print
 0    name="limit-4G" target="" dst=WAN1-Huawei4G parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=0/0 max-limit=4M/8200k burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1

There are no other queues of any type, but there is some minor firewalling/mangling.

The above is meant to cover all traffic on the interface. I don’t need to classify by protocol/IP, just by interface - the main WAN interface is normally up and should not be limited, failover is done by removing the main WAN ethernet cable.

I have looked in the RouterOS By Example book and the manuals, plus the QoS wiki page - I’m sure I’m missing something basic.

Full config, in case it helps:

# apr/24/2020 06:15:47 by RouterOS 6.40.9
# software id = TTBC-QLI8
#
# model = RouterBOARD 750G r3
/interface ethernet
set [ find default-name=ether2 ] comment="LAN, port 2" name=LAN
set [ find default-name=ether1 ] comment="WAN1 Huawei4G, port 1" name=WAN1-Huawei4G
set [ find default-name=ether5 ] comment="WAN2 WISP, port 5" name=WAN2-WISP
set [ find default-name=ether3 ] comment="LAN to router testbed"
set [ find default-name=ether4 ] master-port=LAN
/ip neighbor discovery
set WAN1-Huawei4G discover=no
set WAN2-WISP discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.3.100-192.168.3.149
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=LAN name=defconf
/queue simple
add dst=WAN1-Huawei4G max-limit=4M/8200k name=limit-4G target=""
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip address
add address=192.168.3.249/24 comment=LAN interface=LAN network=192.168.3.0
add address=192.168.0.64/24 interface=WAN2-WISP network=192.168.0.0
add address=192.168.88.190/24 comment="LAN to router testbed" interface=ether3 network=192.168.88.0
/ip dhcp-client
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=WAN1-Huawei4G
/ip dhcp-server network
add address=192.168.3.0/24 comment=defconf gateway=192.168.3.249
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.3.249 name=fw
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN1-Huawei4G
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN1-Huawei4G
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN2-WISP
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN2-WISP
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WAN1-Huawei4G
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WAN2-WISP
/ip route
add check-gateway=ping distance=1 gateway=192.168.0.1
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.88.2
add distance=1 dst-address=192.168.99.0/24 gateway=192.168.88.2
/ip service
set telnet disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub disabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=fw
/system ntp client
set enabled=yes primary-ntp=90.207.238.105 secondary-ntp=130.88.200.4 server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system package update
set channel=bugfix
/system script
add name=myScript owner=richard policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":put \"Hello  !\""
/tool graphing interface
add interface=WAN2-WISP
add interface=WAN1-Huawei4G
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=LAN
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=LAN

Ping …

Any queueing is incompatible with fasttracking - fasttracked packets bypass most of the packet handling in the kernel. So disable the action=fasttrack-connection rule in /ip firewall filter and watch newly created (not already existing) connections being rate-limited.

If you need to limit only one WAN, it may make sense for you to use a selective exclusion from fasttracking in order to minimize the CPU load while keeping rate limitation working for the chosen WAN.

One loosely related point: before posting, try to think about the topic title as if you were reading it with no knowledge of the actual issue and poor knowledge of English.
I’ve understood it as “rate limit does not work on just one of the interfaces (while it does on the rest)”.

And yet another point - why 6.40.9???
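
One way to do the selective exclusion from fasttracking mentioned above, as an added example that is not part of the original thread or of any poster's configuration. The interface name comes from the posted config; the connection mark name via-4G is an assumption chosen for illustration.

```routeros
# Added example. WAN1-Huawei4G is the interface from the posted export;
# "via-4G" is a hypothetical connection mark name.

# Before (default rule in the posted config): every established/related
# forwarded connection is fasttracked, so its packets never reach the
# simple queue "limit-4G".
#   /ip firewall filter
#   add action=fasttrack-connection chain=forward connection-state=established,related

# After, step 1: mark connections that use the 4G link in either direction.
# The first packet of a connection is never fasttracked, so mangle sees it.
/ip firewall mangle
add chain=forward action=mark-connection connection-state=new \
    out-interface=WAN1-Huawei4G new-connection-mark=via-4G passthrough=yes \
    comment="4G: keep out of fasttrack"
add chain=forward action=mark-connection connection-state=new \
    in-interface=WAN1-Huawei4G new-connection-mark=via-4G passthrough=yes \
    comment="4G: keep out of fasttrack"

# After, step 2: fasttrack only connections that carry no mark, so traffic
# over WAN2-WISP stays fasttracked and traffic over the 4G link is queued.
/ip firewall filter
set [ find action=fasttrack-connection ] connection-mark=no-mark

# Simpler alternative (higher CPU load, all WANs lose fasttrack):
#   /ip firewall filter disable [ find action=fasttrack-connection ]
```

Connections that were fasttracked before the change keep bypassing the queue until they close, so run the speed test over a fresh connection.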

Thank you so much for the helpful pointers - will try them. This is a WAN only router for home usage, so probably enough to disable fast tracking - all LAN traffic goes through a switch.

Point taken about the ambiguous subject line.

I’m still on 6.40.9 just because I was aware of some non-backward compatible bridge changes in later versions from 6.41, and I’m short of time to test config changes that might require a downgrade if I don’t get them right, based on this forum comment: http://forum.mikrotik.com/t/master-port-setting-missing/116214/1

  • any tips on how to simplify this sort of upgrade very welcome

Thank you. Disabled that fast track in firewall default rule then everything works. :smiley: