Good morning,
I am lost in how to accomplish what I am trying to do.
I want to give bandwidth priority to a “physical” port on my MicoTik router.
I have found quite a few post on how to do this using TDP port priority, but can I do it via a physical port?
I am a church IT and want to give priority to my hardware streaming device.
Port 1 is WAN
Port 2 is all my network traffic
Port 5 is my streaming encoder
Thanks!
To answer your question: if, under /interface bridge settings, you set use-ip-firewall=yes, you can refer to in-bridge-port in the firewall rules used to mark packets for queueing. Or, if the traffic between LAN and WAN is routed, you may remove port 5 from the bride, create a dedicated subnet for the streamer and attach it directly to port 5.
However, I wonder how your whole setup looks like, and especially what kind of other traffic it is that competes with the streaming one. What is the actual issue, and why do you think that prioritizing the streamed video, which effectively means throttling other traffic, will resolve it?
Sindy,
Thanks for the reply!!
I have about 30-40 active computers plus all the guests that come on during a service on a Sunday.
When we begin our live broadcast, I want the stream encoder to get all the bandwidth that it needs to not drop any of our signal.
Right now, between dropbox, iCloud, facebook, youtube, and all the other things, out 50mb is being consumed extremely quickly.
Should I be thinking in a different way?
Thanks!!
Limit bandwidth of the others
Well, to me it seemed most likely that it is actually the number of remote clients subscribed to the live “broadcast” that exhausts the uplink bandwidth during the service. If the guests run their own live broadcasts (or take videos and store them into cloud online, that’s the same bandwidth-wise), or if you have a half-duplex uplink to the internet, such as a WiFi-based one, where upload and download share a common bandwidth, that’s a different case of course.
As usually with QoS, you need to classify the traffic and to enforce the bandwidth for each class.
As you’ve mentioned you wanted to prioritize the complete traffic of the encoder, you can use the information about the src-address (of the encoder), rather than the information about in-bridge-interface, to classify the traffic for use of the right queue without need for the reconfiguration I’ve suggested.
So for a full duplex uplink, i.e. where the bandwidth for upload and download is independent, and if the traffic between LAN and WAN is routed, the whole solution would look as simple as follows.
Classification:
/ip firewall mangle
add chain=prerouting src-address=ip.of.the.encoder action=mark-packet new-packet-mark=encoder
This rule must not be shadowed by any other one in chain=prerouting of /ip firewall mangle, nor must any other rule change the packet-mark assigned by this one, but I suppose you currently have no mangle rules at all. You don’t need to packet-mark any other traffic than the one from the encoder.
Enforcement:
/queue tree
add limit-at=50M max-limit=50M name=common-ul parent=ether1
add limit-at=50M max-limit=50M name=encoder-ul packet-mark=encoder parent=common-ul
add max-limit=50M name=other-ul packet-mark=no-mark parent=common-ul
The first queue limits the total bandwidth below the physical speed of the Ethernet link which connects your Mikrotik to the uplink gear, to the actual throughput of the uplink, which you’ve stated to be 50 Mbit/s; as it has the uplink interface as a parent, all its children only serve the upload traffic, whereas the download traffic bypasses any queueing.
The second queue is a child of the common one and guarantees the complete bandwidth to be given to packets marked with a packet-mark encoder if they come.
The third queue is another child of the common one and it holds all the other traffic, thanks to matching on packet-mark=no-mark; since it has no guaranteed bandwidth (no limit-at value), the traffic handled by this queue only gets the badwidth that the other child queue did not use.
There is no priority specified because in this simple case, it is implicit: the encoder-ul queue always wins because it is the only one with limit-at set above 0. Priority is only needed to control how the bandwidth unused by other queues will be distributed among multiple child queues.
Any answer can only be as detailed as the question is, hence:
Sindy,
Wow!! Thank you for all of the information and the actual way to execute this!!
We are broadcasting our stream to a company on the internet via the RTMP protocol. I do not believe that the unit requires any information back while streaming. All it does is send a MP4 compressed file via RTMP that gets rebroadcast.
We have a full duplex fiber link. True 50mb/50mb.
I am unsure of what you mean by LAN and WAN ports being switched… I have a DHCP server setup for the VLAN that the Encoder is on, and the RouterBoard is sending the traffic from port 5 to port 1. Also, not sure if this matters, i have 2 ports bridged together and instead of entering the dedicated IP
/ip firewall mangle
add chain=prerouting src-address=ip.of.the.encoder action=mark-packet new-packet-mark=encoder
I changed it to:
/ip firewall mangle
add chain=prerouting in-interface=streaming_bridge action=mark-packet new-packet-mark=encoder
I do see traffic flowing through this rule, so I think I got it!
Fascinating topic and clear amazing education.
I would like to see your config to see if it can be further optimized in any case.
/export hide-sensitive file=anynameyouwish
@sindy Confirm once you start using mangle rules the router slows down (fasttrack has to be disabled in foreward fw rules) and if so by how much?? (What is the real effect)??
OK, so no need to worry about multiple streams occupying the downstream (from the encodes’s perspective) = upload (from the router perspective) bandwidth, and no dependence on any upstream=download confirmation packets.
OK, so no need to worry about the download direction at all.
It is hard to assess the knowledge of people on the forum from a few lines they post. It is not unusual that people call the box a router because it is sold as such, but actually use it as a managed switch. So I just wanted to know that there really is routing between the encoder port and the WAN one, as it affects the necessary configuration for QoS.
And here I’m unsure about your vernacular. Do you mean a port-based VLAN, i.e. in plain words a dedicated bridge with some (two in your case) member ports, while one of these ports is free and to the other one only the encoder is connected? Or you mean a tag-based VLAN, where the encoder port is an access port to one VLAN and the other port is an access one to another VLAN, while both VLANs exist on the same bridge? The thing is that /ip firewall rules match on L3 port names, so there is a theoretical chance that the native VLAN of the streaming_bridge is not the one used by the encoder, so the mangle rule could be theoretically matching other traffic than you expect.
I wouldn’t be this sticklery if it was clear from your OP that you have dedicated a bridge with an own IP subnet for the encoder, as I’ve assumed from that post that you run the default configuration where ether1 is WAN and ether2..ether5 are members of the same bridge, and want to prioritize traffic from one of the member ports (i.e. to distinguish the encoder traffic from other traffic coming in via the same L3 interface - the common bridge).
@anav, strictly speaking the router doesn’t slow down but has to spend more effort to handle a single packet. So the traffic may slow down as a consequence - if the CPU throughput becomes more limiting than the uplink bandwidth. A total throughput of 100 Mbit/s (50+50) may be close to the limit without fasttracking and with PPPoE for older devices. The manual shows the benefits of fasttracking on a RB2011; my test shows that difference for hAP ac² (where the limit with fasttracking at both ends may actually have been the link speed of the interface); both these tests only illustrate the benefits of fasttracking, not of the throughput decrease caused by mangle rules and queue processing.
It is noteworthy that CPU core load exceeding, say, 25% except short-time spikes is already dangerous for the traffic. E.g. an IPsec rekey process may easily cause drops of unrelated packets when it spawns while the CPU is almost fully occupied by packet forwarding. But it’s quite off this topic.
And here I’m unsure about your vernacular. Do you mean a port-based VLAN, i.e. in plain words a dedicated bridge with some (two in your case) member ports, while one of these ports is free and to the other one only the encoder is connected? Or you mean a tag-based VLAN, where the encoder port is an access port to one VLAN and the other port is an access one to another VLAN, while both VLANs exist on the same bridge? The thing is that /ip firewall rules match on L3 port names, so there is a theoretical chance that the native VLAN of the streaming_bridge is not the one used by the encoder, so the mangle rule could be theoretically matching other traffic than you expect.
I wouldn’t be this sticklery if it was clear from your OP that you have dedicated a bridge with an own IP subnet for the encoder, as I’ve assumed from that post that you run the default configuration where ether1 is WAN and ether2..ether5 are members of the same bridge, and want to prioritize traffic from one of the member ports (i.e. to distinguish the encoder traffic from other traffic coming in via the same L3 interface - the common bridge).
[/quote]
Thank you again for your input here. Im sorry my OP did not have all the details. I honestly am unsure of what information is relevant in seeking out help. I know enough about networking to be dangerous. I am not an expert in any way.
Port 1 = WAN
Port 2 = Goes to my network switch and carries 6 VLANs and DCHP information for everyone
Port 3 = Empty
Port 4 & 5 = Members of streaming_bridge and VLAN 7 is assigned here with a DCHP server handling this traffic.
I will find out this Sunday if I did this correctly!
I am concerned about the comments about the load on the CPU. Where would I track this to make sure that I am not asking too much from my RouterBoard?
As this description still hasn’t removed the doubts, can you just follow the instruction in my automatic signature below?
On the hardware product page, there is always a tab called Test Results; there, you are interested in the table under Ethernet Test Results. A rule of thumb says that the throughput stated for 512 byte packets is quite informative for a mixed traffic (it’s a sum of traffic in all directions, and TCP traffic like web browsing and file transfers tends to be mixed of one small packet per one to four large ones, whereas interactive traffic like voice and video calls use small-to-mid-sized packets in both directions); your throughput will be better than the lower one of the “25 filter rules” and “25 simple queues”, at least if you don’t use PPPoE on WAN.
Running /tool profile while the service will be broadcast will tell you what is actually going on, along with running queue tree print stats interval=1s in another window. If everything is fine, you should see no packets dropped for the queue handling the RTSP, and possibly some packet drops in the queue handling the rest of the upload.
Any unnecessary handling of packets slows the machine down a bit, so e.g. if you do run VLAN 7 alone on a dedicated bridge, you may simplify the configuration and thus remove one handling step.
I appreciate all the help you're giving me.
I just ran: queue tree print stats interval=1s with the following results
0 name="common-ul" parent=ether1 packet-mark="" rate=8513992 packet-rate=2020 queued-bytes=0 queued-packets=0 bytes=9761676573 packets=13089929 dropped=0
1 name="encoder-ul" parent=common-ul packet-mark=encoder rate=7647448 packet-rate=654 queued-bytes=0 queued-packets=0 bytes=6935550363 packets=7008325 dropped=15931
2 name="other-ul" parent=common-ul packet-mark=no-mark rate=866536 packet-rate=1366 queued-bytes=0 queued-packets=0 bytes=2825497734 packets=6081174 dropped=0
It does look like the encoder rule is dropping packets.
[admin@New Life Church] > /export hide-sensitive
/interface bridge
add admin-mac=E4:8D:8C:24:C9:72 auto-mac=no fast-forward=no name="Staff / No VPN - Bridge"
add name="Streaming Ports Bridge" pvid=5 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] mac-address=E4:8D:8C:24:C9:72 name="(02)" speed=100Mbps
set [ find default-name=ether3 ] mac-address=E4:8D:8C:24:C9:73 name="(03)" speed=100Mbps
set [ find default-name=ether4 ] mac-address=E4:8D:8C:24:C9:74 name="(04) - NV33 Stream" speed=100Mbps
set [ find default-name=ether5 ] mac-address=E4:8D:8C:24:C9:75 name="(05) - Stream Programing" speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=E4:8D:8C:24:C9:76 name="(06)"
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=E4:8D:8C:24:C9:77 name="(07)"
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=E4:8D:8C:24:C9:78 name="(08)"
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=E4:8D:8C:24:C9:79 name="(09) - Microtel"
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=E4:8D:8C:24:C9:7A name="(10) - TW SIP"
set [ find default-name=sfp1 ] mac-address=E4:8D:8C:24:C9:70 name="(SFP) Interconnect" rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether1 ] mac-address=E4:8D:8C:24:C9:71 speed=100Mbps
/interface vlan
add interface="(02)" name="AV Network" vlan-id=2
add interface="(02)" name=ArtNet vlan-id=7
add interface="(02)" name=Check-In vlan-id=6
add interface="(02)" name=Communications vlan-id=8
add interface="(02)" name=Dante vlan-id=9
add interface="(02)" name=Guest vlan-id=3
add interface="Staff / No VPN - Bridge" name=Office vlan-id=1
add interface="(02)" name=Security vlan-id=4
add interface="(02)" name=Streaming vlan-id=5
add disabled=yes interface="(SFP) Interconnect" name="Video Distro 1" vlan-id=10
add disabled=yes interface="(SFP) Interconnect" name="Video Distro 2" vlan-id=11
add interface=ether1 name=vlan1 vlan-id=1
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
add name=AV ranges=192.168.1.100-192.168.1.254
add name=Guest ranges=10.10.10.2-10.10.10.254
add name=Security ranges=192.168.4.100-192.168.4.200
add name=Check-In ranges=192.168.3.2-192.168.3.254
add name=ArtNet ranges=192.168.5.100-192.168.5.200
add name=Streaming ranges=192.168.6.100-192.168.6.200
add name=Communications ranges=192.168.7.100-192.168.7.200
add name=Dante ranges=192.168.8.100-192.168.8.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface="Staff / No VPN - Bridge" lease-time=8h name=Staff
add address-pool=AV authoritative=after-2sec-delay disabled=no interface="AV Network" lease-time=8h name=AV
add address-pool=Guest authoritative=after-2sec-delay disabled=no interface=Guest name=Guest
add address-pool=Streaming authoritative=after-2sec-delay disabled=no interface="Streaming Ports Bridge" lease-time=8h name="Stream DHCP Server"
add address-pool=Check-In authoritative=after-2sec-delay disabled=no interface=Check-In lease-time=8h name=Check-In
add address-pool=ArtNet authoritative=after-2sec-delay disabled=no interface=ArtNet lease-time=8h name=ArtNet
add address-pool=Security authoritative=after-2sec-delay disabled=no interface=Security lease-time=8h name=Security
add address-pool=Communications disabled=no interface=Communications lease-time=8h name=Communications
add address-pool=Dante disabled=no interface=Dante lease-time=8h name=Dante
/queue tree
add limit-at=60M max-limit=60M name=common-ul parent=ether1
add limit-at=18M max-limit=18M name=encoder-ul packet-mark=encoder parent=common-ul
add max-limit=50M name=other-ul packet-mark=no-mark parent=common-ul
/queue type
add kind=pcq name=Upload-Staff pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-limit=0KiB pcq-rate=4M pcq-src-address6-mask=64 pcq-total-limit=5000000KiB
add kind=pcq name=Download-Staff pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-limit=0KiB pcq-rate=4M pcq-src-address6-mask=64 pcq-total-limit=5000000KiB
/queue simple
add burst-limit=2M/4M burst-threshold=2M/4M burst-time=5s/5s max-limit=2M/4M name=Guest-2 queue=pcq-upload-default/pcq-download-default target=Guest
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
add name=ssh policy=ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp
/interface bridge port
add bridge="Staff / No VPN - Bridge" hw=no interface="(06)"
add bridge="Staff / No VPN - Bridge" interface="(SFP) Interconnect"
add bridge="Staff / No VPN - Bridge" hw=no interface="(07)"
add bridge="Staff / No VPN - Bridge" hw=no interface="(08)"
add bridge="Staff / No VPN - Bridge" hw=no interface="(09) - Microtel"
add bridge="Staff / No VPN - Bridge" hw=no interface="(10) - TW SIP"
add bridge="Staff / No VPN - Bridge" interface="(02)"
add bridge="Staff / No VPN - Bridge" hw=no interface="(03)"
add bridge="Streaming Ports Bridge" interface="(04) - NV33 Stream" pvid=5
add bridge="Streaming Ports Bridge" interface="(05) - Stream Programing" pvid=5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge="Streaming Ports Bridge" untagged="Streaming Ports Bridge,(04) - NV33 Stream,(05) - Stream Programing" vlan-ids=5
/interface list member
add interface="(SFP) Interconnect" list=discover
add interface="(02)" list=discover
add interface="(03)" list=discover
add interface="(04) - NV33 Stream" list=discover
add interface="(05) - Stream Programing" list=discover
add interface="(06)" list=discover
add interface="(07)" list=discover
add interface="(08)" list=discover
add interface="(09) - Microtel" list=discover
add interface="(10) - TW SIP" list=discover
add list=discover
add interface="Staff / No VPN - Bridge" list=discover
add interface="AV Network" list=discover
add interface=Guest list=discover
add interface=Security list=discover
add interface=Check-In list=discover
add interface=Office list=discover
add interface="Video Distro 1" list=discover
add interface="Video Distro 2" list=discover
add interface=ArtNet list=discover
add interface=Streaming list=discover
add interface="(02)" list=mactel
add interface="(03)" list=mactel
add interface="(02)" list=mac-winbox
add interface="(04) - NV33 Stream" list=mactel
add interface="(03)" list=mac-winbox
add interface="(05) - Stream Programing" list=mactel
add interface="(06)" list=mactel
add interface="(04) - NV33 Stream" list=mac-winbox
add interface="(07)" list=mactel
add interface="(05) - Stream Programing" list=mac-winbox
add interface="(08)" list=mactel
add interface="(06)" list=mac-winbox
add interface="(09) - Microtel" list=mactel
add interface="(07)" list=mac-winbox
add interface="(10) - TW SIP" list=mactel
add interface="(08)" list=mac-winbox
add interface="(SFP) Interconnect" list=mactel
add list=mactel
add interface="Staff / No VPN - Bridge" list=mactel
add interface="(09) - Microtel" list=mac-winbox
add interface="(10) - TW SIP" list=mac-winbox
add interface="(SFP) Interconnect" list=mac-winbox
add list=mac-winbox
add interface="Staff / No VPN - Bridge" list=mac-winbox
add interface=ether1 list=WAN
/ip accounting
set enabled=yes
/ip accounting web-access
set accessible-via-web=yes address=192.168.1.211/32
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes interface="(02)" network=192.168.88.0
add address=OUTSIDE IP/30 interface=ether1 network=OUTSIDE IP
add address=192.168.0.1/24 interface="(06)" network=192.168.0.0
add address=192.168.1.1/24 interface="AV Network" network=192.168.1.0
add address=192.168.2.1/24 interface=Security network=192.168.2.0
add address=192.168.3.1/24 interface=Check-In network=192.168.3.0
add address=10.10.10.1/24 interface=Guest network=10.10.10.0
add address=192.168.5.1/24 interface=ArtNet network=192.168.5.0
add address=192.168.4.1/24 interface=Security network=192.168.4.0
add address=192.168.6.1/24 interface="Streaming Ports Bridge" network=192.168.6.0
add address=192.168.7.1/24 interface=Communications network=192.168.7.0
add address=192.168.8.1/24 interface=Dante network=192.168.8.0
/ip dhcp-client
add comment="default configuration" interface=ether1
/ip dhcp-server lease
add address=192.168.1.3 client-id="Lyntec Power" mac-address=00:23:50:01:00:E0 server=AV use-src-mac=yes
add address=192.168.1.4 client-id="Left Projector" mac-address=00:1F:67:45:C5:64 server=AV
add address=192.168.1.5 client-id="Center Projector" mac-address=08:00:7B:65:90:67 server=AV
add address=192.168.1.6 client-id="Right Projector" mac-address=00:1F:67:45:C7:61 server=AV
add address=192.168.1.7 client-id="London Blue" mac-address=00:0F:D4:01:1A:93 server=AV
add address=192.168.1.8 mac-address=00:A0:DE:6D:F9:83 server=AV
add address=192.168.1.9 mac-address=7C:2E:0D:01:A8:0C server=AV
add address=192.168.0.201 client-id="Mitel - Phone" mac-address=00:10:36:09:1F:96 server=Staff
add address=192.160.0.202 client-id="TW - SIP" mac-address=00:10:99:0A:28:EA server=Staff
add address=192.168.3.201 client-id=1:0:19:70:c0:42:92 mac-address=00:19:70:C0:42:92 server=Check-In
add address=192.168.3.202 client-id=1:0:19:70:c0:43:f mac-address=00:19:70:C0:43:0F server=Check-In
add address=192.168.3.200 client-id=1:d0:27:88:93:f7:d2 mac-address=D0:27:88:93:F7:D2 server=Check-In
add address=192.168.3.208 client-id=1:0:19:70:c0:42:9c mac-address=00:19:70:C0:42:9C server=Check-In
add address=192.168.3.207 client-id=1:0:19:70:c0:42:bf mac-address=00:19:70:C0:42:BF server=Check-In
add address=192.168.3.203 client-id=1:0:19:70:c0:42:97 mac-address=00:19:70:C0:42:97 server=Check-In
add address=192.168.3.206 client-id=1:0:19:70:c0:42:89 mac-address=00:19:70:C0:42:89 server=Check-In
add address=192.168.3.205 client-id=1:0:19:70:c0:42:6c mac-address=00:19:70:C0:42:6C server=Check-In
add address=192.168.3.204 client-id=1:0:19:70:c0:43:23 mac-address=00:19:70:C0:43:23 server=Check-In
add address=192.168.3.209 client-id=00:19:70:C0:D0:E3 mac-address=00:19:70:C0:D0:E3 server=Check-In
add address=192.168.4.181 client-id=1:ec:71:db:79:95:17 mac-address=EC:71:DB:79:95:17 server=Security
add address=192.168.4.180 client-id=1:ec:71:db:e9:5:ac mac-address=EC:71:DB:E9:05:AC server=Security
add address=192.168.4.179 client-id=1:ec:71:db:7a:88:69 mac-address=EC:71:DB:7A:88:69 server=Security
add address=192.168.4.178 client-id=1:ec:71:db:e7:dc:43 mac-address=EC:71:DB:E7:DC:43 server=Security
add address=192.168.4.177 client-id=1:ec:71:db:af:c:f5 mac-address=EC:71:DB:AF:0C:F5 server=Security
add address=192.168.4.176 client-id=1:ec:71:db:83:16:97 mac-address=EC:71:DB:83:16:97 server=Security
add address=192.168.4.175 client-id=1:ec:71:db:27:93:33 mac-address=EC:71:DB:27:93:33 server=Security
add address=192.168.4.174 client-id=1:ec:71:db:42:8d:1e mac-address=EC:71:DB:42:8D:1E server=Security
add address=192.168.4.173 client-id=1:ec:71:db:29:a6:f0 mac-address=EC:71:DB:29:A6:F0 server=Security
add address=192.168.4.172 client-id=1:ec:71:db:59:1c:d3 mac-address=EC:71:DB:59:1C:D3 server=Security
add address=192.168.4.171 client-id=1:ec:71:db:ff:d:89 mac-address=EC:71:DB:FF:0D:89 server=Security
add address=192.168.4.170 client-id=1:ec:71:db:9b:e2:1 mac-address=EC:71:DB:9B:E2:01 server=Security
add address=192.168.4.169 client-id=1:ec:71:db:5d:e3:f5 mac-address=EC:71:DB:5D:E3:F5 server=Security
add address=192.168.4.168 client-id=1:ec:71:db:4f:ea:4a mac-address=EC:71:DB:4F:EA:4A server=Security
add address=192.168.4.167 client-id=1:ec:71:db:f3:9f:3f mac-address=EC:71:DB:F3:9F:3F server=Security
add address=192.168.4.166 client-id=1:ec:71:db:cf:49:c3 mac-address=EC:71:DB:CF:49:C3 server=Security
add address=192.168.4.165 client-id=1:ec:71:db:aa:47:57 mac-address=EC:71:DB:AA:47:57 server=Security
add address=192.168.4.164 client-id=1:ec:71:db:d:ce:9 mac-address=EC:71:DB:0D:CE:09 server=Security
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=10.10.10.1 netmask=24
add address=192.168.0.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.2.1 netmask=24
add address=192.168.3.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.3.1 netmask=24
add address=192.168.4.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.4.1 netmask=24
add address=192.168.5.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.5.1 netmask=24
add address=192.168.6.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.6.1 netmask=24
add address=192.168.7.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.7.1 netmask=24
add address=192.168.8.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.8.1 netmask=24
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=10.10.10.0/24 list=local_networks
add address=192.168.0.0/24 list=local_networks
add address=192.168.1.0/24 list=local_networks
add address=192.168.2.0/24 list=local_networks
add address=192.168.3.0/24 list=local_networks
add address=192.168.4.0/24 list=local_networks
add address=192.168.5.0/24 list=local_networks
add address=192.168.6.0/24 list=local_networks
add address=192.168.168.55 list=block_this
add address=226.2.2.2 list=block_this
/ip firewall filter
add action=accept chain=forward comment="DNS SERVER OVERIDE" dst-address=208.67.222.222 out-interface=ether1
add action=accept chain=forward comment="DNS SERVER OVERIDE" dst-address=208.67.220.220 out-interface=ether1
add action=accept chain=forward comment="Fellowship 1" disabled=yes dst-address=136.179.1.0/24 in-interface=Check-In out-interface=ether1
add action=accept chain=forward comment=ClockSpot disabled=yes dst-address=204.232.143.61 in-interface=Check-In out-interface=ether1
add action=accept chain=forward comment=ClockSpot disabled=yes dst-address=104.16.96.65 in-interface=Check-In out-interface=ether1
add action=drop chain=forward comment="Check-In Computers Outbound Blockage" disabled=yes in-interface=Check-In out-interface=ether1
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1
add action=accept chain=forward comment="default configuration" connection-state=established,related disabled=yes
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark Packets Leaving Streaming Ports" in-interface="Streaming Ports Bridge" new-packet-mark=encoder passthrough=
yes
add action=mark-packet chain=postrouting comment="Mark Pkts for dropbox-conn" connection-mark=dropbox-conn disabled=yes new-packet-mark=lo-prio-traffic-pkts
passthrough=no
add action=mark-connection chain=postrouting comment="Mark Conn for dropbox" content=dropbox.com disabled=yes new-connection-mark=dropbox-conn passthrough=yes
add action=mark-packet chain=prerouting disabled=yes in-interface=ether1 new-packet-mark=upload passthrough=yes
add action=mark-packet chain=prerouting disabled=yes in-interface=Check-In new-packet-mark=Checkin-DL passthrough=yes
add action=mark-packet chain=prerouting disabled=yes in-interface="Staff / No VPN - Bridge" new-packet-mark=Staff-DL passthrough=yes
add action=mark-packet chain=prerouting disabled=yes in-interface="AV Network" new-packet-mark="AV - DL" passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1
add action=dst-nat chain=dstnat comment="Absolute Communication" dst-port=44000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.201 to-ports=44000
add action=dst-nat chain=dstnat comment="Absolute Communication" dst-port=4000 in-interface=ether1 protocol=udp to-addresses=192.168.0.201 to-ports=4000
add action=dst-nat chain=dstnat comment="Absolute Communication" dst-port=44000 in-interface=ether1 protocol=udp to-addresses=192.168.0.201 to-ports=44000
add action=dst-nat chain=dstnat comment="Absolute Communication" dst-port=4000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.201 to-ports=4000
add action=dst-nat chain=dstnat comment="Absolute Communication" dst-port=8080 in-interface=ether1 packet-mark="" protocol=tcp to-addresses=192.168.0.201 to-ports=
8080
add action=dst-nat chain=dstnat comment="Absolute Communication" dst-port=4043 in-interface=ether1 protocol=tcp to-addresses=192.168.0.201 to-ports=4043
add action=dst-nat chain=dstnat comment="Camera System 1" dst-port=37777 in-interface=ether1 protocol=tcp to-addresses=192.168.4.200 to-ports=37777
add action=dst-nat chain=dstnat comment="Camera System 1" dst-port=37778 in-interface=ether1 protocol=udp to-addresses=192.168.4.200 to-ports=37778
/ip route
add distance=1 gateway=GATEWAY
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name="New Life Church"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon port
add
Okay. So first, the “beauty of this beast” (the Mikrotik) is that, unlike with most hardware-only switches, you may create several independent bridges, and the VLAN IDs are only relevant within each bridge, i.e. frames are not forwarded from one virtual bridge to another just because they carry a VLAN ID which happens to be used at both bridges.
Hence as you have dedicated a bridge to the encoder and its control, it was not necessary to change the pvid of that bridge itself and its member ports to 5 - but it is not harmful either. But given that you don’t actually need a full-featured VLAN tag processing on this bridge, setting vlan-filtering to no may save some CPU cycles.
With this configuration, and regardless whether you change the vlan-filtering setting or not, assigning packet-mark=encoder based on in-interface=“Streaming Ports Bridge” is correct (as the pvid of the bridge itself and (04) - NV33 Stream is the same, no /interface vlan needs to be attached to the bridge to extract the tagless parts of the frames).
So since you say the queue named encoder shows packet drops, its limit-at and max-limit values (18M) are lower than the actual traffic volume the encoder sends. The manual doesn’t explain whether the rate value in the stats is the arrival rate or the departure rate, so you have to find that out on your own; in any case, if you set the limit and max-limit to something higher, point the camera to a significantly changing scene (static scenes or scenes with a few moving objects, like a single person walking through the scene, generate much lower data rate) and watch the stats, you should see the actual rate you need to set as limit-at & max-limit even if the rate shown is the departure one, provided that the actual rate is lower than the limits currently set. The rate value is averaged for 10 seconds or so, so take some time before the change becomes visible.
I never needed /queue simple queues, so I’m not sure how they interact with /queue tree queues; however, if the bandwidth calculation in these two trees (simple and tree) is independent as I suppose, the sum of max-limit (or burst-limit if set for the queue) of the root queues in both trees must not exceed the available bandwidth of the uplink in the respective direction. So if your actual uplink bandwidth is 60 Mbit/s, you have to set the max-limit of the root parent in /queue tree to only 58M, in order to leave the rest free for the 2M upload burst-limit set for the only queue in /queue simple.
The thing is that if you overbook the uplink, all the bandwidth control executed by the queues will show no drops, but the packets will be actually dropped because the link would be unable to transport them or, as you’ve mentioned a fibre uplink, more likely because the traffic shaper at the ISP will drop them as the bandwidth limitation is a contractual rather than physical one.
Sindy,
Thank you for all of your great insight with my problem.
I wanted to let you know that I had a great experience yesterday with my streaming device. I even had a user that was doing a major dropbox transfer and my unit did not skip any packets!!
I will be making the adjustment you suggested removing the vlan tagging in the streaming_bridge group to help with compute cycles tomorrow.
Is there anything else you can see from my setup that i might be doing wrong or could do better?
Thanks again!!