QoS and Limit bandwidth

Hello.

We have an office with a 10mb/s link and 15 workers; the hardware is an RB2011UIAS-2HND-IN.

We have a server in a datacenter running RouterOS with a 100mb/s link.

Between them we configured an IPsec site-to-site tunnel.

At the office, of course, the employees download things from the Internet and periodically clog the channel; apparently 10mb/s is an archaism nowadays, but that is how we live.

Is it possible to allocate a guaranteed 3-4mb/s for the IPsec traffic and give it priority, while limiting the traffic "outside" to 6-7mb/s?

I've read some articles on the Internet and thought about this configuration:

  1. Set a maximum bandwidth of 8mb/s for the server subnet 192.168.10.0/24 and for SMTP/IMAP traffic outside.
  2. Set the total allowed bandwidth to 10mb/s.
  3. Mark packets by the main protocols: priority 1: DNS, SMTP, IMAP, Active Directory; priority 2: RDP, 1C, SMB (file storage).
  4. Set priority 1 and priority 2 for those protocols.

The only thing I have not yet understood is whether it is possible to tie the SMTP and IMAP traffic to the traffic on the server subnets, or whether I should just specify the e-mail server IP addresses?

Am I thinking right? Any errors?


Thanks in advance.

I'd think using IP is better, as the whole queue solution is simpler; all your targets can be categorised by IP address:
the email and the server (whether behind a public IP or an internal IP). These two would be set with higher priority and a higher limit-at value.

Then you can have PCQ for your LAN subnet; this averages out all the Internet traffic so no one user, IP or connection can take it all.

In prerouting: mark priority traffic, new connections only, with mangle and pass to the next rule. You can mangle by IP, port, protocol, etc. You can check that connections are mangled correctly in IP → Firewall → Connections.
In prerouting: the next rule marks every packet of the previously marked connections.

Now in the Queue Tree create simple queues:
Global on the WAN interface – for upload.
Global on the LAN interface or bridge – for download.
Now create subqueues (child queues). Set the priority and the parent queue in each of them. You can limit the maximum speed here (or on the global queue) as well.

Keep in mind that if you want to prioritize traffic you MUST mangle packets.
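One way to lay out the mangle and queue tree that the reply above describes, as an added example rather than anything posted in this thread. It assumes ether1 is the WAN, bridge is the LAN, the office LAN is 192.168.33.0/24 and the datacenter subnet behind the IPsec tunnel is 192.168.10.0/24 (all taken from the other posts), and uses the 4M guarantee and 6-7M cap from the question; the mail port list and queue names are mine.

```routeros
# Office router (RB2011). Assumed: WAN=ether1, LAN=bridge,
# office LAN 192.168.33.0/24, datacenter subnet 192.168.10.0/24 over the IPsec tunnel.
/ip firewall mangle
# 1) Classify each NEW connection once; passthrough=yes lets the later rules still run.
add chain=prerouting action=mark-connection connection-mark=no-mark \
    dst-address=192.168.10.0/24 new-connection-mark=vpn_conn passthrough=yes \
    comment="LAN -> datacenter (encrypted on the way out)"
add chain=prerouting action=mark-connection connection-mark=no-mark \
    src-address=192.168.10.0/24 new-connection-mark=vpn_conn passthrough=yes \
    comment="datacenter -> LAN (already decrypted when it reaches prerouting)"
add chain=prerouting action=mark-connection connection-mark=no-mark \
    protocol=tcp dst-port=25,465,587,143,993 new-connection-mark=mail_conn passthrough=yes \
    comment="SMTP/IMAP to an outside mail server (assumed port list)"
add chain=prerouting action=mark-connection connection-mark=no-mark \
    src-address=192.168.33.0/24 new-connection-mark=other_conn passthrough=yes \
    comment="everything else the office starts"
# 2) Copy the connection mark onto every packet of that connection.
add chain=prerouting action=mark-packet connection-mark=vpn_conn new-packet-mark=vpn_pkt passthrough=no
add chain=prerouting action=mark-packet connection-mark=mail_conn new-packet-mark=mail_pkt passthrough=no
add chain=prerouting action=mark-packet connection-mark=other_conn new-packet-mark=other_pkt passthrough=no
# 3) Outbound ESP of the tunnel itself, in case the plaintext mark does not
#    survive encryption on this RouterOS version (assumption; harmless if it does).
add chain=postrouting action=mark-packet protocol=ipsec-esp packet-mark=no-mark \
    new-packet-mark=vpn_pkt passthrough=no
# 4) Catch-all: packets that no longer belong to a tracked connection (late FIN/RST)
#    would otherwise stay unmarked and fall outside the child queues.
add chain=prerouting action=mark-packet packet-mark=no-mark new-packet-mark=other_pkt passthrough=no

/queue type
add name=pcq-up kind=pcq pcq-classifier=src-address
add name=pcq-down kind=pcq pcq-classifier=dst-address

/queue tree
# Parents: one per direction, capped at the 10M link. Priority 1 is highest, 8 lowest.
add name=up-total parent=ether1 max-limit=10M
add name=down-total parent=bridge max-limit=10M
# limit-at is the guarantee; the limit-at values of the children must not add up to more than the parent.
add name=up-vpn parent=up-total packet-mark=vpn_pkt priority=1 limit-at=4M max-limit=10M
add name=up-mail parent=up-total packet-mark=mail_pkt priority=2 limit-at=1M max-limit=7M
add name=up-other parent=up-total packet-mark=other_pkt priority=8 limit-at=3M max-limit=6M queue=pcq-up
add name=down-vpn parent=down-total packet-mark=vpn_pkt priority=1 limit-at=4M max-limit=10M
add name=down-mail parent=down-total packet-mark=mail_pkt priority=2 limit-at=1M max-limit=7M
add name=down-other parent=down-total packet-mark=other_pkt priority=8 limit-at=3M max-limit=6M queue=pcq-down
```

If the default firewall's fasttrack-connection rule is active, fasttracked connections bypass mangle and the queue tree entirely, so disable or restrict it before checking the counters. Watch the queue tree statistics and IP → Firewall → Connections to confirm every connection picks up one of the three marks.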

Hello! Thanks for the answers. I have the following problem:

  1. I created mangle rules:
add action=mark-connection chain=prerouting comment="Mark Web browser" dst-port=80,443 new-connection-mark=outside_web passthrough=yes protocol=tcp tcp-flags=""
add action=mark-connection chain=prerouting dst-port=80,443 new-connection-mark=outside_web passthrough=yes protocol=udp tcp-flags=""
add action=mark-packet chain=prerouting connection-mark=outside_web new-packet-mark=outside_web_pck passthrough=no
  2. I mark unmarked packets after that:
add action=mark-packet chain=forward comment="All other" log=yes log-prefix=UNMARKED new-packet-mark=no_mark out-interface=ether1 packet-mark=no-mark passthrough=no src-address=192.168.33.0/24
  3. I created queue trees:

/queue tree
add max-limit=10M name="Total - rx" parent=global
add name="Browser - rx" packet-mark=outside_web_pck parent="Total - rx"
# the child queue must match the mark the mangle rule sets ("no_mark"); "no-mark" is the special value for packets with no mark at all
add name="Umarked - rx" packet-mark=no_mark parent="Total - rx"

And in the log I see that there is traffic to ports 80 and 443 which is unmarked:

11:01:00 firewall,info UNMARKED forward: in:bridge out:ether1, src-mac ac:9e:17:2f:83:18, proto TCP (ACK,FIN), 192.168.33.45:63200->78.46.57.120:443, len 40 
11:01:00 firewall,info UNMARKED forward: in:bridge out:ether1, src-mac ac:9e:17:2f:83:18, proto TCP (ACK,RST), 192.168.33.45:63200->78.46.57.120:443, len 40 
11:01:01 firewall,info UNMARKED forward: in:bridge out:ether1, src-mac 3c:2c:30:9e:e8:49, proto TCP (ACK,RST), 192.168.33.30:51957->138.201.36.251:80, len 40 
11:01:01 firewall,info UNMARKED forward: in:bridge out:ether1, src-mac 3c:2c:30:9e:e8:49, proto TCP (ACK,RST), 192.168.33.30:51968->82.202.213.163:80, len 40

Why?