Hi, I was trying simple queues, and also a queue tree, to ensure constant bit rates for IPTV, with no success. Do you have any ideas how to correctly configure QoS?

Are you trying to slow down the IPTV or to give it absolute priority over everything? I assume the latter.
If so, read this topic and come back if you still have some questions after reading it.
I’m trying to give priority for IPTV.
I have to mention that I replaced the ISP router with my Mikrotik router to save some cost. I don’t know if the ISP was doing any prioritization on the last router (or should this not be the problem?)
But anyway, I will try to reconfigure these bridge and switch interfaces as you suggested.
The time-critical IPTV packets come from the network to your Set-Top Box or TV set, so your only task is not to delay or even drop them. You cannot affect the priority your ISP has given them, so if you experience issues, it is because your Mikrotik is unable to forward all of them.
The switch configuration depends heavily on the Mikrotik model you have. The awful hack suggested in the topic I’ve referred to is only necessary for devices with switch chip AR8237; looking at your configuration, I assume you’ve got hAP AC lite or hAP AC2, which makes a difference - hAP AC lite uses AR8237 so the hack is necessary while AC2 uses 8337 where hybrid ports are supported so the same can be done using ordinary methods.
A thought, but I might be kicking dead horse here: how did ISP’s router handle the connection towards TV (Ether3 in your diagram)? As per configuration attached to the diagram, TV (set-top box?) receives un-tagged packets. If that multicast is delivered wrapped in VLAN-ID=3 and if ISP’s router did not unwrap them, then set-top-box expects them tagged. It might work without tags with some issues (if set-top-box deals with it in some funny way).
In my case, the ISP delivers IPTV multicast in VLAN-ID=3999 and the ISP’s router does not unwrap it, so I need to pass that VLAN further to the set-top-box. Performance-wise that might be even better than your current set-up, as VLAN-tagged packets would be handled within the switch chip (if the switch chip supports that) … especially so if you don’t intend to firewall the TV from the ISP. If you’re concerned about untagged access from the TV to the rest of your LAN, you can create an additional VLAN (and set Ether3 PVID to that), effectively pushing anything untagged to a black hole. If your TV (set-top-box) actually needs internet access (mine does to fetch EPG and whatnot), you can create a separate IP subnet on that VLAN, add a DHCP server, allow it to use the RB’s DNS and set up FW rules to prevent routing from the “TV” subnet anywhere but towards the internet.
I’m using hAP lite.
I changed config according to sindy.
Now CPU load is reduced from 11-13% to 3-4% when watching IPTV.
But I’m not able to browse the internet. Do I need to replace everything to vlan40 instead of ether 1, or to the bridge interface?
I’m not getting an IP address on vlan40. Does that mean that I should change the VLAN number, because it is already used by the ISP?
My wlan client even gets a public IP address.
Please paste here the output of `/export hide-sensitive`, and if there are any public addresses in it, replace each of them systematically (using Ctrl-H in a text editor) with a distinctive pattern like `public.ip.addr.A`. You seem to have bridged the uplink port with the wireless AP interface which is definitely not what you want.
mar/28/2018 18:59:11 by RouterOS 6.41.3
model = RouterBOARD 952Ui-5ac2nD
/interface bridge
add name=bridgeTV
add fast-forward=no name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=2462 frequency-mode=regulatory-domain mode=ap-bridge ssid=MikroTik tx-power=6 tx-power-mode=all-rates-fixed
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-onlyac channel-width=20/40/80mhz-Ceee disabled=no frequency=5500 frequency-mode=regulatory-domain mode=ap-bridge ssid=MikroTik2
/interface vlan
add interface=bridge name=vlan40 vlan-id=40
/interface ethernet switch port
set 0 vlan-mode=secure
set 2 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.1.1-192.168.1.253
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge name=dhcp1
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether1 pvid=40
add bridge=bridge interface=ether3 pvid=3
add bridge=bridge interface=vlan40
/interface ethernet switch vlan
add ports=switch1-cpu,ether1 switch=switch1
add ports=ether1,ether3 switch=switch1 vlan-id=3
/interface list member
add interface=vlan40 list=WAN
/interface wireless access-list
add authentication=no interface=wlan1 mac-address=34:02:86:14:3E:58 vlan-mode=no-tag
add authentication=no interface=wlan1 mac-address=B4:6D:83:78:94:F2 vlan-mode=no-tag
/ip address
add address=192.168.1.254/24 interface=bridge network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=vlan40
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.254
/ip firewall filter
add action=drop chain=input dst-port=8728 in-interface=vlan40 protocol=tcp
add action=drop chain=input dst-port=8728 in-interface=vlan40 protocol=udp
add action=drop chain=input dst-port=8729 in-interface=vlan40 protocol=tcp
add action=drop chain=input dst-port=8729 in-interface=vlan40 protocol=udp
add action=drop chain=input dst-port=21 in-interface=vlan40 protocol=tcp
add action=drop chain=input dst-port=21 in-interface=vlan40 protocol=udp
add action=drop chain=input dst-port=22 in-interface=vlan40 protocol=tcp
add action=drop chain=input dst-port=22 in-interface=vlan40 protocol=udp
add action=drop chain=input dst-port=23 in-interface=vlan40 protocol=tcp
add action=drop chain=input dst-port=23 in-interface=vlan40 protocol=udp
add action=drop chain=input dst-port=8291 in-interface=vlan40 protocol=tcp
add action=drop chain=input dst-port=8291 in-interface=vlan40 protocol=udp
add action=drop chain=input dst-port=80 in-interface=vlan40 protocol=tcp
add action=drop chain=input dst-port=80 in-interface=vlan40 protocol=udp
add action=drop chain=input dst-port=443 in-interface=vlan40 protocol=tcp
add action=drop chain=input dst-port=443 in-interface=vlan40 protocol=udp
add action=drop chain=input in-interface=vlan40 protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan40
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge disabled=yes display-time=5s
set bridgeTV disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set wlan2 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set vlan40 disabled=yes display-time=5s
/tool user-manager database
set db-path=flash/user-manager
Why not set a static IP for your IPTVs and mark those packets in mangle? Then you can use the queue tree to set priorities for them.
As expected, there is a small mess.
From your configuration and from the fact that your wireless client has got a public address assigned, I understand that on the Ethernet cable coming from the provider, the internet connection packets come tagless and the IPTV packets come tagged with VLAN ID 3, right?
If not, write here the actual setting.
If yes:
- connect to the Mikrotik using any of (`ether2`, `ether4`, `ether5`) while the cable from `ether1` is disconnected (to avoid getting an IP address from the provider rather than from the Mikrotik itself)
- keep the `/interface ethernet switch port` and `/interface ethernet switch vlan` configurations as they are
- rename the only currently existing bridge to `bridge-lan` (just for convenience of further description)
- set `hw=no` to `/interface bridge port` items for `ether2`, `ether4`, `ether5`
- maybe better step by step, i.e. first change one of those through which you are not connected, then reconnect to it, then change the rest
- create another bridge named `bridge-wan-iptv`
- change the `/interface bridge port` items for `ether1` and `ether3` to `hw=yes bridge=bridge-wan-iptv`
- change the `/ip dhcp-client interface` value from `vlan40` to `bridge-wan-iptv`
- add `bridge-wan-iptv` to `/interface list list=WAN` and remove `vlan40` from there
- in all your firewall rules, replace `in-interface=vlan40` by `in-interface-list=WAN`, analogically for `out-interface` and `out-interface-list`
- connect back the cable from provider to `ether1`

That should be it. Tagless packets from `ether1` should now be received by the CPU on interface `bridge-wan-iptv`, packets tagged with VLAN ID 3 coming to `ether1` should be forwarded to `ether3` and untagged there by the switch chip alone, without CPU intervention. The LAN and WLAN interfaces would be bridged together on a software-only bridge `bridge-lan`.
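The misconfiguration diagnosed in this thread can be checked mechanically from an export. The following is an added example, not part of the original posts and not MikroTik code: it flags ports that share a bridge with the provider-facing port, and filter rules that match `in-interface` on a bridge member port (RouterOS reports the bridge, not the member, as the incoming interface). The uplink name `ether1`, the allowance for `ether3`, and the `AFTER` sample are assumptions built from the steps above.

```python
import re
from collections import defaultdict

# Excerpt of the export posted in this thread (some bridge ports, two filter rules).
BEFORE = """\
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=wlan1
add bridge=bridge interface=ether1 pvid=40
add bridge=bridge interface=ether3 pvid=3
add bridge=bridge interface=vlan40
/ip firewall filter
add action=drop chain=input dst-port=8291 in-interface=vlan40 protocol=tcp
add action=drop chain=input in-interface=vlan40 protocol=icmp
"""

# Constructed sample: the same sections after the steps described above.
AFTER = """\
/interface bridge port
add bridge=bridge-lan hw=no interface=ether2
add bridge=bridge-lan interface=wlan1
add bridge=bridge-wan-iptv interface=ether1
add bridge=bridge-wan-iptv interface=ether3
/ip firewall filter
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input in-interface-list=WAN protocol=icmp
"""


def parse_export(text):
    """Map each section path to the key=value pairs of its 'add' lines."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif current and line.startswith("add "):
            sections[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections


def audit(text, uplink="ether1", may_share_uplink=("ether3",)):
    """Return findings; uplink and may_share_uplink are operator-supplied assumptions."""
    cfg = parse_export(text)
    bridge_of = {p["interface"]: p["bridge"] for p in cfg["/interface bridge port"]}
    findings = []
    # 1. Anything bridged with the provider-facing port sits on the provider's L2 segment.
    for port, bridge in sorted(bridge_of.items()):
        if (port != uplink and bridge == bridge_of.get(uplink)
                and port not in may_share_uplink):
            findings.append(("shares-bridge-with-uplink", port))
    # 2. in-interface never matches a bridge member port, so a rule written
    #    that way silently matches nothing.
    for rule in cfg["/ip firewall filter"]:
        if rule.get("in-interface") in bridge_of:
            findings.append(("rule-on-bridge-port", rule["in-interface"]))
    return findings


if __name__ == "__main__":
    for finding in audit(BEFORE):
        print(finding)
```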
HzMeister - it seems that it is not a QoS issue. It is a CPU problem.
Sindy - it seems that this config is working. In all the tests I did, I never saw packet loss on TV. You deserved a bonus.
Why do we need dummy vlan 40 and VLAN 0 on switchports?
Without VLAN 0 there is no internet. Without vlan 40 everything works as before.
We do not need VLAN 40, it is a zombie information from the other thread where it was just one of the ideas. I haven’t written explicitly that you may delete it, sorry.
VLAN 0 is necessary because you need to set a mode on the switch where only vlans permitted on a port are let in and out on that port, and VLAN ID 0 means “no VLAN ID”.
The whole thing is that the switch chip used in your router model cannot output tagged and tagless packets on the same port. So as you need iptv packets (VLAN 3) tagged and internet packets tagless on ether1, you have to use a special arrangement where the internet packets are not tagged anywhere. But as you also need to set VLAN filtering on ether1 (so that packets with any other VLAN ID than 3 would not be forwarded by that port), you need to configure the vlan secure mode on the port, set the egress (output to the wire) mode to “don’t touch the tag”, and tell the port to tag the ingress tagless packets with VLAN ID 0. If you would set any other VLAN ID than 0, you would have to set the same one at the WAN interface, so it would send the packets out tagged, and the ether1 would not be able to strip that tag. Packets with a tag but with VLAN ID 0 in it are treated as tagless from the VLAN point of view by all devices, so although the ether1 does not strip the tag, the remote device only reads the priority field from the tag but otherwise treats the packet as tagless.
But the table in the switch which controls which VLAN can be let in on which ports works with the VLAN ID 0 just as with any other one, so you need to permit VLAN ID 0 at the CPU port and at the ether1 port.
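The admission logic described above can be traced with a small model. This is an added example, not RouterOS code and not a description of the switch chip's internals: port settings and the VLAN table mirror the export posted earlier, while flooding to every member port and a default VLAN ID of 0 on the CPU port are assumptions of the model.

```python
# Simplified model of the secure-mode VLAN filtering described in the post above.
PORTS = {
    "ether1":      {"default_vid": 0, "strip_on_egress": False},  # egress: leave tag as is
    "ether3":      {"default_vid": 3, "strip_on_egress": True},   # vlan-header=always-strip
    "switch1-cpu": {"default_vid": 0, "strip_on_egress": False},  # assumed default
}
VLAN_TABLE = {
    0: {"switch1-cpu", "ether1"},   # the entry exported without a vlan-id
    3: {"ether1", "ether3"},
}


def forward(in_port, vid, table=VLAN_TABLE):
    """Return {out_port: vid_on_wire}; a vid of None means a tagless frame.

    Secure mode: a frame is admitted only if its VLAN ID has a table entry
    that includes the ingress port, and it may leave only via ports listed
    in that same entry. No MAC learning is modelled (assumption).
    """
    effective = PORTS[in_port]["default_vid"] if vid is None else vid
    members = table.get(effective, set())
    if in_port not in members:
        return {}                       # dropped at ingress
    out = {}
    for port in sorted(members - {in_port}):
        # VLAN ID 0 means "no VLAN", so the receiver treats such a frame as tagless.
        tagless = PORTS[port]["strip_on_egress"] or effective == 0
        out[port] = None if tagless else effective
    return out


if __name__ == "__main__":
    print("internet, tagless on ether1:", forward("ether1", None))
    print("IPTV, VLAN 3 on ether1:     ", forward("ether1", 3))
    print("other VLAN on ether1:       ", forward("ether1", 40))
    print("tagless, no VLAN 0 entry:   ", forward("ether1", None, {3: VLAN_TABLE[3]}))
```

The last call reproduces the observation in the thread that internet access stops when the VLAN 0 entry is removed.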
Hi, I’ll continue to use this thread since it depicts my situation quite well, however I’d like to do the opposite - to slow down IPTV.
In my setup, I have two set-top-boxes, they get IPTV traffic over VLAN (ID=3999), for internet access they use the same VLAN as other workstations (untagged traffic for STBs). When both STBs are on, web surfing slows down to be unbearable (on 100/40 fiber). I tried with another configuration where STBs are on separate LAN (exactly as mkx suggests above) however it doesn’t help.
An interesting observation is that if I enable packet sniffing on the STBs’ ports on hAP ac lite or 951G-2HnD, the web surfing is OK, and IPTV also works flawlessly. I suppose that Mikrotiks are slowing down the traffic with packet sniffing activity just as needed.
Additionally, my provider has an option to give a higher priority to the web traffic, however it doesn’t help - I assume that’s because it’s implemented in the access modem, but it is in the bridge mode.
So, how would one slow down the IPTV traffic..?
When internet is unbearably slow, is any direction blocking the whole traffic (e.g. is UL blocking or DL?) How’s CPU load on routers during those periods of time? If load is high, what does profile show?
How are VLANs configured, on switch chip or on bridge? With packet sniffing things get configured differently …
Hi Metod,
The problem is DL, as it seems to me. CPU load goes from 0-1 % to 2-6%, both on the “main” RB (to the modem) and the ones that have STBs attached. VLANs are configured in switch chips.
For packet sniffing, I changed the setup according to the notion “Packets that are processed with hardware offloading enabled bridge will also not be visible (unknown unicast, broadcast and some multicast traffic will be visible to sniffer tool) https://wiki.mikrotik.com/wiki/Manual:Tools/Packet_Sniffer”; STB is on ether5 and VLANs are set up with bridges:
- bridge-lan has ether5 and other lan access ports (for untagged internet access)
- bridge-iptv has ports vlan-3999-ether5 and vlan-3999-bridge-for-switch ports (for tagged VLAN ID 3999).
However, this setup is behaving the same regarding the web traffic blocking - it behaves better if I start with packet sniffing on ether5, with logging into a file. For that, the RB is on 25-40% CPU.
Your description sounds strange to me.
First, what I understand from your description is that you have two /interface vlan with vlan-id=3999 bridged together at one of the machines, one connected to a bridge and another one to an interface which is at the same time a member port of another bridge? That should not be possible to configure, but as you mention three bridges in total, I assume I have misunderstood something. So please export the whole /interface configuration sub-tree rather than describing just a few lines out of it. The best would be to export the complete configuration of both devices, see my automatic signature below.
Second, I can imagine that you leave more bandwidth for internet by throttling the IPTV streams (no matter how that actually happens while you run the packet sniffer), but I cannot imagine how doing so could keep the picture quality unchanged. So either the TVs have lower screen resolution than the highest rate codec used for the video stream can handle, so a switchover to a lower rate codec has no impact on the picture, or the quality deterioration is there but you don’t notice it for some other reason (it can be that picture dynamics is reduced, not pixel resolution).
In any case, to see the difference between the cases without actually affecting the throughput is a mission impossible with hAP ac lite as it has only 100 Mbit/s Ethernet ports. You can set the switch chip of the device next to the modem to mirror the WAN interface to an unused switch port, but both directions of a 100/40 Mbit/s link can’t fit to a 100 Mbit/s egress direction of the mirror port so some frames would be lost, and the switch chip doesn’t support mirroring each direction to a separate port.
Also, as you mention the modem to be in bridge mode, I would be thinking about the PPPoE throughput on the WAN-facing Mikrotik combined with other CPU load (if any). So a more powerful device like hAP ac², or some managed switch with port mirroring capability, will be necessary to move forward with the analysis. And it may come out that a more powerful device is necessary also to solve the internet speed issue if the bottleneck is not the physical link speed.
As for the ISP prioritization of the internet traffic over the IPTV traffic, there is almost no IPTV-related traffic in the uplink direction, so the important part of such prioritisation takes place at the ISP end, as the frames are sent down your uplink. And for prioritisation in this direction, it should not matter whether the modem is in bridge mode or not, unless the modem would be providing some feedback to the DSLAM - but I cannot see a reason for that. So if you configure a preference of the internet over the IPTV, and you cannot see any difference, I’d assume it is not the bandwidth of the uplink but the load of the CPU of the WAN-facing hAP ac lite which causes your issues.
The thing is that when you start sniffer, HW offload for involved ether port(s) should be disabled so that traffic passes RB’s CPU, which is consistent with increased CPU load. So there’s either some bug in switch chip or there’s some non-optimal setting or there’s some other mismatch.
Which kind of IPTV set-top box is giving you problems? In my setup (two RB951Gs, one RBD52G currently used as switch and a third-party managed ethernet switch) both my IPTV boxes (vintage Sagem and original Netgem box) work like a charm. Both RB951Gs are configured with VLAN filtering in switch chip while RBD52G is configured with modern bridge-vlan setup.
@sindy: IPTV streams are multicast with a single bitrate. Many TV channels have two variations (HD and SD), but those variations are actually two distinct multicast streams with distinct mcast addresses. The only thing that matters in this case is that there’s a unicast retransmission mechanism in place so that even in case of error in multicast reception the set-top box can fetch correct data.
I wouldn’t say it is the only thing that matters - the STB can opt to switch over to the SD stream and unsubscribe the HD one if it notices too many lost packets in the HD one, which is what I’ve called switching codec bitrate to simplify it. And the unicast retransmission mechanism contributes to clogging the download bandwidth as effectively the same packet gets sent twice, once as multicast and later as a unicast one. What I’m not sure, though, is how the playback of “recorded programs” is done, whether they are always unicast or whether multicast groups are created also for them so that multiple viewers of a recorded program can be served the same stream to save network bandwidth (so you have to wait to next whole minute or so when you order the playback).
Thank you both for these interesting notions. I suspect that something might be wrong with the modem setup (innbox g64) and/or the WAN facing RB951G. @sindy, I assume that RB951G is “strong” enough to deal with all the traffic. It’s not the hAP ac lite that I use for the “main” router.
Both STBs that I have are Netgem N7800, and both introduce troubles for web surfing - but the TV plays just OK in HD, on both of them at the same time!
mkx, you mentioned in some other threads that you are using only one WAN facing port, untagged traffic to the modem and tagged traffic (3999) for IPTV. If I understand correctly, your modem is in bridge mode, too, and you do PPPoE with RB through that port (via untagged traffic to the modem), and your workstations and STBs are connecting to the internet in this way (by some other VLAN apart from IPTV traffic which is on ID 3999 all the way.) I’d be glad if you can share your thoughts and practice with the modem setup, if you have the same or similar model - at least the parameters that might be important. For instance, there is a setting “IGMP snooping - standard/block” under the LAN settings of a modem. I’m using two ports, one is data (WAN) and the other is video (for IPTV).