QoS for site to site VPN traffic

Hi all,

I’m new to Mikrotik. I wonder if anyone can help me on my case scenario.

We are using Mikrotik routers on our remote sites for site to site VPN with our data center.
The remote sites are connected to the datacenter via different tunnels like SSTP, PPTP, L2TP, GRE, IPIP through Internet.
I wonder if there is any capability on Mikrotik that can “prioritize” tunnel traffic on the WAN (Internet) connection over other Internet traffic?

Any help is much appreciated.

Regards
Seek

There is, however its power ends at the WAN interface. So you can prioritize your own outgoing VPN traffic over your own outgoing non-VPN traffic, but the ISPs won’t give any priority to your VPN traffic over the rest of overall traffic unless you have an SLA with them for a particular site-to-site path.

Hi Sindy,

Thanks for your quick response.
Suppose we have 10Mbps Internet connection from one of remote sites.

Can we instruct the Mikrotik router (on the remote site) to have some sort of congestion management?
In other words, if there is traffic congestion (at 10Mbps), the VPN traffic takes precedence over the Internet traffic.
If yes, can you please provide the how to?

Regards
Seek

The complete answer is here.

In short, you have to attach a parent queue to your WAN interface, and create sub-queues within it which are handled with priority and eventually have some bandwidth limits, saying how much bandwidth they are guaranteed to get and how much they can take if no other queue needs it.

In the firewall, you assign packet-marks to packets which need a special treatment (in your case, the VPN transport packets of various types); each packet-mark is used to identify the right sub-queue. The traffic with the highest volume may stay without any packet-mark assigned, and it will be handled by the queue with packet-mark set to the reserved value no-mark.

An example would be the following:

/queue tree
add limit-at=9500k max-limit=9500k name=wan-parent parent=ether1 queue=ethernet-default
add limit-at=4M max-limit=9500k name=voip-out packet-mark=voip-out parent=wan-parent priority=1 queue=default
add limit-at=1M max-limit=9500k name=rest-out packet-mark=no-mark parent=wan-parent priority=2 queue=default

The total bandwidth of the uplink is 10 Mbit/s symmetrically, so all queues have a max-limit of “almost 10 Mbit/s”. I use just two categories of traffic, “voip” and “the rest”. VoIP traffic has 4 Mbit/s of guaranteed bandwidth but can use up to the full bandwidth of the uplink; other traffic has just 1 Mbit/s of guaranteed bandwidth but can also use up to the full bandwidth of the uplink. If both queues want to exceed their guaranteed minimum, VoIP wins because it has higher priority (represented by a lower number).

/ip firewall mangle rules are used to say which packet belongs to “VoIP” and mark them accordingly. In my case, some VoIP traffic goes via open internet and some via IPsec VPN, so I have multiple rules translating various combinations of address and port ranges to a DSCP value, and another rule translating DSCP value to a packet-mark:

/ip firewall mangle
add action=change-dscp chain=prerouting new-dscp=46 passthrough=yes src-address=172.16.111.0/24
add action=change-dscp chain=prerouting dst-address-list=voip-subnets new-dscp=46 passthrough=yes
add action=change-dscp chain=prerouting dst-port=8000-8999,40000-65535 new-dscp=46 passthrough=yes protocol=udp
add action=mark-packet chain=prerouting dscp=46 in-interface-list=INT new-packet-mark=voip-out passthrough=yes
add action=mark-packet chain=postrouting dscp=46 new-packet-mark=voip-out out-interface=ether1

So you might want to set packet-mark=vpn simply on anything which leaves towards the public IP of your central virtualized Mikrotik, and use that packet-mark value as a selector value for the higher priority queue, and that would be it. If the VPN clients are the satellite Mikrotiks themselves, you would use chain=output of /ip firewall mangle.
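The setup described in the reply above (mark everything the satellite sends towards the hub's public IP, select that mark into a high-priority sub-queue, and use chain=output because the satellite router itself is the tunnel client) written out as one complete RouterOS configuration for the tunnel types the original question lists. This is an added example, not config from the thread or from MikroTik. Assumptions: ether1 is the WAN interface, the uplink is 10 Mbit/s, the hub's public IP is the placeholder 203.0.113.10, the ports are the protocols' default ports, and the 6M guarantee for VPN traffic is an arbitrary choice.

```routeros
# Added example (not Sindy's or MikroTik's config). Runs on each satellite router.
# Placeholders: ether1 = WAN interface, 203.0.113.10 = hub public IP, 10 Mbit/s uplink.

/ip firewall address-list
add list=vpn-hubs address=203.0.113.10 comment="central site public IP (placeholder)"

# The satellite initiates the tunnels, so the transport packets are router-originated
# and traverse chain=output, not chain=forward. passthrough=no stops at the first
# match so each packet receives exactly one mark.
/ip firewall mangle
add chain=output dst-address-list=vpn-hubs protocol=tcp dst-port=443 \
    action=mark-packet new-packet-mark=vpn-out passthrough=no comment="SSTP"
add chain=output dst-address-list=vpn-hubs protocol=tcp dst-port=1723 \
    action=mark-packet new-packet-mark=vpn-out passthrough=no comment="PPTP control channel"
add chain=output dst-address-list=vpn-hubs protocol=gre \
    action=mark-packet new-packet-mark=vpn-out passthrough=no comment="PPTP data channel and plain GRE tunnel"
add chain=output dst-address-list=vpn-hubs protocol=udp dst-port=1701 \
    action=mark-packet new-packet-mark=vpn-out passthrough=no comment="L2TP"
add chain=output dst-address-list=vpn-hubs protocol=udp dst-port=500,4500 \
    action=mark-packet new-packet-mark=vpn-out passthrough=no comment="IKE and NAT-T, only if L2TP runs over IPsec"
add chain=output dst-address-list=vpn-hubs protocol=ipsec-esp \
    action=mark-packet new-packet-mark=vpn-out passthrough=no comment="ESP, only if L2TP runs over IPsec"
add chain=output dst-address-list=vpn-hubs protocol=ipip \
    action=mark-packet new-packet-mark=vpn-out passthrough=no comment="IPIP"

# Parent queue slightly below the physical rate so the shaper, not the ISP, owns the
# bottleneck. VPN transport gets priority 1 and a 6M guarantee; everything unmarked
# (no-mark) gets the default priority 8 and a 1M guarantee. Both may borrow up to the
# full uplink when the other queue is idle.
/queue tree
add name=wan-parent parent=ether1 limit-at=9500k max-limit=9500k queue=ethernet-default
add name=vpn-out parent=wan-parent packet-mark=vpn-out priority=1 limit-at=6M max-limit=9500k queue=default
add name=rest-out parent=wan-parent packet-mark=no-mark priority=8 limit-at=1M max-limit=9500k queue=default
```

To check that the marks and queues are actually hit, generate some tunnel traffic and look at `/ip firewall mangle print stats` and `/queue tree print stats`; a vpn-out queue with zero packets usually means the tunnel uses a non-default port or the hub address in the list is wrong. As the first reply already notes, this only shapes the satellite's upload; the download direction is shaped by the hub's own egress queue on its WAN interface, so a mirror-image configuration belongs there.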