QoS: Is it bad practice to mark connections solely per in->out interfaces and vice versa?

I'm currently in the process of simplifying my MikroTik administration, because there are just too many that need constant care.
We use MikroTiks to manage inbound and outbound traffic, using default queue trees.
Since they're not supposed to route anything, there's just one bridge which connects 2 WAN ports and one LAN port.
To do so, we created several mangle rules, which mark connections based on IPs, subnets and/or destination ports.
After that, we specify which upload connections have a higher priority and bandwidth, using several queues.
Every endpoint MikroTik is connected to one big "core" CCR1036 MikroTik, which manages the download for every endpoint.


In order to make administration easier, I decided to switch to only 4 PCQ queues (2 for the backup line) which provide equal traffic to every outgoing connection.
So far, this didn't seem to be much of a problem on my test endpoint. I disabled the old config and created 4 mangle rule pairs: all_in, all_out, all_in_backup, all_out_backup (the second WAN line is a fallback router).
Those mangle rules mark connections for upload and download solely via the incoming bridge interface and the outgoing bridge interface, in the forward chain.

This works well on all my endpoints, at least it seems so.
Since every endpoint is connected to one core QoS device, I have to mark outgoing traffic on my core device via IPs, subnets and ports.

So: one side has traffic marked on interfaces, the other has traffic marked per IPs, etc.
Normally, all in-traffic on one side has to mirror all out-traffic on the other side.
Sadly, this isn't the case.

The input queue on my endpoint MikroTik shows significantly more traffic going on than my core MikroTik shows in its specific output queue.
The connection list also shows that on my endpoint MikroTik, connections switch between the input and output connection mark.


From my understanding, marking the traffic based on which interfaces it passes through is a cleaner way to just get "everything" than just marking a source/destination network.
Am I wrong? Is it just a display bug? I am not so sure anymore if my solution was a good choice with such inconsistent results.

Should I switch back to specific mangling on my endpoint MikroTik, or should I look for a better solution on my core device?



Mangle rule which marks everything that goes from the core device to the endpoint subnet:

   chain=forward action=mark-connection new-connection-mark=d1_TO_all_C passthrough=yes protocol=tcp src-address=192.168.242.0/24  log=no log-prefix="" 
   chain=forward action=mark-packet new-packet-mark=d1_TO_all_P  passthrough=yes connection-mark=d1_TO_all_C log=no log-prefix=""

Mangle rules via interface on the endpoint:

   ;;; Upload via main router (WAN1)
   chain=forward action=mark-connection new-connection-mark=out_main_c passthrough=yes in-bridge-port=eth01_LAN out-bridge-port=eth02_WAN1 log=no log-prefix=""

   chain=forward action=mark-packet new-packet-mark=out_main_p passthrough=yes connection-mark=out_main_c log=no log-prefix=""

   ;;; Upload via backup (WAN2)
   chain=forward action=mark-connection new-connection-mark=out_backup_c passthrough=yes in-bridge-port=eth01_LAN out-bridge-port=eth03_WAN2 log=no log-prefix=""

   chain=forward action=mark-packet new-packet-mark=out_backup_p passthrough=yes connection-mark=out_backup_c log=no log-prefix=""

   ;;; Download via main router (WAN1)
   chain=forward action=mark-connection new-connection-mark=in_main_c passthrough=yes in-bridge-port=eth02_WAN1 out-bridge-port=eth01_LAN log=no log-prefix=""

   chain=forward action=mark-packet new-packet-mark=in_main_p passthrough=yes connection-mark=in_main_c log=no log-prefix=""

   ;;; Download via backup router (WAN2)
   chain=forward action=mark-connection new-connection-mark=in_backup_c passthrough=yes in-bridge-port=eth03_WAN2 out-bridge-port=eth01_LAN log=no log-prefix=""

   chain=forward action=mark-packet new-packet-mark=in_backup_p passthrough=yes connection-mark=in_backup_c log=no log-prefix=""

Do I have to mark traffic by addresses and ports so it stays "clean"?
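
The following is an added example written for this page; it is not the poster's configuration and not from anyone else in the thread. It keeps the interface-based approach but changes two things. First, each connection is marked only once, on its first packet (connection-state=new): a mark-connection rule without a connection-state match re-marks the connection on every packet it sees, so two such rules for opposite directions re-mark the same connection back and forth with every packet and its reply. Second, the upload/download packet mark is derived from the bridge ports of each individual packet rather than from the connection mark, because direction is a per-packet property while a connection mark is shared by both directions. The bridge port names eth01_LAN, eth02_WAN1 and eth03_WAN2 are taken from the post; the mark names, queue names and max-limit values are placeholders to be replaced, and the bridge is assumed to have use-ip-firewall=yes, which the posted in-bridge-port rules already require. Note also that a mangle rule with protocol=tcp, like the one shown for the core device, marks TCP only, so UDP and ICMP counted on one device and not the other would by itself make the two queues' counters differ.

```routeros
# Added example, not the poster's config. Bridge port names are taken from
# the post; mark names, queue names and max-limit values are placeholders.
# in-bridge-port / out-bridge-port in the IP firewall need this setting:
/interface bridge settings
set use-ip-firewall=yes

/ip firewall mangle
# 1) Connection marks: set exactly once, on the first packet of a connection,
#    whichever side opens it. Later packets of the connection are not "new",
#    so no rule here ever re-marks an existing connection.
add chain=forward connection-state=new in-bridge-port=eth01_LAN out-bridge-port=eth02_WAN1 \
    action=mark-connection new-connection-mark=wan1_c passthrough=yes comment="conn via WAN1, opened from LAN"
add chain=forward connection-state=new in-bridge-port=eth02_WAN1 out-bridge-port=eth01_LAN \
    action=mark-connection new-connection-mark=wan1_c passthrough=yes comment="conn via WAN1, opened from WAN"
add chain=forward connection-state=new in-bridge-port=eth01_LAN out-bridge-port=eth03_WAN2 \
    action=mark-connection new-connection-mark=wan2_c passthrough=yes comment="conn via WAN2, opened from LAN"
add chain=forward connection-state=new in-bridge-port=eth03_WAN2 out-bridge-port=eth01_LAN \
    action=mark-connection new-connection-mark=wan2_c passthrough=yes comment="conn via WAN2, opened from WAN"

# 2) Packet marks: direction comes from the packet's own bridge ports, not
#    from the connection mark. No protocol or address match, so TCP, UDP and
#    ICMP in both directions are all counted. passthrough=no stops at the
#    first matching rule, so each packet carries exactly one mark.
add chain=forward connection-mark=wan1_c in-bridge-port=eth01_LAN \
    action=mark-packet new-packet-mark=wan1_up passthrough=no
add chain=forward connection-mark=wan1_c out-bridge-port=eth01_LAN \
    action=mark-packet new-packet-mark=wan1_down passthrough=no
add chain=forward connection-mark=wan2_c in-bridge-port=eth01_LAN \
    action=mark-packet new-packet-mark=wan2_up passthrough=no
add chain=forward connection-mark=wan2_c out-bridge-port=eth01_LAN \
    action=mark-packet new-packet-mark=wan2_down passthrough=no

/queue type
# PCQ with pcq-rate=0 shares the parent queue's limit equally between the
# local hosts: classify uploads by source, downloads by destination address.
add name=pcq_up kind=pcq pcq-classifier=src-address pcq-rate=0
add name=pcq_down kind=pcq pcq-classifier=dst-address pcq-rate=0

/queue tree
# One queue per direction and WAN line. max-limit values are placeholders;
# set them to the real line speeds.
add name=wan1_up   parent=eth02_WAN1 packet-mark=wan1_up   queue=pcq_up   max-limit=50M
add name=wan1_down parent=eth01_LAN  packet-mark=wan1_down queue=pcq_down max-limit=100M
add name=wan2_up   parent=eth03_WAN2 packet-mark=wan2_up   queue=pcq_up   max-limit=10M
add name=wan2_down parent=eth01_LAN  packet-mark=wan2_down queue=pcq_down max-limit=20M
```

To check the result, `/ip firewall connection print where connection-mark=wan1_c` should show marks that stay the same for the lifetime of each connection instead of alternating, and `/queue tree print stats` gives per-direction byte counters that can be compared against the matching queue on the core device.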

I like the interface approach. Let’s see what others say.