QoS on a gateway with more than two interfaces.

RouterOS General
1

I have a problem putting a QoS into a Gateway with multiple interfaces…
I followed the guide of the wiki about it, giving the upload parent into the outgoing interface (one) and download parent into the global out (three)
But it ends up giving the correct numbers of the upload on the queue tree, while having the aggregate of up/down into the global out.
Plus i need to avoid the QoSing of the internal traffic passing through the machine but that doesn’t go out of my network..
ATM I’m doing a prerouting mangle of all the traffic and those rules to recognize the internal traffic

add action=mark-connection chain=forward comment="" disabled=no dst-address-list="IP Medi@net" new-connection-mark=INTERNO_CONN passthrough=yes src-address-list="IP Medi@net"
add action=mark-packet chain=input comment="" disabled=no dst-address-list="IP Medi@net" new-packet-mark=INTERNO_CONN passthrough=yes src-address-list="IP Medi@net"
add action=mark-connection chain=output comment="" disabled=no dst-address-list="IP Medi@net" new-connection-mark=INTERNO_CONN passthrough=yes src-address-list="IP Medi@net"
add action=mark-packet chain=output comment="" connection-mark=INTERNO_CONN disabled=no new-packet-mark=INTERNO passthrough=no

Looks like it works..

Is there a way to work on download traffic without having the aggregate of global out in multiple interfaces?

2

ummm… drawing?.. I can’t understand, where’s trouble… %)

3

The trouble is:
I cannot make a proper queuing of download if in the queue tree i get the aggregate of upload and download (generated by global out).

4

why do you need to aggregate it? =) just mark upload packets with one mark, and download packets with another one =)

5

hi Chupaka i hope you can help me (once again :unamused: ), when i need to mark upload and download packets i need to make two connection marks ight? one connection mark and packet mark to upload and another one to download? i got a confusion with this..

something like this it’s correct?

/ip firewall mangle

add action=mark-connection chain=forward comment=“down dns prio1” disabled=no in-interface=!local new-connection-mark=down_dns_conn passthrough=yes protocol=udp src-port=53
add action=mark-packet chain=forward comment=“down dns prio1” connection-mark=down_dns_conn disabled=no new-packet-mark=down_dns_pkt passthrough=yes

add action=mark-connection chain=forward comment=“up dns prio1” disabled=no dst-port=53 in-interface=local new-connection-mark=up_dns_conn passthrough=yes protocol=udp
add action=mark-packet chain=forward comment=“up dns prio1” connection-mark=up_dns_conn disabled=no new-packet-mark=up_dns_pkt passthrough=yes

add action=mark-connection chain=forward comment=“down prio3” disabled=no in-interface=!local new-connection-mark=down_http_conn passthrough=yes protocol=tcp src-port=80,443
add action=mark-packet chain=forward comment=“down prio3” connection-mark=down_http_conn disabled=no new-packet-mark=down_http_pkt passthrough=yes

add action=mark-connection chain=forward comment=“up prio3” disabled=no dst-port=80,443 in-interface=local new-connection-mark=up_http_conn passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=“up prio3” connection-mark=up_http_conn disabled=no new-packet-mark=up_http_pkt passthrough=yes

as you can se i mark connection with src port to download because the traffi come FROM port 80 (http) and eith dst port to upload because the traffic GOES TO port 80, i’m correct or not?

also i want to know if it’s really need to mark first the connection, because i read so many posts where the people marks tje pakets directly like networkpro in this example (http://wiki.mikrotik.com/wiki/NetworkPro_on_Quality_of_Service),

and the last question: when i mark the connection i set the match criteria e.g. dst-port=80 so when i mark the packet, i set the connection-mark, but i’s necessary to set the dst-port again? in my examples i didn’t..

thanks a lot..

6

‘connection’ is bi-directional, so you should mark connection, and then mark upload and download packets according to this connection (either by in/out-interface, or src/dst-address)

if you can directly mark packets - you may do it without marking connections. sometimes it’s impossible, and fortunately it’s not your case =)

in marked connections you will see packets both dst-port=80 and src-port=80 - requests to the server and responses from the server, they all belong to the same connection. so if you need only upload or download part of it - you need to set dst-port again

7

ok, in someplaces i’ve read that we need to mark connectios because the router when the connection it’s started then it save it in the connection track, then check packets use more cpu, than check connection firts (mainly we need to mark connections for performnce issue, do you ever heard something about it? read this it make so much sense i beleive it’s very good explanation http://forum.mikrotik.com/t/mark-connection-vs-mark-packet/17170/2 ), maybe i dont expalin very well, but my english is so limited sorry, i read better than i write sorry again… so to resume your explanation and to know if i well understood…

  1. it’s better to mark just packets when it’s possible…
  2. when it necessary to mark connections and need upload and download i must set (dst/src port) OR (input/ouput interfaces) in the packets…
8

I know about ‘preformance’… teoretically… I recently posted similar explaination…

and now I’m trying to test this. I can’t see any difference!!!

what I have: firewall rule that is matching packets against address list of 1100 items, and three rules working with short lists, 4 to 50 items. packet throughput is about 120 kpps. CPU load is about 28-30%

now I add top rule ‘accept established connections’. it accepts 120kpps =) CPU load is still 28-30% :smiley: what do I do wrong?.. maybe somebody have another experience?

about where connection-mark is necessary.. simpliest example: managing incoming connections on several uplink interfaces. you don’t know (w/o connection-mark), from what uplink the connection was established, but you should send responses only to that uplink. with connection marking it becames possible

9

ok understood make almost the same test, with and without connection marks, matching ALL TRAFFIC up/down and sendig to two queues and llimiting, and the cpu load is the same, can you give me the link to your performance issue post?

now, have you some experience marking ACK packets, i’ve read a lot of that but i want to know if you’ve tested and have some working experience. thanks a lot

10

UPDATE:

actually, there’s about ~2% difference in CPU load!

conclusion: matching against ~1100-items address-list is 2% of 3166 MHz cpu…

p.s. mine traffic is ~800 Mbps w/o NAT

11

thanks again for your tests, i think that a 2% in a 3000+ cpu it’s a huge difference and much for me that im runnig a 8 wan balancer in a 493AH, what do you think?..

have you read what i wrote about ACK mark?

12

well, 5% of difference is not much =)

about ACK: no, I have not digged so deep…

13

ok, bro thanks for your advice, hey i work with the advise you told me about look only in table, remember from another post, and works great. thanks a lot..