QoS Shaping Question

I am looking at some complex queues to control P2P software, improve QoS, and shape bandwidth on a per-user basis.

First I am doing a connection mark and passthrough to allow me to tag the assorted traffic. This just does the basic separation of traffic types.

Then I mark and accept the users' traffic based on their IP and the connection mark to break it out properly for the queuing.

[admin@MikroTik] > ip firewall mangle pr without-paging 
Flags: X - disabled, I - invalid, D - dynamic 
 0   p2p=all-p2p action=passthrough mark-connection=p2p-all 

 1   src-address=:7 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

 2   src-address=:20-25 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

 3   src-address=:37 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

 4   src-address=:42 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

 5   src-address=:80 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

 6   src-address=:110 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

 7   src-address=:119 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

 8   src-address=:143 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

 9   src-address=:161-162 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

10   dst-address=:7 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

11   dst-address=:20-25 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

12   dst-address=:37 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

13   dst-address=:42 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

14   dst-address=:80 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

15   dst-address=:110 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

16   dst-address=:119 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

17   dst-address=:143 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

18   dst-address=:161-162 protocol=tcp connection=!p2p-all action=passthrough 
     mark-connection=common-tcp 

19   dst-address=172.16.0.2/32 connection=p2p-all action=accept 
     mark-flow=172.16.0.2-in-p2p 

20   dst-address=172.16.0.2/32 flow=common-tcp action=accept 
     mark-flow=172.16.0.2-in-tcp 

21   dst-address=172.16.0.2/32 action=accept mark-flow=172.16.0.2-in-oth 

22   src-address=172.16.0.2/32 connection=p2p-all action=accept 
     mark-flow=172.16.0.2-out-p2p 

23   src-address=172.16.0.2/32 connection=common-tcp action=accept 
     mark-flow=172.16.0.2-out-tcp 

24   src-address=172.16.0.2/32 action=accept mark-flow=172.16.0.2-out-oth 

25   dst-address=172.16.0.3/32 connection=p2p-all action=accept 
     mark-flow=172.16.0.3-in-p2p 

26   dst-address=172.16.0.3/32 flow=common-tcp action=accept 
     mark-flow=172.16.0.3-in-tcp 

27   dst-address=172.16.0.3/32 action=accept mark-flow=172.16.0.3-in-oth 

28   src-address=172.16.0.3/32 connection=p2p-all action=accept 
     mark-flow=172.16.0.3-out-p2p 

29   src-address=172.16.0.3/32 connection=common-tcp action=accept 
     mark-flow=172.16.0.3-out-tcp 

30   src-address=172.16.0.3/32 action=accept mark-flow=172.16.0.3-out-oth

My goal for priorities is as follows:

  1. Have a high (good) priority for unknown traffic because that covers all games, VoIP, etc.
  2. Have a moderate priority for known TCP/IP based traffic, such as web surfing, mail and FTP, because these are more resilient protocols.
  3. Have a low (poor) priority for P2P traffic.

My goal for bandwidth is as follows:

  1. Use IP blocks to control the overall bandwidth usage for a group of customers. This helps prevent overloading of the devices that the MikroTik is connected to, as well as providing everyone with a more equal utilization of basic bandwidth. These will be children of the global in and out. These will also use RED to cause the falloff to be smoother overall.
  2. Use individual IP based queues for each customer. These assign the maximum bandwidth for each customer. These will use the IP block queues as parents.
  3. Use content based sub queues to limit the bandwidth of P2P software, but make full bandwidth available to other software. These will use the customer’s IP pool as a parent.

It sounded nice to me when I sat down and worked it out, but then I ran into a small problem.

In the manual, it states that for queue priority to work, I must have limit-at set. Well, to have limit-at work, I must have max-limit set.

This puts me in a little bit of a bind. Specifically, it looks like I will need to have limit-at, max-limit, burst-limit, burst-threshold and burst-time set for the sub queues.

I was hoping that there was some way to have the p2p per user queue limited, but let the other two grow to the size of the parent, but still have different priorities.

I stopped with the below, partially done, test configuration. It is not finished because I decided to ask what others had done that was similar to this before I did a lot more work.

[admin@MikroTik] > queue export 

  file  File name
[admin@MikroTik] > queue export 
# jan/05/2000 23:37:33 by RouterOS 2.8.27
# software id = LKRK-IB0
#
/ queue type 
set default name="default" kind=pfifo bfifo-limit=15000 pfifo-limit=50 \
    red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 \
    sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier="" 
set ethernet-default name="ethernet-default" kind=pfifo bfifo-limit=15000 \
    pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 \
    red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
    pcq-classifier="" 
set wireless-default name="wireless-default" kind=sfq bfifo-limit=15000 \
    pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 \
    red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
    pcq-classifier="" 
set synchronous-default name="synchronous-default" kind=red bfifo-limit=15000 \
    pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 \
    red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
    pcq-classifier="" 
add name="ip-blocks" kind=red bfifo-limit=15000 pfifo-limit=10 red-limit=60 \
    red-min-threshold=10 red-max-threshold=50 red-burst=20 sfq-perturb=5 \
    sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier="" 
add name="user" kind=sfq bfifo-limit=15000 pfifo-limit=10 red-limit=60 \
    red-min-threshold=10 red-max-threshold=50 red-burst=20 sfq-perturb=5 \
    sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier="" 
add name="user-in-tcp-oth" kind=pcq bfifo-limit=15000 pfifo-limit=10 \
    red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 \
    sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
    pcq-classifier=dst-address 
add name="user-out-tcp-oth" kind=pcq bfifo-limit=15000 pfifo-limit=10 \
    red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 \
    sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
    pcq-classifier=src-address 
/ queue tree 
add name="172.16.0-block-in" parent=global-in flow="" limit-at=2621440 \
    queue=ip-blocks priority=8 max-limit=2621440 burst-limit=3145728 \
    burst-threshold=2621440 burst-time=75 disabled=no 
add name="172.16.0-block-out" parent=global-out flow="" limit-at=1572864 \
    queue=default priority=8 max-limit=1572864 burst-limit=1966080 \
    burst-threshold=1572864 burst-time=75 disabled=no 
add name="172.16.0.2-in" parent=172.16.0-block-in flow="" limit-at=1572864 \
    queue=user priority=8 max-limit=1572864 burst-limit=2097152 \
    burst-threshold=1572864 burst-time=60 disabled=no 
add name="172.16.0.2-in-p2p" parent=172.16.0.2-in flow=172.16.0.2-in-p2p \
    limit-at=65536 queue=user priority=8 max-limit=131072 burst-limit=262144 \
    burst-threshold=131072 burst-time=60 disabled=no 
add name="172.16.0.2-in-tcp" parent=172.16.0.2-in flow=172.16.0.2-in-tcp \
    limit-at=0 queue=user-in-tcp-oth priority=6 max-limit=0 burst-limit=0 \
    burst-threshold=0 burst-time=0 disabled=no 
add name="172.16.0.2-in-oth" parent=172.16.0.2-in flow=172.16.0.2-in-oth \
    limit-at=1572864 queue=user-in-tcp-oth priority=4 max-limit=1572864 \
    burst-limit=0 burst-threshold=0 burst-time=0 disabled=no 
add name="172.16.0.2-out" parent=172.16.0-block-out flow="" limit-at=786432 \
    queue=user priority=8 max-limit=786432 burst-limit=1048576 \
    burst-threshold=786432 burst-time=60 disabled=no 
[admin@MikroTik] >

Any suggestions? Pointers?

The next project after this one is to filter out as many common attack ports as possible so that the priorities here don’t get me into more trouble.
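An added checker, not part of the post or of RouterOS, that parses the `/queue tree` lines from the export above and applies the two rules the post quotes from the manual (limit-at needs max-limit; priority only works with limit-at set, assumed here to mean every sibling needs a non-zero limit-at once siblings differ in priority) plus the HTB constraints that a child's limit-at cannot exceed its own max-limit and that the children's limit-at values must fit inside the parent's max-limit. The export text is the post's own; run against it, the checker reports the limit-at=0 on 172.16.0.2-in-tcp and the children of 172.16.0.2-in reserving more than their parent can give.

```python
import re

# Queue-tree lines from the post's export, continuation lines joined (the post's own values).
QUEUE_TREE_EXPORT = r'''
add name="172.16.0-block-in" parent=global-in flow="" limit-at=2621440 queue=ip-blocks priority=8 max-limit=2621440 burst-limit=3145728 burst-threshold=2621440 burst-time=75 disabled=no
add name="172.16.0-block-out" parent=global-out flow="" limit-at=1572864 queue=default priority=8 max-limit=1572864 burst-limit=1966080 burst-threshold=1572864 burst-time=75 disabled=no
add name="172.16.0.2-in" parent=172.16.0-block-in flow="" limit-at=1572864 queue=user priority=8 max-limit=1572864 burst-limit=2097152 burst-threshold=1572864 burst-time=60 disabled=no
add name="172.16.0.2-in-p2p" parent=172.16.0.2-in flow=172.16.0.2-in-p2p limit-at=65536 queue=user priority=8 max-limit=131072 burst-limit=262144 burst-threshold=131072 burst-time=60 disabled=no
add name="172.16.0.2-in-tcp" parent=172.16.0.2-in flow=172.16.0.2-in-tcp limit-at=0 queue=user-in-tcp-oth priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="172.16.0.2-in-oth" parent=172.16.0.2-in flow=172.16.0.2-in-oth limit-at=1572864 queue=user-in-tcp-oth priority=4 max-limit=1572864 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="172.16.0.2-out" parent=172.16.0-block-out flow="" limit-at=786432 queue=user priority=8 max-limit=786432 burst-limit=1048576 burst-threshold=786432 burst-time=60 disabled=no
'''

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
DEFAULTS = {"limit-at": "0", "max-limit": "0", "priority": "8"}  # RouterOS defaults when a field is absent

def parse_queue_tree(export):
    """Map queue name -> settings dict; rate and priority fields become ints (0 rate = unlimited)."""
    queues = {}
    for line in export.splitlines():
        if line.startswith("add "):
            q = {k: v.strip('"') for k, v in KV.findall(line)}
            for k, d in DEFAULTS.items():
                q[k] = int(q.get(k, d))
            queues[q["name"]] = q
    return queues

def check_queue_tree(queues):
    """Return (queue, problem) pairs; an empty list means every rule held."""
    findings = []
    children = {}  # parent name -> list of child queue dicts
    for name, q in queues.items():
        children.setdefault(q["parent"], []).append(q)
        if q["limit-at"] and not q["max-limit"]:
            findings.append((name, "limit-at is set but max-limit is 0 (unlimited)"))
        if q["max-limit"] and q["limit-at"] > q["max-limit"]:
            findings.append((name, "limit-at exceeds max-limit"))
    for parent, kids in children.items():
        # Priority only arbitrates between siblings; assumed: each sibling then needs a limit-at.
        if len({k["priority"] for k in kids}) > 1:
            findings += [(k["name"], "priority differs from siblings but limit-at is 0") for k in kids if k["limit-at"] == 0]
        p = queues.get(parent)  # None for global-in / global-out, which have no limits of their own
        if p and p["max-limit"]:
            total = sum(k["limit-at"] for k in kids)
            if total > p["max-limit"]:
                findings.append((parent, f"children's limit-at sum {total} exceeds max-limit {p['max-limit']}"))
            findings += [(k["name"], "max-limit exceeds parent's max-limit") for k in kids if k["max-limit"] > p["max-limit"]]
    return findings
```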