Queue Tree Upload

Hi,

I tried to build a queue tree for the up and download.
The queue tree works only for the download. The upload is not shaped.
I think it's maybe a problem with the NAT.

Maybe someone can help me with this problem :wink:

Thanks Chris

/queue tree
add max-limit=50M name=wan_gesamt_down packet-mark=wan_gesamt_down parent=\
    global queue=pcq-download-default
add max-limit=50M name=wan_gesamt_up packet-mark=wan_gesamt_up parent=global \
    queue=pcq-upload-default
add limit-at=20M max-limit=50M name=ohne_mark_down packet-mark=no-mark \
    parent=wan_gesamt_down priority=6 queue=pcq-download-default
add limit-at=20M max-limit=50M name=voice_down packet-mark=voice_down parent=\
    wan_gesamt_down priority=2 queue=pcq-download-default
add limit-at=20M max-limit=50M name=mgmt_down packet-mark=mgmt_down parent=\
    wan_gesamt_down priority=1 queue=pcq-download-default
add limit-at=20M max-limit=50M name=mgmt_up packet-mark=mgmt_up parent=\
    wan_gesamt_up priority=1 queue=pcq-upload-default
add limit-at=20M max-limit=50M name=voice_up packet-mark=voice_up parent=\
    wan_gesamt_up priority=2 queue=pcq-upload-default
add limit-at=20M max-limit=50M name=ohne_mark_up packet-mark=no-mark parent=\
    wan_gesamt_up priority=6 queue=pcq-upload-default
add limit-at=10M max-limit=40M name=fremd_down parent=wan_gesamt_down queue=\
    pcq-download-default
add limit-at=10M max-limit=40M name=fremd_up parent=wan_gesamt_up queue=\
    pcq-upload-default
add limit-at=10M max-limit=40M name=office_down packet-mark=office_down \
    parent=fremd_down priority=7 queue=pcq-download-default
add limit-at=10M max-limit=40M name=public_down packet-mark=public_down \
    parent=fremd_down queue=pcq-download-default
add limit-at=10M max-limit=10M name=office_up packet-mark=office_up parent=\
    fremd_up queue=pcq-upload-default
add limit-at=20M max-limit=40M name=public_up packet-mark=public_up parent=\
    fremd_up queue=pcq-upload-default

/ip firewall mangle
add action=mark-packet chain=prerouting comment="WAN Zuleitung" in-interface=\
    ether1 new-packet-mark=wan_gesamt_up passthrough=no
add action=mark-packet chain=postrouting comment="WAN Zuleitung" \
    new-packet-mark=wan_gesamt_down out-interface=ether1 passthrough=no
add action=mark-packet chain=prerouting comment=MGMT in-interface=ether2 \
    new-packet-mark=mgmt_up passthrough=no
add action=mark-packet chain=postrouting comment=MGMT new-packet-mark=\
    mgmt_down out-interface=ether2 passthrough=no
add action=mark-packet chain=prerouting comment=OFFICE in-interface=ether3 \
    new-packet-mark=office_up passthrough=no
add action=mark-packet chain=postrouting comment=OFFICE new-packet-mark=\
    office_down out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting comment=VOICE in-interface=ether5 \
    new-packet-mark=voice_up passthrough=no
add action=mark-packet chain=postrouting comment=VOICE new-packet-mark=\
    voice_down out-interface=ether5 passthrough=no
add action=mark-packet chain=prerouting comment=PUBLIC in-interface=ether7 \
    new-packet-mark=office_up passthrough=no
add action=mark-packet chain=postrouting comment=PUBLIC new-packet-mark=\
    public_down out-interface=ether7 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

On your mangle rules, use chain=forward…

/ip firewall mangle
add action=mark-packet chain=forward comment="WAN Zuleitung" in-interface=\
    ether1 new-packet-mark=wan_gesamt_up passthrough=no
add action=mark-packet chain=forward comment="WAN Zuleitung" \
    new-packet-mark=wan_gesamt_down out-interface=ether1 passthrough=no
add action=mark-packet chain=forward comment=MGMT in-interface=ether2 \
    new-packet-mark=mgmt_up passthrough=no
add action=mark-packet chain=forward comment=MGMT new-packet-mark=\
    mgmt_down out-interface=ether2 passthrough=no
add action=mark-packet chain=forward comment=OFFICE in-interface=ether3 \
    new-packet-mark=office_up passthrough=no
add action=mark-packet chain=forward comment=OFFICE new-packet-mark=\
    office_down out-interface=ether3 passthrough=no
add action=mark-packet chain=forward comment=VOICE in-interface=ether5 \
    new-packet-mark=voice_up passthrough=no
add action=mark-packet chain=forward comment=VOICE new-packet-mark=\
    voice_down out-interface=ether5 passthrough=no
add action=mark-packet chain=forward comment=PUBLIC in-interface=ether7 \
    new-packet-mark=office_up passthrough=no
add action=mark-packet chain=forward comment=PUBLIC new-packet-mark=\
    public_down out-interface=ether7 passthrough=no

With the mangle rules using chain=forward, it is not working.
If I change it to chain=forward, the download queues are also not working anymore.

The packet mark with the mangle rules is working
https://imgur.com/1RVYOgL

Have you disabled the fasttrack-connection rules in IP->Firewall->Filter?

Yes, fasttrack is disabled
https://imgur.com/zkk7pO4

Whenever I have done hierarchical queue tree setups like that, I have never had a packet-mark set for the parent, it is always unset (i.e. !packet-mark yes but NOT packet-mark=no-mark). Only child queues with no children of their own have a packet mark generally. I’m not sure what happens if a queue has children and also has a packet mark set. Parent queues like that generally do not match traffic directly, all traffic would instead go into a child queue.

Using prerouting or postrouting in mangle is fine, you do not need to switch to forward.

I think I remember that if you use interfaces you need to tag one direction on the bridge and the other one on the port. Then it works.
But it won’t work if you tag both on the port.
This I found quite strange, so due to this I now tag DL via IP address: DL is destination “local IP addresses”,
UL is “source” local IP address and packet mark them accordingly.

Works like a charm

(You still use only connections from the parent mangle rule that marks in interface/out interface WAN.
So local traffic won’t get hit.)

Packet mark is on the bound on the interface.

When the traffic is routed the queue tree is working, but not with NAT.

Has anybody a queue tree with NAT running?

I might be mistaken but I believe you should be marking the connection. Then mark the packet based on the connection, not marking the packet first.

I tried to mark the connections. No success. ;-((
I also tried the simple queues but there I have problems with the priority.

I would like to split my 50Mbit Internet to the different departments in the company. I also would like to set the priority to different departments if the internet line is full.

Yes, in the two ways mentioned above it does work for me.

Has someone an example? I can't get it working :wink:

Hi, few remarks

  • total of limit-at <= max-limit of parent (see https://wiki.mikrotik.com/wiki/Manual:HTB), that is not the case for: wan_gesamt_down, wan_gesamt_up
  • priority is missing for some of the “leaf” queues
  • marking is only relevant for “leaf” queues

So currently there are 5 classes usable in each direction: mgmt_up/down, voice_up/down, no_mark_up/down, office_up/down & public_up/down. Marking should be these classes only.

Comment: In-interface WAN = downlink (coming into the router)
Out-interface WAN = uplink (leaving the router towards internet etc.)
This is also why you do NAT on out-interface WAN and not in-interface WAN :slight_smile:.

Then as others said, you need to mark connections coming through that WAN interface first
and allow passthrough to process this connection/packet right then and add more granularity (GUEST packets, ETHx packets etc)!
Keep in mind there is only one mark possible regardless of the chain, therefore you need to create an absolute hierarchy.
As an example, if you mark a packet in pre-routing with tag “All-DL”, and then in the forward chain tag “GUEST_DL”, the ALL-DL mark is gone and replaced by GUEST-DL.
You can do: mark pre-routing with tag “All-DL”, and then in the forward chain tag “All-DL-GUEST_DL”, if you want to keep the granularity.

Last but not least, the NAT should really have no impact on the routing if the routing table is correct and you do not route based on connection or packet marks.
(have you any mangle based routing like for failover?)
BECAUSE if you set mangle marks for load balancing for example, they can ruin/conflict with the bandwidth marks (as they might replace them as mentioned above).
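
The three remarks made earlier in the thread (children's limit-at sum versus the parent's max-limit, priority on leaf queues, marks on leaf queues only) can be checked mechanically against a `/queue tree` export. This Python sketch is an added example, not code from any poster; the function names are hypothetical, the finding texts are this example's own wording, and the input is the download half of the export posted above.

```python
import re

# Download half of the /queue tree export posted in the thread.
EXPORT = r"""/queue tree
add max-limit=50M name=wan_gesamt_down packet-mark=wan_gesamt_down parent=\
    global queue=pcq-download-default
add limit-at=20M max-limit=50M name=ohne_mark_down packet-mark=no-mark \
    parent=wan_gesamt_down priority=6 queue=pcq-download-default
add limit-at=20M max-limit=50M name=voice_down packet-mark=voice_down parent=\
    wan_gesamt_down priority=2 queue=pcq-download-default
add limit-at=20M max-limit=50M name=mgmt_down packet-mark=mgmt_down parent=\
    wan_gesamt_down priority=1 queue=pcq-download-default
add limit-at=10M max-limit=40M name=fremd_down parent=wan_gesamt_down queue=\
    pcq-download-default
add limit-at=10M max-limit=40M name=office_down packet-mark=office_down \
    parent=fremd_down priority=7 queue=pcq-download-default
add limit-at=10M max-limit=40M name=public_down packet-mark=public_down \
    parent=fremd_down queue=pcq-download-default
"""

def rate(text):
    """Convert a RouterOS rate such as 50M to bits per second."""
    num, unit = re.fullmatch(r"(\d+)([kMG]?)", text).groups()
    return int(num) * {"": 1, "k": 10**3, "M": 10**6, "G": 10**9}[unit]

def parse_queues(export):
    """Return {name: {key: value}} per 'add' line, joining backslash continuations."""
    lines = re.sub(r"\\\n\s*", "", export).splitlines()
    rows = [dict(re.findall(r"([\w-]+)=(\S+)", l)) for l in lines if l.startswith("add ")]
    return {r["name"]: r for r in rows}

def check_htb(queues):
    """Apply the three remarks: limit-at sums, leaf priority, marks on leaves only."""
    findings = []
    for name, q in queues.items():
        kids = [c for c in queues.values() if c.get("parent") == name]
        if kids:  # inner (parent) queue
            total = sum(rate(c.get("limit-at", "0")) for c in kids)
            if total > rate(q["max-limit"]):
                findings.append((name, "children limit-at exceeds max-limit"))
            if "packet-mark" in q:
                findings.append((name, "parent queue has packet-mark"))
        elif "priority" not in q:  # leaf queue
            findings.append((name, "leaf queue without explicit priority"))
    return findings

if __name__ == "__main__":
    for name, problem in check_htb(parse_queues(EXPORT)):
        print(f"{name}: {problem}")
```
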