Queues not working right?

Hello,

I made some changes to my router (added in load balancing for SSL using PCC) and it seems that my queue trees aren’t working now.

Everything is limited as ‘basic-traffic’, even when they are on an address list that says otherwise.
Does anyone see something I am doing wrong here?

It used to work fine, I would add a customer to a different traffic address list and they would have the bandwidth but now it’s giving everyone the basic.

If they are not on a list they should get basic; if they are on a list, they should get what is in the queue tree for that list, and the packets are marked via mangle.

Here’s my mangle

MikroTik RouterOS 4.10 (c) 1999-2010       http://www.mikrotik.com/

[jeff@SEI Communciations Router] > /ip firewall mangle export
# aug/26/2010 21:07:19 by RouterOS 4.10
# software id = 9XY1-****
#
/ip firewall mangle
add action=mark-connection chain=prerouting comment=gate1 disabled=no \
    dst-address-type=!local new-connection-mark=1st-conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:6/0
add action=mark-connection chain=prerouting comment=gate2 disabled=no \
    dst-address-type=!local new-connection-mark=2nd-conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:6/1
add action=mark-connection chain=prerouting comment=gate3 disabled=no \
    dst-address-type=!local new-connection-mark=3rd-conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:6/2
add action=mark-connection chain=prerouting comment=gate4 disabled=no \
    dst-address-type=!local new-connection-mark=4th-conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:6/3
add action=mark-connection chain=prerouting comment=gate5 disabled=no \
    dst-address-type=!local new-connection-mark=5th-conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:6/4
add action=mark-connection chain=prerouting comment=gate6 disabled=no \
    dst-address-type=!local new-connection-mark=6th-conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:6/5
add action=mark-connection chain=prerouting comment="HTTPS gate1" disabled=no \
    dst-address-type=!local dst-port=443 new-connection-mark=1st-conn-ssl \
    passthrough=yes per-connection-classifier=src-address:6/0 protocol=tcp
add action=mark-connection chain=prerouting comment="HTTPS gate2" disabled=no \
    dst-address-type=!local dst-port=443 new-connection-mark=2nd-conn-ssl \
    passthrough=yes per-connection-classifier=src-address:6/1 protocol=tcp
add action=mark-connection chain=prerouting comment="HTTPS gate3" disabled=no \
    dst-address-type=!local dst-port=443 new-connection-mark=3rd-conn-ssl \
    passthrough=yes per-connection-classifier=src-address:6/2 protocol=tcp
add action=mark-connection chain=prerouting comment="HTTPS gate4" disabled=no \
    dst-address-type=!local dst-port=443 new-connection-mark=4th-conn-ssl \
    passthrough=yes per-connection-classifier=src-address:6/3 protocol=tcp
add action=mark-connection chain=prerouting comment="HTTPS gate5" disabled=no \
    dst-address-type=!local dst-port=443 new-connection-mark=5th-conn-ssl \
    passthrough=yes per-connection-classifier=src-address:6/4 protocol=tcp
add action=mark-connection chain=prerouting comment="HTTPS gate6" disabled=no \
    dst-address-type=!local dst-port=443 new-connection-mark=6th-conn-ssl \
    passthrough=yes per-connection-classifier=src-address:6/5 protocol=tcp
add action=mark-packet chain=prerouting comment="Mark Bronze Customers" \
    disabled=no new-packet-mark=bronze-traffic passthrough=yes
add action=mark-packet chain=prerouting comment="Mark Platinum Customers" \
    disabled=no new-packet-mark=platinum-traffic passthrough=yes \
    src-address-list=Platinum-Customer
add action=mark-packet chain=prerouting comment="Mark Gold Customers" \
    disabled=no new-packet-mark=gold-traffic passthrough=yes \
    src-address-list=Gold-Customer
add action=mark-packet chain=prerouting comment="Mark Silver Customers" \
    disabled=no new-packet-mark=silver-traffic passthrough=yes \
    src-address-list=Silver-Customer
add action=mark-routing chain=prerouting comment="" connection-mark=\
    1st-conn-ssl disabled=no new-routing-mark=1st_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
    2nd-conn-ssl disabled=no new-routing-mark=2nd_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
    3rd-conn-ssl disabled=no new-routing-mark=3rd_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
    4th-conn-ssl disabled=no new-routing-mark=4th_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
    5th-conn-ssl disabled=no new-routing-mark=5th_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
    6th-conn-ssl disabled=no new-routing-mark=6th_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=1st-conn \
    disabled=no new-routing-mark=1st_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=2nd-conn \
    disabled=no new-routing-mark=2nd_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=3rd-conn \
    disabled=no new-routing-mark=3rd_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=4th-conn \
    disabled=no new-routing-mark=4th_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=5th-conn \
    disabled=no new-routing-mark=5th_route passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=6th-conn \
    disabled=no new-routing-mark=6th_route passthrough=yes

Queue Tree

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Bandwidth Management" parent=ether2 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=19360k name=Bronze packet-mark=bronze-traffic parent=\
    "Bandwidth Management" priority=8 queue="PCQ_BASIC_IN 1M"
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=9217k name="Silver Package" packet-mark=silver-traffic parent=\
    "Bandwidth Management" priority=5 queue="PCQ_SILVER_IN 1.5"
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=2048k name="Gold Clients" packet-mark=gold-traffic parent=\
    "Bandwidth Management" priority=3 queue="PCQ_GOLD_IN 2M"
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=9217k name="Platinum Clients" packet-mark=platinum-traffic \
    parent="Bandwidth Management" priority=1 queue="PCQ_PLATINUM_IN 3M"

Queue types

/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
    sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
    red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
    5
add kind=pcq name="PCQ_BASIC_IN 1M" pcq-classifier=src-address pcq-limit=40 \
    pcq-rate=1024000 pcq-total-limit=7000
add kind=pcq name="PCQ_SILVER_IN 1.5" pcq-classifier=src-address pcq-limit=40 \
    pcq-rate=1536000 pcq-total-limit=7000
add kind=pcq name="PCQ_GOLD_IN 2M" pcq-classifier=src-address pcq-limit=15 \
    pcq-rate=2048000 pcq-total-limit=500
add kind=pcq name="PCQ_PLATINUM_IN 3M" pcq-classifier=src-address pcq-limit=\
    50 pcq-rate=3072000 pcq-total-limit=2000
add kind=pcq name=BASIC_OUT pcq-classifier=dst-address pcq-limit=40 pcq-rate=\
    312000 pcq-total-limit=7000
add kind=pcq name="P2P Limit 256k" pcq-classifier=src-address pcq-limit=50 \
    pcq-rate=256000 pcq-total-limit=2000
set default-small kind=pfifo name=default-small pfifo-limit=10

And simple firewall rules

/ip firewall filter
add action=drop chain=forward comment="No Pay: Drop ICMP Ping" disabled=no \
    protocol=icmp src-address-list=off
add action=drop chain=forward comment="No Pay: Drop ALL UDP Ports" disabled=\
    no dst-port=!53 protocol=udp src-address-list=off
add action=drop chain=forward comment="No Pay: Disable All TCP Traffic except \
    port 80 which redirects to 10.10.1.11" disabled=no dst-port=!80 protocol=\
    tcp src-address-list=off
add action=drop chain=forward comment="Drop all packets from JD \
    using DHCP on the network (just in case we missed a password) by MAC addre\
    ss of his laptop." disabled=no src-address=10.0.0.0/8 src-mac-address=\
    00:22:5F:D7:D5:2E
add action=drop chain=forward comment="Drop DHCP to Sporos" disabled=no \
    layer7-protocol=dhcp out-interface=ether1
add action=drop chain=forward comment="Drop Traffic From SEI bound for sporos \
    if they somehow hopped through the router." disabled=no dst-address=\
    192.168.2.0/24 src-address=10.0.0.0/8
add action=add-src-to-address-list address-list=OSBI_CONNECTION \
    address-list-timeout=0s chain=forward comment=\
    "LOG All traffic to Law Enforcement" disabled=no dst-address=164.58.69.81 \
    src-address=10.0.0.0/8 src-address-list=!OSBI_CONNECTION
add action=add-src-to-address-list address-list=OSBI_CONNECTION \
    address-list-timeout=0s chain=forward comment=\
    "LOG All traffic to/from law enforcement." disabled=no dst-address=\
    74.94.188.237 src-address=10.0.0.0/8 src-address-list=!OSBI_CONNECTION
add action=add-src-to-address-list address-list=Known-Torrenters \
    address-list-timeout=1w chain=forward comment=\
    "Add P2P users to an address list." disabled=no p2p=all-p2p src-address=\
    10.0.0.0/8 src-address-list=!Known-Torrenters
add action=log chain=forward comment="LOG All traffic to Law Enforcement" \
    disabled=no dst-address=164.58.69.81 log-prefix=law_enforcement \
    src-address=10.0.0.0/8
add action=log chain=forward comment=\
    "LOG All traffic to/from law enforcement." disabled=no dst-address=\
    74.94.188.237 log-prefix=law_enforcement src-address=10.0.0.0/8
add action=add-src-to-address-list address-list=possible-bots \
    address-list-timeout=1w chain=forward comment="Mark possible bots" \
    connection-limit=100,32 disabled=no dst-port=445 protocol=tcp
add action=tarpit chain=forward comment=\
    "Stop SYN Flooding by sending ACK without connection. DoS Attack" \
    disabled=no dst-port=445 protocol=tcp
add action=tarpit chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" \
    disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    30m chain=forward comment="Detect and add-list SMTP virus or spammers" \
    connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp \
    src-address-list=!WhiteListed

A couple of thoughts:

You are only marking packets with a traffic class based on a source address list. That will only mark packets FROM the customer; all packets TO the customer (download, usually significantly more traffic than upload) will not be caught and will have the bronze mark. On the other hand, you are only doing QoS attached to an interface HTB, so it only ever gets traffic leaving through that interface: you're only doing QoS in one traffic direction. It's unclear what direction that is, because:
What is ether2? Is that your WAN uplink? Interface HTB happens AFTER source NAT, so you wouldn’t be able to tell the private IP address of the clients anymore if you masquerade on that interface and your address lists probably wouldn’t work at all.

Combining the two would explain why everyone gets the bronze class: all traffic to clients is going to be marked bronze because your address-list mangle rules don't catch them, and your queue tree only captures either download or upload packets. If it's the former, you have your explanation.
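The download-direction fix the reply describes, as an added example that is not part of either post. It assumes (none of this is established in the thread) that the customer-facing LAN interface is called ether2-lan, that customers sit in 10.0.0.0/8, and that the Platinum-Customer, Gold-Customer and Silver-Customer address lists exist as in the original export. A packet mark set in mangle before src-nat is still attached to the packet when it reaches an interface HTB after NAT, so the queue tree can match on the mark; only address-based PCQ classification after masquerade breaks, which is why the download PCQ types here classify by dst-address on the LAN side, where the destination is still the customer's private address.

```routeros
# Added example, not from the original post. Assumed names: ether2-lan is the
# customer-facing interface, customers are in 10.0.0.0/8, tier address lists
# exist as in the export. Adjust to the real interface once ether2's role is known.
#
# Download direction: Internet -> customer. The customer is the DESTINATION,
# so the tier is chosen with dst-address-list, not src-address-list. Marks are
# set in the forward chain (before src-nat) and survive NAT. Most specific tier
# first with passthrough=no, catch-all last, so each packet gets exactly one mark.
/ip firewall mangle
add chain=forward dst-address-list=Platinum-Customer action=mark-packet \
    new-packet-mark=platinum-down passthrough=no comment="Platinum download"
add chain=forward dst-address-list=Gold-Customer action=mark-packet \
    new-packet-mark=gold-down passthrough=no comment="Gold download"
add chain=forward dst-address-list=Silver-Customer action=mark-packet \
    new-packet-mark=silver-down passthrough=no comment="Silver download"
add chain=forward dst-address=10.0.0.0/8 action=mark-packet \
    new-packet-mark=bronze-down passthrough=no comment="Everyone else: bronze download"

# Download PCQ types classify by dst-address: on egress towards the LAN the
# destination is the customer's private address, so each customer gets its own
# sub-queue at the tier rate. Rates are the per-tier figures from the post.
/queue type
add kind=pcq name=PCQ_PLATINUM_DOWN pcq-classifier=dst-address pcq-rate=3072000 \
    pcq-limit=50 pcq-total-limit=2000
add kind=pcq name=PCQ_GOLD_DOWN pcq-classifier=dst-address pcq-rate=2048000 \
    pcq-limit=50 pcq-total-limit=2000
add kind=pcq name=PCQ_SILVER_DOWN pcq-classifier=dst-address pcq-rate=1536000 \
    pcq-limit=50 pcq-total-limit=2000
add kind=pcq name=PCQ_BRONZE_DOWN pcq-classifier=dst-address pcq-rate=1024000 \
    pcq-limit=50 pcq-total-limit=2000

# The download tree hangs off the LAN-facing interface: an interface HTB only
# sees packets LEAVING through that interface, i.e. downloads towards customers.
/queue tree
add name=Download parent=ether2-lan max-limit=0
add name="Platinum Down" parent=Download packet-mark=platinum-down priority=1 \
    queue=PCQ_PLATINUM_DOWN
add name="Gold Down" parent=Download packet-mark=gold-down priority=3 \
    queue=PCQ_GOLD_DOWN
add name="Silver Down" parent=Download packet-mark=silver-down priority=5 \
    queue=PCQ_SILVER_DOWN
add name="Bronze Down" parent=Download packet-mark=bronze-down priority=8 \
    queue=PCQ_BRONZE_DOWN
```

To check that the marks land where expected, generate a download from a Platinum address and watch `/ip firewall mangle print stats` (the Platinum rule's counters should move, the bronze catch-all's should not for that host) and `/queue tree print stats` (bytes should accumulate under "Platinum Down"). The upload side is not shown: the post's existing src-address-list marks already select the right tier for packets from the customer, but a per-customer PCQ for upload has to classify by src-address at a point before masquerade rewrites it, and where that queue should sit depends on the still-open question of what ether2 is and where the router masquerades.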