Simple QOS, No Limitation

RouterOS Beginner Basics
1

Ok so here is my question.

I have a RB532 with all 3 ports bridged with the setting “Use IP Firewall”.



The idea behind this is that i want to use this device to provide QOS transparently.


I have done alot of reading and have finally tried to do my own thing, however im not sure if it’s working.
If someone could have a look and let me know if what ive done is correct it would be appreciated.

Under Mangle I have…

[admin@Internet-Bridge] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=mark-packet new-packet-mark=Mail passthrough=yes protocol=tcp dst-port=25

1 chain=forward action=mark-packet new-packet-mark=http passthrough=yes protocol=tcp dst-port=80

2 chain=forward action=mark-packet new-packet-mark=ssh passthrough=yes protocol=tcp dst-port=22

3 chain=forward action=mark-packet new-packet-mark=DNS_UDP passthrough=yes protocol=udp dst-port=53

4 chain=forward action=mark-packet new-packet-mark=DNS_TCP passthrough=yes protocol=tcp dst-port=53

5 chain=forward action=mark-packet new-packet-mark=SSL passthrough=yes protocol=tcp dst-port=443

6 chain=forward action=mark-packet new-packet-mark=POP3 passthrough=yes protocol=tcp dst-port=110

7 chain=forward action=mark-packet new-packet-mark=http passthrough=yes protocol=tcp src-port=80

8 chain=forward action=mark-packet new-packet-mark=Mail passthrough=yes protocol=tcp src-port=25

9 chain=forward action=mark-packet new-packet-mark=POP3 passthrough=yes protocol=tcp src-port=110

10 chain=forward action=mark-packet new-packet-mark=SSL passthrough=yes protocol=tcp src-port=443

11 chain=forward action=mark-packet new-packet-mark=ssh passthrough=yes protocol=tcp src-port=22

12 chain=forward action=mark-packet new-packet-mark=DNS_TCP passthrough=yes protocol=tcp src-port=53

13 chain=forward action=mark-packet new-packet-mark=DNS_UDP passthrough=yes protocol=udp src-port=53

14 chain=forward action=mark-packet new-packet-mark=ICMP passthrough=yes protocol=icmp

15 chain=forward action=mark-packet new-packet-mark=Skype passthrough=yes layer7-protocol=Skype

16 chain=forward action=mark-packet new-packet-mark=eSystem passthrough=yes protocol=tcp dst-port=12000-12020

17 chain=forward action=mark-packet new-packet-mark=eSystem passthrough=yes protocol=tcp src-port=12000-12020

18 chain=forward action=mark-packet new-packet-mark=OpenVPN passthrough=yes protocol=udp dst-address=196.211.117.42 dst-port=1194

19 chain=forward action=mark-packet new-packet-mark=OpenVPN passthrough=yes protocol=udp src-address=196.211.117.42 src-port=1194

20 chain=forward action=mark-packet new-packet-mark=Time passthrough=yes protocol=udp dst-port=123
[admin@Internet-Bridge] /ip firewall mangle>

And under simple queues i have…

[admin@Internet-Bridge] /queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
0 name=“Web” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=http direction=both priority=1 queue=default/default
limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=2s/2s total-queue=default

1 name=“Mail” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=Mail direction=both priority=6 queue=default/default
limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small

2 name=“p2p” dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default/default limit-at=0/0
max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default p2p=all-p2p

3 name=“ssh” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=ssh direction=both priority=1 queue=default/default
limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small

4 name=“DNS_Query” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=DNS_UDP direction=both priority=1
queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s
total-queue=default-small

5 name=“DNS_Transfer” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=DNS_TCP direction=both priority=3
queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s
total-queue=default-small

6 name=“SSL” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=SSL direction=both priority=1 queue=default/default
limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small

7 name=“POP3” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=POP3 direction=both priority=6 queue=default/default
limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small

8 name=“ICMP” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=ICMP direction=both priority=2 queue=default/default
limit-at=0/0 max-limit=1000/1000 burst-limit=64000/64000 burst-threshold=1000/1000 burst-time=20s/20s total-queue=default

9 name=“Skype” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=Skype direction=both priority=1
queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default

10 name=“eSystem” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=eSystem direction=both priority=1
queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default

11 name=“OpenVPN” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=OpenVPN direction=both priority=2
queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default

12 name=“Rest” dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=7 queue=default/default limit-at=0/0
max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default
[admin@Internet-Bridge] /queue simple>

Oh, & under Interface Queues the bridge is using “default”
I am using v3.15


Input would also be appreciated.

2

No takers on this one?

3

Here is a link to what i am trying to accomplish… well similar
They seem to limit the speeds of the connections , where i don’t wish to do this.


http://wiki.mikrotik.com/wiki/TransparentTrafficShaper

4

Is this actually working for you? How do you manage the traffic that is not explicitly specified in the mangle rules?

5

This does not seem to be working…

Everything is being marked correctly , but the QOS priority isnt working…

Ive pretty much marked everything via mangle…

6

I think your chain needs to be ‘prerouting’ and not ‘forward’.

7

Here is a sample of mine:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; P2P Marking Rules
chain=forward action=mark-connection new-connection-mark=P2P_conn
passthrough=yes p2p=all-p2p

1 chain=forward action=mark-packet new-packet-mark=P2P_Packet passthrough=n>
connection-mark=P2P_conn

2 ;;; VoIP Marking Rules
chain=prerouting action=mark-connection
new-connection-mark=VoipConnection passthrough=yes protocol=udp
src-port=10000-30000

3 chain=prerouting action=mark-packet new-packet-mark=VoIPpacket
passthrough=no connection-mark=VoipConnection

4 chain=postrouting action=mark-connection
new-connection-mark=VoipConnection passthrough=yes protocol=udp
dst-port=10000-30000

5 chain=postrouting action=mark-packet new-packet-mark=VoIPpacket
passthrough=no connection-mark=VoipConnection

6 X ;;; Packet marking for web user - PCQ
chain=forward action=mark-connection new-connection-mark=User_Connection
passthrough=yes src-address=172.16.0.0/12

7 X chain=forward action=mark-packet new-packet-mark=User_Packet
passthrough=no connection-mark=User_Connection

8 ;;; Packet Marking for Web
chain=prerouting action=mark-packet new-packet-mark=Webin passthrough=no
protocol=tcp src-port=80

9 chain=postrouting action=mark-packet new-packet-mark=WebOut passthrough=n>
protocol=tcp dst-port=80

10 ;;; Packet marking for DNS
chain=prerouting action=mark-packet new-packet-mark=DNSin passthrough=no
protocol=udp src-port=53

11 chain=postrouting action=mark-packet new-packet-mark=DNSout passthrough=n>
protocol=udp dst-port=53

12 ;;; Packet Marking for port SSL
chain=prerouting action=mark-packet new-packet-mark=SSLin passthrough=no
protocol=tcp src-port=443

13 chain=postrouting action=mark-packet new-packet-mark=SSLOut passthrough=n>
protocol=tcp dst-port=443

and my queues:

/queue tree

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=56000 max-limit=128000 name=P2POut packet-mark=P2P_Packet parent=Outside priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=128000 max-limit=128000 name=P2P_in packet-mark=P2P_Packet parent=Local priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=300000 max-limit=560000 name=VoIP packet-mark=VoIPpacket parent=global-total priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=Web-Incomin packet-mark=Webin parent=global-in priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=WebOut packet-mark=WebOut parent=global-out priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 max-limit=0 name=video_streaming packet-mark=videopacket parent=global-in priority=3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=DNSin packet-mark=DNSin parent=global-in priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=DNSout packet-mark=DNSout parent=global-out priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=SSLin packet-mark=SSLin parent=global-in priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=SSLOut packet-mark=SSLOut parent=global-out priority=2 queue=default

They are working

8

Ok so ive done following, but still don’t know if it’s working…


[admin@Internet-Bridge] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-packet new-packet-mark=Mail passthrough=yes protocol=tcp dst-port=25

1 chain=prerouting action=mark-packet new-packet-mark=SS_mail passthrough=yes src-address=196.212.65.187

2 chain=prerouting action=mark-packet new-packet-mark=SS_mail passthrough=yes dst-address=196.212.65.187

3 chain=prerouting action=mark-packet new-packet-mark=http passthrough=yes protocol=tcp dst-port=80

4 chain=prerouting action=mark-packet new-packet-mark=ssh passthrough=yes protocol=tcp dst-port=22

5 chain=prerouting action=mark-packet new-packet-mark=DNS_UDP passthrough=yes protocol=udp dst-port=53

6 chain=prerouting action=mark-packet new-packet-mark=DNS_TCP passthrough=yes protocol=tcp dst-port=53

7 chain=prerouting action=mark-packet new-packet-mark=SSL passthrough=yes protocol=tcp dst-port=443

8 chain=prerouting action=mark-packet new-packet-mark=POP3 passthrough=yes protocol=tcp dst-port=110

9 chain=prerouting action=mark-packet new-packet-mark=http passthrough=yes protocol=tcp src-port=80

10 chain=prerouting action=mark-packet new-packet-mark=Mail passthrough=yes protocol=tcp src-port=25

11 chain=prerouting action=mark-packet new-packet-mark=POP3 passthrough=yes protocol=tcp src-port=110

12 chain=prerouting action=mark-packet new-packet-mark=SSL passthrough=yes protocol=tcp src-port=443

13 chain=prerouting action=mark-packet new-packet-mark=ssh passthrough=yes protocol=tcp src-port=22

14 chain=prerouting action=mark-packet new-packet-mark=DNS_TCP passthrough=yes protocol=tcp src-port=53

15 chain=prerouting action=mark-packet new-packet-mark=DNS_UDP passthrough=yes protocol=udp src-port=53

16 chain=prerouting action=mark-packet new-packet-mark=ICMP passthrough=yes protocol=icmp

17 chain=prerouting action=mark-packet new-packet-mark=Skype passthrough=yes layer7-protocol=Skype

18 chain=prerouting action=mark-packet new-packet-mark=eSystem passthrough=yes protocol=tcp dst-port=12000-12020

19 chain=prerouting action=mark-packet new-packet-mark=eSystem passthrough=yes protocol=tcp src-port=12000-12020

20 chain=prerouting action=mark-packet new-packet-mark=OpenVPN passthrough=yes protocol=udp dst-address=196.211.117.42 dst-port=1194

21 chain=prerouting action=mark-packet new-packet-mark=OpenVPN passthrough=yes protocol=udp src-address=196.211.117.42 src-port=1194

22 chain=prerouting action=mark-packet new-packet-mark=Time passthrough=yes protocol=udp dst-port=123

23 chain=prerouting action=mark-packet new-packet-mark=p2p_packet_mark passthrough=yes p2p=all-p2p



[admin@Internet-Bridge] /queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
0 name=“SS_Mail” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=SS_mail direction=both priority=7 queue=default/default limit-at=0/0 max-limit=96000/96000
burst-limit=256000/256000 burst-threshold=96000/96000 burst-time=6s/6s total-queue=default

1 name=“Web” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=http direction=both priority=1 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0
burst-threshold=0/0 burst-time=2s/2s total-queue=default

2 name=“Mail” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=Mail direction=both priority=6 queue=default/default limit-at=0/0 max-limit=128000/128000
burst-limit=256000/256000 burst-threshold=128000/128000 burst-time=8s/8s total-queue=default

3 name=“p2p” dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0
burst-time=0s/0s total-queue=default p2p=all-p2p

4 name=“ssh” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=ssh direction=both priority=1 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s total-queue=default

5 name=“DNS_Query” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=DNS_UDP direction=both priority=1 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s total-queue=default

6 name=“DNS_Transfer” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=DNS_TCP direction=both priority=3 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s total-queue=default

7 name=“SSL” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=SSL direction=both priority=1 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s total-queue=default

8 name=“POP3” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=POP3 direction=both priority=6 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s total-queue=default

9 name=“ICMP” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=ICMP direction=both priority=2 queue=default/default limit-at=0/0 max-limit=1000/1000
burst-limit=64000/64000 burst-threshold=1000/1000 burst-time=20s/20s total-queue=default

10 name=“Skype” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=Skype direction=both priority=1 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s total-queue=default

11 name=“eSystem” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=eSystem direction=both priority=1 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s total-queue=default

12 name=“OpenVPN” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=OpenVPN direction=both priority=2 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s total-queue=default

13 name=“Time” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=Time direction=both priority=5 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s total-queue=default

14 name=“Rest” dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=7 queue=default/default limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0
burst-time=0s/0s total-queue=default

Is (( PRIORITY )) Really working ???
9

Why is it that you have the same chains listed more then once?

10

Each chain is in-fact unique.

One for SRC one For DST.


Or one for UDP and One For TCP in case of DNS.

11

I don’t think it’s necessary to mark packets with both src and dst.
But that’s not the problem.
I think need to set passthrough=no.

12

Good Day.

Tried that also with no results.
Tried Watching a Youtube video with torrents running at full speed and it was VERY evident that the torrents killed youtube.

As for my mangle rules, to me logically i did them both directions so that…
I mark all packets connecting too my services and me too external services.
Then i Mark The Response Coming From Those services, sort of like upload/download.

From the Packet counting it seems too be correct…




Input?

13

Sorry didn’t notice that you were using simple queues.
Never tried it that way.
Try using queue tree.
here is sample - watch the word-wrap

/queue tree
add disabled=no limit-at=1500000 max-limit=2000000 name=download packet-mark=“” parent=lan priority=1 queue=default
add disabled=no limit-at=512000 max-limit=750000 name=down_Mail packet-mark=Mail parent=download priority=1 queue=default
add disabled=no limit-at=1500000 max-limit=2000000 name=upload packet-mark=“” parent=wan priority=1 queue=default
add disabled=no limit-at=512000 max-limit=750000 name=up_Mail packet-mark=Mail parent=upload priority=1 queue=default

14

I was playing around with his for a while. I think you need to assign all your queues to be childes of the same parent queue. The parent must have a max-limit, usually your total available bandwidth.
It might not the best way to do it but it worked for me.

I would like to know if its possible to do without having to set a max-limit. Any ideas?

15

That is exactly why i decided to attempt doing it this way, i did NOT want to make a parent queue that would effectively limit the speed of my link!


Im in a position where if i had too do it the way advised i would loose the bursting the ISP provides me with as well as relaxed restrictions sometimes!

So, effectively shooting myself in the foot!

I am also looking forward too someone doing this differently too accommodate!

16

set the max-limit of the parent to the highest rate you can get from your isp.
Then set limits on whatever it is you’re trying to control.

17

Just a question…

By setting the max limit higher than what you are receiving from the ISP, how does this influence the QOS?


I do not wish to speed limit any of the protocols , simply QOS , and my fear is that if the max limit of the parent is higher than what you are receiving the ROS will not accurately be able to do the QOS…


Any Input?

18

The way I understand QOS. Correct me if I’m wrong.

The parent queue needs to know what the limit is in order to provide the QOS. Then you set priority on child queues.
If a limit is reached or close to reached, the lower priority child queues will drop packets to allow the higher priority traffic.
You can also set limits on the child queues if needed to throttle certain traffic.

19

That makes sense too me, but is exactly why it also then should apply that specifying that parent queue’s value incorrectly WILL mess up the entire QOS strategy.

And hence why my original thought was too somehow not specify a max limit on parent.
I think that idea is impossible with ROS. (Correct me if im wrong) , and i can eccept that.

However im in a position where i must either accept limiting my connection provided by my ISP to ensure QOS, or simply take a chance not knowing how it impacts the QOS
strategy by specifying it at my max possible connection speed.

Maby none of the sub queues will then work because the line infact doesnt reach it’s max limit during slower speed peroids, and thereaby it won’t know too drop packets for the QOS..


It’s a pity i can’t get someone like normis or the likes to comment.

20
  1. queue priority will not work correctly without parent.

Why? HTB do not have actual physical limit as your interface does, it is placed before the interface, not on it. So in case you have 3 queues with different priorities limit-at=5Mbps and max-limit=10Mbps without any parent - HTB will give out 30Mbps of traffic and when those 30Mbps will get to the out-interface with FiFo queue on it and only then packets will be dropped. Resulting in no priorities what so ever.

Read more about HTB at: http://wiki.mikrotik.com/wiki/HTB

  1. simple queues require that parent queue must also capture all traffic that goes to its child queues. And I strongly suggest to use queu tree for this setup.