Simple queues - PCQ classifier question- SRC or DST?

Greetings all - I’ve done a search in the forums for this subject, but can’t find info specific to my confusion…

The aim is to use PCQ for equal-connection sharing within and between PPPoE users on a bridged RB just shaping in & out traffic from remote sites handling the PPPoE connections.

This is my Simple Queue config:

add name="Parent \(2\)" target-addresses=10.0.96.0/21 dst-address=0.0.0.0/0 \
    interface=all parent=none direction=both priority=2 \
    queue=pcq-src-add/pcq-dest-add limit-at=1700000/1700000 \
    max-limit=1700000/1700000 total-queue=default-small disabled=no
 
add name="https \(3\)" dst-address=0.0.0.0/0 interface=all parent="Parent (2)" \
    packet-marks=users-https direction=both priority=3 \
    queue=pcq-src-add/pcq-dest-add limit-at=128000/128000 \
    max-limit=1700000/1700000 total-queue=default disabled=no
 
add name="users \(4\)" dst-address=0.0.0.0/0 interface=all parent="Parent (2)" \
    packet-marks=users direction=both priority=4 \
    queue=pcq-src-add/pcq-dest-add limit-at=750000/750000 \
    max-limit=1700000/1700000 total-queue=default disabled=no
 
add name="mail \(5\)" dst-address=0.0.0.0/0 interface=all parent="Parent (2)" \
    packet-marks=mail direction=both priority=5 \
    queue=pcq-src-add/pcq-dest-add limit-at=128000/128000 \
    max-limit=1000000/1000000 total-queue=default disabled=no 

add name="p2p-after-hours \(8\)" dst-address=0.0.0.0/0 interface=all \
    parent="Parent (2)" packet-marks=p2p-after-hours direction=both priority=8 \
    queue=pcq-src-add/pcq-dest-add limit-at=64000/64000 \
    max-limit=64000/128000 total-queue=default disabled=no 


add name="p2p-office-hrs \(8\)" dst-address=0.0.0.0/0 interface=all \
    parent="Parent (2)" packet-marks=p2p direction=both priority=8 \
    queue=pcq-src-add/pcq-dest-add limit-at=16000/16000 \
    max-limit=16000/16000 total-queue=default disabled=no

When using simple queues, I get confused between PCQ classifiers of src-address and dst-address.

How are they identified at each point in the flow? Where my confusion stems from is between using torch on Internet and Client interfaces, and /ip firewall connections.

If I torch the outgoing-to-client interface, I see ‘source address’ for clients that are downloading.
If I torch the up-to-internet interface, I see ‘destination address’ for clients’ traffic uploading.

In /ip firewall connections, I see download connections by clients as ‘source address’ and upload as ‘destination address’.

I identify the above by download/upload speeds and number of connections…

The confusion comes from the wiki (http://wiki.mikrotik.com/wiki/PCQ_Examples) which mentions Queue trees and defining pcq as ‘dest-addr’ for download, and ‘src-address’ for upload, but my torching does not seem to coincide with this.

Can anyone clarify this for me? Did I miss something in the manual?

Also, if I use the ‘print’ command which returns the following code:

> queue simple pr
Flags: X - disabled, I - invalid, D - dynamic 

 2    name="p2p-after-hours (8)" dst-address=0.0.0.0/0 interface=all parent=Parent (2) packet-marks=p2p-after-hours 
      direction=both priority=8 queue=pcq-src-add/pcq-dest-add limit-at=64000/64000 max-limit=64000/128000 
      total-queue=default 

 3    name="p2p-office-hrs (8)" dst-address=0.0.0.0/0 interface=all parent=Parent (2) packet-marks=p2p direction=both 
      priority=8 queue=pcq-src-add/pcq-dest-add limit-at=16000/16000 max-limit=16000/16000 total-queue=default 

 5    name="Parent (2)" target-addresses=10.0.96.0/21 dst-address=0.0.0.0/0 interface=all parent=none direction=both 
      priority=2 queue=pcq-src-add/pcq-dest-add limit-at=1700000/1700000 max-limit=1700000/1700000 
      total-queue=default-small 

 6    name="https (3)" dst-address=0.0.0.0/0 interface=all parent=Parent (2) packet-marks=users-https direction=both 
      priority=3 queue=pcq-src-add/pcq-dest-add limit-at=128000/128000 max-limit=1700000/1700000 
      total-queue=default 

 7    name="users (4)" dst-address=0.0.0.0/0 interface=all parent=Parent (2) packet-marks=users direction=both priority=4 
      queue=pcq-src-add/pcq-dest-add limit-at=750000/750000 max-limit=1700000/1700000 total-queue=default 

 8    name="mail (5)" dst-address=0.0.0.0/0 interface=all parent=Parent (2) packet-marks=mail direction=both priority=5 
      queue=pcq-src-add/pcq-dest-add limit-at=128000/128000 max-limit=1000000/1000000 total-queue=default

Does the numbered order affect the processing order if I did not use packet-marks & parents? Is there a specific order of processing (ie like filter & mangle rules from top to bottom)?

Thanks in advance for any responses…

:sunglasses:


PS - is there any advantage to using simple queues over queue tree, or vice-versa?

  1. PCQ classifier settings depend on the attached interface.

Classifying packets by src-address - all packets with different source IP addresses will be grouped into different subqueues.

  • Attaching it to the local interface, traffic from the public interface will be grouped by src-address.
  • If we attach it to the public interface, all traffic from clients will be grouped by src-address (it will give the opportunity to handle client upload).
  1. I think it is much better to avoid duplicate queuing for the same packets, and use only one queue for traffic, user, etc.

So if a packet originates from your client and you see that src-address is your client's address, and you limit what goes from that IP, you are limiting the user's upload speed. If you limit by destination and the dst addresses aren't your client addresses, you will also limit upload speed, but on a per-connection basis, not per user, so a user who manages to make more connections to different targets gets more traffic; therefore you have to limit upload by src-addresses that are your clients' addresses.

And the same for download. If you limit by destinations of incoming packets, you limit the speed of incoming packets per user; if you filter incoming by source, then you limit per connection.

Hope that helps :unamused:

For more mangle:
http://www.mikrotik.com/docs/ros/2.9/root/queue
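The per-user versus per-connection point in the reply above, as an added simulation (not code from the thread or from MikroTik). It assumes a simplified PCQ model: one sub-queue per distinct classifier value, equal-size packets, all flows backlogged, plain round-robin service; the client and peer addresses and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter, deque

CLIENTS = ipaddress.ip_network("10.0.96.0/21")  # client pool from the thread
A, B = "10.0.96.10", "10.0.96.20"               # constructed client addresses
A_PEERS = ["198.51.100.1"]                      # A talks to one remote host
B_PEERS = [f"203.0.113.{i}" for i in range(1, 10)]  # B talks to nine

def client_of(pkt):
    """Return whichever address of the packet lies in the client pool."""
    for addr in (pkt["src"], pkt["dst"]):
        if ipaddress.ip_address(addr) in CLIENTS:
            return addr
    return None

def traffic(direction, backlog=200):
    """Constructed load: `backlog` equal-size packets per client/peer pair."""
    pkts = []
    for client, peers in ((A, A_PEERS), (B, B_PEERS)):
        for peer in peers:
            src, dst = (client, peer) if direction == "upload" else (peer, client)
            pkts += [{"src": src, "dst": dst}] * backlog
    return pkts

def pcq_share(packets, classifier, slots=180):
    """Sort packets into sub-queues keyed by the classifier field, serve the
    sub-queues round-robin for `slots` packets, return each client's share."""
    subqueues = {}
    for p in packets:
        subqueues.setdefault(p[classifier], deque()).append(p)
    sent = Counter()
    while slots > 0 and any(subqueues.values()):
        for q in subqueues.values():
            if q and slots > 0:
                sent[client_of(q.popleft())] += 1
                slots -= 1
    total = sum(sent.values())
    return {c: n / total for c, n in sent.items()}

if __name__ == "__main__":
    for direction in ("upload", "download"):
        for classifier in ("src", "dst"):
            print(direction, classifier, pcq_share(traffic(direction), classifier))
```

With the classifier keyed on the client side of the packet (src for upload, dst for download) the two clients split the link evenly; keyed on the remote side, the client with nine peers takes nine tenths of it.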

Thanks for the quick reply guys!

However:

  1. In the parent of my Simple Queue rules, I have the ‘target address’ defined, which is my client pool.

  2. For ‘interfaces’ I have specified ‘all’, which by my logic says that whether it’s the local or public, the traffic should be identified by client IP - upload and download and queue according to classifier because of src/dst on that interface (target address defined).

  3. My understanding of src vs dst is as you describe - client uploading is source-address, client downloading is dst-address.

My main question is this - why when I torch or check /ip firewall connections, do the src/dst appear opposite to what I’d expect as mentioned and described?
Thanks for the manual link - I am re-reading that now…

And sergejs - sorry for not understanding you here:

  1. I think it is much better to avoid duplicate queuing for the same packets, and use only one queue for traffic, user, etc.

Do you mean not use a parent/child type system? I’d like to offer each level a CIR and MIR for traffic types…

IMHO, when you are doing mangle and limiting, this is happening in prerouting, but when you are using torch you see incoming packets and outgoing packets.

Correct me if I'm wrong.

And let me just clarify my packet marks:

‘users’ = ‘all-the-rest’

ie: everything that is NOT p2p, http or mail

Is there still a possibility of applying more than one queue to a packet flow even when specifying packet marks?

Any other opinions on what torch is doing? Just had a test session here with ftp through the same router & monitoring connections…

I see that upload/download is always the same src/dst when torching - or whichever way the connection was initiated - not necessarily the true flow of traffic…

or is that a shot in the dark? :wink: