Simple queues unable to catch traffic to/from the router itself?

skyhawk · April 10, 2016, 1:23am

Is it possible to have Simple Queues limit/control the traffic generated by the router itself?

I’ve recreated a simple config in CHR

/queue simple
add dst=ether3 name=queue1 target=""
/ip settings
set allow-fast-path=no
/ip address
add address=10.1.0.1/24 interface=ether1 network=10.1.0.0
add address=192.168.1.2/24 interface=ether3 network=192.168.1.0
#add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
/ip firewall filter
add action=drop chain=forward dst-address=169.254.0.0/16
add action=drop chain=output dst-address=169.254.0.0/16
/ip route
add distance=1 gateway=192.168.1.1

When I watch the traffic in queue1, and ping to 192.168.1.1, I get replies from the other CHR in my test environment, but see zero traffic in the queue.

This is on a CHR, running version: 6.34.1 (stable), but I’m observing the same behavior with a hAP-ac-Lite running version: 6.34.4 (stable).

ShayanFiroozi · April 10, 2016, 8:20am

skyhawk:

Is it possible to have Simple Queues limit/control the traffic generated by the router itself?

I’ve recreated a simple config in CHR
/queue simple
add dst=ether3 name=queue1 target=""
/ip settings
set allow-fast-path=no
/ip address
add address=10.1.0.1/24 interface=ether1 network=10.1.0.0
add address=192.168.1.2/24 interface=ether3 network=192.168.1.0
#add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
/ip firewall filter
add action=drop chain=forward dst-address=169.254.0.0/16
add action=drop chain=output dst-address=169.254.0.0/16
/ip route
add distance=1 gateway=192.168.1.1
When I watch the traffic in queue1, and ping to 192.168.1.1, I get replies from the other CHR in my test environment, but see zero traffic in the queue.

This is on a CHR, running version: 6.34.1 (stable), but I’m observing the same behavior with a hAP-ac-Lite running version: 6.34.4 (stable).

Hi,
you didn’t initialize your Queue !!

first you have to mark your traffic with firewall mangle , after packets matched with you mangle then use Queue and force your router to limit every packet with specific packet mark

skyhawk · April 10, 2016, 4:09pm

My understanding is that if packet-marks aren’t set, Queues will match all packets that meet the other conditions - on my hAP-acLite I am marking the connections and packets that I want to catch, and Simple Queues still aren’t seeing them.

Nonetheless, I will update my testing configuration this evening and report back.

skyhawk · April 10, 2016, 4:33pm

No change in behavior. New config export:

/queue simple
add dst=ether3 name=queue1 packet-marks=icmp target=""
/ip settings
set allow-fast-path=no
/ip address
add address=10.1.0.1/24 interface=ether1 network=10.1.0.0
add address=192.168.1.2/24 interface=ether3 network=192.168.1.0
/ip firewall filter
add action=drop chain=forward dst-address=169.254.0.0/16
add action=drop chain=output dst-address=169.254.0.0/16
/ip firewall mangle
add action=mark-packet chain=output new-packet-mark=icmp passthrough=no protocol=icmp
add action=mark-packet chain=input new-packet-mark=icmp passthrough=no protocol=icmp
/ip route
add distance=1 gateway=192.168.1.1

Pinging to 192.168.1.1 still generates no traffic in queue1, despite the counters incrementing on the mangle rules.