SQM queue limit to WAN but not LAN

I tried some SQM configurations and basically ended with this:

[RB5009UPr+S+] > queue/export 
/queue type
add kind=cake name=queue_cake

/queue tree
add name=queue_cake_downstream max-limit=300M packet-mark=no-mark parent=bridge queue=queue_cake
add name=queue_cake_upstream max-limit=150M packet-mark=no-mark parent=pppoe-WAN queue=queue_cake

It works and I can see a measurable reduction in bufferbloat with Waveform speed test and Ookla Speedtest, in either direction.

However, with this configuration, my inter-vlan routing is reduced to the max limit set in the downstream queue (300M), which has the bridge interface set as “parent”. When I stop the queue, the limit is lifted and I can reach near wire speed.

So, I’m trying to understand how to configure the queues so that the WAN traffic goes through them, but the LAN is not limited.

Any thoughts on this matter?

I had the exact same issue since I also use interface queue (with fq_codel in my case). There is an easy solution. First, you need to apply the queues only to unmarked packets, which is what you are already doing (“packet-mark=no-mark”).

Then you need to mark your inter-VLAN traffic (adjust lists and mangle passthrough as needed):

/interface list
add name=local
/interface list member
add interface=vlan101 list=local
add interface=vlan102 list=local
/ip firewall mangle
add action=mark-packet chain=forward comment=inter-vlan in-interface-list=local new-packet-mark=intervlan out-interface-list=local passthrough=no

Packet mark can be anything, we are not matching on it. We just need some mark to satisfy the “no-mark” filters.

But the mangle rule won’t work because of fasttrack, so you need to adjust the latter to exclude all marked traffic.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack for established,related" connection-state=established,related hw-offload=yes packet-mark=no-mark

Although marking packets is heavy on CPU, this approach is still better than having to completely disable fasttrack in order to use simple queue where you don’t involve the bridge at all. And of course, it’s better than dealing with limited inter-VLAN bandwidth.

With this configuration on a hAP ac2 I can achieve 530 Mbit/s single stream iperf inter-VLAN bandwidth, 680 Mbit/s with 4 streams. I’m sure you won’t have any troubles reaching full gigabit on RB5009.
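
The three pieces from the answer above (bridge queue limited to no-mark, a forward mangle rule that marks list-to-list traffic, fasttrack excluding marked packets) can be checked against an export before applying it. This is an added example, not part of the original thread or any MikroTik tooling; the function names, the constructed sample export and the assumption that every `add` sits on a single line are assumptions of the example.

```python
import shlex

# Constructed sample: the thread's queue and mangle lines, with a fasttrack
# rule that has NOT yet been given packet-mark=no-mark.
SAMPLE_EXPORT = """\
/queue tree
add name=queue_cake_downstream max-limit=300M packet-mark=no-mark parent=bridge queue=queue_cake
/ip firewall mangle
add action=mark-packet chain=forward comment="Mark LAN packets for queue bypass" in-interface-list=LAN new-packet-mark=LAN out-interface-list=LAN passthrough=no
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
"""

def parse_export(text):
    """Return {menu_path: [{key: value}, ...]} from single-line export text."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            # shlex keeps quoted values such as comment="a b" in one token
            tokens = shlex.split(line[4:])
            menus[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus

def audit_bypass(text, bridge="bridge"):
    """List reasons inter-VLAN traffic would still be shaped by the bridge queue."""
    cfg = parse_export(text)
    problems = []
    for q in cfg.get("/queue tree", []):
        if q.get("parent") == bridge and q.get("packet-mark") != "no-mark":
            problems.append(f"queue {q.get('name')} on {bridge} is not limited to no-mark")
    # The marking rule must match traffic entering and leaving the same list.
    marks = [m for m in cfg.get("/ip firewall mangle", [])
             if m.get("action") == "mark-packet" and m.get("chain") == "forward"
             and m.get("in-interface-list")
             and m.get("in-interface-list") == m.get("out-interface-list")]
    if not marks:
        problems.append("no forward mangle rule marks list-to-list traffic")
    for f in cfg.get("/ip firewall filter", []):
        if f.get("action") == "fasttrack-connection" and f.get("packet-mark") != "no-mark":
            problems.append("fasttrack rule also matches marked packets")
    return problems

if __name__ == "__main__":
    print(audit_bypass(SAMPLE_EXPORT))
```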

That did the trick.

I used the LAN list that was already configured and had my VLANs as members.

[RB5009] > interface/list/export
/interface list
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment="VLAN7 in LAN" interface=VLAN7 list=LAN
add comment="VLAN8 in LAN" interface=VLAN8 list=LAN
add comment="VLAN9 in LAN" interface=VLAN9 list=LAN

Added the mangle rule.

[RB5009] > ip firewall/mangle/export
/ip firewall mangle
add action=mark-packet chain=forward comment="Mark LAN packets for queue bypass" in-interface-list=LAN new-packet-mark=LAN out-interface-list=LAN passthrough=no

And updated the fasttrack filter rule.

[RB5009] > ip firewall/filter/export
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes packet-mark=no-mark

Now, my inter-vlan routing is reaching good speeds on iPerf3 with just a single stream.

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   255 MBytes  2.14 Gbits/sec   45    395 KBytes       
[  5]   1.00-2.00   sec   257 MBytes  2.16 Gbits/sec   11    496 KBytes       
[  5]   2.00-3.00   sec   257 MBytes  2.16 Gbits/sec    8    437 KBytes

Thanks a lot.

If you have no vlans and just want to get full speed local bridge traffic while using a queueTree on the bridge to smooth downloads, would it be sufficient simply to just do these two steps?:

Added the mangle rule.
[RB5009] > ip firewall/mangle/export
/ip firewall mangle
add action=mark-packet chain=forward comment="Mark LAN packets for queue bypass" in-interface-list=LAN new-packet-mark=LAN out-interface-list=LAN passthrough=no

And updated the fasttrack filter rule.
[RB5009] > ip firewall/filter/export
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes packet-mark=no-mark

You don’t need to do anything in this case. LAN to LAN traffic doesn’t go through the router CPU, so it doesn’t hit queues or firewall. It will be switched in hardware by the switch chip.

Ok. Sounds good. Thanks for the clarification.