Traffic Prioritization

Hello experts, please see below.
Is this right or wrong…
My firewall mangle:

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark ICMP" disabled=no \
    new-connection-mark=icmp_conn passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting comment="" connection-mark=icmp_conn \
    disabled=no new-packet-mark=ICMP passthrough=yes
add action=set-priority chain=prerouting comment="" disabled=no new-priority=\
    1 packet-mark=ICMP passthrough=no
add action=mark-connection chain=prerouting comment="Mark Telnet" disabled=no \
    dst-port=23 new-connection-mark=telnet_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=\
    telnet_conn disabled=no new-packet-mark=Telnet passthrough=yes
add action=set-priority chain=prerouting comment="" disabled=no new-priority=\
    1 packet-mark=Telnet passthrough=no
add action=mark-connection chain=prerouting comment="Mark DNS" disabled=no \
    dst-port=53 new-connection-mark=Dns_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    53 new-connection-mark=Dns_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="" connection-mark=Dns_conn \
    disabled=no new-packet-mark=DNS passthrough=yes
add action=set-priority chain=prerouting comment="" disabled=no new-priority=\
    1 packet-mark=DNS passthrough=no
add action=mark-connection chain=prerouting comment="Mark P2P" disabled=no \
    new-connection-mark=P2P_conn p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=P2P_conn \
    disabled=no new-packet-mark=P2P passthrough=yes
add action=set-priority chain=prerouting comment="" disabled=no new-priority=\
    8 packet-mark=P2P passthrough=no
add action=mark-connection chain=prerouting comment="Mark FTP" disabled=no \
    dst-port=20,21 new-connection-mark=ftp_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=ftp_conn \
    disabled=no new-packet-mark=Ftp passthrough=yes
add action=set-priority chain=prerouting comment="" disabled=no new-priority=\
    7 packet-mark=Ftp passthrough=no
add action=mark-connection chain=prerouting comment="Mark Yahoo" disabled=no \
    layer7-protocol=yahoo22 new-connection-mark=Yahoo_conn passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=Yahoo_conn \
    disabled=no new-packet-mark=Yahoo passthrough=yes
add action=set-priority chain=prerouting comment="" disabled=no new-priority=\
    3 packet-mark=Yahoo passthrough=no
add action=mark-connection chain=prerouting comment="Mark HTTP" \
    connection-bytes=500000-0 disabled=no dst-port=80 new-connection-mark=\
    http_conn1 passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=http_conn1 \
    disabled=no new-packet-mark=Http passthrough=yes
add action=set-priority chain=prerouting comment="" disabled=no new-priority=\
    7 packet-mark=Http passthrough=no
add action=mark-connection chain=prerouting comment="Mark HTTP Request" \
    connection-bytes=0-500000 disabled=no dst-port=80,443 \
    new-connection-mark=http_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=http_conn \
    disabled=no new-packet-mark="Http Request" passthrough=yes
add action=set-priority chain=prerouting comment="" disabled=no new-priority=\
    1 packet-mark="Http Request" passthrough=no
add action=mark-connection chain=prerouting comment="Mark all other" \
    disabled=no new-connection-mark=other_conn passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn \
    disabled=no new-packet-mark=Other passthrough=yes
add action=set-priority chain=prerouting comment="" disabled=no new-priority=\
    8 packet-mark=Other passthrough=no

My queue tree:

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Global Traffic In" parent=bridge1 priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Http Request In" packet-mark="Http Request" parent=\
    "Global Traffic In" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Other Traffic In" packet-mark=Other parent=\
    "Global Traffic In" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Global Traffic Out" parent=Wan priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Http Request Out" packet-mark="Http Request" parent=\
    "Global Traffic Out" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Yahoo Messenger In" packet-mark=Yahoo parent=\
    "Global Traffic In" priority=3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Yahoo Messenger Out" packet-mark=Yahoo parent=\
    "Global Traffic Out" priority=3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Http In" packet-mark=Http parent="Global Traffic In" \
    priority=7 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Http Out" packet-mark=Http parent="Global Traffic Out" \
    priority=7 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="ICMP In" packet-mark=ICMP parent="Global Traffic In" \
    priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Telnet In" packet-mark=Telnet parent=\
    "Global Traffic In" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="ICMP Out" packet-mark=ICMP parent="Global Traffic Out" \
    priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Telnet Out" packet-mark=Telnet parent=\
    "Global Traffic Out" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Other Traffic Out" packet-mark=Other parent=\
    "Global Traffic Out" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Dns In" packet-mark=DNS parent="Global Traffic In" \
    priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Dns Out" packet-mark=DNS parent="Global Traffic Out" \
    priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="P2P In" packet-mark=P2P parent="Global Traffic In" \
    priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="P2P Out" packet-mark=P2P parent="Global Traffic Out" \
    priority=8 queue=default

Here is my Winbox view (attachments: queue.JPG, mangle.JPG).

Hello, please check this…

Hello experts, please check this…
Is this right or wrong?

After a quick glance, it seems you use the priority setting for something other than what it was intended for. Read:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle

@usmans

First of all you should separate mangle marking for ingress and egress traffic.
Don’t set priority in mangle as mentioned by kosh, set it in queue tree instead.
Your FTP marking can work for Active FTP only; for Passive FTP (mostly used) it is useless.

HTH,



Thanks for the reply
@ditonet
I am a beginner.
Can you tell me how to mark ingress and egress traffic…
Please give me a little example…
Sorry for my bad English…

Hi,

Here is an example for marking HTTP download and upload:

add action=mark-connection chain=prerouting comment="HTTP,HTTPS Request" connection-bytes=0-500000 disabled=no new-connection-mark=cm_http_request passthrough=yes protocol=tcp src-port=80,443,8080
add action=mark-packet chain=prerouting comment=HTTP_DL_Request connection-mark=cm_http_request disabled=no new-packet-mark=pm_http_dl_request passthrough=no
add action=mark-connection chain=prerouting comment=HTTP,HTTPS connection-bytes=500000-0 disabled=no new-connection-mark=cm_http passthrough=yes protocol=tcp src-port=80,443,8080
add action=mark-packet chain=prerouting comment=HTTP_Download connection-mark=cm_http disabled=no new-packet-mark=pm_http_download passthrough=no
add action=mark-connection chain=prerouting comment="HTTP,HTTPS Upload Request" connection-bytes=0-500000 disabled=no dst-port=80,443,8080 new-connection-mark=cm_http_ul_request passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=HTTP_UL_Request connection-mark=cm_http_ul_request disabled=no new-packet-mark=pm_http_ul_request passthrough=no
add action=mark-connection chain=prerouting comment="HTTP,HTTPS Upload" connection-bytes=500000-0 disabled=no dst-port=80,443,8080 new-connection-mark=cm_http_ul passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=HTTP_Upload connection-mark=cm_http_ul disabled=no new-packet-mark=pm_http_upload passthrough=no

It’s quite simple: for HTTP download the SOURCE port is 80,443,8080, but for HTTP upload the DESTINATION port is 80,443,8080.
For the POP3 protocol the SOURCE port is 110, for SMTP the DESTINATION port is 25, and so on…
Every service you want to mark must be considered as ingress/egress traffic: what is the SOURCE or DESTINATION port for this traffic, and the marked packet must be used in the download/upload queue respectively.

Regards and hope this helps,

It's not working; only one rule works, the one that is on top in my firewall mangle.

Hi,

Today I’ve installed an RB450G with QoS, and the previously posted mangle rules work great (among others of course).
Below is the simplest version for marking HTTP traffic:

/ip firewall mangle
add action=mark-connection chain=prerouting comment=HTTP,HTTPS disabled=no new-connection-mark=cm_http_dl passthrough=\
    yes protocol=tcp src-port=80,443,8080
add action=mark-packet chain=prerouting comment=HTTP_Download connection-mark=cm_http_dl disabled=no new-packet-mark=\
    pm_http_dl passthrough=no
add action=mark-connection chain=prerouting comment="HTTP,HTTPS Upload" disabled=no dst-port=80,443,8080 \
    new-connection-mark=cm_http_ul passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=HTTP_Upload connection-mark=cm_http_ul disabled=no new-packet-mark=\
    pm_http_ul passthrough=no

Try this, it must work.

Regards,

Sorry, my mistake: I used dst port for download and src port for upload.
Both examples are working great.
Thanks!
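
Added example (not from any poster in this thread): a short Python check over an exported RouterOS config that flags a connection-mark or packet-mark that is matched but never set, and set-priority used in mangle, which the replies advise moving to the queue tree. The sample export is constructed, and the function names parse_export and lint are this example's own.

```python
import re
import shlex

# Constructed sample in RouterOS export form (not taken from the thread).
SAMPLE_EXPORT = r'''
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=cm_http_ul \
    passthrough=yes protocol=tcp dst-port=80,443
add action=mark-packet chain=prerouting connection-mark=http_ul \
    new-packet-mark=pm_http_ul passthrough=no
add action=set-priority chain=prerouting new-priority=1 packet-mark=pm_http_ul
/queue tree
add name="Http Out" packet-mark=pm_http_ul parent=Wan priority=1
add name="Dns Out" packet-mark=DNS parent=Wan priority=1
'''

def parse_export(text):
    """Return {menu: [rule dict, ...]} from RouterOS export text."""
    text = re.sub(r'\\\s*\n\s*', '', text)  # join backslash-continued lines
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            current = menus.setdefault(line, [])
        elif line.startswith('add ') and current is not None:
            pairs = (tok.split('=', 1) for tok in shlex.split(line[4:]))
            current.append({p[0]: p[1] for p in pairs if len(p) == 2})
    return menus

def lint(menus):
    """Flag marks that are used but never set, and set-priority in mangle."""
    mangle = menus.get('/ip firewall mangle', [])
    conn_set = {r.get('new-connection-mark') for r in mangle} | {'no-mark'}
    pkt_set = {r.get('new-packet-mark') for r in mangle} | {'no-mark'}
    findings = []
    for i, r in enumerate(mangle, 1):
        if r.get('connection-mark', 'no-mark') not in conn_set:
            findings.append(f"mangle rule {i}: connection-mark={r['connection-mark']} is never set")
        if r.get('action') == 'set-priority':  # thread advice: prioritise in the queue tree
            findings.append(f"mangle rule {i}: set-priority used in mangle")
    for q in menus.get('/queue tree', []):
        if q.get('packet-mark', 'no-mark') not in pkt_set:
            findings.append(f"queue {q.get('name')}: packet-mark={q['packet-mark']} is never set")
    return findings

if __name__ == '__main__':
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

A packet-mark rule whose connection-mark is never set simply never matches, so the queue fed by that packet mark stays empty without any error being reported.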