Traffic Priority (Queue Tree?)

Hi All,

I’m trying to make a (simple?) config. RB has 1 uplink port, and has 3 private ports with separate IP subnets.
I have to make a masquerading router to the internet, which prioritizes the upload and download between the 3 subnets. I googled a lot, but could not find any solution for this.
The common problem with applying the solutions found on the internet to my setup is: all examples use one ethernet interface as the main parent for download, but I have 3 interfaces where the download traffic can exit my router.

Thanks

You will need to use a master parent queue whose parent is “global” and then a sub-queue for each LAN in question.
You’ll need to use packet marks to distinguish the traffic for the sub queues - and this marking should probably be done in the forward chain of the mangle table - because prerouting chain happens before the nat table, which makes me think that the packets will still have the WAN’s IP address as the destination address when they go through the prerouting chain (but I could be wrong).

The way to flag your connections for packet marking is going to be to use 3 connection-marking rules in the mangle->prerouting chain based on in-interface=lan1, lan2, and lan3
(also include a criteria that connection-mark=no-mark so that once a connection is flagged, it stays flagged)

Then after those 3 rules, add 3 more rules that do mark-packet based on the connection marks:
in-interface=wan connection-mark=lan1 action=mark-packet new-packet-mark=lan1down passthrough=no

And for upstream marking, add 3 packet mark rules to the post-routing chain:
out-interface=wan connection-mark=lan1 action=mark-packet new-packet-mark=lan1up

You can then make an upstream queue tree parented to the wan interface where the three lan sub-queues are looking for the upstream packet marks.

@Sytex

I’m fighting with the same problem.
On the internet there are a lot of examples, but usually based on 5.x ROS code, which is incompatible with 6.x code.
The second problem is that even on 6.x code there were some changes (like global-in disappeared and now it is just global, and so on).

At the moment I use PCQ with equal bandwidth for every user IP using just one queue:
/queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 name="queue3" target=192.168.0.0/16 parent=none packet-marks="" priority=8/8
queue=pcq-upload-default/pcq-download-default limit-at=0/0 max-limit=49M/49M burst-limit=0/0 burst-threshold=0/0
burst-time=0s/0s bucket-size=0.1/0.1

A few control questions:

  • do You use bridging?
  • do You use masquerade or SNAT?
    According to my knowledge these are important things.

ZeroBytes - If I use SNAT, should I mark on prerouting (upload) and post-routing (download)?


Regards
Slawek

Thanks for the answers. I will try them.

Answers to @slv:

Yes I have bridges, so the 3 ‘LAN’ interfaces are bridges in my setup.
I use masquerade.

I’d say prerouting is usually the go-to chain for mangle in my experience.

Now that I’ve read back over my earlier post, I’d say that the IP address doesn’t matter because if marking packets based on connection mark, you can just do that in prerouting all the time in basic cases - I suggested 3 packet mark rules in postrouting so that at this point, the output interface is known and the packets can be re-marked with the “upstream” marks based on the connection mark. (the connection mark is the same for both directions in the flow)

The NAT isn’t really important in this case - once a connection gets marked, it stays marked until the connection is closed or times out, so the IP is irrelevant. The connection mark can happen in prerouting because we know that no new connections from the WAN are possible, so we know that a new, unmarked connection is coming in via some LAN interface - and this can be used to mark the flow as lan1, lan2, etc…

Hello

So let’s start with (not)working code:

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=LAN-down-con passthrough=yes src-address-list=Local_LANs comment="mark client traffic" disabled=no 
add chain=prerouting action=mark-packet new-packet-mark=all_packet passthrough=no comment="upload" disabled=no

and without "src-address-list"

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=LAN-down-con passthrough=yes comment="mark client traffic" disabled=no 
add chain=prerouting action=mark-packet new-packet-mark=all_packet passthrough=no comment="upload" disabled=no

I got strange (for me) results.

Why do these two rules have an almost similar amount of packets and amount of bytes?

The next step should be a rule for “download”:

add chain=postouting action=mark-packet new-packet-mark=all_packet out-interface=ethernet6  passthrough=no comment="download" disabled=no

Unfortunately the above rule doesn't catch anything :frowning:
Summary:
How to fix these marking rules - at the moment none of them is working in my opinion.

Regards
Slawek

slv, simply use the forward chain, packet marks, and the in-interface / out-interface matchers.

for all download like this

/ip firewall mangle
add chain=forward action=mark-packet new-packet-mark=download in-interface=your_wan_iface out-interface=your_lan_iface passthrough=no comment="all download" disabled=no

for upload reverse in-out interfaces, change mark, comment…

I did:

add chain=forward action=mark-packet new-packet-mark=download in-interface=WAN out-interface=LAN passthrough=no comment="" disabled=no

add chain=forward action=mark-packet new-packet-mark=download in-interface=LAN out-interface=WAN passthrough=no comment="all upload" disabled=no

What about the connection mark - is it necessary?

I see in the Connection mark tab a lot of sessions with an empty name or (unknown 1) as the name - what is going on?
In the Bytes/Packets columns the counters are increasing - so it seems they are working, but why isn't it mangled properly?


Regards
Slawek

You have an error in marking - in both places it is new-packet-mark=download?

As You see - in both rules (one for upload and one for download).
What is wrong with it? Could You be more specific?


Regards
Slawek

Thanks for the answers and advice.

Now I’m stuck at the queue tree setup, I made this config:

/ip firewall mangle
add action=mark-connection chain=prerouting comment=con_LAN1 connection-mark=no-mark in-interface=LAN1 new-connection-mark=conn_LAN1 passthrough=no
add action=mark-connection chain=prerouting comment=con_LAN2 connection-mark=no-mark in-interface=LAN2 new-connection-mark=conn_LAN2 passthrough=no
add action=mark-connection chain=prerouting comment=con_LAN3 connection-mark=no-mark in-interface=LAN3 new-connection-mark=conn_LAN3 passthrough=no
add action=mark-packet chain=forward comment=pckt_LAN1_up connection-mark=conn_LAN1 new-packet-mark=pckt_LAN1_up out-interface=WAN passthrough=no
add action=mark-packet chain=forward comment=pckt_LAN2_up connection-mark=conn_LAN2 new-packet-mark=pckt_LAN2_up out-interface=WAN passthrough=no
add action=mark-packet chain=forward comment=pckt_LAN3_up connection-mark=conn_LAN3 new-packet-mark=pckt_LAN3_up out-interface=WAN passthrough=no
add action=mark-packet chain=forward comment=pckt_LAN1_down connection-mark=conn_LAN1 in-interface=WAN new-packet-mark=pckt_LAN1_down passthrough=no
add action=mark-packet chain=forward comment=pckt_LAN2_down connection-mark=conn_LAN2 in-interface=WAN new-packet-mark=pckt_LAN2_down passthrough=no
add action=mark-packet chain=forward comment=pckt_LAN3_down connection-mark=conn_LAN3 in-interface=WAN new-packet-mark=pckt_LAN3_down passthrough=no

The packet markings are working fine, I tested them. For testing purposes I made a 10M/5M limit (in the real setup there will be 100/50).

I made the following config for queue tree:

/queue tree
add max-limit=5M name=upload parent=global queue=default
add name=LAN1_up packet-mark=pckt_LAN1_up parent=upload priority=8 queue=default
add name=LAN2_up packet-mark=pckt_LAN2_up parent=upload priority=7 queue=default
add name=LAN3_up packet-mark=pckt_LAN3_up parent=upload priority=6 queue=default
add max-limit=10M name=download parent=global queue=default
add name=LAN1_down packet-mark=pckt_LAN1_down parent=download priority=8 queue=default
add name=LAN2_down packet-mark=pckt_LAN2_down parent=download priority=7 queue=default
add name=LAN3_down packet-mark=pckt_LAN3_down parent=download priority=6 queue=default

Prioritizing the traffic does not work. It drops whole connections on LAN1 at the moment when a device on LAN2 begins to transmit (testing with speedtest.net).

Next setup:

/queue tree
add max-limit=5M name=upload parent=global queue=default
add limit-at=1M max-limit=5M name=LAN1_up packet-mark=pckt_LAN1_up parent=upload priority=8 queue=default
add limit-at=2M max-limit=5M name=LAN2_up packet-mark=pckt_LAN2_up parent=upload priority=7 queue=default
add name=LAN3_up packet-mark=pckt_LAN3_up parent=upload priority=6 queue=default
add max-limit=10M name=download parent=global queue=default
add limit-at=2M max-limit=10M name=LAN1_down packet-mark=pckt_LAN1_down parent=download priority=8 queue=default
add limit-at=4M max-limit=10M name=LAN2_down packet-mark=pckt_LAN2_down parent=download priority=7 queue=default
add name=LAN3_down packet-mark=pckt_LAN3_down parent=download priority=6 queue=default

I tried to make some guaranteed bandwidth; it is a bit more stable, but lots of dropped connections and unfinished speed tests are still present.

Any suggestions?

About upload:
lan1 drops because your lan2 has higher priority.
Another: where are limit-at and max-limit for lan3?
If your upload max-limit is 5M, then the sum of all three LANs' limits needs to be equal to 5M. Try it this way, and without different priorities.
Exactly the same case in downloads.
Change and test again.

LAN3 is not set yet, because I’m testing it with two clients.

Again: I don’t want to set exact max-limits per subnet (I can make that with simple queues, and don’t need the queue tree).

My goal:
LAN1 lowest priority but guaranteed 2M down, 1M up
LAN2 middle priority but guaranteed 4M down, 2M up
LAN3 highest priority.

If no one uses LAN2 or LAN3, the LAN1 clients can get all the bandwidth.
If LAN2 users are online, then their traffic is prioritized before the LAN1 traffic, so LAN1 can get the 2M/1M and LAN2 the rest of what is available.
If LAN3 users are online, then they can get the bandwidth they need, but keep the guaranteed amounts for LAN1 and LAN2.

Or is it too complex a task for ROS?? :slight_smile:

I understand what you want, but when you use priority there is no “guarantee” of anything for classes with low priority. Those with high priority may well get all the bandwidth. In my opinion HTB works predictably and fairly if you use equal priority and set correct numbers for limit-at and max-limit.

Equal priority, max-limit set on each subchain to the same as the global max-limit, and limit-at parameters depending on the needed priority (LAN1 20Mbit, LAN2 40Mbit, LAN3 40Mbit) worked for me.

Thanks for the advices.
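A queue tree built on the recipe in the post above, added here as a worked example: it is a reconstruction from the figures quoted in the thread (the 100M/50M line, the 20/40/40 Mbit download guarantees), not Sytex's actual exported configuration. It assumes the mangle rules posted earlier in the thread (marks pckt_LAN1_up … pckt_LAN3_down) are already in place; the upload guarantees (10/20/20M) are an assumption, since the post does not state them.

```routeros
# Added example (reconstruction, not Sytex's exported config).
# Assumes the mangle rules posted earlier in the thread are in place, so
# packets already carry the pckt_LAN1_up ... pckt_LAN3_down marks.
/queue tree
# Parents sit on "global": download traffic can leave through any of the
# three LAN bridges, so no single interface can be the parent. The totals
# are the 100M/50M line quoted in the thread.
add name=download parent=global max-limit=100M queue=default
add name=upload parent=global max-limit=50M queue=default
# Children: equal priority (8), max-limit equal to the parent so any LAN may
# take the whole pipe while the others are idle, limit-at as the guaranteed
# share. HTB only honours limit-at when the siblings' limit-at values sum to
# no more than the parent's max-limit (20M + 40M + 40M = 100M here).
add name=LAN1_down parent=download packet-mark=pckt_LAN1_down priority=8 limit-at=20M max-limit=100M queue=default
add name=LAN2_down parent=download packet-mark=pckt_LAN2_down priority=8 limit-at=40M max-limit=100M queue=default
add name=LAN3_down parent=download packet-mark=pckt_LAN3_down priority=8 limit-at=40M max-limit=100M queue=default
# Upload guarantees are an assumption (half of the download figures); the
# post does not give them. They likewise sum to the parent's 50M.
add name=LAN1_up parent=upload packet-mark=pckt_LAN1_up priority=8 limit-at=10M max-limit=50M queue=default
add name=LAN2_up parent=upload packet-mark=pckt_LAN2_up priority=8 limit-at=20M max-limit=50M queue=default
add name=LAN3_up parent=upload packet-mark=pckt_LAN3_up priority=8 limit-at=20M max-limit=50M queue=default
# Check: generate traffic on one LAN and watch the per-child counters move.
# A child whose bytes stay at 0 means its packet mark never matched, which
# points back at the mangle rules rather than at the tree.
/queue tree print stats
```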

Hello Sytex

Could You post here code for QoS that You configured?


Regards
Slawek

Slawek,

Right now I am on business trip, and cannot access the router. I will post it next week.

Hi Sytex

I hope that You are doing well

Please share your config if it's possible now.


Regards
Slawek

Please, post it… Right now I need your working configuration.
Thanks

Also looking for an update on this. Hoping to see the working code. Thank you