Traffic Shaper with Transparent Bridge

I am trying to set up a Traffic Shaper with a Transparent Bridge, but so far I cannot get the Traffic Shaper working.

Got a MikroTik RouterBoard home Access Point lite (hAP lite).

Configuration with Winbox, based on the default config:
IP > Address, change the default 192.168.88.0 entry to a fixed IP in my LAN (so that I can manage the device)
IP > DHCP Client, delete the entry
IP > DHCP Server, delete the entry
IP > Interface, go to ether1, set master port to ether2-master
IP > Firewall > NAT, delete the masquerade rule for ether1

Now I do have a working bridge, at least for ports 2-4. Connected ether2 to my FritzBox and ether4 to my clients.
Traffic flows through the bridge, the hAP lite is manageable via the fixed IP.

Configuration for Traffic Shaping
Configure bridge1 to use ip firewall so that packet marking works
/interface bridge settings
set use-ip-firewall=yes

Tried to limit traffic from/to 2 IP addresses with simple queues
/queue simple
add max-limit=512k/5M name="Limit1" target=192.168.2.101/32
add max-limit=512k/5M name="Limit2" target=192.168.2.102/32

This has no effect.

Now my questions :)
Does this simple queue setup prevent all bursts? I don't want to have any bursts allowed.
Is it possible to use Simple Queues in such a setup? What is wrong with my approach?
If I need to use Queue Trees, can somebody post a short config example of how to limit traffic for a single IP with them?

Greetings, Tkl

Wrong. Now you have a working switch, not bridge. The traffic is fully handled by the switch chip (but not the CPU of your hAP lite) and cannot be shaped. You seem to have a bridge from the default configuration, so the only traffic that flows through the bridge and can be shaped is the traffic from/to your WiFi clients.

You need to set the master-port=none on your ether1, then add ether1 to the bridge, then also connect your Fritz! to ether1.

Thanks, I will try this out.

Do I understand it right that with this setup I will still have switching by the switch chip between ports 2-4 and transparent firewalling and traffic shaping between port 1 and the remaining connections?

And do I need to clean up any or even all of the default firewall filter rules? As I do not need firewall rules, but only the traffic shaping, I think I should try to remove all the rules.

Correct.

The traffic between ether1, wireless and the rest of the wired ports will be bridged, i.e. handled by the OS. How that traffic is handled depends on the configuration. For instance it can be filtered (firewalled) and/or shaped.

They have no effect on the traffic only being bridged (but not routed), but you can of course remove all the extra rules to keep your config nice and clean.

I could test now, but still the Simple Queues Limits are not working.

Looking into the ethernet ports I also wonder why ether1 has the Slave flag:

> /interface ethernet print 
Flags: X - disabled, R - running, S - slave 
 #    NAME                 MTU MAC-ADDRESS       ARP             MASTER-PORT               SWITCH              
 0 RS ether1              1500 64:D1:54:34:8F:F5 enabled         none                      switch1             
 1 RS ether2-master       1500 64:D1:54:34:8F:F6 enabled         none                      switch1             
 2  S ether3              1500 64:D1:54:34:8F:F7 enabled         ether2-master             switch1             
 3 RS ether4              1500 64:D1:54:34:8F:F8 enabled         ether2-master             switch1   

/interface bridge settings print
              use-ip-firewall: yes
     use-ip-firewall-for-vlan: no
    use-ip-firewall-for-pppoe: no
              allow-fast-path: yes
      bridge-fast-path-active: no
     bridge-fast-path-packets: 0
       bridge-fast-path-bytes: 0
  bridge-fast-forward-packets: 0
    bridge-fast-forward-bytes: 0
[admin@MikroTik] > /interface bridge port print    
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                              BRIDGE                              PRIORITY  PATH-COST    HORIZON
 0    ;;; defconf
      ether2-master                          bridge                                  0x80         10       none
 1 I  ;;; defconf
      wlan1                                  bridge                                  0x80         10       none
 2 ID ether3                                 bridge                                  0x80         10       none
 3  D ether4                                 bridge                                  0x80         10       none
 4    ether1                                 bridge                                  0x80         10       none
[admin@MikroTik] >

It became slave when you added it to the bridge.

Post your /queue configuration. But please use export instead of print.

/queue export
# jun/28/2017 20:18:50 by RouterOS 6.39.2
# software id = 9AAI-4J5U
#
/queue simple
add max-limit=512k/5M name=Limit1 target=192.168.2.101/32
add max-limit=512k/5M name=Limit2 packet-marks="" target=192.168.2.102/32

After removing the packet-marks="" it started to work. This was a leftover from my look into the Advanced tab which I did not recognize in the WinBox GUI …

Thanks for your help!
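
An added example, not part of the thread and not MikroTik code: a small Python check that reads a RouterOS export and reports the causes found above, namely ports hardware-switched through a master port (so their traffic never reaches the bridge firewall or queues), a simple queue carrying a leftover packet-marks="", and queues on a bridge without use-ip-firewall=yes. The sample export is constructed and the function names are hypothetical.

```python
import shlex

# Constructed sample in the style of a RouterOS 6.x export; not from a real device.
SAMPLE_EXPORT = '''\
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
/interface bridge settings
set use-ip-firewall=yes
/queue simple
add max-limit=512k/5M name=Limit1 target=192.168.2.101/32
add max-limit=512k/5M name=Limit2 packet-marks="" target=192.168.2.102/32
'''

def parse_export(text):
    """Yield (section, properties) for each add/set line of an export."""
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or export header comment
        if line.startswith("/"):
            section = line                # menu path such as "/queue simple"
            continue
        # shlex turns packet-marks="" into the token 'packet-marks='
        yield section, dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)

def audit(text):
    """Return (subject, problem) pairs for the pitfalls discussed in the thread."""
    findings, bridge_fw, has_queue = [], False, False
    for section, p in parse_export(text):
        if section == "/interface ethernet" and p.get("master-port", "none") != "none":
            findings.append((p.get("default-name", "?"),
                             "hardware-switched via " + p["master-port"]
                             + ": not seen by bridge firewall or queues"))
        elif section == "/interface bridge settings":
            bridge_fw = bridge_fw or p.get("use-ip-firewall") == "yes"
        elif section == "/queue simple":
            has_queue = True
            if p.get("packet-marks") == "":
                findings.append((p.get("name", "?"), 'leftover packet-marks=""'))
    if has_queue and not bridge_fw:
        findings.append(("bridge", "use-ip-firewall is not set to yes"))
    return findings

if __name__ == "__main__":
    for subject, problem in audit(SAMPLE_EXPORT):
        print(f"{subject}: {problem}")
```

Ports that are meant to stay on the switch chip (ether3 and ether4 in this thread) will still be listed; treat those entries as a reminder that traffic between them is neither filtered nor shaped.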