I’m attempting to build a transparent shaper on routeros v7 but I’m seeing something odd.
It seems that the bridge firewall adds both sides together.
Config notes: v7b5. Bridge with IP firewall enabled, fast path disabled, 2 ports (ether4 and ether5) in the bridge, both with hardware acceleration disabled. Both ports link up at 1G full duplex, as do all other devices in the chain: my PC, where I’m hosting the iperf3 server instances, and the PC across the bridge. If I disable all queues, I can push ~940Mbps/~940Mbps across the bridge. I’ve tested multiple queue types, all with the same result. Also, this hAP ac2 was factory reset with config removed and the only changes made were bridging the ports, enabling the queue, and attempting mangle rules.
Test host is connected to port 5, upstream router in port 4.
I’ve tried just adding a simple queue targeting the test host’s IP, i.e., target=192.168.1.185, with upload=100m and download=100m. Then I run 2 iperf3s across, one sending and one receiving, to attempt to get a 100m/100m queue running. This results in only 100Mbps total passing the bridge, as if the bridge were half-duplex. If I cancel one of the iperf3s, then I get about 100M passing in that direction.
I’ve tried marking packets with source=192.168.1.185 as packet mark ‘UL’ and dst=…185 as packet mark ‘DL’ and putting those packet marks in the queue, same result.
Any idea what’s going on here?
The ultimate goal is a transparent fq-codel shaper. I can get fantastic results one way but then this strange half-duplex-like behavior is kicking in.
I think your problem is that the firewall rules for the bridge will be evaluated as input for port4->bridge and then as output for bridge->port5.
So all your traffic is counted twice.
When you want to avoid that, you may have to match on port number. Then add a packet mark and match that in the queue?
That is why you need to match the interface in a bridge filter rule and set a packet mark there… it is no longer possible to check that once it has gone to the IP level.
Bridge filter, chain forward, in-interface ether5 = packet mark UL; in-interface ether4 = packet mark DL. Filter stats climb rapidly, i.e., the filter is catching the traffic.
If I change to input chain on the filter, only a few bits are caught. I also tried a forward filter with in=ether4 and out=ether5 for DL and the opposite for UL, which causes the packet counts to go up quickly so that seems to be working.
Add a simple queue with those two packet marks, and the queue doesn’t see them. Tried targeting the .185 IP, ether5, ether4, the bridge, 0.0.0.0/0; the queue doesn’t see anything. It’s like the filter moves the packets out of the queue’s path.
Are you sure you have disabled fasttrack? (should not matter for bridging, but when I read “it does not see my settings” I think about that fasttrack thing that I always remove as first action)
Ok, so the bridge filters are taking the packets completely out of the firewall path. With the bridge filters enabled, I can’t match those packet marks in the firewall OR even match based on IP. I.e., try to add a packet mark in mangle with source address and almost no data shows up while the bridge filter is on. Somehow the bridge filter is bypassing the firewall and queues. I don’t see any options in the filter for hardware acceleration or fast path.
On the bridge, disable fast forward. In bridge settings, disable allow fast path (and enable use IP firewall). Stats also show fast path inactive and 0 packets fast-pathed. On each member port, disable hardware acceleration. No firewall rules at all. I can’t think of anywhere else fastpath might be hiding.
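For reference, the settings described in this thread rendered as RouterOS v7 CLI commands; this is an added example, not the poster’s exported config, and the bridge name (bridge1), queue type name (fqc) and queue name (host185) are assumptions.

```routeros
# Bridge with fast-forward off; member ports with hardware offload off
/interface bridge
add name=bridge1 fast-forward=no
/interface bridge port
add bridge=bridge1 interface=ether4 hw=no
add bridge=bridge1 interface=ether5 hw=no

# Send bridged traffic through the IP firewall and keep it off the fast path
/interface bridge settings
set use-ip-firewall=yes allow-fast-path=no

# Mark direction by ingress port: ether5 = test host (upload), ether4 = upstream (download)
/interface bridge filter
add chain=forward in-interface=ether5 action=mark-packet new-packet-mark=UL passthrough=yes
add chain=forward in-interface=ether4 action=mark-packet new-packet-mark=DL passthrough=yes

# fq-codel queue type, then a 100M/100M simple queue keyed on the two marks
/queue type
add name=fqc kind=fq-codel
/queue simple
add name=host185 target=192.168.1.185/32 packet-marks=UL,DL max-limit=100M/100M queue=fqc/fqc
```

As the thread reports, with the bridge filter marks in place the simple queue did not match the marked traffic on this build, so treat the last block as the configuration under discussion rather than a confirmed working shaper.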
Ok maybe it is not so easy to make a bridging shaper then… I have no experience with that, only with shaper at IP level (both simple queue and queue tree) and that works OK, and also with bridge filter to filter e.g. ARP requests and that works too, also together with filters at IP level.