update: another way how to Masquerade + Shape, may be faster

Hi everyone,

case is:
shaping and masquerade on one router
packet marks + queue tree

The standard way is to use packet mark + connection mark in prerouting, as stated in the wiki.

I’m using this method:

incoming traffic (download for user): packet mark in postrouting, dst address is the user’s IP, out interface WAN, action mark packet
outgoing traffic (upload for user): packet mark in forward, src address is the user’s IP, out interface LAN, action mark packet

queue tree: incoming traffic WAN, outgoing traffic LAN

Shaping works, but I don’t know if it’s more CPU intensive than the connection-mark way.
Any idea which solution is better?

Connection mark + packet mark is much less CPU intensive than just a packet mark.

indeed, because with connection mark you only have to check the initial packet to mark the connection, while with packet mark you have to check every packet over and over again.

so if packet mark is used with connection mark, then when you mark packets you only have to look at which connection the packet belongs to, not at IP addresses or other fields of the packet.

wonderful response. thank you.

tested the connection-mark way, and in my config with 1000+ IPs it consumes 2-3 times more CPU power (before 20-30%, now 60-90%)

did it this way:
mark based on IP address in forward with connection mark
in forward, mark packet based on connection mark and interface (two rules, in and out)

my previous setup works this way

the first set of rules puts subnets into individual chains (if the IP is xxx.xxx.YYY.0/24, put it into chain FORWARD_YYY, the same for POSTROUTING)
then in the individual chains I do the matching for src or dst IP address

so a packet passes fewer rules than when using the connection-mark way

maybe I have done something wrong, should I use the “new connection” flag for the connection mark?

any advice for marking 1000+ IPs?

I use it like this:
download from internet:
chain=forward action=mark-packet new-packet-mark=internet_rx_normal passthrough=yes in-interface=internet

you suggest making two rules like this:
chain=forward action=mark-connection new-connection-mark=internet_rx_normal passthrough=yes in-interface=internet
chain=forward action=mark-packet new-packet-mark=internet_rx_normal passthrough=yes in-interface=internet

is it right to use those two rules, or is something wrong, or is there a better way?

both methods work (only set passthrough to no in the 2nd line of the connection-mark example, and you don’t have to specify the interface in the 1st line)

but only packet mark without connection mark is faster for me, maybe some guru knows the truth

I’m migrating shapers from Linux to ROS, and what I did is rewrite my system to support the MikroTik API, but the shaping algorithm remained the same.

a more friendly schema of how I do the shaping; it’s on routers with NAT

first, dividing customers into subnets, /24 for now, will make a better tree in the future, so every packet should pass max 10 rules.
..

chain=forward action=jump jump-target=FORWARD_25 src-address=10.108.25.0/24 out-interface=ether1

chain=postrouting action=jump jump-target=POSTROUTING_25 dst-address=10.108.25.0/24 out-interface=ether2

chain=forward action=jump jump-target=FORWARD_5 src-address=10.108.5.0/24 out-interface=ether1

chain=postrouting action=jump jump-target=POSTROUTING_5 dst-address=10.108.5.0/24 out-interface=ether2

..

and now mark concrete IPs

..

chain=POSTROUTING_25 action=mark-packet new-packet-mark=in25.83 passthrough=no dst-address=10.108.25.83

chain=FORWARD_25 action=mark-packet new-packet-mark=out25.83 passthrough=no src-address=10.108.25.83

chain=POSTROUTING_5 action=mark-packet new-packet-mark=in5.51 passthrough=no dst-address=10.108.5.51

chain=FORWARD_5 action=mark-packet new-packet-mark=out5.51 passthrough=no src-address=10.108.5.51

..

and then ordinary queue trees for shaping

I also think that using only packet mark is faster (I tested both ways).

OMG - the idea of marking each independent IP is completely wrong! - you can use simple queues then, they will be faster.

Connection marks + packet marks + address lists + PCQ is the ideal combination; it works faster than “packet marks + address lists + PCQ”.

In this case you have 1500 mangle rules instead of 500, of course you will get less CPU load, but this issue is not related to the performance of the mangle + queues, it is simply that the bigger your setup, the more CPU it will take.

megy,

if you group your users into user groups using address lists and create like 4-5 (depends on the user group count), then your config will be slower than this one

I don’t understand, I’m willing to pay you for your consultation, I’m starting to get desperate :)

I have, let’s say, 1000 IPs and have to shape them separately; each IP has an individual rate for down and up

I create IP lists with 200 IPs in each address list, so I have 5 address lists
and now I can do connection mark in mangle
then I create another five groups from the 200-IP groups, so I have 40 IPs in one address list and a total of 25 address lists
add 25 mangle rules and do connection mark, each matching the connection mark of the 200-IP group it belongs to and the address list of the 40-IP group
then I create another five groups from the 40-IP groups, so I have 8 IPs in one address list and a total of 125 address lists
add 125 mangle rules and do connection mark, each matching the connection mark of the 40-IP group it belongs to and the address list of the 8-IP group
and now I add 1000 mangle rules, matching the connection mark of the 8-IP group it belongs to and matching the IP address, and
do connection mark for this IP

the packet now in the worst case passes max 5 rules in each mangle group, max 15+8=23 rules to match

OK, this is like my setup, except that it is using connection mark

and now what, should I add 2 mangle rules for each IP, one each for the in and out interface, matching the connection mark and doing packet mark?

the mangle table will be huge, but if matching against connection mark is faster than matching an IP, it will be faster
but this presumes that connection-mark matching uses some smart algorithm, not just passing rule by rule and looking whether the connection mark equals what it’s looking for
I come from the point that each packet has to be marked to be able to assign it to a queue, and for me a faster algorithm means fewer rules the packet has to pass, not fewer rules in total

The ideal thing in Linux is the u32 hashing in TC, but MikroTik does not look like it has one, or it uses it internally and I just don’t know.

any idea?
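The two per-IP designs in this thread, the per-/24 chains in the posted config earlier and the 5 x 5 x 5 address-list tree described in the post above, share one idea: bound how many rules a packet is compared against, not how many rules exist. The script below is an added example and not code from the thread; it generates such a tree as RouterOS commands (address lists, jump chains, one packet-mark rule per IP in the leaf chains) and computes the worst-case number of rules one packet traverses. The interface names ether1 (WAN) and ether2 (LAN), the 10.108.0.0/16 client range and all list, chain and mark names are assumptions for illustration.

```python
"""Added example (not from the thread): build a hierarchical RouterOS mangle tree and
count how many rules a packet is compared against in the worst case.
Assumed names: ether1 = WAN, ether2 = LAN, clients in 10.108.0.0/16."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Direction:
    name: str        # prefix for marks/lists: "out" = client upload, "in" = client download
    chain: str       # built-in chain that holds the top-level jumps
    side: str        # "src" (client is the source) or "dst" (client is the destination)
    out_iface: str   # interface the shaped traffic leaves on


# Assumed, as in the config posted earlier in the thread: ether1 = WAN, ether2 = LAN.
UPLOAD = Direction("out", "forward", "src", "ether1")
DOWNLOAD = Direction("in", "postrouting", "dst", "ether2")


@dataclass
class MangleTree:
    rules: list = field(default_factory=list)           # "/ip firewall mangle add ..." lines
    address_lists: dict = field(default_factory=dict)   # list name -> member IPs
    worst_case: int = 0                                 # most rules one packet is compared against


def customers(n, network="10.108.0.0/16"):
    """Constructed sample input: the first n host addresses of the (assumed) client range."""
    hosts = ipaddress.ip_network(network).hosts()
    return [str(next(hosts)) for _ in range(n)]


def chunk(seq, parts):
    """Split seq into at most `parts` consecutive, nearly equal slices."""
    size = -(-len(seq) // parts)          # ceiling division
    return [seq[i:i + size] for i in range(0, len(seq), size)]


def build(ips, d, fanout=(5, 5, 5)):
    """Emit one jump rule per group at each level and one packet-mark rule per IP in the
    leaf chains. fanout=(5, 5, 5) reproduces the 5 x 5 x 5 tree from the post above."""
    tree = MangleTree()

    def walk(chain, group, depth, path, cost):
        if depth == len(fanout):
            for ip in group:
                tree.rules.append(
                    f"/ip firewall mangle add chain={chain} action=mark-packet "
                    f"new-packet-mark={d.name}_{ip} passthrough=no {d.side}-address={ip}")
            # a packet reaching this leaf passed `cost` jump rules on the way down and,
            # at worst, is tested against every mark rule in the leaf
            tree.worst_case = max(tree.worst_case, cost + len(group))
            return
        subgroups = chunk(group, fanout[depth])
        for i, sub in enumerate(subgroups):
            suffix = "_".join(map(str, path + (i,)))
            list_name = f"{d.name}_grp_{suffix}"
            sub_chain = f"{d.chain.upper()}_{d.name}_{suffix}"
            tree.address_lists[list_name] = list(sub)
            # the interface test is only needed at the top level; below it the packet is
            # already known to belong to one of our groups
            iface = f" out-interface={d.out_iface}" if depth == 0 else ""
            tree.rules.append(
                f"/ip firewall mangle add chain={chain} action=jump jump-target={sub_chain} "
                f"{d.side}-address-list={list_name}{iface}")
            # worst case: the packet is compared against every jump rule of this level
            walk(sub_chain, sub, depth + 1, path + (i,), cost + len(subgroups))

    walk(d.chain, list(ips), 0, (), 0)
    return tree


def address_list_commands(tree):
    """The address-list entries the jump rules refer to (each IP appears once per level)."""
    return [f"/ip firewall address-list add list={name} address={ip}"
            for name, members in tree.address_lists.items() for ip in members]


def flat_worst_case(n):
    """Per-IP rules in one flat chain: a packet may be tested against all n of them."""
    return n


if __name__ == "__main__":
    ips = customers(1000)
    for d in (UPLOAD, DOWNLOAD):
        t = build(ips, d)
        print(d.name, "rules:", len(t.rules), "lists:", len(t.address_lists),
              "worst case per packet:", t.worst_case, "vs flat:", flat_worst_case(len(ips)))
```

With 1000 IPs and fanout (5, 5, 5) the worst case is 5 + 5 + 5 + 8 = 23 rule comparisons per direction, the same figure as in the post above, against 1000 for a single flat chain; the price is 155 address lists and 155 jump rules per direction on top of the 1000 mark rules. Two caveats: a packet that reaches a leaf chain and matches no mark rule returns to the calling chain after the jump, so anything that follows the top-level jumps still runs for it, and the tree has to be regenerated whenever an address moves between groups. The script counts only rule comparisons; whether an address-list match costs the same as a plain src/dst-address match on a given RouterOS build is something to measure, not assume.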

idea is:

  1. you have like 1000 clients that buy from you 5 different services (like 1st 128/512 kbps, 2nd up/down 256/1024 kbps, etc.)

  2. you add them to the address list corresponding to the service bought

  3. you shape those clients like I described earlier (you can limit up/down in one simple queue)

but if you really really have 1000 clients that have different speeds assigned, then your solution is the best available, unless you can group them under some group and make groups, and then if you have like 5 groups it will be the same as if you have 5 users.

and you can attend a MUM/training and have a real-time conversation with different specialists and MT staff, and get to know best practices.

also you can look at our consultant list:
http://www.mikrotik.com/consultants.html
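For the plan-based design recommended in the reply above (clients grouped by the service they bought, then connection mark + packet mark + address lists + PCQ), here is an added example that is not from the thread. It renders the RouterOS commands for a few plans and first checks that no client address sits in two plan lists, because such an address would be shaped under whichever plan’s mangle rule comes first. The plan names and rates, the 10.108.x.x client addresses, the interface names ether1 (WAN) / ether2 (LAN) and attaching the queue-tree entries to the egress interfaces are assumptions for illustration.

```python
"""Added example (not from the thread): RouterOS config for shaping by service plan
instead of per IP. Plans, rates, client addresses and interface names are assumed."""

# Constructed sample data: plan -> rates in kbps, and (client IP, plan) assignments.
PLANS = {
    "basic":    {"down": 512,  "up": 128},
    "standard": {"down": 1024, "up": 256},
    "premium":  {"down": 4096, "up": 1024},
}
ASSIGNMENTS = [
    ("10.108.5.51", "basic"),
    ("10.108.5.52", "basic"),
    ("10.108.25.83", "standard"),
    ("10.108.25.84", "premium"),
]


def find_conflicts(assignments, plans):
    """Return the problems that would make the shaper silently wrong: an address listed
    twice (it gets the mark of whichever plan rule comes first) or an unknown plan."""
    problems, seen = [], {}
    for ip, plan in assignments:
        if plan not in plans:
            problems.append(f"{ip}: unknown plan {plan}")
        if ip in seen:
            problems.append(f"{ip}: listed twice ({seen[ip]} and {plan})")
        else:
            seen[ip] = plan
    return problems


def render(assignments, plans, wan="ether1", lan="ether2"):
    """Return the RouterOS commands for the plan-based shaper, or raise on conflicts."""
    problems = find_conflicts(assignments, plans)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    # 1. address lists: one per plan, membership decides the rate
    for ip, plan in assignments:
        cmds.append(f"/ip firewall address-list add list=plan_{plan} address={ip}")
    # 2. PCQ queue types: pcq-rate limits each sub-stream (one per client address)
    #    separately, so every client in the plan gets its own cap
    for plan, rate in plans.items():
        cmds.append(f"/queue type add name=pcq_{plan}_down kind=pcq "
                    f"pcq-rate={rate['down']}k pcq-classifier=dst-address")
        cmds.append(f"/queue type add name=pcq_{plan}_up kind=pcq "
                    f"pcq-rate={rate['up']}k pcq-classifier=src-address")
    # 3. mangle: mark the connection once, while it still has no mark, from whichever
    #    side opened it; afterwards every packet only needs the connection-mark +
    #    out-interface test instead of an address lookup
    for plan in plans:
        for side in ("src", "dst"):
            cmds.append(f"/ip firewall mangle add chain=forward action=mark-connection "
                        f"new-connection-mark=conn_{plan} passthrough=yes "
                        f"{side}-address-list=plan_{plan} connection-mark=no-mark")
        cmds.append(f"/ip firewall mangle add chain=forward action=mark-packet "
                    f"new-packet-mark={plan}_up passthrough=no "
                    f"connection-mark=conn_{plan} out-interface={wan}")
        cmds.append(f"/ip firewall mangle add chain=forward action=mark-packet "
                    f"new-packet-mark={plan}_down passthrough=no "
                    f"connection-mark=conn_{plan} out-interface={lan}")
    # 4. queue tree: one queue per plan and direction, attached to the egress interface
    for plan in plans:
        cmds.append(f"/queue tree add name={plan}_down parent={lan} "
                    f"packet-mark={plan}_down queue=pcq_{plan}_down")
        cmds.append(f"/queue tree add name={plan}_up parent={wan} "
                    f"packet-mark={plan}_up queue=pcq_{plan}_up")
    return cmds


def mangle_rules_per_packet(plans):
    """Upper bound on mangle rules a packet is compared against: 4 per plan, independent
    of how many clients are in the lists."""
    return 4 * len(plans)


if __name__ == "__main__":
    print("\n".join(render(ASSIGNMENTS, PLANS)))
```

The mangle chain then holds four rules per plan regardless of client count, and the per-client limit comes from pcq-rate rather than from a rule per address. This only pays off while the distinct rate combinations are few; one plan per client brings the rule count back to that of the per-IP designs discussed earlier in the thread.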