syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

transparent bridging directionality issue?

Thu Apr 22, 2021 9:18 pm

I'm attempting to build a transparent shaper on RouterOS v7 but I'm seeing something odd.

It seems that the bridge firewall adds both sides together.

config notes: v7b5. bridge w/ IP firewall enabled, fast path disabled, 2 ports ether4 and ether5 in bridge both with hardware accel disabled. both ports link up at 1G full duplex as do all other devices in the chain. My PC where I'm hosting the iperf3 server instances and the PC across the bridge. If I disable all queues, I can push ~940Mbps/~940Mbps across the bridge. I've tested multiple queue types, all with same result. Also, this hap ac2 was factory reset with config removed and the only changes made were bridging the ports and enabling the queue, and attempting mangle rules.

Test host is connected to port 5, upstream router in port 4.

I've tried just adding a simple queue targeting the test host's IP. ie, target=192.168.1.185, set upload=100m and download=100m. Then I run 2 iperf3s across, one sending and one receiving to attempt to get a 100m/100m queue running. This results in only 100Mbps *total* passing the bridge as if the bridge were half-duplex. If I cancel one of the iperf3s, then I get about 100M passing in that direction.

I've tried marking packets with source=192.168.1.185=packet mark 'UL' and dst=....185 for packet mark 'DL' and putting those packet marks in the queue, same result.

Any idea what's going on here?

The ultimate goal is a transparent fq-codel shaper. I can get fantastic results *one way* but then this strange half-duplex-like behavior is kicking in.
 
syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

Re: transparent bridging directionality issue?

Thu Apr 22, 2021 9:19 pm

I should add, I've tried many speed combos, even 5M/5M and that results in an aggregate of 5M. ie, this eliminates port speeds from the equation.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: transparent bridging directionality issue?

Thu Apr 22, 2021 10:01 pm

I think your problem is that the firewall rules for the bridge will be evaluated as input for port4->bridge and then as output for bridge->port5.
So all your traffic is counted twice.
When you want to avoid that, you may have to match on port number. Then add a packet mark and match that in the queue?
 
syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

Re: transparent bridging directionality issue?

Fri Apr 23, 2021 12:01 am

my pc 192.168.1.135 <> [ ether4 / bridge / ether5 ] <> 192.168.1.185 test PC

packet mark src=.185 UL
packet mark dst=.185 DL
simple queue with target .185, UL/DL marks added to get directionality.

I can match interface on the queue, but that doesn't change anything.

I cannot match interface in mangle, it errors saying that interface is part of a bridge.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: transparent bridging directionality issue?

Fri Apr 23, 2021 11:11 am

That is why you need to match the interface in a bridge filter rule and set a packet mark there... it is no longer possible to check that once it has gone to the IP level.
 
syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

Re: transparent bridging directionality issue?

Fri Apr 23, 2021 5:59 pm

bridge filter, chain forward, in interface ether5 = packet mark UL. in interface ether4 = packet mark DL. Filter stats climb rapidly, ie the filter is catching the traffic.

If I change to input chain on the filter, only a few bits are caught. I also tried a forward filter with in=ether4 and out=ether5 for DL and the opposite for UL, which causes the packet counts to go up quickly so that seems to be working.

Add a simple queue with those two packet marks, queue doesn't see them. Tried targeting the .185 IP, ether5, ether4, the bridge, 0.0.0.0/0, the queue doesn't see anything. It's like the filter moves the packets out of the queue's path.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: transparent bridging directionality issue?

Fri Apr 23, 2021 6:09 pm

Are you sure you have disabled fasttrack? (should not matter for bridging, but when I read "it does not see my settings" I think about that fasttrack thing that I always remove as first action)
 
syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

Re: transparent bridging directionality issue?

Fri Apr 23, 2021 6:13 pm

Ok, so the bridge filters are taking the packets completely out of the firewall path. With the bridge filters enabled, I can't match those packet marks in the firewall OR even match based on IP. ie, try to add a packet mark in mangle with source address and almost no data shows up while the bridge filter is on. Somehow the bridge filter is bypassing the firewall and queues. I don't see any options in the filter for hardware acceleration or fast path.
 
syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

Re: transparent bridging directionality issue?

Fri Apr 23, 2021 6:16 pm

on the bridge, disable fast forward. on bridge settings, disable allow fast path (and enable use IP firewall). Stats also show fast path inactive and 0 packets fast pathed. On each member port, disable hardware accel. No firewall rules at all. I can't think of anywhere else fastpath might be hiding.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: transparent bridging directionality issue?

Fri Apr 23, 2021 7:14 pm

Ok maybe it is not so easy to make a bridging shaper then... I have no experience with that, only with shaper at IP level (both simple queue and queue tree) and that works OK, and also with bridge filter to filter e.g. ARP requests and that works too, also together with filters at IP level.
 
syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

Re: transparent bridging directionality issue?

Fri Apr 23, 2021 10:45 pm

This works in v6. Specifically just using packet marks to identify directionality then targeting the IP address. No problem.

I'm wanting to build this for fq_codel though, so v6 isn't an option.
