brandonrossl
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Jun 08, 2011 10:09 pm

Mangle Marking for QoS

Tue Jan 24, 2012 6:34 pm

I'm having a hard time wrapping my head around the mangle terminology. So I'll start from the top.

My setup:
FiOS (RJ45) - RB433AH - a few dumb switches and wifi

eth1 = DHCP client for FiOS IP, default route is added to NAT automatically (felt like a hero when I got this set up)
eth2/eth3/wifi are properly functioning & the DHCP server hands out IPs properly
eth3 has eth2 as master port for switch chip
Only basic firewall rules as defined by the MikroTik wiki like 'drop invalid' and such.
All ports are bridged and 'use IP firewall' is checked, everything works perfectly and is fast. My goal is 4 QoS levels, just packet/connection priority rules regardless of user to keep things running smoothly.

My biggest question: What 'interface' should I specify for watching traffic? (bridge? eth1? same or incoming & outgoing, or different)
When making mangle rules for outgoing traffic (ex http requests) I put 80 in destination port, correct? Does packet vs connection matter?
When making mangle rules for incoming traffic (ex http) I put 80 in source port, correct? Does packet vs connection matter?
And when talking outgoing vs incoming, which is the proper chain? Prerouting or postrouting?

Here are the mangle rules I've come up with so far (in plain English; highest, fast, regular, bulk are my QoS 'levels'), please advise if I'm completely messing up incoming vs outgoing, source vs destination, etc.:

Highest:
prerouting packet ICMP incoming
postrouting packet ICMP outgoing
postrouting packet dst-port 53 udp outgoing 1-1024 bytes
prerouting packet src-port 53 udp incoming 1-1024 bytes

Fast:
postrouting connection tcp dst-port 80, 443, 21 outgoing 1-5000000 bytes
prerouting connection tcp src-port 80, 443, 21 incoming 1-5000000 bytes
1 post & 1 for pre (rule here for mac address of voip adapter)

Regular:
postrouting connection tcp dst-port 80, 443, 21 outgoing 5000001-0 bytes
prerouting connection tcp src-port 80, 443, 21 incoming 5000001-0 bytes
Catch-all rule to be placed at bottom for all unmarked packets and connections

Bulk (torrents, only 1-sided due to random port use of outgoing connections and packets, and I cap connection and speeds at only part of connection already, just want QoS to schedule packets when needed):
prerouting packet udp dst-port 11911 incoming
prerouting connection tcp dst-port 11911 incoming

Thanks for any help you can give!
Last edited by brandonrossl on Wed Jan 25, 2012 2:49 pm, edited 1 time in total.
 
brandonrossl
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Jun 08, 2011 10:09 pm

Re: Mangle Basics

Wed Jan 25, 2012 1:51 am

Here's my current config for reference:
/interface bridge
add l2mtu=1522 name=bridge1

/interface ethernet
set 2 master-port=ether2

/interface wireless
set 0 antenna-gain=7 band=2ghz-b/g/n bridge-mode=disabled country=\
    "united states" disabled=no disconnect-timeout=5s distance=indoors \
    frequency=2452 frequency-mode=regulatory-domain ht-rxchains=0,1 \
    ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mc\
    s-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" ht-txchains=0,1 \
    hw-fragmentation-threshold=375 hw-retries=4 l2mtu=2290 mode=ap-bridge \
    periodic-calibration=disabled ssid="Pretty Fly For A Wifi" \
    wds-default-bridge=bridge1 wireless-protocol=802.11

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=XXXX wpa2-pre-shared-key=XXXX

/ip pool
add name=pool1 ranges=192.168.1.2-192.168.1.254

/ip dhcp-server
add address-pool=pool1 authoritative=yes disabled=no interface=bridge1 name=\
    server1

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1

/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=192.168.1.1/24 comment=LAN interface=bridge1

/ip dhcp-client
add disabled=no interface=ether1

/ip dhcp-server network
add address=192.168.1.0/24 comment=DHCP gateway=192.168.1.1

/ip dns
set allow-remote-requests=yes cache-size=1024KiB max-udp-packet-size=512 \
    servers=71.252.0.12,68.238.112.12

/ip firewall address-list
add address=192.168.1.0/24 comment=LAN list=local

/ip firewall connection tracking
set tcp-established-timeout=12h

/ip firewall filter
add chain=input comment="Local Access to RB for Winbox" dst-port=8291 \
    protocol=tcp src-address-list=local
add chain=input comment="Accept Established" connection-state=established
add chain=input comment="Accept related" connection-state=related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add chain=input comment=UDP protocol=udp
add chain=input comment="Internal traffic freedom" src-address-list=local
add chain=input comment="Allow limited ICMP" limit=10,2 protocol=icmp
add action=drop chain=input comment="Drop Excess ICMP" protocol=icmp
add action=drop chain=input comment="Drop other"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.1.0/24

/ip smb shares
set [ find default=yes ] directory=/pub

/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=no

/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge1 type=internal

/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set wlan1 queue=wireless-default

/system clock
set time-zone-name=EST

/system ntp client
set enabled=yes primary-ntp=64.236.96.53

/tool graphing interface
add interface=ether1 store-on-disk=no
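One thing in the export above is worth fixing before spending time on QoS. The rule `add chain=input comment=UDP protocol=udp` has no action, and a RouterOS filter rule's default action is accept, so it accepts any UDP from any source, and it sits above the `src-address-list=local` check. Combined with `/ip dns set allow-remote-requests=yes`, the router answers DNS queries that arrive on ether1, i.e. it is an open resolver on the internet. The posted `/ip upnp enabled=yes` likewise lets any LAN host open inbound ports on ether1 and is worth disabling if nothing needs it. As an added example (not the author's configuration), here is the same input chain with the blanket UDP accept narrowed to what the WAN side actually needs; the list name `local`, port 8291 and interface names are taken from the export, everything else is this example's choice:

```routeros
/ip firewall filter
# Added example: narrowed input chain. RouterOS evaluates top to bottom, first match wins,
# so the order below matters as much as the individual rules.
add chain=input comment="Winbox from LAN only" protocol=tcp dst-port=8291 \
    src-address-list=local
add chain=input comment="Accept established" connection-state=established
add chain=input comment="Accept related" connection-state=related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# WEAK (as posted): accepts every UDP datagram from everywhere, including DNS queries
# from the internet, which the resolver then answers because allow-remote-requests=yes.
#   add chain=input comment=UDP protocol=udp
# CORRECTED: the only unsolicited UDP the WAN side must deliver is the DHCP client's
# offers/acks (replies to the router's own NTP and DNS queries are already 'established').
add chain=input comment="DHCP client replies on WAN" in-interface=ether1 protocol=udp \
    dst-port=68
# DNS explicitly only from the LAN list; the next rule would admit it anyway, but an
# explicit rule keeps a separate hit counter for it.
add chain=input comment="DNS from LAN only" protocol=udp dst-port=53 \
    src-address-list=local
add chain=input comment="Internal traffic freedom" src-address-list=local
add chain=input comment="Allow limited ICMP" limit=10,2 protocol=icmp
add action=drop chain=input comment="Drop excess ICMP" protocol=icmp
# Everything else, including DNS and UPnP probes from ether1, ends here.
add action=drop chain=input comment="Drop other"
```

After applying it, `/ip firewall filter print stats` shows whether the "Drop other" counter is climbing from WAN-side DNS, and `/ip dns cache print` should stop filling with names no LAN host asked for.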
 
brandonrossl
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Jun 08, 2011 10:09 pm

Re: Mangle Marking for QoS

Thu Jan 26, 2012 2:56 pm

I think I've figured some of it out:
eth1 is my WAN so all rules have in-interface as eth1
For incoming traffic I would say prerouting, dst port, tcp, ports 80/8080/81/443, new connection mark 'name'
then after connections are marked I just make rules to mark the packets


correcto?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Mangle Marking for QoS

Fri Jan 27, 2012 8:49 am

brandonrossl wrote:
I think I've figured some of it out:
eth1 is my WAN so all rules have in-interface as eth1
For incoming traffic I would say prerouting, dst port, tcp, ports 80/8080/81/443, new connection mark 'name'
then after connections are marked I just make rules to mark the packets

correcto?

Yes, in general, that is how packet marking has to be done. You can check out tiktube.com for MUM videos about QoS.
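Putting the confirmed two-step approach into RouterOS syntax, as an added example that is not part of either post: each connection is classified once, on its first packet, and every later packet in both directions then inherits the class through its connection mark, which is why source vs destination port only has to be right for that first packet. One detail worth getting right: the first packet of an outbound web connection comes from the LAN side (in-interface=bridge1) with dst-port=80; the replies arriving on ether1 carry src-port=80, so a rule matching in-interface=ether1 with dst-port=80 would only catch connections opened from the internet towards a server behind the router. The classes, the 5 MB fast/regular threshold and port 11911 follow the first post's levels; bridge1 and ether1 are the names in the posted export; the mark names are this example's own. Packet marks are set per direction in the forward chain, which runs after dstnat, so download packets already carry the LAN destination address that a per-host PCQ classifier needs. Traffic the router originates itself (its own upstream DNS queries) goes through the output chain and is not covered here.

```routeros
/ip firewall mangle
# Step 1: classify each connection on its first packet. passthrough=yes lets the
# 5 MB demotion rule further down refine the mark. All mark names are example names.
add chain=prerouting comment="highest: ICMP (echo is connection-tracked too)" \
    connection-state=new protocol=icmp \
    action=mark-connection new-connection-mark=highest_conn passthrough=yes
add chain=prerouting comment="highest: DNS lookups from LAN" in-interface=bridge1 \
    connection-state=new protocol=udp dst-port=53 \
    action=mark-connection new-connection-mark=highest_conn passthrough=yes
add chain=prerouting comment="fast: web/ftp opened from LAN" in-interface=bridge1 \
    connection-state=new protocol=tcp dst-port=21,80,443 \
    action=mark-connection new-connection-mark=fast_conn passthrough=yes
# Re-evaluated on every packet: once a 'fast' connection has carried more than
# 5 MB it becomes 'regular'. In connection-bytes, an upper bound of 0 means no bound.
add chain=prerouting comment="fast -> regular after 5 MB" connection-mark=fast_conn \
    connection-bytes=5000000-0 \
    action=mark-connection new-connection-mark=regular_conn passthrough=yes
add chain=prerouting comment="bulk: torrent peers reaching 11911 (tcp)" \
    in-interface=ether1 connection-state=new protocol=tcp dst-port=11911 \
    action=mark-connection new-connection-mark=bulk_conn passthrough=yes
add chain=prerouting comment="bulk: torrent peers reaching 11911 (udp)" \
    in-interface=ether1 connection-state=new protocol=udp dst-port=11911 \
    action=mark-connection new-connection-mark=bulk_conn passthrough=yes
# Catch-all: a connection that matched nothing above is 'regular'.
add chain=prerouting comment="regular: everything else" connection-mark=no-mark \
    action=mark-connection new-connection-mark=regular_conn passthrough=yes

# Step 2: turn the connection mark into a per-direction packet mark. In the forward
# chain both interfaces are known: in-interface=ether1 is download, out-interface=ether1
# is upload. passthrough=no so each packet gets exactly one mark.
add chain=forward in-interface=ether1 connection-mark=highest_conn \
    action=mark-packet new-packet-mark=highest_down passthrough=no
add chain=forward out-interface=ether1 connection-mark=highest_conn \
    action=mark-packet new-packet-mark=highest_up passthrough=no
add chain=forward in-interface=ether1 connection-mark=fast_conn \
    action=mark-packet new-packet-mark=fast_down passthrough=no
add chain=forward out-interface=ether1 connection-mark=fast_conn \
    action=mark-packet new-packet-mark=fast_up passthrough=no
add chain=forward in-interface=ether1 connection-mark=regular_conn \
    action=mark-packet new-packet-mark=regular_down passthrough=no
add chain=forward out-interface=ether1 connection-mark=regular_conn \
    action=mark-packet new-packet-mark=regular_up passthrough=no
add chain=forward in-interface=ether1 connection-mark=bulk_conn \
    action=mark-packet new-packet-mark=bulk_down passthrough=no
add chain=forward out-interface=ether1 connection-mark=bulk_conn \
    action=mark-packet new-packet-mark=bulk_up passthrough=no
```

`/ip firewall mangle print stats` shows per-rule packet counters; if a class's forward rules stay at zero while its prerouting rule counts, the connection mark is being set but in the other direction than expected, which is the usual symptom of a swapped src-port/dst-port or in-interface.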
 
brandonrossl
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Jun 08, 2011 10:09 pm

Re: Mangle Marking for QoS

Fri Jan 27, 2012 3:45 pm

It seems to be working now (mangle itself). I still get some random packets unmarked but most of the actual traffic is caught before the catch-all rule at the bottom.

Basically I just want to prioritize traffic into type via mangle classification and have the router pick (PCQ) what happens first based on priority. So I just need 1 parent (with my connection speed input) and the 5 children (my traffic levels with no limit but priority marked) and it should do the rest? And since I'm doing NAT I have to mark packets after I mark connections:
One issue I have found is when doing this on a NAT router, you can not use connection marking for the PCQ tracking. PCQ applied to the out-interface can not see the NAT'ed address, so you have to apply PCQ to Global-out instead. This means you have to mark ingress and egress packets independently rather than marking the connection as a whole and letting the out-interface determine which is which.
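Answering the parent/children question in RouterOS syntax, as an added example that is not from the thread: one parent per direction carrying the only hard limit, and under each a child per class with no limit of its own, so the children share the parent's rate and only their priority (1 served first, 8 last) decides who waits when the link is full. Following the quoted note, both parents sit on global-out and the packet marks are per direction. The rates 20M down / 4M up are placeholders for the real FiOS plan, to be set a few percent below the contracted rate so this queue, and not the ISP's, is where packets pile up; the packet-mark names are hypothetical and must match whatever the mangle rules set. parent=global-out is the RouterOS v5 name used in the quoted text; RouterOS v6 merged global-in, global-out and global-total into parent=global.

```routeros
/queue type
# Per-host fairness inside a class: downloads are shared per LAN destination,
# uploads per LAN source. pcq-rate=0 means no per-host cap, only fair sharing.
add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=0
add name=pcq-up kind=pcq pcq-classifier=src-address pcq-rate=0

/queue tree
# Parents: placeholders, replace with the real link rate minus a few percent.
add name=down parent=global-out max-limit=20M
add name=up parent=global-out max-limit=4M
# Children: no max-limit of their own; priority alone orders them under a full parent.
add name=highest_down parent=down packet-mark=highest_down priority=1 queue=pcq-down
add name=fast_down parent=down packet-mark=fast_down priority=2 queue=pcq-down
add name=regular_down parent=down packet-mark=regular_down priority=4 queue=pcq-down
add name=bulk_down parent=down packet-mark=bulk_down priority=8 queue=pcq-down
add name=highest_up parent=up packet-mark=highest_up priority=1 queue=pcq-up
add name=fast_up parent=up packet-mark=fast_up priority=2 queue=pcq-up
add name=regular_up parent=up packet-mark=regular_up priority=4 queue=pcq-up
add name=bulk_up parent=up packet-mark=bulk_up priority=8 queue=pcq-up
```

`/queue tree print stats` shows bytes and packets per leaf; a leaf stuck at zero means its packet mark is never set in that direction, and a parent whose rate never reaches max-limit under load means the limit is set above the real link speed and the ISP, not the router, is doing the queuing. Adding limit-at to a child is the optional next step if one class should keep a guaranteed share rather than only a priority.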
