marekm
Member Candidate
Topic Author
Posts: 231
Joined: Tue Feb 01, 2011 11:27 pm

Traffic shaping on specific VLAN by packets per second

Fri Jun 26, 2020 2:14 pm

In a common wireless CPE setup using the new bridge implementation with VLAN filtering, wlan1 (station-bridge) is bridged with ether1.
There are two separate VLANs for management and data.
wlan1 is a trunk port with both VLANs tagged, ether1 is an access port (only untagged data VLAN) where customer has their PPPoE client.
DHCP client is running on bridge management VLAN, for management access to the device itself.
Until now, it's easy (wlan1 station-bridge config omitted for clarity, data VLAN 1001 and mgmt VLAN 1002 in this example):
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan-mgmt vlan-id=1002
/interface bridge port
add bridge=bridge1 broadcast-flood=no frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether1 pvid=1001 \
    unknown-multicast-flood=no unknown-unicast-flood=no
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan1
/interface bridge vlan
add bridge=bridge1 tagged=wlan1 untagged=ether1 vlan-ids=1001
add bridge=bridge1 tagged=wlan1,bridge1 vlan-ids=1002
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=vlan-mgmt
Also, unknown-unicast flood is disabled as it is the PPPoE client that sends something first so the bridge can learn its MAC address.
But, I'd like to add a traffic shaper to limit upload before it overloads the wireless network (download is shaped from the other end). And, it's high pps that kills wireless much more so than high Mbps.
So, I'd like to shape traffic going out on wlan1, only data VLAN, to 1000pps. This is about 12 Mbps in full-sized frames, and proportionally less in smaller ones.
Data traffic to be bridged is PPPoE, the shaper should be transparent and pass anything equally without looking at any IPs etc. (in the data VLAN only, not affecting management).
This way the device is always accessible for management even if the data VLAN shaper is completely saturated. Any suggestions how to do this?
Another thing I'd like to implement - not yet possible, or am I wrong? - is to limit ether1 bridge port to learn just a single MAC address (any single one, without specifying it).
 
sindy
Forum Guru
Posts: 5383
Joined: Mon Dec 04, 2017 9:19 pm

Re: Traffic shaping on specific VLAN by packets per second

Fri Jun 26, 2020 5:25 pm

So, I'd like to shape traffic going out on wlan1, only data VLAN, to 1000pps.
Queues do not understand PPS for sure, so the only way to control PPS is via the limit matcher in /ip firewall, which requires a change of /interface bridge settings - use-ip-firewall-for-vlan, and probably also use-ip-firewall, have to be set to yes. An action=drop rule in /ip firewall filter matching limit=!1000,0:packet ...some selection criteria... might do the trick; however, as you want to drop by VLAN, you'll probably have to assign a packet-mark in /interface bridge filter based on VLAN ID, and let the filter drop rule match on that packet-mark value.

But using IP firewall for bridged traffic has quite some side effects, so you may expect surprises if the same machine does e.g. NAT.

Other than that, if you don't discriminate between packet types, you may end up with PPPoE disconnections if the keepalives don't get through for long enough. No idea how to recognize a PPP keepalive in a PPPoE flow except by packet-size, though.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
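A worked configuration of the approach sindy outlines, added here as an example and not taken from any post in the thread. It uses the interface and VLAN numbers from the first post; the packet-mark name "data-vlan" and the burst value of 10 packets are my own choices, and the bridge-filter match on ether1 -> wlan1 stands in for a VLAN-ID match because ether1 only admits untagged frames with pvid=1001.

```routeros
# Added example, not from the thread: mark data-VLAN upload in the bridge
# firewall, then rate-limit it by packets per second in the IP firewall.

# 1. Let bridged (and VLAN-tagged bridged) traffic pass through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# 2. Mark customer upload in the bridge firewall. ether1 is the access port
#    with pvid=1001, so anything going ether1 -> wlan1 is the data VLAN by
#    construction; management traffic (VLAN 1002) terminates on the bridge
#    interface itself and never matches this rule.
#    "data-vlan" is an assumed mark name.
/interface bridge filter
add chain=forward in-interface=ether1 out-interface=wlan1 \
    action=mark-packet new-packet-mark=data-vlan \
    comment="data VLAN upload (1001)"

# 3. Accept up to 1000 packets per second of marked traffic, drop the rest.
#    Rule order matters: the accept rule must sit above the drop rule.
#    The burst of 10 packets is an assumed value.
/ip firewall filter
add chain=forward packet-mark=data-vlan limit=1000/1s,10:packet \
    action=accept comment="data VLAN upload within 1000 pps"
add chain=forward packet-mark=data-vlan action=drop \
    comment="data VLAN upload above 1000 pps"

# 4. Verify before relying on it: generate customer traffic and confirm the
#    counters move. If they stay at zero, the bridged frames are not reaching
#    these rules and the limit is not being applied to them.
/ip firewall filter print stats where comment~"data VLAN"
```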
 
marekm
Member Candidate
Topic Author
Posts: 231
Joined: Tue Feb 01, 2011 11:27 pm

Re: Traffic shaping on specific VLAN by packets per second

Fri Jun 26, 2020 6:15 pm

Linux HTB has had "mpu" and "overhead" parameters for quite a while, perhaps they wouldn't be that hard to support in RouterOS. I want to shape - queue excess traffic to smooth it out, not drop it immediately but only after the queue is full. Well-behaved TCP connections will see small packet loss as congestion and slow down, letting some LCP Echo through (to disconnect, several in a row have to be lost). PPPoE LCP could also be given better VLAN CoS than ordinary data. For any DDoS like a full 100 Mb/s of UDP unresponsive to any shaping, disconnecting is actually a good thing as it protects the network and the rest of the Internet. It's all layer 2 stuff, is the complexity of IP firewall really necessary here? (The device doesn't need to do anything else - it's just a bridge, NAT is done by the customer's own router.)
 
sindy
Forum Guru
Posts: 5383
Joined: Mon Dec 04, 2017 9:19 pm

Re: Traffic shaping on specific VLAN by packets per second

Fri Jun 26, 2020 6:38 pm

perhaps they wouldn't be that hard to support in RouterOS.
Implementation of any feature requests takes ages, so if you need it now, don't rely on anything to get implemented.

I want to shape - queue excess traffic to smooth it out, not drop it immediately but only after queue is full.
You can look at the limit counters as a kind of a queue - when 1000 packets/s are exceeded, the rest won't get through until the next second window opens. Releasing packets from the actual queue based on PPS (which would do your smoothing job) is currently not possible.

It's all layer 2 stuff, is the complexity of IP firewall really necessary here?
Unfortunately, no other place to handle PPS is currently available. So the power (accompanied by complexity) of IP firewall is what you have to use to get close to your requirement.