bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

QoS for ToS/DSCP - rule check and any suggestions.

Fri Jun 25, 2010 9:32 pm

Hi,

I've been playing with my router trying to figure out why my QoS setup isn't working, so I've gone back to the start and am trying a different move.
Please could someone check the following rules for me to see if they would give priority to VOIP (tos 184/DSCP 46) and also to the PBX server on 192.168.0.200.
Also, should the passthrough value be set to 'yes'?

Anything else should be set to low priority.
These rules are now old; please see post 2 - thank you.

/ip firewall mangle
add chain=forward src-address=192.168.0.100-192.168.0.110 action=mark-packet new-packet-mark=VoIP\
    passthrough=yes comment="VoIP" disabled=no

add chain=forward dst-address=192.168.0.100-192.168.0.110 action=mark-packet new-packet-mark=VoIP\
    passthrough=yes comment="VoIP" disabled=no

add chain=forward src-address=192.168.0.200 action=mark-packet new-packet-mark=VoIP\
    passthrough=yes comment="VoIP pbx" disabled=no

add chain=forward dst-address=192.168.0.200 action=mark-packet new-packet-mark=VoIP\
    passthrough=yes comment="VoIP pbx" disabled=no

add chain=forward tos=184 action=mark-packet new-packet-mark=VoIP passthrough=yes \
    comment="voip tos 184" disabled=no

add chain=forward dscp=26 action=mark-packet new-packet-mark=voip sip passthrough=yes

add chain=forward dscp=46 action=mark-packet new-packet-mark=voip rtp passthrough=yes





/ queue tree
add name="ether1_voip" parent=ether1 packet-mark=VOIP limit-at=0 queue=default priority=1 \
    max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ether3_voip" parent=ether3 packet-mark=VOIP limit-at=0 queue=default priority=1 \
    max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

add name="VOIP-SIP" interface=all packet-marks=voip sip priority=1

add name="VOIP-RTP" interface=all packet-marks=voip rtp priority=1

Last edited by bigguns on Fri Jun 25, 2010 9:59 pm, edited 1 time in total.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: QoS for ToS/DSCP - rule check and any suggestions.

Fri Jun 25, 2010 9:47 pm

Ok I've made more changes and included other important areas:

/ip firewall mangle

add chain=prerouting action=mark-packet new-packet-mark=http-total passthrough=yes protocol=tcp port=80 comment="HTTP Total"


add chain=prerouting action=mark-packet new-packet-mark=https-total passthrough=yes protocol=tcp port=443 comment="HTTPS Total"


add chain=prerouting action=mark-packet new-packet-mark=voip-sip-total passthrough=yes dscp=26 comment="VOIP SIP Total"


add chain=prerouting action=mark-packet new-packet-mark=icmp-total passthrough=yes protocol=icmp comment="ICMP Total"


add chain=prerouting action=mark-packet new-packet-mark=voip-rtp-total passthrough=yes dscp=46 comment="VOIP RTP Total"


add chain=prerouting action=mark-packet new-packet-mark=smtp-tx passthrough=yes protocol=tcp dst-port=25 comment="Email Out"


add chain=prerouting action=mark-packet new-packet-mark=pop3-rx passthrough=yes protocol=tcp src-port=110 comment="POP3 Email In"


add chain=prerouting action=mark-packet new-packet-mark=imap-rx passthrough=yes protocol=tcp src-port=143 comment="IMAP TCP Email In"


add chain=prerouting action=mark-packet new-packet-mark=imap-rx passthrough=yes protocol=udp src-port=143 comment="IMAP UDP Email In"


add chain=prerouting action=mark-packet new-packet-mark=imap-rx passthrough=yes protocol=tcp src-port=993 comment="IMAP SSL Email In"


add chain=prerouting action=mark-packet new-packet-mark=pop3-rx passthrough=yes protocol=tcp src-port=995 comment="POP3 TLS/SSL Email In"

add chain=prerouting action=mark-packet new-packet-mark=smtp-tx passthrough=yes protocol=tcp dst-port=465 comment="Email TLS/SSL Out"

add chain=prerouting tos=184 action=mark-packet new-packet-mark=voip-tos-total passthrough=yes comment="voip tos 184" disabled=no

/queue tree 

add name="Global_In" parent=global-in limit-at=0 priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

add name="pop3-rx" parent=Global_In packet-mark=pop3-rx limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

add name="imap-rx" parent=Global_In packet-mark=imap-rx limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

add name="Email_Out" parent=global-out packet-mark=smtp-tx limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

add name="Global_Total" parent=global-total packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

add name="voip-sip-total" parent=Global_Total packet-mark=voip-sip-total limit-at=0 queue=default priority=2 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

add name="voip-rtp-total" parent=Global_Total packet-mark=voip-rtp-total limit-at=0 queue=default priority=2 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

add name="icmp-total" parent=Global_Total packet-mark=icmp-total limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

add name="http-total" parent=Global_Total packet-mark=http-total limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

add name="https-total" parent=Global_Total packet-mark=https-total limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

add name="voip-tos-total" parent=Global_Total packet-mark=voip-tos-total limit-at=0 queue=default priority=2 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: QoS for ToS/DSCP - rule check and any suggestions.

Fri Jun 25, 2010 10:25 pm

You need to set max-limit - otherwise HTB will not work.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: QoS for ToS/DSCP - rule check and any suggestions.

Fri Jun 25, 2010 10:31 pm

OK, other than that, will the rules be good for VOIP?
Also, what I wasn't sure of is whether the PBX (3cx system) would be caught by these rules - if it's not, what is the best way of adding it in there using its IP address?
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: QoS for ToS/DSCP - rule check and any suggestions.

Fri Jun 25, 2010 10:50 pm

For VOIP, you'll need to use connection mark, when sip is detected - then mark packets based on connection mark.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: QoS for ToS/DSCP - rule check and any suggestions.

Fri Jun 25, 2010 11:06 pm

So the rules I made above won't do that but just in a different way?

Would this be:

add chain=prerouting tos=184 action=mark-packet new-packet-mark=voip-tos-total passthrough=yes comment="voip tos 184" disabled=no connection-mark=VOIP

add chain=prerouting action=mark-packet new-packet-mark=voip-rtp-total passthrough=yes dscp=46 comment="VOIP RTP Total" connection-mark=VOIP

add chain=prerouting action=mark-packet new-packet-mark=voip-sip-total passthrough=yes dscp=26 comment="VOIP SIP Total" connection-mark=VOIP
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: QoS for ToS/DSCP - rule check and any suggestions.

Sat Jun 26, 2010 1:23 am

Use connection tracking to make sure that all packets are marked. Connection mark persists for the duration of the connection, where packet mark does not. What you did will work as long as all VOIP packets have dscp marks.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: QoS for ToS/DSCP - rule check and any suggestions.

Sat Jun 26, 2010 12:27 pm

Ok now I've finished what I set out to do and it seems to be working fine. If anyone has any optimisation tips or anything to suggest that would be great:

=========================-------------------------------------===============================

/ip firewall filter 

add action=add-src-to-address-list address-list=VOIP_list \
    address-list-timeout=0s chain=forward comment="mark voip" \
    connection-type=sip disabled=no


/ip firewall mangle 

add action=mark-packet chain=prerouting comment="VOIP SIP port" disabled=no \
    new-packet-mark=voip-sip-total passthrough=yes port=5060 protocol=udp

add action=mark-packet chain=prerouting comment="VOIP SIP list" disabled=no \
    dst-address-list=VOIP_list new-packet-mark=voip-sip-total passthrough=\
    yes

add action=mark-packet chain=prerouting comment="VOIP SIP Total" disabled=\
    no dscp=26 new-packet-mark=voip-sip-total passthrough=yes

add action=mark-packet chain=prerouting comment="VOIP SIP Total pbx" \
    disabled=no new-packet-mark=voip-sip-total passthrough=yes src-address=\
    192.168.0.200

add action=mark-packet chain=prerouting comment="VOIP SIP Total pbx" \
    disabled=no new-packet-mark=voip-sip-total passthrough=yes src-address=\
    192.168.0.116

add action=mark-packet chain=prerouting comment="VOIP RTP Total" disabled=\
    no dscp=46 new-packet-mark=voip-rtp-total passthrough=yes

add action=mark-packet chain=prerouting comment="VOIP RTP Total pbx" \
    disabled=no new-packet-mark=voip-rtp-total passthrough=yes src-address=\
    192.168.0.200

add action=mark-packet chain=prerouting comment="HTTP Total" disabled=no \
    new-packet-mark=http-total passthrough=yes port=80 protocol=tcp

add action=mark-packet chain=prerouting comment="HTTPS Total" disabled=no \
    new-packet-mark=https-total passthrough=yes port=443 protocol=tcp

add action=mark-packet chain=prerouting comment="ICMP Total" disabled=no \
    new-packet-mark=icmp-total passthrough=yes protocol=icmp

add action=mark-packet chain=prerouting comment="Email Out" disabled=no \
    dst-port=25 new-packet-mark=smtp-tx passthrough=yes protocol=tcp

add action=mark-packet chain=prerouting comment="POP3 Email In" disabled=no \
    new-packet-mark=pop3-rx passthrough=yes protocol=tcp src-port=110

add action=mark-packet chain=prerouting comment="IMAP TCP Email In" \
    disabled=no new-packet-mark=imap-rx passthrough=yes protocol=tcp \
    src-port=143

add action=mark-packet chain=prerouting comment="IMAP UDP Email In" \
    disabled=no new-packet-mark=imap-rx passthrough=yes protocol=udp \
    src-port=143

add action=mark-packet chain=prerouting comment="IMAP SSL Email In" \
    disabled=no new-packet-mark=imap-rx passthrough=yes protocol=tcp \
    src-port=993

add action=mark-packet chain=prerouting comment="POP3 TLS/SSL Email In" \
    disabled=no new-packet-mark=pop3-rx passthrough=yes protocol=tcp \
    src-port=995

add action=mark-packet chain=prerouting comment="Email TLS/SSL Out" \
    disabled=no dst-port=465 new-packet-mark=smtp-tx passthrough=yes \
    protocol=tcp

add action=mark-packet chain=prerouting comment="Other packets" disabled=\
    yes new-packet-mark=other packet-mark=no-mark passthrough=yes


/queue tree

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=Global_In parent=global-in priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=pop3-rx packet-mark=pop3-rx parent=Global_In priority=\
    1 queue=default

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=imap-rx packet-mark=imap-rx parent=Global_In priority=\
    1 queue=default

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=Email_Out packet-mark=smtp-tx parent=global-out \
    priority=1 queue=default

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=Global_Total parent=global-total priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=250k \
    max-limit=10M name=voip-sip-total packet-mark=voip-sip-total parent=\
    Global_Total priority=1 queue=default

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=250k \
    max-limit=10M name=voip-rtp-total packet-mark=voip-rtp-total parent=\
    Global_Total priority=1 queue=default

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=100k \
    max-limit=10M name=icmp-total packet-mark=icmp-total parent=\
    Global_Total priority=1 queue=default

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500k \
    max-limit=10M name=http-total packet-mark=http-total parent=\
    Global_Total priority=3 queue=default

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=250k \
    max-limit=10M name=https-total packet-mark=https-total parent=\
    Global_Total priority=3 queue=default

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=100k \
    max-limit=10M name=other packet-mark=no-mark parent=Global_Total \
    priority=8 queue=default



 
robertfranz
newbie
Posts: 37
Joined: Tue Apr 21, 2009 3:30 am

Re: QoS for ToS/DSCP - rule check and any suggestions.

Sat Jun 26, 2010 4:06 pm

If I'm reading this wrong, I apologize, but it looks like you're trying to mark all packets.

That's pretty resource intensive, and the reason for using connection marking.

I was doing this on my edge routers, and it was ok.
When I tried this on my core router, I saw my cpu load jump from a few percent to about 15% instantly.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: QoS for ToS/DSCP - rule check and any suggestions.

Sat Jun 26, 2010 4:20 pm

Hi there,
Yes, that is right. It's marking all packets and therefore giving them a fixed ranking.
At the moment the load is around 5% on an rb800, so I guess that's acceptable.

I was finding that certain packets of VoIP-related activity were being picked up in my non-mark group, and this was causing spikes.

At full load on these rules I'm finding that there is a time lag on the external side. Audio coming in to the PBX is perfect.
Any suggestions on how to fix this?
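
An added example, not part of any post in this thread: a small Python check over a RouterOS export that flags queue-tree entries left at max-limit=0 (rmichael's point about HTB), queues whose packet-mark no mangle rule sets, and tos/dscp rules that match the same packets under different marks (DSCP is the ToS byte shifted right by two, so tos=184 is dscp=46). The sample rules are constructed, the function names are hypothetical, and comparing mark names as exact, case-sensitive strings is an assumption of the check.

```python
import re

# Constructed sample modelled on the thread's rules; not a verbatim copy.
SAMPLE = r'''
/ip firewall mangle
add chain=forward tos=184 action=mark-packet new-packet-mark=VoIP passthrough=yes \
    comment="voip tos 184"
add chain=forward dscp=46 action=mark-packet new-packet-mark=voip-rtp passthrough=yes
/ queue tree
add name="ether1_voip" parent=ether1 packet-mark=VOIP priority=1 max-limit=0
add name="rtp" parent=ether1 packet-mark=voip-rtp priority=1 max-limit=10M
'''

def parse_export(text):
    """Return [(menu, {key: value})] for each 'add' line of a RouterOS export."""
    text = re.sub(r'\\[ \t]*\n[ \t]*', '', text)   # join backslash continuations
    menu, out = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith('/'):
            menu = ' '.join(line[1:].split())       # "/ queue tree" -> "queue tree"
        elif line.startswith('add '):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
            out.append((menu, {k: v.strip('"') for k, v in pairs}))
    return out

def lint(text):
    """Flag ToS/DSCP overlaps, marks no rule sets, and queues with max-limit=0."""
    rules = parse_export(text)
    mangle = [r for m, r in rules if m == 'ip firewall mangle']
    queues = [r for m, r in rules if m == 'queue tree']
    defined = {r.get('new-packet-mark') for r in mangle} | {'no-mark'}
    findings, seen = [], {}
    for r in mangle:
        # DSCP is the upper six bits of the ToS byte: tos=184 and dscp=46 match alike.
        mark = r.get('new-packet-mark')
        d = int(r['tos']) >> 2 if 'tos' in r else int(r.get('dscp', -1))
        if d >= 0 and seen.setdefault(d, mark) != mark:
            findings.append(f"dscp {d}: marks {seen[d]!r} and {mark!r} overlap")
    for q in queues:
        mark = q.get('packet-mark', '')
        if mark and mark not in defined:            # exact, case-sensitive compare
            findings.append(f"queue {q['name']}: no mangle rule sets mark {mark!r}")
        if q.get('max-limit', '0') == '0':
            findings.append(f"queue {q['name']}: max-limit is 0")
    return findings

if __name__ == '__main__':
    print('\n'.join(lint(SAMPLE)))
```

Run against a saved `/export` file by passing its text to `lint()`; an empty list means none of the three conditions were found.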
