Anyone know how to properly do a QoS tree with IPIP tunnels? I have no problem setting up the tree for the IPIP interface but I have a feeling that does nothing for traffic leaving the regular WAN interface.
I want to QoS my voip traffic that leaves out an IPIP tunnel, but if I qos the WAN interface (the same interface as the IPIP tunnel leaves) the traffic in the IPIP tunnel doesnt get any QoS.
Re: QoS with IPIP tunnel
This is normal. There are two tips for this to work.
1) You need to put your root queue inside Global Out.
Then you need to mark each trafic through mangle rules by interface.
2) The tunnel trafic is not in forwarding, but in output. You need to mark it in output mangle.
Then you can apply QOS by chield queues in the tree using your marks.
Clearly this is not something for beginners if you need to do it cleanly, but after some research and thinking, it works flawlessly.
All my tunnels (PPTP) are QOS managed, so i can define each tunnel max bandwith and a global max bandwith for all tunnels. Last, i've set DSCP marking, to give priority to VoIP packets and management packets inside the tunnels.
This is a lot of administration work as soon as you have more than a few tunnels and different trafics to mark. You can use custom chains in mangle to simplify things.
Don't forget that you need to do that at each side of the tunnels for the outbound trafic. Inbound QOS almost never works correctly, and never work at all for UDP.
Hope this will help.
1) You need to put your root queue inside Global Out.
Then you need to mark each trafic through mangle rules by interface.
2) The tunnel trafic is not in forwarding, but in output. You need to mark it in output mangle.
Then you can apply QOS by chield queues in the tree using your marks.
Clearly this is not something for beginners if you need to do it cleanly, but after some research and thinking, it works flawlessly.
All my tunnels (PPTP) are QOS managed, so i can define each tunnel max bandwith and a global max bandwith for all tunnels. Last, i've set DSCP marking, to give priority to VoIP packets and management packets inside the tunnels.
This is a lot of administration work as soon as you have more than a few tunnels and different trafics to mark. You can use custom chains in mangle to simplify things.
Don't forget that you need to do that at each side of the tunnels for the outbound trafic. Inbound QOS almost never works correctly, and never work at all for UDP.
Hope this will help.
-
-
Inssomniak
Member
- Posts: 332
- Joined:
Re: QoS with IPIP tunnel
I realized about the global-out.
I have only one tunnel from each router, and Im marking DSCP 0, 46 and 48 in postrouting chain. I only care about making sure DSCP 46 is prioritized to leave the router before DSCP 0.
I created a tree with root as global-out, and then the child queues prioritizing the DSCPs.
Packets also arriving to the router with DSCPs are getting marked, so for example I have a voip conversation going on 80k in each direction, the queue shows 160kbit of traffic, I guess for traffic entering from the tunnel and leaving on the LAN and also traffic entering on the LAN and leaving on the tunnel.
I have only one tunnel from each router, and Im marking DSCP 0, 46 and 48 in postrouting chain. I only care about making sure DSCP 46 is prioritized to leave the router before DSCP 0.
I created a tree with root as global-out, and then the child queues prioritizing the DSCPs.
Packets also arriving to the router with DSCPs are getting marked, so for example I have a voip conversation going on 80k in each direction, the queue shows 160kbit of traffic, I guess for traffic entering from the tunnel and leaving on the LAN and also traffic entering on the LAN and leaving on the tunnel.
Re: QoS with IPIP tunnel
You need to better define you marking.
You should get only 80k in the queue. Select the trafic not only by DSCP but by out interface as well in forward mangle.
The best is to create a mangle forward rule with an output interface matcher jumping to a custom chain where you can filter by DSCP (DSCP = 46 for the first rule of this chain, DSCP != 46 for the second one).
I made an error in my previous post. You don't need to use output mangle rules. Output mangle rules is for marking PPTP control packet (TCP port 1723). But for IPIP i think there is no control packet to mark.
You will need mangle rules as well to mark your non tunnelled trafic, so that you can include it in the queue tree to get the right balance between tunnels bandwith and non tunneled bandwith.
In the queue tree you should have :
You need a marking for each queue level except for the root. The order of rules for marking in mangle is very important. You need to catch first the more precise rules.
As i said it's not a trivial admin task.
You should get only 80k in the queue. Select the trafic not only by DSCP but by out interface as well in forward mangle.
The best is to create a mangle forward rule with an output interface matcher jumping to a custom chain where you can filter by DSCP (DSCP = 46 for the first rule of this chain, DSCP != 46 for the second one).
I made an error in my previous post. You don't need to use output mangle rules. Output mangle rules is for marking PPTP control packet (TCP port 1723). But for IPIP i think there is no control packet to mark.
You will need mangle rules as well to mark your non tunnelled trafic, so that you can include it in the queue tree to get the right balance between tunnels bandwith and non tunneled bandwith.
In the queue tree you should have :
Code: Select all
Main queue (parent = global out)
Wan trafic DSCP46 queue (parent = Main)
Wan trafic other trafic queue (parent = Main)
Tunnel Queue (parent = Main)
Tunnel Queue DSCP46 (parent = Tunnel Queue)
Tunnel Queue other trafic (parent = Tunnel Queue)
As i said it's not a trivial admin task.
-
-
Inssomniak
Member
- Posts: 332
- Joined:
Re: QoS with IPIP tunnel
I am trying as you suggest and the marking is working properly (packets are getting marked at a rate of 80kb per sec) but as soon as I try to use that mark in a queue it always shows 4 times as fast traffic amount. I cant figure out whats goin on.
Re: QoS with IPIP tunnel
This is because your marking rules are wrong.
You need to mark each trafic so that it does not go inside another queue.
You can't use in this context a queue with "no mark". Absolutly all trafic must receive a specific mark.
The only queue without Packets mark selector must be the root queue
You need to mark each trafic so that it does not go inside another queue.
You can't use in this context a queue with "no mark". Absolutly all trafic must receive a specific mark.
The only queue without Packets mark selector must be the root queue
-
-
Inssomniak
Member
- Posts: 332
- Joined:
Re: QoS with IPIP tunnel
This is what I have come up with so far.
So What I think Im doing is jumping to a chain from the forward chain based on the output interface.
Then marking that traffic in the new chain, voip, network and everything else.
Code: Select all
# jan/11/2011 12:17:59 by RouterOS 5.0rc5
# software id = DZX8-NDHL
#
/ip firewall mangle
add action=jump chain=forward disabled=no jump-target="Traffic To Toronto" \
out-interface="IPIP To Toronto"
add action=jump chain=forward disabled=no jump-target="Traffic To WAN" \
out-interface="To Internet Gateway"
add action=mark-packet chain="Traffic To Toronto" comment=48 disabled=no \
dscp=48 new-packet-mark=dscp_48-Tunnel passthrough=no
add action=mark-packet chain="Traffic To Toronto" comment=46 disabled=no \
dscp=46 new-packet-mark=dscp_46-Tunnel passthrough=no
add action=mark-packet chain="Traffic To Toronto" comment=0 disabled=no dscp=\
0 new-packet-mark=dscp_0-Tunnel passthrough=no
add action=mark-packet chain="Traffic To WAN" comment=48 disabled=no dscp=48 \
new-packet-mark=dscp_48-WAN passthrough=no
add action=mark-packet chain="Traffic To WAN" comment=46 disabled=no dscp=46 \
new-packet-mark=dscp_46-WAN passthrough=no
add action=mark-packet chain="Traffic To WAN" comment=0 disabled=no dscp=0 \
new-packet-mark=dscp_0-WAN passthrough=no
Code: Select all
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=Main parent=global-out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="WAN DSCP 46" packet-mark=dscp_46-WAN parent=Main \
priority=4 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="WAN DSCP 48" packet-mark=dscp_48-WAN parent=Main \
priority=5 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="WAN DSCP 0" packet-mark=dscp_0-WAN parent=Main \
priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="Tunnel Queue" packet-mark="" parent=Main priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="Tunnel DSCP 0" packet-mark=dscp_0-Tunnel parent=\
"Tunnel Queue" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="Tunnel DSCP 46" packet-mark=dscp_46-Tunnel parent=\
"Tunnel Queue" priority=3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="Tunnel DSCP 48" packet-mark=dscp_48-Tunnel parent=\
"Tunnel Queue" priority=2 queue=default
Then marking that traffic in the new chain, voip, network and everything else.
Re: QoS with IPIP tunnel
humm this should works.
Verify that passthrough=no for the first two mangle rules and upgrade to RC6 minimum. I think there was a problem with RC5 and queues.
I'm not sure that DSCP = 0 is a working filter. I didn't tried this. Just use a catch all rule for the last rule of your custom chains. It's enough because priority trafic has been catched before.
Verify that passthrough=no for the first two mangle rules and upgrade to RC6 minimum. I think there was a problem with RC5 and queues.
I'm not sure that DSCP = 0 is a working filter. I didn't tried this. Just use a catch all rule for the last rule of your custom chains. It's enough because priority trafic has been catched before.
Re: QoS with IPIP tunnel
What do you mean by 4 times faster ?
Wich value do you have for bytes and packet number ? Do you get 4 times those value in the queue compared to corresponding mangle rule ?
Verify that rule
Is in first position.
Then try with a PPTP tunnel. This is working for me with PPTP tunnels. I never tried with IPIP.
Wich router hardware is it ?
Wich value do you have for bytes and packet number ? Do you get 4 times those value in the queue compared to corresponding mangle rule ?
Verify that rule
Code: Select all
add action=jump chain=forward disabled=no jump-target="Traffic To Toronto" \
out-interface="IPIP To Toronto"Then try with a PPTP tunnel. This is working for me with PPTP tunnels. I never tried with IPIP.
Wich router hardware is it ?
Who is online
Users browsing this forum: fadelliz78 and 103 guests