I am using Mikrotik in a SOHO environment with ADSL. I wish to implement QoS in such a way that uploads and downloads are simply prioritised. I do not need any rate limiting (at the moment). I only wish to prioritize traffic in such a manner:
Priority
1 : ssh (for me to remotely access home systems from abroad)
2 : games (for lowest latency when playing online games)
3 : http, etc etc
4 : bulk traffic (eg, torrents & p2p)
I have already set this up (please see config posted further down) but I want to verify that my configuration is achieving my desired result. My question (I believe) revolves around the purpose of the different routing chains and how they play a role in QoS and prioritisation.
NAT configuration:

```
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NAT rule to redirect port 80 requests to local proxy server
chain=dstnat action=redirect to-ports=8080 protocol=tcp in-interface=LAN <-> Billion 8-port 1Gbit switch dst-port=80
1 ;;; SSH
chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=1337 protocol=tcp dst-port=1337
2 ;;; bittorrent
chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=7000-7010 protocol=tcp dst-port=7000-7010
3 ;;; bittorrent
chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=7000-7010 protocol=udp dst-port=7000-7010
4 ;;; Clients -> Internet
chain=srcnat action=masquerade out-interface=iinet
```

```
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; allow connections to transparent proxy
chain=input action=accept protocol=tcp in-interface=LAN <-> Billion 8-port 1Gbit switch dst-port=8080
1 ;;; allow ssh
chain=forward action=accept protocol=tcp dst-port=1337
2 ;;; allow ssl
chain=forward action=accept protocol=tcp src-port=443
3 ;;; Accept established connections
chain=input action=accept connection-state=established
4 ;;; Accept related connections
chain=input action=accept connection-state=related
5 ;;; UDP
chain=input action=accept protocol=udp
6 ;;; Allow limited pings
chain=input action=accept protocol=icmp in-interface=iinet limit=50/5s,2
7 ;;; winbox
chain=input action=accept protocol=tcp in-interface=LAN <-> Billion 8-port 1Gbit switch dst-port=8291
8 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid
9 ;;; Drop excess pings
chain=input action=drop protocol=icmp
10 X ;;; Log of dropped packets
chain=input action=log log-prefix="DROPPED PACKETS"
11 ;;; Log of dropped packets
chain=input action=drop in-interface=iinet
```

```
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; accept proxy - no limits
chain=output action=accept dscp=4
1 ;;; Battlefield 3 TCP
chain=forward action=mark-connection new-connection-mark=bf3-tcp passthrough=yes protocol=tcp src-address=192.168.1.0/24 dst-port=9988,20000-20100,22990,17502,42127 connection-mark=bf3-tcp
2 chain=prerouting action=mark-packet new-packet-mark=bf3-tcp passthrough=no connection-mark=bf3-tcp
3 ;;; Battlefield 3 UDP
chain=forward action=mark-packet new-packet-mark=bf3-udp passthrough=yes protocol=udp src-address=192.168.1.0/24 dst-port=3659,14000-14016,22990-23006,25200-25300
4 ;;; steam tcp
chain=prerouting action=mark-connection new-connection-mark=steam-tcp passthrough=yes protocol=tcp src-port=27014-27050
5 chain=prerouting action=mark-packet new-packet-mark=steam-tcp passthrough=yes connection-mark=steam-tcp
6 ;;; steam udp
chain=prerouting action=mark-packet new-packet-mark=steam-udp passthrough=no protocol=udp src-address=192.168.1.0/24 dst-port=27000-27030,4380,3478,4379,4380,1500,3005,3101,28960
7 X ;;; built-in P2P mark
chain=forward action=mark-packet new-packet-mark=p2p passthrough=yes p2p=all-p2p
8 ;;; deluge
chain=prerouting action=mark-connection new-connection-mark=bittorrent passthrough=yes protocol=tcp src-address=192.168.1.50 src-port=7000-7010
9 chain=prerouting action=mark-packet new-packet-mark=bittorrent_packet passthrough=no connection-mark=bittorrent
10 chain=prerouting action=mark-packet new-packet-mark=bittorrent_packet passthrough=yes dscp=2
11 ;;; ssh to outside internet
chain=prerouting action=mark-connection new-connection-mark=ssh_out_conn passthrough=yes protocol=tcp src-address=192.168.1.0/24 in-interface=LAN <-> Billion 8-port 1Gbit switch src-port=1337
12 chain=prerouting action=mark-packet new-packet-mark=ssh_out_packet passthrough=no connection-mark=ssh_out_conn
13 ;;; ssh from outside internet
chain=prerouting action=mark-connection new-connection-mark=ssh_in_conn passthrough=yes protocol=tcp in-interface=iinet dst-port=1337
14 chain=prerouting action=mark-packet new-packet-mark=ssh_in_packet passthrough=yes connection-mark=ssh_in_conn
15 ;;; http outgoing
chain=output action=mark-connection new-connection-mark=http_conn_out passthrough=yes protocol=tcp src-address=192.168.1.0/24 out-interface=iinet dst-port=80
16 chain=output action=mark-packet new-packet-mark=http_out_packet passthrough=no connection-mark=http_conn_in
17 ;;; http incoming
chain=prerouting action=mark-connection new-connection-mark=http_conn_in passthrough=yes protocol=tcp in-interface=iinet src-port=80
18 chain=prerouting action=mark-packet new-packet-mark=http_in_packet passthrough=no connection-mark=http_conn_in
19 ;;; all other traffic from htpc
chain=prerouting action=mark-packet new-packet-mark=htpc_packet passthrough=no protocol=tcp src-address=192.168.1.50 src-port=!1337
```

```
Flags: X - disabled, I - invalid
0 name="internet" parent=iinet limit-at=0 priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
1 name="games" parent=internet packet-mark=bf3-udp,bf3-tcp,steam-tcp,steam-udp limit-at=0 queue=default priority=2 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
2 name="http etc" parent=internet packet-mark=http_out_packet,http_in_packet limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
3 name="bulk" parent=internet packet-mark=p2p,htpc_packet limit-at=0 queue=default priority=4 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
4 name="remote access" parent=internet packet-mark=ssh_in_packet,ssh_out_packet limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
```
It seems like a silly question to me, as the packet flow diagram clearly states "input interface" at one end and "output interface" at the other, so the diagram must be "two way", i.e. the same for output to WAN and input from WAN, right?
Just want to confirm my configuration makes sense and is actually doing what I want it to do.
Thanks
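An added example, not part of the post and not RouterOS code: a small Python model of which mangle chains a packet passes through and which queue-tree parent can act on it, using the post's interface names and three of its mark rules collapsed to chain plus interface matchers (address, port and connection-mark matchers are deliberately left out). It assumes the RouterOS packet-flow rule that a queue tree whose parent is an interface only shapes packets leaving that interface.

```python
"""Model of the RouterOS mangle chains and queue-tree parents a packet meets."""
from dataclasses import dataclass
from typing import List, Optional

WAN = "iinet"                                # WAN interface name from the post
LAN = "LAN <-> Billion 8-port 1Gbit switch"  # LAN interface name from the post


@dataclass(frozen=True)
class Packet:
    in_iface: Optional[str]   # None: generated by the router itself (e.g. its web proxy)
    out_iface: Optional[str]  # None: addressed to the router itself (winbox, proxy port)


@dataclass(frozen=True)
class MangleRule:
    chain: str
    new_packet_mark: str
    in_iface: Optional[str] = None   # None = "any", like an omitted in-interface=
    out_iface: Optional[str] = None  # None = "any", like an omitted out-interface=


def mangle_chains(p: Packet) -> List[str]:
    """Mangle chains a packet traverses, following the RouterOS packet-flow diagram."""
    if p.in_iface is None:
        return ["output", "postrouting"]                # router-originated
    if p.out_iface is None:
        return ["prerouting", "input"]                  # router-destined
    return ["prerouting", "forward", "postrouting"]    # routed between interfaces


def packet_marks(p: Packet, rules: List[MangleRule]) -> List[str]:
    """Marks a packet can receive: the rule's chain must lie on the packet's
    path and its interface matchers must fit (passthrough is not modelled)."""
    return [r.new_packet_mark for r in rules
            if r.chain in mangle_chains(p)
            and r.in_iface in (None, p.in_iface)
            and r.out_iface in (None, p.out_iface)]


def queued_marks(p: Packet, rules: List[MangleRule], parent: str) -> List[str]:
    """Marks a queue tree with parent=<interface> can act on: such a tree only
    shapes packets leaving that interface, so the egress interface must match."""
    return packet_marks(p, rules) if p.out_iface == parent else []


# Rules 13/14, 15/16 and 17/18 of the post, each pair reduced to the chain and
# interface matcher of its connection-mark rule (a simplification of this model).
RULES = [
    MangleRule("prerouting", "ssh_in_packet", in_iface=WAN),
    MangleRule("output", "http_out_packet", out_iface=WAN),
    MangleRule("prerouting", "http_in_packet", in_iface=WAN),
]

DOWNLOAD = Packet(WAN, LAN)    # constructed: a reply from the Internet to a LAN host
UPLOAD = Packet(LAN, WAN)      # constructed: a LAN host's packet leaving via ADSL
PROXY_OUT = Packet(None, WAN)  # constructed: the router's own proxy fetching a page
```

Running the model on the post's queue tree (parent=iinet) shows it only ever sees packets whose egress interface is iinet, so marks set on downloads are never queued there.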