djhurt1
just joined
Topic Author
Posts: 7
Joined: Wed Mar 29, 2006 10:38 pm

transparent traffic shaper

Sun Apr 02, 2006 8:03 am

I've gone through the "how-to" on the MT home page for the transparent traffic shaper and it worked on 2.9.9. I've upgraded to 2.9.18 and now the "/interface bridge port set ext,int bridge=bridge" command says invalid item number. I've tried using the item numbers in place and nothing seems to work. Any ideas?
Aaron
 
yancho
Member Candidate
Posts: 205
Joined: Tue Jun 01, 2004 3:04 pm
Location: LV

Sun Apr 02, 2006 11:14 am

1. Create bridge
/interface bridge add name=bridge
2. Add interfaces to the bridge; ether1 and ether2 are interface names
/interface bridge port add ether1 bridge=bridge
/interface bridge port add ether2 bridge=bridge
The manual and how-to are outdated :cry:
 
djhurt1
just joined
Topic Author
Posts: 7
Joined: Wed Mar 29, 2006 10:38 pm

renamed interfaces?

Mon Apr 03, 2006 8:43 pm

No, this still doesn't work. I renamed the interfaces to public, private respectively. I changed the names back to default and still no go.
 
gottin
Frequent Visitor
Posts: 62
Joined: Fri Feb 25, 2005 8:33 am
Location: Bulgaria

Mon Apr 03, 2006 8:56 pm

I have the same problem on 2.9.6 version.

I have done a lot of shapes on non bridge interfaces and they work fine. However when marking traffic in/out of interface (that is specified to be a bridge port) that traffic is not going into any queue. I tried to use "/queue simple" as explained in howto as well as "/queue tree" queues - No results.

Is there something specific that should be done when shaping traffic on bridge interfaces?
 
djhurt1
just joined
Topic Author
Posts: 7
Joined: Wed Mar 29, 2006 10:38 pm

Mon Apr 03, 2006 10:48 pm

I think I found a solution at least to my problem. When adding interfaces to the bridge, I had to type the "set" command by itself and follow the prompts it provided. I couldn't do it as one whole command line format.
Aaron
 
gottin
Frequent Visitor
Posts: 62
Joined: Fri Feb 25, 2005 8:33 am
Location: Bulgaria

Tue Apr 04, 2006 12:42 am

Well I have my bridge set up and running, however I can not shape traffic on it.
 
BurstNET

Tue Apr 04, 2006 4:59 am

See our earlier thread over past couple months...you cannot shape properly on a transparent bridge and it must be routed.

SMA
 
gottin
Frequent Visitor
Posts: 62
Joined: Fri Feb 25, 2005 8:33 am
Location: Bulgaria

Tue Apr 04, 2006 9:06 am

It really looks that I can not shape traffic on a transparent bridge. However it is strange that the guys from MikroTik have posted an article HowTo shape on it! (http://www.mikrotik.com/Documentation/H ... How_shaper)
 
postmanerk
just joined
Posts: 22
Joined: Fri May 28, 2004 8:03 pm
Location: Indiana, USA

QoS Mangle on a Bridge

Thu Apr 06, 2006 5:36 pm

I can tell you that I am using a transparent bridge for the main QoS router, but I am running 2.2.28 on it. So to answer your question, it should work. However, I am not seeing the same result on 2.9.18-19. I don't know if the problems are related, but to me they might because of the interaction with a bridge interface.

One thing I am seeing is that I have a router, that is on a tower, and the eth1 interface is the backhaul... I am routing between the eth1 and 3 other (eth2-4) interfaces in a bridge (so I am not the same as a transparent bridge). When I try and create a /queue tree whose parent is the bridge interface, I am getting nothing in the counters, and it doesn't look like it is processing. On the eth1 side of the queues, it does increment properly and they are using the same packet tags as the bridge. I validated my configs with another router (identical setup) running 2.8.28 and it works properly...

I have tried in the /ip firewall mangle rules both prerouting and forward but both rules do not tag the packets properly or the bridge interface queue is missing the packet tags.

Am I beating my head against the wall or am I missing something? I am trying to do VoIP QoS tagging based on my own server IP. The mangle rules are as follows:

add chain=forward src-address=[IPADDRESS] action=mark-packet new-packet-mark="Local VoIP Flow" passthrough=no comment="VoIP" disabled=no
add chain=forward dst-address=[IPADDRESS] action=mark-packet new-packet-mark="Local VoIP Flow" passthrough=no comment="" disabled=no

Eric
 
gottin
Frequent Visitor
Posts: 62
Joined: Fri Feb 25, 2005 8:33 am
Location: Bulgaria

Mon Apr 10, 2006 10:58 am

Would someone from MT support explain to us why MT 2.9.x can not mark packets that are flowing through bridge interfaces? Should we wait for a fix?
 
postmanerk
just joined
Posts: 22
Joined: Fri May 28, 2004 8:03 pm
Location: Indiana, USA

MikroTik Support

Wed Apr 12, 2006 3:05 am

Can anyone else verify that a bridged interface cannot increment counters?

Anyone from MikroTik on here?

Eric
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Wed Apr 12, 2006 8:22 pm

Works fine for me. I.e.:
/ip firewall mangle add chain=forward out-bridge-port=ether2 action=mark-packet new-packet-mark=MyMark
marks packets and increments counters as it should ...
Everyone has the right to life, liberty and security of person.
 
postmanerk
just joined
Posts: 22
Joined: Fri May 28, 2004 8:03 pm
Location: Indiana, USA

Transparent Bridge Queue Tree

Thu Apr 27, 2006 9:25 pm

My /ip firewall mangle counters do increment, but the /queue tree counters do not. In the queue tree rules I have the bridge interface as my parent and the packet mark is the one from the mangle rules.

Simple test is just IP based. I am trying to do a VoIP prioritization by just using one IP and tag it as my internal VoIP server. Should be a simple example, right? This all works on my 2.8.26-28 versions, but I cannot do the same on 2.9.x.

First, mark packets:
/ ip firewall mangle
add chain=forward src-address=68.77.78.25 action=mark-packet new-packet-mark="Local VoIP Flow" passthrough=no \
comment="VoIP" disabled=no
add chain=forward dst-address=68.77.78.25 action=mark-packet new-packet-mark="Local VoIP Flow" passthrough=no comment="" \
disabled=no

Then Queue them:
/ queue tree
add name="Global - In" parent="Wireless Bridge" packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Global - Out" parent="Ether2 - Backhaul" packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Internet - In" parent="Global - In" packet-mark="" limit-at=0 queue="Internet Global" priority=8 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Internet - Out" parent="Global - Out" packet-mark="" limit-at=0 queue="Internet Global" priority=8 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="VoIP - In" parent="Internet - In" packet-mark="VoIP Flow" limit-at=1500000 queue=VoIP priority=4 \
max-limit=1500000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="VoIP - Out" parent="Internet - Out" packet-mark="VoIP Flow" limit-at=1500000 queue=VoIP priority=4 \
max-limit=1500000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Local - In" parent="Global - In" packet-mark="Local Traffic Flow" limit-at=0 queue=default priority=8 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Local - Out" parent="Global - Out" packet-mark="Local Traffic Flow" limit-at=0 queue=default priority=8 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Local VoIP - In" parent="Local - In" packet-mark="Local VoIP Flow" limit-at=1500000 queue="Local VoIP" \
priority=3 max-limit=3000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Local VoIP - Out" parent="Local - Out" packet-mark="Local VoIP Flow" limit-at=1500000 queue="Local VoIP" \
priority=3 max-limit=3000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
 
valens
Trainer
Posts: 246
Joined: Tue Jun 01, 2004 5:42 pm
Location: INDONESIA

Thu Apr 27, 2006 11:30 pm

I'm using MikroTik 2.9.20 with a transparent bridge, and everything works fine. I have been using this config since 2.9.1.
 
e2346437
Frequent Visitor
Posts: 65
Joined: Sun Mar 12, 2006 1:35 am

2.9.22

Fri Apr 28, 2006 5:43 am

I just upgraded to 2.9.22 on my transparent bridge, and I can't seem to get queue trees (pcq) to work at all. I've got it running on an RB500 that is doing routing, but I can't seem to get it working on bridge.

To be more specific, the example in the Wiki seems to only work for upload on my bridge, not download. The example in the manual does not work at all.

Can anybody confirm for SURE that queue trees DO or DO NOT work with a transparent bridge running 2.9.22?

Eric
 
valens
Trainer
Posts: 246
Joined: Tue Jun 01, 2004 5:42 pm
Location: INDONESIA

Fri Apr 28, 2006 2:10 pm

It DOES work.
 
postmanerk
just joined
Posts: 22
Joined: Fri May 28, 2004 8:03 pm
Location: Indiana, USA

Post Config

Sat Apr 29, 2006 6:15 am

valens,

Would you post a smidgeon of your config so I can try it on my router? I posted my config, and if you run it through (changing your IP), it may not work for you.

I have the exact config on a 2.8.28 router and it works. I have it on a 2.9.22 router and it does not. Same code, just different versions (syntax).

Eric
 
e2346437
Frequent Visitor
Posts: 65
Joined: Sun Mar 12, 2006 1:35 am

Re: Post Config

Sat Apr 29, 2006 5:09 pm

I can confirm that the exact config does not work on my 2.9.22 bridge either.

<another> Eric
 
valens
Trainer
Posts: 246
Joined: Tue Jun 01, 2004 5:42 pm
Location: INDONESIA

Sun Apr 30, 2006 8:33 pm

[valens@BM] interface> pr
Flags: X - disabled, D - dynamic, R - running 
 #    NAME                         TYPE             RX-RATE    TX-RATE    MTU  
 0  R ether1                       ether            0          0          1500 
 1  R ether2                       ether            0          0          1500 

[valens@BM] interface bridge port> pr
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE BRIDGE  PRIORITY PATH-COST
 0    ether1    bridge1 128      10       
 1    ether2    bridge1 128      10       

[valens@BM] ip firewall mangle> pr
16   ;;; Citraweb Office
     chain=forward src-address=202.0.0.0/26 action=mark-connection 
     new-connection-mark=citraweb-conn passthrough=yes 
17   chain=forward connection-mark=citraweb-conn action=mark-packet new-packet-mark=citraweb-flow 
     passthrough=yes 

[valens@BM] queue tree> pr

 6   name="Internal-Downlink" parent=ether2 packet-mark="" limit-at=0 queue=default priority=1 
     max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s 

 7   name="Internal-Uplink" parent=ether1 packet-mark="" limit-at=0 queue=default priority=1 
     max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s 

115   name="Citraweb-Downlink" parent=Internal-Downlink packet-mark=citraweb-flow limit-at=0 
     queue=default priority=4 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s 

116   name="Citraweb-Uplink" parent=Internal-Uplink packet-mark=citraweb-flow limit-at=0 
     queue=default priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s 

Last edited by valens on Sun Apr 30, 2006 9:28 pm, edited 1 time in total.
 
valens
Trainer
Posts: 246
Joined: Tue Jun 01, 2004 5:42 pm
Location: INDONESIA

Sun Apr 30, 2006 8:34 pm

Screen Capture:

Image
 
e2346437
Frequent Visitor
Posts: 65
Joined: Sun Mar 12, 2006 1:35 am

Interpretation

Mon May 01, 2006 5:32 am

Let me see if I understand this...

First, you packet-mark all packets with mark "citraweb-flow" and all connections with "citraweb-conn".

Then...you create a default queue tree for upload and download, with a max-limit of 384kb (upload) and 512kb (download), a priority of 1 (highest), assigned to the appropriate parent ethernet interface. These queue trees are not assigned to any packet-mark.

Then, you apply "default" queues to all packets marked "citraweb-flow". One, Downlink, has a parent of ether2, and a max-limit half that of ether2, or 256kb. Also, a priority half that of ether2, priority=4. Uplink gets half of ether1's max-limit, or 128kb, and half the priority, also 4.

Now, can I pose a question or two? I don't want to insult, I am just straining to understand.

Why do you use mangle to mark the packets "citraweb-flow", and the connections "citraweb-conn", if, in the config example you give us, you don't use "citraweb-conn" for anything?

Why do you have to setup queues for upload and download assigned with ether1 and ether2, then have to setup additional queues, with the first queues as their parent, for queue trees to work in this example? I think this is the key concept that I am missing in my own config.

Why do the first two queues that have ether1 and ether2 as their parent have max-limits twice that of their child queues?

Why do the two child queues have priorities half that of their parents?

Do the child queues actually do the speed-limiting, or do the first two queues?

Do the customers get 512kb down and 256kb up, or 256kb down and 128kb up?

Could you also use limit-at in addition to max-limit in the child queues? My theory has been that limit-at can be set at 75% of your total bandwidth, and max-limit can be set at 95% of your total bandwidth. This way, customers start to see bandwidth limitation a little before the link becomes saturated, not when it "hits the wall". Am I crazy?

Thanks in advance for any help you can offer.

Eric
 
valens
Trainer
Posts: 246
Joined: Tue Jun 01, 2004 5:42 pm
Location: INDONESIA

Mon May 01, 2006 5:45 am

Eric, please do not get confused by limit-at, max-limit, priority, or parent in my script. The script I pasted here is only a small piece of the whole script on my box. It would be very complicated to explain it all one by one.

Answering your question:

1. We are doing connection mark, and then packet mark. This is what the conn-mark is for. We cannot use conn-mark directly in queue tree.

2. In this case, the network will have 256/128 kbps connection.

About the limit-at or max-limit, it depends on your setting and network.
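
Added example, not part of any post in this thread and not MikroTik code: a small Python check that compares the two configurations posted above. It reports queue tree entries whose packet-mark no mangle rule sets, connection marks that are matched but never set, and root queues parented to the bridge itself rather than to a bridge port as in the working config. The function names, finding codes and the reading of "Wireless Bridge" as the bridge interface are assumptions; both samples are shortened, constructed copies of the posted configs.

```python
import re
import shlex

# Constructed samples in export syntax, shortened from the configs in the thread.
# POSTED_2_9: the config reported as not incrementing queue counters on 2.9.x.
POSTED_2_9 = r'''
/ ip firewall mangle
add chain=forward src-address=68.77.78.25 action=mark-packet new-packet-mark="Local VoIP Flow" passthrough=no \
comment="VoIP" disabled=no
add chain=forward dst-address=68.77.78.25 action=mark-packet new-packet-mark="Local VoIP Flow" passthrough=no
/ queue tree
add name="Global - In" parent="Wireless Bridge" packet-mark="" priority=8 max-limit=0
add name="Global - Out" parent="Ether2 - Backhaul" packet-mark="" priority=8 max-limit=0
add name="Internet - In" parent="Global - In" packet-mark="" priority=8 max-limit=0
add name="VoIP - In" parent="Internet - In" packet-mark="VoIP Flow" priority=4 max-limit=1500000
add name="Local - In" parent="Global - In" packet-mark="Local Traffic Flow" priority=8 max-limit=0
add name="Local VoIP - In" parent="Local - In" packet-mark="Local VoIP Flow" priority=3 max-limit=3000000
'''

# WORKING_BRIDGE: the print output of the working bridge, rewritten as export lines.
WORKING_BRIDGE = r'''
/ip firewall mangle
add chain=forward src-address=202.0.0.0/26 action=mark-connection new-connection-mark=citraweb-conn passthrough=yes
add chain=forward connection-mark=citraweb-conn action=mark-packet new-packet-mark=citraweb-flow passthrough=yes
/queue tree
add name="Internal-Downlink" parent=ether2 packet-mark="" priority=1 max-limit=512000
add name="Internal-Uplink" parent=ether1 packet-mark="" priority=1 max-limit=384000
add name="Citraweb-Downlink" parent=Internal-Downlink packet-mark=citraweb-flow priority=4 max-limit=256000
add name="Citraweb-Uplink" parent=Internal-Uplink packet-mark=citraweb-flow priority=8 max-limit=128000
'''


def parse_export(text):
    """Return {section: [{key: value}, ...]} for every 'add' line of an export."""
    text = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)  # join '\' line continuations
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # "/ ip firewall mangle" and "/ip firewall mangle" name the same menu
            current = " ".join(line.lstrip("/").split())
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            item = {}
            for token in shlex.split(line)[1:]:  # shlex keeps quoted values whole
                key, sep, value = token.partition("=")
                if sep:
                    item[key] = value
            sections[current].append(item)
    return sections


def lint_shaper(text, interfaces, bridges=()):
    """Return (code, queue-or-rule, value) findings for a mangle + queue tree export.

    interfaces and bridges are supplied by the caller (assumption: the export
    does not say which names are interfaces or which one is the bridge).
    """
    cfg = parse_export(text)
    mangle = cfg.get("ip firewall mangle", [])
    queues = cfg.get("queue tree", [])
    conn_marks = {r.get("new-connection-mark") for r in mangle
                  if r.get("action") == "mark-connection"}
    pkt_marks = {r.get("new-packet-mark") for r in mangle
                 if r.get("action") == "mark-packet"}
    names = {q.get("name") for q in queues}
    findings = []
    for i, rule in enumerate(mangle):
        wanted = rule.get("connection-mark")
        if wanted and wanted not in conn_marks:
            findings.append(("conn-mark-never-set", f"mangle#{i}", wanted))
    for q in queues:
        name, parent, mark = q.get("name", ""), q.get("parent", ""), q.get("packet-mark", "")
        if parent in bridges:
            # differs from the working config, whose roots sit on ether1/ether2
            findings.append(("root-on-bridge", name, parent))
        elif parent not in names and parent not in interfaces:
            findings.append(("unknown-parent", name, parent))
        if mark and mark not in pkt_marks:
            findings.append(("mark-never-set", name, mark))
    used = {q.get("packet-mark") for q in queues}
    for mark in sorted(m for m in pkt_marks if m and m not in used):
        findings.append(("mark-unused", "", mark))
    return findings


if __name__ == "__main__":
    for finding in lint_shaper(POSTED_2_9, {"Wireless Bridge", "Ether2 - Backhaul"},
                               bridges={"Wireless Bridge"}):
        print(finding)
```

The findings describe only the excerpts as posted; marks set by rules that were not pasted into the thread would clear the "mark-never-set" entries.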
 
pjulian
Member Candidate
Posts: 267
Joined: Mon May 31, 2004 12:16 pm
Location: Sydney, Australia

Sat May 06, 2006 7:12 am

Guys,

Here is a template that I use to create bandwidth management queues. First it creates the marking rules, then it creates the queues. I use this to manage a number of links from a datacentre, and it works fine with 2.9.17 and bridged interfaces. I also have one for 2.8.x as well.
Let me know if this helps or if you have any suggestions on it, it's as simple as following the instructions at the top, and making sure your interface names are right, or just change them to suit, and setting your throttling values.

## - Do find and replace on SITEADDRESS to insert subnet, must be in the format of xx.xx.xx.0/subnet (24) example 10.1.1.0/24 (This does whole document)
## - Do find and replace on SITECODE to insert site code, should be 3 to 5 letters, such as syd or nrgba (This does whole document)



## *********** ALL RULES MUST REMAIN IN THE ORDER PRESENTED IN THIS TEMPLATE OR SHAPING WILL NOT FUNCTION CORRECTLY **************


## - Change comment on first rule to indicate description of the site that the rules are for, such as "Frankfurt Rules Start"

/ ip firewall mangle

## Citrix Traffic to Site
add chain=forward src-port=2598 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-citrix-out-con comment="Frankfurt Rules Start" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward src-port=445 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic from Site
add chain=forward src-address=SITEADDRESS in-interface=public dst-port=445 protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-in-con comment="" disabled=no passthrough=yes

## Telnet Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=23 protocol=tcp action=mark-connection new-connection-mark=SITECODE-telnet-out-con comment="" disabled=no passthrough=yes

## Thinprint Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=4000 protocol=tcp action=mark-connection new-connection-mark=SITECODE-thinprint-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward connection-mark=SITECODE-fileshare-out-con action=mark-packet new-packet-mark=SITECODE-fileshare-out comment="" disabled=no passthrough=no

## Citrix Traffic to Site
add chain=forward connection-mark=SITECODE-citrix-out-con action=mark-packet new-packet-mark=SITECODE-citrix-out comment="" disabled=no passthrough=no

## Filesharing Traffic from Site
add chain=forward connection-mark=SITECODE-fileshare-in-con action=mark-packet new-packet-mark=SITECODE-fileshare-in comment="" disabled=no passthrough=no

## Telnet Traffic to Site
add chain=forward connection-mark=SITECODE-telnet-out-con action=mark-packet new-packet-mark=SITECODE-telnet-out comment="" disabled=no passthrough=no

## Thinprint Traffic to Site
add chain=forward connection-mark=SITECODE-thinprint-out-con action=mark-packet new-packet-mark=SITECODE-thinprint-out comment="" disabled=no passthrough=no

## Other Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS action=mark-connection new-connection-mark=SITECODE-other-out-con comment="" disabled=no passthrough=yes

## Other Traffic from Site
add chain=forward src-address=SITEADDRESS in-interface=public action=mark-connection new-connection-mark=SITECODE-other-in-con comment="" disabled=no passthrough=yes

## Other Traffic to Site
add chain=forward connection-mark=SITECODE-other-out-con action=mark-packet new-packet-mark=SITECODE-other-out comment="" disabled=no passthrough=no

## Other Traffic from Site
add chain=forward connection-mark=SITECODE-other-in-con action=mark-packet new-packet-mark=SITECODE-other-in comment="" disabled=no passthrough=no




## - Set max-limit figures in each line to the maximum allowable transfer rate or bandwidth allocation for that service
## - Set limit-at figures to be the CIR or guaranteed rates provided for that service
## - Remove lines for any services not needed, but always leave "Other Traffic" queues in place as a catch-all

/ queue tree
add name="SITECODE-UP" parent=private packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="SITECODE-DOWN" parent=public packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Citrix Traffic to Site
add name="citrix-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-citrix-out limit-at=942000 queue=pfifo priority=1 max-limit=1024000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic to Site
add name="other-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-other-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic from Site
add name="other-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-other-in limit-at=128000 queue=pfifo priority=8 max-limit=768000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Thinprint Traffic to Site
add name="thinprint-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-thinprint-out limit-at=128000 queue=pfifo priority=2 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing Traffic to Site
add name="fileshare-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-fileshare-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing traffic from Site
add name="fileshare-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-fileshare-in limit-at=128000 queue=pfifo priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Telnet Traffic to Site
add name="telnet-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-telnet-out limit-at=8000 queue=red priority=2 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

Regards
Paul
 
e2346437
Frequent Visitor
Posts: 65
Joined: Sun Mar 12, 2006 1:35 am

Mon May 08, 2006 2:07 am

Paul,
Maybe you can answer some questions. Why do you need to mark the connection, then use that connection-mark to mark the packets? Why won't Mikrotik just let you mark the packets using packet-mark?

Second, the first two queues are for the public and private interfaces, with the other queues being child queues to these two "master" queues. If I wanted to extend your template to service many different subnets, do I have to recreate these "master" parent queues, or can I re-use them with multiple sets of child queues for each class-C subnet pointed at the same parents?

Thanks for any light you can shed on this.

Eric
 
e2346437
Frequent Visitor
Posts: 65
Joined: Sun Mar 12, 2006 1:35 am

Template doesn't work

Thu Jun 01, 2006 10:27 pm

Guys,

Here is a template that I use to create bandwidth management queues. First it creates the marking rules, then it creates the queues. I use this to manage a number of links from a datacentre, and it works fine with 2.9.17 and bridged interfaces. I also have one for 2.8.x as well.
Let me know if this helps or if you have any suggestions on it, it's as simple as following the instructions at the top, and making sure your interface names are right, or just change them to suit, and setting your throttling values.

## - Do find and replace on SITEADDRESS to insert subnet, must be in the format of xx.xx.xx.0/subnet (24) example 10.1.1.0/24 (This does whole document)
## - Do find and replace on SITECODE to insert site code, should be 3 to 5 letters, such as syd or nrgba (This does whole document)



## *********** ALL RULES MUST REMAIN IN THE ORDER PRESENTED IN THIS TEMPLATE OR SHAPING WILL NOT FUNCTION CORRECTLY **************


## - Change comment on first rule to indicate description of the site that the rules are for, such as "Frankfurt Rules Start"

/ ip firewall mangle

## Citrix Traffic to Site
add chain=forward src-port=2598 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-citrix-out-con comment="Frankfurt Rules Start" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward src-port=445 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic from Site
add chain=forward src-address=SITEADDRESS in-interface=public dst-port=445 protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-in-con comment="" disabled=no passthrough=yes

## Telnet Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=23 protocol=tcp action=mark-connection new-connection-mark=SITECODE-telnet-out-con comment="" disabled=no passthrough=yes

## Thinprint Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=4000 protocol=tcp action=mark-connection new-connection-mark=SITECODE-thinprint-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward connection-mark=SITECODE-fileshare-out-con action=mark-packet new-packet-mark=SITECODE-fileshare-out comment="" disabled=no passthrough=no

## Citrix Traffic to Site
add chain=forward connection-mark=SITECODE-citrix-out-con action=mark-packet new-packet-mark=SITECODE-citrix-out comment="" disabled=no passthrough=no

## Filesharing Traffic from Site
add chain=forward connection-mark=SITECODE-fileshare-in-con action=mark-packet new-packet-mark=SITECODE-fileshare-in comment="" disabled=no passthrough=no

## Telnet Traffic to Site
add chain=forward connection-mark=SITECODE-telnet-out-con action=mark-packet new-packet-mark=SITECODE-telnet-out comment="" disabled=no passthrough=no

## Thinprint Traffic to Site
add chain=forward connection-mark=SITECODE-thinprint-out-con action=mark-packet new-packet-mark=SITECODE-thinprint-out comment="" disabled=no passthrough=no

## Other Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS action=mark-connection new-connection-mark=SITECODE-other-out-con comment="" disabled=no passthrough=yes

## Other Traffic from Site
add chain=forward src-address=SITEADDRESS in-interface=public action=mark-connection new-connection-mark=SITECODE-other-in-con comment="" disabled=no passthrough=yes

## Other Traffic to Site
add chain=forward connection-mark=SITECODE-other-out-con action=mark-packet new-packet-mark=SITECODE-other-out comment="" disabled=no passthrough=no

## Other Traffic from Site
add chain=forward connection-mark=SITECODE-other-in-con action=mark-packet new-packet-mark=SITECODE-other-in comment="" disabled=no passthrough=no




## - Set max-limit figures in each line to the maximum allowable transfer rate or bandwidth allocation for that service
## - Set limit-at figures to be the CIR or guaranteed rates provided for that service
## - Remove lines for any services not needed, but always leave "Other Traffic" queues in place as a catch-all

/ queue tree
add name="SITECODE-UP" parent=private packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="SITECODE-DOWN" parent=public packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Citrix Traffic to Site
add name="citrix-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-citrix-out limit-at=942000 queue=pfifo priority=1 max-limit=1024000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic to Site
add name="other-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-other-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic from Site
add name="other-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-other-in limit-at=128000 queue=pfifo priority=8 max-limit=768000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Thinprint Traffic to Site
add name="thinprint-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-thinprint-out limit-at=128000 queue=pfifo priority=2 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing Traffic to Site
add name="fileshare-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-fileshare-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing traffic from Site
add name="fileshare-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-fileshare-in limit-at=128000 queue=pfifo priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Telnet Traffic to Site
add name="telnet-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-telnet-out limit-at=8000 queue=red priority=2 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

Regards
Paul
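The find-and-replace steps, the rule-order requirement and the "remove unneeded services" step from the template above can be checked mechanically before the rules are pasted into a router. The following is an added example, not part of Paul's post: the helper names `render` and `lint` are hypothetical, and `TEMPLATE` is a constructed, shortened excerpt of the template (telnet plus the catch-all, with the unused options trimmed).

```python
import ipaddress
import re

# Constructed excerpt of the template (telnet + catch-all, options trimmed).
TEMPLATE = """\
/ ip firewall mangle
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=23 protocol=tcp action=mark-connection new-connection-mark=SITECODE-telnet-out-con passthrough=yes
add chain=forward connection-mark=SITECODE-telnet-out-con action=mark-packet new-packet-mark=SITECODE-telnet-out passthrough=no
add chain=forward in-interface=private dst-address=SITEADDRESS action=mark-connection new-connection-mark=SITECODE-other-out-con passthrough=yes
add chain=forward connection-mark=SITECODE-other-out-con action=mark-packet new-packet-mark=SITECODE-other-out passthrough=no
/ queue tree
add name="SITECODE-DOWN" parent=public packet-mark="" limit-at=0 max-limit=0
add name="telnet-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-telnet-out limit-at=8000 max-limit=32000
add name="other-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-other-out limit-at=0 max-limit=128000
"""

def render(template, site_code, site_address):
    """Apply the two find-and-replace steps; helper name is hypothetical."""
    if not re.fullmatch(r"[A-Za-z]{3,5}", site_code):
        raise ValueError(f"site code must be 3 to 5 letters: {site_code!r}")
    # strict=True rejects host bits, so 10.1.1.5/24 fails and 10.1.1.0/24 passes
    net = ipaddress.ip_network(site_address, strict=True)
    return template.replace("SITEADDRESS", str(net)).replace("SITECODE", site_code)

def lint(config):
    """Return problems that would leave traffic unmarked or unqueued."""
    problems, section, conn_marks, pkt_marks = [], "", set(), set()
    for line in map(str.strip, config.splitlines()):
        if line.startswith("/"):
            section = line.replace(" ", "")
            continue
        opts = {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}
        if section == "/ipfirewallmangle" and opts.get("action") == "mark-connection":
            conn_marks.add(opts["new-connection-mark"])
        elif section == "/ipfirewallmangle" and opts.get("action") == "mark-packet":
            pkt_marks.add(opts["new-packet-mark"])
            cm = opts.get("connection-mark")
            if cm and cm not in conn_marks:  # rule order matters
                problems.append(f"{opts['new-packet-mark']}: connection mark {cm} not set yet")
        elif section == "/queuetree" and opts.get("packet-mark"):
            if opts["packet-mark"] not in pkt_marks:
                problems.append(f"queue {opts['name']}: no mangle rule sets {opts['packet-mark']}")
            cir, mir = int(opts.get("limit-at", 0)), int(opts.get("max-limit", 0))
            if mir and cir > mir:  # max-limit=0 is treated as no ceiling here
                problems.append(f"queue {opts['name']}: limit-at above max-limit")
    return problems
```

An empty list from `lint(render(TEMPLATE, "syd", "10.1.1.0/24"))` means every queue has a matching packet mark and every packet mark follows its connection mark.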
Paul,
Maybe you can answer some questions. Why do you need to mark the connection, then use that connection-mark to mark the packets? Why won't Mikrotik just let you mark the packets using packet-mark?

Second, the first two queues are for the public and private interfaces, with the other queues being child queues to these two "master" queues. If I wanted to extend your template to service many different subnets, do I have to recreate these "master" parent queues, or can I re-use them with multiple sets of child queues for each class-C subnet pointed at the same parents?

Thanks for any light you can shed on this.

Eric
I need to add that PJulian's template absolutely, unequivocally, does NOT work under 2.9.23 with bridged interfaces. I've even tried a completely different MT router box. I'm getting really frustrated that NOTHING I do to limit traffic under 2.9.23 with bridged interfaces works.

Eric
 
goldclick
Frequent Visitor
Posts: 51
Joined: Fri Sep 17, 2004 10:48 pm
Location: Nigeria

Fri Jun 02, 2006 3:08 am

> Why do you need to mark the connection, then use that connection-mark to mark the packets? Why won't Mikrotik just let you mark the packets using packet-mark?
>
> Eric

If you by any means NAT your connection (either DST-NAT; web-proxy redirect or SRC-NAT), then you must first mark the connections and then mark the flows within that connection. This is why there is a connection-mark and the packet-mark.

Sonny.
 
e2346437
Frequent Visitor
Posts: 65
Joined: Sun Mar 12, 2006 1:35 am

No NAT

Fri Jun 02, 2006 3:34 am

> > Why do you need to mark the connection, then use that connection-mark to mark the packets? Why won't Mikrotik just let you mark the packets using packet-mark?
> >
> > Eric
>
> If you by any means NAT your connection (either DST-NAT; web-proxy redirect or SRC-NAT), then you must first mark the connections and then mark the flows within that connection. This is why there is a connection-mark and the packet-mark.
>
> Sonny.

Thanks, but, I'm not using NAT at all. Just a transparent bridge. NAT is done upstream by a PIX 525.

Eric
 
samsoft08
Long time Member
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Mon Jun 05, 2006 1:52 am

Why don't the holy MT team give us more support? Why don't they put up a standard setup for any case we face? I don't think that the cases will be more than 10 cases... Actually, I see no support at all.
 
jacknux
just joined
Posts: 7
Joined: Tue Jun 27, 2006 5:53 am

Tue Jun 27, 2006 11:40 am

Maybe one of you has tried to stand up MikroTik bridging between a router (Cisco) and a switch (Catalyst)? Because I could not run the traffic shaper on this configuration.

Cisco == Mikrotik bridge == Catalyst

I have set up mangle and it looks like it can trap packets. But I couldn't implement it on queue tree.

IMHO, maybe MikroTik is not smart enough to 'read' packets encapsulated by the VLAN protocol (802.1q).

Any opinions, guys?

Regards

***miko
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Jun 27, 2006 4:16 pm

read this: http://www.catb.org/~esr/faqs/smart-que ... tml#before

and try to ask your question once again.
Everyone has the right to life, liberty and security of person.
 
krugmartin
Trainer
Posts: 5
Joined: Sat May 27, 2006 3:23 pm

Wed Aug 09, 2006 2:00 am

> read this: http://www.catb.org/~esr/faqs/smart-que ... tml#before
>
> and try to ask your question once again.

I think that I can represent all the other guys regarding questions and finding answers to our questions.

There is not an easy way to ask a difficult question, and there are really too many unclear situations in MikroTik SW.

The manual will not help because, in my opinion, the manual is OLD and needs to be rewritten.

There is no need for so many options if there is no manual, or they don't work as they should, or work but ONLY if they are used a certain way.

And all of us are spending too much time finding solutions which are sometimes easy, only no one has time to distribute the right solutions!

Suggestion to MikroTik staff: get somebody to prepare a FAQ, which should be up to date, and I think that you can even find someone from this forum; there are lots of people who will be happy to manage such a FAQ section, and it can help all the others find the right solutions without spending weeks of work.

Martin.
 
normis
MikroTik Support
Posts: 24495
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Wed Aug 09, 2006 9:33 am

the manual is not old. 99% of the described functions are actual and working, when applied in the explained way. btw, about the FAQ:
http://forum.mikrotik.com/viewtopic.php?t=9957

if you would ask your question in simple terms, explaining the problem, and describing what didn't work in your attempt, we could have already answered it.
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Thu Aug 10, 2006 4:10 pm

Everyone has the right to life, liberty and security of person.
 
jfan
newbie
Posts: 25
Joined: Wed May 31, 2006 9:04 pm
Location: United States

Wed Aug 23, 2006 6:22 pm

I have studied the Transparent Traffic Shaper (TTS) on the wiki. A few questions come up.

Why is the prerouting chain used instead of the forward chain? Is it because of bridging?

What kind of queue do you recommend for TTS? Can I implement PCQ in TTS?

I believe queue tree can't be implemented because the top-level parents are the available interfaces. Since the interfaces are bridged, there is no way to identify the outgoing and incoming interfaces. Am I right here?

Jin
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Thu Aug 24, 2006 1:21 pm

> Why is the prerouting chain used instead of the forward chain? Is it because of bridging?

Because we need to know the marks before the forward chain. See http://www.mikrotik.com/docs/ros/2.9/gr ... flow31.jpg

> What kind of queue do you recommend for TTS? Can I implement PCQ in TTS?

Depends on your needs. PCQ works fine.

> I believe queue tree can't be implemented because the top-level parents are the available interfaces. Since the interfaces are bridged, there is no way to identify the outgoing and incoming interfaces. Am I right here?

Queue tree can accept global-* interfaces as well.
Everyone has the right to life, liberty and security of person.
 
jfan
newbie
Posts: 25
Joined: Wed May 31, 2006 9:04 pm
Location: United States

Mon Aug 28, 2006 10:02 pm

Thanks, Eugene. Let me show my implementation on TTS using PCQ for equal bandwidth sharing. Please comment.

/ interface bridge 
add name="bridge1"
/ interface bridge port 
add interface=ether2 bridge=bridge1 
add interface=ether3 bridge=bridge1 

/queue type
add name="pcq-upload" kind=pcq pcq-rate=256k pcq-classifier=src-address
add name="pcq-download" kind=pcq pcq-rate=768k pcq-classifier=dst-address

/ ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=ALL_traffic

/queue tree 
add parent=global-in flow=ALL_traffic queue=pcq-upload
add parent=global-out flow=ALL_traffic queue=pcq-download

PS. I see others in the early posts using the forward chain in TTS, and they claim it works. Can you see why? As you can see, I am still uncomfortable about when to use the prerouting/forward/postrouting chains.
