hwmonkey
Member Candidate
Topic Author
Posts: 115
Joined: Wed Feb 08, 2012 9:50 pm

Queue by Mac for Bridge?

Tue Mar 18, 2014 6:24 pm

I have created a queue by Mac that works effectively for a port behind NAT. But, if I try to apply the queue to a port that is bridged, it does not work.

To restate this, using the code below, my queue works great when my uplink is on port 1 and the targeted MAC is connected to bridge2, using a NAT'd 172.17.1.0/24 address. When I keep the uplink the same and connect to port 5 (bridge1) using an uplink IP address, queuing does not apply. What I want to do is limit the bandwidth of the particular MAC, which I plan to have connected to bridge1 on port 5. I have attempted toggling use-ip-firewall, for I am not certain how that affects mangle. It made no difference. The relevant code is:
/queue simple
add dst=172.17.1.0/24 name="No Throttle Local" target=172.17.1.0/24
add max-limit=700k/200k name=test packet-marks=target_device_1_packet target=\
    bridge1 total-max-limit=800k
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=target_device_1 passthrough=yes src-mac-address=00:18:6B:10:B0:A0
add chain=prerouting action=mark-packet new-packet-mark=target_device_1_packet passthrough=yes connection-mark=target_device_1
/interface bridge
add l2mtu=1598 name=bridge1
add name=bridge2 protocol-mode=none
/interface bridge port
add bridge=bridge2 interface=eth2
add bridge=bridge2 interface=eth3
add bridge=bridge2 interface=eth4
add bridge=bridge2 interface=wlan1
add bridge=bridge1 interface=eth5
add bridge=bridge1 interface=eth1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes

Can someone offer some assistance?
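As an added sanity check that is not from the thread or from MikroTik: a small Python script that parses a RouterOS export in the format above (including the backslash-continued lines), follows a simple queue's packet-marks back through the mangle rules to the src-mac-address rule, and flags a queue that targets a bridge while use-ip-firewall is not yes, the condition support's reply later in the thread names. The sample export is constructed from the post's own names and MAC.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the export in the post above (same names and MAC).
SAMPLE_EXPORT = """\
/queue simple
add max-limit=700k/200k name=test packet-marks=target_device_1_packet target=\\
    bridge1 total-max-limit=800k
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=target_device_1 passthrough=yes src-mac-address=00:18:6B:10:B0:A0
add chain=prerouting action=mark-packet new-packet-mark=target_device_1_packet passthrough=yes connection-mark=target_device_1
/interface bridge
add l2mtu=1598 name=bridge1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
"""

def parse_export(text):
    """Return {menu path: [property dicts]}; backslash-continued lines are joined first."""
    joined = re.sub(r"\\\n\s*", "", text)        # 'target=\' + newline + '    bridge1' -> 'target=bridge1'
    sections = defaultdict(list)
    path = None
    for line in filter(None, map(str.strip, joined.splitlines())):
        if line.startswith("/"):                 # menu path such as /ip firewall mangle
            path = line
        else:                                    # 'add ...' / 'set ...' line: collect key=value pairs
            props = {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}
            sections[path].append(props)
    return sections

def check_mac_queue(text):
    """Walk queue -> packet-mark -> connection-mark -> mark-connection rule; list what is missing."""
    cfg = parse_export(text)
    mangle = cfg.get("/ip firewall mangle", [])
    conn_marks = {m.get("new-connection-mark") for m in mangle if m.get("action") == "mark-connection"}
    bridges = {b.get("name") for b in cfg.get("/interface bridge", [])}
    settings = (cfg.get("/interface bridge settings") or [{}])[0]
    problems = []
    for q in cfg.get("/queue simple", []):
        for pm in filter(None, q.get("packet-marks", "").split(",")):
            setters = [r for r in mangle if r.get("action") == "mark-packet" and r.get("new-packet-mark") == pm]
            if not setters:
                problems.append(f"queue {q.get('name')}: no mangle rule sets packet-mark {pm}")
            for r in setters:
                cm = r.get("connection-mark")
                if cm and cm not in conn_marks:
                    problems.append(f"packet-mark {pm}: connection-mark {cm} is never set")
        # Per support's reply: bridged traffic reaches /ip firewall only with use-ip-firewall=yes.
        if q.get("target") in bridges and settings.get("use-ip-firewall") != "yes":
            problems.append(f"queue {q.get('name')}: target {q.get('target')} is a bridge but use-ip-firewall is not yes")
    return problems
```

Run it against the output of `/export` to see whether the mark chain is intact before looking elsewhere for why the queue does not match.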
 
hwmonkey
Member Candidate
Topic Author
Posts: 115
Joined: Wed Feb 08, 2012 9:50 pm

Re: Queue by Mac for Bridge?

Thu Mar 20, 2014 11:24 pm

Do you need more details than this? I have submitted a support question with the same info and have no response yet either.
 
hwmonkey
Member Candidate
Topic Author
Posts: 115
Joined: Wed Feb 08, 2012 9:50 pm

Re: Queue by Mac for Bridge?

Tue Apr 01, 2014 5:34 pm

Okay, support sent a follow up:
-------- Original Message --------
Subject: 	Re: Queuing on bridged port?
Date: 	Mon, 31 Mar 2014 14:57:52 +0300
From: 	MikroTik support [Janis Megis] <support@mikrotik.com>


Hello,

Queues work at layer 3; from the layer-3 perspective, packets are coming from the bridge
interface, not the bridge-port interface. Hope it helps.

If you are interested in limiting traffic from one bridge-port to another bridge-port,
then it requires an additional queue and enabling use-ip-firewall in bridge
settings, but this option adds a level of complexity for the rest of the
configuration.
 
hwmonkey
Member Candidate
Topic Author
Posts: 115
Joined: Wed Feb 08, 2012 9:50 pm

Re: Queue by Mac for Bridge?

Tue Apr 01, 2014 5:36 pm

I replied asking for clarification:
On 3/31/2014 7:57 AM, MikroTik support [Janis Megis] wrote:
> Hello,
>
> Queues work at layer 3; from the layer-3 perspective, packets are coming from the bridge
> interface, not the bridge-port interface. Hope it helps.

Not really. I am not using a bridged ethernet port (eth1), but I am using a bridge port (e.g. bridge1). I am not marking packets on eth1 but on bridge1. What am I missing?

> If you are interested in limiting traffic from one bridge-port to another bridge-port,
> then it requires an additional queue

What additional queue and why?

> and enabling use-ip-firewall in bridge
> settings, but this option adds a level of complexity for the rest of the
> configuration.

What types of complexity must I deal with? It is my understanding that all bridged traffic will now go through the firewall rules. So, the bridged ports need a firewall rule to allow all traffic between those ports to continue to act as a bridge, right? Is that all?

Thanks.
 
hwmonkey
Member Candidate
Topic Author
Posts: 115
Joined: Wed Feb 08, 2012 9:50 pm

Re: Queue by Mac for Bridge?

Tue Apr 01, 2014 5:38 pm

Which results in MikroTik avoiding the questions that I asked:
-------- Original Message --------
Subject: 	Re: Queuing on bridged port?
Date: 	Tue, 1 Apr 2014 14:58:25 +0300
From: 	MikroTik support<support@mikrotik.com>


Hello,

There is no complexity in the firewall; with action=log or snif- you can examine what
traffic is captured by a rule, and this way you can determine the exact options that you
need. Please use these actions to debug your firewall yourself.
 
hwmonkey
Member Candidate
Topic Author
Posts: 115
Joined: Wed Feb 08, 2012 9:50 pm

Re: Queue by Mac for Bridge?

Tue Apr 01, 2014 5:48 pm

After trying support, I am back to you, the community.
  • When I refer to bridge1, aren't I referring to the bridge interface, not the bridge-port interface, as MikroTik support indicates I should be doing?
  • Support says I need an additional queue rule if working with two bridge ports. What kind of rule, and why?
  • MikroTik says I should have use-ip-firewall enabled to accomplish this and that it will increase firewall complexity. What will be more complex?
Thank YOU.
 
hwmonkey
Member Candidate
Topic Author
Posts: 115
Joined: Wed Feb 08, 2012 9:50 pm

Re: Queue by Mac for Bridge?

Wed Apr 02, 2014 8:51 pm

I think I am finally pointed in the right direction. But I am still in need of assistance.

I am accustomed to using /ip firewall mangle and /ip firewall filter and /ip firewall nat. I have not used /interface bridge filter or /interface bridge nat. The documentation on the /interface bridge filter/nat seems a bit lacking.

How would I convert the following to /interface bridge filter/nat? Or, how would I pass all bridge traffic to the ip firewall filter/nat so that firewall rules can be applied on the bridge?
/ip firewall filter
add chain=input comment="default icmp" protocol=icmp
add chain=input comment="default established" connection-state=established
add chain=input comment="default related" connection-state=related
add chain=input src-address=10.1.1.0/24
add chain=input dst-port=8291 protocol=udp
add chain=input dst-port=8291 protocol=tcp
add chain=input dst-port=1701 protocol=tcp
add action=log chain=input disabled=yes
add action=drop chain=input comment="default drop" in-interface=bridge1
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=\
    target_device_1 src-mac-address=00:24:D7:00:00:48
add action=mark-connection chain=prerouting new-connection-mark=\
    target_device_1 src-mac-address=68:B5:99:00:00:02
add action=mark-packet chain=prerouting connection-mark=target_device_1 \
    new-packet-mark=target_device_1_packet
/ip firewall nat
add action=masquerade chain=srcnat comment=srcnat-masquerade out-interface=\
    bridge1 to-addresses=0.0.0.0
