hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

How to QoSing this correctly?

Mon May 29, 2023 5:26 pm

My connection is not very fast or stable (2 WAN LTE with PCQ load balancing), but 30 megabits is almost always available (in my experience). I use these settings and queues.
My tasks:
1. Good conditions for VoIP (I exclude VoIP-server from mangling with passthrough=no at first)
2. Fast VPN channel between offices
3. Responsive for remote access apps
4. Low-speed guest WiFi and non-office resources (like YouTube etc., by tls-host)

Questions:
1. Is everything set up ok?
2. I use chain=forward and because of this, the connections of the router itself are not marked (VPN connection or DNS and NTP requests). So they aren't queued?
3. If I use the chain=prerouting and add, for example, the VPN-connection protocol=udp port=500,4500 to the "HIGH" section, then the traffic "intra-tunnel" (by address-list) and "external-tunnel" (by this rule) is duplicated in the queue twice. How to solve it correctly?

Mangle:
/ip firewall mangle
add action=mark-packet chain=forward dst-address=192.168.88.222 new-packet-mark=VOIP-IN passthrough=no
add action=mark-packet chain=forward new-packet-mark=VOIP-OUT passthrough=no src-address=192.168.88.222

add action=mark-packet chain=forward comment=GUEST-DOWNLOAD dst-address=192.168.99.0/24 new-packet-mark=GUEST-DOWNLOAD passthrough=no
add action=mark-packet chain=forward comment=GUEST-UPLOAD new-packet-mark=GUEST-UPLOAD passthrough=no src-address=192.168.99.0/24

add action=passthrough chain=forward comment="###### LOW ######" disabled=yes
add action=add-dst-to-address-list address-list=UNLIMTRAFFIC address-list-timeout=1w chain=forward dst-address-list=!UNLIMTRAFFIC port=443 protocol=tcp tls-host=*googlevideo.com
add action=add-dst-to-address-list address-list=UNLIMTRAFFIC address-list-timeout=1w chain=forward dst-address-list=!UNLIMTRAFFIC port=443 protocol=tcp tls-host=*tiktok*
add action=add-dst-to-address-list address-list=UNLIMTRAFFIC address-list-timeout=1w chain=forward dst-address-list=!UNLIMTRAFFIC port=443 protocol=tcp tls-host=*twitch*
add action=mark-connection chain=forward comment=ALL-TRAFFIC new-connection-mark=LOW passthrough=yes
add action=mark-packet chain=forward comment="UNLIMTRAFFIC LOW-DOWNLOAD" connection-mark=LOW new-packet-mark=LOW-DOWNLOAD passthrough=no src-address-list=UNLIMTRAFFIC
add action=mark-packet chain=forward comment="UNLIMTRAFFIC LOW-UPLOAD" connection-mark=LOW dst-address-list=UNLIMTRAFFIC new-packet-mark=LOW-UPLOAD passthrough=no
add action=mark-packet chain=forward comment=LOW-DOWNLOAD connection-mark=LOW in-interface-list=WAN new-packet-mark=LOW-DOWNLOAD passthrough=yes
add action=mark-packet chain=forward comment=LOW-UPLOAD connection-mark=LOW new-packet-mark=LOW-UPLOAD out-interface-list=WAN passthrough=yes
add action=passthrough chain=forward comment="###### END LOW ######" disabled=yes

add action=passthrough chain=forward comment="###### NORMAL ######" disabled=yes
add action=mark-connection chain=forward comment=HTTPS new-connection-mark=NORMAL passthrough=yes port=443 protocol=tcp
add action=mark-connection chain=forward comment=HTTP new-connection-mark=NORMAL passthrough=yes port=80 protocol=tcp
add action=mark-connection chain=forward comment=QUIC new-connection-mark=NORMAL passthrough=yes port=80,443 protocol=udp
add action=mark-connection chain=forward comment=Proxy new-connection-mark=NORMAL passthrough=yes port=3128,8080 protocol=tcp
add action=mark-connection chain=forward comment=FTP new-connection-mark=NORMAL passthrough=yes port=20,21 protocol=tcp
add action=mark-connection chain=forward comment=IMAPS new-connection-mark=NORMAL passthrough=yes port=993 protocol=tcp
add action=mark-connection chain=forward comment=SMTPS new-connection-mark=NORMAL passthrough=yes port=465 protocol=tcp
add action=mark-connection chain=forward comment=POP3S new-connection-mark=NORMAL passthrough=yes port=995 protocol=tcp
add action=mark-connection chain=forward comment=L2TP new-connection-mark=NORMAL passthrough=yes port=1701,4500,500 protocol=udp
add action=mark-connection chain=forward comment="1Mb Connections" connection-bytes=0-1000000 new-connection-mark=NORMAL passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=NORMAL-DOWNLOAD connection-mark=NORMAL in-interface-list=WAN new-packet-mark=NORMAL-DOWNLOAD passthrough=yes
add action=mark-packet chain=forward comment=NORMAL-UPLOAD connection-mark=NORMAL new-packet-mark=NORMAL-UPLOAD out-interface-list=WAN passthrough=yes
add action=passthrough chain=forward comment="###### END NORMAL ######" disabled=yes

add action=passthrough chain=forward comment="###### HIGH ######" disabled=yes
add action=mark-connection chain=forward comment="Google Push" new-connection-mark=HIGH passthrough=yes port=5228 protocol=tcp
add action=mark-connection chain=forward comment=VoIP new-connection-mark=HIGH passthrough=yes port=5060,5061,5065 protocol=udp
add action=mark-connection chain=forward comment=VoIP new-connection-mark=HIGH passthrough=yes port=5060,5061,5065 protocol=tcp
add action=mark-connection chain=forward comment=Zoom new-connection-mark=HIGH passthrough=yes port=3478,3479,8801-8810 protocol=udp
add action=mark-connection chain=forward comment=Zoom new-connection-mark=HIGH passthrough=yes port=8801,8802 protocol=tcp
add action=mark-connection chain=forward comment=SSH new-connection-mark=HIGH packet-size=0-1400 passthrough=yes port=22 protocol=tcp
add action=mark-connection chain=forward comment=TELNET new-connection-mark=HIGH passthrough=yes port=23 protocol=tcp
add action=mark-connection chain=forward comment="VPN in" new-connection-mark=HIGH passthrough=yes src-address-list=VPN-LANs
add action=mark-connection chain=forward comment="VPN out" dst-address-list=VPN-LANs new-connection-mark=HIGH passthrough=yes
add action=mark-connection chain=forward comment="100Kb Connections" connection-bytes=0-100000 new-connection-mark=HIGH passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=HIGH-DOWNLOAD connection-mark=HIGH in-interface-list=WAN new-packet-mark=HIGH-DOWNLOAD passthrough=yes
add action=mark-packet chain=forward comment=HIGH-UPLOAD connection-mark=HIGH new-packet-mark=HIGH-UPLOAD out-interface-list=WAN passthrough=yes
add action=passthrough chain=forward comment="###### END HIGH ######" disabled=yes

add action=passthrough chain=forward comment="###### SUPER-HIGH ######" disabled=yes
add action=mark-connection chain=forward comment=DNS new-connection-mark=SUPER-HIGH passthrough=yes port=53 protocol=udp
add action=mark-connection chain=forward comment=DNS new-connection-mark=SUPER-HIGH passthrough=yes port=53 protocol=tcp
add action=mark-connection chain=forward comment=NTP new-connection-mark=SUPER-HIGH passthrough=yes port=123 protocol=udp
add action=mark-connection chain=forward comment=Winbox new-connection-mark=SUPER-HIGH passthrough=yes port=8291 protocol=tcp
add action=mark-connection chain=forward comment=Anydesk new-connection-mark=SUPER-HIGH passthrough=yes port=7070 protocol=tcp
add action=mark-connection chain=forward comment=RDP new-connection-mark=SUPER-HIGH passthrough=yes port=3389 protocol=tcp
add action=mark-connection chain=forward comment=PING new-connection-mark=SUPER-HIGH passthrough=yes protocol=icmp
add action=mark-connection chain=forward comment="10Kb Connections" connection-bytes=0-10000 new-connection-mark=SUPER-HIGH passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=SUPER-HIGH-DOWNLOAD connection-mark=SUPER-HIGH in-interface-list=WAN new-packet-mark=SUPER-HIGH-DOWNLOAD passthrough=yes
add action=mark-packet chain=forward comment=SUPER-HIGH-UPLOAD connection-mark=SUPER-HIGH new-packet-mark=SUPER-HIGH-UPLOAD out-interface-list=WAN passthrough=yes
add action=passthrough chain=forward comment="###### END SUPER-HIGH ######" disabled=yes
Queues:

/queue type
add cake-diffserv=besteffort cake-rtt-scheme=internet cake-wash=yes kind=cake name=Q-dn
add cake-ack-filter=filter cake-diffserv=besteffort cake-nat=yes cake-rtt-scheme=internet kind=cake name=Q-up

/queue tree
add bucket-size=0.01 max-limit=30M name="MAIN DN" parent=global queue=Q-dn
add parent="MAIN DN" queue=Q-dn name=1-VOIP-DN packet-mark=VOIP-IN limit-at=512k max-limit=1M priority=1
add parent="MAIN DN" queue=Q-dn name=3-SUPER-HIGH-DOWNLOAD packet-mark=SUPER-HIGH-DOWNLOAD priority=3
add parent="MAIN DN" queue=Q-dn name=4-HIGH-DOWNLOAD packet-mark=HIGH-DOWNLOAD priority=4
add parent="MAIN DN" queue=Q-dn name=6-NORMAL-DOWNLOAD packet-mark=NORMAL-DOWNLOAD burst-limit=30M burst-threshold=512k burst-time=3s max-limit=20M priority=6
add parent="MAIN DN" queue=Q-dn name=7-GUEST-DOWNLOAD packet-mark=GUEST-DOWNLOAD burst-limit=5M burst-threshold=512k burst-time=3s max-limit=1M priority=7
add parent="MAIN DN" queue=Q-dn name=8-LOW-DOWNLOAD packet-mark=LOW-DOWNLOAD burst-limit=5M burst-threshold=512k burst-time=3s max-limit=1M


add bucket-size=0.01 max-limit=30M name="MAIN UP" parent=global queue=Q-up
add parent="MAIN UP" queue=Q-up name=1-VOIP-UP packet-mark=VOIP-OUT priority=1 limit-at=512k max-limit=1M
add parent="MAIN UP" queue=Q-up name=3-SUPER-HIGH-UPLOAD packet-mark=SUPER-HIGH-UPLOAD priority=3
add parent="MAIN UP" queue=Q-up name=4-HIGH-UPLOAD packet-mark=HIGH-UPLOAD priority=4
add parent="MAIN UP" queue=Q-up name=6-NORMAL-UPLOAD packet-mark=NORMAL-UPLOAD priority=6 burst-limit=30M burst-threshold=512k burst-time=3s max-limit=20M
add parent="MAIN UP" queue=Q-up name=7-GUEST-UPLOAD packet-mark=GUEST-UPLOAD priority=7 burst-limit=5M burst-threshold=512k burst-time=3s max-limit=1M
add parent="MAIN UP" queue=Q-up name=8-LOW-UPLOAD packet-mark=LOW-UPLOAD burst-limit=5M burst-threshold=512k burst-time=3s max-limit=1M
Last edited by hagoyi on Tue Jun 06, 2023 1:59 pm, edited 2 times in total.
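The first post's mangle chain can be traced rule by rule to see which packet mark a download packet ends up with. The following is an added example, not part of the original post: a simplified Python model of top-to-bottom evaluation with passthrough, using a subset of the rules above. The packet fields, the helper names and the 203.0.113.10 address-list entry are constructed for illustration.

```python
# Simplified model (an assumption, not RouterOS code) of how a mangle chain is
# walked: rules run top to bottom, a later mark overwrites an earlier one, and
# passthrough=no ends the walk on a match. Subset of the first post's rules.
UNLIMTRAFFIC = {"203.0.113.10"}  # constructed address-list entry

def port(n):       return lambda p, c: n in (p["sport"], p["dport"])
def proto(x):      return lambda p, c: p["proto"] == x
def conn(mark):    return lambda p, c: c == mark
def bytes_max(n):  return lambda p, c: p["conn_bytes"] <= n
from_wan = lambda p, c: p["in_wan"]

# (action, new mark, passthrough, matchers) in the order used in the post
RULES = [
    ("packet", "VOIP-IN", False, [lambda p, c: p["dst"] == "192.168.88.222"]),
    ("conn", "LOW", True, []),                                   # ALL-TRAFFIC
    ("packet", "LOW-DOWNLOAD", False,
     [conn("LOW"), lambda p, c: p["src"] in UNLIMTRAFFIC]),
    ("packet", "LOW-DOWNLOAD", True, [conn("LOW"), from_wan]),
    ("conn", "NORMAL", True, [proto("tcp"), port(443)]),         # HTTPS
    ("conn", "NORMAL", True, [proto("tcp"), bytes_max(1_000_000)]),
    ("packet", "NORMAL-DOWNLOAD", True, [conn("NORMAL"), from_wan]),
    ("conn", "HIGH", True, [proto("tcp"), bytes_max(100_000)]),
    ("packet", "HIGH-DOWNLOAD", True, [conn("HIGH"), from_wan]),
    ("conn", "SUPER-HIGH", True, [proto("udp"), port(53)]),      # DNS
    ("conn", "SUPER-HIGH", True, [proto("tcp"), bytes_max(10_000)]),
    ("packet", "SUPER-HIGH-DOWNLOAD", True, [conn("SUPER-HIGH"), from_wan]),
]

def final_packet_mark(pkt):
    """Return the packet mark left on pkt after the whole chain has run."""
    conn_mark, packet_mark = None, None
    for action, mark, passthrough, matchers in RULES:
        if not all(m(pkt, conn_mark) for m in matchers):
            continue
        if action == "conn":
            conn_mark = mark
        else:
            packet_mark = mark
        if not passthrough:
            break
    return packet_mark

def download(src, proto_, sport, conn_bytes, dst="192.168.88.50"):
    """Build a constructed WAN-to-LAN packet for the model."""
    return {"src": src, "dst": dst, "proto": proto_, "sport": sport,
            "dport": 50000, "in_wan": True, "conn_bytes": conn_bytes}

if __name__ == "__main__":
    for size in (5_000, 50_000, 5_000_000):  # same HTTPS flow as it grows
        print(size, final_packet_mark(download("198.51.100.7", "tcp", 443, size)))
```

In this model the same HTTPS connection is marked SUPER-HIGH-DOWNLOAD for its first 10 kB, HIGH-DOWNLOAD up to 100 kB and NORMAL-DOWNLOAD after that, because with passthrough=yes the last matching section overwrites the earlier marks.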
 
hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

Re: How to QoSing this correctly?

Wed May 31, 2023 12:33 pm

And the second question is: why does some upload get double queued?
 
hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

Re: How to QoSing this correctly?

Tue Jun 06, 2023 2:01 pm

Any opinions, pls)
 
Joni
Member Candidate
Posts: 156
Joined: Fri Mar 20, 2015 2:46 pm

Re: How to QoSing this correctly?

Fri Jun 09, 2023 9:39 pm

Why so much complexity? How about you try something simple generic and tell where it fails.
/queue type
add kind=sfq name=sfq

/queue simple
add limit-at=2M/2M max-limit=25M/25M name="Simple" queue=pcq-upload-default/pcq-download-default target=192.168.7.0/24 total-queue=sfq
add name="Xbox" parent="Simple" priority=3/3 queue=pcq-upload-default/pcq-download-default target=192.168.7.230/32,192.168.7.231/32 total-queue=sfq

/queue simple move "Xbox" destination=0

192.168.7.0/24 is your LAN subnet, could be much more.


Unfortunately due to how RouterOS exports these and since they can't be input in reverse, child before parent, you have to reorder them so the more specific mask is first.

Every IP gets 2Mbps, up and down, or dynamically more from 25Mbps pool if not used by other IPs.
Each IP's traffic PCQ fair queued between destination IPs (responsiveness between a single IP's own traffic, VOIP and Download) and SFQ balance queued in total (Small first, Rest later).
Xbox is cheating... still getting an equal share, just sooner than default.

So anything between, with only 1 user getting the whole 25Mbps or divided between 12 users each getting 2Mbps. 2Mbps guaranteed for "all users" (max-limit / limit-at), if not used then shared to anyone else.
 
hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

Re: How to QoSing this correctly?

Mon Jun 26, 2023 9:32 am

> Why so much complexity?
The point is, for example, to prevent the channel from filling up with fat traffic (like videos) (1 due to limited LTE speed, 2 due to limited LTE traffic - with the group name LOW I do all youtube playback as 360p).
 
Rox169
Member
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: How to QoSing this correctly?

Mon Jun 26, 2023 10:13 am

If you want to simplify it, just use QOS CAKE for your whole bandwidth and it will make sure that your VoIP, video, etc. has enough bandwidth and is not killed by torrents etc., and it will juice your bandwidth to the maximum.
 
Joni
Member Candidate
Posts: 156
Joined: Fri Mar 20, 2015 2:46 pm

Re: How to QoSing this correctly?

Mon Jun 26, 2023 11:46 am

> just use QOS CAKE
Post example configuration, or it didn't happen.
Can't wait for that "just" oneliner.
 
hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

Re: How to QoSing this correctly?

Mon Jun 26, 2023 12:23 pm

> > just use QOS CAKE
> Post example configuration, or it didn't happen.
> Can't wait for that "just" oneliner.
I can answer for him, but that doesn't solve the "youtube" problem. 2 lines is ok?)
/queue type add cake-diffserv=besteffort cake-nat=yes kind=cake name=Q-cake
/queue simple add bucket-size=0.01/0.01 limit-at=5M/5M max-limit=25M/25M name=QUEUE queue=Q-cake/Q-cake target=192.168.88.0/24
Last edited by hagoyi on Wed Jun 28, 2023 6:43 pm, edited 2 times in total.
 
Rox169
Member
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: How to QoSing this correctly?

Mon Jun 26, 2023 1:10 pm

You can use some settings on CAKE; here you have some explanation.

besteffort does not attempt any differentiation between diffserv classes. It is equivalent to fq_codel in this mode, except it uses an 8-way set associative method to (nearly) guarantee each flow its own queue, and the default triple-isolate mode tries to share fairly, also, between hosts.

diffserv3 is the default for cake, but with the rise of videoconferencing, many folk have shifted to diffserv4, which allocates even more bandwidth for videoconferencing flows.
You can do additional classification into these tins via tc filters.

diffserv4
Provides a general-purpose Diffserv implementation with four tins:
  • Bulk (CS1, LE in kernel v5.9+), 6.25% threshold, generally low priority.
  • Best Effort (general), 100% threshold.
  • Video (AF4x, AF3x, CS3, AF2x, CS2, TOS4, TOS1), 50% threshold.
  • Voice (CS7, CS6, EF, VA, CS5, CS4), 25% threshold.

diffserv3 (default)
Provides a simple, general-purpose Diffserv implementation with three tins:
  • Bulk (CS1, LE in kernel v5.9+), 6.25% threshold, generally low priority.
  • Best Effort (general), 100% threshold.
  • Voice (CS7, CS6, EF, VA, TOS4), 25% threshold, reduced
 
hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

Re: How to QoSing this correctly?

Thu Jun 29, 2023 6:20 pm

I completely cut out the mangle rules and switched to Simple Queues instead of Trees. Is it better now?
  • Is the queue order correct?
  • Do I need to set the max limits for the NORMAL queue again if they are the same as the limits of the parent queue?
  • Are the queue types correct? Do I need to specify the total-queue type?

Mangle (to catch video traffic to LOW)
/ip firewall mangle
add action=add-dst-to-address-list address-list=UNLIMTRAFFIC address-list-timeout=1w chain=forward comment="Add *googlevideo.com  to UNLIMTRAFFIC list" dst-address-list=!UNLIMTRAFFIC port=443 protocol=tcp tls-host=*googlevideo.com
add action=add-dst-to-address-list address-list=UNLIMTRAFFIC address-list-timeout=1w chain=forward comment="Add *tiktok*  to UNLIMTRAFFIC list" dst-address-list=!UNLIMTRAFFIC port=443 protocol=tcp tls-host=*tiktok*
add action=add-dst-to-address-list address-list=UNLIMTRAFFIC address-list-timeout=1w chain=forward comment="Add *twitch* to UNLIMTRAFFIC list" dst-address-list=!UNLIMTRAFFIC port=443 protocol=tcp tls-host=*twitch*
add action=mark-packet chain=forward comment="UNLIMTRAFFIC LOW-DOWNLOAD" src-address-list=UNLIMTRAFFIC new-packet-mark=LOW passthrough=no
add action=mark-packet chain=forward comment="UNLIMTRAFFIC LOW-UPLOAD" dst-address-list=UNLIMTRAFFIC new-packet-mark=LOW passthrough=no
New queues:
/queue type
add cake-diffserv=diffserv4 cake-flowmode=dual-dsthost cake-mpu=84 cake-nat=yes cake-overhead=44 kind=cake name=Q-dn
add cake-diffserv=diffserv4 cake-flowmode=dual-srchost cake-mpu=84 cake-nat=yes cake-overhead=44 kind=cake name=Q-up
/queue simple
add burst-limit=30M/30M burst-threshold=512k/512k burst-time=3s/3s limit-at=1M/1M max-limit=20M/20M name=QoS target=bridge-local,bridge-guest
add bucket-size=0.01/0.01 max-limit=20M/20M name=1-VOIP parent=QoS priority=1/1 queue=Q-up/Q-dn target=192.168.88.222/32
add bucket-size=0.01/0.01 burst-limit=5M/5M burst-threshold=512k/512k burst-time=3s/3s max-limit=1M/1M name=8-LOW packet-marks=LOW parent=QoS queue=Q-up/Q-dn
add bucket-size=0.01/0.01 burst-limit=30M/30M burst-threshold=512k/512k burst-time=3s/3s max-limit=20M/20M name=6-NORMAL parent=QoS priority=6/6 queue=Q-up/Q-dn target=bridge-local
add bucket-size=0.01/0.01 burst-limit=5M/5M burst-threshold=512k/512k burst-time=3s/3s max-limit=1M/1M name=7-GUEST parent=QoS priority=7/7 queue=Q-up/Q-dn target=bridge-guest
 
hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

Re: How to QoSing this correctly?

Thu Jun 29, 2023 9:33 pm

Found out that traffic is double-queued when it is intra-VPN exchanged, and the target is set as an interface. Changed target to LAN pool and now it displays correctly.
I also simplified the rules a bit. Is everything right this time?
/queue simple
add burst-limit=20M/30M burst-threshold=512k/512k burst-time=3s/3s limit-at=1M/1M max-limit=15M/20M name=QoS target=bridge-local,bridge-guest
add bucket-size=0.01/0.01 name=1-VOIP parent=QoS priority=1/1 queue=Q-up/Q-dn target=192.168.88.222/32
add bucket-size=0.01/0.01 name=6-NORMAL packet-marks=no-mark parent=QoS priority=6/6 queue=Q-up/Q-dn target=192.168.88.0/24
add bucket-size=0.01/0.01 burst-limit=5M/5M burst-threshold=512k/512k burst-time=3s/3s max-limit=1M/2M name=7-GUEST packet-marks=no-mark parent=QoS priority=7/7 queue=Q-up/Q-dn target=192.168.99.0/24
add bucket-size=0.01/0.01 max-limit=1M/1M name=8-LOW packet-marks=LOW parent=QoS queue=Q-up/Q-dn target=""
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: How to QoSing this correctly?

Thu Jun 29, 2023 11:00 pm

Talking about QoS of VPN traffic is a challenge, because that traffic "weighs" more when it is encapsulated "inside" the VPN.
