 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

DSCP TOS - Unable to mark

Sun May 29, 2022 11:47 am

Hi guys,

I'm just trying to implement Queue Tree to prioritize traffic. Everything is OK except that I can't mark connections based on TOS. For example, I would like to mark all video traffic and put that traffic at low priority in the tree.

When I packet sniff incoming traffic I see that it has 0 value in TOS:

Image

I added a firewall mangle rule to catch this kind of traffic, but it can't see it:
Image

Any ideas?

Thanks
 
mixig
Member
Posts: 315
Joined: Thu Oct 27, 2011 2:19 pm

Re: DSCP TOS - Unable to mark

Sun May 29, 2022 1:44 pm

Provide full config: ip firewall mangle export
 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Re: DSCP TOS - Unable to mark

Sun May 29, 2022 2:20 pm

Provide full config: ip firewall mangle export
add action=mark-connection chain=forward comment=Stream layer7-protocol="Video Streaming" new-connection-mark=Stream passthrough=yes
add action=mark-packet chain=forward connection-mark=Stream new-packet-mark=Video passthrough=no
add action=mark-packet chain=forward comment=Video connection-mark=Video new-packet-mark=Video passthrough=no
add action=mark-connection chain=prerouting comment=Browsing connection-bytes=0-1000000 in-interface=WAN new-connection-mark=Browsing passthrough=yes protocol=tcp src-port=80,443
add action=mark-packet chain=prerouting comment=Browsing connection-mark=Browsing new-packet-mark=Browsing passthrough=no
add action=mark-connection chain=prerouting comment=Download connection-bytes=1000000-0 in-interface=WAN new-connection-mark=Download passthrough=yes protocol=tcp src-port=80,443
add action=mark-packet chain=prerouting comment=Download connection-mark=Download new-packet-mark=Download passthrough=no
add action=mark-packet chain=forward comment=ICMP connection-mark=ICMP new-packet-mark=ICMP passthrough=no
add action=mark-packet chain=forward dst-address-list=!Local dst-port=80 new-packet-mark=HTTP passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=443 new-packet-mark=HTTPS passthrough=no protocol=tcp
add action=mark-packet chain=forward new-packet-mark=UDP-100 packet-size=0-100 passthrough=no protocol=udp
add action=mark-packet chain=forward new-packet-mark=UDP-500 packet-size=100-500 passthrough=no protocol=udp
add action=mark-packet chain=forward new-packet-mark=UDP-Other passthrough=no protocol=udp
add action=mark-packet chain=forward dst-port=110 new-packet-mark=POP3 passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=25 new-packet-mark=SMTP passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=143 new-packet-mark=IMAP passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=587 new-packet-mark=SMTPS passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=995 new-packet-mark=POP3S passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=993 new-packet-mark=IMAPS passthrough=no protocol=tcp
add action=mark-packet chain=forward new-packet-mark=GRE passthrough=no protocol=gre
add action=mark-packet chain=forward new-packet-mark=IPSec-ESP passthrough=no protocol=ipsec-esp
add action=mark-packet chain=forward new-packet-mark=IPSec-AH passthrough=no protocol=ipsec-ah
add action=mark-packet chain=forward new-packet-mark=IPEncap passthrough=no protocol=ipencap
add action=mark-packet chain=forward new-packet-mark=IPIP passthrough=no protocol=ipip
# p2p matcher is obsolete please use layer7 matcher instead
add action=mark-packet chain=forward new-packet-mark=P2P p2p=all-p2p passthrough=no
add action=mark-packet chain=forward comment="All other" new-packet-mark=Other packet-mark=no-mark passthrough=no
add action=mark-connection chain=forward comment=ICMP new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting comment="New Connection" connection-state=new new-connection-mark=no-mark passthrough=yes
add action=mark-packet chain=prerouting new-packet-mark=no-mark passthrough=yes
add action=mark-connection chain=prerouting comment=Video dscp=61 new-connection-mark=Video passthrough=yes protocol=udp
 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Re: DSCP TOS - Unable to mark

Sun May 29, 2022 3:37 pm

Also, when I watch YouTube and monitor its traffic using Wireshark, the DSCP value is always either 0 or 4:
 
User avatar
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: DSCP TOS - Unable to mark

Mon May 30, 2022 11:10 am

So you want to set DSCP or match DSCP? With the current rule set you are trying to match a specific value.
 
pe1chl
Forum Guru
Posts: 10237
Joined: Mon Jun 08, 2015 12:09 pm

Re: DSCP TOS - Unable to mark

Mon May 30, 2022 2:51 pm

When your goal is to prioritize traffic in a couple of different categories, it is best to first evaluate the typical TOS values observed in the traffic and, when it is not to your liking, adjust it (e.g. from 0 to some other value).
Then, copy the TOS to the priority field of the packets using:
/ip firewall mangle
add action=set-priority chain=postrouting comment="From dscp high 3 bits" \
    new-priority=from-dscp-high-3-bits passthrough=yes
This will copy the highest 3 bits of the TOS (DSCP) into the priority, giving 8 different priority classes to work with, usually more than enough.
Now, you can set some packet marks from this:
add action=mark-packet chain=postrouting comment="Priority 0" \
    new-packet-mark=prio0 passthrough=no priority=0
add action=mark-packet chain=postrouting comment="Priority 1" \
    new-packet-mark=prio1 passthrough=no priority=1
add action=mark-packet chain=postrouting comment="Priority 2" \
    new-packet-mark=prio2 passthrough=no priority=2
add action=mark-packet chain=postrouting comment="Priority 3" \
    new-packet-mark=prio3 passthrough=no priority=3
add action=mark-packet chain=postrouting comment="Priority 4" \
    new-packet-mark=prio4 passthrough=no priority=4
add action=mark-packet chain=postrouting comment="Priority 5" \
    new-packet-mark=prio5 passthrough=no priority=5
add action=mark-packet chain=postrouting comment="Priority 6" \
    new-packet-mark=prio6 passthrough=no priority=6
add action=mark-packet chain=postrouting comment="Priority 7" \
    new-packet-mark=prio7 passthrough=no priority=7
so you have a different packet mark for each priority value. You can then use these packet marks in a queue tree:
/queue tree
add comment="Internet 10 Mbps uplink" limit-at=9500k max-limit=9500k name=\
    queue-ether1 parent=ether1-inet queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p1 packet-mark=prio7 parent=\
    queue-ether1 priority=1 queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p2 packet-mark=prio6 parent=\
    queue-ether1 priority=2 queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p3 packet-mark=prio5 parent=\
    queue-ether1 priority=3 queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p4 packet-mark=prio4 parent=\
    queue-ether1 priority=4 queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p5 packet-mark=prio3 parent=\
    queue-ether1 priority=5 queue=default
add limit-at=2M max-limit=8M name=queue-ether1-p6 packet-mark=prio0 parent=\
    queue-ether1 priority=6 queue=default
add limit-at=2M max-limit=5M name=queue-ether1-p7 packet-mark=prio2 parent=\
    queue-ether1 priority=7 queue=default
add limit-at=2M max-limit=5M name=queue-ether1-p8 packet-mark=prio1 parent=\
    queue-ether1 queue=default
Note the "strange order" of the last 3 lines, that is because the top 3 bits of TOS are defined in that strange way to
allow priorities 1 and 2 to be "below normal" where normal was defined as 0. Due to an oversight in the original
TOS definition one could only specify priorities higher than normal.

(what we really need from MikroTik is a function to set priority from DSCP in a way that reflects the common usage
of DSCP code points. But often the above method is good enough. DSCP "assured forwarding" code points can
sometimes be problematic)
 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Re: DSCP TOS - Unable to mark

Tue May 31, 2022 11:13 am

Thanks!!!

So, actually I can just replace my queue tree with yours and forget about classifying things with their names and protocols, right? By the way, is it required to set bandwidth limits?

I tested the mangle priorities; prio0 is active when I watch a movie, but I wonder which priority is "responsible" for ping packets, for example? Because all I see now is that only prio0 and prio6 are showing bytes and packets.
 
pe1chl
Forum Guru
Posts: 10237
Joined: Mon Jun 08, 2015 12:09 pm

Re: DSCP TOS - Unable to mark

Tue May 31, 2022 12:05 pm

Yes, I use those queue trees on many routers. You need to set the limit-at and max-limit at top level to some 5% less than the actual upload speed of your line, and the max-limit of each priority to maybe 80-90% of that. It depends on the local situation: when you have only cooperating users, these settings are OK; when you have people who like to exploit the system to their advantage, you want to set a lower max-limit for the high priorities (prio3-7).
The limit-at for the 8 queues is not that important, you can set it to 1/4 of the speed.

Now your next issue is "first evaluate the typical TOS values observed in the traffic and when it is not to your liking, adjust it".
You need to check what different TOS values are seen in your system for the different protocols you use (e.g. use TORCH and enable the DSCP item).
When they are not to your liking, you can match the protocols or addresses and adjust the TOS values. That would be done ABOVE the mangle rules shown.

It is a good idea to use connection marking to mark the connections you want to change, and then change TOS based on these connection markings.
That way you are sure the marking works in both directions.
Example:
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Traffic from cam -> mark for lower prio" connection-mark=no-mark dscp=0 \
    in-interface=bridge.vlan58 new-connection-mark=cs2 passthrough=yes \
    protocol=tcp src-address=1.2.3.4
add action=mark-connection chain=prerouting comment=\
    "Traffic from nvr -> mark for lower prio" connection-mark=no-mark dscp=0 \
    in-interface=bridge.vlan58 new-connection-mark=cs2 passthrough=yes \
    protocol=tcp src-address=1.2.3.4 src-port=554
add action=mark-connection chain=prerouting comment=\
    "Traffic from webstream -> mark for lower prio" connection-mark=no-mark \
    dscp=0 dst-port=1935 in-interface=bridge.vlan58 new-connection-mark=cs2 \
    passthrough=yes protocol=tcp

add action=change-dscp chain=postrouting comment=\
    "cs1 marked connection -> DSCP 8" connection-mark=cs1 dscp=0 new-dscp=8 \
    passthrough=yes
add action=change-dscp chain=postrouting comment=\
    "cs2 marked connection -> DSCP 16" connection-mark=cs2 dscp=0 new-dscp=16 \
    passthrough=yes
add action=change-dscp chain=postrouting comment=\
    "cs3 marked connection -> DSCP 24" connection-mark=cs3 dscp=0 new-dscp=24 \
    passthrough=yes
Here, some traffic is matched (similar to what you did above) and a connection mark
is put on it, and then the traffic with that connection mark, but with TOS/DSCP 0, is
changed to another TOS/DSCP.
That is then fed into the 8-queue solution shown above.
In this case, cs1 is lowest priority, cs2 is one step higher, the next level is the default (DSCP 0),
and cs3 is again a priority level above that (prio3).
Devices that know they need a higher priority (like VoIP phones), will set a DSCP like 46
which will map to prio5.
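
The mapping described in the two pe1chl posts above, as an added example that is not part of the thread: a Python model of from-dscp-high-3-bits, the prioN packet marks and the queue-tree order, run over the DSCP values mentioned in this topic. The AF code points and the priority 8 for the prio1 queue (the RouterOS default) are assumptions of the example.

```python
# Added example, not from the thread: models the mangle and queue-tree rules
# quoted above so the DSCP -> packet mark -> queue mapping can be checked.

# Queue-tree priority (1 is served first) per packet mark, copied from the
# /queue tree export above. The prio1 queue sets no priority there; 8 (the
# RouterOS default) is assumed for it.
QUEUE_PRIORITY = {"prio7": 1, "prio6": 2, "prio5": 3, "prio4": 4,
                  "prio3": 5, "prio0": 6, "prio2": 7, "prio1": 8}

# Constructed sample: DSCP values named in the thread, plus the standard
# AF11/AF21/AF31/AF41 code points for comparison.
SAMPLE_DSCP = {"default": 0, "seen on YouTube": 4, "cs1": 8, "cs2": 16,
               "cs3": 24, "VoIP (EF)": 46, "dscp=61 rule": 61,
               "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34}


def dscp_from_tos(tos_byte: int) -> int:
    """DSCP is the upper six bits of the IPv4 TOS byte (low two are ECN)."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError(f"TOS byte out of range: {tos_byte}")
    return tos_byte >> 2


def packet_mark(dscp: int) -> str:
    """Mark set by from-dscp-high-3-bits plus the priority=N mangle rules."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    return f"prio{dscp >> 3}"


def queue_rank(dscp: int) -> int:
    """Queue-tree priority the packet ends up in (lower is served first)."""
    return QUEUE_PRIORITY[packet_mark(dscp)]


def above_default(dscp: int) -> bool:
    """True when the sender's DSCP buys a better queue than DSCP 0 gets."""
    return queue_rank(dscp) < queue_rank(0)


def report() -> list[str]:
    return [f"{name:16} dscp={d:2} -> {packet_mark(d)} queue priority "
            f"{queue_rank(d)}{' (above default)' if above_default(d) else ''}"
            for name, d in SAMPLE_DSCP.items()]


if __name__ == "__main__":
    print("\n".join(report()))
```

The marks for which above_default() is true are exactly prio3 to prio7, the classes for which a lower max-limit is suggested above when users set their own DSCP.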
