 
alexandr777
just joined
Topic Author
Posts: 7
Joined: Sun Aug 28, 2022 9:54 pm

Problems with queues

Sun Aug 28, 2022 10:03 pm

Hello everyone. Here I sit and think what I'm doing wrong. It seems to be a simple task, but it does not work out to solve it. I want to use simple queues to limit the Internet speed from a certain IP. The task is simple, but it has led me to a dead end. There is RBD52G-5HacD2HnD, Version ROS 7.4.1. The Internet is connected to it via PPPOE. Creating a queue:
/queue simple
add dst=pppoe-out-dom.ru max-limit=3M/3M name=queue1 target=192.168.77.15/32
pppoe-out-dom.ru this is a PPPOE connection that leads to the Internet.
I run the speedtest, but it does not show that the speed is limited by the queue rule. On the traffic tab in the queue, the counter is not moving.
 
sa3ooody
just joined
Posts: 3
Joined: Tue Aug 14, 2018 2:35 am

Re: Problems with queues

Tue Aug 30, 2022 10:23 pm

hello there, can you send all config to fix it
 
alexandr777
just joined
Topic Author
Posts: 7
Joined: Sun Aug 28, 2022 9:54 pm

Re: Problems with queues

Tue Aug 30, 2022 11:02 pm

> hello there, can you send all config to fix it
If it's convenient for you, I can post them here. Tell me which configuration blocks you are interested in, I will publish them here.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Problems with queues

Tue Aug 30, 2022 11:13 pm

For a queue to be able to act on traffic, that traffic must not be fasttracked. Default firewall fasttracks almost everything (except IPsec). One possible solution is to add firewall filters which accept traffic to and from that particular IP address and place them above the fasttrack rule.
 
alexandr777
just joined
Topic Author
Posts: 7
Joined: Sun Aug 28, 2022 9:54 pm

Re: Problems with queues

Wed Aug 31, 2022 8:23 am

> For a queue to be able to act on traffic, that traffic must not be fasttracked. Default firewall fasttracks almost everything (except IPsec). One possible solution is to add firewall filters which accept traffic to and from that particular IP address and place them above the fasttrack rule.
Good afternoon. The first thing I did was check if the fast track was disabled.
 
AidanAus
Member Candidate
Posts: 177
Joined: Wed May 08, 2019 7:35 am
Location: Australia

Re: Problems with queues

Wed Aug 31, 2022 8:47 am

Is the source and destination of this traffic on the same subnet? If so that would be the issue as the traffic would never hit the queue.
I think more information about the issue is needed, such as the destination and source of the traffic, what is in between these as well as the configuration from the device with the queues so we can get a better idea of what is going on rather than us all taking shots in the dark :)
 
alexandr777
just joined
Topic Author
Posts: 7
Joined: Sun Aug 28, 2022 9:54 pm

Re: Problems with queues

Wed Aug 31, 2022 9:11 am

> Is the source and destination of this traffic on the same subnet? If so that would be the issue as the traffic would never hit the queue.
> I think more information about the issue is needed, such as the destination and source of the traffic, what is in between these as well as the configuration from the device with the queues so we can get a better idea of what is going on rather than us all taking shots in the dark :)
Drew a diagram
shema.png
On the router Hap ac2, I add a simple queue.
/queue simple
add disabled=yes max-limit=10M/10M name=queue2 target=192.168.77.20/32
Then on the computer 192.168.77.10 I start downloading the file from NAS 192.168.77.20, but the speed is not limited.

export CRS109 Settings:
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment=UpLink
set [ find default-name=ether3 ] comment=F2-210
set [ find default-name=ether5 ] comment=F2-221
set [ find default-name=ether7 ] comment=MyPC
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
/interface ethernet switch shaper
add disabled=yes port=ether5 rate=10M
/lcd
set backlight-timeout=never default-screen=informative-slideshow
/lcd screen
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=CRS109-8G-1S-2HnD
/system routerboard settings
set auto-upgrade=yes
/tool sniffer
set file-name=camera.cap filter-interface=ether8 memory-limit=1000KiB
export hap ac2
# aug/30/2022 22:53:08 by RouterOS 7.4.1

/interface bridge
add admin-mac=74:4D:28:E5:00:BB auto-mac=no comment=defconf name=bridge
add name=bridge-HMA
/interface ethernet
set [ find default-name=ether1 ] comment="WAN ppoe"
set [ find default-name=ether2 ] comment=HP
set [ find default-name=ether3 ] comment=UpLink
set [ find default-name=ether4 ] comment="NAS2 (white)"
set [ find default-name=ether5 ] comment="NAS1 (black)"
/interface ovpn-client
add connect-to=name_vpn mac-address=02:36:4D:5E:A4:75 name=\
    ovpn-out-fornex.com port=443 protocol=udp user=username
/interface pppoe-client
add add-default-route=yes comment="internet" disabled=no interface=\
    ether1 name=pppoe_name user=user
/interface wireguard
add listen-port=1344 mtu=1420 name=wireguard1
/disk
set usb1 disabled=no
set usb1-part1 disabled=no name=disk1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WiFI
add name=HMA
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
    dynamic-keys name=AP-MT-2G supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
    dynamic-keys name=HMA supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    comment="2.4 Ghz" country=russia3 disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge radio-name=h-gw security-profile=\
    AP-MT-2G ssid=AP-MT-2G wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX comment="5 Ghz" country=russia3 disabled=no distance=\
    indoors frequency=auto installation=indoor mode=ap-bridge radio-name=h-gw \
    security-profile=AP-MT-2G ssid=AP-MT-5G wireless-protocol=802.11 \
    wps-mode=disabled
add comment=HMA disabled=no keepalive-frames=disabled mac-address=\
    76:4D:28:E5:00:BF master-interface=wlan1 multicast-buffering=disabled \
    name=wlan3 security-profile=HMA ssid=HideMyAss wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add comment=HMA disabled=no keepalive-frames=disabled mac-address=\
    76:4D:28:E5:00:C0 master-interface=wlan2 multicast-buffering=disabled \
    name=wlan4 security-profile=HMA ssid=HideMyAss wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface wireless nstreme
set wlan1 comment="2.4 Ghz"
set wlan2 comment="5 Ghz"
set *C comment=HMA
set *D comment=HMA
/interface wireless manual-tx-power-table
set wlan1 comment="2.4 Ghz"
set wlan2 comment="5 Ghz"
set wlan3 comment=HMA
set wlan4 comment=HMA
/ip pool
add name=default-dhcp ranges=192.168.77.10-192.168.77.254
add name=ovpn_pool0 ranges=10.8.8.100-10.8.8.199
add name=dhcp_pool2 ranges=192.168.168.2-192.168.168.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=2d name=defconf
add address-pool=dhcp_pool2 interface=bridge-HMA lease-time=1h10m name=\
    dhcp-HMA
/ppp profile
add local-address=10.8.8.1 name=ovpn remote-address=ovpn_pool0
/queue simple
add disabled=yes dst=pppoe_name max-limit=3M/3M name=queue1 target=\
    192.168.77.15/32
add disabled=yes max-limit=10M/10M name=queue2 target=192.168.77.15/32
add disabled=yes max-limit=10M/10M name=queue3 target=192.168.77.30/32
add disabled=yes dst=ether4 max-limit=10M/10M name=queue4 target=\
    192.168.77.0/24
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/routing table
add disabled=no fib name=HMA-WG
add disabled=no fib name=RKN-table
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge-HMA interface=wlan3
add bridge=bridge-HMA interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe_name list=WAN
add interface=wlan1 list=WiFI
add interface=wlan2 list=WAN
add interface=bridge-HMA list=HMA
/interface wireless access-list
add authentication=no comment=Dell mac-address=1C:BF:CE:A4:23:96
/ip address
add address=192.168.77.1/24 comment=defconf interface=bridge network=\
    192.168.77.0
add address=192.168.168.1/24 interface=bridge-HMA network=192.168.168.0
add address=174.16.0.1/24 interface=wireguard1 network=174.16.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.77.254 client-id=1:68:39:43:aa:30:85 mac-address=\
    68:39:43:AA:30:85 server=defconf
/ip dhcp-server network
add address=192.168.77.0/24 comment=defconf dns-server=192.168.77.1 gateway=\
    192.168.77.1
add address=192.168.168.0/24 dns-server=192.168.168.1 gateway=192.168.168.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.77.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.77.0/24 list="winbox acess"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=13231 in-interface=pppoe_name \
    protocol=udp src-address=92.241.17.146
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 in-interface=pppoe_name \
    protocol=tcp src-address-list="winbox acess"
add action=accept chain=input comment="Open VPN" dst-port=1194 in-interface=\
    pppoe_name log-prefix=-VPN- protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=RKN \
    new-routing-mark=RKN-table passthrough=no src-address=192.168.77.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="NAT for OpenVPN users" disabled=yes \
    out-interface=*A src-address-list=VPN-client to-addresses=192.168.77.1
add action=masquerade chain=srcnat comment=SRC-NAT-fornex out-interface=\
    ovpn-out-fornex.com
add action=masquerade chain=srcnat disabled=yes out-interface=wireguard1 \
    src-address=192.168.77.0/24
/ip firewall raw
add action=add-src-to-address-list address-list="Blocked IP's" \
    address-list-timeout=1w chain=prerouting comment="Port scanners to list" \
    in-interface-list=WAN log=yes protocol=tcp psd=21,3s,3,1 \
    src-address-list="!Blocked IP's"
add action=drop chain=prerouting in-interface-list=WAN log-prefix=Port_scan \
    src-address-list="Blocked IP's"
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ovpn-out-fornex.com \
    pref-src=0.0.0.0 routing-table=HMA-WG scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.168.0/24 gateway=bridge-HMA \
    routing-table=HMA-WG suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ovpn-out-fornex.com \
    pref-src=0.0.0.0 routing-table=RKN-table scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.66.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=10.0.1.0/24 gateway=wireguard1 routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=10.0.2.0/24 gateway=wireguard1 routing-table=main \
    suppress-hw-offload=no
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.168.0/24 \
    table=HMA-WG
I have removed some information about VPN and about the ipv6 firewall
Last edited by alexandr777 on Thu Sep 01, 2022 5:49 pm, edited 5 times in total.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Problems with queues

Wed Aug 31, 2022 9:52 pm

OK, so we're talking about a switch with HW offload active. And in this case traffic never gets near the CRS's CPU (it's handled by the switch chip), hence queues can't work. If you disable HW offload on one of the involved ports and thus force traffic to pass the CPU, queues may start to work. But that port will not be able to work at wirespeed because all of the traffic travelling through that port will be handled by the sloooow CPU.
 
alexandr777
just joined
Topic Author
Posts: 7
Joined: Sun Aug 28, 2022 9:54 pm

Re: Problems with queues

Wed Aug 31, 2022 10:14 pm

> OK, so we're talking about a switch with HW offload active. And in this case traffic never gets near the CRS's CPU (it's handled by the switch chip), hence queues can't work. If you disable HW offload on one of the involved ports and thus force traffic to pass the CPU, queues may start to work. But that port will not be able to work at wirespeed because all of the traffic travelling through that port will be handled by the sloooow CPU.
And why would it go through a CRS processor? Should it pass through "hap ac2" where I set up a simple queue?
CRS is just like an L2 switch and that's it. Look in the manuals for setting up simple queues and tell me where it says to disable HW?
Or say I'm wrong, but then rely on the documentation in the wiki
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Problems with queues

Wed Aug 31, 2022 10:30 pm

So why are you posting config of CRS if it has nothing to do with the issue?

You need to show the config of device that doesn't perform according to your expectations.

Anyway, neither CRS1xx nor hAP ac2 offload anything from CPU processes to hardware (unlike CRS3xx or some other device models) - simple switching is a notable exception. If you want CRS1xx or hAP ac2 to do something in hardware (i.e. switch chip), then you have to configure it under /interface ethernet switch and sub-tree. Manuals indeed don't say anything about disabling HW offload, so you will either take my word and try it (and see if queues start to limit traffic) or you'll keep waiting for another idea (which might never come).
 
AidanAus
Member Candidate
Posts: 177
Joined: Wed May 08, 2019 7:35 am
Location: Australia

Re: Problems with queues

Thu Sep 01, 2022 8:33 am

Just to further clarify, I don't think this is an issue with the hardware offloading; this is just how traffic works on layer 2 domains as well as how MikroTik handles the traffic flow.
Obviously this is directed at OP rather than MKX, even though this sort of looks like a reply?

So to understand why this is not working you will need to understand how same-subnet traffic works. To put it simply, we don't route, we ARP. If you have a look at your routing table you will notice some dynamic routes with DAC (dynamic, active, connected) that get put into the device automatically when installing an IP address, and if you look at the gateway you will notice that it is an interface, not an IP address.
To put it simply, when the router sees this it will know that it has to use ARP to find out who owns that IP address rather than just being forwarded on to a router that has a path to get to that address.
So when you try to go to the same subnet your device will send out a broadcast and say "hey, who has x.x.x.x" and everyone on the same layer 2 domain (do not get that confused with same broadcast domain, as that is to do with IP addresses/subnets, not layer 2 connectivity in general); from there, if someone has the address they will reply and say "yep, that's mine, here is my MAC address if ya wanna chat", then they both put each other's MAC-address-to-IP translation in their ARP table for a little while.

That's as simple as I can make it. If you would like something more in depth let me know, and if I have time I'll write up something a bit more 'official', but the important thing here is to know that we 'don't route' to same-subnet devices, we use ARP :)


OK, now that we know we are not going through any of the routing forwarding tables we can get an idea of what the traffic is doing. Now we need to pair this up with the packet flow; if you look at: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
This explains how the traffic moves around the router and what processes will be hit.
It might be hard to follow, but if you look at the overall packet flow our traffic will come in from the physical in-interface on the left there and then go into the bridge from section A. In the bridging diagram it shows you how this traffic will flow: since the traffic is not coming from outside the router and is destined for an address not on this router this will not be an input chain; instead, since the traffic is originating from outside the router and is destined for an address not on this router, it will be a forward chain packet.

So you can see in here that the traffic will not be processed by anything to do with the queues, which is over in the routing diagram section. This will be regardless of hardware offloading, as that is more about whether the traffic is handled by the CPU or by the switch chip.

Going back to the bridging diagram, if you look there is a section saying use-ip-firewall? At these points, if you enable this setting in the bridge, the traffic is able to be processed by the prerouting, forward and postrouting chains of the IP firewall.


Hopefully you can follow along with that explanation. I know I'm not the best at explaining, so if you don't understand any part of this let me know and I'll try and follow up with something better :)
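
Added example (not code from any poster in this thread or from MikroTik): a small Python check that reads a RouterOS export and reports the conditions raised in this thread that keep a simple queue's counters at zero, namely a disabled queue, same-subnet traffic that is never routed, and fasttrack with no accept rules for the host above it. The sample export is constructed, the finding labels are invented for this example, and rule matching is simplified to plain src-address/dst-address fields.

```python
import ipaddress
import re
import shlex

# Constructed sample: a shortened export in the style of the hAP ac2 config in this thread.
SAMPLE_EXPORT = r'''
/queue simple
add disabled=yes max-limit=10M/10M name=queue2 target=192.168.77.15/32
/ip address
add address=192.168.77.1/24 comment=defconf interface=bridge network=\
    192.168.77.0
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
'''

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash line continuations
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:])
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def _covers(field, ip):
    """True if the address or prefix in a config field contains ip."""
    try:
        return ip in ipaddress.ip_network(field, strict=False)
    except ValueError:  # interface names, negations, ranges: not handled here
        return False

def diagnose(cfg, src, dst):
    """Reasons a simple queue targeting src would not count src<->dst traffic."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    queues = [q for q in cfg.get("/queue simple", []) if _covers(q.get("target", ""), src)]
    if not queues:
        findings.append("no-queue-for-target")
    elif all(q.get("disabled") == "yes" for q in queues):
        findings.append("queue-disabled")
    # Same connected subnet: the hosts ARP for each other, nothing is routed.
    for addr in cfg.get("/ip address", []):
        if _covers(addr["address"], src) and _covers(addr["address"], dst):
            return findings + ["same-subnet-not-routed"]
    # Routed: accept rules for the host in both directions must precede fasttrack.
    exempt = set()
    for rule in cfg.get("/ip firewall filter", []):
        if rule.get("chain") != "forward" or rule.get("disabled") == "yes":
            continue
        if rule.get("action") == "accept":
            exempt |= {k for k in ("src-address", "dst-address")
                       if _covers(rule.get(k, ""), src)}
        elif rule.get("action") == "fasttrack-connection":
            if len(exempt) < 2:
                findings.append("fasttracked")
            break
    return findings
```

An empty list from `diagnose(parse_export(export_text), "192.168.77.15", "203.0.113.10")` means none of the three conditions was found for that pair of hosts.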
 
alexandr777
just joined
Topic Author
Posts: 7
Joined: Sun Aug 28, 2022 9:54 pm

Re: Problems with queues

Thu Sep 01, 2022 9:11 am

> So why are you posting config of CRS if it has nothing to do with the issue?
>
> You need to show the config of device that doesn't perform according to your expectations.
>
> Anyway, neither CRS1xx nor hAP ac2 offload anything from CPU processes to hardware (unlike CRS3xx or some other device models) - simple switching is a notable exception. If you want CRS1xx or hAP ac2 to do something in hardware (i.e. switch chip), then you have to configure it under /interface ethernet switch and sub-tree. Manuals indeed don't say anything about disabling HW offload, so you will either take my word and try it (and see if queues start to limit traffic) or you'll keep waiting for another idea (which might never come).
I do not publish the "hap ac2" config because it is large and there is a lot of confidential information. I'm going to "clean it up" and publish it.
upd. I added the "hap ac2" configuration to my post that I wrote earlier.
 
alexandr777
just joined
Topic Author
Posts: 7
Joined: Sun Aug 28, 2022 9:54 pm

Re: Problems with queues

Thu Sep 01, 2022 5:44 pm

What is OP and MKX?

Please look at the config that I attached above in the messages. Maybe you'll understand why queues don't work.
 
Larsa
Forum Guru
Posts: 1061
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Problems with queues

Thu Sep 01, 2022 9:52 pm

OP is an abbreviation for "Original Poster", i.e. you, and MKX is the user @mkx that posted a reply in this thread.
