zaqik
newbie
Topic Author
Posts: 30
Joined: Mon Apr 13, 2020 5:31 pm

Prioritization with Simple Queues for port-forwarded services

Thu May 26, 2022 10:28 pm

Hello!
Here's what I'm struggling with. I have an OpenVPN server at 192.168.0.99. I also have a video surveillance device (NVR) at 192.168.0.153. And of course the whole network is at 192.168.0.0/24. My goal is to set the highest priority for 0.153 traffic, then come the VPN clients (0.99's port is forwarded outside), and the last priority goes to all other network participants. So whenever someone in the network starts to download something, their download won't affect the speed of the NVR and the total speed (max-limit) of the VPN clients.
/queue simple
add dst=ether1-wan max-limit=100M/100M name=QoS-simple priority=1/1 target="" total-queue=ethernet-default
add queue=pcq-upload-default/pcq-download-default limit-at=50M/50M parent=QoS-simple priority=1/1 max-limit=100M/100M name=NVR target=192.168.0.153/32
add queue=pcq-upload-default/pcq-download-default limit-at=40M/40M parent=QoS-simple priority=2/2 max-limit=60M/60M name=VPN target=192.168.0.99/32
add queue=pcq-upload-default/pcq-download-default parent=QoS-simple priority=8/8 name=LAN target=192.168.0.0/24

According to most guides, I should not set dst for my queue. But if I don't, I see zeroes in the statistics of the queue and child queues, which tells me that the queues don't work at all. Only after I set my WAN interface (connection type - static address) as dst does something start to work. The way I test my setup is using iperf as a VPN client and a browser download as a regular network participant. The NVR is using nearly 50M/s itself, so I just track whether it is affected or not. Long story short: 0.153 and 0.99 ARE affected when someone in the network starts a download UNTIL I set up a Queue Tree in addition to my Simple Queues:
/queue tree
add limit-at=100M max-limit=100M name=QoS-tree packet-mark=no-mark parent=global priority=1 queue=default

Now 0.153 stays mostly unaffected by somebody's download, but as a VPN client I get a significant speed reduction. Maybe I wrongly treat the VPN client's traffic as 0.99's traffic, because when I open Connections I see VPN traffic like: Source - <client's white IP>, Destination - <Mikrotik white IP>:<port where 0.99 is forwarded to>. But when I look at the queue statistics for 0.99 I see exactly the same amount of traffic that iperf generates. So I don't get how my queues should look in this case.

Please, help me to set up traffic prioritization for this setup.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Prioritization with Simple Queues for port-forwarded services

Fri May 27, 2022 1:37 am

try this

please disable queue-tree and any other simple queue

and be sure you have not enabled fast-track
/queue simple
add max-limit=100M/100M name=QoS-simple target=192.168.0.0/24
add parent=QoS-simple priority=1/1 limit-at=50M/50M max-limit=100M/100M name=NVR target=192.168.0.153/32
add parent=QoS-simple priority=2/2 limit-at=40M/40M max-limit=60M/60M name=VPN target=192.168.0.99/32
add queue=pcq-upload-default/pcq-download-default parent=QoS-simple priority=8/8 name=LAN target=192.168.0.0/24
 
zaqik
newbie
Topic Author
Posts: 30
Joined: Mon Apr 13, 2020 5:31 pm

Re: Prioritization with Simple Queues for port-forwarded services

Fri May 27, 2022 10:59 am

chechito, thanks for the reply. Unfortunately, I witness the same picture with your rules: when I start a download it cripples the NVR's speed. I didn't do the right math between the Limit At of all rules, but it's just pure logic: when the NVR downloads at 50M while the network mostly idles, and then drops to 20M (the download is running on a host from 192.168.0.0/24, where there's no Limit At at all) - it's not working. I can tell by how the NVR has a speed spike to 99M right after I stop the download.
Also, I've read a lot about fasttrack, but I'm not sure - is it enabled just by a Firewall Filter Rule with action 'fasttrack connection', or anywhere else? I have no firewall rule with a fasttrack action.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Prioritization with Simple Queues for port-forwarded services

Fri May 27, 2022 5:37 pm

> chechito, thanks for the reply. Unfortunately, I witness the same picture with your rules: when I start a download it cripples the NVR's speed. I didn't do the right math between the Limit At of all rules, but it's just pure logic: when the NVR downloads at 50M while the network mostly idles, and then drops to 20M (the download is running on a host from 192.168.0.0/24, where there's no Limit At at all) - it's not working. I can tell by how the NVR has a speed spike to 99M right after I stop the download.
> Also, I've read a lot about fasttrack, but I'm not sure - is it enabled just by a Firewall Filter Rule with action 'fasttrack connection', or anywhere else? I have no firewall rule with a fasttrack action.

try this
/queue simple
add max-limit=100M/100M name=QoS-simple target=192.168.0.0/24
add parent=QoS-simple priority=1/1 max-limit=100M/100M name=NVR target=192.168.0.153/32
add parent=QoS-simple priority=2/2 max-limit=60M/60M name=VPN target=192.168.0.99/32
add queue=pcq-upload-default/pcq-download-default parent=QoS-simple priority=8/8 name=LAN target=192.168.0.0/24
 
zaqik
newbie
Topic Author
Posts: 30
Joined: Mon Apr 13, 2020 5:31 pm

Re: Prioritization with Simple Queues for port-forwarded services

Sat May 28, 2022 12:57 am

The funniest thing about the parent queue for target=192.168.0.0/24 without dst=<my-wan-iface> is that upload (yeah, only UPLOAD) gets doubled when it comes to child queues. There's no mistake or coincidence - the traffic on the screenshot is the same!
Image

After countless test attempts, the only nearly working (as it seems) rules for me (without additional Queue Tree) look like:
/queue simple
add dst=ether1-wan max-limit=150M/150M name=QoS-simple queue=pcq-upload-default/pcq-download-default target="0.0.0.0/0"
add limit-at=2M/60M max-limit=10M/100M name=NVR parent=QoS-simple priority=1/1 queue=pcq-upload-default/pcq-download-default target=192.168.0.153/32
add limit-at=50M/50M max-limit=100M/100M name=VPN parent=QoS-simple priority=1/1 queue=pcq-upload-default/pcq-download-default target=192.168.0.99/32
add dst=ether1-wan limit-at=1M/1M max-limit=140M/140M name=LAN parent=QoS-simple queue=pcq-upload-default/pcq-download-default target=192.168.0.0/24
There are some speed differences from my initial example, but it's not important.

NVR speed stays mostly unaffected, VPN speed (orange rectangle) gets significantly reduced with a download somewhere in LAN (black rectangle):
Image

Now I stop the downloading (the moment is marked with the arrow) and get:
Image

Well, since even the simple queue for equal speed among the /24 network works strangely in my case, I guess the problem is somewhere else. Thanks for the help, chechito!
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Prioritization with Simple Queues for port-forwarded services

Sat May 28, 2022 2:21 am

I think I forgot to put the max-limit on the last queue

new try
/queue simple
add max-limit=100M/100M name=QoS-simple target=192.168.0.0/24
add parent=QoS-simple priority=1/1 max-limit=100M/100M name=NVR target=192.168.0.153/32
add parent=QoS-simple priority=2/2 max-limit=100M/100M name=VPN target=192.168.0.99/32
add parent=QoS-simple priority=8/8 max-limit=100M/100M name=LAN target=192.168.0.0/24 queue=pcq-upload-default/pcq-download-default
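
An added example, not part of any post in this thread: a simplified Python model of how HTB-style child queues are expected to share a parent's max-limit (limit-at guarantees first, then the surplus by priority), applied to the first and last rule sets posted above. The offered loads are constructed values (NVR 50M, VPN 60M, LAN 100M), only one direction is modelled, and the sharing rule is an assumption about the intended behaviour, useful as a baseline to compare the measured rates against.

```python
# Added example: simplified model of HTB sharing between child simple queues.
# Rates are Mbit/s, one direction only. Demands are constructed test values.
from dataclasses import dataclass

@dataclass
class Child:
    name: str
    priority: int      # 1 = highest, 8 = lowest
    limit_at: float    # guaranteed rate (0 if unset)
    max_limit: float   # ceiling (parent's limit if unset)
    demand: float      # offered load (constructed)

def overcommitted(parent_max, children):
    """True if the guarantees alone exceed the parent's max-limit."""
    return sum(c.limit_at for c in children) > parent_max

def allocate(parent_max, children):
    """Return {name: rate}: guarantees first, then surplus by priority."""
    rate = {c.name: min(c.demand, c.limit_at) for c in children}
    left = parent_max - sum(rate.values())
    for prio in range(1, 9):
        # what each child at this priority still wants, below its ceiling
        want = {c.name: min(c.demand, c.max_limit) - rate[c.name]
                for c in children if c.priority == prio}
        active = [n for n, w in want.items() if w > 1e-9]
        while left > 1e-9 and active:
            share = left / len(active)   # equal split within one priority
            for n in list(active):
                give = min(share, want[n])
                rate[n] += give
                want[n] -= give
                left -= give
                if want[n] <= 1e-9:
                    active.remove(n)
    return rate

# First rule set posted in reply (parent max-limit 100M); LAN has no
# max-limit of its own, so the parent's 100M is used as its ceiling.
first = [Child("NVR", 1, 50, 100, demand=50),
         Child("VPN", 2, 40, 60, demand=60),
         Child("LAN", 8, 0, 100, demand=100)]
# Last rule set: no limit-at, every child max-limit 100M.
last = [Child("NVR", 1, 0, 100, demand=50),
        Child("VPN", 2, 0, 100, demand=60),
        Child("LAN", 8, 0, 100, demand=100)]

if __name__ == "__main__":
    for label, rules in (("first", first), ("last", last)):
        print(label, overcommitted(100, rules), allocate(100, rules))
```

In this model both rule sets keep the NVR at its full 50M and leave the priority-8 LAN queue with whatever the higher priorities do not claim.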