JanJoh

Queues and NAT and whyyy

Thu Jun 02, 2022 10:09 pm

So, while I have never been a big fan of the Queues in RouterOS, I usually have been able to get them to do what I want. But not this time.

RB 760, with 7.2.3
eth1 connected to a 10M/10M link, delivered over gigabit copper.
eth4 connected to a switch that in turn connects a few appliances
eth5 general access surfing.

Basically, I want eth4 to be "guaranteed" (using the term loosely) 1 Mbps, and everything on eth5 to share whatever is currently available.

Now, after banging my head for a bit, I decided to just start over with a blank second device and JUST keep the queues until I could figure out why this was not working.

Basically, no matter how I mangle my packets, all traffic seems to end up in one of the queues.

I am certain I am missing something simple, or something has changed in 7.x.

Any advice welcome.

Here is the config. I've tried many things, back and forth, so this may not even be my best effort :)

# RouterOS 7.2.3 export as posted ("hide-sensitive" strips secrets). The '#' lines
# marked NOTE(review) were added by the reviewer; the exported commands are unchanged.
[admin@MikroTik] > /export hide-sensitive
# jun/01/2022 22:11:10 by RouterOS 7.2.3
# software id = VD2N-3208
#
# model = RB760iGS

# Three bridges: bridgeLocal (default config; all of its ports are disabled further
# down), bridgeScantron (ether4, the "appliances" segment) and bridgeSurf (ether5).
/interface bridge
add admin-mac=DC:2C:6E:0F:FD:66 auto-mac=no comment=defconf name=bridgeLocal
add name=bridgeScantron
add name=bridgeSurf
# CAPsMAN: a WPA2-PSK profile whose SSID is bridged into bridgeSurf. No passphrase
# appears here because the export was taken with hide-sensitive.
/caps-man security
add authentication-types=wpa2-psk name=security1
/caps-man configuration
add country=sweden datapath.bridge=bridgeSurf name=cfg1 security=security1 \
ssid=wifi
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcpScopeScantron ranges=172.25.14.100-172.25.14.200
add name=dhcpScopeSurf ranges=172.25.15.100-172.25.15.200
/ip dhcp-server
add address-pool=dhcpScopeScantron interface=bridgeScantron name=dhcpdScantron
add address-pool=dhcpScopeSurf interface=bridgeSurf name=dhcpdSurf
/port
set 0 name=serial0
# PCQ types: the "download" types classify per dst-address, the "upload" types per
# src-address. NOTE(review): pcq-upload-8000kbps is defined but no queue below uses it.
/queue type
add kind=pcq name=pcq-upload-9500kbps pcq-classifier=src-address pcq-rate=9500k
add kind=pcq name=pcq-download-9500kbps pcq-classifier=dst-address pcq-rate=\
9500k
add kind=pcq name=pcq-download-8000kbps pcq-classifier=dst-address pcq-rate=8M
add kind=pcq name=pcq-upload-8000kbps pcq-classifier=src-address pcq-rate=8M
# Queue tree: "Global Down" and "Global Up" both hang off parent=global, and each has
# a Scantron leaf and a Surf leaf selected purely by packet-mark.
# NOTE(review): the two packet marks carry no direction (see the mangle section), so a
# surf-marked packet is eligible for Surf-Up and Surf-Down alike, and a scantron-marked
# packet for both Scantron leaves. If, as is usual for a parent=global tree, a packet is
# counted only in the first matching leaf, everything ends up in the two "Up" leaves --
# consistent with the "all traffic on one queue" symptom; confirm against the per-queue
# counters. Direction-specific packet marks (or hanging the Down/Up parents off the
# LAN/WAN interfaces instead of global) are the usual remedy -- to be verified.
# NOTE(review): every leaf has limit-at=5M, i.e. 20M of guarantees under a 9.5M parent
# on a 10M link; the post's goal of ~1M guaranteed for eth4 is not what is configured.
# NOTE(review): the two "Up" leaves use queue=pcq-download-8000kbps (dst-address
# classifier), which looks like a copy/paste slip given their names.
/queue tree
add name="Global Down" parent=global queue=pcq-download-9500kbps
add name="Global Up" parent=global queue=pcq-upload-9500kbps
add limit-at=5M max-limit=9M name=Scantron-Up-5M-9M packet-mark=\
scantron-client-traffic parent="Global Up" queue=pcq-download-8000kbps
add limit-at=5M max-limit=9M name=Surf-Up-5M-9M packet-mark=surf-client-traffic \
parent="Global Up" queue=pcq-download-8000kbps
add limit-at=5M max-limit=9M name=Surf-Down-5M-9M packet-mark=\
surf-client-traffic parent="Global Down" queue=pcq-download-8000kbps
add limit-at=5M max-limit=9M name=Scantron-Down-Mk-9M packet-mark=\
scantron-client-traffic parent="Global Down" queue=pcq-download-8000kbps
# CAPsMAN enabled; the default interface entry is forbidden, then all three bridges
# (including the otherwise unused bridgeLocal) are explicitly allowed.
/caps-man manager
set enabled=yes package-path=/firmware upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridgeLocal
add disabled=no interface=bridgeScantron
add disabled=no interface=bridgeSurf
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1
# ether1-3 and sfp1 are in bridgeLocal but disabled (ether1 is the WAN uplink);
# ether4 -> bridgeScantron and ether5 -> bridgeSurf, matching the post.
/interface bridge port
add bridge=bridgeLocal comment=defconf disabled=yes ingress-filtering=no \
interface=ether1
add bridge=bridgeLocal comment=defconf disabled=yes ingress-filtering=no \
interface=ether2
add bridge=bridgeLocal comment=defconf disabled=yes ingress-filtering=no \
interface=ether3
add bridge=bridgeScantron comment=defconf ingress-filtering=no interface=ether4
add bridge=bridgeSurf comment=defconf ingress-filtering=no interface=ether5
add bridge=bridgeLocal comment=defconf disabled=yes ingress-filtering=no \
interface=sfp1
# use-ip-firewall=yes: frames forwarded by the bridges are also passed through
# /ip firewall, so the mangle rules below presumably see intra-bridge traffic as well.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=\
yes
# IPv6 is switched off entirely; nothing below filters IPv6, so keep it off unless an
# IPv6 firewall is added alongside.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# ether1 is the only WAN member (used by the NAT rule's out-interface-list); all three
# bridges are LAN (used by the input-chain accept).
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
add interface=bridgeScantron list=LAN
add interface=bridgeSurf list=LAN
# NOTE(review): md5 is offered as an OVPN auth digest. The export does not show whether
# the OVPN server is enabled; if it is, drop md5 from auth= unless a legacy client needs it.
/interface ovpn-server server
set auth=sha1,md5
# Gateway addresses of the two client segments.
/ip address
add address=172.25.14.1/24 interface=bridgeScantron network=172.25.14.0
add address=172.25.15.1/24 interface=bridgeSurf network=172.25.15.0
# DHCP client on ether1 is the WAN uplink; the bridgeLocal one comes from the default
# config and has no enabled ports behind it.
/ip dhcp-client
add comment=defconf interface=bridgeLocal
add interface=ether1
/ip dhcp-server network
add address=172.25.14.0/24 caps-manager=172.25.14.1 dns-server=172.25.14.1 \
gateway=172.25.14.1 netmask=24
add address=172.25.15.0/24 caps-manager=172.25.15.1 dns-server=172.25.15.1 \
gateway=172.25.15.1 netmask=24
# allow-remote-requests=yes makes the router a resolver for the LAN. The input chain
# below accepts only established/related, allowed_to_router, ICMP and LAN, then drops
# the rest -- that final drop is what keeps WAN-side DNS queries out; keep it.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
# allowed_to_router: NOTE(review): 172.25.74.0-172.25.80.254 matches no address
# configured on this router (only 172.25.14.0/24 and 172.25.15.0/24 are); confirm it
# is still intended, since anything in it gets unrestricted input-chain access.
# not_in_internet: bogon list used by the forward-chain anti-spoof rule.
# scantron-addresses / surf-addresses: host ranges of each segment (the router's .1
# excluded); the mangle rules key on these.
/ip firewall address-list
add address=172.25.74.0-172.25.80.254 list=allowed_to_router
add address=172.25.15.0-172.25.15.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=172.25.14.2-172.25.14.254 list=scantron-addresses
add address=172.25.15.2-172.25.15.254 list=surf-addresses
# input: established/related, allowed_to_router, ICMP and anything from LAN are
# accepted; everything else is dropped.
# forward: the fasttrack rule is present but disabled=yes. Keep it disabled while the
# mangle/queue setup is in use -- fasttracked packets are not expected to traverse
# mangle or the queue tree, so re-enabling it would silently bypass the marks below.
# The !dstnat and not_in_internet drops both log (prefixes !NAT / !public); on a busy
# WAN link that can get noisy.
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=\
established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log-prefix=invalid
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
# Connection marks are set in chain=forward from the source address list; packet marks
# are then copied from the connection mark on every forward packet of that connection,
# in both directions, because connection-mark matching does not look at direction.
# NOTE(review): nothing here separates upload from download, which the Up/Down split in
# the queue tree relies on; a per-direction packet mark (e.g. keyed on in-interface /
# out-interface) is the usual way to provide that -- see the queue-tree note above.
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=\
scantron-client-conn passthrough=yes src-address-list=scantron-addresses
add action=mark-packet chain=forward connection-mark=scantron-client-conn \
new-packet-mark=scantron-client-traffic passthrough=yes
add action=mark-connection chain=forward new-connection-mark=surf-client-conn \
passthrough=yes src-address-list=surf-addresses
add action=mark-packet chain=forward connection-mark=surf-client-conn \
new-packet-mark=surf-client-traffic passthrough=yes
# Single masquerade rule for everything leaving via WAN; ipsec-policy=out,none matches
# only packets with no outbound IPsec policy, so IPsec-policied traffic is left un-NATed
# (as in the RouterOS default configuration).
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Stockholm
[admin@MikroTik] >
