Is (( PRIORITY )) Really working ???

samsoft08 · Sat Oct 25, 2008 8:42 pm

Please anyone has a success story with PRIORITY let us know ..
it's very important for QoS , only if its WORKING !!!!!

samsoft08 · Sun Oct 26, 2008 11:35 am

for me , it's not ..
the point is to make a good QoS , giving browsing a higher priority than the downloading traffic ..
by using examples written here at this foeum and wiki , which gives the ( small size ) connections the highest priority , its not working !!!!

example :

giving a Max 512k download , when downloading files which get all the 512k and try to browse , priority MUST let the new browsing ( small size ) connection process first , so browsing must not be effected , download traffic ( large size ) connection should be effected and let the new connection process ..that is what should happened , as many ISP's do , but with MT priority its not !!!

Chupaka · Sun Oct 26, 2008 5:30 pm

did you read, what 'PRIORITY' is? =) see documentation

samsoft08 · Mon Oct 27, 2008 12:18 am

Well , if you have a new definition to the word ( Priority ) please let us know ..

in MT doc. :
Priority - the order of importance in what traffic will be processed. You can give priority to
some traffic in order it to be handeled before some other traffic

let us take some of Priority definitions here :

Wikipedia: priority
Priority level, the priority of emergency communications
Priority signs, a traffic sign that specifies which route has the right of way
Priority date, a concept of establishing waiting times in the immigration process by United States Department of State ... lol

Computer Desktop Encyclopedia: priority
A particular order, or sequence, in which things take place (items processed, users served, etc.). A priority is based on a predetermined assignment of value, or importance, to different types of events and people.

Translations: Translations for: Priority
Dansk (Danish)
n. - fortrinsret, prioritet
Nederlands (Dutch)
prioriteit, voorrang
Français (French)
n. - priorité
Deutsch (German)
n. - Priorität, Vorrang, vordringliche Angelegenheit
Ελληνική (Greek)
n. - προτεραιότητα
Italiano (Italian)
precedenza, priorità
Português (Portuguese)
n. - prioridade (f)
Русский (Russian)
приоритет
Español (Spanish)
n. - prioridad, anterioridad
Svenska (Swedish)
n. - prioritet, företräde(srätt)
中文（简体） (Chinese (Simplified))
先, 优先, 前
中文（繁體） (Chinese (Traditional))
n. - 先, 優先, 前
한국어 (Korean)
n. - 앞[먼저] 임

Quotes About: Priorities
"It is the mark of great people to treat trifles as trifles and important matters as important." - Doris Lessing

these are enough examples that let us believe that priority in router means that higher priority traffics go / process / run FIRST , the lower will come later ..........and that what i dont see in MT .........

Chupaka · Mon Oct 27, 2008 12:27 am

did you tried to read whole page, not just the beginning? =)

priority - order in which classes are served at the same level

and lower:

Priorities
When there is a possibility to send out a packet, HTB queries all its self slots in order of priority, starting with highest priority on the lowest level, till lowest priority on highest level. Each leaf class (packets are stored and enqueued only within qdiscs attached to each leaf class) is ultimately connected to a certain self slot, either directly or through a chain of parent classes:

As you can see from the picture, leaf-classes that are in the green state will always have a higher effective priority than those that are yellow (and, thus, borrowing their rate from parent classes), because their priority is at a lower level (level 0). In this picture, Leaf1 will be served only after Leaf2, although it has a higher priority (priority 7) than Leaf1 (priority .

In case of equal priorities and equal states, HTB serves these classes, using round robin algorithm.

samsoft08 · Mon Oct 27, 2008 4:32 am

Ok , any REAL WORLD successfull running stories using Router OS done by the theoritical words above ?

cause nothing i tried is giving a real QoS , in fact any QoS that letting new connection handeled before the old connections of a continues downloading ..
all kind of Q sfq , pcq , ....
marking the small connection size and the large ones ...Priority...

nothing shows any successful result ..

I need to let the same client ( same IP ) has a QoS , so if he is downloading and reaching his MAX download rate and start a browsing at the same time then browse wont be effected by his max download , the Q should lower his running download connection letting the new connection to be processed ..

divinesecret · Wed Oct 29, 2008 8:15 pm

hehe, that's sad but it's true.

Thu Oct 30, 2008 9:17 am

Can we atleast see a configuration? I have no problems with QoS in mikrotik

So at this point it looks like "Problem exists between keyboard and chair"

(no offense)

samsoft08 · Sat Nov 08, 2008 11:48 pm

macgaiver , are you really doing a real QoS ?
maybe you dont have a problem cause you are just putting rules without seeing the results !!!!!!
can you give us a single example of your successfull QoS ?

loop11 · Sun Nov 09, 2008 1:56 am

I made a thread asking the same thing, and I didn't get any answer, seems and this is for sure that there is no priority on the Mikrotik for incoming packets and ports if you want to use the whole incoming bandwidth.

People should warn other people that if you need the qos you should avoid Mikrotik.

For now we know that Mikrotik could work in quasi qos environment only if you put hard limit for the max transfer rate on child's which is lower than parent max transfer rate , but that's the pure waste of the bandwidth.

If you want to download with the max speed and if you dont want to waste any transfer than mikrotik has no solution for you and me.

Maybe there are some scripts or ways which are in some heads, but for the now, there is no manual, stories or ways for that> Everyone who could said "it can shape incoming bandwidth" is liar, because if that's the truth and if that's the thing that you know in your head, we dont have any value for, and by pure math its a lie. Till someone state the operative qos with operative priorities which could use max bandwidth and which could give ultra fast response and transfer for high priority ports
I could say ITS a lie.

Mikrotik is bad for the qos.
Its not match for the master shaper or some other free shapers.

Maybe in the early days of the Internet qos on the far end wasn't the priority for customers, but this days outgoing qos is not important as a incoming qos and seems that Mikrotik cant compete with the trends.

Its a same story like multilink over two pppoe adsl, and on the end we found that that's in fact not possible on mikrotik, but 2 years we were lied, ok Mikrotik seems fixed that, and seems now its possible.

changeip · Sun Nov 09, 2008 3:57 am

qos isn't supposed to be done on the inbound packets! if you are routing them, then qos them on the interface they are leaving your router from. think about it, how are you going to reorder packets / queue packets on the way in when you have no control over who's sending them to you.

loop11 · Sun Nov 09, 2008 5:36 am

Ok now we getting something, that in fact inbound qos doesn't exist on mikrotik and that talking about it is just the marketing trick.

Listen just this second I'm thinking about 10 ways, lets just spoke about few.
For example we have 10mbit incoming link, we want to prioritized the incoming traffic, and we want to give the port 80 and 443 the ultra high priority and for the other ports we want to set lower priorities. Like for example some passive ports for ftp or 119 for nntp we want to give them the ultra low priority.

We want that we could have ultra fast browsing same like we dont use any other data transfer beside port 80 , but in fact we should have inbound on lower priorities as much as its needed for the ultra low ping and reply's for the ultra high priorities.
As I see Dlink is doing that and Linksys on the newest devices, Cisco is doing that, and god knows who else.

1. If you have full transfer on low ports and you request first high priority packet from port 80, lower the speed of low priority port in steps each second more, till you get the lowest ping time.
Setting the steps will be god idea, like step one lower 10%, step two lower 20%, step 3 lower 30% and so on, the moment the high demand on the high priority port stops, the script could step up the speed back to normal for the lower priority ports.
Its same like making the max limit for the ports just in more steps. One max level for the child is stupid and its a waste of bandwidth, this is the old fashion and should be banned.
It was used for oversellers.

2. Second example could drop packets on the lower priority ports till the higher priority ports doesn't get low ping and we dont get the good transfer response for the high priority ports. Drop the packets and request the same again till the high ports demands are over.
... ...

There are ways someone just needs to think clever way.

loop11 · Sun Nov 09, 2008 6:11 am

Even Windows have the tool which could fight with this issue, its cfosspeed, and it will do just what I explained, it monitors the ping with their main site, and based on ping, reply's it will lower the speed on the inbound lower ports, to give higher priority ports better response and transfer rate.

And when I'm seeing that Mikrotik doesn't have solution for this issue my eyes got full of blood.

changeip · Sun Nov 09, 2008 8:12 am

ping (icmp) is a simple test. You could be seeing 1000ms ping times or timeouts and it doesn't always mean the path is slow. For a router to generate packets it is way more overhead that simply routing them.

With that solution it is still based on changing outbound packets, not inbound. Why not just give your specific (voip?) outbound traffic higher priority all the time?

I think macgaiver was onto something ... post your rules.

From your first few posts it sounds like you want a way to give less priority to longer running connections. Since downloading and browsing is the same thing you need a way to determine what you really want to give less priority to. Maybe based on bursts, or mime types, or something else.

loop11 · Sun Nov 09, 2008 8:56 am

ping (icmp) is a simple test. You could be seeing 1000ms ping times or timeouts and it doesn't always mean the path is slow. For a router to generate packets it is way more overhead that simply routing them.

cfosspeed is doing the perfect shaping on the windows, they found the solution.

With that solution it is still based on changing outbound packets, not inbound. Why not just give your specific (voip?) outbound traffic higher priority all the time?

Yes but based on outbound it knows when to react.
I get terrible surfing speed when I got the full download (when I say download I mean other port than port 80, like Usenet download, ftp download, or similar ) I get way better surfing speed with ultra cheap routers like TP link, or Planet or us Robotics, or Netgear.

From your first few posts it sounds like you want a way to give less priority to longer running connections. Since downloading and browsing is the same thing you need a way to determine what you really want to give less priority to. Maybe based on bursts, or mime types, or something else.

Yes of course the lower priority download is 24/7 which means all the time, full bandwidth used, or like 99,8% average usage of the bandwidth.
And yes its longer running connections and its 10 bots each taking one connection which means that even one http connection on port 80 has to fight with 10 or 100 lower priority port which were the "longer running connections".
And idea is that if that one http connection needs 1kb/s or 100kb/s or even 500kb/s that it must have the full amount as ever it needs with ultra fast ping.

And I'm getting the worst possible surfing with full download on the lower priority ports on the full download, which isn't normal. I would say its a criminal results but I'm too angry and I would like to sustain my words.

Maybe the problem is because the uplink is just 192kbit/s and Mikrotik cant work with such low speed with the good results, I have good downlink but low uplink.
But with cheap routers I get solid results.

Sorry on typos I'm to tired from reading the forum and I'm too angry, I need to sleep, sorry again.

samsoft08 · Sun Nov 09, 2008 4:22 pm

there is no difference in port between browsing , latge file download and a small file download , they all are using port 80 ( of course i'm talking about http download )!!!!! and this is what i was talking about ..
if we have 10Mbps total download speed , and its all filled with downloading large files by different users , when a user tried to browse a small size site , then the user will not find the available bandwidth to browse , ((( page cannot be displayed ))) will shine infront of his eyes , or in the BEST conditions he will take a nap before the page will be downloaded !!!!!!!!
how can MT recognize this ? how can it tell this is a user , he needs just to browse this small page let those giants traffic to slow down a little bit .. WHAT IS MT PRIORITY DOING ??
some falks in this forum ( previous topics ) tried to differintiate between these two types of traffics by thier connection size , which i found it not working good most of the time , may be there is somthing is missing here which is the connection time , so we may consider not only the size of connection , but the active duration of the connection too .. the longest duration large size connection should be slower than the new connections ..

its somthing like burst , but would the burst work if the total download has been filled ?

loop11 · Sun Nov 09, 2008 5:09 pm

there is no difference in port between browsing , latge file download and a small file download , they all are using port 80 ( of course i'm talking about http download )!!!!! and this is what i was talking about ..
if we have 10Mbps total download speed , and its all filled with downloading large files by different users , when a user tried to browse a small size site , then the user will not find the available bandwidth to browse , ((( page cannot be displayed ))) will shine infront of his eyes , or in the BEST conditions he will take a nap before the page will be downloaded !!!!!!!!
how can MT recognize this ? how can it tell this is a user , he needs just to browse this small page let those giants traffic to slow down a little bit .. WHAT IS MT PRIORITY DOING ??
some falks in this forum ( previous topics ) tried to differintiate between these two types of traffics by thier connection size , which i found it not working good most of the time , may be there is somthing is missing here which is the connection time , so we may consider not only the size of connection , but the active duration of the connection too .. the longest duration large size connection should be slower than the new connections ..

its somthing like burst , but would the burst work if the total download has been filled ?

In my case I'm downloading the big files from the port 119 and from some passive ports from the range 51000-55000.
Port 80 is used for surfing the small packages, but sometimes I have some big file from the port 80.

MyThoughts · Sun Nov 09, 2008 5:29 pm

Priority is RouterOS is a customizable solution, its not geared to any one scenario. I use priority alot espically for things like VOIP, gaming, and streaming traffic.

For simplicity any time I mention HTTP traffic I am referring to port 80 traffic.

I don't attempt to differeniate between Website HTTP traffic and download HTTP traffic as I have no need to at this time. I can however see how this could be useful.

As a few contributors mentioned above basing the Web HTTP traffic on packet size will be unreliable. I have not tested the following theory and don't have time to but maybe others can try and feed back their findings.

I believe that if you make a couple mangle rules for HTTP traffic you may be able to do what you want. When a customer goes to a website many new TCP connections are created, you could prioritize the new connections differently from established connections. I will admit that its not perfect as the web site data doesn't come till after the TCP is in an established state but on a stressed link I believe that you should see fairly resonable increases in website load times. Once the TCP connections are in an established state ideally you would see all established connections sharing the available bandwidth. If you don't do this you may get page cannot be found becuase it was never even able to reach that state.

Don't forget that prioritizing outbound requests is also just as important, if not more.

Cheers

samsoft08 · Mon Nov 10, 2008 12:04 am

so , giving the new connection higher priority will not help at all ..
there is no solution yet ..

changeip · Mon Nov 10, 2008 1:04 am

for all we know you havent even configured it right. Mikrotik QoS works as it should, its up to you to customize it for what you need. Post your configs if you want help.

samsoft08 · Mon Nov 10, 2008 5:32 am

First of all , Is (( PRIORITY )) Really working ???
I asked anyone here if he has a successfull REAL LIFE QoS working , not Theoreticaly , documentation , or " for all we know you havent even configured it right " , its so strange that you know my ( wrong ) config even before i didnt post it here !!!!!!!
this issue has been discussed before and there was many replys and suggestions to solve it , none of them is working .. anyway as loop11 said we dont have to live in a big lie .. lets face it , we should search for an addition to our setup a real QoS software or hardware ..

janisk · Mon Nov 10, 2008 8:24 am

none is bothering answering because whatever answer you get you say that it is not working, when you are asked for actual configuration all you say is not working. So why would anyone answer if you are not listening what others are saying?

post your configs, read thoroughly manual.

also you can check out this link:
http://wiki.mikrotik.com/wiki/HTB

make sure you perfectly understand what is inbound and what is outbound traffic for router. and as long as we are talking about QoS, you are not interested in inbound or outbound traffic of your network.

Inbound traffic for router - traffic that hits your interfaces, no matter from what side - internet or local it will be received by interface no matter what, even if these are malformed packets, you cannot do anything with these.

Outbound traffic for router - traffic that goes out of your router interfaces, no matter of direction, in your network or outside of it. this is where you can set up queues and prioritise, and limit.

samsoft08 · Mon Nov 10, 2008 11:52 am

according to janisk , we cant control the incomnig packets , i dont think its 100% true , cause these downloads are going to some clients IP's , and we can delay them or letting them go by limiting those IP's max download rate , or by (( Priority )) I suppose !!!! , so these download packets are OUTBOUND for the router !!!!
if we can do nothing to them then how can we avoid the case when the max download rate reached and no one can browse or do anything ?
you , yourself janisk had posted a previous topic to solve this issue , by differentiate between the large size connections and the small size connection , after applaying your example the result is the same if I disable your rules , a page is taking 7 sec to browse in normal condition , wehn large files were downloaded , the same page with or without your example is taking 25 sec ..

HTB is not the solution here , we need to QoS the TCP connections , its not imaginary words , cause this exists with another ISP , as we see them doing exactly what we are talking about ..

the point is giving the long time or large files downloading the lowest priority .. thats it ..

Mon Nov 10, 2008 12:57 pm

Priority is HTB feature. HTB allow to order and/or shape outgoing traffic (traffic that is leaving router via any interface)

Example1: Client sends out 10Mbps UDP traffic - this traffic will get to the routers local interface, but in one of the HTB (global-in,global-total,global-out or outgoing interface) will be shaped to (lets say) 1Mbps. So only 1Mbps will leave the router. But in the next second client can send 10Mbps once again and we will shape them again.

Example2:Client sends out 10Mbps TCP traffic - this traffic will get to the routers local interface, but in one of the HTB (global-in,global-total,global-out or outgoing interface) will be shaped to (lets say) 1Mbps. So only 1Mbps will leave the router. Source get ACK packets only for 1Mbps of 10Mpbs, so source, in the next second, will send little more than 1Mbps Of TCP traffic

This was the main idea behind introducing TCP - only way how to control inbound traffic.

Windows, MacOS or anything else - all traffic that is sent to that PC will be getting there, whats happen then is another question.

And only WARNING that must be there is "To use queues you MUST have TCP/IP knowledge."

Muqatil · Mon Nov 10, 2008 1:39 pm

I have a Mikrotik QoS working as a charm.
Packets with lower priority are being dropped correctly and if my bandwitdth is full and a higher priority request is processed, it makes room and bandwitdth for it...
No theory or documentation. I have it deployed on my network and i have 600 users in a 34mbit connection. Without that QoS i would've been in troubles already.

loop11 · Mon Nov 10, 2008 2:52 pm

I have a Mikrotik QoS working as a charm.
Packets with lower priority are being dropped correctly and if my bandwitdth is full and a higher priority request is processed, it makes room and bandwitdth for it...
No theory or documentation. I have it deployed on my network and i have 600 users in a 34mbit connection. Without that QoS i would've been in troubles already.

Tell me just few things, do you mean you have perfect qos for the incoming or outgoing packets or for the both, and do you have bandwidth limitation by the ip's, plus the max transfer limitation for the child ports. Or did you let the child ports with lower priority the full bandwidth allocation of a each IP.

Did you tried to give to just 1 IP just for the test the max bandwidth, and I would like to see qos priority in that case.
Start some premium nntp like giganews who can give you the full transfer with the 4-5 connections on the 34mbit,
start the download and than just for the test, start from the browser 10 web pages at the same time and observe how fast would be needed for that opened web pages to get the bandwidth allocation, than try that with the 25 pages at the same moment and after that try 50 and than 100 web pages.
Measure thee performance of the bandwidth allocation of the high priority ports.
And after that test, do the same test but without any download on the low priority ports.
I bet that it would be 5 times slower if you use maximal bandwidth with some low priority download on some other port.
And as the final paste your config in here I could bet that you have bandwidth limitation for the each the each Ip plus you have bandwidth limitation for the child ports with the lower priority.

And for this test its important that you can choke your bandwidth with the low priority port with the full 99.8% bandwidth allocation.

Lets see your config.

And of course few things to clarify are you using static ip, static gateway, or you have dynamic Ip, dynamic gateway, pppoe logging, do you use nat , transparent proxy, we need more infos .
Are you getting the wan link from the fiber or trough frame relay, or maybe trough hotspot?

Mon Nov 10, 2008 3:49 pm

Give us your queue configuration.. we will take a look at it

changeip · Mon Nov 10, 2008 6:55 pm

okay, you wanted to know if QoS / Priority is working on Mikrotik. Yes, on my 5-10 routers that i use it on, yes. I shape the routed / outbound packets to make sure that I slow down the incoming packets.

Sam

samsoft08 · Mon Nov 10, 2008 10:20 pm

macgaiver wrote:
Example2:Client sends out 10Mbps TCP traffic - this traffic will get to the routers local interface, but in one of the HTB (global-in,global-total,global-out or outgoing interface) will be shaped to (lets say) 1Mbps. So only 1Mbps will leave the router. Source get ACK packets only for 1Mbps of 10Mpbs, so source, in the next second, will send little more than 1Mbps Of TCP traffic
And only WARNING that must be there is "To use queues you MUST have TCP/IP knowledge."

and what do you think when when I say shaping the inbound traffic ?

Medianet wrote:
I have a Mikrotik QoS working as a charm.
Packets with lower priority are being dropped correctly and if my bandwitdth is full and a higher priority request is processed, it makes room and bandwitdth for it...
No theory or documentation. I have it deployed on my network and i have 600 users in a 34mbit connection. Without that QoS i would've been in troubles already.

still theoretical without example , i'll be very happy to see working one ..

Muqatil · Tue Nov 11, 2008 12:05 pm

I might sound harsh, but i don't bother to post here the config of my QoS, since i spent a lot of effort to config it.
Anyway after my BGP router there's my QoS with mangle rules that shape connections in a queue tree. I shape Inbound and Outbound Traffic by queuing Ether1 and Ether2 (Inbound and Outbound). Next hop is my PPPoE Server with simple queues to limit user bandwidth (2mbits and 640kbits) with bursts and priorities.
That's my config.

thavinci · Tue Nov 11, 2008 1:56 pm

Sorry for cross posting, but im also struggling with this here...

http://forum.mikrotik.com/viewtopic.php ... 98#p134898

However in my case im PRETTY sure the problem lies between keyboard and chair

Tue Nov 11, 2008 4:44 pm

macgaiver wrote:
Example2:Client sends out 10Mbps TCP traffic - this traffic will get to the routers local interface, but in one of the HTB (global-in,global-total,global-out or outgoing interface) will be shaped to (lets say) 1Mbps. So only 1Mbps will leave the router. Source get ACK packets only for 1Mbps of 10Mpbs, so source, in the next second, will send little more than 1Mbps Of TCP traffic
And only WARNING that must be there is "To use queues you MUST have TCP/IP knowledge."

and what do you think when when I say shaping the inbound traffic ?

Well it is definitely not "shaping the inbound traffic" - this is feature of TCP protocol that's it (and BTW there are 254 other IP protocols out there

)

Equis · Wed Nov 12, 2008 12:47 am

I shape Inbound Traffic

The key is to set your upper limit about 15% lower than your service can push.

so if I had 10Mbps from my supplier I would set my top to 9Mbps.

It does work perfect, I light user has 10ms ping, the hog user when he uses torrent gets 1000+ms ping.

thavinci · Wed Nov 12, 2008 12:49 am

Only 254?

Wed Nov 12, 2008 8:53 am

Only 254?

Well there are 1 byte field in IPV4 packet that indicates IP protocol number and as we all know 2^8=256.

Wed Nov 12, 2008 9:19 am

I shape Inbound Traffic

The key is to set your upper limit about 15% lower than your service can push.

so if I had 10Mbps from my supplier I would set my top to 9Mbps.

It does work perfect, I light user has 10ms ping, the hog user when he uses torrent gets 1000+ms ping.

To make it clear - there are 4 traffics that we can talk about:

1) client upload that router receives on the local interface
2) client upload that router sends out to the Internet
3) clients download that router receives on the public interface
4) clients download that router receives sends out to the customer

1) and 3) - is Inbound traffic
2) and 4) - is Outbound traffic
QoS can change (shape/prioritize) 1) into 2) and 3) into 4)

samsoft08 · Sat Nov 15, 2008 1:12 am

I can fly to the moon in 1 sec , but please dont ask me how , cause i spent alot of effort to reach that !!!!!!!!!!!!!!!!
still theoretical ..

we still discussing basic things , TCP , whts inbound and outbound ... its good informations but it doesnt help here ..

the thing I need is not a mericale , its exist , we can see how its working by other providers ( ISP's) using other than MT ..
the question is can we did it by MT or not ? if yes then how ? cause we tried every trick in the book and no results , every suggestion or example here or in the wiki , every theoritecally working examples ..

this is again what we need :

a user has a 256k max download .. he is filling it by downloading a large size file .. he is 256k now ..
this user trying to browse a page ..
I need to give this page at least 100k , 156k left for his still downloading file ..
the page completed , the download return to 256k..

thats is ...

Mon Nov 17, 2008 1:13 pm

easy - use "connection-bytes" option in mangle - to prioritize first 4Mb or so of ever TCP port 80 connection.

Long version
1) HTTP browsing connection usually is not more that 0,5MB (or 4Mb)
2) Mangle facility can mark only part of connection - you must use mark-packet directly without mark-connection
3) create two marks "first_bytes" and "last_bytes"
4) create queue structure in queue tree (one for download on local interface, one for upload on public interface)
queue structure must have 3 queues
a) parent with max-limit
b) queue for "first_bytes" with priority=1 and limit-at and max-limit specified
c) queue for "last_bytes" wint priority=8 and limit-at and max-limit specified.

That is it - I use it every day to prioritize normal HTTP over other trraffic on port80 (like p2p, downloads etc)

janisk · Mon Nov 17, 2008 3:00 pm

i will put it bluntly - you have to know what is going on to manage it. if you have vague image of what is happening you will run in different problems. You have to have good knowledge about networks. You have to know, what traffic is what, where you can possibly alter it in a safe way that you are not dropping packets, but limiting those.

I can assure you - priority is working in queues. how? here is how:
http://www.mikrotik.com/testdocs/ros/3.0/qos/queue.php

using manual you should be able to make working configuration (very basic) and then, if you know what you have just done, you can advance it to even higher complexity. if you want very complex example you should contact consultants, because that is a lot of effort to make it.

loop11 · Mon Nov 17, 2008 7:15 pm

easy - use "connection-bytes" option in mangle - to prioritize first 4Mb or so of ever TCP port 80 connection.

Long version
1) HTTP browsing connection usually is not more that 0,5MB (or 4Mb)
2) Mangle facility can mark only part of connection - you must use mark-packet directly without mark-connection
3) create two marks "first_bytes" and "last_bytes"
4) create queue structure in queue tree (one for download on local interface, one for upload on public interface)
queue structure must have 3 queues
a) parent with max-limit
b) queue for "first_bytes" with priority=1 and limit-at and max-limit specified
c) queue for "last_bytes" wint priority=8 and limit-at and max-limit specified.

That is it - I use it every day to prioritize normal HTTP over other trraffic on port80 (like p2p, downloads etc)

macgaiver to be sure what you want to give with your example, you are saying that in order to apprehend the buffer on the mikrotik the user need to make 4 policy two for outgoing and two for incoming for the each port.
I will show you on the picture is that what you are saying.

In fact one incoming policy should be operative if we have two policy with the same priorities like:
pppoeout>wanin incoming which is incoming Qos and wan1out>lan0in outgoing which is also incoming qos .
And vice versa for the outgoing:
pppoein<wanout outgoing which is outgoing qos and wan1in and lan0out incoming which is in fact outgoing qos.

To be clear I marked what you said which policy should be forward and which would be prerouting.
Or we have 3 prerouting and one forward for forward for one port in both ways outgoing and incoming.

Is that right.

valens · Tue Nov 18, 2008 2:02 pm

yes, QoS and Priority is WORKING in MIKROTIK.

for priority, do you make parent queue for the priority rules ? If you don't have one, Router will think that you have unlimited bandwidth, so no matter what priority that connection has, router will pass the traffic.

omega-00 · Wed Nov 19, 2008 5:41 am

I shape Inbound Traffic
The key is to set your upper limit about 15% lower than your service can push.
so if I had 10Mbps from my supplier I would set my top to 9Mbps.
It does work perfect, I light user has 10ms ping, the hog user when he uses torrent gets 1000+ms ping.

This is probably the best idea I've seen yet, nowhere near as complicated as shaping outbound pps and makes sense that it allows a margin for any new traffic/connections you can't control straight up. You do however need a connection that has a set limit (eg this wouldn't work as well on an contentioned connection as you aren't guranteed the bandwidth)

MyThoughts · Wed Nov 19, 2008 7:20 pm

This post is titled wrong, from what I recall the OP wanted to differeniate between web surfing and downloading. The HTB system that RouterOS uses works fine you just have to get the correct queue and mangle rules for shaping the appropiate traffic.

The problem the OP is having is how do you prioritize different types of HTTP traffic (both HTTP downloading and web surfing use the same port).

I would suggest to the OP that a new topic be created under the question of how to prioritize web surfing over downloading.

variable · Thu Nov 20, 2008 6:15 am

how would you do this given two "public" interfaces going out routed with OSPF?

By this I mean what would the parent in the queue tree be?

janisk · Thu Nov 20, 2008 8:57 am

as far as i can understand - i do not see any difference, you have 3 - 4 or 10 isps connected to your netwroks that is routed using OSPF, because in this case default gateway in any case will point to closest exit ISP and you will have to set queues on each of exit points, as only load balancing that is done is done via pointing users to closest connection to outer world (ISP)

or i have completely misunderstood the question.

variable · Thu Nov 20, 2008 5:54 pm

I am asking what you would assign the parent for the queue in the queue tree to be if you have more than 1 "public" interface.

Say I have a router with 3 interfaces:

1) LOCAL
2) OUT1
3) OUT2

The download would be set to the LOCAL interface. But the upload what should the parent be there?

Chupaka · Fri Nov 21, 2008 1:13 am

global-in?

samsoft08 · Fri Nov 21, 2008 3:05 am

yes, QoS and Priority is WORKING in MIKROTIK.

for priority, do you make parent queue for the priority rules ? If you don't have one, Router will think that you have unlimited bandwidth, so no matter what priority that connection has, router will pass the traffic.

easy - use "connection-bytes" option in mangle - to prioritize first 4Mb or so of ever TCP port 80 connection.

Long version
1) HTTP browsing connection usually is not more that 0,5MB (or 4Mb)
2) Mangle facility can mark only part of connection - you must use mark-packet directly without mark-connection
3) create two marks "first_bytes" and "last_bytes"
4) create queue structure in queue tree (one for download on local interface, one for upload on public interface)
queue structure must have 3 queues
a) parent with max-limit
b) queue for "first_bytes" with priority=1 and limit-at and max-limit specified
c) queue for "last_bytes" wint priority=8 and limit-at and max-limit specified.

That is it - I use it every day to prioritize normal HTTP over other trraffic on port80 (like p2p, downloads etc)

IF what you said can be done then it will manage the total bandwidth not per user limit , cause max limit is the total bandwidth of the network , so as per user he will not notice any difference if he hit his max limit .. for example a network with 10M max download , and one user has 256k max , when he is downloading a large file he will hit the 256k and stay like that , at the same time the whole network is not consuming more than lets say 2M , when he try to browse the Q tree will not prioritize anything cause the max limit ( 10M ) is not reached yet , right ?
the most important for me is to make the browsing very normal at user side even if he is downloading big files ..I'm talking here on normal limited user basis , nevermind if the whole network is reaching less 10% of the total max limit..

This post is titled wrong, from what I recall the OP wanted to differeniate between web surfing and downloading. The HTB system that RouterOS uses works fine you just have to get the correct queue and mangle rules for shaping the appropiate traffic.

The problem the OP is having is how do you prioritize different types of HTTP traffic (both HTTP downloading and web surfing use the same port).

I would suggest to the OP that a new topic be created under the question of how to prioritize web surfing over downloading.

this how to had been asked before , some examples posted , some mikrotik " experts " said it cant be done cause the both browsing and download has the same port , and we try hard to apply the connection byte example but no hope !!!!!
you cant just say everything will work fine if you just get the correct mangle and Q rules , its not like that , we should know what Really MT can do , and what should we wait for in the next many versions ..

i will put it bluntly - you have to know what is going on to manage it. if you have vague image of what is happening you will run in different problems. You have to have good knowledge about networks. You have to know, what traffic is what, where you can possibly alter it in a safe way that you are not dropping packets, but limiting those.

I can assure you - priority is working in queues. how? here is how:
http://www.mikrotik.com/testdocs/ros/3.0/qos/queue.php

using manual you should be able to make working configuration (very basic) and then, if you know what you have just done, you can advance it to even higher complexity. if you want very complex example you should contact consultants, because that is a lot of effort to make it.

but your example about connection byte doesnt work in giving browsing higher priority than download !!!!!!! did you missed somthing in the manual or may be its just MT !!!!!!!
the worse reply in the forum is ( in my opinion ) " go to the manual " !!!!! we cant find such replys in other forums , the manual always contain definitions and basic things , here we are sharing our experience , we are giving each other ideas and examples of what we tested , what we failed with and what we succeded with ..
is it really complex ?? is it complex in Mt to make such thing ....or it cannot be done ...........YET ..

titius · Fri Nov 21, 2008 3:12 am

ok can someone post just a hint on this topic ?

janisk · Fri Nov 21, 2008 8:32 am

to see what can be done using RouterOS go to /queue and start experimenting with different settings, set up different rules and see how these behave, run traffic using bandwidth-test so you can see, when rule is stopping to work, when the other one is starting (in connection-bytes example)

Check out data flow diagram so you understand where the packets are going and at what moment you are doing something.

MyThoughts · Sat Nov 22, 2008 1:35 am

I am going to try and make this is my last post on this topic.

1. No software/hardware can prioritize inbound packets, without the qos 'machine' knowing what the max bandwidth is. Think about this, how do you prioritize something that hasn't arrived yet. You need them to queue up then you can do QoS on them. This is why so many RouterOS users do QoS on outbound traffic. I myself do in some cases do inbound QoS by properly tweaking the parent/child queues with bandwidth caps that reflect my backbone connections.

2. RouterOS's QoS works just fine, I've mentioned I use it for game/voip traffic all the time. I use many different methods to 'measure' the effectiveness of my QoS, but for those that want an easy way try this website: http://www.testyourvoip.com/, when I turn my rules off my rating goes to 2.3/5.0, with them on I get 4.4/5.0 (This is of course when under load ie. using all available bandwidth).

3. I have found no software/handware that can differeniate between web surfing and download HTTP (port 80) traffic. For those that believe RouterOS is at fault, please if you could point to a RouterOS competitor that can as I am sure there are those that could/would figure a way to reverse engineer their methods. So far all the theoretical methods I have thought up always have some caveat to them and even though I am interested in this topic I don't find myself requiring this feature so I am not actively pursuing the answer...yet

Cheers

Tonda · Sun Nov 23, 2008 1:55 am

Dear samsoft08, I think your shouts are not about Mikrotik and possibility/impossibility of incoming traffic shaping but about understanding/misunderstnading basic network principless. Can you please explain here, which criteria you would like to use when distinguishing between large file download and smaller web page content download both using HTTP protocol? Can you please define exactly, what "incoming traffic" is and what is the advantage of shaping incoming tracffic instead of shaping traffic, passing through router on outgoing interface?
I think that basic principle of traffic shaping is to:
1. Select connections or packets to be shaped (using mangle and information, known exactly when first SYN packet of new connection arrives to router = source or destination IP or port etc.).
2. Shape mangled connections/packets using appropriate shaping method.

You would like to create your traffic shaping based on information not known at the moment when initial decision about mangling/shaping is made = how large will be the data, transferred by this connection. When staying on router level you need to make another shaping decision later based on time, spent by given connection or on amount of bytes transferred by given connection. When time or amount exceedes given limit, you want to move given connection to lower priority queue. So basic question is: Is Mikrotik (or any device), operating on network router level, able to dynamically move given connection to another queue (in your case with lower priority level) after exceeding some parameter value?
Can you answer all my questions mentioned here please?
Let the constructive posts gain victory over the unsubstantial ones...

samsoft08 · Sun Nov 23, 2008 2:57 am

the idea is very clear , and i repeated it more than once here , and why insisting to call it incoming traffic ? isnt it the same outgoing traffic to the user ? which i want to shape .. can we just shape that traffic , outgoing traffic to the user ? based on size of connection byte , and time of connection spent ? how can we avoid (page cannot be displayed) from appears to a user who has 128k max download while he is downloading a large file for a long time and trying to browse ? in this case the page may not appear or in the best cases will take 3 or 4 times than the normal time ..
MT manual says : use burst for fast browsing , but burst needs an extra available bandwidth , which may not available !!!
I assume this user ( /32 ) has only 128k , no more , and I need him to download at full 128k , but when he browse at the same time his download should be slow down to an amount that let the browse done normally ..
there is a previous topic here in this forum contains a nice example by janisk to give the small size connections a higher priority , I tried it , manipulated the valuse and monitored the Q and tourch , but it didnt help , there is no time basis here , which is so important to tell MT that connection has to be slow down when a new connection come ..

titius · Sun Nov 23, 2008 4:26 am

Can someone who achieved QoS setup on Mikrotik, to post example of that QoS on TIKTUBE.

I dont ask for configuration example, I ask for real life example eg. browsing while available bandwidth is maxed out. . .

BobcatGuy · Sun Nov 23, 2008 12:43 pm

I found that at least on a RB532A and a RB 112 that versions around 3.1X did not function for simple queues. I downgraded to 2.9.51 and those simple queues worked. ( Had to recreate in either version)

I was stuck on this for a while. there are other posts that ask what hapened to the QOS functionality, and no one seemed to of noticed? its not working.

Yes I tried chaging everything from the small defualt, ehter, wireless types... never worked until downgrade. I do not know which version specifically it stopped working at. ALl I know is I am going to stick with 2.9.51 for a while.

Mon Nov 24, 2008 9:41 am

I found that at least on a RB532A and a RB 112 that versions around 3.1X did not function for simple queues. I downgraded to 2.9.51 and those simple queues worked. ( Had to recreate in either version)

I was stuck on this for a while. there are other posts that ask what hapened to the QOS functionality, and no one seemed to of noticed? its not working.

Yes I tried chaging everything from the small defualt, ehter, wireless types... never worked until downgrade. I do not know which version specifically it stopped working at. ALl I know is I am going to stick with 2.9.51 for a while.

some configuration things have to be changed if you upgrade to v3. it doesn't mean that v3 doesn't work, it just means you have to change something. like queue type to "default" for example

BobcatGuy · Mon Nov 24, 2008 9:52 am

I have tried changing the default type for the queues. I re-created the rules. I tried every combination, it did not work. I was trying to limit the speed for one DVR so it didn't consume all bandwidth. I dont actually have any rule set up now. It wasnt a big priority, just tried it out and found it did not work.

I was merley mentioning it so if people were having the same problem, they could at least find this thread through search.

Mon Nov 24, 2008 9:54 am

I can tell you for a Fact that Simple Queues work 100% in v3

If you have trouble with your configuration, before doing anything - write to support, and also post in the forum

omega-00 · Tue Nov 25, 2008 5:40 am

Normis is 100% correct, queues work fine in v3.1X

I made a stupid mistake and missed the note in the changelog detailing the changes to default-small queue type, but soon as I figured that out everything re: queues works perfectly.

titius · Tue Nov 25, 2008 11:50 am

so anyone just a hint in priorities, three or four lines from mangle and queue . . . ?

janisk · Tue Nov 25, 2008 3:40 pm

if there is no available bandwidth - how you are going to make connection a higher priority one? you have to lower available rates for all queues, if you are using full available bandwidth already.

burst is perfect in your situation, you just have to understand perfectly how it works. please check out queue topic on wiki.mikrotik.com i seen there perfect explanation of burst, with step by step walk-through, what happens in what time.

using that you can make new connection from the user who just connected a fast one. when user witches to other web page after reading one, he will receive boost from burst and load page faster.

i am still suggesting to attend some networking seminars/lectures/lessons, because all the things that you learn and understand about networking you can use and apply in routeros, it is much easer, when you know what is going on, and then you see methods on how to control what is going on. While you do not know what is underneath, you hardly can control that.

Check out HTB example on how parent/child queues work, what at what time lends traffic to, what limitation must be set for all of it to work. It is not that easy to make proper configuration the first time you try with very basic knowledge of networking as is.

BrianHiggins · Wed Nov 26, 2008 7:50 am

2. RouterOS's QoS works just fine, I've mentioned I use it for game/voip traffic all the time. I use many different methods to 'measure' the effectiveness of my QoS, but for those that want an easy way try this website: http://www.testyourvoip.com/, when I turn my rules off my rating goes to 2.3/5.0, with them on I get 4.4/5.0 (This is of course when under load ie. using all available bandwidth).

can you post your QoS config? with no load I get a 4.4, but when I'm maxing out my upload bandwidth with my QoS settings enabled I get ratings in the lower 3's, but with it disabled I get ratings in the 1-2 range...

I'm curious what you're doing differently that you don't see any drop at all.

I often work from home taking sales and support calls that come into our office from my VoIP phone at home, and almost never see any quality issues. I'd like to change "almost never", to a "never under any situation"...

fanepix · Wed Nov 26, 2008 9:52 am

according to janisk , we cant control the incomnig packets , i dont think its 100% true , cause these downloads are going to some clients IP's , and we can delay them or letting them go by limiting those IP's max download rate , or by (( Priority )) I suppose !!!! , so these download packets are OUTBOUND for the router !!!!
if we can do nothing to them then how can we avoid the case when the max download rate reached and no one can browse or do anything ?
you , yourself janisk had posted a previous topic to solve this issue , by differentiate between the large size connections and the small size connection , after applaying your example the result is the same if I disable your rules , a page is taking 7 sec to browse in normal condition , wehn large files were downloaded , the same page with or without your example is taking 25 sec ..

HTB is not the solution here , we need to QoS the TCP connections , its not imaginary words , cause this exists with another ISP , as we see them doing exactly what we are talking about ..

the point is giving the long time or large files downloading the lowest priority .. thats it ..

I mean no harm, but you ar obviously talking about http downloads, at least in some points in teh topic. How can you possibly know wtf is going on in a connection without having something ready-made ?!? You count connection-bytes, or something, or do something else to know it, it wan't fall from the sky ready configured, on your router.
Priority is working ok. Try and test in a simpler way, and a primitive one: put some simple queue wich gives priority -1 regarding the rest of the traffic, and is active for icmp. And test a ping with a full download to something you want, with and without the queue being active, and a download at full speed for your connection.
You really should read this: http://mum.mikrotik.com/presentations/2 ... traweb.pdf it will give you a proper understanding of what are you trying to achieve.

MyThoughts · Thu Nov 27, 2008 5:00 pm

I think I may have some time this Sunday to type up a wiki article. I'll create that with an example of my QoS setup.

Another thing to mention is I've noticed some internet service providers are already doing their own internal QoS I noticed this on my home internet connection. This made it a bit more difficult as I had no idea what they were in fact doing. So if you are using a generic cable/DSL connection to the internet for your backbone to your wireless network it may be worth asking them if they apply any QoS, or if the modem unit they provided you does.

Cheers

Fri Nov 28, 2008 2:49 pm

Normis just posted answer to all your questions
http://forum.mikrotik.com/viewtopic.php?f=2&t=28222

Especially you should be interested in:
http://wiki.mikrotik.com/wiki/Packet_Flow
http://wiki.mikrotik.com/wiki/Queue
http://wiki.mikrotik.com/wiki/HTB
http://wiki.mikrotik.com/wiki/Burst

samsoft08 · Tue Dec 02, 2008 11:40 am

to fanepix

and you think we didnt tested it as a very simple way ( ping ) ??
ping test failed , no difference if it has priority 1 or 8 when the full bandwidth hit..

If as janisk said dont expect any role for priority when the max rate hit , so why bothering ourself with QoS ? when we will need it ?

Burst can deal with total user download rate and time , total user rate may contain all kind of traffic , we cant seperate one from each other ..

many ( here ) said use HTB .. but what about the target user ? its a hotspot dynamic user !!!! can HTB deal with them per user connection ?

i think this subject took more than it worth , if there is a solution we would see it here , untill now its only REDIRECTING to the manual or some ideas , thanks for everything ..

Tue Dec 02, 2008 12:10 pm

I think you misunderstood Janisk

Ok, lets try a different approach:

Imagine you are in metro train and in the next station granny is waiting.
Granny is highest priority and as soon as she will get into train someone for sure will give her a place to sit. (at least where I'm from)
Now imagine that train is so full, that granny will not even get into train, so at this point it doesn't matter what priority granny had, she is staying on the station.
But if train was only 95% full granny will have no problems to get in and use her highest priority.

I hope this part is now clear.

(Just to be sure: granny can also be a ping packet)

samsoft08 · Tue Dec 02, 2008 7:48 pm

to macgaiver

thanks for your nice explaination .. very clear ..

so if this train stay filled for a very long time with same passengers then this high priority Granny will wait long time before she can get in .. we should sit and wait ..

why dont we tell a youngest man* there ( lowest priority ) to get out and wait for the next train , letting the granny to get into the train ??

* this youngest man was in the train for a very long time , maybe he is drunk and sleeping there !!!!

is it possible or not ?

and what if we consider this train is for single IP , a single user .. dynamic hotspot user ..
this user filled the train with people , they stayed for a long time , but now he wants this granny to get in , its not a problem for him to let the younger to get out for a while , untill all grannies reached thier targets safe ..

Chupaka · Wed Dec 03, 2008 12:21 am

do you want to send back received packets with low priority, so that you receive all high-priority packets? (O_o)

there you should ask for help your ISP, to increase your interface's queue length and/or change its type

imtrulylovd · Wed Dec 03, 2008 5:26 am

This topic is very important. Thanks for starting it.

What rules do we need to put into MirkoTik for it to distinguish new connections, mark their packets, and prioritize them, as opposed to already existing connections?

Give us an example configuration of a MikroTik router with NAT and two-three clients, with ... equal bandwidth sharing amongst them, and that will allow new http(s) connections head-of-the-queue processing and maximum bandwidth allocation, as opposed to already established (p2p, http download, etc.) connections? Some of this is done at our ISPs end. But A LOT can be done on our end as well. Someone post the config please

Wed Dec 03, 2008 9:05 am

why dont we tell a youngest man* there ( lowest priority ) to get out and wait for the next train , letting the granny to get into the train ??
* this youngest man was in the train for a very long time , maybe he is drunk and sleeping there !!!!
is it possible or not ?

It is possible, IF you throw out youngest man in previous station and train gets to granny's station 95% full, and granny sees that it is possible to get into train at all.

to samsoft08 I have better example for you:

Imagine high-speed road with lots of traffic on it, and there are one car coming from side road and need to get on the main high-speed road. In order to make it much more easier you need an acceleration line - where car can build up speed to main roads speed and then blend into rest of the traffic. If there are no acceleration line, this car will have hard time getting on the main road.

If there are 100% of traffic used - similar to situation without acceleration line
If there are 95% and less of traffic used - similar to situation with acceleration line

Wed Dec 03, 2008 9:44 am

listen guys, I don't understand anything at all anymore

can one side clearly state their question in ONE SENTENCE and the other side ANSWER in one sentence? No more anecdotes please

gustkiller · Wed Dec 03, 2008 8:34 pm

i think if you just do the queue tree and the MAIN QUEUE for upload and the MAIN QUEUE for download for an example 95% of your total down/up bandwitdth the priorities and qos should work better coz they will have some room to work.

samsoft08 · Thu Dec 04, 2008 4:46 am

to macgaiver :

YES we can let the side car to enter the road even if its 100% , a police man can stop the side line making a space for this car ... right ? this police man what i'm searching for ..
can we just slow down a connection speed dynamicly ?

to normis with pleasure , this is what i need in 1 sentence :
user1 , dynamic hotspot user 64k/128k , downloading big file , also he start to browse , page cannot be displayed !!!! can we just slow down his current download to 64k giving the new browsing the other 64k ?

Thu Dec 04, 2008 9:13 am

I was explaining the actual way how it works - it can't be changed.

Sorry, it is just the way it is, not only in MT.

Chupaka · Thu Dec 04, 2008 3:11 pm

YES we can let the side car to enter the road even if its 100% , a police man can stop the side line making a space for this car ... right ? this police man what i'm searching for ..

yeah, right. but, as I said, this policeman had to be _before_ the side road, i.e. at your provider's devices

janisk · Fri Dec 05, 2008 11:17 am

create main queue with 100% upload or download respectively. then make child queues,

* queue for ping, high priority, 1% of traffic

* queue for http, high priority -1, say, % depending on speed for example 1MB/s and that is 40%

* queue for the rest of traffic

all that for download, upload

that way, if no one uses ICMP and TCP-HTTP you have 100 - 40 -1 % of your BW used = 59%

then, when you have some "hardcore http surfers" you will use 99% of traffic, and then, if someone start using icmp he will get last 1% for ICMP

i will say once more - THIS ALL IS IN MANUAL - go and read it, if you do not understand, ask someone to translate it to your native language for your networking knowledge - that was my answer 2 years ago, and year ago and it is still have not changed.

get a consultant that will make that configuration for you - save it, so you can restore it and then you have starting point of working configuration of queue-tree

also - parent queue have to have match all the traffic that will go for child queues

imtrulylovd · Fri Dec 05, 2008 12:20 pm

Janis have explained it well on the USA MUM and we have a PDF from that: http://mum.mikrotik.com/presentations/US08/janism.pdf but the PDF is not enough. How about uploading the whole video/audio or all hos words in another PDF file ? Since this PDF file is cut at the interesting part

the priority. In this PDF there is information that IS NOT IN ANY MIKROTIK MANUAL. MikroTik manual have sucked hard for ages - admit it. Cheers

Fri Dec 05, 2008 12:23 pm

Janis have explained it well on the USA MUM and we have a PDF from that: http://mum.mikrotik.com/presentations/US08/janism.pdf but the PDF is not enough. How about uploading the whole video/audio or all hos words in another PDF file ? Since this PDF file is cut at the interesting part the priority. In this PDF there is information that IS NOT IN ANY MIKROTIK MANUAL. MikroTik manual have sucked hard for ages - admit it. Cheers

it's not cut, the document is complete. just read the few slides before the last one

if somebody has a video of that presentation, upload it to tiktube.com and you will get a RouterOS license

samsoft08 · Sat Dec 06, 2008 7:00 am

Janisk , that was not even close !!!!!!!

you are talking about general setup , which wont help in this case at all ..
i'm not asking HOW to set Q rules , or HOW to use mangle or else ..
it was a specific idea , its all about the connections of a single dynamic user .. not for the Total MAX Download as in all examples here or even in janism.pdf ..
its like if we say using PCQ for single dynamic IP .. not a group of IP's in address list ..

and please enough redirecting to the manual !!!!!!!!

loop11 · Sat Dec 06, 2008 9:05 am

Janisk, I would kindly ask you, that you stop responding to this thread at all, please dont read it, dont think about it, just continue to do something else. Your agenda is wrong, you are thinking like this, if anyone could get the example my consultant days were over. That's wrong and I'm sick of such behavior.
You are not polite, you are counter progressive toward us, in short words you are Mikrotik shame, I searched trough your post's on this forum and as I see you made thousands of angry mikrotik customers with your statements.

In short words, Mikrotik needs to change their state policy, by the EU laws they are frauding the customers, because you are not getting the full product as they stated.

They are hiding importing things from their customers, because Mikrotik manuals were one of the worst on the market.

Second, seems things are workable trough the consultants, which is the shame and its some kind of the fraud, no one has rights to advice you the consultant if he is not the free one, its by the law the fraudulent behavior on the support forum.

In the Mikrotik manuals or on the main mikrotik web site, you cant see any remark that you as an customer cant received any advanced support, neither you can get any advanced manual, or that you cant get any advanced example.

I will state this, in this native state if we look at the mikrotik as a semi-pro or a pro device and software, its at the low bottom state of similar devices which are 80% ready from the box, which is not the case with the mikrotik.

I would advice any new customer to avoid mikrotik at all costs, there is no support, you cant get advice and help because these days every guy on the mikrotik community thinks that he is the consultant and that he have rights to take your money, but in fact mikrotik is responsible because that's their job.

When Mikrotik clearly state that you dont have the support for the money you bought the Mikrotik license, than advising for the consultant would be ok on the Mikrotik support forum.

But than the license price needs to drop 3 or 4 times.

I could gladly state that mikrotik has no advanced community willing to help.

All I can see is that some kind (kind and good) people made wiki pages for nothing , for the lousy license which is again the utter shame for the mikrotik, but the problem with the mikrotik wiki is that examples are just the basic stuff, maybe Jansik was good in the start of the wiki, but he made worst thing transforming himself to the money taker.

No one has a right to publicly advice someone on the support forum, that he needs to hire the consultant, you need to make another forum for that matter, or eventually you could pm someone with such advice.

Stop with that practice at once.

Chupaka · Sat Dec 06, 2008 3:59 pm

loop11, you are so funny =)

It's Community Support forums, not MikroTik Support! MikroTik Support is support@mikrotik.com AND ONLY!

http://www.mikrotik.com/support.html

ColdHaze · Sat Dec 06, 2008 7:37 pm

You are right Chupaka. Maybe they think this forums is for support. I think the community here is very good! I have implemented PPPoE with freeraius and mysql, and Squid zph without any support from this forums... I only got the idea from here then some RTFM

and some googling and it works!

Come on guys... If you are here, you have to sweat sometimes... not just ask for scripts... read the forums, the manual, the wiki and google for what you want if you don't want to call support.

Also, samsoft08 should first try to setup what he wants with the ROS then posts his config here so we can see why he can't do the qos priority that he is talking about...

ColdHaze

samsoft08 · Sat Dec 06, 2008 11:15 pm

5 years ago when i started providing internet , some issue faced me , I asked my main provider , he want to know wht software / hardware i'm using , after he knew about MT , he tried to ask here about the issue , he came back to me saying : i dont believe it , they told me READ the manual !!!!!!!!!!! what kind of support forum is this ???

we must admit that the support is bad here , in other forum of another devices or softwares they simply saying : you cant do that at this time wait for next versions , or we are working on that ..

what do you find here ? yes its RouterOS Community Support , but there must be admins here , if we look at all topics what can we see ? what kind of topics the admins are answering ? how many % they redirect to the manual ?

normis with all of my respect , he said i cant understand whats going on here !!!!!!!!! thats impossible you didnt understood what's going on , its not but what can MT do , and what is not possible untill the latest version , if this version can do anything so why you are waiting for the next version ?
many times here in this topic i repeated the idea , and you cant understand ? please ..........

janisk at his famous example , differentiate between http browsing from http downloading by connection bytes , but in real life its not working , if the user hit his max rate with http downloading there will be no room for http browsing even it has priority 0 or even -100000 !!!!!!!!!!!!!

jwcn · Sat Dec 06, 2008 11:44 pm

http://wiki.mikrotik.com/wiki/Basic_tra ... _protocols

I have found the above works remarkably well, it is an excellent starting point and can be tweaked from there.

omidkosari · Sun Dec 07, 2008 9:46 am

Janisk , that was not even close !!!!!!!

you are talking about general setup , which wont help in this case at all ..
i'm not asking HOW to set Q rules , or HOW to use mangle or else ..
it was a specific idea , its all about the connections of a single dynamic user .. not for the Total MAX Download as in all examples here or even in janism.pdf ..
its like if we say using PCQ for single dynamic IP .. not a group of IP's in address list ..

janisk at his famous example , differentiate between http browsing from http downloading by connection bytes , but in real life its not working , if the user hit his max rate with http downloading there will be no room for http browsing even it has priority 0 or even -100000 !!!!!!!!!!!!!

By doing mangle ICMP with passthrought=NO, we will extra bandwidth to customer (the IP).
it should be ok since ICMP will eat a little bandwidth only.

How about other protocol which will eat a lot of bandwidth like VoIP, Video Conferencing?
i mean those protocol that need be prioritied.

I agree there should be a way to prioritize the bandwidth of each user (each ip) , priority for all bandwidth is not so useful.

titius · Sun Dec 07, 2008 1:03 pm

If you do prio for all badnwidth, it will work for each user that is not the point here. point is how to do it, because it does not work

, I mean it does work, but no one is willing to give just three lines ov mangle and queue rules to get us started .

dot-bot · Sun Dec 07, 2008 3:06 pm

Maybe trying to combine it with PCQ creates a problem? ( http://forum.mikrotik.com/viewtopic.php?f=2&t=28383 ) Maybe trying to use it on different outgoing interfaces creates a problem? ( http://wiki.mikrotik.com/wiki/Queue_Tre ... interfaces )

samsoft08 · Sun Dec 07, 2008 9:09 pm

If you do prio for all badnwidth, it will work for each user that is not the point here

NO , its the point , it will work per total bandwidth , not per user max limit ..

because it does not work , I mean it does work

How to be sure it can be done in these versions ?

but no one is willing to give just three lines ov mangle and queue rules to get us started

cause it's 90% cant be done , now ..

Mon Dec 08, 2008 9:40 am

samsoft08 and loop11 - can we take a look at least one example of your configuration attempts????

At this point this is only random shouting and it looks like you don't know what are you shouting about.

We already described you that your idea how limitation works was incorrect, but it doesn't mean that you can't get it done a little bit differently.
(if you can't go strait over the hill, you must go around)

Create a QoS system. Test it. paste it here, describe the actual disadvantages or problem of the setup. We will try to share ideas how to get things done. This is the way how this forum works.

omidkosari · Mon Dec 08, 2008 10:47 am

samsoft08 and loop11 - can we take a look at least one example of your configuration attempts????

At this point this is only random shouting and it looks like you don't know what are you shouting about.

We already described you that your idea how limitation works was incorrect, but it doesn't mean that you can't get it done a little bit differently.
(if you can't go strait over the hill, you must go around)

Create a QoS system. Test it. paste it here, describe the actual disadvantages or problem of the setup. We will try to share ideas how to get things done. This is the way how this forum works.

You did not named me but i have this problem too.
Lets assume an example.We have 1000 pppoe users (200 online pppoe often) and 20Mbs of bandwidth.we use PCQ for shape users and we have services like 128kbps,192kbps,256kbps,384kbps,512kbps,1Mbps.

/ip firewall mangle>
chain=prerouting action=mark-connection new-connection-mark=128_upload_conn passthrough=yes src-address-list=128 

chain=prerouting action=mark-packet new-packet-mark=128_upload passthrough=yes connection-mark=128_upload_conn 

chain=forward action=mark-connection new-connection-mark=128_download_conn passthrough=yes src-address-list=128 

chain=forward action=mark-packet new-packet-mark=128_download passthrough=yes connection-mark=128_download_conn

/queue type>
name="128 Download" kind=pcq pcq-rate=128000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=5000 

name="128 Upload" kind=pcq pcq-rate=128000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=5000

/queue simple>
name="128" dst-address=0.0.0.0/0 interface=all parent=ALL packet-marks=128_upload,128_download direction=both 
      priority=1 queue=128 Upload/128 Download limit-at=0/0 max-limit=1000000/2000000 burst-limit=0/0 burst-threshold=0/0 
      burst-time=0s/0s total-queue=default-small

I paste just config of 128kbps but others are like this one .
Now the question is this : How can i prioritize the bandwidth of each user to have priorities like last pages of http://mum.mikrotik.com/presentations/US08/janism.pdf and each user should not have 1 bit more than its shape. for example a 128kbps user has 1st priority for ping,telnet,ssh 2nd for http surfing,3rd http download,8th p2p and has its 128kbps NOT MORE

Mon Dec 08, 2008 11:03 am

now we are talking

1) connections can't be upload or download, packets are. For example TCP connections have traffic in both directions.

2) if you use queue simple you will need 2 marks and mark them in prerouting, both

In mangle I suggest to have 4 rules
a) mark-connections where src-address-list=128
b) mark-connections where dst-address-list=128
c) mark-packet from those connection where in-interface=WAN as client download passthrough=no
d) mark-packet rest of the packets from those connections as upload passthrough=no

3) in simple queues - "parent=ALL"?

Those are the problems in present configuration!

omidkosari · Mon Dec 08, 2008 11:14 am

/queue simple>
name="ALL" target-addresses=10.0.0.0/8,x.x.x.0/23 dst-address=0.0.0.0/0 interface=all parent=none 
direction=both priority=1 queue=default/default limit-at=10000000/20000000 max-limit=10000000/20000000 burst-limit=0/0 
burst-threshold=0/0 burst-time=0s/0s total-queue=default-small

Thanks for suggestions. Please talk about main question at the bottom of post.

Mon Dec 08, 2008 11:17 am

I was getting there .... don't rush things

Now the question is this : How can i prioritize the bandwidth of each user to have priorities like last pages of http://mum.mikrotik.com/presentations/US08/janism.pdf and each user should not have 1 bit more than its shape. for example a 128kbps user has 1st priority for ping,telnet,ssh 2nd for http surfing,3rd http download,8th p2p and has its 128kbps NOT MORE

1) First of all forget about simple queues -> you need to move to queue tree
2) move your present per user marking to mange chain "forward" (with my corrections) and per user limitation to "global-out"

3)now you have free mangle chain "prerouting" and "global-in" for priority configuration (from presentation)

omidkosari · Mon Dec 08, 2008 11:26 am

1)a)Why?
1)b)There is an old question with multiple replies.May i use simple queues and queue tree at the same time?
2)Please give example

Mon Dec 08, 2008 12:05 pm

1)a)Why?
1)b)There is an old question with multiple replies.May i use simple queues and queue tree at the same time?
2)Please give example

1) a) Simple queue stands for one queue in global-in, one queue in global-out, one queue in global-total. So basically 3 out of 4 available HTBs are occupied. And we need one HTB at the beginning to prioritize, to free this HTB we must go to queue tree.

1) b) As you should know traffic can be captured only once in every HTB, so if you have both (queue simple and queue tree in one of the "global-" ) only one will get traffic, other will not (sorry I don't remember who goes first in this situation)

2)Example - unnecessary for 2 reasons
a) it was explained strait forward
b) can't see enough effort from your side,

i gave you instructions, now it is your time to try them out and paste your configuration and observations.

P.S. RTFM, all principles of what I wrote here are written in wiki manual.

Mon Dec 08, 2008 12:09 pm

macgaiver is right. by the way, we are thinking about a prize to the most useful forum answers, macgaiver is on the right track

Mon Dec 08, 2008 12:16 pm

Thanks, normis!

samsoft08 · Mon Dec 08, 2008 12:22 pm

Now the question is this : How can i prioritize the bandwidth of each user

WHERE is the ANSWER ? macgaiver please can you just read this : How can i prioritize the bandwidth of each user ?????
and you think you are talking ? you are just repeating what's in the manual and wiki .......

We already described you that your idea how limitation works was incorrect

incorrect or impossible in router os ?
prioritize the bandwidth of each user is the point , its so clear that every one can understand it !!!!

Mon Dec 08, 2008 12:37 pm

How can i prioritize the bandwidth of each user ?????

OMG can you READ?

That is described in http://mum.mikrotik.com/presentations/US08/janism.pdf
and that is exactly the same what omidkosari asked and I gave him instructions how to do it.

and you think you are talking ? you are just repeating what's in the manual and wiki .......

Well it doesn't matter - one way or another in my network everything is fine with QoS and customers are happy

incorrect or impossible in router os ?

Incorrect, Cisco is exactly the same.

prioritize the bandwidth of each user is the point , its so clear that every one can understand it !!!!

For matter of fact everything that is necessary was described in the presentation. omidkosari had only one big difference instead of one client interface he had many (pppoe) so I adopted the setup for that change and gave him instructions. IF you can't get it - FORGET IT.

BTW - can we see your configuration? I have serious doubts you have one.

omidkosari · Mon Dec 08, 2008 1:17 pm

c) mark-packet from those connection where in-interface=WAN as client download passthrough=no
d) mark-packet rest of the packets from those connections as upload passthrough=no

What can i do if i want the mangles be interface independent . i mean don't use interface in my rules. i don't have good experience about that . sometimes we have more than one WAN etc.
Now what is your suggestion?

Mon Dec 08, 2008 1:29 pm

Then use src-address or src-address-list. but if you have only one public interface it should be fine and faster.

samsoft08 · Mon Dec 08, 2008 1:33 pm

an example made by janisk in this topic http://forum.mikrotik.com/viewtopic.php ... ction+byte

you can see it , and you can see the replies , and see what people needs , i dont think all of them are incorrect thinking !!!!!!!!! cause they are REAL LIFE users , they know what they need ..
this is an old issue , you , janism.pdf and the example above are talking about the total network bandwidth , but every user in the network has a max limit , it dosent matter if the total bandwidth is 100M , a single dynamic hotspot user ( IP ) has lets say 128k only .. this 128k is what i want to work on , a single IP traffic ..prioritize it's traffic with so called PRIORITY in router os ..

I applied the previous example on my own IP , a page took 10sec to open , making a large files download , the same page took 60 sec , sometimes page cannot display !!! where is the priority depending on connection size here ?????

and what about giving icmp highest priority ? http://forum.mikrotik.com/viewtopic.php?f=2&t=28339
this is the simplist example of how so called priority has nothing to do when max bandwidth reached ...... its working when there is a free space in the bandwidth !!!!!!!!!!!!!! whats is this? a joke ??? i dont need anything when i have free space ...

Chupaka · Mon Dec 08, 2008 1:42 pm

to prioritize packets in PCQ subqueues, one need to use packet-submarks... don't think, that it will be realized even in v4 =(

omidkosari · Mon Dec 08, 2008 1:50 pm

to prioritize packets in PCQ subqueues, one need to use packet-submarks... don't think, that it will be realized even in v4 =(

What exactly you mean ? you mean macgaiver suggest is wrong ?

Mon Dec 08, 2008 1:52 pm

to prioritize packets in PCQ subqueues, one need to use packet-submarks... don't think, that it will be realized even in v4 =(
What exactly you mean ? you mean macgaiver suggest is wrong ?

I think Chupaka means that what Samsoft is asking, is impossible.

samsoft08 · Mon Dec 08, 2008 1:56 pm

to prioritize packets in PCQ subqueues, one need to use packet-submarks... don't think, that it will be realized even in v4 =(

at last .. this answer must have the prize for the best answers ..

Mon Dec 08, 2008 2:00 pm

So what Samsoft is asking:

- when user opens his browser, during a download, to give priority to WWW and slow down the download

The problem is the following, you will need several queues PER USER to do this, to assign each type of traffic their own priority. This will make a total of several hundred queues, and they will have to be made by hand, so this is not feasible.

the partial solution (there exists no perfect solution here) offered by janism presentation was this:

- give priority to different traffic types first
- then, after prioritization and shaping has taken place, divide the traffic per user

-- edit --

More information from Janis M. himself:

In my presentation I told that creating priorities seperatly for each client is suicide - there are no hardware that can handle small queue tree for every user (if you have 1000 of them). So in my presentation I discuse next best thing, that is close as possible to desired behaviour.

The main Idea of the setup is to have two separate QoS steps.

1) in the first step we prioritize traffic, we are making sure that traffic with higher priority have more chance to get to the custumers than traffic with the lower priority.

Example:
we have total of 100Mbps available, but clients at this particular moment would like to receive 10Mbps of Priority=1 traffic 20Mbps of Priority=4 and 150Mbps of Priority=8.

Of course after our prioritization and limitaion 80Mbps of priority=8 will be droped. And only 100Mbps will get to the next step

2) next step is per-user limitation, we already have only higher priority traffic, but now we must make sure that some user will not overuse it, so we have PCQ with limits

This way we get virtually the same behaviour as "per user prioritization"

Chupaka · Mon Dec 08, 2008 2:13 pm

- give priority to different traffic types first
- then, after prioritization and shaping has taken place, divide the traffic per user

is it possible to do within one router? i.e. shape twice: first per user, then per service (e.g. in different mangle chains). or we need two routers (either hardware or virtualized)?

Mon Dec 08, 2008 2:19 pm

- give priority to different traffic types first
- then, after prioritization and shaping has taken place, divide the traffic per user

shape twice: first per user, then per service

other way, first per service, then per user.

is it possible to do within one router? i.e. shape twice: first per user, then per service (e.g. in different mangle chains). or we need two routers (either hardware or virtualized)?

QoS includes several facilities, in the following order:

1. mangle chain prerouting
2. HTB global-in
3. Mangle chain forward
4. Mangle chain postrouting
5. HTB global-out
6. HTB out interface

so, inside one router, you can do shape twice if you use:

a) #1 and #2 for first marking and shaping, and #3+#5 for second
b) #1 and #2 for first marking and shaping, and #3+#6 for second
c) #1 and #2 for first marking and shaping, and #4+#5 for second
d) #1 and #2 for first marking and shaping, and #4+#6 for second

the presentation was all about this, and Macgaiver was saying the same thing.

I suggest you guys to pack bags for the upcoming Europe MUM where there will be Traffic Management training by the same Janis M.

samsoft08 · Mon Dec 08, 2008 2:37 pm

when i applied janis example http://forum.mikrotik.com/viewtopic.php ... ction+byte

it may work if i download with just 1 connection , but if there is more than 1 connections , and they are small connections as what download accelerators do , it cant be possible to differentiate between download and browsing connection ,

so its not working in real life , with most ( 90% ) of network users ..

Mon Dec 08, 2008 2:39 pm

of course it's not possible to distinguish short HTTP downloads with browsing, because Browsing IS Downloading (of html pages).

titius · Mon Dec 08, 2008 3:23 pm

Can please someone tell me if Im on the right track,
This is from Dmitris wiki on firewalling

1   chain=prerouting protocol=tcp connection-state=new action=jump 
     jump-target=tcp-services 

 2   chain=prerouting protocol=udp connection-state=new action=jump 
     jump-target=udp-services 

 3   chain=prerouting connection-state=new action=jump 
     jump-target=other-services 

 4   chain=prerouting protocol=tcp action=jump 
     jump-target=tcp-services-established 

 5   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 
     action=mark-connection new-connection-mark=http passthrough=no 

 6   chain=tcp-services-established protocol=tcp src-port=1024-65535 
     dst-port=80 connection-bytes=0-2048000 action=mark-connection 
     new-connection-mark=http-established-2MB passthrough=no 

 7   chain=tcp-services-established protocol=tcp src-port=1024-65535 
     dst-port=80 action=mark-connection new-connection-mark=http-established 
     passthrough=no

Now packet marks

47   chain=prerouting connection-mark=http action=mark-packet 
     new-packet-mark=http-new passthrough=no 

48   chain=prerouting connection-mark=http-established-2MB action=mark-packet 
     new-packet-mark=http-2MB passthrough=no 

49   chain=prerouting connection-mark=http-established action=mark-packet 
     new-packet-mark=http-established passthrough=no

Now queue tree

1   name="DOWNLOAD" parent=Lokal packet-mark="" limit-at=0 queue=default priority=8 max-limit=1850000 burst-limit=0 
     burst-threshold=0 burst-time=0s 

 2   name="http" parent=DOWNLOAD packet-mark=http-new limit-at=1500000 queue=default priority=1 max-limit=1800000 
     burst-limit=0 burst-threshold=0 burst-time=0s 

 3   name="http-2M" parent=DOWNLOAD packet-mark=http-2MB limit-at=10000 queue=default priority=4 max-limit=1800000 
     burst-limit=0 burst-threshold=0 burst-time=0s 

 4   name="http-rest" parent=DOWNLOAD packet-mark=http-established limit-at=10000 queue=default priority=8 
     max-limit=1800000 burst-limit=0 burst-threshold=0 burst-time=0s

Is this ok ?

mknnoc · Tue Dec 09, 2008 10:02 am

here is my configuration http://forum.mikrotik.com/viewtopic.php ... 19#p137619.

omidkosari · Tue Dec 09, 2008 5:33 pm

move your present per user marking to mange chain "forward" (with my corrections)

Then use src-address or src-address-list. but if you have only one public interface it should be fine and faster.

Then how can i mangle uploads with forward chain and src-address-list ?

Wed Dec 10, 2008 10:03 am

Sorry, but I don't see the problem, can you elaborate?

omidkosari · Wed Dec 10, 2008 2:51 pm

Maybe because you have queue tree . in my case i will first change my mangles (still with simple queues) and then slowly move to queue tree. with simple queue it does not work.

omidkosari · Mon Dec 22, 2008 7:16 pm

Is there a way to use mangle chain FORWARD for marking upload and download of users separately without using (in or out) INTERFACE ?
I tired a lot but i have no success . An example is very helpful . Thanks.

gustkiller · Mon Dec 22, 2008 7:58 pm

Is there a way to use mangle chain FORWARD for marking upload and download of users separately without using (in or out) INTERFACE ?
I tired a lot but i have no success . An example is very helpful . Thanks.

try this approach
src address = your user ip address ( upload)
dst address= your user ip address (download)

omidkosari · Mon Dec 22, 2008 9:45 pm

I tried this and put those mangles in Simple Queues > packet mark but Rx is 0 and Tx is very low !!

this does not work

/ip firewall mangle>
chain=forward action=mark-connection new-connection-mark=Special_upload_conn passthrough=yes src-address-list=Special 

chain=forward action=mark-packet new-packet-mark=Special_upload passthrough=yes connection-mark=Special_upload_conn 

chain=forward action=mark-connection new-connection-mark=Special_download_conn passthrough=yes dst-address-list=Special  

chain=forward action=mark-packet new-packet-mark=Special_download passthrough=yes connection-mark=Special_download_conn

      name="test" dst-address=0.0.0.0/0 interface=all parent=ALL packet-marks=Special_upload,Special_download direction=both 
      priority=1 queue=default/default limit-at=1000000/1000000 max-limit=2000000/10000000 burst-limit=0/0 burst-threshold=0/0 
      burst-time=0s/0s total-queue=default-small

but when mangle is like bellow this works fine

/ip firewall mangle>
chain=prerouting action=mark-connection new-connection-mark=Special_upload_conn passthrough=yes src-address-list=Special  

chain=prerouting action=mark-packet new-packet-mark=Special_upload passthrough=yes connection-mark=Special_upload_conn 

chain=forward action=mark-connection new-connection-mark=Special_download_conn passthrough=yes src-address-list=Special  

chain=forward action=mark-packet new-packet-mark=Special_download passthrough=yes connection-mark=Special_download_conn

Tue Dec 23, 2008 10:01 am

Guys, do you actually read something or just play with configuration???

Simple queue is in global-in and global-out.... and only mangle chain before global-in is.....

<everyone quickly opens up a diagram http://wiki.mikrotik.com/wiki/Packet_Flow and find an answer >

janisk · Tue Dec 23, 2008 10:41 am

it seems that some are thinking that this is 2 way diagram - well, it is not...

for example, if you have configured that ether1 is local interface and ether2 is wan interface, then when traffic goes from your customers to internet it goes in ether1 and goes out ether2, so input-interface is ether1 and output-interface is ether2. But if traffic is going from internet to your customer, then it is going in ether2 and going out ether1, in this case input-interface is ether2 and output-interface is ether1, and you have to follow the path that direction no matter what.

omidkosari · Thu Dec 25, 2008 6:37 pm

OK . the first part i done with help of professional friends in this forum .

1) First of all forget about simple queues -> you need to move to queue tree
2) move your present per user marking to mange chain "forward" (with my corrections) and per user limitation to "global-out"

3)now you have free mangle chain "prerouting" and "global-in" for priority configuration (from presentation)

Now 1,2 is DONE .
for 3 i have these mangle rules

155   chain=prerouting action=mark-connection new-connection-mark=p2p_conn passthrough=yes p2p=all-p2p 

156   chain=prerouting action=mark-packet new-packet-mark=p2p_download passthrough=no dst-address-list=Apply QOS connection-mark=p2p_conn 

157   chain=prerouting action=mark-packet new-packet-mark=p2p_upload passthrough=no src-address-list=Apply QOS connection-mark=p2p_conn 

158   chain=prerouting action=mark-connection new-connection-mark=download_conn passthrough=yes protocol=tcp dst-port=110 

159   chain=prerouting action=mark-connection new-connection-mark=download_conn passthrough=yes protocol=tcp dst-port=995 

160   chain=prerouting action=mark-connection new-connection-mark=download_conn passthrough=yes protocol=tcp dst-port=143 

161   chain=prerouting action=mark-connection new-connection-mark=download_conn passthrough=yes protocol=tcp dst-port=993 

162   chain=prerouting action=mark-connection new-connection-mark=download_conn passthrough=yes protocol=tcp dst-port=25 

163   chain=prerouting action=mark-connection new-connection-mark=download_conn passthrough=yes protocol=tcp dst-port=20 

164   chain=prerouting action=mark-connection new-connection-mark=download_conn passthrough=yes protocol=tcp dst-port=21 

165   chain=prerouting action=mark-connection new-connection-mark=download_conn passthrough=yes protocol=tcp dst-port=22 packet-size=1400-1500 

166   chain=prerouting action=mark-connection new-connection-mark=download_conn passthrough=yes protocol=tcp dst-port=80 connection-bytes=500000-0 

167   chain=prerouting action=mark-connection new-connection-mark=download_conn passthrough=yes protocol=tcp dst-port=443 connection-bytes=500000-0 

168   chain=prerouting action=mark-packet new-packet-mark=download_download passthrough=no dst-address-list=Apply QOS connection-mark=download_conn 

169   chain=prerouting action=mark-packet new-packet-mark=download_upload passthrough=no src-address-list=Apply QOS connection-mark=download_conn 

170   chain=prerouting action=mark-connection new-connection-mark=high_prio_conn passthrough=yes protocol=tcp dst-port=53 

171   chain=prerouting action=mark-connection new-connection-mark=high_prio_conn passthrough=yes protocol=udp dst-port=53 

172   chain=prerouting action=mark-connection new-connection-mark=high_prio_conn passthrough=yes protocol=icmp 

173   chain=prerouting action=mark-connection new-connection-mark=high_prio_conn passthrough=yes protocol=tcp dst-port=443 

174   chain=prerouting action=mark-connection new-connection-mark=high_prio_conn passthrough=yes protocol=tcp dst-port=8291 

175   chain=prerouting action=mark-connection new-connection-mark=high_prio_conn passthrough=yes protocol=tcp dst-port=23 

176   chain=prerouting action=mark-connection new-connection-mark=high_prio_conn passthrough=yes protocol=tcp dst-port=22 packet-size=0-1400 

177   chain=prerouting action=mark-connection new-connection-mark=high_prio_conn passthrough=yes protocol=tcp dst-port=80 connection-bytes=0-500000 

178   chain=prerouting action=mark-packet new-packet-mark=high_prio_download passthrough=no dst-address-list=Apply QOS connection-mark=high_prio_co>

179   chain=prerouting action=mark-packet new-packet-mark=high_prio_upload passthrough=no src-address-list=Apply QOS connection-mark=high_prio_conn 

180   chain=prerouting action=mark-connection new-connection-mark=other_conn passthrough=yes 

181   chain=prerouting action=mark-packet new-packet-mark=other_download passthrough=no dst-address-list=Apply QOS connection-mark=other_conn 

182   chain=prerouting action=mark-packet new-packet-mark=other_upload passthrough=no src-address-list=Apply QOS connection-mark=other_conn

and in queue tree

66   name="QOS_Download" parent=global-in packet-mark="" limit-at=0 queue=default priority=1 max-limit=12000000 burst-limit=0 burst-threshold=0 
     burst-time=0s 

67   name="QOS_Upload" parent=global-in packet-mark="" limit-at=0 queue=default priority=1 max-limit=12000000 burst-limit=0 burst-threshold=0 
     burst-time=0s 

68   name="p2p down" parent=QOS_Download packet-mark=p2p_download limit-at=0 queue=default priority=8 max-limit=2000000 burst-limit=0 
     burst-threshold=0 burst-time=0s 

69   name="p2p up" parent=QOS_Upload packet-mark=p2p_upload limit-at=0 queue=default priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0 
     burst-time=0s 

70   name="High Priority down" parent=QOS_Download packet-mark=high_prio_download limit-at=5000000 queue=default priority=1 max-limit=9000000 
     burst-limit=0 burst-threshold=0 burst-time=0s 

71   name="High Priority up" parent=QOS_Upload packet-mark=high_prio_upload limit-at=2000000 queue=default priority=1 max-limit=6000000 
     burst-limit=0 burst-threshold=0 burst-time=0s 

72   name="Other down" parent=QOS_Download packet-mark=other_download limit-at=0 queue=default priority=6 max-limit=6000000 burst-limit=0 
     burst-threshold=0 burst-time=0s 

73   name="Other up" parent=QOS_Upload packet-mark=other_upload limit-at=0 queue=default priority=6 max-limit=6000000 burst-limit=0 
     burst-threshold=0 burst-time=0s 

74   name="Big Downloads down" parent=QOS_Download packet-mark=download_download limit-at=0 queue=default priority=7 max-limit=6000000 burst-limit=>
     burst-threshold=0 burst-time=0s 

75   name="Big Downloads up" parent=QOS_Upload packet-mark=download_upload limit-at=0 queue=default priority=7 max-limit=6000000 burst-limit=0 
     burst-threshold=0 burst-time=0s

But the QOS trees are strange and does not work correctly . any suggestion appreciated . thanks.

omidkosari · Mon Dec 29, 2008 9:43 am

I tried so much but no success . Any help please .

Mon Dec 29, 2008 12:26 pm

Well everything looks more or less correct - only one small upgrade - if you use connection-bytes, it is better to use mark-packet without mark-connection.

Can you elaborate on what exactly is the problem? also screenshot of queue tree from winbox would be handy (just enable all necessary columns)

omidkosari · Wed Jan 07, 2009 5:02 pm

OK . thanks . the problem was in mangle rules .

Let's assume i have a 90Mbps uplink to provider and i have 9*10Mbps sublinks which my clients come to main mikrotik by them and i have priority and per user limitations with help of queue tree (global-in , global-out) , and mangle chains (prerouting , forward) .
according to this post http://forum.mikrotik.com/viewtopic.php ... 84#p139184

I'm not sure I understand your question completely, perhaps you could explain it with an example.

In general - if your parent class is not limited, it will behave as if it was limited to full link bandwidth (because of hardware flow control - underlying network hardware will simply not take from queue more data than it can send). So e.g. if you have 1Gbps Ethernet link to your provider, but provider limits traffic received from that link to 200Mbs, it is better to configure parent queue with 200Mbps limit - this way bandwidth control moves to your queues where you can apply your policies (prioritizing, limits, distribution of excess bandwidth and such), instead of just sending everything to upstream provider where you can not control what will get dropped.

How can i prioritize those 10Mbps links to prevent hardware flow ?

NetworkPro · Wed Jan 07, 2009 6:59 pm

With a really good Queue Tree in your MikroTik router. Max-limit must be lower (85-100% or 62% for ATM) than what a speedtest through the link would show. This way you achieve control. This is because of how packet queues work. What is your internet uplink and what are your links to your clients? I mean not just teoretical speeds, but what technology...

omidkosari · Thu Jan 08, 2009 10:10 am

My uplink priority works good . the real problem are those links to clients . each 10Mbps is 5*E1 .
the question is : how can i prioritize those client links in addition to my other queues on same mikrotik ? is it possible on same mikrotik ? because my mangles (forward and prerouting ) are in use and my queue trees (global-in , global-out) are also in use .

NetworkPro · Thu Jan 08, 2009 12:52 pm

It is possible if you redesign it all. Last time when I had to do this, I was thinking - ok, what is the traffic that leaves my interfaces and how can I manage it according to traffic contracts with my clients? A problem that I had was that I had multiple client interfaces so I needed to use global-out.

Maybe you can paste your mangle and queue, and explain what needs to be done?

proggams2 · Mon Jan 26, 2009 12:32 am

if we add mangle rules with connection bytes,first called lower(0-100000) and second called upper (100000->), what we have to use to distinguish from download and upload in mangle and in queue tree (dst src ....) ???
and if the priorization is working with someone (http over all download) let him post his configuation to compare and correct our mistakes

proggams2 · Mon Jan 26, 2009 12:44 am

how to bind all connections made by download accelerators (they usually use 7 or 8 connection per server).
im saying if we can limit all of the same ip to a limit that we can seperate it from mangle

janisk · Mon Jan 26, 2009 10:12 am

if you limit overall user traffic you do not have to worry about how many connections users use.

omidkosari · Mon Jan 26, 2009 2:37 pm

if you limit overall user traffic you do not have to worry about how many connections users use.

But connection bytes are very useful in QOS stuff.

xordi · Sun Mar 01, 2009 10:02 pm

Hello Everyone... I've some troubles with that, can somebody help me and tell what i do wrong?
Here is my configuration, I hope somebody help me...

Mangle:

 0   ;;; p2p
     chain=prerouting action=mark-connection new-connection-mark=p2p passthrough=yes p2p=all-p2p 

 1   chain=prerouting action=mark-packet new-packet-mark=p2p_down passthrough=no in-interface=WAN connection-mark=p2p 

 2   chain=prerouting action=mark-packet new-packet-mark=p2p_up passthrough=no in-interface=LAN connection-mark=p2p 

 3   ;;; WWW SSL
     chain=prerouting action=mark-connection new-connection-mark=www_ssl passthrough=yes protocol=tcp dst-port=80 

 4   chain=prerouting action=mark-connection new-connection-mark=www_ssl passthrough=yes protocol=udp dst-port=80 

 5   chain=prerouting action=mark-connection new-connection-mark=www_ssl passthrough=yes protocol=tcp dst-port=443 

 6   chain=prerouting action=mark-packet new-packet-mark=www_ssl_down passthrough=no in-interface=WAN 
     connection-mark=www_ssl 

 7   chain=prerouting action=mark-packet new-packet-mark=www_ssl_up passthrough=no in-interface=LAN connection-mark=www_ss>

 8   ;;; DNS ICMP
     chain=prerouting action=mark-connection new-connection-mark=dns_icmp passthrough=yes protocol=icmp 

 9   chain=prerouting action=mark-connection new-connection-mark=dns_icmp passthrough=yes protocol=tcp dst-port=53 

10   chain=prerouting action=mark-connection new-connection-mark=dns_icmp passthrough=yes protocol=udp dst-port=53 

11   chain=prerouting action=mark-packet new-packet-mark=dns_icmp_down passthrough=no in-interface=WAN 
     connection-mark=dns_icmp 

12   chain=prerouting action=mark-packet new-packet-mark=dns_icmp_up passthrough=no in-interface=LAN 
     connection-mark=dns_icmp 

13   ;;; winbox
     chain=prerouting action=mark-connection new-connection-mark=winbox passthrough=yes protocol=tcp dst-port=8291 

14   chain=prerouting action=mark-packet new-packet-mark=winbox_down passthrough=no in-interface=WAN connection-mark=winbo>

15   chain=prerouting action=mark-packet new-packet-mark=winbox_up passthrough=no in-interface=LAN connection-mark=winbox 

16   ;;; other
     chain=prerouting action=mark-connection new-connection-mark=other passthrough=yes 

17   chain=prerouting action=mark-packet new-packet-mark=other_down passthrough=no in-interface=WAN connection-mark=other 

18   chain=prerouting action=mark-packet new-packet-mark=other_up passthrough=no in-interface=LAN connection-mark=other 

19   ;;; 256/128
     chain=forward action=mark-connection new-connection-mark=256/128_conn passthrough=yes src-address-list=256/128 

20   chain=forward action=mark-connection new-connection-mark=256/128_conn passthrough=yes dst-address-list=256/128 

21   chain=forward action=mark-packet new-packet-mark=256/128_upload passthrough=no src-address-list=256/128 
     connection-mark=256/128_conn 

22   chain=forward action=mark-packet new-packet-mark=256/128_download passthrough=no dst-address-list=256/128 

23 X chain=forward action=log in-interface=WAN connection-mark=www_ssl log-prefix=""

Q:

0   name="DOWN_KOL" parent=global-in packet-mark="" limit-at=0 queue=sfq priority=4 max-limit=950000 burst-limit=0 
     burst-threshold=0 burst-time=0s 

 1   name="UP_KOL" parent=global-in packet-mark="" limit-at=0 queue=sfq priority=4 max-limit=256000 burst-limit=0 
     burst-threshold=0 burst-time=0s 

 2   name="DOWN_klient" parent=global-out packet-mark="" limit-at=0 queue=sfq priority=4 max-limit=1000000 burst-limit=0 
     burst-threshold=0 burst-time=0s 

 3   name="UP_klient" parent=global-out packet-mark="" limit-at=0 queue=sfq priority=4 max-limit=256000 burst-limit=0 
     burst-threshold=0 burst-time=0s 

 4   name="256/128" parent=DOWN_klient packet-mark=256/128_download limit-at=0 queue=256_download priority=8 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s 

 5   name="256/125" parent=UP_klient packet-mark=256/128_upload limit-at=0 queue=128_upload priority=8 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s 

 6   name="www_ssl_down" parent=DOWN_KOL packet-mark=www_ssl_down limit-at=0 queue=download_high priority=2 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s 

 7   name="www_ssl_up" parent=UP_KOL packet-mark=www_ssl_up limit-at=0 queue=upload_high priority=2 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s 

 8   name="dns_icmp_down" parent=DOWN_KOL packet-mark=dns_icmp_down limit-at=0 queue=download_high priority=1 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s 

 9   name="dns_icmp_up" parent=UP_KOL packet-mark=dns_icmp_up limit-at=0 queue=upload_high priority=1 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s 

10   name="p2p_up" parent=UP_KOL packet-mark=p2p_up limit-at=10000 queue=upload_reszta priority=8 max-limit=20000 
     burst-limit=0 burst-threshold=0 burst-time=0s 

11   name="p2p_down" parent=DOWN_KOL packet-mark=p2p_down limit-at=0 queue=download_reszta priority=8 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s 

12   name="winbox_down" parent=DOWN_KOL packet-mark=winbox_down limit-at=0 queue=download_high priority=3 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s 

13   name="winbox_up" parent=UP_KOL packet-mark=winbox_up limit-at=0 queue=upload_high priority=3 max-limit=0 burst-limit=>
     burst-threshold=0 burst-time=0s 

14   name="other_up" parent=UP_KOL packet-mark=other_up limit-at=0 queue=upload_reszta priority=4 max-limit=0 burst-limit=>
     burst-threshold=0 burst-time=0s 

15   name="other_down" parent=DOWN_KOL packet-mark=other_down limit-at=0 queue=download_reszta priority=8 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s

The problem is on the screenshot... and some Web pages don't open :/ Plz help me

Eising · Sun Mar 01, 2009 10:13 pm

Sorry, didn't read the entire thread, but if you are looking for a working example of priority, you could check out my provider friendly QoS article in the wiki, about how to prioritize using DSCP values. It should be fairly easy to adapt to any other marking of packets. It's at http://wiki.mikrotik.com/wiki/DSCP_based_QoS_with_HTB

xordi · Sun Mar 08, 2009 5:09 am

Still nobody help? ;/

Tue Mar 10, 2009 11:24 am

ok friends, look at this, maybe it sheds some light:
http://www.tiktube.com/?video=214

roneyeduardo · Tue Mar 10, 2009 11:49 pm

Just my 2 cents about a way to differentiate traffic between web browsing and downloading (both on port 80):

1) Redirect all your HTTP (p. 80) traffic to a squid box, running on a linux server;

2) Create an url_regex ACL on squid called web_downloads, and point it to a text file. E.g:

acl web_downloads url_regex -i "/etc/squid/web-downloads.txt";

3) Fill this file with file extensions known to be downloads. E.g:

\.mp3$
\.iso$
\.zip$
\.rar$
...and so on (there are huge lists on the net, do a google search. You can also put in urls of bandwidth hungry websites).

4) Tell squid to put a TOS mark on the packets that matches this ACL. E.g.:

tcp_outgoing_tos 0x20 web_downloads

5) On your MT gateway (or QOS box...or whatever) filter/shape HTTP packets according to the TOS of packets using port 80 (do this with a connection mark, as squid is putting this TOS bits on user requests, not in server replies). All packets/connections with TOS=0x20, in port 80, will be given low priority...any other will be higher priority.

P.S-1.: For any QOS/traffic-shaping solution to work, I think that it's mandatory to use queue-trees (IMHO).
P.S-2.: And for the ones that will say that it's not possible to use squid because the client has public IP address, give TPROXY a try.

bledar · Mon Oct 05, 2009 10:12 am

Hi.
I want to give some packets higher priority than others.
Is it any way to mark packet on chain 'prerouting' and than shaping them on HTB Global-in when I have 3 public interfaces?
Or I must mark packets only on chain 'forward' and than shaping them on HTB Global-out?

My Router's actual config is:

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 S 0.0.0.0/0 xx.xx.xx.225 1
1 A S 0.0.0.0/0 xx.xx.3.1%WAN2 1
2 A S 0.0.0.0/0 xx.xx.3.1%WAN3 1
3 ADS 0.0.0.0/0 xx.xx.3.1 1
4 S 0.0.0.0/0 xx.xx.xx.225 1
5 DS 0.0.0.0/0 xx.xx.3.1 1
6 S 0.0.0.0/0 xx.xx.3.1 2
7 S 0.0.0.0/0 xx.xx.3.1 3
8 ADC xx.xx.3.1/32 xx.xx.3.207 WAN3 0
WAN2
9 ADC xx.xx.xx.224/27 xx.xx.xx.247 WAN1 0
10 ADC 192.168.12.0/24 192.168.12.210 Local

[admin@MikroTik] /ip firewall> nat pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=WAN1

1 chain=srcnat action=masquerade out-interface=WAN2

2 chain=srcnat action=masquerade out-interface=WAN3

3 chain=dstnat action=redirect to-ports=800 protocol=tcp
src-address=192.168.0.0/16 in-interface=Local dst-port=80

[admin@MikroTik] /ip firewall> mangle pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=mark-connection new-connection-mark=pub1_conn
passthrough=yes in-interface=WAN1

1 chain=input action=mark-connection new-connection-mark=pub2_conn
passthrough=yes in-interface=WAN2

2 chain=input action=mark-connection new-connection-mark=pub3_conn
passthrough=yes in-interface=WAN3

3 chain=output action=mark-routing new-routing-mark=to_pub1 passthrough=yes
connection-mark=pub1_conn

4 chain=output action=mark-routing new-routing-mark=to_pub2 passthrough=yes
connection-mark=pub2_conn

5 chain=output action=mark-routing new-routing-mark=to_pub3 passthrough=yes
connection-mark=pub3_conn

6 chain=prerouting action=accept dst-address=xx.xx.xx.0/24 in-interface=Loca>

7 chain=prerouting action=accept dst-address=xx.xx.3.0/24 in-interface=Loca>

8 chain=prerouting action=mark-connection new-connection-mark=pub1_conn
passthrough=yes dst-address-type=!local in-interface=Local
per-connection-classifier=both-addresses:3/0

9 chain=prerouting action=mark-connection new-connection-mark=pub2_conn
passthrough=yes dst-address-type=!local in-interface=Local
per-connection-classifier=both-addresses:3/1

10 chain=prerouting action=mark-connection new-connection-mark=pub3_conn
passthrough=yes dst-address-type=!local in-interface=Local
per-connection-classifier=both-addresses:3/2

11 chain=prerouting action=mark-routing new-routing-mark=to_pub1
passthrough=yes in-interface=Local connection-mark=pub1_conn

12 chain=prerouting action=mark-routing new-routing-mark=to_pub2
passthrough=yes in-interface=Local connection-mark=pub3_conn

13 chain=prerouting action=mark-routing new-routing-mark=to_pub3
passthrough=yes in-interface=Local connection-mark=pub2_conn

14 ;;; HIT TRAFFIC FROM PROXY
chain=output action=mark-packet new-packet-mark=proxy-hit passthrough=no
out-interface=Local dscp=4

15 ;;; UP TRAFFIC
chain=prerouting action=mark-packet new-packet-mark=test-up
passthrough=no in-interface=Local

16 ;;; DOWN-DIRECT CONNECTION
chain=forward action=mark-packet new-packet-mark=test-down passthrough=no
out-interface=Local

17 ;;; DOWN-VIA PROXY
chain=output action=mark-packet new-packet-mark=test-down passthrough=no
out-interface=Local

[admin@MikroTik] /ip proxy> pr
enabled: yes
src-address: 0.0.0.0
port: 800
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-administrator: "webmaster"
max-cache-size: 62914560KiB
cache-on-disk: yes
max-client-connections: 60
max-server-connections: 60
max-fresh-time: 2w1d
serialize-connections: yes
always-from-cache: no
cache-hit-dscp: 4
cache-drive: sata1

[admin@MikroTik] /queue tree> pr
Flags: X - disabled, I - invalid
0 name="queue1" parent=global-out packet-mark=test-down limit-at=0
queue=PCQ_download priority=8 max-limit=0 burst-limit=0 burst-threshold=0
burst-time=0s

1 name="queue2" parent=global-in packet-mark=test-up limit-at=0
queue=PCQ_upload priority=8 max-limit=0 burst-limit=0 burst-threshold=0
burst-time=0s

[admin@MikroTik] > queue interface pr
Flags: D - dynamic
# INTERFACE QUEUE
0 Local default
1 spare default
2 WAN1 ethernet-default
3 WAN-eth 2 ethernet-default
4 WAN-eth 3 ethernet-default
5 Public4 default
6 WAN2 default
7 WAN3 default

[admin@MikroTik] > queue type pr
0 name="default" kind=pfifo pfifo-limit=50

1 name="ethernet-default" kind=pfifo pfifo-limit=50

2 name="wireless-default" kind=sfq sfq-perturb=5 sfq-allot=1514

3 name="synchronous-default" kind=red red-limit=60 red-min-threshold=10
red-max-threshold=50 red-burst=20 red-avg-packet=1000

4 name="hotspot-default" kind=sfq sfq-perturb=5 sfq-allot=1514

5 name="PCQ_download" kind=pcq pcq-rate=0 pcq-limit=50
pcq-classifier=dst-address pcq-total-limit=3500

6 name="PCQ_upload" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-address
pcq-total-limit=3500

7 name="default-small" kind=pfifo pfifo-limit=10

[admin@MikroTik] > queue simple pr
Flags: X - disabled, I - invalid, D - dynamic
0 name="Komp 1" target-addresses=192.168.12.101/32 dst-address=0.0.0.0/0
interface=Local parent=none direction=both priority=5
queue=default/default limit-at=200k/200k max-limit=500k/500k
burst-limit=1500k/1500k burst-threshold=400k/400k burst-time=10s/10s
total-queue=default

1 name="Komp 2" target-addresses=192.168.12.102/32 dst-address=0.0.0.0/0
interface=Local parent=none direction=both priority=5
queue=default/default limit-at=200k/200k max-limit=500k/500k
burst-limit=1500k/1500k burst-threshold=400k/400k burst-time=10s/10s
total-queue=default

2 name="Komp 3" target-addresses=192.168.12.103/32 dst-address=0.0.0.0/0
interface=Local parent=none direction=both priority=5
queue=default/default limit-at=200k/200k max-limit=500k/500k
burst-limit=1500k/1500k burst-threshold=400k/400k burst-time=10s/10s
total-queue=default

[admin@MikroTik] /ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; WEB Proxy from outside
chain=input action=drop protocol=tcp src-address=0.0.0.0/0
in-interface=WAN1 dst-port=800

1 chain=input action=drop protocol=tcp src-address=0.0.0.0/0
in-interface=WAN2 dst-port=800

2 chain=input action=drop protocol=tcp src-address=0.0.0.0/0
in-interface=WAN3 dst-port=800

3 chain=input action=accept src-address=192.168.12.0/24

4 chain=input action=accept dst-address=192.168.12.0/24

5 chain=forward action=drop src-address=85.117.24.2

6 chain=forward action=drop dst-address=85.117.24.2

7 chain=forward action=reject reject-with=icmp-network-unreachable
protocol=tcp dst-port=25

8 ;;; To WEB proxy
chain=input action=reject reject-with=icmp-network-unreachable
protocol=tcp src-address=!192.168.0.0/16 dst-port=800

9 chain=output action=reject reject-with=icmp-network-unreachable
protocol=tcp dst-address=xx.xx.xx.247 dst-port=800

10 chain=output action=reject reject-with=icmp-network-unreachable
protocol=tcp dst-address=xx.xx.3.43 dst-port=800

11 chain=output action=reject reject-with=icmp-network-unreachable
protocol=tcp dst-address=xx.xx.3.207 dst-port=800

12 chain=input action=reject reject-with=icmp-network-unreachable protocol=tcp
dst-port=445

13 chain=input action=drop src-address=192.168.12.124

14 chain=input action=drop dst-address=192.168.12.124

15 ;;; P2P
chain=forward action=drop p2p=bit-torrent

16 chain=forward action=drop p2p=blubster

17 chain=forward action=drop p2p=direct-connect

18 chain=forward action=drop p2p=edonkey

19 chain=forward action=drop p2p=fasttrack

20 chain=forward action=drop p2p=gnutella

21 chain=forward action=drop p2p=soulseek

22 chain=forward action=drop p2p=warez

23 chain=forward action=drop p2p=winmx

24 chain=forward action=drop protocol=tcp src-port=3074

25 X chain=forward action=drop protocol=udp src-port=3074

26 X ;;; Drop Telnet from Outside
chain=input action=drop protocol=tcp in-interface=WAN 2
dst-port=23

27 X chain=input action=drop protocol=tcp in-interface=WAN 3 dst-port=23

28 X chain=input action=drop protocol=tcp in-interface=WAN1 dst-port=23

29 chain=input action=accept src-address=192.168.12.95-192.168.12.129

30 chain=input action=accept dst-address=192.168.12.95-192.168.12.129

31 chain=input action=accept src-address=192.168.12.20/31

32 chain=input action=accept dst-address=192.168.12.20/31

33 chain=input action=accept src-address=192.168.12.55-192.168.12.59

34 chain=input action=accept dst-address=192.168.12.55-192.168.12.59

35 ;;; Comp Games
chain=input action=accept src-address=192.168.11.100

36 chain=input action=accept dst-address=192.168.11.100

37 chain=input action=drop src-address=192.168.0.0/16

38 chain=input action=drop dst-address=192.168.0.0/16

39 ;;; All Local Network Block
chain=input action=drop src-address=192.168.0.0/16

40 chain=input action=drop dst-address=192.168.0.0/16

Mon Oct 05, 2009 12:05 pm

If you use policy routing your mangle chain "prerouting" is already occupied - so to make things easier I suggest to go for mangle chain "forward"

bledar · Mon Oct 05, 2009 1:46 pm

Thank you Macgaiver!

So is no way to use prerouting packets in this case?
Confronting prerouting mark, shaping on global-in and forward mark and shaping on global-out for QoS purposes, who is the best way?
Or the result is same on both ways?

Mon Oct 05, 2009 2:13 pm

Suggestion - get it done the easy way first. Then move on.

At this point you need deeper understanding of traffic flow (including diagram) and only way to get is to start from simple setups and learn.

Answer to your questions -
1) yes, it is possible to use prerouting only it will be more complex.
2) I do not know it depends on task that QoS must make.

bledar · Mon Oct 05, 2009 4:46 pm

QoS regarding traffic prioritization.
Is it true that must use oly prerouting for marking packet and shaping on HTB global-in?
Forward for marking packets and shaping on HTB global-out, will it works good?

Thanks for helping me.

Chupaka · Mon Oct 05, 2009 5:15 pm

yes, only 'prerouting' is before 'global-in'

bledar · Mon Oct 05, 2009 6:01 pm

No Chupaka I asked: is it true that must use oly prerouting for marking packet and shaping on HTB global-in, not for example mark packet with forward and shaping on global-out?
Will work good the second way for traffic prioritization purpose?

Thank you!

Chupaka · Mon Oct 05, 2009 6:08 pm

I believe, you can proiritize anywhere you like: global-in, global-out or even interface queue

bledar · Tue Oct 06, 2009 11:12 am

Hi.

On this link, http://mum.mikrotik.com/presentations/C ... _Megis.pdf
page 34 indicate to mark with prerouting and shape with HTB global-in. Not mark packets with forward and shaping with HTB global-out.

I don't understand now what I must to do, trying to find the way to mark with prerouting and shape with HTB global-in, or to do the easiest way for my scenario, mark packets with forward and shaping with HTB global-out.

Please, help me!

Chupaka · Tue Oct 06, 2009 12:18 pm

in that presentation, two-step QoS is shown:
- first, mark in prerouting, shape in global-in;
- then, mark in forward/postrouting, shape in global-out/interface queue;

bledar · Wed Oct 07, 2009 3:18 pm

Hi all.

This is my config:
Please I need your opinion regarding traffic prioritization.

[admin@MikroTik] /ip firewall mangle> pri
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=mark-connection new-connection-mark=pub1_conn
passthrough=yes in-interface=WAN1

1 chain=input action=mark-connection new-connection-mark=pub2_conn
passthrough=yes in-interface=WAN2

2 chain=input action=mark-connection new-connection-mark=pub3_conn
passthrough=yes in-interface=WAN3

3 chain=output action=mark-routing new-routing-mark=to_pub1 passthrough=yes
connection-mark=pub1_conn

4 chain=output action=mark-routing new-routing-mark=to_pub2 passthrough=yes
connection-mark=pub2_conn

5 chain=output action=mark-routing new-routing-mark=to_pub3 passthrough=yes
connection-mark=pub3_conn

6 chain=prerouting action=accept dst-address=80.78.75.0/24
in-interface=Local

7 chain=prerouting action=accept dst-address=79.106.3.0/24
in-interface=Local

8 chain=prerouting action=mark-connection new-connection-mark=pub1_conn
passthrough=yes dst-address-type=!local in-interface=Local
per-connection-classifier=both-addresses:3/0

9 chain=prerouting action=mark-connection new-connection-mark=pub2_conn
passthrough=yes dst-address-type=!local in-interface=Local
per-connection-classifier=both-addresses:3/1

10 chain=prerouting action=mark-connection new-connection-mark=pub3_conn
passthrough=yes dst-address-type=!local in-interface=Local
per-connection-classifier=both-addresses:3/2

11 chain=prerouting action=mark-routing new-routing-mark=to_pub1
passthrough=yes in-interface=Local connection-mark=pub1_conn

12 chain=prerouting action=mark-routing new-routing-mark=to_pub2
passthrough=yes in-interface=Local connection-mark=pub3_conn

13 chain=prerouting action=mark-routing new-routing-mark=to_pub3
passthrough=yes in-interface=Local connection-mark=pub2_conn

14 X ;;; HIT TRAFFIC FROM PROXY
chain=output action=mark-packet new-packet-mark=proxy-hit passthrough=no
out-interface=Local dscp=4

15 X ;;; UP TRAFFIC
chain=prerouting action=mark-packet new-packet-mark=test-up
passthrough=no in-interface=Local

16 X ;;; DOWN-DIRECT CONNECTION
chain=forward action=mark-packet new-packet-mark=test-down
passthrough=no out-interface=Local

17 X ;;; DOWN-VIA PROXY
chain=output action=mark-packet new-packet-mark=test-down passthrough=no
out-interface=Local

18 ;;; DNS
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
protocol=udp dst-port=53

19 ;;; ICMP
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
protocol=icmp

20 ;;; VOIP
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
src-address=192.168.12.40 in-interface=Local

21 ;;; dns L7
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
layer7-protocol=dns

22 ;;; sip conn type
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
connection-type=sip

23 ;;; stun L7
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
layer7-protocol=stun

24 ;;; teamfortres2 L7
chain=prerouting action=mark-packet new-packet-mark=prio2 passthrough=no
layer7-protocol=teamfortres2

25 ;;; counter-strike L7
chain=prerouting action=mark-packet new-packet-mark=prio2 passthrough=no
layer7-protocol=counterstrike-source

26 ;;; half-life2 L7
chain=prerouting action=mark-packet new-packet-mark=prio2 passthrough=no
layer7-protocol=half-life2

27 ;;; mohaa L7
chain=prerouting action=mark-packet new-packet-mark=prio2 passthrough=no
layer7-protocol=mohaa

28 ;;; worldofwarcraft L7
chain=prerouting action=mark-packet new-packet-mark=prio2 passthrough=no
layer7-protocol=worldofwarcraft

29 ;;; gif L7
chain=prerouting action=mark-packet new-packet-mark=prio3 passthrough=no
layer7-protocol=gif

30 ;;; flash L7
chain=prerouting action=mark-packet new-packet-mark=prio3 passthrough=no
layer7-protocol=flash

31 ;;; png L7
chain=prerouting action=mark-packet new-packet-mark=prio3 passthrough=no
layer7-protocol=png

32 ;;; msn L7
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
layer7-protocol=msn

33 ;;; MSN mesengers port 1863 TCP
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
protocol=tcp dst-port=1863

34 ;;; yahoo L7
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
layer7-protocol=yahoo

35 ;;; skype to skype L7
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
layer7-protocol=skypetoskype

36 ;;; aim L7
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
layer7-protocol=aim

37 ;;; shoutcast L7
chain=prerouting action=mark-packet new-packet-mark=prio6 passthrough=no
layer7-protocol=shoutcast

38 ;;; http-audio L7
chain=prerouting action=mark-packet new-packet-mark=prio6 passthrough=no
layer7-protocol=http-audio

39 ;;; http-video L7
chain=prerouting action=mark-packet new-packet-mark=prio6 passthrough=no
layer7-protocol=http-video

40 ;;; http L7
chain=prerouting action=mark-packet new-packet-mark=prio3 passthrough=no
layer7-protocol=http

41 ;;; skypeout L7
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
layer7-protocol=skypeout

42 ;;; ftp L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
connection-type=ftp

43 ;;; http-dap L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=http-dap

44 ;;; http-freshdownload L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=http-freshdownload

45 ;;; exe L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=exe

46 ;;; mp3 L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=mp3

47 ;;; pdf L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=pdf

48 ;;; rar L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=rar

49 ;;; rpm L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=rpm

50 ;;; rtf L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=rtf

51 ;;; tar L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=tar

52 ;;; zip L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=zip

53 ;;; tftp L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=tftp

54 ;;; msn-filetransfer L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=msn-filetransfer

55 ;;; p2p ares L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p ares

56 ;;; p2p gnucleuslan L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p gnucleuslan

57 ;;; p2p napster L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p napster

58 ;;; p2p openftp L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p openftp

59 ;;; p2p soribada L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p soribada

60 ;;; p2p xunlei L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p xunlei

61 ;;; p2p 100bao L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p 100bao

62 ;;; p2p imesh L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p imesh

63 ;;; p2p kugoo L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p kugoo

64 ;;; p2p poco L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p poco

65 ;;; p2p pplive L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p pplive

66 ;;; p2p goboogy L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p goboogy

67 ;;; p2p hotline L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p hotline

68 ;;; p2p mute L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p mute

69 ;;; p2p tesla L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p tesla

70 ;;; p2p bittorrent L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p bit-torrent

71 ;;; p2p blubster
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
p2p=blubster

72 ;;; p2p directconnect L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p direct-connect

73 ;;; p2p edonkey L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p edonkey

74 ;;; p2p gnutella
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p gnutella

75 ;;; p2p soulseek L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p soulseek

76 ;;; p2p warez
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
p2p=warez

77 ;;; p2p winmx
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
p2p=winmx

78 ;;; http-video list
chain=prerouting action=mark-packet new-packet-mark=prio6 passthrough=no
src-address-list=Youtube

79 ;;; p2p fasttrack L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p fasttrack

80 ;;; ??? prio?, ?tcp-flags=syn,ack HTTP and>
TPS port 80, 443
chain=prerouting action=mark-packet new-packet-mark=prio3 passthrough=no
protocol=tcp dst-port=80,443

81 ;;; conn-rate 0-200, conn-byte 0-500k TCP
chain=prerouting action=mark-packet new-packet-mark=prio2
passthrough=yes protocol=tcp connection-bytes=0-500000
connection-rate=0-200k

82 ;;; conn-rate 0-200, conn-byte 0-500k UDP
chain=prerouting action=mark-packet new-packet-mark=prio2
passthrough=yes protocol=udp connection-bytes=0-500000
connection-rate=0-200k

83 ;;; conn-byte=500k-1M TCP
chain=prerouting action=mark-packet new-packet-mark=prio4
passthrough=yes protocol=tcp connection-bytes=500000-1000000

84 ;;; conn-byte=500k-1M UDP
chain=prerouting action=mark-packet new-packet-mark=prio4
passthrough=yes protocol=udp connection-bytes=500000-1000000

85 ;;; conn-byte=1M-0 TCP
chain=prerouting action=mark-packet new-packet-mark=prio5 passthrough=no
protocol=tcp connection-mark=all_conn connection-bytes=1000000-0

86 ;;; conn-byte=1M-0 UDP
chain=prerouting action=mark-packet new-packet-mark=prio5 passthrough=no
protocol=udp connection-mark=all_conn connection-bytes=1000000-0

87 ;;; Mark all downloaded packets from 3 WANs
chain=prerouting action=mark-packet new-packet-mark=all_dw
passthrough=no in-interface=WAN1

88 chain=prerouting action=mark-packet new-packet-mark=all_dw passthrough=no
in-interface=WAN2

89 chain=prerouting action=mark-packet new-packet-mark=all_dw passthrough=no
in-interface=WAN3

[admin@MikroTik] /queue tree> pr
Flags: X - disabled, I - invalid
0 name="Download All" parent=global-in packet-mark=all_dw limit-at=0 priority=1 max-limit=8M burst-limit=0 burst-threshold=0 burst-time=0s

1 X name="Upload All" parent=global-in packet-mark=to_pub limit-at=0 priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

2 name="Prio 1 dw" parent=Download All packet-mark=prio1 limit-at=200k queue=PCQ_download priority=1 max-limit=500k burst-limit=0 burst-threshold=0
burst-time=0s

3 X name="Prio 1 up" parent=Upload All packet-mark=prio1 limit-at=0 queue=PCQ_upload priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

4 name="Prio 2 dw" parent=Download All packet-mark=prio2 limit-at=200k queue=PCQ_download priority=2 max-limit=500k burst-limit=0 burst-threshold=0
burst-time=0s

5 X name="Prio 2 up" parent=Upload All packet-mark=prio2 limit-at=0 queue=PCQ_upload priority=2 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

6 name="Prio 3 dw" parent=Download All packet-mark=prio3 limit-at=0 queue=PCQ_download priority=3 max-limit=8M burst-limit=0 burst-threshold=0 burst-time=0s

7 X name="Prio 3 up" parent=Upload All packet-mark=prio3 limit-at=0 queue=PCQ_upload priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

8 name="Prio 4 dw" parent=Download All packet-mark=prio4 limit-at=0 queue=PCQ_download priority=4 max-limit=5M burst-limit=0 burst-threshold=0 burst-time=0s

9 X name="Prio 4 up" parent=Upload All packet-mark=prio4 limit-at=0 queue=PCQ_upload priority=4 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

10 name="Prio 5 dw" parent=Download All packet-mark=prio5 limit-at=0 queue=PCQ_download priority=5 max-limit=3M burst-limit=0 burst-threshold=0 burst-time=0s

11 X name="Prio 5 up" parent=Upload All packet-mark=prio5 limit-at=0 queue=PCQ_upload priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

12 name="Prio 6 dw" parent=Download All packet-mark=prio6 limit-at=0 queue=PCQ_download priority=6 max-limit=3M burst-limit=0 burst-threshold=0 burst-time=0s

13 X name="Prio 6 up" parent=Upload All packet-mark=prio6 limit-at=0 queue=PCQ_upload priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

14 name="Prio 7 dw" parent=Download All packet-mark=prio7 limit-at=0 queue=PCQ_download priority=7 max-limit=1500k burst-limit=0 burst-threshold=0
burst-time=0s

15 X name="Prio 7 up" parent=Upload All packet-mark=prio7 limit-at=0 queue=PCQ_upload priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

16 name="Prio 8 dw" parent=Download All packet-mark=prio8 limit-at=0 queue=PCQ_download priority=8 max-limit=1500k burst-limit=0 burst-threshold=0
burst-time=0s

17 X name="Prio 8 up" parent=Upload All packet-mark=prio8 limit-at=0 queue=PCQ_upload priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

If max-limit or other limit on queue tree is not specified, does prioritization works?

Chupaka · Wed Oct 07, 2009 4:44 pm

http://wiki.mikrotik.com/wiki/HTB#Priority

btw, 'Mark all downloaded packets from 3 WANs' is actually 'Mark all not marked downloaded packets from 3 WANs' - in previous rules you have passthrough=no

bledar · Wed Oct 07, 2009 5:14 pm

By the way, why I have to specify limitation (CIR, MIR) for queue tree. I do not need to do limitation of traffic or services, I want to give them prioritization.
For ex. if we have 2 services A with 10 packets and B with 20 packets (A prio1 and B prio2), firstly must pass all 10 packets of service A (packets of service B must queued) and than will pass 20 packets of service B.

bledar · Wed Oct 07, 2009 5:23 pm

Sorry, understood

bledar · Wed Oct 07, 2009 5:36 pm

On this example: http://wiki.mikrotik.com/wiki/NetworkPr ... of_Service

add action=mark-packet chain=postrouting comment=QoS dst-port=80,443 new-packet-mark=QoS_1_Up out-interface=ADSL1 packet-size=0-666 passthrough=no protocol=tcp tcp-flags=syn

why packet-size is 0-666, why till 666?

Chupaka · Wed Oct 07, 2009 10:44 pm

I think, 200 would be enough =) key parameter is 'tcp-flags=syn' - it's just prioritization of start of tcp connection

bledar · Thu Oct 08, 2009 10:32 am

[img][i]btw, 'Mark all downloaded packets from 3 WANs' is actually 'Mark all not marked downloaded packets from 3 WANs' - in previous rules you have passthrough=no
[/i][/img]

I put those rules upper than 'services' packets mark, passthrough=yes and seems that works well.

I have no success with .exe downloads packet mark. One mate here told me to mark them with PCC (I already have implemented it).
I don't know how to do that.

[admin@MikroTik] /ip firewall mangle> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=mark-connection new-connection-mark=pub1_conn
passthrough=yes in-interface=WAN1

1 chain=input action=mark-connection new-connection-mark=pub2_conn
passthrough=yes in-interface=WAN2

2 chain=input action=mark-connection new-connection-mark=pub3_conn
passthrough=yes in-interface=WAN3

3 chain=output action=mark-routing new-routing-mark=to_pub1 passthrough=yes
connection-mark=pub1_conn

4 chain=output action=mark-routing new-routing-mark=to_pub2 passthrough=yes
connection-mark=pub2_conn

5 chain=output action=mark-routing new-routing-mark=to_pub3 passthrough=yes
connection-mark=pub3_conn

6 chain=prerouting action=accept dst-address=80.78.75.0/24
in-interface=Local

7 chain=prerouting action=accept dst-address=79.106.3.0/24
in-interface=Local

8 chain=prerouting action=mark-connection new-connection-mark=pub1_conn
passthrough=yes dst-address-type=!local in-interface=Local
per-connection-classifier=both-addresses:3/0

9 chain=prerouting action=mark-connection new-connection-mark=pub2_conn
passthrough=yes dst-address-type=!local in-interface=Local
per-connection-classifier=both-addresses:3/1

10 chain=prerouting action=mark-connection new-connection-mark=pub3_conn
passthrough=yes dst-address-type=!local in-interface=Local
per-connection-classifier=both-addresses:3/2

11 chain=prerouting action=mark-routing new-routing-mark=to_pub1
passthrough=yes in-interface=Local connection-mark=pub1_conn

12 chain=prerouting action=mark-routing new-routing-mark=to_pub2
passthrough=yes in-interface=Local connection-mark=pub3_conn

13 chain=prerouting action=mark-routing new-routing-mark=to_pub3
passthrough=yes in-interface=Local connection-mark=pub2_conn

14 ;;; HIT TRAFFIC FROM PROXY
chain=output action=mark-packet new-packet-mark=proxy-hit passthrough=no
out-interface=Local dscp=4

15 ;;; UP TRAFFIC
chain=prerouting action=mark-packet new-packet-mark=test-up
passthrough=no in-interface=Local

16 ;;; DOWN-DIRECT CONNECTION
chain=forward action=mark-packet new-packet-mark=test-down
passthrough=no out-interface=Local

17 ;;; DOWN-VIA PROXY
chain=output action=mark-packet new-packet-mark=test-down passthrough=no
out-interface=Local

18 ;;; Mark all downloaded packets from 3 WANs
chain=prerouting action=mark-packet new-packet-mark=all_dw
passthrough=yes in-interface=WAN1

19 chain=prerouting action=mark-packet new-packet-mark=all_dw passthrough=ye>
in-interface=WAN2

20 chain=prerouting action=mark-packet new-packet-mark=all_dw passthrough=ye>
in-interface=WAN3

21 ;;; DNS
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
protocol=udp dst-port=53

22 ;;; ICMP
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
protocol=icmp

23 ;;; VOIP
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
src-address=192.168.12.40 in-interface=Local

24 ;;; dns L7
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
layer7-protocol=dns

25 ;;; sip conn type
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
connection-type=sip

26 ;;; stun L7
chain=prerouting action=mark-packet new-packet-mark=prio1 passthrough=no
layer7-protocol=stun

27 ;;; teamfortres2 L7
chain=prerouting action=mark-packet new-packet-mark=prio2 passthrough=no
layer7-protocol=teamfortres2

28 ;;; counter-strike L7
chain=prerouting action=mark-packet new-packet-mark=prio2 passthrough=no
layer7-protocol=counterstrike-source

29 ;;; half-life2 L7
chain=prerouting action=mark-packet new-packet-mark=prio2 passthrough=no
layer7-protocol=half-life2

30 ;;; mohaa L7
chain=prerouting action=mark-packet new-packet-mark=prio2 passthrough=no
layer7-protocol=mohaa

31 ;;; worldofwarcraft L7
chain=prerouting action=mark-packet new-packet-mark=prio2 passthrough=no
layer7-protocol=worldofwarcraft

32 ;;; gif L7
chain=prerouting action=mark-packet new-packet-mark=prio3 passthrough=no
layer7-protocol=gif

33 ;;; flash L7
chain=prerouting action=mark-packet new-packet-mark=prio3 passthrough=no
layer7-protocol=flash

34 ;;; png L7
chain=prerouting action=mark-packet new-packet-mark=prio3 passthrough=no
layer7-protocol=png

35 ;;; yahoo L7
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
layer7-protocol=yahoo

36 ;;; msn L7
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
layer7-protocol=msn

37 ;;; MSN mesengers port 1863 TCP
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
protocol=tcp dst-port=1863

38 ;;; skype to skype L7
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
layer7-protocol=skypetoskype

39 ;;; aim L7
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
layer7-protocol=aim

40 ;;; shoutcast L7
chain=prerouting action=mark-packet new-packet-mark=prio6 passthrough=no
layer7-protocol=shoutcast

41 ;;; http-audio L7
chain=prerouting action=mark-packet new-packet-mark=prio6 passthrough=no
layer7-protocol=http-audio

42 ;;; http-video L7
chain=prerouting action=mark-packet new-packet-mark=prio6 passthrough=no
layer7-protocol=http-video

43 ;;; http L7
chain=prerouting action=mark-packet new-packet-mark=prio3 passthrough=no
layer7-protocol=http

44 ;;; skypeout L7
chain=prerouting action=mark-packet new-packet-mark=prio4 passthrough=no
layer7-protocol=skypeout

45 ;;; ftp L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
connection-type=ftp

46 ;;; http-dap L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=http-dap

47 ;;; http-freshdownload L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=http-freshdownload

48 ;;; exe L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=exe

49 ;;; mp3 L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=mp3

50 ;;; pdf L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=pdf

51 ;;; rar L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=rar

52 ;;; rpm L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=rpm

53 ;;; rtf L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=rtf

54 ;;; tar L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=tar

55 ;;; zip L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=zip

56 ;;; tftp L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=tftp

57 ;;; msn-filetransfer L7
chain=prerouting action=mark-packet new-packet-mark=prio7 passthrough=no
layer7-protocol=msn-filetransfer

58 ;;; p2p ares L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p ares

59 ;;; p2p gnucleuslan L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p gnucleuslan

60 ;;; p2p napster L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p napster

61 ;;; p2p openftp L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p openftp

62 ;;; p2p soribada L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p soribada

63 ;;; p2p xunlei L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p xunlei

64 ;;; p2p 100bao L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p 100bao

65 ;;; p2p imesh L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p imesh

66 ;;; p2p kugoo L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p kugoo

67 ;;; p2p poco L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p poco

68 ;;; p2p pplive L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p pplive

69 ;;; p2p goboogy L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p goboogy

70 ;;; p2p hotline L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p hotline

71 ;;; p2p mute L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p mute

72 ;;; p2p tesla L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p tesla

73 ;;; p2p bittorrent L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p bit-torrent

74 ;;; p2p blubster
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
p2p=blubster

75 ;;; p2p directconnect L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p direct-connect

76 ;;; p2p edonkey L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p edonkey

77 ;;; p2p gnutella
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p gnutella

78 ;;; p2p soulseek L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p soulseek

79 ;;; p2p warez
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
p2p=warez

80 ;;; p2p winmx
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
p2p=winmx

81 ;;; http-video list
chain=prerouting action=mark-packet new-packet-mark=prio6 passthrough=no
src-address-list=Youtube

82 ;;; p2p fasttrack L7
chain=prerouting action=mark-packet new-packet-mark=prio8 passthrough=no
layer7-protocol=p2p fasttrack

83 ;;; ??? prio?, ?tcp-flags=syn,ack HTTP and>
TPS port 80, 443
chain=prerouting action=mark-packet new-packet-mark=prio3 passthrough=no
protocol=tcp dst-port=80,443

84 ;;; conn-rate 0-200, conn-byte 0-500k TCP
chain=prerouting action=mark-packet new-packet-mark=prio2
passthrough=yes protocol=tcp connection-bytes=0-500000
connection-rate=0-200k

85 ;;; conn-rate 0-200, conn-byte 0-500k UDP
chain=prerouting action=mark-packet new-packet-mark=prio2
passthrough=yes protocol=udp connection-bytes=0-500000
connection-rate=0-200k

86 ;;; conn-byte=500k-1M TCP
chain=prerouting action=mark-packet new-packet-mark=prio4
passthrough=yes protocol=tcp connection-bytes=500000-1000000

87 ;;; conn-byte=500k-1M UDP
chain=prerouting action=mark-packet new-packet-mark=prio4
passthrough=yes protocol=udp connection-bytes=500000-1000000

88 ;;; conn-byte=1M-0 TCP
chain=prerouting action=mark-packet new-packet-mark=prio5 passthrough=no
protocol=tcp connection-mark=all_conn connection-bytes=1000000-0

89 ;;; conn-byte=1M-0 UDP
chain=prerouting action=mark-packet new-packet-mark=prio5 passthrough=no
protocol=udp connection-mark=all_conn connection-bytes=1000000-0

Chupaka · Thu Oct 08, 2009 1:55 pm

I put those rules upper than 'services' packets mark, passthrough=yes and seems that works well.

and now you just re-mark packets in the rules below...

bledar · Sat Oct 10, 2009 10:19 am

But how may I do that. Please help me.

Chupaka · Sat Oct 10, 2009 8:26 pm

http://mum.mikrotik.com/presentations/C ... _Megis.pdf - here you can read about two-step shaping

bledar · Tue Oct 13, 2009 4:49 pm

May I use PCQ with rate=x for QoS, traffic prioritization queue tree?

Thank you in advance.

Chupaka · Tue Oct 13, 2009 9:00 pm

well... maybe I don't understand you question, but...
sure, why not =)

wispnz · Wed Oct 14, 2009 4:01 am

Hi Everyone!

I am not a MT pro, not by a long shot, I usually backup my scripts and cut/paste em for any new installs I do ^.^

But in this case I can provide a general solution on how you would proceed to give traffic priority per user per traffic type!

In my case we run a Hotspot for all our sites with multiple wan connections. We do not have guaranteed speeds on our lines either as some are ADSL.

Now our average user usually buys the 1Mbit/128K plan from us. So his/her maximum upload/download is 1M/128K respectively.
So when the user logs on, MT creates a Queue for the user with a max of 1Mbit and 128k up.

To achieve QOS per user you have to go a create a new mangle script that monitors all the specified traffic types on your Hot spot sub net, in my case 10.10.11.2 - 10.10.11.254.
The address we will work with is 10.10.11.2 that our user theoretically gets assigned.

First you have to mark all traffic to and from 10.10.11.2, and call this in_10.10.11.2 and out_10.10.11.2 - we will use this as the parent for out 10.10.11.2 Queue lists.
Next mark the associated traffic for all the addresses in that range eg: HTTP80_DOWN_10.10.11.2 or even shorter HTTP80D_2 and upload HTTP80_UP_10.10.11.2 or shorter HTTP80U_2.
(This is going to be long winded - Someone can make a script to create the manual entries needed for every ip address

)

Now that the firewall marks all 80 incoming and outgoing traffic for ip 10.10.11.2 when any user who connects and gets assigned that address, MT can pass on the marked packets for queuing and prioritization for a prioritization scheme for ip address 10.10.11.2 .

Why do we do this? The reason is when you create a new Traffic prioritization group/queue it will ask you for the parent, here you will select in_10.10.11.12 and for upload out_10.10.11.2.
So create a new Queue list named download_10.10.11.2 and upload_10.10.11.2 . You will have to do this for each ip in your address range. Also assign the priority for all the traffic to and from this address and set the Limit At value, in our case 1Mbit.

Now under your newly created list add the marked http80 traffic. When you add the HTTP80 marked traffic name it HTTP80 and for the parent select download_10.10.11.2 and for packet mark select HTTP80_DOWN_10.10.11.2 (This is the marked traffic from our firewall ). Now you may assign the desired priority for your port 80 download traffic.

Repeat the same procedure for your upload queue for 10.10.11.2 with its Limit At value set to your users max Upload, in our case 128K.

You will use this same procedure to mark all the different traffic types of your choice, pop3, p2p ect.

Why should this work you ask? Why not make a global?
Well for the prioritization to work, it needs to know what its available bandwidth for that user/ip is going to be.
In our case its 1Mbit/128 UP. So now it will know how to best prioritize the marked traffic we have for that user in his own bandwidth pool

So now if you have QOS setup for p2p. 80 etc, when the user is downloading via FTP, and starts surfing the net/gaming, the QOS rules will kick in for that users session giving him a better experience.

This might impact the performance of your MT device a bit more.
If someone can make a nice script for this it would be cool! Also please make improvements!

Kind Regards,
Arno

NetworkPro · Wed Oct 14, 2009 8:54 am

Maybe it will become understandable if you provide WinBox screenshots and config exports.

bledar · Wed Oct 14, 2009 12:21 pm

May I use PCQ with rate=x for QoS, traffic prioritization queue tree?

I mean. Does it have any problem to use PCQ queue types (with rate specified) on queue trees for QoS traffic prioritization?

In some threads here in forum, say that QoS prioritization does not work for download traffic with motive 'the router does not know the amount of data that comes from internet to clients'

Is it true?

Chupaka · Wed Oct 14, 2009 10:16 pm

yes, that's true - he doesn't know =)

so you need to set 'max-limit' also

omidkosari · Thu Oct 22, 2009 11:08 am

if our provider give us for example 50Mbps dedicated bandwidth and sometimes (randomize and without any programmable conditions) give us 10Mbps extra bandwidth , is there a way to use that 10Mbps ? the router configuration is like http://forum.mikrotik.com/viewtopic.php ... 18#p137518 .

NetworkPro · Thu Oct 22, 2009 12:06 pm

Yes, if your provider agrees to DIFFERENTIATE you traffic somehow.

omidkosari · Thu Oct 22, 2009 12:16 pm

Yes, if your provider agrees to DIFFERENTIATE you traffic somehow.

Sorry i did not understand . please explain more .

NetworkPro · Thu Oct 22, 2009 2:50 pm

Hello again. Sorry my previous post was not helpful - I had to leave the PC quickly. And now I have a little time to give you a little know-how on this topic:

The (L3) http://en.wikipedia.org/wiki/DiffServ (or L2 ToS/CoS) technique is designed for this - packets of your guaranteed BW are marked with a certain DSCP when travelling inside of your provider(s) network(s) and as a result - it is not dropped. The other BW that is not guaranteed is marked with a different mark and as a result is the first to get dropped and/or queued when there is congestion somewhere in provider(s) network(s). This is not 100% true for all providers - in fact - you would have to negotiate an agreement with the provider for this.

Basicly u call their admin/tech person and ask them it they can solve your problem which is: you have two types of traffic and you want a cheaper treatment for the second type of traffic. You can ask about DSCP, DiffServ etc. at this point. And the tech guy will tell u - no we can not bla bla our servers bla bla or he will tell u that management havent made a billing plan for this bla bla. So you go to their management guy/your official contact person/sales person etc and you ask very politely and stubbornly for this.

And for example last time my contact person for a certain company for a certain location in Bulgaria told me right away - "our shaper has only two types of traffic treatment - guaranteed and end user" - first expensive like a m07th3rfckr and the second one - usually not guaranteed "but currently overprovisioned" - at least thats what he told me

and they both come in the form of PPPoE connections to different concentrators over the same optic cable. So I had to go with that and certain outgoing connections will be routed over the second PPPoE link in our border router.

And if they had support for DiffServ we would have the problem of traffic going from the world -> to us and differentiating that! If anyone has anything to add please do, please correct me if this is not practical and good. Thanks.

P.S. UPDATE 2012: Many providers have TOS values for "low latency" - ask them what they are and mark your VoIP with that ToS mark so providers routers take care to forward the packets in an expedited manner.

I hope soon they upgrade though so that there is no routing delay and no queueing when routing in their expensive carrier network.

NetworkPro · Thu Oct 22, 2009 3:02 pm

AND: the problem is that when congestion occurs in the provider(s) network they drop all traffic no matter if it is important (certain DSCP mark?, certain type of packet) or not important. So extending the negotiations you can ask whether they are willing to Not drop the important traffic (differentiated in their machines by DSCP) when congestion occurs, going from you to the world. And in the case when traffic is from the world-> to you - they would have to have a powerful machine(s) at their own border (ingress) as classifiers to know what traffic is what.

Anyway lets start a "important packets" WiKi so that people know what not to drop (and not to get queued in a large queue) to dramatically increase Quality of Experience for their customers.

Edit: UPDATE 2012 congestion in a typical carriers network is at the Edge where provided to the customer. A better "CPE" configuration may be needed for specific QoS purpose.

omidkosari · Thu Oct 22, 2009 4:38 pm

Is there a way or trick to solve it at my side ?
Actually if i have not used priority based shaping , i could use incoming interface as the parent of my queues but now i can not .

Chupaka · Thu Oct 22, 2009 4:54 pm

btw, if you're using incoming interface as a parent - you cannot process incoming traffic with that queue

omidkosari · Thu Oct 22, 2009 4:57 pm

So the extra bandwidth should be wasted ? Really there isn't a way to use that (without help of provider) ?

Chupaka · Thu Oct 22, 2009 5:07 pm

how can you have known that you have that extra bandwidth?

omidkosari · Thu Oct 22, 2009 5:15 pm

Sometimes just for testing i increase parent queue max-limit from 50Mbps to 60Mbps and see that it hits 60Mbps . but in that time if there were no extra bandwidth , then the quality will decrease very much.

lukkes · Thu Jan 14, 2010 7:13 am

this works for me

/ip firewall mangle
add action=mark-connection chain=forward comment="" disabled=no new-connection-mark=new_conn passthrough=yes protocol=\
tcp src-port=80
add action=mark-packet chain=forward comment="math first 1mb" connection-bytes=0-1000000 connection-mark=conn disabled=no\ new-packet-mark=browse passthrough=yes
add action=mark-packet chain=forward comment="match above 1mb supose download" connection-bytes=1200000-0 \
connection-mark=conndisabled=no new-packet-mark=download passthrough=yes

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1M max-limit=1M name=download_total parent=Local priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=128k max-limit=1M name=Browsing-128 packet-mark=browse\ parent=download_total priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=80k max-limit=1M name=Download-128 packet-mark=download\ parent=download_total priority=8 queue=default

when somebody is downloading large file above 1mb and somebody new user want to open a web page then the queue down the speed for the first user and give priority to the new user. this is what i understood that you need. sorry if not..

WISP-BG · Tue Mar 09, 2010 2:24 pm

In some of our tests we found that if we mark connection in "prerouting", for example with src. port 80, it is not possible to mark this connection again in "forward" with src. address or list. When we mark packet directly, this is not happen.
Where is the mistake or this is a bug?
Tx

Chupaka · Tue Mar 09, 2010 5:21 pm

should work. please post your test rules

WISP-BG · Tue Mar 09, 2010 7:48 pm

For example:
If we have in prerouting
1 chain=prerouting action=mark-connection new-connection-mark=http passthrough=yes protocol=tcp src-port=80

In forward
2 chain=forward action=mark-connection new-connection-mark=cl-conn passthrough=yes src-address-list=Clients
3 chain=forward action=mark-packet new-packet-mark=cl passthrough=no connection-mark=cl-conn

In this case -2- miss all the connections from/to port 80. You need additional rule:
3 chain=forward action=mark-connection new-connection-mark=cl-conn passthrough=yes protocol=tcp src-port=80

and after that
4 chain=forward action=mark-packet new-packet-mark=cl passthrough=no connection-mark=cl-conn

Chupaka · Wed Mar 10, 2010 1:45 am

are you sure you need src-port=80? maybe dst-port=80?.. or your clients are webservers?..

WISP-BG · Wed Mar 10, 2010 11:26 am

No, it's just an example. But why is this happening? I thought that the two chains are completely independent of each other...
Appears that they are not, or I do not understand something...

janisk · Wed Mar 10, 2010 1:00 pm

look here:
http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram

this is order how packets are processed in RouterOS

Chupaka · Wed Mar 10, 2010 4:12 pm

No, it's just an example. But why is this happening? I thought that the two chains are completely independent of each other...
Appears that they are not, or I do not understand something...

they ARE. but when your clients go to some web server, they send packets with src-address-list=Clients dst-port=80 and src-port=1025-65535 in general. so your 'forward' rule catches those packets

response packets have src-port=80 and dst-addtrss-list=Clients. maybe that is messing you?

WISP-BG · Wed Mar 10, 2010 5:21 pm

No, I know that. You don't understand me...
My point is, when you mark connection for some reason in "prerouting" whit src. port 80 (or else), this connection become unmarkable in "forward" whith src. address. Simply pass through. But it is sufficient to disable the rule in "prerouting", and voila - all connections from or to port 80 are captured again.

NetworkPro · Wed Mar 10, 2010 6:20 pm

My dear colleague, you can let me see the problem in real time (WinBox access) so I could confirm.

Chupaka · Wed Mar 10, 2010 11:16 pm

yep, it would be nice

WISP-BG · Fri Mar 12, 2010 1:55 pm

OK, after several additional tests, I think the problem is that we can't mark same connections simultaneously in "prerouting" and "forward" by different criteria. Packets - yes, but connections - no. Otherwise strange things happen.
So, if you use mark connection -> mark packet in "forward" for shaping, and you want to do marking for prioritization in "prerouting", you should use mark packed only.
May be this is connection tracking related...

And one more question - marking connections correctly in "prerouting", is this possible at all?

Chupaka · Fri Mar 12, 2010 4:25 pm

just a simple test:

/ip firewall mangle
add chain=prerouting src-address=my_ip dst-address=1.2.3.4 action=mark-connection new-connection-mark=test1
add chain=forward connection-mark=test1 action=mark-packet new-packet-mark=test1
add chain=forward src-address=my_ip dst-address=1.2.3.4 action=mark-connection new-connection-mark=test2
add chain=forward connection-mark=test2 action=mark-packet new-packet-mark=test2

when I try 'telnet 1.2.3.4', all these rules count three packets (three retries of connection). so, all is working as expected

what am I doing wrong?

bledar · Tue Mar 16, 2010 4:29 pm

Hello guys.

Do you have any idea or any experience on mangle audio and video messengers traffic (msn,yahoo, skype)?

Thnks.

smile__2006 · Sun Apr 04, 2010 2:21 pm

Hi to all. First of all, sorry may bad English, but it official language is...

How i can understood, to achieve priority of different traffic kinds and per-user-ip-address shaping (limitation) I must do :

\i don`t put all config here to don`t garbage forum)\

-mark connections prerouting, in interface Public passthrough=yes, mark=ALL-down
-mark packets prerouting, connection mark=ALL-down, src-port=80, proto=tcp, new-packet-mark=http-down-browsing, connection-bytes=0-1000000, passthrough=NO
-mark packets prerouting, connection mark=ALL-down, src-port=80, proto=tcp, new-packet-mark=http-down-download, passthrough=NO
..... - other packet marks here by proto, ports, layer7, etc...

queue tree add... parent iface=global-in.... question here... what kind of queue i can use? imho I can`t use pcq because dst-address in prerouting is Public ip of router, not dst-addreses of my clients( so no criteria to deploy pcq queue in my(
no I use ethernet-default queue, but without understanding( also that about queue size.... 1000 users and 100Mb BW...

after that second mangle.. chain=forward, in-iface=Public, out-iface=local... mark connections.... mark packets..... without services now.... packet marks in one rule......after...go in queue tree and shape this mark with pcq to distribute BW
equally over user with dst-address criteria...

its my config, please comment it, is my track true)( ?