Beccara
Long time Member
Topic Author
Posts: 606
Joined: Fri Apr 08, 2005 3:13 am

Help with Mangle for QOS

Sun Jan 08, 2006 9:37 am

Hi all,

I'm putting QoS in place on our edge router and I'm trying to achieve the following.

With mangle I want to mark the connections and packets of the following:

dns
http/https
email
everything else
p2p

and then place those marked packets into a queue with the following priority:

Dns = 1
http/https =2
email = 2
everything else = 7
p2p = 8

The trouble I'm having is that as soon as I add a rule to mangle everything that isn't picked up by the other rules, it starts picking everything up, including those packets and connections that should be under other rules.

Here's my mangle list:

[admin@Edge] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns-con passthrough=yes
1 chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns-con passthrough=yes
2 chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http-con passthrough=yes
3 chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=http-con passthrough=yes
4 chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email-con passthrough=yes
5 chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email-con passthrough=yes
6 chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p-con passthrough=yes
7 chain=prerouting p2p=!all-p2p action=mark-connection new-connection-mark=everything-con passthrough=yes
8 chain=prerouting connection-mark=dns-con action=mark-packet new-packet-mark=dns passthrough=yes
9 chain=prerouting connection-mark=http-con action=mark-packet new-packet-mark=http passthrough=yes
10 chain=prerouting connection-mark=email-con action=mark-packet new-packet-mark=email passthrough=yes
11 chain=prerouting connection-mark=everything-con action=mark-packet new-packet-mark=everything passthrough=yes
12 chain=prerouting connection-mark=p2p action=mark-packet new-packet-mark=p2p passthrough=yes

Anyone know how I can mark connections and traffic that aren't picked up by the other rules?

Cheers
 
raenius
just joined
Posts: 13
Joined: Thu Dec 29, 2005 12:15 am

Tue Jan 17, 2006 8:59 am

Have you figured this out yet? I'm trying to do something similar.
 
yancho
Member Candidate
Posts: 207
Joined: Tue Jun 01, 2004 3:04 pm
Location: LV

Tue Jan 17, 2006 11:58 am

/ip firewall mangle
# all p2p
add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p-con passthrough=yes
add chain=prerouting connection-mark=p2p-con action=mark-packet new-packet-mark=p2p passthrough=no
# dns
add chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns-con passthrough=yes
add chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns-con passthrough=yes
add chain=prerouting connection-mark=dns-con action=mark-packet new-packet-mark=dns passthrough=no
# http (maybe you should add port 8080 also)
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http-con passthrough=yes
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=http-con passthrough=yes
add chain=prerouting connection-mark=http-con action=mark-packet new-packet-mark=http passthrough=no
# email (POP3S (secure) uses port 995, IMAP - 143, IMAPS - 993)
add chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email-con passthrough=yes
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email-con passthrough=yes
add chain=prerouting connection-mark=email-con action=mark-packet new-packet-mark=email passthrough=no
# this should mark everything else
add chain=prerouting action=mark-connection new-connection-mark=everything-con passthrough=yes
add chain=prerouting connection-mark=everything-con action=mark-packet new-packet-mark=everything passthrough=yes
 
Beccara
Long time Member
Topic Author
Posts: 606
Joined: Fri Apr 08, 2005 3:13 am

Tue Jan 17, 2006 1:23 pm

Hmm, I tried the whole "no passthrough" thing, but as soon as the packet was marked it wouldn't follow the mark-connection side of the rules. Ideas?
 
joeri91942
Frequent Visitor
Posts: 88
Joined: Thu Mar 31, 2005 12:31 pm
Location: Sundsvall, Sweden

Wed Jan 18, 2006 9:42 am

Uhm.... passthrough=no is the way to go. Here are parts of my config (I've deleted lines and config statements to bring it down to a readable size):

/ip fire mang exp
add chain=prerouting dst-address=192.168.2.40 protocol=tcp dst-port=5061 action=mark-connection new-connection-mark=voip-con passthrough=yes disabled=no
add chain=prerouting dst-address=192.168.2.40 protocol=udp dst-port=5061 action=mark-connection new-connection-mark=voip-con passthrough=yes disabled=no
add chain=prerouting dst-address=192.168.2.40 protocol=tcp dst-port=19000-20000 action=mark-connection new-connection-mark=voip-con passthrough=yes comment="" disabled=no
add chain=prerouting dst-address=192.168.2.40 protocol=udp dst-port=19000-20000 action=mark-connection new-connection-mark=voip-con passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=voip-con action=mark-packet new-packet-mark=voip passthrough=no comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=slask passthrough=yes comment="" disabled=no
add chain=prerouting dst-address=10.11.2.77 action=mark-packet new-packet-mark=slask passthrough=yes comment="" disabled=no
add chain=prerouting src-address=10.11.2.77 action=mark-packet new-packet-mark=slask passthrough=yes comment="" disabled=no


/ queue tree
add name="1 VOIP Prio" parent=global-total packet-mark=voip priority=1 disabled=no
add name="3 Sat" parent=global-in packet-mark=sat priority=3 disabled=no
add name="8 Slask" parent=global-total packet-mark=slask priority=8 disabled=no

/que tre pr st
Flags: X - disabled, I - invalid
0 name="1 VOIP Prio" parent=global-total packet-mark=voip limit-at=0 rate=1048 packet-rate=0 queued-bytes=0 queued-packets=0 bytes=2479767116 packets=11798027 dropped=0 overlimits=0 lends=364140 borrows=11433887
1 name="8 Slask" parent=global-total packet-mark=slask limit-at=0 rate=43008 packet-rate=55 queued-bytes=0 queued-packets=0 bytes=98575037754 packets=123904091 dropped=21 overlimits=0 lends=1146578 borrows=122757433
2 name="3 Sat" parent=global-in packet-mark=sat limit-at=0 rate=352 packet-rate=0 queued-bytes=0 queued-packets=0 bytes=6736306442 packets=62360095 dropped=0 overlimits=0 lends=786613 borrows=61573482

As you can see, it clearly uses the proper queue for tagged traffic.

/Jörgen
 
Beccara
Long time Member
Topic Author
Posts: 606
Joined: Fri Apr 08, 2005 3:13 am

Thu Jan 19, 2006 4:38 am

Thank you VERY VERY much for this, it's helped a lot - I can see the order of my rules was incorrect.
 
joeri91942
Frequent Visitor
Posts: 88
Joined: Thu Mar 31, 2005 12:31 pm
Location: Sundsvall, Sweden

Thu Jan 19, 2006 9:26 am

You're welcome, it feels good to be able to help!

/Jörgen
 
conchalnet
Member Candidate
Posts: 274
Joined: Thu Nov 03, 2005 1:44 pm
Location: Brazil

Thu Jan 19, 2006 1:23 pm

joeri91942

What does the passthrough do?

I want to put the QoS on my bridge... will I need to change the prerouting to the forward chain?

Thanks

Fabrício
 
Charlie Whiskey
just joined
Posts: 24
Joined: Wed Nov 16, 2005 7:45 am

Thu Jan 19, 2006 2:53 pm

The manual says:

"passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets"
 
joeri91942
Frequent Visitor
Posts: 88
Joined: Thu Mar 31, 2005 12:31 pm
Location: Sundsvall, Sweden

Thu Jan 19, 2006 2:54 pm

My understanding of passthrough is as follows:

All packets flow through each chain, starting with the first rule and continuing on to the next rule UNLESS the packet is matched in a rule AND the passthrough option is set to no. If the option is set to no, then the packet is kicked out of the chain it was in and passed on to the next step in the packet handling.

This means that if you do not use passthrough=no, then all later rules will do something with the packet if it matches the criteria for any subsequent rule; real bad if you have a final rule that drops everything or similar :-)

So... if you want to have a ruleset for handling three types of traffic, high-prio - medium prio - low prio, then you would need to do this in the following order (this is based on my setup using masq on all outgoing traffic and dst-nat on all incoming, no bridging):

1 - connection mark high-prio connections based on src IP / dst IP / interface / port / whatever, option passthrough=yes so that they will reach next rule
2 - mark all packets having high-prio connection mark with a high-prio packet mark, option passthrough=no. This kicks out all packets with the high-prio connection mark

any packets coming here did NOT match the above rules
3 - connection mark medium-prio connections based on src IP / dst IP / interface / port / whatever, option passthrough=yes so that they will reach next rule
4 - mark all packets having medium-prio connection mark with a medium-prio packet mark, option passthrough=no. This kicks out all packets with the medium-prio connection mark

any packets coming to this step did not match ANY of the above rules
5 - mark all packets with low-prio packet mark (last and final rule, no need for passthrough and everything that comes here are lowest prio so mark everything)

Next, create three rules in the queue tree
1 - packet mark high-prio / priority 1
2 - packet mark medium-prio / priority 4
3 - packet mark low-prio / priority 8
You could of course use priority 1, 2, 3, but this leaves some room for additional levels to be added.

For bridging I am not quite sure what chain to use.... but start up winbox, place all the relevant counter windows so you see them and try it, change a rule here and a rule there and watch how many packets are counted in each mangle rule (winbox / ip / firewall / mangle).

Hope this helps

/Jörgen
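The ordering that both yancho's ruleset and the post above describe can be checked without a router. The following is an added example, not code from the thread or from MikroTik: a minimal model of top-down mangle evaluation (one chain, mark-connection and mark-packet actions, passthrough yes/no) run against a constructed DNS packet, first with the first post's ordering and then with the per-class "mark-connection passthrough=yes, mark-packet passthrough=no" ordering. Rule and packet fields are simplified assumptions, not RouterOS syntax.

```python
# Added example: simplified model of RouterOS mangle chain evaluation (not real RouterOS code).
# A packet walks the chain top-down; a matching rule applies its mark, and passthrough=no
# ends the walk. The connection mark set earlier in the chain is visible to later rules.

def matches(rule, pkt, conn_mark):
    """True when every matcher on the rule agrees with the packet / current connection mark."""
    for key, want in rule["match"].items():
        have = conn_mark if key == "conn_mark" else pkt.get(key)
        if have != want:
            return False
    return True

def run_chain(rules, pkt):
    """Return (connection_mark, packet_mark) the packet leaves the chain with."""
    conn_mark, pkt_mark = None, None
    for rule in rules:
        if not matches(rule, pkt, conn_mark):
            continue
        if rule["action"] == "mark-connection":
            conn_mark = rule["mark"]
        else:
            pkt_mark = rule["mark"]
        if not rule["passthrough"]:
            break                     # passthrough=no: leave the chain here
    return conn_mark, pkt_mark

def mc(mark, **match):                # mark-connection, always passthrough=yes here
    return {"match": match, "action": "mark-connection", "mark": mark, "passthrough": True}

def mp(mark, passthrough, **match):   # mark-packet, passthrough chosen per rule
    return {"match": match, "action": "mark-packet", "mark": mark, "passthrough": passthrough}

# First-post ordering, cut down to the DNS, p2p and catch-all rules. p2p=False stands
# for 'p2p=!all-p2p', which also matches DNS and overwrites its connection mark.
ORIGINAL = [
    mc("dns-con", proto="udp", dport=53),
    mc("p2p-con", p2p=True),
    mc("everything-con", p2p=False),
    mp("dns", True, conn_mark="dns-con"),
    mp("everything", True, conn_mark="everything-con"),
    mp("p2p", True, conn_mark="p2p-con"),
]

# Recommended ordering: per class, mark-connection then mark-packet with passthrough=no,
# and an unconditional catch-all only at the very end.
FIXED = [
    mc("p2p-con", p2p=True),                 mp("p2p", False, conn_mark="p2p-con"),
    mc("dns-con", proto="udp", dport=53),    mp("dns", False, conn_mark="dns-con"),
    mc("everything-con"),                    mp("everything", True, conn_mark="everything-con"),
]

DNS_QUERY = {"proto": "udp", "dport": 53, "p2p": False}    # constructed sample packets
OTHER = {"proto": "tcp", "dport": 8443, "p2p": False}

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "dns ->", run_chain(chain, DNS_QUERY), "other ->", run_chain(chain, OTHER))
```

With the first ordering the DNS packet leaves with the "everything" packet mark, which is exactly the symptom in the opening post; with the fixed ordering it keeps "dns" and only unmatched traffic falls through to the catch-all.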
 
joeri91942
Frequent Visitor
Posts: 88
Joined: Thu Mar 31, 2005 12:31 pm
Location: Sundsvall, Sweden

Thu Jan 19, 2006 2:58 pm

The manual says:

"passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets"
Yes.... however, if you look at the detailed explanation in the manual, it states the following:

passthrough (yes | no; default: yes) - whether to let the packet to pass further (like action passthrough) after marking it with a given mark (property only valid if action is mark packet, connection or routing mark)

So the short and the long explanation don't quite agree :-)

/Jörgen
 
conchalnet
Member Candidate
Posts: 274
Joined: Thu Nov 03, 2005 1:44 pm
Location: Brazil

Thu Jan 19, 2006 3:03 pm

Thanks Jörgen

Your explanation was great...