I've gone through the "how-to" on the MT home page for the transparent traffic shaper and it worked on 2.9.9. I've upgraded to 2.9.18 and now the
"/interface bridge port set ext,int bridge=bridge" command says invalid item number. I've tried using the item numbers in place and nothing seems to work. Any ideas?
Aaron

1. Create bridge 2. Add interfaces to bridge, ether1 and ether2 are interfaces names Manual and how-to is outdated :cry:

No, this still doesn't work. I renamed the interfaces to public, private respectively. I changed the names back to default and still no go.

I have the same problem on 2.9.6 version.

I have done a lot of shapes on non bridge interfaces and they work fine. However when marking traffic in/out of interface (that is specified to be a bridge port) that traffic is not going into any queue. I tried to use "/queue simple" as explained in howto as well as "/queue tree" queues - No results.

Is there something specific that should be done when shaping traffic on bridge interfaces?

I think I found a solution at least to my problem. When adding interfaces to the bridge, I had to type the "set" command by itself and follow the prompts it provided. I couldn't do it as one whole command line format.
Aaron

Well I have my bridge set up and running, however I can not shape traffic on it.

See out earlier thread over past couple months...you cannot shape properly on a transparent bridge and it must be routed.

SMA

It really looks that I can not shape traffic on a transparent bridge. However it is strange that the guys from MikroTik have posted an article HowTo shape on it! (http://www.mikrotik.com/Documentation/H ... How_shaper)

It really looks that I can not shape traffic on a transparent bridge. However it is strange that the guys from MikroTik have posted an article HowTo shape on it! (http://www.mikrotik.com/Documentation/H ... How_shaper)

I can tell you that I am using a transparent bridge for the main QoS router, but I am running 2.2.28 on it. So to answer your question, it should work. However, I am not seeing the same result on 2.9.18-19. I don't know if the problems are related, but to me they might because of the interaction with a bridge interface.

One thing I am seeing is that I have a router, that is on a tower, and the eth1 interface is the backhaul... I am routing between the eth1 and 3 other (eth2-4) interfaces in a bridge (so I am not the same as a transparent bridge). When I try and create a /queue tree who's parent is the bridge interface, I am getting nothing in the counters, and it doesn't look like it is processing. On the eth1 side of the queues, it does increment properly and they are using the same packet tags as the bridge. I validated my configs with another router (identical setup) running 2.8.28 and it works properly...

I have tried in the /ip firewall mangle rules both prerouting and forward but both rules do not tag the packets properly or the bridge interface queue is missing the packet tags.

Am I beating my head against the wall or am I missing something? I am trying to do VoIP QoS tagging based on my own server IP. The mangle rules are as follows:

add chain=forward src-address=[IPADDRESS] action=mark-packet new-packet-mark="Local VoIP Flow" passthrough=no comment="VoIP" disabled=no
add chain=forward dst-address=[IPADDRESS] action=mark-packet new-packet-mark="Local VoIP Flow" passthrough=no comment="" disabled=no

Eric

Would someone from MT support explain us why MT 2.9.x can not mark packets that are flowing through bridge interfaces? Should we wait for a fix?

Can anyone else verify that a bridged interface cannot increment counters?

Anyone from MikroTik on here?

Eric

Works fine for me. I.e.: marks packets and increments counters as it should ...

My /ip firewall mangle counters do increment, but in the /queue trees do not increment. The queue tree rules I have my parent as the bridge interface and the packet mark as the one in the mangle rules.

Simple test is just IP based. I am trying to do a VoIP prioritization by just using one IP and tag it as my internal VoIP server. Should be a simple example, right? This all works on my 2.8.26-28 versions, but I cannot do the same on 2.9.x.

First, mark packets:
/ ip firewall mangle
add chain=forward src-address=68.77.78.25 action=mark-packet new-packet-mark="Local VoIP Flow" passthrough=no \
comment="VoIP" disabled=no
add chain=forward dst-address=68.77.78.25 action=mark-packet new-packet-mark="Local VoIP Flow" passthrough=no comment="" \
disabled=no

Then Queue them:
/ queue tree
add name="Global - In" parent="Wireless Bridge" packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Global - Out" parent="Ether2 - Backhaul" packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Internet - In" parent="Global - In" packet-mark="" limit-at=0 queue="Internet Global" priority=8 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Internet - Out" parent="Global - Out" packet-mark="" limit-at=0 queue="Internet Global" priority=8 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="VoIP - In" parent="Internet - In" packet-mark="VoIP Flow" limit-at=1500000 queue=VoIP priority=4 \
max-limit=1500000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="VoIP - Out" parent="Internet - Out" packet-mark="VoIP Flow" limit-at=1500000 queue=VoIP priority=4 \
max-limit=1500000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Local - In" parent="Global - In" packet-mark="Local Traffic Flow" limit-at=0 queue=default priority=8 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Local - Out" parent="Global - Out" packet-mark="Local Traffic Flow" limit-at=0 queue=default priority=8 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Local VoIP - In" parent="Local - In" packet-mark="Local VoIP Flow" limit-at=1500000 queue="Local VoIP" \
priority=3 max-limit=3000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Local VoIP - Out" parent="Local - Out" packet-mark="Local VoIP Flow" limit-at=1500000 queue="Local VoIP" \
priority=3 max-limit=3000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

I'm using Mikrotik 2.9.20 using transparant bridge, and every thing work fine. I'm using this config since 2.9.1

I just upgraded to 2.9.22 on my transparent bridge, and I can't seem to get queue trees (pcq) to work at all. I've got it running on an RB500 that is doing routing, but I can't seem to get it working on bridge.

To be more specific, the example in the Wiki seems to only work for upload on my bridge, not download. The example in the manual does not work at all.

Can anybody confirm for SURE that queue trees DO or DO NOT work with a transparent bridge running 2.9.22?

Eric

It DO work.

valens,

Would you post a smidgeon of your config so I can try it on my router? I posted my config, and if you run it through (changing your IP), it may not work for you.

I have the exact config on a 2.8.28 router and it works. I have it on a 2.9.22 router and it does not. Same code, just different versions (syntax).

Eric

valens,

Would you post a smidgeon of your config so I can try it on my router? I posted my config, and if you run it through (changing your IP), it may not work for you.

I have the exact config on a 2.8.28 router and it works. I have it on a 2.9.22 router and it does not. Same code, just different versions (syntax).

Eric

I can confirm that the exact config does not work on my 2.9.22 bridge either.

<another> Eric

Screen Capture:

Code: Select all

[valens@BM] interface> pr
Flags: X - disabled, D - dynamic, R - running 
 #    NAME                         TYPE             RX-RATE    TX-RATE    MTU  
 0  R ether1                       ether            0          0          1500 
 1  R ether2                       ether            0          0          1500 

[valens@BM] interface bridge port> pr
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE BRIDGE  PRIORITY PATH-COST
 0    ether1    bridge1 128      10       
 1    ether2    bridge1 128      10       

[valens@BM] ip firewall mangle> pr
16   ;;; Citraweb Office
     chain=forward src-address=202.0.0.0/26 action=mark-connection 
     new-connection-mark=citraweb-conn passthrough=yes 
17   chain=forward connection-mark=citraweb-conn action=mark-packet new-packet-mark=citraweb-flow 
     passthrough=yes 

[valens@BM] queue tree> pr

 6   name="Internal-Downlink" parent=ether2 packet-mark="" limit-at=0 queue=default priority=1 
     max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s 

 7   name="Internal-Uplink" parent=ether1 packet-mark="" limit-at=0 queue=default priority=1 
     max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s 

115   name="Citraweb-Downlink" parent=Internal-Downlink packet-mark=citraweb-flow limit-at=0 
     queue=default priority=4 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s 

116   name="Citraweb-Uplink" parent=Internal-Uplink packet-mark=citraweb-flow limit-at=0 
     queue=default priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s 

Let me see if I understand this...

First, you packet-mark all packets with mark "citraweb-flow" and all connections with "citraweb-conn".

Then...you create a default queue tree for upload and download, with a max-limit of 384kb (upload) and 512kb (download), a priority of 1 (highest), assigned to the appropriate parent ethernet interface. These queue trees are not assigned to any packet-mark.

Then, you apply "default" queues to all packets marked "citraweb-flow". One, Downlink, has a parent of ether2, and a max-limit half that of ether2, or 256kb. Also, a priority half that of ether2, priority=4. Uplink gets half of ether1's max-limit, or 128kb, and half the priority, also 4.

Now, can I pose a question or two? I don't want to insult, I am just straining to understand.

Why do you use mangle to mark the packets "contraweb-flow", and the connections "contraweb-conn", if, in the config example you give us, you don't use "contraweb-conn" for anything?

Why do you have to setup queues for upload and download assigned with ether1 and ether2, then have to setup additional queues, with the first queues as their parent, for queue trees to work in this example? I think this is the key concept that I am missing in my own config.

Why do the first two queues that have ether1 and ether2 as their parent have max-limits twice that of their child queues?

Why do the two child queues have priorites half that of their parents?

Do the child queues actually do the speed-limiting, or do the first two queues?

Do the customers get 512kb down and 256kb up, or 256kb down and 128kb up?

Could you also use limit-at in addition to max-limit in the child queues? My theory has been that limit-at can be set at 75% of your total bandwidth, and max-limit can be set at 95% of your total bandwidth. This way, customers start to see bandwidth limitation a little before the link becomes saturated, not when it "hits the wall". Am I crazy?

Thanks in advance for any help you can offer.

Eric

Eric, please do not confuse with limit-at, max-limit, priority, or parent in my script. The script I pasted in here only small peace of the whole script in my box. Very complicated if I have to explain one by one.

Answering your question:

1. We are doing connection mark, and then packet mark. This is what conn-mark for. We can not use conn-mark directly in queue tree.

2. In this case, the network will have 256/128 kbps connection.

About the limit-at or max-limit, it's depend on your setting and network.

Guys,

Here is a template that I use to create bandwidth management queues. First it creates the marking rules, then it creates the queues. I use this to manage a number of links from a datacentre, and it works fine with 2.9.17 and bridged interfaces. I also have one for 2.8.x as well.
Let me know if this helps or if you have any suggestions on it, it's as simple as following the instructions at the top, and making sure your interface names are right, or just change them to suit, and setting your throttling values.

## - Do find and replace on SITEADDRESS to insert subnet, must be in the format of xx.xx.xx.0/subnet (24) example 10.1.1.0/24 (This does whole document)
## - Do find and replace on SITECODE to insert site code, should be 3 to 5 letters, such as syd or nrgba (This does whole document)



## *********** ALL RULES MUST REMAIN IN THE ORDER PRESENTED IN THIS TEMPLATE OR SHAPING WILL NOT FUNCTION CORRECTLY **************


## - Change comment on first rule to indicate description of the site that the rules are for, such as "Frankfurt Rules Start"

/ ip firewall mangle

## Citrix Traffic to Site
add chain=forward src-port=2598 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-citrix-out-con comment="Frankfurt Rules Start" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward src-port=445 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic from Site
add chain=forward src-address=SITEADDRESS in-interface=public dst-port=445 protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-in-con comment="" disabled=no passthrough=yes

## Telnet Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=23 protocol=tcp action=mark-connection new-connection-mark=SITECODE-telnet-out-con comment="" disabled=no passthrough=yes

## Thinprint Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=4000 protocol=tcp action=mark-connection new-connection-mark=SITECODE-thinprint-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward connection-mark=SITECODE-fileshare-out-con action=mark-packet new-packet-mark=SITECODE-fileshare-out comment="" disabled=no passthrough=no

## Citrix Traffic to Site
add chain=forward connection-mark=SITECODE-citrix-out-con action=mark-packet new-packet-mark=SITECODE-citrix-out comment="" disabled=no passthrough=no

## Filesharing Traffic from Site
add chain=forward connection-mark=SITECODE-fileshare-in-con action=mark-packet new-packet-mark=SITECODE-fileshare-in comment="" disabled=no passthrough=no

## Telnet Traffic to Site
add chain=forward connection-mark=SITECODE-telnet-out-con action=mark-packet new-packet-mark=SITECODE-telnet-out comment="" disabled=no passthrough=no

## Thinprint Traffic to Site
add chain=forward connection-mark=SITECODE-thinprint-out-con action=mark-packet new-packet-mark=SITECODE-thinprint-out comment="" disabled=no passthrough=no

## Other Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS action=mark-connection new-connection-mark=SITECODE-other-out-con comment="" disabled=no passthrough=yes

## Other Traffic from Site
add chain=forward src-address=SITEADDRESS in-interface=public action=mark-connection new-connection-mark=SITECODE-other-in-con comment="" disabled=no passthrough=yes

## Other Traffic to Site
add chain=forward connection-mark=SITECODE-other-out-con action=mark-packet new-packet-mark=SITECODE-other-out comment="" disabled=no passthrough=no

## Other Traffic from Site
add chain=forward connection-mark=SITECODE-other-in-con action=mark-packet new-packet-mark=SITECODE-other-in comment="" disabled=no passthrough=no




## - Set max-limit figures in each line to the maximum allowable tranfer rate or bandwidth allocation for that service
## - Set limit-at figures to be the CIR or guaranteed rates provided for that service
## - Remove lines for any services not needed, but always leave "Other Traffic" queues in place as a catch-all

/ queue tree
add name="SITECODE-UP" parent=private packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="SITECODE-DOWN" parent=public packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Citrix Traffic to Site
add name="citrix-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-citrix-out limit-at=942000 queue=pfifo priority=1 max-limit=1024000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic to Site
add name="other-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-other-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic from Site
add name="other-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-other-in limit-at=128000 queue=pfifo priority=8 max-limit=768000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Thinprint Traffic to Site
add name="thinprint-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-thinprint-out limit-at=128000 queue=pfifo priority=2 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing Traffic to Site
add name="fileshare-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-fileshare-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing traffic from Site
add name="fileshare-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-fileshare-in limit-at=128000 queue=pfifo priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Telnet Traffic to Site
add name="telnet-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-telnet-out limit-at=8000 queue=red priority=2 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

Regards
Paul

Guys,

Here is a template that I use to create bandwidth management queues. First it creates the marking rules, then it creates the queues. I use this to manage a number of links from a datacentre, and it works fine with 2.9.17 and bridged interfaces. I also have one for 2.8.x as well.
Let me know if this helps or if you have any suggestions on it, it's as simple as following the instructions at the top, and making sure your interface names are right, or just change them to suit, and setting your throttling values.

## - Do find and replace on SITEADDRESS to insert subnet, must be in the format of xx.xx.xx.0/subnet (24) example 10.1.1.0/24 (This does whole document)
## - Do find and replace on SITECODE to insert site code, should be 3 to 5 letters, such as syd or nrgba (This does whole document)



## *********** ALL RULES MUST REMAIN IN THE ORDER PRESENTED IN THIS TEMPLATE OR SHAPING WILL NOT FUNCTION CORRECTLY **************


## - Change comment on first rule to indicate description of the site that the rules are for, such as "Frankfurt Rules Start"

/ ip firewall mangle

## Citrix Traffic to Site
add chain=forward src-port=2598 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-citrix-out-con comment="Frankfurt Rules Start" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward src-port=445 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic from Site
add chain=forward src-address=SITEADDRESS in-interface=public dst-port=445 protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-in-con comment="" disabled=no passthrough=yes

## Telnet Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=23 protocol=tcp action=mark-connection new-connection-mark=SITECODE-telnet-out-con comment="" disabled=no passthrough=yes

## Thinprint Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=4000 protocol=tcp action=mark-connection new-connection-mark=SITECODE-thinprint-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward connection-mark=SITECODE-fileshare-out-con action=mark-packet new-packet-mark=SITECODE-fileshare-out comment="" disabled=no passthrough=no

## Citrix Traffic to Site
add chain=forward connection-mark=SITECODE-citrix-out-con action=mark-packet new-packet-mark=SITECODE-citrix-out comment="" disabled=no passthrough=no

## Filesharing Traffic from Site
add chain=forward connection-mark=SITECODE-fileshare-in-con action=mark-packet new-packet-mark=SITECODE-fileshare-in comment="" disabled=no passthrough=no

## Telnet Traffic to Site
add chain=forward connection-mark=SITECODE-telnet-out-con action=mark-packet new-packet-mark=SITECODE-telnet-out comment="" disabled=no passthrough=no

## Thinprint Traffic to Site
add chain=forward connection-mark=SITECODE-thinprint-out-con action=mark-packet new-packet-mark=SITECODE-thinprint-out comment="" disabled=no passthrough=no

## Other Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS action=mark-connection new-connection-mark=SITECODE-other-out-con comment="" disabled=no passthrough=yes

## Other Traffic from Site
add chain=forward src-address=SITEADDRESS in-interface=public action=mark-connection new-connection-mark=SITECODE-other-in-con comment="" disabled=no passthrough=yes

## Other Traffic to Site
add chain=forward connection-mark=SITECODE-other-out-con action=mark-packet new-packet-mark=SITECODE-other-out comment="" disabled=no passthrough=no

## Other Traffic from Site
add chain=forward connection-mark=SITECODE-other-in-con action=mark-packet new-packet-mark=SITECODE-other-in comment="" disabled=no passthrough=no




## - Set max-limit figures in each line to the maximum allowable tranfer rate or bandwidth allocation for that service
## - Set limit-at figures to be the CIR or guaranteed rates provided for that service
## - Remove lines for any services not needed, but always leave "Other Traffic" queues in place as a catch-all

/ queue tree
add name="SITECODE-UP" parent=private packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="SITECODE-DOWN" parent=public packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Citrix Traffic to Site
add name="citrix-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-citrix-out limit-at=942000 queue=pfifo priority=1 max-limit=1024000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic to Site
add name="other-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-other-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic from Site
add name="other-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-other-in limit-at=128000 queue=pfifo priority=8 max-limit=768000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Thinprint Traffic to Site
add name="thinprint-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-thinprint-out limit-at=128000 queue=pfifo priority=2 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing Traffic to Site
add name="fileshare-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-fileshare-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing traffic from Site
add name="fileshare-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-fileshare-in limit-at=128000 queue=pfifo priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Telnet Traffic to Site
add name="telnet-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-telnet-out limit-at=8000 queue=red priority=2 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

Regards
Paul

Paul,
Maybe you can answer some questions. Why do you need to mark the connection, then use that connection-mark to mark the packets? Why won't Mikrotik just let you mark the packets using packet-mark?

Second, the first two queues are for the public and private interfaces, with the other queues being child queues to these two "master" queues. If I wanted to extend your template to service many different subnets, do I have to recreate these "master" parent queues, or can I re-use them with multiple sets of child queues for each class-C subnet pointed at the the same parents?

Thanks for any light you can shed on this.

Eric

Guys,

Here is a template that I use to create bandwidth management queues. First it creates the marking rules, then it creates the queues. I use this to manage a number of links from a datacentre, and it works fine with 2.9.17 and bridged interfaces. I also have one for 2.8.x as well.
Let me know if this helps or if you have any suggestions on it, it's as simple as following the instructions at the top, and making sure your interface names are right, or just change them to suit, and setting your throttling values.

## - Do find and replace on SITEADDRESS to insert subnet, must be in the format of xx.xx.xx.0/subnet (24) example 10.1.1.0/24 (This does whole document)
## - Do find and replace on SITECODE to insert site code, should be 3 to 5 letters, such as syd or nrgba (This does whole document)



## *********** ALL RULES MUST REMAIN IN THE ORDER PRESENTED IN THIS TEMPLATE OR SHAPING WILL NOT FUNCTION CORRECTLY **************


## - Change comment on first rule to indicate description of the site that the rules are for, such as "Frankfurt Rules Start"

/ ip firewall mangle

## Citrix Traffic to Site
add chain=forward src-port=2598 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-citrix-out-con comment="Frankfurt Rules Start" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward src-port=445 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic from Site
add chain=forward src-address=SITEADDRESS in-interface=public dst-port=445 protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-in-con comment="" disabled=no passthrough=yes

## Telnet Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=23 protocol=tcp action=mark-connection new-connection-mark=SITECODE-telnet-out-con comment="" disabled=no passthrough=yes

## Thinprint Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS dst-port=4000 protocol=tcp action=mark-connection new-connection-mark=SITECODE-thinprint-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward connection-mark=SITECODE-fileshare-out-con action=mark-packet new-packet-mark=SITECODE-fileshare-out comment="" disabled=no passthrough=no

## Citrix Traffic to Site
add chain=forward connection-mark=SITECODE-citrix-out-con action=mark-packet new-packet-mark=SITECODE-citrix-out comment="" disabled=no passthrough=no

## Filesharing Traffic from Site
add chain=forward connection-mark=SITECODE-fileshare-in-con action=mark-packet new-packet-mark=SITECODE-fileshare-in comment="" disabled=no passthrough=no

## Telnet Traffic to Site
add chain=forward connection-mark=SITECODE-telnet-out-con action=mark-packet new-packet-mark=SITECODE-telnet-out comment="" disabled=no passthrough=no

## Thinprint Traffic to Site
add chain=forward connection-mark=SITECODE-thinprint-out-con action=mark-packet new-packet-mark=SITECODE-thinprint-out comment="" disabled=no passthrough=no

## Other Traffic to Site
add chain=forward in-interface=private dst-address=SITEADDRESS action=mark-connection new-connection-mark=SITECODE-other-out-con comment="" disabled=no passthrough=yes

## Other Traffic from Site
add chain=forward src-address=SITEADDRESS in-interface=public action=mark-connection new-connection-mark=SITECODE-other-in-con comment="" disabled=no passthrough=yes

## Other Traffic to Site
add chain=forward connection-mark=SITECODE-other-out-con action=mark-packet new-packet-mark=SITECODE-other-out comment="" disabled=no passthrough=no

## Other Traffic from Site
add chain=forward connection-mark=SITECODE-other-in-con action=mark-packet new-packet-mark=SITECODE-other-in comment="" disabled=no passthrough=no




## - Set max-limit figures in each line to the maximum allowable tranfer rate or bandwidth allocation for that service
## - Set limit-at figures to be the CIR or guaranteed rates provided for that service
## - Remove lines for any services not needed, but always leave "Other Traffic" queues in place as a catch-all

/ queue tree
add name="SITECODE-UP" parent=private packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="SITECODE-DOWN" parent=public packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Citrix Traffic to Site
add name="citrix-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-citrix-out limit-at=942000 queue=pfifo priority=1 max-limit=1024000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic to Site
add name="other-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-other-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic from Site
add name="other-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-other-in limit-at=128000 queue=pfifo priority=8 max-limit=768000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Thinprint Traffic to Site
add name="thinprint-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-thinprint-out limit-at=128000 queue=pfifo priority=2 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing Traffic to Site
add name="fileshare-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-fileshare-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing traffic from Site
add name="fileshare-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-fileshare-in limit-at=128000 queue=pfifo priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Telnet Traffic to Site
add name="telnet-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-telnet-out limit-at=8000 queue=red priority=2 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

Regards
Paul

Paul,
Maybe you can answer some questions. Why do you need to mark the connection, then use that connection-mark to mark the packets? Why won't Mikrotik just let you mark the packets using packet-mark?

Second, the first two queues are for the public and private interfaces, with the other queues being child queues to these two "master" queues. If I wanted to extend your template to service many different subnets, do I have to recreate these "master" parent queues, or can I re-use them with multiple sets of child queues for each class-C subnet pointed at the the same parents?

Thanks for any light you can shed on this.

Eric

I need to add that PJulian's template absolutely, unequivocally, does NOT work under 2.9.23 with bridged interfaces. I've even tried a completely different MT router box. I'm getting really frustrated that NOTHING I do to limit traffic under 2.9.23 with bridged interfaces works.

Eric

Why do you need to mark the connection, then use that connection-mark to mark the packets? Why won't Mikrotik just let you mark the packets using packet-mark?

Eric

If you by any means NAT your connection (either DST-NAT; web-proxy redirect or SRC-NAT), then you must first mark the connections and then mark the flows within that connection. This is why there is a connection-mark and the packet-mark.

Sonny.

Why do you need to mark the connection, then use that connection-mark to mark the packets? Why won't Mikrotik just let you mark the packets using packet-mark?

Eric

If you by any means NAT your connection (either DST-NAT; web-proxy redirect or SRC-NAT), then you must first mark the connections and then mark the flows within that connection. This is why there is a connection-mark and the packet-mark.

Sonny.

Thanks, but, I'm not using NAT at all. Just a transparent bridge. NAT is done upstream by a PIX 525.

Eric

why dont the holy Mt team give us more support ? why dont they put a standard setup for any case we face ? i dont think that the cases will be mor than 10 cases .. actually i see no support at all .

maybe one of you have ever tried to stand mikrotik bridging beetwen router (cisco) and switch (catalyst). Because I could not run traffic shaper on this configuration.

Cisco == Mikrotik bridge == Catalyst

I have setup mangle & it looks can trapping paket. But I couldn't implement it on queue tree.

IMHO, maybe Mikrotik is not smart enough to 'read' packet encapsulated by VLAN protocol (802.1q).

Any opinion guys?

regard's

***miko

read this: http://www.catb.org/~esr/faqs/smart-que ... tml#before

and try to ask your question once again.

read this: http://www.catb.org/~esr/faqs/smart-que ... tml#before

and try to ask your question once again.

I think that I can represent all other guys regarding Questions and solutions to find Answer to ours questions.

There is not a easy way to ask a dificult Question and there is realy
too manny unclear situations in Microtic SW.

Manual will not help beacause in mine opinion manual is OLD and it needs be rewriten.

There is no need of so manny options if there is no manual or they dont work as they should or work but ONLY if they are used sertain way.

And all of us are spending too much time to find solutions witch are sometimes easy only noone have time to distribute the rihgt solutions!

Sugestion to Mikrotik stuff get somebody to prepare FAQ witch should by actual and I think that even you can find someone from this forum there are a lots of peoples witch will by happy to manage such FAQ section and it can help all others to find a right solutions without spending weeks of work.

Martin.

the manual is not old. 99% of the described functions are actual and working, when applied in the explained way. btw, about the FAQ:
http://forum.mikrotik.com/viewtopic.php?t=9957

if you would ask your question in simple terms, explaining the problem, and describing what didn't work in your attempt, we could have already answered it.

I have studied the Transparent Traffic Shaper (TTS) on wiki. A few questions come up.

Why prerouting chain is used instead of forward chain? Is it because of bridging?

What kind of queue do you recommend for TTS? Can I implement PCQ in TTS?

I believe queue tree can't be implemented because the top-level parents are the available interfaces. Since the interfaces are bridged, there is no way to identify the outgoing and incoming interfaces. Am I right here?

Jin [/i]

Why prerouting chain is used instead of forward chain? Is it because of bridging?

because we need to know the marks before the forward chain. see http://www.mikrotik.com/docs/ros/2.9/gr ... flow31.jpg

What kind of queue do you recommend for TTS? Can I implement PCQ in TTS?

depends on your needs. PCQ works fine.

I believe queue tree can't be implemented because the top-level parents are the available interfaces. Since the interfaces are bridged, there is no way to identify the outgoing and incoming interfaces. Am I right here?

Queue tree can accept global-* interfaces as well.

Thanks, Eugene. Let me show my implementation on TTS using PCQ for equal bandwidth sharing. Please comment.
ps. I see others in the early posts using forward chain in TTS, and they claim it works. Can you see why? As you can see I am still uncomfortable about when to use prerouting/forward/postrouting chain.