Hi, I configurated mikrotik but queue is not working on this configuratiton, what is worng?

/interface vlan
add interface=ether1 name=vlan21E1 vlan-id=21
add interface=ether2 name=vlan21E2 vlan-id=21

/interface bridge port
add bridge=bridge1 interface=vlan21E1
add bridge=bridge1 interface=vlan21E2

/queue simple
add max-limit=10M/10M name=queue1 queue=pcq-upload-default/pcq-download-default target=bridge1
or
/queue simple
add max-limit=10M/10M name=queue1 target=bridge1
or
/queue simple
add max-limit=10M/10M name=queue1 queue=default/default target=bridge1
or
/queue simple
add max-limit=10M/10M name=queue1 queue=default/default target=vlan21E1

disable fasttrack in firewall filter rules.

there is no any rule on firewall.

The queue does not catch any traffic if the ports are under the bridge.


/interface vlan

add interface=ether1 name=vlan21E1 vlan-id=21
add interface=ether2 name=vlan21E2 vlan-id=21


/interface bridge port
add bridge=bridge1 interface=vlan21E1
add bridge=bridge1 interface=vlan21E2


/queue simple
add max-limit=10M/10M name=queue1 queue=pcq-upload-default/pcq-download-default target=bridge1

OR

/interface vlan

add interface=bridge1 name=vlan21E2 vlan-id=21


/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2


/queue simple
add max-limit=10M/10M name=queue1 queue=pcq-upload-default/pcq-download-default target=vlan21E2

Disable IP Fasttrack/IP Fast PAth en IP Settings

The queue does not catch any traffic if the ports are under the bridge.

/queue simple
add max-limit=10M/10M name=queue1 queue=pcq-upload-default/pcq-download-default target=bridge1

Hi,

This is normal behavior, simple queues do not operate when an interface is the target, unless it is a point to point interface (ex. PPPoE, L2TP). Use an IP address or IP range instead of an interface.

Thank you for all of your answer,

All of circuits are L2, There is no such ip address and router in our backbone. we can`t use vpls or pseudowire. all devices are l2 switch and connect with the fibre cable. we all want to do rate-limiting all of vlan please click link to see diagram.http://higgs.gen.tr/rate.jpg

Ok, so is it possible to tagged vlan base qos on mikrotik switches?

I am unsure but... what if you enable "use-ip-firewall" for those bridges? Thing is, that Simple queue is applied in input/postrouting, which is L3 (see packet flow diagram). However, when you bridge two interfaces, it will be pure L2 connection. I haven't try that but maybe, maybe... it will work? Give it try

I am unsure but... what if you enable "use-ip-firewall" for those bridges? Thing is, that Simple queue is applied in input/postrouting, which is L3 (see packet flow diagram). However, when you bridge two interfaces, it will be pure L2 connection. I haven't try that but maybe, maybe... it will work? Give it try

It`s not working, I see traffic under the queue but less than reall traffic. reall traafic 500-600 Mbp/s but queue catches just 2-3 Mbp/s.

That sounds like fasttrack enabled Fasttracked connections are "fast" because they skip firewall, queues, etc... There are still some packets going through the slow way, but it is just small percentage. Due to that, you can't see whole "forward" traffic in your queue. Try to disable firewall rule which says "action=fasttrack". Then, you should see full traffic going through.

As you were talking only about L2 bridging, I didn't expect you have defined forward rules in your firewall. Please, make sure your changes will not interfere with some other function of the router. (Disabling "fasttrack" rule should not break anything but it may decrease throughput of your router. That is not fault/error. It is just consequence of requested function) (See Edit2)

Edit: Also, keep in mind please that you can't select which bridge will use IP firewall and which will not. Sometime it is better to use more devices - one for each purpose, instead of trying to fit everything into one device.

Edit2: I just tested it and realized that you cant possibly do queue on bridge directly because there is no way to determine which direction is upload/download. you need to apply it to one or more interfaces connected to it. I tested it right now and it works. FIY: when setting rates, download = ingress, upload = exgress. Therefore, if you configure it on interface facing towards your clients, upload queue will affect client's download (and vice versa)

Thank you for all of your answer,

All of circuits are L2, There is no such ip address and router in our backbone. we can`t use vpls or pseudowire. all devices are l2 switch and connect with the fibre cable. we all want to do rate-limiting all of vlan please click link to see diagram.http://higgs.gen.tr/rate.jpg

You can rate-limit VLANs with queue trees instead of simple queues. You don't need to have "use ip firewall" enabled if you use queue trees, that setting will put a heavy load on the router.

@mducharme: are you sure it will work on interface which is bridged? I tried to set it up and it does not seem to be working (queues are enabled but counters do not increase and limiting does not occur): I tried to follow https://wiki.mikrotik.com/wiki/Manual:HTB but their examples are overcomplicated (for basic proof-of-concept I don't want to work with mangle and marks) yet incomplete (bridging and interface setting is not specified).
Could you please point out what is wrong in my code or if there is some typical catch for queue trees?

Could you please point out what is wrong in my code or if there is some typical catch for queue trees?

Yes, I am sure - I believe it isn't working for you because you are missing the setting "packet-mark=no-mark" from the queue trees.

Having packet mark unset is only a valid configuration where that queue tree has child queues and those child queues are set to match specific packet marks. If a queue tree has no children it must have a packet mark set in order to work; if packet-mark is unset, then it will not do anything.

Excelent point! That was it!
I didnt really think this way - I expected that when packet-mark is unset, it will simply cover all packets (both marked and unmarked)
Really big thanks. With this knowledge, OP should have no issues to set up queues correctly.

it is working on egress side if you select "packet marks = no-mark"

/interface bridge
add fast-forward=no name=bridge_vlan21

/interface vlan
add interface=ether1 name=vlan21_eth1 vlan-id=21
add interface=sfp1 name=vlan21_sfp1 vlan-id=21

/queue tree
add limit-at=10M max-limit=10M name=vlan21_Sfp1 packet-mark=no-mark parent=vlan21_sfp1
add limit-at=10M max-limit=10M name=Vlan21_Eth1 packet-mark=no-mark parent=vlan21_eth1

/interface bridge port
add bridge=bridge_vlan21 interface=vlan21sfp
add bridge=bridge_vlan21 interface=vlan21eth1

it is working on egress side if you select "packet marks = no-mark"

Good! Queue trees only control egress. If you want to control ingress, a workaround is to put a queue tree on a different interface or different device. We put a queue tree on our core router to control customer download and a queue tree on the CPE to control customer upload. You could also control customer upload on the same router with a queue tree facing the other way (i.e. a queue tree on the interface facing the Internet), it is more complicated because that queue tree would need to use individual marks most likely to distinguish between your different customers..