FastTrack-Friendly QoS Script

mducharme · Tue Oct 11, 2016 7:09 am

Hi all,

Here is my FastTrack-friendly QoS script, based on one made by IntrusDave. It supports IPv4 and IPv6, and uses DSCP markings to match packets. It is fasttrack-friendly, but does not require fasttrack.

The mappings of IP precedence values to queues is in line with Cisco's AVVID 802.1p UP-Based Traffic Types, used for wireless networks, and compatible with wireless priority from MikroTik and other vendors

To retain compatibility with FastTrack, it uses interface-attached HTB rather than global-attached (fasttracked packets bypass global HTB, but are still queued by interface HTB). The inbound WAN (download) rate queueing is implemented as outbound queueing on the internal interface, since interface-attached HTB only works for egress. This is fine for many home-use scenarios where there is only one LAN subnet and only one WAN subnet.

With this solution, any traffic that is left at DSCP 0 (Best Effort) will be fasttracked; other traffic will need to bypass fasttrack to get proper priority. Of course, in many cases, most traffic will not be tagged already. If you need to manually tag traffic, this can be done by bypassing fasttrack on only the packets you need to tag (by creating an 'accept' rule for that traffic (also matching connection-state=established,related) just above the fasttrack rule). Then you can add mangle rules to set DSCP tags on those packets, and place those mangle rules at the top of the list, above the other mangle rules created by this script.

You'll need to copy and paste the script into scripts (system->scripts->new (+)->paste), change the upload and download bandwidth and inbound and outbound interface names at the top to match your settings, and run the script. (the bandwidths should be slightly less than what you normally receive as your maximum)

# this is based on IntrusDave's QoS script, but modified
# qosClasses are largely based on Cisco Wireless QoS mappings/guide

#Set outbound (WAN) interface here
:local outboundInterface "ether1"

#Set UPLOAD bandwidth of the outbound (WAN) interface
:local outInterfaceBandwidth 4900k

#Set inbound (LAN) interface here
:local inboundInterface "bridge"

#Set DOWNLOAD bandwidth of the outbound (WAN) interface
:local inInterfaceBandwidth 34500k

#Set type of queue here
:local queueType wireless-default

#Set where in the chain the packets should be mangled
:local mangleChain postrouting

#Don't mess with these. They set the parameters for what is to follow
:local queueName ("QoS_" . $outboundInterface)
:local inQueueName ("QoS_" . $inboundInterface)
# qosClasses from highest to lowest priority
:local qosClasses [:toarray "Network Control (Top Priority),Internetwork Control (High Priority),Voice (Medium-High Priority),Interactive Video (Medium Priority),Critical Data or Call Signaling (Medium-Low Priority),Best Effort (Low Priority),Background (Very Low Priority),Scavenger (Bottom Priority)"]
# maps queue priorities from highest to lowest to IP precedence values
:local priorityToIpPrecedenceMappings [:toarray "7,6,5,4,3,0,2,1"]
# queue priority used for best effort traffic (IP precedence 0)
:local beQueuePriority 6

/ip firewall mangle add action=set-priority \
   chain=postrouting new-priority=from-dscp-high-3-bits \
   passthrough=yes comment="Respect DSCP tagging"
/ip firewall mangle add action=set-priority \
   chain=postrouting new-priority=6 packet-size=0-123 \
   passthrough=yes protocol=tcp tcp-flags=ack comment="Prioritize ACKs"
/ip firewall mangle add action=accept \
   chain=postrouting priority=0 \
   comment="IP Precedence (aka Packet Priority) 0 - Best Effort (Low Priority) (default)"


:for indexA from 1 to 7 do={
    :local qosIndex (7-$indexA)
    # skip best effort in list
    :if ($indexA <= (8-$beQueuePriority)) do={ :set qosIndex (8-$indexA) }
    :local subClass ([:pick $qosClasses $qosIndex] )
    /ip firewall mangle add action=mark-packet chain=$mangleChain comment=("IP Precedence (aka Packet Priority) " . $indexA . " - " . $subClass . " (apply packet mark ip_precedence_" . $indexA . ")") \
         disabled=no priority=($indexA) new-packet-mark=("ip_precedence_" . $indexA) passthrough=no
}

:if ([/system package find name=ipv6 disabled=no] = "") do={
    :log info "IPv6 package is not installed - skipping IPv6 mangle rules";
} else={

   :for dscpValue from 0 to 7 do={
   /ipv6 firewall mangle add action=accept \
      chain=postrouting dscp=$dscpValue \
      comment="IP Precedence 0 (DSCP $dscpValue) - Best Effort (Low Priority) (default)"
   }

   :for indexA from 1 to 7 do={
       :local qosIndex (7-$indexA)
       # skip best effort in list
       :if ($indexA <= (8-$beQueuePriority)) do={ :set qosIndex (8-$indexA) }
       :local subClass ([:pick $qosClasses $qosIndex] )
       :for dscpValue from ($indexA*8) to (($indexA*8)+7) do={
       /ipv6 firewall mangle add action=mark-packet chain=$mangleChain comment=("IP Precedence " . $indexA . " (DSCP " . $dscpValue . ") - " . $subClass . " (apply packet mark ip_precedence_" . $indexA . ")") \
            disabled=no dscp=$dscpValue new-packet-mark=("ip_precedence_" . $indexA) passthrough=no
       }
   }

}

/queue tree add max-limit=$outInterfaceBandwidth name=$queueName parent=$outboundInterface comment="Uplink QoS" queue=$queueType
:for queuePriority from=1 to=8 do={
   :local qosIndex ($queuePriority-1)
   :local subClass ([:pick $qosClasses $qosIndex] )
   :local ipPrecedence ([:pick $priorityToIpPrecedenceMappings $qosIndex])
   :local ipPrecedenceMark ("ip_precedence_" . $ipPrecedence)
   :if ($ipPrecedence = "0") do={ :set ipPrecedenceMark ("no-mark") }
   /queue tree add \ 
      name=("IP Precedence " . $ipPrecedence . ". " . $subClass . " - " . $outboundInterface ) \
      parent=$queueName \
      priority=($queuePriority) \
      queue=$queueType \
      packet-mark=$ipPrecedenceMark \
      comment=("Queue Priority " . $queuePriority)
}

/queue tree add max-limit=$inInterfaceBandwidth name=$inQueueName parent=$inboundInterface comment="Downlink QoS" queue=$queueType
:for queuePriority from=1 to=8 do={
   :local qosIndex ($queuePriority-1)
   :local subClass ([:pick $qosClasses $qosIndex] )
   :local ipPrecedence ([:pick $priorityToIpPrecedenceMappings $qosIndex])
   :local ipPrecedenceMark ("ip_precedence_" . $ipPrecedence)
   :if ($ipPrecedence = "0") do={ :set ipPrecedenceMark ("no-mark") }
   /queue tree add \ 
      name=("IP Precedence " . $ipPrecedence . ". " . $subClass . " - " . $inboundInterface ) \
      parent=$inQueueName \
      priority=($queuePriority) \
      queue=$queueType \
      packet-mark=$ipPrecedenceMark \
      comment=("Queue Priority " . $queuePriority)
}

Then, if you are using fasttrack, to allow DSCP-tagged packets to be classified properly, bypass fast-track for those packets by adding the following:

/ip firewall filter add action=accept chain=forward comment="Bypass fasttrack for non-zero DSCP" connection-state=established,related dscp=!0

Move that filter just *BEFORE* your fast-track rule! All DSCP-marked packets will then be queued appropriately, and DSCP 0 packets fast-tracked. Fast-tracked packets are all placed in the best effort queue.

naylynnaung · Wed Oct 12, 2016 8:08 pm

Thanks for your script. I change the necessary values in your script just like you said. My network use PPPOE connection to my ISP. So, I change the outbound interface to PPPOE, which is the name of the interface I set in my configuration. It is actually virtual interface which use ether 1 interface. I set upload speed to 512k and download speed to 1024k. I think I can see the significant improvements in my network. However, I think some of the mangle rules are not match. Because I look at the bytes. Some of the mangle rules not match yet. Why? The rules not match are,

Background
Critical Data
Interactive Video
Voice
Network Control

They seems to not match. Why?

Please help me.

mducharme · Wed Oct 12, 2016 8:37 pm

Thanks for your script. I change the necessary values in your script just like you said. My network use PPPOE connection to my ISP. So, I change the outbound interface to PPPOE, which is the name of the interface I set in my configuration. It is actually virtual interface which use ether 1 interface. I set upload speed to 512k and download speed to 1024k. I think I can see the significant improvements in my network. However, I think some of the mangle rules are not match. Because I look at the bytes. Some of the mangle rules not match yet. Why? The rules not match are,

Background
Critical Data
Interactive Video
Voice
Network Control

They seems to not match. Why?

Please help me.

This matches traffic that is already tagged with DSCP tags. If your traffic has no tag, you can create your own mangle rules to match the traffic and apply a relevant DSCP tag at the top of the mangle list, above the other rules. Then when it hits that rule, it will match the DSCP and will get placed into the proper queue.

If you use fasttrack, you might also need to create a regular firewall rule to bypass fasttrack for for the traffic you need DSCP applied to. At your low bandwidth though, you probably do not need fasttrack.

naylynnaung · Wed Oct 12, 2016 9:06 pm

How to do? I'm very new to MikroTik. I'm not familiar with terms and options. Please guide me step by step if you can. Please. I want all of your mangle rules to match and used. Also, please check my mangle page that I attached. Thanks.

Wed Oct 12, 2016 9:28 pm

Nice QoS support script.

One question though:
It's my understanding that fasttrack skips pretty much everything in the packet forwarding process - including firewall and queues.
So wouldn't a fasttracked connection simply skip over all of this?

naylynnaung · Wed Oct 12, 2016 9:41 pm

Do I need to set DSCP values also in every mangles?
When I run the script, the priority 1 to 7 do not have DSCP values. Only the priority 0 have DSCP. Other 7 priority only have priority values not DSCP values.
In your codes, there is some lines with "$dscp". What that mean? I think I have problem with DSCP values now.
Please help me. Only DSCP values.
Thanks. I don't have any DSCP values in Priority 1 to 7. Why?

Wed Oct 12, 2016 10:09 pm

Do I need to set DSCP values also in every mangles?
When I run the script, the priority 1 to 7 do not have DSCP values. Only the priority 0 have DSCP.

No - the priority is derived from DSCP.
Note the very first mangle rule created by this script:

add action=set-priority chain=postrouting new-priority=from-dscp-high-3-bits passthrough=yes

This means that the router will examine each IP packet after the routing decision has been made, and use the top 3 bits of the DSCP field (which itself is the top 6 bits of the TOS byte) and use those three bits to set the priority. This is the standard for DSCP anyway - it is laid out so that the top 3 bits of the various DSCP values will map to an "IP precedence" value 0..7

So basically, if a packet comes along, having an IP precedence value of 4, the mangle rule will set the packet priority to 4 as well. This priority is what the remaining mangle rules will use to match the packets and put packet marks on them.

@mducharme: One other thing I noticed is that the Best Effort mark requires both dscp=0 and priority=0. Why did you specify dscp=0 as a criteria in this rule? There are a few possible DSCP values which still map to IP precedence 0, and those packets would fall through the mangle table un-marked... which I suppose is not going to affect which queue they hit since the BE queue is matching un-marked packets, but the stickler in me sees these packets being forced to compare against all rules and not just quick-exiting at the beginning with the rest of the BE traffic.

naylynnaung · Wed Oct 12, 2016 10:19 pm

Still. I got some mangle rules not matched. Why? You can check my above attached screenshot. Some mangles are 0 bytes. Also there is one thing. Some syntax error have in this chunk of code

:if ([/system package find name=ipv6 disabled=no] = "") do={
:log info "IPv6 package is not installed - skipping IPv6 mangle rules";
} else={

:for dscpValue from 0 to 7 do={
/ipv6 firewall mangle add action=accept \
chain=postrouting dscp=$dscpValue \
comment="IP Precedence 0 (DSCP $dscpValue) - Best Effort (Low Priority) (default)"
}

In the final line, comment="IP Precedence 0 (DSCP $dscpValue) - Best Effort (Low Priority) (default)"
What is that "$" sign. The system said it is wrong with red cursor.
I can only run the script when I delete that "$" sign.
I'm afraid that some functionality might be missed.
Educate me. Thanks

Wed Oct 12, 2016 10:50 pm

Still. I got some mangle rules not matched. Why?

This is probably normal. Most traffic is going to have DSCP=0, thus you're not going to see a lot of matches on these other priorities.
What these script rules basically do is enforce the DSCP values if they already exist on packets.

If your devices aren't sending packets with DSCP values in them, then you must match packets by some other criteria and set the priority value yourself.

Other things that typically mark packets by default are:
SIP (typically precedence 3)
RTP (voice) - uses DSCP_46 which maps to priority 5

I noticed that ROS's BGP and OSPF engines mark their packets with CS6 (IP precedence 6), so routing protocol traffic would get mapped to the internetwork control queue - nice!
(These are more important than voice because if they get dropped due to congestion, then network connectivity could be completely lost)

Wed Oct 12, 2016 11:00 pm

In the final line, comment="IP Precedence 0 (DSCP $dscpValue) - Best Effort (Low Priority) (default)"
What is that "$" sign. The system said it is wrong with red cursor.
I can only run the script when I delete that "$" sign.
I'm afraid that some functionality might be missed.
Educate me. Thanks

I didn't notice it supports QoS for IPv6 as well. Awesome!

The $ means "variable" - so the script is supposed to replace $dscpValue with the actual dscp value (e.g. 46).
The line you refer to only uses it to make the comment tell you what DSCP value the rule is matching, so that line doesn't affect functionality.

Note how long the IPv6 mangle chain is because it doesn't support "priority from high 3 bits of TOS" action.

naylynnaung · Wed Oct 12, 2016 11:10 pm

That IPv6 function code have some syntax error I think.
Take a look at my attached screenshot. There is red cursor over the $ sign and I can't execute the script. After I delete the $ sign, the script run normally.
What is wrong in that code, I don't know. Please explain.

Wed Oct 12, 2016 11:30 pm

Do you have IPv6 installed on your router? If not, then don't worry about it. The error seems to begin on the line "/ipv6 firewall" (firewall should be blue, not red - meaning that it doesn't know what that keyword means - everything after that is messed up by virtue of the fact that the command is invalid after that point)

Also - this script is designed to be pasted into a /system script, not directly onto the command line.

I went into scripts, added a new script, and pasted this script into the Source: window, then clicked Apply and Run Script.

naylynnaung · Wed Oct 12, 2016 11:50 pm

Now. It's OK. Thanks for everything. It has something to do with " " and <space> and ( ) and those kind of things. Now, it's OK. It's already 3:00 AM in the morning here. I have to sleep. Bye.

pe1chl · Thu Oct 13, 2016 12:27 am

Still. I got some mangle rules not matched. Why?
This is probably normal. Most traffic is going to have DSCP=0, thus you're not going to see a lot of matches on these other priorities.
What these script rules basically do is enforce the DSCP values if they already exist on packets.

If your devices aren't sending packets with DSCP values in them, then you must match packets by some other criteria and set the priority value yourself.

It is best to handle this situation in prerouting by setting the DSCP on those packets, e.g. you match on IP, proto/port, whatever
to identify your voice traffic and then set the DSCP to 46 for those. Then later on in postrouting they are treated with proper
priority. And, the DSCP is further carried with the packet so you don't need all criteria for classifying the traffic at all your routers,
only at the edge routers that face the broken equipment/software that does not properly set DSCP itself.
(I try to do this in the sending system itself rather than in the router, but my systems are usually Linux so it is easy to do)

mducharme · Thu Oct 13, 2016 1:07 am

Nice QoS support script.

One question though:
It's my understanding that fasttrack skips pretty much everything in the packet forwarding process - including firewall and queues.
So wouldn't a fasttracked connection simply skip over all of this?

Yes and no.

Interface-attached queue trees work with fasttracked packets. What doesn't work is matching the DSCP tags and marking them, so all fasttracked packets will have no mark.

The way to make this work with fasttrack is you bypass fasttrack for all packets that you need to mark as something other than "best effort" by adding firewall rules to "accept" these before they hit the fasttrack rule. All best effort packets are still fasttracked, so you still benefit from fasttrack.

See screenshot below:

fasttrack-bypass.PNG

mducharme · Thu Oct 13, 2016 1:16 am

@mducharme: One other thing I noticed is that the Best Effort mark requires both dscp=0 and priority=0. Why did you specify dscp=0 as a criteria in this rule? There are a few possible DSCP values which still map to IP precedence 0, and those packets would fall through the mangle table un-marked... which I suppose is not going to affect which queue they hit since the BE queue is matching un-marked packets, but the stickler in me sees these packets being forced to compare against all rules and not just quick-exiting at the beginning with the rest of the BE traffic.

Thanks, just fixed that. I didn't notice the issue because I use fasttrack, so my BE packets get fasttracked and most do not hit the rule anyway.

mducharme · Thu Oct 13, 2016 2:47 am

Also, you can bypass fasttrack for any packets that have non-zero DSCP; this is helpful for matching packets marked by some other device.

fasttrack-bypass-dscp.PNG

Thu Oct 13, 2016 7:24 pm

I've been thinking about this some more.
In a nutshell, I think you cannot use fastpath forwarding if you want to perform QoS prioritization in your router.

If I'm missing something here, definitely point it out because my goal is to be as knowledgeable as possible.
Anyway, here we go.....

This solution is definitely an efficient QoS mechanism for ROS and I like it very much, but I think that mixing fastpath and slowpath traffic in the same router will break QoS.
The hybrid methodology of skipping fasttrack in order to queue certain traffic while allowing the rest to be fasttracked would be fine for a selective rate limiting solution, but would fail for actual packet priority-based QoS.

Here's why:

QoS prioritization only matters during congestion.
If there's no congestion, all traffic is simply forwarded in fifo fashion and everyone's happy. No packets are lost.
If there IS congestion, then QoS is the triage process by which the least important packets are dropped whenever the output buffer and output queues are all full.
In order to make an informed decision, the QoS mechanism must know how much bandwidth is available so that it knows when to start dropping low-priority packets in favor of important packets.

So far, so good, but here's where the hybrid fast/slow path solution runs into trouble:

Fastpath skips the system queues and goes straight to the final HW queue on the interface itself. If the HW queue is full, then the packet will be dropped. If not, then it will be queued.
The job of the system queues is to ensure there will always be room on the HW queue for priority packets.
If a low-priority packet comes along which would fill the HW queue, then this packet should be dropped as long as the priority queue still has bandwidth available in its budget.
The tree's root queue is how this bandwidth is tracked - child queues borrow bandwidth budget points from their parent queues.
The parent queue should run out of bandwidth at the same moment when the actual interface runs out of bandwidth. (or sooner)

Again - fastpath skips the system queues.

Therefore, the synchronization between the root queue of the tree is lost.

Because of this loss of sync, the queue tree can forward a low priority packet thinking there is still plenty of bandwidth remaining (fifo ftw!), unaware other flows have consumed the interface's bandwidth which the queue tree considered to be available. In this case, a high priority packet will not be prioritized over low priority traffic in the queue trees because the tree thinks there's still plenty of room for everyone - when in actuality there is not. Thus traffic is proceeding through the tree in a fifo manner. When the queue tree goes to place the packet (whatever its priority) onto the HW queue for egress - shock! the HW queue is full! The queue tree must drop the packet (rather, the HW queue will drop the packet)

The HW queue isn't always where this drop happens though. It gets worse.....

Suppose the router's egress interface is a high-capacity interface (like a gigabit ethernet port) but traffic is being throttled by some other device farther upstream. If this throttling device (DSL/cable modem, ONT, Wireless radio, etc) doesn't have any notion of QoS, then it's just going to do fifo and discard all packets that it has no room for on the wire (or which exceed a policing rate) regardless of priority. If the bottleneck DOES honor QoS - then you're going to be okay anyway, but this is pretty rare in most Internet access circuits. QoS-enabled circuits are usually enterprise-class offerings, and are usually internal wan links - not Internet connections because the Internet itself is a "best effort" network to begin with.

In this scenario where the bottleneck is upstream from your router, the only recourse is for your router to intelligently rate limit and prioritize the traffic BEFORE it reaches the dumb fifo such that it will always be below the fifo's threshold - i.e. you present traffic that the dumb fifo will never need to discard. This can only be done if the master queue's bandwidth budget is 100% accurate, and matches (or falls beneath) the actual bottleneck bandwidth amount.
THAT requires 100% of traffic to go through the queues.

Again, I love this simple architecture - and it's great in a no-fastpath-forwarding scenario. It's also great if you choose to do throttling - e.g.: rate limit video streaming to some maximum, while fasttracking the rest - but true priority-based QoS cannot function properly if the bandwidth budget is inaccurate.

mducharme · Thu Oct 13, 2016 7:31 pm

Fastpath skips the system queues and goes straight to the final HW queue on the interface itself. If the HW queue is full, then the packet will be dropped. If not, then it will be queued.
.

Here I am talking about FastTrack, and not FastPath. However, what you say is not completely accurate:

FastTrack skips all simple queues - so they are useless, yes
FastTrack skips all queue trees (HTB) with parent global, so they are useless, yes

However, FastTrack DOES NOT skip any queue trees with an *interface* as the parent. All FastTrack'ed packets are still queued by the queue tree, not the hardware queue. The only problem is everything has no-mark because FastTrack also skips any mangle rules that would mark the packets.

If you try it out, you see every FastTrack'ed packet indeed does get processed through this queue tree as a no-mark packet.

So with this solution, all traffic, including FastTrack traffic, is still queued and rate-limited, so the QoS functions properly.

Thu Oct 13, 2016 7:46 pm

However, FastTrack DOES NOT skip any queue trees with an *interface* as the parent. All FastTrack'ed packets are still queued by the queue tree, not the hardware queue. The only problem is everything has no-mark because FastTrack also skips any mangle rules that would mark the packets.

Okay - that's good to know. And given this, even traffic which skips the mangle table (fasttracked packets) will still hit the best effort queue because that queue is configured to match un-marked packets. Thus the parent queue's budget stays accurate.
Brilliant. That clears things up for me.

Sorry my post was so long, but I felt that I needed to explain why the issue of traffic missing the queue was an issue for prioritization (especially for those reading along who're learning how QoS works) - I wasn't trying to imply that you don't know what you're doing.

mducharme · Thu Oct 13, 2016 7:53 pm

Sorry my post was so long, but I felt that I needed to explain why the issue of traffic missing the queue was an issue for prioritization (especially for those reading along who're learning how QoS works) - I wasn't trying to imply that you don't know what you're doing.

No offense taken, it is a common issue with QoS where some traffic does not get handled and bypasses the queueing. This is part of the reason why I generally prefer interface-attached HTB, because then with a no-mark option, and all marks accounted for, you can be sure that you have actually properly assigned a queue for all potential traffic.

BTW, these interface attached queue trees (HTB) similarly catch MPLS as no-mark and therefore can do queueing of MPLS packets. (and, there are also ways to mark specific MPLS packets so that you can do full blown MPLS QoS)

mducharme · Thu Oct 13, 2016 8:46 pm

Sorry my post was so long, but I felt that I needed to explain why the issue of traffic missing the queue was an issue for prioritization (especially for those reading along who're learning how QoS works) - I wasn't trying to imply that you don't know what you're doing.

BTW, is there a way of fixing the MikroTik wiki page on FastTrack (http://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack) to reflect this behavior? Paragraph 2 on the page has the correct information:

Note that not all packets in a connection can be fasttracked, so it is likely to see some packets going through slow path even though connection is marked for fasttrack. This is the reason why fasttrack-connection is usually followed be identical action=accept rule. Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, ip traffic-flow(restriction removed in 6.33), ip accounting, ipsec, hotspot universal client, vrf assignment, so it is up to administrator to make sure fasttrack does not interfere with other configuration;

The above quote from the wiki is completely accurate because it does not say that Fasttracked packets bypass queue tree with an interface as the parent (and they do not); however, later on the same page, there is a misleading warning:

Warning: Queues, firewall filter and mangle rules will not be applied for FastTracked traffic.

This not completely true due to the exception of interface-attached queue trees, and this warning is likely the reason why people have the misunderstanding that it is not possible to queue FastTrack'ed packets other than the regular hardware queue that everything goes through.

Is there a way to clarify that warning?

Thu Oct 13, 2016 9:04 pm

Warning: Queues, firewall filter and mangle rules will not be applied for FastTracked traffic.
This not completely true due to the exception of interface-attached queue trees, and this warning is likely the reason why people have the misunderstanding that it is not possible to queue FastTrack'ed packets other than the regular hardware queue that everything goes through.

Is there a way to clarify that warning?

Yeah, I think that's what was in my mind all along. I don't think the forums moderators have any editorial power on the wiki - so perhaps a Mikrotik admin will see this post and update it to something like this:

Warning: Queues (except queue trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.

The Packet flow diagram v6 certainly depicts the interface HTB as the final step prior to egress, but it doesn't really show where fastpath fits into the flow... so perhaps that should be included in the updates.

mltobing · Mon Dec 26, 2016 10:54 am

Hello, I'm just beginner with mikrotik

I'm using QoS from alaskanjackal - Using RouterOS to prioritize (Qos) traffic for a Class C net
http://forum.routerboard.com/viewtopic. ... 33#p501518
With this, I can separate HTTP BROWSING & HTTP DOWNLOAD (connection-bytes=500000-0 connection-rate=200k-1000M)

At that thread, there is someone (IntrusDave) suggest using DSCP, and I found yours (I see your script based on IntrusDave's QoS script).
If I'm using your script, Can I get same result ?

Thanks

mducharme · Mon Dec 26, 2016 10:02 pm

Hello, I'm just beginner with mikrotik

I'm using QoS from alaskanjackal - Using RouterOS to prioritize (Qos) traffic for a Class C net
http://forum.routerboard.com/viewtopic. ... 33#p501518
With this, I can separate HTTP BROWSING & HTTP DOWNLOAD (connection-bytes=500000-0 connection-rate=200k-1000M)

At that thread, there is someone (IntrusDave) suggest using DSCP, and I found yours (I see your script based on IntrusDave's QoS script).
If I'm using your script, Can I get same result ?

Thanks

Yes you can with my script, you just have to add the rules to do this. I imagine if it is HTTP download, you'll probably want to reduce it to 'background', so you would probably give it a DSCP value of 16. First you should back up your config, and then remove the existing queues and QoS rules created by the existing script so they don't conflict, before installing mine. Then add the rule to de-prioritize HTTP download to 'background' class (ip precedence 2).

The idea of my script is to use existing DSCP on packets in a fasttrack-friendly way that still lets you keep your fasttrack rules. I don't include rules to apply DSCP to packets that don't have them because that will really depend on the user, each person may have different priorities in mind. Also, you need to bypass fasttrack for any packets that you need to apply DSCP tags to, so you lose more and more fasttrack benefits as you apply more and more DSCP tags. That is another reason why I do not include an 'HTTP Download' rule and things like that. A lot of QoS scripts will put in many rules that users do not really need, to prioritize things that they do not even use. Mine is kind of a 'base setup' that you add your own rules to based on the particular things that you either want to prioritize or de-prioritize.

I kind of see this happening in two different parts
- The nuts and bolts of the QoS being provided by the QoS engine, which is my script
- A 'rule bank' for applying DSCP tags to different types of traffic; users would pick rules from the 'rule bank' depending on what they needed and add them to the QoS system

My script is really the engine; there is no 'rule bank' currently, except you can pick and choose rules from other QoS scripts and apply them here, by placing them above the existing QoS rules and applying DSCP, and bypassing fasttrack for that same traffic so that the mangle rules work.

mltobing · Wed Dec 28, 2016 9:51 am

Hi mducharme,

I cannot make it work. How to separate Browsing & Download traffic

If my script before:

add action=mark-connection chain=prerouting comment=HTTP connection-state=new \
    new-connection-mark=HTTP passthrough=yes port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=800000-0 \
    connection-mark=HTTP connection-rate=128k-1G new-connection-mark=HTTP_BIG \
    passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP new-packet-mark=\
    HTTP passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG \
    new-packet-mark=HTTP_BIG passthrough=no

If I am using your script and I have fasttrack rule, how to get same result. Please help me. Thanks

mpdamon · Wed Feb 01, 2017 1:10 am

Fastpath skips the system queues and goes straight to the final HW queue on the interface itself. If the HW queue is full, then the packet will be dropped. If not, then it will be queued.
.
Here I am talking about FastTrack, and not FastPath. However, what you say is not completely accurate:

FastTrack skips all simple queues - so they are useless, yes
FastTrack skips all queue trees (HTB) with parent global, so they are useless, yes

However, FastTrack DOES NOT skip any queue trees with an *interface* as the parent. All FastTrack'ed packets are still queued by the queue tree, not the hardware queue. The only problem is everything has no-mark because FastTrack also skips any mangle rules that would mark the packets.

If you try it out, you see every FastTrack'ed packet indeed does get processed through this queue tree as a no-mark packet.

So with this solution, all traffic, including FastTrack traffic, is still queued and rate-limited, so the QoS functions properly.

Very informative so thank you for that. I am confused though when you say that FastTrack bypasses mangle rules yet below you say that the traffic is still queued and rate-limited. So in that case how would I be able to mark the traffic that I want to prioritize?

Thanks

mpdamon · Thu Feb 02, 2017 7:50 pm

Is there a reason you use sfq instead of pcq?

mducharme · Wed Feb 08, 2017 6:26 am

Very informative so thank you for that. I am confused though when you say that FastTrack bypasses mangle rules yet below you say that the traffic is still queued and rate-limited. So in that case how would I be able to mark the traffic that I want to prioritize?

Thanks

Sorry, I missed this before. In order to mark the traffic you want to prioritize, you must create firewall rules that 'accept' this specific traffic that you want to mark before it hits the fasttrack rule, then your mangle will work because you will be effectively bypassing fasttrack for those packets only. Any traffic that hits the fasttrack rule will skip mangle and will therefore be treated as best-effort; any traffic that you either want to prioritize above best effort or de-prioritize below best effort must be mangled, and in order to mangle it, you must prevent this traffic from hitting the fasttrack rule by accepting it before it reaches that rule.

The first post includes a rule that automatically bypasses fasttrack if DSCP is non-zero, so for packets that are already tagged with DSCP, this will take care of all of them. You only need to create additional fasttrack bypass rules if there are packets that do not have DSCP applied that you either want to apply DSCP to, or simply apply the appropriate packet mark.

mducharme · Wed Feb 08, 2017 6:29 am

Is there a reason you use sfq instead of pcq?

I would expect SFQ to be slightly more efficient in terms of CPU usage. SFQ is like PCQ but without the configuration options, if you are not going to tweak those, I believe there is little reason to use PCQ over SFQ.

mpdamon · Thu Mar 02, 2017 7:59 pm

Very informative so thank you for that. I am confused though when you say that FastTrack bypasses mangle rules yet below you say that the traffic is still queued and rate-limited. So in that case how would I be able to mark the traffic that I want to prioritize?

Thanks
Sorry, I missed this before. In order to mark the traffic you want to prioritize, you must create firewall rules that 'accept' this specific traffic that you want to mark before it hits the fasttrack rule, then your mangle will work because you will be effectively bypassing fasttrack for those packets only. Any traffic that hits the fasttrack rule will skip mangle and will therefore be treated as best-effort; any traffic that you either want to prioritize above best effort or de-prioritize below best effort must be mangled, and in order to mangle it, you must prevent this traffic from hitting the fasttrack rule by accepting it before it reaches that rule.

The first post includes a rule that automatically bypasses fasttrack if DSCP is non-zero, so for packets that are already tagged with DSCP, this will take care of all of them. You only need to create additional fasttrack bypass rules if there are packets that do not have DSCP applied that you either want to apply DSCP to, or simply apply the appropriate packet mark.

Thanks for your help with this. I've gotten this to work pretty well but I'm having an issue where I'm trying to mark some packets as precedence 7 but they are going through as 6. I have listed what I have added to see if you can help determine why. I can see it in the log when I log 6 and 7 mangle rules.

add action=mark-connection chain=postrouting comment="PS4 Outgoing Connection" connection-state=new log-prefix="ps4 connection:" \
new-connection-mark=ps4-connection-out passthrough=yes src-address=192.168.1.104
add action=mark-packet chain=postrouting comment="PS4 Outgoing Packets" connection-mark=ps4-connection-out log-prefix="ps4 marked:" \
new-packet-mark=ip_precedence_7 passthrough=no

add action=accept chain=forward log-prefix=ps4: src-address=192.168.1.104
add action=accept chain=forward comment="Bypass fasttrack for non-zero DSCP" connection-state=established,related dscp=!0
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

mducharme · Fri Mar 03, 2017 1:05 am

Thanks for your help with this. I've gotten this to work pretty well but I'm having an issue where I'm trying to mark some packets as precedence 7 but they are going through as 6. I have listed what I have added to see if you can help determine why. I can see it in the log when I log 6 and 7 mangle rules.

add action=mark-connection chain=postrouting comment="PS4 Outgoing Connection" connection-state=new log-prefix="ps4 connection:" \
new-connection-mark=ps4-connection-out passthrough=yes src-address=192.168.1.104
add action=mark-packet chain=postrouting comment="PS4 Outgoing Packets" connection-mark=ps4-connection-out log-prefix="ps4 marked:" \
new-packet-mark=ip_precedence_7 passthrough=no

add action=accept chain=forward log-prefix=ps4: src-address=192.168.1.104
add action=accept chain=forward comment="Bypass fasttrack for non-zero DSCP" connection-state=established,related dscp=!0
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

Perhaps they are getting caught by the "prioritize ACKs" mangle rule?

mpdamon · Fri Mar 03, 2017 1:13 am

Perhaps they are getting caught by the "prioritize ACKs" mangle rule?

I have my mangle rules above that one. I just looked and now I'm not getting any packets marked as "7" i must have something wrong somewhere. Maybe shouldn't be postrouting?

I take that back. they won't actually show up in the precedence 7 because I'm marking them earlier. however I do still have traffice from that ip showing up in precedence 6. So not sure why for that.

mducharme · Fri Mar 03, 2017 3:05 am

Perhaps they are getting caught by the "prioritize ACKs" mangle rule?
I have my mangle rules above that one. I just looked and now I'm not getting any packets marked as "7" i must have something wrong somewhere. Maybe shouldn't be postrouting?

I take that back. they won't actually show up in the precedence 7 because I'm marking them earlier. however I do still have traffice from that ip showing up in precedence 6. So not sure why for that.

What are you seeing in the packet counters, and what is getting logged?

In case it helps, I can show you a similar rule I have for NetFlix prioritization (though I do it slightly differently)

I find that NetFlix always sends data to me from a certain IP so I match that IP (185.101.97.195).

In my firewall filter rules I have:

30 ;;; bypass fasttrack for netflix
chain=forward action=accept connection-state=established,related connection-mark=netflix log=no log-prefix=""

Then, in my mangle rules:

17 ;;; Prioritize Netflix
chain=forward action=mark-connection new-connection-mark=netflix passthrough=yes src-address=185.101.97.195 log=no log-prefix=""

18 chain=forward action=change-dscp new-dscp=32 passthrough=yes connection-mark=netflix log=no log-prefix=""

19 ;;; Respect DSCP tagging
chain=postrouting action=set-priority new-priority=from-dscp-high-3-bits passthrough=yes

Mangle rule 19 above is already included with my script, I just included it so that you could see the relative positioning of my prioritization rules.

I mark the DSCP tags instead of directly marking the precedence so that I can use this tag on additional internal routers if I had them, but I could just as easily mark packet as ip_precedence_4 with the mangle rule listed as 18, then I wouldn't really need the passthrough=yes on that setting (that approach is closer to what you are doing).

mducharme · Fri Mar 03, 2017 3:15 am

Also, look in the "Connections" tab of IP->Firewall to make sure the connection in question is getting marked properly. You should see it in there with the connection mark you are applying.

As you can see, it works for me and makes certain that I can browse the web on my PC without interfering with NetFlix viewing:

Netflix Priority.PNG

Netflix-connection.PNG

mducharme · Fri Mar 03, 2017 3:44 am

From looking at the packet flow diagram: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

It looks like postrouting happens *after* the connection tracking, so that might explain why your PS4 prioritization isn't working.

mpdamon · Fri Mar 03, 2017 5:15 am

From looking at the packet flow diagram: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

It looks like postrouting happens *after* the connection tracking, so that might explain why your PS4 prioritization isn't working.

I'll take a look at the connections tab. I hadn't really looked at that yet. the traffic is going up on the firewall rule. thanks for your help. I'm going to look through your example to understand better.

mducharme · Fri Mar 03, 2017 5:27 am

From looking at the packet flow diagram: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

It looks like postrouting happens *after* the connection tracking, so that might explain why your PS4 prioritization isn't working.
I'll take a look at the connections tab. I hadn't really looked at that yet. the traffic is going up on the firewall rule. thanks for your help. I'm going to look through your example to understand better.

Oh, BTW I missed one rule change from my screenshots - the NetFlix address changed, so I had to change the mangle rule:

17 ;;; Prioritize Netflix
chain=forward action=mark-connection new-connection-mark=netflix passthrough=yes src-address=108.175.32.0/20 log=no log-prefix=""

The old rule did not catch the 108.175.42.191 address

pe1chl · Fri Mar 03, 2017 12:09 pm

That is going to be an ongoing problem. You might be able to work around it by using a DNS-based address list.
(I don't know how Netflix uses addresses and DNS)

Thu Mar 16, 2017 3:35 pm

Is there a way to clarify that warning?

I have corrected the Wiki

It now states:
"Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic"

Thu Mar 16, 2017 10:16 pm

Very informative so thank you for that. I am confused though when you say that FastTrack bypasses mangle rules yet below you say that the traffic is still queued and rate-limited. So in that case how would I be able to mark the traffic that I want to prioritize?

Thanks

This is just the physical hardware queues which are simple fifos - so no prioritization is possible with them.

EDIT:
Whoops, this is what I get for not reading the thread after being away for a while.... The above is not correct. What I should have said was:

The firewall filter rules are configured to only trigger fasttrack-connection whenever the packet is part of a "best effort" flow. This means that future packets in the fast-tracked connection cannot be mangled - thus they will not be packet-marked. However, a queue tree parented to the egress interface will see the packets (even if fast-tracked). So the best-effort sub-queue of this tree is configured to match unmarked packets; that way it will match the best effort traffic and queue accordingly. All other classes of traffic must never match the "fasttrack-connection" rule in your forward chain, or else they will get lumped in with the best effort.

frank333 · Sun Jan 14, 2018 12:32 am

Hi all,
Here is my FastTrack-friendly QoS script, based on one made by IntrusDave. It supports IPv4 and IPv6, and uses DSCP markings to match packets. It is fasttrack-friendly, but does not require fasttrack...............

I tried to run the script with ROS 6.41 but didn't start.
I tried to run only the main part of the script and it works; while the rest does not work.
I wanted to use your script to run Active Congestion Control.

MarekP · Fri Feb 16, 2018 3:48 pm

Hi! Im new in the world of mikrotil!!!

I have a question about how to work the priorization! My network is over MPLS/VPLS and pppoe for the customers.
I want apply QoS for my VoIP (Because the comunication sound like robotic). I have this in mi MK:

chain=forward action=set-priority new-priority=from-dscp-high-3-bits passthrough=yes

The packet are marked as "EF" in the Asterisk and in the ATA customer!
I dont created queues and the trunks never are full.

Thanks in advace guys!

Rexxv · Thu May 10, 2018 7:27 pm

hi,

this script does not seem to unin ROS 6.42.1

edouardkleinhans · Mon Jun 18, 2018 6:21 pm

Hi,

Hello,

if i understand you script, when i want to add priority to HTTP service, i need to bypass fasttrack

;;; bypass fasttrack for HTTP
chain=forward action=accept connection-state=established,related connection-mark=HTTP

Then, in my mangle rules:

17 ;;; Prioritize HTTP
add action=mark-connection chain=prerouting comment=HTTP connection-mark=!HTTP_BIG connection-state=new new-connection-mark=HTTP port=80,443,8080 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=500000-0 connection-mark=HTTP connection-rate=200k-100M new-connection-mark=HTTP_BIG protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG new-packet-mark=ip_precedence_4 passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP new-packet-mark=ip_precedence_5 passthrough=no

19 ;;; Respect DSCP tagging
chain=postrouting action=set-priority new-priority=from-dscp-high-3-bits passthrough=yes

Can you confirm this configuration ?

Etz · Mon Aug 05, 2019 7:40 pm

You'll need to copy and paste the script into scripts (system->scripts->new (+)->paste), change the upload and download bandwidth and inbound and outbound interface names at the top to match your settings, and run the script. (the bandwidths should be slightly less than what you normally receive as your maximum)

Got a question though, what if I have multiple outbound interfaces (2 bridges, one per switch group)?

mducharme · Tue Sep 29, 2020 1:31 am

You'll need to copy and paste the script into scripts (system->scripts->new (+)->paste), change the upload and download bandwidth and inbound and outbound interface names at the top to match your settings, and run the script. (the bandwidths should be slightly less than what you normally receive as your maximum)
Got a question though, what if I have multiple outbound interfaces (2 bridges, one per switch group)?

My script is really designed for simple scenarios where there is only one internal interface and one WAN interface. What *might* work, if you need multiple internal bridges, is if you have a bridge and two VLANs on the bridge, and you do the queueing on the bridge interface (which is shared between the VLANs) instead of on the VLAN interface itself. I have not tried this myself, however, so I'm not sure how well it would work.

Another workaround that would certainly work is if you divided your bandwidth in half and had a set of queue trees per internal bridge, each of which was configured for a bit less than half of your maximum bandwidth. However, then even if one bridge is not using anything, the remaining bridge can only use half of your bandwidth.

felodimul · Wed Dec 09, 2020 5:23 pm

I'm attempting to understand this script. For some reason I couldn't get it to run, so I'm just reading it.

Could someone post the /ip firewall mangle export, /ip firewall filter export, and /queue export as created by this script? I think this would improve my understanding of what's going on.

The main thing I don't understand is this:

Fast-tracked packets are all placed in the best effort queue.

It seems like FastTrack packets are BYPASSING all queues, not placed in a queue. Or, put another way, that the Queues are BYPASSING FastTrack. FastTrack and the Queues are separated by the firewall rule. So how do your FastTrack packets reach the Best Effort queue? What am I missing?

felodimul · Wed Dec 09, 2020 9:23 pm

OK nevermind, I understand now that the answer to my question is this:

To retain compatibility with FastTrack, it uses interface-attached HTB rather than global-attached (fasttracked packets bypass global HTB, but are still queued by interface HTB).

Still would love to see that export though, if anyone has it handy! (-:

mducharme · Wed Dec 09, 2020 10:29 pm

Still would love to see that export though, if anyone has it handy! (-:

/ip firewall mangle
add action=set-priority chain=postrouting comment="Respect DSCP tagging" new-priority=from-dscp-high-3-bits passthrough=yes
add action=set-priority chain=postrouting comment="Prioritize ACKs" new-priority=6 packet-size=0-123 passthrough=yes protocol=tcp tcp-flags=ack
add action=accept chain=postrouting comment="IP Precedence (Packet Priority) 0 - Best Effort (Low Priority) (default)" priority=0
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 1 - Scavenger (Bottom Priority) (apply packet mark ip_precedence_1)" new-packet-mark=\
    ip_precedence_1 passthrough=no priority=1
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 2 - Background (Very Low Priority) (apply packet mark ip_precedence_2)" new-packet-mark=\
    ip_precedence_2 passthrough=no priority=2
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 3 - Critical Data or Call Signaling (Medium-Low Priority) (apply packet mark ip_precedence_3)" \
    new-packet-mark=ip_precedence_3 passthrough=no priority=3
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 4 - Interactive Video (Medium Priority) (apply packet mark ip_precedence_4)" new-packet-mark=\
    ip_precedence_4 passthrough=no priority=4
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 5 - Voice (Medium-High Priority) (apply packet mark ip_precedence_5)" new-packet-mark=\
    ip_precedence_5 passthrough=no priority=5
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 6 - Internetwork Control (High Priority) (apply packet mark ip_precedence_6)" new-packet-mark=\
    ip_precedence_6 passthrough=no priority=6
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 7 - Network Control (Top Priority) (apply packet mark ip_precedence_7)" new-packet-mark=\
    ip_precedence_7 passthrough=no priority=7
    
/queue tree
add comment="Uplink QoS" max-limit=15M name=QoS_ether1 parent=ether1 queue=wireless-default
add comment="Queue Priority 1" name="IP Precedence 7. Network Control (Top Priority) - ether1" packet-mark=ip_precedence_7 parent=QoS_ether1 priority=1 queue=wireless-default
add comment="Queue Priority 2" name="IP Precedence 6. Internetwork Control (High Priority) - ether1" packet-mark=ip_precedence_6 parent=QoS_ether1 priority=2 queue=wireless-default
add comment="Queue Priority 3" name="IP Precedence 5. Voice (Medium-High Priority) - ether1" packet-mark=ip_precedence_5 parent=QoS_ether1 priority=3 queue=wireless-default
add comment="Queue Priority 4" name="IP Precedence 4. Interactive Video (Medium Priority) - ether1" packet-mark=ip_precedence_4 parent=QoS_ether1 priority=4 queue=wireless-default
add comment="Queue Priority 5" name="IP Precedence 3. Critical Data or Call Signaling (Medium-Low Priority) - ether1" packet-mark=ip_precedence_3 parent=QoS_ether1 priority=5 \
    queue=wireless-default
add comment="Queue Priority 6" name="IP Precedence 0. Best Effort (Low Priority) - ether1" packet-mark=no-mark parent=QoS_ether1 priority=6 queue=wireless-default
add comment="Queue Priority 7" name="IP Precedence 2. Background (Very Low Priority) - ether1" packet-mark=ip_precedence_2 parent=QoS_ether1 priority=7 queue=wireless-default
add comment="Queue Priority 8" name="IP Precedence 1. Scavenger (Bottom Priority) - ether1" packet-mark=ip_precedence_1 parent=QoS_ether1 queue=wireless-default
add comment="Downlink QoS" max-limit=300M name=QoS_bridge parent=bridge queue=wireless-default
add comment="Queue Priority 1" name="IP Precedence 7. Network Control (Top Priority) - bridge" packet-mark=ip_precedence_7 parent=QoS_bridge priority=1 queue=wireless-default
add comment="Queue Priority 2" name="IP Precedence 6. Internetwork Control (High Priority) - bridge" packet-mark=ip_precedence_6 parent=QoS_bridge priority=2 queue=wireless-default
add comment="Queue Priority 3" name="IP Precedence 5. Voice (Medium-High Priority) - bridge" packet-mark=ip_precedence_5 parent=QoS_bridge priority=3 queue=wireless-default
add comment="Queue Priority 4" name="IP Precedence 4. Interactive Video (Medium Priority) - bridge" packet-mark=ip_precedence_4 parent=QoS_bridge priority=4 queue=wireless-default
add comment="Queue Priority 5" name="IP Precedence 3. Critical Data or Call Signaling (Medium-Low Priority) - bridge" packet-mark=ip_precedence_3 parent=QoS_bridge priority=5 \
    queue=wireless-default
add comment="Queue Priority 6" name="IP Precedence 0. Best Effort (Low Priority) - bridge" packet-mark=no-mark parent=QoS_bridge priority=6 queue=wireless-default
add comment="Queue Priority 7" name="IP Precedence 2. Background (Very Low Priority) - bridge" packet-mark=ip_precedence_2 parent=QoS_bridge priority=7 queue=wireless-default
add comment="Queue Priority 8" name="IP Precedence 1. Scavenger (Bottom Priority) - bridge" packet-mark=ip_precedence_1 parent=QoS_bridge queue=wireless-default

The script does not change anything in /ip firewall filter.

felodimul · Thu Dec 10, 2020 12:08 am

Thanks so much for both the original script and this export!

massinia · Mon Jun 27, 2022 11:47 pm

Thanks for the script @mducharme

I can't run it, it doesn't add any rules and I think it's not compatible with 6.48.6 long term, can anyone confirm?
Thanks

EDIT: it works perfectly with 7.3.1

fibracapi · Fri Dec 02, 2022 12:15 pm

/system script run QoSDave

syntax error (line 59 column 38)

jerogabe · Mon Dec 05, 2022 12:43 pm

/system script run QoSDave

syntax error (line 59 column 38)

RouterOS V6 enable packet ipv6

Generic123 · Thu Apr 27, 2023 7:20 pm

How exactly does the dscp tagging know to fall into precidence 1-8? No mark is obvious. But like the netflix rule you did, there is no packet mark to put into the queue for it to recognize. I'm guessing dscp and the priority for ip precedence 1-8 is linked. How exactly does that work? Priority 1 is dscp 1-8 etc. @mducharme

pe1chl · Mon May 01, 2023 4:50 pm

How exactly does the dscp tagging know to fall into precidence 1-8? No mark is obvious. But like the netflix rule you did, there is no packet mark to put into the queue for it to recognize. I'm guessing dscp and the priority for ip precedence 1-8 is linked. How exactly does that work? Priority 1 is dscp 1-8 etc. @mducharme

/ip firewall mangle
add action=set-priority chain=postrouting comment="Respect DSCP tagging" new-priority=from-dscp-high-3-bits passthrough=yes

mducharme · Mon May 01, 2023 9:29 pm

Yup, that's correct, the new-priority=from-dscp-high-3-bits takes care of it. It maps the values like this:
DSCP 0-7 -> Priority 0
DSCP 8-15 -> Priority 1
DSCP 16-23 -> Priority 2
etc.

lazywizard · Mon Jul 17, 2023 5:17 pm

I discovered today while playing around with fasttrack-compatible queue trees that they do not work when L3HW offload is enabled on the fasttrack rule. It seems obvious in retrospect. Unfortunately, disabling L3HW fasttrack on the CRS309 leads to high CPU demand even at modest throughput (300-400mbps). Might want to make a note in the OP about that in case people are banging their head against the wall trying to figure out why their queues never get hit.

@mducharme I'm curious to hear what you think of the recent QoS-HW improvements in RouterOS 7.10 and how we could take advantage of hardware marking with fasttrack-able queues in the future.

spr41178 · Wed Aug 23, 2023 9:19 am

Yup, that's correct, the new-priority=from-dscp-high-3-bits takes care of it. It maps the values like this:
DSCP 0-7 -> Priority 0
DSCP 8-15 -> Priority 1
DSCP 16-23 -> Priority 2
etc.

Good afternoon,

Excellent work and article.

Quick question if i wanted to prioritize SIP and RTP packets, 5060,5061 udp and 10000-20000 udp up to prioity 1
what would be the best approach to this?

From what i read ZeroByte states SIP packets as priotiy 3 and RTP as priority 5?

Thank you in advance

BrateloSlava · Fri Aug 25, 2023 9:56 pm

Quick question if i wanted to prioritize SIP and RTP packets, 5060,5061 udp and 10000-20000 udp up to prioity 1
what would be the best approach to this?

For example, you can insert packet marking rules for the desired ports and place these rules before the ones, that this script sets.

Screenshot_Rule.png

The rules that I added:

/ip firewall mangle add action=mark-packet chain=postrouting comment="Telegram, Whatsapp" dst-port=5222,5228 new-packet-mark=ip_precedence_5 passthrough=no protocol=tcp
/ip firewall mangle add action=mark-packet chain=postrouting dst-port=599,1400,3478 new-packet-mark=ip_precedence_5 passthrough=no protocol=udp

pe1chl · Sat Aug 26, 2023 12:59 am

Well, I think it is better to set priority based on DSCP than to use port numbers. Any reasonable SIP and RTP device already sets DSCP properly (EF).
"Set priority from dscp high 3 bits" works fine for most cases, and it seems that support of a fully configurable DSCP->Priority mapping table is in the works (see the HW-accelerated QoS feature).
The advantage of using DSCP is that it propagates through the network even without VLAN tagging. When you have a really broken device that does not set DSCP by itself, you can set DSCP on ingress and then further on set Priority from DSCP.

BrateloSlava · Mon Aug 28, 2023 2:48 pm

For my needs, I modified the script, which is posted in the first message. The new option adds the described rule to the firewall and allows multiple incoming and outgoing interfaces. Separate setting of speed limits is also possible.
The work of the script with IPv6 is not changed and works, IMHO, incorrectly in ROS 7.

# this is based on IntrusDave's QoS script, but modified
# qosClasses are largely based on Cisco Wireless QoS mappings/guide
#
# 2023. modified to work with multiple incoming and outgoing interfaces

# Set outbound (WAN) interface here, i.e. {"ether1";"";"460M"};{"ether2";"vlan1";"400M"};{"ether2";"vlan2";"400M"};{"ether3";"";"500M"}
# Where each entry contains 3 fields {"ether2";"vlan1";"400M"}
# First - the name of the "main" interface, for which we set the rate limit.
# Second - the name of the interface that depends on "main". For the name of this interface, packages are marked. Specify an empty string if there is none.
# Third - bandwidth limit for "main" interface. It is recommended to specify for all records, even if the data is duplicated. (for symmetry).

:local outboundInterfaceArray {{"ether1";"";"460M"}}

# Set inbound (LAN) interface here, i.e. {"bridge1";"";"460M"};{"bridge2";"vlan1";"960M"};{"bridge2";"vlan2";"960M"};{"bridge3";"";"960M"}
# Where each entry contains 3 fields {"bridge2";"vlan1";"960M"}
# First - the name of the "main" interface, for which we set the rate limit.
# Second - the name of the interface that depends on "main". For the name of this interface, packages are marked. Specify an empty string if there is none.
# Third - bandwidth limit for "main" interface. It is recommended to specify for all records, even if the data is duplicated. (for symmetry).

:local inboundInterfaceArray {{"bridge-LAN";"";"460M"}}

# Set name of queue here
:local NameOfQueue "main-queue"

# Set type of queue here
:local queueType fq-codel

# Set where in the chain the packets should be mangled
:local mangleChain postrouting

# Don't mess with these. They set the parameters for what is to follow
:local outQueueName ("QoS_" . $outboundInterface)
:local inQueueName ("QoS_" . $inboundInterface)
# qosClasses from highest to lowest priority
:local qosClasses [:toarray "Network Control (Top Priority),Internetwork Control (High Priority),Voice (Medium-High Priority),Interactive Video (Medium Priority),Critical Data or Call Signaling (Medium-Low Priority),Best Effort (Low Priority),Background (Very Low Priority),Scavenger (Bottom Priority)"]
# maps queue priorities from highest to lowest to IP precedence values
:local priorityToIpPrecedenceMappings [:toarray "7,6,5,4,3,0,2,1"]
# queue priority used for best effort traffic (IP precedence 0)
:local beQueuePriority 6

# These variables are used several times in the body of the script. Better - calculate once.
:local inboundInterfaceArraySize [:len $inboundInterfaceArray]
:local outboundInterfaceArraySize [:len $outboundInterfaceArray]

/queue type add kind=$queueType name=$NameOfQueue

:local fasttrackRuleExists [/ip firewall filter print count-only where action=fasttrack-connection]

if ($fasttrackRuleExists > 0) do={
	/ip firewall filter add action=accept chain=forward comment="Bypass fasttrack for non-zero DSCP" \
		connection-state=established,related dscp=!0 place-before=[/ip firewall filter find where action=fasttrack-connection]
}

:for indexA from 0 to ($inboundInterfaceArraySize-1) do={
    :local curComment "Respect DSCP tagging (inbound)"
    :local inboundInterface ( $inboundInterfaceArray->$indexA->1 )

    :if ($inboundInterface = "") do={ :set inboundInterface ( $inboundInterfaceArray->$indexA->0 ) }

    :if ($indexA > 0) do={ :set curComment "" }

    /ip firewall mangle add action=set-priority \
  	chain=postrouting new-priority=from-dscp-high-3-bits \
	passthrough=yes comment=$curComment out-interface=$inboundInterface
}


:for indexA from 0 to ($outboundInterfaceArraySize-1) do={
    :local curComment "Respect DSCP tagging (outbound)"
    :local outboundInterface ( $outboundInterfaceArray->$indexA->1 )

    :if ($outboundInterface = "") do={ :set outboundInterface ( $outboundInterfaceArray->$indexA->0 ) }

    :if ($indexA > 0) do={ :set curComment "" }

    /ip firewall mangle add action=set-priority \
  	chain=postrouting new-priority=from-dscp-high-3-bits \
	passthrough=yes comment=$curComment out-interface=$outboundInterface
}
   
/ip firewall mangle add action=set-priority \
   chain=postrouting new-priority=6 packet-size=0-123 \
   passthrough=yes protocol=tcp tcp-flags=ack comment="Prioritize ACKs"

/ip firewall mangle add action=accept \
   chain=postrouting priority=0 \
   comment="IP Precedence (aka Packet Priority) 0 - Best Effort (Low Priority) (default)"


:for indexI from 0 to ($inboundInterfaceArraySize-1) do={
	;local mainInterface ($inboundInterfaceArray->$indexI->0)
	:local inboundInterface ( $inboundInterfaceArray->$indexI->1 )

	:if ($inboundInterface = "") do={ :set inboundInterface ( $inboundInterfaceArray->$indexI->0 ) }

	:for indexA from 1 to 7 do={
		:local qosIndex (7-$indexA)
		# skip best effort in list
		:if ($indexA <= (8-$beQueuePriority)) do={ :set qosIndex (8-$indexA) }
		:local subClass ([:pick $qosClasses $qosIndex] )
		/ip firewall mangle add action=mark-packet chain=$mangleChain comment=("Interface -= " . $inboundInterface ." =-. IP Precedence (aka Packet Priority) " . $indexA . " - " . $subClass . " (apply packet mark " . $mainInterface . "_ip_precedence_" . $indexA . ")") \
			disabled=no priority=($indexA) new-packet-mark=($mainInterface . "_ip_precedence_" . $indexA) passthrough=no out-interface=$inboundInterface
	}
}


:for indexI from 0 to ($outboundInterfaceArraySize-1) do={
	;local mainInterface ($outboundInterfaceArray->$indexI->0)
	:local outboundInterface ( $outboundInterfaceArray->$indexI->1 )

	:if ($outboundInterface = "") do={ :set outboundInterface ( $outboundInterfaceArray->$indexI->0 ) }

	:for indexA from 1 to 7 do={
		:local qosIndex (7-$indexA)
		# skip best effort in list
		:if ($indexA <= (8-$beQueuePriority)) do={ :set qosIndex (8-$indexA) }
		:local subClass ([:pick $qosClasses $qosIndex] )
		/ip firewall mangle add action=mark-packet chain=$mangleChain comment=("Interface -= " . $outboundInterface ." =-. IP Precedence (aka Packet Priority) " . $indexA . " - " . $subClass . " (apply packet mark " . $mainInterface . "_ip_precedence_" . $indexA . ")") \
			disabled=no priority=($indexA) new-packet-mark=($mainInterface . "_ip_precedence_" . $indexA) passthrough=no out-interface=$outboundInterface
	}
}


:if ([/system package find name=ipv6 disabled=no] = "") do={
    :log info "IPv6 package is not installed - skipping IPv6 mangle rules";
} else={

   :for dscpValue from 0 to 7 do={
   /ipv6 firewall mangle add action=accept \
      chain=postrouting dscp=$dscpValue \
      comment="IP Precedence 0 (DSCP $dscpValue) - Best Effort (Low Priority) (default)"
   }

   :for indexA from 1 to 7 do={
       :local qosIndex (7-$indexA)
       # skip best effort in list
       :if ($indexA <= (8-$beQueuePriority)) do={ :set qosIndex (8-$indexA) }
       :local subClass ([:pick $qosClasses $qosIndex] )
       :for dscpValue from ($indexA*8) to (($indexA*8)+7) do={
       /ipv6 firewall mangle add action=mark-packet chain=$mangleChain comment=("IP Precedence " . $indexA . " (DSCP " . $dscpValue . ") - " . $subClass . " (apply packet mark ip_precedence_" . $indexA . ")") \
            disabled=no dscp=$dscpValue new-packet-mark=("ip_precedence_" . $indexA) passthrough=no
       }
   }
}

:for indexI from 0 to ($inboundInterfaceArraySize-1) do={
	;local inboundInterface ($inboundInterfaceArray->$indexI->0)
	;local inboundPreviousInterface ""
	:set inQueueName ("QoS_" . $inboundInterface)
	:if ($indexI > 0) do={ :set inboundPreviousInterface ($inboundInterfaceArray->($indexI-1)->0) }
	
	:if ($inboundInterface != $inboundPreviousInterface) do={
		:local inInterfaceBandwidth ($inboundInterfaceArray->$indexI->2)
		/queue tree add max-limit=$inInterfaceBandwidth name=$inQueueName parent=$inboundInterface comment="Downlink QoS" queue=$NameOfQueue
		:for queuePriority from=1 to=8 do={
			:local qosIndex ($queuePriority-1)
			:local subClass ([:pick $qosClasses $qosIndex] )
			:local ipPrecedence ([:pick $priorityToIpPrecedenceMappings $qosIndex])
			:local ipPrecedenceMark ($inboundInterface . "_ip_precedence_" . $ipPrecedence)
			:if ($ipPrecedence = "0") do={ :set ipPrecedenceMark ("no-mark") }
			/queue tree add \ 
				name=("IP Precedence " . $ipPrecedence . ". " . $subClass . " - " . $inboundInterface ) \
				parent=$inQueueName \
				priority=($queuePriority) \
				queue=$NameOfQueue \
				packet-mark=$ipPrecedenceMark \
				comment=("Queue Priority " . $queuePriority)
		}
	}
}


:for indexI from 0 to ($outboundInterfaceArraySize-1) do={
	;local outboundInterface ($outboundInterfaceArray->$indexI->0)
	;local outboundPreviousInterface ""
	:set outQueueName ("QoS_" . $outboundInterface)
	:if ($indexI > 0) do={ :set outboundPreviousInterface ($outboundInterfaceArray->($indexI-1)->0) }

	:if ($outboundInterface != $outboundPreviousInterface) do={
		:local outInterfaceBandwidth ($outboundInterfaceArray->$indexI->2)
		/queue tree add max-limit=$outInterfaceBandwidth name=$outQueueName parent=$outboundInterface comment="Uplink QoS" queue=$NameOfQueue
		:for queuePriority from=1 to=8 do={
			:local qosIndex ($queuePriority-1)
			:local subClass ([:pick $qosClasses $qosIndex] )
			:local ipPrecedence ([:pick $priorityToIpPrecedenceMappings $qosIndex])
			:local ipPrecedenceMark ($outboundInterface . "_ip_precedence_" . $ipPrecedence)
			:if ($ipPrecedence = "0") do={ :set ipPrecedenceMark ("no-mark") }
			/queue tree add \ 
				name=("IP Precedence " . $ipPrecedence . ". " . $subClass . " - " . $outboundInterface ) \
				parent=$outQueueName \
				priority=($queuePriority) \
				queue=$NameOfQueue \
				packet-mark=$ipPrecedenceMark \
				comment=("Queue Priority " . $queuePriority)
		}
	}
}

It seems to me, that the script needs final "finalization" - it is necessary to describe a parameter, that would describe additional (some specific) parameters for the created queue.

Who is online