MikroTik

Are you tired of long dynamic simple queue list for your PPP clients?
Would you like to replace all your dynamic simple queues only with several PCQ type queues?

Well - from RouterOS v3.10 it is possible by using dynamic ppp address-lists

Dynamic ppp address-lists can be enabled by:
1) new attribute in ppp profile - "address-list".
2) new RADIUS attribute - "Mikrotik-Address-List" (vendor=Mikrotik, id=19)
(usable only by ppp, not hotspot or wireless)

Both specifies to witch "ip firewall address-list" ppp (pppoe, pptp, l2tp, async ppp) should
add remote (client) address. Then this address-list can be used for packet marking in
IP firewall mangle facility, and in the end marks can be sued for PCQ type queues.

Example how to use address-list for PCQ queueing can be found in "QoS Workshop" presentation from MUM Chicago: http://mum.mikrotik.com/presentations/US08/janism.pdf (slide 15-27)

Sounds quite useful, thanks for that new feature!

Is it also possible to get networks that are specified
as Radius Framed-Route reply attributes dynamically
inserted into that same address list in addition to the
PPP peer host address?

That would make the feature useful for clients that get
Radius-assigned subnet routing of public address ranges
with no NAT at the client CPE.

--Tom

Was also possible earlier, just without address-list feature. Just make an IP-Pool per bandwidth you like to have on your AC and map them to a PCQ queue.

You will be able to handle much more users on your AC, without getting higher latency!


Regards
Lutz

That address-list feature was the main point missing. if you have several types of pppoe clients with different limitations - you need those dynamic address lists to create lists otherwise impossible because of dynamic nature of situation.

You will be able to handle much more users on your AC, without getting higher latency!

Is this accurate? Will the use of "Dynamic ppp address-lists" on a PPPoE access server improve performance of the server over the PPPoE servers default use of simple queues?

Matt

Great!

Thanks for the good description and guidelines.

That address-list feature was the main point missing. if you have several types of pppoe clients with different limitations - you need those dynamic address lists to create lists otherwise impossible because of dynamic nature of situation.

No, works also without that feature great. Just define an ip pool per bandwidth you want to offer and map each user an ip from the corresponding pool. Than you just need a PCQ queue for each pool. Works great.

Not the use of "Dynamic ppp address-lists" will improve the performance, but so (or the way described above) you need only one PCB queue per bandwidth you want to have or sell to your customers, instead of hundreds of automaticly created simple queues.


Regards
Lutz

Just define an ip pool per bandwidth you want to offer and map each user an ip from the corresponding pool. Than you just need a PCQ queue for each pool.

Sure, that works, but it's not what I was asking for.

When I asked about Radius Framed-Route attribute based routes above I was specifically talking about a scenario where a customer gets routed a public subnet via his PPP-assigned address as the gateway, i.e. a customer that does not only have one public address (and everything he does is NATed behind that address) but instead a client that in addition has one or more public subnets routed to him and does no NAT.

Such a client will transmit and receive IP traffic not only from his one PPP-assigned address but possibly also from any of the subnet address ranges that are routed to his CPE (and beyond). Thus these additional addresses (coming from Framed-Route Radius reply attributes on the ISP's end) would also need to be included into the dynamic PPP address list to be caught by the PCQ queues...

--Tom

But that would give him the specified bandwidth for every ip address in this subnet, right?

Correct, and also your szenario works with the methode mentioned above, without the use of address-lists, only with giving a special bandwidth thru special pool addresses.

But for the szenario what you are looking for - routing a subnet thru a pppoe-tunnel - I prefer to do the bandwidth limitation for this kind of customers thru the tunnel. So here a simple queue works better for me as PCQ.

Regards
Lutz

The Hotspot Address List feature is a great one for me - it has solved a problem I have been working on trying to have different "classes" of hotspot user routed down different bandwidth lines. This makes it super easy to do!

One more request though - can you make it possible to specify the address list in the batch add portion of User Manager?

Update: Note your User Manager AND your highsite must be running 3.10 for this to work!

This sounds good. It would be good to have the same feature elsewhere, DHCP for instance...

I think this feature would be better if they could be assigned per secret or per pppoe user. And that a user could be assigned to more then one list.

Say I have a user that wants to have all p2p that Mikrotik can catch blocked on his connection and he has a dynamic IP assigned by PPPoE. I would like to assign him to the address list "nop2p2". I could assign that to a small handful of PPPoE users that desire it without having to create an addition "nop2p" profile for all my service plans.

Matt

Can we have this feature on ROS 2.9.x?


I mean, maybe... Let me extend my wishes here, I would love to see one MT ROS package based on v3.11 but its pppoe server is a implementation from 2.9.x. Is that even possible? i.e. A special router OS package v3.12.x with just the pppoe server from any ROS 2.9.x. Would be the finest solution to me.

no, because if we would would add all same features to v.2.9 then it would become the same as v3.

very helpful article

This sounds good. It would be good to have the same feature elsewhere, DHCP for instance...

Yes, i agree. And wireless too.

I have strange problem with address-lists.
We have pptp сервер + radius + dynamic ppp address-list + mangle + pcq to limit bandwidth per ip.
For first hours all works fine, but after some time several ip from access lists stop hit mangle rules to mark packet. And user get unlimited bandwidth. When view address list all looks fine, if i remove dynamic entry and replace it with static all start to work. If i just add static entry for this ip without removing dynamic entry, traffic from this ip don't hit mangle rules.

My config:
/ip firewall mangle
add action=change-mss chain=forward comment="" disabled=no new-mss=1360 \
protocol=tcp src-address=x.x.x.0/21 tcp-flags=syn
add action=change-mss chain=forward comment="" disabled=no dst-address=\
x.x.x.0/21 new-mss=1360 protocol=tcp tcp-flags=syn
add action=mark-packet chain=prerouting comment=Speed_Limit_64 disabled=no \
new-packet-mark=unlim_64_upload passthrough=no src-address-list=Speed64
add action=mark-packet chain=prerouting comment="" disabled=no \
dst-address-list=Speed64 new-packet-mark=unlim_64_download passthrough=no
add action=mark-packet chain=prerouting comment=Speed_Limit_128 disabled=no \
new-packet-mark=unlim_128_upload passthrough=no src-address-list=Speed128
add action=mark-packet chain=prerouting comment="" disabled=no \
dst-address-list=Speed128 new-packet-mark=unlim_128_download passthrough=no
add action=mark-packet chain=prerouting comment=Speed_Limit_192 disabled=no \
new-packet-mark=unlim_192_upload passthrough=no src-address-list=Speed192
add action=mark-packet chain=prerouting comment="" disabled=no \
dst-address-list=Speed192 new-packet-mark=unlim_192_download passthrough=no
add action=mark-packet chain=prerouting comment=Speed_Limit_256 disabled=no \
new-packet-mark=unlim_256_upload passthrough=no src-address-list=Speed256
add action=mark-packet chain=prerouting comment="" disabled=no \
dst-address-list=Speed256 new-packet-mark=unlim_256_download passthrough=no
add action=mark-packet chain=prerouting comment=Speed_Limit_384 disabled=no \
new-packet-mark=unlim_384_upload passthrough=no src-address-list=Speed384
add action=mark-packet chain=prerouting comment="" disabled=no \
dst-address-list=Speed384 new-packet-mark=unlim_384_download passthrough=no
add action=mark-packet chain=prerouting comment=Speed_Limit_512 disabled=no \
new-packet-mark=unlim_512_upload passthrough=no src-address-list=Speed512
add action=mark-packet chain=prerouting comment="" disabled=no \
dst-address-list=Speed512 new-packet-mark=unlim_512_download passthrough=no
add action=mark-packet chain=prerouting comment=Speed_Limit_1024 disabled=no \
new-packet-mark=unlim_1024_upload passthrough=no src-address-list=Speed1024
add action=mark-packet chain=prerouting comment="" disabled=no \
dst-address-list=Speed1024 new-packet-mark=unlim_1024_download passthrough=\
no

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_192_download packet-mark=unlim_192_download parent=\
global-in priority=8 queue=unlim_192_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_192_upload packet-mark=unlim_192_upload parent=\
global-out priority=8 queue=unlim_192_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_384_download packet-mark=unlim_384_download parent=\
global-in priority=8 queue=unlim_384_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_384_upload packet-mark=unlim_384_upload parent=\
global-out priority=8 queue=unlim_384_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_64_download packet-mark=unlim_64_download parent=\
global-in priority=8 queue=unlim_64_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_64_upload packet-mark=unlim_64_upload parent=\
global-out priority=8 queue=unlim_64_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_128_download packet-mark=unlim_128_download parent=\
global-in priority=8 queue=unlim_128_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_128_upload packet-mark=unlim_128_upload parent=\
global-out priority=8 queue=unlim_128_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_256_download packet-mark=unlim_256_download parent=\
global-in priority=8 queue=unlim_256_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_256_upload packet-mark=unlim_256_upload parent=\
global-out priority=8 queue=unlim_256_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_512_download packet-mark=unlim_512_download parent=\
global-in priority=8 queue=unlim_512_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_512_upload packet-mark=unlim_512_upload parent=\
global-out priority=8 queue=unlim_512_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_1024_download packet-mark=unlim_1024_download \
parent=global-in priority=8 queue=unlim_1024_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=unlim_1024_upload packet-mark=unlim_1024_upload parent=\
global-out priority=8 queue=unlim_1024_upload

/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=\
5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
add kind=pcq name=unlim_192_download pcq-classifier=dst-address pcq-limit=100 \
pcq-rate=192000 pcq-total-limit=10000
add kind=pcq name=unlim_192_upload pcq-classifier=src-address pcq-limit=100 \
pcq-rate=192000 pcq-total-limit=10000
add kind=pcq name=unlim_384_download pcq-classifier=dst-address pcq-limit=100 \
pcq-rate=384000 pcq-total-limit=10000
add kind=pcq name=unlim_384_upload pcq-classifier=src-address pcq-limit=100 \
pcq-rate=384000 pcq-total-limit=10000
add kind=pcq name=unlim_64_download pcq-classifier=dst-address pcq-limit=50 \
pcq-rate=64000 pcq-total-limit=2000
add kind=pcq name=unlim_128_download pcq-classifier=dst-address pcq-limit=50 \
pcq-rate=128000 pcq-total-limit=2000
add kind=pcq name=unlim_256_download pcq-classifier=dst-address pcq-limit=50 \
pcq-rate=256000 pcq-total-limit=2000
add kind=pcq name=unlim_512_download pcq-classifier=dst-address pcq-limit=300 \
pcq-rate=512000 pcq-total-limit=300000
add kind=pcq name=unlim_64_upload pcq-classifier=src-address pcq-limit=100 \
pcq-rate=64000 pcq-total-limit=10000
add kind=pcq name=unlim_128_upload pcq-classifier=src-address pcq-limit=100 \
pcq-rate=128000 pcq-total-limit=10000
add kind=pcq name=unlim_256_upload pcq-classifier=src-address pcq-limit=100 \
pcq-rate=256000 pcq-total-limit=10000
add kind=pcq name=unlim_512_upload pcq-classifier=src-address pcq-limit=100 \
pcq-rate=512000 pcq-total-limit=10000
add kind=pcq name=unlim_1024_upload pcq-classifier=src-address pcq-limit=100 \
pcq-rate=1024000 pcq-total-limit=10000
add kind=pcq name=unlim_1024_download pcq-classifier=dst-address pcq-limit=300 \
pcq-rate=1024000 pcq-total-limit=30000
set default-small kind=pfifo name=default-small pfifo-limit=10

/ppp profile
set default change-tcp-mss=no comment="" name=default only-one=default \
use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=no comment="" dns-server=x.x.x.x \
local-address=x.x.x.x name=default-encryption only-one=default \
remote-address=vpn_traf_pool use-compression=no use-encryption=no \
use-vj-compression=no

I have static address lists, and I have this problem too: sometimes entries in address list stop working and do not 'participate' in firewall matching. But if you select that (not disabled) entry in WinBox and press "Enable", visually nothing changes, but address list entry is working again...

sometimes entries in address list stop working and do not 'participate' in firewall matching. But if you select that (not disabled) entry in WinBox and press "Enable", visually nothing changes, but address list entry is working again...

Experienced the same problem in 2.9.51.

nice feature

sometimes entries in address list stop working and do not 'participate' in firewall matching. But if you select that (not disabled) entry in WinBox and press "Enable", visually nothing changes, but address list entry is working again...

Experienced the same problem in 2.9.51.

can you test 3.14? It seems like problem disappeared after reorganizing the work with address-lists...

sometimes entries in address list stop working and do not 'participate' in firewall matching. But if you select that (not disabled) entry in WinBox and press "Enable", visually nothing changes, but address list entry is working again...

Experienced the same problem in 2.9.51.

can you test 3.14? It seems like problem disappeared after reorganizing the work with address-lists...

the problem still exists =( not so frequently, but still happens =(

i hope address-list add limit time or drop ipadress time

In attach, on 24th page shows queue tree. How it balance u/d speed for different groups (basic, standard, business). For example i have 30 users basic, 15 standard and 7 business, each one downloading at max. pcq-rate=0.

We have tested the Dynamic Address-Lists with pppoe and it works great. Is there any plan to support this with DHCP? We have a mixed network with both PPPOE and DHCP clients.

Thank You

Is there any plan to support this with DHCP?

hmmm... nice suggestion =) I vote for this feature =) it's not as hard to realize as DHCP routes in RADIUS request, promised me by support 'in near future' =(

I have a problem with PCQ and address-lists config.
I created configuration as it is described in Chicago MUM presentation. Everythings works great with one exception.
In download queue tree there is always max. one PCQ queue created independetly on how many users are connected.
For upload queue I have as many queues as number of users generating traffic
At local network side I have vlan created in ethernet interface and PPPoE served is binded to this vlan - this is probably the only difference with config described.

The great benefit of single simple dynamic queue for each ppp(oe) session is BURST definition. I didn't find anyway to define BURST per IP address in a PCQ QOS assigned to a specific address list.
The burst for QUEUE total is not helpful as it's for address list's total traffic.

I am missing something?

I don't use bursts. As a matter of fact, I don't drop my clients traffic on purpouse with a "queue" limitation. It is dropped naturally upstream and when congestion happens. This doesn't mean that I use the dumb FIFO queues.

When Mikrotik-Address-List will support ipv6 ?

Can someone assist me with the Radius attribute to dydnamically add PPPoE IPs to address lists using
free radius v2

A real pity that this as well as filters, are only implemented for IPv4, and nothing for IPv6...