How can i shape the traffic on a bridge. In the Microtik FAQ it says that you can put the queues on the interfaces that the traffic is leaving the router. But that does not work. No matter what i try, it fails. I tried to enable firewall on the bridge and then mark the packets. But there is no way to know if traffic is going left or right.

Can someone please help me. My setup is simple. I have a router with two interfaces: ether1 and ether2. They are bridged together in bridge1. I want to shape the traffic that comes in through ether1 and leaves through ether2 at 2Mbit, and the traffic that goes the other way i want to shape at 1Mbit.

Thanks

We do this for bandwidth shapers all the time and it works fine.
You need to make sure you clearly understand your design, once you do it's straightforward.
Oh, and forget you have a bridge, that will only complicate the understanding of the solution.

Here is some example lines from a template we use, we call one interface private, and the other public for this system, but you can use whatever you want. Call your bridge whatever you want, it is irrelevant for traffic shaping anyway.
Remember that the shaping is queuing packets IN the router BEFORE they LEAVE the router, making sure you grasp this concept is critical to getting your rules around the right way.

Have a look at this and see how you go....Notice I have TO SITE and FROM SITE specified, 2 rules for each site, incoming to the router (heading into datacentre) and outgoing from the router (heading to the site)
There is a connection mark and packet mark for each traffic type.
We only care about managing citrix traffic to the site, not from the site, hence there only being one queue for Citrix traffic.



## - Do find and replace on SITEADDRESS to insert subnet, must be in the format of xx.xx.xx.0/subnet (24) example 10.1.1.0/24 (This does whole document)
## - Do find and replace on SITECODE to insert site code, should be 3 to 5 letters, such as syd or nrgba (This does whole document)

## *********** ALL RULES MUST REMAIN IN THE ORDER PRESENTED IN THIS TEMPLATE OR SHAPING WILL NOT FUNCTION CORRECTLY **************
## - Change comment on first rule to indicate description of the site that the rules are for, such as "Frankfurt Rules Start"

/ ip firewall mangle

## Citrix Traffic to Site
add chain=forward src-port=2598 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-citrix-out-con comment="Frankfurt Rules Start" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward src-port=445 in-interface=private dst-address=SITEADDRESS protocol=tcp action=mark-connection new-connection-mark=SITECODE-fileshare-out-con comment="" disabled=no passthrough=yes

## Filesharing Traffic to Site
add chain=forward connection-mark=SITECODE-fileshare-out-con action=mark-packet new-packet-mark=SITECODE-fileshare-out comment="" disabled=no passthrough=no

## Citrix Traffic to Site
add chain=forward connection-mark=SITECODE-citrix-out-con action=mark-packet new-packet-mark=SITECODE-citrix-out comment="" disabled=no passthrough=no

## Filesharing Traffic from Site
add chain=forward connection-mark=SITECODE-fileshare-in-con action=mark-packet new-packet-mark=SITECODE-fileshare-in comment="" disabled=no passthrough=no

## Other Traffic to Site
add chain=forward connection-mark=SITECODE-other-out-con action=mark-packet new-packet-mark=SITECODE-other-out comment="" disabled=no passthrough=no

## Other Traffic from Site
add chain=forward connection-mark=SITECODE-other-in-con action=mark-packet new-packet-mark=SITECODE-other-in comment="" disabled=no passthrough=no

## - Set max-limit figures in each line to the maximum allowable tranfer rate or bandwidth allocation for that service
## - Set limit-at figures to be the CIR or guaranteed rates provided for that service
## - Remove lines for any services not needed, but always leave "Other Traffic" queues in place as a catch-all

/ queue tree
add name="SITECODE-UP" parent=private packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="SITECODE-DOWN" parent=public packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Citrix Traffic to Site
add name="citrix-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-citrix-out limit-at=942000 queue=pfifo priority=1 max-limit=1024000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic to Site
add name="other-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-other-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Other Traffic from Site
add name="other-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-other-in limit-at=128000 queue=pfifo priority=8 max-limit=768000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing Traffic to Site
add name="fileshare-to-SITECODE" parent=SITECODE-DOWN packet-mark=SITECODE-fileshare-out limit-at=0 queue=red priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no

## Filesharing traffic from Site
add name="fileshare-from-SITECODE" parent=SITECODE-UP packet-mark=SITECODE-fileshare-in limit-at=128000 queue=pfifo priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no



Regards
Paul

Thanks for your swift answer.

But unfortunately this does not solve my problem.

I have the same address range on both sides of the bridge. Therefore i can not differentiate the traffic on ipaddresses.

It has to interface based.

I'm am running RouterOS v3.9. (don't know if it makes any difference)

I don't know if it's even possible.

My setup is as follows:

MyNet----ether1-MyBridge-ether2----MyNet

When i add a rule in mangle(postrouting or forward) on ether1 or ether2 which i would normally do to mark packets, no packet go through that rule. The counter stays at zero.

Is there a way to mark packets depending on the interface the packet is leaving, when the interface is part of a bridge?

I don't see why not, just leave the IP addressing out, you will obviously need to identify the ports to mark the traffic correctly and the outgoing interfaces, but I don't see why having the same IP range on both sides will affect it.

Regards
Paul

As you say: "you will obviously need to identify the ports to mark the traffic correctly "

When i do this, no packets match the rule. Strange but true. And this is the core of my problem. I can't find any way to mark the packets depending on which way the packet is traveling.

The FAQ says that this is possible. And i think i have done it on RouterOS v2.x, but i simply does not work now.

[admin@MyBridge] /interface bridge> print
0 R name="MyBridge" mtu=1500 arp=enabled mac-address=00:0C:42:0A:A0:65 protocol-mode=rstp priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:67:65 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

[admin@MyBridge] /interface bridge port> print
0 ether1 MyBridge 0x80 10 none
1 ether2 MyBridge 0x80 10 none


This does not work:
[admin@MyBridge]/ip firewall mangle> print
0 chain=postrouting action=mark-packet new-packet-mark=ether1out passthrough=yes out-interface=ether1

This does not work:
[admin@MyBridge]/ip firewall mangle> print
0 chain=forward action=mark-packet new-packet-mark=ether1out passthrough=yes out-interface=ether1

You need to use either the prerouting chain or forwarding chain, I think prerouting though.
You also need to mark the connection first, then the packet based on that connection.

You want the connection mark rule to be a passthrough rule, but the packet marking rule must NOT be a passthrough rule.
The order of the rules is critical, make sure they way the rules is setout that one connection rule cannot be marked against more than one packet rule.

Regards
Paul

I really don't want to be a pain in the butt:)

But im not kidding you.

No matter if its prerouting, forward og postrouting in mangle. As long as i specify a interface, no matter if its in or out interface, no packet will hit that rule - when the interfaces are in a bridge. At least not on RouterOS v3.9

Let me have a look and see if I can reproduce what you are seeing, for all intensive purposes I believe it should be working.

Regards
Paul

OK, on 2.9.40 this works when a bridge is configured with ether1 and ether2 interfaces as ports:
0 chain=forward out-interface=ether1 protocol=tcp action=mark-connection new-connection-mark=test passthrough=yes

But, I can reproduce your problem, I can't get the same to work on 3.0 or above, and the bridge setup is different which makes me think the bridging component is a major change in V3 onwards.

Perhaps one of the MT guys might be able to comment, you may need to send an email to support and ask about that one.
It definately doesn't work in V3 the same as V2

Regards
Paul

Thanks. I was just about to think that i was going crazy:)

So something has changed in v3.x which has robbed us of this nice feature of having a transparent shaping bridge.

Please Mikrotik Guys, tell us how to solve this...

Just curios, do you have interface bridge settings set use-ip-firewall=yes ?

Hi Sergejs, nope, that setting is not set, here is the settings I have in my V3.0 test box that I used.

0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:0C:42:21:EB:33
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m

Would enabling that option make a difference do you think ?

Regards
Paul

If this option is not enabled, then bridged packets are not going over firewall.

OK, so this is a new option in V3 ? I never had to switch it on in 2.9.x

Regards
Paul

Yes, it is new option and you have to use it, when you have firewall rules/queues on bridge.

I have tried enabling it and setting the packet marking rules but it still doesn't work, is there some trick to getting the packet marking working with the new setup ?
I have tried the traditional method in the mangle rules under /ip firewall mangle but I still can't get anything to match the rules, I have also tried using the filters inside the bridge setup but can't get any packet marking happening in there either ?

Regards
Paul

Post please, ip firewall mangle print

We have same experience.
In 2.9.x we used to bridge ports in In.Interface or Out.Interface and everything was OK. Then we tried ROS 3.10 and experienced problems.

We set and then removed In.Interface and set In.bridge port. We can see traffic over 500 kbps on device but there is no packet count incrementing in firewall rule.

Our rules
Loki is wireless interface in bridge. As I said before there is 500 kbps of traffic in both directions on Loki device but packet count (especially in output device) in these firewall rules is almost constant.

I have now tested this using the filters in the bridge itself, you must use an outgoing bridge port definition, you can't queue traffic on an incoming port, only a port of the router that the traffic is exiting out.
It does work now, you have to use the setting as Sergejs says, then use the filter section of the bridge to define your packet marks. Only difference here is you don't mark the connection first as per normal mangle rules, you need to just mark the packet.

Regards
Paul

Thanks guys.

Now it works

Great, glad we could help

Hehe. One more thing.

Now the packets are getting their mark. But i can't catch them in the Queue.

No matter what parent i use, when i set the packet mark to the mark i mark the packet with, the queue counter stays at zero.

Make sure you are selecting the correct interface for the queue, it must be the interface that the packet leaves the router through.

Regards
Paul

This is awesome. I've searched online forever and then I found this solution to my queue trees... use-ip-firewall=yes.