Hi all,

i'm putting in place QOS on our edge router and i'm tring to achive the following

With mangle i want to mark the connections and packets of the following

dns
http/https
email
everything else
p2p

and then place those marked packets into a queue with the following Priority

Dns = 1
http/https =2
email = 2
everything else = 7
p2p = 8

The trouble i'm having is that as soon as i add a rule to mangle the everything that isnt picked up by the other rules its starts picking everything up including those packets and connects that should be under other rules.

Heres my mangle list

[admin@Edge] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns-con passthrough=yes

1 chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns-con passthrough=yes

2 chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http-con passthrough=yes

3 chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=http-con passthrough=yes

4 chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email-con passthrough=yes

5 chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email-con passthrough=yes

6 chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p-con passthrough=yes

7 chain=prerouting p2p=!all-p2p action=mark-connection new-connection-mark=everything-con passthrough=yes

8 chain=prerouting connection-mark=dns-con action=mark-packet new-packet-mark=dns passthrough=yes

9 chain=prerouting connection-mark=http-con action=mark-packet new-packet-mark=http passthrough=yes

10 chain=prerouting connection-mark=email-con action=mark-packet new-packet-mark=email passthrough=yes

11 chain=prerouting connection-mark=everything-con action=mark-packet new-packet-mark=everything passthrough=yes

12 chain=prerouting connection-mark=p2p action=mark-packet new-packet-mark=p2p passthrough=yes

Anyone know how i can mark connections and traffic that arnt picked up by the other rules?

Cheers

Have you figured this out yet? I'm trying to do something similar.

add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p-con passthrough=yes
add chain=prerouting connection-mark=p2p action=mark-packet new-packet-mark=p2p passthrough=no (all p2p)
add chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns-con passthrough=yes
add chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns-con passthrough=yes
add chain=prerouting connection-mark=dns-con action=mark-packet new-packet-mark=dns passthrough=no (dns)
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http-con passthrough=yes
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=http-con passthrough=yes
add chain=prerouting connection-mark=http-con action=mark-packet new-packet-mark=http passthrough=no(http, maybe you shoul add 8080 port also)
add chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email-con passthrough=yes
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email-con passthrough=yes
add chain=prerouting connection-mark=email-con action=mark-packet new-packet-mark=email passthrough=no (POP3S (secure) uses port 995, IMAP - 143, IMAPS - 993)
chain=prerouting action=mark-connection new-connection-mark=everything-con passthrough=yes
chain=prerouting connection-mark=everything-con action=mark-packet new-packet-mark=everything passthrough=yes (this should mark everything else)

hmm i tired the whole "no passthrough" thing but as soon as the packet was marked it wouldnt follow the mark connection side of the rules. Ideas?

Uhm.... passthrough=no is the way to go, here's parts of my config (I've deleted lines and config-statemenets to bring it down to a readable size)

/ip fire mang exp
add chain=prerouting dst-address=192.168.2.40 protocol=tcp dst-port=5061 action=mark-connection new-connection-mark=voip-con passthrough=yes disabled=no
add chain=prerouting dst-address=192.168.2.40 protocol=udp dst-port=5061 action=mark-connection new-connection-mark=voip-con passthrough=yes disabled=no
add chain=prerouting dst-address=192.168.2.40 protocol=tcp dst-port=19000-20000 action=mark-connection new-connection-mark=voip-con passthrough=yes comment="" disabled=no
add chain=prerouting dst-address=192.168.2.40 protocol=udp dst-port=19000-20000 action=mark-connection new-connection-mark=voip-con passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=voip-con action=mark-packet new-packet-mark=voip passthrough=no comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=slask passthrough=yes comment="" disabled=no
add chain=prerouting dst-address=10.11.2.77 action=mark-packet new-packet-mark=slask passthrough=yes comment="" disabled=no
add chain=prerouting src-address=10.11.2.77 action=mark-packet new-packet-mark=slask passthrough=yes comment="" disabled=no


/ queue tree
add name="1 VOIP Prio" parent=global-total packet-mark=voip priority=1 disabled=no
add name="3 Sat" parent=global-in packet-mark=sat priority=3 disabled=no
add name="8 Slask" parent=global-total packet-mark=slask priority=8 disabled=no

/que tre pr st
Flags: X - disabled, I - invalid
0 name="1 VOIP Prio" parent=global-total packet-mark=voip limit-at=0 rate=1048
packet-rate=0 queued-bytes=0 queued-packets=0 bytes=2479767116 packets=11798027
dropped=0 overlimits=0 lends=364140 borrows=11433887

1 name="8 Slask" parent=global-total packet-mark=slask limit-at=0 rate=43008
packet-rate=55 queued-bytes=0 queued-packets=0 bytes=98575037754 packets=123904091
dropped=21 overlimits=0 lends=1146578 borrows=122757433

2 name="3 Sat" parent=global-in packet-mark=sat limit-at=0 rate=352 packet-rate=0
queued-bytes=0 queued-packets=0 bytes=6736306442 packets=62360095 dropped=0
overlimits=0 lends=786613 borrows=61573482

As you can se it clearly uses the proper queue for tagged traffic

/Jörgen

Thank you VERY VERY much for this, its helped alot - i can see the order of my rules was incorrect.

You're welcome, it's feels good to be able to help!

/Jörgen

joeri91942

What's the passthrough do?

I want to put the QoS on my bridge... will I need to change the prerouting to foward chain?

Thanks

Fabrício

The manual says:

"passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets"

My understanding of passthrough is as follows;

All packets flow through each chain, starting with the first rule and continues through to the next rule UNLESS the packet is matched in a rule AND the passthrough option is set to no. If the option is set to no then the packet is kicked out of the chain it was in and passed on to the next step in the packet handling.

This means that if you do not use passthrough=no then all later rules will do something with the packet if it matches criteria for any subsequent rule, real bad if you have a final rule that drops everything or similar

So... if you want to have a ruleset for handling three types of traffic, high-prio - medium prio - low prio then your would need to this in the following order (this is based on my setup using masq on all outgoing traffic and dst-nat on all incoming, no bridging)

1 - connection mark high-prio connections based on src IP / dst IP / interface / port / whatever, option passthrough=yes so that they will reach next rule
2 - mark all packets having high-prio connection mark with a high-prio packet mark, option passthrough=no. This kicks out all packets with the high-prio connection mark

any packets coming here did NOT match the above rules
3 - connection mark medium-prio connections based on src IP / dst IP / interface / port / whatever, option passthrough=yes so that they will reach next rule
4 - mark all packets having medium-prio connection mark with a medium-prio packet mark, option passthrough=no. This kicks out all packets with the medium-prio connection mark

any packets coming to this step did not match ANY of the above rules
5 - mark all packets with low-prio packet mark (last and final rule, no need for passthrough and everything that comes here are lowest prio so mark everything)

Next, create three rules in the queue tree
1 - packet mark high-prio / priority 1
2 - packet mark medium-prio / priority 4
3 - packet mark low-prio / priority 8
you could of course use priority 1,2,3 but this leaves some room for additional levels to be added

For bridging I am not quite sure what chain to use.... but start up winbox, place all the relevant counter-windows so you see them and try it, chnage a rule here and a rule there and watch how many packets are counted in each mangle rule (winbox / ip / firewall / mangle)

Hope this helps

/Jörgen

The manual says:

"passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets"

Yes.... however if you look at the detailed explanation in the manual it states the following;
passthrough (yes | no; default: yes) - whether to let the packet to pass further (like action passthrough) after marking it with a given mark (property only valid if action is mark packet, connection or routing mark)

So the short and the long explanation doesn't quite agree

/Jörgen

Thanks Jörgen

Your explanation was great...