16 Aug
2018
10:05 a.m.
Hi Alex,

So that firewall rule WILL essentially override queues for all the fast-tracked connections. You can overcome that by just changing the action from fast-track-connection to 'accept' - it will do almost the same thing, just adding a bit of CPU load because the CPU will still need to run every packet through the different firewall tables (even though only matching that filter rule).

If you want to use fast-Track, then you need to figure out a way to avoid fast-tracking connections that you want to shape with queues. For example, you could add relevant sources/destinations to an address list, then add an 'accept' rule ahead of that fasttrack rule.

Cheers!

> -----Original Message-----
> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad
> Sent: Thursday, 16 August 2018 9:58 AM
> To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
> Subject: Re: [MT-AU Public] rate limiting - shapping
>
> Hi
>
> yes
> fast-path - don't want as it will bypass queue
> fasttrack I think I do want - but does it depend on fast-path. It seems to read that if I apply queues to interface and not the global parent the queue will apply.
>
> I will have to check.
> I typically put this in forward
> add chain=forward comment="Allow Established connections" connection-state=established,related action=fasttrack-connection disabled=no
> add chain=forward comment="Allow Established connections" connection-state=established,related
>
> so I have fastpath and route cache set to true in /ip settings.
>
> if I apply queue to internet interface, does that mean it's not going to work cause I have fast-path enabled or is fastpath the same as long as the queue is on the interface ?
>
> A
>
> On 16 August 2018 at 09:45, Mike Everest <mike@duxtel.com> wrote:
>
> > There is fast-PATH and fast-TRACK.
> >
> > Fast-PATH overrides pretty much all firewall functionality, including filters, NAT, queues, mangle etc
> >
> > With fast-TRACK, connections that are explicitly (or auto selected) fast-tracked will bypass queues and filters, but the idea is that you can use firewall to decide which connections to fast track or not.
> >
> > https://wiki.mikrotik.com/wiki/Manual:Fast_Path
> > https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
> >
> > Cheers!
> >
> > Mike.
> >
> > > -----Original Message-----
> > > From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad
> > > Sent: Thursday, 16 August 2018 7:35 AM
> > > To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
> > > Subject: Re: [MT-AU Public] rate limiting - shapping
> > >
> > > Hi
> > >
> > > One more question on this. How does this affect fast-path...
> > >
> > > I read that fast path and queue'ing don't mix if applied to the global parents so can I fast path and use queue on interfaces ?
> > >
> > > On 15 August 2018 at 19:20, Alex Samad <alex@samad.com.au> wrote:
> > >
> > > > Hi
> > > >
> > > > Sounds very much like tc on linux.
> > > >
> > > > Always interests me whether to apply the queue on the wan or the lan side.
> > > >
> > > > From
> > > > https://wiki.mikrotik.com/wiki/Manual:Queue
> > > >
> > > > seems like it has in and outbound so it really shouldn't make a difference.
> > > >
> > > > /queue simple
> > > > a) add limit-at=100M/100M max-limit=50M/50M name=INTERNET queue=default/default target=ether1
> > > > b) add limit-at=20M/20M max-limit=100M/100M name=SPECIAL-PC parent=INTERNET priority=1/1 queue=default/default target=192.168.1.10
> > > > c) add max-limit=100M/100M name=EVERYONE-ELSE parent=INTERNET priority=8/8 queue=default/default
> > > >
> > > > let me dissect to see if I have it
> > > >
> > > > so the parent is A and has 2 children so they are limited by A.
> > > >
> > > > add limit-at=100M/100M max-limit=50M/50M name=INTERNET queue=default/default target=ether1
> > > > * is applied to interface ether1 the internet interface
> > > > limit-at - CIR it will always have 100M/100M
> > > > max-limit 50M/50M ... this has me I would have thought this would be 100M/100M as well
> > > > queue=default/default, I am thinking
> > > >
> > > > multi-queue-ethernet-default
> > > >
> > > > only to take advantage of that. But default/default would work I am thinking as 100M is not that big and queue limit at 50 packets, so it will hold onto 50 packets before dropping ... The question do I drop straight away and let tcp handle the back down.
> > > >
> > > > So my aim is to not let the link get flooded with utube so that act work traffic can make it through. I'm thinking as this is the root I will leave it at default and tune the leaf ones
> > > >
> > > > # lets presume this is my prod traffic
> > > > add limit-at=20M/20M max-limit=100M/100M name=SPECIAL-PC parent=INTERNET priority=1/1 queue=default/default target=192.168.1.10
> > > > add limit-at=20M/20M << should have this available
> > > > max-limit=100M/100M << this is the max it can burst to .. So if nothing else is using it can flow up to this
> > > > name=SPECIAL-PC parent=INTERNET << the parent above
> > > > priority=1/1 << means 1 from the 1 above and /1 so has priority 1
> > > > queue=default/default
> > > > target=192.168.1.10 << this is on my side so anything bound for this address will match this rule
> > > >
> > > > # presume this is the non prod
> > > > add max-limit=100M/100M name=EVERYONE-ELSE parent=INTERNET priority=8/8 queue=default/default
> > > > max-limit=100M/100M << Why allow it to go to 100M is this because 1/1 above has priority before it and 1/1 has 20M/20M carved out
> > > > name=EVERYONE-ELSE parent=INTERNET
> > > > priority=8/8 << just checked the doc and it seems to suggest there is only 1 value 1..8 not 1..8/1..8
> > > > queue=default/default
> > > >
> > > > I have 4 ip's I want to shape specifically is it better to use multiple target ip's or use packet marking ?
> > > >
> > > > also there is target upload and direction (default is both so not really needed) options as well
> > > >
> > > > Alex
> > > >
> > > > On 15 August 2018 at 16:52, Philip Loenneker <Philip.Loenneker@tasmanet.com.au> wrote:
> > > >
> > > >> Hi Alex,
> > > >>
> > > >> I tend to put the shapers on the WAN interface, not the LAN interface, as you may want to route/bridge between other interfaces, and don't want that traffic to be caught by the queues. But this only really works if you use Simple Queues, as if you use a Queue Tree, it will only queue outbound traffic, so you would need to have a separate tree on each. But from recent MUM presentations, my understanding is that the current best performing queue method is Simple Queue Trees anyway. This may give you something to start with:
> > > >> /queue simple
> > > >> add limit-at=100M/100M max-limit=50M/50M name=INTERNET queue=default/default target=ether1
> > > >> add limit-at=20M/20M max-limit=100M/100M name=SPECIAL-PC parent=INTERNET priority=1/1 queue=default/default target=192.168.1.10
> > > >> add max-limit=100M/100M name=EVERYONE-ELSE parent=INTERNET priority=8/8 queue=default/default
> > > >>
> > > >> You can use Target or packet marks to identify your traffic, and you can have quite a few queues in one tree so make it really flexible.
> > > >>
> > > >> Regards,
> > > >> Philip
> > > >>
> > > >> -----Original Message-----
> > > >> From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Paul Julian
> > > >> Sent: Wednesday, 15 August 2018 4:25 PM
> > > >> To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
> > > >> Subject: Re: [MT-AU Public] rate limiting - shapping
> > > >>
> > > >> Hey Alex,
> > > >>
> > > >> The queue parent interface is the interface that the traffic is leaving your router on.
> > > >>
> > > >> If you want to manage outbound traffic to TPG it goes on the TPG interface, if you want to manage inbound traffic to your network it goes on interface B
> > > >>
> > > >> If you want to queue more than drop you need to make sure your queue size is sufficient, but remember that you don't want to hang on to packets for too long or stuff will start retransmitting and causing other issues.
> > > >>
> > > >> The tree is right generally, mangle packets to mark the connection based on IP if that's how you want to do it, then mangle packets based on the connection mark, use the packet marks in your queues.
> > > >> Set your parent queue to the maximum speed of your connection and priority to 8, then add your queues for individual stuff underneath, making the addition of all queue LIMIT-AT amounts to equal your maximum speed of your parent queue, and set the MAX-LIMIT on each queue to equal the actual limit of your parent queue.
> > > >>
> > > >> Regards
> > > >> Paul
> > > >>
> > > >> -----Original Message-----
> > > >> From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Alex Samad
> > > >> Sent: Wednesday, 15 August 2018 4:11 PM
> > > >> To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
> > > >> Subject: [MT-AU Public] rate limiting - shapping
> > > >>
> > > >> Hi
> > > >>
> > > >> Okay - say I have a CCR 1072.
> > > >>
> > > >> 1 interface connected to TPG say 100M connections (int A)
> > > >> 1 interface into my vlan where my firewall is connected. (int B)
> > > >>
> > > >> I want to shape / limit / ?? inbound and outbound traffic.
> > > >>
> > > >> I believe - from a quick read of the routeros pages that I apply the limiter to the int B.
> > > >>
> > > >> and apply up and down for 100Mb/s - this is the max
> > > >>
> > > >> Then I can carve out - well what I want is from 1 ip I want to allow full 100Mb. from 2 other I want to allow up to 80Mb and for the rest up to 60Mb/s
> > > >>
> > > >> I think I create a tree of shapers the top being the full capacity and then add nodes to match each of the above.
> > > >>
> > > >> plus I don't want drop I want it to hold the packets and release when it can
> > > >>
> > > >> does that sound about right ?
> > > >>
> > > >> A
> > > >> _______________________________________________
> > > >> Public mailing list
> > > >> Public@talk.mikrotik.com.au
> > > >> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
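
The suggestion in the reply at the top of this thread (accept the connections you want to shape ahead of the fasttrack rule, selected by address list), sketched as RouterOS configuration. This is an added example, not configuration posted by anyone on the list; the address-list name `shaped` is an assumption, and 192.168.1.10 is the SPECIAL-PC target from the thread's queue example.

```routeros
# Added example. The list name "shaped" is an assumption; 192.168.1.10 is the
# SPECIAL-PC target from the simple-queue example quoted in the thread.
/ip firewall address-list
add list=shaped address=192.168.1.10 comment="hosts that must stay in queues"

/ip firewall filter
# 1. Established/related traffic from or to a listed host is accepted by an
#    ordinary rule, so it never reaches the fasttrack rule and keeps passing
#    through the queues.
add chain=forward action=accept connection-state=established,related \
    src-address-list=shaped comment="shaped hosts, upload: no fasttrack"
add chain=forward action=accept connection-state=established,related \
    dst-address-list=shaped comment="shaped hosts, download: no fasttrack"

# 2. All other established/related connections are fast-tracked and therefore
#    bypass queues and filters, as described in the thread.
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack the rest"

# 3. Companion accept rule, as in the rule pair quoted in the thread: packets
#    of fast-tracked connections that still take the normal path match here.
add chain=forward action=accept connection-state=established,related \
    comment="Allow Established connections"
```

Rule order is what makes this work: the two address-list accept rules must sit above the fasttrack rule in the forward chain. Any host whose traffic has to count against a queue belongs in the list, because fast-tracked connections do not pass through the queues.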