I bought an HAP ac lite, intending to use it as a throttle between a bunch of evil leeching wifi users and a client's tender defenseless Internet router. I have had a test unit (an older 951 unit) in there and used the bandwidth command on the relevant ethernet port. That worked a treat.

Turns out none of the interfaces on the HAP ac line support the set bandwidth command :-(

So I have turned to queues. I cannot figure them out. This command should IMHO limit the total bandwidth coming IN to ether1 to 1 megabit, and the total bandwidth for traffic LEAVING ether1 to 500 kilobits:

    /queue simple add target=ether1 queue=ethernet-default/ethernet-default max-limit=500K/1M

But when I do that, nothing moves over ether1 (which is the link between the HAP and the Internet router).

So I deleted that queue and tried this (192.168.100.0/24 is the network containing the leeches - wlan1, wlan2, ether2/3/4 bridged):

    /queue simple add target=192.168.100.0/24 queue=ethernet-default/ethernet-default max-limit=500K/1M

Traffic flows over ether1, but this in no way limits the bandwidth to anything like those values. If I use 10K/10K instead and then download a file in Firefox, I see the transfer rate start at 12KB/s (kilobytes per second) and creep steadily up to around 100KB/s by the time the whole 50MB file has been downloaded.

That's in stark contrast to the 1 or 2 megabytes per second I get without the queue, so *something* is happening, it just doesn't seem very predictable.

Ideas would be very welcome...

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)        work +61 2 64957435
http://www.nullarbor.com.au               mobile +61 428 957160

GPG fingerprint: 8454 EE43 6215 B6DD 1B4D 9D8D 984D 7BA1 7378 A38D
Old fingerprint: 58F8 09D4 97E4 D74A 0940 44BC 8D6D C28C 3BC9 B0CB
Do you have fastpath switched on at all (or more correctly, did you switch fastpath off now that it is the default for new configs)?

As per [0] "Allowing fast path on eoip, gre, ipip interfaces have side effect of bypassing firewall, connection tracking, simple queues"

[0] https://wiki.mikrotik.com/wiki/Manual:Fast_Path

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Friday, 2 February 2018 11:21 PM
To: MikroTik Public <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] queue noob
On Fri, 2018-02-02 at 21:16 +0000, Thomas Jackson wrote:
Do you have fastpath switched on at all (or more correctly, did you switch fastpath off now that it is the default for new configs)?
As per [0] "Allowing fast path on eoip, gre, ipip interfaces have side effect of bypassing firewall, connection tracking, simple queues"
Thanks for the suggestion. I think I have - "use_ip_firewall" is turned on in the bridge:

    /interface bridge settings use-ip-firewall=yes

That should disable fastpath...?

As noted, the queue definitely has an effect. It's just that except for being able to tell that it is slowing stuff down, it seems impossible to accurately limit the bandwidth. If I set it to 10K/10K, for example, I can feel the lag just in the CLI, and a file transfer across the link is much, much slower than normal - but much, much faster than 10 kilobits per second.

I may need a more accurate tool than Firefox's download meter. It shows a final average download speed over 50GB of 100 or more kiloBYTES per second which is way lower than the normal 1.2 megaBYTES I get for the same file on the same link without the queue (the Internet connection is ADSL). But 100 kilobytes per second is WAY higher than the 10 kilobits or less that I was expecting with the queue in place. I don't think it's THAT broken...

One crazy theory I had was that the 10K is packets, not bits. There is some discussion of packets vs bits in the doco, but the queue doco all says that those numbers are bits per second, unless I'm misreading it. It would be good if there were some way to specify bits.

Regards, K.
Hi Karl!

If the interface is configured as a bridge port, then define the bridge as the interface for queue not the physical port.

Cheers! Mike.
On Sat, 2018-02-03 at 13:43 +1100, Mike Everest wrote:
if the interface is configured as a bridge port, then define the bridge as the interface for queue not the physical port.
Thanks - but still no go.

The bridge has three interfaces in it - ether2, wlan1, wlan2. ether3 and ether4 are slaved to ether2. ether5 has been split off as a management port, nothing on it for these tests. The network on the bridge (actually on ether2) is 192.168.100.0/24.

The bridge settings are:

    use-ip-firewall: yes
    use-ip-firewall-for-vlan: no
    use-ip-firewall-for-pppoe: no
    allow-fast-path: yes
    bridge-fast-path-active: no
    bridge-fast-path-packets: 0
    bridge-fast-path-bytes: 0
    bridge-fast-forward-packets: 0
    bridge-fast-forward-bytes: 0

My queue looks like this (formatting edits only):

    Flags: X - disabled, I - invalid, D - dynamic
     0 name="test" target=bridge parent=none packet-marks=""
       priority=8/8 queue=default-small/default-small
       limit-at=0/0 max-limit=10k/10k burst-limit=0/0
       burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1

With target=ether1, nothing moves.

With target=bridge, the queue has no effect at all.

With target=192.168.100.0/24, the queue seems to slow down interactive access to the router dramatically (leading to unfounded optimism), but a file transfer in Firefox scoots up to 100 kiloBYTES per second average over a 50 megabyte download. The thing is, without the queue the transfer happens at 1.2 megabytes per second, so clearly the queue is doing something! Just not remotely like what I am expecting.

In desperation I set max-limit to 1000/1000 and things almost stopped :-) Interaction with the router CLI involved multi-minute delays. The browser was rendered unusable, so could not see whether the download was any slower.

What am I missing? This seems like a totally simple thing to want, it must be a common requirement, how come it is so danged hard to achieve? "That link there - allow no more than X bps inbound and Y bps outbound".

Regards, K.
On Fri, 2018-02-02 at 23:21 +1100, Karl Auer wrote:
I bought an HAP ac lite, intending to use it as a throttle between a bunch of evil leeching wifi users and a client's tender defenseless Internet router. Turns out none of the interfaces on the HAP ac line support the set bandwidth command :-( [...] So I have turned to queues. I cannot figure them out.
HUGE thanks to Michael Junek, who helped me debug this over a dozen email exchanges, provided me with complete examples and patient explanations, and spotted my mistake as soon as I sent him a full config.

Thanks too to Thomas Jackson who actually identified the cause of the issue sight-unseen 24 hours ago - fasttrack.

For reasons that now seem ridiculous I thought that enabling use-ip-firewall for the bridge would turn off fasttrack. Not so! Which meant that this default firewall rule was interfering with my queues:

    add action=fasttrack-connection \
        chain=forward comment="defconf: fasttrack" \
        connection-state=established,related

After Michael spotted it I disabled that rule, and queues are now working as expected.

Regards, K.
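An added example, not part of the original thread or of Karl's configuration: a Python check over RouterOS "/export" text that flags simple queues coexisting with an enabled fasttrack-connection filter rule, the condition identified in the message above. The export text, the queue name and the function names are constructed for illustration.

```python
import shlex

# Constructed sample of RouterOS "/export" output (not the thread's router).
SAMPLE_EXPORT = r'''
/queue simple
add name=test target=192.168.100.0/24 max-limit=500k/1M
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=fasttrack-connection \
    chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
'''

def parse_export(text):
    """Yield (section, params) for each 'add' line, joining backslash continuations."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # rule continues on the next line
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line.startswith("/"):         # menu path such as "/queue simple"
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])   # keeps comment="a b" as one token
            yield section, dict(t.split("=", 1) for t in tokens if "=" in t)

def fasttrack_queue_conflicts(text):
    """Return (fasttrack rule comments, queue names) if both are enabled, else ([], [])."""
    fasttrack, queues = [], []
    for section, p in parse_export(text):
        if p.get("disabled") == "yes":   # disabled entries do not take effect
            continue
        if section == "/ip firewall filter" and p.get("action") == "fasttrack-connection":
            fasttrack.append(p.get("comment", "(no comment)"))
        elif section == "/queue simple":
            queues.append(p.get("name", p.get("target", "?")))
    return (fasttrack, queues) if fasttrack and queues else ([], [])

if __name__ == "__main__":
    rules, queues = fasttrack_queue_conflicts(SAMPLE_EXPORT)
    for q in queues:
        print(f"queue {q!r}: fasttracked connections skip it, rule(s): {rules}")
```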
On Sun, 2018-02-04 at 10:42 +1100, Karl Auer wrote:
On Fri, 2018-02-02 at 23:21 +1100, Karl Auer wrote:
I bought an HAP ac lite, intending to use it as a throttle between a bunch of evil leeching wifi users and a client's tender defenseless Internet router. Turns out none of the interfaces on the HAP ac lite support the set bandwidth command :-(
The ever-patient people at Duxtel sent me this information about setting bandwidth:

"TX limit is supported on all Atheros switch-chip ports. RX limit is supported only on AR8327/QCA8337 switch-chip ports.

If you look at the second table on the link below you will be able to see what Routerboards host these chips and what interfaces they apply to:

https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features"

And the hAPs use a chipset that doesn't support RX limit.

Regards, K.
participants (3)
- Karl Auer
- Mike Everest
- Thomas Jackson