
MikroTik QoS: prioritization by traffic type and bandwidth sharing





Good day. Today's topic is a sore one: how to share an Internet channel sensibly, so that all of your users are as happy as possible.





To begin with, by tradition, like every other expert I will first send you off to read the manuals... Why? Simply so that you have at least a rough mental picture of how the bandwidth-sharing process works. As practice shows, acting without understanding the underlying principles produces only a heap of questions, lost time, and an angry accountant or director who, through your fault, could not open a page with tanned blondes this morning :)

So, manuals:



A wonderful article by Alexander Kuzmitsky: Sharing the Internet, or QoS on MikroTik

Read it ten times, until you fully understand it; if you still don't understand, read it again...



Two articles from Sergey Lagovsky:

MikroTik - QoS / Bandwidth Control / Simple Limit

MikroTik - QoS / Bandwidth Control / Individual rules

Very useful for consolidating the basic skills...



A good, though incomplete, presentation from Megis, and its translation by white_crow, to whom many thanks...

QoS_Megis.pdf

QoS_Megis_(Russian_translate_by_white_crow_rev.2).pdf



This presentation contains an error; more about it in the next document.



The Russian version of the MikroTik wiki

http://wiki.mikrotik.com/wiki/Tutorials: Queue_ (Queue)

Don't foam at the mouth insisting you already know it all; take a closer look, especially at the comments, and you will discover something new, in particular where SRC-NAT comes into play and why it makes the outgoing speed get cut incorrectly.



Well? Have you read them? Already have a bunch of questions?

After digging around the Internet, it turned out that MikroTik administrators share a number of similar problems and questions about QoS in general, and about prioritizing and shaping traffic, which are basically the same thing. As a rule, though, what you find are either unfinished articles or forum threads abandoned at the most interesting point.

The main goals, problems and questions raised in them are as follows:







And these are just the main questions ...



After reading and reflecting a bit, I concluded that it would be very hard to come up with something universal, easily scalable and genuinely convenient for the administrator. After a couple of days an implementation plan came to mind, and a week later everything was ready...



In general, the tasks were set as follows:



Task 1.




Separate traffic by priority.

Rummaging around the Internet, I came across warnings that P2P is hard to tag, Skype too, and that prioritizing by traffic type on MikroTik is generally not a good idea.



On top of that we were discouraged by the golden words that we cannot control incoming traffic from the Internet, since it has ALREADY ARRIVED on our inbound interface. These words do come with a caveat: yes, we cannot control what has already arrived on the interface, but we can delay that traffic. The client's acknowledgements then go out late, and TCP's flow and congestion control make the server back off, so it sends packets a little more slowly. This only works for senders that back off, i.e. TCP; a UDP sender keeps pushing at its own rate regardless of what the shaper delays or drops.



So, the question is closed: there will be separation of traffic by priority!



A weighed decision was made: "If low-priority traffic can't be tagged, we'll mark all traffic as low-priority and then pull the higher-priority traffic out of that heap."



To separate the traffic, four groups (traffic classes) were chosen:



CLASS-A

CLASS-B

CLASS-C

CLASS-D



CLASS-A has the highest priority and is served first.

CLASS-D has the lowest priority and is served only when the higher classes leave the channel idle.



Task 2.


Dividing the total flow into user groups with different priorities.

Here, in principle, no questions arose. It was decided to make five user groups with different priorities. The queue priorities were distributed so that they overlap, so that the high-class traffic of a lower group can compete with the middle- or low-class traffic of a higher group.

As a result, five groups:



GROUP-A

GROUP-B

GROUP-C

GROUP-D

GROUP-E



GROUP-A has the highest priority; clients of this group share the queue equally among themselves, according to the classes above.

GROUP-E has the lowest priority; clients of this group share the queue equally among themselves, according to the classes above. If the higher-priority groups fully occupy the whole limit, this group can only get its high-class traffic through, and by probability theory and Murphy's law it will not be able to transmit anything at all until the channel frees up. So for all groups you should set the limit-at parameter, which gives some guarantee that people will at least have ICQ working.



As a result we get a tree; names on the left, priorities on the right:



GROUP-A

CLASS-A 1

CLASS-B 2

CLASS-C 3

CLASS-D 4

GROUP-B

CLASS-A 2

CLASS-B 3

CLASS-C 4

CLASS-D 5

GROUP-C

CLASS-A 3

CLASS-B 4

CLASS-C 5

CLASS-D 6

GROUP-D

CLASS-A 4

CLASS-B 5

CLASS-C 6

CLASS-D 7

GROUP-E

CLASS-A 5

CLASS-B 6

CLASS-C 7

CLASS-D 8



Where priorities intersect, classes from different groups that both have traffic share the bandwidth available to them. Keep in mind that in RouterOS a smaller priority number means a higher priority (1 is the highest, 8 the lowest), and that priority only governs how a parent's spare bandwidth is handed out above each queue's limit-at; with limit-at=0 everywhere, as in the tree built below, priority alone decides.

For example, GROUP-A CLASS-C (priority 3) tries to hog the whole channel.



Only the following classes will still be able to transmit packets:

GROUP-A CLASS-A 1

GROUP-A CLASS-B 2

GROUP-B CLASS-A 2

GROUP-B CLASS-B 3

GROUP-C CLASS-A 3

Classes with the same priority share the bandwidth equally among themselves; classes with a higher priority take bandwidth away from classes with a lower one.
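The priority matrix above is regular enough to generate, and generating it is also the easiest way to check the contention claim. The following Python script is an added example, not part of the original post: it computes the overlapping priorities, lists which leaves outrank or share with a given leaf when it saturates the channel, and emits the 20 mark-packet rules per direction plus the queue-tree entries with the post's naming (CLASS-<class><group>-<dir>, GROUP-<group>-<dir>). The parameter order inside each emitted line differs from a RouterOS export, which is harmless for /import; the assumption that priority alone decides holds only because every limit-at in the post's tree is 0.

```python
GROUPS = ["A", "B", "C", "D", "E"]   # user groups, highest priority first
CLASSES = ["A", "B", "C", "D"]       # traffic classes, highest priority first


def priority(group: str, cls: str) -> int:
    """HTB priority of the GROUP-x / CLASS-y leaf.

    RouterOS priorities run from 1 (highest) to 8 (lowest). Shifting each
    group's four classes by one step gives the overlapping matrix from the
    post: GROUP-A/CLASS-A is 1, GROUP-E/CLASS-D is 8.
    """
    return GROUPS.index(group) + CLASSES.index(cls) + 1


def leaves() -> list:
    """All 20 (group, class, priority) leaves, group-major like the post's tree."""
    return [(g, c, priority(g, c)) for g in GROUPS for c in CLASSES]


def contenders(group: str, cls: str) -> tuple:
    """Who still gets bandwidth when GROUP-x/CLASS-y tries to hog the channel.

    Leaves with a strictly higher priority (smaller number) take bandwidth
    away from it; leaves with the same priority share equally with it;
    everything else waits. Assumes limit-at=0 on every leaf (as in the post),
    so priority alone decides how the parent's bandwidth is handed out.
    """
    p = priority(group, cls)
    outranking = [(g, c, q) for g, c, q in leaves() if q < p]
    sharing = [(g, c, q) for g, c, q in leaves() if q == p and (g, c) != (group, cls)]
    return outranking, sharing


def mark_packet_rules(direction: str) -> list:
    """The 20 /ip firewall mangle mark-packet rules for one direction.

    DL marks in chain=forward by the client's destination address (and only
    when the Internet-side source is not in ShaperExclude); UP marks in
    chain=prerouting by the client's source address.
    """
    rules = []
    for g, c, _ in leaves():
        mark = f"CLASS-{c}-GROUP-{g}-{direction}"
        if direction == "DL":
            where = f"chain=forward dst-address-list=GROUP-{g} src-address-list=!ShaperExclude"
        else:
            where = f"chain=prerouting src-address-list=GROUP-{g} dst-address-list=!ShaperExclude"
        rules.append(f"add action=mark-packet {where} connection-mark=CLASS-{c} "
                     f"new-packet-mark={mark} passthrough=yes comment={mark}")
    return rules


def queue_tree_rules(direction: str, parent: str) -> list:
    """/queue tree entries: one group queue per group, four class leaves under it.

    `parent` is the top-level queue (the post hangs UPLOAD under global-total
    and DOWNLOAD under global-out). Leaves use the per-group PCQ type of the
    same name, as the post does.
    """
    rules = []
    for g in GROUPS:
        rules.append(f"add name=GROUP-{g}-{direction} parent={parent} "
                     f"priority=8 limit-at=0 max-limit=0")
        for c in CLASSES:
            rules.append(
                f"add name=CLASS-{c}{g}-{direction} parent=GROUP-{g}-{direction} "
                f"packet-mark=CLASS-{c}-GROUP-{g}-{direction} priority={priority(g, c)} "
                f"queue=GROUP-{g}-{direction} limit-at=0 max-limit=0")
    return rules


if __name__ == "__main__":
    out, share = contenders("A", "C")
    print("outranks GROUP-A/CLASS-C:", out)
    print("shares with it:", share)
    print("/ip firewall mangle")
    print("\n".join(mark_packet_rules("UP")))
    print("/queue tree")
    print("\n".join(queue_tree_rules("DL", "DOWNLOAD")))
```

Running it reproduces the list above: three leaves outrank GROUP-A/CLASS-C and two (GROUP-B/CLASS-B and GROUP-C/CLASS-A) share with it at priority 3. Changing the class shift or adding a group is a one-line edit, which is the point of generating the 40 mark rules and 50 tree entries instead of typing them.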



Task 3.


Prioritize access to particular resources.

After marking the traffic by type, I added rules that give priority to particular resources, divided into three classes:

CLASS-A-SITES

CLASS-B-SITES

CLASS-C-SITES

By adding addresses to /ip firewall address-list under the corresponding names, we can steer traffic to and from them into the class we need.



Task 4.


Speed up the first flows of a connection.

This trick has a double benefit. After the marking by traffic type and by resource, it was decided to add three rules:



All connections that have transferred no more than 5 kilobytes are placed in CLASS-A.

All connections between 5 and 50 kilobytes are moved to CLASS-B.

All connections between 50 and 100 kilobytes are moved to CLASS-C.

Past 100 kilobytes the size rules no longer re-mark a connection, so it keeps whatever class its protocol rule gave it or, as a rule, falls back to CLASS-D. These rules never demote CLASS-A traffic: its block comes last, and it has top priority anyway. The counter is the per-connection byte count kept by connection tracking, and the three rules match TCP only.



All this works as a kind of burst for short connections: fast page loads, snappy remote sessions, IM messages flying through, and so on.

The other side of the coin: every connection gets this burst, P2P included, and so does anything that deliberately keeps its connections short.
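Why the blocks are ordered CLASS-D, CLASS-C, CLASS-B, CLASS-A and why the size rules behave as a burst both follow from one RouterOS fact: with passthrough=yes no rule ends the walk, so the last matching mark-connection rule is the one that sticks. The Python model below is an added example, not from the post, that walks a handful of the post's rules in their original order (only a few protocol rules are included; the three connection-bytes rules are exactly the ones from this task) and reports the mark a connection ends up with at a given byte count. The byte counter is assumed to be whatever connection tracking reports for the connection; the Conn class and its field names are this example's own.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    proto: str       # "tcp", "udp" or "icmp"
    dst_port: int    # 0 for icmp
    conn_bytes: int  # byte counter connection tracking keeps for this connection


# (match function, new-connection-mark), in the order the post lists its
# mark-connection rules. Everything is first dumped into CLASS-D, then each
# higher class "pulls out" what it recognises.
RULES = [
    (lambda c: True,                                          "CLASS-D"),  # ALLTRAFFIC
    (lambda c: c.proto == "tcp" and c.dst_port == 25,         "CLASS-C"),  # SMTP
    (lambda c: c.proto == "tcp" and c.dst_port == 443,        "CLASS-C"),  # HTTPS
    (lambda c: c.proto == "tcp" and c.conn_bytes <= 100_000,  "CLASS-C"),  # 100Kb Connections
    (lambda c: c.proto == "tcp" and c.dst_port == 5190,       "CLASS-B"),  # ICQ
    (lambda c: c.proto == "tcp" and c.conn_bytes <= 50_000,   "CLASS-B"),  # 50Kb Connections
    (lambda c: c.proto in ("tcp", "udp") and c.dst_port == 53, "CLASS-A"), # DNS
    (lambda c: c.proto == "icmp",                             "CLASS-A"),  # PING
    (lambda c: c.proto == "tcp" and c.conn_bytes <= 5_000,    "CLASS-A"),  # 5Kb Connections
]


def connection_mark(conn: Conn) -> str:
    """Walk the rules the way the forward chain does for every packet.

    passthrough=yes on every rule means the walk never stops early, so the
    last rule that matches wins. Ordering the blocks D, C, B, A therefore
    yields the highest class that matches the connection.
    """
    mark = "unmarked"
    for matches, new_mark in RULES:
        if matches(conn):
            mark = new_mark
    return mark


def class_over_lifetime(proto: str, dst_port: int, checkpoints) -> list:
    """Mark after successive byte counts: this is the per-connection 'burst'."""
    return [(b, connection_mark(Conn(proto, dst_port, b))) for b in checkpoints]


if __name__ == "__main__":
    # An unknown TCP port (constructed P2P-like traffic) decays A -> B -> C -> D.
    print(class_over_lifetime("tcp", 6881, [1_000, 30_000, 80_000, 150_000]))
    # SMTP is promoted to CLASS-B while small, then settles back to its own class.
    print(class_over_lifetime("tcp", 25, [20_000, 200_000]))
```

Two things the walk makes visible: a DNS or ICMP connection stays in CLASS-A no matter how many bytes it moves, because its rule sits after all size rules, and UDP connections never get the burst at all, since the three size rules carry protocol=tcp.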



Task 5.


Exclude the provider's regional resources from the shaper.

To solve this, the rules that mark flows into classes were given !ShaperExclude in their Src. Address List and Dst. Address List fields; every address and range that appears in this list is skipped by the shaper rules, so the regional resources are no longer speed-limited.



Task 6.


Leave the administrator the ability to manage PCQ profiles for each group separately.

To solve this, ten profiles were created: five for download and five for upload, two per group.



Task 7.


Glue all this together under the following conditions:

The rules in /ip firewall mangle must not stop chain traversal, i.e. passthrough=yes must be set on every rule.

SRC-NAT is enabled on the MikroTik, which greatly narrows the room for creativity.



We have defined the tasks, now it is up to the implementation and the result.



Implementation: taking the conditions and tasks into account, we will use PCQ queues and mark packets in the forward and prerouting chains.



So, an excerpt from the documentation. The order in which a packet passes the QoS-relevant stages of RouterOS:



1. mangle chain prerouting

2. HTB global-in

3. mangle chain forward

4. mangle chain postrouting

5. HTB global-out

6. HTB out-interface



Which gives the following combinations of where to mark and where to queue:



a) mark at #1 and queue at #2, combined with marking at #3 and queueing at #5

b) mark at #1 and queue at #2, combined with marking at #3 and queueing at #6

c) mark at #1 and queue at #2, combined with marking at #4 and queueing at #5

d) mark at #1 and queue at #2, combined with marking at #4 and queueing at #6





So, for those who were not too lazy and re-read the manuals I mentioned at the very beginning: the Megis presentation shows that prioritization by type should sit within PREROUTING → GLOBAL-IN, and speed cutting within FORWARD → HTB out-interface.



First and foremost, it makes no sense to prioritize first and then cut the user's speed in a separate stage, because such prioritization only matters when the whole Internet channel is full. If a user saturates his own limit, the later per-user cut knows nothing about classes, and the prioritization does him little good.



The second, very important note.

The FORWARD → HTB out-interface scheme will not work for the outgoing channel, because the HTB on the interface sits after SRC-NAT; the same applies to FORWARD → GLOBAL-OUT. PCQ queues that classify by source address cannot work there, since by then every packet carries the router's public address and they all land in one subflow. If you don't believe it, set up a couple of rules and experiment.



The third important note.

With SRC-NAT enabled, incoming traffic cannot be caught in the PREROUTING → GLOBAL-IN stage, or rather it can, but only with a lot of contortions, and it works poorly: in mangle prerouting a reply packet still has the router's public address as its destination, so you cannot yet tell which client it belongs to.



And finally, a big brick into the garden of those who shout that using global-in, global-out or global-total as a parent is wrong and outright heresy. Dear friends, imagine for a second that a brick lands in your garden with the uplink from your SECOND provider tied to it. Get the idea? How much can a router spend on duplicating every rule per interface? And what if there are not two uplinks but five?



Enough criticism ...



So, since it turns out that we cannot mark first and cut later, we will mark and cut at the same time.

Since the shaper in the forward chain does not work for outgoing traffic, we will handle upload in the PREROUTING → GLOBAL-TOTAL stage.

Since in the prerouting chain we cannot yet tell which private address a packet is destined for (the reply has not been un-NATed at that point), we will mark downloads in the FORWARD → GLOBAL-OUT stage.



As Gagarin said: “Let's go!”




First, let's add a few L7 patterns to detect the traffic type. Keep in mind that the layer7 matcher is case-insensitive, inspects only the first 10 packets or 2 KB of each connection, and costs CPU for every new connection; loose patterns such as gif and png fire on any stream that happens to contain those three letters, so treat them as hints rather than identification:




/ip firewall layer7-protocol

add name=Skype regexp="^..\\x02............."

add name=radmin regexp="^\\x01\\x01(\\x08\\x08|\\x1b\\x1b)\$"

add name=rdp regexp="rdp\r\nrdpdr.*cliprdr.*rdpsnd"

add name=http regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9]|post [\\x09-\\x0d -~]* http/[01]\\.[019]"

add name=Jabber regexp="<stream:stream[\\x09-\\x0d ][ -~]*[\\x09-\\x0d ]xmlns=['\"]jabber"

add name=GIF_FILE regexp=gif

add name=PNG_FILE regexp=png
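Before trusting these patterns with queue placement it is worth seeing what they actually fire on. The script below is an added example, not part of the post: it runs the same seven regexes in Python against a few constructed payloads (not real captures) to show how loose some of them are. It approximates the RouterOS matcher as a case-insensitive search over the first 2 KB of a connection's data with '.' matching any byte; it does not model which class wins when several patterns fire, since that is decided by the mangle rule order, not by the matcher.

```python
import re

# The post's /ip firewall layer7-protocol patterns, as Python byte regexes.
L7_PATTERNS = {
    "Skype":    rb"^..\x02.............",
    "radmin":   rb"^\x01\x01(\x08\x08|\x1b\x1b)$",
    "rdp":      rb"rdp\r\nrdpdr.*cliprdr.*rdpsnd",
    "http":     rb"http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]",
    "Jabber":   rb"<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['\"]jabber",
    "GIF_FILE": rb"gif",
    "PNG_FILE": rb"png",
}
WINDOW = 2048  # the matcher only sees the first 10 packets or 2 KB of a connection


def l7_matches(stream: bytes) -> set:
    """Names of the patterns that fire on the start of a connection's payload.

    Approximation of the RouterOS layer7 matcher: case-insensitive search over
    the first 2 KB, '.' allowed to match any byte.
    """
    data = stream[:WINDOW]
    return {name for name, pat in L7_PATTERNS.items()
            if re.search(pat, data, re.IGNORECASE | re.DOTALL)}


# Constructed sample payloads (not captured traffic).
HTTP_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a..."
BT_HANDSHAKE = (b"\x13BitTorrent protocol" + bytes(8)   # protocol string + reserved bits
                + b"\xaa" * 20                          # info hash (made up)
                + b"-gif-client-peer-id")               # peer id chosen to contain "gif"
BINARY_WITH_02 = b"\x7f\x01\x02" + bytes(13)           # any 16 bytes whose 3rd byte is 0x02


if __name__ == "__main__":
    for label, payload in [("HTTP reply", HTTP_REPLY),
                           ("BitTorrent handshake", BT_HANDSHAKE),
                           ("arbitrary binary", BINARY_WITH_02)]:
        print(f"{label:22s} -> {sorted(l7_matches(payload))}")
```

The HTTP reply triggers both http and GIF_FILE (harmless, both map to CLASS-C), but a P2P handshake whose peer id merely contains "gif" also lands in GIF_FILE, and any binary stream with 0x02 as its third byte counts as Skype. Anything a client can put into its own first bytes can therefore pick its class, which is why the post's design still relies on the per-group PCQ fairness underneath the classes rather than on the L7 labels alone.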





Mark all traffic as CLASS-D. The disabled accept rules at the start and end of each block are purely visual separators in the rule list.


/ip firewall mangle

add action=accept chain=forward comment=CLASS-D disabled=yes

add action=mark-connection chain=forward comment=ALLTRAFFIC disabled=no new-connection-mark=CLASS-D passthrough=yes

add action=mark-packet chain=forward comment=CLASS-D-GROUP-E-DL connection-mark=CLASS-D disabled=no dst-address-list=GROUP-E new-packet-mark=CLASS-D-GROUP-E-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-D-DL connection-mark=CLASS-D disabled=no dst-address-list=GROUP-D new-packet-mark=CLASS-D-GROUP-D-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-C-DL connection-mark=CLASS-D disabled=no dst-address-list=GROUP-C new-packet-mark=CLASS-D-GROUP-C-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-B-DL connection-mark=CLASS-D disabled=no dst-address-list=GROUP-B new-packet-mark=CLASS-D-GROUP-B-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-A-DL connection-mark=CLASS-D disabled=no dst-address-list=GROUP-A new-packet-mark=CLASS-D-GROUP-A-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-E-UP connection-mark=CLASS-D disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-E-UP passthrough=yes src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-D-UP connection-mark=CLASS-D disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-D-UP passthrough=yes src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-C-UP connection-mark=CLASS-D disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-C-UP passthrough=yes src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-B-UP connection-mark=CLASS-D disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-B-UP passthrough=yes src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-A-UP connection-mark=CLASS-D disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-A-UP passthrough=yes src-address-list=GROUP-A

add action=accept chain=forward comment=CLASS-D disabled=yes





Re-mark the higher class, CLASS-C:


add action=accept chain=forward comment=CLASS-C disabled=yes

add action=mark-connection chain=forward comment=Proxy disabled=no dst-port=3128 new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=HTTP disabled=no layer7-protocol=http new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=HTTPS disabled=no dst-port=443 new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=FTP disabled=no dst-port=20,21 new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=SFTP disabled=no dst-port=22 new-connection-mark=CLASS-C packet-size=1400-1500 passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=SMTP disabled=no dst-port=25 new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=SMTPS disabled=no dst-port=465 new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=Imap disabled=no dst-port=143 new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=POP3 disabled=no dst-port=110 new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=POP3S disabled=no dst-port=995 new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=IMAPS disabled=no dst-port=993 new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=GIF_FILE disabled=no layer7-protocol=GIF_FILE new-connection-mark=CLASS-C passthrough=yes

add action=mark-connection chain=forward comment=PNG_FILE disabled=no layer7-protocol=PNG_FILE new-connection-mark=CLASS-C passthrough=yes

add action=mark-connection chain=forward comment=CLASS-C-SITES disabled=no new-connection-mark=CLASS-C passthrough=yes src-address-list=CLASS-C-SITES

add action=mark-connection chain=forward comment=CLASS-C-SITES disabled=no dst-address-list=CLASS-C-SITES new-connection-mark=CLASS-C passthrough=yes

add action=mark-connection chain=forward comment="100Kb Connections" connection-bytes=0-100000 disabled=no new-connection-mark=CLASS-C passthrough=yes protocol=tcp

add action=mark-packet chain=forward comment=CLASS-C-GROUP-E-DL connection-mark=CLASS-C disabled=no dst-address-list=GROUP-E new-packet-mark=CLASS-C-GROUP-E-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-D-DL connection-mark=CLASS-C disabled=no dst-address-list=GROUP-D new-packet-mark=CLASS-C-GROUP-D-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-C-DL connection-mark=CLASS-C disabled=no dst-address-list=GROUP-C new-packet-mark=CLASS-C-GROUP-C-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-B-DL connection-mark=CLASS-C disabled=no dst-address-list=GROUP-B new-packet-mark=CLASS-C-GROUP-B-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-A-DL connection-mark=CLASS-C disabled=no dst-address-list=GROUP-A new-packet-mark=CLASS-C-GROUP-A-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-E-UP connection-mark=CLASS-C disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-E-UP passthrough=yes src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-D-UP connection-mark=CLASS-C disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-D-UP passthrough=yes src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-C-UP connection-mark=CLASS-C disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-C-UP passthrough=yes src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-B-UP connection-mark=CLASS-C disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-B-UP passthrough=yes src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-A-UP connection-mark=CLASS-C disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-A-UP passthrough=yes src-address-list=GROUP-A

add action=accept chain=forward comment=CLASS-C disabled=yes





Re-mark the higher class, CLASS-B. Note the port-22 split between this block and the previous one: packets up to 1400 bytes put the connection into CLASS-B as interactive SSH, larger ones into CLASS-C as SFTP. Since mark-connection is re-evaluated on every packet, a session's class follows the size of its most recent packet.


add action=accept chain=forward comment=CLASS-B disabled=yes

add action=mark-connection chain=forward comment=ICQ disabled=no dst-port=5190 new-connection-mark=CLASS-B passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment="Mail.ru Agent" disabled=no dst-port=2041,2042 new-connection-mark=CLASS-B passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=Jabber disabled=no layer7-protocol=Jabber new-connection-mark=CLASS-B passthrough=yes

add action=mark-connection chain=forward comment=IRC disabled=no dst-port=6667-6669 new-connection-mark=CLASS-B passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=SSH disabled=no dst-port=22 new-connection-mark=CLASS-B packet-size=0-1400 passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=TELNET disabled=no dst-port=23 new-connection-mark=CLASS-B passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=SNMP disabled=no dst-port=161-162 new-connection-mark=CLASS-B passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=PPTP disabled=no dst-port=1723 new-connection-mark=CLASS-B passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=L2TP disabled=no dst-port=1701 new-connection-mark=CLASS-B passthrough=yes protocol=udp

add action=mark-connection chain=forward comment=GRE disabled=no new-connection-mark=CLASS-B passthrough=yes protocol=gre

add action=mark-connection chain=forward comment=Skype disabled=no layer7-protocol=Skype new-connection-mark=CLASS-B passthrough=yes

add action=mark-connection chain=forward comment=CLASS-B-SITES disabled=no new-connection-mark=CLASS-B passthrough=yes src-address-list=CLASS-B-SITES

add action=mark-connection chain=forward comment=CLASS-B-SITES disabled=no dst-address-list=CLASS-B-SITES new-connection-mark=CLASS-B passthrough=yes

add action=mark-connection chain=forward comment="50Kb Connections" connection-bytes=0-50000 disabled=no new-connection-mark=CLASS-B passthrough=yes protocol=tcp

add action=mark-packet chain=forward comment=CLASS-B-GROUP-E-DL connection-mark=CLASS-B disabled=no dst-address-list=GROUP-E new-packet-mark=CLASS-B-GROUP-E-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-D-DL connection-mark=CLASS-B disabled=no dst-address-list=GROUP-D new-packet-mark=CLASS-B-GROUP-D-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-C-DL connection-mark=CLASS-B disabled=no dst-address-list=GROUP-C new-packet-mark=CLASS-B-GROUP-C-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-B-DL connection-mark=CLASS-B disabled=no dst-address-list=GROUP-B new-packet-mark=CLASS-B-GROUP-B-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-A-DL connection-mark=CLASS-B disabled=no dst-address-list=GROUP-A new-packet-mark=CLASS-B-GROUP-A-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-E-UP connection-mark=CLASS-B disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-E-UP passthrough=yes src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-D-UP connection-mark=CLASS-B disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-D-UP passthrough=yes src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-C-UP connection-mark=CLASS-B disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-C-UP passthrough=yes src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-B-UP connection-mark=CLASS-B disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-B-UP passthrough=yes src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-A-UP connection-mark=CLASS-B disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-A-UP passthrough=yes src-address-list=GROUP-A

add action=accept chain=forward comment=CLASS-B disabled=yes





Re-mark the highest class, CLASS-A. Everything here, ICMP included, gets the best queue for every client; a client flooding pings therefore sits at top priority, so decide for yourself whether PING really belongs in this class on your network.


add action=accept chain=forward comment=CLASS-A disabled=yes

add action=mark-connection chain=forward comment=DNS disabled=no dst-port=53 new-connection-mark=CLASS-A passthrough=yes protocol=tcp src-port=53

add action=mark-connection chain=forward comment=DNS disabled=no dst-port=53 new-connection-mark=CLASS-A passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=DNS disabled=no dst-port=53 new-connection-mark=CLASS-A passthrough=yes protocol=udp

add action=mark-connection chain=forward comment=NNTP disabled=no dst-port=119 new-connection-mark=CLASS-A passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=Winbox disabled=no dst-port=8291 new-connection-mark=CLASS-A passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=ntp disabled=no dst-port=123 new-connection-mark=CLASS-A passthrough=yes protocol=udp

add action=mark-connection chain=forward comment=VNC disabled=no dst-port=5900-5901 new-connection-mark=CLASS-A passthrough=yes protocol=tcp

add action=mark-connection chain=forward comment=Radmin disabled=no layer7-protocol=radmin new-connection-mark=CLASS-A passthrough=yes

add action=mark-connection chain=forward comment=RDP disabled=no layer7-protocol=rdp new-connection-mark=CLASS-A passthrough=yes

add action=mark-connection chain=forward comment=PING disabled=no new-connection-mark=CLASS-A passthrough=yes protocol=icmp

add action=mark-connection chain=forward comment=CLASS-A-SITES disabled=no new-connection-mark=CLASS-A passthrough=yes src-address-list=CLASS-A-SITES

add action=mark-connection chain=forward comment=CLASS-A-SITES disabled=no dst-address-list=CLASS-A-SITES new-connection-mark=CLASS-A passthrough=yes

add action=mark-connection chain=forward comment="5Kb Connections" connection-bytes=0-5000 disabled=no new-connection-mark=CLASS-A passthrough=yes protocol=tcp

add action=mark-packet chain=forward comment=CLASS-A-GROUP-E-DL connection-mark=CLASS-A disabled=no dst-address-list=GROUP-E new-packet-mark=CLASS-A-GROUP-E-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-D-DL connection-mark=CLASS-A disabled=no dst-address-list=GROUP-D new-packet-mark=CLASS-A-GROUP-D-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-C-DL connection-mark=CLASS-A disabled=no dst-address-list=GROUP-C new-packet-mark=CLASS-A-GROUP-C-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-B-DL connection-mark=CLASS-A disabled=no dst-address-list=GROUP-B new-packet-mark=CLASS-A-GROUP-B-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-A-DL connection-mark=CLASS-A disabled=no dst-address-list=GROUP-A new-packet-mark=CLASS-A-GROUP-A-DL passthrough=yes src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-E-UP connection-mark=CLASS-A disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-E-UP passthrough=yes src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-D-UP connection-mark=CLASS-A disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-D-UP passthrough=yes src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-C-UP connection-mark=CLASS-A disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-C-UP passthrough=yes src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-B-UP connection-mark=CLASS-A disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-B-UP passthrough=yes src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-A-UP connection-mark=CLASS-A disabled=no dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-A-UP passthrough=yes src-address-list=GROUP-A

add action=accept chain=forward comment=CLASS-A disabled=yes





Now it's probably worth filling in the address lists, if only with placeholders, for the sake of completeness. Clients go into GROUP-A to GROUP-E, prioritized resources into the CLASS-x-SITES lists (the 0.0.0.0 entries below only make the lists exist), and ShaperExclude holds everything that must never be shaped; the example puts the private ranges there, and the provider's regional resources from Task 5 belong there too...


/ip firewall address-list

add address=192.168.0.1 disabled=no list=GROUP-A

add address=192.168.0.2 disabled=no list=GROUP-B

add address=192.168.0.4 disabled=no list=GROUP-D

add address=192.168.0.3 disabled=no list=GROUP-C

add address=192.168.0.5 disabled=no list=GROUP-E

add address=0.0.0.0 disabled=no list=CLASS-A-SITES

add address=0.0.0.0 disabled=no list=CLASS-B-SITES

add address=0.0.0.0 disabled=no list=CLASS-C-SITES

add address=192.168.0.0/16 disabled=no list=ShaperExclude

add address=10.0.0.0/8 disabled=no list=ShaperExclude





Now that we're done with the firewall, it's time for the queue types, and then to sweat over building the tree.



Create the queue types


/queue type

add kind=pcq name=GROUP-A-DL pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

add kind=pcq name=GROUP-B-DL pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

add kind=pcq name=GROUP-C-DL pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

add kind=pcq name=GROUP-D-DL pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

add kind=pcq name=GROUP-E-DL pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

add kind=pcq name=GROUP-A-UP pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=150 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

add kind=pcq name=GROUP-B-UP pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=150 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

add kind=pcq name=GROUP-C-UP pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=150 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

add kind=pcq name=GROUP-D-UP pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=150 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

add kind=pcq name=GROUP-E-UP pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=150 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000





Note that pcq-rate is left at 0, i.e. the per-subflow rate is not limited, since I leave that to your discretion; by default the maximum rate of one subflow is bounded only by the parent's max-limit, shared among the active subflows and classes.



Build the tree. The max-limit of 10M on DOWNLOAD and UPLOAD stands in for your real channel speed. Every limit-at below is 0; per Task 2 you should give at least the group queues a limit-at so that the lowest groups are guaranteed something. The parents global-out and global-total belong to RouterOS up to v5; in v6 the three global parents were merged into a single parent named global.


/queue tree

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10M name=DOWNLOAD parent=global-out priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10M name=UPLOAD parent=global-total priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GROUP-A-UP parent=UPLOAD priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-AA-UP packet-mark=CLASS-A-GROUP-A-UP parent=GROUP-A-UP priority=1 queue=GROUP-A-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-BA-UP packet-mark=CLASS-B-GROUP-A-UP parent=GROUP-A-UP priority=2 queue=GROUP-A-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-CA-UP packet-mark=CLASS-C-GROUP-A-UP parent=GROUP-A-UP priority=3 queue=GROUP-A-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-DA-UP packet-mark=CLASS-D-GROUP-A-UP parent=GROUP-A-UP priority=4 queue=GROUP-A-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GROUP-B-UP parent=UPLOAD priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-AB-UP packet-mark=CLASS-A-GROUP-B-UP parent=GROUP-B-UP priority=2 queue=GROUP-B-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-BB-UP packet-mark=CLASS-B-GROUP-B-UP parent=GROUP-B-UP priority=3 queue=GROUP-B-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-CB-UP packet-mark=CLASS-C-GROUP-B-UP parent=GROUP-B-UP priority=4 queue=GROUP-B-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-DB-UP packet-mark=CLASS-D-GROUP-B-UP parent=GROUP-B-UP priority=5 queue=GROUP-B-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GROUP-C-UP parent=UPLOAD priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-AC-UP packet-mark=CLASS-A-GROUP-C-UP parent=GROUP-C-UP priority=3 queue=GROUP-C-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-BC-UP packet-mark=CLASS-B-GROUP-C-UP parent=GROUP-C-UP priority=4 queue=GROUP-C-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-CC-UP packet-mark=CLASS-C-GROUP-C-UP parent=GROUP-C-UP priority=5 queue=GROUP-C-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-DC-UP packet-mark=CLASS-D-GROUP-C-UP parent=GROUP-C-UP priority=6 queue=GROUP-C-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GROUP-D-UP parent=UPLOAD priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-AD-UP packet-mark=CLASS-A-GROUP-D-UP parent=GROUP-D-UP priority=4 queue=GROUP-D-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-BD-UP packet-mark=CLASS-B-GROUP-D-UP parent=GROUP-D-UP priority=5 queue=GROUP-D-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-CD-UP packet-mark=CLASS-C-GROUP-D-UP parent=GROUP-D-UP priority=6 queue=GROUP-D-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-DD-UP packet-mark=CLASS-D-GROUP-D-UP parent=GROUP-D-UP priority=7 queue=GROUP-D-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GROUP-E-UP parent=UPLOAD priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-AE-UP packet-mark=CLASS-A-GROUP-E-UP parent=GROUP-E-UP priority=5 queue=GROUP-E-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-BE-UP packet-mark=CLASS-B-GROUP-E-UP parent=GROUP-E-UP priority=6 queue=GROUP-E-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-CE-UP packet-mark=CLASS-C-GROUP-E-UP parent=GROUP-E-UP priority=7 queue=GROUP-E-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-DE-UP packet-mark=CLASS-D-GROUP-E-UP parent=GROUP-E-UP priority=8 queue=GROUP-E-UP

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GROUP-A-DL parent=DOWNLOAD priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-AA-DL packet-mark=CLASS-A-GROUP-A-DL parent=GROUP-A-DL priority=1 queue=GROUP-A-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-BA-DL packet-mark=CLASS-B-GROUP-A-DL parent=GROUP-A-DL priority=2 queue=GROUP-A-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-CA-DL packet-mark=CLASS-C-GROUP-A-DL parent=GROUP-A-DL priority=3 queue=GROUP-A-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-DA-DL packet-mark=CLASS-D-GROUP-A-DL parent=GROUP-A-DL priority=4 queue=GROUP-A-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GROUP-B-DL parent=DOWNLOAD priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-AB-DL packet-mark=CLASS-A-GROUP-B-DL parent=GROUP-B-DL priority=2 queue=GROUP-B-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-BB-DL packet-mark=CLASS-B-GROUP-B-DL parent=GROUP-B-DL priority=3 queue=GROUP-B-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-CB-DL packet-mark=CLASS-C-GROUP-B-DL parent=GROUP-B-DL priority=4 queue=GROUP-B-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-DB-DL packet-mark=CLASS-D-GROUP-B-DL parent=GROUP-B-DL priority=5 queue=GROUP-B-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GROUP-C-DL parent=DOWNLOAD priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-AC-DL packet-mark=CLASS-A-GROUP-C-DL parent=GROUP-C-DL priority=3 queue=GROUP-C-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-BC-DL packet-mark=CLASS-B-GROUP-C-DL parent=GROUP-C-DL priority=4 queue=GROUP-C-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-CC-DL packet-mark=CLASS-C-GROUP-C-DL parent=GROUP-C-DL priority=5 queue=GROUP-C-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-DC-DL packet-mark=CLASS-D-GROUP-C-DL parent=GROUP-C-DL priority=6 queue=GROUP-C-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GROUP-D-DL parent=DOWNLOAD priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-AD-DL packet-mark=CLASS-A-GROUP-D-DL parent=GROUP-D-DL priority=4 queue=GROUP-D-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-BD-DL packet-mark=CLASS-B-GROUP-D-DL parent=GROUP-D-DL priority=5 queue=GROUP-D-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-CD-DL packet-mark=CLASS-C-GROUP-D-DL parent=GROUP-D-DL priority=6 queue=GROUP-D-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-DD-DL packet-mark=CLASS-D-GROUP-D-DL parent=GROUP-D-DL priority=7 queue=GROUP-D-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GROUP-E-DL parent=DOWNLOAD priority=8

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-AE-DL packet-mark=CLASS-A-GROUP-E-DL parent=GROUP-E-DL priority=5 queue=GROUP-E-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-BE-DL packet-mark=CLASS-B-GROUP-E-DL parent=GROUP-E-DL priority=6 queue=GROUP-E-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-CE-DL packet-mark=CLASS-C-GROUP-E-DL parent=GROUP-E-DL priority=7 queue=GROUP-E-DL

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=CLASS-DE-DL packet-mark=CLASS-D-GROUP-E-DL parent=GROUP-E-DL priority=8 queue=GROUP-E-DL





With this, the implementation can be considered complete.



I also think it is worth mentioning that the limit-at and max-limit parameters should be set in each group, if only because everyone needs the Internet :)

It is also useful to set up queue profiles for the groups (the queue=GROUP-... types referenced in the rules above); here again I refer you to the Megis presentation, which covers queue size, delays and packet loss.



In addition, a few words for beginners: this set of rules is absolutely useless if you do not set max-limit values on the DOWNLOAD and UPLOAD root queues.

The max-limit values should be set 5-10 percent LOWER than the real speed of your Internet channel; otherwise the setup is meaningless, because your provider will drop or delay the packets that do not fit into the upstream, and the queues on the router itself will never form, so there is nothing for it to prioritize.



That is basically all; everything else is a matter of taste. A priority is changed by changing the connection mark and moving the rule within the list.

A new specific traffic type is added in the same way, or simply by copying an existing rule and then moving and editing it.



If there are several channels, max-limit is set to the sum of the speeds of those channels.
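As an added check (example code, not from the article): a small Python script that parses a `/queue tree` export in the format listed above and flags the mistakes just described. The 5-10% margin, the parent check and the priority scheme (class index + group index - 1) are assumptions read off the rule list; the link speed, or the sum of the channels if there are several, is passed in as a parameter, and the sample rules are constructed.

```python
import re

# Added check for a "/queue tree" export in the format above: root queues (parent=global-*)
# need a non-zero max-limit 5-10% below the link speed, every parent a child refers to must
# exist, and leaves named CLASS-<class><group>-<dir> use priority = class + group - 1 (A=1 .. E=5).

def parse_speed(value):
    """Convert a RouterOS speed such as '10M', '512k' or '0' to bits per second."""
    num, unit = re.fullmatch(r'(\d+)([kKmMgG]?)', value).groups()
    return int(num) * {'': 1, 'k': 10**3, 'm': 10**6, 'g': 10**9}[unit.lower()]

def parse_tree(text):
    """Return {name: {field: value}} for every 'add ...' line of the export."""
    queues = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('add '):
            fields = dict(re.findall(r'(\S+?)=(\S+)', line[4:]))  # key=value pairs
            queues[fields['name']] = fields
    return queues

def check_tree(queues, link_speed_bps):
    """Return a list of problems; an empty list means the tree passes."""
    problems = []
    for name, q in queues.items():
        parent = q.get('parent', '')
        if parent.startswith('global-'):
            ml = parse_speed(q.get('max-limit', '0'))
            if ml == 0:
                problems.append(f"{name}: root without max-limit, shaping does nothing")
            elif ml > 0.95 * link_speed_bps:
                problems.append(f"{name}: max-limit not 5-10% below link speed")
        elif parent not in queues:
            problems.append(f"{name}: parent {parent} does not exist")
        m = re.fullmatch(r'CLASS-([A-E])([A-E])-(UP|DL)', name)
        if m:
            expected = (ord(m.group(1)) - 64) + (ord(m.group(2)) - 64) - 1
            if int(q.get('priority', 8)) != expected:
                problems.append(f"{name}: priority should be {expected}")
    return problems

# Constructed sample, not the article's export: a valid root, a root with
# max-limit=0, a leaf with the wrong priority and a leaf whose parent is missing.
SAMPLE = """
add limit-at=0 max-limit=9M name=DOWNLOAD parent=global-out priority=8
add limit-at=0 max-limit=0 name=UPLOAD parent=global-total priority=8
add limit-at=0 max-limit=0 name=GROUP-A-DL parent=DOWNLOAD priority=8
add limit-at=0 max-limit=0 name=CLASS-BA-DL packet-mark=CLASS-B-GROUP-A-DL parent=GROUP-A-DL priority=5 queue=GROUP-A-DL
add limit-at=0 max-limit=0 name=CLASS-AB-DL packet-mark=CLASS-A-GROUP-B-DL parent=GROUP-B-DL priority=2 queue=GROUP-B-DL
"""
```

Running `check_tree(parse_tree(SAMPLE), 10_000_000)` reports the UPLOAD root, the wrong priority on CLASS-BA-DL and the missing GROUP-B-DL parent.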



For your convenience, I am posting the RSC file for import into the system, as well as screenshots for a fuller picture of the setup. Enjoy!



Mangle (screenshot)

Queue (screenshot)



I want to express my deep gratitude to all those brilliant people who, with their knowledge and answers on the forums, brought me to the right thoughts and the right direction.

This article may contain some inaccuracies in the description, due to the author's limited qualifications and lack of free time.



I would be very happy to receive your “Thank you!”, which should be sent to me personally using the contact details you can find in my profile.

I will also listen to and consider constructive criticism; I would be glad to talk to specialists working in a similar direction, and I will take your corrections and additions into account.

Source: https://habr.com/ru/post/131295/
