
Mikrotik Router OS. "Fair" channel separation

On Habr I came across a couple of articles titled “Mikrotik Router OS, a script for dynamic speed division”. Since I have been working on this problem for more than a year, I decided to share what I have learned.

First of all, this article is useful to those who have a desire to “fairly share the Internet” among several clients of the network. However, the solution is also suitable for dividing the communication channel of several offices or accessing individual resources, and for shaping.


Introduction


By “fair” channel separation, I mean the utilization of all its bandwidth regardless of the number of consumers. And consumers should receive the channel equally.
Since I work under Windows, for convenience I will use WinBox, which lets you configure the router through visual snap-ins. In my view WinBox is much more convenient than the command line: with a large set of rules it is far easier to find the one you need, and navigation is considerably faster.

Users of Linux and Unix systems should not be discouraged: WinBox works fine under Wine. In addition, MikroTik has a convenient web configurator, WebFig.

Further on I will give text descriptions of my actions and illustrate them with screenshots. At the end of the article I will provide a link to the router's configuration file so that you can examine it, load it into your own router and check it. For this purpose I recommend the MikroTik builds for x86-compatible systems and a virtual machine.

Also at the end of the article I will try to provide all useful links. If you don’t find something, please let me know and I will try to complete the article.

Formulation of the problem


First I will describe some of the tasks that you can solve by studying this article.
I will make two reservations in advance:
1. All the tasks described should hold for any number of download/upload streams per consumer.
2. By channel, I mean both the incoming and the outgoing channel.

Required:

  1. It is fair to divide incoming and outgoing channels between users:
    • With the full utilization of the bandwidth of the channel by all consumers, the channel must be divided equally between them.
    • With a free channel or a small utilization of the bandwidth of the channel by some consumers, other consumers should be provided with all the remaining bandwidth of the channel, but no more.
  2. Flexibly separate incoming and outgoing channels between users:
    • It should be possible to limit the width of the incoming / outgoing channel of any user or to any external resource.
    • It should be possible for the necessary services to provide the channel width / speed required for their normal operation.
  3. Make Web pages load quickly regardless of the current channel utilization.

A bit of clarification.

Point one.

For example, the bandwidth of the incoming channel is 1000 kb/s.
If Main_HomePC receives data from the Internet at 100 kb/s, then Second_HomePC should be able to receive data at up to 900 kb/s.
If the remote server raises the transfer rate for Main_HomePC to, say, 800 kb/s, the channel should be divided equally between the consumers (i.e. 500 kb/s each).
This task is solved by the PCQ queue type (more on that below).

Point two.

If there are consumers on the network who need Internet access but you do not want them to “bite off” a large piece of the channel, their speed should be limited, or the channel should be split unevenly between them and the other consumers.
This task is solved by the Queue Tree way of organizing queues (the theory is coming shortly).

Here you can also, for example, assign a higher priority to connections to certain servers. This is how I achieved excellent RDP performance regardless of channel load; the 1C users were very pleased.

Point three.

Still, surfing is the most noticeable activity of a person using the Internet. If the user has to wait a long time for pages to open, no queues and channel splitting will make him happy. So we will try to speed up page opening regardless of the user and the current channel load.

So we have arrived at the conclusion that we need Queue Tree queuing and the PCQ queue type.
Before solving the tasks, let us turn to the theory.

Theory


I will try to get rid of copy-paste. Therefore I will give references to the theory, and I will describe the most important briefly. The full theory will be needed by those who want to understand what is happening in more detail. If you want to set up a router using my example, you can refer to the very end of the article where you will find links to configuration files.

First, familiarize yourself with how traffic passes through the router.
It is enough to look over the first diagram and the principle will become clear.

HTB

HTB is described here.

In brief, HTB (Hierarchical Token Bucket) is a classic queuing method for processing various types of traffic.

The method is based on three simple, but obligatory stages:
  1. Isolation and marking of traffic of interest to us.
  2. Creating rules that apply individual queues to individual types of traffic.
  3. Apply selected strategies (rules and advanced parameters) to interfaces.

In RouterOS, HTB is implemented only through Queue Tree.

You can find out what makes this type of queue different from Simple Queue here .

As for the queue type, PCQ was chosen.
The point is that a queue for sending packets is attached to each router interface. Packets are collected into a buffer, then pulled out of it and sent sequentially to the physical network port. The order in which packets are pulled out of the buffer is defined by the queue.
Packets pulled out of the interface buffer are classified by the router according to certain attributes and placed into so-called packet “flows”. Different queue types classify packets differently and assign them to flows by different principles.

Initially the PFIFO queue (packet first in, first out) is used on all interfaces: the first packet in is the first packet out. This queue allows no control at all over the order in which packets are sent. The router places all packets into one flow, so with this queue type we can fully solve neither task 1 nor task 2. We can only limit the speed, not balance the load. Task 3 is solvable, because no balancing is needed there.

We need to configure the router so that packets from different users fit into different streams. Then it will not matter to us how many connections the user has made.

The PCQ queue type (Per Connection Queuing) lets you select flows by the source and destination addresses and ports of packets using classifiers, which allows rules to be applied to individual flows rather than to individual connections or packets. This queue type can limit the rate at which packets are pulled from the buffer into each flow (one way to allocate a fixed channel), and if Rate = 0 is set, all flows selected by the queue receive the same channel width (dynamic channel sharing; this is how Internet sharing among the Wireless Users will work).

More details can be found here .

Mangle

This is the first stage of HTB.
To apply rules to the order in which packets pass through the router, the packets must be marked.
While passing through the router a packet can be marked and then quickly found by its mark.
This is needed to apply common rules to different packets, or different rules to similar packets.
There is no need for a lot of text here; details can be read here.

Queue tree

The second stage of HTB is the creation of rules that allow different queue types to be applied to different types of traffic.
Writing this in my own words is quite difficult, and I refused to copy-paste. So either read the theory or look at the practice; it may be easier to see the implementation first.
Manual.

Practice


Network topology

My home network has the following topology:

image

The router connects to the provider's PPPoE server through a PPPoE_Client interface, which I called “ISP_Internet_Connection”, and gets Internet access through this interface. Network settings (IP, gateway, DNS) are issued dynamically.
Main_HomePC and Second_HomePC are desktop computers. They have static addresses, and I will use them as the example of how to balance channel load between them.
Note and Tablet are examples of devices connecting over Wi-Fi (they will be dynamically placed into the wireless_users group and receive addresses from the wireless_users pool). As a rule they need to obtain an address from the DHCP server, since they may be used in different networks (and so usually should not have hard-coded settings). I only have a smartphone, but for completeness I added the notebook too. In general, the number of such devices depends only on the allocated address pool.

Mangle

The first thing to do is to mark packets from all consumer devices.
We will first mark the connections, and only then the packets belonging to those connections. In this case the router does not re-check the packet headers of connections that are already marked. This approach avoids overloading the router's processor.
If you are sure the router will cope with marking every packet individually, you can skip marking the connections.
The packet marking settings are in the IP -> Firewall -> Mangle section.

Marking will be done in the forward chain. Here the router already knows to whom the packet will be sent on exit, and the firewall rules have already been applied, which means no extra packets will be marked.
We will do this according to the following principle:

image

Thus we will separate the packets for each of the home computers individually and for the group of wireless devices as a whole.
This algorithm must be applied to packets going from the LAN to the WAN and from the WAN to the LAN.
1. Mark connections established from the external network (I mark connections from two interfaces with one mark, but in the classic case only one interface is used to access the Internet, so the connection-marking rules for one of the two interfaces can be omitted).
To do this we mark all connections going to the WAN and leaving the LAN. To separate the packets of wireless devices from those of the home computers, I applied the marking rules only to the selected address groups.
2. Mark packets inside the marked connections. I mark packets with destination address 172.16.30.31 separately, those with 172.16.30.32 separately, and packets for the pool 172.16.30.10-172.16.30.20 with their own mark.

Similar rules are created for outgoing packets.
The result is as follows:
image
Rules 0 and 1 are marked with the letter D, which means dynamic. They are created automatically when the PPPoE connection is established, so they may not be present everywhere. They are not related to the topic of the article.
Rule 4 is not fully shown in the figure. Additionally, you should specify the IP protocol and source port 80. The rule terminates the chain so that only the first two million bytes of each new connection end up under the http_dl_boost mark (I think this is enough to load most pages).
On the same principle you can build an upload booster, and also make small data packets go faster; for example, when playing Heroes 3, data transfer on the return path can be accelerated.
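The two marking steps above, written as RouterOS CLI commands instead of WinBox screenshots. This is an added example and not the author's configuration file: the interface name and the addresses are taken from the article, while the mark names (main_pc_conn, main_pc_dl and so on), the connection-mark=no-mark shortcut and the rule comments are my own choices.

```routeros
# Added example, not the author's exported config. Interface and address values
# are the ones named in the article; the mark names (*_conn, *_dl, *_ul) are mine.
/ip firewall mangle

# Step 1: mark each consumer's connections once. Matching on the LAN-side source
# address catches LAN-originated connections on their first packet and inbound
# connections on the first reply; connection-mark=no-mark keeps the router from
# re-evaluating connections that already carry a mark.
add chain=forward connection-mark=no-mark src-address=172.16.30.31 out-interface=ISP_Internet_Connection action=mark-connection new-connection-mark=main_pc_conn passthrough=yes comment="Main_HomePC"
add chain=forward connection-mark=no-mark src-address=172.16.30.32 out-interface=ISP_Internet_Connection action=mark-connection new-connection-mark=second_pc_conn passthrough=yes comment="Second_HomePC"
add chain=forward connection-mark=no-mark src-address=172.16.30.10-172.16.30.20 out-interface=ISP_Internet_Connection action=mark-connection new-connection-mark=wireless_conn passthrough=yes comment="wireless_users pool"

# HTTP boost (the article's rule 4): the first 2 000 000 bytes of every connection
# served from TCP port 80 get their own packet mark. passthrough=no ends the chain,
# so these packets never reach the per-user rules below.
add chain=forward in-interface=ISP_Internet_Connection protocol=tcp src-port=80 connection-bytes=0-2000000 action=mark-packet new-packet-mark=http_dl_boost passthrough=no comment="first 2 MB of each HTTP download"

# Step 2: mark packets inside the marked connections, by direction. A packet can
# carry only one packet mark, so every rule here uses passthrough=no.
# Download: the consumer is the destination.
add chain=forward connection-mark=main_pc_conn dst-address=172.16.30.31 action=mark-packet new-packet-mark=main_pc_dl passthrough=no
add chain=forward connection-mark=second_pc_conn dst-address=172.16.30.32 action=mark-packet new-packet-mark=second_pc_dl passthrough=no
add chain=forward connection-mark=wireless_conn dst-address=172.16.30.10-172.16.30.20 action=mark-packet new-packet-mark=wireless_dl passthrough=no
# Upload: the consumer is the source.
add chain=forward connection-mark=main_pc_conn src-address=172.16.30.31 action=mark-packet new-packet-mark=main_pc_ul passthrough=no
add chain=forward connection-mark=second_pc_conn src-address=172.16.30.32 action=mark-packet new-packet-mark=second_pc_ul passthrough=no
add chain=forward connection-mark=wireless_conn src-address=172.16.30.10-172.16.30.20 action=mark-packet new-packet-mark=wireless_ul passthrough=no

# Check: per-rule hit counters show whether each mark is actually being applied.
/ip firewall mangle print stats
```

Rule order matters: the boost rule sits before the per-user download rules because it terminates the chain, and the connection-marking rules sit before everything else because the packet-marking rules match on the connection mark. ACKs going back to port 80 do not match src-port=80, so they still receive the per-user upload mark.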

Queue

The second step is setting up the queues. To begin with, we create two new queue types, of PCQ type, for incoming and outgoing traffic.

image

Packet flows to which the PCQ_Download queue type is applied will be classified by destination address, and each will get the same priority. Such a queue ensures equality among consumers regardless of the number of flows to each of them.
Similarly, the queue for outgoing packets will classify flows by source address.
On the basis of this queue type it is also possible to balance packet flows between different applications of the same user (classifiers: destination address and port). Difficulties can arise only with torrents, but with due diligence this too can be solved with a more complex queue tree.
Note that the Limit parameter differs for incoming and outgoing packets. To understand what it is for, go back to the HTB theory.

Now everything is ready to create your own queue tree.

We are interested in two branches:
- incoming packets (as I call the packets that come from the Internet and are intended for devices on the local network).
- outgoing packets (packets originating from devices in the local network).

This is what all the queue tree rules look like.

image

The parent of the Incoming_Packets branch is the LAN2 interface: packets are sent from it to the local devices.
The parent of the Outgoing_Packets branch is global-out, since in my case packets can be sent through both WAN and ISP_Internet_Connection.
Note that HTTP_DL_BOOST has priority 2 and LimitAt = MaxLimit = 32M. This gives high priority and maximum bandwidth to the ~2 MB (the first two million bytes) of traffic received from port 80 over IP, which ensures fast page opening even on slow links (tested on a 2 Mb/s channel with three users).
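The queue types and the two branches of the queue tree as RouterOS CLI commands. This is an added example, not the author's exported config: the queue names, parents, priority and limits follow the article; the packet marks (main_pc_dl, wireless_ul and so on) are names I assume the mangle rules set and should be replaced with your own; the pcq-limit and pcq-total-limit values are assumed (RouterOS defaults), since the article says only that Limit differs between the two directions.

```routeros
# Added example, not the author's exported config. Packet-mark names and the
# pcq-limit/pcq-total-limit values are assumptions; the rest follows the article.
/queue type
# pcq-rate=0: every flow gets an equal share of whatever the parent queue allows.
add name=PCQ_Download kind=pcq pcq-classifier=dst-address pcq-rate=0 pcq-limit=50 pcq-total-limit=2000
add name=PCQ_Upload   kind=pcq pcq-classifier=src-address pcq-rate=0 pcq-limit=50 pcq-total-limit=2000

/queue tree
# Incoming branch: the parent is the LAN-facing interface, so shaping happens where
# packets leave the router towards the consumers. 32M is the link speed from the article.
add name=Incoming_Packets parent=LAN2 max-limit=32M
# Children at the same priority compete equally for the parent's bandwidth.
# Wireless_DL holds the whole pool; its PCQ (classified by dst-address) then
# splits that child's share equally among the wireless devices.
add name=Main_HomePC_DL   parent=Incoming_Packets packet-mark=main_pc_dl   queue=PCQ_Download priority=8
add name=Second_HomePC_DL parent=Incoming_Packets packet-mark=second_pc_dl queue=PCQ_Download priority=8
add name=Wireless_DL      parent=Incoming_Packets packet-mark=wireless_dl  queue=PCQ_Download priority=8
# Boost queue as described in the article: priority 2 (1 is highest, 8 is the
# default) and limit-at = max-limit = 32M.
add name=HTTP_DL_BOOST parent=Incoming_Packets packet-mark=http_dl_boost priority=2 limit-at=32M max-limit=32M

# Outgoing branch. global-out is the parent on the author's RouterOS version
# (RouterOS v6 and later offer a single "global" parent instead); 8M is the
# upstream Internet speed given in the article.
add name=Outgoing_Packets parent=global-out max-limit=8M
add name=Main_HomePC_UL   parent=Outgoing_Packets packet-mark=main_pc_ul   queue=PCQ_Upload priority=8
add name=Second_HomePC_UL parent=Outgoing_Packets packet-mark=second_pc_ul queue=PCQ_Upload priority=8
add name=Wireless_UL      parent=Outgoing_Packets packet-mark=wireless_ul  queue=PCQ_Upload priority=8

# Check under load: per-queue rate and dropped counters. With both home PCs
# saturating the link, the two *_DL queues should settle at roughly equal rates,
# as in the article's experiment.
/queue tree print stats
```

A queue tree child only ever sees packets that carry its packet mark, so a mark that is never set in mangle shows up here as a queue with zero traffic; comparing the mangle hit counters with the queue counters is the quickest way to find a mismatch between the two stages.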

Results.


For a full-fledged experiment I start a download in 5 streams from nvidia.com on MainPC, and a torrent download on SecondPC.
Since it is almost impossible to saturate all 32 megabits, I artificially limit the band to 2 megabits.
For the purity of the experiment I turned off DL_BOOST.

image

The numbers differ slightly because the screenshots were not taken at the same moment.
The disabled rule is not updated, so its numbers do not correspond to that moment.

PS It should be added that in my case (the local ISP resources are behind the WAN interface and I get the full 32 Mbit/s to them, while my Internet access is 8/8 Mbit/s) one should approach it a little differently and put the flows to internal resources into separate branches. Then the channel can be divided even more flexibly. But I do not use the internal resources, so I presented everything in a simpler form.

Materials


As promised, here is the config.
A couple of links:
Manual
Configuration via web interface
Passing packets through the router
HTB
Mangle
Queue tree

Download WinBox

Recommended reading



Among other things, I decided at the same time to give some information about useful utilities.

The dude

A very nice thing. It helps build a network topology and track its integrity. It can also connect to routers, check channel bandwidth with the bandwidth test, etc.

Syslog daemon

Because it is located in the “archive” section, it is a little-known tool. It allows remote logging of router events and supports many filters. For debugging it is excellent. If I remember correctly, it is built into The Dude.

UPD:


Added information about the web configurator and running WinBox under Linux/Unix to the introduction.
Added a couple of useful links.

I will be happy to see criticism in the comments and try to make the article better.

Source: https://habr.com/ru/post/133244/

