Difference between revisions of "Traffic Priortization, RouterOS QoS Implemetation"

From MikroTik Wiki
(Bridge Setup)
 
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
/
+
This QoS setup will limit only the Download traffic, no rules are applied for Upload traffic since I didn't had any need for it, I'm not reaching upload limit. This shaper I have installed only for Residential users, who are limited at 550 Mbit/s of overall Bandwidth, what includes around 12000 users online with different rates limited 1 Mbit/s and 2 Mbit/s per user. The idea behind the scripts is for allowing different limits Day and Night, to give to the lowest priority to reach at least 22 Mbit/s after businesses hours, when buissnes clients do not use much bandwidth. For web video (youtube ...) 400 Kbit/s per user will e served using PCQ. 
/interface bridge
+
 
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 name=ALLOT
+
== Bridge Setup ==
    priority=0x8000 protocol-mode=none transmit-hold-count=6
+
'''First, We create a bridge interface and name it as you like, I have named it ALLOT:'''
/interface bridge port
+
 
add bridge=ALLOT comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=INTERNAL path-cost=10 point-to-point=auto priority=0x80
+
<pre>/interface bridge
add bridge=ALLOT comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=EXTERNAL path-cost=10 point-to-point=auto priority=0x80
+
add name=ALLOT</pre>
 +
 
 +
'''After that, assign ports to the bridge INTERNAL as a Local interface and EXTERNAL as Publc interface:'''
 +
 
 +
<pre>/interface bridge port
 +
add bridge=ALLOT interface=INTERNAL
 +
add bridge=ALLOT interface=EXTERNAL</pre>
 +
 
 +
'''Than the last thing about bridge is to enable ip firewall on it, so we can mangle.'''
 +
<pre>
 
/interface bridge settings
 
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=/
+
set use-ip-firewall=yes
 +
</pre>
  
/
+
'''For web video services, create Address-List for most of the Youtube, Metacafe, Youporn, Redtube etc.'''
 +
<pre>
 +
/ip firewall address-list
 +
add address=208.117.224.0/24 list=Youtube
 +
add address=208.117.225.0/24 list=Youtube
 +
add address=208.117.228.0/24 list=Youtube
 +
add address=208.117.229.0/24 list=Youtube
 +
add address=208.117.232.0/24 list=Youtube
 +
add address=208.117.233.0/24 list=Youtube
 +
add address=208.117.234.0/24 list=Youtube
 +
add address=208.117.238.0/24 list=Youtube
 +
add address=208.65.152.0/24 list=Youtube
 +
add address=208.65.153.0/24 list=Youtube
 +
add address=208.65.154.0/24 list=Youtube
 +
add address=64.15.112.0/20 list=Youtube
 +
add address=208.117.236.0/24 list=Youtube
 +
add address=74.125.96.0/19 list=Youtube
 +
add address=72.14.221.0/24 list=Youtube
 +
add address=84.53.128.0/18 comment=Redtube list=Youtube
 +
add address=87.248.192.0/19 comment=Youporn list=Youtube
 +
add address=216.155.128.0/19 comment=Redtube list=Youtube
 +
add address=208.73.208.0/21 comment=Redtube list=Youtube
 +
add address=66.55.140.0/23 comment=Redtube list=Youtube
 +
add address=74.125.208.0/24 list=Youtube
 +
</pre>
 +
 
 +
== Mangle Setup ==
 +
'''Here we mark the packets for the different traffic, be carefull to keep this order:'''
 +
<pre>
 
/ip firewall mangle
 
/ip firewall mangle
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=icmp passthrough=no protocol=icmp
+
add action=mark-packet chain=forward new-packet-mark=icmp passthrough=no protocol=icmp
add action=mark-packet chain=forward comment="" disabled=no dst-port=443 new-packet-mark=ssl passthrough=no protocol=tcp
+
add action=mark-packet chain=forward dst-port=443 new-packet-mark=ssl passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=p2p p2p=all-p2p passthrough=no
+
add action=mark-packet chain=forward new-packet-mark=p2p p2p=all-p2p passthrough=no
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=udp-100 packet-size=0-100 passthrough=no protocol=udp
+
add action=mark-packet chain=forward new-packet-mark=udp-100 packet-size=0-100 passthrough=no protocol=udp
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=upd-500 packet-size=100-500 passthrough=no protocol=udp
+
add action=mark-packet chain=forward new-packet-mark=upd-500 packet-size=100-500 passthrough=no protocol=udp
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=upd-other passthrough=no protocol=udp
+
add action=mark-packet chain=forward new-packet-mark=upd-other passthrough=no protocol=udp
add action=mark-packet chain=forward comment="" disabled=no dst-port=1863 new-packet-mark=msn-messenger passthrough=no protocol=tcp
+
add action=mark-packet chain=forward dst-port=1863 new-packet-mark=msn-messenger passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" disabled=no dst-port=110 new-packet-mark=pop3 passthrough=no protocol=tcp
+
add action=mark-packet chain=forward dst-port=110 new-packet-mark=pop3 passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" disabled=no dst-port=25 new-packet-mark=smtp passthrough=no protocol=tcp
+
add action=mark-packet chain=forward dst-port=25 new-packet-mark=smtp passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" disabled=no dst-port=143 new-packet-mark=imap passthrough=no protocol=tcp
+
add action=mark-packet chain=forward dst-port=143 new-packet-mark=imap passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=gre passthrough=no protocol=gre
+
add action=mark-packet chain=forward new-packet-mark=gre passthrough=no protocol=gre
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=ipsec-esp passthrough=no protocol=ipsec-esp
+
add action=mark-packet chain=forward new-packet-mark=ipsec-esp passthrough=no protocol=ipsec-esp
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=ipsec-ah passthrough=no protocol=ipsec-ah
+
add action=mark-packet chain=forward new-packet-mark=ipsec-ah passthrough=no protocol=ipsec-ah
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=ipencap passthrough=no protocol=ipencap
+
add action=mark-packet chain=forward new-packet-mark=ipencap passthrough=no protocol=ipencap
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=ipip passthrough=no protocol=ipip
+
add action=mark-packet chain=forward new-packet-mark=ipip passthrough=no protocol=ipip
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=Youtube passthrough=no src-address-list=Youtube
+
add action=mark-packet chain=forward new-packet-mark=Youtube passthrough=no src-address-list=Youtube
add action=mark-packet chain=forward comment="" disabled=no dst-port=80 new-packet-mark=http passthrough=no protocol=tcp
+
add action=mark-packet chain=forward dst-port=80 new-packet-mark=http passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" connection-bytes=1-512000 disabled=no new-packet-mark=0bytes passthrough=yes
+
add action=mark-packet chain=forward connection-bytes=1-512000 new-packet-mark=0bytes passthrough=yes
add action=mark-packet chain=forward comment="" connection-bytes=512000-1000000 disabled=no new-packet-mark=1Mbyte passthrough=yes
+
add action=mark-packet chain=forward connection-bytes=512000-1000000 new-packet-mark=1Mbyte passthrough=yes
add action=mark-packet chain=forward comment="" connection-bytes=1000000-3000000 disabled=no new-packet-mark=3Mbyte passthrough=yes
+
add action=mark-packet chain=forward connection-bytes=1000000-3000000 new-packet-mark=3Mbyte passthrough=yes
add action=mark-packet chain=forward comment="" connection-bytes=3000000-6000000 disabled=no new-packet-mark=6Mbyte passthrough=yes
+
add action=mark-packet chain=forward connection-bytes=3000000-6000000 new-packet-mark=6Mbyte passthrough=yes
add action=mark-packet chain=forward comment="" connection-bytes=6000000-30000000 disabled=no new-packet-mark=30Mbyte passthrough=yes
+
add action=mark-packet chain=forward connection-bytes=6000000-30000000 new-packet-mark=30Mbyte passthrough=yes
add action=mark-packet chain=forward comment="" connection-bytes=30000000-60000000 disabled=no new-packet-mark=60Mbytes passthrough=yes
+
add action=mark-packet chain=forward connection-bytes=30000000-60000000 new-packet-mark=60Mbytes passthrough=yes
add action=mark-packet chain=forward comment="" connection-bytes=60000000-0 disabled=no new-packet-mark=Infinite passthrough=yes\
+
add action=mark-packet chain=forward connection-bytes=60000000-0 new-packet-mark=Infinite passthrough=yes</pre>
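Review bot: The port-based rules in this block (dst-port=80 for http, and likewise 443, 110, 25, 143 and 1863) match on destination port only, so they mark client-to-server packets, while the queue tree that consumes these marks is parented on INTERNAL, the download side. Packets coming back from a web server carry source port 80 and will skip the http rule and pick up one of the connection-bytes marks instead. If the HTTP, SSL and mail queues are meant to shape downloads, match the reply direction as well, or mark the connection first and derive the packet mark from it. Smaller point: the marks upd-500 and upd-other look like typos for udp-500 and udp-other; they work only because the queue tree repeats the same spelling.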
 +
 
 +
== Queue Type ==
 +
'''PCQ will be used only for Youtube and other web video'''
 +
<pre>
 +
/queue type
 +
add kind=pcq name=Youtube_down pcq-classifier=src-port,dst-port pcq-limit=50
 +
pcq-rate=400000 pcq-total-limit=2000
 +
</pre>
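Review bot: The added Youtube_down definition breaks after pcq-limit=50 with no trailing backslash, so pcq-rate=400000 pcq-total-limit=2000 will not be read as part of the add command when the block is pasted; keep the command on one line or end the first line with a backslash. The same applies to the queue=Youtube_down line that follows the Youtube entry in the Queue Tree section. Also note that pcq-classifier=src-port,dst-port creates one sub-queue per port pair, which does not give the "400 Kbit/s per user" described in the introduction; classifying on dst-address would be per user for download traffic.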
 +
 
  
 +
== Queue Tree ==
 +
'''This is the Queue Tree that manages the marked packets.'''
  
 +
For all rules except Youtube - queue=default, for all rules max-limit and limit-at are zeroes except where a value is specified.
 +
<pre>
 
/queue tree
 
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=550000000 max-limit=550000000 name=OVERALL packet-mark="" parent=INTERNAL priority=5
+
add limit-at=550000000 max-limit=550000000 name=OVERALL parent=INTERNAL priority=5
    queue=default
+
 
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=PRIO1 packet-mark="" parent=OVERALL priority=1 queue=default
+
add name=PRIO1 parent=OVERALL priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=PRIO3 packet-mark="" parent=OVERALL priority=3 queue=default
+
add name=0-512 packet-mark=0bytes parent=PRIO1 priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=PRIO5 packet-mark="" parent=OVERALL priority=5 queue=default
+
add name=ICMP packet-mark=icmp parent=PRIO1 priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=PRIO7 packet-mark="" parent=OVERALL priority=7 queue=default
+
add name=POP3 packet-mark=pop3 parent=PRIO1 priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=PRIO8 packet-mark="" parent=OVERALL priority=8 queue=default
+
add name=SMTP packet-mark=smtp parent=PRIO1 priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=UDP packet-mark="" parent=OVERALL priority=1 queue=default
+
add name=IMAP packet-mark=imap parent=PRIO1 priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=Youtube packet-mark=Youtube parent=PRIO7 priority=7 queue=
+
add name=HTTP packet-mark=http parent=PRIO1 priority=1
    Youtube_down
+
add name=SSL packet-mark=ssl parent=PRIO1 priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=PRIO6 packet-mark="" parent=OVERALL priority=6 queue=default
+
add name=MSN-MESSENGER packet-mark=msn-messenger parent=PRIO1 priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=30Mbyte packet-mark=30Mbyte parent=PRIO6 priority=6 queue=default
+
 
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=22000000 max-limit=22000000 name=PRIO8-19h packet-mark="" parent=INTERNAL priority=3
+
add name=PRIO3 parent=OVERALL priority=3
    queue=default
+
add name=1Mbyte packet-mark=1Mbyte parent=PRIO3 priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=Infinite-19h packet-mark=Infinite parent=PRIO8-19h priority=8
+
 
    queue=default
+
add name=PRIO4 parent=OVERALL priority=4
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=P2P-19h packet-mark=p2p parent=PRIO8-19h priority=8 queue=default
+
add name=3Mbyte packet-mark=3Mbyte parent=PRIO4 priority=4
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GRE-19h packet-mark=gre parent=PRIO8-19h priority=8 queue=default
+
 
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IPENCAP-19h packet-mark=ipencap parent=PRIO8-19h priority=8 queue=
+
add name=PRIO5 parent=OVERALL priority=5
    default
+
add name=6Mbyte packet-mark=6Mbyte parent=PRIO5 priority=5
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IPIP-19h packet-mark=ipip parent=PRIO8-19h priority=8 queue=default
+
 
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IPSEC-AH-19h packet-mark=ipsec-ah parent=PRIO8-19h priority=8
+
add name=PRIO6 parent=OVERALL priority=6
    queue=default
+
add name=30Mbyte packet-mark=30Mbyte parent=PRIO6 priority=6
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IPSEC-ESP-19h packet-mark=ipsec-esp parent=PRIO8-19h priority=8
+
 
    queue=default
+
add name=PRIO7 parent=OVERALL priority=7
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=PRIO4 packet-mark="" parent=OVERALL priority=4 queue=default
+
add name=Youtube packet-mark=Youtube parent=PRIO7 priority=7
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=60Mbyte packet-mark=60Mbytes parent=PRIO7 priority=7 queue=default
+
queue=Youtube_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IPKO80 packet-mark=ipko180packet parent=PRIO1 priority=1 queue=
+
add name=60Mbyte packet-mark=60Mbytes parent=PRIO7 priority=7
    default
+
 
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=HTTP packet-mark=http parent=PRIO1 priority=1 queue=default
+
add name=PRIO8 parent=OVERALL priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=SSL packet-mark=ssl parent=PRIO1 priority=1 queue=default
+
add name=Infinite packet-mark=Infinite parent=PRIO8 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=UDP-100 packet-mark=udp-100 parent=UDP priority=1 queue=default
+
add name=GRE packet-mark=gre parent=PRIO8 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ICMP packet-mark=icmp parent=PRIO1 priority=1 queue=default
+
add name=IPSEC-ESP packet-mark=ipsec-esp parent=PRIO8 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=POP3 packet-mark=pop3 parent=PRIO1 priority=1 queue=default
+
add name=IPSEC-AH packet-mark=ipsec-ah parent=PRIO8 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=SMTP packet-mark=smtp parent=PRIO1 priority=1 queue=default
+
add name=P2P packet-mark=p2p parent=PRIO8 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IMAP packet-mark=imap parent=PRIO1 priority=1 queue=default
+
add name=IPENCAP packet-mark=ipencap parent=PRIO8 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=0-512 packet-mark=0bytes parent=PRIO1 priority=1 queue=default
+
add name=IPIP packet-mark=ipip parent=PRIO8 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=1Mbyte packet-mark=1Mbyte parent=PRIO3 priority=3 queue=default
+
 
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=3Mbyte packet-mark=3Mbyte parent=PRIO4 priority=4 queue=default
+
add name=UDP parent=OVERALL priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=6Mbyte packet-mark=6Mbyte parent=PRIO5 priority=5 queue=default
+
add name=UDP-100 packet-mark=udp-100 parent=UDP priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=Infinite packet-mark=Infinite parent=PRIO8 priority=8 queue=default
+
add name=UDP-500 packet-mark=upd-500 parent=UDP priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=MSN-MESSENGER packet-mark=msn-messenger parent=PRIO1 priority=1
+
add name=UDP-Other packet-mark=upd-other parent=UDP priority=8
    queue=default
+
 
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GRE packet-mark=gre parent=PRIO8 priority=8 queue=default
+
add disabled=yes limit-at=22000000 max-limit=22000000 name=PRIO8-19h parent=INTERNAL priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IPSEC-ESP packet-mark=ipsec-esp parent=PRIO8 priority=8 queue=
+
add name=Infinite-19h packet-mark=Infinite parent=PRIO8-19h priority=8
    default
+
add name=P2P-19h packet-mark=p2p parent=PRIO8-19h priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IPSEC-AH packet-mark=ipsec-ah parent=PRIO8 priority=8 queue=default
+
add name=GRE-19h packet-mark=gre parent=PRIO8-19h priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=P2P packet-mark=p2p parent=PRIO8 priority=8 queue=default
+
add name=IPENCAP-19h packet-mark=ipencap parent=PRIO8-19h priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IPENCAP packet-mark=ipencap parent=PRIO8 priority=8 queue=default
+
add name=IPIP-19h packet-mark=ipip parent=PRIO8-19h priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IPIP packet-mark=ipip parent=PRIO8 priority=8 queue=default
+
add name=IPSEC-AH-19h packet-mark=ipsec-ah parent=PRIO8-19h priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=UDP-500 packet-mark=upd-500 parent=UDP priority=3 queue=default
+
add name=IPSEC-ESP-19h packet-mark=ipsec-esp parent=PRIO8-19h priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=UDP-Other packet-mark=upd-other parent=UDP priority=8 queue=default
+
 
 +
</pre>
  
/
+
== Scripts for changing Queue Tree at different times of day ==
 +
''' We have some very useful scripts that change the Queue Tree at different times of the day.
 +
At 19h it will start to check the average rate of PRIO8 Queue and if it's below 20 Mbit/s
 +
it will disable it and enable PRIO8-19h what will guarantee 22Mbit/s for that kind of traffic.
 +
The other script will check the average rate of the OVERALL Queue and if the rate is below 510 Mbit/s
 +
it will disable PRIO8-19h and enable PRIO8 since there will be more than 22 MBit/s available:'''
 +
<pre>
 
/system script
 
/system script
add name=Day policy=ftp,reboot,read,write,policy,test,winbox,password,sniff source=\
+
add name=Day source="/queue tree enable PRIO8; /queue tree disable PRIO8-19h;  
    "queue tree enable PRIO8; /queue tree disable PRIO8-19h; /system scheduler disable Night; /system scheduler disable Overall-Night"
+
/system scheduler disable Night; /system scheduler disable Overall-Night"
add name=Night policy=ftp,reboot,read,write,policy,test,winbox,password,sniff source=":global checkrate [/queue tree get PRIO8 rate]\r\
+
add name=Night source=":global checkrate [/queue tree get PRIO8 rate]\r\  
    \n:local rate 20000000\r\
+
\n:local rate 20000000\r\ \n\r\ \n:if  ( \$checkrate < \$rate ) do={\r\ \n     
    \n\r\
+
/queue tree enable PRIO8-19h; /queue tree disable PRIO8\r\ \n}\r\ \n\r\  
    \n:if  ( \$checkrate < \$rate ) do={\r\
+
\n:if  ( \$checkrate > \$rate ) do={\r\ \n    /queue tree enable PRIO8;  
    \n    /queue tree enable PRIO8-19h; /queue tree disable PRIO8\r\
+
/queue tree disable PRIO8-19h\r\ \n}"
    \n}\r\
+
add name=Enable-Night source= "system scheduler enable Night;  
    \n\r\
+
/system scheduler enable Overall-Night"
    \n:if  ( \$checkrate > \$rate ) do={\r\
+
add name=Overall-Night source=":global checkrate  
    \n    /queue tree enable PRIO8; /queue tree disable PRIO8-19h\r\
+
[/queue tree get OVERALL rate]\r\ \n:local rate 510000000\r\ \n\r\ \n:if   
    \n}"
+
( \$checkrate < \$rate ) do={\r\ \n    /queue tree enable PRIO8;  
add name=Enable-Night policy=ftp,reboot,read,write,policy,test,winbox,password,sniff source=
+
/queue tree disable PRIO8-19h\r\ \n}\r\ \n"</pre>
    "system scheduler enable Night; /system scheduler enable Overall-Night"
 
add name=Overall-Night policy=ftp,reboot,read,write,policy,test,winbox,password,sniff source=":global checkrate [/queue tree get OVERALL rate]\r\
 
    \n:local rate 510000000\r\
 
    \n\r\
 
    \n:if  ( \$checkrate < \$rate ) do={\r\
 
    \n    /queue tree enable PRIO8; /queue tree disable PRIO8-19h\r\
 
    \n}\r\
 
    \n"
 
\
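Review bot: The new add lines drop policy= from all four scripts without replacing it. The old value (ftp,reboot,read,write,policy,test,winbox,password,sniff) was much broader than scripts that only toggle queue tree entries and schedulers need, but removing the parameter leaves them on whatever the default policy is rather than a deliberately narrow one; set policy explicitly to the minimum these scripts require. In addition, the source strings are now wrapped in the middle of the quoted text, which will not paste back as a single command, and the Enable-Night source starts with "system scheduler" without the leading slash used everywhere else.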
 
  
 +
'''And the schedules that activate the scripts:'''
 +
<pre>
 
/system scheduler
 
/system scheduler
add comment="" disabled=no interval=1d name=Day on-event=Day start-date=dec/25/2008 start-time=01:00:00
+
add interval=1d name=Day on-event=Day start-time=01:00:00
add comment="" disabled=yes interval=15m name=Night on-event=Night start-date=dec/24/2008 start-time=19:00:00
+
add disabled=yes interval=15m name=Night on-event=Night start-time=19:00:00
add comment="" disabled=no interval=1d name=Enable-Night on-event=Enable-Night start-date=feb/03/2009 start-time=18:55:00
+
add interval=1d name=Enable-Night on-event=Enable-Night start-time=18:55:00
add comment="" disabled=yes interval=15m name=Overall-Night on-event=Overall-Night start-date=feb/04/2009 start-time=19:10:00\
+
add disabled=yes interval=15m name=Overall-Night on-event=Overall-Night start-time=19:10:00
 +
</pre>

Latest revision as of 21:58, 30 April 2009

This QoS setup limits only download traffic; no rules are applied to upload traffic, since I didn't have any need for them and I'm not reaching the upload limit. I have installed this shaper only for residential users, who are limited to 550 Mbit/s of overall bandwidth, which includes around 12000 users online with different rate limits of 1 Mbit/s and 2 Mbit/s per user. The idea behind the scripts is to allow different limits for day and night, letting the lowest priority reach at least 22 Mbit/s after business hours, when business clients do not use much bandwidth. For web video (YouTube ...), 400 Kbit/s per user will be served using PCQ.

Bridge Setup

First, we create a bridge interface; name it as you like. I have named it ALLOT:

/interface bridge
add name=ALLOT

After that, assign ports to the bridge: INTERNAL as the local interface and EXTERNAL as the public interface:

/interface bridge port
add bridge=ALLOT interface=INTERNAL
add bridge=ALLOT interface=EXTERNAL

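Then the last thing about the bridge is to enable the IP firewall on it, so we can mangle. With this setting, bridged traffic is also processed by the IP firewall chains, so any existing filter rules in the forward chain apply to it as well.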

/interface bridge settings
set use-ip-firewall=yes

For web video services, create an address list covering most of YouTube, Metacafe, Youporn, Redtube, etc.

/ip firewall address-list
add address=208.117.224.0/24 list=Youtube
add address=208.117.225.0/24 list=Youtube
add address=208.117.228.0/24 list=Youtube
add address=208.117.229.0/24 list=Youtube
add address=208.117.232.0/24 list=Youtube
add address=208.117.233.0/24 list=Youtube
add address=208.117.234.0/24 list=Youtube
add address=208.117.238.0/24 list=Youtube
add address=208.65.152.0/24 list=Youtube
add address=208.65.153.0/24 list=Youtube
add address=208.65.154.0/24 list=Youtube
add address=64.15.112.0/20 list=Youtube
add address=208.117.236.0/24 list=Youtube
add address=74.125.96.0/19 list=Youtube
add address=72.14.221.0/24 list=Youtube
add address=84.53.128.0/18 comment=Redtube list=Youtube
add address=87.248.192.0/19 comment=Youporn list=Youtube
add address=216.155.128.0/19 comment=Redtube list=Youtube
add address=208.73.208.0/21 comment=Redtube list=Youtube
add address=66.55.140.0/23 comment=Redtube list=Youtube
add address=74.125.208.0/24 list=Youtube

Mangle Setup

Here we mark the packets for the different kinds of traffic; be careful to keep this order:

/ip firewall mangle
add action=mark-packet chain=forward new-packet-mark=icmp passthrough=no protocol=icmp
add action=mark-packet chain=forward dst-port=443 new-packet-mark=ssl passthrough=no protocol=tcp
add action=mark-packet chain=forward new-packet-mark=p2p p2p=all-p2p passthrough=no
add action=mark-packet chain=forward new-packet-mark=udp-100 packet-size=0-100 passthrough=no protocol=udp
add action=mark-packet chain=forward new-packet-mark=upd-500 packet-size=100-500 passthrough=no protocol=udp
add action=mark-packet chain=forward new-packet-mark=upd-other passthrough=no protocol=udp
add action=mark-packet chain=forward dst-port=1863 new-packet-mark=msn-messenger passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=110 new-packet-mark=pop3 passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=25 new-packet-mark=smtp passthrough=no protocol=tcp
add action=mark-packet chain=forward dst-port=143 new-packet-mark=imap passthrough=no protocol=tcp
add action=mark-packet chain=forward new-packet-mark=gre passthrough=no protocol=gre
add action=mark-packet chain=forward new-packet-mark=ipsec-esp passthrough=no protocol=ipsec-esp
add action=mark-packet chain=forward new-packet-mark=ipsec-ah passthrough=no protocol=ipsec-ah
add action=mark-packet chain=forward new-packet-mark=ipencap passthrough=no protocol=ipencap
add action=mark-packet chain=forward new-packet-mark=ipip passthrough=no protocol=ipip
add action=mark-packet chain=forward new-packet-mark=Youtube passthrough=no src-address-list=Youtube
add action=mark-packet chain=forward dst-port=80 new-packet-mark=http passthrough=no protocol=tcp
add action=mark-packet chain=forward connection-bytes=1-512000 new-packet-mark=0bytes passthrough=yes
add action=mark-packet chain=forward connection-bytes=512000-1000000 new-packet-mark=1Mbyte passthrough=yes
add action=mark-packet chain=forward connection-bytes=1000000-3000000 new-packet-mark=3Mbyte passthrough=yes
add action=mark-packet chain=forward connection-bytes=3000000-6000000 new-packet-mark=6Mbyte passthrough=yes
add action=mark-packet chain=forward connection-bytes=6000000-30000000 new-packet-mark=30Mbyte passthrough=yes
add action=mark-packet chain=forward connection-bytes=30000000-60000000 new-packet-mark=60Mbytes passthrough=yes
add action=mark-packet chain=forward connection-bytes=60000000-0 new-packet-mark=Infinite passthrough=yes
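
The ordering rule above can be checked offline with a small model of the mangle walk. This is an added example, not part of the original wiki page; the packet fields, the boolean stand-ins for p2p=all-p2p and the Youtube address list, and the inclusive treatment of ranges are assumptions of the model.

```python
# Model of how the mangle rules above are walked for one packet.
# A matching mark-packet rule sets the mark; passthrough=no stops the walk,
# passthrough=yes lets a later matching rule overwrite the mark.

# (new-packet-mark, passthrough, matchers) in the page's order.
# Assumptions: p2p=all-p2p and src-address-list=Youtube are reduced to boolean
# packet fields; ranges are inclusive and an upper bound of 0 means "no limit".
RULES = [
    ("icmp", False, {"protocol": "icmp"}),
    ("ssl", False, {"protocol": "tcp", "dst_port": 443}),
    ("p2p", False, {"p2p": True}),
    ("udp-100", False, {"protocol": "udp", "packet_size": (0, 100)}),
    ("upd-500", False, {"protocol": "udp", "packet_size": (100, 500)}),
    ("upd-other", False, {"protocol": "udp"}),
    ("msn-messenger", False, {"protocol": "tcp", "dst_port": 1863}),
    ("pop3", False, {"protocol": "tcp", "dst_port": 110}),
    ("smtp", False, {"protocol": "tcp", "dst_port": 25}),
    ("imap", False, {"protocol": "tcp", "dst_port": 143}),
    ("gre", False, {"protocol": "gre"}),
    ("ipsec-esp", False, {"protocol": "ipsec-esp"}),
    ("ipsec-ah", False, {"protocol": "ipsec-ah"}),
    ("ipencap", False, {"protocol": "ipencap"}),
    ("ipip", False, {"protocol": "ipip"}),
    ("Youtube", False, {"src_in_youtube_list": True}),
    ("http", False, {"protocol": "tcp", "dst_port": 80}),
    ("0bytes", True, {"connection_bytes": (1, 512000)}),
    ("1Mbyte", True, {"connection_bytes": (512000, 1000000)}),
    ("3Mbyte", True, {"connection_bytes": (1000000, 3000000)}),
    ("6Mbyte", True, {"connection_bytes": (3000000, 6000000)}),
    ("30Mbyte", True, {"connection_bytes": (6000000, 30000000)}),
    ("60Mbytes", True, {"connection_bytes": (30000000, 60000000)}),
    ("Infinite", True, {"connection_bytes": (60000000, 0)}),
]


def matches(packet, matchers):
    """True when every matcher of a rule agrees with the packet."""
    for field, wanted in matchers.items():
        value = packet.get(field)
        if isinstance(wanted, tuple):          # numeric range low-high
            low, high = wanted
            if value is None or value < low or (high != 0 and value > high):
                return False
        elif value != wanted:                  # exact match
            return False
    return True


def evaluate(packet, rules=RULES):
    """Return (final mark, list of every rule that matched on the way)."""
    mark, trace = None, []
    for new_mark, passthrough, matchers in rules:
        if matches(packet, matchers):
            mark = new_mark
            trace.append(new_mark)
            if not passthrough:
                break
    return mark, trace


def udp_rules_first(rules=RULES):
    """Same rules with the p2p rule moved below the three UDP rules."""
    return rules[:2] + rules[3:6] + [rules[2]] + rules[6:]


# Constructed sample packets (not captured traffic).
P2P_UDP = {"protocol": "udp", "packet_size": 80, "p2p": True,
           "connection_bytes": 4000}
HTTP_REQUEST = {"protocol": "tcp", "dst_port": 80, "packet_size": 400,
                "connection_bytes": 900}
HTTP_RESPONSE = {"protocol": "tcp", "src_port": 80, "dst_port": 51000,
                 "packet_size": 1500, "connection_bytes": 2000000}
BOUNDARY = {"protocol": "tcp", "dst_port": 51000, "connection_bytes": 512000}
VIDEO = dict(HTTP_RESPONSE, src_in_youtube_list=True)

if __name__ == "__main__":
    samples = [("p2p over udp", P2P_UDP), ("http request", HTTP_REQUEST),
               ("http response", HTTP_RESPONSE), ("512000 bytes", BOUNDARY),
               ("video download", VIDEO)]
    for name, packet in samples:
        print(f"{name:15} -> {evaluate(packet)}")
    print("p2p, udp first  ->", evaluate(P2P_UDP, udp_rules_first()))
```

In the model, HTTP_RESPONSE shows that dst-port=80 marks only client-to-server packets, so packets coming back from a web server fall through to the connection-bytes marks unless an earlier rule catches them. BOUNDARY shows that where two connection-bytes ranges share an endpoint, the later rule's mark is the one that remains.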

Queue Type

PCQ will be used only for Youtube and other web video

/queue type
add kind=pcq name=Youtube_down pcq-classifier=src-port,dst-port pcq-limit=50 pcq-rate=400000 pcq-total-limit=2000


Queue Tree

This is the Queue Tree that manages the marked packets.

For all rules except Youtube, queue=default; for all rules, max-limit and limit-at are zero except where a value is specified.

/queue tree
add limit-at=550000000 max-limit=550000000 name=OVERALL parent=INTERNAL priority=5

	add name=PRIO1 parent=OVERALL priority=1
		add name=0-512 packet-mark=0bytes parent=PRIO1 priority=1
		add name=ICMP packet-mark=icmp parent=PRIO1 priority=1
		add name=POP3 packet-mark=pop3 parent=PRIO1 priority=1
		add name=SMTP packet-mark=smtp parent=PRIO1 priority=1
		add name=IMAP packet-mark=imap parent=PRIO1 priority=1
		add name=HTTP packet-mark=http parent=PRIO1 priority=1
		add name=SSL packet-mark=ssl parent=PRIO1 priority=1
		add name=MSN-MESSENGER packet-mark=msn-messenger parent=PRIO1 priority=1

	add name=PRIO3 parent=OVERALL priority=3
		add name=1Mbyte packet-mark=1Mbyte parent=PRIO3 priority=3

	add name=PRIO4 parent=OVERALL priority=4
		add name=3Mbyte packet-mark=3Mbyte parent=PRIO4 priority=4

	add name=PRIO5 parent=OVERALL priority=5
		add name=6Mbyte packet-mark=6Mbyte parent=PRIO5 priority=5

	add name=PRIO6 parent=OVERALL priority=6
		add name=30Mbyte packet-mark=30Mbyte parent=PRIO6 priority=6

	add name=PRIO7 parent=OVERALL priority=7
		add name=Youtube packet-mark=Youtube parent=PRIO7 priority=7 queue=Youtube_down
		add name=60Mbyte packet-mark=60Mbytes parent=PRIO7 priority=7

	add name=PRIO8 parent=OVERALL priority=8
		add name=Infinite packet-mark=Infinite parent=PRIO8 priority=8
		add name=GRE packet-mark=gre parent=PRIO8 priority=8
		add name=IPSEC-ESP packet-mark=ipsec-esp parent=PRIO8 priority=8
		add name=IPSEC-AH packet-mark=ipsec-ah parent=PRIO8 priority=8
		add name=P2P packet-mark=p2p parent=PRIO8 priority=8
		add name=IPENCAP packet-mark=ipencap parent=PRIO8 priority=8
		add name=IPIP packet-mark=ipip parent=PRIO8 priority=8

	add name=UDP parent=OVERALL priority=1
		add name=UDP-100 packet-mark=udp-100 parent=UDP priority=1
		add name=UDP-500 packet-mark=upd-500 parent=UDP priority=3
		add name=UDP-Other packet-mark=upd-other parent=UDP priority=8

add disabled=yes limit-at=22000000 max-limit=22000000 name=PRIO8-19h parent=INTERNAL priority=3
	add name=Infinite-19h packet-mark=Infinite parent=PRIO8-19h priority=8
	add name=P2P-19h packet-mark=p2p parent=PRIO8-19h priority=8
	add name=GRE-19h packet-mark=gre parent=PRIO8-19h priority=8
	add name=IPENCAP-19h packet-mark=ipencap parent=PRIO8-19h priority=8
	add name=IPIP-19h packet-mark=ipip parent=PRIO8-19h priority=8
	add name=IPSEC-AH-19h packet-mark=ipsec-ah parent=PRIO8-19h priority=8
	add name=IPSEC-ESP-19h packet-mark=ipsec-esp parent=PRIO8-19h priority=8

Scripts for changing Queue Tree at different times of day

We have some very useful scripts that change the Queue Tree at different times of the day. At 19h the first script starts checking the average rate of the PRIO8 queue; if it is below 20 Mbit/s, it disables PRIO8 and enables PRIO8-19h, which guarantees 22 Mbit/s for that kind of traffic. The other script checks the average rate of the OVERALL queue; if the rate is below 510 Mbit/s, it disables PRIO8-19h and enables PRIO8, since there will be more than 22 Mbit/s available:

/system script
add name=Day source="/queue tree enable PRIO8; /queue tree disable PRIO8-19h; /system scheduler disable Night; /system scheduler disable Overall-Night"
add name=Night source=":global checkrate [/queue tree get PRIO8 rate]\r\
    \n:local rate 20000000\r\
    \n\r\
    \n:if ( \$checkrate < \$rate ) do={\r\
    \n    /queue tree enable PRIO8-19h; /queue tree disable PRIO8\r\
    \n}\r\
    \n\r\
    \n:if ( \$checkrate > \$rate ) do={\r\
    \n    /queue tree enable PRIO8; /queue tree disable PRIO8-19h\r\
    \n}"
add name=Enable-Night source="/system scheduler enable Night; /system scheduler enable Overall-Night"
add name=Overall-Night source=":global checkrate [/queue tree get OVERALL rate]\r\
    \n:local rate 510000000\r\
    \n\r\
    \n:if ( \$checkrate < \$rate ) do={\r\
    \n    /queue tree enable PRIO8; /queue tree disable PRIO8-19h\r\
    \n}\r\
    \n"

And the schedules that activate the scripts:

/system scheduler
add interval=1d name=Day on-event=Day start-time=01:00:00
add disabled=yes interval=15m name=Night on-event=Night start-time=19:00:00
add interval=1d name=Enable-Night on-event=Enable-Night start-time=18:55:00
add disabled=yes interval=15m name=Overall-Night on-event=Overall-Night start-time=19:10:00