
Queue Tree, Mangle & Connection-state

College: College of Information Technology     Department: Information Networks Department     Stage: 3
Course instructor: Alaa Abdul-Hussein Mahdi Kareem       10/04/2015 20:09:22
University of Babylon, IT College
Information Network Dep., Third Class, Second Semester
MTCNA Course
MikroTik Certified Network Associate
2014-2015
By M.Sc. I.T Alaa A. Mahdi
• Queue Tree
• Queue Types
• Queue Kinds
• Mangle
• Connection-state
Queue Tree
• Queue implementation in MikroTik RouterOS is based on Hierarchical Token Bucket (HTB).
• HTB allows you to create a hierarchical queue structure and to determine the relations between queues.
• In RouterOS, these hierarchical structures can be attached at 4 different places:
1- global-in: represents all the input interfaces in general (INGRESS queue). Queues attached to global-in apply to traffic that is received by the router before packet filtering.
2- global-out: represents all the output interfaces in general (EGRESS queue).
3- global-total: represents all input and output interfaces together (in other words, it is the aggregation of global-in and global-out). Used in the case when customers have a single limit for both upload and download.
4- <interface name>: represents one particular outgoing interface. Only traffic that is designated to go out via this interface will pass this HTB queue.
• Queue tree creates only one directional queue in one of the HTBs. It is also the only way to add a queue on a separate interface. This way it is possible to ease mangle configuration - you don't need separate marks for download and upload - only upload will get to the Public interface and only download will get to the Private interface.
• It is also possible to have double queuing (example: prioritization of traffic in global-in or global-out, plus limitation per client on the outgoing interface). If you have simple queues and a queue tree in the same HTB, simple queues will get the traffic first.
• Queue tree is not ordered - all traffic passes it together.
• The sum of the committed rates of all children must be less than or equal to the amount of traffic that is available to the parent:
CIR(parent)* ≥ CIR(child1) + ... + CIR(childN)
• The maximal rate of any child must be less than or equal to the maximal rate of the parent:
MIR(parent) ≥ MIR(child1) & MIR(parent) ≥ MIR(child2) & ... & MIR(parent) ≥ MIR(childN)
Priority
• We already know that limit-at (CIR) of all queues will be given out no matter what.
• Priority is responsible for the distribution of the parent queue's remaining traffic to the child queues, so that they are able to reach max-limit.
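The two inequalities and the limit-at/priority rule above, as an added example that is not part of the lecture: a simplified model of an HTB parent with child queues, in which every child first receives its limit-at and the leftover is handed out in priority order up to max-limit. The queue names, rates and demands are made up for the example.

```python
# Added example, not from the lecture: a simplified model of how an HTB queue
# tree hands out bandwidth. Each child is first guaranteed its limit-at (CIR);
# what the parent has left is then given out by priority (1 = highest, 8 = lowest)
# until a child hits max-limit (MIR) or nothing remains. Rates are kbit/s.
from dataclasses import dataclass


@dataclass
class Queue:
    name: str
    limit_at: int     # CIR: always guaranteed
    max_limit: int    # MIR: ceiling
    priority: int = 8
    demand: int = 0   # how much the queue currently wants to send


def validate_tree(parent, children):
    """Return violations of the two inequalities on the slides (empty = OK)."""
    problems = []
    if sum(c.limit_at for c in children) > parent.limit_at:
        problems.append("sum of children limit-at exceeds parent limit-at")
    for c in children:
        if c.max_limit > parent.max_limit:
            problems.append(f"{c.name}: max-limit exceeds parent max-limit")
    return problems


def allocate(parent_rate, children):
    """Split parent_rate among children: CIR first, leftover by priority."""
    alloc = {c.name: min(c.limit_at, c.demand) for c in children}
    remaining = parent_rate - sum(alloc.values())
    for c in sorted(children, key=lambda q: q.priority):  # priority 1 served first
        if remaining <= 0:
            break
        want = min(c.demand, c.max_limit) - alloc[c.name]
        give = max(0, min(want, remaining))
        alloc[c.name] += give
        remaining -= give
    return alloc


def demo():
    """Constructed 10 Mbit/s parent with three children (names made up)."""
    parent = Queue("download", limit_at=10000, max_limit=10000)
    kids = [Queue("voip", 2000, 4000, priority=1, demand=5000),
            Queue("web", 3000, 10000, priority=4, demand=9000),
            Queue("bulk", 1000, 10000, priority=8, demand=9000)]
    assert not validate_tree(parent, kids)
    return allocate(parent.max_limit, kids)
```

In the demo, bulk keeps only its guaranteed 1000 kbit/s because the higher-priority children consume the remaining parent rate first.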



Queue Types
• Sub-menu: /queue type
• This sub-menu lists the queue types created by default and allows you to add new user-specific ones.
• By default RouterOS creates the following predefined queue types:
[admin@MikroTik] /queue type> print
 0 name="default" kind=pfifo pfifo-limit=50
 1 name="ethernet-default" kind=pfifo pfifo-limit=50
 2 name="wireless-default" kind=sfq sfq-perturb=5 sfq-allot=1514
 3 name="synchronous-default" kind=red red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
 4 name="hotspot-default" kind=sfq sfq-perturb=5 sfq-allot=1514
 5 name="only-hardware-queue" kind=none
 6 name="multi-queue-ethernet-default" kind=mq-pfifo mq-pfifo-limit=50
 7 name="default-small" kind=pfifo pfifo-limit=10
Queue Kinds
• Queue kinds, or queuing (scheduling) algorithms, describe which packet will be transmitted next in line. RouterOS supports several queuing algorithms:
• BFIFO, PFIFO, MQ PFIFO
• RED
• SFQ
• PCQ
Mangle
• Mangle is a kind of marker that marks packets with special marks for future processing. Many other facilities in RouterOS make use of these marks, e.g. queue trees, NAT, routing. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router; they are not transmitted across the network.
Marking packets
• Marking each packet is quite resource expensive, especially if the rule has to match against many parameters from the IP header or against an address list containing hundreds of entries.
• Let's say we want to:
• mark all TCP packets except tcp/80 and match these packets against the first address list;
• mark all UDP packets and match them against the second address list.
/ip firewall mangle
add chain=forward protocol=tcp port=!80 dst-address-list=first action=mark-packet new-packet-mark=first
add chain=forward protocol=udp dst-address-list=second action=mark-packet new-packet-mark=second
• The setup looks quite simple and will probably work without problems in small networks. Now multiply the number of rules by 10, add a few hundred entries to the address lists, run 100 Mbit of traffic over this router and you will see how rapidly CPU usage increases.
• The reason for this behaviour is that each rule reads the IP header of every packet and tries to match the collected data against the parameters specified in the firewall rule.
Mangle optimize
• Fortunately, if connection tracking is enabled, we can use connection marks to optimize our setup. mark-connection uses connection tracking.
/ip firewall mangle
add chain=forward protocol=tcp port=!80 dst-address-list=first connection-state=new action=mark-connection new-connection-mark=first
add chain=forward connection-mark=first action=mark-packet new-packet-mark=first passthrough=no
add chain=forward protocol=udp dst-address-list=second connection-state=new action=mark-connection new-connection-mark=second
add chain=forward connection-mark=second action=mark-packet new-packet-mark=second passthrough=no
(You can use another name for the marks.)
• Now the first rule will try to match data from the IP header only for the first packet of a new connection, and add a connection mark.
• The next rule will no longer check the IP header for each packet; it will just compare connection marks, resulting in lower CPU consumption.
• Additionally, passthrough=no was added, which helps to reduce CPU consumption even more.
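The difference between the two mangle setups, as an added example that is not part of the lecture: a toy Python model of both rule sets run over constructed traffic, counting how often a rule has to match the IP header against an address list. The address lists, IP addresses and ports are made up; connection-state=new is approximated as "first packet of a 5-tuple not yet in the conntrack table".

```python
# Added example, not from the lecture: a toy model of the two mangle setups on the
# slides. A "lookup" is one rule inspecting the IP header against an address list
# (the costly part). related/invalid connection states are not modelled.
FIRST = {"10.0.0.5", "10.0.0.6"}   # constructed address list "first"
SECOND = {"10.0.1.9"}               # constructed address list "second"


def mark_per_packet(packets):
    """Slide version 1: every packet is matched against the address lists."""
    marks, lookups = [], 0
    for proto, _src, sport, dst, dport in packets:
        mark = None
        if proto == "tcp" and 80 not in (sport, dport):   # protocol=tcp port=!80
            lookups += 1                                  # dst-address-list=first
            if dst in FIRST:
                mark = "first"
        if mark is None and proto == "udp":               # protocol=udp
            lookups += 1                                  # dst-address-list=second
            if dst in SECOND:
                mark = "second"
        marks.append(mark)
    return marks, lookups

def mark_with_conntrack(packets):
    """Slide version 2: only a connection's first packet is matched against the
    lists (mark-connection); later packets just compare the connection mark."""
    conntrack = {}  # 5-tuple -> connection mark (None = tracked but unmarked)
    marks, lookups = [], 0
    for pkt in packets:
        proto, _src, sport, dst, dport = pkt
        if pkt not in conntrack:                          # connection-state=new
            cmark = None
            if proto == "tcp" and 80 not in (sport, dport):
                lookups += 1
                if dst in FIRST:
                    cmark = "first"
            if cmark is None and proto == "udp":
                lookups += 1
                if dst in SECOND:
                    cmark = "second"
            conntrack[pkt] = cmark
        marks.append(conntrack[pkt])   # mark-packet by connection-mark, passthrough=no
    return marks, lookups

def sample_traffic():
    """Constructed: three connections, four packets each, all client->server."""
    flows = [("tcp", "192.168.1.10", 40001, "10.0.0.5", 443),   # -> "first"
             ("tcp", "192.168.1.11", 40002, "10.0.0.5", 80),    # tcp/80: unmarked
             ("udp", "192.168.1.12", 40003, "10.0.1.9", 5060)]  # -> "second"
    return [f for f in flows for _ in range(4)]
```

Both versions produce identical packet marks for this traffic, but the connection-tracking version performs one address-list lookup per connection instead of one per packet.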

connection-state
• Interprets the connection tracking analysis data for a particular packet:
• established - a packet which belongs to an existing connection
• invalid - a packet which could not be identified for some reason
• new - the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions
• related - a packet which is related to, but not part of, an existing connection, such as ICMP errors or a packet which begins an FTP data connection
