Traffic Queue Example

Consider a scenario where a customer site is connected to your network via two independent wireless links using BGP for load balancing and failover. You want to deliver a 2M/2M service limited to the total traffic across both links.

The way to do it is to first mark the packets you want to shape as 'ingress' or 'egress'. For all traffic coming IN to the router, mark the packets 'ingress', e.g.:

ip firewall mangle add action=mark-packet chain=prerouting \
	disabled=no in-interface=wlan1 new-packet-mark=ingress passthrough=yes 

ip firewall mangle add action=mark-packet chain=prerouting \
	disabled=no in-interface=wlan2 new-packet-mark=ingress passthrough=yes

The prerouting chain is important here: it ensures the packets are marked in time to be caught by the global-in queue.
[Figure: Packet Flow: Mangle Rules and Queue Tree]

For traffic going OUT, we mark the packets accordingly:

ip firewall mangle add action=mark-packet chain=postrouting \
	disabled=no new-packet-mark=egress out-interface=ether4 passthrough=yes 

ip firewall mangle add action=mark-packet chain=postrouting \
	disabled=no new-packet-mark=egress out-interface=ether5 passthrough=yes

Note that this time we use the postrouting chain, because only after the routing decision is made do we know what the exit interface will be.

Next step is to create the queue tree entries as child nodes of the global queues:

queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no \
	limit-at=2M max-limit=2M name=inbound packet-mark=ingress parent=global-in priority=8 queue=default 

queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no \
	limit-at=2M max-limit=2M name=outbound packet-mark=egress parent=global-out priority=8 queue=default

Next, I recommend that you change the default queue type since the default (pfifo) tends to produce a lopsided shaping profile. sfq (stochastic fair queue) or pcq (per connection queue) will give you a better balance across all interfaces:

FIFO (First-in First-out) queue delivers packets in the order they arrive at the queue
SFQ (Stochastic Fairness Queue) delivers packets with a round-robin approach producing a more even distribution across multiple interfaces
PCQ (Per-connection Queue) distributes available bandwidth evenly between source IP addresses

You can set the default queue type on the 'queue types' tab of queues control panel in winbox, or you can set the queue type in the specific queue properties.

The last thing that you might want to do is to exclude or prioritise specific traffic types from these rules.

For example, you may want to prioritise voice traffic within the 2M limits. Do that by keeping the rate limit on the 'inbound' and 'outbound' queues, but remove the packet mark spec. Next, create child nodes of each specifying the ingress/egress packet marks, and then add child nodes for voip packet marks with a higher priority (see queue-tree example attached).

[Figure: QoS example]

Another thing that you will probably want to do is to prioritise or exclude traffic from your management network, so that you can always reach the admin (winbox) interface to manage the router without having to compete with other traffic load on the network. Do this by adding a non-passthrough mangle rule at the top of the mangle chain that traps the relevant traffic (e.g. winbox port 8291) and prevents that traffic from being marked as ingress/egress etc. Note that you will need to do this in both inbound and outbound directions.
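
The voice prioritisation and management exclusion steps described above, written out as RouterOS commands in the same global-in/global-out layout. This is an added example, not part of the original article; the management subnet 192.0.2.0/24, the use of DSCP 46 to identify voice, and the names voip-in, voip-out and the four leaf queue names are assumptions.

```routeros
# Added example. Assumed values: 192.0.2.0/24 = management subnet
# (placeholder), DSCP 46 (EF) identifies voice, mark names voip-in/voip-out.
# These mangle rules must sit ABOVE the generic ingress/egress rules;
# "add" appends to the end, so move them to the top after adding.
/ip firewall mangle
# Management: accept ends mangle processing in the chain, so the packet
# never receives a shaping mark. Matching the management subnet as well
# as the port limits the exemption to management hosts, not to any
# traffic that happens to use port 8291.
add chain=prerouting action=accept protocol=tcp dst-port=8291 \
    src-address=192.0.2.0/24 comment="winbox in, unshaped"
add chain=postrouting action=accept protocol=tcp src-port=8291 \
    dst-address=192.0.2.0/24 comment="winbox out, unshaped"
# Voice: passthrough=no stops processing here, so the generic
# ingress/egress rule further down cannot overwrite the voip mark.
add chain=prerouting action=mark-packet in-interface=wlan1 dscp=46 \
    new-packet-mark=voip-in passthrough=no
add chain=prerouting action=mark-packet in-interface=wlan2 dscp=46 \
    new-packet-mark=voip-in passthrough=no
add chain=postrouting action=mark-packet out-interface=ether4 dscp=46 \
    new-packet-mark=voip-out passthrough=no
add chain=postrouting action=mark-packet out-interface=ether5 dscp=46 \
    new-packet-mark=voip-out passthrough=no

/queue tree
# Parents keep the 2M cap but no longer match a packet mark themselves.
set [find name=inbound] packet-mark=""
set [find name=outbound] packet-mark=""
# Leaves: a lower number is a higher priority. The limit-at values are
# illustrative; their sum per parent stays within the 2M cap.
add name=inbound-voip parent=inbound packet-mark=voip-in priority=1 \
    limit-at=512k max-limit=2M queue=default
add name=inbound-data parent=inbound packet-mark=ingress priority=8 \
    limit-at=1M max-limit=2M queue=default
add name=outbound-voip parent=outbound packet-mark=voip-out priority=1 \
    limit-at=512k max-limit=2M queue=default
add name=outbound-data parent=outbound packet-mark=egress priority=8 \
    limit-at=1M max-limit=2M queue=default
```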

Last of all, if you want to differentiate between traffic that is traversing the node (i.e. in wlan1 and out wlan2) and traffic that is delivered to/from that site, then you will need to carefully deal with the packet marking based on source/destination IP addresses as well as (or instead of) inbound and outbound interfaces.

If all you need are simple total in/out traffic limits, then the basic scheme outlined above should do the job.

Hope that helps clarify the queue system for this case. Feel free to come back with additional questions/comments if you need to.

