MikroTik RouterOS simple queues

The task / preconditions

The users of the jumpNet use cheap ADSL or cable internet connections. These connections have limited upload bandwidth and, unfortunately, their latency becomes horrible when the full upload bandwidth is in use. This behavior can be observed on every system that buffers packets during delivery. The extreme form of this phenomenon is called bufferbloat [1].

To prevent the latency going nuts because of saturated upload bandwidth, you can artificially limit your upload bandwidth. Apart from improving latency, you normally get better and more constant throughput as well.

My use case

If you have read the jumpNet article, you will be familiar with the network topology; if not, have a look:

My goal is to prevent people who are downloading files from the file server from rendering my internet connection unusable. This is really important because I use VoIP for phone calls and need a defined latency and sufficient remaining bandwidth.

So, the task is to limit the upload bandwidth the file server can use. Fortunately, MikroTik's RouterOS implements a feature called "simple queues". Although it's called "simple", it has many useful features. For example, you can restrict the bandwidth limit so that it matches only targeted IPs/networks, protocols, multiple packet marks, etc.

To achieve the described goal, I configured two things on my RB2011 [2]:

  • firewall mangle rule: mark all packets except ICMP
  • simple queue: limit the file server's upload for the jumpNet IP range to 8M

The configuration

Please ignore rule numbers 0 and 1; these are dynamic rules that clamp the TCP MSS for the OpenVPN connection. Mangle rule no. 2 adds a packet mark to every packet that is not ICMP:

Flags: X - disabled, I - invalid, D - dynamic
 0  D chain=forward action=change-mss new-mss=1360 passthrough=yes
      tcp-flags=syn protocol=tcp out-interface=ovpn-wa tcp-mss=1361-65535
      log=no log-prefix=""

 1  D chain=forward action=change-mss new-mss=1360 passthrough=yes
      tcp-flags=syn protocol=tcp in-interface=ovpn-wa tcp-mss=1361-65535
      log=no log-prefix=""

 2    chain=prerouting action=mark-packet new-packet-mark=not-icmp
      passthrough=yes protocol=!icmp log=no log-prefix=""

and the simple queue limits the upload to 8M:

[admin@FR-Z8-R] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
 0    name="queue_filer" target=10.0.0.0/8,192.168.0.0/16 dst=10.10.1.6/32
      parent=none packet-marks=not-icmp priority=8/8 queue=default/default
      limit-at=8M/8M max-limit=8M/8M burst-limit=0/0 burst-threshold=0/0
      burst-time=0s/0s total-queue=default

So, everyone accessing the file server over the jumpNet will get 8M. As my upload is rated at 10M, there should be no problem with VoIP. Of course, this only limits the upload of the file server. To limit the upload in general, it might be useful to additionally limit the interface's bandwidth:

The MikroTik manual [3] explains simple queues and queues in general in more detail.
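
A small model shows why keeping the file server at 8M on a 10M uplink keeps VoIP latency low. The following Python sketch is an added example, not part of the original article or of RouterOS; the 256 KiB modem buffer, the 12 Mbit/s offered file-server load and the VoIP packet pattern are assumptions, and the queue is modelled as a plain rate cap.

```python
# Added illustration: fluid model of a FIFO modem buffer in front of the uplink.
# From the article: 10M uplink, 8M simple-queue limit.
# Assumptions (constructed): 256 KiB buffer, 12 Mbit/s offered file-server
# load, one 200-byte VoIP packet every 20 ms.
UPLINK_BPS = 10_000_000
QUEUE_LIMIT_BPS = 8_000_000
BUFFER_BYTES = 256 * 1024
OFFERED_BPS = 12_000_000
VOIP_BYTES = 200
VOIP_INTERVAL_MS = 20


def simulate(shaper_bps=None, duration_ms=5000):
    """Return (max, mean) queueing delay in ms seen by the VoIP packets."""
    # The shaper is modelled as a rate cap: excess is held or dropped at the
    # router and never reaches the modem buffer.
    bulk_bps = OFFERED_BPS if shaper_bps is None else min(OFFERED_BPS, shaper_bps)
    bulk_per_ms = bulk_bps / 8 / 1000      # bytes entering the buffer per ms
    drain_per_ms = UPLINK_BPS / 8 / 1000   # bytes leaving on the uplink per ms
    backlog = 0.0
    delays = []
    for t in range(duration_ms):
        if t % VOIP_INTERVAL_MS == 0:
            # The packet waits until everything queued ahead of it is sent.
            delays.append(backlog / drain_per_ms)
            backlog += VOIP_BYTES
        backlog = min(backlog + bulk_per_ms, BUFFER_BYTES)  # tail drop when full
        backlog = max(0.0, backlog - drain_per_ms)
    return max(delays), sum(delays) / len(delays)


if __name__ == "__main__":
    for label, limit in (("unshaped", None), ("limited to 8M", QUEUE_LIMIT_BPS)):
        worst, mean = simulate(limit)
        print(f"{label:14s} worst {worst:6.1f} ms  mean {mean:6.1f} ms")
```

With these assumed values the unshaped run fills the buffer after about one second and every later VoIP packet waits roughly 209 ms, while the 8M run never builds a backlog.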

Short explanation

With this configuration I achieved my goal:

  • I limited the upload bandwidth of the file server to 8M
  • I still have low latency on my WAN
  • I do not mess with ICMP

Why am I handling ICMP packets differently?

For two reasons:

First, I use SmokePing [4] to monitor the latency in the jumpNet, so I do not want to add latency through the queuing / bandwidth limiting. Second, it is generally not a good idea to mess around with ICMP, as it handles many faults in IP and is used to debug problems.
