RouterOS 6.41 on a home network with servers (part 4): QoS

(photo: Mikrotik RB450G)

A 100/40 Mbps line should be enough bandwidth for most situations on a home network, so why bother with QoS (Quality of Service) at all?

My view is that the value of QoS lies in control rather than in limiting. Control means classifying every packet and giving each class, according to its purpose, a priority, a guaranteed rate and a maximum rate, so that when traffic is heavy or the link is saturated the bandwidth is divided up deliberately and the important services neither lag nor stall. That is the point of QoS.

Before traffic can be controlled effectively the packets have to be classified, and the way to do that is to mark them; that much is uncontroversial. There are countless ways to go about marking. Some say you must mark the connection first (mark-connection) and then use the connection mark (connection-mark) to mark packets (mark-packet); others say they never mark connections and mark packets directly. Some say upload and download should already be separated when marking connections, using the postrouting chain with out-interface=WAN for upload and the prerouting chain with in-interface=WAN for download; others separate upload and download only when marking packets.

Yu Song's (余松) book has this passage: "A Queue tree rule can only create a traffic-control queue in one direction, that is, one queue rule can only control upstream or downstream; once an HTB is created, one Queue tree rule can only limit traffic in one direction. Under this condition a queue rule may be bound to a single interface, which simplifies the mangle configuration: you do not need to distinguish upstream from downstream in a mangle mark rule. For example, out-interface can be set to the WAN port to capture upstream traffic, or to the LAN port to capture downstream traffic."

Which again differs from all of the above.

╮(╯_╰)╭ ╮(╯_╰)╭ ╮(╯_╰)╭ ╮(╯_╰)╭ ╮(╯_╰)╭ ╮(╯_╰)╭

I don't know which one is right either. What follows is what I ended up doing; use it with care, as my understanding may be wrong.

Both connection marking and packet marking live in /ip firewall mangle. Mangle has five chains: prerouting, input, forward, output and postrouting, and the Mikrotik Wiki explains the packet flow between them.

https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

My simplified version:
(diagram: Packet flow)

Take a DNS lookup as an example: a host on the LAN sends a query out towards the WAN, and the answer comes back from the WAN to the LAN. That is one connection, so it can be marked in the forward chain without distinguishing upload from download; to single out the connections of a particular LAN host, add Src. Address or Src. Address List as a narrowing condition. For the packets themselves I only want to apply QoS to the bandwidth towards the Internet and leave LAN-internal traffic alone, so when marking packets I use In-interface=WAN and Out-interface=WAN in addition to the connection mark. (Traffic switched between ports of the same bridge never enters the forward chain anyway unless the bridge has use-ip-firewall=yes, so the interface conditions mainly matter for traffic between different routed networks.)

My QoS policy, in this order:
  1. ICMP (Internet Control Message Protocol)
  2. DNS/NTP/VPN and the Neptune Apex (aquarium controller)
  3. Small packets (0-256 bytes)
  4. Medium packets (257-1024 bytes) and the aquarium camera (video stream)
  5. Large packets from the NAS (1025-65535 bytes, usually video streaming)
  6. Large TCP/UDP packets not from the NAS (1025-65535 bytes, usually video streaming)

Creating the firewall address lists before marking makes things easier to manage.
/ip firewall address-list
add address=***.***.***.*** list=DHCP
add address=***.***.***.*** list=NAS
add address=***.***.***.*** list=APEX
add address=***.***.***.*** list=IPCam
add address=***.***.***.*** list=AquaCAM
add address=***.***.***.*** list=VPN

Next, mark all the packets. Upload packets can be marked in postrouting with Out-interface=WAN and download packets in prerouting with In-interface=WAN, which leaves LAN-internal traffic out; in practice, though, I found this was not that accurate, and switching to the forward chain gave correct results, for reasons I don't know.
/ip firewall mangle
# The mark-connection rules below (passthrough=yes) are evaluated on every packet of a connection;
# adding connection-mark=no-mark to each of them would mark only the first packet and save CPU,
# which matters on an RB450G (see the CPU figures further down).
add action=mark-connection chain=forward comment="ICMP connection" new-connection-mark=ICMP passthrough=yes protocol=icmp
# Packet marks: out-interface-list=WAN is the upload direction, in-interface-list=WAN the download
# direction; passthrough=no stops rule evaluation as soon as a packet is marked.
add action=mark-packet chain=forward connection-mark=ICMP new-packet-mark=ICMP out-interface-list=WAN passthrough=no
add action=mark-packet chain=forward connection-mark=ICMP in-interface-list=WAN new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=forward comment="APEX connection" new-connection-mark=APEX passthrough=yes src-address-list=APEX
add action=mark-packet chain=forward connection-mark=APEX new-packet-mark=APEX out-interface-list=WAN passthrough=no
add action=mark-packet chain=forward connection-mark=APEX in-interface-list=WAN new-packet-mark=APEX passthrough=no
add action=mark-connection chain=forward comment="AquaCAM connection" new-connection-mark=AquaCAM passthrough=yes src-address-list=AquaCAM
add action=mark-packet chain=forward connection-mark=AquaCAM new-packet-mark=AquaCAM out-interface-list=WAN passthrough=no
add action=mark-packet chain=forward connection-mark=AquaCAM in-interface-list=WAN new-packet-mark=AquaCAM passthrough=no
add action=mark-connection chain=forward comment="NAS connection" new-connection-mark=NAS passthrough=yes src-address-list=NAS
# Layer7 split for the NAS: the P2P pattern only matches HTTP tracker requests (see below), so in
# practice nothing landed in NAS_P2P; note also that no queue in the tree consumes NAS_P2P.
add action=mark-packet chain=forward connection-mark=NAS layer7-protocol=P2P new-packet-mark=NAS_P2P out-interface-list=WAN passthrough=no
add action=mark-packet chain=forward connection-mark=NAS in-interface-list=WAN layer7-protocol=P2P new-packet-mark=NAS_P2P passthrough=no
add action=mark-packet chain=forward connection-mark=NAS new-packet-mark=NAS_Small out-interface-list=WAN packet-size=0-256 passthrough=no
add action=mark-packet chain=forward connection-mark=NAS new-packet-mark=NAS_Medium out-interface-list=WAN packet-size=257-1024 passthrough=no
add action=mark-packet chain=forward connection-mark=NAS new-packet-mark=NAS_Large out-interface-list=WAN packet-size=1025-65535 passthrough=no
add action=mark-packet chain=forward connection-mark=NAS in-interface-list=WAN new-packet-mark=NAS_Small packet-size=0-256 passthrough=no
add action=mark-packet chain=forward connection-mark=NAS in-interface-list=WAN new-packet-mark=NAS_Medium packet-size=257-1024 passthrough=no
add action=mark-packet chain=forward connection-mark=NAS in-interface-list=WAN new-packet-mark=NAS_Large packet-size=1025-65535 passthrough=no
# Catch-all for the rest of the LAN: it matches any packet whose source is in 192.168.88.0/24, so every
# remaining forwarded connection picks up the Others mark at the latest on its first LAN-sourced packet.
add action=mark-connection chain=forward comment="Others connection" new-connection-mark=Others passthrough=yes src-address=192.168.88.0/24
add action=mark-packet chain=forward connection-mark=Others new-packet-mark=Small out-interface-list=WAN packet-size=0-256 passthrough=no
add action=mark-packet chain=forward connection-mark=Others new-packet-mark=Medium out-interface-list=WAN packet-size=257-1024 passthrough=no
add action=mark-packet chain=forward connection-mark=Others new-packet-mark=Large out-interface-list=WAN packet-size=1025-65535 passthrough=no
add action=mark-packet chain=forward connection-mark=Others in-interface-list=WAN new-packet-mark=Small packet-size=0-256 passthrough=no
add action=mark-packet chain=forward connection-mark=Others in-interface-list=WAN new-packet-mark=Medium packet-size=257-1024 passthrough=no
add action=mark-packet chain=forward connection-mark=Others in-interface-list=WAN new-packet-mark=Large packet-size=1025-65535 passthrough=no
# The router's own traffic: connections arriving from the WAN (input chain) and leaving towards it
# (output chain). src-port=1723 and src-port=500,1701,4500 match packets coming back from a remote VPN
# server's well-known port; if this router is itself the VPN server, client packets carry those ports
# as dst-port instead and these three rules would not match them.
add action=mark-connection chain=input comment=Service in-interface-list=WAN new-connection-mark=Service passthrough=yes
add action=mark-connection chain=output new-connection-mark=Service out-interface-list=WAN passthrough=yes
add action=mark-packet chain=input connection-mark=Service new-packet-mark=Service passthrough=no protocol=tcp src-port=1723
add action=mark-packet chain=input connection-mark=Service new-packet-mark=Service passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=input connection-mark=Service new-packet-mark=Service passthrough=no protocol=gre
add action=mark-packet chain=output connection-mark=Service dst-port=53 new-packet-mark=Service passthrough=no protocol=tcp
add action=mark-packet chain=output connection-mark=Service dst-port=53,123 new-packet-mark=Service passthrough=no protocol=udp
# Last rule, kept disabled: enable it briefly to log whatever reaches the end of the chain unmarked.
add action=log chain=forward disabled=yes log-prefix=MangleCheck

One of the rules uses a Layer7 protocol to mark P2P traffic, but when I tested with Synology Download Station it did not catch the BitTorrent packets. That is to be expected: the pattern below only matches an HTTP GET whose request text contains one of the listed tracker or index site names, i.e. plain-HTTP tracker announces to those sites, while the actual transfer uses the BitTorrent peer wire protocol (frequently encrypted, or carried over uTP) and never contains such a string. Layer7 also only inspects the first 10 packets or roughly the first 2 KB of each connection, so anything later in a stream is never seen. RouterOS 6 still has the older built-in p2p matcher (p2p=all-p2p in a mangle rule), which is designed for this and is the better first attempt, although protocol encryption defeats it too. (entertane and flixflux appear twice in the list below; that is harmless.)
/ip firewall layer7-protocol
add name=P2P regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova\
|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup\
|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
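Why the pattern misses BitTorrent can be shown offline. The block below is an added example in Python, not code from the post or from MikroTik: it reassembles the Layer7 regexp above and imitates the matcher's inspection window (the first 10 packets or 2 KB of a connection) against constructed payloads. The re.DOTALL flag is an assumption that the matcher uses POSIX-style "." that also spans newlines, as l7-filter-derived matchers do; the sample payloads are constructed, not real captures.

```python
import re

# The post's own Layer7 regexp as a Python pattern (RouterOS export escaping of "$" and the
# backslash line continuations removed). re.DOTALL is an assumption, see the lead-in.
P2P_L7 = re.compile(
    r"^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova"
    r"|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup"
    r"|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$",
    re.DOTALL,
)

L7_MAX_PACKETS, L7_MAX_BYTES = 10, 2048  # how much of a connection RouterOS layer7 inspects


def l7_matches(packet_payloads):
    """Mimic the layer7 matcher: concatenate the first 10 packets (at most 2 KB) of a
    connection and search the pattern once; anything beyond that window is never inspected."""
    window = b"".join(packet_payloads[:L7_MAX_PACKETS])[:L7_MAX_BYTES]
    return P2P_L7.search(window.decode("latin-1")) is not None


# Constructed connection samples (first packets only), not real captures.
SAMPLES = {
    # plain-HTTP announce to a tracker whose name contains a listed keyword: matches
    "tracker_get": [b"GET /announce?info_hash=%AA%BB&peer_id=-DS123- HTTP/1.1\r\n"
                    b"Host: tracker.example.torrent\r\n\r\n"],
    # announce to a tracker that is not in the word list (e.g. a private tracker): missed
    "private_tracker_get": [b"GET /announce?passkey=abc HTTP/1.1\r\nHost: tracker.example.net\r\n\r\n"],
    # the actual peer-to-peer transfer: BitTorrent handshake, no HTTP at all: missed
    "peer_handshake": [b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-DS123-ABCDEFGHIJKLM"],
    # encrypted (MSE) or uTP peer traffic looks like noise: missed
    "encrypted_peer": [bytes(range(256)) * 4],
    # keyword present, but only after 2 KB of headers: outside the inspected window, missed
    "late_keyword": [b"GET /announce HTTP/1.1\r\nX-Pad: " + b"a" * 2100
                     + b"\r\nHost: tracker.example.torrent\r\n\r\n"],
}


def classify(samples):
    """Run every sample connection through the matcher; returns {name: matched?}."""
    return {name: l7_matches(packets) for name, packets in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:22s} {'P2P' if hit else 'not matched'}")
```

Only the first sample is marked; a Download Station talking to a tracker that is not in the word list, or exchanging pieces with peers, looks like the other four and falls through to the packet-size classes instead.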


Mangle rules, like firewall filter rules, are processed in order. Once a packet has been marked, passthrough=no stops it from flowing on to later rules, and a final action=log rule can be used to check which packets still reach the end of the chain unmarked. Leave that rule disabled except while testing: logging every unmarked forwarded packet is itself a CPU and log-buffer load, and /ip firewall mangle print stats shows per-rule packet and byte counters, which is a cheaper way to see which rules actually hit.

Finally, in the Queue tree, build one HTB per direction (Upload and Download), order the classes under it and attach PCQ queue types (max-limit is the ceiling, limit-at the guaranteed rate). Two things to check when sizing these: for the tree to shape anything it has to be the bottleneck, so the parent max-limit should sit a little below the throughput the line actually delivers (the Dr. Speed figures further down are about 95 Mbps down and 42 Mbps up), otherwise the ISP side queues first and the priorities never come into play; and the children's limit-at values should add up to no more than the parent's max-limit, or the guarantees cannot all be honoured at once. Also, packets marked in the input chain (the Service marks on the router's own inbound VPN traffic) terminate in the router and never leave through bridge or ether1, so an HTB attached to an interface never sees them; only a tree with parent=global would.
/queue tree
# Root HTBs hang off the egress interface: Download = packets leaving through bridge towards the LAN,
# Upload = packets leaving through ether1 (WAN). HTB applies priority= and queue= to leaves only,
# so those settings on the two roots have no effect.
add max-limit=120M name=Download parent=bridge priority=1 queue=pcq-download-default
add max-limit=50M name=Upload parent=ether1 priority=1 queue=pcq-upload-default
# Leaves: lower priority number wins when the parent is saturated; limit-at is guaranteed,
# max-limit is the ceiling a class may borrow up to.
add limit-at=1M max-limit=120M name=D1 packet-mark=ICMP parent=Download priority=1 queue=pcq-download-default
add limit-at=10M max-limit=120M name=D2 packet-mark=Service,APEX parent=Download priority=2 queue=pcq-download-default
add limit-at=10M max-limit=120M name=D3 packet-mark=NAS_Small,Small parent=Download priority=3 queue=pcq-download-default
add limit-at=20M max-limit=120M name=D4 packet-mark=NAS_Medium,Medium,AquaCAM parent=Download priority=4 queue=pcq-download-default
add limit-at=30M max-limit=120M name=D5 packet-mark=NAS_Large parent=Download priority=5 queue=pcq-download-default
add limit-at=30M max-limit=120M name=D6 packet-mark=Large parent=Download priority=6 queue=pcq-download-default
add limit-at=1M max-limit=50M name=U1 packet-mark=ICMP parent=Upload priority=1 queue=pcq-upload-default
add limit-at=5M max-limit=50M name=U2 packet-mark=Service,APEX parent=Upload priority=2 queue=pcq-upload-default
add limit-at=5M max-limit=50M name=U3 packet-mark=NAS_Small,Small parent=Upload priority=3 queue=pcq-upload-default
add limit-at=10M max-limit=50M name=U4 packet-mark=NAS_Medium,Medium,AquaCAM parent=Upload priority=4 queue=pcq-upload-default
add limit-at=15M max-limit=50M name=U5 packet-mark=NAS_Large parent=Upload priority=5 queue=pcq-upload-default
add limit-at=5M max-limit=50M name=U6 packet-mark=Large parent=Upload priority=6 queue=pcq-upload-default
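The mangle export above and this queue tree are easy to get subtly wrong in ways RouterOS will not warn about. The block below is an added example in Python, not code from the post or from MikroTik, that parses both exports and checks three things a practitioner would want to know: which packet marks mangle sets but no queue consumes (and the reverse), which marks are set in the input chain and so never reach an interface-attached HTB, and whether each root HTB's max-limit sits below the measured line rate and its children's limit-at values fit. The embedded mangle sample is a subset of the post's rules (ICMP, NAS and Service only), the queue tree is the complete one, and MEASURED_BPS is taken from the Dr. Speed figures the post reports (about 95 Mbps down, 42 Mbps up).

```python
import re

# Constructed sample input: lines copied from the post's exports. The mangle part is only a
# subset (ICMP, NAS and Service rules); the queue tree is complete so the limit-at sums are real.
MANGLE_EXPORT = """
add action=mark-connection chain=forward comment="ICMP connection" new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=forward connection-mark=ICMP new-packet-mark=ICMP out-interface-list=WAN passthrough=no
add action=mark-packet chain=forward connection-mark=ICMP in-interface-list=WAN new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=forward comment="NAS connection" new-connection-mark=NAS passthrough=yes src-address-list=NAS
add action=mark-packet chain=forward connection-mark=NAS layer7-protocol=P2P new-packet-mark=NAS_P2P out-interface-list=WAN passthrough=no
add action=mark-packet chain=forward connection-mark=NAS new-packet-mark=NAS_Large out-interface-list=WAN packet-size=1025-65535 passthrough=no
add action=mark-connection chain=input comment=Service in-interface-list=WAN new-connection-mark=Service passthrough=yes
add action=mark-packet chain=input connection-mark=Service new-packet-mark=Service passthrough=no protocol=gre
add action=mark-packet chain=output connection-mark=Service dst-port=53,123 new-packet-mark=Service passthrough=no protocol=udp
"""

QUEUE_EXPORT = """
add max-limit=120M name=Download parent=bridge priority=1 queue=pcq-download-default
add max-limit=50M name=Upload parent=ether1 priority=1 queue=pcq-upload-default
add limit-at=1M max-limit=120M name=D1 packet-mark=ICMP parent=Download priority=1 queue=pcq-download-default
add limit-at=10M max-limit=120M name=D2 packet-mark=Service,APEX parent=Download priority=2 queue=pcq-download-default
add limit-at=10M max-limit=120M name=D3 packet-mark=NAS_Small,Small parent=Download priority=3 queue=pcq-download-default
add limit-at=20M max-limit=120M name=D4 packet-mark=NAS_Medium,Medium,AquaCAM parent=Download priority=4 queue=pcq-download-default
add limit-at=30M max-limit=120M name=D5 packet-mark=NAS_Large parent=Download priority=5 queue=pcq-download-default
add limit-at=30M max-limit=120M name=D6 packet-mark=Large parent=Download priority=6 queue=pcq-download-default
add limit-at=1M max-limit=50M name=U1 packet-mark=ICMP parent=Upload priority=1 queue=pcq-upload-default
add limit-at=5M max-limit=50M name=U2 packet-mark=Service,APEX parent=Upload priority=2 queue=pcq-upload-default
add limit-at=5M max-limit=50M name=U3 packet-mark=NAS_Small,Small parent=Upload priority=3 queue=pcq-upload-default
add limit-at=10M max-limit=50M name=U4 packet-mark=NAS_Medium,Medium,AquaCAM parent=Upload priority=4 queue=pcq-upload-default
add limit-at=15M max-limit=50M name=U5 packet-mark=NAS_Large parent=Upload priority=5 queue=pcq-upload-default
add limit-at=5M max-limit=50M name=U6 packet-mark=Large parent=Upload priority=6 queue=pcq-upload-default
"""

# Throughput the post measured through the router with Dr. Speed: ~95 Mbps down, ~42 Mbps up.
MEASURED_BPS = {"Download": 95_000_000, "Upload": 42_000_000}

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value tokens, value optionally double-quoted


def parse_export(text):
    """Parse RouterOS 'add k=v ...' export lines into dicts; quoted values lose their quotes."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return rules


def to_bps(rate):
    """'120M' -> 120000000, '512k' -> 512000 (RouterOS rate suffixes); bare numbers are bps."""
    mult = {"k": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    return int(rate[:-1]) * mult[rate[-1]] if rate[-1] in mult else int(rate)


def mark_mismatch(mangle, queue):
    """(marks mangle sets but no queue consumes -> unshaped traffic, marks queued but never set)."""
    produced = {r["new-packet-mark"] for r in mangle if r.get("action") == "mark-packet"}
    consumed = {m for r in queue for m in r.get("packet-mark", "").split(",") if m}
    return produced - consumed, consumed - produced


def input_chain_marks(mangle):
    """Marks set in chain=input: those packets terminate in the router and never egress an
    interface, so an HTB attached to bridge/ether1 never sees them (parent=global would)."""
    return {r["new-packet-mark"] for r in mangle
            if r.get("action") == "mark-packet" and r.get("chain") == "input"}


def htb_report(queue, measured):
    """Per interface-attached HTB root: is max-limit below the real line rate (so the router,
    not the ISP, is the bottleneck), and do the children's limit-at guarantees fit?"""
    nodes = {r["name"]: r for r in queue}
    report = {}
    for name, r in nodes.items():
        if r["parent"] in nodes:  # a leaf, not a root
            continue
        max_limit = to_bps(r["max-limit"])
        limit_at_sum = sum(to_bps(c.get("limit-at", "0")) for c in nodes.values() if c["parent"] == name)
        report[name] = {
            "max_limit": max_limit,
            "limit_at_sum": limit_at_sum,
            "shapes": max_limit < measured[name],          # False: the tree never takes effect
            "oversubscribed": limit_at_sum > max_limit,    # guarantees exceed the ceiling
            "guarantees_fit_line": limit_at_sum <= measured[name],
        }
    return report


if __name__ == "__main__":
    mangle, queue = parse_export(MANGLE_EXPORT), parse_export(QUEUE_EXPORT)
    print("unqueued marks / orphan marks:", mark_mismatch(mangle, queue))
    print("marks set in input chain:", input_chain_marks(mangle))
    for name, rep in htb_report(queue, MEASURED_BPS).items():
        print(name, rep)
```

On the post's numbers the report says both roots have a max-limit above what the line delivers, so neither HTB is ever the bottleneck and the priorities only start to matter once max-limit is lowered to roughly the measured rate; it also shows that the Download children's limit-at values add up to 101 Mbps, more than the line can carry, and that NAS_P2P has no queue at all.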

The CPU cost of Mangle and the Queue tree also needs consideration. Before this version my mangle rules were very detailed, and when the link was saturated the CPU saturated with it, so throughput suffered, which defeats the purpose. A few test examples:
Streaming a video from the NAS with DS File on a phone from outside: upload about 4 Mbps, the phone showing roughly 500 KB/s, which agrees; router CPU around 2%.
(screenshot: WAN_Videostreaming)

Watching the home cameras with DS CAM on a phone from outside: upload about 400 Kbps, CPU around 6%.
(screenshot: WAN_surveillance)

Cross-checking from a desktop on the LAN with Surveillance Station: LAN-internal packets are not marked, so Upload in the Queue tree shows almost zero.
(screenshot: LAN_surveillance)

Speedtest with upload saturated (40 Mbps): CPU around 40%.
(screenshot: Speedtest_upload)

With download saturated, CPU close to 100%.
(screenshot: Speedtest_download)

Hinet Dr. Speed gives figures close to Speedtest: upload about 42 Mbps.
(screenshot: DrSpeed_upload)

Download is also around 95 Mbps. I tested earlier that, bypassing the router and doing PPPoE directly on the ISP modem, download is likewise about 95 Mbps and never reached 100 Mbps, so this QoS configuration is a reasonable balance between CPU and throughput on my RB450G.
(screenshot: DrSpeed_download)

Downloading with Synology Download Station, the traffic does indeed land in the NAS_Large class.
(screenshot: DownloadStation)
