Marking Traffic for Multi-WAN Queueing

To mark traffic based on website I had to create rules to first identify the website then put the address of the website into an address list to then mark the traffic.  This had to be done two different ways, one for regular traffic (HTTP) and one for secure traffic (HTTPS).  To mark the HTTP traffic I used the content argument under the advanced tab.

 

Example:

/ip firewall mangle
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s \
    chain=prerouting comment="Mark BBC Address" content=bbc.co.uk disabled=no \
    dst-port=80 protocol=tcp

Then to mark the secure traffic you have to use Layer7 Protocols.  To do this add an expression with the domain you are wanting to catch.

Example:

 

/ip firewall layer7-protocol
add name=youtube regexp=youtube.com

 

 

Then add the address to a list via Layer7:

 

/ip firewall mangle
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s \
    chain=prerouting comment="Mark Youtube HTTPS" disabled=no dst-port=443 \
    layer7-protocol=youtube protocol=tcp

 

 

Once you have the sites in an address list you can create rules to mark the connections, then mark the packets within those connections to then be queued.  When marking the connections you create two rules for each connection in the forward chain: one rule with the dst-port (upload) and/or out-interface and one with the src-port (download) and/or in-interface.  If you are doing QoS for traffic per WAN interface you will use in-interface or out-interface on every connection marking rule.  This will keep the traffic separated per WAN interface and will allow you to create four different queues, 1 global-in and 1 global-out for each WAN interface.

 

Example for address list connection marking:

 

/ip firewall mangle
add action=mark-connection chain=forward comment=\
    "Mark Video-Sites Connection Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos5-conn1 passthrough=no src-address-list=Video

add action=mark-connection chain=forward comment=\
    "Mark Video-Sites Connection Upload" disabled=no dst-address-list=Video \
    new-connection-mark=qos5-conn1 out-interface=ether1 passthrough=no

add action=mark-connection chain=forward comment=\
    "Mark Video-Sites Connection Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos5-conn2 passthrough=no src-address-list=Video

add action=mark-connection chain=forward comment=\
    "Mark Video-Sites Connection Upload" disabled=no dst-address-list=Video \
    new-connection-mark=qos5-conn2 out-interface=ether2 passthrough=no

 

 

Example for standard connection marking:

 

/ip firewall mangle
add action=mark-connection chain=forward comment="Mark HTTP Download" \
    disabled=no in-interface=ether1 new-connection-mark=qos4-conn1 \
    passthrough=no protocol=tcp src-port=80,443

add action=mark-connection chain=forward comment="Mark HTTP Upload" disabled=\
    no dst-port=80,443 new-connection-mark=qos4-conn1 out-interface=ether1 \
    passthrough=no protocol=tcp

add action=mark-connection chain=forward comment="Mark HTTP Download" \
    disabled=no in-interface=ether2 new-connection-mark=qos4-conn2 \
    passthrough=no protocol=tcp src-port=80,443

add action=mark-connection chain=forward comment="Mark HTTP Upload" disabled=\
    no dst-port=80,443 new-connection-mark=qos4-conn2 out-interface=ether2 \
    passthrough=no protocol=tcp

 

 

After you have marked your connections it is time to mark the packets in each connection-mark so the queueing can take place.  For each connection-mark you will have two different rules for marking packets (four if you have 2 WANs, six with 3 WANs, etc.).  You will create one prerouting (download) and one postrouting (upload) rule for each WAN interface.  On the prerouting rule you will use in-interface and on the postrouting rule you will use out-interface.

 

Example:

 

/ip firewall mangle
add action=mark-packet chain=prerouting comment="QoS-4-CoNN1 Download" \
    connection-mark=qos4-conn1 disabled=no in-interface=ether1 \
    new-packet-mark=qos4_conn1_download passthrough=no

add action=mark-packet chain=postrouting comment="QoS-4-CoNN1 Upload" \
    connection-mark=qos4-conn1 disabled=no new-packet-mark=qos4_conn1_upload \
    out-interface=ether1 passthrough=no

add action=mark-packet chain=prerouting comment="QoS-4-CoNN2 Download" \
    connection-mark=qos4-conn2 disabled=no in-interface=ether2 \
    new-packet-mark=qos4_conn2_download passthrough=no

add action=mark-packet chain=postrouting comment="QoS-4-CoNN2 Upload" \
    connection-mark=qos4-conn2 disabled=no new-packet-mark=qos4_conn2_upload \
    out-interface=ether2 passthrough=no

 

To limit the users downloading via HTTP you can create rules to switch queues based either on the amount of data that has come through the connection (connection-bytes) or on the rate of the connection (connection-rate).  When creating connection-rate/connection-bytes rules you create a rule for both postrouting (upload) and prerouting (download) and also for both tcp and udp connections.  So on a dual-WAN setup you will have 8 rules, four for tcp (prerouting and postrouting for each WAN) and four for udp (prerouting and postrouting for each WAN).  To set connection-rate or connection-bytes you must select either udp or tcp to enable the option.

 

Here is a very good description of connection-rate http://wiki.mikrotik.com/wiki/Connection_Rate

 

Example of connection-bytes:

 

/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark QoS-4 Download < 2mb CoNN1" connection-bytes=2000000-0 \
    connection-mark=qos4-conn1 disabled=no in-interface=ether1 new-packet-mark=qos8_conn1_download passthrough=no \
    protocol=tcp

add action=mark-packet chain=postrouting comment="Mark QoS-4 Upload < 2mb CoNN1" connection-bytes=2000000-0 \
    connection-mark=qos4-conn1 disabled=no new-packet-mark=qos8_conn1_upload out-interface=ether1 passthrough=no \
    protocol=tcp

add action=mark-packet chain=prerouting comment="Mark QoS-4 Download < 2mb CoNN2" connection-bytes=2000000-0 \
    connection-mark=qos4-conn2 disabled=no in-interface=ether2 new-packet-mark=qos8_conn2_download passthrough=no \
    protocol=tcp

add action=mark-packet chain=postrouting comment="Mark QoS-4 Upload < 2mb CoNN2" connection-bytes=2000000-0 \
    connection-mark=qos4-conn2 disabled=no new-packet-mark=qos8_conn2_upload out-interface=ether2 passthrough=no \
    protocol=tcp

add action=mark-packet chain=prerouting comment="Mark QoS-4 Download < 2mb CoNN1" connection-bytes=2000000-0 \
    connection-mark=qos4-conn1 disabled=no in-interface=ether1 new-packet-mark=qos8_conn1_download passthrough=no \
    protocol=udp

add action=mark-packet chain=postrouting comment="Mark QoS-4 Upload < 2mb CoNN1" connection-bytes=2000000-0 \
    connection-mark=qos4-conn1 disabled=no new-packet-mark=qos8_conn1_upload out-interface=ether1 passthrough=no \
    protocol=udp

add action=mark-packet chain=prerouting comment="Mark QoS-4 Download < 2mb CoNN2" connection-bytes=2000000-0 \
    connection-mark=qos4-conn2 disabled=no in-interface=ether2 new-packet-mark=qos8_conn2_download passthrough=no \
    protocol=udp

add action=mark-packet chain=postrouting comment="Mark QoS-4 Upload < 2mb CoNN2" connection-bytes=2000000-0 \
    connection-mark=qos4-conn2 disabled=no new-packet-mark=qos8_conn2_upload out-interface=ether2 passthrough=no \
    protocol=udp
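
The pairing and placement rules described above can be checked mechanically against an export.  The following Python audit is an added example, not the author's code; parse_mangle, audit and the finding names are hypothetical, and the sample export is constructed with three deliberate mistakes.  It relies on RouterOS evaluating mangle rules top to bottom and stopping at the first match that has passthrough=no, so a connection-bytes rule placed after the plain rule for the same connection-mark never fires.

```python
import re
import shlex

# Constructed sample export for one WAN (ether1); it is NOT the rule set from
# this page.  Deliberate mistakes: rule 2 sits after the plain rule 1 for the
# same connection-mark, rule 2 has no udp twin, rule 5 has no out-interface.
SAMPLE = r'''/ip firewall mangle
add action=mark-packet chain=prerouting comment="QoS-4-CoNN1 Download" \
    connection-mark=qos4-conn1 in-interface=ether1 new-packet-mark=\
    qos4_conn1_download passthrough=no
add action=mark-packet chain=prerouting comment="QoS-4 heavy Download" \
    connection-bytes=2000000-0 connection-mark=qos4-conn1 in-interface=ether1 \
    new-packet-mark=qos8_conn1_download passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="QoS-4 heavy Upload" \
    connection-bytes=2000000-0 connection-mark=qos4-conn1 new-packet-mark=\
    qos8_conn1_upload out-interface=ether1 passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="QoS-4 heavy Upload" \
    connection-bytes=2000000-0 connection-mark=qos4-conn1 new-packet-mark=\
    qos8_conn1_upload out-interface=ether1 passthrough=no protocol=udp
add action=mark-packet chain=postrouting comment="QoS-4-CoNN1 Upload" \
    connection-mark=qos4-conn1 new-packet-mark=qos4_conn1_upload passthrough=no
'''

# Which matcher pins a packet-mark rule to a WAN, per chain (as on this page).
WAN_KEY = {"prerouting": "in-interface", "postrouting": "out-interface"}
# Matchers that move a connection to another queue once it grows or speeds up.
DYNAMIC = ("connection-bytes", "connection-rate")


def parse_mangle(export):
    """Return the mark-packet rules of an export as dicts, in evaluation order."""
    # The export wraps long rules with a trailing backslash and an indent.
    joined = re.sub(r"\\\n\s*", "", export)
    rules = []
    for line in joined.splitlines():
        if not line.startswith("add "):
            continue
        tokens = shlex.split(line)[1:]          # shlex keeps quoted comments whole
        rule = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        if rule.get("action") == "mark-packet":
            rules.append(rule)
    return rules


def audit(rules):
    """Return sorted (rule_number, finding) tuples for the three checks."""
    findings = []
    terminated = set()   # (chain, connection-mark, wan) closed by a plain rule
    protocols = {}       # dynamic rule group -> (first rule number, protocols)
    for n, rule in enumerate(rules, 1):
        chain = rule.get("chain")
        mark = rule.get("connection-mark")
        wan = rule.get(WAN_KEY.get(chain, ""))
        if chain in WAN_KEY and wan is None:
            # Without in-/out-interface the mark is not separated per WAN.
            findings.append((n, "no-wan-interface"))
        if any(key in rule for key in DYNAMIC):
            # An earlier passthrough=no rule already claimed these packets.
            if {(chain, mark, wan), (chain, mark, None)} & terminated:
                findings.append((n, "shadowed"))
            first, seen = protocols.setdefault((chain, mark, wan), (n, set()))
            seen.add(rule.get("protocol"))
        elif rule.get("passthrough") == "no" and "protocol" not in rule:
            terminated.add((chain, mark, wan))
    # The page creates every connection-bytes/rate rule once for tcp, once for udp.
    for first, seen in protocols.values():
        for proto in ("tcp", "udp"):
            if proto not in seen:
                findings.append((first, "missing-" + proto))
    return sorted(findings)


if __name__ == "__main__":
    for number, finding in audit(parse_mangle(SAMPLE)):
        print(f"rule {number}: {finding}")
```

Rule numbers in the findings count mark-packet rules only, in the order they appear in the export.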

 

Once you have gone through and marked all of your packets with a mark sending it to an upload or download queue (you can have 8 priorities per tree) per WAN interface you can create your queue tree to actually queue the traffic.  Click here to view my queue tree.

 

Here is the whole QoS section of my mangle rules:

 

/ip firewall mangle
add action=accept chain=postrouting comment="Mark Other Down" disabled=no out-interface=ether1 protocol=tcp src-port=\
    8291
add action=accept chain=prerouting comment="Mark Other Down" disabled=no dst-port=8291 in-interface=ether1 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark BBC Address" content=bbc.co.uk disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Youtube Address" content=youtube.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark YouPorn Address" content=youporn.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark GameTrailers Address" content=gametrailers.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark NetFlix Address" content=netflix.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Facebook Address" content=facebook.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Own3D Address" content=own3d.tv disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Video Google Address" content=video.google.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Ted Address" content=ted.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Veoh Address" content=veoh.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark VideoJug Address" content=videojug.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark SpankWire Address" content=spankwire.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Tube8 Address" content=tube8.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark RedTube Address" content=redtube.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark OnLive Address" content=onlive.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Channel4 Address" content=channel4.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Hulu Address" content=hulu.com disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Youtube HTTPS" disabled=no dst-port=443 layer7-protocol=youtube protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Netflix HTTPS" disabled=no dst-port=443 layer7-protocol=netflix protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment=\
    "Mark Facebook HTTPS" disabled=no dst-port=443 layer7-protocol=facebook protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment="Mark veoh HTTPS" \
    disabled=no dst-port=443 layer7-protocol=veoh protocol=tcp
add action=add-dst-to-address-list address-list=Video address-list-timeout=0s chain=prerouting comment="Mark Hulu HTTPS" \
    disabled=no dst-port=443 layer7-protocol=hulu protocol=tcp
add action=add-dst-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark SpeedTest.net Address" content=speedtest.net disabled=no dst-port=80 protocol=tcp
add action=add-src-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark SpeedTest.net Address" content=speedtest.net disabled=no protocol=tcp src-port=80
add action=add-dst-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark ThinkBroadBand.com Address" content=thinkbroadband.com disabled=no dst-port=80 protocol=tcp
add action=add-src-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark ThinkBroadBand.com Address" content=thinkbroadband.com disabled=no protocol=tcp src-port=80
add action=add-dst-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark SpeakEasy.net Address" content=speakeasy.net disabled=no dst-port=80 protocol=tcp
add action=add-src-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark SpeakEasy.net Address" content=speakeasy.net disabled=no protocol=tcp src-port=80
add action=add-dst-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark TestMySpeed.com Address" content=testmyspeed.com disabled=no dst-port=80 protocol=tcp
add action=add-src-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark TestMySpeed.com Address" content=testmyspeed.com disabled=no protocol=tcp src-port=80
add action=add-dst-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark BroadBandSpeedChecker.com Address" content=broadbandspeedchecker.co.uk disabled=no dst-port=80 protocol=tcp
add action=add-src-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark BroadBandSpeedChecker.com Address" content=broadbandspeedchecker.co.uk disabled=no protocol=tcp src-port=80
add action=add-dst-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark bbc.co.uk/iplayer/diagnostics Address" content=bbc.co.uk/iplayer/diagnostics disabled=no dst-port=80 protocol=\
    tcp
add action=add-src-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark bbc.co.uk/iplayer/diagnostics Address" content=bbc.co.uk/iplayer/diagnostics disabled=no protocol=tcp \
    src-port=80
add action=add-dst-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark myvoipspeed.visualware.com Address" content=myvoipspeed.visualware.com disabled=no dst-port=80 protocol=tcp
add action=add-src-to-address-list address-list=SpeedTest address-list-timeout=0s chain=prerouting comment=\
    "Mark myvoipspeed.visualware.com Address" content=myvoipspeed.visualware.com disabled=no protocol=tcp src-port=80
add action=mark-connection chain=forward comment="Mark DNS Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos3-conn1 passthrough=no protocol=udp src-port=53
add action=mark-connection chain=forward comment="Mark DNS Upload" disabled=no dst-port=53 new-connection-mark=\
    qos3-conn1 out-interface=ether1 passthrough=no protocol=udp
add action=mark-connection chain=forward comment="Mark ICMP Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos3-conn1 passthrough=no protocol=icmp
add action=mark-connection chain=forward comment="Mark ICMP Upload" disabled=no new-connection-mark=qos3-conn1 \
    out-interface=ether1 passthrough=no protocol=icmp
add action=mark-connection chain=forward comment="Mark DNS Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos3-conn2 passthrough=no protocol=udp src-port=53
add action=mark-connection chain=forward comment="Mark DNS Upload" disabled=no dst-port=53 new-connection-mark=\
    qos3-conn2 out-interface=ether2 passthrough=no protocol=udp
add action=mark-connection chain=forward comment="Mark ICMP Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos3-conn2 passthrough=no protocol=icmp
add action=mark-connection chain=forward comment="Mark ICMP Upload" disabled=no new-connection-mark=qos3-conn2 \
    out-interface=ether2 passthrough=no protocol=icmp
add action=mark-connection chain=forward comment="VoIP TCP Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos1-conn1 passthrough=no protocol=tcp src-port=5060-5061
add action=mark-connection chain=forward comment="VoIP TCP Upload" disabled=no dst-port=5060-5061 new-connection-mark=\
    qos1-conn1 out-interface=ether1 passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="VoIP UDP Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos1-conn1 passthrough=no protocol=udp src-port=5060-5061
add action=mark-connection chain=forward comment="VoIP UDP Upload" disabled=no dst-port=5060-5061 new-connection-mark=\
    qos1-conn1 out-interface=ether1 passthrough=no protocol=udp
add action=mark-connection chain=forward comment="VoIP TCP Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos1-conn2 passthrough=no protocol=tcp src-port=5060-5061
add action=mark-connection chain=forward comment="VoIP TCP Upload" disabled=no dst-port=5060-5061 new-connection-mark=\
    qos1-conn2 out-interface=ether2 passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="VoIP UDP Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos1-conn2 passthrough=no protocol=udp src-port=5060-5061
add action=mark-connection chain=forward comment="VoIP UDP Upload" disabled=no dst-port=5060-5061 new-connection-mark=\
    qos1-conn2 out-interface=ether2 passthrough=no protocol=udp
add action=mark-connection chain=forward comment="Mark Video-Sites Connection Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos5-conn1 passthrough=no src-address-list=Video
add action=mark-connection chain=forward comment="Mark Video-Sites Connection Upload" disabled=no dst-address-list=Video \
    new-connection-mark=qos5-conn1 out-interface=ether1 passthrough=no
add action=mark-connection chain=forward comment="Mark Video-Sites Connection Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos5-conn2 passthrough=no src-address-list=Video
add action=mark-connection chain=forward comment="Mark Video-Sites Connection Upload" disabled=no dst-address-list=Video \
    new-connection-mark=qos5-conn2 out-interface=ether2 passthrough=no
add action=mark-connection chain=forward comment="Mark SpeedTest Connection Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos2-conn1 passthrough=no src-address-list=SpeedTest
add action=mark-connection chain=forward comment="Mark SpeedTest Connection Upload" disabled=no dst-address-list=\
    SpeedTest new-connection-mark=qos2-conn1 out-interface=ether1 passthrough=no
add action=mark-connection chain=forward comment="Mark SpeedTest Connection Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos2-conn2 passthrough=no src-address-list=SpeedTest
add action=mark-connection chain=forward comment="Mark SpeedTest Connection Upload" disabled=no dst-address-list=\
    SpeedTest new-connection-mark=qos2-conn2 out-interface=ether2 passthrough=no
add action=mark-connection chain=forward comment="XBL UDP Download" disabled=no in-interface=ether1 new-connection-mark=\
    qos6-conn1 passthrough=no protocol=udp src-port=88,3047
add action=mark-connection chain=forward comment="XBL UDP Upload" disabled=no dst-port=88,3047 new-connection-mark=\
    qos6-conn1 out-interface=ether1 passthrough=no protocol=udp
add action=mark-connection chain=forward comment="XBL TCP Download" disabled=no in-interface=ether1 new-connection-mark=\
    qos6-conn1 passthrough=no protocol=tcp src-port=3047
add action=mark-connection chain=forward comment="XBL TCP Upload" disabled=no dst-port=3047 new-connection-mark=\
    qos6-conn1 out-interface=ether1 passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="Varios Games UDP Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos6-conn1 passthrough=no protocol=udp src-port=6112-6119,3074,3075,3478,3479,4380,1500
add action=mark-connection chain=forward comment="Varios Games UDP Upload" disabled=no dst-port=\
    6112-6119,3074,3075,3478,3479,4380,1500 new-connection-mark=qos6-conn1 out-interface=ether1 passthrough=no protocol=\
    udp
add action=mark-connection chain=forward comment="Varios Games UDP Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos6-conn1 passthrough=no protocol=udp src-port=3005,3101,28960,5000-5500,1200,27000-27030
add action=mark-connection chain=forward comment="Varios Games UDP Upload" disabled=no dst-port=\
    3005,3101,28960,5000-5500,1200,27000-27030 new-connection-mark=qos6-conn1 out-interface=ether1 passthrough=no \
    protocol=udp
add action=mark-connection chain=forward comment="Varios Games TCP Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos6-conn1 passthrough=no protocol=tcp src-port=\
    6112-6119,4000,3724,2099,5222,5223,8393-8400,3074,27014-27050
add action=mark-connection chain=forward comment="Varios Games TCP Upload" disabled=no dst-port=\
    6112-6119,4000,3724,2099,5222,5223,8393-8400,3074,27014-27050 new-connection-mark=qos6-conn1 out-interface=ether1 \
    passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="XBL UDP Download" disabled=no in-interface=ether2 new-connection-mark=\
    qos6-conn2 passthrough=no protocol=udp src-port=88,3047
add action=mark-connection chain=forward comment="XBL UDP Upload" disabled=no dst-port=88,3047 new-connection-mark=\
    qos6-conn2 out-interface=ether2 passthrough=no protocol=udp
add action=mark-connection chain=forward comment="XBL TCP Download" disabled=no in-interface=ether2 new-connection-mark=\
    qos6-conn2 passthrough=no protocol=tcp src-port=3047
add action=mark-connection chain=forward comment="XBL TCP Upload" disabled=no dst-port=3047 new-connection-mark=\
    qos6-conn2 out-interface=ether2 passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="Varios Games UDP Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos6-conn2 passthrough=no protocol=udp src-port=6112-6119,3074,3075,3478,3479,4380,1500
add action=mark-connection chain=forward comment="Varios Games UDP Upload" disabled=no dst-port=\
    6112-6119,3074,3075,3478,3479,4380,1500 new-connection-mark=qos6-conn2 out-interface=ether2 passthrough=no protocol=\
    udp
add action=mark-connection chain=forward comment="Varios Games UDP Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos6-conn2 passthrough=no protocol=udp src-port=3005,3101,28960,5000-5500,1200,27000-27030
add action=mark-connection chain=forward comment="Varios Games UDP Upload" disabled=no dst-port=\
    3005,3101,28960,5000-5500,1200,27000-27030 new-connection-mark=qos6-conn2 out-interface=ether2 passthrough=no \
    protocol=udp
add action=mark-connection chain=forward comment="Varios Games TCP Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos6-conn2 passthrough=no protocol=tcp src-port=\
    6112-6119,4000,3724,2099,5222,5223,8393-8400,3074,27014-27050
add action=mark-connection chain=forward comment="Varios Games TCP Upload" disabled=no dst-port=\
    6112-6119,4000,3724,2099,5222,5223,8393-8400,3074,27014-27050 new-connection-mark=qos6-conn2 out-interface=ether2 \
    passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="Mark HTTP Upload" disabled=no dst-port=80,443 new-connection-mark=\
    qos4-conn1 out-interface=ether1 passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="Mark HTTP Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos4-conn1 passthrough=no protocol=tcp src-port=80,443
add action=mark-connection chain=forward comment="Mark HTTP Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos4-conn2 passthrough=no protocol=tcp src-port=80,443
add action=mark-connection chain=forward comment="Mark HTTP Upload" disabled=no dst-port=80,443 new-connection-mark=\
    qos4-conn2 out-interface=ether2 passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="Mark HTTP Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos4-conn1 passthrough=no protocol=udp src-port=80,443
add action=mark-connection chain=forward comment="Mark HTTP Upload" disabled=no dst-port=80,443 new-connection-mark=\
    qos4-conn1 out-interface=ether1 passthrough=no protocol=udp
add action=mark-connection chain=forward comment="Mark HTTP Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos4-conn2 passthrough=no protocol=udp src-port=80,443
add action=mark-connection chain=forward comment="Mark HTTP Upload" disabled=no dst-port=80,443 new-connection-mark=\
    qos4-conn2 out-interface=ether2 passthrough=no protocol=udp
add action=mark-connection chain=forward comment="Mark P2P Download" disabled=no in-interface=ether1 \
    new-connection-mark=qos8-conn1 p2p=all-p2p passthrough=no
add action=mark-connection chain=forward comment="Mark P2P Upload" disabled=no new-connection-mark=qos8-conn1 \
    out-interface=ether1 p2p=all-p2p passthrough=no
add action=mark-connection chain=forward comment="Mark P2P Download" disabled=no in-interface=ether2 \
    new-connection-mark=qos8-conn2 p2p=all-p2p passthrough=no
add action=mark-connection chain=forward comment="Mark P2P Upload" disabled=no new-connection-mark=qos8-conn2 \
    out-interface=ether2 p2p=all-p2p passthrough=no
add action=mark-connection chain=forward comment="Mark Other Down" disabled=no in-interface=ether1 new-connection-mark=\
    qos7-conn1 passthrough=no
add action=mark-connection chain=forward comment="Mark Other Up" disabled=no new-connection-mark=qos7-conn1 \
    out-interface=ether1 passthrough=no
add action=mark-connection chain=forward comment="Mark Other Down" disabled=no in-interface=ether2 new-connection-mark=\
    qos7-conn2 passthrough=no
add action=mark-connection chain=forward comment="Mark Other Up" disabled=no new-connection-mark=qos7-conn2 \
    out-interface=ether2 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-1 Download CoNN1" connection-mark=qos1-conn1 disabled=no \
    in-interface=ether1 new-packet-mark=qos1_conn1_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-1 Upload CoNN1" connection-mark=qos1-conn1 disabled=no \
    new-packet-mark=qos1_conn1_upload out-interface=ether1 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-1 Download CoNN2" connection-mark=qos1-conn2 disabled=no \
    in-interface=ether2 new-packet-mark=qos1_conn2_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-1 Upload CoNN2" connection-mark=qos1-conn2 disabled=no \
    new-packet-mark=qos1_conn2_upload out-interface=ether2 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-2 Download CoNN1" connection-mark=qos2-conn1 disabled=no \
    in-interface=ether1 new-packet-mark=qos2_conn1_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-2 Upload CoNN1" connection-mark=qos2-conn1 disabled=no \
    new-packet-mark=qos2_conn1_upload out-interface=ether1 passthrough=no
add action=mark-packet chain=postrouting comment="QoS-2 Upload CoNN2" connection-mark=qos2-conn2 disabled=no \
    new-packet-mark=qos2_conn2_upload out-interface=ether2 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-2 Download CoNN2" connection-mark=qos2-conn2 disabled=no \
    in-interface=ether2 new-packet-mark=qos2_conn2_download passthrough=no
add action=mark-packet chain=prerouting comment="QoS-3 Download CoNN1" connection-mark=qos3-conn1 disabled=no \
    in-interface=ether1 new-packet-mark=qos3_conn1_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-3 Upload CoNN1" connection-mark=qos3-conn1 disabled=no \
    new-packet-mark=qos3_conn1_upload out-interface=ether1 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-3 Download CoNN2" connection-mark=qos3-conn2 disabled=no \
    in-interface=ether2 new-packet-mark=qos3_conn2_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-3 Upload CoNN2" connection-mark=qos3-conn2 disabled=no \
    new-packet-mark=qos3_conn2_upload out-interface=ether2 passthrough=no
add action=mark-packet chain=prerouting comment="Mark QoS-4 Download < 2mb CoNN1" connection-bytes=2000000-0 \
    connection-mark=qos4-conn1 disabled=no in-interface=ether1 new-packet-mark=qos8_conn1_download passthrough=no \
    protocol=tcp
add action=mark-packet chain=postrouting comment="Mark QoS-4 Upload < 2mb CoNN1" connection-bytes=2000000-0 \
    connection-mark=qos4-conn1 disabled=no new-packet-mark=qos8_conn1_upload out-interface=ether1 passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment="Mark QoS-4 Download < 2mb CoNN2" connection-bytes=2000000-0 \
    connection-mark=qos4-conn2 disabled=no in-interface=ether2 new-packet-mark=qos8_conn2_download passthrough=no \
    protocol=tcp
add action=mark-packet chain=postrouting comment="Mark QoS-4 Upload < 2mb CoNN2" connection-bytes=2000000-0 \
    connection-mark=qos4-conn2 disabled=no new-packet-mark=qos8_conn2_upload out-interface=ether2 passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment="Mark QoS-4 Download < 2mb CoNN1" connection-bytes=2000000-0 \
    connection-mark=qos4-conn1 disabled=no in-interface=ether1 new-packet-mark=qos8_conn1_download passthrough=no \
    protocol=udp
add action=mark-packet chain=postrouting comment="Mark QoS-4 Upload < 2mb CoNN1" connection-bytes=2000000-0 \
    connection-mark=qos4-conn1 disabled=no new-packet-mark=qos8_conn1_upload out-interface=ether1 passthrough=no \
    protocol=udp
add action=mark-packet chain=prerouting comment="Mark QoS-4 Download < 2mb CoNN2" connection-bytes=2000000-0 \
    connection-mark=qos4-conn2 disabled=no in-interface=ether2 new-packet-mark=qos8_conn2_download passthrough=no \
    protocol=udp
add action=mark-packet chain=postrouting comment="Mark QoS-4 Upload < 2mb CoNN2" connection-bytes=2000000-0 \
    connection-mark=qos4-conn2 disabled=no new-packet-mark=qos8_conn2_upload out-interface=ether2 passthrough=no \
    protocol=udp
add action=mark-packet chain=prerouting comment="QoS-4-CoNN1 Download" connection-mark=qos4-conn1 disabled=no \
    in-interface=ether1 new-packet-mark=qos4_conn1_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-4-CoNN1 Upload" connection-mark=qos4-conn1 disabled=no \
    new-packet-mark=qos4_conn1_upload out-interface=ether1 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-4-CoNN2 Download" connection-mark=qos4-conn2 disabled=no \
    in-interface=ether2 new-packet-mark=qos4_conn2_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-4-CoNN2 Upload" connection-mark=qos4-conn2 disabled=no \
    new-packet-mark=qos4_conn2_upload out-interface=ether2 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-5 Download CoNN1" connection-mark=qos5-conn1 disabled=no \
    in-interface=ether1 new-packet-mark=qos5_conn1_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-5 Upload CoNN1" connection-mark=qos5-conn1 disabled=no \
    new-packet-mark=qos5_conn1_upload out-interface=ether1 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-5 Download CoNN2" connection-mark=qos5-conn2 disabled=no \
    in-interface=ether2 new-packet-mark=qos5_conn2_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-5 Upload CoNN2" connection-mark=qos5-conn2 disabled=no \
    new-packet-mark=qos5_conn2_upload out-interface=ether2 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-6 Download CoNN1" connection-mark=qos6-conn1 disabled=no \
    in-interface=ether1 new-packet-mark=qos6_conn1_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-6 Upload CoNN1" connection-mark=qos6-conn1 disabled=no \
    new-packet-mark=qos6_conn1_upload out-interface=ether1 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-6 Download CoNN2" connection-mark=qos6-conn2 disabled=no \
    in-interface=ether2 new-packet-mark=qos6_conn2_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-6 Upload CoNN2" connection-mark=qos6-conn2 disabled=no \
    new-packet-mark=qos6_conn2_upload out-interface=ether2 passthrough=no
add action=mark-packet chain=prerouting comment="Mark QoS-7 Download < 2mb" connection-bytes=500000-0 connection-mark=\
    qos7-conn1 disabled=no in-interface=ether1 new-packet-mark=qos8_conn1_download passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="Mark QoS-7 Upload < 2mb" connection-bytes=500000-0 connection-mark=\
    qos7-conn1 disabled=no new-packet-mark=qos8_conn1_upload out-interface=ether1 passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="Mark QoS-7 Download < 2mb" connection-bytes=500000-0 connection-mark=\
    qos7-conn1 disabled=no in-interface=ether1 new-packet-mark=qos8_conn1_download passthrough=no protocol=udp
add action=mark-packet chain=postrouting comment="Mark QoS-7 Upload < 2mb" connection-bytes=500000-0 connection-mark=\
    qos7-conn1 disabled=no new-packet-mark=qos8_conn1_upload out-interface=ether1 passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment="Mark QoS-7 Download < 2mb" connection-bytes=500000-0 connection-mark=\
    qos7-conn2 disabled=no in-interface=ether2 new-packet-mark=qos8_conn2_download passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="Mark QoS-7 Upload < 2mb" connection-bytes=500000-0 connection-mark=\
    qos7-conn2 disabled=no new-packet-mark=qos8_conn2_upload out-interface=ether2 passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="Mark QoS-7 Download < 2mb" connection-bytes=500000-0 connection-mark=\
    qos7-conn2 disabled=no in-interface=ether2 new-packet-mark=qos8_conn2_download passthrough=no protocol=udp
add action=mark-packet chain=postrouting comment="Mark QoS-7 Upload < 2mb" connection-bytes=500000-0 connection-mark=\
    qos7-conn2 disabled=no new-packet-mark=qos8_conn2_upload out-interface=ether2 passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment="QoS-7 Download CoNN1" connection-mark=qos7-conn1 disabled=no \
    in-interface=ether1 new-packet-mark=qos7_conn1_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-7 Upload CoNN1" connection-mark=qos7-conn1 disabled=no \
    new-packet-mark=qos7_conn1_upload out-interface=ether1 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-7 Download CoNN2" connection-mark=qos7-conn2 disabled=no \
    in-interface=ether2 new-packet-mark=qos7_conn2_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-7 Upload CoNN2" connection-mark=qos7-conn2 disabled=no \
    new-packet-mark=qos7_conn2_upload out-interface=ether2 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-8 Download CoNN1" connection-mark=qos8-conn1 disabled=no \
    in-interface=ether1 new-packet-mark=qos8_conn1_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-8 Upload CoNN1" connection-mark=qos8-conn1 disabled=no \
    new-packet-mark=qos8_conn1_upload out-interface=ether1 passthrough=no
add action=mark-packet chain=prerouting comment="QoS-8 Download CoNN2" connection-mark=qos8-conn2 disabled=no \
    in-interface=ether2 new-packet-mark=qos8_conn2_download passthrough=no
add action=mark-packet chain=postrouting comment="QoS-8 Upload CoNN2" connection-mark=qos8-conn2 disabled=no \
    new-packet-mark=qos8_conn2_upload out-interface=ether2 passthrough=no
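Because every rule in this listing uses passthrough=no, the first matching mark-packet rule in a chain decides the mark, so the volume rules (connection-bytes) only take effect while they sit above the catch-all rule for the same connection mark. The Python check below is an added example, not part of the original post: it parses export text and reports rules that an earlier, more general rule makes unreachable. The sample rules and function names are constructed for illustration, and matchers are compared by exact value only.

```python
import re
import shlex

# Keys that do not restrict which packets a rule matches; any other key is a matcher.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "passthrough",
                "new-packet-mark", "new-connection-mark"}

# Constructed sample in export syntax, modelled on the QoS-7 rules above. The third
# rule is deliberately placed after the catch-all to show the failure mode.
# connection-bytes=500000-0 is the range "500000 bytes and up" (0 = no upper bound).
SAMPLE = r'''
add action=mark-packet chain=prerouting comment="Mark QoS-7 Download < 2mb" connection-bytes=500000-0 connection-mark=\
    qos7-conn1 disabled=no in-interface=ether1 new-packet-mark=qos8_conn1_download passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="QoS-7 Download CoNN1" connection-mark=qos7-conn1 disabled=no \
    in-interface=ether1 new-packet-mark=qos7_conn1_download passthrough=no
add action=mark-packet chain=prerouting comment="misplaced volume rule" connection-bytes=500000-0 connection-mark=\
    qos7-conn1 disabled=no in-interface=ether1 new-packet-mark=qos8_conn1_download passthrough=no protocol=udp
'''


def parse_rules(export_text):
    """Join backslash-continued lines and turn each 'add' line into a dict."""
    joined = re.sub(r"\\\n\s*", "", export_text)
    rules = []
    for line in joined.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] == ["add"]:
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules


def shadowed(rules):
    """Return (earlier, later) comment pairs where the later rule can never match."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            # An enabled passthrough=no rule ends processing in its chain on a match.
            terminal = (earlier.get("passthrough") == "no"
                        and earlier.get("disabled", "no") == "no"
                        and earlier.get("chain") == later.get("chain"))
            matchers = {k: v for k, v in earlier.items() if k not in NON_MATCHERS}
            # Unreachable if the later rule repeats every matcher of the earlier one.
            if terminal and all(later.get(k) == v for k, v in matchers.items()):
                findings.append((earlier.get("comment"), later.get("comment")))
                break
    return findings


if __name__ == "__main__":
    print(shadowed(parse_rules(SAMPLE)))
```

With the first two sample rules alone, which follow the ordering used in the listing, the check reports nothing.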

3 thoughts on “Marking Traffic for Multi-WAN Queueing”

  1. For a couple of weeks I had been looking for something like this until I found your post. With some modifications I’m prioritizing by traffic type (HTTP, Netflix, DNS), but what I could make is that an IP network implementation qos8 to all traffic. Have any suggestions how to implement this?

    Thanks and regards
