In 2014 I bought an RB2011 intending to learn ROS in depth, but I gave up fairly soon. The ROS wiki (https://wiki.mikrotik.com/wiki/) does have plenty of unique documentation, but anyone with Linux experience can quickly translate those documents into something that runs under OpenWrt. For many Linux commands the ROS command line supports only some of the parameters; after all, ROS is only a subset of Linux, and it re-interprets Linux commands through its own syntax. The main reason I gave up on ROS at the time, though, was that writing scripts is exhausting: something that takes a few lines with the Linux GNU tools is not easy to turn into a script that runs on ROS.

On Linux QoS: as far as I can tell, ROS has only now got the packet-to-connection process, which is very outdated. Linux has the connmark structure, the so-called process of carrying the packet mark over into the connection mark, so that ultimately every packet is answered by the first rule. I still can't work out whether ROS has this structure. Given how iptables rules under Linux are traversed from top to bottom, if ROS traverses its rules the same way it is clearly less efficient than the connmark structure; but if ROS only displays the rules like that in the front end while the real underlying implementation is connmark as well, then the two are roughly on par. Of course Linux has many more advanced usages as well. With 13 VLAN interfaces, do you really build a separate QoS setup for each VLAN? Linux has the ifb interface: traffic from all 13 VLANs can be redirected to one ifb0 interface and QoS applied there in one place.
```
iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
iptables -A POSTROUTING -p tcp --dport 21 -t mangle -j MARK --set-mark 1
iptables -A POSTROUTING -p tcp --dport 80 -t mangle -j MARK --set-mark 2
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
```
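To make the traversal concrete, here is an added Python model of the five POSTROUTING rules above (example code, not from the post). It keeps a toy conntrack table keyed by the flow 5-tuple and counts how many rules each packet touches: only the first packet of a connection walks all five rules; every later packet, in either direction, is answered by the restore-mark/ACCEPT pair. The `stop` flag on a rule plays the part of `-j ACCEPT` here, which is also how `passthrough=no` behaves in the RouterOS mangle rules further down. Packets, ports and addresses are constructed for the example.

```python
from collections import namedtuple

# Constructed packet: the 5-tuple is all the mark rules above look at.
Packet = namedtuple("Packet", "src dst proto sport dport")
# stop=True plays the role of -j ACCEPT (a terminating target); MARK/CONNMARK are non-terminating.
Rule = namedtuple("Rule", "name match action stop")


class Conntrack:
    """Toy stand-in for the kernel connection tracker: one mark per flow, shared by both directions."""

    def __init__(self):
        self.marks = {}

    @staticmethod
    def key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)  # direction-independent key

    def get(self, p):
        return self.marks.get(self.key(p), 0)  # untracked / unmarked connections read as 0

    def set(self, p, mark):
        self.marks[self.key(p)] = mark


def set_mark(value):
    return lambda p, mark, ct: value


def restore_mark(p, mark, ct):
    return ct.get(p)


def save_mark(p, mark, ct):
    ct.set(p, mark)
    return mark


# The POSTROUTING mangle chain from the iptables lines above, in order.
POSTROUTING = [
    Rule("CONNMARK --restore-mark", lambda p, m: True, restore_mark, False),
    Rule("-m mark ! --mark 0 -j ACCEPT", lambda p, m: m != 0, lambda p, m, ct: m, True),
    Rule("tcp dport 21 -> MARK 1", lambda p, m: p.proto == "tcp" and p.dport == 21, set_mark(1), False),
    Rule("tcp dport 80 -> MARK 2", lambda p, m: p.proto == "tcp" and p.dport == 80, set_mark(2), False),
    Rule("CONNMARK --save-mark", lambda p, m: True, save_mark, False),
]


def walk_chain(chain, p, ct):
    """Return (final packet mark, number of rules evaluated) for one packet."""
    mark, evaluated = 0, 0
    for rule in chain:
        evaluated += 1
        if rule.match(p, mark):
            mark = rule.action(p, mark, ct)
            if rule.stop:
                break  # terminating target: the rest of the chain is skipped
    return mark, evaluated


def run_flow(packets, ct=None):
    ct = Conntrack() if ct is None else ct
    return [walk_chain(POSTROUTING, p, ct) for p in packets]


def example_flows():
    """Three constructed flows: HTTP, FTP control, and DNS over UDP (which matches no MARK rule)."""
    lan, srv = "192.168.88.10", "203.0.113.5"  # constructed addresses
    http = [Packet(lan, srv, "tcp", 40000, 80)] * 2 + [Packet(srv, lan, "tcp", 80, 40000)]
    ftp = [Packet(lan, srv, "tcp", 40001, 21), Packet(srv, lan, "tcp", 21, 40001)]
    dns = [Packet(lan, srv, "udp", 40002, 53)] * 2
    return {"http": run_flow(http), "ftp": run_flow(ftp), "dns": run_flow(dns)}


if __name__ == "__main__":
    for name, result in example_flows().items():
        print(name, result)  # http: [(2, 5), (2, 2), (2, 2)]  ftp: [(1, 5), (1, 2)]  dns: [(0, 5), (0, 5)]
```

One thing the model makes visible: a connection that matches neither port rule gets mark 0 saved on it, so the ACCEPT short-circuit never fires for it and it pays the full walk on every packet. If that matters with a long rule set, a catch-all default mark placed before `--save-mark` gives those connections a non-zero mark as well.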
The RouterOS v6 queue tree version:

```
add chain=prerouting protocol=tcp dst-port=53,22,23,123,3389,8123 in-interface=bridge2 action=mark-connection \
    new-connection-mark=High-conn passthrough=yes comment=tcp_2
add chain=prerouting protocol=udp dst-port=53 in-interface=bridge2 action=mark-connection \
    new-connection-mark=High-conn passthrough=yes comment=udp_2
add chain=prerouting in-interface=bridge2 connection-mark=High-conn action=mark-packet new-packet-mark=High passthrough=no
# being lazy, I only wrote one line for this
add chain=prerouting protocol=tcp dst-port=80,443,1080,1863,4662,8080,12000,14000 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Medium-conn passthrough=yes comment=tcp_3
add chain=prerouting protocol=udp dst-port=4000-4030,4772,8000-8001 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Medium-conn passthrough=yes comment=udp_3
add chain=prerouting in-interface=bridge2 connection-mark=Medium-conn action=mark-packet new-packet-mark=Medium passthrough=no
```
The tc tool is too deep for me; I can't really use it. I only use it to let TCP handshake packets through, rather than the iptables-style length match used under ROS, the so-called small-packet match.

```
# TC and UDEV are set by the surrounding script (the tc binary and the upstream interface);
# placeholder defaults so the fragment runs on its own:
: "${TC:=tc}"
: "${UDEV:=eth0}"   # placeholder interface name

#$TC filter add dev $UDEV parent 1:0 prio 12 protocol arp handle 1 fw classid 1:20 # Arp traffic
$TC filter add dev $UDEV parent 1: prio 13 protocol ip u32 match ip protocol 1 0xff flowid 1:20 #ICMP
#$TC filter add dev $UDEV parent 1: prio 14 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:20 #ACK
$TC filter add dev $UDEV parent 1: prio 15 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x02 0x02 at 33 flowid 1:20 #SYN
$TC filter add dev $UDEV parent 1: prio 17 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x01 0x01 at 33 flowid 1:20 #FIN
$TC filter add dev $UDEV parent 1: prio 19 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x04 0x04 at 33 flowid 1:20 #RST
```

Below is the port-based QoS I did earlier; without tc, this was all that could be done.
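Before the RouterOS configuration, an added Python evaluator (example code, not from the post) that decodes what the u32 filters above actually select. It parses the `match ... at N` clauses, applies them to constructed IPv4/TCP and ICMP packets, and returns the first matching filter in prio order. The packets, addresses and ports are made up for the example; the filter strings are the ones from the tc lines above.

```python
import struct

# tc u32 filters from the lines above, in prio order (the ACK one is commented out there).
FILTERS = [
    (13, "ICMP", "match ip protocol 1 0xff"),
    (14, "ACK", "match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33"),
    (15, "SYN", "match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x02 0x02 at 33"),
    (17, "FIN", "match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x01 0x01 at 33"),
    (19, "RST", "match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x04 0x04 at 33"),
]


def parse_matches(expr):
    """Turn the clauses into (offset, width, value, mask); 'match ip protocol V M' is u8 at offset 9."""
    toks, out, i = expr.split(), [], 0
    while i < len(toks):
        assert toks[i] == "match", toks[i]
        kind = toks[i + 1]
        if kind == "ip" and toks[i + 2] == "protocol":
            out.append((9, 1, int(toks[i + 3], 0), int(toks[i + 4], 0)))
            i += 5
        elif kind in ("u8", "u16", "u32"):
            width = {"u8": 1, "u16": 2, "u32": 4}[kind]
            value, mask = int(toks[i + 2], 0), int(toks[i + 3], 0)
            assert toks[i + 4] == "at"
            out.append((int(toks[i + 5], 0), width, value, mask))
            i += 6
        else:
            raise ValueError("unsupported selector: " + kind)
    return out


def u32_match(expr, pkt):
    """True if every clause holds: (field & mask) == (value & mask), offsets counted from the IP header."""
    for off, width, value, mask in parse_matches(expr):
        if off + width > len(pkt):
            return False
        field = int.from_bytes(pkt[off:off + width], "big")
        if field & mask != value & mask:
            return False
    return True


def classify(pkt):
    """Name of the lowest-prio filter that matches, or None (packet falls to the default class)."""
    for _prio, name, expr in sorted(FILTERS):
        if u32_match(expr, pkt):
            return name
    return None


SYN, FIN, RST, PSH, ACK = 0x02, 0x01, 0x04, 0x08, 0x10


def ipv4(proto, payload, ihl=5):
    """Constructed IPv4 header (dummy addresses/ids); zero padding lets IHL be varied."""
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes([192, 168, 88, 10]), bytes([203, 0, 113, 5]))
    return hdr + b"\x00" * ((ihl - 5) * 4) + payload


def tcp(flags, payload_len=0, ihl=5):
    """Constructed TCP segment: 20-byte header (flags at TCP offset 13, i.e. IP offset 33 when IHL=5)."""
    seg = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return ipv4(6, seg + b"\x00" * payload_len, ihl)


def icmp_echo():
    return ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))


def demo():
    return {
        "pure ack 40B": classify(tcp(ACK)),            # ACK
        "ack + 23B data (63B)": classify(tcp(ACK, 23)),  # ACK: total length still below 64
        "ack + 24B data (64B)": classify(tcp(ACK, 24)),  # None: u16 at 2 & 0xffc0 is no longer 0
        "ack + 1400B data": classify(tcp(ACK, 1400)),  # None
        "syn": classify(tcp(SYN)),                     # SYN
        "syn/ack": classify(tcp(SYN | ACK)),           # SYN: ACK filter needs flags == 0x10 exactly
        "psh/ack 10B": classify(tcp(PSH | ACK, 10)),   # None
        "fin/ack": classify(tcp(FIN | ACK)),           # FIN
        "rst": classify(tcp(RST)),                     # RST
        "icmp echo": classify(icmp_echo()),            # ICMP
        "ack with ip options": classify(tcp(ACK, ihl=6)),  # None: IHL check fails, offset 33 is wrong anyway
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The masks carry the meaning: `match u8 0x05 0x0f at 0` requires IHL=5 so that offset 33 really is the TCP flags byte, `match u16 0x0000 0xffc0 at 2` requires a total length below 64 bytes, and the ACK filter masks the flag byte with 0xff, so only a bare ACK qualifies while SYN/ACK, PSH/ACK and FIN/ACK do not; the SYN, FIN and RST filters mask a single bit, so any segment carrying that flag passes. Compared with that, the RouterOS `packet-size=0-123 tcp-flags=ack` rule used later in the post admits a wider size range and does not exclude other flags.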
```
#http://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ_Examples
/ip firewall mangle add chain=forward dst-address=192.168.88.0/24 out-interface=bridge2 action=mark-connection new-connection-mark=Download-conn passthrough=yes
/ip firewall mangle add chain=forward out-interface=bridge2 connection-mark=Download-conn action=mark-packet new-packet-mark=Download passthrough=no
# Google keyword: 实作RouterOS的HTB (implementing HTB on RouterOS)
# For years I could never build a mental picture of the interface direction here; google the keyword above, the author's few simple sentences make it easy to understand
# because these rules sit in the forward chain, out-interface is used
/queue type add name=download-queue kind=pcq pcq-classifier=dst-address
/queue tree add name=Download parent=global max-limit=5300k
/queue tree add name=PCQ_D parent=Download packet-mark=Download queue=download-queue priority=1
###########################################################################################
/ip firewall mangle
add chain=prerouting protocol=icmp in-interface=bridge2 new-packet-mark=SP1 action=mark-packet passthrough=no comment=icmp
add chain=prerouting protocol=tcp in-interface=bridge2 new-packet-mark=SP1 action=mark-packet passthrough=no tcp-flags=ack packet-size=0-123 comment=ack
add chain=prerouting protocol=tcp in-interface=bridge2 new-packet-mark=SP1 action=mark-packet passthrough=no tcp-flags=syn packet-size=0-666 comment=syn
add chain=prerouting protocol=tcp in-interface=bridge2 new-packet-mark=SP2 action=mark-packet passthrough=no tcp-flags=fin comment=fin
add chain=prerouting protocol=tcp in-interface=bridge2 new-packet-mark=SP2 action=mark-packet passthrough=no tcp-flags=rst comment=rst
# The above are the so-called small-packet rules implemented with packet marks, but I don't know how to verify their effect;
# under Linux this is done with tc u32 matches. Under ROS I can't google anything related to tc at all.
# Its packet-size looks more like iptables syntax under Linux.
#tc filter add dev $UDEV parent 1: prio 13 protocol ip u32 match ip protocol 1 0xff flowid 1:20 #ICMP
#tc filter add dev $UDEV parent 1: prio 14 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:20 #ACK
#tc filter add dev $UDEV parent 1: prio 15 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x02 0x02 at 33 flowid 1:20 #SYN
#tc filter add dev $UDEV parent 1: prio 17 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x01 0x01 at 33 flowid 1:20 #FIN
#tc filter add dev $UDEV parent 1: prio 19 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x04 0x04 at 33 flowid 1:20 #RST
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=2099,5060,5222,5223,6060,8088,8393-8400 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Highest-conn passthrough=yes comment=tcp_1
add chain=prerouting protocol=udp dst-port=5000-5500,5060,6060,8088 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Highest-conn passthrough=yes comment=udp_1
add chain=prerouting in-interface=bridge2 connection-mark=Highest-conn action=mark-packet new-packet-mark=Highest passthrough=no
# I kept agonizing over how exactly to write Highest-conn versus Highest; in the end I found in the official 2011 document
# that they are written differently. In Linux terms the packet mark and the connection mark live in different places,
# so they are named differently here as well.
# QoS Best Practice @ MUM USA 2009, pdf by Janis Megis, MikroTik
# in-interface=bridge2 is the LAN interface; it is specified mainly to avoid matching packets from other interfaces
# How to read passthrough=no, "does not pass"? Under Linux, a packet in an iptables chain is matched against the rules
# you wrote from top to bottom, unless you specify RETURN. So passthrough=no means that once a packet matches this rule
# carrying passthrough=no, the remaining rules below it are no longer evaluated. With very many rules and a very busy
# network, this greatly reduces matching time and improves efficiency.
add chain=prerouting protocol=tcp dst-port=53,22,23,123,3389,8123 in-interface=bridge2 action=mark-connection \
    new-connection-mark=High-conn passthrough=yes comment=tcp_2
add chain=prerouting protocol=udp dst-port=53 in-interface=bridge2 action=mark-connection \
    new-connection-mark=High-conn passthrough=yes comment=udp_2
add chain=prerouting in-interface=bridge2 connection-mark=High-conn action=mark-packet new-packet-mark=High passthrough=no
# being lazy, I only wrote one line for this
add chain=prerouting protocol=tcp dst-port=80,443,1080,1863,4662,8080,12000,14000 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Medium-conn passthrough=yes comment=tcp_3
add chain=prerouting protocol=udp dst-port=4000-4030,4772,8000-8001 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Medium-conn passthrough=yes comment=udp_3
add chain=prerouting in-interface=bridge2 connection-mark=Medium-conn action=mark-packet new-packet-mark=Medium passthrough=no
add chain=prerouting protocol=tcp dst-port=20,21,25,1024-65535 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Low-conn passthrough=yes comment=tcp_4
add chain=prerouting protocol=udp dst-port=1-65535 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Low-conn passthrough=yes comment=udp_4
add chain=prerouting in-interface=bridge2 connection-mark=Low-conn action=mark-packet new-packet-mark=Low passthrough=no
{
:local UPLINK 800;
:local High 0
:local Medium 0
:local Mediuml 0
:local Lowm 0
:local Lowl 0
:local k "k";   # unit suffix appended to the numbers below
/queue tree
add name=Upload parent=global max-limit="$UPLINK$k"
:set Medium ($UPLINK * 8 / 10)
add name=Queue_1:2 parent=Upload max-limit="$Medium$k" limit-at="$Medium$k"
add name=1_Highest parent=Upload packet-mark=Highest limit-at="$Medium$k" max-limit="$UPLINK$k" priority=1
add name=Queue_ICMPACKSYN parent=Upload packet-mark=SP1 limit-at="$Medium$k" max-limit="$UPLINK$k" priority=2
add name=Queue_FINRST parent=Upload packet-mark=SP2 limit-at="$Medium$k" max-limit="$UPLINK$k" priority=3
:set High ($UPLINK * 1 / 10)
add name=2_High parent=Upload packet-mark=High limit-at="$High$k" max-limit="$UPLINK$k" priority=4
:set Mediuml ($UPLINK * 5 / 100)
add name=3_Medium parent=Queue_1:2 packet-mark=Medium limit-at="$Mediuml$k" max-limit="$Medium$k" priority=5
:set Lowm ($UPLINK * 70 / 100)
:set Lowl ($UPLINK * 3 / 100)
add name=4_Low parent=Queue_1:2 packet-mark=Low limit-at="$Lowl$k" max-limit="$Lowm$k" queue=hotspot-default priority=8
# HTB implementation based on the 60/80 traffic-versus-latency relationship
}
```

A brief word on the difference between simple queue and PCQ. The official material on the concrete implementation of PCQ only says that it is a type of SFQ; in my own testing I also didn't notice the kind of equal bandwidth sharing the official wiki describes. I did see limiting once a pcq-rate value was specified. PCQ mainly solves the efficiency problem caused by the lengthy matching of simple queues. Although the official docs mention that simple queue efficiency improved a lot in v6, on a single machine without upstream port QoS, especially with web downloads going on, it feels very slow. The three code segments below implement a process from my earlier Linux setup that rate-limits based on the number of UDP connections. According to the official documentation on QoS packet flow (queue tree, then simple queue), using a simple queue afterwards to limit specific IPs is fine.

```
# build the LAN IP address list
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 action=add-src-to-address-list \
    address-list=LAN address-list-timeout=1m comment="" disabled=no
#
{
:local ip 0;
:local udpn 0;
:foreach a in=[/ip firewall address-list find where list=LAN address!=192.168.88.1] do={
    # excluding the gateway IP
    :set ip [/ip firewall address-list get $a address]
    :set udpn [/ip firewall connection print count-only where src-address~"^$ip:" and protocol=udp]
    # create a simple queue for users over the UDP limit; since simple queues come after the HTB, this takes effect
    :if ($udpn > 10) do={
        /queue simple add name=$ip target=$ip max-limit=800K/800K queue=hotspot-default disabled=no
    } else={
        :put false
    }
}
}
# bulk-delete all simple queues
/queue simple
:foreach i in=[find] do={ remove $i; }
```

Reference: Manual:Queues - PCQ, http://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ
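An added check in Python (example code, not from the post): it recomputes the limit-at and max-limit values that the queue tree script above produces for UPLINK=800 (kbit, integer arithmetic as in the script) and applies the usual HTB sanity rules: a child's limit-at must not exceed its own max-limit, a child's max-limit should not exceed its parent's (the parent caps it anyway), and the limit-at values of sibling queues should add up to no more than the parent's max-limit, because limit-at is the rate HTB tries to guarantee. On these numbers the Queue_1:2 level passes, while the four queues directly under Upload each carry limit-at 640k plus 80k for 2_High, 2640k of guarantees under an 800k parent, so those guarantees cannot all hold at once and the priority values decide who is starved under load.

```python
def tree_from_script(uplink=800):
    """Queue tree from the RouterOS script above: {name: (parent, limit_at, max_limit)} in kbit.
    None means the script sets no limit-at for that queue."""
    medium = uplink * 8 // 10      # :set Medium ($UPLINK * 8 / 10)
    high = uplink * 1 // 10        # :set High ($UPLINK * 1 / 10)
    mediuml = uplink * 5 // 100    # :set Mediuml ($UPLINK * 5 / 100)
    lowm = uplink * 70 // 100      # :set Lowm ($UPLINK * 70 / 100)
    lowl = uplink * 3 // 100       # :set Lowl ($UPLINK * 3 / 100)
    return {
        "Upload":           ("global",    None,    uplink),
        "Queue_1:2":        ("Upload",    medium,  medium),
        "1_Highest":        ("Upload",    medium,  uplink),
        "Queue_ICMPACKSYN": ("Upload",    medium,  uplink),
        "Queue_FINRST":     ("Upload",    medium,  uplink),
        "2_High":           ("Upload",    high,    uplink),
        "3_Medium":         ("Queue_1:2", mediuml, medium),
        "4_Low":            ("Queue_1:2", lowl,    lowm),
    }


def check_htb(tree):
    """Return (per-queue problems, oversubscribed parents).

    per-queue problems: limit-at above the queue's own max-limit, or max-limit above the parent's.
    oversubscribed parents: {parent: (sum of children's limit-at, parent max-limit)} where the sum is larger,
    i.e. the 'guaranteed' rates cannot all be honoured at the same time."""
    per_queue, guaranteed = [], {}
    for name, (parent, limit_at, max_limit) in tree.items():
        if limit_at is not None and limit_at > max_limit:
            per_queue.append(f"{name}: limit-at {limit_at} > max-limit {max_limit}")
        if parent in tree:  # 'global' is the root, not a queue with its own limits
            parent_max = tree[parent][2]
            if max_limit > parent_max:
                per_queue.append(f"{name}: max-limit {max_limit} > parent {parent} max-limit {parent_max}")
            guaranteed[parent] = guaranteed.get(parent, 0) + (limit_at or 0)
    oversubscribed = {p: (total, tree[p][2]) for p, total in guaranteed.items() if total > tree[p][2]}
    return per_queue, oversubscribed


if __name__ == "__main__":
    problems, over = check_htb(tree_from_script())
    print("per-queue problems:", problems)          # []
    print("oversubscribed parents:", over)          # {'Upload': (2640, 800)}
```

The same function can be pointed at any tree exported from `/queue tree print` once the values are filled in; the interesting output is the oversubscribed map, since RouterOS accepts such a tree without complaint.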