Syed Jahanzaib Personal Blog to Share Knowledge !

August 4, 2011

How to exempt an FTP server behind the MikroTik DMZ from the rate limit of dynamic queues

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 6:31 AM

Consider the following scenario.

As you can see, the FTP servers sit behind the MikroTik DMZ. When a user connects through the PPPoE server, a dynamic queue is created for that user according to his package, say 512k. The problem is that this restriction also applies to the local FTP server behind the MikroTik DMZ, and we do not want to limit the speed of the local FTP.

The solution I found was to create mangle rules that mark packets going TO and FROM the FTP server, and then add a queue tree at my desired speed (or at line speed) for those marks.

This works for me. JUST MAKE SURE YOUR FTP SERVERS HAVE THE MIKROTIK IP AS THEIR DEFAULT GATEWAY 🙂 This is important: with the MikroTik as gateway the FTP server sees the users' original IP addresses rather than just the MikroTik IP, and the return traffic from the FTP server passes through the MikroTik, where the download mark is applied.


Scenario #1: Limit the FTP queue to 3mb per user

We have FTP servers hosted in the DMZ (on a separate port) with IP addresses in the 10.0.0.x range. So we simply create an address list and add the FTP servers' IP addresses to it. Using an address list has an added advantage: you can add or remove IPs directly in the list without touching the rules again, and you can use a script to add or remove server IPs dynamically, with a timeout as well.


/ip firewall address-list
add address=10.0.0.10 list=FTP_SERVER
add address=10.0.0.11 list=FTP_SERVER

# Mark connections going to the FTP servers, then every packet of those
# connections (both directions, since the packet mark follows the connection mark)
/ip firewall mangle
add action=mark-connection chain=prerouting comment="MARK CONN GOING TO FTP SERVER" dst-address-list=FTP_SERVER new-connection-mark=ftp_conn passthrough=yes
add action=mark-packet chain=prerouting comment="MARK PKTS GOING TO FTP SERVER" connection-mark=ftp_conn new-packet-mark=ftp_pkts passthrough=yes

# Create the PCQ-based queue types, 3mb per user (pcq-rate is in bits per second)
/queue type
add kind=pcq name=ftp-download-3MB pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=31M pcq-src-address6-mask=64
add kind=pcq name=ftp-upload-3MB pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=31M pcq-src-address6-mask=64

# Make sure you move this simple queue to the TOP of the list (above the
# dynamic PPPoE queues), or else it will not work
/queue simple
add comment="Allow 3 MB FTP Download per user by zaib" name="ftp 1g" packet-marks=ftp_pkts queue=ftp-upload-3MB/ftp-download-3MB target=""
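The address-list approach above is what makes scripted maintenance possible. As an added example (not from the original post), the following RouterOS script keeps each listed server in FTP_SERVER only while it answers ping; the server addresses (taken from scenario 1), the 10 minute expiry and the 5 minute check interval are assumed values.

```routeros
# Added example, not part of the original post: keep the FTP_SERVER address list
# up to date from a scheduled script. Assumed: servers 10.0.0.10 and 10.0.0.11
# (scenario 1), a 10 minute expiry, a 5 minute check interval.
# Save the body below as /system script name=ftp-list-refresh (System > Scripts),
# then schedule it with the scheduler line at the end. Entries for these two
# servers become managed by the script: they expire unless the check succeeds.

:local servers {"10.0.0.10";"10.0.0.11"}

:foreach srv in=$servers do={
    # [/ping] returns the number of replies received
    :if ([/ping $srv count=2 interval=1s] > 0) do={
        :local id [/ip firewall address-list find list=FTP_SERVER address=$srv]
        :if ([:len $id] = 0) do={
            # not listed yet: add it with a timeout, so a dead server ages out
            /ip firewall address-list add list=FTP_SERVER address=$srv timeout=10m comment="auto: ftp-list-refresh"
            :log info ("ftp-list-refresh: added " . $srv)
        } else={
            # still alive: push the expiry forward
            /ip firewall address-list set $id timeout=10m
        }
    } else={
        # no reply: leave the entry alone, it expires by itself
        :log warning ("ftp-list-refresh: " . $srv . " not answering ping")
    }
}

# Run the script every 5 minutes (run this line once in the terminal):
# /system scheduler add name=ftp-list-refresh interval=5m on-event=ftp-list-refresh
```

A server that stops answering drops out of the list, and so out of the exemption, 10 minutes after its last successful check.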


Scenario #2:

172.16.0.0/16 is my PPPoE client IP pool.
192.168.250.0/24 is the FTP server pool, behind the MikroTik DMZ.

On the MikroTik I created the following rules; the FTP servers are exempted from the dynamic queue rate limit and FTP data is delivered at LAN speed. All works OK 🙂

[Mikrotik 5.x ROS Code]


# upload direction: PPPoE client -> FTP server, marked before routing
/ip firewall mangle add chain=prerouting src-address=172.16.0.0/16 dst-address=192.168.250.0/24 action=mark-packet new-packet-mark=ftp-up

# download direction: FTP server -> PPPoE client, marked after routing
/ip firewall mangle add chain=postrouting dst-address=172.16.0.0/16 src-address=192.168.250.0/24 action=mark-packet new-packet-mark=ftp-down

# SFQ queue type, then a queue tree on the 5.x global-in / global-out parents at 100M
/queue type add name=ftp-exempt kind=sfq
/queue tree add name=ftp-up parent=global-in packet-mark=ftp-up queue=ftp-exempt max-limit=100M
/queue tree add name=ftp-down parent=global-out packet-mark=ftp-down queue=ftp-exempt max-limit=100M
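Scenario 2 queues on global-in/global-out, which exist only in RouterOS 5.x; for 6.x the author's advice (scenario 1 and the comments) is mangle plus a simple queue placed above the dynamic PPPoE queues. The block below is an added example, not the post's own config: it rebuilds scenario 2 that way for the same pools and ends with the checks that confirm the marks and the queue are actually hit. The list, mark and queue names are assumptions.

```routeros
# Added example for RouterOS 6.x, not part of the original post.
# Assumed: PPPoE pool 172.16.0.0/16, FTP pool 192.168.250.0/24 (scenario 2),
# and FTP servers that use the MikroTik as default gateway, so both directions
# of every transfer cross the router.

/ip firewall address-list
add list=FTP_SERVER address=192.168.250.0/24 comment="local FTP pool"

# Mark the connection (either direction), then every packet of a marked connection.
# The second rule covers data connections the server itself opens towards a client
# (active-mode FTP). Keep these above any PCC rules that end with passthrough=no.
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=ftp_conn \
    src-address=172.16.0.0/16 dst-address-list=FTP_SERVER passthrough=yes \
    comment="FTP exempt: client -> server"
add chain=prerouting action=mark-connection new-connection-mark=ftp_conn \
    src-address-list=FTP_SERVER dst-address=172.16.0.0/16 passthrough=yes \
    comment="FTP exempt: server -> client"
add chain=prerouting action=mark-packet new-packet-mark=ftp_pkts \
    connection-mark=ftp_conn passthrough=no comment="FTP exempt: packets"

/queue type
add name=ftp-exempt kind=sfq

# target= the client pool fixes direction (upload = from clients, download = to
# clients). Simple queues match in order, so the queue is moved to position 0,
# above the dynamic <pppoe-...> queues the PPP profile creates per user.
/queue simple
add name=ftp-exempt target=172.16.0.0/16 packet-marks=ftp_pkts \
    queue=ftp-exempt/ftp-exempt max-limit=100M/100M \
    comment="local FTP at LAN speed instead of the package rate"
move [find name=ftp-exempt] destination=0

# Checks, run while a PPPoE client downloads from a server in the FTP pool:
# 1. the three mangle rules count packets
/ip firewall mangle print stats where comment~"FTP exempt"
# 2. the transfer's connection carries the mark
/ip firewall connection print where connection-mark=ftp_conn
# 3. the bytes land here, not in the client's dynamic queue
/queue simple print stats where name=ftp-exempt
```

If the third check shows no traffic while the client's dynamic queue keeps growing, the static queue is below the dynamic ones or the server is not routing its replies through the MikroTik.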




ANOTHER EXAMPLE: MARK TRAFFIC FROM SPECIFIC CLIENTS GOING TO THE X.X.X.X LOCATION.

For MikroTik 6.xx

Scenario:

We want to mark traffic from specific users, such as expired users, going to the FTP server, and limit their speed per IP.

IP POOL INFO:

pppoe-pool = 172.16.0.0/16
EXPIRED pool = 192.168.255.0/24
FTP Server = 10.0.0.100

First mark the traffic in the mangle section: SOURCE should be the EXPIRED USERS IP SUBNET and DESTINATION should be the FTP SERVER IP.


/ip firewall mangle
# Marks only packets from the expired pool to the server (the upload direction);
# replies from the server carry no mark, so the download PCQ below only sees
# traffic if the reverse direction is marked as well (connection marking as in
# scenario 1 covers both directions)
add action=mark-packet chain=prerouting comment="MARK TRAFFIC of EXPIRED USERS GOING TO FTP SERVER" dst-address=10.0.0.100 new-packet-mark=expired_users_ftp_access passthrough=no src-address=192.168.255.0/24

# Now add queue types for the per-user implementation, 32kb per IP (pcq-rate is in bits per second)
/queue type
add kind=pcq name=ftp-download-32k pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64
add kind=pcq name=ftp-upload-32k pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64

# Finally add a SIMPLE queue that limits 32k per IP (only the expired pool)
/queue simple
add comment="FTP for EXPIRED USERS / 32kb PER USER" name="ftp queue 32k for expired users pool" packet-marks=expired_users_ftp_access queue=ftp-upload-32k/ftp-download-32k target=""


Another example: mark traffic going to the FTP server using MANGLE and restrict per-user bandwidth using PCQ [updated 26-JAN-2016]

FTP SERVER IP = 10.0.1.5 AND 10.0.1.6

The following code marks traffic for 10.0.1.5 and 10.0.1.6, and in the queue section creates PCQ-based bandwidth limits of 4mb per user. It also gives priority to ICMP packets.


/ip firewall mangle

# MARK ICMP PACKETS (connection first, then every packet of it)
add action=mark-connection chain=prerouting new-connection-mark=icmp-con protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp-con new-packet-mark=icmp-pkt passthrough=no protocol=icmp

# ACCEPT FTP TRAFFIC, BYPASS PCC
# (no action means accept, which stops further mangle processing for these packets;
#  the ALLOWED_SERVERS address list is assumed to exist from the PCC setup)
add chain=prerouting comment="accept server4 n radius from being processed by PCC / zaib" dst-address-list=ALLOWED_SERVERS

# MARK TRAFFIC COMING FROM THE FTP SERVERS 10.0.1.5 AND 10.0.1.6
# (src-address is the server, i.e. the download direction towards the clients)
add action=mark-packet chain=prerouting comment="MARK TRAFFIC FROM FTP SERVER 10.0.1.6" new-packet-mark=ftp_1.6 passthrough=no src-address=10.0.1.6
add action=mark-packet chain=prerouting comment="MARK TRAFFIC FROM FTP SERVER 10.0.1.5" new-packet-mark=ftp_1.5 passthrough=no src-address=10.0.1.5

# CREATE PCQ-BASED QUEUE / 4 MB PER USER (pcq-rate is in bits per second)
/queue type
add kind=pcq name=ftp-download-4MB pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=40M pcq-src-address6-mask=64
add kind=pcq name=ftp-upload-4MB pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=40M pcq-src-address6-mask=64

# CREATE SIMPLE QUEUES: HIGH PRIORITY FOR ICMP, PCQ LIMIT FOR FTP
# (move them above the dynamic PPPoE queues, as in scenario 1)
/queue simple

# ICMP
add max-limit=128k/128k name=ICMP_Hi_Priority packet-marks=icmp-pkt target=""

# FTP
add name=FTP_10.0.1.6_DOWN_LIMIT packet-marks=ftp_1.6 queue=ftp-upload-4MB/ftp-download-4MB target=""
add name=FTP_10.0.1.5_DOWN_LIMIT packet-marks=ftp_1.5 queue=ftp-upload-4MB/ftp-download-4MB target=""


Regards,
Syed Jahanzaib


39 Comments »

  1. Thanks brother... and brother, there is a spelling mistake, please fix it:
    "could also create a simple queue for FPT servers but Dynamic Queues always"
    In this line above you have written FTP as FPT.

    Comment by usmans — August 12, 2011 @ 6:31 PM

    • Sir,
      the internet is not working on my HFS server, please help me.

      Comment by king atif — September 26, 2017 @ 1:25 PM

  2. Interesting, thanks. I think you're doing a great job sharing all this information... keep it up.

    Well, can you exempt traffic accounting as well, assuming there is a RADIUS in place???

    I have been experimenting with the Mikrotik PPPoE server and Radius Manager. I want to limit the total traffic of each user (daily/monthly), but I still want to have local FTP/HTTP services that shouldn't be counted in the users' traffic...

    I googled a lot; it doesn't seem to be possible...

    Any idea...

    Comment by Maxlee — September 11, 2011 @ 8:30 AM

    • Hmmm, that's an interesting query, and yes, it is sometimes required in some specific scenarios like yours.

      I will do some testing for your requirement and will let you know.

      One RECOMMENDED 'workaround' is to set up your FTP sharing server on a LINUX OS and place it on the user subnet. This way user requests will directly HIT the local FTP and will not go through the Mikrotik, thus bypassing the RM accounting. Configure it to authenticate using RADIUS. This way users will be able to use the FTP server with or without PPPoE. A POPUP will appear asking the user for authentication, which will be verified via the RADIUS server. For more ideas see the link. (FYI, RM uses FREERADIUS as its backend.)

      http://freeradius.org/mod_auth_radius/

      For Windows there is an add-on (costs up to 400$) which can enable your Windows-based IIS FTP to use the RADIUS server for authentication. It does the job nicely too 🙂

      Comment by Pinochio / zaib — September 11, 2011 @ 10:47 AM

  3. Bro, it's not working with hotspot.

    Comment by usmans — September 12, 2011 @ 5:14 AM

  4. Thanks bro.
    Works well for local users but not for the NanoStation CPE, where the wifi CPE dials the PPPoE connection without looking for an IP from the DHCP.

    In my case most of my users are behind the wifi CPE and I am trying to standardize on PPPoE, no local IP traffic...

    Comment by Maxlee — September 16, 2011 @ 2:21 PM

    • When the CPE dials the PPPoE connection, after a successful connection this CPE must be getting an IP address from the PPPoE server, right?

      Use that pool.

      Comment by Pinochio / zaib — September 16, 2011 @ 2:37 PM

  5. Salam brother,
    this is not working with Hotspot, but with PPPoE it is working 100%.

    Comment by usmans — September 24, 2011 @ 1:57 AM

    • Well, it does work with Hotspot too; basically it can work in any scenario. Just modify it according to your network. Make a rule for the dst FTP address and put it in an unlimited bandwidth pool.

      Comment by Pinochio~:) — September 24, 2011 @ 10:28 AM

  6. Sir, I want to limit simple FTP speed because I am running a wireless network; you know that in a wireless network throughput is limited compared to a cable network.
    Please help.

    Comment by asif — February 2, 2012 @ 10:03 PM

  7. Sir, this is not working for me. I can ping the Mikrotik from the FTP server, but the FTP server cannot be pinged from any PPPoE client.

    Comment by Muhammad Abdullah Butt — April 9, 2012 @ 3:57 AM

    • On your FTP server, add a gateway in its TCP/IP properties pointing to the Mikrotik.
      For example, if your Mikrotik interface IP is 192.168.10.1 and the FTP server IP is 192.168.10.2,
      then you define the default gateway on the FTP server as 192.168.10.1 (meaning you are telling the FTP server to go through the Mikrotik interface, which has all the user info including the subnets).

      Comment by Syed Jahanzaib / Pinochio~:) — April 9, 2012 @ 8:30 AM

  8. I have tried this with hotspot, but it's not working well. Hotspot users are getting the same speed limit as defined in the profile. My scenario is:
    Mikrotik server
    ----------------
    Interface1 = WAN (192.168.11.8/24)
    Interface2 = LAN (192.168.200.1/24) Hotspot and DHCP
    Interface3 = FTP (192.168.250.1/24)

    FTP server
    ---------
    Interface1 =
    IP address = 192.168.250.2
    subnet mask = 255.255.255.0
    preferred DNS = 192.168.250.1

    The hotspot is working fine and giving the speed limit as defined in the profile for internet traffic. After adding the FTP server I added the above mangle and queue rules, but I am getting these 2 errors:

    1 = when I try to open \\server it does not respond, but when I type \\192.168.250.2 the FTP server opens. Why is it not opening with the computer name instead of the IP?

    2 = the rate limit as defined in the hotspot profile is still applying to the FTP traffic, even though I have added the queue rules as you mentioned above... but still the same.

    Kindly troubleshoot this scenario.

    Comment by Maria — April 29, 2012 @ 1:41 PM

  9. Waiting for your reply, sir?

    Comment by Maria — May 2, 2012 @ 11:27 PM

  10. Hi,

    I have been following this blog for quite some time.

    I have been using Radius Manager along with Mikrotik for a Wi-Fi Hotspot.

    We have restricted bandwidth for Wi-Fi users in Radius Manager.

    We have 2 networks; the customers on these networks should get full bandwidth without the restriction (that we have in Radius Manager). The restriction should be applicable only when they browse/download/upload from international sites.

    Is there any solution to this?

    Regards,
    Shiva

    Comment by Shiva Thapa — March 3, 2013 @ 3:12 PM

  11. Is it possible to assign a specific speed limit to each IP address while using the FTP server behind Mikrotik? Above you are allowing full speed to each IP address. Is there any way to assign a specific speed limit rather than the PPPoE profile limit?

    Comment by Ash — June 5, 2013 @ 3:00 PM

  12. I have successfully done it, but now I'm facing another issue. I can create only one session for the FTP server. I mean, when I open the FTP server via \\server-ip and start copying a file from there, and at the same time from another client PC I open \\server-ip, it breaks the previous session. Can I know why it is limiting only 1 connection? How can I allow multiple sessions so that all 10 PCs can open the FTP server and copy files at the same time?

    Comment by Ash — June 10, 2013 @ 1:21 PM

  13. Queue tree makes the CPU load 100% when I try to download from the local server.

    Comment by kidx13 — March 15, 2014 @ 5:35 PM

    • It depends on your hardware and downloads.
      To put FTP behind the DMZ, you should have a decent amount of Mikrotik CPU power, including GB connectivity.

      You should also consider having queues for FTP so that it does not bog down your Mikrotik processing.

      Comment by Syed Jahanzaib / Pinochio~:) — March 17, 2014 @ 3:58 PM

  14. Dear Brother Jahanzaib,

    Assalam O Alaikum

    Brother Jahanzaib, I have configured hotspot and PPPoE in Mikrotik on a single interface, and I have also attached an HFS server to the Mikrotik, but the issue is that users get the same speed on HFS as is assigned to them from the hotspot or PPPoE profile.

    I want users to get HFS at full speed while the internet runs at the assigned speed.

    Please tell me what I need to do for this.

    Ethernet 1: WAN (192.168.1.2)

    Ethernet 2: Local area network Hotspot and PPPoE (172.168.1.1/24)

    Ethernet 3: DHCP server with HFS IP (182.168.0.2)

    Comment by raheel — March 27, 2014 @ 4:47 PM

  15. Dear Bro,
    my Mikrotik version is 6.5.

    I have a file sharing server behind the Mikrotik, but my hotspot and PPPoE users are still getting their assigned speed.
    I want all my Hotspot users to get full speed for HFS, or my assigned speed to the internet.

    Wan: 192.168.1.1/24
    Lan: 172.168.1.1/24 configured Hotspot and PPPoE Server for my local network
    Lan2: 182.168.0.1/24 DHCP Server configured only for the file sharing server

    I configured from this script, but it is not working:

    /ip firewall mangle
    add action=mark-packet chain=prerouting dst-address=182.168.0.0/24 new-packet-mark=ftp-up src-address=172.168.0.0/24
    add action=mark-packet chain=postrouting dst-address=172.168.0.0/24 new-packet-mark=ftp-down src-address=182.168.0.0/24

    /queue tree
    add limit-at=100M max-limit=100M name=ftp-up packet-mark=ftp-up parent=global queue=ftp-exempt
    add limit-at=100M max-limit=100M name=ftp-down packet-mark=ftp-down parent=global queue=ftp-exempt

    Please tell me how to assign unlimited speed on the file sharing server for Mikrotik hotspot and PPPoE users 😦

    Raheel

    Comment by Raheel — March 28, 2014 @ 9:04 AM

  16. Syed Jahanzaib,
    in Mikrotik the FTP server speed is the default according to your above configuration, but the hotspot server does not work properly...
    And the FTP server output speed is only 4MB, and I am using a Mikrotik 750... and my internet package is 4MB...
    Please sir, help me with this issue...

    Comment by Adeel Riaz — June 16, 2014 @ 2:45 AM

  17. Sir,
    the above configuration is not applying only on hotspot server downloading... please sir, solve this issue...

    Comment by Adeel Riaz — June 17, 2014 @ 2:19 AM

  18. Has anyone successfully tried using Mikrotik version 6.4 or a lower version? (sorry for my bad English)

    Comment by Asri Rachman — September 29, 2014 @ 8:09 AM

    • For ver 6.x, you should be using simple queues.

      Comment by Syed Jahanzaib / Pinochio~:) — September 30, 2014 @ 10:10 AM

      • Can you explain what that means?
        If after making a mangle and queue tree, I also make the limit in a simple queue?

        Comment by Asri Rachman — September 30, 2014 @ 1:10 PM

    • For 5.x, you can use mangle + queue tree;
      for 6.x you can use mangle + simple queues.
      They work for sure.

      Comment by Syed Jahanzaib / Pinochio~:) — October 3, 2014 @ 9:20 AM

      • Not working in 6.x; I have tested so many times, in 6.5 and 6.18 also.

        Comment by raheel — October 3, 2014 @ 11:11 AM

      • Can you share the script for Mikrotik v6 with hotspot?

        Comment by Asri Rachman — October 7, 2014 @ 6:58 AM

      • Not working with 6.x

        Comment by Fayyaz chaudhary — October 29, 2016 @ 7:18 PM

  19. Sir, can you please make a video for this? I tried a lot but it's not working.

    Comment by m — June 17, 2016 @ 5:39 PM

  20. I tried but it's not working for me, please Brother Jahanzaib help.... PPPoE clients are getting speed on the HFS server according to their package.

    Comment by m — October 1, 2016 @ 12:21 PM

  21. Assalam O Alaikum Brother Jahanzeb, I want to ask you about some settings.
    I have configured hotspot and PPPoE, I am using Connect's internet and I need to do load balancing. Secondly, I have my own web server which holds files for download, and I want no limit to apply when downloading from my own server, so that full speed comes through. This script of yours is not working and I also don't understand it; I tried other scripts too. My server is connected to the TP-Link router that sits before the Mikrotik.
    e.g. the incoming cable from Connect is plugged into the TP-Link router, which dials PPTP; then from one port of the router a cable goes to my server and the other port goes to the Mikrotik.
    The TP-Link router's IP is 192.168.99.1
    and the Mikrotik WAN port IP is 192.168.99.2, the LAN port IP is 172.16.1.1, which is for both DHCP and hotspot, and the PPPoE IP is 172.16.3.1.

    Now please suggest a solution.

    I also need to block some sites; I tried with layer 7 but that blocks all sites.

    Comment by Arsalan Siddiqui — November 23, 2016 @ 4:44 PM

  22. SIR,
    EVERYTHING ELSE IS OK NOW, BUT THE INTERNET IS NOT WORKING ON HFS

    Comment by KING ATIF — September 6, 2017 @ 5:44 PM

  23. SIR,
    EVERYTHING ELSE IS OK NOW, BUT THE INTERNET IS NOT WORKING ON HFS

    Comment by KING ATIF — September 6, 2017 @ 5:44 PM

  24. Sir,
    the internet is not working on the server.

    Comment by king atif — September 26, 2017 @ 1:20 PM

