Syed Jahanzaib Personal Blog to Share Knowledge !

August 4, 2011

Howto exempt rate limit for FTP Server Behind MT DMZ in placement of Dynamic Queues !

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 6:31 AM

Consider the following scenario !

As you can see, the FTP servers are placed behind the Mikrotik DMZ. When a user connects via the PPPoE server, a dynamic queue is created for that user according to his package, let's say 512k. The problem is that this restriction also applies to the local FTP server placed behind the Mikrotik DMZ, and we don't want to limit speed for the local FTP.

The solution I found was to create mangle rules that mark packets TO/FROM the FTP server, and add a queue tree at my desired speed (or at line speed) for those marks.

This works for me. JUST MAKE SURE YOUR FTP SERVERS HAVE THE MIKROTIK IP AS THEIR DEFAULT GATEWAY :) This is important so that the FTP server sees the user's original IP rather than just the Mikrotik IP.



Scenario: are my pppoe client IP pool.
is the FTP server pool, behind the Mikrotik DMZ.

On the Mikrotik, I created the following rules; the FTP servers are exempted from the dynamic queue rate limit and FTP data is delivered at LAN speed. All works OK :)

[Mikrotik 5.x ROS Code]

# Mark packets from the PPPoE client pool going TO the FTP server (upload towards the server)
/ip firewall mangle add chain=prerouting src-address= dst-address= action=mark-packet new-packet-mark=ftp-up

# Mark packets from the FTP server going back TO the PPPoE client pool (download from the server)
/ip firewall mangle add chain=postrouting dst-address= src-address= action=mark-packet new-packet-mark=ftp-down

# Queue type plus two queue tree entries that carry the marked packets at line speed (100M)
# instead of the user's dynamic queue limit
/queue type add name=ftp-exempt kind=sfq
/queue tree add name=ftp-up parent=global-in packet-mark=ftp-up queue=ftp-exempt max-limit=100M
/queue tree add name=ftp-down parent=global-out packet-mark=ftp-down queue=ftp-exempt max-limit=100M
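Here is an added example of the same exemption written out with consistent values; it is my own configuration, not the author's post or an export from his router. The addresses are placeholders from the documentation ranges: 192.0.2.0/24 stands in for the PPPoE client pool and 198.51.100.10 for the FTP server (both assumptions). It shows the 5.x queue-tree form used in the post and, for RouterOS 6.x, the simple-queue form the author recommends in the comments, where ordering matters because the first matching simple queue wins; the `insert-queue-before` setting on the ppp profile is assumed to be available on your 6.x version. The last two commands are the counters to check that the marks are actually being hit.

```routeros
# Added example, not from the original post. Placeholder values (assumptions):
#   192.0.2.0/24    PPPoE client pool
#   198.51.100.10   local FTP server in the DMZ (must use the Mikrotik as its default gateway)

# --- Mangle: mark both directions between the clients and the FTP server ---
/ip firewall mangle
add chain=prerouting src-address=192.0.2.0/24 dst-address=198.51.100.10 \
    action=mark-packet new-packet-mark=ftp-up passthrough=no \
    comment="client -> FTP (upload towards the server)"
add chain=postrouting src-address=198.51.100.10 dst-address=192.0.2.0/24 \
    action=mark-packet new-packet-mark=ftp-down passthrough=no \
    comment="FTP -> client (download from the server)"

# --- Queue type shared by both directions ---
/queue type
add name=ftp-exempt kind=sfq

# --- RouterOS 5.x: queue tree on global-in / global-out, as in the post ---
/queue tree
add name=ftp-up   parent=global-in  packet-mark=ftp-up   queue=ftp-exempt max-limit=100M
add name=ftp-down parent=global-out packet-mark=ftp-down queue=ftp-exempt max-limit=100M

# --- RouterOS 6.x: global-in/global-out no longer exist and a tree queue cannot raise a
#     limit that a dynamic simple queue has already applied. Simple queues are evaluated
#     in order and the first match wins, so the exemption must sit ABOVE the dynamic
#     PPPoE queues: place-before=0 puts it at the top, and the ppp profile is told to
#     insert its dynamic queues after it (assumed option name: insert-queue-before). ---
/queue simple
add name=ftp-exempt-v6 target=198.51.100.10/32 packet-marks=ftp-up,ftp-down \
    queue=ftp-exempt/ftp-exempt max-limit=100M/100M place-before=0
/ppp profile
set [find name=default] insert-queue-before=ftp-exempt-v6

# --- Checks: packet/byte counters must increase while a client transfers from the FTP;
#     if the mangle counters stay at zero the FTP server is probably not routing
#     through the Mikrotik (wrong default gateway) ---
/ip firewall mangle print stats where new-packet-mark~"ftp"
/queue simple print stats where name=ftp-exempt-v6
```

Use only the 5.x or the 6.x queue part, not both; the mangle and queue type sections are common. If a client still gets its package speed from the FTP server after this, compare `/queue simple print` order first: an exemption queue listed below the dynamic queues never sees the packets.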







We want to mark traffic from specific users, such as expired users, going to the FTP server, and limit their speed per IP.

pppoe-pool =

EXPIRED pool =
FTP Server =


First mark the traffic in the mangle section; SOURCE should be the EXPIRED USERS IP SUBNET and DESTINATION should be the FTP SERVER IP.

/ip firewall mangle
add action=mark-packet chain=prerouting comment="MARK TRAFFIC of EXPIRED USERS GOING TO FTP SERVER" dst-address= new-packet-mark=expired_users_ftp_access passthrough=no src-address=

# Now add a queue type for the per-user implementation, 32k per IP

/queue type
add kind=pcq name=ftp-download-32k pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64
add kind=pcq name=ftp-upload-32k pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64
# Finally add a SIMPLE queue that will limit 32k per IP (only for the expired pool)

/queue simple
add comment="FTP for EXPIRED USERS / 32kb PER USER " name="ftp queue 32k for expired users  pool" packet-marks=expired_users_ftp_access queue=ftp-upload-32k/ftp-download-32k target=""

Another example: mark traffic going to the FTP server using MANGLE and restrict per-user bandwidth using PCQ [updated 26-JAN-2016]


The FOLLOWING code will mark traffic for 1.5 and 1.6, and in the queue it will create PCQ-based bandwidth limiting to restrict each user to 4mb. It also gives priority to ICMP packets.

/ip firewall mangle
# Mark ICMP connections, then their packets, so they can be queued separately
add action=mark-connection chain=prerouting new-connection-mark=icmp-con protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp-con new-packet-mark=icmp-pkt passthrough=no protocol=icmp
# A rule with no action accepts the packet, so the listed servers skip the rules below
add chain=prerouting comment="accept server4 n radius from being processed by PCC / zaib" dst-address-list=ALLOWED_SERVERS
# Mark the traffic of each FTP server (1.6 and 1.5)
add action=mark-packet chain=prerouting comment="MARK TRAFFIC GOING TO FTP SERVER _ 1.6" new-packet-mark=ftp_1.6 passthrough=no src-address=
add action=mark-packet chain=prerouting comment="MARK TRAFFIC GOING TO FTP SERVER _ 1.5" new-packet-mark=ftp_1.5 passthrough=no src-address=

/queue type
# PCQ creates one sub-stream per address, each capped at pcq-rate
add kind=pcq name=ftp-download-4MB pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=40M pcq-src-address6-mask=64
add kind=pcq name=ftp-upload-4MB pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=40M pcq-src-address6-mask=64

/queue simple
# Dedicated small queue for ICMP, then one PCQ queue per FTP server
add max-limit=128k/128k name=ICMP_Hi_Priority packet-marks=icmp-pkt target=""
add name=FTP_10.0.1.6_DOWN_LIMIT packet-marks=ftp_1.6 queue=ftp-upload-4MB/ftp-download-4MB target=""
add name=FTP_10.0.1.5_DOWN_LIMIT packet-marks=ftp_1.5 queue=ftp-upload-4MB/ftp-download-4MB target=""
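The expired-users section and the updated PCQ section above both rely on the same idea: mark the traffic between a group of users and the FTP server, then hand it to a simple queue whose PCQ type splits it per address. Here is an added example (mine, not the author's, and not an export from any router) with placeholder values: 192.0.2.128/25 is assumed to be the expired users' range, 198.51.100.10 the FTP server, 192.0.2.0/24 the whole PPPoE pool, and 4M the per-IP ceiling. It goes a little beyond the post in two ways: the user range lives in an address list so it can be edited without touching the mangle rules, and both directions get the packet mark, since a simple queue only limits what it matches.

```routeros
# Added example, not from the original post. Placeholder values (assumptions):
#   192.0.2.128/25  address range of expired PPPoE users
#   192.0.2.0/24    whole PPPoE client pool
#   198.51.100.10   local FTP server
#   4M              per-IP ceiling (pcq-rate); pick what your link supports

/ip firewall address-list
add list=EXPIRED_USERS address=192.0.2.128/25 comment="expired PPPoE users"

/ip firewall mangle
# ICMP first: passthrough=no on the packet mark means ICMP never also gets the FTP mark
add chain=prerouting protocol=icmp action=mark-connection new-connection-mark=icmp-con passthrough=yes
add chain=prerouting protocol=icmp connection-mark=icmp-con action=mark-packet new-packet-mark=icmp-pkt passthrough=no
# Both directions between expired users and the FTP server get the same packet mark;
# the simple queue's target decides which direction counts as upload or download
add chain=prerouting src-address-list=EXPIRED_USERS dst-address=198.51.100.10 \
    action=mark-packet new-packet-mark=expired_ftp passthrough=no \
    comment="expired user -> FTP"
add chain=prerouting src-address=198.51.100.10 dst-address-list=EXPIRED_USERS \
    action=mark-packet new-packet-mark=expired_ftp passthrough=no \
    comment="FTP -> expired user"

# PCQ splits the flow into sub-streams, one per address, each capped at pcq-rate.
# Download sub-streams are keyed on the client's address as destination, upload
# sub-streams on the client's address as source.
/queue type
add name=pcq-ftp-down kind=pcq pcq-classifier=dst-address pcq-rate=4M
add name=pcq-ftp-up   kind=pcq pcq-classifier=src-address pcq-rate=4M

/queue simple
# max-limit caps the aggregate of all expired users; pcq-rate caps each user inside it.
# place-before=0 keeps the queue above the dynamic PPPoE queues (first match wins).
add name=expired-users-ftp target=192.0.2.128/25 packet-marks=expired_ftp \
    queue=pcq-ftp-up/pcq-ftp-down max-limit=100M/100M place-before=0
# Small dedicated queue for ICMP so pings stay responsive while the FTP queue is busy.
# priority only matters between sibling queues under a common parent; on its own, the
# separate queue is what keeps ICMP out of the FTP queue.
add name=icmp-hi-prio target=192.0.2.0/24 packet-marks=icmp-pkt \
    max-limit=128k/128k priority=1/1 place-before=0

# Checks: per-rule hit counters, then the queue's own rate and packet counters
/ip firewall mangle print stats where new-packet-mark=expired_ftp
/queue simple print stats where name=expired-users-ftp
```

To verify the per-IP cap, start transfers from two expired-user addresses at once: each should level off near 4M on its own while the queue's total rises to their sum, and a non-expired user copying from the same server should not appear in the `expired-users-ftp` counters at all.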


Syed Jahanzaib


  1. Thanks brother......... and brother, there is a spelling mistake, please correct it:
    "could also create a simple queue for FPT servers but Dynamic Queues always"
    In this line above you have written "fpt" instead of "ftp".

    Comment by usmans — August 12, 2011 @ 6:31 PM

  2. Interesting, thanks. I think you're doing a great job sharing all this information... keep it up.

    Well, can you exempt traffic accounting as well, assuming there is a Radius in place???

    I have been experimenting with Mikrotik PPPoE server and Radius Manager. I want to limit the total traffic of each user (daily/monthly) but I still want to have local FTP/HTTP services that shouldn't be counted in the users' traffic...

    I googled a lot; it doesn't seem to be possible...

    Any idea...

    Comment by Maxlee — September 11, 2011 @ 8:30 AM

    • Hmmm, that's an interesting query, and yes, it is sometimes required in some specific scenarios like yours.

      I will do some testing for your requirement and will let you know.

      One RECOMMENDED 'workaround' is to set up your FTP sharing server on a LINUX OS and place it on the user subnet. This way the user request will directly HIT the local FTP and will not go through the Mikrotik, thus it will bypass the RM accounting. Configure it to use authentication via Radius. This way users will be able to use the FTP server with / without pppoe. A POPUP will appear to the user asking for authentication, which will be verified via the RADIUS server. For more idea see the link. (FYI, RM uses FREERADIUS as its backend)

      For Windows there is an addon (costs up to 400$) which can enable your Windows-based IIS FTP to use the RADIUS server for authentication. It does the job nicely too :)

      Comment by Pinochio / zaib — September 11, 2011 @ 10:47 AM

  3. Bro, it's not working with hotspot

    Comment by usmans — September 12, 2011 @ 5:14 AM

  4. Thanks bro
    Works well for local users but not for NanoStation CPE, where the wifi CPE dials the pppoe connection without looking for an IP from the DHCP.

    In my case most of my users are behind the wifi CPE and I am trying to standardize on pppoe, no local IP traffic...

    Comment by Maxlee — September 16, 2011 @ 2:21 PM

    • When the CPE dials the pppoe connection, after a successful connection, this CPE must be getting an IP address from the pppoe server, right?

      Use that pool.

      Comment by Pinochio / zaib — September 16, 2011 @ 2:37 PM

  5. Salam brother
    Brother, this is not working with hotspot, but with pppoe it is working 100%.

    Comment by usmans — September 24, 2011 @ 1:57 AM

    • Well, it does work with Hotspot too; basically it can work in any scenario. Just modify it according to your network. Make a rule for the dst FTP address, and put it in the unlimited bandwidth pool.

      Comment by Pinochio~:) — September 24, 2011 @ 10:28 AM

  6. Sir, I want to limit simple FTP speed because I am running a wireless network; you know, in a wireless network throughput is limited compared to a cable network.
    Please help

    Comment by asif — February 2, 2012 @ 10:03 PM

  7. Sir, this is not working for me. I can ping the Mikrotik from the FTP server, but from any pppoe client the FTP server does not ping.

    Comment by Muhammad Abdullah Butt — April 9, 2012 @ 3:57 AM

    • On your FTP server, add a gateway in its TCP/IP properties, pointing to the Mikrotik.
      For example, if your mikrotik interface ip is and the ftp server ip is
      then you may define the default gateway in the FTP Server (this means you are telling the FTP server to go through the Mikrotik interface, which will have all the user info including the subnet).

      Comment by Syed Jahanzaib / Pinochio~:) — April 9, 2012 @ 8:30 AM

  8. I have tried this with hotspot, but it's not working well. Hotspot users are getting the same speed limit as defined in the scenario.
    mikrotik server
    Interface1= WAN (
    Interface2=LAN ( Hotspot and DHCP
    Interface3=Ftp (

    FTP server
    ip address=
    preferred DNS=

    Hotspot is working fine and giving the speed limit as defined inside the profile speed limit on internet traffic. After adding the ftp server, I have added the above mangle and queue rules, but I am getting these 2 errors.

    1= When I try to open \\server it does not respond, and when I type \\ then the ftp server opens. Why is it not opening with the name of the computer instead of the IP?

    2= The rate limit as defined in the hotspot profile is still applying on the ftp traffic, even though I have added the queue rules as you mentioned above.. but still the same.

    Kindly troubleshoot this scenario

    Comment by Maria — April 29, 2012 @ 1:41 PM

  9. Waiting for your reply, sir?

    Comment by Maria — May 2, 2012 @ 11:27 PM

  10. Hi,

    I have been following this blog for quite some time.

    I have been using Radius Manager along with Mikrotik for a Wi-Fi Hotspot.

    We have restricted bandwidth for Wifi users in Radius manager.

    Like, we have 2 networks; the customers of these networks should get full bandwidth without the restriction (that we have in radius manager). The restriction should be applicable only when they browse/download/upload from international sites.

    Is there any solution to this?


    Comment by Shiva Thapa — March 3, 2013 @ 3:12 PM

  11. Is it possible to assign a specific speed limit to each IP address while using an FTP server behind Mikrotik? In the above you are allowing full speed to each IP address. Is there any way to assign a specific speed limit rather than the pppoe profile limit?

    Comment by Ash — June 5, 2013 @ 3:00 PM

  12. I have successfully done it. But now I am facing another issue. I can create only one session for the FTP server. I mean to say, when I open the ftp server via \\server-ip and start copying a file from there, and at the same time from another client PC I open \\server-ip, then it breaks the previous session. Can I know why it is limiting to only 1 connection? How can I allow multiple sessions, so that all 10 PCs can open the ftp server and copy files at the same time?

    Comment by Ash — June 10, 2013 @ 1:21 PM

  13. Queue tree makes CPU load 100% when I try to download from the local server

    Comment by kidx13 — March 15, 2014 @ 5:35 PM

    • It depends on your hardware and downloads.
      To put FTP behind the DMZ, you should have a decent amount of Mikrotik CPU power, including GB connectivity.

      You should also consider having queues for FTP so that it does not bog down your Mikrotik processing.

      Comment by Syed Jahanzaib / Pinochio~:) — March 17, 2014 @ 3:58 PM

  14. Dear Jahanzaib brother,

    Assalam o Alaikum

    Jahanzaib brother, I have configured hotspot and pppoe in Mikrotik on a single interface, and I have also attached an HFS server to the Mikrotik, but the issue I am getting is that the user gets the same speed for HFS as is assigned to the user from the hotspot or pppoe profile.

    I want users to get HFS at full speed and the internet at the assigned speed only.

    Please tell me what I need to do for this?

    Ethernet 1: WAN (

    Ethernet 2: Local area network Hotspot and PPPOE (

    Ethernet 3: DHCP server with HFS i.p (

    Comment by raheel — March 27, 2014 @ 4:47 PM

  15. Dear Bro,
    my mikrotik version is 6.5

    I have a file sharing server behind the mikrotik, but my hotspot and pppoe users are still getting the assigned speed.
    I want all my Hotspot users to get full speed for HFS, or my assigned speed for the internet.

    Lan: 172.168..1.1/24 configured Hotspot and PPPoE Server for my local network
    Lan2: DHCP Server configured for only the file sharing server

    I configured from this script, but it is not working

    /ip firewall mangle
    add action=mark-packet chain=prerouting dst-address= new-packet-mark=ftp-up src-address=
    add action=mark-packet chain=postrouting dst-address= new-packet-mark=ftp-down src-address=

    /queue tree
    add limit-at=100M max-limit=100M name=ftp-up packet-mark=ftp-up parent=global queue=ftp-exempt
    add limit-at=100M max-limit=100M name=ftp-down packet-mark=ftp-down parent=global queue=ftp-exempt

    Please tell me how to assign unlimited speed on the file sharing server for mikrotik hotspot and pppoe users :(


    Comment by Raheel — March 28, 2014 @ 9:04 AM

  16. Syed Jahanzaib
    In the Mikrotik server, the FTP server speed is default according to your above configuration, but the hotspot server does not work properly...
    And the FTP server output speed is only 4MB; I am using a Mikrotik 750, and my internet package is 4MB...
    Please sir, help me with this issue...

    Comment by Adeel Riaz — June 16, 2014 @ 2:45 AM

  17. Sir,
    The above configuration is not applying, only on hot spot server downloading.... please sir, solve this issue...

    Comment by Adeel Riaz — June 17, 2014 @ 2:19 AM

  18. Has anyone successfully tried using Mikrotik version 6.4 or a lower version? (sorry for my bad english)

    Comment by Asri Rachman — September 29, 2014 @ 8:09 AM

    • For ver 6.x, you should be using simple queues.

      Comment by Syed Jahanzaib / Pinochio~:) — September 30, 2014 @ 10:10 AM

      • Can you explain what that means?
        If after making a mangle and queue tree, I also make the limit in simple queue?

        Comment by Asri Rachman — September 30, 2014 @ 1:10 PM

    • For 5.x, you can use mangle + queue tree,
      for 6.x you can use mangle + simple queues,
      they work for sure.

      Comment by Syed Jahanzaib / Pinochio~:) — October 3, 2014 @ 9:20 AM

      • Not working in 6.x; I have tested so many times, in 6.5 and 6.18 also.

        Comment by raheel — October 3, 2014 @ 11:11 AM

      • Can you share the script for mikrotik v6 with hotspot?

        Comment by Asri Rachman — October 7, 2014 @ 6:58 AM

  19. Sir, can you please make a video for this? I tried a lot but it's not working

    Comment by m — June 17, 2016 @ 5:39 PM

  20. I tried but it's not working for me, please Jahanzaib brother help.... pppoe clients are getting speed on the HFS server according to their package

    Comment by m — October 1, 2016 @ 12:21 PM
