Syed Jahanzaib Personnel Blog to Share Knowledge !

January 5, 2012

QOS with Mikrotik [Reference Guide]



QOS With Mikrotik

Following are a few example scenarios; I will add more soon.

1# Limit user traffic using PCQ (also useful for Hotspot bypassed MAC addresses)

To limit every user in 192.168.1.0/24 to 512kb per user using PCQ, use the following script.


/queue type

add kind=pcq name=download-512kb pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=524288 \
pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

add kind=pcq name=upload-512kb pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=524288 \
pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Limit every Users at 512kb using PCQ. Can be used for hotspot BYPASSED macs too. Can be used for multi purpose  Syed Jahanzaib" \
direction=both disabled=no interface=all limit-at=0/0 max-limit=0/0 name=512k-limit packet-marks="" parent=none priority=8 queue=upload-512kb/download-512kb target-addresses=192.168.1.0/24 \
total-queue=default-small

Change the bandwidth and target IP addresses to meet your local requirements.
Bandwidth examples (the pcq-rate values above are in bits per second):
512k = 524288
1mb = 1048576
2mb = 2097152
4mb = 4194304

Result as shown in the image below (image: queue-pcq-per-user).

2# Giving a specific extension low priority over other traffic

In this example we are marking traffic via mangle rules: the .iso extension is marked as low-priority traffic, and all other traffic is marked as high-priority traffic.

For example, we have 256kb of internet bandwidth in total, and we want that when users download any .iso file, it gets lower priority than other traffic such as browsing. Use the following. Note that content=iso matches the plain text "iso" anywhere in the packet payload, so it also matches unrelated data containing that string and cannot see inside encrypted (HTTPS) transfers.

/ip firewall mangle

add action=mark-connection chain=postrouting comment="Mark Conn for .iso Ext" content=iso disabled=no new-connection-mark=iso-conn passthrough=yes

add action=mark-packet chain=postrouting comment="Mark Pkts for iso-conn Ext" connection-mark=iso-conn disabled=no new-packet-mark=lo-prio-traffic-pkts passthrough=no

add action=mark-connection chain=postrouting comment="Mark Conn for all other traffic" content=!iso disabled=no new-connection-mark=hi-prio-traffic-conn passthrough=yes

add action=mark-packet chain=postrouting comment="Mark Pkts for all other traffic" connection-mark=hi-prio-traffic-conn disabled=no new-packet-mark=hi-prio-traffic-pkts passthrough=no

/queue simple add name=wan_conn_limit interface=ether1 max-limit=256k/256k

/queue simple add name=hi-prio-traffic interface=ether1 parent=wan_conn_limit packet-marks=hi-prio-traffic-pkts priority=1

/queue simple add name=lo-prio-traffic packet-marks=lo-prio-traffic-pkts interface=ether1 parent=wan_conn_limit priority=8

3# Giving specific file extensions high / limited / unlimited bandwidth

For example, you have a network where every user's bandwidth is limited to 256kb. Now you want that if a user downloads a .FLV video file, he can view/download it at unlimited speed regardless of his allowed speed limit (the 256kb package). Use the following.

First, mark all packets with the .flv extension.

/ip firewall mangle
add action=mark-connection chain=postrouting comment="Mark Conn for .flv Ext" content=flv disabled=no new-connection-mark=flv-conn passthrough=yes

add action=mark-packet chain=postrouting comment="Mark Pkts for flv-conn Ext" connection-mark=flv-conn disabled=no new-packet-mark=flv passthrough=no

Now create a queue tree entry and set unlimited or limited bandwidth for the marked packets (or allot a specific amount as per your requirements).

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=100M max-limit=100M name=Unlimited-Speed-4-Marked-Pkts packet-mark=flv parent=global-out priority=1 queue=default

You can use the same in reverse to limit the bandwidth usage of a specific extension type.

4# Giving specific ports high priority over other traffic

First we need to mark the protocol's traffic (in this example we are using SMTP, TCP port 25).

/ip firewall mangle add chain=prerouting protocol=tcp port=25 connection-state=new action=mark-connection new-connection-mark=hi_prio_conn
/ip firewall mangle add chain=prerouting connection-mark=hi_prio_conn action=mark-packet new-packet-mark=hi_prio_conn_pkts

Now we will create simple queues that give high priority to the marked packets and low priority to other packets (in this example we have a 2Mb WAN connection).

/queue simple add name=wan_conn_limit interface=ether1 max-limit=2M/2M
/queue simple add name=prio interface=ether1 parent=wan_conn_limit packet-marks=hi_prio_conn_pkts priority=1
/queue simple add name=other interface=ether1 parent=wan_conn_limit priority=8

Now SMTP traffic will get higher priority than other traffic.

5# Equal Distribution of Bandwidth for a number of users using PCQ

If you have a 512 kbps WAN connection and you want to share it equally among your users: if only one PC is active it should get the full 512 kbps, if 2 PCs are active 256 kbps each, and so on.
As shown in the image below . . .

Use the following:

/queue type add name="PCQ_download" kind=pcq pcq-rate=512k pcq-classifier=dst-address
/queue type add name="PCQ_upload" kind=pcq pcq-rate=512k pcq-classifier=src-address

/queue simple add queue=PCQ_upload/PCQ_download target-addresses=192.168.2.0/24
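To reason about what the PCQ queues in examples 1 and 5 give each user, here is an added Python model (not code from this page or from MikroTik): it converts the page's rate notation to the bit values listed under example 1 and performs the equal, per-stream-capped split that PCQ applies among active sub-streams. The function and parameter names are my own, and the demands are constructed sample values.

```python
"""Model of how a MikroTik PCQ queue splits bandwidth (added illustration,
not code from the page or from MikroTik).  PCQ keeps one sub-queue per
classifier value (dst-address for download, src-address for upload) and
serves them round-robin, so active users get equal shares of the parent
limit, each capped at pcq-rate, and what a light user leaves unused goes
to the others."""


def rate_to_bps(value):
    """Convert RouterOS rate notation to bits per second: '512k' -> 524288,
    '4M' -> 4194304, 0 -> 0 (RouterOS uses 1024-based units)."""
    text = str(value).strip()
    units = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
    if text and text[-1].lower() in units:
        return int(float(text[:-1]) * units[text[-1].lower()])
    return int(text)


def pcq_allocate(parent_limit, pcq_rate, demands):
    """Return {stream: bps}.  demands maps a stream id (e.g. a client IP) to
    the rate it would use if unrestricted; parent_limit is the simple queue's
    max-limit and pcq_rate the per-stream cap (0 = unlimited, as in RouterOS)."""
    cap = pcq_rate or float("inf")
    budget = parent_limit or float("inf")
    # a sub-queue can never take more than its demand or pcq-rate
    wanted = {s: min(d, cap) for s, d in demands.items() if d > 0}
    alloc = {}
    # water-filling: satisfy streams below the equal share, then re-split
    while wanted:
        share = budget / len(wanted)
        small = {s: w for s, w in wanted.items() if w <= share}
        if not small:
            alloc.update({s: share for s in wanted})
            break
        for s, w in small.items():
            alloc[s] = w
            budget -= w
            del wanted[s]
    return alloc


if __name__ == "__main__":
    wan = rate_to_bps("512k")  # example 5: 512k WAN, pcq-rate=512k
    print(pcq_allocate(wan, wan, {"192.168.2.10": 10_000_000}))
    print(pcq_allocate(wan, wan, {"192.168.2.10": 10_000_000,
                                  "192.168.2.11": 10_000_000}))
```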

6# Limiting a single user's bandwidth via a simple queue (watch the queue order number, since simple queues are evaluated top to bottom)

/queue simple add name="Limiting Zaib to 256kb" target-addresses=192.168.2.6 max-limit=256k/256k

7# Simple Queue with BURST

Following is a simple queue with BURST:

- Limit the user to 64kb in general.
- When the user is downloading at the full 64kbps, he will be able to burst up to 256kb for 5 seconds; after 5 seconds, the user falls back to 64kb for the next 5 seconds.

In short: 5 seconds under load at 256kbps, and the next 5 seconds at 64kbps.

/queue simple

add burst-limit=256k/256k burst-threshold=128k/128k burst-time=20s/20s direction=both disabled=no interface=all limit-at=0/0 max-limit=64k/64k name=queue1 \
packet-marks="" parent=none priority=8 queue=default-small/default-small target-addresses=172.16.0.10/32 total-queue=default-small
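To check what a burst configuration like the one above does over time, here is an added Python model of the RouterOS burst algorithm as MikroTik documents it (not code from this page or from MikroTik): the average rate of the last burst-time seconds is evaluated 16 times per burst-time, and burst-limit applies only while that average is below burst-threshold. It assumes a client that always consumes whatever rate it is allowed; the function names are my own.

```python
"""Model of the RouterOS queue burst mechanism (added illustration, not code
from the page or from MikroTik).  Every burst-time/16 seconds the router
computes the average rate of the last burst-time seconds; while that average
is below burst-threshold the queue may run at burst-limit, otherwise it falls
back to max-limit.  Rates are kbit/s, times are seconds."""
from collections import deque

SAMPLES = 16  # RouterOS evaluates the average 16 times per burst-time


def burst_schedule(max_limit, burst_limit, burst_threshold, burst_time, duration):
    """Return [(t, allowed_rate), ...] for each evaluation slot, assuming a
    client that always consumes whatever rate it is currently allowed."""
    dt = burst_time / SAMPLES
    history = deque([0] * SAMPLES, maxlen=SAMPLES)  # no traffic before start
    schedule = []
    for k in range(int(duration / dt)):
        average = sum(history) / SAMPLES
        allowed = burst_limit if average < burst_threshold else max_limit
        schedule.append((k * dt, allowed))
        history.append(allowed)  # the client uses the full allowance this slot
    return schedule


def burst_periods(schedule, duration):
    """Collapse a schedule into (start, end, rate) runs for reading."""
    periods = []
    for t, rate in schedule:
        if periods and periods[-1][2] == rate:
            continue
        if periods:
            periods[-1] = (periods[-1][0], t, periods[-1][2])
        periods.append((t, duration, rate))
    return periods


def first_burst_seconds(max_limit, burst_limit, burst_threshold, burst_time):
    """How long the initial burst lasts before the average hits the threshold."""
    for t, rate in burst_schedule(max_limit, burst_limit, burst_threshold,
                                  burst_time, 2 * burst_time):
        if rate != burst_limit:
            return t
    return 2 * burst_time


if __name__ == "__main__":
    # queue1 above: max-limit 64k, burst-limit 256k, threshold 128k, burst-time 20s
    for start, end, rate in burst_periods(burst_schedule(64, 256, 128, 20, 40), 40):
        print(f"{start:6.2f}s - {end:6.2f}s : {rate}k")
```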


8# Give specific web site assigned Bandwidth on per user basis [updated: 14th April, 2014]

For example, you want to limit bandwidth on a per-user basis for a SPECIFIC WEBSITE ONLY, let's say 4mb per user for facebook.com.
The logic is simple.
1- First create a script that adds the web site's IPs to an address list.
2- Add a scheduler that runs the above script every 5 minutes, so that even if the web site's IP changes, the list is updated accordingly.
3- Now mark connections and packets for the above created address list.
4- Add a PCQ queue type (the bandwidth that will be distributed on a per-user basis using a single simple queue).
5- Finally, add a simple queue that distributes bandwidth for the marked packets per user using PCQ.


/system script
add name=facebook-list policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="# Script to add Facebook DNS IP addresses to the address list facebook_dns_ips\r\
\n# Syed Jahanzaib / aacable@hotmail.com\r\
\n:log warning \"Script Started ... Adding Facebook DNS ip's to address list name facebook_dns_ips\"\r\
\n# walk every entry currently in the router's DNS cache\r\
\n:foreach i in=[/ip dns cache find] do={\r\
\n:local bNew \"true\";\r\
\n:local cacheName [/ip dns cache all get \$i name] ;\r\
\n# :find returns nil when the name does not contain facebook, and 0 when the name starts with it\r\
\n:if ([:typeof [:find \$cacheName \"facebook\"]] != \"nil\") do={\r\
\n:local tmpAddress [/ip dns cache get \$i address] ;\r\
\n:put \$tmpAddress;\r\
\n# list still empty: add the first address without a duplicate check\r\
\n:if ([:len [/ip firewall address-list find list=facebook_dns_ips]] = 0) do={\r\
\n:log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
\n/ip firewall address-list add address=\$tmpAddress list=facebook_dns_ips comment=\$cacheName;\r\
\n} else={\r\
\n# otherwise add the address only if it is not already in this list\r\
\n:foreach j in=[/ip firewall address-list find list=facebook_dns_ips] do={\r\
\n:if ( [/ip firewall address-list get \$j address] = \$tmpAddress ) do={\r\
\n:set bNew \"false\";\r\
\n}\r\
\n}\r\
\n:if ( \$bNew = \"true\" ) do={\r\
\n:log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
\n/ip firewall address-list add address=\$tmpAddress list=facebook_dns_ips comment=\$cacheName;\r\
\n}\r\
\n}\r\
\n}\r\
\n}\r\
\n# Script Ended..."


/system scheduler
add comment="Add Facebook IP's to address list facebook_dns_ips after every 5 minutes / zaib" disabled=no interval=5m name=add_fb_to_list_scheduler_every_5mnts on-event=facebook-list policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-date=feb/11/2014 start-time=00:00:00

Both policy lists above are the broad set the router exported; the script only reads the DNS cache and writes the address list, so read and write are all it needs, and the scheduler's policy must cover the script's.


/ip firewall mangle
add action=mark-connection chain=postrouting comment="Mark Conn for FB Site / zaib" disabled=no dst-address-list=facebook_dns_ips new-connection-mark=FB-conn passthrough=yes
add action=mark-packet chain=postrouting comment="Mark Packets for FB-CONN / zaib" connection-mark=FB-conn disabled=no new-packet-mark=FB_Packets passthrough=no


/queue type
add kind=pcq name=Download-4mb pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=4194304 \
pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=Upload-4mb pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=4194304 \
pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Limit FB speed 4mb per user using PCQ  / Syed Jahanzaib" direction=both disabled=no interface=all limit-at=0/0 max-limit=0/0 name=\
4mb_Limit_For_FB_Per_User packet-marks=FB_Packets parent=none priority=8 queue=Upload-4mb/Download-4mb target-addresses="" total-queue=default-small
Do remember, this is just an example to show you how you can twist things; you can modify it as per your requirements :)

Syed Jahanzaib

Mikrotik Limiting User Access via DHCP via /32 + Forcing Users to use your DHCP Server Only !


Recently a friend of mine who operates a local internet service in my area was annoyed by virus flooding / broadcasts and by Vypress Chat software, via which users communicate with each other and get united against the service provider :p. He can't afford to install manageable switches on his network to isolate users, so he asked for my help to isolate them. I used this little trick to minimize the network flooding and to isolate users.
But remember, it's not 100% fool proof; it just makes it a bit more difficult to scan other users, since it is easy to change the IP and MAC address when clients have full control over their PCs. At best it prevents normal/casual users, but there is nothing to stop people who are determined to do so.
If you want to isolate your clients properly, set up client isolation on the APs or do port isolation on the switch ports. Then no matter what settings a user puts on their PC, they will not be able to scan and find other hosts on the network.

In this example, the operator had a PPPoE server with a DHCP service. All users get an IP from the 10.0.0.0/8 subnet via his Mikrotik's DHCP server, so flooding from one PC is broadcast to all PCs on the network. I just changed the netmask to 32; this way a user will not be able to communicate with any other PC on the LAN, not even with the server, but can still connect to the PPPoE service because it works on MAC address broadcast. After connecting to PPPoE, the user is able to use the internet without any issue.

This trick is also useful for wireless networks where you want to minimize file sharing between users, which can also be done via the AP.

Go to IP > DHCP Server > double-click your DHCP server,
tick "Add ARP For Leases",
as shown in the image below . . .


Now go to IP > DHCP Server > Networks,
click the + icon,
in Address, type 0.0.0.0/0
in Netmask, type 32

As shown in the image below . . .


Also, if you want to ensure that only users who get IPs from your DHCP server can communicate with your server, follow the tip below.

Go to Interfaces > double-click your LAN interface,
under ARP, select reply-only


This way you force everyone to use your DHCP only; if a user manually enters an IP address on his PC, he will not be able to communicate with your server or use the internet service.

Regards
Syed Jahanzaib
