Consider the following scenario !
As you can see, FTP servers are placed behind Mikrotik DMZ, when user connects via pppoe server, dynamic queue is created for that user according to his package, lets say 512k, now the problem is this restriction also applied on local FTP server placed behind mikrotik DMZ, and we don’t want to limit speed for Local FTP.
The solution I found was to make mangle rules that mark packets TO/FROM the FTP server, and add Queue tree at my desired speed or at line speed for those marks.
This works for me. JUST MAKE SURE YOUR FTP SERVERS HAVE MIKROTIK IP AS THERE DEFAULT GATEWAY 🙂 This is important so that you can user original ip on the the FTP server rather then just mikrotik ip.
Scenario # 1 – Limit FTP queue to 3mb per user
We have FTP servers hosted in DMZ (at separate port) having ip address of 10.0.0.x series. So we will simply create address list and add ftp server’s ip addresses in it. using of address have added advantage, you can simply add remove ip directly in this list, so you wont have to touch the rules again, plus you can use script to dynamically add remove servers ip, with timeout as well.
/ip firewall address-list add address=10.0.0.10 list=FTP_SERVER add address=10.0.0.11 list=FTP_SERVER # Marking packets going to FTP Servers /ip firewall mangle add action=mark-connection chain=prerouting comment="MARK CONN GOING TO FTP SERVER " dst-address-list=FTP_SERVER new-connection-mark=ftp_conn passthrough=yes add action=mark-packet chain=prerouting comment="MARK PKTS GOING TO FTP SERVER " connection-mark=ftp_conn new-packet-mark=ftp_pkts passthrough=yes # Creating PCQ base Queue - 3mb per user /queue type add kind=pcq name=ftp-download-3MB pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=31M pcq-src-address6-mask=64 add kind=pcq name=ftp-upload-3MB pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=31M pcq-src-address6-mask=64 #- Make sure you move this simple queue on TOP, or else it will not work /queue simple add comment="Allow 3 MB FTP Download per user by zaib" name="ftp 1g" packet-marks=ftp_pkts queue=ftp-upload-3MB/ftp-download-3MB target=""
Scenario #2:
172.16.0.0/16 are my pppoe client ip pool.
192.168.250.0/24 is FTP server pool. Behind Mikrotik DMZ.
On mikrotik, I created following rules and FTP servers exempted from dynamic queue rate limit and ftp data delivered at LAN speed , all works ok 🙂
[Mikrotik 5.x ROS Code]
/ip firewall mangle add chain=prerouting src-address=172.16.0.0/16 dst-address=192.168.250.0/24 action=mark-packet new-packet-mark=ftp-up /ip firewall mangle add chain=postrouting dst-address=172.16.0.0/16 src-address=192.168.250.0/24 action=mark-packet new-packet-mark=ftp-down /queue type add name=ftp-exempt kind=sfq /queue tree add name=ftp-up parent=global-in packet-mark=ftp-up queue=ftp-exempt max-limit=100M /queue tree add name=ftp-down parent=global-out packet-mark=ftp-down queue=ftp-exempt max-limit=100M
ANOTHER EXAMPLE TO MARK TRAFFIC FROM SPECIFIC CLIENTS GOING TO X.X.X.X LOCATION.
for MIKROTIK 6.XX
Scenario:
We want to mark traffic from specific users like expired users, and mark there traffic going to FTP Server, and limit there speed per ip.
IP POOL INFO:
pppoe-pool = 172.16.0.0/16
EXPIRED pool = 192.168.255.0/24
FTP Server = 10.0.0.100
First mark traffic in mangle section , SOURCE should be EXPIRED USERS IP SUBNET , and DESTINATION should be FTP SERVER IP.
/ip firewall mangle add action=mark-packet chain=prerouting comment="MARK TRAFFIC of EXPIRED USERS GOING TO FTP SERVER" dst-address=10.0.0.100 new-packet-mark=expired_users_ftp_access passthrough=no src-address=192.168.255.0/24 # Now add queue in TYPE for per user implementation, 32kb per ip /queue type add kind=pcq name=ftp-download-32k pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64 add kind=pcq name=ftp-upload-32k pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64 # Finally add SIMPLE queue that will limit 32k per ip (only expired pool) /queue simple add comment="FTP for EXPIRED USERS / 32kb PER USER " name="ftp queue 32k for expired users pool" packet-marks=expired_users_ftp_access queue=ftp-upload-32k/ftp-download-32k target=""
Another Example to mark traffic going to FTP Server using MANGLE ,and restrict per user bandwidth using PCQ [updated 26-JAN-2016]
FTP SERVER IP = 10.0.1.5 AND 10.0.1.6
FOLLOWING code will mark traffic for 1.5 and 1.6 and in queue it will create pcq base bandwidth to restrict 4mb per user. Also it will give priority to ICMP packets as well.
/ip firewall mangle # MARK ICMP PACKETS add action=mark-connection chain=prerouting new-connection-mark=icmp-con protocol=icmp add action=mark-packet chain=prerouting connection-mark=icmp-con new-packet-mark=icmp-pkt passthrough=no protocol=icmp # ACCEPT FTP TRAFFIC , BYPASS PCC add chain=prerouting comment="accept server4 n radius from being processed by PCC / zaib" dst-address-list=ALLOWED_SERVERS # MARK TRAFFIC GOING TO FTP LIKE .15 AND 1.6 add action=mark-packet chain=prerouting comment="MARK TRAFFIC GOING TO FTP SERVER _ 1.6" new-packet-mark=ftp_1.6 passthrough=no src-address=10.0.1.6 add action=mark-packet chain=prerouting comment="MARK TRAFFIC GOING TO FTP SERVER _ 1.5" new-packet-mark=ftp_1.5 passthrough=no src-address=10.0.1.5 # CREATE PCQ BASE QUEUE / 4 MB PER USER /queue type add kind=pcq name=ftp-download-4MB pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=40M pcq-src-address6-mask=64 add kind=pcq name=ftp-upload-4MB pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=40M pcq-src-address6-mask=64 # CREATE QUEUE TO GIVE HIGH PRIORITY TO ICMP AND FTP /queue simple #ICMP add max-limit=128k/128k name=ICMP_Hi_Priority packet-marks=icmp-pkt target="" #FTP add name=FTP_10.0.1.6_DOWN_LIMIT packet-marks=ftp_1.6 queue=ftp-upload-4MB/ftp-download-4MB target="" add name=FTP_10.0.1.5_DOWN_LIMIT packet-marks=ftp_1.5 queue=ftp-upload-4MB/ftp-download-4MB target=""
Regqard’s
Syed Jahanzaib
Syed Jahanzaib - Personal Blog to Share Knowledge ! 