nubie
just joined
Topic Author
Posts: 18
Joined: Mon Dec 21, 2009 9:40 am

limit bandwidth on some website/based port

Thu Dec 09, 2010 7:53 am

Hi all, I need some advice please. Is there any way to limit bandwidth based on port (e.g. limit only ports 80 & 443, and leave POP & SMTP open)?
And how do I limit bandwidth for certain websites, so that if IP 10.10.0.1 wants to access facebook, rapidshare, etc. the bandwidth will be limited? I've tried using dst-address but the limit does not work and browsing is still fast.
What else should I check about this?

Please advise, and thanks a lot.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: limit bandwidth on some website/based port

Thu Dec 09, 2010 4:21 pm

Use packet marks in mangle to mark the packets, and include "protocol=tcp dst-port=80,443". Then make queues based on the packet marks.

You cannot go based on host name in DNS form (www.Facebook.com), you have to figure out the IPs they use, add them to a firewall address list, and then refer to it in the same mangle rule via dst-address-list.

Really, RouterOS by itself is a rather poor tool for what you are trying to do. There are specialized tools for content filtering and policing.
 
nubie
just joined
Topic Author
Posts: 18
Joined: Mon Dec 21, 2009 9:40 am

Re: limit bandwidth on some website/based port

Fri Dec 10, 2010 3:22 am

Thanks for your reply fewi, I have tried using mangle first too:
 /ip firewall mangle> add chain=prerouting protocol=tcp dst-port=80,443 action=mark-packet new-packet-mark=test passthrough=yes
and in the simple queue I just added the packet marks based on the mangle rule, but it's not working and when I browse the web the speed is the same. Need advice please.

fewi, sorry, I need more enlightenment please about the second part of your explanation: can I just write the destination IP I want to limit in the dst-address (simple queue), or must I put it in the mangle and then mark the packet like the case above?
If I can put the IP I want to limit in the dst-address (simple queue), it doesn't work for me, because I have tested it.

Right now I have set up the internet connection using the MikroTik web proxy; is that related to why my mangle rule does not work?

Sorry about this question, and thanks a lot.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: limit bandwidth on some website/based port

Fri Dec 10, 2010 3:39 am

It would go into the mangle rule, not the queue.

And yes, the proxy is why this isn't working. Using a proxy means there are two connections: from client to proxy, then from proxy to server.

Change the mangle chain to 'output'. I should have been more explicit: you also need to track connections with connection marks and mark packets based on them.

Using a proxy makes this somewhat futile. It makes sense to limit traffic through the router, but with the inbound traffic terminating on the router proxy process you've already used bandwidth to get it there - why rate limit that? And since the connection back to client is separate and cannot be determined to be connected you cannot rate limit that leg. Using a proxy and a rate limit is - in my opinion - pointless. Though since you use a destination address list you could not proxy traffic to just those destinations by accepting that traffic before redirecting everything else to the proxy.
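
The pieces described in this thread put together, as an added example that is not part of the original posts: an address list, a NAT exemption from the proxy, connection and packet marks, and a queue on the mark. It assumes RouterOS v6 or later syntax (older releases use `target-addresses` in simple queues), a 10.10.0.0/24 LAN, and an existing redirect-to-proxy rule in dstnat; the list name, mark names, destination addresses and rate are placeholders.

```routeros
# Added example. All names, addresses and limits below are placeholders.

# 1. Destinations to throttle. Host names cannot be matched, so the IPs
#    the sites use have to be collected and listed by hand.
#    192.0.2.0/24 and 198.51.100.10 are documentation addresses.
/ip firewall address-list
add list=limited-sites address=192.0.2.0/24 comment="placeholder range"
add list=limited-sites address=198.51.100.10 comment="placeholder host"

# 2. Exempt those destinations from the web proxy so the traffic is routed
#    through the router instead of terminating on it. This rule must be
#    moved above the existing redirect-to-proxy rule in chain dstnat.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 dst-address-list=limited-sites action=accept comment="bypass proxy for limited sites"

# 3. Mark the connection on its first packet, then mark every packet that
#    belongs to it. The second rule also catches the replies, which the
#    dst-port match alone would miss.
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80,443 dst-address-list=limited-sites connection-state=new action=mark-connection new-connection-mark=limited-conn passthrough=yes
add chain=prerouting connection-mark=limited-conn action=mark-packet new-packet-mark=limited-pkt passthrough=no

# 4. Rate limit on the packet mark (upload/download). Mail traffic
#    (POP/SMTP) never receives the mark, so it is not limited.
/queue simple
add name=limited-web target=10.10.0.0/24 packet-marks=limited-pkt max-limit=256k/256k
```

The packet counters on the two mangle rules show whether traffic is being matched; if they stay at zero, the NAT exemption is probably still below the proxy redirect rule.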
 
nubie
just joined
Topic Author
Posts: 18
Joined: Mon Dec 21, 2009 9:40 am

Re: limit bandwidth on some website/based port

Fri Dec 10, 2010 4:08 am

Thanks for your enlightenment fewi, it explains a lot for me and also really helped me figure out this issue.


cheers,
