Hi,
Please take a look at the diagram of my network.
I need to limit the download speed for clients in different VLANs. To use the Queue Tree I need to write Mangle rules.
How do I mark only those packets that come from the Internet to users, and exclude inter-VLAN traffic?
[admin@GH] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=192.168.1.1/24 network=192.168.1.0 interface=vlan1 - Management
actual-interface=vlan1 - Management
1 address=178.72.90.12/27 network=178.72.90.0 interface=ether1-gateway
actual-interface=ether1-gateway
2 address=192.168.5.1/24 network=192.168.5.0 interface=vlan5 - Free Wi-Fi
actual-interface=vlan5 - Free Wi-Fi
3 address=192.168.10.50/24 network=192.168.10.0 interface=valn10 - Rkeeper
actual-interface=valn10 - Rkeeper
4 address=192.168.11.1/24 network=192.168.11.0 interface=vlan11 - Bank
actual-interface=vlan11 - Bank
5 address=192.168.150.1/24 network=192.168.150.0 interface=vlan500 -Fedor
actual-interface=vlan500 -Fedor
6 address=192.168.12.1/24 network=192.168.12.0
interface=vlan12 - Unspecified devices
actual-interface=vlan12 - Unspecified devices
7 address=192.168.4.1/24 network=192.168.4.0 interface=vlan4 - Wi-Fi corporat>
actual-interface=vlan4 - Wi-Fi corporate
8 address=192.168.6.1/24 network=192.168.6.0 interface=vlan6 - Office PCs
actual-interface=vlan6 - Office PCs
9 address=192.168.7.1/24 network=192.168.7.0 interface=vlan7 - Video
actual-interface=vlan7 - Video
10 address=192.168.13.1/24 network=192.168.13.0 interface=vlan13 - Guests
actual-interface=vlan13 - Guests
11 D address=192.168.9.100/32 network=192.168.9.1 interface=<l2tp-ranevskaya>
actual-interface=<l2tp-ranevskaya>
[admin@GH] >> interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R ether1-gateway ether 1500 1526 1526
1 R ether2-local ether 1500 1520 1520
2 ether3-local ether 1500 1520 1520
3 ether4-local ether 1500 1520 1520
4 ether5-local ether 1500 1520 1520
5 R vlan11 - Bank vlan 1500 1516
6 R vlan1 - Management vlan 1500 1516
7 R vlan5 - Free Wi-Fi vlan 1500 1516
8 R valn10 - Rkeeper vlan 1500 1516
9 X GH-Ranevskaya eoip-tunnel 1500
10 X GH-Ranevskaya Bridge bridge 1500
11 R vlan500 -Fedor vlan 1500 1516
12 R vlan12 - Unspecified devices vlan 1500 1516
13 R vlan4 - Wi-Fi corporate vlan 1500 1516
14 R vlan6 - Office PCs vlan 1500 1516
15 R vlan7 - Video vlan 1500 1516
16 R vlan13 - Guests vlan 1500 1516
17 DR <pppoe-reception> pppoe-in 1480
18 DR <l2tp-ranevskaya> l2tp-in 1460
[admin@GH] >> ip firewall export
# may/06/2012 17:21:57 by RouterOS 5.15
# software id = CW3N-DADX
#
/ip firewall connection tracking
# Connection tracking must stay enabled: the mangle connection/packet marks
# and the connection-state matches in the filter below depend on it.
# Most timeouts are short (5-10s); only tcp-established is kept for 1d.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Rules are evaluated top-down per chain; the first accept/drop that matches
# ends evaluation, so the order below is significant.
# forward: the only transit rule. It drops P2P arriving on the WAN side; there
# is no drop for other unsolicited WAN->LAN traffic, so protection of the
# VLANs relies on the NAT below not translating inbound connections.
# NOTE(review): a connection-state=invalid drop in forward is a common
# addition here — confirm against the intended policy.
add action=drop chain=forward disabled=no in-interface=ether1-gateway p2p=\
all-p2p
# input: WinBox (8291/tcp) is reachable from any Internet address.
# NOTE(review): management exposed to the whole Internet; consider limiting
# this rule with src-address= to known admin addresses, or reaching WinBox
# only through the VPN tunnels accepted below.
add action=accept chain=input comment="access to WinBox from Inet" disabled=no \
dst-port=8291 in-interface=ether1-gateway protocol=tcp
# input: VPN server ports opened on the WAN side — PPTP control (1723/tcp)
# plus its GRE transport, and L2TP (1701 tcp+udp). No IPsec (500/4500/ESP)
# rules exist, so the L2TP server appears to run without IPsec — confirm.
# PPTP is widely considered obsolete from a security standpoint.
add action=accept chain=input disabled=no dst-port=1723 in-interface=\
ether1-gateway protocol=tcp
add action=accept chain=input disabled=no in-interface=ether1-gateway protocol=\
gre
add action=accept chain=input disabled=no dst-port=1701 in-interface=\
ether1-gateway protocol=tcp
add action=accept chain=input disabled=no dst-port=1701 in-interface=\
ether1-gateway protocol=udp
# Disabled placeholder chain; matches nothing while disabled=yes.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
# input: ICMP accepted from every interface (no in-interface restriction).
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
# input: stateful accept for WAN replies, then drop everything else that
# arrives on the WAN interface. Nothing filters input from the VLAN or
# tunnel interfaces, so with the chain's default accept every router
# service is reachable from every VLAN (Free Wi-Fi and Guests included) —
# confirm that this is intended.
add action=accept chain=input comment="default configuration" connection-state=\
established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=\
related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway
/ip firewall mangle
# Marks download traffic of vlan7 (192.168.7.0/24) for the queue tree.
# Rule 1 connection-marks every forwarded connection carrying packets sourced
# from 192.168.7.0/24, including connections to other VLANs: there is no
# out-interface/dst-address restriction. To keep inter-VLAN traffic
# unmarked, add out-interface=ether1-gateway (or dst-address=!192.168.0.0/16)
# to this rule.
add action=mark-connection chain=forward disabled=no new-connection-mark=\
"vlan7 con-down" passthrough=yes src-address=192.168.7.0/24
# Rule 2 packet-marks only packets of those connections that arrive on the
# WAN interface, i.e. the download direction, and only TCP (protocol=tcp):
# UDP downloads are never packet-marked and therefore escape the queue.
add action=mark-packet chain=forward connection-mark="vlan7 con-down" disabled=\
no in-interface=ether1-gateway new-packet-mark="vlan7 packet down" \
passthrough=yes protocol=tcp
/ip firewall nat
# One srcnat masquerade rule per network that is allowed to the Internet.
# 192.168.40.0/24, 192.168.44.0/24 and 192.168.50.0/24 do not appear in
# /ip address; presumably PPPoE address pools — verify against /ppp.
# to-addresses=0.0.0.0 on some rules looks like a leftover; as far as I can
# tell masquerade uses the out-interface address regardless — confirm.
# 192.168.1.0/24 (Management) and 192.168.12.0/24 (Unspecified devices)
# have no masquerade rule and therefore no Internet egress via this NAT.
add action=masquerade chain=srcnat comment="PPPoE Server" disabled=no out-interface=ether1-gateway \
src-address=192.168.40.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="PPPoE Server Wi-Fi corporate" disabled=no out-interface=\
ether1-gateway src-address=192.168.44.0/24 to-addresses=0.0.0.0
# vlan11 - Bank (uncommented in the export)
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gateway src-address=192.168.11.0/24
add action=masquerade chain=srcnat comment="vlan10 PPPoE" disabled=no out-interface=ether1-gateway \
src-address=192.168.50.0/24
add action=masquerade chain=srcnat comment="vlan6 - Office users" disabled=no out-interface=\
ether1-gateway src-address=192.168.6.0/24
add action=masquerade chain=srcnat comment="vlan7 - Video" disabled=no out-interface=ether1-gateway \
src-address=192.168.7.0/24
add action=masquerade chain=srcnat comment="vlan4 - Wi-Fi corporate" disabled=no out-interface=\
ether1-gateway src-address=192.168.4.0/24
# Disabled placeholder chain; matches nothing while disabled=yes.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes \
to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no out-interface=\
ether1-gateway src-address=192.168.5.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="Fedor " disabled=no out-interface=ether1-gateway src-address=\
192.168.150.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="vlan13 - Guests internet" disabled=no out-interface=\
ether1-gateway src-address=192.168.13.0/24