Bandwidth limiting...need some good examples

I just upgraded some Mikrotiks to 2.9.23 that are covering an apartment complex. Does anyone have some good firewall and bandwidth limiting examples that they want to share? The rules in the docs are very basic. I assume that I also need to limit connections per client? If there is some information out there I can use with my Mikrotik, I would greatly appreciate it.

Thanks,
Steve

Are you using RADIUS to authenticate clients and PPPoE? You can set the bandwidth limiting preferences through the RADIUS controls. If they are static, a simple queue per user will suffice.

As far as firewalling goes, it is going to be best to firewall the whole box. I am not sure how to do dynamic firewall rules on PPPoE, or if it is even possible. This could be tested with the ascend packet in/out filters, but the question still is will it work at all? Anybody else have an answer for this?

Some basic rules can be created for your firewall if you want to give an example of what all you are trying to block inbound. Outbound filters are very similar, but include what you are looking for.

The bottom line is that the question is too vague.

http://wiki.mikrotik.com/wiki/MikroTik_RouterOS

Regards

Andrew

Do all clients have the same bandwidth capacity UP and DOWN?

Regards

faton

The network is pretty open. I’m allowing all access but I wanted to limit download speed per user to about 512K and upload to about 128K. Then within that, limit P2P traffic to 64k up and down, and also block numerous connections to limit virus/spyware activity. Any suggestions on this specifically?

Thanks,

Steve

I’m trying to set up like what you are requesting but unfortunately, no success. And as far as I know, no one has done that. I’m trying to set up PCQ 1.5Mbps/256Kbps per connection and within that, limit P2P down to 128K/128K.

Oh, by the way, if you want to just limit per connection to 512Kb/128Kb, you can use simple queue or queue tree.

Add two PCQ queue types:
download-limit 512K
upload-limit 128K

In simple queue, add target-address subnet (your client ip subnet say 123.123.123.0/24), setup Upload Limit queue type to “upload-limit” and Download-Limit queue type to “download-limit”.

Now your client is limited.

As for viruses, use filter to drop the viruses.

For queue tree, you’ll need to mangle your packets, but for simple queue, all you need is the IP address subnet.

Here’s the config from my firewall. I substituted the real IPs with 123.123.x.x. This config will limit each IP to 1600K/256K on a DS3 pipe.

[sysadmin@LAX-Firewall] queue simple> pr
Flags: X - disabled, I - invalid, D - dynamic
0 name="Global Traffic" target-addresses=123.123.121.0/24,123.123.122.0/24,123.123.123.0/24,123.123.127.0/24,123.123.128.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=5 limit-at=0/0 max-limit=35000000/35000000 total-queue=default

1 name="Management" target-addresses=123.123.128.0/24 dst-address=0.0.0.0/0 interface=all parent=Global Traffic direction=both priority=1 queue=default/default limit-at=0/0 max-limit=0/0 total-queue=default

2 name="Tenants" dst-address=0.0.0.0/0 interface=all parent=Global Traffic direction=both priority=8 queue=outbound-limit/inbound-limit limit-at=0/0 max-limit=0/0 total-queue=default

[sysadmin@LAX-Firewall] queue type> pr
0 name="inbound-limit" kind=pcq pcq-rate=1600000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000

1 name="outbound-limit" kind=pcq pcq-rate=256000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000

I need some help. Before now my network was very bad until we used the config below. It works, but there are some sites that just don’t work, and we are not able to sign in to http://www.mail.yahoo.com, hotmail.com, gmail.com and Yahoo Messenger. When I increase the pcq rate the link will be slow and can’t even open a webpage.

/ queue type
add name="pcq-download" kind=pcq pcq-rate=64000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq-upload" kind=pcq pcq-rate=34000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000
add name="default-small" kind=pfifo pfifo-limit=10
/ queue tree
add name="Upload" parent=internet packet-mark=users limit-at=0 queue=pcq-upload priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Download" parent=dhcp packet-mark=users limit-at=0 queue=pcq-download priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
[admin@SCPC] queue>

Don't post the same more than one time please…