bandwidth limiting question for random IPs on a public block

Below is my configuration.
IP addresses are all public, but changed due to security concerns.

ISP -----------------> MIKROTIK ------------------------> Layer 2 SWITCH -----> COLO SERVERS
212.1.2.15------wan: 212.1.2.16/32 lan: 88.1.1.1/24 --------------------------88.1.1.2 - 88.1.1.253

All main routing is done from the ISP side. The 88.1.1.1/24 IP block is routed serially over 212.1.2.16 by my ISP.
I have got 10 servers for colocation, each has 5-10 IP addresses, but not matching CIDR rules. For example:

colo server1 ips: 88.1.1.2, 88.1.1.6, 88.1.1.200 ...
colo server2 ips: 88.1.1.56, 88.1.1.78, 88.1.1.112 ...
colo server3 ips: 88.1.1.3, 88.1.1.34, 88.1.1.98 ...
etc...

What I want to do is limit bandwidth for each of these colo servers, for example:
colo server1 gets 2 Mbit upload / 10 Mbit download
colo server2 gets 4 Mbit upload / 4 Mbit download
colo server3 gets 6 Mbit upload / 1 Mbit download, etc.

I tried 2 different ways for this:
1- Limiting the server by MAC address:
First, the mangle rules:

0 chain=prerouting action=mark-packet new-packet-mark=colo-server1 passthrough=yes src-mac-address=00:33:A4:76:5B:80

Then the simple queue rules:

0 name="colo server 1" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=colo-server1 direction=both priority=8 queue=default/default limit-at=1000000/0 max-limit=1000000/0 total-queue=default-small

NOT WORKING for download: graphs are not useful, bla bla...

2- Limiting the server by IP addresses:
First create an IP address list for the servers:
0 colo-server1 88.1.1.2
1 colo-server1 88.1.1.6
2 colo-server1 88.1.1.200

Then the mangle rules:

5 chain=prerouting action=mark-packet new-packet-mark=colo-server1 passthrough=no src-address-list=colo-server1

6 chain=prerouting action=mark-packet new-packet-mark=colo-server1 passthrough=no dst-address-list=colo-server1

Then the simple queue:

4 name="colo server 1" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=colo-server1 direction=both priority=8 queue=default-small/default-small limit-at=2000000/1000000 max-limit=2000000/1000000 total-queue=default-small

NOT WORKING as expected. Graphs are not as expected.
Maybe it works if I create 2 separate simple queue rules for upload and download.

I know that my rules are nowhere near perfect. But I just wanted to demonstrate what I am trying to do.

Anyway, back to my original question:
How can I limit bandwidth for IP address lists not matching CIDR rules?

static-x -

Looks like you are trying to handle traffic to/from your colo servers. You almost have it with what you have above.

Try this:
add chain=prerouting dst-address-list=colo-server1 in-interface=XX connection-state=new action=mark-connection new-connection-mark=colo-server1 passthrough=yes

add chain=prerouting dst-address-list=colo-server1 in-interface=XX action=mark-connection new-connection-mark=colo-server1 passthrough=yes

add chain=prerouting connection-mark=colo-server1 action=mark-packet new-packet-mark=colo-server1-packet passthrough=no


**Note:** in-interface would be the Internet side of your MT, not the server side.

  1. Mark new connections (if any) going to the dst-address list of colo-server1
  2. Mark existing connections (once a connection is marked by ‘new-connection’, the subsequent data packets will not be marked unless we use this rule to mark them - why - because they are not ‘new’ anymore…)
  3. Using the connection mark, mark ALL packets to the dst-addresses of colo-server1

Now you can use the queues to control up/down traffic based on the packet mark. This should control both data to the server and data the server serves up to the Internet.

You may need to adjust the depth of the queues to handle bursts of data. You cannot control how fast the data is sent to the MT, and you certainly would like to avoid re-transmissions of the data, so watch your queue depth: 10 packets, 50 packets, maybe even 500 packets deep.


Thom

Hi Thom,
I tried your rules.
But it’s still not working as I wanted.

It seems like upload and download bytes are equal after adding a simple queue for this colo-server1-packet mark.

Maybe I am doing something wrong when adding the simple queue rule.

Can you please also write how to add the simple queue rule after your rules above?

static-x
Why don’t you post what you have now…that would make it easier than me guessing…

Post your mangle rules (firewall) and your queue rules.

You can send them to me directly if you don’t want them on the forum…my email address is in my signature below.

Thom

OK, I will send them to your email now.
After this, if we can find a solution, I will be very happy to post it here.

I am using MikroTik v3.0 rc11.
After some emails and some tests, the solution to my problem is very, very easy.
I don’t know why I did not test this before.
Thom suggested putting the IPs on a single queue rule, not using any address lists or any mangle rules, and this works as expected.

Here is the solution.

If you have a setup like mine (which you can read above) and want to cap servers with IP addresses which do not follow any CIDR or subnet rules behind a MikroTik, all you have to do is add the IP addresses to a single simple queue like this:

x name="CAPPED COLO SERVER 1" target-addresses=88.1.1.2/32,88.1.134/32,88.1.1.167/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=512000/1000000 max-limit=512000/1000000 total-queue=default-small

1- Create a simple queue as you want.
2- Add the IP addresses belonging to your server to the target-addresses directive.

That’s all.
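To apply this to all ten servers without hand-typing each queue line, here is an added helper (my own example, not from the thread or from MikroTik) that turns a per-server map of IPs and Mbit limits into the simple-queue commands above. It also validates the map first, because a typo such as an address missing an octet or one IP listed under two servers silently produces a queue that never matches; the server names, IPs and limits below are constructed from the thread's own examples, and `target_param` defaults to the `target-addresses` name used on this RouterOS v3 page (newer releases call the parameter `target`).

```python
"""Generate MikroTik simple-queue commands for colo servers whose IPs are not one CIDR block."""
import ipaddress

# Constructed sample from the thread: the routed block and three of the ten servers.
# Limits are upload/download from the server's point of view, as in max-limit=up/down.
COLO_BLOCK = ipaddress.ip_network("88.1.1.0/24")
SERVERS = {
    "colo server 1": {"up_mbit": 2, "down_mbit": 10, "ips": ["88.1.1.2", "88.1.1.6", "88.1.1.200"]},
    "colo server 2": {"up_mbit": 4, "down_mbit": 4, "ips": ["88.1.1.56", "88.1.1.78", "88.1.1.112"]},
    "colo server 3": {"up_mbit": 6, "down_mbit": 1, "ips": ["88.1.1.3", "88.1.1.34", "88.1.1.98"]},
}


def mbit(n):
    """RouterOS limits are plain bits per second; 2 Mbit -> 2000000."""
    return n * 1_000_000


def validate(servers, block=COLO_BLOCK):
    """Reject malformed addresses (e.g. '88.1.134'), addresses outside the routed block,
    and an IP assigned to two servers (only the first queue would ever match it).
    Returns the ip -> server map on success."""
    seen = {}
    for name, spec in servers.items():
        for ip in spec["ips"]:
            addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            if addr not in block:
                raise ValueError(f"{ip} is not inside {block}")
            if ip in seen:
                raise ValueError(f"{ip} assigned to both {seen[ip]} and {name}")
            seen[ip] = name
    return seen


def queue_command(name, spec, target_param="target-addresses"):
    """One /queue simple line: all of the server's IPs as /32 targets, up/down limits."""
    targets = ",".join(f"{ip}/32" for ip in spec["ips"])
    up, down = mbit(spec["up_mbit"]), mbit(spec["down_mbit"])
    return (f'/queue simple add name="{name}" {target_param}={targets} '
            f'max-limit={up}/{down} limit-at={up}/{down} '
            'queue=default-small/default-small total-queue=default-small')


def build_script(servers, target_param="target-addresses"):
    """Validate the whole map, then emit one command per server in the given order."""
    validate(servers)
    return [queue_command(n, s, target_param) for n, s in servers.items()]


if __name__ == "__main__":
    print("\n".join(build_script(SERVERS)))
```

Paste the printed lines into the RouterOS terminal; `limit-at` is set equal to `max-limit` here only because that is what the thread's own queue does, and you can lower it if you want guaranteed rather than hard caps.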

The interesting thing is that although I searched the forums, wiki and manuals several times, I never read anywhere that this will work for different IPs which do not belong to a subnet. Anyway, this works as I wanted, in such an easy way.

Many thanks to Thom, who helped me with this problem.