"Comcast"-like bandwidth limiting

Is there a way with the ROS to have “Comcast”-like bandwidth limiting, i.e. not based on customers’ IP addresses or even their client MAC addresses, but on the single MAC address of the customer’s end/edge device (i.e. wired or wireless router/switch) that all of the customer’s clients would connect through?

To do that, you’d need to have the CPE at the client’s house NAT from its IP address (WAN IP) to a DHCP server or whatever you like on the RouterBOARD, so that the IP address of the CPE was in a queue. Then anything connected to the CPE would automatically be limited by the queue on the AP, or wherever you had it. RADIUS would also accomplish this.

Cable modems perform QoS on the modem itself, at the customer site. If you have control of the CPE (RouterOS) you can do the same thing.

Comcast must perform QoS at the modem level, as my personal Comcast public IP can change but my up and down bandwidth remains the same.

Unfortunately:

  • The switches we’re using for CPE devices don’t do QoS,
  • DHCP is being passed out from our MikroTik to and through the CPEs directly to the clients or to their routers (like Comcast would do)
  • We’re not recording the MAC addresses of each device a customer has (as Comcast wouldn’t do)
  • We’re not recording the host names of each device a customer has (as Comcast wouldn’t do)

With all these limitations, I’m not certain I could do unique bandwidth control on a user-by-user basis (i.e. customer X gets 1/1, customer Y gets 5/5).

Are you kidding? What’s the problem with differentiating the users by IP address?

It depends on your specific network. If you want to link a MAC address to a bandwidth limit - it can be done with scripts.

Tell us more about the specific limitation you may be experiencing, put in the context of your network, and we will have a chance to come up with a more specific solution :slight_smile:

Our network is a geographically dispersed wired network with consistent monthly subscribers, each with multiple networked devices (desktops, laptops, printers, TiVos, iPods, Xboxes, PS3s, etc.).

  • Like Comcast, our CPE devices are on a separate IP network from our customer IP network for management purposes.
  • Like Comcast, our customers receive IPs via DHCP from our router.
  • Unlike Comcast, we only give out private NAT’ted IPs, and we give out as many private IPs as the customer needs (in essence, providing the function a customer’s router would provide)
  • Like Comcast, we don’t care if a customer has a single device behind their CPE or a router with multiple devices.
  • Like Comcast, we keep track of our CPE information, but we won’t know the IP or MAC address of each device our hundreds (and eventually thousands) of customers will have, nor will we keep track of the IP address that our CPE devices receive from the main DHCP server (although we could, as our CPEs come from the same manufacturer and have the same first six MAC address characters, and we statically set their IPs using scripts).

Therefore, I would like to do bandwidth control by the MAC address of each CPE that we install between our network and the customer’s home, regardless of what they have behind the CPE.

The simplest solution would be to purchase CPEs that are QoS-capable and do bandwidth control at that level. However, for this particular batch of CPEs we didn’t. Therefore, is there a way the ROS can recognize what CPE MAC address any and all customer traffic is coming through, and apply bandwidth controls based on the CPE’s MAC address that would affect said traffic?

Contradiction: your DHCP serves all customers’ devices, then the CPE is a switch?

The CPE has a MAC address, then the CPE is a NAT router?

Correct, the CPE is a switch (albeit one with additional features - SIP, VLANs, IGMP) with a MAC address, but it switches/passes all traffic to the RB600 which serves DHCP and performs the NAT function under /ip firewall nat.

In any case, let’s say the customer plugs a bunch of hosts into the CPE and somehow, I don’t know how, all that traffic comes and goes to the MAC address of the CPE. In this case you can mangle the traffic by source MAC address: mark the connection first and then mark the packets of that connection for downstream and upstream.

In the case where each user’s device comes with its own MAC address, which I guess is the case, you could make that fancy switch CPE of yours add a VLAN tag that is different for each user (~4090–4096 different VLANs maximum), then add those VLANs inside the RouterBOARD and you can mangle and do your magic and differentiate between each user’s traffic :slight_smile:

If your case is different - tell me and I will come up with something :smiley: lol.

I’m sorry it took so long to reply; I’ve been busting my hump on this without resolution.

Basically, I need to know if Ethernet headers contain the MAC address of every switch a packet passes through. I don’t think there is enough room in a header to accomplish this, but I thought I would ask.

The situation is as you described: clients with their MACs are connecting to a switch, which is then connected to two other switches before their packets reach my router. I would like to perform QoS bandwidth limiting on the MAC of the first switch those packets encounter once they leave the client, but I don’t think this is possible.

VLANs are a good idea, but unfortunately our entire network is VLANed and I would have to enter VLANs for hundreds of clients in at least 6 switches throughout the installation to make this doable. While I could sit down and do this, I’d rather not.

A switch will not change a MAC, it just forwards one. And it can only flow through a max of 2 switches before it has to be layer 3 routed or bridged.

So your main issue is that you are seeing ALL of the clients’ MACs, and not your CPE’s MAC?

Sorry to contradict, but that kind of sounds like some version of the 5-4-3 rule, which only really applies to 10BASE-T on old hardware. You easily can (though not necessarily should) have more switches on a modern network.

talktozee, don’t add VLANs on the switches those frames pass through! You have “trunking” (IEEE 802.1Q) for that.

So you are worried about configuration and management overhead, too much work, too complex config?

If you see all the MAC addresses of every device the client connects to their CPE, that CPE is a switch and it does not add anything to the frame: no MAC address, nothing. The only thing it can add that is useful for you is a VLAN tag! Or give us the datasheet of the CPE to see if there is another option!!!

So you are running a commercial operation and you ask these questions? Hire a Network Administrator.

NetworkPro: for everything between the CPE and the network closet we’re using Allied Telesyn switches, which are a first for me. Do they have something like VTP?

I’m not averse to too much work, but in IT there’s usually an optimal path from problem to solution; I’m simply trying to find that path.

As was previously stated, yes, the CPE devices are switches so they’re simply passing the MACs of the clients behind the switch. The switches are Telco Systems EdgeGate 232s; the publicly available datasheets are slim, but the switches act as any switch does so there isn’t much to find out.

This particular network design was made mandatory by a vendor we use. Yes, this is a commercial operation. No, I’m not a bona fide network admin. But I’m what they have, and I know enough to ask the right questions and get the right answers, and the right answer is “use QoS-capable CPEs next time”. For this particular issue, I will probably do what NetworkPro suggests and create a VLAN per customer.

Yes, if you tag their traffic to a customer VLAN it will then give you a way to detect what traffic is coming from what client as a whole.

So right now your clients can talk to each other directly without your router?

Sam
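The per-customer VLAN approach suggested above, written out as an added RouterOS configuration example (not posted by anyone in the thread). It assumes the CPE tags customer 101’s frames with VLAN 101 and customer 102’s with VLAN 102, that ether1 on the RB600 faces the CPEs and ether2 is the uplink, and the private subnets and limits shown are made up to illustrate the 1/1 versus 5/5 case.

```routeros
# Added example, not from the thread. Interface names, VLAN ids, subnets and
# limits are assumptions. ether1 faces the CPEs (802.1Q trunk), ether2 is the uplink.
# Each customer's VLAN is terminated on the RB600 as its own interface.
/interface vlan
add name=cust101 vlan-id=101 interface=ether1
add name=cust102 vlan-id=102 interface=ether1

# One private subnet per customer, handed out by the RB600's own DHCP server,
# so every host behind a given CPE lands in that CPE's subnet no matter its MAC.
/ip address
add address=10.101.0.1/24 interface=cust101
add address=10.102.0.1/24 interface=cust102
/ip pool
add name=pool101 ranges=10.101.0.10-10.101.0.254
add name=pool102 ranges=10.102.0.10-10.102.0.254
/ip dhcp-server
add name=dhcp101 interface=cust101 address-pool=pool101 disabled=no
add name=dhcp102 interface=cust102 address-pool=pool102 disabled=no
/ip dhcp-server network
add address=10.101.0.0/24 gateway=10.101.0.1
add address=10.102.0.0/24 gateway=10.102.0.1

# The NAT function the RB600 already performs, for all customer subnets
/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade

# Per-customer limit keyed on the subnet, i.e. on the CPE rather than on any
# client MAC: everything behind CPE 101 shares 1M up / 1M down, CPE 102 gets 5M/5M.
# "target" is the v6 keyword; older releases spell it target-addresses.
# A separate voice VLAN would simply not appear in any of these queues.
/queue simple
add name=cust101 target=10.101.0.0/24 max-limit=1M/1M
add name=cust102 target=10.102.0.0/24 max-limit=5M/5M
```

Adding a customer is then one VLAN interface, one subnet and one queue on the router, with the only switch-side change being the tag on that customer’s CPE port.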

VLANs are probably the fix to my issue, although for other people reading this post, I would recommend QoS-capable routers/switches (as our CPEs are VLAN-capable, while many aren’t).

No, clients cannot talk to each other, as ALL DHCP (for both our CPEs and clients behind the CPEs) and packet traffic is routed through our RB600. This has been verified on-site with multiple tests.

OK good, I’m glad we understand each other :slight_smile:

This CPE cannot do traffic shaping? Maybe if you talk to the vendor they can supply new firmware that can limit the bandwidth?

Be sure not to include the Voice VLAN in the shaping setup in the CPE, and everywhere else for that matter. I mean, where there is a limit, let this limit not apply to VoIP (SIP control + voice UDP traffic) and/or give that traffic priority with a Queue Tree setup…

Also, sometimes the vendor of the access solution can provide a way of differentiating, shaping, monitoring, etc., so ask them…