Hello.
I have 5 LAN subnets, every subnet is NATed to a public address.
I want to guarantee every subnet 1Mbit/s from the 5Mbit/s speed (exactly 1/5 of max. speed),
but when the line is not fully used, I want to give the active subnets the possibility of using the full line.
So for example when two LANs are active, I want to guarantee 2.5MBit/s to both subnets.
And when one subnet downloads at only 100kbit/s,
the rest of the guaranteed bandwidth, 900kbit/s, will be available for the other subnets.
Is it possible, and how? Or is this normal shaping quality? Or is it too complicated?
Thank you very much for basic help, because I don’t know how to start.
maybe something like that will help you
Thank you kazanova. There is only the first example; the second and third are missing. I think I need the second one: “Certain Bandwidth Equal Distribution between Users”. In the first example, the rule is applied to all computers in one subnet. How can I apply it to different subnets? Can I apply it to NATed public addresses?
It's all about PCQ
Your best bet is to not use PCQ because that is used to differentiate substreams into dynamic queues for each stream, and you’re trying to do the exact opposite: put many substreams (all streams from a particular subnet) into one big queue.
As you can see from http://wiki.mikrotik.com/wiki/Manual:Queue#Flow_Identifiers_2 you can identify flows to put into a queue by packet mark, so all you need to do is mark all packets to and from the subnets with the same packet mark in the firewall mangle section (best done based on src-address=subnet/mask and dst-address=subnet/mask).
Then create an upload queue with your maximum available bandwidth assigned to it for limit-at and max-limit, then create child queues for each packet mark that identifies a subnet and set the limit-at to the CIR and max-limit to the bandwidth assigned to the parent. Do that for all subnets, and create equivalent queues for download.
Thank you for the help. In the queue there is upload/download in one setting; can I use them together?
I have a 5M limit guaranteed by my ISP, but sometimes the limit is bigger.
When I use 5M I probably do not use some overlimit; can I add an unlimited max-limit to one of the subnets?
I set passthrough to no, is that correct?
ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-packet new-packet-mark=one passthrough=no src-address=192.168.1.0/24
1 chain=prerouting action=mark-packet new-packet-mark=one passthrough=no dst-address=192.168.1.0/24
2 chain=prerouting action=mark-packet new-packet-mark=two passthrough=no src-address=192.168.2.0/24
3 chain=prerouting action=mark-packet new-packet-mark=two passthrough=no dst-address=192.168.2.0/24
4 chain=prerouting action=mark-packet new-packet-mark=three passthrough=no src-address=192.168.3.0/24
5 chain=prerouting action=mark-packet new-packet-mark=three passthrough=no dst-address=192.168.3.0/24
[abatyse@MikroTik] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 name="queue" parent=none direction=both limit-at=5M/5M max-limit=5M/5M
1 name="one" parent=queue packet-marks=one direction=both limit-at=1M/1M max-limit=5M/5M
2 name="two" parent=queue packet-marks=two direction=both limit-at=1M/1M max-limit=5M/5M
3 name="three" parent=queue packet-marks=three direction=both limit-at=1M/1M max-limit=5M/5M
Sorry, I should have been more clear. These aren’t simple queues, simple queues don’t share well with one another. You want to create queue trees (HTB).
You can’t mark packets to the clients (dst-address=subnet/mask) in mangle in the prerouting chain because at that point source NAT hasn’t been undone yet, the packet would still have a public IP address.
Something like this should work:
/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=one-up passthrough=no src-address=192.168.1.0/24
add chain=postrouting action=mark-packet new-packet-mark=one-down passthrough=no dst-address=192.168.1.0/24
add chain=prerouting action=mark-packet new-packet-mark=two-up passthrough=no src-address=192.168.2.0/24
add chain=postrouting action=mark-packet new-packet-mark=two-down passthrough=no dst-address=192.168.2.0/24
add chain=prerouting action=mark-packet new-packet-mark=three-up passthrough=no src-address=192.168.3.0/24
add chain=postrouting action=mark-packet new-packet-mark=three-down passthrough=no dst-address=192.168.3.0/24
/queue tree
add name=up parent=global-in limit-at=5000000 max-limit=5000000
add name=one-up parent=up packet-mark=one-up limit-at=1000000 max-limit=5000000
add name=two-up parent=up packet-mark=two-up limit-at=1000000 max-limit=5000000
add name=three-up parent=up packet-mark=three-up limit-at=1000000 max-limit=5000000
add name=down parent=global-out limit-at=5000000 max-limit=5000000
add name=one-down parent=down packet-mark=one-down limit-at=1000000 max-limit=5000000
add name=two-down parent=down packet-mark=two-down limit-at=1000000 max-limit=5000000
add name=three-down parent=down packet-mark=three-down limit-at=1000000 max-limit=5000000
Yes, passthrough=no is a good idea since you’re done processing once you’ve hit that rule - no reason to check anything further down.
Yes, you can oversubscribe the max-limit on one of the child queues, but then you also have to oversubscribe the parent queue accordingly.
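How the limit-at and max-limit values in the queue tree above divide the 5M parent, as an added Python example that is not part of the thread and is not RouterOS code. It is a simplified model that assumes all leaves have equal priority and split spare bandwidth evenly; the name `htb_share` and the demand figures are constructed for illustration.

```python
# Simplified model of HTB sharing for the queue tree in the post above.
# Assumption (not RouterOS code): leaves have equal priority, so bandwidth left
# after the limit-at guarantees is split evenly among leaves that want more.

def htb_share(parent_max, leaves, demand):
    """leaves: {name: (limit_at, max_limit)}; demand: {name: offered bit/s}.
    Returns {name: allocated bit/s}."""
    if sum(cir for cir, _ in leaves.values()) > parent_max:
        raise ValueError("sum of limit-at exceeds the parent's max-limit")
    # A leaf never exceeds its demand, its own max-limit, or the parent's.
    want = {n: min(demand.get(n, 0), mx, parent_max)
            for n, (_, mx) in leaves.items()}
    # Step 1: every leaf gets its traffic up to limit-at (the guarantee).
    alloc = {n: float(min(want[n], leaves[n][0])) for n in leaves}
    spare = parent_max - sum(alloc.values())
    # Step 2: hand out unused bandwidth in equal shares until none is left
    # or every leaf is satisfied.
    hungry = [n for n in leaves if want[n] - alloc[n] > 1e-6]
    while hungry and spare > 1e-6:
        share = spare / len(hungry)
        for n in hungry:
            give = min(share, want[n] - alloc[n])
            alloc[n] += give
            spare -= give
        hungry = [n for n in hungry if want[n] - alloc[n] > 1e-6]
    return {n: round(v) for n, v in alloc.items()}

# Values from the queue tree above: limit-at=1000000, max-limit=5000000.
LEAVES = {"one": (1_000_000, 5_000_000),
          "two": (1_000_000, 5_000_000),
          "three": (1_000_000, 5_000_000)}
PARENT_MAX = 5_000_000

if __name__ == "__main__":
    # Constructed demand figures (bit/s offered by each subnet).
    scenarios = {
        "two subnets saturating": {"one": 10_000_000, "two": 10_000_000},
        "one subnet at 100 kbit/s": {"one": 100_000, "two": 10_000_000,
                                     "three": 10_000_000},
        "all saturating": dict.fromkeys(LEAVES, 10_000_000),
    }
    for label, demand in scenarios.items():
        print(label, htb_share(PARENT_MAX, LEAVES, demand))
```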
Fewi, thank you for correcting my mistakes; I will try to do traffic tests with these settings.
To the prerouting and postrouting rules I added the opposite (dst<->src) same (LAN) subnet with an exclamation mark,
because I don’t want to limit local traffic in the subnet, only internet traffic; is that right?
Depends - are you talking about traffic on the same subnet (192.168.1.0/24 to 192.168.1.0/24), or traffic between local subnets (192.168.1.0/24 and 192.168.2.0/24)? The former wouldn’t go through the router at all, hosts on the same subnet talk to each other directly, and the router itself on that interface usually doesn’t have enough traffic with the hosts on the subnet to warrant worrying about that.
I mean computers on the same subnet. So I don’t have to add this rule. (I checked it.) Does anybody know any Windows software for testing traffic?