HELP! ccr2004_1g_12s_2xs how to limit traffic in a bridged interface?

Drivertel_2025 · November 3, 2025, 8:24pm

Hi colleagues, I have a CCR2004_1G_12S_2XS with RouterOS 7.16.2 and the scenario described in the image. I need to limit the total traffic on port SFP28_1 and I've tried several ways using Queue without success. Is there a way to limit the bandwidth of that interface?
My IPS provides two gateways in two different subnets, xxx.100.197.56/29 and xxx.100.197.176/28, connected to port SFP28-1.
On port SFP28-2, another router with IPs xxx.0.197.179-184 accesses the internet through gateway xxx.100.197.177 via the bridge.
On SFP1, another router with IP xxx.100.186.178 accesses the internet through gateway xxx.100.197.177 via the bridge.
The CCR2004, from SFP5 to SFP12, has eight LANs configured with IPs 192.168.10.1 to 192.168.80.1, each in a different VLAN. The SFP28-1 interface is configured with IP addresses xxx.100.197.58-62 and accesses the internet through the gateway xxx.100.197.57. The firewall is configured with src-nat to addresses.

SFP28-1, SFP28-2, SFP1, SFP2, and SFP3 are connected via a bridge.

My provider has configured an unlimited connection with on-demand billing, so I need to limit the traffic on the SFP28-1 interface to account for service costs.

thank you, regards.

anav · November 3, 2025, 10:39pm

Good day, what I would need is some clarity and more information.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, dhcp lease lists )

So I understand you have a ROUTER that you want to use as ROUTER not a switch right ??
You have connections to other routers, but this is confusing.
This router is the main router connected to the internet>>
No clue what free IPs, are, didnt know they cost money.

YOu need a network diagram to detail the connections and the vlans travelling between devices.

Lastly, the Title makes one think the Router is somehow limiting traffic, but the text seems to indicate you want to learn how to limit traffic??

Drivertel_2025 · November 4, 2025, 2:08am

I edited the post to give you details; if you know how, please help me.

tdw · November 4, 2025, 3:43am

This is one of the few cases the bridge use-ip-firewall=yes setting is required. This forces the bridged traffic to traverse the firewall chains, which are also used for traffic queue handling, then apply queues to the IP addresses.

As the CCR2004 does not have a hardware switch chip all of the processing is handled by the CPU, you will almost certainly not get 25Gbps throughput as you cannot use fastpath together with queues.

Drivertel_2025 · November 4, 2025, 10:08pm

Okay, thank you very much, I understand. Could you help me with some tips on how to do it from Winbox?

CGGXANNX · November 5, 2025, 7:32am

Could you clarify the IP address reserved for the router plugged into sfp-sfplus1? It doesn't look like it belongs to the two ranges. And if it was a typo, and the address was xxx.100.197.178, then it doesn't match your picture, in your picture it says the address is from the 1st subnet (xxx.100.197.56/29).

Drivertel_2025 · November 6, 2025, 7:47pm

The CCR2004's SFP28-1 interface is configured with IP addresses xxx.197.100.58-62 and gateway xxx.197.100.57 on the xxx.100.197.56/29 subnet.
Another router is connected to the SFP28-2 interface with IP addresses xxx.197.100.179-186 and gateway xxx.197.100.177 on the xxx.100.197.176/28 subnet.
Another router is connected to the SFP-SFPlus1 interface with IP address xxx.197.100.178 and gateway xxx.197.100.177 on the xxx.100.197.176/28 subnet.
All three interfaces are bridged.

I need to limit global traffic, specifically on the sfp28-1 interface.

CGGXANNX · November 7, 2025, 9:39am

Thanks for the clarification. So, both of the other routers are in the xxx.100.197.176/28.

First, you'll need to pull sfp28-1 out of the bridge red-bridge. The red-bridge can keep sfp28-2, sfp-sfpplus1, sfp-sfpplus2, sfp-sfpplus3 as member. The port sfp28-1 will be a stand-alone, none-slave, port.
Next, you will move all of the setups related to the xxx.100.197.56/29 subnet from of the red-bridge to sfp28-1, things like:
- IP address assignments related to xxx.100.197.56/29
- Routes related to addresses in xxx.100.197.56/29
- SRCNAT rules related to addresses in xxx.100.197.56/29
- Interface list membership, such as WAN list membership
If they were referencing red-bridge, then they should now reference sfp28-1 instead. sfp28-1 is the WAN interface, red-bridge is no longer the WAN interface when it comes to everything related to the xxx.100.197.56/29 subnet.
Verify that the router and clients in the yellow-bridge / yellow-ports have normal internet connectivity, using the right gateway and public facing IP addresses (in the xxx.100.197.56/29 subnet) after those changes.

Next, we'll handle the red-bridge and the xxx.100.197.176/28 subnet:

We assign this /32 IP address entry to the interface sfp28-1:
```
/ip address
add address=xxx.100.197.190/32 interface=`sfp28-1` network=xxx.100.197.177
```
Here we assign the address xxx.100.197.190 from the end of the available range to the CCR2004 on sfp28-1. The network address chosen is xxx.100.197.177 which is the address of the gateway.

Add 12 published=yes ARP entries on sfp28-1 for the addresses xxx.100.197.178 - xxx.100.197.189:

/ip arp
add address=xxx.100.197.178 interface=sfp28-1 published=yes
add address=xxx.100.197.179 interface=sfp28-1 published=yes
add address=xxx.100.197.180 interface=sfp28-1 published=yes
# ...
add address=xxx.100.197.188 interface=sfp28-1 published=yes
add address=xxx.100.197.189 interface=sfp28-1 published=yes

Remove any current IP address and static route assignment on the red-bridge interface.
Assign this IP address entry on the red-bridge interface for the CCR2004:
```
/ip address
add address=xxx.100.197.190/28 interface=red-bridge network=xxx.100.197.176
```
Note that here we give the router the address xxx.100.197.190 too, although the router already has the same address on sfp28-1 , that's not a problem.
Add static published ARP entry for xxx.100.197.177 (the ISP gateway) on this red-bridge interface:
```
/ip arp
add address=xxx.100.197.177 interface=red-bridge published=yes
```
Note the interface here, it's red-bridge not sfp28-1 !
The two routers connected to sfp28-2 and sfp-sfpplus1 of the red-bridge keeps their current static address and gateway assignment, no changes needed.

Make sure that the firewall do not perform any SRCNAT / masquerade for src-address=xxx.100.197.176/28 when out-interface=sfp28-1 at all!
Configure firewall if needed to allow forwarding to / from the xxx.100.197.176/28 subnet.
You can now limit the outgoing traffic on the sfp28-1 as you wish. Additional traffic shaping can also be performed for the red-bridge and its subnet.

Drivertel_2025 · November 11, 2025, 8:36pm

Dear, thank you so much for your help. I tried the changes, but they didn't work. Perhaps the problem is in "Configure firewall if needed to allow forwarding to / from the xxx.100.197.176/28 subnet." I'm not sure what I should do or how.

CGGXANNX · November 13, 2025, 5:57am

Hi sorry for the delay, I missed your reply.

It's difficult to say without seeing your current configuration. If possible, export your configuration into a file with:

/export hide-sensitive file=config

Then download config.rsc to your computer, open it with a text editor and censor the private information like keys, MAC addresses, public IP addresses, etc...

Then paste the censored content here in a reply, between these:

```routeros
paste your content here
````

for review.