Hi, I have created a hotspot with rate limit in users but the rate limit is not working. Anyone can use all the available rate without obeying the limits.
This is my full configuration.
# aug/13/2015 14:03:27 by RouterOS 6.30.2
# software id = 0Q9T-F9WG
#
/interface bridge
add name=br.lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1.wan
set [ find default-name=ether2 ] name=ether2.wan
set [ find default-name=ether3 ] name=ether3.lan
set [ find default-name=ether4 ] name=ether4.lan
set [ find default-name=ether5 ] name=ether5.lan
set [ find default-name=ether6 ] name=ether6.lan
set [ find default-name=ether7 ] name=ether7.lan
set [ find default-name=ether8 ] name=ether8.lan
set [ find default-name=ether9 ] name=ether9.lan
set [ find default-name=ether10 ] name=ether10.lan
/interface vlan
add interface=br.lan l2mtu=1594 name=vlan10 vlan-id=10
/ip hotspot profile
add http-cookie-lifetime=1w login-by=cookie,http-chap,mac-cookie name=hsprof1
/ip hotspot
add disabled=no idle-timeout=none interface=vlan10 name=server1 profile=\
hsprof1
/ip hotspot user profile
add mac-cookie-timeout=1w name=uprof1 shared-users=1000
add mac-cookie-timeout=1w name=uprof2 rate-limit=512k/2m shared-users=1000
/ip pool
add name=dhcp_pool1 ranges=192.168.20.20-192.168.20.254
add name=dhcp_pool2 ranges=10.50.8.2-10.50.11.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=br.lan \
lease-time=1w name=dhcp1
add add-arp=yes address-pool=dhcp_pool2 disabled=no interface=vlan10 \
lease-time=1w name=dhcp2
/interface bridge port
add bridge=br.lan interface=ether3.lan
add bridge=br.lan interface=ether4.lan
add bridge=br.lan interface=ether5.lan
add bridge=br.lan interface=ether6.lan
add bridge=br.lan interface=ether7.lan
add bridge=br.lan interface=ether8.lan
add bridge=br.lan interface=ether9.lan
add bridge=br.lan interface=ether10.lan
/ip address
add address=192.168.20.1/24 interface=br.lan network=192.168.20.0
add address=192.168.194.2/24 interface=ether1.wan network=192.168.194.0
add address=192.168.195.2/24 interface=ether2.wan network=192.168.195.0
add address=10.50.8.1/22 interface=vlan10 network=10.50.8.0
/ip dhcp-server network
add address=10.50.8.0/22 dns-server=10.50.8.1 gateway=10.50.8.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.20.0/24 list=safe
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=fasttrack-connection chain=forward
add chain=input comment="accept established connection packets" \
connection-state=established
add chain=input comment="accept related connection packets" connection-state=\
related
add action=drop chain=input comment="drop invalid packets" connection-state=\
invalid
add chain=input comment="Allow access to router from known network" \
src-address-list=safe
add action=drop chain=input comment="detect and drop port scan connections" \
protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="detect DoS attack" \
connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP \
protocol=icmp
add action=jump chain=input comment="jump to chain services" jump-target=\
services
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add action=log chain=input log-prefix=Filter:
add action=drop chain=input comment="drop everything else"
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 \
protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 \
protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 \
protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 \
protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 \
protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
add chain=services comment="accept localhost" dst-address=127.0.0.1 \
src-address=127.0.0.1
add chain=services comment="allow MACwinbox " dst-port=20561 protocol=udp
add chain=services comment="Bandwidth server" dst-port=2000 protocol=tcp
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=\
udp
add chain=services comment="allow SNMP" dst-port=161 protocol=tcp
add chain=services comment="Allow BGP" dst-port=179 protocol=tcp
add chain=services comment="allow BGP" dst-port=5000-5100 protocol=udp
add chain=services comment="Allow NTP" dst-port=123 protocol=udp
add chain=services comment="Allow PPTP" dst-port=1723 protocol=tcp
add chain=services comment="allow PPTP and EoIP" protocol=gre
add chain=services comment="allow DNS request" dst-port=53 protocol=tcp
add chain=services comment="Allow DNS request" dst-port=53 protocol=udp
add chain=services comment=UPnP dst-port=1900 protocol=udp
add chain=services comment=UPnP dst-port=2828 protocol=tcp
add chain=services comment="allow DHCP" dst-port=67-68 protocol=udp
add chain=services comment="allow Web Proxy" dst-port=8080 protocol=tcp
add chain=services comment="allow IPIP" protocol=ipencap
add chain=services comment="allow https for Hotspot" dst-port=443 protocol=\
tcp
add chain=services comment="allow Socks for Hotspot" dst-port=1080 protocol=\
tcp
add chain=services comment="allow IPSec connections" dst-port=500 protocol=\
udp
add chain=services comment="allow IPSec" protocol=ipsec-esp
add chain=services comment="allow IPSec" protocol=ipsec-ah
add chain=services comment="allow RIP" dst-port=520-521 protocol=udp
add chain=services comment="allow OSPF" protocol=ospf
add action=return chain=services
/ip firewall mangle
add chain=prerouting dst-address=192.168.194.0/24 in-interface=br.lan
add chain=prerouting dst-address=192.168.195.0/24 in-interface=br.lan
add chain=prerouting dst-address=192.168.20.0/24 in-interface=vlan10
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
ether1.wan new-connection-mark=wan1_conn
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
ether2.wan new-connection-mark=wan2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether1.wan new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether2.wan new-connection-mark=wan2_conn
add action=mark-routing chain=output connection-mark=wan1_conn \
new-routing-mark=to_wan1
add action=mark-routing chain=output connection-mark=wan2_conn \
new-routing-mark=to_wan2
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=br.lan new-connection-mark=wan1_conn \
per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=br.lan new-connection-mark=wan2_conn \
per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
in-interface=br.lan new-routing-mark=to_wan1
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
in-interface=br.lan new-routing-mark=to_wan2
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local hotspot=auth in-interface=vlan10 \
new-connection-mark=wan1_conn per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local hotspot=auth in-interface=vlan10 \
new-connection-mark=wan2_conn per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
in-interface=vlan10 new-routing-mark=to_wan1
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
in-interface=vlan10 new-routing-mark=to_wan2
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=ether1.wan
add action=masquerade chain=srcnat out-interface=ether2.wan
add action=masquerade chain=srcnat out-interface=br.lan
add action=masquerade chain=srcnat out-interface=vlan10
/ip hotspot user
add name=1234 password=1234 profile=uprof2
/ip route
add check-gateway=ping distance=1 gateway=192.168.194.1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=192.168.195.1 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=192.168.194.1
add check-gateway=ping distance=2 gateway=192.168.195.1
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Athens
/system ntp client
set enabled=yes primary-ntp=152.118.24.8 secondary-ntp=202.169.224.16
/system scheduler
add interval=1h name=schedule1 on-event=\
"/ip hotspot host remove [find authorized=no]" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
aug/12/2015 start-time=09:54:32
/tool romon port
add
Can you help me?
Thanks