Thanks to fewi I have implemented a basic setup with bandwidth limits, as seen in: HowTo: Initial Configuration.
Now, for a few days I've been struggling to implement basic QoS as tutored in: Very Simple, Functional QoS Setup For Begginers.
I've been learning since I got my MT router, but when it comes to Queues my head grows rapidly and starts to hurt a lot, so any help would be appreciated.
Simply put: I want to prioritize all traffic but further bandwidth-limit some of my (DHCP-assigned) LAN clients.
The idea I would like to achieve looks like this:

If anyone needs my detailed network diagram, here’s one:

And here is what I've done from scratch so far and it's working like a charm (thanks again you guys):
# Replace admin account
[admin@MiktoTik] > /user add name=penguin password=********** group=full
[penguin@MiktoTik] > /user remove admin
# Rename ether1 interface and set rest of interfaces switched
[penguin@MiktoTik] > /interface set ether1 name=Ether1-WAN_ISP
[penguin@MiktoTik] > /interface set ether2 name=Ether2-Server
[penguin@MiktoTik] > /interface set ether3 name=Ether3-LAN_WiFi_AP
[penguin@MiktoTik] > /interface set ether4 name=Ether4-LAN_Switch
[penguin@MiktoTik] > /interface set ether5 name=Ether5-LAB
[penguin@MiktoTik] > /interface ethernet set Ether3-LAN_WiFi_AP master-port=Ether2-Server
[penguin@MiktoTik] > /interface ethernet set Ether4-LAN_Switch master-port=Ether2-Server
[penguin@MiktoTik] > /interface ethernet set Ether5-LAB master-port=Ether2-Server
# Set ip addresses on interfaces
[penguin@MiktoTik] > /ip address add address=192.168.81.1/26 interface=Ether2-Server
[penguin@MiktoTik] > /ip address add address=192.168.77.1/27 interface=Ether5-LAB
# Set DHCP Client for dynamic public IP on WAN_ISP port
[penguin@MiktoTik] > /ip dhcp-client add interface=Ether1-WAN_ISP disabled=no
# Set DNS to allow access
[penguin@MiktoTik] > /ip dns set allow-remote-requests=yes
# Allow Telnet between other MikroTik routers in LAN and WinBox access
[penguin@MiktoTik] > /tool mac-server remove [find]
[penguin@MiktoTik] > /tool mac-server add interface=Ether2-Server disabled=no
[penguin@MiktoTik] > /tool mac-server add interface=Ether3-LAN_WiFi_AP disabled=no
[penguin@MiktoTik] > /tool mac-server add interface=Ether4-LAN_Switch disabled=no
[penguin@MiktoTik] > /tool mac-server add interface=Ether5-LAB disabled=no
[penguin@MiktoTik] > /tool mac-server mac-winbox disable [find]
[penguin@MiktoTik] > /tool mac-server mac-winbox add interface=Ether2-Server disabled=no
[penguin@MiktoTik] > /tool mac-server mac-winbox add interface=Ether5-LAB disabled=no
# Disable network discovery on WAN port
[penguin@MiktoTik] > /ip neighbor discovery set [find name=Ether1-WAN_ISP] discover=no
# Mark packets for future processing:
# Create "DHCP_UpLimit" and "DHCP_DownLimit" marks to rate-limit DHCP clients (by scope IP address leases)
[penguin@MiktoTik] > /ip firewall mangle add chain=prerouting in-interface=Ether2-Server src-address=192.168.81.30-192.168.81.50 \
action=mark-packet new-packet-mark=DHCP_UpLimit
[penguin@MiktoTik] > /ip firewall mangle add chain=postrouting out-interface=Ether2-Server dst-address=192.168.81.30-192.168.81.50 \
action=mark-packet new-packet-mark=DHCP_DownLimit
# SFQ (Stochastic Fairness Queuing) hashing for rate limiting DHCP client packets
[penguin@MiktoTik] > /queue type add name=DHCP_UpLimit kind=sfq
[penguin@MiktoTik] > /queue type add name=DHCP_DownLimit kind=sfq
# Create Queue Tree to setup DHCP Clients limits:
#
# DHCP Limits
# ===========
# Upload: 192k
# Download: 3072k
[penguin@MiktoTik] > /queue tree add name=DHCP_UpLimit parent=global-in limit-at=0 queue=DHCP_UpLimit max-limit=192000 packet-mark=DHCP_UpLimit
[penguin@MiktoTik] > /queue tree add name=DHCP_DownLimit parent=global-out limit-at=0 queue=DHCP_DownLimit max-limit=3072000 packet-mark=DHCP_DownLimit
# Set NAT for outbound traffic on WAN_ISP port
[penguin@MiktoTik] > /ip firewall nat add chain=srcnat out-interface=Ether1-WAN_ISP action=masquerade
# Set Port Forwarding to Server LAN IP (modded for use of Hairpin NAT: no "in-interface" argument and added "dst-address-type")
[penguin@MiktoTik] > /ip firewall nat add chain=dstnat dst-address-type=local protocol=tcp \
dst-port=20,21,22,25,53,80,110,443,465,995,3389,5900,40040,40050 action=dst-nat to-address=192.168.81.11
[penguin@MiktoTik] > /ip firewall nat add chain=dstnat dst-address-type=local protocol=udp dst-port=22,53,123,10050 action=dst-nat to-address=192.168.81.11
# Allow to ping Server from WAN (modded for use of Hairpin NAT: no "in-interface" argument and added "dst-address-type")
[penguin@MiktoTik] > /ip firewall nat add chain=dstnat dst-address-type=local protocol=icmp action=dst-nat to-address=192.168.81.11
# Set Hairpin NAT:
# Allow Server resources (FTP and Web) defined for WAN clients to work for LAN clients without use of DNS
[penguin@MiktoTik] > /ip firewall nat add chain=srcnat src-address=192.168.81.0/26 dst-address=192.168.81.11 protocol=tcp dst-port=21,80,443 \
out-interface=Ether2-Server action=masquerade comment="Hairpin NAT"
# Set stateful firewall (with limited pings to Server allowed)
[penguin@MiktoTik] > /ip firewall filter add chain=input connection-state=established action=accept
[penguin@MiktoTik] > /ip firewall filter add chain=input connection-state=related action=accept
[penguin@MiktoTik] > /ip firewall filter add chain=input connection-state=invalid action=drop
[penguin@MiktoTik] > /ip firewall filter add chain=input in-interface=Ether2-Server action=accept
[penguin@MiktoTik] > /ip firewall filter add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings"
[penguin@MiktoTik] > /ip firewall filter add chain=input protocol=icmp action=drop comment="Drop excess pings"
# Note: the two rules below match on any in-interface, so SSH and WinBox are reachable from the WAN as well as the LAN
[penguin@MiktoTik] > /ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept comment="SSH for Secure Shell Administration"
[penguin@MiktoTik] > /ip firewall filter add chain=input protocol=tcp dst-port=8291 action=accept comment="WinBox Administration"
[penguin@MiktoTik] > /ip firewall filter add chain=input action=drop
[penguin@MiktoTik] > /ip firewall filter add chain=forward connection-state=established action=accept
[penguin@MiktoTik] > /ip firewall filter add chain=forward connection-state=related action=accept
[penguin@MiktoTik] > /ip firewall filter add chain=forward connection-state=invalid action=drop
[penguin@MiktoTik] > /ip firewall filter add chain=forward in-interface=Ether2-Server action=accept
[penguin@MiktoTik] > /ip firewall filter add chain=forward dst-address=192.168.81.11 protocol=tcp \
dst-port=20,21,22,25,53,80,110,443,465,995,3389,5900,40040,40050 action=accept comment="TCP Port Forwarding"
[penguin@MiktoTik] > /ip firewall filter add chain=forward dst-address=192.168.81.11 protocol=udp dst-port=22,53,123,10050 action=accept \
comment="UDP Port Forwarding"
[penguin@MiktoTik] > /ip firewall filter add chain=forward dst-address=192.168.81.11 protocol=icmp action=accept comment="ICMP Protocol Forwarding"
[penguin@MiktoTik] > /ip firewall filter add chain=forward action=drop
Since I'm a total beginner any help would be appreciated on how to create that Queue tree for QoS.
Thanks in advance,
penguin
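The queue tree the post asks for, as an added example that is not part of the original post, of fewi's configuration, or of the tutorials it links. It keeps the interface names, the DHCP pool range and the DHCP caps (192k up / 3072k down) from the post, and assumes the rest: a 1 Mbit/s upload / 10 Mbit/s download WAN link, three traffic classes (interactive: DNS and ICMP; web: TCP 80/443; bulk: everything else), the limit-at figures, and a RouterOS version that still offers the global-in / global-out parents the post uses. It replaces the post's two DHCP_* mangle rules and its two queue tree entries, because a packet carries only one packet mark: the per-client cap therefore becomes a branch of the tree with one leaf per class, instead of a separate mark.

```routeros
# Added example, not from the original post. Assumed values: 1M up / 10M down
# WAN link, the three traffic classes below, and RouterOS with global-in/global-out.
# The DHCP pool range, interface names and 192k/3072k caps come from the post.

/queue type
add name=sfq_fair kind=sfq

/ip firewall mangle
# 1. Classify each connection once; the mark stays on the connection, so both
#    directions of it inherit the class. "connection-mark=no-mark" makes each
#    rule fire only for still-unclassified connections (assumed classes).
add chain=prerouting connection-mark=no-mark protocol=udp dst-port=53 \
    action=mark-connection new-connection-mark=conn_interactive passthrough=yes
add chain=prerouting connection-mark=no-mark protocol=icmp \
    action=mark-connection new-connection-mark=conn_interactive passthrough=yes
add chain=prerouting connection-mark=no-mark protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=conn_web passthrough=yes
add chain=prerouting connection-mark=no-mark \
    action=mark-connection new-connection-mark=conn_bulk passthrough=yes

# 2. Download direction: packets leaving towards the LAN (same chain and
#    interface as the post). DHCP-pool hosts get their own marks so they can sit
#    under a capped branch; the catch-all rules after them cover the other hosts.
add chain=postrouting out-interface=Ether2-Server dst-address=192.168.81.30-192.168.81.50 \
    connection-mark=conn_interactive action=mark-packet new-packet-mark=dhcp_down_interactive passthrough=no
add chain=postrouting out-interface=Ether2-Server dst-address=192.168.81.30-192.168.81.50 \
    connection-mark=conn_web action=mark-packet new-packet-mark=dhcp_down_web passthrough=no
add chain=postrouting out-interface=Ether2-Server dst-address=192.168.81.30-192.168.81.50 \
    connection-mark=conn_bulk action=mark-packet new-packet-mark=dhcp_down_bulk passthrough=no
add chain=postrouting out-interface=Ether2-Server connection-mark=conn_interactive \
    action=mark-packet new-packet-mark=lan_down_interactive passthrough=no
add chain=postrouting out-interface=Ether2-Server connection-mark=conn_web \
    action=mark-packet new-packet-mark=lan_down_web passthrough=no
add chain=postrouting out-interface=Ether2-Server connection-mark=conn_bulk \
    action=mark-packet new-packet-mark=lan_down_bulk passthrough=no

# 3. Upload direction: packets arriving from the LAN, same split. As in the
#    post, this also counts LAN-to-LAN traffic that the router forwards.
add chain=prerouting in-interface=Ether2-Server src-address=192.168.81.30-192.168.81.50 \
    connection-mark=conn_interactive action=mark-packet new-packet-mark=dhcp_up_interactive passthrough=no
add chain=prerouting in-interface=Ether2-Server src-address=192.168.81.30-192.168.81.50 \
    connection-mark=conn_web action=mark-packet new-packet-mark=dhcp_up_web passthrough=no
add chain=prerouting in-interface=Ether2-Server src-address=192.168.81.30-192.168.81.50 \
    connection-mark=conn_bulk action=mark-packet new-packet-mark=dhcp_up_bulk passthrough=no
add chain=prerouting in-interface=Ether2-Server connection-mark=conn_interactive \
    action=mark-packet new-packet-mark=lan_up_interactive passthrough=no
add chain=prerouting in-interface=Ether2-Server connection-mark=conn_web \
    action=mark-packet new-packet-mark=lan_up_web passthrough=no
add chain=prerouting in-interface=Ether2-Server connection-mark=conn_bulk \
    action=mark-packet new-packet-mark=lan_up_bulk passthrough=no

/queue tree
# Download tree on global-out (as in the post). The root sits just under the
# assumed link speed so this router, not the ISP side, is the bottleneck;
# otherwise the priorities never get to act. priority 1 = highest, 8 = lowest.
# Each branch's limit-at is the sum of its leaves' limit-at, and the leaves'
# max-limit equals the branch cap, so a class may borrow the whole branch.
add name=Download parent=global-out limit-at=0 max-limit=9500k
add name=Download_DHCP parent=Download limit-at=1792k max-limit=3072k
add name=Download_DHCP_Interactive parent=Download_DHCP packet-mark=dhcp_down_interactive priority=1 limit-at=256k max-limit=3072k queue=sfq_fair
add name=Download_DHCP_Web parent=Download_DHCP packet-mark=dhcp_down_web priority=3 limit-at=1024k max-limit=3072k queue=sfq_fair
add name=Download_DHCP_Bulk parent=Download_DHCP packet-mark=dhcp_down_bulk priority=7 limit-at=512k max-limit=3072k queue=sfq_fair
add name=Download_LAN parent=Download limit-at=5M max-limit=9500k
add name=Download_LAN_Interactive parent=Download_LAN packet-mark=lan_down_interactive priority=1 limit-at=1M max-limit=9500k queue=sfq_fair
add name=Download_LAN_Web parent=Download_LAN packet-mark=lan_down_web priority=3 limit-at=3M max-limit=9500k queue=sfq_fair
add name=Download_LAN_Bulk parent=Download_LAN packet-mark=lan_down_bulk priority=7 limit-at=1M max-limit=9500k queue=sfq_fair

# Upload tree on global-in (as in the post), same shape with the 192k DHCP cap.
add name=Upload parent=global-in limit-at=0 max-limit=950k
add name=Upload_DHCP parent=Upload limit-at=128k max-limit=192k
add name=Upload_DHCP_Interactive parent=Upload_DHCP packet-mark=dhcp_up_interactive priority=1 limit-at=32k max-limit=192k queue=sfq_fair
add name=Upload_DHCP_Web parent=Upload_DHCP packet-mark=dhcp_up_web priority=3 limit-at=64k max-limit=192k queue=sfq_fair
add name=Upload_DHCP_Bulk parent=Upload_DHCP packet-mark=dhcp_up_bulk priority=7 limit-at=32k max-limit=192k queue=sfq_fair
add name=Upload_LAN parent=Upload limit-at=256k max-limit=950k
add name=Upload_LAN_Interactive parent=Upload_LAN packet-mark=lan_up_interactive priority=1 limit-at=64k max-limit=950k queue=sfq_fair
add name=Upload_LAN_Web parent=Upload_LAN packet-mark=lan_up_web priority=3 limit-at=128k max-limit=950k queue=sfq_fair
add name=Upload_LAN_Bulk parent=Upload_LAN packet-mark=lan_up_bulk priority=7 limit-at=64k max-limit=950k queue=sfq_fair
```

Priority only decides who wins when the parent is saturated, so the root max-limit must be set from the real, measured link speed rather than the ISP's advertised one. Whether the marks are working can be read off `/ip firewall mangle print stats` (every rule should count packets) and `/queue tree print stats` (every leaf should carry bytes); a leaf that stays at zero almost always means the wrong chain, direction or connection mark. Note that, as in the post, the DHCP branch caps the pool as a whole, not each host; per-host fairness would need a PCQ queue type in place of the SFQ one.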