limit http and https traffic to 17Mbp/s

Hi, we have a network consisting of a /21 subnet (so a lot of devices).
We have a router with a /29 network that passes all traffic to our core switch. This core switch is also doing the main routing in our business.
Now we need to limit HTTP and HTTPS inbound and outbound traffic to max 17 Mbp/s.

Can we use this?
http://wiki.mikrotik.com/wiki/TransparentTrafficShaper
Can we place this transparently between the router and the core switch?
The router has IP 10.180.112.1/29 and the core switch has IP 10.180.112.2/29 and also does the routing to all VLANs in 10.180.112.0/21.

That would work, but you could just implement the same measures in the IP firewall of the router itself. You won’t have another device that might fail, and you wouldn’t need to use bridging.

In your case, instead of several classes of traffic, you could just classify connections as web and other, and use two queues, with the “other” queue having no limit, but with the web queue having a higher priority so that it gets its 17M but then caps out.

(you should probably make the web queue as a pcq per internal IP address as the selector)

Hi, thanks for your reply.
The reason I chose to add a transparent bridge is because the router is not managed by us and the core switch is an HP ProCurve and is not able to do traffic shaping.

I need to prioritise Citrix traffic to our LAN and HTTP and HTTPS to the internet.
What classes do I need, and how do I configure them? Target and destination?

Is there anyone who can help?
I'd like to have HTTP, HTTPS and Citrix traffic in the queue.

Just implement the example you linked, and change the port numbers around to match your needs.
I would recommend that you modify the marking rule which marks the HTTP connections by changing dst-port=80 to be dst-port=80,443

If you want Citrix in the same queue, just put its port number into the same list above also.

Hi, thanks.
I also thought it was that easy.
But when I add the HTTPS, then it stops working.


/ interface bridge
add name="bridge1"
/ interface bridge port
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1
/ interface bridge settings
set use-ip-firewall=yes

/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http passthrough=no
add chain=prerouting HTTPS=tcp action=mark-connection new-connection-mark=https_conn passthrough=yes
add chain=prerouting connection-mark=https_conn action=mark-packet new-packet-mark=https passthrough=no
add chain=prerouting action=mark-connection new-connection-mark=other_conn passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet new-packet-mark=other passthrough=no

/ queue simple
add name="main" target-addresses=10.0.0.12/32 max-limit=256000/512000
add name="http" parent=main packet-marks=http,https max-limit=240000/500000 priority=1
add name="other" parent=main packet-marks=other max-limit=128000/128000 priority=4

Instead of putting multiple marks in the http queue why not mark http and https with the same mark, e.g. ‘Web’?
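
The single-mark approach suggested in the replies, written out as an added example (it is not from any poster in this thread). It assumes RouterOS v6-style simple-queue syntax (`target=` and upload/download value pairs), the ether2/ether3 bridge and the 10.180.112.0/21 LAN from the posts above, and that the 17M cap applies per direction; the queue-type names `web-up` and `web-down` are hypothetical.

```routeros
# Transparent bridge between the router and the core switch (ports as in the post above)
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
# Without this, bridged frames never reach the mangle rules
/interface bridge settings
set use-ip-firewall=yes

/ip firewall mangle
# Mark each new HTTP/HTTPS connection once, with one shared mark.
# Matching is done with protocol= and dst-port=; the port list carries both services.
add chain=prerouting protocol=tcp dst-port=80,443 connection-state=new \
    action=mark-connection new-connection-mark=web_conn passthrough=yes
# Every packet of a marked connection, in either direction, gets the packet mark
add chain=prerouting connection-mark=web_conn \
    action=mark-packet new-packet-mark=web passthrough=no

# PCQ splits the capped bandwidth per internal IP address, as suggested in the first reply.
# Upload is classified by source address, download by destination address.
/queue type
add name=web-up kind=pcq pcq-classifier=src-address
add name=web-down kind=pcq pcq-classifier=dst-address

# One queue for all web traffic. Unmarked traffic matches no queue and is not limited,
# so no "other" mark or queue is needed.
# Assumption: max-limit and priority are written as upload/download pairs (v6 syntax).
/queue simple
add name=web target=10.180.112.0/21 packet-marks=web \
    max-limit=17M/17M queue=web-up/web-down priority=1/1
```

After applying it, the counters shown by `/ip firewall mangle print stats` and `/queue simple print stats` confirm whether packets are actually hitting the mark rules and the queue.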

I know that this thread is kind of old but I am trying to implement a transparent queue based on the wiki at http://wiki.mikrotik.com/wiki/TransparentTrafficShaper and the post above

I know that the OS version has changed but I cannot figure out the proper command to implement the connection marks. Here is the error that I received on any of them

/queue simple> add name="p2p" parent=main packet-marks=p2p max-limit=264000/164000 priority=8
expected value of download-priority (line 1 column 79)

I have found that most of the wiki pages are out of date and I usually have to dig deep in the forums to find an answer but this one is particularly hard to find.