Mixed speed limit for IPv4 and IPv6

Hello everyone, the following is an answer generated by AI. I am not sure if it is correct. If you have used it in a production environment, please tell me. My idea is that, if it is feasible, I mark IPv4 and IPv6 as different connection tags, then mark these two connection tags as the same packet tag, and apply a speed limit to the mixed packets in the queue tree, to achieve an effect similar to a switch port speed limit. That is, assuming the speed limit is 300M, IPv4 or IPv6 alone can reach 300M, and mixed use of IPv4 and IPv6 to download can only reach 300M.
#Here is the AI conclusion
Yes, in MikroTik RouterOS, it is absolutely possible to use multiple different connection-marks to assign the same packet-mark. This is useful when you want to classify various types of connections into a single traffic class for shaping, prioritization, or accounting purposes.

For example, you may have:

/ip firewall mangle
add chain=forward protocol=tcp dst-port=80 action=mark-connection new-connection-mark=web_conn
add chain=forward protocol=tcp dst-port=443 action=mark-connection new-connection-mark=ssl_conn

These rules mark HTTP and HTTPS connections separately with web_conn and ssl_conn.

Then, you can assign the same packet-mark to both, like this:

/ip firewall mangle
add chain=forward connection-mark=web_conn action=mark-packet new-packet-mark=web_ssl_traffic
add chain=forward connection-mark=ssl_conn action=mark-packet new-packet-mark=web_ssl_traffic

Although the connections are marked differently, their packets are grouped under the same packet-mark=web_ssl_traffic, which can now be used in queues or accounting.

Note that this cannot be done in a single rule — each connection-mark needs a separate rule to match and apply the packet-mark.

Also, RouterOS fully supports setting the same packet-mark across multiple rules. It does not complain or conflict if several rules assign the same packet-mark value — in fact, this is a common and efficient technique for aggregating similar traffic types under a unified bandwidth policy or priority class.

For instance, in a queue configuration:

/queue simple
add name="web+ssl" packet-marks=web_ssl_traffic max-limit=20M/20M

This queue will manage all traffic that originated from either HTTP or HTTPS connections, because both were mapped to the same packet mark.

In conclusion, RouterOS gives you the flexibility to group different connections into a single traffic policy, simply by using multiple mark-packet rules with the same target packet-mark.

I just tested it in the lab environment. The download speed of IPv4 or IPv6 can reach 300M. If both IPv4 and IPv6 are used, the download speed can reach 600M. In addition, when there are multiple lines in the external network, the upload speed limit of IPv6 is invalid. The upload speed can easily exceed the speed limit. This method cannot achieve the effect of switch port speed limit.

IMO it can be achieved without marking connections and quite easy with queue trees:

/ip firewall mangle
add action=mark-packet chain=forward in-interface="LAN_interface" new-packet-mark=upload out-interface="WAN_interface" packet-mark=no-mark
add action=mark-packet chain=forward in-interface="WAN_interface" new-packet-mark=download out-interface="LAN_interface" packet-mark=no-mark

/ipv6 firewall mangle
add action=mark-packet chain=forward in-interface="LAN_interface" new-packet-mark=upload out-interface="WAN_interface" packet-mark=no-mark
add action=mark-packet chain=forward in-interface="WAN_interface" new-packet-mark=download out-interface="LAN_interface" packet-mark=no-mark

/queue tree
add max-limit=300M name=download_limit packet-mark=download parent=global
add max-limit=300M name=upload_limit packet-mark=upload parent=global

  1. This method of directly marking packets has a higher system overhead than marking the connection first and then marking the packets.
  2. I have 12 ADSL lines outside, multiple LANs inside, DHCP and PPPoE. How do I use in-interface for PPPoE inside?
  3. I want to apply different speed limit policies to different users. The above packet marking cannot meet the refined speed limit requirements.
  4. I tested the above speed limit method and used PCQ in the queue tree. I found that even with this method, the same terminal can still reach 600M when downloading IPv4 and IPv6 at the same time. I imagine that different terminals have different speed limit values. No matter whether they use IPv4 or IPv6 alone or at the same time, the total bandwidth of this terminal can only reach the limit value.

  1. It can be changed to connection marking first and then packet marking
  2. Through server bindings
  3. You add leafs to the queue but more details are needed - how exactly do the users connect, what speed limits should be applied, etc.
  4. Perhaps post the config to have a look

External PPPoE dialup interfaces

/interface pppoe-client
add name=pppoe-out1 interface=ether1 user=isp1-user password=isp1-pass disabled=no add-default-route=no
add name=pppoe-out2 interface=ether2 user=isp2-user password=isp2-pass disabled=no add-default-route=no

===== 2. Address Pool Configuration =====

IPv4 address pool for LAN

/ip pool
add name=pool-dhcp-ipv4 ranges=192.168.1.2-192.168.1.254

IPv6 prefix pools for LAN

/ipv6 pool
add name=ipv6-dhcp-ra-pool prefix=fd00:1000::/48 prefix-length=64
add name=ipv6-dhcp-pd-pool prefix=fd00:2000::/48 prefix-length=60

===== 3. PCQ Configuration =====

PCQ for upload limiting

/queue type
add name=pcq-upload kind=pcq pcq-rate=10M pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000

PCQ for download limiting

/queue type
add name=pcq-download kind=pcq pcq-rate=10M pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000

===== 4. LAN IP Configuration =====

Internal LAN address

/ip address
add address=192.168.1.1/24 interface=ether3 comment="LAN Gateway"

IPv6 address for LAN

/ipv6 address
add address=fd00:1000::1/64 interface=ether3 advertise=yes comment="LAN IPv6"

===== 5. DHCP Configuration =====

IPv4 DHCP server for ether3

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=8.8.8.8,1.1.1.1

/ip dhcp-server
add name=dhcp-server interface=ether3 address-pool=pool-dhcp-ipv4 lease-time=1d disabled=no

===== 6. IPv6 Configuration =====

Enable IPv6

/ipv6 settings
set accept-router-advertisements=yes accept-redirects=yes forward=yes

IPv6 DHCP client on PPPoE interfaces (get prefix from ISP)

/ipv6 dhcp-client
add interface=pppoe-out1 request=prefix add-default-route=yes
add interface=pppoe-out2 request=prefix add-default-route=no

IPv6 RA configuration for ether3 (LAN)

/ipv6 nd
add interface=ether3 ra-interval=20s-60s hop-limit=64 advertise-mac-address=yes managed-address-flag=yes other-config-flag=yes

IPv6 DHCPv6-PD server for ether3

/ipv6 dhcp-server
add name=dhcpv6-server interface=ether3 address-pool=ipv6-dhcp-pd-pool lease-time=1d

===== 7. Routing Table Configuration =====

Create routing tables for dual WAN

/routing table
add name=to-isp1 fib
add name=to-isp2 fib
add name=to-isp1-v6 fib
add name=to-isp2-v6 fib

===== 8. Mangle Rules Configuration =====

/ip firewall mangle

IPv4 PCC load balancing marking

add chain=prerouting src-address=192.168.1.2-192.168.1.254 per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting src-address=192.168.1.2-192.168.1.254 per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=ISP2_conn passthrough=yes

IPv4 routing marking

add chain=prerouting src-address=192.168.1.2-192.168.1.254 connection-mark=ISP1_conn action=mark-routing new-routing-mark=to-isp1 passthrough=yes
add chain=prerouting src-address=192.168.1.2-192.168.1.254 connection-mark=ISP2_conn action=mark-routing new-routing-mark=to-isp2 passthrough=yes

IPv4 traffic marking for rate limiting

add chain=forward src-address=192.168.1.2-192.168.1.254 action=mark-packet new-packet-mark=up passthrough=no
add chain=forward dst-address=192.168.1.2-192.168.1.254 action=mark-packet new-packet-mark=down passthrough=no

IPv6 Mangle rules

/ipv6 firewall mangle

IPv6 PCC load balancing marking

add chain=prerouting src-address=fd00:1000::/48 per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=ISP1_conn_v6 passthrough=yes
add chain=prerouting src-address=fd00:1000::/48 per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=ISP2_conn_v6 passthrough=yes
add chain=prerouting src-address=fd00:2000::/48 per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=ISP1_conn_v6 passthrough=yes
add chain=prerouting src-address=fd00:2000::/48 per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=ISP2_conn_v6 passthrough=yes

IPv6 routing marking

add chain=prerouting src-address=fd00:1000::/48 connection-mark=ISP1_conn_v6 action=mark-routing new-routing-mark=to-isp1-v6 passthrough=yes
add chain=prerouting src-address=fd00:1000::/48 connection-mark=ISP2_conn_v6 action=mark-routing new-routing-mark=to-isp2-v6 passthrough=yes
add chain=prerouting src-address=fd00:2000::/48 connection-mark=ISP1_conn_v6 action=mark-routing new-routing-mark=to-isp1-v6 passthrough=yes
add chain=prerouting src-address=fd00:2000::/48 connection-mark=ISP2_conn_v6 action=mark-routing new-routing-mark=to-isp2-v6 passthrough=yes

IPv6 traffic marking for rate limiting (unified with IPv4)

add chain=forward src-address=fd00:1000::/48 action=mark-packet new-packet-mark=up passthrough=no
add chain=forward src-address=fd00:2000::/48 action=mark-packet new-packet-mark=up passthrough=no
add chain=forward dst-address=fd00:1000::/48 action=mark-packet new-packet-mark=down passthrough=no
add chain=forward dst-address=fd00:2000::/48 action=mark-packet new-packet-mark=down passthrough=no

===== 9. NAT Configuration =====

IPv4 NAT

/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade
add chain=srcnat out-interface=pppoe-out2 action=masquerade

IPv6 NAT66 (usually not needed with PPPoE IPv6, but included for compatibility)

/ipv6 firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade
add chain=srcnat out-interface=pppoe-out2 action=masquerade

===== 10. Routing Configuration =====

IPv4 default routes

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=to-isp1 distance=1 check-gateway=ping comment="ISP1 Route"
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=to-isp2 distance=1 check-gateway=ping comment="ISP2 Route"

IPv4 main routes (failover)

add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1 check-gateway=ping comment="ISP1 Main"
add dst-address=0.0.0.0/0 gateway=pppoe-out2 distance=2 check-gateway=ping comment="ISP2 Backup"

IPv6 default routes

/ipv6 route
add dst-address=::/0 gateway=pppoe-out1 routing-table=to-isp1-v6 distance=1 check-gateway=ping comment="ISP1 IPv6 Route"
add dst-address=::/0 gateway=pppoe-out2 routing-table=to-isp2-v6 distance=1 check-gateway=ping comment="ISP2 IPv6 Route"

IPv6 main routes (failover)

add dst-address=::/0 gateway=pppoe-out1 distance=1 check-gateway=ping comment="ISP1 IPv6 Main"
add dst-address=::/0 gateway=pppoe-out2 distance=2 check-gateway=ping comment="ISP2 IPv6 Backup"

===== 11. Queue Tree Rate Limiting Configuration =====

/queue tree

Upload rate limiting (IPv4 + IPv6 unified)

add name=upload parent=global packet-mark=up queue=pcq-upload priority=8

Download rate limiting (IPv4 + IPv6 unified)

add name=download parent=global packet-mark=down queue=pcq-download priority=8

You haven’t specified a max limit on the main queues

PCQ: pcq-rate=10M, Queue Tree: limit-at=30M, max-limit=80M, 10 terminals:

Single Terminal Online:

Terminal speed: 10M (limited by PCQ pcq-rate ceiling)
Despite 80M total bandwidth available, individual PCQ rate limit cannot be exceeded

All 10 Terminals Online:

Total demand: 10M × 10 = 100M
Available bandwidth: max-limit = 80M
Actual allocation: 80M ÷ 10 = 8M per terminal
Each terminal receives less than its PCQ limit due to aggregate bandwidth constraint

Key Principle:
max-limit controls the total bandwidth pool shared among all members, not individual terminal limits. When aggregate demand exceeds max-limit, bandwidth is proportionally distributed among active clients.

Fundamental Implementation Challenges:

The suggested method would require creating individual packet-marks for each terminal, encompassing both IPv4 and IPv6 traffic. This approach faces critical implementation barriers:

Scalability Crisis:

With 200+ IPv4 terminals plus corresponding IPv6 addresses, hundreds of unique packet-marks would be required
Each terminal needs separate mangle rules for both protocol stacks
Configuration complexity grows exponentially with network size

Operational Infeasibility:

Manual creation and maintenance of hundreds of mangle rules
Each client addition/removal requires individual rule modifications
No dynamic adaptation to network changes
Error-prone configuration management at scale

Performance Degradation:

Extensive mangle rule sets significantly impact router performance
Packet processing overhead increases with rule quantity
System resources consumed by rule evaluation rather than forwarding

DHCP Environment Incompatibility:

The core challenge remains: existing QoS mechanisms operate at the protocol level, while the desired outcome requires device-level control across multiple protocol stacks - a fundamental architectural mismatch that current RouterOS implementations cannot elegantly resolve at scale.

The result of the control in the example is that if a single terminal downloads 20M, the upload will exceed 20M (in the case of multiple external networks, IPv6 upload control is not strict).

This is inconsistent with the expected total bandwidth of 10M for IPv4 and IPv6.
PCQ pcq-rate acts as a hard cap per client