X2
Thanks, and much appreciation to Tom for this years of free communitary btest service 
Hello,
I’m currently trying to set up a Bandwidth Test server that automatically disconnects the client after 1 minute.
How did you manage to do it?
got used your server services in my previous test, thanks for rendering your btest server. its a great help when setting with a new machine I am not able to post it here the results, hope in the future can do so if your server is up again. Bless you!
This is/was my public btest server
export:
/interface ethernet
set [ find default-name=ether1 ] advertise=1G-baseT-full disable-running-check=no loop-protect=off
set [ find default-name=ether2 ] advertise=1G-baseT-full disable-running-check=no loop-protect=off
/queue simple
add burst-limit=1512M/0 burst-threshold=256M/0 burst-time=16m40s/0s max-limit=512M/0 name=Ether1-A-IPv4-From-Internet-AltFaster target=ether1
add burst-limit=0/1512M burst-threshold=0/256M burst-time=0s/16m40s max-limit=0/512M name=Ether1-B-IPv4-To-Internet-AltFaster target=ether1
add burst-limit=1512M/0 burst-threshold=256M/0 burst-time=16m40s/0s max-limit=512M/0 name=Ether2-A-IPv6-From-Internet-AltFaster target=ether2
add burst-limit=0/1512M burst-threshold=0/256M burst-time=0s/16m40s max-limit=0/512M name=Ether2-B-IPv6-To-Internet-AltFaster target=ether2
/routing bgp template
set default disabled=yes output.network=bgp-networks routing-table=main
/user group
add name=btest policy=test,winbox,!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api
/ip firewall connection tracking
set udp-timeout=10s
/ip address
add address=23.162.144.123/28 interface=ether1 network=23.162.144.112
/ip dhcp-client
add disabled=yes interface=ether1
/ip firewall address-list
add address=10.0.0.0/8 comment=01-06-Permanently-BLOCK-These-IP-Addresses list=blocklist
add address=100.64.0.0/12 list=tester
add address=23.162.144.0/24 list=AllowAnything
/ip firewall filter
add action=drop chain=input comment=“Block all Pings to this CHR” in-interface=ether1 protocol=icmp src-address-list=!AllowAnything
add action=drop chain=input comment=“Block Winbox to ether1 TCP-Port8291” dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=!AllowAnything
add action=drop chain=input comment=“Block SNMP ether1 TCP-Port8291” dst-port=161 in-interface=ether1 protocol=udp src-address-list=!AllowAnything
add action=drop chain=input comment=“Block anything to ether1 TCP-Port81” dst-port=81 in-interface=ether1 protocol=tcp src-address-list=!AllowAnything
/ip firewall raw
add action=accept chain=prerouting comment=“0-accept testers” src-address-list=tester
add action=add-src-to-address-list address-list=RetryDuringTimeout2 address-list-timeout=4d3h chain=prerouting comment=“0.4-drop previous testers drop” disabled=yes src-address-list=previous
add action=add-src-to-address-list address-list=previous address-list-timeout=1w chain=prerouting comment=“0.5-drop previous testers drop ( penilize - remote admin tried again during timeout period - add another 4 days to timeout” src-address-list=previous
add action=drop chain=prerouting comment=“1-drop previous testers drop” src-address-list=previous
add action=add-src-to-address-list address-list=tester address-list-timeout=10m chain=prerouting comment=“2-add to address list → tester ( was a TCP tester )” dst-port=2000-2100 protocol=tcp
add action=add-src-to-address-list address-list=tester address-list-timeout=10m chain=prerouting comment=“3-add to address list → tester ( was a UDP tester )” dst-port=2000-2100 protocol=udp
add action=add-src-to-address-list address-list=previous address-list-timeout=1d1h59m59s chain=prerouting comment=“4-add to address list → previous ( previous TCP tester )” dst-port=2000-2100 protocol=tcp
add action=add-src-to-address-list address-list=previous address-list-timeout=1d1h59m59s chain=prerouting comment=“5-add to address list → previous ( previous UDP tester )” dst-port=2000-2100 protocol=udp
/ipv6 firewall raw
add action=accept chain=prerouting comment=“IPv6=testers accepted” src-address-list=IPv6-tester
add action=drop chain=prerouting comment=“IPv6-previous testers drop” src-address-list=IPv6-previous
add action=add-src-to-address-list address-list=IPv6-tester address-list-timeout=2m chain=prerouting comment=“IPv6-add to tester” dst-port=2000-2100 protocol=tcp
add action=add-src-to-address-list address-list=IPv6-tester address-list-timeout=2m chain=prerouting comment=“IPv6-add to tester” dst-port=2000-2100 protocol=udp
add action=add-src-to-address-list address-list=IPv6-previous address-list-timeout=59m chain=prerouting comment=“IPv6-add to previous” dst-port=2000-2100 protocol=tcp
add action=add-src-to-address-list address-list=IPv6-previous address-list-timeout=59m chain=prerouting comment=“IPv6-add to previous” dst-port=2000-2100 protocol=udp
/system identity
set name=23-162-144-123-CHR-P10-btest-server
/tool bandwidth-server
set max-sessions=500
I think that’s it.
I used ether1 for IPv4 and ether2 for IPv6
North Idaho Tom Jones
Thank you a lot.
I don’t really get how it works.
I don’t understand how your firewall works.
With this configuration you are able to disconnect a user after x minutes ?
Just give it a try on a local Mikrotik.
There are two things going on.
- /queue simple
- and the use of address lists in the fw section
The /queue simple limits maximum bandwidth and how much data can pass b4 bringing things down to a crawl.
The address-list ( look at the time settings ) , define how often somebody can repeat a test.
Both of these prevent tests that consume all of you bandwidth for long periods of time , and the other setting prevents the same tester from repeating tests then repeating test then repeating test which forces a wait period b4 they can test again.
Also , in the firewall , there is a block ICMP ping setting. This was added to prevent ICMP ping speed tests.
I’m pretty sure somebody smarter than myself could probably re-write the entire set of configurations to make a better btest server that could stand up better to abuse and auto-script cron-time-schedule repeat testers , and better detect when an ISP is using a cron-script to auto test every one of their customers to a remote btest server.
I always wanted have a front-end web server that after bot checks would generate a random btest user/password , then auto remove it 10-minutes later. Just long enough for a btest but not long enough to test an ISPs entire network and prevent time-cron-scheduled auto btests that occur ever hour or day or week.
North Idaho Tom Jones
re btest / speedtest / iperf
It would be interesting if somebody made a speedtest server that did something like this:
- http to the web server , authenticate , verify not a bot , verify also by email.
- Ask a question ( traditional windows browser speed test , or Mikrotik btest , or iperf / iperf3 )
- then have the web server configure a temp login for the speedtest selected - allow enough time for a speedtest , then auto remove the temp login.
– ( and have some user admin settings for max speeds allowed , how many testers at the same time , log the user and remote IP , and support a blacklist of IPs who are always blocked , and similar optional admin settings to manage the speedtest bandwidth test server.
I would think this type of bandwidth test server is plausible , and if I remember there is or was a stand-alone Mikrotik btest server that can run under windows or was it Linux ???
If somebody ( Mikrotik ?? ) came out with something better than what I was using , I might be willing to run another btest bandwidth test server again.
Interesting. While would recommend it, I suspect it be would possible to abuse /ip/hotspot and user-manager to get a session.
Related, if goals was to run your btest service for your users/customers (i.e. not a truly open one like TomjNorthIdaho), you might be able to use RADIUS and other schemes for login, than just a fixed password and src-address.
Re: … if goals was to run your btest service for your users/customer … not a truly open one …
If for my customers ( my local users ) , I would just spin up three dedicated servers and restrict to only my IP address
I am actually referring to a open access servers.
Related info …
At my ISP , I run two sets of btest servers ( for my ISP customer networks to test to )
- one btest server is used to test and measure the maximum throughput of a fiber or wireless customer ( find the maximum possible speed ).
- my second btest server is after a client’s traffic has gone through my customer bandwidth shapers ( verify customer purchased account speeds are correct and not slower or faster than what the customer is purchasing ).
I have also used it for several years. Thank you very much Tom for these several years
Thank you Tom for your years of servers and service. Wishing you continued success.
Hi, I’ve try to be sure from several IPs, I got auth failed using password I-Am-Not-A-Cron-Script and user according the first post, pity 
Certo che sei sveglio…
according the first post the free service no longer exist
Public-Mikrotik-Bandwidth-Test-Server(s) ( now shutdown as of April 1st 2025 )
***** IMPORTANT INFORMATION *****
I will be shutting down the btest server I maintain on April 1’st 2025
It’s been on-line for around 10-years and has seen countless terra-bytes pass through it during this time.
Closing the topic
Update - I shutdown the Public-Mikrotik-Bandwidth-Test-Server(s) I maintained on April 1’st 2025 - because of all the cron scheduled never-ending btests I was getting all-of-the-time. I figured that well over two-thirds of all of the btests were non-humans - and automatic time-based scripts ( so that other admins could automatically have all of their ISP customers perform speed test to my server. No matter how many times I posted only manual btest(s) performed by a human Mikrotik operator.
Now over two months later , my now private btest server ( same IP addresses ) is still getting hit with hundreds of daily btest attempts - which they now fail because the login & password was changed.
I would like to - but I won’t - create an auto reverse direction denial-of-service back to those repeating networks. A 10+ Gig denial-of-service might get their attention.
- If somebody reading this post had one , please disable your automatic btest(s) to my now private btest server.
North Idaho Tom Jones
1 Like
maybe connection attempts are made for automated scripts on compromised devices or bots
dont know what jurisdiction you are, but if you take some action which disrupt operation of another network maybe you can become liable, suable or even prosecuted
you must blackhole your ip address for a while maybe a year so that connections does not get any kind of answer
try abuse contacts of AS originating the connections
I would like to - but I won’t