setting up bandwidth shaping on a PPPOE WISP mikrotik.

ok so ive managed to get a tcp connection limit per user rule working, now i want to set some basic shaping rules since i only have a 5.5mb/5.5mb pipe to service a bunch of people.

what ive run into is that when a pppoe user is logged in, it sets its own simple queue seperate from the main queue. i have a screenshot to illistrate.

What happened is that the main queue overrulled the pppoe queue and the speeds set for the individual user were ignored (a 850k/300k user was getting 5.5mbit up/down).

I set the main queue to ether2 (lan interface) and now pppoe users are having thier speeds limited properly based on thier WISP package(getting 850k/300k), but im unsure if the global shaping rules will kick in once the pipe fills up. my pppoe users get a 10.10.0.1-10.10.1.255 ip address so i set the main queue for 10.10.0.0/23. This should mean that the entire 10.10.0.1-10.10.1.255 range should have to obide by the rules i set for that 5.5mb pipe right?

should this work? thoughts? suggestions?

also, would anyone have any idea why my pppoe users would have proper download throttleing, but the upload appears to be wide open. hotspot users work properly.

bump, anyone have any insight on these issues?

ok, my vender came in with the save, the bridge that was configured on this router was seeing the download, but not the upload traffic. we disabled the bridge and uploads are being throttled appropriatly, since all our mikrotiks only use the wan and 1 lan port, a bridge is not needed.


now on to figure out if my queue rules will work the way i want to.

alright so further testing indicates that indeed, a pppoe session will ignore my 10.10.0.0/22 shaping rules. i think my only option is to setup a transparant bridge shaper MT in front of my pppoe termination MT.


unless someone knows how to do this all on the same box?

found another way to do this maybe. i abandoned a simple queue and just set up priorities in the queue tree area with ether 1 (wan) as the parent. the pppoe user gets its right speed and the queue tree is logging traffic as going thru it. I can live without setting limits on how fast the traffic types are allowed to go so long as http gets priority 1. have a look here and comment on how you think this will work.

Deer12,
can u help me send to me the step by step you used in achieving this shaped stuff and queuing in mikrotik using winbox, cus i am facing the same issue as you have solved it.

I have about 128kbps/512kbps bandwidth to share among my users in my network. My lan users on ether2 (dhcp) and hotspot users on ether3 while my WAN is ether1. i want a situation where my users in both ether2 and 3 are shaped based on setting priorities for http with highest priority and p2p least priority.

Again, i want to enable connection limits for both ether2 and 3 to a maximum of 25 connections per ip.

You can PM or post your steps here so that we can learn.

Thanks

My network consists of the following layers..

CORE
|
DISTRIBUTION
|
ACCESS

The core layer is basically my handoff to our ISP’s MPLS Fiber.

Distribution consists of routers, firewalls, bandwidth controls, and other network resources such as: DNS, MAIL, etc.

At the distribution layer’s WAN router(s) (connecting to the core), is where I implement Network wide based traffic controls. Much like what you’re trying to do with HTTP, VOIP, P2P, setting up queues and priorities for these types of traffic.

The access layer consists of my PPPoE Access Concentrators. Using mikrotik as the PPPoE server, and RADIUS simple queues are dynamically generated when the user logs in to reflect the subscription level of the customer. The WAN ports of the access concentrators connect to the distribution layer routers/switches.

You’re trying to do all of this one device, which I don’t think you can do because simple queues I believe override the Queue Tree. You may want to refer to the documentation.

It’s possible to do a nested tree heirachy on a single device… creating a tree for PPPoE users, hotspot user, etc assigning them to their respective interfaces and nesting the various protocol and priorities underneath it. In my opinion it’s not very scalable. What if you want to offer more than a single speed tier to your customers?

Adding the extra layer in the network gives you more control to firewall/shape bandwidth at the desired layers. If you got it working using another method great, this is just my two cents.

The screen shots don’t really give enough information on your queue setup, it’d be better to do a

/queue export

and copy/paste the info here to see exactly what you’ve done.

for the shaping i followed the guide on the mikrotik wiki for creating a transparent bridged shaper, except i didnt have mine bridged. i ended up using some of what i learned in there and applying it to a queue tree instread of simple queue. the instructions for marking packets is bang on.

http://wiki.mikrotik.com/wiki/TransparentTrafficShaper

As for the connection limits, i added a filter ruleand the options i set were: chain-forward, protocol tcp. in the extra tab i set my connection limit, netmask32, for the action i set it to reject-tcp reset. notice how i didnt specify a source address, i left it un-filled.

here is the log and rule stats to show it dropping at the 61 mark.

/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=
5
set default-small kind=pfifo name=default-small pfifo-limit=10
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
max-limit=0 name=http packet-mark=http_conn parent=global-total priority=
1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
max-limit=0 name=pop packet-mark=pop_conn parent=global-total priority=2
queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
max-limit=0 name=smtp packet-mark=smtp_conn parent=global-total priority=
3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
max-limit=0 name=other packet-mark=other_conn parent=global-total
priority=4 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
max-limit=0 name=p2p packet-mark=p2p_conn parent=global-total priority=8
queue=default
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set pppoe-in1 queue=default
set pptp-in1 queue=default



In testing, i have been able to log into different tier’d speeds no problem, i am using radius for pppoe tho, does that make a difference?

I have read the manual in the link several times without understanding it. That is why i needed step-by-step on how u achived the bandwidth shaping, as that is the most important aspect in network management.

I really need this cus i dont want one person who just connected to my network thru hotspot, to just use up the whole bandwdith that is availaible to others.

please, your help wil be appreciated here. At least with winbox picture of your queue tree and others.

well, currently in my setup, i dont have any hotspot users, but i believe since a hotspot server creates it’s own interface, you should be able to follow the article to first mark your different traffic types. you literally can just copy and paste some of those items into you console (after you have modified some of the details to match your current setup)

once the types of traffic are marked you can create either a simple queue or a queue tree, for the interface, you will have to make sure it is set to hotspot i think. im not 100% sure since im not deploying hotspots. Try specifying different interface types till you see queue’d up traffic.

you will want to get a test unit and trial and error till you can see the traffic being properly classed and sorted. took me a few workdays of trial and error to get it right.

Ill be honest, im not intending on writing a full step by step configuration guide for my perticular setup at the moment. I will be doing it in the future for my fellow employees who are going to end up having to learn this, but I don’t have the time to sling documentation at the moment. I know that wont help you now. I had to make do with hired consultants and the wiki documentation and the odd tip here and there to get our setup to where it is at right now. but if you keep an eye on this thread, within the next month or so I will be making a guide with pictures detailing process from shrinkwrap to deployment.

i found a way i might be able to help you. i have discovered the magic that is the command line.


goto a new terminal window in winbox.

type in: ip firewall

copy and paste this sucker in your command line, and hit enter.

add action=reject chain=forward comment=“tcp connection limit” connection-limit=60,32 disabled=no protocol=
tcp reject-with=tcp-reset

this is the tcp connection limit rule i have, it limits every ip address to 60 tcp connections, it helps keep bit torrent under control, also viruses and crap.

type / to get back to the root and hit enter.

for my filter i have setup first type in: ip firewall, hit enter, type mangle, then copy and paste this sucker:

add action=mark-connection chain=prerouting comment=“http mark” disabled=no dst-port=80 new-connection-mark=
http_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=“” connection-mark=http_conn disabled=no new-packet-mark=
http_conn passthrough=no
add action=mark-connection chain=prerouting comment=“p2p mark” disabled=no new-connection-mark=p2p_conn p2p=
all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment=“” connection-mark=p2p_conn disabled=no new-packet-mark=
p2p_conn passthrough=no
add action=mark-connection chain=prerouting comment=“smtp mark” disabled=no dst-port=25 new-connection-mark=
smtp_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=“” connection-mark=smtp_conn disabled=no new-packet-mark=
smtp_conn passthrough=no
add action=mark-connection chain=prerouting comment=“pop mark” disabled=no dst-port=110 new-connection-mark=
pop_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=“” connection-mark=pop_conn disabled=no new-packet-mark=
pop_conn passthrough=no
add action=mark-connection chain=prerouting comment=“other connections” disabled=no new-connection-mark=
other_conn passthrough=yes
add action=mark-packet chain=prerouting comment=“” connection-mark=other_conn disabled=no new-packet-mark=
other_conn passthrough=no
add action=mark-connection chain=prerouting comment=“sip mark” connection-type=sip disabled=no
new-connection-mark=sip_conn passthrough=yes
add action=mark-packet chain=prerouting comment=“” disabled=no new-packet-mark=sip_conn packet-mark=sip_conn
passthrough=yes

this marks all traffic accordingly as 1 of the following:


sip, http, pop, smtp, other, p2p.

type / to get back to the root and hit enter.

now for the queue tree, this is easy to setup in winbox, but for a nice copy and paste to the command line type in

type queue, hit enter, type tree, hit enter.

copy and paste this sucker in there and hit enter:

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=sip packet-mark=sip_conn parent=
global-total priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=http packet-mark=http_conn parent=
global-total priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=pop packet-mark=pop_conn parent=
global-total priority=3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=smtp packet-mark=smtp_conn parent=
global-total priority=4 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=other packet-mark=other_conn parent=
global-total priority=5 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=p2p packet-mark=p2p_conn parent=
global-total priority=8 queue=default

this will build your queue rules for you.

i have it set up as following

sip priority 1
http priority2
pop priority 3
smtp priority4
other priority 5
p2p priority 8

i have found that a lot of p2p gets classed in the other catagory, but thats ok because so long as http and mail flows unabaited im happy.

once you see what the rules look like in winbox after you make them here, maybe you can get an idea how to build modify the rules yourself.

hope this helps.

ps, modify the line for tcp connection limits to 25 connections instead of my 60


also, in the queue area in queue tree, if you open each queue tree item you can specify how much bandwidth in bits you want allowed at once… which i think, is pretty cool

Thanks for making things simplier for me.

But i want to ask something, concerning priorites in the bandwidth issues/shaping.

[quote=“derr12”]

i have it set up as following

sip priority 1
http priority2
pop priority 3
smtp priority4
other priority 5
p2p priority 8

i have found that a lot of p2p gets classed in the other catagory, but thats ok because so long as http and mail flows unabaited im happy.

From the above, it means p2p with priority 8 is given the highest priority over others, if that is true, but i want my lan/hotspot users to have highest priority for http. How are bandwidth priority set in mikrotik so that i can choose the one i want for my network.

I am not clarified on this settings,
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=sip packet-mark=sip_conn parent=
global-total priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=http packet-mark=http_conn parent=
global-total priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=pop packet-mark=pop_conn parent=
global-total priority=3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=smtp packet-mark=smtp_conn parent=
global-total priority=4 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=other packet-mark=other_conn parent=
global-total priority=5 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=p2p packet-mark=p2p_conn parent=
global-total priority=8 queue=default


Assuming, i have such bandwidth from my isp, uplink = 128kbps and downlink = 512kbps, how do i share it based on the queue shaping above, so that I can have some heavy users shaped this way,
heavy users = 64/128
middle users = 32/64
light users = 32/32

thanks once again

I have been able to shape based on the steps outlined by deer12.

My question is, how can i limit and give bandwidt to my hotspot users because from the queue, they are showing unlimited in both upload and and download, as shown in the picture. i have tried to make some adjustments on it, yet it is not allowing me the option of doing that.

Again, how and where do i set the actual bandwidth for all my users.

Thanks for your response

The ‘D’ stands for dynamic - the entry is dynamically created, and that’s why you can’t edit it. Its value comes from the rate limit on the Hotspot Server Profile. Edit the rate limit of the profile, and the values shown for the dynamic queue entry will change along with it.

However, you should note that each user of the Hotspot will have its own dynamic queue created - and those are the rate limits applied once the user has authenticated. The queue in your picture is only applied to non-authenticated traffic (so connections that display the login page, or connections that are permitted via the walled garden).

Thanks,
my main concern is to sahpe my hotspot users because the mikrotik is set up for them mostly for authentication and others.

thanks

I am having some problems with my link, my hotspot users are complaining to bad that when they want to open a page, it will show error in connetion/connection reset. Why is it doing like that.

Here is my firewall filter settings
[admin@Installer] /ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2

2 ;;; Drop excess pings
chain=input action=drop protocol=icmp

3 ;;; tcp Connection limit
chain=forward action=reject reject-with=tcp-reset protocol=tcp
connection-limit=31,32