Hi guys,
I’m struggling to implement traffic shaping with a hEX S (v6.45.6) for the following design, involving traffic tagged and untagged. All my attempts were unsuccessful either with simple queue or with mangle rules + queues.
I’ve created two bridges on hEX S:

1. Bridge_A = traffic tagged vlan_id 101 from ether2 to ether4
2. Bridge_B =
   a. traffic tagged vlan_id 102 from ether2 to ether 4
   b. traffic tagged vlan_id 102 from ether2 to untagged port ether 3 (access)
   I’ve tried to create simple queues to limit the traffic based of the interface (target port) but nothing’s happening
   I’ve tried to create mangle rules marking in/out connections on interface and then making queues to limit the traffic but nothing’s happening

Could you please help me to implement this traffic shaping & policing?

1. ether 2 – bandwidth limit = 100M UL/DL
2. ether 2 _vlan_101 – bandwidth limit = 2M UL/DL
3. ether 2 _vlan_102 – bandwidth limit = 98M UL/DL
4. ether 3 – bandwidth limit = 20M UL/DL
5. ether 4 – bandwidth limit = 80M UL/DL
6. ether 4_vlan_102 – bandwidth limit = 80M UL/DL

Thank you in advance!

Hi guys,

The only point where I can control the bandwidth is on ether3, since the traffic is untagged and I can create a simple queue which can have as target the IP address of the ServerA.
I didn’t find yet a solution for those two vlans (101,102) which are bridged from ether2 to ether4.

Is there anybody can help on this matter please?
Thank you advance!

Do I get you right that you want to limit throughput of the traffic being bridged (i.e. not routed) between ether2 and ether4?

Hi Sindy,
Sorry for this late reply. I did not manage to make any progress to fix it up, so I still need your help.
Indeed, I want to limit throughput for the traffic being bridged between ether2 and ether4. I had many attempts to use as target the interface the all of them were unsuccessful.
Do you have an idea how can I do it?

Here under the config :

[admin@XXXXXX] > export

add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall mangle
add action=passthrough chain=forward src-mac-address=50:2F:A8:F8:33:F0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=10.1.1.1
add distance=1 dst-address=192.168.70.0/24 gateway=169.254.1.2
/system identity
set name=XXXXXX
/tool graphing interface
add interface=MGMT
add interface=Services
add interface=bridge
add interface=ether2
add interface=ether3
add interface=ether4
add interface=vlan101-eth2
add interface=vlan101-eth4
add interface=vlan102-eth2
add interface=vlan102-eth4
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-limit=10000000KiB file-name=ether4_vlan101 filter-interface=vlan101-eth4 memory-limit=1000000KiB
/tool traffic-monitor
add interface=bridge name=bridge threshold=0
add interface=MGMT name=MGMT threshold=0
add interface=Services name=Services threshold=0
add interface=ether2 name=ether-2 threshold=0
add interface=ether3 name=ether3 threshold=0
add interface=ether4 name=ether4 threshold=0
add interface=vlan101-eth2 name=vlna101-eth2 threshold=0
add interface=vlan102-eth2 name=vlna102-eth2 threshold=0
add interface=vlan101-eth4 name=vlna101-eth4 threshold=0
add interface=vlan102-eth4 name=vlna102-eth4 threshold=0


Thank you in advance!

Hi guys,

Can somebody help on this please?

Sorry, I’ve confused two similar topics so I didn’t care much about the notifications of this one.

To make it possible for bridged packets to be queued, you have to disable hardware acceleration of the bridge (/interface bridge port set [find interface~“ether[24]”] hw=no), and under /interface bridge settings, you have to set use-ip-firewall and use-ip-firewall-for-vlan (in your case) to yes.
Once you do this, you can use /interface bridge filter rules with action=mark-packet to assign packet-marks to frames being bridged depending on their in-interface, vlan-id, and maybe other criteria, and use queues in /queue tree marked with those packet-marks to handle the traffic.

If you need a more detailed description, give me more detailed classification criteria.

I have updated my articles on traffic shaping (QoS). See the link in my signature.

You made my day