SEE
just joined
Topic Author
Posts: 4
Joined: Fri Sep 10, 2010 7:48 pm

How to make bandwidth limitation with multiple VLANs

Sun May 06, 2012 2:24 pm

[Image: network diagram]

Hi,

Please take a look at the diagram of my network.
I need to limit the download speed for different clients in different VLANs. To use the Queue Tree I need to write rules for Mangle.
How to tag only those packets that come from the Internet to users and exclude inter VLAN traffic?
[admin@GH] > /ip address print detail             
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.1.1/24 network=192.168.1.0 interface=vlan1 - Management 
     actual-interface=vlan1 - Management 

 1   address=178.72.90.12/27 network=178.72.90.0 interface=ether1-gateway 
     actual-interface=ether1-gateway 

 2   address=192.168.5.1/24 network=192.168.5.0 interface=vlan5 - Free Wi-Fi 
     actual-interface=vlan5 - Free Wi-Fi 

 3   address=192.168.10.50/24 network=192.168.10.0 interface=valn10 - Rkeeper 
     actual-interface=valn10 - Rkeeper 

 4   address=192.168.11.1/24 network=192.168.11.0 interface=vlan11 - Bank 
     actual-interface=vlan11 - Bank 

 5   address=192.168.150.1/24 network=192.168.150.0 interface=vlan500 -Fedor 
     actual-interface=vlan500 -Fedor 

 6   address=192.168.12.1/24 network=192.168.12.0 
     interface=vlan12 - Unspecified devices 
     actual-interface=vlan12 - Unspecified devices 

 7   address=192.168.4.1/24 network=192.168.4.0 interface=vlan4 - Wi-Fi corporat>
     actual-interface=vlan4 - Wi-Fi corporate 

 8   address=192.168.6.1/24 network=192.168.6.0 interface=vlan6 - Office PCs 
     actual-interface=vlan6 - Office PCs 

 9   address=192.168.7.1/24 network=192.168.7.0 interface=vlan7 - Video 
     actual-interface=vlan7 - Video 

10   address=192.168.13.1/24 network=192.168.13.0 interface=vlan13 - Guests 
     actual-interface=vlan13 - Guests 

11 D address=192.168.9.100/32 network=192.168.9.1 interface=<l2tp-ranevskaya> 
     actual-interface=<l2tp-ranevskaya> 
[admin@GH] >> interface print 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                               TYPE               MTU L2MTU  MAX-L2MTU
 0  R  ether1-gateway                     ether             1500  1526       1526
 1  R  ether2-local                       ether             1500  1520       1520
 2     ether3-local                       ether             1500  1520       1520
 3     ether4-local                       ether             1500  1520       1520
 4     ether5-local                       ether             1500  1520       1520
 5  R  vlan11 - Bank                      vlan              1500  1516
 6  R  vlan1 - Management                 vlan              1500  1516
 7  R  vlan5 - Free Wi-Fi                 vlan              1500  1516
 8  R  valn10 - Rkeeper                   vlan              1500  1516
 9  X  GH-Ranevskaya                      eoip-tunnel       1500
10  X  GH-Ranevskaya Bridge               bridge            1500
11  R  vlan500 -Fedor                     vlan              1500  1516
12  R  vlan12 - Unspecified devices       vlan              1500  1516
13  R  vlan4 - Wi-Fi corporate            vlan              1500  1516
14  R  vlan6 - Office PCs                 vlan              1500  1516
15  R  vlan7 - Video                      vlan              1500  1516
16  R  vlan13 - Guests                    vlan              1500  1516
17 DR  <pppoe-reception>                  pppoe-in          1480
18 DR  <l2tp-ranevskaya>                  l2tp-in           1460
[admin@GH] >> ip firewall export 
# may/06/2012 17:21:57 by RouterOS 5.15
# software id = CW3N-DADX
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward disabled=no in-interface=ether1-gateway p2p=\
    all-p2p
add action=accept chain=input comment="access to WinBox from Inet" disabled=no \
    dst-port=8291 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 in-interface=\
    ether1-gateway protocol=tcp
add action=accept chain=input disabled=no in-interface=ether1-gateway protocol=\
    gre
add action=accept chain=input disabled=no dst-port=1701 in-interface=\
    ether1-gateway protocol=tcp
add action=accept chain=input disabled=no dst-port=1701 in-interface=\
    ether1-gateway protocol=udp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
    established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=\
    related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway
/ip firewall mangle
add action=mark-connection chain=forward disabled=no new-connection-mark=\
    "vlan7 con-down" passthrough=yes src-address=192.168.7.0/24
add action=mark-packet chain=forward connection-mark="vlan7 con-down" disabled=\
    no in-interface=ether1-gateway new-packet-mark="vlan7 packet down" \
    passthrough=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="PPPoE Server" disabled=no out-interface=ether1-gateway \
    src-address=192.168.40.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="PPPoE Server Wi-Fi corporate" disabled=no out-interface=\
    ether1-gateway src-address=192.168.44.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gateway src-address=192.168.11.0/24
add action=masquerade chain=srcnat comment="vlan10 PPPoE" disabled=no out-interface=ether1-gateway \
    src-address=192.168.50.0/24
add action=masquerade chain=srcnat comment="vlan6 - Office users" disabled=no out-interface=\
    ether1-gateway src-address=192.168.6.0/24
add action=masquerade chain=srcnat comment="vlan7 - Video" disabled=no out-interface=ether1-gateway \
    src-address=192.168.7.0/24
add action=masquerade chain=srcnat comment="vlan4 - Wi-Fi corporate" disabled=no out-interface=\
    ether1-gateway src-address=192.168.4.0/24
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes \
    to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no out-interface=\
    ether1-gateway src-address=192.168.5.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="Fedor " disabled=no out-interface=ether1-gateway src-address=\
    192.168.150.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="vlan13 - Guests internet" disabled=no out-interface=\
    ether1-gateway src-address=192.168.13.0/24


dasiu
Trainer
Posts: 232
Joined: Fri Jan 30, 2009 11:41 am
Location: Reading, UK

Re: How to make bandwidth limitation with multiple VLANs

Mon May 07, 2012 3:29 pm

How to tag only those packets that come from the Internet to users and exclude inter VLAN traffic?
You already did that :).
/ip firewall mangle
add action=mark-connection chain=forward disabled=no new-connection-mark=\
"vlan7 con-down" passthrough=yes src-address=192.168.7.0/24
add action=mark-packet chain=forward connection-mark="vlan7 con-down" disabled=\
no in-interface=ether1-gateway new-packet-mark="vlan7 packet down" \
passthrough=yes protocol=tcp
Exactly like that :). Only add "connection-state=new" to the first rule, and unset "protocol" in the second rule. And repeat it for each VLAN. That is what you need to mark the download packets for each VLAN - and then use the packet-marks in /queue tree.

I have also one suggestion about your firewall NAT rules:
/ip firewall nat
add action=masquerade chain=srcnat comment="PPPoE Server" disabled=no out-interface=ether1-gateway \
src-address=192.168.40.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="PPPoE Server Wi-Fi corporate" disabled=no out-interface=\
ether1-gateway src-address=192.168.44.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gateway src-address=192.168.11.0/24
add action=masquerade chain=srcnat comment="vlan10 PPPoE" disabled=no out-interface=ether1-gateway \
src-address=192.168.50.0/24
add action=masquerade chain=srcnat comment="vlan6 - Office users" disabled=no out-interface=\
ether1-gateway src-address=192.168.6.0/24
add action=masquerade chain=srcnat comment="vlan7 - Video" disabled=no out-interface=ether1-gateway \
src-address=192.168.7.0/24
add action=masquerade chain=srcnat comment="vlan4 - Wi-Fi corporate" disabled=no out-interface=\
ether1-gateway src-address=192.168.4.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no out-interface=\
ether1-gateway src-address=192.168.5.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="Fedor " disabled=no out-interface=ether1-gateway src-address=\
192.168.150.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="vlan13 - Guests internet" disabled=no out-interface=\
ether1-gateway src-address=192.168.13.0/24
You could set ONE rule instead:
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address-list=nat-addresses
and then specify the IP address pools in /ip firewall address-list.
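The recipe above written out in full for two of the VLANs from the original address list, as an added example that is not part of either post: the max-limit values, the list name nat-addresses and the queue names are assumptions, and the queue parent is global-out for RouterOS 5.x (it would be global on RouterOS 6 and later).

```routeros
# Added example, not from the thread: per-VLAN download limiting on RouterOS 5.x,
# shown for vlan7 (Video) and vlan13 (Guests); extend the same pattern to every VLAN.
# Assumed values: the max-limit figures, the list name "nat-addresses", the queue names.

# 1. One address list holds every subnet that may be masqueraded ...
/ip firewall address-list
add list=nat-addresses address=192.168.7.0/24 comment="vlan7 - Video"
add list=nat-addresses address=192.168.13.0/24 comment="vlan13 - Guests"

# ... so a single srcnat rule replaces the ten per-subnet masquerade rules.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-gateway src-address-list=nat-addresses

# 2. Mark each connection once, on its first packet (connection-state=new),
#    keyed on the VLAN subnet that opened it.
/ip firewall mangle
add chain=forward action=mark-connection connection-state=new src-address=192.168.7.0/24 \
    new-connection-mark="vlan7 con-down" passthrough=yes comment="vlan7 - Video"
add chain=forward action=mark-connection connection-state=new src-address=192.168.13.0/24 \
    new-connection-mark="vlan13 con-down" passthrough=yes comment="vlan13 - Guests"

# 3. Mark only the packets of those connections that arrive from the Internet
#    (in-interface=ether1-gateway). Inter-VLAN traffic never enters through
#    ether1-gateway, so it stays unmarked and unshaped. There is no protocol=
#    match, so UDP and ICMP downloads are counted as well as TCP.
#    passthrough=no stops further mangle processing of an already marked packet.
add chain=forward action=mark-packet connection-mark="vlan7 con-down" in-interface=ether1-gateway \
    new-packet-mark="vlan7 packet down" passthrough=no
add chain=forward action=mark-packet connection-mark="vlan13 con-down" in-interface=ether1-gateway \
    new-packet-mark="vlan13 packet down" passthrough=no

# 4. One queue per packet mark. The mangle forward chain runs before global-out,
#    so the marks are visible there on RouterOS 5.x (parent=global on 6.x and later).
/queue tree
add name="vlan7 down" parent=global-out packet-mark="vlan7 packet down" max-limit=10M
add name="vlan13 down" parent=global-out packet-mark="vlan13 packet down" max-limit=2M
```

Check the result with /queue tree print stats while a client in each VLAN downloads: the byte counters of the matching queue should grow, while a copy between two VLANs should leave them untouched.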
