 
felipefonsecabh
just joined
Topic Author
Posts: 21
Joined: Wed May 20, 2020 9:57 pm
Location: Brazil

Limit traffic in specific port

Tue Jul 05, 2022 2:25 pm

Hi!
I have an RB760iGS, and I have a basic question.
I configured a bridge and inserted ports 3, 4 and 5 in the bridge.

But I want to limit the traffic at port 4 only. I tried these configurations:
confg1.png
config2.png
But it doesn't work. Any ideas? Thanks a lot!
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Limit traffic in specific port

Tue Jul 05, 2022 2:59 pm

on bridge settings enable firewall and all traffic goes to cpu, all is slower and you can use queues
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Limit traffic in specific port

Tue Jul 05, 2022 3:30 pm

What is connected on ether 4 ?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Limit traffic in specific port

Tue Jul 05, 2022 3:49 pm

I'm curious, like a cat,
about why you asked, that...
;)
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Limit traffic in specific port

Tue Jul 05, 2022 4:03 pm

:lol:
I just want to understand what type of traffic the OP wants to limit...
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Limit traffic in specific port

Tue Jul 05, 2022 5:27 pm

> on bridge settings enable firewall and all traffic goes to cpu, all is slower and you can use queues
Curious cat, let me ask you another question. Enabling use-ip-firewall in bridge settings is definitely the only way to force L2 forwarding through queues, but as you recommend it this lightheartedly, how do you deal with the havoc it causes on NAT?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Limit traffic in specific port

Tue Jul 05, 2022 7:41 pm

Good question, for sure,
but I want you reassure,
if I don't know all the configurations,
how can I make other assumptions ???
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Limit traffic in specific port

Tue Jul 05, 2022 8:01 pm

Never tried to rhyme in English,
so it's going to be childish:
keep preparing for the worst,
so in laughter you could burst
once it turns out could be worse
than you expected at first!

In plain words, I try hard not to propose solutions without mentioning possible negative effects, and the one of enabling use-ip-firewall for the bridges is a huge one, and also unexpected.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Limit traffic in specific port

Tue Jul 05, 2022 8:06 pm

> how do you deal with the havoc it causes on NAT?
@sindy, what do you mean ?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Limit traffic in specific port

Tue Jul 05, 2022 8:11 pm

> @sindy, what do you mean ?
Try and see... if I remember correctly, the packets were handled by NAT rules already during the bridging phase, so their addresses changed before reaching the routing, or something alike. I would have to google for the details, it was discussed here more than a year ago.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Limit traffic in specific port

Tue Jul 05, 2022 8:22 pm

Maybe you mean that the packets will pass through the prerouting, forward and postrouting chains while still in the Bridge ?
https://help.mikrotik.com/docs/display/ ... dgeForward
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Limit traffic in specific port

Tue Jul 05, 2022 8:29 pm

 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Limit traffic in specific port

Tue Jul 05, 2022 8:30 pm

> on bridge settings enable firewall and all traffic goes to cpu, all is slower and you can use queues
In certain network configurations, you might need to enable additional processing on routing chains for bridged traffic, for example, to use simple queues or an IP firewall. This can be done when the use-ip-firewall is enabled under the bridge settings. Note that additional processing will consume more CPU resources to handle these packets.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Limit traffic in specific port

Tue Jul 05, 2022 8:31 pm

> Maybe you mean that the packets will pass through the prerouting, forward and postrouting chains while still in the Bridge ?
> https://help.mikrotik.com/docs/display/ ... dgeForward
Of course I do, but that's the obvious part. The non-obvious part is the consequences this has when the packets are bridged from a host to the CPU, because in such a case they pass through the prerouting (including dst-nat), forward, and postrouting (including src-nat) chains twice (or even three times if the packets are routed from one bridge to another).
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Limit traffic in specific port

Tue Jul 05, 2022 8:34 pm

@rextended the diagram is the same :D
@sindy, right...
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Limit traffic in specific port

Tue Jul 05, 2022 8:48 pm

 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Limit traffic in specific port

Tue Jul 05, 2022 8:55 pm

:lol:
I mean the number sequence indeed is different.. so at one point you are right...
But I was looking at the actual diagram ignoring the numbering...
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Limit traffic in specific port

Tue Jul 05, 2022 9:06 pm

Oops... :-P I misunderstood...
 
felipefonsecabh
just joined
Topic Author
Posts: 21
Joined: Wed May 20, 2020 9:57 pm
Location: Brazil

Re: Limit traffic in specific port

Tue Jul 05, 2022 9:14 pm

> I'm curious, like a cat,
> about why you asked, that...
> ;)
Haha

Our company controls hydroelectric plants remotely, and the internet links have very limited bandwidth. A router is connected to this port and the employees there consume almost all the bandwidth (1mbps :/), and thus the traffic with important automation devices (which are also on the bridge) is harmed.

The ether4 only serves for employees to access the internet and access automation devices in the LAN.

Can I put this port in another bridge? Would it be easier to limit traffic this way?
Last edited by felipefonsecabh on Tue Jul 05, 2022 9:18 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Limit traffic in specific port

Tue Jul 05, 2022 9:16 pm

> Can I put this port in another bridge? Would it be easier to limit traffic this way?
Shaping traffic will be equally easy or complex, but you'll avoid the side effects if you move the port to a separate subnet/vlan/bridge.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Limit traffic in specific port

Tue Jul 05, 2022 9:49 pm

> The ether4 only serves for employees to access the internet and access automation devices in the LAN.
You don't even need to use separate subnets if the automation devices use one address range and the employees use another, as you can link the bandwidth limitation to the addresses. But this is only true if you don't need to limit the bandwidth between the employees' PCs and the automation devices - I can imagine an upset employee flooding the automation gear with traffic locally.

> the employees there consume almost all the bandwidth (1mbps :/), and thus the traffic with important automation devices (which are also on the bridge) is harmed.
There is a catch - you can only enforce bandwidth in the outgoing direction. So you can limit the download from the internet towards the employees' PCs only by throttling the output on LAN, which means that at the beginning of each download TCP session, the data will clog the uplink for a while, until the feedback tells the server that there's no point in sending this fast. So the automation protocols must be able to deal with some loss even if you enforce download bandwidth this way.

If they don't, and if the power plants are connected to the internet directly rather than via the company's own infrastructure and you use VPN tunnels to talk to the automation devices, force the employees' access to the internet through the HQ router by means of the VPN as well, as then you can control the bandwidth already when sending the traffic through the bottleneck. Doing so will waste some bandwidth for the VPN overhead but it will prevent any loss on the automation protocols.
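
A RouterOS configuration for the separate-subnet approach suggested in the thread, added here as an example that is not part of any participant's post. The subnet 192.168.50.0/24, the 256k limits and the queue name are constructed placeholders; it assumes the automation devices sit on ether3 and ether5 and that the employees' router behind ether4 can be re-addressed.

```routeros
# Added example, not from the thread. Constructed values: 192.168.50.0/24,
# the 256k/256k limits and the queue name "employees".
# Assumption: automation devices are on ether3/ether5, employees' router on ether4.

# Keep bridged frames out of the IP firewall and NAT chains, so the
# repeated prerouting/forward/postrouting passes described above never occur.
/interface bridge settings set use-ip-firewall=no

# 1. Take ether4 out of the bridge; ether3 and ether5 stay bridged.
/interface bridge port remove [find interface=ether4]

# 2. Give the stand-alone port its own subnet. The employees' router must be
#    re-addressed into it (assumption: it uses a static address on this link).
/ip address add address=192.168.50.1/24 interface=ether4 comment="employees"

# 3. Everything entering or leaving ether4 is now routed, so a simple queue can
#    shape it. max-limit is upload/download as seen from the target. Because the
#    target is the interface, traffic between the employees and the automation
#    LAN is capped as well, not only their internet traffic.
/queue simple add name=employees target=ether4 max-limit=256k/256k

# 4. Confirm the queue is counting packets after some traffic has passed.
/queue simple print stats where name=employees

# Note: connections handled by a fasttrack-connection firewall rule bypass
# simple queues, so such a rule must not match 192.168.50.0/24.
```

As noted in the last reply, the download cap takes effect only after the data has crossed the uplink, so this limits sustained use but does not prevent short bursts on the 1mbps link.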
