ZunA
just joined
Topic Author
Posts: 1
Joined: Fri May 05, 2023 10:09 am

CAP and limiting bandwidth

Fri May 05, 2023 10:17 am

Hi,

I have one RB951G-2HnD as the main router, without wifi on it, and 6 others (also RB951G-2HnD) connected to it to cover the whole building. They are in CAP mode with two Wi-Fi networks (SSIDs): one for public use (internet) and one for a few selected users (private).

That works fine, but I need to set up a bandwidth limit on the internet SSID, for example 5/1 (download and upload), for each router (or a different bandwidth for each one, if that is possible), and the private SSID should stay unlimited.

How do I set that up? I tried a few things but nothing works. When I connect them without CAPs it works, but I changed the settings to CAPs for easier management (changing the password on the internet SSID periodically).

Thnx.

My configuration on main is
# may/05/2023 08:56:42 by RouterOS 7.8
# software id = YJM6-***
#
# model = RB951G-2HnD
# serial number = ***
#
# Export of the CAPsMAN controller ("main" router). Software id, serial number
# and the PPPoE user are masked with *** by the poster.

# One shared 2.4 GHz channel (2437 MHz, 20 MHz control channel, Ce extension).
# Both CAPsMAN configurations below reference channel1, so every provisioned
# radio uses this same frequency.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=Ce frequency=\
    2437 name=channel1
# Two bridges keep the SSIDs in separate L2 segments on the controller.
/interface bridge
add name=bridge-internet
add name=bridge-private
# WAN uplink: PPPoE session on top of ether1. No password appears in the
# export (presumably omitted because sensitive values were not requested).
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=***
# Local radio of the controller. No disabled=no is exported, so the radio is
# presumably left disabled, which would match "without wifi on it" - confirm.
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik wireless-protocol=\
    802.11
# datapath-private sets local-forwarding=no explicitly; datapath-internet does
# not set it at all. NOTE(review): if the unset value defaults to "no", client
# traffic of both SSIDs is tunnelled to this controller and bridged here, so
# any queue for the public SSID has to live on this router - confirm.
/caps-man datapath
add bridge=bridge-private local-forwarding=no name=datapath-private
add bridge=bridge-internet name=datapath-internet
# Both SSIDs use WPA2-PSK with AES-CCM; the passphrases are not in the export.
# NOTE(review): the public SSID relies on one shared key handed to all guests,
# so it gives no per-user separation; the periodic rotation mentioned in the
# post only limits how long a leaked key stays usable.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-private
add authentication-types=wpa2-psk encryption=aes-ccm name=security-internet
# cfg-private -> ssid "private" on datapath-private;
# cfg-internet -> ssid "internet" on datapath-internet.
/caps-man configuration
add channel=channel1 country="bosnia and herzegovina" datapath=datapath-private \
    distance=dynamic installation=any mode=ap name=cfg-private security=\
    security-private ssid=private
add channel=channel1 country="bosnia and herzegovina" datapath=\
    datapath-internet distance=dynamic installation=any mode=ap name=\
    cfg-internet security=security-internet ssid=internet
# Static CAP interface with all-zero MAC and radio-MAC values.
# NOTE(review): looks like a leftover or a masked entry - verify it is needed.
/caps-man interface
add channel.frequency=2437 configuration=cfg-internet configuration.mode=ap \
    disabled=no mac-address=00:00:00:00:00:00 master-interface=none name=cap2 \
    radio-mac=00:00:00:00:00:00 radio-name=""
# Interface lists used by the firewall, neighbor discovery and MAC server.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): dh-group=modp1024 is a 1024-bit Diffie-Hellman group, which is
# weak by current standards; a larger group such as modp2048 or an ECP group
# is preferable if the IPsec peers support it.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 \
    hash-algorithm=sha256
# NOTE(review): sha1 is still offered next to sha256 in the default proposal;
# drop it if no peer depends on it.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc
# Address pools: private clients in 192.168.1.0/24, guests in 10.0.0.30-10.0.1.250.
/ip pool
add name=pool-private ranges=192.168.1.30-192.168.1.199
add name=pool-internet ranges=10.0.0.30-10.0.1.250
# One DHCP server per bridge; guest leases last 1h.
/ip dhcp-server
add address-pool=pool-private interface=bridge-private name=dhcp-private
add address-pool=pool-internet interface=bridge-internet lease-time=1h name=\
    dhcp-internet
# Signal-based admission on all CAP interfaces: accept -85 dBm or better,
# reject -86 dBm or worse. No MAC or SSID condition is set, so both SSIDs are
# treated the same.
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any \
    signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any \
    signal-range=-120..-86 ssid-regexp=""
# NOTE(review): only enabled=yes is exported; no certificate requirement and no
# per-interface restriction for the manager are visible here, so presumably
# any CAP that can reach the controller may join - confirm.
/caps-man manager
set enabled=yes
# Single provisioning rule with no radio-MAC or identity match: every radio
# gets cfg-private as master and cfg-internet as slave (virtual AP).
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-private \
    slave-configurations=cfg-internet
# All LAN ether ports and the local radio are ports of bridge-private.
# bridge-internet has no static port in this export.
/interface bridge port
add bridge=bridge-private interface=ether2
add bridge=bridge-private interface=ether3
add bridge=bridge-private interface=ether4
add bridge=bridge-private interface=ether5
add bridge=bridge-private interface=wlan1
# Neighbor discovery is limited to the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
# bridge-internet is in neither list. Rules that match in-interface-list=!LAN
# therefore also match traffic arriving from the guest bridge.
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge-private list=LAN
# NOTE(review): the guest bridge carries a /8 although pool-internet only hands
# out 10.0.0.30-10.0.1.250; a narrower prefix would be enough for that pool.
/ip address
add address=192.168.1.1/24 interface=bridge-private network=192.168.1.0
add address=10.0.0.1/8 interface=bridge-internet network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=ether1
# Clients on both networks are pointed at public resolvers, not at the router.
/ip dhcp-server network
add address=10.0.0.0/8 dns-server=208.67.222.222,8.8.8.8,1.1.1.1 gateway=\
    10.0.0.1
add address=192.168.1.0/24 dns-server=8.8.8.8,208.67.222.222,1.1.1.1,8.8.4.4 \
    gateway=192.168.1.1 netmask=24
/ip dns
set servers=8.8.8.8
# Filter rules are evaluated top to bottom per chain; the first match decides.
# The hand-written rules come first and the "defconf" rules after them, so
# several defconf rules repeat a decision that was already taken above.
/ip firewall filter
# 192.168.252.0/24 is not assigned to any interface in this export -
# presumably a VPN client range; confirm.
add action=accept chain=forward out-interface-list=WAN src-address=\
    192.168.252.0/24
add action=accept chain=input protocol=icmp
add action=accept chain=forward dst-address=192.168.252.0/24 in-interface-list=\
    WAN
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# NOTE(review): Winbox (tcp/8291) is accepted with no in-interface or
# src-address condition and before any drop rule, so the management port is
# reachable from the WAN and from the guest bridge. Restrict it, for example
# with in-interface-list=LAN or a source address list of admin hosts.
add action=accept chain=input dst-port=8291 protocol=tcp
# NOTE(review): the IPsec/L2TP rules match in-interface=ether1, while the WAN
# list contains pppoe-out1; traffic arriving over the PPPoE session may not
# match ether1 at all - verify with the rule counters.
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
# Duplicate of the unrestricted Winbox accept above; the same note applies.
add action=accept chain=input dst-port=8291 protocol=tcp
# First input drop: everything not from the LAN list and not accepted above.
# The guest bridge is not in LAN, so guest-to-router traffic ends here.
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# NOTE(review): fasttracked connections bypass simple queues and global queue
# trees. With this rule active, a bandwidth limit for the public SSID will
# appear to do nothing; exclude the guest network from fasttrack or disable
# the rule while queues are in use.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# NOTE(review): this is the only drop for new forwarded connections and it
# applies to the WAN side only. Nothing visible here stops hosts on
# bridge-internet (10.0.0.0/8) from being routed to bridge-private
# (192.168.1.0/24); add a forward drop between the two bridges if the public
# SSID is meant to be isolated from the private LAN.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT for outbound traffic plus inbound port forwards (dst-nat) from the
# PPPoE uplink to hosts on 192.168.1.0/24. Several rules appear twice.
# NOTE(review): none of the enabled port forwards restricts the source
# address, so each forwarded service is exposed to the whole internet; the
# forward-chain filter accepts them because they are dst-natted.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Redundant with the rule above: pppoe-out1 is the only member of WAN.
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=81 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.1.200 to-ports=81
add action=dst-nat chain=dstnat dst-port=10000 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=10000
# The next three rules are exact duplicates of the three rules above.
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=81 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.1.200 to-ports=81
add action=dst-nat chain=dstnat dst-port=10000 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=10000
# External port 82 (tcp and udp) is mapped to port 80 on 192.168.1.202.
add action=dst-nat chain=dstnat dst-port=82 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.1.202 to-ports=80
add action=dst-nat chain=dstnat dst-port=82 in-interface=pppoe-out1 protocol=\
    udp to-addresses=192.168.1.202 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=83 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.1.206 to-ports=80
# NOTE(review): RDP (tcp/3389) is forwarded from the internet to
# 192.168.1.241. The limit/dst-limit matchers only throttle how often the rule
# matches; they do not restrict who may connect. Prefer reaching this host
# over the VPN, or add a src-address-list of known peers.
add action=dst-nat chain=dstnat dst-limit=1,5,dst-address/1m40s dst-port=3389 \
    in-interface=pppoe-out1 limit=1,5:packet protocol=tcp to-addresses=\
    192.168.1.241 to-ports=3389
add action=masquerade chain=srcnat comment="default configuration" disabled=yes \
    out-interface=all-ethernet
add action=dst-nat chain=dstnat disabled=yes dst-port=83 in-interface=\
    pppoe-out1 port="" protocol=udp src-port="" to-addresses=192.168.1.206 \
    to-ports=80
# Masquerade for 192.168.252.0/24 (a range not defined in this export);
# already covered by the first srcnat rule, which has no source condition.
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.252.0/24
# NOTE(review): only ssh is changed here. The other management services
# (telnet, ftp, www, api, winbox) are not listed, so they are presumably at
# their defaults with no address= restriction; disable the ones not in use and
# limit the rest to admin addresses - confirm with "/ip service print".
/ip service
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Sarajevo
/system identity
set name=Router
# MAC-telnet and MAC-Winbox are limited to the LAN list (bridge-private).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
