Sunday, July 12, 2015

Controlling user bandwidth by Firewall and Queues in Mikrotik Router

Heavy downloads and uploads has become problems in most of networks now days, as users are running different bandwidth hungry applications such as peer-to-peer, video downloads etc which lead to slow down of whole network because of only one single user or some few users who are doing heavy downloads/uploads.
This lab is going to show you how to limit all users to specific speed in three simple steps using firewall mangle rules and queues in mikrotik router, in this lab am going to limit all users at 1Mbps bandwidth speed, which means that will be maximum speed reached by each particular user in the network despite available bandwidth.

Below are steps

a.  Create a customized queue types with preferred speed for each individual user,

Command:

/queue types

add name="PCQ_Download" kind=pcq pcq-rate=1M pcq-limit=50 
     pcq-classifier=dst-address pcq-total-limit=2000 pcq-burst-rate=0 
     pcq-burst-threshold=0 pcq-burst-time=10s pcq-src-address-mask=32 
     pcq-dst-address-mask=32 pcq-src-address6-mask=64 pcq-dst-address6-mask=64 

add name="PCQ_Upload" kind=pcq pcq-rate=1M pcq-limit=50 
     pcq-classifier=dst-address pcq-total-limit=2000 pcq-burst-rate=0 
     pcq-burst-threshold=0 pcq-burst-time=10s pcq-src-address-mask=32 
     pcq-dst-address-mask=32 pcq-src-address6-mask=64 pcq-dst-address6-mask=6


By winbox or web config:

Go to Queues-Queue Types, and add , example below is for PCQ_Download


b. Mark all the packet, which is to be queued for specific speed

Command:

/ip firewall mangle
 add chain=prerouting action=mark-packet new-packet-mark=user_download 
     passthrough=yes in-interface=wlan1-gateway 

 add chain=prerouting action=mark-packet new-packet-mark=user_upload 
     passthrough=yes in-interface=ether1-local

Note am marking download packets from wan interface in which for my case is wireless interface because am using wireless radio as a router, also am marking upload from LAN interfaces in which from this lab is ether1-local

By winbox or web config:
Go to ip firewall mangle , and add, example below is for user dowload




c. Finally create a tree queue for limiting every individual user speed

Command:

/queue tree
  add name="UserDownload" parent=global packet-mark=user_download 
     limit-at=0 queue=PCQ_Download priority=8 max-limit=0 burst-limit=0 
     burst-threshold=0 burst-time=0s 

  add name="UserUpload" parent=global packet-mark=user_upload limit-at=0 
     queue=PCQ_Upload priority=8 max-limit=0 burst-limit=0 
     burst-threshold=0 burst-time=0

By winbox or web config:
Go to queue tree , and add, example below is for user dowload

You're done, below is the torch output before and after settings

Before:

Single user was able to reach 2.2Mbps


After:
All users are limited at 1Mbps as per our setting


Hope it help someone, drop me a comment, if you face difficulties implementing any of the step.

Cheers!