I am trying to use MikroTik as a bandwidth shaper inside an existing wireless network.
Because I already have a Soekris 4521 that is not presently being used for anything, I am using it for my first platform.
The existing topology is this:
Access points at different sites connect to a mix of router and switches.
The routers are performing subnetting into a /27 system, with each subnet assigned to an access point.
Some subnets overlap where the switches are being used.
The connections between the switches and routers is being done through a wireless backbone.
All of this works decently, but we have never had the bandwidth controls that we wanted.
Our first bandwidth shaper was a commercial unit that did not work as advertised. Our second was a custom programmed unit that never went online because the coder kept telling us he still had changes to finish.
Instead of this single centralized bandwidth control, I want to go to a distributed system. This is a step in the direction of using MikroTik as future access points where all functions of the AP, Bandwidth control, and router will be done in one smaller, less expensive unit.
This will also have some long-term benefits for traffic monitoring if we need to locate a spammer, virus, etc.
After looking at the documentation, I set up a basic P2P limit, and it seems to work. I need to do more extensive testing to be certain.
Then I began looking in to full traffic shaping, and every reference I see talks about a handful of machines.
Since I am not dealing with a handful, I tried making something more generic, yet flexible.
I seem to be able to control things, but I run into a few oddities.
Please remember, in the below the network topology is multiple /27s that I am trying to find a generic solution for controlling, but yet which can be modified for specific customers. So to do the generic part, I am trying things with a /24 in the rule sets. For the specific I am using a test machine with a /32 based rule to hit just it.
The Soekris running MikroTik 2.8.16 is set up as a bridge, with 10.0.0.20 on one port so that I can talk to it and manage it.
The machines I am testing with are 1 hard set to 192.168.1.5 and 10.0.0.21 so it can surf and manage things and two being auto assigned so they can only surf. The DHCP server is on the other side of the MikroTik.
Issue 1) Wrong direction?
First I tried something based off the P2P solution. I used a /24 in a hope that I could make a single configuration that could be uploaded to future MikroTik boxes. That way it could be placed at any site with little or no modification.
ip firewall mangle add src-address=192.168.1.0/24 mark-flow=users-out action=passthrough
ip firewall mangle add dst-address=192.168.1.0/24 mark-flow=users-in action=passthrough
queue type add name="users-in" kind=pcq pcq-rate=1572864 pcq-classifier=dst-address
queue type add name="users-out" kind=pcq pcq-rate=786432 pcq-classifier=src-address
queue tree add name="users-in" parent=global-in flow=users-in queue=users-in
queue tree add name="users-out" parent=global-out flow=users-out queue=users-out
This seemed to work, but when I tried it, the rate limits were reversed. This made no sense to me at the time.
Later I began to wonder if this had anything to do with the fact that both the machine and gateway fall in 192.168.1.0/24, and the MikroTik machine is a bridge between them.
Issue 2) Slower but not faster
I want to make the default speed average. Then, for each client that needs, I want to open up speed for them.
The second thing I tried was slowing down a specific customer. I did this to the 192.168.1.5 IP and it worked perfectly.
Then I tried setting the queue type pcq-rate for both in and out to 2000000 so that it would be faster than the users-in and users-out queues.
This did not work.
Commands typed for slowing down more were:
ip firewall mangle add src-address=192.168.1.5/32 mark-flow=user192.168.1.5-out action=passthrough
ip firewall mangle add dst-address=192.168.1.5/32 mark-flow=user192.168.1.5-in action=passthrough
queue type add name="user192.168.1.5-out" kind=pcq pcq-rate=78643 pcq-classifier=src-address
queue type add name="user192.168.1.5-in" kind=pcq pcq-rate=157286 pcq-classifier=dst-address
queue tree add name="user192.168.1.5-in" parent=global-in flow=user192.168.1.5-in queue=user192.168.1.5-in
queue tree add name="user192.168.1.5-out" parent=global-out flow=user192.168.1.5-out queue=user192.168.1.5-out
For speeding up I used:
queue type set user192.168.1.5-out pcq-rate=2000000
queue type set user192.168.1.5-in pcq-rate=2000000
Issue 3) Problem parents
Because my attempt to control things had not worked the way I thought, and I had read about how speed limits were done while exiting the port, I removed all the limits, and then tried again.
This time I chose different parents than the global ports.
ip firewall mangle add src-address=192.168.1.0/24 mark-flow=users-out action=passthrough
ip firewall mangle add dst-address=192.168.1.0/24 mark-flow=users-in action=passthrough
queue type add name="users-in" kind=pcq pcq-rate=1572864 pcq-classifier=dst-address
queue type add name="users-out" kind=pcq pcq-rate=786432 pcq-classifier=src-address
queue tree add name="users-in" parent=ether2 flow=users-in queue=users-in
queue tree add name="users-out" parent=ether1 flow=users-out queue=users-out
At that point, I got regulated download, and unregulated upload.
As I have been thinking about it, I thought perhaps a second set of trees were needed. Perhaps something like this added to the above:
queue tree add name="users-in2" parent=ether1 flow=users-in queue=users-in
queue tree add name="users-out2" parent=ether2 flow=users-out queue=users-out
That is basically 2 sets of trees, one for in, one for out, to feed the tagged IPs to the proper queues.
But before I started really monkeying around with settings I decided to see if someone had a written up solution.
So far I have made several web searches, I have not had much luck.
My next choice is asking the MikroTik user community if that have any similar configurations, and suggestions.
To sum up, I need MikroTik as a bridge between an access point and a switch or router, with bandwidth control, but with the subnet it will be controlling existing on both sides of the bridge.
I would like a default slower speed, and the ability to increase speeds for specific clients.
Any suggestions?
Any examples? I do better at breaking down examples and making sense of them than I do at reading long manuals.
This is a write up of my working config... slightly different to what you want, but will give you a good idea:
http://www.wanakaonline.net/networkstuf ... ontrol.asp
All my local traffic is pooled and runs at 5mbps, which is similair to what you want to do... then I limit all my customers individually...
Took me a while to work it all out. I'm also now using some simple queues that I havent documented yet. All they do is limit the overall bandwidth, ie the total Upload + Total Download for each client.
http://www.wanakaonline.net/networkstuf ... ontrol.asp
All my local traffic is pooled and runs at 5mbps, which is similair to what you want to do... then I limit all my customers individually...
Took me a while to work it all out. I'm also now using some simple queues that I havent documented yet. All they do is limit the overall bandwidth, ie the total Upload + Total Download for each client.
I'm actually using an old P200MMX with 64mb RAM to control everything... never goes over 25% CPU and 27mb Ram usage...
The killer is P2P control. If I mangle all my P2P traffic my processor usage jumps to 60%. Although I'm controlling a 10mbps network, that has avg usage of 4.2mbps local and 1.2mbps internet.
The killer is P2P control. If I mangle all my P2P traffic my processor usage jumps to 60%. Although I'm controlling a 10mbps network, that has avg usage of 4.2mbps local and 1.2mbps internet.
wjw, thanks for the info. I'll be going through that soon and see how it all works for me.
mag, look into Mini-ITX motherboards. You can get ones with built in fanless CPUs running a lot faster than the MikroTik Routerboard or the Soekris. Then you buy the MikroTik RouterOS on an IDE flash that plugs right in.
A few other people have been doing this. It was one of the things I was looking at already and which lead me to MikroTik for the OS.
Most of the other SBC + imbedded OS "solutions" I have found always ended up with driver issues, or not enough development. MikroTik seems to cover the driver part nicely, which only leaves getting a more powerful SBC.
Mini-ITX based units can get you that power, and even have a PCI slot so you can add a 4 port ethernet, and have a 5 port router, or a PCI to multi Mini-PCI and have a wireless AP with several antennas.
mag, look into Mini-ITX motherboards. You can get ones with built in fanless CPUs running a lot faster than the MikroTik Routerboard or the Soekris. Then you buy the MikroTik RouterOS on an IDE flash that plugs right in.
A few other people have been doing this. It was one of the things I was looking at already and which lead me to MikroTik for the OS.
Most of the other SBC + imbedded OS "solutions" I have found always ended up with driver issues, or not enough development. MikroTik seems to cover the driver part nicely, which only leaves getting a more powerful SBC.
Mini-ITX based units can get you that power, and even have a PCI slot so you can add a 4 port ethernet, and have a 5 port router, or a PCI to multi Mini-PCI and have a wireless AP with several antennas.
I'm in the process of building a shaper using a Via Epia PD6000 with a CF-IDE+64Mb CF combination. All appears to be working nicely. Shaping on a 2Mbit link hardly sees the usage jump above 5% with general shaping rules. I'm going to test it further with quite a few clients behind it. I'm also taking the bridge route using the two onboard interfaces (Via Rhine III). The case is a Morex/Procase 3688. The posted configs are appreciated.mag, look into Mini-ITX motherboards. You can get ones with built in fanless CPUs running a lot faster than the MikroTik Routerboard or the Soekris. Then you buy the MikroTik RouterOS on an IDE flash that plugs right in.
It's funny how the northbridge gets hotter than the CPU.