How control bandwidth with mikrotik queue

Question

I have a mikrotik router and i want to limit the speed of wlan users. I create a queue for target = wlan and set the limit downloa and upload = 64k, but when i test it, this seems not working correctly! Test download speed > 500k. The router config is default. How can i do that

/interface bridge
add admin-mac=E4:8D:8C:46:C7:0F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=PNG1 \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys wpa-pre-shared-key=noor3664 wpa2-pre-shared-key=noor3664
/ip hotspot profile
add dns-name=so.zzz hotspot-address=10.5.50.1 login-by=http-pap name=hsprof1 \
    use-radius=yes
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=hs-pool-2 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-10sec-delay disabled=no interface=\
    bridge name=defconf
add address-pool=hs-pool-2 interface=ether2-master lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-2 addresses-per-mac=1 interface=ether2-master name=\
    hotspot1 profile=hsprof1
/ip hotspot user profile
add address-pool=hs-pool-2 advertise=yes advertise-interval="" advertise-url="" \
    name=uprof1 open-status-page=http-login transparent-proxy=yes
/queue type
set 0 pfifo-limit=200
/queue interface
set ether2-master queue=default-small
/queue simple
add limit-at=30k/30k max-limit=30k/30k name=queue1 queue=default/default \
    target=bridge total-queue=default
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add auto-isolate=yes bridge=bridge interface=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.5.50.1/24 comment="hotspot network" interface=ether2-master \
    network=10.5.50.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" gateway=10.5.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=4.2.2.4
/ip dns static
add address=10.5.50.1 name=router
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    ether1
add action=masquerade chain=srcnat comment="masquerade hotspot net
    src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot net
    src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot net
    src-address=10.5.50.0/24
/ip hotspot user
add name=admin
/radius
add address=192.168.88.1 service=hotspot
add address=192.168.88.1 service=hotspot
/system clock
set time-zone-name=Asia/Tehran
/system leds
set 0 interface=wlan1
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
[admin@MikroTik] >

Did you read through any of the plenty of tutorials on the mikrotik site? — TomTom, Jun 17 '16 at 19:16

score 1 · Answer 1 · answered Jun 20 '16 at 10:26

Disable any fasttrack rules on your firewall.

Fasttrack will bypass pretty much the whole stack - including the queues.

It's mentioned very clearly in the documentation.
http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack

Description

IPv4 FastTrack handler is automatically used for marked connections. Use firewall action "fasttrack-connection" to mark connections for fasttrack. Currently only TCP and UDP connections can be actually fasttracked (even though any connection can be marked for fasttrack). IPv4 FastTrack handler supports NAT (SNAT, DNAT or both).

Note that not all packets in a connection can be fasttracked, so it is likely to see some packets going through slow path even though connection is marked for fasttrack. This is the reason why fasttrack-connection is usually followed be identical action=accept rule. Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, ip traffic-flow(restriction removed in 6.33), ip accounting, ipsec, hotspot universal client, vrf assignment, so it is up to administrator to make sure fasttrack does not interfere with other configuration;

score 0 · Answer 2 · answered Aug 18 '17 at 05:02

You need simple queue with PCQ in order to control all (or specific range) users bandwidth. following are one example:

/ip firewall address-list
add address=10.0.0.20-10.0.0.255 list=USER_LIST

# Marking packets going to USER_LIST
/ip firewall mangle
add action=mark-connection chain=prerouting comment="MARK CONN USER_LIST" src-address-list=USER_LIST new-connection-mark=user_conn passthrough=yes
add action=mark-packet chain=prerouting comment="MARK PKTS USER_LIST" connection-mark=user_conn new-packet-mark=user_pkts passthrough=yes

# Creating PCQ base Queue - 512k per user
/queue type
add kind=pcq name=user-download-512k pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=512k pcq-src-address6-mask=64
add kind=pcq name=user-upload-512k pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=512k pcq-src-address6-mask=64

#- Make sure you move this simple queue on TOP, or else it will not work
/queue simple
add comment="Allow 512k Down/up per user by zaib" name="512k per user" packet-marks=user_pkts queue=user-upload-512k/user-download-512k target=""

More Info here.queue example

How control bandwidth with mikrotik queue

2 Answers2