1. Introduction
Let's consider the scenario where you want to apply different limits for many users to local and overseas traffic, don't want to load the CPU with a lot of simple queues, and want to sell customers three bandwidth rates:
1. 12/6 Mbps Latvian traffic, 1 Mbps/512 Kbps overseas traffic
2. 6/3 Mbps Latvian traffic, 512 Kbps/256 Kbps overseas traffic
3. 4/2 Mbps Latvian traffic, 256 Kbps/128 Kbps overseas traffic
Queue trees will limit the data rate for local-country traffic and overseas traffic. In this scenario the local country is Latvia. A list of all Latvian subnets is located at http://www.nic.lv/local.net
2. Configuration
/ ip firewall address-list
add list=12/6 address=192.168.0.2 comment="12/6mbps Local traffic 1mbps/512kbps oversea"
add list=6/3 address=192.168.0.3 comment="6/3mbps Local traffic 512kbps/256kbps oversea"
add list=4/2 address=192.168.0.4 comment="4/2mbps Local traffic 256kbps/128kbps oversea"
add list=Latvia address=159.148.0.0/16 comment="" disabled=no
add list=Latvia address=193.41.195.0/24 comment="" disabled=no
add list=Latvia address=193.41.33.0/24 comment="" disabled=no
add list=Latvia address=193.41.45.0/24 comment="" disabled=no
add list=Latvia address=193.68.64.0/19 comment="" disabled=no
add list=Latvia address=193.108.29.0/24 comment="" disabled=no
add list=Latvia address=193.108.144.0/22 comment="" disabled=no
add list=Latvia address=193.108.185.0/24 comment="" disabled=no
/ ip firewall mangle
# Default (profile 2) marks: passthrough=yes so a tariff rule below can overwrite them.
# The address list is named "Latvia" above; list names must match exactly.
add chain=forward action=mark-packet new-packet-mark=LV_DL_6M passthrough=yes \
    in-interface=public src-address-list=Latvia \
    comment="Default mangle for Latvia Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=LV_UL_3M passthrough=yes \
    in-interface=local dst-address-list=Latvia \
    comment="Default mangle for Latvia Upload" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_DL_512k passthrough=yes \
    in-interface=public src-address-list=!Latvia \
    comment="Default mangle for Oversea Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_UL_256k passthrough=yes \
    in-interface=local dst-address-list=!Latvia \
    comment="Default mangle for Oversea Upload" disabled=no
# Tariff 12/6 (profile 1): passthrough=no, the packet leaves the chain with this mark.
add chain=forward action=mark-packet new-packet-mark=LV_DL_12M passthrough=no \
    in-interface=public src-address-list=Latvia dst-address-list=12/6 \
    comment="Tarif 12/6 Latvia Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=LV_UL_6M passthrough=no \
    in-interface=local src-address-list=12/6 dst-address-list=Latvia \
    comment="Tarif 12/6 Latvia Upload" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_DL_1M passthrough=no \
    in-interface=public src-address-list=!Latvia dst-address-list=12/6 \
    comment="Tarif 12/6 Oversea Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_UL_512k passthrough=no \
    in-interface=local src-address-list=12/6 dst-address-list=!Latvia \
    comment="Tarif 12/6 Oversea Upload" disabled=no
# Tariff 4/2 (profile 3).
add chain=forward action=mark-packet new-packet-mark=LV_DL_4M passthrough=no \
    in-interface=public src-address-list=Latvia dst-address-list=4/2 \
    comment="Tarif 4/2 Latvia Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=LV_UL_2M passthrough=no \
    in-interface=local src-address-list=4/2 dst-address-list=Latvia \
    comment="Tarif 4/2 Latvia Upload" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_DL_256k passthrough=no \
    in-interface=public src-address-list=!Latvia dst-address-list=4/2 \
    comment="Tarif 4/2 Oversea Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_UL_128k passthrough=no \
    in-interface=local src-address-list=4/2 dst-address-list=!Latvia \
    comment="Tarif 4/2 Oversea Upload" disabled=no
/ queue type
add name="LV_DL_12M" kind=pcq pcq-rate=12000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="LV_DL_6M" kind=pcq pcq-rate=6000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="LV_DL_4M" kind=pcq pcq-rate=4000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="LV_UL_6M" kind=pcq pcq-rate=6000000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="LV_UL_3M" kind=pcq pcq-rate=3000000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="LV_UL_2M" kind=pcq pcq-rate=2000000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="OS_DL_1M" kind=pcq pcq-rate=1000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="OS_DL_512k" kind=pcq pcq-rate=512000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="OS_DL_256k" kind=pcq pcq-rate=256000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="OS_UL_512k" kind=pcq pcq-rate=512000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="OS_UL_256k" kind=pcq pcq-rate=256000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="OS_UL_128k" kind=pcq pcq-rate=128000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
/ queue tree
add name="LV_DL_12M" parent=local packet-mark=LV_DL_12M limit-at=0 queue=LV_DL_12M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="LV_DL_6M" parent=local packet-mark=LV_DL_6M limit-at=0 queue=LV_DL_6M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="LV_UL_2M" parent=public packet-mark=LV_UL_2M limit-at=0 queue=LV_UL_2M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="LV_DL_4M" parent=local packet-mark=LV_DL_4M limit-at=0 queue=LV_DL_4M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="LV_UL_3M" parent=public packet-mark=LV_UL_3M limit-at=0 queue=LV_UL_3M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="LV_UL_6M" parent=public packet-mark=LV_UL_6M limit-at=0 queue=LV_UL_6M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_DL_1M" parent=local packet-mark=OS_DL_1M limit-at=0 queue=OS_DL_1M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_DL_256k" parent=local packet-mark=OS_DL_256k limit-at=0 queue=OS_DL_256k priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_DL_512k" parent=local packet-mark=OS_DL_512k limit-at=0 queue=OS_DL_512k priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_UL_128k" parent=public packet-mark=OS_UL_128k limit-at=0 queue=OS_UL_128k priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_UL_256k" parent=public packet-mark=OS_UL_256k limit-at=0 queue=OS_UL_256k priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_UL_512k" parent=public packet-mark=OS_UL_512k limit-at=0 queue=OS_UL_512k priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
3. Explanation
In /ip firewall address-list we created three lists for the bandwidth profiles and a list named Latvia containing the Latvian subnets. In /ip firewall mangle we created address-list based packet marks for the bandwidth profiles: the four default rules mark every packet with the profile 2 marks (passthrough=yes), and the tariff rules that follow overwrite that mark for customers in the 12/6 or 4/2 lists (passthrough=no). All IPs that are not included in any profile list therefore keep the second profile's rates. In /queue type we created PCQ types for the bandwidth profiles. In /queue tree we created rules that tie the Local/Overseas packet marks to the queue types for the bandwidth profiles.
Now the customer with IP 192.168.0.2 has profile 1 rates, the customer with IP 192.168.0.3 has profile 2 rates, the client with IP 192.168.0.4 has profile 3 rates, and all others have profile 2 rates, so all traffic is limited and CPU power is left free for other tasks.
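To check that the mangle ordering really yields the marks claimed above, here is an added Python model of the forward chain (not from the page or from RouterOS): it walks the page's twelve rules in order with RouterOS passthrough semantics and returns the final packet mark. The address lists are a constructed subset of the page's lists, and 8.8.8.8 stands in for any non-Latvian address.

```python
import ipaddress

# Constructed subset of the page's address lists (8.8.8.8 in the checks
# stands in for any non-Latvian "overseas" address).
ADDRESS_LISTS = {
    "Latvia": ["159.148.0.0/16", "193.41.195.0/24", "193.68.64.0/19"],
    "12/6": ["192.168.0.2"],
    "6/3": ["192.168.0.3"],
    "4/2": ["192.168.0.4"],
}

# The page's forward-chain mangle rules, in order:
# (in-interface, src-address-list, dst-address-list, new-packet-mark, passthrough).
# "!Latvia" negates the list as in RouterOS; None means no condition on that field.
MANGLE_RULES = [
    ("public", "Latvia", None, "LV_DL_6M", True),
    ("local", None, "Latvia", "LV_UL_3M", True),
    ("public", "!Latvia", None, "OS_DL_512k", True),
    ("local", None, "!Latvia", "OS_UL_256k", True),
    ("public", "Latvia", "12/6", "LV_DL_12M", False),
    ("local", "12/6", "Latvia", "LV_UL_6M", False),
    ("public", "!Latvia", "12/6", "OS_DL_1M", False),
    ("local", "12/6", "!Latvia", "OS_UL_512k", False),
    ("public", "Latvia", "4/2", "LV_DL_4M", False),
    ("local", "4/2", "Latvia", "LV_UL_2M", False),
    ("public", "!Latvia", "4/2", "OS_DL_256k", False),
    ("local", "4/2", "!Latvia", "OS_UL_128k", False),
]

def in_address_list(spec, ip):
    """True if ip satisfies an address-list match (None = no condition)."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    prefixes = ADDRESS_LISTS[spec.lstrip("!")]
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)
    return hit != negate

def mark_packet(in_interface, src, dst):
    """Walk the chain: default marks are passthrough=yes, so a later tariff
    rule can overwrite them; a passthrough=no rule ends the walk."""
    mark = None
    for iface, src_list, dst_list, new_mark, passthrough in MANGLE_RULES:
        if iface != in_interface:
            continue
        if in_address_list(src_list, src) and in_address_list(dst_list, dst):
            mark = new_mark
            if not passthrough:
                break
    return mark
```

The 6/3 customer and any unlisted IP end up with the four default marks only, which is what makes profile 2 the fallback without any extra rules.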
Important note
This setup will work correctly only if the local network is not masqueraded. If masquerade is used, the parent for all upload queues must be 'global-out' instead of 'public'. The reason is that the upload PCQ types classify on source address, and masquerading rewrites the source address to the public IP. If the upload queues are attached to the 'public' interface, PCQ will see all packets as coming from one source (the public IP) and will treat all customers as a single sub-stream. PCQ must see the source address before masquerading occurs; according to the packet flow diagram in the manual, 'global-out' comes before 'src-nat'.