Assumptions
Firstly, we have to make movement marking.
Marking is a process consisting in virtually data mark, which has some distinctive features (e.g. IP address or port).In order to form dynamic movement for users group, there are two ways:
by IP address – it is a effective way in case of routing and NAT.
by MAC address – very effective way in case of transparent bridge.
We will take up first way – the marking by user IP address.
1.2 A few words about scripts:
I would like to recommend using of scripts with a lot of entries generating, because the script makes it more comfortable.
In order to use of scripts (winbox) one should choose 'System -> Scripts' from left menu.
At follow up of report, the script made by internal scripts interpreter at the system will be marked as “(script)”.
Then, at new window, click on “+” symbol.
Entry the script content to field “Source”. One should avoid too much spaces in the script.
After accepting, one should mark script chosen and click the “Run Script” button.
Packets marking - configuration
The first script we have to make is:
(script)
for x from 2 to 254 do={ /ip firewall mangle add chain=prerouting src-address=(192.168.0. . $x ) action=mark-packet new-packet-mark=( $x . upload ) passthrough=no }
This script marks movement from user, that is its upload.
In order to change address class from 192.168.0 one should entry edit “src-address=(192.168.0.)”. It is very important to put full stops at the same place as at above example.
The situation is similar in case of scope from 2 to 254. We might edit that scope very easily by entering value, which are satisfied for us.
(skrypt)
:for x from 2 to 254 do={ /ip firewall mangle add chain=postrouting dst-address=(192.168.0. . $x ) action=mark-packet new-packet-mark=( $x . download ) passthrough=no }
and this is the mark at the internet -> user direction, that is its download.
New queue type creating
The preceded entries (terminal) one should make by entering from terminal:
(terminal)
/queue type add name="sfq" kind=sfq sfq-perturb=5 sfq-allot=1514
The element above has decided about the algorithm, which enables bandwidth division process at range of one group/ category.
The main queue creating
The process of clearly forming movement occure at the main queue, which are consistent with htb on algorithm rule. This algorithm is defined by “queue type”.
The bandwidth limiting : “input” <=> “output” at the system is made ours purpose up. So, we ought to create the main queue (parent), which will take control at secondary queues “(children)”, and also appropriately on:
external interface (Internet) – forming queue UPLOAD
local interface – LAN – forming queue DOWNLOAD
By the way, we will use from possible of maximal bandwidth control, acessing for given transmit direction, in order to control eventually global transgressions.
(terminal)
/queue tree add name="Download" parent=Lan queue=sfq max-limit=1730k
The new queue will be come into, which will be assigned to interial LAN.
(terminal)
/queue tree add name="Upload" parent=Internet queue=sfq max-limit=1730k
The new queue will be come into, which will be assigned to external Internet interface.
The above example assumes use of symmetrical connection POLPAK 2Mbps. As we could see, the 2048 Kbps was reduced at about 10%, in order to ensure service level by maximal queue use. Additional upload protection for DSL connections is very important, that is why I suggest maximal (real) value reducing by even 30%.
Adding proper queues
Having the main queues (parent), the subscribers are assigned to 'parent' and at appropriately priorities they would divide theirs band. The scripts, which are selected well, will make the situation effectively and quickly for entire range: from 2 to 254.
(script)
:for z from 2 to 254 do={ /queue tree add parent=Download packet-mark=( $z . download ) limit- at=32000 queue=sfq priority=7 max-limit=256000 }
The script will generate 254 queues. Each of those will be limiting the download for single mark (IP address), guaranteeing it the 32Kbps bandwidth and limiting to 256Kbps. The guarantee would be consisted in accounting two virtually queues: first, the limit-at counting (guaranteed speed), and the second one, max-limit (maximal speed), taking into consideration that limit-at queue will proceed through separate and higher prioritised path for the moment of limit-at value exceeding.
After limit-at exceeding, the value of priority becomes ignorable (an equal as lowest: 8). It means, that users who blocking up the link would be ignored at the moment, when new user will have wanted to use to 32Kbps of bandwidth. Thanks to such action- one might receive a quite steady put of link and also appropriate access level for service. The limit-at value should be equal to divided real value of link by users number and multiplied by simultaneity ratio (at about 3).
(script)
:for b from 2 to 254 do={ /queue tree add parent=Upload packet-mark=( $b . upload ) limit-at=32000 queue=sfq priority=7 max-limit=220000 }
Now, the Upload. I recommend saving of upload, even for symmetrical links, especially by large overbooking (when we send more than we have), because lower of upload in p2p programs causes low of download load.
Optimisation
We might remove the ICMP movement from the mark. It is very useful when we want to provide good PINGs, regardless of exploit degree for link and individula queues of users.
In this case, one have to add following (terminal) at the beginnig (before others rules at/IP firewall mangle):
(terminal)
/ip firewall mangle add chain=prerouting protocol=icmp action=accept
The rule above will remove the ICMP movement from the rest of disguise rules.
We also may use a few of another marks for every user, individually set amount of given movement type, which user can operate.However one should remember that a lot of entries number is not necessarily good. All depends on movement generating and computational power of device.
The test device based on the Pentium III 1000MHz processor will be proved useful even by movement of 1000 users ,but on condition we resign many additional functions, (as 'connection tracking' or wide use of firewall) and create almost transparently bandwidth – manger.
At the RouterOS 3.0 system it is possible to use multithreading and theoretically the additional processor should performance redouble, but in practise, I would not raly on that. The strong devices by Intel with one-kernel are the best for the movement forming with MikroTik.
