Suppose in One Network ..
we want to separate the velocity extentions. avi,. flv,. zip,. exe etc. based on the ip address that is different for the average stay by browsing the entire bandwidth using queue trees, here's how:
Like Topology above:
Total PC = 20 PC
Example ip address
To the internet: 192.168.9.16 - ethernet1 Miktotik to Modem
PC client: 192.168.11.254 - Ethernet2 Mikrotik The HUB
Computer 1 Up to 5:
Ip address = 192.168.11.1-192.168.11.5
Limit extensions such as zip, zip, rar, exe = 512 KB
Browsing = For the average throughout the Bandwidth
Computer 6 to 10:
Ip address :192.168.11.6-192 .168.11.10
Limit extensions such as zip, zip, rar, exe = 256 KB
Browsing = For the average throughout the Bandwidth
Computer 11 to 20
Ip address = 192.168.11.6-192.168.11.10
Limit extensions such as zip, zip, rar, exe = 1 MB
Browsing = For the average throughout the Bandwidth
Let's get started:
Remote your Mikrotik Winbox, which leads to make sure Ethernet Modem has been given a public name, if not please rename the name of the public, and which leads to an Ethernet hub has been given a local name, if not please rename the local name.
Next make sure ip firewall nat in mikrotik is empty, because we will create a NAT based on the address list,
Next we make the ip address for Ethernet Modem leading to the public.
Click on "New Terminal" in winbox and type the command:
Below is an example ip address only, please adjust the ip addresses that point to your modem each:
/ Ip address add address = 192.168.9.16 \
netmask = 255.255.255.0 \
interface = public \
comment = "IP ADDRESS TO MODEM"
Next we make the ip address to an Ethernet hub that leads to the local.
Click on "New Terminal" in winbox and type the command:
Below is an example ip address only, please adjust the ip addresses that point to your client PCs each:
/ Ip address add address = 192.168.11.254 \
netmask = 255.255.255.0 \
interface = local \
comment = "IP ADDRESS TO THE PC CLIENT"
Next we enter the gateway in the "New Terminal":
Below is the gateway ip for example only, please adjust with each gateway ip:
/ Ip route add gateway = 192.168.9.1
Next we enter the DNS in the "New Terminal":
Below is an example DNS ip only, please adjust the DNS ip each - each:
Command control for Mikrotik Os 4 Go to bottom:
/ Ip dns set primary-dns = 203.130.193.74 \
; / Ip dns set secondary-dns = 203 130 206 250 \
allow-remote-requests = yes
Command control for Mikrotik Os 4 Go up:
/ Ip set dns servers = 203.130.193.74,203.130.206.250 \
allow-remote-requests = yes
Next we create the address list for ip address - ip address that we will to limit its extension, the command in the "New Terminal":
A. For the ip address 512 k limit extension:
/ Ip firewall address-list \
add list = "LIMIT IP Extention 512 K" \
address = 192.168.11.1 \
comment = "PC 1"
/ Ip firewall address-list \
add list = "LIMIT IP Extention 512 K" \
address = 192.168.11.2 \
comment = "PC 2"
/ Ip firewall address-list \
add list = "LIMIT IP Extention 512 K" \
address = 192.168.11.3 \
comment = "PC 3"
/ Ip firewall address-list \
add list = "LIMIT IP Extention 512 K" \
address = 192.168.11.4 \
comment = "PC 4"
/ Ip firewall address-list \
add list = "LIMIT IP Extention 512 K" \
address = 192.168.11.5 \
comment = "PC 5"
B. For the ip address 256 k limit extension:
/ Ip firewall address-list \
add list = "LIMIT IP Extention 256 K" \
address = 192.168.11.6 \
comment = "PC 6"
/ Ip firewall address-list \
add list = "LIMIT IP Extention 256 K" \
address = 192.168.11.7 \
comment = "PC 7"
/ Ip firewall address-list \
add list = "LIMIT IP Extention 256 K" \
address = 192.168.11.8 \
comment = "PC 8"
/ Ip firewall address-list \
add list = "LIMIT IP Extention 256 K" \
address = 192.168.11.9 \
comment = "PC 9"
/ Ip firewall address-list \
add list = "LIMIT IP Extention 256 K" \
address = 192.168.11.10 \
comment = "PC 10"
C. For the ip address 1 MB limit extension:
/ Ip firewall address-list \
add list = "IP Extention LIMIT 1 MB" \
address = 192.168.11.11 \
comment = "PC 11"
/ Ip firewall address-list \
add list = "IP Extention LIMIT 1 MB" \
address = 192.168.11.12 \
comment = "PC 12"
/ Ip firewall address-list \
add list = "IP Extention LIMIT 1 MB" \
address = 192.168.11.13 \
comment = "PC 13"
/ Ip firewall address-list \
add list = "IP Extention LIMIT 1 MB" \
address = 192.168.11.14 \
comment = "PC 14"
/ Ip firewall address-list \
add list = "IP Extention LIMIT 1 MB" \
address = 192.168.11.15 \
comment = "PC 15"
/ Ip firewall address-list \
add list = "IP Extention LIMIT 1 MB" \
address = 192.168.11.16 \
comment = "PC 16"
/ Ip firewall address-list \
add list = "IP Extention LIMIT 1 MB" \
address = 192.168.11.17 \
comment = "PC 17"
/ Ip firewall address-list \
add list = "IP Extention LIMIT 1 MB" \
address = 192.168.11.18 \
comment = "PC 18"
/ Ip firewall address-list \
add list = "IP Extention LIMIT 1 MB" \
address = 192.168.11.19 \
comment = "PC 19"
/ Ip firewall address-list \
add list = "IP Extention LIMIT 1 MB" \
address = 192.168.11.20 \
comment = "PC 20"
Next we create a NAT for each address that the above list, with action masquerade, in "New Terminal":
/ Ip firewall nat add chain = srcnat action = masquerade \
src-address-list = "LIMIT IP Extention 512 K" \
out-interface = public \
comment = "MASQUERADE LIMIT extention 512 K"
/ Ip firewall nat add chain = srcnat action = masquerade \
src-address-list = "LIMIT IP Extention 256 K" \
out-interface = public \
comment = "MASQUERADE LIMIT extention 256 K"
/ Ip firewall nat add chain = srcnat action = masquerade \
src-address-list = "IP Extention LIMIT 1 MB" \
out-interface = public \
comment = "MASQUERADE extention LIMIT 1 MB"
Next we create the file extention with layer7 regexp, in "New Terminal":
/ Ip firewall layer7-protocol add name = "YOUTUBE layer7" regexp = "http / (0 \ \ .9 | 1 \ \ .0 | 1 \ \ .1) [\ \ x09-\ \ x0d] [1-5 ] [0-9] [0-9] [\ \ x09-\ \ x0d -~]*( content-type: video) "
/ Ip firewall layer7-protocol add name = "EXE layer7" regexp = "\ \. (Exe)"
/ Ip firewall layer7-protocol add name = "RAR layer7" regexp = "\ \. (Zip)"
/ Ip firewall layer7-protocol add name = "ZIP layer7" regexp = "\ \. (Zip)"
/ Ip firewall layer7-protocol add name = "7z layer7" regexp = "\ \. (7z)"
/ Ip firewall layer7-protocol add name = "WMV layer7" regexp = "\ \. (Wmv)"
/ Ip firewall layer7-protocol add name = "MPG layer7" regexp = "\ \. (Mpg)"
/ Ip firewall layer7-protocol add name = "MPEG layer7" regexp = "\ \. (Archive)"
/ Ip firewall layer7-protocol add name = "AVI layer7" regexp = "\ \. (Avi)"
/ Ip firewall layer7-protocol add name = "FLV layer7" regexp = "\ \. (Flv)"
/ Ip firewall layer7-protocol add name = "WAV layer7" regexp = "\ \. (Wav)"
/ Ip firewall layer7-protocol add name = "MP3 layer7" regexp = "\ \. (Mp3)"
/ Ip firewall layer7-protocol add name = "MP4 layer7" regexp = "\ \. (Mp4)"
/ Ip firewall layer7-protocol add name = "ISO layer7" regexp = "\ \. (Iso)"
Then we make extension bersasarkan Mangle to limit the source address list that we have set.
A. Mangle To Limit Extension 512K:
In "New Terminal" Winbox:
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "7z layer7 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "7z layer7" \
comment = "7z layer7 DOWNLOAD 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "AVI layer7 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "AVI layer7" \
comment = "layer7 AVI DOWNLOAD 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 512K EXE" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "EXE layer7" \
comment = "layer7 DOWNLOAD EXE 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "FLV layer7 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "FLV layer7" \
comment = "layer7 FLV DOWNLOAD 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "ISO layer7 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "ISO layer7" \
comment = "ISO layer7 DOWNLOAD 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 MP3 512k" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "MP3 layer7" \
comment = "layer7 DOWNLOAD MP3 512k"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "MP4 layer7 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "MP4 layer7" \
comment = "layer7 MP4 DOWNLOAD 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "MPEG layer7 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "MPEG layer7" \
comment = "layer7 MPEG 512k DOWNLOAD"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 MPG 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "MPG layer7" \
comment = "layer7 MPG DOWNLOAD 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 RAR 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "RAR layer7" \
comment = "layer7 DOWNLOAD RAR 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 WAV 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "WAV layer7" \
comment = "layer7 WAV DOWNLOAD 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 WMV 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "WMV layer7" \
comment = "layer7 WMV DOWNLOAD 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "YOUTUBE layer7 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "YOUTUBE layer7" \
comment = "layer7 YOUTUBE DOWNLOAD 512K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 ZIP 512K" \
passthrough = no dst-address-list = "LIMIT IP Extention 512 K" \
layer7-protocol = "ZIP layer7" \
comment = "layer7 DOWNLOAD ZIP 512K"
B. Mangle To Limit Extension 256K:
In "New Terminal" Winbox:
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "7z layer7 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "7z layer7" \
comment = "7z layer7 DOWNLOAD 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "AVI layer7 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "AVI layer7" \
comment = "layer7 AVI DOWNLOAD 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 256K EXE" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "EXE layer7" \
comment = "layer7 DOWNLOAD EXE 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "FLV layer7 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "FLV layer7" \
comment = "layer7 FLV DOWNLOAD 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "ISO layer7 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "ISO layer7" \
comment = "ISO layer7 DOWNLOAD 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 MP3 256k" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "MP3 layer7" \
comment = "layer7 MP3 DOWNLOAD 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "MP4 layer7 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "MP4 layer7" \
comment = "layer7 MP4 DOWNLOAD 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "MPEG layer7 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "MPEG layer7" \
comment = "layer7 MPEG 256k DOWNLOAD"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 MPG 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "MPG layer7" \
comment = "layer7 MPG DOWNLOAD 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 RAR 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "RAR layer7" \
comment = "layer7 DOWNLOAD RAR 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 WAV 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "WAV layer7" \
comment = "layer7 WAV DOWNLOAD 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 WMV 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "WMV layer7" \
comment = "layer7 WMV DOWNLOAD 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "YOUTUBE layer7 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "YOUTUBE layer7" \
comment = "layer7 YOUTUBE DOWNLOAD 256K"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 ZIP 256K" \
passthrough = no dst-address-list = "LIMIT IP Extention 256 K" \
layer7-protocol = "ZIP layer7" \
comment = "layer7 DOWNLOAD ZIP 256K"
C. Mangle To Limit Extension 1 MB:
In "New Terminal" Winbox:
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "7z layer7 1MB" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "7z layer7" \
comment = "7z layer7 DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 1MB AVI" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "AVI layer7" \
comment = "layer7 AVI DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 1MB EXE" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "EXE layer7" \
comment = "layer7 DOWNLOAD EXE 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "FLV layer7 1MB" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "FLV layer7" \
comment = "layer7 FLV DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "ISO layer7 1MB" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "ISO layer7" \
comment = "ISO layer7 DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 1MB MP3" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "MP3 layer7" \
comment = "layer7 MP3 DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "MP4 layer7 1MB" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "MP4 layer7" \
comment = "layer7 MP4 DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "MPEG layer7 1MB" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "MPEG layer7" \
comment = "MPEG layer7 DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 MPG 1MB" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "MPG layer7" \
comment = "layer7 MPG DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 1MB RAR" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "RAR layer7" \
comment = "layer7 RAR DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 1MB WAV" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "WAV layer7" \
comment = "layer7 WAV DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 WMV 1MB" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "WMV layer7" \
comment = "layer7 DOWNLOAD WMV 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "YOUTUBE layer7 1MB" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "YOUTUBE layer7" \
comment = "layer7 YOUTUBE DOWNLOAD 1MB"
/ Ip firewall mangle add chain = forward action = mark-packet \
new-packet-mark = "layer7 ZIP 1MB" \
passthrough = no dst-address-list = "IP Extention LIMIT 1 MB" \
layer7-protocol = "ZIP layer7" \
comment = "layer7 DOWNLOAD ZIP 1MB"
We Create Queue Tree next to its limits:
A. For ip = 192.168.1.1-192.168.1.5 = 512 KB
In "New Terminal" Winbox:
/ Queue tree add name = "LIMIT extention" parent = global-out \
limit-at = 0 priority = 1 max-limit = 0 \
burst-limit = 0 burst-threshold = 0 burst-time = 0s
/ Queue tree add name = "192.168.1.1-192.168.1.5" \
parent = "LIMIT extention" \
packet-mark = "7z layer7 512K, \
AVI layer7 512K, 512K EXE layer7, \
FLV layer7 512K, 512K layer7 ISO, \
Layer7 512K MP3, MP4 layer7 512K, \
Layer7 512K MPEG, MPG layer7 512K, \
Layer7 RAR 512K, 512K WAV layer7, \
Layer7 WMV 512K, 512K YOUTUBE layer7, \
ZIP 512K layer7 "limit-at = 0 queue = default \
priority = 1 max-limit = 512k burst-limit = 0 \
burst-threshold = 0 burst-time = 0s
B. For ip = 192.168.1.6-192.168.1.10 = 256 KB
In "New Terminal" Winbox:
/ Queue tree add name = "192.168.1.6-192.168.6.10" \
parent = "LIMIT extention" \
packet-mark = "7z layer7 256K, \
AVI layer7 256K, 256K EXE layer7, \
FLV layer7 256K, 256K layer7 ISO, \
Layer7 256K MP3, MP4 layer7 256K, \
Layer7 256K MPEG, MPG layer7 256K, \
Layer7 RAR 256K, 256K WAV layer7, \
Layer7 WMV 256K, 256K YOUTUBE layer7, \
ZIP 256K layer7 "limit-at = 0 queue = default \
priority = 1 max-limit = 256k burst-limit = 0 \
burst-threshold = 0 burst-time = 0s
C. For ip = 192.168.1.11-192.168.1.20 = 1 MB
In "New Terminal" Winbox:
/ Queue tree add name = "192.168.1.11-192.168.11.20" \
parent = "LIMIT extention" \
packet-mark = "7z layer7 1MB, 1MB layer7 AVI, \
EXE layer7 1MB, 1MB layer7 FLV, ISO layer7 1MB, \
MP3 layer7 1MB, 1MB layer7 MP4, MPEG layer7 1MB, \
Layer7 MPG 1MB, 1MB RAR layer7, WAV layer7 1MB, \
Layer7 WMV 1MB, 1MB layer7 YOUTUBE, \
ZIP 1MB layer7 "limit-at = 0 queue = default \
priority = 1 max-limit = 1M burst-limit = 0 \
burst-threshold = 0 burst-time = 0s
Next we try,
With the first ip address 192.168.1.1 on your PC and then my test download
which has the specified ip 192.168.1.1 to 192.168.1.5 with a limit of 512 KB successful extention terlimit with evidence that the 512 KB limit extensions in queue trees become red.
Next we try, with the ip address 192.168.1.6 on the PC then I test download,
which has the specified ip 192.168.1.6 to 192.168.1.10 with a limit of 256 KB successful extention terlimit with evidence that the 256 KB limit extensions in queue trees become red.
Next we try, with IP address 192.168.1.11 on the PC then I test download:
which has the specified ip 192.168.1.11 to 192.168.1.20 with a limit of 1 MB of successful extensions terlimit with evidence that the limit extention part 1 MB in queue trees become red.
Finished work ... good mood ... good luck ...