TransparentTrafficShaper

From MikroTik Wiki

Introduction

This example shows how to configure a transparent traffic shaper. The transparent traffic shaper is essentially a bridge that is able to differentiate and prioritize traffic that passes through it.

Consider the following network layout:

We will configure one queue limiting the total throughput to the client and three sub-queues that limit HTTP, P2P and all other traffic separately.

Quick Start for Impatient

Configuration snippet from the MikroTik router:

/ interface bridge  add name="bridge1" / interface bridge port  add interface=ether2 bridge=bridge1  add interface=ether3 bridge=bridge1  / interface bridge settings set use-ip-firewall=yes  / ip firewall mangle  add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \     new-connection-mark=http_conn passthrough=yes add chain=prerouting connection-mark=http_conn action=mark-packet \     new-packet-mark=http passthrough=no add chain=prerouting p2p=all-p2p action=mark-connection \     new-connection-mark=p2p_conn passthrough=yes add chain=prerouting connection-mark=p2p_conn action=mark-packet \     new-packet-mark=p2p passthrough=no add chain=prerouting action=mark-connection new-connection-mark=other_conn \     passthrough=yes add chain=prerouting connection-mark=other_conn action=mark-packet \     new-packet-mark=other passthrough=no  / queue simple  add name="main" target-addresses=10.0.0.12/32 max-limit=256000/512000 add name="http" parent=main packet-marks=http max-limit=240000/500000 add name="p2p" parent=main packet-marks=p2p max-limit=64000/64000 add name="other" parent=main packet-marks=other max-limit=128000/128000

Explanation

Each piece of code is followed by the explanation of what it actually does.

Bridge

/ interface bridge  add name="bridge1" / interface bridge port  add interface=ether2 bridge=bridge1  add interface=ether3 bridge=bridge1

We create a new bridge interface and assign two ethernet interfaces to it. Thus the prospective traffic shaper will be completely transparent to the client.

V3

/ interface bridge settings set use-ip-firewall=yes

Bridged packets behavior is changed on RouterOS v3. Use command to make bridged packets go trough 'ip firewall', by default bridged traffic is not going over 'ip firewall'.

Mangle

/ ip firewall mangle  add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \     new-connection-mark=http_conn passthrough=yes add chain=prerouting connection-mark=http_conn action=mark-packet \     new-packet-mark=http passthrough=no

All traffic destined to TCP port 80 is likely to be HTTP traffic and therefore is being marked with the packet mark http. Note, that the first rule has passthrough=yes while the second one has passthrough=no. (You can obtain additional information about mangle at http://www.mikrotik.com/docs/ros/2.9/ip/mangle)

/ ip firewall mangle  add chain=prerouting p2p=all-p2p action=mark-connection \     new-connection-mark=p2p_conn passthrough=yes add chain=prerouting connection-mark=p2p_conn action=mark-packet \     new-packet-mark=p2p passthrough=no add chain=prerouting action=mark-connection new-connection-mark=other_conn \     passthrough=yes add chain=prerouting connection-mark=other_conn action=mark-packet \     new-packet-mark=other passthrough=no

Same as above, P2P traffic is marked with the packet mark p2p and all other traffic is marked with the packet mark other.

Queues

/ queue simple  add name="main" target-addresses=10.0.0.12/32 max-limit=256000/512000

We create a queue that limits all the traffic going to/from the client (specified by the target-address) to 256k/512k.

/ queue simple  add name="http" parent=main packet-marks=http max-limit=240000/500000 add name="p2p" parent=main packet-marks=p2p max-limit=64000/64000 add name="other" parent=main packet-marks=other max-limit=128000/128000

All sub-queues have the main queue as the parent, thus the aggregate data rate could not exceed limits specified in the main queue. Note, that http queue has higher priority than other queues, meaning that HTTP downloads are prioritized.

Retrieved from "http://wiki.mikrotik.com/wiki/TransparentTrafficShaper"

Category: QoS

============================================================

PCQ Examples

From MikroTik Wiki

Jump to: navigation, search

Per Connection Queue (PCQ) is a queuing discipline that can be used to dynamically equalize or shape traffic for multiple users, using little administration. It is possible to divide PCQ scenarios into three major groups: equal bandwidth for a number of users, certain bandwidth equal distribution between users, unknown bandwidth equal distribution between users.

Equal Bandwidth for a Number of Users

Use PCQ type queue when you need to equalize the bandwidth [and set max limit] for a number of users. We will set the 64kbps download and 32kbps upload limits.

There are two ways how to make this: using mangle and queue trees, or, using simple queues.

1. Mark all packets with packet-mark all:

/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=all passthrough=no

2. Setup two PCQ queue types - one for download and one for upload. dst-address is classifier for user's download traffic, src-address for upload traffic:

/queue type add name="PCQ_download" kind=pcq pcq-rate=64000 pcq-classifier=dst-address /queue type add name="PCQ_upload" kind=pcq pcq-rate=32000 pcq-classifier=src-address

3. Finally, two queue rules are required, one for download and one for upload:

/queue tree add parent=global-in queue=PCQ_download packet-mark=all /queue tree add parent=global-out queue=PCQ_upload packet-mark=all

If you don't like using mangle and queue trees, you can skip step 1, do step 2, and step 3 would be to create one simple queue as shown here:

/queue simple add queue=PCQ_upload/PCQ_download target-addresses=192.168.0.0/24

Certain Bandwidth Equal Distribution between Users

Unknown Bandwidth Equal Distribution between Users

Retrieved from "http://wiki.mikrotik.com/wiki/PCQ_Examples"

Category: QoS

=============================================

Load Balancing

From MikroTik Wiki

Jump to: navigation, search

Spanish version of this article: Balanceo de carga mejorado atravéz de multiples gateway (wan)

With NAT and policy routing, with working HTTPS, IM and large downloads

Consider the following network layout:

[hide]

Quick Start for Impatient

Configuration export from the gateway router:

/ ip address  add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="" \     disabled=no  add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 \     comment="" disabled=no  add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1 \     comment="" disabled=no / ip firewall mangle add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \     action=mark-connection new-connection-mark=odd passthrough=yes comment="" \     disabled=no  add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \     new-routing-mark=odd passthrough=no comment="" disabled=no  add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \     action=mark-connection new-connection-mark=even passthrough=yes comment="" \     disabled=no  add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \     new-routing-mark=even passthrough=no comment="" disabled=no  / ip firewall nat  add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \     to-ports=0-65535 comment="" disabled=no  add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \     to-ports=0-65535 comment="" disabled=no  / ip route  add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd \     comment="" disabled=no  add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even \     comment="" disabled=no  add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" \     disabled=no

Explanation

First we give a code snippet and then explain what it actually does.

Mangle

/ ip address  add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="" \     disabled=no  add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 \     comment="" disabled=no  add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1 \     comment="" disabled=no

The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the name "Local" and IP address of 192.168.0.1/24.

/ ip firewall mangle  add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \     action=mark-connection new-connection-mark=odd passthrough=yes comment="" \     disabled=no

First we take every second packet that establishes new session (note connection-state=new), and mark it with connection mark "odd". Consequently all successive packets belonging to the same session will carry the connection mark "odd". Note that we are passing these packets to the second rule (passthrough=yes) to place a routing mark on these packets in addition to the connection mark.

add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \     new-routing-mark=odd passthrough=no comment="" disabled=no

The rule above places the routing mark "odd" on all packets that belong to the "odd" connection and stops processing all other mangle in prerouting chain rules for these packets.

add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \     action=mark-connection new-connection-mark=even passthrough=yes comment="" \     disabled=no  add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \     new-routing-mark=even passthrough=no comment="" disabled=no

These rules do the same for the remaining half of the traffic as the first two rules for the first half of the traffic.

The code above effectively means that each new connection initiated through the router from the local network will be marked as either "odd" or "even" with both routing and connection marks.

NAT

/ ip firewall nat  add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \     to-ports=0-65535 comment="" disabled=no  add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \     to-ports=0-65535 comment="" disabled=no

All traffic marked "odd" is being NATted to source IP address of 10.111.0.2, while traffic marked "even" gets "10.112.0.2" source IP address.

Routing

/ ip route  add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd \     comment="" disabled=no  add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even \     comment="" disabled=no  add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" \     disabled=no comment="gateway for the router itself"

For all traffic marked "odd" (consequently having 10.111.0.2 translated source address) we use 10.111.0.1 gateway. In the same manner all traffic marked "even" is routed through the 10.112.0.1 gateway. Finally, we have one additional entry specifying that traffic from the router itself (the traffic without any routing marks) should go to 10.112.0.1 gateway.

Retrieved from "http://wiki.mikrotik.com/wiki/Load_Balancing"

Categories: Routing | QoS

=====================================================

Per-Traffic Load Balancing

From MikroTik Wiki

Jump to: navigation, search

Nota: Este artículo puede encontrarse en español aquí: http://wiki.mikrotik.com/wiki/Balanceo_de_carga_por_tipo_de_trafico

[hide]

[edit] Introduction

Bandwidth management is an essential part of every day operation for typical ISP's, business, and even everyday home users. There are many different types of management tools available to RouterOS users, QoS, rate-limitng, packet-limiting, to name few

I personally operate a wireless ISP in an area that has no other type of conventional high-speed internet conection (ie. cable, fibre or DSL). Not having access to fibre myself, I am in a situation where the single fastest backbone connection I can get does not provide enough bandwidth for me to have only one connection. As a result of this limitation load-balancing multiple internet backbone connections is very important.

In the past I have used ECMP, persisten per connection styled load-balancing (see http://wiki.mikrotik.com/wiki/Load_Balancing), as well as various other methods However, I found all of then lacking in various different areas (not load-balancing correctly, broken large HTTP downloads, IM problems, to name a few issues). I then investigated a way to give me more control over my bandwidth while minimizing the potential problems. The end result was a per-traffic type of load-balancing. This tutorial is designed address that one specific area in depth, at a later date, I may expand/add additional info on fail-over, and other topics

[edit] Functions of RouterOS used

Firewall mangle rules
Firewall address-lists
Routing

[edit] Step 1 - How to break up to traffic

Before you even log onto your RouterOS box, you should have an idea of how you want to divide your traffic, and have an understanding of what traffic can and what traffic can't be broken up.

Here is an example of what you may want to attempt to separate (in no particular order)

HTTP traffic (port 80)
SSL traffic (port 443)
POP3 traffic (port 110)
SMTP traffic (port 25)
P2P traffic (various port)
Unknown traffic (various port)

After making a list of the traffic type, and the ports they operate on, you need to look at the list and decide if it is at all even capable of being forced out a certain internet connection.exión a internet.

Using the above list as an example here is what I came up with

HTTP traffic (no problems found yet)
SSL traffic (some issues, for normal SSL websites and 90% of all software it is not a problem, I'll explain why issues can arise later)
POP3 traffic (no problems found yet)
SMTP traffic (no problems found yet)
P2P traffic (must go out same internet connection as Unknown Traffic, I'll explain why this is later)
Unknown traffic (must go out same internet connection as P2P traffic, I'll explain why this is later)

Now for a quick explanation of why there can be some issues depending on the traffic type. Some websites/programs do not play friendly with multiple requests from different IP addresses, this is the reason why ECMP has so many problems. I will provide a simple solution to the rare conditions where load-balancing can't be completed.

Again using the above as an example lets explain where and why issues can be arise. SSL - The beauty of a website is that are separate requests for different data, ie. loading pictures from 3 different sources would be a request to each respective server. The result is if a we have a website that uses both SSL and HTTP traffic we know that in most cases the website will just answer the request without care of the originating IP address. However, and this is a special case, if the website/program developer checks where the requests are originating and they find that the IP are different, they may not succesfully answer those requests (this can be by design or by accident). I had 2 cases of this, in both cases it was secured medical websites that where using it as a method of protecting their data.

P2P and Unknown - I am addressing these together because the issue is one and the same. RouterOS doesn't identify P2P based on any single condition, but instead analyzes the packets! This means RouterOS needs time to watch the data before it realizes that is in fact P2P traffic. As a result RouterOS doesn't know the data is P2P until AFTER the connection is made. This is important because the only way to send data out a specific internet connection you must know that traffic is BEFORE the connection is made. So as with P2P traffic, unknown traffic is just that, it is unknown. By marking the unknown traffic though you can control what internet connection is used for both P2P and the left over unknown traffic (very useful!)

[edit] Step 2 - Setting Up the Network

Before we get to the real point of this tutorial we need a fictious network we can use as an example.

client computers (172.18.1.0/24)
Internet Gateways (10.0.1.1/24, 10 0.2.1/24)
RouterOS IPs (10.0.1.2/24, 10.0.2.2/24)

Asuming that the IPs, default routes, and DNS settings are already in place the following allow users to get internet access.

Create Address-List for permitted use of internet

/ ip firewall address-list add list="Salida_Internet" address=172.18.1.0/24 comment="" disabled=no

Create Address-List to bypass load-balancing

/ ip firewall address-list add list="WAN-01" address=172.18.1.24/32 comment="" disabled=no add list="WAN-02" address=172.18.1.76/32 comment="" disabled=no

Apply 'Masquerading'to the traffic leaving the WAN interfaces

/ ip firewall nat  add chain=srcnat action=masquerade out-interface="WAN - 01" src-address-list="Allowed - Internet" comment="Gateway 10.0.1.1/24" disabled=no  add chain=srcnat action=masquerade out-interface="WAN - 02" src-address-list="Allowed - Internet" comment="Gateway 10.0.2.1/24" disabled=no

Clients should be able to browse the internet, however only one internet connection would be used (the current default route in RouterOS)

[edit] Step 3 - Using RouterOS's Mangle Tool to mark specific traffic

This following is the necessary RouterOS commands to mark particular traffic for a certain route, we are using the same example for traffic types as in the beginning, HTTP, SSL, POP3, SMTP, P2P, and Unknown

/ ip firewall mangle  add chain=prerouting action=mark-routing new-routing-mark="WAN-01" src-address-list="WAN-01" passthrough=no comment="" disabled=no  add chain=prerouting action=mark-routing new-routing-mark="WAN-02" src-address-list="WAN-02" passthrough=no comment="" disabled=no  add chain=prerouting action=mark-routing new-routing-mark="HTTP traffic" passthrough=no dst-port=80 protocol=tcp comment="" disabled=no  add chain=prerouting action=mark-routing new-routing-mark="SSL traffic" passthrough=no dst-port=443 protocol=tcp comment="" disabled=no  add chain=prerouting action=mark-routing new-routing-mark="POP3 traffic" passthrough=no dst-port=110 protocol=tcp comment="" disabled=no  add chain=prerouting action=mark-routing new-routing-mark="SMTP traffic" passthrough=no dst-port=25 protocol=tcp comment="" disabled=no  add chain=prerouting action=mark-routing new-routing-mark="P2P traffic" passthrough=no p2p=all-p2p comment="" disabled=no  add chain=prerouting action=mark-routing new-routing-mark="Unknown traffic" passthrough=no comment="" disabled=no

The first two lines provide a method of marking particular clients to bypass the load-balancing and use only a certain internet connection for all of their traffic. The following lines with mark traffic based on the dst-port, notice how we are not passing though, also notice that we are marking all traffic, even if not known, this always for a different internet connection to be specified fot the Unknown and P2P instead of using the router's default route. I also mark P2P separately even though it must go out the same internet connection as Unknown traffic. I do this for a couple of reasons, one is that I could easily stop all traffic by simply disabling a route, and the other is in my RouterOS configuration I use a lot of QoS, it very easy to remember how everything is configured if the QoS mirrors the load-balancing

So now we are marking traffic for their respectives routes, next is to add those actual routes.

[edit] Step 4 - Using the routing functions of RouterOS to force traffic ou certain internet connections

This following is the necessary RouterOS commands to provide routes for the marked HTTP, SSL, POP3, SMTP, P2P, and Unknown Traffic

/ ip route  add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="WAN - 01" comment="" disabled=no add dst-address=0.0.0.0/0 gateway=10.0.2.1 scope=255 target-scope=10 routing-mark="WAN - 02" comment="" disabled=no add dst-address=0.0.0.0/0 gateway=10.0.2.1 scope=255 target-scope=10 routing-mark="HTTP traffic" comment="" disabled=no  add dst-address=0.0.0.0/0 gateway=10.0.2.1 scope=255 target-scope=10 routing-mark="SSL traffic" comment="" disabled=no  add dst-address=0.0.0.0/0 gateway=10.0.2.1 scope=255 target-scope=10 routing-mark="POP3 traffic" comment="" disabled=no  add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="SMTP traffic" comment="" disabled=no  add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="P2P traffic" comment="" disabled=no  add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="Unknown traffic" comment="" disabled=no

The first two lines provide the routes necessary to give the clients that are not being load-balanced via traffic type the correct gateway to the internet. The remaining lines are the routes necessary to provide the appropiate gateway based on traffic type

[edit] Step 5 - Review what you've created

What did you do: * You intelligently broke up your internet traffic into different types * Your marked that traffic using the Mangle Tool of RouterOS * You created a bypass list to allow certain IP to bypass the Per-Traffic Load-Balancing * You assigned particular routes based on the traffic you marked with Mangle

[edit] Conclusion

What you have done is very powerful and this tutorial provides just the tip of the iceberg so to say. The traffic types I have listed here are only a small amout of the total and you may want to add many others (ie. DNS, Terminal Services, ICMP, etc). This can be used is a great deal of different ways be it in a small offfice enviroment (separating your email usage from your browsing) or a large wireless ISP (for load-balancing). Some tips and final thougths

1. Think though what you want to achieve before you start 2. Pay attention to the traffic of type on each line (is it incoming intensive or outgoing intensive) 3. Finally experiment, nothing better then finding better, faster, and more intelligent ways to improve your services with a little capital costs

Retrieved from "http://wiki.mikrotik.com/wiki/Per-Traffic_Load_Balancing"

Category: Routing

================================================

How to apply different limits for Local/Overseas traffic

From MikroTik Wiki

Jump to: navigation, search

[hide]

Introduction

Let's consider the scenario, when you want to apply different limit to Local and Oversea traffic. Oversea traffic - traffic that doesn't belong to the Local country traffic.

To distinguish oversea traffic from Local country traffic, we will use 'mangle marks' and 'address-list' features. It will place appropriate marks to the packets to/from the Local country and Oversea networks. Local traffic is 'latvian traffic' in the particular example, list of network numbers belonging to ISPs in Latvia can be extracted from file: http://www.nic.lv/local.net

Note, 'address-list' entries should be replaced with respective addresses, if your router isn't located in Latvia. To find the actual list of network numbers belonging to your country, use Google or any other resources.

Simple queues will limit data rate for the Local country traffic and Oversea traffic.

Quick Start for Impatient

Configuration export from the router:

/ ip firewall address-list  add list=Latvia address=159.148.0.0/16 comment="" disabled=no  add list=Latvia address=193.41.195.0/24 comment="" disabled=no  add list=Latvia address=193.41.33.0/24 comment="" disabled=no  add list=Latvia address=193.41.45.0/24 comment="" disabled=no  add list=Latvia address=193.68.64.0/19 comment="" disabled=no  add list=Latvia address=193.108.29.0/24 comment="" disabled=no  add list=Latvia address=193.108.144.0/22 comment="" disabled=no  add list=Latvia address=193.108.185.0/24 comment="" disabled=no  add list=Latvia address=193.109.211.0/24 comment="" disabled=no  add list=Latvia address=193.109.85.0/24 comment="" disabled=no  add list=Latvia address=193.110.8.0/23 comment="" disabled=no  add list=Latvia address=193.110.164.0/23 comment="" disabled=no  ... add list=Latvia address=193.111.244.0/22 comment="" disabled=no   / ip firewall mangle  add chain=prerouting src-address=192.168.100.0/24 action=mark-connection \     new-connection-mark="Con Entire Traffic" passthrough=yes \     comment="Mark-connection All Traffic" disabled=no  add chain=prerouting src-address=192.168.100.0/24 connection-mark="Con Entire \     Traffic" dst-address-list=!Latvia action=mark-connection \     new-connection-mark="Con Oversea" passthrough=yes comment="Mark-connection \     Oversea Traffic" disabled=no  add chain=prerouting connection-mark="Con Oversea" action=mark-packet \     new-packet-mark="Oversea traffic" passthrough=no comment="Mark-packet \     Oversea Traffic" disabled=no  add chain=prerouting action=mark-packet new-packet-mark="Local Country Traffic" \     passthrough=no comment="Mark-packet Local Country Traffic" disabled=no   / queue simple add name="Oversea" target-addresses=192.168.100.254/32 dst-address=0.0.0.0/0 \     interface=all parent=none packet-marks="Oversea traffic" direction=both \     priority=8 queue=default-small/default-small limit-at=0/0 \     max-limit=256000/256000 total-queue=default-small disabled=no  add name="Local Country" target-addresses=192.168.100.254/32 dst-address=0.0.0.0/0 \     interface=all parent=none packet-marks="Local Country Traffic" direction=both \     priority=8 queue=default-small/default-small limit-at=0/0 \     max-limit=1024000/1024000 total-queue=default-small disabled=no

Explanation

Address-list

First we create Local country address-list, where are placed list of network numbers belonging to ISPs in Latvia (any other country network addresses can be used instead). Full address-list configuration is not included (too many address-list entries), but address-list idea is clear. Networks added to the list 'Latvia':

/ ip firewall address-list  add list=Latvia address=159.148.0.0/16 comment="" disabled=no  add list=Latvia address=193.41.195.0/24 comment="" disabled=no  add list=Latvia address=193.41.33.0/24 comment="" disabled=no  add list=Latvia address=193.41.45.0/24 comment="" disabled=no  add list=Latvia address=193.68.64.0/19 comment="" disabled=no  add list=Latvia address=193.108.29.0/24 comment="" disabled=no  add list=Latvia address=193.108.144.0/22 comment="" disabled=no  add list=Latvia address=193.108.185.0/24 comment="" disabled=no  add list=Latvia address=193.109.211.0/24 comment="" disabled=no  add list=Latvia address=193.109.85.0/24 comment="" disabled=no  add list=Latvia address=193.110.8.0/23 comment="" disabled=no  add list=Latvia address=193.110.164.0/23 comment="" disabled=no  ... add list=Latvia address=193.111.244.0/22 comment="" disabled=no

Note, it's much easier to create/edit such list with Excel or any other similar program.

Mangle

First we add rule to mark connections that belong to local router's subnet (192.168.100.0/24). Second rule marks connections between local subnet and overseas networks. Third rule marks oversea packets and exclude them from mangle table (passtrough=no). Finally, the last rule places packet mark on all packets that belong to Local country traffic.

/ ip firewall mangle  add chain=prerouting src-address=192.168.100.0/24 action=mark-connection \     new-connection-mark="Con Entire Traffic" passthrough=yes \     comment="Mark-connection All Traffic" disabled=no  add chain=prerouting src-address=192.168.100.0/24 connection-mark="Con Entire \     Traffic" dst-address-list=!Latvia action=mark-connection \     new-connection-mark="Con Oversea" passthrough=yes comment="Mark-connection \     Oversea Traffic" disabled=no  add chain=prerouting connection-mark="Con Oversea" action=mark-packet \     new-packet-mark="Oversea traffic" passthrough=no comment="Mark-packet \     Oversea Traffic" disabled=no  add chain=prerouting action=mark-packet new-packet-mark="Local Country Traffic" \     passthrough=no comment="Mark-packet Local Country Traffic" disabled=no

Simple Queue

Queue configuration is quite simple in the particular case. 192.168.100.254 is the local network host. First rule sets limit 256k/256k to Oversea traffic for the particular host. Respectively second simple queue set limit 1M/1M for Local country traffic.

/ queue simple add name="Oversea" target-addresses=192.168.100.254/32 dst-address=0.0.0.0/0 \     interface=all parent=none packet-marks="Oversea traffic" direction=both \     priority=8 queue=default-small/default-small limit-at=0/0 \     max-limit=256000/256000 total-queue=default-small disabled=no add name="Local Country" target-addresses=192.168.100.254/32 dst-address=0.0.0.0/0 \     interface=all parent=none packet-marks="Local Country Traffic" direction=both \     priority=8 queue=default-small/default-small limit-at=0/0 \     max-limit=1024000/1024000 total-queue=default-small disabled=no

Retrieved from "http://wiki.mikrotik.com/wiki/How_to_apply_different_limits_for_Local/Overseas_traffic"

Category: QoS

=======================================================

Different limits for Local/Overseas traffic for 3 bandwitch rates using pcq and queue tree

From MikroTik Wiki

Jump to: navigation, search

[hide]

[edit] 1. Introdution

Let's consider the scenario, when you want to apply different limits for many users to Local and Oversea traffic and don`t want load cpu with a lot of simple queues and you want sell for customers 3 bandwitch rates.

1.12/6 Mbps Latvian Traffic 1Mbps/512Kbps Overseas traffic 2.6/3 Mbps Latvian Traffic 512kbps/256Kbps Overseas traffic 3.4/2 Mbps Latvian Traffic 256Kbps/128Kbps Overseas traffic

Queue trees will limit data rate for the Local country traffic and Oversea traffic In this scenario local country is Latvia. List of all Latvian subnets located at http://www.nic.lv/local.net

[edit] 2. Configuration

/ ip firewall address-list  add list=12/6 address=192.168.0.2 comment="12/6mbps Local traffic 1mbps/512kbps oversea" add list=6/3 address=192.168.0.3 comment="6/3mbps Local traffic 512kbps/256kbps oversea" add list=4/2 address=192.168.0.4 comment="4/2mbps Local traffic 256kbps/128kbps oversea" add list=Latvia address=159.148.0.0/16 comment="" disabled=no  add list=Latvia address=193.41.195.0/24 comment="" disabled=no  add list=Latvia address=193.41.33.0/24 comment="" disabled=no  add list=Latvia address=193.41.45.0/24 comment="" disabled=no  add list=Latvia address=193.68.64.0/19 comment="" disabled=no  add list=Latvia address=193.108.29.0/24 comment="" disabled=no  add list=Latvia address=193.108.144.0/22 comment="" disabled=no  add list=Latvia address=193.108.185.0/24 comment="" disabled=no   / ip firewall mangle  add chain=forward action=mark-packet new-packet-mark=LV_DL_6M passthrough=yes \     in-interface=public src-address-list=latvia comment="Default mangle for \     Latvia Download" disabled=no  add chain=forward action=mark-packet new-packet-mark=LV_UL_3M passthrough=yes \     in-interface=local dst-address-list=latvia comment="Default mangle for \     Latvia Upload" disabled=no  add chain=forward action=mark-packet new-packet-mark=OS_DL_512k \     passthrough=yes in-interface=public src-address-list=!latvia \     comment="Default mangle for Oversea Download" disabled=no  add chain=forward action=mark-packet new-packet-mark=OS_UL_256k \     passthrough=yes in-interface=local dst-address-list=!latvia \     comment="Default mangle for Oversea Upload" disabled=no  add chain=forward action=mark-packet new-packet-mark=LV_DL_12M passthrough=no \     in-interface=public src-address-list=latvia dst-address-list=12/6 \     comment="Tarif 12/6 Latvia Download" disabled=no  add chain=forward action=mark-packet new-packet-mark=LV_UL_6M passthrough=no \     in-interface=local src-address-list=12/6 dst-address-list=latvia \     comment="Tarif 12/6 Latvia Upload" disabled=no  add chain=forward action=mark-packet new-packet-mark=OS_DL_1M passthrough=no \     in-interface=public src-address-list=!latvia dst-address-list=12/6 \     comment="Tarif 12/6 Oversea Download" disabled=no  add chain=forward action=mark-packet new-packet-mark=OS_UL_512k passthrough=no \     in-interface=local src-address-list=12/6 dst-address-list=!latvia \     comment="Tarif 12/6 Oversea Upload" disabled=no  add chain=forward action=mark-packet new-packet-mark=LV_DL_4M passthrough=no \     in-interface=public src-address-list=latvia dst-address-list=4/2 \     comment="Tarif 4/2 Latvia Download" disabled=no  add chain=forward action=mark-packet new-packet-mark=LV_UL_2M passthrough=no \     in-interface=local src-address-list=4/2 dst-address-list=latvia \     comment="Tarif 4/2 Latvia Upload" disabled=no  add chain=forward action=mark-packet new-packet-mark=OS_DL_256k passthrough=no \     in-interface=public src-address-list=!latvia dst-address-list=4/2 \     comment="Tarif 4/2 Oversea Download" disabled=no  add chain=forward action=mark-packet new-packet-mark=OS_UL_128k passthrough=no \     in-interface=local src-address-list=4/2 dst-address-list=!latvia \     comment="Tarif 4/2 Oversea Upload" disabled=no    / queue type add name="LV_DL_12M" kind=pcq pcq-rate=12000000 pcq-limit=50 \     pcq-classifier=dst-address pcq-total-limit=2000  add name="LV_DL_6M" kind=pcq pcq-rate=6000000 pcq-limit=50 \     pcq-classifier=dst-address pcq-total-limit=2000  add name="LV_DL_4M" kind=pcq pcq-rate=4000000 pcq-limit=50 \     pcq-classifier=dst-address pcq-total-limit=2000  add name="LV_UL_6M" kind=pcq pcq-rate=6000000 pcq-limit=50 \     pcq-classifier=src-address pcq-total-limit=2000  add name="LV_UL_3M" kind=pcq pcq-rate=3000000 pcq-limit=50 \     pcq-classifier=src-address pcq-total-limit=2000  add name="LV_UL_2M" kind=pcq pcq-rate=2000000 pcq-limit=50 \     pcq-classifier=src-address pcq-total-limit=2000  add name="OS_DL_1M" kind=pcq pcq-rate=1000000 pcq-limit=50 \     pcq-classifier=dst-address pcq-total-limit=2000  add name="OS_DL_512k" kind=pcq pcq-rate=512000 pcq-limit=50 \     pcq-classifier=dst-address pcq-total-limit=2000  add name="OS_DL_256k" kind=pcq pcq-rate=256000 pcq-limit=50 \     pcq-classifier=dst-address pcq-total-limit=2000  add name="OS_UL_512k" kind=pcq pcq-rate=512000 pcq-limit=50 \     pcq-classifier=src-address pcq-total-limit=2000  add name="OS_UL_256k" kind=pcq pcq-rate=256000 pcq-limit=50 \     pcq-classifier=src-address pcq-total-limit=2000  add name="OS_UL_128k" kind=pcq pcq-rate=128000 pcq-limit=50 \     pcq-classifier=src-address pcq-total-limit=2000   / queue tree  add name="LV_DL_12M" parent=local packet-mark=LV_DL_12M limit-at=0 queue=LV_DL_12M priority=8 max-limit=0 burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no  add name="LV_DL_6M" parent=local packet-mark=LV_DL_6M limit-at=0 queue=LV_DL_6M priority=8 max-limit=0 burst-limit=0 \  burst-threshold=0 burst-time=0s disabled=no  add name="LV_UL_2M" parent=public packet-mark=LV_UL_2M limit-at=0 queue=LV_UL_2M priority=8 max-limit=0 burst-limit=0 \  burst-threshold=0 burst-time=0s disabled=no  add name="LV_DL_4M" parent=local packet-mark=LV_DL_4M limit-at=0 queue=LV_DL_4M priority=8 max-limit=0 burst-limit=0 \  burst-threshold=0 burst-time=0s disabled=no  add name="LV_UL_3M" parent=public packet-mark=LV_UL_3M limit-at=0 queue=LV_UL_3M priority=8 max-limit=0 burst-limit=0 \  burst-threshold=0 burst-time=0s disabled=no  add name="LV_UL_6M" parent=public packet-mark=LV_UL_6M limit-at=0 queue=LV_UL_6M priority=8 max-limit=0 burst-limit=0 \  burst-threshold=0 burst-time=0s disabled=no  add name="OS_DL_1M" parent=local packet-mark=OS_DL_1M limit-at=0 queue=OS_DL_1M priority=8 max-limit=0 burst-limit=0  \  burst-threshold=0 burst-time=0s  disabled=no  add name="OS_DL_256k" parent=local packet-mark=OS_DL_256k limit-at=0 queue=OS_DL_256k priority=8 max-limit=0 burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no  add name="OS_DL_512k" parent=local packet-mark=OS_DL_512k limit-at=0 queue=OS_DL_512k priority=8 max-limit=0 burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no  add name="OS_UL_128k" parent=public packet-mark=OS_UL_128k limit-at=0 queue=OS_UL_128k priority=8 max-limit=0 burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no  add name="OS_UL_256k" parent=public packet-mark=OS_UL_256k limit-at=0 queue=OS_UL_256k priority=8 max-limit=0 burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no add name="OS_UL_512k" parent=public packet-mark=OS_UL_512k limit-at=0 queue=OS_UL_512k priority=8 max-limit=0 burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no

[edit] 3. Explanation

In /ip firewall address-list we created 3 lists for bandwitch profiles and list with name Latvia with latvian subnets In /ip firewall mangle we created address list based packet marks for bandwitch profiles. All ips witch is not included in any address list will have second bandwitch profiles rates. In /queue types we created pcq types for bandwitch profiles. In /queue tree we created rules with Local/Overseas packet marks and queue types for bandwitch profiles.

Now customer with ip 192.168.0.2 have 1 profile rates, customer with ip 192.168.0.3 have 2 profile rates, client with ip 192.168.0.4 have 3 profile rates and all others have 2 bandwitch rates, so all traffic will be limited and your cpu power will be free for other tasks.

[edit] Important note

This setup will work correctly if local network is not masqueraded. If masquerade is used then parent for all upload queues must be 'global-out' instead of 'public'. The reason for this is that pcq_upload classifier is source address. In case of masquerading source address is changed to public IP address. If queue is set to 'public' interface pcq will think that all packets are coming from one source ( public IP ). PCQ must see source address before masquerading occurs, according to packet flow diagram from manual 'global-out' is before 'src-nat'.

Retrieved from "http://wiki.mikrotik.com/wiki/Different_limits_for_Local/Overseas_traffic_for_3_bandwitch_rates_using_pcq_and_queue_tree"

Category: QoS

=====================================================

Queue with Masquerading and Internal Web-Proxy

From MikroTik Wiki

Jump to: navigation, search

[hide]

[edit] Introduction

This page will tak about how to make QUEUE TREE in RouterOS that also running Web-Proxy and Masquerading. Several topics in forum say it's impossible to do.

In version 2.9.x, we can not know which traffic is HIT and which traffic is MISS from web-proxy. Several people want to make a configuration, to let cache data in proxy (HIT traffic) deliver in maximum possible speed. In other word, if we already have the requested data, those process will not queued.

In ver 3.0 we can do this, using TOS header modification in web-proxy feature. We can set any TOS value for the HIT traffic, and make it as parameter in mangle.

[edit] Basic Setup

First, let's set the basic setting first. I'm using a machine with 2 network interface:

admin@instaler] > in pr #    NAME       TYPE    RX-RATE    TX-RATE    MTU   0  R public     ether   0          0          1500  1  R lan        wlan    0          0          1500

And this is the IP Address for each interface:

[admin@instaler] > ip ad pr Flags: X - disabled, I - invalid, D - dynamic  #  ADDRESS           NETWORK      BROADCAST      INTERFACE 0  192.168.0.217/24  192.168.0.0  192.168.0.255  public    1  172.21.1.1/24     172.21.1.0   172.21.1.255   lan

Don't forget to set the transparant web-proxy. We set cache-hit-dscp: 4.

[admin@instaler] > ip proxy pr                     enabled: yes                 src-address: 0.0.0.0                        port: 3128                parent-proxy: 0.0.0.0           parent-proxy-port: 0                 cache-drive: system         cache-administrator: "webmaster"              max-cache-size: none               cache-on-disk: yes  maximal-client-connections: 600  maximal-server-connections: 600              max-fresh-time: 3d       serialize-connections: yes              cache-hit-dscp: 4

[edit] Firewall NAT

Make 2 NAT rules, 1 for Masquerading, and the other for redirecting transparant proxy.

[admin@instaler] ip firewall nat> pr Flags: X - disabled, I - invalid, D - dynamic  0   chain=srcnat out-interface=public      src-address=172.21.1.0/24 action=masquerade  1   chain=dstnat in-interface=lan src-address=172.21.1.0/24      protocol=tcp dst-port=80 action=redirect to-ports=3128

[edit] Mangle Setup

And now is the most important part in this case.

If we want to make HIT traffic from web proxy not queued, we have to make a mangle to handle this traffic. Put this rule on the beginning of the mangle, as it will check first.

[admin@instaler] > ip firewall mangle print Flags: X - disabled, I - invalid, D - dynamic  0   ;;; HIT TRAFFIC FROM PROXY     chain=output out-interface=lan     dscp=4 action=mark-packet      new-packet-mark=proxy-hit passthrough=no

As we will make Queue for uplink and downlink traffic, we need 2 packet-mark. In this example, we use "test-up" for uplink traffic, and "test-down" for downlink traffic.

For uplink traffic, it's quite simple. We need only one rule, using SRC-ADDRESS and IN-INTERFACE parameters, and using PREROUTING chain. Rule number #1.

But for downlink, we have to make sevaral rules. As we use masquerading, we need Connection Mark, named as "test-conn". Rule no #2.

Then we have to make 2 more rules. First rule is for non-HTTP connection / direct connection. We use chain forward, as the data traveling through the router. Rule no #3.

The second rule is for data coming from web-proxy to the client (MISS traffic). We use OUTPUT chain, as the data coming from internal process in the router itself. Rule no #4.

For both rules (no #3 and #4) we named it "test-down".

Please be aware, we use passthrough only for connection mark (rule no #2).

[admin@instaler] > ip firewall mangle print Flags: X - disabled, I - invalid, D - dynamic  1   ;;; UP TRAFFIC     chain=prerouting in-interface=lan      src-address=172.21.1.0/24 action=mark-packet      new-packet-mark=test-up passthrough=no   2   ;;; CONN-MARK     chain=forward src-address=172.21.1.0/24      action=mark-connection      new-connection-mark=test-conn passthrough=yes   3   ;;; DOWN-DIRECT CONNECTION     chain=forward in-interface=public      connection-mark=test-conn action=mark-packet      new-packet-mark=test-down passthrough=no   4   ;;; DOWN-VIA PROXY     chain=output out-interface=lan      dst-address=172.21.1.0/24 action=mark-packet      new-packet-mark=test-down passthrough=no

[edit] Queue Tree Setup

And now, the queue tree setting. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent. for downlink traffic, we use parent "lan", the interface name for local network. And for uplink, we are using parent "global-in".

[admin@instaler] > queue tree pr Flags: X - disabled, I - invalid  0   name="downstream" parent=lan packet-mark=test-down      limit-at=32000 queue=default priority=8      max-limit=32000 burst-limit=0      burst-threshold=0 burst-time=0s   1   name="upstream" parent=global-in      packet-mark=test-up limit-at=32000      queue=default priority=8      max-limit=32000 burst-limit=0      burst-threshold=0 burst-time=0s

You can use those mangle also with PCQ.

Retrieved from "http://wiki.mikrotik.com/wiki/Queue_with_Masquerading_and_Internal_Web-Proxy"

Category: QoS

======================================================

Queue Tree with more than two interfaces

From MikroTik Wiki

Jump to: navigation, search

[edit] Basic Setup

This page will talk about how to make QUEUE TREE in RouterOS that with Masquerading for more than two interfaces. It's for sharing internet connection among users on each interfaces. In manual this possibility isn't written.

First, let's set the basic setting first. I'm using a machine with 3 or more network interfaces:

[admin@instaler] > in pr #    NAME       TYPE    RX-RATE    TX-RATE    MTU   0  R public     ether   0          0          1500  1  R wifi1      wlan    0          0          1500 2  R wifi2      wlan    0          0          1500 3  R wifi3      wlan    0          0          1500

And this is the IP Addresses for each interface:

[admin@instaler] > ip ad pr Flags: X - disabled, I - invalid, D - dynamic  #  ADDRESS           NETWORK      BROADCAST      INTERFACE 0  10.20.1.0/24      10.20.1.0    10.20.1.255    public    1  10.10.2.0/24      10.10.2.0    10.10.2.255    wifi1 2  10.10.3.0/24      10.10.3.0    10.10.3.255    wifi2 3  10.10.4.0/24      10.10.4.0    10.10.4.255    wifi3

On the public you can add NAT or proxy if you want.

[edit] Mangle Setup

And now is the most important part in this case.

We need to mark our users. One connection for upload and second for download. In this example I add mangle for one user. At the end I add mangle for local transmission because I don't QoS local trafic emong users. But for user I need to separate upload and download.

[admin@instaler] ip firewall mangle> print Flags: X - disabled, I - invalid, D - dynamic      disabled=no  0 chain=forward src-address=10.10.2.36 action=mark-connection \    new-connection-mark=users-userU passthrough=yes comment="" disabled=no  1 chain=forward dst-address=10.10.2.36 action=mark-connection \    new-connection-mark=users-userD passthrough=yes comment="" disabled=no  2 chain=forward connection-mark=users-userU action=mark-packet \    new-packet-mark=userU passthrough=yes comment="" disabled=no  3 chain=forward connection-mark=users-userD action=mark-packet \    new-packet-mark=userD passthrough=yes comment="" disabled=no

98  chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16      action=mark-connection new-connection-mark=users-lokal passthrough=yes  99  chain=forward connection-mark=users-lokal action=mark-packet      new-packet-mark=lokalTrafic passthrough=yes

[edit] Queue Tree Setup

And now, the queue tree setting. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent. for downlink traffic, we use parent "global-out", because we have two or more downloading interfaces. And for uplink, we are using parent "public", we want QoS uplink traffic. (I'm using pcq-up and download from manual) This example is for 2Mb/1Mb

[admin@instaler] > queue tree pr Flags: X - disabled, I - invalid  0   name="Download" parent=global-out packet-mark="" limit-at=0      queue=pcq-download priority=1 max-limit=2000000 burst-limit=0      burst-threshold=0 burst-time=0s

1   name="Upload" parent=WGW packet-mark="" limit-at=0 queue=pcq-upload      priority=1 max-limit=1000000 burst-limit=0 burst-threshold=0      burst-time=0s

Now we add our user:

2   name="user10D" parent=Download packet-mark=userD limit-at=0      queue=pcq-download priority=5 max-limit=0 burst-limit=0      burst-threshold=0 burst-time=0s

3   name="user10U" parent=Upload packet-mark=userU limit-at=0      queue=pcq-upload priority=5 max-limit=0 burst-limit=0 burst-threshold=0      burst-time=0s

Retrieved from "http://wiki.mikrotik.com/wiki/Queue_Tree_with_more_than_two_interfaces"

Category: QoS

===============================================

Limit Different Bandwidth In Day and Night

From MikroTik Wiki

Jump to: navigation, search

Limit Different Bandwidth In Day and Night.

There are lot many ways to limit bandwidth for day and Night, but personally I found this is the easiest way, Here it is.

I have used Simple Queue, Script and Scheduler.

Suppose we have one network 192.168.1.0/24 and want to limit Bandwidth for day and Night Time.

Network 192.168.1.0/24 Bandwidth = 06:00am – 18:00pm – 1Mbps.  Bandwidth = 18:00pm – 06:00am – 2Mbps.

Create two simple queues for the same network with different Bandwidth Limit.

/queue simple #name=”Day” target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 interface= parent=none direction=both priority=8  queue=default-small/default-small limit-at=512k/512k  max-limit=1M/1M total-queue=default-small  #name=”Night” target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 interface= parent=none direction=both priority=8 queue=default-small/default-small limit-at=1M/1M  max-limit=2M/2M total-queue=default-small

Now, write scripts

/system script #name=”Day” source=/queue simple enable Day; /queue simple disable Night  #name=”Night” source=/queue simple enable Night; /queue simple disable Day

Finally, Schedule it

/system scheduler #name=”Day” on-event=Day start-date=oct/13/2007 start-time=06:00:00 interval=1d  #name=”Night” on-event=Night start-date=oct/13/2007 start-time=18:00:00 interval=1d

scripts

Retrieved from "http://wiki.mikrotik.com/wiki/Limit_Different_Bandwidth_In_Day_and_Night"

Categories: QoS | Scripting

================================================

Different bandwidth in day and night for several categories of users

From MikroTik Wiki

Jump to: navigation, search

[hide]

[edit] Introduction

Maybe you have many users, institutions, and alike, that use the internet during the day. And maybe you have "power users" that have two jobs, come home at 19.00 and they want to make it all at once, read mail, chat, download with p2p programs, etc.

Let's say you have corporate users / institutions / government. People that arrive at 07.00 and leave the office 18.00 at most. You reserve them 1 mbit/s all the time. Most of your home users are using maximum bandwidth after 15.00 and just after midnight. You decide to allow them to use all the bandwidth you can afford, after the "big" clients get offline ( institutions, and alike, wich pay big money for quality services)

So, you decide you may "lend" some of the bandwidth of the users that are not working, while they are not...

[edit] How ?

You can of course add 2 ( two ) queues for each limit you want to put, but you can also put a single queue, and modify it's limits from a script.

That's the way we will do it. Might just be simpler. Why ? You keep the limits for different type of users in a single place ( the script). Also you can graph a single queue, that may be more acceptable for you and for some users if you allow them to view their traffic graphs.

Premises:

You are using simple queues to limit the traffic.

( This can be easily adapted to queue tree, by modifying limits in the queue tree.... but that's another story. Work it out yourself.)

You have 3 types of users:

- 256k/256k at day, 1M/1M at night

- 512k/512k at day, 2M/2M at night

- 1M/1M at day, 4M/4M at night

You limit your users by individual simple queues, and distinction among categories is by comment.

( I put this also on queue name to make it easier to see. It seems to me that winbox does not display comments on simple queues on v3.6, at least on the RB I am working with right now :(, but the console uses them right and the scripts work fine )

How do we do it?

- Put simple queues with established limits, and distinctive queue _comment_ for each category of users. ( eg. ""Vasile_CAT1"", ""Vasile2_CAT2"", etc as queue names, and [CAT1, CAT2 will be the category identifiers, put in comment]

- Establish limits for each category: CAT1, CAT2, etc., we will modify this from the 2 scripts that handle everything.

- Put the script to run from the scheduler every 24 hours, and modify limits for day/night, reg. each category of users. The script for the "day" starts 06.00 hours, and ends 18.00 hours, when the script for the "night" starts, enabling the night modifications.

[edit] Setup NTP Client

Ok. Now, for this to work, first of all sync your clock. Or you might get strange results and complains, if your clock is out of sync :)

/system ntp client  set enabled=yes mode=unicast primary-ntp=213.239.154.12 secondary-ntp=213.249.66.35

( You can put primary-ntp and secondary-npt to be resolved to whatever 0.europe.pool.ntp.org and 1.europe.pool.ntp.org is pointing to. Please replace "europe" with your continent, for further improvement on response times and proximity. See ntp.org for further information )

[edit] Setup the queues

( I put 4 for this example only. you can setup as many as you like, it does not matter )

/queue simple  add comment="CAT1" direction=both disabled=no dst-address=192.168.4.15/32 \     max-limit=256000/256000 name="George_CAT1" parent=none priority=8 \     queue=default-small/default-small add comment="CAT1" direction=both disabled=no dst-address=192.168.4.16/32 \     max-limit=256000/256000 name="Robinson_CAT1" parent=none priority=8 \     queue=default-small/default-small add comment="CAT2" direction=both disabled=no dst-address=192.168.4.17/32 \     max-limit=512000/512000 name="Crusoe_CAT2" parent=none priority=8 \     queue=default-small/default-small add comment="CAT3" direction=both disabled=no dst-address=192.168.4.18/32 \     max-limit=1024000/1024000 name="Momma_CAT3" parent=none priority=8 \     queue=default-small/default-small

Now, these were the queues. Let's see:

[edit] Setup the scripts

For the "day" limits:

/system scheduler  add comment="" disabled=no interval=1d name="Day" on-event="/queue simple\r\nset [find \     comment=CAT1] max-limit=256000/256000\r\nset [find comment=CAT2] \     max-limit=512000/512000\r\nset [find comment=CAT3] max-limit=1024000/1024000\r\n" \     start-date=jan/01/1970 start-time=06:00:00

For the "night" limits:

/system scheduler  add comment="" disabled=no interval=1d name="Night" on-event="/queue simple\r\nset [find \     comment=CAT1] max-limit=1024000/1024000\r\nset [find comment=CAT2] \     max-limit=2048000/2048000\r\nset [find comment=CAT3] max-limit=4096000/4096000\r\n" \     start-date=jan/01/1970 start-time=18:00:00

Well, in clear text, they look (better)like this:

DAY:

/queue simple set [find comment=CAT1] max-limit=256000/256000 set [find comment=CAT2] max-limit=512000/512000 set [find comment=CAT3] max-limit=1024000/1024000

NIGHT:

/queue simple set [find comment=CAT1] max-limit=1024000/1024000 set [find comment=CAT2] max-limit=2048000/2048000 set [find comment=CAT3] max-limit=4096000/4096000

Each script is put to run at 1 day interval, "Day" script starts at 06.00, "Night" script starts at 18.00.

DONE !

Implement in your systems.

Put your own limits on categories. You can put how many categories you like, with whatever identifiers you like, remember to update scripts. :)

You can edit the limits of queue tree, if you want to enable it with different limits at night. ( you can for example allow p2p with different limit at night, whether you decided how to limit it by mangle and routing marks, or by simple queues, whatever.

Have a nice scripting.

Retrieved from "http://wiki.mikrotik.com/wiki/Different_bandwidth_in_day_and_night_for_several_categories_of_users"

Categories: QoS | Scripting

==========================================================

Mangle, Queue Tree and prio by fly man ... almost done

From MikroTik Wiki

Jump to: navigation, search

As we know ‘simple queue’ marks packets from/to target ip and queues them using global-in/global-out parents for packets at the local side of router. If we want to queue services using ‘queue tree’ we can do it at the local or public side. However if we want to use ‘simple queue’ and ‘queue tree’ for services we don’t have that choice. Packets are marked at the local side and queued by ‘simple queue’ (we can’t see it in /ip firewall mange and /queue tree). The second marking and the ‘queue tree’ at the local side won’t work. That’s why, for services we need to mark packets incoming/outgoing (prerouting/postrouting) at the public side of router.

/interface set ether1 name=wan /interface set ether2 name=lan

/ip  address  add  address=192.168.0.1/24 interface=lan /ip  address  add  address=1.0.0.2/24 interface=wan /ip route  add gateway=1.0.0.1

/ip firewall nat  add chain=srcnat action=masquerade src-address=192.168.0.0/24

At first we make simple queue, for example:

!!! set your internet speed on MAX-LIMIT at QOS rule

/queues simple add name="QOS" dst-address=0.0.0.0/0 interface=all parent=none direction=both \    priority=8 queue=default-small/default-small limit-at=0/0 \    max-limit=1000000/1800000 total-queue=default-small disabled=no :for z from 2 to 254 do={/queue simple add name=(0. . $z) target-addresses=(192.168.0. . $z) \ parent="QOS" interface=all priority=4 queue=default/default max-limit=128000/530000 \ total-queue=default}

Now we mark packets for the services

/ ip firewall mangle  add chain=prerouting action=mark-packet new-packet-mark=icmp_in passthrough=no \    in-interface=wan protocol=icmp comment="icmp" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=icmp_out \    passthrough=no out-interface=wan protocol=icmp comment="" disabled=no  add chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no \    p2p=all-p2p in-interface=wan comment="p2p" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=p2p_out \    passthrough=no p2p=all-p2p out-interface=wan comment="" disabled=no  add chain=prerouting action=mark-packet new-packet-mark=pop3_in passthrough=no \    in-interface=wan src-port=110 protocol=tcp comment="pop3" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=pop3_out \    passthrough=no out-interface=wan dst-port=110 protocol=tcp comment="" \    disabled=no  add chain=prerouting action=mark-packet new-packet-mark=smtp_in passthrough=no \    in-interface=wan src-port=25 protocol=tcp comment="smtp" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=smtp_out \    passthrough=no out-interface=wan dst-port=25 protocol=tcp comment="" \    disabled=no  add chain=prerouting action=mark-packet new-packet-mark=imap_in passthrough=no \    in-interface=wan src-port=143 protocol=tcp comment="imap" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=imap_out \    passthrough=no out-interface=wan dst-port=143 protocol=tcp comment="" \    disabled=no  add chain=prerouting action=mark-packet new-packet-mark=ssh_in passthrough=no \    in-interface=wan dst-port=22 protocol=tcp comment="ssh" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=ssh_out \    passthrough=no out-interface=wan src-port=22 protocol=tcp comment="" \    disabled=no  add chain=prerouting action=mark-packet new-packet-mark=winbox_in \    passthrough=no in-interface=wan dst-port=8291 protocol=tcp \    comment="winbox" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=winbox_out \    passthrough=no out-interface=wan src-port=8291 protocol=tcp comment="" \    disabled=no  add chain=prerouting action=mark-packet new-packet-mark=dns_in passthrough=no \    in-interface=wan src-port=53 protocol=udp comment="dns" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=dns_out \    passthrough=no out-interface=wan dst-port=53 protocol=udp comment="" \    disabled=no  add chain=prerouting action=mark-packet new-packet-mark=www_in passthrough=no \    in-interface=wan src-port=80 protocol=tcp comment="www" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=www_out \    passthrough=no out-interface=wan dst-port=80 protocol=tcp comment="" \    disabled=no  add chain=prerouting action=mark-packet new-packet-mark=ssl_in passthrough=no \    in-interface=wan src-port=443 protocol=tcp comment="ssl" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=ssl_out \    passthrough=no out-interface=wan dst-port=443 protocol=tcp comment="" \    disabled=no  add chain=prerouting action=mark-packet new-packet-mark=udp_in passthrough=no \    in-interface=wan protocol=udp comment="udp" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=udp_out \    passthrough=no out-interface=wan protocol=udp comment="" disabled=no  add chain=prerouting action=mark-packet new-packet-mark=tcp_in passthrough=no \    in-interface=wan protocol=tcp comment="tcp" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=tcp_out \    passthrough=no out-interface=wan protocol=tcp comment="" disabled=no  add chain=prerouting action=mark-packet new-packet-mark=other_in \    passthrough=no in-interface=wan comment="other" disabled=no  add chain=postrouting action=mark-packet new-packet-mark=other_out \    passthrough=no out-interface=wan comment="" disabled=no

after that we can make queue tree:

/queue tree  add name="upload_wan1" parent=global-out packet-mark="" limit-at=0 \    queue=wireless-default priority=4 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="icmp_down" parent=global-in packet-mark=icmp_in limit-at=0 \    queue=wireless-default priority=1 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="icmp_up" parent=global-out packet-mark=icmp_out limit-at=0 \    queue=wireless-default priority=1 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="winbox_down" parent=global-in packet-mark=winbox_in limit-at=0 \    queue=wireless-default priority=1 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="winbox_up" parent=global-out packet-mark=winbox_out limit-at=0 \    queue=wireless-default priority=1 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="dns_down" parent=global-in packet-mark=dns_in limit-at=0 \    queue=wireless-default priority=1 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="dns_up" parent=global-out packet-mark=dns_out limit-at=0 \    queue=wireless-default priority=1 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="www_up" parent=upload_wan1 packet-mark=www_out limit-at=0 \    queue=wireless-default priority=2 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="ssl_up" parent=upload_wan1 packet-mark=ssl_out limit-at=0 \    queue=wireless-default priority=1 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="p2p_up" parent=upload_wan1 packet-mark=p2p_out limit-at=0 \    queue=wireless-default priority=8 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="udp_up" parent=upload_wan1 packet-mark=udp_out limit-at=0 \    queue=wireless-default priority=6 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="tcp_up" parent=upload_wan1 packet-mark=tcp_out limit-at=0 \    queue=wireless-default priority=4 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="other_up" parent=upload_wan1 packet-mark=other_out limit-at=0 \    queue=wireless-default priority=7 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="download_wan1" parent=global-in packet-mark="" limit-at=0 \    queue=wireless-default priority=4 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="www_down" parent=download_wan1 packet-mark=www_in limit-at=0 \    queue=wireless-default priority=2 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="ssl_down" parent=download_wan1 packet-mark=ssl_in limit-at=0 \    queue=wireless-default priority=1 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="p2p_down" parent=download_wan1 packet-mark=p2p_in limit-at=0 \    queue=wireless-default priority=8 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="udp_down" parent=download_wan1 packet-mark=udp_in limit-at=0 \    queue=wireless-default priority=6 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="tcp_down" parent=download_wan1 packet-mark=tcp_in limit-at=0 \    queue=wireless-default priority=4 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="other" parent=download_wan1 packet-mark=other_in limit-at=0 \    queue=wireless-default priority=7 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="ssh_down" parent=global-in packet-mark=ssh_in limit-at=0 \    queue=wireless-default priority=1 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="ssh_up" parent=global-out packet-mark=ssh_out limit-at=0 \    queue=wireless-default priority=1 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="pop3_down" parent=download_wan1 packet-mark=pop3_in limit-at=0 \    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="smtp_down" parent=download packet-mark=smtp_in limit-at=0 \    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="imap_down" parent=download packet-mark=imap_in limit-at=0 \    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="imap_up" parent=upload packet-mark=imap_out limit-at=0 \    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="smtp_out" parent=upload packet-mark=smtp_out limit-at=0 \    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no  add name="pop3_up" parent=upload packet-mark=pop3_out limit-at=0 \    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \    burst-threshold=0 burst-time=0s disabled=no

We have several basic download/upload queues:

- wan

- icmp

- winbox

- dns

Icmp, dns and winbox have the highest priority to ensure low ping, quick answer of dns server and winbox connection without any problems. The second is wan. In wan tree we decide which service has the highest priority, for which one we want to guarantee bandwidth or decrease speed.

Retrieved from "http://wiki.mikrotik.com/wiki/Mangle%2C_Queue_Tree_and_prio_by_fly_man_..._almost_done"

==================================================

Hotspot, apply different limits and different traffic priorities

From MikroTik Wiki

Jump to: navigation, search

[edit] Introduction

Many users are always asking about how to prioritize the traffic using the Mikrotik RouterOS Hotspot service.
The following method helps to manage the network traffic and customize it the way you want. It also insure to provide the correct service for a specific use in a big network, giving priority for the VIPs, Special users or services in a congested network.
Also, you can use the same method if you want to make sure that heavy users should not keep downloading or uploading files for long period in order to save the rest of available traffic for light users who are looking for good speed for browsing or occasionally access. This can be applied using the burst limit or a combination of minimum and burst limit with priority.
The trick with bandwidth management in Hotspot is to use the Users Profiles, and assign the different type of speeds that is related to a specific group.

[edit] The question is, How to do that?

Using the Winbox, in: IP >> Hotspot >> User Profiles >> rate limit:
use the following string: x1k/y1k x2k/y2k x3k/y3k x5/y5 P x6k/y6k

where:
x1k/y1k: Rate (txrate/rxrate i.e 128k/1024k)
x2k/y2k: Burst Rate (i.e 256k/2048k)
x3k/y3k: Burst Threshold (i.e 160k/1280k)
x5/y5: Burst Time (in seconds i.e: 60/60)
Priority: P (use integer from 1-8)
Minimum rate: x6k/y6k (i.e 32k/256k)

for example: 24k/128k 32k/256k 24k/196k 30/30 8 16k/64k

The following example show you what you have to do exactly:

means:
Rate:24k/128k
Burst Rate: 32k/256k
Burst Threshold: 24k/196k
Burst Time: 30/30
Priority: 8
Minimum rate: 16k/64k

In Queues table, you can see what happened exactly for the user having the same profile:

Also, you can check the configured priority here:

if you just want to use rate and priority, then use:
Rate, Burst Rate, Burst Priority, Minimum rate.

=========================================================

Cable setup

From MikroTik Wiki

Jump to: navigation, search

[edit] Basic Internet Sharing with Bandwidth Limiting

This tutorial explains how to configure a router to share a single Internet connection (WAN) among multiple local computers (LAN) using NAT.

First we will configure interface that is connected to WAN.

/ ip address add address=192.168.1.20/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether2

Now one interface is configured and connected to WAN (with ip 192.168.1.20/24). Now we will configure second interface for our Local Network.

/ ip address add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=ether1

Now we will configure DHCP using WinBOX, download Winbox from http://www.mikrotik.com and login to you MT Router. Then goto IP > DHCP-Server, now press Setup Button, then you will see a similar window as shown below. Just select the interface that you have configured for your Local Network (as in our example it is ether1), now just press Next till the end of setup.

Now we will configure DNS for our local network. Goto IP > DNS, press Settings button then add you Primary and Secondary DNS Server IP as provided by your Internet Service Provider. Also make sure that you select "Allow Remote Requests", so that you can give your MT Router's IP as a DNS Server to your Clients. Then Apply and OK.

Now we will configure NATing for our Local Network. Goto IP > Firewall, goto NAT table press the plus sign which will allow you to add new firewall rules. Select chain=srcnat, then set Src. Address=192.168.0.0/24 (ip range of your local network), then select Out.Interface=ether2 (interface connected WAN), as shown below.

Now goto Action Tab in the same window, then select Action=Masquerade, then Apply and OK.

Now we will setup Bandwidth restriction (10kbps per IP in 192.168.0.0/24 range). Goto Queues, then goto Queue Types, then press the plus sign to add a custom Queue Type. In the name field enter your desired name, select kind=pcq. As shown below.

Now goto Settings Tab in the same window, and enter the Rate to 10000 (i.e equal to 10kbps), also select Dst. Address, as shown below.

Now for Upload limit repeat the same procedure to create another Queue Type name it something different and in the Settings Tab instead of selecting Dst. Address this time select Src. Address. Apply and OK

Now in the Queues window goto Simple Queues Tab, and add a new simple queue by pressing plus sign. Enter your desired name, then add a Target Address=192.168.0.0/24 the IP Range of your local network.

Now goto Advanced Tab in the same window and in Queue Type in the Target Upload select the Queue Type that we created before for upload restriction purpose, do the same for Target Download. As shown below. Press Apply and OK.

As per the steps shown and performed, you should now have an up and running MT Router, that will serve Internet Service to local network with IP Range 192.168.0.0/24 that will be given by the DHCP Server.

Hope this will help out many people.

Created by Mudasir Mirza

Retrieved from "http://wiki.mikrotik.com/wiki/Cable_setup"

======================================================

Basic traffic shaping based on layer-7 protocols

From MikroTik Wiki

Jump to: navigation, search

If we want to secure decent internet browsing for more users using same internet conection, but we don't want to disable any protocols (such as p2p), just to make higer priority on http, we can use these rules.

Packets are marked at the public side in /ip firewall mangle. Packets are marked based on layer-7 signatures and then queued.

First we add layer7 signatures to router:

/ip firewall layer7-protocol add comment="" name=edonkey regexp="^[\C5\D4\E3-\E5].\?.\?.\?.\?([\01\02\05\14\    \15\16\18\19\1A\1B\1C !234568@ABCFGHIJKLMNOPQRSTUVWX[`\81\82\90\91\93\96\    \97\98\99\9A\9B\9C\9E\A0\A1\A2\A3\A4]|Y................\?[ -~]|\96....\$)" add comment="" name=goboogy regexp="|^get /getfilebyhash\\.cgi\\\?|^\    get /queue_register\\.cgi\\\?|^get /getupdowninfo\\.cgi\\\?" add comment="" name=soribada regexp="^GETMP3\r\    \nFilename|^\01.\?.\?.\?(Q:\\+|Q2:)|^\10[\14-\16]\10[\15-\17].\?.\?.\?.\?\    \$" add comment="" name=rdp regexp=rdpdr.*cliprdr.*rdpsnd add comment="" name=gnutella regexp="^(gnd[\01\02]\?.\?.\?\01|gnutella connect\    /[012]\\.[0-9]\r\    \n|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshar\    e|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: applicat\    ion/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]\?[\    0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?:[\    1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*content-type: application/x-gnutella|.\    ..................\?lime)" add comment="" name=cvs regexp="^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\    \n" add comment="" name=nbns regexp="\01\10\01|\\)\10\01\01|0\10\01" add comment="" name=shoutcast regexp=\    "icy [1-5][0-9][0-9] [\t-\r -~]*(content-type:audio|icy-)" add comment="" name=dns regexp="^.\?.\?.\?.\?[\01\02].\?.\?.\?.\?.\?.\?[\01-\?\    ][a-z0-9][\01-\?a-z]*[\02-\06][a-z][a-z][fglmoprstuvz]\?[aeop]\?(um)\?[\01\    -\10\1C][\01\03\04\FF]" add comment="" name=quake-halflife regexp="^\FF\FF\FF\FFget(info|challenge)" add comment="" name=poco regexp="^\80\94\    \n\01....\1F\9E" add comment="" name=ciscovpn regexp="^\01\F4\01\F4" add comment="" name=x11 regexp="^[lb].\?\0B" add comment="" name=xboxlive regexp="^X\80........\F3|^\06XN" add comment="" name=applejuice regexp="^ajprot\r\    \n" add comment="" name=zmaap regexp="^\1B\D7;H[\01\02]\01\?\01" add comment="" name=live365 regexp=membername.*session.*player add comment="" name=rlogin regexp=\    "^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]\?[0-9]\?[0-9]\?00" add comment="" name=http regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\t-\    \r -~]*(connection:|content-type:|content-length:|date:)|post [\t-\r -~]* \    http/[01]\\.[019]" add comment="" name=sip regexp=\    "^(invite|register|cancel) sip[\t-\r -~]*sip/[0-2]\\.[0-9]" add comment="" name=pop3 regexp="^(\\+ok |-err )" add comment="" name=smb regexp="\FFsmb[r%]" add comment="" name=quake1 regexp="^\80\0C\01quake\03" add comment="" name=lpd regexp="^(\01[!-~]+|\02[!-~]+\    \n.[\01\02\03][\01-\    \n -~]*|[\03\04][!-~]+[\t-\r]+[a-z][\t-\r -~]*|\05[!-~]+[\t-\r]+([a-z][!-~\    ]*[\t-\r]+[1-9][0-9]\?[0-9]\?|root[\t-\r]+[!-~]+).*)\    \n\$" add comment="" name=mute regexp=\    "^(Public|AES)Key: [0-9a-f]*\    \nEnd(Public|AES)Key\    \n\$" add comment="" name=ssh regexp="^ssh-[12]\\.[0-9]" add comment="" name=jabber regexp=\    ".\?.\?.\?.\?.\?.\?.\?.\?>|\\\?.\?.\?.\?.\?.\?.\?.\?.\?\\\    \?|@.\?.\?.\?.\?.\?.\?.\?.\?@|A.\?.\?.\?.\?.\?.\?.\?.\?A|B.\?.\?.\?.\?.\?.\    \?.\?.\?B|C.\?.\?.\?.\?.\?.\?.\?.\?C|D.\?.\?.\?.\?.\?.\?.\?.\?D|E.\?.\?.\?\    .\?.\?.\?.\?.\?E|F.\?.\?.\?.\?.\?.\?.\?.\?F|G.\?.\?.\?.\?.\?.\?.\?.\?G|H.\    \?.\?.\?.\?.\?.\?.\?.\?H|I.\?.\?.\?.\?.\?.\?.\?.\?I|J.\?.\?.\?.\?.\?.\?.\?\    .\?J|K.\?.\?.\?.\?.\?.\?.\?.\?K|L.\?.\?.\?.\?.\?.\?.\?.\?L|M.\?.\?.\?.\?.\    \?.\?.\?.\?M|N.\?.\?.\?.\?.\?.\?.\?.\?N|O.\?.\?.\?.\?.\?.\?.\?.\?O|P.\?.\?\    .\?.\?.\?.\?.\?.\?P|Q.\?.\?.\?.\?.\?.\?.\?.\?Q|R.\?.\?.\?.\?.\?.\?.\?.\?R|\    S.\?.\?.\?.\?.\?.\?.\?.\?S|T.\?.\?.\?.\?.\?.\?.\?.\?T|U.\?.\?.\?.\?.\?.\?.\    \?.\?U|V.\?.\?.\?.\?.\?.\?.\?.\?V|W.\?.\?.\?.\?.\?.\?.\?.\?W|X.\?.\?.\?.\?\    .\?.\?.\?.\?X|Y.\?.\?.\?.\?.\?.\?.\?.\?Y|Z.\?.\?.\?.\?.\?.\?.\?.\?Z|\\[.\?\    .\?.\?.\?.\?.\?.\?.\?\\[|\\].\?.\?.\?.\?.\?.\?.\?.\?\\]|\\].\?.\?.\?.\?.\?\    .\?.\?.\?\\]|\\^.\?.\?.\?.\?.\?.\?.\?.\?\\^|_.\?.\?.\?.\?.\?.\?.\?.\?_|`.\    \?.\?.\?.\?.\?.\?.\?.\?`|a.\?.\?.\?.\?.\?.\?.\?.\?a|b.\?.\?.\?.\?.\?.\?.\?\    .\?b|c.\?.\?.\?.\?.\?.\?.\?.\?c|d.\?.\?.\?.\?.\?.\?.\?.\?d|e.\?.\?.\?.\?.\    \?.\?.\?.\?e|f.\?.\?.\?.\?.\?.\?.\?.\?f|g.\?.\?.\?.\?.\?.\?.\?.\?g|h.\?.\?\    .\?.\?.\?.\?.\?.\?h|i.\?.\?.\?.\?.\?.\?.\?.\?i|j.\?.\?.\?.\?.\?.\?.\?.\?j|\    k.\?.\?.\?.\?.\?.\?.\?.\?k|l.\?.\?.\?.\?.\?.\?.\?.\?l|m.\?.\?.\?.\?.\?.\?.\    \?.\?m|n.\?.\?.\?.\?.\?.\?.\?.\?n|o.\?.\?.\?.\?.\?.\?.\?.\?o|p.\?.\?.\?.\?\    .\?.\?.\?.\?p|q.\?.\?.\?.\?.\?.\?.\?.\?q|r.\?.\?.\?.\?.\?.\?.\?.\?r|s.\?.\    \?.\?.\?.\?.\?.\?.\?s|t.\?.\?.\?.\?.\?.\?.\?.\?t|u.\?.\?.\?.\?.\?.\?.\?.\?\    u|v.\?.\?.\?.\?.\?.\?.\?.\?v|w.\?.\?.\?.\?.\?.\?.\?.\?w|x.\?.\?.\?.\?.\?.\    \?.\?.\?x|y.\?.\?.\?.\?.\?.\?.\?.\?y|z.\?.\?.\?.\?.\?.\?.\?.\?z|\\{.\?.\?.\    \?.\?.\?.\?.\?.\?\\{|\\|.\?.\?.\?.\?.\?.\?.\?.\?\\||\\}.\?.\?.\?.\?.\?.\?.\    \?.\?\\}|~.\?.\?.\?.\?.\?.\?.\?.\?~|\7F.\?.\?.\?.\?.\?.\?.\?.\?\7F|\80.\?.\    \?.\?.\?.\?.\?.\?.\?\80|\81.\?.\?.\?.\?.\?.\?.\?.\?\81|\82.\?.\?.\?.\?.\?.\    \?.\?.\?\82|\83.\?.\?.\?.\?.\?.\?.\?.\?\83|\84.\?.\?.\?.\?.\?.\?.\?.\?\84|\    \85.\?.\?.\?.\?.\?.\?.\?.\?\85|\86.\?.\?.\?.\?.\?.\?.\?.\?\86|\87.\?.\?.\?\    .\?.\?.\?.\?.\?\87|\88.\?.\?.\?.\?.\?.\?.\?.\?\88|\89.\?.\?.\?.\?.\?.\?.\?\    .\?\89|\8A.\?.\?.\?.\?.\?.\?.\?.\?\8A|\8B.\?.\?.\?.\?.\?.\?.\?.\?\8B|\8C.\    \?.\?.\?.\?.\?.\?.\?.\?\8C|\8D.\?.\?.\?.\?.\?.\?.\?.\?\8D|\8E.\?.\?.\?.\?.\    \?.\?.\?.\?\8E|\8F.\?.\?.\?.\?.\?.\?.\?.\?\8F|\90.\?.\?.\?.\?.\?.\?.\?.\?\    \90|\91.\?.\?.\?.\?.\?.\?.\?.\?\91|\92.\?.\?.\?.\?.\?.\?.\?.\?\92|\93.\?.\    \?.\?.\?.\?.\?.\?.\?\93|\94.\?.\?.\?.\?.\?.\?.\?.\?\94|\95.\?.\?.\?.\?.\?.\    \?.\?.\?\95|\96.\?.\?.\?.\?.\?.\?.\?.\?\96|\97.\?.\?.\?.\?.\?.\?.\?.\?\97|\    \98.\?.\?.\?.\?.\?.\?.\?.\?\98|\99.\?.\?.\?.\?.\?.\?.\?.\?\99|\9A.\?.\?.\?\    .\?.\?.\?.\?.\?\9A|\9B.\?.\?.\?.\?.\?.\?.\?.\?\9B|\9C.\?.\?.\?.\?.\?.\?.\?\    .\?\9C|\9D.\?.\?.\?.\?.\?.\?.\?.\?\9D|\9E.\?.\?.\?.\?.\?.\?.\?.\?\9E|\9F.\    \?.\?.\?.\?.\?.\?.\?.\?\9F|\A0.\?.\?.\?.\?.\?.\?.\?.\?\A0|\A1.\?.\?.\?.\?.\    \?.\?.\?.\?\A1|\A2.\?.\?.\?.\?.\?.\?.\?.\?\A2|\A3.\?.\?.\?.\?.\?.\?.\?.\?\    \A3|\A4.\?.\?.\?.\?.\?.\?.\?.\?\A4|\A5.\?.\?.\?.\?.\?.\?.\?.\?\A5|\A6.\?.\    \?.\?.\?.\?.\?.\?.\?\A6|\A7.\?.\?.\?.\?.\?.\?.\?.\?\A7|\A8.\?.\?.\?.\?.\?.\    \?.\?.\?\A8|\A9.\?.\?.\?.\?.\?.\?.\?.\?\A9|\AA.\?.\?.\?.\?.\?.\?.\?.\?\AA|\    \AB.\?.\?.\?.\?.\?.\?.\?.\?\AB|\AC.\?.\?.\?.\?.\?.\?.\?.\?\AC|\AD.\?.\?.\?\    .\?.\?.\?.\?.\?\AD|\AE.\?.\?.\?.\?.\?.\?.\?.\?\AE|\AF.\?.\?.\?.\?.\?.\?.\?\    .\?\AF|\B0.\?.\?.\?.\?.\?.\?.\?.\?\B0|\B1.\?.\?.\?.\?.\?.\?.\?.\?\B1|\B2.\    \?.\?.\?.\?.\?.\?.\?.\?\B2|\B3.\?.\?.\?.\?.\?.\?.\?.\?\B3|\B4.\?.\?.\?.\?.\    \?.\?.\?.\?\B4|\B5.\?.\?.\?.\?.\?.\?.\?.\?\B5|\B6.\?.\?.\?.\?.\?.\?.\?.\?\    \B6|\B7.\?.\?.\?.\?.\?.\?.\?.\?\B7|\B8.\?.\?.\?.\?.\?.\?.\?.\?\B8|\B9.\?.\    \?.\?.\?.\?.\?.\?.\?\B9|\BA.\?.\?.\?.\?.\?.\?.\?.\?\BA|\BB.\?.\?.\?.\?.\?.\    \?.\?.\?\BB|\BC.\?.\?.\?.\?.\?.\?.\?.\?\BC|\BD.\?.\?.\?.\?.\?.\?.\?.\?\BD|\    \BE.\?.\?.\?.\?.\?.\?.\?.\?\BE|\BF.\?.\?.\?.\?.\?.\?.\?.\?\BF|\C0.\?.\?.\?\    .\?.\?.\?.\?.\?\C0|\C1.\?.\?.\?.\?.\?.\?.\?.\?\C1|\C2.\?.\?.\?.\?.\?.\?.\?\    .\?\C2|\C3.\?.\?.\?.\?.\?.\?.\?.\?\C3|\C4.\?.\?.\?.\?.\?.\?.\?.\?\C4|\C5.\    \?.\?.\?.\?.\?.\?.\?.\?\C5|\C6.\?.\?.\?.\?.\?.\?.\?.\?\C6|\C7.\?.\?.\?.\?.\    \?.\?.\?.\?\C7|\C8.\?.\?.\?.\?.\?.\?.\?.\?\C8|\C9.\?.\?.\?.\?.\?.\?.\?.\?\    \C9|\CA.\?.\?.\?.\?.\?.\?.\?.\?\CA|\CB.\?.\?.\?.\?.\?.\?.\?.\?\CB|\CC.\?.\    \?.\?.\?.\?.\?.\?.\?\CC|\CD.\?.\?.\?.\?.\?.\?.\?.\?\CD|\CE.\?.\?.\?.\?.\?.\    \?.\?.\?\CE|\CF.\?.\?.\?.\?.\?.\?.\?.\?\CF|\D0.\?.\?.\?.\?.\?.\?.\?.\?\D0|\    \D1.\?.\?.\?.\?.\?.\?.\?.\?\D1|\D2.\?.\?.\?.\?.\?.\?.\?.\?\D2|\D3.\?.\?.\?\    .\?.\?.\?.\?.\?\D3|\D4.\?.\?.\?.\?.\?.\?.\?.\?\D4|\D5.\?.\?.\?.\?.\?.\?.\?\    .\?\D5|\D6.\?.\?.\?.\?.\?.\?.\?.\?\D6|\D7.\?.\?.\?.\?.\?.\?.\?.\?\D7|\D8.\    \?.\?.\?.\?.\?.\?.\?.\?\D8|\D9.\?.\?.\?.\?.\?.\?.\?.\?\D9|\DA.\?.\?.\?.\?.\    \?.\?.\?.\?\DA|\DB.\?.\?.\?.\?.\?.\?.\?.\?\DB|\DC.\?.\?.\?.\?.\?.\?.\?.\?\    \DC|\DD.\?.\?.\?.\?.\?.\?.\?.\?\DD|\DE.\?.\?.\?.\?.\?.\?.\?.\?\DE|\DF.\?.\    \?.\?.\?.\?.\?.\?.\?\DF|\E0.\?.\?.\?.\?.\?.\?.\?.\?\E0|\E1.\?.\?.\?.\?.\?.\    \?.\?.\?\E1|\E2.\?.\?.\?.\?.\?.\?.\?.\?\E2|\E3.\?.\?.\?.\?.\?.\?.\?.\?\E3|\    \E4.\?.\?.\?.\?.\?.\?.\?.\?\E4|\E5.\?.\?.\?.\?.\?.\?.\?.\?\E5|\E6.\?.\?.\?\    .\?.\?.\?.\?.\?\E6|\E7.\?.\?.\?.\?.\?.\?.\?.\?\E7|\E8.\?.\?.\?.\?.\?.\?.\?\    .\?\E8|\E9.\?.\?.\?.\?.\?.\?.\?.\?\E9|\EA.\?.\?.\?.\?.\?.\?.\?.\?\EA|\EB.\    \?.\?.\?.\?.\?.\?.\?.\?\EB|\EC.\?.\?.\?.\?.\?.\?.\?.\?\EC|\ED.\?.\?.\?.\?.\    \?.\?.\?.\?\ED|\EE.\?.\?.\?.\?.\?.\?.\?.\?\EE|\EF.\?.\?.\?.\?.\?.\?.\?.\?\    \EF|\F0.\?.\?.\?.\?.\?.\?.\?.\?\F0|\F1.\?.\?.\?.\?.\?.\?.\?.\?\F1|\F2.\?.\    \?.\?.\?.\?.\?.\?.\?\F2|\F3.\?.\?.\?.\?.\?.\?.\?.\?\F3|\F4.\?.\?.\?.\?.\?.\    \?.\?.\?\F4|\F5.\?.\?.\?.\?.\?.\?.\?.\?\F5|\F6.\?.\?.\?.\?.\?.\?.\?.\?\F6|\    \F7.\?.\?.\?.\?.\?.\?.\?.\?\F7|\F8.\?.\?.\?.\?.\?.\?.\?.\?\F8|\F9.\?.\?.\?\    .\?.\?.\?.\?.\?\F9|\FA.\?.\?.\?.\?.\?.\?.\?.\?\FA|\FB.\?.\?.\?.\?.\?.\?.\?\    .\?\FB|\FC.\?.\?.\?.\?.\?.\?.\?.\?\FC|\FD.\?.\?.\?.\?.\?.\?.\?.\?\FD|\FE.\    \?.\?.\?.\?.\?.\?.\?.\?\FE|\FF.\?.\?.\?.\?.\?.\?.\?.\?\FF)" add comment="" name=skypetoskype regexp="^..\02............." add comment="" name=counterstrike-source regexp=\    "^\FF\FF\FF\FF.*cstrikeCounter-Strike" add comment="" name=halflife2-deathmatch regexp=\    "^\FF\FF\FF\FF.*hl2mpDeathmatch" add comment="" name=freenet regexp="^\01[\08\t][\03\04]" add comment="" name=battlefield2 regexp="^(\11 \01...\?\11|\FE\FD.\?.\?.\?.\?.\    \?.\?(\14\01\06|\FF\FF\FF))|[]\01].\?battlefield2" add comment="" name=napster regexp="^(.[\02\06][!-~]+ [!-~]+ [0-9][0-9]\?[0-9]\    \?[0-9]\?[0-9]\? \"[\t-\r -~]+\" ([0-9]|10)|1(send|get)[!-~]+ \"[\t-\r -~]\    +\")" add comment="" name=soulseek regexp=\    "^(\05..\?|.\01.[ -~]+\01F..\?.\?.\?.\?.\?.\?.\?)\$" add comment="" name=xunlei regexp="^[()]...\?.\?.\?(reg|get|query)" add comment="" name=ssl regexp=\    "^(.\?.\?\16\03.*\16\03|.\?.\?\01\03\01\?.*\0B)" add comment="" name=citrix regexp="2&\85\92X" add comment="" name=whois regexp="^[ !-~]+\r\    \n\$" add comment="" name=dayofdefeat-source regexp=\    "^\FF\FF\FF\FF.*dodDay of Defeat" add comment="" name=teamspeak regexp="^\F4\BE\03.*teamspeak" add comment="" name=worldofwarcraft regexp="^\06\EC\01" add comment="" name=ventrilo regexp="^..\?v\\\$\CF" add comment="" name=http-rtsp regexp="^(get[\t-\r -~]* Accept: application/x-r\    tsp-tunnelled|http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\t-\r -~]*a=contro\    l:rtsp://)" add comment="" name=thecircle regexp=\    "^t\03ni.\?[\01-\06]\?t[\01-\05]s[\    \n\0B](glob|who are you\$|query data)" add comment="" name=uucp regexp="^\10here=" add comment="" name=pcanywhere regexp="^(nq|st)\$" add comment="" name=subversion regexp="^\\( success \\( 1 2 \\(" add comment="" name=imesh regexp="^(post[\t-\r -~]*.............\    ...................|4\80\?\r\?\FC\FF\04|get[\t-\    \r -~]*Host: imsh\\.download-prod\\.musicnet\\.com|\02(\01|\02)\83.\?.\?.\    \?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?\    .\?\02(\01|\02)\83)" add comment="" name=cimd regexp="\02[0-4][0-9]:[0-9]+.*\03\$" add comment="" name=mohaa regexp="^\FF\FF\FF\FFgetstatus\    \n" add comment="" name=stun regexp="^[\01\02]................\?\$" add comment="" name=tor regexp=TOR1.* add comment="" name=radmin regexp="^\01\01(\08\08|\1B\1B)\$" add comment="" name=unset regexp=. add comment="" name=chikka regexp="^CTPv1.[123] Kamusta.*\r\    \n\$" add comment="" name=replaytv-ivs regexp="^(get /ivs-IVSGetFileChunk|http/(0\\.\    9|1\\.0|1\\.1) [1-5][0-9][0-9] [\t-\r -~]*#####REPLAY_CHUNK_START#####)" add comment="" name=armagetron regexp=YCLC_E|CYEL

Then we create mangle rules - substitute dsl interface in this example to suit your needs (wan, ether1 etc.)

/ip firewall mangle add action=mark-packet chain=prerouting comment=100bao_p2p disabled=no \    in-interface=dsl layer7-protocol=100bao new-packet-mark=100bao_p2p_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=100bao new-packet-mark=100bao_p2p_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment="aim mesenger" disabled=no \    in-interface=dsl layer7-protocol=aim new-packet-mark=aim_mesanger_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=aim new-packet-mark=aim_mesanger_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=aim_messenger_web disabled=no \    in-interface=dsl layer7-protocol=aimwebcontent new-packet-mark=\    aim_mesenger_web_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=aimwebcontent new-packet-mark=aim_mesenger_web_out \    out-interface=dsl passthrough=yes add action=mark-packet chain=prerouting comment=applejuice_p2p disabled=no \    in-interface=dsl layer7-protocol=applejuice new-packet-mark=applejuice_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=applejuice new-packet-mark=applejuice_out out-interface=\    dsl passthrough=yes add action=mark-packet chain=prerouting comment=ares_p2p disabled=no \    in-interface=dsl layer7-protocol=ares new-packet-mark=ares_p2p_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=ares new-packet-mark=ares_p2p_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=bgp_routing disabled=no \    in-interface=dsl layer7-protocol=bgp new-packet-mark=bgp_routing_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=bgp new-packet-mark=bgp_routing_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=bittorent_p2p disabled=no \    in-interface=dsl layer7-protocol=bittorrent new-packet-mark=bittorent_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=bittorrent new-packet-mark=bittorent_out out-interface=\    dsl passthrough=yes add action=mark-packet chain=prerouting comment=dhcp disabled=no \    in-interface=dsl layer7-protocol=dhcp new-packet-mark=dhcp_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=dhcp new-packet-mark=dhcp_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "Direct Connect - P2P filesharing " disabled=no in-interface=dsl \    layer7-protocol=directconnect new-packet-mark=DC_p2p_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=directconnect new-packet-mark=DC_p2p_out out-interface=\    dsl passthrough=yes add action=mark-packet chain=prerouting comment="DNS - Domain Name System " \    disabled=no in-interface=dsl layer7-protocol=dns new-packet-mark=DNS_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=dns new-packet-mark=DNS_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "eDonkey2000 - P2P filesharing " disabled=no in-interface=dsl \    layer7-protocol=edonkey new-packet-mark=edonkey_p2p_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=edonkey new-packet-mark=edonkey_p2p_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)" \    disabled=no in-interface=dsl layer7-protocol=fasttrack new-packet-mark=\    fasttrack_p2p_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=fasttrack new-packet-mark=fasttrack_p2p_out \    out-interface=dsl passthrough=yes add action=mark-packet chain=prerouting comment=\    "FTP - File Transfer Protocol " disabled=no in-interface=dsl \    layer7-protocol=ftp new-packet-mark=ftp_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=ftp new-packet-mark=ftp_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment="GnucleusLAN - LAN-only P2P " \    disabled=no in-interface=dsl layer7-protocol=gnucleuslan new-packet-mark=\    gnu_p2p_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=gnucleuslan new-packet-mark=gnu_p2p_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment="Gnutella - P2P filesharing" \    disabled=no in-interface=dsl layer7-protocol=gnutella new-packet-mark=\    gnutella_p2p_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=gnutella new-packet-mark=gnutella_p2p_out out-interface=\    dsl passthrough=yes add action=mark-packet chain=prerouting comment=\    "GoBoogy - a Korean P2P protocol" disabled=no in-interface=dsl \    layer7-protocol=goboogy new-packet-mark=gobogy_p2p_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=goboogy new-packet-mark=gobogy_p2p_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment="H.323 - Voice over IP" \    disabled=no in-interface=dsl layer7-protocol=h323 new-packet-mark=\    h323_voiceoverip_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=h323 new-packet-mark=h323_voiceoverip_out out-interface=\    dsl passthrough=yes add action=mark-packet chain=prerouting comment="RTSP tunneled within HTTP" \    disabled=no in-interface=dsl layer7-protocol=http-rtsp new-packet-mark=\    httprtsp_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=http-rtsp new-packet-mark=httprtsp_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "www HyperText Transfer Protocol " disabled=no in-interface=dsl \    layer7-protocol=http new-packet-mark=http_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=http new-packet-mark=http_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "Ident - Identification Protocol - RFC 1413" disabled=no in-interface=dsl \    layer7-protocol=ident new-packet-mark=ident_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=ident new-packet-mark=ident_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "IMAP - Internet Message Access Protocol (A common e-mail protocol)" \    disabled=no in-interface=dsl layer7-protocol=imap new-packet-mark=imap_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=imap new-packet-mark=imap_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "iMesh - the native protocol of iMesh, a P2P application " disabled=no \    in-interface=dsl layer7-protocol=imesh new-packet-mark=imesh_p2p_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=imesh new-packet-mark=imesh_p2p_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment="IRC - Internet Relay Chat" \    disabled=no in-interface=dsl layer7-protocol=irc new-packet-mark=irc_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=irc new-packet-mark=irc_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "KuGoo - a Chinese P2P program " disabled=no in-interface=dsl \    layer7-protocol=kugoo new-packet-mark=koogo_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=kugoo new-packet-mark=koogo_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "MSN (Micosoft Network) Messenger file transfers " disabled=no \    in-interface=dsl layer7-protocol=msn-filetransfer new-packet-mark=\    msnfile_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=msn-filetransfer new-packet-mark=msnfile_out \    out-interface=dsl passthrough=yes add action=mark-packet chain=prerouting comment="MSN Messenger " disabled=no \    in-interface=dsl layer7-protocol=msnmessenger new-packet-mark=msn_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=msnmessenger new-packet-mark=msn_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment="MUTE - P2P filesharing " \    disabled=no in-interface=dsl layer7-protocol=mute new-packet-mark=\    mute_p2p_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=mute new-packet-mark=mute_p2p_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment="Napster - P2P filesharing" \    disabled=no in-interface=dsl layer7-protocol=napster new-packet-mark=\    napster_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=napster new-packet-mark=napster_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "NetBIOS - Network Basic Input Output System" disabled=no in-interface=\    dsl layer7-protocol=netbios new-packet-mark=netbios_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=netbios new-packet-mark=netbios_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "NNTP - Network News Transfer Protocol " disabled=no in-interface=dsl \    layer7-protocol=nntp new-packet-mark=nntp_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=nntp new-packet-mark=nntp_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "SNTP - (Simple) Network Time Protocol " disabled=no in-interface=dsl \    layer7-protocol=ntp new-packet-mark=ntp_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=ntp new-packet-mark=ntp_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "Remote Administrator - remote desktop for MS Windows" disabled=no \    in-interface=dsl layer7-protocol=radmin new-packet-mark=radmin_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=radmin new-packet-mark=radmin_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "Remote Desktop Protocol (used in Windows Terminal Services)" disabled=no \    in-interface=dsl layer7-protocol=rdp new-packet-mark=rdp_in passthrough=\    yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=rdp new-packet-mark=rdp_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "RTSP - Real Time Streaming Protocol " disabled=no in-interface=dsl \    layer7-protocol=rtsp new-packet-mark=rtsp_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=rtsp new-packet-mark=rtsp_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "SIP - Session Initiation Protocol - Internet telephony " disabled=no \    in-interface=dsl layer7-protocol=sip new-packet-mark=sip_in passthrough=\    yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=sip new-packet-mark=sip_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "Skype to phone - UDP voice call " disabled=no in-interface=dsl \    layer7-protocol=skypeout new-packet-mark=skypeout_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=skypeout new-packet-mark=skypeout_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "Skype to Skype - UDP voice call " disabled=no in-interface=dsl \    layer7-protocol=skypetoskype new-packet-mark=skype2skype_in passthrough=\    yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=skypetoskype new-packet-mark=skype2skype_out \    out-interface=dsl passthrough=yes add action=mark-packet chain=prerouting comment=\    "POP3 - Post Office Protocol version 3" disabled=no in-interface=dsl \    layer7-protocol=pop3 new-packet-mark=pop3_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=pop3 new-packet-mark=pop3_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "SMTP - Simple Mail Transfer Protocol " disabled=no in-interface=dsl \    layer7-protocol=smtp new-packet-mark=smtp_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=smtp new-packet-mark=smtp_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "SNMP - Simple Network Management Protocol " disabled=no in-interface=dsl \    layer7-protocol=snmp new-packet-mark=snmp_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=snmp new-packet-mark=snmp_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment="Soulseek - P2P filesharing " \    disabled=no in-interface=dsl layer7-protocol=soulseek new-packet-mark=\    soulsek_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=soulseek new-packet-mark=soulsek_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment="SSH - Secure SHell" \    disabled=no in-interface=dsl layer7-protocol=ssh new-packet-mark=ssh_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=ssh new-packet-mark=ssh_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "SSL and TLS - Secure Socket Layer / Transport Layer Security " disabled=\    no in-interface=dsl layer7-protocol=ssl new-packet-mark=ssl_in \    passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=ssl new-packet-mark=ssl_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=vnc disabled=no in-interface=\    dsl layer7-protocol=vnc new-packet-mark=vnc_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=vnc new-packet-mark=vnc_out out-interface=dsl \    passthrough=yes add action=mark-packet chain=prerouting comment=\    "TeamSpeak - VoIP application " disabled=no in-interface=dsl \    layer7-protocol=teamspeak new-packet-mark=teamspeak_in passthrough=yes add action=mark-packet chain=postrouting comment="" disabled=no \    layer7-protocol=teamspeak new-packet-mark=teamspeak_out out-interface=dsl \    passthrough=yes

Then we create quueue tree, and change Max upload and download speed under DSL_IN and DSL_OUT (global-in gloabal-out) and chanege priority rules to suit your needs:

/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=\    10000000 max-limit=11000000 name=DSL_IN packet-mark="" parent=global-in \    priority=1 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=100bao_p2p_in packet-mark=100bao_p2p_in parent=DSL_IN \    priority=8 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=aim_mesanger_in packet-mark=aim_mesanger_in parent=\    DSL_IN priority=6 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=aim_mesenger_web_in packet-mark=aim_mesenger_web_in \    parent=DSL_IN priority=6 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=applejuice_in packet-mark=applejuice_in parent=DSL_IN \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ares_p2p_in packet-mark=ares_p2p_in parent=DSL_IN \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=http_in packet-mark=http_in parent=DSL_IN priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=bittorent_in packet-mark=bittorent_in parent=DSL_IN \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=dhcp_in packet-mark=dhcp_in parent=DSL_IN priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=DC_p2p_in packet-mark=DC_p2p_in parent=DSL_IN priority=7 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=DNS_in packet-mark=DNS_in parent=DSL_IN priority=1 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=edonkey_p2p_in packet-mark=edonkey_p2p_in parent=DSL_IN \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=fasttrack_p2p_in packet-mark=fasttrack_p2p_in parent=\    DSL_IN priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ftp_in packet-mark=ftp_in parent=DSL_IN priority=5 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=gnu_p2p_in packet-mark=gnu_p2p_in parent=DSL_IN \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=gnutella_p2p_in packet-mark=gnutella_p2p_in parent=\    DSL_IN priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=gobogy_p2p_in packet-mark=gobogy_p2p_in parent=DSL_IN \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=h323_voiceoverip_in packet-mark=h323_voiceoverip_in \    parent=DSL_IN priority=4 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=httprtsp_in packet-mark=httprtsp_in parent=DSL_IN \    priority=5 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ident_in packet-mark=ident_in parent=DSL_IN priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=imap_in packet-mark=imap_in parent=DSL_IN priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=imesh_p2p_in packet-mark=imesh_p2p_in parent=DSL_IN \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=irc_in packet-mark=irc_in parent=DSL_IN priority=5 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=msnfile_in packet-mark=msnfile_in parent=DSL_IN \    priority=6 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=mute_p2p_in packet-mark=mute_p2p_in parent=DSL_IN \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=napster_in packet-mark=napster_in parent=DSL_IN \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=netbios_in packet-mark=netbios_in parent=DSL_IN \    priority=2 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=nntp_in packet-mark=nntp_in parent=DSL_IN priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=radmin_in packet-mark=radmin_in parent=DSL_IN priority=4 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ntp_in packet-mark=ntp_in parent=DSL_IN priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=rdp_in packet-mark=rdp_in parent=DSL_IN priority=4 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=rtsp_in packet-mark=rtsp_in parent=DSL_IN priority=6 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=sip_in packet-mark=sip_in parent=DSL_IN priority=4 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=skypeout_in packet-mark=skypeout_in parent=DSL_IN \    priority=5 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=skype2skype_in packet-mark=skype2skype_in parent=DSL_IN \    priority=5 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=pop3_in packet-mark=pop3_in parent=DSL_IN priority=5 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=smtp_in packet-mark=smtp_in parent=DSL_IN priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=snmp_in packet-mark=snmp_in parent=DSL_IN priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=soulsek_in packet-mark=soulsek_in parent=DSL_IN \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ssh_in packet-mark=ssh_in parent=DSL_IN priority=3 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ssl_in packet-mark=ssl_in parent=DSL_IN priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=vnc_in packet-mark=vnc_in parent=DSL_IN priority=4 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=teamspeak_in packet-mark=teamspeak_in parent=DSL_IN \    priority=4 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500000 \    max-limit=600000 name=DSL_OUT packet-mark="" parent=global-out priority=1 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=100bao_p2p_out packet-mark=100bao_p2p_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=aim_mesanger_out packet-mark=aim_mesanger_out parent=\    DSL_OUT priority=6 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=aim_mesenger_web_out packet-mark=aim_mesenger_web_out \    parent=DSL_OUT priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ares_p2p_out packet-mark=ares_p2p_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=bgp_routing_out packet-mark=bgp_routing_out parent=\    DSL_OUT priority=2 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=bittorent_out packet-mark=bittorent_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=dhcp_out packet-mark=dhcp_out parent=DSL_OUT priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=DC_p2p_out packet-mark=DC_p2p_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=DNS_out packet-mark=DNS_out parent=DSL_OUT priority=1 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=edonkey_p2p_out packet-mark=edonkey_p2p_out parent=\    DSL_OUT priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=fasttrack_p2p_out packet-mark=fasttrack_p2p_out parent=\    DSL_OUT priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ftp_out packet-mark=ftp_out parent=DSL_OUT priority=5 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=gnu_p2p_out packet-mark=gnu_p2p_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=gnutella_p2p_out packet-mark=gnutella_p2p_out parent=\    DSL_OUT priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=gobogy_p2p_out packet-mark=gobogy_p2p_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=h323_voiceoverip_out packet-mark=h323_voiceoverip_out \    parent=DSL_OUT priority=4 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=httprtsp_out packet-mark=httprtsp_out parent=DSL_OUT \    priority=5 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=http_out packet-mark=http_out parent=DSL_OUT priority=3 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ident_out packet-mark=ident_out parent=DSL_OUT priority=\    2 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=imap_out packet-mark=imap_out parent=DSL_OUT priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=imesh_p2p_out packet-mark=imesh_p2p_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=irc_out packet-mark=irc_out parent=DSL_OUT priority=4 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=koogo_out packet-mark=koogo_out parent=DSL_OUT priority=\    7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=msnfile_out packet-mark=msnfile_out parent=DSL_OUT \    priority=6 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=msn_out packet-mark=msn_out parent=DSL_OUT priority=5 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=mute_p2p_out packet-mark=mute_p2p_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=napster_out packet-mark=napster_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=netbios_out packet-mark=netbios_out parent=DSL_OUT \    priority=2 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=nntp_out packet-mark=nntp_out parent=DSL_OUT priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ntp_out packet-mark=ntp_out parent=DSL_OUT priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=radmin_out packet-mark=radmin_out parent=DSL_OUT \    priority=4 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=rdp_out packet-mark=rdp_out parent=DSL_OUT priority=4 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=rtsp_out packet-mark=rtsp_out parent=DSL_OUT priority=5 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=sip_out packet-mark=sip_out parent=DSL_OUT priority=4 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=skypeout_out packet-mark=skypeout_out parent=DSL_OUT \    priority=5 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=skype2skype_out packet-mark=skype2skype_out parent=\    DSL_OUT priority=5 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=pop3_out packet-mark=pop3_out parent=DSL_OUT priority=4 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=smtp_out packet-mark=smtp_out parent=DSL_OUT priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=snmp_out packet-mark=snmp_out parent=DSL_OUT priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=soulsek_out packet-mark=soulsek_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ssh_out packet-mark=ssh_out parent=DSL_OUT priority=3 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=ssl_out packet-mark=ssl_out parent=DSL_OUT priority=2 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=vnc_out packet-mark=vnc_out parent=DSL_OUT priority=5 \    queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=teamspeak_out packet-mark=teamspeak_out parent=DSL_OUT \    priority=5 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=applejuice_out packet-mark=applejuice_out parent=DSL_OUT \    priority=7 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \    max-limit=0 name=msn_in packet-mark=msn_in parent=DSL_IN priority=5 \    queue=default

=======================================================================

TransparentTrafficShaper

From MikroTik Wiki

Contents

Introduction

Quick Start for Impatient

Explanation

Bridge

V3

Mangle

Queues

PCQ Examples

From MikroTik Wiki

Equal Bandwidth for a Number of Users

Certain Bandwidth Equal Distribution between Users

Unknown Bandwidth Equal Distribution between Users

Load Balancing

From MikroTik Wiki

Contents

Quick Start for Impatient

Explanation

Mangle

NAT

Routing

Per-Traffic Load Balancing

From MikroTik Wiki

Contents

[edit] Introduction

[edit] Functions of RouterOS used

[edit] Step 1 - How to break up to traffic

[edit] Step 2 - Setting Up the Network

[edit] Step 3 - Using RouterOS's Mangle Tool to mark specific traffic

[edit] Step 4 - Using the routing functions of RouterOS to force traffic ou certain internet connections

[edit] Step 5 - Review what you've created

[edit] Conclusion

How to apply different limits for Local/Overseas traffic

From MikroTik Wiki

Contents

Introduction

Quick Start for Impatient

Explanation

Address-list

Mangle

Simple Queue

Different limits for Local/Overseas traffic for 3 bandwitch rates using pcq and queue tree

From MikroTik Wiki

Contents

[edit] 1. Introdution

[edit] 2. Configuration

[edit] 3. Explanation

[edit] Important note

Queue with Masquerading and Internal Web-Proxy

From MikroTik Wiki

Contents

[edit] Introduction

[edit] Basic Setup

[edit] Firewall NAT

[edit] Mangle Setup

[edit] Queue Tree Setup

Queue Tree with more than two interfaces

From MikroTik Wiki

[edit] Basic Setup

[edit] Mangle Setup

[edit] Queue Tree Setup

Limit Different Bandwidth In Day and Night

From MikroTik Wiki

Different bandwidth in day and night for several categories of users

From MikroTik Wiki

Contents

[edit] Introduction

[edit] How ?

[edit] Setup NTP Client

[edit] Setup the queues

[edit] Setup the scripts

Mangle, Queue Tree and prio by fly man ... almost done

From MikroTik Wiki

Hotspot, apply different limits and different traffic priorities

From MikroTik Wiki

[edit] Introduction

[edit] The question is, How to do that?

Cable setup