MikroTik Router OS V3.0 User Manual

							!
	
 #	
 @
 &!#@ 8	2 
	  &3$ 
  05$ 
	 
 
 
 

 
 	
  !#@  
  	
 	
 
7
 	
 ,	
 	
 ( 
 


	 ( 	 
 
  8 + 
	  	  
8 

  	 
 &7	

7	 7
 	
 
7
  
 		
 	   !#@ 	
 	
 
 	
	
 

 8
  !#@ 8 	
 

	
 /-C 	
 	
 
 	 /.-D 8 	(		  
 	

F	 	
 
 
 	 #*# 7 /-C 	
  
 
 	 
	
 8 

  
 	



 &	  


  
 
 (	 
 /.7
 

   
 
 	

  8 
/.-D !
	
 
	
  
 8
 
  ( 
 
	
 	
  	
 

	

   	 	
	  	 
 
 	 8 +
	:

 
 	

	
 	
 	
 ( 
 
 
	 
 
 8  
	
 
 		
 	
	   
		
 
 
 	 8  	 
 
  
7
 	
 8:


 	 8 
 	 


0 !#@  

 
 
 
 
	
 



  

 
	( !#@  	 

	 
 


PCQ
 (  !#@ 
 $ 3



 @
 &$3@ 	 	
 *
  
 
 	
8
 
 
 
 ! 
	
 	
  	
 
	

 *
  	
 ( (
  !#@ 

 
 
	


	
 $3@ 	 	
 8 	 
 
:
	
		
 F	 8 	 	 	
	
	
 
 :
	
 2 :


	
  

	 2  	 $3@ 8 	


  	
 
	

:




	

 
 	 

	
 
 	  $3@ 
 	
 	  
  	
Page 290 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							*  	 
 	
 

 	 	
 
 

  *$ 	  
 

 

 8 9  	
  
 
	

  8	2	

  	 8 
 

:
		
 $	 
 
 
	

 	
  
  
  

	   	

	 

8 *   	

	 
 
 
 A	 

	 	 
	  
 $ 

	    
7	 &	 
% 

 	
  	

 
   	

	 
 
 
 $ 

	 	 
	  


     7	 7   	
 	 
  8	2 	  

 !	 	
 

  
	 
 
 
	
 	
	    	
 $3@ 
 
 
 	



	
 8	2 	
 	
 8 	  
:
	
 
 
:

+M $3@ 	
 
 
 
		 8	2  	 
	  
  
 

 	

	

 *
 	
 $3@
		 8	2 
 8  
:
 4
 	 	  8	2	

 7 	 8 	 
 	
	
 
  
( 
  	

RED
	
 F	 5


 &	 

 	 	
 F	 5 	 
   
 	
	   	 8

	
  
 
 	( 

 


  


 
 	(	 8 2 6
 

	(	 8 2 	

   F5 
	
 
  	
 	
 
 
	

	
 	
 	 
 	(	 8 2   

 
 	(	 8 2 	 


    
( 8 2 	
 	
 

    
	
 


  	 
 	
  

  ( 	
  
   
  	 	 
 

 8 2 6
 
 	(	 8 2 	
    	 	 

		
 	  

 
 	(	 8 2  

   
 (	 &	
  

 	

		

   	
(	
 		

 	(	 8 2(1-W)*avg+W*q 
•q- current queue length
•W- queue weight defined as burst+1-min=(1-(1-W)^burst)/W. Note that log(W) value ir
rounded to integer (so W can be 1, 0.1, 0.01, etc.). It is determined experimantally that in many
generic cases, W is near to min/10*burst
	
 (	  
	
 
	  .U 
 -U 	 
 	(	 8 2  


  

  pb=0.02*(avg-min)/(max-min)
Page 291 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							 	
 
 	
 
	
 
	
 
 
8 	
 

 
 
 	
	
 	 pa=pb/(1-count*pb)
*
  
 

	 
	
 	 
(	 (min+2*max)/3 +
 	 

   


  
9
 
	
 
 
 	 	(
	


  	

  	


	


0 
 

 
 
  	
	 	
 	 
  	
 	
 3$7

Property Description
bfifo-limit(integer; default:15000) - maximum number of bytes that the BFIFO queue can hold
kind(bfifo|pcq|pfifo|red|sfq) - which queuing discipline to use
•bfifo- Bytes First-In, First-Out
•pcq- Per Connection Queue
•pfifo- Packets First-In, First-Out
•red- Random Early Detection
•sfq- Stohastic Fairness Queuing
name(name) - reference name of the queue type
pcq-classifier(dst-address|dst-port|src-address|src-port; default:) - list classifiers for
grouping packets into PCQ subqueues. Several classifiers can be used at once, e.g.,
src-address,src-port will group all packets with different source address and source-ports into
separate subqueues
pcq-limit(integer; default:50) - number of packets that a single PCQ sub-queue can hold
pcq-rate(integer; default:0) - maximal data rate allowed for each PCQ sub-queue. This is a rate
cap, as the subqueues will be equalized anyway
•0- no limitation set (only equalize rates between subqueues)
pcq-total-limit(integer; default:2000) - number of packets that the whole PCQ queue can hold
pfifo-limit(integer) - maximum number of packets that the PFIFO queue can hold
red-avg-packet(integer; default:1000) - average packet size, used for tuning average queue
recalculation time
red-burst(integer) - a measure of how fast the average queue size will be influenced by the real
queue size, given in bytes. Larger values will smooth the changes, so longer bursts will be allowed
Page 292 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							red-limit(integer) - hard limit on queue size in bytes. If the real queue size (not average) exceeds
this value then all further packets will be discarded until the queue size drops below. This should be
higher than red-max-threshold+red-burst
red-max-threshold(integer) - upper limit for average queue size, in bytes. When the size reaches
this value, all further packets shall be dropped
red-min-threshold(integer) - lower limit for average queue size, in bytes. When the size reaches
this value, RED starts to drop packets randomly with a calculated probability
sfq-allot(integer; default:1514) - amount of bytes that a subqueue is allowed to send before the
next subqueue gets a turn (amount of bytes which can be sent from a subqueue in a single
round-robin turn), should be at least 1514 for links with 1500 byte MTU
sfq-perturb(integer; default:5) - how often to shake (perturb) SFQs hashing algorithm, in seconds
Interface Default Queues
Home menu level:/queue interface
Description
*
  
 
 	
 ( 	
 

	 
 	( 
  
8 
 	 8 (
    

 	

 


 
	 	
 	 ,  	
  
 8 
      
	



 	
	
9
 
	
 
  
 
 8  	 
 

	 
 

	 	
 8  
 

	
(  
	
 	
	 

	   
 
 	  	 	
 
	
  
 
 
 

	
	 
 

  8 
 
 ,) 
  
 
 	
 
	
 	 

 
 	 

 

 &	
 
(  
 
	
 	
  
 	
 
 
 ,) 
 	
 
 

	
 	 
 
	 	

Property Description
interface(read-only: name) - name of the interface
queue(name; default:default) - queue type which will be used for the interface
Example
!
 
  

	 
 $
	
8
[admin@MikroTik] queue interface> set 0 queue=wireless-default[admin@MikroTik] queue interface> print# INTERFACE QUEUE0 wlan1 wireless-default[admin@MikroTik] queue interface>
Simple Queues
Description
 
 	 
 
 	
	 	
   *$ 	 	
1 

  
   8
E 	
 	   8 
  	(	
 @! 		

  	(  

	
 	

Page 293 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							•$7
7 
	 8

•+
 8  
 
 
 

(	
•$

•0
 
 	
 	 /ip firewall mangle
•!	
  

	 
	 &
 
  
 

	  	 ? 
	
Property Description
burst-limit(integerinteger) - maximum data rate which can be reached while the burst is active, in
form of in/out (target upload/download)
burst-threshold(integerinteger) - average data rate limit, until which the burst is allowed. If the
average data rate over the last burst-time seconds is less than burst-threshold, the actual data rate
may reach burst-limit. Otherwise the hard limit is reset to max-limit. Set in form of in/out (target
upload/download)
burst-time(integerinteger) - period of time, in seconds, over which the average data rate is
calculated, in form of in/out (target upload/download)
direction(none|both|upload|download) - traffic flow directions from the targets point of view,
affected by this queue
•none- the queue is effectively inactive
•both- the queue limits both target upload and target download
•upload- the queue limits only target upload, leaving the download rates unlimited
•download- the queue limits only target download, leaving the upload rates unlimited
dst-address(IP addressnetmask) - destination address to match
dst-netmask(netmask) - netmask for dst-address
interface(text) - interface, this queue applies to (i.e., the interface the target is connected to)
limit-at(integerinteger) - CIR, in form of in/out (target upload/download)
max-limit(integerinteger) - MIR (in case burst is not active), in form of in/out (target
upload/download)
name(text) - descriptive name of the queue
p2p(all-p2p|bit-torrent|blubster|direct-connect|edonkey|fasttrack|gnutella|soulseek|
winmx) - which type of P2P traffic to match
•all-p2p- match all P2P traffic
packet-marks(multiple choice: name; default:) - list of packet marks (set by /ip firewall
mangle) to match. Multiple packet marks are separated by commas (,)
parent(name) - name of the parent queue in the hierarchy. Can only be another simple queue
priority(integer: 1..8) - priority of the queue. 1 is the highest, 8 - the lowest
queue(namename; default:default/default) - name of the queue from /queue type, in form of
in/out
target-addresses(multiple choice: IP addressnetmask) - limitation target IP addresses (source
addresses). Multiple addresses are separated by commas
time(timetimesat|fri|thu|wed|tue|mon|sun; default:) - limit queue effect to a specified
Page 294 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							time period
total-burst-limit(integer) - burst limit for global-total (cumulative rate, upload + download) queue
total-burst-threshold(integer) - burst threshold for global-total (cumulative rate, upload +
download) queue
total-burst-time(time) - burst time for global-total queue
total-limit-at(integer) - limit-at for global-total (cumulative rate, upload + download) queue
total-max-limit(integer) - max-limit for global-total (cumulative rate, upload + download) queue
total-queue(name) - queuing discipline to use for global-total queue
Queue Trees
Home menu level:/queue tree
Description
 8 
    
  	

 
  
	
 	
	 	
 		

 	 
 


   *$ 	 
 +
 
  	( 
 	 	
  
 	 	 

 	
$
	
 

  
 	 	 	
 

  	
  
 8 

Property Description
burst-limit(integer) - maximum data rate which can be reached while the burst is active
burst-threshold(integer) - average data rate limit, until which the burst is allowed. If the average
data rate over the last burst-time seconds is less than burst-threshold, the actual data rate may reach
burst-limit. Otherwise the hard limit is reset to max-limit
burst-time(time) - period of time, in seconds, over which the average data rate is calculated
limit-at(integer) - CIR
max-limit(integer) - MIR (in case burst is not active)
name(text) - descriptive name for the queue
packet-mark(text) - packet flow mark (set by /ip firewall mangle) to match. This creates a filter
that puts the packets with the given mark into this queue
parent(text) - name of the parent queue. The top-level parents are the available interfaces (actually,
main HTB). Lower level parents can be other tree queues
priority(integer: 1..8) - priority of the queue. 1 is the highest, 8 - the lowest
queue(text) - name of the queue type. Types are defined under /queue type
Application Examples
Example of emulating a 128Kibps/64Kibps Line
+  	

 
 	
 	 /-CL 
	 	
 GDL 	 
 



 *$ 


!&%!)(%+%+&1  

  ( 
 
 A	 

	  
% 
  	


 
  
 
 
 		
Page 295 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							 ( 
 
	

     8
*$ 	 
  

[admin@MikroTik] ip address> printFlags: X - disabled, I - invalid, D - dynamic# ADDRESS NETWORK BROADCAST INTERFACE0 192.168.0.254/24 192.168.0.0 192.168.0.255 Local1 10.5.8.104/24 10.5.8.0 10.5.8.255 Public[admin@MikroTik] ip address>
+
 

[admin@MikroTik] ip route> printFlags: X - disabled, A - active, D - dynamic,C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,B - blackhole, U - unreachable, P - prohibit# DST-ADDRESS PREF-SRC G GATEWAY DIS INTE...0 A S 0.0.0.0/0 r 10.5.8.1 1 Public1 ADC 10.5.8.0/24 10.5.8.104 0 Public2 ADC 192.168.0.0/24 192.168.0.254 0 Local[admin@MikroTik] ip route>
+ 	  8    
 
 
	 
	 
 /-CL1 	
 	 
 GDL1  



 
 

!&%!)(%+%+&1 (  
 

	7
Page 296 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							[admin@MikroTik] queue simple> add name=Limit-Local interface=Local \\... target-address=192.168.0.0/24 max-limit=65536/131072[admin@MikroTik] queue simple> printFlags: X - disabled, I - invalid, D - dynamic0 name=Limit-Local target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0interface=Local parent=none priority=8 queue=default/defaultlimit-at=0/0 max-limit=65536/131072 total-queue=default[admin@MikroTik] queue simple>



		
 
 
 
 	 	(		 	

 # 
 

% 

  ( 

(	)**2)!2!+9&	
 
	
 
  
 	  /:/.N-  
	 	
 G
$	  	

 
  
 (  
 
   	 	 8  
 

 	
 
	


&


++ 	
 
 
	

 	
 ( 
 
 
 


  
 

[admin@MikroTik] queue simple> add name=Server target-addresses=192.168.0.1/32 \\... interface=Local[admin@MikroTik] queue simple> printFlags: X - disabled, I - invalid, D - dynamic0 name=Limit-Local target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0interface=Local parent=none priority=8 queue=default/defaultlimit-at=0/0 max-limit=65536/131072 total-queue=default
1 name=Server target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0interface=Local parent=none priority=8 queue=default/defaultlimit-at=0/0 max-limit=0/0 total-queue=default[admin@MikroTik] queue simple> mo 1 0[admin@MikroTik] queue simple> printFlags: X - disabled, I - invalid, D - dynamic0 name=Server target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0interface=Local parent=none priority=8 queue=default/defaultlimit-at=0/0 max-limit=0/0 total-queue=default
1 name=Limit-Local target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0interface=Local parent=none priority=8 queue=default/defaultlimit-at=0/0 max-limit=65536/131072 total-queue=default[admin@MikroTik] queue simple>
Queue Tree Example With Masquerading
*
 
 ( 	  	
 /-CL1 
	 	
 GDL1 	 
	  
 	 

 *


 	   		

 -
						

							1.+
 
 	 
 !(% 
	 	
 	 
	 6
 
 
    	 
 






 	
 
 
 
 
 	 	
  
 
 
 




[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.1/32 \\... action=mark-connection new-connection-mark=server-con chain=prerouting[admin@MikroTik] ip firewall mangle> add connection-mark=server-con \\... action=mark-packet new-packet-mark=server chain=prerouting[admin@MikroTik] ip firewall mangle> printFlags: X - disabled, I - invalid, D - dynamic0 chain=prerouting src-address=192.168.0.1 action=mark-connectionnew-connection-mark=server-con
1 chain=prerouting connection-mark=server-con action=mark-packetnew-packet-mark=server[admin@MikroTik] ip firewall mangle>
2. 	  A	
 	
 6
	


[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.2 \\... action=mark-connection new-connection-mark=lap_works-con chain=prerouting[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.3 \\... action=mark-connection new-connection-mark=lap_works-con chain=prerouting[admin@MikroTik] ip firewall mangle> add connection-mark=lap_works-con \\... action=mark-packet new-packet-mark=lap_work chain=prerouting[admin@MikroTik] ip firewall mangle> printFlags: X - disabled, I - invalid, D - dynamic0 chain=prerouting src-address=192.168.0.1 action=mark-connection
Page 298 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							new-connection-mark=server-con
1 chain=prerouting connection-mark=server-con action=mark-packetnew-packet-mark=server
2 chain=prerouting src-address=192.168.0.2 action=mark-connectionnew-connection-mark=lap_works-con
3 chain=prerouting src-address=192.168.0.3 action=mark-connectionnew-connection-mark=lap_works-con
4 chain=prerouting connection-mark=lap_works-con action=mark-packetnew-packet-mark=lap_work[admin@MikroTik] ip firewall mangle>
+  	
   	 



 
	
 
  A	
 	
 6
	

 
 
 	 
3.*
: 
	  
	
  
 !(% 
	 	
 	
[admin@MikroTik] queue tree> add name=Server-Download parent=Local \\... limit-at=131072 packet-mark=server max-limit=262144[admin@MikroTik] queue tree> add name=Server-Upload parent=Public \\... limit-at=65536 packet-mark=server max-limit=131072[admin@MikroTik] queue tree> printFlags: X - disabled, I - invalid0 name=Server-Download parent=Local packet-mark=server limit-at=131072queue=default priority=8 max-limit=262144 burst-limit=0burst-threshold=0 burst-time=0s
1 name=Server-Upload parent=Public packet-mark=server limit-at=65536queue=default priority=8 max-limit=131072 burst-limit=0burst-threshold=0 burst-time=0s[admin@MikroTik] queue tree>
+
 	 
  A	
 	
 6
	


[admin@MikroTik] queue tree> add name=Laptop-Wkst-Down parent=Local \\... packet-mark=lap_work limit-at=65535 max-limit=262144[admin@MikroTik] queue tree> add name=Laptop-Wkst-Up parent=Public \\... packet-mark=lap_work limit-at=32768 max-limit=131072[admin@MikroTik] queue tree> printFlags: X - disabled, I - invalid0 name=Server-Download parent=Local packet-mark=server limit-at=131072queue=default priority=8 max-limit=262144 burst-limit=0burst-threshold=0 burst-time=0s
1 name=Server-Upload parent=Public packet-mark=server limit-at=65536queue=default priority=8 max-limit=131072 burst-limit=0burst-threshold=0 burst-time=0s
2 name=Laptop-Wkst-Down parent=Local packet-mark=lap_work limit-at=65535queue=default priority=8 max-limit=262144 burst-limit=0burst-threshold=0 burst-time=0s
3 name=Laptop-Wkst-Up parent=Public packet-mark=lap_work limit-at=32768queue=default priority=8 max-limit=131072 burst-limit=0burst-threshold=0 burst-time=0s[admin@MikroTik] queue tree>
Equal bandwidth sharing among users
 	   
 8	 	 /. 
	 	
 - 	 	
 	
(  
 



!&%!)(%+%+&1 *
 . 
	
 - 
 I
 C  	
 ( (	 

  
	

 
 
 
 	

 
  	 	

 &/.  

 
  ( <
 	 
 	   	  
  	 (	   
	
 - 
Page 299 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners.