MTCTCE English PDF

The document provides an outline for a training on traffic control using Mikrotik routers. It covers topics like DNS, web proxy, firewalls, DHCP, and quality of service (QoS). DNS topics include caching, static filtering, and configuration. DHCP topics include setting up servers and clients, communication processes, options, and address pools. The training includes presentations and hands-on labs to help participants learn how to configure these functions on Mikrotik routers.


MIKROTIK ADVANCED TRAINING

TRAFFIC CONTROL

PRESENTED BY Oky Tria Saputra

ID-Networkers & trainingmikrotik.com


2

TRAFFIC CONTROL OUTLINE


DNS
o DNS Cache / Server
o Static DNS Filtering

DHCP
o DHCP Server
o DHCP Client
o DHCP Relay

Web Proxy
o Proxy rule lists
o Access list
o Direct Access list
o Cache list
o Regular expression

Firewall filter/nat/mangle
o Connection tracking
o Firewall Filter
o Firewall NAT
o Firewall Mangle

Quality of Service
o HTB
o Queue simple and tree

ID-NETWORKERS | www.training-mikrotik.com
3

DOMAIN NAME SYSTEM

4

Domain Name System


• DNS (Domain Name System) translates domain names into IP addresses.
• A domain name such as google.com is far easier to remember than the IP addresses behind google.com.
• A domain name works like a phone book entry: we type the name of the website (the domain) rather than its IP address.

www.trainingmikrotik.com (www = host, trainingmikrotik = subdomain, com = top-level domain)
5

Domain Name System

• The DNS client is used only by the router itself, for web-proxy, DHCP server and hotspot configuration
• Enable the “Allow Remote Requests” option to turn the DNS client into a DNS cache
• A DNS cache lets your clients use the router instead of the remote DNS server; like all caches, it minimizes resolving time
6

LAB - DNS Configuration

7

Static DNS
• The DNS cache can also serve as a simple DNS server.
• For each static DNS entry, the router adds the "A" and "PTR" records automatically.
 "A" - maps a domain name to an IP address
 "PTR" - maps the reverse direction (IP address to name)
• Static DNS entries override dynamic entries in the DNS cache
8

Transparent Static DNS


• For example, we want to point the domain trainingmikrotik.com at an IP address that does not really belong to trainingmikrotik.com, resolving it to the IP of another web server
• Or we want to create our own domain for a local address
• The trick is as follows:
• Set MikroTik as DNS cache/server by checking “Allow Remote Requests” in the IP > DNS menu
• Set at least one primary DNS server
• Set static DNS for the domain that we want to manipulate
• Create a dst-nat rule so that any DNS traffic coming from the LAN through the router is redirected to the router itself
9

LAB- Static DNS


• Every client that sends DNS requests to an outside server (for example Google public DNS 8.8.8.8) is forced to use our router's DNS server
• Then we manipulate the DNS response by creating static DNS entries on our router

[Diagram: client on Mikrotik_wifi sends a DNS request; the router redirects it to itself]
10

LAB - DNS Static

IP of your web server

11

LAB - DNS Static


In IP > Firewall > NAT, create the redirect rule that makes the DNS transparent
12

LAB - DNS Static


Check the DNS cache in IP > DNS > Cache
13

DHCP
Dynamic Host Configuration Protocol

14

DHCP
• The Dynamic Host Configuration Protocol is used for dynamic distribution of network settings such as:
• IP address and netmask
• Default gateway address
• DNS and NTP server addresses
• More than 100 other custom options (supported only by specific DHCP clients)
• DHCP is a basically insecure system and should only be used in your own trusted networks
15

DHCP Communication Step


• DHCP Discovery
  src-mac=<client>, dst-mac=<broadcast>, protocol=udp,
  src-ip=0.0.0.0:68, dst-ip=255.255.255.255:67
• DHCP Offer
  src-mac=<DHCP-server>, dst-mac=<broadcast>, protocol=udp,
  src-ip=<DHCP-Server>:67, dst-ip=255.255.255.255:67
• DHCP Request
  src-mac=<client>, dst-mac=<broadcast>, protocol=udp,
  src-ip=0.0.0.0:68, dst-ip=255.255.255.255:67
• DHCP Acknowledgement
  src-mac=<DHCP-server>, dst-mac=<broadcast>, protocol=udp,
  src-ip=<DHCP-Server>:67, dst-ip=255.255.255.255:67
16

DHCP Server
• A DHCP server can run on each interface of the router, even on some virtual interfaces.
• One interface can run only one DHCP server.
• To simplify the DHCP server setup, first add the IP address to the interface that will run the DHCP server.
• Configure the DHCP server in the menu IP> DHCP Server> DHCP Setup and simply follow the steps
17

LAB DHCP Server Client

• One participant becomes the client, another participant becomes the DHCP server

• Activate DHCP logging in the menu
  System>logging>add topic=dhcp action=memory
18

DHCP Client Communication Step

19

DHCP Server Communication Step

20

DHCP Client Identification


• There can be only one DHCP server/relay per interface on the router
• To create a DHCP server you must have
1. An IP address on the desired DHCP server interface
2. An address pool for the clients
3. Information about the planned DHCP network
• All 3 must correspond to each other
• “Store Lease on Disk” sets how frequently lease changes are stored on disk
21

DHCP Options
• Implemented DHCP options
– Subnet-Mask (option 1) - netmask
– Router (option 3) - gateway
– Domain-Server (option 6) - dns-server
– Domain-Name (option 15) - domain
– NTP-Servers (option 42) - ntp-server
– NETBIOS-Name-Server (option 44) - wins-server
• Custom DHCP options (example:)
  Classless Static Route (C) - “0x100A270A260101” = “network=10.39.0.0/16 gateway=10.38.1.1”
• For the complete list of DHCP option codes, see:
  http://www.iana.org/assignments/bootp-dhcp-parameters
22

DHCP Options
Raw format of 10.39.0.0/16 and 10.38.1.1:
• 0x | 10 | 0A27 | 0A260101
• 0x – hex number prefix
• 10 – subnet/prefix length = 16
• 0A27 – network = 10.39.0.0 (only the two significant octets, 10.39, are sent for a /16)
• 0A260101 – gateway = 10.38.1.1

To convert decimal to hex you can use a calculator or an online converter like http://www.binaryhexconverter.com/decimal-to-hex-converter
23

LAB DHCP Server Option

Static route

• With a DHCP option, give the client a static route to network=10.39.0.0/16 gateway=10.38.1.1
• Create the DHCP option in the menu
  IP>DHCP option>add name=additional-route code=121 value=0x100A270A260101
• Assign the DHCP option in IP>DHCP Server>Network
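The raw value used in this lab can be built and checked mechanically instead of by hand with a hex converter. The following Python script is an added example, not part of the training slides or of RouterOS: it encodes any list of routes into the option 121 value in the form the slides use and decodes such a value back, so a misplaced octet in a hand-built value is caught before it is handed to clients. The function names and every sample route other than 10.39.0.0/16 via 10.38.1.1 are constructed for the example.

```python
import ipaddress


def encode_option121(routes):
    """Encode (destination CIDR, gateway) pairs as the raw value of DHCP option 121
    (Classless Static Route, RFC 3442), written as "0x..." like the RouterOS
    option value on the slides.  Per route: one byte of prefix length, then only
    the significant network octets (ceil(prefix/8) of them), then the 4-byte gateway."""
    raw = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects a network with host bits set
        significant = (net.prefixlen + 7) // 8
        raw.append(net.prefixlen)
        raw += net.network_address.packed[:significant]
        raw += ipaddress.IPv4Address(gateway).packed
    return "0x" + raw.hex().upper()


def decode_option121(value):
    """Inverse of encode_option121: parse a "0x..." value back into
    [(destination CIDR, gateway), ...].  Raises ValueError on a malformed or
    truncated value, which is also how a client should treat such an option."""
    if value[:2].lower() == "0x":
        value = value[2:]
    data = bytes.fromhex(value)
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen}")
        significant = (prefixlen + 7) // 8
        net_bytes = data[i:i + significant]
        gw_bytes = data[i + significant:i + significant + 4]
        if len(net_bytes) != significant or len(gw_bytes) != 4:
            raise ValueError("truncated option value")
        i += significant + 4
        # pad the significant octets back to a full 4-byte network address
        net_int = int.from_bytes(net_bytes.ljust(4, b"\x00"), "big")
        net = ipaddress.IPv4Network((net_int, prefixlen))
        routes.append((str(net), str(ipaddress.IPv4Address(gw_bytes))))
    return routes


if __name__ == "__main__":
    # The slide's example: 10.39.0.0/16 via 10.38.1.1 -> 0x100A270A260101
    value = encode_option121([("10.39.0.0/16", "10.38.1.1")])
    print(value)
    print(decode_option121(value))
    # Constructed second example: a default route plus a /24 (not from the slides)
    print(encode_option121([("0.0.0.0/0", "192.0.2.1"), ("192.168.50.0/24", "10.38.1.2")]))
```

A /16 contributes two network octets, a /24 three, and a default route (/0) none, which is why the value cannot simply be read as fixed-width fields; the decoder walks it route by route and refuses anything that ends mid-route.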
24

LAB - DHCP Options

Create the DHCP option, and assign it to the DHCP network
25

DHCP Options
• IP address pools define ranges of IP addresses for dynamic distribution (DHCP, PPP, Hotspot)
• The address pool must exclude addresses that are already used by static devices (such as servers)
• It is possible to assign more than one range in an IP pool
• It is possible to chain several pools together by using the “Next Pool” option
• By default, the server hands out addresses starting from the highest address in the pool.
26

IP Pool

27

DHCP Server Settings

28

DHCP Server Settings


• Relay – if we want to use a DHCP relay
• Src.address – specifies the DHCP server's address if there is more than one IP on the DHCP server's interface
• Lease Time - the time that a client may use the assigned address.
• Add ARP For Leases – adds ARP entries for leases; needed if the interface has ARP=reply-only
• Always Broadcast – allows communication with non-standard clients like pseudo-bridges
• Use Radius - whether to use a RADIUS server for dynamic leases
29

DHCP Relay
• A DHCP relay is just like a proxy: it receives DHCP discovery and request messages and resends them to the DHCP server
• There can be only one DHCP relay between the DHCP server and the DHCP client
• DHCP communication with a relay does not require an IP address on the relay,
• But the DHCP relay's “local address” option must be the same as the DHCP server's “relay address” option
30

LAB - DHCP Relay


Make one router the DHCP server and another the DHCP relay

[Topology: the two routers are linked via Ether1 (192.168.1.1/24 and 192.168.1.2/24); Ether2 192.168.22.1/24 serves the client LAN]
31

LAB - DHCP Relay


Configure the DHCP Server and the DHCP Server Network (set the network and the relay's local address)
32

LAB - DHCP Relay


Configure the DHCP Relay: interface = LAN, local address = the IP address of interface LAN

Configure the laptop as a DHCP client; it should get an IP address from the DHCP server
33

PROXY
MikroTik HTTP Proxy

34

Web Proxy
• Web-proxy has 3 major features
– HTTP and FTP traffic caching
– DNS name filtering
– DNS redirection
• Web-proxy has two operation modes
– Regular – the browser must be configured to use this proxy
– Transparent – the proxy is not visible to the customers; NAT rules must be applied
35

Web Proxy
• Without Proxy

• With Proxy

36

Web Proxy Feature


• Regular HTTP proxy
• Transparent proxy
  Can also serve as transparent and regular proxy at the same time
• Access list
  Based on the source, destination, URL and requested method
• Cache Access list
  Determines which objects are stored in the cache
• Direct Access List
  Sets which connections are accessed directly and which go through a parent proxy server
• Logging facility
  Logs URL access / connections from the clients
37

LAB - Web Proxy


• Topology

38

LAB - Web Proxy


• Enable Web Proxy in menu IP>Web Proxy

39

LAB – Transparent Web Proxy


• To use the proxy we need to set the proxy manually in the client browser
• Or you can make a transparent proxy by forcing all HTTP traffic from the local network to port 8080 on the router itself
• Configuration in menu IP>Firewall>NAT
  /ip firewall nat
  add chain=dstnat protocol=tcp dst-port=80 in-interface=etherLAN action=redirect to-ports=8080
40

LAB - Web Proxy


Check your proxy setting by accessing a web site that can detect a proxy connection, for example open the URL www.indonesiacyber.net

Check on your router in the IP>Web Proxy> Connections menu
41

LAB - Web Proxy Access Rule


Block HTTP access to any URL that contains the word “playboy”
42

Web-Proxy Access Rule


Block HTTP access to any URL that contains the word “playboy” and redirect it to trainingmikrotik.com
43

Web Proxy URL Filtering


http://www.domain.com/path1/path2/file1.jpg
  www.domain.com = destination host, /path1/path2/file1.jpg = destination path

• Special characters
  * = any character / any number of characters
  ? = exactly one character
• Examples
  www.do?ai?.com
  www.domain.*
  *domain*
• Regular expression format is also supported
44

Web Proxy URL Filtering


• We can also prevent clients from downloading file types like .mp3, .exe, .dat, .avi, ... etc. by matching them in the URL path
• For example:
  /ip proxy access
  add path=*.exe action=deny
  add path=*.mp3 action=deny
  add path=*.zip action=deny
  add path=*.rar action=deny
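The wildcard rules of the two URL filtering slides and the ordered access list above behave like a small matcher that is easy to model. The Python below is an added example, not code from the slides or from RouterOS: it translates the `*` and `?` wildcards into anchored regular expressions, evaluates an ordered access list on the split destination host and path (first match wins, default allow), and carries a redirect target for the “playboy” rule. Treating a pattern that starts with `:` as a raw regular expression is an assumption about how the slide's “regular expression format” is selected; the rule set and the test URLs are constructed.

```python
import re
from urllib.parse import urlsplit


def wildcard_to_regex(pattern):
    """Translate a web-proxy style wildcard into a compiled, anchored regex:
    '*' matches any run of characters, '?' exactly one character, anything else
    is literal.  A pattern starting with ':' is taken as a raw regular
    expression (assumed convention for selecting regex mode)."""
    if pattern.startswith(":"):
        return re.compile(pattern[1:], re.IGNORECASE)
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # host names are case-insensitive; paths are treated the same way here
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern, text):
    """An empty pattern behaves like an unset matcher: it matches everything."""
    if not pattern:
        return True
    return wildcard_to_regex(pattern).search(text) is not None


# Constructed access list, ordered like /ip proxy access: the first matching rule decides.
ACCESS_LIST = [
    {"dst_host": "*playboy*", "path": "",      "action": "deny", "redirect_to": "trainingmikrotik.com"},
    {"dst_host": "",          "path": "*.exe", "action": "deny", "redirect_to": None},
    {"dst_host": "",          "path": "*.mp3", "action": "deny", "redirect_to": None},
    {"dst_host": "",          "path": "*.zip", "action": "deny", "redirect_to": None},
    {"dst_host": "",          "path": "*.rar", "action": "deny", "redirect_to": None},
]


def evaluate(url, access_list=ACCESS_LIST):
    """Return (action, redirect_to) for a request URL; no matching rule means allow."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    for rule in access_list:
        if matches(rule["dst_host"], host) and matches(rule["path"], path):
            return rule["action"], rule["redirect_to"]
    return "allow", None


if __name__ == "__main__":
    for url in ("http://www.domain.com/path1/path2/file1.jpg",
                "http://downloads.example.net/tools/setup.exe",
                "http://www.playboy.example/index.html"):
        print(url, "->", evaluate(url))
```

Because `*.exe` is anchored at both ends, `setup.exe?download=1` would not be caught by the path rule alone (the query string is not part of the path in this model either), which is the usual reason such lists are complemented by a regular expression rule.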
45

Web-Proxy Options
• Maximal-client-connections - number of connections accepted from clients
• Maximal-server-connections - number of connections made by the server
46

Web-Proxy Caching
• No caching
  • Max-cache-size = none
• Cache to RAM
  • Max-cache-size ≠ none
  • Cache-on-disk = no
• Cache to HDD
  • Max-cache-size ≠ none
  • Cache-on-disk = yes
• Cache drive
  • Choose the partition
47

Web-Proxy Rule List


• Web-proxy supports 3 sets of rules for HTTP request filtering
• Access List – dictates the policy whether to allow a specific HTTP request or not
• Direct Access List – works only if a parent-proxy is specified – dictates the policy whether to bypass the parent proxy for a specific HTTP request or not.
• Cache List – dictates the policy whether a specific HTTP request may be cached or not
48

FIREWALL
Basic & Advanced

49

Connection Tracking
• Connection tracking is the heart of the firewall; it gathers and manages information about all active connections.
• By disabling the connection tracking system you lose NAT functionality and most of the filter and mangle conditions.
• Each connection tracking table entry represents a bidirectional data exchange
• Connection tracking takes a lot of CPU resources (disable it if you don't use the firewall)
50

Connection State
• Connection state is a status assigned to each packet by the connection tracking system:
– New – the packet is opening a new connection
– Established – the packet belongs to an already known connection
– Invalid – the packet does not belong to any known connection
– Related – the packet is also opening a new connection, but it is in some kind of relation to an already known connection
• Connection state is not the same as the TCP state in the connection tracking table
51

Firewall Basic
• Firewall filter rules are organized in chains and read sequentially.
• Each chain is read by the router from top to bottom.
• The firewall filter has 3 default chains
• input – processes packets sent to the router
• output – processes packets sent by the router
• forward – processes packets sent through the router
• In addition to the 3 default chains, we can create our own chains as needed.
• Every user-defined chain should be subordinate to at least one of the default chains
• To implement the right chain we need to know about the packet flow in the router
52

Packet Flow
• Simple Diagram

53

Packet Flow
• Diagram showing the process flow of data packets

54

Packet Flow
• Traffic going in to the router (input)

55

Packet Flow
• Traffic going out from the router itself (output)

56

Packet Flow
• Traffic passing through the router (forward)
57

Firewall on Bridge
If we want to use IP Firewall in bridge devices, we need to activate

58

Firewall Strategy
• Rule: IF….THEN….
• IF the packet matches our defined criteria,
• THEN what do we do with that packet?
• In IP firewall the IF conditions are defined in the General, Advanced and Extra tabs, and the THEN part is defined in the Action tab
59

Firewall Strategy
• Drop all unneeded, accept everything else

If there is no firewall, by default MikroTik accepts all connections
60

Firewall Strategy
• Accept only needed, drop everything else

61

RouterOS Local Services

• We can filter them with the input chain
62

IP Firewall Filter Rule (Extra)

63

IP Firewall Filter Rule (Extra)


dst-limit
• Limits the number of packets per second to one IP and/or protocol and port
classifier (mode):
• addresses and dst-port
• dst-address
• dst-address and dst-port
• src-address and dst-address
expire:
specifies the interval after which a recorded IP address / port will be deleted (optional)
64

IP Firewall Filter Rule (Extra)


dst-limit

• count - maximum average packet rate, measured in packets per time interval
• time - specifies the time interval in which the packet rate is measured (optional)
• burst - number of packets which are not counted by the packet rate
• mode - the classifier for packet rate limiting
65

IP Firewall Filter Rule (Extra)


connection-limit
Limits connections per IP address or per block of IP addresses
Example:
limit 200 connections in every /26

meaning the rule will match if the connections are under 200 for a /26 block of IPs.
66

IP Firewall Filter Rule (Extra)


limit
Limits data packets, usually for packets that do not have a real connection
Example: ICMP data

limit to 5 pps (packets per second) with a 5 packet burst, and drop the next ICMP packets
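Both `limit` and `dst-limit` are token buckets; the difference is that `dst-limit` keeps one bucket per classifier key (the `mode` values listed two slides earlier), so a flood towards one destination does not consume the allowance of the others. The Python below is an added example and not RouterOS code: it models the 5 pps / 5 burst ICMP case above as a single bucket and the `dst-limit` classifiers as per-key buckets. The packet sample is constructed; the classifier names are the ones on the slide.

```python
from collections import defaultdict


class TokenBucket:
    """Token bucket behind 'limit' / 'dst-limit': on average 'count' packets per
    'time' seconds are within the limit, with up to 'burst' tokens of headroom.
    A packet matches (is within the limit) only if a token is left for it."""

    def __init__(self, count, time=1.0, burst=1):
        self.rate = count / time
        self.burst = burst
        self.tokens = float(burst)   # the bucket starts full
        self.last = None

    def consume(self, now):
        if self.last is not None:
            # refill in proportion to elapsed time, never beyond the burst size
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_limit(timestamps, count=5, time=1.0, burst=5):
    """Model of the slide's 'limit' rule (5 pps, burst 5): one bucket for the rule.
    Returns True for packets the rule matches; a following drop rule would catch the rest."""
    bucket = TokenBucket(count, time, burst)
    return [bucket.consume(t) for t in timestamps]


# dst-limit classifiers (the 'mode' parameter) from the slide, mapped to the packet
# fields that select a bucket.
DST_LIMIT_MODES = {
    "dst-address": lambda p: (p["dst"],),
    "dst-address-and-port": lambda p: (p["dst"], p["dport"]),
    "addresses-and-dst-port": lambda p: (p["src"], p["dst"], p["dport"]),
    "src-and-dst-addresses": lambda p: (p["src"], p["dst"]),
}


def apply_dst_limit(packets, count, time, burst, mode):
    """Model of dst-limit: one bucket per classifier key.  Returns (key, matched) per packet."""
    key_of = DST_LIMIT_MODES[mode]
    buckets = defaultdict(lambda: TokenBucket(count, time, burst))
    return [(key_of(p), buckets[key_of(p)].consume(p["t"])) for p in packets]


# Constructed samples (no real hosts): an ICMP burst of 8 echo requests at t=0 and
# 3 more 0.4 s later; then 6 packets each to two destinations at t=0.
FLOOD_TIMES = [0.0] * 8 + [0.4] * 3
SAMPLE_PACKETS = [{"t": 0.0, "src": "192.168.88.10", "dst": dst, "dport": 0}
                  for dst in ["192.168.88.1"] * 6 + ["192.168.88.2"] * 6]


if __name__ == "__main__":
    print(apply_limit(FLOOD_TIMES))
    print(apply_dst_limit(SAMPLE_PACKETS, 5, 1.0, 5, "dst-address"))
```

In the first sample the burst of five passes, the next three are outside the limit, and 0.4 s later the bucket has refilled two tokens (0.4 s × 5 pps), so exactly two more pass; in the second, each destination gets its own five-packet allowance.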
67

IP Firewall Filter Rule (Extra)


src/dst-address-type:
unicast – the usual IP address
local – an IP address installed on the router
broadcast – a broadcast IP address
multicast – an IP address used for multicast
68

IP Firewall Filter Rule (Extra) - PSD

PSD (Port Scan Detection)

Filters and/or identifies port scanning (TCP)
low ports : 0 – 1023
high ports : 1024 - 65535
69

IP Firewall Filter Rule (Extra) – Connection Limit

• Download nmap from nmap.org and install it on your laptop

• Make a firewall rule that detects the PSD attacker and puts its source IP address on the address-list

  /ip firewall filter
  add action=add-src-to-address-list address-list=attacker address-list-timeout=2m chain=input psd=21,3s,3,1

• Scan your router using the nmap software
  cmd>nmap 192.168.88.1
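How a rule like `psd=21,3s,3,1` decides that a source is scanning is easier to follow with a defender's model of the matcher. The Python below is an added example, not the RouterOS implementation: for each source it weights the distinct destination ports seen within the 3 s delay threshold (3 per low port, 1 per high port, the split at 1023 taken from the slide), flags the source when the weight reaches 21, and derives the address-list entry with its 2 m timeout. The connection attempts are constructed and use documentation address ranges.

```python
from collections import defaultdict, deque

LOW_PORT_MAX = 1023   # slide: low ports 0-1023, high ports 1024-65535


def detect_port_scans(events, weight_threshold=21, delay_threshold=3.0,
                      low_port_weight=3, high_port_weight=1):
    """Simplified model of psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.
    events: (timestamp_seconds, src_ip, dst_port) TCP connection attempts.
    Distinct destination ports seen from a source within the last delay_threshold
    seconds are weighted; once the weight reaches weight_threshold the source is
    flagged.  Returns {src_ip: timestamp_of_detection}."""
    recent = defaultdict(deque)   # src -> deque of (ts, port), oldest first
    flagged = {}
    for ts, src, port in sorted(events):
        if src in flagged:
            continue                # already on the list; the rule fired once
        window = recent[src]
        window.append((ts, port))
        while window and ts - window[0][0] > delay_threshold:
            window.popleft()        # attempts older than the delay threshold no longer count
        ports = {p for _, p in window}
        weight = sum(low_port_weight if p <= LOW_PORT_MAX else high_port_weight
                     for p in ports)
        if weight >= weight_threshold:
            flagged[src] = ts
    return flagged


def address_list_entries(flagged, list_name="attacker", timeout=120):
    """Mirror action=add-src-to-address-list address-list=attacker address-list-timeout=2m:
    each flagged source becomes an entry that expires 'timeout' seconds after detection."""
    return [{"list": list_name, "address": src, "expires_at": ts + timeout}
            for src, ts in sorted(flagged.items())]


# Constructed connection attempts (documentation addresses, no real hosts):
#  - a fast scanner hitting seven low ports within 3 s (weight 7 x 3 = 21),
#  - a slow scanner hitting one low port per second (never more than 4 in a window),
#  - a client opening ten high-port connections in 1 s (weight 10).
SAMPLE_EVENTS = (
    [(0.5 * i, "192.0.2.10", p) for i, p in enumerate([21, 22, 23, 25, 80, 110, 443])]
    + [(float(i), "198.51.100.7", p) for i, p in enumerate(range(1, 22))]
    + [(0.1 * i, "192.0.2.30", 40000 + i) for i in range(10)]
)


if __name__ == "__main__":
    hits = detect_port_scans(SAMPLE_EVENTS)
    print(hits)
    print(address_list_entries(hits))
```

Only the fast scanner crosses the threshold; the slow scanner stays under it because its attempts age out of the 3 s window faster than they accumulate, which is the trade-off the delay threshold encodes.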
70

User Define/Custom Chain


• Every user-defined chain should be subordinate to at least one of the default chains, reached with action=jump to the defined chain
• This way we do not need to create more than one action under different “if” conditions.
71

User Define/Custom Chain

72

IP Firewall Mangle

73

IP Firewall Mangle
• Used for IP packet marking and IP header field adjustment
• The mangle facility allows us to mark IP packets with special marks.
• These marks are used by other router facilities, like routing and bandwidth management, to identify the packets.
• Additionally, the mangle facility is used to modify some fields in the IP header, like the TOS (DSCP) and TTL fields.
• Marks are used only by the router itself, meaning a mangle mark cannot be transferred to another router
74

IP Firewall Mangle
• Like IP firewall filter, mangle rules are organized in chains
• There are five built-in chains:
• Prerouting - marking before the Global-In queue
• Postrouting - marking before the Global-Out queue
• Input - marking before the Input filter
• Output - marking before the Output filter
• Forward - marking before the Forward filter
• New user-defined chains can be added as necessary
75

IP Firewall Mangle Diagram

76

Traffic Flow version 6


• Diagram showing the process flow of data packets in RouterOS version 6.x
77

IP Firewall Mangle Action


• There are 7 more actions in the mangle:
• mark-connection – mark a connection (mark only the first packet)
• mark-packet – mark a flow (all packets)
• mark-routing - mark packets for policy routing
• change MSS - change the maximum segment size of the packet
• change TOS - change type of service
• change TTL - change time to live
• strip IPv4 options
78

Mark Connection
• Use mark-connection to identify one connection or a group of connections with a specific connection mark
• Connection marks are stored in the connection tracking table
• There can be only one connection mark per connection.
• Connection tracking helps to associate each packet with a specific connection (connection mark)
79

Mark Connection Rule

80

Mark Packet Rule

81

Mark Connection and Mark Packet Rule

82

Mark Packet
Packets can be marked
• Indirectly, using the connection tracking facility, based on previously created connection marks (faster)
• Directly, without connection tracking - no connection marks necessary; the router compares each packet against the given conditions (this process imitates some of the connection tracking features)
83

Mangle Passthrough
84

Mangle Passthrough
85

IP Firewall Mangle NTH


• NTH is a mangle feature that can be used for load balancing or load sharing by counting the packets that have the “new” connection state
• We can call NTH per-packet load balancing

• “Every” is the number of packets in one group, “Packet” is the sequence number at which to start counting
• If we use NTH for load balancing with masquerade, sometimes we will lose sessions; for example, we need to re-login to a website that remembers the session
86

IP Firewall Mangle NTH


[Diagram: LOCAL -> router -> INTERNET over three gateways, packets matched by nth=3,1 / 3,2 / 3,3]

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=first nth=3,1
add action=mark-routing chain=prerouting new-routing-mark=second nth=3,2
add action=mark-routing chain=prerouting new-routing-mark=third nth=3,3

/ip route add gateway=ISP1 routing-mark=first
/ip route add gateway=ISP2 routing-mark=second
/ip route add gateway=ISP3 routing-mark=third
87

IP Firewall Mangle PCC


• PCC (Per Connection Classifier) is load balancing based on connections
• Like NTH, PCC divides the packets by counting them, but PCC identifies the packets of one connection based on: dst-address, src-address, both-addresses, dst-port, src-port, both-ports, dst-address-and-port, src-address-and-port, both-addresses-and-ports

• Meaning the packets are counted in groups of 2, starting with packet number 0 (the first packet)
• NTH counting starts from 1 but PCC counting starts from 0
88

IP Firewall Mangle PCC


[Diagram: LOCAL -> router -> INTERNET over three gateways, connections classified 3/0, 3/1, 3/2]

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=first per-connection-classifier=both-addresses:3/0
add action=mark-routing chain=prerouting new-routing-mark=second per-connection-classifier=both-addresses:3/1
add action=mark-routing chain=prerouting new-routing-mark=third per-connection-classifier=both-addresses:3/2

/ip route add gateway=ISP1 routing-mark=first
/ip route add gateway=ISP2 routing-mark=second
/ip route add gateway=ISP3 routing-mark=third
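The practical difference between the NTH and PCC slides, per-packet counting that spreads one session over several gateways versus a per-connection hash that keeps it on one, can be seen in the added Python model below. It is not RouterOS code: the counter cycling 1..every models `nth=every,packet`, and a SHA-1 hash of the selected fields modulo the denominator stands in for RouterOS's classifier hash, which is an assumption (the property that matters, same fields give the same remainder, holds either way). The traffic is constructed; the routing marks are the ones used in the rules above.

```python
import hashlib

ROUTING_MARKS = ["first", "second", "third"]   # the marks used in the slide's rules


class NthClassifier:
    """Model of nth=every,packet: one counter shared by the three rules cycles
    1..every over the packets reaching them; the rule whose 'packet' value equals
    the counter fires.  Counting starts from 1, as the slide states."""

    def __init__(self, every=3):
        self.every = every
        self.counter = 0

    def mark(self, packet):
        self.counter = self.counter % self.every + 1
        return ROUTING_MARKS[self.counter - 1]


# PCC classifier names from the slide -> packet fields fed to the hash
PCC_FIELDS = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "both-addresses": ("src", "dst"),
    "both-ports": ("sport", "dport"),
    "both-addresses-and-ports": ("src", "sport", "dst", "dport"),
}


def pcc_mark(packet, classifier="both-addresses", denominator=3):
    """Model of per-connection-classifier=<classifier>:<denominator>/<remainder>:
    hash the selected fields, take the remainder modulo the denominator (0-based,
    as the slide notes) and return the mark of the rule carrying that remainder.
    SHA-1 is a stand-in for RouterOS's own hash (assumption)."""
    key = "|".join(str(packet[f]) for f in PCC_FIELDS[classifier]).encode()
    remainder = int.from_bytes(hashlib.sha1(key).digest()[:4], "big") % denominator
    return ROUTING_MARKS[remainder]


def classify_stream(packets, classifier="both-addresses"):
    """Return [(nth_mark, pcc_mark), ...] for a packet stream seen by both rule sets."""
    nth = NthClassifier(every=3)
    return [(nth.mark(p), pcc_mark(p, classifier)) for p in packets]


def flow(src, dst, sport, dport, n):
    """n packets of one connection (constructed helper)."""
    return [{"src": src, "dst": dst, "sport": sport, "dport": dport} for _ in range(n)]


# Constructed traffic: six packets of one HTTPS session followed by three of another.
SAMPLE_STREAM = (flow("192.168.88.10", "203.0.113.5", 51000, 443, 6)
                 + flow("192.168.88.11", "203.0.113.9", 51001, 443, 3))


if __name__ == "__main__":
    for nth_mark, pcc in classify_stream(SAMPLE_STREAM):
        print(f"nth -> {nth_mark:7}  pcc -> {pcc}")
```

With NTH, the six packets of the first session leave through all three gateways in turn, which under masquerade means three different public source addresses for one session; with PCC, every packet of a connection hashes to the same remainder and therefore the same gateway.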
89

HTB
Hierarchical Token Bucket

90

HTB
• All Quality of Service implementation in RouterOS is based on Hierarchical Token Bucket
• HTB allows you to create a hierarchical queue structure and to determine the relations between parent and child queues and between the child queues
• RouterOS v5 supports 3 virtual HTBs (global-in, global-total, global-out) and one more just before every interface
91

Mangle and HTB

92

Mangle and HTB

• When a packet travels through the router, it passes all 4 HTB trees
• When a packet travels to the router, it passes only the global-in and global-total HTB.
• When a packet travels from the router, it passes the global-out, global-total and interface HTB.
93

HTB
• As soon as a queue has at least one child it becomes a parent queue
• All child queues (no matter how many levels of parents they have) are on the same bottom level of the HTB
• Child queues do the actual traffic consumption; parent queues are responsible only for traffic distribution
• Child queues get their limit-at first, and then the rest of the traffic is distributed by the parents
94

HTB Structure

95

HTB Limitation
• HTB has two rate limits:
• CIR (Committed Information Rate) – (limit-at in RouterOS) worst case scenario: the flow will get this amount of traffic no matter what (assuming we can actually send so much data)
• MIR (Maximal Information Rate) – (max-limit in RouterOS) best case scenario: the rate the flow can get up to, if the queue's parent has spare bandwidth
• At first HTB will try to satisfy every child queue's limit-at – only then will it try to reach max-limit
96

HTB Limitation
• The maximal rate of the parent should be equal to or bigger than the sum of the committed rates of the children
• MIR(parent) ≥ CIR(child1) + ... + CIR(childN)
• The maximal rate of any child should be less than or equal to the maximal rate of the parent
• MIR(parent) ≥ MIR(child1)
• MIR(parent) ≥ MIR(child2)
• MIR(parent) ≥ MIR(childN)
97

HTB Limitation
The max-limit of the parent should be equal to or bigger than the sum of the limit-at of the children
• max-limit(parent) >= limit-at(child1) + .... + limit-at(childN)
example:
• queue1 – limit-at=512k – parent=parent1
• queue2 – limit-at=512k – parent=parent1
• queue3 – limit-at=512k – parent=parent1
max-limit of parent1 must be at least 512k*3, or 1,5M; if it is less than 1,5M, max-limit will not work properly
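The two consistency rules of the preceding slides (max-limit of the parent at least the sum of the children's limit-at, and no child max-limit above the parent's) and the limit-at-first-then-priority distribution can be checked before a queue tree goes live. The Python below is an added example, not the slides' or RouterOS's code: `validate_htb` reports violations for a parent and its children, and `distribute` reproduces the parent/child cases of the following slides with a simplified priority-ordered fill (real HTB shares spare bandwidth among equal-priority leaves rather than filling them one by one). Rates are parsed with k = 1000 and M = 1000000, so three 512k children sum to exactly 1536k. Queue names and demands are constructed.

```python
def parse_rate(text):
    """Parse a RouterOS-style rate such as '512k', '1.5M' or '4M' into bits/s.
    Here k = 1000 and M = 1000000; a decimal comma as in the slide's '1,5M' is accepted."""
    text = text.strip().replace(",", ".")
    units = {"k": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if text and text[-1] in units:
        return int(float(text[:-1]) * units[text[-1]])
    return int(text)


def queue(limit_at, max_limit, priority=8):
    """A leaf queue: CIR (limit-at), MIR (max-limit) and priority (1 = highest, 8 = default)."""
    return {"limit_at": parse_rate(limit_at), "max_limit": parse_rate(max_limit),
            "priority": priority}


def validate_htb(parent_max_limit, children):
    """Check the HTB rules from the slides for one parent and its children.
    Returns a list of violations; an empty list means the tree is consistent."""
    parent_max = parse_rate(parent_max_limit)
    problems = []
    total_cir = sum(c["limit_at"] for c in children.values())
    if parent_max < total_cir:
        problems.append(f"max-limit(parent)={parent_max} < sum of limit-at={total_cir}")
    for name, c in children.items():
        if c["max_limit"] > parent_max:
            problems.append(f"max-limit({name})={c['max_limit']} > max-limit(parent)={parent_max}")
        if c["limit_at"] > c["max_limit"]:
            problems.append(f"limit-at({name}) exceeds its own max-limit")
    return problems


def distribute(parent_max_limit, children, demand):
    """Simplified HTB distribution.  Every leaf first receives min(limit-at, demand);
    the parent's remaining capacity then goes to the leaves in priority order, each
    up to its max-limit and its demand.  demand maps queue name -> offered bits/s."""
    parent_max = parse_rate(parent_max_limit)
    alloc = {n: min(c["limit_at"], demand.get(n, 0)) for n, c in children.items()}
    spare = parent_max - sum(alloc.values())
    for name in sorted(children, key=lambda n: (children[n]["priority"], n)):
        c = children[name]
        extra = max(0, min(c["max_limit"] - alloc[name],
                           demand.get(name, 0) - alloc[name], spare))
        alloc[name] += extra
        spare -= extra
    return alloc


if __name__ == "__main__":
    # The slide's example: three 512k children under parent1 (constructed max-limits)
    three = {f"queue{i}": queue("512k", "2M") for i in (1, 2, 3)}
    print(validate_htb("1M", three))   # violations: 1M < 1536k, children's 2M > 1M
    print(validate_htb("2M", three))   # [] -> consistent
    # Two children with limit-at 2M / max-limit 4M under a 4M parent
    bc = {"B": queue("2M", "4M"), "C": queue("2M", "4M")}
    print(distribute("4M", bc, {"B": 10_000_000, "C": 10_000_000}))   # 2M each
    print(distribute("4M", bc, {"B": 10_000_000, "C": 0}))            # B gets 4M
```

Running the first check with a 1M parent shows both rules failing at once, which is the "max-limit will not work properly" case of the slide; the distribution calls reproduce the "B and C get 2M, B alone gets 4M" behaviour of the next slides.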
99

Tips
• The top-level parent does not need the limit-at and priority parameters
• Priority only works at the last (leaf) children, comparing all leaf children with each other
• Priority is evaluated after all limit-at (CIR) has been delivered, and the rest of the bandwidth is distributed by looking at the priority of the children
101

HTB Distribution (1)

• B and C will get 2M
• If C is not using the internet, then B can get 4M
102

HTB Distribution (2)

• Even though the max-limit of the parent is 2M, children B and C can still get 2M; this is why max-limit(parent) >= total limit-at of all children
• If B is not using the internet, C still cannot go up to 4M but stays at 2M
103

HTB Distribution (3)

• B will get more bandwidth than its limit-at because its priority is 1, higher than C, which has priority 8
104

HTB Distribution (4)

• Clients B, C1 and C2 will get 2mbps, as their limit-at
105

HTB Distribution (5)

• C1 and C2 can go up to max-limit, because their parent (C) has limit-at up to 4mbps
106

HTB Distribution (6)

• Once all limit-at has been fulfilled, the rest of the bandwidth is divided by priority
107

HTB Distribution (7)

• The priority of the parent (the rule at level 0) has no effect.
108

HTB Distribution (8)

• All children will get 2mbps of traffic
109

HTB Distribution (9)

• C1, C2, C3 will get 2mbps because their priority is higher than B1 and B2
110

HTB Distribution (10)

• Queue-B will get 4mbps because that is its limit-at.
• C1 > C2 and C1 > C3 because of their priority