Nov 23 2016

When I last did LAN port isolation, it seemingly ended in success, and I have run with that config for a while without problems. However, at one point I decided to implement bandwidth limits per port using queues, and a speed test showed that while the download speed seen from the WAN side was throttled, my upload limit wasn’t being observed.

I won’t get too much into why this is so. It’s sufficient to say you cannot set an upload limit on an interface if it is a slave, and interfaces belonging to a bridge are slaves. It doesn’t matter if you place each interface in its own separate bridge (as was my first attempt): your upload will be throttled, but your download limiting will not work.

The only configuration I’ve found working was to have each interface manage its own network, thus each being a master.

The easiest way to configure this is to enter the commands into New Terminal in WinBox. I will write the commands assuming all bridges, their ports, and each mentioned section are completely empty as we start.

First we need to give a separate IP address to each interface facing our internal LAN:

/ip address
add address= interface=ether2 network= disabled=no
add address= interface=ether3 network= disabled=no
add address= interface=ether4 network= disabled=no
add address= interface=ether5 network= disabled=no

Next we define multiple DHCP pools – in this case 4 of them:

/ip pool
add name=pool1 ranges=
add name=pool2 ranges=
add name=pool3 ranges=
add name=pool4 ranges=

Of course, adding a separate DHCP server for each of these pools is needed:

/ip dhcp-server
add name=server1 interface=ether2 address-pool=pool1 disabled=no
add name=server2 interface=ether3 address-pool=pool2 disabled=no
add name=server3 interface=ether4 address-pool=pool3 disabled=no
add name=server4 interface=ether5 address-pool=pool4 disabled=no

A DHCP network for each of them follows:

/ip dhcp-server network
add address= gateway= netmask=24
add address= gateway= netmask=24
add address= gateway= netmask=24
add address= gateway= netmask=24

A quick stop to verify routes is in order. Assuming all is done correctly, four new dynamic routes should appear (it is OK for disconnected ports to have distance 255):

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 ADS                       1
 1 ADC  ether2              0
 2  DC  ether3            255
 3 ADC  ether4              0
 4 ADC  ether5              0
 5 ADC     ether1              0

Assuming you don’t have NAT masquerade set up from before, let’s set one up now. If you already have it in IP Firewall NAT, simply skip this step:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 disabled=no

After all this we can finally add the traffic limiting queues. In my case the first two ports didn’t have any limits, the third had 1 Mbit/s upload and download, and the last interface had 128 kbit/s upload and 256 kbit/s download:

/queue simple
add name=queue1 target=ether2 max-limit=0/0
add name=queue2 target=ether3 max-limit=0/0
add name=queue3 target=ether4 max-limit=1M/1M
add name=queue4 target=ether5 max-limit=128k/256k

To isolate the LAN ports we again use firewall rules allowing new connections only toward the ether1 (WAN) interface:

/ip firewall filter
add action=accept chain=forward connection-state=established comment="Allow established"
add action=accept chain=forward connection-state=related comment="Allow related"
add action=accept chain=forward out-interface=ether1 comment="Allow WAN"
add action=drop chain=forward comment="Drop everything else"
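As an added example (not part of the original post or of RouterOS itself), here is a small Python model of the forward chain above: it evaluates the four rules top-down, first match wins, for a few constructed sample flows, so you can confirm that LAN-to-WAN and return traffic pass while new LAN-to-LAN and unsolicited WAN-to-LAN connections are dropped. Interface names ether1 to ether5 are assumed from the post.

```python
# Added example: a first-match model of the forward chain configured above.
# RouterOS evaluates firewall rules in the order they were added and applies
# the action of the first rule whose matchers all fit the packet.

# The four rules from the post, in their configured order. A missing matcher
# key means "any"; "action" is what happens on a match.
FORWARD_CHAIN = [
    {"connection-state": "established", "action": "accept"},
    {"connection-state": "related", "action": "accept"},
    {"out-interface": "ether1", "action": "accept"},   # anything leaving via WAN
    {"action": "drop"},                                 # everything else
]

def rule_matches(rule: dict, packet: dict) -> bool:
    """True when every matcher in the rule equals the packet's field."""
    return all(packet.get(key) == value
               for key, value in rule.items() if key != "action")

def forward_verdict(packet: dict, chain=FORWARD_CHAIN) -> str:
    """Action of the first matching rule. RouterOS accepts packets that match
    no rule, but the catch-all drop at the end makes that unreachable here."""
    for rule in chain:
        if rule_matches(rule, packet):
            return rule["action"]
    return "accept"

def isolation_table(lan_ports=("ether2", "ether3", "ether4", "ether5"),
                    wan="ether1") -> dict:
    """Verdict for a *new* connection from each LAN port to every other
    interface, including the WAN port. Constructed sample packets only."""
    table = {}
    for src in lan_ports:
        for dst in lan_ports + (wan,):
            if src == dst:
                continue
            packet = {"in-interface": src, "out-interface": dst,
                      "connection-state": "new"}
            table[(src, dst)] = forward_verdict(packet)
    return table

if __name__ == "__main__":
    for (src, dst), verdict in sorted(isolation_table().items()):
        print(f"{src} -> {dst}: {verdict}")
```

Note that the chain only governs forwarded traffic; packets addressed to the router itself go through the input chain, which this rule set does not touch.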

PS: There is a rather nice guide at Networking For Integrators; they use a quite similar approach for the purpose of segregating multiple networks.
