Isolating Mikrotik LAN Ports With Queue Support

When I last did LAN port isolation, it seemingly ended in success. And yes, I have run with that config for a while without problems. However, at one point I decided to implement bandwidth limits per port using queues. A speed test then showed that while the download speed, looking from the WAN side, was throttled, my maximum upload speed limit wasn't being observed.

I won't go too much into why that is. It's sufficient to say you cannot set an upload speed on an interface if it is a slave. Guess what, interfaces belonging to a bridge are slaves. It doesn't matter if you place each interface in its own separate bridge - as was my first attempt - while your upload will be throttled, your download limiting will not work.

The only configuration I've found to work was to have each interface manage its own network - thus each being a master.

The easiest way to configure this is to enter the commands into New Terminal in WinBox. I will write the commands assuming all bridges, their ports, and each mentioned section are completely empty when we start.

First we need to give a separate IP address to each interface facing our internal LAN:

/ip address
add address= interface=ether2 network= disabled=no
add address= interface=ether3 network= disabled=no
add address= interface=ether4 network= disabled=no
add address= interface=ether5 network= disabled=no

Next we define multiple DHCP pools - in this case four of them:

/ip pool
add name=pool1 ranges=
add name=pool2 ranges=
add name=pool3 ranges=
add name=pool4 ranges=

Of course, adding a separate DHCP server for each of these pools is needed:

/ip dhcp-server
add name=server1 interface=ether2 address-pool=pool1 disabled=no
add name=server2 interface=ether3 address-pool=pool2 disabled=no
add name=server3 interface=ether4 address-pool=pool3 disabled=no
add name=server4 interface=ether5 address-pool=pool4 disabled=no

A DHCP network for each follows:

/ip dhcp-server network
add address= gateway= netmask=24
add address= gateway= netmask=24
add address= gateway= netmask=24
add address= gateway= netmask=24

A quick stop to verify routes is in order. Assuming all is done correctly, four new dynamic routes should appear (it is OK for disconnected ports to have distance 255):

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS 1
1 ADC ether2 0
2 DC ether3 255
3 ADC ether4 0
4 ADC ether5 0
5 ADC ether1 0

Assuming you don't have NAT masquerade set up from before, let's set one up now. If you already have it under IP > Firewall > NAT, simply skip this step:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 disabled=no

After all this we can finally add the traffic-limiting queues. In my case the first two ports didn't have any limits, the third had 1 Mbit/s upload and download, and the last interface had 128 kbit/s upload and 256 kbit/s download:

/queue simple
add name=queue1 target=ether2 max-limit=0/0
add name=queue2 target=ether3 max-limit=0/0
add name=queue3 target=ether4 max-limit=1M/1M
add name=queue4 target=ether5 max-limit=128k/256k

To isolate the LAN ports we again use firewall rules, allowing new connections only toward the ether1 (WAN) interface:

/ip firewall filter
add action=accept chain=forward connection-state=established comment="Allow established"
add action=accept chain=forward connection-state=related comment="Allow related"
add action=accept chain=forward out-interface=ether1 comment="Allow WAN"
add action=drop chain=forward comment="Drop everything else"
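Before committing the rule set, it helps to check what those four rules actually allow and drop. The following is an added example (not RouterOS code and not part of the original post): a small Python model of the forward chain above, evaluated first-match over constructed packets so you can see that LAN-to-LAN and WAN-initiated new connections are dropped while LAN-to-WAN and reply traffic pass.

```python
# Added example: a minimal model of the /ip firewall filter forward chain
# configured above. It is not RouterOS code; the packets are constructed samples.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str
    connection_state: Optional[str] = None  # "established", "related", "new" or None (any)
    out_interface: Optional[str] = None     # interface name or None (any)

# The forward chain exactly as on the page, in order.
FORWARD_CHAIN = [
    Rule("accept", connection_state="established"),
    Rule("accept", connection_state="related"),
    Rule("accept", out_interface="ether1"),
    Rule("drop"),
]

@dataclass(frozen=True)
class Packet:
    in_interface: str
    out_interface: str
    connection_state: str  # conntrack verdict: "new", "established" or "related"

def evaluate(chain, pkt):
    """First-match evaluation, as the RouterOS filter does: return the action
    of the first rule whose set criteria all match the packet."""
    for rule in chain:
        if rule.connection_state is not None and rule.connection_state != pkt.connection_state:
            continue
        if rule.out_interface is not None and rule.out_interface != pkt.out_interface:
            continue
        return rule.action
    return "accept"  # built-in chains accept by default when nothing matches

def isolation_report(lan_ports=("ether2", "ether3", "ether4", "ether5"), wan="ether1"):
    """Verdict for a new connection from every LAN port to every other LAN port
    and to the WAN. Returns {(in_interface, out_interface): action}."""
    report = {}
    for src in lan_ports:
        for dst in lan_ports + (wan,):
            if src != dst:
                report[(src, dst)] = evaluate(FORWARD_CHAIN, Packet(src, dst, "new"))
    return report

if __name__ == "__main__":
    for (src, dst), verdict in sorted(isolation_report().items()):
        print(f"{src} -> {dst}: {verdict}")
```

Note that a new connection arriving on ether1 toward a LAN port is also dropped by the final rule, while its established replies are accepted by the first one.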

PS: There is a quite nice guide at Networking For Integrators. They use a quite similar approach for the purpose of segregating multiple networks.
