
RouterOS Traffic Shaping for the Guest Network


This post is about RouterOS traffic shaping of my guest network. This WiFi network has a simple password (at least one I can remember) and is used for guests who come to visit me at home. Usually guests join this network with mobile devices.

Since I don’t want these devices to use a lot of my general bandwidth, I added traffic shaping for this subnet to make sure its resource usage stays within limits.

RouterOS Firewall Configuration

The setup is straightforward and pretty simple. First, we have to mark the packets we want to shape.

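For each specific layer 7 protocol (e.g. http or https, matched here by destination port) we first mark the connection (using passthrough=yes, which is the default and therefore does not appear in the rules below) and then mark each single packet of this connection. For packet marks we must set passthrough=no, so that a packet which has received its mark is not processed by the rules that follow.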

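In my setup I only distinguish between http and https (which will probably be used in most cases) and everything else, which in the rules below means all other TCP traffic, since the catch-all rule matches protocol=tcp. As you can see, I tag both http and https with the same http-conn connection mark and the same http-pkt packet mark.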

/ip firewall mangle
add action=mark-connection chain=prerouting dst-port=80 in-interface="guest" \
    new-connection-mark=http-conn protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http-conn \
    new-packet-mark=http-pkt passthrough=no
add action=mark-connection chain=prerouting dst-port=443 in-interface="guest" \
    new-connection-mark=http-conn protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http-conn \
    new-packet-mark=http-pkt passthrough=no
add action=mark-connection chain=prerouting in-interface="guest" \
    new-connection-mark=other-conn protocol=tcp
add action=mark-packet chain=prerouting connection-mark=other-conn \
    new-packet-mark=other-pkt passthrough=no
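
The rule walk described above, modelled in Python as an added example (not part of the original post and not RouterOS code): it replays the six mangle rules against constructed sample packets and shows which packet mark, if any, the queue tree would see. The `wan` interface name, the `flow` key and the sample packets are assumptions made for the illustration.

```python
# Simplified model of how RouterOS walks the six mangle rules listed above.
# Constructed illustration: "wan", "flow" and the sample packets are assumptions.
RULES = [
    dict(action="mark-connection", iface="guest", proto="tcp", dport=80, new="http-conn"),
    dict(action="mark-packet", conn="http-conn", new="http-pkt", passthrough=False),
    dict(action="mark-connection", iface="guest", proto="tcp", dport=443, new="http-conn"),
    dict(action="mark-packet", conn="http-conn", new="http-pkt", passthrough=False),
    dict(action="mark-connection", iface="guest", proto="tcp", new="other-conn"),
    dict(action="mark-packet", conn="other-conn", new="other-pkt", passthrough=False),
]

def rule_matches(rule, pkt, conn_mark):
    """A rule matches only if every matcher it carries agrees with the packet."""
    return (rule.get("iface") in (None, pkt["iface"])
            and rule.get("proto") in (None, pkt["proto"])
            and rule.get("dport") in (None, pkt["dport"])
            and rule.get("conn") in (None, conn_mark))

def classify(pkt, conn_table):
    """Return the packet mark the queue tree would see, or None if unmarked."""
    packet_mark = None
    for rule in RULES:
        if not rule_matches(rule, pkt, conn_table.get(pkt["flow"])):
            continue
        if rule["action"] == "mark-connection":
            conn_table[pkt["flow"]] = rule["new"]  # mark sticks to the whole connection
        else:
            packet_mark = rule["new"]
        if not rule.get("passthrough", True):      # passthrough=no ends the rule walk
            break
    return packet_mark

# Constructed sample packets; "flow" ties a reply to the request that opened it.
SAMPLES = [
    ("https request",   dict(flow="a", iface="guest", proto="tcp", dport=443)),
    ("https reply",     dict(flow="a", iface="wan", proto="tcp", dport=51000)),
    ("ssh request",     dict(flow="b", iface="guest", proto="tcp", dport=22)),
    ("udp/443 request", dict(flow="c", iface="guest", proto="udp", dport=443)),
    ("dns request",     dict(flow="d", iface="guest", proto="udp", dport=53)),
]

def report():
    """Classify every sample in order, sharing one connection table."""
    conn_table = {}
    return {label: classify(pkt, conn_table) for label, pkt in SAMPLES}

if __name__ == "__main__":
    for label, mark in report().items():
        print(f"{label:16} -> {mark or 'unmarked (no queue applies)'}")
```

The reply packet inherits its mark from the connection mark set by the request, which is why the download direction is shaped as well; the two UDP samples match no rule and so reach the queue tree without a packet mark.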

RouterOS Traffic Shaping

[Screenshot: RouterOS Queue List window]

Once the firewall is ready and marking all packets, we can configure the traffic shaping itself.

As you can easily see, I set the CIR (Committed Information Rate, limit-at) to 512kbit/sec and the MIR (Maximum Information Rate, max-limit) to 1024kbit/sec for the http/https traffic. For everything else, the CIR is 256kbit/sec and the MIR is 512kbit/sec.

/queue tree
add comment="http traffic gets high prio" limit-at=524288 max-limit=1048576 \
    name=guest-http packet-mark=http-pkt parent="guest" priority=1 \
    queue=wireless-default
add comment="everything else has low prio" limit-at=262144 max-limit=524288 \
    name=guest-other packet-mark=other-pkt parent="guest" queue=\
    wireless-default

So that’s it. After this is done, my guest network is locked in with low bandwidth usage and can’t bother my home network very much.

