. :   Limit user/IP by volume   : .



Today a customer called and asked me how he (I *G*) could limit every client on his LAN to a certain amount of traffic (volume, not speed!). He's running a small wireless network behind his Mikrotik router and wants the guys and girls to behave ;-)

I remembered that I read something like that on the Mikrotik Wiki some time ago and started to search for the article. The article was found pretty quickly and I tried it on a RB133 with RouterOS 2.9.50. Everything worked fine, but my customer was running RouterOS v3.... After some f#cking around with the "new" v3 syntax I got it to run on my RB532 with version 3.3.

The script on the Mikrotik Wiki is working fine, but as mentioned above, my customer was running v3, wanted a script to create queues for ALL his LAN IPs, a script to slow down heavy users, maybe even block them and reset the rules on the first day of every month automatically! As I'm a very nice person I solved this problem for him ;-)

First I had to create the queues for every IP on his LAN segment:

   /queue simple
   :for i from=1 to=254 do={
    add name=("192.168.7.$i") target-addresses=("192.168.7.$i") \
    dst-address=0.0.0.0/0 interface=all limit-at=0/0 max-limit=0/0 disabled=no
   }

This small script creates queues from 192.168.7.1 up to 192.168.7.254 with NO rate limiting! We just need those queues for accounting (at least until now). You could also limit every IP to a certain rate (for example 2mbit) and if the client shoots through his allowed amount of traffic you slow him down to, let's say, 128kbit. I didn't need that here because all of his clients are limited on their Routerboards.

Then I had to solve the problem for the automatic reset:

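   # The clock returns the date as e.g. "jan/01/2008": characters 4 and 5 are the day.
   # On day 01 all queue counters are cleared and every queue is set back to unlimited.
   :local date
   :local day
   :set date [/system clock get date]
   :set day [:pick $date 4 6]
   /queue simple
    :if ($day = "01") do={
     reset-counters-all
      :for i from=1 to=254 do={
      set [find target-addresses="192.168.7.$i/32"] max-limit=0/0
      }
   }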

The scheduler runs this script every day. If the date (hopefully correctly set!!!) returns that it is day 01 all counters for the queues created above are cleared AND the rate limiting is set to 0 (unlimited) again!

So we have the queues, we have a script that clears the counters every month and now we need the v3-aware script that throttles our heavy users down to a lower rate:

   :local traffic
   /queue simple
     :for i from=1 to=254 do={
      :set traffic [get [find target-addresses="192.168.7.$i/32"] total-bytes]
       :if ($traffic > 1000000000) do={
        set [find target-addresses="192.168.7.$i/32"] max-limit=128000/128000
       }
      }

This script reads the total-bytes of every queue. If the total-bytes of a certain IP exceed 1.000.000.000 bytes, that IP will be limited to 128 up/down for the rest of the month. It depends on your router hardware how often you can run this script. More often means you will get a more accurate result, so if you are running a RB1000 you can run it for example every hour, but on a RB150 with some traffic/firewall/nat the script needs about 1 hour(!!!) to check 254 queues. Please be patient on slower hardware and don't let the scheduler run it every 5 minutes ;-)
If you don't need to check 254 queues, for example if you have only 10 workstations ranging from 192.168.7.1 to 192.168.7.10 just change the ":for i from=1 to=254" to ":for i from=1 to=10" or whatever you need.

If you are the dean of mean, you could also completely block users who reach the limit. This would be done by the following script:

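   # The drop rule is added only if the IP has none yet;
   # otherwise every scheduled run would stack another copy of the rule.
   :local traffic
   /queue simple
     :for i from=1 to=254 do={
      :set traffic [get [find target-addresses="192.168.7.$i/32"] total-bytes]
       :if ($traffic > 1000000000) do={
        :if ([:len [/ip firewall filter find src-address="192.168.7.$i"]] = 0) do={
         /ip firewall filter \
            add chain=forward comment="Oh behave, baby!" \
            src-address=("192.168.7.$i") dst-address=0.0.0.0/0 action=drop
        }
       }
      }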








Disclaimer: Use at your own risk, absolutely no warranty and.... please be nice to your clients, don't punish them too much ;-)



Q: Total bytes?
A: Yeah. This script uses total-bytes, which means UP- and DOWNLOAD! So 700MB download and 301MB upload is enough to limit you :-p

Q: Well, sucker... I'll download 1 gig and pull the plug to reboot the router! :-p
A: Great idea ;-) I know about that "problem". Mikrotik clears the counters on every reboot, but I don't care about that, because even if your secretary/trainee/or whoever you are trying to limit knows about this issue, it's YOUR job to keep them away from your network infrastructure!!!!!! Or are you trying to limit yourself? ;-)
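
The reboot caveat from the last answer, worked through as an added example (not part of the original post): if the total-bytes readings are also collected off the router at intervals, usage can be summed across counter resets instead of trusting the latest counter. It assumes the counters start at zero after the monthly reset; the function names and the sample readings are constructed for illustration.

```python
# Added example: per-IP quota accounting that tolerates counter resets.
from collections import defaultdict

QUOTA_BYTES = 1_000_000_000  # same threshold as the router scripts

# Constructed readings of (ip, total-bytes), oldest first. The router is
# rebooted after the third reading, so its counters restart from zero.
SAMPLES = [
    ("192.168.7.10", 400_000_000),
    ("192.168.7.11", 100_000_000),
    ("192.168.7.10", 900_000_000),
    ("192.168.7.10", 50_000_000),   # first reading after the reboot
    ("192.168.7.11", 20_000_000),   # first reading after the reboot
    ("192.168.7.10", 200_000_000),
    ("192.168.7.11", 30_000_000),
]

def accumulate(samples):
    """Return {ip: bytes used}, summing deltas between successive readings."""
    used = defaultdict(int)
    last = {}
    for ip, counter in samples:
        prev = last.get(ip)
        if prev is None or counter < prev:
            # First reading, or the counter went backwards (reset/reboot):
            # everything currently on the counter is new traffic.
            delta = counter
        else:
            delta = counter - prev
        used[ip] += delta
        last[ip] = counter
    return dict(used)

def over_quota(samples, quota=QUOTA_BYTES):
    """IPs whose accumulated usage exceeds the quota."""
    return sorted(ip for ip, used in accumulate(samples).items() if used > quota)

def over_quota_last_counter(samples, quota=QUOTA_BYTES):
    """What a check on the current counter alone would report."""
    latest = dict(samples)  # later readings overwrite earlier ones
    return sorted(ip for ip, counter in latest.items() if counter > quota)

if __name__ == "__main__":
    print("accumulated :", accumulate(SAMPLES))
    print("over quota  :", over_quota(SAMPLES))
    print("counter only:", over_quota_last_counter(SAMPLES))
```

Traffic that passes between the last reading and the reboot is never seen, so the accumulated figure is a lower bound that gets tighter with more frequent readings.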