2012-Q1 Mikrotik: Contention Rates Implementation Guide

Contention buckets can be implemented in a fairly simple way using the RADIUS integration between SIMPLer and Mikrotik PPPoE. The implementation is based on the 'Filter-Id' RADIUS reply attribute. If SIMPLer returns this attribute on customer authentication, the Mikrotik creates two dynamic rules in the firewall for that session. Those rules are used to populate a dynamic IP address list, the list drives packet marking, and finally the packet marks place the customer's traffic under the appropriate QoS queue.

The first step in getting Contention Rates up and running is to set up the Queue Tree on the Mikrotik controller. This can be done either from a shell console or through the Winbox GUI. Winbox is recommended for testing; for a production environment it is best to prepare a set of console commands that initialise the SAME queue tree on every Mikrotik unit, so that the packet marks and queue names are identical across the fleet. Setting up HTB queues is covered at the following link:

http://wiki.mikrotik.com/wiki/Manual:HTB

The important things to note while setting up the queues are the packet marks used to steer a packet stream into a particular queue. Packets must be given exactly the same packet marks in the Mikrotik firewall (mangle) that the queues reference, or the traffic will never reach the intended queue. The Mikrotik firewall setup must meet the following guidelines:

    • Create an address list, 'Internal IP List', that covers all IP addresses used by customers on the Mikrotik. This is essential when marking packets: it restricts the dynamic lists to customer addresses.

    • In the 'Filter Rules' tab (chain 'forward'):

      1. All packets must be passed to the 'ppp' firewall chain using a jump rule. Place this jump before any rule in 'forward' that would accept the traffic first.

      2. The 'ppp' rules are created automatically once a PPP connection is authenticated. If a 'Filter-Id' attribute is sent back from RADIUS, two 'jump' rules are created in the 'ppp' chain that pass the user's packets to the chain named in the Filter-Id attribute (i.e. if Filter-Id is set to Bucket1, the jump rules for that PPPoE user direct the user's packets to firewall chain 'Bucket1'; that chain must exist if the packets are to be processed any further).

      3. There must be a chain for each 'Filter-Id' value in use. The best practice for these chains is to match on the SRC and DST IP addresses (using 'Internal IP List' so that only internal addresses are recorded; otherwise every remote host a customer talks to would also land in the list) and add the matched addresses to a dynamic firewall address list, which is then used in the 'mangle' firewall table.

    • In the 'Mangle' tab:

      1. Create rules that mark the connections of each IP in the dynamic firewall address lists (one list per bucket) with a 'BucketX' connection mark.

      2. Create rules that give packets carrying a connection mark the corresponding 'packet marks'; these packet marks are what the queues match on.
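The guidelines above, worked through for a single bucket as an added example. These are RouterOS console commands written for this page; they are not Azotel's or MikroTik's own configuration. Assumptions: RouterOS v5 (the 'global-out' queue parent; RouterOS v6 replaces global-in/global-out with a single 'global' parent), customer addresses in 10.0.0.0/16, a Filter-Id value of 'Bucket1' returned by SIMPLer, a 100M parent per direction and a shared 20M down / 5M up ceiling for the bucket. All names and numbers are placeholders to adjust for your network.

```routeros
# Added example, not from the original guide. Assumptions: RouterOS v5,
# customer addresses in 10.0.0.0/16, RADIUS returns Filter-Id=Bucket1,
# bucket ceiling 20M down / 5M up under 100M parents.

# --- Guideline 1: static list of every customer (internal) address ---
/ip firewall address-list
add list="Internal IP List" address=10.0.0.0/16 comment="all PPPoE customer addresses"

# --- Guideline 2 (filter, chain forward): hand every packet to chain ppp.
#     RADIUS then creates the dynamic jump rules in chain ppp that send each
#     authenticated user's packets on to the chain named by Filter-Id.
#     Keep this rule above any 'accept' in forward, or traffic bypasses it.
/ip firewall filter
add chain=forward action=jump jump-target=ppp comment="all forwarded traffic via ppp"

# --- Guideline 3: one chain per Filter-Id value. Only addresses present in
#     "Internal IP List" are recorded, so the remote hosts a customer talks
#     to never end up in the bucket list. Entries expire when idle (assumed
#     1h; tune to your session policy).
add chain=Bucket1 src-address-list="Internal IP List" \
    action=add-src-to-address-list address-list=Bucket1-ips \
    address-list-timeout=1h comment="upload: customer is the source"
add chain=Bucket1 dst-address-list="Internal IP List" \
    action=add-dst-to-address-list address-list=Bucket1-ips \
    address-list-timeout=1h comment="download: customer is the destination"

# --- Mangle step 1: connection mark for every flow of a bucket member.
#     Chain forward is used (not prerouting) so that, if the router NATs
#     customers, the customer address is already restored on inbound packets.
#     connection-mark=no-mark avoids re-marking flows already classified.
/ip firewall mangle
add chain=forward src-address-list=Bucket1-ips connection-mark=no-mark \
    action=mark-connection new-connection-mark=Bucket1 passthrough=yes
add chain=forward dst-address-list=Bucket1-ips connection-mark=no-mark \
    action=mark-connection new-connection-mark=Bucket1 passthrough=yes

# --- Mangle step 2: packet marks derived from the connection mark.
#     Direction is decided by which end of the packet is the customer.
add chain=forward connection-mark=Bucket1 dst-address-list=Bucket1-ips \
    action=mark-packet new-packet-mark=Bucket1-down passthrough=no
add chain=forward connection-mark=Bucket1 src-address-list=Bucket1-ips \
    action=mark-packet new-packet-mark=Bucket1-up passthrough=no

# --- HTB queue tree: the packet marks above select the bucket queue.
#     global-out sees every packet leaving the router after mangle forward,
#     so both directions can hang off it (v5; use parent=global in v6).
/queue tree
add name=Download parent=global-out max-limit=100M
add name=Upload parent=global-out max-limit=100M
add name=Bucket1-down parent=Download packet-mark=Bucket1-down \
    limit-at=2M max-limit=20M priority=5
add name=Bucket1-up parent=Upload packet-mark=Bucket1-up \
    limit-at=512k max-limit=5M priority=5
```

To check the chain end to end, authenticate a customer whose SIMPLer profile returns Filter-Id=Bucket1, then run '/ip firewall filter print where chain=ppp' (the two dynamic jump rules appear flagged D), '/ip firewall address-list print where list=Bucket1-ips' (the customer's address should be listed), and '/queue tree print stats' (the Bucket1 queues should show bytes counting up). If the address list stays empty, the usual cause is a rule in 'forward' accepting the traffic above the jump to 'ppp'. A second bucket is the same set of rules with 'Bucket1' replaced throughout.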

Azotel | River House | Blackpool Park | Cork | Ireland

US +1-312-239-0680 | IE +353-21-234-8100 | UK +44-207-193-4170 | SA +27-11-083-6900