Monday, 07 April 2008

PPTP Server

A minimalistic HowTo for using a MikroTik RouterOS box as a PPTP server, based on 2.9.x. Use it at your own risk. Keep in mind that PPTP's MS-CHAPv2/MPPE has since been shown to be breakable: an attacker who captures the authentication handshake can recover the user's NT password hash offline with a single-DES key search, and the MPPE session keys are derived from that hash, so treat the tunnel as light obfuscation rather than strong encryption.

I prefer bridge groups as they are always up and one can add physical interfaces later. The arp=proxy-arp is important: the PPTP pool below lies inside the LAN subnet, so the router must answer ARP requests for the tunnelled clients on their behalf, otherwise LAN hosts cannot reach them.

N.B. 8 Oct 2007: "set gre disabled=no" is not active on RouterOS 3.0rc5

/ interface ethernet
set ether1 name="ether1"

/ interface bridge
add name="lan" arp=proxy-arp

/ interface bridge port
add interface=ether1 bridge=lan

/ ip address
add address=192.168.0.1/24 interface=lan

/ ip dns
# allow-remote-requests lets the router resolve names for the PPTP clients (dns-server=192.168.0.1 in the profile).
# It assumes upstream servers are configured (primary-dns / secondary-dns). Without an input filter the router
# is also an open resolver for anyone who can reach it.
set allow-remote-requests=yes

/ ip firewall service-port
set gre disabled=no
set pptp disabled=no

/ ip pool
add name="pptp" ranges=192.168.0.200-192.168.0.229

/ ppp profile
add name="pptp-in" local-address=192.168.0.1 remote-address=pptp use-encryption=required only-one=yes change-tcp-mss=yes dns-server=192.168.0.1

/ interface pptp-server server
# Plain CHAP produces no MPPE key material, so a client authenticating with chap can never satisfy
# use-encryption=required and is dropped; MS-CHAPv1 is weaker than v2, so only mschap2 is offered.
set enabled=yes max-mtu=1460 max-mru=1460 authentication=mschap2 default-profile=pptp-in

/ ppp secret
add name="user-1" service=pptp password="******" profile=pptp-in
add name="user-2" service=pptp password="******" profile=pptp-in
# ...
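The HowTo stops at the PPP configuration. As an added example, not part of the original HowTo, here is the input filter a practitioner would put in front of it so that the Internet side can reach only the PPTP control port and the GRE tunnel, and cannot use the router as an open resolver. It assumes ether2 is the Internet-facing interface (the HowTo only defines ether1, in the bridge); the LAN bridge and the PPTP client interfaces are not matched by in-interface=ether2 and keep full access.

```routeros
# Added example, not from the original HowTo. Assumes ether2 is the WAN interface.
/ ip firewall filter
# Replies to connections the router itself opened (DNS forwarding, NTP, ...)
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
# The only two things the WAN side may talk to: the PPTP control channel and the GRE tunnel
add chain=input in-interface=ether2 protocol=tcp dst-port=1723 action=accept
add chain=input in-interface=ether2 protocol=gre action=accept
# Everything else from the WAN is dropped, which also closes the resolver (udp/tcp 53)
# that allow-remote-requests=yes opened to the whole Internet
add chain=input in-interface=ether2 action=drop
```

Order matters: RouterOS evaluates the input chain top to bottom and stops at the first match, so the two accept rules must stay above the final drop.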

Sunday, 23 December 2007

[Mikrotik] Per Connection Queue (PCQ)

Per Connection Queue (PCQ) is a queuing discipline that dynamically equalizes or shapes traffic for many users with little administration: it creates one sub-queue per value of a classifier (for example per destination address) and serves the sub-queues fairly. PCQ scenarios fall into three major groups: a fixed per-user rate for a number of users, equal division of a known total bandwidth between users, and equal division of an unknown total bandwidth between users.

Equal Bandwidth for a Number of Users

Use a PCQ-type queue when you need to give each of a number of users the same bandwidth [and cap it]. In this example each user gets at most 64kbps download and 32kbps upload.

[Figure: PCQ.png, not reproduced here]

There are two ways to do this: using mangle and queue trees, or using simple queues.

1. Mark all packets with packet-mark all:

/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=all passthrough=no


2. Set up two PCQ queue types, one for download and one for upload. dst-address is the classifier for the users' download traffic (every destination address gets its own sub-queue), src-address for upload traffic. Note that the classifier trusts the address in the packet: a host that uses several IPs, or spoofs its source address on upload, gets that many shares, so pair this with an anti-spoofing filter on the LAN side.

/queue type add name="PCQ_download" kind=pcq pcq-rate=64000 pcq-classifier=dst-address
/queue type add name="PCQ_upload" kind=pcq pcq-rate=32000 pcq-classifier=src-address


3. Finally, two queue rules are required, one for download and one for upload:

/queue tree add parent=global-in queue=PCQ_download packet-mark=all
/queue tree add parent=global-out queue=PCQ_upload packet-mark=all

If you don't like using mangle and queue trees, skip step 1, do step 2, and for step 3 create a single simple queue instead:

/queue simple add queue=PCQ_upload/PCQ_download target-addresses=192.168.0.0/24
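The post only shows the first of the three scenarios from its introduction, a fixed rate per user. As an added example that is not part of the original post, here is the second one, a known total bandwidth divided equally between whoever is active: pcq-rate=0 removes the per-user ceiling, and the parent simple queue's max-limit (upload/download) sets the total that PCQ shares out. The subnet and the 512kbps/2Mbps totals are assumed.

```routeros
# Added example, not from the original post. Assumes the LAN is 192.168.0.0/24 and the
# link is 2 Mbit/s down, 512 kbit/s up.
/ queue type
# pcq-rate=0: no per-user cap, each active user gets an equal share of whatever the parent allows
add name="PCQ_download_fair" kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name="PCQ_upload_fair" kind=pcq pcq-rate=0 pcq-classifier=src-address
/ queue simple
# max-limit is upload/download; the queue= pair is upload-type/download-type in the same order
add name="fair-share" target-addresses=192.168.0.0/24 max-limit=512000/2048000 \
queue=PCQ_upload_fair/PCQ_download_fair
```

With pcq-rate=0 one user alone gets the whole 2Mbps, two users get 1Mbps each, and so on; with the pcq-rate=64000 type from the post a single user would still be held to 64kbps even on an idle link. Set max-limit a little below the real link capacity, otherwise the bottleneck is upstream and PCQ never gets to arbitrate.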

Saturday, 22 December 2007

[Mikrotik] Transparent Traffic Shaper

We will configure one queue limiting the total throughput to the client and three sub-queues that limit HTTP, P2P and all other traffic separately.

Quick Start for the Impatient
Configuration snippet from the MikroTik router:

/ interface bridge
add name="bridge1"
/ interface bridge port
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1

/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet \
new-packet-mark=http passthrough=no
add chain=prerouting p2p=all-p2p action=mark-connection \
new-connection-mark=p2p_conn passthrough=yes
add chain=prerouting connection-mark=p2p_conn action=mark-packet \
new-packet-mark=p2p passthrough=no
add chain=prerouting action=mark-connection new-connection-mark=other_conn \
passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet \
new-packet-mark=other passthrough=no

/ queue simple
add name="main" target-addresses=10.0.0.12/32 max-limit=256000/512000
add name="http" parent=main packet-marks=http max-limit=240000/500000
add name="p2p" parent=main packet-marks=p2p max-limit=64000/64000
add name="other" parent=main packet-marks=other max-limit=128000/128000
Explanation
Each piece of code is followed by the explanation of what it actually does.

Bridge
/ interface bridge
add name="bridge1"
/ interface bridge port
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1
We create a new bridge interface and assign two ethernet interfaces to it, so the shaper sits inline and is completely transparent to the client: no addressing or routing changes on either side. One thing to check: bridged frames only pass through /ip firewall (and hence the mangle rules below) when /interface bridge settings has use-ip-firewall=yes; otherwise the marks are never set and the sub-queues stay empty.

Mangle
/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet \
new-packet-mark=http passthrough=no
All traffic to TCP port 80 is assumed to be HTTP: the first rule marks the connection http_conn, and the second rule then marks every packet of such a connection (in both directions) with the packet mark http. Note that the first rule has passthrough=yes, so the packet continues on to the second rule, while the second has passthrough=no, so http packets never reach the P2P and other rules below. The classification is by port only, so anything a client chooses to run over port 80 inherits the larger HTTP allotment; this is cheap, not tamper-proof. (Additional information about mangle: http://www.mikrotik.com/docs/ros/2.9/ip/mangle)

/ ip firewall mangle
add chain=prerouting p2p=all-p2p action=mark-connection \
new-connection-mark=p2p_conn passthrough=yes
add chain=prerouting connection-mark=p2p_conn action=mark-packet \
new-packet-mark=p2p passthrough=no
add chain=prerouting action=mark-connection new-connection-mark=other_conn \
passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet \
new-packet-mark=other passthrough=no

Same as above: P2P traffic, as recognised by the built-in p2p matcher, is marked with the packet mark p2p, and everything that reaches the last two rules, i.e. everything not already stopped by a passthrough=no rule, is marked other. Since all-p2p matches on payload signatures, it only fires once a connection has shown enough packets to be recognised, and it does not recognise encrypted or obfuscated P2P protocols; such traffic lands in other instead.

Queues
/ queue simple
add name="main" target-addresses=10.0.0.12/32 max-limit=256000/512000
We create a queue that limits all traffic going to/from the client (specified by the target-address) to 256k upload / 512k download; max-limit is given as upload/download.

/ queue simple
add name="http" parent=main packet-marks=http max-limit=240000/500000
add name="p2p" parent=main packet-marks=p2p max-limit=64000/64000
add name="other" parent=main packet-marks=other max-limit=128000/128000
All sub-queues have the main queue as their parent, so the aggregate rate cannot exceed the limits of the main queue even though the sub-queue limits add up to more. Note that, as written, the http queue only has a higher ceiling (240k/500k) than the others; the configuration sets no priority, so all three sub-queues compete with the default priority 8 and HTTP is not actually preferred when the parent is saturated. To prioritize HTTP over the other two, add priority=1 (1 is the highest, 8 the lowest) to the http queue.
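As an added example, not the page's own configuration, here is the same shaper with three changes a practitioner would make before deploying it: the bridge setting that lets mangle see bridged frames at all, explicit priorities so that HTTP really is preferred and P2P really is last when the parent queue is saturated, and an other_conn rule restricted to connections that carry no mark yet. Interface names, the client address and the rates follow the page; the use-ip-firewall line, the no-mark condition and the priority values are my additions.

```routeros
# Added example, not from the original page. Interfaces, client and rates as on the page;
# use-ip-firewall, connection-mark=no-mark and the priority values are additions.
/ interface bridge
add name="bridge1"
/ interface bridge port
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1
/ interface bridge settings
# Bridged frames bypass /ip firewall mangle unless this is on; without it no packet mark
# is ever set and the three sub-queues stay empty
set use-ip-firewall=yes

/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet \
new-packet-mark=http passthrough=no
add chain=prerouting p2p=all-p2p action=mark-connection \
new-connection-mark=p2p_conn passthrough=yes
add chain=prerouting connection-mark=p2p_conn action=mark-packet \
new-packet-mark=p2p passthrough=no
# Only still-unmarked connections become other_conn; a connection the p2p matcher recognises
# a few packets later is re-marked p2p_conn by the unconditional rule above
add chain=prerouting connection-mark=no-mark action=mark-connection \
new-connection-mark=other_conn passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet \
new-packet-mark=other passthrough=no

/ queue simple
# max-limit is upload/download
add name="main" target-addresses=10.0.0.12/32 max-limit=256000/512000
# priority 1 is the highest, 8 the lowest: when main is saturated HTTP is served first,
# ordinary traffic next, and P2P gets whatever is left up to its own cap
add name="http" parent=main packet-marks=http max-limit=240000/500000 priority=1
add name="other" parent=main packet-marks=other max-limit=128000/128000 priority=4
add name="p2p" parent=main packet-marks=p2p max-limit=64000/64000 priority=8
```

Priorities only decide who wins contention inside the parent; each sub-queue is still bounded by its own max-limit, so P2P can never take more than 64k/64k even on an idle link.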