Limiting bandwidth available to specific device(s) on MikroTik routers.
Having moved back to the Texas Hill Country, I'm on an LTE internet connection for both work and home, forcing me to be more cautious with my bandwidth consumption. This was driven by my inability to limit bandwidth / video quality when using the Amazon Prime Video client on a Roku 3 -- a 45 minute episode of Justified burned about 1.25GB of data.
Unlike Netflix, I could find no mechanism with which I could limit video quality on Prime Video, either on the Roku 3 client or in my Amazon account. These notes document my foray into brute-force bandwidth throttling for Prime Video on a Roku 3.
I'm using a MikroTik
OmniTik 5 ac router / access point. For an inexpensive
piece of equipment, it offers some tremendous functionality. Relevant in this
context is its support for Cisco's NetFlow, which can stream network
performance/protocol/endpoint information to a remote monitoring system for
For a monitoring system, I chose to use
ntopng), as it was the
easiest to get running via
macports. After installation, I ran it via the
ntop --user khe --db-file-path "$HOME/ntop"
It can be configured via
macports to start as a service at boot time.
Once it's running, it can be accessed via browser at
Using the web interface, configure
ntop to accept NetFlow data from the
NetFlow Device, click
Set Interface Name
Local Collector UDP Port, click
- Enter the MikroTik router's address/netmask as the
Virtual NetFlow Interface Network Address, click
Set Interface Address.
At this point,
ntop is listening for NetFlow data on port
Configuring the MikroTik Router
Although I have an OmniTik router, these instructions will apply to any
MikroTik router running
RouterOS 6. Enter the following RouterOS commands
via ssh or WinBox:
/ip traffic-flow set enabled=yes interfaces=all
/ip traffic-flow target add dst-address=192.168.88.199 port=2055 version=5
The IP address shown is that of the machine running
ntop to Monitor Bandwidth/Traffic
Once RouterOS is configured, data should appear in
ntop. If it
Utils->ViewLog for possible hints about the problem.
ntop is simple. For example, browsing to
IP->Summary->Traffic will display bandwidth usage by IP. Within
Network Traffic page, clicking on an IP will display detailed
information about traffic to/from the IP.
I am new to RouterOS; it's quite possible there are better ways to accomplish my goal.
Apparently the key to any of the bandwidth limiting mechanisms is the
fasttrack feature. When
fasttrack is enabled, many portions of the typical
packet flow within the switch are bypassed. This seemingly includes bandwidth
control, among many other things. This explains why a number of my early
attempts at controlling bandwidth failed.
The first step, then, is to disable
fasttrack. This can reduce router
performance due to the increased packet processing overhead, but my network is
lightly used overall and I had to find some way to control bandwidth. To
fasttrack, run the command
/ip firewall filter print and look for
the rule that starts
;;; defconf: fasttrack. In my case, it was rule #7.
fasttrack, disable its firewall rule via:
/ip firewall filter disable numbers=7.
There are at least two ways to control bandwidth by IP. One involves the creation of a Queue which is linked to the IP. The other involves using DHCP settings to limit bandwidth. I chose the latter because either approach involves ensuring the target device has a stable static IP.
Limit Bandwidth via DHCP
I chose 256Kb/s as a starting point; this is about 115MB/hour. This represents at least a ten-fold decrease in bandwidth utilization for APV. I found that Netflix would function at even lower rates but that Prime Video would not. This setting provides a suitably pixelated image on both services, making it apparent that bandwidth is being throttled.
I should point out that this approach throttles bandwidth to anything accessing the network from the Roku -- Prime Video, Netflix, HULU, whatever... -- it's a pretty blunt instrument.
Find the IP and MAC of the device you wish to rate limit. In my case, the Roku had already been on the network and had a DHCP lease. Find it by:
/ip dhcp-server lease print
Use the IP and MAC from the previous step and change it to a static IP and set a rate limit:
/ip dhcp-server lease add address=192.168.88.244 address-lists="" dhcp-option="" disabled=no insert-queue-before=first mac-address=B0:A7:37:EB:E6:29 rate-limit=256k server=defconf
Although I'm using
ntop to monitor bandwidth consumption overall long-term,
it leaves a little to be desired if one is tweaking RouterOS settings and
looking for near-real-time data. RouterOS can help here. Graphs are
available in both WinBox and the web interface. I actually prefer the web
interface for this as the axes are well labeled, whereas there are no units
labels on the WinBox graphs.
With the RouterOS in
WebFig mode, click on 'Interfaces', choose the
relevant interface, and scroll to the bottom of the page for real-time
bandwidth graphs. I haven't been able to find a built-in way to graph
bandwidth for IP addresses.
Note that when looking at an individual interface, the 'Overall Stats'
tab shows cumulative Tx/Rx data. It also allows the counters to be reset.
Depending upon your situation, this may be all you need, allowing one to
I expect to add a Plex client to the Roku in a month or so. At that time, I'll have to revisit this plan. Granting the Roku unlimited bandwidth when accessing a local Plex server may require revisiting the use of Queues.