AI Block Lab - Linux Server Tutorials

MikroTik Traffic Classification Using Mangle (LocalToGlobal, GlobalToLocal, LocalToLocal)
This guide explains how to classify network traffic in RouterOS running on MikroTik routers using Firewall Mangle. The goal is to divide traffic into five logical directions:
  • LocalToGlobal – client traffic going to the Internet
  • GlobalToLocal – Internet traffic coming to clients
  • LocalToLocal – traffic between subscribers in the same network
  • LocalToMikrotik – traffic from subscribers to the router
  • MikrotikToLocal – traffic generated by the router to clients
This traffic model is very useful for Internet Service Providers and large local networks because it allows:
  • bandwidth shaping using Queue Tree and PCQ
  • blocking client-to-client traffic
  • prioritizing management or service traffic
  • monitoring router-generated traffic

1. Network Concept

The following diagram represents the logical traffic directions:
Client → Internet      LocalToGlobal
Internet → Client      GlobalToLocal
Client → Client        LocalToLocal
Client → Router        LocalToMikrotik
Router → Client        MikrotikToLocal
To implement this architecture we will use two steps:
  1. Mark connections
  2. Mark packets based on those connections

2. Creating an Address List for Local Networks

First create an address list that contains all subscriber networks. This list will be used to detect internal traffic.
/ip firewall address-list
add list=Local address=10.0.0.0/8
add list=Local address=172.16.0.0/12
add list=Local address=192.168.0.0/16
If your network uses a different addressing scheme, replace these ranges with your actual subscriber networks.

3. Marking Connections

Connection marking is the first step. Each new connection will be assigned a specific direction label.

LocalToGlobal (Client → Internet)

/ip firewall mangle
add chain=prerouting \
src-address-list=Local \
dst-address-list=!Local \
connection-mark=no-mark \
action=mark-connection \
new-connection-mark=LocalToGlobal_conn \
passthrough=yes

GlobalToLocal (Internet → Client)

add chain=prerouting \
src-address-list=!Local \
dst-address-list=Local \
connection-mark=no-mark \
action=mark-connection \
new-connection-mark=GlobalToLocal_conn \
passthrough=yes

LocalToLocal (Client → Client)

# dst-address-type=!local keeps the router's own addresses out of this rule, so that
# client-to-router connections are still unmarked when the input chain rule below runs
add chain=prerouting \
src-address-list=Local \
dst-address-list=Local \
dst-address-type=!local \
connection-mark=no-mark \
action=mark-connection \
new-connection-mark=LocalToLocal_conn \
passthrough=yes

LocalToMikrotik (Client → Router)

add chain=input \
src-address-list=Local \
connection-mark=no-mark \
action=mark-connection \
new-connection-mark=LocalToMikrotik_conn \
passthrough=yes

MikrotikToLocal (Router → Client)

add chain=output \
dst-address-list=Local \
connection-mark=no-mark \
action=mark-connection \
new-connection-mark=MikrotikToLocal_conn \
passthrough=yes

4. Marking Packets

Once connections are marked, we classify the packets belonging to those connections. These packet marks are later used for traffic shaping and filtering. Because a connection mark is carried by every packet of the connection in both directions, these packet marks identify which side initiated the connection (the client or the Internet), not the direction of each individual packet.

Internet Upload Traffic

add chain=forward \
connection-mark=LocalToGlobal_conn \
action=mark-packet \
new-packet-mark=LocalToGlobal_pkt \
passthrough=no

Internet Download Traffic

add chain=forward \
connection-mark=GlobalToLocal_conn \
action=mark-packet \
new-packet-mark=GlobalToLocal_pkt \
passthrough=no

Local Network Traffic

add chain=forward \
connection-mark=LocalToLocal_conn \
action=mark-packet \
new-packet-mark=LocalToLocal_pkt \
passthrough=no

Traffic to Router

add chain=input \
connection-mark=LocalToMikrotik_conn \
action=mark-packet \
new-packet-mark=LocalToMikrotik_pkt \
passthrough=no

Router Generated Traffic

add chain=output \
connection-mark=MikrotikToLocal_conn \
action=mark-packet \
new-packet-mark=MikrotikToLocal_pkt \
passthrough=no
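To check the address list and rule order before deploying, here is a small dry-run classifier, added as an example and not part of the original page or of RouterOS. It replays packets through the five connection-marking rules and the five packet-marking rules above in RouterOS chain order (prerouting before input, only output for router-generated traffic) and returns the marks each packet ends up with; the router addresses and the packets are assumed, constructed values.

```python
import ipaddress

# Constructed inputs: the page's Local ranges plus assumed router addresses (LAN and WAN).
LOCAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROUTER = {"192.168.1.1", "203.0.113.1"}

def is_local(addr):
    return any(ipaddress.ip_address(addr) in net for net in LOCAL)

# Connection-marking rules in the page's order: (chain, src in Local?, dst in Local?, mark).
# None means that rule does not use the matcher.
CONN_RULES = [
    ("prerouting", True,  False, "LocalToGlobal_conn"),
    ("prerouting", False, True,  "GlobalToLocal_conn"),
    ("prerouting", True,  True,  "LocalToLocal_conn"),
    ("input",      True,  None,  "LocalToMikrotik_conn"),
    ("output",     None,  True,  "MikrotikToLocal_conn"),
]
# Packet-marking rules from the page: same chain as the connection rule, except that the
# prerouting connection marks are turned into packet marks in the forward chain.
PKT_RULES = {mark: ("forward" if chain == "prerouting" else chain, mark.replace("_conn", "_pkt"))
             for chain, _, _, mark in CONN_RULES}

def chains_for(src, dst):
    """Mangle chains a packet traverses; router-generated packets skip prerouting."""
    if src in ROUTER:
        return ["output"]
    return ["prerouting", "input" if dst in ROUTER else "forward"]

def classify(packets, exclude_router_dst=False):
    """Replay (src, dst) packets; return (connection mark, packet mark) for each.
    exclude_router_dst=True models adding dst-address-type=!local to the prerouting rules."""
    conns, result = {}, []
    for src, dst in packets:
        key = frozenset((src, dst))          # both directions share one conntrack entry
        chains = chains_for(src, dst)
        for chain in chains:
            if key in conns:                  # connection-mark=no-mark no longer matches
                break
            for rchain, want_src, want_dst, mark in CONN_RULES:
                skip_router = exclude_router_dst and chain == "prerouting" and dst in ROUTER
                if (rchain == chain and not skip_router
                        and want_src in (None, is_local(src)) and want_dst in (None, is_local(dst))):
                    conns[key] = mark
                    break
        cmark = conns.get(key)
        pchain, pmark = PKT_RULES.get(cmark, (None, None))
        result.append((cmark, pmark if pchain in chains else None))
    return result
```

Replaying a client-initiated web flow shows its reply packets also carry LocalToGlobal_pkt, and a client-to-router packet shows why the LocalToLocal rule must exclude the router's own addresses.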

5. Practical Use Cases

Bandwidth Limiting

The marks LocalToGlobal_pkt and GlobalToLocal_pkt can be used with Queue Tree to limit upload and download speeds per subscriber.

Blocking Client-to-Client Traffic

/ip firewall filter
add chain=forward connection-mark=LocalToLocal_conn action=drop
This prevents subscribers from accessing devices of other subscribers.

Allowing Router Access

Even when LocalToLocal traffic is blocked, clients can still reach the router using the LocalToMikrotik direction for services like:
  • DNS
  • DHCP
  • WinBox
  • API
  • Monitoring

6. Important Notes

  • Disable FastTrack if Queue Tree shaping is used, because fasttracked packets bypass mangle and queue processing.
  • Ensure address lists correctly represent your network.
  • Keep connection marking rules above packet marking rules, and remember that prerouting rules are evaluated before input rules: if the router's own addresses fall inside the Local list, the LocalToLocal rule will claim client-to-router connections first unless it excludes them with dst-address-type=!local.
  • Test rules using /ip firewall mangle print stats.

Conclusion

This five-direction traffic classification model provides a flexible and powerful framework for managing large subscriber networks on MikroTik routers. By clearly separating Internet traffic, local traffic, and router traffic, network administrators gain precise control over bandwidth usage, security, and service prioritization.
