Mikrotik… need I say More?
Show MenuHide Menu

Mikrotik Firewall Mangle and Queue Tree example

March 2, 2013

Mikrotik Firewall Mangle and Queue Trees Example HOW TO

by Travis Kenner

PLEASE NOTE: For any configuration examples please visit the Mikrotik Forums for help and support. There are some really knowledgeable people on the forums who will be able to help you with your individual setups.


Mikrotik RB750GL Running Package version 6.0rc11

NOTE: I am no Mikrotik expert and definitely don’t fully understand Mangling and Queues but I will correct and add to this blog as I learn.

I decided to put this together after I could not find a clear and concise example of how to use the Mikrotik Mangle and Queue functionality.

Marking a connection? Packet Mark, route mark, connection mark, Queue Tree???? Anything I found was vague, felt incomplete or just didn’t explain enough of the what and the how.

So What is Mikrotiks IP Firewall Mangle?
Here is the Wiki that explains it: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle

Here is the Summary copied straight from the Wiki:
Mangle is a kind of ‘marker’ that marks packets for future processing with special marks. Many other facilities in RouterOS make use of these marks, e.g. queue trees, NAT, routing. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router, they are not transmitted across the network.

Using Mangle we can mark Packets, Connections or Routes (I will go into the first two in a bit) and then based on the marks / identifying the packets we can do something to them such as QoS (Quality of Service) on VOIP traffic, or make HTTP traffic takes precedence over another type of traffic or maybe if were feeling mischievous well mark all traffic going to our wife’s favorite website and make it feel like she’s using Old Time Dial UP Internet by limiting the bandwidth down to 1 kbps LOL. Yah she didn’t like that.

So how do we go about mangling packets? Lets get started:

Marking your Connections or Packets:
When mangling you have a choice of where you want to start mangling your data. Knowing where to mark them in the flow of data is important.
Here is the Mikrotik Wiki link for how packets flow through a Mikrotik:http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Here is another Link for Packet flow from Mikrotiks documentation: http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php

Here is a summery straight from Mikrotik documentation on prerouting, postrouting and forward chain.

Routed traffic

The traffic received for the router’s MAC address on the respective port, is passed to the routing procedures and can be of one of these four types:

  • the traffic which is destined to the router itself. The IP packets has destination address equal to one of the router’s IP addresses. A packet enters the router through the input interface, sequentially traverses prerouting and input chains and ends up in the local process. Consequently, a packet can be filtered in the input chain filter and mangled in two places: the input and the prerouting chain filters.
  • the traffic is originated from the router. In this case the IP packets have their source addresses identical to one of the router’s IP addresses. Such packets travel through the output chain, then they are passed to the routing facility where an appropriate routing path for each packet is determined and leave through the postrouting chain.
  • routable traffic, which is received at the router’s MAC address, has an IP address different from any of the router’s own addresses, and its destination can be found in the routing tables. These packets go through the prerouting, forward and postrouting chains.
  • unroutable traffic, which is received at the router’s MAC address, has an IP address different from any of the router’s own addresses, but its destination can not be found in the routing tables. These packets go through the prerouting and stop in the routing recision.

The actions imposed by various router facilities are sequentially applied to a packet in each of the default chains. The exact order they are applied is pictured in the bottom of the flow diagram. Exempli gratia, for a packet passing postrouting chain the mangle rules are applied first, two types of queuing come in second place and finally source NAT is performed on packets that need to be natted.

Note, that any given packet can come through only one of the input, forward or output chains.

Bridged Traffic

In case the incoming traffic needs to be bridged (do not confuse it with the traffic coming to the bridge interface at the router’s own MAC address and, thus, classified as routed traffic) it is first determined whether it is an IP traffic or not. After that, IP traffic goes through the prerouting, forward and postrouting chains, while non-IP traffic bypasses all IP firewall rules and goes directly to the interface queue. Both types of traffic, however, undergo the full set of bridge firewall chains anyway, regardless of the protocol.


Choosing your Chain Mangle Point:

Breaking it down a little simpler:
PreRouting – The chain where Masquerade or SRC NAT happen
– Prerouting in layman’s terms is marking packets just as it is entering your firewall flow processing from the port it was received on.
– 99% of your packet mangling will be PreRouting

Post Routing – Packets are marked leaving your firewall flow

Forward – This chain is the packets that flow through your router after the pre-routing but before post-routing


After you choose where you want to start (and this is important as knowing how data flow through your Mikrotik is VERY important) mangling,  your next decision is how do you want to mark your data. Understanding how you want to mark your connection is just as important as to where along the flow of the data through your firewall you want to mark the data.
There are 3 Types of Marking I will note:
Again this is taken right from the Wiki

mark-connection – place a mark specified by the new-connection-mark parameter on the entire connection that matches the rule
mark-packet – place a mark specified by the new-packet-mark parameter on a packet that matches the rule
mark-routing – place a mark specified by the new-routing-mark parameter on a packet. This kind of marks is used for policy routing purposes only

1. Mark the Connection
– Marking the connection means that you mark your data as a Whole Connection
– An Example is that instead of marking EVERY packet as it flows though your Mikrotik instead you choose what you want to identify / mark and you mark the connection at the start and then all packets from that connection are a part of that connection mark

2. Mark the Packet
– When you choose mark packet you will mangle / mark every single packet as it flows through the Mikrotik. This eats up more CPU than just marking a connection

3. Mark the Route
– Marking a route is used for Policy Based routing. As I understand it more I will write more on this subject


Let’s get to marking some data / packets that are of interest to us:

Say you want to mark all Web Traffic so that you can either restrict it, throttle it or do something with it.

How to mark HTTP Traffic

Logon to your Mikrotik Firewall
Click on the IP Menu Button on the left side
Click Firewall from the pop up menu
Click the Mangle TAB from the window that opens
Here is where you set all your Mangle Rules

Here is the command to add a HTTP mangle to you mangle window
Simply copy the code below and paste it as a whole into  your terminal window to add it to your Mikrotik

(To paste code into a terminal window Mikrotik has a Menu item on the left called New Terminal. Clicking this menu button will open a terminal windows / session. Using this terminal you can enter commands or paste codes directly so that you don’t have to type them out all the time if you have them in a notepad  or text file. NOTE: don’t paste code into your terminal that you do not understand how it works. This could compromise your firewalls security or do things that you are not aware of.)
Copy the code from in between the == Code ==  and == End Code == Lines.

== Code ==
/ip firewall mangle
add action=mark-connection chain=prerouting comment=”Mark HTTP” dst-port=80 \
new-connection-mark=HTTP-Conn protocol=tcp src-address=

add action=mark-packet chain=prerouting connection-mark=HTTP-Conn \
new-packet-mark=HTTP-Marked passthrough=no
== End Code==

What does this do. Let’s break it down piece by piece.
chain=prerouting (This command says mark the Connection on the Prerouting Chain for all data flowing into the Mikrotik)
src-address (This is the subnet I am narrowing down my mangle rule to be applied to)
protocol=tcp (Again another part of narrowing what I am trying to mangle
dst-port=80 (Since HTTP traffic flows over TCP port 80 I am adding this to my mangle again to help narrow down what to mangle)
add action=mark-connection (This command tells the mangle rule that we are going to mark the Connection not the Packet)
new-connection-mark=HTTP-Con (This is the name I am going to give to identify my HTTP marked connection. Notice I use HTTP for web traffic and Conn to signify Connection)
comment (This is where you can put a comment if you want. I like to comment as it helps me remember what I was mangling. After you get a long list of mangles it all blurs together)

OK now the second part of the code:
chain=prerouting (Again I am starting my marking just as data is coming into the port on the firewall and entering the processing queue)
connection-mark=HTTP-Conn (I enable this because I am passing the above marking that I did to this next magle rule to mark the PACKETS as the above rule marked the CONNECTION. The reason we do this trick is so that I can pass a Tree Queue the Marked Packets later using less CPU power.) (At a later time I will explain this technique more.)
add action=mark-packet (Here again we are now marking the PACKET and not the CONNECTION like above)
new-packet-mark=HTTP-Marked (Again we are now naming the packet marking so when we are using this mangle in a Queue we know what we were marking)
passthrough=no (If this is checked to yes ((checked)) then the mangle rule is processed and we continue to the next mangle rule. If it is unchecked ((no)) then when this mangle rule is process it hits the passthrough and stops.

OK WOW I hope that was clear. We now have a mangle rule setup to catch TCP port 80 Traffic from the IP Subnet range of and we are packet marking it as HTTP-Marked and Connection marking it as HTTP-Conn


Now lets use a Mikrotik Tree Queue to throttle it as an example of what we can do with it.
Again here is some Code you can use to setup a queue tree

== Code ==
/queue tree
add name=”HTTP-Queue” packet-mark=HTTP-Marked parent=ether1-gateway priority=2 queue=default
== End Code ==

Ok lets break this down:
add name=”HTTP-Queue” (This is just what you are going name your queue so when you look at it you know what you are queuing)
packet-mark=HTTP-Marked (This is the name of that Packet Marking that you did in the mangle rules. This is how you apply what you are doing in your queue to the traffic you want to manipulate)
parent=ether1-gateway (This is where you are applying  this queue in the Flow of Traffic. There are many points if you look under Parent in Winbox when looking at Tree Queues)
priority=2 (This is the priority you give to that traffic over other queue that you may have if you have several queues. IE how you would have a queue for VOIP and set it to 1 and then set HTTP to 2 so that VOIP takes precedence over HTTP traffic)
queue=default (This is the Queue Type. I will alter talk about this as I start to understand it more. For now I will add a Mikrotik link that talks more about it)

Now to start throttling you also set the Limit At and Max Limit. They must both be set.
In WinBox navigate to the Queues | Queue Tree and Double Click the HTTP Queue that you made.
Under the General TAB there will be the Limit At and Max Limit options.

Note that these are in bits per second.
Let’s say that you want to throttle your HTTP traffic from connection to feel like good ole dialup internet from way back. Click in the Limit at box and type in 14400 and Max Limit set to 14400.
Everyone on the subnet will now feel like they are sharing a 14.4 USR Robotics dial up internet connection. Welcome back to the Good Ole Days???? LOL

Hopefully this Blog will give you ideas on what you can start doing with Tree Queues and Mangling Rules:

Link for Mikrotik Queues and Types : http://wiki.mikrotik.com/wiki/Manual:Queue


I will update this article as I learn more and correct myself on things I don’t fully understand yet.

Ali Fanaei
May 15, 2016 at 7:15 am

Dear Travis, Thanks very much for your terrific explanation.
I visited many Mikrotik video but i didn’t know finally why is the reason of using mark-connection when packet-mark is already exited. Infact that was the best article for starting mangle rather than mikrotik wiki or mum that i found. so thanks again for this job.

March 23, 2016 at 7:02 am

Great explanation man. Thanks.

July 26, 2015 at 6:00 am

Thank you, this is clear and straight to the point.
Congrats, hope by now you have inputs on this issues, if so keep sharing.


July 23, 2015 at 10:27 am

Really enjoyed this article I was never sure about mangle but now it all makes sense thank you!!!

June 10, 2015 at 6:54 am

Hey all,
I have question about droping all broadcast packet on Mikrotik. I want to only accept local address 10.X.X.X (without access NET, just local traffic). And MGMT- control mikrotik. Other packet droping, so not show in wireshark and tcpdump. It´s possible or not? If yes please write me link or Manual. Thank´s advance

September 12, 2014 at 2:24 pm

Thanx Travis so clear

    September 26, 2014 at 12:28 am

    Thank you
    Too bad I don’t have more time to write more…
    IT can be so hectic lol.

August 7, 2014 at 7:51 am

so clearly.. thanks ..
but how to limit upload speed ? this method is to limit download speed right?

    August 13, 2014 at 1:41 am

    Download, upload doesn’t matter. If you mark incoming or your IPS address / subnet then you can throttle incoming. If you mark / throttle your own IP subnet then you could say that is your outgoing.

June 6, 2014 at 12:15 pm

== Code ==
/ip firewall mangle
add action=mark-connection chain=prerouting comment=”Mark HTTP” dst-port=80 \
new-connection-mark=HTTP-Conn protocol=tcp src-address=

add action=mark-packet chain=prerouting connection-mark=HTTP-Conn \
new-packet-mark=HTTP-Marked passthrough=no
== End Code==

i has try, tnk

why limit bandwith if user have IDM or torent, layer 7 not work when proxy enable


    July 10, 2014 at 5:03 pm

    Hi Irvina
    I only blog about my experiences with MikroTik. For MikroTik support please head over to their forums.

April 16, 2014 at 5:36 pm

Very informative, please keep it continue, you are doing a great help to Mikrotik community. Thanks a millions…

April 5, 2014 at 5:29 am

good explanation see more…….. http://mikrotikroutersetup.blogspot.com

June 6, 2013 at 3:06 pm

Great explanation! I read the wiki and don’t understand a little bit. They should add your explanation of mangling to the wiki.

May 30, 2013 at 8:34 pm

Awesome. You state that you’ll explain why you’re marking packets later. I’m ready for later :-). Only marking the connection makes sense. Buy why then packets?

    June 1, 2013 at 5:01 pm


    I apologize that I have not responded. I am on the road rolling out some servers so don’t have time to update my website. I can’t make any promises if I will be able to write more but hopefully I will get some time.


      June 4, 2013 at 7:09 pm

      No problem. I think I figured it out. You can see my post on the MikroTik’s forum entitled, “Using RouterOS to prioritize (Qos) traffic for a Class C network”.

May 20, 2013 at 2:26 pm

Dear Sir,

pls how can we deploy slide show on a login page of mikrotik hotspot .

thank u


May 10, 2013 at 4:20 pm

Great! Thanks, good explanation and useful.

May 8, 2013 at 3:38 am

most clearly mangle explanations I’ve ever read. Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 visitors online now
3 guests, 0 members
Max visitors today: 20 at 06:25 am UTC
This month: 29 at 01-05-2018 09:37 am UTC
This year: 29 at 01-05-2018 09:37 am UTC
All time: 47 at 01-03-2017 08:06 pm UTC