MikroTik Queue Management & Bandwidth Control Guide for Lebanon
Bandwidth Management Is Critical for Lebanese Networks
Lebanon faces a unique bandwidth challenge. International internet transit is expensive and limited compared to most countries in the Middle East. ISPs, WISPs, and businesses operating in Lebanon must squeeze maximum value from every megabit of upstream capacity. Overselling bandwidth is standard practice for any ISP, but without proper queue management, a single heavy user downloading torrents can starve hundreds of other subscribers.
MikroTik RouterOS provides the most granular bandwidth management tools available on any platform at this price point. Every MikroTik router β from the hEX PoE managing a small office to the CCR2216-1G-12XS-2XQ running thousands of ISP subscribers β uses the same queue engine. This guide covers everything Lebanese network engineers need to implement fair, efficient bandwidth allocation.
Understanding RouterOS Queue Architecture
RouterOS offers two queue systems: Simple Queues and Queue Trees. Both use the same underlying HTB (Hierarchical Token Bucket) algorithm, but they differ in how you configure and manage them. Choosing the right one depends on your network size, complexity, and management style.
Simple Queues β The Straightforward Approach
Simple Queues are self-contained rules that combine a target (IP address, subnet, or interface), rate limits, burst settings, and optional packet marking into a single configuration entry. They are processed in order from top to bottom, and the first matching queue handles the traffic.
Use Simple Queues when:
- You manage fewer than 200 subscribers or devices
- Each client needs a fixed upload/download limit
- You prefer per-client visibility in Winbox with real-time graphs
- You do not need complex traffic classification beyond IP address
Simple Queues are the go-to choice for small Lebanese ISPs serving a neighborhood or a building, offices managing departmental bandwidth, and hotspot deployments at hotels and restaurants.
Queue Trees β The Scalable Architecture
Queue Trees separate traffic classification from bandwidth allocation. First, you mark packets using firewall mangle rules. Then, you build a tree of queues that reference those marks. This two-step process gives you complete control over how traffic is categorized and prioritized.
Use Queue Trees when:
- You manage more than 200 subscribers
- You need multi-level traffic prioritization (VoIP above browsing above downloads)
- You want to classify traffic by protocol, port, or content type β not just IP address
- You need parent-child queue hierarchies for departmental or plan-based allocation
Queue Trees are the standard for medium and large Lebanese ISPs, WISPs serving tower sites across Mount Lebanon and the Bekaa Valley, and enterprise networks requiring application-level QoS.
HTB: The Engine Behind Both Queue Types
Hierarchical Token Bucket (HTB) is the scheduling algorithm that powers all RouterOS queues. Understanding HTB is essential for designing effective bandwidth policies.
Key HTB Concepts
- max-limit: The absolute maximum rate a queue can achieve. Traffic is never allowed to exceed this value, even if spare bandwidth exists. This is the speed your customer pays for.
- limit-at (CIR β Committed Information Rate): The guaranteed minimum rate. HTB ensures this bandwidth is always available for the queue, regardless of how congested the parent is. This is the speed you promise your customer will always receive.
- priority: When spare bandwidth is available beyond all queues' limit-at values, higher priority queues borrow first. Priority ranges from 1 (highest) to 8 (lowest). Use this to ensure VoIP and management traffic get surplus bandwidth before bulk downloads.
- parent: Each queue can have a parent queue, creating a hierarchy. Child queues share the parent's max-limit. The parent's max-limit is the total bandwidth available for all children combined.
HTB Bandwidth Distribution Example
Consider a Lebanese ISP with a 100 Mbps upstream link and three subscriber plans:
- Premium Plan (20 users): limit-at=2M, max-limit=10M, priority=3
- Standard Plan (50 users): limit-at=1M, max-limit=5M, priority=5
- Basic Plan (80 users): limit-at=512k, max-limit=3M, priority=7
Total guaranteed bandwidth (CIR): 20x2 + 50x1 + 80x0.5 = 130 Mbps β exceeding the 100 Mbps link. This is intentional oversubscription. In practice, not all subscribers use their CIR simultaneously. HTB dynamically distributes spare bandwidth based on priority, so Premium users burst higher when the link is not fully loaded.
Per Connection Queuing (PCQ) β Fair Sharing Made Simple
PCQ is a queue type that automatically creates sub-queues for each unique IP address or connection. Instead of creating hundreds of individual queue rules, you create one PCQ-based queue that dynamically divides bandwidth equally among all active users.
How PCQ Works
You define a PCQ queue type with a classifier (typically src-address for upload or dst-address for download) and a rate limit. RouterOS automatically creates a virtual sub-queue for each unique address it sees, limiting each to the specified rate. When users disconnect, their sub-queues are removed automatically.
PCQ Queue Type Configuration
Create two PCQ queue types β one for download and one for upload. The download type classifies by dst-address (because downloaded traffic is destined for the client), and the upload type classifies by src-address (because uploaded traffic originates from the client). Set the per-user rate to your desired limit.
In the RouterOS terminal:
/queue type add name=pcq-download-2M kind=pcq pcq-rate=2M pcq-classifier=dst-address/queue type add name=pcq-upload-1M kind=pcq pcq-rate=1M pcq-classifier=src-addressThen apply these types to a Simple Queue targeting your subscriber subnet:
/queue simple add name=subscribers target=192.168.1.0/24 queue=pcq-upload-1M/pcq-download-2M max-limit=100M/100MEvery device on the 192.168.1.0/24 subnet now receives up to 2 Mbps download and 1 Mbps upload. The parent max-limit of 100M caps the aggregate for all users combined.
PCQ Advantages for Lebanese ISPs
- Zero per-subscriber configuration: Add or remove clients from the subnet without touching queue rules. The PCQ queue type handles it dynamically.
- Fair distribution: When the total link is congested, PCQ divides available bandwidth equally. No single user can monopolize the connection.
- Low CPU overhead: One queue rule handles hundreds of users, using less CPU than hundreds of individual Simple Queue entries. Critical for routers like the hEX S where CPU cycles are limited.
Building a Queue Tree for ISP Bandwidth Management
For ISPs managing differentiated service plans, Queue Trees with mangle marking provide the most flexible architecture. Here is a step-by-step approach used by Lebanese ISPs.
Step 1: Mark Connections and Packets with Mangle
Create mangle rules to classify traffic. For a two-plan ISP (Premium and Basic), use address lists to identify which subscribers belong to which plan:
/ip firewall address-list add list=plan-premium address=10.0.1.0/24/ip firewall address-list add list=plan-basic address=10.0.2.0/24Mark connections in the prerouting chain:
/ip firewall mangle add chain=prerouting src-address-list=plan-premium action=mark-connection new-connection-mark=conn-premium passthrough=yes/ip firewall mangle add chain=prerouting src-address-list=plan-basic action=mark-connection new-connection-mark=conn-basic passthrough=yesThen mark packets based on the connection marks:
/ip firewall mangle add chain=prerouting connection-mark=conn-premium action=mark-packet new-packet-mark=pkt-premium passthrough=no/ip firewall mangle add chain=prerouting connection-mark=conn-basic action=mark-packet new-packet-mark=pkt-basic passthrough=noStep 2: Build the Queue Tree
Create the parent queue on the WAN interface (for upload) or the global-in pseudo-interface (for download):
/queue tree add name=total-download parent=global max-limit=100M/queue tree add name=premium-download parent=total-download packet-mark=pkt-premium limit-at=40M max-limit=80M priority=3 queue=pcq-download-2M/queue tree add name=basic-download parent=total-download packet-mark=pkt-basic limit-at=20M max-limit=50M priority=6 queue=pcq-download-1MThis creates a hierarchy where Premium subscribers share 40 Mbps guaranteed (up to 80 Mbps when spare capacity exists), and Basic subscribers share 20 Mbps guaranteed (up to 50 Mbps). Within each tier, PCQ distributes bandwidth fairly per subscriber.
Step 3: Mirror for Upload
Repeat the queue tree on the WAN interface for upload traffic, using upload-specific PCQ types and appropriate upload limits. Lebanese ISP plans typically offer asymmetric speeds (higher download than upload), reflecting the asymmetric nature of most internet usage.
Burst Configuration β Give Users a Speed Boost
Burst allows a queue to temporarily exceed its max-limit for short periods. When a subscriber starts a download, they get a burst of higher speed for the first few seconds before settling to the normal rate. This makes web browsing feel faster (pages load in the burst window) without increasing sustained bandwidth consumption.
Burst Parameters Explained
- burst-limit: The maximum speed during a burst. Set this to 2-4 times the max-limit.
- burst-threshold: The average rate below which bursting is allowed. When the user's average rate drops below this value, they become eligible for a burst. Typically set to 75-80% of max-limit.
- burst-time: The time window over which the average rate is calculated. Longer burst-time means longer bursts but less responsive triggering. Values of 8-16 seconds are common.
Burst Configuration Example
For a 5 Mbps subscriber plan with burst to 15 Mbps:
/queue simple add name=client-burst target=192.168.1.100/32 max-limit=1M/5M burst-limit=3M/15M burst-threshold=800k/4M burst-time=10s/10sWhen this subscriber begins downloading, they receive up to 15 Mbps for several seconds. As the average rate rises above 4 Mbps (burst-threshold), the burst disengages and speed drops to the normal 5 Mbps max-limit. Lebanese ISPs frequently use burst to differentiate plans β the same 5M base plan feels significantly faster with burst enabled, allowing ISPs to charge a premium for burst-enabled tiers.
Winbox vs CLI for Queue Management
Winbox (GUI)
Winbox provides visual queue management through Queues > Simple Queues and Queues > Queue Tree tabs. Advantages include real-time traffic graphs per queue, drag-and-drop reordering of Simple Queues, and an intuitive interface for operators who manage queues infrequently. For small ISPs and office administrators in Lebanon, Winbox is sufficient for day-to-day queue management.
RouterOS CLI (Terminal)
The CLI is essential for bulk operations and automation. When an ISP needs to create 500 subscriber queues from a RADIUS database or modify rate limits across all plans simultaneously, the CLI is the only practical option. RouterOS scripting allows scheduled queue adjustments β for example, increasing burst limits during off-peak hours (midnight to 6 AM in Lebanon) and reducing them during peak evening hours.
Example script to adjust all Basic plan queues at night:
/queue simple set [find where comment="plan-basic"] max-limit=2M/8M burst-limit=4M/20MSchedule this with the RouterOS scheduler to run at midnight and revert at 7 AM. This approach helps Lebanese ISPs manage their expensive international bandwidth by shifting heavy usage to off-peak windows.
Choosing the Right MikroTik Router for Queue Management
Queue processing is CPU-intensive. Every packet passing through the router is checked against queue rules, metered, and potentially shaped. The router must have enough CPU power to handle queuing at wire speed without dropping packets or adding latency.
Small Networks (Up to 50 Users)
The hEX PoE or hEX S handles Simple Queues for up to 50 users at aggregate speeds under 200 Mbps. The hAP AX3 provides more CPU headroom and adds WiFi 6, making it ideal for small hotspot deployments where the router also serves as an access point.
Medium ISPs (50-500 Subscribers)
The CCR2004-16G-2S+ is the workhorse for medium-sized Lebanese ISPs. Its four ARM64 cores at 1.7 GHz handle Queue Trees with PCQ for hundreds of subscribers. The 16 Gigabit ports connect directly to access switches, and the dual 10G SFP+ ports provide upstream connectivity. Pair it with CRS326-24G-2S+RM switches for subscriber aggregation.
Large ISPs (500-2000+ Subscribers)
The CCR2116-12G-4S+ with its 16 cores at 2 GHz and 16 GB RAM is the standard choice for large Lebanese ISPs. It handles thousands of queue rules, full BGP tables, and PPPoE termination simultaneously. For the absolute largest deployments, the CCR2216-1G-12XS-2XQ provides 72 cores β a true carrier-grade routing platform.
PoE Managed Switches for Subscriber Access
Queue management happens on the router, but the access layer switches matter too. The CRS328-24P-4S+RM provides 24 PoE ports for powering CPE devices and 4 SFP+ uplinks to the router. Proper switch infrastructure ensures packets reach the router's queue engine without bottlenecks.
Common Queue Management Mistakes
Lebanese network engineers frequently encounter these pitfalls when configuring MikroTik queues:
1. Overcommitting limit-at (CIR)
The sum of all child queue limit-at values must not exceed the parent's max-limit. If your upstream link is 100 Mbps but your total CIR across all subscribers is 300 Mbps, HTB cannot guarantee the promised minimum to every subscriber during peak hours. Keep total CIR at 60-80% of your upstream capacity to account for overhead and peak variability.
2. Ignoring Upload Queues
Many administrators configure download queues but forget upload limits. Uncontrolled upload traffic β especially from cloud backup services, torrent seeding, and video calls β saturates the upstream link, causing packet loss and latency for all subscribers. Always configure both directions.
3. Placing Simple Queues in Wrong Order
Simple Queues process top to bottom. A broad rule matching an entire subnet placed above specific per-client rules will catch all traffic, and the per-client rules will never fire. Always place the most specific rules at the top and the catch-all rules at the bottom.
4. Using Queue Trees Without Mangle Marks
Queue Tree queues only process traffic that matches their packet-mark. If a mangle rule is misconfigured or missing, the traffic passes through unqueued. Always verify mangle rules are marking traffic correctly before building Queue Trees. Use the Counters column in the mangle rule list to confirm packets are being marked.
5. Not Accounting for Overhead
Ethernet frame overhead, PPPoE encapsulation (8 bytes), and VLAN tags add to the actual bandwidth consumed. A subscriber limited to 10 Mbps at the IP layer actually consumes approximately 10.5-11 Mbps at the Ethernet layer. For precise control, account for these overheads in your queue calculations.
Fair Usage Policies for Lebanese ISPs
Lebanese ISPs with limited and expensive international bandwidth need fair usage policies (FUP) to prevent abuse while providing a good experience for the majority of subscribers.
Time-Based Policies
Reduce speed limits during peak hours (6 PM to midnight in Lebanon) and allow higher speeds during off-peak times. Use RouterOS scheduler scripts to adjust queue parameters automatically. This smooths traffic patterns and improves the perceived quality for evening web browsing and streaming.
Volume-Based Policies
Track per-subscriber usage with RouterOS accounting or an external RADIUS server. When a subscriber exceeds a monthly data cap (e.g., 200 GB), move them to a lower-speed queue. This requires scripting or RADIUS integration with bandwidth profile switching via PPP or DHCP lease scripts.
Protocol-Based Prioritization
Use mangle rules to identify traffic types and assign different priorities in Queue Trees:
- Priority 1: VoIP (SIP, RTP) and DNS β latency-sensitive, low bandwidth
- Priority 3: HTTP/HTTPS web browsing β burst-friendly, moderate bandwidth
- Priority 5: Video streaming (detected by connection duration and throughput pattern) β steady bandwidth
- Priority 7: Bulk downloads, torrent traffic, cloud sync β bandwidth-hungry, latency-tolerant
This hierarchy ensures VoIP calls stay clear even when the link is saturated with streaming and downloads β critical for Lebanese businesses relying on VoIP for affordable international communication.
RADIUS Integration for Large-Scale Queue Management
ISPs managing more than 200 subscribers should integrate RouterOS with a RADIUS server for centralized queue management. When a PPPoE subscriber connects, RADIUS sends rate-limit attributes that RouterOS applies automatically as a dynamic Simple Queue. Changing a subscriber's plan updates the RADIUS profile β no need to touch the router configuration.
RADIUS-based queuing eliminates the need for static queue rules, supports real-time plan changes, and integrates with billing systems. Most Lebanese ISPs running the CCR2116 or RB1100AHx4 at their PPPoE concentrator use RADIUS for subscriber management.
Monitoring Queue Performance
Effective queue management requires ongoing monitoring. RouterOS provides several monitoring tools:
- Queue Counters: Each queue shows bytes, packets, dropped packets, and queued packets. High drop counts indicate the queue is saturated and the max-limit is too low for the subscriber's demand.
- Torch: Real-time per-connection bandwidth monitor. Use Torch on the WAN interface to identify which subscribers or connections consume the most bandwidth at any given moment.
- Graphing: Enable SNMP or use the RouterOS graphing feature to track queue utilization over time. Identify peak hours and plan capacity upgrades accordingly.
- Traffic Flow: Export NetFlow data from RouterOS to an external collector for detailed per-subscriber, per-protocol traffic analysis.
Where to Buy MikroTik Queue-Capable Routers in Lebanon
HI-GAIN is Lebanon's authorized MikroTik distributor, stocking every router mentioned in this guide at our warehouse in Dora, Beirut. Whether you need a hEX PoE for a small office or a CCR2216 for a carrier-grade ISP deployment, we provide local warranty, technical consultation, and same-day pickup.
Our engineering team can advise on queue architecture design for your specific subscriber count and bandwidth capacity. Call us at +961 3 337 666, check real-time router availability, or browse our complete MikroTik router catalog. For a broader ISP deployment guide, read our complete guide to building a WISP network in Lebanon and our MikroTik firewall configuration guide.