learn how to Shape Download Traffic only & leave Browsing

hazemamer7 · Fri Jun 11, 2010 5:40 am

This is a way to isolate between download & Browsing and to give the user speed for example 64 Kb/sec for download but if he browsed the internet and surfing web sites for just browsing
he will browse the web pages with the entire network speed for example suppose that it's
4 Mb/sec

and we took 64 kb for just an example
you can change it with what ever you want to

/ip firewall layer7-protocol
add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .rar \"" regexp="\\.(rar)"
add comment="" name="Extension \" .zip \"" regexp="\\.(zip)"
add comment="" name="Extension \" .7z \"" regexp="\\.(7z)"
add comment="" name="Extension \" .cab \"" regexp="\\.(cab)"
add comment="" name="Extension \" .asf \"" regexp="\\.(asf)"
add comment="" name="Extension \" .mov \"" regexp="\\.(mov)"
add comment="" name="Extension \" .wmv \"" regexp="\\.(wmv)"
add comment="" name="Extension \" .mpg \"" regexp="\\.(mpg)"
add comment="" name="Extension \" .mpeg \"" regexp="\\.(mpeg)"
add comment="" name="Extension \" .mkv \"" regexp="\\.(mkv)"
add comment="" name="Extension \" .avi \"" regexp="\\.(avi)"
add comment="" name="Extension \" .flv \"" regexp="\\.(flv)"
add comment="" name="Extension \" .pdf \"" regexp="\\.(pdf)"
add comment="" name="Extension \" .wav \"" regexp="\\.(wav)"
add comment="" name="Extension \" .rm \"" regexp="\\.(rm)"
add comment="" name="Extension \" .mp3 \"" regexp="\\.(mp3)"
add comment="" name="Extension \" .mp4 \"" regexp="\\.(mp4)"
add comment="" name="Extension \" .ram \"" regexp="\\.(ram)"
add comment="" name="Extension \" .rmvb \"" regexp="\\.(rmvb)"
add comment="" name="Extension \" .dat \"" regexp="\\.(dat)"
add comment="" name="Extension \" .daa \"" regexp="\\.(daa)"
add comment="" name="Extension \" .iso \"" regexp="\\.(iso)"
add comment="" name="Extension \" .nrg \"" regexp="\\.(nrg)"
add comment="" name="Extension \" .bin \"" regexp="\\.(bin)"
add comment="" name="Extension \" .vcd \"" regexp="\\.(vcd)"

/ip firewall mangle
add action=mark-connection chain=prerouting comment="7z DOWNS" disabled=no layer7-protocol="Extension \" .7z \"" new-connection-mark="7z DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="7z DOWNS" disabled=no new-packet-mark=7z passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="asf DOWNS" disabled=no layer7-protocol="Extension \" .asf \"" new-connection-mark="asf DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="asf DOWNS" disabled=no new-packet-mark=asf passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="avi DOWNS" disabled=no layer7-protocol="Extension \" .avi \"" new-connection-mark="avi DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="avi DOWNS" disabled=no new-packet-mark=avi passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="bin DOWNS" disabled=no layer7-protocol="Extension \" .bin \"" new-connection-mark="bin DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="bin DOWNS" disabled=no new-packet-mark=bin passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="flv DOWNS" disabled=no layer7-protocol="Extension \" .flv \"" new-connection-mark="flv DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="flv DOWNS" disabled=no new-packet-mark=flv passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="iso DOWNS" disabled=no layer7-protocol="Extension \" .iso \"" new-connection-mark="iso DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark= "iso DOWNS" disabled=no new-packet-mark=iso passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mkv DOWNS" disabled=no layer7-protocol="Extension \" .mkv \"" new-connection-mark="mkv DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mkv DOWNS" disabled=no new-packet-mark=mkv passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="exe DOWNS" disabled=no layer7-protocol="Extension \" .exe \"" new-connection-mark="exe DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="exe DOWNS" disabled=no new-packet-mark=exe passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mov DOWNS" disabled=no layer7-protocol="Extension \" .mov \"" new-connection-mark="mov DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mov DOWNS" disabled=no new-packet-mark=mov passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mp3 DOWNS" disabled=no layer7-protocol="Extension \" .mp3 \"" new-connection-mark="mp3 DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mp3 DOWNS" disabled=no new-packet-mark=mp3 passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mp4 DOWNS" disabled=no layer7-protocol="Extension \" .mp4 \"" new-connection-mark="mp4 DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mp4 DOWNS" disabled=no new-packet-mark=mp4 passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mpeg DOWNS" disabled=no layer7-protocol="Extension \" .mpeg \"" new-connection-mark="mpeg DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mpeg DOWNS" disabled=no new-packet-mark=mpeg passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mpg DOWNS" disabled=no layer7-protocol="Extension \" .mpg \"" new-connection-mark="mpg DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mpg DOWNS" disabled=no new-packet-mark=mpg passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="nrg DOWNS" disabled=no layer7-protocol="Extension \" .nrg \"" new-connection-mark="nrg DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="nrg DOWNS" disabled=no new-packet-mark=nrg passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="pdf DOWNS" disabled=no layer7-protocol="Extension \" .pdf \"" new-connection-mark="pdf DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="pdf DOWNS" disabled=no new-packet-mark=pdf passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="ram DOWNS" disabled=no layer7-protocol="Extension \" .ram \"" new-connection-mark="ram DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="ram DOWNS" disabled=no new-packet-mark=ram passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="rar DOWNS" disabled=no layer7-protocol="Extension \" .rar \"" new-connection-mark="rar DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="rar DOWNS" disabled=no new-packet-mark=rar passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="rm DOWNS" disabled=no layer7-protocol="Extension \" .rm \"" new-connection-mark="rm DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="rm DOWNS" disabled=no new-packet-mark=rm passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="rmvb DOWNS" disabled=no layer7-protocol="Extension \" .rmvb \"" new-connection-mark="rmvb DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="rmvb DOWNS" disabled=no new-packet-mark=rmvb passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="wav DOWNS" disabled=no layer7-protocol="Extension \" .wav \"" new-connection-mark="wav DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="wav DOWNS" disabled=no new-packet-mark=wav passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="wma DOWNS" disabled=no layer7-protocol="Extension \" .wma \"" new-connection-mark="wma DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="wma DOWNS" disabled=no new-packet-mark=wma passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="wmv DOWNS" disabled=no layer7-protocol="Extension \" .wmv \"" new-connection-mark="wmv DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="wmv DOWNS" disabled=no new-packet-mark=wmv passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="zip DOWNS" disabled=no layer7-protocol="Extension \" .zip \"" new-connection-mark="zip DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="zip DOWNS" disabled=no new-packet-mark=zip passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="youtube DOWNS" disabled=no layer7-protocol="YouTube " new-connection-mark="youtube DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="youtube DOWNS" disabled=no new-packet-mark=youtube passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="daa DOWNS" disabled=no layer7-protocol="Extension \" .daa \"" new-connection-mark="daa DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="daa DOWNS" disabled=no new-packet-mark=daa passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="dat DOWNS" disabled=no layer7-protocol="Extension \" .dat \"" new-connection-mark="dat DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="dat DOWNS" disabled=no new-packet-mark=dat passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="vcd DOWNS" disabled=no layer7-protocol="Extension \" .vcd \"" new-connection-mark="vcd DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="vcd DOWNS" disabled=no new-packet-mark=vcd passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="cab DOWNS" disabled=no layer7-protocol="Extension \" .cab \"" new-connection-mark="cab DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="cab DOWNS" disabled=no new-packet-mark=cab passthrough=no protocol=tcp

/queue type
set default-small kind=pcq name=default-small pcq-classifier=src-address,dst-address,src-port,dst-port pcq-limit=50 pcq-rate=0 pcq-total-limit=2000

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no max-limit=1M name=Download_queue packet-mark="exe,flv,rar,zip,7z,bin,mp3,mp4,wav,pdf,asf,avi,mov,wmv,mpg,mpeg,rm,iso,nrg,daa,vcd,cab,3gp,ram,rmvb,mkv,wma,youtube" parent=global-out priority=8 queue=default-small

This shape download + upload with only 1 Mb/sec to the whole Network

if you want just to shape download you can use in layer7 regexp this rule for example

/ip firewall layer7-protocol
add comment="" name="Extension \" .exe \"" regexp="^.*get.+\\.exe.*\$"

and apply it to the rest of the extensions

if you want to shape upload only use this code in layer7

/ip firewall layer7-protocol
add comment="" name="Extension \" .exe \"" regexp="^.*set.+\\.exe.*\$"

********************************************************************

and you can shape Download Traffic by 64 kb on one IP like 192.168.0.2 using simple Queue instead of Queue Tree like this

/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=1M/1M max-limit=1M/1M name="download max" packet-marks=exe,flv,rar,zip,7z,bin,mp3,mp4,wav,pdf,asf,avi,mov,wmv,mpg,mpeg,rm,iso,nrg,daa,vcd,cab,3gp,ram,rmvb,mkv,wma,youtube parent=none priority=8 queue=default-small/default-small total-queue=default-small

and then make 64 Kb a speed for the Specified user in this parent group and refer to it's parent the first rule like this

add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=64k/64k max-limit=64k/64k name="User \" 192.168.0.2 \"" parent="download max" priority=8 queue=default-small/default-small target-addresses=192.168.0.2/32 total-queue=default-small

using this we can Shape IP 192.168.0.2 Download Traffic By 64 Kb
or what ever the speed we want to do it for the client.

the only problem this code is not working with loadbalancing ADSL Lines
is there any way to make it work ???
any one know how to do both Load Balancing + Shape download Traffic please tell us .

Notice : All code above applied on 3.3 Mikrotik OS Version

kazanova · Sat Jun 12, 2010 7:12 pm

any comment in this post

lukkes · Sat Jun 12, 2010 8:22 pm

very good job, what about the cpu resources? have you tested it with how many clients?

fewi · Sat Jun 12, 2010 9:15 pm

very good job, what about the cpu resources? have you tested it with how many clients?

I'd be concerned about that, too.

The configuration can be significantly optimized:

- There's no need for passthrough=yes on all those mark-connection rules as a connection already identified as downloading a 7z file doesn't need to undergo checks on whether it's download an EXE file.
- You should also put a rule that checks if there's already a connection mark at the very top so that an already identified connection (from an earlier packet) never is checked again (connection-mark=!no-mark action=accept). Layer 7 scanning for a regex is pretty much the most expensive thing you could do, so you should do it as little as possible.
- There's also no need to do this for anything but HTTP traffic - it'll be rare that that happens outside of tcp/80, tcp/3128, tcp/8080 and tcp/8888 and it's probably worth missing a few connection but not scanning absolutely anything.
- Lastly, start out with the rules in alphabetical order but ensure to watch packet counters and sort them so that the most often hit rules come first.

As an example for three file extensions:

/ip firewall mangle
add chain=prerouting action=jump jump-target=markL7packet connection-mark=!no-mark
add chain=prerouting action=jump jump-target=markL7conn protocol=tcp dst-port=80,3128,8080,8888

add action=mark-connection chain=markL7conn comment="mpeg DOWNS" disabled=no layer7-protocol="Extension \" .mpeg \"" new-connection-mark="mpeg DOWNS" passthrough=no
add action=mark-connection chain=markL7conn comment="mpg DOWNS" disabled=no layer7-protocol="Extension \" .mpg \"" new-connection-mark="mpg DOWNS" passthrough=no
add action=mark-connection chain=markL7conn comment="nrg DOWNS" disabled=no layer7-protocol="Extension \" .nrg \"" new-connection-mark="nrg DOWNS" passthrough=no

add action=mark-packet chain=markL7packet connection-mark="mpeg DOWNS" disabled=no new-packet-mark=mpeg passthrough=no 
add action=mark-packet chain=markL7packet connection-mark="mpg DOWNS" disabled=no new-packet-mark=mpeg passthrough=no 
add action=mark-packet chain=markL7packet connection-mark="nrg DOWNS" disabled=no new-packet-mark=mpeg passthrough=no

The packet on which the connection is identified won't be marked and thus won't be rate limited, but that's one packet and for a download of a larger file that's going to be insignificant. You'll still want to order the rules with highest hit count first after running for a while.

kazanova · Sun Jun 20, 2010 9:15 pm

add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .exe \"" regexp="\\.(zip)"

question can we make it in one line
to add tow extension toghether

Chupaka · Tue Jun 22, 2010 5:47 pm

add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .exe \"" regexp="\\.(zip)"

question can we make it in one line
to add tow extension toghether

try

add name="ExtensionZ" regexp="\\.(zip|exe)"

hazemamer7 · Wed Jul 21, 2010 4:04 am

The packet on which the connection is identified won't be marked and thus won't be rate limited, but that's one packet and for a download of a larger file that's going to be insignificant. You'll still want to order the rules with highest hit count first after running for a while.

Eng: fewi sorry correction has been made to the code try it again

eghtedari2000 · Thu Jan 06, 2011 8:27 am

add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .exe \"" regexp="\\.(zip)"

question can we make it in one line
to add tow extension toghether
try

add name="ExtensionZ" regexp="\\.(zip|exe)"

samsoft08 · Fri Sep 14, 2012 11:33 pm

add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .exe \"" regexp="\\.(zip)"

question can we make it in one line
to add tow extension toghether
try

add name="ExtensionZ" regexp="\\.(zip|exe)"

doesn't work ... is there any way to merge the whole list of extensions in one line ??

dreamrider · Sat Jul 06, 2013 9:52 am

Yeah, old topic, but - I have this question, too. What is an answer? It's possible merge all extensions in one line?

hazemamer7 · Tue Nov 05, 2013 7:01 am

Mr dreamrider , Samsoft08 and kazanova :
about your question if we can add all extensions in 1 line i say ;

yes it can be
and here it is

/ip firewall layer7-protocol
add name=test regexp="^(.*)(.exe|.rar|.zip|.7z|.iso|.nrg|.daa|.dat|.vcd|.flv|.mp4|.mov|.avi|.asf|.mpg|.mpeg|.wmv|. ra|.rar|.mp3|.wav|.ram|.rmvb|.mkv|.cab|.chm|.ctf|. flg)(.*)\\\$|videoplayback"

test this and tell me , and you know of course what to do with mangle , it's just only 1 mangle rule for all extensions , and i just added each extensions in one line because it was my first time to discover a L7 code that can detect downloadable files,

and this 1 line is from Mahmoud Abo Aldahab efforts,
and there is another code can make extensions in 3x seperated L7 Lines

\.(exe)|\.(rar)|\.(zip)|\.(7z)|\.(iso)|\.(nrg)|\.(daa)|\.(dat)|\.(vcd)

\.(flv)|\.(mp4)|\.(mov)|\.(avi)|\.(asf)|\.(mpg)|\.(mpeg)|\.(wmv)

\.(ra)|\.(mp3)|\.(wav)|\.(ram)|\.(rmvb)|\.(mkv)|videoplayback

and of course if you use 3x lines you have to do 1 mangle rules for each L7 rule , good luck for all.

dreamrider · Tue Nov 05, 2013 10:04 am

@hazemamer7

/ip firewall layer7-protocol
add name=test regexp="^(.*)(.exe|.rar|.zip|.7z|.iso|.nrg|.daa|.dat|.vcd|.flv|.mp4|.mov|.avi|.asf|.mpg|.mpeg|.wmv|. ra|.rar|.mp3|.wav|.ram|.rmvb|.mkv|.cab|.chm|.ctf|. flg)(.*)\\\$|videoplayback"

At first testing minutes - youtube watching is blocked, *.rar downloading is blocked, *.mp4 downloading from youtube is allowed, this forum - is blocked

Will continue to test. Thanks.

Tue Nov 05, 2013 10:05 am

This will block everything, not just file extensions. It will block any page that mentions ".dat" in it's text. Not just the downloads.

dreamrider · Tue Nov 05, 2013 10:18 am

It will block any page that mentions ".dat" in it's text. Not just the downloads.

I began to understand, tests continue ... But why downloading *.mp4 from youtube is allowed? In rule text - extension *.mp4 present.

Tue Nov 05, 2013 10:19 am

It will block any page that mentions ".dat" in it's text. Not just the downloads.
I began to understand, tests continue ... But why downloading *.mp4 from youtube is allowed? In rule text - extension *.mp4 present.

Could be that youtube works over HTTPS, then you will not see the contents of the page, it's encrypted

hazemamer7 · Thu Nov 14, 2013 2:45 pm

Test this and tell me

\.(exe)|\.(rar)|\.(zip)|\.(7z)|\.(iso)|\.(nrg)|\.(daa)|\.(dat)|\.(vcd)

\.(flv)|\.(mp4)|\.(mov)|\.(avi)|\.(asf)|\.(mpg)|\.(mpeg)|\.(wmv)

\.(ra)|\.(mp3)|\.(wav)|\.(ram)|\.(rmvb)|\.(mkv)|videoplayback

and of course each layer7 code line need 1 mangle rule to mark the packet for the queues,
test and tell me and if still not work i can provide you with video of proving that it works.

dreamrider · Sun Nov 17, 2013 7:42 pm

@ hazemamer7
Can you write a complete code for at least one line? Begining, i mean. With regexp=. Or what else there need..
Thank you!

hazemamer7 · Sat Nov 23, 2013 10:27 pm

Dreamrider
here it is the code ,and if it works reply to me that it works
********************************************************************************************************************************************************************************

/ip firewall layer7-protocol
add name=ext1 regexp="\\.(exe)|\\.(rar)|\\.(zip)|\\.(7z)|\\.(iso)|\\.(nrg)|\\.\
(daa)|\\.(dat)|\\.(vcd)"
add name=ext2 regexp="\\.(flv)|\\.(mp4)|\\.(mov)|\\.(avi)|\\.(asf)|\\.(mpg)|\\\
.(mpeg)|\\.(wmv)"
add name=ext3 regexp=\
"\\.(ra)|\\.(mp3)|\\.(wav)|\\.(ram)|\\.(rmvb)|\\.(mkv)|videoplayback"

/ip firewall mangle
add action=mark-packet chain=prerouting layer7-protocol=ext1 new-packet-mark=\
download1
add action=mark-packet chain=prerouting layer7-protocol=ext2 new-packet-mark=\
download2
add action=mark-packet chain=prerouting layer7-protocol=ext3 new-packet-mark=\
download3

/queue type
add kind=pcq name=pcqmanual pcq-classifier=src-address,dst-address,src-port \
pcq-dst-address6-mask=64 pcq-rate=400k pcq-src-address6-mask=64 \
pcq-total-limit=5000

/queue tree
add max-limit=3M name=limitspeed packet-mark=download1,download2,download3 \
parent=global queue=pcqmanual

**********************************************************************************************************************************************************************

in queue tree (max-limit=3M) >>> this make the max download rate in the network = 3 Mb/sec
in queue type (pcq-rate=400k) >>> this make the speed for each user = 400 kb/sec = 50 KB/sec

you can edit those for get the optimum option for you,

try to download this link as a test

http://ardownload.adobe.com/pub/adobe/r ... _en_US.exe

do not forget if it works to tell us.

dreamrider · Mon Nov 25, 2013 9:00 am

@ hazemamer7
I do not need too complicated rules and I do not use mangles and queues for that.

There is part of my firewall rules that works perfectly for me. No more any downloads! Browsing works wherever I have tried. Thank you for working code!

/ip firewall layer7-protocol
add name=ext1 regexp="\\.(exe)|\\.(rar)|\\.(zip)|\\.(7z)|\\.(iso)|\\.(nrg)|\\.\
    (daa)|\\.(dat)|\\.(vcd)"
add name=ext2 regexp="\\.(flv)|\\.(mp4)|\\.(mov)|\\.(avi)|\\.(asf)|\\.(mpg)|\\\
    .(mpeg)|\\.(wmv)"
add name=ext3 regexp=\
    "\\.(ra)|\\.(mp3)|\\.(wav)|\\.(ram)|\\.(rmvb)|\\.(mkv)|videoplayback"
	
/ip firewall filter
add action=jump chain=forward jump-target=drop layer7-protocol=ext1
add action=jump chain=forward jump-target=drop layer7-protocol=ext2
add action=jump chain=forward jump-target=drop layer7-protocol=ext3
add action=drop chain=drop comment="Drop Everything that we drop"

P.S. But I can't submit this answer... Works blocking rule ext3... Hm?

troy · Mon Nov 25, 2013 11:47 pm

Curious..

It's been a while since I've dug into the HTTP protocol, but aren't there some headers that you could key in on?

IMO, the best, first test, would be Content-Length (if we could actually use the number from the string). Small files could be let through, with medium and large files being queued.

Next, would be the Content-Disposition, which should contain a filename. This filename would be where you would want to check for the type.

Content-Type might be another header that could be looked at, which could help identify specific mime types.

-Troy

dreamrider · Wed Nov 27, 2013 1:35 am

@ troy
Content-Length
Yes, this could be interesting deal. Allow to download a few kilobytes and then block a connection. Rules with slow down download speed is not what I need.
Sorry, my english is too bad, but I think - you understand me

dreamrider · Thu Nov 28, 2013 1:31 am

@ hazemamer7
Yours complete code works very interesting, too! One question - how to mark packets and create queues for disabling some adresses (address-list) from those fine limiting rules?

hazemamer7 · Sun Jan 05, 2014 6:26 pm

@ hazemamer7
Yours complete code works very interesting, too! One question - how to mark packets and create queues for disabling some adresses (address-list) from those fine limiting rules?

This can be done using simple queue instead of queue tree

you will use my L7 and my mangle codes only and do not use queue tree and go use only queue simple
and it will be like this
1-add new simple queue rule for all network.
2-add new simple rule for the one(or group) that you want to exclude from network rule.
3- Be sure that you are sorting rules using # and always the excluded rule is most above and for example:
your internal network range is 192.168.1.0/24 and you put for it 2Mb/s for download
and the user that you want it to take full speed is 192.168.1.26 so the code will be like this

/queue simple
add name=26 packet-marks=download1,download2,download3 queue=\
    pcqmanual/pcqmanual target=192.168.1.26/32
add max-limit=256k/2M name=all packet-marks=download1,download2,download3 \
    queue=pcqmanual/pcqmanual target=192.168.1.0/24

and the entire code will be like this

/ip firewall layer7-protocol
add name=ext1 regexp="\\.(exe)|\\.(rar)|\\.(zip)|\\.(7z)|\\.(iso)|\\.(nrg)|\\.\
(daa)|\\.(dat)|\\.(vcd)"
add name=ext2 regexp="\\.(flv)|\\.(mp4)|\\.(mov)|\\.(avi)|\\.(asf)|\\.(mpg)|\\\
.(mpeg)|\\.(wmv)"
add name=ext3 regexp=\
"\\.(ra)|\\.(mp3)|\\.(wav)|\\.(ram)|\\.(rmvb)|\\.(mkv)|videoplayback"


/ip firewall mangle
add action=mark-packet chain=prerouting layer7-protocol=ext1 new-packet-mark=\
download1
add action=mark-packet chain=prerouting layer7-protocol=ext2 new-packet-mark=\
download2
add action=mark-packet chain=prerouting layer7-protocol=ext3 new-packet-mark=\
download3

/queue type
set 0 pfifo-limit=150
add kind=pcq name=pcqmanual pcq-classifier=src-address,dst-address,src-port pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64 pcq-total-limit=5000
set 10 kind=pcq pcq-classifier=src-address,dst-address,src-port pcq-rate=400k pcq-total-limit=5000

/queue simple
add name=26 packet-marks=download1,download2,download3 queue=\
    pcqmanual/pcqmanual target=192.168.1.26/32
add max-limit=256k/2M name=all packet-marks=download1,download2,download3 \
    queue=pcqmanual/pcqmanual target=192.168.1.0/24

and do not forget to make 192.168.1.26 is the first rule and hole network rule is the second, and if there is much excluded ip's you will make hole network rule at last one.

Do not forget to test and tell me about result, and sorry for late answer.

hazemamer7 · Sun Jan 05, 2014 6:43 pm

This will block everything, not just file extensions. It will block any page that mentions ".dat" in it's text. Not just the downloads.

i do not understand you ,
what will block everything ?is it my code? or you mean another thing ?

dreamrider · Tue Feb 11, 2014 2:02 pm

@ hazemamer7
Rules works, but I was made some changes:

/queue simple
add name=26 packet-marks=download1,download2,download3 queue=\
    default/default target=192.168.1.26/32
add max-limit=256k/2M name=all packet-marks=download1,download2,download3 \
    queue=pcqmanual/pcqmanual target=192.168.1.0/24

In first simple queue - for excluding IP address - I had change queue type to default.
Exclusions in this mode works for me. All another code stays yours, I was changed only IP's and max limits according of my network needs. I'm very glad, thank you!
Sorry for my english again

learn how to Shape Download Traffic only & leave Browsing

learn how to Shape Download Traffic only & leave Browsing

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin

Re: learn how to Shape Download Traffic only & leave Browsin