servaris
How to setup QoS and some firewall rules?

Tue May 20, 2014 5:26 pm

Hi,
Just received an RB2011UiAS and have it somewhat set up. That is, all LAN clients can access other computers on the LAN and access the Internet. We have a few IP phones which use VPN (OpenVPN set up on a REMOTE FreePBX Server). Local SIP phones show up on the remote FreePBX as coming from 10.8.0.6 (the FreePBX Server is facing the Internet with a routable IP address).

Prior to having a MikroTik router (never had a 'commercial' router before), I used a Servaris Desktop with dual NICs running FreeBSD 9.2 as our 'router' and also employed the PF firewall. In the firewall I have QoS, queues and port redirection set up as follows:

Definitions:
voip_ports="{ 5004, 5060:5080, 5160, 10000:20000 }" # Define 'voip_ports' used in PF code
Redirection:
rdr pass on $ext_if proto tcp from any to any port 10069 -> 192.168.0.3 port 22 # Redirect port 10069 to a Server on LAN and send to port 22
rdr pass on $ext_if proto tcp from any to any port 5909 -> 192.168.2.6 port 5909 # Redirect port 5909 to a box running VirtualBox


QoS Setup, 7 = highest priority and 1 = lowest priority:
altq on $ext_if priq bandwidth 50Mb queue { std_in, voip_in tcp_ack_in low_pri_in } # state amount of available bandwidth and use queuing
queue std_in priority 4 priq (default) # define standard inbound and its priority
queue low_pri_in priority 1 # define low priority queue
queue voip_in priority 6 # define the VoIP priority
queue tcp_ack_in priority 7


Filter Rules:
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state queue (std_out, tcp_ack_out)
pass out on $ext_if inet proto udp from any to any port $vpn keep state tag Voip queue voip_out # Pass out SIP ports going to VPN and prioritize them
pass out on $ext_if inet proto udp from any to any port $voip_ports keep state tag Voip queue voip_out  # pass out SIP and prioritize them - non VPN phones
pass out on $ext_if inet proto {tcp udp} from ($ext_if) to any port $low_pri keep state queue low_pri_out # pass out everything else on a low priority 

pass out on $ext_if proto tcp from any to any port $low_pri queue low_pri_out
pass in on $ext_if inet proto udp from any port $voip_ports to any keep state queue voip_in  # pass INBOUND packets for SIP Phones and prioritize the packets
pass in on $ext_if inet proto tcp from any to any port $tcp_services keep state queue std_in # Pass INBOUND packets for everything else on a low priority
pass in on $int_if inet proto tcp from any to any port $tcp_services keep state queue std_in # pass packets for LAN on internal NIC 
Right now I only have a 3com unmanaged switch to which all LAN devices are attached.

The RB2011UiAS currently has:
wlan = Wireless (set up with access list) # does that mean that if the MAC address is NOT in the access list, other wireless devices will NOT be able to use our wlan?
port 1 = WAN
port 2 = 192.168.0.1/24, 192.168.1.1/24 and 192.168.2.1/24 (would it make sense to just use 192.168.0.1/23?)
Port 2 also has 192.168.88.1/24 (default config - I did not touch it, as I am not sure if altering or deleting this would stop it all from working)
Under DHCP Server, what I set up last night is displayed in RED. Does that mean it's not working?
The big question is, how would I get the Mikrotik router to do the same as the above? I have looked in the forums but would like to see what some people here suggest.

Thank you in advance for any help.
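A RouterOS sketch of the PF redirections and upload priorities quoted in the post above. This is an added example, not part of the original post and not an official MikroTik configuration. Assumptions: the WAN port is `ether1`, the 50M ceiling is taken from the `altq` line, and all packet-mark, queue and comment names are made up for illustration. `$vpn`, `$low_pri` and `$tcp_services` are not defined in the post, so they are not translated.

```routeros
# Port redirection (PF "rdr" lines). As in the PF rules, these match any
# source address, so SSH and the port 5909 service are reachable from the
# whole Internet; a src-address or src-address-list matcher narrows that.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=10069 \
    action=dst-nat to-addresses=192.168.0.3 to-ports=22 \
    comment="10069 -> LAN server ssh"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=5909 \
    action=dst-nat to-addresses=192.168.2.6 to-ports=5909 \
    comment="5909 -> VirtualBox host"

# Classification (PF "tag"/"queue" keywords become packet marks).
# voip_ports = { 5004, 5060:5080, 5160, 10000:20000 }, UDP only.
# "port" matches the source or the destination port, which covers both
# the "pass out ... to any port" and "pass in ... from any port" rules.
/ip firewall mangle
add chain=forward protocol=udp port=5004,5060-5080,5160,10000-20000 \
    action=mark-packet new-packet-mark=voip passthrough=no \
    comment="SIP/RTP from non-VPN phones"
# Small ACK-only TCP segments, the role of tcp_ack_out in the PF rules.
add chain=forward protocol=tcp tcp-flags=ack packet-size=0-123 \
    action=mark-packet new-packet-mark=tcp-ack passthrough=no \
    comment="bare TCP ACKs"

# Queues (PF "altq ... priq"). PF priq: 7 = highest, 1 = lowest.
# RouterOS queue tree: 1 = highest, 8 = lowest, so the order is inverted.
# Priorities only take effect on leaf queues under a parent with max-limit.
/queue tree
add name=wan-up parent=ether1 max-limit=50M
# PF priority 7 (tcp_ack)
add name=up-tcp-ack parent=wan-up packet-mark=tcp-ack priority=1
# PF priority 6 (voip)
add name=up-voip parent=wan-up packet-mark=voip priority=2
# PF priority 4 (std, the default queue): everything left unmarked
add name=up-std parent=wan-up packet-mark=no-mark priority=4
```

A queue tree attached to `ether1` shapes only traffic leaving the WAN port; shaping the download direction needs a second tree whose parent is the LAN-facing interface.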
