Original post in basics section http://forum.mikrotik.com/viewtopic.php?f=13&t=112956
I'm quite new to the more advanced setup of MikroTiks; it looks like they can do quite a bit. I have used MikroTiks, but mostly on the wireless side, not much for routing etc.
I am trying to setup my mikrotik as the router in my complex where internet is a bit of an issue. I am one of the only houses that has internet and I am distributing it to 3 other houses. At the moment just doesn't feel like it's working, please could you guys have a look and advise on what I need to change?
What I am trying to set up:
- MT doing PPPoE dial to ISP
- PPPoE server with Userman for clients to connect (2Mb/256k) each.
- MT firewall to protect against outside attacks (been getting spam reported by my ISP)
- MT Bandwidth management/QoS in following priority:
HIGHEST TO LOWEST
1 - HTTP and normal browsing (Also mobile phone browsing - social media eg. Instagram, Twitter etc.)
2 - YouTube and Streaming
3 - Skype etc. (Could possibly join no.2 above)
4 - Online Gaming
5/Lowest - P2P torrents *May get full speed if the network is not under strain, but all other protocols should take preference over this. i.e can run at full speed, but the moment somebody needs to browse, YouTube or Skype, and bandwidth is low, torrent speed should drop to say 20kbps.
I've noticed that at the moment there seems to be no order of priority on the network. So like, at home if a torrent is running, I'll struggle with instagram or even normal browsing on my phone, or even to browse or YouTube on the PC running the torrent.
# Physical ports. ether1 is renamed ether1-gateway (the PPPoE client below dials
# over it); ether2 is the LAN master port and ether3-5 are attached to it through
# master-port.
/interface ethernet
# NOTE(review): mtu=1492 is set on the Ethernet ports themselves; 1492 is normally
# the MTU of the PPPoE link riding on top of a 1500-byte Ethernet port - confirm
# this is intended.
set [ find default-name=ether1 ] mtu=1492 name=ether1-gateway
set [ find default-name=ether2 ] mtu=1492 name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
ether5-slave-local
# PPPoE client: dials the ISP over ether1-gateway and installs the default route
# (add-default-route=yes); DNS servers offered by the ISP are accepted
# (use-peer-dns=yes).
# NOTE(review): the user= and password= values below are account credentials in a
# publicly posted export. Change the password with the ISP, and produce exports
# meant for posting with `/export hide-sensitive`.
# allow=pap limits authentication to PAP, which hands the password to the remote
# end unencrypted; permit a challenge-based method as well if the ISP supports one.
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether1-gateway \
max-mru=1400 max-mtu=1400 mrru=1600 name=pppoe-out1 password=1daa8h \
use-peer-dns=yes user=zaahids@afrihost.co.za
# Address pools. Both the DHCP pool and the PPPoE pool are ranges inside
# 192.168.88.0/24.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.50
add name=PPPoE ranges=192.168.88.100-192.168.88.200
# DHCP server on ether2-master-local, the same port the PPPoE server listens on.
# NOTE(review): a device on that segment that simply takes a DHCP lease receives an
# address, gateway and DNS (see /ip dhcp-server network) without authenticating
# over PPPoE, so the User Manager accounts and rate limits would not apply to it.
# If every neighbour is meant to log in, confirm whether this DHCP server should
# be reachable from the neighbours' side at all.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master-local name=default
# Default PPP profile (*0): PPP clients are given 192.168.88.2 as DNS server and
# local-address is set to the pool named PPPoE.
/ppp profile
set *0 dns-server=192.168.88.2 local-address=PPPoE
# User Manager customer "admin": the access= list is the set of permissions
# granted to that customer account.
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
# Profiles that users can be assigned. All four start at logon with validity=0s.
# The 1Mbit profile is the only one with override-shared-users=off; the others
# override it to unlimited.
/tool user-manager profile
add name=8Mbit name-for-users="" override-shared-users=unlimited owner=admin \
price=449 starts-at=logon validity=0s
add name=2Mbit name-for-users="" override-shared-users=unlimited owner=admin \
price=449 starts-at=logon validity=0s
add name=4Mbit name-for-users="" override-shared-users=unlimited owner=admin \
price=0 starts-at=logon validity=0s
add name=1Mbit name-for-users="" override-shared-users=off owner=admin price=\
0 starts-at=logon validity=0s
# Limitations (rate limits) that the profiles refer to by name. No transfer,
# upload, download or uptime caps are set (all 0); only rate limits are.
# NOTE(review): the post asks for 2Mb/256k per client - check the rx/tx values
# and their B-suffixed units against that target.
# All four limitations use rate-limit-priority=1, so they do not differ in priority.
/tool user-manager profile limitation
add address-list="" download-limit=0B group-name="" ip-pool="" name=8Mbit \
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B \
rate-limit-priority=1 rate-limit-rx=524288B rate-limit-tx=8388608B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=2Mbit \
owner=admin rate-limit-min-rx=131072B rate-limit-min-tx=1048576B \
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1843200B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=4Mbit \
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B \
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=4194304B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=1Mbit \
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=1048576B \
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1048576B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
# PPPoE server for the neighbours, listening on ether2-master-local under the
# service name "Internet"; one-session-per-host=yes allows a single session per
# client host.
# NOTE(review): authentication=pap is the only method offered, so every client
# sends its password unencrypted across the shared segment (per the post, a
# wireless AP that all neighbours connect to). Anyone able to capture traffic
# there could read those passwords; offer a challenge-based method such as
# mschap2 instead once it is confirmed that the clients and the RADIUS backend
# accept it.
/interface pppoe-server server
add authentication=pap disabled=no interface=ether2-master-local max-mru=1360 \
max-mtu=1360 mrru=1600 one-session-per-host=yes service-name=Internet
# Router addresses: 192.168.88.2/24 on the LAN master port, and 10.0.0.2 on the
# modem-facing port.
# NOTE(review): the 10.0.0.2 entry has no prefix length while network=10.0.0.0 is
# given - confirm the intended mask for reaching the modem.
/ip address
add address=192.168.88.2/24 interface=ether2-master-local network=\
192.168.88.0
add address=10.0.0.2 interface=ether1-gateway network=10.0.0.0
# Options handed to DHCP clients: the router is both gateway and DNS server.
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.2 gateway=192.168.88.2 netmask=24
# DNS: upstream resolvers are 8.8.8.8 and 8.8.4.4, and allow-remote-requests=yes
# makes the router answer DNS queries from other hosts.
# NOTE(review): that setting is not tied to an interface here, so the input chain
# of the firewall has to drop port 53 (UDP and TCP) arriving on pppoe-out1;
# otherwise the router is an open resolver that internet hosts can abuse for
# amplification, which ISPs typically report as abuse.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
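# Filter rules are evaluated top to bottom and the first match wins, so the drop
# for internet-facing traffic must come before any unconditional accept.
#
# The previous rule set accepted all TCP and all UDP arriving on pppoe-out1 and
# then accepted everything else, so its final drop never matched: every service
# on the router (DNS, web proxy, RADIUS incoming, management) was reachable from
# the internet. The order below closes that.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
# ICMP is accepted from any interface, as before.
add chain=input comment="accept ICMP" protocol=icmp
# Replies to connections the router opened (DNS lookups, NTP, ...) and traffic
# related to them.
add chain=input comment="accept established" connection-state=established
add chain=input comment="accept related" connection-state=related
# Anything else that arrives from the internet is unsolicited: drop it.
add action=drop chain=input comment="drop unsolicited traffic from internet" \
in-interface=pppoe-out1
# Whatever is left comes from the LAN port or from PPPoE client sessions.
add chain=input comment="accept from LAN and PPPoE clients"
add chain=output
# --- forward: traffic routed through the router ---
# Return traffic for connections that clients opened.
add chain=forward comment="accept established" connection-state=established
add chain=forward comment="accept related" connection-state=related
# New connections initiated from the internet towards the clients are dropped.
# No dstnat (port-forward) rules exist in this configuration; if one is added
# later, put an accept for it above this rule.
add action=drop chain=forward comment="drop unsolicited traffic from internet" \
in-interface=pppoe-out1
add chain=forward src-address=192.168.88.0/24
add chain=forward dst-address=192.168.88.0/24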
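# Source NAT. Only one masquerade rule on pppoe-out1 is needed for internet
# access; the export contained the same rule twice and the second copy could
# never match, so it is removed here.
/ip firewall nat
# NOTE(review): this rule's chain is spelled "src-nat", not the built-in
# "srcnat", so it sits in a custom chain that nothing in this export jumps to.
# It also matches dst-address=10.0.0.2, which is the router's own address on
# ether1-gateway. If the goal is to reach the modem's management page, confirm
# the modem's address and rewrite the rule for it.
add action=masquerade chain=src-nat comment="NAT to ADSL Modem" dst-address=\
10.0.0.2 out-interface=ether1-gateway src-address=10.0.0.0/24 \
to-addresses=192.168.88.10
# Internet access for LAN and PPPoE clients.
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=pppoe-out1 to-addresses=0.0.0.0
# NOTE(review): masquerades traffic that already has the router's LAN address as
# its source when it leaves the LAN port - confirm whether this rule is needed.
add action=masquerade chain=srcnat out-interface=ether2-master-local \
src-address=192.168.88.2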
# Web proxy: enabled on TCP port 53281 with anonymous=yes and no cache size limit.
# NOTE(review): a web proxy is not among the goals listed in the post. A proxy
# that is reachable on the internet-facing interface lets strangers relay their
# traffic through this connection, which fits the abuse reports from the ISP
# mentioned in the post. If this was not enabled deliberately, disable it
# (enabled=no), change the router's admin password and review the remaining
# configuration for other settings nobody remembers adding. If it is wanted,
# make sure the input chain drops connections to this port from pppoe-out1.
/ip proxy
set anonymous=yes enabled=yes max-cache-size=none port=53281
# Static host (/32) routes. The default route is not listed here; it is added
# dynamically by the PPPoE client (add-default-route=yes).
# NOTE(review): 192.168.88.1 is routed out ether1-gateway with pref-src
# 192.168.88.1 (presumably the ADSL modem's management address - confirm),
# although 192.168.88.0/24 is the LAN subnet on ether2-master-local. The routes
# for .2 and .3 point at the LAN port, which the connected /24 already covers.
/ip route
add distance=1 dst-address=10.0.0.2/32 gateway=ether1-gateway
add distance=1 dst-address=192.168.88.1/32 gateway=ether1-gateway pref-src=\
192.168.88.1
add distance=1 dst-address=192.168.88.2/32 gateway=ether2-master-local
add distance=1 dst-address=192.168.88.3/32 gateway=ether2-master-local
# PPP logins are authenticated over RADIUS (use-radius=yes).
/ppp aaa
set use-radius=yes
# RADIUS client for the ppp service, pointing at 192.168.88.2, the router's own
# LAN address (User Manager runs on the same device).
# NOTE(review): no secret= appears on this entry, and the matching User Manager
# router entry has shared-secret="". Set the same non-empty secret on both sides.
/radius
add address=192.168.88.2 service=ppp
# Accepts incoming RADIUS requests (CoA / disconnect) on UDP port 1700.
# NOTE(review): with an empty shared secret these requests are not
# authenticated, so the input chain must drop UDP 1700 arriving on pppoe-out1
# and, ideally, from client-facing interfaces as well.
/radius incoming
set accept=yes port=1700
# Fixed time zone; auto-detection is off.
/system clock
set time-zone-autodetect=no time-zone-name=Africa/Johannesburg
# Location of the User Manager database on the router's storage.
/tool user-manager database
set db-path=user-manager
# Binds each limitation to a profile for every weekday, 00:00:00-23:59:59.
# NOTE(review): the first entry names limitation=8Mbit but has no profile=
# argument, and a second entry further down binds 8Mbit to profile=8Mbit -
# confirm whether the first one is a leftover.
/tool user-manager profile profile-limitation
add from-time=0s limitation=8Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=2Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=4Mbit profile=4Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=8Mbit profile=8Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=1Mbit profile=1Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
# The router as seen by User Manager: RADIUS requests from 192.168.88.2 are
# accepted, CoA is sent to port 1700, and failed logins are logged.
# NOTE(review): shared-secret="" means RADIUS traffic between the PPP service and
# User Manager is not protected by a secret; set a long random one here and on
# the /radius entry.
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=192.168.88.2 log=\
auth-fail name=RB750UP shared-secret="" use-coa=yes
# PPPoE accounts for the neighbours, each pinned to a fixed address inside the
# PPPoE pool range.
# NOTE(review): every password equals the part of the username before the "@",
# and all of them are now in a public post. Together with PAP-only
# authentication on the PPPoE server this makes the accounts easy to take over;
# assign new random passwords. The first account allows one session
# (shared-users=1), the other two allow unlimited simultaneous sessions.
/tool user-manager user
add customer=admin disabled=no ip-address=192.168.88.110 password=samodien \
shared-users=1 username=samodien@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.102 password=davis \
shared-users=unlimited username=davis@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.103 password=domingo \
shared-users=unlimited username=domingo@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
My thinking is, too many NAT protocols, yes? Also, can you add a PPPoE server where there is already a PPPoE dial-up?
I have never used a firewall setup on the MikroTik, so a simple script on there should work? I have also not been able to set up a queue tree successfully as per my needs above.
The equipment used from start to finish is as follows ADSL router in bridge mode-->Mikrotik doing PPPOE dial up with all the rules and routing necessary-->Ubiquiti AP to distribute to neighbors-->each neighbor has a TP-Link device to connect to AP and then connect internally.
My thinking is to have a subnet for each house? Or a different IP range, but can you assign more than one IP range per port? How would it work?