umfunix
just joined
Topic Author
Posts: 3
Joined: Tue Apr 25, 2017 5:08 pm

Messed up config - SLOW internet

Mon Mar 26, 2018 12:11 pm

Please help....

My internet became extremely slow and I can't seem to find the reason. I have 2 WANs, wan1 (2Mbps up and download), wan2 (10Mbps download, 2Mbps upload). All traffic can be balanced, but I would like to prioritise VoIP and TeamViewer, and my YouTube channel upload should be forced through WAN1.

Help to simplify my config and achieve my goal would be greatly appreciated.
# mar/26/2018 10:24:43 by RouterOS 6.41.2
# software id = TW78-W5YU
#
# model = RouterBOARD 952Ui-5ac2nD

#Interface setup
/interface bridge
add name=bridge1

/interface ethernet
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] comment=WAN1 name=ether3_WAN1
set [ find default-name=ether4 ] comment=WAN2 name=ether4_WAN2

/interface wireless
set [ find default-name=wlan2 ] disabled=no ssid=xxxx

/interface list
add name=local
add name=WANs

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=xxxx
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity="" wpa-pre-shared-key=xxxx wpa2-pre-shared-key=\
    xxxx
	
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge radio-name=\
    MikrotikHap security-profile=profile1 ssid=xxxx
	
/interface bridge port
add bridge=bridge1 hw=no interface=ether2_LAN
add bridge=bridge1 hw=no interface=wlan1

/interface list member
add interface=wlan1 list=local
add interface=ether4_WAN2 list=local
add comment=WAN1 interface=ether3_WAN1 list=local
add interface=ether2_LAN list=local
add interface=ether3_WAN1 list=WANs
add comment=WAN2 interface=ether4_WAN2 list=WANs

/interface wireless access-list
add authentication=no interface=wlan1 mac-address=xx:xx:xx:xx:xx:xx \
    vlan-mode=no-tag

#IP Addresses
/ip address
add address=10.0.0.x/24 interface=ether2_LAN network=10.0.0.0
add address=10.0.x1.x/24 comment=WAN1 interface=ether3_WAN1 network=\
    10.0.x1.0
add address=10.0.x2.x/24 comment=WAN2 interface=ether4_WAN2 network=10.0.x2.0
	
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
    servers=10.0.0.xx,8.8.8.8
	
/ip dns static
add address=10.0.0.xx name=router

#Mangle Rules
/ip firewall mangle
add action=accept chain=prerouting comment="WAN2 accept" dst-address=10.0.x2.xx \
    in-interface=bridge1
add action=accept chain=prerouting comment="WAN1 accept" dst-address=\
    10.0.x1.xx in-interface=bridge1
add action=accept chain=forward comment="DNS" connection-state="" \
    port=53 protocol=udp
add action=mark-connection chain=forward comment="sip-conn1 VoIP mark" \
    dst-address=xxx.xxx.xxx.xxx dst-port=5060 new-connection-mark=sip-conn1 \
    passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment="sip-conn2 VoIP mark" \
    dst-address=xxx.xxx.xxx.xxx dst-port=5060 new-connection-mark=sip-conn2 \
    passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment="rtp-conn1 VoIP mark" \
    dst-address=xxx.xxx.xxx.xxx new-connection-mark=rtp-conn1 passthrough=yes \
    port=10000-20000 protocol=udp
add action=mark-connection chain=forward comment="rtp-conn2 VoIP mark" \
    dst-address=xxx.xxx.xxx.xxx new-connection-mark=rtp-conn2 passthrough=yes \
    port=10000-20000 protocol=udp
add action=mark-packet chain=forward comment="rtp-pkt1 VoIP mark" \
    connection-mark=rtp-conn1 new-packet-mark=rtp-pkt1 passthrough=yes
add action=mark-packet chain=forward comment="rtp-pkt2 VoIP mark" \
    connection-mark=rtp-conn2 new-packet-mark=rtp-pkt2 passthrough=yes
add action=change-dscp chain=postrouting comment="DSCP 46" new-dscp=46 \
    out-interface=ether3_WAN1 packet-mark=rtp-pkt1 passthrough=yes
add action=change-dscp chain=postrouting comment="DSCP 46" new-dscp=46 \
    out-interface=ether4_WAN2 packet-mark=rtp-pkt2 passthrough=yes
add action=mark-packet chain=forward comment="sip-pkt1 VoIP mark" \
    connection-mark=sip-conn1 new-packet-mark=sip-pkt1 passthrough=yes
add action=mark-packet chain=forward comment="sip-pkt1 VoIP mark" \
    connection-mark=sip-conn2 new-packet-mark=sip-pkt2 passthrough=yes
add action=mark-connection chain=prerouting comment="WAN1 cm 3/1 out" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=WAN1_cm passthrough=yes per-connection-classifier=\
    both-addresses:3/1
add action=mark-connection chain=prerouting comment="WAN2 cm 3/0 out" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=WAN2_cm passthrough=yes per-connection-classifier=\
    both-addresses:3/0
add action=mark-connection chain=prerouting comment="WAN2 cm 3/2 out" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=WAN2_cm passthrough=yes per-connection-classifier=\
    both-addresses:3/2
add action=mark-routing chain=prerouting comment="WAN1 route mrk" \
    connection-mark=WAN1_cm in-interface=bridge1 new-routing-mark=to_WAN1 \
    passthrough=yes
add action=mark-routing chain=prerouting comment="WAN2 route mrk" \
    connection-mark=WAN2_cm in-interface=bridge1 new-routing-mark=to_WAN2 \
    passthrough=yes
add action=mark-routing chain=output comment="WAN1 route mrk" \
    connection-mark=WAN1_cm new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="WAN2 route mrk" \
    connection-mark=WAN2_cm new-routing-mark=to_WAN2 passthrough=yes
add action=mark-connection chain=prerouting comment="WAN1 cm in" \
    connection-mark=no-mark in-interface=ether3_WAN1 new-connection-mark=\
    WAN1_cm passthrough=yes
add action=mark-connection chain=prerouting comment="WAN2 cm in" \
    connection-mark=no-mark in-interface=ether4_WAN2 new-connection-mark=\
    WAN2_cm passthrough=yes
add action=mark-routing chain=prerouting comment="WAN1 route mrk" \
    connection-mark=WAN1_cm in-interface=bridge1 new-routing-mark=to_WAN1 \
    passthrough=yes
add action=mark-routing chain=prerouting comment="WAN2 route mrk" \
    connection-mark=WAN2_cm in-interface=bridge1 new-routing-mark=to_WAN2 \
    passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Mark - Downloads & Uploads" connection-bytes=1000000-0 \
    new-connection-mark=Downloads passthrough=yes port=80,443 protocol=tcp
add action=mark-packet chain=prerouting comment=\
    "Packet - Downloads & Uploads" connection-mark=Downloads new-packet-mark=\
    Downloads passthrough=no
add action=mark-connection chain=output comment="Mark - Uploads" \
    new-connection-mark=Uploads out-interface-list=WANs passthrough=yes port=\
    80,443 protocol=tcp
add action=mark-packet chain=output comment="Packet - Uploads" \
    connection-mark=Uploads new-packet-mark=Uploads passthrough=no
add action=mark-connection chain=prerouting comment="Mark - Browsing" \
    connection-bytes=0-1000000 new-connection-mark=Browsing passthrough=yes \
    port=80,443 protocol=tcp
add action=mark-packet chain=prerouting comment="Packet - Browsing" \
    connection-mark=Browsing new-packet-mark=Browsing passthrough=no
add action=mark-packet chain=forward comment=youtube new-packet-mark=Youtube \
    passthrough=no src-address-list=Youtube
add action=mark-routing chain=prerouting comment="Mark YouTube" \
    dst-address-list=Youtube new-routing-mark=target_website_packets \
    passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Mark - Teamviewer port tcp" new-connection-mark=Teamviewer passthrough=\
    yes port=5938 protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "Mark - Teamviewer port udp" new-connection-mark=Teamviewer passthrough=\
    yes port=5938 protocol=udp
add action=mark-packet chain=prerouting comment="Packet - Temviewer" \
    connection-mark=Teamviewer new-packet-mark=Teamviewer passthrough=no
add action=mark-packet chain=prerouting comment="Packet - RemoteApps" \
    connection-mark=RemoteApps new-packet-mark=RemoteApps passthrough=no
add action=accept chain=forward comment="DNS (TKSJa)" connection-state="" \
    port=53 protocol=tcp
add action=mark-connection chain=prerouting comment="Mark - DNS tcp" \
    new-connection-mark=DNS passthrough=yes port=53 protocol=tcp
add action=mark-connection chain=prerouting comment="Mark - DNS udp" \
    new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting comment="Packet - DNS" \
    connection-mark=DNS new-packet-mark=DNS passthrough=no
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    10m chain=prerouting comment=youtube content=youtube.com dst-port=80,443 \
    protocol=tcp
	
#NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether3_WAN1
add action=masquerade chain=srcnat out-interface=ether3_WAN1 routing-mark=\
    wan1-route
add action=masquerade chain=srcnat out-interface=ether4_WAN2
add action=masquerade chain=srcnat out-interface=ether4_WAN2 routing-mark=\
    wan2-route
add action=accept chain=srcnat dst-port=80 protocol=tcp

#IP Routes
/ip route
add comment="Route for marked packets for target web marked packets" \
    distance=1 gateway=ether3_WAN1 routing-mark=target_website_packets
add comment=WAN1->inet distance=1 gateway=10.0.x1.xx routing-mark=w1-route \
    scope=10
add comment=WAN2->inet distance=1 gateway=10.0.x2.xx routing-mark=w2-route \
    scope=10
add distance=1 gateway=10.0.0.xx routing-mark=squid-route
add comment=WAN2 distance=1 gateway=10.0.x2.xx scope=10
add comment=WAN1 distance=1 gateway=10.0.x1.xx scope=10


#Queues
/queue type
set 0 pfifo-limit=100
add kind=pcq name=pcq-normal-dwnld pcq-classifier=dst-address pcq-limit=0KiB \
    pcq-rate=10M pcq-total-limit=8000KiB
add kind=pcq name=pcq-high-upld pcq-classifier=src-address pcq-limit=0KiB \
    pcq-rate=10M pcq-total-limit=3000KiB
add kind=pcq name=pcq-high-dwnld pcq-classifier=dst-address pcq-limit=0KiB \
    pcq-rate=10M pcq-total-limit=8000KiB
add kind=pcq name=pcq-normal-upld pcq-classifier=src-address pcq-limit=0KiB \
    pcq-rate=10M pcq-total-limit=3000KiB
add kind=pcq name=Download pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-src-address6-mask=64
add kind=pcq name=Upload pcq-classifier=src-address pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64
	
/queue interface
set ether2_LAN queue=ethernet-default
set ether3_WAN1 queue=ethernet-default
set ether4_WAN2 queue=ethernet-default

/queue simple
add comment="Managment Traffic" disabled=yes name=Managment packet-marks=\
    Managment priority=1/1 queue=default/default
	
/queue tree
add comment="" name="All Bandwidth" parent=global priority=1 queue=\
    default
add name="Unlimited for cache" packet-mark=cache parent=global priority=4 \
    queue=default
add comment="" name=Download packet-mark="" parent="All Bandwidth" \
    priority=2 queue=default
add comment="" name=Upload parent="All Bandwidth" priority=1 queue=\
    default
add comment="RTP queue parent upload" limit-at=600k max-limit=600k name=\
    "VoIP1 up pri 1" packet-mark=rtp-pkt1 parent=Upload priority=1 queue=\
    default
add comment="RTP queue parent upload" limit-at=600k max-limit=600k name=\
    "VoIP2 up pri 1" packet-mark=rtp-pkt2 parent=Upload priority=1 queue=\
    default
add comment="SIP queue" limit-at=450k max-limit=450k name="VoIP1 pri 2" \
    packet-mark=sip-pkt1 parent=Upload priority=2 queue=default
add comment="SIP queue" limit-at=450k max-limit=450k name="VoIP2 pri 2" \
    packet-mark=sip-pkt2 parent=Upload priority=2 queue=default
add name=ICMP packet-mark=ICMP parent=global priority=1 queue=default
add name=Managment packet-mark=Managment parent=global priority=1 queue=\
    default
add limit-at=4M max-limit=4M name="Total Bandwidth Upload" parent=\
    "All Bandwidth" priority=2 queue=Upload
add bucket-size=0.01 name="ICMP - tx" packet-mark=ICMP parent=\
    "Total Bandwidth Upload" priority=1
add bucket-size=0.01 name="Browsing - tx" packet-mark=Browsing parent=\
    "Total Bandwidth Upload" priority=3 queue=default
add bucket-size=0.01 name=Uploads packet-mark=Uploads parent=\
    "Total Bandwidth Upload" priority=3 queue=default
add bucket-size=0.01 name="Remote Apps - tx" packet-mark=RemoteApps parent=\
    "Total Bandwidth Upload" priority=3 queue=default
add bucket-size=0.01 name="Other - tx" packet-mark=no-mark parent=\
    "Total Bandwidth Upload" priority=3
add max-limit=10M name="Total Bandwidth Download" parent="All Bandwidth" \
    priority=2 queue=Download
add name="ICMP - rx" packet-mark=ICMP parent="Total Bandwidth Download" \
    priority=1
add name="Browsing - rx" packet-mark=Browsing parent=\
    "Total Bandwidth Download" priority=3 queue=default
add name=Downloads packet-mark=Downloads parent="Total Bandwidth Download" \
    priority=3 queue=default
add name="Remote Apps - rx" packet-mark=RemoteApps parent=\
    "Total Bandwidth Download" priority=3 queue=default
add name="DNS - rx" packet-mark=DNS parent="Total Bandwidth Download" \
    priority=1
add name="Other - rx" packet-mark=no-mark parent="Total Bandwidth Download" \
    priority=3
add bucket-size=0.01 name=Teamviewer packet-mark=Teamviewer parent=\
    "All Bandwidth" priority=1 queue=default
add bucket-size=0.01 comment=YouTube max-limit=10M name=YouTube packet-mark=\
    Youtube parent="All Bandwidth" priority=1 queue=Download
add name="VoIP up" packet-mark=VoIP-up-pkt parent="All Bandwidth" priority=2 \
    queue=default
add name="VoIP down" packet-mark=VoIP-dwn-pkt parent="All Bandwidth" \
    priority=2 queue=default
	
	
#DHCP
/ip dhcp-client option
add code=46 name=netbios value=0x08

/ip dhcp-server option
add code=46 name=Netbios value=0x08

/ip pool
add name=dhcp_pool1 ranges=10.0.0.xxx,10.0.0.xxx-10.0.0.xxx
add name=dhcp_pool2 ranges=10.0.0.xx,10.0.0.xx-10.0.0.xx
add name=dhcp_pool4 ranges=10.0.0.xx,10.0.0.xx-10.0.0.xx

/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 bootp-support=dynamic disabled=no \
    interface=bridge1 name=dhcp1

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1

/ip dhcp-server lease
add address=10.0.0.xx client-id=LexMPrnEth mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcp1
	
/ip dhcp-server network
add address=10.0.0.xx/24 dns-server=8.8.8.8,10.0.0.xx gateway=10.0.0.xx netmask=\
    24 ntp-server=196.2.45.66
add address=10.0.x1.0/24 dns-server=8.8.8.8 gateway=10.0.x1.xx netmask=24
add address=10.0.x2.0/24 dns-server=8.8.8.8 gateway=10.0.x2.xx netmask=24

#Layer7
/ip firewall layer7-protocol
add name=youtube regexp="^.*(youtube\\.com|googlevideo\\.com).*\$"
add name=VIDEO-L7 regexp="^.*(youtube.com).*\\\$"
add name=sip regexp=\
    "^(invite|register|cancel) sip[\t-\r -~]*sip/[0-2]\\.[0-9]"
add name=h323 regexp=\
    "^\03..\?\08...\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?\05"
add name=bittorrent regexp="^(\13bittorrent protocol|azver\01\$|get /scrape\\\
    \?info_hash=)|d1:ad2:id20:|\08'7P\\)[RP]"
add name=Stream regexp="^.+(youtube|dailymotion|metacafe|mccont).*\$"
add name=streaming regexp=videoplayback|video
add name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|demonii|bittorre\
    nt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btsc\
    ene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|m\
    eganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|utorrent|commonbits\
    ).*\$"
add name=torrent-www regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|enter\
    tane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitu\
    nity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|\
    fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
add name=torrentsites regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|ente\
    rtane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bit\
    unity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|eganova|\
    fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
	
	
#SNMP
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0


/ip firewall address-list
add address=10.0.x1.0/24 list=local
add address=10.0.x2.0/24 list=local
add address=10.0.0.0/24 list=local
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=Bogons
add address=10.0.x2.0/24 list=WANs
add address=10.0.x1.0/24 list=WANs
add address=196.28.95.12 comment="WAN2 sip server" list=VoIP
add address=196.2.147.146 comment="VBX sip server" list=VoIP
add address=10.0.0.xx list=high-prior comment="personal pc"
add address=10.0.0.xx list=high-prior comment="personal laptop"
add address=10.0.0.xxx list=high-prior comment="other pc"
add address=173.194.0.0/16 list=Youtube
add address=208.65.152.0/22 list=Youtube
add address=64.15.112.0/20 list=Youtube
add address=74.125.96.0/19 list=Youtube
add address=72.14.221.0/24 list=Youtube
add address=84.53.128.0/18 list=Youtube
add address=87.248.192.0/19 list=Youtube
add address=216.155.128.0/19 list=Youtube
add address=208.73.208.0/21 list=Youtube
add address=66.55.140.0/23 list=Youtube
add address=74.125.208.0/24 list=Youtube
add address=208.117.224.0/19 list=Youtube
add address=10.0.0.xx comment=router list=TARGET_WEB_SITE_dns_ips

#IP Firewall Filter
/ip firewall filter
add action=jump chain=forward comment="Known virus ports DELETE" disabled=yes \
    jump-target=known_viruses
add action=jump chain=forward comment=\
    "kill known bad source addresses DELETE" disabled=yes jump-target=\
    bad_people
add action=jump chain=forward comment="Jump to Accepted List" disabled=yes \
    jump-target=accept_list
add action=accept chain=input comment="email allow established connections" \
    connection-state=established disabled=yes dst-address=78.46.7.31 \
    dst-port=587 protocol=tcp src-address=78.46.7.31 src-port=110
add action=accept chain=accept_list comment="Forward HTTP to webserver" \
    dst-address=10.0.x1.xx dst-port=80 protocol=tcp
add action=accept chain=accept_list comment="Forward HTTPS to webserver" \
    dst-address=10.0.x1.xx dst-port=443 protocol=tcp
add action=accept chain=accept_list comment="Forward HTTP to webserver" \
    dst-address=10.0.x2.xx dst-port=80 protocol=tcp
add action=accept chain=accept_list comment="Forward HTTPS to webserver" \
    dst-address=10.0.x2.xx dst-port=443 protocol=tcp
add action=accept chain=accept_list comment="Forward FTP to Server" \
    dst-address=10.0.x1.xx dst-port=21 protocol=tcp
add action=accept chain=accept_list comment="Forward RDP to Server" \
    dst-address=10.0.x1.xx dst-port=3389 protocol=tcp src-port=3389
add action=accept chain=accept_list comment="Forward FTP to Server" \
    dst-address=10.0.x2.xx dst-port=21 protocol=tcp
add action=accept chain=accept_list comment="Forward RDP to Server" \
    dst-address=10.0.x2.xx dst-port=3389 protocol=tcp src-port=3389
add action=accept chain=forward comment="Allow WIFI access to ALL" \
    src-address=10.0.0.0/24
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=accept chain=forward comment=\
    "allow established connections DELETE" connection-state=established
add action=accept chain=forward comment="allow related connections DELETE" \
    connection-state=related
add action=accept chain=forward comment="Allow All"
add action=drop chain=input comment="dropping port scanners" disabled=yes \
    src-address-list="port scanners"
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" \
    disabled=yes dst-port=135-139 protocol=tcp
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" \
    disabled=yes dst-port=135-139 protocol=udp
add action=drop chain=known_viruses comment=\
    "winXP netbios not EXACTLY a virus" disabled=yes dst-port=445 protocol=\
    udp
add action=drop chain=known_viruses comment=\
    "winXP netbios not EXACTLY a virus" disabled=yes dst-port=445 protocol=\
    tcp
add action=drop chain=known_viruses comment="msblast worm" disabled=yes \
    dst-port=593 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" disabled=yes \
    dst-port=4444 protocol=tcp
add action=drop chain=known_viruses comment="WITTY worm" disabled=yes \
    dst-port=4000 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" disabled=yes \
    dst-port=995-999 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" disabled=yes \
    dst-port=8998 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" disabled=yes \
    dst-port=2745 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" disabled=yes \
    dst-port=4751 protocol=tcp
add action=drop chain=known_viruses comment="SQL Slammer" disabled=yes \
    dst-port=1434 protocol=tcp
add action=drop chain=bad_people comment="Known Spammer" disabled=yes \
    src-address=81.180.98.3
add action=drop chain=bad_people comment="Known Spammer" disabled=yes \
    src-address=24.73.97.226
add action=drop chain=bad_people comment=\
    "http://isc.incidents.org/top10.html listed" disabled=yes src-address=\
    67.75.20.112
add action=drop chain=bad_people disabled=yes src-address=218.104.138.166
add action=drop chain=bad_people disabled=yes src-address=212.3.250.194
add action=drop chain=bad_people disabled=yes src-address=203.94.243.191
add action=drop chain=bad_people disabled=yes src-address=202.101.235.100
add action=drop chain=bad_people disabled=yes src-address=58.16.228.42
add action=drop chain=bad_people disabled=yes src-address=58.248.8.2
add action=drop chain=bad_people disabled=yes src-address=202.99.11.99
add action=drop chain=bad_people disabled=yes src-address=218.52.237.219
add action=drop chain=bad_people disabled=yes src-address=222.173.101.157
add action=drop chain=bad_people disabled=yes src-address=58.242.34.235
add action=drop chain=bad_people disabled=yes src-address=222.80.184.23
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp
add action=drop chain=input comment=\
    "allows only 10 FTP login incorrect answers per minute" disabled=yes \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=yes protocol=tcp
add action=drop chain=forward comment="drop invalid connections DELETE" \
    connection-state=invalid disabled=yes
	

#Proxy
/ip proxy
set always-from-cache=yes anonymous=yes cache-administrator=admin \
    cache-on-disk=yes enabled=yes max-cache-size=3000000KiB src-address=\
    0.0.0.0
	

#Logging
/system logging
add action=disk topics=web-proxy
add action=squid topics=web-proxy

/system logging action
add disk-file-name="" name=webproxy target=disk
add name=squid remote=10.0.0.xx remote-port=8080 target=remote

#Scheduler
/system scheduler
add disabled=yes interval=8h name=target_web_site on-event=target_web_site \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=mar/26/2018 start-time=08:00:00
add comment=" Update DDNS" interval=5m name=ddns_scheduler on-event=\
    " /system  script  run  ddns\r \
    \n " policy=read,write,test start-time=startup
	
#Scripts
/system script
add name=target_web_site owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    ##############################################\r\
    \n# script name: target_web_site\r\
    \n# Script to add TARGET_WEB_SITE DNS IP addresses\r\
    \n# Syed Jahanzaib / aacable@hotmail.com\r\
    \n# Script Source: N/A / GOOGLE : )\r\
    \n \r\
    \n:log warning \"Script Started ... Adding TARGET_WEB_SITE DNS ip's to add\
    ress list name TARGET_WEB_SITE_dns_ips\"\r\
    \n:foreach i in=[/ip dns cache find] do={\r\
    \n:local bNew \"true\";\r\
    \n:local cacheName [/ip dns cache all get \$i name] ;\r\
    \n:if ([:find \$cacheName \"aacable.wordpress.com\"] != 0) do={\r\
    \n:local tmpAddress [/ip dns cache get \$i address] ;\r\
    \n:put \$tmpAddress;\r\
    \n:if ( [/ip firewall address-list find ] = \"\") do={\r\
    \n:log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\
    \");\r\
    \n/ip firewall address-list add address=\$tmpAddress list=TARGET_WEB_SITE_\
    dns_ips comment=\$cacheName;\r\
    \n} else={\r\
    \n:foreach j in=[/ip firewall address-list find ] do={\r\
    \n:if ( [/ip firewall address-list get \$j address] = \$tmpAddress ) do={\
    \r\
    \n:set bNew \"false\";\r\
    \n}\r\
    \n}\r\
    \n:if ( \$bNew = \"true\" ) do={\r\
    \n:log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\
    \");\r\
    \n/ip firewall address-list add address=\$tmpAddress list=TARGET_WEB_SITE_\
    dns_ips comment=\$cacheName;\r\
    \n}\r\
    \n}\r\
    \n}\r\
    \n}\r\
    \n# TARGET_WEB_SITE DNS IP ADD Script Ended ..."
add comment="ddns Client update script" name=ddns owner=admin policy=\
    read,write,test source="\\r\\\r\
    \n\\n# get the current IP address from the internet\\r\\\r\
    \n\\n/tool fetch mode=http address=\"checkip.dynu.com\" src-path=\"/\" \\r\
    \\\r\
    \n\\ndst-path=\"/dynu.checkip.html\"\\r\\\r\
    \n\\n:local result [/file get dynu.checkip.html contents]\\r\\\r\
    \n\\n#\\r\\\r\
    \n\\n# parse the current IP result\\r\\\r\
    \n\\n:local resultLen [:len \$result]\\r\\\r\
    \n\\n:local startLoc [:find \$result \": \" -1]\\r\\\r\
    \n\\n:set startLoc (\$startLoc + 2)\\r\\\r\
    \n\\n:local currentIP [:pick \$result \$startLoc \$resultLen]\\r\\\r\
    \n\\n:global ddnsuser xxx\\r\\\r\
    \n\\n:global ddnspass \"xxx\"\\r\\\r\
    \n\\n:global ddnshost \"xxx\"\\r\\\r\
    \n\\n:global ipddns [:resolve \$ddnshost];\\r\\\r\
    \n\\n#:global ipddns\\r\\\r\
    \n\\n#\\r\\\r\
    \n\\n:if (\$ipddns != \$currentIP) do={\\r\\\r\
    \n\\n:log info (\"DynuDDNS: IP-Dynu = \$ipddns\")\\r\\\r\
    \n\\n:log info (\"DynuDDNS: IP-Fresh = \$currentIP\")\\r\\\r\
    \n\\n:log info \"DynuDDNS: Update IP needed, Sending UPDATE...!\"\\r\\\r\
    \n\\n:global str \"/nic/update\?hostname=\$ddnshost&myip=\$currentIP\"\\r\
    \\\r\
    \n\\n:log info \"currentIP is \$currentIP\"\\r\\\r\
    \n\\n/tool fetch address=api.dynu.com src-path=\$str mode=http user=\$ddns\
    user password=\$ddnspass \\r\\\r\
    \n\\ndst-path=(\"/Dynu.\".\$ddnshost)\\r\\\r\
    \n\\n:delay 1\\r\\\r\
    \n\\n:global str [/file find name=\"Dynu.\$ddnshost\"];\\r\\\r\
    \n\\n/file remove \$str\\r\\\r\
    \n\\n:global ipddns \$currentIP\\r\\\r\
    \n\\n:log info \"DynuDDNS: IP updated to \$currentIP!\"\\r\\\r\
    \n\\n} else={\\r\\\r\
    \n\\n:log info \"DynuDDNS: No change needed\";\\r\\\r\
    \n\\n}"
	
#Hotspot
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

#Traffic Monitor
/tool traffic-monitor
add interface=bridge1 name=tmon1
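The config above has routing marks that never line up (mangle assigns to_WAN1/to_WAN2, the NAT rules match wan1-route/wan2-route, and the routes carry w1-route/w2-route), plus SNMP, the web proxy and remote DNS answering to anyone who can reach the router. The following is an added lint script, not from the original post or from MikroTik: it folds a RouterOS export into logical lines, cross-references routing marks across mangle, NAT and routes, and flags those exposed services. The embedded export is a constructed excerpt of the posted config with placeholder addresses; the section names and keys are the ones RouterOS actually prints.

```python
"""Lint a RouterOS export: cross-check routing marks and flag exposed services."""
import re

# Constructed excerpt modelled on the config posted above; addresses are placeholders.
SAMPLE_EXPORT = r"""
/ip dns
set allow-remote-requests=yes cache-size=5000KiB servers=10.0.0.2,8.8.8.8
/ip firewall mangle
add action=mark-routing chain=prerouting comment="WAN1 route mrk" \
    connection-mark=WAN1_cm in-interface=bridge1 new-routing-mark=to_WAN1 \
    passthrough=yes
add action=mark-routing chain=prerouting comment="Mark YouTube" \
    dst-address-list=Youtube new-routing-mark=target_website_packets \
    passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether3_WAN1 routing-mark=\
    wan1-route
/ip route
add distance=1 gateway=ether3_WAN1 routing-mark=target_website_packets
add comment=WAN1->inet distance=1 gateway=10.0.1.1 routing-mark=w1-route scope=10
add comment=WAN2->inet distance=1 gateway=10.0.2.1 routing-mark=w2-route scope=10
/ip firewall filter
add action=drop chain=input comment="dropping port scanners" disabled=yes \
    src-address-list="port scanners"
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip proxy
set anonymous=yes enabled=yes
"""
# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def join_continuations(text):
    """Fold RouterOS backslash-continued lines into single logical lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        part = raw.strip()
        if part.endswith("\\"):
            buf += part[:-1]          # keeps any space before '\' so tokens stay apart
            continue
        buf += part
        if buf:
            lines.append(buf)
        buf = ""
    return lines + ([buf] if buf else [])

def parse_export(text):
    """Return [(section, {key: value})] for every add/set line under its /path."""
    section, entries = None, []
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
        elif section and line.startswith(("add ", "set ")):
            entries.append((section, {k: v.strip('"') for k, v in KV_RE.findall(line)}))
    return entries

def routing_mark_roles(entries):
    """Map each routing mark to where it appears: 'mangle' (assigned), 'nat', 'route'."""
    roles = {}
    for section, kv in entries:
        if section == "/ip firewall mangle" and "new-routing-mark" in kv:
            roles.setdefault(kv["new-routing-mark"], set()).add("mangle")
        elif section in ("/ip firewall nat", "/ip route") and "routing-mark" in kv:
            roles.setdefault(kv["routing-mark"], set()).add(section.rsplit(" ", 1)[-1])
    return roles

def check_routing_marks(entries):
    """A mark only steers traffic when mangle assigns it AND a route carries it."""
    return [f"routing mark '{mark}' appears only in {sorted(roles)}"
            for mark, roles in sorted(routing_mark_roles(entries).items())
            if not {"mangle", "route"} <= roles]

def check_exposure(entries):
    """Services that answer on every interface unless an enabled input drop rule fronts them."""
    findings = []
    input_drop = any(s == "/ip firewall filter" and kv.get("chain") == "input"
                     and kv.get("action") == "drop" and kv.get("disabled") != "yes"
                     for s, kv in entries)
    for section, kv in entries:
        if section == "/snmp community" and kv.get("addresses") == "0.0.0.0/0":
            findings.append("SNMP community answers queries from any source address")
        if section == "/ip proxy" and kv.get("enabled") == "yes":
            findings.append("web proxy enabled; reachable from WAN it becomes an open proxy")
        if section == "/ip dns" and kv.get("allow-remote-requests") == "yes":
            findings.append("DNS allow-remote-requests=yes; reachable from WAN it is an open resolver")
    if not input_drop:
        findings.append("no enabled drop rule in the input chain fronts the services above")
    return findings

def lint(text):
    """All findings for one export text."""
    entries = parse_export(text)
    return check_routing_marks(entries) + check_exposure(entries)

if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print("-", finding)
```

Run it against a full `/export` of the router; every mark reported as "only in" one place is traffic that is being marked but never actually steered (or a route table nothing ever selects).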
 
Ishtiaque
Frequent Visitor
Posts: 54
Joined: Sat Jul 30, 2016 5:17 pm
Location: Bangladesh

Re: Messed up config - SLOW internet

Wed Jul 18, 2018 7:21 am

Dear,
Set PCQ LIMIT to 50. Don't decrease this. You can increase this value.

Change to this:
add kind=pcq name=pcq-normal-dwnld pcq-classifier=dst-address pcq-limit=50KiB \
pcq-rate=10M pcq-total-limit=8000KiB
 
Ishtiaque
Frequent Visitor
Posts: 54
Joined: Sat Jul 30, 2016 5:17 pm
Location: Bangladesh

Re: Messed up config - SLOW internet

Tue Jan 04, 2022 1:12 pm

If there are no hardware issues or service-provider issues, then please work on the queues (simple queues and queue types) and NAT; check the routes, gateway test and distance; also check DNS.
My request: repost your configuration.
Thank you.
