Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Improve config (Proofreading*)

Thu Sep 13, 2018 7:33 pm

Hi guys,
I am a noob in regards to the world of Mikrotik and I have been implementing configurations on my RB little by little. I have been using L7 for the management of YouTube so my devices could use specific bandwidth and the rest of the clients use a specific amount of shared bandwidth. Everything was fine, but since I implemented QoS (which I consider is not properly done), for some reason my MacBook Pro is not being marked for the specific bandwidth I had been using previously.

I also included Web Proxy on my MicroSD with queue tree but I am not sure if it is working properly. I am wondering if there are lots of problems with parenting in the queue tree tab. Also, I am not sure if the QoS is being properly set. Can I have your recommendations?

Another aspect that I have not been able to fix is the NAT for PSN and Xbox Live. I even activated UPnP, with no luck. Is it properly configured? I am balancing from another RB which has UPnP activated as well. I am always getting strict NAT.

Print:

# model = RB450Gx4
# serial number = 8D8808******
/interface ethernet
set [ find default-name=ether1 ] name=LAN
set [ find default-name=ether5 ] name=WAN
set [ find default-name=ether2 ] disabled=yes name=WAN2
set [ find default-name=ether3 ] disabled=yes name=WAN3
set [ find default-name=ether4 ] disabled=yes name=WAN4

/interface vlan
add interface=LAN name=VLAN_VPN vlan-id=1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip dhcp-server
add disabled=no interface=LAN name=dhcp1

/ip firewall layer7-protocol
add name=YouTube regexp=\
"^.+(youtube.com|m.youtube.com|googlevideo.com|youtu.be).+\\\$"
add name=Netflix regexp="^.+(netflix|netflix.com|netflixvideo.com|cdn-0.nflximg.\
com|dnmt.nflximg.net|ichnaea.netflix.com|ichnaea.geo.netflix.com|moderate.ft\
l.netflix.com).+\\\$"

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-128-cbc,aes-128-ctr,3des

/ip pool
add name=DHCP_Pool ranges=10.50.10.2-10.50.10.254
add name=L2TP_Pool ranges=10.50.15.2-10.50.15.254

/ipv6 dhcp-server
add address-pool="IPv6 Pool" interface=LAN name="DHCPv6 Server"
/ipv6 pool
add name="IPv6 Pool" prefix-length=63
/ppp profile
add local-address=10.50.15.1 name=L2TP remote-address=L2TP_Pool

/queue simple
add max-limit=10M/20M name="MacBook Pro WIFI" target=10.50.10.253/32
add max-limit=10M/40M name="MacBook Pro LAN" target=10.50.10.254/32
add max-limit=10M/20M name="iPhone 8 Plus" target=10.50.10.252/32
add max-limit=10M/20M name="iPad Pro 10.5 Cellular" target=10.50.10.250/32
add max-limit=10M/20M name="Toshiba PC" target=10.50.10.237/32
add max-limit=512k/3M name="New Nintendo 3DS" target=10.50.10.248/32
add max-limit=512k/3M name=PSVITA target=10.50.10.247/32
add max-limit=512k/3M name="PS4 Sala" target=10.50.10.246/32
add max-limit=1M/5M name="Router Sala" target=10.50.10.202/32
add max-limit=5M/10M name=Kasami_Router target=10.50.10.101/32
add burst-limit=1M/5M burst-threshold=256k/2M burst-time=5m/5m max-limit=\
256k/2M name="Kasami_PC Ariel" target=10.50.10.241/32
add burst-limit=512k/2M burst-threshold=128k/1M burst-time=5m/5m max-limit=\
128k/1M name=Herminia_Router target=10.50.10.110/32
add burst-limit=5M/20M burst-threshold=1M/10M burst-time=5m/5m max-limit=1M/10M \
name="Jaimito_Router Sala" target=10.50.10.112/32
add burst-limit=512k/2M burst-threshold=128k/1M burst-time=5m/5m max-limit=\
128k/1M name=Suly_Router target=10.50.10.114/32
add max-limit=384k/1M name="Panchi_Old Router Sala" target=10.50.10.102/32
add max-limit=1M/10M name="Amazon Fire TV" target=10.50.10.245/32
add max-limit=1M/30M name="Xbox One Ernesto" target=10.50.10.240/32

/queue type
add kind=sfq name=Download_SFQ
add kind=sfq name=Upload_SFQ

/queue tree
add name=YouTube parent=global queue=pcq-download-default
add max-limit=10M name="Shared Bandwidth - YouTube" packet-mark=YouTube parent=\
YouTube queue=pcq-download-default
add max-limit=9M name="iPhone 8 Plus" packet-mark="iPhone 8 Plus_Down" parent=\
YouTube queue=pcq-download-default
add max-limit=9M name="iPad Pro 10.5 Cellular" packet-mark=\
"iPad Pro 10.5 Cellular_Down" parent=YouTube queue=pcq-download-default
add name=Netflix parent=global queue=pcq-download-default
add max-limit=2M name="Amazon Fire TV" packet-mark="Amazon Fire TV_Down" \
parent=Netflix queue=pcq-download-default
add max-limit=5M name="Shared Bandwidth - Netflix" packet-mark=Netflix parent=\
Netflix queue=pcq-download-default
add name="- QOS Download -" parent=LAN priority=1 queue=Download_SFQ
add name="Prio 1 (ICMP, DNS)" packet-mark="PRIO 1" parent="- QOS Download -" \
priority=1 queue=Download_SFQ
add name="Prio 2 (Games, RTSP, VoIP)" packet-mark="PRIO 2" parent=\
"- QOS Download -" priority=2 queue=Download_SFQ
add name="Prio 3 (Web)" packet-mark="PRIO 3" parent="- QOS Download -" \
priority=3 queue=Download_SFQ
add name="Prio 4 (Working Ports)" packet-mark="PRIO 4" parent=\
"- QOS Download -" priority=4 queue=Download_SFQ
add name="Prio 5 (Others)" packet-mark="PRIO 5" parent="- QOS Download -" \
priority=5 queue=Download_SFQ
add name="Prio 7 (Http, Downloads >50mb)" packet-mark="PRIO 7" parent=\
"- QOS Download -" priority=7 queue=Download_SFQ
add name="- QOS Upload -" parent=WAN priority=1 queue=Upload_SFQ
add name="Prio 1 (ICMP, DNS)_U" packet-mark="PRIO 1" parent="- QOS Upload -" \
priority=1 queue=Upload_SFQ
add name="Prio 2 (Games, RTSP, VoIP)_U" packet-mark="PRIO 2" parent=\
"- QOS Upload -" priority=2 queue=Upload_SFQ
add name="Prio 3 (Web)_U" packet-mark="PRIO 3" parent="- QOS Upload -" \
priority=3 queue=Upload_SFQ
add name="Prio 4 (Working Ports)_U" packet-mark="PRIO 4" parent=\
"- QOS Upload -" priority=4 queue=Upload_SFQ
add name="Prio 5 (Others)_U" packet-mark="PRIO 5" parent="- QOS Upload -" \
priority=5 queue=Upload_SFQ
add name="Prio 7 (Http, Downloads >50mb)_U" packet-mark="PRIO 7" parent=\
"- QOS Upload -" priority=7 queue=Upload_SFQ
add name="Web Cache - Download" packet-mark="Web Cache - Download" parent=\
global queue=default
add max-limit=9M name="MacBook Pro WIFI" packet-mark="MacBook Pro WIFI_Down" \
parent=YouTube queue=pcq-download-default
add max-limit=9M name="MacBook Pro LAN" packet-mark="MacBook Pro LAN_Down" \
parent=YouTube queue=pcq-download-default

/interface bridge settings
set use-ip-firewall=yes

/ip settings
set allow-fast-path=no
/interface l2tp-server server
set default-profile=L2TP enabled=yes ipsec-secret=**** use-ipsec=yes

/ip address
add address=10.50.10.1/24 interface=LAN network=10.50.10.0
add address=10.50.15.1/24 interface=VLAN_VPN network=10.50.15.0

/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=\
WAN use-peer-dns=no use-peer-ntp=no
add dhcp-options=hostname,clientid interface=WAN use-peer-dns=no use-peer-ntp=\
no

/ip dhcp-server network
add address=10.50.10.0/24 gateway=10.50.10.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=4w2d cache-size=4096KiB servers=\
1.1.1.1,8.8.8.8,201.224.73.162,201.225.225.226,208.67.222.222

/ip firewall address-list
add address=10.50.10.240 list=GAMING
add address=10.50.10.241 comment="Kasami_PC Ariel" list=GAMING
add address=10.50.10.242 list=GAMING
add address=10.50.10.243 list=GAMING
add address=10.50.10.244 list=GAMING
add address=10.50.10.245 list=GAMING
add address=10.50.10.246 comment="PS4 Sala" list=GAMING
add address=10.50.10.247 comment=PSVITA list=GAMING
add address=10.50.10.248 list=GAMING
add address=10.50.10.249 list=GAMING
add address=10.50.10.2-10.50.10.254 list=DNS
add address=10.50.15.2-10.50.15.254 list="L2TP VPN"

/ip firewall filter
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 \
in-interface=WAN protocol=udp
add action=accept chain=input in-interface=WAN protocol=ipsec-esp
add action=drop chain=forward comment="Block DNS Attacks" dst-port=53 \
in-interface=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface=WAN protocol=udp
add action=drop chain=input comment="Block Web Cache Attacks" dst-port=8080 \
in-interface=WAN protocol=tcp
add action=accept chain=forward comment="DMZ Gaming" connection-nat-state=\
dstnat connection-state=established,related,new,untracked disabled=yes \
in-interface=WAN
add action=accept chain=input comment=Winbox disabled=yes dst-port=8291 \
protocol=tcp
add action=accept chain=input comment="Firewall WAN" connection-state=\
established,related disabled=yes dst-port=8291 in-interface=WAN protocol=\
tcp
add action=drop chain=input disabled=yes in-interface=WAN

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Games QoS" disabled=yes \
dst-port=1-65535 new-connection-mark=Games passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=1-65535 \
new-connection-mark=Games passthrough=yes protocol=udp
add action=mark-connection chain=forward connection-mark=Games_Conn disabled=\
yes dst-address=0.0.0.0/0 new-connection-mark=Games_Conn passthrough=yes
add action=mark-packet chain=forward connection-mark=Games_Conn disabled=yes \
new-packet-mark=Games_Conn passthrough=no
add action=mark-routing chain=prerouting comment="L2TP VPN" disabled=yes \
new-routing-mark=VPN passthrough=no src-address-list="L2TP VPN"
add action=mark-connection chain=output comment="Web Cache" disabled=yes dscp=4 \
dst-port=8080 new-connection-mark="Web Cache - Download" passthrough=no \
protocol=tcp
add action=mark-packet chain=output new-packet-mark="Web Cache - Download" \
passthrough=no
add action=mark-connection chain=prerouting comment=\
":: QoS - Prio 1 (ICMP, DNS)" new-connection-mark="PRIO 1" passthrough=yes \
protocol=icmp
add action=mark-connection chain=prerouting dst-port=53 new-connection-mark=\
"PRIO 1" passthrough=yes protocol=udp
add action=mark-connection chain=output dst-port=53 new-connection-mark=\
"PRIO 1" passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark="PRIO 1" \
new-packet-mark="PRIO 1" passthrough=yes
add action=jump chain=prerouting jump-target="finish process" packet-mark=\
"PRIO 1"
add action=mark-connection chain=prerouting comment=\
":: QoS - Prio 2 (Games, RTSP, VoIP)" dst-port=\
53,88,554,3074-3076,3478-3480,3658,5060-5065,5090,5223,27000-27036 \
new-connection-mark="PRIO 2" passthrough=yes protocol=udp
add action=mark-connection chain=prerouting dst-port=\
554,777,1863,2195,2196,5090,5190,5222,5223,5228 new-connection-mark=\
"PRIO 2" passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark="PRIO 2" \
new-packet-mark="PRIO 2" passthrough=yes
add action=jump chain=prerouting jump-target="finish process" packet-mark=\
"PRIO 2"
add action=mark-connection chain=prerouting comment=":: QoS - Prio 3 (Web)" \
dst-port=80,443,8000-9000 new-connection-mark="PRIO 3" passthrough=yes \
protocol=tcp
add action=mark-packet chain=prerouting connection-mark="PRIO 3" \
new-packet-mark="PRIO 3" passthrough=yes
add action=jump chain=prerouting jump-target="finish process" packet-mark=\
"PRIO 3"
add action=mark-connection chain=prerouting comment=\
":: QoS - Prio 4 (Working Ports)" dst-port=25,110,143,3389,1723,21-23 \
new-connection-mark="PRIO 4" passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark="PRIO 4" \
new-packet-mark="PRIO 4" passthrough=yes
add action=jump chain=prerouting jump-target="finish process" packet-mark=\
"PRIO 4"
add action=mark-connection chain=prerouting comment=":: QoS - Prio 5 (Others)" \
new-connection-mark="PRIO 5" passthrough=yes
add action=mark-packet chain=prerouting connection-mark="PRIO 5" \
new-packet-mark="PRIO 5" passthrough=yes
add action=mark-connection chain=prerouting comment=\
":: QoS - Prio 7 (Http, Downloads >50mb)" connection-bytes=50000000-0 \
new-connection-mark="PRIO 7" passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark="PRIO 7" \
new-packet-mark="PRIO 7" passthrough=yes
add action=jump chain=prerouting jump-target="finish process" packet-mark=\
"PRIO 7"
add action=accept chain="finish process"
add action=mark-connection chain=prerouting comment="YouTube Bandwidth" \
layer7-protocol=YouTube new-connection-mark=YouTube_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=YouTube_Conn \
new-packet-mark=YouTube passthrough=yes
add action=mark-connection chain=forward comment=\
"YouTube Limit - MacBook Pro LAN" connection-mark=YouTube_Conn dst-address=\
10.50.10.254 new-connection-mark="MacBook Pro LAN_DConn" passthrough=yes
add action=mark-packet chain=forward connection-mark="MacBook Pro LAN_DConn" \
new-packet-mark="MacBook Pro LAN_Down" passthrough=yes
add action=mark-connection chain=forward comment=\
"YouTube Limit - MacBook Pro WIFI" connection-mark=YouTube_Conn \
dst-address=10.50.10.253 new-connection-mark="MacBook Pro WIFI_DConn" \
passthrough=yes
add action=mark-packet chain=forward connection-mark="MacBook Pro WIFI_DConn" \
new-packet-mark="MacBook Pro WIFI_Down" passthrough=yes
add action=mark-connection chain=forward comment=\
"YouTube Limit - iPhone 8 Plus" connection-mark=YouTube_Conn dst-address=\
10.50.10.252 new-connection-mark="iPhone 8 Plus_DConn" passthrough=yes
add action=mark-packet chain=forward connection-mark="iPhone 8 Plus_DConn" \
new-packet-mark="iPhone 8 Plus_Down" passthrough=yes
add action=mark-connection chain=forward comment=\
"YouTube Limit - iPad Pro 10.5 Cellular" connection-mark=YouTube_Conn \
dst-address=10.50.10.250 new-connection-mark="iPad Pro 10.5 Cellular_DConn" \
passthrough=yes
add action=mark-packet chain=forward connection-mark=\
"iPad Pro 10.5 Cellular_DConn" new-packet-mark=\
"iPad Pro 10.5 Cellular_Down" passthrough=yes
add action=mark-connection chain=prerouting comment="Netflix Bandwidth" \
layer7-protocol=Netflix new-connection-mark=Netflix_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Netflix_Conn \
new-packet-mark=Netflix passthrough=yes
add action=mark-connection chain=forward comment=\
"Netflix Limit - Amazon Fire TV" connection-mark=Netflix_Conn dst-address=\
10.50.10.245 new-connection-mark="Amazon Fire TV_DConn" passthrough=yes
add action=mark-packet chain=forward connection-mark="Amazon Fire TV_DConn" \
new-packet-mark="Amazon Fire TV_Down" passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat comment=Internet out-interface=WAN
add action=masquerade chain=srcnat comment="L2TP VPN" out-interface=VLAN_VPN
add action=redirect chain=dstnat comment="DNS Redirection" dst-port=53 \
in-interface=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment="Web Cache Redirection" dst-port=80 \
protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat comment=DNS disabled=yes dst-port=53 \
in-interface=!WAN protocol=udp src-address-list=DNS to-addresses=10.50.10.1 \
to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=10.50.5.100 dst-port=\
1-65535 in-interface=WAN protocol=udp to-addresses=\
10.50.10.240-10.50.10.249 to-ports=1-65535
add action=dst-nat chain=dstnat comment="DMZ Gaming" disabled=yes dst-address=\
10.50.5.100 dst-port=1-65535 in-interface=WAN protocol=tcp to-addresses=\
10.50.10.240-10.50.10.249 to-ports=1-65535
add action=dst-nat chain=dstnat disabled=yes dst-address=10.50.5.100 dst-port=\
1-65535 in-interface=WAN protocol=udp to-addresses=\
10.50.10.240-10.50.10.249 to-ports=1-65535
add action=dst-nat chain=dstnat comment="Kasami_Router Sala" disabled=yes \
dst-port=2018 in-interface=WAN protocol=tcp to-addresses=10.50.10.101 \
to-ports=2018
add action=dst-nat chain=dstnat comment=Jaimito disabled=yes dst-port=9989 \
in-interface=WAN protocol=tcp to-addresses=10.50.10.111 to-ports=9989

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/ip proxy
set always-from-cache=yes cache-on-disk=yes cache-path=disk1 enabled=yes \
max-cache-object-size=524288KiB max-fresh-time=5d

/ip route
add comment="VPN Mark" disabled=yes distance=1 gateway=VLAN_VPN routing-mark=\
VPN
add comment="Internet Static" distance=1 gateway=10.50.5.1

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=WAN type=external
add interface=LAN type=internal

/ipv6 dhcp-client
add add-default-route=yes interface=LAN pool-name="IPv6 Pool" \
pool-prefix-length=63 request=address

/ppp l2tp-secret
add address=10.50.15.1/32 secret=gehena
/ppp secret
add name=Admin password=gehena profile=L2TP service=l2tp

/system clock
set time-zone-name=America/P*****

/system identity
set name=RB450Gx4

/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.0

/system routerboard settings
set auto-upgrade=yes silent-boot=no

/tool e-mail
set from="" start-tls=yes

/tool netwatch
add comment=PSVITA down-script="\"/ip firewall nat disable [find comment=DMZ GAM\
ING]\" host=10.50.10.247 interval=30s up-script=\"/ip firewall nat enable [f\
ind comment=DMZ GAMING]\"" host=10.50.10.247
add comment=PS4 down-script="\"/ip firewall nat disable [find comment=DMZ GAMING\
]\" host=10.50.10.246 interval=30s up-script=\"/ip firewall nat enable [find\
\_comment=DMZ GAMING]\"" host=10.50.10.246

/tool romon
set enabled=yes
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Improve config (Proofreading*)

Mon Sep 17, 2018 2:05 am

Not even a single piece of advice.

gerakon
Member Candidate
Posts: 105
Joined: Sat May 24, 2014 8:14 am

Re: Improve config (Proofreading*)

Tue Sep 18, 2018 6:48 pm

I posted something similar a while back and was disappointed at the lack of response too.... not sure why exactly but it does take a little bit to look through the config.... maybe that's it... anyway

I won't comment on the queues because I don't use them much.
Your firewall section looks like it needs some work. It currently looks like it has Winbox open to the internet.

I've reordered your firewall rules so that input are at the top and forward are at the bottom. This is functionally the same as far as the router is concerned but it's much more readable this way.
The approach of dropping certain ports on the input chain isn't the best. I would allow what you specifically need and then drop everything else.

Your drop everything input rule is disabled as well as your accept Winbox rule. I would turn on the Winbox rule and only allow from a trusted source address or address-list. Create an allow rule for your web cache and DNS and only accept from LAN addresses. Your drop DNS attacks rule should probably be an input rule, as well as the port 53 rule following it, but both should be irrelevant by the time we're done. You should maybe use the safe mode feature and have a good backup/export in case you lock yourself out of the router. When that is working, then move the drop everything input rule to the bottom of the input rules and enable it.
The DMZ gaming rule looks a little dangerous if enabled because it looks like it allows almost anything.

Sorry, I don't have more time, but that should make it much safer. You should also check out the pinned thread on hacked routers because yours could potentially be compromised with your current rules.

viewtopic.php?f=21&t=137572

/ip firewall filter
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 in-interface=WAN protocol=udp
add action=accept chain=input in-interface=WAN protocol=ipsec-esp
add action=accept chain=input comment=Winbox disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input comment="Firewall WAN" connection-state=established,related disabled=yes dst-port=8291 in-interface=WAN protocol=tcp
add action=drop chain=input disabled=yes in-interface=WAN
add action=drop chain=input comment="Block Web Cache Attacks" dst-port=8080 in-interface=WAN protocol=tcp
add action=drop chain=forward comment="Block DNS Attacks" dst-port=53 in-interface=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface=WAN protocol=udp
add action=accept chain=forward comment="DMZ Gaming" connection-nat-state=dstnat connection-state=established,related,new,untracked disabled=yes in-interface=WAN

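A worked version of the input-chain layout the reply above describes, as an added example and not a rule set from either poster: accept replies and the few services the router actually offers, restrict Winbox to a trusted address list, keep DNS and the web cache LAN-only, and finish with a single drop. The MGMT_TRUSTED list and the 10.50.10.254 entry in it are assumptions; the L2TP ports, the "L2TP VPN" address list and the interface names come from the posted export.

```routeros
# Added example: input chain as recommended in the reply (accept what is
# needed, then drop the rest). Not part of the original export.
# MGMT_TRUSTED and its member address are assumptions for illustration.

/ip firewall address-list
add list=MGMT_TRUSTED address=10.50.10.254 comment="MacBook Pro LAN (example)"

/ip firewall filter
# Replies to traffic the router itself started (DNS forwarding, NTP, updates)
add chain=input action=accept connection-state=established,related \
    comment="Input: established/related"
add chain=input action=drop connection-state=invalid \
    comment="Input: drop invalid"
# L2TP/IPsec endpoints, carried over unchanged from the original config
add chain=input action=accept in-interface=WAN protocol=udp \
    dst-port=500,1701,4500 comment="L2TP VPN"
add chain=input action=accept in-interface=WAN protocol=ipsec-esp \
    comment="L2TP VPN (ESP)"
# Winbox only from the trusted list, instead of open to everyone
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address-list=MGMT_TRUSTED comment="Winbox (trusted only)"
# DNS resolver and web cache are LAN-only services
add chain=input action=accept in-interface=LAN protocol=udp dst-port=53 \
    comment="DNS from LAN"
add chain=input action=accept in-interface=LAN protocol=tcp dst-port=53 \
    comment="DNS from LAN (TCP)"
add chain=input action=accept in-interface=LAN protocol=tcp dst-port=8080 \
    comment="Web cache from LAN"
add chain=input action=accept in-interface=LAN protocol=icmp \
    comment="ICMP from LAN"
# VPN clients get addresses from the existing "L2TP VPN" list (10.50.15.x)
add chain=input action=accept src-address-list="L2TP VPN" \
    comment="L2TP clients"
# Last rule: everything else aimed at the router is dropped. Add it from
# safe mode, with a fresh export saved, so a lock-out can be undone.
add chain=input action=drop comment="Input: drop all else"
```

With this layout the separate "Block Web Cache Attacks" and DNS-on-WAN drop rules become redundant, since unsolicited traffic to those ports never reaches an accept rule.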
gerakon
Member Candidate
Posts: 105
Joined: Sat May 24, 2014 8:14 am

Re: Improve config (Proofreading*)

Tue Sep 18, 2018 6:54 pm

Also your /ip firewall layer7-protocol rules probably don't work? As far as I know, now that https is everywhere the layer 7 stuff doesn't work any more because it's encrypted. You can create an address-list with the youtube and netflix dns addresses and then create a firewall filter rule to drop them on the forward chain.
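The address-list approach suggested above, applied to bandwidth limiting rather than dropping, as an added example that is not from either poster's config: RouterOS resolves FQDN entries in an address list itself and refreshes them on the DNS TTL, so the mangle rules match on destination address instead of on a layer7 regexp that cannot see inside TLS. The domains are the ones from the original L7 rules; the STREAMING list and mark names are assumptions, and only the addresses the router resolves end up in the list, so CDN hosts served under other names can be missed.

```routeros
# Added example (not from the original export): classify YouTube/Netflix
# by destination address list instead of a layer7 regexp. Names STREAMING,
# STREAMING_Conn and the queue names are illustrative assumptions.

/ip firewall address-list
# FQDN entries are resolved by the router and re-resolved on TTL expiry
add list=STREAMING address=youtube.com
add list=STREAMING address=m.youtube.com
add list=STREAMING address=googlevideo.com
add list=STREAMING address=youtu.be
add list=STREAMING address=netflix.com
add list=STREAMING address=ichnaea.netflix.com

/ip firewall mangle
# Mark the connection once, on its first packet, by destination list
add chain=forward action=mark-connection connection-state=new \
    dst-address-list=STREAMING new-connection-mark=STREAMING_Conn \
    passthrough=yes comment="Streaming by address list"
# Per-device packet mark first, so it is not overwritten by the shared one
add chain=forward action=mark-packet connection-mark=STREAMING_Conn \
    dst-address=10.50.10.254 new-packet-mark="MacBook Pro LAN_Down" \
    passthrough=no comment="Streaming - MacBook Pro LAN"
# Everything else in a streaming connection gets the shared mark
add chain=forward action=mark-packet connection-mark=STREAMING_Conn \
    new-packet-mark=STREAMING passthrough=no comment="Streaming - shared"

/queue tree
# parent=LAN shapes traffic leaving towards the LAN, i.e. downloads
add name=Streaming parent=LAN max-limit=10M queue=pcq-download-default
add name="Streaming - shared" parent=Streaming packet-mark=STREAMING \
    max-limit=10M queue=pcq-download-default
add name="Streaming - MacBook Pro LAN" parent=Streaming \
    packet-mark="MacBook Pro LAN_Down" max-limit=9M queue=pcq-download-default
```

A packet carries only one packet mark, so any earlier mangle rule that marks the same traffic with passthrough=no (such as the PRIO rules that jump to "finish process") stops these marks from ever being applied; check the rule order in /ip firewall mangle if the queue counters stay at zero.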
Lebzul
Member Candidate
Topic Author
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: Improve config (Proofreading*)

Wed Sep 19, 2018 3:25 pm

Also your /ip firewall layer7-protocol rules probably don't work? As far as I know, now that https is everywhere the layer 7 stuff doesn't work any more because it's encrypted. You can create an address-list with the youtube and netflix dns addresses and then create a firewall filter rule to drop them on the forward chain.
Hi,

Thanks for your willingness to help. I will check those line by line, appreciated.
In regards to L7, its purpose in my case is to limit bandwidth only, and so far I can still do it, but only for other devices, not for my PC. It might be a bug because all settings are similar.

Thanks again for your time
