I've managed to setup an RB2011 with 4 VLANs / DHCP servers. I'm now looking at queues to prioritise certain traffic. I'm following the tutorial here.
I've adjusted the bandwidth to reflect my connection (60Mbps symmetrical) and the mangle rules to identify my RTMP traffic instead of VOIP. I've also disabled fasttrack as recommend in the link.
In post 2 of the link, I got an error adding these lines:
Code: Select all
/queue/tree
add name=DOWN max-limit=60M parent=LAN bucket-size=0.01 queue=default
input does not match any value of parent
add name=UP max-limit=60M parent=WAN bucket-size=0.01 queue=default
input does not match any value of parent
For some reason, WAN and LAN are not available for the parent option. Perhaps because of the way I have setup the VLANs?
The queue tree documentation uses global, so I have set the parent to global for both up and down but this area is new to me so I'm not sure that's right!
Would one of the knowledgable folk on this forum mind taking a quick look at my config to see if it's ok? The mangle rules seem to correctly identify the traffic, I'm just not sure whether the actual prioritisation is working and it's a bit difficult to test without deploying it to the production environment.
many thanks for any advice
Code: Select all
# apr/12/2023 18:48:44 by RouterOS 7.8
# software id = T6ZD-3KQV
#
# model = RB2011UiAS
# serial number = **************
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge name=BOOTH_VLAN vlan-id=20
add interface=bridge name=MGMT_VLAN vlan-id=10
add interface=bridge name=PUBLIC_VLAN vlan-id=40
add interface=bridge name=STAFF_VLAN vlan-id=30
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_MGMT ranges=10.0.10.10-10.0.10.254
add name=dhcp_pool_BOOTH ranges=10.0.20.10-10.0.20.254
add name=dhcp_pool_STAFF ranges=10.0.30.10-10.0.30.254
add name=dhcp_pool_PUBLIC ranges=10.0.40.2-10.0.40.254
/ip dhcp-server
add address-pool=dhcp_pool_MGMT interface=MGMT_VLAN lease-time=1d name=dhcp_MGMT
add address-pool=dhcp_pool_BOOTH interface=BOOTH_VLAN lease-time=8h name=dhcp_BOOTH
add address-pool=dhcp_pool_STAFF interface=STAFF_VLAN lease-time=1d name=dhcp_STAFF
add address-pool=dhcp_pool_PUBLIC interface=PUBLIC_VLAN lease-time=2h name=dhcp_PUBLIC
/port
set 0 name=serial0
/queue tree
add bucket-size=0.01 limit-at=10M max-limit=54M name=DOWN parent=global queue=default
add name="1. RTMP" packet-mark=RTMP parent=DOWN priority=1 queue=default
add name="2. DNS" packet-mark=DNS parent=DOWN priority=2 queue=default
add name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=default
add name="4. UDP" packet-mark=UDP parent=DOWN priority=3 queue=default
add name="5. ICMP" packet-mark=ICMP parent=DOWN priority=4 queue=default
add name="6. HTTP" packet-mark=HTTP parent=DOWN priority=5 queue=default
add name="7. HTTP_BIG" packet-mark=HTTP_BIG parent=DOWN priority=6 queue=default
add name="8. QUIC" packet-mark=QUIC parent=DOWN priority=7 queue=default
add name="9. OTHER" packet-mark=OTHER parent=DOWN queue=default
add bucket-size=0.01 limit-at=10M max-limit=54M name=UP parent=global queue=default
add name="1. RTMP_" packet-mark=RTMP parent=UP priority=1 queue=default
add name="2. DNS_" packet-mark=DNS parent=UP priority=2 queue=default
add name="3. ACK_" packet-mark=ACK parent=UP priority=3 queue=default
add name="4. UDP_" packet-mark=UDP parent=UP priority=3 queue=default
add name="5. ICMP_" packet-mark=ICMP parent=UP priority=4 queue=default
add name="6. HTTP_" packet-mark=HTTP parent=UP priority=5 queue=default
add name="7. HTTP_BIG_" packet-mark=HTTP_BIG parent=UP priority=6 queue=default
add name="8. QUIC_" packet-mark=QUIC parent=UP priority=7 queue=default
add name="9. OTHER_" packet-mark=OTHER parent=UP queue=default
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=10
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4 pvid=20
add bridge=bridge interface=ether5 pvid=20
add bridge=bridge interface=ether6 pvid=30
add bridge=bridge interface=ether7 pvid=20
add bridge=bridge interface=ether8 pvid=20
add bridge=bridge interface=ether9 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether10 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20,30,40
/interface list member
add interface=ether1 list=WAN
add interface=PUBLIC_VLAN list=LAN
add interface=STAFF_VLAN list=LAN
add interface=BOOTH_VLAN list=LAN
add interface=MGMT_VLAN list=LAN
add interface=MGMT_VLAN list=MGMT
/ip address
add address=10.0.10.1/24 interface=MGMT_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=BOOTH_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=STAFF_VLAN network=10.0.30.0
add address=10.0.40.1/24 interface=PUBLIC_VLAN network=10.0.40.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.0.10.2 client-id=1:d4:1a:d1:49:18:25 comment="Access Point" mac-address=D4:1A:D1:49:18:25 server=dhcp_MGMT
add address=10.0.20.2 comment=Pi mac-address=B8:27:EB:F8:F5:AF server=dhcp_BOOTH
add address=10.0.10.3 comment=Switch mac-address=F4:8C:EB:24:3E:68 server=dhcp_MGMT
add address=10.0.20.3 comment=NAS mac-address=00:11:32:C7:AE:02 server=dhcp_BOOTH
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=9.9.9.9 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=9.9.9.9 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=9.9.9.9 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=9.9.9.9 gateway=10.0.40.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="allow SSH" dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall mangle
add action=mark-connection chain=prerouting comment=DNS connection-state=new new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS new-packet-mark=DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=DNS passthrough=no
add action=mark-connection chain=prerouting comment=RTMP new-connection-mark=RTMP passthrough=yes port=1935 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=RTMP new-packet-mark=RTMP passthrough=no
add action=mark-connection chain=prerouting comment=QUIC connection-state=new new-connection-mark=QUIC passthrough=yes port=80,443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC new-packet-mark=QUIC passthrough=no
add action=mark-connection chain=prerouting comment=UDP connection-state=new new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP new-packet-mark=UDP passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=ICMP new-packet-mark=ICMP passthrough=no
add action=mark-packet chain=postrouting comment=ACK new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment=HTTP connection-mark=no-mark connection-state=new new-connection-mark=HTTP passthrough=yes port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 connection-mark=HTTP connection-rate=2M-60M new-connection-mark=HTTP_BIG passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP new-packet-mark=HTTP passthrough=no
add action=mark-connection chain=prerouting comment=OTHER connection-state=new new-connection-mark=POP3 passthrough=yes port=995,465,587 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=POP3 new-packet-mark=OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER new-packet-mark=OTHER passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22
set api disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT