BrasDeutscher
newbie
Topic Author
Posts: 41
Joined: Sat Sep 03, 2016 12:31 am
Location: Brazil

Firewall Filter and Mangle Rules and Queue Trees for Qos

Mon Oct 03, 2016 11:39 pm

!!-- This script has 559 lines --!!
!!-- If your router has a low-powered CPU, do not paste this script into New Terminal; add it under System Scripts and run it from there --!!
## Firewall Filter and Mangle Rules and Queue Trees for Qos ##
## Tested under RouterOS 6.38rc7 ##
## Written by BrasDeutscher,PA,Brazil ##
{
## Set your new chain name here ##
:global id "Qos"

## Set the incoming-interface name here ##
:global int "br1"

## Set the Fw address-list timeout here ##
:global t "1d"

## Set passthrough to yes or no for the mangle rules here ##
:global pass "no"


## !!-- DO NOT CHANGE ANY MORE BELOW --!! ##
:global l
:global com
:global g
:global qtp "hotspot-default"
:global npm1
:global com1
:global npm2
:global com2
:global npm3
:global com3
:global fi
:global nm "prof1"
:global q1 ("$nm" . "-a")
:global q2 ("$nm" . "-b")
:global q3 ("$nm" . "-c")
:global par1 "$q1"
:global par2 "$q2"
:global par3 "$q3"
######################################################################################
## !- default for q1 -! ##
:global x "1024"
:global bl1q1 ("$x" . "k")
# burst-threshold #
:global bth1q1 "512k"
# burst-time #
:global bti1q1 "8s"
# limit-at #
:global la1q1 "256k"
# max-limit #
:global ml1q1 "768k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut1q1 "hotspot-default"
## !- default for q2 -! ##
# burst-limit #
:global bl1q2 "768k"
# burst-threshold #
:global bth1q2 "400k"
# burst-time #
:global bti1q2 "8s"
# limit-at #
:global la1q2 "128k"
# max-limit #
:global ml1q2 "512k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut1q2 "hotspot-default"
## !- default for q3 -! ##
# burst-limit #
:global bl1q3 "512k"
# burst-threshold #
:global bth1q3 "200k"
# burst-time #
:global bti1q3 "8s"
# limit-at #
:global la1q3 "64k"
# max-limit #
:global ml1q3 "256k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut1q3 "hotspot-default"
######################################################################################
## HERE YOU CAN SET YOUR OWN BANDWIDTH LIMITATIONS FOR QUEUE-TREE PARENTS ##
######################################################################################
## !- When you change the value from burst-limit value -! ##
## !- The script sets your own bandwidth configuration below -! ##
## !- bandwidth change for q1 -! ##
# burst-limit #
:global xx 1024

:global bl2q1 ("$xx" . "k")
# burst-limit as /queue tree reports it, in bit/s (RouterOS expands "k" to 1000); compared below to detect a changed value #
:global xcalc ($xx * 1000)

## !- bandwidth change for q1 -! ##
# burst-threshold #
:global bth2q1 "512k"
# burst-time #
:global bti2q1 "8s"
# limit-at #
:global la2q1 "256k"
# max-limit #
:global ml2q1 "768k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut2q1 "hotspot-default"

## !- bandwidth change for q2 -! ##
# burst-limit #
:global bl2q2 "768k"
# burst-threshold #
:global bth2q2 "400k"
# burst-time #
:global bti2q2 "8s"
# limit-at #
:global la2q2 "128k"
# max-limit #
:global ml2q2 "512k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut2q2 "hotspot-default"

## !- bandwidth change for q3 -! ##
# burst-limit #
:global bl2q3 "512k"
# burst-threshold #
:global bth2q3 "200k"
# burst-time #
:global bti2q3 "8s"
# limit-at #
:global la2q3 "64k"
# max-limit #
:global ml2q3 "256k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut2q3 "hotspot-default"
######################################################################################
## !!-- DO NOT CHANGE ANYTHING BELOW, THIS CAN BREAK THE SCRIPT --!! ##
######################################################################################
:if ([/queue tree find where (name~"$nm") ] = "" ) do={
:delay 100ms;
/queue tree add burst-limit="$bl1q1" burst-threshold="$bth1q1" burst-time="$bti1q1" comment="$q1" \
limit-at="$la1q1" max-limit="$ml1q1" name="$q1" packet-mark=no-mark parent=\
global priority=2 queue="$qut1q1";
:delay 100ms;
/queue tree add burst-limit="$bl1q2" burst-threshold="$bth1q2" burst-time="$bti1q2" comment="$q2" \
limit-at="$la1q2" max-limit="$ml1q2" name="$q2" packet-mark=no-mark parent=\
global priority=4 queue="$qut1q2";
:delay 100ms;
/queue tree add burst-limit="$bl1q3" burst-threshold="$bth1q3" burst-time="$bti1q3" comment="$q3" \
limit-at="$la1q3" max-limit="$ml1q3" name="$q3" packet-mark=no-mark parent=\
global priority=8 queue="$qut1q3";
:log warning ("Creating New Queue-Tree Parents");
} else={
:set fi [/queue tree get [find where name="$q1" ] burst-limit ];
:if ($fi != $xcalc) do={
:delay 100ms;
/queue tree set [find where name="$q1" ] burst-limit="$bl2q1" burst-threshold="$bth2q1" \
burst-time="$bti2q1" limit-at="$la2q1" max-limit="$ml2q1" queue="$qut2q1";
:delay 100ms;
/queue tree set [find where name="$q2" ] burst-limit="$bl2q2" burst-threshold="$bth2q2" \
burst-time="$bti2q2" limit-at="$la2q2" max-limit="$ml2q2" queue="$qut2q2";
:delay 100ms;
/queue tree set [find where name="$q3" ] burst-limit="$bl2q3" burst-threshold="$bth2q3" \
burst-time="$bti2q3" limit-at="$la2q3" max-limit="$ml2q3" queue="$qut2q3";
:log warning ("Setting new Bandwidth from existing Queue-Tree Parents");
}}
:if ([/ip firewall filter find where ! dynamic (comment~"$id") ] = "" ) do={
:log warning ("Creating New Fw Filter Rules for $id");
/ip firewall filter add action=jump chain=forward comment="$id - Jump Filter" in-interface="$int" \
jump-target="$id";
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="mail-client" \
address-list-timeout=$t chain="$id" comment="$id - mail-client - 2" \
dst-port=110,143,993,995 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="ubuntu.com" \
address-list-timeout=$t chain="$id" comment="$id - ubuntu.com - 2" content="ubuntu.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="login.live.com" \
address-list-timeout=$t chain="$id" comment="$id - login.live.com - 2" content="\
login.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="outlook.live.com" \
address-list-timeout=$t chain="$id" comment="$id - outlook.live.com - 2" content="\
outlook.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="onedrive.live.com" \
address-list-timeout=$t chain="$id" comment="$id - onedrive.live.com - 2" content="\
onedrive.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="skype.com" \
address-list-timeout=$t chain="$id" comment="$id - skype.com - 2" content="skype.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="msg.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - msg.yahoo.com - 2" content="\
msg.yahoo.com" dst-port=20,23,25,80,119,5050,8001,8002 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="vc.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - vc.yahoo.com - tcp - 2" content="\
vc.yahoo.com" dst-port=5000-5010 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="vc.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - vc.yahoo.com - udp - 2" content="\
vc.yahoo.com" dst-port=5000-5010 in-interface="$int" protocol=udp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="windowsupdate.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - windowsupdate.microsoft.com - 2" content="\
windowsupdate.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="update.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - update.microsoft.com - 2" content="\
update.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download.windowsupdate.com" \
address-list-timeout=$t chain="$id" comment="$id - download.windowsupdate.com - 2" content="\
download.windowsupdate.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - download.microsoft.com - 2" content="\
download.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="ntservicepack.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - ntservicepack.microsoft.com - 2" content="\
ntservicepack.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="windowsupdate.com" \
address-list-timeout=$t chain="$id" comment="$id - windowsupdate.com - 2" content="\
windowsupdate.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="update" \
address-list-timeout=$t chain="$id" comment="$id - update - 2" content="\
update" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - microsoft.com - 2" content="\
microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="voip-tcp" \
address-list-timeout=$t chain="$id" comment="$id - voip-tcp - 2" \
dst-port=5060-5061 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="voip-udp" \
address-list-timeout=$t chain="$id" comment="$id - voip-udp - 2" \
dst-port=5060-5061 in-interface="$int" protocol=udp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="icmp" \
address-list-timeout=$t chain="$id" comment="$id - icmp - 2" in-interface="$int" \
protocol=icmp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="facebook.com" \
address-list-timeout=$t chain="$id" comment="$id - facebook.com - 4" content="\
facebook.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="forum.mikrotik.com" \
address-list-timeout=$t chain="$id" comment="$id - forum.mikrotik.com - 4" content="\
forum.mikrotik.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="google.com" \
address-list-timeout=$t chain="$id" comment="$id - google.com - 4" content="google.com" \
dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="bing.com" \
address-list-timeout=$t chain="$id" comment="$id - bing.com - 4" content="bing.com" \
dst-port=80 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="mikrotik.com" \
address-list-timeout=$t chain="$id" comment="$id - mikrotik.com - 4" content="\
mikrotik.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="msn.com" address-list-timeout=$t \
chain="$id" comment="$id - msn.com - 4" content="msn.com" dst-port=80 in-interface="$int" \
protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - yahoo.com - 4" content="yahoo.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download" \
address-list-timeout=$t chain="$id" comment="$id - download - 8" content="download" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
# The Layer7 rules below reference /ip firewall layer7-protocol entries named BIN, 7z, EXE, RAR, ISO, M4A, MP3, MP4, WMA and ZIP; #
# this script does not create them, so add them first or these rules fail to add #
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-bin" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-bin - 8" in-interface="$int" \
layer7-protocol=BIN protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-7z" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-7z - 8" in-interface="$int" \
layer7-protocol=7z protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-exe" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-exe - 8" in-interface="$int" \
layer7-protocol=EXE protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-rar" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-rar - 8" in-interface="$int" \
layer7-protocol=RAR protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-iso" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-iso - 8" in-interface="$int" \
layer7-protocol=ISO protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mIVa" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-mIVa - 8" in-interface="$int" \
layer7-protocol=M4A protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mpIII" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-mpIII - 8" in-interface="$int" \
layer7-protocol=MP3 protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mpIV" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-mpIV - 8" in-interface="$int" \
layer7-protocol=MP4 protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-wma" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-wma - 8" in-interface="$int" \
layer7-protocol=WMA protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-zip" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-zip - 8" in-interface="$int" \
layer7-protocol=ZIP protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="video" address-list-timeout=$t \
chain="$id" comment="$id - video - 8" content="video" dst-port=80,443 in-interface="$int" \
protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="webcam.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - webcam.yahoo.com - 8" content="\
webcam.yahoo.com" dst-port=5100 in-interface="$int" protocol=tcp;
} else={
:log error ("REMOVING OLD $id FW FILTER RULES");
:delay 100ms;
/ip firewall filter remove [find where ! dynamic (comment~"$id") ];
:log warning ("Creating New Fw Filter Rules for $id");
:delay 100ms;
/ip firewall filter add action=jump chain=forward comment="$id - Jump Filter" in-interface="$int" \
jump-target="$id";
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="mail-client" \
address-list-timeout=$t chain="$id" comment="$id - mail-client - 2" \
dst-port=110,143,993,995 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="ubuntu.com" \
address-list-timeout=$t chain="$id" comment="$id - ubuntu.com - 2" content="ubuntu.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="login.live.com" \
address-list-timeout=$t chain="$id" comment="$id - login.live.com - 2" content="\
login.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="outlook.live.com" \
address-list-timeout=$t chain="$id" comment="$id - outlook.live.com - 2" content="\
outlook.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="onedrive.live.com" \
address-list-timeout=$t chain="$id" comment="$id - onedrive.live.com - 2" content="\
onedrive.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="skype.com" \
address-list-timeout=$t chain="$id" comment="$id - skype.com - 2" content="skype.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="msg.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - msg.yahoo.com - 2" content="\
msg.yahoo.com" dst-port=20,23,25,80,119,5050,8001,8002 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="vc.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - vc.yahoo.com - tcp - 2" content="\
vc.yahoo.com" dst-port=5000-5010 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="vc.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - vc.yahoo.com - udp - 2" content="\
vc.yahoo.com" dst-port=5000-5010 in-interface="$int" protocol=udp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="windowsupdate.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - windowsupdate.microsoft.com - 2" content="\
windowsupdate.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="update.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - update.microsoft.com - 2" content="\
update.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download.windowsupdate.com" \
address-list-timeout=$t chain="$id" comment="$id - download.windowsupdate.com - 2" content="\
download.windowsupdate.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - download.microsoft.com - 2" content="\
download.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="ntservicepack.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - ntservicepack.microsoft.com - 2" content="\
ntservicepack.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="windowsupdate.com" \
address-list-timeout=$t chain="$id" comment="$id - windowsupdate.com - 2" content="\
windowsupdate.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="update" \
address-list-timeout=$t chain="$id" comment="$id - update - 2" content="\
update" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - microsoft.com - 2" content="\
microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="voip-tcp" \
address-list-timeout=$t chain="$id" comment="$id - voip-tcp - 2" \
dst-port=5060-5061 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="voip-udp" \
address-list-timeout=$t chain="$id" comment="$id - voip-udp - 2" \
dst-port=5060-5061 in-interface="$int" protocol=udp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="icmp" \
address-list-timeout=$t chain="$id" comment="$id - icmp - 2" in-interface="$int" \
protocol=icmp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="facebook.com" \
address-list-timeout=$t chain="$id" comment="$id - facebook.com - 4" content="\
facebook.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="forum.mikrotik.com" \
address-list-timeout=$t chain="$id" comment="$id - forum.mikrotik.com - 4" content="\
forum.mikrotik.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="google.com" \
address-list-timeout=$t chain="$id" comment="$id - google.com - 4" content="google.com" \
dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="bing.com" \
address-list-timeout=$t chain="$id" comment="$id - bing.com - 4" content="bing.com" \
dst-port=80 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="mikrotik.com" \
address-list-timeout=$t chain="$id" comment="$id - mikrotik.com - 4" content="\
mikrotik.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="msn.com" address-list-timeout=$t \
chain="$id" comment="$id - msn.com - 4" content="msn.com" dst-port=80 in-interface="$int" \
protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - yahoo.com - 4" content="yahoo.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download" \
address-list-timeout=$t chain="$id" comment="$id - download - 8" content="download" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-bin" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-bin - 8" in-interface="$int" \
layer7-protocol=BIN protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-7z" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-7z - 8" in-interface="$int" \
layer7-protocol=7z protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-exe" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-exe - 8" in-interface="$int" \
layer7-protocol=EXE protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-rar" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-rar - 8" in-interface="$int" \
layer7-protocol=RAR protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-iso" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-iso - 8" in-interface="$int" \
layer7-protocol=ISO protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mIVa" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-mIVa - 8" in-interface="$int" \
layer7-protocol=M4A protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mpIII" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-mpIII - 8" in-interface="$int" \
layer7-protocol=MP3 protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mpIV" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-mpIV - 8" in-interface="$int" \
layer7-protocol=MP4 protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-wma" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-wma - 8" in-interface="$int" \
layer7-protocol=WMA protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-zip" \
address-list-timeout=1d chain="$id" comment="$id - Layer7-zip - 8" in-interface="$int" \
layer7-protocol=ZIP protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="video" address-list-timeout=$t \
chain="$id" comment="$id - video - 8" content="video" dst-port=80,443 in-interface="$int" \
protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="webcam.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - webcam.yahoo.com - 8" content="\
webcam.yahoo.com" dst-port=5100 in-interface="$int" protocol=tcp;
}
:if ([/ip firewall filter find where ! dynamic chain="$id" ] != "" ) do={
:foreach fw in=[/ip firewall filter find where ! dynamic chain="$id" ] do={
:set l [/ip firewall filter get $fw address-list ];
:set com [/ip firewall filter get $fw comment ];
:set g [/ip firewall filter get $fw in-interface ];
:if ([/ip firewall mangle find where ! dynamic chain=postrouting \
out-interface="$g" comment="$com" ] = "" ) do={
:log warning ("Creating New Fw Mangle Rules for $id");
:delay 100ms;
/ip firewall mangle add action=mark-packet chain=postrouting comment="$com" new-packet-mark="$l" \
out-interface="$g" passthrough=$pass src-address-list="$l";
} else={
:log error ("REMOVING OLD Fw MANGLE RULES FOR $id");
:delay 100ms;
/ip firewall mangle remove [find where chain=postrouting (comment~"$id") ];
:log warning ("Creating New Fw Mangle Rules for $id");
:delay 100ms;
/ip firewall mangle add action=mark-packet chain=postrouting comment="$com" new-packet-mark="$l" \
out-interface="$g" passthrough=$pass src-address-list="$l";
}}}
# The three loops below pick the queue-tree parent by an unanchored regex on the comment (2, 4 or 8); #
# keep the chain name ($id) and the address-list names free of those digits or rules land in the wrong parent #
:if ([/ip firewall mangle find where chain=postrouting (comment~"$id") ] != "" ) do={
:foreach p2 in=[/ip firewall mangle find where chain=postrouting (comment~"2") ] do={
:set npm1 [/ip firewall mangle get $p2 new-packet-mark ];
:set com1 [/ip firewall mangle get $p2 comment ];
:if ([/queue tree find where comment="$com1" ] = "" ) do={
:log warning ("Creating queue-tree name=$com1");
:delay 100ms;
/queue tree add name="$com1" parent="$par1" queue="$qtp" packet-mark="$npm1" comment="$com1";
} else={
:log error ("REMOVING OLD QUEUE-TREE NAME=$com1");
:delay 100ms;
/queue tree remove [find where name="$com1" ];
:log warning ("Creating queue-tree name=$com1");
:delay 100ms;
/queue tree add name="$com1" parent="$par1" queue="$qtp" packet-mark="$npm1" comment="$com1";
}}}
:if ([/ip firewall mangle find where chain=postrouting (comment~"$id") ] != "" ) do={
:foreach p3 in=[/ip firewall mangle find where chain=postrouting (comment~"4") ] do={
:set npm2 [/ip firewall mangle get $p3 new-packet-mark ];
:set com2 [/ip firewall mangle get $p3 comment ];
:if ([/queue tree find where comment="$com2" ] = "" ) do={
:log warning ("Creating queue-tree name=$com2");
:delay 100ms;
/queue tree add name="$com2" parent="$par2" queue="$qtp" packet-mark="$npm2" comment="$com2";
} else={
:log error ("REMOVING OLD QUEUE-TREE NAME=$com2");
:delay 100ms;
/queue tree remove [find where name="$com2" ];
:log warning ("Creating queue-tree name=$com2");
:delay 100ms;
/queue tree add name="$com2" parent="$par2" queue="$qtp" packet-mark="$npm2" comment="$com2";
}}}
:if ([/ip firewall mangle find where chain=postrouting (comment~"$id") ] != "" ) do={
:foreach p4 in=[/ip firewall mangle find where chain=postrouting (comment~"8") ] do={
:set npm3 [/ip firewall mangle get $p4 new-packet-mark ];
:set com3 [/ip firewall mangle get $p4 comment ];
:if ([/queue tree find where comment="$com3" ] = "" ) do={
:log warning ("Creating queue-tree name=$com3");
:delay 100ms;
/queue tree add name="$com3" parent="$par3" queue="$qtp" packet-mark="$npm3" comment="$com3";
} else={
:log error ("REMOVING OLD QUEUE-TREE NAME=$com3");
:delay 100ms;
/queue tree remove [find where name="$com3" ];
:log warning ("Creating queue-tree name=$com3");
:delay 100ms;
/queue tree add name="$com3" parent="$par3" queue="$qtp" packet-mark="$npm3" comment="$com3";
}}}}
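A checker for the tier scheme the script depends on, added here as an example and not part of BrasDeutscher's script: the script sorts mangle rules into the three queue-tree parents with the unanchored regexes comment~"2", comment~"4" and comment~"8", so a chain name ($id) or address-list name containing one of those digits attaches a rule to the wrong parent (which is presumably why the M4A and MP3 lists are spelled mIVa and mpIII). The parent names prof1-a/b/c and the sample rule list are taken from the script; the anchored variant is a suggested fix, not something the script does.

```python
import re

# Queue-tree parents the script creates, keyed by the tier digit in the comment
TIERS = {"2": "prof1-a", "4": "prof1-b", "8": "prof1-c"}

# Constructed sample: a subset of the address-list/tier pairs the script above installs
PAGE_RULES = [
    ("mail-client", "2"),
    ("vc.yahoo.com - tcp", "2"),
    ("facebook.com", "4"),
    ("forum.mikrotik.com", "4"),
    ("Layer7-7z", "8"),
    ("Layer7-mIVa", "8"),
    ("video", "8"),
]


def make_comment(chain_id, address_list, tier):
    """Comment string exactly as the script's filter and mangle rules carry it."""
    return f"{chain_id} - {address_list} - {tier}"


def selected_tiers(comment, anchored=False):
    """Tiers whose foreach loop would pick up a mangle rule with this comment.

    anchored=False reproduces the script's comment~"2" / "4" / "8" matches,
    which hit the digit anywhere in the comment; anchored=True uses
    ' - <digit>$' so only the trailing tier suffix counts.
    """
    hits = set()
    for digit in TIERS:
        pattern = rf" - {digit}$" if anchored else digit
        if re.search(pattern, comment):
            hits.add(digit)
    return hits


def intended_tier(comment):
    """The tier the author encodes: the trailing ' - <digit>' of the comment."""
    m = re.search(r" - ([248])$", comment)
    return m.group(1) if m else None


def audit(chain_id, rules, anchored=False):
    """One message per rule that would be attached to the wrong queue parent(s)."""
    problems = []
    for address_list, tier in rules:
        comment = make_comment(chain_id, address_list, tier)
        got = selected_tiers(comment, anchored)
        want = intended_tier(comment)
        if got != {want}:
            parents = sorted(TIERS[d] for d in got)
            problems.append(
                f"{comment!r}: attached to {parents}, intended {TIERS.get(want, 'none')}"
            )
    return problems


if __name__ == "__main__":
    # "Qos" is the script's default id; "Qos2" shows what a digit in the id does
    for chain_id in ("Qos", "Qos2"):
        print(f"chain id {chain_id!r}, script regexes:")
        for line in audit(chain_id, PAGE_RULES) or ["  no problems"]:
            print(" ", line)
        fixed = audit(chain_id, PAGE_RULES, anchored=True) or "no problems"
        print(f"chain id {chain_id!r}, anchored regexes: {fixed}")
```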
 
j3k3m3
just joined
Posts: 3
Joined: Wed Dec 21, 2016 3:34 am

Re: Firewall Filter and Mangle Rules and Queue Trees for Qos

Tue Dec 27, 2016 2:06 am

Wow, there's a lot there in that script. I noticed that onedrive was listed in the script. Does that section of the script control upload/downloads of onedrive files?

Thanks!
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Firewall Filter and Mangle Rules and Queue Trees for Qos

Tue Dec 27, 2016 2:20 am

Please note that BrasDeutscher's QoS solution does a LOT of deep packet inspection and will therefore be very processor intensive. For him it doesn't matter because his total internet connection speed is only about 1Mbps, but if your Internet speed is much faster, his script will likely overwhelm your router. His script should be fine to use if your Internet connection is very slow to begin with.