Firewall Filter and Mangle Rules and Queue Trees for Qos
Posted: Mon Oct 03, 2016 11:39 pm
!!-- this Script has 559 Lines --!!
!!-- If your router has a slow CPU, do not paste this script into a New Terminal window; add it under System Scripts and run it from there --!!
## Firewall Filter and Mangle Rules and Queue Trees for Qos ##
## Tested under RouterOS 6.38rc7 ##
## Written by BrasDeutscher,PA,Brazil ##
{
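## Set your new chain name here ##
## This name is also used as a match pattern on rule comments: the script removes ##
## and re-creates every firewall rule whose comment matches it, so pick a name ##
## that no unrelated rule comment contains ##
:global id "Qos"
## Set the incoming-interface name here ##
:global int "br1"
## Set the Fw address-list timeout here ##
:global t "1d"
## Set passthrough yes or no for the mangle rules here ##
:global pass "no"
## !!-- DO NOT CHANGE ANY MORE BELOW --!! ##
## Every variable is declared :global, so the names below (id, int, t, l, g, x ...) ##
## stay in the router environment after the run and are shared with any other ##
## script that declares the same global names ##
## Scratch variables filled in by the loops further down ##
:global l
:global com
:global g
## Queue type used for the child queues ##
:global qtp "hotspot-default"
:global npm1
:global com1
:global npm2
:global com2
:global npm3
:global com3
:global fi
## Base name of the three parent queues: prof1-a, prof1-b, prof1-c ##
:global nm "prof1"
:global q1 ("$nm" . "-a")
:global q2 ("$nm" . "-b")
:global q3 ("$nm" . "-c")
:global par1 "$q1"
:global par2 "$q2"
:global par3 "$q3"
######################################################################################
## !- default for q1 -! ##
# burst-limit #
:global x "1024"
:global bl1q1 ("$x" . "k")
# burst-threshold #
:global bth1q1 "512k"
# burst-time #
:global bti1q1 "8s"
# limit-at #
:global la1q1 "256k"
# max-limit #
:global ml1q1 "768k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut1q1 "hotspot-default"
## !- default for q2 -! ##
# burst-limit #
:global bl1q2 "768k"
# burst-threshold #
:global bth1q2 "400k"
# burst-time #
:global bti1q2 "8s"
# limit-at #
:global la1q2 "128k"
# max-limit #
:global ml1q2 "512k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut1q2 "hotspot-default"
## !- default for q3 -! ##
# burst-limit #
:global bl1q3 "512k"
# burst-threshold #
:global bth1q3 "200k"
# burst-time #
:global bti1q3 "8s"
# limit-at #
:global la1q3 "64k"
# max-limit #
:global ml1q3 "256k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut1q3 "hotspot-default"
######################################################################################
## HERE YOU CAN SET YOUR OWN BANDWIDTH LIMITATIONS FOR QUEUE-TREE PARENTS ##
######################################################################################
## !- When you change the burst-limit value of q1 (xx) -! ##
## !- the script applies your own bandwidth configuration below -! ##
## !- Changes to the other values alone are not detected, only xx is compared -! ##
## !- bandwidth change for q1 -! ##
# burst-limit #
:global xx "1024"
:global bl2q1 ("$xx" . "k")
## xcalc is xx * 1000; the script compares it with the burst-limit read back from ##
## the q1 parent queue. It is computed here, after xx is declared, so that it does ##
## not depend on a value that is not yet in scope ##
:global xcalc ($xx * 1000)
# burst-threshold #
:global bth2q1 "512k"
# burst-time #
:global bti2q1 "8s"
# limit-at #
:global la2q1 "256k"
# max-limit #
:global ml2q1 "768k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut2q1 "hotspot-default"
## !- bandwidth change for q2 -! ##
# burst-limit #
:global bl2q2 "768k"
# burst-threshold #
:global bth2q2 "400k"
# burst-time #
:global bti2q2 "8s"
# limit-at #
:global la2q2 "128k"
# max-limit #
:global ml2q2 "512k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut2q2 "hotspot-default"
## !- bandwidth change for q3 -! ##
# burst-limit #
:global bl2q3 "512k"
# burst-threshold #
:global bth2q3 "200k"
# burst-time #
:global bti2q3 "8s"
# limit-at #
:global la2q3 "64k"
# max-limit #
:global ml2q3 "256k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut2q3 "hotspot-default"
######################################################################################
## !!-- DO NOT CHANGE ANY MORE BELOW, THIS CAN BREAK THE SCRIPT --!! ##
######################################################################################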
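## Parent queues: create the three parents (priority 2, 4 and 8) when no queue ##
## whose name contains the base name exists yet, otherwise update them ##
:if ([/queue tree find where (name~"$nm") ] = "" ) do={
:delay 100ms;
/queue tree add burst-limit="$bl1q1" burst-threshold="$bth1q1" burst-time="$bti1q1" comment="$q1" \
limit-at="$la1q1" max-limit="$ml1q1" name="$q1" packet-mark=no-mark parent=global \
priority=2 queue="$qut1q1";
:delay 100ms;
/queue tree add burst-limit="$bl1q2" burst-threshold="$bth1q2" burst-time="$bti1q2" comment="$q2" \
limit-at="$la1q2" max-limit="$ml1q2" name="$q2" packet-mark=no-mark parent=global \
priority=4 queue="$qut1q2";
:delay 100ms;
/queue tree add burst-limit="$bl1q3" burst-threshold="$bth1q3" burst-time="$bti1q3" comment="$q3" \
limit-at="$la1q3" max-limit="$ml1q3" name="$q3" packet-mark=no-mark parent=global \
priority=8 queue="$qut1q3";
:log warning ("Creating New Queue-Tree Parents");
} else={
## Only the burst-limit of the first parent is compared with xcalc; when it ##
## differs, all three parents are rewritten from the bandwidth-change values ##
:set fi [/queue tree get [find where name="$q1" ] burst-limit ];
:if ($fi != $xcalc) do={
:delay 100ms;
/queue tree set [find where name="$q1" ] burst-limit="$bl2q1" burst-threshold="$bth2q1" \
burst-time="$bti2q1" limit-at="$la2q1" max-limit="$ml2q1" queue="$qut2q1";
:delay 100ms;
/queue tree set [find where name="$q2" ] burst-limit="$bl2q2" burst-threshold="$bth2q2" \
burst-time="$bti2q2" limit-at="$la2q2" max-limit="$ml2q2" queue="$qut2q2";
:delay 100ms;
## The third parent takes its own q3 values (the q2 values were applied here before) ##
/queue tree set [find where name="$q3" ] burst-limit="$bl2q3" burst-threshold="$bth2q3" \
burst-time="$bti2q3" limit-at="$la2q3" max-limit="$ml2q3" queue="$qut2q3";
:log warning ("Setting new Bandwidth from existing Queue-Tree Parents");
}}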
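## Firewall filter rules: classification chain that records destination addresses ##
## in address lists. An existing rule set is removed first, then the rules are ##
## added once (both cases used to carry their own copy of the same list). ##
## The comment match is anchored to the prefix "<id> - " that every rule below ##
## carries, so a rule of yours whose comment only contains the chain name ##
## somewhere is not deleted. ##
:if ([/ip firewall filter find where ! dynamic (comment~"^$id - ") ] != "" ) do={
:log error ("REMOVING OLD $id FW FILTER RULES");
:delay 100ms;
/ip firewall filter remove [find where ! dynamic (comment~"^$id - ") ];
}
:log warning ("Creating New Fw Filter Rules for $id");
:delay 100ms;
## The jump rule is added without a position, i.e. at the end of the forward chain: ##
## packets accepted or dropped by an earlier forward rule never reach the chain ##
/ip firewall filter add action=jump chain=forward comment="$id - Jump Filter" in-interface="$int" \
jump-target="$id";
:delay 100ms;
## The trailing number in each comment (2, 4 or 8) selects the parent queue ##
## content= is a plain substring match on the packet, so a list records whichever ##
## destination a matching packet was sent to. Treat these lists as QoS hints only ##
## and do not reuse them in accept or drop rules. ##
/ip firewall filter add action=add-dst-to-address-list address-list="mail-client" \
address-list-timeout=$t chain="$id" comment="$id - mail-client - 2" \
dst-port=110,143,993,995 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="ubuntu.com" \
address-list-timeout=$t chain="$id" comment="$id - ubuntu.com - 2" content="ubuntu.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="login.live.com" \
address-list-timeout=$t chain="$id" comment="$id - login.live.com - 2" \
content="login.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="outlook.live.com" \
address-list-timeout=$t chain="$id" comment="$id - outlook.live.com - 2" \
content="outlook.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="onedrive.live.com" \
address-list-timeout=$t chain="$id" comment="$id - onedrive.live.com - 2" \
content="onedrive.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="skype.com" \
address-list-timeout=$t chain="$id" comment="$id - skype.com - 2" content="skype.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="msg.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - msg.yahoo.com - 2" \
content="msg.yahoo.com" dst-port=20,23,25,80,119,5050,8001,8002 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="vc.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - vc.yahoo.com - tcp - 2" \
content="vc.yahoo.com" dst-port=5000-5010 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="vc.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - vc.yahoo.com - udp - 2" \
content="vc.yahoo.com" dst-port=5000-5010 in-interface="$int" protocol=udp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="windowsupdate.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - windowsupdate.microsoft.com - 2" \
content="windowsupdate.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="update.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - update.microsoft.com - 2" \
content="update.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download.windowsupdate.com" \
address-list-timeout=$t chain="$id" comment="$id - download.windowsupdate.com - 2" \
content="download.windowsupdate.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - download.microsoft.com - 2" \
content="download.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="ntservicepack.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - ntservicepack.microsoft.com - 2" \
content="ntservicepack.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="windowsupdate.com" \
address-list-timeout=$t chain="$id" comment="$id - windowsupdate.com - 2" \
content="windowsupdate.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="update" \
address-list-timeout=$t chain="$id" comment="$id - update - 2" \
content="update" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - microsoft.com - 2" \
content="microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="voip-tcp" \
address-list-timeout=$t chain="$id" comment="$id - voip-tcp - 2" \
dst-port=5060-5061 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="voip-udp" \
address-list-timeout=$t chain="$id" comment="$id - voip-udp - 2" \
dst-port=5060-5061 in-interface="$int" protocol=udp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="icmp" \
address-list-timeout=$t chain="$id" comment="$id - icmp - 2" in-interface="$int" \
protocol=icmp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="facebook.com" \
address-list-timeout=$t chain="$id" comment="$id - facebook.com - 4" \
content="facebook.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="forum.mikrotik.com" \
address-list-timeout=$t chain="$id" comment="$id - forum.mikrotik.com - 4" \
content="forum.mikrotik.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="google.com" \
address-list-timeout=$t chain="$id" comment="$id - google.com - 4" content="google.com" \
dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="bing.com" \
address-list-timeout=$t chain="$id" comment="$id - bing.com - 4" content="bing.com" \
dst-port=80 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="mikrotik.com" \
address-list-timeout=$t chain="$id" comment="$id - mikrotik.com - 4" \
content="mikrotik.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="msn.com" address-list-timeout=$t \
chain="$id" comment="$id - msn.com - 4" content="msn.com" dst-port=80 in-interface="$int" \
protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - yahoo.com - 4" content="yahoo.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download" \
address-list-timeout=$t chain="$id" comment="$id - download - 8" content="download" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
## The layer7-protocol entries named below (BIN, 7z, EXE, RAR, ISO, M4A, MP3, MP4, ##
## WMA, ZIP) are not created by this script and must already exist under ##
## /ip firewall layer7-protocol. These rules now use the configured address-list ##
## timeout like all the others instead of a fixed 1d. ##
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-bin" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-bin - 8" in-interface="$int" \
layer7-protocol=BIN protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-7z" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-7z - 8" in-interface="$int" \
layer7-protocol=7z protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-exe" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-exe - 8" in-interface="$int" \
layer7-protocol=EXE protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-rar" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-rar - 8" in-interface="$int" \
layer7-protocol=RAR protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-iso" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-iso - 8" in-interface="$int" \
layer7-protocol=ISO protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mIVa" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-mIVa - 8" in-interface="$int" \
layer7-protocol=M4A protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mpIII" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-mpIII - 8" in-interface="$int" \
layer7-protocol=MP3 protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mpIV" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-mpIV - 8" in-interface="$int" \
layer7-protocol=MP4 protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-wma" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-wma - 8" in-interface="$int" \
layer7-protocol=WMA protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-zip" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-zip - 8" in-interface="$int" \
layer7-protocol=ZIP protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="video" address-list-timeout=$t \
chain="$id" comment="$id - video - 8" content="video" dst-port=80,443 in-interface="$int" \
protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="webcam.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - webcam.yahoo.com - 8" \
content="webcam.yahoo.com" dst-port=5100 in-interface="$int" protocol=tcp;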
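## Mangle rules: one postrouting mark-packet rule per filter rule of the chain ##
## l = address-list, com = comment, g = in-interface of the filter rule ##
## The mark is set on packets leaving through that interface whose source is in ##
## the address list; the packet mark gets the same name as the list ##
:if ([/ip firewall filter find where ! dynamic chain="$id" ] != "" ) do={
:foreach fw in=[/ip firewall filter find where ! dynamic chain="$id" ] do={
:set l [/ip firewall filter get $fw address-list ];
:set com [/ip firewall filter get $fw comment ];
:set g [/ip firewall filter get $fw in-interface ];
## When a mangle rule with this comment already exists, every mangle rule of this ##
## script is removed; the remaining iterations then re-create their own rule. ##
## The removal is anchored to the comment prefix "<id> - " so that unrelated ##
## postrouting rules whose comment only contains the chain name are kept. ##
:if ([/ip firewall mangle find where ! dynamic chain=postrouting \
out-interface="$g" comment="$com" ] != "" ) do={
:log error ("REMOVING OLD Fw MANGLE RULES FOR $id");
:delay 100ms;
/ip firewall mangle remove [find where chain=postrouting (comment~"^$id - ") ];
}
:log warning ("Creating New Fw Mangle Rules for $id");
:delay 100ms;
/ip firewall mangle add action=mark-packet chain=postrouting comment="$com" new-packet-mark="$l" \
out-interface="$g" passthrough=$pass src-address-list="$l";
}}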
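## Child queues below the first parent (priority 2) ##
## Mangle rules are selected by a comment of the form "<id> - ... - 2"; the match ##
## is anchored so that a postrouting rule whose comment merely contains the digit ##
## is not turned into a queue ##
:if ([/ip firewall mangle find where chain=postrouting (comment~"^$id - ") ] != "" ) do={
:foreach p2 in=[/ip firewall mangle find where chain=postrouting (comment~"^$id - .* - 2\$") ] do={
:set npm1 [/ip firewall mangle get $p2 new-packet-mark ];
:set com1 [/ip firewall mangle get $p2 comment ];
## The queue is named after the rule comment; an existing queue with that name ##
## is removed before it is added again ##
:if ([/queue tree find where name="$com1" ] != "" ) do={
:log error ("REMOVING OLD QUEUE-TREE NAME=$com1");
:delay 100ms;
/queue tree remove [find where name="$com1" ];
}
:log warning ("Creating queue-tree name=$com1");
:delay 100ms;
/queue tree add name="$com1" parent="$par1" queue="$qtp" packet-mark="$npm1" comment="$com1";
}}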
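## Child queues below the second parent (priority 4) ##
## Mangle rules are selected by a comment of the form "<id> - ... - 4"; the match ##
## is anchored so that a postrouting rule whose comment merely contains the digit ##
## is not turned into a queue ##
:if ([/ip firewall mangle find where chain=postrouting (comment~"^$id - ") ] != "" ) do={
:foreach p3 in=[/ip firewall mangle find where chain=postrouting (comment~"^$id - .* - 4\$") ] do={
:set npm2 [/ip firewall mangle get $p3 new-packet-mark ];
:set com2 [/ip firewall mangle get $p3 comment ];
## The queue is named after the rule comment; an existing queue with that name ##
## is removed before it is added again ##
:if ([/queue tree find where name="$com2" ] != "" ) do={
:log error ("REMOVING OLD QUEUE-TREE NAME=$com2");
:delay 100ms;
/queue tree remove [find where name="$com2" ];
}
:log warning ("Creating queue-tree name=$com2");
:delay 100ms;
/queue tree add name="$com2" parent="$par2" queue="$qtp" packet-mark="$npm2" comment="$com2";
}}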
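## Child queues below the third parent (priority 8) ##
## Mangle rules are selected by a comment of the form "<id> - ... - 8"; the match ##
## is anchored so that a postrouting rule whose comment merely contains the digit ##
## is not turned into a queue ##
:if ([/ip firewall mangle find where chain=postrouting (comment~"^$id - ") ] != "" ) do={
:foreach p4 in=[/ip firewall mangle find where chain=postrouting (comment~"^$id - .* - 8\$") ] do={
:set npm3 [/ip firewall mangle get $p4 new-packet-mark ];
:set com3 [/ip firewall mangle get $p4 comment ];
## The queue is named after the rule comment; an existing queue with that name ##
## is removed before it is added again ##
:if ([/queue tree find where name="$com3" ] != "" ) do={
:log error ("REMOVING OLD QUEUE-TREE NAME=$com3");
:delay 100ms;
/queue tree remove [find where name="$com3" ];
}
:log warning ("Creating queue-tree name=$com3");
:delay 100ms;
/queue tree add name="$com3" parent="$par3" queue="$qtp" packet-mark="$npm3" comment="$com3";
}}
## End of the script scope opened by the brace at the top ##
}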
!!-- If your router has a slow CPU, do not paste this script into a New Terminal window; add it under System Scripts and run it from there --!!
## Firewall Filter and Mangle Rules and Queue Trees for Qos ##
## Tested under RouterOS 6.38rc7 ##
## Written by BrasDeutscher,PA,Brazil ##
{
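## Set your new chain name here ##
## This name is also used as a match pattern on rule comments: the script removes ##
## and re-creates every firewall rule whose comment matches it, so pick a name ##
## that no unrelated rule comment contains ##
:global id "Qos"
## Set the incoming-interface name here ##
:global int "br1"
## Set the Fw address-list timeout here ##
:global t "1d"
## Set passthrough yes or no for the mangle rules here ##
:global pass "no"
## !!-- DO NOT CHANGE ANY MORE BELOW --!! ##
## Every variable is declared :global, so the names below (id, int, t, l, g, x ...) ##
## stay in the router environment after the run and are shared with any other ##
## script that declares the same global names ##
## Scratch variables filled in by the loops further down ##
:global l
:global com
:global g
## Queue type used for the child queues ##
:global qtp "hotspot-default"
:global npm1
:global com1
:global npm2
:global com2
:global npm3
:global com3
:global fi
## Base name of the three parent queues: prof1-a, prof1-b, prof1-c ##
:global nm "prof1"
:global q1 ("$nm" . "-a")
:global q2 ("$nm" . "-b")
:global q3 ("$nm" . "-c")
:global par1 "$q1"
:global par2 "$q2"
:global par3 "$q3"
######################################################################################
## !- default for q1 -! ##
# burst-limit #
:global x "1024"
:global bl1q1 ("$x" . "k")
# burst-threshold #
:global bth1q1 "512k"
# burst-time #
:global bti1q1 "8s"
# limit-at #
:global la1q1 "256k"
# max-limit #
:global ml1q1 "768k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut1q1 "hotspot-default"
## !- default for q2 -! ##
# burst-limit #
:global bl1q2 "768k"
# burst-threshold #
:global bth1q2 "400k"
# burst-time #
:global bti1q2 "8s"
# limit-at #
:global la1q2 "128k"
# max-limit #
:global ml1q2 "512k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut1q2 "hotspot-default"
## !- default for q3 -! ##
# burst-limit #
:global bl1q3 "512k"
# burst-threshold #
:global bth1q3 "200k"
# burst-time #
:global bti1q3 "8s"
# limit-at #
:global la1q3 "64k"
# max-limit #
:global ml1q3 "256k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut1q3 "hotspot-default"
######################################################################################
## HERE YOU CAN SET YOUR OWN BANDWIDTH LIMITATIONS FOR QUEUE-TREE PARENTS ##
######################################################################################
## !- When you change the burst-limit value of q1 (xx) -! ##
## !- the script applies your own bandwidth configuration below -! ##
## !- Changes to the other values alone are not detected, only xx is compared -! ##
## !- bandwidth change for q1 -! ##
# burst-limit #
:global xx "1024"
:global bl2q1 ("$xx" . "k")
## xcalc is xx * 1000; the script compares it with the burst-limit read back from ##
## the q1 parent queue. It is computed here, after xx is declared, so that it does ##
## not depend on a value that is not yet in scope ##
:global xcalc ($xx * 1000)
# burst-threshold #
:global bth2q1 "512k"
# burst-time #
:global bti2q1 "8s"
# limit-at #
:global la2q1 "256k"
# max-limit #
:global ml2q1 "768k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut2q1 "hotspot-default"
## !- bandwidth change for q2 -! ##
# burst-limit #
:global bl2q2 "768k"
# burst-threshold #
:global bth2q2 "400k"
# burst-time #
:global bti2q2 "8s"
# limit-at #
:global la2q2 "128k"
# max-limit #
:global ml2q2 "512k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut2q2 "hotspot-default"
## !- bandwidth change for q3 -! ##
# burst-limit #
:global bl2q3 "512k"
# burst-threshold #
:global bth2q3 "200k"
# burst-time #
:global bti2q3 "8s"
# limit-at #
:global la2q3 "64k"
# max-limit #
:global ml2q3 "256k"
# queue type options are default, default-small, hotspot-default or wireless-default #
:global qut2q3 "hotspot-default"
######################################################################################
## !!-- DO NOT CHANGE ANY MORE BELOW, THIS CAN BREAK THE SCRIPT --!! ##
######################################################################################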
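## Parent queues: create the three parents (priority 2, 4 and 8) when no queue ##
## whose name contains the base name exists yet, otherwise update them ##
:if ([/queue tree find where (name~"$nm") ] = "" ) do={
:delay 100ms;
/queue tree add burst-limit="$bl1q1" burst-threshold="$bth1q1" burst-time="$bti1q1" comment="$q1" \
limit-at="$la1q1" max-limit="$ml1q1" name="$q1" packet-mark=no-mark parent=global \
priority=2 queue="$qut1q1";
:delay 100ms;
/queue tree add burst-limit="$bl1q2" burst-threshold="$bth1q2" burst-time="$bti1q2" comment="$q2" \
limit-at="$la1q2" max-limit="$ml1q2" name="$q2" packet-mark=no-mark parent=global \
priority=4 queue="$qut1q2";
:delay 100ms;
/queue tree add burst-limit="$bl1q3" burst-threshold="$bth1q3" burst-time="$bti1q3" comment="$q3" \
limit-at="$la1q3" max-limit="$ml1q3" name="$q3" packet-mark=no-mark parent=global \
priority=8 queue="$qut1q3";
:log warning ("Creating New Queue-Tree Parents");
} else={
## Only the burst-limit of the first parent is compared with xcalc; when it ##
## differs, all three parents are rewritten from the bandwidth-change values ##
:set fi [/queue tree get [find where name="$q1" ] burst-limit ];
:if ($fi != $xcalc) do={
:delay 100ms;
/queue tree set [find where name="$q1" ] burst-limit="$bl2q1" burst-threshold="$bth2q1" \
burst-time="$bti2q1" limit-at="$la2q1" max-limit="$ml2q1" queue="$qut2q1";
:delay 100ms;
/queue tree set [find where name="$q2" ] burst-limit="$bl2q2" burst-threshold="$bth2q2" \
burst-time="$bti2q2" limit-at="$la2q2" max-limit="$ml2q2" queue="$qut2q2";
:delay 100ms;
## The third parent takes its own q3 values (the q2 values were applied here before) ##
/queue tree set [find where name="$q3" ] burst-limit="$bl2q3" burst-threshold="$bth2q3" \
burst-time="$bti2q3" limit-at="$la2q3" max-limit="$ml2q3" queue="$qut2q3";
:log warning ("Setting new Bandwidth from existing Queue-Tree Parents");
}}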
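## Classification chain "$id" in /ip firewall filter.
## A jump rule in "forward" sends traffic arriving on $int into chain "$id";
## every rule there uses add-dst-to-address-list, so nothing is accepted or
## dropped here - destinations are only recorded for $t. The trailing number in
## each comment (2, 4 or 8) is the priority tier used later for the queue tree.
##
## Changes against the original:
##  - the rule list is written once; old rules are removed first when present
##    (the original repeated the full list in both branches of the :if);
##  - the removal is anchored to comments that START with "$id - ", so a static
##    filter rule that merely contains the text of $id in its comment (for
##    example a hand-written drop rule) is no longer deleted;
##  - the Layer7 rules use $t like every other rule instead of a fixed 1d.
##
# NOTE(review): content= matches a byte string anywhere in the packet payload,
# so the generic "update", "download" and "video" rules classify on data the
# client chooses, and any destination that matches stays in the list for $t.
# Treat these lists as QoS hints only; do not reuse them for access control.
# NOTE(review): the layer7-protocol names below (BIN, 7z, EXE, RAR, ISO, M4A,
# MP3, MP4, WMA, ZIP) are not created in this part of the script - verify they
# exist under /ip firewall layer7-protocol before running.
:if ([/ip firewall filter find where ! dynamic (comment~"^$id - ") ] != "" ) do={
:log error ("REMOVING OLD $id FW FILTER RULES");
:delay 100ms;
/ip firewall filter remove [find where ! dynamic (comment~"^$id - ") ];
}
:log warning ("Creating New Fw Filter Rules for $id");
:delay 100ms;
/ip firewall filter add action=jump chain=forward comment="$id - Jump Filter" in-interface="$int" \
jump-target="$id";
# ---- tier 2 ----
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="mail-client" \
address-list-timeout=$t chain="$id" comment="$id - mail-client - 2" \
dst-port=110,143,993,995 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="ubuntu.com" \
address-list-timeout=$t chain="$id" comment="$id - ubuntu.com - 2" content="ubuntu.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="login.live.com" \
address-list-timeout=$t chain="$id" comment="$id - login.live.com - 2" \
content="login.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="outlook.live.com" \
address-list-timeout=$t chain="$id" comment="$id - outlook.live.com - 2" \
content="outlook.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="onedrive.live.com" \
address-list-timeout=$t chain="$id" comment="$id - onedrive.live.com - 2" \
content="onedrive.live.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="skype.com" \
address-list-timeout=$t chain="$id" comment="$id - skype.com - 2" content="skype.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="msg.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - msg.yahoo.com - 2" \
content="msg.yahoo.com" dst-port=20,23,25,80,119,5050,8001,8002 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="vc.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - vc.yahoo.com - tcp - 2" \
content="vc.yahoo.com" dst-port=5000-5010 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="vc.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - vc.yahoo.com - udp - 2" \
content="vc.yahoo.com" dst-port=5000-5010 in-interface="$int" protocol=udp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="windowsupdate.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - windowsupdate.microsoft.com - 2" \
content="windowsupdate.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="update.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - update.microsoft.com - 2" \
content="update.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download.windowsupdate.com" \
address-list-timeout=$t chain="$id" comment="$id - download.windowsupdate.com - 2" \
content="download.windowsupdate.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - download.microsoft.com - 2" \
content="download.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="ntservicepack.microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - ntservicepack.microsoft.com - 2" \
content="ntservicepack.microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="windowsupdate.com" \
address-list-timeout=$t chain="$id" comment="$id - windowsupdate.com - 2" \
content="windowsupdate.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="update" \
address-list-timeout=$t chain="$id" comment="$id - update - 2" \
content="update" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="microsoft.com" \
address-list-timeout=$t chain="$id" comment="$id - microsoft.com - 2" \
content="microsoft.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="voip-tcp" \
address-list-timeout=$t chain="$id" comment="$id - voip-tcp - 2" \
dst-port=5060-5061 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="voip-udp" \
address-list-timeout=$t chain="$id" comment="$id - voip-udp - 2" \
dst-port=5060-5061 in-interface="$int" protocol=udp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="icmp" \
address-list-timeout=$t chain="$id" comment="$id - icmp - 2" in-interface="$int" \
protocol=icmp;
# ---- tier 4 ----
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="facebook.com" \
address-list-timeout=$t chain="$id" comment="$id - facebook.com - 4" \
content="facebook.com" dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="forum.mikrotik.com" \
address-list-timeout=$t chain="$id" comment="$id - forum.mikrotik.com - 4" \
content="forum.mikrotik.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="google.com" \
address-list-timeout=$t chain="$id" comment="$id - google.com - 4" content="google.com" \
dst-port=443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="bing.com" \
address-list-timeout=$t chain="$id" comment="$id - bing.com - 4" content="bing.com" \
dst-port=80 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="mikrotik.com" \
address-list-timeout=$t chain="$id" comment="$id - mikrotik.com - 4" \
content="mikrotik.com" dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="msn.com" address-list-timeout=$t \
chain="$id" comment="$id - msn.com - 4" content="msn.com" dst-port=80 in-interface="$int" \
protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - yahoo.com - 4" content="yahoo.com" \
dst-port=80,443 in-interface="$int" protocol=tcp;
# ---- tier 8 ----
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="download" \
address-list-timeout=$t chain="$id" comment="$id - download - 8" content="download" \
dst-port=80,443 in-interface="$int" protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-bin" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-bin - 8" in-interface="$int" \
layer7-protocol=BIN protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-7z" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-7z - 8" in-interface="$int" \
layer7-protocol=7z protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-exe" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-exe - 8" in-interface="$int" \
layer7-protocol=EXE protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-rar" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-rar - 8" in-interface="$int" \
layer7-protocol=RAR protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-iso" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-iso - 8" in-interface="$int" \
layer7-protocol=ISO protocol=tcp;
# The next three names spell the digits as roman numerals (mIVa, mpIII, mpIV),
# presumably so the tier lookup on the comment does not hit them by accident.
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mIVa" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-mIVa - 8" in-interface="$int" \
layer7-protocol=M4A protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mpIII" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-mpIII - 8" in-interface="$int" \
layer7-protocol=MP3 protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-mpIV" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-mpIV - 8" in-interface="$int" \
layer7-protocol=MP4 protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-wma" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-wma - 8" in-interface="$int" \
layer7-protocol=WMA protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="Layer7-zip" \
address-list-timeout=$t chain="$id" comment="$id - Layer7-zip - 8" in-interface="$int" \
layer7-protocol=ZIP protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="video" address-list-timeout=$t \
chain="$id" comment="$id - video - 8" content="video" dst-port=80,443 in-interface="$int" \
protocol=tcp;
:delay 100ms;
/ip firewall filter add action=add-dst-to-address-list address-list="webcam.yahoo.com" \
address-list-timeout=$t chain="$id" comment="$id - webcam.yahoo.com - 8" \
content="webcam.yahoo.com" dst-port=5100 in-interface="$int" protocol=tcp;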
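## Mangle rules: one postrouting mark-packet rule per rule of chain "$id".
## For each filter rule the address-list name becomes both the
## src-address-list to match and the new packet mark, the filter comment is
## reused as the mangle comment, and the filter in-interface becomes the
## mangle out-interface.
##
## Changes against the original:
##  - old rules are removed ONCE before the loop. The original removed every
##    matching mangle rule from inside the loop whenever it met an existing
##    one, which could also delete rules the same loop had just added.
##  - the removal is anchored to comments starting with "$id - " and limited
##    to static rules, so unrelated postrouting mangle rules whose comment
##    merely contains the text of $id are left alone.
:if ([/ip firewall filter find where ! dynamic chain="$id" ] != "" ) do={
:if ([/ip firewall mangle find where ! dynamic chain=postrouting (comment~"^$id - ") ] != "" ) do={
:log error ("REMOVING OLD Fw MANGLE RULES FOR $id");
:delay 100ms;
/ip firewall mangle remove [find where ! dynamic chain=postrouting (comment~"^$id - ") ];
}
:log warning ("Creating New Fw Mangle Rules for $id");
:foreach fw in=[/ip firewall filter find where ! dynamic chain="$id" ] do={
:set l [/ip firewall filter get $fw address-list ];
:set com [/ip firewall filter get $fw comment ];
:set g [/ip firewall filter get $fw in-interface ];
:delay 100ms;
# The mark is keyed on the source address alone: once an address is in list
# "$l", all of its traffic leaving $g gets this mark, whatever the port.
/ip firewall mangle add action=mark-packet chain=postrouting comment="$com" new-packet-mark="$l" \
out-interface="$g" passthrough=$pass src-address-list="$l";
}}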
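## Child queues for tier 2: one queue per mangle rule whose comment ends in
## " - 2", attached to parent $par1 and matching that rule's packet mark.
##
## Changes against the original:
##  - the tier lookup is anchored ("^$id - ... - 2" at the end of the comment).
##    The original matched any postrouting mangle rule with a "2" anywhere in
##    its comment, including rules this script did not create.
##  - existence is checked by name, the same key the removal uses (the
##    original tested the comment but removed by name).
:if ([/ip firewall mangle find where chain=postrouting (comment~"^$id - ") ] != "" ) do={
:foreach p2 in=[/ip firewall mangle find where chain=postrouting (comment~"^$id - .* - 2\$") ] do={
:set npm1 [/ip firewall mangle get $p2 new-packet-mark ];
:set com1 [/ip firewall mangle get $p2 comment ];
# Replace an existing queue of the same name so the add below cannot collide.
:if ([/queue tree find where name="$com1" ] != "" ) do={
:log error ("REMOVING OLD QUEUE-TREE NAME=$com1");
:delay 100ms;
/queue tree remove [find where name="$com1" ];
}
:log warning ("Creating queue-tree name=$com1");
:delay 100ms;
/queue tree add name="$com1" parent="$par1" queue="$qtp" packet-mark="$npm1" comment="$com1";
}}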
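## Child queues for tier 4: one queue per mangle rule whose comment ends in
## " - 4", attached to parent $par2 and matching that rule's packet mark.
##
## Changes against the original:
##  - the tier lookup is anchored ("^$id - ... - 4" at the end of the comment).
##    The original matched any postrouting mangle rule with a "4" anywhere in
##    its comment, including rules this script did not create.
##  - existence is checked by name, the same key the removal uses (the
##    original tested the comment but removed by name).
:if ([/ip firewall mangle find where chain=postrouting (comment~"^$id - ") ] != "" ) do={
:foreach p3 in=[/ip firewall mangle find where chain=postrouting (comment~"^$id - .* - 4\$") ] do={
:set npm2 [/ip firewall mangle get $p3 new-packet-mark ];
:set com2 [/ip firewall mangle get $p3 comment ];
# Replace an existing queue of the same name so the add below cannot collide.
:if ([/queue tree find where name="$com2" ] != "" ) do={
:log error ("REMOVING OLD QUEUE-TREE NAME=$com2");
:delay 100ms;
/queue tree remove [find where name="$com2" ];
}
:log warning ("Creating queue-tree name=$com2");
:delay 100ms;
/queue tree add name="$com2" parent="$par2" queue="$qtp" packet-mark="$npm2" comment="$com2";
}}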
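## Child queues for tier 8: one queue per mangle rule whose comment ends in
## " - 8", attached to parent $par3 and matching that rule's packet mark.
##
## Changes against the original:
##  - the tier lookup is anchored ("^$id - ... - 8" at the end of the comment).
##    The original matched any postrouting mangle rule with an "8" anywhere in
##    its comment, including rules this script did not create.
##  - existence is checked by name, the same key the removal uses (the
##    original tested the comment but removed by name).
:if ([/ip firewall mangle find where chain=postrouting (comment~"^$id - ") ] != "" ) do={
:foreach p4 in=[/ip firewall mangle find where chain=postrouting (comment~"^$id - .* - 8\$") ] do={
:set npm3 [/ip firewall mangle get $p4 new-packet-mark ];
:set com3 [/ip firewall mangle get $p4 comment ];
# Replace an existing queue of the same name so the add below cannot collide.
:if ([/queue tree find where name="$com3" ] != "" ) do={
:log error ("REMOVING OLD QUEUE-TREE NAME=$com3");
:delay 100ms;
/queue tree remove [find where name="$com3" ];
}
:log warning ("Creating queue-tree name=$com3");
:delay 100ms;
/queue tree add name="$com3" parent="$par3" queue="$qtp" packet-mark="$npm3" comment="$com3";
# The last brace below closes the script's outer scope.
}}}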