The problem comes when trying to process the incoming UDP traffic on the router from the Internet (for example traffic torrent). The problem manifests itself in the termination of the account and coloring inbound Internet.
I ask your help in solving the problem.
router config:
Code: Select all
[admin@MikroTik Prometej] > interface export
# jul/09/2012 21:03:38 by RouterOS 5.18
# software id = XXXX-XXXX
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
disabled=yes forward-delay=15s max-message-age=20s mtu=1500 name=\
bridge-interface priority=0x8000 protocol-mode=none transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
comment="LoopBack OSPF" disabled=yes forward-delay=15s max-message-age=\
20s mtu=1500 name=loopback priority=0x8000 protocol-mode=none \
transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"WAN and LAN" disabled=no full-duplex=yes l2mtu=1520 mac-address=\
00:0C:42:A9:E5:FE master-port=none mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=yes full-duplex=yes l2mtu=1520 mac-address=00:0C:42:A9:E5:FF \
master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=yes full-duplex=yes l2mtu=1520 mac-address=00:0C:42:A9:E6:00 \
master-port=none mtu=1500 name=ether3 speed=1Gbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=yes full-duplex=yes l2mtu=1520 mac-address=00:0C:42:A9:E6:01 \
master-port=none mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=yes full-duplex=yes l2mtu=1520 mac-address=00:0C:42:A9:E6:02 \
master-port=none mtu=1500 name=ether5 speed=100Mbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=yes full-duplex=yes l2mtu=1520 mac-address=00:0C:42:A9:E6:03 \
master-port=none mtu=1500 name=ether6 speed=100Mbps
set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=yes full-duplex=yes l2mtu=1520 mac-address=00:0C:42:A9:E6:04 \
master-port=none mtu=1500 name=ether7 speed=100Mbps
set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=yes full-duplex=yes l2mtu=1520 mac-address=00:0C:42:A9:E6:05 \
master-port=none mtu=1500 name=ether8 speed=100Mbps
set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1520 mac-address=00:0C:42:A9:E6:06 \
master-port=none mtu=1500 name=ether9 speed=100Mbps
/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 comment=\
"Internet Beeline" connect-to=10.255.255.249 dial-on-demand=yes disabled=\
no max-mru=1460 max-mtu=1460 mrru=disabled name="L2TP 1" password=\
XXXXXXXXXXXXXXXX profile=default user=08922XXXXX
/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=\
10.255.255.251 dial-on-demand=yes disabled=yes max-mru=1460 max-mtu=1460 \
mrru=disabled name="PPTP 1" password=andromedaromy2009 profile=default \
user=0892208108
/interface ipip
add comment="IP \F2\F3\ED\ED\E5\EB\FC \"\D0\F3\F1\EB\E0\ED \E8 \DE\F0\E0\"" \
disabled=yes dscp=0 local-address=10.254.23.134 mtu=1480 name=Pro-Rus-IP \
remote-address=10.254.24.55
add comment=\
"IP \F2\F3\ED\ED\E5\EB\FC \"\CB\FE\E1\EE\EC\E8\F0 \E8 \DE\F0\E0\"" \
disabled=yes dscp=0 local-address=10.254.23.134 mtu=1480 name=Pro-Lub-IP \
remote-address=10.23.62.41
/interface vlan
add arp=enabled comment=PrivateLanBeeline disabled=no interface=ether1 l2mtu=\
1516 mtu=1500 name=Eth1-vlan-1308 use-service-tag=no vlan-id=1308
add arp=enabled comment=WhiteLanBee disabled=no interface=ether1 l2mtu=1516 \
mtu=1500 name=Eth1-vlan-0308 use-service-tag=no vlan-id=308
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
set 1 mirror-source=none mirror-target=none name=switch2
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 5 vlan-header=leave-as-is vlan-mode=fallback
set 6 vlan-header=leave-as-is vlan-mode=fallback
set 7 vlan-header=leave-as-is vlan-mode=fallback
set 8 vlan-header=leave-as-is vlan-mode=fallback
set 9 vlan-header=leave-as-is vlan-mode=fallback
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
default enabled=no keepalive-timeout=60 mac-address=FE:6B:F1:3C:7C:64 \
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
disabled port=443 verify-client-certificate=noCode: Select all
[admin@MikroTik Prometej] > ppp export
# jul/09/2012 21:08:27 by RouterOS 5.18
# software id = XXXX-XXXX
#
/ppp profile
set 0 change-tcp-mss=no name=default only-one=default use-compression=default \
use-encryption=default use-mpls=default use-vj-compression=default
set 1 change-tcp-mss=yes name=default-encryption only-one=default \
use-compression=default use-encryption=yes use-mpls=default \
use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=noCode: Select all
[admin@MikroTik Prometej] > ip export
# jul/09/2012 21:12:14 by RouterOS 5.18
# software id = XXXX-XXXX
#
/ip dhcp-server option
add code=249 name="option 249" value="0x080A0AFE178110AC190AFE178110AC1A0AFE17\
8110AC1B0AFE17811CC2558F100AFE17811DC29A52280AFE1781"
add code=121 name="option 121" value="0x080A0AFE178110AC190AFE178110AC1A0AFE17\
8110AC1B0AFE17811CC2558F100AFE17811DC29A52280AFE1781"
/ip firewall layer7-protocol
add name=HTTPS regexp=\
"^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012\
]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-\
gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*conte\
nt-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-\
f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9\
][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*content-type: applica\
tion/x-gnutella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
e\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /dat\
a\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_DHT regexp="^d1\\\\:ad2\\\\:id20\\\\:"
add name=DHT regexp="^d1:[a|r]d2:id20:.*:y1:[q|r]e"
add name=YouTube regexp="^.*(get|GET).+(youtube|googlevideo).*\$"
add name=VideoPlayBack regexp="^.*(get|GET).+(/videoplayback).*\$"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default \
shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
/ip pool
add name="DHCP Pool" ranges=10.254.23.135-10.254.23.141
/ip dhcp-server
add address-pool="DHCP Pool" authoritative=after-2sec-delay disabled=no \
interface=Eth1-vlan-1308 lease-time=1h name="DHCP Server"
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.0.1/24 comment="Managment device" disabled=yes interface=\
ether9 network=192.168.0.0
add address=10.254.23.134/28 comment="WAN and LAN IP" disabled=no interface=\
Eth1-vlan-1308 network=10.254.23.128
add address=192.168.20.1/24 comment="WAN and LAN IP" disabled=no interface=\
Eth1-vlan-1308 network=192.168.20.0
add address=192.168.30.1/30 comment=\
"P2P-\"\D0\F3\F1\EB\E0\ED \E8 \DE\F0\E0\"" disabled=yes interface=\
Pro-Rus-IP network=192.168.30.0
add address=192.168.30.5/30 comment=\
"P2P-\"\CB\FE\E1\EE\EC\E8\F0 \E8 \DE\F0\E0\"" disabled=yes interface=\
Pro-Lub-IP network=192.168.30.4
add address=192.168.255.5/32 comment="LoopBack IP OSPF" disabled=yes \
interface=loopback network=192.168.255.5
/ip dhcp-client
add add-default-route=yes default-route-distance=1 disabled=yes interface=\
Eth1-vlan-0308 use-peer-dns=yes use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server lease
add address=10.254.23.135 client-id=1:0:15:af:2a:18:0 comment=\
"IP - Notebook Izida" disabled=no lease-time=6h mac-address=\
00:15:AF:2A:18:00 server="DHCP Server"
add address=10.254.23.139 client-id=1:0:16:e8:b5:a1:ba comment=\
"IP - DUNE HD PLAY" disabled=no lease-time=6h mac-address=\
00:16:E8:B5:A1:BA server="DHCP Server"
add address=10.254.23.137 client-id=1:0:1f:33:ea:98:61 comment=\
"IP - ReadyNAS-Pro" disabled=no lease-time=6h mac-address=\
00:1F:33:EA:98:61 server="DHCP Server"
add address=10.254.23.136 always-broadcast=yes client-id=1:68:a3:c4:35:6c:18 \
comment="IP - Notebook Unicum" disabled=no mac-address=68:A3:C4:35:6C:18 \
server="DHCP Server"
add address=10.254.23.138 client-id=1:0:25:ae:e2:9e:74 comment="IP - XBOX360" \
disabled=no lease-time=6h mac-address=00:25:AE:E2:9E:74 server=\
"DHCP Server"
add address=192.168.20.2 client-id=1:0:25:ae:e2:9e:74 comment="IP - XBOX360" \
disabled=yes lease-time=6h mac-address=00:25:AE:E2:9E:74 server=\
"DHCP Server"
/ip dhcp-server network
add address=10.254.23.128/28 dhcp-option="option 249,option 121" dns-server=\
10.254.23.134 gateway=10.254.23.134 netmask=28 ntp-server=10.254.23.134 \
wins-server=""
add address=192.168.20.0/24 dhcp-option="" dns-server=192.168.20.1 gateway=\
192.168.20.1 netmask=24 ntp-server=192.168.20.1 wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 servers=194.154.82.43,194.154.82.44
/ip firewall address-list
add address=74.125.168.18 disabled=no list=VideoPlayBack
add address=74.125.218.80 disabled=no list=VideoPlayBack
add address=74.125.218.22 disabled=no list=VideoPlayBack
add address=74.125.168.178 disabled=no list=VideoPlayBack
add address=74.125.168.242 disabled=no list=VideoPlayBack
add address=74.125.168.100 disabled=no list=VideoPlayBack
add address=74.125.163.73 disabled=no list=VideoPlayBack
add address=74.125.218.208 disabled=no list=VideoPlayBack
add address=74.125.168.211 disabled=no list=VideoPlayBack
add address=74.125.168.22 disabled=no list=VideoPlayBack
add address=74.125.168.209 disabled=no list=VideoPlayBack
add address=74.125.168.96 disabled=no list=VideoPlayBack
add address=74.125.168.251 disabled=no list=VideoPlayBack
add address=74.125.168.86 disabled=no list=VideoPlayBack
add address=74.125.168.16 disabled=no list=VideoPlayBack
add address=74.125.168.98 disabled=no list=VideoPlayBack
add address=74.125.218.179 disabled=no list=VideoPlayBack
add address=74.125.168.24 disabled=no list=VideoPlayBack
add address=74.125.218.52 disabled=no list=VideoPlayBack
add address=74.125.218.53 disabled=no list=VideoPlayBack
add address=74.125.163.119 disabled=no list=VideoPlayBack
add address=74.125.168.218 disabled=no list=VideoPlayBack
add address=74.125.168.103 disabled=no list=VideoPlayBack
add address=74.125.168.99 disabled=no list=VideoPlayBack
add address=74.125.168.186 disabled=no list=VideoPlayBack
add address=74.125.168.185 disabled=no list=VideoPlayBack
add address=74.125.168.250 disabled=no list=VideoPlayBack
add address=74.125.168.216 disabled=no list=VideoPlayBack
add address=74.125.168.187 disabled=no list=VideoPlayBack
add address=74.125.168.83 disabled=no list=VideoPlayBack
add address=74.125.168.28 disabled=no list=VideoPlayBack
add address=74.125.168.25 disabled=no list=VideoPlayBack
add address=74.125.168.147 disabled=no list=VideoPlayBack
add address=74.125.168.245 disabled=no list=VideoPlayBack
add address=74.125.168.176 disabled=no list=VideoPlayBack
add address=74.125.168.241 disabled=no list=VideoPlayBack
add address=74.125.168.31 disabled=no list=VideoPlayBack
add address=74.125.168.85 disabled=no list=VideoPlayBack
add address=74.125.168.149 disabled=no list=VideoPlayBack
add address=74.125.168.177 disabled=no list=VideoPlayBack
add address=74.125.168.248 disabled=no list=VideoPlayBack
add address=74.125.168.214 disabled=no list=VideoPlayBack
add address=74.125.168.215 disabled=no list=VideoPlayBack
add address=74.125.218.178 disabled=no list=VideoPlayBack
add address=74.125.218.23 disabled=no list=VideoPlayBack
add address=74.125.218.212 disabled=no list=VideoPlayBack
add address=74.125.168.27 disabled=no list=VideoPlayBack
add address=74.125.168.88 disabled=no list=VideoPlayBack
add address=74.125.168.152 disabled=no list=VideoPlayBack
add address=74.125.168.154 disabled=no list=VideoPlayBack
add address=74.125.168.153 disabled=no list=VideoPlayBack
add address=74.125.168.182 disabled=no list=VideoPlayBack
add address=74.125.168.183 disabled=no list=VideoPlayBack
add address=74.125.168.217 disabled=no list=VideoPlayBack
add address=74.125.168.219 disabled=no list=VideoPlayBack
add address=74.125.168.84 disabled=no list=VideoPlayBack
add address=74.125.218.81 disabled=no list=VideoPlayBack
add address=74.125.218.86 disabled=no list=VideoPlayBack
add address=74.125.218.113 disabled=no list=VideoPlayBack
add address=74.125.218.116 disabled=no list=VideoPlayBack
add address=74.125.218.117 disabled=no list=VideoPlayBack
add address=74.125.218.118 disabled=no list=VideoPlayBack
add address=74.125.218.146 disabled=no list=VideoPlayBack
add address=74.125.218.148 disabled=no list=VideoPlayBack
add address=74.125.218.149 disabled=no list=VideoPlayBack
add address=74.125.218.209 disabled=no list=VideoPlayBack
add address=74.125.218.242 disabled=no list=VideoPlayBack
add address=74.125.168.145 disabled=no list=VideoPlayBack
add address=74.125.218.49 disabled=no list=VideoPlayBack
add address=74.125.168.148 disabled=no list=VideoPlayBack
add address=74.125.168.144 disabled=no list=VideoPlayBack
add address=74.125.168.95 disabled=no list=VideoPlayBack
add address=74.125.168.180 disabled=no list=VideoPlayBack
add address=74.125.168.179 disabled=no list=VideoPlayBack
add address=74.125.168.210 disabled=no list=VideoPlayBack
add address=74.125.218.48 disabled=no list=VideoPlayBack
add address=10.254.23.128/28 disabled=no list=SRC-NAT
add address=192.168.30.2 disabled=no list=SRC-NAT
add address=192.168.21.0/24 disabled=no list=SRC-NAT
add address=74.125.168.38 disabled=no list=VideoPlayBack
add address=74.125.168.81 disabled=no list=VideoPlayBack
add address=74.125.168.90 disabled=no list=VideoPlayBack
add address=74.125.168.151 disabled=no list=VideoPlayBack
add address=74.125.168.213 disabled=no list=VideoPlayBack
add address=74.125.168.244 disabled=no list=VideoPlayBack
add address=74.125.168.249 disabled=no list=VideoPlayBack
add address=74.125.218.20 disabled=no list=VideoPlayBack
add address=74.125.218.51 disabled=no list=VideoPlayBack
add address=94.198.55.0/24 disabled=no list=WorldOfTanks
add address=178.20.235.0/24 disabled=no list=WorldOfTanks
add address=213.252.177.0/24 disabled=no list=WorldOfTanks
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment=\
"Internet deny to FTP, SSH,TELNET,WWW,WINBOX" disabled=no dst-port=\
21,22,23,8291 in-interface="L2TP 1" protocol=tcp
/ip firewall mangle
add action=change-mss chain=forward disabled=no in-interface="L2TP 1" \
new-mss=1420 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=\
1421-65535
add action=change-mss chain=forward disabled=no new-mss=1420 out-interface=\
"L2TP 1" passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1421-65535
add action=mark-connection chain=output comment="Mark connection udp - L2TP" \
connection-mark=no-mark disabled=yes dst-port=1701 new-connection-mark=\
"connection - L2TP" passthrough=yes protocol=udp
add action=mark-connection chain=input comment="Mark connection udp - DNS" \
connection-mark=no-mark disabled=yes dst-port=53 new-connection-mark=\
"connection - DNS" passthrough=yes protocol=udp
add action=mark-connection chain=output comment="Mark connection udp - DNS" \
connection-mark=no-mark disabled=yes dst-port=53 new-connection-mark=\
"connection - DNS" passthrough=yes protocol=udp
add action=mark-connection chain=input comment="Mark connection udp - NTP" \
connection-mark=no-mark disabled=yes dst-port=123 new-connection-mark=\
"connection - NTP" passthrough=yes protocol=udp
add action=mark-connection chain=output comment="Mark connection udp - NTP" \
connection-mark=no-mark disabled=yes dst-port=123 new-connection-mark=\
"connection - NTP" passthrough=yes protocol=udp
add action=mark-connection chain=input comment="Mark connection tcp - WinBox" \
connection-mark=no-mark disabled=yes dst-port=8291 new-connection-mark=\
"connection - WinBox" passthrough=yes protocol=tcp
add action=add-dst-to-address-list address-list=VideoPlayBack \
address-list-timeout=1d chain=forward comment=\
"Auto add server - VideoPlayBack" disabled=yes dst-address-list=\
!VideoPlayBack dst-port=80 layer7-protocol=VideoPlayBack out-interface=\
"L2TP 1" protocol=tcp
add action=mark-connection chain=forward comment=\
"Mark connection tcp - VideoPlayBack" connection-mark=no-mark disabled=\
yes dst-address-list=VideoPlayBack new-connection-mark=\
"connection - VideoPlayBack" out-interface="L2TP 1" passthrough=yes \
protocol=tcp
add action=mark-connection chain=forward comment=\
"Mark connection tcp - VideoPlayBack" connection-mark=\
"connection - HTTP(S)" disabled=yes dst-address-list=VideoPlayBack \
new-connection-mark="connection - VideoPlayBack" out-interface="L2TP 1" \
passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=\
"Mark packet tcp in - VideoPlayBack" connection-mark=\
"connection - VideoPlayBack" disabled=yes in-interface="L2TP 1" \
new-packet-mark=Priority-4-In-VideoPlayBack packet-mark=no-mark \
passthrough=no
add action=mark-packet chain=forward comment=\
"Mark packet tcp out - VideoPlayBack" connection-mark=\
"connection - VideoPlayBack" disabled=yes new-packet-mark=\
Priority-4-Out-VideoPlayBack out-interface="L2TP 1" packet-mark=no-mark \
passthrough=no
add action=mark-connection chain=forward comment=\
"Mark connection udp in - World of Tanks" connection-mark=no-mark \
disabled=yes in-interface="L2TP 1" new-connection-mark=\
"connection - WorldofTanks" passthrough=yes protocol=udp \
src-address-list=WorldOfTanks
add action=mark-connection chain=forward comment=\
"Mark connection udp out - World of Tanks" connection-mark=no-mark \
disabled=yes dst-address-list=WorldOfTanks new-connection-mark=\
"connection - WorldofTanks" out-interface="L2TP 1" passthrough=yes \
protocol=udp
add action=mark-packet chain=forward comment=\
"Mark packet udp in - World of Tanks" connection-mark=\
"connection - WorldofTanks" disabled=yes in-interface="L2TP 1" \
new-packet-mark=Priority-4-In-Games packet-mark=no-mark passthrough=no
add action=mark-packet chain=forward comment=\
"Mark packet udp out - World of Tanks" connection-mark=\
"connection - WorldofTanks" disabled=yes new-packet-mark=\
Priority-4-Out-Games out-interface="L2TP 1" packet-mark=no-mark \
passthrough=no
add action=mark-connection chain=forward comment="Mark connection tcp - QIP" \
connection-mark=no-mark disabled=no dst-port=5222 new-connection-mark=\
"connection - QIP" out-interface="L2TP 1" passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="Mark packet tcp in - QIP" \
connection-mark="connection - QIP" disabled=no in-interface="L2TP 1" \
new-packet-mark=Priority-4-In-qip packet-mark=no-mark passthrough=no
add action=mark-packet chain=forward comment="Mark packet tcp out - QIP" \
connection-mark="connection - QIP" disabled=no new-packet-mark=\
Priority-4-Out-qip out-interface="L2TP 1" packet-mark=no-mark \
passthrough=no
add action=mark-connection chain=forward comment="Mark connection tcp - ICQ" \
connection-mark=no-mark disabled=no dst-port=5190 new-connection-mark=\
"connection - ICQ" out-interface="L2TP 1" passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="Mark packet tcp in - ICQ" \
connection-mark="connection - ICQ" disabled=no in-interface="L2TP 1" \
new-packet-mark=Priority-4-In-icq packet-mark=no-mark passthrough=no
add action=mark-packet chain=forward comment="Mark packet tcp out - ICQ" \
connection-mark="connection - ICQ" disabled=no new-packet-mark=\
Priority-4-Out-icq out-interface="L2TP 1" packet-mark=no-mark \
passthrough=no
add action=mark-connection chain=forward comment=\
"Mark connection tcp - MAgent" connection-mark=no-mark disabled=no \
dst-port=2041-2042 new-connection-mark="connection - MAgent" \
out-interface="L2TP 1" passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="Mark packet tcp in - MAgent" \
connection-mark="connection - MAgent" disabled=no in-interface="L2TP 1" \
new-packet-mark=Priority-4-In-magent packet-mark=no-mark passthrough=no
add action=mark-packet chain=forward comment="Mark packet tcp out - MAgent" \
connection-mark="connection - MAgent" disabled=no new-packet-mark=\
Priority-4-Out-magent out-interface="L2TP 1" packet-mark=no-mark \
passthrough=no
add action=mark-connection chain=forward comment=\
"Mark connection tcp - HTTP(S)" connection-mark=no-mark disabled=no \
dst-port=80,443 new-connection-mark="connection - HTTP(S)" out-interface=\
"L2TP 1" passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="Mark packet tcp in - HTTP(S)" \
connection-mark="connection - HTTP(S)" disabled=no in-interface="L2TP 1" \
new-packet-mark="Priority-2-In-http(s)" packet-mark=no-mark passthrough=\
no
add action=mark-packet chain=forward comment="Mark packet tcp out - HTTP(S)" \
connection-mark="connection - HTTP(S)" disabled=no new-packet-mark=\
"Priority-2-Out-http(s)" out-interface="L2TP 1" packet-mark=no-mark \
passthrough=no
add action=mark-connection chain=forward comment=\
"Mark connection tcp in - torrent" connection-mark=no-mark disabled=no \
dst-port=10256,10512 in-interface="L2TP 1" new-connection-mark=\
"connection - torrent" passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment=\
"Mark connection udp in - torrent" connection-mark=no-mark disabled=no \
dst-port=10256,10512 in-interface="L2TP 1" new-connection-mark=\
"connection - torrent" passthrough=yes protocol=udp
add action=mark-connection chain=forward comment=\
"Mark connection tcp out - torrent" connection-mark=no-mark disabled=no \
new-connection-mark="connection - torrent" out-interface="L2TP 1" \
passthrough=yes protocol=tcp src-port=10256,10512
add action=mark-connection chain=forward comment=\
"Mark connection udp out - torrent" connection-mark=no-mark disabled=no \
new-connection-mark="connection - torrent" out-interface="L2TP 1" \
passthrough=yes protocol=udp src-port=10256,10512
add action=mark-packet chain=forward comment="Mark packet in - torrent" \
connection-mark="connection - torrent" disabled=no in-interface="L2TP 1" \
new-packet-mark=Priority-0-In-torrent packet-mark=no-mark passthrough=no
add action=mark-packet chain=forward comment="Mark packet out - torrent" \
connection-mark="connection - torrent" disabled=no new-packet-mark=\
Priority-0-Out-torrent out-interface="L2TP 1" packet-mark=no-mark \
passthrough=no
add action=mark-packet chain=forward comment="Mark packet in - nomark" \
disabled=no in-interface="L2TP 1" new-packet-mark=Priority-1-In-nomark \
packet-mark=no-mark passthrough=no
add action=mark-packet chain=forward comment="Mark packet out - nomark" \
disabled=no new-packet-mark=Priority-1-Out-nomark out-interface="L2TP 1" \
packet-mark=no-mark passthrough=no
add action=log chain=forward disabled=no in-interface="L2TP 1" log-prefix="" \
packet-mark=no-mark
add action=log chain=forward disabled=no log-prefix="" out-interface="L2TP 1" \
packet-mark=no-mark
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Network 10.254.23.128/28" \
disabled=yes src-address=10.254.23.128/28
add action=masquerade chain=srcnat comment="NAT Network 10.254.23.128/28" \
disabled=no src-address-list=SRC-NAT
add action=masquerade chain=srcnat comment="NAT Network 192.168.20.0/24" \
disabled=yes src-address=192.168.20.0/24
add action=dst-nat chain=dstnat comment="DNAT ReadyNAS-Pro TCP 10512" \
disabled=no dst-port=10512 in-interface="L2TP 1" protocol=tcp \
to-addresses=10.254.23.137 to-ports=10512
add action=dst-nat chain=dstnat comment="DNAT Andromeda TCP 10256" disabled=\
no dst-port=10256 in-interface="L2TP 1" protocol=tcp to-addresses=\
10.254.23.130 to-ports=10256
add action=dst-nat chain=dstnat comment="DNAT ReadyNAS-Pro UDP 10512" \
disabled=no dst-port=10512 in-interface="L2TP 1" protocol=udp \
to-addresses=10.254.23.137 to-ports=10512
add action=dst-nat chain=dstnat comment="DNAT Andromeda UDP 10256" disabled=\
no dst-port=10256 in-interface="L2TP 1" protocol=udp to-addresses=\
10.254.23.130 to-ports=10256
add action=dst-nat chain=dstnat comment="DNAT XBOX360 TCP 53" disabled=no \
dst-port=53 in-interface="L2TP 1" protocol=tcp to-addresses=10.254.23.138 \
to-ports=53
add action=dst-nat chain=dstnat comment="DNAT XBOX360 TCP 3074" disabled=no \
dst-port=3074 in-interface="L2TP 1" protocol=tcp to-addresses=\
10.254.23.138 to-ports=3074
add action=dst-nat chain=dstnat comment="DNAT XBOX360 TCP 80" disabled=no \
dst-port=80 in-interface="L2TP 1" protocol=tcp to-addresses=10.254.23.138 \
to-ports=80
add action=dst-nat chain=dstnat comment="DNAT XBOX360 UDP 53" disabled=no \
dst-port=53 in-interface="L2TP 1" protocol=udp to-addresses=10.254.23.138 \
to-ports=53
add action=dst-nat chain=dstnat comment="DNAT XBOX360 UDP 3074" disabled=no \
dst-port=3074 in-interface="L2TP 1" protocol=udp to-addresses=\
10.254.23.138 to-ports=3074
add action=dst-nat chain=dstnat comment="DNAT XBOX360 UDP 88" disabled=no \
dst-port=88 in-interface="L2TP 1" protocol=udp to-addresses=10.254.23.138 \
to-ports=88
add action=dst-nat chain=dstnat comment="DNAT XBOX360 TCP 53" disabled=yes \
dst-port=53 in-interface="L2TP 1" protocol=tcp to-addresses=192.168.20.2 \
to-ports=53
add action=dst-nat chain=dstnat comment="DNAT XBOX360 TCP 3074" disabled=yes \
dst-port=3074 in-interface="L2TP 1" protocol=tcp to-addresses=\
192.168.20.2 to-ports=3074
add action=dst-nat chain=dstnat comment="DNAT XBOX360 TCP 80" disabled=yes \
dst-port=80 in-interface="L2TP 1" protocol=tcp to-addresses=192.168.20.2 \
to-ports=80
add action=dst-nat chain=dstnat comment="DNAT XBOX360 UDP 53" disabled=yes \
dst-port=53 in-interface="L2TP 1" protocol=udp to-addresses=192.168.20.2 \
to-ports=53
add action=dst-nat chain=dstnat comment="DNAT XBOX360 UDP 3074" disabled=yes \
dst-port=3074 in-interface="L2TP 1" protocol=udp to-addresses=\
192.168.20.2 to-ports=3074
add action=dst-nat chain=dstnat comment="DNAT XBOX360 UDP 88" disabled=yes \
dst-port=88 in-interface="L2TP 1" protocol=udp to-addresses=192.168.20.2 \
to-ports=88
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set ether6 disabled=no
set ether7 disabled=no
set ether8 disabled=no
set ether9 disabled=no
set bridge-interface disabled=no
set "PPTP 1" disabled=yes
set "L2TP 1" disabled=yes
set Pro-Rus-IP disabled=yes
set Pro-Lub-IP disabled=yes
set loopback disabled=no
set Eth1-vlan-1308 disabled=yes
set Eth1-vlan-0308 disabled=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
0.0.0.0
/ip route
add comment="Default GW" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway="L2TP 1" scope=30 target-scope=10
add comment="Route to 10.0.0.0/8 (Local Network Beeline)" disabled=no \
distance=1 dst-address=10.0.0.0/8 gateway=10.254.23.129 scope=30 \
target-scope=10
add comment="Route to 172.24.0.0/14 (Managment Network Beeline)" disabled=no \
distance=1 dst-address=172.24.0.0/14 gateway=10.254.23.129 scope=30 \
target-scope=10
add comment="Route to 194.154.82.40/29 (DHCP/DNS Network Beeline)" disabled=\
no distance=1 dst-address=194.154.82.40/29 gateway=10.254.23.129 scope=30 \
target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=Mikrotik-Prometej domain=MYHOME enabled=no \
interfaces=all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip tftp
add allow=yes allow-rollover=no disabled=no ip-addresses=10.254.23.131 \
read-only=yes real-filename=/software-220B007.had req-filename=\
software-220B007.had
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yesCode: Select all
[admin@MikroTik Prometej] > queue export
# jul/09/2012 21:15:41 by RouterOS 5.18
# software id = XXXX-XXXX
#
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=4M max-limit=4M name="Eth1 Out LAN" packet-mark="" parent=ether1 priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=4M max-limit=4M name="L2TP Out WAN" packet-mark="" parent="L2TP 1" priority=1
/queue type
set 0 kind=pfifo name=default pfifo-limit=200
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
add kind=pfifo name=Class-7 pfifo-limit=100
add kind=pfifo name=Class-6 pfifo-limit=90
add kind=pfifo name=Class-5 pfifo-limit=80
add kind=pfifo name=Class-4 pfifo-limit=70
add kind=pfifo name=Class-3 pfifo-limit=60
add kind=pfifo name=Class-2 pfifo-limit=50
add kind=pfifo name=Class-1 pfifo-limit=40
add kind=pfifo name=Class-0 pfifo-limit=30
set 13 kind=none name=only-hardware-queue
set 14 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 15 kind=pfifo name=default-small pfifo-limit=10
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s comment="ICQ, MAgent, FlashVideo, Games" disabled=yes limit-at=0 max-limit=0 name=Priority-4-LAN packet-mark=\
Priority-4-In-qip,Priority-4-In-icq,Priority-4-In-magent,Priority-4-In-Games,Priority-4-In-VideoPlayBack parent="Eth1 Out LAN" priority=4 queue=Class-4
add burst-limit=0 burst-threshold=0 burst-time=0s comment="HTTP(S) \F2\F0\E0\F4\E8\EA" disabled=yes limit-at=0 max-limit=0 name=Priority-2-LAN packet-mark=\
"Priority-2-In-http(s)" parent="Eth1 Out LAN" priority=6 queue=Class-2
add burst-limit=0 burst-threshold=0 burst-time=0s comment="\CD\E5\E8\E7\E2\E5\F1\F2\ED\FB\E9 \E8 Torrent \F2\F0\E0\F4\E8\EA " disabled=yes limit-at=0 \
max-limit=0 name=Priority-0-LAN packet-mark=Priority-0-In-torrent,Priority-1-In-nomark parent="Eth1 Out LAN" priority=8 queue=Class-0
add burst-limit=0 burst-threshold=0 burst-time=0s comment="\CD\E5\E8\E7\E2\E5\F1\F2\ED\FB\E9 \E8 Torrent \F2\F0\E0\F4\E8\EA" disabled=yes limit-at=0 max-limit=\
0 name=Priority-0-Out-WAN packet-mark=Priority-0-Out-torrent,Priority-1-Out-nomark parent="L2TP Out WAN" priority=8 queue=Class-0
add burst-limit=0 burst-threshold=0 burst-time=0s comment="HTTP(S) \F2\F0\E0\F4\E8\EA" disabled=yes limit-at=0 max-limit=0 name=Priority-2-Out-WAN packet-mark=\
"Priority-2-Out-http(s)" parent="L2TP Out WAN" priority=6 queue=Class-2
add burst-limit=0 burst-threshold=0 burst-time=0s comment="ICQ, MAgent, FlashVideo, Games" disabled=yes limit-at=0 max-limit=0 name=Priority-4-Out-WAN \
packet-mark=Priority-4-Out-qip,Priority-4-Out-icq,Priority-4-Out-magent,Priority-4-Out-Games,Priority-4-Out-VideoPlayBack parent="L2TP Out WAN" priority=4 \
queue=Class-4
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
set ether6 queue=ethernet-default
set ether7 queue=ethernet-default
set ether8 queue=ethernet-default
set ether9 queue=ethernet-default