
need help to Exclude skype from firewall

Posted: Tue May 20, 2014 6:51 pm
by Riajul74
Hello Guys,

I have an RB450 and I am using layer7 for blocking all websites, and I have excluded a few websites with the same layer7.

I have also opened ports 1025-65535 with a firewall rule for Skype access.

The main problem is that Skype is working, but file transfer between my client and me is very slow.

Can anyone please help me with how I can fix this issue? If I disable the rule, file transfer is good. Please help.

Re: need help to Exclude skype from firewall

Posted: Tue May 20, 2014 9:15 pm
by scotthammersley
Layer 7 application firewalling is very labor intensive to the CPU and memory. If you have a lot of rules to process, your slowness is possibly due to overconsumption of resources.

One possible fix is trying to build a new chain containing the Skype file transfer protocol, or allowing already established connections to pass through uninhibited (if not already).

Re: need help to Exclude skype from firewall

Posted: Tue May 20, 2014 9:20 pm
by Riajul74
Can you please let me know the details of the rules, how they would look? It would help me, please.

Re: need help to Exclude skype from firewall

Posted: Tue May 20, 2014 9:27 pm
by scotthammersley
Can you post your existing rule set please.

Re: need help to Exclude skype from firewall

Posted: Tue May 20, 2014 9:45 pm
by Riajul74
add chain=forward comment="skype port accpt" dst-port=1025-65535 protocol=tcp \
src-address-list=Processing

Re: need help to Exclude skype from firewall

Posted: Tue May 20, 2014 10:34 pm
by rextended
Good fortune, Scott Hammersley...

Re: need help to Exclude skype from firewall

Posted: Tue May 20, 2014 10:36 pm
by Riajul74
Can you please tell me now about the rule you are talking about?

Re: need help to Exclude skype from firewall

Posted: Wed May 21, 2014 11:02 pm
by scotthammersley
You can try this:

place this rule towards the top of the rule set:

/ip firewall filter
add chain=forward comment="accept and bypass established connections" protocol=tcp \
connection-state=established src-address-list=Processing action=jump jump-target=trust-established

place this rule at the BOTTOM of the rule set:

/ip firewall filter
add chain=trust-established comment="accept and bypass established connections" action=accept

Re: need help to Exclude skype from firewall

Posted: Thu May 22, 2014 9:23 am
by Riajul74
I have tried, but the problem is that if I add this rule, they can access all the websites which I had blocked.
Please see below all the rules which I have.

add chain=forward comment="skype port accpt" dst-port=1025-65535 protocol=tcp \
src-address-list=Processing
add chain=forward port=21-22 protocol=tcp src-address-list=Processing
add chain=forward comment="Processing allow web" layer7-protocol=\
Accept_processing src-address-list=Processing
add chain=forward comment="Processing wetransfer accept" layer7-protocol=\
Accept_wetransfer src-address-list=Processing
add chain=forward comment="Processing wetransfer accept_all" layer7-protocol=\
Accept_processing_wetransfer_all src-address-list=Processing
add chain=forward comment="users accept" layer7-protocol=Accept_users \
src-address-list=Vision_Users
add action=drop chain=forward comment="processing blocking rule" \
layer7-protocol="BlockAll Website" src-address-list=Processing
add action=drop chain=forward comment="users block" layer7-protocol=\
"BlockAll Website" src-address-list=Vision_Users

Everything is working well. The only problem is Skype file transfer. Please ask me if anything is not clear to you.
If you can help me with this, it will be very helpful to me.
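Why the established-connection rule re-opens the blocked websites, as an added example that is not part of any post in this thread: the HTTP request is sent only after the TCP handshake, when the connection is already established, so a rule that accepts established traffic first is hit before the layer7 rules can inspect the request. The Python model below is a simplified first-match evaluator over a subset of the posted rules; the two regexes, the host names and the packets are constructed assumptions, since the thread does not show the real layer7 patterns.

```python
import re

# Constructed stand-ins for the L7 regexes; the thread never shows the real ones.
L7 = {"Accept_processing": re.compile(rb"Host: allowed\.example"),
      "BlockAll Website": re.compile(rb"^(GET|POST|HEAD) ")}

# The jump rule suggested in the thread; its target chain is defined below.
BYPASS = {"state": "established", "proto": "tcp", "action": "jump",
          "target": "trust-established"}
CHAINS = {
    "forward": [  # subset of the posted rules; src-address-list=Processing implied
        {"proto": "tcp", "dports": (1025, 65535), "action": "accept"},
        {"l7": "Accept_processing", "action": "accept"},
        {"l7": "BlockAll Website", "action": "drop"},
    ],
    "trust-established": [{"action": "accept"}],
}

def matches(rule, pkt):
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "state" in rule and rule["state"] != pkt["state"]:
        return False
    if "dports" in rule and not rule["dports"][0] <= pkt["dport"] <= rule["dports"][1]:
        return False
    if "l7" in rule and not L7[rule["l7"]].search(pkt["payload"]):
        return False
    return True

def verdict(pkt, chains, chain="forward"):
    """First matching terminating rule wins; None means the chain fell through."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            result = verdict(pkt, chains, rule["target"])
            if result:
                return result
            continue
        return rule["action"]
    return "accept" if chain == "forward" else None  # no final drop rule was posted

def with_bypass():
    """Rule set with the established-connection jump placed at the top."""
    return {**CHAINS, "forward": [BYPASS] + CHAINS["forward"]}

# Constructed packets of one HTTP connection from a host in the Processing list.
SYN = {"proto": "tcp", "dport": 80, "state": "new", "payload": b""}
GET_BLOCKED = {"proto": "tcp", "dport": 80, "state": "established",
               "payload": b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"}
GET_ALLOWED = dict(GET_BLOCKED, payload=b"GET / HTTP/1.1\r\nHost: allowed.example\r\n\r\n")
```

Calling `verdict(GET_BLOCKED, CHAINS)` returns the drop from the posted rules, while `verdict(GET_BLOCKED, with_bypass())` returns accept because the jump rule matches before any layer7 rule is evaluated.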

Re: need help to Exclude skype from firewall

Posted: Thu May 22, 2014 7:49 pm
by docmarius
AFAIK, Skype transfers the files in 2 ways. If a P2P connection is possible with the file recipient, then a direct connection is established.
If that is not the case, it will go via Skype's servers, which is slow.

If there is a controlled environment regarding applications on your network (meaning abuse is excluded) and the network is not very big, UPnP can give you the proper access for your Skype users, including fast file transfer.