 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Hello all,

Wed Sep 10, 2014 11:33 am

I have a couple of basic questions. I am curious if there is a way to back up my Routerboard's firmware. I have my configuration backed up, but I am new and not sure if those configs are good for updated firmwares.

Also, in mangle, I have connection bytes in red. I cannot put anything into that field that I have found except 0, which I understand means infinite. If I try, say, 2000000-0 and click OK I get "Invalid value in undefined".

Thanks all!
 
plisken
Forum Guru
Posts: 2511
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: Hello all,

Wed Sep 10, 2014 6:00 pm

Post your export please so we can see what's wrong.

Go in the main window to "new terminal"

type export

Copy and paste the result and post it on this forum
 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Re: Hello all,

Wed Sep 10, 2014 10:26 pm

I don't believe that is working correctly. It is copy pasting as an absolute wall of text, and also has personal details in there, passwords and whatnot.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Hello all,

Thu Sep 11, 2014 11:52 am

You can remove sensitive parts of the configuration, like public IP addresses, passwords, usernames. Yes, it will be a wall of text, however in certain situations this is the only way to debug a configuration problem or confirm some problem in RouterOS.
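One way to do the redaction described in the reply above before pasting an export (an added example, not part of the thread and not MikroTik code). The key list, the placeholder format, and the choice to also mask MAC addresses and the software id are assumptions; the sample export is constructed.

```python
import ipaddress
import re

# Keys whose values are credentials or identifiers. These five appear in the
# export posted in this thread; the list is an assumption, extend it as needed.
SENSITIVE_KEYS = ("password", "user", "ssid",
                  "wpa-pre-shared-key", "wpa2-pre-shared-key")

KEY_VALUE = re.compile(
    r'(?<![\w-])(' + "|".join(map(re.escape, SENSITIVE_KEYS)) + r')='
    r'("(?:[^"\\]|\\.)*"|\S+)')
IPV4 = re.compile(r'(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?(?![\d.])')
MAC = re.compile(r'\b[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}\b')
SOFTWARE_ID = re.compile(r'^(# software id = ).*$', re.MULTILINE)


def join_continuations(text):
    """Undo export line wrapping: a trailing backslash continues the command
    on the next line, and that line's indentation is not part of the value."""
    return re.sub(r'\\\r?\n[ \t]*', '', text)


def sanitize_export(text):
    """Return (sanitized_text, {placeholder: original}) for a RouterOS export."""
    # Join first: a secret wrapped across two lines would otherwise be only
    # half matched, and its tail would stay in the output.
    text = join_continuations(text)
    seen = {}

    def placeholder(kind, value):
        # Same value -> same placeholder, so readers can still see which
        # rules refer to the same address.
        key = (kind, value.lower())
        if key not in seen:
            n = sum(1 for k in seen if k[0] == kind) + 1
            seen[key] = f"<{kind}-{n}>"
        return seen[key]

    def mask_ip(m):
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            return m.group(0)      # not a valid IPv4 address, leave as is
        if not addr.is_global or addr.is_multicast:
            return m.group(0)      # private/loopback/reserved ranges stay readable
        return placeholder("public-ip", m.group(1)) + (m.group(2) or "")

    text = SOFTWARE_ID.sub(r'\1<redacted>', text)
    text = KEY_VALUE.sub(lambda m: f"{m.group(1)}=<redacted>", text)
    text = MAC.sub(lambda m: placeholder("mac", m.group(0)), text)
    text = IPV4.sub(mask_ip, text)
    return text, {v: k[1] for k, v in seen.items()}


# Constructed sample, modelled on the layout of a RouterOS 6 export.
SAMPLE = r"""# sep/11/2014 13:27:51 by RouterOS 6.5
# software id = XXXX-XXXX
/interface bridge
add admin-mac=02:00:00:AA:BB:CC auto-mac=no name=bridge-local
/interface pppoe-client
add add-default-route=yes interface=ether05 name=pppoe-out1 \
    password="correct-horse-bat\
    tery" use-peer-dns=yes user=alice@isp.example
/ip address
add address=192.168.1.1/24 interface=wlan1 network=192.168.1.0
/ip firewall address-list
add address=8.8.4.4 list=support
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=8.8.4.4 \
    new-connection-mark=games
"""

if __name__ == "__main__":
    cleaned, mapping = sanitize_export(SAMPLE)
    print(cleaned)
    print(mapping)   # keep this mapping private; it reverses the placeholders
```

Read the result once more before posting: comments, script bodies and keys not in the list can still carry names or addresses that pattern matching does not catch.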
 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Re: Hello all,

Thu Sep 11, 2014 9:41 pm

MMM MMM KKK TTTTTTTTTTT KKK MMMM MMMM KKK TTTTTTTTTTT KKK MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK MMM MMM III KKK KKK

RRR RRR OOOOOO TTT III KKK KKK MikroTik RouterOS 6.5 (c) 1999-2013 http://www.mikrotik.com/ [?] Gives the list of available commands command [?] Gives help on the command and list of arguments [Tab] Completes the command/word. If the

input is ambigous, a second [Tab] gives possible options / Move up to base level .. Move up one level /command Use command at the base level [admin@MikroTik] > export # sep/11/2014 13:27:51 by RouterOS 6.5 # software id = FPJJ-FL3J #

/interface bridge add admin-mac=4C:5E:0C:21:C3:15 auto-mac=no l2mtu=1598 name=bridge-local \ protocol-mode=rstp /interface ethernet set [ find default-name=ether1 ] name=ether01-gateway set [ find default-name=ether2 ] name=ether02 set

[ find default-name=ether3 ] name=ether03 set [ find default-name=ether4 ] name=ether04 set [ find default-name=ether5 ] name=ether05 set [ find default-name=ether6 ] name=ether06-master-local set [ find default-name=ether7 ] master-

port=ether06-master-local name=\ ether07-slave-local set [ find default-name=ether8 ] master-port=ether06-master-local name=\ ether08-slave-local set [ find default-name=ether9 ] master-port=ether06-master-local name=\ ether09-slave-

local set [ find default-name=ether10 ] name=ether10-slave-local /interface pppoe-client add add-default-route=yes disabled=no interface=ether05 max-mru=1492 \ max-mtu=1492 name=pppoe-out1 password=xxxxxxxx use-peer-dns=yes \

user=xxxxxxxx /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\ 20/40mhz-ht-above disabled=no ht-rxchains=0,1 ht-txchains=0,1 l2mtu=\ 2290 mode=ap-bridge rate-set=configured ssid=xxxxxxxx \ wireless-

protocol=802.11 /ip neighbor discovery set ether01-gateway discover=no /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\ tkip,aes-ccm mode=dynamic-keys unicast-

ciphers=tkip,aes-ccm \ wpa-pre-shared-key=xxxxxxxx wpa2-pre-shared-key=xxxxxxxx /ip firewall layer7-protocol add name=speedtest-servers regexp="^.*(get|GET).+speedtest.*\$" add name=torrent-wwws regexp="^.*(get|GET).+(torrent|

thepiratebay|isohunt\ |entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bit\ nova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$" add name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|d\

emonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup\ |meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$" add name=netflix regexp="^.*(get|GET).+(netflix).*\$" add name=mp4 regexp="^.*(get|GET).+\\.mp4.*\$" add

name=swf regexp="^.*(get|GET).+\\.swf.*\$" add name=flv regexp="^.*(get|GET).+\\.flv.*\$" add name=video regexp="^.*(get|GET).+(\\.flv|\\.mp4|netflix|\\.swf).*\$" /ip hotspot user profile set [ find default=yes ] idle-timeout=none

keepalive-timeout=2m \ mac-cookie-timeout=3d /ip pool add name=dhcp ranges=192.168.1.102-192.168.1.152 /ip dhcp-server add address-pool=dhcp disabled=no interface=bridge-local lease-time=1d \ name=default /port set 0 name=serial0 /queue

simple add dst=pppoe-out1 max-limit=720k/6656k name="PPPOE Queue" /queue type add kind=pfifo name=streaming-video-in pfifo-limit=500 add kind=pcq name=games-in-pcq pcq-classifier=dst-address \ pcq-dst-address6-mask=64 pcq-rate=100k

pcq-src-address6-mask=64 \ pcq-total-limit=750000 /queue tree add max-limit=6400k name=in parent=global queue=default add max-limit=650k name=out parent=global queue=default add limit-at=512k max-limit=6400k name=http-in packet-

mark=http-in \ parent=in priority=4 queue=default add limit-at=4096k max-limit=6400k name=streaming-video-in packet-mark=\ streaming-video-in parent=in priority=3 queue=streaming-video-in add limit-at=512k max-limit=6400k name=gaming-in

packet-mark=games-in \ parent=in priority=2 queue=games-in-pcq add max-limit=6400k name=download-in packet-mark=in parent=in queue=\ default add max-limit=650k name=upload-out packet-mark=out parent=out queue=\ default add limit-at=200k

max-limit=650k name=gaming-out packet-mark=games-out \ parent=out priority=2 queue=default add limit-at=90k max-limit=650k name=http-out packet-mark=http-out \ parent=out priority=4 queue=default add limit-at=90k max-limit=650k

name=streaming-video-out packet-mark=\ streaming-video-out parent=out priority=3 queue=default add limit-at=512k max-limit=6400k name=voip-in packet-mark=voip-in \ parent=in priority=1 queue=default add limit-at=512k max-limit=6400k

name=vpn-in packet-mark=vpn-in parent=\ in priority=2 queue=default add limit-at=200k max-limit=650k name=voip-out packet-mark=voip-out \ parent=out priority=1 queue=default add limit-at=90k max-limit=650k name=vpn-out packet-mark=vpn-

out parent=\ out priority=2 queue=default add limit-at=512k max-limit=6400k name=admin-in packet-mark=admin-in \ parent=in priority=1 queue=default add limit-at=50k max-limit=650k name=admin-out packet-mark=admin-out \ parent=out

priority=1 queue=default /interface bridge port add bridge=bridge-local interface=ether02 add bridge=bridge-local interface=ether03 add bridge=bridge-local interface=ether04 add bridge=bridge-local disabled=yes interface=ether05 add

bridge=bridge-local interface=ether06-master-local add bridge=bridge-local interface=sfp1 add bridge=bridge-local interface=wlan1 /ip address add address=192.168.1.1/24 comment="default configuration" interface=\ sfp1

network=192.168.1.0 add address=192.168.1.1/24 interface=wlan1 network=192.168.1.0 /ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24 add address=192.168.88.0/24 comment="default configuration" dns-

server=\ 192.168.88.1 gateway=192.168.88.1 /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,142.161.2.18 /ip dns static add address=192.168.88.1 name=router /ip firewall address-list add address=192.168.0.0/24 list=support

add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=\ bogons add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if yo\ u need this subnet before enable it" disabled=yes list=bogons add

address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if\ \_you need this subnet

before enable it" list=bogons add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check i\ f you need this subnet before enable it" disabled=yes list=bogons add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1"

list=\ bogons add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\ bogons add address=198.18.0.0/15 comment="NIDB Testing" list=bogons add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=\ bogons

add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=\ bogons add address=224.0.0.0/4 comment=\ "MC, Class D, IANA # Check if you need this subnet before enable it" \ list=bogons add address=10.0.0.0/24 list=support add

address=192.168.5.0/24 list=support add address=192.168.1.0/24 list=internal-nets add address=10.0.0.0/8 list=internal-nets /ip firewall filter add action=add-src-to-address-list address-list=Syn_Flooder \ address-list-timeout=30m

chain=input comment=\ "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \ tcp-flags=syn add action=add-src-to-address-list address-list=Port_Scanner \ address-list-timeout=1w chain=input comment="Port Scanner Detect" \

protocol=tcp psd=21,3s,3,1 add action=jump chain=input comment="Jump for icmp input flow" \ jump-target=ICMP protocol=icmp add chain=input comment="default configuration\ \nAllow ICMP" protocol=icmp add chain=input comment=\ "default

configuration\ \nAllow Established connections" connection-state=established add chain=input comment=\ "default configuration\ \nAllow related connections" connection-state=related add chain=input comment="Accept incoming on Port 80

(HTTP)" \ in-interface=all-ppp port=80 protocol=tcp add chain=input comment="Allow inputs not from WAN" in-interface=\ !all-ppp src-address=192.168.1.0/24 add chain=input comment="Full access to SUPPORT address list" \ src-address-

list=support add action=drop chain=input comment="default configuration" \ in-interface=ether01-gateway add action=drop chain=input comment="Drop incoming on Port 80 (HTTP)" \ disabled=yes in-interface=all-ppp port=80 protocol=tcp add

action=drop chain=input comment=\ "Drop DNS incoming on PPP connections" dst-port=53 in-interface=\ all-ppp protocol=tcp add action=drop chain=input comment=\ "Drop DNS incoming on PPP connections" dst-port=53 in-interface=\ all-ppp

protocol=udp add action=drop chain=input comment="Drop to syn flood list" \ src-address-list=Syn_Flooder add action=drop chain=input comment="Drop to port scan list" \ src-address-list=Port_Scanner add action=drop chain=input

comment="Block all access to the winbox - exc\ ept to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET \ IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp \ src-address-list=!support add action=drop chain=input

comment="Drop Invalid connections" \ connection-state=invalid add action=drop chain=input comment="Drop everything else" add action=jump chain=output comment="Jump for icmp output" jump-target=\ ICMP protocol=icmp add action=add-src-

to-address-list address-list=spammers \ address-list-timeout=3h chain=forward comment=\ "Add Spammers to the list for 3 hours" connection-limit=30,32 \ dst-port=25,587 limit=30/1m,0 protocol=tcp add chain=forward comment="default

configuration" connection-state=\ established add chain=forward comment="default configuration" connection-state=\ related add chain=forward comment="allow already established connections" \ connection-state=established add

chain=forward comment="allow related connections" connection-state=\ related add action=jump chain=forward jump-target=tcp protocol=tcp add action=jump chain=forward jump-target=udp protocol=udp add action=jump chain=forward jump-

target=icmp protocol=icmp add action=jump chain=forward comment="Jump for icmp forward flow" \ jump-target=ICMP protocol=icmp add action=drop chain=forward comment="default configuration" \ connection-state=invalid add action=drop

chain=forward src-address=0.0.0.0/8 add action=drop chain=forward dst-address=0.0.0.0/8 add action=drop chain=forward src-address=127.0.0.0/8 add action=drop chain=forward dst-address=127.0.0.0/8 add action=drop chain=forward src-

address=224.0.0.0/3 add action=drop chain=forward dst-address=224.0.0.0/3 add action=drop chain=forward comment="Drop to bogon list" \ dst-address-list=bogons add action=drop chain=forward comment="Avoid spammers action" dst-port=\

25,587 protocol=tcp src-address-list=spammers add action=drop chain=forward comment="drop invalid connections" \ connection-state=invalid protocol=tcp add chain=ICMP comment="echo reply" icmp-options=0:0 protocol=icmp add chain=ICMP

comment="net unreachable" icmp-options=3:0 protocol=icmp add chain=ICMP comment="host unreachable" icmp-options=3:1 protocol=icmp add chain=ICMP comment="host unreachable fragmentation required" \ icmp-options=3:4 protocol=icmp add

chain=ICMP comment="allow source quench" icmp-options=4:0 protocol=\ icmp add chain=ICMP comment="allow echo request" icmp-options=8:0 protocol=\ icmp add chain=ICMP comment="allow time exceed" icmp-options=11:0 protocol=\ icmp add

chain=ICMP comment="allow parameter bad" icmp-options=12:0 protocol=\ icmp add chain=ICMP comment="Echo request - Avoiding Ping Flood" \ icmp-options=8:0 limit=1,5 protocol=icmp add chain=ICMP comment="Echo reply" icmp-options=0:0

protocol=icmp add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 \ protocol=icmp add chain=ICMP comment="Path MTU Discovery" icmp-options=3:4

protocol=\ icmp add action=drop chain=ICMP comment="deny all other types" add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=\ icmp add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp add

action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \ protocol=tcp add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \ protocol=tcp add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=\

tcp add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \ protocol=tcp add

action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=\ tcp add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 \ protocol=tcp add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=\ tcp add

action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=\ udp add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp add action=drop

chain=udp comment="deny BackOriffice" dst-port=3133 \ protocol=udp add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \ protocol=udp add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \ protocol=udp

/ip firewall mangle add action=mark-packet chain=prerouting comment=\ "internal-traffic packet mark" dst-address-list=internal-nets \ new-packet-mark=internal-traffic passthrough=no src-address-list=\ internal-nets add action=mark-

packet chain=prerouting comment=\ "admin-in packet mark DNS" in-interface=pppoe-out1 new-packet-mark=\ admin-in passthrough=no protocol=udp src-port=53 add action=mark-packet chain=prerouting comment=\ "admin-in packet mark snmp" dst-

port=161 in-interface=pppoe-out1 \ new-packet-mark=admin-in passthrough=no protocol=udp add action=mark-connection chain=prerouting comment=\ "Remote Protocols admin connection mark" new-connection-mark=admin \

port=20,21,22,23,3389,8291 protocol=tcp add action=mark-connection chain=prerouting comment=\ "icmp connection mark as admin" new-connection-mark=admin protocol=\ icmp src-address-list=internal-nets add action=mark-packet

chain=prerouting comment="admin-in packet mark" \ connection-mark=admin in-interface=pppoe-out1 new-packet-mark=\ admin-in passthrough=no add action=mark-packet chain=prerouting comment="admin-out packet mark" \ connection-mark=admin

new-packet-mark=admin-out passthrough=no add action=mark-connection chain=prerouting comment=\ "streaming video connection mark" dst-port=80 layer7-protocol=video \ new-connection-mark=streaming-video protocol=tcp src-address-list=\

internal-nets add action=mark-packet chain=prerouting comment=\ "streaming video in packet mark" connection-mark=streaming-video \ in-interface=pppoe-out1 new-packet-mark=streaming-video-in \ passthrough=no add action=mark-packet

chain=prerouting comment=\ "streaming video out packet mark" connection-mark=streaming-video \ new-packet-mark=streaming-video-out passthrough=no add action=mark-connection chain=prerouting comment=\ "http traffic connection mark" dst-

port=80,443 new-connection-mark=\ http protocol=tcp src-address-list=internal-nets add action=mark-connection chain=prerouting comment=\ "http traffic connection mark" connection-bytes=5000000-4294967295 \ dst-port=80,443 new-

connection-mark=http-download protocol=tcp \ src-address-list=internal-nets add action=mark-packet chain=prerouting comment="http in packet mark" \ connection-mark=http in-interface=pppoe-out1 new-packet-mark=http-in \ passthrough=no

add action=mark-packet chain=prerouting comment="http out packet mark" \ connection-mark=http new-packet-mark=http-out passthrough=no add action=mark-connection chain=prerouting comment=\ "wow connection mark as gaming" dst-port=\

1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games \ protocol=tcp src-address-list=internal-nets add action=mark-connection chain=prerouting comment=\ "wot connection mark as gaming" dst-port=5222 new-connection-mark=\ games

protocol=tcp src-address-list=internal-nets add action=mark-connection chain=prerouting comment=\ "eve online connection mark as gaming" dst-address=87.237.38.200 \ new-connection-mark=games src-address-list=internal-nets add

action=mark-connection chain=prerouting comment=\ "starcraft 2 connection mark as gaming" dst-port=1119 \ new-connection-mark=games protocol=tcp src-address-list=\ internal-nets add action=mark-connection chain=prerouting comment=\

"heros of newerth connection mark as gaming" dst-port=\ 11031,11235-11335 new-connection-mark=games protocol=tcp \ src-address-list=internal-nets add action=mark-connection chain=prerouting comment=\ "steam connection mark as gaming"

dst-port=27014-27050 \ new-connection-mark=games protocol=tcp src-address-list=\ internal-nets add action=mark-connection chain=prerouting comment=\ "xbox live connection mark as gaming" dst-port=3074 \ new-connection-mark=games

protocol=tcp src-address-list=\ internal-nets add action=mark-connection chain=prerouting comment=\ "ps3 online connection mark as gaming" dst-port=5223 \ new-connection-mark=games protocol=tcp src-address-list=\ internal-nets add

action=mark-connection chain=prerouting comment=\ "wii online connection mark as gaming" dst-port=\ 28910,29900,29901,29920 new-connection-mark=games protocol=tcp \ src-address-list=internal-nets add action=mark-packet chain=prerouting

comment="games packet mark wow" \ in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no \ protocol=udp src-port=53,3724 add action=mark-packet chain=prerouting comment="games packet mark wot" \ dst-

port=53,3432,9987,30443,32800-32900 new-packet-mark=games-out \ passthrough=no protocol=udp src-address-list=internal-nets add action=mark-packet chain=prerouting comment="games packet mark wot" \ in-interface=pppoe-out1 new-packet-

mark=games-in passthrough=no \ protocol=udp src-port=53,3432,9987,30443,32800-32900 add action=mark-packet chain=prerouting comment=\ "games packet mark starcraft2" in-interface=pppoe-out1 \ new-packet-mark=games-in passthrough=no

protocol=udp src-port=\ 1119,6113 add action=mark-packet chain=prerouting comment="games packet mark HoN" \ in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no \ protocol=udp src-port=11031,11235-11335 add action=mark-packet

chain=prerouting comment=\ "games packet mark steam in" in-interface=pppoe-out1 \ new-packet-mark=games-in passthrough=no port=4380,28960,27000-27030 \ protocol=udp add action=mark-packet chain=prerouting comment=\ "games packet mark

steam out" dst-port=\ 53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 \ new-packet-mark=games-out passthrough=no protocol=udp \ src-address-list=internal-nets add action=mark-packet chain=prerouting comment=\ "games packet

mark xbox live" in-interface=pppoe-out1 \ new-packet-mark=games-in passthrough=no protocol=udp src-port=\ 88,3074,3544,4500 add action=mark-packet chain=prerouting comment=\ "games packet mark ps3 online" in-interface=pppoe-out1 \ new-

packet-mark=games-in passthrough=no protocol=udp src-port=\ 3478,3479,3658 add action=mark-packet chain=prerouting comment="games packet mark in" \ connection-mark=games in-interface=pppoe-out1 new-packet-mark=\ games-in passthrough=no

add action=mark-packet chain=prerouting comment="games packet mark out" \ connection-mark=games new-packet-mark=games-out passthrough=no add action=mark-packet chain=prerouting comment=\ "voip-in packet mark teamspeak" in-

interface=pppoe-out1 \ new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987 add action=mark-packet chain=prerouting comment=\ "voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=\ voip-out passthrough=no

protocol=udp src-address-list=internal-nets add action=mark-packet chain=prerouting comment=\ "voip-out packet mark teamspeak" in-interface=pppoe-out1 \ new-packet-mark=voip-out passthrough=no protocol=udp src-port=9987 add

action=mark-packet chain=prerouting comment=\ "voip-in packet mark ventrilo" in-interface=pppoe-out1 \ new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784 add action=mark-packet chain=prerouting comment=\ "voip-out packet

mark ventrilo" dst-port=3784 new-packet-mark=\ voip-out passthrough=no protocol=udp src-address-list=internal-nets add action=mark-packet chain=prerouting comment=\ "voip-in packet mark ventrilo" in-interface=pppoe-out1 \ new-packet-

mark=voip-in passthrough=no protocol=tcp src-port=3784 add action=mark-packet chain=prerouting comment=\ "voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=\ voip-out passthrough=no protocol=tcp src-address-list=internal-nets

add action=mark-packet chain=prerouting comment=\ "voip-in packet mark SIP" in-interface=pppoe-out1 new-packet-mark=\ voip-in passthrough=no port=5060 protocol=tcp add action=mark-packet chain=prerouting comment=\ "voip-out packet mark

SIP" new-packet-mark=voip-out passthrough=no \ port=5060 protocol=tcp src-address-list=internal-nets add action=mark-packet chain=prerouting comment=\ "voip-in packet mark udp SIP" in-interface=pppoe-out1 \ new-packet-mark=voip-in

passthrough=no port=5004,5060 protocol=udp add action=mark-packet chain=prerouting comment=\ "voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=\ no port=5004,5060 protocol=udp src-address-list=internal-nets add

action=mark-packet chain=prerouting comment=\ "voip-in packet mark RTP" in-interface=pppoe-out1 new-packet-mark=\ voip-in packet-size=100-400 passthrough=no port=16348-32768 \ protocol=udp add action=mark-packet chain=prerouting

comment=\ "voip-out packet mark RTP" new-packet-mark=voip-out packet-size=\ 100-400 passthrough=no port=16348-32768 protocol=udp \ src-address-list=internal-nets add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" \

in-interface=pppoe-out1 new-packet-mark=vpn-in passthrough=no \ protocol=gre add action=mark-packet chain=prerouting comment=\ "vpn-out packet mark GRE" new-packet-mark=vpn-out passthrough=no \ protocol=gre add action=mark-packet

chain=prerouting comment="vpn-in packet mark ESP" \ in-interface=pppoe-out1 new-packet-mark=vpn-in passthrough=no \ protocol=ipsec-esp add action=mark-packet chain=prerouting comment=\ "vpn-out packet mark ESP" new-packet-mark=vpn-out

passthrough=no \ protocol=ipsec-esp add action=mark-packet chain=prerouting comment=\ "vpn-in packet mark VPN UDP ports" in-interface=pppoe-out1 \ new-packet-mark=vpn-in passthrough=no protocol=udp src-port=\ 500,1701,4500 add

action=mark-packet chain=prerouting comment=\ "vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out \ passthrough=no protocol=udp src-port=500,1701,4500 add action=mark-packet chain=prerouting comment=\ "vpn-in packet mark PPTP"

in-interface=pppoe-out1 new-packet-mark=\ vpn-in passthrough=no protocol=tcp src-port=1723 add action=mark-packet chain=prerouting comment=\ "vpn-out packet mark PPTP" new-packet-mark=vpn-out passthrough=no \ protocol=tcp src-port=1723

add action=mark-packet chain=prerouting comment="all in" in-interface=\ pppoe-out1 new-packet-mark=in passthrough=no add action=mark-packet chain=prerouting comment="all out" \ new-packet-mark=out passthrough=no /ip firewall nat add

action=masquerade chain=srcnat comment="default configuration" \ out-interface=all-ppp to-addresses=0.0.0.0 /ip service set telnet disabled=yes set ftp disabled=yes set ssh disabled=yes set api disabled=yes set winbox disabled=yes set

api-ssl disabled=yes /ip upnp set enabled=yes /ip upnp interfaces add interface=pppoe-out1 type=external add interface=bridge-local type=internal /lcd interface set sfp1 interface=sfp1 set ether01-gateway interface=ether01-gateway set

ether02 interface=ether02 set ether03 interface=ether03 set ether04 interface=ether04 set ether05 interface=ether05 set ether06-master-local interface=ether06-master-local set ether07-slave-local interface=ether07-slave-local set

ether08-slave-local interface=ether08-slave-local set ether09-slave-local interface=ether09-slave-local set ether10-slave-local interface=ether10-slave-local set wlan1 interface=wlan1 /system clock set time-zone-name=America/Winnipeg

/system logging set 0 action=disk set 1 action=disk set 2 action=disk set 3 action=disk /system ntp client set enabled=yes mode=unicast primary-ntp=198.50.239.53 secondary-ntp=\ 66.96.30.35 /system watchdog set watch-address=8.8.8.8

watchdog-timer=no /tool graphing interface add interface=pppoe-out1 add interface=ether04 add interface=ether02 add interface=ether03 add interface=ether05 /tool mac-server set [ find default=yes ] disabled=yes add interface=ether02 add

interface=ether03 add interface=ether04 add interface=ether05 add interface=ether06-master-local add interface=ether07-slave-local add interface=ether08-slave-local add interface=ether09-slave-local add interface=sfp1 add

interface=wlan1 add interface=bridge-local /tool mac-server mac-winbox set [ find default=yes ] disabled=yes add interface=ether02 add interface=ether03 add interface=ether04 add interface=ether05 add interface=ether06-master-local add

interface=ether07-slave-local add interface=ether08-slave-local add interface=ether09-slave-local add interface=sfp1 add interface=wlan1 add interface=bridge-local
 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Re: Hello all,

Thu Sep 11, 2014 9:45 pm

There it is, would be nice if it could be formatted just the way it comes out in terminal. I hope I have removed everything sensitive from there, please let me know if I missed something, and please bear with me, I am new to this MikroTik/RouterOS. I have found/made/modified/fixed scripts and cobbled together what I have there, and quite frankly it works very well!

Fairly happy with the QoS script that I found, after I fixed a bunch of it.

Thanks for your time!
 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Re: Hello all,

Sun Sep 14, 2014 9:49 pm

Bump
 
mrphreak
newbie
Posts: 38
Joined: Tue Jan 24, 2012 11:37 pm

Re: Hello all,

Mon Sep 15, 2014 10:59 am

Needed to be able to read it a bit clearer, now my eyes are bleeding.
# sep/11/2014 13:27:51 by RouterOS 6.5
# software id = FPJJ-FL3J
# 

/interface bridge
add admin-mac=4C:5E:0C:21:C3:15 auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp 

/interface ethernet
set [ find default-name=ether1 ] name=ether01-gateway
set [ find default-name=ether2 ] name=ether02
set [ find default-name=ether3 ] name=ether03
set [ find default-name=ether4 ] name=ether04
set [ find default-name=ether5 ] name=ether05
set [ find default-name=ether6 ] name=ether06-master-local
set [ find default-name=ether7 ] master-port=ether06-master-local name=ether07-slave-local
set [ find default-name=ether8 ] master-port=ether06-master-local name=ether08-slave-local
set [ find default-name=ether9 ] master-port=ether06-master-local name=ether09-slave-local
set [ find default-name=ether10 ] name=ether10-slave-local

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether05 max-mru=1492 max-mtu=1492 name=pppoe-out1 password=xxxxxxxx use-peer-dns=yes user=xxxxxxxx

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge rate-set=configured ssid=xxxxxxxx wireless-protocol=802.11

/ip neighbor discovery
set ether01-gateway discover=no

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=xxxxxxxx wpa2-pre-shared-key=xxxxxxxx

/ip firewall layer7-protocol
add name=speedtest-servers regexp="^.*(get|GET).+speedtest.*\$"
add name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add name=netflix regexp="^.*(get|GET).+(netflix).*\$"
add name=mp4 regexp="^.*(get|GET).+\\.mp4.*\$"
add name=swf regexp="^.*(get|GET).+\\.swf.*\$"
add name=flv regexp="^.*(get|GET).+\\.flv.*\$"
add name=video regexp="^.*(get|GET).+(\\.flv|\\.mp4|netflix|\\.swf).*\$"

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d

/ip pool
add name=dhcp ranges=192.168.1.102-192.168.1.152

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=1d name=default

/port
set 0 name=serial0 

/queue simple
add dst=pppoe-out1 max-limit=720k/6656k name="PPPOE Queue"

/queue type
add kind=pfifo name=streaming-video-in pfifo-limit=500
add kind=pcq name=games-in-pcq pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=100k pcq-src-address6-mask=64 pcq-total-limit=750000

/queue tree
add max-limit=6400k name=in parent=global queue=default
add max-limit=650k name=out parent=global queue=default
add limit-at=512k max-limit=6400k name=http-in packet-mark=http-in parent=in priority=4 queue=default
add limit-at=4096k max-limit=6400k name=streaming-video-in packet-mark=streaming-video-in parent=in priority=3 queue=streaming-video-in
add limit-at=512k max-limit=6400k name=gaming-in packet-mark=games-in parent=in priority=2 queue=games-in-pcq
add max-limit=6400k name=download-in packet-mark=in parent=in queue=default
add max-limit=650k name=upload-out packet-mark=out parent=out queue=default
add limit-at=200k max-limit=650k name=gaming-out packet-mark=games-out parent=out priority=2 queue=default
add limit-at=90k max-limit=650k name=http-out packet-mark=http-out parent=out priority=4 queue=default
add limit-at=90k max-limit=650k name=streaming-video-out packet-mark=streaming-video-out parent=out priority=3 queue=default
add limit-at=512k max-limit=6400k name=voip-in packet-mark=voip-in parent=in priority=1 queue=default
add limit-at=512k max-limit=6400k name=vpn-in packet-mark=vpn-in parent=in priority=2 queue=default
add limit-at=200k max-limit=650k name=voip-out packet-mark=voip-out parent=out priority=1 queue=default
add limit-at=90k max-limit=650k name=vpn-out packet-mark=vpn-out parent=out priority=2 queue=default
add limit-at=512k max-limit=6400k name=admin-in packet-mark=admin-in parent=in priority=1 queue=default
add limit-at=50k max-limit=650k name=admin-out packet-mark=admin-out parent=out priority=1 queue=default

/interface bridge port
add bridge=bridge-local interface=ether02
add bridge=bridge-local interface=ether03
add bridge=bridge-local interface=ether04
add bridge=bridge-local disabled=yes interface=ether05
add bridge=bridge-local interface=ether06-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1

/ip address
add address=192.168.1.1/24 comment="default configuration" interface=sfp1 network=192.168.1.0
add address=192.168.1.1/24 interface=wlan1 network=192.168.1.0

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,142.161.2.18

/ip dns static
add address=192.168.88.1 name=router

/ip firewall address-list
add address=192.168.0.0/24 list=support 
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons 
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
add address=10.0.0.0/24 list=support
add address=192.168.5.0/24 list=support
add address=192.168.1.0/24 list=internal-nets
add address=10.0.0.0/8 list=internal-nets

/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add chain=input comment="default configuration\ \nAllow ICMP" protocol=icmp
add chain=input comment="default configuration\ \nAllow Established connections" connection-state=established
add chain=input comment="default configuration\ \nAllow related connections" connection-state=related
add chain=input comment="Accept incoming on Port 80 (HTTP)" in-interface=all-ppp port=80 protocol=tcp
add chain=input comment="Allow inputs not from WAN" in-interface=!all-ppp src-address=192.168.1.0/24
add chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="default configuration" in-interface=ether01-gateway
add action=drop chain=input comment="Drop incoming on Port 80 (HTTP)" disabled=yes in-interface=all-ppp port=80 protocol=tcp
add action=drop chain=input comment="Drop DNS incoming on PPP connections" dst-port=53 in-interface=all-ppp protocol=tcp
add action=drop chain=input comment="Drop DNS incoming on PPP connections" dst-port=53 in-interface=all-ppp protocol=udp
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop everything else"
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add chain=ICMP comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=ICMP comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=ICMP comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add chain=ICMP comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=ICMP comment="allow echo request" icmp-options=8:0 protocol=icmp
add chain=ICMP comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment="Path MTU Discovery" icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="deny all other types"
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp

/ip firewall mangle
add action=mark-packet chain=prerouting comment="internal-traffic packet mark" dst-address-list=internal-nets new-packet-mark=internal-traffic passthrough=no src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" in-interface=pppoe-out1 new-packet-mark=admin-in passthrough=no protocol=udp src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" dst-port=161 in-interface=pppoe-out1 new-packet-mark=admin-in passthrough=no protocol=udp
add action=mark-connection chain=prerouting comment="Remote Protocols admin connection mark" new-connection-mark=admin port=20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment="icmp connection mark as admin" new-connection-mark=admin protocol=icmp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" connection-mark=admin in-interface=pppoe-out1 new-packet-mark=admin-in passthrough=no
add action=mark-packet chain=prerouting comment="admin-out packet mark" connection-mark=admin new-packet-mark=admin-out passthrough=no
add action=mark-connection chain=prerouting comment="streaming video connection mark" dst-port=80 layer7-protocol=video new-connection-mark=streaming-video protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="streaming video in packet mark" connection-mark=streaming-video in-interface=pppoe-out1 new-packet-mark=streaming-video-in passthrough=no
add action=mark-packet chain=prerouting comment="streaming video out packet mark" connection-mark=streaming-video new-packet-mark=streaming-video-out passthrough=no
add action=mark-connection chain=prerouting comment="http traffic connection mark" dst-port=80,443 new-connection-mark=http protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="http traffic connection mark" connection-bytes=5000000-4294967295 dst-port=80,443 new-connection-mark=http-download protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="http in packet mark" connection-mark=http in-interface=pppoe-out1 new-packet-mark=http-in passthrough=no 
add action=mark-packet chain=prerouting comment="http out packet mark" connection-mark=http new-packet-mark=http-out passthrough=no
add action=mark-connection chain=prerouting comment="wow connection mark as gaming" dst-port=1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="wot connection mark as gaming" dst-port=5222 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="eve online connection mark as gaming" dst-address=87.237.38.200 new-connection-mark=games src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="starcraft 2 connection mark as gaming" dst-port=1119 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="heros of newerth connection mark as gaming" dst-port=11031,11235-11335 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="steam connection mark as gaming" dst-port=27014-27050 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="xbox live connection mark as gaming" dst-port=3074 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="ps3 online connection mark as gaming" dst-port=5223 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="wii online connection mark as gaming" dst-port=28910,29900,29901,29920 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="games packet mark wow" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment="games packet mark wot" dst-port=53,3432,9987,30443,32800-32900 new-packet-mark=games-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="games packet mark wot" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=53,3432,9987,30443,32800-32900
add action=mark-packet chain=prerouting comment="games packet mark starcraft2" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
add action=mark-packet chain=prerouting comment="games packet mark HoN" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=11031,11235-11335
add action=mark-packet chain=prerouting comment="games packet mark steam in" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no port=4380,28960,27000-27030 protocol=udp
add action=mark-packet chain=prerouting comment="games packet mark steam out" dst-port=53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 new-packet-mark=games-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment="games packet mark ps3 online" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=3478,3479,3658
add action=mark-packet chain=prerouting comment="games packet mark in" connection-mark=games in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no 
add action=mark-packet chain=prerouting comment="games packet mark out" connection-mark=games new-packet-mark=games-out passthrough=no
add action=mark-packet chain=prerouting comment="voip-in packet mark teamspeak" in-interface=pppoe-out1 new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment="voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-out packet mark teamspeak" in-interface=pppoe-out1 new-packet-mark=voip-out passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" in-interface=pppoe-out1 new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" in-interface=pppoe-out1 new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out passthrough=no protocol=tcp src-address-list=internal-nets 
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" in-interface=pppoe-out1 new-packet-mark=voip-in passthrough=no port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" new-packet-mark=voip-out passthrough=no port=5060 protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" in-interface=pppoe-out1 new-packet-mark=voip-in passthrough=no port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment="voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=no port=5004,5060 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" in-interface=pppoe-out1 new-packet-mark=voip-in packet-size=100-400 passthrough=no port=16348-32768 protocol=udp
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-out packet-size=100-400 passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" in-interface=pppoe-out1 new-packet-mark=vpn-in passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" new-packet-mark=vpn-out passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" in-interface=pppoe-out1 new-packet-mark=vpn-in passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" new-packet-mark=vpn-out passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-in packet mark VPN UDP ports" in-interface=pppoe-out1 new-packet-mark=vpn-in passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" in-interface=pppoe-out1 new-packet-mark=vpn-in passthrough=no protocol=tcp src-port=1723
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" new-packet-mark=vpn-out passthrough=no protocol=tcp src-port=1723 
add action=mark-packet chain=prerouting comment="all in" in-interface=pppoe-out1 new-packet-mark=in passthrough=no
add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=all-ppp to-addresses=0.0.0.0

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes

/ip upnp
set enabled=yes

/ip upnp interfaces
add interface=pppoe-out1 type=external
add interface=bridge-local type=internal

/lcd interface
set sfp1 interface=sfp1
set ether01-gateway interface=ether01-gateway
set ether02 interface=ether02
set ether03 interface=ether03
set ether04 interface=ether04
set ether05 interface=ether05
set ether06-master-local interface=ether06-master-local
set ether07-slave-local interface=ether07-slave-local
set ether08-slave-local interface=ether08-slave-local
set ether09-slave-local interface=ether09-slave-local
set ether10-slave-local interface=ether10-slave-local
set wlan1 interface=wlan1

/system clock
set time-zone-name=America/Winnipeg 

/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk

/system ntp client
set enabled=yes mode=unicast primary-ntp=198.50.239.53 secondary-ntp=66.96.30.35

/system watchdog
set watch-address=8.8.8.8 watchdog-timer=no

/tool graphing interface
add interface=pppoe-out1
add interface=ether04
add interface=ether02
add interface=ether03
add interface=ether05

/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether02
add interface=ether03
add interface=ether04
add interface=ether05
add interface=ether06-master-local
add interface=ether07-slave-local
add interface=ether08-slave-local
add interface=ether09-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local

/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether02
add interface=ether03
add interface=ether04
add interface=ether05
add interface=ether06-master-local
add interface=ether07-slave-local
add interface=ether08-slave-local
add interface=ether09-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Re: Hello all,

Wed Sep 17, 2014 6:32 am

[quote="mrphreak"]Needed to be able to read it a bit clearer, now my eyes are bleeding.[/quote]

Thanks very much, haha sorry for your eyes!

Can anyone help me out?
 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Re: Hello all,

Mon Sep 22, 2014 5:38 am

Bump
 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Re: Hello all,

Mon Oct 06, 2014 11:24 pm

Bump x 2.

No help available on this forum? Why not?
 
mrphreak
newbie
Posts: 38
Joined: Tue Jan 24, 2012 11:37 pm

Re: Hello all,

Tue Oct 07, 2014 2:45 am

Which mangle rules are you having problems with specifically??
 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Re: Hello all,

Tue Oct 14, 2014 4:11 am

[quote="mrphreak"]Which mangle rules are you having problems with specifically??[/quote]
Hey Thanks very much for your reply,

These ones have connection bytes in red, with no value in "connection bytes", and appear to be working fine:

add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" in-interface=pppoe-out1 new-packet-mark=admin-in passthrough=no protocol=udp src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" dst-port=161 in-interface=pppoe-out1 new-packet-mark=admin-in passthrough=no protocol=udp
add action=mark-connection chain=prerouting comment="Remote Protocols admin connection mark" new-connection-mark=admin port=20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment="streaming video connection mark" dst-port=80 layer7-protocol=video new-connection-mark=streaming-video protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="http traffic connection mark" dst-port=80,443 new-connection-mark=http protocol=tcp src-address-list=internal-nets

This one has connection bytes in red, with the value of 5000000-4294967295, and does not appear to be working:

add action=mark-connection chain=prerouting comment="http traffic connection mark" connection-bytes=5000000-4294967295 dst-port=80,443 new-connection-mark=http-download protocol=tcp src-address-list=internal-nets

These have connection bytes red, no value in connection bytes, and appear to be working correctly:

add action=mark-connection chain=prerouting comment="wow connection mark as gaming" dst-port=1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="wot connection mark as gaming" dst-port=5222 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="starcraft 2 connection mark as gaming" dst-port=1119 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="heros of newerth connection mark as gaming" dst-port=11031,11235-11335 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="steam connection mark as gaming" dst-port=27014-27050 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="xbox live connection mark as gaming" dst-port=3074 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="ps3 online connection mark as gaming" dst-port=5223 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="wii online connection mark as gaming" dst-port=28910,29900,29901,29920 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="games packet mark wow" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment="games packet mark wot" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=53,3432,9987,30443,32800-32900
add action=mark-packet chain=prerouting comment="games packet mark starcraft2" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
add action=mark-packet chain=prerouting comment="games packet mark HoN" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=11031,11235-11335
add action=mark-packet chain=prerouting comment="games packet mark steam in" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no port=4380,28960,27000-27030 protocol=udp
add action=mark-packet chain=prerouting comment="games packet mark steam out" dst-port=53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 new-packet-mark=games-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment="games packet mark ps3 online" in-interface=pppoe-out1 new-packet-mark=games-in passthrough=no protocol=udp src-port=3478,3479,3658
add action=mark-packet chain=prerouting comment="voip-in packet mark teamspeak" in-interface=pppoe-out1 new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment="voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-out packet mark teamspeak" in-interface=pppoe-out1 new-packet-mark=voip-out passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" in-interface=pppoe-out1 new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" in-interface=pppoe-out1 new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out passthrough=no protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" in-interface=pppoe-out1 new-packet-mark=voip-in passthrough=no port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" new-packet-mark=voip-out passthrough=no port=5060 protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" in-interface=pppoe-out1 new-packet-mark=voip-in passthrough=no port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment="voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=no port=5004,5060 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" in-interface=pppoe-out1 new-packet-mark=voip-in packet-size=100-400 passthrough=no port=16348-32768 protocol=udp
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-out packet-size=100-400 passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="vpn-in packet mark VPN UDP ports" in-interface=pppoe-out1 new-packet-mark=vpn-in passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" in-interface=pppoe-out1 new-packet-mark=vpn-in passthrough=no protocol=tcp src-port=1723
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" new-packet-mark=vpn-out passthrough=no protocol=tcp src-port=1723

All the other ones have connection bytes in black, with no value.
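
A consistency check over the mangle and queue tree sections of an export like the one posted above, added here as an example (it is not part of the thread and not a RouterOS tool): it lists connection marks that are set but never matched by a `connection-mark=` rule, and packet marks that no queue tree entry consumes. The sample lines are copied from the export in this thread; the function names `parse_export` and `audit_marks` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the export posted in this thread,
# trimmed to the HTTP-related mangle rules and the queue tree entries they feed.
SAMPLE_EXPORT = r'''
/queue tree
add max-limit=6400k name=in parent=global queue=default
add max-limit=650k name=out parent=global queue=default
add limit-at=512k max-limit=6400k name=http-in packet-mark=http-in parent=in priority=4 queue=default
add limit-at=90k max-limit=650k name=http-out packet-mark=http-out parent=out priority=4 queue=default
add max-limit=6400k name=download-in packet-mark=in parent=in queue=default
add max-limit=650k name=upload-out packet-mark=out parent=out queue=default
/ip firewall mangle
add action=mark-connection chain=prerouting comment="http traffic connection mark" dst-port=80,443 new-connection-mark=http protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="http traffic connection mark" connection-bytes=5000000-4294967295 dst-port=80,443 new-connection-mark=http-download protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="http in packet mark" connection-mark=http in-interface=pppoe-out1 new-packet-mark=http-in passthrough=no
add action=mark-packet chain=prerouting comment="http out packet mark" connection-mark=http new-packet-mark=http-out passthrough=no
add action=mark-packet chain=prerouting comment="all in" in-interface=pppoe-out1 new-packet-mark=in passthrough=no
add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out passthrough=no
'''

# key=value pairs; a value is either a double-quoted string or a run of non-space characters.
PAIR = re.compile(r'([A-Za-z0-9-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Return {section path: [properties dict per 'add' line]}."""
    # Exports wrap long lines with a trailing backslash; join them first.
    text = re.sub(r'\\\r?\n\s*', '', text)
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            current = line
            continue
        if current and line.startswith('add '):
            props = {k: v.strip('"') for k, v in PAIR.findall(line)}
            sections[current].append(props)
    return sections


def audit_marks(text):
    """Cross-check marks set in mangle against the rules and queues that use them.

    Scope of this example: only '/ip firewall mangle' and '/queue tree' are read.
    Marks consumed elsewhere (filter, NAT, simple queues) are not considered.
    """
    sections = parse_export(text)
    mangle = sections.get('/ip firewall mangle', [])
    tree = sections.get('/queue tree', [])

    conn_set = {r['new-connection-mark'] for r in mangle if 'new-connection-mark' in r}
    conn_used = {r['connection-mark'].lstrip('!') for r in mangle if 'connection-mark' in r}
    pkt_set = {r['new-packet-mark'] for r in mangle if 'new-packet-mark' in r}
    pkt_queued = set()
    for q in tree:
        pkt_queued.update(m for m in q.get('packet-mark', '').split(',') if m)

    return {
        'connection_marks_never_matched': sorted(conn_set - conn_used),
        'packet_marks_without_queue': sorted(pkt_set - pkt_queued),
        'queues_without_marking_rule': sorted(pkt_queued - pkt_set),
    }


if __name__ == '__main__':
    for finding, names in audit_marks(SAMPLE_EXPORT).items():
        print(f'{finding}: {names}')
```

On the sample it reports `http-download` as a connection mark that no later rule matches; that is the mark set by the `connection-bytes=5000000-4294967295` rule.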
 
lcm
Trainer
Posts: 57
Joined: Wed Apr 28, 2010 11:56 pm
Location: Brazil

Re: Hello all,

Tue Oct 14, 2014 5:02 am

interface pppoe-out1 is UP?
 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Re: Hello all,

Sun Oct 19, 2014 12:59 am

[quote="lcm"]interface pppoe-out1 is UP?[/quote]
If you mean connected by up, then yes it is up.

Thanks
 
enigmatic1
just joined
Topic Author
Posts: 11
Joined: Wed Sep 10, 2014 11:25 am

Re: Hello all,

Thu Oct 30, 2014 11:13 pm

Anyone? janisk? I have had this problem for a long time, and had it posted in the forum for 49 days now.

Also, why does the quick setup page always revert to static address acquisition?
 
gaso
just joined
Posts: 18
Joined: Thu Sep 15, 2011 11:16 pm

Re: Hello all,

Wed Jan 13, 2016 2:29 pm

I have the same error, I am unable to put anything in connection-bytes except 0.
I get an invalid value error, it doesn't accept the 5000000-0 value. ROS v6.33.3
