hazemamer7
newbie
Topic Author
Posts: 28
Joined: Mon May 03, 2010 5:58 am
Location: Egypt

learn how to Shape Download Traffic only & leave Browsing

Fri Jun 11, 2010 5:40 am

This is a way to separate downloads from browsing: give the user, for example, 64 Kb/sec for downloads, but when he browses the internet and surfs web sites he gets the entire network speed, for example 4 Mb/sec.

We took 64 kb just as an example; you can change it to whatever you want.

/ip firewall layer7-protocol
add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .rar \"" regexp="\\.(rar)"
add comment="" name="Extension \" .zip \"" regexp="\\.(zip)"
add comment="" name="Extension \" .7z \"" regexp="\\.(7z)"
add comment="" name="Extension \" .cab \"" regexp="\\.(cab)"
add comment="" name="Extension \" .asf \"" regexp="\\.(asf)"
add comment="" name="Extension \" .mov \"" regexp="\\.(mov)"
add comment="" name="Extension \" .wmv \"" regexp="\\.(wmv)"
add comment="" name="Extension \" .mpg \"" regexp="\\.(mpg)"
add comment="" name="Extension \" .mpeg \"" regexp="\\.(mpeg)"
add comment="" name="Extension \" .mkv \"" regexp="\\.(mkv)"
add comment="" name="Extension \" .avi \"" regexp="\\.(avi)"
add comment="" name="Extension \" .flv \"" regexp="\\.(flv)"
add comment="" name="Extension \" .pdf \"" regexp="\\.(pdf)"
add comment="" name="Extension \" .wav \"" regexp="\\.(wav)"
add comment="" name="Extension \" .rm \"" regexp="\\.(rm)"
add comment="" name="Extension \" .mp3 \"" regexp="\\.(mp3)"
add comment="" name="Extension \" .mp4 \"" regexp="\\.(mp4)"
add comment="" name="Extension \" .ram \"" regexp="\\.(ram)"
add comment="" name="Extension \" .rmvb \"" regexp="\\.(rmvb)"
add comment="" name="Extension \" .dat \"" regexp="\\.(dat)"
add comment="" name="Extension \" .daa \"" regexp="\\.(daa)"
add comment="" name="Extension \" .iso \"" regexp="\\.(iso)"
add comment="" name="Extension \" .nrg \"" regexp="\\.(nrg)"
add comment="" name="Extension \" .bin \"" regexp="\\.(bin)"
add comment="" name="Extension \" .vcd \"" regexp="\\.(vcd)"
add comment="" name="Extension \" .wma \"" regexp="\\.(wma)"

/ip firewall mangle
add action=mark-connection chain=prerouting comment="7z DOWNS" disabled=no layer7-protocol="Extension \" .7z \"" new-connection-mark="7z DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="7z DOWNS" disabled=no new-packet-mark=7z passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="asf DOWNS" disabled=no layer7-protocol="Extension \" .asf \"" new-connection-mark="asf DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="asf DOWNS" disabled=no new-packet-mark=asf passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="avi DOWNS" disabled=no layer7-protocol="Extension \" .avi \"" new-connection-mark="avi DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="avi DOWNS" disabled=no new-packet-mark=avi passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="bin DOWNS" disabled=no layer7-protocol="Extension \" .bin \"" new-connection-mark="bin DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="bin DOWNS" disabled=no new-packet-mark=bin passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="flv DOWNS" disabled=no layer7-protocol="Extension \" .flv \"" new-connection-mark="flv DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="flv DOWNS" disabled=no new-packet-mark=flv passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="iso DOWNS" disabled=no layer7-protocol="Extension \" .iso \"" new-connection-mark="iso DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="iso DOWNS" disabled=no new-packet-mark=iso passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mkv DOWNS" disabled=no layer7-protocol="Extension \" .mkv \"" new-connection-mark="mkv DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mkv DOWNS" disabled=no new-packet-mark=mkv passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="exe DOWNS" disabled=no layer7-protocol="Extension \" .exe \"" new-connection-mark="exe DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="exe DOWNS" disabled=no new-packet-mark=exe passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mov DOWNS" disabled=no layer7-protocol="Extension \" .mov \"" new-connection-mark="mov DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mov DOWNS" disabled=no new-packet-mark=mov passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mp3 DOWNS" disabled=no layer7-protocol="Extension \" .mp3 \"" new-connection-mark="mp3 DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mp3 DOWNS" disabled=no new-packet-mark=mp3 passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mp4 DOWNS" disabled=no layer7-protocol="Extension \" .mp4 \"" new-connection-mark="mp4 DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mp4 DOWNS" disabled=no new-packet-mark=mp4 passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mpeg DOWNS" disabled=no layer7-protocol="Extension \" .mpeg \"" new-connection-mark="mpeg DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mpeg DOWNS" disabled=no new-packet-mark=mpeg passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="mpg DOWNS" disabled=no layer7-protocol="Extension \" .mpg \"" new-connection-mark="mpg DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="mpg DOWNS" disabled=no new-packet-mark=mpg passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="nrg DOWNS" disabled=no layer7-protocol="Extension \" .nrg \"" new-connection-mark="nrg DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="nrg DOWNS" disabled=no new-packet-mark=nrg passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="pdf DOWNS" disabled=no layer7-protocol="Extension \" .pdf \"" new-connection-mark="pdf DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="pdf DOWNS" disabled=no new-packet-mark=pdf passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="ram DOWNS" disabled=no layer7-protocol="Extension \" .ram \"" new-connection-mark="ram DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="ram DOWNS" disabled=no new-packet-mark=ram passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="rar DOWNS" disabled=no layer7-protocol="Extension \" .rar \"" new-connection-mark="rar DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="rar DOWNS" disabled=no new-packet-mark=rar passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="rm DOWNS" disabled=no layer7-protocol="Extension \" .rm \"" new-connection-mark="rm DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="rm DOWNS" disabled=no new-packet-mark=rm passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="rmvb DOWNS" disabled=no layer7-protocol="Extension \" .rmvb \"" new-connection-mark="rmvb DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="rmvb DOWNS" disabled=no new-packet-mark=rmvb passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="wav DOWNS" disabled=no layer7-protocol="Extension \" .wav \"" new-connection-mark="wav DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="wav DOWNS" disabled=no new-packet-mark=wav passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="wma DOWNS" disabled=no layer7-protocol="Extension \" .wma \"" new-connection-mark="wma DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="wma DOWNS" disabled=no new-packet-mark=wma passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="wmv DOWNS" disabled=no layer7-protocol="Extension \" .wmv \"" new-connection-mark="wmv DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="wmv DOWNS" disabled=no new-packet-mark=wmv passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="zip DOWNS" disabled=no layer7-protocol="Extension \" .zip \"" new-connection-mark="zip DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="zip DOWNS" disabled=no new-packet-mark=zip passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="youtube DOWNS" disabled=no layer7-protocol="YouTube " new-connection-mark="youtube DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="youtube DOWNS" disabled=no new-packet-mark=youtube passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="daa DOWNS" disabled=no layer7-protocol="Extension \" .daa \"" new-connection-mark="daa DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="daa DOWNS" disabled=no new-packet-mark=daa passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="dat DOWNS" disabled=no layer7-protocol="Extension \" .dat \"" new-connection-mark="dat DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="dat DOWNS" disabled=no new-packet-mark=dat passthrough=no protocol=tcp


add action=mark-connection chain=prerouting comment="vcd DOWNS" disabled=no layer7-protocol="Extension \" .vcd \"" new-connection-mark="vcd DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="vcd DOWNS" disabled=no new-packet-mark=vcd passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment="cab DOWNS" disabled=no layer7-protocol="Extension \" .cab \"" new-connection-mark="cab DOWNS" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="cab DOWNS" disabled=no new-packet-mark=cab passthrough=no protocol=tcp

/queue type
set default-small kind=pcq name=default-small pcq-classifier=src-address,dst-address,src-port,dst-port pcq-limit=50 pcq-rate=0 pcq-total-limit=2000

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no max-limit=1M name=Download_queue packet-mark="exe,flv,rar,zip,7z,bin,mp3,mp4,wav,pdf,asf,avi,mov,wmv,mpg,mpeg,rm,iso,nrg,daa,vcd,cab,3gp,ram,rmvb,mkv,wma,youtube" parent=global-out priority=8 queue=default-small

This shapes download + upload to only 1 Mb/sec for the whole network.

If you want to shape download only, you can use this rule in the layer7 regexp, for example:

/ip firewall layer7-protocol
add comment="" name="Extension \" .exe \"" regexp="^.*get.+\\.exe.*\$"


and apply it to the rest of the extensions.


If you want to shape upload only, use this code in layer7:


/ip firewall layer7-protocol
add comment="" name="Extension \" .exe \"" regexp="^.*set.+\\.exe.*\$"


********************************************************************

You can also shape download traffic to 64 kb for one IP, such as 192.168.0.2, using a simple queue instead of a queue tree, like this:


/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=1M/1M max-limit=1M/1M name="download max" packet-marks=exe,flv,rar,zip,7z,bin,mp3,mp4,wav,pdf,asf,avi,mov,wmv,mpg,mpeg,rm,iso,nrg,daa,vcd,cab,3gp,ram,rmvb,mkv,wma,youtube parent=none priority=8 queue=default-small/default-small total-queue=default-small

and then set 64 Kb as the speed for the specified user in this parent group, referring to the first rule as its parent, like this:

add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=64k/64k max-limit=64k/64k name="User \" 192.168.0.2 \"" parent="download max" priority=8 queue=default-small/default-small target-addresses=192.168.0.2/32 total-queue=default-small


Using this we can shape the download traffic of IP 192.168.0.2 to 64 Kb, or whatever speed we want for the client.



The only problem is that this code does not work with load-balanced ADSL lines.
Is there any way to make it work?
If anyone knows how to do both load balancing and download shaping, please tell us.


Notice: all code above was applied on MikroTik RouterOS version 3.3.
Last edited by hazemamer7 on Wed Jul 21, 2010 5:02 am, edited 3 times in total.
 
kazanova
Member
Posts: 406
Joined: Tue Sep 06, 2005 11:52 am

Re: learn how to Shape Download Traffic only & leave Browsin

Sat Jun 12, 2010 7:12 pm

any comment in this post :D
 
lukkes
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela
Contact:

Re: learn how to Shape Download Traffic only & leave Browsin

Sat Jun 12, 2010 8:22 pm

Very good job. What about the CPU resources? How many clients have you tested it with?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: learn how to Shape Download Traffic only & leave Browsin

Sat Jun 12, 2010 9:15 pm

Very good job. What about the CPU resources? How many clients have you tested it with?
I'd be concerned about that, too.

The configuration can be significantly optimized:

- There's no need for passthrough=yes on all those mark-connection rules, as a connection already identified as downloading a 7z file doesn't need to undergo checks on whether it's downloading an EXE file.
- You should also put a rule that checks if there's already a connection mark at the very top, so that an already identified connection (from an earlier packet) is never checked again (connection-mark=!no-mark action=accept). Layer 7 scanning for a regex is pretty much the most expensive thing you could do, so you should do it as little as possible.
- There's also no need to do this for anything but HTTP traffic; it'll be rare that that happens outside of tcp/80, tcp/3128, tcp/8080 and tcp/8888, and it's probably worth missing a few connections in exchange for not scanning absolutely everything.
- Lastly, start out with the rules in alphabetical order, but make sure to watch the packet counters and sort them so that the most often hit rules come first.

As an example for three file extensions:
/ip firewall mangle
add chain=prerouting action=jump jump-target=markL7packet connection-mark=!no-mark
add chain=prerouting action=jump jump-target=markL7conn protocol=tcp dst-port=80,3128,8080,8888

add action=mark-connection chain=markL7conn comment="mpeg DOWNS" disabled=no layer7-protocol="Extension \" .mpeg \"" new-connection-mark="mpeg DOWNS" passthrough=no
add action=mark-connection chain=markL7conn comment="mpg DOWNS" disabled=no layer7-protocol="Extension \" .mpg \"" new-connection-mark="mpg DOWNS" passthrough=no
add action=mark-connection chain=markL7conn comment="nrg DOWNS" disabled=no layer7-protocol="Extension \" .nrg \"" new-connection-mark="nrg DOWNS" passthrough=no

add action=mark-packet chain=markL7packet connection-mark="mpeg DOWNS" disabled=no new-packet-mark=mpeg passthrough=no
add action=mark-packet chain=markL7packet connection-mark="mpg DOWNS" disabled=no new-packet-mark=mpg passthrough=no
add action=mark-packet chain=markL7packet connection-mark="nrg DOWNS" disabled=no new-packet-mark=nrg passthrough=no
The packet on which the connection is identified won't be marked and thus won't be rate limited, but that's one packet and for a download of a larger file that's going to be insignificant. You'll still want to order the rules with highest hit count first after running for a while.
 
kazanova
Member
Posts: 406
Joined: Tue Sep 06, 2005 11:52 am

Re: learn how to Shape Download Traffic only & leave Browsin

Sun Jun 20, 2010 9:15 pm

add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .exe \"" regexp="\\.(zip)"

Question: can we make it one line,
to add two extensions together?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: learn how to Shape Download Traffic only & leave Browsin

Tue Jun 22, 2010 5:47 pm

add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .exe \"" regexp="\\.(zip)"

Question: can we make it one line,
to add two extensions together?
try

add name="ExtensionZ" regexp="\\.(zip|exe)"
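As an added example (not code from the thread or from MikroTik), the Python script below generates a RouterOS configuration that combines Chupaka's merged alternation with the structure fewi describes earlier in the thread: a short-circuit for connections that already carry a mark, a layer7 scan only on plain-HTTP ports, and passthrough=no on every marking rule. It also handles the console quoting that matters when a pattern is typed by hand: inside a RouterOS quoted string a backslash must be doubled and a dollar sign escaped, so the regex \.(zip|exe) is entered as "\\.(zip|exe)". The chain names markL7conn and markL7packet are fewi's; the group names, the single "dl" packet mark, the queue name and the port list are illustrative assumptions.

```python
import re

# Added example, not from the thread: emit RouterOS CLI text for layer7-based
# download marking. Chain names follow fewi's post; the group names, the "dl"
# packet mark, the queue name and HTTP_PORTS are illustrative choices.

HTTP_PORTS = "80,3128,8080,8888"


def routeros_quote(text: str) -> str:
    """Quote a value for the RouterOS console.

    Backslash, double quote and dollar are escape characters inside a quoted
    string, so the regex \\.(exe) must be entered as "\\\\.(exe)" and a
    trailing $ as \\$ (the form the exports in the thread show).
    """
    escaped = text.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")
    return f'"{escaped}"'


def merged_regex(extensions) -> str:
    """One alternation for all extensions (Chupaka's \\.(zip|exe) form)."""
    return r"\.(" + "|".join(re.escape(e) for e in extensions) + ")"


def build_config(groups: dict, packet_mark: str = "dl") -> str:
    """Return RouterOS CLI text for a {layer7-name: [extensions]} map."""
    lines = ["/ip firewall layer7-protocol"]
    for name, exts in groups.items():
        lines.append(f"add name={name} regexp={routeros_quote(merged_regex(exts))}")

    lines += [
        "",
        "/ip firewall mangle",
        # Already-classified connections skip the regex scan entirely.
        "add chain=prerouting action=jump jump-target=markL7packet connection-mark=!no-mark",
        # Only plain-HTTP ports are scanned; HTTPS payloads are opaque anyway.
        f"add chain=prerouting action=jump jump-target=markL7conn protocol=tcp dst-port={HTTP_PORTS}",
    ]
    # passthrough=no: the first matching rule ends mangle processing for that packet.
    for name in groups:
        lines.append(
            f"add chain=markL7conn action=mark-connection layer7-protocol={name} "
            f"new-connection-mark={name}-conn passthrough=no"
        )
    for name in groups:
        lines.append(
            f"add chain=markL7packet action=mark-packet connection-mark={name}-conn "
            f"new-packet-mark={packet_mark} passthrough=no"
        )
    lines += [
        "",
        "/queue tree",
        # One queue for every marked download, like the Download_queue in the first post.
        f"add name=downloads parent=global-out packet-mark={packet_mark} max-limit=1M queue=default-small",
    ]
    return "\n".join(lines)


EXAMPLE_GROUPS = {
    "ext-archive": ["exe", "rar", "zip", "7z", "iso"],
    "ext-video": ["avi", "mkv", "mp4", "flv"],
}

if __name__ == "__main__":
    print(build_config(EXAMPLE_GROUPS))
```

Paste the printed text into the console of a router that has no conflicting mangle rules; after some traffic, check the counters of the markL7conn rules and reorder the groups so the most-hit one comes first, as fewi advises.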
 
hazemamer7
newbie
Topic Author
Posts: 28
Joined: Mon May 03, 2010 5:58 am
Location: Egypt

Re: learn how to Shape Download Traffic only & leave Browsin

Wed Jul 21, 2010 4:04 am

The packet on which the connection is identified won't be marked and thus won't be rate limited, but that's one packet and for a download of a larger file that's going to be insignificant. You'll still want to order the rules with highest hit count first after running for a while.

Eng: fewi sorry correction has been made to the code try it again
 
eghtedari2000
Frequent Visitor
Posts: 85
Joined: Tue Aug 11, 2009 10:11 am

Re: learn how to Shape Download Traffic only & leave Browsin

Thu Jan 06, 2011 8:27 am

add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .exe \"" regexp="\\.(zip)"

Question: can we make it one line,
to add two extensions together?
try

add name="ExtensionZ" regexp="\\.(zip|exe)"
 
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Re: learn how to Shape Download Traffic only & leave Browsin

Fri Sep 14, 2012 11:33 pm

add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .exe \"" regexp="\\.(zip)"

Question: can we make it one line,
to add two extensions together?
try

add name="ExtensionZ" regexp="\\.(zip|exe)"
Doesn't work... Is there any way to merge the whole list of extensions into one line?
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: learn how to Shape Download Traffic only & leave Browsin

Sat Jul 06, 2013 9:52 am

Yeah, old topic, but I have this question too. What is the answer? Is it possible to merge all extensions into one line? :-?
 
hazemamer7
newbie
Topic Author
Posts: 28
Joined: Mon May 03, 2010 5:58 am
Location: Egypt

Re: learn how to Shape Download Traffic only & leave Browsin

Tue Nov 05, 2013 7:01 am

Mr dreamrider, Samsoft08 and kazanova:
about your question whether we can add all extensions in one line, I say:

yes, it can be done,
and here it is:


/ip firewall layer7-protocol
add name=test regexp="^(.*)(.exe|.rar|.zip|.7z|.iso|.nrg|.daa|.dat|.vcd|.flv|.mp4|.mov|.avi|.asf|.mpg|.mpeg|.wmv|.ra|.rar|.mp3|.wav|.ram|.rmvb|.mkv|.cab|.chm|.ctf|.flg)(.*)\\\$|videoplayback"


Test this and tell me. You know of course what to do with mangle: it's just one mangle rule for all extensions. I added each extension on its own line because it was my first time discovering an L7 code that can detect downloadable files.

This one line is from Mahmoud Abo Aldahab's efforts,
and there is another code that puts the extensions in three separate L7 lines:


\.(exe)|\.(rar)|\.(zip)|\.(7z)|\.(iso)|\.(nrg)|\.(daa)|\.(dat)|\.(vcd)


\.(flv)|\.(mp4)|\.(mov)|\.(avi)|\.(asf)|\.(mpg)|\.(mpeg)|\.(wmv)


\.(ra)|\.(mp3)|\.(wav)|\.(ram)|\.(rmvb)|\.(mkv)|videoplayback


And of course, if you use three lines you have to make one mangle rule for each L7 rule. Good luck to all.
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: learn how to Shape Download Traffic only & leave Browsin

Tue Nov 05, 2013 10:04 am

@hazemamer7
/ip firewall layer7-protocol
add name=test regexp="^(.*)(.exe|.rar|.zip|.7z|.iso|.nrg|.daa|.dat|.vcd|.flv|.mp4|.mov|.avi|.asf|.mpg|.mpeg|.wmv|.ra|.rar|.mp3|.wav|.ram|.rmvb|.mkv|.cab|.chm|.ctf|.flg)(.*)\\\$|videoplayback"
In the first minutes of testing: YouTube watching is blocked, *.rar downloading is blocked, *.mp4 downloading from YouTube is allowed, this forum is blocked :) Will continue to test. Thanks.
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: learn how to Shape Download Traffic only & leave Browsin

Tue Nov 05, 2013 10:05 am

This will block everything, not just file extensions. It will block any page that mentions ".dat" in its text, not just the downloads.
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: learn how to Shape Download Traffic only & leave Browsin

Tue Nov 05, 2013 10:18 am

It will block any page that mentions ".dat" in its text, not just the downloads.
I begin to understand; tests continue... But why is downloading *.mp4 from YouTube allowed? The extension *.mp4 is present in the rule text.
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: learn how to Shape Download Traffic only & leave Browsin

Tue Nov 05, 2013 10:19 am

It will block any page that mentions ".dat" in its text, not just the downloads.
I begin to understand; tests continue... But why is downloading *.mp4 from YouTube allowed? The extension *.mp4 is present in the rule text.
Could be that YouTube works over HTTPS; then you will not see the contents of the page, it's encrypted.
 
hazemamer7
newbie
Topic Author
Posts: 28
Joined: Mon May 03, 2010 5:58 am
Location: Egypt

Re: learn how to Shape Download Traffic only & leave Browsin

Thu Nov 14, 2013 2:45 pm

Test this and tell me


\.(exe)|\.(rar)|\.(zip)|\.(7z)|\.(iso)|\.(nrg)|\.(daa)|\.(dat)|\.(vcd)


\.(flv)|\.(mp4)|\.(mov)|\.(avi)|\.(asf)|\.(mpg)|\.(mpeg)|\.(wmv)


\.(ra)|\.(mp3)|\.(wav)|\.(ram)|\.(rmvb)|\.(mkv)|videoplayback


And of course each layer7 code line needs one mangle rule to mark the packets for the queues.
Test and tell me, and if it still doesn't work I can provide you with a video proving that it works.
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: learn how to Shape Download Traffic only & leave Browsin

Sun Nov 17, 2013 7:42 pm

@ hazemamer7
Can you write the complete code for at least one line? The beginning, I mean, with regexp=, or whatever else is needed.
Thank you!
 
hazemamer7
newbie
Topic Author
Posts: 28
Joined: Mon May 03, 2010 5:58 am
Location: Egypt

Re: learn how to Shape Download Traffic only & leave Browsin

Sat Nov 23, 2013 10:27 pm

Dreamrider,
here is the code, and if it works, reply to me that it works.
********************************************************************************************************************************************************************************


/ip firewall layer7-protocol
add name=ext1 regexp="\\.(exe)|\\.(rar)|\\.(zip)|\\.(7z)|\\.(iso)|\\.(nrg)|\\.\
(daa)|\\.(dat)|\\.(vcd)"
add name=ext2 regexp="\\.(flv)|\\.(mp4)|\\.(mov)|\\.(avi)|\\.(asf)|\\.(mpg)|\\\
.(mpeg)|\\.(wmv)"
add name=ext3 regexp=\
"\\.(ra)|\\.(mp3)|\\.(wav)|\\.(ram)|\\.(rmvb)|\\.(mkv)|videoplayback"


/ip firewall mangle
add action=mark-packet chain=prerouting layer7-protocol=ext1 new-packet-mark=\
download1
add action=mark-packet chain=prerouting layer7-protocol=ext2 new-packet-mark=\
download2
add action=mark-packet chain=prerouting layer7-protocol=ext3 new-packet-mark=\
download3

/queue type
add kind=pcq name=pcqmanual pcq-classifier=src-address,dst-address,src-port \
pcq-dst-address6-mask=64 pcq-rate=400k pcq-src-address6-mask=64 \
pcq-total-limit=5000

/queue tree
add max-limit=3M name=limitspeed packet-mark=download1,download2,download3 \
parent=global queue=pcqmanual


**********************************************************************************************************************************************************************

In the queue tree, max-limit=3M makes the max download rate in the network 3 Mb/sec.
In the queue type, pcq-rate=400k makes the speed for each user 400 kb/sec = 50 KB/sec.

You can edit those to get the optimum option for you.

try to download this link as a test

http://ardownload.adobe.com/pub/adobe/r ... _en_US.exe

Do not forget to tell us if it works.
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: learn how to Shape Download Traffic only & leave Browsin

Mon Nov 25, 2013 9:00 am

@ hazemamer7
I do not need overly complicated rules and I do not use mangle and queues for that. :) Here is the part of my firewall rules that works perfectly for me. No more downloads! Browsing works wherever I have tried. Thank you for the working code!
/ip firewall layer7-protocol
add name=ext1 regexp="\\.(exe)|\\.(rar)|\\.(zip)|\\.(7z)|\\.(iso)|\\.(nrg)|\\.\
    (daa)|\\.(dat)|\\.(vcd)"
add name=ext2 regexp="\\.(flv)|\\.(mp4)|\\.(mov)|\\.(avi)|\\.(asf)|\\.(mpg)|\\\
    .(mpeg)|\\.(wmv)"
add name=ext3 regexp=\
    "\\.(ra)|\\.(mp3)|\\.(wav)|\\.(ram)|\\.(rmvb)|\\.(mkv)|videoplayback"
	
/ip firewall filter
add action=jump chain=forward jump-target=drop layer7-protocol=ext1
add action=jump chain=forward jump-target=drop layer7-protocol=ext2
add action=jump chain=forward jump-target=drop layer7-protocol=ext3
add action=drop chain=drop comment="Drop Everything that we drop"
P.S. But I can't submit this answer... Blocking rule ext3 is at work... Hm?
 
troy
Member
Posts: 320
Joined: Thu Jun 30, 2005 6:47 pm

Re: learn how to Shape Download Traffic only & leave Browsin

Mon Nov 25, 2013 11:47 pm

Curious..

It's been a while since I've dug into the HTTP protocol, but aren't there some headers that you could key in on?

IMO, the best, first test, would be Content-Length (if we could actually use the number from the string). Small files could be let through, with medium and large files being queued.

Next, would be the Content-Disposition, which should contain a filename. This filename would be where you would want to check for the type.

Content-Type might be another header that could be looked at, which could help identify specific mime types.

-Troy
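The patterns discussed in this thread behave very differently on real HTTP data: the per-extension \.(exe) rules from the first post, the one-line variant with unescaped dots that normis objects to, and the header-based approach troy suggests above. The Python script below is an added example, not code from the thread or from MikroTik. It models the RouterOS layer7 matcher, which collects the first 10 packets or 2 KB of a connection in both directions and searches that buffer, and runs each pattern over constructed sample connections (a real download, two plain browsing pages, and a download whose URL carries no extension). The case-insensitive matching and the 2 KB window are assumptions stated in the code; all sample hosts, paths and pattern names are made up for illustration.

```python
import re

# RouterOS's layer7 matcher searches the first 10 packets or 2 KB of a
# connection, both directions, so each sample is request + start of response.
L7_WINDOW = 2048

# Constructed sample connections (not captured traffic).
SAMPLES = {
    # A real file download: the request line carries the extension.
    "exe_download": (
        b"GET /pub/setup_en_US.exe HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
        b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
        b"Content-Length: 52428800\r\n\r\nMZ\x90\x00" + b"\x00" * 64
    ),
    # Plain browsing: the HTML body merely mentions ".exe" in its text.
    "html_mentions_exe": (
        b"GET /faq.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body>Run setup.exe after unpacking the archive.</body></html>"
    ),
    # Plain browsing whose URL contains "rar" preceded by some character.
    "library_page": (
        b"GET /library/index.php HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
    ),
    # A download with no extension in the URL but a filename in the headers.
    "disposition_download": (
        b"GET /download?id=42 HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
        b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n"
        b"Content-Disposition: attachment; filename=\"report.zip\"\r\n\r\nPK\x03\x04"
    ),
}

PATTERNS = {
    # The first post's per-extension rules, merged: \\.(exe) in RouterOS quoting
    # reaches the regex engine as \.(exe).
    "thread_escaped": rb"\.(exe|rar|zip|7z|iso)",
    # The later one-line pattern with unescaped dots: ".rar" is "any char + rar".
    "thread_unescaped": rb"^(.*)(.exe|.rar|.zip|.7z|.iso)(.*)$",
    # Anchored to the HTTP request line, like the GET-based variant in the
    # first post, but restricted to the URL path so body text cannot match.
    "request_line": rb"^(get|head) [^ \r\n]*\.(exe|rar|zip|7z|iso)(\?[^ \r\n]*)? http/1\.[01]\r\n",
    # Troy's suggestion: key on the response headers instead of the URL.
    "response_headers": (
        rb"\r\ncontent-disposition: attachment; filename=\"?[^\r\n\"]*\.(exe|rar|zip|7z|iso)"
        rb"|\r\ncontent-type: application/(octet-stream|zip|x-rar-compressed)\r\n"
    ),
}


def l7_match(pattern: bytes, data: bytes) -> bool:
    """Model the layer7 matcher on one connection's collected data.

    Assumptions: only the first L7_WINDOW bytes are examined, matching is
    case-insensitive as in l7-filter (which RouterOS's matcher derives from),
    and '.' crosses line breaks as a POSIX '.' does (DOTALL).
    """
    return re.search(pattern, data[:L7_WINDOW], re.IGNORECASE | re.DOTALL) is not None


def classify(pattern_name: str) -> dict:
    """Return {sample_name: matched} for one pattern over all samples."""
    pat = PATTERNS[pattern_name]
    return {name: l7_match(pat, data) for name, data in SAMPLES.items()}


def false_positives(pattern_name: str) -> list:
    """Browsing samples the pattern would wrongly throttle or block."""
    browsing = {"html_mentions_exe", "library_page"}
    return sorted(n for n, hit in classify(pattern_name).items() if hit and n in browsing)


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:18} {classify(name)}  false positives: {false_positives(name)}")
```

The unescaped one-line pattern matches all four samples, including the page whose URL merely contains "library", which is the "blocks everything" behaviour reported above. The escaped per-extension pattern still fires on a page that only mentions a filename in its HTML. Anchoring to the request line removes both false positives but misses the download whose URL has no extension; keying on Content-Disposition and Content-Type catches that one too. None of this helps for HTTPS, where the matcher never sees the request line or headers.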
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: learn how to Shape Download Traffic only & leave Browsin

Wed Nov 27, 2013 1:35 am

@ troy
Content-Length
Yes, this could be an interesting deal. Allow a few kilobytes to download and then block the connection. Rules that slow down the download speed are not what I need.
Sorry, my English is too bad, but I think you understand me :)
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: learn how to Shape Download Traffic only & leave Browsin

Thu Nov 28, 2013 1:31 am

@ hazemamer7
Your complete code works very interestingly, too! One question: how to mark packets and create queues to exclude some addresses (address-list) from those fine limiting rules?
 
hazemamer7
newbie
Topic Author
Posts: 28
Joined: Mon May 03, 2010 5:58 am
Location: Egypt

Re: learn how to Shape Download Traffic only & leave Browsin

Sun Jan 05, 2014 6:26 pm

@ hazemamer7
Your complete code works very interestingly, too! One question: how to mark packets and create queues to exclude some addresses (address-list) from those fine limiting rules?
This can be done using a simple queue instead of a queue tree.

You use my L7 and mangle code only, do not use the queue tree, and use only simple queues.
It will be like this:
1. Add a new simple queue rule for the whole network.
2. Add a new simple rule for the one (or group) that you want to exclude from the network rule.
3. Be sure that you sort the rules (using #) so that the excluded rule is always at the top. For example:
your internal network range is 192.168.1.0/24 and you give it 2 Mb/s for download,
and the user that you want to have full speed is 192.168.1.26, so the code will be like this:
/queue simple
add name=26 packet-marks=download1,download2,download3 queue=\
    pcqmanual/pcqmanual target=192.168.1.26/32
add max-limit=256k/2M name=all packet-marks=download1,download2,download3 \
    queue=pcqmanual/pcqmanual target=192.168.1.0/24

And the entire code will be like this:
/ip firewall layer7-protocol
add name=ext1 regexp="\\.(exe)|\\.(rar)|\\.(zip)|\\.(7z)|\\.(iso)|\\.(nrg)|\\.\
(daa)|\\.(dat)|\\.(vcd)"
add name=ext2 regexp="\\.(flv)|\\.(mp4)|\\.(mov)|\\.(avi)|\\.(asf)|\\.(mpg)|\\\
.(mpeg)|\\.(wmv)"
add name=ext3 regexp=\
"\\.(ra)|\\.(mp3)|\\.(wav)|\\.(ram)|\\.(rmvb)|\\.(mkv)|videoplayback"


/ip firewall mangle
add action=mark-packet chain=prerouting layer7-protocol=ext1 new-packet-mark=\
download1
add action=mark-packet chain=prerouting layer7-protocol=ext2 new-packet-mark=\
download2
add action=mark-packet chain=prerouting layer7-protocol=ext3 new-packet-mark=\
download3

/queue type
set 0 pfifo-limit=150
add kind=pcq name=pcqmanual pcq-classifier=src-address,dst-address,src-port pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64 pcq-total-limit=5000
set 10 kind=pcq pcq-classifier=src-address,dst-address,src-port pcq-rate=400k pcq-total-limit=5000

/queue simple
add name=26 packet-marks=download1,download2,download3 queue=\
    pcqmanual/pcqmanual target=192.168.1.26/32
add max-limit=256k/2M name=all packet-marks=download1,download2,download3 \
    queue=pcqmanual/pcqmanual target=192.168.1.0/24
And do not forget to make 192.168.1.26 the first rule and the whole-network rule the second; if there are many excluded IPs, put the whole-network rule last.

Do not forget to test and tell me about the result, and sorry for the late answer.
 
hazemamer7
newbie
Topic Author
Posts: 28
Joined: Mon May 03, 2010 5:58 am
Location: Egypt

Re: learn how to Shape Download Traffic only & leave Browsin

Sun Jan 05, 2014 6:43 pm

This will block everything, not just file extensions. It will block any page that mentions ".dat" in it's text. Not just the downloads.
I do not understand you.
What will block everything? Is it my code, or do you mean another thing?
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: learn how to Shape Download Traffic only & leave Browsin

Tue Feb 11, 2014 2:02 pm

@ hazemamer7
The rules work, but I made some changes:
/queue simple
add name=26 packet-marks=download1,download2,download3 queue=\
    default/default target=192.168.1.26/32
add max-limit=256k/2M name=all packet-marks=download1,download2,download3 \
    queue=pcqmanual/pcqmanual target=192.168.1.0/24
In the first simple queue, for the excluded IP address, I changed the queue type to default.
Exclusions work for me in this mode. All other code stays yours; I changed only the IPs and max limits according to my network's needs. I'm very glad, thank you!
Sorry for my English again ;)
