MikroTik

sash7

Do test: in this simple queue, try to use queue type = sfq. (create new one or simply use wireless-default) and check again.

sash7

i see firewall use about twice resources than qos. So, probably you can try to optimize your firewall rules (mangle)

sash7

don't use bridge, set different network for wlan and lan, then set simple queue on wlan. also allow communication between these two in firewall forward if you want to see each other.

sash7

Should be work. Post your firewall forward rules

sash7

you need to set rules in firewall filter forward chain. First, use only 2 rules: rule 1: allow related, established rule 2: drop all now, between these two add separate rule for each vlan you want, for example for vlan10: allow internet only : in-interface=vlan10 out-interface=wan action=accept allo...

sash7

without network map this is waste of time but... i dont know how many interfaces you have, but if you set simple queue(s) with target=wan interface (internet), then local traffic (between local interfaces) cannot be affected in any way. in simple queue you can also add dst=xxx where xxx=any local in...

sash7

borisk try to use simple queue. it's much easy to understand and configure and work well in most cases. draw some diagram of network to see it

sash7

well it's strange use of queue tree, no limits, parent with one child...

and where you mark packets for child queue "... local" ? when you have child's you need to drive traffic to them. all traffic

sash7

NetJohn maybe try this: add new bridge
add static ip on bridge - to acces router in this ip. add all interfaces you want + wlan on this bridge. remove all other and try again.
as i understand dhcp server is on pc, right?

sash7

little mess in forward chain. Try temporary to disable all rules in forward and test again (use safe mode) . nat rules is ok

sash7

it's not clear what you have in forward chain.
add accept rule for connection-nat-state=dstnat, or write rule with right address and ports.

sash7

can't open images...

you also need to accept these nat-ed packets in firewall forward chain.

sash7

something like this

/ip firewall nat
add chain=dstnat in-interface=your-wan protocol=tcp src-address=145.x.x.x src-port=1234 dst-port=3099 action=dst-nat to-addresses=192.168.88.xx to-ports=3099

change
in-interface=, protocol=, src-address=, to-address=
with yours

sash7

Is not it easier to use simple queues for these ip and watch traffic there?

sash7

IP 192.168.1.5 will use 20mbit. you can first create a parent with target=192.168.1.0/24 20M/20M and then use this parent in child 192.168.1.x

or maybe PCQ will do better job in your case.
https://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ

sash7

about priority. limit-at is always guarantee even there is priority in this setup, up to 1000kbit priority will not work, because two child have guaranteed 300k and 700k. but if try 2000 as limit in tbf, probably those child with 4/4 priority will get all over 1000 up to 2000 =1700, and those child ...

sash7

use pcq queue in parent is useless - this work only in leaf child. htb work fair only if sum of rate<=parent rate. (htb rate == limit-at in ros) if you don't know current speed, use small limit-at in two child, only proportion between these two matter. so, for example, if expected speed drop to 1000...

sash7

In simple queue you can select these two: pcq-download-default and pcq-upload-default for download and upload Then in Queue / Queue Types tab you can find these two, click them and edit Rate = 2M https://s7.postimg.org/5abzn19dn/20170405_135559.png https://wiki.mikrotik.com/wiki/Manual:Queue#Queue_T...

sash7

no, you need one simple queue with target=192.168.0.0/24 and max-limit=10M/10M + set queue type=pcq for upload/download and set these with pcq-rate=2M in both

1 client - 2M, up to 5 client - get 2M each. 10 client - 1M each...

sash7

ok, try to add new rule

/ip firewall mangle
 add chain=postrouting out-interface=xxx action=change-ttl new-ttl=set:56

change xxx with your 3g interface

test...

sash7

ping google from RB terminal and see TTL, maybe is 1?

Then try to set ttl in number you get from ping - on mangle postrouting, where out-interface="your 3g device"

Maybe this provider block internet access if see different ttl from you (they try to prevent sharing)

sash7

Hi, in this case queue tree and mark is not needed. Keep things simple, use queue simple with target=192.168.68.0/24 and pcq.

Specify what exactly you want. what speed download/upload for all users, what for each one?

sash7

Test: /ip firewall filter> add chain=forward in-interface=ether1-wan connection-nat-state=dstnat dst-address-list=!"nat-list" action=add-dst-to-address-list address-list="nat-list" log=yes Correct in-interface name with yours, eventually add out-interface. rule should be first, o...

sash7

maybe something like this: in forward chain catch nat connections, compare destination ip with list, add new ip-s to this list.

sash7

these guys who "opening their own hotspot" 100% know how to deal with ttl1 )

sash7

Also may check did you have accept rule for these connections. In firewall forward chain.

sash7

Hi. For me, mistake in your rules in first post is in address mask. pcq-src-address-mask=0 pcq-dst-address-mask=0 If you network is 192.168.88.0/24 - src and dst mask should to be 32 not 0 /queue type> print 5 name="pcq-download" kind=pcq pcq-rate=6M pcq-limit=50KiB pcq-classifier=dst-addr...

sash7

Hi. If you just try to limit speed, use simple queue. If there are many equal clients, use network as target, and learn about "pcq" queue

sash7

Hi.
in /ip dhcp-client use "Use peer DNS" checked if you want WAN to get dns from your isp.

in /ip dhcp-server network remove all these dns servers and just use dns-server == gateway ip
clients will ask and get dns from router

sash7

yes you wrong, queue 4 will get all left to 10mbit : 2 + 4 = 6.

sash7

they communicate each other directly through switch, you can't stop this in router.

sash7

look examples here:
http://wiki.mikrotik.com/wiki/Manual:In ... n_Examples

sash7

maybe simple dstnat rule to server ip/port and you can access it on wan ip address

sash7

irghost post firewall rules with:
/ip firewall filter export

sash7

give more info, is 192.168.100.100 ftp server? if yes, you need to add dst-nat rule in nat table, and also accept these packets in forward chain.

sash7

well, default config is not mandatory. i use variant with rule accepted my local interface (bridge-local) and then last rule drop everything. no chance to mistake )

sash7

simple use different network on ether5, then drop communication between server and local network in firewall forward chain.

first check is ether5 not to slave - in default config ether2 is master on ether3-5

sash7

Hi TechGuy I must noted that if both limits (pcq-rate and max-limit) are unspecified, queue behavior can be imprecise. So it is strongly suggested to have at least one of these options set. this is from pcq manual. You need to limit upload speed to ~80% of your real upload speed. If you want to have...

sash7

syntax is ok, try to add manually, maybe you copy-paste?

sash7

you have too complicated firewall, in my opinion many many ot these rules is useless and do absolutely nothing. nothing good at least. i don't know what is easy - to edit (disabled) they one by one, or rewrite all from zero. about red line i have no answer, maybe some who has more experience with mi...

sash7

First, who is user Estiaan? Give more information about network - what connection use to internet, local network... then post here your firewall rules.
And better stay with last bugfix version 6.32.4 - do you prefer stability, or want to be beta tester?

sash7

Hi, are you sure that fasttrack is off? Please post rules in your forward chain.

and, or, try simpliest queue - with no dst, only target with wan interface.

sash7

after dstnat packets to your server which is behind router going to forward chain, not to input.

sash7

i understand what you want, but when use priority there is no "guarantee" nothing for classes with low priority. these with high priority probably may get all bandwidth. in my opinion htb work predictable and fair if you use equal priority and set correct numbers for limit and max limit.

sash7

yes, set ether1 to master-port=none then attach dhcp-client on him, if your isp give you automatic settings, or set manually ip address, gateway, dns. then only need to set nat.

router coming without any settings or what?

sash7

add chain=forward connection-state=established,related dst-address=192.168.1.251
add chain=forward src-address=192.168.1.251

add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related

sash7

about upload: lan1 drop because your lan2 has high priority. another: where is limit and max-limit for lan3? if your upload max-limit is 5M, then sum of all tree lan's limit need to be equal to 5M. try in this way, and without different priority. exactly same case in downloads. change and test again)

sash7

something like this add chain=forward comment="FW allow related,established" \ connection-state=established,related add chain=forward comment="FW: allow only my phone" \ in-interface=bridge-local src-mac-address=\ 64:BC:0C:91:EC:67 add action=drop chain=forward comment="FW: ...

sash7

packets mark is ok, you wrong with parents in queue tree. for upload from clients you need to use your wan interface as parent

sash7

another problem is that you lose these counters if power off rourer.

sash7

its not easy just to add two rules in queue simple? /queue simple add name=boss target=192.168.2.33 max-limit=100M/100M add name=all target=192.168.2.0/24 max-limit=512k/512k queue=pcq-upload-default/pcq-download-default do not use unlimited speed for unlimited user "boss" , use your real ...

sash7

you have an error in marking - in both places is new-packet-mark=download ?

sash7

slv simply use forward chain, packet mark and use interfaces in-interface / out-interface for all download like this /ip firewall mangle add chain=forward action=mark-packet new-packet-mark=download in-interface=your_wan_iface out-interface=your_lan_iface passthrough=no comment="all download&q...

sash7

yes, problem in rules - you need a rule to accept related,established. in first place! chain=input action=accept connection-state=related,established then remove 1 ;;; ALLOW --> OpenVPN chain=input action=accept protocol=tcp src-address=192.168.10.1 in-interface=ether1 src-port=1194 log=no log-prefi...

sash7

post your rules in input chain (Router2)

sash7

it's normal, probably have windows machines on this interface, try to "took" each other)

Sent from my LG-H502 using Tapatalk

sash7

mac address is not possible from internet. I also use my phone for remote access. my ip is also dynamic, but vary only in last numbers, 202.5.0.xxx and i use in rule src-adreess=202.5.0.0/24. only 256 ip can try, much better than all world)

sash7

add chain=input action=accept in-interface=wan_iface src-address=remote_ip protocol=tcp dst-port=80

Move in over your drop rule in input chain. Is risky if you not specify src-address!

sash7

k750 two more questions : what is the name of your wan (connected to internet) interface? what is the name of your lan (192.168.1.1) interface? i try to write rules for you later when back to home) ---------------- well, if you want test this 1. Save your config Remove all rules in input, forward, o...

sash7

k750 maybe you need to start from beginning. add rules and rules in firewall just like that is not good. Previously in another theme you ask to open ports 80 and 443 for server or something, now misunderstand why these ports is open... make network map with all computers, servers, addresses, ports.....

sash7

I try this in my MT - same as your case. But start working well when set any speed in max-limit, i try 100M/100M

sash7

Try to add max-limit to first queue, even max-limit=0/0

sash7

Too many information, but you also need to accept this ports in forward chain.

sash7

1. It's really bad idea to open winbox, http and telnet from all internet. 2. Put "related, established" rule on second place in input chain right behind 'invalid' rule. And this is not from "connection orginated from lan". This rule accept most traffic in input chain, so, move i...

sash7

mikrot1ker post your firewall rules here (input only) Check your IP here http://www.yougetsignal.com/tools/open-ports/ Here is my Input rules ) 0 ;;; IPT: allow related,established chain=input action=accept connection-state=established,related log=no log-prefix="" 1 ;;; IPT: allow all from...

sash7

https://youtu.be/G-iIxxXcYq0

Sent from my LG-H502 using Tapatalk

sash7

you can't use 20.0.0.0/24 (Kids) in private network, use these in ZeroByte post, or something like 10.0.10.0/24 and 10.0.20.0/24

sash7

post all firewall rules:

/ip firewall filter print

Search found 68 matches