3-isp config but i think there is something wrong and i want to go v7

Please could you help me update this config? I see that when two ISPs are connected, the connection becomes slow. I use Starlink and two mobile operators.

# feb/24/2025 17:20:25 by RouterOS 6.49.17
# software id =
#
# model = RB1100x4
# serial number = xxxxx
# LAN bridge; its member ports are listed under /interface bridge port below.
/interface bridge
add name=bridge1
# ether1-ether3 are renamed as the three uplinks (FAI1-FAI3) and ether4 as the
# local port; every port also gets an explicit mac-address.
# NOTE(review): these MAC addresses identify the device - consider masking
# them when an export is posted publicly.
/interface ethernet
set [ find default-name=ether1 ] mac-address=74:4D:28:85:AD:C6 name=\
    ether1-FAI1
set [ find default-name=ether2 ] mac-address=74:4D:28:85:AD:C7 name=\
    ether2-FAI2
set [ find default-name=ether3 ] mac-address=74:4D:28:85:AD:C8 name=\
    ether3-FAI3
set [ find default-name=ether4 ] mac-address=74:4D:28:85:AD:C9 name=\
    ether4-Local
set [ find default-name=ether5 ] mac-address=74:4D:28:85:AD:CA
set [ find default-name=ether6 ] mac-address=74:4D:28:85:AD:CB
set [ find default-name=ether7 ] mac-address=74:4D:28:85:AD:CC
set [ find default-name=ether8 ] mac-address=74:4D:28:85:AD:CD
set [ find default-name=ether9 ] mac-address=74:4D:28:85:AD:CE
set [ find default-name=ether10 ] mac-address=74:4D:28:85:AD:CF
set [ find default-name=ether11 ] mac-address=74:4D:28:85:AD:D0
set [ find default-name=ether12 ] mac-address=74:4D:28:85:AD:D1
set [ find default-name=ether13 ] mac-address=74:4D:28:85:AD:D2
# Sets default-vlan-id=0 on switch ports 0 through 15; no other switch
# setting is changed in this export.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
# Only the supplicant identity of the default wireless security profile is
# set; no wireless interface is configured anywhere in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Layer7 regular expressions for the firewall filter and mangle tables.
# Of the entries below, only Youtube, tik_Block, "block Pinterest" and
# layer7-bittorrent-exp are referenced by a rule in this export, and the first
# three only by rules that are disabled=yes. Fb_Block, "blockage total fcb",
# Insta_block, "Torrent sites" and block-torrents are not referenced at all.
# NOTE(review): MikroTik documents the layer7 matcher as resource-intensive,
# and the dots in these patterns are unescaped (each matches any character).
# Matching on destination names is usually better done another way - confirm
# what policy is actually required before keeping any of these.
/ip firewall layer7-protocol
# NOTE(review): this pattern has literal spaces around its operators and a
# stray \93 escape, so it presumably does not match what the comment intends;
# its last alternative is facebook.com, not a YouTube name.
add comment="blocking ytb" name=Youtube regexp="^. + (Youtube). * \$ | Oo.pref\
    erred.pttelkom- | a.youtube.com | b.youtube.com | c youtube.com | d.youtub\
    e.com | e. youtube.com | f.youtube.com | g.youtube.com | h.youtube.com | i\
    .youtube.com | j.youtube.com | l.youtube.com \93| (facebook.com). * \$"
add comment="Block tiktok for all" name=tik_Block regexp=\
    "^.+(www.tiktok.com|tiktok|tiktok.com).*\$"
add comment="Block facebook Completely" name=Fb_Block regexp=\
    "^.+(www.facebook.com|facebook|facebook.com).*\$"
# NOTE(review): the regexp value itself starts and ends with an escaped double
# quote and contains an embedded \r\n plus spaces - it looks pasted from a
# line-wrapped export and presumably can never match.
add comment="facebook blocking" name="blockage total fcb" regexp="\"^.+(www.fa\
    cebook.com|facebook.com|login.facebook.com|ww\\\r\
    \n    w.login.facebook.com|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.com\
    |static.ak.fbcdn.net|static.ak.connect.facebook.com|connect.facebook.net|w\
    ww.connect.facebook.net|m.me|apps.facebook.com).*\\\$\""
# This entry has a name but no regexp.
add name="block Pinterest"
add comment="block instagram" name=Insta_block regexp="^.+(www.instagram.com|c\
    dninstagram.com|.cdninstagram.com|.instagram.com|instagram.|.instagram|.cd\
    ninstagram|cdninstagram.).*\$"
# BitTorrent handshake/tracker signature; used by one filter rule and two
# mangle rules in this export.
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bitt\
    orrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?inf\
    o_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[\
    RP]"
add name="Torrent sites" regexp="^.+(torrent|rarbg|thepiratebay|isohunts|enter\
    tane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitu\
    nity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|\
    fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits|d1:ad2|tracker|a\
    nnounce).*\$"
# Same regexp as layer7-bittorrent-exp above, under a second name.
add comment="Block Torrents" name=block-torrents regexp="^(\\x13bittorrent pro\
    tocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|ge\
    t /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
# Two DHCP ranges in 192.168.17.0/24; pool1 names pool2 as its next-pool.
/ip pool
add name=pool2 ranges=192.168.17.200-192.168.17.247
add name=pool1 next-pool=pool2 ranges=192.168.17.4-192.168.17.100
# One DHCP server on the LAN bridge with a 3-day lease time.
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge1 lease-time=3d name=DHCP
# LAN bridge members: ether4-Local and ether5-ether8. ether9-ether13 are in
# no bridge and carry no address in this export.
/interface bridge port
add bridge=bridge1 interface=ether4-Local
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
# All three uplink addresses are RFC 1918 private addresses, so each ISP
# device presumably performs its own NAT in front of this router - confirm.
# NOTE(review): ether2-FAI2 is given 192.168.100.1, which is also the address
# used as the FAI2 gateway under /ip route. One of the two is presumably
# wrong (router address colliding with the ISP device, or a route pointing at
# the router itself) - verify against the FAI2 modem.
/ip address
add address=192.168.5.25/24 interface=ether1-FAI1 network=192.168.5.0
add address=192.168.100.1/24 interface=ether2-FAI2 network=192.168.100.0
add address=192.168.1.41/24 interface=ether3-FAI3 network=192.168.1.0
add address=192.168.17.254/24 interface=bridge1 network=192.168.17.0

# Enables the MikroTik cloud dynamic-DNS client.
# NOTE(review): this publishes the router's current public address under a
# MikroTik-hosted DNS name. This export has no chain=input filter rules, so
# confirm the name is actually needed before leaving it on.
/ip cloud
set ddns-enabled=yes
# Static DHCP leases binding a MAC address / client-id to a fixed LAN address.
# NOTE(review): the firewall filter rules exempt hosts by src-address, but
# several of those addresses (for example 192.168.17.40, .41, .46, .52) have
# no static lease here, so whichever device holds or manually sets such an
# address inherits the exemption. Pin every exempted host, and treat
# address-based exemptions as convenience rather than access control.
# NOTE(review): the comments contain personal names; consider removing them
# before sharing an export.
/ip dhcp-server lease
add address=192.168.17.44 client-id=1:48:f:cf:3e:ee:58 mac-address=\
    48:0F:CF:3E:EE:58 server=DHCP
add address=192.168.17.50 client-id=1:10:e7:c6:34:d:3e mac-address=\
    10:E7:C6:34:0D:3E server=DHCP
add address=192.168.17.12 client-id=1:f8:94:c2:6b:9d:d3 comment="Mme Ngansop" \
    mac-address=F8:94:C2:6B:9D:D3 server=DHCP
add address=192.168.17.43 client-id=1:6c:3b:e5:f:1f:0 mac-address=\
    6C:3B:E5:0F:1F:00 server=DHCP
add address=192.168.17.47 client-id=1:10:e7:c6:26:35:13 mac-address=\
    10:E7:C6:26:35:13 server=DHCP
add address=192.168.17.11 client-id=1:9c:4e:36:a7:76:4 mac-address=\
    9C:4E:36:A7:76:04 server=DHCP
add address=192.168.17.28 client-id=1:10:e7:c6:3b:a7:e7 mac-address=\
    10:E7:C6:3B:A7:E7 server=DHCP
add address=192.168.17.59 client-id=1:88:51:fb:47:a6:a8 mac-address=\
    88:51:FB:47:A6:A8 server=DHCP
add address=192.168.17.75 client-id=1:80:0:b:ba:41:8b comment="Laptop IT" \
    mac-address=80:00:0B:BA:41:8B server=DHCP
add address=192.168.17.58 client-id=1:90:f:c:77:e5:e9 mac-address=\
    90:0F:0C:77:E5:E9 server=DHCP
add address=192.168.17.89 client-id=1:5c:96:9d:97:f0:8f comment=\
    "machine Landry" mac-address=5C:96:9D:97:F0:8F server=DHCP
add address=192.168.17.70 client-id=1:8c:c8:4b:a7:c7:55 mac-address=\
    8C:C8:4B:A7:C7:55 server=DHCP
add address=192.168.17.34 client-id=\
    ff:e4:ec:bd:65:0:2:0:0:ab:11:97:23:3b:ab:e6:5e:ec:b8 mac-address=\
    74:83:C2:11:5E:61 server=DHCP
add address=192.168.17.42 client-id=1:70:5a:f:3a:31:58 mac-address=\
    70:5A:0F:3A:31:58 server=DHCP
add address=192.168.17.45 client-id=1:10:e7:c6:3b:a7:af mac-address=\
    10:E7:C6:3B:A7:AF server=DHCP
add address=192.168.17.48 client-id=1:10:e7:c6:26:2c:f mac-address=\
    10:E7:C6:26:2C:0F server=DHCP
# DHCP clients are handed 8.8.8.8 and 4.2.2.2 as resolvers directly, with the
# bridge address 192.168.17.254 as their gateway.
/ip dhcp-server network
add address=192.168.17.0/24 dns-server=8.8.8.8,4.2.2.2 gateway=192.168.17.254
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# from other hosts, and this export has no chain=input filter rule limiting
# which interfaces may reach it, so the resolver is also exposed on the three
# uplink networks. DHCP does not point clients at the router, so this can
# presumably be set to no - confirm no host uses 192.168.17.254 as resolver.
# Otherwise restrict port 53 on the input chain to bridge1.
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
    servers=8.8.8.8,4.2.2.2
# Static members of the "facebook" and "Youtube" address lists, used as
# dst-address-list in the filter rules. Entries are a mix of host names and
# literal addresses.
# NOTE(review): the literal addresses are a snapshot and presumably do not
# cover everything these services use; a filter rule further down also adds
# *facebook* TLS hosts to the Youtube list, so the two lists overlap.
/ip firewall address-list
add address=www.messenger.com list=facebook
add address=www.fbsbx.com list=facebook
add address=31.13.70.1 list=facebook
add address=fb.me list=facebook
add address=facebook.pl list=facebook
add address=m.me list=facebook
add address=facebook.com list=facebook
add address=31.13.67.35 list=facebook
add address=youtube.com list=Youtube
add address=216.58.223.238 comment=youtube.com list=Youtube
add address=142.250.145.95 comment=youtube.com list=Youtube
# Every rule in this filter table is chain=forward. The export contains no
# chain=input rule, no established/related accept, no drop of invalid
# connections and no final drop rule.
# NOTE(review): as exported, nothing filters access to the router's own
# services from the three uplink networks, and nothing stops hosts on those
# networks from being forwarded into 192.168.17.0/24. The RouterOS default
# firewall (accept established/related, drop invalid, drop input and
# non-dstnat forward traffic arriving from WAN) is the usual baseline to
# restore before adding site policy on top.
/ip firewall filter
# Four fasttrack rules for destination port 53; the second pair duplicates
# the first pair exactly. None is limited by connection-state.
add action=fasttrack-connection chain=forward comment=\
    "TCP FASTTRACK CONNECTION" dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment=\
    "UDP FASTTRACK CONNECTION" dst-port=53 protocol=udp
add action=fasttrack-connection chain=forward comment=\
    "TCP FASTTRACK CONNECTION" dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment=\
    "UDP FASTTRACK CONNECTION" dst-port=53 protocol=udp
# Per-host exemptions: traffic from each listed LAN address to the "Youtube"
# address list is accepted here, before any of the drop rules that follow.
# NOTE(review): the exemption is keyed on source IP only, and most of these
# addresses have no static DHCP lease in this export, so the rule follows the
# address rather than the device - confirm each one.
# The first rule's time= window (0s-1d, every day) covers the whole week.
add action=accept chain=forward comment="IP PUBLISHING" dst-address-list=\
    Youtube src-address=192.168.17.40 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.95
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.84
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.41
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.241
add action=accept chain=forward disabled=yes dst-address-list=Youtube \
    src-address=192.168.17.44
add action=accept chain=forward disabled=yes dst-address-list=Youtube \
    src-address=192.168.17.45
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.46
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.39
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.48
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.49
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.123
add action=accept chain=forward disabled=yes dst-address-list=Youtube \
    src-address=192.168.17.51
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.52
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.26
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.54
add action=accept chain=forward disabled=yes dst-address-list=Youtube \
    src-address=192.168.17.55
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.81
# NOTE(review): unlike its neighbours this rule matches dst-address-list=
# !Youtube, i.e. it accepts everything from 192.168.17.89 that is NOT in the
# list, so that host bypasses every later drop rule except for listed
# destinations. The connection-rate range spans the full 32-bit value range.
# Possibly the "!" is unintended - confirm.
add action=accept chain=forward comment=CEO connection-rate=0-4294967295 \
    dst-address-list=!Youtube src-address=192.168.17.89
add action=accept chain=forward dst-address-list=Youtube src-address=\
    192.168.17.75
add action=accept chain=forward comment=PATRICK dst-address-list=Youtube \
    src-address=192.168.17.38
add action=accept chain=forward comment=ARISTIDE disabled=yes \
    dst-address-list=Youtube src-address=192.168.17.30
# Facebook schedule: learn destination addresses from the TLS host name, allow
# them during a midday window, drop them outside it.
# NOTE(review): this rule matches tls-host=*facebook* and its comment says
# Facebook, but it adds the destination to address-list=Youtube, not
# "facebook". Learned Facebook addresses therefore land in the list that the
# per-host accept rules use and never reach the facebook drop rules -
# presumably the list name should be facebook; confirm.
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    7w1d chain=forward comment="recuperer les ip Facebook" dst-port=443 \
    protocol=tcp src-address=192.168.17.0/24 tls-host=*facebook*
# The "# inactive time" lines appear to have been written by the export itself
# for rules whose time= window was not active when it was taken.
# inactive time
add action=accept chain=forward connection-state=new dst-address-list=\
    facebook src-address=192.168.17.0/24 time=\
    12h-13h40m,sun,mon,tue,wed,thu,fri,sat
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    7w1d chain=forward comment="recuperer les ip youtube" disabled=yes \
    dst-port=443 protocol=tcp src-address=192.168.17.0/24 tls-host=*youtube*
add action=drop chain=forward connection-state=new disabled=yes \
    dst-address-list=facebook src-address=192.168.17.0/24 time=\
    0s-12h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward connection-state=new dst-address-list=facebook \
    src-address=192.168.17.0/24 time=\
    14h30m-23h59m59s,sun,mon,tue,wed,thu,fri,sat
# The two drops below repeat the windows above without connection-state=new.
# The accept window ends at 13h40m but the afternoon drop starts at 14h30m;
# between those times no rule here matches the facebook list, so that traffic
# is forwarded by default.
# inactive time
add action=drop chain=forward dst-address-list=facebook src-address=\
    192.168.17.0/24 time=0s-12h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward dst-address-list=facebook src-address=\
    192.168.17.0/24 time=14h30m-23h59m59s,sun,mon,tue,wed,thu,fri,sat
# Layer7 / address-list drop rules for TikTok, YouTube and Pinterest. Every
# rule in this group is disabled=yes, so none is evaluated.
# The TikTok rules name ether2-FAI2 and ether1-FAI1 as out-interface; there
# is no counterpart for ether3-FAI3.
add action=drop chain=forward comment="block tiktok" disabled=yes \
    in-interface=bridge1 layer7-protocol=tik_Block out-interface=ether2-FAI2
add action=drop chain=forward comment="block tiktok" disabled=yes \
    in-interface=bridge1 layer7-protocol=tik_Block out-interface=ether1-FAI1
add action=drop chain=forward comment=Youtube disabled=yes dst-port=443 \
    in-interface=bridge1 layer7-protocol=Youtube protocol=tcp src-address=\
    192.168.17.0/24 time=0s-14h30m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment=Youtube disabled=yes dst-port=443 \
    in-interface=bridge1 layer7-protocol=Youtube protocol=tcp src-address=\
    192.168.17.0/24 time=14h30m-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward disabled=yes dst-address-list=Youtube time=\
    14h30m-23h59m59s,sun,mon,tue,wed,thu,fri,sat
# This morning window omits sat, unlike the other schedules.
add action=drop chain=forward disabled=yes dst-address-list=Youtube time=\
    0s-12h,sun,mon,tue,wed,thu,fri
# References the "block Pinterest" layer7 entry, which has no regexp, and
# carries an empty port="" matcher.
add action=drop chain=forward comment="Block Pinterest" disabled=yes \
    dst-port=443 in-interface=bridge1 layer7-protocol="block Pinterest" port=\
    "" protocol=tcp src-address=192.168.17.0/24
# Torrent handling: detect LAN hosts using BitTorrent, list them for two
# minutes, and drop their traffic to ports outside an allow set.
# NOTE(review): this rule keys on src-address-list=torrent-connections, but
# nothing in this export populates a list by that name (the detection rules
# below write to Torrent-Conn), so it presumably never matches.
add action=drop chain=forward comment="Block Torrents" dst-port=\
    !0-1023,1723,5900,5800,3389,8728,8291,14147,5222,59905 protocol=tcp \
    src-address=192.168.17.0/24 src-address-list=torrent-connections
# NOTE(review): dst-address-type=local selects packets addressed to the router
# itself, which are normally handled in the input chain rather than forward,
# so this rule likely never matches either - confirm with the rule counters.
add action=drop chain=forward dst-address-type=local packet-mark=\
    torrent_packet
# NOTE(review): the five content= rules drop any forwarded packet whose
# payload contains the given text, for every host, protocol and port. They
# cannot see inside encrypted traffic, can break unrelated cleartext traffic
# that happens to contain e.g. "tracker" or "torrent", and add a payload
# search to every packet that reaches them. "annonce_peers" is possibly a
# misspelling of the intended keyword.
add action=drop chain=forward content=tracker
add action=drop chain=forward content=info_hash
add action=drop chain=forward content=annonce_peers
add action=drop chain=forward content=getpeers
add action=drop chain=forward content=torrent
# Detection: LAN sources matching the BitTorrent layer7 pattern are put in
# Torrent-Conn for 2 minutes. No allow-bit list is defined in this export, so
# src-address-list=!allow-bit excludes nobody.
add action=add-src-to-address-list address-list=Torrent-Conn \
    address-list-timeout=2m chain=forward layer7-protocol=\
    layer7-bittorrent-exp src-address=192.168.17.0/24 src-address-list=\
    !allow-bit
# p2p matcher is obsolete please use layer7 matcher instead
add action=add-src-to-address-list address-list=Torrent-Conn \
    address-list-timeout=2m chain=forward p2p=all-p2p src-address=\
    192.168.17.0/24 src-address-list=!allow-bit
# Enforcement: for listed sources, drop TCP and UDP to any port outside the
# negated set. These are the last rules of the table; anything that reaches
# the end without matching is forwarded.
add action=drop chain=forward dst-port=\
    !0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
    src-address-list=Torrent-Conn
add action=drop chain=forward dst-port=\
    !0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
    src-address-list=Torrent-Conn
# Mangle table: connection and routing marks meant to spread LAN traffic over
# the three uplinks. Only the last mark-connection rule tests
# connection-mark=no-mark; the others are evaluated for every packet.
/ip firewall mangle
# Connections arriving at the router on an uplink are marked per uplink...
add action=mark-connection chain=input in-interface=ether1-FAI1 \
    new-connection-mark=ether1-FAI1_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether2-FAI2 \
    new-connection-mark=ether2-FAI2_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether3-FAI3 \
    new-connection-mark=ether3-FAI3_conn passthrough=yes
# ...and the router's replies get the matching routing mark, so they leave by
# the uplink the connection came in on.
add action=mark-routing chain=output connection-mark=ether1-FAI1_conn \
    new-routing-mark=to_ether1-FAI1 passthrough=yes
add action=mark-routing chain=output connection-mark=ether2-FAI2_conn \
    new-routing-mark=to_ether2-FAI2 passthrough=yes
add action=mark-routing chain=output connection-mark=ether3-FAI3_conn \
    new-routing-mark=to_ether3-FAI3 passthrough=yes
# LAN-to-LAN traffic entering on bridge1 is accepted here and skips the rest.
add action=accept chain=prerouting dst-address=192.168.17.0/24 in-interface=\
    bridge1
# Three-way per-connection classifier on traffic from bridge1.
# NOTE(review): these rules match dst-address-type=local, i.e. connections to
# the router's own addresses. Load balancing of Internet-bound traffic
# normally uses dst-address-type=!local, so as written these presumably do
# not classify client traffic to the Internet - confirm.
add action=mark-connection chain=prerouting dst-address-type=local \
    in-interface=bridge1 new-connection-mark=ether1-FAI1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=local \
    in-interface=bridge1 new-connection-mark=ether2-FAI2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=local \
    in-interface=bridge1 new-connection-mark=ether3-FAI3_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/2
# Routing marks for bridge1 traffic carrying one of the three marks above.
add action=mark-routing chain=prerouting connection-mark=ether1-FAI1_conn \
    in-interface=bridge1 new-routing-mark=to_ether1-FAI1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ether2-FAI2_conn \
    in-interface=bridge1 new-routing-mark=to_ether2-FAI2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ether3-FAI3_conn \
    in-interface=bridge1 new-routing-mark=to_ether3-FAI3 passthrough=yes
# Traffic entering on ether1-FAI1 and ether2-FAI2 is accepted and skips the
# rules below; there is no equivalent rule for ether3-FAI3.
add action=accept chain=prerouting in-interface=ether1-FAI1
add action=accept chain=prerouting in-interface=ether2-FAI2
# A second, two-way classifier for LAN traffic to non-local destinations.
# NOTE(review): it sets routing marks to_wan1 / to_wan2, but no /ip route in
# this export carries either mark, so this traffic presumably falls back to
# the main routing table and follows the lowest-distance default route. This
# looks like the remains of an earlier two-uplink setup - confirm which of
# the two schemes is meant to be active.
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address=192.168.17.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address=192.168.17.0/24
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    new-routing-mark=to_wan1 passthrough=yes src-address=192.168.17.0/24
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
    new-routing-mark=to_wan2 passthrough=yes src-address=192.168.17.0/24
# Torrent marking for the filter rule that drops packet-mark=torrent_packet.
# It only considers still-unmarked connections to the router's own addresses
# (dst-address-type=local) and runs the layer7 matcher twice per packet.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=local layer7-protocol=layer7-bittorrent-exp \
    new-connection-mark=torrent_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=torrent_conn \
    layer7-protocol=layer7-bittorrent-exp new-packet-mark=torrent_packet \
    passthrough=no
# Source NAT: masquerade everything leaving by any of the three uplinks.
# There is no dstnat (port-forward) rule in this export.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-FAI1
add action=masquerade chain=srcnat out-interface=ether2-FAI2
add action=masquerade chain=srcnat out-interface=ether3-FAI3
# Default routes: one per uplink in its own routing-mark table, then the same
# three gateways in the main table ordered by distance (failover order
# FAI1, FAI2, FAI3).
# NOTE(review): the marked routes have no check-gateway, so a marked
# connection presumably keeps using an uplink that is down. check-gateway=ping
# on the main routes only probes the next hop (the ISP device), not
# reachability beyond it.
# NOTE(review): gateway 192.168.100.1 is the same address that /ip address
# assigns to ether2-FAI2 on this router; one of the two is presumably wrong.
/ip route
add distance=1 gateway=192.168.5.1 routing-mark=to_ether1-FAI1
add distance=2 gateway=192.168.100.1 routing-mark=to_ether2-FAI2
add distance=3 gateway=192.168.1.1 routing-mark=to_ether3-FAI3
add check-gateway=ping distance=1 gateway=192.168.5.1
add check-gateway=ping distance=2 gateway=192.168.100.1
add check-gateway=ping distance=3 gateway=192.168.1.1
# NOTE(review): the time= matchers in the firewall filter rules depend on the
# router's clock. Confirm Europe/Berlin is the site's time zone and that the
# clock is kept in sync (no NTP client settings appear in this export).
/system clock
set time-zone-name=Europe/Berlin

MIKROTIK2025 modifié copy.txt (13.1 KB)

Please use code tags for code ( button < / > ), otherwise we have to scroll several pages of text.

Suggest you simplify and the first thing is get rid of the garbage layer7 rules.
I will go further and state you should go back to the default firewall rules and then build from there for traffic that is needed, not focus at all at blocking traffic…

Also to simplify you can easily accomplish ECMP load balancing in Ver7, with no mangling.
The only reason to mangle now would be
vlans going to specific Interface…
Port forwarding…
And this means you can enable and take advantage of fasttrack for most of the traffic.

good morning sir i don’t know where to do it if you can show me humbly accept my apologise sir

Dear Anav, thank you for your concern, but if I come here it is because I don’t know how to do it. Can you help me with your method?

The code tags are found above, on the same line as Text controls of BOLD B, ITALICS I and UNDERLINE U.
Go further to the right and you will see the code tag icon, the black square with white square brackets inside the black square.

Hey, you seem to know quite a lot, otherwise how did you add all those rules?
If you want to start fresh, reset/restart the router… and accept the defaults.

In any case you need a solid plan before even touching the router.
The first step is detailing the requirements.
a. identify all the user(s)/device(s) ( including internal users, external users and you the admin)
b. identify all the traffic they need to accomplish.
c. Draw a network diagram to identify the equipment you have and the subnets you would like to have etc..
d. discuss the WAN situation especially if more than one

  • public or private, static or dynamic and type (pppoe, cable, fibre etc…)
  • for multiple WANs: use one as primary and the other as backup, or share equally (load balance).
  • or more complex some use one, some use the other ( always detailing for every case what happens if one of the WANs is not available)
  • detailing any port forwarding coming in on WAN
  • detailing any VPNs coming to the router

That is the minimum you need to do to start working on the config.
Understand what all the rules are doing on the config, look at MT documents, look at YOUTUBE videos from Mikrotik, the network berg and the network trip.
Then you are in a position to start changing the rules and adding rules. Focus on traffic needed not blocking stuff.
When you get stuck then come here and ask for assistance…
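/export file=anynameyouwish (before posting the file, remove the router serial number, any public WAN IP information (IP and gateway that are public) and VPN keys; on RouterOS 6, adding hide-sensitive to the export command leaves passwords and keys out of the file)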

You can read this… for some helpful tips as well.
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1