Cannot log into router via winbox or http

Hello, I am hoping someone can help.

Router Information: RB450g os6.22

The only way I can gain access to this router is via SSH, and the client has internet access. There are no problems connecting to the router when connected to LAN, only when connecting through WAN.

I must note that this router has 2 WANs with 2 separate ISPs and I experience the same exact problem with both interfaces.

When I try to enter the router via winbox I get the following messages: “Starting Winbox” “Logging in” “Retrieving preferences” “Router has been disconnected!”. When I try to enter via HTTP I get “This webpage is not available”.

Here is my configuration.

IP/Address
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.0.1/24     192.168.0.0     ether3-OPS-1
 1 D 192.168.4.100/24   192.168.4.0     ether1-WAN-1
 2   1xx.7.2xx.102/30   1xx.7.2xx.100   ether2-WAN-2

IP/DHCP-Client
Flags: X - disabled, I - invalid
 #   INTERFACE           USE ADD-DEFAULT-ROUTE STATUS        ADDRESS
 0   ;;; default configuration
     ether1-WAN-1        no  yes               bound         192.168.4.100/24
 1 X ether2-WAN-2        yes yes

IP/Firewall/Filter. "All rules disabled"

IP/Firewall/NAT
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-WAN-1 log=no
      log-prefix=""

 1    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether2-WAN-2 log=no
      log-prefix=""

IP/Firewall/Mangle. "All rules are disabled"

IP/Routes
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.4.1               0
 1 X S  0.0.0.0/0                          192.168.4.1               1
 2 X S  0.0.0.0/0                          1xx.7.2xx.101             2
 3 ADC  1xx.7.2xx.100/30   1xx.7.2xx.102   ether2-WAN-2              0
 4 ADC  192.168.0.0/24     192.168.0.1     ether3-OPS-1              0
 5 ADC  192.168.4.0/24     192.168.4.100   ether1-WAN-1              0

Thanks in advance.

This is the first time I have experienced these issues. Does anybody have any ideas?

I think you need to add the filter on the firewall:

Something like this:

chain=input action=accept protocol=tcp in-interface=ether2-WAN-2 dst-port=8291 log=no log-prefix=""

Thanks,


I have tried these rules and still have the same issues with Winbox and HTTP access from both ports.

chain=input action=accept protocol=tcp in-interface=ether1-WAN-1 dst-port=8291 log=no log-prefix=""
chain=input action=accept protocol=tcp in-interface=ether1-WAN-1 dst-port=80 log=no log-prefix=""
chain=input action=accept protocol=tcp in-interface=ether2-WAN-2 dst-port=8291 log=no log-prefix=""
chain=input action=accept protocol=tcp in-interface=ether2-WAN-2 dst-port=80 log=no log-prefix=""

Can anybody see anything wrong? I need to find a solution.

Thanks

Post full export of firewall filter. Rule order matters and other rules may be missing.
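The rule-order point above, as an added example that is not part of the thread: a small first-match evaluator for filter rules in the print layout used on this page, run over a constructed ruleset. The sample rules, the packet dictionaries and the helper names are assumptions made for illustration; only `protocol`, `dst-port` and `in-interface` matchers are modelled.

```python
import re

RULE_START = re.compile(r"^\s*(\d+)\s+(?:([XID]+)\s+)?(.*)$")
KEY_VALUE = re.compile(r"([\w-]+)=(.*?)(?=\s+[\w-]+=|\s*$)")
MATCHERS = {"protocol", "dst-port", "in-interface"}   # the only matchers modelled
OTHER_KEYS = {"chain", "action", "jump-target", "log", "log-prefix"}
FINAL = {"accept", "drop", "reject"}                  # actions that end evaluation

# Constructed sample in the thread's print layout (not the poster's ruleset).
SAMPLE = '''
Flags: X - disabled, I - invalid, D - dynamic
0   ;;; jump to chain services input
chain=input action=jump jump-target=services_input log=no log-prefix=""

1   ;;; Allow SSH
chain=services_input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

2 X ;;; Allow Dude (disabled, so it is skipped)
chain=services_input action=accept protocol=tcp dst-port=2210 log=no log-prefix=""

3   ;;; Drop the rest
chain=services_input action=drop log=no log-prefix=""

4   ;;; Allow winbox (appended last)
chain=input action=accept protocol=tcp in-interface=ether2-WAN-2 dst-port=8291
log=no log-prefix=""
'''
WINBOX = {"protocol": "tcp", "dst-port": 8291, "in-interface": "ether2-WAN-2"}
SSH = {"protocol": "tcp", "dst-port": 22, "in-interface": "ether2-WAN-2"}


def parse_rules(text):
    """Parse printed filter rules into dicts, keeping the X (disabled) flag."""
    rules, body = [], None
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:                                   # "<number> [flags] ..." starts a rule
            body = [] if m.group(3).startswith(";;;") else [m.group(3)]
            rules.append({"num": int(m.group(1)),
                          "disabled": "X" in (m.group(2) or ""), "body": body})
        elif body is not None and line.strip():
            body.append(line.strip())           # wrapped continuation line
    for rule in rules:
        fields = dict(KEY_VALUE.findall(" ".join(rule.pop("body"))))
        bad = [k for k, v in fields.items() if k not in MATCHERS | OTHER_KEYS
               or (k in MATCHERS and v.startswith("!"))]
        if bad:                                 # refuse to guess at unmodelled matchers
            raise ValueError(f"rule {rule['num']}: unmodelled matcher(s) {bad}")
        rule.update(fields)
    return rules


def port_matches(spec, port):
    """dst-port may be a single port, a comma list, or a range such as 135-139."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches(rule, pkt):
    """A rule matches only if every matcher it carries agrees with the packet."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt["in-interface"]:
        return False
    return "dst-port" not in rule or port_matches(rule["dst-port"], pkt["dst-port"])


def walk(rules, pkt, chain, depth=0):
    """Return (action, rule number) for the first deciding rule, or None."""
    if depth > 16:
        raise RecursionError("jump loop between chains")
    for rule in rules:
        if rule["disabled"] or rule.get("chain") != chain or not matches(rule, pkt):
            continue
        if rule["action"] in FINAL:
            return rule["action"], rule["num"]
        if rule["action"] == "return":
            return None                         # back to the calling chain
        if rule["action"] == "jump":
            verdict = walk(rules, pkt, rule["jump-target"], depth + 1)
            if verdict:
                return verdict
        # log, passthrough and similar actions do not stop evaluation
    return None


def evaluate(rules, pkt, chain="input"):
    """A packet that no rule decides is accepted at the end of a built-in chain."""
    return walk(rules, pkt, chain) or ("accept", None)


def move_first(rules, num):
    """Copy of the list with rule `num` evaluated first ('num' stays its old label)."""
    return sorted(rules, key=lambda r: r["num"] != num)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    print("winbox as posted:      ", evaluate(rules, WINBOX))
    print("ssh as posted:         ", evaluate(rules, SSH))
    print("winbox, rule 4 on top: ", evaluate(move_first(rules, 4), WINBOX))
```

In the constructed sample the Winbox accept is never reached because the jump into `services_input` ends in an unconditional drop first, while SSH is accepted inside that chain; the same rule decides the packet once it is evaluated before the jump.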

Thank you. Here is everything.

INTERFACE
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME           TYPE   ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS
 0 R   ether1-WAN-1   ether        1500   1520       1520  4C:xx:xx:B3:86:6A
 1 R   ether2-WAN-2   ether        1500   1520       1520  4C:xx:xx:B3:86:6B
 2 R   ether3-OPS-1   ether        1500   1520       1520  4C:xx:xx:B3:86:6C
 3 RS  ether4-OPS-2   ether        1500   1520       1520  4C:xx:xx:B3:86:6D
 4 S   ether5-OPS-3   ether        1500   1520       1520  4C:xx:xx:B3:86:6E

IP/ARP
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published
 #    ADDRESS           MAC-ADDRESS         INTERFACE
 0 D  192.168.4.1       00:xx:xx:6E:D5:02   ether1-WAN-1
 1 D  61.160.213.54     00:xx:xx:7E:0F:AF   ether2-WAN-2
 2 D  80.76.161.225     00:xx:xx:7E:0F:AF   ether2-WAN-2
 3 D  85.30.68.214      00:xx:xx:7E:0F:AF   ether2-WAN-2
 4 D  122.225.103.124   00:xx:xx:7E:0F:AF   ether2-WAN-2
 5 D  221.236.12.38     00:xx:xx:7E:0F:AF   ether2-WAN-2
 6 D  99.70.22.15       00:xx:xx:7E:0F:AF   ether2-WAN-2
 7 D  176.31.101.5      00:xx:xx:7E:0F:AF   ether2-WAN-2
 8 D  61.160.224.130    00:xx:xx:7E:0F:AF   ether2-WAN-2

IP/ADDRESS
Flags: X - disabled, I - invalid, D - dynamic
 #    ADDRESS            NETWORK         INTERFACE
 0    192.168.0.1/24     192.168.0.0     ether3-OPS-1
 1    1xx.7.2xx.102/30   1xx.7.2xx.100   ether2-WAN-2
 2 D  192.168.4.100/24   192.168.4.0     ether1-WAN-1

IP/DHCP-Client
Flags: X - disabled, I - invalid
 #    INTERFACE      USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS
 0    ;;; default configuration
      ether1-WAN-1   no            yes                bound   192.168.4.100/24
 1 X  ether2-WAN-2   yes           yes

IP/DNS
servers: 8.8.8.8,4.4.2.2
dynamic-servers:
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 156KiB

IP/FIREWALL/FILTER
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; Blacklist Drop
chain=input_drop action=drop src-address-list=Blacklist log=no log-prefix=""

1 X ;;; WAN ICMP Drop
chain=input_drop action=drop protocol=icmp src-address=!69.142.19.78 log=no log-prefix=""

2 X ;;; Common Virus/Trojen Drop
chain=input_drop action=drop protocol=tcp port=1723 log=no log-prefix=""

3 X ;;; Unlisted DNS Drop
chain=input_drop action=drop protocol=udp src-address-list=!dns layer7-protocol=!dns port=53 log=no log-prefix=""

4 X ;;; IP Blacklist Drop
chain=input_drop action=drop src-address-list=ip_blacklist log=yes log-prefix="blacklist"

5 X chain=input_drop action=passthrough log=no log-prefix=""

6 X ;;; ----------ip_blacklist----------
chain=input action=jump jump-target=ip_blacklist protocol=udp src-address-list=!allow connection-limit=100,24
log=no log-prefix=""

7 X chain=ip_blacklist action=add-src-to-address-list src-address-list=!allow address-list=ip_blacklist
address-list-timeout=1d log=yes log-prefix="ip_blacklist"

8 X chain=ip_blacklist action=passthrough log=no log-prefix=""

9 X ;;; ----------drop ssh brute forcers----------
chain=input action=jump jump-target=ssh_brute_forcers protocol=tcp dst-port=22 log=no log-prefix=""

10 X chain=ssh_brute_forcers action=accept protocol=tcp dst-port=22 content=530 Login incorrect
dst-limit=1/1m,9,dst-address/1m log=no log-prefix=""

11 X chain=ssh_brute_forcers action=drop connection-state=new src-address-list=ssh_stage1 log=no log-prefix=""

12 X chain=ssh_brute_forcers action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage1 address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=yes
log-prefix="ssh_stage1"

13 X chain=ssh_brute_forcers action=drop connection-state=new src-address-list=ssh_stage2 log=no log-prefix=""

14 X chain=ssh_brute_forcers action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage2 address-list=ssh_stage2 address-list-timeout=10h dst-port=22 log=yes
log-prefix="ssh_stage2"

15 X chain=ssh_brute_forcers action=drop connection-state=new src-address-list=ssh_stage3 log=no log-prefix=""

16 X chain=ssh_brute_forcers action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage3 address-list=ssh_stage3 address-list-timeout=5d dst-port=22 log=yes
log-prefix="ssh_stage3"

17 X chain=ssh_brute_forcers action=passthrough log=no log-prefix=""

18 X ;;; ----------drop ftp_bruteforcers----------
chain=input action=jump jump-target=ftp_bruteforcers protocol=tcp dst-port=21 connection-mark=ftp_in log=no
log-prefix=""

19 X chain=ftp_bruteforcers action=accept protocol=tcp dst-port=21 content=530 Login incorrect
dst-limit=1/1m,9,dst-address/1m log=no log-prefix=""

20 X chain=ftp_bruteforcers action=drop src-address-list=ftp_stage1 log=no log-prefix=""

21 X chain=ftp_bruteforcers action=add-dst-to-address-list protocol=tcp address-list=ftp_stage1 address-list-timeout=10>
dst-port=21 content=530 Login incorrect log=yes log-prefix="ftp_stage1"

22 X chain=ftp_bruteforcers action=drop src-address-list=ftp_stage2 log=no log-prefix=""

23 X chain=ftp_bruteforcers action=add-dst-to-address-list protocol=tcp address-list=ftp_stage2 address-list-timeout=10>
dst-port=21 content=530 Login incorrect log=yes log-prefix="ftp_stage2"

24 X chain=ftp_bruteforcers action=drop src-address-list=ftp_stage3 log=no log-prefix=""

25 X chain=ftp_bruteforcers action=add-dst-to-address-list protocol=tcp address-list=ftp_stage3 address-list-timeout=5d
dst-port=21 content=530 Login incorrect log=yes log-prefix="ftp_stage3"

26 X chain=ftp_bruteforcers action=passthrough log=no log-prefix=""

27 X ;;; ----------drop_port_scanners----------
chain=input action=jump jump-target=drop_scanners protocol=tcp log=no log-prefix=""

28 X chain=drop_scanners action=drop protocol=tcp src-address-list=port scanners log=no log-prefix=""

29 X chain=drop_scanners action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 src-address-list=!allow
address-list=port scanners address-list-timeout=2w log=no log-prefix=""

30 X chain=drop_scanners action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
src-address-list=!allow address-list=port scanners address-list-timeout=2w log=no log-prefix=""

31 X chain=drop_scanners action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp src-address-list=!allow
address-list=port scanners address-list-timeout=2w log=no log-prefix=""

32 X chain=drop_scanners action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp src-address-list=!allow
address-list=port scanners address-list-timeout=2w log=no log-prefix=""

33 X chain=drop_scanners action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
src-address-list=!allow address-list=port scanners address-list-timeout=2w log=no log-prefix=""

34 X chain=drop_scanners action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
src-address-list=!allow address-list=port scanners address-list-timeout=2w log=no log-prefix=""

35 X chain=drop_scanners action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
src-address-list=!allow address-list=port scanners address-list-timeout=2w log=no log-prefix=""

36 X chain=drop_scanners action=log protocol=tcp src-address-list=port scanners log=no log-prefix="port_scanners"

37 X chain=drop_scanners action=passthrough log=no log-prefix=""

38 X ;;; ----------SYN-Flood Protect----------
chain=input action=jump jump-target=SYN-Flood Protect connection-state=new protocol=tcp src-address-list=!allow
connection-limit=50,32 log=no log-prefix=""

39 X chain=accept tcp flags action=accept tcp-flags=syn connection-state=new protocol=tcp limit=400,5 log=no
log-prefix=""

40 X chain=SYN-Flood Protect action=drop tcp-flags=syn connection-state=new protocol=tcp src-address-list=SYN-Protect
log=no log-prefix=""

41 X chain=SYN-Flood Protect action=add-src-to-address-list tcp-flags=syn protocol=tcp address-list=SYN-Protect
address-list-timeout=1d connection-limit=42,32 log=yes log-prefix="SYN-Flood Protect"

42 X chain=SYN-Flood Protect action=passthrough log=no log-prefix=""

43 X ;;; ----------jump to the virus chain----------
chain=forward action=jump jump-target=virus log=no log-prefix=""

44 X ;;; Drop Blaster Worm
chain=virus action=drop protocol=tcp dst-port=135-139 log=yes log-prefix="Drop Blaster Worm"

45 X ;;; Drop Messenger Worm
chain=virus action=drop protocol=udp dst-port=135-139 log=no log-prefix="Drop Messenger Worm"

46 X ;;; Drop Blaster Worm
chain=virus action=drop protocol=tcp dst-port=445 log=no log-prefix=""

47 X ;;; Drop Blaster Worm
chain=virus action=drop protocol=udp dst-port=445 log=no log-prefix=""

48 X ;;; Drop________
chain=virus action=drop protocol=tcp dst-port=593 log=no log-prefix=""

49 X ;;; Drop ________
chain=virus action=drop protocol=tcp dst-port=1024-1030 log=no log-prefix=""

50 X ;;; Drop MyDoom
chain=virus action=drop protocol=tcp dst-port=1080 log=no log-prefix=""

51 X ;;; Drop ________
chain=virus action=drop protocol=tcp dst-port=1214 log=no log-prefix=""

52 X ;;; Drop ndm requester
chain=virus action=drop protocol=tcp dst-port=1363 log=no log-prefix=""

53 X ;;; Drop ndm server
chain=virus action=drop protocol=tcp dst-port=1364 log=no log-prefix=""

54 X ;;; Drop screen cast
chain=virus action=drop protocol=tcp dst-port=1368 log=no log-prefix=""

55 X ;;; Drop hromgrafx
chain=virus action=drop protocol=tcp dst-port=1373 log=no log-prefix=""

56 X ;;; Drop cichlid
chain=virus action=drop protocol=tcp dst-port=1377 log=no log-prefix=""

57 X ;;; Drop Worm
chain=virus action=drop protocol=tcp dst-port=1433-1434 log=no log-prefix=""

58 X ;;; Drop Bagle Virus
chain=virus action=drop protocol=tcp dst-port=2745 log=no log-prefix=""

59 X ;;; Drop Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=2283 log=no log-prefix=""

60 X ;;; Drop Beagle
chain=virus action=drop protocol=tcp dst-port=2535 log=no log-prefix=""

61 X ;;; Drop Beagle.C-K
chain=virus action=drop protocol=tcp dst-port=2745 log=no log-prefix=""

62 X ;;; Drop MyDoom
chain=virus action=drop protocol=tcp dst-port=3127-3128 log=no log-prefix=""

63 X ;;; Drop Backdoor OptixPro
chain=virus action=drop protocol=tcp dst-port=3410 log=no log-prefix=""

64 X ;;; Drop Worm
chain=virus action=drop protocol=tcp dst-port=4444 log=no log-prefix=""

65 X ;;; Drop Worm
chain=virus action=drop protocol=udp dst-port=4444 log=no log-prefix=""

66 X ;;; Drop Sasser
chain=virus action=drop protocol=tcp dst-port=5554 log=no log-prefix=""

67 X ;;; Drop Beagle.B
chain=virus action=drop protocol=tcp dst-port=8866 log=no log-prefix=""

68 X ;;; Drop Dabber.A-B
chain=virus action=drop protocol=tcp dst-port=9898 log=no log-prefix=""

69 X ;;; Drop Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=10000 log=yes log-prefix="Drop Dumaru.Y"

70 X ;;; Drop MyDoom.B
chain=virus action=drop protocol=tcp dst-port=10080 log=no log-prefix=""

71 X ;;; Drop NetBus
chain=virus action=drop protocol=tcp dst-port=12345 log=no log-prefix=""

72 X ;;; Drop Kuang2
chain=virus action=drop protocol=tcp dst-port=17300 log=no log-prefix=""

73 X ;;; Drop SubSeven
chain=virus action=drop protocol=tcp dst-port=27374 log=no log-prefix=""

74 X ;;; Drop PhatBot, Agobot, Gaobot
chain=virus action=log protocol=tcp dst-port=65506 log=no log-prefix="Drop PhatBot, Agobot, Gaobot"

75 X ;;; Drop PhatBot, Agobot, Gaobot
chain=virus action=drop protocol=tcp dst-port=65506 log=no log-prefix=""

76 X ;;; Drop Trojan
chain=virus action=drop protocol=tcp dst-port=8130 log=no log-prefix=""

77 X ;;; Drop Trinoo
chain=virus action=drop protocol=udp dst-port=12667 log=no log-prefix=""

78 X ;;; Drop Trinoo
chain=virus action=drop protocol=udp dst-port=27665 log=no log-prefix=""

79 X ;;; DropTrinoo
chain=virus action=drop protocol=udp dst-port=31335 log=no log-prefix=""

80 X ;;; Drop Trinoo
chain=virus action=drop protocol=udp dst-port=34555 log=no log-prefix=""

81 X ;;; Drop Trinoo
chain=virus action=drop protocol=udp dst-port=35555 log=no log-prefix=""

82 X ;;; Drop Trinoo
chain=virus action=drop protocol=tcp dst-port=27444 log=no log-prefix=""

83 X ;;; Drop Trinoo
chain=virus action=drop protocol=tcp dst-port=27665 log=no log-prefix=""

84 X ;;; Drop Trinoo
chain=virus action=drop protocol=tcp dst-port=31335 log=no log-prefix=""

85 X ;;; Drop Trinoo
chain=virus action=drop protocol=tcp dst-port=31846 log=no log-prefix=""

86 X ;;; DropTrinoo
chain=virus action=drop protocol=tcp dst-port=35555 log=no log-prefix=""

87 X ;;; Drop 2869 UPNP
chain=virus action=drop protocol=tcp dst-port=2869 log=yes log-prefix="2869 UPNP"

88 X ;;; Drop trojan
chain=virus action=drop protocol=udp dst-port=1024,1025 log=no log-prefix=""

89 X ;;; Drop 2869 UPNP
chain=virus action=drop protocol=udp dst-port=2869 log=no log-prefix=""

90 X ;;; Drop Anti NETBIOS
chain=virus action=drop protocol=tcp src-port=135-139 log=no log-prefix=""

91 X chain=virus action=drop protocol=udp src-port=135-139 log=no log-prefix=""

92 X chain=virus action=drop protocol=tcp dst-port=135-139 log=no log-prefix=""

93 X chain=virus action=drop protocol=udp dst-port=135-139 log=no log-prefix=""

94 X chain=virus action=drop protocol=tcp dst-port=445 log=no log-prefix=""

95 X chain=virus action=drop protocol=udp src-port=445 log=no log-prefix=""

96 X chain=virus action=drop protocol=udp dst-port=445 log=no log-prefix=""

97 X chain=virus action=return log=no log-prefix=""

98 X ;;; ----------isolation----------
chain=forward action=jump jump-target=isolation log=no log-prefix=""

99 X chain=isolation action=drop src-address-list=Hotspot_Segment dst-address-list=Security_Segment log=no log-prefix=">

100 X chain=isolation action=drop src-address-list=Hotspot_Segment dst-address-list=Operations_Segment log=no
log-prefix=""

101 X chain=isolation action=return log=no log-prefix=""

102 X ;;; ----------ICMP_Input----------
chain=input action=jump jump-target=ICMP_Input protocol=icmp log=no log-prefix=""

103 X ;;; Allow 0:0 and limit for 5pac/s
chain=ICMP_Input action=accept protocol=icmp icmp-options=0:0-255 limit=5,5 log=no log-prefix=""

104 X ;;; Allow 3:3 and limit for 5pac/s
chain=ICMP_Input action=accept protocol=icmp icmp-options=3:3 limit=5,5 log=no log-prefix=""

105 X ;;; Allow 3:4 and limit for 5pac/s
chain=ICMP_Input action=accept protocol=icmp icmp-options=3:4 limit=5,5 log=no log-prefix=""

106 X ;;; Allow 8:0 and limit for 5pac/s
chain=ICMP_Input action=accept protocol=icmp icmp-options=8:0-255 limit=5,5 log=no log-prefix=""

107 X ;;; Allow 11:0 and limit for 5pac/s
chain=ICMP_Input action=accept protocol=icmp icmp-options=11:0-255 limit=5,5 log=no log-prefix=""

108 X ;;; Allow echo reply
chain=ICMP_Input action=accept protocol=icmp icmp-options=0:0 log=no log-prefix=""

109 X ;;; Allow net unreachable
chain=ICMP_Input action=accept protocol=icmp icmp-options=3:0 log=no log-prefix=""

110 X ;;; Allow host unreachable
chain=ICMP_Input action=accept protocol=icmp icmp-options=3:1 log=no log-prefix=""

111 X ;;; Allow host unreachable fragmentation required
chain=ICMP_Input action=accept protocol=icmp icmp-options=3:4 log=no log-prefix=""

112 X ;;; Allow source quench
chain=ICMP_Input action=accept protocol=icmp icmp-options=4:0 log=no log-prefix=""

113 X ;;; Allow echo request
chain=ICMP_Input action=accept protocol=icmp icmp-options=8:0 log=no log-prefix=""

114 X ;;; Allow time exceed
chain=ICMP_Input action=accept protocol=icmp icmp-options=11:0 log=no log-prefix=""

115 X ;;; Allow parameter bad
chain=ICMP_Input action=accept protocol=icmp icmp-options=12:0 log=no log-prefix=""

116 X chain=ICMP_Input action=log log=no log-prefix="ICMP_Input"

117 X ;;; deny all other types
chain=ICMP_Input action=drop log=no log-prefix=""

118 X ;;; ----------Allow 3-way handshake Input----------
chain=input action=jump jump-target=tcpflags_input protocol=tcp log=no log-prefix=""

119 X chain=tcpflags_input action=accept tcp-flags=syn connection-state=new protocol=tcp log=no log-prefix=""

120 X chain=tcpflags_input action=accept tcp-flags=syn,ack protocol=tcp log=no log-prefix=""

121 X chain=tcpflags_input action=accept tcp-flags=ack protocol=tcp log=no log-prefix=""

122 X chain=tcpflags_input action=accept tcp-flags=fin,ack protocol=tcp log=no log-prefix=""

123 X chain=tcpflags_input action=accept tcp-flags=psh,ack protocol=tcp log=no log-prefix=""

124 X chain=tcpflags_input action=accept tcp-flags=rst protocol=tcp log=no log-prefix=""

125 X chain=tcpflags_input action=accept tcp-flags=urg protocol=tcp log=no log-prefix=""

126 X chain=tcpflags_input action=passthrough log=no log-prefix=""

127 X ;;; ----------jump to chain services input----------
chain=input action=jump jump-target=services_input log=no log-prefix=""

128 X ;;; Allow Mikrotik CDP
chain=services_input action=accept protocol=udp dst-port=20561 log=no log-prefix=""

129 X ;;; Allow GRE protocol
chain=services_input action=accept protocol=gre log=no log-prefix=""

130 X ;;; Allow SSH
chain=services_input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

131 X ;;; Allow ftp
chain=services_input action=accept protocol=tcp dst-port=21 log=no log-prefix=""

132 X ;;; Allow Multicast
chain=services_input action=accept packet-mark=mltcst log=no log-prefix=""

133 X ;;; Allow DNS queries L7
chain=services_input action=accept layer7-protocol=dns log=no log-prefix=""

134 X ;;; Allow DNS queries
chain=services_input action=accept src-address-list=dns log=no log-prefix=""

135 X ;;; Allow SysLog
chain=services_input action=accept protocol=udp dst-port=514 log=no log-prefix=""

136 X ;;; Allow VPN - PPTP port
chain=services_input action=accept tcp-flags=syn protocol=tcp dst-port=1723 log=no log-prefix=""

137 X ;;; Allow MACwinbox
chain=services_input action=accept protocol=udp dst-port=20561 log=no log-prefix=""

138 X ;;; Allow Winbox
chain=services_input action=accept connection-mark=wnbx_in log=no log-prefix=""

139 X ;;; Allow SNMP
chain=services_input action=accept protocol=udp dst-port=161 log=no log-prefix=""

140 X ;;; Allow PPTP
chain=services_input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""

141 X ;;; Allow NTP
chain=services_input action=accept connection-mark=ntp_in log=no log-prefix=""

142 X ;;; Allow UPnP
chain=services_input action=accept protocol=udp dst-port=1900 log=no log-prefix=""

143 X ;;; Allow Dude
chain=services_input action=accept protocol=tcp dst-port=2210 log=no log-prefix=""

144 X ;;; Allow DHCP
chain=services_input action=accept protocol=udp port=67,68 log=no log-prefix=""

145 X ;;; Allow DNS L-7
chain=services_input action=accept layer7-protocol=dns log=no log-prefix=""

146 X ;;; Allow DNS
chain=services_input action=accept src-address-list=dns log=no log-prefix=""

147 X ;;; Allow Network Time Protocol
chain=services_input action=accept protocol=udp port=123 log=no log-prefix=""

148 X ;;; Allow Drop Box
chain=services_input action=accept protocol=udp port=17500 log=no log-prefix=""

149 X ;;; Allow Real-Time Transport Protocol (RTP)
chain=services_input action=accept protocol=udp port=16403 log=no log-prefix=""

150 X ;;; Allow GHS to GHS
chain=services_input action=accept src-address-list=Hotspot_Segment dst-address-list=Hotspot_Segment log=no
log-prefix=""

151 X ;;; Allow OPS to OPS
chain=services_input action=accept src-address-list=Operations_Segment dst-address-list=Operations_Segment log=no
log-prefix=""

152 X ;;; Allow SEC to SEC
chain=services_input action=accept src-address-list=Security_Segment dst-address-list=Security_Segment log=no
log-prefix=""

153 X ;;; Allow Cripto Mining
chain=services_input action=accept protocol=udp port=3334 log=no log-prefix=""

154 X ;;; Allow privet ports
chain=services_input action=accept protocol=udp port=6881,35845 log=no log-prefix=""

155 X ;;; Allow com_in
chain=services_input action=accept packet-mark=com_in log=no log-prefix=""

156 X ;;; Allow p2p_in
chain=services_input action=accept packet-mark=p2p_in log=no log-prefix=""

157 X ;;; Allow http_in
chain=services_input action=accept packet-mark=http_in log=no log-prefix=""

158 X ;;; Allow https_in
chain=services_input action=accept packet-mark=https_in log=no log-prefix=""

159 X ;;; Allow game_in
chain=services_input action=accept packet-mark=game_in log=no log-prefix=""

160 X ;;; Allow lan_in
chain=services_input action=accept packet-mark=lan_in log=no log-prefix=""

161 X ;;; Allow ur_in
chain=services_input action=accept packet-mark=ur_in log=no log-prefix=""

162 X ;;; Allow pro_in
chain=services_input action=accept packet-mark=pro_in log=no log-prefix=""

163 X ;;; Allow mltcst_in
chain=services_input action=accept dst-address-list=multicast log=no log-prefix=""

164 X ;;; Allow other_in
chain=services_input action=accept packet-mark=other_in log=no log-prefix=""

165 X ;;; Allow webproxy
chain=services_input action=accept src-address=192.168.40.254 packet-mark=other_in log=no log-prefix=""

166 X chain=services_input action=log src-address-list=!allow dst-address-list=!allow log=no
log-prefix="input_drop_the_rest"

167 X ;;; Drop the rest
chain=services_input action=drop src-address-list=!allow dst-address-list=!allow log=no log-prefix=""

168 X ;;; ----------ICMP_Forward----------
chain=forward action=jump jump-target=ICMP_Forward protocol=icmp log=no log-prefix=""

169 X ;;; Allow 0:0 and limit for 5pac/s
chain=ICMP_Forward action=accept protocol=icmp icmp-options=0:0-255 limit=5,5 log=no log-prefix=""

170 X ;;; Allow 3:3 and limit for 5pac/s
chain=ICMP_Forward action=accept protocol=icmp icmp-options=3:3 limit=5,5 log=no log-prefix=""

171 X ;;; Allow 3:4 and limit for 5pac/s
chain=ICMP_Forward action=accept protocol=icmp icmp-options=3:4 limit=5,5 log=no log-prefix=""

172 X ;;; Allow 8:0 and limit for 5pac/s
chain=ICMP_Forward action=accept protocol=icmp icmp-options=8:0-255 limit=5,5 log=no log-prefix=""

173 X ;;; Allow 11:0 and limit for 5pac/s
chain=ICMP_Forward action=accept protocol=icmp icmp-options=11:0-255 limit=5,5 log=no log-prefix=""

174 X ;;; Allow echo reply
chain=ICMP_Forward action=accept protocol=icmp icmp-options=0:0 log=no log-prefix=""

175 X ;;; Allow net unreachable
chain=ICMP_Forward action=accept protocol=icmp icmp-options=3:0 log=no log-prefix=""

176 X ;;; Allow host unreachable
chain=ICMP_Forward action=accept protocol=icmp icmp-options=3:1 log=no log-prefix=""

177 X ;;; Allow host unreachable fragmentation required
chain=ICMP_Forward action=accept protocol=icmp icmp-options=3:4 log=no log-prefix=""

178 X ;;; Allow source quench
chain=ICMP_Forward action=accept protocol=icmp icmp-options=4:0 log=no log-prefix=""

179 X ;;; Allow echo request
chain=ICMP_Forward action=accept protocol=icmp icmp-options=8:0 log=no log-prefix=""

180 X ;;; Allow time exceed
chain=ICMP_Forward action=accept protocol=icmp icmp-options=11:0 log=no log-prefix=""

181 X ;;; Allow parameter bad
chain=ICMP_Forward action=accept protocol=icmp icmp-options=12:0 log=no log-prefix=""

182 X chain=ICMP_Forward action=log src-address-list=!exception dst-address-list=!exception log=no
log-prefix="ICMP_Forward"

183 X ;;; deny all other types
chain=ICMP_Forward action=drop log=no log-prefix=""

184 X ;;; ----------Allow 3-way handshake Forward----------
chain=forward action=jump jump-target=tcpflags protocol=tcp log=no log-prefix=""

185 X chain=tcpflags action=accept tcp-flags=syn connection-state=new protocol=tcp log=no log-prefix=""

186 X chain=tcpflags action=accept tcp-flags=syn,ack protocol=tcp log=no log-prefix=""

187 X chain=tcpflags action=accept tcp-flags=ack connection-state=new protocol=tcp log=no log-prefix=""

188 X chain=tcpflags action=accept tcp-flags=fin,ack protocol=tcp log=no log-prefix=""

189 X chain=tcpflags action=accept tcp-flags=urg connection-state=new protocol=tcp log=no log-prefix=""

190 X chain=tcpflags action=accept tcp-flags=rst connection-state=new protocol=tcp log=no log-prefix=""

191 X chain=tcpflags action=accept tcp-flags=syn protocol=tcp log=no log-prefix=""

192 X chain=tcpflags action=accept tcp-flags=psh,ack connection-state=new protocol=tcp log=no log-prefix=""

193 X chain=tcpflags action=passthrough protocol=tcp log=no log-prefix=""

194 X ;;; ----------Jump to services_fwd----------
chain=forward action=jump jump-target=services_fwd log=no log-prefix=""

195 X ;;; Allow access to Video
chain=services_fwd action=accept protocol=tcp dst-port=12000-12002 log=no log-prefix=""

196 X ;;; Allow VPN - PPTP port
chain=services_fwd action=accept tcp-flags=syn protocol=tcp dst-port=1723 log=no log-prefix=""

197 X ;;; Allow SysLog
chain=services_fwd action=accept protocol=udp dst-port=10069 log=no log-prefix=""

198 X ;;; Allow SysLog
chain=services_fwd action=accept protocol=udp dst-port=514 log=no log-prefix=""

199 X ;;; Allow VPN - PPTP port
chain=services_fwd action=accept tcp-flags=syn protocol=tcp dst-port=1723 log=no log-prefix=""

200 X ;;; Allow Mysql database for JacoPos
chain=services_fwd action=accept protocol=tcp dst-port=3306 log=no log-prefix=""

201 X ;;; Allow MACwinbox
chain=services_fwd action=accept protocol=udp dst-port=20561 log=no log-prefix=""

202 X ;;; Allow Winbox
chain=services_fwd action=accept connection-mark=wnbx_in log=no log-prefix=""

203 X ;;; Allow winbox
chain=services_fwd action=accept protocol=tcp dst-port=8291 log=no log-prefix=""

204 X ;;; Allow MT Discovery Protocol
chain=services_fwd action=accept protocol=udp dst-port=5678 log=no log-prefix=""

205 X ;;; Allow SNMP
chain=services_fwd action=accept protocol=udp dst-port=161 log=no log-prefix=""

206 X ;;; Allow BGP
chain=services_fwd action=accept protocol=tcp dst-port=179 log=no log-prefix=""

207 X ;;; Allow SIP
chain=services_fwd action=accept protocol=udp dst-port=5000-5100 log=no log-prefix=""

208 X ;;; Allow NTP
chain=services_fwd action=accept protocol=udp port=123 log=no log-prefix=""

209 X ;;; Allow PPTP
chain=services_fwd action=accept protocol=tcp dst-port=1723 log=no log-prefix=""

210 X ;;; Allow PPTP and EoIP
chain=services_fwd action=accept protocol=gre log=no log-prefix=""

211 X ;;; Allow UPnP
chain=services_fwd action=accept protocol=udp port=1900 log=no log-prefix=""

212 X ;;; Allow UPnP
chain=services_fwd action=accept protocol=tcp port=5000 log=no log-prefix=""

213 X ;;; Allow DHCP
chain=services_fwd action=accept protocol=udp dst-port=67-68 log=no log-prefix=""

214 X ;;; Allow Dude
chain=services_fwd action=accept src-mac-address=54:04:A6:48:75:0F log=no log-prefix=""

215 X ;;; Allow SMTP
chain=services_fwd action=accept protocol=tcp dst-port=25 log=no log-prefix=""

216 X ;;; Allow Bootstrap Protocol
chain=services_fwd action=accept protocol=udp dst-port=67 log=no log-prefix=""

217 X ;;; Allow Nexus Portal
chain=services_fwd action=accept protocol=udp dst-port=4021 log=no log-prefix=""

218 X ;;; Allow DNS
chain=services_fwd action=accept protocol=udp dst-port=53 log=no log-prefix=""

219 X ;;; Allow DNS queries
chain=services_fwd action=accept protocol=tcp dst-port=53 log=no log-prefix=""

220 X ;;; Allow Real-Time Transport Protocol (RTP)
chain=services_fwd action=accept protocol=udp port=16403 log=no log-prefix=""

221 X ;;; Allow lan_in
chain=services_fwd action=accept packet-mark=lan_in log=no log-prefix=""

222 X ;;; Allow other_in
chain=services_fwd action=accept packet-mark=other_in log=no log-prefix=""

223 X ;;; Allow p2p_in
chain=services_fwd action=accept packet-mark=p2p_in log=no log-prefix=""

224 X ;;; Allow ur_in
chain=services_fwd action=accept packet-mark=ur_in log=no log-prefix=""

225 X ;;; Allow http_in
chain=services_fwd action=accept packet-mark=http_in log=no log-prefix=""

226 X ;;; Allow bitttorrent
chain=services_fwd action=accept protocol=udp src-port=10974 log=no log-prefix=""

227 X ;;; Allow all traffic to proxy
chain=services_fwd action=accept dst-address=192.168.40.254 log=no log-prefix=""

228 X ;;; Allow Teredo tunneling (Official)
chain=services_fwd action=accept protocol=udp port=3544 log=no log-prefix=""

229 X chain=services_fwd action=accept connection-state=established log=no log-prefix=""

230 X chain=services_fwd action=accept connection-state=related log=no log-prefix=""

231 X chain=services_fwd action=drop connection-state=invalid log=no log-prefix=""

232 X ;;; Allow All UDP
chain=services_fwd action=accept protocol=udp log=no log-prefix=""

233 X chain=services_fwd action=log src-address-list=!allow dst-address-list=!allow log=no
log-prefix="forward_drop_the_rest"

234 X ;;; Drop the rest
chain=services_fwd action=drop src-address-list=!allow dst-address-list=!allow log=no log-prefix=""

235 ;;; Allow winbox
chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""

236 ;;; Allow winbox
chain=forward action=accept protocol=tcp dst-port=8291 log=no log-prefix=""

237 ;;; Allow Router HTTP access
chain=forward action=accept protocol=tcp dst-port=89 log=no log-prefix=""

238 ;;; Allow Router winbox access
chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""

IP/FIREWALL/NAT
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-WAN-1 log=no log-prefix=""

1 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether2-WAN-2 log=no log-prefix=""
IP/FIREWALL/MANGLE
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=prerouting action=accept src-address=192.168.0.99 in-interface=ether2-WAN-2 log=no log-prefix=""

1 X ;;; START Bandwidth Load-ballancing --------------------------------------------------------------------
chain=Not Used action=accept log=no log-prefix=""

2 X chain=prerouting action=accept src-address-list=Connected dst-address-list=Connected log=no log-prefix=""

3 X chain=input action=mark-connection new-connection-mark=WAN1->ROS passthrough=yes in-interface=ether1-WAN-1 log=no
log-prefix=""

4 X chain=input action=mark-connection new-connection-mark=WAN2->ROS passthrough=yes in-interface=ether2-WAN-2 log=no
log-prefix=""

5 X chain=output action=mark-routing new-routing-mark=WAN1_rout passthrough=yes connection-mark=WAN1->ROS log=no
log-prefix=""

6 X chain=output action=mark-routing new-routing-mark=WAN2_rout passthrough=yes connection-mark=WAN2->ROS log=no
log-prefix=""

7 X chain=forward action=mark-connection new-connection-mark=WAN1->LANs passthrough=yes in-interface=ether1-WAN-1
log=no log-prefix=""

8 X chain=forward action=mark-connection new-connection-mark=WAN2->LANs passthrough=yes in-interface=ether2-WAN-2
log=no log-prefix=""

9 X chain=prerouting action=mark-routing new-routing-mark=WAN1_rout passthrough=yes src-address-list=lan
connection-mark=WAN1->LANs log=no log-prefix=""

10 X chain=prerouting action=mark-routing new-routing-mark=WAN2_rout passthrough=yes src-address-list=lan
connection-mark=WAN2->LANs log=no log-prefix=""

11 X chain=prerouting action=mark-connection new-connection-mark=LAN->WAN passthrough=yes dst-address-type=!local
src-address-list=lan dst-address-list=!Connected log=no log-prefix=""

12 X ;;; Load-Balancing here
chain=prerouting action=mark-routing new-routing-mark=WAN1_rout passthrough=yes src-address-list=lan
connection-mark=LAN->WAN log=no log-prefix=""

13 X chain=prerouting action=mark-connection new-connection-mark=Sticky_WAN1 passthrough=yes routing-mark=WAN1_rout
connection-mark=LAN->WAN log=no log-prefix=""

14 X chain=prerouting action=mark-connection new-connection-mark=Sticky_WAN2 passthrough=yes routing-mark=WAN2_rout
connection-mark=LAN->WAN log=no log-prefix=""

15 X chain=prerouting action=mark-routing new-routing-mark=WAN1_rout passthrough=yes src-address-list=lan
connection-mark=Sticky_WAN1 log=no log-prefix=""

16 X chain=prerouting action=mark-routing new-routing-mark=WAN2_rout passthrough=yes src-address-list=lan
connection-mark=Sticky_WAN2 log=no log-prefix=""

17 X ;;; END Bandwidth Load-ballancing --------------------------------------------------------------------
chain=Not Used action=accept log=no log-prefix=""

18 ;;; Bypass All LAN Traffic
chain=prerouting action=accept src-address-list=lan_all dst-address-list=lan_all log=no log-prefix=""

19 chain=postrouting action=accept src-address-list=lan_all dst-address-list=lan_all log=no log-prefix=""

20 X chain=prerouting action=mark-connection new-connection-mark=wan_in passthrough=yes in-interface=ether1-WAN-1 log=n>
log-prefix=""

21 X chain=postrouting action=mark-connection new-connection-mark=wan_out passthrough=yes out-interface=ether1-WAN-1
log=no log-prefix=""

22 X chain=prerouting action=mark-connection new-connection-mark=wan_in passthrough=yes in-interface=ether2-WAN-2 log=n>
log-prefix=""

23 X chain=postrouting action=mark-connection new-connection-mark=wan_out passthrough=yes out-interface=ether2-WAN-2
log=no log-prefix=""

24 ;;; DWN eDonkey2000
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no p2p=edonkey layer7-protocol=edonkey
connection-mark=wan_in log=no log-prefix=""

25 chain=postrouting action=mark-packet new-packet-mark=p2p_out passthrough=no p2p=edonkey layer7-protocol=edonkey
connection-mark=wan_out log=no log-prefix=""

26 ;;; DWN P2P 100bao
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=100bao
connection-mark=wan_in log=no log-prefix=""

27 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no layer7-protocol=100bao
connection-mark=wan_out log=no log-prefix=""

28 ;;; DWN P2P applejuice
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=applejuice
connection-mark=wan_in log=no log-prefix=""

29 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no layer7-protocol=applejuice
connection-mark=wan_out log=no log-prefix=""

30 ;;; DWN P2P ares
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=ares
connection-mark=wan_in log=no log-prefix=""

31 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no layer7-protocol=ares
connection-mark=wan_out log=no log-prefix=""

32 ;;; DWN P2P Direct Connect
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=directconnect
connection-mark=wan_in log=no log-prefix=""

33 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no layer7-protocol=directconnect
connection-mark=wan_out log=no log-prefix=""

34 ;;; DWN P2P FastTrack, Kazaa, Morpheus, iMesh, Grokster, etc
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=fasttrack
connection-mark=wan_in log=no log-prefix=""

35 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no layer7-protocol=fasttrack
connection-mark=wan_out log=no log-prefix=""

36 ;;; DWN P2P GnucleusLAN - LAN-only
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=gnucleuslan log=no
log-prefix=""

37 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no layer7-protocol=gnucleuslan
connection-mark=wan_out log=no log-prefix=""

38 ;;; DWN P2P Gnutella
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=gnutella
connection-mark=wan_in log=no log-prefix=""

39 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no layer7-protocol=gnutella
connection-mark=wan_out log=no log-prefix=""

40 ;;; DWN P2P GoBoogy - a Korean
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=goboogy
connection-mark=wan_in log=no log-prefix=""

41 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no layer7-protocol=goboogy
connection-mark=wan_out log=no log-prefix=""

42 ;;; DWN P2P iMesh - the native protocol of iMesh, a P2P application
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=imesh
connection-mark=wan_in log=no log-prefix=""

43 chain=postrouting action=mark-packet new-packet-mark=p2p_out passthrough=no layer7-protocol=imesh
connection-mark=wan_out log=no log-prefix=""

44 ;;; DWN P2P KuGoo - a Chinese
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=kugoo
connection-mark=wan_in log=no log-prefix=""

45 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no layer7-protocol=kugoo
connection-mark=wan_out log=no log-prefix=""

46 ;;; DWN P2P MUTE
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no layer7-protocol=mute
connection-mark=wan_in log=no log-prefix=""

47 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no layer7-protocol=mute
connection-mark=wan_out log=no log-prefix=""

48 ;;; DWN P2P Soulseek
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no p2p=soulseek layer7-protocol=soulseek
connection-mark=wan_in log=no log-prefix=""

49 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no p2p=soulseek layer7-protocol=soulseek
connection-mark=wan_out log=no log-prefix=""

50 ;;; UR Blizzard's Battle.net Diablo III
chain=prerouting action=mark-packet new-packet-mark=ur_in passthrough=no protocol=tcp port=1119,6881-6999
connection-mark=wan_in log=no log-prefix=""

51 chain=postrouting action=mark-packet new-packet-mark=ur_in passthrough=no protocol=tcp port=1119,6881-6999
connection-mark=wan_out log=no log-prefix=""

52 ;;; UR Blizzard's Battle.net gaming service and some games
chain=prerouting action=mark-packet new-packet-mark=ur_in passthrough=no protocol=tcp port=6112
connection-mark=wan_in log=no log-prefix=""

53 chain=postrouting action=mark-packet new-packet-mark=ur_out passthrough=no protocol=tcp layer7-protocol=edonkey
port=6112 connection-mark=wan_out log=no log-prefix=""

54 ;;; UR Google Play, Android Cloud to Device Messaging Service, Google Cloud Messaging
chain=prerouting action=mark-packet new-packet-mark=ur_in passthrough=no protocol=tcp port=5228
connection-mark=wan_in log=no log-prefix=""

55 chain=postrouting action=mark-packet new-packet-mark=ur_out passthrough=no protocol=tcp layer7-protocol=edonkey
port=5228 connection-mark=wan_out log=no log-prefix=""

56 ;;; UR Steam Game Client
chain=prerouting action=mark-packet new-packet-mark=ur_in passthrough=no protocol=udp port=27000-27030
connection-mark=wan_in log=no log-prefix=""

57 chain=postrouting action=mark-packet new-packet-mark=ur_out passthrough=no protocol=udp port=27000-27015
connection-mark=wan_out log=no log-prefix=""

58 ;;; UR Steam Download
chain=prerouting action=mark-packet new-packet-mark=ur_in passthrough=no protocol=tcp port=27014-27050
connection-mark=wan_in log=no log-prefix=""

59 chain=prerouting action=mark-packet new-packet-mark=ur_in passthrough=no protocol=udp port=27014-27050
connection-mark=wan_in log=no log-prefix=""

60 chain=postrouting action=mark-packet new-packet-mark=ur_out passthrough=no protocol=tcp port=27014-27050
connection-mark=wan_out log=no log-prefix=""

61 chain=postrouting action=mark-packet new-packet-mark=ur_out passthrough=no protocol=udp port=27014-27050
connection-mark=wan_out log=no log-prefix=""

62 ;;; P2P bittorent
chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no protocol=udp port=10974
connection-mark=wan_in log=no log-prefix=""

63 chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no layer7-protocol=bittorrent1
connection-mark=wan_in log=no log-prefix=""

64 chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no p2p=bit-torrent connection-mark=wan_in
log=no log-prefix=""

65 chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no layer7-protocol=bittorrent2
connection-mark=wan_in log=no log-prefix=""

66 chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no layer7-protocol=bittorrent3
connection-mark=wan_in log=no log-prefix=""

67 chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no layer7-protocol=bittorrent4
connection-mark=wan_in log=no log-prefix=""

68 chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no protocol=udp port=6681
connection-mark=wan_in log=no log-prefix=""

69 chain=postrouting action=mark-packet new-packet-mark=p2p_out passthrough=no protocol=udp port=10974
connection-mark=wan_out log=no log-prefix=""

70 chain=postrouting action=mark-packet new-packet-mark=p2p_out passthrough=no layer7-protocol=bittorrent1
connection-mark=wan_out log=no log-prefix=""

71 chain=postrouting action=mark-packet new-packet-mark=p2p_out passthrough=no p2p=bit-torrent connection-mark=wan_ou>
log=no log-prefix=""

72 chain=postrouting action=mark-packet new-packet-mark=p2p_out passthrough=no layer7-protocol=bittorrent2
connection-mark=wan_out log=no log-prefix=""

73 chain=postrouting action=mark-packet new-packet-mark=p2p_out passthrough=no layer7-protocol=bittorrent3
connection-mark=wan_out log=no log-prefix=""

74 chain=postrouting action=mark-packet new-packet-mark=p2p_out passthrough=no layer7-protocol=bittorrent4
connection-mark=wan_out log=no log-prefix=""

75 chain=postrouting action=mark-packet new-packet-mark=p2p_out passthrough=no protocol=udp port=6881
connection-mark=wan_out log=no log-prefix=""

76 ;;; DWN HTTP Download
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no protocol=tcp port=80
connection-mark=wan_in connection-bytes=500000-0 log=no log-prefix=""

77 chain=postrouting action=mark-packet new-packet-mark=dwn_out passthrough=no protocol=tcp port=80
connection-mark=wan_out connection-bytes=500000-0 log=no log-prefix=""

78 ;;; DWN HTTPS Download
chain=prerouting action=mark-packet new-packet-mark=dwn_in passthrough=no protocol=tcp port=443
connection-mark=wan_in connection-bytes=500000-0 log=no log-prefix=""

79 chain=postrouting action=mark-packet new-packet-mark=https_out passthrough=no protocol=tcp port=443
connection-mark=wan_out connection-bytes=500000-0 log=no log-prefix=""

80 ;;; HTTP HTTP Request
chain=prerouting action=mark-packet new-packet-mark=http_in passthrough=no protocol=tcp port=80
connection-mark=wan_in log=no log-prefix=""

81 chain=postrouting action=mark-packet new-packet-mark=http_out passthrough=no protocol=tcp port=80
connection-mark=wan_out log=no log-prefix=""

82 ;;; HTTP HTTPS Request
chain=prerouting action=mark-packet new-packet-mark=http_in passthrough=no protocol=tcp port=443
connection-mark=wan_in log=no log-prefix=""

83 chain=postrouting action=mark-packet new-packet-mark=http_out passthrough=no protocol=tcp port=443
connection-mark=wan_out log=no log-prefix=""

84 ;;; COM Secure Internet Live Conferencing (SILC) (Official)
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=706
connection-mark=wan_in log=no log-prefix=""

85 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp port=706
connection-mark=wan_out log=no log-prefix=""

86 ;;; COM RDP - Remote Desktop Protocol
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=3389
connection-mark=wan_in log=no log-prefix=""

87 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp port=3389
connection-mark=wan_out log=no log-prefix=""

88 ;;; COM Coin O Tron
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=3334
connection-mark=wan_in log=no log-prefix=""

89 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp layer7-protocol=vnc
port=3334 connection-mark=wan_out log=no log-prefix=""

90 ;;; COM vnc
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=5800,5900
connection-mark=wan_in log=no log-prefix=""

91 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp port=5800,5900
connection-mark=wan_out log=no log-prefix=""

92 ;;; COM winbox
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=8291
connection-mark=wan_in log=no log-prefix=""

93 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp port=8291
connection-mark=wan_out log=no log-prefix=""

94 ;;; COM Teamviewer application
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=Teamviewer
connection-mark=wan_in log=no log-prefix=""

95 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=Teamviewer
connection-mark=wan_out log=no log-prefix=""

96 ;;; COM Teamviewer1 application
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=Teamviewer1
connection-mark=wan_in log=no log-prefix=""

97 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=Teamviewer1
connection-mark=wan_out log=no log-prefix=""

98 ;;; COM Teamviewer2 application
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=5938
connection-mark=wan_in log=no log-prefix=""

99 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp port=5938
connection-mark=wan_out log=no log-prefix=""

100 ;;; COM MSN Messenger
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=msnmessenger
connection-mark=wan_in log=no log-prefix=""

101 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=msnmessenger
connection-mark=wan_out log=no log-prefix=""

102 ;;; COM MSN (Micosoft Network) Messenger file transfers
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=msn-filetransfer
connection-mark=wan_in log=no log-prefix=""

103 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=msn-filetransfer
connection-mark=wan_out log=no log-prefix=""

104 ;;; COM aim mesenger
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=aim
connection-mark=wan_in log=no log-prefix=""

105 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=aim
connection-mark=wan_out log=no log-prefix=""

106 ;;; COM Web service, iTunes Radio streams
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=8130
connection-mark=wan_in log=no log-prefix=""

107 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp
layer7-protocol=aimwebcontent port=8130 connection-mark=wan_out log=no log-prefix=""

108 ;;; COM aim_messenger_web
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=aimwebcontent
connection-mark=wan_in log=no log-prefix=""

109 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=aimwebcontent
connection-mark=wan_out log=no log-prefix=""

110 ;;; COM SIP - Session Initiation Protocol - Internet telephony
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=sip
connection-mark=wan_in connection-type=sip log=no log-prefix=""

111 chain=output action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=sip connection-mark=wan_ou>
connection-type=sip log=no log-prefix=""

112 ;;; COM Skype to phone - UDP voice call
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=udp layer7-protocol=skypeout
connection-mark=wan_in log=no log-prefix=""

113 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=udp layer7-protocol=skypeout
connection-mark=wan_out log=no log-prefix=""

114 ;;; COM Skype to Skype - UDP voice call
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=udp
layer7-protocol=skypetoskype connection-mark=wan_in log=no log-prefix=""

115 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=yes protocol=udp
layer7-protocol=skypetoskype connection-mark=wan_out log=no log-prefix=""

116 ;;; COM Skype
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=51477,40016
connection-mark=wan_in log=no log-prefix=""

117 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp port=51477,40016
connection-mark=wan_out log=no log-prefix=""

118 ;;; COM H.323 - Voice over IP
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=h323
connection-mark=wan_in log=no log-prefix=""

119 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=h323
connection-mark=wan_out log=no log-prefix=""

120 ;;; COM TeamSpeak - VoIP application
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=teamspeak
connection-mark=wan_in log=no log-prefix=""

121 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=Teamviewer
connection-mark=wan_out log=no log-prefix=""

122 ;;; COM IRC - Internet Relay Chat
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=irc
connection-mark=wan_in log=no log-prefix=""

123 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=irc
connection-mark=wan_out log=no log-prefix=""

124 ;;; COM FTP
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=udp port=21
connection-mark=wan_in log=no log-prefix=""

125 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=udp port=21
connection-mark=wan_out log=no log-prefix=""

126 ;;; COM SSH
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp layer7-protocol=ssh
port=22 connection-mark=wan_in log=no log-prefix=""

127 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp port=22
connection-mark=wan_out log=no log-prefix=""

128 ;;; COM POP, SMTP
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=25,110
connection-mark=wan_in log=no log-prefix=""

129 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp port=25,110
connection-mark=wan_out log=no log-prefix=""

130 ;;; COM POP31 - Post Office Protocol version 3
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=995
connection-mark=wan_in log=no log-prefix=""

131 chain=output action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp port=995
connection-mark=wan_out log=no log-prefix=""

132 ;;; COM POP3 - Post Office Protocol version 3
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=tcp port=995
connection-mark=wan_in log=no log-prefix=""

133 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=tcp port=995
connection-mark=wan_out log=no log-prefix=""

134 ;;; COM IMAP - Internet Message Access Protocol (A common e-mail protocol)
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no layer7-protocol=imap
connection-mark=wan_in log=no log-prefix=""

135 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no layer7-protocol=imap
connection-mark=wan_out log=no log-prefix=""

136 ;;; COM DNS - Domain Name System
chain=prerouting action=mark-packet new-packet-mark=com_in passthrough=no protocol=udp port=53
connection-mark=wan_in log=no log-prefix=""

137 chain=postrouting action=mark-packet new-packet-mark=com_out passthrough=no protocol=udp port=53
connection-mark=wan_out log=no log-prefix=""

138 ;;; PRO Extensible Messaging and Presence Protocol (XMPP) client connection over SSL (Official
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=5222-5223
connection-mark=wan_in log=no log-prefix=""

139 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no protocol=tcp port=5222-5223
connection-mark=wan_out log=no log-prefix=""

140 ;;; PRO bgp_routing
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no layer7-protocol=bgp
connection-mark=wan_in log=no log-prefix=""

141 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no layer7-protocol=bgp
connection-mark=wan_out log=no log-prefix=""

142 ;;; PRO RTSP tunneled within HTTP
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no layer7-protocol=http-rtsp
connection-mark=wan_in log=no log-prefix=""

143 chain=postrouting action=mark-packet new-packet-mark=pro_in passthrough=no layer7-protocol=http-rtsp
connection-mark=wan_out log=no log-prefix=""

144 ;;; PRO Ident - Identification Protocol - RFC 1413
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no layer7-protocol=ident
connection-mark=wan_in log=no log-prefix=""

145 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no layer7-protocol=ident
connection-mark=wan_out log=no log-prefix=""

146 ;;; PRO RTSP - Real Time Streaming Protocol
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no layer7-protocol=rtsp
connection-mark=wan_in log=no log-prefix=""

147 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no layer7-protocol=rtsp
connection-mark=wan_out log=no log-prefix=""

148 ;;; PRO FTPS Protocol (control): FTP over TLS/SSL (Official)
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=990
connection-mark=wan_in log=no log-prefix=""

149 chain=postrouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=990
connection-mark=wan_out log=no log-prefix=""

150 ;;; PRO Microsoft-DS Active Directory, Windows shares (Official)
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=445
connection-mark=wan_in log=no log-prefix=""

151 chain=postrouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=445
connection-mark=wan_out log=no log-prefix=""

152 ;;; PRO Mailbox Name Nameserver
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=105
connection-mark=wan_in log=no log-prefix=""

153 chain=postrouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=105
connection-mark=wan_out log=no log-prefix=""

154 ;;; PRO BGP (Border Gateway Protocol) (Official)
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=179
connection-mark=wan_in log=no log-prefix=""

155 chain=postrouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=179
connection-mark=wan_out log=no log-prefix=""

156 ;;; PRO Adobe Flash (Official)
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=843
connection-mark=wan_in log=no log-prefix=""

157 chain=postrouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=843
connection-mark=wan_out log=no log-prefix=""

158 ;;; PRO SMTP - Simple Mail Transfer Protocol
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no layer7-protocol=smtp
connection-mark=wan_in log=no log-prefix=""

159 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no layer7-protocol=smtp
connection-mark=wan_out log=no log-prefix=""

160 ;;; PRO ICMP
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=icmp connection-mark=wan_in
log=no log-prefix=""

161 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no protocol=icmp connection-mark=wan_out
log=no log-prefix=""

162 ;;; PRO IGMP- Internet Group Management Protocol
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=igmp connection-mark=wan_in
log=no log-prefix=""

163 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no protocol=igmp connection-mark=wan_out
log=no log-prefix=""

164 ;;; PRO dhcp
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no layer7-protocol=dhcp
connection-mark=wan_in log=no log-prefix=""

165 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no layer7-protocol=dhcp
connection-mark=wan_out log=no log-prefix=""

166 ;;; PRO NetBIOS - Network Basic Input Output System
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no layer7-protocol=netbios
connection-mark=wan_in log=no log-prefix=""

167 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no layer7-protocol=netbios
connection-mark=wan_out log=no log-prefix=""

168 ;;; PRO dude
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=2210 log=no
log-prefix=""

169 chain=output action=mark-packet new-packet-mark=pro_out passthrough=no protocol=tcp port=2210
connection-mark=wan_out log=no log-prefix=""

170 ;;; PRO Lite coin Wallet
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=9333
connection-mark=wan_in log=no log-prefix=""

171 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no protocol=tcp port=9333
connection-mark=wan_out log=no log-prefix=""

172 ;;; PRO Microsoft
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=tcp port=49100-49900
connection-mark=wan_in log=no log-prefix=""

173 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no protocol=tcp port=49100-49900
connection-mark=wan_out log=no log-prefix=""

174 ;;; PRO NNTP - Network News Transfer Protocol
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no layer7-protocol=nntp
connection-mark=wan_in log=no log-prefix=""

175 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no layer7-protocol=nntp
connection-mark=wan_out log=no log-prefix=""

176 ;;; PRO NTP - Network Time Protocol
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no layer7-protocol=ntp
connection-mark=wan_in log=no log-prefix=""

177 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no layer7-protocol=ntp
connection-mark=wan_out log=no log-prefix=""

178 ;;; PRO Teredo tunneling
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=udp port=3544
connection-mark=wan_in log=no log-prefix=""

179 chain=postrouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=udp port=3544
connection-mark=wan_out log=no log-prefix=""

180 ;;; PRO Mikrotik RouterOS Neighbor Discovery Protocol (MNDP)
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=udp port=5678
connection-mark=wan_in log=no log-prefix=""

181 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no protocol=udp port=5678
connection-mark=wan_out log=no log-prefix=""

182 ;;; PRO snmp161
chain=prerouting action=mark-packet new-packet-mark=pro_in passthrough=no protocol=udp port=161
connection-mark=wan_in log=no log-prefix=""

183 chain=postrouting action=mark-packet new-packet-mark=pro_out passthrough=no protocol=udp port=161
connection-mark=wan_out log=no log-prefix=""

184 ;;; ALL OTHER
chain=prerouting action=mark-packet new-packet-mark=other_in passthrough=no connection-mark=wan_in log=no
log-prefix="other_in"

185 chain=postrouting action=mark-packet new-packet-mark=other_out passthrough=no connection-mark=wan_out log=no
log-prefix="other_out"
IP/ROUTES
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.4.1               0
 1   S  0.0.0.0/0                          192.168.4.1               1
 2 X S  0.0.0.0/0                          1xx.7.2xx.101             2
 3 ADC  1xx.7.2xx.100/30   1xx.7.2xx.102   ether2-WAN-2              0
 4 ADC  192.168.0.0/24     192.168.0.1     ether3-OPS-1              0
 5 ADC  192.168.4.0/24     192.168.4.100   ether1-WAN-1              0
QUEUE/INTERFACE

 #   INTERFACE      QUEUE                 DEFAULT-QUEUE
 0   ether1-WAN-1   only-hardware-queue   only-hardware-queue
 1   ether2-WAN-2   only-hardware-queue   only-hardware-queue
 2   ether3-OPS-1   only-hardware-queue   only-hardware-queue
 3   ether4-OPS-2   only-hardware-queue   only-hardware-queue
 4   ether5-OPS-3   only-hardware-queue   only-hardware-queue
QUEUE/TREE
Flags: X - disabled, I - invalid
0 X name="Download" parent=global packet-mark="" limit-at=3M queue=pcq-in 3M priority=1 max-limit=3M burst-limit=3500k
burst-threshold=2500k burst-time=5s

1 X name="Upload" parent=global packet-mark="" limit-at=1200k queue=pcq-out 1200K priority=1 max-limit=1200k
burst-limit=1500k burst-threshold=1M burst-time=5s

2 I name="#3 http_in" parent=Download packet-mark=http_in limit-at=2900k queue=pcq-in 2900K priority=3 max-limit=2900k
burst-limit=3500k burst-threshold=2500k burst-time=5s

3 I name="#3 http_out" parent=Upload packet-mark=http_out limit-at=500k queue=pcq-out 1200K priority=3 max-limit=500k
burst-limit=1M burst-threshold=300k burst-time=5s

4 I name="#1 com_out" parent=Upload packet-mark=com_out limit-at=500k queue=pcq-out 1200K priority=1 max-limit=500k
burst-limit=1M burst-threshold=300k burst-time=5s

5 I name="#7 pro_in" parent=Download packet-mark=pro_in limit-at=2850k queue=pcq-in 2850K priority=7 max-limit=2850k
burst-limit=3500k burst-threshold=2500k burst-time=10s

6 I name="#7 pro_out" parent=Upload packet-mark=pro_out limit-at=500k queue=pcq-out 1200K priority=7 max-limit=500k
burst-limit=1M burst-threshold=300k burst-time=5s

7 I name="#4 dwn_in" parent=Download packet-mark=dwn_in limit-at=2850k queue=pcq-in 2850K priority=4 max-limit=2850k
burst-limit=3500k burst-threshold=1500k burst-time=5s

8 I name="#4 dwn_out" parent=Upload packet-mark=dwn_out limit-at=500k queue=pcq-out 1200K priority=4 max-limit=500k
burst-limit=1M burst-threshold=300k burst-time=5s

9 I name="#8 p2p_in" parent=Download packet-mark=p2p_in limit-at=2400k queue=pcq-in 1400K priority=8 max-limit=2400k
burst-limit=3500k burst-threshold=2500k burst-time=5s

10 I name="#8 p2p_out" parent=Upload packet-mark=p2p_out limit-at=400k queue=pcq-out 400K priority=8 max-limit=400k
burst-limit=900k burst-threshold=250k burst-time=5s

11 I name="#5 other_in" parent=Download packet-mark=other_in limit-at=2850k queue=pcq-in 2850K priority=5 max-limit=2850>
burst-limit=3500k burst-threshold=2500k burst-time=10s

12 I name="#5 other_out" parent=Upload packet-mark=other_out limit-at=500k queue=pcq-out 1200K priority=5 max-limit=500k
burst-limit=1M burst-threshold=300k burst-time=5s

13 I name="#2 ur_in" parent=Download packet-mark=ur_in limit-at=2900k queue=pcq-in 2900K priority=2 max-limit=2900k
burst-limit=3500k burst-threshold=2500k burst-time=5s

14 I name="#2 ur_out" parent=Upload packet-mark=ur_out limit-at=500k queue=pcq-out 1200K priority=2 max-limit=500k
burst-limit=0 burst-threshold=0 burst-time=0s

15 I name="#1 com_in" parent=Download packet-mark=com_in limit-at=2950k queue=pcq-in 2950K priority=1 max-limit=2950k
burst-limit=3M burst-threshold=2500k burst-time=5s

There are too many messy rules for me to go through on my phone. I will look again when I have time to sit at a computer. Anyway, do you believe that you really need those rules? Why not remove them all and build your own set of simple rules that you clearly understand?

Thanks Jarda,

I had posted more than just filter rules. I had included the following:
1. INTERFACE
2. IP/ARP
3. IP/ADDRESS
4. IP/DHCP-Client
5. IP/DNS
6. IP/FIREWALL/FILTER
7. IP/FIREWALL/MANGLE
8. IP/FIREWALL/NAT
9. IP/ROUTES
10. QUEUE/INTERFACE
11. QUEUE/TREE
Almost all the filter rules are disabled except for the rules accepting traffic from winbox and HTTP router access and those are located towards the end of the rule set.

Ok,
I guess you have found some config somewhere and just pasted it in. I would not suggest that; even if the rules are well meant, if they do not fit your situation, they could be more problematic than helpful.

If you can, I suggest doing the following:

Reset the configuration and remove all defaults. Start with one WAN first.
Set the ports, bridges, IP addresses, DHCP clients and server. Enable SNTP to get the time. Set DNS servers and allow remote DNS requests.
Check in IP services that ports 8291 and 80 are enabled.

Then set basic firewall rules:

  • forward drop invalid from wan
  • forward accept established from wan
  • forward accept related from wan
  • forward drop all from wan
  • input drop invalid from wan
  • input accept established from wan
  • input accept related from wan
  • input drop udp dst-port 53 from wan
  • input tarpit tcp dst-port 53 from wan
  • input accept tcp dst-port 80
  • input accept tcp dst-port 8291 from wan
  • input drop all from wan

Then set masquerade srcnat out interface wan.

Now it should be working correctly, at least from the first WAN. If so, it's time to take care of dual-WAN handling.
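
The rule list above written out as RouterOS commands, as an added example that is not part of the original post. It assumes ether1-WAN-1 (the first WAN interface in the posted configuration) is the WAN side and that the filter and NAT tables are empty after the reset.

```routeros
# Added example, not from the thread. Assumption: WAN = ether1-WAN-1,
# filter and NAT tables empty. Rules are matched top to bottom, so the
# order below is the order of the list in the post.

# Management services the post says to check (Winbox 8291, HTTP 80)
/ip service
set winbox disabled=no port=8291
set www disabled=no port=80

/ip firewall filter
# forward chain: only replies to LAN-initiated traffic may enter from WAN
add chain=forward in-interface=ether1-WAN-1 connection-state=invalid action=drop
add chain=forward in-interface=ether1-WAN-1 connection-state=established action=accept
add chain=forward in-interface=ether1-WAN-1 connection-state=related action=accept
add chain=forward in-interface=ether1-WAN-1 action=drop

# input chain: traffic addressed to the router itself
add chain=input in-interface=ether1-WAN-1 connection-state=invalid action=drop
add chain=input in-interface=ether1-WAN-1 connection-state=established action=accept
add chain=input in-interface=ether1-WAN-1 connection-state=related action=accept
# "allow remote DNS requests" serves the LAN; keep the resolver closed to WAN
add chain=input in-interface=ether1-WAN-1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1-WAN-1 protocol=tcp dst-port=53 action=tarpit
# HTTP is listed without "from wan", so no in-interface match here
add chain=input protocol=tcp dst-port=80 action=accept
add chain=input in-interface=ether1-WAN-1 protocol=tcp dst-port=8291 action=accept
# Everything else arriving from WAN is dropped. The two management accepts
# above can be narrowed by adding src-address=<admin network> (placeholder).
add chain=input in-interface=ether1-WAN-1 action=drop

/ip firewall nat
add chain=srcnat out-interface=ether1-WAN-1 action=masquerade
```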

Thanks jarda,

As it turns out I was missing two routing rules and needed to make a minor adjustment on my distances.

This is with the new rules and distance adjustment.

/ip route
add check-gateway=ping distance=1 gateway=192.168.4.1 routing-mark=WAN1_rout
add check-gateway=ping distance=1 gateway=1xx.7.2xx.101 routing-mark=\
    WAN2_rout scope=10
add check-gateway=ping distance=1 gateway=192.168.4.1
add check-gateway=ping distance=2 gateway=1xx.7.2xx.101 scope=10

The reason for the routing marks is because I am using Bandwidth based load balancing.

I now have access via winbox/HTTP and load balancing/failover are now working fine.

We have been developing these rules over some time and they are well tested over multiple routers with some routers supporting over 50 clients. The problem is Bandwidth based load balancing is still new to me.

Thank you for your help

You're welcome, even though I didn’t help you directly. Sometimes just discussing the problem brings you to the solution. Have a nice day.

I had this problem in the past and it was due to an MTU issue. Resolved by enabling jumbo frames on one switch.