Hi,

I am the admin for a network in a fraternity house of about 50 college students. I have a RB433 providing most network functionality, with several access points throughout the house. For a while, I had a simple P2P filter setup that was able to block bittorrent traffic. We switched ISPs and one of the other people in the house thought they knew how to admin the MT device with webbox. My filter rules got erased and now I can't get the P2P filter set up. I have read a lot of the forum posts that advise adding a forward rule to drop all p2p. I tried this several times and couldnt get it working. I eventually decided to start over and followed Dimitry's wiki entry about setting up protocol classifiers and filter rules. I also tried marking the connections as P2P and dropping those. I still can't figure it out. I've attached the entire export in case my problems are not in the filter chain. I'm hoping someone can help me.

Thanks much,

John

[admin@MikroTik] > export

mar/03/2010 12:02:31 by RouterOS 4.4

software id = E604-R76C

/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment=Internet disabled=no
full-duplex=yes l2mtu=1526 mac-address=00:0C:42:28:89:03 mtu=1500 name=
Public speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited
comment=LAN disabled=no full-duplex=yes l2mtu=1522 mac-address=
00:0C:42:28:89:04 master-port=none mtu=1500 name=Local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited
comment="Extra Port (Admin)" disabled=no full-duplex=yes l2mtu=1522
mac-address=00:0C:42:28:89:05 master-port=none mtu=1500 name=ether3
speed=100Mbps
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers=
"" group-key-update=5m interim-update=0s management-protection=disabled
management-protection-key="" mode=none name=default
radius-eap-accounting=no radius-mac-accounting=no
radius-mac-authentication=no radius-mac-caching=disabled
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=
none static-key-0="" static-key-1="" static-key-2="" static-key-3=""
static-sta-private-algo=none static-sta-private-key=""
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=
none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key=""
wpa2-pre-shared-key=""
/ip firewall layer7-protocol
add comment="" name=LimeWire regexp="^(gnd[\x01\x02]?.?.?\x01|gnutella
_connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.u
ser-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|i
mesh)|get /.content-type: application/x-gnutella-packets|giv [0-9]:[0-
9a-f]/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9
][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutell
a.content-type: application/x-gnutella|...................?lime)"
add comment="" name=HTTPS regexp=
"^(.?.?\x16\x03.\x16\x03|.?.?\x01\x03\x01?.*\x0b)"
add comment="" name=BITTORRENT2 regexp="^(\x13bittorrent protocol)"
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no
use-radius=no
/ip hotspot user profile
set default advertise=no idle-timeout=none keepalive-timeout=2m name=
default open-status-page=always shared-users=1 status-autorefresh=1m
transparent-proxy=yes
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des
lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=pool1 ranges=10.0.0.15-10.0.0.254
add name=dhcp_pool1 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=pool1 authoritative=yes bootp-support=static disabled=no
interface=Local lease-time=3d name="DU intranet DHCP server"
add address-pool=pool1 authoritative=after-2sec-delay bootp-support=static
disabled=no interface=ether3 lease-time=3d name=server1
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none
stop-bits=1
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default
use-compression=default use-encryption=default use-vj-compression=
default
set default-encryption change-tcp-mss=yes comment="" name=
default-encryption only-one=default use-compression=default
use-encryption=yes use-vj-compression=default
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
max-limit=0 name=Download packet-mark=users parent=Local priority=8
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=
1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=
10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514
sfq-perturb=5
add kind=pcq name=pcq-download pcq-classifier=dst-address pcq-limit=150
pcq-rate=0 pcq-total-limit=2000
add kind=pcq name=pcq-upload pcq-classifier=src-address pcq-limit=50
pcq-rate=0 pcq-total-limit=2000
set default-small kind=pfifo name=default-small pfifo-limit=10
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0
max-limit=0 name=queue1 packet-mark=users parent=Download priority=8
queue=pcq-download
/routing bgp instance
set default as=65530 client-to-client-reflection=yes comment="" disabled=no
ignore-as-path-len=no name=default out-filter=""
redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=
no redistribute-rip=no redistribute-static=no router-id=0.0.0.0
routing-table=""
/routing ospf instance
set default comment="" disabled=no distribute-default=never in-filter=
ospf-in metric-bgp=auto metric-connected=20 metric-default=1
metric-other-ospf=auto metric-rip=20 metric-static=20 name=default
out-filter=ospf-out redistribute-bgp=no redistribute-connected=no
redistribute-other-ospf=no redistribute-rip=no redistribute-static=no
router-id=0.0.0.0
/routing ospf area
set backbone area-id=0.0.0.0 comment="" disabled=no instance=default name=
backbone type=default
/snmp
set contact="" enabled=yes engine-boots=47 engine-id="" location=""
time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=0.0.0.0/0 authentication-password=""
authentication-protocol=MD5 encryption-password="" encryption-protocol=
DES name=public read-access=yes security=none write-access=no
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=
memory
set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100
disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=no name=remote remote=0.0.0.0:514 src-address=0.0.0.0
syslog-facility=daemon syslog-severity=auto target=remote
/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet
boot-protocol=bootp cpu-frequency=300MHz enable-jumper-reset=yes
enter-setup-on=any-key force-backup-booter=no
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet
boot-protocol=bootp cpu-frequency=300MHz enable-jumper-reset=yes
enter-setup-on=any-key force-backup-booter=no
/user group
add comment="" name=read policy="local,telnet,ssh,reboot,read,test,winbox,pa
ssword,web,sniff,sensitive,!ftp,!write,!policy"
add comment="" name=write policy="local,telnet,ssh,reboot,read,write,test,wi
nbox,password,web,sniff,sensitive,!ftp,!policy"
add comment="" name=full policy="local,telnet,ssh,ftp,reboot,read,write,poli
cy,test,winbox,password,web,sniff,sensitive"
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no
use-ip-firewall-for-vlan=no
/interface ethernet switch port
set (unknown)
set (unknown)
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128
default-profile=default enabled=no keepalive-timeout=60 mac-address=
FE:A8:09:F0:6D:3D max-mtu=1500 mode=ip netmask=24 port=1194
require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10
multiple-channels=no only-headers=no receive-errors=no
streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=10.0.0.1/24 broadcast=10.0.0.255 comment="" disabled=no
interface=Local network=10.0.0.0
/ip dhcp-client
add add-default-route=yes client-id=DUinet comment=""
default-route-distance=0 disabled=no interface=Public use-peer-dns=yes
use-peer-ntp=yes
add add-default-route=yes comment="" default-route-distance=0 disabled=no
interface=ether3 use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server lease
add address=10.0.0.4 comment="" disabled=no mac-address=00:16:01:8A:29:EC
add address=10.0.0.5 comment="" disabled=no mac-address=00:80:77:CC:EF:45
add address=10.0.0.10 client-id=1:0:1d:60:dc:c8:2e comment="" disabled=no
mac-address=00:1D:60:DC:C8:2E server="DU intranet DHCP server"
add address=10.0.0.12 comment="" disabled=yes mac-address=00:30:C1:0B:4A:A1
/ip dhcp-server network
add address=10.0.0.0/24 comment="" dns-server=216.231.41.2 gateway=10.0.0.1
netmask=24 wins-server=10.0.0.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB
max-udp-packet-size=512 primary-dns=10.1.10.1 secondary-dns=
216.231.41.2
/ip firewall address-list
add address=0.0.0.0/8 comment="illegal addresses" disabled=no list=
illegal-addr
add address=127.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=224.0.0.0/3 comment="" disabled=no list=illegal-addr
add address=10.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=172.16.0.0/12 comment="" disabled=no list=illegal-addr
add address=192.168.0.0/16 comment="" disabled=no list=illegal-addr
add address=10.0.0.0/24 comment="my local network" disabled=no list=
local-addr
add address=10.0.0.0/24 comment="my src-nated local network hosts"
disabled=no list=nat-addr
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="" disabled=no p2p=all-p2p
add action=drop chain=input comment="" disabled=yes in-interface=Local p2p=
all-p2p
add action=drop chain=forward comment="Block bit-torrent" disabled=no p2p=
bit-torrent
add action=add-src-to-address-list address-list=p2p-users
address-list-timeout=0s chain=forward comment="Block all P2P"
connection-mark=p2p disabled=no src-address-list=local-addr
add action=drop chain=forward comment="" connection-mark=p2p disabled=no
add action=jump chain=forward comment="Sanity Check Forward" disabled=no
jump-target=sanity-check
add action=jump chain=sanity-check comment="Deny illegal NAT traversal"
disabled=no jump-target=drop packet-mark=nat-traversal
add action=add-src-to-address-list address-list=blocked-addr
address-list-timeout=1d chain=sanity-check comment="Block port scans"
disabled=yes protocol=tcp psd=20,3s,3,1
add action=add-src-to-address-list address-list=blocked-addr
address-list-timeout=1d chain=sanity-check comment=
"Block TCP Null scan" disabled=no protocol=tcp tcp-flags=
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=blocked-addr
address-list-timeout=1d chain=sanity-check comment=
"Block TCP Xmas scan" disabled=no protocol=tcp tcp-flags=
!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=sanity-check comment="" disabled=no jump-target=drop
protocol=tcp src-address-list=blocked-addr
add action=jump chain=sanity-check comment="Drop TCP RST" disabled=no
jump-target=drop protocol=tcp tcp-flags=rst
add action=jump chain=sanity-check comment="Drop TCP SYN+FIN" disabled=no
jump-target=drop protocol=tcp tcp-flags=fin,syn
add action=jump chain=sanity-check comment=
"Dropping invalid connections at once" connection-state=invalid
disabled=no jump-target=drop
add action=accept chain=sanity-check comment=
"Accepting already established connections" connection-state=
established disabled=no
add action=accept chain=sanity-check comment=
"Also accepting related connections" connection-state=related disabled=
no
add action=jump chain=sanity-check comment=
"Drop all traffic that goes to multicast or broadcast addresses"
disabled=no dst-address-type=broadcast,multicast jump-target=drop
add action=jump chain=sanity-check comment="Drop illegal source addresses"
disabled=no in-interface=Public jump-target=drop src-address-list=
illegal-addr
add action=jump chain=sanity-check comment="Drop everything that goes from p
ublic interface but not to local address" disabled=no dst-address-list=
!local-addr in-interface=Public jump-target=drop
add action=jump chain=sanity-check comment=
"Drop all traffic that comes from multicast or broadcast addresses"
disabled=no jump-target=drop src-address-type=broadcast,multicast
add action=jump chain=forward comment="" disabled=no jump-target=
restrict-tcp protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=
restrict-udp protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=
restrict-ip
add action=reject chain=restrict-tcp comment="" connection-mark=auth
disabled=no reject-with=icmp-network-unreachable
add action=jump chain=restrict-tcp comment="anti-spam policy"
connection-mark=smtp disabled=no jump-target=smtp-first-drop
add action=add-src-to-address-list address-list=approved-smtp
address-list-timeout=0s chain=smtp-first-drop comment="" disabled=no
src-address-list=first-smtp
add action=return chain=smtp-first-drop comment="" disabled=no
src-address-list=approved-smtp
add action=add-src-to-address-list address-list=first-smtp
address-list-timeout=0s chain=smtp-first-drop comment="" disabled=no
add action=reject chain=smtp-first-drop comment="" disabled=no reject-with=
icmp-network-unreachable
add action=jump chain=restrict-tcp comment="" connection-mark=other-tcp
disabled=no jump-target=drop
add action=jump chain=restrict-udp comment="" connection-mark=other-udp
disabled=no jump-target=drop
add action=jump chain=restrict-ip comment="" connection-mark=other
disabled=no jump-target=drop
add action=accept chain=input comment=
"Allow local traffic (between router applications)" disabled=no
dst-address-type=local src-address-type=local
add action=jump chain=input comment="Sanity Check" disabled=no jump-target=
sanity-check
add action=jump chain=input comment="Dropping packets not destined to the ro
uter itself, including all broadcast traffic" disabled=no
dst-address-type=!local jump-target=drop
add action=accept chain=input comment=
"Allow pings, but at a very limited rate (5 packets per sec)"
connection-mark=ping disabled=no limit=5,5
add action=jump chain=input comment=
"Allowing some services to be accessible from the Internet" disabled=no
in-interface=Public jump-target=public-services
add action=jump chain=input comment="" disabled=no jump-target=drop
add action=accept chain=dhcp comment="" disabled=no dst-address=
255.255.255.255 src-address=0.0.0.0
add action=accept chain=dhcp comment="" disabled=no dst-address-type=local
src-address=0.0.0.0
add action=accept chain=dhcp comment="" disabled=no dst-address-type=local
src-address-list=local-addr
add action=accept chain=local-services comment="SSH (22/TCP)"
connection-mark=ssh disabled=no
add action=accept chain=local-services comment=DNS connection-mark=dns
disabled=no
add action=accept chain=local-services comment="HTTP Proxy (3128/TCP)"
connection-mark=proxy disabled=no
add action=accept chain=local-services comment="Winbox (8291/TCP)"
connection-mark=winbox disabled=no
add action=log chain=local-services comment=
"Log & Drop Other Local Services" disabled=no log-prefix=""
add action=drop chain=local-services comment="" disabled=yes
add action=accept chain=public-services comment="SSH (22/TCP)"
connection-mark=ssh disabled=no
add action=accept chain=public-services comment="PPTP (1723/TCP)"
connection-mark=pptp disabled=no
add action=accept chain=public-services comment="Winbox (8291/TCP)"
connection-mark=winbox disabled=no
add action=accept chain=public-services comment="GRE for PPTP"
connection-mark=gre disabled=no
add action=log chain=public-services comment=
"Log & Drop Other Public Services" disabled=no log-prefix=""
add action=drop chain=public-services comment="" disabled=yes
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Detect NAT Traversal"
disabled=no dst-address-list=nat-addr in-interface=Public
new-packet-mark=nat-traversal passthrough=no
add action=jump chain=prerouting comment="" connection-state=new disabled=
no jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting comment="" connection-state=new disabled=
no jump-target=udp-services protocol=udp
add action=mark-connection chain=p2p-service comment="" disabled=no
new-connection-mark=p2p p2p=all-p2p passthrough=no
add action=jump chain=prerouting comment="" connection-state=new disabled=
no jump-target=other-services
add action=jump chain=prerouting comment="" disabled=no jump-target=
p2p-service p2p=all-p2p
add action=jump chain=prerouting comment="" disabled=no jump-target=
p2p-service layer7-protocol=BITTORRENT2
add action=jump chain=prerouting comment="" connection-state=new disabled=
no dst-port=443 jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting comment="" connection-state=new disabled=
no dst-port=!443 jump-target=p2p-service layer7-protocol=HTTPS
protocol=tcp
add action=jump chain=prerouting comment="" connection-state=new disabled=
no jump-target=tcp-services protocol=tcp tcp-flags=syn
add action=jump chain=prerouting comment="" connection-state=new disabled=
no jump-target=udp-services protocol=udp
add action=jump chain=prerouting comment="" connection-state=new disabled=
no jump-target=other-services
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=443 new-connection-mark=https passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=20-21 new-connection-mark=ftp passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=22 new-connection-mark=ssh passthrough=no protocol=tcp
src-port=513-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=23 new-connection-mark=telnet passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=25 new-connection-mark=smtp passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp
src-port=53
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=80 new-connection-mark=http passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=110 new-connection-mark=pop3 passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=113 new-connection-mark=auth passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=119 new-connection-mark=nntp passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=143 new-connection-mark=imap passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=161-162 new-connection-mark=snmp passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=443 new-connection-mark=https passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=465 new-connection-mark=smtps passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=993 new-connection-mark=imaps passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=995 new-connection-mark=pop3s passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=1723 new-connection-mark=pptp passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=2379 new-connection-mark=kgs passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=3128 new-connection-mark=proxy passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=3389 new-connection-mark=win-ts passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=4242-4243 new-connection-mark=emule passthrough=no protocol=
tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=1024-65535 new-connection-mark=overnet passthrough=no
protocol=tcp src-port=4661-4662
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=1024-65535 new-connection-mark=emule passthrough=no protocol=
tcp src-port=4711
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=5900-5901 new-connection-mark=vnc passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=6667-6669 new-connection-mark=irc passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=6881-6889 new-connection-mark=bittorrent passthrough=no
protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=8080 new-connection-mark=http passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no
new-connection-mark=other-tcp passthrough=no protocol=tcp
add action=mark-connection chain=udp-services comment="" disabled=no
dst-port=53 new-connection-mark=dns passthrough=no protocol=udp
src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no
dst-port=123 new-connection-mark=ntp passthrough=no protocol=udp
src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no
dst-port=1701 new-connection-mark=l2tp passthrough=no protocol=udp
src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no
dst-port=4665 new-connection-mark=emule passthrough=no protocol=udp
src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no
dst-port=4672 new-connection-mark=emule passthrough=no protocol=udp
src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no
dst-port=1024-65535 new-connection-mark=emule passthrough=no protocol=
udp src-port=4672
add action=mark-connection chain=udp-services comment="" disabled=no
dst-port=12053 new-connection-mark=overnet passthrough=no protocol=udp
src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no
dst-port=1024-65535 new-connection-mark=overnet passthrough=no
protocol=udp src-port=12053
add action=mark-connection chain=udp-services comment="" disabled=no
dst-port=1024-65535 new-connection-mark=skype passthrough=no protocol=
udp src-port=36725
add action=mark-connection chain=udp-services comment="" connection-state=
new disabled=no new-connection-mark=other-udp passthrough=no protocol=
udp
add action=mark-connection chain=other-services comment="" disabled=no
icmp-options=8:0-255 new-connection-mark=ping passthrough=no protocol=
icmp
add action=mark-connection chain=other-services comment="" disabled=no
new-connection-mark=gre passthrough=no protocol=gre
add action=mark-connection chain=other-services comment="" disabled=no
new-connection-mark=other passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no
out-interface=Public
add action=redirect chain=dstnat comment="Transparent DNS Cache"
connection-mark=dns disabled=yes in-interface=Local
add action=redirect chain=dstnat comment="Transparent Web Cache"
connection-mark=http disabled=yes in-interface=Local protocol=tcp
to-ports=3128
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061
set pptp disabled=yes
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set Public discover=yes
set Local discover=yes
set ether3 discover=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4
cache-on-disk=no enabled=no max-cache-size=none max-client-connections=
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0
parent-proxy-port=0 port=8080 serialize-connections=no src-address=
0.0.0.0
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ip upnp interfaces
add disabled=yes interface=Public type=external
add disabled=yes interface=Local type=internal
add disabled=no interface=ether3 type=internal
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
add comment="" disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0
use-explicit-null=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set Public queue=pcq-upload
set Local queue=pcq-download
set ether3 queue=ethernet-default
/radius incoming
set accept=no port=3799
/routing bfd interface
set all comment="" disabled=no interface=all interval=0.2sec min-rx=0.2sec
multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m
gateway-selection=no-gateway origination-interval=5s preferred-gateway=
0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1
metric-connected=1 metric-default=1 metric-ospf=1 metric-static=1
redistribute-bgp=no redistribute-connected=no redistribute-ospf=no
redistribute-static=no routing-table=main timeout-timer=3m
update-timer=30s
/store
add comment="" disabled=no disk=system name=web-proxy1 type=web-proxy
/system clock
set time-zone-name=America/Los_Angeles
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=
"jan/01/1970 00:00:00" time-zone=+00:00
/system console
add disabled=no port=serial0 term=vt102
/system health
set fan-mode=auto use-fan=main
/system identity
set name=MikroTik
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=169.229.70.64 secondary-ntp=
97.107.128.165
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m
watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=
10
/tool e-mail
set from=<> password="" server=0.0.0.0:25 username=""
/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes
/tool mac-server
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535
filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only
filter-stream=yes interface=all memory-limit=10 memory-scroll=no
only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-monitor
add comment="" disabled=no interface=Public name=tmon1 on-event=""
threshold=0 traffic=received trigger=above
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no
[admin@MikroTik] >