When I have FastTrack activated, filter rules don’t work…
What can I do?
Thank you
Post more details, like what MikroTik you use, what rules did not work and what you want to achieve with the rules.
To post an export of your configuration (/export file=[filename] hide-sensitive) would help too.
Have you read the manual: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
Warning: Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic.
Connection is FastTracked until connection is closed, timed-out or router is rebooted.
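To see which rules in an export are affected by the manual's warning, the following added example (not part of the original thread, and not MikroTik code) parses the `/ip firewall filter` section and classifies every rule by what it can still see once an enabled `fasttrack-connection` rule sits above it in the same chain. The sample export is constructed from rules of the kind posted in this thread, with some of them enabled for illustration; the function names and the `reach` labels are assumptions of the example.

```python
import shlex
from typing import NamedTuple

# Matchers that inspect packet payload. A TCP SYN carries no payload, so a
# rule using them can only match packets of an already established
# connection, which is exactly the traffic FastTrack takes out of the filter.
PAYLOAD_MATCHERS = {"content", "tls-host", "layer7-protocol"}

# Constructed sample in RouterOS export syntax (backslash line continuation).
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="BLOQUEO WINDOWS UPDATE" content=\
    update.microsoft.com disabled=yes
add action=add-dst-to-address-list address-list=400_Youtube chain=forward \
    comment=YOUTUBE dst-port=80,443 protocol=tcp tls-host=*youtube*
add action=drop chain=forward dst-address-list=400_Youtube
add action=drop chain=forward comment="BLOQUEO TOTAL LAN" src-address=\
    192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Wan
'''


class Finding(NamedTuple):
    position: int   # 0-based position inside /ip firewall filter
    label: str      # rule comment if present, otherwise its action
    enabled: bool   # False when the rule carries disabled=yes
    reach: str      # all-packets | non-fasttracked-only | payload-bypassed


def parse_filter_rules(export_text):
    """Return the /ip firewall filter rules of an export as a list of dicts."""
    logical, pending = [], ""
    for raw in export_text.splitlines():
        # Undo export wrapping: a trailing backslash continues on the next line.
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        logical.append(line)

    rules, menu = [], None
    for line in logical:
        if line.startswith("/"):
            menu = line
        elif menu == "/ip firewall filter" and line.startswith("add "):
            pairs = (tok.partition("=") for tok in shlex.split(line)[1:])
            rules.append({key: value for key, _, value in pairs})
    return rules


def audit_fasttrack(rules):
    """Classify each rule by the traffic it can still see.

    Assumption of this example: an enabled fasttrack-connection rule matches
    all established/related traffic of its chain (no extra matchers on it).
    """
    fasttracked_chains = set()
    findings = []
    for position, rule in enumerate(rules):
        enabled = rule.get("disabled") != "yes"
        chain = rule.get("chain")
        if chain not in fasttracked_chains:
            reach = "all-packets"
        elif PAYLOAD_MATCHERS & rule.keys():
            # Needs payload, but payload packets are FastTracked past the filter.
            reach = "payload-bypassed"
        else:
            # Still sees traffic that is not FastTracked, e.g. the first packet
            # of a new connection or invalid packets.
            reach = "non-fasttracked-only"
        label = rule.get("comment") or rule.get("action", "accept")
        findings.append(Finding(position, label, enabled, reach))
        if enabled and rule.get("action") == "fasttrack-connection":
            fasttracked_chains.add(chain)
    return findings


if __name__ == "__main__":
    for f in audit_fasttrack(parse_filter_rules(SAMPLE_EXPORT)):
        state = "enabled " if f.enabled else "disabled"
        print(f"{f.position:2d}  {state}  {f.reach:22s}  {f.label}")
```

A rule reported as `payload-bypassed` stays ineffective even after it is enabled, as long as the `fasttrack-connection` rule above it covers the same traffic.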
Hello,
I used FastTrack because without FastTrack it takes away half the speed of the connection, and it is a vessel that has a satellite connection and hopefully we can navigate at 3 mb
I want to indicate that with the CCR2004-16G-2S+ router there are no speed problems. Without FastTrack it gives me the 600MB of my operator.
This is the configuration file.
# mar/09/2022 12:03:09 by RouterOS 7.1.1
# software id = 00T3-DHG9
# model = CRS326-24G-2S+
/interface bridge
add name=Lan
add name=Wifi_Crew
add name=Wifi_Puente
/interface ethernet
set [ find default-name=ether10 ] comment=ether10 name=Catsat-PC
set [ find default-name=ether3 ] comment=ether3 name=Frigolan
set [ find default-name=ether16 ] comment=ether16 name="Insight Explorer"
set [ find default-name=ether9 ] comment=ether9 name=Nautical_Master
set [ find default-name=ether8 ] comment=ether8 name=Nautical_Slave
set [ find default-name=ether13 ] name=Oficial-PC
set [ find default-name=ether7 ] comment=ether7 name=PC-Capitan
set [ find default-name=ether4 ] comment=ether4 name=PC-Jefe
set [ find default-name=ether6 ] comment=ether6 name="Pc-2\BA"
set [ find default-name=ether19 ] comment=ether19 name=Satlink_Master
set [ find default-name=ether11 ] name=Satlink_Slave
set [ find default-name=ether1 ] comment=ether1 name=Wan
set [ find default-name=ether22 ] comment=ether22 name=Wifi_Marineria
set [ find default-name=ether21 ] comment=ether21 name="Wifi_M\E1quinas"
set [ find default-name=ether23 ] comment=ether23 name=Wifi_Oficiales
/ip hotspot profile
add dns-name=vessel.wifi hotspot-address=30.30.30.1 html-directory=
flash/hotspot name=Puente
add dns-name=crew.wifi hotspot-address=40.40.40.1 html-directory=
flash/hotspot2 name=Crew
/ip pool
add name=hs-pool-28 ranges=30.30.30.75-30.30.30.200
add name=hs-pool-29 ranges=40.40.40.75-40.40.40.200
add name=dhcp_pool3 ranges=192.168.6.100-192.168.6.150
add name=dhcp_pool4 ranges=192.168.1.50-192.168.1.200
/ip dhcp-server
add address-pool=hs-pool-28 interface=Wifi_Puente name=Wifi_Puente
add address-pool=hs-pool-29 interface=Wifi_Crew name=Wifi_Crew
add address-pool=dhcp_pool3 interface=Frigolan name=Frigolan
add address-pool=dhcp_pool4 interface=Lan name=Lan
/ip hotspot
add address-pool=hs-pool-28 addresses-per-mac=1 disabled=no interface=
Wifi_Puente name=Puente profile=Puente
add address-pool=hs-pool-29 addresses-per-mac=1 disabled=no interface=
Wifi_Crew name=Crew profile=Crew
/port
set 0 name=serial0
/queue simple
add limit-at=64k/64k max-limit=64k/64k name=Frigolan target=Frigolan
add limit-at=1024k/4096k max-limit=1024k/4096k name=Vsat target=
40.40.40.0/24,30.30.30.0/24
/queue type
add kind=pcq name=pcq-download-lan pcq-classifier=dst-address pcq-rate=3M
add kind=pcq name=pcq-upload-lan pcq-classifier=src-address pcq-rate=1M
set 7 pcq-rate=128k
set 8 pcq-rate=1M
/queue simple
add disabled=yes name=hs- queue=hotspot-default/hotspot-default target=
Wifi_Crew
add disabled=yes name=hs- queue=hotspot-default/hotspot-default
target=Wifi_Puente
add limit-at=25k/102k max-limit=1024k/4096k name=Crew parent=Vsat queue=
pcq-upload-default/pcq-download-default target=40.40.40.0/24
add limit-at=25k/102k max-limit=1024k/4096k name=Puente parent=Vsat queue=
pcq-upload-default/pcq-download-default target=30.30.30.0/24
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas
sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=Lan ingress-filtering=no interface=ether2
add bridge=Lan ingress-filtering=no interface=ether5
add bridge=Lan ingress-filtering=no interface=PC-Capitan
add bridge=Lan ingress-filtering=no interface=Nautical_Slave
add bridge=Lan ingress-filtering=no interface=Nautical_Master
add bridge=Lan ingress-filtering=no interface=Catsat-PC
add bridge=Lan ingress-filtering=no interface=Satlink_Slave
add bridge=Lan ingress-filtering=no interface=ether12
add bridge=Lan ingress-filtering=no interface=Oficial-PC
add bridge=Lan ingress-filtering=no interface=ether14
add bridge=Lan ingress-filtering=no interface=ether15
add bridge=Lan ingress-filtering=no interface="Insight Explorer"
add bridge=Lan ingress-filtering=no interface=ether17
add bridge=Lan ingress-filtering=no interface=ether18
add bridge=Lan ingress-filtering=no interface=Satlink_Master
add bridge=Lan ingress-filtering=no interface=ether20
add bridge=Wifi_Puente ingress-filtering=no interface=Wifi_Oficiales
add bridge=Wifi_Puente ingress-filtering=no interface=ether24
add bridge=Wifi_Crew ingress-filtering=no interface=Wifi_Marineria
add bridge=Wifi_Crew ingress-filtering=no interface="Wifi_M\E1quinas"
add bridge=Lan ingress-filtering=no interface=PC-Jefe
add bridge=Lan ingress-filtering=no interface="Pc-2\BA"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/ip address
add address=192.168.65.2/24 interface=Wan network=192.168.65.0
add address=192.168.1.1/24 interface=Lan network=192.168.1.0
add address=30.30.30.1/24 interface=Wifi_Puente network=30.30.30.0
add address=40.40.40.1/24 interface=Wifi_Crew network=40.40.40.0
add address=192.168.6.1/24 interface=Frigolan network=192.168.6.0
/ip dhcp-server network
add address=30.30.30.0/24 comment="hotspot network" gateway=30.30.30.1
add address=40.40.40.0/24 comment="hotspot network" gateway=40.40.40.1
add address=192.168.1.0/24 comment=Lan gateway=192.168.1.1
add address=192.168.6.0/24 comment=Frigolan gateway=192.168.6.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=drop chain=forward comment="BLOQUEO WINDOWS UPDATE" content=
update.microsoft.com disabled=yes time=
5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=download.microsoft.com disabled=yes
time=5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=download.windowsupdate.com disabled=yes
time=5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=wustat.windows.com disabled=yes time=
5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=ntservicepack.microsoft.com disabled=
yes time=5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=stats.microsoft.com disabled=yes time=
5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=windowsupdate.com disabled=yes time=
5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="WINDOW UPDATE PERMITIDO" content=
update.microsoft.com disabled=yes time=
1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=download.microsoft.com disabled=yes
time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=download.windowsupdate.com disabled=
yes time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=wustat.windows.com disabled=yes time=
1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=ntservicepack.microsoft.com disabled=
yes time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=stats.microsoft.com disabled=yes
time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=windowsupdate.com disabled=yes time=
1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-dst-to-address-list address-list=400_Youtube
address-list-timeout=1w chain=forward comment=YOUTUBE disabled=yes
dst-port=80,443 protocol=tcp tls-host=youtube
add action=drop chain=forward disabled=yes dst-address-list=400_Youtube
add action=add-dst-to-address-list address-list=401_Netflix
address-list-timeout=1w chain=forward comment=NETFLIX disabled=yes
dst-port=80,443 protocol=tcp tls-host=netflix
add action=drop chain=forward disabled=yes dst-address-list=401_Netflix
add action=add-dst-to-address-list address-list="402_Prime Video"
address-list-timeout=1w chain=forward comment="PRIME VIDEO" disabled=yes
dst-port=80,443 protocol=tcp tls-host=primevideo
add action=drop chain=forward disabled=yes dst-address-list="402_Prime Video"
add action=add-dst-to-address-list address-list=403_HBO address-list-timeout=
1w chain=forward comment=HBO disabled=yes dst-port=80,443 protocol=tcp
tls-host=hbo
add action=drop chain=forward disabled=yes dst-address-list=403_HBO
add action=add-dst-to-address-list address-list=404_Dazn
address-list-timeout=1w chain=forward comment=DAZN disabled=yes dst-port=
80,443 protocol=tcp tls-host=dazn
add action=drop chain=forward disabled=yes dst-address-list=404_Dazn
add action=add-dst-to-address-list address-list="405_Disney Plus"
address-list-timeout=1w chain=forward comment="DISNEY PLUS" disabled=yes
dst-port=80,443 protocol=tcp tls-host=diensyplus
add action=drop chain=forward disabled=yes dst-address-list="405_Disney Plus"
add action=add-dst-to-address-list address-list=407_Mega
address-list-timeout=1w chain=forward comment=MEGA disabled=yes dst-port=
80,443 protocol=tcp tls-host=mega
add action=drop chain=forward disabled=yes dst-address-list=407_Mega
add action=add-dst-to-address-list address-list=408_Vimeo
address-list-timeout=1w chain=forward comment=VIMEO disabled=yes
dst-port=80,443 protocol=tcp tls-host=vimeo
add action=drop chain=forward disabled=yes dst-address-list=408_Vimeo
add action=add-dst-to-address-list address-list=409_Ddownload
address-list-timeout=1w chain=forward comment=DDOWNLOAD disabled=yes
dst-port=80,443 protocol=tcp tls-host=ddownload
add action=drop chain=forward disabled=yes dst-address-list=409_Ddownload
add action=add-dst-to-address-list address-list=410_Rapidgator
address-list-timeout=1w chain=forward comment=RAPIDGATOR disabled=yes
dst-port=80,443 protocol=tcp tls-host=rapidgator
add action=drop chain=forward disabled=yes dst-address-list=410_Rapidgator
add action=add-dst-to-address-list address-list=411_Torrent
address-list-timeout=1w chain=forward comment=TORRENT disabled=yes
dst-port=80,443 protocol=tcp tls-host=torrent
add action=drop chain=forward disabled=yes dst-address-list=411_Torrent
add action=passthrough chain=unused-hs-chain comment=LAN disabled=yes
add action=accept chain=forward comment=Ping disabled=yes protocol=icmp
src-address-list=00_Lan
add action=accept chain=forward comment=DNS disabled=yes dst-port=53
protocol=udp src-address-list=00_Lan
add action=accept chain=forward comment=Internet disabled=yes dst-port=80,443
protocol=tcp src-address-list=00_Lan
add action=accept chain=forward disabled=yes dst-port=80,443 protocol=udp
src-address-list=00_Lan
add action=accept chain=forward comment="Puertos para Correo" disabled=yes
dst-port=25,110,143,389,443,465,587,993,995 protocol=tcp
src-address-list=00_Lan
add action=accept chain=forward disabled=yes dst-port=995 protocol=udp
src-address-list=00_Lan
add action=accept chain=forward comment=Teamviewer disabled=yes
dst-address-list=200_Teamviewer dst-port=5938 protocol=tcp
src-address-list=00_Lan
add action=accept chain=forward disabled=yes dst-address-list=200_Teamviewer
dst-port=5938 protocol=udp src-address-list=00_Lan
add action=accept chain=forward comment=Ammyy disabled=yes dst-address-list=
201_Ammyy dst-port=8080,5931 protocol=tcp src-address-list=00_Lan
add action=accept chain=forward disabled=yes dst-address-list=201_Ammyy
dst-port=8080,5931 protocol=udp src-address-list=00_Lan
add action=accept chain=forward comment=Radios disabled=yes dst-address-list=
"01.1_Radio nervion" dst-port=554,1900,2177,2869,10243,10245 protocol=tcp
src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
"01.1_Radio nervion" dst-port=554,1900,2177,2869,10243,10245 protocol=udp
src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
"01.1_Radio nervion" dst-port=5004-5005 protocol=tcp src-address=
192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
"01.1_Radio nervion" dst-port=5004-5005 protocol=udp src-address=
192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
"01.1_Radio nervion" dst-port=10280-10284 protocol=tcp src-address=
192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
"01.1_Radio nervion" dst-port=10280-10284 protocol=udp src-address=
192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
01.2_Emisora_ORG dst-port=554,1900,2177,2869,10243,10245 protocol=tcp
src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
01.2_Emisora_ORG dst-port=554,1900,2177,2869,10243,10245 protocol=udp
src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
01.2_Emisora_ORG dst-port=5004-5005 protocol=tcp src-address=
192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
01.2_Emisora_ORG dst-port=5004-5005 protocol=udp src-address=
192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
01.2_Emisora_ORG dst-port=10280-10284 protocol=tcp src-address=
192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
01.2_Emisora_ORG dst-port=10280-10284 protocol=udp src-address=
192.168.1.0/24
add action=accept chain=forward comment=Salink disabled=yes dst-address-list=
100_Satlink dst-port=52050,52060 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=100_Satlink
dst-port=52050,52060 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Nautical disabled=yes
dst-address-list=101_Nautical src-address=192.168.1.0/24
add action=accept chain=forward comment=Catsat disabled=yes dst-address-list=
102_Catsat src-address=192.168.1.0/24
add action=accept chain=forward comment="Insight Explorer" disabled=yes
dst-address-list="104_Insight Explorer" dst-port=23,465,995,1200
protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=
"104_Insight Explorer" dst-port=23,465,995,1200 protocol=udp src-address=
192.168.1.0/24
add action=accept chain=forward comment=Zunibal disabled=yes
dst-address-list=103_Zunibal dst-port=11200,11201 protocol=tcp
src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=103_Zunibal
dst-port=11200,11201 protocol=udp src-address=192.168.1.0/24
add action=drop chain=forward comment="BLOQUEO TOTAL LAN" disabled=yes
src-address=192.168.1.0/24
add action=passthrough chain=unused-hs-chain comment="WIFI PUENTE" disabled=
yes
add action=accept chain=forward comment=DNS disabled=yes dst-port=53
protocol=udp src-address=30.30.30.0/24
add action=accept chain=forward comment=Internet disabled=yes dst-port=80,443
protocol=tcp src-address=30.30.30.0/24
add action=accept chain=forward disabled=yes dst-port=80,443 protocol=udp
src-address=30.30.30.0/24
add action=accept chain=forward comment="Puertos para Correo" disabled=yes
dst-port=25,110,143,389,443,465,587,993,995 protocol=tcp src-address=
30.30.30.0/24
add action=accept chain=forward disabled=yes dst-port=995 protocol=udp
src-address=30.30.30.0/24
add action=accept chain=forward comment=Whatsapp disabled=yes
dst-address-list=300_Whatsapp src-address=30.30.30.0/24
add action=accept chain=forward disabled=yes dst-port=5222,5223,5228
protocol=tcp src-address=30.30.30.0/24
add action=accept chain=forward disabled=yes dst-port=3478 protocol=udp
src-address=30.30.30.0/24
add action=drop chain=forward comment="BLOQUEO TOTAL" disabled=yes
src-address=30.30.30.0/24
add action=passthrough chain=unused-hs-chain comment="CREW OFICIALES"
disabled=yes
add action=accept chain=forward comment=DNS disabled=yes dst-port=53
protocol=udp src-address=40.40.40.0/24
add action=accept chain=forward comment=Internet disabled=yes dst-port=80,443
protocol=tcp src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward disabled=yes dst-port=80,443 protocol=udp
src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward comment="Puertos para Correo" disabled=yes
dst-port=25,110,143,389,443,465,587,993,995 protocol=tcp src-address=
40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward disabled=yes dst-port=995 protocol=udp
src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward comment=Whatsapp disabled=yes
dst-address-list=300_Whatsapp src-address=40.40.40.0/24 src-address-list=
01_Oficiales_Crew
add action=accept chain=forward disabled=yes dst-port=5222,5223,5228
protocol=tcp src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward disabled=yes dst-port=3478 protocol=udp
src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=drop chain=forward comment="BLOQUEO TOTAL CREW OFICIALES"
disabled=yes src-address-list=01_Oficiales_Crew
add action=passthrough chain=unused-hs-chain comment="WIFI CREW" disabled=yes
add action=accept chain=forward comment=DNS disabled=yes dst-port=53
protocol=udp src-address=40.40.40.0/24 time=
11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment=Internet disabled=yes dst-port=80,443
protocol=tcp src-address=40.40.40.0/24 time=
11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=80,443 protocol=udp
src-address=40.40.40.0/24 time=
11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="Puertos para Correo" disabled=yes
dst-port=25,110,143,389,443,465,587,993,995 protocol=tcp src-address=
40.40.40.0/24 time=11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=995 protocol=udp
src-address=40.40.40.0/24 time=
11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment=Whatsapp disabled=yes
dst-address-list=300_Whatsapp src-address=40.40.40.0/24 time=
11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=5222,5223,5228
protocol=tcp src-address=40.40.40.0/24 time=
11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=3478 protocol=udp
src-address=40.40.40.0/24 time=
11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=passthrough chain=unused-hs-chain comment=17:30 disabled=yes
add action=accept chain=forward comment=DNS disabled=yes dst-port=53
protocol=udp src-address=40.40.40.0/24 time=
17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment=Internet disabled=yes dst-port=80,443
protocol=tcp src-address=40.40.40.0/24 time=
17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=80,443 protocol=udp
src-address=40.40.40.0/24 time=
17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="Puertos para Correo" disabled=yes
dst-port=25,110,143,389,443,465,587,993,995 protocol=tcp src-address=
40.40.40.0/24 time=17h30m-5h30m,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=995 protocol=udp
src-address=40.40.40.0/24 time=17h30m-5h30m,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment=Whatsapp disabled=yes
dst-address-list=300_Whatsapp src-address=40.40.40.0/24 time=
17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=5222,5223,5228
protocol=tcp src-address=40.40.40.0/24 time=
17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=3478 protocol=udp
src-address=40.40.40.0/24 time=
17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="BLOQUEO TOTAL WIFI_CREW" disabled=yes
src-address=40.40.40.0/24
add action=add-dst-to-address-list address-list=411_Torrent
address-list-timeout=1w chain=forward disabled=yes dst-port=80,443
protocol=tcp src-address=192.168.1.18 tls-host=torrent
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.1.0
protocol=tcp src-address=30.30.30.1 to-addresses=192.168.1.1 to-ports=
0-65535
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=Wan src-address=
192.168.1.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network"
out-interface=Wan src-address=30.30.30.0/24
add action=masquerade chain=srcnat comment="Abierto de 11:30 a012:30"
out-interface=Wan src-address=40.40.40.0/24 time=
11h30m-12h30m,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=masquerade chain=srcnat comment="Abierto de 17:30 a 05:30"
out-interface=Wan src-address=40.40.40.0/24 time=
17h30m-5h30m,sun,mon,tue,wed,thu,fri,sat
add action=masquerade chain=srcnat out-interface=Wan
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.65.1
THANK YOU SO MUCH
Yes, I did, but…
THANK YOU
Please help me out.
I started to look over your firewall rules and found that most of them are disabled=yes.
Can you please point at the rules that you want to use?
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=forward comment="BLOQUEO WINDOWS UPDATE" content=update.microsoft.com disabled=yes time= 5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=download.microsoft.com disabled=yes time=5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=download.windowsupdate.com disabled=yes time=5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=wustat.windows.com disabled=yes time=5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=ntservicepack.microsoft.com disabled=yes time=5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=stats.microsoft.com disabled=yes time=5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward content=windowsupdate.com disabled=yes time=5h30m-59m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="WINDOW UPDATE PERMITIDO" content=update.microsoft.com disabled=yes time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=download.microsoft.com disabled=yes time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=download.windowsupdate.com disabled=yes time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=wustat.windows.com disabled=yes time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=ntservicepack.microsoft.com disabled=yes time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=stats.microsoft.com disabled=yes time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward content=windowsupdate.com disabled=yes time=1h-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-dst-to-address-list address-list=400_Youtube address-list-timeout=1w chain=forward comment=YOUTUBE disabled=yes dst-port=80,443 protocol=tcp tls-host=*youtube*
add action=drop chain=forward disabled=yes dst-address-list=400_Youtube
add action=add-dst-to-address-list address-list=401_Netflix address-list-timeout=1w chain=forward comment=NETFLIX disabled=yes dst-port=80,443 protocol=tcp tls-host=*netflix*
add action=drop chain=forward disabled=yes dst-address-list=401_Netflix
add action=add-dst-to-address-list address-list="402_Prime Video" address-list-timeout=1w chain=forward comment="PRIME VIDEO" disabled=yes dst-port=80,443 protocol=tcp tls-host=*primevideo*
add action=drop chain=forward disabled=yes dst-address-list="402_Prime Video"
add action=add-dst-to-address-list address-list=403_HBO address-list-timeout=1w chain=forward comment=HBO disabled=yes dst-port=80,443 protocol=tcp tls-host=*hbo*
add action=drop chain=forward disabled=yes dst-address-list=403_HBO
add action=add-dst-to-address-list address-list=404_Dazn address-list-timeout=1w chain=forward comment=DAZN disabled=yes dst-port=80,443 protocol=tcp tls-host=*dazn*
add action=drop chain=forward disabled=yes dst-address-list=404_Dazn
add action=add-dst-to-address-list address-list="405_Disney Plus" address-list-timeout=1w chain=forward comment="DISNEY PLUS" disabled=yes dst-port=80,443 protocol=tcp tls-host=*diensyplus*
add action=drop chain=forward disabled=yes dst-address-list="405_Disney Plus"
add action=add-dst-to-address-list address-list=407_Mega address-list-timeout=1w chain=forward comment=MEGA disabled=yes dst-port=80,443 protocol=tcp tls-host=*mega*
add action=drop chain=forward disabled=yes dst-address-list=407_Mega
add action=add-dst-to-address-list address-list=408_Vimeo address-list-timeout=1w chain=forward comment=VIMEO disabled=yes dst-port=80,443 protocol=tcp tls-host=*vimeo*
add action=drop chain=forward disabled=yes dst-address-list=408_Vimeo
add action=add-dst-to-address-list address-list=409_Ddownload address-list-timeout=1w chain=forward comment=DDOWNLOAD disabled=yes dst-port=80,443 protocol=tcp tls-host=*ddownload*
add action=drop chain=forward disabled=yes dst-address-list=409_Ddownload
add action=add-dst-to-address-list address-list=410_Rapidgator address-list-timeout=1w chain=forward comment=RAPIDGATOR disabled=yes dst-port=80,443 protocol=tcp tls-host=*rapidgator*
add action=drop chain=forward disabled=yes dst-address-list=410_Rapidgator
add action=add-dst-to-address-list address-list=411_Torrent address-list-timeout=1w chain=forward comment=TORRENT disabled=yes dst-port=80,443 protocol=tcp tls-host=*torrent*
add action=drop chain=forward disabled=yes dst-address-list=411_Torrent
add action=passthrough chain=unused-hs-chain comment=LAN disabled=yes
add action=accept chain=forward comment=Ping disabled=yes protocol=icmp src-address-list=00_Lan
add action=accept chain=forward comment=DNS disabled=yes dst-port=53 protocol=udp src-address-list=00_Lan
add action=accept chain=forward comment=Internet disabled=yes dst-port=80,443 protocol=tcp src-address-list=00_Lan
add action=accept chain=forward disabled=yes dst-port=80,443 protocol=udp src-address-list=00_Lan
add action=accept chain=forward comment="Puertos para Correo" disabled=yes dst-port=25,110,143,389,443,465,587,993,995 protocol=tcp src-address-list=00_Lan
add action=accept chain=forward disabled=yes dst-port=995 protocol=udp src-address-list=00_Lan
add action=accept chain=forward comment=Teamviewer disabled=yes dst-address-list=200_Teamviewer dst-port=5938 protocol=tcp src-address-list=00_Lan
add action=accept chain=forward disabled=yes dst-address-list=200_Teamviewer dst-port=5938 protocol=udp src-address-list=00_Lan
add action=accept chain=forward comment=Ammyy disabled=yes dst-address-list=201_Ammyy dst-port=8080,5931 protocol=tcp src-address-list=00_Lan
add action=accept chain=forward disabled=yes dst-address-list=201_Ammyy dst-port=8080,5931 protocol=udp src-address-list=00_Lan
add action=accept chain=forward comment=Radios disabled=yes dst-address-list="01.1_Radio nervion" dst-port=554,1900,2177,2869,10243,10245 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list="01.1_Radio nervion" dst-port=554,1900,2177,2869,10243,10245 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list="01.1_Radio nervion" dst-port=5004-5005 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list="01.1_Radio nervion" dst-port=5004-5005 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list="01.1_Radio nervion" dst-port=10280-10284 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list="01.1_Radio nervion" dst-port=10280-10284 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=01.2_Emisora_ORG dst-port=554,1900,2177,2869,10243,10245 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=01.2_Emisora_ORG dst-port=554,1900,2177,2869,10243,10245 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=01.2_Emisora_ORG dst-port=5004-5005 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=01.2_Emisora_ORG dst-port=5004-5005 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=01.2_Emisora_ORG dst-port=10280-10284 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=01.2_Emisora_ORG dst-port=10280-10284 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Salink disabled=yes dst-address-list=100_Satlink dst-port=52050,52060 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=100_Satlink dst-port=52050,52060 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Nautical disabled=yes dst-address-list=101_Nautical src-address=192.168.1.0/24
add action=accept chain=forward comment=Catsat disabled=yes dst-address-list=102_Catsat src-address=192.168.1.0/24
add action=accept chain=forward comment="Insight Explorer" disabled=yes dst-address-list="104_Insight Explorer" dst-port=23,465,995,1200 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list="104_Insight Explorer" dst-port=23,465,995,1200 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Zunibal disabled=yes dst-address-list=103_Zunibal dst-port=11200,11201 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address-list=103_Zunibal dst-port=11200,11201 protocol=udp src-address=192.168.1.0/24
add action=drop chain=forward comment="BLOQUEO TOTAL LAN" disabled=yes src-address=192.168.1.0/24
add action=passthrough chain=unused-hs-chain comment="WIFI PUENTE" disabled=yes
add action=accept chain=forward comment=DNS disabled=yes dst-port=53 protocol=udp src-address=30.30.30.0/24
add action=accept chain=forward comment=Internet disabled=yes dst-port=80,443 protocol=tcp src-address=30.30.30.0/24
add action=accept chain=forward disabled=yes dst-port=80,443 protocol=udp src-address=30.30.30.0/24
add action=accept chain=forward comment="Puertos para Correo" disabled=yes dst-port=25,110,143,389,443,465,587,993,995 protocol=tcp src-address=30.30.30.0/24
add action=accept chain=forward disabled=yes dst-port=995 protocol=udp src-address=30.30.30.0/24
add action=accept chain=forward comment=Whatsapp disabled=yes dst-address-list=300_Whatsapp src-address=30.30.30.0/24
add action=accept chain=forward disabled=yes dst-port=5222,5223,5228 protocol=tcp src-address=30.30.30.0/24
add action=accept chain=forward disabled=yes dst-port=3478 protocol=udp src-address=30.30.30.0/24
add action=drop chain=forward comment="BLOQUEO TOTAL" disabled=yes src-address=30.30.30.0/24
add action=passthrough chain=unused-hs-chain comment="CREW OFICIALES" disabled=yes
add action=accept chain=forward comment=DNS disabled=yes dst-port=53 protocol=udp src-address=40.40.40.0/24
add action=accept chain=forward comment=Internet disabled=yes dst-port=80,443 protocol=tcp src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward disabled=yes dst-port=80,443 protocol=udp src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward comment="Puertos para Correo" disabled=yes dst-port=25,110,143,389,443,465,587,993,995 protocol=tcp src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward disabled=yes dst-port=995 protocol=udp src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward comment=Whatsapp disabled=yes dst-address-list=300_Whatsapp src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward disabled=yes dst-port=5222,5223,5228 protocol=tcp src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=accept chain=forward disabled=yes dst-port=3478 protocol=udp src-address=40.40.40.0/24 src-address-list=01_Oficiales_Crew
add action=drop chain=forward comment="BLOQUEO TOTAL CREW OFICIALES" disabled=yes src-address-list=01_Oficiales_Crew
add action=passthrough chain=unused-hs-chain comment="WIFI CREW" disabled=yes
add action=accept chain=forward comment=DNS disabled=yes dst-port=53 protocol=udp src-address=40.40.40.0/24 time=11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment=Internet disabled=yes dst-port=80,443 protocol=tcp src-address=40.40.40.0/24 time=11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=80,443 protocol=udp src-address=40.40.40.0/24 time=11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="Puertos para Correo" disabled=yes dst-port=25,110,143,389,443,465,587,993,995 protocol=tcp src-address=40.40.40.0/24 time=11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=995 protocol=udp src-address=40.40.40.0/24 time=11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment=Whatsapp disabled=yes dst-address-list=300_Whatsapp src-address=40.40.40.0/24 time=11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=5222,5223,5228 protocol=tcp src-address=40.40.40.0/24 time=11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=3478 protocol=udp src-address=40.40.40.0/24 time=11h30m-12h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=passthrough chain=unused-hs-chain comment=17:30 disabled=yes
add action=accept chain=forward comment=DNS disabled=yes dst-port=53 protocol=udp src-address=40.40.40.0/24 time=17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment=Internet disabled=yes dst-port=80,443 protocol=tcp src-address=40.40.40.0/24 time=17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=80,443 protocol=udp src-address=40.40.40.0/24 time=17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="Puertos para Correo" disabled=yes dst-port=25,110,143,389,443,465,587,993,995 protocol=tcp src-address=40.40.40.0/24 time=17h30m-5h30m,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=995 protocol=udp src-address=40.40.40.0/24 time=17h30m-5h30m,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment=Whatsapp disabled=yes dst-address-list=300_Whatsapp src-address=40.40.40.0/24 time=17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=5222,5223,5228 protocol=tcp src-address=40.40.40.0/24 time=17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward disabled=yes dst-port=3478 protocol=udp src-address=40.40.40.0/24 time=17h30m-5h29m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="BLOQUEO TOTAL WIFI_CREW" disabled=yes src-address=40.40.40.0/24
add action=add-dst-to-address-list address-list=411_Torrent address-list-timeout=1w chain=forward disabled=yes dst-port=80,443 protocol=tcp src-address=192.168.1.18 tls-host=*torrent*
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.1.0 \
protocol=tcp src-address=30.30.30.1 to-addresses=192.168.1.1 to-ports=\
0-65535
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=Wan src-address=\
192.168.1.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
out-interface=Wan src-address=30.30.30.0/24
add action=masquerade chain=srcnat comment="Abierto de 11:30 a012:30" \
out-interface=Wan src-address=40.40.40.0/24 time=\
11h30m-12h30m,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=masquerade chain=srcnat comment="Abierto de 17:30 a 05:30" \
out-interface=Wan src-address=40.40.40.0/24 time=\
17h30m-5h30m,sun,mon,tue,wed,thu,fri,sat
add action=masquerade chain=srcnat out-interface=Wan
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.65.1
Andoniar78
Looking at your firewall shows that the rules are not in the correct order. MikroTik firewall policy is executed from top -> down.
Usually “Fasttrack” is not the first. First is “Input, established, related ..”, which ends with “Drop-All”. Only then follow the “Forward” rules, where the last rule will always be “Drop-All”.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
== forward chain ==
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
< place your required forward rules here >
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
I have simplified the firewall rules by only blocking YouTube. I have put the drop at the end of the line, but the “special dummy rule to show fasttrack counters” rule is the first. It may be that I am creating the FastTrack rule wrong.
This is my FastTrack rule:
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip firewall filter add chain=forward action=accept connection-state=established,related
/ip firewall filter add chain=forward action=drop connection-state=invalid
Thank you so much to all!
Yes, I disabled this… but if I enable it, it is not working
Why are you using a public IP subnet for clients? For me, that is the number one mistake.
Public IP subnet? Can you explain that, please?
Thank you
These two subnets are public IP space; don't use them in a hotspot pool or for any client:
add name=hs-pool-28 ranges=30.30.30.75-30.30.30.200
add name=hs-pool-29 ranges=40.40.40.75-40.40.40.200
Hello,
They do have clients but I have removed them. There are 2 captive portals that I have for clients. 2 totally different networks
Well, you’ve referred to CCR 2004 and 600 Mbit/s, but the configuration you’ve posted is from a CRS326, which is much weaker as a router (a single 32-bit CPU core at 800 MHz vs four 64-bit CPU cores at 1700 MHz, that’s 8 times more throughput even if leaving the 32/64 aside).
With queueing, the advantage may not be that high unless queue simple can use all CPU cores in 7.x, but it’s still more than double the throughput on a 2004. Do you use queues at the 2004 at all?
To the 326: the order of rules in filter is correct, as you first accept all packets belonging to already established connections, and only then you deal with packets initiating new ones. Also the usual way (allow anything from LANs to establish connections wherever they want) is not applicable in your case as you want to block everything bandwidth intensive. So everything right here.
No input rules are a security hole though, your router is currently manageable for anyone connected to it from any LAN if he’s got the credentials, unless you have some other firewalls in place between users and the CRS.
Your queue setup seems like a work in progress to me - you have a parent queue for crew & puente, but the individual child queues have same limits and no mutual priority, so there is no point in having three with these settings.
Also, you have set queue types pcq-download-lan and pcq-upload-lan, but you don’t actually use them.
Last, if the download cap of the sat uplink is only 3 Mbit/s, setting max-limit to 4096k may result in clogging the line, causing more loss as the satellite provider’s shaper will shape the bandwidth instead of you. So this could be the reason why you get lower throughput than you expect.
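Two points raised in the replies above, client pools taken from public address space and the absence of any input-chain rules, can be checked mechanically against an export. The following is an added example and not part of the thread: the sample export is constructed (the `lan-pool` entry and the disabled input rule are hypothetical), and the function names are this example's own.

```python
import ipaddress
import shlex
# Constructed sample in RouterOS export syntax, modelled on the posted config.
SAMPLE_EXPORT = r"""
/ip pool
add name=hs-pool-28 ranges=30.30.30.75-30.30.30.200
add name=hs-pool-29 ranges=40.40.40.75-40.40.40.200
add name=lan-pool ranges=192.168.1.50-192.168.1.99
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=input comment="mgmt" disabled=yes in-interface=Lan
"""
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_export(text):
    """Return [(section, params)] per 'add' line, joining '\\' continuations."""
    rules, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = line[:-1] if line.endswith("\\") else ""
        if pending:
            continue
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            params = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            rules.append((section, params))
    return rules

def public_pool_ranges(rules):
    """Pool ranges (a-b or single address) with an endpoint outside RFC 1918."""
    found = []
    for section, p in rules:
        if section == "/ip pool":
            for rng in filter(None, p.get("ranges", "").split(",")):
                ends = [ipaddress.ip_address(a) for a in rng.split("-")]
                if not all(any(a in net for net in PRIVATE) for a in ends):
                    found.append((p.get("name"), rng))
    return found

def enabled_input_rules(rules):
    """Enabled filter rules in chain=input; an empty list means no input policy."""
    return [p for s, p in rules if s == "/ip firewall filter"
            and p.get("chain") == "input" and p.get("disabled") != "yes"]

if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(public_pool_ranges(parsed), len(enabled_input_rules(parsed)))
```

On the sample, both hotspot pools are reported and the count of enabled input rules is zero, because the only input rule is disabled.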