help with outlook

Hi guys, my clients need MS Outlook to be able to access / download emails & attachments using full WAN speed (8MB) without logging on to the hotspot every time (all users have a limit of 512 kb), because many of them use their PCs for email & printing only. Our mail server is hosted by Yahoo.

I have walled-gardened the Yahoo email ports: POP, IMAP & SMTP (995, 993 & 465) & it works fine, but once a user logs on using the hotspot, email download speed drops to the user's limit (512KB), which is very slow for large attachments, & many email errors appear in Outlook like (connection to the server is interrupted, contact ISP or administrator).

I also tried to walled-garden those hosts (*.yahoo.com, pop.bizmail.yahoo.com, smtp.bizmail.yahoo.com) & faced the same issue when users log on to the hotspot.

A user told me that it may need a queue (simple or tree) or a firewall/NAT rule, but didn't explain where the error is or how to fix it.
Please, this is a production environment & it is really necessary to implement such rules.
Any help is appreciated.

Make a mangle rule to do packet-mark on packets to/from these same ports.
Most efficient method: create “classify” chain -
put rules in this chain :
connection-mark=no-mark, port/protocol/etc type 1 → connection mark 1 pass-through=yes
connection-mark=no-mark, port/protocol/etc type 2 → connection mark 2 pass-through=yes
connection-mark=no-mark, port/protocol/etc type 3 → connection mark 3 pass-through=yes
...

  • of course instead of "type", you would have things like protocol=udp port=53 → connection-mark = dns

The next-to-last rule is "connection-mark=no-mark, mark-connection → default".
The last rule of the classify chain is a simple "return" rule.

Then in pre-routing, your first rule is “connection-mark=no-mark, action=jump jump-target=classify”
So this way, you only have to go through the list of classification checks once whenever a new connection starts.

After this jump rule, you simply have a list of checks for class marks and do a packet mark accordingly:
connection-mark = dns → mark packet = dns
connection-mark = email → mark packet = email
(don't worry about marking default packets)
These packet marking rules should not have "pass-through" checked - marking the packet is the end...


So now you'll have a bunch of marked packets flowing through your MikroTik. (You can look in the connections tab of the firewall screen to see the connection marks in action / make sure they're working properly.)

Now - you can add a simple queue before all other simple queues. It matches packet mark = email, and you could probably set it to SFQ type, or something that will basically give fair access to multiple users w/o a lot of tuning required.
Put the limit here = max amount of bandwidth to dedicate to email - TOTAL (all users’ email traffic will go through this queue)

There ya go!

Sorry, I'm a beginner in MT & don't fully understand what you're saying. I'm using ROS 5.20; is your solution applicable to it? (I can't find the classify chain in NAT.)
Please write me a script that I can understand or modify with my WAN/LAN names, then copy & paste into my terminal. This will be very helpful if you can do it.

In my example, classify is a custom chain that you create. Whenever you start to make the first rule, in the chain= field, you can actually type in any value that you like.

Type in “classify” the first time.
After this, classify will be a choice in any drop-down selection which lets you choose chains.

I think it would be applicable to ROS 5.20 - they did make many changes to the simple queues for version 6, but the solution should still apply - put the “email” queue above the users’ queues and it will match first.

Here is an example “classify” chain:

/ip firewall mangle
add action=mark-connection chain=classify connection-mark=no-mark new-connection-mark=web port=80 protocol=tcp
add action=mark-connection chain=classify connection-mark=no-mark new-connection-mark=dns port=53 protocol=udp
add action=mark-connection chain=classify connection-mark=no-mark new-connection-mark=email port=25,110,143,465,993,995 protocol=tcp
add action=mark-connection chain=classify connection-mark=no-mark new-connection-mark=default
add action=return chain=classify

Then the “prerouting” chain will look like this:

/ip firewall mangle
add action=jump chain=prerouting connection-mark=no-mark jump-target=classify
add action=accept chain=prerouting connection-mark=default
add action=mark-packet chain=prerouting connection-mark=web new-packet-mark=web passthrough=no
add action=mark-packet chain=prerouting connection-mark=dns new-packet-mark=dns passthrough=no
add action=mark-packet chain=prerouting connection-mark=email new-packet-mark=email passthrough=no

Of course, if you’re not going to have different policies for web or dns, then don’t make classifier rules for those, and don’t make packet marking rules for those.

Keep default and email though, for your application. I just included the other two types of traffic as an example of how to mark packets for multiple types if you should want to try more complicated queue strategies later.

Will try on Monday & get back to you.

Dear Mr Zerobyte

The new configuration is looking good so far on a test environment (1 PC, 3 HS users), but once a user logs in to the hotspot the email queue is bypassed/suppressed by the user's queue. But when I manually move the email queue up, Outlook works fine & the user too.
So after hard digging I figured out this script:

"queue simple move email 0"
and added it to the user profile/scripts to run on login.

now it works like a charm I suppose

Thank you very much for your help & I hope all users find it useful too.
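As an added example (not any poster's own config), here is the whole arrangement the thread arrives at, pulled together for the email-only case: the classify/prerouting mangle rules, the email simple queue placed ahead of the per-user hotspot queues, and the on-login hook that moves it back to the top. Assumed: an 8M max-limit taken from the OP's WAN figure, the queue name "email", the "default" hotspot user profile, and v5-style /queue simple parameters (v6 renamed some of them).

```routeros
# Added example for the thread above; not the posters' config.
# Assumptions: 8 Mbit/s WAN limit, queue named "email", hotspot users on
# the "default" user profile, RouterOS v5-style /queue simple syntax.

# 1. Classify chain: mark each new connection once, then return.
/ip firewall mangle
add chain=classify connection-mark=no-mark protocol=tcp \
    port=25,110,143,465,993,995 action=mark-connection \
    new-connection-mark=email passthrough=yes comment="POP/IMAP/SMTP"
add chain=classify connection-mark=no-mark action=mark-connection \
    new-connection-mark=default passthrough=yes
add chain=classify action=return

# 2. Prerouting: jump into classify only for unmarked connections, then
#    turn the connection mark into a packet mark (no passthrough needed).
add chain=prerouting connection-mark=no-mark action=jump jump-target=classify
add chain=prerouting connection-mark=default action=accept
add chain=prerouting connection-mark=email action=mark-packet \
    new-packet-mark=email passthrough=no

# 3. A fair-share (SFQ) queue type and the shared email queue, placed
#    first so it matches before any per-user hotspot queue.
/queue type add name=email-sfq kind=sfq
/queue simple add name=email packet-marks=email \
    queue=email-sfq/email-sfq max-limit=8M/8M place-before=0

# 4. Hotspot login creates a dynamic per-user queue ahead of the static
#    ones, which is what bypassed the email queue in the thread; move the
#    email queue back to the top on every login.
/ip hotspot user profile set [find name=default] \
    on-login="/queue simple move email 0"

# Check: mail connections should carry the "email" connection mark.
/ip firewall connection print where connection-mark=email
```

After a hotspot user logs in, `/queue simple print` should still list "email" at position 0; if it does not, the on-login script did not run for that user's profile.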
