# --- Physical ports ---
# ether1 is the WAN uplink; the two provider circuits and the management
# network are tagged VLAN sub-interfaces on it (see /interface vlan below).
/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=E4:8D:8C:50:80:BD
# ether2 is the LAN port (192.168.1.1/24 is bound to it further down) and
# answers ARP on behalf of other subnets (proxy-arp) -- presumably so that
# PPTP clients, which draw from the same "dhcp" pool, are reachable from the
# LAN. TODO confirm that is the intent.
set [ find default-name=ether2 ] arp=proxy-arp mac-address=E4:8D:8C:50:80:BE
# ether3-5 are slaved to ether2 via master-port (switch-chip forwarding), so
# the LAN behaves as a four-port switch with ether2 as the CPU-facing port.
set [ find default-name=ether3 ] mac-address=E4:8D:8C:50:80:BF master-port=ether2
set [ find default-name=ether4 ] mac-address=E4:8D:8C:50:80:C0 master-port=ether2
set [ find default-name=ether5 ] mac-address=E4:8D:8C:50:80:C1 master-port=ether2
# Tagged VLANs on the WAN port: vlan2 is management (172.17.0.254/24 below),
# vlan4090 and vlan3232 are the WAN1 / WAN2 provider handoffs.
/interface vlan
add comment=Management interface=ether1 name=vlan2 vlan-id=2
add comment=WAN2 interface=ether1 name=vlan3232 vlan-id=3232
add comment=WAN1 interface=ether1 name=vlan4090 vlan-id=4090
# --- IPsec proposal, address pool, DHCP, PPP profile, queues ---
# Default IPsec proposal restricted to AES-128-CBC; no other proposal
# parameters are changed in this export.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
# One pool shared by the LAN DHCP server and the PPTP profile, so VPN clients
# land in the same 192.168.1.x space as LAN hosts.
/ip pool
add name=dhcp ranges=192.168.1.51-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=DHCP-LAN
# PPTP profile: both the local and the remote address come from the "dhcp"
# pool and clients are told to use the router (192.168.1.1) for DNS.
# NOTE(review): PPTP (MS-CHAPv2 / MPPE) is generally considered obsolete for
# protecting sensitive traffic; an IPsec-based VPN is the usual replacement.
/ppp profile
add dns-server=192.168.1.1 local-address=dhcp name=PPTP-VPN remote-address=dhcp
# PCQ queue types: the *-down-* types classify by dst-address, the *-up-*
# types by src-address, each with a 4000KiB total buffer.
# NOTE(review): pcq-down-64k is configured with pcq-rate=512k, not 64k, so
# its name and its rate disagree. It is used by the "internet abusers" queue
# below -- confirm which value is intended.
/queue type
add kind=pcq name=pcq-down-512k pcq-classifier=dst-address pcq-rate=512k pcq-total-limit=4000KiB
add kind=pcq name=pcq-up-512k pcq-classifier=src-address pcq-rate=512k pcq-total-limit=4000KiB
add kind=pcq name=pcq-down-2M pcq-classifier=dst-address pcq-rate=2M pcq-total-limit=4000KiB
add kind=pcq name=pcq-up-2M pcq-classifier=src-address pcq-rate=2M pcq-total-limit=4000KiB
add kind=pcq name=pcq-down-64k pcq-classifier=dst-address pcq-rate=512k pcq-total-limit=4000KiB
add kind=pcq name=pcq-up-64k pcq-classifier=src-address pcq-rate=64k pcq-total-limit=4000KiB
add kind=pcq name=pcq-down-3M pcq-classifier=dst-address pcq-rate=3M pcq-total-limit=4000KiB
add kind=pcq name=pcq-up-3M pcq-classifier=src-address pcq-rate=3M pcq-total-limit=4000KiB
# Simple queues. "WAN" caps the whole 192.168.1.0/24 at 5M/5M and the named
# queues below it are its children, each applying a per-host PCQ type to a
# few addresses. "South" (192.168.1.226) has no parent and therefore sits
# outside the 5M cap. The catch-all child "LAN - internet" applies the 512k
# types to whatever the more specific children did not match.
/queue simple
add name=South queue=pcq-up-2M/pcq-down-2M target=192.168.1.226/32
add max-limit=5M/5M name=WAN queue=ethernet-default/ethernet-default target=192.168.1.0/24
add name="internet abusers" parent=WAN queue=pcq-up-64k/pcq-down-64k target=192.168.1.69/32
add name="Manager1 " parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.78/32,192.168.1.51/32
add name="IT Admin" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.53/32,192.168.1.54/32
add name=Manager2 parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.60/32,192.168.1.76/32
add name=Manager3 parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.243/32,192.168.1.58/32,192.168.1.239/32
add name=Manager4 parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.56/32
add name="IT Tech" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.75/32
add name=Radios parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.65/32,192.168.1.50/32
add name="Manager6" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.165/32
add name=Manager7 parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.81/32,192.168.1.82/32
add name=Manager8 parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.248/32
add name="South Reception" parent=WAN queue=pcq-up-2M/pcq-down-2M target=192.168.1.244/32
add name="Manager9" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.71/32 total-queue=default
add name="Swipe Machine" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.232/32
add name="Reception Bookings" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.86/32 total-queue=default
add name="LAN - internet" parent=WAN queue=pcq-up-512k/pcq-down-512k target=192.168.1.0/24
# Fast-path and route-cache are both switched off, so every forwarded packet
# takes the full firewall/queue path on the CPU. This is directly relevant
# to the throughput-versus-CPU discussion in this thread.
/ip settings
set allow-fast-path=no route-cache=no
# PPTP server enabled with the profile above (user entry under /ppp secret).
/interface pptp-server server
set default-profile=PPTP-VPN enabled=yes
# --- Addressing ---
# x.x.x.x / y.y.y.y are the redacted provider addresses of the two /30
# point-to-point links (WAN1 on vlan4090, WAN2 on vlan3232).
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=x.x.x.x/30 interface=vlan4090 network=x.x.x.x
add address=172.17.0.254/24 interface=vlan2 network=172.17.0.0
add address=y.y.y.y/30 interface=vlan3232 network=y.y.y.y
# A DHCP client is also left active on untagged ether1 with
# default-route-distance=0. Should it ever obtain a lease, a distance-0
# default route would take precedence over the distance-1/2 static routes
# defined under /ip route below. TODO confirm this is intentional rather
# than a leftover from the factory configuration.
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid interface=ether1
# --- Static DHCP leases ---
# Pins fixed addresses for the hosts that the simple queues above reference
# by /32 (.56, .69, .78, .81/.82, .51, .75, .53/.54, ...). Most entries use
# always-broadcast=yes, i.e. replies to those clients are broadcast.
/ip dhcp-server lease
add address=192.168.1.56 always-broadcast=yes client-id=1:30:10:b3:82:a7:fd mac-address=30:10:B3:82:A7:FD server=DHCP-LAN
add address=192.168.1.69 always-broadcast=yes client-id=1:bc:ae:c5:35:e:82 mac-address=BC:AE:C5:35:0E:82 server=DHCP-LAN
add address=192.168.1.64 always-broadcast=yes client-id=1:bc:ae:c5:35:e:7a mac-address=BC:AE:C5:35:0E:7A server=DHCP-LAN
add address=192.168.1.78 always-broadcast=yes client-id=1:48:45:20:6b:30:eb mac-address=48:45:20:6B:30:EB server=DHCP-LAN
add address=192.168.1.81 always-broadcast=yes client-id=1:a4:d1:8c:61:5:36 mac-address=A4:D1:8C:61:05:36 server=DHCP-LAN
add address=192.168.1.82 always-broadcast=yes client-id=1:40:33:1a:b4:8f:36 mac-address=40:33:1A:B4:8F:36 server=DHCP-LAN
add address=192.168.1.51 always-broadcast=yes client-id=1:ec:1f:72:3d:68:77 mac-address=EC:1F:72:3D:68:77 server=DHCP-LAN
add address=192.168.1.79 always-broadcast=yes client-id=1:60:6c:66:b5:ad:10 mac-address=60:6C:66:B5:AD:10 server=DHCP-LAN
add address=192.168.1.75 always-broadcast=yes client-id=1:8:ed:b9:6a:57:40 mac-address=08:ED:B9:6A:57:40 server=DHCP-LAN
add address=192.168.1.72 client-id=1:a0:2b:b8:26:61:a3 mac-address=A0:2B:B8:26:61:A3 server=DHCP-LAN
add address=192.168.1.70 client-id=1:a8:fa:d8:3d:dd:70 mac-address=A8:FA:D8:3D:DD:70 server=DHCP-LAN
add address=192.168.1.71 always-broadcast=yes client-id=1:28:e3:47:ed:b2:23 mac-address=28:E3:47:ED:B2:23 server=DHCP-LAN
add address=192.168.1.54 always-broadcast=yes client-id=1:f0:25:b7:f1:d7:fa mac-address=F0:25:B7:F1:D7:FA server=DHCP-LAN
add address=192.168.1.53 always-broadcast=yes client-id=1:5c:ac:4c:98:e5:38 mac-address=5C:AC:4C:98:E5:38 server=DHCP-LAN
add address=192.168.1.63 always-broadcast=yes client-id=1:68:a3:c4:93:b7:c mac-address=68:A3:C4:93:B7:0C server=DHCP-LAN
add address=192.168.1.165 always-broadcast=yes client-id=1:70:5a:f:48:4d:3b mac-address=70:5A:0F:48:4D:3B server=DHCP-LAN
add address=192.168.1.52 always-broadcast=yes client-id=1:70:70:d:5:d:cc mac-address=70:70:0D:05:0D:CC server=DHCP-LAN
add address=192.168.1.90 always-broadcast=yes client-id=1:6c:40:8:aa:13:5c mac-address=6C:40:08:AA:13:5C server=DHCP-LAN
add address=192.168.1.65 client-id=1:d0:27:88:df:57:4e mac-address=D0:27:88:DF:57:4E server=DHCP-LAN
add address=192.168.1.76 always-broadcast=yes client-id=1:80:7a:bf:3b:f2:fc mac-address=80:7A:BF:3B:F2:FC server=DHCP-LAN
add address=192.168.1.60 always-broadcast=yes client-id=1:ac:2b:6e:cf:47:61 mac-address=AC:2B:6E:CF:47:61 server=DHCP-LAN
add address=192.168.1.66 client-id=1:54:27:1e:52:5e:ae mac-address=54:27:1E:52:5E:AE server=DHCP-LAN
add address=192.168.1.58 always-broadcast=yes client-id=1:d0:c5:f3:d7:5:b5 mac-address=D0:C5:F3:D7:05:B5 server=DHCP-LAN
add address=192.168.1.243 client-id=1:a4:d1:8c:c2:7f:e8 mac-address=A4:D1:8C:C2:7F:E8 server=DHCP-LAN
add address=192.168.1.239 always-broadcast=yes client-id=1:34:a3:95:35:1a:7d mac-address=34:A3:95:35:1A:7D server=DHCP-LAN
add address=192.168.1.86 always-broadcast=yes client-id=1:98:54:1b:83:c7:d7 mac-address=98:54:1B:83:C7:D7 server=DHCP-LAN
add address=192.168.1.226 always-broadcast=yes client-id=1:c4:17:fe:c0:ec:2 mac-address=C4:17:FE:C0:EC:02 server=DHCP-LAN
add address=192.168.1.248 always-broadcast=yes client-id=1:0:12:17:49:d4:ed mac-address=00:12:17:49:D4:ED server=DHCP-LAN
add address=192.168.1.244 always-broadcast=yes client-id=1:98:54:1b:80:56:5b mac-address=98:54:1B:80:56:5B server=DHCP-LAN
add address=192.168.1.232 always-broadcast=yes client-id=1:f0:92:1c:4d:87:5c mac-address=F0:92:1C:4D:87:5C server=DHCP-LAN
# Clients are handed the router itself as gateway and resolver.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
# The router resolves for the LAN and forwards to 5.11.11.11 / 5.11.11.5.
# allow-remote-requests=yes makes it answer on every interface, so its
# exposure toward the WAN VLANs rests entirely on the input chain below,
# which opens no port-53 rule from the WAN side and ends in a drop.
# max-udp-packet-size=512 limits UDP answers to the classic DNS size --
# TODO confirm that is deliberate (large/DNSSEC answers fall back to TCP).
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB max-udp-packet-size=512 servers=5.11.11.11,5.11.11.5
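# --- Firewall filter ---
# input chain: traffic addressed to the router itself. Rule order matters:
#  1. invalid connections are dropped;
#  2. sources already on ssh_blacklist are tarpitted; the ssh_stage1..3
#     lists escalate, so a source that opens four new TCP/22 connections
#     within roughly a minute reaches ssh_stage3 and is then blacklisted
#     for 1w3d;
#  3. new connections from the LAN port (ether2), established, related and
#     ICMP are accepted;
#  4. a fixed set of management / VPN ports is opened from any source;
#  5. everything else is dropped by the final input rule.
/ip firewall filter
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=tarpit chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp \
src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp \
src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp \
src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=ether2
add action=accept chain=input comment="Allow Established Connections" connection-state=established
add action=accept chain=input comment="Allow connections that originated from LAN" connection-state=related
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# NOTE(review): the SSH (22) and WINBOX (8291) accepts carry no src-address
# restriction, so both services are reachable from the WAN VLANs. SSH is at
# least rate-limited by the staged lists above; WinBox is not. Adding
# src-address=192.168.1.0/24 (plus the management subnet if needed) to
# these two rules would remove that exposure.
add action=accept chain=input comment=SSH dst-port=22 protocol=tcp
# NOTE(review): IKE/ISAKMP runs over UDP/500 (UDP/4500 with NAT-T). This
# rule matches TCP/500 only, so an inbound IPsec peer is dropped by the
# final input rule. Confirm whether inbound IPsec is expected at all.
add action=accept chain=input comment=ISAKMP dst-port=500 protocol=tcp
add action=accept chain=input comment=PPTP-VPN dst-port=1723 protocol=tcp
add action=accept chain=input comment="The Dude" dst-port=2210 protocol=tcp
add action=accept chain=input comment=WINBOX dst-port=8291 protocol=tcp
add action=accept chain=input comment=PPTP-VPN protocol=gre
add action=accept chain=input comment=PPTP-VPN protocol=ipsec-esp
# OSPF: 224.0.0.5 is accepted for any protocol and protocol=ospf for any
# destination (the latter with log=yes, which logs every OSPF packet and can
# be noisy). 224.0.0.18 is the VRRP group address; together with
# protocol=ipsec-ah the middle rule looks like an AH-authenticated VRRP
# accept rather than OSPF -- TODO confirm what it is for.
add action=accept chain=input comment=OSPF dst-address=224.0.0.5
add action=accept chain=input dst-address=224.0.0.18 protocol=ipsec-ah
add action=accept chain=input comment=OSPF log=yes protocol=ospf
add action=accept chain=input comment="LAN Traffic" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
# NOTE(review): action=return in a built-in chain does not send an ICMP
# unreachable (that would be action=reject); this rule appears to be a
# no-op and unmatched UDP simply falls through to the drop below -- confirm.
add action=return chain=input comment="UDP Return Unreachable" connection-state="" protocol=udp
add action=drop chain=input comment="Drop Traffic from anywhere"
# forward chain: an explicit whitelist. LAN-to-LAN, dst-nat'ed flows, ICMP
# and PPTP GRE are accepted unconditionally; outbound flows from
# 192.168.1.0/24 are accepted per destination port, with return-path rules
# keyed on src-port for UDP. Note that established/related are accepted for
# TCP only (near the end of the chain), so UDP replies depend entirely on
# those src-port rules. Whatever reaches the end is logged, then dropped.
add action=accept chain=forward comment="LAN Traffic" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=accept chain=forward comment=ICMP protocol=icmp
add action=accept chain=forward comment="Allow all dstnat traffic" connection-nat-state=dstnat
# NOTE(review): FTP data (port 20) is TCP, not UDP, so the two FTP-DATA
# rules below will not match a real FTP data connection.
add action=accept chain=forward comment=FTP-DATA dst-address=0.0.0.0/0 dst-port=20 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=FTP-DATA dst-address=192.168.1.0/24 protocol=udp src-port=20
add action=accept chain=forward comment=FTP-CONTROL dst-address=0.0.0.0/0 dst-port=21 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=SSH dst-address=0.0.0.0/0 dst-port=22 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Telnet dst-address=0.0.0.0/0 dst-port=23 protocol=tcp src-address=192.168.1.0/24
# NOTE(review): 172.17.2.126 lies in no subnet configured on this router;
# presumably it is reached across the management VLAN -- verify.
add action=accept chain=forward comment=SMTP dst-port=25 protocol=tcp src-address=172.17.2.126
add action=accept chain=forward comment=DNS dst-address=0.0.0.0/0 dst-port=53 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=DNS dst-address=0.0.0.0/0 dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=DNS dst-address=192.168.1.0/24 protocol=udp src-port=53
add action=accept chain=forward comment=HTTP dst-address=0.0.0.0/0 dst-port=80 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="RADIO EXPORT CODEPLUG DATABASE" dst-address=0.0.0.0/0 dst-port=81 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=POP3 dst-address=0.0.0.0/0 dst-port=110 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=NTP dst-address=0.0.0.0/0 dst-port=123 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=NTP dst-address=192.168.1.0/24 protocol=udp src-port=123
add action=accept chain=forward comment="Microsoft RPC Locator Service" dst-address=0.0.0.0/0 dst-port=135 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Microsoft RPC Locator Service" dst-address=0.0.0.0/0 dst-port=135 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Microsoft RPC Locator Service" dst-address=192.168.1.0/24 protocol=udp src-port=135
add action=accept chain=forward comment=Netbios dst-address=0.0.0.0/0 dst-port=139 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Netbios dst-address=0.0.0.0/0 dst-port=139 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Netbios dst-address=192.168.1.0/24 protocol=udp src-port=139
add action=accept chain=forward comment=IMAP dst-address=0.0.0.0/0 dst-port=143 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=HTTPS dst-address=0.0.0.0/0 dst-port=443 protocol=tcp src-address=192.168.1.0/24
# The "Incoming ..." rules accept unsolicited inbound flows toward private
# LAN addresses; they only matter for traffic that is routed (not NATed) to
# 192.168.1.0/24, e.g. from the management side.
add action=accept chain=forward comment="Incoming Outlook Anywhere" dst-address=192.168.1.0/24 dst-port=443 protocol=tcp
add action=accept chain=forward comment=HTTPS dst-address=0.0.0.0/0 dst-port=443 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=HTTPS dst-address=192.168.1.0/24 protocol=udp src-port=443
add action=accept chain=forward comment=SMTPS dst-address=0.0.0.0/0 dst-port=465 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=ISAKMP dst-address=0.0.0.0/0 dst-port=500 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=ISAKMP dst-address=0.0.0.0/0 dst-port=500 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=ISAKMP dst-address=192.168.1.0/24 protocol=udp src-port=500
add action=accept chain=forward comment=SMTP dst-address=0.0.0.0/0 dst-port=587 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="ZIMRA FTP" dst-address=0.0.0.0/0 dst-port=800 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=IMAPS dst-address=0.0.0.0/0 dst-port=993 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=POP3S dst-address=0.0.0.0/0 dst-port=995 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=PPTP-VPN dst-address=0.0.0.0/0 dst-port=1723 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="ExSolar Smart Energy Monitor Data" dst-address=0.0.0.0/0 dst-port=2010 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="ExSolar Smart Energy Monitor Data" dst-address=192.168.1.0/24 protocol=udp src-port=2010
add action=accept chain=forward comment="Quintum Remtoe Tenor Manager" dst-address=65.88.254.134 dst-port=2300 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Quintum Remtoe Tenor Manager" dst-address=192.168.1.0/24 protocol=udp src-address=65.88.254.134 src-port=2300
add action=accept chain=forward comment=SMTP dst-address=0.0.0.0/0 dst-port=2525 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=UPNP dst-address=0.0.0.0/0 dst-port=2869 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=BlackBerry dst-address=0.0.0.0/0 dst-port=3101 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Active Directory" dst-address=0.0.0.0/0 dst-port=3268 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Incoming Active Directory" dst-address=192.168.1.0/24 dst-port=3268 protocol=tcp
add action=accept chain=forward comment="Allow Remote Desktop out" dst-address=0.0.0.0/0 dst-port=3389 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber,whatsapp dst-address=0.0.0.0/0 dst-port=3478 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber,whatsapp dst-address=192.168.1.0/24 protocol=udp src-port=3478
add action=accept chain=forward comment=Facetime dst-address=0.0.0.0/0 dst-port=3478-3497 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Facetime dst-address=192.168.1.0/24 protocol=udp src-port=3478-3497
add action=accept chain=forward comment=Viber,whatsapp dst-address=0.0.0.0/0 dst-port=4244 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="WAN1 Crashplan" dst-address=0.0.0.0/0 dst-port=4282 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=NON500-ISAKMP dst-address=0.0.0.0/0 dst-port=4500 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=NON500-ISAKMP dst-address=0.0.0.0/0 dst-port=4500 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=NON500-ISAKMP dst-address=192.168.1.0/24 protocol=udp src-port=4500
add action=accept chain=forward comment=SIP dst-address=0.0.0.0/0 dst-port=5060 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=SIP dst-address=0.0.0.0/0 dst-port=5060 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=SIP dst-address=192.168.1.0/24 dst-port=5060 protocol=udp
add action=accept chain=forward comment=SIP dst-address=0.0.0.0/0 dst-port=5061 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=SIP dst-address=0.0.0.0/0 dst-port=5070 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=SIP dst-address=0.0.0.0/0 dst-port=5070 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=SIP dst-address=192.168.1.0/24 dst-port=5070 protocol=udp
add action=accept chain=forward comment=Whatsapp dst-address=0.0.0.0/0 dst-port=5222 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Whatsapp dst-address=0.0.0.0/0 dst-port=5223 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Whatsapp dst-address=0.0.0.0/0 dst-port=5228 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Whatsapp dst-address=0.0.0.0/0 dst-port=5242 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber dst-address=0.0.0.0/0 dst-port=5243 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber dst-address=192.168.1.0/24 protocol=udp src-port=5243
add action=accept chain=forward comment="Web Portal" dst-address=0.0.0.0/0 dst-port=5742 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="solar webportal" dst-address=0.0.0.0/0 dst-port=7777 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Alternate SMTP" dst-address=0.0.0.0/0 dst-port=8025 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=HTTP dst-address=0.0.0.0/0 dst-port=8080 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="WAN1 Service Desk Portal" dst-address=0.0.0.0/0 dst-port=8086 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Winbox dst-address=0.0.0.0/0 dst-port=8291 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Winbox dst-address=192.168.1.0/24 protocol=tcp src-port=8291
add action=accept chain=forward comment=SSL dst-address=0.0.0.0/0 dst-port=8443 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber dst-address=0.0.0.0/0 dst-port=9785 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber dst-address=192.168.1.0/24 protocol=udp src-port=9785
add action=accept chain=forward comment="VPN " dst-address=0.0.0.0/0 dst-port=10000 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="VPN " dst-address=0.0.0.0/0 dst-port=10000 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="VPN " dst-address=192.168.1.0/24 protocol=udp src-port=10000
add action=accept chain=forward comment="Dandemutande SMTP" dst-address=0.0.0.0/0 dst-port=10025 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Facetime dst-address=0.0.0.0/0 dst-port=16384-16387 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Facetime dst-address=192.168.1.0/24 protocol=udp src-port=16384-16387
add action=accept chain=forward comment=Facetime dst-address=0.0.0.0/0 dst-port=16393-16402 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Facetime dst-address=192.168.1.0/24 protocol=udp src-port=16393-16402
add action=accept chain=forward comment="FNB Banking App" dst-address=0.0.0.0/0 dst-port=36400 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Whatsapp dst-port=45395 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Whatsapp dst-address=192.168.1.0/24 protocol=udp src-port=45395
add action=accept chain=forward comment=PPTP-VPN protocol=gre
add action=accept chain=forward comment="WAN1 VOIP" dst-address=77.246.50.80 src-address=192.168.1.0/24
add action=accept chain=forward comment="WAN1 VOIP" dst-address=192.168.1.0/24 src-address=77.246.50.80
# Established/related are accepted for TCP only; see the note at the top of
# the forward chain about UDP return traffic.
add action=accept chain=forward comment="TCP Established" connection-state=established protocol=tcp
add action=accept chain=forward comment="Allow connections originating from Lan" connection-state=related protocol=tcp
# Everything not matched above is logged first, so the log shows which flows
# the whitelist is missing.
add action=log chain=forward log=yes
# FIX: this rule was action=accept although its comment (and the log rule
# immediately above it) say "drop". As exported it accepted every flow the
# whitelist did not cover, which made the whole forward whitelist
# ineffective. Changed to drop so the chain enforces its stated policy;
# review the log output from the rule above before rolling this out.
add action=drop chain=forward comment="Drop everything not accepted"
# output chain: traffic originated by the router. Only invalid is dropped;
# anything else falls through to the chain's default accept.
add action=accept chain=output comment="Allow Established from router" connection-state=established
add action=accept chain=output comment="Allow related from router" connection-state=related
add action=accept chain=output comment="LAN Traffic" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=output comment="Drop invalid from router" connection-state=invalid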
# --- Policy routing for the two WAN circuits ---
# Flows that arrive on a given WAN VLAN are marked so that their replies
# leave through the same circuit: forward-chain connection marks plus
# prerouting routing marks for transit traffic, input-chain connection marks
# plus output-chain routing marks for traffic to/from the router itself.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=" pfw WAN1, out WAN1" connection-mark=WAN1_pfw in-interface=vlan4090 new-routing-mark=WAN1_traffic \
passthrough=no
add action=mark-routing chain=prerouting comment=" pfw WAN2, out WAN2" connection-mark=WAN2_pfw in-interface=vlan3232 new-routing-mark=WAN2_traffic \
passthrough=no
add action=mark-connection chain=input comment=" in WAN1,out WAN1" in-interface=vlan4090 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment=" in WAN2,out WAN2" in-interface=vlan3232 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=forward comment=" pfw WAN1, out WAN1" connection-state=new in-interface=vlan4090 new-connection-mark=WAN1_pfw \
passthrough=yes
add action=mark-connection chain=forward comment=" pfw WAN2, out WAN2" connection-state=new in-interface=vlan3232 new-connection-mark=WAN2_pfw \
passthrough=yes
add action=mark-routing chain=output comment=" in WAN1,out WAN1" connection-mark=WAN1_conn new-routing-mark=WAN1_traffic passthrough=no
add action=mark-routing chain=output comment=" in WAN2,out WAN2" connection-mark=WAN2_conn new-routing-mark=WAN2_traffic passthrough=no
# Source NAT of the LAN to each circuit's (redacted) public address,
# selected by the outgoing VLAN.
/ip firewall nat
add action=src-nat chain=srcnat comment="WAN1 Src Nat" dst-address=0.0.0.0/0 out-interface=vlan4090 src-address=192.168.1.0/24 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="WAN2 Src Nat" dst-address=0.0.0.0/0 out-interface=vlan3232 src-address=192.168.1.0/24 to-addresses=y.y.y.y
# LAN-to-LAN packets bypass connection tracking; such packets never reach
# the connection-state / connection-mark matchers above.
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.1.0/24
# One route per routing mark, plus the default routes: WAN2 is primary
# (distance 1) and WAN1 the fallback (distance 2). check-gateway=ping
# withdraws a route while its gateway stops answering.
/ip route
add check-gateway=ping comment="in_WAN1;;out_WAN1" distance=1 gateway=x.x.x.225 routing-mark=WAN1_traffic
add check-gateway=ping comment="in_WAN2; out_WAN2" distance=1 gateway=y.y.y.69 routing-mark=WAN2_traffic
add check-gateway=ping comment="Primary out_WAN2" distance=1 gateway=y.y.y.69
add check-gateway=ping comment="Secondary out_WAN1" distance=2 gateway=x.x.x.225
# Route rules: directly connected destinations stay in main; traffic sourced
# from a WAN /30 or carrying a routing mark is steered to the matching table.
/ip route rule
add dst-address=192.168.1.0/24 table=main
add dst-address=y.y.y.y/30 table=main
add dst-address=x.x.x.x/30 table=main
add src-address=y.y.y.y/30 table=WAN2_traffic
add src-address=x.x.x.x/30 table=WAN1_traffic
add routing-mark=WAN2_traffic table=WAN2_traffic
add routing-mark=WAN1_traffic table=WAN1_traffic
# --- Management services and system settings ---
# telnet, ftp, api and api-ssl are disabled. Only changed entries appear in
# an export, so ssh, www and winbox presumably keep their defaults (enabled,
# no address restriction) -- verify, and consider address= limits to the
# LAN/management subnets for the ones that stay enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Single PPTP user; no password is shown in this export.
/ppp secret
add name=grant profile=PPTP-VPN service=pptp
/system clock
set time-zone-name=Indian/Mauritius
/system identity
set name=RB750G
# Only the pptp topic is added to the logging configuration.
/system logging
add topics=pptp
/system ntp client
set enabled=yes server-dns-names=0.africa.pool.ntp.org,1.africa.pool.ntp.org,2.africa.pool.ntp.org,3.africa.pool.ntp.org
/system package update
set channel=bugfix
/system routerboard settings
set init-delay=0s
# A RoMON port entry is added with all defaults; which interfaces it applies
# to is not visible here -- confirm RoMON is not reachable from the WAN side.
/tool romon port
add
So my understanding is this.
You want to have LAN and WiFi for your employees or colleagues, and then a separate guest WiFi for guests only.
I would use ether1 for the WAN port, i.e. the link to the 10.10 network. I would then configure two bridges: one bridge for the LAN and one bridge for Guest_Wifi.
I would then apply the IP addresses to the various interfaces (ether1, LAN_BRIDGE, GUEST_WIFI_BRIDGE). You can experiment to see whether performance changes if you apply the IP address to the ether2 interface (a member of LAN_BRIDGE) instead.
I would add ether2 and the WiFi interfaces for your LAN users to LAN_BRIDGE.
I would then set ether2 as the master port for ether3-5.
Configure your DHCP and default LAN accordingly. You will also need to make sure that the 10.10 main router has an IP route pointing back to the LAN subnet behind this router.
This would be a very simple config, not many lines.
Here is an example which is not exactly the same, but similar.
# --- Example access-switch / AP configuration (a different device from the
# router above) ---
# Everything -- ether1 (with ether2-5 switched behind it), both radios and
# vlan10 on sfp1 -- is placed in a single bridge; the gateway for this
# segment is 172.17.10.1.
/interface bridge
add name="VLAN 10 LAN Bridge"
# ether2-5 are slaved to ether1 via master-port, so only ether1 has to be a
# bridge port (the point about CPU load made later in the thread).
# loop-protect is enabled on every wired port.
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on
set [ find default-name=ether2 ] loop-protect=on master-port=ether1
set [ find default-name=ether3 ] loop-protect=on master-port=ether1
set [ find default-name=ether4 ] loop-protect=on master-port=ether1
set [ find default-name=ether5 ] loop-protect=on master-port=ether1
set [ find default-name=sfp1 ] loop-protect=on
# Two radios with the same SSID on 2.4 and 5 GHz. The 2.4 GHz radio uses
# frequency-mode=superchannel with a fixed 29 dBm tx-power on all rates;
# superchannel ignores the regulatory-domain limits, so confirm this is
# intended and permitted for the deployment. WPS is disabled on both.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=zimbabwe disabled=no frequency=2462 frequency-mode=superchannel mode=\
ap-bridge name=HQ-RES-2.4 ssid=HQ-RES tx-power=29 tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-eCee country=zimbabwe disabled=no frequency=auto frequency-mode=regulatory-domain \
mode=ap-bridge name=HQ-RES-5 ssid=HQ-RES wps-mode=disabled
/interface wireless nstreme
set HQ-RES-2.4 enable-polling=no
set HQ-RES-5 enable-polling=no
/interface vlan
add interface=sfp1 name=vlan10 vlan-id=10
# NOTE(review): only supplicant-identity is changed on the default security
# profile, and neither radio references another profile, so no WPA2/WPA3
# authentication or encryption settings appear in this export. Unless the
# poster trimmed them, the HQ-RES SSID is open -- verify before reusing.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# OSPF router-id equals this device's vlan10 address (set below).
/routing ospf instance
set [ find default=yes ] router-id=172.17.10.8
/interface bridge port
add bridge="VLAN 10 LAN Bridge" interface=ether1
add bridge="VLAN 10 LAN Bridge" interface=HQ-RES-2.4
add bridge="VLAN 10 LAN Bridge" interface=HQ-RES-5
add bridge="VLAN 10 LAN Bridge" interface=vlan10
/ip settings
set route-cache=no
/ip address
add address=172.17.10.8/24 interface=vlan10 network=172.17.10.0
/ip dns
set cache-size=512KiB servers=172.17.2.123,172.17.2.125
# Single default route toward the VLAN 10 gateway.
/ip route
add distance=1 gateway=172.17.10.1
# An SMB share rooted at /pub; whether the SMB service itself is enabled is
# not visible in this excerpt.
/ip smb shares
set [ find default=yes ] directory=/pub
# Advertises all of 172.16.0.0/16 into the OSPF backbone area.
/routing ospf network
add area=backbone network=172.16.0.0/16
/system clock
set time-zone-name=Indian/Mauritius
/system identity
set name=HQ-RES-SW1
/system leds
set 1 interface=HQ-RES-5
/system package update
set channel=bugfix
Excuse me, I can only change the config globally at the weekend, but can you test the maximum speed with your config? In my current configuration, speed decreased from 911Mbit to 620Mbit (tested by iperf3) after adding one simple queue. Moreover, at 911Mbit the CPU load is about 75%, but at 620Mbit the CPU is at 100%.
Thank you for your config, I’ll mindfully review it later.
I tried running iperf between two computers on my network and got a maximum of 500 Mbit/s no matter what settings I changed. CPU usage would sit between 70 and 90% without simple queues. This is not an indication of bandwidth, as I got the same results both on the same switch and behind the router. This appears to be an issue with Windows and iperf, so it is difficult for me to give you an accurate result.
Thank you a lot!
My mistake was to add all interfaces to the bridge instead of using master-port and bridging only that one port.
Now the speed is up to 92Mb/sec with one simple queue, but the CPU is at about 70%-90% load, so it's a problem of queue tuning, not a CPU limit.
These smaller routers use a large amount of CPU for networking and Ethernet, especially when a bridge is involved; the rules only account for a few percent. You may need to look at a higher model to get greater throughput. I am using the 1100AH x2 as an inter-VLAN router and it works well.
I would like a complete solution with Wi-Fi, so I selected the “hAP ac” as the highest such model.
Can you recommend me any other?
As you have said, if you are looking for an integrated solution then the hAP ac is the highest model. You could use a separate AP and router. Another option is to do the speed control on your WAN router; that is where I do most of it, and it will take 25% of the simple-queue load off your hAP ac. I prefer to control it on the WAN router, as this offers the best results.
I have ccr1036 2s+ em
..
My information and configuration details..
I am running a small isp in a town area..
My total customers are 2100 only.
And every user has different bandwidth limit from radius server configured as zal pro for assigning internet packages with expiry date..like 10mbps 15mbps 25mbps 35mbps 50mbps and 100mbps..most of them are 10mbps, 15mbps and 25mbps..
I configure firewall nat as cgnat for 2200 clients on /24 pool.
Nat rules will be 7 or 8000 rules for 2200 clients..
My total bandwidth is 2gb per second..
Wan is connected to sfp+ plus port with a fiber dac cable..
Lan also connected to fiber dac cable with vlans cisco nexus 10gbps switch for my distributers areas…
1Ge ethernet port also configured with vlan for another area..
I am getting two issues on mikrotik ccr1036 2s+ em
1- when i tried simple queus with limit of 400mbps on certain destination supposed local ip pool 172.16.0.0/16
and the destination address is the YouTube pool, to limit the maximum bandwidth for local users. When I applied this, my CCR's CPU went to 100%; I was shocked but did not disable it and let it keep running. The CCR then restarted itself, so I disabled that queue in simple queues.
2- one month ago i request to the isp to upgrade my internet services from 2gbps to 10gbps because at that time i connected the new distributor for providing internet of about 1200 users only..
And i make 2 more ccr 1036 configured same but short cgnat ip pool of about /22 only. And that two ccr’s connected after my configured cc1036 ip routing only and vlan through cisco nexus ports
So my main ccr was passing only 4 gbps maximum bandwidth…
And if i use a simple queue for two another ccr band limit only two ip adresses cpu goes to 100percent…
Why are MikroTik queues eating so much CPU?
With queues its also not passing a bandwidth to 10gbps… Maximum throughput was only 4 or 4.2 gbps of bandwidth without any limit…
Kindly guide me to pass the maximum traffic to 10gbps
And to resolve the simple ques issue on low minimum proccesing..
i think you need to split that load on separate machines
that ccr1036 is maxed out
I also tried the x86_64 version on a Xeon server; MikroTik does not pass as much traffic there either. MikroTik needs a lot of resources to pass data, and more speed needs more processors. I heard that netElastic on CentOS gives 20 Gbps throughput on the same server. I don't know why the MikroTik test result for the CCR1036-2S+EM says it can pass 26 Gbps when using every port, so why is 10G not passing through the SFP+ port?
May be i need to configure cgnatting to core router
And pppoe clients on different ccr…
But when I activate simple queues, MikroTik goes to 100 percent CPU. How are other people doing this, and what is happening to my CCR? I bought 3 CCRs in the last three months but failed to pass 10Gb of internet traffic.
What i am i missing? I dont want to give the fast track enable to my customers because customers will not pay for the higher bandwidth payments… I am very disheartened and so much confused to what to do now..
Cisco nexus as bgp
Then server x86
Then 1 ccr1036 cgnatting
Then 3 ccr for customers..
Still customers are not satisfying from the services
And resources are not enough to run only 21 hundred users… because of the 100% CPU problem.
it depends on the configuration; with a ccr1036 in real world customer scenarios you can pass approximately:
20 gbps in fast-path mode no firewall,no mangle, no queues, no PPPoE
10 gbps in fast-track mode no mangle, no queues, no PPPoE
it all depends on the complexity of your configuration: a heavy configuration can easily reduce ccr1036 capacity down to 1.5 gbps, and a bad configuration can cripple it to lower than that
In an ISP network some Router Roles/Functions imply concentrating almost all the bandwidth; border-router and core-router easily fall in this category, but these roles can be fulfilled in fast-path or even fast-track mode, and CG-NAT works well in fast-track mode
that's why running these Roles/Functions on separate machines is a good idea: to achieve fast-path/fast-track mode, pass many gbps without problems and scale these Roles/Functions more easily
once you have these Roles/Functions running in fast-track/fast-path mode on your border, core and CG-NAT routers you have an advantage, which is that these tasks are no longer performed by the BRAS/BNG routers, offloading some load and complexity from them
but intensive tasks like queues, QoS, PPPoE and more still need to be performed by the BRAS/BNG Role/Function routers
It is often in this role that you most need to design and implement your network to partition fractions of your end users across multiple BRAS/BNG routers, in a way that keeps the amount of end-users and traffic on each router within equipment capacity
also consider offloading traffic control onto the access network
For example, in GPON networks, many no longer control bandwidth with the routers; instead they do it with the OLT, freeing up resources in the BNG/BRAS router
a good guide about this:
https://stubarea51.net/2021/11/14/isp-design-guide-separation-of-network-functions-introduction-and-overview/
https://stubarea51.net/2022/05/02/webinar-isp-design-separation-of-network-functions/
Thanks for the great reply… I hope in new upgrades MikroTik achieves this on a single BNG router…
Because these days we like to put the smallest equipment into the rack because of lower power consumption, and UPS backup will be better..
Nobody likes to install big rackmount servers like Dell and HP servers…
Many of isp i heard that they are using junipers to achieve 100gbps on single router… But its very expensive i dont know the actual price but its also not available in my country…if its available somewhere in my country i must ask the price and interested to go to juniper..
Mikrotik is fastest in the making configuration
And also the fastest to see and rectify customer issues… But against Juniper it has failed..
And version 7 is not as good as the 6.x versions, where the issues are fixed..
Well thanks anyways..
don't forget about power consumption and heat; MikroTik is also very competitive in that matter. To power the smallest Juniper box (which was discontinued recently) you will need the power and space of several MikroTiks, and talking about money, I hope your 2,000 customers generate enough profit to buy something 10x more expensive than MikroTik, plus the power and cooling you will require for that
even if you use Juniper, the Network Role/Function separation is still needed; forget about a single all-in-one box solution to scale properly
No man… netElastic and Juniper are working on a single box… And I already mentioned power consumption…
My only request is that I need a one-box solution from MikroTik
..
Because of the WinBox function it is very fast to configure any type of router…
And I need one box because I need to put that router in many places to achieve higher and higher bandwidth for the customers at very reliable rates..
And alhamdulillah (meaning thanks to God) I have 2000 customers, and I also can manage and buy multiple CCRs, but I need them for multiple PoP locations and it is very costly… UPS, Nexus and CCRs, then Nexus again, redundant fiber connectivity, location rent, electricity, fiber expenses.. it will cost around 10 thousand dollars minimum for one PoP…
And if the data still does not pass, it hurts…
Well, I am also a fan of MikroTik.. just waiting for the bigger router..
MikroTik has to produce an enterprise-level router like Cisco and Juniper, or Intel Xeon server type routers… for huge packet loads… and for millions of users…
Hope MikroTik will do it next year..