I have a 250 Mbit Internet connection and want to use the CRS125 as my router. My ISP gives me a static IP, and I must use my own router to protect my local network (Unitymedia business cable connection).
My idea is to connect the ISP modem to port 1 of the CRS125; the CRS should use the first static IP and connect the local network via masquerade.
My transfer rate is only about 15 Mbit. When I connect my local computer directly to the ISP modem, I get 280 Mbit downstream. Before I had the 250 Mbit downstream, I used 100 Mbit with no problem.
Here is my Config-File as “Export”:
RouterOS is 6.33.3
# Port naming and hardware switch groups. master-port= makes a port a slave of
# the named master port; the export defines two groups: one led by ether1
# (the ISP uplink) and one led by ether7 (the LAN).
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Gateway to Unitymedia" name=\
ether1WAN-Gateway
# NOTE(review): ether2-ether6 name the WAN port as their master, so despite the
# "-local-" names they share a switch group with the ISP uplink. On RouterOS
# 6.x, frames inside a switch group are forwarded by the switch chip and do not
# pass /ip firewall filter or NAT; anything plugged into these ports sits on
# the ISP segment. Confirm this is intended.
set [ find default-name=ether2 ] advertise=1000M-full master-port=\
ether1WAN-Gateway name=ether2-local-slave
set [ find default-name=ether3 ] master-port=ether1WAN-Gateway name=\
ether3-local-slave
set [ find default-name=ether4 ] master-port=ether1WAN-Gateway name=\
ether4-local-slave
set [ find default-name=ether5 ] master-port=ether1WAN-Gateway name=\
ether5-local-slave
set [ find default-name=ether6 ] master-port=ether1WAN-Gateway name=\
ether6-local-slave
# ether7 is the master of the LAN group: ether8-ether24 and sfp1 below all set
# master-port=ether7-local-Master. It carries 172.16.1.1/26 and the LAN DHCP
# server elsewhere in this export.
set [ find default-name=ether7 ] comment="Medion NAS" name=\
ether7-local-Master
set [ find default-name=ether8 ] comment="HP Laserjet pro 400 Color" \
master-port=ether7-local-Master name=ether8-local-slave
# ether9, ether17 and ether18 are named "-local-master" but are slaves of
# ether7 like the rest of the group.
set [ find default-name=ether9 ] comment="GigaBlue Quad plus" master-port=\
ether7-local-Master name=ether9-local-master
set [ find default-name=ether10 ] advertise=1000M-full master-port=\
ether7-local-Master name=ether10-local-slave
set [ find default-name=ether11 ] comment="Sony Bravia KDL-55" master-port=\
ether7-local-Master name=ether11-local-slave
set [ find default-name=ether12 ] advertise=1000M-full comment=\
"HP LaserJet 2430 DTN" master-port=ether7-local-Master name=\
ether12-local-slave
set [ find default-name=ether13 ] comment="iMac - Simona LAN" master-port=\
ether7-local-Master name=ether13-local-slave
set [ find default-name=ether14 ] comment="iMac Wolfgang" master-port=\
ether7-local-Master name=ether14-local-slave
set [ find default-name=ether15 ] comment=Sofa-Cable master-port=\
ether7-local-Master name=ether15-local-slave
set [ find default-name=ether16 ] master-port=ether7-local-Master name=\
ether16-local-slave
set [ find default-name=ether17 ] advertise=100M-full,1000M-full comment=\
"Asterisk VoIP" master-port=ether7-local-Master name=ether17-local-master
set [ find default-name=ether18 ] comment="Lummerland-Video LAN" master-port=\
ether7-local-Master name=ether18-local-master
# ether19-ether24 keep their default names and join the LAN group unlabelled.
set [ find default-name=ether19 ] master-port=ether7-local-Master
set [ find default-name=ether20 ] master-port=ether7-local-Master
set [ find default-name=ether21 ] master-port=ether7-local-Master
set [ find default-name=ether22 ] master-port=ether7-local-Master
set [ find default-name=ether23 ] master-port=ether7-local-Master
set [ find default-name=ether24 ] master-port=ether7-local-Master
set [ find default-name=sfp1 ] master-port=ether7-local-Master name=\
sfp1-local-slave
# Neighbor discovery settings per interface. Only the WAN master port turns
# discovery off (discover=no); the other entries just mirror the port comments
# and leave discovery at its default.
/ip neighbor discovery
set ether1WAN-Gateway comment="WAN Gateway to Unitymedia" discover=no
set ether7-local-Master comment="Medion NAS"
set ether8-local-slave comment="HP Laserjet pro 400 Color"
set ether9-local-master comment="GigaBlue Quad plus"
set ether11-local-slave comment="Sony Bravia KDL-55"
set ether12-local-slave comment="HP LaserJet 2430 DTN"
set ether13-local-slave comment="iMac - Simona LAN"
set ether14-local-slave comment="iMac Wolfgang"
set ether15-local-slave comment=Sofa-Cable
set ether17-local-master comment="Asterisk VoIP"
set ether18-local-master comment="Lummerland-Video LAN"
# Wireless setup: one 2.4 GHz channel definition, three security profiles, the
# physical AP (wlan1) and a virtual guest AP on top of it.
/interface wireless channels
add band=2ghz-b/g/n frequency=2442 list=Lummerland name=ch1 width=20
/interface wireless security-profiles
# Default profile. authentication-types lists only wpa2-psk, so the
# wpa-pre-shared-key value is not used. "Password" is presumably a placeholder
# substituted before posting.
# NOTE(review): tkip is still offered next to aes-ccm; TKIP is deprecated, and
# aes-ccm alone is the usual choice for WPA2.
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=Password \
wpa2-pre-shared-key=Password
# Guest profile. NOTE(review): the WPA2 key here is the SSID without the
# hyphen and was not replaced by a placeholder, so it should be treated as
# disclosed and changed.
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
mode=dynamic-keys name=Lummerland-Guest supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=Password \
wpa2-pre-shared-key=LummerlandGuest
# Profile used by wlan1. NOTE(review): both cipher lists are tkip only. Besides
# being the weaker cipher, 802.11n does not permit HT data rates with TKIP, so
# clients are presumably held to legacy rates (54 Mbit/s or less) - relevant
# if the throughput test was run over Wi-Fi.
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip mode=\
dynamic-keys name=Lummerland-WLAN supplicant-identity=MikroTik \
unicast-ciphers=tkip wpa-pre-shared-key=Password \
wpa2-pre-shared-key=Password
/interface wireless
# Main AP: ap-bridge on 2442 MHz with the tkip-only profile above; WPS is off.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=2442 mode=ap-bridge \
security-profile=Lummerland-WLAN ssid=Lummerland-Devon wireless-protocol=\
802.11 wmm-support=enabled wps-mode=disabled
# Virtual guest AP on wlan1. NOTE(review): nothing else in this export (IP
# address, DHCP server, bridge or firewall rule) references the
# Lummerland-Guest interface, so how guest clients are addressed and isolated
# from the LAN cannot be seen here - confirm.
add mac-address=E6:8D:8C:A1:C9:D9 master-interface=wlan1 name=\
Lummerland-Guest security-profile=Lummerland-Guest ssid=Lummerland-Guest \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# Custom DHCP options pointing clients at TFTP servers. The hex values are
# IPv4 addresses: 0xAC100132 = 172.16.1.50 and 0xAC10010A = 172.16.1.10.
# Neither option set is referenced by a DHCP network or lease in this export,
# so they appear to be unused.
/ip dhcp-server option
add code=66 name=TFTP value=0xAC100132
add code=150 name=Cisco-TFTP value=0xAC10010A
/ip dhcp-server option sets
add name=Cisco options=Cisco-TFTP
add name=TFTP options=TFTP
# Layer-7 payload patterns. In this export they are referenced only by filter
# rules that carry disabled=yes, so they currently match nothing.
# NOTE(review): the patterns are bare substrings (for example "web" or
# "crack") matched against connection payload, so if the rules are enabled
# they would also hit unrelated traffic containing those strings; layer-7
# matching is also CPU-intensive on this class of device.
/ip firewall layer7-protocol
add comment="Social Network Dropdown" name=SocialNetwork-Drop regexp=\
"^.+(facebook|twitter).*\$"
add comment="Mail-Server connect" name=Mail-Traffic regexp=\
"^.+(yahoo|web|gmail|icloud).*\$"
add comment="Buyers Network Dropdown" name=Ilegal-Site-Drop regexp=\
"^.+(ebay|shpock|crack).*\$"
# Address pools and the three DHCP servers that use them.
/ip pool
add name=dhcp ranges=172.16.1.10-172.16.1.62
add name=DHCP-Pool_Lummerland-WLAN ranges=172.16.1.66-172.16.1.95
# Pool of public addresses taken from the ISP /29 that is configured on the
# WAN port.
add name=DHCP-Pool_Lummerland-WAN ranges=92.50.73.115-92.50.73.118
/ip dhcp-server
# add-arp=yes makes the server add an ARP entry for each lease it hands out.
add add-arp=yes address-pool=dhcp disabled=no interface=ether7-local-Master \
lease-time=1d name=DHCP-Server_Lummerland-LAN
add add-arp=yes address-pool=DHCP-Pool_Lummerland-WLAN disabled=no interface=\
wlan1 lease-time=1d name=DHCP-Server_Lummerland-WLAN
# NOTE(review): this server listens on the ISP-facing port and hands out the
# public addresses above. It answers any DHCP request seen on that segment,
# including ether2-ether6 (slaves of the WAN port) and the provider side, and
# the same interface also runs a DHCP client in /ip dhcp-client. Confirm this
# is intended.
add address-pool=DHCP-Pool_Lummerland-WAN disabled=no interface=\
ether1WAN-Gateway name=DHCP-Server_Lummerland-WAN
# Log destinations. Items are addressed by index; the names behind 0, 1 and 3
# are not shown (presumably the built-in memory, disk and remote actions).
# Item 0 is retargeted to disk, and item 3 sends to 172.16.1.13.
# NOTE(review): no /system logging rules section appears in this export, and
# the only filter rules with log=yes are disabled, so these files presumably
# receive no firewall events at present.
/system logging action
set 0 disk-file-count=28 disk-file-name=disk1/Firewall_Log \
disk-lines-per-file=1024 target=disk
set 1 disk-file-count=28 disk-file-name=disk1/Firewall-log \
disk-lines-per-file=1024
set 3 remote=172.16.1.13
/interface bridge settings
# Sends bridged frames through the IP firewall. No /interface bridge is
# defined in this export, so there is presumably nothing for it to act on.
set use-ip-firewall=yes
/ip settings
# NOTE(review): fast path applies only to traffic that needs no connection
# tracking; all traffic leaving the WAN port is masqueraded, so routed
# LAN-to-WAN packets presumably go through the CPU regardless - confirm on the
# device.
set allow-fast-path=yes
# Per-client wireless entries for wlan1, keyed by MAC address.
# NOTE(review): wlan1 does not set default-authenticate=no in this export, so
# clients that are not listed are presumably still allowed to associate. A MAC
# address is visible on the air and can be copied, so this list identifies
# devices rather than authenticating them; the WPA2 key is the actual control.
/interface wireless access-list
add comment="Simona iMac WLAN" interface=wlan1 mac-address=04:54:53:0F:60:CF \
vlan-mode=no-tag
add comment="Simona iPhone" interface=wlan1 mac-address=E0:C9:7A:3B:47:AA \
vlan-mode=no-tag
add comment="Simona iPad" interface=wlan1 mac-address=2C:F0:EE:4A:DF:3E \
vlan-mode=no-tag
add comment="Wolfgang iMac WLAN" interface=wlan1 mac-address=\
E4:CE:8F:5B:9F:8B vlan-mode=no-tag
add comment="Wolfgang iPhone" interface=wlan1 mac-address=80:BE:05:86:71:C1 \
vlan-mode=no-tag
add comment="Wolfgang iPad" interface=wlan1 mac-address=34:A3:95:56:4E:D7 \
vlan-mode=no-tag
add comment="Daniel Smartphone" interface=wlan1 mac-address=D8:3C:69:A7:C5:22 \
vlan-mode=no-tag
add comment="Daniel Laptop" interface=wlan1 mac-address=88:9F:FA:1C:97:48 \
vlan-mode=no-tag
add comment="Sony Bravia TV" interface=wlan1 mac-address=2C:33:7A:32:C5:97 \
vlan-mode=no-tag
/interface wireless cap
# CAP interface selection only; no enabled=yes is shown, so CAP mode is
# presumably off.
set discovery-interfaces=wlan1 interfaces=wlan1
# NOTE(review): the connect list controls which remote access points this
# device connects to. wlan1 runs as ap-bridge, so these client entries likely
# have no effect - confirm.
/interface wireless connect-list
add comment="Wolfgang iPad" interface=wlan1 mac-address=34:A3:95:56:4E:D7 \
security-profile=Lummerland-WLAN
add comment="Daniel Smartphone" interface=wlan1 mac-address=D8:3C:69:A7:C5:22 \
security-profile=Lummerland-WLAN
add comment="Simona iPad" interface=wlan1 mac-address=2C:F0:EE:4A:DF:3E \
security-profile=Lummerland-WLAN
add comment="Daniel Laptop" interface=wlan1 mac-address=88:9F:FA:1C:97:48 \
security-profile=Lummerland-WLAN wireless-protocol=802.11
# This "Simona iPhone" entry carries the same MAC as "Wolfgang iPhone" below;
# the access list above records Simona's phone as E0:C9:7A:3B:47:AA.
add comment="Simona iPhone" interface=wlan1 mac-address=80:BE:05:86:71:C1 \
security-profile=Lummerland-WLAN
add comment="Sony Bravia TV" interface=wlan1 mac-address=2C:33:7A:32:C5:97 \
security-profile=Lummerland-WLAN
add comment="Wolfgang iPhone" interface=wlan1 mac-address=80:BE:05:86:71:C1 \
security-profile=Lummerland-WLAN ssid=Lummerland-Devon wireless-protocol=\
802.11
# Router addresses: 172.16.1.1/26 on the LAN master port, the static public
# address 92.50.73.114/29 on the WAN port, and 172.16.1.65/27 on wlan1.
/ip address
add address=172.16.1.1/26 comment="Lummerland Local Network" interface=\
ether7-local-Master network=172.16.1.0
add address=92.50.73.114/29 comment="Lummerland to Unitymedia" interface=\
ether1WAN-Gateway network=92.50.73.112
add address=172.16.1.65/27 comment="Lummerland WLAN" interface=wlan1 network=\
172.16.1.64
/ip dhcp-client
# NOTE(review): a DHCP client on the WAN port sits alongside the static WAN
# address above and the DHCP server bound to the same interface. With a static
# assignment the client is presumably a leftover from the default
# configuration (comment=defconf); confirm whether it should be removed.
add comment=defconf dhcp-options=hostname,clientid interface=\
ether1WAN-Gateway
# Static DHCP leases. Two kinds of entry appear: real devices bound to a
# server, and placeholder entries (block-access=yes, MAC 00:00:00:00:00:xx, no
# server=) that reserve addresses labelled "Network"/"Broadcast" for the
# author's Subnet A-E scheme.
/ip dhcp-server lease
add address=172.16.1.10 client-id=1:c8:2a:14:34:19:b2 mac-address=\
C8:2A:14:34:19:B2 server=DHCP-Server_Lummerland-LAN
add address=172.16.1.50 always-broadcast=yes client-id=1:0:1c:42:2e:4b:df \
mac-address=00:1C:42:2E:4B:DF server=DHCP-Server_Lummerland-LAN
# Placeholder reservations start here. NOTE(review): the address lists define
# Subnet A as 172.16.1.0/28 (network .0, broadcast .15), yet .9 is labelled
# "Network" for Subnet A and .8 "Broadcast"; the labels and the /28 boundaries
# do not line up for these two entries.
add address=172.16.1.15 block-access=yes client-id=Broadcast mac-address=\
00:00:00:00:00:15
add address=172.16.1.16 block-access=yes client-id=Network comment="Subnet B" \
mac-address=00:00:00:00:00:16
add address=172.16.1.8 block-access=yes client-id=Broadcast mac-address=\
00:00:00:00:00:08
add address=172.16.1.9 block-access=yes client-id=Network comment="Subnet A" \
mac-address=00:00:00:00:00:09
add address=172.16.1.64 block-access=yes client-id=Network comment="Subnet E" \
mac-address=00:00:00:00:00:64
add address=172.16.1.32 block-access=yes client-id=Network comment="Subnet C" \
mac-address=00:00:00:00:00:32
add address=172.16.1.47 block-access=yes client-id=Broadcast mac-address=\
00:00:00:00:00:47
add address=172.16.1.48 block-access=yes client-id=Network comment="Subnet D" \
mac-address=00:00:00:00:00:48
add address=172.16.1.63 block-access=yes client-id=Broadcast mac-address=\
00:00:00:00:00:63
add address=172.16.1.31 block-access=yes client-id=Broadcast mac-address=\
00:00:00:00:00:31
# The MAC suffix here is :79 while the address ends in .95; the other
# placeholders reuse the last octet of the address.
add address=172.16.1.95 block-access=yes client-id=Broadcast mac-address=\
00:00:00:00:00:79
# Device reservations.
add address=172.16.1.3 client-id=1:0:11:41:30:bd:d4 comment="Medion NAS" \
mac-address=00:11:41:30:BD:D4 server=DHCP-Server_Lummerland-LAN
add address=172.16.1.6 client-id=1:90:98:64:0:2a:cb comment=SAT-Receiver \
mac-address=90:98:64:00:2A:CB server=DHCP-Server_Lummerland-LAN
add address=172.16.1.5 client-id=1:00:14:38:89:ea:3e comment=\
"HP Laserjet 2430 DTN" mac-address=00:14:38:89:EA:3E server=\
DHCP-Server_Lummerland-LAN
# NOTE(review): this lease and the one for 172.16.1.14 below are bound to the
# WLAN server, but their addresses lie in the LAN range 172.16.1.0/26; the
# WLAN network is 172.16.1.64/27 with gateway 172.16.1.65. A wireless client
# given one of these addresses would be outside the subnet of wlan1 - confirm.
add address=172.16.1.11 client-id=1:e4:ce:8f:5b:9f:8b mac-address=\
E4:CE:8F:5B:9F:8B server=DHCP-Server_Lummerland-WLAN
add address=172.16.1.17 client-id=1:2c:33:7a:32:c5:97 mac-address=\
2C:33:7A:32:C5:97 server=DHCP-Server_Lummerland-LAN
add address=172.16.1.13 client-id=1:3c:7:54:60:5d:fb mac-address=\
3C:07:54:60:5D:FB server=DHCP-Server_Lummerland-LAN
add address=172.16.1.14 client-id=1:4:54:53:f:60:cf mac-address=\
04:54:53:0F:60:CF server=DHCP-Server_Lummerland-WLAN
# Server management controller (iLO) on the same flat /26 as the TVs, printers
# and desktops; nothing in this export separates it from them.
add address=172.16.1.49 client-id=1:18:a9:5:5d:8f:46 comment=\
"HP ProLiant iLO" mac-address=18:A9:05:5D:8F:46 server=\
DHCP-Server_Lummerland-LAN
add address=172.16.1.4 always-broadcast=yes client-id=1:74:46:a0:4b:ad:e5 \
comment="HP Laserjet 400 Color" mac-address=74:46:A0:4B:AD:E5 server=\
DHCP-Server_Lummerland-LAN
add address=172.16.1.12 client-id=1:b4:99:ba:57:1c:3f mac-address=\
B4:99:BA:57:1C:3F server=DHCP-Server_Lummerland-LAN
add address=172.16.1.51 client-id=1:18:a9:5:5d:83:d6 mac-address=\
18:A9:05:5D:83:D6 server=DHCP-Server_Lummerland-LAN
add address=172.16.1.18 client-id=1:0:1c:42:3b:94:48 mac-address=\
00:1C:42:3B:94:48 server=DHCP-Server_Lummerland-LAN
add address=172.16.1.19 client-id=1:1c:75:8:e4:5d:46 mac-address=\
1C:75:08:E4:5D:46 server=DHCP-Server_Lummerland-LAN
add address=172.16.1.7 always-broadcast=yes mac-address=00:90:33:1F:0A:EA \
server=DHCP-Server_Lummerland-LAN
add address=172.16.1.66 client-id=1:88:9f:fa:1c:97:48 mac-address=\
88:9F:FA:1C:97:48 server=DHCP-Server_Lummerland-WLAN
# Parameters handed to DHCP clients per subnet, followed by the router's own
# DNS settings.
/ip dhcp-server network
# Settings for the public /29 served on the WAN port; clients are pointed at
# the ISP gateway 92.50.73.113 and at this router (92.50.73.114) for NTP.
add address=92.50.73.112/29 comment="Lummerland WAN" dns-server=\
92.50.73.113,208.67.222.222 gateway=92.50.73.113 netmask=29 ntp-server=\
92.50.73.114
# LAN and WLAN clients are given external resolvers directly, not the router.
add address=172.16.1.0/26 comment="Lummerland Network" dns-server=\
92.50.73.113,80.69.100.109 gateway=172.16.1.1 netmask=26 ntp-server=\
172.16.1.1
add address=172.16.1.64/27 comment="Lummerland WLAN" dns-server=\
92.50.73.113,8.8.4.4 gateway=172.16.1.65 netmask=27 ntp-server=\
172.16.1.65
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# itself. No DHCP network above hands out the router as resolver, so the
# setting may be unnecessary; if it stays, reachability from the WAN side
# depends entirely on the final input drop rule in /ip firewall filter.
set allow-remote-requests=yes servers=80.69.100.204,80.69.100.109
/ip dns static
add address=172.16.1.65 name=router
# Named address lists for the author's subnet scheme: five /28 slices of
# 172.16.1.0 plus one 192.168.1.0/27 entry. In this export only the lists for
# Subnet A-D are referenced, and only by disabled forward rules; "Class B" and
# "Class B Subnet E" are not referenced at all.
# No list named 92.50.73.112/29 is defined here, although the last input rule
# in /ip firewall filter passes that string to src-address-list.
/ip firewall address-list
add address=192.168.1.0/27 comment="Class B Subnet /27" list="Class B"
add address=172.16.1.0/28 comment="Class B Subnet A" list="Class B Subnet A"
add address=172.16.1.16/28 comment="Class B Subnet B" list="Class B Subnet B"
add address=172.16.1.32/28 comment="Class B Subnet C" list="Class B Subnet C"
add address=172.16.1.48/28 comment="Class B Subnet D" list="Class B Subnet D"
add address=172.16.1.64/28 comment="Class B Subnet E" list="Class B Subnet E"
# Filter rules. Only three rules are enabled, all on chain=input: accept ICMP,
# accept connection-state=established, and the final drop for the WAN port.
# Every other rule carries disabled=yes. No forward rule is enabled, so
# forwarded traffic is accepted by default, and nothing drops
# connection-state=invalid or accepts related.
# Several rules set log-prefix without log=yes; a prefix alone does not turn
# logging on.
/ip firewall filter
# Disabled. No action is given, so it would accept TCP 2000 (bandwidth test)
# from any source.
add chain=input comment="BTest Server Connection" disabled=yes dst-port=2000 \
log=yes log-prefix="Btest-Server Connection" protocol=tcp
# Disabled blacklist-builder rules. NOTE(review) before enabling any of them:
# - the "SSH" rule matches dst-port=23, which is telnet; SSH listens on 22.
# - each rule lists the source on the first matching packet, with no
#   connection-state=new or staged lists, so one stray packet bans an address
#   for the whole timeout.
# - the rules that use src-port (80/443, 993/995, 500, 5900/6000) match the
#   port chosen by the remote end, i.e. mostly replies from servers the router
#   itself contacted, not connection attempts to a local service.
# - the IPSec rule matches protocol=tcp, while IKE on port 500 uses UDP.
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment="SSH Brute-Force" disabled=\
yes dst-port=23 protocol=tcp src-address=!172.16.1.0/24
add action=add-src-to-address-list address-list=http_blacklist \
address-list-timeout=1w3d chain=input comment="HTTP/HTTPS Brute-Force" \
disabled=yes dst-port=80,81,443,8080 protocol=tcp src-address=\
!172.16.1.0/24
add action=add-src-to-address-list address-list=http_blacklist \
address-list-timeout=1w3d chain=input disabled=yes protocol=tcp \
src-address=!172.16.1.0/24 src-port=80,81,443,8080
add action=add-src-to-address-list address-list=IMAPs-POP3s_blacklist \
address-list-timeout=1w3d chain=input comment="IMAP/POP3S Brute-Force" \
disabled=yes layer7-protocol=!Mail-Traffic protocol=tcp src-address=\
!172.16.1.0/24 src-port=993,995
add action=add-src-to-address-list address-list=IPSec_Connect \
address-list-timeout=1d chain=input comment=\
"Try to connect via IPSec Brute-Force" disabled=yes protocol=tcp \
src-address=!172.16.1.0/24 src-port=500
add action=add-src-to-address-list address-list=SQL_blacklist \
address-list-timeout=1w3d chain=input comment="MSSQL Brute-Force" \
disabled=yes dst-port=1433-1434 protocol=tcp src-address=!172.16.1.0/24
add action=add-src-to-address-list address-list=VNC/X11_blacklist \
address-list-timeout=1w3d chain=input comment="VNC/X11 Brute-Force" \
disabled=yes protocol=tcp src-address=!172.16.1.0/24 src-port=5900,6000
# Disabled drop rules consuming the lists built above.
add action=drop chain=input comment="drop SSH brute forcers" disabled=yes \
log-prefix="Drop SSH connect" src-address-list=ssh_blacklist
add action=drop chain=input comment="drop http brute forcers" disabled=yes \
log-prefix="Drop HTTP/HTTPS connect" src-address=!172.16.1.0/24 \
src-address-list=http_blacklist
add action=drop chain=input comment="drop IMAPS/POP3S brute forcers" \
disabled=yes log-prefix="Drop IMAP/POP3 connect" src-address-list=\
IMAPs-POP3s_blacklist
add action=drop chain=input comment="drop IPSec_Connection" disabled=yes \
log-prefix="Drop IPSec_Connection" src-address-list=IPSec_Connect
add action=drop chain=input comment="drop MS/MySQL brute forcers" disabled=\
yes log-prefix="Drop MSSQL connect" src-address-list=SQL_blacklist
add action=drop chain=input comment="drop VNC brute forcers" disabled=yes \
log-prefix="Drop VNC/X11 connect" src-address-list=VNC/X11_blacklist
# Enabled: accepts ICMP to the router from every interface, WAN included.
add chain=input comment="Allow ping ICMP from anywhere" log-prefix=\
"Allow ping ICMP from anywhere" protocol=icmp
# Enabled: accepts established connections on input. The comment says "from
# LAN", but the rule has no interface or address match, and related is not
# covered.
add chain=input comment="Allow connections that originated from LAN" \
connection-state=established log-prefix="Allow connection from LAN"
# Disabled layer-7 rules on the forward chain. The two "accept" rules have no
# action set, which means accept.
add chain=forward comment="Social Network accept from Subnet A" disabled=yes \
layer7-protocol=SocialNetwork-Drop src-address-list="Class B Subnet A"
add chain=forward comment="Social Network accept from Subnet B" disabled=yes \
layer7-protocol=SocialNetwork-Drop src-address-list="Class B Subnet B"
add action=drop chain=forward comment="Social Network drop from Subnet C" \
disabled=yes layer7-protocol=SocialNetwork-Drop log=yes log-prefix=\
"Drop Facebook drop from Subnet C" src-address-list="Class B Subnet C"
add action=drop chain=forward comment="Social Network drop from Subnet D" \
disabled=yes layer7-protocol=SocialNetwork-Drop log=yes log-prefix=\
"Drop Facebook drop from Subnet D" src-address-list="Class B Subnet D"
add action=drop chain=forward comment="Shopping-Network drop from Subnet C" \
disabled=yes layer7-protocol=Ilegal-Site-Drop log=yes log-prefix=\
"Drop Shoping-Site drop from Subnet C" src-address-list=\
"Class B Subnet C"
add action=drop chain=forward comment="Shopping-Network drop from Subnet D" \
disabled=yes layer7-protocol=Ilegal-Site-Drop log=yes log-prefix=\
"Drop Shoping-Site drop from Subnet D" src-address-list=\
"Class B Subnet D"
# Disabled. NOTE(review): both rules are on chain=input with a remote host as
# dst-address. Input only sees packets addressed to the router itself, so
# traffic from LAN devices to these hosts passes through forward and would not
# match even when enabled.
add action=drop chain=input comment="Drop Homecall-Software Barebones.com" \
disabled=yes dst-address=204.107.232.37 log=yes log-prefix=\
"Drop Homecall-Software" protocol=tcp
add action=drop chain=input comment=\
"Drop Homecall-Software - Snom DeutschlandLAN Priority-Server" disabled=\
yes dst-address=109.237.182.196 log=yes log-prefix=\
"Drop Homecall-Software" protocol=tcp
# Enabled: the only rule protecting the router from the WAN side.
# NOTE(review): src-address-list expects the name of an address list, but it
# is given a prefix, and no list with that name is defined in this export;
# src-address=!92.50.73.112/29 was presumably intended. Verify on the device
# what this rule actually matches. It is also limited to in-interface=
# ether1WAN-Gateway, so input from the LAN and WLAN is accepted by default and
# is restricted only by the /ip service address fields.
add action=drop chain=input comment=\
"Disallow anything from anywhere on any interface" in-interface=\
ether1WAN-Gateway log-prefix="Drop from anywhere" src-address-list=\
!92.50.73.112/29
# Source NAT: everything leaving through the WAN port is masqueraded behind the
# router's WAN address. There are no dst-nat rules in this export, so no ports
# are forwarded to internal hosts.
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquearde LAN to WAN" \
out-interface=ether1WAN-Gateway
# Hotspot trial user (default entry), the default route, and the management
# services with their allowed source ranges.
/ip hotspot user
add comment="counters and limits for trial users" name=default-trial
/ip route
# Default route via the ISP gateway.
add distance=1 gateway=92.50.73.113
/ip service
# NOTE(review): only telnet is disabled. ftp, www and api send credentials in
# clear text and have no disabled=yes here; if they are not needed, disabling
# them leaves ssh, www-ssl, api-ssl and winbox.
# 172.16.0.0/20 spans 172.16.0.0-172.16.15.255, which is wider than the two
# local subnets actually configured (172.16.1.0/26 and 172.16.1.64/27).
set telnet address=172.16.0.0/20 disabled=yes
set ftp address=172.16.0.0/20
set www address=172.16.0.0/20
set ssh address=172.16.0.0/20
set www-ssl address=172.16.0.0/20 disabled=no
set api address=172.16.0.0/20
# Winbox is additionally allowed from the public WAN /29, i.e. the ISP gateway
# and any host on the ISP-side segment; whether such connections get through
# depends on the final input drop rule in /ip firewall filter.
set winbox address=172.16.0.0/20,92.50.73.112/29
set api-ssl address=172.16.0.0/20
# Device housekeeping: LCD, clock, identity, NTP, update channel, boot
# protection, bandwidth test server, graphing and the MAC-layer management
# servers.
/lcd
set default-screen=informative-slideshow
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik_Lummerland
/system ntp client
set enabled=yes primary-ntp=192.53.103.108
/system ntp server
# The router serves NTP; the DHCP networks in this export advertise it to
# clients as their time source.
set enabled=yes manycast=no
/system package update
# NOTE(review): the internet-facing gateway follows the release-candidate
# channel, i.e. pre-release builds; a stable channel is the usual choice for a
# production router.
set channel=release-candidate
/system routerboard settings
set protected-routerboot=disabled
/tool bandwidth-server
# NOTE(review): authenticate=no lets any host that can reach the bandwidth
# test server start a test without credentials. The filter rule written for it
# is disabled, so reachability is governed by the default input policy on
# LAN/WLAN and by the final input drop rule on the WAN port.
set authenticate=no
/tool graphing interface
add
/tool mac-server
# MAC-Telnet server. The default entry is disabled and explicit entries are
# added instead. NOTE(review): ether2-local-slave is a slave of the WAN port,
# and the bare "add" has no interface, which presumably means all interfaces.
# MAC-layer access is not an IP service, so /ip firewall filter and the
# /ip service address fields do not restrict it - confirm which interfaces
# should really be listed.
set [ find default=yes ] disabled=yes
add interface=ether2-local-slave
add interface=wlan1
add
/tool mac-server mac-winbox
# MAC-Winbox server with the same three entries as MAC-Telnet above.
set [ find default=yes ] disabled=yes
add interface=ether2-local-slave
add interface=wlan1
add
I hope someone can help me…