Please check my configs - first time setting up Mikrotik network.

Hi, I am new to networking and have recently set up a new RB5009 in my home. Using tutorials and forums I have learnt a lot about networking and RouterOS. The network I set up has been working great so far and is by far the best setup I’ve tried. Previously I had a Netgear RX1000.

current setup:
BT Fiber 1000M Download / 100M Upload (ether1)> Mikrotik RB5009/switch > (ether2)Wifi AP Asus AC86U/NAS > (ether3)PS5

I would like to get a second opinion on my firewall, NAT and mangle rules, as well as my queue configuration. Let me know if there is anything unnecessary or if I’m missing anything important.

# 2023-08-15 10:56:15 by RouterOS 7.10.2
# software id = x x x x
#
# model = RB5009UPr+S+
# serial number = x x x x 
/interface bridge
# Single L2 domain for the LAN; ether2-ether5 are attached to it under
# /interface bridge port further down.  ether1 (the uplink) is kept out of it.
add name="LAN Bridge"
/interface ethernet
# Port comments only.  ether1 is the physical port that carries the PPPoE
# session; it is NOT itself a member of the WAN interface list (pppoe-out1 is),
# so firewall rules that match in-interface=ether1 do not see internet traffic.
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=PS5
set [ find default-name=ether4 ] comment=Config
set [ find default-name=ether5 ] comment=Other
/interface pppoe-client
# add-default-route=yes: the PPPoE session supplies the default route.
# use-peer-dns=yes: the ISP's resolvers are added dynamically on top of the
# static 8.8.8.8/1.1.1.1 configured under /ip dns below.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    service-name="BT Fibre PPPoe (1000M/100M)" use-peer-dns=yes user=\
  x x x x
/interface list
# Membership is assigned under /interface list member: pppoe-out1 -> WAN,
# "LAN Bridge" -> LAN.  Filter/NAT rules should match on these lists rather
# than on ether1 directly.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Stock default-profile line that appears in every export; the RB5009 has no
# radio, so it is inert here.
set [ find default=yes ] supplicant-identity=MikroTik
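/ip pool
# One pool, the one the "LAN dhcp" server below references.  The export had
# three pools ("dhcp", "dhcp_pool2", "dhcp_pool3") covering the identical
# 192.168.x.10-254 range; only dhcp_pool3 was bound to a server, so the other
# two are dropped.  The dynamic range now stops at .253 because .254 is handed
# out as a static lease under /ip dhcp-server lease - RouterOS reserves a
# statically leased address anyway, but keeping it outside the dynamic range
# avoids an accidental overlap if the lease is ever removed.
add name=dhcp_pool3 ranges=192.168.x.10-192.168.x.253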
/ip dhcp-server
# Serves the bridge from dhcp_pool3 (see /ip pool); 1-day leases.
add address-pool=dhcp_pool3 interface="LAN Bridge" lease-time=1d name=\
    "LAN dhcp"
/queue simple
# Disabled leftover: a plain simple queue for the PS5 host with no queue type
# set (the default type applies), superseded by "ps5 cake" in the second
# /queue simple section.  Same 50M upload / 200M download cap.
add disabled=yes max-limit=50M/200M name="PS5 Default" target=192.168.x.254/32 \
    time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/queue type
# Three fully parameterised cake types ("CakeConfig - ...") that no queue on
# this page references; only "Cake Upload", "Cake Download", "Cake Default"
# and "FQ Codel" are used by the simple queues and the queue tree below.
add cake-diffserv=besteffort cake-overhead-scheme=raw kind=cake name=\
    "CakeConfig - Defaults"
# Per-packet overhead settings (mpu/overhead/atm=ptm) for the upload side at a
# fixed 80M shaper rate; ack-filter thins upstream TCP ACKs.
# NOTE(review): whether ptm framing and overhead=40 describe a 1000M BT fibre
# line is worth confirming before these types are put into use.
add cake-ack-filter=filter cake-atm=ptm cake-bandwidth=80.0Mbps cake-diffserv=\
    besteffort cake-mpu=88 cake-nat=yes cake-overhead=40 kind=cake name=\
    "CakeConfig - Upload"
# cake-nat=yes lets cake consult conntrack so per-host fairness is applied to
# the real LAN hosts rather than the single masqueraded address; cake-wash
# clears DSCP on ingress.
add cake-atm=ptm cake-bandwidth=1000.0Mbps cake-diffserv=besteffort cake-mpu=88 \
    cake-nat=yes cake-overhead=40 cake-wash=yes kind=cake name=\
    "CakeConfig - Download"
add kind=fq-codel name="FQ Codel"
# The types actually in use.  They carry no cake-bandwidth, so the shaping
# rate comes from the max-limit of whichever queue they are attached to.
add cake-nat=yes cake-wash=yes kind=cake name="Cake Download"
add cake-nat=yes kind=cake name="Cake Upload"
add kind=cake name="Cake Default"
/queue simple
# The only enabled queue: caps the PS5 host (192.168.x.254) at 50M upload /
# 200M download using the cake types.  priority=1/1 only ranks a queue against
# siblings under a common parent; this queue has no parent, so the priority
# has nothing to rank against.
add max-limit=50M/200M name="ps5 cake" priority=1/1 queue=\
    "Cake Upload/Cake Download" target=192.168.x.254/32 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat total-queue="Cake Default"
# Disabled alternative: a whole-LAN parent (80M/1G) with the PS5 as a child.
# This is the parent/child shape the cake-for-bufferbloat guides describe; it
# would overlap "ps5 cake" above, so only one arrangement should be enabled.
add disabled=yes max-limit=80M/1G name="All Bandwidth" queue=\
    "Cake Upload/Cake Download" target=192.168.x.0/24 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat total-queue="Cake Default"
add disabled=yes max-limit=50M/200M name=PS5 parent="All Bandwidth" priority=\
    1/1 queue="Cake Upload/Cake Download" target=192.168.x.254/32 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat total-queue="Cake Default"
# Disabled fq_codel variant of the same PS5 cap; it duplicates "ps5 cake" with
# a different AQM and adds nothing while the cake queue is on.
add disabled=yes max-limit=50M/200M name="ps5 fq codel" priority=1/1 queue=\
    "FQ Codel/FQ Codel" target=192.168.x.254/32 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
/queue tree
# The entire tree is disabled.  It is driven by the packet marks set under
# /ip firewall mangle, which are disabled as well, so enabling the tree on its
# own would match nothing.  max-limit=1100M on the root also exceeds the
# 1000M line.
add disabled=yes max-limit=1100M name="All Bandwidth" parent=global priority=1 \
    queue="Cake Default"
# Download branch: client-dw-pk, then split into http vs. other.
add disabled=yes max-limit=1G name=Download packet-mark=client-dw-pk parent=\
    "All Bandwidth" priority=2 queue="Cake Download"
add disabled=yes max-limit=1G name="http download" packet-mark=http-dw-pk \
    parent=Download priority=1 queue="Cake Download"
add disabled=yes max-limit=500M name="other download" packet-mark=other-dw-pk \
    parent=Download priority=6 queue="Cake Download"
# Upload branch, same layout, capped at the 100M upstream.
add disabled=yes max-limit=100M name=Upload packet-mark=client-up-pk parent=\
    "All Bandwidth" queue="Cake Upload"
add disabled=yes max-limit=100M name="http upload" packet-mark=http-up-pk \
    parent=Upload priority=1 queue="Cake Upload"
add disabled=yes max-limit=50M name="other upload" packet-mark=other-up-pk \
    parent=Upload priority=6 queue="Cake Upload"
/interface bridge port
# All LAN-facing ports in one bridge; ether1 (uplink) is deliberately absent.
add bridge="LAN Bridge" interface=ether2
add bridge="LAN Bridge" interface=ether3
add bridge="LAN Bridge" interface=ether4
add bridge="LAN Bridge" interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery runs on every interface not in the "dynamic" list, which
# here includes ether1.  The stock value is the LAN list; restricting it to
# LAN keeps the router from announcing itself toward the uplink.
set discover-interface-list=!dynamic
/ipv6 settings
# IPv6 switched off entirely.  There are no /ipv6 firewall rules on this page,
# so if this is ever re-enabled an IPv6 filter set must be added at the same
# time.
set disable-ipv6=yes
/interface list member
# pppoe-out1, not ether1, is the WAN member.  Rules elsewhere that match
# in-interface=ether1 / out-interface=ether1 therefore do not see internet
# traffic.
add interface=pppoe-out1 list=WAN
add interface="LAN Bridge" list=LAN
/ip address
# The router's own LAN address; also the gateway handed out by DHCP below.
add address=192.168.x.1/24 interface="LAN Bridge" network=192.168.x.0
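/ip dhcp-client
# Disabled: the router is itself the DHCP server on "LAN Bridge" and already
# holds the static 192.168.x.1/24 there.  An active client on the interface it
# serves would take a lease from any other DHCP server that shows up on the
# LAN (a consumer AP with its own server left on, for instance) and, with the
# client's default settings (add-default-route and use-peer-dns both on),
# would install that server's gateway as a default route and use its DNS.
# Delete the entry once nothing depends on it.
add disabled=yes interface="LAN Bridge"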
/ip dhcp-server lease
# Static lease pinning the PS5 to 192.168.x.254 - the host every queue and
# every (disabled) dst-nat rule on this page targets.
add address=192.168.x.254 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
    Xx:xx:xx:xx:xx:xx server="LAN dhcp"
/ip dhcp-server network
# Clients are pointed straight at public resolvers, not at the router.
add address=192.168.x.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.x.1 \
    netmask=24
/ip dns
# Resolvers for the router's own lookups.  allow-remote-requests is not set,
# so the router does not forward DNS for the LAN and nothing in the input chain
# needs to expose port 53.  pppoe-out1 (use-peer-dns=yes) adds the ISP's
# resolvers to this list dynamically.
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
# "Bogons" is consumed by exactly one rule: the forward-chain "Drop to bogon
# list" (dst-address-list=Bogons).  It is a destination filter, so the entries
# here stop LAN hosts reaching these ranges through the router.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
# 10/8 and 172.16/12 are RFC 1918 space; 192.168.0.0/16 is intentionally NOT
# listed because the LAN lives in it.  172.16/12 may contain the "MGMT Ranges"
# /24 below - the masking makes that impossible to confirm, so check before
# relying on either list.
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need \
    this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you ne\
    ed this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" list=\
    Bogons
# Management sources referenced by the "TKJS" input reject rule in the filter
# section (which is itself unreachable).  No interface on this router has an
# address in 172.xx.xx.0/24 - the only /ip address entry is 192.168.x.1/24.
add address=172.xx.xx.0/24 list="MGMT Ranges"
add address=192.168.x.0/24 list="MGMT Ranges"
# A single 172.x host.  The LAN is 192.168.x.0/24, so the three forward-chain
# accept rules keyed on src-address-list="LAN Range" never match a LAN client.
add address=172.xx.xx.xx list="LAN Range"
/ip firewall filter
# Rules are evaluated top to bottom within each chain; the first match wins
# and each built-in chain ends in an implicit accept.  The notes below follow
# that order.
#
# ---- input (traffic addressed to the router itself) ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Terminal rule for input: anything not arriving on a LAN-list interface is
# dropped here, so every input rule further down can only ever see LAN
# traffic.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# ---- forward (traffic passing through the router) ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
# Unreachable: the "drop all not coming from LAN" rule above has already
# consumed every non-LAN input packet.  It also matches in-interface=ether1
# (the raw port), whereas internet traffic arrives on pppoe-out1.
add action=reject chain=input comment="start of TKJS basic rules" in-interface=\
    ether1 reject-with=icmp-network-unreachable src-address-list="!MGMT Ranges"
# These three never match: "LAN Range" holds one 172.x host while LAN clients
# are in 192.168.x.0/24, and outbound traffic leaves via pppoe-out1, not
# ether1.  Note that port= matches source OR destination port.
add action=accept chain=forward out-interface=ether1 port=80,443,8080,53 \
    protocol=tcp src-address-list="LAN Range"
add action=accept chain=forward out-interface=ether1 port=53 protocol=udp \
    src-address-list="LAN Range"
add action=accept chain=forward out-interface=ether1 protocol=icmp \
    src-address-list="LAN Range"
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# UDP 69 (TFTP) with no direction, interface or address.  The input rule can
# only see LAN traffic (see above) and no TFTP server is configured on this
# page; the forward rule accepts new TFTP flows in either direction ahead of
# the WAN drop below, and port= also matches the source port.  Nothing on the
# page explains these two.
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
# Meant to be the defconf WAN guard, but written with in-interface=ether1.
# Internet traffic enters on pppoe-out1 (the WAN list member), so this rule
# does not fire and the forward chain has no effective "drop new from WAN"
# rule - unmatched traffic falls through to the implicit accept.  The stock
# rule uses in-interface-list=WAN.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# Destination-based: stops LAN hosts from reaching the Bogons ranges
# (including 10/8 and 172.16/12) through the router.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    Bogons
# ---- everything below is disabled (tutorial leftovers) ----
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="start of network berg rules" disabled=\
    yes protocol=icmp
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
# The PS5 allow rules carry no dst-address, so if enabled they would admit
# these ports toward every LAN host, not just the console.
add action=accept chain=forward comment="PS5 Ghosts" disabled=yes dst-port=\
    3074,3478-3479,49152-65535 protocol=udp
add action=accept chain=forward disabled=yes dst-port=0,443,1935,3478-3480 \
    protocol=tcp
/ip firewall mangle
# Every mangle rule is disabled, so no packet or connection marks exist and
# the queue tree that consumes them is idle.
# "Gaming" is set but no queue references it; the dst-port list contains 0,
# which is not a usable TCP port.
add action=mark-packet chain=prerouting disabled=yes dst-port=\
    80,0,443,8080,53,1935,3478-3480 new-packet-mark=Gaming passthrough=yes \
    protocol=tcp
# Download side: connection mark on traffic entering via ether1, then a packet
# mark derived from it.  "cliient" is misspelled but used consistently in both
# rules, so it would still resolve.  As in the filter section,
# in-interface=ether1 does not see PPPoE traffic; in-interface-list=WAN is
# what the uplink actually matches.
add action=mark-connection chain=forward comment=cliient-dw-con disabled=yes \
    in-interface=ether1 new-connection-mark=cliient-dw-con passthrough=yes
add action=mark-packet chain=forward comment=client-dw-pk connection-mark=\
    cliient-dw-con disabled=yes new-packet-mark=client-dw-pk passthrough=yes
# Upload side, marked in prerouting on the bridge.
add action=mark-connection chain=prerouting comment=client-up-con disabled=yes \
    in-interface="LAN Bridge" new-connection-mark=client-up-con passthrough=yes
add action=mark-packet chain=prerouting comment=client-up-pk connection-mark=\
    client-up-con disabled=yes new-packet-mark=client-up-pk passthrough=yes
# Sub-classes: HTTP(S) vs. everything else, each re-marking from the parent
# packet mark.  passthrough=no stops evaluation, so the "other" rules only see
# what the http rules left behind.
add action=mark-packet chain=forward comment=http-dw-pk disabled=yes \
    new-packet-mark=http-dw-pk packet-mark=client-dw-pk passthrough=no port=\
    80,443 protocol=tcp
add action=mark-packet chain=forward comment=http-up-pk disabled=yes \
    new-packet-mark=http-up-pk packet-mark=client-up-pk passthrough=no port=\
    80,443 protocol=tcp
add action=mark-packet chain=forward comment=other-dw-pk disabled=yes \
    new-packet-mark=other-dw-pk packet-mark=client-dw-pk passthrough=no
add action=mark-packet chain=forward comment=other-up-pk disabled=yes \
    new-packet-mark=other-up-pk packet-mark=client-up-pk passthrough=no
/ip firewall nat
# Masquerades every outgoing packet on every interface (the stock rule limits
# this to out-interface-list=WAN).  Because it has no conditions at all, the
# second masquerade rule below is never reached - and that one names ether1,
# which PPPoE traffic does not leave through anyway.
add action=masquerade chain=srcnat
# Redirects ALL ICMP entering the router - from the LAN as well as the WAN,
# since no in-interface is given - to the router's own LAN address.  A ping
# from a LAN host to an internet address is likely answered by the router
# itself.  No purpose for this is visible on the page.
add action=dst-nat chain=dstnat protocol=icmp to-addresses=192.168.x.1
add action=masquerade chain=srcnat out-interface=ether1
# PS5 port-forward attempts, all disabled.  Every rule sets to-ports=0, which
# rewrites the destination port to 0 rather than preserving it - leave
# to-ports unset (or equal to dst-port) for a straight forward.  One rule
# forwards dst-port 0 itself, and the last one hands the entire 49152-65535
# UDP range to the console.
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=465 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=993 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3478 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3479 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3480 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=5223 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=8080 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=1935 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=0 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3074 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3478 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3479 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=49152-65535 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.x.254 to-ports=0
/ip service
# Only services that differ from their defaults are exported.  winbox and
# www-ssl are absent, so they are presumably still at their defaults (winbox
# on, www-ssl off) - confirm with /ip service print.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# SSH limited to two source ranges and moved off port 22.  The address filter
# is the part that matters; the non-default port only reduces log noise.
# 172.xx.x.x matches no local interface, so a session from there would have to
# come in via the WAN, and the input chain drops everything not from the LAN
# list before the service is reached.
set ssh address=172.xx.x.x,192.168.x.x/24 port=x
set api disabled=yes
set api-ssl disabled=yes
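/ip upnp
# Disabled: with UPnP on, any device on "LAN Bridge" can have the router create
# inbound dst-nat mappings on pppoe-out1 with no administrator involved, which
# sidesteps the "drop all from WAN not DSTNATed" intent of the forward chain.
# Ports the PS5 needs should be opened with explicit /ip firewall nat rules.
# The interface roles are kept so re-enabling is a one-line change.
set enabled=no
/ip upnp interfaces
add interface=pppoe-out1 type=external
add interface="LAN Bridge" type=internal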
/system clock
set time-zone-name=Europe/London
/system identity
set name=xxxx
/system note
set show-at-login=no
/system ntp client
# Plain (unauthenticated) NTP against the public pool; the usual choice for a
# home router.
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
# asia.pool.ntp.org is a distant region for a London router; it adds latency,
# not accuracy.  The global pool entry above already suffices.
add address=asia.pool.ntp.org
/system routerboard settings
# Upgrades the RouterBOOT firmware automatically after a RouterOS upgrade
# (applied on the following reboot).  Harmless by itself, but it couples a
# RouterOS update to a firmware update; set to no to stage those separately.
set auto-upgrade=yes
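/system scheduler
# "system reboot" needs only the reboot policy.  The exported list appears to
# be the scheduler default and grants far more (password, sensitive, write,
# policy, ...) than a reboot script uses, so it is trimmed to least privilege.
# A scheduled daily reboot is not something RouterOS needs; keep the entry
# only if there is an observed reason for it.
add interval=1d name="Daily Reboot" on-event="system reboot" policy=reboot \
    start-date=2023-08-13 start-time=06:00:00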

Thank you for reading this far, and apologies for not knowing the commands for getting this information, which is why I’m uploading pictures. If there is any additional info I can provide, let me know, and also if there is a command to get said info.

My goal is to get this network set up for competitive FPS gaming and for it to be as secure as it can be.
Later I will learn how to set up a WireGuard VPN and how to port forward properly for an open NAT, but I’ll leave that for another post.

Thank you,
Elias.

It’s extremely simple, and the results are far more useful than screenshots. Click “New Terminal” in WinBox, then type “/export” and copy-paste the result into a “code” block here. Edit out any sensitive info like serial numbers, software license keys, etc.

Yes it was much simpler than editing those pics haha thanks :smiley:


# 2023-08-15 10:56:15 by RouterOS 7.10.2
# software id = x x x x
#
# model = RB5009UPr+S+
# serial number = x x x x 
/interface bridge
# Single L2 domain for the LAN; ether2-ether5 are attached to it under
# /interface bridge port further down.  ether1 (the uplink) is kept out of it.
add name="LAN Bridge"
/interface ethernet
# Port comments only.  ether1 is the physical port that carries the PPPoE
# session; it is NOT itself a member of the WAN interface list (pppoe-out1 is),
# so firewall rules that match in-interface=ether1 do not see internet traffic.
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=PS5
set [ find default-name=ether4 ] comment=Config
set [ find default-name=ether5 ] comment=Other
/interface pppoe-client
# add-default-route=yes: the PPPoE session supplies the default route.
# use-peer-dns=yes: the ISP's resolvers are added dynamically on top of the
# static 8.8.8.8/1.1.1.1 configured under /ip dns below.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    service-name="BT Fibre PPPoe (1000M/100M)" use-peer-dns=yes user=\
  x x x x
/interface list
# Membership is assigned under /interface list member: pppoe-out1 -> WAN,
# "LAN Bridge" -> LAN.  Filter/NAT rules should match on these lists rather
# than on ether1 directly.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Stock default-profile line that appears in every export; the RB5009 has no
# radio, so it is inert here.
set [ find default=yes ] supplicant-identity=MikroTik
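/ip pool
# One pool, the one the "LAN dhcp" server below references.  The export had
# three pools ("dhcp", "dhcp_pool2", "dhcp_pool3") covering the identical
# 192.168.x.10-254 range; only dhcp_pool3 was bound to a server, so the other
# two are dropped.  The dynamic range now stops at .253 because .254 is handed
# out as a static lease under /ip dhcp-server lease - RouterOS reserves a
# statically leased address anyway, but keeping it outside the dynamic range
# avoids an accidental overlap if the lease is ever removed.
add name=dhcp_pool3 ranges=192.168.x.10-192.168.x.253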
/ip dhcp-server
# Serves the bridge from dhcp_pool3 (see /ip pool); 1-day leases.
add address-pool=dhcp_pool3 interface="LAN Bridge" lease-time=1d name=\
    "LAN dhcp"
/queue simple
# Disabled leftover: a plain simple queue for the PS5 host with no queue type
# set (the default type applies), superseded by "ps5 cake" in the second
# /queue simple section.  Same 50M upload / 200M download cap.
add disabled=yes max-limit=50M/200M name="PS5 Default" target=192.168.x.254/32 \
    time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/queue type
# Three fully parameterised cake types ("CakeConfig - ...") that no queue on
# this page references; only "Cake Upload", "Cake Download", "Cake Default"
# and "FQ Codel" are used by the simple queues and the queue tree below.
add cake-diffserv=besteffort cake-overhead-scheme=raw kind=cake name=\
    "CakeConfig - Defaults"
# Per-packet overhead settings (mpu/overhead/atm=ptm) for the upload side at a
# fixed 80M shaper rate; ack-filter thins upstream TCP ACKs.
# NOTE(review): whether ptm framing and overhead=40 describe a 1000M BT fibre
# line is worth confirming before these types are put into use.
add cake-ack-filter=filter cake-atm=ptm cake-bandwidth=80.0Mbps cake-diffserv=\
    besteffort cake-mpu=88 cake-nat=yes cake-overhead=40 kind=cake name=\
    "CakeConfig - Upload"
# cake-nat=yes lets cake consult conntrack so per-host fairness is applied to
# the real LAN hosts rather than the single masqueraded address; cake-wash
# clears DSCP on ingress.
add cake-atm=ptm cake-bandwidth=1000.0Mbps cake-diffserv=besteffort cake-mpu=88 \
    cake-nat=yes cake-overhead=40 cake-wash=yes kind=cake name=\
    "CakeConfig - Download"
add kind=fq-codel name="FQ Codel"
# The types actually in use.  They carry no cake-bandwidth, so the shaping
# rate comes from the max-limit of whichever queue they are attached to.
add cake-nat=yes cake-wash=yes kind=cake name="Cake Download"
add cake-nat=yes kind=cake name="Cake Upload"
add kind=cake name="Cake Default"
/queue simple
# The only enabled queue: caps the PS5 host (192.168.x.254) at 50M upload /
# 200M download using the cake types.  priority=1/1 only ranks a queue against
# siblings under a common parent; this queue has no parent, so the priority
# has nothing to rank against.
add max-limit=50M/200M name="ps5 cake" priority=1/1 queue=\
    "Cake Upload/Cake Download" target=192.168.x.254/32 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat total-queue="Cake Default"
# Disabled alternative: a whole-LAN parent (80M/1G) with the PS5 as a child.
# This is the parent/child shape the cake-for-bufferbloat guides describe; it
# would overlap "ps5 cake" above, so only one arrangement should be enabled.
add disabled=yes max-limit=80M/1G name="All Bandwidth" queue=\
    "Cake Upload/Cake Download" target=192.168.x.0/24 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat total-queue="Cake Default"
add disabled=yes max-limit=50M/200M name=PS5 parent="All Bandwidth" priority=\
    1/1 queue="Cake Upload/Cake Download" target=192.168.x.254/32 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat total-queue="Cake Default"
# Disabled fq_codel variant of the same PS5 cap; it duplicates "ps5 cake" with
# a different AQM and adds nothing while the cake queue is on.
add disabled=yes max-limit=50M/200M name="ps5 fq codel" priority=1/1 queue=\
    "FQ Codel/FQ Codel" target=192.168.x.254/32 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
/queue tree
# The entire tree is disabled.  It is driven by the packet marks set under
# /ip firewall mangle, which are disabled as well, so enabling the tree on its
# own would match nothing.  max-limit=1100M on the root also exceeds the
# 1000M line.
add disabled=yes max-limit=1100M name="All Bandwidth" parent=global priority=1 \
    queue="Cake Default"
# Download branch: client-dw-pk, then split into http vs. other.
add disabled=yes max-limit=1G name=Download packet-mark=client-dw-pk parent=\
    "All Bandwidth" priority=2 queue="Cake Download"
add disabled=yes max-limit=1G name="http download" packet-mark=http-dw-pk \
    parent=Download priority=1 queue="Cake Download"
add disabled=yes max-limit=500M name="other download" packet-mark=other-dw-pk \
    parent=Download priority=6 queue="Cake Download"
# Upload branch, same layout, capped at the 100M upstream.
add disabled=yes max-limit=100M name=Upload packet-mark=client-up-pk parent=\
    "All Bandwidth" queue="Cake Upload"
add disabled=yes max-limit=100M name="http upload" packet-mark=http-up-pk \
    parent=Upload priority=1 queue="Cake Upload"
add disabled=yes max-limit=50M name="other upload" packet-mark=other-up-pk \
    parent=Upload priority=6 queue="Cake Upload"
/interface bridge port
# All LAN-facing ports in one bridge; ether1 (uplink) is deliberately absent.
add bridge="LAN Bridge" interface=ether2
add bridge="LAN Bridge" interface=ether3
add bridge="LAN Bridge" interface=ether4
add bridge="LAN Bridge" interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery runs on every interface not in the "dynamic" list, which
# here includes ether1.  The stock value is the LAN list; restricting it to
# LAN keeps the router from announcing itself toward the uplink.
set discover-interface-list=!dynamic
/ipv6 settings
# IPv6 switched off entirely.  There are no /ipv6 firewall rules on this page,
# so if this is ever re-enabled an IPv6 filter set must be added at the same
# time.
set disable-ipv6=yes
/interface list member
# pppoe-out1, not ether1, is the WAN member.  Rules elsewhere that match
# in-interface=ether1 / out-interface=ether1 therefore do not see internet
# traffic.
add interface=pppoe-out1 list=WAN
add interface="LAN Bridge" list=LAN
/ip address
# The router's own LAN address; also the gateway handed out by DHCP below.
add address=192.168.x.1/24 interface="LAN Bridge" network=192.168.x.0
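/ip dhcp-client
# Disabled: the router is itself the DHCP server on "LAN Bridge" and already
# holds the static 192.168.x.1/24 there.  An active client on the interface it
# serves would take a lease from any other DHCP server that shows up on the
# LAN (a consumer AP with its own server left on, for instance) and, with the
# client's default settings (add-default-route and use-peer-dns both on),
# would install that server's gateway as a default route and use its DNS.
# Delete the entry once nothing depends on it.
add disabled=yes interface="LAN Bridge"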
/ip dhcp-server lease
# Static lease pinning the PS5 to 192.168.x.254 - the host every queue and
# every (disabled) dst-nat rule on this page targets.
add address=192.168.x.254 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
    Xx:xx:xx:xx:xx:xx server="LAN dhcp"
/ip dhcp-server network
# Clients are pointed straight at public resolvers, not at the router.
add address=192.168.x.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.x.1 \
    netmask=24
/ip dns
# Resolvers for the router's own lookups.  allow-remote-requests is not set,
# so the router does not forward DNS for the LAN and nothing in the input chain
# needs to expose port 53.  pppoe-out1 (use-peer-dns=yes) adds the ISP's
# resolvers to this list dynamically.
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
# "Bogons" is consumed by exactly one rule: the forward-chain "Drop to bogon
# list" (dst-address-list=Bogons).  It is a destination filter, so the entries
# here stop LAN hosts reaching these ranges through the router.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
# 10/8 and 172.16/12 are RFC 1918 space; 192.168.0.0/16 is intentionally NOT
# listed because the LAN lives in it.  172.16/12 may contain the "MGMT Ranges"
# /24 below - the masking makes that impossible to confirm, so check before
# relying on either list.
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need \
    this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you ne\
    ed this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" list=\
    Bogons
# Management sources referenced by the "TKJS" input reject rule in the filter
# section (which is itself unreachable).  No interface on this router has an
# address in 172.xx.xx.0/24 - the only /ip address entry is 192.168.x.1/24.
add address=172.xx.xx.0/24 list="MGMT Ranges"
add address=192.168.x.0/24 list="MGMT Ranges"
# A single 172.x host.  The LAN is 192.168.x.0/24, so the three forward-chain
# accept rules keyed on src-address-list="LAN Range" never match a LAN client.
add address=172.xx.xx.xx list="LAN Range"
/ip firewall filter
# Rules are evaluated top to bottom within each chain; the first match wins
# and each built-in chain ends in an implicit accept.  The notes below follow
# that order.
#
# ---- input (traffic addressed to the router itself) ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Terminal rule for input: anything not arriving on a LAN-list interface is
# dropped here, so every input rule further down can only ever see LAN
# traffic.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# ---- forward (traffic passing through the router) ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
# Unreachable: the "drop all not coming from LAN" rule above has already
# consumed every non-LAN input packet.  It also matches in-interface=ether1
# (the raw port), whereas internet traffic arrives on pppoe-out1.
add action=reject chain=input comment="start of TKJS basic rules" in-interface=\
    ether1 reject-with=icmp-network-unreachable src-address-list="!MGMT Ranges"
# These three never match: "LAN Range" holds one 172.x host while LAN clients
# are in 192.168.x.0/24, and outbound traffic leaves via pppoe-out1, not
# ether1.  Note that port= matches source OR destination port.
add action=accept chain=forward out-interface=ether1 port=80,443,8080,53 \
    protocol=tcp src-address-list="LAN Range"
add action=accept chain=forward out-interface=ether1 port=53 protocol=udp \
    src-address-list="LAN Range"
add action=accept chain=forward out-interface=ether1 protocol=icmp \
    src-address-list="LAN Range"
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# UDP 69 (TFTP) with no direction, interface or address.  The input rule can
# only see LAN traffic (see above) and no TFTP server is configured on this
# page; the forward rule accepts new TFTP flows in either direction ahead of
# the WAN drop below, and port= also matches the source port.  Nothing on the
# page explains these two.
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
# Meant to be the defconf WAN guard, but written with in-interface=ether1.
# Internet traffic enters on pppoe-out1 (the WAN list member), so this rule
# does not fire and the forward chain has no effective "drop new from WAN"
# rule - unmatched traffic falls through to the implicit accept.  The stock
# rule uses in-interface-list=WAN.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# Destination-based: stops LAN hosts from reaching the Bogons ranges
# (including 10/8 and 172.16/12) through the router.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    Bogons
# ---- everything below is disabled (tutorial leftovers) ----
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="start of network berg rules" disabled=\
    yes protocol=icmp
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
# The PS5 allow rules carry no dst-address, so if enabled they would admit
# these ports toward every LAN host, not just the console.
add action=accept chain=forward comment="PS5 Ghosts" disabled=yes dst-port=\
    3074,3478-3479,49152-65535 protocol=udp
add action=accept chain=forward disabled=yes dst-port=0,443,1935,3478-3480 \
    protocol=tcp
/ip firewall mangle
# Every mangle rule is disabled, so no packet or connection marks exist and
# the queue tree that consumes them is idle.
# "Gaming" is set but no queue references it; the dst-port list contains 0,
# which is not a usable TCP port.
add action=mark-packet chain=prerouting disabled=yes dst-port=\
    80,0,443,8080,53,1935,3478-3480 new-packet-mark=Gaming passthrough=yes \
    protocol=tcp
# Download side: connection mark on traffic entering via ether1, then a packet
# mark derived from it.  "cliient" is misspelled but used consistently in both
# rules, so it would still resolve.  As in the filter section,
# in-interface=ether1 does not see PPPoE traffic; in-interface-list=WAN is
# what the uplink actually matches.
add action=mark-connection chain=forward comment=cliient-dw-con disabled=yes \
    in-interface=ether1 new-connection-mark=cliient-dw-con passthrough=yes
add action=mark-packet chain=forward comment=client-dw-pk connection-mark=\
    cliient-dw-con disabled=yes new-packet-mark=client-dw-pk passthrough=yes
# Upload side, marked in prerouting on the bridge.
add action=mark-connection chain=prerouting comment=client-up-con disabled=yes \
    in-interface="LAN Bridge" new-connection-mark=client-up-con passthrough=yes
add action=mark-packet chain=prerouting comment=client-up-pk connection-mark=\
    client-up-con disabled=yes new-packet-mark=client-up-pk passthrough=yes
# Sub-classes: HTTP(S) vs. everything else, each re-marking from the parent
# packet mark.  passthrough=no stops evaluation, so the "other" rules only see
# what the http rules left behind.
add action=mark-packet chain=forward comment=http-dw-pk disabled=yes \
    new-packet-mark=http-dw-pk packet-mark=client-dw-pk passthrough=no port=\
    80,443 protocol=tcp
add action=mark-packet chain=forward comment=http-up-pk disabled=yes \
    new-packet-mark=http-up-pk packet-mark=client-up-pk passthrough=no port=\
    80,443 protocol=tcp
add action=mark-packet chain=forward comment=other-dw-pk disabled=yes \
    new-packet-mark=other-dw-pk packet-mark=client-dw-pk passthrough=no
add action=mark-packet chain=forward comment=other-up-pk disabled=yes \
    new-packet-mark=other-up-pk packet-mark=client-up-pk passthrough=no
/ip firewall nat
# Masquerades every outgoing packet on every interface (the stock rule limits
# this to out-interface-list=WAN).  Because it has no conditions at all, the
# second masquerade rule below is never reached - and that one names ether1,
# which PPPoE traffic does not leave through anyway.
add action=masquerade chain=srcnat
# Redirects ALL ICMP entering the router - from the LAN as well as the WAN,
# since no in-interface is given - to the router's own LAN address.  A ping
# from a LAN host to an internet address is likely answered by the router
# itself.  No purpose for this is visible on the page.
add action=dst-nat chain=dstnat protocol=icmp to-addresses=192.168.x.1
add action=masquerade chain=srcnat out-interface=ether1
# PS5 port-forward attempts, all disabled.  Every rule sets to-ports=0, which
# rewrites the destination port to 0 rather than preserving it - leave
# to-ports unset (or equal to dst-port) for a straight forward.  One rule
# forwards dst-port 0 itself, and the last one hands the entire 49152-65535
# UDP range to the console.
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=465 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=993 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3478 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3479 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3480 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=5223 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=8080 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=1935 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=0 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3074 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3478 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=3479 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.x.254 to-ports=0
add action=dst-nat chain=dstnat comment=ps5 disabled=yes dst-port=49152-65535 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.x.254 to-ports=0
/ip service
# Only services that differ from their defaults are exported.  winbox and
# www-ssl are absent, so they are presumably still at their defaults (winbox
# on, www-ssl off) - confirm with /ip service print.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# SSH limited to two source ranges and moved off port 22.  The address filter
# is the part that matters; the non-default port only reduces log noise.
# 172.xx.x.x matches no local interface, so a session from there would have to
# come in via the WAN, and the input chain drops everything not from the LAN
# list before the service is reached.
set ssh address=172.xx.x.x,192.168.x.x/24 port=x
set api disabled=yes
set api-ssl disabled=yes
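/ip upnp
# Disabled: with UPnP on, any device on "LAN Bridge" can have the router create
# inbound dst-nat mappings on pppoe-out1 with no administrator involved, which
# sidesteps the "drop all from WAN not DSTNATed" intent of the forward chain.
# Ports the PS5 needs should be opened with explicit /ip firewall nat rules.
# The interface roles are kept so re-enabling is a one-line change.
set enabled=no
/ip upnp interfaces
add interface=pppoe-out1 type=external
add interface="LAN Bridge" type=internal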
/system clock
set time-zone-name=Europe/London
/system identity
set name=xxxx
/system note
set show-at-login=no
/system ntp client
# Plain (unauthenticated) NTP against the public pool; the usual choice for a
# home router.
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
# asia.pool.ntp.org is a distant region for a London router; it adds latency,
# not accuracy.  The global pool entry above already suffices.
add address=asia.pool.ntp.org
/system routerboard settings
# Upgrades the RouterBOOT firmware automatically after a RouterOS upgrade
# (applied on the following reboot).  Harmless by itself, but it couples a
# RouterOS update to a firmware update; set to no to stage those separately.
set auto-upgrade=yes
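/system scheduler
# "system reboot" needs only the reboot policy.  The exported list appears to
# be the scheduler default and grants far more (password, sensitive, write,
# policy, ...) than a reboot script uses, so it is trimmed to least privilege.
# A scheduled daily reboot is not something RouterOS needs; keep the entry
# only if there is an observed reason for it.
add interval=1d name="Daily Reboot" on-event="system reboot" policy=reboot \
    start-date=2023-08-13 start-time=06:00:00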

is there anyone here from mikrotik that can help me out ?

Perhaps start with the default configuration and learn how it works. First you should remember that all rules are evaluated in sequence, in the order they are listed. As a short example, here the second rule will never match, because the previous rule already blocks all packets from ether1.

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=reject chain=input comment="start of TKJS basic rules" in-interface=\
    ether1 reject-with=icmp-network-unreachable src-address-list="!MGMT Ranges"

Also second src-nat rule won’t work, because you already have src-nat rule at the beginning of the table. And so on.

add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=ether1

This is a user-to-user forum, not a source of free configuration consultation from MikroTik Inc.

In order to attract another user’s interest in helping you, simply blasting your configuration out and asking for open-ended help is not a strategy likely to show high success rates. It would be better to show that you’ve tried something specific, failed in some manner, and have described the failure with test results, expected behaviors, and so forth.

But what the heck, I’m willing to skim through your 247 lines of configuration and list random things I find with no specific goal in mind; why not?


  • Three overlapping DHCP pools? WTF?
  • Simple queues, fq_codel, and Cake, all at once? Do you mix gasoline, diesel, and kerosene in your cars, just to see what happens?
  • Don’t disable IPv6. It’s 2023, decades past time to begin coping with the IPv6 reality.
  • You apply multiple packet marks that are never used (“Gaming”, the presumably misspelled “cliient-dw-con”, etc.)
  • What is dst-natting ICMP to the router supposed to do?
  • You have multiple references to TCP port 0, which was reserved and never assigned, since the Internet’s Dark Ages. (i.e. Before fiber, back when we only had electrons to play with.) Why?
  • What is host 192.168.x.254 on the LAN, and why is it so bloody trustworthy that you forward so much of consequence to it, including 49152-65535, as only an absolute muppet would?

Like I said, this is my first time setting up a MikroTik router; I knew I would make mistakes. And asking whether there is anyone from MikroTik who can help me is a valid question on a MikroTik forum; there is no need for the condescending tone. I have just followed tutorials from tksja and the network berg. Thanks for the information, I will look into this.

Well, here are my two cents:

  • get firewall back to original, lots of crap added
  • get rid of UPnP and disable it like…forever. And start getting ashamed while you want your router as safe as possible
  • get rid of auto-upgrade and disable it like…forever
  • reboots are not necessary, you are using MikroTik now (not crappy consumer stuff)
  • lot of cleanup can be done (is appreciated here on the forum)

Glad you masked the private IP addresses…like that is sensitive data.

:smiley:

Hope this is what you are looking for? Again, this is a user forum and the people are more than willing to help. Whether your question is valid

I appreciate any help I get. I didn’t know what to look for in that code, so I wouldn’t have noticed the mistakes, especially since it was all running pretty smoothly. That goes to show how good MikroTik is: I’ve had it for 3 weeks and the connection is the best I’ve had so far. I also love how flexible it is. But it is quite a steep learning curve compared to your common routers.

So I’m going to just redo the whole thing with the default firewall and remove all my attempts to port forward my PS5, which all failed in the end. Later on I will figure it out, I’m sure, but first I will focus on the firewall. I have removed the overlapping DHCP pools; I don’t even know why it was like that. UPnP, auto-upgrade, the scheduled reboot and the extra src-nat rule have been removed.

One thing I’m not sure about is this comment:

Simple queues, fq_codel, and Cake, all at once? Do you mix gasoline, diesel, and kerosene in your cars, just to see what happens?

Is this to say that I shouldn’t change the queue type at all on simple queues? Every tutorial I have seen on how to get cake to manage buffer bloat says to do it like this:

add disabled=yes max-limit=80M/1G name="All Bandwidth" queue=\
    "Cake Upload/Cake Download" target=192.168.x.0/24 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat total-queue="Cake Default"
add disabled=yes max-limit=50M/200M name=PS5 parent="All Bandwidth" priority=\
    1/1 queue="Cake Upload/Cake Download" target=192.168.x.254/32 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat total-queue="Cake Default"

Sure, and now you have your answer: in general, the answer is “No, you cannot expect MikroTik people to respond here on the forum.” They might, but it is unreasonable to expect it.

If you are only interested in MikroTik’s responses, not end-user responses, they offer multiple direct support channels. However, I think your current questions would currently fall under point 6 on that page: don’t expect them to teach you network engineering one support ticket at a time.


there is no need for the condescending tone

The intent was more “comic roasting,” with the hope that it would usher forward the day that this configuration makes you shake your head in disbelief, too. I thought that came through clearly in the over-the-top language, but I am clearly no Eric Idle, am I? :slight_smile:


I have just followed tutorials from tksja and the network berg.

You can read seven different tutorials and come away with seven great and correct ideas which nevertheless will not all work together when slapped together in pseudorandom order. There’s no getting around the need to understand how RouterOS’s many features interact.

You’re much better off trying one thing at a time than trying all the ideas you were able to pull up with a web search all at once.


Is this to say that I shouldn’t change the queue type at all on simple queues?

No, it’s primarily a reference to lines 32-34 in your configuration, where you set up a simple queue without reference to either Cake or fq_codel. It’s disabled, but why then is it present in what you posted for comment, if you don’t want anyone to comment on it? My presumption was that you’re turning these queues on and off to try different options, but then why are you asking for advice? Do you want a personal taste test, or do you want us to tell you what to do? Giving us all the options you’ve tried without any further guidance is confusing and calls for either speculation or lots of back-and-forth questions to tease out what it is you’re trying to accomplish.

Secondarily, I see no reason to ever mix Cake and fq_codel. Pick one. They have different design principles, resulting in different tradeoffs, which is why both are available. Different purposes make one better than the other, but without knowing your purposes, I can’t tell you which one to use. I suspect Cake is better for your needs, but that’s speculation.

I don’t expect or feel entitled to MikroTik help or user help, but I appreciate help from both. In most forums set up by the actual company there are usually people from the company helping, as well as user-to-user help; that has been my experience. Anyway, I would prefer to stay on topic.

Now I’m just correcting my mistakes, which I would never have known were there without posting a block of config, so I’m glad I did even if there wasn’t a goal per se. My goal is firstly to make sure that I have done the basics like the firewall correctly, and secondly to have a working queue to optimise bufferbloat for the PS5.

I am absorbing the useful information all the users give and will do my due diligence accordingly. At least now I have a base to start on.

These are my new configs at the moment: the default configs the router sets up at the start; additionally I removed fasttrack and applied 2 simple queues, which I will test to see which is optimal.

# 2023-08-17 07:08:47 by RouterOS 7.11
# software id = x x x 
#
# model = RB5009UPr+S+
# serial number = x x x 
#
# Review notes are added below as comments only; no statement is changed.
# Summary: the RouterOS default ("defconf") firewall set with the fasttrack
# rule left out, a PPPoE WAN on ether1, a single DHCP pool on the bridge and
# three simple queues (one of them disabled).
/interface bridge
# One bridge for all LAN ports; its MAC is pinned (auto-mac=no), value redacted.
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 is the only port kept out of the bridge (it carries the PPPoE
# session); ether2-ether5 are bridge ports, see "/interface bridge port".
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=PS5
set [ find default-name=ether4 ] comment=Config
set [ find default-name=ether5 ] comment=Other
/interface pppoe-client
# WAN uplink. pppoe-out1 is added to the WAN interface list further down, so
# the WAN-based firewall and NAT rules match the PPPoE interface and not only
# the physical ether1. Credentials are redacted in the paste.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=x x x
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default profile; the identity is redacted and nothing else in this export
# references the profile.
set [ find default=yes ] supplicant-identity=x x x
/ip pool
# Single DHCP pool; .1 (the router) and .2-.9 are outside the range.
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# 10-minute leases on the bridge. The PS5 queues below pin 192.168.88.249/32,
# so that host needs a stable address (a static lease) for the queue target to
# keep matching — worth confirming.
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/queue type
# Per-direction Cake types. Both set cake-nat=yes (Cake looks up the pre-NAT
# addresses for flow isolation, which is relevant because srcnat masquerade is
# used below); the download type also sets cake-wash=yes. "FQ Codel" is
# defined but no simple queue in this export references it.
add cake-nat=yes kind=cake name="Cake Upload"
add cake-nat=yes cake-wash=yes kind=cake name="Cake Download"
add kind=cake name="Cake Default"
add kind=fq-codel name="FQ Codel"
/queue simple
# Parent queue for the whole /24 uses queue=default/default (the built-in
# default type, not Cake), while its child "PS5" uses the Cake types, so the
# parent and child run different queue disciplines. The disabled
# "PS5 Cake only" entry has no parent but targets the same /32 as "PS5"; keep
# only one of the two enabled, otherwise both would match the same host.
add max-limit=80M/1G name="All Bandwidth" queue=default/default target=\
    192.168.88.0/24 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add max-limit=50M/200M name=PS5 parent="All Bandwidth" priority=1/1 queue=\
    "Cake Upload/Cake Download" target=192.168.88.249/32 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat total-queue="Cake Default"
add disabled=yes max-limit=50M/200M name="PS5 Cake only" priority=1/1 queue=\
    "Cake Upload/Cake Download" target=192.168.88.249/32 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat total-queue="Cake Default"
/interface bridge port
# Every port except ether1 is bridged, including the SFP+ cage.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery only on LAN, so the router does not announce itself on
# the WAN side.
set discover-interface-list=LAN
/interface list member
# Both the physical ether1 and the PPPoE interface are in WAN; the bridge is
# LAN. The pppoe-out1 entry is the one non-defconf line here and is required
# for the "in-interface-list=WAN" rules to see internet traffic.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
# Disabled: the WAN address comes from the PPPoE session, not from DHCP on
# ether1.
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
# Clients are pointed at the router for DNS, which is why the DNS setting
# below is needed.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# The router resolves for LAN clients. This is only safe because the input
# chain below drops everything not arriving from LAN; without that rule this
# setting would expose an open resolver on the WAN side.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# defconf input chain, in order: keep existing connections, drop invalid,
# allow ICMP, allow loopback, then drop anything not from LAN. That last rule
# is what keeps winbox, DNS and the other local services off the WAN side.
# The default fasttrack rule is absent (removed by the poster, presumably so
# forwarded traffic is seen by the simple queues), so every forwarded packet
# goes through the full filter and queue path.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: IPsec-policy traffic first, then existing connections, then
# drop invalid. The final rule drops every new connection from WAN unless a
# dst-nat rule has already translated it, so a future PS5 port-forward only
# needs a dstnat entry — it then passes this rule without further changes.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade everything leaving via a WAN-list interface, except traffic that
# matches an outbound IPsec policy (ipsec-policy=out,none).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip service
# Management surface: telnet, ftp, www, api, api-ssl and ssh are disabled;
# winbox is limited to the LAN subnet by address=. Services not listed here
# keep their defaults and are not shown by this export — check
# "/ip service print". port=x is a redacted value.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24 disabled=yes port=x
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
# defconf bogon list, used by the IPv6 forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# defconf IPv6 rules, unchanged. No IPv6 address or DHCPv6 client appears in
# this export, so these only take effect once IPv6 is enabled on the PPPoE
# link; leaving them in place means that step does not start out unfiltered.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system identity
set name=x x x
/system note
set show-at-login=no
/system ntp client
# NTP enabled so log timestamps and certificate validity checks are accurate.
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool mac-server
# MAC-level management (mac-telnet and mac-winbox) only answers on LAN.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This guide might possibly help you a bit along the way: “New User Pathway To Config Success” (courtesy of @Anav)

Wow, I’ve had a quick look through and it is pretty great; kudos to Anav for putting that together, and thank you Larsa.