Queue trees, firewall rules and some other basics.. HELP

Hi,
I am new to mikrotik and have some questions.

I noticed in my queue trees that one of my tenants is uploading a lot (the queue trees only define download). What would the upload parent tree look like in order for me to regulate uploads?

Also, I have set up queue trees and I do have excess bandwidth, BUT I seem to be maxing out my bandwidth. This is how I marked my connections and packets:

;;; Fountain_Packets
chain=forward action=mark-packet new-packet-mark=Fountain_Packets passthrough=yes
src-address=192.168.5.0/24 connection-mark=Fountain_Connection
;;; Fountain_Connection
chain=prerouting action=mark-connection new-connection-mark=Fountain_Connection
passthrough=yes src-address=192.168.5.0/24
Is this correct?

Finally, how can I block POP3 for specific addresses, e.g. 192.168.5.2?

Thanks :open_mouth:

Your upload Queue tree needs to be on your upload interface, i.e. your WAN interface. You can also place it on one of the Global interfaces, I just don’t ever remember which as the Globals tend to confuse me. This also depends on how you are marking the packets, are you marking them directly or marking the connection and then marking the packet based off of the connection? If you are marking based off of the connection you are fine, but if you are marking the packets directly you need to mark them in both directions. So it would be two rules to get http both in forward, one with a dst-port of 80 and one with a src-port of 80.

As far as blocking POP3 goes, you can block the port it generally uses. However, if they use a non-standard port it becomes a bit harder to block.

/ip firewall filter
add chain=forward action=drop dst-port=110 src-address-list=deny_pop3

Thanks for your reply.
I have tried the upload queue tree and have used global-out, i.e.

name="Upload" parent=global-out packet-mark="" limit-at=0 queue=default
priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

and placed my tenants under this. It seems to be working, since the perennial uploader is maxing out on the limits I have placed on her.

As for marking packets and connections, here is how I have done it:

;;; Centrif_Connection
chain=prerouting action=mark-connection new-connection-mark=Centrif_Connection passthrough=yes src-address=192.168.3.0/29 packet-mark=Centrif_Packets

;;; Centrif_Packets
chain=forward action=mark-packet new-packet-mark=Centrif_Packets passthrough=yes src-address=192.168.3.0/29 connection-mark=Centrif_Connection

Is this OK, and can I simply add tenants to the upload queues as I did with the download queue?

Finally, I looked at the code you kindly provided and realized that you had not specified the protocol, i.e. TCP or UDP. How can you specify the port to block if you have not specified the protocol? What should the protocol be?
Thanks :sunglasses:

You don't; not all Internet protocols have a concept of a port. TCP and UDP do, but things like GRE, ICMP, etc. do not. The router needs to know what protocol it is looking for first before it even knows it needs to look for a port. TCP is the protocol you are looking for with standard POP3; I just forgot to add it in the firewall matcher, my bad.

Since you are first marking connections and then marking packets off of those connection marks, you can leave everything in the prerouting chain if you wanted since that will catch everything in both directions. Also remove "packet-mark=Centrif_Packets" from your connection mark rule as it could mess things up.

Also if you wanted to include people easier, use src-address-list instead of src-address to get it to match several IP addresses, then you can just add IP addresses to that list. Depending on what kind of queue you are using in that case you will probably want to switch it over to PCQ if you want it to allocate the bandwidth evenly amongst the people in that address list, otherwise everyone will share the exact same queue, and therefore one of them could hog the entire thing.
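To put the advice in this reply together in one place (added example, not Feklar's or the original poster's configuration): the POP3 drop rule with the missing protocol=tcp, an address list in place of src-address, connection marks and per-direction packet marks all in prerouting, and PCQ queues so that hosts in the list share the limit evenly. It assumes ether1 is the WAN and ether2 is the tenant LAN; the rate limits and the 192.168.5.2 host entry are placeholder values to replace with your own.

```routeros
/ip firewall address-list
add list=Fountain_hosts address=192.168.5.0/24 comment="tenant subnet"
add list=deny_pop3 address=192.168.5.2 comment="placeholder host that may not use POP3"

/ip firewall filter
# protocol=tcp is required: the router cannot match a port without knowing the L4 protocol
add chain=forward protocol=tcp dst-port=110 src-address-list=deny_pop3 action=drop \
    comment="block POP3 for hosts in deny_pop3"

/ip firewall mangle
# mark the connection once, on the first packet seen from the tenant LAN
add chain=prerouting in-interface=ether2 src-address-list=Fountain_hosts \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=Fountain_Connection passthrough=yes
# packets entering from the LAN on a marked connection are uploads
add chain=prerouting in-interface=ether2 connection-mark=Fountain_Connection \
    action=mark-packet new-packet-mark=Fountain_Up passthrough=no
# packets entering from the WAN on a marked connection are downloads
add chain=prerouting in-interface=ether1 connection-mark=Fountain_Connection \
    action=mark-packet new-packet-mark=Fountain_Down passthrough=no

/queue type
# PCQ splits the queue per tenant host instead of one shared FIFO
add name=pcq_up kind=pcq pcq-classifier=src-address
add name=pcq_down kind=pcq pcq-classifier=dst-address

/queue tree
# upload tree hangs off the WAN interface (placeholder limits)
add name=Upload parent=ether1 max-limit=2M
add name=Fountain_Up parent=Upload packet-mark=Fountain_Up queue=pcq_up \
    limit-at=512k max-limit=1M
# download tree hangs off the tenant LAN interface (placeholder limits)
add name=Download parent=ether2 max-limit=10M
add name=Fountain_Down parent=Download packet-mark=Fountain_Down queue=pcq_down \
    limit-at=2M max-limit=5M
```

Watch the packet counters on the two mark-packet rules while a tenant uploads: only Fountain_Up should climb, which confirms the direction split is working before you trust the queue limits.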

Thank you, will give it a try and post the results

Brilliant… Thanks Feklar :smiley:
