RB3011 inter vlan routing performance

Hi there,

I have a problem regarding the routing performance of my RB3011. I have an internal bridge with 192.168.254.0/24 and two DMZ VLANs attached.
DMZ1: 192.168.100.0/24 port 8
DMZ2: 192.168.200.0/24 port 8

There is an Intel NUC connected to port 8 running ESXi and a couple of VMs. One VM is a virtualized firewall using both DMZs.
I’ve successfully configured the RB3011 to forward the relevant traffic via PBR through DMZ1 to the firewall. The firewall sends the traffic to the RB3011 via DMZ2; the other traffic is sent directly out the WAN interface via 0.0.0.0/0. This is working as expected.

However, I have some serious performance problems with this setup. I have a stable 260/20 Mbit line on the WAN side but am only able to get ~150 Mbit through this setup.
As soon as I disable PBR and route everything directly from the bridge out the WAN interface, everything is blazing fast.

NOTE: I have made sure that the bottleneck is NOT the NUC or the VM running on it, so it must have something to do with the RB3011 (or its configuration).

Am I missing something? Is this normal, as inter-VLAN routing has to use the CPU (although CPU load is at about 30% during download)?
I’m a bit lost here …

ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; OPNSENSE
        0.0.0.0/0                          192.168.100.253           1
 2 ADS  0.0.0.0/0                          213.47.110.1              1
 4 ADC  192.168.100.0/24   192.168.100.254 vlan100                   0
 8 ADC  192.168.200.0/24   192.168.200.254 vlan200                   0
 9 ADC  192.168.254.0/24   192.168.254.254 bridge                    0
11 ADC  213.47.110.0/24    213.47.110.102  ether1                    0

/ip route
add check-gateway=ping comment=OPNSENSE distance=1 gateway=192.168.100.253 \
    routing-mark=IPS
add check-gateway=ping comment=pfsense disabled=yes distance=1 gateway=\
    192.168.100.252 routing-mark=IPS
/ip route rule
add disabled=yes routing-mark=IPS src-address=192.168.254.0/24 table=IPS
add disabled=yes routing-mark=main src-address=192.168.254.0/24 table=main
add action=jump chain=prerouting jump-target=IPS_MARK
add action=mark-routing chain=IPS_MARK connection-mark=no-mark \
    dst-address-list=!BOGONS in-interface=bridge log-prefix=IPS \
    new-routing-mark=IPS passthrough=no

/interface bridge
add name=bridge protocol-mode=none pvid=10 vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=10
add bridge=bridge interface=ether10 pvid=10
/interface bridge vlan
add bridge=bridge tagged=ether8,bridge vlan-ids=100
add bridge=bridge tagged=ether8,bridge vlan-ids=200

/ip address
add address=192.168.254.254/24 interface=bridge network=192.168.254.0
add address=192.168.100.254/24 interface=vlan100 network=192.168.100.0
add address=192.168.200.254/24 interface=vlan200 network=192.168.200.0

Thanks for your help!

VLAN filtering is currently only supported on CRS3xx, so I will change the VLAN config from Bridge VLAN to Switch VLAN to gain wire speed.

I will also use mangle instead of route rules to mark connections, then routing, for PBR.

vlan-filtering is supported everywhere, but only on CRS3xx is it supported in hardware.
And if the observed difference is between with and without policy-based routing, the VLAN filtering on the bridge is not the most limiting factor.

The configuration excerpt is slightly messy, with /ip firewall mangle rules mixed with /ip route rule items, so it is hard to say what actually happens. Better to post the complete /export hide-sensitive after obfuscating any public IP addresses.

The point is that RouterOS uses a lot of optimisations: if you don’t use the firewall at all, fastpath is used automatically. If you start using the firewall, fasttracking still saves a lot of CPU and thus packet processing delay.

Also, if it is enough to choose the routing table for a packet by its src-address, /ip route rule is enough to do so, so you do not need to assign routing-marks using firewall mangle rules, and I’ve recently got the feeling that route rules do not interfere with fasttracking. On the other hand, if you need to assign a routing mark based on some packet property other than the source address, you do not need any /ip route rule to translate the routing mark to a routing table name, because the two are actually the same thing. But if you need the mangle rules to assign routing-marks, you cannot fasttrack the connections which require such marking. How to fasttrack most of the traffic in such a case is described here.

Thanks for your answer, Sindy!

Unfortunately I wasn’t able to exclude the PBR/VLAN filtering configuration in detail, as the NUC only has one physical NIC. I’ve tried it with routed ports and a USB NIC on the NUC, but these are a real mess when it comes to performance and stability.
I’ve disabled fasttrack as it does not work properly when PBR is involved, correct?

I’m forced to use routing marks with connection marking as I have to choose the route depending on layer 4 details. Additionally I’ve disabled the routing rules just in case …

Here is the full cfg:

# may/11/2018 14:57:00 by RouterOS 6.42.1
# software id = 60DZ-71SZ
#
# model = RouterBOARD 3011UiAS
# serial number = 780E06559E5F
/interface bridge
add name=bridge protocol-mode=none pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full comment="WAN 6C:3B:6B:77:8B:6B" loop-protect=off mac-address=6C:3B:6B:77:8B:6B rx-flow-control=auto speed=1Gbps tx-flow-control=auto
set [ find default-name=ether6 ] rx-flow-control=auto speed=1Gbps tx-flow-control=auto
set [ find default-name=ether7 ] rx-flow-control=auto speed=1Gbps tx-flow-control=auto
set [ find default-name=ether8 ] comment=nuc rx-flow-control=auto speed=1Gbps tx-flow-control=auto
set [ find default-name=ether9 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether10 ] comment=uplink rx-flow-control=auto speed=1Gbps tx-flow-control=auto
/interface gre
add allow-fast-path=no !keepalive mtu=1434 name=GRE-philipp remote-address=84.113.27.145
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/ip ipsec proposal
set [ find default=yes ] auth-algorithms="" disabled=yes enc-algorithms=""
add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=1d name=philipp pfs-group=modp2048
add auth-algorithms=sha512,sha256,sha1 lifetime=1h name=fritzbox
/ip pool
add name=openvpn ranges=10.0.0.100-10.0.0.200
add name=dhcp_pool2 ranges=192.168.9.1-192.168.9.253
/ppp profile
add dns-server=192.168.254.252 local-address=10.0.0.254 name=openvpn remote-address=openvpn use-encryption=required use-mpls=no
/queue type
add bfifo-limit=1500 kind=bfifo name=gaming
add kind=pcq name=pcq-down-manual-size pcq-classifier=dst-port pcq-limit=40KiB pcq-total-limit=7000KiB
add kind=pcq name=pcq-up-manual-size pcq-classifier=src-port pcq-limit=20KiB pcq-total-limit=40KiB
set 8 pcq-classifier=src-port
set 9 pcq-classifier=dst-port
/queue interface
set sfp1 queue=ethernet-default
/routing ospf instance
add name=philipp router-id=192.168.254.254
/routing ospf area
add instance=philipp name=backbone_philipp
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 read-access=no
add addresses=192.168.254.0/24 name=homepublic_2016
/system logging action
set 3 bsd-syslog=yes remote=192.168.254.248 remote-port=5141 src-address=192.168.254.254 syslog-facility=syslog syslog-severity=info
/user group
set read policy=local,telnet,ssh,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!reboot,!write,!policy,!dude
/interface bridge port
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=10
add bridge=bridge interface=ether10 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set accept-source-route=yes allow-fast-path=no rp-filter=loose tcp-syncookies=yes
/interface bridge vlan
add bridge=bridge tagged=ether10,bridge vlan-ids=9
add bridge=bridge tagged=ether8,bridge vlan-ids=100
add bridge=bridge tagged=ether8,bridge vlan-ids=200
/ip address
add address=198.18.0.2/30 interface=GRE-philipp network=198.18.0.0
add address=192.168.254.254/24 interface=bridge network=192.168.254.0
add address=192.168.100.254/24 interface=vlan100 network=192.168.100.0
add address=192.168.200.254/24 interface=vlan200 network=192.168.200.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-relay
add dhcp-server=192.168.254.250 interface=ether1 local-address=192.168.9.254 name=wlan
/ip dns
set servers=192.168.254.251,192.168.254.250
/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
add address=69.162.124.226 list=UPTIMEROBOT
add address=69.162.124.227 list=UPTIMEROBOT
add address=69.162.124.228 list=UPTIMEROBOT
add address=69.162.124.229 list=UPTIMEROBOT
add address=69.162.124.230 list=UPTIMEROBOT
add address=69.162.124.231 list=UPTIMEROBOT
add address=69.162.124.232 list=UPTIMEROBOT
add address=69.162.124.233 list=UPTIMEROBOT
add address=69.162.124.234 list=UPTIMEROBOT
add address=69.162.124.235 list=UPTIMEROBOT
add address=69.162.124.236 list=UPTIMEROBOT
add address=69.162.124.237 list=UPTIMEROBOT
add address=69.162.124.238 list=UPTIMEROBOT
add address=63.143.42.242 list=UPTIMEROBOT
add address=63.143.42.243 list=UPTIMEROBOT
add address=63.143.42.244 list=UPTIMEROBOT
add address=63.143.42.245 list=UPTIMEROBOT
add address=63.143.42.246 list=UPTIMEROBOT
add address=63.143.42.247 list=UPTIMEROBOT
add address=63.143.42.248 list=UPTIMEROBOT
add address=63.143.42.249 list=UPTIMEROBOT
add address=63.143.42.250 list=UPTIMEROBOT
add address=63.143.42.251 list=UPTIMEROBOT
add address=63.143.42.252 list=UPTIMEROBOT
add address=46.137.190.132 list=UPTIMEROBOT
add address=122.248.234.23 list=UPTIMEROBOT
add address=188.226.183.141 list=UPTIMEROBOT
add address=178.62.52.237 list=UPTIMEROBOT
add address=54.79.28.129 list=UPTIMEROBOT
add address=54.94.142.218 list=UPTIMEROBOT
add address=104.131.107.63 list=UPTIMEROBOT
add address=54.67.10.127 list=UPTIMEROBOT
add address=54.64.67.106 list=UPTIMEROBOT
add address=159.203.30.41 list=UPTIMEROBOT
add address=46.101.250.135 list=UPTIMEROBOT
add address=192.168.178.0/24 list=NO-NAT-SOURCE
add address=192.168.179.0/24 list=NO-NAT-SOURCE
add address=192.168.178.0/24 list=NO-NAT-DEST
add address=192.168.179.0/24 list=NO-NAT-DEST
add address=10.0.0.0/24 list=MGMT
add address=192.168.254.0/24 list=MGMT
add address=192.168.188.0/24 list=NO-NAT-DEST
add address=192.168.188.0/24 list=NO-NAT-SOURCE
/ip firewall filter
add action=accept chain=input comment="PERMIT GATEWAY CHECK OPNSENSE" dst-address=192.168.200.254 in-interface=vlan200 protocol=icmp src-address=192.168.200.253
add action=accept chain=input comment="PERMIT GATEWAY CHECK OPNSENSE" dst-address=192.168.100.254 in-interface=vlan100 protocol=icmp src-address=192.168.100.253
add action=accept chain=input comment="PERMIT NTP" dst-address=192.168.100.254 dst-port=123 in-interface=vlan100 protocol=udp src-address=192.168.100.253
add action=accept chain=input src-address=77.244.253.93
add action=accept chain=forward comment="PERMIT DMZ" dst-address=192.168.100.0/24 in-interface=bridge src-address=192.168.254.0/24
add action=accept chain=forward comment="PERMIT DMZ" dst-address=192.168.254.0/24 in-interface=vlan100 src-address=192.168.100.0/24
add action=accept chain=forward comment="PERMIT EST REL" connection-state=established,related log-prefix="PERMIT EST REL"
add action=drop chain=forward comment="DROP FORWARD INVALID" connection-state=invalid log=yes log-prefix="DROP FORWARD INVALID"
add action=accept chain=input in-interface=ether1 protocol=icmp src-address=66.220.2.74
add action=accept chain=input in-interface=ether1 protocol=icmp src-address=216.66.80.30
add action=accept chain=input comment="PERMIT INPUT ESTABLISHED RELATED" connection-state=established,related log-prefix="PERMIT INPUT RELATED"
add action=jump chain=input comment="JUMP AND DENY PORT SCANNERS" jump-target="port scanners" log-prefix="JUMP AND DENY PORT SCANNERS"
add action=drop chain=input comment="DROP INPUT INVALID" connection-state=invalid log=yes log-prefix="DROP INPUT INVALID"
add action=drop chain=input comment="DROP MALWARE DST INPUT IN" in-interface=ether1 log=yes log-prefix="DROP MALWARE DST INPUT IN" src-address-list=intrusBL
add action=accept chain=input comment="PERMIT IPSEC IN" dst-port=4500,500 log-prefix="PERMIT IPSEC IN" protocol=udp
add action=accept chain=input comment="PERMIT IPSEC IN" log-prefix="PERMIT IPSEC IN" protocol=ipsec-esp
add action=accept chain=input comment="PERMIT PROTO41" connection-state="" log-prefix="PERMIT IPV6 ALIVE ICMP" protocol=ipv6 src-address=216.66.80.30
add action=accept chain=forward comment="PERMIT FORWARD 8443,444,49161" dst-address=192.168.200.6 dst-port=8443,444,49161 in-interface=ether1 log=yes log-prefix="PERMIT FORWARD 8443,444,49161" out-interface=\
    vlan200 protocol=tcp
add action=accept chain=forward comment="PERMIT FORWARD 80" dst-address=192.168.200.6 dst-port=80 in-interface=ether1 log=yes log-prefix="PERMIT FORWARD 80" out-interface=vlan200 protocol=tcp
add action=accept chain=forward comment="PERMIT FORWARD 8443,80,444" dst-address=192.168.254.6 dst-port=8443,444,49161 in-interface=vlan100 log=yes log-prefix="PERMIT FORWARD 8443,444,49161" out-interface=\
    bridge protocol=tcp
add action=accept chain=forward comment="PERMIT FORWARD 80" dst-address=192.168.254.6 dst-port=80 in-interface=vlan100 log=yes log-prefix="PERMIT FORWARD 80" out-interface=bridge protocol=tcp
add action=drop chain=forward comment="DROP MALWARE DST FORWARD OUT" dst-address-list=intrusBL in-interface=bridge log=yes log-prefix="DROP MALWARE DST FORWARD OUT"
add action=drop chain=forward comment="DROP MALWARE DST FORWARD IN" in-interface=ether1 log=yes log-prefix="DROP MALWARE DST FORWARD IN" src-address-list=intrusBL
add action=jump chain=forward comment=VPN jump-target=vpn log-prefix=VPN
add action=jump chain=forward comment="JUMP AND DENY VIRUS PORTS" dst-address=!192.168.0.0/16 in-interface=bridge jump-target=virus log-prefix="JUMP AND DENY VIRUS PORTS"
add action=accept chain=vpn comment="PERMIT MATHIS IPSEC IN" dst-address=192.168.254.0/24 in-interface=ether1 log-prefix="PERMIT MATHIS IPSEC IN" src-address=192.168.179.0/24
add action=accept chain=vpn comment="PERMIT MATHIS IPSEC OUT" dst-address=192.168.179.0/24 in-interface=bridge log-prefix="PERMIT MATHIS IPSEC OUT" src-address=192.168.254.0/24
add action=accept chain=vpn comment="PERMIT PHILIPP IPSEC IN" dst-address=192.168.254.0/24 in-interface=GRE-philipp log-prefix="PERMIT PHILIPP IPSEC IN" src-address=192.168.11.0/24
add action=accept chain=vpn comment="PERMIT PHILIPP IPSEC OUT" dst-address=192.168.11.0/24 in-interface=bridge log-prefix="PERMIT PHILIPP IPSEC OUT" src-address=192.168.254.0/24
add action=accept chain=input comment="PERMIT INPUT OSPF" in-interface=GRE-philipp protocol=ospf
add action=accept chain=forward comment="PERMIT FORWARD OVPN" dst-address=192.168.254.0/24 in-interface=all-ppp log-prefix="PERMIT FORWARD OVPN" out-interface=bridge src-address=10.0.0.0/24
add action=accept chain=forward comment="PERMIT FORWARD OVPN" in-interface=all-ppp log-prefix="PERMIT FORWARD OVPN" out-interface=ether1 src-address=10.0.0.0/24
add action=accept chain=input comment="PERMIT INPUT OPENVPN" dst-port=443 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="PORT SCANNERS TO DENY LIST" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="NMAP FIN Stealth scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="SYN/FIN scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="SYN/RST scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="FIN/PSH/URG scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="ALL/ALL scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="NMAP NULL scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 log=yes protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 log=yes protocol=udp
add action=drop chain=virus comment=________ dst-port=593 log=yes protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 log=yes protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 log=yes protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 log=yes protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 log=yes protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 log=yes protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 log=yes protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 log=yes protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 log=yes protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 log=yes protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 log=yes protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 log=yes protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 log=yes protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 log=yes protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 log=yes protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 log=yes protocol=tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 log=yes protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 log=yes protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=65506 log=yes protocol=tcp
add action=accept chain=input comment="PERMIT MGMT" log-prefix="PERMIT MGMT" src-address-list=MGMT
add action=accept chain=input comment="PERMIT MATHIS NTP" dst-address=192.168.254.254 dst-port=123 log-prefix="PERMIT MATHIS NTP" protocol=udp src-address=192.168.179.252
add action=accept chain=input comment="PERMIT KARLI NTP" dst-address=192.168.254.254 dst-port=123 log-prefix="PERMIT KARLI NTP" protocol=udp src-address=192.168.188.1
add action=accept chain=output
add action=accept chain=vpn comment="PERMIT MARTIN IPSEC OUT" dst-address=192.168.178.0/24 in-interface=bridge log-prefix="PERMIT MARTIN IPSEC OUT" src-address=192.168.254.0/24
add action=accept chain=vpn comment="PERMIT MARTIN IPSEC IN" dst-address=192.168.254.0/24 in-interface=ether1 log=yes log-prefix="PERMIT MARTIN IPSEC IN" src-address=192.168.178.0/24
add action=accept chain=vpn comment="PERMIT KARLI IPSEC IN" dst-address=192.168.254.0/24 in-interface=ether1 log=yes log-prefix="PERMIT KARLI IPSEC IN" src-address=192.168.188.0/24
add action=accept chain=vpn comment="PERMIT KARLI IPSEC OUT" dst-address=192.168.188.0/24 in-interface=bridge log-prefix="PERMIT KARLI IPSEC OUT" src-address=192.168.254.0/24
add action=drop chain=forward comment="DROP BOGUS" dst-address-list=BOGONS log=yes log-prefix="DROP BOGUS" out-interface=ether1
add action=accept chain=forward comment="PERMIT REST FROM INSIDE" in-interface=bridge log=yes log-prefix="PERMIT REST" src-address=192.168.254.0/24
add action=accept chain=forward comment="PERMIT REST FROM INSIDE" in-interface=vlan200 log=yes log-prefix="PERMIT REST DMZ" src-address=192.168.200.0/24
add action=accept chain=forward comment="PERMIT REST FROM INSIDE" in-interface=bridge log-prefix="PERMIT REST" src-address=192.168.9.0/24
add action=drop chain=input comment="DROP INPUT ALL" log=yes log-prefix="DROP INPUT ALL"
add action=drop chain="port scanners" comment="DROP PORT SCANNERS" log=yes log-prefix="DROP PORT SCANNERS" src-address-list="port scanners"
add action=drop chain=forward comment="DROP FORWARD ALL" log=yes log-prefix="DROP FORWARD ALL"
/ip firewall mangle
add action=mark-connection chain=prerouting comment=steam dst-address-list=!BOGONS dst-address-type=!local dst-port=27000-28999 in-interface=bridge log-prefix=STEAM new-connection-mark=steam passthrough=yes \
    protocol=udp
add action=mark-connection chain=prerouting comment=PUBG dst-address-list=!BOGONS dst-address-type=!local dst-port=7000-7999 in-interface=bridge log-prefix=STEAM new-connection-mark=steam passthrough=yes \
    protocol=udp
add action=mark-connection chain=prerouting comment=steam dst-address-list=!BOGONS dst-address-type=!local dst-port=27000-28999 in-interface=bridge log-prefix=STEAM new-connection-mark=steam passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting comment=quake dst-address-list=!BOGONS dst-address-type=!local dst-port=48800-49000 in-interface=bridge new-connection-mark=qc passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=bf dst-address-list=!BOGONS dst-address-type=!local dst-port=5222,9988,17502,22990,42127 in-interface=bridge new-connection-mark=bf passthrough=yes protocol=\
    tcp
add action=mark-connection chain=prerouting comment=bf dst-address-list=!BOGONS dst-address-type=!local dst-port=3659,14000-14016,22990-23006,25200-25300,10000-10010 in-interface=bridge new-connection-mark=bf \
    passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=twitch dst-address-list=!BOGONS dst-address-type=!local dst-port=1935 in-interface=bridge new-connection-mark=twitch passthrough=yes protocol=tcp
add action=jump chain=prerouting jump-target=IPS_MARK
add action=return chain=IPS_MARK connection-mark=no-mark dst-address=192.168.179.0/24
add action=return chain=IPS_MARK connection-mark=no-mark dst-address=192.168.11.0/24
add action=mark-routing chain=IPS_MARK connection-mark=no-mark dst-address-list=!BOGONS in-interface=bridge log-prefix=IPS new-routing-mark=IPS passthrough=no

/ip firewall nat

add action=accept chain=srcnat comment="nonat vpn" dst-address=192.168.178.0/24 out-interface=ether1 src-address=192.168.254.0/24
add action=accept chain=srcnat comment="nonat vpn" dst-address=192.168.179.0/24 out-interface=ether1 src-address=192.168.254.0/24
add action=accept chain=srcnat comment="nonat vpn" dst-address=192.168.188.0/24 out-interface=ether1 src-address=192.168.254.0/24
add action=masquerade chain=srcnat comment="masq 4 int" log-prefix=MASQUERADE out-interface=ether1 src-address=192.168.254.0/24
add action=masquerade chain=srcnat comment="masq 4 dmz" log-prefix=MASQUERADE out-interface=ether1 src-address=192.168.200.0/24 to-addresses=x.x.x.x.x
add action=masquerade chain=srcnat comment="masq 4 dmz" log-prefix=MASQUERADE out-interface=ether1 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="masq 4 client vpn" log-prefix=MASQUERADE out-interface=ether1 src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment="nas mgmt" dst-address-list=!NO-NAT-DEST dst-port=8443 in-interface=ether1 log-prefix="STATIC NAT NAS" protocol=tcp src-address-list=!NO-NAT-SOURCE to-addresses=\
    192.168.200.6 to-ports=8443
add action=dst-nat chain=dstnat comment="nas http srv" dst-address-list=!NO-NAT-DEST dst-port=444 in-interface=ether1 log-prefix="DNAT NAS" protocol=tcp src-address-list=!NO-NAT-SOURCE to-addresses=\
    192.168.200.6
add action=dst-nat chain=dstnat comment="nas http srv, torrent" dst-address-list=!NO-NAT-DEST dst-port=49161 in-interface=ether1 log-prefix="DNAT NAS" protocol=tcp src-address-list=!NO-NAT-SOURCE to-addresses=\
    192.168.200.6
add action=dst-nat chain=dstnat comment="DNAT NEXTCLOUD" dst-address-list=!NO-NAT-DEST dst-port=80 in-interface=ether1 log-prefix="DNAT NEXTCLOUD" protocol=tcp src-address-list=!NO-NAT-SOURCE to-addresses=\
    192.168.200.6

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
/ip ipsec peer
<IPSEC CFG>
/ip ipsec policy
/ip route
add check-gateway=ping comment=OPNSENSE distance=1 gateway=192.168.100.253 routing-mark=IPS
add comment="martin netwatch" distance=1 dst-address=192.168.178.0/24 gateway=ether1 pref-src=192.168.254.254
add comment="mathis netwatch" distance=1 dst-address=192.168.179.0/24 gateway=ether1 pref-src=192.168.254.254
add comment=karli distance=1 dst-address=192.168.188.0/24 gateway=ether1 pref-src=192.168.254.254
/ip route rule
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.254.0/24
set ssh address=192.168.254.0/24,10.0.0.0/24
set winbox address=5.196.206.156/32,77.244.253.93/32,192.168.254.0/24,10.0.0.0/24,77.244.253.93/32
/ip traffic-flow
set enabled=yes interfaces=vlan100,bridge
/ip traffic-flow target
add dst-address=192.168.254.248 port=4739 version=ipfix
/ip upnp
set show-dummy-rule=no
/lcd
set read-only-mode=yes time-interval=hour
/ppp aaa
set use-radius=yes
/radius
add address=192.168.254.250 service=ppp timeout=2s
/routing ospf interface
add authentication=md5 authentication-key-id=3 interface=GRE-philipp network-type=point-to-point
add interface=bridge network-type=broadcast passive=yes
/routing ospf network
add area=backbone_philipp network=192.168.254.0/24
add area=backbone_philipp network=198.18.0.0/30
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=TCube1
/system logging
set 3 action=disk
add action=disk topics=error
add disabled=yes topics=ipsec,debug
add disabled=yes topics=debug,packet
add disabled=yes topics=ipsec,event
add disabled=yes topics=dhcp,info
add disabled=yes topics=radius,info
add disabled=yes topics=interface,info
add disabled=yes topics=dhcp
add action=remote topics=info
/system ntp client
set enabled=yes primary-ntp=80.92.126.65 secondary-ntp=212.69.166.153
/system ntp server
set enabled=yes multicast=yes
/system package update
set channel=release-candidate
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool netwatch
add down-script=":log warning \"NETWATCH >>> MARTIN IPSEC DOWN ...\"\r\
    \n" host=192.168.178.1 up-script=":log warning \"NETWATCH MARTIN >>> SA WORKING\""
add down-script=":log warning \"NETWATCH >>> MATHIS IPSEC DOWN ...\"\r\
    \n" host=192.168.179.1 up-script=":log warning \"NETWATCH MATHIS >>> SA WORKING\""
add down-script=":log warning \"NETWATCH >>> KARLI IPSEC DOWN ...\"\r\
    \n" host=192.168.188.1 up-script=":log warning \"NETWATCH KARLI >>> SA WORKING\""
add down-script=":log warning \"NETWATCH >>> PHILIPP IPSEC DOWN ...\"\r\
    \n" host=192.168.11.116 up-script=":log warning \"NETWATCH PHILIPP >>> SA WORKING\""
/tool sniffer
set file-limit=100000KiB file-name=st_fast.pcap filter-interface=bridge filter-ip-address=77.244.243.0/24 filter-ip-protocol=tcp streaming-server=192.168.254.247
/user aaa
set accounting=no default-group=full use-radius=yes

Forget about vlan filtering, it is not the trouble here. You route between two VLANs, albeit on the same physical Ethernet interface, so the packets have to go through the CPU anyway, as they would if you routed between two physical Ethernets. Whether vlan-filtering is set to yes or no makes a (lot of) difference when it comes to forwarding frames belonging to the same VLAN between different Ethernet interfaces of your device but not in your case. And you have found yourself that the PBR makes the difference, without it the CPU performance is sufficient to handle the traffic volume permitted by your uplink.


Well, that indicates to me that you did use fasttrack before you decided to use PBR to insert the IPS into the path, which explains a lot. So again, have you read the link I provided in my previous post? The main trick is to identify (in advance, not at runtime) the traffic which occupies most of the bandwidth, and handle it the default way, i.e. using the default routing table, thus avoiding the need to routing-mark every single packet and thus allowing fasttrack to be used. All the other traffic has to be routing-marked and thus must not be fasttracked.

A much smaller bit of help than making it possible to fasttrack the bulk of the traffic is to let as many packets as possible be handled by as few firewall rules as possible, and to let those rules evaluate as few conditions as possible.

I can see that you use connection marks to exclude packets from routing-marking. There is nothing wrong about it, it is just an unusual approach. But if you find out that the amount of routing-marked traffic is actually higher than the amount of traffic you don’t currently routing-mark, you have to swap their roles, which means to invert the routing-marking rule and to assign a routing mark to the other default route. The issue here is that you get the default route for the default routing table from dhcp server, and the question is whether the gateway assigned sometimes changes or not. If it doesn’t, you can simply disable use of default route in your dhcp-client settings and provision the default route in routing table IPS with the gateway you normally receive from the dhcp server; if it sometimes changes, you would have to configure the dhcp-client to take the route but assign a high distance value to it and use the dhcp-client’s script property to run a script which would update the default route in the routing table IPS each time it would renew the assignment.

The rest is optimizing the order of your firewall rules. The action=fasttrack-connection rule should always be the first one in chain=forward of /ip firewall filter because it handles the most of packets. In your case, you would add connection-mark=no-mark or connection-mark=any to it, depending on whether the connection-marked connections or not connection-marked ones represent more traffic.

In mangle, you’ve made several conceptual mistakes:

  • it makes sense to connection-mark only packets with connection-state=new. Therefore, the very first mangle rules should be those setting routing-marks (or not) for connection-state=established,related packets. So in your current logic of connection-marking and routing-marking, that would be
action=accept connection-state=established,related connection-mark=any
action=routing-mark new-routing-mark=IPS connection-state=established,related

After these two rules, you would place your current connection-marking rules, and after them your existing rule translating connection-mark=no-mark to new-routing-mark=IPS without additional conditions.

  • you connection-mark packets other than the initial ones of the connection. Placing the two rules above before them fixes this automatically, as only packets with connection-state=new (plus some garbage which the filter will get rid of later) will ever reach the connection-marking rules
  • you exclude some packets which are not connection-marked from routing-marking based on some other property than presence of connection-mark. You should avoid this by evaluating that other condition in the connection-marking set of rules and assigning these connections some connection-mark as well.
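The dhcp-client suggestion above, worked through as an added example in RouterOS 6 syntax (written for this page; it is not the poster's export and not Sindy's own code). It lets the dhcp-client keep its default route at a high distance, so a static main-table default route towards the IPS keeps winning, and hooks a script to lease events that re-reads the gateway the client currently holds and keeps the default route of the routing-marked table pointing at it. Assumptions: WAN is ether1, the marked table is called DIRECT (the post reuses the name IPS for it; DIRECT is the name the poster ends up using), the script name, the distance 200 and the comment "dhcp-synced" used as a tag are all arbitrary.

```routeros
# Added example (RouterOS 6), not the thread's own config.
#
# 1. dhcp-client: keep its default route, but far down the distance ladder
#    (the static main-table default to the IPS has distance 1), and run a
#    script on lease events.
/ip dhcp-client
set [ find interface=ether1 ] add-default-route=yes default-route-distance=200 \
    script="/system script run sync-direct-default-route"

# 2. Source of /system script "sync-direct-default-route" (policy read,write).
#    Re-reads the gateway the client holds; touches only the route tagged
#    "dhcp-synced" in table DIRECT, and only when the gateway actually changed,
#    so a plain renewal with the same gateway does not flap the route.
:local gw [:tostr [/ip dhcp-client get [find interface="ether1"] gateway]]
:if ([:len $gw] > 0) do={
    :local cur [/ip route find routing-mark="DIRECT" dst-address="0.0.0.0/0" comment="dhcp-synced"]
    :if ([:len $cur] = 0) do={
        /ip route add dst-address=0.0.0.0/0 gateway=$gw routing-mark=DIRECT distance=1 comment="dhcp-synced"
        :log info ("DIRECT default route created via " . $gw)
    } else={
        :if ([:tostr [/ip route get $cur gateway]] != $gw) do={
            /ip route set $cur gateway=$gw
            :log info ("DIRECT default route moved to " . $gw)
        }
    }
}
```

Run the script once by hand after creating it (it only fires on lease events afterwards), then check with /ip dhcp-client print detail that the gateway shown there matches the route listed by /ip route print where routing-mark=DIRECT. Routing-marked traffic cannot be fasttracked, so this arrangement only pays off if the DIRECT table really is the minority of the traffic.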

Well, that indicates to me that you did use fasttrack before you’ve decided to use PBR to insert the IPS into the path, which explains a lot. So again, have you read the link I’ve provided in my previous post? The main trick is to identify (in advance, not during runtime) the traffic which occupies most bandwidth, and handle it the default way, i.e. using the default routing table, thus avoiding the need to routing-mark every single packet and thus allowing the use of fasttrack. All the other traffic has to be routing-marked and thus must not be fasttracked.

Yes I did read it, and tbh learned a few things! I got your basic idea but I ran into a problem trying to reconfigure it. I’ve changed the IPS route to be in the default (main) routing table. So the packet arrives at the 3011 and is forwarded to 192.168.100.253 in dmz100. After that the IPS NATs these IPs from 192.168.254.0/24 to 192.168.200.0/24 (otherwise routing would be asymmetric). The packet arrives at the 3011 on 192.168.200.254, which looks up its main routing table saying "ok, 0.0.0.0/0 going to 192.168.100.253"!!! So now we have created a routing loop. I think we can’t get over this without a routing mark at the 3011 for packets arriving at 192.168.200.254, can we?

Hope you can still follow me …


EDIT// Can I make this work with a route rule to overcome the loop or does this have the same performance impact as the routing mark procedure?

I believe I can follow you but I haven’t realized before that you actually need to insert the IPS into the packet path, so you actually route each packet through the 'Tik twice. So if it is the vast majority of traffic which has to be pushed through the IPS, you’ve actually almost doubled the volume of traffic the 'Tik has to handle as compared to the IPS-less state.

It should still be possible to preserve fasttracking on both paths. You would dst-nat the packets incoming through the WAN to some auxiliary to-address which the default routing table would route to the WAN-facing interface of the IPS, and let the 'Tik dst-nat these packets once more when received from the LAN-facing interface of the IPS. On the return path (LAN->WAN), the default routing table’s default gateway would be the LAN-facing interface of the IPS, and a routing rule would make an exception, sending packets with the auxiliary address as mentioned above as source, i.e. the packets received from the WAN-facing interface of the IPS, to a dedicated routing table with the WAN as default gateway. As said earlier, I believe that routing rules are compatible with fasttracking, so if it is true, this should be a way to preserve fasttracking for both paths of the “IPS-ed” packets through the 'Tik.

And you would routing-mark the traffic which does not need to be IPS-ed for the other routing table whose default gateway would be the WAN-interface.

Does that make sense to you?
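The layout described in this post, as an added example in RouterOS 6 syntax (written for this page; not the thread's configuration). It reuses the thread's addressing: vlan100 carries the IPS inside leg (192.168.100.253), vlan200 the IPS outside leg (192.168.200.253), the WAN gateway is 213.47.110.1 and the NAS is 192.168.254.6. Everything else is an assumption: the hairpin subnet 10.99.0.0/24 and the address 10.99.0.6 in it, the table name DIRECT, the connection mark name, the ports, and that the IPS itself routes 10.99.0.0/24 back to 192.168.100.254 and source-NATs LAN-originated traffic to its outside-leg address 192.168.200.253 (the poster's own arrangement from the previous post).

```routeros
# Added example, not the thread's config. RouterOS 6.

/ip route
# Main table: LAN-originated traffic enters the IPS on its inside leg.
add dst-address=0.0.0.0/0 gateway=192.168.100.253 comment="main: into the IPS"
# Hairpin subnet used by the first DNAT: enters the IPS on its outside leg,
# the IPS routes it back to 192.168.100.254 on its inside leg.
add dst-address=10.99.0.0/24 gateway=192.168.200.253 comment="hairpin: into the IPS from outside"
# DIRECT table: straight out the WAN.
add dst-address=0.0.0.0/0 gateway=213.47.110.1 routing-mark=DIRECT comment="DIRECT: WAN"

/ip route rule
# Whatever the IPS hands back on its outside leg must not be looked up in
# main again, that would push it into the IPS once more (the loop from the
# previous post). The reverse of a DNAT is applied after the routing
# decision, so replies to hairpinned connections still carry the 10.99.0.x
# source at this point and can be matched on it.
add src-address=10.99.0.0/24 action=lookup table=DIRECT comment="hairpin replies -> WAN"
add src-address=192.168.200.0/24 action=lookup table=DIRECT comment="IPS-NATed LAN traffic -> WAN"

/ip firewall nat
# Inbound, 1st DNAT: public address -> hairpin address, so the packet is
# routed into the IPS via its outside leg.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=10.99.0.6 comment="1st DNAT: public -> hairpin"
# Inbound, 2nd DNAT: once the IPS has handed the packet back on vlan100,
# hairpin address -> real server.
add chain=dstnat in-interface=vlan100 dst-address=10.99.0.6 \
    action=dst-nat to-addresses=192.168.254.6 comment="2nd DNAT: hairpin -> NAS"
# Outbound: hide the IPS outside-leg address and the bypass traffic.
add chain=srcnat out-interface=ether1 action=masquerade

/ip firewall mangle
# Bypass traffic (not IPS-ed): mark the connection on its first packet, then
# routing-mark every packet of it. The per-packet mark is what keeps these
# connections out of fasttrack.
add chain=prerouting connection-state=new in-interface=bridge protocol=udp \
    dst-port=27000-28999 dst-address-type=!local \
    action=mark-connection new-connection-mark=bypass passthrough=yes
add chain=prerouting connection-mark=bypass in-interface=bridge \
    action=mark-routing new-routing-mark=DIRECT passthrough=no

/ip firewall filter
# Both passes through the router are plain main-table / route-rule
# forwarding, so they can be fasttracked; only the routing-marked bypass
# connections are excluded.
add chain=forward connection-state=established,related connection-mark=no-mark \
    action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
# The filter sees the post-DNAT destination on each pass.
add chain=forward in-interface=ether1 out-interface=vlan200 dst-address=10.99.0.6 \
    protocol=tcp dst-port=80,443 action=accept comment="1st pass: WAN -> IPS outside leg"
add chain=forward in-interface=vlan100 out-interface=bridge dst-address=192.168.254.6 \
    protocol=tcp dst-port=80,443 action=accept comment="2nd pass: IPS inside leg -> NAS"
```

Two things to watch. Every IPS-ed connection shows up twice in /ip firewall connection print (once per pass); both entries should carry the F flag once the first reply has been seen, otherwise one of the passes is not being fasttracked. And the IPS's own outbound NAT must be limited to 192.168.254.0/24 as source: if it also rewrote the replies that leave with a 10.99.0.x source, the first-pass connection on the router would never see its reply.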

It does absolutely make sense to me.
Sindy, I’m impressed and really can’t put it into words, as I was trying to solve this for such a long time and NOW it’s working. The 3011 is able to push the bandwidth (yes, twice the bw) through. I really had no clue that could be the problem because the CPU of the 3011 wasn’t even close to 100%.

cfg for reference (and maybe you can give me a short hint if something isn’t as good as it should be)

export hide-sensitive
# may/11/2018 18:17:52 by RouterOS 6.42.1
# software id = 60DZ-71SZ
#
# model = RouterBOARD 3011UiAS
# serial number = 780E06559E5F
/interface bridge
add name=bridge protocol-mode=none pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full comment="WAN 6C:3B:6B:77:8B:6B" loop-protect=off mac-address=6C:3B:6B:77:8B:6B rx-flow-control=auto speed=1Gbps tx-flow-control=auto
set [ find default-name=ether6 ] rx-flow-control=auto speed=1Gbps tx-flow-control=auto
set [ find default-name=ether7 ] rx-flow-control=auto speed=1Gbps tx-flow-control=auto
set [ find default-name=ether8 ] comment=nuc rx-flow-control=auto speed=1Gbps tx-flow-control=auto
set [ find default-name=ether9 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether10 ] comment=uplink rx-flow-control=auto speed=1Gbps tx-flow-control=auto
/interface gre
add allow-fast-path=no !keepalive mtu=1434 name=GRE-philipp remote-address=84.113.27.145
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/ip ipsec proposal
set [ find default=yes ] auth-algorithms="" disabled=yes enc-algorithms=""
add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=1d name=philipp pfs-group=modp2048
add auth-algorithms=sha512,sha256,sha1 lifetime=1h name=fritzbox
/ip pool
add name=openvpn ranges=10.0.0.100-10.0.0.200
add name=dhcp_pool2 ranges=192.168.9.1-192.168.9.253
/ppp profile
add dns-server=192.168.254.252 local-address=10.0.0.254 name=openvpn remote-address=openvpn use-encryption=required use-mpls=no
/queue type
add bfifo-limit=1500 kind=bfifo name=gaming
add kind=pcq name=pcq-down-manual-size pcq-classifier=dst-port pcq-limit=40KiB pcq-total-limit=7000KiB
add kind=pcq name=pcq-up-manual-size pcq-classifier=src-port pcq-limit=20KiB pcq-total-limit=40KiB
set 8 pcq-classifier=src-port
set 9 pcq-classifier=dst-port
/queue interface
set sfp1 queue=ethernet-default
/routing ospf instance
add name=philipp router-id=192.168.254.254
/routing ospf area
add instance=philipp name=backbone_philipp
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 read-access=no
add addresses=192.168.254.0/24 name=homepublic_2016
/system logging action
set 3 bsd-syslog=yes remote=192.168.254.248 remote-port=5141 src-address=192.168.254.254 syslog-facility=syslog syslog-severity=info
/user group
set read policy=local,telnet,ssh,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!reboot,!write,!policy,!dude
/interface bridge port
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=10
add bridge=bridge interface=ether10 pvid=10
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether6
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set accept-source-route=yes rp-filter=loose tcp-syncookies=yes
/interface bridge vlan
add bridge=bridge tagged=ether10,bridge vlan-ids=9
add bridge=bridge tagged=ether8,ether7,bridge vlan-ids=100
add bridge=bridge tagged=ether8,ether7,bridge vlan-ids=200
/ip address
add address=198.18.0.2/30 interface=GRE-philipp network=198.18.0.0
add address=192.168.100.254/24 disabled=yes interface=ether6 network=192.168.100.0
add address=192.168.254.254/24 interface=bridge network=192.168.254.0
add address=192.168.9.254/24 disabled=yes network=192.168.9.0
add address=192.168.200.254/24 disabled=yes interface=ether7 network=192.168.200.0
add address=192.168.100.254/24 interface=vlan100 network=192.168.100.0
add address=192.168.200.254/24 interface=vlan200 network=192.168.200.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-relay
add dhcp-server=192.168.254.250 interface=ether1 local-address=192.168.9.254 name=wlan
/ip dns
set servers=192.168.254.251,192.168.254.250
/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
add address=69.162.124.226 list=UPTIMEROBOT
add address=69.162.124.227 list=UPTIMEROBOT
add address=69.162.124.228 list=UPTIMEROBOT
add address=69.162.124.229 list=UPTIMEROBOT
add address=69.162.124.230 list=UPTIMEROBOT
add address=69.162.124.231 list=UPTIMEROBOT
add address=69.162.124.232 list=UPTIMEROBOT
add address=69.162.124.233 list=UPTIMEROBOT
add address=69.162.124.234 list=UPTIMEROBOT
add address=69.162.124.235 list=UPTIMEROBOT
add address=69.162.124.236 list=UPTIMEROBOT
add address=69.162.124.237 list=UPTIMEROBOT
add address=69.162.124.238 list=UPTIMEROBOT
add address=63.143.42.242 list=UPTIMEROBOT
add address=63.143.42.243 list=UPTIMEROBOT
add address=63.143.42.244 list=UPTIMEROBOT
add address=63.143.42.245 list=UPTIMEROBOT
add address=63.143.42.246 list=UPTIMEROBOT
add address=63.143.42.247 list=UPTIMEROBOT
add address=63.143.42.248 list=UPTIMEROBOT
add address=63.143.42.249 list=UPTIMEROBOT
add address=63.143.42.250 list=UPTIMEROBOT
add address=63.143.42.251 list=UPTIMEROBOT
add address=63.143.42.252 list=UPTIMEROBOT
add address=46.137.190.132 list=UPTIMEROBOT
add address=122.248.234.23 list=UPTIMEROBOT
add address=188.226.183.141 list=UPTIMEROBOT
add address=178.62.52.237 list=UPTIMEROBOT
add address=54.79.28.129 list=UPTIMEROBOT
add address=54.94.142.218 list=UPTIMEROBOT
add address=104.131.107.63 list=UPTIMEROBOT
add address=54.67.10.127 list=UPTIMEROBOT
add address=54.64.67.106 list=UPTIMEROBOT
add address=159.203.30.41 list=UPTIMEROBOT
add address=46.101.250.135 list=UPTIMEROBOT
add address=192.168.178.0/24 list=NO-NAT-SOURCE
add address=192.168.179.0/24 list=NO-NAT-SOURCE
add address=192.168.178.0/24 list=NO-NAT-DEST
add address=192.168.179.0/24 list=NO-NAT-DEST
add address=10.0.0.0/24 list=MGMT
add address=192.168.254.0/24 list=MGMT
add address=vo0nnz6ahxoy2cfz.myfritz.net disabled=yes list="IPSEC SOURCES"
add address=toxit.dyndns.org disabled=yes list="IPSEC SOURCES"
add address=192.168.188.0/24 list=NO-NAT-DEST
add address=192.168.188.0/24 list=NO-NAT-SOURCE
/ip firewall filter
add action=accept chain=forward disabled=yes dst-port=1935 in-interface=bridge protocol=tcp
add action=fasttrack-connection chain=input comment="FASTTRACK INPUT ESTABLISHED RELATED" connection-state=established,related disabled=yes log-prefix="FASTTRACK INPUT ESTABLISHED RELATED"
add action=accept chain=input disabled=yes in-interface=ether1 protocol=icmp
add action=accept chain=input comment="PERMIT GATEWAY CHECK OPNSENSE" dst-address=192.168.200.254 in-interface=vlan200 protocol=icmp src-address=192.168.200.253
add action=accept chain=input comment="PERMIT GATEWAY CHECK OPNSENSE" dst-address=192.168.100.254 in-interface=vlan100 protocol=icmp src-address=192.168.100.253
add action=accept chain=input comment="PERMIT NTP" dst-address=192.168.100.254 dst-port=123 in-interface=vlan100 protocol=udp src-address=192.168.100.253
add action=accept chain=input disabled=yes src-address=5.196.206.156
add action=accept chain=input src-address=77.244.253.93
add action=fasttrack-connection chain=forward comment="FASTTRACK ESTABLISHED RELATED" connection-mark=no-mark connection-state=established,related log-prefix="FASTTRACK ESTABLISHED RELATED"
add action=accept chain=forward comment="PERMIT EST REL" connection-state=established,related log-prefix="PERMIT EST REL"
add action=accept chain=forward comment="PERMIT DMZ" dst-address=192.168.100.0/24 in-interface=bridge src-address=192.168.254.0/24
add action=accept chain=forward comment="PERMIT DMZ" disabled=yes dst-address=192.168.200.0/24 in-interface=bridge src-address=192.168.254.0/24
add action=accept chain=forward comment="PERMIT DMZ" dst-address=192.168.254.0/24 in-interface=vlan100 src-address=192.168.100.0/24
add action=jump chain=forward comment="JUMP AND DENY PORT SCANNERS" disabled=yes in-interface=ether1 jump-target="port scanners" log-prefix="JUMP AND DENY PORT SCANNERS"
add action=drop chain=forward comment="DROP FORWARD INVALID" connection-state=invalid log=yes log-prefix="DROP FORWARD INVALID"
add action=accept chain=forward comment="UPC Modem" disabled=yes dst-address=192.168.100.1 dst-port=80 in-interface=bridge log=yes log-prefix="PERMIT UPC MODEM" out-interface=ether1 protocol=tcp src-address=\
    192.168.254.0/24
add action=accept chain=input in-interface=ether1 protocol=icmp src-address=66.220.2.74
add action=accept chain=input in-interface=ether1 protocol=icmp src-address=216.66.80.30
add action=accept chain=input disabled=yes src-address=x.x.x.x
add action=accept chain=input comment="PERMIT INPUT ESTABLISHED RELATED" connection-state=established,related log-prefix="PERMIT INPUT RELATED"
add action=jump chain=input comment="JUMP AND DENY PORT SCANNERS" jump-target="port scanners" log-prefix="JUMP AND DENY PORT SCANNERS"
add action=drop chain=input comment="DROP INPUT INVALID" connection-state=invalid log=yes log-prefix="DROP INPUT INVALID"
add action=drop chain=input comment="DROP MALWARE DST INPUT IN" in-interface=ether1 log=yes log-prefix="DROP MALWARE DST INPUT IN" src-address-list=intrusBL
add action=accept chain=input comment="PERMIT IPSEC IN" dst-port=4500,500 log-prefix="PERMIT IPSEC IN" protocol=udp
add action=accept chain=input comment="PERMIT IPSEC IN" disabled=yes log-prefix="PERMIT IPSEC IN" protocol=ipsec-ah
add action=accept chain=input comment="PERMIT IPSEC IN" log-prefix="PERMIT IPSEC IN" protocol=ipsec-esp
add action=accept chain=input comment="PERMIT PROTO41" connection-state="" log-prefix="PERMIT IPV6 ALIVE ICMP" protocol=ipv6 src-address=216.66.80.30
add action=accept chain=forward comment="PERMIT FORWARD 8443,444,49161" dst-address=192.168.200.6 dst-port=8443,444,49161 in-interface=ether1 log=yes log-prefix="PERMIT FORWARD 8443,444,49161" out-interface=\
    vlan200 protocol=tcp
add action=accept chain=forward comment="PERMIT FORWARD 80" dst-address=192.168.200.6 dst-port=80 in-interface=ether1 log=yes log-prefix="PERMIT FORWARD 80" out-interface=vlan200 protocol=tcp
add action=accept chain=forward comment="PERMIT FORWARD 8443,80,444" dst-address=192.168.254.6 dst-port=8443,444,49161 in-interface=vlan100 log=yes log-prefix="PERMIT FORWARD 8443,444,49161" out-interface=\
    bridge protocol=tcp
add action=accept chain=forward comment="PERMIT FORWARD 80" dst-address=192.168.254.6 dst-port=80 in-interface=vlan100 log=yes log-prefix="PERMIT FORWARD 80" out-interface=bridge protocol=tcp
add action=drop chain=forward comment="DROP MALWARE DST FORWARD OUT" dst-address-list=intrusBL in-interface=bridge log=yes log-prefix="DROP MALWARE DST FORWARD OUT"
add action=drop chain=forward comment="DROP MALWARE DST FORWARD IN" in-interface=ether1 log=yes log-prefix="DROP MALWARE DST FORWARD IN" src-address-list=intrusBL
add action=jump chain=forward comment=VPN jump-target=vpn log-prefix=VPN
add action=jump chain=forward comment="JUMP AND DENY VIRUS PORTS" dst-address=!192.168.0.0/16 in-interface=bridge jump-target=virus log-prefix="JUMP AND DENY VIRUS PORTS"
add action=accept chain=vpn comment="PERMIT MATHIS IPSEC IN" dst-address=192.168.254.0/24 in-interface=ether1 log-prefix="PERMIT MATHIS IPSEC IN" src-address=192.168.179.0/24
add action=accept chain=vpn comment="PERMIT MATHIS IPSEC OUT" dst-address=192.168.179.0/24 in-interface=bridge log-prefix="PERMIT MATHIS IPSEC OUT" src-address=192.168.254.0/24
add action=accept chain=vpn comment="PERMIT PHILIPP IPSEC IN" dst-address=192.168.254.0/24 in-interface=GRE-philipp log-prefix="PERMIT PHILIPP IPSEC IN" src-address=192.168.11.0/24
add action=accept chain=vpn comment="PERMIT PHILIPP IPSEC OUT" dst-address=192.168.11.0/24 in-interface=bridge log-prefix="PERMIT PHILIPP IPSEC OUT" src-address=192.168.254.0/24
add action=accept chain=input comment="PERMIT INPUT OSPF" in-interface=GRE-philipp protocol=ospf
add action=accept chain=forward comment="PERMIT FORWARD OVPN" dst-address=192.168.254.0/24 in-interface=all-ppp log-prefix="PERMIT FORWARD OVPN" out-interface=bridge src-address=10.0.0.0/24
add action=accept chain=forward comment="PERMIT FORWARD OVPN" in-interface=all-ppp log-prefix="PERMIT FORWARD OVPN" out-interface=ether1 src-address=10.0.0.0/24
add action=accept chain=input comment="PERMIT INPUT OPENVPN" dst-port=443 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="PORT SCANNERS TO DENY LIST" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="NMAP FIN Stealth scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="SYN/FIN scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="SYN/RST scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="FIN/PSH/URG scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="ALL/ALL scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="port scanners" comment="NMAP NULL scan" log=yes log-prefix="DROP PORT SCANNERS" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 log=yes protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 log=yes protocol=udp
add action=drop chain=virus comment=________ dst-port=593 log=yes protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 log=yes protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 log=yes protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 log=yes protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 log=yes protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 log=yes protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 log=yes protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 log=yes protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 log=yes protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 log=yes protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 log=yes protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 log=yes protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 log=yes protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 log=yes protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 log=yes protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 log=yes protocol=tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 log=yes protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 log=yes protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 log=yes protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=65506 log=yes protocol=tcp
add action=accept chain=input comment="PERMIT MGMT" log-prefix="PERMIT MGMT" src-address-list=MGMT
add action=accept chain=input comment="PERMIT MATHIS NTP" dst-address=192.168.254.254 dst-port=123 log-prefix="PERMIT MATHIS NTP" protocol=udp src-address=192.168.179.252
add action=accept chain=input comment="PERMIT KARLI NTP" dst-address=192.168.254.254 dst-port=123 log-prefix="PERMIT KARLI NTP" protocol=udp src-address=192.168.188.1
add action=fasttrack-connection chain=output comment="FASTTRACK ESTABLISHED RELATED" connection-state=established,related disabled=yes log-prefix="FASTTRACK ESTABLISHED RELATED"
add action=accept chain=output
add action=accept chain=vpn comment="PERMIT MARTIN IPSEC OUT" dst-address=192.168.178.0/24 in-interface=bridge log-prefix="PERMIT MARTIN IPSEC OUT" src-address=192.168.254.0/24
add action=accept chain=vpn comment="PERMIT MARTIN IPSEC IN" dst-address=192.168.254.0/24 in-interface=ether1 log=yes log-prefix="PERMIT MARTIN IPSEC IN" src-address=192.168.178.0/24
add action=accept chain=vpn comment="PERMIT KARLI IPSEC IN" dst-address=192.168.254.0/24 in-interface=ether1 log=yes log-prefix="PERMIT KARLI IPSEC IN" src-address=192.168.188.0/24
add action=accept chain=vpn comment="PERMIT KARLI IPSEC OUT" dst-address=192.168.188.0/24 in-interface=bridge log-prefix="PERMIT KARLI IPSEC OUT" src-address=192.168.254.0/24
add action=drop chain=forward comment="DROP BOGUS" dst-address-list=BOGONS log=yes log-prefix="DROP BOGUS" out-interface=ether1
add action=accept chain=forward comment="PERMIT REST FROM INSIDE" in-interface=bridge log=yes log-prefix="PERMIT REST" src-address=192.168.254.0/24
add action=accept chain=forward comment="PERMIT REST FROM INSIDE" in-interface=vlan200 log=yes log-prefix="PERMIT REST DMZ" src-address=192.168.200.0/24
add action=accept chain=forward comment="PERMIT REST FROM INSIDE" in-interface=bridge log-prefix="PERMIT REST" src-address=192.168.9.0/24
add action=drop chain=input comment="DROP INPUT ALL" log=yes log-prefix="DROP INPUT ALL"
add action=drop chain="port scanners" comment="DROP PORT SCANNERS" log=yes log-prefix="DROP PORT SCANNERS" src-address-list="port scanners"
add action=drop chain=forward comment="DROP FORWARD ALL" log=yes log-prefix="DROP FORWARD ALL"
/ip firewall mangle
add action=accept chain=prerouting connection-state=established,related
add action=mark-routing chain=prerouting connection-mark=!no-mark connection-state=established,related new-routing-mark=DIRECT passthrough=no
add action=mark-connection chain=prerouting comment=steam connection-state=new dst-address-list=!BOGONS dst-address-type=!local dst-port=27000-28999 in-interface=bridge log-prefix=STEAM new-connection-mark=\
    steam passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=PUBG connection-state=new dst-address-list=!BOGONS dst-address-type=!local dst-port=7000-7999 in-interface=bridge log-prefix=STEAM new-connection-mark=steam \
    passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=steam connection-state=new dst-address-list=!BOGONS dst-address-type=!local dst-port=27000-28999 in-interface=bridge log-prefix=STEAM new-connection-mark=\
    steam passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=quake connection-state=new dst-address-list=!BOGONS dst-address-type=!local dst-port=48800-49000 in-interface=bridge new-connection-mark=qc passthrough=yes \
    protocol=udp
add action=mark-connection chain=prerouting comment=bf connection-state=new dst-address-list=!BOGONS dst-address-type=!local dst-port=5222,9988,17502,22990,42127 in-interface=bridge new-connection-mark=bf \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=bf connection-state=new dst-address-list=!BOGONS dst-address-type=!local dst-port=3659,14000-14016,22990-23006,25200-25300,10000-10010 in-interface=bridge \
    new-connection-mark=bf passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=twitch connection-state=new dst-address-list=!BOGONS dst-address-type=!local dst-port=1935 in-interface=bridge new-connection-mark=twitch passthrough=yes \
    protocol=tcp
add action=jump chain=prerouting jump-target=IPS_MARK
add action=return chain=IPS_MARK connection-mark=no-mark disabled=yes dst-address=192.168.179.0/24
add action=return chain=IPS_MARK connection-mark=no-mark disabled=yes dst-address=192.168.11.0/24
add action=mark-routing chain=IPS_MARK connection-mark=bf dst-address-list=!BOGONS in-interface=bridge log-prefix=DIRECT new-routing-mark=DIRECT passthrough=no
add action=mark-routing chain=IPS_MARK connection-mark=qc dst-address-list=!BOGONS in-interface=bridge log-prefix=DIRECT new-routing-mark=DIRECT passthrough=no
add action=mark-routing chain=IPS_MARK connection-mark=icmp dst-address-list=!BOGONS in-interface=bridge log-prefix=DIRECT new-routing-mark=DIRECT passthrough=no
add action=mark-routing chain=IPS_MARK connection-mark=twitch dst-address-list=!BOGONS in-interface=bridge log-prefix=DIRECT new-routing-mark=DIRECT passthrough=no
add action=mark-routing chain=IPS_MARK connection-mark=steam dst-address-list=!BOGONS in-interface=bridge log-prefix=DIRECT new-routing-mark=DIRECT passthrough=no
/ip firewall nat
add action=accept chain=srcnat comment="nonat vpn" dst-address=192.168.178.0/24 out-interface=ether1 src-address=192.168.254.0/24
add action=accept chain=srcnat comment="nonat vpn" dst-address=192.168.179.0/24 out-interface=ether1 src-address=192.168.254.0/24
add action=accept chain=srcnat comment="nonat vpn" dst-address=192.168.188.0/24 out-interface=ether1 src-address=192.168.254.0/24
add action=masquerade chain=srcnat comment="masq 4 int" log-prefix=MASQUERADE out-interface=ether1 src-address=192.168.254.0/24
add action=masquerade chain=srcnat comment="masq 4 dmz" log-prefix=MASQUERADE out-interface=ether1 src-address=192.168.200.0/24 to-addresses=213.47.110.102
add action=masquerade chain=srcnat comment="masq 4 dmz" log-prefix=MASQUERADE out-interface=ether1 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="masq 4 client vpn" log-prefix=MASQUERADE out-interface=ether1 src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment="nas mgmt" dst-address-list=!NO-NAT-DEST dst-port=8443 in-interface=ether1 log-prefix="STATIC NAT NAS" protocol=tcp src-address-list=!NO-NAT-SOURCE to-addresses=\
    192.168.200.6 to-ports=8443
add action=dst-nat chain=dstnat comment="nas http srv" dst-address-list=!NO-NAT-DEST dst-port=444 in-interface=ether1 log-prefix="DNAT NAS" protocol=tcp src-address-list=!NO-NAT-SOURCE to-addresses=\
    192.168.200.6
add action=dst-nat chain=dstnat comment="nas http srv, torrent" dst-address-list=!NO-NAT-DEST dst-port=49161 in-interface=ether1 log-prefix="DNAT NAS" protocol=tcp src-address-list=!NO-NAT-SOURCE to-addresses=\
    192.168.200.6
add action=dst-nat chain=dstnat comment="DNAT NEXTCLOUD" dst-address-list=!NO-NAT-DEST dst-port=80 in-interface=ether1 log-prefix="DNAT NEXTCLOUD" protocol=tcp src-address-list=!NO-NAT-SOURCE to-addresses=\
    192.168.200.6
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=91.13.47.76/32 comment=martin dh-group=modp1024 disabled=yes dpd-interval=1m enc-algorithm=aes-256,camellia-256,aes-192,camellia-192,aes-128,camellia-128 exchange-mode=aggressive lifetime=1h \
    local-address=84.112.242.236 my-id=fqdn:prdtn.ignorelist.com nat-traversal=no proposal-check=strict
# Unsafe configuration, suggestion to use certificates
add address=84.113.27.145/32 comment=philipp dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=aggressive hash-algorithm=sha256 nat-traversal=no proposal-check=strict
# Unsafe configuration, suggestion to use certificates
add address=95.91.14.19/32 comment=mathis dh-group=modp1024 dpd-interval=1m enc-algorithm=aes-256,camellia-256,aes-192,camellia-192,aes-128,camellia-128 exchange-mode=aggressive lifetime=1h local-address=\
    213.47.110.102 my-id=fqdn:prdtn.ignorelist.com nat-traversal=no proposal-check=strict
# Unsafe configuration, suggestion to use certificates
add address=188.23.160.179/32 comment=karli dh-group=modp1024 disabled=yes dpd-interval=1m enc-algorithm=aes-256,camellia-256,aes-192,camellia-192,aes-128,camellia-128 exchange-mode=aggressive lifetime=1h \
    local-address=84.112.242.236 my-id=fqdn:prdtn.ignorelist.com nat-traversal=no proposal-check=strict
/ip ipsec policy
set 0 disabled=yes
add comment=martin disabled=yes dst-address=192.168.178.0/24 level=unique proposal=fritzbox sa-dst-address=91.13.47.76 sa-src-address=84.112.242.236 src-address=192.168.254.0/24 tunnel=yes
add comment=karli disabled=yes dst-address=192.168.188.0/24 level=unique proposal=fritzbox sa-dst-address=188.23.160.179 sa-src-address=84.112.242.236 src-address=192.168.254.0/24 tunnel=yes
add comment=philipp dst-address=84.113.27.145/32 level=unique proposal=philipp src-address=213.47.110.102/32
add comment=mathis dst-address=192.168.179.0/24 level=unique proposal=fritzbox sa-dst-address=95.91.14.19 sa-src-address=213.47.110.102 src-address=192.168.254.0/24 tunnel=yes
/ip route
add distance=1 gateway=213.47.110.1 routing-mark=DIRECT
add comment=OPNSENSE distance=1 gateway=192.168.100.253
add check-gateway=ping comment=OPNSENSE disabled=yes distance=1 gateway=192.168.100.252
add comment="martin netwatch" distance=1 dst-address=192.168.178.0/24 gateway=ether1 pref-src=192.168.254.254
add comment="mathis netwatch" distance=1 dst-address=192.168.179.0/24 gateway=ether1 pref-src=192.168.254.254
add comment=karli distance=1 dst-address=192.168.188.0/24 gateway=ether1 pref-src=192.168.254.254
/ip route rule
add src-address=192.168.200.0/24 table=DIRECT
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.254.0/24
set ssh address=192.168.254.0/24,10.0.0.0/24
set winbox address=5.196.206.156/32,77.244.253.93/32,192.168.254.0/24,10.0.0.0/24,77.244.253.93/32
/ip traffic-flow
set enabled=yes interfaces=vlan100,bridge
/ip traffic-flow target
add dst-address=192.168.254.248 port=4739 version=ipfix
add disabled=yes dst-address=192.168.254.248 src-address=192.168.254.254
/ip upnp
set show-dummy-rule=no
/lcd
set read-only-mode=yes time-interval=hour
/ppp aaa
set use-radius=yes
/ppp secret
add disabled=yes name=strn profile=openvpn routes=192.168.254.0/24 service=ovpn
/radius
add address=192.168.254.250 service=ppp timeout=2s
/routing ospf interface
add authentication=md5 authentication-key-id=3 interface=GRE-philipp network-type=point-to-point
add interface=bridge network-type=broadcast passive=yes
/routing ospf network
add area=backbone_philipp network=192.168.254.0/24
add area=backbone_philipp network=198.18.0.0/30
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=TCube1
/system logging
set 3 action=disk
add action=disk topics=error
add disabled=yes topics=ipsec,debug
add disabled=yes topics=debug,packet
add disabled=yes topics=ipsec,event
add disabled=yes topics=dhcp,info
add disabled=yes topics=radius,info
add disabled=yes topics=interface,info
add disabled=yes topics=dhcp
add action=remote topics=info
/system ntp client
set enabled=yes primary-ntp=80.92.126.65 secondary-ntp=212.69.166.153
/system ntp server
set enabled=yes multicast=yes
/system package update
set channel=release-candidate
/system routerboard settings
set silent-boot=no
/system scheduler
add interval=1h name=prdtn.ignorelist.com on-event=FreeDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/23/2017 start-time=17:32:44
add interval=1h name=OpenDNS on-event=OpenDNS policy=ftp,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/23/2017 start-time=17:32:44
add interval=10m name=updateIPSec on-event=updateIPSecPeer policy=read,write,policy,test,password,sensitive start-time=startup
add interval=1d name=UpdateBlacklist_periodic on-event="/system script run blacklistUpdate" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/01/2017 start-time=04:00:00
add name=blacklistUpdateOnBoot on-event=":delay 30\r\
    \n/system script run blacklistUpdate\r\
    \n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=10m name=hurricane on-event=hurricane policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/31/2017 start-time=12:19:19
/system script
add name=FreeDNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="tool fetch url=\"https://sync.afraid.org/u/CWGBBUmC3c6dfZgrefhocwWN/\"\r\
    \n"
add name=OpenDNS owner=admin policy=read,write,policy,test source="#--------------- Change Values in this section to match your setup ------------------\r\
    \n\r\
    \n:delay 15\r\
    \n\r\
    \n\r\
    \n# User account info of OpenDNS\r\
    \n\r\
    \n# Update-only password (obtained from OpenDNS Support). With two-factor authentication enabled, the use of an update only password is required. \r\
    \n\r\
    \n:local odnsuser \"strrrn@gmail.com\"\r\
    \n:local odnspass \"Service.1\"\r\
    \n\r\
    \n# Set the hostname or label of network to be updated. This is the name of your OpenDNS network on the Dashboard. \r\
    \n# Hostnames with spaces are unsupported. Replace the value in the quotations below with your host name.\r\
    \n# Only one host is supported\r\
    \n# Use \"all.dnsomatic.com\" for the matichost to update all items in dnsomatic with this IP.\r\
    \n\r\
    \n# Note, you must have admin or edit (Read/Write/Grant in the OpenDNS Dashboard) to update IP addresses. \r\
    \n\r\
    \n:local odnshost \"Home\"\r\
    \n\r\
    \n# Change to the name of interface that gets the changing IP address\r\
    \n# May not be needed for your model number - commenting out this line may still work for single interface devices or if this is not supplied in the DNS-O-Matic script currently being used\r\
    \n\r\
    \n:local inetinterface \"ether1\"\r\
    \n\r\
    \n#------------------------------------------------------------------------------------\r\
    \n# No more changes needed, one optional change\r\
    \n\r\
    \n:global previousIP\r\
    \n:log info \"Fetching current IP\"\r\
    \n\r\
    \n# Get the current public IP using DNS-O-Matic service.\r\
    \n\r\
    \n/tool fetch url=\"https://myip.dnsomatic.com/\" mode=https dst-path=mypublicip.txt\r\
    \n:delay 3;\r\
    \n# Read the current public IP into the currentIP variable.\r\
    \n:local currentIP [/file get mypublicip.txt contents]\r\
    \n\r\
    \n:log info \"Fetched current IP as \$currentIP\"\r\
    \n\r\
    \n# --------- Optional check to only run if the IP has changed (one line: :if)\r\
    \n# to disable, set line below to: \":if (\$currentIP != 1) do={\"\r\
    \n\r\
    \n:if (\$currentIP != \$previousIP) do={\r\
    \n:log info \"OpenDNS: Update needed\"\r\
    \n:set previousIP \$currentIP\r\
    \n# \\3F\r\
    \n\r\
    \n:local url \"https://updates.opendns.com/nic/update/\"\r\
    \n:log info \"OpenDNS: Sending update for \$odnshost\"\r\
    \n/tool fetch mode=https url=(\$url) user=\$odnsuser password=\$odnspass  dst-path=(\"/net_odns.txt\")\r\
    \n:delay 2;\r\
    \n\r\
    \n:local odnsReply [/file get net_odns.txt contents];\r\
    \n\r\
    \n:log info \"OpenDNS update complete.\"\r\
    \n\r\
    \n:log info \"OpenDNS reply was \$odnsReply\";\r\
    \n\r\
    \n} else={\r\
    \n\r\
    \n:log info \"OpenDNS: Previous IP \$previousIP and current IP not different\"\r\
    \n}"
add name=updateIPSecPeer owner=admin policy=read,write,policy,test,password,sensitive source="##############   CREATED BY ANDRE REINHOLD   ##################\r\
    \n\r\
    \n:global currentpeeripmartin [:resolve toxit.dyndns.org];\r\
    \n:global currentpeeripmathis [:resolve flynet.privatedns.org];\r\
    \n:global currentpeeripkarli [:resolve karli.dynu.net];\r\
    \n\r\
    \n:global previouspeeripmartin;\r\
    \n:global previouspeeripmathis;\r\
    \n:global previouspeeripkarli;\r\
    \n\r\
    \n:global \"current-ip\" [file get mypublicip.txt contents ];\r\
    \n\r\
    \n# Host to be checked \r\
    \n# :local hostmartin \"192.168.178.1\";\r\
    \n:local hostmathis \"192.168.179.1\";\r\
    \n# :local hostkarli \"192.168.188.1\";\r\
    \n\r\
    \n:local i 0;\r\
    \n:local j 0;\r\
    \n:local k 0;\r\
    \n\r\
    \n:local martin 0;\r\
    \n:local mathis 0;\r\
    \n:local karli 0;\r\
    \n\r\
    \n# :if (\$currentpeeripmartin != \$previouspeeripmartin) do={\r\
    \n# :log info \"Update required Martins Peer IP is: \$currentpeeripmartin\";\r\
    \n# :set previouspeeripmartin \$\"currentpeeripmartin\";\r\
    \n# [/ip ipsec policy set [find comment=\"martin\"] sa-src-address=\$\"current-ip\" sa-dst-address=\$currentpeeripmartin];\r\
    \n# [/ip ipsec peer set [find comment=\"martin\"] address=\$currentpeeripmartin];\r\
    \n# :log info \"martin done ...\"\r\
    \n# } else={ :log info \"martins ip didnt change\"\r\
    \n# }\r\
    \n\r\
    \n:if (\$currentpeeripmathis != \$previouspeeripmathis) do={\r\
    \n:log info \"Update required Mathis Peer IP is: \$currentpeeripmathis\";\r\
    \n:set previouspeeripmathis \$\"currentpeeripmathis\";\r\
    \n[/ip ipsec policy set [find comment=\"mathis\"] sa-src-address=\$\"current-ip\" sa-dst-address=\$currentpeeripmathis];\r\
    \n[/ip ipsec peer set [find comment=\"mathis\"] address=\$currentpeeripmathis];\r\
    \n:log info \"mathis done ...\"\r\
    \n} else={ :log info \"mathis ip didnt change\"\r\
    \n}\r\
    \n\r\
    \n# :if (\$currentpeeripkarli != \$previouspeeripkarli) do={\r\
    \n# :log info \"Update required Karlis Peer IP is: \$currentpeeripkarli\";\r\
    \n# :set previouspeeripkarli \$\"currentpeeripkarli\";\r\
    \n# [/ip ipsec policy set [find comment=\"karli\"] sa-src-address=\$\"current-ip\" sa-dst-address=\$currentpeeripkarli];\r\
    \n# [/ip ipsec peer set [find comment=\"karli\"] address=\$currentpeeripkarli];\r\
    \n# :log info \"karli done ...\"\r\
    \n# } else={ :log info \"karlis ip didnt change\"\r\
    \n# }\r\
    \n \r\
    \n# PING each host 3 times\r\
    \n# :for i from=1 to=3 do={\r\
    \n# \tif ([/ping \$hostmartin count=1]=0) do={:set martin (\$martin + 1)}\r\
    \n# \t:delay 1;\r\
    \n# };\r\
    \n\r\
    \n:for j from=1 to=3 do={\r\
    \n\tif ([/ping \$hostmathis count=1]=0) do={:set mathis (\$mathis + 1)}\r\
    \n\t:delay 1;\r\
    \n};\r\
    \n\r\
    \n# :for j from=1 to=3 do={\r\
    \n# \tif ([/ping \$hostkarli count=1]=0) do={:set karli (\$karli + 1)}\r\
    \n# \t:delay 1;\r\
    \n# };\r\
    \n\r\
    \n# IPSEC CHECK \r\
    \n# :if (\$martin=3) do={\r\
    \n# \t:log error \"MARTIN IPSEC DOWN - RESETING ...\";\r\
    \n# \t# reseting ipsec peer ... \r\
    \n# \t/ip ipsec peer disable [find comment=\"martin\"]\r\
    \n# \t:delay 2\r\
    \n# \t/ip ipsec peer enable [find comment=\"martin\"]\r\
    \n# \t}\r\
    \n\r\
    \n# IPSEC CHECK \r\
    \n:if (\$mathis=3) do={\r\
    \n\t:log error \"MATHIS IPSEC DOWN - RESETING ...\";\r\
    \n\t# reseting ipsec peer ... \r\
    \n\t/ip ipsec peer disable [find comment=\"mathis\"]\r\
    \n\t:delay 2\r\
    \n\t/ip ipsec peer enable [find comment=\"mathis\"] \r\
    \n\t}\r\
    \n\t\r\
    \n# IPSEC CHECK \r\
    \n# :if (\$karli=3) do={\r\
    \n# \t:log error \"KARLI IPSEC DOWN - RESETING ...\";\r\
    \n# \t# reseting ipsec peer ... \r\
    \n# \t/ip ipsec peer disable [find comment=\"karli\"]\r\
    \n# \t:delay 2\r\
    \n# \t/ip ipsec peer enable [find comment=\"karli\"] \r\
    \n# \t}"
add name=hurricane owner=admin policy=read,write,policy,test,sensitive source=":global previousIP;\r\
    \n\r\
    \n:local currentIP [/file get mypublicip.txt contents]\r\
    \n\r\
    \n:if (\$currentIP != \$previousIP) do={\r\
    \n\t:log warn \"WAN IP CHANGED - UPDATING IPV6 TUNNEL SOURCE\"\r\
    \n\t:set \$previousIP \$\"currentIP\"\r\
    \n\t /interface 6to4 set [find comment=\"Hurricane Electric IPv6 Tunnel Broker\"] local-address=\$\"currentIP\"\r\
    \n/tool fetch url=\"https://strnnn:z2ELPOrDlI17LDpB@ipv4.tunnelbroker.net/nic/update\?hostname=372628\"\r\
    \n}"
add name=blacklistUpdate.conf owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Intrus Technologies blacklist sytem installer/updater\r\
    \n# \A92017 David Joyce, Intrus Technologies\r\
    \n\r\
    \n##  This Script Must Remain Named \"blacklistUpdate.conf\"\r\
    \n\r\
    \n# Global settings for the Intrus Blacklist Update script\r\
    \n# Settings in here will be kept when the script is auto-updated\r\
    \n# This allows the process to be automated without needed to make changes\r\
    \n\r\
    \n# Update your path if needed. Use the default, or add a disk path to it.\r\
    \n# Path must NOT start with \"/\".  Examples: \"disk1/blTemp.rsc\" or \"blTemp.rsc\"\r\
    \n\r\
    \n:global blDataPath;\r\
    \n:set blDataPath \"blTemp.rsc\";\r\
    \n\r\
    \n# Select your list size\r\
    \n# \"3\" - 3 to 5 Megabyte download - 200k+ entries - intended for protecting internet servers\r\
    \n# \"2\" - 500 to 800 Kilobytes download - 40k+ entries - intended for corporate networks\r\
    \n# \"1\" - 20 to 100 Kilobyte download - 2k+ entries - intended for networks with no open ports\r\
    \n\r\
    \n:global blListSize;\r\
    \n:set blListSize \"2\";\r\
    \n\r\
    \n# DNS host and port for list and script lookups\r\
    \n# You should not have to change this\r\
    \n\r\
    \n:global blDnsPort;\r\
    \n:global blDnsHost;\r\
    \n:set blDnsPort 6502;\r\
    \n:set blDnsHost \"mikrotikfilters.com\";\r\
    \n\r\
    \n# Auto-Update for the script (yes/no)\r\
    \n:global blScriptUpdate \"yes\";\r\
    \n\r\
    \n# Enabling debugging to get verbose output\r\
    \n:global blDebug \"0\";"
add name=blacklistScriptUpdater owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":execute { /system script run blacklistUpdate.conf };\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:global blScriptVersion;\r\
    \n:global blDnsHost;\r\
    \n:global blDnsPort;\r\
    \n:global log do={:put \$t; :log warning \$t}\r\
    \n\r\
    \n:local currentScriptVersion [ :resolve server=\$blDnsHost server-port=\$blDnsPort domain-name=127.0.0.2 ]\r\
    \n\r\
    \nif ([:len [\$blScriptVersion]] = 0) do={\r\
    \n    \$log t=\"Please run the blacklistUpdate script at least once before running the auto-update script\";\r\
    \n    :error \"\";\r\
    \n}\r\
    \n\r\
    \nif (\$blScriptVersion != \$currentScriptVersion) do={\r\
    \n    \$log t=\"A newer script is available on the server. Begining update.\";\r\
    \n    :put \"Installed Version: \$blScriptVersion\";\r\
    \n    :put \"Server Version: \$currentScriptVersion\";\r\
    \n    :local sourceServer \"https://mikrotikfilters.com/\";\r\
    \n    :local sourceServerPort \"6501\";\r\
    \n    :local scriptName \"blInstaller.rsc\";\r\
    \n    \$log t=\"Downloading update script...\";\r\
    \n    :do {\r\
    \n        /tool fetch url=\"\$sourceServer\$scriptName\" mode=https port=\$sourceServerPort dst-path=\"/\$scriptName\";\r\
    \n    } on-error={\r\
    \n        \$log t=\"Error. Download failed\";\r\
    \n    }\r\
    \n    \$log t=\"Importing update script...\";\r\
    \n    :do {\r\
    \n        /import \"\$scriptName\";\r\
    \n    } on-error={\r\
    \n        :put \"import failed. unknown error.\";\r\
    \n    }\r\
    \n    \$log t=\"Removing update script...\";\r\
    \n    :do {\r\
    \n        /file remove \"\$scriptName\";\r\
    \n    } on-error={}\r\
    \n    :execute { /system script run blacklistUpdate };\r\
    \n    :do { /system script environment remove log } on-error={}\r\
    \n    :error \"Update Complete.\";\r\
    \n}\r\
    \n\r\
    \n\$log t=\"Script is current. Nothing to do.\";\r\
    \n:do { /system script environment remove log } on-error={}"
add name=blacklistUpdate owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Import Intrus Managed Filter Lists\r\
    \n# \A9 2017 David Joyce, Intrus Technologies\r\
    \n\r\
    \n##\r\
    \n##  This Script Must Be Named \"blacklistUpdate\"\r\
    \n##\r\
    \n\r\
    \n# config moved to \"blacklistUpdate.conf\" script\r\
    \n# do not edit this script\r\
    \n\r\
    \n# Function to encode non-url-safe characters\r\
    \n:global urlEncode do={ :local temp;\r\
    \n    :for i from=0 to=([:len \$t] - 1) do={ :local char [:pick \$t \$i];\r\
    \n        :if (\$char = \" \") do={ :set \$char \"%20\"; }\r\
    \n        :if (\$char = \"-\") do={ :set \$char \"%2D\"; }\r\
    \n        :if (\$char = \"/\") do={ :set \$char \"%2D\"; }\r\
    \n        :if (\$char = \"&\") do={ :set \$char \"%26\"; }\r\
    \n        :if (\$char = \"=\") do={ :set \$char \"%3D\"; }\r\
    \n        :set temp (\$temp . \$char); }\r\
    \n    :return \$temp; }\r\
    \n\r\
    \n# import config - delay for slow routers\r\
    \n:execute { /system script run blacklistUpdate.conf };\r\
    \n:delay 500ms;\r\
    \n\r\
    \n# read globals from the config\r\
    \n:global log do={:put \$t; :log warning \$t}\r\
    \n:global blDnsHost;\r\
    \n:global blDnsPort;\r\
    \n:global blSerial;\r\
    \n:global blDataPath;\r\
    \n:global blListSize;\r\
    \n:global blCount;\r\
    \n:global blDebug;\r\
    \n:local\tblListName \"intrusBL\";\r\
    \n:global\tblScriptVersion\t\"2.0.5\";\r\
    \n:local\tcc\t\$blCount;\r\
    \n:local\tbn\t[ \$urlEncode t=[/system resource get board-name ]];\r\
    \n:local\trv\t[ \$urlEncode t=[/system resource get version ]];\r\
    \n:local\ttm\t[ /system resource get total-memory ];\r\
    \n:local\tcl\t[ /system logging get number=0 value-name=topics ]\r\
    \n:local bs [ :resolve server=\$blDnsHost server-port=\$blDnsPort domain-name=127.0.0.3 ]\r\
    \n\r\
    \n# Check current list, do not update is it's the same.\r\
    \n\$log t=\"Checking server for current blacklist serial number.\";\r\
    \nif (\$blSerial = \$bs) do={\r\
    \n\t\$log t=\"Blacklist is already up to date. Nothing to do.\";\r\
    \n\t:do { /system script environment remove log } on-error={}\r\
    \n             :do { /system script environment remove urlEncode } on-error={}\r\
    \n\t:error \t\"\";\r\
    \n} else={\r\
    \n\t\$log t=\"New blacklist update found. Begining update.\"\r\
    \n}\r\
    \n\r\
    \n# System ID - Different for CHR/x86/RB\r\
    \n:local si [ \$urlEncode t=[ /system license get software-id ]]\r\
    \n:if ([:len \$si] < 4) do={ :set si [ \$urlEncode t=[ /system license get system-id ]] }\r\
    \n\r\
    \n:local\tSVR\t\"https://mikrotikfilters.com/dlBL.php\";\r\
    \n:local     PORT    \"6501\";\r\
    \n:local\tURL\t\"\?request=\$blListSize&rbModel=\$bn&osVersion=\$rv&totalMemory=\$tm&scriptVersion=\$blScriptVersion&softwareID=\$si\";\r\
    \n\r\
    \n# Extra Console Output\r\
    \n:if (\$blDebug = 1) do={\r\
    \n\t:put\t\"System ID: \$si\";\r\
    \n\t:put\t\"Board Name: \$bn\";\r\
    \n\t:put\t\"RouterOS Version: \$rv\";\r\
    \n\t:put\t\"Total Memory: \$tm\";\r\
    \n\t:put\t\"Script Version: \$blScriptVersion\";\r\
    \n\t:log \twarning\t\"System ID: \$si\";\r\
    \n\t:log \twarning\t\"Board Name: \$bn\";\r\
    \n\t:log \twarning\t\"RouterOS Version: \$rv\";\r\
    \n\t:log \twarning\t\"Total Memory: \$tm\";\r\
    \n\t:log \twarning\t\"Script Version: \$blScriptVersion\";\r\
    \n}\r\
    \n# Disable the log (We don't need 7k ~ 120k lines of adds and removes in the log\r\
    \n:if (\$blDebug = 1) do={\$log t=\"Disabling firewall info logging...\";}\r\
    \n/system logging set numbers=0 topics=\"info,!firewall\"\r\
    \n\r\
    \n# Begin download of current blacklist\r\
    \n:if (\$blDebug = 1) do={\$log t=\"Beginning download..\"}\r\
    \n/tool fetch mode=https port=\$PORT dst-path=\"\$blDataPath\" url=\"\$SVR\$URL\";\r\
    \n\r\
    \n# Check to see if the download was completed. Import list if download was complete.\r\
    \n# Delay is needed to give slow routers time to write to disk.\r\
    \n:delay\t1;\r\
    \n:local\tdlsz \t[:tonum [/file get [ find where name=\$blDataPath] value-name=size]];\r\
    \n\r\
    \n:if (\$dlsz < 400) do={\r\
    \n\t:put\t\"Download failed. Received \$dlsz bytes.\";\r\
    \n\t:log\terror\t\"Download failed. Received \$dlsz bytes.\";\r\
    \n}\r\
    \n\r\
    \n# Import the downloaded blacklist\r\
    \n:if (\$blDebug = 1) do={\$log t=\"Updating Blacklist Entries. This will take some time.\";}\r\
    \n/import file-name=\"\$blDataPath\";\r\
    \n\r\
    \n# Find and remove the downloaded file\r\
    \n:if (\$blDebug = 1) do={\$log t=\"Removing temp file...\"}\r\
    \n:do { /file remove [find name=\$blDataPath]; } on-error={ \$log t=\"Error deleting temp file.\" }\r\
    \n\r\
    \n# Output Stats\r\
    \n:global\tblCount\t[/ip firewall address-list print count-only where list=\$blListName];\r\
    \n:if (\$blDebug = 1) do={\r\
    \n\t:local\tchange\t(\$blCount - \$cc);\r\
    \n\t:put\t\"Previous Entry Count: \$cc \";\r\
    \n\t:put\t\"Current Entry Count: \$blCount \";\r\
    \n\t:put\t\"Change: \$change\";\r\
    \n\t:log\twarning\t\"Previous Entries: \$cc\";\r\
    \n\t:log\twarning\t\"New Entries: \$blCount\";\r\
    \n\t:log\twarning\t\"Change: \$change\";\r\
    \n}\r\
    \n:if (\$blDownloadFailed = \"1\") do={\r\
    \n\t\$log t=\"Blacklist Update Failed.\";\r\
    \n} else={ \r\
    \n\t\$log t=\"Blacklist Update Complete.\"; \r\
    \n}\r\
    \n\r\
    \n# Turn the logging back on\r\
    \n:if (\$blDebug = 1) do={ \$log t=\"Enabling firewall info logging...\"; }\r\
    \n/system logging set numbers=0 topics=\$cl;\r\
    \n\r\
    \n# Cleanup\r\
    \n:do { /system script environment remove in  } on-error={}\r\
    \n:do { /system script environment remove up  } on-error={}\r\
    \n:do { /system script environment remove log } on-error={}\r\
    \n:do { /system script environment remove urlEncode } on-error={}\r\
    \n"
/tool bandwidth-server
set authenticate=no enabled=no
/tool netwatch
add down-script=":log warning \"NETWATCH >>> MARTIN IPSEC DOWN ...\"\r\
    \n" host=192.168.178.1 up-script=":log warning \"NETWATCH MARTIN >>> SA WORKING\""
add down-script=":log warning \"NETWATCH >>> MATHIS IPSEC DOWN ...\"\r\
    \n" host=192.168.179.1 up-script=":log warning \"NETWATCH MATHIS >>> SA WORKING\""
add down-script=":log warning \"NETWATCH >>> KARLI IPSEC DOWN ...\"\r\
    \n" host=192.168.188.1 up-script=":log warning \"NETWATCH KARLI >>> SA WORKING\""
add down-script=":log warning \"NETWATCH >>> PHILIPP IPSEC DOWN ...\"\r\
    \n" host=192.168.11.116 up-script=":log warning \"NETWATCH PHILIPP >>> SA WORKING\""
/tool sniffer
set file-limit=100000KiB file-name=st_fast.pcap filter-interface=bridge filter-ip-address=77.244.243.0/24 filter-ip-protocol=tcp streaming-server=192.168.254.247
/user aaa
set accounting=no default-group=full use-radius=yes

Thank you very much again Sindy!

BTW: Sorry for not making it clear, I’m trying to push the bandwidth through actually twice …

Bear in mind that one thing is whether the CPU can handle the traffic, another thing is how long it takes it to handle a packet (higher processing delay can slow down some connections), and yet another thing is how the task distribution between the four cores works. Have you tried to profile the CPUs (cores) separately or only in total? When the total is 30 %, it may well mean that one of the cores is at 100 %.

So what is the total CPU load now with the new arrangement?


Found nothing significant. If you want to save even the last CPU cycle: as the jump to chain IPS_MARK is the last one in chain prerouting and is immediately followed by rules belonging to chain IPS_MARK, and as several rules actually do the same, you can as well remove the jump and the whole chain, and use just two rules instead of all that:

action=accept chain=prerouting connection-mark=no-mark
action=mark-routing chain=prerouting in-interface=bridge new-routing-mark=DIRECT

But as said earlier, so few packets are handled by these rules that the processing speedup will be unnoticeable.

Also for the record, the difference between your configuration and my suggestion is that the second dst-nat is done in the IPS instead of the MikroTik. That may be a better solution depending on which of the two devices has more processing power available. I just didn’t know the IPS was able to do that.

One more remark I forgot to write. action=masquerade is designed to src-nat packets to the IP address of the out-interface if the latter is assigned and changed dynamically, which means that this action ignores the to-addresses parameter (or at least should ignore it).

So if everything works for you, you actually don’t need the to-addresses parameters. If something doesn’t work as you expect, this may be the reason. Whatever the case, you should use action=src-nat instead of action=masquerade whenever the IP address of the out-interface is constant, because use of action=masquerade causes the router to clean up the connection table if the interface goes down, which may cause a short-time overload of the CPU.

Do you mean the static nats I’ve configured? They were always working fine as they are connections initiated from wan and the masquerading was initiated from inside.

The WAN IP is not changing too often, but it is also not guaranteed to be static. Someday it could change, as it will if the connection is down for too long (or for other reasons I don’t know). That’s why I want to keep the masquerading as it is. So far everything regarding that NAT is working, I guess.

But a problem still remains, or came up now.
The 3011 itself of course isn’t able to reach the internet anymore, as it doesn’t have a gateway on its directly connected route in its default routing table. What works is to NAT the 3011’s address in the first DMZ through the IPS as well, but this isn’t as good as it looks at first, as the IPsec tunnels won’t work anymore (because of the NAT the IPS is doing, I guess).

Do you know a simple way to force the 3011 to use the other routing table instead of the default one so it can actually go “out” with its WAN IP?

PS: I will monitor and report back the cpu usage

I believe you talk here about the port forwarding (dst-nat). Once the initial packet of a connection hits a nat rule (dst-nat, src-nat, or masquerade), the need to dst-nat the packets in client->server direction and symmetrically src-nat the packets in server->client direction is remembered for the whole connection. So you don’t need a separate rule to src-nat responses to dst-nat’ed requests and vice versa.


I don’t say your masquerade rules do not work; I just say they src-nat the initial packets they match to the address currently assigned to the interface, regardless what value you have assigned to their to-addresses parameters because these values are ignored.

And if some of them are there to mirror the dst-nat rules, they are not necessary and not used.


Sure. chain=prerouting in /ip firewall mangle table handles packets which came in through some interface, regardless whether they later turn out to be packets for one of 'Tik’s own IP addresses (so handled by chain=input of /ip firewall filter) or packets to be forwarded somewhere else (so handled by chain=forward of /ip firewall filter).

Locally originated packets are handled by chain=output in /ip firewall mangle. This picture shows it all, pay special attention to the exploded view of chain Output.

So if you want to route part of 'Tik’s locally originated traffic directly via the WAN gateway, you have to duplicate the subset of connection-marking and routing-marking as used in chain=prerouting also in chain=output of /ip firewall mangle. If you want to route all the locally originated traffic via the WAN gateway, the following is enough:

/ip firewall mangle
add action=mark-routing chain=output new-routing-mark=DIRECT

Local traffic does not use fasttracking (for obvious reasons) so there is no need to take care about this aspect.
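An added worked example, not part of Sindy’s reply or of the exported config: the chain=output marking from the paragraph above, scoped so that packets the router sends to its own connected subnets, to the IPsec remote LANs (which rely on the pref-src routes via ether1 in the export) and to the GRE/OSPF range keep using the main table. The DIRECT table and the 213.47.110.1 gateway are the ones from the export; the address-list name local-nets and the check commands at the end are assumptions.

```routeros
# Added example (not from the thread). Route the RB3011's own traffic through
# the WAN gateway held in the DIRECT table, but only for destinations outside
# the ranges that main-table routes already handle.

/ip firewall address-list
# "local-nets" is an assumed name; the ranges cover the bridge, both DMZ VLANs,
# the IPsec remote LANs 192.168.178/179/188.0/24, 10.0.0.0/24 and 198.18.0.0/30.
add list=local-nets address=10.0.0.0/8 comment="RFC1918"
add list=local-nets address=172.16.0.0/12 comment="RFC1918"
add list=local-nets address=192.168.0.0/16 comment="RFC1918, incl. IPsec remote LANs"
add list=local-nets address=198.18.0.0/15 comment="GRE/OSPF transfer net"

/ip firewall mangle
# chain=output only sees packets generated by the router itself (IKE, DNS,
# NTP, the scheduler's fetch calls, netwatch pings). Anything not bound for a
# local-nets destination gets the DIRECT mark and is looked up in the table
# that holds nothing but the 213.47.110.1 default route.
add chain=output dst-address-list=!local-nets action=mark-routing \
    new-routing-mark=DIRECT passthrough=no comment="router's own traffic via WAN"

# Checks: the DIRECT table still has its default route, the new rule's counter
# grows, and a fetch leaves with the WAN address (the file is overwritten by the
# OpenDNS script every hour anyway).
/ip route print where routing-mark=DIRECT
/ip firewall mangle print stats where chain=output
/tool fetch url="https://myip.dnsomatic.com/" mode=https dst-path=mypublicip.txt
:put [/file get mypublicip.txt contents]
```

Because the DIRECT table holds nothing but a default route, a mark applied to every output packet would make replies to a Winbox session on the bridge, RADIUS requests to 192.168.254.250 and the netwatch pings to 192.168.17x.1 candidates for that default route; the address-list exclusion keeps them in the main table regardless of how the RouterOS version in use handles fallback from a marked table.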

Do you mean the static nats I’ve configured? They were always working fine as they are connections initiated from wan and the masquerading was initiated from inside.
I believe you talk here about the port forwarding (dst-nat). Once the initial packet of a connection hits a nat rule (dst-nat, src-nat, or masquerade), the need to dst-nat the packets in client->server direction and symmetrically src-nat the packets in server->client direction is remembered for the whole connection. So you don’t need a separate rule to src-nat responses to dst-nat’ed requests and vice versa.

I don’t have separate rules for the return traffic, do I?

Thats why I want to keep the masquerading as it is. So far everything regarding that NAT is working I guess.
I don’t say your masquerade rules do not work; I just say they src-nat the initial packets they match to the address currently assigned to the interface, regardless what value you have assigned to their to-addresses parameters because these values are ignored.

I don’t have any to-addresses parameters in the masquerading sections, and as far as I remember they are not even allowed?!
…Sorry if I got you wrong on this subtopic :smiley:

And if some of them are there to mirror the dst-nat rules, they are not necessary and not used.

No, they are there to allow internet access from inside. The static nats with to-addresses are only for specific ports and the masquerading rules are used for putting every single internal ip/port into the PAT table to identify the return traffic correctly (as you surely already know)

Do you know a simple way to force the 3011 to use the other routing table instead of the default one so he can actually go “out” with his wan ip?
Sure. chain=prerouting in /ip firewall mangle table handles packets which came in through some interface, regardless whether they later turn out to be packets for one of 'Tik’s own IP addresses (so handled by chain=input of /ip firewall filter) or packets to be forwarded somewhere else (so handled by chain=forward of /ip firewall filter).

Perfect, thanks!

By the way: the CPU usage during full load

tool profile cpu=all
NAME                    CPU        USAGE
ethernet                  0        11.5%
console                   0           0%
firewall                  0          21%
networking                0          26%
management                0           0%
bridging                  0           7%
unclassified              0         4.5%
cpu0                                 70%
ethernet                  1         4.5%
console                   1           0%
firewall                  1         5.5%
networking                1           9%
winbox                    1         0.5%
management                1         0.5%
bridging                  1           2%
unclassified              1         4.5%
cpu1                               26.5%

This was during 4 download connections … not really evenly distributed :confused:
What is strange too is the fact that one download connection doesn’t seem to get the full (or even near-full) bandwidth. If I start 3-4x from the same destination IP, I’m getting full speed - but I assume I can’t get rid of this as it may depend on the internals of the 3011?

This is a quotation from your configuration export above:
/ip firewall nat

add action=masquerade chain=srcnat comment="masq 4 dmz" log-prefix=MASQUERADE out-interface=ether1 src-address=192.168.200.0/24 to-addresses=213.47.110.102

The presence of public IP as to-addresses in this rule was the reason for me to think that the intention was to use it as a “reverse dst-nat”.

Regarding the single connection not using all available bandwidth, bear in mind that your router may not be the only source of speed limitation.
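An added example, not from the thread: the DMZ2 source-NAT rule quoted above written in the three forms the discussion distinguishes (masquerade with an ignored to-addresses, masquerade for a changing WAN address, src-nat for a fixed one), so the difference is visible side by side. The interface, subnet and address are the ones from the export; the comment strings and the check commands are mine.

```routeros
# Added example (not from the thread): the "masq 4 dmz" rule in three forms.
# Only one of the three should be enabled at a time.

/ip firewall nat
# As exported: to-addresses is not a parameter of action=masquerade, so it is
# accepted by the CLI but has no effect. Kept disabled only to show the shape.
add chain=srcnat action=masquerade out-interface=ether1 src-address=192.168.200.0/24 \
    to-addresses=213.47.110.102 disabled=yes comment="masq 4 dmz (to-addresses ignored)"

# WAN address may change: masquerade, translating to whatever ether1 holds now.
# Connections through this rule are dropped when ether1 goes down.
add chain=srcnat action=masquerade out-interface=ether1 src-address=192.168.200.0/24 \
    comment="masq 4 dmz"

# WAN address is fixed: src-nat to the explicit address, no connection-table
# flush on interface flaps. Enable this one and disable the masquerade above.
add chain=srcnat action=src-nat out-interface=ether1 src-address=192.168.200.0/24 \
    to-addresses=213.47.110.102 disabled=yes comment="srcnat 4 dmz"

# Checks: which rule the DMZ2 connections actually hit, and the address they
# were translated to (reply-dst-address column).
/ip firewall nat print stats where chain=srcnat
/ip firewall connection print where src-address~"^192.168.200."
```

Whichever variant is enabled, no mirror rule is needed for the reply direction: the translation is recorded in the connection entry when the first packet matches, as Sindy notes above.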

This is a quotation from your configuration export above:
/ip firewall nat

add action=masquerade chain=srcnat comment="masq 4 dmz" log-prefix=MASQUERADE out-interface=ether1 src-address=192.168.200.0/24 to-addresses=213.47.110.102

The presence of public IP as to-addresses in this rule was the reason for me to think that the intention was to use it as a “reverse dst-nat”.

Ok, now I got you - thanks for that. This is actually a mistake! I’ve checked this and for some reason it really is configured with to-addresses, although there is no such to-addresses field in the GUI version of the rule. There isn’t even the possibility to configure it that way via the GUI, only via the CLI. Initially the rules were configured via the GUI, so I have no clue why this was configured.
Anyway, I’ve removed it, so thanks for pointing me in this direction.