Sharing a setup...

Please, comments are welcome! :slight_smile:


Short description:
Wireless access point in 802.11b performing traffic shaping and prioritization using PPPoE on the wireless interface. Home users at 128k and 256k with PCQ and dynamic addressing. Statically addressed users get specific shaping with SFQ. WRAP hardware (x86) running ROS 2.9.46, MAC auth using the access-list, and forwarding disabled on all wireless clients. About 100 registered MACs and a peak of 60 PPPoE sessions simultaneously connected. Remote RADIUS auth using the IP address and Pool name attributes. Local DNS caching, public IP addressing on all clients, no proxy ARP, RIP routes redistributing static.

My comments:
One problem here is the protocol = 0 entries in the conntrack table, which make some packets not receive a correct mark and also flood the conntrack table with ten thousand entries — weird. Another question is whether prioritizing traffic on PCQ works as expected. I mostly think that each host under the PCQ here has a xxxkbps high-priority link, a xxxkbps mid-priority link and a xxxkbps low-priority link all at the same time. That does not sound correct at all, and I am still unsure about using PCQ to prioritize traffic. Please point out incorrectness and other unwanted things. :wink:


Points of interest:

AP interface
/ interface wireless
# AP radio (mode=ap-bridge), 802.11b only on 2442 MHz, basic rate 1Mbps.
# Admission and isolation are driven by the access-list:
#   default-authentication=no -> only stations the access-list admits may associate
#                                (a MAC entry is not an identity check; PPPoE is the
#                                real authentication layer in this setup)
#   default-forwarding=no     -> the AP does not relay client-to-client frames
# security-profile=default: NOTE(review): nothing in this excerpt shows that profile
#   enabling WPA/WEP. If it does not, the air link is cleartext and the PPPoE PAP
#   exchange (see pppoe-server, authentication=pap) is readable by anyone in radio
#   range — confirm the profile's settings.
# max-station-count=2007 is far above the ~100 registered MACs mentioned in the post.
set wlan2 name=β€œwlan2” mtu=1500 mac-address=00:0C:42:0C:9F:D8 arp=enabled
disable-running-check=yes radio-name=β€œ000C420C9FD8” mode=ap-bridge
ssid=β€œACCSILO” area=β€œβ€ frequency-mode=manual-txpower
country=no_country_set antenna-gain=0 frequency=2442 band=2.4ghz-b
scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
periodic-calibration=default periodic-calibration-interval=60
burst-time=disabled dfs-mode=none antenna-mode=ant-a wds-mode=disabled
wds-default-bridge=none wds-default-cost=100 wds-cost-range=50-150
wds-ignore-ssid=no update-stats-interval=disabled
default-authentication=no default-forwarding=no default-ap-tx-limit=0
default-client-tx-limit=0 proprietary-extensions=post-2.9.25 hide-ssid=no
security-profile=default disconnect-timeout=3s on-fail-retry-time=100ms
hw-retries=4 preamble-mode=long compression=no allow-sharedkey=no
comment=β€œβ€ disabled=no

Backbone interface
/ interface ethernet
# Backbone/uplink port. auto-negotiation stays on; full-duplex and 100Mbps are the
# configured values. Nothing here affects the security posture of the box.
set ether1 name=β€œether1” mtu=1500 mac-address=00:0D:B9:04:52:F0 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment=β€œβ€ disabled=no

PPPOE server
/ interface pppoe-server server
# PPPoE server bound to the AP interface; sessions use the pppoe_prof profile.
# authentication=pap: the client password is carried in clear inside PPP, so its
#   confidentiality depends entirely on the wireless layer (see security-profile on
#   wlan2). NOTE(review): CHAP/MS-CHAPv2 would avoid that, but presumably need the
#   RADIUS backend to hold secrets in a compatible form — check before switching.
# one-session-per-host=yes limits each client MAC to a single session; the ppp
#   profile's only-one=no means there is no per-username limit on top of it.
# max-sessions=0 = unlimited; the post reports a peak of 60 concurrent sessions.
add service-name=β€œβ€ interface=wlan2 max-mtu=1480 max-mru=1480
authentication=pap keepalive-timeout=30 one-session-per-host=yes
max-sessions=0 default-profile=pppoe_prof disabled=no

Mangle
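/ ip firewall mangle
# Classification for the shaper. Prerouting handles client -> world ("up"),
# postrouting handles world -> client ("down"). Each direction does three steps:
#   1. mark the connection as p2p or "others"       (from_clients / to_clients)
#   2. give the packet a priority class              (up_priority / down_priority)
#   3. turn the class into a per-tier terminal mark  (_ozelo / _128 / _256)
#      which is what the queue tree references.
# A connection carries a single mark and from_clients/to_clients overwrite it on
# every packet of their own direction, so the mark a packet sees is the one set
# by the last direction that passed. The rule order (connection mark first,
# priority class second) is what keeps this consistent — keep it.
add chain=prerouting action=jump jump-target=from_clients
src-address-list=corp comment=β€œβ€ disabled=no
add chain=prerouting action=jump jump-target=from_clients
src-address-list=h128 comment=β€œβ€ disabled=no
add chain=prerouting action=jump jump-target=from_clients
src-address-list=h256 comment=β€œβ€ disabled=no
# from_clients: p2p-detected connections get all_p2p_incoming, everything else
# all_others_incoming. The p2p rule has no connection-mark condition, so a
# connection first seen as "others" can later be re-classified as p2p.
add chain=from_clients action=mark-connection
new-connection-mark=all_p2p_incoming passthrough=yes p2p=all-p2p
comment=β€œβ€ disabled=no
add chain=from_clients action=mark-connection
new-connection-mark=all_others_incoming passthrough=yes
connection-mark=!all_p2p_incoming comment=β€œβ€ disabled=no
add chain=from_clients action=return comment=β€œβ€ disabled=no
# up_priority is entered for every packet; its rules only fire on connections
# carrying an *_incoming mark, so connections never seen by from_clients fall
# through without a packet mark.
add chain=prerouting action=jump jump-target=up_priority comment=β€œβ€
disabled=no
# Every marked connection starts as low_up; the rules below promote it
# (all passthrough=yes, so the last matching rule decides the class).
add chain=up_priority action=mark-packet new-packet-mark=low_up
passthrough=yes connection-mark=all_p2p_incoming comment=β€œβ€ disabled=no
add chain=up_priority action=mark-packet new-packet-mark=low_up
passthrough=yes connection-mark=all_others_incoming comment=β€œβ€
disabled=no
# mid: HTTP requests on non-p2p connections.
add chain=up_priority action=mark-packet new-packet-mark=mid_up
passthrough=yes dst-port=80 protocol=tcp packet-mark=low_up
connection-mark=all_others_incoming comment=β€œβ€ disabled=no
# high: one static host's UDP/16567, all ICMP, DNS to the router's address, and
# every TCP SYN. NOTE(review): ICMP and SYN are promoted regardless of volume, so
# a scanning or misbehaving client places that traffic in the high queue; the
# per-host pcq-rate on the PCQ queue types is the only cap on how much of it a
# single host can contribute.
add chain=up_priority action=mark-packet new-packet-mark=high_up
passthrough=yes src-address=200.128.224.174 dst-port=16567 protocol=udp
packet-mark=low_up connection-mark=all_others_incoming comment=β€œβ€
disabled=no
add chain=up_priority action=mark-packet new-packet-mark=high_up
passthrough=yes protocol=icmp connection-mark=all_others_incoming
comment=β€œβ€ disabled=no
add chain=up_priority action=mark-packet new-packet-mark=high_up
passthrough=yes dst-address=200.216.126.48 dst-port=53 protocol=udp
connection-mark=all_others_incoming comment=β€œβ€ disabled=no
add chain=up_priority action=mark-packet new-packet-mark=high_up
passthrough=yes tcp-flags=syn protocol=tcp
connection-mark=all_others_incoming comment=β€œβ€ disabled=no
add chain=up_priority action=return comment=β€œβ€ disabled=no
# Terminal upload marks. passthrough=no: the first matching tier rule wins.
# The corp list has no terminal rule, so corp traffic keeps the plain
# high_up/mid_up/low_up marks, which no queue in the tree references —
# presumably intended (corp unshaped); confirm.
add chain=prerouting action=mark-packet new-packet-mark=high_up_ozelo
passthrough=no src-address=200.128.224.174 packet-mark=high_up comment=β€œβ€
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=mid_up_ozelo
passthrough=no src-address=200.128.224.174 packet-mark=mid_up comment=β€œβ€
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=low_up_ozelo
passthrough=no src-address=200.128.224.174 packet-mark=low_up comment=β€œβ€
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=high_up_128
passthrough=no packet-mark=high_up src-address-list=h128 comment=β€œβ€
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=mid_up_128
passthrough=no packet-mark=mid_up src-address-list=h128 comment=β€œβ€
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=low_up_128
passthrough=no packet-mark=low_up src-address-list=h128 comment=β€œβ€
disabled=no
# high_up_256 was the only terminal rule with passthrough=yes. The two rules
# after it match packet-mark=mid_up / low_up and so could never hit a packet
# already re-marked high_up_256; passthrough=no changes no outcome, it only
# makes the rule consistent with its siblings and skips two evaluations.
add chain=prerouting action=mark-packet new-packet-mark=high_up_256
passthrough=no packet-mark=high_up src-address-list=h256 comment=β€œβ€
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=mid_up_256
passthrough=no packet-mark=mid_up src-address-list=h256 comment=β€œβ€
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=low_up_256
passthrough=no packet-mark=low_up src-address-list=h256 comment=β€œβ€
disabled=no
# Download side: mirror of the above keyed on the destination address lists.
add chain=postrouting action=jump jump-target=to_clients dst-address-list=corp
comment=β€œβ€ disabled=no
add chain=postrouting action=jump jump-target=to_clients dst-address-list=h128
comment=β€œβ€ disabled=no
add chain=postrouting action=jump jump-target=to_clients dst-address-list=h256
comment=β€œβ€ disabled=no
add chain=to_clients action=mark-connection
new-connection-mark=all_p2p_outgoing passthrough=yes p2p=all-p2p
comment=β€œβ€ disabled=no
add chain=to_clients action=mark-connection
new-connection-mark=all_others_outgoing passthrough=yes
connection-mark=!all_p2p_outgoing comment=β€œβ€ disabled=no
add chain=to_clients action=return comment=β€œβ€ disabled=no
add chain=postrouting action=jump jump-target=down_priority comment=β€œβ€
disabled=no
add chain=down_priority action=mark-packet new-packet-mark=low_down
passthrough=yes connection-mark=all_p2p_outgoing comment=β€œβ€ disabled=no
add chain=down_priority action=mark-packet new-packet-mark=low_down
passthrough=yes connection-mark=all_others_outgoing comment=β€œβ€
disabled=no
# mid: HTTP responses. high: the static host's UDP/16567 replies, ICMP, and DNS
# answers from the router. There is no download counterpart to the SYN rule.
add chain=down_priority action=mark-packet new-packet-mark=mid_down
passthrough=yes src-port=80 protocol=tcp packet-mark=low_down
connection-mark=all_others_outgoing comment=β€œβ€ disabled=no
add chain=down_priority action=mark-packet new-packet-mark=high_down
passthrough=yes dst-address=200.128.224.174 src-port=16567 protocol=udp
packet-mark=low_down connection-mark=all_others_outgoing comment=β€œβ€
disabled=no
add chain=down_priority action=mark-packet new-packet-mark=high_down
passthrough=yes protocol=icmp connection-mark=all_others_outgoing
comment=β€œβ€ disabled=no
add chain=down_priority action=mark-packet new-packet-mark=high_down
passthrough=yes src-address=200.216.126.48 src-port=53 protocol=udp
connection-mark=all_others_outgoing comment=β€œβ€ disabled=no
add chain=down_priority action=return comment=β€œβ€ disabled=no
# Terminal download marks, same first-match-wins structure as the upload side.
add chain=postrouting action=mark-packet new-packet-mark=high_down_ozelo
passthrough=no dst-address=200.128.224.174 packet-mark=high_down
comment=β€œβ€ disabled=no
add chain=postrouting action=mark-packet new-packet-mark=mid_down_ozelo
passthrough=no dst-address=200.128.224.174 packet-mark=mid_down comment=β€œβ€
disabled=no
add chain=postrouting action=mark-packet new-packet-mark=low_down_ozelo
passthrough=no dst-address=200.128.224.174 packet-mark=low_down comment=β€œβ€
disabled=no
add chain=postrouting action=mark-packet new-packet-mark=high_down_128
passthrough=no packet-mark=high_down dst-address-list=h128 comment=β€œβ€
disabled=no
add chain=postrouting action=mark-packet new-packet-mark=mid_down_128
passthrough=no packet-mark=mid_down dst-address-list=h128 comment=β€œβ€
disabled=no
add chain=postrouting action=mark-packet new-packet-mark=low_down_128
passthrough=no packet-mark=low_down dst-address-list=h128 comment=β€œβ€
disabled=no
# Same passthrough=yes stray as high_up_256, fixed for the same reason: the
# following mid_down_256 / low_down_256 rules cannot match a high_down_256 packet.
add chain=postrouting action=mark-packet new-packet-mark=high_down_256
passthrough=no packet-mark=high_down dst-address-list=h256 comment=β€œβ€
disabled=no
add chain=postrouting action=mark-packet new-packet-mark=mid_down_256
passthrough=no packet-mark=mid_down dst-address-list=h256 comment=β€œβ€
disabled=no
add chain=postrouting action=mark-packet new-packet-mark=low_down_256
passthrough=no packet-mark=low_down dst-address-list=h256 comment=β€œβ€
disabled=no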

Filter
/ ip firewall filter
# Both input (traffic to the router itself) and forward (traffic through it)
# share the single "sanity" chain below.
add chain=input action=jump jump-target=sanity comment=β€œβ€ disabled=no
add chain=forward action=jump jump-target=sanity comment=β€œβ€ disabled=no
# sanity: fast-path established/related, drop invalid, then drop private,
# link-local and broadcast addresses in either direction and the Windows
# file-sharing ports (135-139, 445; tcp and udp) in both directions.
# NOTE(review): after "sanity" returns, no further input rule appears in this
#   excerpt, so whatever the router listens on (DNS, any enabled management
#   service) is reachable from every PPPoE client and from the backbone unless
#   rules outside this excerpt restrict it — confirm that an input policy exists.
add chain=sanity action=accept connection-state=established comment=β€œβ€ disabled=no
add chain=sanity action=accept connection-state=related comment=β€œβ€ disabled=no
add chain=sanity action=drop connection-state=invalid comment=β€œβ€ disabled=no
add chain=sanity action=drop src-address=10.0.0.0/8 comment=β€œβ€
disabled=no
add chain=sanity action=drop dst-address=10.0.0.0/8 comment=β€œβ€ disabled=no
add chain=sanity action=drop src-address=172.16.0.0/12 comment=β€œβ€ disabled=no
add chain=sanity action=drop dst-address=172.16.0.0/12 comment=β€œβ€ disabled=no
add chain=sanity action=drop src-address=192.168.0.0/16 comment=β€œβ€ disabled=no
add chain=sanity action=drop dst-address=192.168.0.0/16 comment=β€œβ€ disabled=no
add chain=sanity action=drop src-address=169.254.0.0/16 comment=β€œoutros
bloqueios basicos” disabled=no
add chain=sanity action=drop dst-address=169.254.0.0/16 comment=β€œβ€ disabled=no
add chain=sanity action=drop src-address=255.255.255.255 comment=β€œβ€
disabled=no
add chain=sanity action=drop dst-address=255.255.255.255 comment=β€œβ€
disabled=no
# Windows file-sharing ports, both directions and both transports.
add chain=sanity action=drop src-port=135-139 protocol=tcp comment=β€œβ€
disabled=no
add chain=sanity action=drop src-port=135-139 protocol=udp comment=β€œβ€
disabled=no
add chain=sanity action=drop dst-port=135-139 protocol=tcp comment=β€œβ€
disabled=no
add chain=sanity action=drop dst-port=135-139 protocol=udp comment=β€œβ€
disabled=no
add chain=sanity action=drop src-port=445 protocol=tcp comment=β€œβ€ disabled=no
add chain=sanity action=drop src-port=445 protocol=udp comment=β€œβ€ disabled=no
add chain=sanity action=drop dst-port=445 protocol=tcp comment=β€œβ€ disabled=no
add chain=sanity action=drop dst-port=445 protocol=udp comment=β€œβ€ disabled=no
# Anything not dropped above goes back to the calling chain.
add chain=sanity action=return comment=β€œβ€ disabled=no

Tracking
/ ip firewall connection tracking
# Aggressive timeouts everywhere except established TCP (1d) and generic (10m).
# NOTE(review): generic-timeout presumably governs entries that are neither
#   TCP/UDP/ICMP, which is where the "protocol 0" entries mentioned in the post
#   would sit; lowering it bounds how long they occupy the table, but the root
#   cause is not visible from this excerpt.
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s
tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m
tcp-syncookie=no

PPPOE profile
/ ppp profile
# Default profile for the PPPoE server: router-side address 200.216.126.48,
# client addresses from pool_128 (the post says RADIUS overrides this with a
# Pool name attribute), and the router itself handed out as DNS server.
# use-encryption=no: no MPPE, so both the PAP exchange and all client traffic
#   rely on the wireless layer for confidentiality (see security-profile on wlan2).
# only-one=no: no per-username session limit; the server's one-session-per-host
#   is the only limit in effect — NOTE(review): confirm that is intended.
# change-tcp-mss=yes: MSS clamping, presumably to fit the 1480 max-mtu on the server.
add name=β€œpppoe_prof” local-address=200.216.126.48 remote-address=pool_128
idle-timeout=30m use-compression=no use-vj-compression=no
use-encryption=no only-one=no change-tcp-mss=yes dns-server=200.216.126.48
comment=β€œβ€

Queue types used
/ queue type
# The three builtin types are switched to SFQ (perturb 5s, allot 1480 = PPPoE MTU).
set default name=β€œdefault” kind=sfq sfq-perturb=5 sfq-allot=1480
set ethernet-default name=β€œethernet-default” kind=sfq sfq-perturb=5
sfq-allot=1480
set wireless-default name=β€œwireless-default” kind=sfq sfq-perturb=5
sfq-allot=1480
# PCQ types: one sub-queue per client address, each capped at pcq-rate.
# src-address classifier for upload, dst-address for download; the download
# types allow twice the per-queue backlog (pcq-limit 50 vs 25).
# NOTE(review): pcq_dst_256 caps at 270000 while the name says 256 —
#   presumably deliberate headroom; confirm.
add name=β€œpcq_src_256” kind=pcq pcq-rate=256000 pcq-limit=25
pcq-classifier=src-address pcq-total-limit=2500
add name=β€œpcq_dst_256” kind=pcq pcq-rate=270000 pcq-limit=50
pcq-classifier=dst-address pcq-total-limit=5000
add name=β€œpcq_dst_128” kind=pcq pcq-rate=128000 pcq-limit=50
pcq-classifier=dst-address pcq-total-limit=5000
add name=β€œpcq_src_128” kind=pcq pcq-rate=128000 pcq-limit=25
pcq-classifier=src-address pcq-total-limit=2500
# Plain 50-packet FIFO used by the ozelo download tree (the static host).
add name=β€œozelo” kind=pfifo pfifo-limit=50

Queue tree
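/ queue tree
# Upload tree hangs off global-in, download tree off global-out. Each tier
# (128k, 256k, ozelo) is a parent with three children, one per priority class
# from the mangle marks. The 128/256 children use the PCQ types, so the tier's
# bandwidth is split per client address; the ozelo tier serves one static host.
# Priority convention: high=3, mid=4, low=8 on the PCQ tiers; 1/2/8 on ozelo.
# NOTE(review): the upload parents' limit-at values add up to 1148000
#   (256000 + 512000 + 380000), above all_upload's max-limit of 1000000, so the
#   guarantees cannot all be honoured at once. The download side
#   (3 x 512000 under 3000000) is fine.
add name=β€œall_upload” parent=global-in packet-mark=β€œβ€ limit-at=1000000
queue=default priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0
burst-time=0s disabled=no
add name=β€œall_up_128” parent=all_upload packet-mark=β€œβ€ limit-at=256000
queue=default priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0
burst-time=0s disabled=no
add name=β€œall_up_256” parent=all_upload packet-mark=β€œβ€ limit-at=512000
queue=default priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0
burst-time=0s disabled=no
# 128k upload: children's limit-at sum to the parent's 256000.
add name=β€œhigh_up_128” parent=all_up_128 packet-mark=high_up_128
limit-at=128000 queue=pcq_src_128 priority=3 max-limit=1000000
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=β€œmid_up_128” parent=all_up_128 packet-mark=mid_up_128 limit-at=127000
queue=pcq_src_128 priority=4 max-limit=1000000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
add name=β€œlow_up_128” parent=all_up_128 packet-mark=low_up_128 limit-at=1000
queue=pcq_src_128 priority=8 max-limit=1000000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
# 256k upload: children's limit-at sum to the parent's 512000.
add name=β€œhigh_up_256” parent=all_up_256 packet-mark=high_up_256
limit-at=256000 queue=pcq_src_256 priority=3 max-limit=1000000
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=β€œlow_up_256” parent=all_up_256 packet-mark=low_up_256 limit-at=1000
queue=pcq_src_256 priority=8 max-limit=1000000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
add name=β€œmid_up_256” parent=all_up_256 packet-mark=mid_up_256 limit-at=255000
queue=pcq_src_256 priority=4 max-limit=1000000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
# Static host upload tier, hard-capped at 380000 (children use SFQ, not PCQ).
add name=β€œall_up_ozelo” parent=all_upload packet-mark=β€œβ€ limit-at=380000
queue=default priority=8 max-limit=380000 burst-limit=0 burst-threshold=0
burst-time=0s disabled=no
add name=β€œall_download” parent=global-out packet-mark=β€œβ€ limit-at=3000000
queue=default priority=8 max-limit=3000000 burst-limit=0 burst-threshold=0
burst-time=0s disabled=no
add name=β€œall_down_128” parent=all_download packet-mark=β€œβ€ limit-at=512000
queue=default priority=8 max-limit=3000000 burst-limit=0 burst-threshold=0
burst-time=0s disabled=no
add name=β€œall_down_256” parent=all_download packet-mark=β€œβ€ limit-at=512000
queue=default priority=8 max-limit=3000000 burst-limit=0 burst-threshold=0
burst-time=0s disabled=no
# 128k download: children guarantee 256000 of the parent's 512000.
add name=β€œhigh_down_128” parent=all_down_128 packet-mark=high_down_128
limit-at=128000 queue=pcq_dst_128 priority=3 max-limit=3000000
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
# mid_down_128 had priority=8 — the same as low_down_128 — while every other
# mid queue in the tree uses 4; brought in line so mid actually ranks above low.
add name=β€œmid_down_128” parent=all_down_128 packet-mark=mid_down_128
limit-at=127000 queue=pcq_dst_128 priority=4 max-limit=3000000
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=β€œlow_down_128” parent=all_down_128 packet-mark=low_down_128
limit-at=1000 queue=pcq_dst_128 priority=8 max-limit=3000000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
# 256k download: children's limit-at sum to the parent's 512000.
add name=β€œhigh_down_256” parent=all_down_256 packet-mark=high_down_256
limit-at=256000 queue=pcq_dst_256 priority=3 max-limit=3000000
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name=β€œlow_down_256” parent=all_down_256 packet-mark=low_down_256
limit-at=1000 queue=pcq_dst_256 priority=8 max-limit=3000000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
add name=β€œmid_down_256” parent=all_down_256 packet-mark=mid_down_256
limit-at=255000 queue=pcq_dst_256 priority=4 max-limit=3000000
burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
# Static host download tier on the pfifo "ozelo" type, hard-capped at 512000.
add name=β€œall_down_ozelo” parent=all_download packet-mark=β€œβ€ limit-at=512000
queue=ozelo priority=8 max-limit=512000 burst-limit=0 burst-threshold=0
burst-time=0s disabled=no
add name=β€œhigh_down_ozelo” parent=all_down_ozelo packet-mark=high_down_ozelo
limit-at=256000 queue=ozelo priority=1 max-limit=512000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
add name=β€œmid_down_ozelo” parent=all_down_ozelo packet-mark=mid_down_ozelo
limit-at=255000 queue=ozelo priority=2 max-limit=512000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
add name=β€œlow_down_ozelo” parent=all_down_ozelo packet-mark=low_down_ozelo
limit-at=1000 queue=ozelo priority=8 max-limit=512000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
# Static host upload children; limit-at values sum to the parent's 380000.
add name=β€œhigh_up_ozelo” parent=all_up_ozelo packet-mark=high_up_ozelo
limit-at=190000 queue=default priority=1 max-limit=380000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
add name=β€œmid_up_ozelo” parent=all_up_ozelo packet-mark=mid_up_ozelo
limit-at=189000 queue=default priority=2 max-limit=380000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no
add name=β€œlow_up_ozelo” parent=all_up_ozelo packet-mark=low_up_ozelo
limit-at=1000 queue=default priority=8 max-limit=380000 burst-limit=0
burst-threshold=0 burst-time=0s disabled=no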