Hello Folks,
We have an Access Concentrator connected via an untagged VLAN over a switch to our Internet router. Both are MT CCRs.
Here is the config of the IN (Internet) router:
# Physical ports of the Internet router. L2 MTU is raised to 1590 on every
# port; flow control is auto-negotiated on ether1-3 only. Roles taken from
# the port comments: ether1 = WAN (upstream), ether6 = transfer link towards
# the Access Concentrator, ether8 = management.
/interface ethernet
set [ find default-name=ether1 ] comment=WAN l2mtu=1590 rx-flow-control=auto \
tx-flow-control=auto
set [ find default-name=ether2 ] l2mtu=1590 rx-flow-control=auto \
tx-flow-control=auto
set [ find default-name=ether3 ] l2mtu=1590 rx-flow-control=auto \
tx-flow-control=auto
set [ find default-name=ether4 ] l2mtu=1590
set [ find default-name=ether5 ] l2mtu=1590
set [ find default-name=ether6 ] comment=Transfer l2mtu=1590
set [ find default-name=ether7 ] l2mtu=1590
set [ find default-name=ether8 ] comment=MGNT l2mtu=1590
# Same role labels on the neighbor-discovery entries. Only comments are set
# here, so discovery itself presumably keeps its default (enabled) on ether1
# as well — NOTE(review): confirm whether announcing this router (MNDP/CDP/
# LLDP) on the WAN segment is wanted.
/ip neighbor discovery
set ether1 comment=WAN
set ether6 comment=Transfer
set ether8 comment=MGNT
# IPsec: the default proposal is narrowed to AES-128-CBC for encryption; the
# authentication algorithm is not in the export, so it keeps its default.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
# Two OSPF instances: the default one (backbone, 10.0.0.0/8 via
# /routing ospf network) and "inet" with its own area 0.0.0.1 for the public
# prefixes. Both router-ids are redacted in the post.
/routing ospf instance
set [ find default=yes ] router-id=IP.AD.DR.ESS
add name=inet router-id=IP.AD.DR.ESS
/routing ospf area
add area-id=0.0.0.1 instance=inet name=inet
# SYN cookies protect the router's own TCP listeners (ssh, winbox, ...) from
# SYN floods reaching the input chain.
/ip settings
set tcp-syncookies=yes
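# Internet-router firewall. ether1 is the WAN port, ether6/7/8 the backbone
# side (see /interface ethernet). Rules are evaluated top-down within each
# chain, so the order below matters; a final "drop all" closes both the input
# and the forward chain.
/ip firewall filter
# --- input / forward: early drops ---
# NOTE(review): only TCP packets in state "invalid" are dropped here (the same
# holds for the forward chain further down); invalid UDP/ICMP is not matched.
add action=drop chain=input comment="drop invalid" connection-state=invalid \
protocol=tcp
# Sources on the dynamic "port scanners" list (filled by the "block Scanner"
# chain, 1h timeout) are dropped both towards the router and through it.
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=forward comment="dropping port scanners" in-interface=\
ether1 src-address-list="port scanners"
# "SIP Hacker" is filled by the two-step SIP check in the "block Scanner" chain.
add action=drop chain=forward comment="drop SIP Hacker" in-interface=ether1 \
src-address-list="SIP Hacker"
# SMB/NetBIOS dropped in both directions (no in-interface restriction).
add action=drop chain=forward comment="drop Windows Network" dst-port=\
135-139,445 protocol=tcp
add action=drop chain=forward dst-port=135-139,445 protocol=udp
# No DNS from the Internet, neither through the router nor to it. The forward
# rules are what keeps the Access Concentrator (it answers remote DNS
# requests) from being reachable as an open resolver.
add action=drop chain=forward comment="drop DNS from WAN" dst-port=53 \
in-interface=ether1 protocol=tcp
add action=drop chain=forward dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="no DNS from WAN" dst-port=53 \
in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
# --- input: accept established traffic ---
# NOTE(review): "related" is accepted for TCP only; related UDP (e.g. ICMP
# errors belonging to UDP flows) falls through to the protocol rules below.
add chain=input comment=est/rel connection-state=established protocol=tcp
add chain=input connection-state=related protocol=tcp
add chain=input connection-state=established protocol=udp
# NOTE(review): no in-interface match — a packet arriving on ether1 (WAN)
# with a spoofed 10.0.0.0/8 source is accepted by this rule as well.
# Consider in-interface=!ether1 here, or an anti-spoofing drop for
# src-address=10.0.0.0/8 in-interface=ether1 placed above it.
add chain=input comment="from Backbone" src-address=10.0.0.0/8
# Scanner detection on the input chain: all of these are disabled; the active
# copies live in the "block Scanner" chain further down.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="Port scanners to list " \
disabled=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" \
disabled=yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="SYN/FIN scan" disabled=yes \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="SYN/RST scan" disabled=yes \
protocol=tcp tcp-flags=syn,rst
# Fasttrack: established/related forward traffic is handed to the fast path
# and skips the remaining forward rules (in RouterOS also simple queues).
# Only new connections therefore reach the "block Scanner" jump below.
add action=fasttrack-connection chain=forward comment=est/rel \
connection-state=established,related
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" disabled=\
yes protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="ALL/ALL scan" disabled=yes \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="NMAP NULL scan" disabled=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# ICMP to the router: accepted at 50 packets per 5 s (burst 2), rest dropped.
add chain=input comment="ICMP ratenlimitiert" limit=50/5s,2 protocol=icmp
add action=drop chain=input protocol=icmp
# Routing protocols and tunnels on the backbone side: OSPF only on ether6/7/8,
# both IP-in-IP protocol names from any interface.
add chain=input comment=OSPF in-interface=ether6 protocol=ospf
add chain=input in-interface=ether7 protocol=ospf
add chain=input in-interface=ether8 protocol=ospf
add chain=input comment=IPIP protocol=ipencap
add chain=input protocol=ipip
# tcp/udp 646 is LDP (MPLS label distribution); the rule comment says "BGB".
add chain=input comment=BGB dst-port=646 protocol=tcp
add chain=input comment=MPLS dst-port=646 protocol=udp
# DNS to the router from everything not already dropped above (i.e. not ether1).
add chain=input comment=DNS dst-port=53 protocol=tcp
add chain=input dst-port=53 protocol=udp
# NOTE(review): Winbox (tcp/8291), SNMP (161-162) and MNDP (udp/5678) are
# accepted from any source, including ether1/WAN. /ip service restricts ssh to
# 10.0.0.0/8 — the same src-address=10.0.0.0/8 would fit on these two rules.
add chain=input comment=MGNT dst-port=161-162,8291 protocol=tcp
add chain=input dst-port=161-162,5678 protocol=udp
add action=drop chain=input comment="drop all"
# --- forward ---
add chain=forward connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
protocol=tcp
# "block Scanner" chain, entered through the jump below for new connections
# from ether1. Only the psd rule is active; the TCP-flag signatures are
# disabled.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain="block Scanner" comment=\
"Port scanners to list " in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain="block Scanner" comment=\
"NMAP FIN Stealth scan" disabled=yes in-interface=ether1 protocol=tcp \
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain="block Scanner" comment="SYN/FIN scan" \
disabled=yes in-interface=ether1 protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain="block Scanner" comment="SYN/RST scan" \
disabled=yes in-interface=ether1 protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain="block Scanner" comment="FIN/PSH/URG scan" \
disabled=yes in-interface=ether1 protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain="block Scanner" comment="ALL/ALL scan" \
disabled=yes in-interface=ether1 protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain="block Scanner" comment="NMAP NULL scan" \
disabled=yes in-interface=ether1 protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
# Second step of the SIP check: a new udp/5060 connection from a source that
# is still on "SIP Trial" (15 s, set by the rule at the end of this chain)
# marks it as "SIP Hacker" for 1h; the forward drop near the top then blocks
# everything from that source.
add action=add-src-to-address-list address-list="SIP Hacker" \
address-list-timeout=1h chain="block Scanner" comment="dedect SIP Hacker" \
connection-state=new dst-port=5060 in-interface=ether1 protocol=udp \
src-address-list="SIP Trial"
add action=jump chain=forward jump-target="block Scanner"
add chain=forward comment=ICMP protocol=icmp
# VPN transit: only packets of already established GRE/ESP/AH flows pass.
add chain=forward comment="allow VPN" connection-state=established protocol=\
gre
add chain=forward connection-state=established protocol=ipsec-esp
add chain=forward connection-state=established protocol=ipsec-ah
# Private backbone isolation: 10/8 may talk to 10/8, but never to or from the
# outside. The second drop used to match src-address=0.0.0.0 (a single host
# address) instead of any source, so forward traffic *into* 10.0.0.0/8 was
# not dropped here and could still be accepted by the src-address rules
# below; fixed to 0.0.0.0/0, as the Access Concentrator already has it.
add chain=forward comment=MGNT dst-address=10.0.0.0/8 src-address=10.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/0 src-address=10.0.0.0/8
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=0.0.0.0/0
# Public prefixes allowed through in both directions (addresses redacted in
# the post). NOTE(review): "1IP.AD.DR.ESS." and the trailing dots look like
# paste artifacts — verify the real rules before re-importing.
add chain=forward comment="allow Transfer" dst-address=our.Transfer.Net \
src-address=0.0.0.0/0
add chain=forward dst-address=0.0.0.0/0 src-address=IP.AD.DR.ESS
add chain=forward comment="" dst-address=IP.AD.DR.ESS \
src-address=0.0.0.0/0
add chain=forward dst-address=0.0.0.0/0 src-address=IP.AD.DR.ESS
add chain=forward dst-address=IP.AD.DR.ESS. src-address=0.0.0.0/0
add chain=forward dst-address=0.0.0.0/0 src-address=IP.AD.DR.ESS.
add chain=forward dst-address=IP.AD.DR.ESS src-address=0.0.0.0/0
add chain=forward dst-address=0.0.0.0/0 src-address=1IP.AD.DR.ESS.
add action=drop chain=forward comment="drop all"
# First step of the SIP check (still in "block Scanner", after the "SIP
# Hacker" rule so the same packet is not counted twice): any new udp/5060
# connection from ether1 puts the source on "SIP Trial" for 15 s.
add action=add-src-to-address-list address-list="SIP Trial" \
address-list-timeout=15s chain="block Scanner" connection-state=new \
dst-port=5060 in-interface=ether1 protocol=udp
add action=return chain="block Scanner"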
# Static routes (addresses redacted in the post): a default route whose
# gateway is blank in the paste, a disabled alternate default route and two
# explicit destination routes. NOTE(review): "gateway=" with no value is not
# a valid export line — presumably lost in redaction; verify before
# re-importing.
/ip route
add distance=1 gateway=
add disabled=yes distance=1 gateway=IP.AD.DR.ESS
add distance=1 dst-address=IP.AD.DR.ESS gateway=IP.AD.DR.ESS
add distance=1 dst-address=IP.AD.DR.ESS gateway=IP.AD.DR.ESS
# Management services: clear-text/legacy protocols off, ssh only from the
# backbone prefix, API off. winbox and www-ssl are not listed, so they
# presumably keep their defaults (winbox reachable from any address, and the
# filter accepts tcp/8291 from anywhere) — consider address=10.0.0.0/8 on
# winbox as well.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/8
set api disabled=yes
set api-ssl disabled=yes
# Front-panel LCD of the CCR: read-only and touch input disabled, so nobody
# with physical access can change settings from the panel; the stats screen
# stays on permanently.
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes \
touch-screen=disabled
# Hide every port except ether1 from the LCD interface list.
/lcd interface
set sfp-sfpplus1 disabled=yes
set sfp1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
/lcd interface pages
set 0 interfaces=ether1
# Screens 2-5 disabled; the numbers refer to positions in the default screen
# list.
/lcd screen
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
# OSPF: ether6 (transfer) and ether8 (MGNT) run as broadcast networks with
# high DR priority (255/250); a point-to-point entry for the IPIP tunnel is
# prepared but disabled. Note that the filter also accepts OSPF on ether7,
# which has no entry here.
/routing ospf interface
add interface=ether6 network-type=broadcast priority=255
add interface=ether8 network-type=broadcast priority=250
add cost=1000 disabled=yes interface=ipip-tunnel1 network-type=point-to-point
# The backbone area carries the private 10.0.0.0/8; the "inet" area carries
# the (redacted) public prefix.
/routing ospf network
add area=backbone network=10.0.0.0/8
add area=inet network=IP.AD.DR.ESS.
# SNMP is switched on; community and allowed addresses are not in the export.
# NOTE(review): confirm a non-default community with restricted addresses is
# in place — the filter accepts udp/161-162 from any source, ether1 included.
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=TOPSecret
# Follow the "current" release channel for upgrades.
/system package update
set channel=current
# CCR clock settings (only non-default values appear in an export).
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR
And here is the config of the Access Concentrator:
RouterOS 6.31
# Access Concentrator (RouterOS 6.31). Two software bridges: "AC" is the
# PPPoE server-side bridge with its priority set to 0x100 (below the 0x8000
# default, i.e. preferred as STP root if spanning tree is active); "lo0" has
# no ports in this export and presumably serves as a loopback-style
# interface.
/interface bridge
add mtu=1500 name=AC priority=0x100
add mtu=1500 name=lo0
# ether1 = transfer link to the Internet router, ether2/ether3 = PPPoE
# customer-facing ports (the ether3 comment contains an escaped umlaut).
# L2 MTU 1590 and auto flow control on every port.
/interface ethernet
set [ find default-name=ether1 ] comment=Transfer l2mtu=1590 rx-flow-control=\
auto tx-flow-control=auto
set [ find default-name=ether2 ] comment=PPPoE l2mtu=1590 rx-flow-control=\
auto tx-flow-control=auto
set [ find default-name=ether3 ] comment="PPPoE ...\DFe" l2mtu=1590 \
rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] l2mtu=1590 rx-flow-control=auto \
tx-flow-control=auto
set [ find default-name=ether5 ] l2mtu=1590 rx-flow-control=auto \
tx-flow-control=auto
set [ find default-name=ether6 ] l2mtu=1590 rx-flow-control=auto \
tx-flow-control=auto
# PPP profiles. local-address is blank in the paste and remote-address "DD"
# looks like a redacted pool name — verify before re-importing. "PPTP"
# requires encryption (MPPE); the two "Radius" profiles are for the PPPoE
# customers with encryption, compression and MPLS switched off. TCP MSS
# clamping is on for all three.
# NOTE(review): the pppoe-server below references default-profile="Radius "
# (trailing space) while this profile is named "Radius" — paste artifact or
# real name mismatch; confirm the names agree.
/ppp profile
add change-tcp-mss=yes local-address= name=PPTP only-one=yes \
remote-address=DD use-encryption=yes
add change-tcp-mss=yes local-address= name="Radius" \
only-one=yes remote-address=DD use-compression=no use-encryption=no \
use-mpls=no
add change-tcp-mss=yes local-address= name="Radius 1" \
only-one=yes remote-address=DD use-compression=no use-encryption=no \
use-mpls=no
# Queue types addressed by position in the default list (0, 1 and 9), pfifo
# length changed. NOTE(review): the post says the RADIUS-created customer
# queues use "default-small"; a short pfifo tail-drops bursts at tens of
# Mbit/s, which fits the reported throughput — name the types explicitly
# here and check which one the dynamic queues actually get (a larger pfifo
# limit or an sfq type is the usual remedy).
/queue type
set 0 pfifo-limit=100
set 1 pfifo-limit=100
set 9 pfifo-limit=70
# OSPF as on the Internet router: the default instance for the backbone, an
# "inet" instance with area 0.0.0.1 for the public prefixes. router-id "A"
# is a redaction in the post.
/routing ospf instance
set [ find default=yes ] router-id=P.AD.DR.ESS.
add name=inet router-id=A
/routing ospf area
add area-id=0.0.0.1 instance=inet name=inet
# Logging action 3 (presumably the built-in "remote" action) ships BSD-syslog
# to a (redacted) collector with a fixed source address.
/system logging action
set 3 bsd-syslog=yes remote=P.AD.DR.ESS. src-address=P.AD.DR.ESS.
# ether2 is the only member of bridge AC. horizon=2 only isolates it from
# other ports carrying the same horizon value, so with one port it has no
# effect on its own — presumably prepared for further customer ports.
/interface bridge port
add bridge=AC horizon=2 interface=ether2
# Two PPPoE servers: "CL" on the AC bridge, "BERG" directly on ether3.
# MTU/MRU 1480 keep PPPoE inside 1500-byte frames; one session per MAC.
# NOTE(review): pap is offered next to chap — PAP carries the password in
# clear on the access segment; keep it only if the RADIUS backend cannot
# verify CHAP.
/interface pppoe-server server
add authentication=pap,chap default-profile="Radius " disabled=no \
interface=AC max-mru=1480 max-mtu=1480 mrru=1600 one-session-per-host=yes \
service-name=CL
add authentication=pap,chap default-profile="Radius 1" disabled=no \
interface=ether3 max-mru=1480 max-mtu=1480 mrru=1600 \
one-session-per-host=yes service-name=BERG
# Recursive resolver for the PPPoE customers (allow-remote-requests=yes),
# forwarding to two upstream servers. NOTE(review): the input chain below
# accepts dst-port 53 from any source, so this is only not an open resolver
# because the Internet router drops DNS from its WAN port in the forward
# chain — consider a src-address restriction on this box too.
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-udp-packet-size=8192 \
servers=8.8.8.8,145.253.2.203
# Access Concentrator firewall. Same structure as on the Internet router, but
# without any in-interface matches: this box relies on the upstream router
# having filtered what arrives on ether1.
/ip firewall filter
# NOTE(review): only TCP "invalid" packets are dropped (also in forward below).
add action=drop chain=input comment="drop invalid" connection-state=invalid \
protocol=tcp
add chain=input comment=est/rel connection-state=established protocol=tcp
# NOTE(review): fasttracked packets bypass the rest of the filter and, in
# RouterOS, simple queues as well. With per-customer simple queues created by
# RADIUS (see the post), the established/related part of a customer's traffic
# would then not be shaped by those queues — confirm this is intended for
# 6.31, or exclude the PPPoE traffic from this rule.
add action=fasttrack-connection chain=forward comment=est/rel \
connection-state=established,related
add chain=forward connection-state=established,related
add chain=input connection-state=related protocol=tcp
add chain=input connection-state=established protocol=udp
# ICMP to the router: 20 packets per 5 s (burst 2), the rest dropped.
add chain=input comment="ICMP ratenlimitiert" limit=20/5s,2 protocol=icmp
add action=drop chain=input protocol=icmp
# OSPF accepted from any interface (the Internet router limits it to its
# backbone ports).
add chain=input comment=OSPF protocol=ospf
# NOTE(review): as on the Internet router, no in-interface restriction — a
# spoofed 10.0.0.0/8 source is accepted from wherever it arrives.
add chain=input comment="from Backbone" src-address=10.0.0.0/8
# PPTP server reachable from any source (GRE + tcp/1723). NOTE(review):
# PPTP's MS-CHAPv2/MPPE are considered broken; if it is still needed, limit
# the sources, otherwise prefer L2TP/IPsec.
add chain=input comment="PPtP Server" protocol=gre
add chain=input dst-port=1723 protocol=tcp
# Resolver for the PPPoE customers (/ip dns allow-remote-requests=yes).
# NOTE(review): open to any source here; only the Internet router's
# "drop DNS from WAN" forward rules keep it from being an open resolver.
add chain=input comment=DNS dst-port=53 protocol=tcp
add chain=input dst-port=53 protocol=udp
# NTP: this box is only an NTP *client* in the export, and NTP uses UDP.
# Presumably meant to let replies in, but established UDP is already
# accepted above, so both rules look redundant.
add chain=input comment=NTP dst-port=123 protocol=tcp
add chain=input dst-port=123 protocol=udp
# NOTE(review): Winbox (tcp/8291), SNMP (161-162) and MNDP (udp/5678) from
# any source; consider src-address=10.0.0.0/8 as done for ssh in
# /ip service.
add chain=input comment=MGNT dst-port=161-162,8291 protocol=tcp
add chain=input dst-port=161-162,5678 protocol=udp
add action=drop chain=input comment="drop all"
# --- forward ---
# VPN transit: only packets of already established GRE/ESP/AH flows.
add chain=forward connection-state=established protocol=gre
add chain=forward connection-state=established protocol=ipsec-esp
add chain=forward connection-state=established protocol=ipsec-ah
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
protocol=tcp
# NOTE(review): these match on *src*-port 135-139,445, whereas the Internet
# router drops by dst-port. New connections whose source port happens to be
# in that range are dropped, while connections *to* 445 still pass — confirm
# which direction was intended (replies are already accepted above).
add action=drop chain=forward comment="drop Windows Network" protocol=tcp \
src-port=135-139,445
add action=drop chain=forward protocol=udp src-port=135-139,445
# Private backbone isolation: 10/8 <-> 10/8 allowed, anything else to or
# from 10/8 dropped.
add chain=forward comment=Backbone dst-address=10.0.0.0/8 src-address=\
10.0.0.0/8
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=0.0.0.0/0
add action=drop chain=forward dst-address=0.0.0.0/0 src-address=10.0.0.0/8
# Customer / public prefixes allowed out and in (mostly redacted).
add chain=forward comment="allow DDLAN" dst-address=0.0.0.0/0 src-address=\
88.79.157.0/24
add chain=forward dst-address=0.0.0.0/0 src-address=P.AD.DR.ESS.
add chain=forward dst-address=P.AD.DR.ESS. src-address=0.0.0.0/0
add chain=forward dst-address=P.AD.DR.ESS. src-address=0.0.0.0/0
add action=drop chain=forward comment="drop all"
# The default IPsec policy entry widened to any-to-any (no peer or proposal
# settings appear in the export, so it is not clear what uses it).
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Single default route towards the Internet router (redacted).
/ip route
add distance=1 gateway=P.AD.DR.ESS.
# Same service hardening as on the Internet router: telnet/ftp/www/api off,
# ssh only from 10.0.0.0/8. winbox is not listed and so presumably keeps its
# default of any address — consider address=10.0.0.0/8 there too.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/8
set api disabled=yes
set api-ssl disabled=yes
# Front-panel LCD: read-only and touch input disabled, so nobody with
# physical access can change settings from the panel; stats screen always on.
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes \
touch-screen=disabled
# Hide every port except ether1 from the LCD interface list.
/lcd interface
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
/lcd interface pages
set 0 interfaces=ether1
# Screens 2-5 disabled; numbers refer to positions in the default screen list.
/lcd screen
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
# OSPF only on the transfer link (ether1), DR priority 250; the Internet
# router uses 255 on its side of the link.
/routing ospf interface
add interface=ether1 network-type=broadcast priority=250
# Backbone area: 10.0.0.0/8; "inet" area: three public prefixes (redacted).
/routing ospf network
add area=backbone network=10.0.0.0/8
add area=inet network=P.AD.DR.ESS.
add area=inet network=P.AD.DR.ESS.
add area=inet network=P.AD.DR.ESS.
# SNMP enabled; community and allowed addresses are not in the export.
# NOTE(review): the input chain accepts udp/161-162 from any source, so make
# sure the community is not the default one.
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Berlin
# No entries follow this header in the paste: as far as the export shows, no
# logging topic is actually sent to the remote action configured above.
/system logging
# NTP client against two fixed server addresses.
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.104
/system package update
set channel=current
# CCR clock settings (only non-default values appear in an export).
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR
We have a 450 Mbit/s line that never reaches its full capacity.
We use simple queues for the PPPoE connections, but the problem is that we have a customer with 24 Mbit/s who never reaches more than 18 Mbit/s in a speed test. Sometimes he gets no more than 1 Mbit/s.
The link to the customer is an MT link over Cisco BGP VPLS; it is stable and good.
The queues are created dynamically by our RADIUS server.
The queue type is default-small.
What can help the customers get the maximum bandwidth from their queues?
Thanks for the Help