ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

100 CPU on any mikrotik router using basic rules

Wed Sep 07, 2016 4:16 pm

So I've been battling this problem for some time.

At our company I've set up a hAP ac as the main router and have some basic firewall and mangle rules with queues (around 30 altogether).

We have a 40 Mbit ADSL line and the CPU already hits 100% often when PCs on the network download Windows updates or torrents.

To make things even worse, if someone copies something over WLAN, it fully chokes the router, locking it at 100%; the internet slows down, and even the clients doing the WLAN transfer get disconnected due to "extensive data loss" errors in the router log. And max transfer speeds are up to 200 Mbit (the laptop connects at 780 Mbit/s).

If I disable ALL mangle, firewall and queue rules, the CPU load barely drops. The only thing that helps is disabling the firewall; then bridge fast path is active and the client pulls 500+ Mbit transfer speeds without problems or high CPU load.

So what exactly can I do? Other than buying another router just to serve WLAN and another one for basic QoS/firewall?

Why can't I directly bridge one LAN port with the WLAN interface, bypassing all the IP firewall that's active on the other bridge port? Why is this not possible to do on a MikroTik router?
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: 100 CPU on any mikrotik router using basic rules

Wed Sep 07, 2016 7:07 pm

Why can't I directly bridge one LAN port with the WLAN interface, bypassing all the IP firewall that's active on the other bridge port? Why is this not possible to do on a MikroTik router?
It's perfectly possible... check that "Use IP Firewall" isn't ticked on Bridge > Settings.

Upgrade it to ROS 6.36.3, checking that in System > Routerboard the Current firmware is the same as the Upgrade firmware.

Post a configuration export; 40 Mbps is way under hAP ac capabilities.
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Wed Sep 07, 2016 7:15 pm

Why can't I directly bridge one LAN port with the WLAN interface, bypassing all the IP firewall that's active on the other bridge port? Why is this not possible to do on a MikroTik router?
It's perfectly possible... check that "Use IP Firewall" isn't ticked on Bridge > Settings.

Upgrade it to ROS 6.36.3, checking that in System > Routerboard the Current firmware is the same as the Upgrade firmware.

Post a configuration export; 40 Mbps is way under hAP ac capabilities.
If I untick Use IP Firewall then ALL my firewall, mangle and queue rules stop working. The setting is for all bridges; can you untick it per bridge? That is what I asked.

I can post the configuration tomorrow, but as I said, it's not that I have too many of them or whatnot; it's enough that the IP firewall is turned on without any rules to get these poor results.

And yes, I'm using the latest software.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: 100 CPU on any mikrotik router using basic rules

Wed Sep 07, 2016 8:27 pm

Without an export I can just speculate... you have every single detail in mind because you're troubleshooting this, but I can't see anywhere where you asked for that detail... (the answer is no, it's a global setting).

With an export, we will (hopefully) be able to see if you configured the router following best practices, or suggest improvements to specific configuration details.
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Thu Sep 08, 2016 12:42 am

I doubt this export will solve anything; basically just taking a freshly reset router, creating a simple wifi connection with a bridge and enabling the IP filter will cause 100% CPU load and almost 4x less performance, making the router useless for some basic expected functions.

In case someone is going to say I have too many firewall rules or the ordering is wrong or whatever: disabling all of them, deleting all these firewall rules (filter, mangle, queue), makes almost NO difference in CPU load!
/ip firewall connection tracking
set generic-timeout=5m icmp-timeout=7s tcp-close-timeout=7s \
    tcp-close-wait-timeout=6s tcp-established-timeout=10m tcp-fin-wait-timeout=\
    6s tcp-last-ack-timeout=7s tcp-syn-received-timeout=4s \
    tcp-syn-sent-timeout=4s tcp-time-wait-timeout=7s udp-timeout=5s
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2
/interface sstp-server server
set max-mru=1492 max-mtu=1492 mrru=1500 port=6000
/ip address
add address=192.168.1.5/24 interface=GETIM network=192.168.1.0
add address=192.168.2.1/24 interface="GREEN TRAVEL" network=192.168.2.0
add address=192.168.1.244/24 interface=ADSL_ULAZ network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=GETIM
/ip dhcp-server lease
add address=192.168.1.196 always-broadcast=yes client-id=1:bc:ae:c5:5d:4c:ee \
    mac-address=BC:AE:C5:5D:4C:EE server=dhcp2
add address=192.168.1.193 always-broadcast=yes client-id=1:18:5e:f:3b:76:8f \
    mac-address=18:5E:0F:3B:76:8F server=dhcp2
add address=192.168.1.195 mac-address=00:22:F4:46:3D:9D server=dhcp1
add address=192.168.1.194 always-broadcast=yes client-id=1:0:1e:8c:b5:d0:6f \
    mac-address=00:1E:8C:B5:D0:6F server=dhcp2
add address=192.168.1.197 always-broadcast=yes client-id=1:0:1d:60:57:ce:1b \
    mac-address=00:1D:60:57:CE:1B server=dhcp2
add address=192.168.1.50 always-broadcast=yes client-id=1:90:e7:c4:c6:9c:b1 \
    mac-address=90:E7:C4:C6:9C:B1 server=dhcp2
/ip dhcp-server network
add address=192.168.1.0/24 dhcp-option=\
    "PXEClient,OPTION66,Predefined Option 43" dns-server=192.168.1.244 gateway=\
    192.168.1.244 netmask=24 next-server=192.168.1.200
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB query-total-timeout=5s \
    servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=212.15.170.59 list=GOOGLE
add address=173.255.253.123 list=showmypcIP
add address=46.28.53.198 list="101 Zagreb"
add address=195.29.89.26 list=ORBIS
add address=173.192.137.34 list=173.192.137.34
add address=192.168.1.1 list=POS_BLOCK
add address=192.168.1.2 list=POS_BLOCK
add address=192.168.1.3 list=POS_BLOCK
add address=192.168.1.4 list=POS_BLOCK
add address=192.168.1.5 list=POS_BLOCK
add address=192.168.1.6 list=POS_BLOCK
add address=192.168.1.7 list=POS_BLOCK
add address=192.168.1.8 list=POS_BLOCK
add address=192.168.1.9 list=POS_BLOCK
add address=192.168.1.10 list=POS_BLOCK
add address=192.168.1.11 list=POS_BLOCK
add address=192.168.1.12 list=POS_BLOCK
add address=192.168.1.13 list=POS_BLOCK
add address=192.168.1.14 list=POS_BLOCK
add address=192.168.1.15 list=POS_BLOCK
add address=192.168.1.16 list=POS_BLOCK
add address=192.168.1.17 list=POS_BLOCK
add address=192.168.1.18 list=POS_BLOCK
add address=192.168.1.19 list=POS_BLOCK
add address=192.168.1.20 list=POS_BLOCK
add address=192.168.1.21 list=POS_BLOCK
add address=192.168.1.22 list=POS_BLOCK
add address=192.168.1.23 list=POS_BLOCK
add address=192.168.1.24 list=POS_BLOCK
add address=192.168.1.25 list=POS_BLOCK
add address=192.168.1.26 list=POS_BLOCK
add address=192.168.1.27 list=POS_BLOCK
add address=192.168.1.28 list=POS_BLOCK
add address=192.168.1.29 list=POS_BLOCK
add address=192.168.1.30 list=POS_BLOCK
add address=192.168.1.31 list=POS_BLOCK
add address=192.168.1.32 list=POS_BLOCK
add address=192.168.1.33 list=POS_BLOCK
add address=192.168.1.34 list=POS_BLOCK
add address=192.168.1.35 list=POS_BLOCK
add address=192.168.1.36 list=POS_BLOCK
add address=192.168.1.37 list=POS_BLOCK
add address=192.168.1.38 list=POS_BLOCK
add address=192.168.1.39 list=POS_BLOCK
add address=192.168.1.40 list=POS_BLOCK
add address=192.168.1.41 list=POS_BLOCK
add address=192.168.1.42 list=POS_BLOCK
add address=192.168.1.43 list=POS_BLOCK
add address=192.168.1.44 list=POS_BLOCK
add address=192.168.1.45 list=POS_BLOCK
add address=192.168.1.46 list=POS_BLOCK
add address=192.168.1.47 list=POS_BLOCK
add address=192.168.1.48 list=POS_BLOCK
add address=192.168.1.49 list=POS_BLOCK
add address=192.168.1.50 list=POS_BLOCK
add address=192.168.1.51 list=POS_BLOCK
add address=192.168.1.52 list=POS_BLOCK
add address=192.168.1.53 list=POS_BLOCK
add address=192.168.1.54 list=POS_BLOCK
add address=192.168.1.55 list=POS_BLOCK
add address=192.168.1.56 list=POS_BLOCK
add address=192.168.1.57 list=POS_BLOCK
add address=192.168.1.58 list=POS_BLOCK
add address=192.168.1.59 list=POS_BLOCK
add address=192.168.1.60 list=POS_BLOCK
add address=192.168.1.61 list=POS_BLOCK
add address=192.168.1.62 list=POS_BLOCK
add address=192.168.1.63 list=POS_BLOCK
add address=192.168.1.64 list=POS_BLOCK
add address=192.168.1.65 list=POS_BLOCK
add address=192.168.1.66 list=POS_BLOCK
add address=192.168.1.67 list=POS_BLOCK
add address=192.168.1.68 list=POS_BLOCK
add address=192.168.1.69 list=POS_BLOCK
add address=192.168.1.70 list=POS_BLOCK
add address=192.168.1.71 list=POS_BLOCK
add address=192.168.1.72 list=POS_BLOCK
add address=192.168.1.73 list=POS_BLOCK
add address=192.168.1.74 list=POS_BLOCK
add address=192.168.1.75 list=POS_BLOCK
add address=192.168.1.76 list=POS_BLOCK
add address=192.168.1.77 list=POS_BLOCK
add address=192.168.1.78 list=POS_BLOCK
add address=192.168.1.79 list=POS_BLOCK
add address=192.168.1.80 list=POS_BLOCK
add address=192.168.1.81 list=POS_BLOCK
add address=192.168.1.82 list=POS_BLOCK
add address=192.168.1.83 list=POS_BLOCK
add address=192.168.1.84 list=POS_BLOCK
add address=192.168.1.85 list=POS_BLOCK
add address=192.168.1.86 list=POS_BLOCK
add address=192.168.1.87 list=POS_BLOCK
add address=192.168.1.88 list=POS_BLOCK
add address=192.168.1.89 list=POS_BLOCK
add address=192.168.1.90 list=POS_BLOCK
add address=192.168.1.91 list=POS_BLOCK
add address=192.168.1.92 list=POS_BLOCK
add address=192.168.1.93 list=POS_BLOCK
add address=192.168.1.94 list=POS_BLOCK
add address=192.168.1.95 list=POS_BLOCK
add address=192.168.1.96 list=POS_BLOCK
add address=192.168.1.97 list=POS_BLOCK
add address=192.168.1.98 list=POS_BLOCK
add address=192.168.1.99 list=POS_BLOCK
add address=192.168.1.100 list=POS_BLOCK
add address=192.168.1.101 list=POS_BLOCK
add address=192.168.1.102 list=POS_BLOCK
add address=192.168.1.103 list=POS_BLOCK
add address=192.168.1.104 list=POS_BLOCK
add address=192.168.1.105 list=POS_BLOCK
add address=192.168.1.106 list=POS_BLOCK
add address=192.168.1.107 list=POS_BLOCK
add address=192.168.1.108 list=POS_BLOCK
add address=192.168.1.109 list=POS_BLOCK
add address=192.168.1.110 list=POS_BLOCK
add address=192.168.1.111 list=POS_BLOCK
add address=192.168.1.112 list=POS_BLOCK
add address=192.168.1.113 list=POS_BLOCK
add address=192.168.1.114 list=POS_BLOCK
add address=192.168.1.115 list=POS_BLOCK
add address=192.168.1.116 list=POS_BLOCK
add address=192.168.1.117 list=POS_BLOCK
add address=192.168.1.118 list=POS_BLOCK
add address=192.168.1.119 list=POS_BLOCK
add address=192.168.1.120 list=POS_BLOCK
add address=192.168.1.121 list=POS_BLOCK
add address=192.168.1.122 list=POS_BLOCK
add address=192.168.1.123 list=POS_BLOCK
add address=192.168.1.124 list=POS_BLOCK
add address=192.168.1.125 list=POS_BLOCK
add address=192.168.1.126 list=POS_BLOCK
add address=192.168.1.127 list=POS_BLOCK
add address=192.168.1.128 list=POS_BLOCK
add address=192.168.1.129 list=POS_BLOCK
add address=192.168.1.130 list=POS_BLOCK
add address=192.168.1.131 list=POS_BLOCK
add address=192.168.1.132 list=POS_BLOCK
add address=192.168.1.133 list=POS_BLOCK
add address=192.168.1.134 list=POS_BLOCK
add address=192.168.1.135 list=POS_BLOCK
add address=192.168.1.136 list=POS_BLOCK
add address=192.168.1.137 list=POS_BLOCK
add address=192.168.1.138 list=POS_BLOCK
add address=192.168.1.139 list=POS_BLOCK
add address=192.168.1.140 list=POS_BLOCK
add address=192.168.1.141 list=POS_BLOCK
add address=192.168.1.142 list=POS_BLOCK
add address=192.168.1.143 list=POS_BLOCK
add address=192.168.1.144 list=POS_BLOCK
add address=192.168.1.145 list=POS_BLOCK
add address=192.168.1.146 list=POS_BLOCK
add address=192.168.1.147 list=POS_BLOCK
add address=192.168.1.148 list=POS_BLOCK
add address=192.168.1.149 list=POS_BLOCK
add address=192.168.1.150 list=POS_BLOCK
add address=192.168.1.151 list=POS_BLOCK
add address=192.168.1.152 list=POS_BLOCK
add address=192.168.1.153 list=POS_BLOCK
add address=192.168.1.154 list=POS_BLOCK
add address=192.168.1.155 list=POS_BLOCK
add address=192.168.1.156 list=POS_BLOCK
add address=192.168.1.157 list=POS_BLOCK
add address=192.168.1.158 list=POS_BLOCK
add address=192.168.1.159 list=POS_BLOCK
add address=192.168.1.160 list=POS_BLOCK
add address=192.168.1.161 list=POS_BLOCK
add address=192.168.1.162 list=POS_BLOCK
add address=192.168.1.163 list=POS_BLOCK
add address=192.168.1.164 list=POS_BLOCK
add address=192.168.1.165 list=POS_BLOCK
add address=192.168.1.166 list=POS_BLOCK
add address=192.168.1.167 list=POS_BLOCK
add address=192.168.1.168 list=POS_BLOCK
add address=192.168.1.169 list=POS_BLOCK
add address=192.168.1.170 list=POS_BLOCK
add address=192.168.1.171 list=POS_BLOCK
add address=192.168.1.172 list=POS_BLOCK
add address=192.168.1.173 list=POS_BLOCK
add address=192.168.1.174 list=POS_BLOCK
add address=192.168.1.175 list=POS_BLOCK
add address=192.168.1.176 list=POS_BLOCK
add address=192.168.1.177 list=POS_BLOCK
add address=192.168.1.178 list=POS_BLOCK
add address=192.168.1.179 list=POS_BLOCK
add address=192.168.1.180 list=POS_BLOCK
add address=192.168.1.181 list=POS_BLOCK
add address=192.168.1.182 list=POS_BLOCK
add address=192.168.1.183 list=POS_BLOCK
add address=192.168.1.184 list=POS_BLOCK
add address=192.168.1.185 list=POS_BLOCK
add address=192.168.1.186 list=POS_BLOCK
add address=192.168.1.187 list=POS_BLOCK
add address=192.168.1.188 list=POS_BLOCK
add address=192.168.1.189 list=POS_BLOCK
add address=192.168.1.190 list=POS_BLOCK
add address=192.168.1.191 list=POS_BLOCK
add address=192.168.1.192 list=POS_BLOCK
add address=192.168.1.193 list=POS_BLOCK
add address=192.168.1.194 list=POS_BLOCK
add address=192.168.1.195 list=POS_BLOCK
add address=192.168.1.196 list=POS_BLOCK
add address=192.168.1.197 list=POS_BLOCK
add address=192.168.1.198 list=POS_BLOCK
add address=192.168.1.199 list=POS_BLOCK
add address=192.168.1.200 list=POS_BLOCK
add address=192.168.1.201 list=POS_BLOCK
add address=192.168.1.202 list=POS_BLOCK
add address=192.168.1.203 list=POS_BLOCK
add address=192.168.1.204 list=POS_BLOCK
add address=192.168.1.205 list=POS_BLOCK
add address=192.168.1.206 list=POS_BLOCK
add address=192.168.1.207 list=POS_BLOCK
add address=192.168.1.208 list=POS_BLOCK
add address=192.168.1.209 list=POS_BLOCK
add address=192.168.1.210 list=POS_BLOCK
add address=192.168.1.211 list=POS_BLOCK
add address=192.168.1.212 list=POS_BLOCK
add address=192.168.1.213 list=POS_BLOCK
add address=192.168.1.214 list=POS_BLOCK
add address=192.168.1.215 list=POS_BLOCK
add address=192.168.1.216 list=POS_BLOCK
add address=192.168.1.217 list=POS_BLOCK
add address=192.168.1.218 list=POS_BLOCK
add address=192.168.1.219 list=POS_BLOCK
add address=192.168.1.220 list=POS_BLOCK
add address=192.168.1.221 list=POS_BLOCK
add address=192.168.1.222 list=POS_BLOCK
add address=192.168.1.223 list=POS_BLOCK
add address=192.168.1.224 list=POS_BLOCK
add address=192.168.1.225 list=POS_BLOCK
add address=192.168.1.226 list=POS_BLOCK
add address=192.168.1.227 list=POS_BLOCK
add address=192.168.1.228 list=POS_BLOCK
add address=192.168.1.229 list=POS_BLOCK
add address=192.168.1.230 list=POS_BLOCK
add address=192.168.1.231 list=POS_BLOCK
add address=192.168.1.232 list=POS_BLOCK
add address=192.168.1.233 list=POS_BLOCK
add address=192.168.1.234 list=POS_BLOCK
add address=192.168.1.235 list=POS_BLOCK
add address=192.168.1.236 list=POS_BLOCK
add address=192.168.1.237 list=POS_BLOCK
add address=192.168.1.238 list=POS_BLOCK
add address=192.168.1.239 list=POS_BLOCK
add address=192.168.1.240 list=POS_BLOCK
add address=192.168.1.241 list=POS_BLOCK
add address=192.168.1.242 list=POS_BLOCK
add address=192.168.1.243 list=POS_BLOCK
add address=192.168.1.245 list=POS_BLOCK
add address=192.168.1.246 list=POS_BLOCK
add address=192.168.1.247 list=POS_BLOCK
add address=192.168.1.248 list=POS_BLOCK
add address=192.168.1.249 list=POS_BLOCK
add address=192.168.1.250 list=POS_BLOCK
add address=192.168.1.251 list=POS_BLOCK
add address=192.168.1.252 list=POS_BLOCK
add address=192.168.1.253 list=POS_BLOCK
add address=192.168.1.255 list=POS_BLOCK
add address=192.168.2.0/24 list=POS_BLOCK
add address=192.168.101.0/24 list=POS_BLOCK
add address=173.192.137.34 list=Antena
add address=195.29.89.26 list=ORBIS_IP
/ip firewall filter
add action=fasttrack-connection chain=forward out-bridge-port=WLAN_5G
add action=fasttrack-connection chain=forward in-interface=GETIM
add action=fasttrack-connection chain=forward out-interface=GETIM
add action=fasttrack-connection chain=input in-interface=GETIM
add action=fasttrack-connection chain=output out-interface=GETIM
add action=accept chain=input port=6001 protocol=tcp
add action=accept chain=input connection-state=established in-interface=\
    ADSL_BRIDGE
add action=drop chain=forward port=5355 protocol=udp
add action=drop chain=forward comment="POS URE\D0AJI" in-interface=GETIM \
    out-bridge-port=POS1 src-address-list=POS_BLOCK
add action=drop chain=forward in-interface=GETIM out-bridge-port=POS2 \
    src-address-list=POS_BLOCK
add action=drop chain=forward in-interface=ADSL_BRIDGE port=137 protocol=udp
add action=accept chain=input in-interface=ADSL_BRIDGE port=53 protocol=udp
add action=accept chain=forward dst-address=192.168.1.244 src-address=\
    192.168.1.0/24
add action=drop chain=forward in-interface=ADSL_BRIDGE src-address=\
    192.168.1.242
add action=accept chain=input in-interface=ADSL_BRIDGE port=8291 protocol=tcp
add action=accept chain=forward port=5901,5550,3334 protocol=tcp
add action=accept chain=forward port=5500,5901,3334 protocol=udp
add action=accept chain=forward port=53 protocol=tcp
add action=accept chain=forward port=8080 protocol=tcp
add action=accept chain=input in-interface=ADSL_BRIDGE protocol=icmp
add action=accept chain=input connection-state=related
add action=drop chain=forward src-address=192.168.102.0/24
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward in-interface=ADSL_BRIDGE port=67-68 protocol=udp \
    src-address=192.168.1.254
add action=drop chain=forward in-interface="GREEN TRAVEL" out-interface=GETIM
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-limit=100,32 in-interface=ADSL_BRIDGE \
    protocol=udp
add action=jump chain=forward comment="SYN Flood protect" connection-state=new \
    in-interface=ADSL_BRIDGE jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new in-interface=\
    ADSL_BRIDGE limit=200,300:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new in-interface=ADSL_BRIDGE \
    tcp-flags=""
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=WINBOX passthrough=no \
    port=8291 protocol=tcp
add action=mark-packet chain=postrouting dst-address=8.8.8.8 new-packet-mark=\
    ICMP/DNS_QOS out-interface=ADSL_BRIDGE passthrough=no
add action=mark-packet chain=postrouting new-packet-mark=ICMP/DNS_QOS \
    out-interface=ADSL_BRIDGE passthrough=no protocol=icmp
add action=mark-packet chain=postrouting new-packet-mark=ICMP/DNS_QOS \
    out-interface=ADSL_BRIDGE passthrough=no port=53 protocol=udp
add action=mark-packet chain=postrouting connection-state=new new-packet-mark=\
    ICMP/DNS_QOS out-interface=ADSL_BRIDGE passthrough=no protocol=tcp
add action=mark-packet chain=postrouting new-packet-mark=ICMP/DNS_QOS \
    out-interface=ADSL_BRIDGE packet-size=90-159 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=postrouting new-packet-mark=ICMP/DNS_QOS \
    out-interface=ADSL_BRIDGE packet-size=160-249 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-connection chain=postrouting comment=RDP new-connection-mark=\
    RDP_CONNECTION out-interface=ADSL_BRIDGE passthrough=yes port=3389 \
    protocol=tcp
add action=mark-connection chain=postrouting new-connection-mark=RDP_CONNECTION \
    out-interface=ADSL_BRIDGE passthrough=yes port=3389 protocol=udp
add action=mark-packet chain=postrouting connection-mark=RDP_CONNECTION \
    new-packet-mark=RDP_QOS out-interface=ADSL_BRIDGE passthrough=no
add action=mark-connection chain=postrouting comment=VNC new-connection-mark=\
    VNC out-interface=ADSL_BRIDGE passthrough=yes port=5500,5901 protocol=tcp
add action=mark-packet chain=postrouting connection-mark=VNC new-packet-mark=\
    VNC_QOS out-interface=ADSL_BRIDGE passthrough=no
add action=mark-packet chain=postrouting comment=ORBIS new-packet-mark=\
    ORBIS_QOS out-interface=ADSL_BRIDGE passthrough=no src-address-list=ORBIS
add action=mark-connection chain=postrouting comment="101 radio" \
    new-connection-mark=101radio_connection out-interface=ADSL_BRIDGE \
    passthrough=yes src-address-list="101 Zagreb"
add action=mark-connection chain=postrouting new-connection-mark=\
    101radio_connection out-interface=ADSL_BRIDGE passthrough=yes \
    src-address-list=173.192.137.34
add action=mark-packet chain=postrouting new-packet-mark=101radio_QOS \
    out-interface=ADSL_BRIDGE passthrough=no src-address-list=Antena
add action=mark-packet chain=postrouting connection-mark=101radio_connection \
    new-packet-mark=101radio_QOS out-interface=ADSL_BRIDGE passthrough=no
add action=mark-connection chain=postrouting comment=TORRENTS \
    new-connection-mark=p2p_conn out-interface=ADSL_BRIDGE passthrough=yes \
    port=33333 protocol=udp
add action=mark-connection chain=postrouting new-connection-mark=p2p_conn \
    out-interface=ADSL_BRIDGE passthrough=yes port=33333 protocol=tcp
add action=mark-connection chain=postrouting content=d1:ad2:id20: \
    new-connection-mark=p2p_conn out-interface=ADSL_BRIDGE packet-size=95-190 \
    passthrough=yes port=1025-65535 protocol=udp
add action=mark-packet chain=postrouting new-packet-mark=p2p out-interface=\
    ADSL_BRIDGE p2p=all-p2p passthrough=no
add action=mark-packet chain=postrouting connection-mark=p2p_conn \
    new-packet-mark=p2p out-interface=ADSL_BRIDGE passthrough=no
add action=mark-connection chain=postrouting comment=HTTP_DOWNLOADS \
    connection-bytes=1000000-0 new-connection-mark=HTTP_DOWNLOD_CON \
    out-interface=ADSL_BRIDGE passthrough=yes port=80,443,8080 protocol=tcp
add action=mark-connection chain=postrouting connection-bytes=1000000-0 \
    new-connection-mark=HTTP_DOWNLOD_CON out-interface=ADSL_BRIDGE passthrough=\
    yes port=443,80,8080 protocol=udp
add action=mark-packet chain=postrouting connection-mark=HTTP_DOWNLOD_CON \
    new-packet-mark=HTTP_DOWNLOADS out-interface=ADSL_BRIDGE passthrough=no
add action=mark-connection chain=postrouting comment=HTTP connection-bytes=\
    0-4000000 new-connection-mark=http_conn out-interface=ADSL_BRIDGE \
    passthrough=yes port=80,443,8080 protocol=tcp
add action=mark-connection chain=postrouting connection-bytes=0-4000000 \
    new-connection-mark=http_conn out-interface=ADSL_BRIDGE passthrough=yes \
    port=80,443,8080 protocol=udp
add action=mark-packet chain=postrouting connection-mark=http_conn \
    new-packet-mark=http out-interface=ADSL_BRIDGE passthrough=no
add action=mark-connection chain=postrouting comment=OTHER new-connection-mark=\
    other_conn out-interface=ADSL_BRIDGE passthrough=yes
add action=mark-packet chain=postrouting connection-mark=other_conn \
    new-packet-mark=other out-interface=ADSL_BRIDGE passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat port=6001 protocol=tcp to-addresses=\
    192.168.255.2 to-ports=3389
add action=dst-nat chain=dstnat port=6001 protocol=udp to-addresses=\
    192.168.255.2 to-ports=3389
add action=masquerade chain=srcnat src-address=192.168.2.0/24
add action=redirect chain=dstnat disabled=yes dst-port=80 in-interface=*14 \
    protocol=tcp src-address=!192.168.1.5 to-ports=8080
add action=redirect chain=dstnat disabled=yes dst-port=80 in-interface=\
    ADSL_BRIDGE protocol=tcp to-ports=8080
/ip firewall service-port
set ftp disabled=yes
/ip proxy
set always-from-cache=yes cache-administrator="" cache-hit-dscp=5 cache-path=\
    disk4/proxy max-cache-size=60000KiB max-client-connections=1000 \
    max-fresh-time=42w6d max-server-connections=1000 parent-proxy=0.0.0.0
/ip proxy access
add path=*.flv
add path=*.avi
add path=*.mp4
add path=*.mp3
add path=*.zip
add path=*.rar
add path=*.exe
add action=deny disabled=yes dst-host=*@*txt*
/ip proxy cache
add action=deny dst-host=*@*txt*
add action=deny path=*@*txt*
/ip route
add distance=1 gateway=192.168.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no domain=WORKGROUP interfaces=GETIM
/ip smb shares
set [ find default=yes ] directory=/disk4
add directory=/share1 name=share1
/ip smb users
set [ find default=yes ] name=g
/metarouter interface
add static-interface=GETIM vm-mac-address=02:19:AF:42:AD:1F
/ppp secret
add local-address=192.168.255.4 name=getim remote-address=192.168.255.1
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=GETIM_MIKROTIK_WLAN
/system package update
set channel=release-candidate
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled
/system scheduler
add interval=1m name=DynDns on-event="/system script run DynDns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    apr/28/2016 start-time=09:43:13
/system script
add name=DynDns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":local us\
    ername \"getim\"\r\
    \n:local password \"masked\"\r\
    \n:local hostname \"getim.ath.cx\"\r\
    \n:local emailAddress \"\"\r\
    \n\r\
    \n:local url \"dummy\"\r\
    \n:local previousIP\r\
    \n\r\
    \n:global dyndnsForce\r\
    \n\r\
    \n:set dyndnsForce false\r\
    \n\r\
    \n:log info (\"UpdateDynDNS starts.\")\r\
    \n\r\
    \n# print some debug info\r\
    \n#:log info (\"UpdateDynDNS: username = \$username\")\r\
    \n#:log info (\"UpdateDynDNS: password = \$password\")\r\
    \n#:log info (\"UpdateDynDNS: hostname = \$hostname\")\r\
    \n#:log info (\"UpdateDynDNS: previousIP = \$previousIP\")\r\
    \n\r\
    \n# I have some doubt over the persistence of the global previousIP.\r\
    \n# This value should be stored in /dyndns.txt after the last update attempt\
    ,\r\
    \n# preceded by the status and a space.\r\
    \n# For status values see: https://help.dyn.com/remote-access-api/return-cod\
    es/\r\
    \n\r\
    \n:if ([:len [/file find name=dyndns.txt]] > 0) do={\r\
    \n   :local ipfile [/file get dyndns.txt contents]\r\
    \n   :local ipstart ([find \$ipfile \" \" -1] + 1)\r\
    \n   :local ipend [:len \$ipfile]\r\
    \n   :set previousIP [:pick \$ipfile \$ipstart \$ipend]\r\
    \n} else={\r\
    \n   :set previousIP \"0.0.0.0\"\r\
    \n}\r\
    \n\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n/tool fetch mode=http address=\"checkip.dyn.com\" src-path=\"/\" dst-path=\
    \"/dyndns.checkip.html\"\r\
    \n:delay 1\r\
    \n:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n:local resultLen [:len \$result]\r\
    \n:local startLoc [:find \$result \": \" -1]\r\
    \n:set startLoc (\$startLoc + 2)\r\
    \n:local endLoc [:find \$result \"</body>\" -1]\r\
    \n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n\r\
    \n# Remove the # on next line to force an update every single time - useful \
    for debugging,\r\
    \n# but you could end up getting blacklisted by DynDNS!\r\
    \n\r\
    \n#:set dyndnsForce true\r\
    \n\r\
    \n# Determine if dyndns update is needed\r\
    \n# more dyndns updater request details http://www.dyndns.com/developers/spe\
    cs/syntax.html\r\
    \n\r\
    \n:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
    \n   :log info (\"Changing IP from \$previousIP to \$currentIP.\")\r\
    \n   :set dyndnsForce false\r\
    \n   :set url \"http://\$username:\$password@members.dyndns.org/nic/update\?\
    hostname=\$hostname&myip=\$currentIP&wildcard=no\"\r\
    \n   /tool fetch url=\$url mode=http dst-path=\"/dyndns.txt\"\r\
    \n  \r\
    \n# Original code:\r\
    \n#   /tool fetch user=\$username password=\$password mode=http address=\"me\
    mbers.dyndns.org\" \\\r\
    \n#      src-path=\"nic/update\?system=dyndns&hostname=\$hostname&myip=\$cur\
    rentIP&wildcard=no\" \\\r\
    \n#      dst-path=\"/dyndns.txt\"\r\
    \n\r\
    \n   :delay 1\r\
    \n\r\
    \n #  :set previousIP \$currentIP\r\
    \n\r\
    \n   :local result [/file get dyndns.txt contents]\r\
    \n   :log info (\"UpdateDynDNS: Dyndns update needed\")\r\
    \n   :log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
    \n\r\
    \n# email result:\r\
    \n   :local output \"DynDNS Update Result: \$result\"\r\
    \n   /tool e-mail send to=\"\$emailAddress\" subject=\"DynDNS update \$curre\
    ntTime\" body=\"\$output\"\r\
    \n} else={\r\
    \n   :log info (\"UpdateDynDNS: No dyndns update needed\")\r\
    \n}"
add name=Supermario owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":beep fre\
    quency=660 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=660 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=660 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=510 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=660 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=770 length=100ms;\r\
    \n:delay 550ms;\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 575ms;\r\
    \n\r\
    \n:beep frequency=510 length=100ms;\r\
    \n:delay 450ms;\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 400ms;\r\
    \n:beep frequency=320 length=100ms;\r\
    \n:delay 500ms;\r\
    \n:beep frequency=440 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=480 length=80ms;\r\
    \n:delay 330ms;\r\
    \n:beep frequency=450 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=430 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=660 length=80ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=760 length=50ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=860 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=700 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=760 length=50ms;\r\
    \n:delay 350ms;\r\
    \n:beep frequency=660 length=80ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=520 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=580 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=480 length=80ms;\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:beep frequency=510 length=100ms;\r\
    \n:delay 450ms;\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 400ms;\r\
    \n:beep frequency=320 length=100ms;\r\
    \n:delay 500ms;\r\
    \n:beep frequency=440 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=480 length=80ms;\r\
    \n:delay 330ms;\r\
    \n:beep frequency=450 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=430 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=660 length=80ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=760 length=50ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=860 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=700 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=760 length=50ms;\r\
    \n:delay 350ms;\r\
    \n:beep frequency=660 length=80ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=520 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=580 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=480 length=80ms;\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=760 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=720 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=680 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=620 length=150ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=650 length=150ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=430 length=100ms;\r\
    \n:delay 150ms;\r\
    \n\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=430 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=570 length=100ms;\r\
    \n:delay 220ms;\r\
    \n\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=760 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=720 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=680 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=620 length=150ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=650 length=200ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=1020 length=80ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=1020 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=1020 length=80ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=760 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=720 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=680 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=620 length=150ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=650 length=150ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=430 length=100ms;\r\
    \n:delay 150ms;\r\
    \n\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=430 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=570 length=100ms;\r\
    \n:delay 420ms;\r\
    \n\r\
    \n:beep frequency=585 length=100ms;\r\
    \n:delay 450ms;\r\
    \n\r\
    \n:beep frequency=550 length=100ms;\r\
    \n:delay 420ms;\r\
    \n\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 360ms;\r\
    \n\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=760 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=720 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=680 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=620 length=150ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=650 length=150ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=430 length=100ms;\r\
    \n:delay 150ms;\r\
    \n\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=430 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=570 length=100ms;\r\
    \n:delay 220ms;\r\
    \n\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=760 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=720 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=680 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=620 length=150ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=650 length=200ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=1020 length=80ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=1020 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=1020 length=80ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=760 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=720 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=680 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=620 length=150ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=650 length=150ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=430 length=100ms;\r\
    \n:delay 150ms;\r\
    \n\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=430 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=570 length=100ms;\r\
    \n:delay 420ms;\r\
    \n\r\
    \n:beep frequency=585 length=100ms;\r\
    \n:delay 450ms;\r\
    \n\r\
    \n:beep frequency=550 length=100ms;\r\
    \n:delay 420ms;\r\
    \n\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 360ms;\r\
    \n\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=100ms;\r\
    \n:delay 300ms;\r\
    \n\r\
    \n:beep frequency=500 length=60ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=80ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=500 length=60ms;\r\
    \n:delay 350ms;\r\
    \n:beep frequency=500 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=580 length=80ms;\r\
    \n:delay 350ms;\r\
    \n:beep frequency=660 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=80ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=430 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=380 length=80ms;\r\
    \n:delay 600ms;\r\
    \n\r\
    \n:beep frequency=500 length=60ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=80ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=500 length=60ms;\r\
    \n:delay 350ms;\r\
    \n:beep frequency=500 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=580 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=660 length=80ms;\r\
    \n:delay 550ms;\r\
    \n\r\
    \n:beep frequency=870 length=80ms;\r\
    \n:delay 325ms;\r\
    \n:beep frequency=760 length=80ms;\r\
    \n:delay 600ms;\r\
    \n\r\
    \n:beep frequency=500 length=60ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=80ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=500 length=60ms;\r\
    \n:delay 350ms;\r\
    \n:beep frequency=500 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=580 length=80ms;\r\
    \n:delay 350ms;\r\
    \n:beep frequency=660 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=80ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=430 length=80ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=380 length=80ms;\r\
    \n:delay 600ms;\r\
    \n\r\
    \n:beep frequency=660 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=660 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=660 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=510 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=660 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=770 length=100ms;\r\
    \n:delay 550ms;\r\
    \n:beep frequency=380 length=100ms;\r\
    \n:delay 575ms;"
add name=Imperial owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":beep fre\
    quency=500 length=500ms;\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:beep frequency=500 length=500ms;\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:beep frequency=500 length=500ms;\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:beep frequency=400 length=500ms;\r\
    \n:delay 400ms;\r\
    \n\r\
    \n:beep frequency=600 length=200ms;\r\
    \n:delay 100ms;\r\
    \n\r\
    \n:beep frequency=500 length=500ms;\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:beep frequency=400 length=500ms;\r\
    \n:delay 400ms;\r\
    \n\r\
    \n:beep frequency=600 length=200ms;\r\
    \n:delay 100ms;\r\
    \n\r\
    \n:beep frequency=500 length=500ms;\r\
    \n:delay 1000ms;\r\
    \n\r\
    \n\r\
    \n\r\
    \n:beep frequency=750 length=500ms;\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:beep frequency=750 length=500ms;\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:beep frequency=750 length=500ms;\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:beep frequency=810 length=500ms;\r\
    \n:delay 400ms;\r\
    \n\r\
    \n:beep frequency=600 length=200ms;\r\
    \n:delay 100ms;\r\
    \n\r\
    \n:beep frequency=470 length=500ms;\r\
    \n:delay 500ms;\r\
    \n\r\
    \n:beep frequency=400 length=500ms;\r\
    \n:delay 400ms;\r\
    \n\r\
    \n:beep frequency=600 length=200ms;\r\
    \n:delay 100ms;\r\
    \n\r\
    \n:beep frequency=500 length=500ms;\r\
    \n:delay 1000ms;"
/tool netwatch
add down-script=":beep frequency=900 length=30ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=800 length=30ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=700 length=30ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=600 length=30ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=30ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=400 length=30ms;" host=8.8.8.8 interval=10s timeout=5s \
    up-script=":beep frequency=400 length=30ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=500 length=30ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=600 length=30ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=700 length=30ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=800 length=30ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=900 length=30ms;"
/tool romon port
add
[admin@GETIM_MIKROTIK_WLAN] > 
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: 100 CPU on any mikrotik router using basic rules

Thu Sep 08, 2016 1:50 pm

At our company I've set a hAP ac as main router and have some basic firewall and mangle rules with QUEUES.
Sorry, but this config is far from a "basic" one; you seem to have touched every imaginable knob available in the OS, so the possible variables are endless, making troubleshooting a shot in the dark.

Where are you seeing that "spike"? In the Winbox CPU load graph? Winbox Dashboard > CPU? Or Tools > Profile?

Supposing you actually saw it on Tools > Profile, or Winbox Dashboard > CPU, and not the bar graph, which can "peak" with 0% CPU load and isn't a reliable load indicator by any means.

Have you tried resetting it to defaults? Does it have that 100% CPU spike?

If it persists: does it keep peaking the CPU after netinstalling it and using a default config?

P.S.: Can't make any sense out of your setup; I'd start with a default one (MikroTik engineers chose all these settings for a reason) and customize/evolve from there.
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Thu Sep 08, 2016 4:21 pm

At our company I've set a hAP ac as main router and have some basic firewall and mangle rules with QUEUES.
Sorry, but this config is far from a "basic" one; you seem to have touched every imaginable knob available in the OS, so the possible variables are endless, making troubleshooting a shot in the dark.

Where are you seeing that "spike"? In the Winbox CPU load graph? Winbox Dashboard > CPU? Or Tools > Profile?

Supposing you actually saw it on Tools > Profile, or Winbox Dashboard > CPU, and not the bar graph, which can "peak" with 0% CPU load and isn't a reliable load indicator by any means.

Have you tried resetting it to defaults? Does it have that 100% CPU spike?

If it persists: does it keep peaking the CPU after netinstalling it and using a default config?

P.S.: Can't make any sense out of your setup; I'd start with a default one (MikroTik engineers chose all these settings for a reason) and customize/evolve from there.
I had to do all these settings and workarounds because of this problem; if I reset the router to defaults then things are even WORSE.

A freshly reset router, creating a simple bridge of WLAN and one LAN port, with IP filter turned on and without a single additional rule or setting, causes the same issue: 100% CPU load in the profiler, around 50% firewall, wireless around 30%, and some other services the rest.
File transfers then drop, packets drop, and the client even gets disconnected by the router due to extensive data loss.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: 100 CPU on any mikrotik router using basic rules

Thu Sep 08, 2016 7:11 pm

Do you really need the firewall at bridge level? If you use it, it was not clear from the export...
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Thu Sep 08, 2016 7:59 pm

Do you really need the firewall at bridge level? If you use it, it was not clear from the export...
How else can I create, for example, a guest WiFi network with another DHCP range from the main WiFi, where these 2 networks must be isolated from each other?

Other than that, I also need queues, or one PC downloads Windows updates and then web browsing simply dies due to the upload being choked on the ADSL router. With my queues it works perfectly: I can saturate the full ADSL link, and yet web pages reload near instantly.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: 100 CPU on any mikrotik router using basic rules

Thu Sep 08, 2016 8:16 pm

Split the networks both on layer 3 and layer 2, don't put them on the same bridge, and switch off the bridge firewall. Put blocking rules in the IP firewall instead.
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Thu Sep 08, 2016 8:23 pm

Split the networks both on layer 3 and layer 2, don't put them on the same bridge, and switch off the bridge firewall. Put blocking rules in the IP firewall instead.
IP firewall is the one causing slowdowns; I didn't add anything in the bridge firewall :) And as I mentioned, rules mean nothing: IP firewall, once activated without rules, drops speeds by almost 4x and hits 100% CPU.

And they are not on the same bridge.
WLAN1 = BRIDGE ONE
WLAN2 (guest) = BRIDGE 2
Then I did masquerade for WLAN2.

I mean, I've got everything set up and I know how to do it, and everything works, but performance is killing me on these routers.

Don't even want to mention what happened when I implemented a transparent proxy in order to cache all common downloads like Windows updates, antivirus definitions, etc.

CPU was screaming at 100% all the time.

Do I need a much more powerful MikroTik switch for this? Or maybe even build a PC running RouterOS in Hyper-V, for example?
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: 100 CPU on any mikrotik router using basic rules

Thu Sep 08, 2016 10:30 pm

OK, that is very strange. Just enabling the firewall without rules (no filter, no mangle, no NAT, nothing...) cannot do anything bad to traffic or CPU.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: 100 CPU on any mikrotik router using basic rules

Fri Sep 09, 2016 2:34 am

Use Torch or otherwise monitor your traffic; you may have a broadcast storm or a loop or something on your network if you are seeing such high load under a basic configuration.
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: 100 CPU on any mikrotik router using basic rules

Fri Sep 09, 2016 3:32 am

So many thoughts, not sure where to begin...

My thoughts on IP filter on a bridge... If you need filtering, why are you bridging?
When you filter a LAN bridge, ALL local traffic gets inspected by the CPU - if you need this, you should be using a CCR, not an RB.
Each LAN segment should be a separate interface - not in a bridge.
Your QoS should be on the WAN interface only - again, if you need QoS on your LAN, you should be using a CCR.

I think you are pushing the hAP too hard. It will work just fine as a router and access point, but making it filter all your internal traffic and apply QoS to all internal traffic is just too much for a MIPSBE CPU. The unit will likely do what you need, but you need to rethink the configuration.
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Fri Sep 09, 2016 11:16 am

I don't need QoS or filtering of the LAN, I just need QoS for the WAN.

But I guess I have some general flaw in my configurations; I don't know how else to create QoS without a bridge and IP filter enabled.

What I need, for the simplest example:
LAN1 > CONNECTED TO ADSL ROUTER
LAN2 > OUTPUT TO MAIN SWITCH
I need QoS (queues) on these interfaces to control ADSL traffic.
How do I make mangle/firewall rules etc. and route traffic between ports LAN1 and LAN2 without bridging them?
Should just masquerading them work? And should firewall/mangle/queues work without bridging them?

In addition I want to serve WLAN on the same router, and I don't need any kind of traffic control for this (except the WAN queue I mentioned above), but I need 2 SSIDs separated from each other.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: 100 CPU on any mikrotik router using basic rules

Fri Sep 09, 2016 12:33 pm

just my 2¢

hAP ac is dual radio, so using one for users and one for guests is not optimal. Look into VirtualAP interfaces and create a separate VirtualAP for guests on both interfaces.

Then draw your setup, check with the packet flow diagram what goes where, and check '/tool profile' for what is eating away at your CPU.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: 100 CPU on any mikrotik router using basic rules

Fri Sep 09, 2016 2:16 pm

How do I make mangle/firewall rules etc. and route traffic between ports LAN1 and LAN2 without bridging them?
Should just masquerading them work? And should firewall/mangle/queues work without bridging them?
Let me insist on you analyzing a default configuration; you can check the script that applies it by issuing:
/system default-configuration print
It will serve you as a very good, simple, best-practice reference to evolve/add on top of from there. Take another router not in production, load the config, and play with it.

RouterOS, as its name implies, routes by default, i.e. forwards IP packets not addressed to itself to their destinations. Let's consider the most basic routing setup that will provide internet access, from a router with a completely blank setup, i.e. reset to no defaults, no bridges at all:

- WAN has an IP assigned (192.168.1.244/24 in your case)
- LAN has a different network range IP assigned (let's consider just one network for now, 192.168.2.1/24)
- A default route (0.0.0.0/0) is set with a reachable gateway; this is known as the default gateway (192.168.1.254 in your case)
- A masquerade rule is in place for all traffic exiting (out-interface) by the WAN interface.

If you take a laptop and plug it into the LAN ether port, setting its ethernet IP as 192.168.2.2/24 and 192.168.2.1 as default GW, you'll be able to reach the internet (ping 8.8.8.8 for example), because the hAP will route (forward) anything addressed to other than its "known" networks through the default GW, 192.168.1.254.

192.168.1.0/24 and 192.168.2.0/24 are known networks for it because you set IPs in the 192.168.1.0/24 and 192.168.2.0/24 ranges on its interfaces. That's all RouterOS needs to know these networks are directly connected to it.

If you add another network, say LAN2, and assign an IP on top, say 192.168.3.1/24, and connect a laptop to LAN2, setting the laptop's ethernet IP in the 192.168.3.0/24 range with default GW 192.168.3.1/24, it will also be able to reach the internet, no need for any bridges.

Why? Because both the hAP knows how to reach 192.168.3.0/24 (through LAN2), and the laptop knows whom to hand traffic addressed to any network other than those known to it (192.168.3.0/24): it forwards it to its default GW, 192.168.3.1, through its ethernet.

An important thing when routing between two hosts is that both hosts need to know how to reach each other. In this last example, the hAP knows all traffic addressed to 192.168.3.0/24 should exit by LAN2 due to the IP/mask assigned to it, and the laptop knows how to reach 192.168.3.0/24 for the same reason; setting the default GW on the laptop will instruct it to send any traffic addressed to any unknown networks through its default GW, 192.168.3.1.

Now to filtering:

You'll have noticed firewall filter, mangle and NAT use chains; the forward chain is the one for all forwarded traffic, i.e. all traffic traversing the router.

Now let's pretend you don't want the LAN1 network, 192.168.2.0/24, to be able to reach 192.168.3.0/24. Setting an IP > Firewall > Filter rule like
/ip firewall filter
add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.3.0/24

will take care of that.

Suppose you don't want 192.168.3.0/24 to reach 192.168.2.0/24 either; adding
/ip firewall filter
add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.3.0/24
add chain=forward action=drop src-address=192.168.3.0/24 dst-address=192.168.2.0/24

will be all the rules needed.

Suppose you want to completely isolate both LANs, regardless of the IPs involved (better practice); a firewall ruleset like
/ip firewall filter
add action=drop chain=forward in-interface=LAN1 out-interface=LAN2
add action=drop chain=forward in-interface=LAN2 out-interface=LAN1

will achieve that.
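Pulling pukkita's four routed-setup points and the interface-based isolation rules together into one config, as an added example that is not part of the thread or of MikroTik's default configuration. The addresses are the ones used in the post; mapping ether1 to WAN and ether2/ether3 to LAN1/LAN2, the use-ip-firewall line, the stateful pair of forward rules and the 2M/38M queue limits are my assumptions.

```routeros
# Added example (not from the thread): routed LAN1/LAN2, no bridge.
# Assumed port layout: ether1 = WAN (to the ADSL router), ether2 = LAN1, ether3 = LAN2.

# With no bridge carrying LAN traffic, keep the bridge IP firewall off so nothing
# is pushed through the IP firewall at bridge level.
/interface bridge settings
set use-ip-firewall=no

# Name the ports so the firewall rules and queues below read the same as the post.
/interface ethernet
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether2 ] name=LAN1
set [ find default-name=ether3 ] name=LAN2

# Directly connected networks: one address per interface. This alone tells
# RouterOS how to reach 192.168.2.0/24 (via LAN1) and 192.168.3.0/24 (via LAN2).
/ip address
add address=192.168.1.244/24 interface=WAN
add address=192.168.2.1/24 interface=LAN1
add address=192.168.3.1/24 interface=LAN2

# Default route: everything not in a known network goes to the ADSL router.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.254

# Masquerade only what leaves through WAN; LAN-to-LAN traffic stays plainly routed
# so the filter rules below see the real source addresses.
/ip firewall nat
add chain=srcnat out-interface=WAN action=masquerade

# forward chain: isolate the two LANs by interface (independent of the IPs used),
# then a minimal stateful pair (added here, beyond the post): allow replies,
# drop new connections arriving from WAN that were not explicitly port-forwarded.
/ip firewall filter
add chain=forward action=drop in-interface=LAN1 out-interface=LAN2 comment="isolate LAN1 -> LAN2"
add chain=forward action=drop in-interface=LAN2 out-interface=LAN1 comment="isolate LAN2 -> LAN1"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop in-interface=WAN connection-state=new connection-nat-state=!dstnat comment="drop unsolicited from WAN"

# One simple queue for the ADSL line, targeted at the LAN networks: traffic from the
# targets is upload, traffic to them is download, so both directions are shaped
# without any mangle rules. Assumed 2M up; 38M down is set a little under the
# 40 Mbit line so the router, not the ADSL modem, is where packets queue.
/queue simple
add name=adsl-line target=192.168.2.0/24,192.168.3.0/24 max-limit=2M/38M
```

With LAN1 and LAN2 routed rather than bridged, the router forwards both directions of each LAN's internet traffic, which is why a queue on the LAN subnets works here without the bridge IP firewall.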
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Sat Sep 10, 2016 3:46 pm

Hey, thanks for your info.

Well, now I've figured out why I used the bridge IP filter in the first place.

I'm unable to mangle download traffic on the BRIDGE without it; only upload works.

Is it possible to separate download from upload (for queues) on a bridge which is passing internet from the router to the rest of the network?

I tried every possible combination of prerouting, postrouting, input, output... for this bridge.

If it's possible it would save me a lot of time, because I don't have another router and can't reset and redo this router at the current time.
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Wed Sep 21, 2016 2:15 pm

So, conclusion: I took one hEX lite for a test, I factory reset it, I plugged the ETH1 port into my ADSL router and one test laptop into ETH2.

ETH1 gets an IP from the ADSL router in the 192.168.1.0/24 range.
ETH2 gets an IP from the MikroTik's DHCP in the 192.168.88.0/24 range.

Internet works fine on the laptop.

Now I change the ETH2 range from 192.168.88.0 to the 192.168.100.0 range and also change the ETH2 IP address of the MikroTik to 192.168.100.1.
Again the laptop gets the new 192.168.100.0/24 range and internet works just fine!

Now I change the ETH2 range to the 192.168.1.0/24 range and the IP address of the MikroTik to 192.168.1.1, and now all hell breaks loose. I'm unable to connect to the router anymore via IP or MAC, internet doesn't work on the laptop, though the laptop does get a proper IP in this 192.168.1.0/24 range.

If I unplug ETH1 from the MikroTik it doesn't help; I can only get access to the router back if I unplug ETH1 and then reboot the router.

So, conclusion: it's not possible to have the same ranges on the WAN side and the ethernet side.

Besides, this scenario doesn't help me; my ISP is very bad at coding their routers, I can't switch it to bridge mode to dial the PPPoE connection. I also can't put the MikroTik into the DMZ as this router doesn't have this option, so I can't port forward between different ranges on these 2 routers.

So the only solution for me is BRIDGE mode between ETH1 and ETH2.

Now, as mentioned, the problem is that the only way I can QUEUE upload and download is if I have the BRIDGE IP filter enabled!

If I disable the BRIDGE IP FILTER, I'm unable to mangle download traffic, only upload (I tried every possible imaginable way).

And with the BRIDGE IP FILTER enabled, the router is hitting 100% CPU usage all the time and causing WLAN disconnects and other network slowdowns.

So does anyone have any other suggestion?
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: 100 CPU on any mikrotik router using basic rules

Wed Sep 21, 2016 3:46 pm

Why not use a different IP segment behind your hEX?
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Wed Sep 21, 2016 3:51 pm

Why not use a different IP segment behind your hEX?
How can I port forward then? The ISP router blocks all the traffic, and I can only port forward from it and in that 192.168.1.0/24 range; usually I put the MikroTik IP in the DMZ zone on the ISP router, then all ports are open on the MikroTik and I firewall and port forward on the MikroTik, but as I said it's not possible to do that on this ISP router..
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: 100 CPU on any mikrotik router using basic rules

Wed Sep 21, 2016 3:58 pm

Why not use a different IP segment behind your hEX?
How can I port forward then? The ISP router blocks all the traffic, and I can only port forward from it and in that 192.168.1.0/24 range; usually I put the MikroTik IP in the DMZ zone on the ISP router, then all ports are open on the MikroTik and I firewall and port forward on the MikroTik, but as I said it's not possible to do that on this ISP router..
Maybe I don't understand, but if you are able to port-forward on your router, just forward everything to the 192.168.1.x address of your routerboard, and from there forward again.
I know, not the most convenient solution, but possibly better than firewalling all the bridge traffic.

PS. Also keep in mind to masquerade all the traffic leaving the local segment towards the router.
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Wed Sep 21, 2016 4:11 pm

Why not use a different IP segment behind your hEX?
How can I port forward then? The ISP router blocks all the traffic, and I can only port forward from it and in that 192.168.1.0/24 range; usually I put the MikroTik IP in the DMZ zone on the ISP router, then all ports are open on the MikroTik and I firewall and port forward on the MikroTik, but as I said it's not possible to do that on this ISP router..
Maybe I don't understand, but if you are able to port-forward on your router, just forward everything to the 192.168.1.x address of your routerboard, and from there forward again.
I know, not the most convenient solution, but possibly better than firewalling all the bridge traffic.

PS. Also keep in mind to masquerade all the traffic leaving the local segment towards the router.
I can't forward everything, that's the problem (DMZ does that). Hmm, maybe if I port forward one by one to the same IP of the MikroTik that would work; didn't try that yet..
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: 100 CPU on any mikrotik router using basic rules

Fri Sep 23, 2016 8:10 am

I can imagine that it is a hassle if you need to forward a whole bunch of ports, but are you really in that situation?
How many ports do you need to forward?
I don't know your ISP-supplied router, but maybe it is possible to forward a range.
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Fri Sep 23, 2016 1:50 pm

I can imagine that it is a hassle if you need to forward a whole bunch of ports, but are you really in that situation?
How many ports do you need to forward?
I don't know your ISP-supplied router, but maybe it is possible to forward a range.
Nah, I can't add a range, but I've got around 15 rules; it's not that big a deal.

Though I wish MikroTik would add an option (if possible) to enable IP firewall per bridge, so I can have another bridge just between a LAN port and the WiFi interface, unaffected by the IP firewall, to pass WiFi traffic, while the other 2 ports would pass and control the ADSL bridged traffic..

This would solve all my problems as it is.
 
ivicask
Member
Topic Author
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: 100 CPU on any mikrotik router using basic rules

Sun Oct 02, 2016 12:32 pm

Just to report back: after a few hours on the phone with our ISP they finally managed to switch their router into bridge mode, and I created PPPoE on the MikroTik, and now finally the performance issues are solved as far as this part is concerned.

But now I'm facing another issue that is as bad as before. I want a transparent web proxy, but again the CPU hits 100% just opening, for example, the 9gag page and fast scrolling down; web proxy shows as the top usage in the profiler. And I just set memory-based caching for the test, which should be fastest, so I guess I can forget about this feature?
