
Multiple WAN QoS configuration with PBR

Fri Jul 16, 2021 11:55 am

Hello Guys,

I have a MikroTik RB3011 router on which I run 2 WAN links, each giving 50M of bandwidth, with a /24 LAN network. I run policy-based routing, i.e. 128 LAN users use WAN1 and the other 128 users use WAN2, with failover for both links.
I want to configure QoS to prioritize traffic for better throughput. I've read a lot and seen many videos about single-WAN QoS, but I haven't come across any that use both WAN links simultaneously and apply QoS to both.
Kindly advise me on the best way to do multi-WAN QoS. For example, let's say I want to prioritize Zoom, Google Meet, and email traffic.

Please see my configuration script below and advise.
# Bridge and physical interfaces. ether1/ether2 are the two WAN uplinks
# (they are put in the WAN interface list further down); ether8, ether10 and
# the EoIP tunnel are bridged into bridge_LAN under /interface bridge port.
/interface bridge
add admin-mac=74:4D:28:5F:BA:52 auto-mac=no name=bridge_LAN
/interface ethernet
set [ find default-name=ether1 ] name=WAN1-ether1-acc
set [ find default-name=ether2 ] name=WAN2_ether2_adn
set [ find default-name=ether8 ] name=ether8_ET
set [ find default-name=sfp1 ] disabled=yes
# EoIP tunnel that is later bridged into the LAN; the remote endpoint is
# redacted (XXXX) in the post. NOTE(review): EoIP carries the LAN as plain
# Ethernet-over-IP with no encryption of its own - confirm it is wrapped in
# IPsec if the remote-address is reached over the Internet.
/interface eoip
add mac-address=74:4D:28:5F:BA:59 name=eoip_SKA remote-address=\
    XXXX tunnel-id=2108
# WAN/LAN interface lists; membership is assigned under /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Address pools: .22-.190 for LAN DHCP clients, .192-.254 for L2TP clients.
/ip pool
add name=dhcp_pool_extra ranges=192.168.222.22-192.168.222.190
add name=dhcp_pool_l2tp ranges=192.168.222.192-192.168.222.254
/ip dhcp-server
add address-pool=dhcp_pool_extra interface=bridge_LAN lease-time=4h name=\
    dhcp_LAN
# PPP profile used by the L2TP/SSTP/PPTP servers below.
# NOTE(review): local-address=192.168.222.190 lies inside dhcp_pool_extra
# (.22-.190), so the DHCP server can hand that same address to a LAN host
# while L2TP clients use it as their gateway. .191 is in neither pool and
# would avoid the clash. *FFFFFFFE is one of the built-in profiles
# (presumably default-encryption - verify in Winbox).
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.222.190 name=\
    SKA remote-address=dhcp_pool_l2tp
set *FFFFFFFE dns-server=8.8.8.8

# Logging: keep 1000 lines in the in-memory log.
/system logging action
set 0 memory-lines=1000
# User groups: 'read' is limited to ssh+read, 'write' to ssh/winbox with
# read+write; both explicitly deny api, web, ftp, telnet, policy, password
# and sensitive. The built-in 'full' group keeps every policy.
/user group
set read policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!wi\
    nbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
set write policy="ssh,read,write,winbox,!local,!telnet,!ftp,!reboot,!policy,!t\
    est,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
# LAN bridge members: the EoIP tunnel, ether8 and ether10.
/interface bridge port
add bridge=bridge_LAN interface=eoip_SKA
add bridge=bridge_LAN interface=ether8_ET
add bridge=bridge_LAN interface=ether10
# Neighbor discovery (MNDP/CDP/LLDP) only on LAN-side interfaces.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# SYN cookies for the router's own TCP listeners.
/ip settings
set tcp-syncookies=yes
/interface detect-internet
set detect-interface-list=all
# L2TP server with IPsec. The ipsec-secret is not part of a normal export.
# MTU/MRU 1460 is presumably chosen to leave room for the L2TP/IPsec overhead.
/interface l2tp-server server
set default-profile=SKA enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge_LAN list=LAN
add interface=WAN2_ether2_adn list=WAN
add interface=WAN1-ether1-acc list=WAN
# PPTP server. 'enabled=' does not appear in the export, so it is presumably
# still at its default (disabled) - but the PPTP_Attack address list below
# suggests it has been exposed before. NOTE(review): pap sends the password
# in clear text and chap/mschap1 are weak; if PPTP must stay, trim this to
# `authentication=mschap2`, otherwise drop the default-profile binding so an
# accidental enable does not expose the SKA accounts.
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=SKA max-mru=1500 \
    max-mtu=1500
# SSTP server: only the profile is set; 'enabled=' is not in the export.
/interface sstp-server server
set default-profile=SKA
# Router's LAN address / the LAN subnet.
/ip address
add address=192.168.222.1/24 interface=bridge_LAN network=192.168.222.0

# Do not take the clock from the MikroTik cloud service (NTP is set below).
/ip cloud
set update-time=no
# DHCP options for the LAN: clients get 1.1.1.1, 8.8.8.8 and the router
# itself as DNS servers.
/ip dhcp-server network
add address=192.168.222.0/24 dns-server=1.1.1.1,8.8.8.8,192.168.222.1 \
    gateway=192.168.222.1 netmask=24
# DNS resolver. allow-remote-requests=yes makes the router answer DNS for
# anyone who can reach it, which is why the first two filter rules below drop
# port 53 arriving on WAN. NOTE(review): 192.168.222.1 in `servers=` is the
# router's own LAN address, so the resolver lists itself as an upstream -
# remove it. cache-size=4294967295KiB is about 4 TiB, far beyond the RAM of
# an RB3011; verify this value is intended.
/ip dns
set allow-remote-requests=yes cache-max-ttl=8w4d cache-size=4294967295KiB \
    servers=1.1.1.1,8.8.8.8,192.168.222.1
# Address lists. BOGONS = RFC1918 and other special-purpose ranges that
# should never appear on the Internet; dropped in the forward chain below.
# PPTP_Attack = a static list of sources dropped in the input chain.
/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
add address=46.161.27.40 list=PPTP_Attack
add address=87.251.66.122 list=PPTP_Attack
add address=193.29.13.162 list=PPTP_Attack
add address=192.241.221.222 list=PPTP_Attack
add address=87.251.66.125 list=PPTP_Attack
add address=87.251.66.121 list=PPTP_Attack
add address=87.251.66.123 list=PPTP_Attack
add address=87.251.66.126 list=PPTP_Attack
add address=46.161.27.95 list=PPTP_Attack
add address=5.188.87.59 list=PPTP_Attack
add address=192.241.224.167 list=PPTP_Attack
add address=192.241.221.29 list=PPTP_Attack
add address=213.108.134.183 list=PPTP_Attack
add address=192.241.219.62 list=PPTP_Attack
add address=139.162.102.46 list=PPTP_Attack
add address=141.98.80.90 list=PPTP_Attack
add address=141.98.80.28 list=PPTP_Attack
add address=141.98.80.29 list=PPTP_Attack
add address=141.98.80.91 list=PPTP_Attack
add address=141.98.80.92 list=PPTP_Attack
add address=141.98.80.93 list=PPTP_Attack
add address=78.128.113.152 list=PPTP_Attack
add address=213.108.134.182 list=PPTP_Attack
add address=141.98.80.89 list=PPTP_Attack
/ip firewall filter

# --- input chain: traffic to the router itself ---
# Refuse DNS queries from the Internet (the resolver accepts remote requests).
add action=drop chain=input comment=DNS_Spoofing_Protect connection-state=new \
    dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input connection-state=new dst-port=53 \
    in-interface-list=WAN protocol=udp
# Port knocking: 2213/tcp -> 2293/tcp -> 64041/tcp puts the source into
# 'Secured' for 1h, which is what the winbox rule below checks.
# NOTE(review): 2293 is also the real SSH port (/ip service ssh port=2293),
# so step 2 of the knock is the SSH service itself, and nothing in this chain
# gates SSH on the Secured list - only winbox (10662) is gated. Either move
# SSH off the knock ports or add a drop for dst-port=2293 from WAN with
# src-address-list=!Secured, mirroring the winbox rule.
add action=add-src-to-address-list address-list=Level_1 address-list-timeout=\
    2m chain=input comment=Secured_Access dst-port=2213 protocol=tcp
add action=add-src-to-address-list address-list=Level_2 address-list-timeout=\
    10m chain=input dst-port=2293 protocol=tcp src-address-list=Level_1
add action=add-src-to-address-list address-list=Secured address-list-timeout=\
    1h chain=input dst-port=64041 protocol=tcp src-address-list=Level_2
# Winbox (10662) from WAN only for knocked sources; everything else is logged
# with prefix Unsecure_Login and dropped.
add action=drop chain=input dst-port=10662 in-interface-list=WAN log=yes \
    log-prefix=Unsecure_Login protocol=tcp src-address=!192.168.222.0/24 \
    src-address-list=!Secured
# Drop anything on the blacklist, then build it: three new connections to
# 21,22,23,8291 from outside the LAN within 5 minutes earn a 5-day ban.
# NOTE(review): telnet/ftp are disabled and ssh/winbox moved to 2293/10662,
# so this staging only ever sees scans to closed ports; the live management
# ports are not covered by it.
add action=drop chain=input comment=Access_Security src-address-list=\
    blacklisted-ip
add action=add-src-to-address-list address-list=blacklisted-ip \
    address-list-timeout=5d chain=input connection-state=new dst-port=\
    21,22,23,8291 protocol=tcp src-address=!192.168.222.0/24 \
    src-address-list=stage-3
add action=add-src-to-address-list address-list=stage-3 address-list-timeout=\
    5m chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp \
    src-address=!192.168.222.0/24 src-address-list=stage-2
add action=add-src-to-address-list address-list=stage-2 address-list-timeout=\
    5m chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp \
    src-address=!192.168.222.0/24 src-address-list=stage-1
add action=add-src-to-address-list address-list=stage-1 address-list-timeout=\
    5m chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp \
    src-address=!192.168.222.0/24
# --- forward chain: LAN <-> WAN ---
# Only DNS is fasttracked. NOTE(review): fasttracked packets bypass queue
# trees and simple queues, so for the QoS you are asking about make sure no
# fasttrack rule matches the traffic you want to prioritise (as it stands,
# fasttrack is effectively off for everything but DNS). connection-state=""
# on the TCP rule looks like an empty matcher - check in Winbox what it
# actually matches.
add action=fasttrack-connection chain=forward comment=Fasttrack_DNS_TCP \
    connection-state="" dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment=Fasttrack_DNS_UDP \
    dst-port=53 protocol=udp
# Drop invalid, then traffic to or from bogon space in either direction.
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=drop chain=forward src-address-list=BOGONS
add action=drop chain=forward dst-address-list=BOGONS
# Known PPTP scanners (static list above).
add action=drop chain=input comment=PPTP_Protection src-address-list=\
    PPTP_Attack
# Accept at most 3 ICMP packets/s (burst 5) to the router, drop the rest.
add action=accept chain=input comment=Ping_Flood_Protection limit=3,5:packet \
    protocol=icmp
add action=drop chain=input protocol=icmp
# NOTE(review): the input chain has no final drop, so every other port the
# router listens on (SSH 2293, L2TP 1701/udp, IPsec 500/4500 and ESP, ...) is
# reachable from any source. The usual closing is: accept
# connection-state=established,related near the top, accept the L2TP/IPsec
# ports from WAN, then `add action=drop chain=input in-interface-list=WAN`
# as the last input rule. The forward chain likewise has no
# `drop chain=forward connection-state=new in-interface-list=WAN` rule; with
# src-nat and no dstnat rules there is presumably nothing reachable today,
# but it is cheap defence in depth.
/ip firewall mangle
# Policy routing. Connections that arrive on a WAN interface are
# connection-marked so the router's own replies (output chain) leave via the
# same WAN. LAN sources are split per /27 into two routing marks:
#   Group-Adn = .0/27, .32/27, .192/27, .224/27 (128 addresses)
#   Group-Acc = .64/27, .96/27, .128/27, .160/27 (128 addresses)
# These prerouting rules are also the natural place to add QoS packet marks,
# since every routed LAN packet already passes through them.
add action=mark-connection chain=input in-interface=WAN1-ether1-acc \
    new-connection-mark=conn_1 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_1 new-routing-mark=\
    Group-Acc passthrough=yes
add action=mark-connection chain=input in-interface=WAN2_ether2_adn \
    new-connection-mark=conn_2 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_2 new-routing-mark=\
    Group-Adn passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=Group-Adn \
    passthrough=yes src-address=192.168.222.0/27
add action=mark-routing chain=prerouting new-routing-mark=Group-Adn \
    passthrough=yes src-address=192.168.222.32/27
add action=mark-routing chain=prerouting new-routing-mark=Group-Acc \
    passthrough=yes src-address=192.168.222.64/27
add action=mark-routing chain=prerouting new-routing-mark=Group-Acc \
    passthrough=yes src-address=192.168.222.96/27
add action=mark-routing chain=prerouting new-routing-mark=Group-Acc \
    passthrough=yes src-address=192.168.222.128/27
add action=mark-routing chain=prerouting new-routing-mark=Group-Acc \
    passthrough=yes src-address=192.168.222.160/27
add action=mark-routing chain=prerouting new-routing-mark=Group-Adn \
    passthrough=yes src-address=192.168.222.192/27
add action=mark-routing chain=prerouting new-routing-mark=Group-Adn \
    passthrough=yes src-address=192.168.222.224/27
# NAT: the masquerade rules are kept but disabled; static src-nat to the
# (redacted) public address of each WAN is used instead.
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=WAN2_ether2_adn
add action=masquerade chain=srcnat disabled=yes out-interface=WAN1-ether1-acc
add action=src-nat chain=srcnat out-interface=WAN1-ether1-acc to-addresses=\
    XXXX
add action=src-nat chain=srcnat out-interface=WAN2_ether2_adn to-addresses=\
    XXXX
# Per-mark default routes with check-gateway=ping; 8.8.4.4 / 1.0.0.1 are used
# as recursive next hops and each group has the other WAN as distance-2
# backup. NOTE(review): the routes that resolve 8.8.4.4 and 1.0.0.1 via the
# physical WAN gateways, and the main-table default route, are not in this
# export - presumably redacted with the WAN addresses. Recursive
# check-gateway only works if those host routes exist with the scope /
# target-scope set up for it.
/ip route
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-mark=Group-Acc
add check-gateway=ping distance=2 gateway=1.0.0.1 routing-mark=Group-Acc
add check-gateway=ping distance=1 gateway=1.0.0.1 routing-mark=Group-Adn
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=Group-Adn

# Management services: telnet, ftp, api and api-ssl disabled; www disabled
# (and moved to 8080); ssh on 2293; winbox on 10662. www-ssl is not listed,
# so it is presumably at its default (disabled). NOTE(review): 2293 doubles
# as step 2 of the port-knock sequence in /ip firewall filter, and SSH is not
# gated on the Secured list there - see the note in that section.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8080
set ssh port=2293
set api disabled=yes
set winbox port=10662
set api-ssl disabled=yes
/lcd
set enabled=no time-interval=hour touch-screen=disabled
# L2TP user account; the password is not included in a normal export.
/ppp secret
add name=windows profile=SKA service=l2tp
/system clock
set time-zone-name=Asia/Dhaka
/system identity
set name=MikroTik_SKA
# NTP by IP address (no DNS dependency at boot); RouterOS updates are taken
# from the long-term channel.
/system ntp client
set enabled=yes primary-ntp=124.108.20.1 secondary-ntp=61.239.100.228
/system package update
set channel=long-term
# Bandwidth-test server off; MAC-telnet, MAC-winbox and MAC-ping disabled on
# every interface.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Thanks and have a great day.
