My tasks:
1. Good conditions for VoIP (I exclude VoIP-server from mangling with passthrough=no at first)
2. Fast VPN channel between offices
3. Responsive for remote access apps
4. Low-speed guest WiFi and non-office resources (like youtube etc. by tls-host)
Questions:
1. Is everything set up ok?
2. I use chain=forward and because of this, the connections of the router itself are not marked (VPN connection or DNS and NTP requests). So they aren't queued?
3. If I use chain=prerouting and add, for example, the VPN connection protocol=udp port=500,4500 to the "HIGH" section, then the "intra-tunnel" traffic (by address-list) and the "external-tunnel" traffic (by this rule) is counted in the queue twice. How do I solve this correctly?
Mangle:
/ip firewall mangle
add action=mark-packet chain=forward dst-address=192.168.88.222 new-packet-mark=VOIP-IN passthrough=no
add action=mark-packet chain=forward new-packet-mark=VOIP-OUT passthrough=no src-address=192.168.88.222
add action=mark-packet chain=forward comment=GUEST-DOWNLOAD dst-address=192.168.99.0/24 new-packet-mark=GUEST-DOWNLOAD passthrough=no
add action=mark-packet chain=forward comment=GUEST-UPLOAD new-packet-mark=GUEST-UPLOAD passthrough=no src-address=192.168.99.0/24
add action=passthrough chain=forward comment="###### LOW ######" disabled=yes
add action=add-dst-to-address-list address-list=UNLIMTRAFFIC address-list-timeout=1w chain=forward dst-address-list=!UNLIMTRAFFIC port=443 protocol=tcp tls-host=*googlevideo.com
add action=add-dst-to-address-list address-list=UNLIMTRAFFIC address-list-timeout=1w chain=forward dst-address-list=!UNLIMTRAFFIC port=443 protocol=tcp tls-host=*tiktok*
add action=add-dst-to-address-list address-list=UNLIMTRAFFIC address-list-timeout=1w chain=forward dst-address-list=!UNLIMTRAFFIC port=443 protocol=tcp tls-host=*twitch*
add action=mark-connection chain=forward comment=ALL-TRAFFIC new-connection-mark=LOW passthrough=yes
add action=mark-packet chain=forward comment="UNLIMTRAFFIC LOW-DOWNLOAD" connection-mark=LOW new-packet-mark=LOW-DOWNLOAD passthrough=no src-address-list=UNLIMTRAFFIC
add action=mark-packet chain=forward comment="UNLIMTRAFFIC LOW-UPLOAD" connection-mark=LOW dst-address-list=UNLIMTRAFFIC new-packet-mark=LOW-UPLOAD passthrough=no
add action=mark-packet chain=forward comment=LOW-DOWNLOAD connection-mark=LOW in-interface-list=WAN new-packet-mark=LOW-DOWNLOAD passthrough=yes
add action=mark-packet chain=forward comment=LOW-UPLOAD connection-mark=LOW new-packet-mark=LOW-UPLOAD out-interface-list=WAN passthrough=yes
add action=passthrough chain=forward comment="###### END LOW ######" disabled=yes
add action=passthrough chain=forward comment="###### NORMAL ######" disabled=yes
add action=mark-connection chain=forward comment=HTTPS new-connection-mark=NORMAL passthrough=yes port=443 protocol=tcp
add action=mark-connection chain=forward comment=HTTP new-connection-mark=NORMAL passthrough=yes port=80 protocol=tcp
add action=mark-connection chain=forward comment=QUIC new-connection-mark=NORMAL passthrough=yes port=80,443 protocol=udp
add action=mark-connection chain=forward comment=Proxy new-connection-mark=NORMAL passthrough=yes port=3128,8080 protocol=tcp
add action=mark-connection chain=forward comment=FTP new-connection-mark=NORMAL passthrough=yes port=20,21 protocol=tcp
add action=mark-connection chain=forward comment=IMAPS new-connection-mark=NORMAL passthrough=yes port=993 protocol=tcp
add action=mark-connection chain=forward comment=SMTPS new-connection-mark=NORMAL passthrough=yes port=465 protocol=tcp
add action=mark-connection chain=forward comment=POP3S new-connection-mark=NORMAL passthrough=yes port=995 protocol=tcp
add action=mark-connection chain=forward comment=L2TP new-connection-mark=NORMAL passthrough=yes port=1701,4500,500 protocol=udp
add action=mark-connection chain=forward comment="1Mb Connections" connection-bytes=0-1000000 new-connection-mark=NORMAL passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=NORMAL-DOWNLOAD connection-mark=NORMAL in-interface-list=WAN new-packet-mark=NORMAL-DOWNLOAD passthrough=yes
add action=mark-packet chain=forward comment=NORMAL-UPLOAD connection-mark=NORMAL new-packet-mark=NORMAL-UPLOAD out-interface-list=WAN passthrough=yes
add action=passthrough chain=forward comment="###### END NORMAL ######" disabled=yes
add action=passthrough chain=forward comment="###### HIGH ######" disabled=yes
add action=mark-connection chain=forward comment="Google Push" new-connection-mark=HIGH passthrough=yes port=5228 protocol=tcp
add action=mark-connection chain=forward comment=VoIP new-connection-mark=HIGH passthrough=yes port=5060,5061,5065 protocol=udp
add action=mark-connection chain=forward comment=VoIP new-connection-mark=HIGH passthrough=yes port=5060,5061,5065 protocol=tcp
add action=mark-connection chain=forward comment=Zoom new-connection-mark=HIGH passthrough=yes port=3478,3479,8801-8810 protocol=udp
add action=mark-connection chain=forward comment=Zoom new-connection-mark=HIGH passthrough=yes port=8801,8802 protocol=tcp
add action=mark-connection chain=forward comment=SSH new-connection-mark=HIGH packet-size=0-1400 passthrough=yes port=22 protocol=tcp
add action=mark-connection chain=forward comment=TELNET new-connection-mark=HIGH passthrough=yes port=23 protocol=tcp
add action=mark-connection chain=forward comment="VPN in" new-connection-mark=HIGH passthrough=yes src-address-list=VPN-LANs
add action=mark-connection chain=forward comment="VPN out" dst-address-list=VPN-LANs new-connection-mark=HIGH passthrough=yes
add action=mark-connection chain=forward comment="100Kb Connections" connection-bytes=0-100000 new-connection-mark=HIGH passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=HIGH-DOWNLOAD connection-mark=HIGH in-interface-list=WAN new-packet-mark=HIGH-DOWNLOAD passthrough=yes
add action=mark-packet chain=forward comment=HIGH-UPLOAD connection-mark=HIGH new-packet-mark=HIGH-UPLOAD out-interface-list=WAN passthrough=yes
add action=passthrough chain=forward comment="###### END HIGH ######" disabled=yes
add action=passthrough chain=forward comment="###### SUPER-HIGH ######" disabled=yes
add action=mark-connection chain=forward comment=DNS new-connection-mark=SUPER-HIGH passthrough=yes port=53 protocol=udp
add action=mark-connection chain=forward comment=DNS new-connection-mark=SUPER-HIGH passthrough=yes port=53 protocol=tcp
add action=mark-connection chain=forward comment=NTP new-connection-mark=SUPER-HIGH passthrough=yes port=123 protocol=udp
add action=mark-connection chain=forward comment=Winbox new-connection-mark=SUPER-HIGH passthrough=yes port=8291 protocol=tcp
add action=mark-connection chain=forward comment=Anydesk new-connection-mark=SUPER-HIGH passthrough=yes port=7070 protocol=tcp
add action=mark-connection chain=forward comment=RDP new-connection-mark=SUPER-HIGH passthrough=yes port=3389 protocol=tcp
add action=mark-connection chain=forward comment=PING new-connection-mark=SUPER-HIGH passthrough=yes protocol=icmp
add action=mark-connection chain=forward comment="10Kb Connections" connection-bytes=0-10000 new-connection-mark=SUPER-HIGH passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=SUPER-HIGH-DOWNLOAD connection-mark=SUPER-HIGH in-interface-list=WAN new-packet-mark=SUPER-HIGH-DOWNLOAD passthrough=yes
add action=mark-packet chain=forward comment=SUPER-HIGH-UPLOAD connection-mark=SUPER-HIGH new-packet-mark=SUPER-HIGH-UPLOAD out-interface-list=WAN passthrough=yes
add action=passthrough chain=forward comment="###### END SUPER-HIGH ######" disabled=yes
Queues:
/queue type
add cake-diffserv=besteffort cake-rtt-scheme=internet cake-wash=yes kind=cake name=Q-dn
add cake-ack-filter=filter cake-diffserv=besteffort cake-nat=yes cake-rtt-scheme=internet kind=cake name=Q-up
/queue tree
add bucket-size=0.01 max-limit=30M name="MAIN DN" parent=global queue=Q-dn
add parent="MAIN DN" queue=Q-dn name=1-VOIP-DN packet-mark=VOIP-IN limit-at=512k max-limit=1M priority=1
add parent="MAIN DN" queue=Q-dn name=3-SUPER-HIGH-DOWNLOAD packet-mark=SUPER-HIGH-DOWNLOAD priority=3
add parent="MAIN DN" queue=Q-dn name=4-HIGH-DOWNLOAD packet-mark=HIGH-DOWNLOAD priority=4
add parent="MAIN DN" queue=Q-dn name=6-NORMAL-DOWNLOAD packet-mark=NORMAL-DOWNLOAD burst-limit=30M burst-threshold=512k burst-time=3s max-limit=20M priority=6
add parent="MAIN DN" queue=Q-dn name=7-GUEST-DOWNLOAD packet-mark=GUEST-DOWNLOAD burst-limit=5M burst-threshold=512k burst-time=3s max-limit=1M priority=7
add parent="MAIN DN" queue=Q-dn name=8-LOW-DOWNLOAD packet-mark=LOW-DOWNLOAD burst-limit=5M burst-threshold=512k burst-time=3s max-limit=1M
add bucket-size=0.01 max-limit=30M name="MAIN UP" parent=global queue=Q-up
add parent="MAIN UP" queue=Q-up name=1-VOIP-UP packet-mark=VOIP-OUT priority=1 limit-at=512k max-limit=1M
add parent="MAIN UP" queue=Q-up name=3-SUPER-HIGH-UPLOAD packet-mark=SUPER-HIGH-UPLOAD priority=3
add parent="MAIN UP" queue=Q-up name=4-HIGH-UPLOAD packet-mark=HIGH-UPLOAD priority=4
add parent="MAIN UP" queue=Q-up name=6-NORMAL-UPLOAD packet-mark=NORMAL-UPLOAD priority=6 burst-limit=30M burst-threshold=512k burst-time=3s max-limit=20M
add parent="MAIN UP" queue=Q-up name=7-GUEST-UPLOAD packet-mark=GUEST-UPLOAD priority=7 burst-limit=5M burst-threshold=512k burst-time=3s max-limit=1M
add parent="MAIN UP" queue=Q-up name=8-LOW-UPLOAD packet-mark=LOW-UPLOAD burst-limit=5M burst-threshold=512k burst-time=3s max-limit=1M
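An added illustration of the point behind question 2; this is example configuration written for this page, not the original poster's setup. Router-originated packets (the router's own DNS and NTP lookups) traverse chain=output and never chain=forward, and their replies traverse prerouting and input, so forward-chain rules cannot see them. The example reuses the poster's SUPER-HIGH-UPLOAD and SUPER-HIGH-DOWNLOAD packet marks and WAN interface list, but introduces a separate connection mark, ROUTER-SUPER-HIGH (a name chosen here), so that forwarded connections already marked SUPER-HIGH are not touched. It assumes the RouterOS v6/v7 packet flow in which a queue tree with parent=global evaluates packet marks once after mangle prerouting (ingress) and once after mangle postrouting (egress).

```routeros
# Added example (not the original poster's configuration): queue the router's OWN
# DNS/NTP traffic. Assumes the existing queue tree with parent=global and the
# SUPER-HIGH-UPLOAD / SUPER-HIGH-DOWNLOAD packet marks shown on this page.
/ip firewall mangle
# Outbound: the router's own requests leave via chain=output, not chain=forward.
# Mark the connection with a mark used ONLY for router-originated traffic, so the
# reply direction can be matched without colliding with forwarded SUPER-HIGH flows.
add chain=output comment="ROUTER DNS udp" protocol=udp dst-port=53 \
    action=mark-connection new-connection-mark=ROUTER-SUPER-HIGH passthrough=yes
add chain=output comment="ROUTER DNS tcp" protocol=tcp dst-port=53 \
    action=mark-connection new-connection-mark=ROUTER-SUPER-HIGH passthrough=yes
add chain=output comment="ROUTER NTP" protocol=udp dst-port=123 \
    action=mark-connection new-connection-mark=ROUTER-SUPER-HIGH passthrough=yes
# Packet mark for the upload queue: output precedes postrouting, so the global
# queue's egress point sees this mark (assumed packet flow, see lead-in).
add chain=output comment="ROUTER SUPER-HIGH-UPLOAD" connection-mark=ROUTER-SUPER-HIGH \
    out-interface-list=WAN action=mark-packet new-packet-mark=SUPER-HIGH-UPLOAD passthrough=no
# Inbound replies to the router: they go prerouting -> input, so the packet mark
# must be set in prerouting to be visible at the global queue's ingress point.
# Matching only the router-only connection mark keeps forwarded traffic out of
# this rule, which avoids counting forwarded packets at both queue points.
add chain=prerouting comment="ROUTER SUPER-HIGH-DOWNLOAD" connection-mark=ROUTER-SUPER-HIGH \
    in-interface-list=WAN action=mark-packet new-packet-mark=SUPER-HIGH-DOWNLOAD passthrough=no
```

The same pattern (connection mark in output, packet mark in output for upload and in prerouting for download) extends to any other router-originated flow. Note the reason for keeping forwarded marks in chain=forward, which is the concern in question 3: a forwarded packet marked in prerouting carries its mark at both the ingress and egress evaluation points of a global queue and is therefore accounted twice, whereas a mark set in forward exists only at the egress point. Verify with the queue tree's packet and byte counters under /queue tree print stats while generating a known amount of router-originated DNS traffic (for example with /tool dns-update or /ping to a hostname).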