[K@KTyC]

В общем имеется RB951G-2HnD, провайдер выдающий 70 мбит/сек. Роутер же не разгоняется больше 20. При отключенном bridge ну максимум 30. Куда копать, уже и Queues настроил в общем скорость выше не поднимается. Есть iptv неужели оно так может забивать. В общем жду светлых мыслей, как оптимизировать конфиг, чтобы получить положенные 70. Конфиг ниже:

 

 

[xxxxxx@MikroTik] > /export compact

# oct/18/2015 23:13:53 by RouterOS 6.32.2

# software id = Z5TN-3BZ4

#

/interface bridge

add name=bridge-local

/interface ethernet

set [ find default-name=ether1 ] comment=WAN

set [ find default-name=ether2 ] comment=LAN

set [ find default-name=ether3 ] master-port=ether2

set [ find default-name=ether4 ] master-port=ether2

set [ find default-name=ether5 ] master-port=ether2

/ip neighbor discovery

set ether1 comment=WAN discover=no

set ether2 comment=LAN

/interface wireless security-profiles

add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=Security supplicant-identity="" \

wpa-pre-shared-key=XXXXXXXXXXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXXXXXXXX

/interface wireless

set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-b/g/n country=russia disabled=no distance=indoors frequency=2437 \

frequency-mode=superchannel mode=ap-bridge multicast-helper=disabled security-profile=Security ssid="=Wi-Fi=" tx-power=18 tx-power-mode=all-rates-fixed \

wireless-protocol=802.11 wmm-support=enabled

/interface wireless nstreme

set wlan1 enable-polling=no

/ip neighbor discovery

set wlan1 discover=no

/ip firewall layer7-protocol

add name=Skype regexp="^..\\x02............."

add name=radmin regexp="^\\x01\\x01(\\x08\\x08|\\x1b\\x1b)\$"

add name=rdp regexp="rdp\r\

\nrdpdr.*cliprdr.*rdpsnd"

add name=Jabber regexp="<stream:stream[\\x09-\\x0d ][ -~]*[\\x09-\\x0d ]xmlns=['\"]jabber"

add name=GIF_FILE regexp=gif

add name=PNG_FILE regexp=png

add name=http regexp=\

"http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d \96~]*(connection:|content-type:|content-length:|date:)|post [\\x09-\\x0d -~]* http/[01]\\.[019]"

/ip ipsec proposal

set [ find default=yes ] enc-algorithms=aes-128-cbc

/ip pool

add name=dhcp ranges=192.168.1.10-192.168.1.30

add name=OpenVPN ranges=172.24.98.2-172.24.98.10

add name=pool ranges=192.168.1.2-192.168.1.9

/ip dhcp-server

add address-pool=dhcp disabled=no interface=bridge-local lease-time=3h name=dhcp1

/port

set 0 name=usb1

/interface ppp-client

add apn=internet.beeline.ru default-route-distance=1 dial-on-demand=no name=ppp-3G password=beeline port=usb1 use-peer-dns=no user=beeline

/ppp profile

add local-address=172.24.98.1 name=OpenVPN remote-address=OpenVPN

/queue tree

add limit-at=85M max-limit=100M name=DOWNLOAD parent=global

add limit-at=85M max-limit=100M name=UPLOAD parent=global

add name=GROUP-A-UP parent=UPLOAD

add name=GROUP-B-UP parent=UPLOAD

add name=GROUP-C-UP parent=UPLOAD

add name=GROUP-D-UP parent=UPLOAD

add name=GROUP-E-UP parent=UPLOAD

add limit-at=70M max-limit=80M name=GROUP-A-DL parent=DOWNLOAD

add limit-at=20M max-limit=22M name=GROUP-B-DL parent=DOWNLOAD

add limit-at=15M max-limit=17M name=GROUP-C-DL parent=DOWNLOAD

add limit-at=10M max-limit=12M name=GROUP-D-DL parent=DOWNLOAD

add limit-at=5M max-limit=7M name=GROUP-E-DL parent=DOWNLOAD

/queue type

add kind=pcq name=GROUP-A-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64

add kind=pcq name=GROUP-B-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64

add kind=pcq name=GROUP-C-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64

add kind=pcq name=GROUP-D-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64

add kind=pcq name=GROUP-E-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64

add kind=pcq name=GROUP-A-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64

add kind=pcq name=GROUP-B-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64

add kind=pcq name=GROUP-C-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64

add kind=pcq name=GROUP-D-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64

add kind=pcq name=GROUP-E-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64

/queue tree

add name=CLASS-AA-UP packet-mark=CLASS-A-GROUP-A-UP parent=GROUP-A-UP priority=1 queue=GROUP-A-UP

add name=CLASS-BA-UP packet-mark=CLASS-B-GROUP-A-UP parent=GROUP-A-UP priority=2 queue=GROUP-A-UP

add name=CLASS-CA-UP packet-mark=CLASS-C-GROUP-A-UP parent=GROUP-A-UP priority=3 queue=GROUP-A-UP

add name=CLASS-DA-UP packet-mark=CLASS-D-GROUP-A-UP parent=GROUP-A-UP priority=4 queue=GROUP-A-UP

add name=CLASS-AB-UP packet-mark=CLASS-A-GROUP-B-UP parent=GROUP-B-UP priority=2 queue=GROUP-B-UP

add name=CLASS-BB-UP packet-mark=CLASS-B-GROUP-B-UP parent=GROUP-B-UP priority=3 queue=GROUP-B-UP

add name=CLASS-CB-UP packet-mark=CLASS-C-GROUP-B-UP parent=GROUP-B-UP priority=4 queue=GROUP-B-UP

add name=CLASS-DB-UP packet-mark=CLASS-D-GROUP-B-UP parent=GROUP-B-UP priority=5 queue=GROUP-B-UP

add name=CLASS-AC-UP packet-mark=CLASS-A-GROUP-C-UP parent=GROUP-C-UP priority=3 queue=GROUP-C-UP

add name=CLASS-BC-UP packet-mark=CLASS-B-GROUP-C-UP parent=GROUP-C-UP priority=4 queue=GROUP-C-UP

add name=CLASS-CC-UP packet-mark=CLASS-C-GROUP-C-UP parent=GROUP-C-UP priority=5 queue=GROUP-C-UP

add name=CLASS-DC-UP packet-mark=CLASS-D-GROUP-C-UP parent=GROUP-C-UP priority=6 queue=GROUP-C-UP

add name=CLASS-AD-UP packet-mark=CLASS-A-GROUP-D-UP parent=GROUP-D-UP priority=4 queue=GROUP-D-UP

add name=CLASS-BD-UP packet-mark=CLASS-B-GROUP-D-UP parent=GROUP-D-UP priority=5 queue=GROUP-D-UP

add name=CLASS-CD-UP packet-mark=CLASS-C-GROUP-D-UP parent=GROUP-D-UP priority=6 queue=GROUP-D-UP

add name=CLASS-DD-UP packet-mark=CLASS-D-GROUP-D-UP parent=GROUP-D-UP priority=7 queue=GROUP-D-UP

add name=CLASS-AE-UP packet-mark=CLASS-A-GROUP-E-UP parent=GROUP-E-UP priority=5 queue=GROUP-E-UP

add name=CLASS-BE-UP packet-mark=CLASS-B-GROUP-E-UP parent=GROUP-E-UP priority=6 queue=GROUP-E-UP

add name=CLASS-CE-UP packet-mark=CLASS-C-GROUP-E-UP parent=GROUP-E-UP priority=7 queue=GROUP-E-UP

add name=CLASS-DE-UP packet-mark=CLASS-D-GROUP-E-UP parent=GROUP-E-UP queue=GROUP-E-UP

add name=CLASS-AA-DL packet-mark=CLASS-A-GROUP-A-DL parent=GROUP-A-DL priority=1 queue=GROUP-A-DL

add name=CLASS-BA-DL packet-mark=CLASS-B-GROUP-A-DL parent=GROUP-A-DL priority=2 queue=GROUP-A-DL

add name=CLASS-CA-DL packet-mark=CLASS-C-GROUP-A-DL parent=GROUP-A-DL priority=3 queue=GROUP-A-DL

add name=CLASS-DA-DL packet-mark=CLASS-D-GROUP-A-DL parent=GROUP-A-DL priority=4 queue=GROUP-A-DL

add name=CLASS-AB-DL packet-mark=CLASS-A-GROUP-B-DL parent=GROUP-B-DL priority=2 queue=GROUP-B-DL

add name=CLASS-BB-DL packet-mark=CLASS-B-GROUP-B-DL parent=GROUP-B-DL priority=3 queue=GROUP-B-DL

add name=CLASS-CB-DL packet-mark=CLASS-C-GROUP-B-DL parent=GROUP-B-DL priority=4 queue=GROUP-B-DL

add name=CLASS-DB-DL packet-mark=CLASS-D-GROUP-B-DL parent=GROUP-B-DL priority=5 queue=GROUP-B-DL

add name=CLASS-AC-DL packet-mark=CLASS-A-GROUP-C-DL parent=GROUP-C-DL priority=3 queue=GROUP-C-DL

add name=CLASS-BC-DL packet-mark=CLASS-B-GROUP-C-DL parent=GROUP-C-DL priority=4 queue=GROUP-C-DL

add name=CLASS-CC-DL packet-mark=CLASS-C-GROUP-C-DL parent=GROUP-C-DL priority=5 queue=GROUP-C-DL

add name=CLASS-DC-DL packet-mark=CLASS-D-GROUP-C-DL parent=GROUP-C-DL priority=6 queue=GROUP-C-DL

add name=CLASS-AD-DL packet-mark=CLASS-A-GROUP-D-DL parent=GROUP-D-DL priority=4 queue=GROUP-D-DL

add name=CLASS-BD-DL packet-mark=CLASS-B-GROUP-D-DL parent=GROUP-D-DL priority=5 queue=GROUP-D-DL

add name=CLASS-CD-DL packet-mark=CLASS-C-GROUP-D-DL parent=GROUP-D-DL priority=6 queue=GROUP-D-DL

add name=CLASS-DD-DL packet-mark=CLASS-D-GROUP-D-DL parent=GROUP-D-DL priority=7 queue=GROUP-D-DL

add name=CLASS-AE-DL packet-mark=CLASS-A-GROUP-E-DL parent=GROUP-E-DL priority=5 queue=GROUP-E-DL

add name=CLASS-BE-DL packet-mark=CLASS-B-GROUP-E-DL parent=GROUP-E-DL priority=6 queue=GROUP-E-DL

add name=CLASS-CE-DL packet-mark=CLASS-C-GROUP-E-DL parent=GROUP-E-DL priority=7 queue=GROUP-E-DL

add name=CLASS-DE-DL packet-mark=CLASS-D-GROUP-E-DL parent=GROUP-E-DL queue=GROUP-E-DL

/interface bridge port

add bridge=bridge-local interface=ether2

add bridge=bridge-local interface=wlan1

/ip firewall connection tracking

set tcp-established-timeout=5h

/interface ovpn-server server

set certificate=cert_2 cipher=blowfish128,aes128,aes192,aes256 default-profile=OpenVPN enabled=yes require-client-certificate=yes

/ip address

add address=192.168.1.1/26 interface=bridge-local network=192.168.1.0

/ip dhcp-client

add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server lease

add address=192.168.1.3 client-id=1:f4:6d:4:d0:d7:f5 comment=Descktop mac-address=F4:6D:04:D0:D7:F5 server=dhcp1

/ip dhcp-server network

add address=192.168.1.0/27 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=26

/ip dns

set allow-remote-requests=yes max-udp-packet-size=512

/ip firewall address-list

add address=192.168.1.3 comment="Desctop" list=GROUP-A

add list=CLASS-A-SITES

add list=CLASS-B-SITES

add list=CLASS-C-SITES

add address=192.168.1.16/28 list=ShaperExclude

add address=192.168.1.3 comment="Desctop" list=GROUP-A

add address=xxxxxxxxxxx list=white_list_permit

/ip firewall filter

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\

fin,!syn,!rst,!psh,!ack,!urg

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\

fin,psh,urg,!syn,!rst,!ack

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=\

fin,syn,rst,psh,ack,urg

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\

!fin,!syn,!rst,!psh,!ack,!urg

add action=drop chain=input comment="dropping port scanners" src-address-list=port_scanners

add action=drop chain=forward comment="dropping port scanners" src-address-list=port_scanners

add action=drop chain=input comment="Drop DNS Flood" dst-port=53 in-interface=ether1 protocol=udp src-address-list="dns flood"

add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=input dst-port=53 in-interface=ether1 protocol=udp

add action=drop chain=input comment="drop ssh,telnet,openvpn brute forcers" dst-port=22,23,1194 protocol=tcp src-address-list=brute_blacklist

add action=add-src-to-address-list address-list=brute_blacklist address-list-timeout=3d chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \

src-address-list=blacklist_stage3

add action=add-src-to-address-list address-list=blacklist_stage3 address-list-timeout=5m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \

src-address-list=blacklist_stage2

add action=add-src-to-address-list address-list=blacklist_stage2 address-list-timeout=2m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \

src-address-list=blacklist_stage1

add action=add-src-to-address-list address-list=blacklist_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp

add action=drop chain=forward comment="Drop invalid packet" connection-state=invalid

add action=drop chain=input connection-state=invalid

add chain=forward comment="Allow ICMP Ping" protocol=icmp

add chain=input comment="For IPTV" protocol=igmp

add chain=forward protocol=udp

add chain=input protocol=udp

add chain=input comment="Accept established connections" connection-state=established

add chain=forward connection-state=established

add chain=forward comment="Allow related connections" connection-state=related

add chain=input comment="Allow access from Internet to Winbox and SSH_white_list_permit" dst-port=8891,8822,8880 in-interface=ether1 protocol=tcp \

src-address-list=white_list_permit

add chain=forward comment="Accept Apps_white_list_permit" dst-port=xxxx,xxxx,xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit

add chain=forward comment="Accept Torrent Peer" dst-port=xxxx protocol=tcp

add chain=forward comment="Access to Internet from local network" in-interface=bridge-local out-interface=ether1

add chain=forward comment="Access to Internet from VPN Client" out-interface=ether1 src-address=172.24.98.0/25

add chain=forward comment="Access to internet via 3G" disabled=yes in-interface=bridge-local out-interface=ppp-3G src-address-list=3G_Inet

add chain=input comment="Allow access from LocalNetwork to Winbox SSH Web" dst-port=8891,8822,8880,53,8828 in-interface=bridge-local protocol=tcp

add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn

add chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn

add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn

add action=drop chain=forward comment="All drop" log=yes

add action=drop chain=input log=yes

/ip firewall mangle

add action=change-ttl chain=prerouting new-ttl=increment:1

add chain=forward comment=CLASS-D disabled=yes

add action=mark-connection chain=forward comment=ALLTRAFFIC new-connection-mark=CLASS-D

add action=mark-packet chain=forward comment=CLASS-D-GROUP-E-DL connection-mark=CLASS-D dst-address-list=GROUP-E new-packet-mark=CLASS-D-GROUP-E-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-D-DL connection-mark=CLASS-D dst-address-list=GROUP-D new-packet-mark=CLASS-D-GROUP-D-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-C-DL connection-mark=CLASS-D dst-address-list=GROUP-C new-packet-mark=CLASS-D-GROUP-C-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-B-DL connection-mark=CLASS-D dst-address-list=GROUP-B new-packet-mark=CLASS-D-GROUP-B-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-A-DL connection-mark=CLASS-D dst-address-list=GROUP-A new-packet-mark=CLASS-D-GROUP-A-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-E-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-E-UP \

src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-D-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-D-UP \

src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-C-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-C-UP \

src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-B-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-B-UP \

src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-A-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-A-UP \

src-address-list=GROUP-A

add chain=forward comment=CLASS-D disabled=yes

add chain=forward comment=CLASS-C disabled=yes

add action=mark-connection chain=forward comment=Proxy dst-port=3128 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=HTTP layer7-protocol=http new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=HTTPS dst-port=443 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=FTP dst-port=20,21 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=SFTP dst-port=22 new-connection-mark=CLASS-C packet-size=1400-1500 protocol=tcp

add action=mark-connection chain=forward comment=SMTP dst-port=25 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=SMTPS dst-port=465 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=Imap dst-port=143 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=POP3 dst-port=110 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=POP3S dst-port=995 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=IMAPS dst-port=993 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=GIF_FILE layer7-protocol=GIF_FILE new-connection-mark=CLASS-C

add action=mark-connection chain=forward comment=PNG_FILE layer7-protocol=PNG_FILE new-connection-mark=CLASS-C

add action=mark-connection chain=forward comment=CLASS-C-SITES new-connection-mark=CLASS-C src-address-list=CLASS-C-SITES

add action=mark-connection chain=forward comment=CLASS-C-SITES dst-address-list=CLASS-C-SITES new-connection-mark=CLASS-C

add action=mark-connection chain=forward comment="100Kb Connections" connection-bytes=0-100000 new-connection-mark=CLASS-C protocol=tcp

add action=mark-packet chain=forward comment=CLASS-C-GROUP-E-DL connection-mark=CLASS-C dst-address-list=GROUP-E new-packet-mark=CLASS-C-GROUP-E-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-D-DL connection-mark=CLASS-C dst-address-list=GROUP-D new-packet-mark=CLASS-C-GROUP-D-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-C-DL connection-mark=CLASS-C dst-address-list=GROUP-C new-packet-mark=CLASS-C-GROUP-C-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-B-DL connection-mark=CLASS-C dst-address-list=GROUP-B new-packet-mark=CLASS-C-GROUP-B-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-A-DL connection-mark=CLASS-C dst-address-list=GROUP-A new-packet-mark=CLASS-C-GROUP-A-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-E-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-E-UP \

src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-D-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-D-UP \

src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-C-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-C-UP \

src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-B-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-B-UP \

src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-A-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-A-UP \

src-address-list=GROUP-A

add chain=forward comment=CLASS-C disabled=yes

add chain=forward comment=CLASS-B disabled=yes

add action=mark-connection chain=forward comment=ICQ dst-port=5190 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment="Mail.ru Agent" dst-port=2041,2042 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment=Jabber layer7-protocol=Jabber new-connection-mark=CLASS-B

add action=mark-connection chain=forward comment=IRC dst-port=6667-6669 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment=SSH dst-port=22 new-connection-mark=CLASS-B packet-size=0-1400 protocol=tcp

add action=mark-connection chain=forward comment=TELNET dst-port=23 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment=SNMP dst-port=161-162 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment=PPTP dst-port=1723 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment=L2TP dst-port=1701 new-connection-mark=CLASS-B protocol=udp

add action=mark-connection chain=forward comment=GRE new-connection-mark=CLASS-B protocol=gre

add action=mark-connection chain=forward comment=Skype layer7-protocol=Skype new-connection-mark=CLASS-B

add action=mark-connection chain=forward comment=CLASS-B-SITES new-connection-mark=CLASS-B src-address-list=CLASS-B-SITES

add action=mark-connection chain=forward comment=CLASS-B-SITES dst-address-list=CLASS-B-SITES new-connection-mark=CLASS-B

add action=mark-connection chain=forward comment="50Kb Connections" connection-bytes=0-50000 new-connection-mark=CLASS-B protocol=tcp

add action=mark-packet chain=forward comment=CLASS-B-GROUP-E-DL connection-mark=CLASS-B dst-address-list=GROUP-E new-packet-mark=CLASS-B-GROUP-E-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-D-DL connection-mark=CLASS-B dst-address-list=GROUP-D new-packet-mark=CLASS-B-GROUP-D-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-C-DL connection-mark=CLASS-B dst-address-list=GROUP-C new-packet-mark=CLASS-B-GROUP-C-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-B-DL connection-mark=CLASS-B dst-address-list=GROUP-B new-packet-mark=CLASS-B-GROUP-B-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-A-DL connection-mark=CLASS-B dst-address-list=GROUP-A new-packet-mark=CLASS-B-GROUP-A-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-E-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-E-UP \

src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-D-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-D-UP \

src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-C-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-C-UP \

src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-B-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-B-UP \

src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-A-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-A-UP \

src-address-list=GROUP-A

add chain=forward comment=CLASS-B disabled=yes

add chain=forward comment=CLASS-A disabled=yes

add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=tcp src-port=53

add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=tcp

add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=udp

add action=mark-connection chain=forward comment=NNTP dst-port=119 new-connection-mark=CLASS-A protocol=tcp

add action=mark-connection chain=forward comment=Winbox dst-port=8291 new-connection-mark=CLASS-A protocol=tcp

add action=mark-connection chain=forward comment=ntp dst-port=123 new-connection-mark=CLASS-A protocol=udp

add action=mark-connection chain=forward comment=VNC dst-port=5900-5901 new-connection-mark=CLASS-A protocol=tcp

add action=mark-connection chain=forward comment=Radmin layer7-protocol=radmin new-connection-mark=CLASS-A

add action=mark-connection chain=forward comment=RDP layer7-protocol=rdp new-connection-mark=CLASS-A

add action=mark-connection chain=forward comment=PING new-connection-mark=CLASS-A protocol=icmp

add action=mark-connection chain=forward comment=CLASS-A-SITES new-connection-mark=CLASS-A src-address-list=CLASS-A-SITES

add action=mark-connection chain=forward comment=CLASS-A-SITES dst-address-list=CLASS-A-SITES new-connection-mark=CLASS-A

add action=mark-connection chain=forward comment="5Kb Connections" connection-bytes=0-5000 new-connection-mark=CLASS-A protocol=tcp

add action=mark-packet chain=forward comment=CLASS-A-GROUP-E-DL connection-mark=CLASS-A dst-address-list=GROUP-E new-packet-mark=CLASS-A-GROUP-E-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-D-DL connection-mark=CLASS-A dst-address-list=GROUP-D new-packet-mark=CLASS-A-GROUP-D-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-C-DL connection-mark=CLASS-A dst-address-list=GROUP-C new-packet-mark=CLASS-A-GROUP-C-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-B-DL connection-mark=CLASS-A dst-address-list=GROUP-B new-packet-mark=CLASS-A-GROUP-B-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-A-DL connection-mark=CLASS-A dst-address-list=GROUP-A new-packet-mark=CLASS-A-GROUP-A-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-E-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-E-UP \

src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-D-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-D-UP \

src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-C-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-C-UP \

src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-B-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-B-UP \

src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-A-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-A-UP \

src-address-list=GROUP-A

add chain=forward comment=CLASS-A disabled=yes

/ip firewall nat

add action=masquerade chain=srcnat comment="NAT for LocalNetwork" out-interface=ether1 src-address=192.168.1.0/27 to-addresses=ether1

add action=masquerade chain=srcnat disabled=yes out-interface=ppp-3G src-address=192.168.1.0/27

add action=masquerade chain=srcnat comment="NAT for VPN" out-interface=ether1 src-address=172.24.98.0/31

add action=netmap chain=dstnat comment="Accept VNC Client" dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=\

192.168.1.1x to-ports=xxxx

add action=netmap chain=dstnat dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=192.168.1.1x to-ports=xxxx

add action=netmap chain=dstnat comment="Web Rule Torrent" dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=\

192.168.1.1x to-ports=xxxx

add action=netmap chain=dstnat comment="Torrent peer" dst-port=xxxx in-interface=ether1 protocol=tcp to-addresses=192.168.1.1x to-ports=xxxx

add action=netmap chain=dstnat comment="Access SPA" disabled=yes dst-port=xxxx protocol=tcp src-address-list=white_list_permit to-addresses=192.168.1.2x \

to-ports=xxxx

/ip firewall service-port

set ftp disabled=yes

set tftp disabled=yes

set irc disabled=yes

set h323 disabled=yes

set sip disabled=yes

set pptp disabled=yes

/ip service

set telnet disabled=yes

set ftp disabled=yes

set www port=8880

set ssh port=8822

set www-ssl certificate=cert_1

set api address=192.168.1.0/24

set api-ssl disabled=yes

/ip upnp interfaces

add interface=bridge-local type=internal

add interface=ether1 type=external

/ppp secret

add name=xxxxxxxxxxxxxxxxxxx

/routing igmp-proxy

set quick-leave=yes

/routing igmp-proxy interface

add alternative-subnets=0.0.0.0/0 interface=ether1 upstream=yes

add interface=bridge-local

/system clock

set time-zone-name=Europe/Moscow

/system clock manual

set dst-delta=+03:00 time-zone=+03:00

/system leds

set 0 interface=wlan1

/system ntp client

set enabled=yes primary-ntp=85.21.78.91 secondary-ntp=91.226.136.139

/system ntp server

set manycast=no

/tool graphing interface

add interface=ether1

/tool graphing queue

add

/tool graphing resource

add

/tool mac-server

set [ find default=yes ] disabled=yes

add interface=ether2

/tool sniffer

set file-limit=50000KiB file-name=dnssnif filter-interface=ether1 filter-port=dns

[xxxxxxx@MikroTik] >

 

Edited October 18, 2015 by K@KTyC

[pppoetest]

В файерволле слишком много правил.

[K@KTyC]

Пробовал отключать все правила файрвола и ната, оставлял лишь маскардинг. Лучше не стало. Да и при тесте скорости нагрузка на ЦП не больше 25%. Причем ту правила файрвола?

[Danila]

Пробовал отключать все правила файрвола и ната, оставлял лишь маскардинг. Лучше не стало. Да и при тесте скорости нагрузка на ЦП не больше 25%. Причем ту правила файрвола?

 

Маркировка пакетов достаточно затратная процедура для процессора.

Попробуйте оптимизировать количество маркируемых пакетов.

[g3fox]

А оператор точно даёт 70 мбит?

Может, вы при тесте без микротика проверяете подключив ПК кабелем, а с микротиком по Wi-Fi?

 

И мне тоже кажется, что у вас слишком накуренный файрвол.

Особенно всякие l7-filter.

[K@KTyC]

Да. Точно дает 70 мбит, тестил ноутом прыгает 68-69 Мбит. Сбросил его в дефолт. настроил только dhcp client (к провайдеру) dhcp server для тестового ПК и маскардинг NAT и опять все те же 30. Мысль откатиться RouterOS на более ранению версию, может в этой глюки, но какую тогда

Edited October 19, 2015 by K@KTyC

[guruks]

Посмотрите ошибки на порту который смотрит на провайдера

Edited October 19, 2015 by guruks

[K@KTyC]

Простите конечно, я еще не до конца его знаю, это смотрится в общем логе или отдельно? В логе только попытки коннекта с разных ip по 443 порту.

[Ivan_83]

Купи себе асус или зюхел, не парь мозги.

А если это типа для учёбы то лучше линух/фря.

[darkagent]

Причем ту правила файрвола?

Достаточно 25 правил, чтоб превратить некротик в тыкву. Инфа с сайта производителя:

 

btw, удивительно, теме 3 дня, а сааб сюда еще не засумонился. сарказм, офк.

[Mindaugas]

В firewall ключи только маскарада и фасттрака (снизит нагрузку CPU). У меня на RB951 150Mbit с 15% CPU.

 

EDIT: Зачем тебя bridge?

Edited October 21, 2015 by Mindaugas

[K@KTyC]

Через bridge соеденен Wi-Fi и Ethernet подскажите как по другому связать откажусь от бриджа. Фасттрак?

[guruks]

Простите конечно, я еще не до конца его знаю, это смотрится в общем логе или отдельно? В логе только попытки коннекта с разных ip по 443 порту.

 

Слева меню interfaces --> ethernet --> выбираете порт к которому подключен провайдер --> закладки RX Stats и TX Stats