K@KTyC Posted October 18, 2015 (edited) · Report post В общем имеется RB951G-2HnD, провайдер выдающий 70 мбит/сек. Роутер же не разгоняется больше 20. При отключенном bridge ну максимум 30. Куда копать, уже и Queues настроил в общем скорость выше не поднимается. Есть iptv неужели оно так может забивать. В общем жду светлых мыслей, как оптимизировать конфиг, чтобы получить положенные 70. Конфиг ниже: [xxxxxx@MikroTik] > /export compact # oct/18/2015 23:13:53 by RouterOS 6.32.2 # software id = Z5TN-3BZ4 # /interface bridge add name=bridge-local /interface ethernet set [ find default-name=ether1 ] comment=WAN set [ find default-name=ether2 ] comment=LAN set [ find default-name=ether3 ] master-port=ether2 set [ find default-name=ether4 ] master-port=ether2 set [ find default-name=ether5 ] master-port=ether2 /ip neighbor discovery set ether1 comment=WAN discover=no set ether2 comment=LAN /interface wireless security-profiles add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=Security supplicant-identity="" \ wpa-pre-shared-key=XXXXXXXXXXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXXXXXXXX /interface wireless set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-b/g/n country=russia disabled=no distance=indoors frequency=2437 \ frequency-mode=superchannel mode=ap-bridge multicast-helper=disabled security-profile=Security ssid="=Wi-Fi=" tx-power=18 tx-power-mode=all-rates-fixed \ wireless-protocol=802.11 wmm-support=enabled /interface wireless nstreme set wlan1 enable-polling=no /ip neighbor discovery set wlan1 discover=no /ip firewall layer7-protocol add name=Skype regexp="^..\\x02............." 
add name=radmin regexp="^\\x01\\x01(\\x08\\x08|\\x1b\\x1b)\$" add name=rdp regexp="rdp\r\ \nrdpdr.*cliprdr.*rdpsnd" add name=Jabber regexp="<stream:stream[\\x09-\\x0d ][ -~]*[\\x09-\\x0d ]xmlns=['\"]jabber" add name=GIF_FILE regexp=gif add name=PNG_FILE regexp=png add name=http regexp=\ "http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d \96~]*(connection:|content-type:|content-length:|date:)|post [\\x09-\\x0d -~]* http/[01]\\.[019]" /ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc /ip pool add name=dhcp ranges=192.168.1.10-192.168.1.30 add name=OpenVPN ranges=172.24.98.2-172.24.98.10 add name=pool ranges=192.168.1.2-192.168.1.9 /ip dhcp-server add address-pool=dhcp disabled=no interface=bridge-local lease-time=3h name=dhcp1 /port set 0 name=usb1 /interface ppp-client add apn=internet.beeline.ru default-route-distance=1 dial-on-demand=no name=ppp-3G password=beeline port=usb1 use-peer-dns=no user=beeline /ppp profile add local-address=172.24.98.1 name=OpenVPN remote-address=OpenVPN /queue tree add limit-at=85M max-limit=100M name=DOWNLOAD parent=global add limit-at=85M max-limit=100M name=UPLOAD parent=global add name=GROUP-A-UP parent=UPLOAD add name=GROUP-B-UP parent=UPLOAD add name=GROUP-C-UP parent=UPLOAD add name=GROUP-D-UP parent=UPLOAD add name=GROUP-E-UP parent=UPLOAD add limit-at=70M max-limit=80M name=GROUP-A-DL parent=DOWNLOAD add limit-at=20M max-limit=22M name=GROUP-B-DL parent=DOWNLOAD add limit-at=15M max-limit=17M name=GROUP-C-DL parent=DOWNLOAD add limit-at=10M max-limit=12M name=GROUP-D-DL parent=DOWNLOAD add limit-at=5M max-limit=7M name=GROUP-E-DL parent=DOWNLOAD /queue type add kind=pcq name=GROUP-A-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 add kind=pcq name=GROUP-B-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 add kind=pcq name=GROUP-C-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 add kind=pcq name=GROUP-D-DL 
pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 add kind=pcq name=GROUP-E-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 add kind=pcq name=GROUP-A-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64 add kind=pcq name=GROUP-B-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64 add kind=pcq name=GROUP-C-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64 add kind=pcq name=GROUP-D-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64 add kind=pcq name=GROUP-E-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64 /queue tree add name=CLASS-AA-UP packet-mark=CLASS-A-GROUP-A-UP parent=GROUP-A-UP priority=1 queue=GROUP-A-UP add name=CLASS-BA-UP packet-mark=CLASS-B-GROUP-A-UP parent=GROUP-A-UP priority=2 queue=GROUP-A-UP add name=CLASS-CA-UP packet-mark=CLASS-C-GROUP-A-UP parent=GROUP-A-UP priority=3 queue=GROUP-A-UP add name=CLASS-DA-UP packet-mark=CLASS-D-GROUP-A-UP parent=GROUP-A-UP priority=4 queue=GROUP-A-UP add name=CLASS-AB-UP packet-mark=CLASS-A-GROUP-B-UP parent=GROUP-B-UP priority=2 queue=GROUP-B-UP add name=CLASS-BB-UP packet-mark=CLASS-B-GROUP-B-UP parent=GROUP-B-UP priority=3 queue=GROUP-B-UP add name=CLASS-CB-UP packet-mark=CLASS-C-GROUP-B-UP parent=GROUP-B-UP priority=4 queue=GROUP-B-UP add name=CLASS-DB-UP packet-mark=CLASS-D-GROUP-B-UP parent=GROUP-B-UP priority=5 queue=GROUP-B-UP add name=CLASS-AC-UP packet-mark=CLASS-A-GROUP-C-UP parent=GROUP-C-UP priority=3 queue=GROUP-C-UP add name=CLASS-BC-UP packet-mark=CLASS-B-GROUP-C-UP parent=GROUP-C-UP priority=4 queue=GROUP-C-UP add name=CLASS-CC-UP packet-mark=CLASS-C-GROUP-C-UP parent=GROUP-C-UP priority=5 queue=GROUP-C-UP add name=CLASS-DC-UP packet-mark=CLASS-D-GROUP-C-UP parent=GROUP-C-UP priority=6 queue=GROUP-C-UP add name=CLASS-AD-UP 
packet-mark=CLASS-A-GROUP-D-UP parent=GROUP-D-UP priority=4 queue=GROUP-D-UP add name=CLASS-BD-UP packet-mark=CLASS-B-GROUP-D-UP parent=GROUP-D-UP priority=5 queue=GROUP-D-UP add name=CLASS-CD-UP packet-mark=CLASS-C-GROUP-D-UP parent=GROUP-D-UP priority=6 queue=GROUP-D-UP add name=CLASS-DD-UP packet-mark=CLASS-D-GROUP-D-UP parent=GROUP-D-UP priority=7 queue=GROUP-D-UP add name=CLASS-AE-UP packet-mark=CLASS-A-GROUP-E-UP parent=GROUP-E-UP priority=5 queue=GROUP-E-UP add name=CLASS-BE-UP packet-mark=CLASS-B-GROUP-E-UP parent=GROUP-E-UP priority=6 queue=GROUP-E-UP add name=CLASS-CE-UP packet-mark=CLASS-C-GROUP-E-UP parent=GROUP-E-UP priority=7 queue=GROUP-E-UP add name=CLASS-DE-UP packet-mark=CLASS-D-GROUP-E-UP parent=GROUP-E-UP queue=GROUP-E-UP add name=CLASS-AA-DL packet-mark=CLASS-A-GROUP-A-DL parent=GROUP-A-DL priority=1 queue=GROUP-A-DL add name=CLASS-BA-DL packet-mark=CLASS-B-GROUP-A-DL parent=GROUP-A-DL priority=2 queue=GROUP-A-DL add name=CLASS-CA-DL packet-mark=CLASS-C-GROUP-A-DL parent=GROUP-A-DL priority=3 queue=GROUP-A-DL add name=CLASS-DA-DL packet-mark=CLASS-D-GROUP-A-DL parent=GROUP-A-DL priority=4 queue=GROUP-A-DL add name=CLASS-AB-DL packet-mark=CLASS-A-GROUP-B-DL parent=GROUP-B-DL priority=2 queue=GROUP-B-DL add name=CLASS-BB-DL packet-mark=CLASS-B-GROUP-B-DL parent=GROUP-B-DL priority=3 queue=GROUP-B-DL add name=CLASS-CB-DL packet-mark=CLASS-C-GROUP-B-DL parent=GROUP-B-DL priority=4 queue=GROUP-B-DL add name=CLASS-DB-DL packet-mark=CLASS-D-GROUP-B-DL parent=GROUP-B-DL priority=5 queue=GROUP-B-DL add name=CLASS-AC-DL packet-mark=CLASS-A-GROUP-C-DL parent=GROUP-C-DL priority=3 queue=GROUP-C-DL add name=CLASS-BC-DL packet-mark=CLASS-B-GROUP-C-DL parent=GROUP-C-DL priority=4 queue=GROUP-C-DL add name=CLASS-CC-DL packet-mark=CLASS-C-GROUP-C-DL parent=GROUP-C-DL priority=5 queue=GROUP-C-DL add name=CLASS-DC-DL packet-mark=CLASS-D-GROUP-C-DL parent=GROUP-C-DL priority=6 queue=GROUP-C-DL add name=CLASS-AD-DL packet-mark=CLASS-A-GROUP-D-DL parent=GROUP-D-DL 
priority=4 queue=GROUP-D-DL add name=CLASS-BD-DL packet-mark=CLASS-B-GROUP-D-DL parent=GROUP-D-DL priority=5 queue=GROUP-D-DL add name=CLASS-CD-DL packet-mark=CLASS-C-GROUP-D-DL parent=GROUP-D-DL priority=6 queue=GROUP-D-DL add name=CLASS-DD-DL packet-mark=CLASS-D-GROUP-D-DL parent=GROUP-D-DL priority=7 queue=GROUP-D-DL add name=CLASS-AE-DL packet-mark=CLASS-A-GROUP-E-DL parent=GROUP-E-DL priority=5 queue=GROUP-E-DL add name=CLASS-BE-DL packet-mark=CLASS-B-GROUP-E-DL parent=GROUP-E-DL priority=6 queue=GROUP-E-DL add name=CLASS-CE-DL packet-mark=CLASS-C-GROUP-E-DL parent=GROUP-E-DL priority=7 queue=GROUP-E-DL add name=CLASS-DE-DL packet-mark=CLASS-D-GROUP-E-DL parent=GROUP-E-DL queue=GROUP-E-DL /interface bridge port add bridge=bridge-local interface=ether2 add bridge=bridge-local interface=wlan1 /ip firewall connection tracking set tcp-established-timeout=5h /interface ovpn-server server set certificate=cert_2 cipher=blowfish128,aes128,aes192,aes256 default-profile=OpenVPN enabled=yes require-client-certificate=yes /ip address add address=192.168.1.1/26 interface=bridge-local network=192.168.1.0 /ip dhcp-client add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1 /ip dhcp-server lease add address=192.168.1.3 client-id=1:f4:6d:4:d0:d7:f5 comment=Descktop mac-address=F4:6D:04:D0:D7:F5 server=dhcp1 /ip dhcp-server network add address=192.168.1.0/27 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=26 /ip dns set allow-remote-requests=yes max-udp-packet-size=512 /ip firewall address-list add address=192.168.1.3 comment="Desctop" list=GROUP-A add list=CLASS-A-SITES add list=CLASS-B-SITES add list=CLASS-C-SITES add address=192.168.1.16/28 list=ShaperExclude add address=192.168.1.3 comment="Desctop" list=GROUP-A add address=xxxxxxxxxxx list=white_list_permit /ip firewall filter add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1 add 
action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\ fin,!syn,!rst,!psh,!ack,!urg add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\ fin,psh,urg,!syn,!rst,!ack add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=\ fin,syn,rst,psh,ack,urg add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\ !fin,!syn,!rst,!psh,!ack,!urg add action=drop chain=input comment="dropping port scanners" src-address-list=port_scanners add action=drop chain=forward comment="dropping port scanners" src-address-list=port_scanners add action=drop chain=input comment="Drop DNS Flood" dst-port=53 in-interface=ether1 protocol=udp src-address-list="dns flood" add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=input dst-port=53 in-interface=ether1 protocol=udp add action=drop chain=input comment="drop ssh,telnet,openvpn brute forcers" dst-port=22,23,1194 protocol=tcp src-address-list=brute_blacklist add action=add-src-to-address-list address-list=brute_blacklist address-list-timeout=3d chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \ src-address-list=blacklist_stage3 add action=add-src-to-address-list address-list=blacklist_stage3 address-list-timeout=5m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \ src-address-list=blacklist_stage2 add 
action=add-src-to-address-list address-list=blacklist_stage2 address-list-timeout=2m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \ src-address-list=blacklist_stage1 add action=add-src-to-address-list address-list=blacklist_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp add action=drop chain=forward comment="Drop invalid packet" connection-state=invalid add action=drop chain=input connection-state=invalid add chain=forward comment="Allow ICMP Ping" protocol=icmp add chain=input comment="For IPTV" protocol=igmp add chain=forward protocol=udp add chain=input protocol=udp add chain=input comment="Accept established connections" connection-state=established add chain=forward connection-state=established add chain=forward comment="Allow related connections" connection-state=related add chain=input comment="Allow access from Internet to Winbox and SSH_white_list_permit" dst-port=8891,8822,8880 in-interface=ether1 protocol=tcp \ src-address-list=white_list_permit add chain=forward comment="Accept Apps_white_list_permit" dst-port=xxxx,xxxx,xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit add chain=forward comment="Accept Torrent Peer" dst-port=xxxx protocol=tcp add chain=forward comment="Access to Internet from local network" in-interface=bridge-local out-interface=ether1 add chain=forward comment="Access to Internet from VPN Client" out-interface=ether1 src-address=172.24.98.0/25 add chain=forward comment="Access to internet via 3G" disabled=yes in-interface=bridge-local out-interface=ppp-3G src-address-list=3G_Inet add chain=input comment="Allow access from LocalNetwork to Winbox SSH Web" dst-port=8891,8822,8880,53,8828 in-interface=bridge-local protocol=tcp add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn add chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn add 
action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn add action=drop chain=forward comment="All drop" log=yes add action=drop chain=input log=yes /ip firewall mangle add action=change-ttl chain=prerouting new-ttl=increment:1 add chain=forward comment=CLASS-D disabled=yes add action=mark-connection chain=forward comment=ALLTRAFFIC new-connection-mark=CLASS-D add action=mark-packet chain=forward comment=CLASS-D-GROUP-E-DL connection-mark=CLASS-D dst-address-list=GROUP-E new-packet-mark=CLASS-D-GROUP-E-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-D-GROUP-D-DL connection-mark=CLASS-D dst-address-list=GROUP-D new-packet-mark=CLASS-D-GROUP-D-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-D-GROUP-C-DL connection-mark=CLASS-D dst-address-list=GROUP-C new-packet-mark=CLASS-D-GROUP-C-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-D-GROUP-B-DL connection-mark=CLASS-D dst-address-list=GROUP-B new-packet-mark=CLASS-D-GROUP-B-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-D-GROUP-A-DL connection-mark=CLASS-D dst-address-list=GROUP-A new-packet-mark=CLASS-D-GROUP-A-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-E-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-E-UP \ src-address-list=GROUP-E add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-D-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-D-UP \ src-address-list=GROUP-D add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-C-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-C-UP \ src-address-list=GROUP-C add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-B-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude 
new-packet-mark=CLASS-D-GROUP-B-UP \ src-address-list=GROUP-B add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-A-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-A-UP \ src-address-list=GROUP-A add chain=forward comment=CLASS-D disabled=yes add chain=forward comment=CLASS-C disabled=yes add action=mark-connection chain=forward comment=Proxy dst-port=3128 new-connection-mark=CLASS-C protocol=tcp add action=mark-connection chain=forward comment=HTTP layer7-protocol=http new-connection-mark=CLASS-C protocol=tcp add action=mark-connection chain=forward comment=HTTPS dst-port=443 new-connection-mark=CLASS-C protocol=tcp add action=mark-connection chain=forward comment=FTP dst-port=20,21 new-connection-mark=CLASS-C protocol=tcp add action=mark-connection chain=forward comment=SFTP dst-port=22 new-connection-mark=CLASS-C packet-size=1400-1500 protocol=tcp add action=mark-connection chain=forward comment=SMTP dst-port=25 new-connection-mark=CLASS-C protocol=tcp add action=mark-connection chain=forward comment=SMTPS dst-port=465 new-connection-mark=CLASS-C protocol=tcp add action=mark-connection chain=forward comment=Imap dst-port=143 new-connection-mark=CLASS-C protocol=tcp add action=mark-connection chain=forward comment=POP3 dst-port=110 new-connection-mark=CLASS-C protocol=tcp add action=mark-connection chain=forward comment=POP3S dst-port=995 new-connection-mark=CLASS-C protocol=tcp add action=mark-connection chain=forward comment=IMAPS dst-port=993 new-connection-mark=CLASS-C protocol=tcp add action=mark-connection chain=forward comment=GIF_FILE layer7-protocol=GIF_FILE new-connection-mark=CLASS-C add action=mark-connection chain=forward comment=PNG_FILE layer7-protocol=PNG_FILE new-connection-mark=CLASS-C add action=mark-connection chain=forward comment=CLASS-C-SITES new-connection-mark=CLASS-C src-address-list=CLASS-C-SITES add action=mark-connection chain=forward comment=CLASS-C-SITES 
dst-address-list=CLASS-C-SITES new-connection-mark=CLASS-C add action=mark-connection chain=forward comment="100Kb Connections" connection-bytes=0-100000 new-connection-mark=CLASS-C protocol=tcp add action=mark-packet chain=forward comment=CLASS-C-GROUP-E-DL connection-mark=CLASS-C dst-address-list=GROUP-E new-packet-mark=CLASS-C-GROUP-E-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-C-GROUP-D-DL connection-mark=CLASS-C dst-address-list=GROUP-D new-packet-mark=CLASS-C-GROUP-D-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-C-GROUP-C-DL connection-mark=CLASS-C dst-address-list=GROUP-C new-packet-mark=CLASS-C-GROUP-C-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-C-GROUP-B-DL connection-mark=CLASS-C dst-address-list=GROUP-B new-packet-mark=CLASS-C-GROUP-B-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-C-GROUP-A-DL connection-mark=CLASS-C dst-address-list=GROUP-A new-packet-mark=CLASS-C-GROUP-A-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-E-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-E-UP \ src-address-list=GROUP-E add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-D-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-D-UP \ src-address-list=GROUP-D add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-C-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-C-UP \ src-address-list=GROUP-C add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-B-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-B-UP \ src-address-list=GROUP-B add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-A-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude 
new-packet-mark=CLASS-C-GROUP-A-UP \ src-address-list=GROUP-A add chain=forward comment=CLASS-C disabled=yes add chain=forward comment=CLASS-B disabled=yes add action=mark-connection chain=forward comment=ICQ dst-port=5190 new-connection-mark=CLASS-B protocol=tcp add action=mark-connection chain=forward comment="Mail.ru Agent" dst-port=2041,2042 new-connection-mark=CLASS-B protocol=tcp add action=mark-connection chain=forward comment=Jabber layer7-protocol=Jabber new-connection-mark=CLASS-B add action=mark-connection chain=forward comment=IRC dst-port=6667-6669 new-connection-mark=CLASS-B protocol=tcp add action=mark-connection chain=forward comment=SSH dst-port=22 new-connection-mark=CLASS-B packet-size=0-1400 protocol=tcp add action=mark-connection chain=forward comment=TELNET dst-port=23 new-connection-mark=CLASS-B protocol=tcp add action=mark-connection chain=forward comment=SNMP dst-port=161-162 new-connection-mark=CLASS-B protocol=tcp add action=mark-connection chain=forward comment=PPTP dst-port=1723 new-connection-mark=CLASS-B protocol=tcp add action=mark-connection chain=forward comment=L2TP dst-port=1701 new-connection-mark=CLASS-B protocol=udp add action=mark-connection chain=forward comment=GRE new-connection-mark=CLASS-B protocol=gre add action=mark-connection chain=forward comment=Skype layer7-protocol=Skype new-connection-mark=CLASS-B add action=mark-connection chain=forward comment=CLASS-B-SITES new-connection-mark=CLASS-B src-address-list=CLASS-B-SITES add action=mark-connection chain=forward comment=CLASS-B-SITES dst-address-list=CLASS-B-SITES new-connection-mark=CLASS-B add action=mark-connection chain=forward comment="50Kb Connections" connection-bytes=0-50000 new-connection-mark=CLASS-B protocol=tcp add action=mark-packet chain=forward comment=CLASS-B-GROUP-E-DL connection-mark=CLASS-B dst-address-list=GROUP-E new-packet-mark=CLASS-B-GROUP-E-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-B-GROUP-D-DL 
connection-mark=CLASS-B dst-address-list=GROUP-D new-packet-mark=CLASS-B-GROUP-D-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-B-GROUP-C-DL connection-mark=CLASS-B dst-address-list=GROUP-C new-packet-mark=CLASS-B-GROUP-C-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-B-GROUP-B-DL connection-mark=CLASS-B dst-address-list=GROUP-B new-packet-mark=CLASS-B-GROUP-B-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-B-GROUP-A-DL connection-mark=CLASS-B dst-address-list=GROUP-A new-packet-mark=CLASS-B-GROUP-A-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-E-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-E-UP \ src-address-list=GROUP-E add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-D-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-D-UP \ src-address-list=GROUP-D add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-C-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-C-UP \ src-address-list=GROUP-C add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-B-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-B-UP \ src-address-list=GROUP-B add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-A-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-A-UP \ src-address-list=GROUP-A add chain=forward comment=CLASS-B disabled=yes add chain=forward comment=CLASS-A disabled=yes add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=tcp src-port=53 add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=tcp add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A 
protocol=udp add action=mark-connection chain=forward comment=NNTP dst-port=119 new-connection-mark=CLASS-A protocol=tcp add action=mark-connection chain=forward comment=Winbox dst-port=8291 new-connection-mark=CLASS-A protocol=tcp add action=mark-connection chain=forward comment=ntp dst-port=123 new-connection-mark=CLASS-A protocol=udp add action=mark-connection chain=forward comment=VNC dst-port=5900-5901 new-connection-mark=CLASS-A protocol=tcp add action=mark-connection chain=forward comment=Radmin layer7-protocol=radmin new-connection-mark=CLASS-A add action=mark-connection chain=forward comment=RDP layer7-protocol=rdp new-connection-mark=CLASS-A add action=mark-connection chain=forward comment=PING new-connection-mark=CLASS-A protocol=icmp add action=mark-connection chain=forward comment=CLASS-A-SITES new-connection-mark=CLASS-A src-address-list=CLASS-A-SITES add action=mark-connection chain=forward comment=CLASS-A-SITES dst-address-list=CLASS-A-SITES new-connection-mark=CLASS-A add action=mark-connection chain=forward comment="5Kb Connections" connection-bytes=0-5000 new-connection-mark=CLASS-A protocol=tcp add action=mark-packet chain=forward comment=CLASS-A-GROUP-E-DL connection-mark=CLASS-A dst-address-list=GROUP-E new-packet-mark=CLASS-A-GROUP-E-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-A-GROUP-D-DL connection-mark=CLASS-A dst-address-list=GROUP-D new-packet-mark=CLASS-A-GROUP-D-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-A-GROUP-C-DL connection-mark=CLASS-A dst-address-list=GROUP-C new-packet-mark=CLASS-A-GROUP-C-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-A-GROUP-B-DL connection-mark=CLASS-A dst-address-list=GROUP-B new-packet-mark=CLASS-A-GROUP-B-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=forward comment=CLASS-A-GROUP-A-DL connection-mark=CLASS-A dst-address-list=GROUP-A 
new-packet-mark=CLASS-A-GROUP-A-DL \ src-address-list=!ShaperExclude add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-E-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-E-UP \ src-address-list=GROUP-E add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-D-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-D-UP \ src-address-list=GROUP-D add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-C-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-C-UP \ src-address-list=GROUP-C add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-B-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-B-UP \ src-address-list=GROUP-B add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-A-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-A-UP \ src-address-list=GROUP-A add chain=forward comment=CLASS-A disabled=yes /ip firewall nat add action=masquerade chain=srcnat comment="NAT for LocalNetwork" out-interface=ether1 src-address=192.168.1.0/27 to-addresses=ether1 add action=masquerade chain=srcnat disabled=yes out-interface=ppp-3G src-address=192.168.1.0/27 add action=masquerade chain=srcnat comment="NAT for VPN" out-interface=ether1 src-address=172.24.98.0/31 add action=netmap chain=dstnat comment="Accept VNC Client" dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=\ 192.168.1.1x to-ports=xxxx add action=netmap chain=dstnat dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=192.168.1.1x to-ports=xxxx add action=netmap chain=dstnat comment="Web Rule Torrent" dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=\ 192.168.1.1x to-ports=xxxx add action=netmap chain=dstnat comment="Torrent peer" dst-port=xxxx in-interface=ether1 
protocol=tcp to-addresses=192.168.1.1x to-ports=xxxx add action=netmap chain=dstnat comment="Access SPA" disabled=yes dst-port=xxxx protocol=tcp src-address-list=white_list_permit to-addresses=192.168.1.2x \ to-ports=xxxx /ip firewall service-port set ftp disabled=yes set tftp disabled=yes set irc disabled=yes set h323 disabled=yes set sip disabled=yes set pptp disabled=yes /ip service set telnet disabled=yes set ftp disabled=yes set www port=8880 set ssh port=8822 set www-ssl certificate=cert_1 set api address=192.168.1.0/24 set api-ssl disabled=yes /ip upnp interfaces add interface=bridge-local type=internal add interface=ether1 type=external /ppp secret add name=xxxxxxxxxxxxxxxxxxx /routing igmp-proxy set quick-leave=yes /routing igmp-proxy interface add alternative-subnets=0.0.0.0/0 interface=ether1 upstream=yes add interface=bridge-local /system clock set time-zone-name=Europe/Moscow /system clock manual set dst-delta=+03:00 time-zone=+03:00 /system leds set 0 interface=wlan1 /system ntp client set enabled=yes primary-ntp=85.21.78.91 secondary-ntp=91.226.136.139 /system ntp server set manycast=no /tool graphing interface add interface=ether1 /tool graphing queue add /tool graphing resource add /tool mac-server set [ find default=yes ] disabled=yes add interface=ether2 /tool sniffer set file-limit=50000KiB file-name=dnssnif filter-interface=ether1 filter-port=dns [xxxxxxx@MikroTik] > Edited October 18, 2015 by K@KTyC Вставить ник Quote Ответить с цитированием Share this post Link to post Share on other sites More sharing options...
pppoetest Posted October 19, 2015 · В файерволле слишком много правил.
K@KTyC Posted October 19, 2015 · Пробовал отключать все правила файрвола и ната, оставлял лишь маскарадинг. Лучше не стало. Да и при тесте скорости нагрузка на ЦП не больше 25%. При чём тут правила файрвола?
Danila Posted October 19, 2015 · Пробовал отключать все правила файрвола и ната, оставлял лишь маскардинг. Лучше не стало. Да и при тесте скорости нагрузка на ЦП не больше 25%. Причем ту правила файрвола? Маркировка пакетов достаточно затратная процедура для процессора. Попробуйте оптимизировать количество маркируемых пакетов.
g3fox Posted October 19, 2015 · А оператор точно даёт 70 мбит? Может, вы при тесте без микротика проверяете подключив ПК кабелем, а с микротиком по Wi-Fi? И мне тоже кажется, что у вас слишком накуренный файрвол. Особенно всякие l7-filter.
K@KTyC Posted October 19, 2015 (edited) · Да. Точно даёт 70 Мбит: тестил ноутом, прыгает 68-69 Мбит. Сбросил его в дефолт, настроил только dhcp client (к провайдеру), dhcp server для тестового ПК и маскарадинг NAT — и опять всё те же 30. Мысль — откатить RouterOS на более раннюю версию, может, в этой глюки, но на какую тогда? Edited October 19, 2015 by K@KTyC
guruks Posted October 19, 2015 (edited) · Посмотрите ошибки на порту который смотрит на провайдера Edited October 19, 2015 by guruks
K@KTyC Posted October 20, 2015 · Простите конечно, я еще не до конца его знаю, это смотрится в общем логе или отдельно? В логе только попытки коннекта с разных ip по 443 порту.
Ivan_83 Posted October 20, 2015 · Купи себе асус или зюхел, не парь мозги. А если это типа для учёбы то лучше линух/фря.
darkagent Posted October 21, 2015 · Причем ту правила файрвола? Достаточно 25 правил, чтоб превратить некротик в тыкву. Инфа с сайта производителя: btw, удивительно, теме 3 дня, а сааб сюда еще не засумонился. сарказм, офк.
Mindaugas Posted October 21, 2015 (edited) · В firewall включи только маскарад и фасттрак (снизит нагрузку CPU). У меня на RB951 150Mbit с 15% CPU. EDIT: Зачем тебе bridge? Edited October 21, 2015 by Mindaugas
K@KTyC Posted October 22, 2015 · Через bridge соединены Wi-Fi и Ethernet; подскажите, как по-другому связать, — откажусь от бриджа. Фасттрак?
guruks Posted October 22, 2015 · Простите конечно, я еще не до конца его знаю, это смотрится в общем логе или отдельно? В логе только попытки коннекта с разных ip по 443 порту. Слева меню interfaces --> ethernet --> выбираете порт к которому подключен провайдер --> закладки RX Stats и TX Stats