
Микротик режет скорость Ограничивает скорость

В общем, имеется RB951G-2HnD и провайдер, выдающий 70 Мбит/с. Роутер же не разгоняется больше 20, при отключённом bridge — ну максимум 30. Куда копать? Уже и Queues настроил, в общем, скорость выше не поднимается. Есть IPTV — неужели оно так может забивать? В общем, жду светлых мыслей, как оптимизировать конфиг, чтобы получить положенные 70. Конфиг ниже:

 

 

[xxxxxx@MikroTik] > /export compact

# oct/18/2015 23:13:53 by RouterOS 6.32.2

# software id = Z5TN-3BZ4

#

/interface bridge

add name=bridge-local

/interface ethernet

set [ find default-name=ether1 ] comment=WAN

set [ find default-name=ether2 ] comment=LAN

set [ find default-name=ether3 ] master-port=ether2

set [ find default-name=ether4 ] master-port=ether2

set [ find default-name=ether5 ] master-port=ether2

/ip neighbor discovery

set ether1 comment=WAN discover=no

set ether2 comment=LAN

# Wi-Fi security profile "Security"; wlan1 selects it with security-profile=Security.
# authentication-types lists both wpa-psk and wpa2-psk, so legacy WPA is still
# offered next to WPA2. Keeping only wpa2-psk removes the older mode if no
# client depends on it.
# The two pre-shared keys are masked in this paste; an export prints them in
# clear text, so they have to be scrubbed before a config is shared.
/interface wireless security-profiles

add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=Security supplicant-identity="" \

wpa-pre-shared-key=XXXXXXXXXXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXXXXXXXX

/interface wireless

set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-b/g/n country=russia disabled=no distance=indoors frequency=2437 \

frequency-mode=superchannel mode=ap-bridge multicast-helper=disabled security-profile=Security ssid="=Wi-Fi=" tx-power=18 tx-power-mode=all-rates-fixed \

wireless-protocol=802.11 wmm-support=enabled

/interface wireless nstreme

set wlan1 enable-polling=no

/ip neighbor discovery

set wlan1 discover=no

# Payload regexes referenced by name from /ip firewall mangle (layer7-protocol=...).
# In this export they are used only to classify traffic for the queue tree, not
# to accept or drop anything.
/ip firewall layer7-protocol

add name=Skype regexp="^..\\x02............."

add name=radmin regexp="^\\x01\\x01(\\x08\\x08|\\x1b\\x1b)\$"

add name=rdp regexp="rdp\r\

\nrdpdr.*cliprdr.*rdpsnd"

add name=Jabber regexp="<stream:stream[\\x09-\\x0d ][ -~]*[\\x09-\\x0d ]xmlns=['\"]jabber"

# GIF_FILE and PNG_FILE are the bare, unanchored substrings "gif" and "png":
# any inspected payload that contains those three letters matches, so these two
# classify much more than image downloads.
add name=GIF_FILE regexp=gif

add name=PNG_FILE regexp=png

# NOTE(review): "\96~" in the first character class looks like a mangled " -~"
# (the second class on the same line is "[\\x09-\\x0d -~]") - compare with the
# value stored on the router before reusing this pattern.
add name=http regexp=\

"http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d \96~]*(connection:|content-type:|content-length:|date:)|post [\\x09-\\x0d -~]* http/[01]\\.[019]"

/ip ipsec proposal

set [ find default=yes ] enc-algorithms=aes-128-cbc

/ip pool

add name=dhcp ranges=192.168.1.10-192.168.1.30

add name=OpenVPN ranges=172.24.98.2-172.24.98.10

add name=pool ranges=192.168.1.2-192.168.1.9

/ip dhcp-server

add address-pool=dhcp disabled=no interface=bridge-local lease-time=3h name=dhcp1

/port

set 0 name=usb1

/interface ppp-client

add apn=internet.beeline.ru default-route-distance=1 dial-on-demand=no name=ppp-3G password=beeline port=usb1 use-peer-dns=no user=beeline

/ppp profile

add local-address=172.24.98.1 name=OpenVPN remote-address=OpenVPN

# Top of the shaper hierarchy: two root queues on parent=global, with one child
# queue per client group (A-E) for upload and for download.
# Both roots are limited to 85M/100M, which is above the 70 Mbit/s the provider
# is said to deliver, so the roots themselves are unlikely to ever be the
# bottleneck and the priorities below them have little to act on.
/queue tree

add limit-at=85M max-limit=100M name=DOWNLOAD parent=global

add limit-at=85M max-limit=100M name=UPLOAD parent=global

# Upload groups carry no limit-at/max-limit of their own.
add name=GROUP-A-UP parent=UPLOAD

add name=GROUP-B-UP parent=UPLOAD

add name=GROUP-C-UP parent=UPLOAD

add name=GROUP-D-UP parent=UPLOAD

add name=GROUP-E-UP parent=UPLOAD

# The download groups' limit-at values add up to 120M (70+20+15+10+5), more than
# the DOWNLOAD parent's limit-at=85M and max-limit=100M, so the guarantees
# cannot all be met at once.
add limit-at=70M max-limit=80M name=GROUP-A-DL parent=DOWNLOAD

add limit-at=20M max-limit=22M name=GROUP-B-DL parent=DOWNLOAD

add limit-at=15M max-limit=17M name=GROUP-C-DL parent=DOWNLOAD

add limit-at=10M max-limit=12M name=GROUP-D-DL parent=DOWNLOAD

add limit-at=5M max-limit=7M name=GROUP-E-DL parent=DOWNLOAD

/queue type

add kind=pcq name=GROUP-A-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64

add kind=pcq name=GROUP-B-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64

add kind=pcq name=GROUP-C-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64

add kind=pcq name=GROUP-D-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64

add kind=pcq name=GROUP-E-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64

add kind=pcq name=GROUP-A-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64

add kind=pcq name=GROUP-B-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64

add kind=pcq name=GROUP-C-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64

add kind=pcq name=GROUP-D-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64

add kind=pcq name=GROUP-E-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64

/queue tree

add name=CLASS-AA-UP packet-mark=CLASS-A-GROUP-A-UP parent=GROUP-A-UP priority=1 queue=GROUP-A-UP

add name=CLASS-BA-UP packet-mark=CLASS-B-GROUP-A-UP parent=GROUP-A-UP priority=2 queue=GROUP-A-UP

add name=CLASS-CA-UP packet-mark=CLASS-C-GROUP-A-UP parent=GROUP-A-UP priority=3 queue=GROUP-A-UP

add name=CLASS-DA-UP packet-mark=CLASS-D-GROUP-A-UP parent=GROUP-A-UP priority=4 queue=GROUP-A-UP

add name=CLASS-AB-UP packet-mark=CLASS-A-GROUP-B-UP parent=GROUP-B-UP priority=2 queue=GROUP-B-UP

add name=CLASS-BB-UP packet-mark=CLASS-B-GROUP-B-UP parent=GROUP-B-UP priority=3 queue=GROUP-B-UP

add name=CLASS-CB-UP packet-mark=CLASS-C-GROUP-B-UP parent=GROUP-B-UP priority=4 queue=GROUP-B-UP

add name=CLASS-DB-UP packet-mark=CLASS-D-GROUP-B-UP parent=GROUP-B-UP priority=5 queue=GROUP-B-UP

add name=CLASS-AC-UP packet-mark=CLASS-A-GROUP-C-UP parent=GROUP-C-UP priority=3 queue=GROUP-C-UP

add name=CLASS-BC-UP packet-mark=CLASS-B-GROUP-C-UP parent=GROUP-C-UP priority=4 queue=GROUP-C-UP

add name=CLASS-CC-UP packet-mark=CLASS-C-GROUP-C-UP parent=GROUP-C-UP priority=5 queue=GROUP-C-UP

add name=CLASS-DC-UP packet-mark=CLASS-D-GROUP-C-UP parent=GROUP-C-UP priority=6 queue=GROUP-C-UP

add name=CLASS-AD-UP packet-mark=CLASS-A-GROUP-D-UP parent=GROUP-D-UP priority=4 queue=GROUP-D-UP

add name=CLASS-BD-UP packet-mark=CLASS-B-GROUP-D-UP parent=GROUP-D-UP priority=5 queue=GROUP-D-UP

add name=CLASS-CD-UP packet-mark=CLASS-C-GROUP-D-UP parent=GROUP-D-UP priority=6 queue=GROUP-D-UP

add name=CLASS-DD-UP packet-mark=CLASS-D-GROUP-D-UP parent=GROUP-D-UP priority=7 queue=GROUP-D-UP

add name=CLASS-AE-UP packet-mark=CLASS-A-GROUP-E-UP parent=GROUP-E-UP priority=5 queue=GROUP-E-UP

add name=CLASS-BE-UP packet-mark=CLASS-B-GROUP-E-UP parent=GROUP-E-UP priority=6 queue=GROUP-E-UP

add name=CLASS-CE-UP packet-mark=CLASS-C-GROUP-E-UP parent=GROUP-E-UP priority=7 queue=GROUP-E-UP

add name=CLASS-DE-UP packet-mark=CLASS-D-GROUP-E-UP parent=GROUP-E-UP queue=GROUP-E-UP

add name=CLASS-AA-DL packet-mark=CLASS-A-GROUP-A-DL parent=GROUP-A-DL priority=1 queue=GROUP-A-DL

add name=CLASS-BA-DL packet-mark=CLASS-B-GROUP-A-DL parent=GROUP-A-DL priority=2 queue=GROUP-A-DL

add name=CLASS-CA-DL packet-mark=CLASS-C-GROUP-A-DL parent=GROUP-A-DL priority=3 queue=GROUP-A-DL

add name=CLASS-DA-DL packet-mark=CLASS-D-GROUP-A-DL parent=GROUP-A-DL priority=4 queue=GROUP-A-DL

add name=CLASS-AB-DL packet-mark=CLASS-A-GROUP-B-DL parent=GROUP-B-DL priority=2 queue=GROUP-B-DL

add name=CLASS-BB-DL packet-mark=CLASS-B-GROUP-B-DL parent=GROUP-B-DL priority=3 queue=GROUP-B-DL

add name=CLASS-CB-DL packet-mark=CLASS-C-GROUP-B-DL parent=GROUP-B-DL priority=4 queue=GROUP-B-DL

add name=CLASS-DB-DL packet-mark=CLASS-D-GROUP-B-DL parent=GROUP-B-DL priority=5 queue=GROUP-B-DL

add name=CLASS-AC-DL packet-mark=CLASS-A-GROUP-C-DL parent=GROUP-C-DL priority=3 queue=GROUP-C-DL

add name=CLASS-BC-DL packet-mark=CLASS-B-GROUP-C-DL parent=GROUP-C-DL priority=4 queue=GROUP-C-DL

add name=CLASS-CC-DL packet-mark=CLASS-C-GROUP-C-DL parent=GROUP-C-DL priority=5 queue=GROUP-C-DL

add name=CLASS-DC-DL packet-mark=CLASS-D-GROUP-C-DL parent=GROUP-C-DL priority=6 queue=GROUP-C-DL

add name=CLASS-AD-DL packet-mark=CLASS-A-GROUP-D-DL parent=GROUP-D-DL priority=4 queue=GROUP-D-DL

add name=CLASS-BD-DL packet-mark=CLASS-B-GROUP-D-DL parent=GROUP-D-DL priority=5 queue=GROUP-D-DL

add name=CLASS-CD-DL packet-mark=CLASS-C-GROUP-D-DL parent=GROUP-D-DL priority=6 queue=GROUP-D-DL

add name=CLASS-DD-DL packet-mark=CLASS-D-GROUP-D-DL parent=GROUP-D-DL priority=7 queue=GROUP-D-DL

add name=CLASS-AE-DL packet-mark=CLASS-A-GROUP-E-DL parent=GROUP-E-DL priority=5 queue=GROUP-E-DL

add name=CLASS-BE-DL packet-mark=CLASS-B-GROUP-E-DL parent=GROUP-E-DL priority=6 queue=GROUP-E-DL

add name=CLASS-CE-DL packet-mark=CLASS-C-GROUP-E-DL parent=GROUP-E-DL priority=7 queue=GROUP-E-DL

add name=CLASS-DE-DL packet-mark=CLASS-D-GROUP-E-DL parent=GROUP-E-DL queue=GROUP-E-DL

/interface bridge port

add bridge=bridge-local interface=ether2

add bridge=bridge-local interface=wlan1

/ip firewall connection tracking

set tcp-established-timeout=5h

# OpenVPN server: enabled, client certificate required, clients get the
# "OpenVPN" PPP profile.
# The cipher list still offers blowfish128 next to the AES variants; removing it
# leaves only AES for clients to negotiate.
# NOTE(review): in /ip firewall filter, tcp/1194 appears only in the brute-force
# staging rules. No input rule in this export accepts new connections to it, so
# as pasted a new VPN session would reach the final input drop (assuming the
# server is on its default port). Confirm whether an accept rule was removed
# before posting.
/interface ovpn-server server

set certificate=cert_2 cipher=blowfish128,aes128,aes192,aes256 default-profile=OpenVPN enabled=yes require-client-certificate=yes

/ip address

add address=192.168.1.1/26 interface=bridge-local network=192.168.1.0

/ip dhcp-client

add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server lease

add address=192.168.1.3 client-id=1:f4:6d:4:d0:d7:f5 comment=Descktop mac-address=F4:6D:04:D0:D7:F5 server=dhcp1

/ip dhcp-server network

add address=192.168.1.0/27 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=26

# The router answers DNS queries for clients (allow-remote-requests=yes); the
# DHCP network hands out 192.168.1.1 as dns-server.
# Nothing in this section limits which interface queries may arrive on, so
# whether the resolver is reachable from ether1 (WAN) is decided only by the
# input chain of /ip firewall filter. There, "add chain=input protocol=udp"
# accepts UDP from any interface, and the "dns flood" pair lists a source only
# after its first query has already passed on down the chain.
/ip dns

set allow-remote-requests=yes max-udp-packet-size=512

/ip firewall address-list

add address=192.168.1.3 comment="Desctop" list=GROUP-A

add list=CLASS-A-SITES

add list=CLASS-B-SITES

add list=CLASS-C-SITES

add address=192.168.1.16/28 list=ShaperExclude

add address=192.168.1.3 comment="Desctop" list=GROUP-A

add address=xxxxxxxxxxx list=white_list_permit

# Packet filter. Rules are evaluated top to bottom per chain. Rules printed
# without action= use the default action (accept). add-src-to-address-list only
# records the source address and lets the packet continue to the next rule.
/ip firewall filter

# --- Port-scan detection (input chain) ---------------------------------------
# Each rule below puts the packet's source address on "port_scanners" for two
# weeks, either through the psd matcher or through a TCP flag combination.
# The flag-based rules decide on a single packet, and the address recorded is
# whatever that packet carries as its source. Trusted addresses (for example
# white_list_permit) should be accepted above this block so that they can never
# end up on the list.
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\

fin,!syn,!rst,!psh,!ack,!urg

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\

fin,psh,urg,!syn,!rst,!ack

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=\

fin,syn,rst,psh,ack,urg

add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\

!fin,!syn,!rst,!psh,!ack,!urg

# Listed sources are dropped both towards the router and through it.
add action=drop chain=input comment="dropping port scanners" src-address-list=port_scanners

add action=drop chain=forward comment="dropping port scanners" src-address-list=port_scanners

# --- DNS on the WAN side ------------------------------------------------------
# The drop rule comes first and matches only sources already on "dns flood".
# The second rule then lists every source that sends UDP/53 to ether1 for one
# hour and lets that packet continue. The first query from each source therefore
# reaches "add chain=input protocol=udp" further down and is accepted. Dropping
# UDP/53 (and TCP/53) arriving on ether1 outright would close the resolver to
# the Internet.
add action=drop chain=input comment="Drop DNS Flood" dst-port=53 in-interface=ether1 protocol=udp src-address-list="dns flood"

add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=input dst-port=53 in-interface=ether1 protocol=udp

# --- Staged brute-force blacklist ---------------------------------------------
# A new connection to tcp/22, 23 or 1194 moves the source one stage up
# (stage1 1m -> stage2 2m -> stage3 5m -> brute_blacklist 3d).
# /ip service in this export moves ssh to 8822 and disables telnet, so 22 and 23
# are not the ports the router listens on, and 8822 is not watched here.
add action=drop chain=input comment="drop ssh,telnet,openvpn brute forcers" dst-port=22,23,1194 protocol=tcp src-address-list=brute_blacklist

add action=add-src-to-address-list address-list=brute_blacklist address-list-timeout=3d chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \

src-address-list=blacklist_stage3

add action=add-src-to-address-list address-list=blacklist_stage3 address-list-timeout=5m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \

src-address-list=blacklist_stage2

add action=add-src-to-address-list address-list=blacklist_stage2 address-list-timeout=2m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \

src-address-list=blacklist_stage1

add action=add-src-to-address-list address-list=blacklist_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp

# --- Connection-state hygiene -------------------------------------------------
add action=drop chain=forward comment="Drop invalid packet" connection-state=invalid

add action=drop chain=input connection-state=invalid

# Accepts all forwarded ICMP, in either direction.
add chain=forward comment="Allow ICMP Ping" protocol=icmp

add chain=input comment="For IPTV" protocol=igmp

# These two rules accept every UDP packet, forwarded or addressed to the router,
# on any interface and in any connection state. Together with
# allow-remote-requests=yes under /ip dns this is what leaves the router's UDP
# services reachable from ether1.
# NOTE(review): presumably added for IPTV multicast. If so, matching on
# in-interface/dst-address (e.g. dst-address=224.0.0.0/4) would express that
# without accepting all other UDP.
add chain=forward protocol=udp

add chain=input protocol=udp

add chain=input comment="Accept established connections" connection-state=established

add chain=forward connection-state=established

add chain=forward comment="Allow related connections" connection-state=related

# Management from the Internet, limited to sources on white_list_permit.
# /ip service puts www (plain HTTP) on 8880 and ssh on 8822.
# NOTE(review): 8891 is not a port set under /ip service in this export -
# confirm which service it is meant to reach.
add chain=input comment="Allow access from Internet to Winbox and SSH_white_list_permit" dst-port=8891,8822,8880 in-interface=ether1 protocol=tcp \

src-address-list=white_list_permit

add chain=forward comment="Accept Apps_white_list_permit" dst-port=xxxx,xxxx,xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit

# No in-interface and no source list: matches this TCP port in both directions
# and from any source.
add chain=forward comment="Accept Torrent Peer" dst-port=xxxx protocol=tcp

add chain=forward comment="Access to Internet from local network" in-interface=bridge-local out-interface=ether1

add chain=forward comment="Access to Internet from VPN Client" out-interface=ether1 src-address=172.24.98.0/25

add chain=forward comment="Access to internet via 3G" disabled=yes in-interface=bridge-local out-interface=ppp-3G src-address-list=3G_Inet

add chain=input comment="Allow access from LocalNetwork to Winbox SSH Web" dst-port=8891,8822,8880,53,8828 in-interface=bridge-local protocol=tcp

# --- SYN rate limit -----------------------------------------------------------
# The jump sits below the LAN/VPN accept rules, so it only sees new TCP SYNs
# that nothing above accepted, for example connections arriving on ether1.
# The first SYN-Protect rule has no action= and therefore ACCEPTS such SYNs up
# to limit=400,5; only the excess is dropped. Those connections never return to
# the forward chain, so "All drop" below does not apply to them. Using
# action=return on the rate-limited rule would keep the cap while leaving the
# accept/drop decision to the forward chain.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn

add chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn

add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn

# Default deny for both chains; every dropped packet is also written to the log.
add action=drop chain=forward comment="All drop" log=yes

add action=drop chain=input log=yes

# Traffic classification for the queue tree: connections are marked CLASS-A..D,
# then packets are marked CLASS-x-GROUP-y-DL / -UP for the matching queue.
# None of the mark-connection rules in this section matches on
# connection-state=new or connection-mark=no-mark, so every forwarded packet is
# compared against the whole list, including the layer7-protocol rules, not
# just the first packet of a connection. That is the per-packet marking cost
# raised in the replies.
# Only GROUP-A has an entry under /ip firewall address-list in this export
# (192.168.1.3); the GROUP-B..E rules are still evaluated but have no address
# to match.
/ip firewall mangle

# Adds 1 to the TTL of every packet entering the router, which cancels the
# decrement applied when the packet is routed. With it cancelled, a routing
# loop through this router is no longer cut short by TTL expiry.
# NOTE(review): presumably added for the provider's IPTV/TTL handling - confirm
# it is still needed.
add action=change-ttl chain=prerouting new-ttl=increment:1

# Disabled rule with no matcher; it appears to serve only as a visual separator.
add chain=forward comment=CLASS-D disabled=yes

# Catch-all: marks every forwarded connection CLASS-D. The CLASS-C/B/A rules
# further down overwrite the mark for the traffic they match.
add action=mark-connection chain=forward comment=ALLTRAFFIC new-connection-mark=CLASS-D

add action=mark-packet chain=forward comment=CLASS-D-GROUP-E-DL connection-mark=CLASS-D dst-address-list=GROUP-E new-packet-mark=CLASS-D-GROUP-E-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-D-DL connection-mark=CLASS-D dst-address-list=GROUP-D new-packet-mark=CLASS-D-GROUP-D-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-C-DL connection-mark=CLASS-D dst-address-list=GROUP-C new-packet-mark=CLASS-D-GROUP-C-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-B-DL connection-mark=CLASS-D dst-address-list=GROUP-B new-packet-mark=CLASS-D-GROUP-B-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-D-GROUP-A-DL connection-mark=CLASS-D dst-address-list=GROUP-A new-packet-mark=CLASS-D-GROUP-A-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-E-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-E-UP \

src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-D-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-D-UP \

src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-C-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-C-UP \

src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-B-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-B-UP \

src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-A-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-A-UP \

src-address-list=GROUP-A

add chain=forward comment=CLASS-D disabled=yes

add chain=forward comment=CLASS-C disabled=yes

add action=mark-connection chain=forward comment=Proxy dst-port=3128 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=HTTP layer7-protocol=http new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=HTTPS dst-port=443 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=FTP dst-port=20,21 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=SFTP dst-port=22 new-connection-mark=CLASS-C packet-size=1400-1500 protocol=tcp

add action=mark-connection chain=forward comment=SMTP dst-port=25 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=SMTPS dst-port=465 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=Imap dst-port=143 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=POP3 dst-port=110 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=POP3S dst-port=995 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=IMAPS dst-port=993 new-connection-mark=CLASS-C protocol=tcp

add action=mark-connection chain=forward comment=GIF_FILE layer7-protocol=GIF_FILE new-connection-mark=CLASS-C

add action=mark-connection chain=forward comment=PNG_FILE layer7-protocol=PNG_FILE new-connection-mark=CLASS-C

add action=mark-connection chain=forward comment=CLASS-C-SITES new-connection-mark=CLASS-C src-address-list=CLASS-C-SITES

add action=mark-connection chain=forward comment=CLASS-C-SITES dst-address-list=CLASS-C-SITES new-connection-mark=CLASS-C

add action=mark-connection chain=forward comment="100Kb Connections" connection-bytes=0-100000 new-connection-mark=CLASS-C protocol=tcp

add action=mark-packet chain=forward comment=CLASS-C-GROUP-E-DL connection-mark=CLASS-C dst-address-list=GROUP-E new-packet-mark=CLASS-C-GROUP-E-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-D-DL connection-mark=CLASS-C dst-address-list=GROUP-D new-packet-mark=CLASS-C-GROUP-D-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-C-DL connection-mark=CLASS-C dst-address-list=GROUP-C new-packet-mark=CLASS-C-GROUP-C-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-B-DL connection-mark=CLASS-C dst-address-list=GROUP-B new-packet-mark=CLASS-C-GROUP-B-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-C-GROUP-A-DL connection-mark=CLASS-C dst-address-list=GROUP-A new-packet-mark=CLASS-C-GROUP-A-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-E-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-E-UP \

src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-D-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-D-UP \

src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-C-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-C-UP \

src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-B-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-B-UP \

src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-A-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-A-UP \

src-address-list=GROUP-A

add chain=forward comment=CLASS-C disabled=yes

add chain=forward comment=CLASS-B disabled=yes

add action=mark-connection chain=forward comment=ICQ dst-port=5190 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment="Mail.ru Agent" dst-port=2041,2042 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment=Jabber layer7-protocol=Jabber new-connection-mark=CLASS-B

add action=mark-connection chain=forward comment=IRC dst-port=6667-6669 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment=SSH dst-port=22 new-connection-mark=CLASS-B packet-size=0-1400 protocol=tcp

add action=mark-connection chain=forward comment=TELNET dst-port=23 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment=SNMP dst-port=161-162 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment=PPTP dst-port=1723 new-connection-mark=CLASS-B protocol=tcp

add action=mark-connection chain=forward comment=L2TP dst-port=1701 new-connection-mark=CLASS-B protocol=udp

add action=mark-connection chain=forward comment=GRE new-connection-mark=CLASS-B protocol=gre

add action=mark-connection chain=forward comment=Skype layer7-protocol=Skype new-connection-mark=CLASS-B

add action=mark-connection chain=forward comment=CLASS-B-SITES new-connection-mark=CLASS-B src-address-list=CLASS-B-SITES

add action=mark-connection chain=forward comment=CLASS-B-SITES dst-address-list=CLASS-B-SITES new-connection-mark=CLASS-B

add action=mark-connection chain=forward comment="50Kb Connections" connection-bytes=0-50000 new-connection-mark=CLASS-B protocol=tcp

add action=mark-packet chain=forward comment=CLASS-B-GROUP-E-DL connection-mark=CLASS-B dst-address-list=GROUP-E new-packet-mark=CLASS-B-GROUP-E-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-D-DL connection-mark=CLASS-B dst-address-list=GROUP-D new-packet-mark=CLASS-B-GROUP-D-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-C-DL connection-mark=CLASS-B dst-address-list=GROUP-C new-packet-mark=CLASS-B-GROUP-C-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-B-DL connection-mark=CLASS-B dst-address-list=GROUP-B new-packet-mark=CLASS-B-GROUP-B-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-B-GROUP-A-DL connection-mark=CLASS-B dst-address-list=GROUP-A new-packet-mark=CLASS-B-GROUP-A-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-E-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-E-UP \

src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-D-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-D-UP \

src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-C-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-C-UP \

src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-B-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-B-UP \

src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-A-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-A-UP \

src-address-list=GROUP-A

add chain=forward comment=CLASS-B disabled=yes

add chain=forward comment=CLASS-A disabled=yes

add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=tcp src-port=53

add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=tcp

add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=udp

add action=mark-connection chain=forward comment=NNTP dst-port=119 new-connection-mark=CLASS-A protocol=tcp

add action=mark-connection chain=forward comment=Winbox dst-port=8291 new-connection-mark=CLASS-A protocol=tcp

add action=mark-connection chain=forward comment=ntp dst-port=123 new-connection-mark=CLASS-A protocol=udp

add action=mark-connection chain=forward comment=VNC dst-port=5900-5901 new-connection-mark=CLASS-A protocol=tcp

add action=mark-connection chain=forward comment=Radmin layer7-protocol=radmin new-connection-mark=CLASS-A

add action=mark-connection chain=forward comment=RDP layer7-protocol=rdp new-connection-mark=CLASS-A

add action=mark-connection chain=forward comment=PING new-connection-mark=CLASS-A protocol=icmp

add action=mark-connection chain=forward comment=CLASS-A-SITES new-connection-mark=CLASS-A src-address-list=CLASS-A-SITES

add action=mark-connection chain=forward comment=CLASS-A-SITES dst-address-list=CLASS-A-SITES new-connection-mark=CLASS-A

add action=mark-connection chain=forward comment="5Kb Connections" connection-bytes=0-5000 new-connection-mark=CLASS-A protocol=tcp

add action=mark-packet chain=forward comment=CLASS-A-GROUP-E-DL connection-mark=CLASS-A dst-address-list=GROUP-E new-packet-mark=CLASS-A-GROUP-E-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-D-DL connection-mark=CLASS-A dst-address-list=GROUP-D new-packet-mark=CLASS-A-GROUP-D-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-C-DL connection-mark=CLASS-A dst-address-list=GROUP-C new-packet-mark=CLASS-A-GROUP-C-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-B-DL connection-mark=CLASS-A dst-address-list=GROUP-B new-packet-mark=CLASS-A-GROUP-B-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=forward comment=CLASS-A-GROUP-A-DL connection-mark=CLASS-A dst-address-list=GROUP-A new-packet-mark=CLASS-A-GROUP-A-DL \

src-address-list=!ShaperExclude

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-E-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-E-UP \

src-address-list=GROUP-E

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-D-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-D-UP \

src-address-list=GROUP-D

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-C-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-C-UP \

src-address-list=GROUP-C

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-B-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-B-UP \

src-address-list=GROUP-B

add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-A-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-A-UP \

src-address-list=GROUP-A

add chain=forward comment=CLASS-A disabled=yes

# Source NAT for outbound traffic and destination NAT (port forwards) for
# services inside the LAN. Ports and target hosts are masked in this paste.
/ip firewall nat

# NOTE(review): bridge-local is addressed as 192.168.1.1/26, but this rule
# covers only 192.168.1.0/27 (.0-.31). A host in .32-.62 would leave ether1
# untranslated. The DHCP pools in this export stay inside the /27.
add action=masquerade chain=srcnat comment="NAT for LocalNetwork" out-interface=ether1 src-address=192.168.1.0/27 to-addresses=ether1

add action=masquerade chain=srcnat disabled=yes out-interface=ppp-3G src-address=192.168.1.0/27

# NOTE(review): 172.24.98.0/31 contains only .0 and .1, while the OpenVPN pool
# hands out 172.24.98.2-172.24.98.10 and the filter rule for VPN clients uses
# 172.24.98.0/25. As written, VPN client addresses do not match this rule -
# confirm the intended prefix.
add action=masquerade chain=srcnat comment="NAT for VPN" out-interface=ether1 src-address=172.24.98.0/31

# Port forwards from ether1. All but "Torrent peer" are limited to sources on
# white_list_permit; that source list is the only restriction visible here for
# the forwarded VNC and web services.
add action=netmap chain=dstnat comment="Accept VNC Client" dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=\

192.168.1.1x to-ports=xxxx

add action=netmap chain=dstnat dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=192.168.1.1x to-ports=xxxx

add action=netmap chain=dstnat comment="Web Rule Torrent" dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=\

192.168.1.1x to-ports=xxxx

# No src-address-list: this forward is open to any source on the Internet.
add action=netmap chain=dstnat comment="Torrent peer" dst-port=xxxx in-interface=ether1 protocol=tcp to-addresses=192.168.1.1x to-ports=xxxx

# Disabled. Unlike the rules above it has no in-interface, so if re-enabled it
# would match the port on every interface, not just ether1.
add action=netmap chain=dstnat comment="Access SPA" disabled=yes dst-port=xxxx protocol=tcp src-address-list=white_list_permit to-addresses=192.168.1.2x \

to-ports=xxxx

/ip firewall service-port

set ftp disabled=yes

set tftp disabled=yes

set irc disabled=yes

set h323 disabled=yes

set sip disabled=yes

set pptp disabled=yes

# Management services of the router itself. Only api has an address=
# restriction here, so who can reach www and ssh is decided entirely by the
# input chain of /ip firewall filter.
/ip service

set telnet disabled=yes

set ftp disabled=yes

# WebFig over plain HTTP, moved to port 8880. The filter's input chain allows
# this port from ether1 for white_list_permit sources, so the web login crosses
# the Internet unencrypted for those sources.
set www port=8880

set ssh port=8822

# A certificate is assigned, but no disabled=no is shown for www-ssl.
# NOTE(review): the HTTPS service appears to be left in its default state -
# confirm whether it is actually enabled.
set www-ssl certificate=cert_1

# API limited to 192.168.1.0/24; the TLS variant is switched off.
set api address=192.168.1.0/24

set api-ssl disabled=yes

# NOTE(review): winbox has no line in this section, so it is presumably on its
# defaults, while the filter rules allow tcp/8891 - confirm which port Winbox
# really uses.

# UPnP interface roles: bridge-local is the internal side, ether1 the external.
# No "/ip upnp set enabled=yes" appears in this export, so the service itself
# seems to be off - NOTE(review): confirm.
# If it is enabled, hosts on bridge-local can request port mappings on ether1
# without authentication, and such mappings are not limited to the
# white_list_permit sources that the manual dst-nat rules use.
/ip upnp interfaces

add interface=bridge-local type=internal

add interface=ether1 type=external

/ppp secret

add name=xxxxxxxxxxxxxxxxxxx

/routing igmp-proxy

set quick-leave=yes

/routing igmp-proxy interface

add alternative-subnets=0.0.0.0/0 interface=ether1 upstream=yes

add interface=bridge-local

/system clock

set time-zone-name=Europe/Moscow

/system clock manual

set dst-delta=+03:00 time-zone=+03:00

/system leds

set 0 interface=wlan1

/system ntp client

set enabled=yes primary-ntp=85.21.78.91 secondary-ntp=91.226.136.139

/system ntp server

set manycast=no

/tool graphing interface

add interface=ether1

/tool graphing queue

add

/tool graphing resource

add

/tool mac-server

set [ find default=yes ] disabled=yes

add interface=ether2

/tool sniffer

set file-limit=50000KiB file-name=dnssnif filter-interface=ether1 filter-port=dns

[xxxxxxx@MikroTik] >

 

Edited by K@KTyC


Пробовал отключать все правила файрвола и ната, оставлял лишь маскарадинг. Лучше не стало. Да и при тесте скорости нагрузка на ЦП не больше 25%. При чём тут правила файрвола?


Пробовал отключать все правила файрвола и ната, оставлял лишь маскарадинг. Лучше не стало. Да и при тесте скорости нагрузка на ЦП не больше 25%. При чём тут правила файрвола?

 

Маркировка пакетов достаточно затратная процедура для процессора.

Попробуйте оптимизировать количество маркируемых пакетов.


А оператор точно даёт 70 мбит?

Может, вы при тесте без микротика проверяете подключив ПК кабелем, а с микротиком по Wi-Fi?

 

И мне тоже кажется, что у вас слишком накуренный файрвол.

Особенно всякие l7-filter.


Да, точно даёт 70 Мбит: тестил ноутом, прыгает 68–69 Мбит. Сбросил его в дефолт, настроил только dhcp client (к провайдеру), dhcp server для тестового ПК и маскарадинг NAT — и опять всё те же 30. Есть мысль откатить RouterOS на более раннюю версию, может, в этой глюки, но на какую тогда?

Edited by K@KTyC


Простите конечно, я еще не до конца его знаю, это смотрится в общем логе или отдельно? В логе только попытки коннекта с разных ip по 443 порту.


При чём тут правила файрвола?

Достаточно 25 правил, чтоб превратить некротик в тыкву. Инфа с сайта производителя:

nekrotik.1445421445.png

 

btw, удивительно, теме 3 дня, а сааб сюда еще не засумонился. сарказм, офк.


В firewall — только правила маскарада и фасттрака (снизит нагрузку на CPU). У меня на RB951 150Mbit с 15% CPU.

 

EDIT: Зачем тебе bridge?

Edited by Mindaugas


Простите конечно, я еще не до конца его знаю, это смотрится в общем логе или отдельно? В логе только попытки коннекта с разных ip по 443 порту.

 

Слева меню interfaces --> ethernet --> выбираете порт к которому подключен провайдер --> закладки RX Stats и TX Stats
