K@KTyC Posted October 18, 2015 (edited) В общем имеется RB951G-2HnD, провайдер выдающий 70 мбит/сек. Роутер же не разгоняется больше 20. При отключенном bridge ну максимум 30. Куда копать, уже и Queues настроил в общем скорость выше не поднимается. Есть iptv неужели оно так может забивать. В общем жду светлых мыслей, как оптимизировать конфиг, чтобы получить положенные 70. Конфиг ниже:
[xxxxxx@MikroTik] > /export compact
# oct/18/2015 23:13:53 by RouterOS 6.32.2
# software id = Z5TN-3BZ4
#
# NOTE(review): this is a complete router export posted publicly: bridge/switch
# layout, Wi-Fi, PCQ/queue-tree shaping, firewall filter/mangle/NAT and services.
# The software id above, the MAC address in the DHCP lease and the PPP login below
# are device- or account-specific. RouterOS 6 has `export hide-sensitive`; whatever
# identifiers remain are best redacted by hand before sharing.
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/ip neighbor discovery
set ether1 comment=WAN discover=no
set ether2 comment=LAN
/interface wireless security-profiles
# NOTE(review): authentication-types still includes wpa-psk, so legacy WPA clients
# can associate; keep only wpa2-psk unless an old device needs it. Cipher settings
# are not in this compact export, so they are presumably at defaults - confirm.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=Security supplicant-identity="" \
    wpa-pre-shared-key=XXXXXXXXXXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXXXXXXXX
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-b/g/n country=russia disabled=no distance=indoors frequency=2437 \
    frequency-mode=superchannel mode=ap-bridge multicast-helper=disabled security-profile=Security ssid="=Wi-Fi=" tx-power=18 tx-power-mode=all-rates-fixed \
    wireless-protocol=802.11 wmm-support=enabled
/interface wireless nstreme
set wlan1 enable-polling=no
/ip neighbor discovery
set wlan1 discover=no
/ip firewall layer7-protocol
add name=Skype regexp="^..\\x02............."
add name=radmin regexp="^\\x01\\x01(\\x08\\x08|\\x1b\\x1b)\$"
add name=rdp regexp="rdp\r\ \nrdpdr.*cliprdr.*rdpsnd"
add name=Jabber regexp="<stream:stream[\\x09-\\x0d ][ -~]*[\\x09-\\x0d ]xmlns=['\"]jabber"
add name=GIF_FILE regexp=gif
add name=PNG_FILE regexp=png
add name=http regexp=\
    "http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d \96~]*(connection:|content-type:|content-length:|date:)|post [\\x09-\\x0d -~]* http/[01]\\.[019]"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.30
add name=OpenVPN ranges=172.24.98.2-172.24.98.10
add name=pool ranges=192.168.1.2-192.168.1.9
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=3h name=dhcp1
/port
set 0 name=usb1
/interface ppp-client
# NOTE(review): the PPP user/password are exported in clear text (here they look
# like the operator's generic APN login - confirm before assuming they are harmless).
add apn=internet.beeline.ru default-route-distance=1 dial-on-demand=no name=ppp-3G password=beeline port=usb1 use-peer-dns=no user=beeline
/ppp profile
add local-address=172.24.98.1 name=OpenVPN remote-address=OpenVPN
/queue tree
add limit-at=85M max-limit=100M name=DOWNLOAD parent=global
add limit-at=85M max-limit=100M name=UPLOAD parent=global
add name=GROUP-A-UP parent=UPLOAD
add name=GROUP-B-UP parent=UPLOAD
add name=GROUP-C-UP parent=UPLOAD
add name=GROUP-D-UP parent=UPLOAD
add name=GROUP-E-UP parent=UPLOAD
add limit-at=70M max-limit=80M name=GROUP-A-DL parent=DOWNLOAD
add limit-at=20M max-limit=22M name=GROUP-B-DL parent=DOWNLOAD
add limit-at=15M max-limit=17M name=GROUP-C-DL parent=DOWNLOAD
add limit-at=10M max-limit=12M name=GROUP-D-DL parent=DOWNLOAD
add limit-at=5M max-limit=7M name=GROUP-E-DL parent=DOWNLOAD
/queue type
add kind=pcq name=GROUP-A-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=GROUP-B-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=GROUP-C-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=GROUP-D-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=GROUP-E-DL pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=GROUP-A-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64
add kind=pcq name=GROUP-B-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64
add kind=pcq name=GROUP-C-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64
add kind=pcq name=GROUP-D-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64
add kind=pcq name=GROUP-E-UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=150 pcq-src-address6-mask=64
/queue tree
add name=CLASS-AA-UP packet-mark=CLASS-A-GROUP-A-UP parent=GROUP-A-UP priority=1 queue=GROUP-A-UP
add name=CLASS-BA-UP packet-mark=CLASS-B-GROUP-A-UP parent=GROUP-A-UP priority=2 queue=GROUP-A-UP
add name=CLASS-CA-UP packet-mark=CLASS-C-GROUP-A-UP parent=GROUP-A-UP priority=3 queue=GROUP-A-UP
add name=CLASS-DA-UP packet-mark=CLASS-D-GROUP-A-UP parent=GROUP-A-UP priority=4 queue=GROUP-A-UP
add name=CLASS-AB-UP packet-mark=CLASS-A-GROUP-B-UP parent=GROUP-B-UP priority=2 queue=GROUP-B-UP
add name=CLASS-BB-UP packet-mark=CLASS-B-GROUP-B-UP parent=GROUP-B-UP priority=3 queue=GROUP-B-UP
add name=CLASS-CB-UP packet-mark=CLASS-C-GROUP-B-UP parent=GROUP-B-UP priority=4 queue=GROUP-B-UP
add name=CLASS-DB-UP packet-mark=CLASS-D-GROUP-B-UP parent=GROUP-B-UP priority=5 queue=GROUP-B-UP
add name=CLASS-AC-UP packet-mark=CLASS-A-GROUP-C-UP parent=GROUP-C-UP priority=3 queue=GROUP-C-UP
add name=CLASS-BC-UP packet-mark=CLASS-B-GROUP-C-UP parent=GROUP-C-UP priority=4 queue=GROUP-C-UP
add name=CLASS-CC-UP packet-mark=CLASS-C-GROUP-C-UP parent=GROUP-C-UP priority=5 queue=GROUP-C-UP
add name=CLASS-DC-UP packet-mark=CLASS-D-GROUP-C-UP parent=GROUP-C-UP priority=6 queue=GROUP-C-UP
add name=CLASS-AD-UP packet-mark=CLASS-A-GROUP-D-UP parent=GROUP-D-UP priority=4 queue=GROUP-D-UP
add name=CLASS-BD-UP packet-mark=CLASS-B-GROUP-D-UP parent=GROUP-D-UP priority=5 queue=GROUP-D-UP
add name=CLASS-CD-UP packet-mark=CLASS-C-GROUP-D-UP parent=GROUP-D-UP priority=6 queue=GROUP-D-UP
add name=CLASS-DD-UP packet-mark=CLASS-D-GROUP-D-UP parent=GROUP-D-UP priority=7 queue=GROUP-D-UP
add name=CLASS-AE-UP packet-mark=CLASS-A-GROUP-E-UP parent=GROUP-E-UP priority=5 queue=GROUP-E-UP
add name=CLASS-BE-UP packet-mark=CLASS-B-GROUP-E-UP parent=GROUP-E-UP priority=6 queue=GROUP-E-UP
add name=CLASS-CE-UP packet-mark=CLASS-C-GROUP-E-UP parent=GROUP-E-UP priority=7 queue=GROUP-E-UP
add name=CLASS-DE-UP packet-mark=CLASS-D-GROUP-E-UP parent=GROUP-E-UP queue=GROUP-E-UP
add name=CLASS-AA-DL packet-mark=CLASS-A-GROUP-A-DL parent=GROUP-A-DL priority=1 queue=GROUP-A-DL
add name=CLASS-BA-DL packet-mark=CLASS-B-GROUP-A-DL parent=GROUP-A-DL priority=2 queue=GROUP-A-DL
add name=CLASS-CA-DL packet-mark=CLASS-C-GROUP-A-DL parent=GROUP-A-DL priority=3 queue=GROUP-A-DL
add name=CLASS-DA-DL packet-mark=CLASS-D-GROUP-A-DL parent=GROUP-A-DL priority=4 queue=GROUP-A-DL
add name=CLASS-AB-DL packet-mark=CLASS-A-GROUP-B-DL parent=GROUP-B-DL priority=2 queue=GROUP-B-DL
add name=CLASS-BB-DL packet-mark=CLASS-B-GROUP-B-DL parent=GROUP-B-DL priority=3 queue=GROUP-B-DL
add name=CLASS-CB-DL packet-mark=CLASS-C-GROUP-B-DL parent=GROUP-B-DL priority=4 queue=GROUP-B-DL
add name=CLASS-DB-DL packet-mark=CLASS-D-GROUP-B-DL parent=GROUP-B-DL priority=5 queue=GROUP-B-DL
add name=CLASS-AC-DL packet-mark=CLASS-A-GROUP-C-DL parent=GROUP-C-DL priority=3 queue=GROUP-C-DL
add name=CLASS-BC-DL packet-mark=CLASS-B-GROUP-C-DL parent=GROUP-C-DL priority=4 queue=GROUP-C-DL
add name=CLASS-CC-DL packet-mark=CLASS-C-GROUP-C-DL parent=GROUP-C-DL priority=5 queue=GROUP-C-DL
add name=CLASS-DC-DL packet-mark=CLASS-D-GROUP-C-DL parent=GROUP-C-DL priority=6 queue=GROUP-C-DL
add name=CLASS-AD-DL packet-mark=CLASS-A-GROUP-D-DL parent=GROUP-D-DL priority=4 queue=GROUP-D-DL
add name=CLASS-BD-DL packet-mark=CLASS-B-GROUP-D-DL parent=GROUP-D-DL priority=5 queue=GROUP-D-DL
add name=CLASS-CD-DL packet-mark=CLASS-C-GROUP-D-DL parent=GROUP-D-DL priority=6 queue=GROUP-D-DL
add name=CLASS-DD-DL packet-mark=CLASS-D-GROUP-D-DL parent=GROUP-D-DL priority=7 queue=GROUP-D-DL
add name=CLASS-AE-DL packet-mark=CLASS-A-GROUP-E-DL parent=GROUP-E-DL priority=5 queue=GROUP-E-DL
add name=CLASS-BE-DL packet-mark=CLASS-B-GROUP-E-DL parent=GROUP-E-DL priority=6 queue=GROUP-E-DL
add name=CLASS-CE-DL packet-mark=CLASS-C-GROUP-E-DL parent=GROUP-E-DL priority=7 queue=GROUP-E-DL
add name=CLASS-DE-DL packet-mark=CLASS-D-GROUP-E-DL parent=GROUP-E-DL queue=GROUP-E-DL
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=wlan1
/ip firewall connection tracking
set tcp-established-timeout=5h
/interface ovpn-server server
# NOTE(review): blowfish128 is a 64-bit-block cipher; if every client supports AES,
# list only the aes* ciphers. require-client-certificate=yes is the right setting.
set certificate=cert_2 cipher=blowfish128,aes128,aes192,aes256 default-profile=OpenVPN enabled=yes require-client-certificate=yes
/ip address
# NOTE(review): prefix lengths disagree across this export: the interface is /26,
# the DHCP network is declared as 192.168.1.0/27 with netmask=26, srcnat below
# matches /27 and the api service allows /24. Hosts in .32-.63 would be on-link but
# not masqueraded - confirm which prefix is intended.
add address=192.168.1.1/26 interface=bridge-local network=192.168.1.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.3 client-id=1:f4:6d:4:d0:d7:f5 comment=Descktop mac-address=F4:6D:04:D0:D7:F5 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/27 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=26
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries; with
# the unconditional `chain=input protocol=udp` accept in the filter table, queries
# arriving on ether1 are answered too (see the "dns flood" rules).
set allow-remote-requests=yes max-udp-packet-size=512
/ip firewall address-list
add address=192.168.1.3 comment="Desctop" list=GROUP-A
add list=CLASS-A-SITES
add list=CLASS-B-SITES
add list=CLASS-C-SITES
add address=192.168.1.16/28 list=ShaperExclude
add address=192.168.1.3 comment="Desctop" list=GROUP-A
add address=xxxxxxxxxxx list=white_list_permit
/ip firewall filter
# NOTE(review): the scan detectors below have no in-interface match and sit before
# the established/related accepts, so every packet of every connection traverses
# them. Lists fed by single unauthenticated packets can also end up holding spoofed
# source addresses; port_scanners is dropped on forward as well, for 2w.
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list=port_scanners
add action=drop chain=forward comment="dropping port scanners" src-address-list=port_scanners
# NOTE(review): the first UDP/53 packet from a new source on ether1 is only listed,
# not dropped, and is then accepted by `chain=input protocol=udp` further down; only
# repeats within 1h are dropped. A plain drop of udp dst-port=53 on ether1 would
# close the resolver to the WAN (upstream replies arrive with src-port 53 instead).
add action=drop chain=input comment="Drop DNS Flood" dst-port=53 in-interface=ether1 protocol=udp src-address-list="dns flood"
add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=input dst-port=53 in-interface=ether1 protocol=udp
# NOTE(review): these stages watch tcp/22,23,1194, but /ip service below moves ssh
# to 8822 and disables telnet, so the SSH port that is actually open is not covered.
add action=drop chain=input comment="drop ssh,telnet,openvpn brute forcers" dst-port=22,23,1194 protocol=tcp src-address-list=brute_blacklist
add action=add-src-to-address-list address-list=brute_blacklist address-list-timeout=3d chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \
    src-address-list=blacklist_stage3
add action=add-src-to-address-list address-list=blacklist_stage3 address-list-timeout=5m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \
    src-address-list=blacklist_stage2
add action=add-src-to-address-list address-list=blacklist_stage2 address-list-timeout=2m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp \
    src-address-list=blacklist_stage1
add action=add-src-to-address-list address-list=blacklist_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22,23,1194 protocol=tcp
add action=drop chain=forward comment="Drop invalid packet" connection-state=invalid
add action=drop chain=input connection-state=invalid
add chain=forward comment="Allow ICMP Ping" protocol=icmp
add chain=input comment="For IPTV" protocol=igmp
# NOTE(review): the next two rules accept all UDP in both chains from any interface,
# ether1 included. That exposes every UDP service on the router to the WAN and makes
# the later forward rules irrelevant for UDP. If this is for IPTV, narrow it, e.g.
# in-interface=ether1 dst-address=224.0.0.0/4 - confirm the range with the provider.
add chain=forward protocol=udp
add chain=input protocol=udp
add chain=input comment="Accept established connections" connection-state=established
add chain=forward connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
# NOTE(review): 8880 is the plain-HTTP www service (see /ip service), so WebFig
# logins from the whitelist cross the Internet unencrypted; prefer ssh, www-ssl or
# the VPN. The winbox port is not in this export (presumably the default 8291, which
# the mangle table also uses), so 8891 here may be a typo - confirm.
add chain=input comment="Allow access from Internet to Winbox and SSH_white_list_permit" dst-port=8891,8822,8880 in-interface=ether1 protocol=tcp \
    src-address-list=white_list_permit
add chain=forward comment="Accept Apps_white_list_permit" dst-port=xxxx,xxxx,xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit
add chain=forward comment="Accept Torrent Peer" dst-port=xxxx protocol=tcp
add chain=forward comment="Access to Internet from local network" in-interface=bridge-local out-interface=ether1
add chain=forward comment="Access to Internet from VPN Client" out-interface=ether1 src-address=172.24.98.0/25
add chain=forward comment="Access to internet via 3G" disabled=yes in-interface=bridge-local out-interface=ppp-3G src-address-list=3G_Inet
add chain=input comment="Allow access from LocalNetwork to Winbox SSH Web" dst-port=8891,8822,8880,53,8828 in-interface=bridge-local protocol=tcp
# NOTE(review): this jump sits after the accept rules, so it only sees new TCP SYNs
# that nothing above accepted. The first SYN-Protect rule has no action, i.e. accept,
# and as far as I know accept inside a jumped chain is final: such SYNs are let
# through (up to the limit) and never reach "All drop". action=return would hand
# them back to the forward chain instead.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="All drop" log=yes
add action=drop chain=input log=yes
/ip firewall mangle
add action=change-ttl chain=prerouting new-ttl=increment:1
add chain=forward comment=CLASS-D disabled=yes
add action=mark-connection chain=forward comment=ALLTRAFFIC new-connection-mark=CLASS-D
add action=mark-packet chain=forward comment=CLASS-D-GROUP-E-DL connection-mark=CLASS-D dst-address-list=GROUP-E new-packet-mark=CLASS-D-GROUP-E-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-D-GROUP-D-DL connection-mark=CLASS-D dst-address-list=GROUP-D new-packet-mark=CLASS-D-GROUP-D-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-D-GROUP-C-DL connection-mark=CLASS-D dst-address-list=GROUP-C new-packet-mark=CLASS-D-GROUP-C-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-D-GROUP-B-DL connection-mark=CLASS-D dst-address-list=GROUP-B new-packet-mark=CLASS-D-GROUP-B-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-D-GROUP-A-DL connection-mark=CLASS-D dst-address-list=GROUP-A new-packet-mark=CLASS-D-GROUP-A-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-E-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-E-UP \
    src-address-list=GROUP-E
add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-D-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-D-UP \
    src-address-list=GROUP-D
add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-C-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-C-UP \
    src-address-list=GROUP-C
add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-B-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-B-UP \
    src-address-list=GROUP-B
add action=mark-packet chain=prerouting comment=CLASS-D-GROUP-A-UP connection-mark=CLASS-D dst-address-list=!ShaperExclude new-packet-mark=CLASS-D-GROUP-A-UP \
    src-address-list=GROUP-A
add chain=forward comment=CLASS-D disabled=yes
add chain=forward comment=CLASS-C disabled=yes
add action=mark-connection chain=forward comment=Proxy dst-port=3128 new-connection-mark=CLASS-C protocol=tcp
add action=mark-connection chain=forward comment=HTTP layer7-protocol=http new-connection-mark=CLASS-C protocol=tcp
add action=mark-connection chain=forward comment=HTTPS dst-port=443 new-connection-mark=CLASS-C protocol=tcp
add action=mark-connection chain=forward comment=FTP dst-port=20,21 new-connection-mark=CLASS-C protocol=tcp
add action=mark-connection chain=forward comment=SFTP dst-port=22 new-connection-mark=CLASS-C packet-size=1400-1500 protocol=tcp
add action=mark-connection chain=forward comment=SMTP dst-port=25 new-connection-mark=CLASS-C protocol=tcp
add action=mark-connection chain=forward comment=SMTPS dst-port=465 new-connection-mark=CLASS-C protocol=tcp
add action=mark-connection chain=forward comment=Imap dst-port=143 new-connection-mark=CLASS-C protocol=tcp
add action=mark-connection chain=forward comment=POP3 dst-port=110 new-connection-mark=CLASS-C protocol=tcp
add action=mark-connection chain=forward comment=POP3S dst-port=995 new-connection-mark=CLASS-C protocol=tcp
add action=mark-connection chain=forward comment=IMAPS dst-port=993 new-connection-mark=CLASS-C protocol=tcp
add action=mark-connection chain=forward comment=GIF_FILE layer7-protocol=GIF_FILE new-connection-mark=CLASS-C
add action=mark-connection chain=forward comment=PNG_FILE layer7-protocol=PNG_FILE new-connection-mark=CLASS-C
add action=mark-connection chain=forward comment=CLASS-C-SITES new-connection-mark=CLASS-C src-address-list=CLASS-C-SITES
add action=mark-connection chain=forward comment=CLASS-C-SITES dst-address-list=CLASS-C-SITES new-connection-mark=CLASS-C
add action=mark-connection chain=forward comment="100Kb Connections" connection-bytes=0-100000 new-connection-mark=CLASS-C protocol=tcp
add action=mark-packet chain=forward comment=CLASS-C-GROUP-E-DL connection-mark=CLASS-C dst-address-list=GROUP-E new-packet-mark=CLASS-C-GROUP-E-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-C-GROUP-D-DL connection-mark=CLASS-C dst-address-list=GROUP-D new-packet-mark=CLASS-C-GROUP-D-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-C-GROUP-C-DL connection-mark=CLASS-C dst-address-list=GROUP-C new-packet-mark=CLASS-C-GROUP-C-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-C-GROUP-B-DL connection-mark=CLASS-C dst-address-list=GROUP-B new-packet-mark=CLASS-C-GROUP-B-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-C-GROUP-A-DL connection-mark=CLASS-C dst-address-list=GROUP-A new-packet-mark=CLASS-C-GROUP-A-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-E-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-E-UP \
    src-address-list=GROUP-E
add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-D-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-D-UP \
    src-address-list=GROUP-D
add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-C-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-C-UP \
    src-address-list=GROUP-C
add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-B-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-B-UP \
    src-address-list=GROUP-B
add action=mark-packet chain=prerouting comment=CLASS-C-GROUP-A-UP connection-mark=CLASS-C dst-address-list=!ShaperExclude new-packet-mark=CLASS-C-GROUP-A-UP \
    src-address-list=GROUP-A
add chain=forward comment=CLASS-C disabled=yes
add chain=forward comment=CLASS-B disabled=yes
add action=mark-connection chain=forward comment=ICQ dst-port=5190 new-connection-mark=CLASS-B protocol=tcp
add action=mark-connection chain=forward comment="Mail.ru Agent" dst-port=2041,2042 new-connection-mark=CLASS-B protocol=tcp
add action=mark-connection chain=forward comment=Jabber layer7-protocol=Jabber new-connection-mark=CLASS-B
add action=mark-connection chain=forward comment=IRC dst-port=6667-6669 new-connection-mark=CLASS-B protocol=tcp
add action=mark-connection chain=forward comment=SSH dst-port=22 new-connection-mark=CLASS-B packet-size=0-1400 protocol=tcp
add action=mark-connection chain=forward comment=TELNET dst-port=23 new-connection-mark=CLASS-B protocol=tcp
add action=mark-connection chain=forward comment=SNMP dst-port=161-162 new-connection-mark=CLASS-B protocol=tcp
add action=mark-connection chain=forward comment=PPTP dst-port=1723 new-connection-mark=CLASS-B protocol=tcp
add action=mark-connection chain=forward comment=L2TP dst-port=1701 new-connection-mark=CLASS-B protocol=udp
add action=mark-connection chain=forward comment=GRE new-connection-mark=CLASS-B protocol=gre
add action=mark-connection chain=forward comment=Skype layer7-protocol=Skype new-connection-mark=CLASS-B
add action=mark-connection chain=forward comment=CLASS-B-SITES new-connection-mark=CLASS-B src-address-list=CLASS-B-SITES
add action=mark-connection chain=forward comment=CLASS-B-SITES dst-address-list=CLASS-B-SITES new-connection-mark=CLASS-B
add action=mark-connection chain=forward comment="50Kb Connections" connection-bytes=0-50000 new-connection-mark=CLASS-B protocol=tcp
add action=mark-packet chain=forward comment=CLASS-B-GROUP-E-DL connection-mark=CLASS-B dst-address-list=GROUP-E new-packet-mark=CLASS-B-GROUP-E-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-B-GROUP-D-DL connection-mark=CLASS-B dst-address-list=GROUP-D new-packet-mark=CLASS-B-GROUP-D-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-B-GROUP-C-DL connection-mark=CLASS-B dst-address-list=GROUP-C new-packet-mark=CLASS-B-GROUP-C-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-B-GROUP-B-DL connection-mark=CLASS-B dst-address-list=GROUP-B new-packet-mark=CLASS-B-GROUP-B-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-B-GROUP-A-DL connection-mark=CLASS-B dst-address-list=GROUP-A new-packet-mark=CLASS-B-GROUP-A-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-E-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-E-UP \
    src-address-list=GROUP-E
add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-D-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-D-UP \
    src-address-list=GROUP-D
add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-C-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-C-UP \
    src-address-list=GROUP-C
add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-B-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-B-UP \
    src-address-list=GROUP-B
add action=mark-packet chain=prerouting comment=CLASS-B-GROUP-A-UP connection-mark=CLASS-B dst-address-list=!ShaperExclude new-packet-mark=CLASS-B-GROUP-A-UP \
    src-address-list=GROUP-A
add chain=forward comment=CLASS-B disabled=yes
add chain=forward comment=CLASS-A disabled=yes
add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=tcp src-port=53
add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=tcp
add action=mark-connection chain=forward comment=DNS dst-port=53 new-connection-mark=CLASS-A protocol=udp
add action=mark-connection chain=forward comment=NNTP dst-port=119 new-connection-mark=CLASS-A protocol=tcp
add action=mark-connection chain=forward comment=Winbox dst-port=8291 new-connection-mark=CLASS-A protocol=tcp
add action=mark-connection chain=forward comment=ntp dst-port=123 new-connection-mark=CLASS-A protocol=udp
add action=mark-connection chain=forward comment=VNC dst-port=5900-5901 new-connection-mark=CLASS-A protocol=tcp
add action=mark-connection chain=forward comment=Radmin layer7-protocol=radmin new-connection-mark=CLASS-A
add action=mark-connection chain=forward comment=RDP layer7-protocol=rdp new-connection-mark=CLASS-A
add action=mark-connection chain=forward comment=PING new-connection-mark=CLASS-A protocol=icmp
add action=mark-connection chain=forward comment=CLASS-A-SITES new-connection-mark=CLASS-A src-address-list=CLASS-A-SITES
add action=mark-connection chain=forward comment=CLASS-A-SITES dst-address-list=CLASS-A-SITES new-connection-mark=CLASS-A
add action=mark-connection chain=forward comment="5Kb Connections" connection-bytes=0-5000 new-connection-mark=CLASS-A protocol=tcp
add action=mark-packet chain=forward comment=CLASS-A-GROUP-E-DL connection-mark=CLASS-A dst-address-list=GROUP-E new-packet-mark=CLASS-A-GROUP-E-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-A-GROUP-D-DL connection-mark=CLASS-A dst-address-list=GROUP-D new-packet-mark=CLASS-A-GROUP-D-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-A-GROUP-C-DL connection-mark=CLASS-A dst-address-list=GROUP-C new-packet-mark=CLASS-A-GROUP-C-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-A-GROUP-B-DL connection-mark=CLASS-A dst-address-list=GROUP-B new-packet-mark=CLASS-A-GROUP-B-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=forward comment=CLASS-A-GROUP-A-DL connection-mark=CLASS-A dst-address-list=GROUP-A new-packet-mark=CLASS-A-GROUP-A-DL \
    src-address-list=!ShaperExclude
add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-E-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-E-UP \
    src-address-list=GROUP-E
add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-D-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-D-UP \
    src-address-list=GROUP-D
add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-C-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-C-UP \
    src-address-list=GROUP-C
add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-B-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-B-UP \
    src-address-list=GROUP-B
add action=mark-packet chain=prerouting comment=CLASS-A-GROUP-A-UP connection-mark=CLASS-A dst-address-list=!ShaperExclude new-packet-mark=CLASS-A-GROUP-A-UP \
    src-address-list=GROUP-A
add chain=forward comment=CLASS-A disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for LocalNetwork" out-interface=ether1 src-address=192.168.1.0/27 to-addresses=ether1
add action=masquerade chain=srcnat disabled=yes out-interface=ppp-3G src-address=192.168.1.0/27
# NOTE(review): "NAT for VPN" matches 172.24.98.0/31, but the OpenVPN pool hands out
# .2-.10 and the forward rule allows 172.24.98.0/25 - the three ranges disagree.
add action=masquerade chain=srcnat comment="NAT for VPN" out-interface=ether1 src-address=172.24.98.0/31
add action=netmap chain=dstnat comment="Accept VNC Client" dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=\
    192.168.1.1x to-ports=xxxx
add action=netmap chain=dstnat dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=192.168.1.1x to-ports=xxxx
add action=netmap chain=dstnat comment="Web Rule Torrent" dst-port=xxxx in-interface=ether1 protocol=tcp src-address-list=white_list_permit to-addresses=\
    192.168.1.1x to-ports=xxxx
add action=netmap chain=dstnat comment="Torrent peer" dst-port=xxxx in-interface=ether1 protocol=tcp to-addresses=192.168.1.1x to-ports=xxxx
add action=netmap chain=dstnat comment="Access SPA" disabled=yes dst-port=xxxx protocol=tcp src-address-list=white_list_permit to-addresses=192.168.1.2x \
    to-ports=xxxx
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
# NOTE(review): www (plain HTTP) and api stay enabled; only api has an address
# restriction. www-ssl gets a certificate, but nothing here shows it being enabled -
# confirm, and prefer it over www for any remote administration.
set telnet disabled=yes
set ftp disabled=yes
set www port=8880
set ssh port=8822
set www-ssl certificate=cert_1
set api address=192.168.1.0/24
set api-ssl disabled=yes
/ip upnp interfaces
# NOTE(review): UPnP interfaces are defined; whether UPnP itself is enabled is not
# visible in this export. If it is, LAN hosts can request inbound port mappings that
# are not subject to the white_list_permit restriction on the dstnat rules above.
add interface=bridge-local type=internal
add interface=ether1 type=external
/ppp secret
add name=xxxxxxxxxxxxxxxxxxx
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=ether1 upstream=yes
add interface=bridge-local
/system clock
set time-zone-name=Europe/Moscow
/system clock manual
set dst-delta=+03:00 time-zone=+03:00
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=85.21.78.91 secondary-ntp=91.226.136.139
/system ntp server
set manycast=no
/tool graphing interface
add interface=ether1
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
# NOTE(review): only the mac-server list is restricted to ether2 here; the separate
# mac-winbox list is not in this export - check it is not left at its default on
# interfaces that include ether1.
set [ find default=yes ] disabled=yes
add interface=ether2
/tool sniffer
set file-limit=50000KiB file-name=dnssnif filter-interface=ether1 filter-port=dns
[xxxxxxx@MikroTik] >
Edited October 18, 2015 by K@KTyC Вставить ник Quote Ответить с цитированием Share this post Link to post Share on other sites More sharing options...
pppoetest Posted October 19, 2015 В файерволле слишком много правил.
K@KTyC Posted October 19, 2015 Пробовал отключать все правила файрвола и ната, оставлял лишь маскарадинг. Лучше не стало. Да и при тесте скорости нагрузка на ЦП не больше 25%. При чём тут правила файрвола?
Danila Posted October 19, 2015
> Пробовал отключать все правила файрвола и ната, оставлял лишь маскардинг. Лучше не стало. Да и при тесте скорости нагрузка на ЦП не больше 25%. Причем ту правила файрвола?
Маркировка пакетов — достаточно затратная процедура для процессора. Попробуйте оптимизировать количество маркируемых пакетов.
g3fox Posted October 19, 2015 А оператор точно даёт 70 мбит? Может, вы при тесте без микротика проверяете подключив ПК кабелем, а с микротиком по Wi-Fi? И мне тоже кажется, что у вас слишком накуренный файрвол. Особенно всякие l7-filter.
K@KTyC Posted October 19, 2015 (edited) Да. Точно дает 70 мбит, тестил ноутом — прыгает 68-69 Мбит. Сбросил его в дефолт, настроил только dhcp client (к провайдеру), dhcp server для тестового ПК и маскарадинг NAT — и опять все те же 30. Мысль откатить RouterOS на более раннюю версию, может, в этой глюки, но какую тогда? Edited October 19, 2015 by K@KTyC
guruks Posted October 19, 2015 (edited) Посмотрите ошибки на порту который смотрит на провайдера Edited October 19, 2015 by guruks
K@KTyC Posted October 20, 2015 Простите конечно, я еще не до конца его знаю, это смотрится в общем логе или отдельно? В логе только попытки коннекта с разных ip по 443 порту.
Ivan_83 Posted October 20, 2015 Купи себе асус или зюхел, не парь мозги. А если это типа для учёбы то лучше линух/фря.
darkagent Posted October 21, 2015
> Причем ту правила файрвола?
Достаточно 25 правил, чтоб превратить некротик в тыкву. Инфа с сайта производителя: btw, удивительно, теме 3 дня, а сааб сюда еще не засумонился. сарказм, офк.
Mindaugas Posted October 21, 2015 (edited) В firewall включи только маскарад и фасттрак (снизит нагрузку на CPU). У меня на RB951 150Mbit с 15% CPU. EDIT: Зачем тебе bridge? Edited October 21, 2015 by Mindaugas
K@KTyC Posted October 22, 2015 Через bridge соединены Wi-Fi и Ethernet; подскажите, как по-другому связать — откажусь от бриджа. Фасттрак?
guruks Posted October 22, 2015
> Простите конечно, я еще не до конца его знаю, это смотрится в общем логе или отдельно? В логе только попытки коннекта с разных ip по 443 порту.
Слева меню interfaces --> ethernet --> выбираете порт, к которому подключен провайдер --> закладки RX Stats и TX Stats