Saturday, June 18, 2016

Port mapping

Forward TCP port 9101 on the WAN address to the DVR on the LAN (replace <WAN_IP> and <LOCAL_IP> with your own addresses):

/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forwarding Jovision DVR access" \
    dst-address=<WAN_IP> dst-port=9101 in-interface=WAN protocol=tcp \
    to-addresses=<LOCAL_IP> to-ports=9101

Monday, June 6, 2016

Drop port scanners in Mikrotik

To protect the router from port scanners, we can record the IPs of hosts that scan the box in an address list and then drop every connection from those IPs in /ip firewall filter. The psd matcher used below takes four values, psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight: here a source that hits enough different destination ports within 3 seconds to reach weight 21 (privileged ports count 3, other ports count 1) is added to the list. Note that every rule below is added with disabled=yes; enable them once you have verified that the list does not collect your own hosts.

/ip firewall filter

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="Port scanners to list" disabled=yes

Various combinations of TCP flags can also indicate port scanner activity.
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="NMAP FIN Stealth scan" disabled=yes

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="SYN/FIN scan" disabled=yes

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="SYN/RST scan" disabled=yes

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="FIN/PSH/URG scan" disabled=yes

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="ALL/ALL scan" disabled=yes

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="NMAP NULL scan" disabled=yes

Place the rule below above all the rules listed here, so that a listed address is dropped before it reaches the detection rules again.

add chain=input src-address-list="port_scanners_list" action=drop comment="dropping port scanners" disabled=yes

Similarly, we can drop these port scanners in the forward chain by repeating the above rules with chain=forward.
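As an added Python model (not from the original post, and not RouterOS code) of the two matchers the rules above rely on: tcp_flags_match implements RouterOS tcp-flags semantics and is applied to the page's six flag rules, and port_scan_sources approximates the psd=21,3s,3,1 weighting over constructed connection attempts. The exact psd bookkeeping (which attempts count and when the window resets) is an assumption; the flag semantics are RouterOS's.

```python
"""Port-scanner matchers from the rules above (added example, not RouterOS code)."""

# tcp-flags specs copied from the page's rules, in the page's order
SCAN_RULES = {
    "NMAP FIN Stealth scan": "fin,!syn,!rst,!psh,!ack,!urg",
    "SYN/FIN scan": "fin,syn",
    "SYN/RST scan": "syn,rst",
    "FIN/PSH/URG scan": "fin,psh,urg,!syn,!rst,!ack",
    "ALL/ALL scan": "fin,syn,rst,psh,ack,urg",
    "NMAP NULL scan": "!fin,!syn,!rst,!psh,!ack,!urg",
}

def tcp_flags_match(spec, packet_flags):
    """RouterOS tcp-flags semantics: a bare flag must be set, a '!' flag must
    be clear, and any flag not named in the spec is ignored."""
    for item in spec.split(","):
        if item.startswith("!"):
            if item[1:] in packet_flags:
                return False
        elif item not in packet_flags:
            return False
    return True

def matching_rules(packet_flags):
    """Names of every rule above whose matcher fires for a packet with these flags."""
    flags = set(packet_flags)
    return [name for name, spec in SCAN_RULES.items() if tcp_flags_match(spec, flags)]

def port_scan_sources(attempts, weight=21, delay=3.0, low_weight=3, high_weight=1):
    """Approximation of psd=weight,delay,low_weight,high_weight; the exact
    RouterOS bookkeeping is assumed.  `attempts` are (src, dst_port, seconds)
    new-connection events, in time order per source.  Attempts from one source
    to *different* destination ports, each within `delay` seconds of the previous
    one, add weight (low_weight for ports <= 1024, high_weight above); a source
    whose total reaches `weight` is returned, as add-src-to-address-list would
    list it."""
    state, hits = {}, []              # state: src -> (last_time, ports_seen, total)
    for src, port, now in attempts:
        last, ports, total = state.get(src, (None, set(), 0))
        if last is not None and now - last > delay:
            ports, total = set(), 0           # gap too long: the sequence restarts
        if port not in ports:                 # retries to one port add no weight
            ports.add(port)
            total += low_weight if port <= 1024 else high_weight
        state[src] = (now, ports, total)
        if total >= weight and src not in hits:
            hits.append(src)
    return hits

# Constructed sample: 10.0.0.9 sweeps ports 21-27 within two seconds (7 x 3 = 21)
# while 10.0.0.5 opens three ordinary sessions a minute apart.
SAMPLE_ATTEMPTS = [("10.0.0.9", p, 0.3 * i) for i, p in enumerate(range(21, 28))] + [
    ("10.0.0.5", 443, 0.0), ("10.0.0.5", 80, 60.0), ("10.0.0.5", 443, 120.0)]
```

Note that a packet with every flag set matches the SYN/FIN and SYN/RST rules as well as ALL/ALL, because those two specs do not negate the other flags.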

Sunday, June 5, 2016

Bruteforce login prevention in Mikrotik

Bruteforce login prevention for FTP, SSH, Telnet and Winbox

Please read the article: https://en.wikipedia.org/wiki/Brute-force_attack


# jun/05/2016 19:06:05 by RouterOS 6.35.2
# wahid.telco@gmail.com
#

#########################################
#Bruteforce login prevention for ftp    #
#########################################
/ip firewall filter

add action=drop chain=input comment=\
    "Bruteforce login prevention(ftp: drop ftp brute forcers)" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add chain=output comment="Bruteforce login prevention(ftp: 530 Login incorrect\
    \_to limit dst address)" content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output comment=\
    "Bruteforce login prevention(ftp: 530 Login incorrect to ftp_blacklist)" \
    content="530 Login incorrect" protocol=tcp


#########################################
#Bruteforce login prevention for ssh    #
#########################################
/ip firewall filter

add action=drop chain=input comment=\
    "Bruteforce login prevention(ssh: drop ssh brute forcers)" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=input comment=\
    "Bruteforce login prevention(ssh: stage3 to blacklist)" connection-state=\
    new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1h chain=input comment=\
    "Bruteforce login prevention(ssh: stage2 to stage3)" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(ssh: stage1 to stage2)" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(ssh: stage1)" connection-state=new dst-port=\
    22 protocol=tcp
add action=drop chain=forward comment=\
    "Bruteforce login prevention(ssh: drop ssh brute downstream)" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist


#########################################
#Bruteforce login prevention for Telnet #
#########################################
If you can identify the telnet attacker's IP, add it to an address list and make a firewall rule that drops traffic from that list.

/ip firewall address-list
add list=telnet_droop_list_static address=<ATTACKER_IP> comment="Add telnet attacker to this list"

/ip firewall filter
add action=drop chain=input comment=\
    "Telnet known attacker drop(from address list: telnet_droop_list_static)" \
    dst-port=23 protocol=tcp src-address-list=telnet_droop_list_static

If you use the filter rule above, it must be placed above the rules below. If you don't want it, skip it and copy/paste only the rules below.


/ip firewall filter

add action=drop chain=input comment=\
    "Bruteforce login prevention(Telnet: drop telnet brute forcers)" \
    dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=4w2d chain=input comment=\
    "Bruteforce login prevention(Telnet: stage3 to telnet_blacklist)" \
    connection-state=new dst-port=23 protocol=tcp src-address-list=\
    telnet_stage_3
add action=add-src-to-address-list address-list=telnet_stage_3 \
    address-list-timeout=1h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage2 to stage3)" connection-state=\
    new dst-port=23 protocol=tcp src-address-list=telnet_stage_2
add action=add-src-to-address-list address-list=telnet_stage_2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage1 to stage2)" connection-state=\
    new dst-port=23 protocol=tcp src-address-list=telnet_stage_1
add action=add-src-to-address-list address-list=telnet_stage_1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage1)" connection-state=new \
    dst-port=23 protocol=tcp


#########################################
#Bruteforce login prevention for Winbox #
#########################################
/ip firewall filter
add action=drop chain=input comment=\
    "Bruteforce login prevention(Winbox: drop Winbox brute forcers)" \
    dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=15d chain=input comment=\
    "Bruteforce login prevention(Winbox: stage3 to winbox_blacklist)" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    winbox_stage_3
add action=add-src-to-address-list address-list=winbox_stage_3 \
    address-list-timeout=1m chain=input comment=\
    "Bruteforce login prevention(Winbox: stage2 to stage3)" connection-state=\
    new dst-port=8291 protocol=tcp src-address-list=winbox_stage_2
add action=add-src-to-address-list address-list=winbox_stage_2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(Winbox: stage1 to stage2)" connection-state=\
    new dst-port=8291 protocol=tcp src-address-list=winbox_stage_1
add action=add-src-to-address-list address-list=winbox_stage_1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(Winbox: stage1)" connection-state=new \
    dst-port=8291 protocol=tcp
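To see why each block above is ordered blacklist, stage3, stage2, stage1, here is an added Python simulation (not from the original post, and not RouterOS code) of the SSH rules: rules are evaluated top to bottom, add-src-to-address-list is a passthrough action so evaluation continues, drop terminates, and an entry added by one rule is assumed to be visible to the rules after it in the same pass. The timeouts are the page's; the connection events and the clock are constructed.

```python
"""Simulation of the staged address-list rules above (added example, not RouterOS code)."""

class AddressLists:
    """Named lists of (address -> expiry time), mimicking /ip firewall address-list."""

    def __init__(self):
        self.lists = {}

    def add(self, name, addr, timeout, now):
        self.lists.setdefault(name, {})[addr] = now + timeout   # re-adding refreshes

    def contains(self, name, addr, now):
        return self.lists.get(name, {}).get(addr, -1.0) > now

# The SSH rules from the page, top to bottom, timeouts in seconds.
# ("add", list, timeout, required_list): add-src-to-address-list, matched only
#   when src is already in required_list (None = every new connection matches).
# ("drop", required_list): action=drop src-address-list=required_list.
H = 3600
SSH_RULES = [
    ("drop", "ssh_blacklist"),
    ("add", "ssh_blacklist", 30 * 24 * H, "ssh_stage3"),   # 4w2d
    ("add", "ssh_stage3", 1 * H, "ssh_stage2"),
    ("add", "ssh_stage2", 6 * H, "ssh_stage1"),
    ("add", "ssh_stage1", 12 * H, None),
]

def apply_chain(rules, lists, src, now):
    """Run one new connection from src through the chain and return "drop" or
    "accept".  An add rule is passthrough, so evaluation continues to the next
    rule; a drop rule that matches ends evaluation."""
    for rule in rules:
        if rule[0] == "drop":
            if lists.contains(rule[1], src, now):
                return "drop"
        else:
            _, list_name, timeout, required = rule
            if required is None or lists.contains(required, src, now):
                lists.add(list_name, src, timeout, now)
    return "accept"

def simulate(rules, events):
    """events: (src, seconds) new SSH connections in time order; returns verdicts."""
    lists = AddressLists()
    return [apply_chain(rules, lists, src, t) for src, t in events]

# Constructed events: 203.0.113.7 reconnects every 10 s (a dictionary attack);
# 192.0.2.10 is an admin who logs in four times, 16 hours apart.
FAST = [("203.0.113.7", 10.0 * i) for i in range(6)]
SLOW = [("192.0.2.10", 16 * H * i) for i in range(4)]
```

With the page's order a source needs four new connections inside the stage windows before the fifth is dropped, while the admin's slow logins keep expiring out of stage1; with the order reversed, a single connection cascades through every stage in one pass and is dropped immediately.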

Wednesday, June 1, 2016

Block torrent downloads

Two layer7 patterns are used: one for DNS lookups of torrent sites and one for HTTP GET requests containing those names. Both filter rules are added with disabled=yes; enable them after checking that the patterns do not catch legitimate traffic (they are substring matches, so any name containing one of these words is caught).

/ip firewall layer7-protocol add name=peer_to_peer_dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$" comment="block torrent"

/ip firewall layer7-protocol add name=peer_to_peer_www regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$" comment="block torrent"

/ip firewall filter add chain=forward out-interface=WAN action=drop layer7-protocol=peer_to_peer_dns disabled=yes comment="block torrent"

/ip firewall filter add chain=forward out-interface=WAN action=drop layer7-protocol=peer_to_peer_www disabled=yes comment="block torrent"

You can also follow http://forum.mikrotik.com/viewtopic.php?f=2&t=73462&start=0

Monday, May 30, 2016

How to block website by any name by layer7

How to block a website by any name?

You can try this:
/ip firewall layer7-protocol
add name=prothom regexp="^.+(prothom-alo).*\$"

/ip firewall filter
add action=drop chain=forward layer7-protocol=prothom

Port Number, Protocol Number and Description:

1 — ICMP (Internet Control Message Protocol), used by Ping (Packet Internet Groper)

6 — TCP (Transmission Control Protocol)

7 — Echo (Display the Line of Text)

15 — Netstat (Ip Monitoring)

17 — UDP (User Datagram Protocol)

20 — FTP (File Transfer Protocol) Client

21 — FTP Server

22 — SSH (Secure Shell) (Remote Login)

23 — Telnet (Remote Login)

25 — SMTP (Simple Mail Transfer Protocol) (Incoming Service)

34 — RF (Remote File Transfer)

37 — Timeserver

42 — Name Server or (Wins)

43 — WHOIS

53 — DNS (Domain Name System)

67 — BOOTP (Bootstrap Protocol)

68 — DHCP (Dynamic Host Configuration Protocol)

69 — TFTP (Trivial File Transfer Protocol)

79 — Finger (List the Current User information)

80 — HTTP (Hyper Text Transfer Protocol)

88 — Kerberos (Authentication Protocol)

101 — NIC Host NAME

108 — SNA (IBM System Network Architecture)

109 — POP2 (Post Office Protocol Version2)

110 — POP3 (Post Office Protocol Version3)

111 — Portmap

115 — SFTP (Secure File Transfer Protocol)

118 — SQL (Structured Query Language) Services

119 — NNTP (Network News Transfer Protocol)

123 — NTP (Network Time Protocol)

136 — Profile

137 — NetBIOS Name Service

138 — NetBIOS Datagram Service

139 — NetBIOS Session Service

143 — IMAP (Internet Message Access Protocol)

161 — SNMP (Simple Network Management Protocol)

167 — NMAP (Network Mapper)

174 — Mailq (Mails)

180 — RIS (Remote Installation Service)

223 — IMAP3 (Internet Mail Accessing Protocol)

389 — LDAP (Lightweight Directory Access Protocol)

443 — HTTPS (Hyper Text Transfer Protocol Secure)

500 — IKE (Internet Key Exchange)

514 — Syslog / UDP

515 — Printer (Printing Service)

519 — Uptime (for load average)

520 — RIP Routing Information Protocol

546 — DHCPv6 Client (Dynamic Host Configuration Protocol Version 6)

547 — DHCPv6 Server (Dynamic Host Configuration Protocol Version 6)

565 — Whoami (Present user information)

636 — LDAPS over SSL (Secure Socket Layer)

992 — Telnets over SSL

993 — IMAPS over SSL

995 — POP3S over SSL

2049 — NFS (Network File System in Linux) in Windows GFS (Global File System)

2082 — CPANEL (Web server Third-party Tool)

2095 — CPANEL Webmail

2427 — MGCP (Media Gateway Control Protocol)

3128 — Squid (Proxy) (Firewall Filter)

3268 — AD Global Catalog

3269 — AD Global Catalog over SSL

3306 — MySQL Server

3346 — Transparent proxy

33443 — Traceroute

6000 to 6063 — X Window (Graphical Window)

8080 — Web cache

10000 — Webmin

How to block all website except gmail and ymail by layer7

How to block all websites except gmail and ymail

You can use layer 7 protocols.

For the accept rule:
Name: Accept
regexp=^.+(gmail.com|mail.google.com|yahoo.com|login.yahoo.com|in-mg61.mail.yahoo.com).*$

For the deny rule:
Name: Block
regexp=^.+(.).*$

Two filter rules are needed, in this order:
1. action=accept and L7=Accept
2. action=drop and L7=Block

If you have any trouble understanding this, inbox me :)

Saturday, May 28, 2016

Allowing Specific Ports High Priority over other traffic by simple queue

First we need to mark the traffic. In this example we give SMTP (TCP port 25) high priority.

Here, interface=ether1 is your WAN interface.

/ip firewall mangle add chain=prerouting protocol=tcp port=25 connection-state=new action=mark-connection new-connection-mark="smtp(port25)_connection_mark_high_prio" comment="smtp(port25)_connection_mark_high_prio"

/ip firewall mangle add chain=prerouting connection-mark="smtp(port25)_connection_mark_high_prio" action=mark-packet new-packet-mark="smtp(port25)_packet_mark_high_prio" comment="smtp(port25)_packet_mark_high_prio"

Now we create simple queues: a parent queue for the whole WAN link (a 2 Mbps connection in this example), a child with priority 1 (highest) for the marked SMTP packets and a child with priority 8 (lowest) for all other packets.

/queue simple add name=wan_total_conn_limit interface=ether1 max-limit=2M/2M
/queue simple add name="high_prio_smtp(port25)" interface=ether1 parent=wan_total_conn_limit packet-marks="smtp(port25)_packet_mark_high_prio" priority=1
/queue simple add name=other_prio_low interface=ether1 parent=wan_total_conn_limit priority=8

Now SMTP traffic will get higher priority than other traffic.

Allowing Specific File Extensions High / Limited / Unlimited Bandwidth



For example, you have a network where every user's bandwidth is limited to 256 kbps. Now you want a user who is downloading a .FLV video file to view/download it at unlimited speed regardless of the allowed 256 kbps package. Use the following.

First mark all packets with the .flv extension. (content=flv is a plain substring match on the packet payload, so any connection whose data contains "flv" is marked.)

/ip firewall mangle
add action=mark-connection chain=postrouting comment="Mark Conn for .flv Ext" content=flv disabled=no new-connection-mark=flv-conn passthrough=yes

add action=mark-packet chain=postrouting comment="Mark Pkts for flv-conn Ext" connection-mark=flv-conn disabled=no new-packet-mark=flv passthrough=no


Now create a queue tree and set unlimited or limited bandwidth (or whatever amount you want to allot) for the marked packets:


/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=100M max-limit=100M name=Unlimited-Speed-4-Marked-Pkts packet-mark=flv parent=global-out priority=1 queue=default


You can use the same in reverse to limit the bandwidth of a specific extension type.

Allowing specific extension low priority and other traffic high priority by simple queue

In this example we mark traffic via mangle rules: the .iso extension is marked as low priority traffic, and all other traffic is marked as high priority traffic.

For example, we have 256 kbps internet bandwidth in total and we want .iso downloads to get lower priority than other traffic such as browsing. Use the following.



/ip firewall mangle

add action=mark-connection chain=postrouting comment="Mark Conn for .iso Ext" content=iso disabled=no new-connection-mark=iso-conn passthrough=yes

add action=mark-packet chain=postrouting comment="Mark Pkts for iso-conn Ext" connection-mark=iso-conn disabled=no new-packet-mark=lo-prio-traffic-pkts passthrough=no

add action=mark-connection chain=postrouting comment="Mark Conn for all other traffic" content=!iso disabled=no new-connection-mark=hi-prio-traffic-conn passthrough=yes

add action=mark-packet chain=postrouting comment="Mark Pkts for all other traffic" connection-mark=hi-prio-traffic-conn disabled=no new-packet-mark=hi-prio-traffic-pkts passthrough=no

/queue simple add name=wan_conn_limit interface=ether1 max-limit=256k/256k

/queue simple add name=hi-prio-traffic interface=ether1 parent=wan_conn_limit packet-marks=hi-prio-traffic-pkts priority=1

/queue simple add name=lo-prio-traffic packet-marks=lo-prio-traffic-pkts interface=ether1 parent=wan_conn_limit priority=8

Sunday, May 8, 2016

Limiting each user bandwidth by Simple Queue

We will limit user Wahid to 256kbps.
Let's consider that
IP address of Wahid is 10.0.0.5

/queue simple add name="wahid" target-addresses=10.0.0.5 max-limit=256k/256k

Now we will limit user Muhammad to 512kbps.
Let's consider that
IP address of Muhammad is 10.0.0.6

/queue simple add name="Muhammad" target-addresses=10.0.0.6 max-limit=512k/512k

If you want, you can also set burst limit feature here.

Enjoy.....!

Equal Bandwidth Distribution to unknown number of users using PCQ Simple Queue where WAN bandwidth is known(Best configuration for home/small office use)

We will configure a PCQ simple queue where the WAN bandwidth is known and equal bandwidth is distributed to an unknown number of users.

If you have 512 kbps (known bandwidth) on the WAN interface and you want to share it equally among your LAN users (unknown number): if only one PC (user) is active, that PC gets the full 512 kbps; if 2 PCs are active, 256 kbps each, and so on. This is the best configuration for home/small office use.

Lets consider that,
LAN network: 10.0.0.0/24


Use the following command:


/queue type add name="download_equal" kind=pcq pcq-rate=512k pcq-classifier=dst-address
/queue type add name="upload_equal" kind=pcq pcq-rate=512k pcq-classifier=src-address 
/queue simple add queue=upload_equal/download_equal target-addresses=10.0.0.0/24

Enjoy....!

Friday, May 6, 2016

E-Mail alert on queue tree limit exceeded

I will show you a little RouterOS script that checks a queue and mails you if a queue tree exceeds the limit you set.
For example we have a queue tree that limits the total traffic (upload + download) to 2Mbps.
I want to know whenever this queue exceeds the limit, and the system will send me an email alert.
This is the script; assume the queue tree is named total-traffic. Run it periodically from /system scheduler.

:local checkrate [/queue tree get total-traffic rate]
:local limit 2000000

:if ( $checkrate > $limit ) do={
    :log info ("Queue Exceeded")
    /tool e-mail send server=xxx.xxx.xxx.xxx from="me@myself.com" to="me@myself.com" subject=("Queue Limit Exceeded name=total-traffic") body=("Queue Limit Exceeded name=total-traffic, limit is: " . $limit . ", current rate is: " . $checkrate)
} else={
    :log info ("Queue not Exceeded")
}


Enjoy!