Sep 19 / Greg

Border Router QoS Script For Mikrotik

******UPDATED 1/16/2014 – overall update, V6 support******

******UPDATED 1/17/2014 – added some additional xbox one ports******

I’ve been using a derivative of this script successfully for quite some time now. In the past I’ve charged for it, but since I’ve had so little time for you guys lately I decided to hand this out for free.

So this identifies and marks traffic. It then puts this traffic into different queues and elevates priorities accordingly. It is really tailored for an apartment complex or WISP that serves a lot of standard users. There is a provision in there for elevated customer access too…for those complainers.

It marks and elevates:

  • VoIP
  • VPN
  • Gaming traffic (Xbox network, PS network, Wii, WoW, LoL, etc.)
  • Streaming video (Netflix, YouTube, etc.)
  • HTTP browsing (connections of less than 5MB)
  • Admin protocols (SSH, telnet, etc.)
  • Admin services (DNS, ICMP, etc.)
  • Everything left over is considered scavenge and fights for what’s left.

It does use Layer 7 regex matches for identifying streaming traffic. When this is enabled you will take a performance hit due to the additional processing necessary.

*****THIS IS VERSION 5 of RouterOS*****

    ##Provided by Greg Sowell at Greg Sowell Consulting.
    ###Email: Greg@GregSowell.com HTTP: http://GregSowell.com
    #
    ##The queues are based off of a theoretical 10Mb connection.  In this way you can
    ###use the values as percentages of the whole.  The easiest thing to do is to 
    ###apply the script, then in winbox adjust the values for queue size.
    #
    ##1.1.1.0/29 is your external WAN subnet, replace this.
    ##2.2.2.0/24 is an additional subnet routed to you on the WAN side, replace or remove any lines containing this.
    ##172.22.0.0/16 is listed as your internal subnet and should be modified to fit your environment.
    ##172.22.0.5 is listed as "customer servers".  This is a special queue listed at 10 percent
    ###of the overall bandwidth.  This gives elevated service to any internal customers.  To disable
    ###this functionality, issue the following commands once everything has been put into place:
    ###/ip firewall mangle disable [find comment~"customer-servers"]
    ###/queue tree disable [find name~"customer-servers"]
    ###You can then appropriate the queue bandwidth as you see fit.
    #
    ##You will also want to change the ether1 interface to whatever your WAN interface happens to be.
    #
    ##As always, thank you for your business and thank you for helping to feed my kids :)
     
    #Here's our l7 regex statements:
    /ip firewall layer7-protocol
    add comment="" name=speedtest-servers regexp="^.*(get|GET).+speedtest.*\$"
    add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|i\
        sohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bi\
        tnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
    add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|enter\
        tane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsou\
        p|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
    add comment="" name=netflix regexp="^.*(get|GET).+(netflix).*\$"
    add comment="" name=mp4 regexp="^.*(get|GET).+\\.mp4.*\$"
    add comment="" name=swf regexp="^.*(get|GET).+\\.swf.*\$"
    add comment="" name=flv regexp="^.*(get|GET).+\\.flv.*\$"
    add name=video regexp="^.*(get|GET).+(\\.flv|\\.mp4|netflix|\\.swf).*\$"
     
    #Setting up our address lists
    /ip firewall address-list
    add address=172.22.0.0/16 comment="" disabled=no list=internal-nets
    add address=1.1.1.0/29 comment="" disabled=no list=external-nets
    add address=2.2.2.0/24 comment="" disabled=no list=external-nets
    add address=172.22.0.5 comment="customer 1" disabled=no list=customer-servers
     
    #Mangle identifies our various portions of traffic
    /ip firewall mangle
    add action=mark-packet chain=prerouting comment="internal-traffic packet mark" dst-address-list=\
        internal-nets new-packet-mark=internal-traffic passthrough=no src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="customer-servers-out packet mark" new-packet-mark=\
        customer-servers-out passthrough=no src-address-list=customer-servers
    add action=mark-packet chain=prerouting comment="customer-servers-in packet mark" dst-address-list=\
        customer-servers new-packet-mark=customer-servers-in passthrough=no
    add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" in-interface=ether1 \
        new-packet-mark=admin-in passthrough=no protocol=udp src-port=53
    add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" dst-port=161 \
        in-interface=ether1 new-packet-mark=admin-in passthrough=no protocol=udp
    add action=mark-connection chain=prerouting comment="Remote Protocols admin connection mark" \
        new-connection-mark=admin port=20,21,22,23,3389,8291 protocol=tcp
    add action=mark-connection chain=prerouting comment="icmp connection mark as admin" \
        new-connection-mark=admin protocol=icmp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="admin-in packet mark" connection-mark=admin \
        in-interface=ether1 new-packet-mark=admin-in passthrough=no
    add action=mark-packet chain=prerouting comment="admin-out packet mark" connection-mark=admin \
        new-packet-mark=admin-out passthrough=no
    add action=mark-connection chain=prerouting comment="streaming video connection mark" dst-port=80 \
        layer7-protocol=video new-connection-mark=streaming-video protocol=tcp src-address-list=\
        internal-nets
    add action=mark-packet chain=prerouting comment="streaming video in packet mark" connection-mark=\
        streaming-video in-interface=ether1 new-packet-mark=streaming-video-in passthrough=no
    add action=mark-packet chain=prerouting comment="streaming video out packet mark" connection-mark=\
        streaming-video new-packet-mark=streaming-video-out passthrough=no
    add action=mark-connection chain=prerouting comment="http traffic connection mark" dst-port=80,443 \
        new-connection-mark=http protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="http traffic connection mark" \
        connection-bytes=5000000-4294967295 dst-port=80,443 new-connection-mark=http-download protocol=\
        tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="http in packet mark" connection-mark=http \
        in-interface=ether1 new-packet-mark=http-in passthrough=no
    add action=mark-packet chain=prerouting comment="http out packet mark" connection-mark=http \
        new-packet-mark=http-out passthrough=no
    add action=mark-connection chain=prerouting comment="wow connection mark as gaming" dst-port=\
        1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games protocol=tcp src-address-list=\
        internal-nets
    add action=mark-connection chain=prerouting comment="eve online connection mark as gaming" \
        dst-address=87.237.38.200 new-connection-mark=games src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="starcraft 2 connection mark as gaming" \
        dst-port=1119 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="heroes of newerth connection mark as gaming" \
        dst-port=11031,11235-11335 new-connection-mark=games protocol=tcp src-address-list=\
        internal-nets
    add action=mark-connection chain=prerouting comment="steam connection mark as gaming" dst-port=\
        27014-27050 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="xbox live connection mark as gaming" dst-port=\
        3074 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="ps3 online connection mark as gaming" dst-port=\
        5223 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="wii online connection mark as gaming" dst-port=\
        28910,29900,29901,29920 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="games packet mark forever-saken-game" \
        dst-address-list=external-nets new-packet-mark=games-in passthrough=no src-address-list=\
        forever-saken-game
    add action=mark-packet chain=prerouting comment="games packet mark wow" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=53,3724
    add action=mark-packet chain=prerouting comment="games packet mark starcraft2" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
    add action=mark-packet chain=prerouting comment="games packet mark HoN" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=11031,11235-11335
    add action=mark-packet chain=prerouting comment="games packet mark steam in" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no port=4380,28960,27000-27030 protocol=udp
    add action=mark-packet chain=prerouting comment="games packet mark steam out" dst-port=\
        53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 new-packet-mark=games-out \
        passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="games packet mark xbox live" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=88,3074,3544,4500
    add action=mark-packet chain=prerouting comment="games packet mark ps3 online" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=3478,3479,3658
    add action=mark-packet chain=prerouting comment="games packet mark in" connection-mark=games \
        dst-address-list=external-nets new-packet-mark=games-in passthrough=no
    add action=mark-packet chain=prerouting comment="games packet mark out" connection-mark=games \
        new-packet-mark=games-out passthrough=no
    add action=mark-packet chain=prerouting comment="voip-in packet mark teamspeak" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
    add action=mark-packet chain=prerouting comment="voip-out packet mark teamspeak" dst-port=9987 \
        new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
    add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 \
        new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
    add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 \
        new-packet-mark=voip-out passthrough=no protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" dst-address-list=\
        internal-nets new-packet-mark=voip-in passthrough=no port=5060 protocol=tcp
    add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" new-packet-mark=voip-out \
        passthrough=no port=5060 protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" dst-address-list=\
        internal-nets new-packet-mark=voip-in passthrough=no port=5004,5060 protocol=udp
    add action=mark-packet chain=prerouting comment="voip-out packet mark udp SIP" new-packet-mark=\
        voip-out passthrough=no port=5004,5060 protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" dst-address-list=\
        internal-nets new-packet-mark=voip-in packet-size=100-400 passthrough=no port=16348-32768 \
        protocol=udp
    add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-out \
        packet-size=100-400 passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=gre
    add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" new-packet-mark=vpn-out \
        passthrough=no protocol=gre
    add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=ipsec-esp
    add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" new-packet-mark=vpn-out \
        passthrough=no protocol=ipsec-esp
    add action=mark-packet chain=prerouting comment="vpn-in packet mark VPN UDP ports" in-interface=\
        ether1 new-packet-mark=vpn-in passthrough=no protocol=udp src-port=500,1701,4500
    add action=mark-packet chain=prerouting comment="vpn-out packet mark VPN UDP ports" \
        new-packet-mark=vpn-out passthrough=no protocol=udp src-port=500,1701,4500
    add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=tcp src-port=1723
    add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" dst-port=1723 \
        new-packet-mark=vpn-out passthrough=no protocol=tcp
    add action=mark-packet chain=prerouting comment="all in" in-interface=ether1 new-packet-mark=in \
        passthrough=no
    add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out passthrough=no
     
    #We now start setting up our queues
    /queue type
    add kind=pfifo name=streaming-video-in pfifo-limit=500
    add kind=pcq name=games-in-pcq pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 \
        pcq-limit=50 pcq-rate=100k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=750000
    /queue tree
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
        max-limit=10M name=in parent=global-in priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
        max-limit=10M name=out parent=global-in priority=8 queue=default
    add limit-at=3M max-limit=10M name=http-in packet-mark=http-in parent=in priority=4 queue=default
    add limit-at=4M max-limit=10M name=streaming-video-in packet-mark=streaming-video-in parent=in \
        priority=3 queue=streaming-video-in
    add limit-at=500k max-limit=10M name=gaming-in packet-mark=games-in parent=in priority=2 queue=\
        games-in-pcq
    add max-limit=10M name=download-in packet-mark=in parent=in queue=default
    add max-limit=10M name=upload-out packet-mark=out parent=out queue=default
    add limit-at=500k max-limit=10M name=gaming-out packet-mark=games-out parent=out priority=2 queue=\
        default
    add limit-at=3M max-limit=10M name=http-out packet-mark=http-out parent=out priority=4 queue=default
    add limit-at=4M max-limit=10M name=streaming-video-out packet-mark=streaming-video-out parent=out \
        priority=3 queue=default
    add limit-at=1M max-limit=10M name=customer-servers-in packet-mark=customer-servers-in parent=in \
        priority=1 queue=default
    add limit-at=1M max-limit=10M name=customer-servers-out packet-mark=customer-servers-out parent=out \
        priority=1 queue=default
    add limit-at=500k max-limit=10M name=voip-in packet-mark=voip-in parent=in priority=1 queue=default
    add limit-at=500k max-limit=10M name=vpn-in packet-mark=vpn-in parent=in priority=2 queue=default
    add limit-at=500k max-limit=10M name=voip-out packet-mark=voip-out parent=out priority=1 queue=\
        default
    add limit-at=500k max-limit=10M name=vpn-out packet-mark=vpn-out parent=out priority=2 queue=default
    add limit-at=500k max-limit=10M name=admin-in packet-mark=admin-in parent=in priority=1 queue=default
    add limit-at=500k max-limit=10M name=admin-out packet-mark=admin-out parent=out priority=1 queue=\
        default
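As an added example (not part of Greg's script), here is a small Python checker for the export syntax used above: it joins the `\` continuation lines, reads the key=value pairs, and cross-checks the mangle rules against what the export actually defines, which is where a QoS design usually breaks silently (a packet mark sending traffic to the wrong direction's queue, an address list that was never created, a connection mark nothing sets). The embedded export is a constructed excerpt, with one "-out" rule deliberately carrying an "-in" mark so the check has something to report.

```python
import re
import shlex

# Constructed excerpt in RouterOS export syntax (not the full script): two address
# lists, a few mangle rules, and one "-out" rule whose packet mark says "-in".
SAMPLE_EXPORT = r"""
/ip firewall address-list
add address=172.22.0.0/16 comment="" disabled=no list=internal-nets
add address=1.1.1.0/29 comment="" disabled=no list=external-nets
/ip firewall mangle
add action=mark-connection chain=prerouting comment="steam connection mark as gaming" dst-port=\
    27014-27050 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="games packet mark forever-saken-game" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=no src-address-list=\
    forever-saken-game
add action=mark-packet chain=prerouting comment="games packet mark in" connection-mark=games \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=no
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" dst-address-list=\
    internal-nets new-packet-mark=voip-in packet-size=100-400 passthrough=no port=16348-32768 \
    protocol=udp
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-in \
    packet-size=100-400 passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" connection-mark=admin \
    in-interface=ether1 new-packet-mark=admin-in passthrough=no
"""


def parse_export(text):
    """Turn an export into a list of (section, {key: value}) entries, one per `add`."""
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # trailing backslash: command continues on next line
            pending += line[:-1]
            continue
        commands.append(pending + line)
        pending = ""
    section, entries = None, []
    for cmd in commands:
        if cmd.startswith("/"):          # a menu path such as /ip firewall mangle
            section = cmd
        elif cmd.startswith("add "):
            props = {}
            for token in shlex.split(cmd[4:]):   # shlex strips the quotes around comments
                key, _, value = token.partition("=")
                props[key] = value
            entries.append((section, props))
    return entries


def lint(entries):
    """Cross-check the mangle rules against the rest of the export.
    Returns (comment, check, detail) tuples; an empty list means nothing was found."""
    findings = []
    lists = {p["list"] for s, p in entries if s == "/ip firewall address-list"}
    mangle = [p for s, p in entries if s == "/ip firewall mangle"]
    cmarks = {p["new-connection-mark"] for p in mangle if "new-connection-mark" in p}
    for p in mangle:
        comment, mark = p.get("comment", ""), p.get("new-packet-mark", "")
        # Direction named in the comment ("voip-out ...", "... steam in") versus the
        # suffix of the packet mark actually applied.  A mismatch quietly sends the
        # traffic to the other direction's queue while the rule counters look healthy.
        said = re.search(r"\b(in|out)\b", comment)
        got = re.search(r"(?:^|-)(in|out)$", mark)
        if said and got and said.group(1) != got.group(1):
            findings.append((comment, "direction", f"comment says {said.group(1)}, mark is {mark}"))
        # An address list that is matched but never created matches nothing at all.
        for key in ("src-address-list", "dst-address-list"):
            if key in p and p[key] not in lists:
                findings.append((comment, "address-list", f"{key}={p[key]} is never defined"))
        # A connection mark nobody sets means the packet-mark rule is dead.
        if "connection-mark" in p and p["connection-mark"] not in cmarks:
            findings.append((comment, "connection-mark", f"{p['connection-mark']} is never set"))
    return findings


if __name__ == "__main__":
    for comment, check, detail in lint(parse_export(SAMPLE_EXPORT)):
        print(f"[{check}] {comment}: {detail}")
```

Paste the output of `/ip firewall export` in place of the sample to run the same checks against a live router's configuration.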

*****THIS IS VERSION 6 of RouterOS*****

    ##Provided by Greg Sowell at Greg Sowell Consulting.
    ###Email: Greg@GregSowell.com HTTP: http://GregSowell.com
    #
    ##The queues are based off of a theoretical 10Mb connection.  In this way you can
    ###use the values as percentages of the whole.  The easiest thing to do is to 
    ###apply the script, then in winbox adjust the values for queue size.
    #
    ##1.1.1.0/29 is your external WAN subnet, replace this.
    ##2.2.2.0/24 is an additional subnet routed to you on the WAN side, replace or remove any lines containing this.
    ##172.22.0.0/16 is listed as your internal subnet and should be modified to fit your environment.
    ##172.22.0.5 is listed as "customer servers".  This is a special queue listed at 10 percent
    ###of the overall bandwidth.  This gives elevated service to any internal customers.  To disable
    ###this functionality, issue the following commands once everything has been put into place:
    ###/ip firewall mangle disable [find comment~"customer-servers"]
    ###/queue tree disable [find name~"customer-servers"]
    ###You can then appropriate the queue bandwidth as you see fit.
    #
    ##You will also want to change the ether1 interface to whatever your WAN interface happens to be.
    #
    ##As always, thank you for your business and thank you for helping to feed my kids :)
     
    #Here's our l7 regex statements:
    /ip firewall layer7-protocol
    add comment="" name=speedtest-servers regexp="^.*(get|GET).+speedtest.*\$"
    add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|i\
        sohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bi\
        tnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
    add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|enter\
        tane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsou\
        p|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
    add comment="" name=netflix regexp="^.*(get|GET).+(netflix).*\$"
    add comment="" name=mp4 regexp="^.*(get|GET).+\\.mp4.*\$"
    add comment="" name=swf regexp="^.*(get|GET).+\\.swf.*\$"
    add comment="" name=flv regexp="^.*(get|GET).+\\.flv.*\$"
    add name=video regexp="^.*(get|GET).+(\\.flv|\\.mp4|netflix|\\.swf).*\$"
     
    #Setting up our address lists
    /ip firewall address-list
    add address=172.22.0.0/16 comment="" disabled=no list=internal-nets
    add address=1.1.1.0/29 comment="" disabled=no list=external-nets
    add address=2.2.2.0/24 comment="" disabled=no list=external-nets
    add address=172.22.0.5 comment="customer 1" disabled=no list=customer-servers
     
    #Mangle identifies our various portions of traffic
    /ip firewall mangle
    add action=mark-packet chain=prerouting comment="internal-traffic packet mark" dst-address-list=\
        internal-nets new-packet-mark=internal-traffic passthrough=no src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="customer-servers-out packet mark" new-packet-mark=\
        customer-servers-out passthrough=no src-address-list=customer-servers
    add action=mark-packet chain=prerouting comment="customer-servers-in packet mark" dst-address-list=\
        customer-servers new-packet-mark=customer-servers-in passthrough=no
    add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" in-interface=ether1 \
        new-packet-mark=admin-in passthrough=no protocol=udp src-port=53
    add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" dst-port=161 \
        in-interface=ether1 new-packet-mark=admin-in passthrough=no protocol=udp
    add action=mark-connection chain=prerouting comment="Remote Protocols admin connection mark" \
        new-connection-mark=admin port=20,21,22,23,3389,8291 protocol=tcp
    add action=mark-connection chain=prerouting comment="icmp connection mark as admin" \
        new-connection-mark=admin protocol=icmp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="admin-in packet mark" connection-mark=admin \
        in-interface=ether1 new-packet-mark=admin-in passthrough=no
    add action=mark-packet chain=prerouting comment="admin-out packet mark" connection-mark=admin \
        new-packet-mark=admin-out passthrough=no
    add action=mark-connection chain=prerouting comment="streaming video connection mark" dst-port=80 \
        layer7-protocol=video new-connection-mark=streaming-video protocol=tcp src-address-list=\
        internal-nets
    add action=mark-packet chain=prerouting comment="streaming video in packet mark" connection-mark=\
        streaming-video in-interface=ether1 new-packet-mark=streaming-video-in passthrough=no
    add action=mark-packet chain=prerouting comment="streaming video out packet mark" connection-mark=\
        streaming-video new-packet-mark=streaming-video-out passthrough=no
    add action=mark-connection chain=prerouting comment="http traffic connection mark" dst-port=80,443 \
        new-connection-mark=http protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="http traffic connection mark" \
        connection-bytes=5000000-4294967295 dst-port=80,443 new-connection-mark=http-download protocol=\
        tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="http in packet mark" connection-mark=http \
        in-interface=ether1 new-packet-mark=http-in passthrough=no
    add action=mark-packet chain=prerouting comment="http out packet mark" connection-mark=http \
        new-packet-mark=http-out passthrough=no
    add action=mark-connection chain=prerouting comment="wow connection mark as gaming" dst-port=\
        1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games protocol=tcp src-address-list=\
        internal-nets
    add action=mark-connection chain=prerouting comment="eve online connection mark as gaming" \
        dst-address=87.237.38.200 new-connection-mark=games src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="starcraft 2 connection mark as gaming" \
        dst-port=1119 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="heroes of newerth connection mark as gaming" \
        dst-port=11031,11235-11335 new-connection-mark=games protocol=tcp src-address-list=\
        internal-nets
    add action=mark-connection chain=prerouting comment="steam connection mark as gaming" dst-port=\
        27014-27050 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="xbox live connection mark as gaming" dst-port=\
        3074 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="ps3 online connection mark as gaming" dst-port=\
        5223 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="wii online connection mark as gaming" dst-port=\
        28910,29900,29901,29920 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="games packet mark forever-saken-game" \
        dst-address-list=external-nets new-packet-mark=games-in passthrough=no src-address-list=\
        forever-saken-game
    add action=mark-packet chain=prerouting comment="games packet mark wow" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=53,3724
    add action=mark-packet chain=prerouting comment="games packet mark starcraft2" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
    add action=mark-packet chain=prerouting comment="games packet mark HoN" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=11031,11235-11335
    add action=mark-packet chain=prerouting comment="games packet mark steam in" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no port=4380,28960,27000-27030 protocol=udp
    add action=mark-packet chain=prerouting comment="games packet mark steam out" dst-port=\
        53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 new-packet-mark=games-out \
        passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="games packet mark xbox live" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=88,3074,3544,4500
    add action=mark-packet chain=prerouting comment="games packet mark ps3 online" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=3478,3479,3658
    add action=mark-packet chain=prerouting comment="games packet mark in" connection-mark=games \
        dst-address-list=external-nets new-packet-mark=games-in passthrough=no
    add action=mark-packet chain=prerouting comment="games packet mark out" connection-mark=games \
        new-packet-mark=games-out passthrough=no
    add action=mark-packet chain=prerouting comment="voip-in packet mark teamspeak" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
    add action=mark-packet chain=prerouting comment="voip-out packet mark teamspeak" dst-port=9987 \
        new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
    add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 \
        new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
    add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 \
        new-packet-mark=voip-out passthrough=no protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" dst-address-list=\
        internal-nets new-packet-mark=voip-in passthrough=no port=5060 protocol=tcp
    add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" new-packet-mark=voip-out \
        passthrough=no port=5060 protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" dst-address-list=\
        internal-nets new-packet-mark=voip-in passthrough=no port=5004,5060 protocol=udp
    add action=mark-packet chain=prerouting comment="voip-out packet mark udp SIP" new-packet-mark=\
        voip-out passthrough=no port=5004,5060 protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" dst-address-list=\
        internal-nets new-packet-mark=voip-in packet-size=100-400 passthrough=no port=16348-32768 \
        protocol=udp
    add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-out \
        packet-size=100-400 passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=gre
    add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" new-packet-mark=vpn-out \
        passthrough=no protocol=gre
    add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=ipsec-esp
    add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" new-packet-mark=vpn-out \
        passthrough=no protocol=ipsec-esp
    add action=mark-packet chain=prerouting comment="vpn-in packet mark VPN UDP ports" in-interface=\
        ether1 new-packet-mark=vpn-in passthrough=no protocol=udp src-port=500,1701,4500
    add action=mark-packet chain=prerouting comment="vpn-out packet mark VPN UDP ports" \
        new-packet-mark=vpn-out passthrough=no protocol=udp src-port=500,1701,4500
    add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=tcp src-port=1723
    add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" new-packet-mark=vpn-out \
        passthrough=no protocol=tcp src-port=1723
    add action=mark-packet chain=prerouting comment="all in" in-interface=ether1 new-packet-mark=in \
        passthrough=no
    add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out passthrough=no
     
    #We now start setting up our queues
    /queue type
    add kind=pfifo name=streaming-video-in pfifo-limit=500
    add kind=pcq name=games-in-pcq pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
        pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 \
        pcq-rate=100k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=750000
    #Parent queues: each queue-tree name may only be defined once, so "in" and "out" are
    #created here a single time (a second "add" with the same name fails on import)
    /queue tree
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
        max-limit=10M name=in parent=global priority=8 queue=default
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
        max-limit=10M name=out parent=global priority=8 queue=default
    add limit-at=3M max-limit=10M name=http-in packet-mark=http-in parent=in priority=4 queue=default
    add limit-at=4M max-limit=10M name=streaming-video-in packet-mark=streaming-video-in parent=in \
        priority=3 queue=streaming-video-in
    add limit-at=500k max-limit=10M name=gaming-in packet-mark=games-in parent=in priority=2 queue=\
        games-in-pcq
    add max-limit=10M name=download-in packet-mark=in parent=in queue=default
    add max-limit=10M name=upload-out packet-mark=out parent=out queue=default
    add limit-at=500k max-limit=10M name=gaming-out packet-mark=games-out parent=out priority=2 queue=\
        default
    add limit-at=3M max-limit=10M name=http-out packet-mark=http-out parent=out priority=4 queue=default
    add limit-at=4M max-limit=10M name=streaming-video-out packet-mark=streaming-video-out parent=out \
        priority=3 queue=default
    add limit-at=1M max-limit=10M name=customer-servers-in packet-mark=customer-servers-in parent=in \
        priority=1 queue=default
    add limit-at=1M max-limit=10M name=customer-servers-out packet-mark=customer-servers-out parent=out \
        priority=1 queue=default
    add limit-at=500k max-limit=10M name=voip-in packet-mark=voip-in parent=in priority=1 queue=default
    add limit-at=500k max-limit=10M name=vpn-in packet-mark=vpn-in parent=in priority=2 queue=default
    add limit-at=500k max-limit=10M name=voip-out packet-mark=voip-out parent=out priority=1 queue=\
        default
    add limit-at=500k max-limit=10M name=vpn-out packet-mark=vpn-out parent=out priority=2 queue=default
    add limit-at=500k max-limit=10M name=admin-in packet-mark=admin-in parent=in priority=1 queue=default
    add limit-at=500k max-limit=10M name=admin-out packet-mark=admin-out parent=out priority=1 queue=\
        default

    I’m a fan of queue trees. I like them because they are so easy to read, and (in version 6) they let you use simple queues alongside them without issue.

    You must remember that QoS doesn’t reorder packets. It simply gives preference to certain marked traffic. Another note is that QoS has zero effect on your traffic until you are in a congestion situation. Until the matched traffic hits that “max-limit”, it doesn’t do anything.

    There are some additional modifications you can use, like setting up a PCQ on the streaming video queue. This lets you limit individual customers so they can only stream at certain resolutions (this can be a life saver).
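    One way to do that, as an added example rather than a piece of the script above: replace the pfifo queue type on the streaming-video-in leaf with a PCQ keyed on destination address, so every customer host gets its own sub-queue capped at a fixed rate. The queue-tree name and packet mark are the ones the script uses; the 3M per-host rate and the 2000-packet total limit are assumptions, so pick values that fit your link.

    ```routeros
    # Added example, not part of the original script.
    # Per-customer PCQ for inbound streaming video: one sub-queue per destination
    # host (/32 for IPv4, /64 for IPv6), each capped at pcq-rate. The cap is
    # assumed (3M); adaptive players will step down to a bitrate that fits it.
    /queue type
    add kind=pcq name=streaming-video-in-pcq pcq-classifier=dst-address \
        pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-rate=3M \
        pcq-limit=50 pcq-total-limit=2000 pcq-burst-rate=0 pcq-burst-threshold=0 \
        pcq-burst-time=10s

    # Point the existing streaming-video-in leaf at the new queue type instead of
    # the pfifo it was created with; packet-mark and parent stay as in the script.
    /queue tree
    set [ find name=streaming-video-in ] queue=streaming-video-in-pcq
    ```

    Note the difference from the priority scheme: the parent max-limit only bites under congestion, but pcq-rate is enforced on every sub-queue all the time, so a customer is held to 3M for video even on an idle link. Watch the streaming-video-in leaf's dropped counter after the change; if it climbs steadily, raise pcq-limit before raising pcq-rate.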

    I’ve noticed that around 70% or better of all traffic is streaming video; so be sure to pay special attention to it.

    I’m hastily throwing this up here, so I’ll come back and add some additional notes and supporting material…at some point. Until then if you have some additional services/L7 I should add, drop me a comment and I’ll update the doc.

    If you enjoy the script, take a few seconds to drop me a comment.

    17 Comments

    1. Bobby Lacey / Sep 19 2013

      Thanks Greg! Really appreciate this script!

    2. Greg / Sep 20 2013

      @Bobby
      NP sir, glad to help 🙂

    3. techieg33k / Oct 14 2013

      Awesome! I have a quick-config script setup for our techs and will be adding this into it so that priorities are much better for our customers. Thank you very much and trust me your contribution info will stay fully intact!
      Looking forward to any other changes you do.

    4. Cullen Lorsung / Nov 3 2013

      I am trying to match packets for streaming traffic from http://www.twitch.tv. I can sort of do it by guessing massive IP ranges, but that seems somewhat lame. All I really care about is the streams themselves, and after looking at some packet captures, I thought this should cover just about everything I needed:

      ^.*((video|media)\d+(\-\d+)?\.(\w{2,}\d\.)?((\w{2,})\.)?(twitch|justin)\..*|(twitch.map.fastly.net))$

      But I get nothing. Any experience with this, or thoughts on where I’m going wrong?

      Thanks!

    5. Ivanof / Nov 8 2013

      Thanks, Greg. Really appreciate it. Please go on with that kind of useful stuff.

      Regards,

      Img

    6. TheHox / Nov 26 2013

      Thanks Greg, installed this today.

      Also an update to the XBOX ports, with the new “XBOX ONE” that was just released.

      Xbox Live requires the following ports to be open:

      Port 88 (UDP)
      Port 3074 (UDP and TCP)
      Port 53 (UDP and TCP)
      Port 80 (TCP)
      Port 500 (UDP)
      UDP Port 3544 (UDP)
      UDP Port 4500 (UDP)
      http://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live

    7. roger wilco / Dec 10 2013

      thanks for sharing, greg.

    8. TouchOfSleep / Dec 11 2013

      Nice script. I will try it.
      Thanks

    9. ANTHOINE Andy / Dec 18 2013

      First, I would like to tell you that I’m a big fan of your website man 🙂

      Thanks for the script, it was pretty interesting because I’m actually implementing that kind of QoS in my company.

      Have a good day

    10. reea / Dec 29 2013

      Great site Greg, I am new with Mikrotik and I need all kinds of information to learn. So thanks for sharing your knowledge.

    11. Darren / Jan 17 2014

      Excellent update, thanks again!

      One thing: the amended ROS 6.x version sets up the in/out queues in lines 172-176 with the ‘global’ parent, and then tries to create them again in lines 178-9 with a parent of ‘global-in’ which doesn’t exist any longer in 6.x

    12. Greg / Jan 17 2014

      @Darren
      I fat fingered it from the copy/paste. Updated, thanks!

    13. RealPilot / Jan 19 2014

      Greg,

      Thanks for this. I have a wireless hotspot setup in an office building with multiple mikrotik waps and a mikrotik router. Should this be loaded on the waps, or just the router and simple pcq added to the waps?

    14. Greg / Jan 21 2014

      @Pilot
      If your network bottleneck is at the border, then just put it there.

    15. skoenman / Jan 28 2014

      Hey Greg, I have a lot of game ports set up on my router. If you want I can send them to you and you can add them???

    16. Greg / Jan 28 2014

      @Skoenman
      Hook us up!

    17. Juan Manuel / Mar 5 2014

      Excellent work!! Thanks for sharing it and keeping it updated!!
      Regards
