Border Router QoS Script For Mikrotik
******UPDATED 1/16/2014 – overall update, V6 support******
******UPDATED 1/17/2014 – added some additional xbox one ports******
I’ve been using a derivative of this script successfully for quite some time now. In the past I’ve charged for it, but since I’ve had so little time for you guys lately I decided to hand this out for free.
So this identifies and marks traffic. It then puts this traffic into different queues and elevates priorities accordingly. It is really tailored for an apartment complex or WISP that serves a lot of standard users. There is a provision in there for elevated customer access too…for those complainers.
It marks and elevates:
Everything left over is considered scavenge and fights for what’s left.
It does use Layer 7 regex matches for identifying streaming traffic. When this is enabled you will take a performance hit, because every matching packet has to be inspected by the regex engine.
*****THIS IS VERSION 5 of RouterOS*****
```
##Provided by Greg Sowell at Greg Sowell Consulting.
###Email: [email protected] HTTP: http://GregSowell.com
#
##The queues are based off of a theoretical 10Mb connection. In this way you can
###use the values as percentages of the whole. The easiest thing to do is to
###apply the script, then in winbox adjust the values for queue size.
#
##1.1.1.0/29 is your external WAN subnet, replace this.
##2.2.2.0/24 is an additional subnet routed to you on the WAN side, replace or remove any lines containing this.
##172.22.0.0/16 is listed as your internal subnet and should be modified to fit your environment.
##172.22.0.5 is listed as "customer servers". This is a special queue listed at 10 percent
###of the overall bandwidth. This gives elevated service to any internal customers. To disable
###this functionality, issue the following commands once everything has been put into place:
###/ip firewall mangle dis 2,3
###/queue tree dis 8,9
###You can then appropriate the queue bandwidth as you see fit.
#
##You will also want to change the ether1 interface to whatever your WAN interface happens to be.
#
##As always, thank you for your business and thank you for helping to feed my kids :)

#Here's our l7 regex statements:
/ip firewall layer7-protocol
add comment="" name=speedtest-servers regexp="^.*(get|GET).+speedtest.*\$"
add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add comment="" name=netflix regexp="^.*(get|GET).+(netflix).*\$"
add comment="" name=mp4 regexp="^.*(get|GET).+\\.mp4.*\$"
add comment="" name=swf regexp="^.*(get|GET).+\\.swf.*\$"
add comment="" name=flv regexp="^.*(get|GET).+\\.flv.*\$"
add name=video regexp="^.*(get|GET).+(\\.flv|\\.mp4|netflix|\\.swf).*\$"

#Setting up our address lists
/ip firewall address-list
add address=172.22.0.0/16 comment="" disabled=no list=internal-nets
add address=1.1.1.0/29 comment="" disabled=no list=external-nets
add address=2.2.2.0/24 comment="" disabled=no list=external-nets
add address=172.22.0.5 comment="customer 1" disabled=no list=customer-servers

#Mangle identifies our various portions of traffic
#All marks are set in prerouting with passthrough=no, so the first matching rule wins; order matters.
/ip firewall mangle
#LAN-to-LAN traffic is marked first so it never counts against the WAN queues
add action=mark-packet chain=prerouting comment="internal-traffic packet mark" dst-address-list=internal-nets new-packet-mark=internal-traffic passthrough=no src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="customer-servers-out packet mark" new-packet-mark=customer-servers-out passthrough=no src-address-list=customer-servers
add action=mark-packet chain=prerouting comment="customer-servers-in packet mark" dst-address-list=customer-servers new-packet-mark=customer-servers-in passthrough=no
#Admin/management traffic: DNS and SNMP replies from the WAN, remote-access protocols, ICMP
add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" in-interface=ether1 new-packet-mark=admin-in passthrough=no protocol=udp src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" dst-port=161 in-interface=ether1 new-packet-mark=admin-in passthrough=no protocol=udp
add action=mark-connection chain=prerouting comment="Remote Protocols admin connection mark" new-connection-mark=admin port=20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment="icmp connection mark as admin" new-connection-mark=admin protocol=icmp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" connection-mark=admin in-interface=ether1 new-packet-mark=admin-in passthrough=no
add action=mark-packet chain=prerouting comment="admin-out packet mark" connection-mark=admin new-packet-mark=admin-out passthrough=no
#Streaming video is identified by the L7 "video" regex on port 80, then the whole connection is marked
add action=mark-connection chain=prerouting comment="streaming video connection mark" dst-port=80 layer7-protocol=video new-connection-mark=streaming-video protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="streaming video in packet mark" connection-mark=streaming-video in-interface=ether1 new-packet-mark=streaming-video-in passthrough=no
add action=mark-packet chain=prerouting comment="streaming video out packet mark" connection-mark=streaming-video new-packet-mark=streaming-video-out passthrough=no
#HTTP/HTTPS; connections over 5MB are re-marked http-download, which no queue claims, so they fall to the scavenge class
add action=mark-connection chain=prerouting comment="http traffic connection mark" dst-port=80,443 new-connection-mark=http protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="http download connection mark (over 5MB)" connection-bytes=5000000-4294967295 dst-port=80,443 new-connection-mark=http-download protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="http in packet mark" connection-mark=http in-interface=ether1 new-packet-mark=http-in passthrough=no
add action=mark-packet chain=prerouting comment="http out packet mark" connection-mark=http new-packet-mark=http-out passthrough=no
#Gaming: TCP sessions get a connection mark, UDP game traffic is packet-marked directly by port
add action=mark-connection chain=prerouting comment="wow connection mark as gaming" dst-port=1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="eve online connection mark as gaming" dst-address=87.237.38.200 new-connection-mark=games src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="starcraft 2 connection mark as gaming" dst-port=1119 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="heroes of newerth connection mark as gaming" dst-port=11031,11235-11335 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="steam connection mark as gaming" dst-port=27014-27050 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="xbox live connection mark as gaming" dst-port=3074 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="ps3 online connection mark as gaming" dst-port=5223 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="wii online connection mark as gaming" dst-port=28910,29900,29901,29920 new-connection-mark=games protocol=tcp src-address-list=internal-nets
#The forever-saken-game address list is not created above; add it yourself or this rule never matches
add action=mark-packet chain=prerouting comment="games packet mark forever-saken-game" dst-address-list=external-nets new-packet-mark=games-in passthrough=no src-address-list=forever-saken-game
add action=mark-packet chain=prerouting comment="games packet mark wow" dst-address-list=external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment="games packet mark starcraft2" dst-address-list=external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
add action=mark-packet chain=prerouting comment="games packet mark HoN" dst-address-list=external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=11031,11235-11335
add action=mark-packet chain=prerouting comment="games packet mark steam in" dst-address-list=external-nets new-packet-mark=games-in passthrough=no port=4380,28960,27000-27030 protocol=udp
add action=mark-packet chain=prerouting comment="games packet mark steam out" dst-port=53,1500,3005,3101,3478,4379-4380,27000-27030,28960 new-packet-mark=games-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" dst-address-list=external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment="games packet mark ps3 online" dst-address-list=external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=3478,3479,3658
add action=mark-packet chain=prerouting comment="games packet mark in" connection-mark=games dst-address-list=external-nets new-packet-mark=games-in passthrough=no
add action=mark-packet chain=prerouting comment="games packet mark out" connection-mark=games new-packet-mark=games-out passthrough=no
#VoIP: TeamSpeak, Ventrilo, SIP signalling and RTP media (RTP is guessed by UDP port range plus packet size)
add action=mark-packet chain=prerouting comment="voip-in packet mark teamspeak" dst-address-list=external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment="voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=external-nets new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out passthrough=no protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" new-packet-mark=voip-out passthrough=no port=5060 protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment="voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=no port=5004,5060 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" dst-address-list=internal-nets new-packet-mark=voip-in packet-size=100-400 passthrough=no port=16348-32768 protocol=udp
#The original export marked outbound RTP as voip-in; it is voip-out here so it lands in the voip-out queue
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-out packet-size=100-400 passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
#VPN: GRE/PPTP, IPsec ESP, IKE/L2TP/NAT-T UDP ports
add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" in-interface=ether1 new-packet-mark=vpn-in passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" new-packet-mark=vpn-out passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" in-interface=ether1 new-packet-mark=vpn-in passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" new-packet-mark=vpn-out passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-in packet mark VPN UDP ports" in-interface=ether1 new-packet-mark=vpn-in passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" in-interface=ether1 new-packet-mark=vpn-in passthrough=no protocol=tcp src-port=1723
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" new-packet-mark=vpn-out passthrough=no protocol=tcp src-port=1723
#Everything not matched above is scavenge: plain "in" and "out"
add action=mark-packet chain=prerouting comment="all in" in-interface=ether1 new-packet-mark=in passthrough=no
add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out passthrough=no

#We now start setting up our queues
/queue type
add kind=pfifo name=streaming-video-in pfifo-limit=500
add kind=pcq name=games-in-pcq pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=100k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=750000

#Two top-level parents (in/out) sized to the whole link; every class below hangs off one of them
#(the original export created in/out twice; the duplicate pair is dropped here since names must be unique)
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10M name=in parent=global-in priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10M name=out parent=global-in priority=8
add limit-at=3M max-limit=10M name=http-in packet-mark=http-in parent=in priority=4 queue=default
add limit-at=4M max-limit=10M name=streaming-video-in packet-mark=streaming-video-in parent=in priority=3 queue=streaming-video-in
add limit-at=500k max-limit=10M name=gaming-in packet-mark=games-in parent=in priority=2 queue=games-in-pcq
add max-limit=10M name=download-in packet-mark=in parent=in queue=default
add max-limit=10M name=upload-out packet-mark=out parent=out queue=default
add limit-at=500k max-limit=10M name=gaming-out packet-mark=games-out parent=out priority=2 queue=default
add limit-at=3M max-limit=10M name=http-out packet-mark=http-out parent=out priority=4 queue=default
add limit-at=4M max-limit=10M name=streaming-video-out packet-mark=streaming-video-out parent=out priority=3 queue=default
add limit-at=1M max-limit=10M name=customer-servers-in packet-mark=customer-servers-in parent=in priority=1 queue=default
add limit-at=1M max-limit=10M name=customer-servers-out packet-mark=customer-servers-out parent=out priority=1 queue=default
add limit-at=500k max-limit=10M name=voip-in packet-mark=voip-in parent=in priority=1 queue=default
add limit-at=500k max-limit=10M name=vpn-in packet-mark=vpn-in parent=in priority=2 queue=default
add limit-at=500k max-limit=10M name=voip-out packet-mark=voip-out parent=out priority=1 queue=default
add limit-at=500k max-limit=10M name=vpn-out packet-mark=vpn-out parent=out priority=2 queue=default
add limit-at=500k max-limit=10M name=admin-in packet-mark=admin-in parent=in priority=1 queue=default
add limit-at=500k max-limit=10M name=admin-out packet-mark=admin-out parent=out priority=1 queue=default
```
*****THIS IS VERSION 6 of RouterOS*****
```
##Provided by Greg Sowell at Greg Sowell Consulting.
###Email: [email protected] HTTP: http://GregSowell.com
#
##The queues are based off of a theoretical 10Mb connection. In this way you can
###use the values as percentages of the whole. The easiest thing to do is to
###apply the script, then in winbox adjust the values for queue size.
#
##1.1.1.0/29 is your external WAN subnet, replace this.
##2.2.2.0/24 is an additional subnet routed to you on the WAN side, replace or remove any lines containing this.
##172.22.0.0/16 is listed as your internal subnet and should be modified to fit your environment.
##172.22.0.5 is listed as "customer servers". This is a special queue listed at 10 percent
###of the overall bandwidth. This gives elevated service to any internal customers. To disable
###this functionality, issue the following commands once everything has been put into place:
###/ip firewall mangle dis 2,3
###/queue tree dis 8,9
###You can then appropriate the queue bandwidth as you see fit.
#
##You will also want to change the ether1 interface to whatever your WAN interface happens to be.
#
##As always, thank you for your business and thank you for helping to feed my kids :)

#Here's our l7 regex statements:
/ip firewall layer7-protocol
add comment="" name=speedtest-servers regexp="^.*(get|GET).+speedtest.*\$"
add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add comment="" name=netflix regexp="^.*(get|GET).+(netflix).*\$"
add comment="" name=mp4 regexp="^.*(get|GET).+\\.mp4.*\$"
add comment="" name=swf regexp="^.*(get|GET).+\\.swf.*\$"
add comment="" name=flv regexp="^.*(get|GET).+\\.flv.*\$"
add name=video regexp="^.*(get|GET).+(\\.flv|\\.mp4|netflix|\\.swf).*\$"

#Setting up our address lists
/ip firewall address-list
add address=172.22.0.0/16 comment="" disabled=no list=internal-nets
add address=1.1.1.0/29 comment="" disabled=no list=external-nets
add address=2.2.2.0/24 comment="" disabled=no list=external-nets
add address=172.22.0.5 comment="customer 1" disabled=no list=customer-servers

#Mangle identifies our various portions of traffic
#All marks are set in prerouting with passthrough=no, so the first matching rule wins; order matters.
/ip firewall mangle
#LAN-to-LAN traffic is marked first so it never counts against the WAN queues
add action=mark-packet chain=prerouting comment="internal-traffic packet mark" dst-address-list=internal-nets new-packet-mark=internal-traffic passthrough=no src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="customer-servers-out packet mark" new-packet-mark=customer-servers-out passthrough=no src-address-list=customer-servers
add action=mark-packet chain=prerouting comment="customer-servers-in packet mark" dst-address-list=customer-servers new-packet-mark=customer-servers-in passthrough=no
#Admin/management traffic: DNS and SNMP replies from the WAN, remote-access protocols, ICMP
add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" in-interface=ether1 new-packet-mark=admin-in passthrough=no protocol=udp src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" dst-port=161 in-interface=ether1 new-packet-mark=admin-in passthrough=no protocol=udp
add action=mark-connection chain=prerouting comment="Remote Protocols admin connection mark" new-connection-mark=admin port=20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment="icmp connection mark as admin" new-connection-mark=admin protocol=icmp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" connection-mark=admin in-interface=ether1 new-packet-mark=admin-in passthrough=no
add action=mark-packet chain=prerouting comment="admin-out packet mark" connection-mark=admin new-packet-mark=admin-out passthrough=no
#Streaming video is identified by the L7 "video" regex on port 80, then the whole connection is marked
add action=mark-connection chain=prerouting comment="streaming video connection mark" dst-port=80 layer7-protocol=video new-connection-mark=streaming-video protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="streaming video in packet mark" connection-mark=streaming-video in-interface=ether1 new-packet-mark=streaming-video-in passthrough=no
add action=mark-packet chain=prerouting comment="streaming video out packet mark" connection-mark=streaming-video new-packet-mark=streaming-video-out passthrough=no
#HTTP/HTTPS; connections over 5MB are re-marked http-download, which no queue claims, so they fall to the scavenge class
add action=mark-connection chain=prerouting comment="http traffic connection mark" dst-port=80,443 new-connection-mark=http protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="http download connection mark (over 5MB)" connection-bytes=5000000-4294967295 dst-port=80,443 new-connection-mark=http-download protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="http in packet mark" connection-mark=http in-interface=ether1 new-packet-mark=http-in passthrough=no
add action=mark-packet chain=prerouting comment="http out packet mark" connection-mark=http new-packet-mark=http-out passthrough=no
#Gaming: TCP sessions get a connection mark, UDP game traffic is packet-marked directly by port
add action=mark-connection chain=prerouting comment="wow connection mark as gaming" dst-port=1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="eve online connection mark as gaming" dst-address=87.237.38.200 new-connection-mark=games src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="starcraft 2 connection mark as gaming" dst-port=1119 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="heroes of newerth connection mark as gaming" dst-port=11031,11235-11335 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="steam connection mark as gaming" dst-port=27014-27050 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="xbox live connection mark as gaming" dst-port=3074 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="ps3 online connection mark as gaming" dst-port=5223 new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment="wii online connection mark as gaming" dst-port=28910,29900,29901,29920 new-connection-mark=games protocol=tcp src-address-list=internal-nets
#The forever-saken-game address list is not created above; add it yourself or this rule never matches
add action=mark-packet chain=prerouting comment="games packet mark forever-saken-game" dst-address-list=external-nets new-packet-mark=games-in passthrough=no src-address-list=forever-saken-game
add action=mark-packet chain=prerouting comment="games packet mark wow" dst-address-list=external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment="games packet mark starcraft2" dst-address-list=external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
add action=mark-packet chain=prerouting comment="games packet mark HoN" dst-address-list=external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=11031,11235-11335
add action=mark-packet chain=prerouting comment="games packet mark steam in" dst-address-list=external-nets new-packet-mark=games-in passthrough=no port=4380,28960,27000-27030 protocol=udp
add action=mark-packet chain=prerouting comment="games packet mark steam out" dst-port=53,1500,3005,3101,3478,4379-4380,27000-27030,28960 new-packet-mark=games-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" dst-address-list=external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment="games packet mark ps3 online" dst-address-list=external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=3478,3479,3658
add action=mark-packet chain=prerouting comment="games packet mark in" connection-mark=games dst-address-list=external-nets new-packet-mark=games-in passthrough=no
add action=mark-packet chain=prerouting comment="games packet mark out" connection-mark=games new-packet-mark=games-out passthrough=no
#VoIP: TeamSpeak, Ventrilo, SIP signalling and RTP media (RTP is guessed by UDP port range plus packet size)
add action=mark-packet chain=prerouting comment="voip-in packet mark teamspeak" dst-address-list=external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment="voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=external-nets new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out passthrough=no protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" new-packet-mark=voip-out passthrough=no port=5060 protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment="voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=no port=5004,5060 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" dst-address-list=internal-nets new-packet-mark=voip-in packet-size=100-400 passthrough=no port=16348-32768 protocol=udp
#The original export marked outbound RTP as voip-in; it is voip-out here so it lands in the voip-out queue
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-out packet-size=100-400 passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
#VPN: GRE/PPTP, IPsec ESP, IKE/L2TP/NAT-T UDP ports
add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" in-interface=ether1 new-packet-mark=vpn-in passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" new-packet-mark=vpn-out passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" in-interface=ether1 new-packet-mark=vpn-in passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" new-packet-mark=vpn-out passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-in packet mark VPN UDP ports" in-interface=ether1 new-packet-mark=vpn-in passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" in-interface=ether1 new-packet-mark=vpn-in passthrough=no protocol=tcp src-port=1723
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" new-packet-mark=vpn-out passthrough=no protocol=tcp src-port=1723
#Everything not matched above is scavenge: plain "in" and "out"
add action=mark-packet chain=prerouting comment="all in" in-interface=ether1 new-packet-mark=in passthrough=no
add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out passthrough=no

#We now start setting up our queues
/queue type
add kind=pfifo name=streaming-video-in pfifo-limit=500
add kind=pcq name=games-in-pcq pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=100k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=750000

#Two top-level parents (in/out) sized to the whole link; in v6 the built-in parent is "global" (global-in no longer exists)
#(the original export created in/out twice; the duplicate pair is dropped here since names must be unique)
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10M name=in parent=global priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10M name=out parent=global priority=8
add limit-at=3M max-limit=10M name=http-in packet-mark=http-in parent=in priority=4 queue=default
add limit-at=4M max-limit=10M name=streaming-video-in packet-mark=streaming-video-in parent=in priority=3 queue=streaming-video-in
add limit-at=500k max-limit=10M name=gaming-in packet-mark=games-in parent=in priority=2 queue=games-in-pcq
add max-limit=10M name=download-in packet-mark=in parent=in queue=default
add max-limit=10M name=upload-out packet-mark=out parent=out queue=default
add limit-at=500k max-limit=10M name=gaming-out packet-mark=games-out parent=out priority=2 queue=default
add limit-at=3M max-limit=10M name=http-out packet-mark=http-out parent=out priority=4 queue=default
add limit-at=4M max-limit=10M name=streaming-video-out packet-mark=streaming-video-out parent=out priority=3 queue=default
add limit-at=1M max-limit=10M name=customer-servers-in packet-mark=customer-servers-in parent=in priority=1 queue=default
add limit-at=1M max-limit=10M name=customer-servers-out packet-mark=customer-servers-out parent=out priority=1 queue=default
add limit-at=500k max-limit=10M name=voip-in packet-mark=voip-in parent=in priority=1 queue=default
add limit-at=500k max-limit=10M name=vpn-in packet-mark=vpn-in parent=in priority=2 queue=default
add limit-at=500k max-limit=10M name=voip-out packet-mark=voip-out parent=out priority=1 queue=default
add limit-at=500k max-limit=10M name=vpn-out packet-mark=vpn-out parent=out priority=2 queue=default
add limit-at=500k max-limit=10M name=admin-in packet-mark=admin-in parent=in priority=1 queue=default
add limit-at=500k max-limit=10M name=admin-out packet-mark=admin-out parent=out priority=1 queue=default
```
I’m a fan of queue trees. I like them because they are so easy to read, and (in version 6) they let you use simple queues alongside them without issue.
You must remember that QoS doesn’t reorder packets. It simply gives preference to certain marked traffic. Another note is that QoS has zero effect on your traffic until you are in a congestion situation. Until the matched traffic hits that “max-limit” it doesn’t do anything.
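The whole script rests on the mangle marks lining up with the queue tree that consumes them, and the copy/paste slips in the comments below show how easily that wiring drifts. The following checker is an added example in Python, not part of Greg's script or of RouterOS: it parses the export format shown above and flags marks no queue consumes, queues whose mark is never set, undefined address lists, duplicate queue names, and parents that do not exist on the chosen RouterOS version. The sample input is a constructed excerpt of the v6 script with two such slips kept in on purpose.

```python
"""Cross-check a RouterOS mangle/queue-tree export for wiring mistakes.

Parses the export format shown on this page: `/path` section headers,
one `add key=value ...` command per line, `\\` line continuations and
double-quoted values. Regexp values in the layer7 section are not validated.
"""
import re
import shlex

# Constructed sample: an excerpt modelled on the v6 script above, keeping
# two of its slips on purpose (the RTP "out" rule marks voip-in, and an
# address list is referenced that is never defined).
SAMPLE = r'''
/ip firewall address-list
add address=172.22.0.0/16 list=internal-nets
add address=1.1.1.0/29 list=external-nets
/ip firewall mangle
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" dst-address-list=\
    internal-nets new-packet-mark=voip-in packet-size=100-400 passthrough=no port=16348-32768 protocol=udp
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-in \
    packet-size=100-400 passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="games packet mark forever-saken-game" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=no src-address-list=forever-saken-game
add action=mark-packet chain=prerouting comment="all in" in-interface=ether1 new-packet-mark=in passthrough=no
add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out passthrough=no
/queue tree
add max-limit=10M name=in parent=global priority=8
add max-limit=10M name=out parent=global priority=8
add limit-at=500k max-limit=10M name=voip-in packet-mark=voip-in parent=in priority=1
add limit-at=500k max-limit=10M name=voip-out packet-mark=voip-out parent=out priority=1
add limit-at=500k max-limit=10M name=gaming-in packet-mark=games-in parent=in priority=2
add max-limit=10M name=download-in packet-mark=in parent=in
add max-limit=10M name=upload-out packet-mark=out parent=out
'''

# Built-in queue-tree parents: v5 had global-in/global-out/global-total,
# v6 replaced them with the single "global" parent.
GLOBAL_PARENTS = {5: {"global-in", "global-out", "global-total"}, 6: {"global"}}


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} for every `add` command."""
    joined = re.sub(r"\\\n\s*", "", text)  # fold `\`-continued lines
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:])  # shlex keeps comment="..." as one token
            sections[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections


def lint(text, ros_version=6):
    """Return a list of findings about marks, address lists and queue parents."""
    cfg = parse_export(text)
    mangle = cfg.get("/ip firewall mangle", [])
    queues = cfg.get("/queue tree", [])
    addr_lists = {r["list"] for r in cfg.get("/ip firewall address-list", []) if "list" in r}
    findings = []

    # 1. Every packet mark a queue consumes must be set by a mangle rule, and vice versa.
    produced = {r["new-packet-mark"] for r in mangle if r.get("action") == "mark-packet"}
    consumed = {q["packet-mark"] for q in queues if "packet-mark" in q}
    for mark in sorted(consumed - produced):
        findings.append(f"queue uses packet-mark '{mark}' that no mangle rule sets")
    for mark in sorted(produced - consumed):
        findings.append(f"mangle sets packet-mark '{mark}' that no queue uses")

    # 2. A rule whose comment says "-out" but marks "-in" (or the reverse) is a copy/paste slip.
    for r in mangle:
        comment, mark = r.get("comment", ""), r.get("new-packet-mark", "")
        tag = comment.split(" ")[0]
        if (tag.endswith("-out") and mark.endswith("-in")) or (tag.endswith("-in") and mark.endswith("-out")):
            findings.append(f"rule '{comment}' sets '{mark}' (direction mismatch)")

    # 3. Address lists referenced by mangle rules must exist; an undefined list never matches.
    for r in mangle:
        for key in ("src-address-list", "dst-address-list"):
            lst = r.get(key)
            if lst and lst not in addr_lists:
                findings.append(f"rule '{r.get('comment', '?')}' references undefined address list '{lst}'")

    # 4. Queue names must be unique and every parent must be a queue or a built-in of this version.
    names, seen = [q.get("name") for q in queues], set()
    for n in names:
        if n in seen:
            findings.append(f"duplicate queue name '{n}'")
        seen.add(n)
    valid_parents = set(names) | GLOBAL_PARENTS[ros_version]
    for q in queues:
        if q.get("parent") not in valid_parents:
            findings.append(f"queue '{q.get('name')}' has parent '{q.get('parent')}', invalid on RouterOS {ros_version}")
    return findings


if __name__ == "__main__":
    for version in (6, 5):
        print(f"--- RouterOS {version} ---")
        for finding in lint(SAMPLE, version):
            print(" *", finding)
```

Feed it the full v5 or v6 export (pasted into `SAMPLE` or read from a file) with the matching `ros_version` before loading the script on a router; the same export run under the wrong version number shows why Darren's global-in report above broke the v6 queue tree.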
There are some additional modifications you can make, such as setting up a PCQ on the streaming video queue. This lets you limit individual customers so they can only stream at certain resolutions (this can be a life saver).
I’ve noticed that around 70% or better of all traffic is streaming video; so be sure to pay special attention to it.
I’m hastily throwing this up here, so I’ll come back and add some additional notes and supporting material…at some point. Until then if you have some additional services/L7 I should add, drop me a comment and I’ll update the doc.
If you enjoy the script, take a few seconds to drop me a comment.
Thanks Greg! Really appreciate this script!
@Bobby
NP sir, glad to help 🙂
Awesome! I have a quick-config script setup for our techs and will be adding this into it so that priorities are much better for our customers. Thank you very much and trust me your contribution info will stay fully intact!
Looking forward to any other changes you do.
I am trying to match packets for streaming traffic from http://www.twitch.tv. I can sort of do it by guessing massive IP ranges, but that seems somewhat lame. All I really care about is the streams themselves, and after looking at some packet captures, I thought this should cover just about everything I needed:
^.*((video|media)\d+(\-\d+)?\.(\w{2,}\d\.)?((\w{2,})\.)?(twitch|justin)\..*|(twitch.map.fastly.net))$
But I get nothing. Any experience with this, or thoughts on where I’m going wrong?
Thanks!
Thanks, Greg. Really appreciate it. Please go on with that kind of useful stuff.
Regards,
Img
Thanks Greg, installed this today.
Also an update to the XBOX ports, with the new “XBOX ONE” that was just released.
Xbox Live requires the following ports to be open:
Port 88 (UDP)
Port 3074 (UDP and TCP)
Port 53 (UDP and TCP)
Port 80 (TCP)
Port 500 (UDP)
Port 3544 (UDP)
Port 4500 (UDP)
http://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live
thanks for sharing, greg.
Nice script. I will try it.
Thanks
First, I would like to tell you that I’m a big fan of your website, man 🙂
Thanks for the script; it was pretty interesting because I’m actually implementing that kind of QoS in my company.
Have a good day
Great site, Greg. I am new to MikroTik and I need all kinds of information to learn. So thanks for sharing your knowledge.
Excellent update, thanks again!
One thing: the amended ROS 6.x version sets up the in/out queues in lines 172-176 with the ‘global’ parent, and then tries to create them again in lines 178-9 with a parent of ‘global-in’ which doesn’t exist any longer in 6.x
@Darren
I fat fingered it from the copy/paste. Updated, thanks!
Greg,
Thanks for this. I have a wireless hotspot setup in an office building with multiple mikrotik waps and a mikrotik router. Should this be loaded on the waps, or just the router and simple pcq added to the waps?
@Pilot
If your network bottleneck is at the border, then just put it there.
Hey Greg, I have a lot of game ports set up on my router. If you want, I can send them to you and you can add them?
@Skoenman
Hook us up!
Excellent work!! Thanks for sharing it and keeping it updated!!
Regards