Dec 6 / Greg

BIND9 Notifications

In BIND, when the master DNS server updates a zone it looks at the name servers listed in that zone file and sends each of them a NOTIFY saying there has been an update. The slave then queries the SOA record to see whether it needs to pull the change. If you have an additional DNS server that must be notified but isn't listed in the zone, there is an "also-notify" option.

options {
....
    also-notify {10.1.0.15; 172.28.32.7;}; // all zones
....
};

Also-notify does just that: it sends a notification to these servers that there has been a change.

On the master you will also need to allow zone transfers from any additional servers, otherwise all of this is moot.
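A fuller master-side configuration, added here as an illustration and not taken from the post: it pairs the also-notify list with an allow-transfer list so the extra servers can actually pull the zone. The zone name, file path and the 192.0.2.53 address are assumptions.

```conf
// Added example, not from the original post. Global defaults first.
options {
    // "notify yes" (the default) sends NOTIFY to the name servers in the zone
    // plus everything in also-notify; "notify explicit" would send only to the
    // also-notify list if you want to stop the automatic ones.
    notify yes;
    also-notify { 10.1.0.15; 172.28.32.7; };

    // Weak setting: lets anyone on the internet download every zone.
    // allow-transfer { any; };

    // Restrict AXFR/IXFR to the secondaries you actually notify.
    allow-transfer { 10.1.0.15; 172.28.32.7; };
};

// Per-zone settings override the options block. Here one extra slave
// (192.0.2.53, an assumed address) is notified and allowed to transfer
// this zone only.
zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    also-notify { 10.1.0.15; 172.28.32.7; 192.0.2.53; };
    allow-transfer { 10.1.0.15; 172.28.32.7; 192.0.2.53; };
};
```

A server in also-notify that is missing from allow-transfer still receives the NOTIFY but gets REFUSED when it tries the transfer, which shows up in its log rather than on the master.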

Dec 3 / Greg

RouterOS V6.7 Released

What's new in 6.7 (2013-Nov-29 13:37):

*) support Android usb tethering interface; What’s all this action about…I can plug my phone in and tether with a Mikrotik…yes please!
*) ipsec – added aes-gcm icv16 encryption mode;
*) ipsec – added aes-ctr encryption mode;
*) ipsec – added sha256 and sha512 support;
*) ipsec – proposal defaults changed to aes-128 and sha1 for both phase1 and phase2;
*) ipsec – fix policy bypass on IPv6 gre, ipip, eoip tunnels when policy uses protocol filter;
A whole slew of ipsec updates!
*) leds – inverted modem signal trigger, now it will trigger when the signal level rises above the threshold;
*) wireless – improve rate selection for nstreme protocol
*) poe – new poe controller firmware for RB750UP and OmniTIK UPA;
*) certificate – support ip, dns and email subject alternative names;
*) dhcpv4 server – added REMOTE_ID option variable for relayed packets;
*) userman – fix crash on tilera;
*) fixed hairpin nat on bridge with use-ip-firewall=yes;
*) fixed vlan on bridge after reboot having 00:00:00:00:00:00 mac address;
*) address-list – allow manually adding timeoutable entries; AWESOME. Jimmy and I were just rigging methods to accomplish this…now it is just built in!
*) address-list – show dynamic entry timeout;
*) fixed l2mtu changing on CCRs – could cause port flapping;
*) disabling/enabling ethernet ports did not work properly on CCRs – could cause port flapping;
*) fixed port flapping on CCR – could happen when having other than only-hardware-queue interface queue.
Note that having other interface queue than only-hardware-queue dramatically reduces performance, so should be avoided if possible; More important CCR updates.

Nov 8 / Greg

Mikrotik ROS V6.6 Released

What’s new in 6.6 (2013-Nov-07 13:04):

*) winbox – fixed problem where all previous session opened windows were read only; – This was annoying
*) certificate – no more 'reset-certificate-cache' and 'decrypt' commands,
private keys can be decrypted only on 'import', use 'decrypt' before upgrade if needed;
*) fixed arp-reply only with more than one ip address on interface;
*) fixed RB400 not to reboot by watchdog during micro-sd format;
*) web proxy – fix SPDY server push handling;
*) certificate – merged '/certificate ca issued', '/certificate scep client' and
'/certificate templates' into '/certificate';
*) console – :foreach command can iterate over keys and values in an array,
by specifying two counter variables, e.g.:
:foreach k,v in=[/system clock get] do={:put "$k is $v"};
*) added support for new Intel 10Gb ethernet cards (82599); Nice to see they are still supporting the x86 dudes
*) certificates – fixed certificate import;
*) wireless – fixed crash when dfs was enabled on pre-n wireless cards;
*) fixed port flapping on CCR; I’ve heard reports of this, so I urge you guys to definitely take a look at this.

Sep 30 / Greg

VLANs In Centos 6

Creating VLANs in centos 6 is simple…well, it’s supposed to be.

# cat /etc/sysconfig/network-scripts/ifcfg-eth1.58
VLAN=yes
DEVICE=eth1.58
NM_CONTROLLED=no
ONBOOT=yes
BOOTPROTO=static
IPADDR=x.y.z.w
NETMASK=a.b.c.d

For me, though, not so much. I have a CSV with about 200 VLANs that need to be created, so I wrote a quick autoit script to whip up the config files…no biggie.

I then copied them to the server and did a "service network restart", and it gave me:

Device eth1.58 does not seem to be present, delaying initialization.

After I banged my head against the wall for a while I found that once the files were on the server if I opened the file, then saved it…it would magically work. I’m not sure what the difference was, but that was it.

You can script it to echo your configs and pipe it with > and >> to file, or perhaps you can just script it to open/save/close each file. Have phun kids!
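A generator for the batch case above, added as an example and not the AutoIt script from the post: it writes one ifcfg file per CSV row with LF line endings and checks that each file's DEVICE line matches its filename. The parent interface eth1, the sample CSV and the output directory are assumptions, as is the guess (mine, not the post's) that carriage returns from a Windows-generated file are one cause of the "does not seem to be present" error, which is what normalize_crlf addresses.

```shell
#!/bin/sh
# Added example (not from the original post): generate CentOS 6 ifcfg files for
# VLAN sub-interfaces from a CSV of "vlan,ipaddr,netmask" rows.
# Assumptions: parent NIC eth1, the constructed CSV below, and an output
# directory given as an argument so nothing under /etc/sysconfig is touched.

# Constructed sample input; the real one would be the 200-row CSV from the post.
SAMPLE_CSV='vlan,ipaddr,netmask
58,10.0.58.1,255.255.255.0
59,10.0.59.1,255.255.255.0
102,10.0.102.1,255.255.255.0'

# Write one ifcfg file. Arguments: outdir parent vlan ipaddr netmask.
write_ifcfg() {
    outdir=$1; parent=$2; vlan=$3; ip=$4; mask=$5
    dev="$parent.$vlan"
    # printf with \n gives LF-only line endings. A file produced on Windows often
    # carries CR LF, and "DEVICE=eth1.58<CR>" is not the name of any device, which
    # is my assumed explanation for the "does not seem to be present" error.
    printf 'VLAN=yes\nDEVICE=%s\nNM_CONTROLLED=no\nONBOOT=yes\nBOOTPROTO=static\nIPADDR=%s\nNETMASK=%s\n' \
        "$dev" "$ip" "$mask" > "$outdir/ifcfg-$dev"
}

# Generate every file from the CSV, skipping the header row.
generate_all() {
    outdir=$1; parent=$2
    mkdir -p "$outdir"
    printf '%s\n' "$SAMPLE_CSV" | tail -n +2 | while IFS=, read -r vlan ip mask; do
        # Refuse empty or non-numeric VLAN ids instead of writing a junk file.
        case $vlan in
            ''|*[!0-9]*) echo "skipping bad vlan id: '$vlan'" >&2; continue ;;
        esac
        write_ifcfg "$outdir" "$parent" "$vlan" "$ip" "$mask"
    done
}

# Sanity check mirroring what the network scripts need: the file exists,
# contains no carriage returns, and its DEVICE line matches the filename.
check_ifcfg() {
    f=$1
    [ -f "$f" ] || return 1
    if grep -q "$(printf '\r')" "$f"; then return 1; fi
    dev=$(sed -n 's/^DEVICE=//p' "$f")
    [ "ifcfg-$dev" = "$(basename "$f")" ]
}

# Strip carriage returns from a file produced elsewhere (for example copied
# over from a Windows box), the scripted equivalent of open/save in an editor.
normalize_crlf() {
    f=$1
    tr -d '\r' < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}
```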

Sep 19 / Greg

Border Router QoS Script For Mikrotik

******UPDATED 1/16/2014 – overall update, V6 support******

******UPDATED 1/17/2014 – added some additional xbox one ports******

I’ve been using a derivative of this script successfully for quite some time now. In the past I’ve charged for it, but since I’ve had so little time for you guys lately I decided to hand this out for free.

So this identifies and marks traffic. It then puts this traffic into different queues and elevates priorities accordingly. It is really tailored for an apartment complex or WISP that serves a lot of standard users. There is a provision in there for elevated customer access too…for those complainers.

It marks and elevates:

  • VoIP
  • VPN
  • Gaming traffic (Xbox network, PS network, Wii, WoW, LoL, etc.)
  • Streaming video (Netflix, YouTube, etc.)
  • HTTP browsing (connections of less than 5MB)
  • Admin protocols (SSH, telnet, etc.)
  • Admin services (DNS, ICMP, etc.)
  • Everything left over is considered scavenge and fights for what's left.

    It uses Layer 7 regex matches to identify streaming traffic. With those enabled you will take a performance hit from the additional processing.

    *****THIS IS VERSION 5 of RouterOS*****

    ##Provided by Greg Sowell at Greg Sowell Consulting.
    ###Email: [email protected] HTTP: http://GregSowell.com
    #
    ##The queues are based off of a theoretical 10Mb connection.  In this way you can
    ###use the values as percentages of the whole.  The easiest thing to do is to 
    ###apply the script, then in winbox adjust the values for queue size.
    #
    ##1.1.1.0/29 is your external WAN subnet, replace this.
    ##2.2.2.0/24 is an additional subnet routed to you on the WAN side, replace or remove any lines containing this.
    ##172.22.0.0/16 is listed as your internal subnet and should be modified to fit your environment.
    ##172.22.0.5 is listed as "customer servers".  This is a special queue listed at 10 percent
    ###of the overall bandwidth.  This gives elevated service to any internal customers.  To disable
    ###this functionality, issue the following commands once everything has been put into place:
    ###/ip firewall mangle dis 2,3
    ###/queue tree dis 8,9
    ###You can then appropriate the queue bandwidth as you see fit.
    #
    ##You will also want to change the ether1 interface to whatever your WAN interface happens to be.
    #
    ##As always, thank you for your business and thank you for helping to feed my kids :)
     
    #Here's our l7 regex statements:
    /ip firewall layer7-protocol
    add comment="" name=speedtest-servers regexp="^.*(get|GET).+speedtest.*\$"
    add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|i\
        sohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bi\
        tnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
    add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|enter\
        tane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsou\
        p|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
    add comment="" name=netflix regexp="^.*(get|GET).+(netflix).*\$"
    add comment="" name=mp4 regexp="^.*(get|GET).+\\.mp4.*\$"
    add comment="" name=swf regexp="^.*(get|GET).+\\.swf.*\$"
    add comment="" name=flv regexp="^.*(get|GET).+\\.flv.*\$"
    add name=video regexp="^.*(get|GET).+(\\.flv|\\.mp4|netflix|\\.swf).*\$"
     
    #Setting up our address lists
    /ip firewall address-list
    add address=172.22.0.0/16 comment="" disabled=no list=internal-nets
    add address=1.1.1.0/29 comment="" disabled=no list=external-nets
    add address=2.2.2.0/24 comment="" disabled=no list=external-nets
    add address=172.22.0.5 comment="customer 1" disabled=no list=customer-servers
     
    #Mangle identifies our various portions of traffic
    /ip firewall mangle
    add action=mark-packet chain=prerouting comment="internal-traffic packet mark" dst-address-list=\
        internal-nets new-packet-mark=internal-traffic passthrough=no src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="customer-servers-out packet mark" new-packet-mark=\
        customer-servers-out passthrough=no src-address-list=customer-servers
    add action=mark-packet chain=prerouting comment="customer-servers-in packet mark" dst-address-list=\
        customer-servers new-packet-mark=customer-servers-in passthrough=no
    add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" in-interface=ether1 \
        new-packet-mark=admin-in passthrough=no protocol=udp src-port=53
    add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" dst-port=161 \
        in-interface=ether1 new-packet-mark=admin-in passthrough=no protocol=udp
    add action=mark-connection chain=prerouting comment="Remote Protocols admin connection mark" \
        new-connection-mark=admin port=20,21,22,23,3389,8291 protocol=tcp
    add action=mark-connection chain=prerouting comment="icmp connection mark as admin" \
        new-connection-mark=admin protocol=icmp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="admin-in packet mark" connection-mark=admin \
        in-interface=ether1 new-packet-mark=admin-in passthrough=no
    add action=mark-packet chain=prerouting comment="admin-out packet mark" connection-mark=admin \
        new-packet-mark=admin-out passthrough=no
    add action=mark-connection chain=prerouting comment="streaming video connection mark" dst-port=80 \
        layer7-protocol=video new-connection-mark=streaming-video protocol=tcp src-address-list=\
        internal-nets
    add action=mark-packet chain=prerouting comment="streaming video in packet mark" connection-mark=\
        streaming-video in-interface=ether1 new-packet-mark=streaming-video-in passthrough=no
    add action=mark-packet chain=prerouting comment="streaming video out packet mark" connection-mark=\
        streaming-video new-packet-mark=streaming-video-out passthrough=no
    add action=mark-connection chain=prerouting comment="http traffic connection mark" dst-port=80,443 \
        new-connection-mark=http protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="http traffic connection mark" \
        connection-bytes=5000000-4294967295 dst-port=80,443 new-connection-mark=http-download protocol=\
        tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="http in packet mark" connection-mark=http \
        in-interface=ether1 new-packet-mark=http-in passthrough=no
    add action=mark-packet chain=prerouting comment="http out packet mark" connection-mark=http \
        new-packet-mark=http-out passthrough=no
    add action=mark-connection chain=prerouting comment="wow connection mark as gaming" dst-port=\
        1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games protocol=tcp src-address-list=\
        internal-nets
    add action=mark-connection chain=prerouting comment="eve online connection mark as gaming" \
        dst-address=87.237.38.200 new-connection-mark=games src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="starcraft 2 connection mark as gaming" \
        dst-port=1119 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="heroes of newerth connection mark as gaming" \
        dst-port=11031,11235-11335 new-connection-mark=games protocol=tcp src-address-list=\
        internal-nets
    add action=mark-connection chain=prerouting comment="steam connection mark as gaming" dst-port=\
        27014-27050 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="xbox live connection mark as gaming" dst-port=\
        3074 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="ps3 online connection mark as gaming" dst-port=\
        5223 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="wii online connection mark as gaming" dst-port=\
        28910,29900,29901,29920 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="games packet mark forever-saken-game" \
        dst-address-list=external-nets new-packet-mark=games-in passthrough=no src-address-list=\
        forever-saken-game
    add action=mark-packet chain=prerouting comment="games packet mark wow" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=53,3724
    add action=mark-packet chain=prerouting comment="games packet mark starcraft2" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
    add action=mark-packet chain=prerouting comment="games packet mark HoN" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=11031,11235-11335
    add action=mark-packet chain=prerouting comment="games packet mark steam in" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no port=4380,28960,27000-27030 protocol=udp
    add action=mark-packet chain=prerouting comment="games packet mark steam out" dst-port=\
        53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 new-packet-mark=games-out \
        passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="games packet mark xbox live" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=88,3074,3544,4500
    add action=mark-packet chain=prerouting comment="games packet mark ps3 online" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=3478,3479,3658
    add action=mark-packet chain=prerouting comment="games packet mark in" connection-mark=games \
        dst-address-list=external-nets new-packet-mark=games-in passthrough=no
    add action=mark-packet chain=prerouting comment="games packet mark out" connection-mark=games \
        new-packet-mark=games-out passthrough=no
    add action=mark-packet chain=prerouting comment="voip-in packet mark teamspeak" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
    add action=mark-packet chain=prerouting comment="voip-out packet mark teamspeak" dst-port=9987 \
        new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
    add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 \
        new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
    add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 \
        new-packet-mark=voip-out passthrough=no protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" dst-address-list=\
        internal-nets new-packet-mark=voip-in passthrough=no port=5060 protocol=tcp
    add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" new-packet-mark=voip-out \
        passthrough=no port=5060 protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" dst-address-list=\
        internal-nets new-packet-mark=voip-in passthrough=no port=5004,5060 protocol=udp
    add action=mark-packet chain=prerouting comment="voip-out packet mark udp SIP" new-packet-mark=\
        voip-out passthrough=no port=5004,5060 protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" dst-address-list=\
        internal-nets new-packet-mark=voip-in packet-size=100-400 passthrough=no port=16348-32768 \
        protocol=udp
    add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-out \
        packet-size=100-400 passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=gre
    add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" new-packet-mark=vpn-out \
        passthrough=no protocol=gre
    add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=ipsec-esp
    add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" new-packet-mark=vpn-out \
        passthrough=no protocol=ipsec-esp
    add action=mark-packet chain=prerouting comment="vpn-in packet mark VPN UDP ports" in-interface=\
        ether1 new-packet-mark=vpn-in passthrough=no protocol=udp src-port=500,1701,4500
    add action=mark-packet chain=prerouting comment="vpn-out packet mark VPN UDP ports" \
        new-packet-mark=vpn-out passthrough=no protocol=udp src-port=500,1701,4500
    add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=tcp src-port=1723
    add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" new-packet-mark=vpn-out \
        passthrough=no protocol=tcp src-port=1723
    add action=mark-packet chain=prerouting comment="all in" in-interface=ether1 new-packet-mark=in \
        passthrough=no
    add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out passthrough=no
     
    #We now start setting up our queues
    /queue type
    add kind=pfifo name=streaming-video-in pfifo-limit=500
    add kind=pcq name=games-in-pcq pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 \
        pcq-limit=50 pcq-rate=100k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=750000
    /queue tree
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
        max-limit=10M name=in parent=global-in priority=8
    add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
        max-limit=10M name=out parent=global-in priority=8
    add limit-at=3M max-limit=10M name=http-in packet-mark=http-in parent=in priority=4 queue=default
    add limit-at=4M max-limit=10M name=streaming-video-in packet-mark=streaming-video-in parent=in \
        priority=3 queue=streaming-video-in
    add limit-at=500k max-limit=10M name=gaming-in packet-mark=games-in parent=in priority=2 queue=\
        games-in-pcq
    add max-limit=10M name=download-in packet-mark=in parent=in queue=default
    add max-limit=10M name=upload-out packet-mark=out parent=out queue=default
    add limit-at=500k max-limit=10M name=gaming-out packet-mark=games-out parent=out priority=2 queue=\
        default
    add limit-at=3M max-limit=10M name=http-out packet-mark=http-out parent=out priority=4 queue=default
    add limit-at=4M max-limit=10M name=streaming-video-out packet-mark=streaming-video-out parent=out \
        priority=3 queue=default
    add limit-at=1M max-limit=10M name=customer-servers-in packet-mark=customer-servers-in parent=in \
        priority=1 queue=default
    add limit-at=1M max-limit=10M name=customer-servers-out packet-mark=customer-servers-out parent=out \
        priority=1 queue=default
    add limit-at=500k max-limit=10M name=voip-in packet-mark=voip-in parent=in priority=1 queue=default
    add limit-at=500k max-limit=10M name=vpn-in packet-mark=vpn-in parent=in priority=2 queue=default
    add limit-at=500k max-limit=10M name=voip-out packet-mark=voip-out parent=out priority=1 queue=\
        default
    add limit-at=500k max-limit=10M name=vpn-out packet-mark=vpn-out parent=out priority=2 queue=default
    add limit-at=500k max-limit=10M name=admin-in packet-mark=admin-in parent=in priority=1 queue=default
    add limit-at=500k max-limit=10M name=admin-out packet-mark=admin-out parent=out priority=1 queue=\
        default

    *****THIS IS VERSION 6 of RouterOS*****

    ##Provided by Greg Sowell at Greg Sowell Consulting.
    ###Email: [email protected] HTTP: http://GregSowell.com
    #
    ##The queues are based off of a theoretical 10Mb connection.  In this way you can
    ###use the values as percentages of the whole.  The easiest thing to do is to 
    ###apply the script, then in winbox adjust the values for queue size.
    #
    ##1.1.1.0/29 is your external WAN subnet, replace this.
    ##2.2.2.0/24 is an additional subnet routed to you on the WAN side, replace or remove any lines containing this.
    ##172.22.0.0/16 is listed as your internal subnet and should be modified to fit your environment.
    ##172.22.0.5 is listed as "customer servers".  This is a special queue listed at 10 percent
    ###of the overall bandwidth.  This gives elevated service to any internal customers.  To disable
    ###this functionality, issue the following commands once everything has been put into place:
    ###/ip firewall mangle dis 2,3
    ###/queue tree dis 8,9
    ###You can then appropriate the queue bandwidth as you see fit.
    #
    ##You will also want to change the ether1 interface to whatever your WAN interface happens to be.
    #
    ##As always, thank you for your business and thank you for helping to feed my kids :)
     
    #Here's our l7 regex statements:
    /ip firewall layer7-protocol
    add comment="" name=speedtest-servers regexp="^.*(get|GET).+speedtest.*\$"
    add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|i\
        sohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bi\
        tnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
    add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|enter\
        tane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsou\
        p|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
    add comment="" name=netflix regexp="^.*(get|GET).+(netflix).*\$"
    add comment="" name=mp4 regexp="^.*(get|GET).+\\.mp4.*\$"
    add comment="" name=swf regexp="^.*(get|GET).+\\.swf.*\$"
    add comment="" name=flv regexp="^.*(get|GET).+\\.flv.*\$"
    add name=video regexp="^.*(get|GET).+(\\.flv|\\.mp4|netflix|\\.swf).*\$"
     
    #Setting up our address lists
    /ip firewall address-list
    add address=172.22.0.0/16 comment="" disabled=no list=internal-nets
    add address=1.1.1.0/29 comment="" disabled=no list=external-nets
    add address=2.2.2.0/24 comment="" disabled=no list=external-nets
    add address=172.22.0.5 comment="customer 1" disabled=no list=customer-servers
     
    #Mangle identifies our various portions of traffic
    /ip firewall mangle
    add action=mark-packet chain=prerouting comment="internal-traffic packet mark" dst-address-list=\
        internal-nets new-packet-mark=internal-traffic passthrough=no src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="customer-servers-out packet mark" new-packet-mark=\
        customer-servers-out passthrough=no src-address-list=customer-servers
    add action=mark-packet chain=prerouting comment="customer-servers-in packet mark" dst-address-list=\
        customer-servers new-packet-mark=customer-servers-in passthrough=no
    add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" in-interface=ether1 \
        new-packet-mark=admin-in passthrough=no protocol=udp src-port=53
    add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" dst-port=161 \
        in-interface=ether1 new-packet-mark=admin-in passthrough=no protocol=udp
    add action=mark-connection chain=prerouting comment="Remote Protocols admin connection mark" \
        new-connection-mark=admin port=20,21,22,23,3389,8291 protocol=tcp
    add action=mark-connection chain=prerouting comment="icmp connection mark as admin" \
        new-connection-mark=admin protocol=icmp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="admin-in packet mark" connection-mark=admin \
        in-interface=ether1 new-packet-mark=admin-in passthrough=no
    add action=mark-packet chain=prerouting comment="admin-out packet mark" connection-mark=admin \
        new-packet-mark=admin-out passthrough=no
    add action=mark-connection chain=prerouting comment="streaming video connection mark" dst-port=80 \
        layer7-protocol=video new-connection-mark=streaming-video protocol=tcp src-address-list=\
        internal-nets
    add action=mark-packet chain=prerouting comment="streaming video in packet mark" connection-mark=\
        streaming-video in-interface=ether1 new-packet-mark=streaming-video-in passthrough=no
    add action=mark-packet chain=prerouting comment="streaming video out packet mark" connection-mark=\
        streaming-video new-packet-mark=streaming-video-out passthrough=no
    add action=mark-connection chain=prerouting comment="http traffic connection mark" dst-port=80,443 \
        new-connection-mark=http protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="http traffic connection mark" \
        connection-bytes=5000000-4294967295 dst-port=80,443 new-connection-mark=http-download protocol=\
        tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="http in packet mark" connection-mark=http \
        in-interface=ether1 new-packet-mark=http-in passthrough=no
    add action=mark-packet chain=prerouting comment="http out packet mark" connection-mark=http \
        new-packet-mark=http-out passthrough=no
    add action=mark-connection chain=prerouting comment="wow connection mark as gaming" dst-port=\
        1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games protocol=tcp src-address-list=\
        internal-nets
    add action=mark-connection chain=prerouting comment="eve online connection mark as gaming" \
        dst-address=87.237.38.200 new-connection-mark=games src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="starcraft 2 connection mark as gaming" \
        dst-port=1119 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="heroes of newerth connection mark as gaming" \
        dst-port=11031,11235-11335 new-connection-mark=games protocol=tcp src-address-list=\
        internal-nets
    add action=mark-connection chain=prerouting comment="steam connection mark as gaming" dst-port=\
        27014-27050 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="xbox live connection mark as gaming" dst-port=\
        3074 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="ps3 online connection mark as gaming" dst-port=\
        5223 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-connection chain=prerouting comment="wii online connection mark as gaming" dst-port=\
        28910,29900,29901,29920 new-connection-mark=games protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="games packet mark forever-saken-game" \
        dst-address-list=external-nets new-packet-mark=games-in passthrough=no src-address-list=\
        forever-saken-game
    add action=mark-packet chain=prerouting comment="games packet mark wow" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=53,3724
    add action=mark-packet chain=prerouting comment="games packet mark starcraft2" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
    add action=mark-packet chain=prerouting comment="games packet mark HoN" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=11031,11235-11335
    add action=mark-packet chain=prerouting comment="games packet mark steam in" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no port=4380,28960,27000-27030 protocol=udp
    add action=mark-packet chain=prerouting comment="games packet mark steam out" dst-port=\
        53,1500,3005,3101,3478,4379-4380,27000-27030,28960 new-packet-mark=games-out \
        passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="games packet mark xbox live" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=88,3074,3544,4500
    add action=mark-packet chain=prerouting comment="games packet mark ps3 online" dst-address-list=\
        external-nets new-packet-mark=games-in passthrough=no protocol=udp src-port=3478,3479,3658
    add action=mark-packet chain=prerouting comment="games packet mark in" connection-mark=games \
        dst-address-list=external-nets new-packet-mark=games-in passthrough=no
    add action=mark-packet chain=prerouting comment="games packet mark out" connection-mark=games \
        new-packet-mark=games-out passthrough=no
    add action=mark-packet chain=prerouting comment="voip-in packet mark teamspeak" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
    add action=mark-packet chain=prerouting comment="voip-out packet mark teamspeak" dst-port=9987 \
        new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
    add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 \
        new-packet-mark=voip-out passthrough=no protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark ventrilo" dst-address-list=\
        external-nets new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
    add action=mark-packet chain=prerouting comment="voip-out packet mark ventrilo" dst-port=3784 \
        new-packet-mark=voip-out passthrough=no protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" dst-address-list=\
        internal-nets new-packet-mark=voip-in passthrough=no port=5060 protocol=tcp
    add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" new-packet-mark=voip-out \
        passthrough=no port=5060 protocol=tcp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" dst-address-list=\
        internal-nets new-packet-mark=voip-in passthrough=no port=5004,5060 protocol=udp
    add action=mark-packet chain=prerouting comment="voip-out packet mark udp SIP" new-packet-mark=\
        voip-out passthrough=no port=5004,5060 protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" dst-address-list=\
        internal-nets new-packet-mark=voip-in packet-size=100-400 passthrough=no port=16348-32768 \
        protocol=udp
    add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-out \
        packet-size=100-400 passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
    add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=gre
    add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" new-packet-mark=vpn-out \
        passthrough=no protocol=gre
    add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=ipsec-esp
    add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" new-packet-mark=vpn-out \
        passthrough=no protocol=ipsec-esp
    add action=mark-packet chain=prerouting comment="vpn-in packet mark VPN UDP ports" in-interface=\
        ether1 new-packet-mark=vpn-in passthrough=no protocol=udp src-port=500,1701,4500
    add action=mark-packet chain=prerouting comment="vpn-out packet mark VPN UDP ports" \
        new-packet-mark=vpn-out passthrough=no protocol=udp src-port=500,1701,4500
    add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" in-interface=ether1 \
        new-packet-mark=vpn-in passthrough=no protocol=tcp src-port=1723
    add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" new-packet-mark=vpn-out \
        passthrough=no protocol=tcp src-port=1723
    add action=mark-packet chain=prerouting comment="all in" in-interface=ether1 new-packet-mark=in \
        passthrough=no
    add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out passthrough=no
     
    #We now start setting up our queues
    /queue type
    add kind=pfifo name=streaming-video-in pfifo-limit=500
    add kind=pcq name=games-in-pcq pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 \
        pcq-limit=50 pcq-rate=100k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=750000
    /queue tree
    add max-limit=10M name=in parent=global queue=default
    add max-limit=10M name=out parent=global queue=default
    add limit-at=3M max-limit=10M name=http-in packet-mark=http-in parent=in priority=4 queue=default
    add limit-at=4M max-limit=10M name=streaming-video-in packet-mark=streaming-video-in parent=in \
        priority=3 queue=streaming-video-in
    add limit-at=500k max-limit=10M name=gaming-in packet-mark=games-in parent=in priority=2 queue=\
        games-in-pcq
    add max-limit=10M name=download-in packet-mark=in parent=in queue=default
    add max-limit=10M name=upload-out packet-mark=out parent=out queue=default
    add limit-at=500k max-limit=10M name=gaming-out packet-mark=games-out parent=out priority=2 queue=\
        default
    add limit-at=3M max-limit=10M name=http-out packet-mark=http-out parent=out priority=4 queue=default
    add limit-at=4M max-limit=10M name=streaming-video-out packet-mark=streaming-video-out parent=out \
        priority=3 queue=default
    add limit-at=1M max-limit=10M name=customer-servers-in packet-mark=customer-servers-in parent=in \
        priority=1 queue=default
    add limit-at=1M max-limit=10M name=customer-servers-out packet-mark=customer-servers-out parent=out \
        priority=1 queue=default
    add limit-at=500k max-limit=10M name=voip-in packet-mark=voip-in parent=in priority=1 queue=default
    add limit-at=500k max-limit=10M name=vpn-in packet-mark=vpn-in parent=in priority=2 queue=default
    add limit-at=500k max-limit=10M name=voip-out packet-mark=voip-out parent=out priority=1 queue=\
        default
    add limit-at=500k max-limit=10M name=vpn-out packet-mark=vpn-out parent=out priority=2 queue=default
    add limit-at=500k max-limit=10M name=admin-in packet-mark=admin-in parent=in priority=1 queue=default
    add limit-at=500k max-limit=10M name=admin-out packet-mark=admin-out parent=out priority=1 queue=\
        default

    I’m a fan of queue trees. I like them because they are easy to read, and (in version 6) they let you use simple queues alongside them without issue.

    Remember that QoS doesn’t reorder packets; it simply gives preference to certain marked traffic. Also, QoS has zero effect on your traffic until you are actually congested: until the matched traffic hits that “max-limit”, the queue doesn’t do anything.
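
    Everything in a setup like this hinges on the mark names lining up between /ip firewall mangle and /queue tree, and in a long list of near-identical rules it is easy to reference a mark no rule produces, or to put the wrong direction on a copy-pasted rule. The following checker is an added example, not part of the script above; it parses a small constructed export in the same backslash-continued syntax and reports marks that don’t line up.

```python
import re

# Constructed sample in RouterOS export style (not the page's full script): two mangle
# rules and a small queue tree; the second rule's comment says "voip-out" but it marks voip-in.
SAMPLE_EXPORT = r"""
/ip firewall mangle
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" dst-address-list=\
    internal-nets new-packet-mark=voip-in passthrough=no port=16348-32768 protocol=udp
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" new-packet-mark=voip-in \
    passthrough=no port=16348-32768 protocol=udp src-address-list=internal-nets
/queue tree
add max-limit=10M name=in parent=global queue=default
add max-limit=10M name=out parent=global queue=default
add limit-at=500k max-limit=10M name=voip-in packet-mark=voip-in parent=in priority=1 queue=default
add limit-at=500k max-limit=10M name=voip-out packet-mark=voip-out parent=out priority=1 queue=\
    default
"""
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value, value may be a quoted comment


def parse_export(text):
    """Join backslash-continued lines; return (section, properties) for every 'add' line."""
    rules, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):  # continuation: the value resumes on the next line
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            rules.append((section, {k: v.strip('"') for k, v in KV.findall(line)}))
    return rules


def check_marks(text):
    """List packet-mark names that do not line up between mangle and the queue tree."""
    rules = parse_export(text)
    mangle = [p for s, p in rules if s == "/ip firewall mangle" and "new-packet-mark" in p]
    produced = {p["new-packet-mark"] for p in mangle}
    queued = {p["packet-mark"] for s, p in rules if s == "/queue tree" and "packet-mark" in p}
    findings = [f"queue tree uses packet-mark '{m}' that no mangle rule produces"
                for m in sorted(queued - produced)]
    findings += [f"mangle produces packet-mark '{m}' that no queue tree entry consumes"
                 for m in sorted(produced - queued)]
    for p in mangle:  # direction slip: comment announces "<svc>-out" but the mark says "-in"
        tag, mark = p.get("comment", "").split(" ")[0], p["new-packet-mark"]
        if tag.endswith(("-in", "-out")) and tag.rsplit("-", 1)[1] != mark.rsplit("-", 1)[-1]:
            findings.append(f"rule '{p['comment']}' sets new-packet-mark={mark}")
    return findings
```

    Run it against a full `/export` of the router and an empty list means every queue has a feeder rule and every mark has a queue; the direction check only looks at comments that follow the “<service>-in” / “<service>-out” naming used above.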

    There are some additional modifications you can make, like setting up a PCQ on the streaming video queue. This lets you limit individual customers so they can only stream at certain resolutions (this can be a life saver).

    I’ve noticed that around 70% or better of all traffic is streaming video, so be sure to pay special attention to it.

    I’m hastily throwing this up here, so I’ll come back and add some additional notes and supporting material…at some point. Until then, if you have some additional services/L7 I should add, drop me a comment and I’ll update the doc.

    If you enjoy the script, take a few seconds to drop me a comment.

    Sep 19 / Greg

    USA MUM 2013 New Products

    Some of this might not be brand new, but it was new to me, so shut it. Sorry for the terrible pics…they were on my cell and the projector is pretty terrible.

    Groove52

  • 2 or 5 GHz, software selectable in a single unit – SDR much?
  • Shipping with an omni antenna

    CCR1036-8G-2S+

  • 2 SFP+
  • 8 gigabit Ethernet
  • 16 GB RAM (+EM model)
  • 42 million pps
  • 28 Gb max
  • This is their new flagship. Now with 10 gig interfaces they have upped chassis throughput.

    R11e-2HnD

  • 2 GHz card
  • 800 mW power

    R11e-HPnD

  • made for the miniPCI slot on the RB912
  • 2 and 5 GHz modules
  • 1000 mW
  • New Atheros chipset

    RB14e

  • PCI Express card with 4 miniPCI slots for your x86 box

    RB14eU

  • same, but with SIM card slots and USB ports

    SXT HG

  • 17 dBi higher-gain antenna
  • new design
  • 1000 mW
  • gigabit port
  • 5 GHz

    QRT G

  • flat panel
  • 17 dBi
  • gigabit Ethernet
  • custom RB inside
  • high-power radio

    Cloud Router Switch (CRS)

  • Built-in wireless on some units
  • SFP
  • LCD
  • desktop and rackmount
  • 24 gigabit ports
  • RouterOS

    CCR1009

  • 9 cores
  • 8 gigabit ports
  • 1 SFP
  • 1 SFP+
  • touchscreen LCD
  • Price price price. What is the price on this unit going to be? I think this unit will be moving fast. I can see this being the new de facto border router. I can see this in place of several of my x86 boxes.

    RB953GS-5HnT

  • new Atheros Scorpion CPU
  • 3 gigabit ports
  • 2 SFPs
  • 3-chain 5 GHz card
  • 2 miniPCIe slots
  • Talking with Mike on this one: now that they have the all-SFP routers and this AP has 2 SFP ports, you can do all of your cabling via fiber…the only copper will be for power. We talked about having two SFP routers at the base, each with a backhaul, then each sector being a 953 with an SFP going into each router. This would be just about as much redundancy as you could build in…short of adding extra sectors.

    mAP

  • PoE injector with a built-in 2 GHz AP
  • micro USB for a modem or for providing power – you can run it as an AP just off USB power
  • station or AP
  • 802.3af compliant
  • passive PoE out. This means you can power it via PoE and it will pass that PoE out of the secondary port.
  • Ethernet ports are switched, so passing traffic doesn’t affect the CPU
  • end of year
  • This looks like the Ubiquiti airGateway, but with a few more options. I have confirmed that it DOES run full ROS. It has a very small CPU, so you can’t get too crazy, but it sounds fun.

    CCR1016-12S-1S+

  • 12 SFP ports
  • 1 SFP+
  • touchscreen LCD
  • 16-core Tilera
  • This is veeeery interesting. I can see doing plenty of switch aggregation with this unit. Since it only has 16 cores it should come in at a slightly lower price. I imagine plugging in plenty of user switches and backhauling via 10Gb back to the core.

    Sep 9 / Greg

    Installing Rancid on CentOS

    I actually installed Rancid on my newest CactiEZ install. Rancid is a device configuration backup service. To view the CVS files that are created I used CVSweb.

    I started with this tutorial to install Rancid on CentOS…an extremely useful tutorial.

    Once this was working I pulled the newest files from the CVSweb site and dropped them into the “/var/www/cgi-bin/” folder.

    A quick tip: each time you edit the cvsweb config file, be sure to restart your Apache service (service httpd restart).

    Another note: the rlog binary isn’t installed at this point. The quickest method is to install rcs with a simple “yum install rcs”.

    Have fun my friends 🙂