Fasttrack Firewall

Uploaded by Jhotam Mamparair

Fasttrack Firewall Filter Rules for Prioritizing Typical Connection Packets

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=5060,5061 protocol=udp comment="Bypass Voip UDP SIP"
add action=fasttrack-connection chain=forward connection-state=established,related dst-address=xxx.xxx.xxx.xxx dst-port=10000-20000 protocol=udp comment="Bypass Voip UDP RTP"
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=4569,5036 protocol=udp comment="Bypass Voip UDP IAX"
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=5060,5061 protocol=tcp comment="Bypass Voip TCP SIP"

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=14009,14010,14017,14019,14024,14025,14042,14113,14120 protocol=udp comment="UDP PORT LOSTSAGA I"
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=14245,14263,15494,21530,22317,22561,26019,30146,32629,45693 protocol=udp comment="UDP PORT LOSTSAGA II"
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=9000,14009,14010,61031,61034,61035,61037,61046,61047,61048,61049,61051,61058 protocol=tcp comment="TCP PORT LOSTSAGA"

Still in the firewall filter rules, let's complete the router's rule set with router protection and client protection, so that traffic we don't want is dropped. For more explanation please visit wiki.mikrotik.com.

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=!ether1-internet src-address=192.168.88.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=forward comment="allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
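
To see how these chains actually dispose of a packet, here is an added Python model of the rule walk. It is not code from the page or from MikroTik; it implements first-match evaluation, the jump into the tcp/udp user chains and the return to the next forward rule when a user chain runs out, and the implicit accept at the end of a built-in chain. The rule list is a constructed subset of the rules above (the `src-address`, `in-interface` and port values are the page's; the packet addresses are constructed). It makes visible a point the rule set itself does not state: a new connection to TCP 445 is dropped inside the tcp chain, but a new connection to TCP 80 falls out of the tcp chain and is accepted by the forward chain's default, because forward, unlike input, has no final "drop everything else" rule.

```python
import ipaddress

# Constructed subset of the page's filter rules, keyed by RouterOS property names.
# Order matters: rules are evaluated top to bottom, first terminating match wins.
RULES = [
    {"chain": "input", "action": "drop", "connection-state": "invalid"},
    {"chain": "input", "action": "accept", "connection-state": "established"},
    {"chain": "input", "action": "accept", "protocol": "icmp"},
    {"chain": "input", "action": "accept", "in-interface": "!ether1-internet",
     "src-address": "192.168.88.0/24"},
    {"chain": "input", "action": "drop"},                      # "Drop everything else"
    {"chain": "forward", "action": "drop", "connection-state": "invalid", "protocol": "tcp"},
    {"chain": "forward", "action": "accept", "connection-state": "established"},
    {"chain": "forward", "action": "accept", "connection-state": "related"},
    {"chain": "forward", "action": "drop", "src-address": "127.0.0.0/8"},
    {"chain": "forward", "action": "drop", "dst-address": "224.0.0.0/3"},
    {"chain": "forward", "action": "jump", "jump-target": "tcp", "protocol": "tcp"},
    {"chain": "forward", "action": "jump", "jump-target": "udp", "protocol": "udp"},
    {"chain": "tcp", "action": "drop", "dst-port": "137-139", "protocol": "tcp"},   # NBT
    {"chain": "tcp", "action": "drop", "dst-port": "445", "protocol": "tcp"},       # CIFS
    {"chain": "udp", "action": "drop", "dst-port": "69", "protocol": "udp"},        # TFTP
]

BUILTIN_CHAINS = ("input", "forward", "output")


def make_packet(protocol, src, dst, dst_port=0, state="new", in_iface="ether2"):
    """Constructed packet summary holding only the fields the matchers look at."""
    return {"protocol": protocol, "src": src, "dst": dst,
            "dst_port": dst_port, "state": state, "in_iface": in_iface}


def port_matches(spec, port):
    """dst-port accepts comma lists and lo-hi ranges, e.g. "5060,5061" or "137-139"."""
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def rule_matches(rule, pkt):
    if "protocol" in rule and pkt["protocol"] != rule["protocol"]:
        return False
    if "dst-port" in rule and not port_matches(rule["dst-port"], pkt["dst_port"]):
        return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    if "in-interface" in rule:
        want = rule["in-interface"]
        negated = want.startswith("!")
        # with a leading "!" the rule matches every interface except the named one
        if (pkt["in_iface"] == want.lstrip("!")) == negated:
            return False
    for key, field in (("src-address", "src"), ("dst-address", "dst")):
        if key in rule and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(rule[key]):
            return False
    return True


def evaluate(pkt, chain, rules=RULES):
    """Walk one chain top to bottom. A jump descends into the target chain; if that
    chain ends without a terminating action, control returns to the next rule here.
    A built-in chain that runs out of rules accepts (the default policy); a user
    chain that runs out returns None so its caller continues."""
    for rule in (r for r in rules if r["chain"] == chain):
        if not rule_matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = evaluate(pkt, rule["jump-target"], rules)
            if verdict is not None:
                return verdict
            continue
        return rule["action"]
    return "accept" if chain in BUILTIN_CHAINS else None


if __name__ == "__main__":
    lan, srv = "192.168.88.10", "10.0.0.5"       # constructed addresses
    wan = make_packet("tcp", "203.0.113.9", "198.51.100.1", 8291, in_iface="ether1-internet")
    for label, pkt, chain in [
        ("LAN -> CIFS/445", make_packet("tcp", lan, srv, 445), "forward"),
        ("LAN -> HTTP/80", make_packet("tcp", lan, srv, 80), "forward"),
        ("LAN -> TFTP/69", make_packet("udp", lan, srv, 69), "forward"),
        ("LAN -> router via ether2", make_packet("tcp", lan, "192.168.88.1", 8291), "input"),
        ("WAN -> router via ether1-internet", wan, "input"),
    ]:
        print(f"{label:36s} {chain:8s} -> {evaluate(pkt, chain)}")
```

Run it as a script to print the verdict for each constructed packet. The model is deliberately narrow: it knows nothing about fasttrack, the icmp chain or address lists, and it treats a user chain that runs out of rules as "return", which is the behaviour the forward chain above relies on.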

Mark Connection Packets for Upload and Download Based on Connection Bytes

We are going to mark the connection packets for total upload and download as usual. These rules do not affect the fasttrack-connection rules we have just created above, since fasttracked packets skip the mangle chain. After that we create packet marks based on the byte size of the connection.

Assume that clients download files of different sizes. We don't want a client who downloads a large file to consume most of the spare bandwidth we have, so the plan is that such connections get a lower priority and their speed is reduced. Of course this is not just for file downloads; it applies to all connections, based on their byte size. OK, let's see the rules below!

/ip firewall mangle
add action=mark-connection chain=forward in-interface=ether1-internet new-connection-mark=dconn-isp comment="ISP DOWNSTREAM"
add action=mark-packet chain=forward connection-mark=dconn-isp new-packet-mark=dpkt-isp comment="Packets Total Downstream"
add action=mark-packet chain=forward connection-bytes=0-1000000 new-packet-mark=dpkt-light-isp packet-mark=dpkt-isp passthrough=no comment="Packets Less Than 1000000"
add action=mark-packet chain=forward connection-bytes=1000000-3000000 new-packet-mark=dpkt-fair-isp packet-mark=dpkt-isp passthrough=no comment="Packets 1000001-3000000"
add action=mark-packet chain=forward connection-bytes=3000000-6000000 new-packet-mark=dpkt-weight-isp packet-mark=dpkt-isp passthrough=no comment="Packets 3000001-6000000"
add action=mark-packet chain=forward connection-bytes=6000000-0 new-packet-mark=dpkt-very-isp packet-mark=dpkt-isp passthrough=no comment="Packets more than 6000000"
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=uconn-isp out-interface=ether1-internet comment="ISP UPSTREAM"
add action=mark-packet chain=forward connection-mark=uconn-isp new-packet-mark=upkt-isp comment="Packets Total Upstream"

/ip firewall mangle
add action=mark-connection chain=forward in-interface=ether1 new-connection-mark=dconn-isp comment="ISP DOWNSTREAM"
add action=mark-packet chain=forward connection-mark=dconn-isp new-packet-mark=dpkt-isp comment="Packets Total Downstream"
add action=mark-packet chain=forward connection-bytes=0-1000000 new-packet-mark=dpkt-light-isp packet-mark=dpkt-isp passthrough=no comment="Packets Less Than 1000000"
add action=mark-packet chain=forward connection-bytes=1000000-3000000 new-packet-mark=dpkt-fair-isp packet-mark=dpkt-isp passthrough=no comment="Packets 1000001-3000000"
add action=mark-packet chain=forward connection-bytes=3000000-6000000 new-packet-mark=dpkt-weight-isp packet-mark=dpkt-isp passthrough=no comment="Packets 3000001-6000000"
add action=mark-packet chain=forward connection-bytes=6000000-0 new-packet-mark=dpkt-very-isp packet-mark=dpkt-isp passthrough=no comment="Packets more than 6000000"
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=uconn-isp out-interface=ether1 comment="ISP UPSTREAM"
add action=mark-packet chain=forward connection-mark=uconn-isp new-packet-mark=upkt-isp comment="Packets Total Upstream"

/ip firewall mangle
add action=mark-connection chain=forward in-interface=ether2 new-connection-mark=dconn-isp comment="ISP DOWNSTREAM"
add action=mark-packet chain=forward connection-mark=dconn-isp new-packet-mark=dpkt-isp comment="Packets Total Downstream"
add action=mark-packet chain=forward connection-bytes=0-1000000 new-packet-mark=dpkt-light-isp packet-mark=dpkt-isp passthrough=no comment="Packets Less Than 1000000"
add action=mark-packet chain=forward connection-bytes=1000000-3000000 new-packet-mark=dpkt-fair-isp packet-mark=dpkt-isp passthrough=no comment="Packets 1000001-3000000"
add action=mark-packet chain=forward connection-bytes=3000000-6000000 new-packet-mark=dpkt-weight-isp packet-mark=dpkt-isp passthrough=no comment="Packets 3000001-6000000"
add action=mark-packet chain=forward connection-bytes=6000000-0 new-packet-mark=dpkt-very-isp packet-mark=dpkt-isp passthrough=no comment="Packets more than 6000000"
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=uconn-isp out-interface=ether2 comment="ISP UPSTREAM"
add action=mark-packet chain=forward connection-mark=uconn-isp new-packet-mark=upkt-isp comment="Packets Total Upstream"

The mangle rules above first separate connection packets into download and upload, then split the download packets by how many bytes their connection has transferred: less than 1M, 1-3M, 3-6M, and more than 6M. Because each size rule matches packet-mark=dpkt-isp with passthrough=no, the first range that fits wins and the packet keeps that class mark.

Queue Tree with PCQ to Manage Priority and Speed Limitation

Assuming we have a total bandwidth of 20M, we want to spread the internet connection equally among all clients using PCQ, with one queue for each packet byte-size class defined in the mangle rules. In this case I use pcq-download-default and pcq-upload-default. Change the total PCQ limit as you like, or create a new PCQ queue type and use it in the queue tree.

/queue tree
add max-limit=20M name=Downsteam-ISP packet-mark=dpkt-isp parent=global queue=pcq-download-default
add limit-at=1M max-limit=20M name=1.light-isp packet-mark=dpkt-light-isp parent=Downsteam-ISP priority=1 queue=pcq-download-default
add limit-at=1M max-limit=10M name=2.fair-isp packet-mark=dpkt-fair-isp parent=Downsteam-ISP priority=2 queue=pcq-download-default
add limit-at=1M max-limit=5M name=3.weight-isp packet-mark=dpkt-weight-isp parent=Downsteam-ISP priority=3 queue=pcq-download-default
add limit-at=1M max-limit=1M name=4.very-isp packet-mark=dpkt-very-isp parent=Downsteam-ISP priority=4 queue=pcq-download-default
add max-limit=20M name=Upsteam-ISP packet-mark=upkt-isp parent=global queue=pcq-upload-default
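
The mangle size classes and the queue tree only work as a pair: every leaf queue must be fed by a packet mark that some mangle rule actually produces, and the children's limit-at guarantees must fit inside the parent's max-limit. The following added Python model (not code from the page or from MikroTik) transcribes the page's download-side connection-bytes rules and its queue tree, reproduces the first-match / passthrough=no classification, and runs those two consistency checks, including on a deliberately misspelled copy of the tree. It assumes connection-bytes ranges are inclusive at both ends and that "6000000-0" means no upper bound, and it does not simulate PCQ's per-address sharing inside a leaf.

```python
from dataclasses import dataclass, replace

# Constructed model of the page's download-side mangle rules as (lo, hi, mark), in
# rule order. hi == 0 mirrors the page's "connection-bytes=6000000-0", i.e. no
# upper bound. Both ends are treated as inclusive (assumption).
BYTE_CLASSES = [
    (0, 1_000_000, "dpkt-light-isp"),
    (1_000_000, 3_000_000, "dpkt-fair-isp"),
    (3_000_000, 6_000_000, "dpkt-weight-isp"),
    (6_000_000, 0, "dpkt-very-isp"),
]

# Every packet mark the mangle rules on the page can produce.
MANGLE_MARKS = {"dpkt-isp", "upkt-isp"} | {mark for _, _, mark in BYTE_CLASSES}


def classify_download(connection_bytes):
    """Packet mark a download packet ends up with. All four size rules match
    packet-mark=dpkt-isp and use passthrough=no, so the first range containing
    the connection's byte count wins and the later rules never run."""
    for lo, hi, mark in BYTE_CLASSES:
        if connection_bytes >= lo and (hi == 0 or connection_bytes <= hi):
            return mark
    return "dpkt-isp"   # unreachable with the page's ranges, which cover 0 upwards


@dataclass(frozen=True)
class Queue:
    name: str
    parent: str
    packet_mark: str
    max_limit: int        # Mbit/s, as written on the page (20M, 10M, ...)
    limit_at: int = 0     # Mbit/s guaranteed to this queue
    priority: int = 8     # RouterOS default; 1 is the highest priority


# The page's queue tree transcribed into the dataclass above.
QUEUE_TREE = [
    Queue("Downsteam-ISP", "global", "dpkt-isp", 20),
    Queue("1.light-isp", "Downsteam-ISP", "dpkt-light-isp", 20, 1, 1),
    Queue("2.fair-isp", "Downsteam-ISP", "dpkt-fair-isp", 10, 1, 2),
    Queue("3.weight-isp", "Downsteam-ISP", "dpkt-weight-isp", 5, 1, 3),
    Queue("4.very-isp", "Downsteam-ISP", "dpkt-very-isp", 1, 1, 4),
    Queue("Upsteam-ISP", "global", "upkt-isp", 20),
]


def leaves(tree=QUEUE_TREE):
    """Queues with no children; only these capture packets by mark."""
    parents = {q.parent for q in tree}
    return [q for q in tree if q.name not in parents]


def queue_for_download(connection_bytes, tree=QUEUE_TREE):
    """Leaf queue a download packet lands in once its connection has moved this many bytes."""
    mark = classify_download(connection_bytes)
    return next((q for q in leaves(tree) if q.packet_mark == mark), None)


def unproduced_marks(tree=QUEUE_TREE, marks=MANGLE_MARKS):
    """Leaf queues whose packet-mark no mangle rule sets: traffic never reaches them."""
    return [q.name for q in leaves(tree) if q.packet_mark not in marks]


def limit_at_overcommit(tree=QUEUE_TREE):
    """Parents whose children's limit-at guarantees add up to more than the parent's max-limit."""
    return [p.name for p in tree
            if sum(q.limit_at for q in tree if q.parent == p.name) > p.max_limit]


def rename_mark(tree, queue_name, new_mark):
    """Copy of the tree with one queue's packet-mark changed, to try the checks on a typo."""
    return [replace(q, packet_mark=new_mark) if q.name == queue_name else q for q in tree]


if __name__ == "__main__":
    for transferred in (200_000, 1_000_000, 2_500_000, 4_000_000, 50_000_000):
        q = queue_for_download(transferred)
        print(f"{transferred:>10} bytes -> {q.packet_mark:16s} queue {q.name:13s} "
              f"max-limit {q.max_limit}M priority {q.priority}")
    print("leaves with no producer:", unproduced_marks())
    print("overcommitted parents:  ", limit_at_overcommit())
    print("same check with a typo: ",
          unproduced_marks(rename_mark(QUEUE_TREE, "4.very-isp", "dpkt-verry-isp")))
```

Run as a script it prints which leaf each connection size falls into, then the results of both checks. The typo case shows why the mark check is worth keeping next to any edit of these rules: a leaf whose packet-mark nothing produces silently carries no traffic, and the packets meant for it stay in whatever class they were marked with instead.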

So that's all about the Effective Way of Bandwidth Management with Fasttrack Firewall Filter. I hope it can be useful, and for a clearer picture, let's see the video below! Happy exploring!
