FPI - Fórum para Provedores de Internet
MikroTik v6 QoS in bridge mode, all spelled out.


Alan.Miranda
Colaborador Iniciante (Beginner Contributor)

Hello, friends of FPI Brasil!!!

I will leave this topic here with some QoS rules for MikroTik version 6 in bridge mode.

First you create a bridge on your RB and add all the ports to it; then you go to Bridge Settings and enable USE IP FIREWALL. With that you allow the bridge to mark packets, which makes it possible to control them. Don't forget to give the bridge an IP address so you can reach it.

How and why should you use it?

After your dedicated link, or after your load balancer, traffic prioritization serves to set aside bandwidth for specific services.

Below are my markings for a 250 Mbps link.

# Bridge that carries every port. The post says to also assign it an IP address
# for management (/ip address); that line is not part of the original config.
/interface bridge
add name=firewall_bridge

# Turn off MNDP/CDP/LLDP neighbor discovery on the physical ports (ether1-ether10 only).
/ip neighbor discovery
set ether1 discover=no
set ether2 discover=no
set ether3 discover=no
set ether4 discover=no
set ether5 discover=no
set ether6 discover=no
set ether7 discover=no
set ether8 discover=no
set ether9 discover=no
set ether10 discover=no

# Put every port (ether1-ether13) in the bridge.
/interface bridge port
add bridge=firewall_bridge interface=ether1
add bridge=firewall_bridge interface=ether2
add bridge=firewall_bridge interface=ether3
add bridge=firewall_bridge interface=ether4
add bridge=firewall_bridge interface=ether5
add bridge=firewall_bridge interface=ether6
add bridge=firewall_bridge interface=ether7
add bridge=firewall_bridge interface=ether8
add bridge=firewall_bridge interface=ether9
add bridge=firewall_bridge interface=ether10
add bridge=firewall_bridge interface=ether11
add bridge=firewall_bridge interface=ether12
add bridge=firewall_bridge interface=ether13

# Required for everything below: without it, bridged traffic never passes through
# /ip firewall filter or mangle, so no packet would be filtered or marked.
/interface bridge settings
set use-ip-firewall=yes

# No ICMP redirects; SYN cookies protect the router's own TCP listeners.
/ip settings
set secure-redirects=no send-redirects=no tcp-syncookies=yes

/ip dns
set max-udp-packet-size=10096 servers=200.219.150.5,200.219.150.4

# Filter rules written without action= use the default action, accept.
/ip firewall filter
add chain=forward comment="Accept DNS (any UDP with source port 53)" protocol=udp src-port=53
add chain=forward comment="Accept DNS (UDP to port 53)" dst-port=53 protocol=udp
add chain=forward comment="Allowed TCP ports (all forwarded TCP is accepted)" protocol=tcp
add chain=forward comment="Allow established connections" connection-state=established
add chain=input comment="Keep established connections to the router" connection-state=established
add action=drop chain=input comment="Block invalid connections" connection-state=invalid
# Port-scan detection on the router itself: offenders go to the "port scanners" list
# for two weeks and are then dropped by the rule after the detectors.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop port scanners" src-address-list="port scanners"
# More than 10 concurrent TCP connections to the router from one /32 puts the source
# on blocked-addr for a day; listed sources are then tarpitted instead of answered.
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=input comment="DoS attack protection" connection-limit=10,32 protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp src-address-list=blocked-addr
add action=drop chain=input comment="Block attacks on the router" dst-port=21-25,53,80,110,161,953,1812,1813,8080 protocol=tcp

# QoS marking: the first packet of a TCP connection sets a connection mark, then
# every packet of that connection gets a packet mark for the queues below.
# passthrough=no means a packet stops at the first mark-packet rule that matches.
# All mark-connection rules here match protocol=tcp only.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="QoS https" dst-port=443 new-connection-mark=conn_https protocol=tcp
add action=mark-packet chain=prerouting connection-mark=conn_https new-packet-mark=pc-https passthrough=no
add action=mark-connection chain=prerouting comment="QoS http" dst-port=80 new-connection-mark=conn_http protocol=tcp
add action=mark-packet chain=prerouting connection-mark=conn_http new-packet-mark=pc-http passthrough=no
add action=mark-connection chain=prerouting comment="QoS p2p" new-connection-mark=conn_p2p p2p=all-p2p protocol=tcp
add action=mark-packet chain=prerouting connection-mark=conn_p2p new-packet-mark=pc-p2p passthrough=no
add action=mark-connection chain=prerouting comment="QoS remaining connections" new-connection-mark=conexaorestantes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=conexaorestantes new-packet-mark=pc-conexaorestantes passthrough=no

# Simple queues keyed on the packet marks. limit-at is the guaranteed rate
# (upload/download) and max-limit the ceiling; priority 1 is highest, 8 the default
# (the p2p queue has no priority set, so it gets 8). Guaranteed rates add up to
# 170M + 65M + 5M + 5M = 245M of the 250M link.
/queue simple
add limit-at=170M/170M max-limit=170M/170M name=https packet-marks=pc-https priority=1/1 target=0.0.0.0/0
add limit-at=65M/65M max-limit=65M/65M name=http packet-marks=pc-http priority=1/1 target=0.0.0.0/0
add limit-at=5M/5M max-limit=5M/5M name=p2p packet-marks=pc-p2p target=0.0.0.0/0
add limit-at=5M/5M max-limit=5M/5M name=conexao-restantes packet-marks=pc-conexaorestantes priority=7/7 target=0.0.0.0/0



Last edited by Alan.Miranda on Wed 5 Aug - 22:02, edited 2 time(s) (Reason for edit: sharing knowledge!!!)
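The setup in the post only works when three things line up: `use-ip-firewall=yes` on the bridge (otherwise bridged frames never reach `/ip firewall mangle`), every packet mark a simple queue references being produced by a mark-packet rule whose connection mark is itself set by a mark-connection rule, and the guaranteed rates (`limit-at`) adding up to no more than the link. The linter below is an added example, not part of the original post and not a MikroTik tool: it parses RouterOS v6 `/export`-style text and reports each of those mismatches, plus a catch-all mark-connection rule that is restricted to one protocol (traffic of other protocols then stays unmarked and bypasses the queues). The sample export is constructed for the example; it mirrors the layout of the post's config and adds a `voip` queue whose mark nothing produces so the checks have something to find. `parse_export`, `parse_rate` and `lint` are names chosen here.

```python
"""Lint a RouterOS v6 export for bridge-mode QoS consistency (added example)."""
import shlex

# Constructed sample in /export style: same shape as the post's config, plus a
# 'voip' queue whose packet mark no mangle rule produces.
SAMPLE_EXPORT = """
/interface bridge settings
set use-ip-firewall=yes
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Qos https" dst-port=443 new-connection-mark=conn_https protocol=tcp
add action=mark-packet chain=prerouting connection-mark=conn_https new-packet-mark=pc-https passthrough=no
add action=mark-connection chain=prerouting comment="Qos http" dst-port=80 new-connection-mark=conn_http protocol=tcp
add action=mark-packet chain=prerouting connection-mark=conn_http new-packet-mark=pc-http passthrough=no
add action=mark-connection chain=prerouting comment="Qos p2p" new-connection-mark=conn_p2p p2p=all-p2p protocol=tcp
add action=mark-packet chain=prerouting connection-mark=conn_p2p new-packet-mark=pc-p2p passthrough=no
add action=mark-connection chain=prerouting comment="Qos rest" new-connection-mark=conn_rest protocol=tcp
add action=mark-packet chain=prerouting connection-mark=conn_rest new-packet-mark=pc-rest passthrough=no
/queue simple
add limit-at=170M/170M max-limit=170M/170M name=https packet-marks=pc-https priority=1/1 target=0.0.0.0/0
add limit-at=65M/65M max-limit=65M/65M name=http packet-marks=pc-http priority=1/1 target=0.0.0.0/0
add limit-at=5M/5M max-limit=5M/5M name=p2p packet-marks=pc-p2p target=0.0.0.0/0
add limit-at=5M/5M max-limit=5M/5M name=rest packet-marks=pc-rest priority=7/7 target=0.0.0.0/0
add limit-at=10M/10M max-limit=10M/10M name=voip packet-marks=pc-voip priority=1/1 target=0.0.0.0/0
"""

MANGLE, QUEUES, BRIDGE = "/ip firewall mangle", "/queue simple", "/interface bridge settings"
# Keys that are not traffic matchers; a mark-connection rule with only these is a catch-all.
NON_MATCHERS = {"_cmd", "action", "chain", "comment", "new-connection-mark",
                "passthrough", "protocol", "disabled"}
RATE_UNIT = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9}


def parse_export(text):
    """Map each '/section' header to its list of {key: value} entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)          # honours comment="quoted value"
        if current is None or not tokens:
            continue
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections


def parse_rate(rate):
    """'170M' -> 170000000 bits per second (RouterOS k/M/G suffixes)."""
    digits = rate.rstrip("kMG")
    return int(float(digits) * RATE_UNIT[rate[len(digits):]])


def lint(cfg, link_bps):
    """Return human-readable findings for the bridge/mangle/queue combination."""
    findings = []
    if not any(e.get("use-ip-firewall") == "yes" for e in cfg.get(BRIDGE, [])):
        findings.append("bridge: use-ip-firewall is not 'yes'; bridged traffic never "
                        "reaches /ip firewall mangle, so nothing gets marked")
    mangle = [e for e in cfg.get(MANGLE, []) if e.get("disabled") != "yes"]
    conn_marks = {e.get("new-connection-mark") for e in mangle if e.get("action") == "mark-connection"}
    pkt_marks = {e.get("new-packet-mark") for e in mangle if e.get("action") == "mark-packet"}
    for e in mangle:
        if e.get("action") == "mark-packet" and e.get("connection-mark") not in conn_marks:
            findings.append(f"mangle: mark-packet uses connection-mark '{e.get('connection-mark')}' "
                            "that no mark-connection rule sets")
    catch_alls = [e for e in mangle if e.get("action") == "mark-connection" and set(e) <= NON_MATCHERS]
    if not catch_alls:
        findings.append("mangle: no catch-all mark-connection rule; unmatched traffic is unmarked")
    elif all("protocol" in e for e in catch_alls):
        protos = ", ".join(sorted({e["protocol"] for e in catch_alls}))
        findings.append(f"mangle: catch-all mark-connection rules are limited to protocol {protos}; "
                        "other protocols stay unmarked and bypass the queues")
    used, totals = set(), {"upload": 0, "download": 0}
    for q in cfg.get(QUEUES, []):
        for mark in filter(None, q.get("packet-marks", "").split(",")):
            used.add(mark)
            if mark not in pkt_marks:
                findings.append(f"queue '{q.get('name')}': packet-mark '{mark}' is never "
                                "produced by a mark-packet rule")
        if "limit-at" in q:                  # upload/download; a single value applies to both
            parts = q["limit-at"].split("/")
            up, down = (parts * 2)[:2]
            totals["upload"] += parse_rate(up)
            totals["download"] += parse_rate(down)
    for mark in sorted(pkt_marks - used):
        findings.append(f"mangle: packet-mark '{mark}' is produced but no simple queue uses it")
    for direction, total in totals.items():
        if total > link_bps:
            findings.append(f"queues: guaranteed {direction} (limit-at) totals {total / 1e6:.0f}M, "
                            f"more than the {link_bps / 1e6:.0f}M link")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT), 250_000_000):
        print("-", finding)
```

Feed it the text of `/export` saved from the router and the link rate in bits per second. On the constructed sample it reports the `voip` queue's missing mark, the catch-all rule being limited to `tcp`, and 255M of guaranteed bandwidth on a 250M link; flipping `use-ip-firewall` to `no` adds the bridge finding, which is the one that silently turns every rule below it into a no-op.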
