Manual - Wireless: Wireless Debug Log Mikrotik

Wireless problem debugging using logs.

By default, RouterOS logs wireless clients connecting and disconnecting as simple entries:




That is enough for an ordinary user to know that the wireless client with MAC address "00:80:48:41:AF:2A" connected to the wireless interface "wlan1". But more log entries are available than the standard logging shows. These are the 'debug' logs, which give more detailed information. In the following example you will see the debug log of the same client connecting to the AP, in more detail than typical logging provides:


The debug log gives you more specific information on every step of a wireless client's connection and disconnection. The first line shows that the wireless client tried to connect to the AP. On the second line the AP checked whether the client is allowed to connect and what the resulting action was. Only on the third line do you see that the client is connected. This is just one example of the debug log messages. A description of all debug entries is given below.
To enable the wireless debug log, run a command like:

Or in Winbox:



This will help you understand and fix wireless problems with ease and with little interaction with the support team.

Station Mode

@ : Lost connection,
The station has lost its connection to the AP because
@ : Failed to connect,
The station tries to connect to the AP, but fails because
@ : Connection established on , SSID
The station tried and successfully connected to the AP with the SSID on frequency.
@ : MIC failure!
The TKIP message integrity check failed; someone may be trying to break into the network or cause a denial of service. If more than 1 MIC failure is encountered within a 60 s period, the "TKIP countermeasures" state is entered.
@ : Enter TKIP countermeasures
Entered the TKIP countermeasures state; this means the station will disconnect from the AP and stay silent for 60 s.
AP Mode

: Radar detected on
Radar was detected on the frequency; the AP will look for another channel.
: Data from unknown device , sent deauth [(events suppressed XXX, YYY deauths suppressed)]
A data frame from an unknown device (read: not registered to this AP) with the given MAC address was received, and the AP sent a deauthentication frame to it (as per 802.11). XXX is the number of events that were not logged so that the log does not grow too large (logging is limited to 1 entry per 5 s after the first 5 entries); YYY is the number of deauthentication frames that should have been sent but were not, so that resources are not wasted on sending too many deauthentication frames (only 10 deauth frames per second are allowed).
The likely cause of this message is that a station previously connected to the AP, which does not yet know it has been dropped from the AP's registration table, is still sending data to the AP. The deauthentication message tells the station that it is no longer connected.

: Denying assoc to , failed to setup compression
Failed to initialize compression on the AP, most likely because too many clients are trying to connect and use compression.

: Is new WDS master
The WDS slave has established a connection to the WDS master; this means the WDS slave starts accepting clients and acting as an AP.

: Was WDS master
This message appears after the connection with the WDS master is lost; the WDS slave will disconnect all clients and start scanning to find a new WDS master.

@ : Connected [, is AP] [, wants WDS]
A station with the given address connected. If "is AP" is present, the remote device is an AP; if "wants WDS" is present, the remote device wants to establish a WDS link.
@ : Disconnected,
The connection with the station with the given address ended because

: TKIP countermeasures over, resuming
The TKIP countermeasures period (60 s of silence) is over; the AP resumes acting as an AP.

: Starting TKIP countermeasures
Entering the TKIP countermeasures state (60 s silent period); all clients will be lost.


"Joining failed" - can only occur on Prism cards in station mode; the attempt to connect to the AP failed for some reason.
"Join timeout" - occurs on a station; it failed to synchronize to the AP (receive the first beacon frame). Most likely causes: weak signal, the remote is turned off, strong interference, or some other RF-related issue that makes communication impossible.
"No beacons" - no beacons were received from the remote end of a WDS link. Most likely causes: weak signal, the remote is turned off, strong interference, or some other RF-related issue that makes communication impossible.
"Extensive data loss" - the local interface decided to drop the connection to the remote device because it was unable to send data to the remote after several failures at the lowest possible rate. Possible causes: signal too weak, the remote device is turned off, strong interference, or some other RF-related issue that makes communication impossible.
"Decided to deauth, <802.11 reason>" - the local interface decided to deauthenticate the remote device, using the 802.11 reason <802.11 reason>.
"Inactivity" - the remote device was inactive for too long.
"Device disabled" - the local interface got disabled.
"Got deauth, <802.11 reason>" - a deauthentication frame was received from the remote device; the 802.11 reason code is reported in <802.11 reason>.
"Got disassoc, <802.11 reason>" - a disassociation frame was received from the remote device; the 802.11 reason code is reported in <802.11 reason>.
"Auth frame from AP" - an authentication frame was received from a remote device that is known to be an AP; most likely the mode on the remote device changed from AP to station.
"Bad ssid" - bad SSID for the WDS link.
"Beacon from non AP" - a beacon frame was received from a remote device that is known to be a non-AP node; most likely the mode on the remote device changed from station to AP.
"No WDS support" - the remote device does not report WDS support.
"Failed to confirm SSID" - failed to confirm the SSID of the other end of the WDS link.
"Hardware failure" - some hardware failure or unexpected behavior. Unlikely to be seen.
"Lost connection" - can only occur on Prism cards in station mode; the connection to the AP was lost for some reason.
"Auth failed <802.11 status>" - occurs on a station; the AP denied authentication. The 802.11 status code is reported in <802.11 status>.
"Assoc failed <802.11 status>" - occurs on a station; the AP denied association. The 802.11 status code is reported in <802.11 status>.
"Auth timeout" - occurs on a station; the station received no response to its authentication frames, either because of a bad link or because the AP is ignoring this station for some reason.
"Assoc timeout" - occurs on a station; the station received no response to its association frames, either because of a bad link or because the AP is ignoring this station for some reason.
"Reassociating" - occurs on the AP: the connection is assumed to be lost, because a station that was considered already associated is attempting to associate again. All connection-related information must be deleted, because the connection parameters are negotiated during the association process (hence "disconnected"). The reason why the station reassociates must be looked for on the station (the most likely cause is that the station dropped the connection for some reason without telling the AP, e.g. data loss or configuration changes).
"Compression setup failure" - the connection is not possible because there are not enough resources to do compression (too many stations that want to use compression are already connected).
<802.11 reason> and <802.11 status>

These are the numeric reason/status codes encoded into 802.11 management messages. Log messages include the numeric code and a textual description taken from the 802.11 standard. While this is intended to be as clear as possible, keep in mind that the actual reason/status code that appears in a management frame depends solely on the equipment or software manufacturer: where one device sends 802.11 management frames with the proper reason/status code for the situation that caused the frame, another may send frames with an "unspecified" reason/status code. Therefore the reason/status code should be treated as informational only.
As the 802.11 standard evolves, RouterOS may lack a textual description for a reason/status code that some device uses. In such cases the numeric value should be used to look up the meaning in the 802.11 standard.
To interpret a reason/status code properly, a good understanding of the 802.11 standard is required. Most of the textual descriptions are self-explanatory. An explanation of some of the most commonly seen reason/status codes follows.
Class 2 frame received (6) - the device received a "class 2" frame (association/reassociation management frame) before completing the 802.11 authentication process;
Class 3 frame received (7) - the device received a "class 3" frame (data frame) before completing the association process;
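The triage below is an added example, not part of the original manual: it parses wireless log lines and applies the rules described above (more than 1 MIC failure within 60 s, disconnect reasons grouped by cause, deauths sent to unknown devices). The line layout, the sample lines and all function names are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed line layout (constructed for this example): "HH:MM:SS topics message",
# where message is "<mac>@<iface>: text" for per-peer events or "<iface>: text".
MAC = r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}"
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) (?P<topics>\S+) "
    r"(?:(?P<mac>" + MAC + r")@)?(?P<iface>[\w.-]+): (?P<text>.*)$",
    re.IGNORECASE,
)
UNKNOWN_RE = re.compile(r"data from unknown device (?P<mac>" + MAC + r")", re.IGNORECASE)

# Disconnect reasons from the manual, grouped by what they point at.
RF_REASONS = ("extensive data loss", "no beacons", "join timeout")
PEER_REASONS = ("got deauth", "got disassoc")
MIC_WINDOW = 60  # seconds: the TKIP countermeasures window from the manual

# Constructed sample log (not captured from a real router).
SAMPLE_LOG = """
10:00:01 wireless,info 00:80:48:41:AF:2A@wlan1: connected
10:00:05 wireless,debug 00:80:48:41:AF:2A@wlan1: MIC failure!
10:00:40 wireless,debug 00:80:48:41:AF:2A@wlan1: MIC failure!
10:00:40 wireless,debug wlan1: starting TKIP countermeasures
10:02:10 wireless,info 00:0C:42:11:22:33@wlan1: disconnected, extensive data loss
10:02:30 wireless,info 00:0C:42:11:22:33@wlan1: disconnected, got deauth, class 3 frame received (7)
10:03:00 wireless,debug wlan1: data from unknown device 00:0C:42:11:22:33, sent deauth
10:03:06 wireless,debug wlan1: data from unknown device 00:0C:42:11:22:33, sent deauth
10:09:00 wireless,debug 00:80:48:41:AF:2A@wlan1: MIC failure!
""".splitlines()


def parse(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {"t": seconds, "mac": (m["mac"] or "").upper(),
            "iface": m["iface"], "text": m["text"]}


def analyse(lines):
    """Summarise MIC-failure bursts, disconnect causes and unknown senders.

    Timestamps are seconds since midnight; a log spanning midnight would
    need the date as well (left out of this example).
    """
    mic_times = defaultdict(list)  # interface -> MIC failure times in the window
    report = {"mic_alerts": [], "reasons": Counter(), "unknown_senders": Counter()}
    for ev in filter(None, map(parse, lines)):
        text = ev["text"].lower()
        if text.startswith("mic failure"):
            times = mic_times[ev["iface"]]
            times.append(ev["t"])
            # Keep only the failures that fall inside the sliding 60 s window.
            times[:] = [t for t in times if ev["t"] - t <= MIC_WINDOW]
            if len(times) > 1:  # "more than 1 MIC failure" within the window
                report["mic_alerts"].append((ev["iface"], ev["mac"], ev["t"]))
        elif text.startswith("disconnected, "):
            reason = text.split(", ", 1)[1]
            if reason.startswith(RF_REASONS):
                kind = "rf"      # link quality: check signal, interference
            elif reason.startswith(PEER_REASONS):
                kind = "peer"    # the remote side sent deauth/disassoc
            else:
                kind = "other"
            report["reasons"][kind] += 1
        else:
            unknown = UNKNOWN_RE.search(ev["text"])
            if unknown:
                report["unknown_senders"][unknown["mac"].upper()] += 1
    return report


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```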

- End -

Manual - Wireless: Wireless FAQ MIKROTIK

Sometimes, when you change some wireless settings to tune your link, you go so far that the link no longer establishes or is no longer stable, and you do not remember what settings you had at the beginning. In this case you can use the reset-configuration command in the wireless menu: it resets all wireless settings for the specified wireless interface so that you can configure the interface from scratch. Note that running this command also disables the interface, so be careful not to execute it if you are configuring the router remotely over the very wireless link whose configuration you want to reset.
What are wireless retransmissions and where can I check them?

A wireless retransmission occurs when the card sends a frame and does not receive an acknowledgment (ACK) back, so it sends the frame again until it gets the acknowledgment. Wireless retransmissions can increase latency and reduce the throughput of the wireless link. To check whether a wireless link has retransmissions, compare two fields in the wireless registration table: frames and hw-frames. If the hw-frames value is greater than the frames value, the wireless link is making retransmissions. If the difference is small it can be ignored, but if the hw-frames count is two, three or four times the frames count or even larger, you need to troubleshoot the wireless connection.
Can I compare frames with hw-frames on Nstreme links too?

The frames counter counts only frames that contain actual data. In the case of Nstreme, only the ACK can be transmitted in a single frame if there is no other data to send. These ACK frames are not added to the frames count, but they do appear in hw-frames. If there is traffic in both directions at maximum speed (for example, there will be no ACK-only frames), then you cannot compare hw-frames to frames as in the case of an ordinary wireless link.
What TX power values can I use?

The default tx-power setting is the maximum tx-power the card can use, taken from the card's EEPROM. If you want to use a larger tx-power value you can set it, but do so at your own risk, as it may eventually damage your card! Normally, this parameter should only be used to reduce the tx-power.
In general, the tx-power controlling properties should be left at their default settings. Changing the defaults may help with some cards in some situations, but without testing, the most common result is degraded range and throughput. Some of the problems that may occur are:
overheating of the power amplifier chip and the card, which leads to lower efficiency and more data errors;
overdriving the amplifier, which causes more data errors;
excessive power usage by the card, which may overload the 3.3 V power supply of the board the card is installed in, resulting in a voltage drop and reboot, or excessive temperature for the board.
Which tx-power-mode is best?

tx-power-mode tells the wireless card which tx-power values should be used. By default this setting is enabled.
default means that the card will use the tx-power values from the card's EEPROM and ignore whatever the user has specified in the tx-power field.
card-rates means that the tx-power for each data rate is calculated by the card's transmit power algorithm from the card's EEPROM, which takes the user-specified tx-power value as its argument.
all-rates-fixed means that the card will use one tx-power value for all data rates, the one specified by the user in the tx-power field.

Note that it is not advisable to use the 'all-rates-fixed' mode, because the card's tx-power is lower for the higher data rates, and forcing the fixed tx-power on the higher data rates as well may cause the same problems as in the previous question about the tx-power setting. In most cases, if you want to change the tx-power settings, use tx-power-mode=card-rates, and it is recommended to reduce rather than increase the tx-power.
What is CCQ and how are its values determined?

Client Connection Quality (CCQ) is a value in percent that shows how effectively the bandwidth is used relative to the theoretical maximum available bandwidth. CCQ is a weighted average of the values Tmin / Treal, computed for every transmitted frame, where Tmin is the time it would take to transmit the given frame at the highest rate with no retries and Treal is the time it took to transmit the frame in real life (taking into account the retries needed to transmit the frame and the transmit rate).
What is the hw-retries setting?

The number of times sending a frame is retried without considering it a transmission failure. On failure the data rate is decreased and the frame is sent again. Three sequential failures on the lowest supported rate suspend transmission to that destination for the duration of on-fail-retry-time. After that, the frame is sent again. The frame is retransmitted until transmission succeeds or until the client is disconnected after disconnect-timeout. The frame can be discarded during this time if frame-lifetime is exceeded.

What is the disconnect-timeout setting?

This interval is measured from the third sending failure on the lowest data rate. At this point 3 * (hw-retries + 1) frame transmissions on the lowest rate have failed. During disconnect-timeout, packet transmission is retried at on-fail-retry-time intervals. If no frame can be transmitted successfully during disconnect-timeout, the connection is closed and the event is logged as "extensive data loss". A successful frame transmission resets this timer.
What is the adaptive-noise-immunity setting?

Adaptive Noise Immunity (ANI) dynamically adjusts various receiver parameters to minimize the effects of interference and noise on signal quality [1]. This setting was added to the wireless driver for Atheros AR5212 and newer chipset cards.
How do wireless devices measure signal strength when an access-list or connect-list is used?

The reported signal level is an exponentially weighted moving average with a smoothing factor of 50%.
What error correction methods are supported in RouterOS wireless?

ARQ is supported in the Nstreme protocol. The regular 802.11 standard does not include ARQ; retransmission of corrupted frames is based on the acknowledgment protocol. RouterOS supports forward error correction coding (convolutional coding) with coding rates 1/2, 2/3 or 3/4.
Setup

Will an amplifier increase the speed on my link?

It depends on your signal quality and noise. Remember that you can probably get a better link with a low output power setting and a good antenna. An amplifier increases the noise and will only cause problems with the link.
An amplifier boosts both the transmitted and the received signal. Thus, in a "quiet" area, where you are alone or have very little "noise" or "competition", you might get very good results. In crowded areas with lots of wireless activity, on the other hand, you will also boost the signal received from every competitor and noise source, which can dramatically lower the overall quality of the link. Also, take the EIRP into account to check whether your link remains within legal limits.
You could also get a better signal on "11b only" radios, which see most of 802.11g as "noise" and thus filter the usable signal better.
How to improve a wireless link with hw-retries?

You must understand that an 802.11 device really has only limited information (or "feedback" from the environment) that it can use to tune its behavior:
signal strength, which could be used to work out the best transmit rate knowing the receiver's sensitivity. Still, this is not reliable, considering that sensitivity varies between receivers (and, for example, changes over time), path conditions are not symmetrical (and the device can only measure the signal strength it receives), etc.
receiving or not receiving an acknowledgment for sent frames.
Since using signal strength is not reliable, 802.11 devices are basically left with only one kind of "feedback" to fine-tune their operation: the success or failure of a transmission. When a transmission fails (the ACK is not received in time), the sender has no way to find out why it failed - whether because of noise, multipath or direct interference (and whether that disturbed the actual data frame or the ACK frame itself) - the frame simply did not make it, and in general the "why" does not matter. What matters is the packet error rate.


Therefore RouterOS implements an algorithm that tries to use the medium as efficiently as possible in any environment using only this limited information, gives users the ability to control how the algorithm works, and describes the algorithm. There are only a few usage guidelines, not a set of values you should use in certain situations.
In general, the larger hw-retries is, the better "feedback" the device gets about the medium's ability to deliver a frame at a particular rate (for example, if sending a frame at 54 Mbps fails 16 times, that says more than if it fails with 2 retries) and the better it can find the optimal transmit rate, at the expense of the latency this can introduce in the network - because during all those failing retries, other devices on the channel cannot send. So a larger hw-retries can be recommended for PTP backbone links, where it is known that the link must always be up. A smaller hw-retries makes rate selection adapt faster at the expense of some accuracy (going below 2 does not make sense in most cases); this can be recommended for PTMP links, where it is normal for links to connect and disconnect and keeping latency down is essential.
on-fail-retry-time and disconnect-timeout control how hard the device will try to keep considering the remote party "connected". A larger disconnect-timeout makes the device not "disconnect" the other party even if there is a lot of loss at the lowest possible transmission rate. This again is most useful for "weak" links that are known to be links that "must" be established (e.g. backbone links). In a large PTMP network a longer disconnect-timeout will increase latency in the network during the time the AP tries to send data to a client that has just been switched off (the AP will keep trying for the whole disconnect-timeout).
frame-lifetime makes it possible to tune how long the AP keeps trying to transmit a frame before considering that it is not worth delivering (for example, if sending a frame fails at the lowest rate, the on-fail-retry-time timer is started; if frame-lifetime expires during this timer, that particular frame is dropped and the next transmission attempt happens with the next frame. A disabled frame-lifetime means that wireless will ensure in-order delivery of "all" data frames no matter how long it takes, "or" will drop the connection if everything fails). This makes it possible to optimize for different types of traffic, such as real-time traffic: if the primary use of the wireless network is VoIP, for example, it can make sense to limit frame-lifetime, because VoIP tolerates a small loss better than high latency.
Is it possible to use a wireless repeater with only one radio interface?

This setup is possible by using WDS on the wireless interface that runs in ap-bridge mode.

- End -

How to limit download speed separately for the extensions .avi, .flv, .zip, .exe etc. based on the IP address on MikroTik

Suppose that in one network we want to limit the download speed for the extensions .avi, .flv, .zip, .exe etc. separately, based on different IP addresses, while browsing is shared evenly across the entire bandwidth, using queue trees. Here's how:

As in the topology above:

Total PCs = 20

Example IP addresses
To the internet: 192.168.9.16 - ethernet1, MikroTik to the modem
PC clients: 192.168.11.254 - ethernet2, MikroTik to the hub

Computers 1 to 5:
IP address = 192.168.11.1-192.168.11.5
Limit for extensions such as zip, rar, exe = 512 KB
Browsing = shared evenly across the entire bandwidth

Computers 6 to 10:
IP address = 192.168.11.6-192.168.11.10
Limit for extensions such as zip, rar, exe = 256 KB
Browsing = shared evenly across the entire bandwidth

Computers 11 to 20:
IP address = 192.168.11.6-192.168.11.10
Limit for extensions such as zip, rar, exe = 1 MB
Browsing = shared evenly across the entire bandwidth

Let's get started:

Connect to your MikroTik with Winbox. Make sure the Ethernet interface that leads to the modem has been named public; if not, rename it to public. Make sure the Ethernet interface that leads to the hub has been named local; if not, rename it to local.







Next, make sure /ip firewall nat on the MikroTik is empty, because we will create the NAT rules based on the address lists.



Next we create the IP address for the Ethernet interface that leads to the modem (public).
Click "New Terminal" in Winbox and type the command below.
The IP address below is only an example; adjust it to the address that points to your own modem:

/ip address add address=192.168.9.16 \
    netmask=255.255.255.0 \
    interface=public \
    comment="IP ADDRESS TO MODEM"


Next we create the IP address for the Ethernet interface that leads to the hub (local).
Click "New Terminal" in Winbox and type the command below.
The IP address below is only an example; adjust it to the address that points to your own client PCs:

/ip address add address=192.168.11.254 \
    netmask=255.255.255.0 \
    interface=local \
    comment="IP ADDRESS TO THE PC CLIENT"

Next we enter the gateway in "New Terminal".
The gateway IP below is only an example; adjust it to your own gateway IP:

/ip route add gateway=192.168.9.1

Next we enter the DNS servers in "New Terminal".
The DNS IP addresses below are only an example; adjust them to your own DNS servers:

Command for MikroTik RouterOS version 4 and below:

# allow-remote-requests=yes makes the router answer DNS queries from clients
/ip dns set primary-dns=203.130.193.74
/ip dns set secondary-dns=203.130.206.250 \
    allow-remote-requests=yes

Command for MikroTik RouterOS version 4 and above:

/ip dns set servers=203.130.193.74,203.130.206.250 \
    allow-remote-requests=yes

Next we create the address lists for the IP addresses whose extension downloads we want to limit. The commands in "New Terminal":

A. For the IP addresses with the 512 K extension limit:

/ip firewall address-list \
    add list="LIMIT IP Extention 512 K" \
    address=192.168.11.1 \
    comment="PC 1"
/ip firewall address-list \
    add list="LIMIT IP Extention 512 K" \
    address=192.168.11.2 \
    comment="PC 2"
/ip firewall address-list \
    add list="LIMIT IP Extention 512 K" \
    address=192.168.11.3 \
    comment="PC 3"
/ip firewall address-list \
    add list="LIMIT IP Extention 512 K" \
    address=192.168.11.4 \
    comment="PC 4"
/ip firewall address-list \
    add list="LIMIT IP Extention 512 K" \
    address=192.168.11.5 \
    comment="PC 5"

B. For the IP addresses with the 256 K extension limit:

/ip firewall address-list \
    add list="LIMIT IP Extention 256 K" \
    address=192.168.11.6 \
    comment="PC 6"
/ip firewall address-list \
    add list="LIMIT IP Extention 256 K" \
    address=192.168.11.7 \
    comment="PC 7"
/ip firewall address-list \
    add list="LIMIT IP Extention 256 K" \
    address=192.168.11.8 \
    comment="PC 8"
/ip firewall address-list \
    add list="LIMIT IP Extention 256 K" \
    address=192.168.11.9 \
    comment="PC 9"
/ip firewall address-list \
    add list="LIMIT IP Extention 256 K" \
    address=192.168.11.10 \
    comment="PC 10"

C. For the IP addresses with the 1 MB extension limit:

/ip firewall address-list \
    add list="IP Extention LIMIT 1 MB" \
    address=192.168.11.11 \
    comment="PC 11"
/ip firewall address-list \
    add list="IP Extention LIMIT 1 MB" \
    address=192.168.11.12 \
    comment="PC 12"
/ip firewall address-list \
    add list="IP Extention LIMIT 1 MB" \
    address=192.168.11.13 \
    comment="PC 13"
/ip firewall address-list \
    add list="IP Extention LIMIT 1 MB" \
    address=192.168.11.14 \
    comment="PC 14"
/ip firewall address-list \
    add list="IP Extention LIMIT 1 MB" \
    address=192.168.11.15 \
    comment="PC 15"
/ip firewall address-list \
    add list="IP Extention LIMIT 1 MB" \
    address=192.168.11.16 \
    comment="PC 16"
/ip firewall address-list \
    add list="IP Extention LIMIT 1 MB" \
    address=192.168.11.17 \
    comment="PC 17"
/ip firewall address-list \
    add list="IP Extention LIMIT 1 MB" \
    address=192.168.11.18 \
    comment="PC 18"
/ip firewall address-list \
    add list="IP Extention LIMIT 1 MB" \
    address=192.168.11.19 \
    comment="PC 19"
/ip firewall address-list \
    add list="IP Extention LIMIT 1 MB" \
    address=192.168.11.20 \
    comment="PC 20"


Next we create a NAT rule with action masquerade for each of the address lists above, in "New Terminal":

/ip firewall nat add chain=srcnat action=masquerade \
    src-address-list="LIMIT IP Extention 512 K" \
    out-interface=public \
    comment="MASQUERADE LIMIT extention 512 K"
/ip firewall nat add chain=srcnat action=masquerade \
    src-address-list="LIMIT IP Extention 256 K" \
    out-interface=public \
    comment="MASQUERADE LIMIT extention 256 K"
/ip firewall nat add chain=srcnat action=masquerade \
    src-address-list="IP Extention LIMIT 1 MB" \
    out-interface=public \
    comment="MASQUERADE extention LIMIT 1 MB"

Next we define the file extensions as layer7 regexps, in "New Terminal":

# Inside the quotes "\\" is an escaped backslash, so "\\." is stored as the regexp \.
/ip firewall layer7-protocol add name="YOUTUBE layer7" regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"
/ip firewall layer7-protocol add name="EXE layer7" regexp="\\.(exe)"
/ip firewall layer7-protocol add name="RAR layer7" regexp="\\.(rar)"
/ip firewall layer7-protocol add name="ZIP layer7" regexp="\\.(zip)"
/ip firewall layer7-protocol add name="7z layer7" regexp="\\.(7z)"
/ip firewall layer7-protocol add name="WMV layer7" regexp="\\.(wmv)"
/ip firewall layer7-protocol add name="MPG layer7" regexp="\\.(mpg)"
/ip firewall layer7-protocol add name="MPEG layer7" regexp="\\.(mpeg)"
/ip firewall layer7-protocol add name="AVI layer7" regexp="\\.(avi)"
/ip firewall layer7-protocol add name="FLV layer7" regexp="\\.(flv)"
/ip firewall layer7-protocol add name="WAV layer7" regexp="\\.(wav)"
/ip firewall layer7-protocol add name="MP3 layer7" regexp="\\.(mp3)"
/ip firewall layer7-protocol add name="MP4 layer7" regexp="\\.(mp4)"
/ip firewall layer7-protocol add name="ISO layer7" regexp="\\.(iso)"
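What the extension patterns above actually match is worth checking before relying on them for policy. The following is an added example, not part of the original tutorial: it runs three of the patterns over constructed HTTP and TLS-like byte streams, using Python's re module as a stand-in for the RouterOS matcher and a 2 KB inspection window as RouterOS documents for L7 rules. The request-line pattern is a hypothetical tighter variant that has not been tested on RouterOS.

```python
import re

# RouterOS documents that the L7 matcher looks only at the start of a
# connection (first 10 packets or first 2 KB); modelled here as 2048 bytes.
L7_WINDOW = 2048

# Three of the tutorial's patterns, as the regex engine sees them.
PAGE_PATTERNS = {
    "EXE layer7": rb"\.(exe)",
    "ZIP layer7": rb"\.(zip)",
    "FLV layer7": rb"\.(flv)",
}


def request_line_pattern(ext):
    """Hypothetical tighter pattern: the extension must end the path of
    the HTTP request line, optionally followed by a query string."""
    return rb"^(GET|POST) [^ \r\n?]*\." + re.escape(ext) + rb"(\?[^ \r\n]*)? HTTP/"


STRICT_PATTERNS = {
    "EXE layer7": request_line_pattern(b"exe"),
    "ZIP layer7": request_line_pattern(b"zip"),
    "FLV layer7": request_line_pattern(b"flv"),
}

# Constructed byte streams (not captured traffic).
SAMPLES = {
    # A real download of an .exe over plain HTTP.
    "direct": b"GET /files/setup.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n",
    # Ordinary page view whose Referer header happens to mention an .exe URL.
    "referer": (b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n"
                b"Referer: http://downloads.example/setup.exe\r\n\r\n"),
    # Ordinary page view on a host name that contains ".exe" as a substring.
    "hostname": b"GET /news HTTP/1.1\r\nHost: www.executive-travel.example\r\n\r\n",
    # TLS-like opening bytes: with HTTPS the URL path is encrypted, so only
    # opaque bytes and the server name are visible to the matcher.
    "https": b"\x16\x03\x01\x00\x30" + bytes(range(32)) + b"downloads.example",
}


def l7_hits(stream, patterns):
    """Names of the patterns found inside the inspected window of a stream."""
    window = stream[:L7_WINDOW]
    return sorted(name for name, rx in patterns.items() if re.search(rx, window))


def compare(samples=SAMPLES):
    """Map sample name -> (hits with the page's patterns, hits with strict ones)."""
    return {
        name: (l7_hits(data, PAGE_PATTERNS), l7_hits(data, STRICT_PATTERNS))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:9} page={loose} strict={strict}")
```

The unanchored patterns also mark ordinary browsing connections whose headers merely contain ".exe", and neither variant sees downloads made over HTTPS, so the limits apply to plain HTTP only.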

Then we create the mangle rules that mark each extension for limiting, based on the address lists we have set.

A. Mangle rules for the 512K extension limit:
In "New Terminal" in Winbox:

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="7z layer7 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="7z layer7" \
    comment="7z layer7 DOWNLOAD 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="AVI layer7 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="AVI layer7" \
    comment="layer7 AVI DOWNLOAD 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="layer7 512K EXE" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="EXE layer7" \
    comment="layer7 DOWNLOAD EXE 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="FLV layer7 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="FLV layer7" \
    comment="layer7 FLV DOWNLOAD 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="ISO layer7 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="ISO layer7" \
    comment="ISO layer7 DOWNLOAD 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="layer7 MP3 512k" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="MP3 layer7" \
    comment="layer7 DOWNLOAD MP3 512k"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="MP4 layer7 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="MP4 layer7" \
    comment="layer7 MP4 DOWNLOAD 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="MPEG layer7 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="MPEG layer7" \
    comment="layer7 MPEG 512k DOWNLOAD"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="layer7 MPG 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="MPG layer7" \
    comment="layer7 MPG DOWNLOAD 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="layer7 RAR 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="RAR layer7" \
    comment="layer7 DOWNLOAD RAR 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="layer7 WAV 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="WAV layer7" \
    comment="layer7 WAV DOWNLOAD 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="layer7 WMV 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="WMV layer7" \
    comment="layer7 WMV DOWNLOAD 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="YOUTUBE layer7 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="YOUTUBE layer7" \
    comment="layer7 YOUTUBE DOWNLOAD 512K"

/ip firewall mangle add chain=forward action=mark-packet \
    new-packet-mark="layer7 ZIP 512K" \
    passthrough=no dst-address-list="LIMIT IP Extention 512 K" \
    layer7-protocol="ZIP layer7" \
    comment="layer7 DOWNLOAD ZIP 512K"

B. Mangle rules to limit extensions to 256K:
In Winbox "New Terminal":

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="7z layer7 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="7z layer7" \
comment="7z layer7 DOWNLOAD 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="AVI layer7 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="AVI layer7" \
comment="layer7 AVI DOWNLOAD 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 256K EXE" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="EXE layer7" \
comment="layer7 DOWNLOAD EXE 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="FLV layer7 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="FLV layer7" \
comment="layer7 FLV DOWNLOAD 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="ISO layer7 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="ISO layer7" \
comment="ISO layer7 DOWNLOAD 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 MP3 256k" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="MP3 layer7" \
comment="layer7 MP3 DOWNLOAD 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="MP4 layer7 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="MP4 layer7" \
comment="layer7 MP4 DOWNLOAD 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="MPEG layer7 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="MPEG layer7" \
comment="layer7 MPEG 256k DOWNLOAD"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 MPG 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="MPG layer7" \
comment="layer7 MPG DOWNLOAD 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 RAR 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="RAR layer7" \
comment="layer7 DOWNLOAD RAR 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 WAV 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="WAV layer7" \
comment="layer7 WAV DOWNLOAD 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 WMV 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="WMV layer7" \
comment="layer7 WMV DOWNLOAD 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="YOUTUBE layer7 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="YOUTUBE layer7" \
comment="layer7 YOUTUBE DOWNLOAD 256K"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 ZIP 256K" \
passthrough=no dst-address-list="LIMIT IP Extention 256 K" \
layer7-protocol="ZIP layer7" \
comment="layer7 DOWNLOAD ZIP 256K"

C. Mangle rules to limit extensions to 1 MB:
In Winbox "New Terminal":

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="7z layer7 1MB" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="7z layer7" \
comment="7z layer7 DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 1MB AVI" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="AVI layer7" \
comment="layer7 AVI DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 1MB EXE" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="EXE layer7" \
comment="layer7 DOWNLOAD EXE 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="FLV layer7 1MB" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="FLV layer7" \
comment="layer7 FLV DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="ISO layer7 1MB" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="ISO layer7" \
comment="ISO layer7 DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 1MB MP3" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="MP3 layer7" \
comment="layer7 MP3 DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="MP4 layer7 1MB" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="MP4 layer7" \
comment="layer7 MP4 DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="MPEG layer7 1MB" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="MPEG layer7" \
comment="MPEG layer7 DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 MPG 1MB" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="MPG layer7" \
comment="layer7 MPG DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 1MB RAR" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="RAR layer7" \
comment="layer7 RAR DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 1MB WAV" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="WAV layer7" \
comment="layer7 WAV DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 WMV 1MB" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="WMV layer7" \
comment="layer7 DOWNLOAD WMV 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="YOUTUBE layer7 1MB" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="YOUTUBE layer7" \
comment="layer7 YOUTUBE DOWNLOAD 1MB"

/ip firewall mangle add chain=forward action=mark-packet \
new-packet-mark="layer7 ZIP 1MB" \
passthrough=no dst-address-list="IP Extention LIMIT 1 MB" \
layer7-protocol="ZIP layer7" \
comment="layer7 DOWNLOAD ZIP 1MB"

Next we create the queue tree with its limits:
A. For IP 192.168.1.1-192.168.1.5 = 512 KB
In Winbox "New Terminal":

/queue tree add name="LIMIT extention" parent=global-out \
limit-at=0 priority=1 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s

/queue tree add name="192.168.1.1-192.168.1.5" \
parent="LIMIT extention" \
packet-mark="7z layer7 512K,\
AVI layer7 512K,512K EXE layer7,\
FLV layer7 512K,512K layer7 ISO,\
layer7 512K MP3,MP4 layer7 512K,\
layer7 512K MPEG,MPG layer7 512K,\
layer7 RAR 512K,512K WAV layer7,\
layer7 WMV 512K,YOUTUBE layer7 512K,\
layer7 ZIP 512K" limit-at=0 queue=default \
priority=1 max-limit=512k burst-limit=0 \
burst-threshold=0 burst-time=0s

B. For IP 192.168.1.6-192.168.1.10 = 256 KB
In Winbox "New Terminal":

/queue tree add name="192.168.1.6-192.168.1.10" \
parent="LIMIT extention" \
packet-mark="7z layer7 256K,\
AVI layer7 256K,layer7 256K EXE,\
FLV layer7 256K,ISO layer7 256K,\
layer7 MP3 256k,MP4 layer7 256K,\
MPEG layer7 256K,layer7 MPG 256K,\
layer7 RAR 256K,layer7 WAV 256K,\
layer7 WMV 256K,YOUTUBE layer7 256K,\
layer7 ZIP 256K" limit-at=0 queue=default \
priority=1 max-limit=256k burst-limit=0 \
burst-threshold=0 burst-time=0s

C. For IP 192.168.1.11-192.168.1.20 = 1 MB
In Winbox "New Terminal":

/queue tree add name="192.168.1.11-192.168.1.20" \
parent="LIMIT extention" \
packet-mark="7z layer7 1MB,layer7 1MB AVI,\
layer7 1MB EXE,FLV layer7 1MB,ISO layer7 1MB,\
layer7 1MB MP3,MP4 layer7 1MB,MPEG layer7 1MB,\
layer7 MPG 1MB,layer7 1MB RAR,layer7 1MB WAV,\
layer7 WMV 1MB,YOUTUBE layer7 1MB,\
layer7 ZIP 1MB" limit-at=0 queue=default \
priority=1 max-limit=1M burst-limit=0 \
burst-threshold=0 burst-time=0s


Next we test. First, with IP address 192.168.1.1 on the PC, I run a test download:

This address is in the range 192.168.1.1 to 192.168.1.5, which has the 512 KB limit. The extension limit is applied successfully, as shown by the 512 KB limit entry in the queue tree turning red.

Next, with IP address 192.168.1.6 on the PC, I run a test download:

This address is in the range 192.168.1.6 to 192.168.1.10, which has the 256 KB limit. The extension limit is applied successfully, as shown by the 256 KB limit entry in the queue tree turning red.

Next, with IP address 192.168.1.11 on the PC, I run a test download:

This address is in the range 192.168.1.11 to 192.168.1.20, which has the 1 MB limit. The extension limit is applied successfully, as shown by the 1 MB limit entry in the queue tree turning red.

Finished work ... good mood ... good luck ...

Setting up load balancing with 8 modems in Mikrotik, 8 modems dedicated to browsing and 1 dedicated to games, and redirect to an external proxy (P2)

Now we move on ......

/ip firewall mangle add action=mark-packet \
chain=forward disabled=no layer7-protocol=ISO \
new-packet-mark=3GP passthrough=no

/ip firewall mangle add action=mark-packet \
chain=forward disabled=no layer7-protocol=7z \
new-packet-mark=7z passthrough=no

Next, the ip firewall mangle rules for online games, with the commands:

/ip firewall mangle add action=mark-connection \
chain=prerouting comment="GAME ONLINE" \
disabled=no \
dst-port=1818,2001,3010,4300,5105,5121,5126,5171,5340-5352,6000-6152,7777 \
in-interface=local new-connection-mark="GAME ONLINE" \
passthrough=yes protocol=tcp

/ip firewall mangle add action=mark-connection \
chain=prerouting disabled=no dst-port=7341-7350,7451,8085,9600,9601-9602,9300 \
in-interface=local new-connection-mark="GAME ONLINE" \
passthrough=yes protocol=tcp

/ip firewall mangle add action=mark-connection \
chain=prerouting disabled=no dst-port=9376-9377,9400,9700,10001-10011 \
in-interface=local new-connection-mark="GAME ONLINE" \
passthrough=yes protocol=tcp

/ip firewall mangle add action=mark-connection \
chain=prerouting disabled=no \
dst-port="10402,11011-11041,12011,12110,13008,13413" \
in-interface=local \
new-connection-mark="GAME ONLINE" \
passthrough=yes protocol=tcp

/ip firewall mangle add action=mark-connection \
chain=prerouting disabled=no dst-port="15000-15002,16402-16502,16666,18901-18909,19000" \
in-interface=local new-connection-mark="GAME ONLINE" \
passthrough=yes protocol=tcp

/ip firewall mangle add action=mark-connection \
chain=prerouting disabled=no \
dst-port=19101,22100,27780,28012,29000,29200 \
in-interface=local \
new-connection-mark="GAME ONLINE" \
passthrough=yes protocol=tcp

/ip firewall mangle add action=mark-connection \
chain=prerouting disabled=no \
dst-port=39100,39110,39220,39190,40000,49100 in-interface=local \
new-connection-mark="GAME ONLINE" \
passthrough=yes protocol=tcp

/ip firewall mangle add action=mark-connection \
chain=prerouting disabled=no \
dst-port="1293,1479,6100-6152,7777-7977,8001" in-interface=local \
new-connection-mark="GAME ONLINE" \
passthrough=yes protocol=udp

/ip firewall mangle add action=mark-connection \
chain=prerouting disabled=no \
dst-port="9401,9600-9602,12020-12080,30000,40000-40010" \
in-interface=local new-connection-mark="GAME ONLINE" \
passthrough=yes protocol=udp

/ip firewall mangle add action=mark-connection \
chain=prerouting disabled=no \
dst-port=42051-42052,11100-11125,11440-11460 \
in-interface=local new-connection-mark="GAME ONLINE" \
passthrough=yes protocol=udp

/ip firewall mangle add action=mark-packet \
chain=forward connection-mark="GAME ONLINE" \
disabled=no dst-address=192.168.1.0/24 \
new-packet-mark="ONLINE GAME DOWN" \
passthrough=no

/ip firewall mangle add action=mark-packet \
chain=forward connection-mark="GAME ONLINE" \
disabled=no in-interface=local \
new-packet-mark="ONLINE GAME UP" \
passthrough=no src-address=192.168.1.0/24

/ip firewall mangle add action=mark-connection \
chain=prerouting comment="FACEBOOK GAME" \
disabled=no dst-port=9339,843 in-interface=local \
new-connection-mark="FACEBOOK GAME" \
passthrough=yes protocol=tcp

/ip firewall mangle add action=mark-packet \
chain=forward connection-mark="FACEBOOK GAME" \
disabled=no dst-address=192.168.1.0/24 \
new-packet-mark="FACEBOOK GAME DOWN" passthrough=no

/ip firewall mangle add action=mark-packet \
chain=forward connection-mark="FACEBOOK GAME" \
disabled=no new-packet-mark="FACEBOOK GAME UP" \
passthrough=no src-address=192.168.1.0/24

Next, the ip firewall mangle rules for browsing (download and upload) and Mivo TV, which are limited later in the queue tree, with the commands:

/ip firewall mangle add action=mark-connection \
chain=prerouting comment=BROWSING disabled=no \
dst-port=80 in-interface=local \
new-connection-mark=BROWSING passthrough=yes \
protocol=tcp

/ip firewall mangle add action=mark-packet \
chain=prerouting connection-mark=BROWSING disabled=no \
dst-address=192.168.1.0/24 \
new-packet-mark="BROWSING DOWN" passthrough=no

/ip firewall mangle add action=mark-packet \
chain=prerouting connection-mark=BROWSING disabled=no \
new-packet-mark="UP BROWSING" \
passthrough=no src-address=192.168.1.0/24

/ip firewall mangle add action=mark-connection \
chain=prerouting comment="MIVO TV" disabled=no \
dst-port=1935 in-interface=local new-connection-mark="MIVO TV" \
passthrough=no protocol=tcp

/ip firewall mangle add action=mark-packet \
chain=prerouting connection-mark="MIVO TV" disabled=no \
new-packet-mark=MIVO passthrough=no

Next, the ip firewall filter rules to secure our Mikrotik against viruses, plus the anti-Netcut ports, with the commands:

/ip firewall filter add action=accept \
chain=input disabled=no dst-port=8291 protocol=tcp
/ip firewall filter add action=drop \
chain=forward connection-state=invalid disabled=no
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=135-139 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=1433-1434 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=445 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=445 protocol=udp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=593 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=1024-1030 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=1080 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=1214 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=1363 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=1364 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=1368 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=1373 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=1377 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=2745 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=2283 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=2535 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=2745 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=3127 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=3410 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=4444 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=4444 protocol=udp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=5554 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=8866 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=9898 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=10080 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=12345 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=17300 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=27374 protocol=tcp
/ip firewall filter add action=drop \
chain=virus disabled=no dst-port=65506 protocol=tcp
/ip firewall filter add action=jump \
chain=forward disabled=no jump-target=virus
/ip firewall filter add action=drop \
chain=input connection-state=invalid disabled=no
/ip firewall filter add action=accept \
chain=input disabled=no protocol=udp
/ip firewall filter add action=accept \
chain=input disabled=no limit=50/5s,2 protocol=icmp
/ip firewall filter add action=drop \
chain=input disabled=no protocol=icmp
/ip firewall filter add action=accept \
chain=input disabled=no dst-port=21 protocol=tcp
/ip firewall filter add action=accept \
chain=input disabled=no dst-port=22 protocol=tcp
/ip firewall filter add action=accept \
chain=input disabled=no dst-port=23 protocol=tcp
/ip firewall filter add action=accept \
chain=input disabled=no dst-port=80 protocol=tcp
/ip firewall filter add action=accept \
chain=input disabled=no dst-port=8291 protocol=tcp
/ip firewall filter add action=accept \
chain=input disabled=no dst-port=1723 protocol=tcp
/ip firewall filter add action=log \
chain=input disabled=yes log-prefix="DROP INPUT"
/ip firewall filter add action=accept \
chain=input disabled=no dst-port=23 protocol=tcp
/ip firewall filter add action=accept \
chain=input disabled=no dst-port=80 protocol=tcp
/ip firewall filter add action=accept \
chain=input disabled=no dst-port=1723 protocol=tcp
/ip firewall filter add action=log \
chain=input disabled=yes log-prefix="DROP INPUT"
/ip firewall filter add action=add-src-to-address-list \
address-list=DDOS address-list-timeout=15s \
chain=input \
disabled=no dst-port=1337 protocol=tcp
/ip firewall filter add action=add-src-to-address-list \
address-list=DDOS address-list-timeout=15m \
chain=input disabled=no \
dst-port=7331 protocol=tcp src-address-list=knock
/ip firewall filter add action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w \
chain=input comment="Port scanners to list" \
disabled=no protocol=tcp psd=21,3s,3,1
/ip firewall filter add action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w \
chain=input comment="SYN / FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
/ip firewall filter add action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w \
chain=input comment="SYN / RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
/ip firewall filter add action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w \
chain=input comment="FIN / PSH / URG scan" disabled=no \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
/ip firewall filter add action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w \
chain=input comment="ALL / ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
/ip firewall filter add action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w \
chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
/ip firewall filter add action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w \
chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
/ip firewall filter add action=accept chain=input \
comment="ANTI Netcut" disabled=no dst-port=0-65535 \
protocol=tcp src-address=61.213.183.1-61.213.183.254
/ip firewall filter add action=accept chain=input \
comment="ANTI Netcut" disabled=no dst-port=0-65535 \
protocol=tcp src-address=67.195.134.1-67.195.134.254
/ip firewall filter add action=accept chain=input \
comment="ANTI Netcut" disabled=no dst-port=0-65535 \
protocol=tcp src-address=68.142.233.1-68.142.233.254
/ip firewall filter add action=accept chain=input \
comment="ANTI Netcut" disabled=no dst-port=0-65535 \
protocol=tcp src-address=68.180.217.1-68.180.217.254
/ip firewall filter add action=accept chain=input \
comment="ANTI Netcut" disabled=no dst-port=0-65535 \
protocol=tcp src-address=203.84.204.1-203.84.204.254
/ip firewall filter add action=accept chain=input \
comment="ANTI Netcut" disabled=no dst-port=0-65535 \
protocol=tcp src-address=69.63.176.1-69.63.176.254
/ip firewall filter add action=accept chain=input \
comment="ANTI Netcut" disabled=no dst-port=0-65535 \
protocol=tcp src-address=69.63.181.1-69.63.181.254
/ip firewall filter add action=accept chain=input \
comment="ANTI Netcut" disabled=no dst-port=0-65535 \
protocol=tcp src-address=63.245.209.1-63.245.209.254
/ip firewall filter add action=accept chain=input \
comment="ANTI Netcut" disabled=no dst-port=0-65535 \
protocol=tcp src-address=63.245.213.1-63.245.213.254
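
The input-chain rules above can be checked before they are pasted into a router. The Python sketch below is an added example, not part of the original tutorial: it works out the first-match verdict for a new connection from an untrusted source and reports which router services stay reachable. The helper names and the HARDENED_RULES variant (management limited to the 192.168.1.0/24 LAN used on this page, plus a final drop) are assumptions made for illustration.

```python
import shlex

PREFIX = "/ip firewall filter add"
# TCP services the router itself listens on; labels are used in the report only.
MGMT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 8291: "winbox"}
SOURCE_KEYS = ("src-address", "src-address-list", "in-interface")

# Constructed sample: a subset of the input-chain rules from the listing above.
PAGE_RULES = """
/ip firewall filter add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
/ip firewall filter add action=drop chain=input connection-state=invalid disabled=no
/ip firewall filter add action=accept chain=input disabled=no protocol=udp
/ip firewall filter add action=accept chain=input disabled=no limit=50/5s,2 protocol=icmp
/ip firewall filter add action=drop chain=input disabled=no protocol=icmp
/ip firewall filter add action=accept chain=input disabled=no dst-port=21 protocol=tcp
/ip firewall filter add action=accept chain=input disabled=no dst-port=22 protocol=tcp
/ip firewall filter add action=accept chain=input disabled=no dst-port=23 protocol=tcp
/ip firewall filter add action=accept chain=input disabled=no dst-port=80 protocol=tcp
/ip firewall filter add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
/ip firewall filter add action=log chain=input disabled=yes log-prefix="DROP INPUT"
"""

# Assumed hardened variant (not from the page): LAN-only management, final drop.
HARDENED_RULES = """
/ip firewall filter add action=accept chain=input connection-state=established,related
/ip firewall filter add action=drop chain=input connection-state=invalid
/ip firewall filter add action=accept chain=input dst-port=22,8291 protocol=tcp src-address=192.168.1.0/24
/ip firewall filter add action=accept chain=input limit=50/5s,2 protocol=icmp
/ip firewall filter add action=drop chain=input
"""


def parse_rules(text):
    """Turn '/ip firewall filter add k=v ...' lines into a list of dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            tokens = shlex.split(line[len(PREFIX):])
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def port_in(spec, port):
    """True if port falls in a RouterOS port spec such as '22,135-139'."""
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def verdict(rules, proto, port, chain="input"):
    """First-match verdict for a NEW packet from an arbitrary, untrusted source."""
    for r in rules:
        if r.get("disabled") == "yes" or r.get("chain") != chain:
            continue
        if any(k in r for k in SOURCE_KEYS):
            continue  # source-restricted rules do not match an arbitrary host
        if "connection-state" in r and "new" not in r["connection-state"].split(","):
            continue
        if "protocol" in r and r["protocol"] != proto:
            continue
        if "dst-port" in r and not port_in(r["dst-port"], port):
            continue
        if r.get("action") in ("accept", "drop", "reject"):
            return r["action"]  # log / add-src-to-address-list do not terminate
    return "accept"  # RouterOS accepts packets that no rule matched


def exposed_mgmt_ports(rules):
    return sorted(p for p in MGMT_PORTS if verdict(rules, "tcp", p) == "accept")


def has_final_drop(rules, chain="input"):
    """True if the last enabled rule of the chain is an unconditional drop."""
    active = [r for r in rules if r.get("chain") == chain and r.get("disabled") != "yes"]
    if not active:
        return False
    matchers = set(active[-1]) - {"action", "chain", "disabled", "comment"}
    return active[-1].get("action") == "drop" and not matchers


def audit(text):
    rules = parse_rules(text)
    findings = [f"tcp/{p} ({MGMT_PORTS[p]}) reachable from any source"
                for p in exposed_mgmt_ports(rules)]
    if verdict(rules, "udp", 53) == "accept":
        findings.append("udp/53 reachable from any source "
                        "(open resolver if allow-remote-requests=yes)")
    if not has_final_drop(rules):
        findings.append("input chain has no final drop: unmatched packets are accepted")
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE_RULES):
        print(finding)
```

The check ignores rate limits and jump targets, so it is a conservative view of the input chain only.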

Next, the queue type. Because we are using a queue tree, we first create the queue types with pcq, with the commands:

/queue type add kind=pcq name="PROXY DOWN" \
pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address \
pcq-dst-address-mask=32 pcq-dst-address6-mask=128 \
pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000

/queue type add kind=pcq name=DOWN \
pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=2s pcq-classifier=dst-address,dst-port \
pcq-dst-address-mask=32 pcq-dst-address6-mask=64 \
pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=64 pcq-total-limit=2000

/queue type add kind=pcq name=UP \
pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
pcq-classifier=src-address,dst-address,src-port \
pcq-dst-address-mask=32 pcq-dst-address6-mask=64 \
pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=64 pcq-total-limit=2000

/queue type set default-small kind=pfifo name=default-small pfifo-limit=10

Next, the queue tree. For max-limit, please adjust to your own bandwidth capacity and needs.
A. Proxy hit, with the command:

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="A.. PROXY HIT" \
packet-mark="SQUID PROXY HIT" parent=local \
priority=1 queue="PROXY DOWN"

B. Upload games, with the commands:

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="B. GAME UP" \
parent=public priority=1

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="FACEBOOK GAME." \
packet-mark="FACEBOOK GAME UP" \
parent="B. GAME UP" priority=3 queue=UP

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="ONLINE GAME." \
packet-mark="ONLINE GAME UP" \
parent="B. GAME UP" priority=2 queue=UP

C. Upload browsing, with the commands:

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=128k name="C. UP" parent=proxy priority=1

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="BROWSING." packet-mark="UP BROWSING" \
parent="C. UP" priority=2 queue=UP

D. Download, with the command:

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="D. DOWN" parent=global-out priority=1

D.1. Download Facebook games, with the commands:

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=256k name="GAME 1" parent="D. DOWN" priority=3

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="FACEBOOK GAME" \
packet-mark="FACEBOOK GAME DOWN" \
parent="GAME 1" priority=3 queue=DOWN

D.2. Download online games, with the commands:

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="GAME 2" parent="D. DOWN" priority=2

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="GAME ONLINE" \
packet-mark="ONLINE GAME DOWN" \
parent="GAME 2" priority=2 queue=DOWN

D.3. Download browsing, with the commands:

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=BROWSING parent="D. DOWN" priority=4

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="BROWSING ..." \
packet-mark="BROWSING DOWN" \
parent=BROWSING priority=4 queue=DOWN

D.4. Download files such as exe, zip, rar, YouTube streaming, etc., with the commands:

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="LIMIT extention" \
parent="D. DOWN" priority=5

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=YOUTUBE \
packet-mark=YOUTUBE parent="LIMIT extention" \
priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="STREAMING YOUTUBE" \
packet-mark="STREAMING YOUTUBE" \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=MKV packet-mark=MKV \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=MP3 packet-mark=MP3 \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=MP4 packet-mark=MP4 \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="ZIP PACKAGE" packet-mark=ZIP \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=EXE packet-mark=EXE \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=FLV packet-mark=FLV \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=ISO packet-mark=ISO \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=ASF packet-mark=ASF \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=AVI packet-mark=AVI \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=BIN packet-mark=BIN \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=CAB packet-mark=CAB \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=DAA packet-mark=DAA \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=MOV packet-mark=MOV \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=MPEG packet-mark=MPEG \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=MPG packet-mark=MPG \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=MR packet-mark=MR \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=NRG packet-mark=NRG \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=RAM packet-mark=RAM \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=RAR packet-mark=RAR \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=RMVB packet-mark=RMVB \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=VCD packet-mark=VCD \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=WAV packet-mark=WAV \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=WMV packet-mark=WMV \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3GP packet-mark=3GP \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=7z packet-mark=7z \
parent="LIMIT extention" priority=5 queue=DOWN

/queue tree add name="MIVO TV" \
parent="LIMIT extention" packet-mark=MIVO \
limit-at=0 queue=DOWN \
priority=6 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s

Next, on the Winbox main page select Queues, then Queue Tree, and set limit-at and max-limit to match your own bandwidth, as shown below:




Good luck ...

How to separate two internet lines in a Mikrotik router

With 2 modems, we separate the path in Mikrotik for each computer that you specify in the network.

Topology:
Modem
Modem1 = 192.168.1.1
Modem2 = 192.168.9.1

Mikrotik
Eth1 = 192.168.1.2
Eth2 = 192.168.9.16
Eth3 = 192.168.3.1

Client Computers
Client1 = 192.168.3.2 ---- directed to Modem1
Client2 = 192.168.3.3 ---- directed to Modem2

Let's get started:

The first step is to name each interface on the Mikrotik, with these commands in "New Terminal":

/interface set 0 name=public-modem1
/interface set 1 name=public-modem2
/interface set 2 name=local-client

Next, assign an IP address to each ethernet interface on the Mikrotik, with the commands:

/ip address add address=192.168.1.2 \
netmask=255.255.255.0 \
interface=public-modem1

/ip address add address=192.168.9.16 \
netmask=255.255.255.0 \
interface=public-modem2

/ip address add address=192.168.3.1 \
netmask=255.255.255.0 \
interface=local-client


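Next, set the DNS servers (adjust them to your own provider's), with the command:

# allow-remote-requests=yes makes the router answer DNS queries from any host that can reach it,
# so restrict port 53 on the public interfaces in the firewall
/ip dns set servers=203.130.193.74,203.130.206.250 \
allow-remote-requests=yes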

Then add the routes for modem1 and modem2, each with its routing mark:

/ip route add gateway=192.168.1.1
/ip route add gateway=192.168.1.1 routing-mark=MODEM1

/ip route add gateway=192.168.9.1
/ip route add gateway=192.168.9.1 routing-mark=MODEM2

Next, add a firewall NAT rule for each modem with action masquerade. The commands are:

/ip firewall nat add chain=srcnat \
out-interface=public-modem1 \
action=masquerade

/ip firewall nat add chain=srcnat \
out-interface=public-modem2 \
action=masquerade

Next, add the client IP addresses to firewall address lists, which the mangle rules will use later. In the topology above there are 2 client IP addresses, 192.168.3.2 and 192.168.3.3. The commands are as follows:

/ip firewall address-list \
add address=192.168.3.2 \
list="IP leads to MODEM1"

/ip firewall address-list \
add address=192.168.3.3 \
list="IP leads to MODEM2"

If you have many computers, just add their IP addresses to the lists.


Next we create mangle rules that mark connections from the address lists we made, set the routing mark so that the ip route entries with the matching routing mark from earlier catch the traffic, and mark the packets for the queue trees later, with the commands:

/ip firewall mangle add chain=prerouting \
action=mark-connection \
new-connection-mark=MODEM1 passthrough=yes \
src-address-list="IP leads to MODEM1" \
in-interface=local-client

/ip firewall mangle add chain=prerouting \
action=mark-routing new-routing-mark=MODEM1 \
passthrough=no in-interface=local-client \
connection-mark=MODEM1

/ip firewall mangle add chain=forward \
action=mark-packet new-packet-mark="MODEM1 DOWN" \
passthrough=no dst-address=192.168.3.2 \
connection-mark=MODEM1

/ip firewall mangle add chain=forward \
action=mark-packet new-packet-mark="MODEM1 UP" \
passthrough=no src-address=192.168.3.2 \
connection-mark=MODEM1

/ip firewall mangle add chain=prerouting \
action=mark-connection \
new-connection-mark=MODEM2 passthrough=yes \
src-address-list="IP leads to MODEM2" \
in-interface=local-client

/ip firewall mangle add chain=prerouting \
action=mark-routing new-routing-mark=MODEM2 \
passthrough=no in-interface=local-client \
connection-mark=MODEM2

/ip firewall mangle add chain=forward \
action=mark-packet new-packet-mark="MODEM2 DOWN" \
passthrough=no dst-address=192.168.3.3 \
connection-mark=MODEM2

/ip firewall mangle add chain=forward \
action=mark-packet new-packet-mark="MODEM2 UP" \
passthrough=no src-address=192.168.3.3 \
connection-mark=MODEM2

Next we create pcq queue types for the packet marks used in the queue trees, so that download and upload bandwidth is automatically shared evenly, with the commands:

/queue type add name=DOWN \
kind=pcq pcq-classifier=dst-address,dst-port

/queue type add name=UP \
kind=pcq pcq-classifier=src-address,src-port

Next we create the queue trees for download and upload, with the commands:

/queue tree add name="CLIENT MODEM1 DOWN" \
parent=global-out packet-mark="MODEM1 DOWN" \
limit-at=0 queue=DOWN priority=1 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

/queue tree add name="CLIENT MODEM2 DOWN" \
parent=global-out packet-mark="MODEM2 DOWN" \
limit-at=0 queue=DOWN priority=1 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s

/queue tree add name="CLIENT MODEM1 UP" \
parent=public-modem1 packet-mark="MODEM1 UP" \
limit-at=0 queue=UP priority=2 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s

/queue tree add name="CLIENT MODEM2 UP" \
parent=public-modem2 packet-mark="MODEM2 UP" \
limit-at=0 queue=UP priority=2 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0s

Next, the test results. I first set the computer's IP address to 192.168.3.2.
Then I tested, and the result was that browsing traffic went to modem1 and its queue was the modem1 one as well, which means it is working.

For the next test, I set the computer's IP address to 192.168.3.3.

Then I tested, and the result was that browsing traffic went to modem2 and its queue was the modem2 one as well, which means it is working.
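
The routing decision those rules set up can also be checked offline. The following is an added example, not part of the original post: a simplified model that walks the address lists, the prerouting mangle rules and the routes, and returns the gateway a client ends up on. The helper names `parse` and `gateway_for` are hypothetical, the embedded configuration is constructed from the commands above, and the model ignores route distance (an unlisted client simply gets the first unmarked route).

```python
import shlex

# Constructed input: the tutorial's rules in RouterOS export form, cut down to the fields modelled here.
CONFIG = """\
/ip firewall address-list add address=192.168.3.2 list="IP leads to MODEM1"
/ip firewall address-list add address=192.168.3.3 list="IP leads to MODEM2"
/ip firewall mangle add action=mark-connection new-connection-mark=MODEM1 src-address-list="IP leads to MODEM1"
/ip firewall mangle add action=mark-routing new-routing-mark=MODEM1 connection-mark=MODEM1 passthrough=no
/ip firewall mangle add action=mark-connection new-connection-mark=MODEM2 src-address-list="IP leads to MODEM2"
/ip firewall mangle add action=mark-routing new-routing-mark=MODEM2 connection-mark=MODEM2 passthrough=no
/ip route add gateway=192.168.1.1
/ip route add gateway=192.168.1.1 routing-mark=MODEM1
/ip route add gateway=192.168.9.1
/ip route add gateway=192.168.9.1 routing-mark=MODEM2
"""

def parse(config):
    """Split each 'add' line into (menu, {property: value})."""
    rules = []
    for line in config.splitlines():
        tokens = shlex.split(line)
        if "add" in tokens:
            cut = tokens.index("add")
            props = dict(t.split("=", 1) for t in tokens[cut + 1:] if "=" in t)
            rules.append((" ".join(tokens[:cut]), props))
    return rules

def gateway_for(src_ip, config=CONFIG):
    """Gateway chosen for a new connection from src_ip (simplified prerouting model)."""
    rules = parse(config)
    lists = {}
    for menu, p in rules:
        if menu == "/ip firewall address-list":
            lists.setdefault(p["list"], set()).add(p["address"])
    mangle = [p for menu, p in rules if menu == "/ip firewall mangle"]
    conn_mark = route_mark = None
    for p in mangle:  # mangle rules run top to bottom
        if p["action"] == "mark-connection" and src_ip in lists.get(p.get("src-address-list"), ()):
            conn_mark = p["new-connection-mark"]
        elif p["action"] == "mark-routing" and conn_mark and p.get("connection-mark") == conn_mark:
            route_mark = p["new-routing-mark"]
            if p.get("passthrough") == "no":
                break  # passthrough=no stops rule processing here
    routes = [p for menu, p in rules if menu == "/ip route"]
    for wanted in (route_mark, None):  # marked table first, then the main table
        for p in routes:
            if p.get("routing-mark") == wanted:
                return p["gateway"]
    return None
```

Running `gateway_for` against a copy of the configuration in which the MODEM2 route points at 192.168.1.1 returns modem1's gateway for both clients, which is the failure to look for when the two lines do not separate.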

Done and good luck .......

HOW TO HARDWARE RESET A MIKROTIK WIRELESS OR MIKROTIK ROUTER

If you forget the password of your Mikrotik wireless or Mikrotik router, and pressing the reset button on the back does not reset the Mikrotik either, you are forced to do a hardware reset. Here is how to hardware reset a Mikrotik wireless:

- Open the Mikrotik's case with a screwdriver:

- Then power on the Mikrotik:

- Look at the Mikrotik board; there is a round, golden-yellow copper pad:

- So that the gold pad is not scuffed or scratched by the screwdriver during the reset,
wrap your screwdriver in cigarette foil:

- With the Mikrotik still powered on, touch the foil-wrapped screwdriver to the
round yellow copper pad from earlier:

- Then, in turn, the Mikrotik will suddenly switch off:

- Hold for about 10 seconds:

- Then remove the screwdriver from the round yellow copper pad, and wait
about 5 minutes:

- Your Mikrotik hardware has now been reset; log back in as admin with the password left blank

- Good luck -

HOW TO SEE WIRELESS PASSWORD

Some of you may already know how to see a wireless password and some may not. An example application is here:
The application above looks very simple, and it is. What you need:
1. A Wi-Fi network / hotspot
2. A brain
3. Strong faith ...
4. A laptop
How to do it:
1. Open the application
2. Click the password-protected Wi-Fi network
3. Click Edit on the menu bar
4. Then click Copy Key (Hex) or Copy Key (Ascii); choose one
5. Paste it into the password field of that Wi-Fi network
6. Done