Mikrotik QoS

Got VoIP and a Mikrotik?
Need QoS?

/ip firewall mangle
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=prio_in \
    passthrough=yes protocol=udp src-address=ipofyoursipprovider
add action=mark-packet chain=forward comment="" disabled=no dst-address=ipofyoursipprovider \
    new-packet-mark=prio_out passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=rest_up \
    packet-mark=!prio_out passthrough=yes src-address=lan/24
add action=mark-packet chain=forward comment="" disabled=no dst-address=lan/24 \
    new-packet-mark=rest_down packet-mark=!prio_in passthrough=yes
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=rest_up \
    passthrough=yes src-address=wlan/24
add action=mark-packet chain=forward comment="" disabled=no dst-address=wlan/24 \
    new-packet-mark=rest_down passthrough=yes

The packets first have to be marked by the mangle rules above; the queue tree matches on those packet marks, so an unmarked packet never lands in a queue.

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=4096k \
    name=download packet-mark="" parent=global-out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=\
    monitoring_in packet-mark=prio_in parent=download priority=1 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=3800k \
    name=rest packet-mark=rest_down parent=download priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=4096k \
    name=upload packet-mark="" parent=global-out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=\
    monitoring_out packet-mark=prio_out parent=upload priority=1 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=3800k \
    name=rest-up packet-mark=rest_up parent=upload priority=8 queue=synchronous-default

Yes, I've got 4 Mbit/s symmetric at home.

Have fun

Mikrotik Packet Filter

Got Mikrotik?
Here is my config
Q: Which guy needs VLANs at home?
A: A guy with a Summit24 :-) Thanks to http://www.cheat.at

/ip firewall filter export
add action=accept chain=in_vlan10 comment="" disabled=no dst-port=8291 protocol=tcp src-address-list=\
    safe
add action=accept chain=in_vlan10 comment="" disabled=no dst-port=21 protocol=tcp src-address-list=safe
add action=drop chain=in_vlan10 comment="" disabled=no dst-port=22 protocol=tcp src-address-list=\
    ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w chain=in_vlan10 \
    comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=in_vlan10 \
    comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=in_vlan10 \
    comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=in_vlan10 \
    comment="" connection-state=new disabled=no dst-port=22 protocol=tcp
add action=accept chain=in_vlan10 comment="" disabled=no dst-port=22 protocol=tcp
add action=accept chain=in_vlan10 comment="" disabled=no icmp-options=8:0-255 protocol=icmp
add action=accept chain=in_vlan10 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan10 comment="" connection-state=related disabled=no
add action=log chain=in_vlan10 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan10 comment="" disabled=no

Here is my input chain for vlan10 (WAN), with the SSH-crawler auto-blacklister: a source that opens four new SSH connections while its previous stage entry is still alive (1 minute each) ends up in ssh_blacklist for two weeks and is dropped before the accept rule.
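To see why the rule order in the in_vlan10 chain matters, here is a small simulation of the staged address lists (this is an added example, not part of the original post and not RouterOS code): it replays constructed new-connection events against the same escalation, with the same 1-minute and 2-week timeouts, and assumes, as RouterOS does, that add-src-to-address-list does not stop rule processing, so the packet still reaches the later accept rule. The two source addresses and the timings are constructed samples.

```python
"""Simulate the ssh_stage1/2/3 -> ssh_blacklist escalation from the in_vlan10 chain."""
from dataclasses import dataclass, field

MINUTE = 60
WEEK = 7 * 24 * 3600


@dataclass
class AddressLists:
    """In-memory stand-in for /ip firewall address-list with per-entry timeouts."""
    lists: dict = field(default_factory=dict)  # name -> {address: expiry_time}

    def expire(self, now):
        # Drop every entry whose address-list-timeout has run out.
        for name in list(self.lists):
            self.lists[name] = {a: t for a, t in self.lists[name].items() if t > now}

    def contains(self, name, addr):
        return addr in self.lists.get(name, {})

    def add(self, name, addr, timeout, now):
        # Re-adding a listed address simply renews its timeout.
        self.lists.setdefault(name, {})[addr] = now + timeout


# Rule order mirrors the export: stage3 -> blacklist, stage2 -> stage3,
# stage1 -> stage2, then any new source -> stage1.  Checking the higher
# stage first is what keeps one connection from cascading through all stages.
ESCALATION = [
    ("ssh_stage3", "ssh_blacklist", 2 * WEEK),
    ("ssh_stage2", "ssh_stage3", MINUTE),
    ("ssh_stage1", "ssh_stage2", MINUTE),
    (None, "ssh_stage1", MINUTE),
]


def ssh_new_connection(lists, src, now):
    """Verdict ('drop' or 'accept') for a new TCP/22 connection from src at time now."""
    lists.expire(now)
    if lists.contains("ssh_blacklist", src):          # first rule: drop blacklisted
        return "drop"
    for required, target, timeout in ESCALATION:      # list additions fall through
        if required is None or lists.contains(required, src):
            lists.add(target, src, timeout, now)
    return "accept"                                   # final rule: accept port 22


def simulate(events):
    """Run (time_seconds, src_ip) events through the chain in time order.

    Returns (verdicts, lists): one verdict per event plus the final list state.
    """
    lists = AddressLists()
    verdicts = [ssh_new_connection(lists, src, t) for t, src in sorted(events)]
    return verdicts, lists


# Constructed sample events: a crawler hammering port 22, and a careful admin
# who waits two minutes between logins so the stage1 entry always expires.
CRAWLER = [(t, "198.51.100.7") for t in (0, 10, 20, 30, 40)]
ADMIN = [(t, "203.0.113.5") for t in (0, 120, 240)]

if __name__ == "__main__":
    verdicts, lists = simulate(CRAWLER + ADMIN)
    for (t, src), verdict in zip(sorted(CRAWLER + ADMIN), verdicts):
        print(f"t={t:4d}s {src:15} -> {verdict}")
    print("blacklisted:", sorted(lists.lists.get("ssh_blacklist", {})))
```

The crawler's fifth connection is the first one dropped; the admin never gets past ssh_stage1 because each stage entry has expired before the next login.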

add action=accept chain=in_vlan11 comment="" disabled=no dst-port=8291 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=80 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=22 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=21 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=53 protocol=udp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=67 protocol=udp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no icmp-options=8:0-255 protocol=icmp \
    src-address-list=lan
add action=accept chain=in_vlan11 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan11 comment="" connection-state=related disabled=no
add action=log chain=in_vlan11 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan11 comment="" disabled=no

Here is my input chain for vlan11 (LAN).

add action=accept chain=in_vlan12 comment="" disabled=no icmp-options=8:0-255 protocol=icmp \
    src-address-list=vlan12
add action=accept chain=in_vlan12 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan12 comment="" connection-state=related disabled=no
add action=log chain=in_vlan12 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan12 comment="" disabled=no

Here is my input chain for vlan12 (switch management).

add action=accept chain=in_vlan13 comment="" disabled=no icmp-options=8:0-255 protocol=icmp \
    src-address-list=vlan13
add action=accept chain=in_vlan13 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan13 comment="" connection-state=related disabled=no
add action=log chain=in_vlan13 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan13 comment="" disabled=no

Here is my input chain for vlan13 (WLAN); I use "pwgen -s 60" for the WPA key.

add action=accept chain=forward_vlan11 comment="" disabled=no out-interface=vlan10 src-address-list=lan
add action=accept chain=forward_vlan11 comment="" disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=xx \
    out-interface=vlan11 protocol=tcp src-address-list=safe
add action=accept chain=forward_vlan11 comment="" disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=xxxx \
    out-interface=vlan11 protocol=tcp
add action=accept chain=forward_vlan11 comment="" connection-state=established disabled=no
add action=accept chain=forward_vlan11 comment="" connection-state=related disabled=no
add action=log chain=forward_vlan11 comment="" disabled=yes log-prefix=""
add action=drop chain=forward_vlan11 comment="" disabled=no

Here is my forward chain for vlan11 (LAN), with 2 port forwards and out-interface vlan10 only,
so no WLAN client is able to get from vlan13 to vlan10 to vlan12 etc., or the reverse.

add action=accept chain=forward_vlan12 comment="" disabled=no out-interface=vlan10 src-address-list=\
    vlan12
add action=accept chain=forward_vlan12 comment="" connection-state=established disabled=no
add action=accept chain=forward_vlan12 comment="" connection-state=related disabled=no
add action=log chain=forward_vlan12 comment="" disabled=yes log-prefix=""
add action=drop chain=forward_vlan12 comment="" disabled=no

Here is my forward chain for vlan12 (switch management), allowed out so ntpdate works :-)

add action=accept chain=forward_vlan13 comment="" disabled=no out-interface=vlan10 src-address-list=\
    vlan13
add action=accept chain=forward_vlan13 comment="" connection-state=established disabled=no
add action=accept chain=forward_vlan13 comment="" connection-state=related disabled=no
add action=log chain=forward_vlan13 comment="" disabled=yes log-prefix=""
add action=drop chain=forward_vlan13 comment="" disabled=no

Here is my forward chain for vlan13 (WLAN).

add action=jump chain=input comment="" disabled=no in-interface=vlan10 jump-target=in_vlan10
add action=jump chain=input comment="" disabled=no in-interface=vlan11 jump-target=in_vlan11
add action=jump chain=input comment="" disabled=no in-interface=vlan12 jump-target=in_vlan12
add action=jump chain=input comment="" disabled=no in-interface=vlan13 jump-target=in_vlan13
add action=accept chain=input comment="" connection-state=established disabled=no
add action=accept chain=input comment="" connection-state=related disabled=no
add action=log chain=input comment="" disabled=yes log-prefix=""
add action=drop chain=input comment="" disabled=no

Here are the jumps from the input chain into the per-VLAN input chains.

add action=jump chain=forward comment="" disabled=no jump-target=forward_vlan11 src-address-list=lan
add action=jump chain=forward comment="" disabled=no dst-address-list=lan jump-target=forward_vlan11
add action=jump chain=forward comment="" disabled=no jump-target=forward_vlan12 src-address-list=vlan12
add action=jump chain=forward comment="" disabled=no jump-target=forward_vlan13 src-address-list=vlan13
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=log chain=forward comment="" disabled=yes log-prefix=""
add action=drop chain=forward comment="" disabled=no

Here are the jumps from the forward chain into the per-VLAN forward chains.

/ip firewall nat export
add action=src-nat chain=srcnat comment="" disabled=no out-interface=vlan10 src-address=xxx.xxx.xxx.xxx/xx \
    to-addresses=xxx.xxx.xxx.xxx
add action=src-nat chain=srcnat comment="" disabled=no out-interface=vlan10 src-address=xxx.xxx.xxx.xxx/xx \
    to-addresses=xxx.xxx.xxx.xxx
add action=src-nat chain=srcnat comment="" disabled=no out-interface=vlan10 src-address=xxx.xxx.xxx.xxx/xx \
    to-addresses=xxx.xxx.xxx.xxx
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=xxxx \
    protocol=tcp to-addresses=xxx.xxx.xxx.xxx to-ports=xx
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=xxx.xxx.xxx.xxx/xx dst-port=xxxx \
    protocol=tcp to-addresses=xxx.xxx.xxx.xxx/xx to-ports=xxxx

Here is my NAT table.

Have fun

Find out MTU size and MSS

Hi

My MTU size is 1500 :-) because I've got no dial-in tunneling on my internet uplink.

ping -c 2 -M do -s 1472 gmx.net
PING gmx.net (213.165.65.50) 1472(1500) bytes of data.
1480 bytes from gmx.net (213.165.65.50): icmp_seq=1 ttl=54 time=59.3 ms
1480 bytes from gmx.net (213.165.65.50): icmp_seq=2 ttl=54 time=40.4 ms

When I ping my brother's xDSL uplink I get this MTU size:

:~# ping -c 2 -M do -s 1464 blah.blah.org
PING blah.blah.org (0.0.0.0) 1464(1492) bytes of data.
1472 bytes from blah.blah.org (0.0.0.0): icmp_seq=1 ttl=54 time=63.4 ms
1472 bytes from blah.blah.org (0.0.0.0): icmp_seq=2 ttl=54 time=63.9 ms

28 bytes is overhead (20 bytes IPv4 header + 8 bytes ICMP header), so the -s payload plus 28 gives the MTU:
1472 + 28 = 1500
1464 + 28 = 1492

If you have some tunneling active, like PPPoE,
you need TCP MSS clamping.

With a PPPoE dial-in you've got an MTU of 1492, and the MSS is
MTU - IP header - TCP header:
1492 - 20 - 20 = 1452
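The arithmetic above, plus the two manual pings generalised into a binary search, as an added example (not from the original post): mtu_from_ping_output parses ping sessions like the ones shown, mss_for_mtu does the MTU minus IP minus TCP subtraction, and discover_path_mtu finds the largest DF-flagged packet that still gets through. fake_pppoe_path is a hypothetical stand-in for a real "ping -M do -s N" across a 1492-byte link so that the search runs offline; the two ping transcripts are constructed samples in iputils format.

```python
"""Path MTU and TCP MSS helpers around `ping -M do -s N host`."""
import re

IP_HEADER = 20     # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo header; 20 + 8 = the 28 bytes of overhead
TCP_HEADER = 20    # TCP header without options


def ping_payload(mtu):
    """The -s value that makes ping send a packet exactly mtu bytes long on the wire."""
    return mtu - IP_HEADER - ICMP_HEADER


def mss_for_mtu(mtu, ip_header=IP_HEADER, tcp_header=TCP_HEADER):
    """TCP MSS to clamp to for a given path MTU (1492 -> 1452, 1500 -> 1460)."""
    return mtu - ip_header - tcp_header


PING_LINE = re.compile(r"\((\d+)\) bytes of data")


def mtu_from_ping_output(text):
    """Parse one `ping -M do -s N host` session.

    Returns the on-the-wire size (the number in parentheses on the PING line)
    when at least one echo reply came back, or None when nothing got through.
    """
    m = PING_LINE.search(text)
    replies = sum(1 for line in text.splitlines() if " bytes from " in line)
    return int(m.group(1)) if m and replies else None


def discover_path_mtu(probe, low=576, high=1500):
    """Largest MTU in [low, high] for which probe(payload) succeeds.

    probe(payload) plays the role of `ping -M do -s payload` and returns True
    when a reply arrived.  The loop keeps the invariant "low passes, high fails".
    """
    if probe(ping_payload(high)):
        return high
    if not probe(ping_payload(low)):
        return None
    while high - low > 1:
        mid = (low + high) // 2
        if probe(ping_payload(mid)):
            low = mid
        else:
            high = mid
    return low


# Constructed sample: the successful 1500-byte probe from the post.
SAMPLE_PING = """PING gmx.net (213.165.65.50) 1472(1500) bytes of data.
1480 bytes from gmx.net (213.165.65.50): icmp_seq=1 ttl=54 time=59.3 ms
1480 bytes from gmx.net (213.165.65.50): icmp_seq=2 ttl=54 time=40.4 ms
"""

# Constructed sample: a 1500-byte DF probe over a 1492-byte path (no replies).
SAMPLE_PING_TOO_BIG = """PING blah.blah.org (0.0.0.0) 1472(1500) bytes of data.
From 0.0.0.0 icmp_seq=1 Frag needed and DF set (mtu = 1492)
"""


def fake_pppoe_path(payload, path_mtu=1492):
    """Hypothetical stand-in for a real ping across a PPPoE link (assumption)."""
    return payload + IP_HEADER + ICMP_HEADER <= path_mtu


if __name__ == "__main__":
    print("post's first ping got through with MTU", mtu_from_ping_output(SAMPLE_PING))
    print("oversized probe parsed as", mtu_from_ping_output(SAMPLE_PING_TOO_BIG))
    mtu = discover_path_mtu(fake_pppoe_path)
    print("binary search found path MTU", mtu, "-> clamp MSS to", mss_for_mtu(mtu))
```

To use it against a real host, replace fake_pppoe_path with a function that runs ping -c 1 -M do -s payload and returns whether mtu_from_ping_output of its stdout is not None; the search then needs about ten pings instead of guessing payload sizes by hand.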

Have fun

Dovecot Roundcube sieve filter

Hi

First of all you need Dovecot version 1.1.x.

You need to activate the managesieve plugin in Roundcube:

config/main.inc.php
$rcmail_config['plugins'] = array('managesieve');

Now activate sieve support in Dovecot:

protocols = imap imaps managesieve
protocol managesieve {
  sieve=~/Maildir/.dovecot.sieve
  sieve_storage=~/Maildir/sieve
}

plugin {
  sieve=~/Maildir/.dovecot.sieve
  sieve_dir=~/Maildir/sieve
}

protocol lda {
  mail_plugins = quota cmusieve
}

Ready