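This post was last edited by hyes on 2021-7-12 15:08
I captured the traffic of several mainstream short-video apps, and am sharing the QoS policy I use while I'm at it.
If this is posted in the wrong section, could a moderator please move it. Thanks, CHH.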
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
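The device I started with was the RBD52G-5HacD2HnD, i.e. the hAP ac2, shown in the picture below. I also used a Dell SFF x86 machine with an i3 7100, with no virtual machine, running RouterOS bare-metal from a SATA disk. But it drew 20 W when running, while the ac2 only needs 5 W, so in the end I gave that up too.
The setup I use now is a 19 cm x 19 cm J3160 motherboard pulled from a Haier machine. The board probably has a BIOS problem, and running ROS bare-metal on it loses the NIC driver. So it uses a dual-port Intel PRO network card in the board's PCIe slot; power draw is around 10 W.
Environment and notes on the QoS rules:
1. As for the environment, at most three or four mobile devices are in use at the same time. There is also a PC and a NAS; the NAS runs Debian as a side-gateway/transparent proxy.
2. The router does DNS hijacking, IP-based traffic splitting and L2TP. Because of the AC2's storage size limit, I did not do DNS-poisoning-based ad blocking on the ac2, but the x86 box does ad blocking based on DNS hijacking and poisoning.
3. Below, the LAN segment is 192.168.50.0/24 and the broadband is 300M.
4. The L7 rules plus the other settings are somewhat CPU-hungry.
5. In fact the most effective QoS is equal bandwidth sharing: 90% of the bandwidth divided by the number of devices. The problem with equal sharing without flow control is that if one flow inside a device fills that device's share, its Internet access suffers; the typical case is a PC doing full-speed P2P downloads, after which the PC can no longer browse. That is only the theory. In practice, download software nowadays downloads intelligently, and in a home environment PCs are used less and less; most usage is on mobile devices, which can be thought of as not multitasking. So normally equal bandwidth sharing alone is enough. What follows is purely for discussion and learning.
6. The idea behind the flow control below is: DNS first, games and small packets first. Game packets are split into TCP and UDP. I only play Honor of Kings here, so I tested with it and optimized accordingly. On iOS, Honor of Kings uses roughly UDP 5010, 8080 (may not apply after a match starts), 16285, 17005, 18301, plus one random UDP port, and TCP 34087. Game packets are basically around 512 in size, at a rate of around 80K. A match lasts about half an hour and the conn is around 15M. Based on this, rate, packet size and conn size are used to locate the traffic, and game packets and small packets are lumped together for priority. Many P2P packets are also low-rate small packets, so L7 has to mark them first; the rest (video packets, file download packets, large packets and so on) are used or not as the situation requires.
7. Earlier I used L7 to identify P2P flows, added the dst-addr to a list, then marked in mangle, but there were rather many IPs. Later I switched to the common approach: use L7 to locate the LAN IP doing P2P, then treat conns from that IP with dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 as P2P conns. There may be some probability of mis-marking, but P2P is located here not to block it, only to give it low priority, so it's fine.
8. In the setup shared below, all the layer7 and mangle rules are included. Used directly on an ac2, the CPU may overload and reboot; it is currently on x86, whose CPU can keep up, so in actual use, add or remove rules as needed.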
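Since item 8 invites adding and removing rules, the following added example (not part of the original post) cross-checks a RouterOS export for layer-7 matchers, address lists and marks that are referenced but that no enabled rule defines. The helper names `parse_export` and `find_dangling` are hypothetical, and the sample export is constructed for illustration, using rule and list names of the kind that appear in the export below.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from rules of the kind shown in this post.
SAMPLE_EXPORT = r'''
/ip firewall address-list
add address=192.168.50.0/24 list=OnLineClient
/ip firewall layer7-protocol
add name=Http regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9]"
/ip firewall filter
add action=add-src-to-address-list address-list=00_p2p_src_addr \
    address-list-timeout=30m chain=forward disabled=yes \
    src-address-list=OnLineClient
/ip firewall mangle
add action=mark-connection chain=forward layer7-protocol=Http \
    new-connection-mark=http passthrough=yes protocol=tcp
add action=mark-connection chain=forward layer7-protocol=baidu_video \
    new-connection-mark=video_baidu passthrough=yes
add action=mark-connection chain=forward new-connection-mark=p2p \
    passthrough=yes protocol=tcp src-address-list=zz_p2p_src_addr
add action=mark-packet chain=forward connection-mark=http \
    dst-address-list=OnLineClient new-packet-mark=http_d passthrough=no
/queue tree
add max-limit=280M name=01_down parent=global
add max-limit=60M name=D5_http packet-mark=http_down parent=01_down
'''

# key=value pairs; a value is either a quoted string or a run of non-spaces.
PAIR = re.compile(r'([\w-]+)=("(?:\\.|[^"\\])*"|\S+)')

# Parameter that uses a name -> kind of object it must refer to.
USES = {
    'layer7-protocol': 'layer7-protocol',
    'src-address-list': 'address-list',
    'dst-address-list': 'address-list',
    'connection-mark': 'connection-mark',
    'packet-mark': 'packet-mark',
}
# Parameter that creates a name -> kind of object it creates.
CREATES = {
    'new-connection-mark': 'connection-mark',
    'new-packet-mark': 'packet-mark',
}


def parse_export(text):
    """Return (section, params) for every enabled 'add' line of an export."""
    # Export lines are wrapped with a trailing backslash; join them first.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    section, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            section = line
        elif line.startswith('add '):
            params = {k: v.strip('"') for k, v in PAIR.findall(line)}
            if params.get('disabled') != 'yes':   # disabled rules do nothing
                rules.append((section, params))
    return rules


def find_dangling(text):
    """Return sorted (kind, name, section) for each reference to a layer-7
    matcher, address list or mark that no enabled rule defines."""
    defined, used = defaultdict(set), set()
    for section, p in parse_export(text):
        if section == '/ip firewall layer7-protocol':
            defined['layer7-protocol'].add(p.get('name'))
        elif section == '/ip firewall address-list':
            defined['address-list'].add(p.get('list'))
        # Lists can also be filled at run time by add-src/dst-to-address-list.
        if p.get('action', '').endswith('-to-address-list'):
            defined['address-list'].add(p.get('address-list'))
        for key, kind in CREATES.items():
            if key in p:
                defined[kind].add(p[key])
        for key, kind in USES.items():
            for name in p.get(key, '').split(','):
                name = name.lstrip('!')            # "!MyVPS" still uses MyVPS
                if name and name != 'no-mark':
                    used.add((kind, name, section))
    return sorted(u for u in used if u[1] not in defined[u[0]])


if __name__ == '__main__':
    for kind, name, section in find_dangling(SAMPLE_EXPORT):
        print(f'{section}: {kind} "{name}" is referenced but never defined')
```

Running it against a full export saved to a file only needs `find_dangling(open(path).read())`; rules with `disabled=yes` are ignored both as definitions and as references.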
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#update_210606_new
#update_2021-06-06_11:02
# may/27/2021 20:17:41 by RouterOS 6.47.10
#
# model = X86
/ip firewall address-list
add address=192.168.50.0/24 list=OnLineClient
add address=www.your-domain-name.com list=MyVPS
add address=www.your-domain-name-1.com list=MyVPS
add address=91.226.212.11 comment=00_p2p_eule_addr list=00_p2p_dst_addr
add address=114.55.28.216 comment=00_p2p_eule_addr list=00_p2p_dst_addr
add address=176.103.48.36 comment=00_p2p_eule_addr list=00_p2p_dst_addr
add address=212.83.184.152 comment=00_p2p_eule_addr list=00_p2p_dst_addr
add address=176.103.56.135 comment=00_p2p_eule_addr list=00_p2p_dst_addr
add address=52.14.246.143 comment=00_p2p_eule_addr list=00_p2p_dst_addr
add address=14.105.93.213 comment=00_p2p_eule_addr list=00_p2p_dst_addr
add address=80.208.228.241 comment=00_p2p_eule_addr list=00_p2p_dst_addr
add address=176.103.56.98 comment=00_p2p_eule_addr list=00_p2p_dst_addr
add address=62.210.28.77 comment=00_p2p_eule_addr list=00_p2p_dst_addr
add address=213.183.51.211 comment=00_p2p_eule_addr list=00_p2p_dst_addr
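##Some of the L7 rules used; some are rules that have been circulating for a long time, some I wrote in the last couple of days
##The QQMusic L7 rule also matches Honor of Kings traffic, so in the mangle rules below the small-packet and games marking rules are placed before file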
/ip firewall layer7-protocol
add name=DNS regexp="^.\?.\?.\?.\?[\\x01\\x02].\?.\?.\?.\?.\?.\?[\\x01-\?][a-z\
0-9_][\\x01-\?a-z_]*[\\x02-\\x06](io)[\\x01-\\x10\\x1c][\\x01\\x03\\x04\\x\
FF]"
add comment=Xunlei name=layer7-p2p-Xunlei regexp=\
"^[()]...\?.\?.\?(reg|get|query)"
add comment=Torrent name=layer7-p2p-qBit regexp="^(\\x13bittorrent protocol|az\
ver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /clien\
t/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment=Bitcomet name=layer7-p2p-Bitcomet regexp=\
"^.*\\/client\\/bitcomet\\/.*\$"
add name=Http regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\t-\r -~]*(con\
nection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01]\\\
.[019]"
add name=PPStream regexp="^.\?.\?\\c.+\\c"
add name=QQLive regexp="(^get.+_.+_.+(\\.mp4|\\.flv)|^get.+(livep.\?.\?.\?)\?\
\\.(now[0-9]\?[0-9]\?|l.\?.\?.\?|wxqcloud)(\\.gtimg|\\.qq)\\.com|^\\xFE.\?\
.\?.\?.\?\\xD3)"
add name=NetTV regexp=\
"^.*get.+(\\.flv|\\.f4v|\\.hlv|\\.rm|\\.swf|\\.wma|\\.mp4|\\.mp3).*\$"
add name=Qiyi regexp="^(get|post).+\\qiyi\\.\\com\\/\\player.+\\.swf"
add comment=layer7-BitTorrent name=layer7-bittorrent regexp="^(\\x13bittorrent\
\_protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_has\
h=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=xhs regexp="^get.*(video|live).*\\.xhscdn\\.com.*\$"
add name=byte regexp="^get.+((v|lf|sf)[0-9]\?[0-9]\?|pull|download).*\\.(bd|i)\
*(huoshan|xigua|douyin|pstatp|yangyi[0-9]\?[0-9]\?)(vod|tatic|cdn)*\\.com.\
*\$"
add name=kuaishou regexp="^get.*((ali|js|mov|tx)[0-9]\?[0-9]\?\\.a\\.yximgs\\.\
com|(static|pull)\\.yximgs\\.com|v[0-9]\?[0-9]\?\\.kwaicdn\\.com)"
add name=l7_qqvideo regexp="^get.*(ts|ws|[a-z]\\.\?weishi|qqvideo|shortv|livep\
.\?.\?.\?|ugcyd|(now|dldir)[0-9]\?[0-9]\?)\\.(cdp|tc|now|dldir[0-9]\?[0-9]\
\?|l.\?.\?.\?|wxqcloud)\?\\.(qq|cdntips|gtimg)\\.(com|net)"
add name=File regexp="^.*get.+(\\.iso|\\.exe|\\.zip|\\.rar|\\.7z|\\.gho|\\.pdf\
|\\.avi|\\.mkv|\\.wmv|\\.wav|\\.flac|\\.ape|\\.msi).*\$"
add name=QQMusic regexp=\
"(^\\xFE.\?.\?.\?.\?\\xCF|^get.+\\qqmusic.\?\\qq.+\\qqmusic)"
add name=Tencent_qq regexp="^.\?.\?[\\x02|\\x05]\\x22\\x27.+|^.\?.\?[\\x02|\\x\
05]\\x22\\x27.+[\\x03|\\x09]\$|^.\?.\?\\x02.+\\x03\$|^/xFE/x42../x42/x02/x\
0B/x7D/x98/x38/xE4.+"
add name=Tencent_qqgame regexp="^.\?.\?\\x2D.+[\\x25\\x62\\x0E\\xC1\\x5F\\x6C|\
\\xFF\\xFF\\x20\\xCF\\x42\\x53|\\xFF\\xFF\\x10\\x17\\x87\\xA3|\\x3E\\x7F\\\
x20\\xCF\\x42\\x53|\\x1F\\x43\\x10\\x17\\x87\\xA3]|^\\x05\\x22.+\\x03\$"
add name=Http-web regexp=\
"\\.jsp|\\.shtml|\\.html|\\.htm|\\.php|\\.asp|\\.aspx|\\.cgi"
add name=Kugou regexp=\
"(^post.+\\x0D\\x0A\\x0D\\x0A|^http.+\\x0D\\x0A\\x0D\\x0A|^e)"
add name=Http-img regexp="\\.jpg|\\.png|\\.gif|\\.bmp|\\.jpeg"
add name=Http-jpg regexp="^.*(post|POST|get|GET).+\\.jpg.+\\http"
##filter locates the LAN IPs that are using P2P; the timeout is tentatively set to 30 minutes
/ip firewall filter
add action=add-src-to-address-list address-list=00_p2p_src_addr \
address-list-timeout=2h chain=forward comment="Add src to addr list_P2P" \
disabled=yes dst-address-list=!MyVPS layer7-protocol=layer7-bittorrent \
src-address-list=OnLineClient
add action=add-src-to-address-list address-list=00_p2p_src_addr \
address-list-timeout=30m chain=forward comment=\
"Add src to addr list_Bitcomet" disabled=yes dst-address-list=!MyVPS \
layer7-protocol=layer7-p2p-Bitcomet src-address-list=OnLineClient
add action=add-src-to-address-list address-list=00_p2p_src_addr \
address-list-timeout=30m chain=forward comment=\
"Add src to addr list_Xunlei" disabled=yes dst-address-list=!MyVPS \
layer7-protocol=layer7-p2p-Xunlei src-address-list=OnLineClient
add action=add-src-to-address-list address-list=00_p2p_src_addr \
address-list-timeout=30m chain=forward comment=\
"Add src to addr list_qBit" disabled=yes dst-address-list=!MyVPS \
layer7-protocol=layer7-p2p-qBit src-address-list=OnLineClient
add action=add-dst-to-address-list address-list=00_p2p_dst_addr \
address-list-timeout=1h chain=forward comment=\
"Add L7P2P-dst-addr to list" dst-address-list=!MyVPS layer7-protocol=\
layer7-bittorrent src-address-list=OnLineClient
add action=add-dst-to-address-list address-list=00_p2p_dst_addr \
address-list-timeout=1h chain=forward comment=\
"Add L7Bitcomet-dst-addr to list" dst-address-list=!MyVPS \
layer7-protocol=layer7-p2p-Bitcomet src-address-list=OnLineClient
add action=add-dst-to-address-list address-list=00_p2p_dst_addr \
address-list-timeout=2h chain=forward comment=\
"Add L7Xunlei-dst-addr to list" dst-address-list=!MyVPS layer7-protocol=\
layer7-p2p-Xunlei src-address-list=OnLineClient
add action=add-dst-to-address-list address-list=00_p2p_dst_addr \
address-list-timeout=2h chain=forward comment=\
"Add L7Qbit-dst-addr to list" dst-address-list=!MyVPS layer7-protocol=\
layer7-p2p-qBit src-address-list=OnLineClient
##mangle: mark traffic and packets (pac)
/ip firewall mangle
add action=mark-connection chain=forward comment=\
"01_Start_For_queue_mark :: VIP_con -- your_server_port_12345" new-connection-mark=VIP \
passthrough=yes port=12345 protocol=udp
add action=mark-packet chain=forward comment=VIP_pac_up connection-mark=VIP \
new-packet-mark=VIP_u passthrough=no src-address-list=OnLineClient
add action=mark-packet chain=forward comment=VIP_pac_down connection-mark=VIP \
new-packet-mark=VIP_d passthrough=no
add action=mark-connection chain=forward comment=\
"DNS\BA\CDICMP_conn: layer7 DNS" layer7-protocol=DNS new-connection-mark=\
dns&icmp passthrough=yes
add action=mark-connection chain=forward comment=\
"DNS\BA\CDICMP_conn: port 53_prerouting" dst-address-list=DNSs dst-port=\
53 new-connection-mark=dns&icmp passthrough=yes protocol=udp
add action=mark-connection chain=output comment=\
"DNS\BA\CDICMP_conn: output layer7 DNS" layer7-protocol=DNS \
new-connection-mark=dns&icmp passthrough=yes
add action=mark-connection chain=output comment=\
"DNS\BA\CDICMP_conn: port 53_output" dst-address-list=DNSs dst-port=53 \
new-connection-mark=dns&icmp passthrough=yes protocol=udp
add action=mark-connection chain=forward comment="DNS\BA\CDICMP_conn: icmp" \
new-connection-mark=dns&icmp passthrough=yes protocol=icmp
add action=mark-packet chain=forward comment="DNS\BA\CDICMP_pac: up" \
connection-mark=dns&icmp new-packet-mark=DNS&ICMP_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="DNS\BA\CDICMP_pac: down" \
connection-mark=dns&icmp new-packet-mark=DNS&ICMP_d passthrough=no
add action=mark-connection chain=forward comment=Honor_of_Kings_conn-udp_5010 \
connection-rate=1-128k dst-port=5010 new-connection-mark=Honor_of_Kings \
passthrough=yes protocol=udp
add action=mark-connection chain=forward comment=\
Honor_of_Kings_conn-udp_16285 connection-rate=1-128k dst-port=16285 \
new-connection-mark=Honor_of_Kings passthrough=yes protocol=udp
add action=mark-connection chain=forward comment=\
Honor_of_Kings_conn-udp_17005 connection-rate=1-128k dst-port=17005 \
new-connection-mark=Honor_of_Kings passthrough=yes protocol=udp
add action=mark-connection chain=forward comment=\
Honor_of_Kings_conn-udp_18301 connection-rate=1-128k dst-port=18301 \
new-connection-mark=Honor_of_Kings passthrough=yes protocol=udp
add action=mark-connection chain=forward comment=\
Honor_of_Kings_conn-tcp_10027 connection-rate=1-128k new-connection-mark=\
Honor_of_Kings passthrough=yes port=10027 protocol=tcp
add action=mark-packet chain=forward comment=Honor_of_Kings_pac_up \
connection-mark=Honor_of_Kings new-packet-mark=Honor_of_Kings_u \
passthrough=no src-address-list=OnLineClient
add action=mark-packet chain=forward comment=Honor_of_Kings_pac_down \
connection-mark=Honor_of_Kings new-packet-mark=Honor_of_Kings_d \
passthrough=no
add action=mark-connection chain=forward comment=\
"p2p_coon:: p2p_src_addr-tcp" dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 new-connection-mark=p2p \
passthrough=yes protocol=tcp src-address-list=zz_p2p_src_addr
add action=mark-connection chain=forward comment=\
"p2p_coon:: p2p_src_addr-udp" dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 new-connection-mark=p2p \
passthrough=yes protocol=udp src-address-list=zz_p2p_src_addr
add action=mark-connection chain=forward comment=\
"p2p_coon:: p2p_dst_addr-udp" disabled=yes dst-address-list=\
zz_p2p_dst_addr dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 \
new-connection-mark=p2p passthrough=yes protocol=udp
add action=mark-connection chain=forward comment=\
"p2p_coon:: p2p_dst_addr-tcp" disabled=yes dst-address-list=\
zz_p2p_dst_addr dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 \
new-connection-mark=p2p passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="mark pac_p2p_up" \
connection-mark=p2p new-packet-mark=p2p_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="mark pac_p2p_down" \
connection-mark=p2p new-packet-mark=p2p_d passthrough=no
add action=mark-connection chain=forward comment=all_conn connection-mark=\
!heavy new-connection-mark=all_conn passthrough=yes
add action=mark-connection chain=forward comment=light_udp_traffic_conn \
connection-bytes=1-15000000 connection-mark=all_conn connection-rate=\
1-92k new-connection-mark=light_udp packet-size=1-512 passthrough=yes \
protocol=udp
add action=mark-packet chain=forward comment=light_udp_pac_up \
connection-mark=light_udp new-packet-mark=light_udp_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment=light_udp_pac_down \
connection-mark=light_udp new-packet-mark=light_udp_d passthrough=no
add action=mark-connection chain=forward comment="video_bytexhs_conn: byte" \
connection-mark=all_conn layer7-protocol=byte new-connection-mark=\
video_byte passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: byte" \
connection-mark=video_byte new-packet-mark=video_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: byte" \
connection-mark=video_byte new-packet-mark=video_d passthrough=no
add action=mark-connection chain=forward comment="video_bytexhs_conn: xhs" \
connection-mark=all_conn layer7-protocol=xhs new-connection-mark=\
video_xhs passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac:: xhs" \
connection-mark=video_xhs new-packet-mark=video_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac:: xhs" \
connection-mark=video_xhs new-packet-mark=video_d passthrough=no
add action=mark-connection chain=forward comment="video_conn: kuaishou" \
connection-mark=all_conn layer7-protocol=kuaishou new-connection-mark=\
video_kuaishou passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: kuaishou" \
connection-mark=video_kuaishou new-packet-mark=video_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: kuaishou" \
connection-mark=video_kuaishou new-packet-mark=video_d passthrough=no
add action=mark-connection chain=forward comment=video_l7qqv_conn \
connection-mark=all_conn layer7-protocol=l7_qqvideo new-connection-mark=\
video_l7qqv passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: l7qqvideo" \
connection-mark=video_l7qqv new-packet-mark=video_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: l7qqvideo" \
connection-mark=video_l7qqv new-packet-mark=video_d passthrough=no
add action=mark-connection chain=forward comment="Video_conn: QQlive" \
connection-mark=all_conn layer7-protocol=QQLive new-connection-mark=\
video_QQLive passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: QQlive" \
connection-mark=video_QQLive new-packet-mark=video_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: QQlive" \
connection-mark=video_QQLive new-packet-mark=video_d passthrough=no
add action=mark-connection chain=forward comment="Video_conn: Qiyi" \
connection-mark=all_conn layer7-protocol=Qiyi new-connection-mark=\
video_Qiyi passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: Qiyi" \
connection-mark=video_Qiyi new-packet-mark=video_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: Qiyi" \
connection-mark=video_Qiyi new-packet-mark=video_d passthrough=no
add action=mark-connection chain=forward comment="vido_conn: baidu" \
connection-mark=all_conn layer7-protocol=baidu_video new-connection-mark=\
video_baidu passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: baidu" \
connection-mark=video_baidu new-packet-mark=video_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: baidu" \
connection-mark=video_baidu new-packet-mark=video_d passthrough=no
add action=mark-connection chain=forward comment="vido_conn: NetTV" \
connection-mark=all_conn layer7-protocol=NetTV new-connection-mark=\
video_NetTV passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: NetTV" \
connection-mark=video_NetTV new-packet-mark=video_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: NetTV" \
connection-mark=video_NetTV new-packet-mark=video_d passthrough=no
add action=mark-connection chain=forward comment="Video_conn: PPStream" \
connection-mark=all_conn layer7-protocol=PPStream new-connection-mark=\
video_PPStream passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: PPStream" \
connection-mark=video_PPStream new-packet-mark=video_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: PPStream" \
connection-mark=video_PPStream new-packet-mark=video_d passthrough=no
add action=mark-connection chain=forward comment="small pac conn: UDP" \
connection-bytes=1-15000000 connection-mark=all_conn connection-rate=\
1-96k new-connection-mark=small_pac packet-size=1-311 passthrough=yes \
protocol=udp
add action=mark-connection chain=forward comment="small pac conn: TCP" \
connection-bytes=1-15000000 connection-mark=all_conn connection-rate=\
1-80k dst-port=!80,8080 new-connection-mark=small_pac packet-size=1-311 \
passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=small_pac_u connection-mark=\
small_pac new-packet-mark=small_pac_u passthrough=no src-address-list=\
OnLineClient
add action=mark-packet chain=forward comment=small_pac_d connection-mark=\
small_pac new-packet-mark=small_pac_d passthrough=no
add action=mark-connection chain=forward comment=http_conn_HTTP \
connection-mark=all_conn layer7-protocol=Http new-connection-mark=http \
passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment=http_conn_HTTP-web \
connection-mark=all_conn layer7-protocol=Http-web new-connection-mark=http \
passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment=http_conn_HTTP-jpg \
connection-mark=all_conn layer7-protocol=Http-jpg new-connection-mark=http \
passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment=http_conn_HTTP-img \
connection-mark=all_conn layer7-protocol=Http-img new-connection-mark=\
http passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=http_pac::http_up \
connection-mark=http new-packet-mark=http_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment=http_pac::http_down \
connection-mark=http dst-address-list=OnLineClient new-packet-mark=http_d \
passthrough=no
add action=mark-connection chain=forward comment=file_conn::file \
connection-mark=all_conn layer7-protocol=File new-connection-mark=file \
passthrough=yes
add action=mark-connection chain=forward comment=file_conn::QQMusic \
connection-mark=all_conn layer7-protocol=QQMusic new-connection-mark=file \
passthrough=yes
add action=mark-connection chain=forward comment=file_conn::Kugou \
connection-mark=all_conn layer7-protocol=Kugou \
new-connection-mark=file passthrough=yes
add action=mark-packet chain=forward comment=file_pac::file_down \
connection-mark=file dst-address-list=OnLineClient new-packet-mark=file_d \
passthrough=no
add action=mark-packet chain=forward comment=file_pac::file_up \
connection-mark=file new-packet-mark=file_u passthrough=no \
src-address-list=OnLineClient
add action=mark-connection chain=forward comment=heavy_traffic_conn_TCP \
connection-bytes=16000000-0 connection-mark=all_conn connection-rate=\
251k-300M new-connection-mark=heavy passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment=heavy_traffic_conn_UDP \
connection-bytes=16000000-0 connection-mark=all_conn connection-rate=\
251k-300M new-connection-mark=heavy passthrough=yes protocol=udp
add action=mark-packet chain=forward comment=heavy_traffic_pac_UP \
connection-mark=heavy new-packet-mark=heavy_u passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment=heavy_traffic_down \
connection-mark=heavy dst-address-list=OnLineClient new-packet-mark=\
heavy_d passthrough=no
add action=mark-connection chain=forward comment=other_conn connection-mark=\
all_conn new-connection-mark=others passthrough=yes
add action=mark-packet chain=forward comment=other_pac_up connection-mark=\
others new-packet-mark=others_u passthrough=no src-address-list=\
OnLineClient
add action=mark-packet chain=forward comment=\
"\BD\E1\CA\F8\A3\BA other_pac_down" connection-mark=others \
new-packet-mark=others_d passthrough=no
#queue-type, simple-queue and queue-tree settings
/queue type
set 0 kind=bfifo
set 5 pcq-burst-rate=20M pcq-burst-threshold=16M pcq-burst-time=15s pcq-rate=\
15M pcq-total-limit=1000KiB
set 6 pcq-burst-rate=160M pcq-burst-threshold=130M pcq-rate=120M \
pcq-total-limit=1000KiB
/queue simple
add burst-time=20s/0s max-limit=28M/260M name=default queue=\
pcq-upload-default/pcq-download-default target=192.168.50.0/24
add name=child1 parent=default target=192.168.50.0/24
add comment=Bypass-gateway_Broadband max-limit=18M/180M name=child2 parent=\
default target=192.168.50.110/32
add burst-limit=16M/150M burst-threshold=14M/100M burst-time=15s/15s limit-at=\
6M/60M max-limit=12M/80M name=l2tp_ios_sq parent=default priority=\
5/5 target=l2tp-ios
/queue tree
add max-limit=280M name=01_down parent=global queue=pcq-download-default
add max-limit=25M name=01_up parent=pppoe-out1 queue=pcq-upload-default
add burst-limit=40M burst-threshold=30M burst-time=10s limit-at=8M max-limit=\
15M name=D1_icmp@dns packet-mark=DNS&ICMP_down parent=01_down priority=1 \
queue=pcq-download-default
add burst-limit=90M burst-threshold=80M burst-time=10s limit-at=8M max-limit=\
60M name=D5_http packet-mark=http_down parent=01_down priority=5 queue=\
pcq-download-default
add burst-limit=120M burst-threshold=100M burst-time=10s limit-at=10M \
max-limit=80M name=D7_video packet-mark=video_down parent=01_down \
priority=7 queue=pcq-download-default
add burst-limit=100M burst-threshold=80M burst-time=10s limit-at=5M \
max-limit=50M name=D5_file packet-mark=file_down parent=01_down priority=\
5 queue=pcq-download-default
add burst-limit=120M burst-threshold=80M burst-time=10s limit-at=15M \
max-limit=60M name=D4_others packet-mark=others_down parent=01_down \
priority=4 queue=pcq-download-default
add burst-limit=5M burst-threshold=4M burst-time=10s limit-at=1M max-limit=4M \
name=U1_icmp&dns packet-mark=DNS&ICMP_up parent=01_up priority=1 queue=\
pcq-upload-default
add burst-limit=16M burst-threshold=12M burst-time=10s limit-at=2M max-limit=\
10M name=U5_http packet-mark=http_up parent=01_up priority=5 queue=\
pcq-upload-default
add burst-limit=12M burst-threshold=6M burst-time=15s limit-at=1M max-limit=\
10M name=U7_video packet-mark=video_up parent=01_up priority=7 queue=\
pcq-upload-default
add burst-limit=16M burst-threshold=12M burst-time=15s limit-at=1M max-limit=\
10M name=U5_file packet-mark=file_up parent=01_up priority=5 queue=\
pcq-upload-default
add burst-limit=16M burst-threshold=12M burst-time=15s limit-at=2M max-limit=\
10M name=U4_others packet-mark=others_up parent=01_up priority=4 queue=\
pcq-upload-default
add burst-limit=120M burst-threshold=100M burst-time=10s limit-at=8M \
max-limit=80M name=D6_heavy_traffic packet-mark=heavy_traffic_down \
parent=01_down priority=6 queue=pcq-download-default
add burst-limit=160M burst-threshold=120M burst-time=10s limit-at=10M \
max-limit=80M name=D3_small_packet packet-mark=small511_down parent=\
01_down priority=3 queue=pcq-download-default
add burst-limit=16M burst-threshold=12M burst-time=10s limit-at=2M max-limit=\
10M name=U3_small_packet packet-mark=small511_up parent=01_up priority=3 \
queue=pcq-upload-default
add burst-limit=20M burst-threshold=12M burst-time=15s limit-at=2M max-limit=\
12M name=U6_heavy_traffic packet-mark=heavy_traffic_up parent=01_up \
priority=6 queue=pcq-upload-default
add burst-limit=90M burst-threshold=60M burst-time=10s limit-at=8M max-limit=\
60M name=D2_Honor_of_Kings packet-mark=Honor_of_Kings_down parent=01_down \
priority=2 queue=pcq-download-default
add burst-limit=16M burst-threshold=12M burst-time=10s limit-at=2M max-limit=\
10M name=U2_Honor_of_Kings packet-mark=Honor_of_Kings_unicom-pac_u \
parent=01_up priority=2 queue=pcq-upload-default
add burst-limit=80M burst-threshold=60M burst-time=10s limit-at=15M \
max-limit=60M name=D2_light_udp_down packet-mark=light_udp_traffic_down \
parent=01_down priority=2 queue=pcq-download-default
add burst-limit=16M burst-threshold=12M burst-time=10s limit-at=2M max-limit=\
10M name=U2_light_udp_up packet-mark=light_udp_traffic_up parent=01_up \
priority=2 queue=pcq-upload-default
add burst-limit=120M burst-threshold=100M burst-time=10s limit-at=8M \
max-limit=80M name=D3_VIP packet-mark=VIP_pac_down parent=01_down \
priority=3 queue=pcq-download-default
add burst-limit=16M burst-threshold=10M burst-time=15s limit-at=2M max-limit=\
12M name=U3_VIP packet-mark=VIP_pac_up parent=01_up priority=3 queue=\
pcq-upload-default
add burst-limit=100M burst-threshold=80M burst-time=10s limit-at=8M \
max-limit=60M name=D8_p2p_down packet-mark=p2p_down parent=01_down queue=\
pcq-download-default
add burst-limit=6M burst-threshold=4M burst-time=10s limit-at=1M max-limit=5M \
name=U8_p2p_up packet-mark=p2p_up parent=01_up queue=pcq-upload-default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#Old version
#update_2021-05-29_01:16
# may/27/2021 20:17:41 by RouterOS 6.47.9
#
# model = RBD52G-5HacD2HnD
#The download app bundled with the Synology NAS includes eDonkey, so some eDonkey nodes are pinned first; the LAN addr-list is also set here
/ip firewall address-list
add address=192.168.50.0/24 list=OnLineClient
add address=www.your-domain-name.com list=MyVPS
add address=www.your-domain-name-1.com list=MyVPS
add address=91.226.212.11 comment=00_p2p_eule_addr list=00_p2p_addr
add address=114.55.28.216 comment=00_p2p_eule_addr list=00_p2p_addr
add address=176.103.48.36 comment=00_p2p_eule_addr list=00_p2p_addr
add address=212.83.184.152 comment=00_p2p_eule_addr list=00_p2p_addr
add address=176.103.56.135 comment=00_p2p_eule_addr list=00_p2p_addr
add address=52.14.246.143 comment=00_p2p_eule_addr list=00_p2p_addr
add address=14.105.93.213 comment=00_p2p_eule_addr list=00_p2p_addr
add address=80.208.228.241 comment=00_p2p_eule_addr list=00_p2p_addr
add address=176.103.56.98 comment=00_p2p_eule_addr list=00_p2p_addr
add address=62.210.28.77 comment=00_p2p_eule_addr list=00_p2p_addr
add address=213.183.51.211 comment=00_p2p_eule_addr list=00_p2p_addr
#Some of the L7 rules used; some are rules that have been circulating for a long time, some I wrote in the last couple of days
/ip firewall layer7-protocol
add name=DNS regexp="^.\?.\?.\?.\?[\\x01\\x02].\?.\?.\?.\?.\?.\?[\\x01-\?][a-z\
0-9_][\\x01-\?a-z_]*[\\x02-\\x06](io)[\\x01-\\x10\\x1c][\\x01\\x03\\x04\\x\
FF]"
add comment=Xunlei name=layer7-p2p-Xunlei regexp=\
"^[()]...\?.\?.\?(reg|get|query)"
add comment=Torrent name=layer7-p2p-qBit regexp="^(\\x13bittorrent protocol|az\
ver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /clien\
t/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment=Bitcomet name=layer7-p2p-Bitcomet regexp=\
"^.*\\/client\\/bitcomet\\/.*\$"
add name=Http regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\t-\r -~]*(con\
nection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01]\\\
.[019]"
add name=PPStream regexp="^.\?.\?\\c.+\\c"
add name=QQLive regexp="(^get.+_.+_.+\\.(mp4|flv)\
|^\\xFE.\?.\?.\?.\?\\xD3|^(get|connect|http).+(livep.\?.\?.\?)\?\\.(now[0-\
9]\?[0-9]\?|l.\?.\?.\?|wxqcloud)\\.(gtimg|qq)\\.com)"
add name=Http-web regexp=\
"\\.jsp|\\.shtml|\\.html|\\.htm|\\.php|\\.asp|\\.aspx|\\.cgi"
add name=NetTV regexp=\
"^.*get.+(\\.flv|\\.f4v|\\.hlv|\\.rm|\\.swf|\\.wma|\\.mp4|\\.mp3).*\$"
add name=Qiyi regexp="^(get|post).+\\qiyi\\.\\com\\/\\player.+\\.swf"
add comment=layer7-BitTorrent name=layer7-bittorrent regexp="^(\\x13bittorrent\
\_protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_has\
h=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=xhs regexp="^(get|connect).*(video|live).*\\.xhscdn\\.com.*\$"
add name=byte regexp="^(get|connect|http).+((v|lf|sf)[0-9]\?[0-9]\?|pull|downl\
oad).*\\.(bd|i)*(huoshan|xigua|douyin|pstatp|yangyi[0-9]\?[0-9]\?)(vod|tat\
ic|cdn)*\\.com.*\$"
add name=kuaishou regexp="^(get|connect).*((ali|js|mov|tx)[0-9]\?[0-9]\?\\.a\\\
.yximgs\\.com|(static|pull)\\.yximgs\\.com|v[0-9]\?[0-9]\?\\.kwaicdn\\.com\
)"
add name=l7_qqvideo regexp="^(get|connect|http).*(ts|ws|[a-z]\\.\?weishi|qqvid\
eo|shortv|livep.\?.\?.\?|ugcyd|(now|dldir)[0-9]\?[0-9]\?)\\.(cdp|tc|now|dl\
dir[0-9]\?[0-9]\?|l.\?.\?.\?|wxqcloud)\?\\.(qq|cdntips|gtimg)\\.(com|net)"
add name=File regexp="^.*get.+(\\.iso|\\.exe|\\.zip|\\.rar|\\.7z|\\.gho|\\.pdf\
|\\.avi|\\.mkv|\\.wmv|\\.wav|\\.flac|\\.ape|\\.msi).*\$"
add name=QQMusic regexp=\
"(^\\xFE.\?.\?.\?.\?\\xCF|^get.+\\qqmusic.\?\\qq.+\\qqmusic)"
add name=Kugou regexp=\
"(^post.+\\x0D\\x0A\\x0D\\x0A|^http.+\\x0D\\x0A\\x0D\\x0A|^e)"
add name=Tencent_qq regexp="^.\?.\?[\\x02|\\x05]\\x22\\x27.+|^.\?.\?[\\x02|\\x\
05]\\x22\\x27.+[\\x03|\\x09]\$|^.\?.\?\\x02.+\\x03\$|^/xFE/x42../x42/x02/x\
0B/x7D/x98/x38/xE4.+"
add name=Tencent_qqgame regexp="^.\?.\?\\x2D.+[\\x25\\x62\\x0E\\xC1\\x5F\\x6C|\
\\xFF\\xFF\\x20\\xCF\\x42\\x53|\\xFF\\xFF\\x10\\x17\\x87\\xA3|\\x3E\\x7F\\\
x20\\xCF\\x42\\x53|\\x1F\\x43\\x10\\x17\\x87\\xA3]|^\\x05\\x22.+\\x03\$"
add name=Http-img regexp="\\.jpg|\\.png|\\.gif|\\.bmp|\\.jpeg"
add name=Http-jpg regexp="^.*(post|POST|get|GET).+\\.jpg.+\\http"
##filter adds the P2P addresses; pick the timeout yourself, here it is 10 minutes
/ip firewall filter
add action=add-dst-to-address-list address-list=00_p2p_addr \
address-list-timeout=30m chain=forward comment="Add src to addr list_P2P" \
dst-address-list=!MyVPS layer7-protocol=layer7-bittorrent src-address=\
192.168.50.0/24
add action=add-dst-to-address-list address-list=00_p2p_addr \
address-list-timeout=30m chain=forward comment=\
"Add src to addr list_Bitcomet" dst-address-list=!MyVPS layer7-protocol=\
layer7-p2p-Bitcomet src-address=192.168.50.0/24
add action=add-dst-to-address-list address-list=00_p2p_addr \
address-list-timeout=30m chain=forward comment=\
"Add src to addr list_Xunlei" dst-address-list=!MyVPS layer7-protocol=\
layer7-p2p-Xunlei src-address=192.168.50.0/24
add action=add-dst-to-address-list address-list=00_p2p_addr \
address-list-timeout=30m chain=forward comment=\
"Add src to addr list_qBit" dst-address-list=!MyVPS layer7-protocol=\
layer7-p2p-qBit src-address=192.168.50.0/24
##mangle marking
/ip firewall mangle
add action=change-ttl chain=forward new-ttl=set:128 passthrough=yes
add action=change-mss chain=forward new-mss=1440 passthrough=yes protocol=tcp \
tcp-flags=syn tcp-mss=1441-65535
add action=set-priority chain=postrouting comment="Respect DSCP tagging" \
disabled=yes new-priority=from-dscp-high-3-bits passthrough=yes
add action=set-priority chain=postrouting comment="Prioritize ACKs" disabled=\
yes new-priority=6 packet-size=0-123 passthrough=yes protocol=tcp \
tcp-flags=ack
add action=mark-connection chain=output comment=ipsec_l2tp_conn_500 \
dst-address=!192.168.50.0/24 dst-address-list=!zzCNIP dst-address-type=\
!local new-connection-mark=ipsec_l2tp_conn out-interface-list=\
"WAN Interfaces" passthrough=no protocol=udp src-address-type=local \
src-port=500
add action=accept chain=output comment="Accept L2tp UDP ports_500" \
dst-address=!192.168.50.0/24 dst-address-list=!zzCNIP dst-address-type=\
!local log-prefix=local_vip_mark out-interface-list="WAN Interfaces" \
protocol=udp src-address-type=local src-port=500
add action=mark-connection chain=output comment=ipsec_l2tp_conn_1701 \
dst-address=!192.168.50.0/24 dst-address-list=!zzCNIP dst-address-type=\
!local new-connection-mark=ipsec_conn out-interface-list="WAN Interfaces" \
passthrough=no protocol=udp src-address-type=local src-port=1701
add action=accept chain=output comment="Accept L2tp UDP ports_1701" \
dst-address=!192.168.50.0/24 dst-address-list=!zzCNIP dst-address-type=\
!local log-prefix=local_vip_mark out-interface-list="WAN Interfaces" \
protocol=udp src-address-type=local src-port=1701
add action=mark-connection chain=output comment=ipsec_l2tp_conn_4500 \
dst-address=!192.168.50.0/24 dst-address-list=!zzCNIP dst-address-type=\
!local new-connection-mark=ipsec_l2tp_conn out-interface-list=\
"WAN Interfaces" passthrough=no protocol=udp src-address-type=local \
src-port=4500
add action=accept chain=output comment="Accept L2tp UDP ports_4500" \
dst-address=!192.168.50.0/24 dst-address-list=!zzCNIP dst-address-type=\
!local log-prefix=local_vip_mark out-interface-list="WAN Interfaces" \
protocol=udp src-address-type=local src-port=4500
add action=accept chain=forward comment="Accept traffic that from VPS" \
disabled=yes in-interface-list="LAN Interfaces" src-address-list=MyVPS
add action=accept chain=forward comment="Accept traffic that to VPS" \
disabled=yes dst-address-list=MyVPS in-interface-list="LAN Interfaces"
add action=mark-routing chain=prerouting comment=\
"lan dns to 1111dns001 mark-routing" dst-port=53 layer7-protocol=\
1111dns001 new-routing-mark=lanhot passthrough=yes protocol=udp \
src-address=!192.168.50.110 src-address-list=OnLineClient
add action=mark-routing chain=prerouting comment=\
"lan dns to 1111dns002 mark-routing" dst-port=53 in-interface-list=\
"!WAN Interfaces" layer7-protocol=1111dns002 new-routing-mark=lanhot \
passthrough=yes protocol=udp src-address=!192.168.50.110 \
src-address-list=OnLineClient
add action=mark-routing chain=prerouting comment=\
"lan dns to 1111dns003 mark-routing" dst-port=53 in-interface-list=\
"!WAN Interfaces" layer7-protocol=1111dns003 new-routing-mark=lanhot \
passthrough=yes protocol=udp src-address=!192.168.50.110 \
src-address-list=OnLineClient
add action=mark-routing chain=output comment=\
"local dns to 1111dns001 mark-routing" dst-port=53 layer7-protocol=\
1111dns001 new-routing-mark=localhot passthrough=yes protocol=udp \
src-address-type=local
add action=mark-routing chain=output comment=\
"local dns to 1111dns002 mark-routing" dst-port=53 layer7-protocol=\
1111dns002 new-routing-mark=localhot passthrough=yes protocol=udp \
src-address-type=local
add action=mark-routing chain=output comment=\
"local dns to 1111dns003 mark-routing" dst-port=53 layer7-protocol=\
1111dns003 new-routing-mark=localhot passthrough=yes protocol=udp
add action=mark-connection chain=forward comment=\
"lan dns to 1111dns001 mark-con" disabled=yes dst-port=53 \
in-interface-list="!WAN Interfaces" layer7-protocol=1111dns001 \
new-connection-mark=to1111dns passthrough=yes protocol=udp src-address=\
!192.168.50.110 src-address-list=OnLineClient
add action=mark-connection chain=forward comment=\
"lan dns to 1111dns002 mark-con" disabled=yes dst-port=53 \
layer7-protocol=1111dns002 new-connection-mark=to1111dns passthrough=yes \
protocol=udp src-address=!192.168.50.110 src-address-list=OnLineClient
add action=mark-connection chain=forward comment=\
"lan dns to 1111dns003 mark-con" disabled=yes dst-port=53 \
layer7-protocol=1111dns003 new-connection-mark=to1111dns passthrough=yes \
protocol=udp src-address=!192.168.50.110 src-address-list=OnLineClient
add action=mark-connection chain=output comment=\
"local dns to 1111dns001 mark-con" disabled=yes dst-port=53 \
layer7-protocol=1111dns001 new-connection-mark=to1111dns passthrough=yes \
protocol=udp src-address-type=local
add action=mark-connection chain=output comment=\
"local dns to 1111dns002 mark-con" disabled=yes dst-port=53 \
layer7-protocol=1111dns002 new-connection-mark=to1111dns passthrough=yes \
protocol=udp src-address-type=local
add action=mark-connection chain=output comment=\
"local dns to 1111dns003 mark-con" disabled=yes dst-port=53 \
layer7-protocol=1111dns003 new-connection-mark=to1111dns passthrough=yes \
protocol=udp src-address-type=local
add action=mark-packet chain=output comment="local dns to 1111 mark-pac" \
connection-mark=to1111dns disabled=yes new-packet-mark=to1111dns \
passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment="LAN dns to 1111 mark-pac" \
connection-mark=to1111dns disabled=yes new-packet-mark=to1111dns \
passthrough=no protocol=udp
add action=mark-routing chain=output comment=\
"local connection dst-to nonecnip mark-routing for bypass" dst-address=\
!192.168.50.0/24 dst-address-list=!zzCNIP dst-address-type=!local \
log-prefix=local_vip_mark new-routing-mark=localhot passthrough=yes \
src-address-type=local
add action=mark-routing chain=prerouting comment=\
"LAN connection dst-to nonecnip mark-routing for bypass" dst-address=\
!192.168.50.0/24 dst-address-list=!zzCNIP dst-address-type=!local \
in-interface-list="!WAN Interfaces" ipsec-policy=in,none log-prefix=\
LAN_VIP_mark new-routing-mark=lanhot passthrough=yes src-address=\
!192.168.50.110 src-address-list=OnLineClient
add action=mark-connection chain=forward comment=\
"01_Start_For_queue_mark :: VIP_con -- wg_10386" new-connection-mark=\
VIP_conn passthrough=yes port=10386 protocol=udp
add action=mark-packet chain=forward comment=VIP_pac_up connection-mark=\
VIP_conn new-packet-mark=VIP_pac_up passthrough=no src-address-list=\
OnLineClient
add action=mark-packet chain=forward comment=VIP_pac_down connection-mark=\
VIP_conn new-packet-mark=VIP_pac_down passthrough=no
add action=mark-connection chain=forward comment=\
"DNS and ICMP_conn: layer7 DNS" layer7-protocol=DNS new-connection-mark=\
dns&icmp passthrough=yes
add action=mark-connection chain=forward comment=\
"DNS and ICMP_conn: port 53_prerouting" dst-port=53 new-connection-mark=\
dns&icmp passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=\
"DNS and ICMP_conn: port 53_output" dst-port=53 new-connection-mark=\
dns&icmp passthrough=yes protocol=udp
add action=mark-connection chain=forward comment="DNS and ICMP_conn: icmp" \
new-connection-mark=dns&icmp passthrough=yes protocol=icmp
add action=mark-packet chain=forward comment="DNS and ICMP_pac: up" \
connection-mark=dns&icmp new-packet-mark=DNS&ICMP_up passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="DNS and ICMP_pac: down" \
connection-mark=dns&icmp new-packet-mark=DNS&ICMP_down passthrough=no
add action=mark-connection chain=forward comment=Honor_of_Kings_conn-udp_5010 \
connection-rate=1-79k disabled=yes dst-port=5010 new-connection-mark=\
Honor_of_Kings_conn passthrough=yes protocol=udp
add action=mark-connection chain=forward comment=Honor_of_Kings_conn-udp_8080 \
connection-rate=1-79k disabled=yes dst-port=8080 new-connection-mark=\
Honor_of_Kings_conn passthrough=yes protocol=udp
add action=mark-connection chain=forward comment=\
Honor_of_Kings_conn-udp_16285 connection-rate=1-79k disabled=yes \
dst-port=16285 new-connection-mark=Honor_of_Kings_conn passthrough=yes \
protocol=udp
add action=mark-connection chain=forward comment=\
Honor_of_Kings_conn-udp_17005 connection-rate=1-79k disabled=yes \
dst-port=17005 new-connection-mark=Honor_of_Kings_conn passthrough=yes \
protocol=udp
add action=mark-connection chain=forward comment=\
Honor_of_Kings_conn-udp_18301 connection-rate=1-79k disabled=yes \
dst-port=18301 new-connection-mark=Honor_of_Kings_conn passthrough=yes \
protocol=udp
add action=mark-connection chain=forward comment=\
Honor_of_Kings_conn-tcp_34087 connection-rate=1-79k disabled=yes \
new-connection-mark=Honor_of_Kings_conn passthrough=yes port=34087 \
protocol=tcp
add action=mark-packet chain=forward comment=Honor_of_Kings_pac_up \
connection-mark=Honor_of_Kings_conn disabled=yes new-packet-mark=\
Honor_of_Kings_up passthrough=no src-address-list=OnLineClient
add action=mark-packet chain=forward comment=Honor_of_Kings_pac_down \
connection-mark=Honor_of_Kings_conn disabled=yes new-packet-mark=\
Honor_of_Kings_down passthrough=no
add action=mark-connection chain=forward comment="p2p_conn:: p2p_addr-tcp" \
dst-address-list=00_p2p_addr dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 new-connection-mark=p2p_conn \
passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment="p2p_conn:: p2p_addr-udp" \
dst-address-list=00_p2p_addr dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 new-connection-mark=p2p_conn \
passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="mark pac_p2p_up" \
connection-mark=p2p_conn new-packet-mark=p2p_up passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="mark pac_p2p_down" \
connection-mark=p2p_conn new-packet-mark=p2p_down passthrough=no
add action=mark-connection chain=forward comment=all_conn connection-mark=\
!heavy_traffic_conn new-connection-mark=all_conn passthrough=yes
add action=mark-connection chain=forward comment=video_l7qqv_conn \
connection-mark=all_conn layer7-protocol=l7_qqvideo new-connection-mark=\
video_l7qqv_conn passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: l7qqvideo" \
connection-mark=video_l7qqv_conn new-packet-mark=video_up passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: l7qqvideo" \
connection-mark=video_l7qqv_conn new-packet-mark=video_down passthrough=\
no
add action=mark-connection chain=forward comment="Video_conn: QQlive" \
connection-mark=all_conn layer7-protocol=QQLive new-connection-mark=\
video_QQLive_conn passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: QQlive" \
connection-mark=video_QQLive_conn new-packet-mark=video_up passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: QQlive" \
connection-mark=video_QQLive_conn new-packet-mark=video_down passthrough=\
no
add action=mark-connection chain=forward comment="video_bytexhs_conn: byte" \
connection-mark=all_conn layer7-protocol=byte new-connection-mark=\
video_byte_conn passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: byte" \
connection-mark=video_byte_conn new-packet-mark=video_up passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: byte" \
connection-mark=video_byte_conn new-packet-mark=video_down passthrough=no
add action=mark-connection chain=forward comment="video_bytexhs_conn: xhs" \
connection-mark=all_conn layer7-protocol=xhs new-connection-mark=\
video_xhs_conn passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac:: xhs" \
connection-mark=video_xhs_conn new-packet-mark=video_up passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac:: xhs" \
connection-mark=video_xhs_conn new-packet-mark=video_down passthrough=no
add action=mark-connection chain=forward comment="video_conn: kuaishou" \
connection-mark=all_conn layer7-protocol=kuaishou new-connection-mark=\
video_kuaishou_conn passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: kuaishou" \
connection-mark=video_kuaishou_conn new-packet-mark=video_up passthrough=\
no src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: kuaishou" \
connection-mark=video_kuaishou_conn new-packet-mark=video_down \
passthrough=no
add action=mark-connection chain=forward comment="Video_conn: Qiyi" \
connection-mark=all_conn layer7-protocol=Qiyi new-connection-mark=\
video_Qiyi_conn passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: Qiyi" \
connection-mark=video_Qiyi_conn new-packet-mark=video_up passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: Qiyi" \
connection-mark=video_Qiyi_conn new-packet-mark=video_down passthrough=no
add action=mark-connection chain=forward comment="video_conn: NetTV" \
connection-mark=all_conn layer7-protocol=NetTV new-connection-mark=\
video_NetTV_conn passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: NetTV" \
connection-mark=video_NetTV_conn new-packet-mark=video_up passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: NetTV" \
connection-mark=video_NetTV_conn new-packet-mark=video_down passthrough=\
no
add action=mark-connection chain=forward comment="Video_conn: PPStream" \
connection-mark=all_conn layer7-protocol=PPStream new-connection-mark=\
video_PPStream_conn passthrough=yes
add action=mark-packet chain=forward comment="Video_up_pac: PPStream" \
connection-mark=video_PPStream_conn new-packet-mark=video_up passthrough=\
no src-address-list=OnLineClient
add action=mark-packet chain=forward comment="Video_down_pac: PPStream" \
connection-mark=video_PPStream_conn new-packet-mark=video_down \
passthrough=no
add action=mark-connection chain=forward comment=heavy_traffic_conn_TCP \
connection-bytes=500000-0 connection-mark=all_conn connection-rate=\
121k-200M new-connection-mark=heavy_traffic_conn passthrough=yes \
protocol=tcp
add action=mark-connection chain=forward comment=heavy_traffic_conn_UDP \
connection-bytes=500000-0 connection-mark=all_conn connection-rate=\
121k-200M new-connection-mark=heavy_traffic_conn passthrough=yes \
protocol=udp
add action=mark-packet chain=forward comment=heavy_traffic_pac_UP \
connection-mark=heavy_traffic_conn new-packet-mark=heavy_traffic_up \
passthrough=no src-address-list=OnLineClient
add action=mark-packet chain=forward comment=heavy_traffic_down \
connection-mark=heavy_traffic_conn dst-address-list=OnLineClient \
new-packet-mark=heavy_traffic_down passthrough=no
add action=mark-connection chain=forward comment=http_conn_HTTP \
connection-mark=all_conn layer7-protocol=Http new-connection-mark=http \
passthrough=yes
add action=mark-connection chain=forward comment=http_conn_HTTP-web \
connection-mark=all_conn layer7-protocol=Http-web new-connection-mark=\
http passthrough=yes
add action=mark-connection chain=forward comment=http_conn_HTTP-jpg \
connection-mark=all_conn layer7-protocol=Http-jpg new-connection-mark=\
http passthrough=yes
add action=mark-connection chain=forward comment=http_conn_HTTP-img \
connection-mark=all_conn layer7-protocol=Http-img new-connection-mark=\
http passthrough=yes
add action=mark-packet chain=forward comment=http_pac::http_down \
connection-mark=http dst-address-list=OnLineClient new-packet-mark=\
http_down passthrough=no
add action=mark-packet chain=forward comment=http_pac::http_up \
connection-mark=http new-packet-mark=http_up passthrough=no \
src-address-list=OnLineClient
add action=mark-connection chain=forward comment=file_conn::file \
connection-mark=all_conn layer7-protocol=File new-connection-mark=\
file_conn passthrough=yes
add action=mark-connection chain=forward comment=file_conn::QQMusic \
connection-mark=all_conn layer7-protocol=QQMusic new-connection-mark=\
file_conn passthrough=yes
add action=mark-connection chain=forward comment=file_conn::Kugou \
connection-mark=all_conn layer7-protocol=Kugou new-connection-mark=\
file_conn passthrough=yes
add action=mark-packet chain=forward comment=file_pac::file_down \
connection-mark=file_conn dst-address-list=OnLineClient new-packet-mark=\
file_down passthrough=no
add action=mark-packet chain=forward comment=file_pac::file_up \
connection-mark=file_conn new-packet-mark=file_up passthrough=no \
src-address-list=OnLineClient
add action=mark-connection chain=forward comment=\
"small packet 0-511--small-511_conn_TCP" connection-bytes=1-10000000 \
connection-mark=all_conn connection-rate=1-59k dst-port=!80,8080 \
new-connection-mark=small-511_conn packet-size=65-511 passthrough=yes \
protocol=tcp
add action=mark-connection chain=forward comment=small-511_conn_UDP \
connection-bytes=1-10000000 connection-mark=all_conn connection-rate=\
1-59k dst-port=!80,8080 new-connection-mark=small-511_conn packet-size=\
65-511 passthrough=yes protocol=udp
add action=mark-packet chain=forward comment=small511_pac_u connection-mark=\
small-511_conn new-packet-mark=small511_up passthrough=no \
src-address-list=OnLineClient
add action=mark-packet chain=forward comment=small511_pac_d connection-mark=\
small-511_conn new-packet-mark=small511_down passthrough=no
add action=mark-connection chain=forward comment=light_udp_traffic_conn \
connection-bytes=1-15000000 connection-mark=all_conn connection-rate=\
1-69k new-connection-mark=light_udp_traffic_conn packet-size=1-799 \
passthrough=yes protocol=udp
add action=mark-packet chain=forward comment=light_udp_pac_up \
connection-mark=light_udp_traffic_conn new-packet-mark=\
light_udp_traffic_up passthrough=no src-address-list=OnLineClient
add action=mark-packet chain=forward comment=light_udp_pac_down \
connection-mark=light_udp_traffic_conn new-packet-mark=\
light_udp_traffic_down passthrough=no
add action=mark-connection chain=forward comment=other_conn connection-mark=\
all_conn new-connection-mark=others passthrough=yes
add action=mark-packet chain=forward comment=other_pac_up connection-mark=\
others new-packet-mark=others_up passthrough=no src-address-list=\
OnLineClient
add action=mark-packet chain=forward comment=\
"end: other_pac_down" connection-mark=others \
new-packet-mark=others_down passthrough=no
/queue type
set 0 kind=bfifo
set 5 pcq-burst-rate=20M pcq-burst-threshold=16M pcq-burst-time=15s pcq-rate=\
15M pcq-total-limit=1000KiB
set 6 pcq-burst-rate=160M pcq-burst-threshold=130M pcq-rate=120M \
pcq-total-limit=1000KiB
/queue simple
add burst-time=20s/0s max-limit=28M/260M name=default queue=\
pcq-upload-default/pcq-download-default target=192.168.50.0/24
add name=child1 parent=default target=192.168.50.0/24
add max-limit=26M/200M name=child2 parent=default target=192.168.50.110/32
/queue tree
add max-limit=280M name=01_down parent=global queue=pcq-download-default
add max-limit=28M name=01_up parent=pppoe-out1 queue=pcq-upload-default
add burst-limit=40M burst-threshold=30M burst-time=10s limit-at=8M max-limit=\
15M name=D1_icmp@dns packet-mark=DNS&ICMP_down parent=01_down priority=1 \
queue=pcq-download-default
add burst-limit=90M burst-threshold=80M burst-time=10s limit-at=8M max-limit=\
60M name=D5_http packet-mark=http_down parent=01_down priority=5 queue=\
pcq-download-default
add burst-limit=120M burst-threshold=100M burst-time=10s limit-at=10M \
max-limit=80M name=D7_video packet-mark=video_down parent=01_down \
priority=7 queue=pcq-download-default
add burst-limit=100M burst-threshold=80M burst-time=10s limit-at=5M \
max-limit=50M name=D7_file packet-mark=file_down parent=01_down priority=\
7 queue=pcq-download-default
add burst-limit=120M burst-threshold=80M burst-time=10s limit-at=15M \
max-limit=60M name=D4_others packet-mark=others_down parent=01_down \
priority=4 queue=pcq-download-default
add burst-limit=5M burst-threshold=4M burst-time=10s limit-at=1M max-limit=4M \
name=U1_icmp&dns packet-mark=DNS&ICMP_up parent=01_up priority=1 queue=\
pcq-upload-default
add burst-limit=16M burst-threshold=12M burst-time=10s limit-at=2M max-limit=\
10M name=U5_http packet-mark=http_up parent=01_up priority=5 queue=\
pcq-upload-default
add burst-limit=12M burst-threshold=6M burst-time=15s limit-at=1M max-limit=\
10M name=U7_video packet-mark=video_up parent=01_up priority=7 queue=\
pcq-upload-default
add burst-limit=16M burst-threshold=12M burst-time=15s limit-at=1M max-limit=\
10M name=U7_file packet-mark=file_up parent=01_up priority=7 queue=\
pcq-upload-default
add burst-limit=16M burst-threshold=12M burst-time=15s limit-at=2M max-limit=\
10M name=U4_others packet-mark=others_up parent=01_up priority=4 queue=\
pcq-upload-default
add burst-limit=120M burst-threshold=100M burst-time=10s limit-at=8M \
max-limit=80M name=D6_heavy_traffic packet-mark=heavy_traffic_down \
parent=01_down priority=6 queue=pcq-download-default
add burst-limit=160M burst-threshold=120M burst-time=10s limit-at=10M \
max-limit=80M name=D3_small_packet packet-mark=small511_down parent=\
01_down priority=3 queue=pcq-download-default
add burst-limit=16M burst-threshold=12M burst-time=10s limit-at=2M max-limit=\
10M name=U3_small_packet packet-mark=small511_up parent=01_up priority=3 \
queue=pcq-upload-default
add burst-limit=20M burst-threshold=12M burst-time=15s limit-at=2M max-limit=\
12M name=U6_heavy_traffic packet-mark=heavy_traffic_up parent=01_up \
priority=6 queue=pcq-upload-default
add burst-limit=90M burst-threshold=60M burst-time=10s disabled=yes limit-at=\
8M max-limit=60M name=D2_Honor_of_Kings packet-mark=Honor_of_Kings_down \
parent=01_down priority=2 queue=pcq-download-default
add burst-limit=16M burst-threshold=12M burst-time=10s disabled=yes limit-at=\
2M max-limit=10M name=U2_Honor_of_Kings packet-mark=\
Honor_of_Kings_up parent=01_up priority=2 queue=\
pcq-upload-default
add burst-limit=80M burst-threshold=60M burst-time=10s limit-at=15M \
max-limit=60M name=D2_light_udp_down packet-mark=light_udp_traffic_down \
parent=01_down priority=2 queue=pcq-download-default
add burst-limit=16M burst-threshold=12M burst-time=10s limit-at=2M max-limit=\
10M name=U2_light_udp_up packet-mark=light_udp_traffic_up parent=01_up \
priority=2 queue=pcq-upload-default
add burst-limit=120M burst-threshold=100M burst-time=10s limit-at=8M \
max-limit=80M name=D3_VIP packet-mark=VIP_pac_down parent=01_down \
priority=3 queue=pcq-download-default
add burst-limit=16M burst-threshold=10M burst-time=15s limit-at=2M max-limit=\
12M name=U3_VIP packet-mark=VIP_pac_up parent=01_up priority=3 queue=\
pcq-upload-default
add burst-limit=100M burst-threshold=80M burst-time=10s limit-at=8M \
max-limit=60M name=D8_p2p_down packet-mark=p2p_down parent=01_down queue=\
pcq-download-default
add burst-limit=6M burst-threshold=4M burst-time=10s limit-at=1M max-limit=5M \
name=U8_p2p_up packet-mark=p2p_up parent=01_up queue=pcq-upload-default
#end update_2021-05-29_01:16
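
A consistency check for a mangle/queue-tree export like the one above, as an added example that is not part of the original post: it parses the export text and reports queue tree entries whose packet-mark no active mangle rule sets (such a queue never matches any traffic), packet marks that no queue consumes, and connection marks that are matched but never set. The sample export is constructed (abbreviated in the style of the rules above, with one deliberately mismatched mark name), and the function names are this example's own.

```python
import re

# Constructed sample in the style of the export above (abbreviated; the
# U2_game queue deliberately references a mark that no mangle rule sets).
SAMPLE_EXPORT = r'''
/ip firewall mangle
add action=mark-connection chain=forward comment="DNS conn: port 53" \
    dst-port=53 new-connection-mark=dns&icmp passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=dns&icmp \
    new-packet-mark=DNS&ICMP_up passthrough=no src-address-list=\
    OnLineClient
add action=mark-packet chain=forward connection-mark=dns&icmp \
    new-packet-mark=DNS&ICMP_down passthrough=no
add action=mark-connection chain=forward connection-mark=\
    !heavy_traffic_conn new-connection-mark=all_conn passthrough=yes
add action=mark-packet chain=forward connection-mark=Honor_of_Kings_conn \
    new-packet-mark=Honor_of_Kings_up passthrough=no
add action=mark-packet chain=forward connection-mark=video_conn \
    disabled=yes new-packet-mark=video_up passthrough=no
/queue tree
add name=U1_dns packet-mark=DNS&ICMP_up parent=01_up priority=1
add name=D1_dns packet-mark=DNS&ICMP_down parent=01_down priority=1
add name=U2_game packet-mark=Honor_of_Kings_pac_u parent=01_up priority=2
'''

# key=value pairs; a value is either a quoted string or a run of non-spaces.
PAIR = re.compile(r'([\w-]+)=("(?:\\.|[^"\\])*"|\S*)')


def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    # A trailing backslash continues the command, sometimes in the middle of
    # a value, so drop the backslash, the newline and the next line's indent.
    joined = re.sub(r'\\\r?\n[ \t]*', '', text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            current = line
            sections.setdefault(current, [])
        elif line.startswith('add ') and current:
            sections[current].append(
                {k: v.strip('"') for k, v in PAIR.findall(line)})
    return sections


def _marks(value):
    """Split a mark matcher into names, dropping negation and 'no-mark'."""
    names = (m.lstrip('!') for m in value.split(','))
    return {m for m in names if m and m != 'no-mark'}


def audit(text):
    """Cross-check marks set by mangle rules against marks used elsewhere."""
    sections = parse_export(text)
    active = lambda rules: [r for r in rules if r.get('disabled') != 'yes']
    mangle = active(sections.get('/ip firewall mangle', []))
    queues = active(sections.get('/queue tree', []))
    set_conn = {r['new-connection-mark'] for r in mangle if 'new-connection-mark' in r}
    set_pkt = {r['new-packet-mark'] for r in mangle if 'new-packet-mark' in r}
    used_conn = set().union(
        *(_marks(r['connection-mark']) for r in mangle if 'connection-mark' in r))
    used_pkt = {}
    for q in queues:
        for mark in _marks(q.get('packet-mark', '')):
            used_pkt.setdefault(mark, []).append(q['name'])
    return {
        'queue_marks_never_set': {m: n for m, n in used_pkt.items() if m not in set_pkt},
        'packet_marks_never_queued': sorted(set_pkt - set(used_pkt)),
        'conn_marks_never_set': sorted(used_conn - set_conn),
    }


if __name__ == '__main__':
    for finding, detail in audit(SAMPLE_EXPORT).items():
        print(finding, detail)
```

Rules and queues with `disabled=yes` are ignored, so a mark that only a disabled rule sets is reported as never set.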