It would have helped if you had included a sketch of your network layout, since your configuration has some "interesting" parts. Anyway, it seems that you are using your 10Gbit SFP+ port for the 300/30 (down/up) Mbit Internet uplink, as you are using a GPON or XGPON module and connect the fiber cable directly into your RB5009UG+S+. Also I presume that you don't have any other network devices (switch, wireless AP, etc.) at your premises and all of your devices are connected via an Ethernet cable to your RB5009UG+S+ (as there are no comments indicating otherwise in your exported configuration file).

Okay, made that change and no improvement! Thank you for commenting!
With the above considerations you may want to make the following changes (in the terminal):
Code:
/interface bridge
set 0 admin-mac=2C:C8:1B:FF:63:D8 ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no comment="defconf" dhcp-snooping=yes disabled=no ether-type=0x8100 fast-forward=yes forward-delay=15s frame-types=admit-all igmp-snooping=yes igmp-version=3 ingress-filtering=yes last-member-interval=1s last-member-query-count=2 max-hops=20 max-message-age=20s membership-interval=4m20s mld-version=2 mtu=auto multicast-querier=no multicast-router=temporary-query name=bridge priority=0x7000 protocol-mode=rstp port-cost-mode=long pvid=1 querier-interval=4m15s query-interval=2m5s query-response-interval=10s startup-query-count=2 startup-query-interval=31s250ms transmit-hold-count=6 vlan-filtering=yes

/ip dhcp-server
set 0 add-arp=yes address-pool=dhcp allow-dual-stack-queue=yes always-broadcast=yes authoritative=yes comment="defconf" disabled=no interface=bridge lease-script="" lease-time=10m name=defconf use-radius=no

/interface bridge port
set 0 auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment="defconf" disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=ether2 internal-path-cost=10000 learn=auto multicast-router=temporary-query path-cost=10000 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 1 auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment="defconf" disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=ether3 internal-path-cost=10000 learn=auto multicast-router=temporary-query path-cost=10000 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 2 auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment="defconf" disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=ether4 internal-path-cost=10000 learn=auto multicast-router=temporary-query path-cost=10000 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 3 auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment="defconf" disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=ether5 internal-path-cost=10000 learn=auto multicast-router=temporary-query path-cost=10000 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 4 auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment="defconf" disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=ether6 internal-path-cost=10000 learn=auto multicast-router=temporary-query path-cost=10000 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 5 auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment="defconf" disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=ether7 internal-path-cost=10000 learn=auto multicast-router=temporary-query path-cost=10000 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 6 auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment="defconf" disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=ether8 internal-path-cost=10000 learn=auto multicast-router=temporary-query path-cost=10000 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 8 auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment="defconf" disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=ether1 internal-path-cost=7500 learn=auto multicast-router=temporary-query path-cost=7500 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
remove numbers=7

/interface bridge settings
# enable the disabled fast path
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

/interface list member
# as in the default configuration ether1 is a member of WAN and I presume
# it has not been removed; the following line removes it from WAN
remove numbers=1

/ip dhcp-client
set 0 use-peer-dns=yes add-default-route=yes

/ipv6 dhcp-client
add add-default-route=no comment="IPv6 address and prefix request from my ISP" dhcp-options="" disabled=no interface=sfp-sfpplus1 pool-name=myisp-ipv6-pool pool-prefix-length=56 prefix-hint=::/0 request=address,prefix use-peer-dns=yes

/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" disabled=no dynamic=no list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" disabled=no dynamic=no list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" disabled=no dynamic=no list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" disabled=no dynamic=no list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" disabled=no dynamic=no list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" disabled=no dynamic=no list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" disabled=no dynamic=no list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" disabled=no dynamic=no list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" disabled=no dynamic=no list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" disabled=no dynamic=no list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" disabled=no dynamic=no list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" disabled=no dynamic=no list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" disabled=no dynamic=no list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" disabled=no dynamic=no list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" disabled=no dynamic=no list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" disabled=no dynamic=no list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" disabled=no dynamic=no list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" disabled=no dynamic=no list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" disabled=no dynamic=no list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" disabled=no dynamic=no list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" disabled=no dynamic=no list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" disabled=no dynamic=no list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" disabled=no dynamic=no list=bad_dst_ipv4
add address=acme-v02.api.letsencrypt.org disabled=no dynamic=no list=lets_encrypt_dns_ipv4
add address=acme-staging-v02.api.letsencrypt.org disabled=no dynamic=no list=lets_encrypt_dns_ipv4
add address=letsencrypt.org disabled=no dynamic=no list=lets_encrypt_dns_ipv4

/ipv6 firewall address-list
remove numbers=8
remove numbers=7
remove numbers=6
remove numbers=5
remove numbers=4
remove numbers=3
remove numbers=2
remove numbers=1
remove numbers=0
add address=::/128 comment="defconf: unspecified address" disabled=no dynamic=no list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=no dynamic=no list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=no dynamic=no list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=no dynamic=no list=bad_ipv6
add address=100::/64 comment="defconf: discard only" disabled=no dynamic=no list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=no dynamic=no list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=no dynamic=no list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=no dynamic=no list=bad_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" disabled=no dynamic=no list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" disabled=no dynamic=no list=no_forward_ipv6
add address=2001::/23 comment="defconf: RFC6890" disabled=no dynamic=no list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" disabled=no dynamic=no list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" disabled=no dynamic=no list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" disabled=no dynamic=no list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" disabled=no dynamic=no list=not_global_ipv6
add address=::/128 comment="defconf: unspecified" disabled=no dynamic=no list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" disabled=no dynamic=no list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" disabled=no dynamic=no list=bad_src_ipv6
add address=acme-v02.api.letsencrypt.org disabled=no dynamic=no list=lets_encrypt_dns_ipv6
add address=acme-staging-v02.api.letsencrypt.org disabled=no dynamic=no list=lets_encrypt_dns_ipv6
add address=letsencrypt.org disabled=no dynamic=no list=lets_encrypt_dns_ipv6

/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=disabled mode=tx-and-rx protocol=cdp,lldp,mndp

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 domain=lan

/ip firewall filter
remove numbers=13
remove numbers=12
remove numbers=11
remove numbers=10
remove numbers=9
remove numbers=8
remove numbers=7
remove numbers=6
remove numbers=5
remove numbers=4
remove numbers=3
remove numbers=2
remove numbers=1
remove numbers=0
add action=accept chain=input comment="defconf: accept ICMP after RAW" disabled=no log=no log-prefix="" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=32400 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" disabled=no ipsec-policy=in,ipsec log=no log-prefix=""
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4

/ip firewall mangle
add action=change-mss chain=forward new-mss=1480 out-interface=sfp-sfpplus1 protocol=tcp tcp-flags=syn tcp-mss=1481-65535

/ip firewall nat
remove numbers=8
remove numbers=7
remove numbers=6
remove numbers=5
remove numbers=4
remove numbers=3
remove numbers=2
remove numbers=1
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=32400 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.216 to-ports=32400
add action=dst-nat chain=dstnat dst-port=52428 in-interface-list=WAN protocol=udp to-addresses=192.168.88.208 to-ports=52428
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.208 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=WAN protocol=udp to-addresses=192.168.88.208 to-ports=53
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.208 to-ports=80
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=udp to-addresses=192.168.88.208 to-ports=80

/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes log=no log-prefix=""
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=no dst-address-list=bad_ipv4 log=no log-prefix=""
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=no dst-address-list=bad_dst_ipv4 log=no log-prefix=""
add action=drop chain=prerouting comment="defconf: drop non global from WAN" disabled=no in-interface-list=WAN log=no log-prefix="" src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to icmp4 chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to bad_tcp chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=10m
set pptp disabled=no
set rtsp disabled=no ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no

/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes

/ipv6 firewall filter
remove numbers=21
remove numbers=20
remove numbers=19
remove numbers=18
remove numbers=17
remove numbers=16
remove numbers=15
remove numbers=14
remove numbers=13
remove numbers=12
remove numbers=11
remove numbers=10
remove numbers=9
remove numbers=8
remove numbers=7
remove numbers=6
remove numbers=5
remove numbers=4
remove numbers=3
remove numbers=2
remove numbers=1
remove numbers=0
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" disabled=no log=no log-prefix="" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy - CHECK IT NOT IN ADVANCED FIREWALL EXAMPLE" disabled=no ipsec-policy=in,ipsec log=no log-prefix=""
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid - DISABLED otherwise ping6 google.com does not work" connection-state=invalid disabled=yes log=no log-prefix=""
add action=drop chain=forward comment="defconf: drop bad forward IPs" disabled=no log=no log-prefix="" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" disabled=no dst-address-list=no_forward_ipv6 log=no log-prefix=""
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" disabled=no log=no log-prefix="" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN - DISABLED otherwise test-ipv6.com test fails: \"No IPv6 address detected\"" disabled=yes in-interface-list=!LAN log=no log-prefix=""

/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=1480 out-interface=sfp-sfpplus1 protocol=tcp tcp-flags=syn tcp-mss=1481-65535

/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes log=no log-prefix=""
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# RFC 4890 check: link-local ICMPv6 with hop-limit != 255 must be dropped (the rule as posted had action=accept, contradicting its own comment)
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 10,20 only LAN" disabled=no hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=10,20:packet log=no log-prefix="" protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 10,20 only LAN" disabled=no hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=10,20:packet log=no log-prefix="" protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 10,20 only LAN" disabled=no hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=10,20:packet log=no log-prefix="" protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 10,20 only LAN" disabled=no hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=10,20:packet log=no log-prefix="" protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 10,20 only LAN" disabled=no hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=10,20:packet log=no log-prefix="" protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 10,20 only LAN" disabled=no hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=10,20:packet log=no log-prefix="" protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" disabled=yes log=no log-prefix="" protocol=icmpv6

/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no dns="" hop-limit=unspecified interface=bridge managed-address-configuration=no mtu=unspecified other-configuration=no pref64="" ra-delay=0s ra-interval=3m-6m ra-lifetime=10m ra-preference=medium
reachable-time=unspecified \ retransmit-interval=unspecified/ipv6 nd prefix defaultset autonomous=yes preferred-lifetime=30m valid-lifetime=33m/routing pimsm interface-templateadd disabled=no hello-delay=5s hello-period=30s instance=\ routing-pimsm-main-ipv4 interfaces=\ bridge join-prune-period=1m \ join-tracking-support=yes override-interval=2s500ms priority=2097152 \ propagation-delay=500ms source-addresses=192.168.88.1/routing settingsset single-process=no/ip cloudupdate-time=no ddns-enabled=yes ddns-update-interval=10m/system ntp clientset enabled=yes mode=unicast servers=\ 0.us.pool.ntp.org,1.us.pool.ntp.org,2.us.pool.ntp.org,3.us.pool.ntp.org \ vrf=main/system ntp serverset auth-key=none broadcast=yes broadcast-addresses=192.168.88.255 enabled=yes \ local-clock-stratum=5 manycast=no multicast=yes use-local-clock=no vrf=\ main/system ntp client serversadd address=0.us.pool.ntp.org auth-key=none disabled=no iburst=yes max-poll=\ 10 min-poll=6add address=1.us.pool.ntp.org auth-key=none disabled=no iburst=yes max-poll=\ 10 min-poll=6add address=2.us.pool.ntp.org auth-key=none disabled=no iburst=yes max-poll=\ 10 min-poll=6add address=3.us.pool.ntp.org auth-key=none disabled=no iburst=yes max-poll=\ 10 min-poll=6/ip cloudupdate-time=no ddns-enabled=yes ddns-update-interval=10m
If you want to have similar access to certain internal using IPv6 as you are now having with IPv4, then you have to add the right rules in /ipv6 firewall mangle for it.
Statistics: Posted by un9edsda — Sat Jan 06, 2024 9:51 pm
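A worked example of the kind of per-host rule the post refers to, added here and not part of un9edsda's post or of the RouterOS default configuration: exposing one internal IPv6 host's HTTPS service to the Internet while everything else stays blocked. Unlike IPv4 there is no NAT involved, so the internal host is reached at its own global address and the decision is made entirely by the forward chain of /ipv6 firewall filter. The interface list name WAN follows the export above; the host address 2001:db8:1234:5678::10, the address-list name ipv6_exposed_hosts, the port and the comments are placeholders, and it is assumed that the forward chain already starts with the usual accept for established/related connections so that reply traffic needs no extra rule.

```routeros
# Added example, not from the post. All addresses, list names and comments
# below are placeholders; adapt them to the real host before use.

# 1. Keep the exposed host(s) in an address list instead of hard-coding the
#    address into the rule: the list is the single place to update when the
#    provider hands out a different delegated prefix.
/ipv6 firewall address-list
add list=ipv6_exposed_hosts address=2001:db8:1234:5678::10/128 \
    comment="example: internal web host (placeholder address)"

# 2. Accept only NEW connections from the Internet to TCP/443 on a listed host.
#    Nothing else from WAN is touched, so it keeps hitting the drop rule that
#    already ends the forward chain.
/ipv6 firewall filter
add chain=forward action=accept in-interface-list=WAN protocol=tcp \
    dst-port=443 dst-address-list=ipv6_exposed_hosts connection-state=new \
    comment="example: allow HTTPS to exposed IPv6 host"

# 3. A newly added rule lands at the end of the chain, i.e. below the drop
#    rule, where it never matches. Print the chain, note the number of the
#    drop rule and move the new rule above it (replace <drop-rule-number>).
/ipv6 firewall filter print where chain=forward
/ipv6 firewall filter move \
    [find comment="example: allow HTTPS to exposed IPv6 host"] \
    destination=<drop-rule-number>
```

Matching on an address list plus a single destination port keeps the opening as narrow as possible; widening it to the whole prefix or to all ports would expose every device on the LAN, since with IPv6 there is no NAT in front of them. After the move, print the forward chain once more and confirm that the accept rule sits above the final drop rule and that its counters increase only for the intended host and port.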