So I started taking all the scripts and docs found and putting them together…. The result is a working system [...]]]> Searching far and wide on the web looking for a solution to my problem (have a mikrotik router that do load balance and failover), I came to the conclusion that a complete solution doesn’t exist.

So I started taking all the scripts and docs found and putting them together…. The result is a working system that actually I use on some location…. Obviously is not  perfect, it needs improvement and better documentation

I share it, so anyone can use it and refine it, please send it back to me or in the mikrotik wiki!

The code is divided in two parts:

• A script run every X minutes that check wan connections
• Command that you need to write in terminal of your firewall to make it working

Let’s start from the script, please read it carefully!

Open winbox and go to System->Scripts, create a new one and name it “Failover”, copy this content inside it.

# ——————- header ——————-
# Script improved to check two different hosts and act with PCC Load Balancer
# (Original Script by Tomas Kirnak)
# If you edit this script, please share it with the community!
# Author: Denis Barbazza (denis . barbazza [at] gmail . com)
# VERSION=2.3
# http://www.farlock.org/mikrotik/mikrotik-load-balancer-and-failover-and-traffic-prioritization/
# ChangeLog
# 2.3 – 21/10/16 – Bugfix, when main ISP comes back we close alle the connection on ISP2, not clean but necessary because of some connections not tracked (udp, needs more testing)
# we leave this feature commented out, needs testing.
# we close also connections from outside to lan, sometimes internal initated connection takes this mark, needs testing
# 2.2 – 11/05/16 – If one connection hangs, drop connection on it (udp and tcp), when main connection
# fails or comes back we reset also connections without mark (these because of the default route weight)
# 2.1 – 17/03/16 – Improved ping check based on script made by Gregory Sloop (gregs @ sloop.net)
# 2.0 – 01/03/16 – now we manage also the rule used with PCC load balancer
# 1.5 – 01/12/15 – Check two different hosts, just to be sure
# 1.0.7 – Original Script by Tomas Kirnak (t.kirnak @ atris.sk)

# The script in case of a faulting link increase the default route
# and disable the marking rule based on PCC that it found on mangle/prerouting chain
#
# Use ips for ping target, the script may not work with fqdn
#
# if you want you can disable every marking rule, and not only PCC, simply editing the four line that search for rule to be disabled:
# :foreach i in=[/ip firewall mangle find chain=prerouting && new-connection-mark=$ConnMarkISP1 && (per-connection-classifier).”” != “”] do=\
# and remove the part of PCC value:
# :foreach i in=[/ip firewall mangle find chain=prerouting && new-connection-mark=$ConnMarkISP1 ] do=\
# REMEMBER: you must edit the rule in 4 places (enable/disable ISP1 and enable/diable ISP2)
#
# Search in script rule starting with “### OPTIONAL”, here you can enable or disable some features,
# based on your needs.
#
# For more information and details about
# this script please visit the wiki page at
# http://wiki.mikrotik.com/wiki/Failover_Scripting
# ——————- header ——————-

# ————- start editing here ————-
# Edit the variables below to suit your needs

# Please fill the WAN interface names
:local InterfaceISP1 ISP_1
:local InterfaceISP2 ISP_2

# Please fill the gateway IPs (or interface names in case of PPP)
:local GatewayISP1 10.39.1.14
:local GatewayISP2 172.31.29.1

# Routing mark of each interface
:local RoutingMarkISP1 ISP1_Route
:local RoutingMarkISP2 ISP2_Route

# Connection mark of each interface
:local ConnMarkISP1 to_ISP1
:local ConnMarkISP2 to_ISP2

# Connection mark of each interface, from outside to local network
:local ConnMarkISP1_LAN from_ISP1_to_LAN
:local ConnMarkISP2_LAN from_ISP2_to_LAN

# Please fill the ping check host – currently: resolver1.opendns.com
:local PingTarget1 208.67.222.222
# Second ping check host – currently google secondary DNS
:local PingTarget2 8.8.4.4

# This can be used to make sure that the RTT is above this threshold. Ping replies that take longer than
# this to return will be counted as no reply. Adapt it to your lines
:local PingInterval 500ms;
# How many pings to send for our test
:local PingCount 5;
# Size of the pick packets [Don’t make them too large.]
:local PingSize 28;
# How many pings minimum must we get back to consider the pipe “up” – fewer than this – consider it down.
# This is for the single check! So we send PingCount packet and we must receive at least PingReturnThreshold
# to consider the line up
:local PingReturnThreshold 2;

# Please fill how many times the check can fail before fail-over happens,
# In may case I run the script once every 10 minute, so one is enough
# Or you can run it once a minute so increase it
:local FailTreshold 3

# Define the distance increase of a route when it fails
:local DistanceIncrease 20

# Editing the script after this point may break it
# ————– stop editing here ————–

# Declare the global variables
:global PingFailCountISP1
:global PingFailCountISP2

# This inicializes the PingFailCount variables, in case this is the 1st time the script has ran
:if ([:typeof $PingFailCountISP1] = “nothing”) do={:set PingFailCountISP1 0}
:if ([:typeof $PingFailCountISP2] = “nothing”) do={:set PingFailCountISP2 0}

# These variables will be used to keep results of individual ping attempts
:local PingResult1
:local PingResult2

# Check ISP1
# :set PingResult1 [ping $PingTarget1 count=1 interface=$InterfaceISP1 routing-table=$RoutingMarkISP1]
:set PingResult1 [/ping $PingTarget1 interface=$InterfaceISP1 routing-table=$RoutingMarkISP1 interval=$PingInterval count=$PingCount size=$PingSize];
#:put $PingResult1
# :set PingResult2 [ping $PingTarget2 count=1 interface=$InterfaceISP1 routing-table=$RoutingMarkISP1]
:set PingResult2 [/ping $PingTarget2 interface=$InterfaceISP1 routing-table=$RoutingMarkISP1 interval=$PingInterval count=$PingCount size=$PingSize];
#:put $PingResult2
# If both fails we consider router down
:if (($PingResult1 < $PingReturnThreshold) && ($PingResult2 < $PingReturnThreshold)) do={
:if ($PingFailCountISP1 < ($FailTreshold+2)) do={
:set PingFailCountISP1 ($PingFailCountISP1 + 1)

:if ($PingFailCountISP1 = $FailTreshold) do={
:log warning “ISP1 has a problem en route to $PingTarget1 or $PingTarget2 – increasing distance of routes.”
:foreach i in=[/ip route find gateway=$GatewayISP1 && static && !routing-mark] do=\
# {:log info “Increase distance route $i”}
{/ip route set $i distance=([/ip route get $i distance] + $DistanceIncrease)}
# Disable PCC rules
:foreach i in=[/ip firewall mangle find chain=prerouting && new-connection-mark=$ConnMarkISP1 && (per-connection-classifier).”” != “”] do=\
{/ip firewall mangle disable $i }
### OPTIONAL – Disable all rule, not the only ones regarding PCC
# :foreach i in=[/ip firewall mangle find chain=prerouting && new-connection-mark=$ConnMarkISP1 ] do=\
# {/ip firewall mangle disable $i }

:log warning “Route distance increase finished.”
# close ISP1 connection
foreach i in=[/ip firewall connection find connection-mark=$ConnMarkISP1] do= {/ip firewall connection remove $i }
foreach i in=[/ip firewall connection find connection-mark=$ConnMarkISP1_LAN] do= {/ip firewall connection remove $i }
# close connection without mark
foreach i in=[/ip firewall connection find (connection-mark).”” = “” ] do= {/ip firewall connection remove $i }
:log warning “Closed connection $ConnMarkISP1 , $ConnMarkISP1_LAN and without mark”
}
}
}
# If almost one is ok we consider the line up
:if (($PingResult1 > $PingReturnThreshold) || ($PingResult2 > $PingReturnThreshold)) do={
:if ($PingFailCountISP1 > 0) do={
:set PingFailCountISP1 ($PingFailCountISP1 – 1)

:if ($PingFailCountISP1 = ($FailTreshold -1)) do={
:log warning “ISP1 can reach $PingTarget1 or $PingTarget2 again – bringing back original distance of routes.”
:foreach i in=[/ip route find gateway=$GatewayISP1 && static && !routing-mark] do=\
# {:log info “Decrease distance route $i”}
{/ip route set $i distance=([/ip route get $i distance] – $DistanceIncrease)}
# Reenable PCC rules
:foreach i in=[/ip firewall mangle find chain=prerouting && new-connection-mark=$ConnMarkISP1 && (per-connection-classifier).”” != “”] do=\
{/ip firewall mangle enable $i }
### OPTIONAL – Enable all rule, not the only ones regarding PCC
# :foreach i in=[/ip firewall mangle find chain=prerouting && new-connection-mark=$ConnMarkISP1 ] do=\
# {/ip firewall mangle enable $i }

:log warning “Route distance decrease finished.”
# close connection without mark
foreach i in=[/ip firewall connection find (connection-mark).”” = “” ] do= {/ip firewall connection remove $i }
### OPTIONAL – If you want you can close all the connection on the line 2 to force reconnection on line 1
# foreach i in=[/ip firewall connection find connection-mark=$ConnMarkISP2] do= {/ip firewall connection remove $i }
# foreach i in=[/ip firewall connection find connection-mark=$ConnMarkISP2_LAN] do= {/ip firewall connection remove $i }

:log warning “Closed connection without mark”
}
}
}

# Check ISP2
# :set PingResult1 [ping $PingTarget1 count=1 interface=$InterfaceISP2 routing-table=$RoutingMarkISP2]
:set PingResult1 [/ping $PingTarget1 interface=$InterfaceISP2 routing-table=$RoutingMarkISP2 interval=$PingInterval count=$PingCount size=$PingSize];
#:put $PingResult1
# :set PingResult2 [ping $PingTarget2 count=1 interface=$InterfaceISP2 routing-table=$RoutingMarkISP1]
:set PingResult2 [/ping $PingTarget2 interface=$InterfaceISP2 routing-table=$RoutingMarkISP2 interval=$PingInterval count=$PingCount size=$PingSize];
#:put $PingResult2

:if (($PingResult1 < $PingReturnThreshold) && ($PingResult2 < $PingReturnThreshold)) do={
:if ($PingFailCountISP2 < ($FailTreshold+2)) do={
:set PingFailCountISP2 ($PingFailCountISP2 + 1)

:if ($PingFailCountISP2 = $FailTreshold) do={
:log warning “ISP2 has a problem en route to $PingTarget1 and $PingTarget2 – increasing distance of routes.”
:foreach i in=[/ip route find gateway=$GatewayISP2 && static && !routing-mark] do=\
# {:log info “Increase distance route $i”}
{/ip route set $i distance=([/ip route get $i distance] + $DistanceIncrease)}
# Disable PCC rules
:foreach i in=[/ip firewall mangle find chain=prerouting && new-connection-mark=$ConnMarkISP2 && (per-connection-classifier).”” != “”] do=\
{/ip firewall mangle disable $i }
### OPTIONAL – Disable all rule, not the only ones regarding PCC
# :foreach i in=[/ip firewall mangle find chain=prerouting && new-connection-mark=$ConnMarkISP2 ] do=\
# {/ip firewall mangle disable $i }

:log warning “Route distance increase finished.”
# close ISP2 connection
foreach i in=[/ip firewall connection find connection-mark=$ConnMarkISP2] do= {/ip firewall connection remove $i }
foreach i in=[/ip firewall connection find connection-mark=$ConnMarkISP2_LAN] do= {/ip firewall connection remove $i }
:log warning “Closed connection $ConnMarkISP2 and $ConnMarkISP2_LAN”
### OPTIONAL – Close connection without mark to force reopen, should not be necessary
# foreach i in=[/ip firewall connection find (connection-mark).”” = “” ] do= {/ip firewall connection remove $i }
}
}
}
:if (($PingResult1 > $PingReturnThreshold) || ($PingResult2 > $PingReturnThreshold)) do={
:if ($PingFailCountISP2 > 0) do={
:set PingFailCountISP2 ($PingFailCountISP2 – 1)

:if ($PingFailCountISP2 = ($FailTreshold -1)) do={
:log warning “ISP2 can reach $PingTarget1 or $PingTarget2 again – bringing back original distance of routes.”
:foreach i in=[/ip route find gateway=$GatewayISP2 && static && !routing-mark] do=\
# {:log info “Decrease distance route $i”}
{/ip route set $i distance=([/ip route get $i distance] – $DistanceIncrease)}
# Reenable PCC rules
:foreach i in=[/ip firewall mangle find chain=prerouting && new-connection-mark=$ConnMarkISP2 && (per-connection-classifier).”” != “”] do=\
{/ip firewall mangle enable $i }
### OPTIONAL – Disable all rule, not the only ones regarding PCC
# :foreach i in=[/ip firewall mangle find chain=prerouting && new-connection-mark=$ConnMarkISP2 ] do=\
# {/ip firewall mangle enable $i }

:log warning “Route distance decrease finished.”
}
}
}

Now we will start with all the commands for our Load Balance – Failover, read it carefully! Edit IPs based on your setup! copy text to notepad, edit it and paste commands line by line on terminal.

# ——————- header ——————-
# Author: Denis Barbazza (denis . barbazza [at] gmail . com)
# VERSION=2.3
# http://www.farlock.org/mikrotik/mikrotik-load-balancer-and-failover-and-traffic-prioritization/
# Set of rules to setup a load balancer and failover with mikrotik routeros
#
# Inspired by:
# http://mum.mikrotik.com/presentations/US12/steve.pdf
# https://aacable.wordpress.com/2011/07/27/mikrotik-dual-wan-load-balancing-using-pcc-method-complete-script-by-zaib/
# http://wiki.mikrotik.com/wiki/Failover_Scripting
# http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting
# http://mum.mikrotik.com/presentations/US12/tomas.pdf
#
# Search in script rule starting with “### OPTIONAL”, here you can enable or disable some features,
# based on your needs.
#
# For more information and details about
# this script please visit the wiki page at
# http://wiki.mikrotik.com/wiki/Failover_Scripting
# ——————- header ——————-

# setup our interfaces and addresses, adapt it to your interfaces
/interface ethernet
set 2 name=LAN comment=eth3
set 0 name=ISP_1 comment=eth1
set 1 name=ISP_2 comment=eth2
/ip address
add address=192.168.88.1/24 interface=LAN
add address=1.1.1.32/24 interface=ISP_1
add address=2.2.2.32/24 interface=ISP_2
# Regole di nat per ciascuna interfaccia verso gli ISP
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP_1 comment=”NAT packet going through ISPs”
add action=masquerade chain=srcnat out-interface=ISP_2

# Regole di routing con pesi diversi verso ciascun ISP
/ip route
add gateway=1.1.1.1 distance=10 check-gateway=ping comment=”Route to ISPs”
add gateway=2.2.2.2 distance=20 check-gateway=ping

add gateway=1.1.1.1 routing-mark=ISP1_Route distance=10 comment=”Route for marked connection”
add gateway=2.2.2.2 routing-mark=ISP2_Route distance=10

# Not mark packet sent to direct connected network (physical and VPN)
/ip firewall address-list
add address=1.1.1.1/24 list=Connected comment=”List of direct connected network” # ISP_1
add address=2.2.2.2/24 list=Connected # ISP_2
add address=192.168.w.0/24 list=Connected # VPN
add address=192.168.88.0/24 list=Connected # LAN
add address=192.168.88.0/24 list=LAN

/ip firewall mangle
add chain=prerouting src-address-list=Connected dst-address-list=Connected action=accept comment=”Not mark packet directed to direct connected network”

### OPTIONAL
#############
# ATTENTION!
# Eventually remember to filter the traffic allowed from LAN to other networks!
#############

# Mark packet coming through ISP interfaces and put them in the correct routing tables
/ip firewall mangle
add chain=input connection-mark=no-mark in-interface=ISP_1 action=mark-connection new-connection-mark=from_ISP1 comment=”Mark packet coming through ISP interfaces”
add chain=input connection-mark=no-mark in-interface=ISP_2 action=mark-connection new-connection-mark=from_ISP2
add chain=output connection-mark=from_ISP1 action=mark-routing new-routing-mark=ISP1_Route comment=”Put the outbound reply connection in the correct routing table”
add chain=output connection-mark=from_ISP2 action=mark-routing new-routing-mark=ISP2_Route

# Now we should take care also of the connection from outside to LAN
/ip firewall mangle
add chain=forward connection-mark=no-mark in-interface=ISP_1 action=mark-connection new-connection-mark=from_ISP1_to_LAN comment=”Mark packet coming through ISP interfaces directed to LAN”
add chain=forward connection-mark=no-mark in-interface=ISP_2 action=mark-connection new-connection-mark=from_ISP2_to_LAN
add chain=prerouting connection-mark=from_ISP1_to_LAN src-address-list=LAN action=mark-routing new-routing-mark=ISP1_Route comment=”Put the reply connection from LAN in the correct routing table”
add chain=prerouting connection-mark=from_ISP2_to_LAN src-address-list=LAN action=mark-routing new-routing-mark=ISP2_Route
# Now you can add the script for Failover under menù System->Scripts, name it “Failover”
# and then we add a schedule that launch it every 2 minutes, we set the date and unix epoch, just in
# case the clock isn’t set
/system scheduler add name=”Check_connectivity” interval=2m on-event=Failover start-date=jan/1/1970 start-time=0:0:0

You can choose load balancing based on PCC (http://wiki.mikrotik.com/wiki/Manual:PCC) or Traffic Monitor (http://mum.mikrotik.com/presentations/US12/tomas.pdf).

If you prefer PCC:

#########################################################################################
# PCC
# With PCC you must take care of bandwidth and number of WAN available, example:
# – Two equal WAN: we need two PCC mangle rule, one with :2/1 mark for ISP1 and the other with :2/0 mark for ISP2
# – Three equal WAN: three rule, :3/0 mark for ISP1 – :3/1 mark for ISP2 – :3/2 mark for ISP3
# – Two disequal wan, first twice bandwidth of the seconf: three rule, :3/0 mark for ISP1 – :3/1 mark for ISP1 – :3/2 mark for ISP2
# As you can see we need to balance the traffic with PCC rule, more powerful WANs need more rules

/ip firewall mangle
add chain=prerouting action=mark-connection connection-mark=no-mark connection-state=new dst-address-type=!local \
src-address-list=LAN new-connection-mark=to_ISP1 passthrough=yes per-connection-classifier=both-addresses:2/0 comment=”Doing PCC Balancing here”
add chain=prerouting action=mark-connection connection-mark=no-mark connection-state=new dst-address-type=!local \
src-address-list=LAN new-connection-mark=to_ISP2 passthrough=yes per-connection-classifier=both-addresses:2/1

# If we want to balance also traffice generated from the mikrotik itself, actually nothing can be do it’s in the TODO list…

# Now choose the right route based on connection mark
/ip firewall mangle
add chain=prerouting action=mark-routing connection-mark=to_ISP1 src-address-list=LAN new-routing-mark=ISP1_Route comment=”Mark balanced connection to the right routing table”
add chain=prerouting action=mark-routing connection-mark=to_ISP2 src-address-list=LAN new-routing-mark=ISP2_Route

### OPTIONAL
# If we use hotspot and we need balancing
# /ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth comment=”Rule for Hotspot and PCC”
# Questa regola va testata….
# Invece modificando le regole di PCC aggiungendo hotspot=auth tutto funziona correttamente:
#/ip firewall mangle
#add action=mark-connection chain=prerouting comment=”Doing PCC Balancing here” connection-mark=no-mark connection-state=new dst-address-type=\
# !local hotspot=auth new-connection-mark=to_ISP1 per-connection-classifier=dst-address:2/0 src-address-list=LAN
#add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=!local hotspot=auth \
# new-connection-mark=to_ISP2 per-connection-classifier=dst-address:2/1 src-address-list=LAN

#########################################################################################

Or if you prefer Traffic Monitor:

#########################################################################################
# Automated based on bandwidth, switched by Traffic Monitor (thanks to Tomas Kirnak – t.kirnak @ atris.sk)
# Now start marking connection and routing
/ip firewall mangle
add chain=prerouting connection-mark=no-mark src-address-list=LAN dst-address-list=!Connected dst-address-type=!local \
action=mark-connection new-connection-mark=from_LAN_to_WAN comment=”Mark connection for Load Balancing”
add chain=prerouting connection-mark=from_LAN_to_WAN src-address-list=LAN action=mark-routing new-routing-mark=ISP1_Route comment=”Load-Balancing here”

# Now we MUST assure that a connection routed to ISP will always stay there
/ip firewall mangle
add chain=prerouting connection-mark=from_LAN_to_WAN routing-mark=ISP1_Route action=mark-connection new-connection-mark=Sticky_ISP1 comment=”Mark connections as sticky”
add chain=prerouting connection-mark=from_LAN_to_WAN routing-mark=ISP2_Route action=mark-connection new-connection-mark=Sticky_ISP2
add chain=prerouting connection-mark=Sticky_ISP1 src-address-list=LAN action=mark-routing new-routing-mark=ISP1_Route comment=”sticky connections will always go out through same ISP”
add chain=prerouting connection-mark=Sticky_ISP2 src-address-list=LAN action=mark-routing new-routing-mark=ISP2_Route

# Setup Traffic Monitor
/tool traffic-monitor
add interface=ISP_1 name=LB_ISP1_above trigger=above on-event=”:log debug \”Load-Balance Debug: ISP\
1 overloaded, switching to ISP2\”;\r\
\n/ip firewall mangle set [find comment=\”Load-Balancing here\”] new-routing-mark=ISP2_Route” \
threshold=5242880 traffic=received comment=”When ISP1 reaches 5mbit/s switch to ISP2″
add interface=ISP_1 name=LB_ISP1_below trigger=below on-event=”:log debug \”Load-Balance Debug: ISP\
1 back to normal\”;\r\
\n/ip firewall mangle set [find comment=\”Load-Balancing here\”] new-routing-mark=ISP1_Route” \
threshold=5242880 traffic=received comment=”And on less traffic go back again to ISP1″
##############################################################################################

Choose one of the two

And, the end, if you want icing on cake we can prioritize traffic based on its type and contents:

###################################################################################
# Traffic Prioritization – thanks to Rick Frey – support @ rickfreyconsulting.com
# some modification to original script to work correctly with HTTPS traffic
# To act with layer 7 traffic check original script on http://rickfreyconsulting.com

/ip firewall mangle
add chain=output comment=”Section Break – Input prioritize rules” disabled=yes
add action=change-dscp chain=input comment=”DSCP – 7 – Winbox Port 8291 (Local Management)” dst-port=8291 new-dscp=7 protocol=tcp
############################################################################################################################
#### This section sets priorities for tunneling methods used by the hosts on your LAN. ####
############################################################################################################################

/ip firewall mangle
add chain=output comment=”Section Break – VPN” disabled=yes
add action=change-dscp chain=forward comment=”DSCP – 5 – PPTP Port 1723 (LAN Traffic)” new-dscp=5 port=1723 protocol=tcp
add action=change-dscp chain=forward comment=”DSCP – 5 – GRE Protocol (LAN Traffic)” new-dscp=5 protocol=gre
add action=change-dscp chain=forward comment=”DSCP – 5 – L2TP UDP Port 500 (LAN Traffic)” new-dscp=5 port=500 protocol=udp
add action=change-dscp chain=forward comment=”DSCP – 5 – L2TP UDP Port 1701 (LAN Traffic)” new-dscp=5 port=1701 protocol=udp
add action=change-dscp chain=forward comment=”DSCP – 5 – L2TP UDP Port 4500 (LAN Traffic)” new-dscp=5 port=4500 protocol=udp
add action=change-dscp chain=forward comment=”DSCP – 5 – OVPN TCP Port 1194 (LAN Traffic)” new-dscp=5 port=1194 protocol=tcp
############################################################################################################################
#### This section sets priorities for VOIP Traffic ####
############################################################################################################################

add chain=output comment=”Section Break – Voip” disabled=yes
add action=change-dscp chain=postrouting comment=”DSCP – 7 – VOIP” disabled=no new-dscp=7 passthrough=yes port=1167,1719,1720,8010 protocol=udp
add action=change-dscp chain=postrouting comment=”DSCP – 7 – VOIP” disabled=no new-dscp=7 passthrough=yes port=1719,1720,8008,8009 protocol=tcp
add action=change-dscp chain=postrouting comment=”DSCP – 7 – SIP” disabled=no new-dscp=7 passthrough=yes port=5060,5061 protocol=tcp
add action=change-dscp chain=postrouting comment=”DSCP – 7 – SIP” disabled=no new-dscp=7 passthrough=yes port=5060,5061 protocol=udp
add action=change-dscp chain=postrouting comment=”DSCP – 7 – SIP 5004″ disabled=no new-dscp=7 passthrough=yes port=5004 protocol=udp
add action=set-priority chain=postrouting comment=”Priority – 7 – Ventrilo VOIP” new-priority=7 port=3784 protocol=tcp
add action=set-priority chain=postrouting comment=”Priority – 7 – Ventrilo VOIP” new-priority=7 port=3784,3785 protocol=udp
add action=set-priority chain=postrouting comment=”Priority – 7 – Windows Live Messenger Voice” new-priority=7 port=6901 protocol=tcp
add action=set-priority chain=postrouting comment=”Priority – 7 – Windows Live Messenger Voice” new-priority=7 port=6901 protocol=udp
############################################################################################################################
#### This section sets priorities for normal LAN Traffic ####
############################################################################################################################

add chain=output comment=”Section Break – Normal traffic” disabled=yes
add action=set-priority chain=prerouting comment=”Priority – 6 – SSH” disabled=no new-priority=6 passthrough=yes port=22 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 6 – Telnet” disabled=no new-priority=6 passthrough=yes port=23 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 6 – ICMP” disabled=no new-priority=6 passthrough=yes protocol=icmp
add action=set-priority chain=prerouting comment=”Priority – 6 – TCP DNS Requests” disabled=no new-priority=6 passthrough=yes port=53 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 6 – UDP DNS & mDNS Requests” disabled=no new-priority=6 passthrough=yes port=53,5353 protocol=udp

add action=set-priority chain=prerouting comment=”Priority – 3 – HTTP Requests” connection-bytes=0-2000000 disabled=no dst-port=80 new-priority=3 passthrough=yes protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 3 – HTTPS Requests” connection-bytes=0-2000000 disabled=no dst-port=443 new-priority=3 passthrough=yes protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 4 – ICQ” disabled=no new-priority=5 passthrough=yes port=5190 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 4 – Yahoo IM” disabled=no new-priority=5 passthrough=yes port=5050 protocol=tcp

add action=set-priority chain=prerouting comment=”Priority – 4 – AOL, IRC” disabled=no new-priority=4 passthrough=yes port=531,5190,6660-6669,6679,6697 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 4 – AOL, IRC” disabled=no new-priority=4 passthrough=yes port=531 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 4 – Time” disabled=no new-priority=4 passthrough=yes port=37 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 4 – Time” disabled=no new-priority=4 passthrough=yes port=37,123 protocol=udp

add action=set-priority chain=prerouting comment=”Priority – 0 – SFTP” disabled=no dst-port=22 new-priority=0 packet-size=1400-1500 passthrough=yes protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – FTP” disabled=no dst-port=20,21 new-priority=0 packet-size=1400-1500 passthrough=yes protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – HTTP Downloads” connection-bytes=2000000-0 disabled=no new-priority=0 passthrough=yes port=80 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – HTTPS Downloads” connection-bytes=2000000-0 disabled=no new-priority=0 passthrough=yes port=443 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Mail Services” disabled=no port=110,995,143,993,25,57,109,465,587 new-priority=0 passthrough=yes protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – SNMP” disabled=no new-priority=0 passthrough=yes port=161,162 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – SNMP” disabled=no new-priority=0 passthrough=yes port=162 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – IMAP, IMAPS” disabled=no new-priority=0 passthrough=yes port=220,993 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – IMAP” disabled=no new-priority=0 passthrough=yes port=220 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Doom FPS” disabled=no new-priority=0 passthrough=yes port=666 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – America’s Army MMO” disabled=no new-priority=0 passthrough=yes port=1716 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Civilization MMO” disabled=no new-priority=0 passthrough=yes port=2056 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Halo: Combat Evolved MMO” disabled=no new-priority=0 passthrough=yes port=2302 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Dark Ages” disabled=no port=2610 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Xbox Live” disabled=no new-priority=0 passthrough=yes port=3074 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Xbox Live” disabled=no new-priority=0 passthrough=yes port=3074 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Blizzard Games Online” disabled=no new-priority=0 passthrough=yes port=3723,6112 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Blizzard Games Online” disabled=no new-priority=0 passthrough=yes port=3723 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – WoW MMO” disabled=no new-priority=0 passthrough=yes port=3724 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – WoW MMO” disabled=no new-priority=0 passthrough=yes port=3724 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Club Penguin Disney Online” disabled=no new-priority=0 passthrough=yes port=3724,6112,6113,9875 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Diablo II” disabled=no new-priority=0 passthrough=yes port=4000 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Diablo II” disabled=no new-priority=0 passthrough=yes port=4000 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Microsoft Ants MMO” disabled=no new-priority=0 passthrough=yes port=4001 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Google Desktop” disabled=no new-priority=0 passthrough=yes port=4664 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – BZFlag” disabled=no new-priority=0 passthrough=yes port=5154 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – BZFlag” disabled=no new-priority=0 passthrough=yes port=5154 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Freeciv MMO” disabled=no new-priority=0 passthrough=yes port=5556 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Freeciv MMO” disabled=no new-priority=0 passthrough=yes port=5556 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Windows Live Messenger File Transfer” disabled=no new-priority=0 passthrough=yes port=6891-6900 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Enemy Territory: Quake Wars” disabled=no new-priority=0 passthrough=yes port=7133 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Teamspeak” disabled=no new-priority=0 passthrough=yes port=8767-8768 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Teamspeak” disabled=no new-priority=0 passthrough=yes port=9987 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Earthland Relams 2″ disabled=no new-priority=0 passthrough=yes port=8888-8889 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Sony Playstation” disabled=no new-priority=0 passthrough=yes port=9293 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Battlefield 1942 MMO” disabled=no new-priority=0 passthrough=yes port=14567 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Battlefield Vietnam” disabled=no new-priority=0 passthrough=yes port=15567 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Battlefield 2″ disabled=no new-priority=0 passthrough=yes port=16567 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Quake” disabled=no new-priority=0 passthrough=yes port=26000 protocol=tcp
add action=set-priority chain=prerouting comment=”Priority – 0 – Quake” disabled=no new-priority=0 passthrough=yes port=26000,27901,27960 protocol=udp
add action=set-priority chain=prerouting comment=”Priority – 0 – Call of Duty” disabled=no new-priority=0 passthrough=yes port=28960 protocol=udp
add chain=output comment=”Section Break” disabled=yes

#########################################
#### VOIP ####
#########################################

/ip firewall layer7-protocol
add name=sip regexp=\
“^(invite|register|cancel) sip[\t-\r -~]*sip/[0-2]\\.[0-9]”
add name=h323 regexp=\
“^\03..\?\08…\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?\05″
add name=skypeout regexp=”^(\01.\?.\?.\?.\?.\?.\?.\?.\?\01|\02.\?.\?.\?.\?.\?.\
\?.\?.\?\02|\03.\?.\?.\?.\?.\?.\?.\?.\?\03|\04.\?.\?.\?.\?.\?.\?.\?.\?\04|\
\05.\?.\?.\?.\?.\?.\?.\?.\?\05|\06.\?.\?.\?.\?.\?.\?.\?.\?\06|\07.\?.\?.\?\
.\?.\?.\?.\?.\?\07|\08.\?.\?.\?.\?.\?.\?.\?.\?\08|\t.\?.\?.\?.\?.\?.\?.\?.\
\?\t|\
\n.\?.\?.\?.\?.\?.\?.\?.\?\
\n|\0B.\?.\?.\?.\?.\?.\?.\?.\?\0B|\0C.\?.\?.\?.\?.\?.\?.\?.\?\0C|\r.\?.\?.\
\?.\?.\?.\?.\?.\?\r|\0E.\?.\?.\?.\?.\?.\?.\?.\?\0E|\0F.\?.\?.\?.\?.\?.\?.\
\?.\?\0F|\10.\?.\?.\?.\?.\?.\?.\?.\?\10|\11.\?.\?.\?.\?.\?.\?.\?.\?\11|\12\
.\?.\?.\?.\?.\?.\?.\?.\?\12|\13.\?.\?.\?.\?.\?.\?.\?.\?\13|\14.\?.\?.\?.\?\
.\?.\?.\?.\?\14|\15.\?.\?.\?.\?.\?.\?.\?.\?\15|\16.\?.\?.\?.\?.\?.\?.\?.\?\
\16|\17.\?.\?.\?.\?.\?.\?.\?.\?\17|\18.\?.\?.\?.\?.\?.\?.\?.\?\18|\19.\?.\
\?.\?.\?.\?.\?.\?.\?\19|\1A.\?.\?.\?.\?.\?.\?.\?.\?\1A|\1B.\?.\?.\?.\?.\?.\
\?.\?.\?\1B|\1C.\?.\?.\?.\?.\?.\?.\?.\?\1C|\1D.\?.\?.\?.\?.\?.\?.\?.\?\1D|\
\1E.\?.\?.\?.\?.\?.\?.\?.\?\1E|\1F.\?.\?.\?.\?.\?.\?.\?.\?\1F| .\?.\?.\?.\
\?.\?.\?.\?.\? |!.\?.\?.\?.\?.\?.\?.\?.\?!|\”.\?.\?.\?.\?.\?.\?.\?.\?\”|#.\
\?.\?.\?.\?.\?.\?.\?.\?#|\\\$.\?.\?.\?.\?.\?.\?.\?.\?\\\$|%.\?.\?.\?.\?.\?\
.\?.\?.\?%|&.\?.\?.\?.\?.\?.\?.\?.\?&|’.\?.\?.\?.\?.\?.\?.\?.\?’|\\(.\?.\?\
.\?.\?.\?.\?.\?.\?\\(|\\).\?.\?.\?.\?.\?.\?.\?.\?\\)|\\*.\?.\?.\?.\?.\?.\?\
.\?.\?\\*|\\+.\?.\?.\?.\?.\?.\?.\?.\?\\+|,.\?.\?.\?.\?.\?.\?.\?.\?,|-.\?.\
\?.\?.\?.\?.\?.\?.\?-|\\..\?.\?.\?.\?.\?.\?.\?.\?\\.|/.\?.\?.\?.\?.\?.\?.\
\?.\?/|0.\?.\?.\?.\?.\?.\?.\?.\?0|1.\?.\?.\?.\?.\?.\?.\?.\?1|2.\?.\?.\?.\?\
.\?.\?.\?.\?2|3.\?.\?.\?.\?.\?.\?.\?.\?3|4.\?.\?.\?.\?.\?.\?.\?.\?4|5.\?.\
\?.\?.\?.\?.\?.\?.\?5|6.\?.\?.\?.\?.\?.\?.\?.\?6|7.\?.\?.\?.\?.\?.\?.\?.\?\
7|8.\?.\?.\?.\?.\?.\?.\?.\?8|9.\?.\?.\?.\?.\?.\?.\?.\?9|:.\?.\?.\?.\?.\?.\
\?.\?.\?:|;.\?.\?.\?.\?.\?.\?.\?.\?;|<.\?.\?.\?.\?.\?.\?.\?.\?<|=.\?.\?.\?\
.\?.\?.\?.\?.\?=|>.\?.\?.\?.\?.\?.\?.\?.\?>|\\\?.\?.\?.\?.\?.\?.\?.\?.\?\\\
\?|@.\?.\?.\?.\?.\?.\?.\?.\?@|A.\?.\?.\?.\?.\?.\?.\?.\?A|B.\?.\?.\?.\?.\?.\
\?.\?.\?B|C.\?.\?.\?.\?.\?.\?.\?.\?C|D.\?.\?.\?.\?.\?.\?.\?.\?D|E.\?.\?.\?\
.\?.\?.\?.\?.\?E|F.\?.\?.\?.\?.\?.\?.\?.\?F|G.\?.\?.\?.\?.\?.\?.\?.\?G|H.\
\?.\?.\?.\?.\?.\?.\?.\?H|I.\?.\?.\?.\?.\?.\?.\?.\?I|J.\?.\?.\?.\?.\?.\?.\?\
.\?J|K.\?.\?.\?.\?.\?.\?.\?.\?K|L.\?.\?.\?.\?.\?.\?.\?.\?L|M.\?.\?.\?.\?.\
\?.\?.\?.\?M|N.\?.\?.\?.\?.\?.\?.\?.\?N|O.\?.\?.\?.\?.\?.\?.\?.\?O|P.\?.\?\
.\?.\?.\?.\?.\?.\?P|Q.\?.\?.\?.\?.\?.\?.\?.\?Q|R.\?.\?.\?.\?.\?.\?.\?.\?R|\
S.\?.\?.\?.\?.\?.\?.\?.\?S|T.\?.\?.\?.\?.\?.\?.\?.\?T|U.\?.\?.\?.\?.\?.\?.\
\?.\?U|V.\?.\?.\?.\?.\?.\?.\?.\?V|W.\?.\?.\?.\?.\?.\?.\?.\?W|X.\?.\?.\?.\?\
.\?.\?.\?.\?X|Y.\?.\?.\?.\?.\?.\?.\?.\?Y|Z.\?.\?.\?.\?.\?.\?.\?.\?Z|\\[.\?\
.\?.\?.\?.\?.\?.\?.\?\\[|\\].\?.\?.\?.\?.\?.\?.\?.\?\\]|\\].\?.\?.\?.\?.\?\
.\?.\?.\?\\]|\\^.\?.\?.\?.\?.\?.\?.\?.\?\\^|_.\?.\?.\?.\?.\?.\?.\?.\?_|`.\
\?.\?.\?.\?.\?.\?.\?.\?`|a.\?.\?.\?.\?.\?.\?.\?.\?a|b.\?.\?.\?.\?.\?.\?.\?\
.\?b|c.\?.\?.\?.\?.\?.\?.\?.\?c|d.\?.\?.\?.\?.\?.\?.\?.\?d|e.\?.\?.\?.\?.\
\?.\?.\?.\?e|f.\?.\?.\?.\?.\?.\?.\?.\?f|g.\?.\?.\?.\?.\?.\?.\?.\?g|h.\?.\?\
.\?.\?.\?.\?.\?.\?h|i.\?.\?.\?.\?.\?.\?.\?.\?i|j.\?.\?.\?.\?.\?.\?.\?.\?j|\
k.\?.\?.\?.\?.\?.\?.\?.\?k|l.\?.\?.\?.\?.\?.\?.\?.\?l|m.\?.\?.\?.\?.\?.\?.\
\?.\?m|n.\?.\?.\?.\?.\?.\?.\?.\?n|o.\?.\?.\?.\?.\?.\?.\?.\?o|p.\?.\?.\?.\?\
.\?.\?.\?.\?p|q.\?.\?.\?.\?.\?.\?.\?.\?q|r.\?.\?.\?.\?.\?.\?.\?.\?r|s.\?.\
\?.\?.\?.\?.\?.\?.\?s|t.\?.\?.\?.\?.\?.\?.\?.\?t|u.\?.\?.\?.\?.\?.\?.\?.\?\
u|v.\?.\?.\?.\?.\?.\?.\?.\?v|w.\?.\?.\?.\?.\?.\?.\?.\?w|x.\?.\?.\?.\?.\?.\
\?.\?.\?x|y.\?.\?.\?.\?.\?.\?.\?.\?y|z.\?.\?.\?.\?.\?.\?.\?.\?z|\\{.\?.\?.\
\?.\?.\?.\?.\?.\?\\{|\\|.\?.\?.\?.\?.\?.\?.\?.\?\\||\\}.\?.\?.\?.\?.\?.\?.\
\?.\?\\}|~.\?.\?.\?.\?.\?.\?.\?.\?~|\7F.\?.\?.\?.\?.\?.\?.\?.\?\7F|\80.\?.\
\?.\?.\?.\?.\?.\?.\?\80|\81.\?.\?.\?.\?.\?.\?.\?.\?\81|\82.\?.\?.\?.\?.\?.\
\?.\?.\?\82|\83.\?.\?.\?.\?.\?.\?.\?.\?\83|\84.\?.\?.\?.\?.\?.\?.\?.\?\84|\
\85.\?.\?.\?.\?.\?.\?.\?.\?\85|\86.\?.\?.\?.\?.\?.\?.\?.\?\86|\87.\?.\?.\?\
.\?.\?.\?.\?.\?\87|\88.\?.\?.\?.\?.\?.\?.\?.\?\88|\89.\?.\?.\?.\?.\?.\?.\?\
.\?\89|\8A.\?.\?.\?.\?.\?.\?.\?.\?\8A|\8B.\?.\?.\?.\?.\?.\?.\?.\?\8B|\8C.\
\?.\?.\?.\?.\?.\?.\?.\?\8C|\8D.\?.\?.\?.\?.\?.\?.\?.\?\8D|\8E.\?.\?.\?.\?.\
\?.\?.\?.\?\8E|\8F.\?.\?.\?.\?.\?.\?.\?.\?\8F|\90.\?.\?.\?.\?.\?.\?.\?.\?\
\90|\91.\?.\?.\?.\?.\?.\?.\?.\?\91|\92.\?.\?.\?.\?.\?.\?.\?.\?\92|\93.\?.\
\?.\?.\?.\?.\?.\?.\?\93|\94.\?.\?.\?.\?.\?.\?.\?.\?\94|\95.\?.\?.\?.\?.\?.\
\?.\?.\?\95|\96.\?.\?.\?.\?.\?.\?.\?.\?\96|\97.\?.\?.\?.\?.\?.\?.\?.\?\97|\
\98.\?.\?.\?.\?.\?.\?.\?.\?\98|\99.\?.\?.\?.\?.\?.\?.\?.\?\99|\9A.\?.\?.\?\
.\?.\?.\?.\?.\?\9A|\9B.\?.\?.\?.\?.\?.\?.\?.\?\9B|\9C.\?.\?.\?.\?.\?.\?.\?\
.\?\9C|\9D.\?.\?.\?.\?.\?.\?.\?.\?\9D|\9E.\?.\?.\?.\?.\?.\?.\?.\?\9E|\9F.\
\?.\?.\?.\?.\?.\?.\?.\?\9F|\A0.\?.\?.\?.\?.\?.\?.\?.\?\A0|\A1.\?.\?.\?.\?.\
\?.\?.\?.\?\A1|\A2.\?.\?.\?.\?.\?.\?.\?.\?\A2|\A3.\?.\?.\?.\?.\?.\?.\?.\?\
\A3|\A4.\?.\?.\?.\?.\?.\?.\?.\?\A4|\A5.\?.\?.\?.\?.\?.\?.\?.\?\A5|\A6.\?.\
\?.\?.\?.\?.\?.\?.\?\A6|\A7.\?.\?.\?.\?.\?.\?.\?.\?\A7|\A8.\?.\?.\?.\?.\?.\
\?.\?.\?\A8|\A9.\?.\?.\?.\?.\?.\?.\?.\?\A9|\AA.\?.\?.\?.\?.\?.\?.\?.\?\AA|\
\AB.\?.\?.\?.\?.\?.\?.\?.\?\AB|\AC.\?.\?.\?.\?.\?.\?.\?.\?\AC|\AD.\?.\?.\?\
.\?.\?.\?.\?.\?\AD|\AE.\?.\?.\?.\?.\?.\?.\?.\?\AE|\AF.\?.\?.\?.\?.\?.\?.\?\
.\?\AF|\B0.\?.\?.\?.\?.\?.\?.\?.\?\B0|\B1.\?.\?.\?.\?.\?.\?.\?.\?\B1|\B2.\
\?.\?.\?.\?.\?.\?.\?.\?\B2|\B3.\?.\?.\?.\?.\?.\?.\?.\?\B3|\B4.\?.\?.\?.\?.\
\?.\?.\?.\?\B4|\B5.\?.\?.\?.\?.\?.\?.\?.\?\B5|\B6.\?.\?.\?.\?.\?.\?.\?.\?\
\B6|\B7.\?.\?.\?.\?.\?.\?.\?.\?\B7|\B8.\?.\?.\?.\?.\?.\?.\?.\?\B8|\B9.\?.\
\?.\?.\?.\?.\?.\?.\?\B9|\BA.\?.\?.\?.\?.\?.\?.\?.\?\BA|\BB.\?.\?.\?.\?.\?.\
\?.\?.\?\BB|\BC.\?.\?.\?.\?.\?.\?.\?.\?\BC|\BD.\?.\?.\?.\?.\?.\?.\?.\?\BD|\
\BE.\?.\?.\?.\?.\?.\?.\?.\?\BE|\BF.\?.\?.\?.\?.\?.\?.\?.\?\BF|\C0.\?.\?.\?\
.\?.\?.\?.\?.\?\C0|\C1.\?.\?.\?.\?.\?.\?.\?.\?\C1|\C2.\?.\?.\?.\?.\?.\?.\?\
.\?\C2|\C3.\?.\?.\?.\?.\?.\?.\?.\?\C3|\C4.\?.\?.\?.\?.\?.\?.\?.\?\C4|\C5.\
\?.\?.\?.\?.\?.\?.\?.\?\C5|\C6.\?.\?.\?.\?.\?.\?.\?.\?\C6|\C7.\?.\?.\?.\?.\
\?.\?.\?.\?\C7|\C8.\?.\?.\?.\?.\?.\?.\?.\?\C8|\C9.\?.\?.\?.\?.\?.\?.\?.\?\
\C9|\CA.\?.\?.\?.\?.\?.\?.\?.\?\CA|\CB.\?.\?.\?.\?.\?.\?.\?.\?\CB|\CC.\?.\
\?.\?.\?.\?.\?.\?.\?\CC|\CD.\?.\?.\?.\?.\?.\?.\?.\?\CD|\CE.\?.\?.\?.\?.\?.\
\?.\?.\?\CE|\CF.\?.\?.\?.\?.\?.\?.\?.\?\CF|\D0.\?.\?.\?.\?.\?.\?.\?.\?\D0|\
\D1.\?.\?.\?.\?.\?.\?.\?.\?\D1|\D2.\?.\?.\?.\?.\?.\?.\?.\?\D2|\D3.\?.\?.\?\
.\?.\?.\?.\?.\?\D3|\D4.\?.\?.\?.\?.\?.\?.\?.\?\D4|\D5.\?.\?.\?.\?.\?.\?.\?\
.\?\D5|\D6.\?.\?.\?.\?.\?.\?.\?.\?\D6|\D7.\?.\?.\?.\?.\?.\?.\?.\?\D7|\D8.\
\?.\?.\?.\?.\?.\?.\?.\?\D8|\D9.\?.\?.\?.\?.\?.\?.\?.\?\D9|\DA.\?.\?.\?.\?.\
\?.\?.\?.\?\DA|\DB.\?.\?.\?.\?.\?.\?.\?.\?\DB|\DC.\?.\?.\?.\?.\?.\?.\?.\?\
\DC|\DD.\?.\?.\?.\?.\?.\?.\?.\?\DD|\DE.\?.\?.\?.\?.\?.\?.\?.\?\DE|\DF.\?.\
\?.\?.\?.\?.\?.\?.\?\DF|\E0.\?.\?.\?.\?.\?.\?.\?.\?\E0|\E1.\?.\?.\?.\?.\?.\
\?.\?.\?\E1|\E2.\?.\?.\?.\?.\?.\?.\?.\?\E2|\E3.\?.\?.\?.\?.\?.\?.\?.\?\E3|\
\E4.\?.\?.\?.\?.\?.\?.\?.\?\E4|\E5.\?.\?.\?.\?.\?.\?.\?.\?\E5|\E6.\?.\?.\?\
.\?.\?.\?.\?.\?\E6|\E7.\?.\?.\?.\?.\?.\?.\?.\?\E7|\E8.\?.\?.\?.\?.\?.\?.\?\
.\?\E8|\E9.\?.\?.\?.\?.\?.\?.\?.\?\E9|\EA.\?.\?.\?.\?.\?.\?.\?.\?\EA|\EB.\
\?.\?.\?.\?.\?.\?.\?.\?\EB|\EC.\?.\?.\?.\?.\?.\?.\?.\?\EC|\ED.\?.\?.\?.\?.\
\?.\?.\?.\?\ED|\EE.\?.\?.\?.\?.\?.\?.\?.\?\EE|\EF.\?.\?.\?.\?.\?.\?.\?.\?\
\EF|\F0.\?.\?.\?.\?.\?.\?.\?.\?\F0|\F1.\?.\?.\?.\?.\?.\?.\?.\?\F1|\F2.\?.\
\?.\?.\?.\?.\?.\?.\?\F2|\F3.\?.\?.\?.\?.\?.\?.\?.\?\F3|\F4.\?.\?.\?.\?.\?.\
\?.\?.\?\F4|\F5.\?.\?.\?.\?.\?.\?.\?.\?\F5|\F6.\?.\?.\?.\?.\?.\?.\?.\?\F6|\
\F7.\?.\?.\?.\?.\?.\?.\?.\?\F7|\F8.\?.\?.\?.\?.\?.\?.\?.\?\F8|\F9.\?.\?.\?\
.\?.\?.\?.\?.\?\F9|\FA.\?.\?.\?.\?.\?.\?.\?.\?\FA|\FB.\?.\?.\?.\?.\?.\?.\?\
.\?\FB|\FC.\?.\?.\?.\?.\?.\?.\?.\?\FC|\FD.\?.\?.\?.\?.\?.\?.\?.\?\FD|\FE.\
\?.\?.\?.\?.\?.\?.\?.\?\FE|\FF.\?.\?.\?.\?.\?.\?.\?.\?\FF)”
add name=skypetoskype regexp=”^..\02………….”
add name=teamspeak regexp=”^\F4\BE\03.*teamspeak”
add name=ventrilo regexp=”^..\?v\\\$\CF”
add name=stun regexp=”^[\01\02]…………….\?\$”

/ip firewall mangle
add action=set-priority chain=forward comment=”Priority – 5 – VOIP – h323″ layer7-protocol=h323 new-priority=5
add action=set-priority chain=forward comment=”Priority – 5 – VOIP – SIP” layer7-protocol=sip new-priority=5
add action=set-priority chain=forward comment=”Priority – 5 – VOIP – Skypeout” layer7-protocol=skypeout new-priority=5
add action=set-priority chain=forward comment=”Priority – 5 – VOIP – skypetoskype” layer7-protocol=skypetoskype new-priority=5
add action=set-priority chain=forward comment=”Priority – 5 – VOIP – STUN” layer7-protocol=stun new-priority=5
add action=set-priority chain=forward comment=”Priority – 5 – VOIP – Teamspeak” layer7-protocol=teamspeak new-priority=5
add action=set-priority chain=forward comment=”Priority – 5 – VOIP – Ventrilo” layer7-protocol=ventrilo new-priority=5

That’s all!

Try it and share your impression, bugs, everything!

For reference you can download script and commands in text file:

1. Failover Script -> failover-2_3
2. Commands for config -> load-balance-failover-routeros-2_3

Linux Machine:

Mikrotik RouterBoard:

CATOP=./personalCA

CAKEY=./cakey.pem

CAREQ=./careq.pem

CACERT=./cacert.pem

cd /etc/ssl

mkdir $CATOP

mkdir $CATOP/certs

mkdir $CATOP/crl

mkdir $CATOP/newcerts

mkdir $CATOP/private

echo “00” > $CATOP/serial

echo “00” > $CATOP/crlnumber

touch $CATOP/index.txt

export OPENSSL_CONF=/etc/ssl/essetigiCA.cnf

copy /etc/ssl/openssl.cnf to personalCA.cnf and edit OrganizationName, Country, State, ecc fields.

Then execute:

openssl req -new -keyout $CATOP/private/$CAKEY -out $CATOP/$CAREQ

write a complex passhprase [...]]]> Launch this commands:

CATOP=./personalCA

CAKEY=./cakey.pem

CAREQ=./careq.pem

CACERT=./cacert.pem

cd /etc/ssl

mkdir $CATOP

mkdir $CATOP/certs

mkdir $CATOP/crl

mkdir $CATOP/newcerts

mkdir $CATOP/private

echo “00” > $CATOP/serial

echo “00” > $CATOP/crlnumber

touch $CATOP/index.txt

export OPENSSL_CONF=/etc/ssl/essetigiCA.cnf

copy /etc/ssl/openssl.cnf to personalCA.cnf and edit OrganizationName, Country, State, ecc fields.

Then execute:

openssl req -new -keyout $CATOP/private/$CAKEY -out $CATOP/$CAREQ

write a complex passhprase and remember it! Without it the CA is completely useless. It asks also for information about the CA.

Now we create our CA, it asks for the passphrase:

openssl ca -out $CATOP/$CACERT $CADAYS -extensions v3_ca -days 36500 -keyfile $CATOP/private/$CAKEY -selfsign -infiles $CATOP/$CAREQ

Server certificate:

openssl req -new -nodes -keyout $CATOP/private/server_key.pem -out $CATOP/certs/server_req.pem

openssl ca -out $CATOP/certs/server_cert.pem -days 13000 -extensions server_cert -infiles $CATOP/certs/server_req.pem

client certificate:

openssl req -new -nodes -keyout $CATOP/private/client01_key.pem -out $CATOP/certs/client01_req.pem

openssl ca -out $CATOP/certs/client01_cert.pem -days 10000  -infiles $CATOP/certs/client01_req.pem

That’s all.