Часть правил рулят внутри впн, часть снаружи.
Внутри туннеля запускаю скачивание по фтп
Как видим, уходит всё правильно, загружает всю выделенную полосу.
Теперь снаружи туннеля запускаю веб-трафик, не прерывая загрузку фтп
Подскажите, почему падает скорость фтп? Ведь приоритет туннеля (и, соответственно, трафика внутри него) выше, чем приоритет веб-трафика снаружи (приоритет впн-туннеля 2, а веб-трафика снаружи 3).
Причём приоритизация внутри туннеля работает:
Я уже запутался окончательно. Помогите пожалуйста!
Конфиг:
/queue
# Two root HTB queues attached to parent=global, each capped at max-limit=20M.
# Every other queue in this listing hangs under one of them, either directly
# or through vpn_in / vpn_out.
/queue tree
add max-limit=20M name=in parent=global
add max-limit=20M name=out parent=global
# Custom PCQ queue type "SIP": sub-streams are keyed on the full
# src-address/dst-address/src-port/dst-port tuple, and each sub-stream is held
# to pcq-rate=160k with pcq-limit=10KiB of buffering.
# Referenced by the sip_in / sip_out queues in the queue tree.
/queue type
add kind=pcq name=SIP pcq-classifier=\
src-address,dst-address,src-port,dst-port pcq-limit=10KiB pcq-rate=160k
# Second-level queues under in/out, followed by the per-service queues that
# live under vpn_in / vpn_out.
#
# NOTE(review): vpn_in and vpn_out are inner (parent) queues - everything from
# service_in down to vpn_all_out names them as parent. In RouterOS HTB,
# priority is compared between leaf queues only; a priority set on an inner
# queue is not used. priority=2 on vpn_in/vpn_out therefore does not rank
# tunnel traffic above web_in/web_out: ftp_in/ftp_out (priority=6) compete as
# leaves against web_in/web_out (priority=3), which is consistent with the FTP
# slowdown described in the post. Confirm against the HTB manual for the
# RouterOS version in use.
# NOTE(review): priority only decides who receives bandwidth above limit-at.
# Only vpn_out sets limit-at; no leaf queue does, so no leaf has a guaranteed
# rate.
/queue tree
# Catch-all WAN queues. No priority is given, so the RouterOS default (8, the
# lowest) applies.
add max-limit=10M name=wan_other_in packet-mark=wan_other_in parent=in queue=\
pcq-download-default
add max-limit=10M name=wan_other_out packet-mark=wan_other_out parent=out \
queue=pcq-upload-default
# Parents for all in-tunnel service queues below.
# NOTE(review): vpn_in has no limit-at while vpn_out has limit-at=17M; the two
# directions are not configured symmetrically - confirm whether intended.
# NOTE(review): both carry a packet-mark although they are parents; verify
# whether packets marked vpn_in/vpn_out are actually counted here.
add max-limit=17M name=vpn_in packet-mark=vpn_in parent=in priority=2 queue=\
pcq-download-default
add limit-at=17M max-limit=17M name=vpn_out packet-mark=vpn_out parent=out \
priority=2 queue=pcq-upload-default
# Leaf queues directly under in/out (traffic outside the tunnel).
add max-limit=6M name=open_in packet-mark=open_in parent=in priority=5 queue=\
pcq-download-default
add max-limit=6M name=open_out packet-mark=open_out parent=out priority=5 \
queue=pcq-upload-default
add max-limit=5M name=service_out_wan packet-mark=service_out_wan parent=out \
priority=1 queue=pcq-upload-default
add max-limit=5M name=service_in_wan packet-mark=service_in_wan parent=in \
priority=1 queue=pcq-download-default
# Web traffic outside the tunnel: priority=3, i.e. ahead of ftp_in/ftp_out
# (priority=6) when leaves are compared.
add max-limit=15M name=web_in packet-mark=web_in parent=in priority=3 queue=\
pcq-download-default
add max-limit=20M name=web_out packet-mark=web_out parent=out priority=3 \
queue=pcq-upload-default
add max-limit=15M name=nvr_in packet-mark=nvr_in parent=in priority=4 queue=\
pcq-download-default
add max-limit=15M name=nvr_out packet-mark=nvr_out parent=out priority=4 \
queue=pcq-upload-default
# Leaf queues under vpn_in / vpn_out (traffic inside the tunnel), priority 1-6.
add max-limit=5M name=service_in packet-mark=service_in parent=vpn_in \
priority=1 queue=pcq-download-default
add max-limit=5M name=service_out packet-mark=service_out parent=vpn_out \
priority=1 queue=pcq-upload-default
# SIP uses the custom per-flow PCQ type "SIP" instead of the default PCQ types.
add max-limit=10M name=sip_in packet-mark=sip_in parent=vpn_in priority=2 \
queue=SIP
add max-limit=10M name=sip_out packet-mark=sip_out parent=vpn_out priority=2 \
queue=SIP
add max-limit=17M name=1c_in packet-mark=1c_in parent=vpn_in priority=3 \
queue=pcq-download-default
add max-limit=17M name=1c_out packet-mark=1c_out parent=vpn_out priority=3 \
queue=pcq-upload-default
add max-limit=17M name=printer_in packet-mark=printer_in parent=vpn_in \
priority=4 queue=pcq-download-default
add max-limit=17M name=printer_out packet-mark=printer_out parent=vpn_out \
priority=4 queue=pcq-upload-default
add max-limit=17M name=rdp_vnc_in packet-mark=rdp_vnc_in parent=vpn_in \
priority=5 queue=pcq-download-default
add max-limit=17M name=rdp_vnc_out packet-mark=rdp_vnc_out parent=vpn_out \
priority=5 queue=pcq-upload-default
# FTP inside the tunnel: capped at 6M and the lowest explicit priority (6) in
# this tree.
add max-limit=6M name=ftp_in packet-mark=ftp_in parent=vpn_in priority=6 \
queue=pcq-download-default
add max-limit=6M name=ftp_out packet-mark=ftp_out parent=vpn_out priority=6 \
queue=pcq-upload-default
# Catch-all for remaining tunnel traffic; no priority given (default 8).
add max-limit=17M name=vpn_all_in packet-mark=vpn_all_in parent=vpn_in queue=\
pcq-download-default
add max-limit=17M name=vpn_all_out packet-mark=vpn_all_out parent=vpn_out \
queue=pcq-upload-default
# Mangle rules that classify traffic for the queue tree: each service gets a
# connection mark, then one packet mark per direction. Rules are evaluated top
# to bottom within a chain and every rule uses passthrough=no, so the first
# matching rule in a chain wins - rule order is significant.
#
# These rules only classify; they neither accept nor drop anything. Access
# control for the router-terminated services matched below (tcp 1111-1113,
# udp 53, ICMP echo request, L2TP/IPsec) belongs in /ip firewall filter, which
# is not part of this listing.
#
# Naming: *_in marks are put on packets leaving through the named interface
# list (out-interface-list), *_out on packets arriving from it
# (in-interface-list).
# NOTE(review): confirm this direction naming matches the
# pcq-download-default / pcq-upload-default queue types used in the queue tree.
# NOTE(review): no mark-connection rule is limited to connection-mark=no-mark
# or connection-state=new, so a packet of an already-marked connection that
# matches a later rule can change the mark - confirm whether that is intended.
/ip firewall mangle
# Open: every connection sourced from 192.168.0.0/24. Because this rule comes
# first in prerouting with passthrough=no, packets from that subnet never
# reach the port-based prerouting rules further down.
add action=mark-connection chain=prerouting comment=Open new-connection-mark=\
open passthrough=no src-address=192.168.0.0/24
add action=mark-packet chain=forward connection-mark=open new-packet-mark=\
open_in out-interface-list=wan passthrough=no
add action=mark-packet chain=forward connection-mark=open in-interface-list=\
wan new-packet-mark=open_out passthrough=no
# NVR: tcp/1511 connections arriving from the wan interface list.
# NOTE(review): presumably paired with a dst-nat rule elsewhere; not shown.
add action=mark-connection chain=prerouting comment=NVR dst-port=\
1511 in-interface-list=wan new-connection-mark=nvr passthrough=\
no protocol=tcp
add action=mark-packet chain=forward connection-mark=nvr new-packet-mark=\
nvr_in out-interface-list=wan passthrough=no
add action=mark-packet chain=forward connection-mark=nvr in-interface-list=\
wan new-packet-mark=nvr_out passthrough=no
# WEB: tcp 80/443/8080 from 10.2.14.0/24, packet-marked on the wan side.
add action=mark-connection chain=prerouting comment=WEB dst-port=80,443,8080 \
new-connection-mark=web passthrough=no protocol=tcp src-address=\
10.2.14.0/24
add action=mark-packet chain=forward connection-mark=web new-packet-mark=\
web_in out-interface-list=wan passthrough=no
add action=mark-packet chain=forward connection-mark=web in-interface-list=\
wan new-packet-mark=web_out passthrough=no
# FTP: packet-marked on the vpn side only.
# NOTE(review): the connection mark matches destination ports 20/21 only; FTP
# data connections that use other destination ports would not get this mark
# and would fall through to the vpn_all_* catch-all - verify against the FTP
# mode in use.
add action=mark-connection chain=prerouting comment=FTP dst-port=20,21 \
new-connection-mark=ftp passthrough=no protocol=tcp
add action=mark-packet chain=forward connection-mark=ftp new-packet-mark=\
ftp_in out-interface-list=vpn passthrough=no
add action=mark-packet chain=forward connection-mark=ftp in-interface-list=\
vpn new-packet-mark=ftp_out passthrough=no
# RDP_VNC: tcp 3389, 5900-5906 and 623, packet-marked on the vpn side only.
add action=mark-connection chain=prerouting comment=RDP_VNC dst-port=\
3389,5900-5906,623 new-connection-mark=rdp_vnc passthrough=no protocol=\
tcp
add action=mark-packet chain=forward connection-mark=rdp_vnc new-packet-mark=\
rdp_vnc_in out-interface-list=vpn passthrough=no
add action=mark-packet chain=forward connection-mark=rdp_vnc \
in-interface-list=vpn new-packet-mark=rdp_vnc_out passthrough=no
# Printer: tcp/9100 on the vpn side.
add action=mark-connection chain=prerouting comment=Printer dst-port=9100 \
new-connection-mark=printer passthrough=no protocol=tcp
add action=mark-packet chain=forward connection-mark=printer new-packet-mark=\
printer_in out-interface-list=vpn passthrough=no
add action=mark-packet chain=forward connection-mark=printer \
in-interface-list=vpn new-packet-mark=printer_out passthrough=no
# 1C: tcp 1540, 1541 and 1560-1591 on the vpn side.
add action=mark-connection chain=prerouting comment=1C dst-port=\
1540,1541,1560-1591 new-connection-mark=1c passthrough=no protocol=tcp
add action=mark-packet chain=forward connection-mark=1c new-packet-mark=1c_in \
out-interface-list=vpn passthrough=no
add action=mark-packet chain=forward connection-mark=1c in-interface-list=vpn \
new-packet-mark=1c_out passthrough=no
# SIP: udp 5060 plus the wide 10000-20000 range, on the vpn side.
# NOTE(review): the match is by destination port only, so any UDP packet whose
# destination port falls in 10000-20000 is classified as SIP - confirm.
add action=mark-connection chain=prerouting comment=SIP dst-port=\
5060,10000-20000 new-connection-mark=sip passthrough=no protocol=udp
add action=mark-packet chain=forward connection-mark=sip new-packet-mark=\
sip_in out-interface-list=vpn passthrough=no
add action=mark-packet chain=forward connection-mark=sip in-interface-list=\
vpn new-packet-mark=sip_out passthrough=no
# Service (towards the router, chain=input): tcp 1111-1113, udp 53 and ICMP
# echo request. The connection-mark rules carry no in-interface matcher; the
# wan/vpn split is made only by the two mark-packet rules that follow.
# NOTE(review): the connection mark is set in input while the packet mark is
# applied in prerouting, which runs earlier, so the first packet of each
# connection presumably passes prerouting without this packet mark - verify.
add action=mark-connection chain=input comment=Service dst-port=\
1111,1112,1113 new-connection-mark=service_in passthrough=no protocol=tcp
add action=mark-connection chain=input dst-port=53 new-connection-mark=\
service_in passthrough=no protocol=udp
add action=mark-connection chain=input icmp-options=8:0 new-connection-mark=\
service_in passthrough=no protocol=icmp
add action=mark-packet chain=prerouting connection-mark=service_in \
in-interface-list=vpn new-packet-mark=service_in passthrough=no
add action=mark-packet chain=prerouting connection-mark=service_in \
in-interface-list=wan new-packet-mark=service_in_wan passthrough=no
# Service (from the router, chain=output): same services matched by source
# port, split into vpn and wan packet marks in postrouting.
add action=mark-connection chain=output new-connection-mark=service_out \
passthrough=no protocol=tcp src-port=1111,1112,1113
add action=mark-connection chain=output new-connection-mark=service_out \
passthrough=no protocol=udp src-port=53
add action=mark-connection chain=output icmp-options=8:0 new-connection-mark=\
service_out passthrough=no protocol=icmp
add action=mark-packet chain=postrouting connection-mark=service_out \
new-packet-mark=service_out out-interface-list=vpn passthrough=no
add action=mark-packet chain=postrouting connection-mark=service_out \
new-packet-mark=service_out_wan out-interface-list=wan passthrough=no
# VPN_mark: the encapsulated tunnel itself (udp 1701/500/4500, ESP, AH)
# addressed to the router. These packets get packet marks vpn_in / vpn_out;
# traffic carried inside the tunnel is marked separately by the forward-chain
# rules above and below, so it is queued under its own per-service mark
# (ftp_in, sip_in, ...) rather than under vpn_in / vpn_out.
# The prerouting / postrouting mark-packet rules here have no interface
# matcher.
add action=mark-connection chain=input comment=VPN_mark dst-port=\
1701,500,4500 new-connection-mark=vpn_in passthrough=no protocol=udp
add action=mark-connection chain=input new-connection-mark=vpn_in \
passthrough=no protocol=ipsec-esp
add action=mark-connection chain=input new-connection-mark=vpn_in \
passthrough=no protocol=ipsec-ah
add action=mark-packet chain=prerouting connection-mark=vpn_in \
new-packet-mark=vpn_in passthrough=no
add action=mark-connection chain=output new-connection-mark=vpn_out \
passthrough=no protocol=udp src-port=1701,500,4500
add action=mark-connection chain=output new-connection-mark=vpn_out \
passthrough=no protocol=ipsec-ah
add action=mark-connection chain=output new-connection-mark=vpn_out \
passthrough=no protocol=ipsec-esp
add action=mark-packet chain=postrouting connection-mark=vpn_out \
new-packet-mark=vpn_out passthrough=no
# VPN_other_mark: catch-all for forwarded packets on the vpn interface list
# that no earlier forward rule matched (no connection-mark matcher here).
add action=mark-packet chain=forward comment=VPN_other_mark new-packet-mark=\
vpn_all_in out-interface-list=vpn passthrough=no
add action=mark-packet chain=forward in-interface-list=vpn new-packet-mark=\
vpn_all_out passthrough=no
# WAN_other_mark: catch-all for the remaining forwarded wan traffic.
# NOTE(review): here packets arriving from wan get the *_in mark and packets
# leaving via wan get *_out - the opposite of the convention used by every
# rule above. Confirm which direction is intended.
add action=mark-packet chain=forward comment=WAN_other_mark \
in-interface-list=wan new-packet-mark=wan_other_in passthrough=no
add action=mark-packet chain=forward new-packet-mark=wan_other_out \
out-interface-list=wan passthrough=no