Email:
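# Send one message through an authenticated SMTP submission port (587 with STARTTLS).
# Every parameter is given once; repeating cc=, subject=, port= and the rest adds nothing.
# No server= is given, so the server configured under /tool e-mail is presumably used - confirm.
# NOTE(review): a password typed inline stays readable in any script or note that stores this
# line. Replace the placeholder with an app-specific password for a mailbox used only by the
# router. start-tls=yes is the RouterOS v6 spelling - confirm the parameter on your version.
/tool e-mail send to=abc@domain.com \
cc=abc@domain.com,abc2@domain.com \
subject="Subject" \
from=Example_Router \
port=587 \
start-tls=yes \
user=youruser@gmail.com \
password=youremailpassword \
body="body"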
LATEST NEW FIREWALL:
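# WAN-facing input-chain rules; ether1 is the WAN port in this listing.
# Filter rules are evaluated top to bottom, so keep the order when editing.
# NOTE(review): only deny rules are shown here - no accept for established/related
# traffic, no management allow-list and no final drop on chain=input. Confirm the
# rest of the ruleset provides them before relying on this block.
/ip firewall filter
# Drop DNS queries arriving on the WAN port so the router's resolver is not
# reachable from outside.
add action=drop chain=input comment="outside word dns block in UDP" dst-port=53 in-interface=ether1 protocol=udp src-address=0.0.0.0/0
add action=drop chain=input comment="outside word dns block in TCP" dst-port=53 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0
# Port-scan detection: each match puts the source on PortScanner for two weeks.
# psd=21,3s,3,1 = weight threshold 21, delay threshold 3s, weight 3 per low port, 1 per high port.
# NOTE(review): none of these rules names an in-interface, so LAN hosts can be listed too,
# and the single-packet flag tests trust a source address that can be forged. Keep an accept
# rule for your management addresses above this block to avoid locking yourself out.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input comment="Drop Port Scanner" protocol=tcp psd=21,3s,3,1
# FIN set, every other flag clear.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
# SYN and FIN together.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
# All six flags set.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
# SYN and RST together.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
# FIN+PSH+URG set, SYN/RST/ACK clear.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
# No flag set at all.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Anything on the list is refused from here on.
add action=drop chain=input src-address-list=PortScanner
# FTP brute force: sources already on ftp_blacklist are refused on port 21.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0 src-address-list=ftp_blacklist
# Allowance for failed logins (1 per minute, burst 9, per destination address). It is disabled
# in this listing, so the rule below lists a client on its first failed login; enable it if
# users who mistype a password should not be blocked for three hours.
add chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
# "530 Login incorrect" is the FTP server's reply to the client, so it is only seen in
# chain=output with the client as destination. On chain=input the reply never appears and
# ftp_blacklist would stay empty; in-interface cannot be matched in the output chain.
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
# SSH brute-force ladder on port 22. Every new connection moves the source one list up
# (ssh_stage1 -> ssh_stage2 -> ssh_stage3, one minute each); a further new connection while
# on ssh_stage3 puts it on ssh_blacklist for 1w3d. The highest stage is tested first so one
# connection advances exactly one step. The ladder rules name no in-interface, the drop
# applies on ether1 only.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
# ICMP addressed to the router on the WAN port.
# NOTE(review): on chain=input these match ICMP messages sent to the router; replies the
# router itself generates leave through chain=output and are not affected.
# Type 11 code 0 (TTL exceeded in transit).
add action=drop chain=input comment="Drop Traceroute" icmp-options=11:0 in-interface=ether1 protocol=icmp
# Type 3 code 3 (port unreachable).
add action=drop chain=input icmp-options=3:3 in-interface=ether1 protocol=icmp
# Any ICMP from a source not on the "Local" address list (the list is not defined in this listing).
add action=drop chain=input in-interface=ether1 protocol=icmp src-address-list=!Local
# All remaining ICMP on ether1. This covers every ICMP type, not only echo request, and
# makes the three rules above redundant for ether1.
add action=drop chain=input comment="Drop ICMP Ping" in-interface=ether1 protocol=icmp
/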
Drop Virus Port
Drop Port Scanner
Drop Brute Force
Drop Trace route
Drop ICMP Ping
Drop Netcut Attack
Video
Youtube
Note:
Content: Facebook.com (you can change it to any other site you want to block)
Src-Address: Your local IP rules (replace these IP rules with your own)
IP FIREWALL MANGLE
QUEUE TREE
Note: the queue limit is 256k; you can set a different limit by changing "256000"
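# WAN-facing input-chain rules; ether1 is the WAN port in this listing.
# Filter rules are evaluated top to bottom, so keep the order when editing.
# NOTE(review): only deny rules are shown here - no accept for established/related
# traffic, no management allow-list and no final drop on chain=input. Confirm the
# rest of the ruleset provides them before relying on this block.
/ip firewall filter
# Drop DNS queries arriving on the WAN port so the router's resolver is not
# reachable from outside.
add action=drop chain=input comment="outside word dns block in UDP" dst-port=53 in-interface=ether1 protocol=udp src-address=0.0.0.0/0
add action=drop chain=input comment="outside word dns block in TCP" dst-port=53 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0
# Port-scan detection: each match puts the source on PortScanner for two weeks.
# psd=21,3s,3,1 = weight threshold 21, delay threshold 3s, weight 3 per low port, 1 per high port.
# NOTE(review): none of these rules names an in-interface, so LAN hosts can be listed too,
# and the single-packet flag tests trust a source address that can be forged. Keep an accept
# rule for your management addresses above this block to avoid locking yourself out.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input comment="Drop Port Scanner" protocol=tcp psd=21,3s,3,1
# FIN set, every other flag clear.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
# SYN and FIN together.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
# All six flags set.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
# SYN and RST together.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
# FIN+PSH+URG set, SYN/RST/ACK clear.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
# No flag set at all.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Anything on the list is refused from here on.
add action=drop chain=input src-address-list=PortScanner
# FTP brute force: sources already on ftp_blacklist are refused on port 21.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0 src-address-list=ftp_blacklist
# Allowance for failed logins (1 per minute, burst 9, per destination address). It is disabled
# in this listing, so the rule below lists a client on its first failed login; enable it if
# users who mistype a password should not be blocked for three hours.
add chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
# "530 Login incorrect" is the FTP server's reply to the client, so it is only seen in
# chain=output with the client as destination. On chain=input the reply never appears and
# ftp_blacklist would stay empty; in-interface cannot be matched in the output chain.
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
# SSH brute-force ladder on port 22. Every new connection moves the source one list up
# (ssh_stage1 -> ssh_stage2 -> ssh_stage3, one minute each); a further new connection while
# on ssh_stage3 puts it on ssh_blacklist for 1w3d. The highest stage is tested first so one
# connection advances exactly one step. The ladder rules name no in-interface, the drop
# applies on ether1 only.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
# ICMP addressed to the router on the WAN port.
# NOTE(review): on chain=input these match ICMP messages sent to the router; replies the
# router itself generates leave through chain=output and are not affected.
# Type 11 code 0 (TTL exceeded in transit).
add action=drop chain=input comment="Drop Traceroute" icmp-options=11:0 in-interface=ether1 protocol=icmp
# Type 3 code 3 (port unreachable).
add action=drop chain=input icmp-options=3:3 in-interface=ether1 protocol=icmp
# Any ICMP from a source not on the "Local" address list (the list is not defined in this listing).
add action=drop chain=input in-interface=ether1 protocol=icmp src-address-list=!Local
# All remaining ICMP on ether1. This covers every ICMP type, not only echo request, and
# makes the three rules above redundant for ether1.
add action=drop chain=input comment="Drop ICMP Ping" in-interface=ether1 protocol=icmp
/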
Load Balancing Two or More WAN
Connections With Failover
Rules:
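# Two-WAN load balancing with the per-connection classifier (PCC) and route-based failover.
# Replace every "YOUR ..." placeholder before pasting; the placeholders contain spaces and
# are not valid RouterOS values as written.
/ip address
add address=YOUR LAN IP interface=LAN
add address=YOUR WAN1 IP interface=WAN1
add address=YOUR WAN2 IP interface=WAN2
/ip firewall mangle
# Connections that reach the router through a WAN port are marked, and the router's own
# replies are routed back out through the same WAN.
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
# LAN traffic to the directly connected WAN subnets skips balancing. One rule per WAN:
# the second rule must name the WAN2 subnet, not WAN1 again.
add chain=prerouting dst-address=YOUR WAN1 SUBNET action=accept in-interface=LAN
add chain=prerouting dst-address=YOUR WAN2 SUBNET action=accept in-interface=LAN
# PCC hashes both addresses and ports into two buckets (2/0 and 2/1), so each connection
# stays on one WAN. passthrough=yes lets the packet continue to the mark-routing rules.
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2
/ip route
# One default route per routing mark, then two unmarked defaults (distance 1 and 2) for failover.
# NOTE(review): check-gateway=ping only tests the gateway address itself; a fault further
# upstream is not detected. routing-mark= on routes is RouterOS v6 syntax - confirm for your version.
add dst-address=0.0.0.0/0 gateway=YOUR WAN1 GATEWAY routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=YOUR WAN2 GATEWAY routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=YOUR WAN1 GATEWAY distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=YOUR WAN2 GATEWAY distance=2 check-gateway=ping
/ip firewall nat
# Source NAT on each WAN so replies return to the address of the link that carried the request.
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade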
IF YOU HAVE HOTSPOT ENABLED, ADD THIS
# HotSpot only: in the pre-hotspot chain, accept traffic from authenticated clients
# (hotspot=auth) whose destination is not one of the router's own addresses.
/ip firewall nat
add chain=pre-hotspot action=accept hotspot=auth dst-address-type=!local disabled=no
Rules:
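# Two-WAN load balancing with the per-connection classifier (PCC) and route-based failover.
# Replace every "YOUR ..." placeholder before pasting; the placeholders contain spaces and
# are not valid RouterOS values as written.
/ip address
add address=YOUR LAN IP interface=LAN
add address=YOUR WAN1 IP interface=WAN1
add address=YOUR WAN2 IP interface=WAN2
/ip firewall mangle
# Connections that reach the router through a WAN port are marked, and the router's own
# replies are routed back out through the same WAN.
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
# LAN traffic to the directly connected WAN subnets skips balancing. One rule per WAN:
# the second rule must name the WAN2 subnet, not WAN1 again.
add chain=prerouting dst-address=YOUR WAN1 SUBNET action=accept in-interface=LAN
add chain=prerouting dst-address=YOUR WAN2 SUBNET action=accept in-interface=LAN
# PCC hashes both addresses and ports into two buckets (2/0 and 2/1), so each connection
# stays on one WAN. passthrough=yes lets the packet continue to the mark-routing rules.
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2
/ip route
# One default route per routing mark, then two unmarked defaults (distance 1 and 2) for failover.
# NOTE(review): check-gateway=ping only tests the gateway address itself; a fault further
# upstream is not detected. routing-mark= on routes is RouterOS v6 syntax - confirm for your version.
add dst-address=0.0.0.0/0 gateway=YOUR WAN1 GATEWAY routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=YOUR WAN2 GATEWAY routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=YOUR WAN1 GATEWAY distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=YOUR WAN2 GATEWAY distance=2 check-gateway=ping
/ip firewall nat
# Source NAT on each WAN so replies return to the address of the link that carried the request.
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade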
IF YOU HAVE HOTSPOT ENABLED, ADD THIS
# HotSpot only: in the pre-hotspot chain, accept traffic from authenticated clients
# (hotspot=auth) whose destination is not one of the router's own addresses.
/ip firewall nat
add chain=pre-hotspot action=accept hotspot=auth dst-address-type=!local disabled=no
Standard firewall rule Mikrotik:
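# Minimal filter set. Each rule is listed once; adding the same rule a second time only
# creates a duplicate entry that never matches anything new.
/ip firewall filter
# Let forwarded packets of already established connections through.
# NOTE(review): only connection-state=established is accepted here; "related" is not listed.
add action=accept chain=forward comment="Accepted Connections" connection-state=established disabled=no
# NOTE(review): the next two rules accept TCP 80 and TCP 25 addressed to the router itself
# from every interface, WAN included. If the router's web interface runs on port 80 this
# exposes it to the Internet; add in-interface= or src-address= for the management network,
# and drop the port 25 rule unless something on the router really listens there.
add action=accept chain=input comment="" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=25 protocol=tcp
# Discard forwarded packets that connection tracking classifies as invalid.
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid disabled=no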
Drop Virus Port
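# Port blocklist. Each port is listed once (the repeated copy of the list and the second
# 2745/tcp entry are left out).
# NOTE(review): apart from the first rule, everything lives in the custom chain "virus".
# A custom chain is only evaluated when another rule jumps to it (action=jump
# jump-target=virus), and no such rule appears in this listing, so as written these drops
# are never reached. Before adding a jump, make sure established/related traffic is accepted
# first: dst-port=1024-1030 can also be the client port of ordinary reply packets.
/ip firewall filter
add action=drop chain=forward comment="Drop Virus Port" disabled=no dst-port=40016 protocol=udp
# Windows RPC / NetBIOS / SMB / MS-SQL service ports.
add action=drop chain=virus comment="" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment="" disabled=no dst-port=593 protocol=tcp
# Remaining single ports from the page's list.
add action=drop chain=virus comment="" disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=3127 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=65506 protocol=tcp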
Drop Port Scanner
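# Port-scan detection on chain=input. Each rule is listed once; a second copy of the same
# rules would only add duplicates that match nothing new.
# Every match puts the source address on PortScanner for two weeks; the last rule drops
# all input traffic from listed addresses.
# psd=21,3s,3,1 = weight threshold 21, delay threshold 3s, weight 3 per low port, 1 per high port.
# NOTE(review): no rule names an in-interface, so LAN hosts can be listed as well, and the
# single-packet flag tests trust a source address that can be forged. Keep an accept rule
# for your management addresses above this block to avoid locking yourself out.
/ip firewall filter
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input comment="Drop Port Scanner" disabled=no protocol=tcp psd=21,3s,3,1
# FIN set, every other flag clear.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input comment="" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
# SYN and FIN together.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input comment="" disabled=no protocol=tcp tcp-flags=fin,syn
# All six flags set.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input comment="" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
# SYN and RST together.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input comment="" disabled=no protocol=tcp tcp-flags=syn,rst
# FIN+PSH+URG set, SYN/RST/ACK clear.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input comment="" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
# No flag set at all.
add action=add-src-to-address-list address-list=PortScanner address-list-timeout=2w chain=input comment="" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="" disabled=no src-address-list=PortScanner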
Drop Brute Force
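# Failed-login throttle driven by the FTP server's "530 Login incorrect" reply.
# Each rule is listed once.
/ip firewall filter
# Up to the dst-limit allowance (1 per minute, burst 9, tracked per destination address)
# the failure reply is simply accepted.
add action=accept chain=output comment="Drop Brute Force" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
# Replies beyond the allowance put the client (the reply's destination) on Blacklist for 23h.
add action=add-dst-to-address-list address-list=Blacklist address-list-timeout=23h chain=output comment="" content="530 Login incorrect" disabled=no protocol=tcp
# Blacklist is filled from FTP login failures, so the drop has to cover FTP (21) for the
# block to stop the attempts that triggered it; SSH (22) stays blocked as before.
add action=drop chain=input comment="" disabled=no dst-port=21,22 protocol=tcp src-address-list=Blacklist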
Drop Trace route
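# ICMP filtering for traceroute. Each rule is listed once.
/ip firewall filter
# Forwarded ICMP type 11 code 0 (TTL exceeded in transit) and type 3 code 3 (port
# unreachable). NOTE(review): these are on chain=forward with no interface match, so they
# also discard the replies LAN clients need for their own traceroute and UDP error reporting.
add action=drop chain=forward comment="Drop Traceroute" disabled=no icmp-options=11:0 protocol=icmp
add action=drop chain=forward comment="" disabled=no icmp-options=3:3 protocol=icmp
# All ICMP addressed to the router from sources not on the "Local" address list.
# NOTE(review): "Local" is not defined in this listing; while that list is empty this rule
# drops ICMP to the router from every source, LAN included.
add action=drop chain=input comment="" disabled=no protocol=icmp src-address-list=!Local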
Drop ICMP Ping
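# Drop ICMP addressed to the router. The rule is listed once.
# NOTE(review): there is no icmp-options and no in-interface match, so this discards every
# ICMP type from every interface - echo requests from the LAN and error messages such as
# "fragmentation needed" included. Narrow it (for example to echo request on the WAN port)
# if only Internet pings should go unanswered.
/ip firewall filter
add action=drop chain=input comment="Drop ICMP Ping" disabled=no protocol=icmp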
Drop Netcut Attack
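# Rules labelled "NETCUT BLOCK". Each rule is listed once.
# NOTE(review): despite the label, every rule here is action=accept. They allow TCP on all
# ports (dst-port=0-65535) to the router itself from seven public /24 ranges, ahead of any
# later drop rule. Nothing in this listing explains why these ranges are trusted - verify
# them or leave the rules out.
# NOTE(review): IP filter rules act on IP packets; they do not inspect ARP, so they cannot
# by themselves stop ARP-spoofing tools on the LAN. Look at static ARP / DHCP-bound ARP or
# switch-level isolation for that.
/ip firewall filter
add action=accept chain=input comment="NETCUT BLOCK" disabled=no dst-port=0-65535 protocol=tcp src-address=61.213.183.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 protocol=tcp src-address=67.195.134.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 protocol=tcp src-address=68.142.233.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 protocol=tcp src-address=68.180.217.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 protocol=tcp src-address=203.84.204.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.176.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.181.0/24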
Extension
\.(exe|bin|cab|msi|rar|zip|iso|nrg|img|gz|gzip|7z|tar|mp3|mp4|wmv|avi|mpg|mpeg|flv|mov|3gp|rm|rm1|doc|pdf|ppt|xls|dat|vob|asf)
Video
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)
Youtube
o-o.preferred.pttelkom-|a.youtube.com|b.youtube.com|c.youtube.com|d.youtube.com|e.youtube.com|f.youtube.com|g.youtube.com|h.youtube.com|i.youtube.com|j.youtube.com|l.youtube.com
Limit Bandwidth using Layer 7-Protocol
SCRIPT I
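# Layer-7 patterns, one per file extension. Each name is defined once; adding the same
# name a second time is presumably rejected as a duplicate - confirm on your version.
# NOTE(review): the patterns are unanchored, so "\\.(rm)" also matches ".rm1", "\\.(gz)"
# also matches ".gzip", and "\\.(doc)" matches any text containing ".doc" (".docx", or a
# hostname such as www.doc...). The matcher only sees the unencrypted start of a connection,
# so file names requested over HTTPS are not visible to it.
/ip firewall layer7-protocol
add comment="" name=ISO regexp="\\.(iso)"
add comment="" name=NRG regexp="\\.(nrg)"
add comment="" name=RM regexp="\\.(rm)"
add comment="" name=RM1 regexp="\\.(rm1)"
add comment="" name=MP4 regexp="\\.(mp4)"
add comment="" name=AVI regexp="\\.(avi)"
add comment="" name=WAV regexp="\\.(wav)"
add comment="" name=MPG regexp="\\.(mpg)"
add comment="" name=MP3 regexp="\\.(mp3)"
add comment="" name=MPEG regexp="\\.(mpeg)"
add comment="" name=WMV regexp="\\.(wmv)"
add comment="" name=3GP regexp="\\.(3gp)"
add comment="" name=FLV regexp="\\.(flv)"
add comment="" name=MOV regexp="\\.(mov)"
add comment="" name=IMG regexp="\\.(img)"
add comment="" name=DOC regexp="\\.(doc)"
add comment="" name=PPT regexp="\\.(ppt)"
add comment="" name=PDF regexp="\\.(pdf)"
add comment="" name=EXE regexp="\\.(exe)"
add comment="" name=MSI regexp="\\.(msi)"
add comment="" name=7Z regexp="\\.(7z)"
add comment="" name=BIN regexp="\\.(bin)"
add comment="" name=GZ regexp="\\.(gz)"
add comment="" name=GZIP regexp="\\.(gzip)"
add comment="" name=TAR regexp="\\.(tar)"
add comment="" name=RAR regexp="\\.(rar)"
add comment="" name=ZIP regexp="\\.(zip)"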
SCRIPT II
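# Packet marks, one per layer-7 pattern, for use by the queue tree. Each rule is listed once.
# passthrough=no means the first matching rule wins, so the more specific pattern has to
# come first: RM1 is placed before RM and GZIP before GZ, because the unanchored RM and GZ
# patterns also match ".rm1" and ".gzip" and would otherwise make those two rules unreachable.
# NOTE(review): layer-7 matching on every forwarded packet is CPU-heavy; consider matching
# once per connection (mark-connection) and deriving the packet mark from that.
/ip firewall mangle
add action=mark-packet chain=forward comment="EKSTENSI-LAYER-7" disabled=no layer7-protocol=ISO new-packet-mark=ISO passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=NRG new-packet-mark=NRG passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=RM1 new-packet-mark=RM1 passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=RM new-packet-mark=RM passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=MP4 new-packet-mark=MP4 passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=AVI new-packet-mark=AVI passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=WAV new-packet-mark=WAV passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=MPG new-packet-mark=MPG passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=MP3 new-packet-mark=MP3 passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=MPEG new-packet-mark=MPEG passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=WMV new-packet-mark=WMV passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=3GP new-packet-mark=3GP passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=FLV new-packet-mark=FLV passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=MOV new-packet-mark=MOV passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=IMG new-packet-mark=IMG passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=DOC new-packet-mark=DOC passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=PPT new-packet-mark=PPT passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=PDF new-packet-mark=PDF passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=EXE new-packet-mark=EXE passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=MSI new-packet-mark=MSI passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=7Z new-packet-mark=7Z passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=BIN new-packet-mark=BIN passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=GZIP new-packet-mark=GZIP passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=GZ new-packet-mark=GZ passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=TAR new-packet-mark=TAR passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=RAR new-packet-mark=RAR passthrough=no
add action=mark-packet chain=forward comment="" disabled=no layer7-protocol=ZIP new-packet-mark=ZIP passthrough=no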
SCRIPT III
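# Queue tree for the per-extension packet marks set by the mangle rules above.
# "Limit-Download" is the parent queue, capped at 256k under global-out. Each
# child queue selects one packet mark and sets no limit of its own
# (limit-at=0 max-limit=0), so all marked downloads share the parent's 256k.
#
# The menu path was split over two lines ("/queue" then "tree") and the whole
# list was pasted twice. A second "add" reusing an existing queue name would be
# rejected, so each queue is defined once here.
#
# Each packet-mark value must match the new-packet-mark of its mangle rule
# exactly. The marks come from layer7 matching on payload, which can only
# classify unencrypted traffic.
# NOTE(review): parent=global-out belongs to older RouterOS releases; confirm
# the parent name available on your version before importing.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=256k max-limit=256k name=Limit-Download packet-mark=no-mark parent=global-out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ISO packet-mark=ISO parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=NRG packet-mark=NRG parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=RM packet-mark=RM parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=RM1 packet-mark=RM1 parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=MP4 packet-mark=MP4 parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=AVI packet-mark=AVI parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=WAV packet-mark=WAV parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=MPG packet-mark=MPG parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=MP3 packet-mark=MP3 parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=MPEG packet-mark=MPEG parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=WMV packet-mark=WMV parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=3GP packet-mark=3GP parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=FLV packet-mark=FLV parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=MOV packet-mark=MOV parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=IMG packet-mark=IMG parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=DOC packet-mark=DOC parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=PPT packet-mark=PPT parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=PDF packet-mark=PDF parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=EXE packet-mark=EXE parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=MSI packet-mark=MSI parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=7Z packet-mark=7Z parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=BIN packet-mark=BIN parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GZ packet-mark=GZ parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=GZIP packet-mark=GZIP parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=TAR packet-mark=TAR parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=RAR packet-mark=RAR parent=Limit-Download priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ZIP packet-mark=ZIP parent=Limit-Download priority=8 queue=default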
How to Block Facebook using MikroTik
This script blocks access to Facebook using MikroTik.
IP FIREWALL
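# Drop forwarded HTTP traffic from the LAN (192.168.100.0/24) whose payload
# contains the string "facebook.com".
#
# - "add" lives under the filter sub-menu, so the path is /ip firewall filter.
# - The rule was listed twice; a single copy is enough.
# - The rule is kept disabled (disabled=yes) as published. It has no effect
#   until it is enabled.
# - content= inspects packet payload on TCP/80 only. Traffic to the site over
#   HTTPS (TCP/443) is encrypted and never reaches this rule, so this is not a
#   reliable block on its own. Pair it with DNS- or address-list-based
#   filtering if the block must actually hold.
/ip firewall filter
add action=drop chain=forward comment="No-Facebook" content=facebook.com disabled=yes \
    dst-port=80 protocol=tcp src-address=192.168.100.0/24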
Note:
Content: facebook.com (change it to any other site you want to block)
Src-Address: your local network range (replace this range with your own)
The rule is listed with disabled=yes, so it does nothing until it is enabled.
Limit Download by File Extension
IP FIREWALL FILTER
Note: replace "192.168.100.0/24" with your own network range
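# Build the "limit-extension" address list from file extensions seen in traffic.
#
# Each rule watches forwarded TCP packets sent by the LAN (192.168.100.0/24).
# When a packet's payload contains the given extension string, the packet's
# destination address is added to the address list "limit-extension" for one
# hour. The mangle rule then marks traffic coming from those addresses.
#
# The rule list was pasted twice. Each extension appears once here, which
# halves the per-packet matching work without changing the result.
#
# Caveats for anyone deploying this:
# - content= is a plain substring match on packet payload. It only sees
#   unencrypted requests, so downloads over HTTPS are not detected.
# - Because it is a substring match, ".gz" also fires on ".gzip", ".rm" on
#   ".rm1", ".mpe" on ".mpeg", and any of these can fire on unrelated payload
#   text.
# - The list stores server addresses. Once an address is listed, all traffic
#   from it is throttled for the hour, including unrelated sites hosted on the
#   same address.
# - These rules do not drop anything, so every forwarded TCP packet from the
#   LAN is tested against all of them. That can be CPU-expensive on small
#   routers.
/ip firewall filter
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="Limit Download by using File Extension" content=.exe disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.zip disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.arj disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.lzh disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.3gp disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.gz disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.gzip disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.tar disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.bin disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.mp3 disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.m4a disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.wav disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.rar disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.ram disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.aac disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.aif disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.avi disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.mpg disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.mpeg disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.qt disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.plj disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.asf disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.mov disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.rm disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.rm1 disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.mp4 disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.wma disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.wmv disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.mpe disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.mpa disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.pdf disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.msi disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.ace disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.iso disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.img disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.ogg disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.7z disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.sea disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.sit disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.doc disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.ppt disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.pps disabled=no protocol=tcp src-address=192.168.100.0/24
add action=add-dst-to-address-list address-list=limit-extension address-list-timeout=1h chain=forward comment="" content=.flv disabled=no protocol=tcp src-address=192.168.100.0/24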
IP FIREWALL MANGLE
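# Mark forwarded TCP packets whose source address is in the "limit-extension"
# address list, i.e. traffic coming back from servers that the filter rules
# flagged. The mark "Limit-Download" is what the queue tree selects on, so the
# queue's packet-mark must use exactly this spelling.
#
# The rule was listed twice. With passthrough=no a matching packet stops at the
# first copy, so the second copy never matched anything and is dropped here.
/ip firewall mangle
add action=mark-packet chain=forward comment="Limit Download" disabled=no \
    new-packet-mark=Limit-Download passthrough=no protocol=tcp src-address-list=limit-extension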
QUEUE TREE
Note: the queue limit is 256k; to use a different limit, change "256000" (limit-at) and "256k" (max-limit).
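# Throttle everything carrying the "Limit-Download" packet mark to 256k.
#
# - packet-mark must name the mark exactly as the mangle rule sets it
#   (new-packet-mark=Limit-Download). The published listing used
#   "limit-download", which does not match that spelling, so the queue would
#   not select the marked traffic.
# - The queue was listed twice. A second "add" reusing an existing queue name
#   would be rejected, so it is defined once.
# - limit-at and max-limit are both 256k (written as 256000 and 256k). Change
#   both when choosing another rate.
# NOTE(review): parent=global-out belongs to older RouterOS releases; confirm
# the parent name available on your version before importing.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=256000 \
    max-limit=256k name=Limit-Download packet-mark=Limit-Download parent=\
    global-out priority=8 queue=default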