Channel: EdgeRouter topics

Packets are not HW offloaded and I don't get why :/


Hi all,

 

I've got an EdgeRouter Lite-3, configured with some VLANs, firewall rules and traffic policies.

I've noticed that even though HW offload is enabled, packets in any of the VLANs are not offloaded.

 

I've configured a Basic Queue to limit Netflix speed for each user, and some firewall rules to block P2P on one of the subnets.

However any client on any VLAN is now unable to reach more than 100-105 Mbps download speed (ISP gives 240/30).

 

Has anyone got any idea what is wrong with this config?

Thanks in advance!

 

 

IP offload module   : loaded                                                    
IPv4                                                                            
  forwarding: enabled                                                           
  vlan      : enabled                                                           
  pppoe     : enabled                                                           
  gre       : disabled                                                          
IPv6                                                                            
  forwarding: disabled                                                          
  vlan      : disabled                                                          
  pppoe     : disabled                                                          
IPSec offload module: loaded                                                    
Traffic Analysis    :                                                           
  export    : enabled                                                           
  dpi       : enabled   

 

 

/* Global firewall options, one port group and three named rulesets. */
/* Bindings (see interfaces): PUBLIC_Inbound -> eth1.100 in; WAN_Inbound -> eth0 in; WAN_Local -> eth0 local. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* Ports 1701, 500 and 4500 grouped under the name L2TP. */
        /* NOTE(review): no rule in this listing references this group, and WAN_Local has no rule */
        /* admitting these ports - if a VPN on eth0 is intended, confirm how it is meant to be reached. */
        port-group L2TP {
            description ""
            port 1701
            port 500
            port 4500
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Default-accept ruleset for the Public WLAN (eth1.100, direction in): only what the rules below match is blocked. */
    /* NOTE(review): eth1.100 has no local ruleset in this listing, so traffic from the public WLAN */
    /* addressed to the router itself is not covered by these rules - confirm that is intended. */
    name PUBLIC_Inbound {
        default-action accept
        description ""
        /* Rules 10, 20 and 21 match on application categories, so they depend on */
        /* system traffic-analysis dpi being enabled (it is, further down). */
        /* NOTE(review): presumably a flow is only matched once DPI has classified it; */
        /* treat these as policy rules rather than a hard boundary - TODO confirm. */
        rule 10 {
            action reject-tcp
            application {
                category P2P
            }
            description "TCP RESET P2P"
            log disable
            protocol tcp
        }
        /* Catches P2P traffic on every protocol; TCP has already been handled by rule 10. */
        rule 20 {
            action drop
            application {
                category P2P
            }
            description "Drop P2P"
            log disable
            protocol all
        }
        rule 21 {
            action drop
            application {
                category Bypass-Proxies-and-Tunnels
            }
            description "Block Proxies "
            log disable
            protocol all
        }
        /* Keeps public-WLAN clients out of 192.168.0.0/16 and logs the drops. */
        /* NOTE(review): 10.200.0.0/24 (vif 200, currently disabled) is outside this range; */
        /* extend the rule if that VLAN is enabled and should also be isolated. */
        rule 22 {
            action drop
            description "Drop Private Ranges"
            destination {
                address 192.168.0.0/16
            }
            log enable
            protocol all
        }
    }
    /* Default-drop ruleset for traffic arriving on the WAN and forwarded through the router (eth0, direction in). */
    name WAN_Inbound {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow Esta/Rela Conn."
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Invalid Packets"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        /* NOTE(review): accepts NEW GRE arriving on the WAN with no source or destination restriction. */
        /* Confirm it is still needed; if so, narrow it to the known peer and internal host addresses. */
        rule 3 {
            action accept
            description "GRE Rules"
            log disable
            protocol gre
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
    }
    /* Default-drop ruleset for WAN traffic addressed to the router itself (eth0, direction local). */
    name WAN_Local {
        default-action drop
        description ""
        rule 10 {
            action accept
            description "Allow Esta/Rela Conn."
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid conn."
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        /* ICMP to the router is accepted, rate-limited to 50 per minute with a burst of 1. */
        rule 50 {
            action accept
            description "ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log disable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path source validation is off; consider strict or loose if routing is symmetric - confirm. */
    source-validation disable
    syn-cookies enable
}
/* Interface layout: eth0 is the WAN (DHCP); eth1 carries the untagged LAN plus six VLANs; eth2 has no address. */
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        /* Forwarded WAN traffic is filtered by WAN_Inbound, traffic to the router itself by WAN_Local. */
        firewall {
            in {
                name WAN_Inbound
            }
            local {
                name WAN_Local
            }
        }
        /* NOTE(review): hardware address posted verbatim; redact device identifiers when sharing a config publicly. */
        mac 00:1f:ca:7c:d7:5a
        speed auto
    }
    /* Untagged LAN 192.168.0.254/24; no firewall ruleset is bound to it in this listing. */
    ethernet eth1 {
        address 192.168.0.254/24
        duplex auto
        speed auto
        /* vifs 20, 21, 23 and 200 carry the disable flag; only 22 and 100 are active. */
        vif 20 {
            address 192.168.5.1/24
            description "C-LAN"
            disable
        }
        vif 21 {
            address 192.168.21.1/24
            description "W-LAN"
            disable
        }
        /* Active VLAN with no firewall ruleset bound in this listing. */
        vif 22 {
            address 192.168.22.1/24
            description "CR-LAN"
        }
        vif 23 {
            address 192.168.23.1/24
            description "A-LAN"
            disable
        }
        /* Public WLAN: PUBLIC_Inbound is applied in direction in only. */
        /* NOTE(review): no local ruleset here, so services the router offers on this VLAN */
        /* (the DNS forwarder listens on eth1.100) are reachable by public clients; whether */
        /* management services are reachable too cannot be told from this listing - verify. */
        vif 100 {
            address 10.100.0.1/24
            description "Public WLAN"
            firewall {
                in {
                    name PUBLIC_Inbound
                }
            }
        }
        /* NOTE(review): disabled, and no ruleset is bound; add isolation rules before enabling a hotspot VLAN. */
        vif 200 {
            address 10.200.0.1/24
            description "Hotspot "
            disable
        }
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
/* Port-forwarding settings: automatic firewall rules and hairpin NAT are on; no forwarding rule is defined in this listing. */
/* NOTE(review): the LAN list includes the public WLAN (eth1.100) and VLANs that are currently disabled - */
/* confirm each one should take part in port forwarding / hairpin NAT. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1.100
    lan-interface eth1.20
    lan-interface eth1.21
    lan-interface eth1.22
    lan-interface eth1.23
    lan-interface eth1.200
    wan-interface eth0
}
/* Router services: DNS forwarding, source NAT towards the WAN, and UPnP. */
service {
    dns {
        /* The forwarder listens on the untagged LAN and on every VLAN, including the public WLAN (eth1.100). */
        forwarding {
            cache-size 1000
            listen-on eth1.20
            listen-on eth1.21
            listen-on eth1.22
            listen-on eth1.23
            listen-on eth1.100
            listen-on eth1
            listen-on eth1.200
        }
    }
    nat {
        /* Masquerades everything leaving eth0; the source block is empty, so no source restriction is applied. */
        rule 5000 {
            description NAT
            log disable
            outbound-interface eth0
            protocol all
            source {
            }
            type masquerade
        }
    }
    /* NOTE(review): UPnP lets hosts on eth1 request inbound port mappings on eth0 without authentication. */
    /* Confirm it is needed; if not, remove it, otherwise keep it limited to the trusted LAN only. */
    upnp {
        listen-on eth1 {
            outbound-interface eth0
        }
    }
}
/* Traffic analysis: two custom DPI categories, with DPI and export both enabled. */
/* The Netflix category is referenced by the advanced-queue filters; VoIP is not referenced anywhere in this listing. */
system{
    traffic-analysis {
        custom-category Netflix {
            name Netflix
        }
        custom-category VoIP {
            name SIP
            name Skype
        }
        /* The application-category rules in PUBLIC_Inbound and the Netflix queue filters rely on this setting. */
        dpi enable
        export enable
    }
}
/* QoS: an advanced-queue tree that shapes Netflix traffic for 10.100.0.0/24, plus a smart queue on WAN upload. */
/* NOTE(review): likely relevant to the offload question. EdgeOS QoS is, as far as the vendor's */
/* offloading notes describe, processed on the CPU rather than by the offload engine, and the root */
/* queue below is attached globally - confirm against Ubiquiti's hardware-offloading documentation. */
traffic-control {
    advanced-queue {
        filters {
            /* Netflix traffic sourced from the public WLAN subnet goes to leaf queue 1. */
            match 1 {
                application {
                    custom-category Netflix
                }
                attach-to 1023
                ip {
                    source {
                        address 10.100.0.0/24
                    }
                }
                target 1
            }
            /* Netflix traffic destined to the public WLAN subnet goes to leaf queue 2. */
            match 2 {
                application {
                    custom-category Netflix
                }
                attach-to 1023
                ip {
                    destination {
                        address 10.100.0.0/24
                    }
                }
                target 2
            }
        }
        leaf {
            /* Both leaves hang off root queue 1023 with 60mbit; they differ only in queue type. */
            queue 1 {
                bandwidth 60mbit
                parent 1023
                queue-type UBNT_BQ_FIFO
            }
            queue 2 {
                bandwidth 60mbit
                parent 1023
                queue-type UBNT_BQ_HFQ1
            }
        }
        queue-type {
            /* Per-host cap of 4mbit within 10.100.0.0/24; "dip" presumably keys hosts by destination IP - TODO confirm. */
            hfq UBNT_BQ_HFQ1 {
                host-identifier dip
                max-rate 4mbit
                subnet 10.100.0.0/24
            }
            pfifo UBNT_BQ_FIFO {
            }
        }
        root {
            /* Root of the tree, attached globally with a 1000mbit ceiling. */
            queue 1023 {
                attach-to global
                bandwidth 1000mbit
                description UBNT-BQ
            }
        }
    }
    /* Smart queue on eth0, upload direction only, 30mbit with ECN (matches the 30 Mbps upload quoted in the post). */
    smart-queue UploadQOS {
        upload {
            ecn enable
            rate 30mbit
        }
        wan-interface eth0
    }
}
/* IPsec base settings on eth0 with NAT traversal; no peers, tunnels or remote-access profiles appear in this listing. */
/* NOTE(review): auto-firewall-nat-exclude is disabled and WAN_Local has no rule for IKE/NAT-T, */
/* so as shown nothing would admit VPN negotiation from the WAN - confirm whether a VPN is intended. */
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
        /* NOTE(review): 192.168.0.0/16 is broad; presumably only the subnets actually behind NAT peers are needed - verify. */
        nat-networks {
            allowed-network 192.168.0.0/16 {
            }
        }
        nat-traversal enable
    }
}

 

