I’ve written before about the difficulties of using consumer routers and access points in a situation where the number of devices goes above about 10.  My latest project was to set up a wired and wireless network for my church.  The challenge was to create a setup where many people (potentially up to about 100) could access the Internet over a WiFi network, whilst the same broadband connection is being used for critical services such as live streaming of the church celebration meetings and live presentation of streaming video, e.g. YouTube.  I chose to use Mikrotik RouterBoard kit because I’ve become familiar with it and it’s cheap, fast and powerful.

The setup uses two networks: a public WiFi network with a simple password, on 172.18.0.0/16, and a private wired and WiFi network on 172.20.0.0/16.  The WiFi network uses CAPsMAN, a Mikrotik feature that allows one device to act as a configuration and management interface for all of the RouterOS WiFi access points.  The 172.20 network is set up with traditional WiFi access points that bridge the WiFi side to the ethernet in each access point, so joining the WiFi network is essentially the same as plugging an RJ45 into a wall port.  The 172.18 network uses CAPsMAN to set up a secondary network with its own SSID (network name) on each access point, which forms a VLAN (Virtual LAN) that isn’t bridged to the private network, but comes back to the main edge router.  Client to client forwarding is disabled for this network, so devices can only access the Internet, not each other.

I’ll write another article about my experiences with CAPsMAN – which is very powerful and ideal for this sort of setup.  Here I describe the QoS configuration that allows us to set overall rate (bandwidth) limits for the two networks, and also prioritise traffic to/from the Internet for each network so that everyone has a good experience of browsing without compromising the mission-critical traffic such as the live video streaming.

I previously used a RouterOS QoS Script to traffic-shape my home Internet connection.  Modifying this was a tempting idea, but unfortunately it’s not always easy to determine which network a particular packet is heading to/from, depending on where in the RouterOS packet flow you decide to inspect the packets.  Furthermore, using packet inspection and the Queue Tree, I couldn’t find a way to reliably set separate data rate (bandwidth) limits for the two different networks.

After some frustrating trial and error, I’ve put together my own script.  It draws heavily on the Mikrotik-RouterOS script for classifying packets, but uses connection tracking to avoid inspecting every packet on its way through the router.  Rather than using the Queue Tree, it uses Simple Queues.  This allows us to create a queue for the WAN (wide area network) interface (in this case a BT Infinity PPPoE connection) with child queues for each network, and further child queues for the different priority packets.  In fact, the Simple Queues are far from simple: they’re very powerful indeed, but a lot of the inner workings are hidden.  Each queue can be bidirectional, with RouterOS automatically creating queues in the right place in the traffic flow to capture and queue the packets.

So the configuration is:

  • firewall mangle rules in the prerouting and postrouting chains match certain packet types and jump to special rules that will mark the packet and connection to a priority of 1-8
  • http traffic that doesn’t match a special rule gets a generic packet and connection mark of ‘http’
  • the http traffic is tracked in the forward chain, with connections that have reached a certain byte count marked as ‘http-big’ which is then set to a lower priority
  • traffic that matches some site-specific IP addresses is excluded from the ‘http-big’ rule – this is to prevent the video streaming being deprioritised
  • two different chains of simple queues, one for each network, capturing the marked packets and passing them up to a parent queue with the correct priority from 1-8 (1 is highest), with unmarked packets captured in the priority 7 queue
  • the parent queue for each network sets the bandwidth limit for that network and passes its packets up to a parent queue for the entire traffic to/from the WAN
  • the overall WAN parent queue keeps the overall upload and download rate lower than the bandwidth of the WAN
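
The marking rules in the list above can be traced with a small model. This is an added Python example, not part of the original script; it covers only the pure-ACK, site-specific, http and http-big rules, and 203.0.113.0/24 is a constructed stand-in for the range the script masks as X.X.X.X/24.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HTTP_PORTS = {80, 443, 8080}     # ports matched by the script's http-big rules
BIG_BYTES = 100_000_000          # connection-bytes=100000000-0 in the script
# Constructed stand-in: the script masks the real range as X.X.X.X/24.
SITE_SPECIFIC = [ip_network("203.0.113.0/24")]


@dataclass
class Connection:
    remote_ip: str        # Internet-side address of the connection
    remote_port: int      # Internet-side TCP port
    mark: str = ""        # connection mark held by connection tracking
    bytes_seen: int = 0   # byte counter held by connection tracking


def is_site_specific(conn):
    return any(ip_address(conn.remote_ip) in net for net in SITE_SPECIFIC)


def classify_new(conn):
    """No connection mark yet: run the jump rules and return the packet mark."""
    if is_site_specific(conn):
        conn.mark = "p1"            # 'site' chain: packet p1, connection p1
        return "p1"
    if conn.remote_port in HTTP_PORTS:
        conn.mark = "http"          # 'http' chain: packet p4, connection http
        return "p4"
    return "no-mark"                # caught by the priority 7 queue


def mark_from_connection(conn, upload):
    """Later packets inherit their packet mark from the connection mark."""
    if conn.mark == "http-big":
        return "p8"
    if conn.mark == "http":
        return "p7" if upload else "p4"   # the script marks p4 down, p7 up
    return conn.mark                      # p1..p8 carry straight over


def forward_chain(conn):
    """Forward chain: re-mark long HTTP connections unless site-specific."""
    if (conn.remote_port in HTTP_PORTS and conn.bytes_seen >= BIG_BYTES
            and not is_site_specific(conn)):
        conn.mark = "http-big"


def handle_packet(conn, size, upload=False, pure_ack=False):
    """Return the packet mark given to one packet of `size` bytes."""
    conn.bytes_seen += size          # connection tracking counts the packet
    if upload:
        forward_chain(conn)          # forward runs before postrouting
    if pure_ack and size <= 40:
        mark = "p1"                  # pure ACK rule, packet-size=0-40
    elif conn.mark:
        mark = mark_from_connection(conn, upload)
    else:
        mark = classify_new(conn)
    if not upload:
        forward_chain(conn)          # prerouting runs before forward
    return mark


def transfer(conn, total_bytes, upload=False, packet_size=1500):
    """Send total_bytes as equal packets; list the marks in order first seen."""
    seen = []
    for _ in range(total_bytes // packet_size):
        mark = handle_packet(conn, packet_size, upload)
        if mark not in seen:
            seen.append(mark)
    return seen


if __name__ == "__main__":
    # Constructed sample flows: a large web download and the live stream upload.
    web = Connection("198.51.100.7", 443)
    stream = Connection("203.0.113.10", 443)
    print("web download:", transfer(web, 150_000_000), "->", web.mark)
    print("live stream :", transfer(stream, 150_000_000, upload=True),
          "->", stream.mark)
```
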

As it stands, the priority of each different packet type is the same for each network, to keep it simple.  It would be easy to modify the script so that packets and connections are marked semantically (e.g. VOIP, email etc.) rather than with a 1-8 priority, then setting multiple packet mark rules in each child queue to assign the semantically marked packets to a priority.  This would allow assigning a different priority to the same packet type depending on the network it’s on.

The priority queues use PCQ (Per Connection Queue) so that each device gets a fair share of the bandwidth within each packet/connection priority.  The parent queues use small PFIFO queues (the Mikrotik default).

An important difference between the Queue Tree and Simple Queue systems is that Simple Queues are like firewall chains – a packet will join the first queue it matches.  Therefore the parent queues must be below the child queues in the list, otherwise the packets will just match and join the parent queue.  Interestingly, the concept of “upload” and “download” is reversed from what we expect – because the queues are all targeted to the WAN (“pppoe-out1”) interface, upload from that interface to the router will be a download from the point of view of another network client, and vice versa.
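
The first-match behaviour described above, as an added Python model that is not part of the original script: it compares a list with the parent queues first against one with the child queues first. It models only the matching rule as this article describes it, not RouterOS internals; the queue names and networks are taken from the script below.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Queue:
    name: str
    dst: str = "0.0.0.0/0"   # local network covered by the queue
    marks: tuple = ()        # packet marks accepted; empty means any
    parent: str = ""

    def matches(self, local_ip, mark):
        in_net = ip_address(local_ip) in ip_network(self.dst)
        return in_net and (not self.marks or mark in self.marks)


def build_children(prefix, dst, parent):
    """Eight priority queues per network; queue 7 also takes unmarked packets."""
    queues = []
    for prio in range(1, 9):
        marks = (f"p{prio}", "no-mark") if prio == 7 else (f"p{prio}",)
        queues.append(Queue(f"{prefix}{prio}", dst, marks, parent))
    return queues


TOTAL = Queue("total limiter")
PRIVATE = Queue("private-limiter", "172.20.0.0/16", parent="total limiter")
PUBLIC = Queue("public-limiter", "172.18.0.0/16", parent="total limiter")
CHILDREN = (build_children("Private", "172.20.0.0/16", "private-limiter")
            + build_children("Public", "172.18.0.0/16", "public-limiter"))

PARENTS_FIRST = [TOTAL, PRIVATE, PUBLIC] + CHILDREN
CHILDREN_FIRST = CHILDREN + [PRIVATE, PUBLIC, TOTAL]


def first_match(queues, local_ip, mark):
    """Name of the first queue in list order that accepts the packet."""
    for queue in queues:
        if queue.matches(local_ip, mark):
            return queue.name
    return None


def limiter_chain(queues, name):
    """Follow parent links from a queue up to the top-level limiter."""
    by_name = {queue.name: queue for queue in queues}
    chain = [name]
    while by_name[chain[-1]].parent:
        chain.append(by_name[chain[-1]].parent)
    return chain


if __name__ == "__main__":
    # Constructed packet: a public WiFi client with packet mark p2.
    for label, order in (("parents first", PARENTS_FIRST),
                         ("children first", CHILDREN_FIRST)):
        hit = first_match(order, "172.18.5.9", "p2")
        print(f"{label}: {' -> '.join(limiter_chain(order, hit))}")
```
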

The gallery below shows a snapshot from the WebFig interface for the packet marking and queues.

The code for the script is below:

/ip firewall layer7-protocol
add comment="^.*netflix.com.*\$" name=Netflix regexp=netflix.com
add comment="^.*bbci\?.co.uk.*\$" name="BBC inc iPlayer" regexp="bbci\?.co.uk"
add comment="^.*ondemand\?_fcs_vhost.*\$" name="BBC iPlayer" regexp="ondemand\?_fcs_vhost"
add name=RTMP regexp="^\\x03.+\\x14.+\\x02.+\\x07.(connect)\?.+(video)\?"
add comment="^\\x03.+\\x14.+\\x02.+\\x07.(connect)\?.+(app)\?" name=RTMP2 regexp="^\\x03.+\\x14.+\\x02.+\\x07.(connect)"
add comment="Amazon Instant Video" name=amazon regexp="GET /ondemand/"

/queue type
add kind=pcq name=Private-Down pcq-classifier=src-address pcq-dst-address-mask=0 pcq-dst-address6-mask=64 pcq-src-address-mask=0 pcq-src-address6-mask=64
add kind=pcq name=Private-Up pcq-classifier=dst-address pcq-dst-address-mask=0 pcq-dst-address6-mask=64 pcq-src-address-mask=0 pcq-src-address6-mask=64
add kind=pcq name=Public-Down pcq-classifier=src-address pcq-dst-address-mask=0 pcq-dst-address6-mask=64 pcq-src-address-mask=0 pcq-src-address6-mask=64
add kind=pcq name=Public-Up pcq-classifier=dst-address pcq-dst-address-mask=0 pcq-dst-address6-mask=64 pcq-src-address-mask=0 pcq-src-address6-mask=64

/queue simple
add max-limit=60M/20M name="total limiter" priority=1/1 queue=default/default target=pppoe-out1
add dst=172.20.0.0/16 limit-at=40M/15M max-limit=59M/19M name=private-limiter parent="total limiter" priority=1/1 queue=default/default target=pppoe-out1
add dst=172.18.0.0/16 limit-at=20M/5M max-limit=59M/19M name=public-limiter parent="total limiter" priority=2/2 queue=default/default target=pppoe-out1
add comment="NB Upload and download reversed from normal sense as PPP is the \"target\" and the local networks are the \"destination\"" dst=172.20.0.0/16 name=Private1 packet-marks=p1 parent=private-limiter priority=1/1 queue=\
 Private-Up/Private-Down target=pppoe-out1
add dst=172.20.0.0/16 name=Private2 packet-marks=p2 parent=private-limiter priority=2/2 queue=Private-Up/Private-Down target=pppoe-out1
add dst=172.20.0.0/16 name=Private3 packet-marks=p3 parent=private-limiter priority=3/3 queue=Private-Up/Private-Down target=pppoe-out1
add dst=172.20.0.0/16 name=Private4 packet-marks=p4 parent=private-limiter priority=4/4 queue=Private-Up/Private-Down target=pppoe-out1
add dst=172.20.0.0/16 name=Private5 packet-marks=p5 parent=private-limiter priority=5/5 queue=Private-Up/Private-Down target=pppoe-out1
add dst=172.20.0.0/16 name=Private6 packet-marks=p6 parent=private-limiter priority=6/6 queue=Private-Up/Private-Down target=pppoe-out1
add dst=172.20.0.0/16 name=Private7 packet-marks=p7,no-mark parent=private-limiter priority=7/7 queue=Private-Up/Private-Down target=pppoe-out1
add dst=172.20.0.0/16 name=Private8 packet-marks=p8 parent=private-limiter queue=Private-Up/Private-Down target=pppoe-out1
add dst=172.18.0.0/16 name=Public1 packet-marks=p1 parent=public-limiter priority=1/1 queue=Public-Up/Public-Down target=pppoe-out1
add dst=172.18.0.0/16 name=Public2 packet-marks=p2 parent=public-limiter priority=2/2 queue=Public-Up/Public-Down target=pppoe-out1
add dst=172.18.0.0/16 name=Public3 packet-marks=p3 parent=public-limiter priority=3/3 queue=Public-Up/Public-Down target=pppoe-out1
add dst=172.18.0.0/16 name=Public4 packet-marks=p4 parent=public-limiter priority=4/4 queue=Public-Up/Public-Down target=pppoe-out1
add dst=172.18.0.0/16 name=Public5 packet-marks=p5 parent=public-limiter priority=5/5 queue=Public-Up/Public-Down target=pppoe-out1
add dst=172.18.0.0/16 name=Public6 packet-marks=p6 parent=public-limiter priority=6/6 queue=Public-Up/Public-Down target=pppoe-out1
add dst=172.18.0.0/16 name=Public7 packet-marks=p7,no-mark parent=public-limiter priority=7/7 queue=Public-Up/Public-Down target=pppoe-out1
add dst=172.18.0.0/16 name=Public8 packet-marks=p8 parent=public-limiter queue=Public-Up/Public-Down target=pppoe-out1

/ip firewall address-list
add address=192.168.1.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
add address=192.168.1.0/24 disabled=yes list=QOSCustomerIPs
add address=86.157.0.0/16 comment="ISP IP Addresses" disabled=yes list=ISP
add address=172.16.0.0/16 comment="ISP IP Addresses" disabled=yes list=ISP
add address=12.129.193.0/24 comment=WoW list=games
add address=12.129.222.0/23 comment=WoW list=games
add address=12.129.225.0/24 comment=WoW list=games
add address=12.129.228.0/24 comment=WoW list=games
add address=12.129.233.0/24 comment=WoW list=games
add address=12.129.252.0/23 comment=WoW list=games
add address=63.241.255.0/24 comment=WoW list=games
add address=72.5.213.0/24 comment=WoW list=games
add address=80.239.149.0/24 comment=WoW list=games
add address=80.239.179.0/24 comment=WoW list=games
add address=80.239.181.0/24 comment=WoW list=games
add address=80.239.185.0/24 comment=WoW list=games
add address=80.239.233.0/24 comment=WoW list=games
add address=192.12.244.0/24 comment=WoW list=games
add address=195.12.246.0/24 comment=WoW list=games
add address=199.107.6.0/23 comment=WoW list=games
add address=199.107.24.0/23 comment=WoW list=games
add address=206.16.118.0/23 comment=WoW list=games
add address=206.16.147.0/24 comment=WoW list=games
add address=206.18.148.0/23 comment=WoW list=games
add address=206.18.98.0/23 comment=WoW list=games
add address=206.16.235.0/24 comment=WoW list=games
add address=206.17.111.0/24 comment=WoW list=games
add address=213.248.123.0/24 comment=WoW list=games
add address=213.248.127.0/24 comment=WoW list=games
add address=202.9.66.0/23 comment=SC2 list=games
add address=12.129.254.0/23 comment=SC2 list=games
add address=12.129.206.0/24 comment=SC2 list=games
add address=12.129.242.0/24 comment="Diablo III" list=games
add address=12.130.245.0/24 comment="Diablo III" list=games
add address=12.130.244.0/24 comment="Diablo III" list=games
add address=12.130.246.0/24 comment="Diablo III" list=games
add address=63.150.138.0/24 comment="Dota 2" list=games
add address=103.10.124.0/24 comment="Dota 2" list=games
add address=103.10.125.0/24 comment="Dota 2" list=games
add address=103.28.54.0/23 comment="Dota 2" list=games
add address=146.66.152.0/23 comment="Dota 2" list=games
add address=146.66.154.0/24 comment="Dota 2" list=games
add address=146.66.155.0/24 comment="Dota 2" list=games
add address=146.66.156.0/23 comment="Dota 2" list=games
add address=146.66.158.0/23 comment="Dota 2" list=games
add address=185.25.180.0/23 comment="Dota 2" list=games
add address=185.25.182.0/24 comment="Dota 2" list=games
add address=192.69.96.0/22 comment="Dota 2" list=games
add address=205.196.6.0/24 comment="Dota 2" list=games
add address=208.64.200.0/24 comment="Dota 2" list=games
add address=208.64.201.0/24 comment="Dota 2" list=games
add address=208.64.202.0/24 comment="Dota 2" list=games
add address=208.64.203.0/24 comment="Dota 2" list=games
add address=208.78.164.0/22 comment="Dota 2" list=games
add address=216.111.123.0/24 comment="Dota 2" list=games
add address=31.186.224.0/24 comment="LoL Europe" list=games
add address=31.186.226.0/24 comment="LoL Europe" list=games
add address=64.7.194.0/24 comment="LoL Europe" list=games
add address=95.172.65.0/24 comment="LoL Europe" list=games
add address=95.172.70.0/24 comment="LoL Europe" list=games
add address=66.150.148.0/24 comment="LoL EU-NE" list=games
add address=192.64.168.0/24 comment="LoL NA" list=games
add address=192.64.169.0/24 comment="LoL NA" list=games
add address=192.64.170.0/24 comment="LoL NA" list=games
add address=216.133.234.0/24 comment="LoL NA" list=games
add address=59.100.95.128/25 comment="LoL Oceania" list=games
add address=203.116.112.128/25 comment="LoL Singapore/Malaysia" list=games
add address=216.240.136.162 comment="Lowerping - US West - Panther 1" list=games
add address=216.240.145.9 comment="Lowerping - US West - Panther 2" list=games
add address=64.69.36.224 comment="Lowerping - US West - Panther 3" list=games
add address=208.70.75.171 comment="Lowerping - US West - Panther 4" list=games
add address=208.70.78.93 comment="Lowerping - US West - Panther 5" list=games
add address=216.240.136.167 comment="Lowerping - US West - Panther 6" list=games
add address=64.56.65.9 comment="Lowerping - US West - Tiger 1" list=games
add address=74.222.8.249 comment="Lowerping - US West - Tiger 2" list=games
add address=216.18.198.2 comment="Lowerping - US West - Fox 1" list=games
add address=173.231.26.242 comment="Lowerping - US West - Fox 2" list=games
add address=66.212.28.128 comment="Lowerping - US West - Lion A1" list=games
add address=66.63.191.237 comment="Lowerping - US West - Lion A2" list=games
add address=72.11.142.216 comment="Lowerping - US West - Lion B1" list=games
add address=72.11.142.217 comment="Lowerping - US West - Lion B2" list=games
add address=96.44.172.186 comment="Lowerping - US West - Lion C1" list=games
add address=96.44.177.26 comment="Lowerping - US West - Lion C2" list=games
add address=96.44.177.27 comment="Lowerping - US West - Lion D1" list=games
add address=72.11.142.218 comment="Lowerping - US West - Lion D2" list=games
add address=64.120.10.178 comment="Lowerping - US West - Panda 1" list=games
add address=72.51.46.93 comment="Lowerping - US West - Rhino 1" list=games
add address=173.245.68.180 comment="Lowerping - US West - Squid 1" list=games
add address=173.245.68.178 comment="Lowerping - US West - Squid 2" list=games
add address=8.17.252.162 comment="Lowerping - US West - Koala 1" list=games
add address=8.17.252.163 comment="Lowerping - US West - Koala 2" list=games
add address=50.23.65.37 comment="Lowerping - US West - Salmon 1" list=games
add address=174.127.96.124 comment="Lowerping - US West - Salmon 2" list=games
add address=174.127.96.127 comment="Lowerping - US West - Salmon 3" list=games
add address=66.109.20.100 comment="Lowerping - US East - Cobra 1" list=games
add address=66.199.235.194 comment="Lowerping - US East - Otter 1" list=games
add address=72.9.100.90 comment="Lowerping - US East - Otter 2" list=games
add address=173.208.45.82 comment="Lowerping - US East - Spider 1" list=games
add address=69.162.127.98 comment="Lowerping - US Central - Frog 1" list=games
add address=174.133.108.202 comment="Lowerping - US Central - Tadpole 1" list=games
add address=174.34.132.50 comment="Lowerping - US Central - Toad 1" list=games
add address=70.32.43.122 comment="Lowerping - Chicago - Macaw 1" list=games
add address=184.154.38.138 comment="Lowerping - Chicago - Jaguar 1" list=games
add address=78.129.220.51 comment="Lowerping - Europe - London 1" list=games
add address=188.138.24.38 comment="Lowerping - Europe - Germany 1" list=games
add address=85.10.193.111 comment="Lowerping - Europe - Germany 3" list=games
add address=94.75.208.164 comment="Lowerping - Europe - Netherlands 1" list=games
add address=62.212.91.21 comment="Lowerping - Europe - Netherlands 2" list=games
add address=91.191.144.94 comment="Lowerping - Europe - Paris 1" list=games
add address=46.21.207.116 comment="Lowerping - Europe - Paris 2" list=games
add address=159.153.0.0/16 comment="SWTOR - USA/EUROPE" list=games
add address=206.127.144.0/20 comment="GW2 - ArenaNet (NC Interactive)" list=games
add address=64.25.32.0/20 comment="GW2 - ArenaNet (NC Interactive)" list=games
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=86.157.0.0/16 comment="ISP IP Addresses" disabled=yes list=ISP
add address=172.16.0.0/16 comment="ISP IP Addresses" disabled=yes list=ISP
add address=172.20.0.0/16 list=support
add address=172.16.0.0/16 list=QOSCustomerIPs
add address=172.18.0.0/16 list=QOSCustomerIPs
add address=X.X.X.X/24 comment="live streaming" list=site-specific
add address=172.18.0.0/16 list=support

/ip firewall mangle
add action=mark-packet chain=postrouting comment="Mark all pure ACK packets p1 for outbound traffic." new-packet-mark=p1 out-interface=all-ppp packet-size=0-40 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting comment="Mark all pure ACK packets p1 for inbound traffic." in-interface=all-ppp new-packet-mark=p1 packet-size=0-40 passthrough=no protocol=tcp tcp-flags=ack
add action=log chain=notes comment="The following set the priorities for each traffic type"
add action=mark-packet chain=site new-packet-mark=p1
add action=mark-connection chain=site new-connection-mark=p1 passthrough=no
add action=mark-packet chain=proto new-packet-mark=p1
add action=mark-connection chain=proto new-connection-mark=p1 passthrough=no
add action=mark-packet chain=streaming-video new-packet-mark=p2
add action=mark-connection chain=streaming-video new-connection-mark=p2 passthrough=no
add action=mark-packet chain=voip new-packet-mark=p3
add action=mark-connection chain=voip new-connection-mark=p3 passthrough=no
add action=mark-packet chain=http new-packet-mark=p4
add action=mark-connection chain=http new-connection-mark=http passthrough=no
add action=mark-packet chain=IM new-packet-mark=p7
add action=mark-connection chain=IM new-connection-mark=p7 passthrough=no
add action=mark-packet chain=social new-packet-mark=p6
add action=mark-connection chain=social new-connection-mark=p6 passthrough=no
add action=mark-packet chain=dev new-packet-mark=p5
add action=mark-connection chain=dev new-connection-mark=p5 passthrough=no
add action=mark-packet chain=email new-packet-mark=p7
add action=mark-connection chain=email new-connection-mark=p7 passthrough=no
add action=mark-packet chain=remote new-packet-mark=p6
add action=mark-connection chain=remote new-connection-mark=p6 passthrough=no
add action=mark-packet chain=game new-packet-mark=p8
add action=mark-connection chain=game new-connection-mark=p8 passthrough=no
add action=mark-packet chain=p2p new-packet-mark=p8
add action=mark-connection chain=p2p new-connection-mark=p8 passthrough=no
add action=mark-packet chain=prerouting comment="Already marked connections carry on p1" connection-mark=p1 in-interface=all-ppp new-packet-mark=p1 passthrough=no
add action=mark-packet chain=postrouting connection-mark=p1 new-packet-mark=p1 out-interface=all-ppp passthrough=no
add action=mark-packet chain=prerouting comment="Already marked connections carry on p2" connection-mark=p2 in-interface=all-ppp new-packet-mark=p2 passthrough=no
add action=mark-packet chain=postrouting connection-mark=p2 new-packet-mark=p2 out-interface=all-ppp passthrough=no
add action=mark-packet chain=prerouting comment="Already marked connections carry on p3" connection-mark=p3 in-interface=all-ppp new-packet-mark=p3 passthrough=no
add action=mark-packet chain=postrouting connection-mark=p3 new-packet-mark=p3 out-interface=all-ppp passthrough=no
add action=mark-packet chain=prerouting comment="Already marked connections carry on p4" connection-mark=p4 in-interface=all-ppp new-packet-mark=p4 passthrough=no
add action=mark-packet chain=postrouting connection-mark=p4 new-packet-mark=p4 out-interface=all-ppp passthrough=no
add action=mark-packet chain=prerouting comment="Already marked connections carry on p5" connection-mark=p5 in-interface=all-ppp new-packet-mark=p5 passthrough=no
add action=mark-packet chain=postrouting connection-mark=p5 new-packet-mark=p5 out-interface=all-ppp passthrough=no
add action=mark-packet chain=prerouting comment="Already marked connections carry on p6" connection-mark=p6 in-interface=all-ppp new-packet-mark=p6 passthrough=no
add action=mark-packet chain=postrouting connection-mark=p6 new-packet-mark=p6 out-interface=all-ppp passthrough=no
add action=mark-packet chain=prerouting comment="Already marked connections carry on p7" connection-mark=p7 in-interface=all-ppp new-packet-mark=p7 passthrough=no
add action=mark-packet chain=postrouting connection-mark=p7 new-packet-mark=p7 out-interface=all-ppp passthrough=no
add action=mark-packet chain=prerouting comment="Already marked connections carry on p8" connection-mark=p8 in-interface=all-ppp new-packet-mark=p8 passthrough=no
add action=mark-packet chain=postrouting connection-mark=p8 new-packet-mark=p8 out-interface=all-ppp passthrough=no
add action=mark-connection chain=forward comment="Catch any connections DOWN >100MB (exclude site)" connection-bytes=100000000-0 in-interface=all-ppp new-connection-mark=http-big protocol=tcp src-address-list=!site-specific src-port=\
 80,443,8080
add action=mark-connection chain=forward comment="Catch any connections UP >100MB (exclude site)" connection-bytes=100000000-0 dst-address-list=!site-specific dst-port=80,443,8080 new-connection-mark=http-big out-interface=all-ppp \
 protocol=tcp
add action=mark-packet chain=prerouting comment="set priority for http-big connections DOWN" connection-mark=http-big in-interface=all-ppp new-packet-mark=p8 passthrough=no
add action=mark-packet chain=postrouting comment="set priority for http-big connections UP" connection-mark=http-big new-packet-mark=p8 out-interface=all-ppp passthrough=no
add action=mark-packet chain=prerouting comment="HTTP down connections packet marked" connection-mark=http in-interface=all-ppp new-packet-mark=p4 passthrough=no
add action=mark-packet chain=postrouting comment="HTTP up connections packet mark" connection-mark=http new-packet-mark=p7 out-interface=all-ppp passthrough=no
add action=log chain=notes comment="Start of QoS tree version updated on 4/4/2014"
add chain=prerouting comment="Accept traffic From QOSCustomerIPs to QOSCustomerIPs" dst-address-list=QOSCustomerIPs src-address-list=QOSCustomerIPs
add action=jump chain=prerouting comment="P2P Connections" in-interface=all-ppp jump-target=p2p p2p=all-p2p
add action=jump chain=postrouting jump-target=p2p out-interface=all-ppp p2p=all-p2p
add action=jump chain=prerouting comment="Default Bittorrent" in-interface=all-ppp jump-target=p2p protocol=tcp src-port=6881
add action=jump chain=postrouting comment="Default Bittorrent" dst-port=6881 jump-target=p2p out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Mark ISP" in-interface=all-ppp jump-target=proto_down src-address-list=ISP
add action=jump chain=postrouting comment="Mark ISP" dst-address-list=ISP jump-target=proto out-interface=all-ppp
add action=jump chain=prerouting comment=BGP in-interface=all-ppp jump-target=proto_down protocol=tcp src-port=179
add action=jump chain=postrouting comment=BGP dst-port=179 jump-target=proto out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment=OSPF in-interface=all-ppp jump-target=proto_down protocol=ospf
add action=jump chain=postrouting comment=OSPF jump-target=voip out-interface=all-ppp protocol=ospf
add action=jump chain=postrouting comment="Mark VoIP/ICMP Test (8080 udp)" connection-bytes=0-1000000 dst-port=8080 jump-target=proto out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Mark VoIP/ICMP Test (8080 udp)" connection-bytes=0-1000000 in-interface=all-ppp jump-target=proto_down protocol=udp src-port=8080
add action=jump chain=prerouting comment="Mark DNS 0-64k" connection-rate=0-64k dst-port=53 in-interface=all-ppp jump-target=proto_down protocol=tcp
add action=jump chain=postrouting comment="Mark DNS 0-64k" connection-rate=0-64k jump-target=proto out-interface=all-ppp protocol=tcp src-port=53
add action=jump chain=postrouting comment="Mark DNS 0-64k" connection-rate=0-64k dst-port=53 jump-target=proto out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Mark DNS 0-64k" connection-rate=0-64k in-interface=all-ppp jump-target=proto_down protocol=udp src-port=53
add action=jump chain=postrouting comment=ICMP jump-target=proto out-interface=all-ppp protocol=icmp
add action=jump chain=prerouting comment=ICMP in-interface=all-ppp jump-target=proto_down protocol=icmp
add action=jump chain=postrouting comment=FaceTime connection-rate=0-512k dst-port=3478,4080,5223 jump-target=voip out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment=FaceTime connection-rate=0-512k in-interface=all-ppp jump-target=voip protocol=tcp src-port=3478,4080,5223
add action=jump chain=postrouting comment=FaceTime connection-rate=0-512k dst-port=16393-16402 jump-target=voip out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment=FaceTime connection-rate=0-512k in-interface=all-ppp jump-target=voip protocol=udp src-port=16393-16402
add action=jump chain=postrouting comment="VOIP - SIP - 0-512k" connection-rate=0-512k dst-port=5060-5061 jump-target=voip out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="VOIP - SIP - 0-512k" connection-rate=0-512k in-interface=all-ppp jump-target=voip protocol=tcp src-port=5060-5061
add action=jump chain=postrouting comment="VOIP - SIP - 0-512k" connection-rate=0-512k dst-port=5060-5061 jump-target=voip out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="VOIP - SIP - 0-512k" connection-rate=0-512k in-interface=all-ppp jump-target=voip protocol=udp src-port=5060-5061
add action=jump chain=prerouting comment="VOIP - mark DSCP 46" dscp=46 jump-target=voip
add action=jump chain=postrouting comment="For the voip connection mark - 0-512k" connection-mark=voip connection-rate=0-512k jump-target=voip out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="For the voip connection mark - 0-512k " connection-mark=voip connection-rate=0-512k in-interface=all-ppp jump-target=voip protocol=tcp
add action=jump chain=postrouting comment="For the voip connection mark - 0-512k" connection-mark=voip connection-rate=0-512k jump-target=voip out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="For the voip connection mark - 0-512k" connection-mark=voip connection-rate=0-512k in-interface=all-ppp jump-target=voip protocol=udp
add action=jump chain=prerouting comment=NTP. dst-port=123 in-interface=all-ppp jump-target=proto_down protocol=udp src-port=123
add action=jump chain=postrouting comment=NTP. dst-port=123 jump-target=proto out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="WINBOX " in-interface=all-ppp jump-target=proto_down protocol=tcp src-port=8291
add action=jump chain=postrouting comment="WINBOX " dst-port=8291 jump-target=proto out-interface=all-ppp protocol=tcp
add action=jump chain=postrouting comment="### SITE SPECIFIC ADDRESS LIST ###" dst-address-list=site-specific jump-target=site out-interface=all-ppp
add action=jump chain=prerouting comment="### SITE SPECIFIC ADDRESS LIST ###" in-interface=all-ppp jump-target=site src-address-list=site-specific
add action=jump chain=postrouting comment="RDP/VNC 0-1Mbps" connection-rate=0-1M dst-port=3389,5900 jump-target=remote out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="RDP/VNC 0-1Mbps" connection-rate=0-1M in-interface=all-ppp jump-target=remote protocol=tcp src-port=3389,5900
add action=jump chain=prerouting comment="RDP/VNC 0-1Mbps" connection-rate=0-1M in-interface=all-ppp jump-target=remote protocol=tcp src-port=3389,5900
add action=jump chain=postrouting comment="Steam (codMW2)" connection-rate=0-128k dst-port=5223,3074 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Steam (codMW2)" connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=tcp src-port=5223,3074
add action=jump chain=postrouting comment="Steam (codMW2)" connection-rate=0-128k dst-port=2005,3074,3075 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Steam (codMW2)" connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=udp src-port=2005,3074,3075
add action=jump chain=postrouting comment="Steam (codMW2)" connection-rate=0-64k dst-port=1500,3005,3101,28960 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Steam (codMW2)" connection-rate=0-64k in-interface=all-ppp jump-target=game protocol=udp src-port=1500,3005,3101,28960
add action=jump chain=postrouting comment="SSH 0-256k up" connection-rate=0-256k dst-port=22 jump-target=proto out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="SSH 0-256k down" connection-rate=0-256k in-interface=all-ppp jump-target=proto_down protocol=tcp src-port=22
add action=jump chain=postrouting comment="ICQ " dst-port=5190 jump-target=IM out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="ICQ " in-interface=all-ppp jump-target=IM protocol=tcp src-port=5190
add action=jump chain=postrouting comment="MSN " dst-port=1863 jump-target=IM out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="MSN " in-interface=all-ppp jump-target=IM protocol=tcp src-port=1863
add action=jump chain=postrouting comment="NateON (Messenger) 0-128" connection-rate=0-128k dst-port=5004 jump-target=IM out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="NateON (Messenger) 0-128k" connection-rate=0-128k in-interface=all-ppp jump-target=IM protocol=tcp src-port=5004
add action=jump chain=postrouting comment="telnet 0-64k up " connection-rate=0-64k dst-port=23 jump-target=proto out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="telnet 0-64k down " connection-rate=0-64k in-interface=all-ppp jump-target=proto_down protocol=tcp src-port=23
add action=jump chain=postrouting comment="IPSEC-ESP -" jump-target=proto out-interface=all-ppp protocol=ipsec-esp
add action=jump chain=prerouting comment="IPSEC-ESP -" in-interface=all-ppp jump-target=proto_down protocol=ipsec-esp
add action=jump chain=postrouting comment="IPSEC-AH -" jump-target=proto out-interface=all-ppp protocol=ipsec-ah
add action=jump chain=prerouting comment="IPSEC-AH -" in-interface=all-ppp jump-target=proto_down protocol=ipsec-ah
add action=jump chain=postrouting comment="IPSEC NAT-Traversal p3 " dst-port=4500 jump-target=proto out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="IPSEC NAT-Traversal p3 " in-interface=all-ppp jump-target=proto_down protocol=udp src-port=4500
add action=jump chain=postrouting comment="This will match Hulu and similar streams -" dst-port=1935 jump-target=streaming-video out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="This will match Hulu and similar streams -" in-interface=all-ppp jump-target=streaming-video protocol=tcp src-port=1935
add action=jump chain=postrouting comment="RTSP (Real time streaming protocol) " dst-port=554 jump-target=streaming-video out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="RTSP (Real time streaming protocol) " in-interface=all-ppp jump-target=streaming-video protocol=tcp src-port=554
add action=jump chain=postrouting comment="RTSP (Real time streaming protocol) " dst-port=554 jump-target=streaming-video out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="RTSP (Real time streaming protocol) " in-interface=all-ppp jump-target=streaming-video protocol=udp src-port=554
add action=jump chain=postrouting comment=Pop3 dst-port=110 jump-target=email out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment=Pop3 in-interface=all-ppp jump-target=email_down protocol=tcp src-port=110
add action=jump chain=postrouting comment="SMTP traffic" dst-port=25 jump-target=email out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="SMTP traffic" in-interface=all-ppp jump-target=email_down protocol=tcp src-port=25
add action=jump chain=postrouting comment="Secure SMTP" dst-port=465 jump-target=email out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Secure SMTP" in-interface=all-ppp jump-target=email_down protocol=tcp src-port=465
add action=jump chain=postrouting comment="Secure IMAP" dst-port=485 jump-target=email out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Secure IMAP" in-interface=all-ppp jump-target=email_down protocol=tcp src-port=485
add action=jump chain=postrouting comment="IMAP over SSL" dst-port=993 jump-target=email out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="IMAP over SSL" in-interface=all-ppp jump-target=email_down protocol=tcp src-port=993
add action=jump chain=postrouting comment=IMAP dst-port=143 jump-target=email out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment=IMAP in-interface=all-ppp jump-target=email_down protocol=tcp src-port=143
add action=jump chain=postrouting comment="POP3 over SSL" dst-port=995 jump-target=email out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="POP3 over SSL" in-interface=all-ppp jump-target=email_down protocol=tcp src-port=995
add action=jump chain=postrouting comment=Subversion dst-port=3690 jump-target=dev out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment=Subversion in-interface=all-ppp jump-target=dev protocol=tcp src-port=3690
add action=jump chain=postrouting comment=SNMP dst-port=161 jump-target=proto out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment=SNMP in-interface=all-ppp jump-target=proto_down protocol=udp src-port=161
add action=jump chain=postrouting comment=OpenVPN dst-port=1194 jump-target=proto out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment=OpenVPN in-interface=all-ppp jump-target=proto_down protocol=udp src-port=1194
add action=jump chain=postrouting comment="Steam (login) 0-128k" connection-rate=0-128k dst-port=27014-27050 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Steam (login) 0-128k" connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=tcp src-port=27014-27050
add action=jump chain=postrouting comment="Steam (downloads)" dst-port=27014-27050 jump-target=http out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Steam (downloads)" in-interface=all-ppp jump-target=http protocol=tcp src-port=27014-27050
add action=jump chain=postrouting comment=NNTP dst-port=119 jump-target=email out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment=NNTP in-interface=all-ppp jump-target=email_down protocol=tcp src-port=119
add action=jump chain=postrouting comment="NNTP - Alt port" dst-port=433 jump-target=email out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="NNTP - Alt port" in-interface=all-ppp jump-target=email_down protocol=tcp src-port=433
add action=jump chain=postrouting comment="Steam (games) 0-256k up " connection-rate=0-256k dst-port=27000-28999 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Steam (games) 0-256k down " connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=udp src-port=27000-27015
add action=jump chain=postrouting comment="GunZ (games) 0-256k up " connection-rate=0-256k dst-port=7700-7800 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="GunZ (games) 0-256k down " connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=udp src-port=7700-7800
add action=jump chain=prerouting comment="Trickster Online (games) 0-128k down " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=tcp src-port=10006,13339,22006
add action=jump chain=postrouting comment="Trickster Online (games) 0-128k up " connection-rate=0-128k dst-port=10006,13339,22006 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=postrouting comment="Battle.net (games) 0-128k " connection-rate=0-128k dst-port=6112-6119 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Battle.net (games) 0-128k " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=udp src-port=6112-6119
add action=jump chain=postrouting comment="Warcraft 3 and WoW 0-128k (games) " connection-rate=0-128k dst-port=6112-6119 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Warcraft 3 and WoW 0-512k (games) " connection-rate=0-512k in-interface=all-ppp jump-target=game protocol=tcp src-port=6112-6119
add action=jump chain=postrouting comment="World of Warcraft (games) 0-128k up " connection-rate=0-128k dst-port=1119 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="World of Warcraft (games) 0-512k down " connection-rate=0-512k in-interface=all-ppp jump-target=game protocol=tcp src-port=1119
add action=jump chain=prerouting comment="World of Warcraft (games) 0-512k down " connection-rate=0-512k in-interface=all-ppp jump-target=game protocol=tcp src-port=3724
add action=jump chain=postrouting comment="World of Warcraft (games) 0-128k up " connection-rate=0-128k dst-port=3724 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="EVE Online (games) 0-512k down " connection-rate=0-512k in-interface=all-ppp jump-target=game protocol=tcp src-port=26000
add action=jump chain=postrouting comment="EVE Online (games) 0-128k up " connection-rate=0-128k dst-port=26000 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=postrouting comment="Garena 0-128k (games) " connection-rate=0-128k dst-port=1513 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Garena 0-128k (games) " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=udp src-port=1513
add action=jump chain=postrouting comment="Garena 0-128k (games) " connection-rate=0-128k dst-port=7456 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Garena 0-128k (games) " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=tcp src-port=7456
add action=jump chain=postrouting comment="Garena 0-128k (games) " connection-rate=0-128k dst-port=8687 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Garena 0-128k (games) " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=tcp src-port=8687
add action=jump chain=postrouting comment="Lineage 0-128k (games) " connection-rate=0-128k dst-port=2000,2003 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Lineage 0-128k (games) " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=tcp src-port=2000,2003
add action=jump chain=postrouting comment="PlayStation Network (games) 0-128k up " connection-rate=0-128k dst-port=3478,3479,3658 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="PlayStation Network (games) 0-256k down " connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=udp src-port=3478,3479,3658
add action=jump chain=postrouting comment="PlayStation Network (games) 0-128k up " connection-rate=0-128k dst-port=5223 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="PlayStation Network (games) 0-256k down " connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=tcp src-port=5223
add action=jump chain=postrouting comment="Xbox Live (games) " dst-port=3074 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Xbox Live (games) " in-interface=all-ppp jump-target=game protocol=udp src-port=3074
add action=jump chain=postrouting comment="Xbox Live (games) " dst-port=3074 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Xbox Live (games) " in-interface=all-ppp jump-target=game protocol=tcp src-port=3074
add action=jump chain=postrouting comment="Guild Wars (games) 0-1024k up " connection-rate=0-1024k dst-port=6112,6600 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Guild Wars (games) 0-2048k down " connection-rate=0-2048k in-interface=all-ppp jump-target=game protocol=tcp src-port=6112,6600
add action=jump chain=postrouting comment="Company of Heroes (games) 0-128k up " connection-rate=0-128k dst-port=30260 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Company of Heroes (games) 0-128k down " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=udp src-port=30260
add action=jump chain=postrouting comment="Heroes of Newerth (games) 0-128k up " connection-rate=0-128k dst-port=11235-11335 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Heroes of Newerth (games) 0-128k down " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=udp src-port=11235-11335
add action=jump chain=postrouting comment="Heroes of Newerth (games) 0-128k up " connection-rate=0-128k dst-port=11031 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Heroes of Newerth (games) 0-128k down " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=tcp src-port=11031
add action=jump chain=postrouting comment="AVA (games) 0-128k " connection-rate=0-128k dst-port=28004 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="AVA (games) 0-128k " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=tcp src-port=28004
add action=jump chain=prerouting comment="World of Warcraft (games) 0-256k down " connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=tcp src-port=3724
add action=jump chain=postrouting comment="World of Warcraft (games) 0-128k up " connection-rate=0-128k dst-port=3724 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=postrouting comment="Steam (codMW2) PS3 0-128k " connection-rate=0-128k dst-port=5223,3074 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Steam (codMW2) PS3 0-256k " connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=tcp src-port=5223,3074
add action=jump chain=postrouting comment="Steam (codMW2) PS3 0-128k " connection-rate=0-128k dst-port=2005,3074,3075 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Steam (codMW2) PS3 0-256k " connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=udp src-port=2005,3074,3075
add action=jump chain=postrouting comment="Steam (codMW2) 0-64k up " connection-rate=0-64k dst-port=1500,3005,3101,28960 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Steam (codMW2) 0-64k down " connection-rate=0-64k in-interface=all-ppp jump-target=game protocol=udp src-port=1500,3005,3101,28960
add action=jump chain=postrouting comment="BFBC2 (games) " dst-port=18390,18395,13505 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="BFBC2 (games) " in-interface=all-ppp jump-target=game protocol=tcp src-port=18390,18395,13505
add action=jump chain=postrouting comment="BFBC2 (games) " dst-port=18395 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="BFBC2 (games) " in-interface=all-ppp jump-target=game protocol=udp src-port=18395
add action=jump chain=postrouting comment="Requiem Online 0-256k (games) " connection-rate=0-256k dst-port=7110,7230 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Requiem Online 0-256k (games) " connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=tcp src-port=7230,7110
add action=jump chain=postrouting comment="Crysis 2 (games) " connection-rate=0-128k dst-port=64100 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Crysis 2 (games) " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=tcp src-port=64100
add action=jump chain=prerouting comment="UT3 (games) 0-128k down " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=udp src-port=7777,3783
add action=jump chain=postrouting comment="UT3 (games) 0-128k up " connection-rate=0-128k dst-port=7777,3783 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=postrouting comment="Rift (games) 0-128k up " connection-rate=0-128k dst-port=6520-6540 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Rift (games) 0-128k down " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=tcp src-port=6520-6540
add action=jump chain=postrouting comment="Red Alert 3 (games) " connection-rate=0-128k dst-port=4321,6660-6669,28900,29900,2901 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Red Alert 3 (games) " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=udp src-port=4321,6660-6669,28900,29900,2901
add action=jump chain=postrouting comment="Red Alert 3 (games) " connection-rate=0-128k dst-port=6515,6500,13139,27900 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=prerouting comment="Red Alert 3 (games) " connection-rate=0-128k in-interface=all-ppp jump-target=game protocol=tcp src-port=6515,6500,13139,27900
add action=jump chain=prerouting comment="Freelancer (games) 0-256k down " connection-rate=0-256k in-interface=all-ppp jump-target=game protocol=udp src-port=2302-2304
add action=jump chain=postrouting comment="Freelancer (games) 0-128k up " connection-rate=0-128k dst-port=2302-2304 jump-target=game out-interface=all-ppp protocol=udp
add action=jump chain=prerouting comment="Minecraft (games) 0-512k down " connection-rate=0-512k in-interface=all-ppp jump-target=game protocol=tcp src-port=25565
add action=jump chain=postrouting comment="Minecraft (games) 0-128k up " connection-rate=0-128k dst-port=25565 jump-target=game out-interface=all-ppp protocol=tcp
add action=jump chain=postrouting comment=Filmon dst-address-list=Filmon jump-target=streaming-video out-interface=all-ppp
add action=jump chain=prerouting in-interface=all-ppp jump-target=streaming-video src-address-list=Filmon
add action=jump chain=postrouting comment=Netflix jump-target=streaming-video layer7-protocol=Netflix out-interface=all-ppp
add action=jump chain=prerouting comment="RTMP e.g. BBC iPlayer" in-interface=all-ppp jump-target=streaming-video layer7-protocol=RTMP
add action=jump chain=postrouting jump-target=streaming-video layer7-protocol=RTMP out-interface=all-ppp
add action=jump chain=prerouting comment="http download" in-interface=all-ppp jump-target=http protocol=tcp src-port=80,443,8080
add action=jump chain=postrouting comment="http upload" dst-port=80,443,8080 jump-target=http out-interface=all-ppp protocol=tcp
add action=log chain=notes comment="End QoS tree"