feat: Add MikroTik firewall mangle rules for connection/packet marking and routing, along with queue configurations for traffic shaping.

178-mangle-new.rsc

@@ -0,0 +1,127 @@
+# 2026-02-27 07:59:02 by RouterOS 7.21.2
+# software id = JRG5-1NLG
+#
+/ip firewall mangle
+add action=mark-routing chain=prerouting comment=EXPIRED new-routing-mark=\
+    EXPIRED passthrough=no src-address-list=EXPIRED
+add action=mark-routing chain=prerouting comment=container dst-address-list=\
+    !localNet new-routing-mark=container passthrough=no src-address=\
+    10.100.37.0/24
+add action=mark-routing chain=prerouting comment=SpeedTest disabled=yes \
+    dst-address-list=speedtest new-routing-mark=*403 passthrough=no \
+    src-address-list=localNet
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address=!103.138.63.180 dst-address-list=!localNet new-routing-mark=\
+    *400 src-address-list=bali_10
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=*400 src-address-list=bali_20
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=bali_fiber src-address-list=\
+    bali_30
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=*400 src-address-list=bali_50
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=*400 src-address-list=\
+    bali_100
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=*400 src-address-list=\
+    bali_150
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=bali_fiber src-address-list=\
+    hemat
+add action=mark-routing chain=prerouting comment=ke_isp3 disabled=yes \
+    dst-address=!103.138.63.180 dst-address-list=!localNet new-routing-mark=\
+    *400 src-address-list=star_10
+add action=mark-routing chain=prerouting comment=ke_isp3 disabled=yes \
+    dst-address=!103.138.63.180 dst-address-list=!localNet new-routing-mark=\
+    *402 src-address-list=gls_500
+add action=mark-routing chain=prerouting comment=ke_isp3 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=*402 src-address=\
+    192.168.171.0/29
+add action=mark-routing chain=prerouting comment=ke_isp3 disabled=yes \
+    dst-address=!103.138.63.180 dst-address-list=!localNet new-routing-mark=\
+    *402 src-address-list=gold_50
+add action=mark-packet chain=forward dst-address-list=EXPIRED \
+    new-packet-mark=EXPIRED_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=EXPIRED_ul passthrough=\
+    no src-address-list=EXPIRED
+add action=mark-packet chain=forward dst-address-list=hemat new-packet-mark=\
+    hemat_dl passthrough=no src-address-list=!ip-lokal
+add action=mark-packet chain=forward dst-address-list=!ip-lokal \
+    new-packet-mark=hemat_ul passthrough=no src-address-list=hemat
+add action=mark-packet chain=forward dst-address-list=hemat new-packet-mark=\
+    hemat_dl_local passthrough=no src-address-list=ip-lokal
+add action=mark-packet chain=forward dst-address-list=ip-lokal \
+    new-packet-mark=hemat_ul_local passthrough=no src-address-list=hemat
+add action=mark-packet chain=forward dst-address-list=star_10 \
+    new-packet-mark=star_10_dl passthrough=no src-address-list=!ip-lokal
+add action=mark-packet chain=forward dst-address-list=!ip-lokal \
+    new-packet-mark=star_10_ul passthrough=no src-address-list=star_10
+add action=mark-packet chain=forward dst-address-list=star_10 \
+    new-packet-mark=star_10_dl_local passthrough=no src-address-list=ip-lokal
+add action=mark-packet chain=forward dst-address-list=ip-lokal \
+    new-packet-mark=star_10_ul_local passthrough=no src-address-list=star_10
+add action=mark-packet chain=forward dst-address-list=star_20 \
+    new-packet-mark=star_20_dl passthrough=no src-address-list=!ip-lokal
+add action=mark-packet chain=forward dst-address-list=!ip-lokal \
+    new-packet-mark=star_20_ul passthrough=no src-address-list=star_20
+add action=mark-packet chain=forward dst-address-list=star_20 \
+    new-packet-mark=star_20_dl_local passthrough=no src-address-list=ip-lokal
+add action=mark-packet chain=forward dst-address-list=ip-lokal \
+    new-packet-mark=star_20_ul_local passthrough=no src-address-list=star_20
+add action=mark-packet chain=forward dst-address-list=star_30 \
+    new-packet-mark=star_30_dl passthrough=no src-address-list=!ip-lokal
+add action=mark-packet chain=forward dst-address-list=!ip-lokal \
+    new-packet-mark=star_30_ul passthrough=no src-address-list=star_30
+add action=mark-packet chain=forward dst-address-list=star_30 \
+    new-packet-mark=star_30_dl_local passthrough=no src-address-list=ip-lokal
+add action=mark-packet chain=forward dst-address-list=ip-lokal \
+    new-packet-mark=star_30_ul_local passthrough=no src-address-list=star_30
+add action=mark-packet chain=forward dst-address-list=star_50 \
+    new-packet-mark=star_50_dl passthrough=no src-address-list=!ip-lokal
+add action=mark-packet chain=forward dst-address-list=!ip-lokal \
+    new-packet-mark=star_50_ul passthrough=no src-address-list=star_50
+add action=mark-packet chain=forward dst-address-list=star_50 \
+    new-packet-mark=star_50_dl_local passthrough=no src-address-list=ip-lokal
+add action=mark-packet chain=forward dst-address-list=ip-lokal \
+    new-packet-mark=star_50_ul_local passthrough=no src-address-list=star_50
+add action=mark-packet chain=forward dst-address-list=star_100 \
+    new-packet-mark=star_100_dl passthrough=no src-address-list=!ip-lokal
+add action=mark-packet chain=forward dst-address-list=!ip-lokal \
+    new-packet-mark=star_100_ul passthrough=no src-address-list=star_100
+add action=mark-packet chain=forward dst-address-list=star_100 \
+    new-packet-mark=star_100_dl_local passthrough=no src-address-list=\
+    ip-lokal
+add action=mark-packet chain=forward dst-address-list=ip-lokal \
+    new-packet-mark=star_100_ul_local passthrough=no src-address-list=\
+    star_100
+add action=mark-packet chain=forward dst-address-list=star_150 \
+    new-packet-mark=star_150_dl passthrough=no src-address-list=!ip-lokal
+add action=mark-packet chain=forward dst-address-list=!ip-lokal \
+    new-packet-mark=star_150_ul passthrough=no src-address-list=star_150
+add action=mark-packet chain=forward dst-address-list=star_150 \
+    new-packet-mark=star_150_dl_local passthrough=no src-address-list=\
+    ip-lokal
+add action=mark-packet chain=forward dst-address-list=ip-lokal \
+    new-packet-mark=star_150_ul_local passthrough=no src-address-list=\
+    star_150
+add action=mark-packet chain=forward dst-address-list=star_200 \
+    new-packet-mark=star_200_dl passthrough=no src-address-list=!ip-lokal
+add action=mark-packet chain=forward dst-address-list=!ip-lokal \
+    new-packet-mark=star_200_ul passthrough=no src-address-list=star_200
+add action=mark-packet chain=forward dst-address-list=star_200 \
+    new-packet-mark=star_200_dl_local passthrough=no src-address-list=\
+    ip-lokal
+add action=mark-packet chain=forward dst-address-list=ip-lokal \
+    new-packet-mark=star_200_ul_local passthrough=no src-address-list=\
+    star_200
+add action=mark-packet chain=forward dst-address-list=star_500 \
+    new-packet-mark=star_500_dl passthrough=no src-address-list=!ip-lokal
+add action=mark-packet chain=forward dst-address-list=!ip-lokal \
+    new-packet-mark=star_500_ul passthrough=no src-address-list=star_500
+add action=mark-packet chain=forward dst-address-list=star_500 \
+    new-packet-mark=star_500_dl_local passthrough=no src-address-list=\
+    ip-lokal
+add action=mark-packet chain=forward dst-address-list=ip-lokal \
+    new-packet-mark=star_500_ul_local passthrough=no src-address-list=\
+    star_500

178-mangle-xx.rsc

@@ -0,0 +1,163 @@
+# 2026-02-27 08:27:15 by RouterOS 7.21.2
+# software id = JRG5-1NLG
+#
+/ip firewall mangle
+add action=mark-routing chain=prerouting comment=EXPIRED new-routing-mark=\
+    EXPIRED passthrough=no src-address-list=EXPIRED
+add action=mark-routing chain=prerouting comment=container dst-address-list=\
+    !localNet new-routing-mark=container passthrough=no src-address=\
+    10.100.37.0/24
+add action=mark-routing chain=prerouting comment=SpeedTest disabled=yes \
+    dst-address-list=speedtest new-routing-mark=*403 passthrough=no \
+    src-address-list=localNet
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address=!103.138.63.180 dst-address-list=!localNet new-routing-mark=\
+    *400 src-address-list=bali_10
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=*400 src-address-list=bali_20
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=bali_fiber src-address-list=\
+    bali_30
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=*400 src-address-list=bali_50
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=*400 src-address-list=\
+    bali_100
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=*400 src-address-list=\
+    bali_150
+add action=mark-routing chain=prerouting comment=ke_isp2 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=bali_fiber src-address-list=\
+    hemat
+add action=mark-routing chain=prerouting comment=ke_isp3 disabled=yes \
+    dst-address=!103.138.63.180 dst-address-list=!localNet new-routing-mark=\
+    *400 src-address-list=star_10
+add action=mark-routing chain=prerouting comment=ke_isp3 disabled=yes \
+    dst-address=!103.138.63.180 dst-address-list=!localNet new-routing-mark=\
+    *402 src-address-list=gls_500
+add action=mark-routing chain=prerouting comment=ke_isp3 disabled=yes \
+    dst-address-list=!localNet new-routing-mark=*402 src-address=\
+    192.168.171.0/29
+add action=mark-routing chain=prerouting comment=ke_isp3 disabled=yes \
+    dst-address=!103.138.63.180 dst-address-list=!localNet new-routing-mark=\
+    *402 src-address-list=gold_50
+add action=mark-packet chain=forward dst-address-list=EXPIRED \
+    new-packet-mark=EXPIRED_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=EXPIRED_ul passthrough=\
+    no src-address-list=EXPIRED
+add action=mark-connection chain=forward dst-address-list=hemat \
+    new-connection-mark=conn_hemat_local src-address-list=ip-lokal
+add action=mark-connection chain=forward dst-address-list=ip-lokal \
+    new-connection-mark=conn_hemat_local src-address-list=hemat
+add action=mark-packet chain=forward connection-mark=conn_hemat_local \
+    dst-address-list=hemat new-packet-mark=hemat_dl_local passthrough=no
+add action=mark-packet chain=forward connection-mark=conn_hemat_local \
+    new-packet-mark=hemat_ul_local passthrough=no src-address-list=hemat
+add action=mark-packet chain=forward dst-address-list=hemat new-packet-mark=\
+    hemat_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=hemat_ul passthrough=no \
+    src-address-list=hemat
+add action=mark-connection chain=forward dst-address-list=star_10 \
+    new-connection-mark=conn_star_10_local src-address-list=ip-lokal
+add action=mark-connection chain=forward dst-address-list=ip-lokal \
+    new-connection-mark=conn_star_10_local src-address-list=star_10
+add action=mark-packet chain=forward connection-mark=conn_star_10_local \
+    dst-address-list=star_10 new-packet-mark=star_10_dl_local passthrough=no
+add action=mark-packet chain=forward connection-mark=conn_star_10_local \
+    new-packet-mark=star_10_ul_local passthrough=no src-address-list=star_10
+add action=mark-packet chain=forward dst-address-list=star_10 \
+    new-packet-mark=star_10_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=star_10_ul passthrough=\
+    no src-address-list=star_10
+add action=mark-connection chain=forward dst-address-list=star_20 \
+    new-connection-mark=conn_star_20_local src-address-list=ip-lokal
+add action=mark-connection chain=forward dst-address-list=ip-lokal \
+    new-connection-mark=conn_star_20_local src-address-list=star_20
+add action=mark-packet chain=forward connection-mark=conn_star_20_local \
+    dst-address-list=star_20 new-packet-mark=star_20_dl_local passthrough=no
+add action=mark-packet chain=forward connection-mark=conn_star_20_local \
+    new-packet-mark=star_20_ul_local passthrough=no src-address-list=star_20
+add action=mark-packet chain=forward dst-address-list=star_20 \
+    new-packet-mark=star_20_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=star_20_ul passthrough=\
+    no src-address-list=star_20
+add action=mark-connection chain=forward dst-address-list=star_30 \
+    new-connection-mark=conn_star_30_local src-address-list=ip-lokal
+add action=mark-connection chain=forward dst-address-list=ip-lokal \
+    new-connection-mark=conn_star_30_local src-address-list=star_30
+add action=mark-packet chain=forward connection-mark=conn_star_30_local \
+    dst-address-list=star_30 new-packet-mark=star_30_dl_local passthrough=no
+add action=mark-packet chain=forward connection-mark=conn_star_30_local \
+    new-packet-mark=star_30_ul_local passthrough=no src-address-list=star_30
+add action=mark-packet chain=forward dst-address-list=star_30 \
+    new-packet-mark=star_30_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=star_30_ul passthrough=\
+    no src-address-list=star_30
+add action=mark-connection chain=forward dst-address-list=star_50 \
+    new-connection-mark=conn_star_50_local src-address-list=ip-lokal
+add action=mark-connection chain=forward dst-address-list=ip-lokal \
+    new-connection-mark=conn_star_50_local src-address-list=star_50
+add action=mark-packet chain=forward connection-mark=conn_star_50_local \
+    dst-address-list=star_50 new-packet-mark=star_50_dl_local passthrough=no
+add action=mark-packet chain=forward connection-mark=conn_star_50_local \
+    new-packet-mark=star_50_ul_local passthrough=no src-address-list=star_50
+add action=mark-packet chain=forward dst-address-list=star_50 \
+    new-packet-mark=star_50_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=star_50_ul passthrough=\
+    no src-address-list=star_50
+add action=mark-connection chain=forward dst-address-list=star_100 \
+    new-connection-mark=conn_star_100_local src-address-list=ip-lokal
+add action=mark-connection chain=forward dst-address-list=ip-lokal \
+    new-connection-mark=conn_star_100_local src-address-list=star_100
+add action=mark-packet chain=forward connection-mark=conn_star_100_local \
+    dst-address-list=star_100 new-packet-mark=star_100_dl_local passthrough=\
+    no
+add action=mark-packet chain=forward connection-mark=conn_star_100_local \
+    new-packet-mark=star_100_ul_local passthrough=no src-address-list=\
+    star_100
+add action=mark-packet chain=forward dst-address-list=star_100 \
+    new-packet-mark=star_100_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=star_100_ul passthrough=\
+    no src-address-list=star_100
+add action=mark-connection chain=forward dst-address-list=star_150 \
+    new-connection-mark=conn_star_150_local src-address-list=ip-lokal
+add action=mark-connection chain=forward dst-address-list=ip-lokal \
+    new-connection-mark=conn_star_150_local src-address-list=star_150
+add action=mark-packet chain=forward connection-mark=conn_star_150_local \
+    dst-address-list=star_150 new-packet-mark=star_150_dl_local passthrough=\
+    no
+add action=mark-packet chain=forward connection-mark=conn_star_150_local \
+    new-packet-mark=star_150_ul_local passthrough=no src-address-list=\
+    star_150
+add action=mark-packet chain=forward dst-address-list=star_150 \
+    new-packet-mark=star_150_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=star_150_ul passthrough=\
+    no src-address-list=star_150
+add action=mark-connection chain=forward dst-address-list=star_200 \
+    new-connection-mark=conn_star_200_local src-address-list=ip-lokal
+add action=mark-connection chain=forward dst-address-list=ip-lokal \
+    new-connection-mark=conn_star_200_local src-address-list=star_200
+add action=mark-packet chain=forward connection-mark=conn_star_200_local \
+    dst-address-list=star_200 new-packet-mark=star_200_dl_local passthrough=\
+    no
+add action=mark-packet chain=forward connection-mark=conn_star_200_local \
+    new-packet-mark=star_200_ul_local passthrough=no src-address-list=\
+    star_200
+add action=mark-packet chain=forward dst-address-list=star_200 \
+    new-packet-mark=star_200_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=star_200_ul passthrough=\
+    no src-address-list=star_200
+add action=mark-connection chain=forward dst-address-list=star_500 \
+    new-connection-mark=conn_star_500_local src-address-list=ip-lokal
+add action=mark-connection chain=forward dst-address-list=ip-lokal \
+    new-connection-mark=conn_star_500_local src-address-list=star_500
+add action=mark-packet chain=forward connection-mark=conn_star_500_local \
+    dst-address-list=star_500 new-packet-mark=star_500_dl_local passthrough=\
+    no
+add action=mark-packet chain=forward connection-mark=conn_star_500_local \
+    new-packet-mark=star_500_ul_local passthrough=no src-address-list=\
+    star_500
+add action=mark-packet chain=forward dst-address-list=star_500 \
+    new-packet-mark=star_500_dl passthrough=no
+add action=mark-packet chain=forward new-packet-mark=star_500_ul passthrough=\
+    no src-address-list=star_500

example.txt

@@ -0,0 +1,29 @@
+[admin@MikroTik] > /ip firewall mangle pr
+Flags: X - disabled, I - invalid, D - dynamic
+
+0 chain=prerouting in-interface=ether-local 
+  dst-address-list=nice 
+  action=mark-connection new-connection-mark=conn-iix 
+  passthrough=yes
+
+1 chain=prerouting connection-mark=conn-iix 
+  action=mark-packet new-packet-mark=packet-iix 
+  passthrough=no
+
+2 chain=prerouting action=mark-packet 
+  new-packet-mark=packet-intl passthrough=no
+
+
+[admin@MikroTik]> /queue simple pr
+Flags: X - disabled, I - invalid, D - dynamic
+0 name="client02-iix" target-addresses=192.168.0.2/32 
+  dst-address=0.0.0.0/0 interface=all parent=none 
+  packet-marks=packet-iix direction=both priority=8 
+  queue=default-small/default-small limit-at=0/0 
+  max-limit=64000/256000 total-queue=default-small 
+
+1 name="client02-intl" target-addresses=192.168.0.2/32 
+  dst-address=0.0.0.0/0 interface=all parent=none 
+  packet-marks=packet-intl direction=both priority=8 
+  queue=default-small/default-small limit-at=0/0 
+  max-limit=32000/128000 total-queue=default-small