
Posts

Showing posts from August, 2011

Mikrotik PCC and PPPOE server

Here is a working set of mangle rules for a single Mikrotik router acting as a PPPoE server, with 2 internet gateways.

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    in-interface=isp1 new-connection-mark=isp1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    in-interface=isp2 new-connection-mark=isp2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    dst-address-type=!local new-connection-mark=isp1_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:2/0 src-address=\
    10.10.100.0/24
add action=mark-routing chain=prerouting connection-mark=isp1_conn disabled=no \
    dst-address-type=!local new-routing-mark=to_isp1 passthrough=no \
    src-address=10.10.100.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    dst-address-type=!loc

Cisco Reflexive Access Lists

Cisco reflexive ACLs are a poor man's stateful firewall. If you don't have the luxury of the Advanced Security feature set, then configuring these is your best bet. Take the above simple example. A name server behind your router is doing a recursive lookup to another name server. Looking at that, you need to allow UDP port 53 on interface e0, as well as the return traffic on port 2033. Unfortunately that port is dynamic, so you could either allow any UDP traffic in on e0, or use reflexive ACLs.

ip access-list extended inbound
 permit icmp any any
 evaluate mytraffic

ip access-list extended outbound
 permit udp any any reflect mytraffic

interface e0
 ip access-group inbound in
 ip access-group outbound out

-------- verification...

show access-list mytraffic
 permit udp host 111.111.111.111 eq 53 host 192.168.1.100 eq 2033 (1 match) (time left 299)