Tuesday, December 15, 2009

Implementing PCQ on MikroTik

Mangle settings

First create an address list holding the client addresses (the original post does not give the addresses, so <client-subnet> is a placeholder):
/ip firewall address-list add list=CLIENT address=<client-subnet>

for upload
/ip firewall mangle add chain=prerouting in-interface=local src-address-list=CLIENT action=mark-packet new-packet-mark=client-up passthrough=no

for download
/ip firewall mangle add chain=forward src-address-list=CLIENT action=mark-connection new-connection-mark=client-conn passthrough=yes

/ip firewall mangle add chain=forward connection-mark=client-conn in-interface=Public action=mark-packet new-packet-mark=client-down passthrough=no

make queue
/queue tree add name=down parent=Local queue=default
/queue tree add name=up parent=global-in queue=default

/queue type add name=auto-down kind=pcq pcq-rate=0 pcq-classifier=dst-address pcq-total-limit=2000
/queue type add name=auto-up kind=pcq pcq-rate=0 pcq-classifier=src-address pcq-total-limit=2000

/queue tree add name=per-down packet-mark=client-down parent=down queue=auto-down max-limit=384k
/queue tree add name=per-up parent=up packet-mark=client-up queue=auto-up max-limit=64k

Sunday, December 13, 2009

Queue with Masquerading and Internal Web-Proxy

This is just for my own documentation and reference.

Introduction

This page describes how to build a QUEUE TREE in RouterOS on a router that is also running Web-Proxy and Masquerading. Several topics in the Forum say that it's impossible to do.

In version 2.9.x we cannot tell which traffic is a HIT and which is a MISS from the web-proxy. Several people want a configuration that delivers data already cached in the proxy (HIT traffic) at the maximum possible speed. In other words, if we already have the requested data, that transfer is not queued.

In version 3.0 we can do this, using the TOS header modification feature of the web-proxy. We can set any TOS value for HIT traffic and use it as a match parameter in mangle.

Basic Setup

First, the basic settings. I'm using a machine with 2 network interfaces:

[admin@instaler] > in pr
# NAME TYPE RX-RATE TX-RATE MTU
0 R public ether 0 0 1500
1 R lan wlan 0 0 1500

And this is the IP Address for each interface:

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.217/24 192.168.0.0 192.168.0.255 public
1 172.21.1.1/24 172.21.1.0 172.21.1.255 lan

Don't forget to set up the transparent web-proxy. We set cache-hit-dscp: 4.

[admin@instaler] > ip proxy pr
enabled: yes
src-address: 0.0.0.0
port: 3128
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: system
cache-administrator: "webmaster"
max-cache-size: none
cache-on-disk: yes
maximal-client-connections: 600
maximal-server-connections: 600
max-fresh-time: 3d
serialize-connections: yes
cache-hit-dscp: 4

Firewall NAT

Make 2 NAT rules: 1 for masquerading, and the other for redirecting to the transparent proxy.

[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=public
src-address=172.21.1.0/24 action=masquerade
1 chain=dstnat in-interface=lan src-address=172.21.1.0/24
protocol=tcp dst-port=80 action=redirect to-ports=3128

Mangle Setup

And now the most important part of this case.

If we want HIT traffic from the web proxy to bypass the queue, we have to make a mangle rule to handle this traffic. Put this rule at the beginning of the mangle list, as it will be checked first.

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; HIT TRAFFIC FROM PROXY
chain=output out-interface=lan
dscp=4 action=mark-packet
new-packet-mark=proxy-hit passthrough=no

As we will make queues for uplink and downlink traffic, we need 2 packet-marks. In this example, we use "test-up" for uplink traffic and "test-down" for downlink traffic.

For uplink traffic it's quite simple. We need only one rule, using the SRC-ADDRESS and IN-INTERFACE parameters in the PREROUTING chain. Rule #1.

But for downlink we have to make several rules. As we use masquerading, we need a connection mark, named "test-conn". Rule #2.

Then we have to make 2 more rules. The first is for non-HTTP / direct connections. We use the forward chain, as this data travels through the router. Rule #3.

The second rule is for data coming from the web-proxy to the client (MISS traffic). We use the OUTPUT chain, as this data comes from an internal process on the router itself. Rule #4.

Both rules (#3 and #4) set the mark "test-down".

Please be aware that we use passthrough only for the connection mark (rule #2).

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
1 ;;; UP TRAFFIC
chain=prerouting in-interface=lan
src-address=172.21.1.0/24 action=mark-packet
new-packet-mark=test-up passthrough=no

2 ;;; CONN-MARK
chain=forward src-address=172.21.1.0/24
action=mark-connection
new-connection-mark=test-conn passthrough=yes

3 ;;; DOWN-DIRECT CONNECTION
chain=forward in-interface=public
connection-mark=test-conn action=mark-packet
new-packet-mark=test-down passthrough=no

4 ;;; DOWN-VIA PROXY
chain=output out-interface=lan
dst-address=172.21.1.0/24 action=mark-packet
new-packet-mark=test-down passthrough=no
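To see why rule 0 has to sit first with passthrough=no, here is an added example (not from the original wiki page): a small Python model of walking these five mangle rules, with constructed sample packets for a client at 172.21.1.10 and an outside host 203.0.113.5.

```python
from ipaddress import ip_address, ip_network

# The five mangle rules from this post, in print order (rule 0 is checked first).
RULES = [
    {"chain": "output", "out-interface": "lan", "dscp": 4,
     "mark": "proxy-hit", "passthrough": False},                                    # 0
    {"chain": "prerouting", "in-interface": "lan",
     "src-address": "172.21.1.0/24", "mark": "test-up", "passthrough": False},     # 1
    {"chain": "forward", "src-address": "172.21.1.0/24",
     "conn-mark-set": "test-conn", "passthrough": True},                           # 2
    {"chain": "forward", "in-interface": "public",
     "connection-mark": "test-conn", "mark": "test-down", "passthrough": False},   # 3
    {"chain": "output", "out-interface": "lan",
     "dst-address": "172.21.1.0/24", "mark": "test-down", "passthrough": False},   # 4
]

def matches(rule, pkt, conn):
    """Every matcher present in the rule must agree with the packet/connection."""
    for key in ("in-interface", "out-interface", "dscp"):
        if key in rule and pkt.get(key) != rule[key]:
            return False
    if "connection-mark" in rule and conn.get("mark") != rule["connection-mark"]:
        return False
    for key, field in (("src-address", "src"), ("dst-address", "dst")):
        if key in rule and ip_address(pkt[field]) not in ip_network(rule[key]):
            return False
    return True

def mangle(chain, pkt, conn):
    """Walk one chain for pkt and return its packet-mark (None if unmarked).
    conn is the connection-tracking entry shared by both directions, so a
    connection-mark set on the request is visible on the reply."""
    mark = None
    for rule in RULES:
        if rule["chain"] != chain or not matches(rule, pkt, conn):
            continue
        if "conn-mark-set" in rule:
            conn["mark"] = rule["conn-mark-set"]
        else:
            mark = rule["mark"]
        if not rule["passthrough"]:
            break          # passthrough=no: stop at the first matching rule
    return mark

if __name__ == "__main__":
    # Constructed sample packets: a proxy HIT and a MISS sent to client 172.21.1.10.
    hit = {"out-interface": "lan", "src": "172.21.1.1", "dst": "172.21.1.10", "dscp": 4}
    print("HIT  ->", mangle("output", hit, {}))                 # proxy-hit, never test-down
    print("MISS ->", mangle("output", dict(hit, dscp=0), {}))  # test-down
```

Swap rule 0 and rule 4 in RULES and the HIT packet comes back marked test-down, which is exactly the "it's impossible" result the forum threads describe.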

Queue Tree Setup

And now the queue tree settings. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent. For downlink traffic we use parent "lan", the interface name for the local network. For uplink we use parent "global-in".

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
0 name="downstream" parent=lan packet-mark=test-down
limit-at=32000 queue=default priority=8
max-limit=32000 burst-limit=0
burst-threshold=0 burst-time=0s

1 name="upstream" parent=global-in
packet-mark=test-up limit-at=32000
queue=default priority=8
max-limit=32000 burst-limit=0
burst-threshold=0 burst-time=0s

You can also use these mangle rules with PCQ.


source:wiki.mikrotik.com

Friday, April 25, 2008

Delay pool on MikroTik

To build a delay pool on MikroTik, first add the following. The address list "downloads" is filled dynamically by the two filter rules below, so no static entry is needed:

/ip firewall filter add chain=forward \
  src-address=192.168.0.0/24 protocol=tcp content=.zip \
  action=add-dst-to-address-list address-list=downloads \
  address-list-timeout=01:00:00

/ip firewall filter add chain=forward \
  src-address=192.168.0.0/24 protocol=tcp content=.exe \
  action=add-dst-to-address-list address-list=downloads \
  address-list-timeout=01:00:00

/ip firewall mangle add chain=forward \
  protocol=tcp src-address-list=downloads \
  action=mark-packet new-packet-mark=download-paket passthrough=no

/queue simple add name=download-files \
  max-limit=64000/64000 packet-marks=download-paket

Tuesday, April 15, 2008

Linux Gateway Server

To build a gateway server you need a script like the one below:
touch rc.firewall
chmod +x rc.firewall ---> makes rc.firewall executable

mcedit /etc/rc.d/rc.firewall

contents of rc.firewall

#!/bin/bash
# Locate the binaries; squid itself is not started here, traffic is only redirected to it.
IPT=`which iptables`
SQUID=`which squid`
PORT_SQUID="3128"
OUT_IFACE="eth0"   # interface facing the Internet (interface names are lowercase on Linux)

# Transparent proxy: send port-80 traffic arriving at the router to squid.
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $PORT_SQUID
# NAT everything leaving through the Internet-facing interface.
$IPT -t nat -A POSTROUTING -o $OUT_IFACE -j MASQUERADE

After creating the rc.firewall file, install squid.

to be continued.................

Sunday, March 16, 2008

Equal bandwidth sharing among users

This example shows how to share 10 Mibps download and 2 Mibps upload equally among the active users in the network 192.168.0.0/24. If Host A is downloading at 2 Mibps, Host B gets 8 Mibps, and vice versa. When both hosts want to use the maximum bandwidth (10 Mibps), they receive 5 Mibps each; the same goes for upload. This setup is also valid for more than 2 users.

At first, mark all traffic coming from the local network 192.168.0.0/24 with the mark "users":
/ip firewall mangle add chain=forward src-address=192.168.0.0/24 \
action=mark-connection new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet \
new-packet-mark=users chain=forward
Now we will add 2 new PCQ types. The first, called pcq-download will group all traffic by destination address. As we will attach this queue type to the Local interface, it will create a dynamic queue for each destination address (user) which is downloading to the network 192.168.0.0/24. The second type, called pcq-upload will group the traffic by source address. We will attach this queue to the Public interface so it will make one dynamic queue for each user who is uploading to Internet from the local network 192.168.0.0/24.
/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address
Finally, make a queue tree for download traffic:
/queue tree add name=Download parent=Local max-limit=10240000
/queue tree add parent=Download queue=pcq-download packet-mark=users
And for upload traffic:
/queue tree add name=Upload parent=Public max-limit=2048000
/queue tree add parent=Upload queue=pcq-upload packet-mark=users
Note! If your ISP cannot guarantee you a fixed amount of traffic, you can use just one queue for upload and one for download, attached directly to the interface:
/queue tree add parent=Local queue=pcq-download packet-mark=users
/queue tree add parent=Public queue=pcq-upload packet-mark=users
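The sharing rule this post and the PCQ post at the top of the page rely on (pcq-rate=0 under a parent max-limit) is max-min fair share. As an added example, not from mikrotik.com, here is that calculation in Python; it goes beyond the two-host case in the text to any number of users and also models a non-zero pcq-rate ceiling. The sample demands are constructed, in the page's own unit of bits per second.

```python
def pcq_share(demands, max_limit, pcq_rate=0):
    """Max-min fair share, as PCQ does it with one dynamic sub-queue per user.

    demands   -- rate each active user would use if unconstrained
    max_limit -- the parent queue's max-limit (the capacity being shared)
    pcq_rate  -- per-sub-queue ceiling; 0 means no ceiling, as in RouterOS
    Units are whatever you pass in (this page uses bits per second).
    """
    caps = [min(d, pcq_rate) if pcq_rate else d for d in demands]
    rates = [0.0] * len(caps)
    remaining = float(max_limit)
    unsatisfied = [i for i in range(len(caps)) if caps[i] > 0]
    # Water-filling: offer everyone an equal slice; a user who needs less than
    # the slice takes only that, and the leftover is re-shared among the rest.
    while unsatisfied and remaining > 0:
        slice_ = remaining / len(unsatisfied)
        done = []
        for i in unsatisfied:
            take = min(caps[i] - rates[i], slice_)
            rates[i] += take
            remaining -= take
            if rates[i] >= caps[i]:
                done.append(i)
        if not done:
            break   # everyone took a full slice: the capacity is exhausted
        unsatisfied = [i for i in unsatisfied if i not in done]
    return rates

if __name__ == "__main__":
    LINK = 10240000   # the Download queue's max-limit from this page
    # Host A wants 2 Mibps, Host B wants everything: A gets 2, B gets 8.
    print(pcq_share([2048000, LINK], LINK))
    # Both want everything: 5 Mibps each.
    print(pcq_share([LINK, LINK], LINK))
    # Same, but with pcq-rate=3072000: each user is capped and 4 Mibps stays idle.
    print(pcq_share([LINK, LINK], LINK, pcq_rate=3072000))
```

The last case is why both posts leave pcq-rate at 0: a per-user ceiling below the fair share leaves link capacity unused even when users are asking for it.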

Source : mikrotik.com