
MUM 2008 Workshop

IP Flow
Routing, Mangle and QoS

Valens Riyadi & Novan Chris


Citraweb Nusa Infomedia (Mikrotik Certified Training Partner)

Introduction
Name: Valens Riyadi
Country: Indonesia
Graduated as Architect, 1998
Works at Citraweb (Citranet): ISP, Web Developer, Mikrotik Reseller
Photographer; Administrator of www.fotografer.net
Head of Security Dept, Indonesian ISP Association
Volunteer for Airputih Foundation, IT Emergency Task Force
Steering Committee for ID-SIRTII (Indonesia Security Incident Response Team on Information Infrastructure)
Mikrotik Certified Consultant & Trainer

00-2

Mikrotik Indonesia http://www.mikrotik.co.id

6/16/2008

My Company
Citraweb Nusa Infomedia
Web Developer (since 2000)
Small ISP (since 2001)
Mikrotik Reseller (since 2002)
Mikrotik Certified Training Partner (2005)
Located at: Yogyakarta, Indonesia
Using RouterOS since 2.3.15


Yogyakarta City
3.4 million population
Tourism City, Student City
Almost 50% of the population are students from other cities.
Finally... Cyber Cafe City


Overview
IP Flow
Mangle: mark connection, mark packet, mark route
Multiple Gateways with NAT
Network QoS -> Queue Tree
We will NOT discuss: Simple Queue, Queue Type, Load balance


IP Flow
A diagram that shows how each packet is processed from the input interface (or a local process) to the output interface (or a local process). For each traffic flow, we need to know its source and its destination.


Source and Destination
Source: Input Interface or Local Process
Destination: Local Process or Output Interface


IP Flow (simple diagram)
[Diagram: INPUT INTERFACE -> PREROUTING -> FORWARD -> POSTROUTING -> OUTPUT INTERFACE for transit traffic; PREROUTING -> INPUT -> LOCAL PROCESS for traffic to the router; LOCAL PROCESS -> OUTPUT -> POSTROUTING -> OUTPUT INTERFACE for traffic from the router.]

Facilities in each chain, in order:
PREROUTING: Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue
INPUT: Mangle, Filter
FORWARD: Mangle, Filter, Accounting
OUTPUT: Conn-Tracking, Mangle, Filter
POSTROUTING: Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output


IP Flow
[Detailed diagram: INPUT INTERFACE -> IPSEC DECRYPTION -> "is Bridged?" decision. Bridged traffic goes through Bridge Decision, BRIDGE DST-NAT, BRIDGE INPUT / BRIDGE FORWARD / BRIDGE OUTPUT and BRIDGE SRC-NAT, with a "Broute?" test. Routed traffic goes PREROUTING -> Routing Decision -> FORWARD, or -> INPUT -> LOCAL PROCESS-IN. LOCAL PROCESS-OUT -> OUTPUT -> Routing Decision -> POSTROUTING -> "is Bridged?" decision -> IPsec Policy -> IPSEC ENCRYPTION -> INTERFACE QUEUE -> OUTPUT INTERFACE. The per-chain facilities are the same as in the simple diagram: PREROUTING: Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue; INPUT: Mangle, Filter; FORWARD: Mangle, Filter, Accounting; OUTPUT: Conn-Tracking, Mangle, Filter; POSTROUTING: Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output.]


Chain Position

From                    To                      Mangle                            Firewall   Queue
Outside                 Router / Local process  Prerouting, Input                 Input      Global-in, Global-Total
Router / Local process  Outside                 Output, Postrouting               Output     Global-Out, Global-Total, Interface
Outside                 Outside                 Prerouting, Forward, Postrouting  Forward    Global-in, Global-out, Global-total, Interface

Case 1: Simple Network

As the client is masqueraded, we use connection tracking to mangle the client's traffic.
We mark packets after connection tracking.
To limit all traffic, we use chain prerouting.


mangle


Mangle & Queue


Case 2: Multiple Gateway

We have access to two backbones. We can use the firewall nth matcher and policy routing to load balance across the backbones.


Constraint
In the previous case we used interface queues for uplink and downlink. Now we have more than one uplink interface, so we use global-in for the uplink queue instead.


IP Address and Masquerade

/ip address pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   172.16.10.2/24     172.16.10.0     172.16.10.255   ether2-backbone1
 1   172.16.20.2/24     172.16.20.0     172.16.20.255   ether3-backbone2
 2   192.168.10.1/24    192.168.10.0    192.168.10.255  ether1-local

/ip firewall nat pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether2-backbone1
 1   chain=srcnat action=masquerade out-interface=ether3-backbone2


Mangle for Routing

/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-connection new-connection-mark=conn-1 passthrough=yes connection-state=new in-interface=ether1-local nth=2,1
 1   chain=prerouting action=mark-connection new-connection-mark=conn-2 passthrough=yes connection-state=new in-interface=ether1-local nth=2,2
 2   chain=prerouting action=mark-routing new-routing-mark=route1 passthrough=yes in-interface=ether1-local connection-mark=conn-1
 3   chain=prerouting action=mark-routing new-routing-mark=route2 passthrough=yes in-interface=ether1-local connection-mark=conn-2


Static Route
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.20.1 routing-mark=route2
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.10.1 routing-mark=route1
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.20.1
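To see how the Case 2 rules behave as a whole, here is a small Python model (added for this write-up; it is not code from the workshop slides or from RouterOS). It walks client packets through the four prerouting mangle rules above, keeps a toy connection-tracking table, and then does the routing-mark lookup against the static routes. The rule values (nth=2,1 / nth=2,2, conn-1 / conn-2, route1 / route2, the gateways) are taken from the slides; the class and function names (Packet, Nth, Conntrack, mangle_prerouting, pick_gateway, simulate), the sample client addresses and the 203.0.113.x destinations are constructed for the example. The nth matcher is modelled as a per-rule counter that advances only for packets that satisfied the rule's other matchers, which is how the two rules end up marking alternate new connections; the point to observe is that only the first packet of a connection is balanced, and every later packet of that connection follows the same gateway via its connection mark.

```python
from dataclasses import dataclass
from typing import Optional

# /ip route from the "Static Route" slide: routing-mark -> gateway.
# "main" stands for the unmarked default route.
ROUTES = {"route1": "172.16.10.1", "route2": "172.16.20.1", "main": "172.16.20.1"}


@dataclass
class Packet:  # constructed for this example
    src: str
    dst: str
    sport: int
    dport: int
    in_interface: str
    routing_mark: Optional[str] = None
    connection_mark: Optional[str] = None


class Nth:
    """Model of the RouterOS nth=every,packet matcher (assumption: one counter
    per rule, advanced by every packet that passed the rule's other matchers)."""

    def __init__(self, every: int, packet: int):
        self.every, self.packet, self.counter = every, packet, 0

    def __call__(self) -> bool:
        self.counter = self.counter % self.every + 1  # cycles 1..every
        return self.counter == self.packet


class Conntrack:
    """Toy connection-tracking table keyed on the 4-tuple (protocol omitted);
    each entry stores the mark set by a mark-connection rule."""

    def __init__(self):
        self.entries = {}

    def get(self, pkt: Packet):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        state = "established" if key in self.entries else "new"
        return self.entries.setdefault(key, {"mark": None}), state


def rule(action, value, **match):
    # every rule on the slide has passthrough=yes, so evaluation never stops early
    return {"action": action, "value": value, "match": match}


def prerouting_rules():
    """Rules 0-3 of the "Mangle for Routing" slide, with fresh nth counters."""
    return [
        rule("mark-connection", "conn-1", in_interface="ether1-local",
             connection_state="new", nth=Nth(2, 1)),
        rule("mark-connection", "conn-2", in_interface="ether1-local",
             connection_state="new", nth=Nth(2, 2)),
        rule("mark-routing", "route1", in_interface="ether1-local", connection_mark="conn-1"),
        rule("mark-routing", "route2", in_interface="ether1-local", connection_mark="conn-2"),
    ]


def matches(r, pkt: Packet, entry, state) -> bool:
    m = r["match"]
    if "in_interface" in m and pkt.in_interface != m["in_interface"]:
        return False
    if "connection_state" in m and state != m["connection_state"]:
        return False
    if "connection_mark" in m and entry["mark"] != m["connection_mark"]:
        return False
    # nth is checked last, so established packets and replies never move the counter
    return m["nth"]() if "nth" in m else True


def mangle_prerouting(pkt: Packet, ct: Conntrack, rules) -> Packet:
    entry, state = ct.get(pkt)
    for r in rules:
        if not matches(r, pkt, entry, state):
            continue
        if r["action"] == "mark-connection":
            entry["mark"] = r["value"]     # sticks to the whole connection
        elif r["action"] == "mark-routing":
            pkt.routing_mark = r["value"]  # applies to this packet's route lookup
    pkt.connection_mark = entry["mark"]
    return pkt


def pick_gateway(pkt: Packet) -> str:
    """Route lookup: a marked packet uses its routing table, an unmarked one uses main."""
    return ROUTES[pkt.routing_mark or "main"]


def simulate(flows, rules=None):
    """flows: (src, dst, sport, dport) per packet, all arriving on ether1-local.
    Returns the gateway chosen for each packet, in order."""
    rules = rules if rules is not None else prerouting_rules()
    ct = Conntrack()
    return [pick_gateway(mangle_prerouting(Packet(*f, "ether1-local"), ct, rules)) for f in flows]


if __name__ == "__main__":
    # Constructed sample: three new client connections, a second packet of the
    # first connection, then a fourth connection.
    sample = [("192.168.10.5", "203.0.113.10", 40001, 80),
              ("192.168.10.5", "203.0.113.10", 40002, 80),
              ("192.168.10.7", "203.0.113.20", 40003, 443),
              ("192.168.10.5", "203.0.113.10", 40001, 80),
              ("192.168.10.5", "203.0.113.30", 40004, 80)]
    for f, gw in zip(sample, simulate(sample)):
        print(f"{f[0]}:{f[2]} -> {f[1]}:{f[3]}  via {gw}")
```

Running it shows the new connections alternating between 172.16.10.1 and 172.16.20.1 while the repeated packet of the first connection stays on 172.16.10.1; a packet arriving on a backbone interface matches none of the rules and falls through to the unmarked default route.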


Mangle for Queue

/ip firewall mangle print
 4   chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes src-address=192.168.10.0/24
 5   chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client
 6   chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client


Queue Tree
/queue tree print
Flags: X - disabled, I - invalid
 0   name="total-download" parent=ether1-local packet-mark=packet-client1-download limit-at=512000 queue=default priority=8 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s
 1   name="total-upload" parent=global-in packet-mark=packet-client1-upload limit-at=256000 queue=default priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s

Case 3: Using Web Proxy

We will use a transparent proxy for web traffic (tcp 80), using dst-nat with action=redirect.


Constraint
The previous configuration:
- will not load balance uplink traffic from the proxy
- will not limit downlink traffic from the proxy to the client


Queue with SRC-NAT & Internal Proxy
[Diagram: client-to-Internet traffic passes through the ROUTER's SRC-NAT; the WEB-PROXY is a LOCAL PROCESS on the router, between the client and the INTERNET.]

Queue with SRC-NAT & Internal Proxy
[Diagram with numbered flows 1-6 between the client, SRC-NAT, the WEB-PROXY (LOCAL PROCESS) and the INTERNET: Direct Upstream, Direct Downstream, Upstream to proxy, Downstream from proxy.]


How to do
Load balance uplink traffic from the proxy:
Make new rules in mangle chain output to do nth (mark-connection and mark-packet).

Limit downlink traffic from the proxy to the client:
Make a new packet-mark on chain output.


New Mangle for routing

/ip firewall mangle print
 8   chain=output action=mark-connection new-connection-mark=conn-proxy-1 passthrough=yes connection-state=new nth=2,1
 9   chain=output action=mark-connection new-connection-mark=conn-proxy-2 passthrough=yes connection-state=new nth=2,2
 10  chain=output action=mark-routing new-routing-mark=route1 passthrough=yes connection-mark=conn-proxy-1
 11  chain=output action=mark-routing new-routing-mark=route2 passthrough=yes connection-mark=conn-proxy-2

Mangle for Queue

 4   chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes src-address=192.168.10.0/24
 5   chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client
 6   chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client
 7   chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no out-interface=ether1-local connection-mark=conn-client


Mangle Configuration


Case 4: Max Speed for Hit Traffic

We want to give clients maximum speed when they access data that is already cached on the proxy (hit traffic).


How to
We can differentiate hit and miss traffic using the TOS / DSCP parameter.
On the proxy, we set Cache Hit DSCP (Differentiated Services Code Point) / ToS (Type of Service) = 4.
We add a new mangle rule and a new queue tree entry to manage hit traffic.

Mangle for Queue

 4   chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes src-address=192.168.10.0/24
 5   chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client
 6   chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client
 7   chain=output action=mark-packet new-packet-mark=packet-client1-hit-download passthrough=no out-interface=ether1-local connection-mark=conn-client dscp=4
 8   chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no out-interface=ether1-local connection-mark=conn-client


Queue Tree
 0   name="total-download" parent=ether1-local packet-mark=packet-client1-download limit-at=512000 queue=default priority=8 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s
 1   name="total-upload" parent=global-in packet-mark=packet-client1-upload limit-at=256000 queue=default priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s
 2   name="total-download-hit" parent=ether1-local packet-mark=packet-client1-hit-download limit-at=1000000 queue=default priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0 burst-time=0s
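The following Python model (added here; not code from the slides or from RouterOS) ties the Case 3 and Case 4 output-chain rules to the queue tree: it classifies a proxy-to-client packet with rules 7 and 8, which both have passthrough=no, and looks up the queue the resulting packet-mark lands in. The rule matchers, packet-mark names, queue names and max-limit values are the slides' own; OutPacket, mark_output_packet, queue_for, order_check and tos_to_dscp are names constructed for the example, and the sample packets are constructed. It also shows the failure mode of swapping the two rules: because the generic download rule stops evaluation, a dscp=4 packet would then never reach the hit rule and would be shaped at 512 kbit/s instead of 1 Mbit/s, so the order_check helper verifies that every DSCP-specific rule precedes the catch-all.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class OutPacket:  # constructed for this example
    out_interface: str
    connection_mark: Optional[str]
    dscp: int = 0  # 6-bit DSCP field; the proxy marks cache hits with 4


# Rules 7 and 8 of the Case 4 "Mangle for Queue" slide: (new-packet-mark, matchers).
# Both have passthrough=no, so the first matching rule is the only one applied.
OUTPUT_RULES = [
    ("packet-client1-hit-download",
     {"out_interface": "ether1-local", "connection_mark": "conn-client", "dscp": 4}),
    ("packet-client1-download",
     {"out_interface": "ether1-local", "connection_mark": "conn-client"}),
]

# Queue tree from the Case 4 "Queue Tree" slide: packet-mark -> (name, parent, max-limit bit/s)
QUEUE_TREE = {
    "packet-client1-download":     ("total-download",     "ether1-local", 512000),
    "packet-client1-upload":       ("total-upload",       "global-in",    256000),
    "packet-client1-hit-download": ("total-download-hit", "ether1-local", 1000000),
}


def mark_output_packet(pkt: OutPacket, rules=OUTPUT_RULES) -> Optional[str]:
    """Walk the output chain in order; return the packet-mark of the first
    matching rule (passthrough=no), or None if nothing matched."""
    for mark, matchers in rules:
        if all(getattr(pkt, field) == want for field, want in matchers.items()):
            return mark
    return None


def queue_for(pkt: OutPacket, rules=OUTPUT_RULES) -> Optional[Tuple[str, str, int]]:
    """Queue-tree entry the packet lands in, or None if it leaves unshaped
    (for example proxy upstream traffic leaving on a backbone interface)."""
    mark = mark_output_packet(pkt, rules)
    return QUEUE_TREE.get(mark) if mark else None


def order_check(rules=OUTPUT_RULES) -> bool:
    """True if no DSCP-specific rule sits behind a catch-all rule; with
    passthrough=no a later DSCP rule would never be reached."""
    seen_catch_all = False
    for _, matchers in rules:
        if "dscp" in matchers and seen_catch_all:
            return False
        if "dscp" not in matchers:
            seen_catch_all = True
    return True


def tos_to_dscp(tos_byte: int) -> int:
    """DSCP is the upper six bits of the IPv4 ToS byte (RFC 2474): ToS 0x10 -> DSCP 4."""
    return (tos_byte >> 2) & 0x3F


if __name__ == "__main__":
    # Constructed sample packets leaving the proxy towards a client.
    samples = {
        "hit to client":        OutPacket("ether1-local", "conn-client", dscp=4),
        "miss to client":       OutPacket("ether1-local", "conn-client", dscp=0),
        "proxy to backbone":    OutPacket("ether2-backbone1", "conn-proxy-1", dscp=0),
        "unmarked connection":  OutPacket("ether1-local", None, dscp=4),
    }
    for label, pkt in samples.items():
        print(f"{label:22s} -> {mark_output_packet(pkt)} -> {queue_for(pkt)}")
    print("rule order ok:", order_check())
    print("rule order ok if swapped:", order_check(list(reversed(OUTPUT_RULES))))
```

The model only covers the chain=output side; client uploads are marked in prerouting (rule 5) and land in total-upload under global-in, which the table carries for completeness.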


Thank You!
info@mikrotik.co.id
