IP Flow Routing, Mangle and QoS

Transcription

1 MUM 2008 Workshop IP Flow Routing, Mangle and QoS Valens Riyadi & Novan Chris Citraweb Nusa Infomedia (Mikrotik Certified Training Partner)

2 Introduction Name: Valens Riyadi Country: Indonesia Graduated as Architect 1998 Work at Citraweb (Citranet) ISP, Web Developer, Mikrotik Reseller Photographer Administrator of Head of Security Dept, Indonesian ISP Association Volunteer for Airputih Foundation, IT Emergency Task Force Steering Committee for ID-SIRTII Indonesia Security Incident Response Team on Information Infrastructure Mikrotik Certified Consultant & Trainner 00-2 Mikrotik Indonesia

3 My Company Citraweb Nusa Infomedia Web Developer (since 2000) Small ISP (since 2001) Mikrotik Reseller (since 2002) Mikrotik Certified Training Partner (2005) Located at : Yogyakarta Indonesia Using RouterOS since Mikrotik Indonesia

4 Yogyakarta City 3,4 million of population Tourism City Student City Almost 50% of population are students from other cities. Finally. Cyber café City 00-4 Mikrotik Indonesia

5 IP Flow Mangle Overview Mark connection, mark packet, mark route Multiple Gateways with NAT Network QoS -> Queue Tree We will NOT discuss about : Simple Queue, Queue Type Load balance 00-5 Mikrotik Indonesia

6 IP Flow Diagram that show how each packet process from input interface (or local process) to output interface (or local process) For each traffic, we should know source and destination Mikrotik Indonesia

7 Source and Destination Source Input Interface Local Process Destination Local Process Output Interface 00-7 Mikrotik Indonesia

8 IP Flow (simple diagram) INPUT INTERFACE PRE ROUTING FORWARD POST ROUTING OUTPUT INTERFACE INPUT LOCAL PROCESS OUTPUT PREROUTING Hotspot Input Conn-Tracking Mangle Dst-NAT Global-In Queue Global-Total Queue INPUT Mangle Filter FORWARD Mangle Filter Acounting OUTPUT Conn-Tracking Mangle Filter POSTROUTING Mangle Global-Out Queue Global-Total Queue Source-NAT Hotspot Output 00-8 Mikrotik Indonesia

9 BRIDGE DST-NAT Broute? + - INPUT is Bridged? - + IP Flow PRE ROUTING Bridge Decision - BRIDGE INPUT Routing Decision + BRIDGE FORWARD FORWARD OUTPUT Conn-Tracking Mangle Filter FORWARD Mangle Filter Acounting POSTROUTING Mangle Global-Out Queue Global-Total Queue Source-NAT Hotspot Output INPUT INTERFACE PREROUTING Hotspot Input Conn-Tracking Mangle Dst-NAT Global-In Queue Global-Total Queue IPSEC DECRYPTION INPUT Mangle Filter + INPUT IPsec Policy - LOCAL PROCESS-IN Routing Decision OUTPUT LOCAL PROCESS-OUT IPSEC ENCRYPTION + OUTPUT is Bridged? - POST ROUTING IPsec Policy - INTERFACE QUEUE + Bridge Decision BRIDGE OUTPUT BRIDGE SRC-NAT OUTPUT INTERFACE 00-9 Mikrotik Indonesia

10 Chain Position From To Mangle Firewall Queue Outside Router / Prerouting Global-in Local process Input Input Global-Total Router/ Outside Output Output Global-Out Local process Postrouting Global-Total Interface Outside Outside Prerouting Global-in Forward Forward Global-out Postrouting Global-total Interface Mikrotik Indonesia

11 Case 1: Simple Network As the client is masqueraded, we will use connection tracking to mangle the client We do mark packet after connection tracking To limit all traffic, we will use chain prerouting Mikrotik Indonesia

12 mangle Mikrotik Indonesia

13 Mangle & Queue Mikrotik Indonesia

14 Case 2: Multiple Gateway We have 2 access to backbones. We can use firewall nth and policy route to load balance the backbone Mikrotik Indonesia

15 Constrain In previous case, we use interface queue for uplink and downlink. But now we have more than 1 interface for uplink. We can use global-in for uplink Mikrotik Indonesia

16 IP Address and Masquerade /ip address pr Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE / ether2-backbone / ether3-backbone / ether1-local /ip firewall nat pr Flags: X - disabled, I - invalid, D - dynamic 0 chain=srcnat action=masquerade out-interface=ether2-backbone1 1 chain=srcnat action=masquerade out-interface=ether3-backbone Mikrotik Indonesia

17 Mangle for Routing /ip firewall mangle print Flags: X - disabled, I - invalid, D - dynamic 0 chain=prerouting action=mark-connection new-connectionmark=conn-1 passthrough=yes connection-state=new ininterface=ether1-local nth=2,1 1 chain=prerouting action=mark-connection new-connectionmark=conn-2 passthrough=yes connection-state=new ininterface=ether1-local nth=2,2 2 chain=prerouting action=mark-routing new-routingmark=route1 passthrough=yes in-interface=ether1-local connection-mark=conn-1 3 chain=prerouting action=mark-routing new-routingmark=route2 passthrough=yes in-interface=ether1-local connection-mark=conn Mikrotik Indonesia

18 Static Route /ip route add comment="" disabled=no distance=1 dstaddress= /0 gateway= \ routing-mark=route2 add comment="" disabled=no distance=1 dstaddress= /0 gateway= \ routing-mark=route1 add comment="" disabled=no distance=1 dstaddress= /0 gateway= Mikrotik Indonesia

19 Mangle for Queue /ip firewall mangle print 4 chain=prerouting action=mark-connection newconnection-mark=conn-client passthrough=yes src-address= /24 5 chain=prerouting action=mark-packet newpacket-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client 6 chain=prerouting action=mark-packet newpacket-mark=packet-client1-download passthrough=no connection-mark=conn-client Mikrotik Indonesia

20 Queue Tree /queue tree print Flags: X - disabled, I - invalid 0 name="total- download" parent=ether1- local packet- mark=packet- client1- download limitat= queue=default priority=8 maxlimit= burst- limit=0 burst- threshold=0 bursttime=0s 1 name="total- upload" parent=global- in packetmark=packet- client1- upload limit- at= queue=default priority=8 max- limit= burstlimit=0 burst- threshold=0 burst- time=0s Mikrotik Indonesia

21 00-21 Mikrotik Indonesia

22 Case 3: Using Web Proxy We will use transparant proxy for web traffic (tcp 80) using dst-nat: redirect Mikrotik Indonesia

23 Constrain Previous Configuration: Will not load balance uplink traffic from proxy Will not limit downlink connection from proxy to client Mikrotik Indonesia

24 Queue with SRC-NAT & Internal Proxy ROUTER SRC-NAT Traffic Client - Internet INTERNET WEB-PROXY LOCAL PROCESS Mikrotik Indonesia

25 Queue with SRC-NAT & Internal Proxy ROUTER Direct Upstream SRC-NAT 2 Direct Downstream 1 3 Upstream to proxy WEB-PROXY LOCAL PROCESS Downstream from proxy INTERNET Mikrotik Indonesia

26 How to do Load Balance Uplink traffic from proxy Make new rules in mangle chain output, to do nth (mark-connection and mark-packet) Limit downlink traffic from proxy to client: Make new packet-mark on chain output Mikrotik Indonesia

27 New Mangle for routing /ip firewall mangle print 8 chain=output action=mark-connection newconnection-mark=conn-proxy-1 passthrough=yes connection-state=new nth=2,1 9 chain=output action=mark-connection newconnection-mark=conn-proxy-2 passthrough=yes connection-state=new nth=2,2 10 chain=output action=mark-routing new-routingmark=route1 passthrough=yes connectionmark=conn-1 11 chain=output action=mark-routing new-routingmark=route2 passthrough=yes connectionmark=conn Mikrotik Indonesia

28 Mangle for Queue 4 chain=prerouting action=mark-connection new-connectionmark=conn-client passthrough=yes src-address= /24 5 chain=prerouting action=mark-packet new-packetmark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client 6 chain=prerouting action=mark-packet new-packetmark=packet-client1-download passthrough=no connection-mark=conn-client 7 chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no out-interface=ether1-local connection-mark=conn-client Mikrotik Indonesia

29 Mangle Configuration Mikrotik Indonesia

30 Case 4: Max Speed for Hit Traffic We want to give max speed for client if they access cached data on proxy (hit traffic) Mikrotik Indonesia

31 How to We can differentiate hit and miss traffic using TOS / DSCP parameter. On proxy, we set Cache Hit DSCP (Differentiated Services Code Point)/ToS (Type of Services) = 4 We make new mangle and new queue tree to mange hit traffic Mikrotik Indonesia

32 Mangle for Queue 4 chain=prerouting action=mark-connection new-connectionmark=conn-client passthrough=yes src-address= /24 5 chain=prerouting action=mark-packet new-packet-mark=packetclient1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client 6 chain=prerouting action=mark-packet new-packet-mark=packetclient1-download passthrough=no connection-mark=conn-client 7 chain=output action=mark-packet new-packet-mark=packetclient1-hit-download passthrough=no out-interface=ether1-local connection-mark=conn-client dscp=4 8 chain=output action=mark-packet new-packet-mark=packet-client1- download passthrough=no out-interface=ether1-local connection-mark=conn-client Mikrotik Indonesia

33 Queue Tree 0 name="total-download" parent=ether1-local packetmark=packet-client1-download limit-at= queue=default priority=8 max-limit= burst-limit=0 burst-threshold=0 burst-time=0s 1 name="total-upload" parent=global-in packet-mark=packetclient1-upload limit-at= queue=default priority=8 maxlimit= burst-limit=0 burst-threshold=0 burst-time=0s 2 name="total-download-hit" parent=ether1-local packetmark=packet-client1-hit-download limit-at= queue=default priority=8 max-limit= burst-limit=0 burst-threshold=0 burst-time=0s Mikrotik Indonesia

34 00-34 Mikrotik Indonesia

35 Thank You!