IP Flow Routing, Mangle and QoS




MUM 2008 Workshop
IP Flow Routing, Mangle and QoS
Valens Riyadi & Novan Chris
Citraweb Nusa Infomedia (Mikrotik Certified Training Partner)

Introduction
Name: Valens Riyadi
Country: Indonesia
Graduated as Architect, 1998
Work at Citraweb (Citranet): ISP, Web Developer, Mikrotik Reseller
Photographer, Administrator of www.fotografer.net
Head of Security Dept, Indonesian ISP Association
Volunteer for Airputih Foundation, IT Emergency Task Force
Steering Committee for ID-SIRTII (Indonesia Security Incident Response Team on Information Infrastructure)
Mikrotik Certified Consultant & Trainer
00-2 Mikrotik Indonesia http://www.mikrotik.co.id

My Company
Citraweb Nusa Infomedia
Web Developer (since 2000)
Small ISP (since 2001)
Mikrotik Reseller (since 2002)
Mikrotik Certified Training Partner (2005)
Located at: Yogyakarta, Indonesia
Using RouterOS since 2.3.15

Yogyakarta City
3.4 million population
Tourism City
Student City: almost 50% of the population are students from other cities.
Finally: Cyber café City

Overview
IP Flow
Mangle: mark connection, mark packet, mark route
Multiple Gateways with NAT
Network QoS -> Queue Tree
We will NOT discuss: Simple Queue, Queue Type, Load balance

IP Flow
Diagram that shows how each packet is processed from the input interface (or local process) to the output interface (or local process).
For each traffic flow, we should know its source and destination.

Source and Destination
Source: Input Interface, or Local Process
Destination: Local Process, or Output Interface

IP Flow (simple diagram)
Path: INPUT INTERFACE -> PREROUTING -> FORWARD -> POSTROUTING -> OUTPUT INTERFACE; packets for the router go PREROUTING -> INPUT -> LOCAL PROCESS, and packets from the router go LOCAL PROCESS -> OUTPUT -> POSTROUTING.
PREROUTING: Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue
INPUT: Mangle, Filter
FORWARD: Mangle, Filter, Accounting
OUTPUT: Conn-Tracking, Mangle, Filter
POSTROUTING: Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output

IP Flow (full diagram, with bridging and IPsec)
INPUT INTERFACE -> Broute? -> "is Bridged?"
  + (bridged): BRIDGE DST-NAT -> Bridge Decision -> BRIDGE INPUT or BRIDGE FORWARD
  - (routed): PREROUTING
PREROUTING: Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue -> Routing Decision
INPUT: Mangle, Filter -> INPUT IPsec Policy: + IPSEC DECRYPTION (back to PREROUTING), - LOCAL PROCESS-IN
LOCAL PROCESS-OUT -> Routing Decision -> OUTPUT: Conn-Tracking, Mangle, Filter
FORWARD: Mangle, Filter, Accounting
POSTROUTING: Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output -> IPsec Policy: + IPSEC ENCRYPTION -> "OUTPUT is Bridged?"
  + (bridged): Bridge Decision -> BRIDGE OUTPUT -> BRIDGE SRC-NAT
  - (routed): INTERFACE QUEUE
-> OUTPUT INTERFACE

Chain Position

From                    To                      Mangle                            Firewall   Queue
Outside                 Router / Local process  Prerouting, Input                 Input      Global-in, Global-Total
Router / Local process  Outside                 Output, Postrouting               Output     Global-Out, Global-Total, Interface
Outside                 Outside                 Prerouting, Forward, Postrouting  Forward    Global-in, Global-out, Global-total, Interface

Case 1: Simple Network
As the client is masqueraded, we will use connection tracking to mangle the client's traffic.
We mark packets after connection tracking.
To limit all traffic, we will use chain prerouting.

Mangle (screenshot)

Mangle & Queue (screenshot)

Case 2: Multiple Gateway
We have 2 connections to backbones.
We can use firewall nth and policy routing to load balance the backbones.

Constraint
In the previous case, we used the interface queue for uplink and downlink.
But now we have more than 1 interface for uplink.
We can use global-in for uplink.

IP Address and Masquerade

/ip address pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   172.16.10.2/24     172.16.10.0     172.16.10.255   ether2-backbone1
 1   172.16.20.2/24     172.16.20.0     172.16.20.255   ether3-backbone2
 2   192.168.10.1/24    192.168.10.0    192.168.10.255  ether1-local

/ip firewall nat pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether2-backbone1
 1   chain=srcnat action=masquerade out-interface=ether3-backbone2

Mangle for Routing

/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-connection new-connection-mark=conn-1 passthrough=yes
     connection-state=new in-interface=ether1-local nth=2,1
 1   chain=prerouting action=mark-connection new-connection-mark=conn-2 passthrough=yes
     connection-state=new in-interface=ether1-local nth=2,2
 2   chain=prerouting action=mark-routing new-routing-mark=route1 passthrough=yes
     in-interface=ether1-local connection-mark=conn-1
 3   chain=prerouting action=mark-routing new-routing-mark=route2 passthrough=yes
     in-interface=ether1-local connection-mark=conn-2

Static Route

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.20.1 \
    routing-mark=route2
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.10.1 \
    routing-mark=route1
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.20.1

Mangle for Queue

/ip firewall mangle print
 4   chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes
     src-address=192.168.10.0/24
 5   chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no
     in-interface=ether1-local connection-mark=conn-client
 6   chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no
     connection-mark=conn-client

Queue Tree

/queue tree print
Flags: X - disabled, I - invalid
 0   name="total-download" parent=ether1-local packet-mark=packet-client1-download
     limit-at=512000 queue=default priority=8 max-limit=512000 burst-limit=0
     burst-threshold=0 burst-time=0s
 1   name="total-upload" parent=global-in packet-mark=packet-client1-upload
     limit-at=256000 queue=default priority=8 max-limit=256000 burst-limit=0
     burst-threshold=0 burst-time=0s


Case 3: Using Web Proxy
We will use a transparent proxy for web traffic (tcp 80), using dst-nat action redirect.

Constraint
The previous configuration:
Will not load balance uplink traffic from the proxy
Will not limit downlink traffic from the proxy to the client

Queue with SRC-NAT & Internal Proxy (diagram)
ROUTER: SRC-NAT, WEB-PROXY (LOCAL PROCESS)
Traffic Client - Internet: client -> SRC-NAT -> INTERNET

Queue with SRC-NAT & Internal Proxy (diagram with numbered flows 1-6)
Direct Upstream: client -> SRC-NAT -> INTERNET
Direct Downstream: INTERNET -> SRC-NAT -> client
Upstream to proxy: client -> WEB-PROXY (LOCAL PROCESS)
Downstream from proxy: WEB-PROXY (LOCAL PROCESS) -> client
Proxy traffic: WEB-PROXY (LOCAL PROCESS) <-> SRC-NAT <-> INTERNET

How to do
Load balance uplink traffic from proxy: make new rules in mangle chain output, to do nth (mark-connection and mark-packet).
Limit downlink traffic from proxy to client: make a new packet-mark on chain output.

New Mangle for routing

/ip firewall mangle print
 8   chain=output action=mark-connection new-connection-mark=conn-proxy-1 passthrough=yes
     connection-state=new nth=2,1
 9   chain=output action=mark-connection new-connection-mark=conn-proxy-2 passthrough=yes
     connection-state=new nth=2,2
 10  chain=output action=mark-routing new-routing-mark=route1 passthrough=yes
     connection-mark=conn-proxy-1
 11  chain=output action=mark-routing new-routing-mark=route2 passthrough=yes
     connection-mark=conn-proxy-2
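To make the nth / mark-connection / mark-routing behaviour of Case 2 (prerouting rules 0-3, LAN clients) and Case 3 (output rules 8-11, web proxy) concrete, here is an added Python model of a mangle chain run on constructed packets; it is not RouterOS code and not part of the slides. The Rule and Mangle classes, the per-rule nth counter (nth=every,nr matches when the counter reaches nr and then wraps), passthrough=no stopping the walk, and the connection mark being stored per connection and seen by every later packet of that flow are all assumptions of this model.

```python
# Added example, not from the slides: a toy model of how RouterOS walks a mangle
# chain, used to trace the slides' nth / connection-mark / routing-mark rules.
from dataclasses import dataclass, field

@dataclass
class Rule:
    chain: str
    action: str                 # "mark-connection" or "mark-routing"
    mark: str
    match: dict = field(default_factory=dict)  # keys: new, in_iface, conn_mark
    nth: tuple = None           # (every, nr), as in nth=2,1
    passthrough: bool = True
    counter: int = 0            # per-rule nth counter (assumed semantics)

class Mangle:
    def __init__(self, rules):
        self.rules, self.conn_marks = rules, {}  # conn_marks: connection tracking

    def matches(self, rule, pkt):
        pkt = {**pkt, "conn_mark": self.conn_marks.get(pkt["conn"])}
        if rule.chain != pkt["chain"] or any(pkt.get(k) != v for k, v in rule.match.items()):
            return False
        if rule.nth:            # counter advances only when all other matchers hit
            rule.counter = rule.counter % rule.nth[0] + 1
            return rule.counter == rule.nth[1]
        return True

    def process(self, pkt):
        # Walk one packet through the chain; returns (connection-mark, routing-mark)
        routing = None
        for rule in self.rules:
            if self.matches(rule, pkt):
                if rule.action == "mark-connection":
                    self.conn_marks[pkt["conn"]] = rule.mark  # persists for the flow
                else:
                    routing = rule.mark
                if not rule.passthrough:
                    break
        return self.conn_marks.get(pkt["conn"]), routing

def slide_rules():
    """Mangle rules 0-3 (LAN clients, Case 2) and 8-11 (web proxy, Case 3)."""
    lan = {"in_iface": "ether1-local"}
    return Mangle([
        Rule("prerouting", "mark-connection", "conn-1", {**lan, "new": True}, (2, 1)),
        Rule("prerouting", "mark-connection", "conn-2", {**lan, "new": True}, (2, 2)),
        Rule("prerouting", "mark-routing", "route1", {**lan, "conn_mark": "conn-1"}),
        Rule("prerouting", "mark-routing", "route2", {**lan, "conn_mark": "conn-2"}),
        Rule("output", "mark-connection", "conn-proxy-1", {"new": True}, (2, 1)),
        Rule("output", "mark-connection", "conn-proxy-2", {"new": True}, (2, 2)),
        Rule("output", "mark-routing", "route1", {"conn_mark": "conn-proxy-1"}),
        Rule("output", "mark-routing", "route2", {"conn_mark": "conn-proxy-2"})])
```

Feeding it new LAN connections shows them alternating between conn-1/route1 and conn-2/route2, while reply packets arriving from a backbone interface keep the connection mark but get no routing mark because rules 2 and 3 require in-interface=ether1-local.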

Mangle for Queue

 4   chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes
     src-address=192.168.10.0/24
 5   chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no
     in-interface=ether1-local connection-mark=conn-client
 6   chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no
     connection-mark=conn-client
 7   chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no
     out-interface=ether1-local connection-mark=conn-client

Mangle Configuration (screenshot)

Case 4: Max Speed for Hit Traffic
We want to give maximum speed to clients when they access data cached on the proxy (hit traffic).

How to
We can differentiate hit and miss traffic using the TOS / DSCP parameter.
On the proxy, we set Cache Hit DSCP (Differentiated Services Code Point) / ToS (Type of Service) = 4.
We make a new mangle rule and a new queue tree entry to manage hit traffic.

Mangle for Queue

 4   chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes
     src-address=192.168.10.0/24
 5   chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no
     in-interface=ether1-local connection-mark=conn-client
 6   chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no
     connection-mark=conn-client
 7   chain=output action=mark-packet new-packet-mark=packet-client1-hit-download passthrough=no
     out-interface=ether1-local connection-mark=conn-client dscp=4
 8   chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no
     out-interface=ether1-local connection-mark=conn-client

Queue Tree

 0   name="total-download" parent=ether1-local packet-mark=packet-client1-download
     limit-at=512000 queue=default priority=8 max-limit=512000 burst-limit=0
     burst-threshold=0 burst-time=0s
 1   name="total-upload" parent=global-in packet-mark=packet-client1-upload
     limit-at=256000 queue=default priority=8 max-limit=256000 burst-limit=0
     burst-threshold=0 burst-time=0s
 2   name="total-download-hit" parent=ether1-local packet-mark=packet-client1-hit-download
     limit-at=1000000 queue=default priority=8 max-limit=1000000 burst-limit=0
     burst-threshold=0 burst-time=0s


Thank You! info@mikrotik.co.id