Post on 12-Jul-2019
transcript
MUM 2008 Workshop
IP FlowRouting, Mangle and QoS
Valens Riyadi & Novan Chris, Citraweb Nusa Infomedia
(Mikrotik Certified Training Partner)
6/16/2008 Mikrotik Indonesia http://www.mikrotik.co.id
Introduction
• Name: Valens Riyadi
• Country: Indonesia
• Graduated as Architect 1998
• Work at Citraweb (Citranet)
   • ISP, Web Developer, Mikrotik Reseller
• Photographer
   • Administrator of www.fotografer.net
• Head of Security Dept, Indonesian ISP Association
• Volunteer for Airputih Foundation, IT Emergency Task Force
• Steering Committee for ID-SIRTII (Indonesia Security Incident Response Team on Information Infrastructure)
• Mikrotik Certified Consultant & Trainer
My Company
• Citraweb Nusa Infomedia
• Web Developer (since 2000)
• Small ISP (since 2001)
• Mikrotik Reseller (since 2002)
• Mikrotik Certified Training Partner (2005)
• Located at: Yogyakarta, Indonesia
• Using RouterOS since 2.3.15
Yogyakarta City
• 3.4 million population
• Tourism City
• Student City
   • Almost 50% of the population are students from other cities.
• Finally ... Cyber café City
Overview
• IP Flow
• Mangle
   • Mark connection, mark packet, mark route
• Multiple Gateways with NAT Network
• QoS -> Queue Tree
• We will NOT discuss:
   • Simple Queue, Queue Type
   • Load balance
IP Flow
• A diagram that shows how each packet is processed from the input interface (or local process) to the output interface (or local process).
• For each traffic flow, we should know its source and destination.
Source and Destination
• Source
   • Input Interface
   • Local Process
• Destination
   • Local Process
   • Output Interface
IP Flow (simple diagram)
[Diagram: INPUT INTERFACE -> PREROUTING -> routing decision -> INPUT -> LOCAL PROCESS -> OUTPUT -> POSTROUTING -> OUTPUT INTERFACE; forwarded traffic goes PREROUTING -> routing decision -> FORWARD -> POSTROUTING -> OUTPUT INTERFACE]
Facilities in each chain, in order:
PREROUTING: Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue
INPUT: Mangle, Filter
FORWARD: Mangle, Filter, Accounting
OUTPUT: Conn-Tracking, Mangle, Filter
POSTROUTING: Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output
IP Flow
[Diagram: full packet flow. A packet from the INPUT INTERFACE passes the "INPUT is Bridged?" and "Broute?" decisions; bridged traffic goes through the Bridge Decision and the bridge chains (BRIDGE DST-NAT, BRIDGE INPUT, BRIDGE FORWARD, BRIDGE OUTPUT, BRIDGE SRC-NAT); routed traffic goes through IPSEC DECRYPTION and the IPsec Policy check, PREROUTING, the Routing Decision, then either INPUT -> LOCAL PROCESS-IN / LOCAL PROCESS-OUT -> OUTPUT or FORWARD, then POSTROUTING, the IPsec Policy check and IPSEC ENCRYPTION, the "OUTPUT is Bridged?" decision, the INTERFACE QUEUE and the OUTPUT INTERFACE. Each chain contains the same facilities as in the simple diagram: PREROUTING (Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue), INPUT (Mangle, Filter), FORWARD (Mangle, Filter, Accounting), OUTPUT (Conn-Tracking, Mangle, Filter), POSTROUTING (Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output).]
Chain Position
From                    To                      Mangle                            Firewall   Queue
Outside                 Outside                 Prerouting, Forward, Postrouting  Forward    Global-in, Global-out, Global-total, Interface
Outside                 Router / Local process  Prerouting, Input                 Input      Global-in, Global-total
Router / Local process  Outside                 Output, Postrouting               Output     Global-out, Global-total, Interface
Case 1: Simple Network
• As the client is masqueraded, we will use connection tracking to mangle the client traffic.
• We mark packets after connection tracking.
• To limit all traffic, we will use chain prerouting.
Case 2: Multiple Gateway
• We have two uplinks to the backbones.
• We can use firewall nth and policy routing to load balance the backbone links.
Constraint
• In the previous case we used an interface queue for uplink and downlink. Now we have more than one uplink interface.
• We can use global-in for the uplink.
IP Address and Masquerade
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST        INTERFACE
 0   172.16.10.2/24     172.16.10.0     172.16.10.255    ether2-backbone1
 1   172.16.20.2/24     172.16.20.0     172.16.20.255    ether3-backbone2
 2   192.168.10.1/24    192.168.10.0    192.168.10.255   ether1-local

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether2-backbone1
 1   chain=srcnat action=masquerade out-interface=ether3-backbone2
Mangle for Routing
/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-connection new-connection-mark=conn-1 passthrough=yes connection-state=new in-interface=ether1-local nth=2,1
1 chain=prerouting action=mark-connection new-connection-mark=conn-2 passthrough=yes connection-state=new in-interface=ether1-local nth=2,2
2 chain=prerouting action=mark-routing new-routing-mark=route1 passthrough=yes in-interface=ether1-local connection-mark=conn-1
3 chain=prerouting action=mark-routing new-routing-mark=route2 passthrough=yes in-interface=ether1-local connection-mark=conn-2
Static Route
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.20.1 \
routing-mark=route2
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.10.1 \
routing-mark=route1
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.20.1
Mangle for Queue
/ip firewall mangle print
4 chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes src-address=192.168.10.0/24
5 chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client
6 chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client
Queue Tree
/queue tree print
Flags: X - disabled, I - invalid
 0 name="total-download" parent=ether1-local packet-mark=packet-client1-download limit-at=512000 queue=default priority=8 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s
 1 name="total-upload" parent=global-in packet-mark=packet-client1-upload limit-at=256000 queue=default priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s
Case 3: Using Web Proxy
• We will use a transparent proxy for web traffic (tcp 80)
   • using dst-nat: redirect
Constraint
• Previous configuration:
   • Will not load balance uplink traffic from the proxy
   • Will not limit downlink traffic from the proxy to the client
Queue with SRC-NAT & Internal Proxy
[Diagram: client - ROUTER (WEB-PROXY as LOCAL PROCESS, SRC-NAT) - INTERNET; traffic Client - Internet]
Queue with SRC-NAT & Internal Proxy
[Diagram: the same topology with six numbered flows (1-6), labelled Upstream to proxy, Downstream from proxy (client - WEB-PROXY as LOCAL PROCESS), Direct Upstream, Direct Downstream (client - INTERNET via SRC-NAT), and the proxy's own traffic to and from the INTERNET via SRC-NAT]
How to do
• Load balance uplink traffic from the proxy:
   • Make new rules in mangle chain output to do nth (mark-connection and mark-routing)
• Limit downlink traffic from the proxy to the client:
   • Make a new packet-mark in chain output
New Mangle for routing
/ip firewall mangle print
 8 chain=output action=mark-connection new-connection-mark=conn-proxy-1 passthrough=yes connection-state=new nth=2,1
 9 chain=output action=mark-connection new-connection-mark=conn-proxy-2 passthrough=yes connection-state=new nth=2,2
10 chain=output action=mark-routing new-routing-mark=route1 passthrough=yes connection-mark=conn-proxy-1
11 chain=output action=mark-routing new-routing-mark=route2 passthrough=yes connection-mark=conn-proxy-2
The mark-routing rules in chain output must match the conn-proxy-1 and conn-proxy-2 marks that rules 8 and 9 set: conn-1 and conn-2 are only set in chain prerouting for traffic arriving on ether1-local, so the proxy's own connections never carry them.
Mangle for Queue
4 chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes src-address=192.168.10.0/24
5 chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client
6 chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client
7 chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no out-interface=ether1-local connection-mark=conn-client
Case 4: Max Speed for Hit Traffic
• We want to give clients maximum speed when they access data cached on the proxy (hit traffic).
How to
• We can differentiate hit and miss traffic using the TOS / DSCP parameter.
• On the proxy, we set Cache Hit DSCP (Differentiated Services Code Point) / ToS (Type of Service) = 4
• We make a new mangle rule and a new queue tree to manage hit traffic
Mangle for Queue
 4 chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes src-address=192.168.10.0/24
 5 chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client
 6 chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client
 7 chain=output action=mark-packet new-packet-mark=packet-client1-hit-download passthrough=no out-interface=ether1-local connection-mark=conn-client dscp=4
 8 chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no out-interface=ether1-local connection-mark=conn-client
Queue Tree
0 name="total-download" parent=ether1-local packet-mark=packet-client1-download limit-at=512000 queue=default priority=8 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s
1 name="total-upload" parent=global-in packet-mark=packet-client1-upload limit-at=256000 queue=default priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s
2 name="total-download-hit" parent=ether1-local packet-mark=packet-client1-hit-download limit-at=1000000 queue=default priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0 burst-time=0s
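The following Python model is an added example, not code from the workshop slides or from MikroTik: it replays the mangle rule sets of Cases 2, 3 and 4 above against single packets so their behaviour can be checked offline. It assumes RouterOS semantics as documented: rules of a chain are tried in order, a matching rule with passthrough=no ends the chain, a connection carries exactly one connection-mark (any later mark-connection replaces it), and nth=every,which keeps a per-rule counter that counts only packets that passed the rule's other matchers. The chain output mark-routing rules are keyed on conn-proxy-1/conn-proxy-2, the marks chain output actually sets. The one_mark_per_connection variant (dropping the conn-client mark and deriving the queue packet-marks from conn-1/conn-2) is an assumption of this example and does not appear on the slides.

```python
# Added example (not from the workshop slides or from MikroTik): a small model
# of RouterOS mangle chain evaluation loaded with the rule sets of Cases 2-4.
# Assumed semantics are stated in the lead-in above.
from ipaddress import ip_address, ip_network

LAN = "ether1-local"
TARGET = {"mark-connection": "mark", "mark-routing": "routing_mark",
          "mark-packet": "packet_mark"}

def rule(chain, action, new_mark, **match):
    """One mangle rule; passthrough defaults to yes as in RouterOS."""
    r = {"chain": chain, "action": action, "new_mark": new_mark,
         "passthrough": True, "nth_counter": 0}
    r.update(match)
    return r

def matches(r, pkt, conn):
    """Every matcher present on the rule must hold; nth is counted last."""
    checks = {
        "in_interface": lambda v: pkt.get("in_interface") == v,
        "out_interface": lambda v: pkt.get("out_interface") == v,
        "src_address": lambda v: ip_address(pkt["src"]) in ip_network(v),
        "connection_state": lambda v: conn["state"] == v,
        "connection_mark": lambda v: conn.get("mark") == v,
        "dscp": lambda v: pkt.get("dscp") == v,
    }
    if any(k in r and not chk(r[k]) for k, chk in checks.items()):
        return False
    if "nth" not in r:
        return True
    every, which = r["nth"]
    r["nth_counter"] = r["nth_counter"] % every + 1
    return r["nth_counter"] == which

def run_chain(rules, chain, pkt, conn):
    """Walk one chain for one packet, writing marks into pkt or conn."""
    for r in rules:
        if r["chain"] != chain or not matches(r, pkt, conn):
            continue
        holder = conn if r["action"] == "mark-connection" else pkt
        holder[TARGET[r["action"]]] = r["new_mark"]
        if not r["passthrough"]:
            break
    return pkt

def build_rules(one_mark_per_connection=False):
    """Mangle rules 0-11 of Cases 2-4 as on the slides. one_mark_per_connection=True
    is an assumed variant (not on the slides): no conn-client mark, queue packet-marks
    derived from conn-1/conn-2, so a connection keeps the routing mark it was given."""
    rules = [  # Case 2: new LAN connections alternate between the backbones
        rule("prerouting", "mark-connection", "conn-1", connection_state="new",
             in_interface=LAN, nth=(2, 1)),
        rule("prerouting", "mark-connection", "conn-2", connection_state="new",
             in_interface=LAN, nth=(2, 2)),
        rule("prerouting", "mark-routing", "route1", in_interface=LAN, connection_mark="conn-1"),
        rule("prerouting", "mark-routing", "route2", in_interface=LAN, connection_mark="conn-2"),
    ]
    if one_mark_per_connection:
        client_marks = ("conn-1", "conn-2")
    else:  # slide "Mangle for Queue": a second connection mark for the client queues
        client_marks = ("conn-client",)
        rules.append(rule("prerouting", "mark-connection", "conn-client",
                          src_address="192.168.10.0/24"))
    for cm in client_marks:
        rules += [
            rule("prerouting", "mark-packet", "packet-client1-upload",
                 passthrough=False, in_interface=LAN, connection_mark=cm),
            rule("prerouting", "mark-packet", "packet-client1-download",
                 passthrough=False, connection_mark=cm),
            # Case 4: proxy -> client replies in chain output, cache hits (DSCP 4) first
            rule("output", "mark-packet", "packet-client1-hit-download",
                 passthrough=False, out_interface=LAN, connection_mark=cm, dscp=4),
            rule("output", "mark-packet", "packet-client1-download",
                 passthrough=False, out_interface=LAN, connection_mark=cm),
        ]
    rules += [  # Case 3: connections the proxy opens itself only pass chain output
        rule("output", "mark-connection", "conn-proxy-1", connection_state="new", nth=(2, 1)),
        rule("output", "mark-connection", "conn-proxy-2", connection_state="new", nth=(2, 2)),
        rule("output", "mark-routing", "route1", connection_mark="conn-proxy-1"),
        rule("output", "mark-routing", "route2", connection_mark="conn-proxy-2"),
    ]
    return rules

def lan_connection(rules, src, packets):
    """Routing mark each packet of one LAN connection gets in chain prerouting."""
    conn, marks = {"state": "new"}, []
    for _ in range(packets):  # first packet is connection-state=new, rest established
        pkt = run_chain(rules, "prerouting", {"src": src, "in_interface": LAN}, conn)
        marks.append(pkt.get("routing_mark"))
        conn["state"] = "established"
    return marks

def proxy_upstream(rules, n):
    """Routing marks of the first packets of n connections the proxy opens itself
    (they enter no interface, so only chain output sees them)."""
    return [run_chain(rules, "output", {"src": "172.16.10.2"}, {"state": "new"})
            .get("routing_mark") for _ in range(n)]

def proxy_reply(rules, conn_mark, dscp):
    """Queue packet-mark of a proxy -> client packet on an already marked connection."""
    pkt = {"src": "192.168.10.1", "out_interface": LAN, "dscp": dscp}
    conn = {"state": "established", "mark": conn_mark}
    return run_chain(rules, "output", pkt, conn).get("packet_mark")
```

Running lan_connection(build_rules(), "192.168.10.10", 3) shows the check a practitioner wants before deploying the Case 2 rules: the first packet gets route1, but the later packets of the same connection get no routing mark, because rule 4 overwrites conn-1 with conn-client and rules 2 and 3 no longer match, so those packets are routed by the main table rather than by the backbone the connection started on. With one_mark_per_connection=True every packet of the connection keeps route1 or route2, and the queue packet-marks (including the DSCP 4 hit mark of Case 4) are still assigned. proxy_upstream shows why Case 3 needs the chain output rules: the proxy's own connections never traverse prerouting.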