In this article, we assume that:
1. The MikroTik router does masquerading (src-nat) for the clients, and the clients use private IP addresses.
2. Only one gateway is used, for both international traffic and IIX traffic.
3. You may run with or without the internal web-proxy. If you use the web-proxy, a few additional rules are needed; note the NAT and MANGLE sections in the examples below.
If any of these parameters differ from the conditions in the field, the configuration in this article must be adapted to your own network.
Basic Settings
Here is the network diagram and the IP address assumptions used in this example.
To simplify the example, we rename each interface according to its role.
[admin@Mikrotik] > /interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME           TYPE    RX-RATE   TX-RATE   MTU
 0  R ether-public   ether   0         0         1500
 1  R ether-local    ether   0         0         1500
For the clients we use the IP block 192.168.0.0/24, with 192.168.0.1 configured on the router's ether-local interface as the gateway. Clients can use addresses 192.168.0.2 through 192.168.0.254 with subnet mask 255.255.255.0.
[admin@Mikrotik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS           NETWORK       BROADCAST       INTERFACE
 0   202.0.0.1/24      202.0.0.0     202.0.0.255     ether-public
 1   192.168.0.1/24    192.168.0.0   192.168.0.255   ether-local
Do not forget to set the DNS servers on the router and enable the "allow remote requests" option so that clients can use the router as their resolver. That option applies to every interface, so the router would also answer DNS queries from the Internet side; add a filter rule that drops DNS arriving on the public interface (chain=input in-interface=ether-public protocol=udp dst-port=53 action=drop, and the same for protocol=tcp), placed before any rule that accepts input on that interface, or the router becomes an open resolver.
Because the clients use private IP addresses, we must configure src-nat as in the following example.
[admin@Mikrotik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=ether-public action=masquerade
If you use the transparent web-proxy, you also need a NAT redirect rule, as in the example below (rule 1).
[admin@Mikrotik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=ether-public action=masquerade
 1   chain=dstnat in-interface=ether-local protocol=tcp dst-port=80 action=redirect to-ports=8080
Do not forget to enable the web-proxy and set its listening port to match the redirect port in the example above (8080). The redirect rule only matches on ether-local, but the proxy itself listens on all interfaces, so also drop TCP port 8080 arriving on ether-public in the input chain; otherwise anyone on the Internet can use your router as an open proxy.
CHECK: Make sure the configuration works so far. Ping a host outside your network, both from the router and from a client.
Setting IP Address List
Since RouterOS version 2.9, MikroTik has had a feature called IP Address List. It groups IP addresses under a name of your choosing, and that named list can then be used as a match parameter in mangle, firewall filter, NAT, or queue rules.
Mikrotik Indonesia provides a list of the IP addresses advertised in OpenIXP and IIX, which can be downloaded freely from: http://www.mikrotik.co.id/getfile.php?nf=nice.rsc
The nice.rsc file is generated automatically on the Mikrotik Indonesia server every morning at around 05.30, and the data has been optimized to remove duplicate entries and overlapping subnets. At the time of writing the script is around 430 lines long.
Example contents of nice.rsc:
# Script created by: Valens Riyadi@www.mikrotik.co.id
# Generated at 26 April 2007 05:30:02 WIB ... 431 lines
/ip firewall address-list
add list=nice address="1.2.3.4"
rem [find list=nice]
add list=nice address="125.162.0.0/16"
add list=nice address="125.163.0.0/16"
add list=nice address="152.118.0.0/16"
add list=nice address="125.160.0.0/16"
add list=nice address="125.161.0.0/16"
add list=nice address="125.164.0.0/16"
...
Save the file on your computer as nice.rsc and upload it to the router via FTP. The example below downloads it from a Linux console.
bagoes@jasmine:~$ wget http://www.mikrotik.co.id/getfile.php?nf=nice.rsc
--2009-07-31 10:33:56--  http://www.mikrotik.co.id/getfile.php?nf=nice.rsc
Resolving www.mikrotik.co.id... 202.65.113.16
Connecting to www.mikrotik.co.id|202.65.113.16|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://ixp.mikrotik.co.id/download/nice.rsc [following]
--2009-07-31 10:33:56--  http://ixp.mikrotik.co.id/download/nice.rsc
Resolving ixp.mikrotik.co.id... 202.65.113.115
Connecting to ixp.mikrotik.co.id|202.65.113.115|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28718 (28K) [text/plain]
Saving to: `nice.rsc.1'

100%[======================================>] 28,718      --.-K/s   in 0.01s

2009-07-31 10:33:56 (2.46 MB/s) - `nice.rsc.1' saved [28718/28718]
Once the file is uploaded, import it on the router.
[admin@Mikrotik] > import nice.rsc
Opening script file nice.rsc
Script file loaded and executed successfully
Make sure the import succeeded by checking the Address List under the IP > Firewall menu (or with /ip firewall address-list print, which should show a few hundred entries in the "nice" list).
The download and upload can also be automated if you know some scripting. For example, write a shell script on Linux that downloads the file and uploads it to the router every day at 06.00, and then create a scheduler entry on the router that imports the file. Keep in mind what this automates: the file is fetched over plain HTTP from a third party and "import" executes every command in it with your admin rights, so check the file before it goes to the router.
If you use RouterOS version 3.x, the update can also be done entirely on the router. Details can be found in a separate article.
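The automated download and upload described in the two paragraphs above need one check that the article does not show: that the nice.rsc you fetched really contains only address-list commands before you let "import" execute it. The script below is an added example, not part of the original article or of the nice.rsc distribution; it accepts only the three command shapes that appear in the sample nice.rsc above and rejects anything else. The list name, file names and the two sample files it builds are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article or from nice.rsc itself.
# The article fetches nice.rsc over plain HTTP and then runs "import", which
# executes every command in the file with the rights of the admin user.
# This script checks a downloaded copy before it is uploaded: only the
# command shapes that nice.rsc actually uses are accepted, so a tampered
# file (for example one that adds a router user) is rejected, not imported.
# The list name, file names and the sample files below are assumptions.

LIST_NAME=nice

# validate_rsc FILE
# Returns 0 when every non-blank, non-comment line is one of:
#   /ip firewall address-list
#   rem [find list=nice]
#   add list=nice address="A.B.C.D"  or  address="A.B.C.D/N"
# Returns 1 (and prints the first offending lines) otherwise.
validate_rsc() {
    file="$1"
    # Drop blank and comment lines, then drop every line that has an allowed
    # shape; whatever survives is unexpected and fails the check.
    leftover=$(grep -Ev '^[[:space:]]*(#.*)?$' "$file" \
        | grep -Ev '^/ip firewall address-list$' \
        | grep -Ev "^rem \[find list=${LIST_NAME}\]\$" \
        | grep -Ev "^add list=${LIST_NAME} address=\"[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?\"\$" \
        | head -n 5)
    if [ -n "$leftover" ]; then
        printf 'REJECT %s, unexpected line(s):\n%s\n' "$file" "$leftover" >&2
        return 1
    fi
    return 0
}

# count_entries FILE -> number of "add" lines; a sanity check against an
# empty or truncated download (the article says the real file has ~430).
count_entries() {
    grep -c "^add list=${LIST_NAME} address=" "$1"
}

# --- constructed sample input, standing in for the real download ---
GOOD_FILE=$(mktemp)
cat > "$GOOD_FILE" <<'EOF'
# Script created by: Valens Riyadi@www.mikrotik.co.id
# Generated at 26 April 2007 05:30:02 WIB ... 431 lines
/ip firewall address-list
add list=nice address="1.2.3.4"
rem [find list=nice]
add list=nice address="125.162.0.0/16"
add list=nice address="125.163.0.0/16"
add list=nice address="152.118.0.0/16"
EOF

# The same file with one injected line, as a tampered download might look.
BAD_FILE=$(mktemp)
cp "$GOOD_FILE" "$BAD_FILE"
echo '/user add name=support password=secret group=full' >> "$BAD_FILE"

if validate_rsc "$GOOD_FILE"; then
    echo "good file accepted, $(count_entries "$GOOD_FILE") entries"
fi
if validate_rsc "$BAD_FILE"; then
    echo "bad file accepted (this should not happen)"
else
    echo "bad file rejected"
fi
```

Run validate_rsc (and a minimum-entry check with count_entries) in the cron job between the wget and the FTP upload, and only upload when it passes. The check is deliberately strict to the file format shown above; if the format changes (for example unquoted addresses), extend the allowed patterns rather than dropping the check. On the router side a single scheduler entry (/system scheduler, daily at a time after the upload, on-event running the same import command the article runs by hand) then loads the verified file.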
Setting Mangle
The next step is the mangle rules. We need one connection mark and two packet marks, one for IIX (local) traffic and one for international traffic.
[admin@Mikrotik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting in-interface=ether-local dst-address-list=nice action=mark-connection new-connection-mark=conn-IIX passthrough=yes
 1   chain=prerouting connection-mark=conn-IIX action=mark-packet new-packet-mark=packet-IIX passthrough=no
 2   chain=prerouting action=mark-packet new-packet-mark=packet-intl passthrough=no
In rule 0, make sure you choose the interface facing the clients. Rule 0 uses passthrough=yes so the same packet continues to rule 1 and receives its packet mark; the two packet-mark rules use passthrough=no so that a packet already marked packet-IIX in rule 1 does not fall through to rule 2 and get relabeled packet-intl. All three rules are in the prerouting chain. Because the connection is marked once, on the client's first packet, the replies coming back from the IIX host on ether-public are matched by rule 1 as well.
If you use the internal web-proxy with traffic redirected to it, add 2 more rules as in the example below (rules 2 and 4). The HTTP replies a client receives from the proxy are generated by the router itself, so they pass through the output chain rather than prerouting; without the output-chain rules, proxied web traffic would carry no packet mark and would escape the queues.
[admin@Mikrotik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting in-interface=ether-local dst-address-list=nice action=mark-connection new-connection-mark=conn-IIX passthrough=yes
 1   chain=prerouting connection-mark=conn-IIX action=mark-packet new-packet-mark=packet-IIX passthrough=no
 2   chain=output connection-mark=conn-IIX action=mark-packet new-packet-mark=packet-IIX passthrough=no
 3   chain=prerouting action=mark-packet new-packet-mark=packet-intl passthrough=no
 4   chain=output action=mark-packet new-packet-mark=packet-intl passthrough=no
Simple queue settings
For each client we need 2 simple queue rules. In the example below we limit the client 192.168.0.2/32 to 64k/256k (upload/download) for IIX traffic and 32k/128k (upload/download) for international traffic.
[admin@Mikrotik] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
 0   name="client02-IIX" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=packet-IIX direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=64000/256000 total-queue=default-small
 1   name="client02-In" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=packet-intl direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=32000/128000 total-queue=default-small
End checks
When done, verify by accessing both local (IIX) and international sites from the client, and watch the counters on the mangle rules and the simple queues (/ip firewall mangle print stats and /queue simple print stats). The bytes should land on the IIX mark and queue for local sites and on the intl mark and queue for everything else; if one counter never moves, check the interface name in mangle rule 0 and that the "nice" list was actually imported.
You can also use the pcq queue type so that the available bandwidth is shared evenly among clients.
reference: http://ojiex.blogspot.com/2009/02/tutorial-mikrotik-simple-queue-memisah.html