How to create Queue with SRC-NAT and Web-Proxy

When using a queue (bandwidth limiter), the choice of CHAIN in MANGLE largely determines whether a rule does what you intend. If SRC-NAT and the WEB-PROXY run on the same machine, it is often rather difficult to build a queue rule that catches all the traffic correctly. A detailed explanation of chain selection can be found in the MikroTik manual.

The experiments were performed on a PC running RouterOS version 2.9.28. This machine has two interfaces: one towards the gateway, named PUBLIC, and one for the local network, named LAN.

[admin@instaler] > in pr
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R public ether 0 0 1500
1 R lan wlan 0 0 1500

Here are the IP addresses used. The 192.168.0.0/24 subnet is the subnet of this machine's gateway.

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.217/24 192.168.0.0 192.168.0.255 public
1 172.21.1.1/24 172.21.1.0 172.21.1.255 lan

The transparent web-proxy feature is also enabled.

[admin@instaler] > ip web-proxy pr
enabled: yes
src-address: 0.0.0.0
port: 3128
hostname: "proxy"
transparent-proxy: yes
parent-proxy: 0.0.0.0:0
cache-administrator: "webmaster"
max-object-size: 4096KiB
cache-drive: system
max-cache-size: none
max-ram-cache-size: unlimited
status: running
reserved-for-cache: 0KiB
reserved-for-ram-cache: 154624KiB

The MASQUERADE function is active, and there is also one REDIRECT rule that diverts HTTP traffic to the WEB-PROXY.

[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=public
src-address=172.21.1.0/24 action=masquerade
1 chain=dstnat in-interface=lan src-address=172.21.1.0/24
protocol=tcp dst-port=80 action=redirect to-ports=3128
The following are the most important steps in this process: creating the mangle rules. We need two PACKET-MARKs. One is for upstream data packets, which in this example we call test-up, and the other is for downstream data packets, which we call test-down.

For upstream data packets, creating the mangle rule is quite simple. It can be done with a single rule, using only the SRC-ADDRESS and IN-INTERFACE parameters. Here we use the prerouting chain. We mark these upstream packets as test-up.

For downstream data packets, however, we need several rules. Because we use IP translation (masquerade), we first need a Connection Mark; in this example we call it test-conn.

Then we need to create two rules. The first rule is for non-HTTP data packets that come downstream directly from the internet (not through the proxy). We use the forward chain, because this data flows through the router.

The second rule is for data packets originating from the WEB-PROXY. We use the output chain, because this data flows from an application on the router itself to a machine outside the router.

In both of these rules, the downstream data packets are marked test-down.

Do not forget: the passthrough parameter is enabled only on the connection-mark rule.

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; UP TRAFFIC
chain=prerouting in-interface=lan
src-address=172.21.1.0/24 action=mark-packet
new-packet-mark=test-up passthrough=no

1 ;;; CONN-MARK
chain=forward src-address=172.21.1.0/24
action=mark-connection
new-connection-mark=test-conn passthrough=yes

2 ;;; DOWN-DIRECT CONNECTION
chain=forward in-interface=public
connection-mark=test-conn action=mark-packet
new-packet-mark=test-down passthrough=no

3 ;;; DOWN-VIA PROXY
chain=output out-interface=lan
dst-address=172.21.1.0/24 action=mark-packet
new-packet-mark=test-down passthrough=no

For the last stage, we just configure the queue. Here we use queue trees: one rule for downstream data and one for upstream. What matters here is the selection of the parent. For downstream we use parent lan, matching the interface that leads to the local network, and for upstream we use parent global-in.

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
0 name="downstream" parent=lan packet-mark=test-down
limit-at=32000 queue=default priority=8
max-limit=32000 burst-limit=0
burst-threshold=0 burst-time=0s

1 name="upstream" parent=global-in
packet-mark=test-up limit-at=32000
queue=default priority=8
max-limit=32000 burst-limit=0
burst-threshold=0 burst-time=0s
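
As an added example (not part of the original article, and not from mikrotik.co.id), here is the complete set of RouterOS 2.9 CLI commands that produces the NAT, mangle and queue-tree configuration printed above, so the whole setup can be pasted into a terminal or a script instead of being read off the print output. The interface names (public, lan), the 172.21.1.0/24 subnet, the 32000 limits and the mark names test-up, test-conn and test-down are the article's own; the final input-filter rule is my addition, motivated by the proxy listening on src-address 0.0.0.0.

```routeros
# RouterOS 2.9 CLI, matching the article's interfaces (public, lan),
# subnet 172.21.1.0/24 and mark names test-up / test-conn / test-down.

# NAT: masquerade the LAN and redirect LAN HTTP into the transparent proxy
/ip firewall nat
add chain=srcnat out-interface=public src-address=172.21.1.0/24 action=masquerade
add chain=dstnat in-interface=lan src-address=172.21.1.0/24 protocol=tcp dst-port=80 action=redirect to-ports=3128

# Mangle: one packet mark for upstream (prerouting, so it also catches
# HTTP that is redirected to the proxy), one connection mark, and two
# packet marks for downstream (direct via forward, proxy replies via output)
/ip firewall mangle
add chain=prerouting in-interface=lan src-address=172.21.1.0/24 action=mark-packet new-packet-mark=test-up passthrough=no comment="UP TRAFFIC"
add chain=forward src-address=172.21.1.0/24 action=mark-connection new-connection-mark=test-conn passthrough=yes comment="CONN-MARK"
add chain=forward in-interface=public connection-mark=test-conn action=mark-packet new-packet-mark=test-down passthrough=no comment="DOWN-DIRECT CONNECTION"
add chain=output out-interface=lan dst-address=172.21.1.0/24 action=mark-packet new-packet-mark=test-down passthrough=no comment="DOWN-VIA PROXY"

# Queue tree: downstream hangs off the LAN interface, upstream off global-in
/queue tree
add name="downstream" parent=lan packet-mark=test-down limit-at=32000 max-limit=32000 queue=default priority=8
add name="upstream" parent=global-in packet-mark=test-up limit-at=32000 max-limit=32000 queue=default priority=8

# Added hardening, not in the article: the proxy is bound to 0.0.0.0, so
# drop connections to port 3128 that arrive on the PUBLIC interface
/ip firewall filter
add chain=input in-interface=public protocol=tcp dst-port=3128 action=drop
```

After applying this, generate some LAN traffic (an HTTP download and a non-HTTP download) and check that the byte counters of both the "DOWN-DIRECT CONNECTION" and "DOWN-VIA PROXY" mangle rules increase, and that both queue tree entries show traffic; if only one of the downstream rules counts, the traffic is not taking the chain you expected. The drop rule matters because with the transparent proxy listening on every address, only the dstnat rule's in-interface=lan and src-address match otherwise keep outside hosts from using the router as an open proxy.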

As another variation for bandwidth management, it is also possible to use the PCQ queue type, which automatically divides the traffic per client.

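As an added example of that PCQ variation (my addition, not from the article), the following RouterOS 2.9 commands define two PCQ queue types, one keyed on the destination address for downstream and one on the source address for upstream, and switch the article's existing "downstream" and "upstream" queue tree entries over to them. The queue-type names pcq-down and pcq-up are constructed; the entries they are attached to are assumed to exist as printed above.

```routeros
# Added example: share each direction fairly between LAN clients with PCQ.
# Assumes the queue tree entries "downstream" and "upstream" from the
# article already exist. Queue-type names are constructed.
/queue type
add name="pcq-down" kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name="pcq-up" kind=pcq pcq-rate=0 pcq-classifier=src-address

# Replace queue=default on the existing entries; the tree's max-limit
# (32000 in the article) is now split equally between active clients
/queue tree
set [find name="downstream"] queue=pcq-down
set [find name="upstream"] queue=pcq-up
```

With pcq-rate=0 no client gets a fixed ceiling; the entry's max-limit is shared equally among the clients that are active at that moment. Set pcq-rate to a non-zero value if each client should additionally be capped, and raise the tree's max-limit to the real link speed so PCQ has something worth dividing.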

Source : mikrotik.co.id
