MUM Bali 2008 Valens Riyadi PDF


MUM 2008 Workshop

IP Flow
Routing, Mangle and QoS

Valens Riyadi & Novan Chris


Citraweb Nusa Infomedia
(Mikrotik Certified Training Partner)
Introduction
- Name: Valens Riyadi
- Country: Indonesia
- Graduated as Architect, 1998
- Work at Citraweb (Citranet): ISP, Web Developer, Mikrotik Reseller
- Photographer, administrator of www.fotografer.net
- Head of Security Dept, Indonesian ISP Association
- Volunteer for Airputih Foundation, IT Emergency Task Force
- Steering Committee for ID-SIRTII (Indonesia Security Incident Response Team on Information Infrastructure)
- Mikrotik Certified Consultant & Trainer

00-2 Mikrotik Indonesia http://www.mikrotik.co.id 6/16/2008


My Company
- Citraweb Nusa Infomedia
  - Web Developer (since 2000)
  - Small ISP (since 2001)
  - Mikrotik Reseller (since 2002)
  - Mikrotik Certified Training Partner (2005)
- Located in Yogyakarta, Indonesia
- Using RouterOS since 2.3.15



Yogyakarta City
- 3.4 million population
- Tourism city
- Student city: almost 50% of the population are students from other cities.
- Finally, cyber café city



Overview
- IP Flow
- Mangle
  - Mark connection, mark packet, mark route
- Multiple Gateways with NAT Network
- QoS -> Queue Tree
- We will NOT discuss:
  - Simple Queue, Queue Type
  - Load balance



IP Flow
- A diagram that shows how each packet is processed from the input interface (or a local process) to the output interface (or a local process).
- For each traffic flow, we should know its source and destination.



Source and Destination
- Source
  - Input Interface
  - Local Process
- Destination
  - Local Process
  - Output Interface



IP Flow (simple diagram)

Input Interface -> PREROUTING -> routing decision -> INPUT -> Local Process -> OUTPUT -> routing decision -> POSTROUTING -> Output Interface
                                 routing decision -> FORWARD -> POSTROUTING -> Output Interface

Facilities in each chain, in the order they are applied:
PREROUTING:  Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue
INPUT:       Mangle, Filter
FORWARD:     Mangle, Filter, Accounting
OUTPUT:      Conn-Tracking, Mangle, Filter
POSTROUTING: Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output



IP Flow (full diagram, with bridge and IPsec)

[Diagram; only the stage names survive in the extracted text.] Input Interface -> Broute? -> Bridge decision / PREROUTING (Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue) -> IPsec decryption (IPsec policy) -> "Input is bridged?" -> Bridge INPUT or routing decision -> INPUT / FORWARD (Bridge FORWARD: Mangle, Filter, Accounting) -> Local Process In / Local Process Out -> OUTPUT (Conn-Tracking, Mangle, Filter) -> "Output is bridged?" -> Bridge OUTPUT -> IPsec encryption (IPsec policy) -> POSTROUTING (Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output) -> Bridge POSTROUTING (SRC-NAT) -> Interface Queue -> Output Interface



Chain Position

From                  To                    Mangle                            Firewall   Queue
Outside               Router/Local process  Prerouting, Input                 Input      Global-in, Global-Total
Router/Local process  Outside               Output, Postrouting               Output     Global-Out, Global-Total, Interface
Outside               Outside               Prerouting, Forward, Postrouting  Forward    Global-in, Global-out, Global-total, Interface



Case 1: Simple Network
- As the client is masqueraded, we will use connection tracking to mangle the client's traffic.
- We mark packets after connection tracking.
- To limit all traffic, we will use chain prerouting.



mangle



Mangle & Queue



Case 2: Multiple Gateway
- We have 2 links to backbones.
- We can use firewall nth and policy routing to load balance across the backbones.



Constraint
- In the previous case, we used an interface queue for uplink and downlink. But now we have more than 1 interface for uplink.
- We can use global-in for the uplink.



IP Address and Masquerade
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   172.16.10.2/24     172.16.10.0     172.16.10.255   ether2-backbone1
 1   172.16.20.2/24     172.16.20.0     172.16.20.255   ether3-backbone2
 2   192.168.10.1/24    192.168.10.0    192.168.10.255  ether1-local

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether2-backbone1
 1   chain=srcnat action=masquerade out-interface=ether3-backbone2



Mangle for Routing
/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-connection new-connection-mark=conn-1 passthrough=yes connection-state=new in-interface=ether1-local nth=2,1
 1   chain=prerouting action=mark-connection new-connection-mark=conn-2 passthrough=yes connection-state=new in-interface=ether1-local nth=2,2
 2   chain=prerouting action=mark-routing new-routing-mark=route1 passthrough=yes in-interface=ether1-local connection-mark=conn-1
 3   chain=prerouting action=mark-routing new-routing-mark=route2 passthrough=yes in-interface=ether1-local connection-mark=conn-2



Static Route
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.20.1 \
    routing-mark=route2
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.10.1 \
    routing-mark=route1
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.20.1



Mangle for Queue
/ip firewall mangle print
 4   chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes src-address=192.168.10.0/24
 5   chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client
 6   chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client



Queue Tree
/queue tree print
Flags: X - disabled, I - invalid
 0   name="total-download" parent=ether1-local packet-mark=packet-client1-download limit-at=512000 queue=default priority=8 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s
 1   name="total-upload" parent=global-in packet-mark=packet-client1-upload limit-at=256000 queue=default priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s



Case 3: Using Web Proxy
- We will use a transparent proxy for web traffic (tcp 80) using dst-nat: redirect



Constraint
- The previous configuration:
  - Will not load balance uplink traffic from the proxy
  - Will not limit downlink connections from the proxy to the client



Queue with SRC-NAT & Internal Proxy

[Diagram: ROUTER with SRC-NAT and WEB-PROXY as a LOCAL PROCESS; traffic Client - Internet; INTERNET on the far side.]



Queue with SRC-NAT & Internal Proxy

[Diagram: ROUTER with SRC-NAT and WEB-PROXY as a LOCAL PROCESS, flows numbered: 1 Direct Upstream, 2 Direct Downstream, 3 Upstream to proxy, 4 Downstream from proxy, 5 and 6 on the proxy side (unlabelled).]



How to do it
- Load balance uplink traffic from the proxy:
  - Make new rules in mangle chain output to do nth (mark-connection and mark-packet)
- Limit downlink traffic from the proxy to the client:
  - Make a new packet-mark in chain output



New Mangle for routing
/ip firewall mangle print
 8   chain=output action=mark-connection new-connection-mark=conn-proxy-1 passthrough=yes connection-state=new nth=2,1
 9   chain=output action=mark-connection new-connection-mark=conn-proxy-2 passthrough=yes connection-state=new nth=2,2
 10  chain=output action=mark-routing new-routing-mark=route1 passthrough=yes connection-mark=conn-proxy-1
 11  chain=output action=mark-routing new-routing-mark=route2 passthrough=yes connection-mark=conn-proxy-2



Mangle for Queue
 4   chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes src-address=192.168.10.0/24
 5   chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client
 6   chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client
 7   chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no out-interface=ether1-local connection-mark=conn-client



Mangle Configuration



Case 4: Max Speed for Hit Traffic
- We want to give max speed to clients when they access cached data on the proxy (hit traffic)



How to
- We can differentiate hit and miss traffic using the TOS / DSCP parameter.
- On the proxy, we set Cache Hit DSCP (Differentiated Services Code Point) / ToS (Type of Service) = 4
- We make a new mangle rule and a new queue tree entry to manage hit traffic



Mangle for Queue
 4   chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes src-address=192.168.10.0/24
 5   chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client
 6   chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client
 7   chain=output action=mark-packet new-packet-mark=packet-client1-hit-download passthrough=no out-interface=ether1-local connection-mark=conn-client dscp=4
 8   chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no out-interface=ether1-local connection-mark=conn-client



Queue Tree
 0   name="total-download" parent=ether1-local packet-mark=packet-client1-download limit-at=512000 queue=default priority=8 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s
 1   name="total-upload" parent=global-in packet-mark=packet-client1-upload limit-at=256000 queue=default priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s
 2   name="total-download-hit" parent=ether1-local packet-mark=packet-client1-hit-download limit-at=1000000 queue=default priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0 burst-time=0s
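As an added example (not part of the deck), the following Python model walks a packet through the mangle chains given in the Chain Position table using the Case 4 rules. It shows that a proxy reply to a client is seen only by the chain=output rules (the constraint of Case 3) and that dscp=4 selects the hit mark (Case 4). CHAINS, RULES, mangle(), the conn-id dictionary and the toy /24 match are assumptions of this model, not RouterOS APIs.

```python
# Added example, not from the slides: a toy model of RouterOS mangle evaluation built on
# the deck's Chain Position table, showing why proxy-to-client traffic is reachable only
# from chain=output (Cases 3 and 4). Assumed: conntrack is a dict conn-id -> connection-mark.
CHAINS = {("outside", "local"): ["prerouting", "input"],          # Chain Position slide
          ("local", "outside"): ["output", "postrouting"],
          ("outside", "outside"): ["prerouting", "forward", "postrouting"]}
RULES = [  # (chain, matchers, action, new mark, passthrough): rules 4..8 of the Case 4 slide
    ("prerouting", {"src-net": "192.168.10."}, "mark-connection", "conn-client", True),
    ("prerouting", {"in-interface": "ether1-local", "connection-mark": "conn-client"},
     "mark-packet", "packet-client1-upload", False),
    ("prerouting", {"connection-mark": "conn-client"},
     "mark-packet", "packet-client1-download", False),
    ("output", {"out-interface": "ether1-local", "connection-mark": "conn-client", "dscp": 4},
     "mark-packet", "packet-client1-hit-download", False),
    ("output", {"out-interface": "ether1-local", "connection-mark": "conn-client"},
     "mark-packet", "packet-client1-download", False),
]
def matches(matchers, pkt, conntrack):
    for key, want in matchers.items():
        got = (conntrack.get(pkt["conn"]) if key == "connection-mark"  # mark lives in conntrack
               else pkt["src"][:len(want)] if key == "src-net"         # toy /24 match
               else pkt.get(key))
        if got != want:
            return False
    return True

def mangle(pkt, conntrack, rules=RULES):
    """Walk the chains on this packet's path; return the packet-mark it leaves with."""
    packet_mark = None
    for chain in CHAINS[(pkt["from"], pkt["to"])]:
        for rule_chain, matchers, action, mark, passthrough in rules:
            if rule_chain != chain or not matches(matchers, pkt, conntrack):
                continue
            if action == "mark-connection":
                conntrack[pkt["conn"]] = mark   # later packets of the flow inherit it
            else:
                packet_mark = mark
            if not passthrough:
                break                           # passthrough=no ends this chain
    return packet_mark

def demo():
    ct = {}  # constructed flow: client request redirected to the proxy, then proxy replies
    req = mangle({"from": "outside", "to": "local", "src": "192.168.10.5", "conn": "c1",
                  "in-interface": "ether1-local"}, ct)
    reply = {"from": "local", "to": "outside", "src": "192.168.10.1", "conn": "c1",
             "out-interface": "ether1-local"}
    unmarked = mangle(dict(reply, dscp=0), ct, rules=RULES[:3])  # prerouting rules only
    miss = mangle(dict(reply, dscp=0), ct)
    hit = mangle(dict(reply, dscp=4), ct)
    return req, unmarked, miss, hit
```

With only the prerouting rules of Case 2 the proxy reply leaves unmarked and so never enters the download queue; the two chain=output rules are what make miss and hit replies land in total-download and total-download-hit.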



Thank You!

info@mikrotik.co.id
