Scribd Logo
Upload

Welcome to Scribd!

  • Mikrotik PBR Guide

    Uploaded by

    Ivo
    115 views10 pages
    This document provides instructions for configuring a Mikrotik router to work with a CACHEBox using policy-based routing (PBR). It describes setting up NAT, firewall mangle rules, and routes to redirect HTTP traffic to the CACHEBox for caching while preserving client source addresses. It also covers optional configurations like ToS/DSCP marking to prioritize cached content speeds.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides instructions for configuring a Mikrotik router to work with a CACHEBox using policy-based routing (PBR). It describes setting up NAT, firewall mangle rules, and routes to redirect HTTP traffic to the CACHEBox for caching while preserving client source addresses. It also covers optional configurations like ToS/DSCP marking to prioritize cached content speeds.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    115 views10 pages

    Mikrotik PBR Guide

    Uploaded by

    Ivo
    This document provides instructions for configuring a Mikrotik router to work with a CACHEBox using policy-based routing (PBR). It describes setting up NAT, firewall mangle rules, and routes to redirect HTTP traffic to the CACHEBox for caching while preserving client source addresses. It also covers optional configurations like ToS/DSCP marking to prioritize cached content speeds.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 10

    1

    Deploying CACHEBox with a Mikrotik Router in Policy Based Routing (PBR) mode

    Requirements:
    • Perform initial setup of your CACHEBox, so that it has an IP address on the eth0 interface, with the default route set to
    the Cachebox-facing interface on the Mikrotik router.
    For example:
    Mikrotik ether3: 192.168.2.1/24
    CACHEBox eth0: 192.168.2.2/24
    CACHEBox Default Route: 192.168.2.1

    Revision v1.0 – 10/08/2015


    2

    Option 1: Standard Policy Based Routing (Without Source Address Spoofing)

    1. If your Cachebox is within a private IP range, you may need to create a new NAT rule on the Mikrotik, to NAT the
    outgoing requests to the Internet, coming from the Cachebox's Private IP address.

    This can be done by navigating to the IP > Firewall > NAT tab in the Mikrotik interface and creating a NAT rule with the
    following options:

    Chain: src-nat

    Src-Address: CACHEBOX IP Address (e.g 192.168.2.2 in


    this example).

    Out-Interface: Mikrotik WAN Interface (e.g ether1 in this


    example).

    [Action Tab]

    Action: masquerade

    Save & Apply

    2. Navigate to the IP > Firewall > Mangle page and create a new Mangle rule with the following options:

    Chain: Prerouting

    Src-Address: Client subnet (e.g 172.16.1.0/24), or leave blank to


    match all HTTP traffic.

    Protocol: tcp

    Dst-Port: 80

    [Action Tab]

    Action: Mark Routing

    Routing Mark: cachebox (or a mark of your choice)

    Passthrough: Ticked/Enabled

    Save & Apply

    Revision v1.0 – 10/08/2015


    3

    3. Navigate to the IP > Routes page, and create a new route with the following options:

    Dst-Address: 0.0.0.0/0

    Gateway: CACHEBOX IP Address (e.g


    192.168.2.2 in this example)

    Check Gateway: ping (optional)

    Routing Mark: cachebox (or the mark you


    created in the previous step in the Mangle rule).

    Save & Apply

    4. On the CACHEBox web interface, navigate to Cache > Mode and set Deployment type to Gateway Interception (PBR).

    • Client HTTP traffic should now be getting re-directed to the Cachebox. This can be verified by going to the Cache
    Overview page in the Cachebox.
    • You should also see the packet counters incrementing under the Cachebox Mangle rule in the Mikrotik web interface.

    Revision v1.0 – 10/08/2015


    4

    Option 2: Policy Based Routing with Source Address Spoofing enabled.

    If your client machines have Public IP addresses, or you want to preserve the original client's IP address to upstream equipment
    – you will need to follow this Source Address Spoofing guide:

    1. Navigate to the IP > Firewall > Mangle page and create a new Mangle rule with the following options:

    Chain: Prerouting

    Src-Address: Client subnet (e.g 172.16.1.0/24), or leave


    blank to match all HTTP traffic.

    Protocol: tcp

    Any-Port: 80

    [Action Tab]

    Action: Mark Connection

    Routing Mark: cacheboxconnection (or a mark of your


    choice)

    Passthrough: Ticked/Enabled

    Save & Apply

    Revision v1.0 – 10/08/2015


    5

    2. In the same Firewall > Mangle page, create a new


    Mangle rule with the following options:

    Chain: Prerouting

    Src-Address: Client subnet (e.g 172.16.1.0/24), or leave


    blank to match all HTTP traffic.

    Protocol: tcp

    In. Interface: Not-Equal-To CACHEBOX Interface


    (e.g !ether3 in this example).

    Connection Mark: cacheboxconnection

    [Action Tab]

    Action: mark routing

    Routing Mark: cachebox (or a mark of your choice)

    Passthrough: Ticked/Enabled

    Save & Apply

    3. Navigate to the IP > Routes page, and create a new route with the following options:

    Dst-Address: 0.0.0.0/0

    Gateway: CACHEBOX IP Address (e.g


    192.168.2.2 in this example)

    Check Gateway: ping (optional)

    Routing Mark: cachebox (or the mark you created


    in the previous step in the Mangle rule).

    Save & Apply

    Revision v1.0 – 10/08/2015


    6

    4. On the CACHEBox web interface, set the deployment mode to Gateway Interception (PBR) in the Cache > Mode page.
    Then set navigate to Cache > Advanced and set Source Address Spoofing to 'Enabled'.

    5. You should then see successful requests appear in the Cache Overview page on the CACHEBox web interface.

    Revision v1.0 – 10/08/2015


    7

    Appendix A: Implementing ToS/DSCP Marking (Squid ZPH marking) for Cache HIT packets

    If you implement Queues or Rate-limiting in your Mikrotik router, to restrict bandwidth to your clients – you can allow full LAN
    speed to your Cache HIT packets by implementing ToS/DSCP marking as follows:

    1. In the CACHEBox web interface, navigate to the Cache > Custom page, and enter the following configuration:

    If running the Squid2 Cache engine:

    zph_mode tos
    zph_local 0x30

    If running the Squid3 Cache engine, enter:

    qos_flows local-hit=0x30

    (To check which version of Squid you are running, you may navigate to the System > Services page, and check the version displayed on the
    line starting 'Web Cache'.)

    Save the page to apply the changes.

    The 0x30 value is arbitrary, we will use this value when entering the Mikrotik configuration later on.
    You can see the following web page for guidance on different values.

    http://www.tucny.com/Home/dscp-tos

    Revision v1.0 – 10/08/2015


    8

    2. In the Mikrotik router, navigate to the IP > Firewall > Mangle page and create a new mangle rule with the following
    configuration:

    [General tab]

    Chain: Prerouting

    [Advanced Tab]

    DSCP (TOS): 12

    (Mikrotik can only match on DSCP decimal values, not ToS Hex values –
    and so this value is the converted result of ToS 0x30, which equals a DSCP
    decimal value of 12). You may use the following page to see the converted
    DSCP decimal value of your chosen ToS Hex mark that was used in the
    Cache Custom Config:
    http://www.tucny.com/Home/dscp-tos

    [Action Tab]

    Action: mark packet

    New Packet Mark: cacheboxdscp (or a mark of your choice)

    Passthrough: Ticked/Enabled

    Apply & Save

    Revision v1.0 – 10/08/2015


    9

    3. In the Mikrotik, navigate to the Queues menu and follow the following steps, depending on whether you are using only Simple
    Queues or more advanced Queue Trees.

    If you are already using only Simple Queues:

    Create a new Simple Queue with the following configuration:

    [General Tab]

    Name: CacheHIT (or a name of your choice)

    Target: 0.0.0.0/0

    Max Limit: Unlimited / Unlimited

    Burst Limit: Unlimited/Unlimited

    Burst Threshold: Unlimited/Unlimited

    [Advanced Tab]

    Packet Marks: cacheboxdscp (or the packet mark you created in step 1)

    Limit at: Unlimited/Unlimited

    Ensure that this new Queue is moved to the top of the Queue list,
    so that it is processed before the other queues.

    Apply & Save

    Revision v1.0 – 10/08/2015


    10

    If you are already only using Advanced Queues (Queue Trees), then create a new Queue Tree with the following configuration:

    Name: CacheHIT-Tree (or a name of your choice)

    Parent: global

    Packet Marks: cacheboxdscp (or the DSCP packet mark you


    created earlier)

    Queue Type: default

    Limit at: 0

    Max Limit: 0

    Burst Limit: 0

    Burst Threshold: 0

    Apply & Save

    Ensure that this new Queue is moved to the top of the Queue
    list, so that it is processed before the other queues.

    Cache HIT packets should no longer be rate-limited by your existing Queues.

    Revision v1.0 – 10/08/2015

    You might also like