MUM Bali 2008 Valens Riyadi

MUM 2008 Workshop

IP FlowRouting, Mangle and QoS

Valens Riyadi & Novan ChrisCitraweb Nusa Infomedia

(Mikrotik Certified Training Partner)

6/16/200800-2 Mikrotik Indonesia http://www.mikrotik.co.id

Introduction

� Name: Valens Riyadi

� Country: Indonesia

� Graduated as Architect 1998

� Work at Citraweb (Citranet)• ISP, Web Developer, Mikrotik Reseller

� Photographer• Administrator of www.fotografer.net

� Head of Security Dept, Indonesian ISP Association

� Volunteer for Airputih Foundation, IT Emergency Task Force

� Steering Committee for ID-SIRTIIIndonesia Security Incident Response Team on Information Infrastructure

� Mikrotik Certified Consultant & Trainner


My Company

� Citraweb Nusa Infomedia

� Web Developer (since 2000)

� Small ISP (since 2001)

� Mikrotik Reseller (since 2002)

� Mikrotik Certified Training Partner (2005)

� Located at : Yogyakarta Indonesia

� Using RouterOS since 2.3.15


Yogyakarta City

� 3,4 million of population

� Tourism City

� Student City

• Almost 50% of population are students from other

cities.

� Finally ……. Cyber café City


Overview

� IP Flow

� Mangle

� Mark connection, mark packet, mark route

� Multiple Gateways with NAT Network

� QoS -> Queue Tree

� We will NOT discuss about :

� Simple Queue, Queue Type

� Load balance


IP Flow

� Diagram that show how each packet

process from input interface (or local

process) to output interface (or local

process)

� For each traffic, we should know source

and destination.


Source and Destination

� Source

� Input Interface

� Local Process

� Destination

� Local Process

� Output Interface


IP Flow (simple diagram)

OUTPUT INTERFACE

FORWARDPOST

ROUTINGPRE

ROUTING

INPUT OUTPUTLOCAL

PROCESS

INPUTINTERFACE

PREROUTINGHotspot Input

Conn-TrackingMangle

Dst-NAT

Global-In Queue

Global-Total Queue

POSTROUTINGMangle

Global-Out QueueGlobal-Total Queue

Source-NAT

Hotspot Output

OUTPUTConn-Tracking

MangleFilter

FORWARDMangle

FilterAcounting

INPUTMangle

Filter


IP Flow

OUTPUT INTERFACE

FORWARD

POSTROUTING

PREROUTING

INPUT

OUTPUT

BRIDGEDST-NAT

BRIDGEINPUT

BRIDGEFORWARD

BRIDGEOUTPUT

BRIDGESRC-NAT

INPUT is

Bridged?

Broute?

Bridge

Decision

Routing

Decision

Routing

Decision

Bridge

Decision

OUTPUT is

Bridged?

LOCALPROCESS-IN

LOCALPROCESS-OUT

INPUTINTERFACE

IPSECDECRYPTION

IPSECENCRYPTION

IPsec

Policy

IPsec

Policy

INTERFACEQUEUE

+

+

+

+

+

+

-

--

-

-

-

PREROUTINGHotspot Input

Conn-TrackingMangle

Dst-NAT

Global-In Queue

Global-Total Queue

POSTROUTINGMangle

Global-Out QueueGlobal-Total Queue

Source-NAT

Hotspot Output

OUTPUTConn-Tracking

MangleFilter

FORWARDMangle

FilterAcounting

INPUTMangle

Filter


Chain Position

Outside

Outside

Router /

Local

process

To

Global-totalPostrouting

Interface

Global-outForwardForward

Global-inPreroutingOutside

Interface

Global-TotalPostrouting

Global-OutOutputOutputRouter/

Local

process

Global-TotalInputInput

Global-inPreroutingOutside

QueueFirewallMangleFrom


Case 1: Simple Network

� As the client is masqueraded, we will use connection tracking to mangle the client

� We do mark packet after connection tracking

� To limit all traffic, we will use chain prerouting


mangle


Mangle & Queue


Case 2: Multiple Gateway

� We have 2 access to backbones.

� We can use firewall nth and policy route to load balance the backbone.


Constrain

� In previous case, we use interface queue

for uplink and downlink. But now we have

more than 1 interface for uplink.

� We can use global-in for uplink


IP Address and Masquerade

/ip address prFlags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE

0 172.16.10.2/24 172.16.10.0 172.16.10.255 ether2-backbone1

1 172.16.20.2/24 172.16.20.0 172.16.20.255 ether3-backbone2 2 192.168.10.1/24 192.168.10.0 192.168.10.255 ether1-local

/ip firewall nat prFlags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat action=masquerade out-interface=ether2-backbone1 1 chain=srcnat action=masquerade out-interface=ether3-backbone2


Mangle for Routing

/ip firewall mangle print

Flags: X - disabled, I - invalid, D - dynamic

0 chain=prerouting action=mark-connection new-connection-mark=conn-1 passthrough=yes connection-state=new in-interface=ether1-local nth=2,1

1 chain=prerouting action=mark-connection new-connection-mark=conn-2 passthrough=yes connection-state=new in-interface=ether1-local nth=2,2

2 chain=prerouting action=mark-routing new-routing-mark=route1 passthrough=yes in-interface=ether1-local connection-mark=conn-1

3 chain=prerouting action=mark-routing new-routing-mark=route2 passthrough=yes in-interface=ether1-local connection-mark=conn-2


Static Route

/ip route

add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.20.1 \

routing-mark=route2

add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.10.1 \

routing-mark=route1

add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.20.1


Mangle for Queue

/ip firewall mangle print

4 chain=prerouting action=mark-connection new-connection-mark=conn-client passthrough=yes src-address=192.168.10.0/24

5 chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client

6 chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client


Queue Tree

/queue tree print

Flags: X - disabled, I - invalid

0 name="total- download" parent=ether1- local

packet- mark=packet- client1- download limit-

at=512000 queue=default priority=8 max-

limit=512000 burst- limit=0 burst- threshold=0 burst-

time=0s

1 name="total- upload" parent=global- in packet-

mark=packet- client1- upload limit- at=256000

queue=default priority=8 max- limit=256000 burst-

limit=0 burst- threshold=0 burst- time=0s


Case 3: Using Web Proxy

� We will use transparant proxy for web traffic (tcp 80)� using dst-nat: redirect


Constrain

� Previous Configuration:

� Will not load balance uplink traffic from

proxy

� Will not limit downlink connection from proxy

to client


Queue with

SRC-NAT & Internal Proxy

WEB-PROXY

LOCAL

PROCESS

ROUTER

INTERNET

SRC-NAT

Traffic Client - Internet


Queue with

SRC-NAT & Internal Proxy

WEB-PROXY

LOCAL

PROCESS

Upstream to proxy

Downstream from proxy

ROUTER

INTERNET

SRC-NAT

Direct Upstream

Direct Downstream

1

2

3

4

5

6


How to do

� Load Balance Uplink traffic from proxy

� Make new rules in mangle chain output, to

do nth (mark-connection and mark-packet)

� Limit downlink traffic from proxy to client:

� Make new packet-mark on chain output


New Mangle for routing

/ip firewall mangle print8 chain=output action=mark-connection new-

connection-mark=conn-proxy-1 passthrough=yes connection-state=new nth=2,1

9 chain=output action=mark-connection new-connection-mark=conn-proxy-2 passthrough=yes connection-state=new nth=2,2

10 chain=output action=mark-routing new-routing-mark=route1 passthrough=yes connection-mark=conn-1

11 chain=output action=mark-routing new-routing-mark=route2 passthrough=yes connection-mark=conn-2


Mangle for Queue


5 chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local connection-mark=conn-client

6 chain=prerouting action=mark-packet new-packet-mark=packet-client1-download passthrough=no connection-mark=conn-client

7 chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no out-interface=ether1-local connection-mark=conn-client


Mangle Configuration


Case 4: Max Speed for Hit

Traffic

� We want to give max speed for client if they access cached data on proxy (hit

traffic)


How to

� We can differentiate hit and miss traffic using TOS / DSCP parameter.

� On proxy, we set Cache Hit DSCP (Differentiated

Services Code Point)/ToS (Type of

Services) = 4

� We make new mangle

and new queue tree to mange hit traffic


Mangle for Queue


5 chain=prerouting action=mark-packet new-packet-mark=packet-client1-upload passthrough=no in-interface=ether1-local

connection-mark=conn-client 6 chain=prerouting action=mark-packet new-packet-mark=packet-

client1-download passthrough=no connection-mark=conn-client

7 chain=output action=mark-packet new-packet-mark=packet-client1-hit-download passthrough=no out-interface=ether1-local connection-mark=conn-client dscp=4

8 chain=output action=mark-packet new-packet-mark=packet-client1-download passthrough=no out-interface=ether1-local

connection-mark=conn-client


Queue Tree

0 name="total-download" parent=ether1-local packet-mark=packet-client1-download limit-at=512000 queue=default priority=8 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s

1 name="total-upload" parent=global-in packet-mark=packet-client1-upload limit-at=256000 queue=default priority=8 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s

2 name="total-download-hit" parent=ether1-local packet-mark=packet-client1-hit-download limit-at=1000000 queue=default priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0 burst-time=0s

Thank You!

[email protected]

MUM Bali 2008 Valens Riyadi

Documents

Transcript of MUM Bali 2008 Valens Riyadi