Sunday, June 13, 2010

Mangle, Queue Tree and prioritization

As we know, a 'simple queue' marks packets to/from the target address and queues them in the global-in/global-out parents, i.e. on the local side of the router. If we want to queue per-service traffic with a 'queue tree' alone, we can do it on either the local or the public side. If we want to use a 'simple queue' and a 'queue tree' for services together, we no longer have that choice: the packets are marked on the local side and queued by the 'simple queue' (this is not visible in /ip firewall mangle or /queue tree), so a second mark and a 'queue tree' on the local side will not work. For per-service shaping we therefore mark the incoming and outgoing packets (prerouting and postrouting) on the public side of the router.

/interface set ether1 name=wan
/interface set ether2 name=lan

/ip address add address=192.168.0.1/24 interface=lan
/ip address add address=1.0.0.2/24 interface=wan
/ip route add gateway=1.0.0.1

/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.0.0/24

First we create the simple queues, for example:

Note: set max-limit on the QOS rule to your actual Internet speed (upload/download); the per-client queues below inherit it as their parent.

/queue simple add name="QOS" dst-address=0.0.0.0/0 interface=all parent=none direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 \
max-limit=1000000/1800000 total-queue=default-small disabled=no
:for z from=2 to=254 do={ \
/queue simple add name=("0." . $z) target-addresses=("192.168.0." . $z) \
parent="QOS" interface=all priority=4 queue=default/default max-limit=128000/530000 \
total-queue=default
}

Now we mark the packets per service:

/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=icmp_in passthrough=no \
in-interface=wan protocol=icmp comment="icmp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=icmp_out \
passthrough=no out-interface=wan protocol=icmp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no \
p2p=all-p2p in-interface=wan comment="p2p" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=p2p_out \
passthrough=no p2p=all-p2p out-interface=wan comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=pop3_in passthrough=no \
in-interface=wan src-port=110 protocol=tcp comment="pop3" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=pop3_out \
passthrough=no out-interface=wan dst-port=110 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=smtp_in passthrough=no \
in-interface=wan src-port=25 protocol=tcp comment="smtp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=smtp_out \
passthrough=no out-interface=wan dst-port=25 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=imap_in passthrough=no \
in-interface=wan src-port=143 protocol=tcp comment="imap" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=imap_out \
passthrough=no out-interface=wan dst-port=143 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=ssh_in passthrough=no \
in-interface=wan dst-port=22 protocol=tcp comment="ssh" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=ssh_out \
passthrough=no out-interface=wan src-port=22 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=winbox_in \
passthrough=no in-interface=wan dst-port=8291 protocol=tcp \
comment="winbox" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=winbox_out \
passthrough=no out-interface=wan src-port=8291 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=dns_in passthrough=no \
in-interface=wan src-port=53 protocol=udp comment="dns" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=dns_out \
passthrough=no out-interface=wan dst-port=53 protocol=udp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=www_in passthrough=no \
in-interface=wan src-port=80 protocol=tcp comment="www" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=www_out \
passthrough=no out-interface=wan dst-port=80 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=ssl_in passthrough=no \
in-interface=wan src-port=443 protocol=tcp comment="ssl" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=ssl_out \
passthrough=no out-interface=wan dst-port=443 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=udp_in passthrough=no \
in-interface=wan protocol=udp comment="udp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=udp_out \
passthrough=no out-interface=wan protocol=udp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=tcp_in passthrough=no \
in-interface=wan protocol=tcp comment="tcp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=tcp_out \
passthrough=no out-interface=wan protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=other_in \
passthrough=no in-interface=wan comment="other" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=other_out \
passthrough=no out-interface=wan comment="" disabled=no
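Rule order is what makes the list above work: every rule uses passthrough=no, so within a chain the first matching rule decides the mark, and the catch-all tcp, udp and other rules must stay at the bottom. The following Python model is added here as an illustration; it is not part of the original wiki page and not RouterOS code. It replays a subset of the prerouting rules over constructed packets, and the Rule and mark_packet names, the packet dictionaries and the sample ports are the example's own assumptions.

```python
# Added example (not from the MikroTik wiki page): a minimal model of how
# /ip firewall mangle assigns packet marks when every rule has passthrough=no.
# Rules are tried top to bottom within a chain; the first matching rule sets
# the mark and, with passthrough=no, ends the evaluation. Hence the specific
# rules (icmp, ssh, dns, www, ...) must precede the catch-all tcp/udp/other rules.
# Rule fields, packet dicts and sample packets are constructed for illustration.

from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    chain: str
    mark: str
    passthrough: bool = False
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # A rule field left unset (None) matches anything, as in RouterOS.
        wanted = [
            (self.in_iface, pkt.get("in")),
            (self.out_iface, pkt.get("out")),
            (self.proto, pkt.get("proto")),
            (self.src_port, pkt.get("sport")),
            (self.dst_port, pkt.get("dport")),
        ]
        return all(want is None or want == have for want, have in wanted)


def mark_packet(rules, chain, pkt):
    """Return the packet mark `pkt` ends up with in `chain`, or None."""
    mark = None
    for rule in rules:
        if rule.chain != chain or not rule.matches(pkt):
            continue
        mark = rule.mark
        if not rule.passthrough:
            break                      # passthrough=no: stop at the first match
    return mark


# A subset of the page's prerouting rules, in the page's order.
RULES = [
    Rule("prerouting", "icmp_in", in_iface="wan", proto="icmp"),
    Rule("prerouting", "ssh_in", in_iface="wan", proto="tcp", dst_port=22),
    Rule("prerouting", "dns_in", in_iface="wan", proto="udp", src_port=53),
    Rule("prerouting", "www_in", in_iface="wan", proto="tcp", src_port=80),
    Rule("prerouting", "udp_in", in_iface="wan", proto="udp"),
    Rule("prerouting", "tcp_in", in_iface="wan", proto="tcp"),
    Rule("prerouting", "other_in", in_iface="wan"),
]

# The same rules with the three catch-alls moved to the top: the mistake to avoid.
WRONG_ORDER = RULES[-3:] + RULES[:-3]

# Constructed sample packets (ports chosen for the example).
HTTP_REPLY = {"in": "wan", "proto": "tcp", "sport": 80, "dport": 51000}
SSH_TO_ROUTER = {"in": "wan", "proto": "tcp", "sport": 40000, "dport": 22}
GRE_FROM_WAN = {"in": "wan", "proto": "gre"}
LAN_REQUEST = {"in": "lan", "proto": "tcp", "sport": 51000, "dport": 80}

if __name__ == "__main__":
    for label, pkt in [("http reply", HTTP_REPLY), ("ssh to router", SSH_TO_ROUTER),
                       ("gre", GRE_FROM_WAN), ("lan request", LAN_REQUEST)]:
        print(f"{label:14s} page order: {mark_packet(RULES, 'prerouting', pkt)!s:9s}"
              f" wrong order: {mark_packet(WRONG_ORDER, 'prerouting', pkt)}")
```

With the catch-alls on top, an HTTP reply is marked tcp_in instead of www_in and an inbound SSH connection tcp_in instead of ssh_in, so both would land in the generic tcp queues rather than their intended priority. A request arriving on the LAN side gets no mark at all in prerouting, because every rule here matches in-interface=wan; its reply direction is handled by the postrouting rules with out-interface=wan.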

After that we build the queue tree:

/queue tree
add name="upload_wan1" parent=global-out packet-mark="" limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="icmp_down" parent=global-in packet-mark=icmp_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="icmp_up" parent=global-out packet-mark=icmp_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="winbox_down" parent=global-in packet-mark=winbox_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="winbox_up" parent=global-out packet-mark=winbox_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="dns_down" parent=global-in packet-mark=dns_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="dns_up" parent=global-out packet-mark=dns_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="www_up" parent=upload_wan1 packet-mark=www_out limit-at=0 \
queue=wireless-default priority=2 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssl_up" parent=upload_wan1 packet-mark=ssl_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="p2p_up" parent=upload_wan1 packet-mark=p2p_out limit-at=0 \
queue=wireless-default priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="udp_up" parent=upload_wan1 packet-mark=udp_out limit-at=0 \
queue=wireless-default priority=6 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="tcp_up" parent=upload_wan1 packet-mark=tcp_out limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="other_up" parent=upload_wan1 packet-mark=other_out limit-at=0 \
queue=wireless-default priority=7 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="download_wan1" parent=global-in packet-mark="" limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="www_down" parent=download_wan1 packet-mark=www_in limit-at=0 \
queue=wireless-default priority=2 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssl_down" parent=download_wan1 packet-mark=ssl_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="p2p_down" parent=download_wan1 packet-mark=p2p_in limit-at=0 \
queue=wireless-default priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="udp_down" parent=download_wan1 packet-mark=udp_in limit-at=0 \
queue=wireless-default priority=6 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="tcp_down" parent=download_wan1 packet-mark=tcp_in limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="other_down" parent=download_wan1 packet-mark=other_in limit-at=0 \
queue=wireless-default priority=7 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssh_down" parent=global-in packet-mark=ssh_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssh_up" parent=global-out packet-mark=ssh_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="pop3_down" parent=download_wan1 packet-mark=pop3_in limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="smtp_down" parent=download_wan1 packet-mark=smtp_in limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="imap_down" parent=download_wan1 packet-mark=imap_in limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="imap_up" parent=upload_wan1 packet-mark=imap_out limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="smtp_up" parent=upload_wan1 packet-mark=smtp_out limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="pop3_up" parent=upload_wan1 packet-mark=pop3_out limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no

We now have several basic download/upload queues:

- wan

- icmp

- winbox

- dns

- ssh

ICMP, DNS, winbox and SSH sit directly under global-in/global-out with the highest priority (1), to keep ping low, DNS answers quick and management sessions responsive. The wan queues (download_wan1/upload_wan1) come second; inside that tree we decide which service gets the highest priority, which one we guarantee bandwidth for and which one we slow down. Note that ssh_in and winbox_in match dst-port 22/8291 arriving on the wan interface, i.e. connections from the Internet to the router's own management ports. Giving those top priority only makes sense if the input chain of /ip firewall filter restricts who may reach them; otherwise any remote host can send traffic that the router services ahead of everything else. The p2p=all-p2p matcher used for the p2p marks relies on RouterOS's built-in P2P detection, which later RouterOS versions have dropped, so on those versions the p2p rules need another classifier.

Source: wiki.mikrotik.com

Implementing PCQ at an ISP to Get the Best Results

Seeing the many questions about fair bandwidth sharing that can reliably limit every kind of traffic, IDM as well as P2P, so there is no need to worry about being cheated, I will try to share this, CMIIW

Network configuration:
Public --- (10.0.0.1/24) MT (192.168.1.1/24) --- Local

The scenario goes like this:
Client 192.168.1.10 --- Bandwidth 512kbps 1:1 (corporate)
(512k up / 512k down)

Clients 192.168.1.20, 21, 22, 23 --- Bandwidth 384kbps 1:4 (personal)
(64k up / 384k down)

First, do the mangle:
For corporate upload traffic
/ip firewall mangle add chain=prerouting src-address=192.168.1.10 in-interface=Local action=mark-packet new-packet-mark=corporate-up passthrough=no
For corporate download traffic
/ip firewall mangle add chain=forward src-address=192.168.1.10 action=mark-connection new-connection-mark=corporate-conn passthrough=yes
/ip firewall mangle add chain=forward connection-mark=corporate-conn in-interface=Public action=mark-packet new-packet-mark=corporate-down passthrough=no

For personal upload traffic
/ip firewall mangle add chain=prerouting src-address=192.168.1.20 in-interface=Local action=mark-packet new-packet-mark=personal-up passthrough=no
/ip firewall mangle add chain=prerouting src-address=192.168.1.21 in-interface=Local action=mark-packet new-packet-mark=personal-up passthrough=no
/ip firewall mangle add chain=prerouting src-address=192.168.1.22 in-interface=Local action=mark-packet new-packet-mark=personal-up passthrough=no
/ip firewall mangle add chain=prerouting src-address=192.168.1.23 in-interface=Local action=mark-packet new-packet-mark=personal-up passthrough=no
For personal download traffic
/ip firewall mangle add chain=forward src-address=192.168.1.20 action=mark-connection new-connection-mark=personal-conn passthrough=yes
/ip firewall mangle add chain=forward src-address=192.168.1.21 action=mark-connection new-connection-mark=personal-conn passthrough=yes
/ip firewall mangle add chain=forward src-address=192.168.1.22 action=mark-connection new-connection-mark=personal-conn passthrough=yes
/ip firewall mangle add chain=forward src-address=192.168.1.23 action=mark-connection new-connection-mark=personal-conn passthrough=yes
/ip firewall mangle add chain=forward connection-mark=personal-conn in-interface=Public action=mark-packet new-packet-mark=personal-down passthrough=no

Please note: for mark-packet use passthrough=no, while for mark-connection use passthrough=yes

Now, once the mangling is sorted out, we continue with creating the queue tree:
/queue tree add name=down parent=Local queue=default
/queue tree add name=up parent=global-in queue=default

for download we use our in-interface, in this case Local, while for upload we use global-in

next we add a new type to our queues:
what we need to add, looking at the scenario above, is a PCQ for the corporate package, 512kbps (1:1), and for the personal package, 384kbps (1:4).
For the corporate package we set the figure of 512kbps directly, while for personal we cannot set a figure here, because the bandwidth the personal package receives depends on how many users are online; so if only 1 person is online they get the full 384kbps, if 2 people are online each gets 192kbps, and so on.
/queue type add name=512-down kind=pcq pcq-rate=512k pcq-classifier=dst-address pcq-total-limit=2000
/queue type add name=512-up kind=pcq pcq-rate=512k pcq-classifier=src-address pcq-total-limit=2000

/queue type add name=auto-down kind=pcq pcq-rate=0 pcq-classifier=dst-address pcq-total-limit=2000
/queue type add name=auto-up kind=pcq pcq-rate=0 pcq-classifier=src-address pcq-total-limit=2000

we use 0 for the personal package because MT will calculate how much bandwidth is available at the moment a client makes a connection.

After that we go back to the queue tree and add:
Corporate package
/queue tree add name=corp-down packet-mark=corporate-down parent=down queue=512-down
/queue tree add name=corp-up parent=up packet-mark=corporate-up queue=512-up

Personal package
/queue tree add name=per-down packet-mark=personal-down parent=down queue=auto-down max-limit=384k
/queue tree add name=per-up parent=up packet-mark=personal-up queue=auto-up max-limit=64k

Done.
After doing all of this, please try a P2P application or a downloader; everything should now be shaped properly

The settings above suit the configuration described above, without using MT's internal proxy and with only 2 interfaces; for use with the internal proxy and more interfaces, some changes and additions to the script above are needed

Btw, on the way... why did this get cut off when it was moved? So it has been added again, CMIIW

source: mikrotik forum (geonet_comp)
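How PCQ divides the bandwidth, as an added example that is not part of the original forum post and not RouterOS code: each sub-stream (here one client address, per the pcq-classifier) is capped at pcq-rate, with 0 meaning no per-client cap, and the parent queue's max-limit is split evenly among the clients that are active at that moment, any share a client does not use being handed to the others. The Python below models that with a water-filling allocation. The function name pcq_share, the kbit/s units and the demand figures are the example's own assumptions; pcq-limit, pcq-total-limit and burst settings are left out of the model.

```python
# Added example (not from the forum post): a simplified model of MikroTik's
# PCQ queue type. Each sub-stream is capped at pcq_rate (0 = no cap) and the
# active sub-streams share the parent queue's max_limit (0 = no limit)
# equally, with unused share redistributed (water-filling).
# Rates are in kbit/s; the demand figures are constructed for this example.


def pcq_share(demands, pcq_rate=0, max_limit=0):
    """Return the rate each sub-stream receives for the given offered loads."""
    # Per-sub-stream cap: the offered load, further limited by pcq_rate if set.
    caps = [d if pcq_rate == 0 else min(d, pcq_rate) for d in demands]
    if max_limit == 0:
        return caps                      # nothing shared, only the per-stream cap
    alloc = [0] * len(caps)
    remaining = max_limit
    active = [i for i, c in enumerate(caps) if c > 0]
    while active and remaining > 0:
        share = remaining / len(active)
        satisfied = [i for i in active if caps[i] <= share]
        if not satisfied:                # everyone wants more than the fair share
            for i in active:
                alloc[i] = share
            break
        for i in satisfied:              # give these their full cap, then recompute
            alloc[i] = caps[i]
            remaining -= caps[i]
        active = [i for i in active if i not in satisfied]
    return alloc


# The forum post's two download packages.
PERSONAL_DOWN = dict(pcq_rate=0, max_limit=384)    # auto-down under max-limit=384k
CORPORATE_DOWN = dict(pcq_rate=512, max_limit=0)   # 512-down, no shared limit


def personal_per_user(active_users, demand=1000):
    """Rate each personal user gets when all of them saturate the link."""
    return pcq_share([demand] * active_users, **PERSONAL_DOWN)


if __name__ == "__main__":
    for n in (1, 2, 4):
        print(n, "personal user(s):", personal_per_user(n))
    print("light + heavy personal user:", pcq_share([50, 1000], **PERSONAL_DOWN))
    print("two corporate streams:", pcq_share([1000, 1000], **CORPORATE_DOWN))
```

With pcq-rate=0 and max-limit=384k, one active user gets 384k, two get 192k each and four get 96k each, which is the behaviour the post describes; a user who only needs 50k leaves the remaining 334k to the other one. For the corporate type, pcq-rate=512k caps every sub-stream at 512k regardless of how many are active, so the aggregate is bounded only by the parent queue.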