Mangle, Queue Tree and prioritization ( baratev )

Saturday, July 12, 2008

#######################################
Mangle, Queue Tree and prioritization
#######################################

As we know, a 'simple queue' matches packets to and from its target address and queues them
under the global-in/global-out parents, i.e. on the local (LAN) side of the router. If we want
to queue services with a 'queue tree' alone, we can do it on either the local or the public side.
If we want to use a 'simple queue' and a 'queue tree' for the same traffic, we do not have that
choice: the packets are marked and queued by the simple queue on the local side (this marking is
internal, it is not visible in /ip firewall mangle or /queue tree), so a second marking and a
'queue tree' on the local side will not work. That is why, for per-service queues, we mark
packets as they enter and leave the router (prerouting/postrouting) on the public (WAN) side.

Mangle Packet Flow
-------------------

* There are 5 places to mangle:
  - Prerouting
  - Input
  - Output
  - Forward
  - Postrouting

* There are 4 places to limit (HTB roots):
  - Global-in
  - Global-out
  - Global-total
  - Interface queue
    - ether1, ether2, etc. (WAN, LAN, etc.)
    - wlan1, wlan2, etc. (WAN, LAN, etc.)

Mangle Packet Flow Diagram
---------------------------

Forwarded traffic (LAN <-> WAN):
  input interface -> Mangle Prerouting -> Global-in (and global-total)
    -> routing decision -> Mangle Forward -> routing decision
    -> Mangle Postrouting -> Global-out (and global-total) -> output interface

Traffic to the router itself:
  input interface -> Mangle Prerouting -> Global-in (and global-total)
    -> routing decision -> Mangle Input -> local process (in)

Traffic from the router itself:
  local process (out) -> Mangle Output -> routing decision
    -> Mangle Postrouting -> Global-out (and global-total) -> output interface

Global-total sees packets in both directions; global-in only sees packets entering the
router (downloads, seen from the LAN) and global-out only packets leaving it (uploads).

## Configuration

/interface set ether1 name=wan
/interface set ether2 name=lan

/ip address add address=192.168.0.1/24 interface=lan
/ip address add address=1.0.0.2/24 interface=wan
/ip route add gateway=1.0.0.1

/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.0.0/24

At first we make one simple queue per host. The parent, a simple queue named 192.168.0.0/24
that covers the whole LAN, must already exist; the loop below only creates the children:

:for z from=2 to=254 do={/queue simple add name=("0." . $z) target-addresses=("192.168.0." . $z) \
    parent=192.168.0.0/24 interface=all priority=4 queue=default/default max-limit=128000/530000 \
    total-queue=default}

Now we mark the packets for each service. Rule order matters: every rule has passthrough=no,
so the first match wins, and the generic tcp/udp/other marks at the end only catch what the
specific rules above them did not.

/ ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=icmp_in passthrough=no \
in-interface=wan protocol=icmp comment="icmp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=icmp_out \
passthrough=no out-interface=wan protocol=icmp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no \
p2p=all-p2p in-interface=wan comment="p2p" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=p2p_out \
passthrough=no p2p=all-p2p out-interface=wan comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=pop3_in passthrough=no \
in-interface=wan src-port=110 protocol=tcp comment="pop3" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=pop3_out \
passthrough=no out-interface=wan dst-port=110 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=smtp_in passthrough=no \
in-interface=wan src-port=25 protocol=tcp comment="smtp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=smtp_out \
passthrough=no out-interface=wan dst-port=25 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=imap_in passthrough=no \
in-interface=wan src-port=143 protocol=tcp comment="imap" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=imap_out \
passthrough=no out-interface=wan dst-port=143 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=ssh_in passthrough=no \
in-interface=wan dst-port=22 protocol=tcp comment="ssh" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=ssh_out \
passthrough=no out-interface=wan src-port=22 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=winbox_in \
passthrough=no in-interface=wan dst-port=8291 protocol=tcp \
comment="winbox" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=winbox_out \
passthrough=no out-interface=wan src-port=8291 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=dns_in passthrough=no \
in-interface=wan src-port=53 protocol=udp comment="dns" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=dns_out \
passthrough=no out-interface=wan dst-port=53 protocol=udp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=www_in passthrough=no \
in-interface=wan src-port=80 protocol=tcp comment="www" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=www_out \
passthrough=no out-interface=wan dst-port=80 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=ssl_in passthrough=no \
in-interface=wan src-port=443 protocol=tcp comment="ssl" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=ssl_out \
passthrough=no out-interface=wan dst-port=443 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=udp_in passthrough=no \
in-interface=wan protocol=udp comment="udp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=udp_out \
passthrough=no out-interface=wan protocol=udp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=tcp_in passthrough=no \
in-interface=wan protocol=tcp comment="tcp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=tcp_out \
passthrough=no out-interface=wan protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=other_in \
passthrough=no in-interface=wan comment="other" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=other_out \
passthrough=no out-interface=wan comment="" disabled=no

After that we build the queue tree:

/queue tree
add name="upload_wan1" parent=global-out packet-mark="" limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="icmp_down" parent=global-in packet-mark=icmp_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="icmp_up" parent=global-out packet-mark=icmp_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="winbox_down" parent=global-in packet-mark=winbox_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="winbox_up" parent=global-out packet-mark=winbox_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="dns_down" parent=global-in packet-mark=dns_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="dns_up" parent=global-out packet-mark=dns_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="www_up" parent=upload_wan1 packet-mark=www_out limit-at=0 \
queue=wireless-default priority=2 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssl_up" parent=upload_wan1 packet-mark=ssl_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="p2p_up" parent=upload_wan1 packet-mark=p2p_out limit-at=0 \
queue=wireless-default priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="udp_up" parent=upload_wan1 packet-mark=udp_out limit-at=0 \
queue=wireless-default priority=6 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="tcp_up" parent=upload_wan1 packet-mark=tcp_out limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="other_up" parent=upload_wan1 packet-mark=other_out limit-at=0 \
queue=wireless-default priority=7 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="download_wan1" parent=global-in packet-mark="" limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="www_down" parent=download_wan1 packet-mark=www_in limit-at=0 \
queue=wireless-default priority=2 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssl_down" parent=download_wan1 packet-mark=ssl_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="p2p_down" parent=download_wan1 packet-mark=p2p_in limit-at=0 \
queue=wireless-default priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="udp_down" parent=download_wan1 packet-mark=udp_in limit-at=0 \
queue=wireless-default priority=6 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="tcp_down" parent=download_wan1 packet-mark=tcp_in limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="other_down" parent=download_wan1 packet-mark=other_in limit-at=0 \
    queue=wireless-default priority=7 max-limit=0 burst-limit=0 \
    burst-threshold=0 burst-time=0s disabled=no
add name="ssh_down" parent=global-in packet-mark=ssh_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssh_up" parent=global-out packet-mark=ssh_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="pop3_down" parent=download_wan1 packet-mark=pop3_in limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="smtp_down" parent=download_wan1 packet-mark=smtp_in limit-at=0 \
    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
    burst-threshold=0 burst-time=0s disabled=no
add name="imap_down" parent=download_wan1 packet-mark=imap_in limit-at=0 \
    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
    burst-threshold=0 burst-time=0s disabled=no
add name="imap_up" parent=upload_wan1 packet-mark=imap_out limit-at=0 \
    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
    burst-threshold=0 burst-time=0s disabled=no
add name="smtp_up" parent=upload_wan1 packet-mark=smtp_out limit-at=0 \
    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
    burst-threshold=0 burst-time=0s disabled=no
add name="pop3_up" parent=upload_wan1 packet-mark=pop3_out limit-at=0 \
    queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
    burst-threshold=0 burst-time=0s disabled=no

The top-level download/upload queues are:

- wan (download_wan1 / upload_wan1)

- icmp

- winbox

- dns

- ssh

ICMP, DNS, Winbox and SSH get the highest priority (1) so that ping stays low, the DNS server
answers quickly and management sessions work without trouble. The wan queues come next; inside
them we decide which service gets the highest priority, which one gets guaranteed bandwidth and
which one is slowed down.

Three things to keep in mind. First, HTB priorities only act when the parent queue is actually
congested: max-limit=0 on download_wan1/upload_wan1 means unlimited, so set max-limit a little
below the real link rate, otherwise nothing is ever queued and the priorities have no effect.
Second, winbox_down and ssh_down match packets arriving from the WAN towards TCP ports 8291 and
22, i.e. unsolicited connections to the router's management ports from the Internet; give them
priority 1 only if management from outside is intended, otherwise restrict them in
/ip firewall filter. Third, all of these marks classify by port number (plus the p2p signature
matcher), so any application that uses port 443 or 53 inherits that port's priority; the
classes are for fairness, not for enforcement.

From: http://wiki.mikrotik.com/wiki/Mangle%2C_Queue_Tree_and_prio_by_fly_man_..._almost_done

####################
# Alternative Mangle
####################

Prioritization Plan (1 = highest priority, 8 = lowest)

  1  DNS, SSH, ICMP, Telnet, HTTP request, HTTPS
  ^
  |  Game
  |
  |  VoIP, Skype, video conference, VPN, MSN
  |
  |  Mail, HTTP download, sFTP, FTP
  v
  8  P2P

How to mark?

Group                  | Priority | Service             | Protocol | Dst-Port | Other conditions
-----------------------|----------|---------------------|----------|----------|------------------------------
P2p_services           | 8        | P2P                 |          |          | p2p=all-p2p
-----------------------|----------|---------------------|----------|----------|------------------------------
Download_services      | 7        | Mails               | TCP      | 110      |
                       |          |                     | TCP      | 995      |
                       |          |                     | TCP      | 143      |
                       |          |                     | TCP      | 993      |
                       |          |                     | TCP      | 25       |
                       |          | HTTP downloads      | TCP      | 80       | connection-bytes=500000-0
                       |          | FTP                 | TCP      | 20       |
                       |          |                     | TCP      | 21       |
                       |          | SFTP                | TCP      | 22       | packet-size=1400-1500
-----------------------|----------|---------------------|----------|----------|------------------------------
Ensign_services        | 1        | DNS                 | TCP      | 53       |
                       |          |                     | UDP      | 53       |
                       |          | ICMP                | ICMP     | -        |
                       |          | HTTPS               | TCP      | 443      |
                       |          | Telnet              | TCP      | 23       |
                       |          | SSH                 | TCP      | 22       |
                       |          | HTTP request        | TCP      | 80       | connection-bytes=0-500000
-----------------------|----------|---------------------|----------|----------|------------------------------
User_request           | 3        | Online game servers |          |          | dst-address-list=user_request
-----------------------|----------|---------------------|----------|----------|------------------------------
Communication_services | 5        | VoIP                |          |          |
                       |          | Skype               |          |          |
                       |          | Video conference    |          |          |
                       |          | VPN                 |          |          |
                       |          | MSN                 |          |          |

Source: MUM USA 2008, IL, Workshop Mikrotik, QoS Best Practice

Create packet marks in the mangle chain “Prerouting” for traffic prioritization in the global-in queue

o Ensign_services (Priority=1)
o User_requests (Priority=3)
o Communication_services (Priority=5)
o Download_services (Priority=7)
o P2P_services (Priority=8)

/ ip firewall mangle
add action=mark-connection chain=prerouting comment="Prio P2P" disabled=no \
new-connection-mark=prio_conn_p2p p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="" \
connection-mark=prio_conn_p2p disabled=no new-packet-mark=prio_p2p_packet \
passthrough=no
add action=mark-connection chain=prerouting comment="Prio Download_Services" \
disabled=no dst-port=110 new-connection-mark=prio_conn_download_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=995 new-connection-mark=prio_conn_download_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=143 new-connection-mark=prio_conn_download_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=993 new-connection-mark=prio_conn_download_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=25 \
new-connection-mark=prio_conn_download_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" \
connection-bytes=500000-0 disabled=no dst-port=80 \
new-connection-mark=prio_conn_download_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=20-21 new-connection-mark=prio_conn_download_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=22 \
new-connection-mark=prio_conn_download_services packet-size=1400-1500 \
passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" \
    connection-mark=prio_conn_download_services disabled=no \
    new-packet-mark=prio_download_packet passthrough=no
add action=mark-connection chain=prerouting comment="Prio Ensign_Services" \
disabled=no dst-port=53 new-connection-mark=prio_conn_ensign_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=53 \
new-connection-mark=prio_conn_ensign_services passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_ensign_services passthrough=yes \
protocol=icmp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=443 new-connection-mark=prio_conn_ensign_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=23 \
new-connection-mark=prio_conn_ensign_services passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" \
connection-bytes=0-500000 disabled=no dst-port=80 \
new-connection-mark=prio_conn_ensign_services passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=179 new-connection-mark=prio_conn_ensign_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=8000 new-connection-mark=prio_conn_ensign_services \
passthrough=yes protocol=tcp
# interactive SSH: packets smaller than the 1400-1500 byte range that marks bulk SFTP as a download
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=22 \
    new-connection-mark=prio_conn_ensign_services packet-size=0-1399 \
    passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" \
    connection-mark=prio_conn_ensign_services disabled=no \
    new-packet-mark=prio_ensign_packet passthrough=no
add action=mark-connection chain=prerouting comment="Prio User_Request" \
    disabled=no dst-address-list=user_request \
    new-connection-mark=prio_conn_user_services passthrough=yes
add action=mark-packet chain=prerouting comment="" \
    connection-mark=prio_conn_user_services disabled=no \
    new-packet-mark=prio_request_packet passthrough=no
add action=mark-connection chain=prerouting comment="Prio_Communication" \
    disabled=no new-connection-mark=prio_conn_comm_services passthrough=yes \
    protocol=gre
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-port=5100 new-connection-mark=prio_conn_comm_services passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=5050 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=5060 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=udp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=1869 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=1723 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=5190 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=6660-7000 new-connection-mark=prio_conn_comm_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=ipencap
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=ipsec-esp
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=ipsec-ah
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_comm_services passthrough=yes protocol=ipip
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_comm_services passthrough=yes protocol=encap
add action=mark-packet chain=prerouting comment="" \
connection-mark=prio_conn_comm_services disabled=no \
new-packet-mark=prio_comm_packet passthrough=no

Queue Tree

The child priorities follow the plan above (Ensign 1, User_request 3, Communication 5,
Download 7, P2P 8). Priorities only take effect when the parent is congested, so set
max-limit on the Priorization queue a little below the real download rate of the link;
with max-limit=0 (unlimited) nothing is ever queued and the priorities have no effect.

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Priorization" packet-mark="" parent=global-in priority=1 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Ensign_Services_Prio1" packet-mark=prio_ensign_packet \
    parent=Priorization priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="User_Request_Prio3" packet-mark=prio_request_packet \
    parent=Priorization priority=3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Communication_Services_Prio5" \
    packet-mark=prio_comm_packet parent=Priorization priority=5 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="Download_Services_Prio7" \
    packet-mark=prio_download_packet parent=Priorization priority=7 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="P2P_Traffic_Prio8" packet-mark=prio_p2p_packet \
    parent=Priorization priority=8 queue=default
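Both queue trees on this page are long enough that slips creep in by hand: a child whose
parent name was never defined, a packet mark that no mangle rule produces, a priority that
the tree does not accept. The checker below is an added example (not code from the original
post and not a MikroTik tool) that parses the `add` lines of a RouterOS export and reports
those three problems. The `SAMPLE_EXPORT` string is constructed for the demonstration and
contains exactly such a slip; the interface names passed as extra HTB roots are an assumption
you supply from your own router.

```python
"""Consistency check for a RouterOS '/ip firewall mangle' + '/queue tree' export.

Added example, not from the original post or from MikroTik. It joins backslash-continued
lines, parses each 'add ...' line into key=value pairs, and then checks the queue tree:
  * every parent is an HTB root (global-in/out/total), an interface, or a queue defined earlier;
  * every packet-mark a queue references is set by some mark-packet rule;
  * every priority lies in 1..8;
  * every mark that mangle produces is queued somewhere (otherwise the mark is wasted).
"""
import re
import shlex

HTB_ROOTS = {"global-in", "global-out", "global-total"}

# Constructed sample in export style; 'smtp_down' refers to a parent that is never defined,
# and 'pop3_down' uses a mark nobody produces plus an out-of-range priority.
SAMPLE_EXPORT = """\
/ ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=www_in passthrough=no \\
    in-interface=wan src-port=80 protocol=tcp comment="www" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=smtp_in passthrough=no \\
    in-interface=wan src-port=25 protocol=tcp comment="smtp" disabled=no
/ queue tree
add name="download_wan1" parent=global-in packet-mark="" priority=4 max-limit=0
add name="www_down" parent=download_wan1 packet-mark=www_in priority=2
add name="smtp_down" parent=download packet-mark=smtp_in priority=5
add name="pop3_down" parent=download_wan1 packet-mark=pop3_in priority=9
"""


def parse_export(text):
    """Return one dict per 'add' line, tagged with the '/...' section it belongs to."""
    joined = re.sub(r"\\\n\s*", " ", text)          # undo 'backslash newline' continuations
    section, entries = None, []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = " ".join(line[1:].split())   # "/ ip firewall mangle" -> "ip firewall mangle"
            continue
        if line.startswith("add "):
            entry = {"_section": section}
            for token in shlex.split(line[4:]):    # shlex handles comment="Prio P2P" and packet-mark=""
                key, _, value = token.partition("=")
                entry[key] = value
            entries.append(entry)
    return entries


def check_queue_tree(text, interfaces=()):
    """Return a list of human-readable problems; an empty list means the tree is consistent."""
    entries = parse_export(text)
    mangle = [e for e in entries if e["_section"] == "ip firewall mangle"]
    tree = [e for e in entries if e["_section"] == "queue tree"]
    produced = {e.get("new-packet-mark") for e in mangle if e.get("action") == "mark-packet"}
    roots = HTB_ROOTS | set(interfaces)
    problems, defined = [], set()
    for q in tree:                                  # export order == creation order
        name = q.get("name", "?")
        parent = q.get("parent", "")
        if parent not in roots and parent not in defined:
            problems.append(f"{name}: parent '{parent}' is not a root, an interface, "
                            "or a queue defined above it")
        mark = q.get("packet-mark", "")
        if mark and mark not in produced:
            problems.append(f"{name}: packet-mark '{mark}' is never set by a mark-packet rule")
        prio = q.get("priority", "8")
        if not (prio.isdigit() and 1 <= int(prio) <= 8):
            problems.append(f"{name}: priority '{prio}' is outside 1..8")
        defined.add(name)
    queued = {q.get("packet-mark") for q in tree}
    for mark in sorted(m for m in produced if m and m not in queued):
        problems.append(f"mark '{mark}' is produced by mangle but no queue uses it")
    return problems


if __name__ == "__main__":
    for problem in check_queue_tree(SAMPLE_EXPORT, interfaces=("wan", "lan")):
        print(problem)
```

Feed it the output of `/export` (or the page's listings pasted into a file) and fix everything it
prints before importing the config; RouterOS rejects an `add` whose parent does not exist yet, and
a queue with a mark nobody sets silently matches nothing.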

Arranged by Baratev
~baratev.sourceforge.net
contact: baratev[at]yahoo.com
15:18 27/05/2008


Concept and Application of NTH for Load Balancing on Mikrotik ( Baratev )

#############################################################
Concept and Application of NTH for Load Balancing on Mikrotik
#############################################################

I N T R O
---------

O-----------------------------------------------------------------------------------

nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received
        by the rule. One of 16 available counters can be used to count packets

Every   - match every Every+1th packet. For example, if Every=1 then the rule matches
          every 2nd packet
Counter - specifies which counter to use. A counter increments each time the rule
          containing the nth match matches
Packet  - match on the given packet number. The value, for obvious reasons, must be
          between 0 and Every. If this option is used for a given counter, then
          there must be at least Every+1 rules with this option, covering all values
          between 0 and Every inclusively.
O-----------------------------------------------------------------------------------

nth has 3 parts

call them A, B, C
A = every
B = counter
C = packet

after reading the manual above again and again and again

I still do not understand these three parts.

for a 2-line load balance some people write:
every 1 counter 1 packet 0 <-- line 1
every 1 counter 1 packet 1 <-- line 2

others write: 1,2,0 - 1,2,1

My Understanding of Nth:

Basically the connections that enter the router's processing become one and the same stream,
even though they arrive from different interfaces. (well, this one is debatable)

When we want to apply the Nth method, we naturally also give the router a constraint so that
it only processes connections from a certain source (e.g. from local IPs).

Once the router has formed a kind of new 'queue' out of the constraint we gave above, the
Nth process starts.


#Every

The Every number is the number of groups we want to produce. So if we want to split the
connection stream into 4 groups that will later be load-balanced over the 4 available links,
then Every = 4.

However, after comparing the Mikrotik manual with the description of Nth on Linux, there is
a difference here.

On Mikrotik the Every number must be reduced by 1, so following the example above we must
enter Every = 3. This is probably because the Nth process on Mikrotik applies Every+1 (see
the manual) when it counts connections.

So my tentative conclusion: if we want to split into 4 groups, then:

- On Linux, Every = 4
- On Mikrotik, Every = 3


#Counter

The Counter number can be 0-15. It selects which counter we use. Mikrotik has 16 counters
available, the same as the implementation on Linux.

After a discussion with bro D3V4, it turns out the counter setting does matter. So the
tentative conclusion is that on Mikrotik the counter should be set to every+1.


#Packet

Now we reach the last parameter, and this one is decisive.

If we want to make 4 groups, we naturally have to make 4 mangle rules. In those rules the
Every and Counter numbers must be the same, but the Packet number must change.

For 4 groups the packet numbers of the 4 rules are 0, 1, 2 and 3. The numbers run from
0 ... (n-1).

The Packet number is used the same way on Linux and Mikrotik.


Example

Let us take Nth for 4 links. The Nth values for each rule on Mikrotik are (the counter
used is 4):

Rule 1 = 3,4,0
Rule 2 = 3,4,1
Rule 3 = 3,4,2
Rule 4 = 3,4,3


T H E O R Y
-----------

TCP connection 3-way handshake

1. connection establishment
2. data transfer
3. connection termination

with the following states:
1. LISTEN
2. SYN-SENT
3. SYN-RECEIVED
4. ESTABLISHED
5. FIN-WAIT-1
6. FIN-WAIT-2
7. CLOSE-WAIT
8. CLOSING
9. LAST-ACK
10. TIME-WAIT
11. CLOSED

if my theory is right (CMIIW again), the mangle process cuts in at number 4

i.e. the connection is not closed yet but a new request is already made (new connection state),
in other words:

the connection is still open and a request already goes out through another gateway ... so all
the Speedy lines we have are opened and used.

so even though only Speedy IP 1 is detected, the load is still split across as many n-th as we
have.. ROUND ROBIN!



EXAMPLE CONFIGURATION I
-----------------------

For a connection through an ADSL modem there are 2 options:
- Set the modem as a bridge, so the router is the PPPoE client
- Set the modem as the PPPoE client, so the router only has to match the modem's local IP


Topology


          ISP1 (wlan2)                        ISP2 (wlan1)
          10.111.0.1/24                       10.112.0.1/24
                |                                   |
                |                                   |
      wlan2 10.111.0.2/24 ===[ router ]=== 10.112.0.2/24 wlan1
                                 |
                               Local


Configuration export from the gateway router:

########################################################################################

/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1

/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
new-routing-mark=odd passthrough=no

add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
new-routing-mark=even passthrough=no


add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no

add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no

/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10

########################################################################################


### Explanation

Below, each part of the configuration is explained first and then shown as the snippet it describes.


~ IP Addresses

The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and
10.112.0.2/24. The LAN interface has the name "Local" and IP address of 192.168.0.1/24.
----------------------------------------------------------------------------------------
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
----------------------------------------------------------------------------------------


~ Mangle

All traffic from customers having their IP address previously placed in the address
list "odd" is instantly marked with connection and routing marks "odd". Afterwards
the traffic is excluded from processing against successive mangle rules in prerouting chain.
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
    new-routing-mark=odd passthrough=no
----------------------------------------------------------------------------------------

Same stuff as above, only for customers having their IP address previously placed
in the address list "even".
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
    new-routing-mark=even passthrough=no
----------------------------------------------------------------------------------------

First we take every second packet that establishes a new session (note connection-state=new)
and mark it with the connection mark "odd". Consequently all successive packets belonging to
the same session carry the connection mark "odd". Note that these packets are passed on to
the second and third rules (passthrough=yes). The second rule adds the client's IP address
to the address list so that all of its subsequent sessions go through the same gateway.
The third rule places the routing mark "odd" on all packets that belong to an "odd"
connection and stops processing the remaining mangle rules in the prerouting chain for
these packets (passthrough=no).
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no
----------------------------------------------------------------------------------------

These rules do the same for the remaining half of the traffic as the first three
rules for the first half of the traffic.

The code above effectively means that each new connection initiated through
the router from the local network will be marked as either "odd" or "even"
with both routing and connection marks.
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no
----------------------------------------------------------------------------------------

The above works fine. There are however some situations where you might find
that the same IP address is listed under both the ODD and EVEN src-address-lists.
This behavior causes issues with apps that require persistent connections.
A simple remedy for this situation is to add the following statement to your
mangle rules:
----------------------------------------------------------------------------------------
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
src-address-list=!odd action=mark-connection new-connection-mark=even \
passthrough=yes
----------------------------------------------------------------------------------------
This ensures that a new connection is not accepted as EVEN when its source is already
in the ODD src-address-list. You will have to do the same for the ODD mangle rule,
excluding IPs already part of the EVEN src-address-list.
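As an added example (not from the original post or the MikroTik wiki), a small Python model of the prerouting chain above shows how one client can end up in both lists with the original rules and why the `src-address-list=!odd` / `!even` exclusion stops it. It assumes RouterOS 2.9 nth semantics (a shared counter advances once per packet and the rule matches when the counter equals the packet index) and that the mark-routing rules written without an explicit passthrough use the default passthrough=yes.

```python
from collections import defaultdict

# Hypothetical rule encoding (not a RouterOS API): matchers plus one action.
def rule(action, mark, **matchers):
    return dict(action=action, mark=mark, **matchers)

def prerouting_rules(exclude_other_list=False):
    """The odd/even chain from the post; exclude_other_list adds the !odd / !even fix."""
    odd_x = {"not_in": "even"} if exclude_other_list else {}
    even_x = {"not_in": "odd"} if exclude_other_list else {}
    return [
        rule("mark-connection", "odd", src_list="odd", passthrough=True),
        rule("mark-routing", "odd", src_list="odd", passthrough=True),  # assumed default
        rule("mark-connection", "even", src_list="even", passthrough=True),
        rule("mark-routing", "even", src_list="even", passthrough=True),  # assumed default
        rule("mark-connection", "odd", new=True, nth=(1, 1, 0), passthrough=True, **odd_x),
        rule("add-src-to-address-list", "odd", conn_mark="odd", passthrough=True),
        rule("mark-routing", "odd", conn_mark="odd", passthrough=False),
        rule("mark-connection", "even", new=True, nth=(1, 1, 1), passthrough=True, **even_x),
        rule("add-src-to-address-list", "even", conn_mark="even", passthrough=True),
        rule("mark-routing", "even", conn_mark="even", passthrough=False),
    ]

class Router:
    def __init__(self, rules):
        self.rules = rules
        self.lists = defaultdict(set)     # address-list name -> IPs (timeouts ignored)
        self.counters = defaultdict(int)  # nth counter id -> current value
        self.conns = {}                   # connection id -> its marks

    def packet(self, conn_id, src):
        """Run one packet through the chain; returns the routing mark it leaves with."""
        is_new = conn_id not in self.conns
        conn = self.conns.setdefault(conn_id, {"mark": None, "route": None})
        ticked = set()  # an nth counter advances at most once per packet
        for r in self.rules:
            # matchers are checked in order; nth is only consulted when reached
            if "src_list" in r and src not in self.lists[r["src_list"]]:
                continue
            if "not_in" in r and src in self.lists[r["not_in"]]:
                continue
            if r.get("new") and not is_new:
                continue
            if "conn_mark" in r and conn["mark"] != r["conn_mark"]:
                continue
            if "nth" in r:
                every, ctr, pkt = r["nth"]
                if ctr not in ticked:
                    self.counters[ctr] = (self.counters[ctr] + 1) % (every + 1)
                    ticked.add(ctr)
                if self.counters[ctr] != pkt:
                    continue
            if r["action"] == "mark-connection":
                conn["mark"] = r["mark"]
            elif r["action"] == "mark-routing":
                conn["route"] = r["mark"]
            else:  # add-src-to-address-list
                self.lists[r["mark"]].add(src)
            if not r["passthrough"]:
                break
        return conn["route"]

def in_both_lists(router, ip):
    return ip in router.lists["odd"] and ip in router.lists["even"]

def scenario(fixed):
    """One constructed client opens four connections; returns their gateways and the clash."""
    rt = Router(prerouting_rules(fixed))
    client = "192.168.0.10"  # constructed sample address
    routes = [rt.packet(f"conn{i}", client) for i in range(4)]
    return routes, in_both_lists(rt, client)

if __name__ == "__main__":
    print("original rules:", scenario(False))  # (['even', 'odd', 'even', 'odd'], True)
    print("with !odd/!even:", scenario(True))  # (['even', 'even', 'even', 'even'], False)
```

With the original rules the listed client reaches the nth rules again on every new session and flips between gateways, which is the persistent-connection breakage described above; with the exclusion it stays on one gateway.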

~NAT

All traffic marked "odd" is being NATted to source IP address of 10.111.0.2,
while traffic marked "even" gets "10.112.0.2" source IP address.
----------------------------------------------------------------------------------------
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535
----------------------------------------------------------------------------------------


~Routing

For all traffic marked "odd" (consequently having 10.111.0.2 translated source address)
we use 10.111.0.1 gateway. In the same manner all traffic marked "even" is routed
through the 10.112.0.1 gateway.
----------------------------------------------------------------------------------------
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
----------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------
/ ip route
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
----------------------------------------------------------------------------------------

Finally, we have one additional entry specifying that traffic from the router
itself (the traffic without any routing marks) should go to 10.112.0.1 gateway.


EXAMPLE CONFIGURATION II (PPPoE on MT)
--------------------------------------

#######################################################################################
# mar/15/2008 21:38:00 by RouterOS 2.9.XX
# software id = 2XX-RXX
#

/ interface ethernet
set Speedy1 name="Speedy1" mtu=1500 mac-address=00:D0:5E:39:70:5C arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no

set Speedy2 name="Speedy2" mtu=1500 mac-address=00:D0:5E:39:6F:69 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no

set Local name="Local" mtu=1500 mac-address=00:D0:5E:39:6F:BA arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no

/ interface pppoe-client
add name="pppoe-out1" max-mtu=1480 max-mru=1480 interface=Speedy1 \
user="111xxxx@telkom.net" password="xxxx" profile=default \
service-name="" ac-name="" add-default-route=yes dial-on-demand=no \
use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no

add name="pppoe-out2" max-mtu=1480 max-mru=1480 interface=Speedy2 \
user="111xxxxx@telkom.net" password="xxxx" profile=default \
service-name="" ac-name="" add-default-route=yes dial-on-demand=no \
use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no


/ ip dns
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w


/ ip address --- ???
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 \
interface=Speedy1 comment="" disabled=no

add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 \
interface=Speedy2 comment="" disabled=no

add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface=Local comment="" disabled=no

/ ip route
add dst-address=0.0.0.0/0 gateway=125.162.80.1 scope=255 target-scope=10 \
comment="" disabled=no

add dst-address=0.0.0.0/0 gateway=125.162.92.1 check-gateway=ping scope=255 \
target-scope=10 comment="" disabled=no

/ ip firewall mangle
add chain=prerouting in-interface=Local src-address-list=Games \
action=mark-connection new-connection-mark=Games passthrough=yes \
comment="Multi ISP" disabled=no

add chain=prerouting in-interface=Local src-address-list=Games \
action=mark-routing new-routing-mark=Games passthrough=no comment="" \
disabled=no

add chain=prerouting in-interface=Local src-address-list=Net \
action=mark-connection new-connection-mark=Net passthrough=yes comment="" \
disabled=no

add chain=prerouting in-interface=Local src-address-list=Net \
action=mark-routing new-routing-mark=Net passthrough=no comment="" \
disabled=no


add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=Games passthrough=yes \
comment="" disabled=no

add chain=prerouting in-interface=Local connection-mark=Games \
action=add-src-to-address-list address-list=Games address-list-timeout=1d \
comment="" disabled=no

add chain=prerouting in-interface=Local connection-mark=Games \
action=mark-routing new-routing-mark=Games passthrough=no comment="" \
disabled=no


add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=Net passthrough=yes comment="" \
disabled=no

add chain=prerouting in-interface=Local connection-mark=Net \
action=add-src-to-address-list address-list=Net address-list-timeout=1d \
comment="" disabled=no

add chain=prerouting in-interface=Local connection-mark=Net \
action=mark-routing new-routing-mark=Net passthrough=no comment="" \
disabled=no

###
add chain=prerouting protocol=tcp src-port=1-1000 dst-port=1-1000 \
action=mark-connection new-connection-mark=spnet_conn passthrough=yes \
comment="Routing Per Port Net" disabled=no

add chain=prerouting protocol=udp dst-port=1-1000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=udp dst-port=3128 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=udp dst-port=5050-5060 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=tcp dst-port=5050-5060 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=tcp dst-port=6660-7000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=udp dst-port=6660-7000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no

add chain=prerouting connection-mark=spnet_conn action=mark-packet \
new-packet-mark=spnet passthrough=no comment="" disabled=no

####
add chain=prerouting protocol=tcp dst-port=1001-3127 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="Routing Per Port \
games" disabled=no

add chain=prerouting protocol=udp dst-port=1001-3127 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=tcp dst-port=3129-5049 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=udp dst-port=3129-5049 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=tcp dst-port=5061-6659 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=udp dst-port=5061-6659 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=tcp dst-port=7001-8079 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=udp dst-port=7001-8079 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=tcp dst-port=8081-65535 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no

add chain=prerouting protocol=udp dst-port=8081-65535 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no

add chain=prerouting connection-mark=spgames_conn action=mark-packet \
new-packet-mark=spgames passthrough=no comment="" disabled=no

/ ip firewall nat
add chain=dstnat dst-address=64.4.0.0/18 action=accept comment="" disabled=no

add chain=srcnat out-interface=pppoe-out1 packet-mark=!spgames \
connection-mark=!spgames_conn dst-address-list=!Games action=masquerade \
comment="NAT CLIENT" disabled=no

add chain=srcnat out-interface=pppoe-out2 packet-mark=!spnet \
connection-mark=!spnet_conn dst-address-list=!Net action=masquerade \
comment="" disabled=no

######################################################################################


## Failover Script

Isn't failover easier to do with the netwatch tool?
For example with a script like this:

Code:
-------------------------------------------------------------------------------------
/system script add name=check-gw source={
:local GW ""
# build the gateway list from the netwatch entries that are currently up;
# netwatch entries are looked up by their comment (R1, R2)
:if ([/tool netwatch get [find comment=R1] status]="up") do={:set GW "192.168.1.1"}
:if ([/tool netwatch get [find comment=R2] status]="up") do={
  :if ($GW="") do={:set GW "203.81.xxx.xxx"} else={:set GW ($GW . ",203.81.xxx.xxx")}
}
# only touch the default route when at least one gateway is up
:if ($GW!="") do={
  /ip route set [/ip route find dst-address=0.0.0.0/0] gateway=$GW
}
}

/tool netwatch add comment=R1 host=192.168.1.1 interval=5s up-script=check-gw \
down-script=check-gw

/tool netwatch add comment=R2 host=203.81.xxx.xxx interval=5s up-script=check-gw \
down-script=check-gw
---------------------------------------------------------------------------------------

EXAMPLE CASES
-------------

using 5 Speedy lines

case 1, Nth = 4,5,n-1

when one modem is unplugged the connection goes haywire... lots of lag....
then... unplug one more modem....... it gets even worse.... the connection
falls apart.. many "connection time out" messages appear

case 2, Nth = 4,0,n-1

unplug 1 modem ........... still no problem.... only after unplugging the 2nd modem
do a few websites need to be refreshed......
unplug the 3rd modem ..... it starts falling apart.........


It seems Nth (n,0,n-1) can act as failover, provided only 1 connection goes down.
And judging by the response, load sharing is much faster with
counter 0 (n,0,n-1) than with (n,n,n-1)


Problems:
- The same gateway
- DNS priority
- Which Nth is suitable?
- Firewall NAT: choose between action masquerade and src-nat?



edited by baratev
Compiled from: - www.forummikrotik.com ([a], d3v4, akangage, et al.)
- wiki.mikrotik.com
22:21 27/04/2008


Cisco Router Configuration Commands

Friday, July 11, 2008

Requirement Cisco Command

Set a console password to cisco
Router(config)#line con 0
Router(config-line)#login
Router(config-line)#password cisco

Set a telnet password
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco

Stop console timing out
Router(config)#line con 0
Router(config-line)#exec-timeout 0 0

Set the enable password to cisco
Router(config)#enable password cisco

Set the enable secret password to peter. This password overrides the enable password and is encrypted within the config file
Router(config)#enable secret peter


Enable an interface
Router(config-if)#no shutdown

To disable an interface
Router(config-if)#shutdown


Set the clock rate for a router with a DCE cable to 64K
Router(config-if)#clock rate 64000


Set a logical bandwidth assignment of 64K to the serial interface
Router(config-if)#bandwidth 64

Note that the zeroes are not missing

To add an IP address to an interface
Router(config-if)#ip addr 10.1.1.1 255.255.255.0


To enable RIP on all 172.16.x.y interfaces
Router(config)#router rip
Router(config-router)#network 172.16.0.0

Disable RIP
Router(config)#no router rip

To enable IGRP with an AS of 200, on all interfaces
Router(config)#router igrp 200
Router(config-router)#network 172.16.0.0

Disable IGRP
Router(config)#no router igrp 200

Static route: the remote network is 172.16.1.0 with a mask of 255.255.255.0,
the next hop is 172.16.2.1, at a cost of 5 hops

Router(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.1 5

Disable CDP for the whole router
Router(config)#no cdp run

Enable CDP for the whole router

Router(config)#cdp run

Disable CDP on an interface


Router(config-if)#no cdp enable


Source: http://tomax7.com/index.html



Cisco Router Show Commands

Requirement Cisco Command

View version information
show version

View current configuration (DRAM)
show running-config

View startup configuration (NVRAM)
show startup-config

Show IOS file and flash space
show flash

Shows all logs that the router has in its memory

show log

View the interface status of interface e0

show interface e0

Overview all interfaces on the router

show ip interfaces brief

View type of serial cable on s0

show controllers s 0 (note the space between the 's' and the '0')

Display a summary of connected cdp devices

show cdp neighbor

Display detailed information on all devices

show cdp entry *

Display current routing protocols

show ip protocols

Display IP routing table

show ip route

Display access lists, this includes the number of displayed matches

show access-lists


Check the router can see the ISDN switch

show isdn status

Check a Frame Relay PVC connections
show frame-relay pvc

Display the frame inverse ARP table

show frame-relay map




Cisco Router Basic Operations

Requirement Cisco Command




enable
Enter privileged mode

Return to user mode from privileged
disable


Exit Router
logout or exit or quit


Recall last command
up arrow or <Ctrl-P>

Recall next command
down arrow or <Ctrl-N>


Suspend or abort
<Shift> and <Ctrl> and 6 then x


Refresh screen output
<Ctrl-R>


Complete command
TAB

Cisco Router Copy Commands
Requirement
Cisco Command



Save the current configuration from DRAM to NVRAM
copy running-config startup-config



Merge NVRAM configuration to DRAM
copy startup-config running-config
Copy DRAM configuration to a TFTP server
copy running-config tftp



Merge TFTP configuration with current router configuration held in DRAM
copy tftp running-config

Backup the IOS onto a TFTP server
copy flash tftp

Upgrade the router IOS from a TFTP server
copy tftp flash


Cisco Router Debug Commands

Requirement Cisco Command


Enable debug for RIP
debug ip rip

Enable summary IGRP debug information
debug ip igrp events

Enable detailed IGRP debug information
debug ip igrp transactions

Debug IPX RIP
debug ipx routing activity

Debug IPX SAP
debug ipx sap

Enable debug for CHAP or PAP
debug ppp authentication

Switch all debugging off
no debug all
undebug all


2 Plan Setting Dasan DSLAM

A. Router -> Catalyst / Switch -> DSLAM -> Customer Modem
* Using Fast Ethernet between the devices
B. Router -> DSLAM -> Customer Modem (PLAN B)
* Using Fast Ethernet or Ethernet between the devices


configuration speedy connection with load balancing prolink

Wednesday, January 30, 2008


Free BSD Router with PPPOE Dial

Friday, January 4, 2008

source from sentot
a. Device Configuration
> cat /etc/rc.conf
sshd_enable="YES"
fsck_y_enable="YES"
gateway_enable="YES"
natd_interface="tun0"
ifconfig_xl0="up"
ifconfig_xl1="inet 192.168.10.10 netmask 255.255.255.0"
hostname="router.yourhostname"
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="speedy"
ppp_nat="YES"
b. Firewall, IDS, Daemon Configuration
> cat /etc/rc.local
/usr/local/bin/portsentry -tcp
/usr/local/bin/portsentry -udp
/sbin/ipfw add deny tcp from any to any 135-137
/sbin/ipfw add deny udp from any to any 135-137
/sbin/ipfw add deny tcp from any to any 6257
/sbin/ipfw add deny udp from any to any 6257
/sbin/ipfw add deny tcp from any to any 6699
/sbin/ipfw add deny udp from any to any 6699
/sbin/ipfw add deny tcp from any to any 2754
/sbin/ipfw add deny udp from any to any 2754
/sbin/ipfw add deny tcp from any to any 2535
/sbin/ipfw add deny udp from any to any 2535
/sbin/ipfw add deny tcp from any to any 4661-4672
/sbin/ipfw add deny udp from any to any 4661-4672
/sbin/ipfw add deny tcp from any to any 1214
/sbin/ipfw add deny udp from any to any 1214
/sbin/ipfw add deny tcp from any to any 1024
/sbin/ipfw add deny udp from any to any 1024
/sbin/ipfw add deny tcp from any to any 6881-6889
/sbin/ipfw add deny udp from any to any 6881-6889
/sbin/ipfw add deny tcp from any to any 6346-6347
/sbin/ipfw add deny udp from any to any 6346-6347
/sbin/ipfw add deny tcp from any to any 8000
/sbin/ipfw add deny udp from any to any 8000
/sbin/ipfw add deny tcp from any to any 8372
/sbin/ipfw add deny udp from any to any 8372
/sbin/ipfw add deny tcp from any to any 8360
/sbin/ipfw add deny udp from any to any 8360
/usr/local/squid/sbin/squid -D
/sbin/ipfw add 350 fwd 192.168.10.10,3128 tcp from 192.168.10.0/24 to any www
c. Simple squid configuration
> cat squid.conf
http_port 192.168.10.10:3128
icp_port 3130
icp_query_timeout 0
maximum_icp_query_timeout 5000
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin ? js
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir diskd /cache 3000 16 256 Q1=72 Q2=64
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log none
emulate_httpd_log off
log_ip_on_direct on
ftp_user areksitiung@yahoo.com
wais_relay_port 0
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 5 minute
positive_dns_ttl 6 hour
negative_dns_ttl 5 minute
range_offset_limit 0 KB
acl porn url_regex "/usr/local/squid/etc/bokep.txt"
acl noporn url_regex "/usr/local/squid/etc/nobokep.txt"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl handikanet src 192.168.10.0/24
acl SSL_ports port 443 563
acl irc_ports port 6667
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny porn !noporn
http_access allow manager localhost
http_access allow handikanet
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT !irc_ports
http_access deny all
icp_access allow all
connect_timeout 2 minute
peer_connect_timeout 30 seconds
read_timeout 15 minute
request_timeout 30 second
client_lifetime 5 day
pconn_timeout 120 second
shutdown_lifetime 30 second
cache_mgr yourmail@yahoo.com
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.yourhostname.com
logfile_rotate 10
forwarded_for on
log_icp_queries off
icp_hit_stale off
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db off
netdb_low 900
netdb_high 1000
netdb_ping_period 5 minutes
query_icmp on
test_reachability on
nonhierarchical_direct off
prefer_direct on
ignore_unknown_nameservers on
high_memory_warning 0
store_dir_select_algorithm round-robin
ie_refresh on
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#acl magic_words1 url_regex -i 192.168.10.
#acl magic_words2 url_regex -i .update .ftp .torrent .exe .vqf .rpm .zip .rar .tar.gz .iso .mpeg .mp3 .mpe .mpg .qt .ram .rm .raw .wav .wmv .mov .avi .gp3 .fla .dat
delay_pools 3
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow magic_words1
delay_class 2 2
delay_parameters 2 8000/80000 8000/80000
delay_access 2 allow magic_words2
