Introduction to Cisco Routers
Saturday, July 12, 2008
Router Definition
A router is a device whose job is to forward packets from one network to another (LAN to LAN or LAN to WAN), so that hosts on one network can communicate with hosts on another network. A router joins those networks at the network layer of the OSI model, so technically a router is a Layer 3 gateway. A router can be a device designed specifically to act as a router (a dedicated router), or a PC set up to act as a router.
In this article I will only write about Cisco routers, that is, dedicated routers made by the vendor Cisco (http://www.cisco.com). Therefore, every occurrence of the word Router in the rest of this article means a Cisco router.
Network Interface
A network interface is an interface whose job is to connect a host to a network. It is hardware that works at layer 1 of the OSI model. A router needs network interfaces to connect it to a LAN or a WAN. Because a router's task is to join networks, it must have at least 2 network interfaces. With this minimal configuration the router can join 2 networks, since each network needs one network interface connected to the router.
Configuring the Router
A router has no monitor for interacting with the network administrator, so we need a PC to set up a router.
That PC must be connected to the router in one of the following ways:
• through the console port
• through the network
Configuring the Router through the Console Port
The console port is a port on the router provided for connecting the router to the "outside world". A rollover cable is needed to connect the serial port on the PC to the console port on the router. Once the router is connected to the PC, it can be configured by running the HyperTerminal application on the PC.
Configuring the Router through the Network
With this method the router is configured from a PC that reaches the router over the network. This method can only be used to view the configuration and to modify a configuration that is already on the router. Why? Because a router is only reachable over the network once its network interface has been configured correctly. On the other hand, this method also has an advantage: the network administrator has more freedom in where to put the PC used to modify the router configuration. The administrator can place the PC anywhere, as long as it can reach the router over the network. With this method the network administrator needs a telnet application to configure the router. The steps for using telnet on a PC running Windows are:
• Open a command prompt (or the MS-DOS prompt on Windows 9x)
• Type the following command at the prompt:
C:\> telnet IP-address-of-Router
Example:
C:\> telnet 172.16.148.1
Initial Router Configuration
The router configuration is stored in a special memory on the router called nonvolatile random-access memory (NVRAM). If no configuration is stored in NVRAM, the router's operating system runs a routine that asks a series of questions whose answers are used to configure the router. In Windows vocabulary such a routine is known as a Wizard; on a Cisco router it is called the system configuration dialog or setup dialog.
The setup dialog is only designed to produce a minimal configuration, because the purpose of setup mode is simply to create a configuration quickly and easily. For a complex configuration the network administrator must do the work manually. The setup dialog can also be invoked even when NVRAM already contains a configuration.
The administrator simply types the command setup at the CLI (Command Line Interface) and the setup dialog runs. An example of invoking the setup dialog from the CLI follows.
Command Access Levels
For security purposes, the commands that can be run from the CLI are divided into 2 access levels:
• User Mode
• Privileged Mode
User mode is intended for viewing the router's status. The commands allowed in this mode cannot change the router configuration, so this mode is safer when a network administrator only wants to look at the router's status and does not want to change anything.
Privileged mode has a higher access level. In this mode the network administrator can change the router configuration. It should therefore be used with great care, to avoid unwanted changes to the router.
When you first log on to the router you are in user mode, whose prompt ends with a (>) sign. To move from user mode to privileged mode, execute the command enable at the prompt. The prompt changes to a (#) sign when you are in privileged mode. To return from privileged mode to user mode, execute the command disable at the prompt.
Example:
router con0 is now available
Press RETURN to get started
router>
router> enable
router# disable
router>
router> logout
Changing the Router Configuration
As mentioned earlier, the setup dialog is not designed for modifying the router configuration or for building a complex one. For that, the work must be done manually by entering configuration mode. The configuration can be changed directly through the console or remotely over the network, as discussed above. Once the PC is connected to the router, the network administrator must first enter privileged mode as described above. The configuration is then changed with the command configure terminal, which enters global configuration mode, followed by the configuration lines. After the configuration lines have been entered, the command exit is required to leave global configuration mode.
Example: changing the router configuration
router con0 is now available
Press RETURN to get started
router>
router> enable
router# configure terminal
router(config)# interface ethernet 0
router(config-if)# description IT Department LAN
router(config-if)# exit
router(config)# exit
router#
Securing the Router with Passwords
To make it harder for unauthorized people to change and disrupt the router configuration, the router needs to be protected with passwords.
Console Password
If a password is enabled on the console, a user cannot simply obtain access to the router through the console without first entering the console password. This requires the command line console 0, followed by the commands login and password, in the router configuration.
Example: creating a console password
Router(config)# line console 0
Router(config-line)# login
Router(config-line)# password coba
Router(config-line)# exit
Router(config)# exit
Router#
A router configured as in the example asks for a password when a user tries to get access through the console, and the password is coba.
Virtual Terminal Password
The virtual terminals are used when a user wants access over the network with a telnet application. A virtual terminal password must be configured before a user can get access over the network. Without a password, a connection over the network is refused by the router with the following message:
Password required, but none set
Example: configuring a password on the virtual terminals.
Router(config)# line vty 0 4
Router(config-line)# password cobain
Router(config-line)# exit
Router(config)# exit
Router#
In the example the router asks for a password when it is accessed over the network, and the virtual terminal password is cobain. The 0 in the line vty 0 4 command is the number of the first virtual terminal and the 4 is the number of the last one; the command therefore shows that this router allows 5 simultaneous connections through its virtual terminals.
Privileged Mode Password
After a user has entered the correct password to get access to the router, whether over the network or through the console, the user is in user mode.
If a password for privileged mode is configured, the user must enter a password again to enter that mode.
The commands used to set a password for this mode are enable password and enable secret.
The difference between the two is that enable secret stores the password in encrypted (hashed) form, whereas enable password does not. Both commands can be present in the global configuration at the same time, and they can hold different passwords; but if both are present, the enable secret password is the one used to enter privileged mode.
Example: configuring an enable password
Router(config)# enable password rahasia
Example: configuring an enable secret
Router(config)# enable secret rahasiabanget
In the router configuration a command can be removed by prefixing it with no in configuration mode. The password from the example can therefore be removed with the command shown in the following example.
Example: removing the enable secret password
Router(config)# no enable secret rahasiabanget
Configuring Interfaces
As explained earlier, a router's job is to forward packets from one network to another. For that purpose each network interface must be configured according to its characteristics.
The interface command in global configuration mode is provided for configuring the router's interfaces. Many interface types are configured with this command, among them Ethernet, Token Ring, FDDI, serial, HSSI, loopback, dialer, null, async, ATM, BRI, and tunnel.
In this article only Ethernet and serial interfaces are discussed further.
Configuring an Ethernet Interface
As explained above, the interface command must be run in global configuration mode. To enter global configuration mode, use the command configure terminal, as described earlier.
The format of the interface command for entering interface configuration mode for Ethernet on a router with only one slot is:
interface ethernet port-number
Some routers have multiple slots, for example the Cisco 2600, 3600 and 4000. For routers with multiple slots the command format is:
interface ethernet slot-number/port-number
Once interface configuration mode has been entered with the command above, the Ethernet interface can be configured as required.
The most basic configuration an Ethernet interface needs in order to forward packets is an IP address and a subnet mask.
The configuration format is:
ip address IP-address subnet-mask
Example: Ethernet interface configuration
Router# configure terminal
Router(config)# interface ethernet 1/0
Router(config-if)# description LAN pada Department IT
Router(config-if)# ip address 172.16.148.1 255.255.255.128
Router(config-if)# exit
Router(config)# exit
Router#
Configuring a Serial Interface
A serial interface is an interface often used for connections to a WAN (Wide Area Network). A serial connection needs clocking for synchronization, so a serial link has 2 sides: the DCE (data circuit-terminating equipment) and the DTE (data terminal equipment). The DCE provides the clock and the DTE follows the clock provided by the DCE. The DCE cable has a female connector, while the DTE cable has a male connector.
In practice the DCE is usually provided by the service provider, typically as the connection to a CSU/DSU. The router itself usually acts only as the DTE, so it does not need to provide clocking.
Nevertheless, a Cisco router can also act as a DCE that provides clocking. This is usually used for testing, where we connect 2 routers back to back so that one of them must act as the DCE for the link to come up.
Example: serial interface configuration as DTE
Router# configure terminal
Router(config)# interface serial 0
Router(config-if)# description WAN ke Natuna
Router(config-if)# ip address 172.16.158.1 255.255.255.252
Router(config-if)# bandwidth 64
Router(config-if)# exit
Router(config)# exit
Router#
Example: serial interface configuration as DCE
Router# configure terminal
Router(config)# interface serial 0
Router(config-if)# description Lab Cisco sebagai DCE
Router(config-if)# ip address 172.16.158.1 255.255.255.252
Router(config-if)# bandwidth 64
Router(config-if)# clock rate 64000
Router(config-if)# exit
Router(config)# exit
Router#
Disabling an Interface
Sometimes we need to disable an interface for troubleshooting or administrative reasons.
For that, the command shutdown is used on the interface concerned. To bring it back up, the command no shutdown is used.
Example: disabling an interface
Router(config)# interface serial 0
Router(config-if)# shutdown
Router(config-if)# exit
Router(config)#
Example: enabling an interface
Router(config)# interface serial 0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)#
Routing
Finally, once the interfaces are configured, the router needs a process that tells it how and where a packet must be forwarded. This process is called routing.
Routing can be divided into 2 groups:
1. Static Routing – the router forwards packets from one network to another along routes (note: like the routes of a city bus) defined by the administrator. Static routes do not change unless the administrator changes them manually.
2. Dynamic Routing – the router itself learns the best route for forwarding packets from one network to another. The administrator does not define the route the packets must take; the administrator only defines how the router learns routes, and the router then learns them by itself. Dynamic routes change according to what the router learns.
Dynamic routing is not discussed in this article: although its configuration is fairly easy, I consider how it works an advanced topic, so I leave it out here. Static routing is done by entering an ip route line in global configuration mode. The format of that line is:
ip route network [mask] {address | interface}
where:
• network is the destination network
• mask is the subnet mask
• address is the IP address to which traffic for that network is forwarded
• interface is the name of the interface used to forward packets destined for that network
[Figure: routing diagram]
The figure above shows a LAN connected to a WAN through 2 routers, router A and router B. For the LAN to be reachable from the WAN, router A needs a static route entered with the following command line:
RouterA(config)# ip route 172.16.10.0 255.255.255.0 172.16.158.1
And for router B to forward packets destined for the WAN, router B needs to be configured with the following static route:
RouterB(config)# ip route 0.0.0.0 0.0.0.0 172.16.158.2
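To make the longest-prefix matching behind these two ip route lines concrete, here is an added Python example (not part of the original article and not Cisco code) that builds both routers' tables and resolves a few destinations. The /30 link addresses (B = 172.16.158.1, A = 172.16.158.2), the connected networks and the interface names Serial0 and Ethernet0 are assumptions, since the article gives only the ip route lines.

```python
"""Longest-prefix-match lookup over the two routers' static routes.

Added example, not part of the original article and not Cisco code. The
ip route lines are the article's; the connected networks, the /30 link
addresses (B = 172.16.158.1, A = 172.16.158.2) and the interface names
are assumptions made so that the next hops can be resolved.
"""
import ipaddress


def parse_ip_route(line):
    """Parse 'ip route network mask {address | interface}' (an optional
    'RouterX(config)#' prompt in front is tolerated) into (network, via)."""
    fields = line.split()
    if fields and fields[0].endswith("#"):       # drop the CLI prompt, if any
        fields = fields[1:]
    if fields[:2] != ["ip", "route"] or len(fields) != 5:
        raise ValueError(f"unsupported ip route line: {line!r}")
    # ip_network accepts the dotted-mask form, e.g. 172.16.10.0/255.255.255.0
    network = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
    return network, fields[4]


class RoutingTable:
    def __init__(self):
        self.routes = []  # (network, next-hop address or None, interface or None)

    def add_connected(self, cidr, interface):
        self.routes.append((ipaddress.ip_network(cidr, strict=False), None, interface))

    def add_static(self, line):
        network, via = parse_ip_route(line)
        try:
            self.routes.append((network, ipaddress.ip_address(via), None))
        except ValueError:                       # 'via' names an interface, not an address
            self.routes.append((network, None, via))

    def lookup(self, dst):
        """Longest-prefix match: the most specific matching route wins, so the
        0.0.0.0/0 default route is used only when nothing narrower matches."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r[0]]
        return max(candidates, key=lambda r: r[0].prefixlen, default=None)

    def resolve(self, dst):
        """Return (next_hop, egress_interface), or None if dst is unroutable.
        A next hop given as an address must lie in a connected network;
        recursive static routes are deliberately not followed here."""
        route = self.lookup(dst)
        if route is None:
            return None
        _network, next_hop, interface = route
        if next_hop is None:                     # connected network or interface route
            return None, interface
        hop_route = self.lookup(str(next_hop))
        if hop_route is None or hop_route[1] is not None:
            return None
        return str(next_hop), hop_route[2]


def build_tables():
    """Router A faces the WAN, router B faces the LAN, as in the article's figure.
    The article gives no WAN-side routes for A, so destinations beyond the
    /30 link are unroutable on A in this model."""
    a = RoutingTable()
    a.add_connected("172.16.158.0/30", "Serial0")        # assumed link to router B
    a.add_static("RouterA(config)# ip route 172.16.10.0 255.255.255.0 172.16.158.1")
    b = RoutingTable()
    b.add_connected("172.16.158.0/30", "Serial0")        # assumed link to router A
    b.add_connected("172.16.10.0/24", "Ethernet0")       # assumed: the LAN behind B
    b.add_static("RouterB(config)# ip route 0.0.0.0 0.0.0.0 172.16.158.2")
    return {"A": a, "B": b}


if __name__ == "__main__":
    tables = build_tables()
    for router, dst in (("A", "172.16.10.25"), ("B", "172.16.10.25"),
                        ("B", "8.8.8.8"), ("A", "8.8.8.8")):
        print(f"Router {router}: {dst} -> {tables[router].resolve(dst)}")
```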
Saving and Loading the Configuration
The configuration lines we enter with configure terminal are only stored in RAM, which is volatile memory. If this configuration is not saved to NVRAM, it is lost when the router is powered off or restarted.
By default, at start-up the router takes the configuration from NVRAM, places it in RAM, and then operates using the configuration in RAM. To save the configuration in RAM to NVRAM, the following command is required in privileged mode:
Router# copy running-config startup-config
Conversely, to take the configuration in NVRAM and place it in RAM, the following command can be used in privileged mode:
Router# copy startup-config running-config
And to view the configuration currently in operation (in RAM), the command show running-config is used in privileged mode.
Example: viewing the running-config
Router# show running-config
Building configuration...
Current configuration : 4479 bytes
!
! Last configuration change at 12:23:26 UTC Fri Oct 10 2003
!
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname jakarta-lina
!
.... and so on .....
Some Tips
The basic knowledge in the sections above is in fact enough to start experimenting right away and to learn more about the router. But to round out and ease the learning process, it is worth knowing a few tips for finding out which commands can be run and how they are used.
Finding Out Which Commands Can Be Run
In any mode you can type a (?) at the prompt. When you do, the router tells you what you can enter at that prompt.
Example: viewing the commands that are valid at a prompt
Router> ?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  clear            Reset functions
  connect          Open a terminal connection
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lat              Open a lat connection
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  mrinfo           Request neighbor and version information from a multicast router
  mstat            Show statistics after multiple multicast traceroutes
  mtrace           Trace reverse multicast path from destination to source
  name-connection  Name an existing network connection
  pad              Open a X.29 PAD connection
  ping             Send echo messages
  ppp              Start IETF Point-to-Point Protocol (PPP)
  resume           Resume an active network connection
  rlogin           Open an rlogin connection
  show             Show running system information
  slip             Start Serial-line IP (SLIP)
  systat           Display information about terminal lines
  tclquit          Quit Tool Command Language shell
  tclsh            Tool Command Language shell
  telnet           Open a telnet connection
  terminal         Set terminal line parameters
  traceroute       Trace route to destination
  tunnel           Open a tunnel connection
  udptn            Open an udptn connection
  where            List active connections
  x28              Become an X.28 PAD
  x3               Set X.3 parameters on PAD
Router>
Example: viewing the commands that start with the letter "t"
Router> t?
tclquit  tclsh  telnet  terminal  traceroute  tunnel
Router> t
Example: viewing the continuation of a command
Router> telnet ?
  WORD  IP address or hostname of a remote system
Router> telnet
Incomplete Commands and Auto Completion
A command on the router does not have to be typed in full as long as it is not ambiguous. With this facility the administrator saves time by not having to type every command out in full.
Example: an incomplete command
Router# sh ru
Building configuration...
Current configuration : 4479 bytes
!
! Last configuration change at 12:23:26 UTC Fri Oct 10 2003
!
......... and so on .........
The example above shows that the router ran the command show running-config even though the administrator only typed sh ru at the prompt.
Sometimes we are not sure of a command, so we do not dare to type it incompletely as above. In that situation the administrator can also save typing time by pressing the key
Example: auto completion
Router> tel
Router> telnet
The example shows that the administrator only needs to type tel +
A Simple Configuration Example
Finally, I will close this article with a complete example of a simple router configuration. Happy learning.
Example: a complete simple configuration
trident16-rig#sh run
Building configuration...
Current configuration:
!
! No configuration change since last restart
!
version 12.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname trident16-rig
!
enable secret 5 $1$PlKA$Ev/ev3/gQJHnytqacioZt.
!
ip subnet-zero
no ip domain-lookup
ip name-server 192.23.168.5
ip name-server 192.23.164.5
!
interface Ethernet0
 description Local Segment for Trident 16 Rig
 ip address 172.16.135.1 255.255.255.192
!
interface Serial0
 description VSAT link to jakarta-lina-sat
 bandwidth 128
 ip address 172.16.158.174 255.255.255.252
!
interface Serial1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.158.173
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 023616521D071B240C600C0D12180000
 login
!
end
trident16-rig#
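As an added example (not from the article and not Cisco tooling), the following Python script audits a running-config of this shape for the password points made earlier: enable secret versus enable password, type 7 line passwords, lines without login or password (the "Password required, but none set" case), and telnet on the vty lines. Both configs embedded in it are constructed, with placeholder type 7 strings and hashes.

```python
"""Audit a Cisco IOS running-config for the password weaknesses the article
discusses. Added example: not from the article and not Cisco tooling. Both
configs below are constructed; the type 7 strings and $1$ hashes are
placeholders, not real credentials."""
import re

WEAK_CONFIG = """\
hostname lab-rig
!
enable password 7 0123456789ABCDEF
!
line con 0
 password coba
line aux 0
line vty 0 4
 password 7 0123456789ABCDEF
 login
line vty 5 15
 login
!
end
"""

HARDENED_CONFIG = """\
service password-encryption
hostname lab-rig
!
username admin secret 5 $1$XXXX$PLACEHOLDERHASHXXXXXXXXXXXX
enable secret 5 $1$YYYY$PLACEHOLDERHASHYYYYYYYYYYYY
!
line con 0
 login local
 transport input none
line vty 0 4
 login local
 transport input ssh
!
end
"""

# 'password coba', 'password 7 <hex>' and 'enable password 7 <hex>' all match.
PASSWORD_RE = re.compile(r"(?:enable )?password(?: (\d+))? \S+")


def split_blocks(config):
    """Map each top-level command to the indented sub-commands under it
    (IOS nests 'line' and 'interface' settings by one leading space)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        current = raw.strip()
        blocks[current] = []
    return blocks


def audit(config):
    """Return [(severity, finding), ...]; an empty list means nothing was flagged."""
    findings, blocks = [], split_blocks(config)
    has_secret = any(c.startswith("enable secret ") for c in blocks)
    has_enable_pw = any(c.startswith("enable password ") for c in blocks)
    if not has_secret and not has_enable_pw:
        findings.append(("HIGH", "global: no enable secret or enable password, privileged mode is open"))
    elif not has_secret:
        findings.append(("HIGH", "global: enable password without enable secret, so the "
                         "privileged-mode password is stored reversibly or in clear text"))
    elif has_enable_pw:
        findings.append(("MEDIUM", "global: enable password beside enable secret; only the secret "
                         "is checked at login, but the weaker copy stays in the config"))
    for header, body in blocks.items():
        for cmd in [header] + body:
            m = PASSWORD_RE.fullmatch(cmd)
            if m is None:
                continue
            where = "global" if cmd == header else header
            if m.group(1) is None:
                findings.append(("HIGH", f"{where}: clear-text password"))
            elif m.group(1) == "7":
                findings.append(("MEDIUM", f"{where}: type 7 password, a reversible encoding, not a hash"))
        if not header.startswith("line "):
            continue
        is_vty = header.startswith("line vty")
        if "login" not in body and "login local" not in body:
            findings.append(("HIGH" if is_vty else "MEDIUM", f"{header}: no login, sessions are not authenticated"))
        elif "login" in body and not any(c.startswith("password ") for c in body):
            # IOS refuses such sessions with "Password required, but none set".
            findings.append(("LOW", f"{header}: login without a password, remote sessions are refused"))
        if is_vty and "transport input ssh" not in body:
            findings.append(("LOW", f"{header}: telnet accepted, credentials cross the network in clear text"))
    return findings


def worst(findings):
    """Highest severity present, or None for a clean config."""
    order = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
    return max((s for s, _ in findings), key=order.get, default=None)
```

Run audit() on a saved show running-config dump; worst() gives the single severity to act on first.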
References
Steve McQuerry, Interconnecting Cisco Network Devices, Cisco Press.
Mangle, Queue Tree and prioritization ( baratev )
#######################################
Mangle, Queue Tree and prioritization
#######################################
As we know, 'simple queue' marks packets from/to the target IP and queues them using the
global-in/global-out parents for packets at the local side of the router. If we want to
queue services using 'queue tree' we can do it at the local or the public side. However,
if we want to use 'simple queue' and 'queue tree' together for services, we do not have
that choice: packets are marked at the local side and queued by 'simple queue' (we cannot
see this in /ip firewall mangle or /queue tree), so a second marking and a 'queue tree' at
the local side will not work. That is why, for services, we need to mark packets
incoming/outgoing (prerouting/postrouting) at the public side of the router.
Mangle Packet Flow
-------------------
* There are 5 places to mangle
  - Prerouting
  - Input
  - Output
  - Forward
  - Postrouting
* There are 4 places to limit
  - Global-in
  - Global-out
  - Global-total
  - Interface queue
    - Ether1, Ether2, etc. (WAN, LAN, etc.)
    - Wlan1, Wlan2, etc. (WAN, LAN, etc.)
Mangle Packet Flow Diagram
---------------------------
                                       +-------------+
                                    +->| Mangle      |--+
                                    |  | Forward     |  |
                                    |  +-------------+  |
                                    |                   v
                                _________           _________
+-------------------+          /         \         /         \           +-------------+
| Global-in          |          | Routing |         | Routing |           | Mangle      |
| (and global-total) |--------->| Decision|         | Decision|---------->| Postrouting |
+-------------------+          \_________/         \_________/           +-------------+
          ^                         |                   ^                       |
          |                         v                   |                       v
   +-------------+           +-------------+     +-------------+      +-------------------+
   | Mangle      |           | Mangle      |     | Mangle      |      | Global-out         |
   | Prerouting  |           | Input       |     | Output      |      | (and global-total) |
   +-------------+           +-------------+     +-------------+      +-------------------+
          ^                         |                   ^                       |
          |                         v                   |                       v
   +=============+           +=============+     +=============+         +=============+
   |    INPUT    |           |    Local    |     |    Local    |         |   OUTPUT    |
   |  INTERFACE  |           | Process-In  |---->| Process-Out |         |  INTERFACE  |
   +=============+           +=============+     +=============+         +=============+
## Configuration
/interface set ether1 name=wan
/interface set ether2 name=lan
/ip address add address=192.168.0.1/24 interface=lan
/ip address add address=1.0.0.2/24 interface=wan
/ip route add gateway=1.0.0.1
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.0.0/24
First we create the simple queues, for example (one queue per LAN host, the
host number appended to the name and the target address with the "." string operator):
:for z from 2 to 254 do={/queue simple add name=("0." . $z) target-addresses=("192.168.0." . $z) \
  parent=192.168.0.0/24 interface=all priority=4 queue=default/default max-limit=128000/530000 \
  total-queue=default}
Now we mark packets for the services:
/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=icmp_in passthrough=no \
in-interface=wan protocol=icmp comment="icmp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=icmp_out \
passthrough=no out-interface=wan protocol=icmp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no \
p2p=all-p2p in-interface=wan comment="p2p" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=p2p_out \
passthrough=no p2p=all-p2p out-interface=wan comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=pop3_in passthrough=no \
in-interface=wan src-port=110 protocol=tcp comment="pop3" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=pop3_out \
passthrough=no out-interface=wan dst-port=110 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=smtp_in passthrough=no \
in-interface=wan src-port=25 protocol=tcp comment="smtp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=smtp_out \
passthrough=no out-interface=wan dst-port=25 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=imap_in passthrough=no \
in-interface=wan src-port=143 protocol=tcp comment="imap" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=imap_out \
passthrough=no out-interface=wan dst-port=143 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=ssh_in passthrough=no \
in-interface=wan dst-port=22 protocol=tcp comment="ssh" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=ssh_out \
passthrough=no out-interface=wan src-port=22 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=winbox_in \
passthrough=no in-interface=wan dst-port=8291 protocol=tcp \
comment="winbox" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=winbox_out \
passthrough=no out-interface=wan src-port=8291 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=dns_in passthrough=no \
in-interface=wan src-port=53 protocol=udp comment="dns" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=dns_out \
passthrough=no out-interface=wan dst-port=53 protocol=udp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=www_in passthrough=no \
in-interface=wan src-port=80 protocol=tcp comment="www" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=www_out \
passthrough=no out-interface=wan dst-port=80 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=ssl_in passthrough=no \
in-interface=wan src-port=443 protocol=tcp comment="ssl" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=ssl_out \
passthrough=no out-interface=wan dst-port=443 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=udp_in passthrough=no \
in-interface=wan protocol=udp comment="udp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=udp_out \
passthrough=no out-interface=wan protocol=udp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=tcp_in passthrough=no \
in-interface=wan protocol=tcp comment="tcp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=tcp_out \
passthrough=no out-interface=wan protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=other_in \
passthrough=no in-interface=wan comment="other" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=other_out \
passthrough=no out-interface=wan comment="" disabled=no
after that we can make queue tree:
/queue tree
add name="upload_wan1" parent=global-out packet-mark="" limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="icmp_down" parent=global-in packet-mark=icmp_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="icmp_up" parent=global-out packet-mark=icmp_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="winbox_down" parent=global-in packet-mark=winbox_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="winbox_up" parent=global-out packet-mark=winbox_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="dns_down" parent=global-in packet-mark=dns_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="dns_up" parent=global-out packet-mark=dns_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="www_up" parent=upload_wan1 packet-mark=www_out limit-at=0 \
queue=wireless-default priority=2 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssl_up" parent=upload_wan1 packet-mark=ssl_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="p2p_up" parent=upload_wan1 packet-mark=p2p_out limit-at=0 \
queue=wireless-default priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="udp_up" parent=upload_wan1 packet-mark=udp_out limit-at=0 \
queue=wireless-default priority=6 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="tcp_up" parent=upload_wan1 packet-mark=tcp_out limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="other_up" parent=upload_wan1 packet-mark=other_out limit-at=0 \
queue=wireless-default priority=7 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="download_wan1" parent=global-in packet-mark="" limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="www_down" parent=download_wan1 packet-mark=www_in limit-at=0 \
queue=wireless-default priority=2 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssl_down" parent=download_wan1 packet-mark=ssl_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="p2p_down" parent=download_wan1 packet-mark=p2p_in limit-at=0 \
queue=wireless-default priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="udp_down" parent=download_wan1 packet-mark=udp_in limit-at=0 \
queue=wireless-default priority=6 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="tcp_down" parent=download_wan1 packet-mark=tcp_in limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="other" parent=download_wan1 packet-mark=other_in limit-at=0 \
queue=wireless-default priority=7 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssh_down" parent=global-in packet-mark=ssh_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssh_up" parent=global-out packet-mark=ssh_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="pop3_down" parent=download_wan1 packet-mark=pop3_in limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="smtp_down" parent=download packet-mark=smtp_in limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="imap_down" parent=download packet-mark=imap_in limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="imap_up" parent=upload packet-mark=imap_out limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="smtp_out" parent=upload packet-mark=smtp_out limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="pop3_up" parent=upload packet-mark=pop3_out limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
We have several basic download/upload queues:
- wan
- icmp
- winbox
- dns
Icmp, dns and winbox get the highest priority so that ping stays low, the DNS server
answers quickly and the Winbox session keeps working even when the link is saturated.
Next comes wan. Inside the wan tree we decide which service gets the highest priority,
which one gets guaranteed bandwidth and which one is slowed down.
From: http://wiki.mikrotik.com/wiki/Mangle%2C_Queue_Tree_and_prio_by_fly_man_..._almost_done
###################
# Alternative Mangle
###################
Prioritization Plan (1 = highest priority, 8 = lowest)
  1  DNS, SSH, ICMP, Telnet, HTTP request, HTTPS
  |  Game
  |  VoIP, Skype, video conference, VPN, MSN
  |  Mail, HTTP download, SFTP, FTP
  8  P2P
How to mark?
Group                  | Priority | Service             | Protocol | Dst-Port | Other Conditions
-----------------------|----------|---------------------|----------|----------|------------------------------
P2p_services           | 8        | P2p                 |          |          | p2p=all-p2p
-----------------------|----------|---------------------|----------|----------|------------------------------
Download_Services      | 7        | Mails               | TCP      | 110      |
                       |          |                     | TCP      | 995      |
                       |          |                     | TCP      | 143      |
                       |          |                     | TCP      | 993      |
                       |          |                     | TCP      | 25       |
                       |          | HTTP downloads      | TCP      | 80       | connection-bytes=500000-0
                       |          | FTP                 | TCP      | 20       |
                       |          |                     | TCP      | 21       |
                       |          | SFTP                | TCP      | 22       | packet-size=1400-1500
-----------------------|----------|---------------------|----------|----------|------------------------------
Ensign_services        | 1        | DNS                 | TCP      | 53       |
                       |          |                     | UDP      | 53       |
                       |          | ICMP                | ICMP     | -        |
                       |          | HTTPS               | TCP      | 443      |
                       |          | Telnet              | TCP      | 23       |
                       |          | SSH                 | TCP      | 22       |
                       |          | HTTP request        | TCP      | 80       | connection-bytes=0-500000
-----------------------|----------|---------------------|----------|----------|------------------------------
User_request           | 3        | Online game servers |          |          | dst-address-list=user_request
-----------------------|----------|---------------------|----------|----------|------------------------------
Communication_services | 5        | VoIP                |          |          |
                       |          | Skype               |          |          |
                       |          | Video conference    |          |          |
                       |          | VPN                 |          |          |
                       |          | MSN                 |          |          |
-----------------------|----------|---------------------|----------|----------|------------------------------
Source: MUM USA 2008, IL, Workshop Mikrotik, QoS Best Practice
Create packet marks in the mangle chain "prerouting" for traffic prioritization in the global-in queue:
o Ensign_services (Priority=1)
o User_requests (Priority=3)
o Communication_services (Priority=5)
o Download_services (Priority=7)
o P2P_services (Priority=8)
/ ip firewall mangle
add action=mark-connection chain=prerouting comment="Prio P2P" disabled=no \
new-connection-mark=prio_conn_p2p p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="" \
connection-mark=prio_conn_p2p disabled=no new-packet-mark=prio_p2p_packet \
passthrough=no
add action=mark-connection chain=prerouting comment="Prio Download_Services" \
disabled=no dst-port=110 new-connection-mark=prio_conn_download_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=995 new-connection-mark=prio_conn_download_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=143 new-connection-mark=prio_conn_download_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=993 new-connection-mark=prio_conn_download_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=25 \
new-connection-mark=prio_conn_download_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" \
connection-bytes=500000-0 disabled=no dst-port=80 \
new-connection-mark=prio_conn_download_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=20-21 new-connection-mark=prio_conn_download_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=22 \
new-connection-mark=prio_conn_download_services packet-size=1400-1500 \
passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" \
connection-mark=prio_conn_download_services disabled=no \
new-packet-mark=prio_download_packet passthrough=yes
add action=mark-connection chain=prerouting comment="Prio Ensign_Services" \
disabled=no dst-port=53 new-connection-mark=prio_conn_ensign_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=53 \
new-connection-mark=prio_conn_ensign_services passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_ensign_services passthrough=yes \
protocol=icmp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=443 new-connection-mark=prio_conn_ensign_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=23 \
new-connection-mark=prio_conn_ensign_services passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" \
connection-bytes=0-500000 disabled=no dst-port=80 \
new-connection-mark=prio_conn_ensign_services passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=179 new-connection-mark=prio_conn_ensign_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=8000 new-connection-mark=prio_conn_ensign_services \
passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" \
connection-mark=prio_conn_ensign_services disabled=no \
new-packet-mark=prio_ensign_packet passthrough=no
add action=mark-connection chain=prerouting \
comment="Prio SSH (small packets; bulk SFTP keeps the Download mark set above)" \
disabled=no dst-port=22 new-connection-mark=prio_conn_ensign_services \
packet-size=0-1399 passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="Prio User_Request" \
disabled=no dst-address-list=user_request \
new-connection-mark=prio_conn_user_services passthrough=yes
add action=mark-packet chain=prerouting comment="" \
connection-mark=prio_conn_user_services disabled=no \
new-packet-mark=prio_request_packet passthrough=yes
add action=mark-connection chain=prerouting comment="Prio_Communication" \
disabled=no new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=gre
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=5100 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=5050 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=5060 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=udp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=1869 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=1723 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=5190 new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-port=6660-7000 new-connection-mark=prio_conn_comm_services \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=ipencap
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=ipsec-esp
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_comm_services passthrough=yes \
protocol=ipsec-ah
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_comm_services passthrough=yes protocol=ipip
add action=mark-connection chain=prerouting comment="" disabled=no \
new-connection-mark=prio_conn_comm_services passthrough=yes protocol=encap
add action=mark-packet chain=prerouting comment="" \
connection-mark=prio_conn_comm_services disabled=no \
new-packet-mark=prio_comm_packet passthrough=no
Queue Tree
The child queues carry the priorities of the plan listed above (Ensign 1, User_request 3,
Communication 5, Download 7, P2P 8). Note that priority only takes effect when the parent
queue is actually limited: with max-limit=0 on "Priorization" the children never compete
for bandwidth, so set max-limit on the parent to just under the real link speed for the
ordering to have any effect.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="Priorization" packet-mark="" parent=global-in priority=1 \
queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="Ensign_Services_Prio1" packet-mark=prio_ensign_packet \
parent=Priorization priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="User_Request_Prio3" packet-mark=prio_request_packet \
parent=Priorization priority=3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="Communication_Services_Prio5" \
packet-mark=prio_comm_packet parent=Priorization priority=5 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="Download_Services_Prio7" \
packet-mark=prio_download_packet parent=Priorization priority=7 \
queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="P2P_Traffic_Prio8" packet-mark=prio_p2p_packet \
parent=Priorization priority=8 queue=default
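The mangle rules and queue trees on this page (both the wan/ssh/mail tree above and the Priorization tree) are only consistent if every child queue names an existing parent, every packet mark a queue waits for is actually set by a mark-packet rule, every mark-packet rule keys on a connection mark some mark-connection rule sets, and the queue priorities match the written plan. The following added example (my code, not from the page, MikroTik or the MUM workshop) parses the export syntax used in these listings and reports those four kinds of mismatch. The names parse_export, check, PLAN, SAMPLE_EXPORT and sample_findings are mine; the export fragment fed to it is constructed for the example and deliberately contains one inconsistency of each kind, and the PLAN dictionary carries the priorities of the plan listed above.

```python
"""Consistency check for a RouterOS mangle + queue-tree export.

Added example (not code from the page, MikroTik or the MUM workshop).
It parses the export syntax used in the listings above and flags:
  - a child queue whose parent is neither a global-* root, an interface
    nor a defined queue,
  - a queue waiting for a packet mark that no mark-packet rule sets,
  - a mark-packet rule keyed on a connection mark no mark-connection
    rule sets,
  - a queue priority that disagrees with the written plan.
"""
import re
import shlex

# Roots a queue tree may hang from without defining them. Assumption: the
# export uses only these roots plus interfaces passed to check().
GLOBAL_PARENTS = {"global-in", "global-out", "global-total"}


def parse_export(text):
    """Return {section: [entry, ...]} where each entry maps key -> value.

    Lines ending in a backslash are continuation lines and are joined
    first; shlex applies shell quoting, so comment="Prio P2P" stays one
    token and packet-mark="" becomes the empty string.
    """
    sections = {}
    current = None
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # "/ ip firewall mangle" and "/queue tree" -> "ip firewall mangle", "queue tree"
            current = re.sub(r"\s+", " ", line[1:].strip())
            sections.setdefault(current, [])
            continue
        words = shlex.split(line)
        if current is None or not words or words[0] not in ("add", "set"):
            continue
        entry = {}
        for word in words[1:]:
            if "=" in word:
                key, value = word.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def check(sections, plan, interfaces=()):
    """Cross-check mangle rules against the queue tree.

    plan maps a packet mark to the priority the design assigns to it.
    Returns a sorted list of findings; an empty list means consistent.
    """
    mangle = sections.get("ip firewall mangle", [])
    queues = sections.get("queue tree", [])
    conn_marks = {r.get("new-connection-mark") for r in mangle
                  if r.get("action") == "mark-connection"}
    packet_marks = {r.get("new-packet-mark") for r in mangle
                    if r.get("action") == "mark-packet"}
    known_parents = GLOBAL_PARENTS | set(interfaces) | {q.get("name") for q in queues}
    findings = []
    for r in mangle:
        cmark = r.get("connection-mark", "")
        if r.get("action") == "mark-packet" and cmark and cmark.lstrip("!") not in conn_marks:
            findings.append("mangle: mark-packet %s keys on connection-mark %r that no "
                            "mark-connection rule sets" % (r.get("new-packet-mark"), cmark))
    for q in queues:
        name, parent, mark = q.get("name"), q.get("parent"), q.get("packet-mark", "")
        if parent not in known_parents:
            findings.append("queue %s: parent %r is neither a global-* root, an interface "
                            "nor a defined queue" % (name, parent))
        if mark and mark not in packet_marks:
            findings.append("queue %s: packet-mark %r is never produced by a mark-packet "
                            "rule" % (name, mark))
        if mark in plan and int(q.get("priority", "8")) != plan[mark]:
            findings.append("queue %s: priority %s but the plan assigns %d to %s"
                            % (name, q.get("priority"), plan[mark], mark))
    return sorted(findings)


# Constructed fragment in the page's export syntax; it deliberately
# contains one inconsistency of each kind listed in the docstring.
SAMPLE_EXPORT = """\
/ ip firewall mangle
add action=mark-connection chain=prerouting comment="Prio P2P" disabled=no \\
new-connection-mark=prio_conn_p2p p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=prio_conn_p2p \\
disabled=no new-packet-mark=prio_p2p_packet passthrough=no
add action=mark-packet chain=prerouting comment="" \\
connection-mark=prio_conn_user_services disabled=no \\
new-packet-mark=prio_request_packet passthrough=yes
/queue tree
add name="Priorization" packet-mark="" parent=global-in priority=1 queue=default
add name="P2P_Traffic_Prio8" packet-mark=prio_p2p_packet parent=Priorization \\
priority=8 queue=default
add name="User_Request_Prio8" packet-mark=prio_request_packet parent=Priorization \\
priority=8 queue=default
add name="smtp_down" packet-mark=smtp_in parent=download priority=5 queue=default
"""

# The prioritization plan written above, keyed by the packet mark carrying it.
PLAN = {"prio_ensign_packet": 1, "prio_request_packet": 3, "prio_comm_packet": 5,
        "prio_download_packet": 7, "prio_p2p_packet": 8}


def sample_findings():
    return check(parse_export(SAMPLE_EXPORT), PLAN)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run it against a real `/export` by reading the file into parse_export and passing the interface names of the router as `interfaces`; a queue whose parent is an interface is then accepted, everything else unresolved is reported.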
Arranged by Baratev
~baratev.sourceforge.net
contact: baratev[at]yahoo.com
15:18 27/05/2008
Concept and Application of Nth for Load Balancing on Mikrotik (Baratev)
#######################################################
Concept and Application of Nth for Load Balancing on Mikrotik
#######################################################
I N T R O
---------
O-----------------------------------------------------------------------------------
nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received
by the rule. One of 16 available
counters can be used to count packets
Every - match every Every+1th packet. For example, if Every=1 then the rule matches
every 2nd packet
Counter - specifies which counter to use. A counter increments each time the rule
containing nth match matches
Packet - match on the given packet number. The value by obvious reasons must be
between 0 and Every. If this option is used for a given counter, then
there must be at least Every+1 rules with this option, covering all values
between 0 and Every inclusively.
O-----------------------------------------------------------------------------------
nth has 3 parts,
call them A, B, C:
A = every
B = counter
C = packet
After reading the manual above again and again and again,
I still do not understand these three parts.
For a 2-line load balance some people write:
every 1 counter 1 packet 0 <-- line 1
every 1 counter 1 packet 1 <-- line 2
and others write: 1,2,0 - 1,2,1
My Understanding of Nth:
Basically the connections that enter the router for processing become one and the same
stream, even though they arrive from different interfaces. (well, this one is debatable)
When we want to apply the Nth method, we of course also restrict the router
to only process connections from certain sources (e.g. from local IPs).
Once the router has built a kind of new 'queue' for the restriction we gave
above, only then does the Nth process begin.
#Every
The Every number is the number of groups we want to produce. So if we want to
split the existing connection flow into 4 groups that will later be load balanced
across the 4 available connections, then Every = 4.
However, after comparing the Mikrotik manual with the explanation of how Nth
is applied on Linux, there is a difference here.
On Mikrotik, the Every number must be reduced by 1, so following the example above
we have to enter Every = 3. This is probably because the Nth process on Mikrotik
applies Every+1 (see the manual) when recognising connections.
So, my provisional conclusion: if we want to split into 2 groups, then:
- On Linux, Every = 4
- On Mikrotik, Every = 3
#Counter
The Counter number can be 0-15. It selects which counter we are going to use.
Mikrotik has 16 counters available, the same as in the Linux implementation.
After a discussion with bro D3V4, it turns out the choice of counter matters quite a bit.
So, provisional conclusion: on Mikrotik the counter is best set to every+1.
#Packet
Now we come to the last parameter. This last parameter is the decisive one.
If we want to make 4 groups, we of course have to make 4 mangle rules.
In those rules the numbers for Every and Counter must be the same, but the
packet number must change.
For 4 groups, the packet numbers for the 4 rules are 0, 1, 2 and 3.
The numbers run from 0 ... (n-1).
The Packet number is applied the same way on Linux and Mikrotik.
Example
Let us take the example of applying Nth for 4 connections. The Nth numbers for
each rule on Mikrotik are (the counter used is 4):
Rule 1 = 3,4,0
Rule 2 = 3,4,1
Rule 3 = 3,4,2
Rule 4 = 3,4,3
T H E O R Y
---------
TCP connection 3-way handshake:
1. connection establishment
2. data transfer
3. connection termination
with the following states:
1. LISTEN
2. SYN-SENT
3. SYN-RECEIVED
4. ESTABLISHED
5. FIN-WAIT-1
6. FIN-WAIT-2
7. CLOSE-WAIT
8. CLOSING
9. LAST-ACK
10. TIME-WAIT
11. CLOSED
If my theory is right (CMIIW again), the mangle process cuts in at number 4,
i.e. the connection is not closed yet but a new request is already made (new connection state),
in other words:
the connection is still open and there is already a request through the other gateway... so
all the Speedy lines we have are opened and used.
So even though only the IP of Speedy 1 is detected, the load is still split across as many
nth as we have.. ROUND ROBIN!
EXAMPLE CONFIGURATION I
--------------------
For a connection through an ADSL modem
there are 2 options:
- Set the modem as a bridge, which makes the router the PPPoE client
- Set the modem as the PPPoE client, so the router only needs to match the modem's local IP
Topology
       ISP1/wlan2               ISP2/wlan1
     10.111.0.1/24            10.112.0.1/24
           \                       /
            \                     /
             \                   /
        10.111.0.2/24 ===== 10.112.0.2/24
                      ==|==
                        |
                      Local
Configuration export from the gateway router:
########################################################################################
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
new-routing-mark=odd passthrough=no
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
new-routing-mark=even passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
########################################################################################
### Explanation
Each snippet below is preceded by a short explanation of what it actually does.
~IP Addresses
The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and
10.112.0.2/24. The LAN interface has the name "Local" and IP address of 192.168.0.1/24.
----------------------------------------------------------------------------------------
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
----------------------------------------------------------------------------------------
~ Mangle
All traffic from customers having their IP address previously placed in the address
list "odd" is instantly marked with connection and routing marks "odd". Afterwards
the traffic is excluded from processing against successive mangle rules in prerouting chain.
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
new-routing-mark=odd passthrough=no
----------------------------------------------------------------------------------------
Same stuff as above, only for customers having their IP address previously placed
in the address list "even".
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
new-routing-mark=even passthrough=no
----------------------------------------------------------------------------------------
First we take every second packet that establishes new session (note connection-state=new),
and mark it with connection mark "odd". Consequently all successive packets belonging to
the same session will carry the connection mark "odd". Note that we are passing these
packets to the second and third rules (passthrough=yes). Second rule adds IP address
of the client to the address list to enable all successive sessions to go through
the same gateway. Third rule places the routing mark "odd" on all packets that belong
to the "odd" connection and stops processing all other mangle rules for these packets
in prerouting chain.
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no
----------------------------------------------------------------------------------------
These rules do the same for the remaining half of the traffic as the first three
rules for the first half of the traffic.
The code above effectively means that each new connection initiated through
the router from the local network will be marked as either "odd" or "even"
with both routing and connection marks.
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no
----------------------------------------------------------------------------------------
The above works fine. There are however some situations where you might find
that the same IP address is listed under both the ODD and EVEN src-address-lists.
This behaviour causes issues with apps that require persistent connections.
A simple remedy for this situation is to add a src-address-list exclusion to the
nth mangle rules:
----------------------------------------------------------------------------------------
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
src-address-list=!odd action=mark-connection new-connection-mark=even \
passthrough=yes
----------------------------------------------------------------------------------------
This ensures that a new connection is only marked EVEN when its source is not
already part of the ODD src-address-list. Do the same for the ODD mangle rule,
excluding IPs that are already part of the EVEN src-address-list
(src-address-list=!even).
~NAT
All traffic marked "odd" is being NATted to source IP address of 10.111.0.2,
while traffic marked "even" gets "10.112.0.2" source IP address.
----------------------------------------------------------------------------------------
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535
----------------------------------------------------------------------------------------
~Routing
For all traffic marked "odd" (consequently having 10.111.0.2 translated source address)
we use 10.111.0.1 gateway. In the same manner all traffic marked "even" is routed
through the 10.112.0.1 gateway.
----------------------------------------------------------------------------------------
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
/ ip route
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
----------------------------------------------------------------------------------------
Finally, we have one additional entry specifying that traffic from the router
itself (the traffic without any routing marks) should go to 10.112.0.1 gateway.
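A runnable model of both the Nth parameters explained in the intro and the odd/even marking rules of Configuration I, as an added example in Python rather than RouterOS script (my code, not from the page or from MikroTik). It implements the nth matcher as the manual text quoted at the top describes it: a rule with packet=p matches while the shared counter sits on p and the match advances the counter modulo every+1; that reading of the manual is an assumption of the model. On top of it the class reproduces the sticky address-list behaviour of the six nth/address-list rules (a host whose first connection was marked odd keeps going odd) and generalises to N gateways with nth=N-1,c,0..N-1. The names NthCounter, OddEvenBalancer, distribute and HOSTS, the LAN hosts and the 203.0.113.10 destination are constructed for the example.

```python
"""Model of the nth/address-list marking in Configuration I.

Added example, not RouterOS code. The nth semantics below are my reading
of the manual text quoted in the intro (assumption): a rule with
packet=p matches only while the counter equals p, and the match advances
the counter modulo every+1, so rules sharing a counter take turns.
"""
from collections import Counter


class NthCounter:
    """One of the 16 nth counters; 'every' is the value typed in the rule."""

    def __init__(self, every):
        self.every = every
        self.value = 0

    def match(self, packet):
        if self.value != packet:
            return False
        self.value = (self.value + 1) % (self.every + 1)
        return True


class OddEvenBalancer:
    """The marking logic of the ten prerouting rules, for any number of marks."""

    def __init__(self, marks, every=None):
        self.marks = list(marks)                     # ["odd", "even"] in the page's config
        # MikroTik rule of thumb from the text: every = number of groups - 1
        self.counter = NthCounter(len(self.marks) - 1 if every is None else every)
        self.address_list = {}                       # src -> mark (the odd/even address lists)
        self.connections = {}                        # (src, dst, dport) -> mark or None

    def new_connection(self, src, dst, dport):
        """Return the mark the first packet of a new connection receives."""
        if src in self.address_list:
            # rules 1-4: a listed host keeps its gateway (passthrough=no stops here)
            mark = self.address_list[src]
        else:
            mark = None                              # unmatched: plain default route, no list entry
            for packet, candidate in enumerate(self.marks):
                # rules 5/8: nth=every,counter,packet with packet = 0 .. N-1, in order
                if self.counter.match(packet):
                    mark = candidate
                    self.address_list[src] = candidate   # rules 6/9: add-src-to-address-list
                    break
        self.connections[(src, dst, dport)] = mark
        return mark


def distribute(balancer, hosts, per_host=3):
    """Open per_host new connections from each host; return {mark: count}."""
    tally = Counter()
    for host in hosts:
        for i in range(per_host):
            tally[balancer.new_connection(host, "203.0.113.10", 8000 + i)] += 1
    return dict(tally)


# Constructed LAN hosts in the 192.168.0.0/24 used by the page's router.
HOSTS = ["192.168.0.%d" % n for n in range(10, 18)]

if __name__ == "__main__":
    print("2 lines, nth=1,c,0/1  :", distribute(OddEvenBalancer(["odd", "even"]), HOSTS))
    print("4 lines, nth=3,c,0..3 :", distribute(OddEvenBalancer(["gw1", "gw2", "gw3", "gw4"]), HOSTS))
    # every=4 with only four rules: once the counter reaches 4 no rule matches again
    print("4 lines, nth=4,c,0..3 :",
          distribute(OddEvenBalancer(["gw1", "gw2", "gw3", "gw4"], every=4), HOSTS))
```

The third run shows why the manual insists that the rules cover every value from 0 to Every: with every=4 and rules for packet 0..3 only, the counter stops on 4 after four matches and every later new connection from an unlisted host leaves unmarked through the plain default route, which is exactly the "Every = N-1" point the Nth section makes.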
EXAMPLE CONFIGURATION II (PPPoE on MT)
-----------------------------------
Two things to watch in this export: the mangle section sets routing marks Games and Net,
but the /ip route section contains no route with routing-mark=Games or routing-mark=Net,
so both marks fall back to the main table and its two default routes; and only the second
default route has check-gateway=ping, so a failure of 125.162.80.1 is never detected.
#######################################################################################
# mar/15/2008 21:38:00 by RouterOS 2.9.XX
# software id = 2XX-RXX
#
/ interface ethernet
set Speedy1 name="Speedy1" mtu=1500 mac-address=00:D0:5E:39:70:5C arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set Speedy2 name="Speedy2" mtu=1500 mac-address=00:D0:5E:39:6F:69 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set Local name="Local" mtu=1500 mac-address=00:D0:5E:39:6F:BA arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
/ interface pppoe-client
add name="pppoe-out1" max-mtu=1480 max-mru=1480 interface=Speedy1 \
user="111xxxx@telkom.net" password="xxxx" profile=default \
service-name="" ac-name="" add-default-route=yes dial-on-demand=no \
use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
add name="pppoe-out2" max-mtu=1480 max-mru=1480 interface=Speedy2 \
user="111xxxxx@telkom.net" password="xxxx" profile=default \
service-name="" ac-name="" add-default-route=yes dial-on-demand=no \
use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
/ ip dns
# allow-remote-requests=yes also answers queries arriving on the PPPoE
# interfaces unless the input chain drops UDP/TCP 53 from the WAN side
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip address --- ???
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 \
interface=Speedy1 comment="" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 \
interface=Speedy2 comment="" disabled=no
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface=Local comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=125.162.80.1 scope=255 target-scope=10 \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=125.162.92.1 check-gateway=ping scope=255 \
target-scope=10 comment="" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=Local src-address-list=Games \
action=mark-connection new-connection-mark=Games passthrough=yes \
comment="Multi ISP" disabled=no
add chain=prerouting in-interface=Local src-address-list=Games \
action=mark-routing new-routing-mark=Games passthrough=no comment="" \
disabled=no
add chain=prerouting in-interface=Local src-address-list=Net \
action=mark-connection new-connection-mark=Net passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local src-address-list=Net \
action=mark-routing new-routing-mark=Net passthrough=no comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=Games passthrough=yes \
comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=Games \
action=add-src-to-address-list address-list=Games address-list-timeout=1d \
comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=Games \
action=mark-routing new-routing-mark=Games passthrough=no comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=Net passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=Net \
action=add-src-to-address-list address-list=Net address-list-timeout=1d \
comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=Net \
action=mark-routing new-routing-mark=Net passthrough=no comment="" \
disabled=no
###
add chain=prerouting protocol=tcp src-port=1-1000 dst-port=1-1000 \
action=mark-connection new-connection-mark=spnet_conn passthrough=yes \
comment="Routing Per Port Net" disabled=no
add chain=prerouting protocol=udp dst-port=1-1000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=3128 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=5050-5060 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5060 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6660-7000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=6660-7000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=spnet_conn action=mark-packet \
new-packet-mark=spnet passthrough=no comment="" disabled=no
####
add chain=prerouting protocol=tcp dst-port=1001-3127 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes \
comment="Routing Per Port games" disabled=no
add chain=prerouting protocol=udp dst-port=1001-3127 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3129-5049 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=3129-5049 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5061-6659 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=5061-6659 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=7001-8079 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=7001-8079 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8081-65535 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=8081-65535 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=spgames_conn action=mark-packet \
new-packet-mark=spgames passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=dstnat dst-address=64.4.0.0/18 action=accept comment="" disabled=no
add chain=srcnat out-interface=pppoe-out1 packet-mark=!spgames \
connection-mark=!spgames_conn dst-address-list=!Games action=masquerade \
comment="NAT CLIENT" disabled=no
add chain=srcnat out-interface=pppoe-out2 packet-mark=!spnet \
connection-mark=!spnet_conn dst-address-list=!Net action=masquerade \
comment="" disabled=no
######################################################################################
## Failover Script
Isn't failover nicer to do with the netwatch tool?
For example, with a script like this:
Code:
-------------------------------------------------------------------------------------
/system script add name=check-gw source={
# Build the gateway list of the default route from the netwatch state of
# each upstream: a gateway is included only while its probe reports "up".
:local gw ""
:if ([/tool netwatch get [/tool netwatch find comment=R1] status]="up") do={:set gw "192.168.1.1"}
:if ([/tool netwatch get [/tool netwatch find comment=R2] status]="up") do={
  :if ($gw="") do={:set gw "203.81.xxx.xxx"} else={:set gw ($gw . ",203.81.xxx.xxx")}
}
# Only rewrite the route when at least one gateway is up; an empty gateway
# list would leave the default route unusable.
:if ($gw!="") do={
  /ip route set [/ip route find dst-address=0.0.0.0/0] gateway=$gw
}
}
/tool netwatch add comment=R1 host=192.168.1.1 interval=5s up-script=check-gw \
down-script=check-gw
/tool netwatch add comment=R2 host=203.81.xxx.xxx interval=5s up-script=check-gw \
down-script=check-gw
---------------------------------------------------------------------------------------
EXAMPLE CASES
------------
Using 5 Speedy connections.
Case 1, Nth = 4,5,n-1
When one modem is unplugged the connection goes haywire... lots of lag...
Then unplug one more modem... it gets worse... the connection is wrecked,
lots of "connection time out" messages appear.
Case 2, Nth = 4,0,n-1
Unplug 1 modem... still no problem... unplug the 2nd modem and you start to notice
a few websites that have to be refreshed...
Unplug the 3rd modem... it starts falling apart...
It seems Nth (n,0,n-1) can act as failover, on the condition that only 1 connection goes down,
and in terms of response, load sharing is much faster with
counter 0 (n,0,n-1) compared with (n,n,n-1).
Issues:
- Same gateway
- DNS priority
- Which Nth is suitable?
- Firewall NAT: choice between the masquerade action and src-nat?
edited by baratev
Compiled from: - www.forummikrotik.com ([a], d3v4, akangage, et al.)
- wiki.mikrotik.com
22:21 27/04/2008
Cisco Router Configuration Commands
Friday, July 11, 2008
Requirement Cisco Command
Set a console password to cisco
Router(config)#line con 0
Router(config-line)#login
Router(config-line)#password cisco
Set a telnet password
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco
Stop console timing out
Router(config)#line con 0
Router(config-line)#exec-timeout 0 0
Set the enable password to cisco
Router(config)#enable password cisco
Set the enable secret password to peter. This password overrides the enable password and is encrypted within the config file
Router(config)#enable secret peter
Enable an interface
Router(config-if)#no shutdown
To disable an interface
Router(config-if)#shutdown
Set the clock rate for a router with a DCE cable to 64K
Router(config-if)#clock rate 64000
Set a logical bandwidth assignment of 64K to the serial interface
Router(config-if)#bandwidth 64
Note that the zeroes are not missing: clock rate is given in bits per second, bandwidth in kilobits per second
To add an IP address to an interface
Router(config-if)#ip addr 10.1.1.1 255.255.255.0
To enable RIP on all 172.16.x.y interfaces
Router(config)#router rip
Router(config-router)#network 172.16.0.0
Disable RIP
Router(config)#no router rip
To enable IGRP with an AS of 200, on all interfaces
Router(config)#router igrp 200
Router(config-router)#network 172.16.0.0
Disable IGRP
Router(config)#no router igrp 200
Static route: the remote network is 172.16.1.0 with a mask of 255.255.255.0,
the next hop is 172.16.2.1, at a cost of 5 hops
Router(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.1 5
Disable CDP for the whole router
Router(config)#no cdp run
Enable CDP for the whole router
Router(config)#cdp run
Disable CDP on an interface
Router(config-if)#no cdp enable
Source: http://tomax7.com/index.html
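The commands above are easier to judge when seen together in a running-config. The following is an added example, not code from the original page or from tomax7.com: a small Python audit that parses a constructed IOS running-config assembled from the commands in the table (hostname, interface names and addresses are assumed) and reports the settings a reviewer would question, in particular an enable password without an enable secret, a console that never times out, clear-text line passwords, and CDP left running globally.

```python
"""Audit a Cisco IOS configuration for weak management-access settings.

Added example, not code from the original page or from tomax7.com: it
takes a constructed running-config assembled from the commands listed
above and reports the settings a reviewer would question. The parser
relies on how IOS prints its config: a top-level command followed by
indented sub-commands, with '!' separator lines.
"""
import re

# Constructed sample running-config (no real device); the values are the
# ones used in the command table above, interface names are assumed.
SAMPLE_CONFIG = """\
!
hostname Router
!
enable password cisco
!
interface Serial0
 ip address 10.1.1.1 255.255.255.0
 clock rate 64000
 bandwidth 64
!
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 no cdp enable
!
router rip
 network 172.16.0.0
!
ip route 172.16.1.0 255.255.255.0 172.16.2.1 5
!
line con 0
 exec-timeout 0 0
 login
 password cisco
line vty 0 4
 login
 password cisco
!
end
"""


def parse_sections(config):
    """Split an IOS config into its top-level commands (in order) and a
    mapping from each top-level command to its indented sub-commands."""
    top_level = []
    sections = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # blank or '!' separator line
        if line[0].isspace():
            if current is not None:       # sub-command of the current section
                sections[current].append(line.strip())
        else:
            current = line.strip()        # new top-level command
            top_level.append(current)
            sections[current] = []
    return top_level, sections


def audit(config):
    """Return a list of findings (strings); an empty list means no issues."""
    top_level, sections = parse_sections(config)
    findings = []

    # 'enable secret' overrides 'enable password' and is stored hashed;
    # an 'enable password' on its own is kept in a reversible form.
    has_secret = any(c.startswith("enable secret ") for c in top_level)
    has_password = any(c.startswith("enable password ") for c in top_level)
    if has_password and not has_secret:
        findings.append("enable password set without enable secret")

    # CDP is on by default, so only 'no cdp run' in the config proves it is off.
    if "no cdp run" not in top_level:
        findings.append("CDP not disabled globally (no 'no cdp run')")

    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        if not any(c.startswith("login") for c in body):
            findings.append(f"{header}: no 'login', so no password is asked for")
        if "exec-timeout 0 0" in body:
            findings.append(f"{header}: exec-timeout 0 0, idle sessions never time out")
        for c in body:
            m = re.match(r"password\s+(\S+)", c)
            if m and m.group(1) != "7":   # 'password 7 ...' is the obfuscated form
                findings.append(f"{header}: line password stored in clear text")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Running it against the sample reports five findings; replacing the enable password with an enable secret, giving the console a non-zero exec-timeout, storing the line passwords in type 7 form and adding no cdp run brings the list down to empty.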
Cisco Router Show Commands
Requirement Cisco Command
View version information
show version
View current configuration (DRAM)
show running-config
View startup configuration (NVRAM)
show startup-config
Show IOS file and flash space
show flash
Shows all logs that the router has in its memory
show log
View the interface status of interface e0
show interface e0
Overview all interfaces on the router
show ip interface brief
View type of serial cable on s0
show controllers s 0 (note the space between the 's' and the '0')
Display a summary of connected cdp devices
show cdp neighbor
Display detailed information on all devices
show cdp entry *
Display current routing protocols
show ip protocols
Display IP routing table
show ip route
Display access lists, this includes the number of displayed matches
show access-lists
Check the router can see the ISDN switch
show isdn status
Check Frame Relay PVC connections
show frame-relay pvc
Display the Frame Relay inverse ARP table
show frame-relay map
Cisco Router Basic Operations
Requirement Cisco Command
Enter privileged mode
enable
Return to user mode from privileged
disable
Exit the router
logout or exit or quit
Recall last command
up arrow or <Ctrl-P>
Recall next command
down arrow or <Ctrl-N>
Suspend or abort
<Shift> and <Ctrl> and 6 then x
Refresh screen output
<Ctrl-R>
Complete a command
TAB
Cisco Router Copy Commands
Requirement
Cisco Command
Save the current configuration from DRAM to NVRAM
copy running-config startup-config
Merge NVRAM configuration to DRAM
copy startup-config running-config
Copy DRAM configuration to a TFTP server
copy running-config tftp
Merge TFTP configuration with current router configuration held in DRAM
copy tftp running-config
Backup the IOS onto a TFTP server
copy flash tftp
Upgrade the router IOS from a TFTP server
copy tftp flash
Cisco Router Debug Commands
Requirement Cisco Command
Enable debug for RIP
debug ip rip
Enable summary IGRP debug information
debug ip igrp events
Enable detailed IGRP debug information
debug ip igrp transactions
Debug IPX RIP
debug ipx routing activity
Debug IPX SAP
debug ipx sap
Enable debug for CHAP or PAP
debug ppp authentication
Switch all debugging off
no debug all
undebug all
2 Plans for the Dasan DSLAM Setup
A. Router - Catalyst/Switch - DSLAM - Modem - Customer
* Using Fast Ethernet between the devices
B. Router - DSLAM - Modem - Customer (PLAN B)
* Using Fast Ethernet or Ethernet between the devices