Saturday, March 08, 2014

My Mikrotik Configuration (part 3)

Step 3. Queue, Graph and more options settings.
Firewall in Mikrotik

The last step is the rules for bandwidth management plus a few more option settings. Many people misunderstand the purpose of bandwidth management. Its goal is not to speed up the internet connection, nor to give every client the same speed. The goal is that the bandwidth is shared fairly among all the clients. Fairness is the key. Fairness does not always mean that every client gets the same speed or bandwidth. It can also mean that connections which matter to a user get more bandwidth than other users' connections, or that an essential service port gets more bandwidth than other service ports.
Okay... before we decide on the appropriate bandwidth settings, we must know the characteristics of our network. How much total bandwidth is leased from the ISP? How is the bandwidth distributed to the users? Which services or applications do the users use most often, and so on. Another way to look at the users' behaviour is from the Mikrotik itself: click Tools - Torch.

For example, in my network the leased bandwidth is 50 Mbps, with upload about 10Mbps, so the bandwidth is asymmetric. Users complained that the internet was unstable and that email or YouTube often opened slowly. When I checked at the location, they were opening email while still downloading with the IDM application or a torrent application. Of course email or YouTube would be slow then. They only know that the internet must be smooth because they have already paid for it.
The conclusion about my network's characteristics, i.e. what the users want:
  1. Users often access YouTube.
  2. Users often open the email application.
  3. Users often browse the web.
  4. Users often play online games.
  5. Users always download via the IDM / torrent applications.
Based on these observations we should already know what to do: divide the bandwidth by application or by destination port. The right method to divide the bandwidth this way is the PCQ (Per Connection Queue) method.
Now it is time to configure. First, configure the rules in “ip firewall mangle” for marking packets.
Marking download packets from youtube.com and googlevideo.com:
/ip firewall mangle
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    5m chain=prerouting content=youtube.com disabled=no dst-port=80 protocol=\
    tcp
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    5m chain=prerouting content=googlevideo.com disabled=no dst-port=80 \
    protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-address-list=\
    Youtube dst-port=80 new-connection-mark=con80you passthrough=yes \
    protocol=tcp src-address=10.254.128.0/22
add action=mark-packet chain=prerouting connection-mark=con80you disabled=no \
    new-packet-mark=down80you passthrough=yes

Marking download packets from websites (http) or applications with destination port 80:
add action=mark-connection chain=prerouting disabled=no dst-address-list=\
    !Youtube dst-port=80 new-connection-mark=con80 passthrough=yes protocol=\
    tcp src-address=10.254.128.0/22
add action=mark-packet chain=prerouting connection-mark=con80 disabled=no \
    new-packet-mark=down80 passthrough=yes

Marking all other download packets, i.e. everything except downloads from websites or applications on destination port 80:
add action=mark-connection chain=prerouting disabled=no dst-port=!80 \
    new-connection-mark=notcon80 passthrough=yes protocol=tcp src-address=\
    10.254.128.0/22
add action=mark-connection chain=prerouting disabled=no new-connection-mark=\
    notcon80 passthrough=yes protocol=!tcp src-address=10.254.128.0/22
add action=mark-packet chain=prerouting connection-mark=notcon80 disabled=no \
    new-packet-mark=notdown80 passthrough=yes

Marking upload packets that use protocol tcp:
add action=mark-packet chain=prerouting disabled=no in-interface=LAN \
    new-packet-mark=uploadtcp passthrough=yes protocol=tcp

Marking upload packets that use any protocol except tcp:
add action=mark-packet chain=prerouting disabled=no in-interface=LAN \
    new-packet-mark=notuploadtcp passthrough=yes protocol=!tcp

As the result of the mangle rules we have 5 marked packet groups: down80, down80you, notdown80, uploadtcp and notuploadtcp.
Next, determine the speed for each packet group. For example:
  • Download0: set speed 2560 kbps, priority 1 (highest priority). This speed type is for the down80 group.
  • Download1: set speed 1840 kbps, priority 2. For the notdown80 group.
  • Download2: set speed 1600 kbps, priority 8. For the down80you group.
  • Upload1: set speed 640 kbps, priority 1 (highest priority). For the uploadtcp group.
  • Upload2: set speed 512 kbps, priority 8. For the notuploadtcp group.
So, this is the configuration that defines those speed types:
/queue type
add kind=pcq name=Download0 pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=64 pcq-limit=30 pcq-rate=2560k \
    pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=Download1 pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=64 pcq-limit=30 pcq-rate=1840k \
    pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=Download2 pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=64 pcq-limit=30 pcq-rate=1600k \
    pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=Upload1 pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=64 pcq-limit=15 pcq-rate=640k pcq-src-address-mask=\
    32 pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=Upload2 pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=64 pcq-limit=15 pcq-rate=512k pcq-src-address-mask=\
    32 pcq-src-address6-mask=64 pcq-total-limit=2000

And this is the configuration that connects the marked packets (packet groups) to the speed types:
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s comment=\
    "Download http (80)" disabled=no limit-at=0 max-limit=0 name=\
    "Download 80" packet-mark=down80 parent=global-in priority=1 queue=\
    Download1
add burst-limit=0 burst-threshold=0 burst-time=0s comment="Upload packet tcp" \
    disabled=no limit-at=0 max-limit=0 name="Upload tcp" packet-mark=\
    uploadtcp parent=global-out priority=1 queue=Upload1
add burst-limit=0 burst-threshold=0 burst-time=0s comment=\
    "Download not http (80)" disabled=no limit-at=0 max-limit=0 name=\
    "Download not 80" packet-mark=notdown80 parent=global-in priority=8 \
    queue=Download2
add burst-limit=0 burst-threshold=0 burst-time=0s comment=\
    "Upload packet not tcp" disabled=no limit-at=0 max-limit=0 name=\
    "Upload not tcp" packet-mark=notuploadtcp parent=global-out priority=8 \
    queue=Upload2
add burst-limit=0 burst-threshold=0 burst-time=0s comment="Download youtube" \
    disabled=no limit-at=0 max-limit=0 name="Download Youtube" packet-mark=\
    down80you parent=global-in priority=2 queue=Download0

Setup SNMP
Set up SNMP (Simple Network Management Protocol) so the Mikrotik can send data to the Cacti server (10.17.123.10). In Mikrotik version 5.20 (and maybe later versions) the default SNMP community public does not work. To solve this problem, add an SNMP community with another name, for example public2.
/snmp
set contact=Ngeri enabled=yes engine-id="" location=Townsite trap-community=\
    public trap-generators="" trap-target=0.0.0.0 trap-version=1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no
add addresses=0.0.0.0/0 authentication-password="" authentication-protocol=\
    MD5 encryption-password="" encryption-protocol=DES name=public2 \
    read-access=yes security=none write-access=no
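A small lint for exports like the mangle, queue type, queue tree and SNMP sections above, written as an added example (it is not code from the post and not a RouterOS tool): it joins the export's backslash continuations, reports which PCQ type, rate and priority each packet mark is really wired to, and flags tree entries whose mark no mangle rule sets, queue types that are not defined, and SNMP communities readable from 0.0.0.0/0 with security=none. The embedded export is a constructed, abridged excerpt in the same syntax as the page's configuration.

```python
import re, shlex

EXPORT = r"""
# constructed, abridged excerpt in the same export syntax as the page's config
/ip firewall mangle
add action=mark-packet chain=prerouting connection-mark=con80you \
    new-packet-mark=down80you passthrough=yes
add action=mark-packet chain=prerouting connection-mark=con80 new-packet-mark=down80
/queue type
add kind=pcq name=Download0 pcq-classifier=dst-address pcq-rate=2560k
add kind=pcq name=Download1 pcq-classifier=dst-address pcq-rate=1840k
/queue tree
add name="Download 80" packet-mark=down80 parent=global-in priority=1 queue=\
    Download1
add name="Download Youtube" packet-mark=down80you parent=global-in priority=2 queue=Download0
add name="Download not 80" packet-mark=notdown80 parent=global-in priority=8 queue=Download2
/snmp community
add addresses=0.0.0.0/0 name=public2 read-access=yes security=none
"""

def parse_export(text):
    """Map each menu path ("/queue tree", ...) to its add/set rows as key->value dicts."""
    sections, path = {}, None
    for line in map(str.strip, re.sub(r"\\\n\s*", "", text).splitlines()):  # join "\" continuations
        if line.startswith("/"):
            path, sections[line] = line, []
        elif path and line.startswith(("add ", "set ")):  # shlex keeps "Download 80" whole
            sections[path].append(dict(t.partition("=")[::2] for t in shlex.split(line)[1:]))
    return sections

def wiring(sections):
    """packet-mark -> (queue type, pcq-rate, priority) as the tree really connects them."""
    rates = {t["name"]: t.get("pcq-rate") for t in sections.get("/queue type", [])}
    return {q["packet-mark"]: (q["queue"], rates.get(q["queue"]), int(q["priority"]))
            for q in sections.get("/queue tree", [])}

def lint(sections):
    """Findings to fix before deploying: orphan marks, undefined queues, open SNMP."""
    marks = {r.get("new-packet-mark") for r in sections.get("/ip firewall mangle", [])}
    types = {t["name"] for t in sections.get("/queue type", [])}
    findings = []
    for q in sections.get("/queue tree", []):
        if q["packet-mark"] not in marks:
            findings.append(f"{q['name']}: no mangle rule sets mark {q['packet-mark']}")
        if q["queue"] not in types:
            findings.append(f"{q['name']}: queue type {q['queue']} is undefined")
    for c in sections.get("/snmp community", []):
        if c.get("addresses") == "0.0.0.0/0" and c.get("security") == "none":
            findings.append(f"snmp community {c['name']}: readable from any address with no auth")
    return findings
```

Run against the full export above, wiring() shows down80 attached to Download1 (1840k, priority 1) and down80you to Download0 (2560k, priority 2), which is worth comparing with the speed plan listed before the queue type configuration; lint() also reports both public and public2 as readable from any address.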

Setup Graph.
/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes
/tool graphing queue
add allow-address=0.0.0.0/0 allow-target=yes disabled=no simple-queue=all \
    store-on-disk=yes
/tool graphing resource
add allow-address=0.0.0.0/0 disabled=no store-on-disk=yes
This is an alternative to the graphs on the Cacti server. Remember: to view the graph, you must access the Mikrotik's IP address, 10.17.123.6.

Option settings.
Set up the clock, the Network Time Protocol (NTP) client, the identity and the login note.
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+08:00
/system ntp client
set enabled=yes mode=unicast primary-ntp=152.118.24.8 secondary-ntp=\
    202.169.224.16

/system identity
set name=MyMikrotik

/system note
set note=Welcome show-at-login=yes


Done…!!! Hopefully useful.


2 comments:

  1. Thanks, very nice ^_^
    I will try your configuration.
    Visit back my blogger:
    http://goo.gl/d9fLzs
  2. Dear all, I have an issue with bandwidth management. In simple queue, I can limit bandwidth on a private IP but can't limit bandwidth on a public IP. I am doing the same setting for the private IP and the public IP. Please help me if you can.

    Regards
    Naveed
    skype : naveed.loman