The Magic Of IP Flow - MUM

Transcription

The Magic of IP Flow
Valens Riyadi, info@mikrotik.co.id
Citraweb Nusa Infomedia
Presented at the Mikrotik User Meeting, Krakow, January 25 – 26, 2007

Introduction
Name: Valens Riyadi
Country: Indonesia
- Graduated as an architect, 1998
- 1998: Web developer
- 2001: Started a WISP
- 2002: Mikrotik reseller
- Photographer; administrator of www.fotografer.net
- Head of Security Dept, Indonesian ISP Association
- Volunteer for Airputih Foundation, IT Emergency Task Force
- Steering Committee for ID-SIRTII (Indonesia Security Incident Response Team on Information Infrastructure)
- Mikrotik Certified Consultant
00-2 Mikrotik Indonesia http://www.mikrotik.co.id 1/18/2007

My Company
Citraweb Nusa Infomedia
- Web developer (since 2000)
- Small ISP (since 2001)
- Mikrotik reseller (since 2002)
Located at: Yogyakarta, Indonesia
Using RouterOS since 2.3.15

Yogyakarta City
- 3.4 million population
- Tourism city
- Student city: almost 50% of the population are students from other cities
- Finally: cyber café city

Network (diagram: proxies, E1 link, router, internal NAT router)

Wireless Installation

Wireless Network Topology (diagram: BTS1 to BTS6, NOC-1, NOC-2, Distribution Router; legend: Ethernet Cable, Main Wireless Link, Backup Wireless Link)

Fail Over Scenario (diagram: Distribution Router; legend: Ethernet Cable, Main Wireless Link, Backup Wireless Link)

Fail Over Scenario (2) (diagram: BTS1 to BTS6 with one BTS marked DOWN, NOC-1, NOC-2, Distribution Router; legend: Ethernet Cable, Main Wireless Link, Backup Wireless Link)

The Basics of IP Flow

IP Flow (simple diagram)
- INPUT INTERFACE
- PREROUTING: Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue
- FORWARD: Mangle, Filter, Accounting
- OUTPUT (from local process): Conn-Tracking, Mangle, Filter
- POSTROUTING: Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output
- OUTPUT INTERFACE

IP Flow (full diagram)
- INPUT INTERFACE
- IPSEC DECRYPTION
- Bridge Decision: is bridged? If so, BRIDGE DST-NAT, then bridge decision between BRIDGE FORWARD and BRIDGE INPUT
- PREROUTING: Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue
- Routing Decision
- INPUT (to local process)
- FORWARD: Mangle, Filter, Accounting
- OUTPUT (from local process): Conn-Tracking, Mangle, Filter, then Routing Decision
- POSTROUTING: Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output
- IPsec Policy / IPSEC ENCRYPTION
- Bridge Decision: is bridged? If so, BRIDGE SRC-NAT
- OUTPUT INTERFACE

From – To Traffic?
For each data packet, you have to know:
- Source of packet: from outside, or from a local process
- Destination of packet: to a local process, or to outside

IP Flow diagram: Routed Traffic To Router (highlighted path: Input Interface → Prerouting → Routing Decision → Input → Local Process)

IP Flow diagram: Routed Traffic From Router (highlighted path: Local Process → Output → Routing Decision → Postrouting → Output Interface)

IP Flow diagram: Routed Traffic Through Router (highlighted path: Input Interface → Prerouting → Routing Decision → Forward → Postrouting → Output Interface)

IP Flow diagram: Bridge Traffic Through Router (highlighted path: Input Interface → Bridge Decision → Bridge DST-NAT → Bridge Forward → Bridge SRC-NAT → Bridge Decision → Output Interface)

Chain Position (table; only fragments survived transcription)
- Columns: From, To, Mangle, Firewall, Queue
- Rows pair Outside and Router as source and destination
- Queue positions named in the surviving cells: Global-Out, Global-Total, Interface

Simple Queue
A simple queue is located at Global-In and Global-Out, and also at Global-Total.

Mangle & Simple Queue
Mangle:
    chain forward in-interface LAN src-address 192.168.0.4
      action mark-packet new-packet-mark client passthrough no
    chain forward out-interface LAN dst-address 192.168.0.4
      action mark-packet new-packet-mark client passthrough no
Simple Queue:
    name "queue1" interface all parent none
      packet-marks client direction both max-limit 512000/512000

IP Flow (simple diagram, upload path highlighted): Prerouting (Mangle, Global-In Queue = UPLOAD QUEUE) → Forward (Mangle, Filter, Accounting) → Postrouting (Mangle, Global-Out Queue, Global-Total Queue, Source-NAT, Hotspot Output); a local process hands packets to the Output chain

Mangle & Simple Queue
This sample:
- will work for download limiting
- will not work for upload limiting, because the mangle rule runs after the simple queue has already processed the packet
Mangle: chain forward. Simple queue → Global-In (prerouting), so the forward mark arrives too late for upload.
Mangle should therefore be in prerouting (for upload) and postrouting (for download).
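To make this chain-ordering argument concrete, here is an added Python model (not the presenter's code) of the packet-flow order drawn in the IP Flow diagram. It answers one question: is the mangle step that sets a mark reached before the queue hook that needs the mark? The hook lists are taken from the diagram; the upload/download split follows the slide's own statement that a simple queue judges upload at Global-In and download at Global-Out.

```python
"""Model of the RouterOS packet-flow order shown in the IP Flow diagram,
used to check whether a mangle mark is set before the queue hook that
needs it.  Added illustration, not the presenter's code."""

# Hooks inside each chain, in the order the diagram draws them.
PREROUTING = [("prerouting", h) for h in
              ("hotspot-in", "conntrack", "mangle", "dst-nat", "global-in", "global-total")]
INPUT = [("input", h) for h in ("mangle", "filter")]
FORWARD = [("forward", h) for h in ("mangle", "filter", "accounting")]
OUTPUT = [("output", h) for h in ("conntrack", "mangle", "filter")]
POSTROUTING = [("postrouting", h) for h in
               ("mangle", "global-out", "global-total", "src-nat", "hotspot-out")]
ROUTING = [("routing", "decision")]
LOCAL = [("local", "process")]
IFACE = [("interface", "queue")]


def packet_path(src, dst):
    """Ordered hooks a routed packet crosses.  src and dst are 'outside' or
    'local', the two questions of the 'From - To Traffic?' slide."""
    if src == "outside" and dst == "outside":      # through the router
        return PREROUTING + ROUTING + FORWARD + POSTROUTING + IFACE
    if src == "outside" and dst == "local":        # to the router
        return PREROUTING + ROUTING + INPUT + LOCAL
    if src == "local" and dst == "outside":        # from the router
        return LOCAL + OUTPUT + ROUTING + POSTROUTING + IFACE
    raise ValueError("local-to-local traffic never crosses the IP flow")


def mark_is_effective(mark_chain, queue_hook, src, dst):
    """True if the mangle step of mark_chain lies before queue_hook on the
    path this packet takes, i.e. the queue can see the packet mark."""
    path = packet_path(src, dst)
    if (mark_chain, "mangle") not in path:
        return False                               # chain not on this path at all
    mark_at = path.index((mark_chain, "mangle"))
    return any(hook == queue_hook and i > mark_at
               for i, (_, hook) in enumerate(path))


def simple_queue_result(mark_chain):
    """Simple queue on forwarded client traffic: upload is judged at
    Global-In, download at Global-Out (as the slide states)."""
    return {
        "upload": mark_is_effective(mark_chain, "global-in", "outside", "outside"),
        "download": mark_is_effective(mark_chain, "global-out", "outside", "outside"),
    }


if __name__ == "__main__":
    for chain in ("forward", "prerouting", "postrouting"):
        print(f"mark in {chain:<11}: {simple_queue_result(chain)}")
```

Running it reproduces the slide: a mark set in the forward chain limits download only, while a mark set in prerouting is visible to both Global-In and Global-Out. The same function also shows why the proxy test case later in the deck marks proxy-to-client traffic in the output chain: for packets that originate in a local process, prerouting and forward are not on the path.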

IP Flow (simple diagram, download path highlighted): Prerouting (Hotspot Input, Conn-Tracking, Mangle, Dst-NAT, Global-In Queue, Global-Total Queue) → Postrouting (MANGLE, Global-Out Queue = DOWNLOAD QUEUE, Global-Total Queue, Source-NAT, Hotspot Output); a local process hands packets to the Output chain (Conn-Tracking, Mangle, Filter)

Test Case (1): Transparent Bandwidth Management

Queue with Bridge (diagram: traffic Client – Internet passes through the BRIDGE, where the QUEUE TREE is applied, to the INTERNET)

Queue with Bridge (diagram: Upstream and Downstream directions through the BRIDGE and QUEUE TREE to the INTERNET)

Interface Setup
    [admin@MikroTik] interface print
    Flags: X - disabled, D - dynamic, R - running
     #    NAME      TYPE     RX-RATE   TX-RATE   MTU
     0 R  LAN       ether    0         0         1500
     1 R  WAN       ether    0         0         1500
     2 R  bridge1   bridge   0         0         1500
    [admin@MikroTik] interface bridge port print
    Flags: X - disabled, I - inactive, D - dynamic
     #    INTERFACE                      BRIDGE    PRIORITY  PATH-COST
     0    (name lost in transcription)   bridge1   128       10
     1    LAN                            bridge1   128       10

Mangle Setup
    [admin@MikroTik] ip firewall mangle print
    Flags: X - disabled, I - invalid, D - dynamic
     0 chain prerouting in-interface LAN src-address 192.168.0.0/24
       action mark-packet new-packet-mark data-up passthrough no
     1 chain postrouting out-interface LAN dst-address 192.168.0.0/24
       action mark-packet new-packet-mark data-down passthrough no

Queue Tree Setup
    [admin@MikroTik] queue tree print
    Flags: X - disabled, I - invalid
     0 name "queue-up" parent WAN packet-mark data-up limit-at 512000
       queue default priority 8 max-limit 512000
       burst-limit 0 burst-threshold 0 burst-time 0s
     1 name "queue-down" parent LAN packet-mark data-down limit-at 1024000
       queue default priority 8 max-limit 1024000
       burst-limit 0 burst-threshold 0 burst-time 0s

Test Case (2): Queue with Src-NAT and Internal Proxy

Queue with SRC-NAT & Internal Proxy (diagram: traffic Client – Internet passes through the ROUTER, with SRC-NAT and the WEB-PROXY running as a LOCAL PROCESS, to the INTERNET)

Queue with SRC-NAT & Internal Proxy (diagram of the six numbered flows through the ROUTER)
- 1: Direct upstream (client → SRC-NAT → Internet)
- 2: Direct downstream (Internet → client)
- 3: Upstream to proxy (client → WEB-PROXY, a LOCAL PROCESS)
- 4: Downstream from proxy (WEB-PROXY → client)
- 5 and 6: traffic between the WEB-PROXY and the INTERNET

Web-Proxy Setup
    [admin@MikroTik] ip web-proxy print
                   enabled: yes
               src-address: 0.0.0.0
                      port: 3128
                  hostname: "proxy"
         transparent-proxy: yes
              parent-proxy: 0.0.0.0:0
       cache-administrator: "webmaster"
           max-object-size: 4096KiB
               cache-drive: system
            max-cache-size: none
        max-ram-cache-size: unlimited
                    status: running
        reserved-for-cache: 0KiB
    reserved-for-ram-cache: 154624KiB

Firewall Setup
    [admin@instaler] ip firewall nat print
    Flags: X - disabled, I - invalid, D - dynamic
     0 chain srcnat out-interface public src-address 192.168.1.0/24
       action masquerade
     1 chain dstnat in-interface lan src-address 192.168.1.0/24 protocol tcp
       dst-port 80 action redirect to-ports 3128

Mangle Setup
     0 ;;; UP TRAFFIC / Traffic #1 and #3
       chain prerouting in-interface lan src-address 192.168.1.0/24
       action mark-packet new-packet-mark test-up passthrough no
     1 ;;; CONN-MARK
       chain forward src-address 192.168.1.0/24
       action mark-connection new-connection-mark test-conn passthrough yes
     2 ;;; DOWN-DIRECT CONNECTION / Traffic #2
       chain forward in-interface public connection-mark test-conn
       action mark-packet new-packet-mark test-down passthrough no
     3 ;;; DOWN-VIA PROXY / Traffic #4
       chain output out-interface lan dst-address 192.168.1.0/24
       action mark-packet new-packet-mark test-down passthrough no

Queue Setup
     0 ;;; For traffic #2 and #4 (download)
       name "downstream" parent lan packet-mark test-down limit-at 1024000
       queue default priority 8 max-limit 1024000
       burst-limit 0 burst-threshold 0 burst-time 0s
     1 ;;; For traffic #1 and #3 (upload)
       name "upstream" parent global-in packet-mark test-up limit-at 256000
       queue default priority 8 max-limit 256000
       burst-limit 0 burst-threshold 0 burst-time 0s

Traffic #5 & #6
We cannot manage traffic #5 and #6 based on the client IP address, because once the traffic hits the proxy the source IP address changes and the traffic becomes a new connection:
- Source: Web Proxy (local process)
- Destination: Web Server on the Internet
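As an added example (not from the presentation), the following Python walks the six numbered flows of the SRC-NAT & Internal Proxy diagram through the four mangle rules of the Mangle Setup slide and reports which packet mark each flow ends up with. The client, router and web-server addresses and the one-entry-per-address-pair connection-tracking table are constructed for the example; packets are shown as the mangle chains see them, after connection tracking has already reversed NAT on replies.

```python
"""Walk the six flows of the 'Queue with SRC-NAT & Internal Proxy' diagram
through the presentation's four mangle rules.  Added illustration, not the
presenter's code; addresses and the conntrack model are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("192.168.1.0/24")   # client subnet from the slides
CLIENT = "192.168.1.50"                  # constructed client address
ROUTER_LAN = "192.168.1.1"               # constructed router address on lan
ROUTER_PUBLIC = "203.0.113.10"           # constructed router address on public
WEB = "198.51.100.80"                    # constructed web server on the Internet

# The four mangle rules as printed on the 'Mangle Setup' slide, in order.
RULES = [
    dict(chain="prerouting", in_iface="lan", src_net=LAN_NET,
         action="mark-packet", mark="test-up", passthrough=False),
    dict(chain="forward", src_net=LAN_NET,
         action="mark-connection", mark="test-conn", passthrough=True),
    dict(chain="forward", in_iface="public", conn_mark="test-conn",
         action="mark-packet", mark="test-down", passthrough=False),
    dict(chain="output", out_iface="lan", dst_net=LAN_NET,
         action="mark-packet", mark="test-down", passthrough=False),
]


@dataclass
class Packet:
    flow: int
    chains: tuple                 # mangle chains crossed, in order (IP Flow diagram)
    src: str
    dst: str
    in_iface: Optional[str]
    out_iface: Optional[str]
    packet_mark: Optional[str] = None


def conn_key(pkt):
    # Simplified conntrack: one entry per address pair, shared by both directions.
    return frozenset((pkt.src, pkt.dst))


def rule_matches(rule, pkt, conn_marks):
    """Evaluate only the matchers a rule carries, like the firewall does."""
    if "in_iface" in rule and rule["in_iface"] != pkt.in_iface:
        return False
    if "out_iface" in rule and rule["out_iface"] != pkt.out_iface:
        return False
    if "src_net" in rule and ip_address(pkt.src) not in rule["src_net"]:
        return False
    if "dst_net" in rule and ip_address(pkt.dst) not in rule["dst_net"]:
        return False
    if "conn_mark" in rule and conn_marks.get(conn_key(pkt)) != rule["conn_mark"]:
        return False
    return True


def run_mangle(pkt, conn_marks):
    """Apply the rules chain by chain; passthrough=no ends the chain."""
    for chain in pkt.chains:
        for rule in RULES:
            if rule["chain"] != chain or not rule_matches(rule, pkt, conn_marks):
                continue
            if rule["action"] == "mark-packet":
                pkt.packet_mark = rule["mark"]
            else:                                   # mark-connection
                conn_marks[conn_key(pkt)] = rule["mark"]
            if not rule["passthrough"]:
                break
    return pkt.packet_mark


def diagram_flows():
    transit = ("prerouting", "forward", "postrouting")
    to_router = ("prerouting", "input")
    from_router = ("output", "postrouting")
    return [
        Packet(1, transit, CLIENT, WEB, "lan", "public"),            # direct upstream
        Packet(2, transit, WEB, CLIENT, "public", "lan"),            # direct downstream (de-NATed reply)
        Packet(3, to_router, CLIENT, WEB, "lan", None),              # upstream to proxy; redirect runs after mangle
        Packet(4, from_router, ROUTER_LAN, CLIENT, None, "lan"),     # downstream from proxy
        Packet(5, from_router, ROUTER_PUBLIC, WEB, None, "public"),  # proxy to web server
        Packet(6, to_router, WEB, ROUTER_PUBLIC, "public", None),    # web server to proxy
    ]


def marks_per_flow():
    """Flows are processed in diagram order, so flow 1 has already set the
    connection mark that flow 2 depends on."""
    conn_marks = {}
    return {pkt.flow: run_mangle(pkt, conn_marks) for pkt in diagram_flows()}


if __name__ == "__main__":
    for flow, mark in marks_per_flow().items():
        print(f"traffic #{flow}: packet-mark={mark}")
```

Flows 1 to 4 receive test-up or test-down as the slide comments say, while flows 5 and 6 carry the router's own public address and match nothing; no rule keyed on the client subnet can reach them, which is the limitation the slide states. The model also makes the ordering dependency visible: a downstream reply seen before its upstream packet has no connection mark yet and is left unmarked.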

Thank You
Valens Riyadi, info@mikrotik.co.id
