Queue with SRC-NAT and WEB-PROXY

When using queues (bandwidth limiting), the choice of CHAIN in a mangle rule is decisive. If SRC-NAT and WEB-PROXY run on the same machine, it is often quite hard to write a queue rule that catches all of the traffic. Below is a detailed explanation of how the chain is chosen.
The experiments were performed on a PC running RouterOS version 2.9.28. The machine has two interfaces: one toward the gateway, named public, and one toward the local network, named lan.

[admin@instaler] > in pr
Flags: X - disabled, D - dynamic, R - running
 #    NAME       TYPE    RX-RATE    TX-RATE    MTU
 0  R public     ether   0          0          1500
 1  R lan        wlan    0          0          1500

Here are the IP addresses used. The 192.168.0.0/24 subnet is the gateway-side subnet for this machine; 172.21.1.0/24 is the LAN.

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
 #  ADDRESS           NETWORK      BROADCAST      INTERFACE
 0  192.168.0.217/24  192.168.0.0  192.168.0.255  public
 1  172.21.1.1/24     172.21.1.0   172.21.1.255   lan

The web proxy is enabled, with transparent proxying also turned on.

 [admin@instaler] > ip web-proxy pr
                 enabled: yes
             src-address: 0.0.0.0
                    port: 3128
                hostname: "proxy"
       transparent-proxy: yes
            parent-proxy: 0.0.0.0:0
     cache-administrator: "webmaster"
         max-object-size: 4096KiB
             cache-drive: system
          max-cache-size: none
      max-ram-cache-size: unlimited
                  status: running
      reserved-for-cache: 0KiB
  reserved-for-ram-cache: 154624KiB

Masquerade is enabled, and there is one dstnat rule redirecting HTTP traffic from the LAN to the web proxy on port 3128.

[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=public
     src-address=172.21.1.0/24 action=masquerade
 1   chain=dstnat in-interface=lan src-address=172.21.1.0/24
     protocol=tcp dst-port=80 action=redirect to-ports=3128

Here is the most important step in the process: creating the mangle rules. We need two packet marks: one for upstream packets, which in this example we call test-up, and one for downstream packets, which we call test-down.

For upstream packets, the mangle rule is quite simple. One rule is enough, matching on src-address and in-interface in the prerouting chain and marking the packet test-up. Both direct and proxied traffic from the LAN passes through prerouting (the redirect to the proxy happens in dstnat, after mangle prerouting), so this single rule covers both.

For downstream packets, however, several rules are needed. Because we translate addresses (masquerade), reply packets from the internet arrive with the router's public address as destination, so we first need a connection mark to recognise them; in this example we call it test-conn. The connection-mark rule matches the client-to-internet direction in the forward chain, but the mark belongs to the whole connection, so the reply packets carry it too. HTTP connections redirected to the proxy terminate on the router and go through input rather than forward, so they never receive this mark; that is fine, because their downstream is handled by the output rule below.

Then we need two packet-mark rules. The first is for non-HTTP downstream packets coming directly from the internet (not via the proxy). We use the forward chain, because that traffic flows through the router. The second is for packets coming from the web proxy. We use the output chain, because that traffic originates from an application on the router itself and goes out to machines on the LAN; it never passes through forward. Both of these rules set the packet mark test-down.

Do not forget: passthrough=yes is set only on the connection-mark rule, so that the packet continues through the remaining mangle rules; the packet-mark rules use passthrough=no.

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; UP TRAFFIC
     chain=prerouting in-interface=lan
     src-address=172.21.1.0/24 action=mark-packet
     new-packet-mark=test-up passthrough=no 

 1   ;;; CONN-MARK
     chain=forward src-address=172.21.1.0/24
     action=mark-connection
     new-connection-mark=test-conn passthrough=yes 

 2   ;;; DOWN-DIRECT CONNECTION
     chain=forward in-interface=public
     connection-mark=test-conn action=mark-packet
     new-packet-mark=test-down passthrough=no 

 3   ;;; DOWN-VIA PROXY
     chain=output out-interface=lan
     dst-address=172.21.1.0/24 action=mark-packet
     new-packet-mark=test-down passthrough=no

For the final stage, we configure the queue. Here we use queue tree: one rule for downstream data and one for upstream. The important point here is the parent selection. For downstream we use parent=lan, the interface toward the local network; this is an egress queue, so it sees both forwarded packets and the proxy's locally generated packets, which is why both downstream mangle rules can share the test-down mark. For upstream we use parent=global-in, which in the RouterOS packet flow is processed after mangle prerouting, where test-up is set.

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
 0   name="downstream" parent=lan packet-mark=test-down
     limit-at=32000 queue=default priority=8
     max-limit=32000 burst-limit=0
     burst-threshold=0 burst-time=0s 

 1   name="upstream" parent=global-in
     packet-mark=test-up limit-at=32000
     queue=default priority=8
     max-limit=32000 burst-limit=0
     burst-threshold=0 burst-time=0s
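The post only shows print output. As an added example (not from the original post), here is the same configuration expressed as the commands you would type at the RouterOS 2.9 console to reproduce it, reconstructed from the print output above. The comment= values mirror the ;;; lines; the print stats commands at the end are an added check, not something the post shows.

```routeros
# Transparent web proxy on port 3128 (values from the print output above)
/ip web-proxy set enabled=yes port=3128 transparent-proxy=yes hostname="proxy"

# NAT: masquerade the LAN toward public, redirect LAN HTTP to the proxy
/ip firewall nat
add chain=srcnat out-interface=public src-address=172.21.1.0/24 action=masquerade
add chain=dstnat in-interface=lan src-address=172.21.1.0/24 protocol=tcp dst-port=80 \
    action=redirect to-ports=3128

# Mangle: one upstream packet mark, one connection mark, two downstream packet marks
/ip firewall mangle
# prerouting sees every LAN packet, direct or later redirected to the proxy
add chain=prerouting in-interface=lan src-address=172.21.1.0/24 \
    action=mark-connection new-connection-mark=test-conn passthrough=yes \
    comment="CONN-MARK (see note below)" disabled=yes
add chain=prerouting in-interface=lan src-address=172.21.1.0/24 \
    action=mark-packet new-packet-mark=test-up passthrough=no comment="UP TRAFFIC"
# forward only sees routed traffic, i.e. non-proxied connections; the mark applies
# to the whole connection, so the replies from public carry it too
add chain=forward src-address=172.21.1.0/24 \
    action=mark-connection new-connection-mark=test-conn passthrough=yes comment="CONN-MARK"
add chain=forward in-interface=public connection-mark=test-conn \
    action=mark-packet new-packet-mark=test-down passthrough=no comment="DOWN-DIRECT CONNECTION"
# output sees packets generated by the router itself, i.e. the proxy's replies
add chain=output out-interface=lan dst-address=172.21.1.0/24 \
    action=mark-packet new-packet-mark=test-down passthrough=no comment="DOWN-VIA PROXY"

# Queue tree: egress on lan for downstream, global-in for upstream
/queue tree
add name=downstream parent=lan packet-mark=test-down queue=default priority=8 \
    limit-at=32000 max-limit=32000
add name=upstream parent=global-in packet-mark=test-up queue=default priority=8 \
    limit-at=32000 max-limit=32000

# Check: generate some LAN traffic, then confirm that the counters of every
# mangle rule and both queues are increasing. A queue that stays at zero means
# its packet mark is never set on the chain that queue actually sees.
/ip firewall mangle print stats
/queue tree print stats
```

The disabled prerouting CONN-MARK rule is deliberately included and left off: it shows the tempting shortcut of marking the connection in prerouting, which would also tag the redirected HTTP connections that terminate on the router. The post's choice of the forward chain keeps test-conn on routed connections only, and the proxy's own replies are caught by the output rule instead. If the downstream queue shows traffic but the upstream queue does not, the usual cause is that test-up is set in a chain that global-in does not see; the rule must stay in prerouting.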

As another variation for bandwidth management, it is also possible to use PCQ queue types, which automatically divide the traffic per client.
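As an added example (not from the original post), this is how the PCQ variation can be applied on top of the queue tree above. The queue type names pcq-down and pcq-up, the pcq-limit and pcq-total-limit values, and the 256000 bps parent limits are assumptions chosen for illustration; the classifier direction follows from the mangle rules: downstream packets are identified by the client's address as destination, upstream packets by the client's address as source.

```routeros
# Two PCQ queue types: one sub-queue per LAN client. pcq-rate=0 means no fixed
# per-client cap; the parent's max-limit is shared equally among active clients.
/queue type
add name=pcq-down kind=pcq pcq-rate=0 pcq-classifier=dst-address \
    pcq-limit=50 pcq-total-limit=2000
add name=pcq-up kind=pcq pcq-rate=0 pcq-classifier=src-address \
    pcq-limit=50 pcq-total-limit=2000

# Reuse the existing tree entries and marks; only the queue type and the
# shared limit change. test-down covers both direct and proxied replies,
# and both carry the client address as destination, so one classifier suffices.
/queue tree
set [find name=downstream] queue=pcq-down limit-at=256000 max-limit=256000
set [find name=upstream]   queue=pcq-up   limit-at=256000 max-limit=256000

# Check: with two clients downloading, each should settle near half of max-limit
/queue tree print stats
```

Note that pcq-classifier=src-address on the upstream side still works for proxied HTTP, because mangle prerouting runs before the dstnat redirect and the source address at that point is still the LAN client's.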

Filed Under: configurasi
