Manual:Connection Rate: Difference between revisions

From MikroTik Wiki
Line 45: Line 45:
add chain=forward action=mark-connection connection-mark=!heavy_traffic_conn \
add chain=forward action=mark-connection connection-mark=!heavy_traffic_conn \
     new-connection-mark=all_conn
     new-connection-mark=all_conn
add chain=forward action=mark-connection connection-bytes=2000000-0 \
add chain=forward action=mark-connection connection-bytes=500000-0 \
     connection-mark=all_conn connection-rate=500k-4294967295 \
     connection-mark=all_conn connection-rate=200k-4294967295 \
     new-connection-mark=heavy_traffic_conn protocol=tcp
     new-connection-mark=heavy_traffic_conn protocol=tcp
add chain=forward action=mark-connection connection-bytes=2000000-0 \
add chain=forward action=mark-connection connection-bytes=500000-0 \
     connection-mark=all_conn connection-rate=500k-4294967295 \
     connection-mark=all_conn connection-rate=200k-4294967295 \
     new-connection-mark=heavy_traffic_conn protocol=udp
     new-connection-mark=heavy_traffic_conn protocol=udp
add chain=forward action=mark-packet connection-mark=heavy_traffic_conn \
add chain=forward action=mark-packet connection-mark=heavy_traffic_conn \
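Review bot: The heavy_traffic_conn marking in the protocol=tcp and protocol=udp rules is one-way, and the 500000-0 / 200k-4294967295 thresholds make that easier to hit. The first rule only re-marks connections with connection-mark=!heavy_traffic_conn, and the tcp/udp rules only match connection-mark=all_conn, so a connection that has passed 500000 bytes and exceeds 200k in a single one-second rate sample keeps heavy_traffic_conn for the rest of its life, even if it drops back to a low rate. Please state next to these rules that this is intended, or explain how a long-lived low-rate connection with an occasional burst is expected to be handled.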

Revision as of 13:26, 17 September 2009

Introduction

Connection Rate is a firewall matcher that allows you to capture traffic based on the speed of a connection.

Theory

Each entry in the connection tracking table represents bidirectional communication. Every time a packet is associated with a particular entry, the packet size (including the IP header) is added to the "connection-bytes" value of that entry.

Connection Rate calculates the speed of a connection from the change in "connection-bytes". It is recalculated every second and is not averaged.

Both options, "connection-bytes" and "connection-rate", work only with TCP and UDP traffic (you need to specify the protocol to activate these options).

You can specify the range of speeds that you would like to capture.

ConnectionRate ::= [!]From-To
  From,To ::= 0..4294967295    (integer number)

Example

These rules will capture TCP/UDP traffic that was going through the router when the connection speed was below 100kbps:

/ip firewall filter
add action=accept chain=forward connection-rate=0-100k protocol=tcp
add action=accept chain=forward connection-rate=0-100k protocol=udp

Notes

Connection Rate is available in RouterOS since v3.30. This option was introduced to allow capturing traffic-intensive connections.

Application Example - Traffic Prioritization

The task is to set a lower priority for all "heavy" traffic (such as P2P, HTTP and FTP downloads) and to prioritize VOIP, HTTP browsing and online gaming.

Let's assume that a normal browsing connection is less than 500kB (4Mb) long, and that VOIP requires no more than 200kbps of speed.


Quick Start for the Impatient

/ip firewall mangle
add chain=forward action=mark-connection connection-mark=!heavy_traffic_conn \
    new-connection-mark=all_conn
add chain=forward action=mark-connection connection-bytes=500000-0 \
    connection-mark=all_conn connection-rate=200k-4294967295 \
    new-connection-mark=heavy_traffic_conn protocol=tcp
add chain=forward action=mark-connection connection-bytes=500000-0 \
    connection-mark=all_conn connection-rate=200k-4294967295 \
    new-connection-mark=heavy_traffic_conn protocol=udp
add chain=forward action=mark-packet connection-mark=heavy_traffic_conn \
    new-packet-mark=heavy_traffic passthrough=no
add chain=forward action=mark-packet connection-mark=all_conn \
    new-packet-mark=other_traffic passthrough=no

/queue tree
add name=upload parent=public max-limit=6M
add name=other_upload parent=upload limit-at=4M max-limit=6M \
    packet-mark=other_traffic priority=1
add name=heavy_upload parent=upload limit-at=2M max-limit=6M \
    packet-mark=heavy_traffic priority=8

add name=download parent=local max-limit=6M
add name=other_download parent=download limit-at=4M max-limit=6M \
    packet-mark=other_traffic priority=1
add name=heavy_download parent=download limit-at=2M max-limit=6M \
    packet-mark=heavy_traffic priority=8
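
The effect of the mangle rules above can be traced with a small model. This is an added example, not part of the MikroTik page and not RouterOS code. It assumes that connection-rate is 8 times the bytes seen in the last second and that the "k" suffix means 1000; the sample flows are constructed.

```python
K = 1000  # assumption: the "k" suffix means 1000 (bits per second)

def parse_range(spec):
    """Parse '[!]From-To' into (negate, lo, hi); k/M suffixes assumed decimal."""
    negate = spec.startswith("!")
    lo, hi = spec.lstrip("!").split("-")
    def num(s):
        mult = {"k": K, "M": K * K}.get(s[-1], 1)
        return int(s.rstrip("kM")) * mult
    return negate, num(lo), num(hi)

def in_range(value, spec, zero_is_unbounded=False):
    negate, lo, hi = parse_range(spec)
    if zero_is_unbounded and hi == 0:   # connection-bytes=500000-0: 500000 or more
        hi = float("inf")
    return (lo <= value <= hi) != negate

def classify(bytes_per_second):
    """Replay the page's mark-connection rules over per-second byte counts.
    Returns the connection mark held after each second."""
    mark, total, marks = None, 0, []
    for delta in bytes_per_second:
        total += delta                  # connection-bytes, both directions
        rate = delta * 8                # connection-rate: last second only, bits/s
        if mark != "heavy_traffic_conn":
            mark = "all_conn"           # rule 1: connection-mark=!heavy_traffic_conn
        if (mark == "all_conn"
                and in_range(total, "500000-0", zero_is_unbounded=True)
                and in_range(rate, "200k-4294967295")):
            mark = "heavy_traffic_conn"  # tcp/udp rules; rule 1 never resets this
        marks.append(mark)
    return marks

# Constructed samples: bytes transferred in each one-second interval.
VOIP = [12_000] * 60                                # steady 96 kbps
DOWNLOAD = [300_000] * 5                            # steady 2.4 Mbps
BURSTY = [12_000] * 50 + [40_000] + [12_000] * 9    # one 320 kbps second

if __name__ == "__main__":
    for name, flow in (("voip", VOIP), ("download", DOWNLOAD), ("bursty", BURSTY)):
        print(name, classify(flow)[-1])
```

The bursty flow shows the consequence of the rate not being averaged: a single second above 200k, once the connection has passed 500000 bytes, moves it into the heavy queue for good.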




Explanation

IP Firewall mangle



Queue
