Difference between revisions of "Queue Tree with more than two interfaces"

From MikroTik Wiki
Jump to: navigation, search
Line 1: Line 1:
 
== Basic Setup==
 
== Basic Setup==
This page will tak about how to make QUEUE TREE in RouterOS that with Masquerading for more than two interfaces.
+
This page will tak about how to make QUEUE TREE in RouterOS that with Masquerading for more than two interfaces. It's for sharing internet connection among users on each interfacess.
In manual this possibility isn't writted
+
In manual this possibility isn't writted.
 +
 
 +
----
  
 
First, let's set the basic setting first. I'm using a machine with 3 or more network interfaces:
 
First, let's set the basic setting first. I'm using a machine with 3 or more network interfaces:
Line 12: Line 14:
 
  3  R wifi3      wlan    0          0          1500
 
  3  R wifi3      wlan    0          0          1500
  
And this is the IP Address for each interface:
+
And this is the IP Addresses for each interface:
  
 
  [admin@instaler] > ip ad pr
 
  [admin@instaler] > ip ad pr
 
  Flags: X - disabled, I - invalid, D - dynamic  
 
  Flags: X - disabled, I - invalid, D - dynamic  
 
  #  ADDRESS          NETWORK      BROADCAST      INTERFACE
 
  #  ADDRESS          NETWORK      BROADCAST      INTERFACE
  0  10.10.1.0/24      10.10.1.0    10.10.1.255    public   
+
  0  10.20.1.0/24      10.20.1.0    10.20.1.255    public   
 
  1  10.10.2.0/24      10.10.2.0    10.10.2.255    wifi1
 
  1  10.10.2.0/24      10.10.2.0    10.10.2.255    wifi1
 
  2  10.10.3.0/24      10.10.3.0    10.10.3.255    wifi2
 
  2  10.10.3.0/24      10.10.3.0    10.10.3.255    wifi2
 
  3  10.10.4.0/24      10.10.4.0    10.10.4.255    wifi3
 
  3  10.10.4.0/24      10.10.4.0    10.10.4.255    wifi3
  
Don't forget to set the transparant web-proxy
+
On the public you can add NAT or proxy if you want.
 
 
[admin@instaler] > ip web-proxy pr
 
                enabled: yes
 
            src-address: 0.0.0.0
 
                    port: 3128
 
                hostname: "proxy"
 
      transparent-proxy: yes
 
            parent-proxy: 0.0.0.0:0
 
    cache-administrator: "webmaster"
 
        max-object-size: 4096KiB
 
            cache-drive: system
 
          max-cache-size: none
 
      max-ram-cache-size: unlimited
 
                  status: running
 
      reserved-for-cache: 0KiB
 
  reserved-for-ram-cache: 154624KiB
 
 
 
==Firewall NAT==
 
Make 2 NAT rules, 1 for Masquerading, and the other for redirecting transparant proxy.
 
 
 
[admin@instaler] ip firewall nat> pr
 
Flags: X - disabled, I - invalid, D - dynamic
 
0  chain=srcnat out-interface=public
 
    src-address=172.21.1.0/24 action=masquerade
 
1  chain=dstnat in-interface=lan src-address=172.21.1.0/24
 
    protocol=tcp dst-port=80 action=redirect to-ports=3128
 
  
 
==Mangle Setup==
 
==Mangle Setup==
Line 54: Line 30:
 
And now is the most important part in this case.
 
And now is the most important part in this case.
  
As we will make Queue for uplink and downlink traffic, we need 2 packet-mark. In this example, we use "test-up" for uplink traffic, and "test-down" for downlink traffic.
+
As we will make Queue for uplink and downlink traffic, we need packet-marks. In this example, we use "test-up" for uplink traffic, and "test-down" for downlink traffic.
  
 
For uplink traffic, it's quite simple. We need only one rule, using SRC-ADDRESS and IN-INTERFACE parameters, and using PREROUTING chain. Rule number #0.
 
For uplink traffic, it's quite simple. We need only one rule, using SRC-ADDRESS and IN-INTERFACE parameters, and using PREROUTING chain. Rule number #0.
Line 68: Line 44:
 
Please be aware, we use passthrough only for connection mark (rule no #1).
 
Please be aware, we use passthrough only for connection mark (rule no #1).
  
  [admin@instaler] > ip firewall mangle print
+
 +
  [admin@instaler] ip firewall mangle> print
 
  Flags: X - disabled, I - invalid, D - dynamic  
 
  Flags: X - disabled, I - invalid, D - dynamic  
  0  ;;; UP TRAFFIC
+
  0  chain=forward src-address=10.10.2.10
     chain=prerouting in-interface=lan
+
     action=mark-connection new-connection-mark=users-10U passthrough=yes
    src-address=172.21.1.0/24 action=mark-packet  
+
 
     new-packet-mark=test-up passthrough=no
+
1  chain=forward dst-address=10.10.2.10
+
    action=mark-connection new-connection-mark=users-10D passthrough=yes
  1   ;;; CONN-MARK
+
 
     chain=forward src-address=172.21.1.0/24
+
2  chain=forward connection-mark=users-10U action=mark-packet  
     action=mark-connection  
+
     new-packet-mark=10 passthrough=yes
    new-connection-mark=test-conn passthrough=yes  
+
 
+
  3   chain=forward connection-mark=users-10D action=mark-packet
  2   ;;; DOWN-DIRECT CONNECTION
+
     new-packet-mark=10 passthrough=yes
     chain=forward in-interface=public
+
 
    connection-mark=test-conn action=mark-packet  
+
chain=forward src-address=10.10.2.10
     new-packet-mark=test-down passthrough=no
+
     action=mark-connection new-connection-mark=users-10U passthrough=yes  
+
 
  3   ;;; DOWN-VIA PROXY
+
  5   chain=forward dst-address=10.10.2.10
     chain=output out-interface=lan
+
     action=mark-connection new-connection-mark=users-10D passthrough=yes
    dst-address=172.21.1.0/24 action=mark-packet  
+
 
     new-packet-mark=test-down passthrough=no
+
6  chain=forward connection-mark=users-10U action=mark-packet  
 +
     new-packet-mark=10 passthrough=yes
 +
 
 +
  7   chain=forward connection-mark=users-10D action=mark-packet
 +
     new-packet-mark=10 passthrough=yes
 +
 
 +
98  chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16
 +
    action=mark-connection new-connection-mark=users-lokal passthrough=yes
 +
 
 +
99  chain=forward connection-mark=users-lokal action=mark-packet  
 +
     new-packet-mark=lokalTrafic passthrough=yes
 +
 
  
  

Revision as of 12:51, 24 February 2007

Basic Setup

This page will tak about how to make QUEUE TREE in RouterOS that with Masquerading for more than two interfaces. It's for sharing internet connection among users on each interfacess. In manual this possibility isn't writted.

First, let's set the basic setting first. I'm using a machine with 3 or more network interfaces: 

[admin@instaler] > in pr
#    NAME       TYPE    RX-RATE    TX-RATE    MTU  
0  R public     ether   0          0          1500 
1  R wifi1      wlan    0          0          1500
2  R wifi2      wlan    0          0          1500
3  R wifi3      wlan    0          0          1500

And this is the IP Addresses for each interface: 

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic 
#  ADDRESS           NETWORK      BROADCAST      INTERFACE
0  10.20.1.0/24      10.20.1.0    10.20.1.255    public   
1  10.10.2.0/24      10.10.2.0    10.10.2.255    wifi1
2  10.10.3.0/24      10.10.3.0    10.10.3.255    wifi2
3  10.10.4.0/24      10.10.4.0    10.10.4.255    wifi3

On the public you can add NAT or proxy if you want.

Mangle Setup

And now is the most important part in this case.

As we will make Queue for uplink and downlink traffic, we need packet-marks. In this example, we use "test-up" for uplink traffic, and "test-down" for downlink traffic.

For uplink traffic, it's quite simple. We need only one rule, using SRC-ADDRESS and IN-INTERFACE parameters, and using PREROUTING chain. Rule number #0.

But for downlink, we have to make sevaral rules. As we use masquerading, we need Connection Mark, named as "test-conn". Rule no #1.

Then we have to make 2 more rules. First rule is for non-HTTP connection / direct connection. We use chain forward, as the data traveling through the router. Rule no #2.

The second rule is for data coming from web-proxy to the client. We use OUTPUT chain, as the data coming from internal process in the router itself. Rule no #3.

For both rules (no #2 and #3) we named it "test-down".

Please be aware, we use passthrough only for connection mark (rule no #1). 


[admin@instaler] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
0   chain=forward src-address=10.10.2.10 
    action=mark-connection new-connection-mark=users-10U passthrough=yes 

1   chain=forward dst-address=10.10.2.10 
    action=mark-connection new-connection-mark=users-10D passthrough=yes 

2   chain=forward connection-mark=users-10U action=mark-packet 
    new-packet-mark=10 passthrough=yes 

3   chain=forward connection-mark=users-10D action=mark-packet 
    new-packet-mark=10 passthrough=yes 

4   chain=forward src-address=10.10.2.10 
    action=mark-connection new-connection-mark=users-10U passthrough=yes 

5   chain=forward dst-address=10.10.2.10 
    action=mark-connection new-connection-mark=users-10D passthrough=yes 

6   chain=forward connection-mark=users-10U action=mark-packet 
    new-packet-mark=10 passthrough=yes 

7   chain=forward connection-mark=users-10D action=mark-packet 
    new-packet-mark=10 passthrough=yes 

98  chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16 
    action=mark-connection new-connection-mark=users-lokal passthrough=yes 

99  chain=forward connection-mark=users-lokal action=mark-packet 
    new-packet-mark=lokalTrafic passthrough=yes


Queue Tree Setup

And now, the queue tree setting. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent. for downlink traffic, we use parent "lan", the interface name for local network. And for uplink, we are using parent "global-in". 

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid 
0   name="downstream" parent=lan packet-mark=test-down 
    limit-at=32000 queue=default priority=8 
    max-limit=32000 burst-limit=0 
    burst-threshold=0 burst-time=0s 

1   name="upstream" parent=global-in 
    packet-mark=test-up limit-at=32000 
    queue=default priority=8 
    max-limit=32000 burst-limit=0 
    burst-threshold=0 burst-time=0s

You can use those mangle also with PCQ.

Any question, you can contact me at : info(at)mikrotik(dot)co(dot)id

Valens Riyadi

Retrieved from "https://wiki.mikrotik.com/index.php?title=Queue_Tree_with_more_than_two_interfaces&oldid=4037"