Queue Tree with more than two interfaces

From MikroTik Wiki
Revision as of 11:05, 24 February 2007 by Fisero (talk | contribs)

Basic Setup

This page describes how to build a QUEUE TREE in RouterOS together with masquerading for more than two interfaces. This possibility is not described in the manual.

First, let's do the basic setup. I'm using a machine with 3 or more network interfaces:

[admin@instaler] > in pr
#    NAME       TYPE    RX-RATE    TX-RATE    MTU  
0  R public     ether   0          0          1500 
1  R lan        wlan    0          0          1500

And this is the IP Address for each interface:

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic 
#  ADDRESS           NETWORK      BROADCAST      INTERFACE
0  192.168.0.217/24  192.168.0.0  192.168.0.255  public   
1  172.21.1.1/24     172.21.1.0   172.21.1.255   lan

Don't forget to set up the transparent web-proxy:

[admin@instaler] > ip web-proxy pr
                enabled: yes
            src-address: 0.0.0.0
                   port: 3128
               hostname: "proxy"
      transparent-proxy: yes
           parent-proxy: 0.0.0.0:0
    cache-administrator: "webmaster"
        max-object-size: 4096KiB
            cache-drive: system
         max-cache-size: none
     max-ram-cache-size: unlimited
                 status: running
     reserved-for-cache: 0KiB
 reserved-for-ram-cache: 154624KiB

Firewall NAT

Make 2 NAT rules: one for masquerading, and the other for redirecting to the transparent proxy.

[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic 
0   chain=srcnat out-interface=public 
    src-address=172.21.1.0/24 action=masquerade 
1   chain=dstnat in-interface=lan src-address=172.21.1.0/24 
    protocol=tcp dst-port=80 action=redirect to-ports=3128

Mangle Setup

Now comes the most important part of this setup.

As we will make queues for uplink and downlink traffic, we need 2 packet marks. In this example, we use "test-up" for uplink traffic and "test-down" for downlink traffic.

For uplink traffic, it's quite simple. We need only one rule, matching on SRC-ADDRESS and IN-INTERFACE, in the PREROUTING chain. This is rule #0.

For downlink, however, we have to make several rules. As we use masquerading, we need a connection mark, named "test-conn". This is rule #1.

Then we have to make 2 more rules. The first is for non-HTTP / direct connections. We use the FORWARD chain, as the data travels through the router. This is rule #2.

The second rule is for data coming from the web-proxy to the client. We use the OUTPUT chain, as the data comes from an internal process on the router itself. This is rule #3.

Both rules (#2 and #3) set the packet mark "test-down".

Please be aware that we use passthrough=yes only for the connection mark (rule #1).

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
0   ;;; UP TRAFFIC
    chain=prerouting in-interface=lan 
    src-address=172.21.1.0/24 action=mark-packet 
    new-packet-mark=test-up passthrough=no 

1   ;;; CONN-MARK
    chain=forward src-address=172.21.1.0/24 
    action=mark-connection 
    new-connection-mark=test-conn passthrough=yes 

2   ;;; DOWN-DIRECT CONNECTION
    chain=forward in-interface=public 
    connection-mark=test-conn action=mark-packet 
    new-packet-mark=test-down passthrough=no 

3   ;;; DOWN-VIA PROXY
    chain=output out-interface=lan 
    dst-address=172.21.1.0/24 action=mark-packet 
    new-packet-mark=test-down passthrough=no

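To check the reasoning behind the four rules, here is an added Python model of how they mark the three kinds of traffic; it is not RouterOS code and not part of the original page. It assumes a simplified connection-tracking table keyed by the flow's 5-tuple, the standard chain traversal paths (prerouting/forward for transit, prerouting/input for traffic to the router, output for traffic from the router), and constructed sample flows.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("172.21.1.0/24")
conntrack = {}  # connection key -> connection-mark (simplified conntrack model, an assumption)
def conn_key(p):
    # Both directions of a flow map to the same key, as conntrack does
    ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return (p["proto"],) + tuple(ends)
# The page's four mangle rules as (chain, match, action, new mark, passthrough)
MANGLE = [
    ("prerouting", lambda p: p["in_if"] == "lan" and ip_address(p["src"]) in LAN,
     "mark-packet", "test-up", False),
    ("forward", lambda p: ip_address(p["src"]) in LAN,
     "mark-connection", "test-conn", True),
    ("forward", lambda p: p["in_if"] == "public" and conntrack.get(conn_key(p)) == "test-conn",
     "mark-packet", "test-down", False),
    ("output", lambda p: p["out_if"] == "lan" and ip_address(p["dst"]) in LAN,
     "mark-packet", "test-down", False),
]

def run_chain(chain, p):
    for rchain, match, action, mark, passthrough in MANGLE:
        if rchain != chain or not match(p):
            continue
        if action == "mark-packet":
            p["packet_mark"] = mark
        else:
            conntrack[conn_key(p)] = mark
        if not passthrough:
            break  # passthrough=no: no further rules of this chain are evaluated

def packet_mark(p, path):
    """Send one packet through the chains on its path; return its final packet-mark."""
    p = dict(p, packet_mark=None)
    for chain in path:
        run_chain(chain, p)
    return p["packet_mark"]

TRANSIT = ("prerouting", "forward")  # LAN <-> Internet through the router
TO_ROUTER = ("prerouting", "input")  # HTTP request redirected to the proxy
FROM_ROUTER = ("output",)            # proxy reply generated by the router
def flow(src, sport, dst, dport, in_if, out_if):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport, in_if=in_if, out_if=out_if)

def demo():
    """Constructed sample flows (203.0.113.10 is a documentation-range host)."""
    conntrack.clear()
    return {
        "uplink": packet_mark(flow("172.21.1.5", 40000, "203.0.113.10", 443, "lan", "public"), TRANSIT),
        "downlink-direct": packet_mark(flow("203.0.113.10", 443, "172.21.1.5", 40000, "public", "lan"), TRANSIT),
        "http-to-proxy": packet_mark(flow("172.21.1.5", 40001, "203.0.113.10", 80, "lan", None), TO_ROUTER),
        "proxy-reply": packet_mark(flow("172.21.1.1", 3128, "172.21.1.5", 40001, None, "lan"), FROM_ROUTER),
    }
```

The model also shows that rule #3 matches every packet the router itself sends to 172.21.1.0/24, not only proxy replies, so other router-originated traffic to the LAN lands in the "downstream" queue as well.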

Queue Tree Setup

Now the queue tree settings. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent: for downlink traffic we use parent "lan", the interface name of the local network, and for uplink we use parent "global-in".

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid 
0   name="downstream" parent=lan packet-mark=test-down 
    limit-at=32000 queue=default priority=8 
    max-limit=32000 burst-limit=0 
    burst-threshold=0 burst-time=0s 

1   name="upstream" parent=global-in 
    packet-mark=test-up limit-at=32000 
    queue=default priority=8 
    max-limit=32000 burst-limit=0 
    burst-threshold=0 burst-time=0s

You can also use these mangle rules with PCQ.

For any questions, you can contact me at: info(at)mikrotik(dot)co(dot)id

Valens Riyadi