Identifying and Managing Traffic in RouterOS

The document outlines methods for identifying and managing network traffic using MikroTik RouterOS, addressing common issues like slow applications and dropped calls. It includes technical details on configuring filters, mangle rules, and queues to optimize network performance. Additionally, it provides references for further reading and scripting examples for automation.

MUM SAUDI ARABIA, OCTOBER 2017

Jonathan “JAY” Soriano
- Networking Enthusiast
- MikroTik user since 2011
- Unofficial Trainer

Identifying and Managing Traffic in RouterOS
Challenge

“My applications are sometimes slow.”
“My voice calls drop at times.”
“My video stream is always buffering.”
Why

✓ Slow link to the service provider network
✓ Poor physical & logical network planning & implementation
✓ Underpowered hardware
✓ Malicious software, online and offline threats
✓ Excessive downloaders, uploaders
Identify: to recognize something
- Filter
- Mangle
- DNS
- Address List

Manage
- Queues

Device: hAP ac (RB962UiGS-5HacT2HnT)
Filter

Block MAC
  General
    Chain: forward
    Out. Interface: ether1
  Advanced
    Src. MAC Address: C0:D3:C0:31:E8:D1
  Action
    Action: drop

Block IP
  General
    Chain: forward
    Src. Address: 192.168.88.4
    Out. Interface: ether1
  Action
    Action: drop
Mangle: Identify Port & Protocol

Mark Connection (one rule for tcp, one for udp)
  General
    Chain: prerouting
    Protocol: 6 (tcp)   [second rule: 17 (udp)]
    Dst. Port: 80,8080,20,21,443
  Action
    Action: mark connection
    New Connection Mark: web-connection
    ✓ Passthrough

Mark Packet
  General
    Chain: prerouting
    Connection Mark: web-connection
  Action
    Action: mark packet
    New Packet Mark: web-packet
    ☐ Passthrough
Mangle: Connection Bytes

Mark Connection (one rule for tcp, one for udp)
  General
    Chain: prerouting
    Protocol: 6 (tcp)   [second rule: 17 (udp)]
    Dst. Port: 80,8080,20,21,443
  Advanced
    Connection Bytes: 3000001-0
  Action
    Action: mark connection
    New Connection Mark: 3M-connection
    ✓ Passthrough

Mark Packet
  General
    Chain: prerouting
    Connection Mark: 3M-connection
  Action
    Action: mark packet
    New Packet Mark: 3M-packet
    ☐ Passthrough
Mangle: Layer-7

Firewall L7 Protocol <Video Streaming>
  Name: Video Streaming
  Regexp: videoplayback|video|watch

Mark Connection
  General
    Chain: prerouting
  Advanced
    Layer7 Protocol: Video Streaming
  Action
    Action: mark connection
    New Connection Mark: Video-connection
    ✓ Passthrough

Mark Packet
  General
    Chain: prerouting
    Connection Mark: Video-connection
  Action
    Action: mark packet
    New Packet Mark: Video-packet
    ☐ Passthrough
Mangle: DNS
  DNS Cache
  Script + Scheduler
Mangle: Address List

Mark Connection
  General
    Chain: prerouting
  Advanced
    Dst. Address List: Youtube
  Action
    Action: mark connection
    New Connection Mark: Video-connection
    ✓ Passthrough

Mark Packet
  General
    Chain: prerouting
    Connection Mark: Video-connection
  Action
    Action: mark packet
    New Packet Mark: Video-packet
    ☐ Passthrough
Mangle: Other Traffic
Manage: to maintain control over something

Class 1
Class 2
Class 3

Queues
  Simple Queue
  Queue Tree

Simple Queue: Parent Queue, Child Queue (screenshots)
Queue Tree (screenshots)
Network Diagram
Internet Source
Gateway modem
IP address: 192.168.1.1/24

MikroTik Router
ether1: DHCP client
ether2: Master port: none
ether3,4,5: Master port: ether2
local-bridge: ether2 & wlan1 ports
local-bridge IP: 192.168.88.1/24

Your Computer
Ethernet: 192.168.88.111
Queue Tree: Parent Queue, Child Queue (screenshots)
“I am still learning.”
-Michelangelo, age 87
- Disable Fasttrack for queues to work
- To reset all markings, select all then Remove
- No need to reboot or shut down the device

References
/ip firewall layer7-protocol
add name="Video Streaming" regexp=videoplayback|video|watch

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Video Address List" dst-address-list=Youtube new-connection-mark=Video-connection passthrough=yes
add action=mark-connection chain=prerouting comment="Video Layer7" layer7-protocol="Video Streaming" new-connection-mark=Video-connection passthrough=yes
add action=mark-packet chain=prerouting comment="Video Packet" connection-mark=Video-connection new-packet-mark=Video-packet passthrough=no
add action=mark-connection chain=prerouting comment=Web dst-port=80,8080,443,20,21 new-connection-mark=web-connection passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=80,8080,443,20,21 new-connection-mark=web-connection passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="Large file more than 3Mb" connection-bytes=3000001-0 dst-port=80,8080,20,21,443 new-connection-mark=3M-connection passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=3000001-0 dst-port=80,8080,20,21,443 new-connection-mark=3M-connection passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="3M Packet" connection-mark=3M-connection new-packet-mark=3M-packet passthrough=no
add action=mark-packet chain=prerouting comment="Web Packet" connection-mark=web-connection new-packet-mark=web-packet passthrough=no
add action=mark-connection chain=prerouting comment=Other dst-port=1000-65535 new-connection-mark=other-connection passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=1000-65535 new-connection-mark=other-connection passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="Other Packet" connection-mark=other-connection new-packet-mark=other-packet passthrough=no
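The order of the mangle rules above and their passthrough settings decide which packet mark a packet finally leaves with. As an added example (not from the presentation), this Python model walks one packet at a time through those twelve rules with the same matchers, showing that a web connection switches from web-packet to 3M-packet once it has moved 3 MB and that a Video-connection never reaches the Web rules. Address-list and Layer-7 matches are assumed to be given as flags on the connection.

```python
from dataclasses import dataclass

LARGE = 3_000_001                       # connection-bytes=3000001-0
WEB_PORTS = {80, 8080, 443, 20, 21}     # dst-port list of the Web rules

@dataclass
class Conn:
    """Connection-tracking state the mangle rules read and write (constructed)."""
    proto: str                      # "tcp" or "udp"
    dst_port: int
    in_youtube_list: bool = False   # dst-address-list=Youtube matched (assumed flag)
    l7_video: bool = False          # layer7-protocol="Video Streaming" matched (assumed flag)
    bytes_seen: int = 0             # connection-bytes, both directions
    mark: str = ""                  # connection-mark, persists across packets

def mangle(c: Conn, packet_len: int) -> str:
    """Run one packet of connection c through the prerouting mangle rules
    in export order and return the packet-mark it leaves with ("" = none).
    mark-connection rules have passthrough=yes, so evaluation continues;
    mark-packet rules have passthrough=no, so they end evaluation."""
    c.bytes_seen += packet_len
    is_web = c.proto in ("tcp", "udp") and c.dst_port in WEB_PORTS
    # rules 1-2: Video Address List / Video Layer7 -> Video-connection
    if c.in_youtube_list or c.l7_video:
        c.mark = "Video-connection"
    # rule 3: Video Packet (passthrough=no), so video never reaches the Web rules
    if c.mark == "Video-connection":
        return "Video-packet"
    # rules 4-5: Web (tcp/udp) -> web-connection
    if is_web:
        c.mark = "web-connection"
    # rules 6-7: same ports with connection-bytes >= 3000001 -> 3M-connection,
    # overriding web-connection once the connection has moved 3 MB
    if is_web and c.bytes_seen >= LARGE:
        c.mark = "3M-connection"
    # rule 8: 3M Packet (passthrough=no)
    if c.mark == "3M-connection":
        return "3M-packet"
    # rule 9: Web Packet (passthrough=no)
    if c.mark == "web-connection":
        return "web-packet"
    # rules 10-11: Other, dst-port 1000-65535 -> other-connection
    if c.proto in ("tcp", "udp") and 1000 <= c.dst_port <= 65535:
        c.mark = "other-connection"
    # rule 12: Other Packet
    if c.mark == "other-connection":
        return "other-packet"
    return ""   # e.g. DNS on udp/53 is not classified by any rule
```

Traffic below port 1000 that is not on a web port (DNS on udp/53, for instance) gets no mark at all and so falls outside every child queue.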

/queue tree
add limit-at=128k max-limit=5M name=Download parent=bridge queue=pcq-download-default
add limit-at=128k max-limit=1M name=Upload parent=ether1 queue=pcq-upload-default
add limit-at=3M max-limit=5M name="a. web d" packet-mark=web-packet parent=Download priority=2 queue=pcq-download-default
add limit-at=500k max-limit=3M name="d. large file d" packet-mark=3M-packet parent=Download queue=pcq-download-default
add limit-at=500k max-limit=3M name="c. video d" packet-mark=Video-packet parent=Download priority=6 queue=pcq-download-default
add limit-at=1M max-limit=4M name="b. other d" packet-mark=other-packet parent=Download priority=4 queue=pcq-download-default
add limit-at=512k max-limit=1M name="a. web u" packet-mark=web-packet parent=Upload priority=2 queue=pcq-upload-default
add limit-at=104k max-limit=256k name="d. large file u" packet-mark=3M-packet parent=Upload queue=pcq-upload-default
add limit-at=128k max-limit=500k name="c. video u" packet-mark=Video-packet parent=Upload priority=6 queue=pcq-upload-default
add limit-at=256k max-limit=768k name="b. other u" packet-mark=other-packet parent=Upload priority=4 queue=pcq-upload-default

/system scheduler
add interval=30s name="run every 30 seconds" on-event="/system script run video" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/10/2017 start-time=20:00:00

URL Links:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list
https://wiki.mikrotik.com/wiki/Manual:IP/DNS
https://wiki.mikrotik.com/wiki/Sync_Address_List_from_DNS_Lookup_Results_-_CNAME_and_A_Records
https://wiki.mikrotik.com/wiki/Manual:Scripting-examples
https://wiki.mikrotik.com/wiki/Manual:Queue
http://www.istockphoto.com
Script

/system script
add name=video owner=jay policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=(script below)

Script source, unescaped from the export:

:local myServers { "video" }
:local myListName "Youtube"
:local myTimeout "00:30:00"

/ip dns cache all {
  :foreach i in=$myServers do={
    :foreach j in=[find where (name~$i)] do={
      :do {
        :local myName [get $j name]
        :local myType [get $j type]
        :local myData [get $j data]

        :if ($myType = "A") do={
          :do {
            /ip firewall address-list add address=$myData list=$myListName comment="$i-$myName" timeout=$myTimeout
          } on-error={
            :put "DNSCACHE: Error on $myName $myData $myType"
          }
        }

        :if ($myType = "CNAME") do={
          :local currentName $j
          :local nextName [find where (name=$myData && type="CNAME")]

          :while ($nextName != "") do={
            :set currentName $nextName
            :resolve $currentName
            :set nextName [find where (name=[get $nextName data] && type="CNAME")]
          }

          :resolve [get $currentName data]

          :foreach k in=[find where (name=[get $currentName data] && type="A")] do={
            :set myData [get $k data]
            :do {
              /ip firewall address-list add address=$myData list=$myListName comment="$i-$myName" timeout=$myTimeout
            } on-error={
              :put "DNSCACHE: Error on $myName $myData $myType"
            }
          }
        }
      } on-error={
        :put "DNSCACHE: Missing Entry"
      }
    }
  }
}
