Agratitudesign Impression | Graphic Web Design, Computer Network, Balinese Culture


As one of the IT staff in a company, I get all kinds of requests. One of them: how can we manage several local networks using just one network address, but with different subnets? In other words, we use the same network address and divide it into sub-networks. Until now, when I wanted to manage several networks on different local port interfaces of the router, I gave each local network its own network and mask. But we can also manage our networks as a single network split into multiple subnets. So this implementation is about understanding subnetting of the network's IP address. If you already know it, skip ahead! I will just continue with my notes.

For example, subnetting a Class C IP address:

NETWORK ADDRESS = 192.168.1.0/26
Subnet mask /26 = 11111111.11111111.11111111.11000000 = 255.255.255.192
Number of subnets = 2^x = 2^2 = 4 segments
Number of hosts per subnet = 2^y - 2 = 2^6 - 2 = 62 hosts
Subnet block = 256 - 192 = 64; 64 + 64 = 128; 128 + 64 = 192, so the subnets start at 0, 64, 128, 192

x : number of binary 1s in the last octet of the mask (the borrowed subnet bits)
y : number of binary 0s in the last octet of the mask (the host bits)

For a clearer explanation of IP subnetting you can go to boossit.wordpress.com, and if you want it calculated automatically, you can go to http://jodies.de/ipcalc

OK, let's go further and see how we implement it on our Mikrotik router.

Let's say we have an internet connection through a modem whose

IP gateway = 192.168.1.1

We plan to share the internet connection with our local networks.

Number of local networks = 4

The four local networks will be the 4 subnets of the same network address.

Network address = 192.168.2.0/24, so our subnets will be:
Subnet Localnet1 : 192.168.2.0/26
Subnet Localnet2 : 192.168.2.64/26 
Subnet Localnet3 : 192.168.2.128/26
Subnet Localnet4 : 192.168.2.192/26

Reset your router with no default configuration; then we can start configuring our Mikrotik using 1 network address divided into 4 subnets for our local networks.

1. Setup identity, DNS server, and NTP client of the Mikrotik router

We begin by setting the identity of your router. If you have several Mikrotik routers, it is better to give each one a name, to avoid mistakes about which router you are currently setting up or changing. Then we choose the DNS servers and the NTP client first.

/system identity
set name=Agratitudesign
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/system ntp client
set enabled=yes primary-ntp=203.89.31.13 secondary-ntp=82.200.209.236

2. Set up interface port names for all the ports that will be used

These are just names; you can name the interface ports as you like. In this case I used internet for the WAN or gateway, and localnet-1, localnet-2, localnet-3, localnet-4 for the local network interfaces.

/interface ethernet
set [ find default-name=ether1 ] name=internet
set [ find default-name=ether2 ] name=localnet-1
set [ find default-name=ether3 ] name=localnet-2
set [ find default-name=ether4 ] name=localnet-3
set [ find default-name=ether5 ] name=localnet-4


As the picture above shows, we use just 1 WAN (or internet, whatever you call it) port and 2 local port interfaces. It doesn't matter that we only use 2 local ports; the rest are spare ports ready to use.

3. Set up the IP addresses for the interface ports and the route gateway

For the WAN or internet interface we use 192.168.1.2/24. We start from 192.168.1.2 because our IP gateway on the ISP router is 192.168.1.1. So don't use 192.168.1.1/24, otherwise the router will not find the internet gateway.

/ip address
add address=192.168.1.2/24 interface=internet network=192.168.1.0
add address=192.168.2.1/26 interface=localnet-1 network=192.168.2.0
add address=192.168.2.65/26 interface=localnet-2 network=192.168.2.64
add address=192.168.2.129/26 interface=localnet-3 network=192.168.2.128
add address=192.168.2.193/26 interface=localnet-4 network=192.168.2.192
/ip route
add distance=1 gateway=192.168.1.1


As you can see, we use 192.168.2.1/26, 192.168.2.65/26, 192.168.2.129/26 and 192.168.2.193/26 as the IP addresses of the local port interfaces. /26 gives 4 subnets or segments of the total host range of the network address.

4. Set up DHCP servers and IP pools for our local subnet interfaces

One DHCP server and IP pool serves one local subnet interface. Because we have 4 local port subnet interfaces, we must create 4 DHCP servers with their IP pools.

/ip pool
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.62
add name=dhcp_pool2 ranges=192.168.2.66-192.168.2.126
add name=dhcp_pool3 ranges=192.168.2.130-192.168.2.190
add name=dhcp_pool4 ranges=192.168.2.194-192.168.2.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=localnet-1 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=localnet-2 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=localnet-3 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=localnet-4 name=dhcp4

/ip dhcp-server network
add address=192.168.2.0/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.2.64/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.65
add address=192.168.2.128/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.129
add address=192.168.2.192/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.193
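As an added example (not code from the original post), the following Python reproduces the subnet arithmetic from the start of this post with the standard ipaddress module and generates the /ip address, /ip pool and /ip dhcp-server network lines of steps 3 and 4 for any parent network and prefix, so each subnet's gateway, pool range and network= value are computed instead of typed by hand. The naming scheme (localnet-N, dhcp_poolN, dhcpN) follows this post; the no_overlap check between the WAN and LAN networks is an addition.

```python
import ipaddress


def subnet_math(old_prefix, new_prefix):
    """The formulas used in this post: x = borrowed bits (extra 1s in the mask),
    y = remaining host bits. 'block' is the size of each subnet in the last
    octet (256 minus the last mask octet), valid when new_prefix >= 24."""
    x = new_prefix - old_prefix
    y = 32 - new_prefix
    return {"subnets": 2 ** x, "hosts": 2 ** y - 2, "block": 2 ** y}


def subnet_plan(network, new_prefix):
    """Split `network` into /new_prefix subnets and return, per subnet, the values
    the RouterOS commands need: network, mask, gateway (first usable host),
    DHCP pool range (second to last usable host) and broadcast address."""
    net = ipaddress.ip_network(network, strict=True)
    plan = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())          # a /26 yields 62 usable hosts
        plan.append({
            "network": str(sub.network_address),
            "prefix": sub.prefixlen,
            "mask": str(sub.netmask),
            "gateway": str(hosts[0]),      # router address on this interface
            "pool_first": str(hosts[1]),   # DHCP pool starts after the gateway
            "pool_last": str(hosts[-1]),   # last usable host, before broadcast
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": len(hosts),
        })
    return plan


def routeros_commands(plan, dns="8.8.8.8,8.8.4.4", iface_prefix="localnet-"):
    """Render the four command sections of steps 3 and 4, one line per subnet,
    in the same key order that RouterOS uses in an export."""
    addr, pool, dhcp, dhcp_net = [], [], [], []
    for i, s in enumerate(plan, start=1):
        iface = f"{iface_prefix}{i}"
        addr.append(f"add address={s['gateway']}/{s['prefix']} interface={iface} "
                    f"network={s['network']}")
        pool.append(f"add name=dhcp_pool{i} ranges={s['pool_first']}-{s['pool_last']}")
        dhcp.append(f"add address-pool=dhcp_pool{i} disabled=no interface={iface} name=dhcp{i}")
        dhcp_net.append(f"add address={s['network']}/{s['prefix']} dns-server={dns} "
                        f"gateway={s['gateway']}")
    return (["/ip address"] + addr + ["/ip pool"] + pool
            + ["/ip dhcp-server"] + dhcp + ["/ip dhcp-server network"] + dhcp_net)


def no_overlap(wan_network, lan_network):
    """True when the WAN and LAN parent networks do not overlap. This post uses
    192.168.1.0/24 on the WAN side and 192.168.2.0/24 on the LAN side; an
    overlap would make the default route and the masquerade rules ambiguous."""
    return not ipaddress.ip_network(wan_network).overlaps(ipaddress.ip_network(lan_network))


if __name__ == "__main__":
    print(subnet_math(24, 26))   # {'subnets': 4, 'hosts': 62, 'block': 64}
    print("\n".join(routeros_commands(subnet_plan("192.168.2.0/24", 26))))
    print(no_overlap("192.168.1.0/24", "192.168.2.0/24"))   # True
```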



5. Create masquerade NAT rules for the local networks in Firewall NAT

We have 4 masquerade NAT rules in firewall NAT. If you want to switch off or disable the internet connection for one of those local port subnet interfaces, you can do it by disabling the rule for that interface.

/ip firewall nat 
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.0/26 disabled=no comment="localnet-1"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.64/26 disabled=no comment="localnet-2"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.128/26 disabled=no comment="localnet-3"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.192/26 disabled=no comment="localnet-4" 



After any new Mikrotik router configuration, we should reboot the router so that all the rules on it work stably and exactly as we set them up. After this, you should be able to use the internet connection from each local port subnet interface. Then, on the client side, you can see which IP address and IP gateway they get.


6. Set up a bridge for the local network port subnet interfaces

Obviously, clients on different networks or sub-networks that use different interfaces cannot exchange data with one another through the local networks. This is why we have to set up a bridge for clients that are using different port interfaces on your router.


The picture above shows a client in subnet 1 remotely controlling a client in subnet 2 with Chrome Remote Desktop through the internet connection. Client 1 and Client 2 are using different interfaces of the router. Even though we share a folder on the clients, we still cannot see the shared folder through the local network.

So what we do now is set up a bridge for the local subnet interfaces on the Mikrotik router. Open your Winbox and insert these rules:

/interface bridge
add name=bridge_localnet
/interface bridge port
add bridge=bridge_localnet interface=localnet-1
add bridge=bridge_localnet interface=localnet-2
add bridge=bridge_localnet interface=localnet-3
add bridge=bridge_localnet interface=localnet-4

Setting up a bridge over the interfaces is like merging them, and the clients then follow the DHCP server of the bridge interface that you have to set up. If you stop at this step, of course it will break all the local networks, because the clients are using the DHCP server of each interface, and those interfaces are now merged.


What we have to do is change one of the localnet DHCP servers to the bridge interface name, in this case bridge_localnet, as in the picture below. Or you can create new rules for the bridge DHCP server like this:

/ip address
add interface=bridge_localnet address=192.168.2.1/24
/ip pool
add name=dhcp_pool_bridge ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool_bridge disabled=no interface=bridge_localnet
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1


The local network will work again, no longer using each subnet's own DHCP server but the single DHCP server of the bridge. Let's check that the clients get an IP address; now you can share the folder you want. The picture below shows network sharing between the clients across the router interfaces.


That's all I can tell you based on my experiment with implementing subnets on the local port interfaces and setting up the bridge interface with a DHCP server on a Mikrotik router. For a clearer picture, watch the video!



Related to this topic, here are the complete rules if we don't need to use subnetting for the local port interfaces of the Mikrotik router!

/system identity
set name=Agratitudesign

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/system ntp client
set enabled=yes primary-ntp=203.89.31.13 secondary-ntp=82.200.209.236

/interface ethernet
set [ find default-name=ether1 ] name=internet
set [ find default-name=ether2 ] name=localnet-1
set [ find default-name=ether3 ] name=localnet-2
set [ find default-name=ether4 ] name=localnet-3
set [ find default-name=ether5 ] name=localnet-4

/ip address
add address=192.168.1.2/24 interface=internet network=192.168.1.0
add address=192.168.2.1/26 interface=localnet-1 network=192.168.2.0
add address=192.168.3.1/26 interface=localnet-2 network=192.168.3.0
add address=192.168.4.1/26 interface=localnet-3 network=192.168.4.0
add address=192.168.5.1/26 interface=localnet-4 network=192.168.5.0

/ip route
add distance=1 gateway=192.168.1.1

/ip pool
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.62
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.62
add name=dhcp_pool3 ranges=192.168.4.2-192.168.4.62
add name=dhcp_pool4 ranges=192.168.5.2-192.168.5.62

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=localnet-1 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=localnet-2 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=localnet-3 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=localnet-4 name=dhcp4

/ip dhcp-server network
add address=192.168.2.0/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.3.0/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.1
add address=192.168.4.0/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.4.1
add address=192.168.5.0/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1

/ip firewall nat 
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.0/26 disabled=no comment="localnet-1"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.3.0/26 disabled=no comment="localnet-2"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.4.0/26 disabled=no comment="localnet-3"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.5.0/26 disabled=no comment="localnet-4"

/interface bridge
add name=bridge_localnet

/interface bridge port
add bridge=bridge_localnet interface=localnet-1
add bridge=bridge_localnet interface=localnet-2
add bridge=bridge_localnet interface=localnet-3
add bridge=bridge_localnet interface=localnet-4

/ip address
add interface=bridge_localnet address=192.168.2.1/24

/ip pool
add name=dhcp_pool5 ranges=192.168.2.2-192.168.2.254

/ip dhcp-server
add address-pool=dhcp_pool5 disabled=no interface=bridge_localnet

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1

For everyone who has an internet connection from an ISP that uses a PPPoE connection (Point-to-Point Protocol over Ethernet), the setup on a Mikrotik router for your local network may be slightly different. Here we do not need to set an IP address rule for the internet gateway as the WAN. Instead we use the PPPoE client as a virtual interface for the gateway or WAN. If you want to learn more about PPPoE connections, please read wiki.mikrotik.com.

Well, I think you don't want to waste time, so let's see how to set up a PPPoE connection on Mikrotik. Here I am using Biznet as the example of an ISP that uses a PPPoE connection for its internet service. It is mostly the same as how we usually set up an internet connection on Mikrotik. First, reset your Mikrotik with no default configuration before we start.

1. Set the names of the Ethernet interfaces

We plug the gateway/WAN cable into port 1 and the local network cable into port 2 of the router. So the name of ether1 will be biznet-internet and ether2 will be lan-localnet; the rest of the Ethernet ports we just leave alone. Again, as usual, we only need two rules here.

/interface ethernet
set [ find default-name=ether1 ] name=biznet-internet
set [ find default-name=ether2 ] name=lan-localnet 


2. Set up the IP address for the local network only

This is not like the usual case, where we used an internet connection from an ISP that provides an IP gateway, such as Indosat. We don't need to set up an IP address and network mask for the WAN; instead we will define the route to the internet gateway with the PPPoE client later. In this case we have just 1 local network, so there is just one rule.

/ip address
add address=192.168.1.1/24 interface=lan-localnet network=192.168.1.0


3. Set up the PPPoE client for the ISP connection on the router

This is the core of the PPPoE setup on a Mikrotik router. Here we set MikroTik RouterOS to be a PPPoE client and define the interface name. Obviously we must know the login credentials for the ISP's PPPoE connection.

/interface pppoe-client
add add-default-route=yes disabled=no interface=biznet-internet name=BIZNET password=xxxxxxxx user=yyyyyyyyyy


4. DNS server on RouterOS for the PPPoE connection

Sometimes we don't need to set up a DNS server on RouterOS at all; it is created automatically while we set up the PPPoE client configuration. In other cases we still need to set the DNS server on RouterOS. The only thing we can do is make sure that RouterOS has already received DNS servers from the ISP's PPPoE itself. Optionally we can add static DNS servers manually.

/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 servers=203.142.82.222,203.142.84.222


If we have already inserted the rules for the DNS server, try removing all the static DNS servers until RouterOS has dynamic DNS servers. This can be the reason the PPPoE internet connection setup on the Mikrotik router fails.

5. Masquerade public traffic for the LAN and set up the DHCP server

This configuration rule is like what we usually do, but let me give you a note. The masquerade public traffic NAT rule uses out-interface BIZNET, not biznet-internet. It must take the interface name of the PPPoE client that we have just set up.

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Public Traffic" out-interface=BIZNET src-address=192.168.1.0/24

The rest is creating the DHCP server to provide IP addresses to our local network clients:

/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=lan-localnet name=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1


I think that is enough already. If it is not clear to you, watch the video below!


Related to this Topic

Somebody asked me how to set up CCTV on a Mikrotik that uses a PPPoE network configuration with a fixed public IP.

OK, assuming what we have is

DVR IP : 192.168.1.5 on local network 1 : 192.168.1.0/24
TCP port : 7774
Mobile Port: 8888
Fixed Public IP: 103.12.160.202

The notes I can suggest to avoid problems during the CCTV setup:

1. Make sure there are no firewall filter rules that could block the CCTV connection from the public IP. You must know all the rules you have defined, especially the firewall filter rules.
2. Make sure the local network that the DVR is connected to is already masqueraded on its interface port.
3. Port-forward the DVR ports on our local network with NAT rules:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=103.12.160.202 dst-port=7774 protocol=tcp to-addresses=192.168.1.5 to-ports=7774 comment="CCTV Local Inbound"
add action=dst-nat chain=dstnat dst-address=103.12.160.202 dst-port=8888 protocol=tcp to-addresses=192.168.1.5 to-ports=8888 comment="CCTV Mobile Inbound"

4. Make sure the DVR port is actually open; you can check it with yougetsignal.com from a public IP.

I am happy to have the occasion to share another article, about how to manage internet bandwidth from the ISP to the local network effectively for various internet purposes. I hope it can be a reference for you to manage the internet connection as you intend. Of course you have to understand your own internet network environment so that you can implement my article as you need.

What I explain this time is an effective way of doing bandwidth management on a Mikrotik router with the new rules in ROS version 6.xx using Fasttrack firewall filter rules. This method combines them with Mangle, Queue Tree and PCQ rules, so that we can manage the internet connection to our network ideally and prioritize the connection packets that we want to have priority.

1. Upgrade Mikrotik RouterOS to the latest version


Fasttrack firewall filter is a new feature of RouterOS version 6.xx. At this time I am using ROS version 6.39.2. If you still use version 5.xx, please upgrade your RouterOS to the latest version before we implement these rules! Besides, upgrading RouterOS can fix problems in the router system caused by bugs that need an update to the latest ROS. If you don't know how to upgrade ROS, see this video!

2. Basic configuration of the Mikrotik router

In this implementation I don't want any conflicts between rules whose exact effect we don't understand. So it is better to begin from scratch with the basic router configuration by resetting the previous router configuration. Open Winbox, go to System > Reset Configuration, and don't forget to tick the check box for the default configuration. The router will reboot automatically and reset the configuration. See the picture below!


After this we start from scratch, assuming that you put the gateway/WAN on port 1 and the localnet/LAN on port 2 of your router. It doesn't matter how many localnets you have planned; in this case I just use 1 localnet. So here are the rules you must insert as the basic configuration of your router!

/interface ethernet
set [ find default-name=ether1 ] name=ether1-internet
set [ find default-name=ether2 ] name=ether2-localnet
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
/ip address
add address=192.168.1.2/24 interface=ether1-internet network=192.168.1.0
add address=192.168.88.1/24 interface=ether2-localnet network=192.168.88.0

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=192.168.1.1
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2-localnet name=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-internet src-address=192.168.88.0/24 disabled=no comment="ether2-localnet"
/system ntp client
set enabled=yes primary-ntp=203.89.31.13 secondary-ntp=82.200.209.236

I think this needs no explanation, but just as a reminder: if you have two localnets, just name the interface, add the IP address for the network, add the DHCP server configuration and the masquerade for that network. If the internet connection is still not available, reboot your router and access it again from the localnet gateway IP. Before going further, make sure you can access the internet from the localnet!

3. Fasttrack firewall filter rules for prioritizing typical connection packets

This is a new rule type in the router's firewall filter that you can set up depending on your needs. Fasttracked packets of the typical connections you specify bypass the firewall. OK, I give an example of how these rules look on the router.

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=5060,5061 protocol=udp comment="Bypass Voip UDP SIP"
add action=fasttrack-connection chain=forward connection-state=established,related dst-address=xxx.xxx.xxx.xxx dst-port=10000-20000 protocol=udp comment="Bypass Voip UDP RTP"
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=4569,5036 protocol=udp comment="Bypass Voip UDP IAX"
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=5060,5061 protocol=tcp comment="Bypass Voip TCP SIP"

The above rules are how you fasttrack, or bypass, the VoIP connection packets. The important thing here is that you have to know the port numbers, the protocol type and the IP of the VoIP server that you use. Please contact the VoIP service provider if you don't know them!

For another example, here is how to fasttrack the Lostsaga online game. Whatever tool you use to get the port numbers used by the Lostsaga game server, please cross-check the port numbers that are actually used! I have captured the ports of the Lostsaga connection server.

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=14009,14010,14017,14019,14024,14025,14042,14113,14120 protocol=udp comment="UDP PORT LOSTSAGA I"
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=14245,14263,15494,21530,22317,22561,26019,30146,32629,45693 protocol=udp comment="UDP PORT LOSTSAGA II"
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=9000,14009,14010,61031,61034,61035,61037,61046,61047,61048,61049,61051,61058 protocol=tcp comment="TCP PORT LOSTSAGA"


Still in the firewall filter rules, let's complete our router rules with router protection and client protection to avoid things we don't want! For more explanation please visit wiki.mikrotik.com.

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=!ether1-internet src-address=192.168.88.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=forward comment="allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"

4. Mark connection packets for upload and download based on connection bytes

We are going to mark the connection packets for total upload and download as usual. These rules will not affect the fasttrack connections we have just created above. After that we create packet marks based on the byte size of the connection.

Assume that clients download files of different sizes. We don't want a client who downloads a big file to consume a lot of the spare bandwidth we have. So we plan to lower the priority of such connection packets and reduce their speed. Of course it is not just for downloading files; it applies to all types of connection packets, based on byte size. OK, let's see the rules below!

/ip firewall mangle
add action=mark-connection chain=forward in-interface=ether1-internet new-connection-mark=dconn-isp comment="ISP DOWNSTEAM"
add action=mark-packet chain=forward connection-mark=dconn-isp new-packet-mark=dpkt-isp comment="Packets Total Downsteam"
add action=mark-packet chain=forward connection-bytes=0-1000000 new-packet-mark=dpkt-light-isp packet-mark=dpkt-isp passthrough=no comment="Packets Less Then 1000000"
add action=mark-packet chain=forward connection-bytes=1000001-3000000 new-packet-mark=dpkt-fair-isp packet-mark=dpkt-isp passthrough=no comment="Packets 1000001-3000000"
add action=mark-packet chain=forward connection-bytes=3000001-6000000 new-packet-mark=dpkt-weight-isp packet-mark=dpkt-isp passthrough=no comment="Packets 3000001-6000000"
add action=mark-packet chain=forward connection-bytes=6000001-0 new-packet-mark=dpkt-very-isp packet-mark=dpkt-isp passthrough=no comment="Packets more then 6000000"
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=uconn-isp out-interface=ether1-internet comment="ISP UPSTEAM"
add action=mark-packet chain=forward connection-mark=uconn-isp new-packet-mark=upkt-isp comment="Packets Total Upsteam"

The above mangle rules mean that we separate connection packets into download and upload, then we separate the download packets into less than 1M, 1-3M, 3-6M and more than 6M.

5. Queue tree with PCQ to manage priority and speed limitation

Assuming we have a total bandwidth of 20M, we want to spread the internet connection equally among all clients using PCQ for every separate packet byte-size class that we defined in the mangle rules. In this case I use pcq-download-default and pcq-upload-default. Change the PCQ total limit as you like, or create a new PCQ rule and use it in the queue tree.

/queue tree
add max-limit=20M name=Downsteam-ISP packet-mark=dpkt-isp parent=global queue=pcq-download-default
add limit-at=1M max-limit=20M name=1.light-isp packet-mark=dpkt-light-isp parent=Downsteam-ISP priority=1 queue=pcq-download-default
add limit-at=1M max-limit=10M name=2.fair-isp packet-mark=dpkt-fair-isp parent=Downsteam-ISP priority=2 queue=pcq-download-default
add limit-at=1M max-limit=5M name=3.weight-isp packet-mark=dpkt-weight-isp parent=Downsteam-ISP priority=3 queue=pcq-download-default
add limit-at=1M max-limit=1M name=4.very-isp packet-mark=dpkt-very-isp parent=Downsteam-ISP priority=4 queue=pcq-download-default
add max-limit=20M name=Upsteam-ISP packet-mark=upkt-isp parent=global queue=pcq-upload-default
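As an added check that is not part of the original post, the following Python parses the mangle byte-class rules of step 4 and the queue tree of step 5 (RouterOS `add key=value` syntax, quoted comments included), classifies a connection by its total byte count the way the mangle rules do, verifies that the connection-bytes ranges start at 0 and leave no gap (a gap would leave those connections with only the total dpkt-isp mark), and checks that the children's limit-at values fit inside the parent's max-limit. The sample rules are the ones from this post embedded as strings; the `0` upper bound means open-ended, as in RouterOS, and k/M/G are treated as decimal multipliers.

```python
import re
import shlex

# Byte-class mangle rules from this post (sample input for the checks below).
MANGLE = """
add action=mark-packet chain=forward connection-bytes=0-1000000 new-packet-mark=dpkt-light-isp packet-mark=dpkt-isp passthrough=no comment="Packets Less Then 1000000"
add action=mark-packet chain=forward connection-bytes=1000001-3000000 new-packet-mark=dpkt-fair-isp packet-mark=dpkt-isp passthrough=no comment="Packets 1000001-3000000"
add action=mark-packet chain=forward connection-bytes=3000001-6000000 new-packet-mark=dpkt-weight-isp packet-mark=dpkt-isp passthrough=no comment="Packets 3000001-6000000"
add action=mark-packet chain=forward connection-bytes=6000001-0 new-packet-mark=dpkt-very-isp packet-mark=dpkt-isp passthrough=no comment="Packets more then 6000000"
"""

# Queue tree from this post.
QUEUE_TREE = """
add max-limit=20M name=Downsteam-ISP packet-mark=dpkt-isp parent=global queue=pcq-download-default
add limit-at=1M max-limit=20M name=1.light-isp packet-mark=dpkt-light-isp parent=Downsteam-ISP priority=1 queue=pcq-download-default
add limit-at=1M max-limit=10M name=2.fair-isp packet-mark=dpkt-fair-isp parent=Downsteam-ISP priority=2 queue=pcq-download-default
add limit-at=1M max-limit=5M name=3.weight-isp packet-mark=dpkt-weight-isp parent=Downsteam-ISP priority=3 queue=pcq-download-default
add limit-at=1M max-limit=1M name=4.very-isp packet-mark=dpkt-very-isp parent=Downsteam-ISP priority=4 queue=pcq-download-default
add max-limit=20M name=Upsteam-ISP packet-mark=upkt-isp parent=global queue=pcq-upload-default
"""


def parse_rules(text):
    """Turn RouterOS 'add key=value ...' lines into dicts; quoted values stay whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def byte_classes(rules):
    """(low, high, mark) per connection-bytes rule, sorted; high=None for '0' (unbounded)."""
    classes = []
    for r in rules:
        if "connection-bytes" not in r:
            continue
        lo, hi = (int(v) for v in r["connection-bytes"].split("-"))
        classes.append((lo, None if hi == 0 else hi, r["new-packet-mark"]))
    return sorted(classes, key=lambda c: c[0])


def classify(conn_bytes, classes):
    """Return the mark a connection with `conn_bytes` total bytes gets, or None if none matches."""
    for lo, hi, mark in classes:
        if conn_bytes >= lo and (hi is None or conn_bytes <= hi):
            return mark
    return None


def contiguous(classes):
    """True when the classes start at 0, have no gaps or overlaps, and end open-ended."""
    expected = 0
    for lo, hi, _ in classes:
        if lo != expected:
            return False
        if hi is None:
            return True          # the open-ended class must be the last one
        expected = hi + 1
    return False                 # no open-ended class: very large connections stay unmarked


def to_bps(value):
    """RouterOS rate such as '20M' or '512k' to bits per second (decimal multipliers)."""
    m = re.fullmatch(r"(\d+)([kMG]?)", value)
    return int(m.group(1)) * {"": 1, "k": 10**3, "M": 10**6, "G": 10**9}[m.group(2)]


def queue_tree_check(rules):
    """Per parent queue: the sum of the children's limit-at must not exceed the parent's
    max-limit, and no child's max-limit may exceed it (such a limit is never reachable)."""
    by_name = {r["name"]: r for r in rules}
    problems = []
    for name, parent in by_name.items():
        children = [r for r in rules if r.get("parent") == name]
        if not children:
            continue
        cap = to_bps(parent["max-limit"])
        guaranteed = sum(to_bps(c.get("limit-at", "0")) for c in children)
        if guaranteed > cap:
            problems.append(f"{name}: limit-at sum {guaranteed} exceeds max-limit {cap}")
        for c in children:
            if to_bps(c["max-limit"]) > cap:
                problems.append(f"{c['name']}: max-limit exceeds parent {name}")
    return problems


if __name__ == "__main__":
    classes = byte_classes(parse_rules(MANGLE))
    print(classes, contiguous(classes))
    print(classify(1000000, classes), classify(1000001, classes))   # dpkt-light-isp dpkt-fair-isp
    print(queue_tree_check(parse_rules(QUEUE_TREE)))                # []
```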

So that's all about effective bandwidth management with Fasttrack firewall filter. I hope it can be useful, and for a clearer picture watch the video below! Happy exploring!


Building Squid 3.5.4 Transparent Proxy on Ubuntu Server.

This is a continuation of the previous article, "beginning to install Squid 3.5.4...", about the preparation before installing Squid 3.5.4 on an Ubuntu Server virtual machine using VMware on Windows. This method can be applied to an Ubuntu Server virtual machine or to a real machine. As you may know, on an Ubuntu Server virtual machine in VMware we cannot divide the hard drive into partitions manually; the partitions are created automatically by VMware itself. With these conditions we can start to build Squid 3.5.4 as a transparent proxy on Ubuntu Server.
preparing to install squid 3.5.4 ubuntu server virtual machine.

Increasing internet access speed significantly while saving bandwidth quota is the main goal of the open-source Squid development as a proxy server. So far the Squid developers have made many experiments and improvements to build a proxy server that is more stable with high performance. At the time this article was written, Squid had released version 3.5.4, and Squid 4 was still experimental. Unlike Squid 2.7, Squid 3.5.x needs to be compiled to use this version. This gives more flexibility in the application and development of Squid to build a proxy server.
Building Local Dns Server Using BIND for Windows to the local Network.

A DNS server is a distributed database server that maps hostnames to IP addresses and vice versa. This is a process that must happen whenever we connect to the internet to access any server in the world. So when we use a specific DNS server such as Google DNS, we follow the domain database rules of that server. For example, if Google DNS has blocked a web hosting server, we will not be able to access that web hosting server using this DNS server. I personally prefer to use Google DNS because DNS resolution responds more quickly and widely, but this depends on your purposes.