Graphic Web Design, Computer Network, Balinese Culture


I am happy to have the time on this occasion to share another article, this time about how to manage the internet bandwidth from the ISP to the local network effectively for different kinds of internet use. I hope it can be one of your references for managing the internet connection the way you intend. Of course, you have to understand your own network environment, so that you can implement what this article describes as you need it.

What I explain this time is an effective way of doing bandwidth management on a MikroTik router with the new Fasttrack firewall filter rules in RouterOS (ROS) version 6.xx. This method combines Fasttrack with mangle, queue tree and PCQ rules, so that we can manage the internet connection to our network ideally and give priority to the connection packets we want prioritized.

1. Upgrade Mikrotik Router OS to the Latest Version


Fasttrack Firewall Filter is a new feature of RouterOS version 6.xx. At this time I am using ROS version 6.39.2. If you still use version 5.xx, please upgrade your router OS to the latest version first, before we can implement these rules! Besides that, upgrading the router OS can fix problems in the router system caused by bugs that are only fixed by upgrading or updating to the latest ROS. If you don’t know how to upgrade ROS, see this video!

2. Basic Configuration Of Mikrotik Router

In this implementation, I don’t want any conflict between rules whose effect we don’t exactly understand. So it is better to begin from scratch with the basic router configuration by resetting the previous router configuration. Open Winbox, go to System > Reset Configuration, and don’t forget to put the check mark on default configuration. The router will reboot automatically and reset the configuration; see the picture below!


After this we can start from scratch, assuming that you put the gateway/WAN on port 1 and the localnet/LAN on port 2 of your router. It does not matter how many localnets you have planned; in this case I just use one localnet. So here are the rules that you must enter as the basic configuration of your router!

/interface ethernet
set [ find default-name=ether1 ] name=ether1-internet
set [ find default-name=ether2 ] name=ether2-localnet
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
/ip address
add address=192.168.1.2/24 interface=ether1-internet network=192.168.1.0
add address=192.168.88.1/24 interface=ether2-localnet network=192.168.88.0

/ip dns
# allow-remote-requests=yes makes the router answer DNS queries arriving on any interface; the input-chain rules in step 3 limit this to localnet
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=192.168.1.1
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2-localnet name=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-internet src-address=192.168.88.0/24 disabled=no comment="ether2-localnet"
/system ntp client
set enabled=yes primary-ntp=203.89.31.13 secondary-ntp=82.200.209.236

I think this needs no explanation, but just as a reminder: if you have two localnets, name the second interface, add an IP address for that network, and add a DHCP server configuration and a masquerade rule for that network. If the internet connection is still not available, reboot your router; you can then access the router again from the localnet gateway IP. Before going further, make sure you can access the internet from the localnet!

3. Fasttrack Firewall Filter Rules for Prioritizing Typical Connection Packets

This is the new feature in the router firewall filter that you can set up depending on your needs. Fasttracked packets bypass the firewall for the typical connection packets that you choose. OK, I give an example of how those rules look on the router.

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=5060,5061 protocol=udp comment="Bypass Voip UDP SIP"
add action=fasttrack-connection chain=forward connection-state=established,related dst-address=xxx.xxx.xxx.xxx dst-port=10000-20000 protocol=udp comment="Bypass Voip UDP RTP"
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=4569,5036 protocol=udp comment="Bypass Voip UDP IAX"
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=5060,5061 protocol=tcp comment="Bypass Voip TCP SIP"

The above rules show how you can fasttrack, or bypass, the VoIP connection packets. The important things here are that you have to know the port number, the protocol type and the IP of the VoIP server that you use. Please contact your VoIP service provider if you don’t know them!

As another example, here is how to fasttrack the Lostsaga online game. Whatever tool you use to find the port numbers used by the Lostsaga game server, please cross-check the port numbers that are actually used! I have captured the ports of the Lostsaga connection server below.

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=14009,14010,14017,14019,14024,14025,14042,14113,14120 protocol=udp comment="UDP PORT LOSTSAGA I"
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=14245,14263,15494,21530,22317,22561,26019,30146,32629,45693 protocol=udp comment="UDP PORT LOSTSAGA II"
add action=fasttrack-connection chain=forward connection-state=established,related dst-port=9000,14009,14010,61031,61034,61035,61037,61046,61047,61048,61049,61051,61058 protocol=tcp comment="TCP PORT LOSTSAGA"
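As an added example that is not part of this post (the editor's code, not MikroTik's tooling), here is a small Python audit that parses filter rules in the export form shown above and flags fasttrack rules that do not restrict themselves to established,related (so the first packet of a new connection would be fasttracked before the later protection rules see it), rules still carrying the xxx.xxx.xxx.xxx placeholder, and rules that are disabled. The sample rules are constructed from this section plus one deliberately incomplete rule.

```python
import shlex

# Constructed sample: two VoIP rules from this post (placeholder address kept as
# written), one constructed rule with no connection-state match, and one non-fasttrack rule.
RULES = """
add action=fasttrack-connection chain=forward connection-state=established,related dst-address=xxx.xxx.xxx.xxx dst-port=10000-20000 protocol=udp comment="Bypass Voip UDP RTP"
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes dst-address=xxx.xxx.xxx.xxx dst-port=5060,5061 protocol=tcp comment="Bypass Voip TCP SIP"
add action=fasttrack-connection chain=forward dst-port=14009,14010 protocol=udp comment="constructed: no connection-state"
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
"""

def parse_rule(line):
    """Turn one 'add key=value ...' line into a dict; shlex keeps quoted comments intact."""
    fields = {}
    for tok in shlex.split(line)[1:]:          # skip the leading 'add'
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields

def audit_fasttrack(text):
    """Return (rule comment, finding) pairs for fasttrack rules that need attention."""
    findings = []
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        if rule.get("action") != "fasttrack-connection":
            continue
        name = rule.get("comment", line[:40])
        states = set(filter(None, rule.get("connection-state", "").split(",")))
        # No connection-state (or one that includes 'new') means the first packet of a
        # connection is fasttracked, so the tcp/udp/icmp protection chains never filter it.
        if not states or "new" in states:
            findings.append((name, "missing connection-state=established,related"))
        if "xxx" in rule.get("dst-address", "") + rule.get("src-address", ""):
            findings.append((name, "placeholder address still present"))
        if rule.get("disabled") == "yes":
            findings.append((name, "rule is disabled; connection will not be fasttracked"))
    return findings
```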


Still in the firewall filter rules, let’s complete our router rules with router protection and client protection to avoid things we don’t want! For more explanation please visit wiki.mikrotik.com.

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=!ether1-internet src-address=192.168.88.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=forward comment="allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOrifice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOrifice" dst-port=3133 protocol=udp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"

4. Mark Upload and Download Connection Packets Based on Connection Bytes

We are going to mark the connection packets for total upload and download as usual. These rules will not affect the fasttrack connections we have just created above. After that we create packet marks based on the number of bytes the connection has transferred.

Assume that clients download files of different sizes. We don’t want a client who downloads a big file to use up most of the spare bandwidth we have. So the plan is that the priority of such connection packets goes down and their speed is lowered. Of course it is not just for file downloads; it applies to all connection packet types, based on the byte size. OK, let’s see the rules below!

/ip firewall mangle
# downstream: mark the connection on the way in from the ISP, then mark every packet of it
add action=mark-connection chain=forward in-interface=ether1-internet new-connection-mark=dconn-isp comment="ISP DOWNSTEAM"
add action=mark-packet chain=forward connection-mark=dconn-isp new-packet-mark=dpkt-isp comment="Packets Total Downsteam"
# re-mark by bytes transferred so far; passthrough=no so the first matching tier wins
add action=mark-packet chain=forward connection-bytes=0-1000000 new-packet-mark=dpkt-light-isp packet-mark=dpkt-isp passthrough=no comment="Packets Less Than 1000000"
add action=mark-packet chain=forward connection-bytes=1000001-3000000 new-packet-mark=dpkt-fair-isp packet-mark=dpkt-isp passthrough=no comment="Packets 1000001-3000000"
add action=mark-packet chain=forward connection-bytes=3000001-6000000 new-packet-mark=dpkt-weight-isp packet-mark=dpkt-isp passthrough=no comment="Packets 3000001-6000000"
add action=mark-packet chain=forward connection-bytes=6000001-0 new-packet-mark=dpkt-very-isp packet-mark=dpkt-isp passthrough=no comment="Packets More Than 6000000"
# upstream: mark the connection on the way out to the ISP
add action=mark-connection chain=forward new-connection-mark=uconn-isp out-interface=ether1-internet comment="ISP UPSTEAM"
add action=mark-packet chain=forward connection-mark=uconn-isp new-packet-mark=upkt-isp comment="Packets Total Upsteam"

The above mangle rules separate connection packets into download and upload, then separate the download packets into connections that have transferred less than 1M, 1-3M, 3-6M and more than 6M (connection-bytes counts bytes transferred by the connection).

5. Queue tree with PCQ to manage the priority and speed limitation

Assume we have a total bandwidth of 20M; we want to spread the internet connection equally among all clients using PCQ for each of the separate byte-size classes we defined in the mangle rules. In this case I use pcq-download-default and pcq-upload-default. Change the PCQ total limit as you like, or create a new PCQ queue type and use it in the queue tree.

/queue tree
add max-limit=20M name=Downsteam-ISP packet-mark=dpkt-isp parent=global queue=pcq-download-default
add limit-at=1M max-limit=20M name=1.light-isp packet-mark=dpkt-light-isp parent=Downsteam-ISP priority=1 queue=pcq-download-default
add limit-at=1M max-limit=10M name=2.fair-isp packet-mark=dpkt-fair-isp parent=Downsteam-ISP priority=2 queue=pcq-download-default
add limit-at=1M max-limit=5M name=3.weight-isp packet-mark=dpkt-weight-isp parent=Downsteam-ISP priority=3 queue=pcq-download-default
add limit-at=1M max-limit=1M name=4.very-isp packet-mark=dpkt-very-isp parent=Downsteam-ISP priority=4 queue=pcq-download-default
add max-limit=20M name=Upsteam-ISP packet-mark=upkt-isp parent=global queue=pcq-upload-default
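To check the mangle byte tiers and queue-tree limits above as one unit, here is an added Python example (the editor's, not from this post or from MikroTik). The tier table is constructed from the rules in steps 4 and 5; classify() returns the packet mark a download connection ends up with, and check_tiers() reports a gap or overlap between tiers (which would leave packets carrying only dpkt-isp, with no child queue) and limit-at values that over-commit the parent max-limit.

```python
# Constructed from the mangle and queue-tree rules in this post:
# (packet mark, connection-bytes low, high or None for open-ended, limit-at, max-limit, priority)
TIERS = [
    ("dpkt-light-isp",  0,         1_000_000, "1M", "20M", 1),
    ("dpkt-fair-isp",   1_000_001, 3_000_000, "1M", "10M", 2),
    ("dpkt-weight-isp", 3_000_001, 6_000_000, "1M", "5M",  3),
    ("dpkt-very-isp",   6_000_001, None,      "1M", "1M",  4),
]
PARENT_MAX = "20M"   # max-limit of Downsteam-ISP

def to_bps(rate):
    """'20M' -> 20_000_000, '512k' -> 512_000 (RouterOS rate suffixes are decimal)."""
    units = {"k": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if rate[-1] in units:
        return int(rate[:-1]) * units[rate[-1]]
    return int(rate)

def classify(conn_bytes):
    """Mark a download connection carries once it has transferred conn_bytes.
    Mirrors the mangle rules: first matching tier wins because passthrough=no."""
    for mark, low, high, *_ in TIERS:
        if conn_bytes >= low and (high is None or conn_bytes <= high):
            return mark
    return "dpkt-isp"   # only the total-downstream mark; no child queue would match

def check_tiers(tiers=TIERS, parent_max=PARENT_MAX):
    """Return a list of problems: tier gaps/overlaps and limit over-commitment."""
    problems = []
    for (m1, _, high, *_), (m2, low, *_) in zip(tiers, tiers[1:]):
        if high is None:
            problems.append(f"{m1} is open-ended but {m2} follows it")
        elif low != high + 1:
            problems.append(f"gap/overlap between {m1} (ends {high}) and {m2} (starts {low})")
    guaranteed = sum(to_bps(t[3]) for t in tiers)
    if guaranteed > to_bps(parent_max):
        problems.append(f"limit-at total {guaranteed} exceeds parent max-limit {parent_max}")
    for mark, _, _, limit_at, max_limit, _ in tiers:
        if to_bps(limit_at) > to_bps(max_limit):
            problems.append(f"{mark}: limit-at {limit_at} is above max-limit {max_limit}")
    return problems
```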

So that’s all about the effective way of bandwidth management with the Fasttrack firewall filter. I hope it can be useful; for more clarity, see the video below! Happy exploring!



1 comment:

  1. Thank you, your blog helps a lot bro, it's hard to find ROS v6 tutorials. Looking forward to the load balancing tutorial bro, thanks and keep up the success