133581396 traffic control training course
TRANSCRIPT
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 1/142
© MikroTik 2009
M ik r o T i k R o u t e r OS Tr a i n i n g
Tr a f f i c Co n t r o l
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 2/142
© MikroTik 2009 2
Schedule
09:00 – 10:30 Morning Session I10:30 – 11:00 Morning Break
11:00 – 12:30 Morning Session II
12:30 – 13:30 Lunch Break13:30 – 15:00 Afternoon Session I
15:00 – 15:30 Afternoon Break
15:30 – 17:00 (18.00) Afternoon Session II
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 3/142
© MikroTik 2009 3
Instructors
Sergejs Boginskis, MikroTik
Support Engineer for 3 years
Specialization: Hotspot, IPSec, Routing, Wireless,
User Manager, Firewall
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 4/142
© MikroTik 2009 4
Housekeeping
Course materialsRouters, cables
Break times and lunch
Restrooms and smoking area locations
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 5/142
© MikroTik 2009 5
Course Objective
Provide knowledge and hands-on training for MikroTik RouterOS basic and advanced trafficcontrol capabilities for any size networks
Upon completion of the course you will be ableto plan, implement, adjust and debug trafficcontrol configurations implemented by MikroTikRouterOS.
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 6/142
© MikroTik 2009 6
Introduce Yourself
Please, introduce yourself to the classYour name
Your Company
Your previous knowledge about RouterOSYour previous knowledge about networking
What do you expect from this course?
Please, remember your class XY number.(X is number of the row, Y is your seat number in the row)
My number is:_________
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 7/142
© MikroTik 2009 7
Class Setup Lab
Create an 192.168.XY.0/24 Ethernet networkbetween the laptop (.1) and the router (.254)
Connect routers to the AP SSID “ap_RB_adv”
Assign IP address 10.1.1.XY/24 to the wlan1Main GW and DNS address is 10.1.1.254
Gain access to the internet from your laptops
via local router Create new user for your router and change“admin” access rights to “read”
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 8/142
© MikroTik 2009 8
Class Setup
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 9/142
© MikroTik 2009 9
Class setup Lab (cont.)
Set system identity of the board and wirelessradio name to “XY_<your_name>”. Example:“00_Janis”
Upgrade your router to the latest MikrotikRouterOS version 3.x
Upgrade your Winbox loader version
Set up NTP client – use 10.1.1.254 as server
Create a configuration backup and copy it tothe laptop (it will be default configuration)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 10/142
© MikroTik 2009 10
Small ISP
First Clients:“Just connect us to the Internet”Situation:Only one public IP address,
ISP don't have DNS server
and have periodical virus
problems in the network
Requirements:● Masquerade● Basic IP filter
Requirements:● DHCP server● DNS cache● Port forwarding● uPnP
Web-server
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 11/142
© MikroTik 2009 11
DNS Client and Cache
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 12/142
© MikroTik 2009 12
DNS Client and Cache
DNS client is used only by router in case of web-proxy or hotspot configuration
Enable “Allow Remote Requests” option totransform DNS client into DNS cache
DNS cache allows to use your router instead of remote DNS server, as all caches - it minimizesresolution time
DNS cache also can act as DNS server for localarea network address resolution
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 13/142
© MikroTik 2009 13
Static DNS Entry
Each Static DNS entry will add or override(replace existing) entry in the DNS cache
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 14/142
© MikroTik 2009 14
DNS Cache Lab
Configure your router as DNS cache. Use10.1.1.254 as primary server
Add static DNS entry “www.XY.com” to your router's Local IP address (XY – your number)
Add static DNS entry “www.XY.com” toneighbour router's Public IP address (XY –your neighbours number)
Change your laptops DNS server address toyour routers address
Try the configuration and monitor cache list
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 15/142
© MikroTik 2009 15
DHCP
The Dynamic Host Configuration Protocol isused for dynamic distribution of network settingsuch as:
IP address and netmask
Default gateway address
DNS and NTP server addresses
More than 100 other custom option (supported only
by specific DHCP clients)DHCP is basically insecure and should only beused in trusted networks
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 16/142
© MikroTik 2009 16
DHCP Communication scenario
DHCP Discoverysrc-mac=<client>, dst-mac=<broadcast>, protocol=udp,src-ip=0.0.0.0:68, dst-ip=255.255.255.255:67
DHCP Offer
src-mac=<DHCP-server>, dst-mac=<broadcast>, protocol=udp,src-ip=<DHCP-server>:67, dst-ip=255.255.255.255:67
DHCP Request
src-mac=<client>, dst-mac=<broadcast>, protocol=udp,
src-ip=0.0.0.0:68, dst-ip=255.255.255.255:67
DHCP Acknowledgement
src-mac=<DHCP-server>, dst-mac=<broadcast>, protocol=udp,src-ip=<DHCP-server>:67, dst-ip=255.255.255.255:67
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 17/142
© MikroTik 2009 17
DHCP Client Identification
DHCP server are able to track lease associationwith particular client based on identification
The identification can be achieved in 2 ways
Based on “caller-id” option (dhcp-client-identifiefrom RFC2132)
Based on MAC address, if “caller-id” option is notspecified
“hostname” option allow RouterOS clients tosend additional identification to the server, bydefault it is “system identity” of the router
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 18/142
© MikroTik 2009 18
DHCP Client
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 19/142
© MikroTik 2009 19
DHCP Server
There can be only one DHCP server per interface/relay combination on the router
To create DHCP server you must have
IP address on desired DHCP server interface Address pool for clients
Information about planned DHCP network
All 3 options must correspond
“Lease on Disk” should be used to reducenumber of writes to the drive (useful with flashdrives)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 20/142
© MikroTik 2009 20
DHCP Networks
In DHCP Networks menu you can configurespecific DHCP options for particular network.
Same of the options are integrated intoRouterOS, others can be assigned in raw form(specified in RFCs)
Additional information at:http://www.iana.org/assignments/bootp-dhcp-parameters
DHCP server is able to send out any optionDHCP client can receive only implementedoptions
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 21/142
© MikroTik 2009 21
DHCP Options
Implemented DHCP optionsSubnet-Mask (option 1) - netmask
Router (option 3) - gateway
Domain-Server (option 6) - dns-server
Domain-Name (option 15) - domainNTP-Servers (option 42) - ntp-server
NETBIOS-Name-Server (option 44) - wins-server
Custom DHCP options (Example:)
Classless Static Route (option 121) -“0x100A270A260101” = “network=10.39.0.0/16gateway=10.38.1.1”
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 22/142
© MikroTik 2009 22
Custom DHCP Option
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 23/142
© MikroTik 2009 23
IP Address Pool
IP address pools are used to define range of IPaddresses for dynamic distribution (DHCP,PPP, Hotspot)
Address pool must exclude already occupied
addresses (such as server or static addresses)
It is possible to assign more that one range tothe pool
It is possible to chain several pools together byusing “Next Pool” option
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 24/142
© MikroTik 2009 24
IP Address Pools
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 25/142
© MikroTik 2009 25
Address Pool in Action
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 26/142
© MikroTik 2009 26
Other DHCP Server Settings
Src.address – specifies DHCP servers addressif more than one IP on DHCP server's interface
Delay Threshold – prioritize one DHCP server over another (bigger delay less priority)
Add ARP For Leases – allow to add ARPentries for leases if interface ARP=reply-only
Always Broadcast – allow communication with
non-standard clients like pseudo-bridges
Bootp Support, Use RADIUS – (obvious)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 27/142
© MikroTik 2009 27
Authoritative DHCP Server
Authoritative – allow DHCP server to reply onunknown client's broadcast and ask client torestart the lease(client send broadcasts only if unicast to the
server fails when renewing the lease) Authoritative allow to:
Prevent rouge DHCP server operations
Faster network adaptation to DHCP configurationchanges
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 28/142
© MikroTik 2009 28
DHCP Server
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 29/142
© MikroTik 2009 29
DHCP Relay
DHCP Relay is just a proxy that is able toreceive a DHCP discovery and request andresend them to the DHCP server
There can be only one DHCP relay between
DHCP server and DHCP client
DHCP communication with relay does notrequire IP address on the relay, but relay's
“local address” option must be the same withserver's “relay address” option
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 30/142
© MikroTik 2009 30
DHCP Relay
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 31/142
© MikroTik 2009 31
DHCP Lab
Interconnect with your neighbour using Ethernetcable
Create 3 independent setups:
Create DHCP server for your laptop
Create DHCP server and relay for your neighbour laptop (use relay option)
Create a bridged network with 2 DHCP servers and
2 DHCP clients (laptops) and try out “authoritative”and “delay threshold” options
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 32/142
© MikroTik 2009 32
Firewall Filters Structure
Firewall filter rules are organized in chainsThere are default and user-defined chains
There are three default chains
input – processes packets sent to the router output – processes packets sent by the router
forward – processes packets sent through therouter
Every user-defined chain should subordinate toat least one of the default chains
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 33/142
© MikroTik 2009 33
Firewall Filter Structure Diagram
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 34/142
© MikroTik 2009 34
Connection Tracking
Connection Tracking (or Conntrack) system isthe heart of firewall, it gathers and managesinformation about all active connections.
By disabling the conntrack system you will lose
functionality of the NAT and most of the filter and mangle conditions.
Each conntrack table entry represents
bidirectional data exchangeConntrack takes a lot of CPU resources (disableit, if you don't use firewall)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 35/142
© MikroTik 2009 35
Conntrack Placement
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 36/142
© MikroTik 2009 36
Conntrack – Winbox View
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 37/142
© MikroTik 2009 37
Condition: Connection State
Connection state is a status assigned to eachpacket by conntrack system:
New – packet is opening a new connection
Established – packet belongs to already known
connectionInvalid – packet does not belong to any of theknown connections
Related – packet is also opening a new connection,
but it is in some kind relation to already knownconnection
Connection state ≠ TCP state
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 38/142
© MikroTik 2009 38
First Rule Example
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 39/142
© MikroTik 2009
Ch a in In p u t
Protection of the router – allowing only necessaryservices from reliable source with agreeable load.
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 40/142
© MikroTik 2009 40
Connection State Lab
Create 3 rules to ensure that only connection-state new packets will proceed through theinput filter
Drop all connection-state invalid packets
Accept all connection-state related packets
Accept all connection-state established packets
Create 2 rules to ensure that only you will be
able to connect to the router Accept all packets from your local network
Drop everything else
R t OS 3 S i
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 41/142
© MikroTik 200941
RouterOS v3 Services
R t OS S i L b
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 42/142
© MikroTik 2009 42
RouterOS Service Lab
Create a chain “services”Create rules to allow necessary RouterOSservices to be accessed from the public network
Create a “jump” rule from the chain “input” to thechain “services”
Place a “jump” rule accordingly
Write comment for each firewall rule
Ask your neighbour to check the setup
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 43/142
© MikroTik 2009
Ch a in F o r w a r d
Protection of the customers from the viruses andprotection of the Internet from the customers
Vi P t Filt
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 44/142
© MikroTik 2009 44
Virus Port Filter
At the moment the are few hundreds activetrojans and less than 50 active worms
You can download the complete “virus portblocker” chain (~330 drop rules with ~500
blocked virus ports) fromftp://[email protected]
Some viruses and trojans use standard services
ports and can not be blocked.
Ch i F d L b
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 45/142
© MikroTik 2009 45
Chain Forward Lab
Create 3 rules to ensure that only connection-state new packets will proceed through theinput filter
Drop all connection-state invalid packets
Accept all connection-state related packets
Accept all connection-state established packets
Import the viruses.rsc file into the router
Create a jump rule to the chain “viruses”
Bogon IPs
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 46/142
© MikroTik 2009 46
Bogon IPs
There are ~4,3 billion IPv4 addressesThere are several IP ranges restricted in publicnetwork
There are several of IP ranges reserved (notused at the moment) for specific purposes
There are lots of unused IP ranges!!!
You can find information about all unused IPranges at:http://www.completewhois.com/bogons/
Address List Options
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 47/142
© MikroTik 2009 47
Address List Options
Instead of creatingone filter rule for eachIP network address,you can create only
one rule for IPaddress list.
Use “Src./Dst. Address List” options
Create an addresslist in “/ip firewalladdress-list” menu
Address List Lab
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 48/142
© MikroTik 2009 48
Address List Lab
Make an address list of most common bogonIPs
Adv Address Filtering Lab
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 49/142
© MikroTik 2009 49
Adv. Address Filtering Lab
Allow packets to enter your network only fromthe valid Internet addresses
Allow packets to enter your network only to thevalid customer addresses
Allow packets to leave your network only fromthe valid customers addresses
Allow packets to leave your network only to the
valid Internet addressesPlace the rules accordingly
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 50/142
© MikroTik 2009
N e t w o r k A d d r e s s Tr a n s la t i o n
(N A T)
Destination NAT, Source NAT, NAT traversal
NAT Types
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 51/142
© MikroTik 2009 51
NAT Types
As there are two IP addresses and ports in anIP packet header, there are two types of NAT
The one, which rewrites source IP address and/or port is called source NAT (src-nat)
The other, which rewrites destination IP addressand/or port is called destination NAT (dst-nat)
Firewall NAT rules process only the first packetof each connection (connection state “new”
packets)
Firewall NAT Structure
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 52/142
© MikroTik 2009 52
Firewall NAT Structure
Firewall NAT rules are organized in chains
There are two default chains
dstnat – processes traffic sent to and through therouter, before it divides in to “input” and “forward”
chain of firewall filter.srcnat – processes traffic sent from and through therouter, after it merges from “output” and “forward”chain of firewall filter.
There are also user-defined chains
IP Firewall Diagram
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 53/142
© MikroTik 2009 53
IP Firewall Diagram
Dst-nat
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 54/142
© MikroTik 2009 54
Dst-nat
Action “dst-nat” changes packet's destinationaddress and port to specified address and port
This action can take place only in chain dstnat
Typical application: ensure access to localnetwork services from public network
Dst-nat Rule Example
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 55/142
© MikroTik 2009 55
Dst-nat Rule Example
Redirect
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 56/142
© MikroTik 2009 56
Redirect
Action “redirect” changes packet's destinationaddress to router's address and specified port
This action can take place only in chain dstnat
Typical application: transparent proxying of network services (DNS,HTTP)
Redirect Rule Example
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 57/142
© MikroTik 2009 57
Redirect Rule Example
Redirect Lab
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 58/142
© MikroTik 2009 58
Redirect Lab
Capture all TCP and UDP port 53 packetsoriginated from your private network192.168.XY.0/24 and redirect them to the router itself.
Set your laptops DNS server to the random IPaddress
Clear your router's and your browser's DNScache
Try browsing the Internet
Take a look at DNS cache of the router
Dst-nat Lab
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 59/142
© MikroTik 2009 59
Dst nat Lab
Capture all TCP port 80 (HTTP) packetsoriginated from your private network192.168.XY.0/24 and change destinationaddress to 10.1.2.1 using dst-nat rule
Clear your browser's cache on the laptopTry browsing the Internet
Universal Plug-and-Play
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 60/142
© MikroTik 2009 60
Universal Plug and Play
RouterOS allow to enable uPnP support for therouter.
UPnP allow to establish both-directionalconnectivity even if client is behind the NAT,
client must have uPnP supportThere are two interface types for UPnP-enabledrouter: internal (the one local clients areconnected to) and external (the one the Internetis connected to)
UPnP
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 61/142
© MikroTik 2009 61
UPnP
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 62/142
Source NAT Drawbacks
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 63/142
© MikroTik 2009 63
Hosts behind a NAT-enabled router do not havetrue end-to-end connectivity:
connection initiation from outside is not possible
some TCP services will work in “passive” mode
src-nat behind several IP addresses isunpredictable
same protocols will require so-called NAT helpers toto work correctly (NAT traversal)
NAT Helpers
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 64/142
© MikroTik 2009 64
p
You can specify ports for existing NAT helpers,but you can not add new helpers
Src-nat Lab
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 65/142
© MikroTik 2009 65
You have been assigned one “public” IPaddress 172.16.0.XY/32
Assign it to the wireless interface
Add src-nat rule to “hide” your private network
192.168.XY.0/24 behind the “public” address
Connect from your laptop using winbox, ssh, or telnet via your router to the main gateway
10.1.1.254Check the IP address you are connecting from(use “/user active print” on the main gateway)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 66/142
© MikroTik 2009
F i r e w a l l M a n g l e
IP packet marking and IP header fields adjustment
What is Mangle?
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 67/142
© MikroTik 2009 67
g
The mangle facility allows to mark IP packetswith special marks.
These marks are used by other router facilitieslike routing and bandwidth management to
identify the packets. Additionally, the mangle facility is used tomodify some fields in the IP header, like TOS(DSCP) and TTL fields.
Mangle Structure
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 68/142
© MikroTik 2009 68
Mangle rules are organized in chains
There are five built-in chains:
Prerouting- making a mark before Global-In queue
Postrouting - making a mark before Global-Out
queue
Input - making a mark before Input filter
Output - making a mark before Output filter
Forward - making a mark before Forward filter New user-defined chains can be added, asnecessary
Mangle and Queue Diagram(simple)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 69/142
© MikroTik 2009 69
(simple)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 70/142
Marking Connections
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 71/142
© MikroTik 2009 71
Use mark connection to identify one or group of connections with the specific connection mark
Connection marks are stored in the connectiontracking table
There can be only one connection mark for oneconnection.
Connection tracking helps to associate each
packet to a specific connection (connectionmark)
Mark Connection Rule
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 72/142
© MikroTik 2009 72
Marking Packets
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 73/142
© MikroTik 2009 73
Packets can be marked
Indirectly. Using the connection tracking facility, based on previously createdconnection marks (faster)
Directly. Without the connection tracking - noconnection marks necessary, router willcompare each packet to a given conditions (thisprocess imitates some of the connectiontracking features)
Mark Packet Rule
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 74/142
© MikroTik 2009 74
Mangle Packet Mark Lab
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 75/142
© MikroTik 2009 75
Mark all connections from 192.168.XY.100
address (imaginary VIP 1)
Mark all packets from VIP 1 connections
Mark all connections from 192.168.XY.200
address (imaginary VIP 2)
Mark all packets from VIP 2 connections
Mark all other connections
Mark packets from all other connections
Mangle View
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 76/142
© MikroTik 2009 76
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 77/142
HTB
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 78/142
© MikroTik 2009 78
All Quality of Service implementation in
RouterOS is based on Hierarchical TokenBucket
HTB allows to create hierarchical queue
structure and determine relations betweenparent and child queues and relation betweenchild queues
RouterOS support 3 virtual HTBs (global-in,
global-total, global-out) and one more justbefore every interface
Mangle and HTBs
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 79/142
© MikroTik 2009 79
HTB (cont.)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 80/142
© MikroTik 2009 80
When packet travels through the router, it
passes all 4 HTB trees
When packet travels to the router, it passesonly global-in and global-total HTB.
When packet travels from the router, it passesglobal-out, global-total and interface HTB.
HTB Features - Structure
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 81/142
© MikroTik 2009 81
As soon as queue have at least one child it
become parent queue
All child queues (don't matter how many levelsof parents they have) are on the same bottom
level of HTBChild queues make actual traffic consumption,parent queues are responsible only for trafficdistribution
Child queues are not able to get more trafficthan parent has
HTB Features - Structure
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 82/142
© MikroTik 2009 82
HTB Features – Dual Limitation
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 83/142
© MikroTik 2009 83
HTB has two rate limits:
CIR (Committed Information Rate) – in worst casescenario flow will get its limit-at no matter what(assuming we can actually send so much data)
MIR (Maximal Information Rate) – in best casescenario a flow can get up to max-limit if there isspare bandwidth
At first HTB will try to satisfy every child queue's
CIR (limit-at) – only then it will try to reach MIR(max-limit)
Dual Limitation
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 84/142
© MikroTik 2009 84
Maximal rate of the parent must be equal or
bigger than sum of committed rates of thechildren
MIR (parent) ≥ CIR(child1) +...+ CIR(childN)
Maximal rate of any child must be less or equalto maximal rate of the parent
MIR (parent) ≥ MIR(child1)
MIR (parent) ≥ MIR(child2)
MIR (parent) ≥ MIR(childN)
HTB Distribution
(limit-at)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 85/142
© MikroTik 2009 85
HTB Distribution (max-limit)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 86/142
© MikroTik 2009 86
HTB Distribution
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 87/142
© MikroTik 2009 87
HTB Features - Priority
W k l f hild t th
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 88/142
© MikroTik 2009 88
Work only for child queues to arrange them
8 is the lowest priority, 1 is the highest
Queue with higher priority will reach its CIRbefore the queue with lower priority
Queue with higher priority will reach its MIRbefore the queue with lower priority
Actual traffic prioritization will work only if limit-
at and max-limit is specified (not 0)
HTB Distribution (priority)
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 89/142
© MikroTik 2009 89
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 90/142
© MikroTik 2009
Q u e u e Tr e e
Advanced queue structures
Queue Tree
Queue tree is direct implementation of HTB
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 91/142
© MikroTik 2009 91
Queue tree is direct implementation of HTB
Each queue in queue tree can be assigned onlyin one HTB
Each child queue must have packet mark
assigned to it
Queue Tree and Simple Queues
Tree queue can be placed in 4 different places:
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 92/142
© MikroTik 2009 92
Tree queue can be placed in 4 different places:
Global-in (“direct” part of simple queues are placedhere automatically)
Global-out (“reverse” part of simple queues areplaced here automatically)
Global-total (“total” part simple queues are placedhere automatically)
Interface queue
If placed in same place Simple queue will taketraffic before Queue Tree
HTB Lab
Create Queue tree from the example
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 93/142
© MikroTik 2009 93
Create Queue tree from the example
Extend mangle and queue tree configuration toprioritize ICMP and HTTP traffic over all other traffic only for regular clients
Replace regular client packet mark with 3 traffictype specific marks
Create 3 child queues for regular client queue inqueue tree
Assign packet marks to queues(optional) Create the same queue tree for clientupload
HTB Lab (cont.)
Consume all the available traffic using
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 94/142
© MikroTik 2009 94
Consume all the available traffic using
bandwidth-test (through the router) and checkthe ping response times
Set highest priority to ICMP
Check the ping response times
Medium Size ISP
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 95/142
© MikroTik 2009 95
Situation:Your network is growing rapidly
and now offer public IPs to the
customers
Requirements:●Transfer all old clients from
local address to public● Increase HTTP browsing
performance
NAT Action “Netmap”
Can be used in both (srcnat and dstnat) chains
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 96/142
© MikroTik 2009 96
Can be used in both (srcnat and dstnat) chains
Allows to create address range to addressrange NATing only with one rule
It is possible to masquerade 192.168.0.3-
192.168.0.103 (100 addresses) to 88.188.32.3-88.188.32.103 only with one rule
It is possible to redirect 88.188.32.3-88.188.32.103 (100 addresses) to 192.168.0.3-192.168.0.103 with the second rule
NAT Action “same”
Can be used in both (srcnat and dstnat) chains
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 97/142
© MikroTik 2009 97
Can be used in both (srcnat and dstnat) chains
Ensures that client will be NAT'ed to the sameaddress from the specified range every time ittries to communicate with destination that was
used beforeIf client got 88.188.32.104 from the range whenit communicated to the particular server – everynext time communicating with this server it will
use the same address
QoS Feature “Burst”
Burst is one of the best ways to increase HTTP
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 98/142
© MikroTik 2009 98
Burst is one of the best ways to increase HTTP
performanceBursts are used to allow higher data rates for ashort period of time
If an average data rate is less than burst-threshold, burst could be used( actual data rate can reach burst-limit)
Average data rate is calculated from the lastburst-time seconds
Burst - Average Data Rate
Average data rate is calculated as follows:
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 99/142
© MikroTik 2009 99
Average data rate is calculated as follows:
burst-time is being divided into 16 periods
router calculates the average data rate of eachclass over these small periods
Note, that the actual burst period is not equalto the burst-time. It can be several times shorter than the burst-time depending on the max-limit,burst-limit, burst-threshold, and actual data rate
history (see the graph example on the nextslide)
Limitation with Burst
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 100/142
© MikroTik 2009 100
Web-Proxy
Web-proxy have 3 mayor features
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 101/142
© MikroTik 2009 101
p y y
HTTP and FTP traffic caching
DNS name filtering
DNS redirection
Web-proxy have two operation modesRegular – browser must be configured to use thisproxy
Transparent – this proxy is not visible for customersNAT rules must be applied
Web-Proxy Caching
No caching
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 102/142
© MikroTik 2009 102
g
Max-cache-size = none
Cache to RAM
Max-cache-size ≠ none
Cache-on-disk = no
Cache to HDD
Max-cache-size ≠ none
Cache-on-disk = yes
Cache drive
Web-Proxy OptionsMaximal-client-
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 103/142
© MikroTik 2009 103
connections -number of connections acceptedfrom clients
Maximal-server-connections -number of connections made byserver
Web-Proxy Options
Serialize-connections – use only one
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 104/142
© MikroTik 2009 104
y
connection for proxy and server communication(if server supports persistent HTTP connection)
Always-from-cache - ignore client refreshrequests if the cache content is consideredfresh
Max-fresh-time - specifies how long objects withoutan explicit expiry time will be considered fresh
Cache-hit-DSCP – specify DSCP value for allpackets generated from the web-proxy cache
Web-Proxy Statistics
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 105/142
© MikroTik 2009 105
Proxy Rule Lists
Web-proxy supports 3 sets of rules for HTTP
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 106/142
© MikroTik 2009 106
request filtering Access List – dictates policy whether to allowspecific HTTP request or not
Direct Access List – list works only if parent-proxy isspecified – dictates policy whether to bypass parentproxy for specific HTTP request or not.
Cache List – dictates policy whether to allowspecific HTTP request be cached or not
Proxy Rules
It is possible to
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 107/142
© MikroTik 2009 107
intercept HTTPrequest based on:
TCP/IP information
URL
HTTP method
Access list also allowyou to redirect denied
request to specificpage
URL Filtering
http://www.mikrotik.com /docs/ros/2.9/graphics:packet_flow31.jpg
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 108/142
© MikroTik 2009 108
Special characters
“*” - any number of any characters
“?” - any character
www.mi?roti?.com
www.mikrotik*
* mikrotik*
p g p p _ jpg
Destination host Destination path
Regular Expressions
Place “:” at the beginning to enable regular
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 109/142
© MikroTik 2009 109
expression mode”^“ - show that no symbols are allowed before thegiven pattern
“$“ - show that no symbols are allowed after the
given pattern
“[....]” - A character class matches a singlecharacter out of all the possibilities offered by thecharacter class
\ (backslash) followed by any of [\^$.|?*+() suppresstheir special meaning.
Web-Proxy Lab
Teacher will have proxy, that redirects all
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 110/142
© MikroTik 2009 110
requests to separate web-page on 10.1.1.254Enable transparent web-proxy on your router with caching to the memory
Create rules in access list to check itsfunctionality
Create rules in direct access list to check itsfunctionality
Create rules in Cache list to check itsfunctionality
Next problems
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 111/142
© MikroTik 2009 111
Problems:●
Sometimes you get unusually bigtraffic and packet counts going
trough or to your router● Some of regular clients use
routers to share connection with
neighbours● Some of regular clients use HTTP
port 80 for encrypted p2p traffic
Network Intrusion Types
Network intrusion is a serious security risk that
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 112/142
© MikroTik 2009 112
could result in not only the temporal denial, butalso in total refusal of network service
We can point out 4 major network intrusiontypes:
Ping flood
Port scan
DoS attack
DDoS attack
Ping Flood
Ping flood usually
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 113/142
© MikroTik 2009 113
consist from volumesof random ICMPmessages
With “limit” condition itis possible to boundthe rule match rate toa given limit
This condition is oftenused with action “log”
ICMP Message Types
Typical IP router uses only five types of ICMP
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 114/142
© MikroTik 2009 114
messages (type:code)For PING - messages 0:0 and 8:0
For TRACEROUTE – messages 11:0 and 3:3
For Path MTU discovery – message 3:4Other types of ICMP messages should beblocked
ICMP Message Rule Example
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 115/142
© MikroTik 2009 115
ICMP Flood Lab
Make the new chain – ICMP
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 116/142
© MikroTik 2009 116
Accept 5 necessary ICMP messages
Set match rate to 5 pps with 5 packet burstpossibility
Drop all other ICMP packetsMove all ICMP packets to ICMP chain
Create an action “ jump” rule in the chain Input
Place it accordingly
Create an action “ jump” rule in the chain Forward
Place it accordingly
Port Scan
Port Scan is
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 117/142
© MikroTik 2009 117
sequential TCP(UPD) port probing
PSD (Port scandetection) is possibleonly for TCP protocol
Low ports
From 0 to 1023
High ports
From 1024 to 65535
PSD Lab
Create PSD protection
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 118/142
© MikroTik 2009 118
Create a PSD drop rule in the chain Input
Place it accordingly
Create a PSD drop rule in the chain Forward
Place it accordingly
DoS Attacks
Main target for DoS attacks is consumption of
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 119/142
© MikroTik 2009 119
resources, such as CPU time or bandwidth, sothe standard services will get Denial of Service(DoS)
Usually router is flooded with TCP/SYN(connection request) packets. Causing theserver to respond with a TCP/SYN-ACK packet,and waiting for a TCP/ACK packet.
Mostly DoS attackers are virus infectedcustomers
DoS Attack Protection
All IP's with more than 10 connections to the
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 120/142
© MikroTik 2009 120
router should be considered as DoS attackersWith every dropped TCP connection we willallow attacker to create new connection
We should implement DoS protection into 2steps:
Detection - Creating a list of DoS attackers on thebasis of connection-limit
Suppression – applying restrictions to the detectedDoS attackers
DoS Attack Detection
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 121/142
© MikroTik 2009 121
DoS Attack Suppression
To stop the attacker
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 122/142
© MikroTik 2009 122
from creating newconnections, we willuse action “tarpit”
We must place thisrule before thedetection rule or elseaddress-list entry willrewrite all the time
DDoS attacks
A Distributed Denial
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 123/142
© MikroTik 2009 123
of Service attack isvery similar to DoSattack only it occursfrom multiple
compromisedsystems
Only thing that couldhelp is “TCPSynCookie” option inconntrack system
Mangle Action “change-ttl”
TTL is a limit of Layer3 devices that IP packet
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 124/142
© MikroTik 2009 124
can experience before it should be discardedTTL default value is 64 and each router reducevalue by one just before forwarding decision
Router will not pass traffic to the next device if itreceives IP packet with TTL=1
Useful application: eliminate possibility for clients to create masqueraded networks
Changing TTL
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 125/142
© MikroTik 2009 125
Queue Types
RouterOS have 4 queue types:
FIFO Fi t I Fi t O t (f B t f P k t )
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 126/142
© MikroTik 2009 126
FIFO – First In First Out (for Bytes or for Packets)RED – Random Early Detect (or Drop)
SFQ – Stochastic Fairness Queuing
PCQ – Per Connection Queuing (MikroTik Proprietary)
Each queue type have 2 aspects:
Aspect of the Scheduler
Aspect of the Shaper
100% Shaper
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 127/142
© MikroTik 2009 127
100% Scheduler
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 128/142
© MikroTik 2009 128
Default Queue Types
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 129/142
© MikroTik 2009 129
FIFOBehaviour:
What comes in first is handled first, what comes
in ne t aits ntil the first is finished N mber of
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 130/142
© MikroTik 2009 130
in next waits until the first is finished. Number of waiting units (Packets or Bytes) is limited by“queue size” option. If queue “is full” next unitsare dropped
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 131/142
© MikroTik 2009 131
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 132/142
© MikroTik 2009 132
RED
Behaviour:
Same as FIFO with feature additional drop
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 133/142
© MikroTik 2009 133
Same as FIFO with feature – additional dropprobability even if queue is not full.This probability is based on
comparison of average
queue length over someperiod of time to minimaland maximal threshold –closer to maximal
threshold bigger thechance of drop.
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 134/142
© MikroTik 2009 134
SFQ
Behaviour:
Based on hash value from source andd ti ti dd SFQ di id t ffi i t
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 135/142
© MikroTik 2009 135
Based on hash value from source anddestination address SFQ divides traffic into1024 sub-streams
Then Round Robin
algorithm will distributeequal amount of trafficto each sub-stream
PCQ
Behaviour:
Based on classifier PCQ divides traffic into subt E h b t b id d
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 136/142
© MikroTik 2009 136
Based on classifier PCQ divides traffic into sub-streams. Each sub-stream can be consideredas FIFO queue with queue size specified by“limit” option
After this PCQ can beconsidered as FIFOqueue where queuesize is specified by
“total-limit” option.
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 137/142
© MikroTik 2009 137
SFQ Example
SFQ should be used for equalizing similar
connection
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 138/142
© MikroTik 2009 138
connectionUsually used to manage information flow to or from the servers, so it can offer services toevery customer
Ideal for p2p limitation, it is possible to placestrict limitation without dropping connections,
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 139/142
© MikroTik 2009 139
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 140/142
© MikroTik 2009 140
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 141/142
© MikroTik 2009 141
Queue Type Lab
Try all queue types on “Other-download”
queue in your queue tree Use band-widtht t t h k it
7/27/2019 133581396 Traffic Control Training Course
http://slidepdf.com/reader/full/133581396-traffic-control-training-course 142/142
© MikroTik 2009 142
queue in your queue tree. Use band widthtest to check it.
Adjust your QoS structure with proper
queue typeCreate a packet mark for all p2p trafficand create SFQ queue for it
Change HTTP queue type to PCQ