Load Balance using PCC method (Mikrotik)

Load balancing on a router is a technique for distributing traffic across two or more links in a balanced way, so that traffic flows optimally: throughput is maximized, response time is minimized, and no single link is overloaded.

Many of us assume, wrongly, that by load-balancing two lines we will get double the bandwidth we had before (the sum of both links). This needs to be made clear first: load balancing does not increase the bandwidth we get; it only divides the traffic between the two links so that both are used in a balanced way.

In this article we will show that load balancing does not follow the arithmetic 512 + 256 = 768, but rather 512 + 256 = 512 + 256, or 512 + 256 = 256 + 256 + 256: a single connection never gets more than the link it was assigned to.

In this article we use an RB433UAH with the following conditions:

1. ether1 and ether2 are connected to different ISPs with different bandwidth: ISP1 at 512kbps and ISP2 at 256kbps.
2. We will use an internal web-proxy and use OpenDNS.
3. RouterOS version 4.5 is used, because PCC has been available since version 3.24.

If these conditions differ from your own network, you will have to adapt the configuration described here to your network.


Basic Configuration
Here is the network topology and the IP addressing we will use (topology diagram not reproduced here):


/ip address
add address=192.168.101.2/30 interface=ether1
add address=192.168.102.2/30 interface=ether2
add address=10.10.10.1/24 interface=wlan2
/ip dns
set allow-remote-requests=yes primary-dns=208.67.222.222 secondary-dns=208.67.220.220

For client connections we use the wireless interface wlan2, with clients in the range 10.10.10.2 to 10.10.10.254, netmask 255.255.255.0; the address 10.10.10.1 on wlan2 serves as the clients' gateway and DNS server. If you use the DNS of one of your ISPs instead, an additional mangle rule is needed, which we give further below. Note that allow-remote-requests=yes makes the router answer DNS queries on every interface, including ether1 and ether2; unless you filter udp/tcp port 53 on the input chain so that only wlan2 is allowed, the router becomes an open resolver that can be abused for DNS amplification.
Once the IP and DNS configuration are correct, we must add a default route to each ISP gateway so that the router forwards traffic for networks not directly connected to it. Here we use the check-gateway feature, which is useful when one gateway goes down: the route is disabled and connections are diverted to the other gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.101.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.102.1 distance=2 check-gateway=ping

For the access-point settings, so that client PCs can associate with the wireless interface, we use the command
/interface wireless
set wlan2 mode=ap-bridge band=2.4ghz-b/g ssid=MikroTik disabled=no
As written, wlan2 uses the default security-profile, which has no encryption; before putting this into service, attach a security-profile with WPA2 so that the client network is not an open wireless network.

So that the client PCs can reach the Internet, we also have to translate the clients' private IP addresses to the public IP on our public interfaces, ether1 and ether2.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

Up to this step, both the router and the client PCs should be able to reach the Internet. Test by pinging an Internet host from the router and from a client PC. If that fails, check your configuration again.

Internal Webproxy
Certain RouterBoards, such as the RB450G, RB433AH, RB433UAH, RB800 and RB1100, have an expansion slot (USB, MicroSD, CompactFlash) for additional storage. In the example below we use a USB flash drive in the USB slot. On first installation this storage shows status invalid in /system store. To use it as cache storage it must first be formatted and activated. Then we enable the web-proxy with cache-on-disk=yes so that it uses our storage. Do not forget to redirect HTTP traffic (tcp port 80) from the clients into the web-proxy.
/store disk format-drive usb1
/store add disk=usb1 name=cache-usb type=web-proxy
/store activate cache-usb
/ip proxy set cache-on-disk=yes enabled=yes max-cache-size=200000KiB port=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 in-interface=wlan2 action=redirect to-ports=8080
Note that the proxy listens on port 8080 on all interfaces. Unless you deny access from the ISP side (an input filter for tcp/8080 on ether1 and ether2, or deny rules under /ip proxy access), the router becomes an open proxy that anyone on the Internet can relay through.


Setting Mangle
For this load balancing we use the feature called PCC (Per Connection Classifier). With PCC we can divide the traffic, or the connections going out through the router, into several groups. The grouping can be based on src-address, dst-address, src-port and/or dst-port. The router remembers which gateway the first packet of a connection was sent through, so that subsequent packets belonging to the same connection are sent through the same gateway. The advantage of PCC is that it answers a common complaint about earlier load-balancing techniques: connections breaking because they were moved between gateways mid-session.
Before writing the load-balancing mangle rules, and to prevent routing loops, all client traffic destined for networks directly connected to the router must bypass the load balancing. We make an address list of the router's directly connected networks and add the following mangle rules first:
/ip firewall address-list
add address=192.168.101.0/30 list=local
add address=192.168.102.0/30 list=local
add address=10.10.10.0/24 list=local
/ip firewall mangle
add chain=prerouting dst-address-list=local in-interface=wlan2 action=accept comment="local traffic"
add chain=output dst-address-list=local action=accept
In certain cases a connection can be initiated from the Internet side, for example a remote Winbox or telnet session to the router. We therefore also mark such connections, so that their replies leave through the interface the traffic came in on. (If you allow management from the Internet at all, restrict it to known source addresses and prefer SSH or Winbox over telnet, which sends credentials in clear text.)
/ip firewall mangle
add chain=prerouting connection-mark=no-mark in-interface=ether1 action=mark-connection new-connection-mark=con-from-isp1 passthrough=yes comment="traffic from isp1"
add chain=prerouting connection-mark=no-mark in-interface=ether2 action=mark-connection new-connection-mark=con-from-isp2 passthrough=yes comment="traffic from isp2"

Generally an ISP restricts access to its DNS servers to its own IP addresses, so if you use the DNS of one ISP you must add mangle rules to force that traffic through that ISP's gateway rather than the other one. Here we give the mangle for ISP1's DNS server (202.65.112.21) through the ISP1 gateway. If you use an independent public DNS such as OpenDNS, you do not need the rules below.
/ip firewall mangle
add chain=output dst-address=202.65.112.21 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns passthrough=yes comment="dns traffic to citra.net.id via ISP1"
add chain=output dst-address=202.65.112.21 protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns passthrough=yes
add chain=output connection-mark=dns action=mark-routing new-routing-mark=route-to-isp1 passthrough=no

Because we run the web-proxy on the router, there are two kinds of traffic to load-balance: traffic from the clients to the Internet (non-HTTP), and traffic from the web-proxy to the Internet. To keep things structured and easier to read, we use custom chains as follows:
/ip firewall mangle
add chain=prerouting connection-mark=no-mark in-interface=wlan2 action=jump jump-target=client-lb comment="jump to client-lb"
add chain=output connection-mark=no-mark out-interface=!wlan2 action=jump jump-target=lb-proxy comment="jump to lb-proxy"

In the mangle rules above, for the client load balancing we match in-interface against the interface connected to the clients, and for the web-proxy load balancing we use the output chain with out-interface set to anything except the client interface. With the custom chains in place, we can add the load-balancing rules in each chain:
/ip firewall mangle
add chain=client-lb dst-address-type=!local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=to-isp1 passthrough=yes comment="initial client loadbalancing"
add chain=client-lb dst-address-type=!local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=to-isp1 passthrough=yes
add chain=client-lb dst-address-type=!local per-connection-classifier=both-addresses:3/2 action=mark-connection new-connection-mark=to-isp2 passthrough=yes
add chain=client-lb action=return comment="end of loadbalancing"
/ip firewall mangle
add chain=lb-proxy dst-address-type=!local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=con-from-isp1 passthrough=yes comment="initial proxy loadbalancing"
add chain=lb-proxy dst-address-type=!local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=con-from-isp1 passthrough=yes
add chain=lb-proxy dst-address-type=!local per-connection-classifier=both-addresses:3/2 action=mark-connection new-connection-mark=con-from-isp2 passthrough=yes
add chain=lb-proxy action=return comment="end of loadbalancing"

In the example above the client and web-proxy load balancing use the same PCC classifier, both-addresses, so the router decides based on the src-address and dst-address of a connection. Because our ISPs differ in speed (512kbps and 256kbps), we divide the traffic into 3 parts: the first two parts go through the ISP1 gateway and the last part through the ISP2 gateway. With the client and proxy traffic classified, the next step is the mark-routing rules that will be used in the routing process.
/ip firewall mangle
add chain=prerouting connection-mark=!no-mark in-interface=wlan2 action=jump jump-target=route-client comment="route marking client"
add chain=route-client connection-mark=to-isp1 action=mark-routing new-routing-mark=route-to-isp1 passthrough=no
add chain=route-client connection-mark=to-isp2 action=mark-routing new-routing-mark=route-to-isp2 passthrough=no
add chain=route-client connection-mark=con-from-isp1 action=mark-routing new-routing-mark=route-to-isp1 passthrough=no
add chain=route-client connection-mark=con-from-isp2 action=mark-routing new-routing-mark=route-to-isp2 passthrough=no
add chain=route-client action=return
/ip firewall mangle
add chain=output connection-mark=con-from-isp1 out-interface=!wlan2 action=mark-routing new-routing-mark=route-to-isp1 passthrough=no comment="proxy route marking"
add chain=output connection-mark=con-from-isp2 out-interface=!wlan2 action=mark-routing new-routing-mark=route-to-isp2 passthrough=no


Routing settings
The mangle settings above are useless until routes exist for the routing marks we created. Here we also add backup routes, so that if one gateway is lost, all connections go through the gateway that is still connected.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.101.1 routing-mark=route-to-isp1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.102.1 routing-mark=route-to-isp1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.102.1 routing-mark=route-to-isp2 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.101.1 routing-mark=route-to-isp2 distance=2 check-gateway=ping

Examination
From our tests we obtained the following results (test screenshot not reproduced here).

The screenshot showed that with a single file download (1 connection) we only got 56kBps (448kbps), because that connection went through the ISP1 gateway, while a second download (a new connection) from another website got 30kBps (240kbps). From this test we can conclude that

512kbps + 256kbps ≠ 768kbps

Note:
• Load balancing with PCC becomes effective and balanced as more and more connections (from the clients) occur.
• Use ISPs with FIXED (dedicated) bandwidth rather than shared bandwidth for more optimal results.
• PCC load balancing is not a complete solution that will always work well in every kind of network, because the balancing is based on probability (the hash of a connection's addresses), not on measured load.
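To make the 2:1 split and the probability note concrete, the following Python script (an example added here, not part of the original article or of MikroTik's code) simulates the per-connection classifier: it hashes the fields selected by the classifier, takes the remainder modulo the denominator, and maps remainders 0 and 1 to to-isp1 and remainder 2 to to-isp2, exactly as the client-lb chain does. RouterOS does not publish its PCC hash function, so a truncated SHA-256 stands in for it here; the sample connections from 10.10.10.0/24 and the destination addresses are constructed.

```python
import hashlib
import random
from collections import Counter

# The client-lb rules from the article: remainders 0 and 1 of denominator 3
# are marked to-isp1 (512 kbps link), remainder 2 is marked to-isp2 (256 kbps).
PCC_RULES = {0: "to-isp1", 1: "to-isp1", 2: "to-isp2"}
DENOMINATOR = 3

# Header fields each classifier feeds into the hash.
CLASSIFIER_FIELDS = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "both-addresses": ("src", "dst"),
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
}


def pcc_value(conn, classifier="both-addresses"):
    """Hash the selected fields of a connection to a 32-bit value.

    ASSUMPTION: RouterOS does not document the PCC hash, so SHA-256 truncated
    to 32 bits stands in for it. Only the property that the same fields always
    hash to the same value matters for the demonstration.
    """
    key = "|".join(str(conn[f]) for f in CLASSIFIER_FIELDS[classifier]).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def classify(conn, classifier="both-addresses", denominator=DENOMINATOR):
    """Remainder that RouterOS compares against the N/R in the mangle rule."""
    return pcc_value(conn, classifier) % denominator


def gateway_for(conn, classifier="both-addresses"):
    """Connection mark the client-lb chain would assign to this connection."""
    return PCC_RULES[classify(conn, classifier)]


def split(conns, classifier="both-addresses"):
    """Count how many of the connections land on each ISP: (isp1, isp2)."""
    counts = Counter(gateway_for(c, classifier) for c in conns)
    return counts["to-isp1"], counts["to-isp2"]


def random_connections(n, seed=1):
    """Constructed sample: n client connections from 10.10.10.0/24 to random hosts."""
    rng = random.Random(seed)
    conns = []
    for _ in range(n):
        conns.append({
            "src": f"10.10.10.{rng.randint(2, 254)}",
            "dst": ".".join(str(rng.randint(1, 223)) for _ in range(4)),
            "sport": rng.randint(1024, 65535),
            "dport": rng.choice([80, 443, 25, 110, 993]),
        })
    return conns


def isp1_share(n, seed=1, classifier="both-addresses"):
    """Fraction of n connections sent to ISP1; the ideal is 2/3 with the 2:1 rules."""
    isp1, isp2 = split(random_connections(n, seed), classifier)
    return isp1 / (isp1 + isp2)


if __name__ == "__main__":
    one = {"src": "10.10.10.5", "dst": "203.0.113.10", "sport": 40000, "dport": 80}
    # A single download is one connection: it gets exactly one gateway, so its
    # throughput is capped at that ISP's link, never at 512 + 256.
    print("single download goes via", gateway_for(one))
    # With both-addresses a second download to the same server shares that gateway;
    # only both-addresses-and-ports would let it take the other link.
    two = dict(one, sport=40001)
    print("second download, same server:", gateway_for(two),
          "/ with ports:", gateway_for(two, "both-addresses-and-ports"))
    for n in (3, 10, 100, 3000):
        print(f"{n:5d} connections -> ISP1 share {isp1_share(n):.2f}")
```

Two things the script shows: a single download is one connection and lands on exactly one gateway, so its speed is capped by that link (this is the 512 + 256 ≠ 768 result); and with only a handful of connections the share on ISP1 can be far from 2/3, converging towards it only as the number of connections grows. With both-addresses, all connections between one client and one server share the same gateway; switching the classifier to both-addresses-and-ports spreads them, at the cost of a site seeing the client from two different public addresses, which breaks some login sessions.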

 

Queue with SRC-NAT and WEB-PROXY (Mikrotik)

When using queues (bandwidth limiters), the CHAIN chosen in MANGLE determines whether a rule ever sees a packet. If SRC-NAT and a WEB-PROXY run on the same machine, it is often quite difficult to make a queue rule that catches everything. A detailed explanation of choosing the chain can be found in the MikroTik manual (packet flow).
The experiment was done on a PC running MikroTik RouterOS version 2.9.28. The machine has two interfaces: one towards the gateway, named public, and one towards the local network, named lan.

[admin@instaler] > interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME      TYPE   RX-RATE  TX-RATE  MTU
 0  R public    ether  0        0        1500
 1  R lan       wlan   0        0        1500
And here are the IP addresses used. Subnet 192.168.0.0/24 is the gateway subnet for this machine.

[admin@instaler] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK       BROADCAST      INTERFACE
 0   192.168.0.217/24   192.168.0.0   192.168.0.255  public
 1   172.21.1.1/24      172.21.1.0    172.21.1.255   lan
The web-proxy feature is also enabled, in transparent mode.


 
[admin@instaler] > ip web-proxy print
                 enabled: yes
             src-address: 0.0.0.0
                    port: 3128
                hostname: "proxy"
       transparent-proxy: yes
            parent-proxy: 0.0.0.0:0
     cache-administrator: "webmaster"
         max-object-size: 4096KiB
             cache-drive: system
          max-cache-size: none
      max-ram-cache-size: unlimited
                  status: running
      reserved-for-cache: 0KiB
  reserved-for-ram-cache: 154624KiB
MASQUERADE is enabled, and there is also one redirect rule that diverts HTTP traffic to the WEB-PROXY.

[admin@instaler] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=public src-address=172.21.1.0/24
     action=masquerade

 1   chain=dstnat in-interface=lan src-address=172.21.1.0/24
     protocol=tcp dst-port=80 action=redirect to-ports=3128
Here is the most important step in the process: creating the mangle rules. We need two PACKET-MARKs: one for upstream packets, which in this example we call test-up, and one for downstream packets, which we call test-down.
For the upstream packets the mangle rule is quite simple. A single rule is enough, using the SRC-ADDRESS and IN-INTERFACE parameters in the prerouting chain. These packets get the packet-mark test-up.
For the downstream packets, however, we need several rules. Because we use address translation (masquerade), we first need a connection mark, which in this example we call test-conn.
Then we create two more rules. The first is for non-HTTP downstream packets coming directly from the Internet (not through the proxy). We use the forward chain, because that data is routed through the router.
The second is for packets originating from the WEB-PROXY. We use the output chain, because that data flows from an application inside the router to a machine outside it.
Both rules give the downstream packets the packet-mark test-down.
Do not forget: passthrough=yes is set only on the connection-mark rule; the packet-mark rules use passthrough=no.

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; UP TRAFFIC
     chain=prerouting in-interface=lan src-address=172.21.1.0/24
     action=mark-packet new-packet-mark=test-up passthrough=no

 1   ;;; CONN-MARK
     chain=forward src-address=172.21.1.0/24
     action=mark-connection new-connection-mark=test-conn passthrough=yes

 2   ;;; DOWN-DIRECT CONNECTION
     chain=forward in-interface=public connection-mark=test-conn
     action=mark-packet new-packet-mark=test-down passthrough=no

 3   ;;; DOWN-VIA PROXY
     chain=output out-interface=lan dst-address=172.21.1.0/24
     action=mark-packet new-packet-mark=test-down passthrough=no
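To make the chain selection concrete, here is a small Python model (added here as an example; it is not MikroTik code and not part of the original article) that evaluates the four mangle rules above against constructed packets: a client upload, the direct reply from the Internet, the client's request to the transparent proxy, the proxy's own fetch from the origin server and its reply, and the proxy delivering the object to the client. The addresses 172.21.1.10 and 203.0.113.20, the connection identifiers, and the list of chains each packet type traverses are assumptions made for the model; the match conditions, marks and passthrough settings are the ones in the rule set.

```python
from dataclasses import dataclass
from typing import Optional

LAN_NET = "172.21.1."          # 172.21.1.0/24 from the article


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]    # None for packets the router itself generates
    out_iface: Optional[str]   # None for packets delivered to the router itself
    conn_id: int               # conntrack entry the packet belongs to (assumed id)


def in_lan(addr):
    return addr.startswith(LAN_NET)


def chains_for(pkt):
    """Mangle chains a packet traverses, depending on where it comes from and goes."""
    if pkt.in_iface is None:
        return ["output", "postrouting"]              # locally generated (web-proxy)
    if pkt.out_iface is None:
        return ["prerouting", "input"]                # destined to the router (proxy port)
    return ["prerouting", "forward", "postrouting"]   # routed through the box


# The four mangle rules of the article, in print order:
# (chain, match(packet, connection-mark), action, mark, passthrough)
RULES = [
    ("prerouting", lambda p, cm: p.in_iface == "lan" and in_lan(p.src),
     "mark-packet", "test-up", False),
    ("forward", lambda p, cm: in_lan(p.src),
     "mark-connection", "test-conn", True),
    ("forward", lambda p, cm: p.in_iface == "public" and cm == "test-conn",
     "mark-packet", "test-down", False),
    ("output", lambda p, cm: p.out_iface == "lan" and in_lan(p.dst),
     "mark-packet", "test-down", False),
]


class Mangle:
    """Minimal model of mangle evaluation with a shared conntrack mark table."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.conn_marks = {}   # conn_id -> connection-mark, persists across packets

    def process(self, pkt):
        """Return the packet-mark the rules assign to pkt (None if untouched)."""
        packet_mark = None
        for chain in chains_for(pkt):
            for rule_chain, match, action, mark, passthrough in self.rules:
                if rule_chain != chain:
                    continue
                conn_mark = self.conn_marks.get(pkt.conn_id)
                if not match(pkt, conn_mark):
                    continue
                if action == "mark-connection":
                    self.conn_marks[pkt.conn_id] = mark
                elif action == "mark-packet":
                    packet_mark = mark
                if not passthrough:
                    break      # passthrough=no: stop evaluating this chain
        return packet_mark


def run_flow():
    """Constructed flow: one client uploading and downloading, directly and via the proxy."""
    m = Mangle()
    client, server, router = "172.21.1.10", "203.0.113.20", "192.168.0.217"
    return {
        # client -> internet (non-HTTP), routed out via public
        "client_upload": m.process(Packet(client, server, "lan", "public", conn_id=1)),
        # reply from the internet for the same connection, routed in from public
        "direct_download": m.process(Packet(server, client, "public", "lan", conn_id=1)),
        # client -> transparent proxy (redirected port 80), terminates on the router
        "client_to_proxy": m.process(Packet(client, server, "lan", None, conn_id=2)),
        # the proxy fetching the object from the origin server, and the reply to it
        "proxy_fetch": m.process(Packet(router, server, None, "public", conn_id=3)),
        "origin_reply": m.process(Packet(server, router, "public", None, conn_id=3)),
        # the proxy delivering the object to the client: output chain, out-interface lan
        "proxy_download": m.process(Packet(router, client, None, "lan", conn_id=2)),
    }


if __name__ == "__main__":
    for name, mark in run_flow().items():
        print(f"{name:16s} -> {mark}")
```

Running it shows why the forward-chain rule alone is not enough: the object the proxy delivers never passes through forward, only through output, so without rule 3 it would not be counted against the downstream queue. It also shows the gap that remains: the proxy's own fetch from the Internet and the origin server's reply to the router match none of the rules, so for proxied HTTP only the router-to-client hop is limited.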
For the final stage we configure the queue. Here we use queue trees: one rule for downstream and one for upstream. What matters here is the choice of parent. For downstream we use the parent lan, matching the interface towards the local network; for upstream we use the parent global-in.

[admin@instaler] > queue tree print
Flags: X - disabled, I - invalid
 0   name="downstream" parent=lan packet-mark=test-down
     limit-at=32000 queue=default priority=8
     max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s

 1   name="upstream" parent=global-in packet-mark=test-up
     limit-at=32000 queue=default priority=8
     max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s
As a variation for bandwidth management, the pcq queue type can also be used, which divides the traffic per client automatically.

WHAT IS A HONEYPOT?

Basically, a honeypot is a tool for gathering information about attackers. From it, network administrators can learn which activities are harmful and observe trends in those activities. A honeypot is a system designed to be probed and attacked. There are two categories of honeypots:
Production honeypots, used to reduce the risk of attacks on an organization's information security system.
Research honeypots, used to obtain as much information as possible about attackers so that an administrator can learn from it.

Some have debated whether honeypots truly add value to network security. One way to judge is to see how much time a honeypot gives the administrator to react from the moment an attack comes in, so that the production network can be protected. If that is 15-20 minutes, the honeypot has added value (a criterion given by Marty Roesch, creator of Snort). The information learned about the attacker also adds value to the security system, because an appropriate countermeasure can be prepared against these new attacks.
Honeypots do not require a specific placement on the network, because a honeypot is a standard server with no special requirements. It can be placed anywhere a server would be placed, though preferably somewhere easy for the intended parties to reach. Honeypots can be used on the Internet or on an intranet, depending on the services needed. Placing a honeypot on an intranet is useful for detecting an attacker already inside the internal network. If the main focus is the Internet, a honeypot can be placed in one of the following locations:
¥ In front of the firewall (Internet side)
¥ In the DMZ
¥ Behind the firewall
Each placement has its advantages and disadvantages. Sometimes it is not possible to put a server in front of the firewall.
Honeypots distributed across a network (a Honeynet) can form an accurate detector; the cost factor (mainly hardware and administration costs) is the main barrier to implementing a Honeynet.

KNOW YOUR IP COMMANDS IN CMD

The MS-DOS prompt, or CMD, is known for its plain appearance but is still widely used by hackers around the world. Here I share a little more knowledge about the network-related commands used to find out information about our own computer and about target computers/servers. Open CMD first, then try the following commands:
- ipconfig /all
  Displays the connection configuration, such as Host Name, primary DNS suffix, node type and the details of each Ethernet/LAN adapter (MAC address, DHCP and DNS servers).
- ipconfig /displaydns
  Displays the DNS resolver cache
- ipconfig /flushdns
  Clears the DNS resolver cache
- ipconfig /release
  Releases the DHCP-assigned IP address of all adapters
- ipconfig /renew
  Requests a new DHCP lease for all adapters
- ipconfig /registerdns
  Refreshes all DHCP leases and re-registers the computer's DNS names
- ipconfig /showclassid
  Displays the DHCP class IDs allowed for an adapter
- ipconfig /setclassid
  Changes the DHCP class ID of an adapter
- control netconnections
  Opens the Network Connections window
- ping
  Tests the connection to a particular host or IP address, e.g. ping www.google.com
- tracert
  Displays the route (hop by hop) that packets take to a destination
- netstat
  Displays the TCP/IP connections currently active (netstat -ano also shows listening ports and the owning process ID)
- route
  Displays the local routing table (route print)
- hostname
  Displays the computer name