When using queues (bandwidth limiters), the chain chosen for a mangle rule determines where that rule takes effect. If SRC-NAT and a WEB-PROXY run on the same machine, it is often quite difficult to write a queue rule that works perfectly. A detailed explanation of how to choose the chain can be found in the Mikrotik manual here.
The experiments were performed on a PC running Mikrotik RouterOS version 2.9.28. This machine has two interfaces: one towards the gateway, named public, and one for the local network, named lan.
[Admin @ instaler]> in pr Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R public ether 0 0 1500
1 R lan wlan 0 0 1500
And here are the IP addresses used. Subnet 192.168.0.0/24 is the gateway subnet for this machine.
[Admin @ instaler]> ip ad pr Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.217/24 192.168.0.0 192.168.0.255 public
1 172.21.1.1/24 172.21.1.0 172.21.1.255 lan
The transparent web-proxy feature is also enabled.
[Admin @ instaler]> ip web-proxy pr
enabled: yes
src-address: 0.0.0.0
port: 3128
hostname: "proxy"
transparent-proxy: yes
parent-proxy: 0.0.0.0:0
cache-administrator: "webmaster"
max-object-size: 4096KiB
cache-drive: system
max-cache-size: none
max-ram-cache-size: unlimited
status: running
reserved-for-cache: 0KiB
reserved-for-ram-cache: 154624KiB
MASQUERADE is enabled, and there is also one redirect rule that diverts HTTP traffic to the web proxy.
[Admin @ instaler] ip firewall nat> pr Flags: X - disabled, I - invalid, D - dynamic
0 chain = srcnat out-interface = public
src-address = 172.21.1.0/24 action = masquerade
1 chain = dstnat in-interface = lan src-address = 172.21.1.0/24
protocol = tcp dst-port = 80 action = redirect to-ports = 3128
Now the most important step in this process: creating the mangle rules. We need two packet marks: one for upstream packets, which in this example we call test-up, and one for downstream packets, which we call test-down.
For upstream packets the mangle rule is quite simple. A single rule suffices, matching only on src-address and in-interface. Here we use the prerouting chain. This rule marks the upstream packets as test-up.
Downstream packets, however, need several rules. Because we use IP translation (masquerade), we first need a connection mark; in this example we call it test-conn.
Then we also have to create two more rules. The first is for non-HTTP packets that come directly downstream from the Internet (not through the proxy). We use the forward chain, because this data flows through the router.
The second is for packets originating from the web proxy. We use the output chain, because this data flows from an application inside the router to a machine outside the router.
Both of these rules mark the downstream packets as test-down.
Do not forget: passthrough=yes is set only on the connection-mark rule.
[Admin @ instaler]> ip firewall mangle print Flags: X - disabled, I - invalid, D - dynamic
0;;; UP TRAFFIC
chain = prerouting in-interface = lan
src-address = 172.21.1.0/24 action = mark-packet
new-packet-mark = test-up passthrough = no
1;;; Conn-MARK
chain = forward src-address = 172.21.1.0/24
action = mark-connection
new-connection-mark = test-conn passthrough = yes
2;;; DOWN-DIRECT CONNECTION
chain = forward in-interface = public
connection-mark = test-conn action = mark-packet
new-packet-mark = test-down passthrough = no
3;;; DOWN-VIA PROXY
chain = output out-interface = lan
dst-address = 172.21.1.0/24 action = mark-packet
new-packet-mark = test-down passthrough = no
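As an added example (not from the original post, and not RouterOS code), the following Python model replays the four mangle rules above over constructed packets, to show which traffic each rule catches, how passthrough=no ends a chain, and why the proxy's replies must be caught in the output chain rather than forward. The chain traversal, the connection-id field and the Internet address 203.0.113.5 are simplifying assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("172.21.1.0/24")
ROUTER = {"192.168.0.217", "172.21.1.1"}   # the router's own addresses (from the page)

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]      # None when the router itself generated the packet
    out_iface: Optional[str]     # None when the packet is delivered to the router
    conn: str                    # constructed connection id, shared by both directions
    packet_mark: Optional[str] = None

def _src_lan(p, _cm):
    return ip_address(p.src) in LAN

# (chain, match, action, mark, passthrough), in the print order shown above
RULES = [
    ("prerouting", lambda p, cm: p.in_iface == "lan" and _src_lan(p, cm), "mark-packet", "test-up", False),
    ("forward", _src_lan, "mark-connection", "test-conn", True),
    ("forward", lambda p, cm: p.in_iface == "public" and cm.get(p.conn) == "test-conn",
     "mark-packet", "test-down", False),
    ("output", lambda p, cm: p.out_iface == "lan" and ip_address(p.dst) in LAN,
     "mark-packet", "test-down", False),
]

def chains_for(p):
    # Router-generated packets only see output; received packets see prerouting,
    # then input (delivered locally, e.g. to the proxy) or forward (routed through).
    if p.in_iface is None:
        return ["output"]
    return ["prerouting", "input" if p.dst in ROUTER else "forward"]

def run_mangle(p, conn_marks):
    """Apply the rule set; conn_marks stands in for the connection-tracking table."""
    for chain in chains_for(p):
        for rchain, match, action, mark, passthrough in RULES:
            if rchain != chain or not match(p, conn_marks):
                continue
            if action == "mark-packet":
                p.packet_mark = mark
            else:
                conn_marks[p.conn] = mark
            if not passthrough:
                break                        # passthrough=no ends this chain
    return p.packet_mark

def demo():
    cm = {}
    inet = "203.0.113.5"                     # constructed Internet host
    return {
        "lan_to_inet": run_mangle(Packet("172.21.1.10", inet, "lan", "public", "c1"), cm),
        "inet_reply": run_mangle(Packet(inet, "172.21.1.10", "public", "lan", "c1"), cm),
        "unsolicited": run_mangle(Packet(inet, "172.21.1.10", "public", "lan", "c2"), cm),
        "client_to_proxy": run_mangle(Packet("172.21.1.10", "172.21.1.1", "lan", None, "c3"), cm),
        "proxy_to_client": run_mangle(Packet("172.21.1.1", "172.21.1.10", None, "lan", "c3"), cm),
        "proxy_fetch": run_mangle(Packet("192.168.0.217", inet, None, "public", "c4"), cm),
    }
```

The model also shows that the proxy's own fetches towards the Internet (output chain, out-interface public) receive no mark under these rules, so that traffic is not counted against the upstream queue.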
The last stage is configuring the queue. Here we use queue trees: one rule for downstream traffic and one for upstream. What matters here is the choice of parent. For downstream we use the parent lan, matching the interface that leads to the local network, and for upstream we use the parent global-in.
[Admin @ instaler]> queue tree pr Flags: X - disabled, I - invalid
0 name = "downstream" parent = lan packet-mark = test-down
limit-at = 32000 queue = default priority = 8
max-limit = 32000 burst-limit = 0
burst-threshold = 0 burst-time = 0s
1 name = "upstream" parent = global-in
packet-mark = test-up limit-at = 32000
queue = default priority = 8
max-limit = 32000 burst-limit = 0
burst-threshold = 0 burst-time = 0s
As a variation for bandwidth management, it is also possible to use the pcq queue type, which automatically divides the traffic per client.