Queue with Masquerading and Internal Web-Proxy
Friday, 07 December 2007
01. Introduction
This page talks about how to make a QUEUE TREE in RouterOS on a router that is also running
Web-Proxy and Masquerading. Several forum topics say it is impossible to do.
In version 2.9.x we cannot tell which traffic is a HIT and which is a MISS from the web-proxy.
Several people want a configuration that delivers cached data in the proxy (HIT traffic) at the
maximum possible speed. In other words, if we already have the requested data, that traffic
should not be queued.
In version 3.0 we can do this, using the TOS header modification in the web-proxy feature.
We can set any TOS (DSCP) value for HIT traffic and use it as a match parameter in mangle.
02. Basic Setup
First, the basic settings. I'm using a machine with two network interfaces:
---------------------------------------------------------------------------------
[admin@instaler] > in pr
# NAME TYPE RX-RATE TX-RATE MTU
0 R public ether 0 0 1500
1 R lan wlan 0 0 1500
---------------------------------------------------------------------------------
And this is the IP Address for each interface:
---------------------------------------------------------------------------------
[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.217/24 192.168.0.0 192.168.0.255 public
1 172.21.1.1/24 172.21.1.0 172.21.1.255 lan
---------------------------------------------------------------------------------
Don't forget to set up the transparent web-proxy. We set cache-hit-dscp: 4.
---------------------------------------------------------------------------------
[admin@instaler] > ip proxy pr
enabled: yes
src-address: 0.0.0.0
port: 3128
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: system
cache-administrator: "webmaster"
max-cache-size: none
cache-on-disk: yes
maximal-client-connections: 600
maximal-server-connections: 600
max-fresh-time: 3d
serialize-connections: yes
cache-hit-dscp: 4
---------------------------------------------------------------------------------
03. Firewall NAT
Make two NAT rules: one for masquerading, and the other for redirecting to the transparent proxy.
---------------------------------------------------------------------------------
[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=public
src-address=172.21.1.0/24 action=masquerade
1 chain=dstnat in-interface=lan src-address=172.21.1.0/24
protocol=tcp dst-port=80 action=redirect to-ports=3128
---------------------------------------------------------------------------------
04. Mangle Setup
And now the most important part of this setup.
If we want HIT traffic from the web proxy to bypass the queue, we have to make a mangle rule
to handle this traffic. Put this rule at the beginning of the mangle, so it is checked first.
---------------------------------------------------------------------------------
[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; HIT TRAFFIC FROM PROXY
chain=output out-interface=lan
dscp=4 action=mark-packet
new-packet-mark=proxy-hit passthrough=no
---------------------------------------------------------------------------------
As we will make queues for uplink and downlink traffic, we need two packet marks. In this
example we use "test-up" for uplink traffic and "test-down" for downlink traffic.
For uplink traffic it's quite simple. We need only one rule, using the SRC-ADDRESS and
IN-INTERFACE parameters in the PREROUTING chain (rule #1). But for downlink we have to make
several rules. As we use masquerading, we need a connection mark, named "test-conn" (rule #2).
Then we have to make two more rules. The first is for non-HTTP / direct connections; we use
the FORWARD chain, as the data travels through the router (rule #3).
The second rule is for data coming from the web-proxy to the client (MISS traffic).
We use the OUTPUT chain, as the data comes from an internal process in the router itself
(rule #4).
Both rules (#3 and #4) set the packet mark "test-down".
Please be aware that we use passthrough=yes only for the connection mark (rule #2).
---------------------------------------------------------------------------------
[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
1 ;;; UP TRAFFIC
chain=prerouting in-interface=lan
src-address=172.21.1.0/24 action=mark-packet
new-packet-mark=test-up passthrough=no
2 ;;; CONN-MARK
chain=forward src-address=172.21.1.0/24
action=mark-connection
new-connection-mark=test-conn passthrough=yes
3 ;;; DOWN-DIRECT CONNECTION
chain=forward in-interface=public
connection-mark=test-conn action=mark-packet
new-packet-mark=test-down passthrough=no
4 ;;; DOWN-VIA PROXY
chain=output out-interface=lan
dst-address=172.21.1.0/24 action=mark-packet
new-packet-mark=test-down passthrough=no
---------------------------------------------------------------------------------
05. Queue Tree Setup
And now the queue tree settings. We need one rule for downlink and one rule for uplink.
Be careful when choosing the parent: for downlink traffic we use parent "lan", the
interface name of the local network, and for uplink we use parent "global-in".
---------------------------------------------------------------------------------
[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
0 name="downstream" parent=lan packet-mark=test-down
limit-at=32000 queue=default priority=8
max-limit=32000 burst-limit=0
burst-threshold=0 burst-time=0s
1 name="upstream" parent=global-in
packet-mark=test-up limit-at=32000
queue=default priority=8
max-limit=32000 burst-limit=0
burst-threshold=0 burst-time=0s
---------------------------------------------------------------------------------
You can also use these mangle rules with PCQ.
Edited by primadonal
www.primadonal.com
primadonal[at]yahoo.com
Two gateways failover
Tuesday, 27 November 2007
This example explains how to use multiple gateways, with the second taking over when the first fails. It begins with adding the gateways. Set a bigger distance value for the secondary one, and check-gateway for the first one:
/ip route add gateway=192.168.1.1 check-gateway=ping
/ip route add gateway=192.168.2.1 distance=2
That's all; there are no more steps!
The first gateway will be used first, as its distance is smaller (default 0); check-gateway makes sure it is up. When the ping fails, the first gateway is disabled and the second takes over; when the first one comes back up, it resumes its function.
Two gateways failover with load balancing
First of all, you need a working system based on these examples: Improved Load Balancing over Multiple Gateways with Persistent Sessions or Improved Load Balancing over Multiple Gateways.
Route
According to the examples above, you have:
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
Now you have to change these lines to:
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 distance=2
If the ping to 10.111.0.1 fails, then all traffic marked odd goes to the gateway 10.112.0.1; the opposite is also true.
All local traffic goes to 10.112.0.1 as its distance is smaller; if 10.112.0.1 fails, then 10.111.0.1 takes over.
The router pings the gateway every 10 seconds, and if two consecutive pings to the gateway fail, the route is considered dead. So, when testing, keep in mind that gateway failure is detected in 20 to 30 seconds.
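As an added example (not from the wiki page), the following Python model reproduces the route selection described in both failover sections: lowest distance wins among routes whose gateway is alive, a marked table falls back to the main table when it has no usable route, and a gateway is dead after two consecutive failed check-gateway pings at 10-second intervals. The class and function names are this example's own assumptions.

```python
from dataclasses import dataclass

PING_INTERVAL = 10      # seconds between check-gateway pings (from the text)
FAILS_TO_DEAD = 2       # consecutive failed pings before a gateway is dead


@dataclass
class Gateway:
    """Reachability as check-gateway=ping sees it. Modelled per gateway, since the
    text treats the check as applying to every route via that gateway."""
    address: str
    failed_pings: int = 0

    def ping(self, reachable: bool) -> None:
        self.failed_pings = 0 if reachable else self.failed_pings + 1

    @property
    def alive(self) -> bool:
        return self.failed_pings < FAILS_TO_DEAD


@dataclass
class Route:
    gateway: Gateway
    distance: int = 0           # lower wins; the page calls 0 the default
    routing_mark: str = "main"


def select_gateway(routes, routing_mark="main"):
    """Pick the lowest-distance route whose gateway is alive in the marked
    table; if that table has no usable route, fall back to the main table."""
    tables = ("main",) if routing_mark == "main" else (routing_mark, "main")
    for table in tables:
        usable = [r for r in routes if r.routing_mark == table and r.gateway.alive]
        if usable:
            return min(usable, key=lambda r: r.distance).gateway.address
    return None


def build_example():
    """The four routes from the load-balancing failover section above."""
    gw_a, gw_b = Gateway("10.111.0.1"), Gateway("10.112.0.1")
    routes = [
        Route(gw_a, routing_mark="odd"),    # odd connections prefer 10.111.0.1
        Route(gw_b, routing_mark="even"),   # even connections prefer 10.112.0.1
        Route(gw_b),                        # main table: local traffic via 10.112.0.1
        Route(gw_a, distance=2),            # main table backup via 10.111.0.1
    ]
    return gw_a, gw_b, routes


def detection_window_seconds():
    """Failure shows up after two missed probes: 20 s at best, up to 30 s if the
    outage starts right after a successful ping."""
    return FAILS_TO_DEAD * PING_INTERVAL, (FAILS_TO_DEAD + 1) * PING_INTERVAL
```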
NAT
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535 comment="" disabled=no
Change these to:
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 action=masquerade
SNMP MRTG
1. Introduction
This text describes how to configure Mikrotik RouterOS and mrtg (FreeBSD). You must be root on the *nix machine and the ports collection must be installed. A web server must be configured and running on the BSD machine; in this example the web server is Apache. All information about mrtg and apache can be found on their home pages: http://www.mrtg.org http://www.apache.org
2. RouterOS SNMP Configuration
/ snmp
set enabled=yes contact="your@mail.com" location="SomeCountry"
/ snmp community
set public name="public" address=192.168.0.5/32 read-access=yes
IP address 192.168.0.5 is the address of the BSD machine where mrtg will be installed.
3. MRTG Installation and Configuration
Now we install and configure mrtg on the BSD machine.
cd /usr/ports/net-mgmt/mrtg
make
make install
Now we need to create a configuration file for mrtg. This can be done automatically by the cfgmaker program. 192.168.0.1 is the IP of the RouterOS router:
cfgmaker public@192.168.0.1 --output=/usr/local/etc/mrtg.cfg
Change the WorkDir value in the created mrtg file with a text editor. WorkDir specifies where the html files will be created.
It must be the same as the DocumentRoot value in the apache configuration.
For example:
### Global Config Options
# for UNIX
WorkDir: /usr/local/www/data/
### Global Defaults
# to get bits instead of bytes and graphs growing to the right
Options[_]: growright, bits
EnableIPv6: no
######################################################################
# System: Mikrotik
# Description: router
# Contact: your@mail.com
# Location: SomeCountry
######################################################################
Execute mrtg with your config to create the html files:
mrtg /usr/local/etc/mrtg.cfg
Now the directory /usr/local/www/data contains html files for every interface on the MT.
Add this line to crontab to update the graphs automatically every 5 minutes:
*/5 * * * * root mrtg /usr/local/etc/mrtg.cfg
Now we can create one html file with graphs for all interfaces:
indexmaker /usr/local/etc/mrtg.cfg --output=/usr/local/www/data/index.html
Here is a sample configuration to monitor the input voltage on an RB333 router using MRTG and SNMP,
plotting the results with the correct scale and values.
Enter it into an existing mrtg.conf file, replacing IP_Address with your IP address and MT with your community string:
### Input Voltage
Target[IP_Address-voltage]:.1.3.6.1.4.1.14988.1.1.3.8.0&.1.3.6.1.4.1.14988.1.1.3.8.0:MT@IP_Address
AbsMax[IP_Address-voltage]: 200
MaxBytes[IP_Address-voltage]: 200
Title[IP_Address-voltage]: Input Voltage for a monitored RB333
PageTop[IP_Address-voltage]: <H1>Input Voltage RB333 being monitored</H1>
 <TABLE>
  <TR><TD>System:</TD><TD>RB333 being monitored</TD></TR>
  <TR><TD>Maintainer:</TD><TD>managee</TD></TR>
  <TR><TD>Description:</TD><TD>Voltage for Monitored 333</TD></TR>
 </TABLE>
Options[IP_Address-voltage]: gauge,growright,nopercent, noo, expscale
YLegend[IP_Address-voltage]: Volts
YTicsFactor[IP_Address-voltage]: 0.1
Factor[IP_Address-voltage]: 0.1
ShortLegend[IP_Address-voltage]: V
LegendI[IP_Address-voltage]: Input Voltage
Multi node management
This article, a work in progress, describes how to remotely monitor and manage one or more groups of bridged routers from a central location. The configuration instructions for RouterOS are based on WinBox, and are not intended for copy/paste. Use them as guidelines.
Network Topology
At the network monitoring location, you want to use the Dude or WinBox to monitor and manage all of the remote routers.
Each remote bridged network looks like this:
* A cable modem or DSL modem, referred to in this article as The Modem, at a remote location
* A router, referred to in this article as the Gateway Router, connected to the Modem using a public IP address
* A bunch of routers wirelessly connected to the Gateway Router via WDS
* All of the routers having addresses on the same private subnet
* The Gateway Router is using NAT to masquerade the private subnet
You might also have these complications:
* The Gateway Router might be running a Hotspot
* There might be a non-MikroTik firewall or router between the Modem and Gateway Router
* There might be several remote subnets
Basic Solution - single remote subnet
The following two procedures set up a PPTP server on the gateway router and a PPTP client on the network management PC.
When you activate the connection to the gateway router from your PC, the Dude or WinBox will appear to be on the private side of the gateway router, on the bridged subnet, and WinBox and/or the Dude will be able to connect directly to any router or all of them at once. Port forwarding is not needed.
On the Gateway Router:
ppp->pptp server->enabled (check all authentication boxes)
ppp->secrets->add
name =
password =
service = pptp
local address =
remote address =
On the Windows PC where WinBox or the Dude is run:
The following procedure is for Windows XP SP2.
Start->Control Panel->Network Connections->Create a new connection
Connect to the network at my workplace Next>
Virtual Private Network Connection Next>
Select a name to call this VPN Next>
Do not dial the initial connection Next>
Enter the IP address of the PUBLIC side of the Gateway Router
Solution with Hotspot on Gateway Router
Since the other routers are behind the hotspot, they will not be able to communicate with the VPN tunnel in the Gateway Router, even though they are all on the same subnet. To permit access through the hotspot to each of the other routers, create an IP Binding entry as shown below for each router that is behind the hotspot. The IP addresses assigned to the routers can be outside the hotspot address pool if you prefer.
For each router whose private IP address is of the form 192.168.x.y:
ip->hotspot->IP Bindings->Add
Address: 192.168.x.y
To Address: 192.168.x.y
Type: bypassed
Solution with Firewall/Router between Modem and Gateway Router
Assume the gateway router has IP address 192.168.a.b as viewed by the firewall/router. On the firewall/router between the Modem and the Gateway Router, do the following:
Forward port 1723 (PPTP) to IP address 192.168.a.b
Forward protocol 47 (GRE) to IP address 192.168.a.b
Note that some routers cannot forward protocols, only ports. In this case, you will NOT be able to create a VPN tunnel to the gateway router. Also, some routers can forward protocol 47, but the mechanism to do so is undocumented. There are also routers that will forward protocol 47 automatically when you forward port 1723. Consult the documentation for your router, and if you don't find any mention of PPTP or port 1723, try finding a user forum where this subject is discussed.
Solution with multiple remote subnets
Create a separate VPN tunnel to each bridged network.
SNMP PHP
This small example is a PHP script that uses SNMP to read signal strength values from the wireless registration table and publishes them on a web page. It can be quickly adapted to read other values available over SNMP. To use the scripts you need Mikrotik RouterOS (tested on version 2.9.xx, not yet on 3.0), PHP version 4 or 5, and a web server (Apache, IIS). Configure Apache and PHP; the only thing that needs attention is that the snmp extension for PHP is enabled. On Windows, in the php.ini section Windows Extensions, uncomment the line
extension=php_snmp.dll
Enable SNMP on the Mikrotik and, if needed, unblock UDP port 161. Copy the scripts to the web folder. Open index.php and find the lines
$ip="hostname"; //Change IP to your host names, address
$mask_mac=false; //Use to mask MAC address (true / false );
Replace hostname with the IP address of the Mikrotik; if you don't want to see the complete MAC address, change false to true. Now open the page in a browser. You will see the MAC address and signal strength. The page auto-refreshes every 10 seconds and reads the values over SNMP.
The PHP code (to be saved as a .php file) is not included in this copy of the page. Its output is a table with the columns MAC and Signal strength (dBm); the row "Please check SNMP settings and IP address" is shown when no data comes back over SNMP.
NTH in RouterOS 3.x
In v3.0 the implementation of NTH is a little different. It has only two parameters, 'every' and 'packet'.
How it works in v3.0
Every rule has its own counter. When a rule receives a packet, the counter for that rule is increased by one. If the counter matches the value of 'every', the packet is matched and the counter is set to zero.
If passthrough is not set, packets will be marked as follows:
- the first rule, nth=2,1, will match every first packet of 2, hence 50% of all the traffic that is matched by the rules
- a second rule with passthrough=no will match ONLY 25% of the traffic, because in 3.0 you need only one rule to catch traffic, unlike 2.9
Example
How to match 50% of all traffic with only one rule:
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=AAA nth=2,1;
If more than one rule is needed, then there are two ways to match packets:
- the first rule sees all packets and matches 1/3 of them, the second rule sees the remaining 2/3 of packets and matches 1/2 of them, and the third rule sees and matches all packets that passed through the first two rules (1/3 of all packets).
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=AAA nth=3,1 passthrough=no;
add action=mark-packet chain=prerouting new-packet-mark=BBB nth=2,1 passthrough=no;
add action=mark-packet chain=prerouting new-packet-mark=CCC ;
- all rules see all packets and each rule matches every 3rd packet.
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=AAA nth=3,1 passthrough=yes;
add action=mark-packet chain=prerouting new-packet-mark=BBB nth=3,2 passthrough=yes;
add action=mark-packet chain=prerouting new-packet-mark=CCC nth=3,3 passthrough=yes;
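As an added example (not from the wiki page), this Python simulation implements the per-rule counter described above and runs the one-rule, two-rule and both three-rule mangle chains through it, so the 50%, 25% and 1/3 shares can be checked rather than taken on trust. The class and function names are this example's own; passthrough is set explicitly on every simulated rule.

```python
from collections import Counter


class NthRule:
    """One mangle rule with nth=every,packet. Each rule keeps its own counter."""

    def __init__(self, mark, every=None, packet=None, passthrough=False):
        self.mark, self.every, self.packet = mark, every, packet
        self.passthrough = passthrough   # set explicitly for every rule below
        self.counter = 0

    def offer(self) -> bool:
        """Give this rule one packet; return True if the rule matches it."""
        if self.every is None:           # no nth matcher: matches every packet
            return True
        self.counter += 1
        matched = self.counter == self.packet
        if self.counter >= self.every:   # counter wraps back to zero
            self.counter = 0
        return matched


def run_chain(rules, n_packets):
    """Send n_packets through the chain in rule order. A packet stops at the
    first matching rule with passthrough=no. Returns (mark counts, marks per packet)."""
    counts, per_packet = Counter(), []
    for _ in range(n_packets):
        marks = []
        for rule in rules:
            if rule.offer():
                marks.append(rule.mark)
                counts[rule.mark] += 1
                if not rule.passthrough:
                    break
        per_packet.append(tuple(marks))
    return counts, per_packet


def one_rule(n=100):                    # nth=2,1 alone: half of all traffic
    return run_chain([NthRule("AAA", 2, 1)], n)[0]


def two_rules_2_1(n=100):               # two nth=2,1 rules, passthrough=no: 50% and 25%
    return run_chain([NthRule("AAA", 2, 1), NthRule("BBB", 2, 1)], n)[0]


def three_rules_no_passthrough(n=300):  # nth=3,1 ; nth=2,1 ; catch-all
    rules = [NthRule("AAA", 3, 1), NthRule("BBB", 2, 1), NthRule("CCC")]
    return run_chain(rules, n)


def three_rules_passthrough(n=300):     # nth=3,1 ; nth=3,2 ; nth=3,3 with passthrough=yes
    rules = [NthRule("AAA", 3, 1, True), NthRule("BBB", 3, 2, True), NthRule("CCC", 3, 3, True)]
    return run_chain(rules, n)
```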