MikroTik RouterOS (v6) Training
Traffic Control
01/08/2014

Schedule
• 09:00 – 10:30 Morning Session I
– 10:30 – 11:00 Morning Break
• 11:00 – 12:30 Morning Session II
– 12:30 – 13:30 Lunch Break
• 13:30 – 15:00 Afternoon Session I
– 15:00 – 15:30 Afternoon Break
• 15:30 – 17:00 (18:00) Afternoon Session II

Instructor
• Vahid Shahbazian fard jahromy
– Training, Support & Consultant
– Specialization: Wireless, Firewall, The Dude, Routing

Housekeeping
• Course materials
• Routers, cables
• Break times and lunch
• “Lease on Disk” should be used to reduce the number of writes to the drive (useful with flash drives)
• DHCP server is able to send out any option
• DHCP client can receive only implemented options
©LearnMikroTik.ir 2013
CHAIN INPUT
RouterOS Services

Nr.  Port  Protocol  Comment
1    20    TCP       FTP data connection
2    21    TCP       FTP control connection
3    22    TCP       Secure Shell (SSH)
4    23    TCP       Telnet protocol
5    53    TCP       DNS
6    80    TCP       World Wide Web HTTP
7    179   TCP       Border Gateway Protocol
8    443   TCP       Secure Socket Layer (SSL)
9    646   TCP       LDP transport session
10   1080  TCP       SOCKS proxy protocol
11   1723  TCP       PPTP
12   2828  TCP       Universal Plug and Play
15   8291  TCP       Winbox
16   8728  TCP       API
17   8729  TCP       API-SSL

Nr.  Port  Protocol  Comment
21   53    UDP       DNS
22   67    UDP       BootP or DHCP Server
23   68    UDP       BootP or DHCP Client
24   123   UDP       Network Time Protocol
25   161   UDP       SNMP
26   500   UDP       Internet Key Exchange (IPSec)
27   520   UDP       RIP routing protocol
28   521   UDP       RIP routing protocol
29   646   UDP       LDP hello protocol
30   1701  UDP       Layer 2 Tunnel Protocol
31   1900  UDP       Universal Plug and Play
32   5678  UDP       MNDP
35   ---   /47       GRE (PPTP, EOIP)
36   ---   /50       ESP (IPSec)
37   ---   /51       AH (IPSec)

Connection State Lab
• Create 3 rules to ensure that only connection-state new packets will proceed through the input filter
– Drop all connection-state invalid packets
– Accept all connection-state related packets
– Accept all connection-state established packets
• Accept all packets from your local network to connect to the router
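The lab above, written out as RouterOS v6 CLI commands. This is an added example, not a slide from the course: the LAN interface name ether2 and the LAN range 192.168.88.0/24 are assumptions, and the final default-drop rule is an addition beyond the lab text (the lab itself stops at accepting the local network).

```routeros
# Added example (not from the original slides): the Connection State Lab as RouterOS v6 commands.
# Assumptions: the local network sits behind ether2 and uses 192.168.88.0/24.
/ip firewall filter
# Rule 1: drop packets that belong to no known connection (malformed or out-of-window segments)
add chain=input connection-state=invalid action=drop comment="lab: drop invalid"
# Rule 2: accept packets related to an existing connection (ICMP errors, FTP data channel)
add chain=input connection-state=related action=accept comment="lab: accept related"
# Rule 3: accept packets of connections that were already accepted once
add chain=input connection-state=established action=accept comment="lab: accept established"
# Only connection-state=new packets reach this point; let the local network open new
# connections to the router itself (Winbox, SSH, DNS, ... per the services table)
add chain=input connection-state=new in-interface=ether2 src-address=192.168.88.0/24 action=accept comment="lab: allow LAN to router"
# Addition beyond the lab text: any other new connection to the router (e.g. from the WAN) is dropped
add chain=input action=drop comment="default drop (not part of the lab)"
```

Rule order matters: the chain is evaluated top to bottom and the first match wins, so the LAN accept must sit above the final drop. Apply the rules from the LAN side (WinBox Safe Mode reverts the changes if the session is lost) and confirm with `/ip firewall filter print stats` that the invalid and default-drop counters grow while the established counter carries the bulk of the traffic.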
NETWORK ADDRESS TRANSLATION (NAT)
Destination NAT, Source NAT, NAT traversal

NAT Types
• As there are two IP addresses and ports in an IP packet header, there are two types of NAT
– The one, which rewrites source IP address and/or port, is called source NAT (src-nat)
– The other, which rewrites destination IP address and/or port, is called destination NAT (dst-nat)
• Firewall NAT rules process only the first packet of each connection (connection state “new” packets)
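One rule of each NAT type, as an added example that is not from the slides. The WAN interface ether1, the LAN range 192.168.88.0/24 and the internal web server at 192.168.88.10 are assumptions.

```routeros
# Added example (not from the original slides): one src-nat rule and one dst-nat rule.
# Assumptions: ether1 is the WAN interface, the LAN is 192.168.88.0/24,
# and an internal web server answers on 192.168.88.10:80.
/ip firewall nat
# Source NAT: rewrite the source address of LAN traffic leaving via ether1 to the router's
# own address on that interface (masquerade looks the address up for each new connection).
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 action=masquerade comment="src-nat for LAN"
# Destination NAT: rewrite the destination of new TCP/80 connections arriving on ether1.
# Only the first ("new") packet hits this rule; connection tracking translates the rest.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=80 comment="dst-nat to web server"

/ip firewall filter
# dst-nat happens before the forward chain sees the packet, so the forward chain must
# accept the translated connection explicitly; matching on the NAT state keeps the rule
# narrow (only connections this router itself dst-natted, nothing else from the WAN).
add chain=forward connection-nat-state=dstnat connection-state=new in-interface=ether1 action=accept comment="allow dst-natted traffic"
```

Restricting the dst-nat rule to in-interface=ether1 keeps it from rewriting traffic that originates on the LAN, and the matching forward rule is the place to check what is actually exposed: `/ip firewall nat print stats` and `/ip firewall filter print stats` show whether the counters move when a connection is made from outside.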
FIREWALL MANGLE
IP packet marking and IP header fields adjustment

What is Mangle?
• The mangle facility allows IP packets to be marked with special marks.
• These marks are used by other router facilities, like routing and bandwidth management, to identify the packets.
• Additionally, the mangle facility is used to modify some fields in the IP header, like the TOS (DSCP) and TTL fields.
Hierarchical Token Bucket

HTB
• All Quality of Service implementation in RouterOS is based on Hierarchical Token Bucket
• HTB allows a hierarchical queue structure to be created and determines the relations between parent and child queues and the relations between child queues
• RouterOS v5 or older versions support 3 virtual HTBs (global-in, global-total, global-out) and one HTB more just before every interface
• RouterOS v6 supports 1 virtual HTB (global) and one more just before every interface

Mangle and HTBs in RouterOS v5 or older versions
Mangle and HTBs in RouterOS v6
QUEUE TREE

Queue Tree
• Queue tree is a direct implementation of HTB
• Each queue in the queue tree can be assigned to only one HTB
• Each child queue must have a packet mark assigned to it
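The three preceding slides (mangle marks, the v6 global HTB, and the queue tree that needs a packet mark on every child) fit together in one configuration. The following is an added example, not course material: the WAN interface ether1, the LAN range 192.168.88.0/24, the 10 Mbit/s link speed, and all mark and queue names are assumptions.

```routeros
# Added example (not from the original slides): mark traffic in mangle, shape it in a queue tree.
# Assumptions: ether1 is the WAN, the LAN is 192.168.88.0/24, the uplink is 10 Mbit/s each way.
/ip firewall mangle
# Mark the connection once, on its first packet (connection-mark=no-mark skips already-marked
# connections). The connection mark lives in the connection tracking table.
add chain=forward src-address=192.168.88.0/24 connection-mark=no-mark action=mark-connection new-connection-mark=lan-conn passthrough=yes
# Derive a per-packet mark from the connection mark; direction is told apart by interface.
# passthrough=no stops mangle processing for the packet once it is marked.
add chain=forward connection-mark=lan-conn out-interface=ether1 action=mark-packet new-packet-mark=lan-upload passthrough=no
add chain=forward connection-mark=lan-conn in-interface=ether1 action=mark-packet new-packet-mark=lan-download passthrough=no
# The other mangle use from the slides: adjust an IP header field. Here voice signalling
# (SIP, UDP/5060) gets DSCP 46 (Expedited Forwarding) before it leaves the router.
add chain=postrouting protocol=udp dst-port=5060 action=change-dscp new-dscp=46 passthrough=yes

/queue tree
# RouterOS v6: a single virtual HTB named "global"; these two queues are the roots of the tree
# and carry no packet mark, which is why the ceiling is set here.
add name=upload parent=global max-limit=10M
add name=download parent=global max-limit=10M
# Every child queue must carry a packet mark. limit-at is the guaranteed rate,
# max-limit the ceiling it may borrow up to from its parent; priority 1 is highest, 8 lowest.
add name=lan-upload parent=upload packet-mark=lan-upload limit-at=2M max-limit=10M priority=8
add name=lan-download parent=download packet-mark=lan-download limit-at=2M max-limit=10M priority=8
```

`/queue tree print stats` shows bytes and dropped packets per queue; a child whose counters stay at zero almost always means its packet mark is never set, so check `/ip firewall mangle print stats` first.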
RED
Behaviour:
Same as FIFO, with one additional feature: a drop probability even if the queue is not full. This probability is based on a comparison of the average queue length over some period of time to the minimal and maximal thresholds; the closer to the maximal threshold, the bigger the chance of a drop.

SFQ
Behaviour:
Based on a hash value from the source and destination address, SFQ divides traffic into 1024 sub-streams. Then a Round Robin algorithm distributes an equal amount of traffic to each sub-stream.
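The two queue disciplines described above, defined as RouterOS queue types and attached to a simple queue. This is an added example, not from the slides: the threshold values, the perturb interval, the LAN range 192.168.88.0/24 and the 10 Mbit/s limits are assumptions.

```routeros
# Added example (not from the original slides): a RED and an SFQ queue type in RouterOS.
# Assumptions: the LAN is 192.168.88.0/24 and the link is 10 Mbit/s each way;
# the RED thresholds and SFQ perturb interval are chosen for illustration, not from the course.
/queue type
# RED: below red-min-threshold (average queue length, in packets) nothing is dropped; between
# the two thresholds the drop probability rises with the average length; above
# red-max-threshold every packet is dropped. red-limit caps the queue like a FIFO would.
add name=red-wan kind=red red-min-threshold=10 red-max-threshold=50 red-burst=20 red-limit=60
# SFQ: flows are hashed on source/destination address into 1024 sub-streams served round-robin.
# sfq-perturb reseeds the hash every 5 seconds so two flows that collide into one sub-stream
# do not stay paired; sfq-allot is the number of bytes each sub-stream may send per round.
add name=sfq-lan kind=sfq sfq-perturb=5 sfq-allot=1514

/queue simple
# queue=upload-type/download-type: RED towards the WAN, SFQ for fair sharing on the way down.
add name=lan-shaper target=192.168.88.0/24 max-limit=10M/10M queue=red-wan/sfq-lan
```

Under load, `/queue simple print stats` reports dropped packets for the simple queue; with RED those drops should begin before the queue is full, which is the behaviour difference from FIFO the slide describes. SFQ's fairness is per hashed address pair, so a single host running many flows to the same destination still shares one sub-stream.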