
Shaping and possibilities of Mikrotik router
Email: info@ispadmin.cz | Tel.: +420 212 220 480 | www.net-service.cz | www.ispadmin.cz | www.lightkeeperpro.cz
ISPadmin - Shaping and possibilities of Mikrotik router
ISPadmin is able to log in to a Mikrotik router and write rules to it. The system modifies the following sections of the
router configuration, plus the queue type (see below).
/ip firewall filter
The firewall rules are written here. First, the authorized IP addresses of the clients, their terminal equipment and the
routers in the segment are permitted; at the end, the entire subnet is blocked by a FORWARD DROP rule. For a client to be
added, the whole subnet must be listed in "Routers" under "Network Routing" as the "IP address for WiFi users".
Enrolling the firewall can be switched off in the router settings by unchecking "Apply firewall rules". If this item is not
checked, the firewall rules are not written to the router. This is useful, for example, if not all users are registered in the
system: a user missing from the system would be blocked by the final drop rule, so in that case it is better not to apply the FW.
By default, the FW writes the restriction on the client's IP address as both SRC and DST. In some cases (e.g. to reduce the
number of rules in the FW) it is enough to restrict only SRC or only DST. The type of enrolling can be set in the menu "Settings /
System. Setup / Mikrotik"; the key is "mikrotik_fw_drop".
/ip firewall mangle
Packets are marked here: the packets of a client receive the packet mark "ispadmin_ID" (ID is the unique client number
in the database). If the client has multiple IP addresses, or further IP ranges on the Internet service, all these
ranges get the same packet mark and are therefore limited in the same QT.
/queue tree
The QTs (queue tree entries) are set here. The QT options are fairly broad and are described below.
/ip firewall nat
Each client whose Internet service is suspended is entered in NAT. A redirect is created here that sends the client to an
"information page", which can be edited in the menu "Settings / Info page". The suspension is done on the client's Internet
tab. When suspending the service you can also select a "reason for the suspension", and the page displayed is chosen based
on that choice.
The condition for enrolling the NAT rules is the key "mikrotik_nat_disable_users" set to "1" in the menu "Settings /
System. Settings / Mikrotik". If it is set to "0", the rules are not written into NAT. This can be used, for example, when the
redirect of suspended users is handled by other means outside ISPadmin.
If you use PPPoE and "user type" PPPoE is selected on the client's Internet tab, the client's name and password can be
filled in. This name and password are written into the PPP table, together with the client's IP address.
ISPadmin does not touch or modify any other Mikrotik tables. In all cases the system only works with entries whose
comment begins with "ispadmin_" (firewall, ppp, QT) or whose packet mark begins with "ispadmin_" (mangle). Thanks to this,
you can add your own firewall rules, QT restrictions etc. on the router. Place such rules at the start of the FW, mangle and QT
tables, ahead of the ISPadmin rules, and they take effect first.
ISPadmin-managed rules that are changed manually on the Mikrotik are overwritten by the next configuration update. Any
change of a client's connection speed, tariff etc. must be made in ISPadmin.
All configuration the system transmits to the Mikrotik is transferred via SSH. The configuration is transmitted as
"differences": when updating, the system first retrieves the current configuration of the router, compares it with the
configuration that should be on the router, and transfers only the differences. This minimizes the number of writes to the
router's flash memory. Because ISPadmin needs an SSH login on every router, it is worth restricting the router's SSH service
to the address of the ISPadmin server.
Default firewall
In the menu "Settings / System. Settings / Mikrotik", under the key "mikrotik_default_fw", you can define default
firewall rules that are written to all routers to which SSH access is allowed. This makes it possible, for example, to limit
Windows file sharing or to block the ports used by specific worms.
The rules included in the default firewall must start with "/ip firewall filter add". Rules written in any other form
are ignored.
Example of default firewall:
/ip firewall filter add chain=forward protocol=tcp dst-port=135-139 action=drop comment="netbios"
/ip firewall filter add chain=forward protocol=udp dst-port=135-139 action=drop comment="netbios"
/ip firewall filter add chain=forward protocol=tcp dst-port=445 action=drop comment="netbios"
/ip firewall filter add chain=forward protocol=udp dst-port=445 action=drop comment="netbios"
/ip firewall filter add chain=forward src-address=10.0.0.0/8 protocol=udp dst-port=53 action=accept comment="DNS"
/ip firewall filter add chain=forward src-address=10.0.0.0/8 protocol=icmp action=reject reject-with=icmp-admin-prohibited
MAC filter
The MAC filter can be activated on each router, in the router's record (item "MAC filter"). If the MAC filter is active,
both the IP and the MAC address of the client are written into the FW. If the client changes the IP or the MAC address,
the Internet stops working for that client.
The system retrieves MAC addresses from the router automatically once per hour. If the MAC filter is active and a new
client is connected, it is not necessary to fill in the client's MAC address: the system first allows the client in the FW by
IP address, and when the client connects, the system loads the MAC address from the router's ARP table and stores it in the
client's record. From then on the client's IP and MAC addresses are bound together. Note that this trusts the first MAC seen
in the ARP table: whoever holds the client's IP address at that moment is the one that gets bound to it.
If automatic loading of the MAC address needs to be switched off for a particular client, enter "-" (hyphen) as the
MAC address. That client's IP address will then not be fixed to a MAC. This is useful, for example, when two computers
(notebooks) alternate on the same IP address.
Automatic loading of MAC addresses can be switched off for all users by the global system variable
"macfilter_getusermac" in the menu "Settings / System. Settings / General".
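The following is an added example, not ISPadmin code, of the /ip firewall filter rules described in the sections on the firewall, the default firewall and the MAC filter above: per-client accept rules in the "both" / "src" / "dst" mode of mikrotik_fw_drop, the MAC binding (with "-" meaning "do not bind" and an unknown MAC meaning "not learned yet"), the validation of mikrotik_default_fw, and the closing FORWARD DROP for the subnet. The function names, the dict layout of a client, the comment values "ispadmin_<ID>" and "ispadmin_drop_src"/"ispadmin_drop_dst", and the client data are assumptions or constructed for the example.

```python
import ipaddress

DEFAULT_FW_PREFIX = "/ip firewall filter add"


def validate_default_fw(text):
    """mikrotik_default_fw: only lines starting with '/ip firewall filter add' are kept,
    everything else is ignored, so a stray /ip firewall nat line cannot sneak in."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith(DEFAULT_FW_PREFIX)]


def client_rules(cid, ip, mac=None, mode="both"):
    """Accept rules for one client. mode is the mikrotik_fw_drop type: 'both' (SRC and DST,
    the default), 'src' or 'dst'. With the MAC filter on, the rule for packets from the client
    also requires its MAC: mac None means 'not learned yet' (allowed by IP until the ARP table
    supplies it) and mac '-' means 'never bind this IP to a MAC' (the hyphen convention)."""
    if mode not in ("both", "src", "dst"):
        raise ValueError(f"unknown mikrotik_fw_drop type {mode!r}")
    comment = f'comment="ispadmin_{cid}"'  # assumed: the comment carries the client ID
    rules = []
    if mode in ("both", "src"):
        mac_match = f" src-mac-address={mac}" if mac and mac != "-" else ""
        rules.append(f"{DEFAULT_FW_PREFIX} chain=forward src-address={ip}{mac_match} action=accept {comment}")
    if mode in ("both", "dst"):
        rules.append(f"{DEFAULT_FW_PREFIX} chain=forward dst-address={ip} action=accept {comment}")
    return rules


def segment_rules(subnet, clients, mode="both", mac_filter=False, default_fw=""):
    """Rules for one segment in the order the text gives: default firewall first, then the
    accepts for every registered client, then FORWARD DROP for the whole subnet so that an
    address missing from the system is blocked. The drop mirrors the SRC/DST mode: with
    'src' only the src-address drop is written, otherwise download to every client would die."""
    net = ipaddress.ip_network(subnet)
    rules = validate_default_fw(default_fw)
    for c in clients:  # c is an assumed dict: {"id": ..., "ip": ..., "mac": ... (optional)}
        if ipaddress.ip_address(c["ip"]) not in net:
            raise ValueError(f"{c['ip']} is not inside the 'IP address for WiFi users' subnet {subnet}")
        rules += client_rules(c["id"], c["ip"], c.get("mac") if mac_filter else None, mode)
    if mode in ("both", "src"):
        rules.append(f'{DEFAULT_FW_PREFIX} chain=forward src-address={subnet} action=drop comment="ispadmin_drop_src"')
    if mode in ("both", "dst"):
        rules.append(f'{DEFAULT_FW_PREFIX} chain=forward dst-address={subnet} action=drop comment="ispadmin_drop_dst"')
    return rules


if __name__ == "__main__":
    # constructed sample: one client with a learned MAC, one not yet learned, one never bound
    segment = segment_rules(
        "10.0.0.0/24",
        [{"id": 7837, "ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},
         {"id": 7838, "ip": "10.0.0.6"},
         {"id": 7839, "ip": "10.0.0.7", "mac": "-"}],
        mode="both", mac_filter=True,
        default_fw='/ip firewall filter add chain=forward protocol=tcp dst-port=445 action=drop comment="netbios"\n'
                   '/ip firewall nat add chain=srcnat action=masquerade\n')
    print("\n".join(segment))
```

Running the block prints the segment's rule set; the /ip firewall nat line in the sample default firewall is dropped by validate_default_fw, and the three clients show the three MAC states.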
QT and enrolling to the router
General
The system writes tariffs into the QT according to set rules. Simple Queues (SQ) are not supported because they do
not allow the same parameters as the QT. Before writing into the QT, the system multiplies the speed specified in the tariff
by the value "rate_exponent". This value can be set in the menu "Settings / System. Settings / General". The rate_exponent
value determines the speed the client actually receives. The default rate_exponent is 1.2, so for a 1024 Kbps tariff the
speed written into the QT is 1228 Kbps. This increase covers the protocol overhead and any packet loss that may occur on
WiFi. The customer is satisfied, because they mostly reach a higher speed than is specified in the contract. It is
sometimes impossible to explain to a customer that a 128 Kbps line never shows a download speed of 128 Kbps in IE because
of protocol overhead.
In the menu "Settings / Tariffs" all tariff parameters can be set, such as connection speed, line type, burst,
aggregation, etc.
Setting global-in, global-out
For each router you can select in the popup menu "Queue type tree" where the QT will be processed: "global-in" or
"global-out". This is ESSENTIAL for the proper functioning of the router. To understand it, carefully study the packet flow
diagram at http://www.mikrotik.com/testdocs/ros/2.9/img/packet_flow31.jpg . If QoS is implemented on a central router, this
option is inactive, because the setting is governed by the mangle on the central router. To change the setting on a router
(for example from global-in to global-out), first completely delete the QT and mangle entries and set them up again under
the new setting. This cleans all the tables, so that the rules are not written into the MK incorrectly. (The names global-in
and global-out are those of RouterOS 2.9 to 5.x, which the diagram describes; RouterOS 6 merged them into a single "global"
parent.)
The various options are:
global-out
- The default setting of a router.
- Packets towards the client (dst-address = client) are marked in mangle in POSTROUTING.
- Packets from the client (src-address = client) are marked in mangle in PREROUTING.
- This setting is used when NAT runs on the router. Packets are marked correctly, because in POSTROUTING the router
already sees the client's own address and not the public pre-NAT address.
- The disadvantage is that each packet must pass through the whole firewall, which INCREASES the load on the router. If
the router also performs NAT, however, this is the only way to apply QoS to the client and limit the data flow.
global-in
- Packets towards the client (dst-address = client) as well as packets from the client (src-address = client) are marked in
mangle in PREROUTING.
- Using global-in REDUCES the load on the router.
- This option cannot be used if the router also performs NAT. The client's download would then not be limited, because
packets towards the client enter the FW before NAT (still with the public address), are not marked correctly, and are not
handled by the QUEUE TREE.
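An added example, not ISPadmin code, of the mangle rules that the global-out and global-in settings above imply: the download mark goes into POSTROUTING under global-out and into PREROUTING under global-in, the upload mark always into PREROUTING, every address or range of the client gets the same mark, and the combination global-in plus NAT is refused instead of silently leaving the download unlimited. The _down/_up suffix on the packet mark, the passthrough=no setting and the function name are assumptions; the text only says the mark begins with ispadmin_<ID>.

```python
MANGLE = "/ip firewall mangle add"


def mangle_rules(cid, addresses, tree="global-out", router_does_nat=False):
    """Two mark rules per client address.
    global-out: download (dst-address=client) is marked in POSTROUTING, where dst-NAT has
    already put the client's private address back; upload (src-address=client) in PREROUTING.
    global-in: both in PREROUTING, cheaper, but on a NAT router the download packets still
    carry the public address there and would never match, so that combination is an error."""
    if tree not in ("global-in", "global-out"):
        raise ValueError(f"unknown queue tree type {tree!r}")
    if tree == "global-in" and router_does_nat:
        raise ValueError("global-in on a router that also performs NAT: download would not be marked, use global-out")
    down_chain = "postrouting" if tree == "global-out" else "prerouting"
    mark = f"ispadmin_{cid}"
    rules = []
    for addr in addresses:  # a client with several addresses/ranges gets the same mark for all of them
        rules.append(f"{MANGLE} chain={down_chain} dst-address={addr} action=mark-packet "
                     f"new-packet-mark={mark}_down passthrough=no comment=\"{mark}\"")
        rules.append(f"{MANGLE} chain=prerouting src-address={addr} action=mark-packet "
                     f"new-packet-mark={mark}_up passthrough=no comment=\"{mark}\"")
    return rules


if __name__ == "__main__":
    # constructed sample: client 7837 with one host address and one extra range
    print("\n".join(mangle_rules(7837, ["10.0.0.5", "10.0.1.0/24"], tree="global-out", router_does_nat=True)))
```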
Local and central shaping
For each router (in "Routers"), for the Mikrotik type, the popup menu "implement QoS on the router" selects the router on
which shaping is carried out. If "local" is selected, QoS is performed directly on the router. If another router is selected,
shaping is performed on that router instead of the client's own router. If shaping is set to another router (not local), the
router's header displays a comment that the clients on this router are shaped on a different router. When adding or editing
the Internet service of a client shaped on another router, the router selection shows a comment naming the router that
implements the shaping.
Local shaping has the advantage that the client is limited at the nearest access point, which reduces the overall load on
the shaper; each access point limits only a few clients. The disadvantage appears with aggregated tariffs: if, for example,
an access point has 3 clients with a 1:10 aggregated tariff, the aggregation cannot technically be provided with so few
clients. Then it is better to use central shaping, where one router shapes the clients of, for example, 5 APs (for example,
within a town). This one router serves more clients and the aggregation becomes applicable. The disadvantage of central
shaping is the need for more powerful hardware capable of shaping a larger number of clients.

Setting queue-type
The queue type the Mikrotik router uses for data streams must be set correctly; it is essential for proper function and a
good-quality connection. It is set in the menu "Queues / Queue type".
The types of queues are:
PFIFO - Packet First In First Out
pfifo and bfifo send packets in the order they arrive: the packet that came first leaves first. This queue type is not
appropriate for shaping, because it cannot provide meaningful shaping; it leads to congestion, high latency etc.
This type of queue is set as default and needs to be changed.
SFQ - Stochastic Fair Queuing
It is a simple algorithm that ensures fair use of the line among all active streams. It does not share fairly among users
or programs, but, for example, among different TCP connections.
It creates several queues into which individual TCP connections and UDP streams are divided based on a hash function. These
queues are served in round-robin order. Each stream thus gets its turn, and one long stream cannot take most of the line
capacity. The hash function changes over time so that collisions are resolved (two streams in the same queue will not stay
there long).
RED - Random Early Detection
It is designed for busy backbone links. Based on statistics it reduces the load by discarding packets before the line
becomes congested. The closer the traffic is to the maximum, the more packets are dropped. This algorithm does not
provide any shaping and treats all current flows alike. On busy machines it has low computational demands and maintains
the highest possible throughput and the lowest line delay.
PCQ - Per Connection Queue
It makes it easier to limit a larger number of individual (non-shared) lines.
Tariffs FULL DUPLEX (FD)
In this case a simple QT is set in which upload and download are limited separately. With a tariff of e.g. 1024/512, the
client can download at 1024 Kbps and at the same time send at 512 Kbps (a total of 1.5 Mbps).
Tariffs HALF DUPLEX (HD)
With this tariff, upload and download are limited together. Both QTs are placed under a parent QT, which ensures that the
client can download 1024 Kbps and upload 512 Kbps separately, but if the client downloads and sends at the same time, the
total does not exceed 1024 Kbps. The advantage is that when the customer runs a speed test, which tests download and upload
separately, everything is OK. However, if the client starts downloading and also uploading (a torrent, for example), the
total rate does not exceed 1024 Kbps.
For this tariff type the download QT (in our case ispadmin_7837_down) has its limit set to "0". That is fine, because the
parent QT "ispadmin__7837" limits the speed. This saves router CPU, since the limiting is done by one parent QT only. The
parent QT speed is the same as the download speed, so download does not need to be limited separately. With a line speed
of 1024/1024 the speed "0" is likewise set for the QT ispadmin_7837_down. A QT with speed zero is not technically necessary,
but it is entered in order to count data and create graphs and statistics.
Shared (aggregated) HD line
When using aggregated lines a top-level line must be set, which is calculated by the formula
Total aggregate line = (Download * number of clients) / aggregation
Example in practice: for a 1:10 aggregated 1024/512 line with 20 clients, the total line is calculated as follows:
(1024 * 20) / 10 = 2 Mbps
The Mikrotik therefore has a base line of 2 Mbps, in which all clients with this aggregation are included. The total speed
of the aggregation group is set dynamically according to the current number of clients: if the aggregation group contains
40 clients, the total group speed will be 4 Mbps. Each client in the aggregation group is limited to a maximum of 1024/512,
so no client exceeds 1024/512 in upload and download combined (as in the classical HD tariff), while all these clients
together do not exceed 2 Mbps (again upload and download combined).
Our example shows the QT of a shared HD tariff: a 1024/512 Kbps tariff with 1:2 aggregation. The top-level line
"shared_629" is calculated by the formula above. Under it are placed 3 users, each limited to 1024/512, and each with a
per-client parent (e.g. Test_user1__7837) that limits download + upload together to 1024 Kbps.
Shared line FD
If the aggregated line is of the FD type, the aggregation group is split into download and upload. The speed is calculated
for each direction separately. For an aggregated FD 1024/512 line with 1:10 aggregation and 20 clients, the following speeds
are calculated:
download = (1024 * 20) / 10 = 2 Mbps
upload = (512 * 20) / 10 = 1 Mbps
An aggregation group is therefore set up separately for download (2 Mbit) and for upload (1 Mbit). The download and upload
of all clients in the aggregation group are included in these two groups.
The example shows a shared FD tariff of 1024/512 Kbps with 1:2 aggregation. The top line is calculated separately for
download (shared_629_down) and upload (shared_629_up). The download and upload of all clients with this tariff are included
in these two lines separately.
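An added example, not ISPadmin code, that builds the queue tree described in the sections above (rate_exponent, FD and HD tariffs, shared HD and shared FD lines). The entry names follow the examples in the text (ispadmin_<ID>_down, Test_user1__7837, shared_629); the Tariff/Client/QueueEntry classes, the _down/_up packet marks, the comment "ispadmin_<name>", applying rate_exponent to per-client limits but the text's plain formula to the group lines, and the sample clients are assumptions or constructed for the example.

```python
from dataclasses import dataclass

RATE_EXPONENT = 1.2  # default "rate_exponent" from the text


@dataclass
class Tariff:
    tid: int
    down: int             # contract speed, Kbps
    up: int
    duplex: str           # "FD" or "HD"
    aggregation: int = 1  # 1 = 1:1 (no sharing), 10 = 1:10


@dataclass
class Client:
    cid: int
    name: str
    tariff: Tariff


@dataclass
class QueueEntry:
    name: str
    parent: str
    max_limit: int         # Kbps written into the QT; 0 = no own limit, the parent limits
    packet_mark: str = ""  # leaves only; the _down/_up suffix is an assumption of this example


def shaped(kbps, rate_exponent=RATE_EXPONENT):
    """Speed actually written into the QT: contract speed * rate_exponent, whole Kbps (1024 -> 1228)."""
    return int(kbps * rate_exponent)


def group_limit(kbps, n_clients, aggregation):
    """Top line of an aggregation group, the text's formula: (speed * number of clients) / aggregation.
    Recomputed whenever the group's size changes (20 clients at 1:10 -> 2048, 40 -> 4096)."""
    return kbps * n_clients // aggregation


def client_entries(c, parent_down, parent_up, parent_hd):
    """Entries for one client. FD: two independent leaves. HD: a parent limited to the download
    speed with both leaves under it; the download leaf gets 0 so that only the parent limits,
    the upload leaf keeps its own limit."""
    t, mark = c.tariff, f"ispadmin_{c.cid}"
    down = QueueEntry(f"{mark}_down", parent_down, shaped(t.down), f"{mark}_down")
    up = QueueEntry(f"{mark}_up", parent_up, shaped(t.up), f"{mark}_up")
    if t.duplex == "FD":
        return [down, up]
    hd = QueueEntry(f"{c.name}__{c.cid}", parent_hd, shaped(t.down))
    down.parent = up.parent = hd.name
    down.max_limit = 0
    return [hd, down, up]


def build_tree(clients, tree="global-out"):
    """Tree for one router. 1:1 clients hang directly from `tree`; an aggregated tariff gets a
    shared_<tariff id> group (HD) or shared_<tariff id>_down/_up groups (FD) sized by
    group_limit(), and the clients under them stay capped at their own tariff."""
    by_tariff = {}
    for c in clients:
        by_tariff.setdefault(c.tariff.tid, []).append(c)
    entries = []
    for tid, group in by_tariff.items():
        t, n = group[0].tariff, len(group)
        if t.aggregation == 1:
            for c in group:
                entries += client_entries(c, tree, tree, tree)
        elif t.duplex == "HD":
            shared = QueueEntry(f"shared_{tid}", tree, group_limit(t.down, n, t.aggregation))
            entries.append(shared)
            for c in group:
                entries += client_entries(c, shared.name, shared.name, shared.name)
        else:
            sd = QueueEntry(f"shared_{tid}_down", tree, group_limit(t.down, n, t.aggregation))
            su = QueueEntry(f"shared_{tid}_up", tree, group_limit(t.up, n, t.aggregation))
            entries += [sd, su]
            for c in group:
                entries += client_entries(c, sd.name, su.name, sd.name)
    return entries


def to_routeros(entries):
    """Render as /queue tree commands; the ispadmin_ comment marks the entry as managed."""
    cmds = []
    for e in entries:
        limit = f"{e.max_limit}k" if e.max_limit else "0"
        cmd = f'/queue tree add name="{e.name}" parent={e.parent} max-limit={limit}'
        if e.packet_mark:
            cmd += f" packet-mark={e.packet_mark}"
        cmds.append(cmd + f' comment="ispadmin_{e.name}"')
    return cmds


if __name__ == "__main__":
    # constructed sample: the 3 clients of a shared HD 1024/512 line with 1:2 aggregation
    shared_hd = Tariff(629, 1024, 512, "HD", 2)
    demo = [Client(7837 + i, f"Test_user{i + 1}", shared_hd) for i in range(3)]
    print("\n".join(to_routeros(build_tree(demo))))
```

For the sample the group line comes out as (1024 * 3) / 2 = 1536 Kbps, each client's parent as 1228 Kbps (1024 * 1.2), its download leaf as 0 and its upload leaf as 614 Kbps.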
Inclusion of clients in a special QT
In some cases clients need to be included in a special QT, for example when the traffic on the router is split into 3
groups, each group representing one connection (e.g. to other villages), and each connection has a defined capacity
(e.g. 2 Mbit).
In this case a special QT must be created manually on the Mikrotik for each group, with the appropriate speed and the
other QT parameters. Because every provider has different requirements, and a deeper nested QT structure may be needed,
this cannot be generated automatically.
On the MK a named QT is required (its name is entered into the system). If the QT is to be named, for example, VIP, the
following must be created on the MK:
VIP - clients with an HD tariff (upload and download shared) are placed in this QT
VIP_IN - the download of clients with an FD tariff is placed in this QT
VIP_OUT - the upload of clients with an FD tariff is placed in this QT
In the example two groups are created for clients, users and VIP. For each group the speed parameters are set as needed:
the overall group speed and the group speeds for download and upload. Additional restrictions, such as limits on P2P
networks or on the number of connections, can also be applied.
The whole tree can be built as necessary. Only the end branches of the tree, into which the clients are placed, are of
interest; in our case these are VIP, VIP_IN and VIP_OUT. It does not matter at what level of the tree the end branch is
located.
Now ISPadmin must be told that the special VIP QT exists. This is set on the router (Routers tab) under the "Queue tree"
tab, where the special QT "VIP" must be added. VIP_IN and VIP_OUT need not be entered; their existence is assumed when the
VIP QT is entered. If the QTs VIP_IN and VIP_OUT do not exist on the MK, clients with an FD tariff are placed in the QT
"global-out" outside this tree.
Click the router's "Test connection" icon to test that the QTs are set up correctly.
If the router is configured correctly and the QT "test" passes, a special QT placement can be set for each client. This
classification is done when entering or editing the Internet service on the client card. When adding or editing the
Internet tariff, another popup menu "Queue tree" appears (in the case of 1:1 aggregation) where the appropriate QT can be
chosen for the client. QT selection is possible only with 1:1 aggregation; otherwise the special QT choice does not appear.
This is because a client included in an aggregated (shared) tariff cannot also be included in a special QT: the client
cannot belong to the aggregated line and at the same time be included in the special QT. A client's packet cannot be
mangled twice. A packet can carry only one packet mark and can therefore logically belong to only one line (shared or
special).
If client Test_user1 is assigned to the QT VIP, it is entered on the Mikrotik as follows:
All clients have the tariff 1024/512 with 1:1 aggregation and an FD tariff. Clients Test_user1 and Test_user2 are included
in the QT VIP; client Test_user3 is included in "global-out" as usual, since it has no QT. Because the tariff is FD, the
clients' download and upload are divided into VIP_IN and VIP_OUT.
If the tariff is HD, clients are assigned as follows:
Clients Test_user1 and Test_user2 are included in VIP, not in the QTs VIP_IN and VIP_OUT, because the tariff is HD. All
clients are set to a classical HD tariff, in which download and upload are limited by the parent QT (e.g. Test_user1__7837).
Client Test_user3 is included in "global-out".
The above procedures can be combined as needed. In our example, clients Test_user1 and Test_user2 have an FD tariff with
1:1 aggregation and the speed 1024/512. Client Test_user3 has a 256/256 HD tariff and is included in the QT VIP.
preffered_queue
In some cases all clients need to be placed in a QT, for example when the overall speed of the line must be limited. Each
client could be placed in the QT in the way described above, but this is laborious and prone to errors: a client that is not
attached to a QT is automatically included in global-out. For this reason the key preffered_queue in the menu "Settings /
System. Settings / Mikrotik" can be set to a QT in which all clients are automatically included, unless they are explicitly
placed in another QT in the way described above.
Again, if preffered_queue is set to "VIP", the router must have the QTs VIP, VIP_IN and VIP_OUT.
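An added example, not ISPadmin code, of the decision described in the special-QT and preffered_queue sections above: which parent a client's queues attach to, given the client's own special QT, the router-wide preffered_queue, the aggregation of its tariff and the QTs that actually exist on the router. The VIP / VIP_IN / VIP_OUT convention and the fall-back to global-out when _IN/_OUT are missing are from the text; the function name, the return shape, the error for an aggregated client with a special QT and the sample QT set are assumptions or constructed.

```python
def queue_parents(tree_type, existing_qts, special=None, preferred=None, aggregation=1):
    """Return (parent for an HD client, parent for FD download, parent for FD upload), or None
    when the client belongs to an aggregated tariff and must go under its shared_ group instead.
    A client's own special QT wins over the router-wide preferred queue; both need 1:1 aggregation.
    If <QT>_IN / <QT>_OUT do not exist on the router, FD clients fall back to the tree root
    (global-out in the text) while HD clients still use <QT>."""
    if aggregation != 1:
        if special:
            raise ValueError("a client on an aggregated (shared) tariff cannot be placed in a special QT")
        return None
    qt = special or preferred
    if not qt:
        return (tree_type, tree_type, tree_type)
    if qt not in existing_qts:
        raise ValueError(f"QT {qt!r} does not exist on the router; check it with 'Test connection'")
    fd_in, fd_out = f"{qt}_IN", f"{qt}_OUT"
    if fd_in not in existing_qts or fd_out not in existing_qts:
        return (qt, tree_type, tree_type)
    return (qt, fd_in, fd_out)


if __name__ == "__main__":
    # constructed sample: a router with the VIP tree from the text and a 'users' QT without _IN/_OUT
    on_router = {"VIP", "VIP_IN", "VIP_OUT", "users"}
    print(queue_parents("global-out", on_router, special="VIP"))
    print(queue_parents("global-out", on_router, preferred="users"))
    print(queue_parents("global-out", on_router, preferred="VIP", aggregation=10))
```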
Control from the command line
The configuration update runs every 5 minutes. If nothing has changed for a router (a client's tariff, the router's
settings, etc.), the configuration of that router is not updated. During an update only the changes are transmitted, not
the full configuration: the system retrieves the current configuration from the Mikrotik, compares it with the
configuration that should be on the router, and transfers the differences. This minimizes the number of entries written to
the router.
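An added example, not ISPadmin code, of the "differences only" update described both in the section on SSH transfer near the start of the page and in the paragraph above. It keys every entry on its ispadmin_ comment, so foreign rules on the router are never removed, sends nothing for a client whose rules are unchanged, and handles two things a naive set difference gets wrong: "remove [find comment=...]" takes every rule with that comment, so a changed client is removed and re-added as a whole, and an accept appended after the segment's final drop rule would never match, so new rules are placed before it. The rule strings, the parsing by regular expression and shlex, the function names and the sample router state are assumptions or constructed; ISPadmin's own parser and SSH transport are not shown.

```python
import re
import shlex

OWN_PREFIX = "ispadmin_"
_COMMENT = re.compile(r'comment="([^"]*)"')


def owned(rule):
    """True for entries ISPadmin manages (comment begins with ispadmin_); anything else on the
    router is foreign and is never removed or rewritten."""
    m = _COMMENT.search(rule)
    return bool(m) and m.group(1).startswith(OWN_PREFIX)


def normalize(rule):
    """Compare rules by their key=value pairs, whatever order export shows them in."""
    return tuple(sorted(shlex.split(rule)))


def _by_comment(rules):
    groups = {}
    for r in rules:
        m = _COMMENT.search(r)
        if not m or not m.group(1).startswith(OWN_PREFIX):
            raise ValueError(f"desired rule lacks an ispadmin_ comment and could never be updated later: {r}")
        groups.setdefault(m.group(1), {})[normalize(r)] = r
    return groups


def diff(current, desired, table="/ip firewall filter", before=None):
    """Commands that bring `current` (what the router reported) to `desired`. Unchanged groups
    produce nothing, which is what keeps flash writes down. `before` is the comment of the
    final drop rule; new rules are placed before it instead of being appended behind it."""
    cur = _by_comment(r for r in current if owned(r))
    want = _by_comment(desired)
    cmds = []
    for c in sorted(set(cur) | set(want)):
        if cur.get(c, {}).keys() == want.get(c, {}).keys():
            continue  # this client's rules are already right on the router
        if c in cur:
            cmds.append(f'{table} remove [find comment="{c}"]')
        for rule in want.get(c, {}).values():
            place = f' place-before=[find comment="{before}"]' if before and c != before else ""
            cmds.append(f"{table} {rule}{place}")
    return cmds


# constructed sample: rules as the router reports them (relative to the table)
ROUTER_RULES = [
    'add chain=forward src-address=10.0.0.5 action=accept comment="ispadmin_1"',
    'add chain=forward dst-address=10.0.0.5 action=accept comment="ispadmin_1"',
    'add chain=forward src-address=10.0.0.6 action=accept comment="ispadmin_2"',
    'add chain=forward dst-address=10.0.0.6 action=accept comment="ispadmin_2"',
    'add chain=forward protocol=tcp dst-port=22 action=accept comment="admin ssh, keep"',
    'add chain=forward src-address=10.0.0.0/24 action=drop comment="ispadmin_drop_src"',
]
# constructed sample: what the system wants; client 2 moved to 10.0.0.7 and got a MAC binding
WANTED_RULES = [
    'add chain=forward src-address=10.0.0.5 action=accept comment="ispadmin_1"',
    'add chain=forward dst-address=10.0.0.5 action=accept comment="ispadmin_1"',
    'add chain=forward src-address=10.0.0.7 src-mac-address=aa:bb:cc:dd:ee:ff action=accept comment="ispadmin_2"',
    'add chain=forward dst-address=10.0.0.7 action=accept comment="ispadmin_2"',
    'add chain=forward src-address=10.0.0.0/24 action=drop comment="ispadmin_drop_src"',
]

if __name__ == "__main__":
    print("\n".join(diff(ROUTER_RULES, WANTED_RULES, before="ispadmin_drop_src")))
```

For the sample only three commands are sent: the removal of client 2's old pair and the two new accepts placed before the drop; client 1, the drop rule and the foreign SSH rule are not touched.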
If the configuration needs to be updated immediately (not within 5 minutes), it can be done from the command line by
running
/usr/local/script/ispadmin/update_conf.pl
If you run the update without any parameters, it prints help with a list of routers, including their IDs.
Usage:
/usr/local/script/ispadmin/update_conf.pl auto - automatic mode according to the state of the system
/usr/local/script/ispadmin/update_conf.pl gendocsis - generates new files for all DOCSIS modems
/usr/local/script/ispadmin/update_conf.pl gendocsis <router ID> - generates new DOCSIS files for the router with the given
ID
/usr/local/script/ispadmin/update_conf.pl reload all - configuration upload to all routers
/usr/local/script/ispadmin/update_conf.pl reload <router ID> - configuration upload to the router with the given ID
/usr/local/script/ispadmin/update_conf.pl reload <router ID> force - "hard" configuration upload to the router with the
given ID
The available routers:
ID    IP               state    status    router DHCP    Name
---------------------------------------------------------------
91    88.103.224.215   online   stopped                  home
101   10.0.0.1         online   stopped                  mk1
If I need to update router 91 (its internal unique router number), I run the command
/usr/local/script/ispadmin/update_conf.pl reload 91
The result looks as follows:
16.2.2009 13:24:30 system Update router 91, IP 88.146.172.90, home
16.2.2009 13:24:30 home --- Set router home, IP 88.146.172.90, ID 91
16.2.2009 13:24:30 home --- Checking for new network interfaces on home
16.2.2009 13:24:30 home --- Retrieving data from the router
16.2.2009 13:24:32 home --- Setting client limits
16.2.2009 13:24:32 home --- Updating the configuration of the router 1/2 (3360 b - 10 rows)
16.2.2009 13:24:32 home --- Updating the configuration of the router 2/2 (360 b - 2 rows)
16.2.2009 13:24:32 home --- Checking QTREE dependencies
16.2.2009 13:24:33 home --- Update router 91, IP 88.146.172.90, home completed
