Sunday, 17 August 2008

mikrotik

General Information

Summary

Bandwidth Control is a set of mechanisms that control data rate allocation, delay variability, timely delivery, and delivery reliability. The MikroTik RouterOS supports the following queuing disciplines:
PFIFO - Packets First-In First-Out
BFIFO - Bytes First-In First-Out
SFQ - Stochastic Fairness Queuing
RED - Random Early Detect
PCQ - Per Connection Queue
HTB - Hierarchical Token Bucket

Specifications

Packages required: system
License required: Level1 (limited to 1 queue), Level3
Submenu level: /queue
Standards and Technologies: None
Hardware usage: significant
Related Documents
Software Package Management
IP Addresses and ARP
Mangle

Description

Quality of Service (QoS) means that the router should prioritize and shape network traffic. QoS is not so much about limiting, it is more about providing quality. Some features of the MikroTik RouterOS Bandwidth Control mechanism are listed below:
limit data rate for certain IP addresses, subnets, protocols, ports, and other parameters
limit peer-to-peer traffic
prioritize some packet flows over others
use queue bursts for faster WEB browsing
apply queues on fixed time intervals
share available traffic among users equally, or depending on the load of the channel

The queuing is applied on packets leaving the router through a real interface (i.e., the queues are applied on the outgoing interface, regarding the traffic flow), or any of the 3 additional virtual interfaces (global-in, global-out, global-total).

The QoS is performed by means of dropping packets. In case of TCP protocol, the dropped packets will be resent so there is no need to worry that with shaping we lose some TCP information.

The main terms used to describe the level of QoS for network applications, are:
queuing discipline (qdisc) - an algorithm that holds and maintains a queue of packets. It specifies the order of the outgoing packets (it means that queuing discipline can reorder packets) and which packets to drop if there is no space for them
CIR (Committed Information Rate) - the guaranteed data rate. It means that traffic at a rate not exceeding this value should always be delivered
MIR (Maximal Information Rate) - the maximal data rate router will provide
Priority - the order of importance in which traffic will be processed. You can give priority to some traffic so that it is handled before some other traffic
Contention Ratio - the ratio to which the defined data rate is shared among users (when data rate is allocated to a number of subscribers). It is the number of subscribers that have a single speed limitation, applied to all of them together. For example, the contention ratio of 1:4 means that the allocated data rate may be shared between no more than 4 users

Before sending data over an interface, it is processed with a queuing discipline. By default, queuing disciplines are set under /queue interface for each physical interface (there is no default queuing discipline for virtual interfaces). Once we add a queue (in /queue tree) to a physical interface, the interface default queue, defined in /queue interface, for that particular interface gets ignored. It means - when a packet does not match any filter, it is sent through the interface with the highest priority.

Scheduler and Shaper qdiscs

We can classify queuing disciplines by their influence to packet flow:
schedulers - queuing disciplines only reschedule packets regarding their algorithm and drop packets which ‘do not fit in the queue’. Scheduler queuing disciplines are: PFIFO, BFIFO, SFQ, PCQ, RED
shapers - queuing disciplines that also perform the limitation. Shapers are PCQ and HTB

Virtual Interfaces

There are 3 virtual interfaces in RouterOS, in addition to real interfaces:
global-in - represents all the input interfaces in general (INGRESS queue). Please note that queues attached to global-in apply to traffic that is received by the router, before the packet filtering. global-in queueing is executed just after mangle and dst-nat
global-out - represents all the output interfaces in general. Queues attached to it apply before the ones attached to a specific interface
global-total - represents a virtual interface through which all the data, going through the router, is passing. When attaching a qdisc to global-total, the limitation is done in both directions. For example, if we set a total-max-limit to 256000, we will get upload+download=256kbps (maximum)

Introduction to HTB

HTB (Hierarchical Token Bucket) is a classful queuing discipline that is useful for applying different handling for different kinds of traffic. Generally, we can set only one queue for an interface, but in RouterOS queues are attached to the main Hierarchical Token Bucket (HTB) and thus have some properties derived from that parent queue. For example, we can set a maximum data rate for a workgroup and then distribute that amount of traffic between the members of that workgroup.

HTB qdisc in detail:



HTB terms:
queuing discipline (qdisc) - an algorithm that holds and maintains a queue of packets. It specifies the order of the outgoing packets (it means that queuing discipline can reorder packets). Qdisc also decides which packets to drop if there is no space for them
filter - a procedure that classifies packets. The filter is responsible for classifying packets so that they are put in the corresponding qdiscs
level - position of a class in the hierarchy
inner class - a class that has one or more child-classes attached to it. Inner classes do not store any packets, but they do traffic shaping. The class also does not have its own priority
leaf class - a class that has a parent but does not have any child-classes. Leaf classes are always located at level 0 of the hierarchy. Each leaf class has a qdisc, attached to it
self feed - an object that represents the exit for the packets from all the classes active at its level of the hierarchy. It consists of 8 self slots
self slot - an element of a self feed that corresponds to each particular priority. All classes, active at the same level, of one priority are attached to one self slot that they are using to send packets out through
active class (at a particular level) - a class that is attached to a self slot at the given level
inner feed - similar to self feed object, which consists of inner self slots, present on each inner class
inner feed slot - similar to self slot. Each inner feed consists of inner slots which represent a priority

Each class has a parent and may have one or more children. Classes that do not have children, are put at level 0, where queues are maintained, and are called ‘leaf classes’

Each class in the hierarchy can prioritize and shape traffic. There are 2 main parameters in RouterOS which refer to shaping and one - to prioritizing:
limit-at - data rate that is guaranteed to a class (CIR)
max-limit - maximal data rate that is allowed for a class to reach (MIR)
priority - order in which classes are served at the same level (8 is the lowest priority, 1 is the highest)

Each HTB class can be in one of 3 states, depending on data rate that it consumes:
green - a class the actual rate of which is equal or less than limit-at. At this state, the class is attached to self slot at the corresponding priority at its level, and is allowed to satisfy its limit-at limitation regardless of what limitations its parents have. For example, if we have a leaf class with limit-at=512000 and its parent has max-limit=limit-at=128000, the class will get its 512kbps!
yellow - a class the actual rate of which is greater than limit-at and equal or less than max-limit. At this state, the class is attached to the inner slot of the corresponding priority of its parent’s inner feed, which, in turn, may be attached to either its parent’s inner slot of the same priority (in case the parent is also yellow), or to its own level self slot of the same priority (in case the parent is green). Upon the transition to this state, the class ‘disconnects’ from self feed of its level, and ‘connects’ to its parent’s inner feed
red - a class the actual rate of which exceeds max-limit. This class cannot borrow rate from its parent class

Priorities

When a leaf class wants to send some traffic (as they are the only classes that hold packets), HTB checks its priority. It will begin with the highest priority and the lowest level and proceed until the lowest priority at highest level is reached:



As you can see from the picture, leaf-classes which are at the green state, will always have a higher priority than those which are borrowing because their priority is at a lower level (level0). In this picture, Leaf1 will be served only after Leaf2, although it has a higher priority (7) than Leaf1 (8).

In case of equal priorities and equal states, HTB serves these classes, using round robin algorithm.

HTB Examples

Here are some examples on how the HTB works.

Imagine the following scenario - we have 3 different kinds of traffic, marked in /ip firewall mangle (packet_mark1, packet_mark2 and packet_mark3), and have now built an HTB hierarchy:

[admin@MikroTik] queue tree> add name=ClassA parent=Local max-limit=2048000
[admin@MikroTik] queue tree> add name=ClassB parent=ClassA max-limit=1024000
[admin@MikroTik] queue tree> add name=Leaf1 parent=ClassA max-limit=2048000 \
\... limit-at=1024000 packet-mark=packet_mark1 priority=8
[admin@MikroTik] queue tree> add name=Leaf2 parent=ClassB max-limit=1024000 \
\... limit-at=256000 packet-mark=packet_mark2 priority=7
[admin@MikroTik] queue tree> add name=Leaf3 parent=ClassB max-limit=1024000 \
\... limit-at=768000 packet-mark=packet_mark3 priority=8
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid
0 name="ClassA" parent=Local packet-mark="" limit-at=0 queue=default
priority=8 max-limit=2048000 burst-limit=0 burst-threshold=0
burst-time=0s

1 name="ClassB" parent=ClassA packet-mark="" limit-at=0 queue=default
priority=8 max-limit=1024000 burst-limit=0 burst-threshold=0
burst-time=0s

2 name="Leaf1" parent=ClassA packet-mark=packet_mark1 limit-at=1024000
queue=default priority=8 max-limit=2048000 burst-limit=0
burst-threshold=0 burst-time=0s

3 name="Leaf2" parent=ClassB packet-mark=packet_mark2 limit-at=256000
queue=default priority=7 max-limit=1024000 burst-limit=0
burst-threshold=0 burst-time=0s

4 name="Leaf3" parent=ClassB packet-mark=packet_mark3 limit-at=768000
queue=default priority=8 max-limit=1024000 burst-limit=0
burst-threshold=0 burst-time=0s
[admin@MikroTik] queue tree>
Now let us describe some scenarios, using this HTB hierarchy.
Imagine a situation where packets have arrived at Leaf1 and Leaf2. Because of this, Leaf1 attaches itself to this level's (Level 0) self slot with priority=8 and Leaf2 attaches to the self slot with priority=7. Leaf3 has nothing to send, so it does nothing. This is a simple situation: there are active classes (Leaf1 and Leaf2) at Level 0, and as they both are in the green state, they are processed in order of their priorities - at first we serve Leaf2, then Leaf1.

Now assume that Leaf2 has to send more than 256kbps; for this reason, it attaches itself to its parent's (ClassB) inner feed, which recursively attaches itself to the Level 1 self slot at priority=7. Leaf1 continues to be in the green state - it has to send packets, but not faster than 1Mbps. Leaf3 still has nothing to send. This is a very interesting situation, because Leaf1 gets a higher priority than Leaf2 (while it is in the green state), although we have configured it for a lower priority (8) than Leaf2 (7). It is because Leaf2 has disconnected itself from the self feed at Level 0 and is now borrowing from its parent (ClassB), which has attached to the self feed at Level 1. Because of this, the priority of Leaf2 'has traveled to Level 1'. Remember that at first we serve those classes which are at the lowest level with the highest priority, then continue with the next level, and so on.

Consider that Leaf1 has reached its max-limit and changed its state to red, and Leaf2 now uses more than 1Mbps (and less than 2Mbps), so its parent ClassB has to borrow from ClassA and becomes yellow. Leaf3 still has no packets to send. This scenario shows that Leaf1 has reached its max-limit and cannot even borrow from its parent (ClassA). Leaf2 has hierarchically reached Level 2: it borrows from ClassB, which in turn must borrow from ClassA because it does not have enough rate available. As Leaf3 has no packets to send, the only class that sends packets is Leaf2.

Assume that Leaf2 is borrowing from ClassB, and ClassB from ClassA, but ClassA reaches its max-limit (2Mbps). In this situation Leaf2 is in the yellow state, but it cannot borrow (as ClassB cannot borrow from ClassA).

Finally, let's see what happens if Leaf1, Leaf2, Leaf3 and ClassB are in the yellow state, and ClassA is green. Leaf1 borrows from ClassA, Leaf2 and Leaf3 from ClassB, and ClassB also borrows from ClassA. Now all the priorities have 'moved' to Level 2. So Leaf2 is at the highest priority and is served first. As Leaf1 and Leaf3 are at the same priority (8) on the same level (2), they are served using the round robin algorithm.
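To make the serving order in the Priorities section and the five scenarios above concrete, here is an added Python model (not RouterOS code and not part of the original manual) of the rules the page states: only leaves hold packets, a green leaf is served at level 0 with its own priority, a yellow leaf climbs to its first green ancestor and is served at that ancestor's level with the leaf's priority, and a red leaf, or a borrowing chain that reaches a red class, is not served. The tree and class states come from the page; treating ClassA as the top of the tree (with nothing above it to lend rate) is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HtbClass:
    name: str
    parent: Optional[str]  # None for the top-level class under the main HTB (Local)
    priority: int = 8      # 1 = highest, 8 = lowest; only leaves use it


# The hierarchy built in the page's /queue tree example.
TREE: Dict[str, HtbClass] = {c.name: c for c in [
    HtbClass("ClassA", None),
    HtbClass("ClassB", "ClassA"),
    HtbClass("Leaf1", "ClassA", priority=8),
    HtbClass("Leaf2", "ClassB", priority=7),
    HtbClass("Leaf3", "ClassB", priority=8),
]}


def children(tree: Dict[str, HtbClass], name: str) -> List[HtbClass]:
    return [c for c in tree.values() if c.parent == name]


def level(tree: Dict[str, HtbClass], name: str) -> int:
    """Leaves sit at level 0; an inner class is one level above its deepest child."""
    kids = children(tree, name)
    return 0 if not kids else 1 + max(level(tree, k.name) for k in kids)


def feed_level(tree: Dict[str, HtbClass], states: Dict[str, str], leaf: str) -> Optional[int]:
    """Level of the self slot a leaf ends up attached to, or None if it is not served.

    states maps class name -> "green" | "yellow" | "red". A leaf missing from
    states is idle (nothing to send); an inner class missing from states is
    assumed green.
    """
    state = states.get(leaf, "idle")
    if state not in ("green", "yellow"):
        return None                    # idle: nothing to send; red: over max-limit
    node = leaf
    while state == "yellow":           # borrowing: attach to the parent's inner feed
        parent = tree[node].parent
        if parent is None:
            return None                # assumption: nothing above the top class lends rate
        node = parent
        state = states.get(node, "green")
        if state == "red":
            return None                # the class we would borrow from is at its max-limit
    return level(tree, node)           # first green ancestor, or the leaf itself


def service_order(tree: Dict[str, HtbClass], states: Dict[str, str]) -> List[List[str]]:
    """Leaves grouped in serving order: lowest level first, then highest priority
    (lowest number). Leaves that share a group are served round robin."""
    slots: Dict[tuple, List[str]] = {}
    for cls in tree.values():
        if children(tree, cls.name):
            continue                   # inner classes hold no packets
        lvl = feed_level(tree, states, cls.name)
        if lvl is not None:
            slots.setdefault((lvl, cls.priority), []).append(cls.name)
    return [sorted(names) for _, names in sorted(slots.items())]


if __name__ == "__main__":
    # Scenario 2 from the page: Leaf2 borrows from a green ClassB while Leaf1 stays green,
    # so Leaf1 (level 0, priority 8) is served before Leaf2 (level 1, priority 7).
    print(service_order(TREE, {"Leaf1": "green", "Leaf2": "yellow", "ClassB": "green"}))
```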

Bursts

Bursts are used to allow higher data rates for a short period of time. Every 1/16 part of the burst-time, the router calculates the average data rate of each class over the last burst-time seconds. If this average data rate is less than burst-threshold, burst is enabled and the actual data rate reaches burst-limit bps, otherwise the actual data rate falls to max-limit or limit-at.

Let us consider that we have a setup, where max-limit=256000, burst-time=8, burst-threshold=192000 and burst-limit=512000. When a user is starting to download a file via HTTP, we can observe such a situation:



At the beginning the average data rate over the last 8 seconds is 0bps, because before applying the queue rule no traffic was passed using this rule. Since this average data rate is less than burst-threshold (192kbps), burst is allowed. After the first second, the average data rate is (0+0+0+0+0+0+0+512)/8=64kbps, which is under burst-threshold. After the second second, the average data rate is (0+0+0+0+0+0+512+512)/8=128kbps. After the third second comes the breakpoint, when the average data rate becomes larger than burst-threshold. At this moment burst is disabled and the current data rate falls down to max-limit (256kbps).
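The burst rule above replayed tick by tick, as an added Python model (not RouterOS code) with the page's values: max-limit=256000, burst-time=8, burst-threshold=192000, burst-limit=512000. The router is modelled as re-evaluating every 1/16 of burst-time, as the page states; the client demand is a constructed input.

```python
from typing import List, Tuple

SAMPLES = 16  # the router re-evaluates the average every 1/16 of burst-time


def simulate_burst(demand: List[int], max_limit: int, burst_limit: int,
                   burst_threshold: int, burst_time: float) -> List[Tuple[float, float, int]]:
    """Replay the burst rule tick by tick.

    demand[i] is the rate (bps) the client would use in tick i if unrestricted
    (a constructed input). Each tick the router averages the rate actually
    passed over the last burst_time seconds; if that average is below
    burst_threshold the client may run at burst_limit, otherwise at max_limit.
    Returns (end_of_tick_seconds, average_before_tick, actual_rate) per tick.
    """
    tick = burst_time / SAMPLES
    history = [0] * SAMPLES  # rates of the last burst_time seconds, oldest first
    trace = []
    for i, wanted in enumerate(demand):
        average = sum(history) / SAMPLES
        allowed = burst_limit if average < burst_threshold else max_limit
        actual = min(wanted, allowed)
        history = history[1:] + [actual]
        trace.append((round((i + 1) * tick, 3), average, actual))
    return trace


def burst_seconds(trace: List[Tuple[float, float, int]], burst_limit: int) -> float:
    """How long the client ran at burst_limit before falling back to max_limit."""
    elapsed = 0.0
    for t_end, _, actual in trace:
        if actual != burst_limit:
            return elapsed
        elapsed = t_end
    return elapsed


if __name__ == "__main__":
    saturating = [1_000_000] * 32  # constructed: a client downloading flat out for 16 s
    trace = simulate_burst(saturating, 256000, 512000, 192000, 8)
    for t_end, avg, actual in trace[:8]:
        print(f"t={t_end:4.1f}s average={avg / 1000:6.1f}kbps allowed={actual / 1000:5.1f}kbps")
    print("burst lasted", burst_seconds(trace, 512000), "s")
```

Because max-limit (256kbps) is above burst-threshold (192kbps), a client that keeps downloading never qualifies for the burst again; only after its average over the window drops under the threshold (an idle gap) is burst-limit granted anew.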

HTB in RouterOS

There are 4 HTB trees maintained by RouterOS:
global-in
global-total
global-out
interface queue

When adding a simple queue, it creates 3 HTB classes (in global-in, global-total and global-out), but it does not add any classes in interface queue.

Queue tree is more flexible - you can add it to any of these HTB’s.

When a packet travels through the router, it passes all 4 HTB trees - global-in, global-total, global-out and interface queue. If it is directed to the router, it passes the global-in and global-total HTB queues. If packets are sent from the router, they traverse the global-total, global-out and interface queues.

Additional Resources
http://linux-ip.net/articles/Traffic-Control-HOWTO/overview.html
http://luxik.cdi.cz/~devik/qos/htb/
http://www.docum.org/docum.org/docs/

Queue Types

Submenu level: /queue type
Description

In this submenu you can create your custom queue types. Afterwards, you will be able to use them in /queue tree, /queue simple or /queue interface.

PFIFO and BFIFO

These queuing disciplines are based on the FIFO algorithm (First-In First-Out). The difference between PFIFO and BFIFO is that one is measured in packets and the other one in bytes. There is only one parameter called pfifo-limit (bfifo-limit) which defines how much data a FIFO queue can hold. Every packet that cannot be enqueued (if the queue is full), is dropped. Large queue sizes can increase latency.



Use FIFO queuing disciplines if you do not have a congested link

SFQ

Stochastic Fairness Queuing (SFQ) cannot limit traffic at all. Its main idea is to equalize traffic flows (TCP sessions or UDP streams) when your link is completely full.

The fairness of SFQ is ensured by hashing and round-robin algorithms. The hashing algorithm divides the session traffic over a limited number of subqueues. After sfq-perturb seconds the hashing algorithm changes and divides the session traffic to other subqueues. The round-robin algorithm dequeues sfq-allot bytes from each subqueue in turn.



The whole SFQ queue can contain 128 packets and there are 1024 subqueues available for these packets.

Use SFQ for congested links to ensure that some connections do not starve

PCQ

To solve some SFQ imperfections, Per Connection Queuing (PCQ) was created. It is the only classless queuing type that can do limitation. It is an improved version of SFQ without its stochastic nature. PCQ also creates subqueues, according to the pcq-classifier parameter. Each subqueue has a data rate limit of pcq-rate and a size of pcq-limit packets. The total size of a PCQ queue cannot be greater than pcq-total-limit packets.

The following example demonstrates the usage of PCQ with packets, classified by their source address.



If you classify the packets by src-address, then all packets with different source IP addresses will be grouped into different subqueues. Now you can do the limitation or equalization for each subqueue with the pcq-rate parameter. Perhaps the most significant part is to decide which interface we should attach this queue to. If we attach it to the Local interface, all traffic from the Public interface will be grouped by src-address (probably not what we want), but if we attach it to the Public interface, all traffic from our clients will be grouped by src-address - so we can easily limit or equalize upload for clients.

To equalize rate among subqueues, classified by the pcq-classifier, set the pcq-rate to 0!

PCQ can be used to dynamically equalize or shape traffic for multiple users, using little administration.
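As an added illustration (not RouterOS code) of how the classifier and the three size parameters interact, the following Python groups constructed upload packets into sub-queues the way pcq-classifier does (including a multi-field classifier such as src-address,src-port), applies pcq-limit and pcq-total-limit as tail drops, and divides a rate among the active sub-queues. The equal-split rate model in pcq_rates is a simplifying assumption, and the packets and addresses are constructed.

```python
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed sample: client upload packets as seen on the Public interface.
SAMPLE_PACKETS = [
    {"src-address": "192.168.0.1", "src-port": 40000, "dst-address": "10.5.8.1", "dst-port": 80},
    {"src-address": "192.168.0.1", "src-port": 40001, "dst-address": "10.5.8.1", "dst-port": 443},
    {"src-address": "192.168.0.2", "src-port": 50000, "dst-address": "10.5.8.1", "dst-port": 80},
    {"src-address": "192.168.0.1", "src-port": 40000, "dst-address": "10.5.8.1", "dst-port": 80},
    {"src-address": "192.168.0.3", "src-port": 60000, "dst-address": "10.5.8.1", "dst-port": 22},
]


def pcq_enqueue(packets: List[dict], classifier: Tuple[str, ...],
                pcq_limit: int = 50, pcq_total_limit: int = 2000):
    """Sort packets into PCQ sub-queues keyed by the pcq-classifier fields.

    A packet is dropped when its sub-queue already holds pcq_limit packets or
    the whole PCQ queue already holds pcq_total_limit packets (tail drop).
    Returns (sub-queues in order of first appearance, dropped packets).
    """
    subqueues: "OrderedDict[tuple, List[dict]]" = OrderedDict()
    dropped: List[dict] = []
    held = 0
    for pkt in packets:
        key = tuple(pkt[field] for field in classifier)
        queue = subqueues.setdefault(key, [])
        if len(queue) >= pcq_limit or held >= pcq_total_limit:
            dropped.append(pkt)
            continue
        queue.append(pkt)
        held += 1
    return subqueues, dropped


def pcq_rates(subqueues, available_bps: int, pcq_rate: int = 0) -> Dict[tuple, float]:
    """Rate each active sub-queue may use.

    Simplified model (an assumption, not the RouterOS scheduler): the rate
    available to the PCQ queue is split equally among active sub-queues;
    pcq_rate > 0 additionally caps every sub-queue, pcq_rate == 0 only equalizes.
    """
    active = [key for key, queue in subqueues.items() if queue]
    if not active:
        return {}
    share = available_bps / len(active)
    per_queue = share if pcq_rate == 0 else min(share, pcq_rate)
    return {key: per_queue for key in active}


if __name__ == "__main__":
    by_src, dropped = pcq_enqueue(SAMPLE_PACKETS, ("src-address",), pcq_limit=2)
    for key, queue in by_src.items():
        print(key, len(queue), "queued")
    print(len(dropped), "dropped by pcq-limit")
    print(pcq_rates(by_src, 256000, pcq_rate=64000))
```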

RED

Random Early Detection is a queuing mechanism which tries to avoid network congestion by controlling the average queue size. When the average queue size reaches red-min-threshold, RED randomly chooses which arriving packets to drop. The drop probability increases as the average queue size grows. If the average queue size reaches red-max-threshold, the packets are dropped. However, there may be cases when the real queue size (not the average) is much greater than red-max-threshold; then all packets which exceed red-limit are dropped.



Mainly, RED is used on congested links with high data rates. It works well with TCP, but not so well with UDP.

Property Description

bfifo-limit (integer; default: 15000) - maximum number of bytes that the BFIFO queue can hold
kind (bfifo | pcq | pfifo | red | sfq) - which queuing discipline to use
bfifo - Bytes First-In, First-Out
pcq - Per Connection Queue
pfifo - Packets First-In, First-Out
red - Random Early Detection
sfq - Stochastic Fairness Queuing

name (name) - associative name of the queue type
pcq-classifier (dst-address | dst-port | src-address | src-port; default: "") - a classifier by which PCQ will group its subqueues. Several classifiers can be used at once, e.g., src-address,src-port will group all packets with different source addresses and source ports into separate subqueues
pcq-limit (integer; default: 50) - number of packets that a single PCQ sub-queue can hold
pcq-rate (integer; default: 0) - maximal data rate allowed for each PCQ sub-queue. Value 0 means that there is no limitation set
pcq-total-limit (integer; default: 2000) - number of packets that the whole PCQ queue can hold
pfifo-limit (integer) - maximum number of packets that the PFIFO queue can hold
red-avg-packet (integer; default: 1000) - used by RED for average queue size calculations
red-burst (integer) - value in bytes which is used for determining how fast the average queue size will be influenced by the real queue size. Larger values will slow down the calculation by RED - longer bursts will be allowed
red-limit (integer) - value in bytes. If the real queue size (not average) exceeds this value, then all packets above this value are dropped
red-max-threshold (integer) - value in bytes. It is the average queue size at which packet marking probability is the highest
red-min-threshold (integer) - average queue size in bytes. When the average RED queue size reaches this value, packet marking becomes possible
sfq-allot (integer; default: 1514) - amount of bytes that a subqueue is allowed to send before the next subqueue gets a turn (amount of bytes which can be sent from a subqueue in a single round-robin turn)
sfq-perturb (integer; default: 5) - time in seconds. Specifies how often to change SFQ's hashing algorithm

Interface Default Queues

Submenu level: /queue interface
Description

In order to send packets over an interface, they have to be enqueued in a queue even if you do not want to limit traffic at all. Here you can specify the queue type which will be used for transmitting data.

Note that if other queues are applied for a particular packet, then these settings are not used!

Property Description

interface (read-only: name; default: name of the interface) - name of the interface
queue (name; default: default) - queue type which will be used for the interface

Example

Set the wireless interface to use wireless-default queue:

[admin@MikroTik] queue interface> set 0 queue=wireless-default
[admin@MikroTik] queue interface> print
# INTERFACE QUEUE
0 wlan1 wireless-default
[admin@MikroTik] queue interface>

Simple Queues

Description

The simplest way to limit data rate for specific IP addresses and/or subnets is to use simple queues.

You can also use simple queues to build advanced QoS applications. They have useful integrated features:
Peer-to-peer traffic queuing
Applying queue rules on chosen time intervals
Priorities
Using multiple packet marks from /ip firewall mangle
Shaping of bidirectional traffic (one limit for the total of upload + download)

Property Description

burst-limit (integer/integer) - maximum data rate which can be reached while the burst is active, in form of in/out (target upload/download)
burst-threshold (integer/integer) - used to calculate whether to allow burst. If the average data rate over the last burst-time seconds is less than burst-threshold, the actual data rate may reach burst-limit. Set in form of in/out (target upload/download)
burst-time (integer/integer) - used to calculate average data rate, in form of in/out (target upload/download)
direction (none | both | upload | download) - traffic flow directions affected by this queue
none - the queue is effectively inactive
both - the queue limits both target upload and target download
upload - the queue limits only target upload, leaving the download rates unlimited
download - the queue limits only target download, leaving the upload rates unlimited

dst-address (IP address/netmask) - destination address to match
dst-netmask (netmask) - netmask for dst-address
interface (text) - interface this queue applies to (i.e., the interface the target is connected to)
limit-at (integer/integer) - guaranteed data rate to this queue in form of in/out (target upload/download)
max-limit (integer/integer) - data rate which can be reached if there is enough bandwidth available, in form of in/out (target upload/download)
name (text) - descriptive name of the queue
p2p (any | all-p2p | bit-torrent | blubster | direct-connect | edonkey | fasttrack | gnutella | soulseek | winmx) - which type of P2P traffic to match
all-p2p - match all P2P traffic
any - match any packet (i.e., do not check this property)

packet-marks (name; default: "") - packet mark to match from /ip firewall mangle. Multiple packet marks are separated by a comma (",")
parent (name) - name of the parent queue in the hierarchy. Can only be another simple queue
priority (integer: 1..8) - priority of the queue. 1 is the highest, 8 the lowest
queue (name/name; default: default/default) - name of the queue from /queue type in form of in/out
target-addresses (IP address/netmask) - limitation target IP addresses (source addresses). To use multiple addresses, separate them with a comma
time (time-time,sat | fri | thu | wed | tue | mon | sun{+}; default: "") - limit queue effect to a specified time period
total-burst-limit (integer) - burst limit for global-total queue
total-burst-threshold (integer) - burst threshold for global-total queue
total-burst-time (time) - burst time for global-total queue
total-limit-at (integer) - limit-at for global-total queue (limits cumulative upload + download to total-limit-at bps)
total-max-limit (integer) - max-limit for global-total queue (limits cumulative upload + download to total-max-limit bps)
total-queue (name) - queuing discipline to use for global-total queue

Queue Trees

Submenu level: /queue tree
Description

The queue trees should be used when you want to use sophisticated data rate allocation based on protocols, ports, groups of IP addresses, etc. At first you have to mark packet flows with a mark under /ip firewall mangle and then use this mark as an identifier for packet flows in queue trees.

Property Description

burst-limit (integer) - maximum data rate which can be reached while the burst is active
burst-threshold (integer) - used to calculate whether to allow burst. If the average data rate over the last burst-time seconds is less than burst-threshold, the actual data rate may reach burst-limit
burst-time (time) - used to calculate average data rate
flow (text) - packet flow which is marked in /ip firewall mangle. Current queue parameters apply only to packets which are marked with this flow mark
limit-at (integer) - guaranteed data rate to this queue
max-limit (integer) - data rate which can be reached if there is enough bandwidth available
name (text) - descriptive name for the queue
parent (text) - name of the parent queue. The top-level parents are the available interfaces (actually, the main HTB). Lower level parents can be other queues
priority (integer: 1..8) - priority of the queue. 1 is the highest, 8 the lowest
queue (text) - name of the queue type. Types are defined under /queue type. This parameter applies only to the leaf queues in the tree hierarchy

Application Examples

Example of emulating a 128Kibps/64Kibps Line

Assume we want to emulate a 128Kibps download and 64Kibps upload line, connecting IP network 192.168.0.0/24. The network is served through the Local interface of the customer's router. The basic network setup is in the following diagram:



To solve this situation, we will use simple queues.

IP addresses on MikroTik router:

[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.254/24 192.168.0.0 192.168.0.255 Local
1 10.5.8.104/24 10.5.8.0 10.5.8.255 Public
[admin@MikroTik] ip address>

And routes:

[admin@MikroTik] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 ADC 10.5.8.0/24 Public
1 ADC 192.168.0.0/24 Local
2 A S 0.0.0.0/0 r 10.5.8.1 Public
[admin@MikroTik] ip route>

Add a simple queue rule, which will limit the download traffic to 128Kib/s and upload to 64Kib/s for clients on the network 192.168.0.0/24, served by the interface Local:

[admin@MikroTik] queue simple> add name=Limit-Local interface=Local \
\... target-address=192.168.0.0/24 max-limit=65536/131072
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
0 name="Limit-Local" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=65536/131072 total-queue=default
[admin@MikroTik] queue simple>

The max-limit parameter cuts down the maximum available bandwidth. From the clients’ point of view, the value 65536/131072 means that they will get maximum of 131072bps for download and 65536bps for upload. The target-addresses parameter defines the target network (or networks, separated by a comma) to which the queue rule will be applied.

Now see the traffic load:

[admin@MikroTik] interface> monitor-traffic Local
received-packets-per-second: 7
received-bits-per-second: 68kbps
sent-packets-per-second: 13
sent-bits-per-second: 135kbps

[admin@MikroTik] interface>

You probably want to exclude the server from being limited; if so, add a queue for it without any limitation (max-limit=0/0, which means no limitation) and move it to the beginning of the list:

[admin@MikroTik] queue simple> add name=Server target-addresses=192.168.0.1/32 \
\... interface=Local
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
0 name="Limit-Local" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=65536/131072 total-queue=default

1 name="Server" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=0/0 total-queue=default
[admin@MikroTik] queue simple> mo 1 0
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
0 name="Server" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=0/0 total-queue=default

1 name="Limit-Local" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=65536/131072 total-queue=default
[admin@MikroTik] queue simple>

Queue Tree Example With Masquerading

In the previous example we dedicated 128Kib/s download and 64Kib/s upload traffic for the local network. In this example we will guarantee 256Kib/s download (128Kib/s for the Server, 64Kib/s for the Workstation and also 64Kib/s for the Laptop) and 128Kib/s for upload (64/32/32Kib/s, respectively) for local network devices. Additionally, if there is spare bandwidth, share it among users equally. For example, if we turn off the Laptop, share its 64Kib/s download and 32Kib/s upload between the Server and Workstation.

When using masquerading, you have to mark the outgoing connection with new-connection-mark and take the mark-connection action. When it is done, you can mark all packets which belong to this connection with the new-packet-mark and use the mark-packet action.


At first, mark the Server’s download and upload traffic. With the first rule we will mark the outgoing connection and with the second one, all packets, which belong to this connection:
[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.1/32 \
\... action=mark-connection new-connection-mark=server-con chain=prerouting
[admin@MikroTik] ip firewall mangle> add connection-mark=server-con \
\... action=mark-packet new-packet-mark=server chain=prerouting
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting src-address=192.168.0.1 action=mark-connection
new-connection-mark=server-con

1 chain=prerouting connection-mark=server-con action=mark-packet
new-packet-mark=server
[admin@MikroTik] ip firewall mangle>
The same for Laptop and Workstation:
[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.2 \
\... action=mark-connection new-connection-mark=lap_works-con chain=prerouting
[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.3 \
\... action=mark-connection new-connection-mark=lap_works-con chain=prerouting
[admin@MikroTik] ip firewall mangle> add connection-mark=lap_works-con \
\... action=mark-packet new-packet-mark=lap_work chain=prerouting
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting src-address=192.168.0.1 action=mark-connection
new-connection-mark=server-con

1 chain=prerouting connection-mark=server-con action=mark-packet
new-packet-mark=server

2 chain=prerouting src-address=192.168.0.2 action=mark-connection
new-connection-mark=lap_works-con

3 chain=prerouting src-address=192.168.0.3 action=mark-connection
new-connection-mark=lap_works-con

4 chain=prerouting connection-mark=lap_works-con action=mark-packet
new-packet-mark=lap_work
[admin@MikroTik] ip firewall mangle>

As you can see, we marked the connections belonging to the Laptop and the Workstation with the same flow.
In /queue tree add rules that will limit Server’s download and upload:
[admin@MikroTik] queue tree> add name=Server-Download parent=Local \
\... limit-at=131072 packet-mark=server max-limit=262144
[admin@MikroTik] queue tree> add name=Server-Upload parent=Public \
\... limit-at=65536 packet-mark=server max-limit=131072
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid
0 name="Server-Download" parent=Local packet-mark=server limit-at=131072
queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0s

1 name="Server-Upload" parent=Public packet-mark=server limit-at=65536
queue=default priority=8 max-limit=131072 burst-limit=0
burst-threshold=0 burst-time=0s
[admin@MikroTik] queue tree>

And similar config for Laptop and Workstation:
[admin@MikroTik] queue tree> add name=Laptop-Wkst-Down parent=Local \
\... packet-mark=lap_work limit-at=65535 max-limit=262144
[admin@MikroTik] queue tree> add name=Laptop-Wkst-Up parent=Public \
\... packet-mark=lap_work limit-at=32768 max-limit=131072
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid
0 name="Server-Download" parent=Local packet-mark=server limit-at=131072
queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0s

1 name="Server-Upload" parent=Public packet-mark=server limit-at=65536
queue=default priority=8 max-limit=131072 burst-limit=0
burst-threshold=0 burst-time=0s

2 name="Laptop-Wkst-Down" parent=Local packet-mark=lap_work limit-at=65535
queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0s

3 name="Laptop-Wkst-Up" parent=Public packet-mark=lap_work limit-at=32768
queue=default priority=8 max-limit=131072 burst-limit=0
burst-threshold=0 burst-time=0s
[admin@MikroTik] queue tree>
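The sharing rule described above (guarantee each child queue its limit-at, then split whatever the parent has left equally among the children that still want more, never exceeding a child's max-limit) is easier to reason about with numbers. The Python below is an added worked example, not part of the MikroTik manual: the Child class, allocate() and the 256Kib/s download scenario are constructed here, and the model assumes all children have the same priority (as the queues above do, priority=8), so it is a simplified picture of HTB rather than its full algorithm.

```python
"""Simplified model of how a queue-tree parent shares bandwidth among children.

Added example, not RouterOS code: each child is guaranteed its limit-at, and
the parent's leftover is water-filled equally among children that still want
more, capped at each child's max-limit. Equal priority is assumed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Child:
    """One child queue of a parent (e.g. Server-Download under Local)."""
    name: str
    limit_at: int    # guaranteed rate, bits/s
    max_limit: int   # ceiling, bits/s
    demand: int      # how much the host is currently trying to move, bits/s


def allocate(parent_rate: int, children: list[Child]) -> dict[str, int]:
    """Return the rate each child receives from a parent of parent_rate bits/s.

    Step 1: every child gets min(demand, limit_at), its guarantee.
    Step 2: the remainder is handed out in equal shares to children whose
            demand and max-limit are not yet reached, until nothing is left.
    """
    alloc = {c.name: min(c.demand, c.limit_at) for c in children}
    spare = parent_rate - sum(alloc.values())
    if spare < 0:
        raise ValueError("sum of limit-at exceeds parent rate; guarantees cannot hold")

    while spare > 0:
        hungry = [c for c in children if alloc[c.name] < min(c.demand, c.max_limit)]
        if not hungry:
            break
        share = max(1, spare // len(hungry))   # at least 1 b/s so the loop progresses
        for c in hungry:
            room = min(c.demand, c.max_limit) - alloc[c.name]
            give = min(share, room, spare)
            alloc[c.name] += give
            spare -= give
            if spare == 0:
                break
    return alloc


# Constructed scenario from the text: a 256 Kib/s download parent with the
# Server guaranteed 128 Kib/s and the Workstation and Laptop 64 Kib/s each,
# every queue allowed to burst up to the whole parent.
KIB = 1024
DOWNLOAD = [
    Child("Server", 128 * KIB, 256 * KIB, demand=10**9),
    Child("Workstation", 64 * KIB, 256 * KIB, demand=10**9),
    Child("Laptop", 64 * KIB, 256 * KIB, demand=10**9),
]


def laptop_off() -> dict[str, int]:
    """The Laptop is switched off: its 64 Kib/s is split equally between the others."""
    kids = [Child(c.name, c.limit_at, c.max_limit, 0 if c.name == "Laptop" else c.demand)
            for c in DOWNLOAD]
    return allocate(256 * KIB, kids)


if __name__ == "__main__":
    print("all busy   :", allocate(256 * KIB, DOWNLOAD))
    print("laptop off :", laptop_off())
```

With every host busy the guarantees already fill the parent, so each child gets exactly its limit-at; with the Laptop off, the Server rises to 160Kib/s and the Workstation to 96Kib/s. A child whose max-limit is lower than its equal share stops at that ceiling and the rest flows on to the others, which is the same water-filling a practitioner would expect from the tree.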

Posted in Mikrotik.com | No Comments »
Network Monitor

Posted by trayspot on June 2, 2008

General Information
Summary

The Netwatch tool monitors network host by means of ping and generates events on status change.
Specifications
Packages required: system
License required: Level1
Submenu level: /tool netwatch
Standards and Technologies: None
Hardware usage: Not significant
Related Documents

* Software Package Management
* Scripting Host

Network Watching Tool
Specifications
Packages required: advanced-tools
License required: Level1
Submenu level: /tool netwatch
Standards and Technologies: none
Hardware usage: Not significant
Description

Netwatch monitors the state of hosts on the network. It does so by sending ICMP pings to the list of specified IP addresses. For each entry in the netwatch table you can specify an IP address, a ping interval and console scripts. The main advantage of netwatch is its ability to issue arbitrary console commands on host state changes.
Property Description
down-script (name) - a console script that is executed once when state of a host changes from unknown or up to down

host (IP address; default: 0.0.0.0) - IP address of host that should be monitored

interval (time; default: 1s) - the time between pings. Lowering this will make state changes more responsive, but can create unnecessary traffic and consume system resources

since (read-only: time) - indicates when state of the host changed last time

status (read-only: up | down | unknown) - shows the current status of the host
up - the host is up
down - the host is down
unknown - after any properties of this list entry were changed, or the item is enabled or disabled

timeout (time; default: 1s) - timeout for each ping. If no reply from a host is received during this time, the host is considered unreachable (down)

up-script (name) - a console script that is executed once when state of a host changes from unknown or down to up

Example

This example will run the scripts gw_1 or gw_2, which change the default gateway depending on the status of one of the gateways:

[admin@MikroTik] system script> add name=gw_1 source={/ip route set
{... [/ip route find dst 0.0.0.0] gateway 10.0.0.1}
[admin@MikroTik] system script> add name=gw_2 source={/ip route set
{... [/ip route find dst 0.0.0.0] gateway 10.0.0.217}
[admin@MikroTik] system script> /tool netwatch
[admin@MikroTik] tool netwatch> add host=10.0.0.217 interval=10s timeout=998ms \
\... up-script=gw_2 down-script=gw_1
[admin@MikroTik] tool netwatch> print
Flags: X - disabled
# HOST TIMEOUT INTERVAL STATUS
0 10.0.0.217 997ms 10s up
[admin@MikroTik] tool netwatch> print detail
Flags: X - disabled
0 host=10.0.0.217 timeout=997ms interval=10s since=feb/27/2003 14:01:03
status=up up-script=gw_2 down-script=gw_1

[admin@MikroTik] tool netwatch>

Without scripts, netwatch can be used just as an information tool to see which links are up, or which specific hosts are running at the moment.

Let's look at the example above: it changes the default route if the gateway becomes unreachable. How is it done? There are two scripts. The script "gw_2" is executed once when the status of the host changes to up. In our case, it is equivalent to entering this console command:

[admin@MikroTik] > /ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.217

The /ip route find dst 0.0.0.0 command returns a list of all routes whose dst-address value is 0.0.0.0. Usually, that is the default route. It is substituted as the first argument to the /ip route set command, which changes the gateway of this route to 10.0.0.217.

The script "gw_1" is executed once when the status of the host becomes down. It does the following:

[admin@MikroTik] > /ip route set [/ip route find dst 0.0.0.0] gateway 10.0.0.1

It changes the default gateway if the 10.0.0.217 address has become unreachable.

Here is another example that sends an e-mail notification whenever the 10.0.0.215 host goes down:

[admin@MikroTik] system script> add name=e-down source={/tool e-mail send
{... from="rieks@mt.lv" server="159.148.147.198" body="Router down"
{... subject="Router at second floor is down" to="rieks@latnet.lv"}
[admin@MikroTik] system script> add name=e-up source={/tool e-mail send
{... from="rieks@mt.lv" server="159.148.147.198" body="Router up"
{... subject="Router at second floor is up" to="rieks@latnet.lv"}
[admin@MikroTik] system script>
[admin@MikroTik] system script> /tool netwatch
[admin@MikroTik] tool netwatch> add host=10.0.0.215 timeout=999ms \
\... interval=20s up-script=e-up down-script=e-down
[admin@MikroTik] tool netwatch> print detail
Flags: X - disabled
0 host=10.0.0.215 timeout=998ms interval=20s since=feb/27/2003 14:15:36
status=up up-script=e-up down-script=e-down

[admin@MikroTik] tool netwatch>
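The property descriptions above say each script runs once per state change, that the first probe moves an entry out of unknown, and that a reply slower than timeout counts as no reply. The Python below is an added example, not RouterOS code, that models exactly that state machine and replays a constructed probe trace against it; the Netwatch class, simulate() and the "gw_1 ran" / "gw_2 ran" stand-ins for the console scripts are all constructed here.

```python
"""Model of the netwatch state machine: unknown -> up/down, scripts fire once per change.

Added example, not RouterOS code. A probe result is an RTT in milliseconds,
or None when no reply arrived at all.
"""
from typing import Callable, List, Optional


class Netwatch:
    """One /tool netwatch entry: host, timeout and the up-script / down-script."""

    def __init__(self, host: str, timeout_ms: int,
                 up_script: Callable[[], None], down_script: Callable[[], None]):
        self.host = host
        self.timeout_ms = timeout_ms
        self.up_script = up_script
        self.down_script = down_script
        self.status = "unknown"          # unknown | up | down, as in the status property
        self.events: List[str] = []      # every transition, in order

    def ping_result(self, rtt_ms: Optional[int]) -> str:
        """Feed one probe result; run a script only when the status actually changes."""
        # no reply, or a reply slower than the timeout, means the host is down
        new_status = "up" if rtt_ms is not None and rtt_ms < self.timeout_ms else "down"
        if new_status != self.status:
            self.status = new_status
            self.events.append(new_status)
            (self.up_script if new_status == "up" else self.down_script)()
        return self.status

    def reconfigure(self) -> None:
        """Changing any property, or disabling/enabling the entry, resets status to unknown."""
        self.status = "unknown"


def simulate(results: List[Optional[int]], timeout_ms: int = 998) -> dict:
    """Replay a probe trace for the 10.0.0.217 gateway and report what fired."""
    log: List[str] = []
    # stand-ins for the gw_2 / gw_1 console scripts of the example above
    nw = Netwatch("10.0.0.217", timeout_ms,
                  up_script=lambda: log.append("gw_2 ran"),
                  down_script=lambda: log.append("gw_1 ran"))
    statuses = [nw.ping_result(r) for r in results]
    return {"statuses": statuses, "script_log": log}


if __name__ == "__main__":
    # constructed trace: two replies, two lost probes, one reply slower than the
    # 998 ms timeout (still down), then recovery
    print(simulate([12, 15, None, None, 1500, 14, 13]))
```

Seven probes produce only three script runs: gw_2 when the entry leaves unknown, gw_1 at the start of the outage, and gw_2 again on recovery. The 1500 ms reply does not end the outage because it exceeds the timeout, which is why the timeout should be set well above the link's normal round-trip time.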

Posted in Mikrotik.com | No Comments »
Setting Mikrotik Wireless Bridge

Posted by trayspot on June 2, 2008

We often want to use MikroTik Wireless for a point-to-point solution in bridge mode (rather than routing). However, MikroTik RouterOS itself is designed to work very well in routing mode. We need to do a few things so that our wireless link can work in bridge mode.

Bridge mode lets one network join the network on the other side transparently, without going through routing, so machines on one network can have IP addresses in the same subnet as the other side.

However, if our wireless network is already fairly large, bridge mode will increase wireless traffic, since there will be a lot of broadcast traffic from one network to the other. For networks that are already fairly large, I recommend using routing mode.

Below is the diagram of the network we are going to set up.

Configuration on the Access Point

1. Create a new bridge interface and name it bridge1

2. Add the ethernet interface to the bridge

3. Assign an IP address to the bridge1 interface

4. Next is the wireless interface setup. Click the Wireless menu (1), select the Interface tab (2), then double-click the name of the wireless interface to be used (3). Select the ap-bridge mode (4), set the ssid (5), band 2.4GHz-B/G (6), and the frequency to be used (7). Don't forget to enable default authenticate (8) and default forward (9). Then enable the wireless interface (10) and click OK (11).

5. Next is the WDS configuration on the wireless interface in use. Open the wireless configuration again as in the step above and select the WDS tab (1). Set WDS Mode to dynamic (2) and select the bridge interface for this WDS (3). Then press OK.

6. The next step is to add a WDS virtual interface. Add a new WDS interface as in the picture, then select the wireless interface we use for this WDS. Then press OK.

7. Once the WDS has been added, a new WDS interface will appear as in the picture below.


Configuration on the Wireless Station

Configuration on the wireless station is almost the same as the steps above, except for the step of assigning the IP address and the wireless configuration. In the station configuration the mode used is station-wds; the frequency does not need to be set, but a scan-list must be set that contains the access point's frequency. For example, if on the access point we set frequency 2412, then enter scan-list 2400-2500.

Checking the link

If the wireless link we built is working properly, status R will appear in the wireless menu (see picture below).

In addition, the mac-address of the connected wireless peer can also be seen in the registration window (see picture below).

Wireless network security configuration

On MikroTik, the easiest way to secure the network is to register the mac-address of the wireless peer in the access list. This must be done on both the access point side and the client side. Once the access-list entries have been made, turn off the default authenticate feature on the wireless interface; other wireless devices whose mac addresses are not registered will then not be able to connect to our network.

If we want better security, we can also use encryption, either WEP or WPA.

Posted in Mikrotik.co.id | No Comments »
The Dude

Posted by trayspot on June 2, 2008

The Dude network monitor is a new application by MikroTik which can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices and alert you in case some service has problems.
Downloads:

Note: for most users we recommend the standard version. For testing and experimentation with the new features, you may download the Beta version.
Dude v2.2
Dude v3.0beta8

Some of its features:
The Dude is free of charge!
Auto network discovery and layout
Discovers any type or brand of device
Device, Link monitoring, and notifications
Includes SVG icons for devices, and supports custom icons and backgrounds
Easy installation and usage
Allows you to draw your own maps and add custom devices
Supports SNMP, ICMP, DNS and TCP monitoring for devices that support it
Individual Link usage monitoring and graphs
Direct access to remote control tools for device management
Supports remote Dude server and local client
Runs in Linux Wine environment, MacOS Darwine, and Windows
Best price/value ratio compared to other products (free of charge)
Help:
The online version
The downloadable version (PDF)
The User Forum
Installation on Linux
The Dude version changelog

Certified Dude Consultants:
Steve Zilis steve[at]znetworks.us
Dennis Burgess dmburgess[at]linktechs.net



Posted in Mikrotik.com | No Comments »
How to make a HotSpot gateway

Posted by trayspot on May 25, 2008

The MikroTik HotSpot Gateway provides public network access for clients using wireless or wired network connections. A HotSpot Gateway should have at least two network interfaces:

1. HotSpot interface, which is used to connect HotSpot clients

2. LAN/WAN interface, which is used to access network resources.

The following picture shows a wireless HotSpot setup.

To set up a simple HotSpot Gateway, follow the steps below:

1. Configure the wireless interface on the HotSpot Gateway:

[admin@HotSpot_Gateway] > interface wireless set wlan1 ssid=HotSpot band=2.4ghz-b \
\... mode=ap-bridge

2. Configure the IP address for the HotSpot interface:

[admin@HotSpot_Gateway] > ip add add address=192.168.0.1/24 interface=wlan1

3. Configure the IP address for the WAN/LAN interface:

[admin@HotSpot_Gateway] > ip add add address=10.5.8.250/24 interface=ether1

4. Add a default route on the HotSpot Gateway:

[admin@HotSpot_Gateway] > ip route add gateway=10.5.8.1

5. Configure HotSpot on the wlan1 interface and add the user admin with the password test:

[admin@MikroTik] > ip hotspot setup
hotspot interface: wlan1
local address of network: 192.168.0.1/24
masquerade network: yes
address pool of network: 192.168.0.2-192.168.0.254
select certificate: none
ip address of smtp server: 0.0.0.0
dns servers: 10.5.8.2
dns name:
name of local hotspot user: admin
password for the user: test

In order to access network resources, HotSpot clients have to configure their wireless interfaces with the proper ssid, band and mode, and enable dynamic host configuration (DHCP) on the wireless interface.

Posted in Mikrotik.co.id | No Comments »
Tutorial Step By Step Seting MikroTik

Posted by trayspot on May 25, 2008

MikroTik RouterOS™ is a Linux-based operating system that can be used to turn a computer into a reliable network router. It covers a wide range of features built for IP networks and wireless networks, and is well suited to ISPs and hotspot providers.

Its features are as follows:

* Firewall and NAT - stateful packet filtering; Peer-to-Peer protocol filtering; source and destination NAT; classification by source MAC, IP addresses (networks or a list of networks) and address types, port range, IP protocols, protocol options (ICMP type, TCP flags and MSS), interfaces, internal packet and connection marks, ToS (DSCP) byte, content, matching sequence/frequency, packet size, time and more…

* Routing - Static routing; Equal cost multi-path routing; Policy based routing (classification done in firewall); RIP v1 / v2, OSPF v2, BGP v4

* Data Rate Management - Hierarchical HTB QoS system with bursts; per IP / protocol / subnet / port / firewall mark; PCQ, RED, SFQ, FIFO queue; CIR, MIR, contention ratios, dynamic client rate equalizing (PCQ), bursts, Peer-to-Peer protocol limitation

* HotSpot - HotSpot Gateway with RADIUS authentication and accounting; true Plug-and-Play access for network users; data rate limitation; differentiated firewall; traffic quota; real-time status information; walled-garden; customized HTML login pages; iPass support; SSL secure authentication; advertisement support

* Point-to-Point tunneling protocols - PPTP, PPPoE and L2TP Access Concentrators and clients; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; MPPE encryption; compression for PPPoE; data rate limitation; differentiated firewall; PPPoE dial on demand

* Simple tunnels - IPIP tunnels, EoIP (Ethernet over IP)

* IPsec - IP security AH and ESP protocols; MODP Diffie-Hellman groups 1,2,5; MD5 and SHA1 hashing algorithms; DES, 3DES, AES-128, AES-192, AES-256 encryption algorithms; Perfect Forward Secrecy (PFS) MODP groups 1,2,5

* Proxy - FTP and HTTP caching proxy server; HTTPS proxy; transparent DNS and HTTP proxying; SOCKS protocol support; DNS static entries; support for caching on a separate drive; access control lists; caching lists; parent proxy support

* DHCP - DHCP server per interface; DHCP relay; DHCP client; multiple DHCP networks; static and dynamic DHCP leases; RADIUS support

* VRRP - VRRP protocol for high availability

* UPnP - Universal Plug-and-Play support

* NTP - Network Time Protocol server and client; synchronization with GPS system

* Monitoring/Accounting - IP traffic accounting, firewall actions logging, statistics graphs accessible via HTTP

* SNMP - read-only access

* M3P - MikroTik Packet Packer Protocol for Wireless links and Ethernet

* MNDP - MikroTik Neighbor Discovery Protocol; also supports Cisco Discovery Protocol (CDP)

* Tools - ping; traceroute; bandwidth test; ping flood; telnet; SSH; packet sniffer; Dynamic DNS update tool

Layer 2 connectivity:

* Wireless - IEEE802.11a/b/g wireless client and access point (AP) modes; Nstreme and Nstreme2 proprietary protocols; Wireless Distribution System (WDS) support; virtual AP; 40 and 104 bit WEP; WPA pre-shared key authentication; access control list; authentication with RADIUS server; roaming (for wireless client); AP bridging

* Bridge - spanning tree protocol; multiple bridge interfaces; bridge firewalling, MAC

* VLAN - IEEE802.1q Virtual LAN support on Ethernet and wireless links; multiple VLANs; VLAN bridging

* Synchronous - V.35, V.24, E1/T1, X.21, DS3 (T3) media types; sync-PPP, Cisco HDLC, Frame Relay line protocols; ANSI-617d (ANDI or annex D) and Q933a (CCITT or annex A) Frame Relay LMI types

* Asynchronous - serial PPP dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; onboard serial ports; modem pool with up to 128 ports; dial on demand

* ISDN - ISDN dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; 128K bundle support; Cisco HDLC, x75i, x75ui, x75bui line protocols; dial on demand

* SDSL - Single-line DSL support; line termination and network termination modes

Installation can be done on a standard PC that will serve as the router; for standard use, for example only as a gateway, it does not require large resources.

Here are the minimum specs:

* CPU and motherboard - anything from P1 to P4, AMD or Cyrix, as long as it is not multi-processor

* RAM - minimum 32 MiB, maximum 1 GiB; 64 MiB or more is strongly recommended; if you also want to run it as a proxy, 1GB is recommended... as a ratio, 15MB of memory for every 1GB of proxy cache..

* HDD - minimum 128MB parallel ATA or Compact Flash; UFD, SCSI and especially S-ATA are not recommended (maybe later, in Ver. 3.0)

* NIC 10/100 or 100/1000

For heavy loads (complex networks, complicated routing, etc.) it is advisable to choose adequate PC resources.

More details can be found at www.mikrotik.com. Even so, MikroTik is not free software, meaning we have to buy a license for all the facilities provided. The free trial lasts only 24 hours.

We can buy the MikroTik software in the form of a "licence" from CITRAWEB, UFOAKSES or PC24 (or download the crack, he he he ...), which is installed on a hard disk after first downloading the MikroTik RouterOS ISO and burning it to CD, or on a disk on module (DOM). If we buy a DOM there is no need to install; just plug the DOM into the IDE slot of our PC.

The following steps are the basics of a MikroTik setup configured for a simple network as a gateway server.

1. The first step is to install MikroTik RouterOS on the PC, or plug in the DOM.

2. Log in to the MikroTik router through the console:

MikroTik v2.9.39

Login: admin

Password: (leave blank)

At this point we are logged in to the MikroTik machine. The default user is admin with no password; just type admin and press enter.

3. For security, change the default password:

[admin@Mikrotik] > password

old password: *****

new password: *****

retype new password: *****

[admin@Mikrotik] >

4. Change the name of the MikroTik router. In this step we will change the server name to "TraySpot" (any name will do; match it to our network...)

[admin@Mikrotik] > system identity set name=TraySpot

[admin@TraySpot] >

5. View the interfaces on the MikroTik router

[admin@TraySpot] > interface print

Flags: X - disabled, D - dynamic, R - running

# NAME TYPE RX-RATE TX-RATE MTU

0 R ether1 ether 0 0 1500

1 R ether2 ether 0 0 1500

[admin@TraySpot] >

6. Assign IP addresses to the MikroTik interfaces. Suppose ether1 will be used for the connection to the Internet with IP 192.168.0.1, and ether2 for our local network with IP 172.16.0.1

[admin@TraySpot] > ip address add address=192.168.0.1 \
netmask=255.255.255.0 interface=ether1

[admin@TraySpot] > ip address add address=172.16.0.1 \
netmask=255.255.255.0 interface=ether2

7. View the IP address configuration we have just assigned

[admin@TraySpot] > ip address print

Flags: X - disabled, I - invalid, D - dynamic

# ADDRESS NETWORK BROADCAST INTERFACE

0 192.168.0.1/24 192.168.0.0 192.168.0.63 ether1

1 172.16.0.1/24 172.16.0.0 172.16.0.255 ether2

[admin@TraySpot] >

8. Set the default gateway; the gateway for the Internet connection is assumed to be 192.168.0.254

[admin@TraySpot] > /ip route add gateway=192.168.0.254

9. View the routing table on the MikroTik router

[admin@TraySpot] > ip route print

Flags: X - disabled, A - active, D - dynamic,

C - connect, S - static, r - rip, b - bgp, o - ospf

# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 ADC 172.16.0.0/24 172.16.0.1 ether2

1 ADC 192.168.0.0/26 192.168.0.1 ether1

2 A S 0.0.0.0/0 r 192.168.0.254 ether1

[admin@TraySpot] >

10. Ping the gateway to make sure the configuration is correct

[admin@TraySpot] > ping 192.168.0.254

192.168.0.254 64 byte ping: ttl=64 time

11. Set up DNS on the MikroTik router

[admin@TraySpot] > ip dns set primary-dns=192.168.0.10 \
allow-remote-requests=no

[admin@TraySpot] > ip dns set secondary-dns=192.168.0.11 \
allow-remote-requests=no

12. View the DNS configuration

[admin@TraySpot] ip dns> pr

primary-dns: 192.168.0.10

secondary-dns: 192.168.0.11

allow-remote-requests: no

cache-size: 2048KiB

cache-max-ttl: 1w

cache-used: 21KiB

[admin@TraySpot] ip dns>

13. Test domain access, for example by pinging a domain name

[admin@TraySpot] > ping yahoo.com

216.109.112.135 64 byte ping: ttl=48 time=250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 571/571.0/571 ms
[admin@TraySpot] >

If a reply is received, the DNS settings are correct.

14. Set up masquerading. If MikroTik is going to be used as a gateway server, we need masquerading so that client computers on the network can connect to the Internet.

[admin@TraySpot] > ip firewall nat add action=masquerade \
out-interface=ether1 chain=srcnat

[admin@TraySpot] >

15. View the masquerading configuration

[admin@TraySpot] > ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat out-interface=ether1 action=masquerade

[admin@TraySpot] >
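Steps 11 to 15 make two choices worth checking on any gateway built this way: allow-remote-requests=no keeps the router from resolving DNS for anyone who can reach it, and the masquerade rule is pinned to out-interface=ether1 so only traffic leaving towards the Internet is rewritten. The Python below is an added example, not part of this tutorial, that parses output in the shape of the /ip dns print and /ip firewall nat print listings above and flags the weak variants; the two sample listings are constructed (one deliberately shows the weak settings) and the parse and audit functions are written here.

```python
"""Audit '/ip dns print' and '/ip firewall nat print' output for two gateway settings.

Added example, not RouterOS code. The sample listings below are constructed
to match the shape of the tutorial's output; a real check would paste the
router's own 'print' output into these strings.
"""
import re
from typing import Dict, List

# constructed: the DNS settings with remote requests left open
DNS_PRINT = """\
primary-dns: 192.168.0.10
secondary-dns: 192.168.0.11
allow-remote-requests: yes
cache-size: 2048KiB
"""

# constructed: rule 0 masquerades on every interface, rule 1 is correct but disabled
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade
1 X chain=srcnat out-interface=ether1 action=masquerade
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines, the form '/ip dns print' uses."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip()
    return out


# 'N [flags] key=value key=value ...' as printed by '/ip firewall nat print'
RULE_RE = re.compile(r"^\s*(\d+)\s+((?:[XID]\s+)*)(.*)$")


def parse_rules(text: str) -> List[Dict[str, object]]:
    """Parse numbered rule lines into dicts; flags land in '_flags', the index in '_id'."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m or "=" not in m.group(3):
            continue                      # the 'Flags:' legend and blank lines
        props: Dict[str, object] = dict(
            tok.split("=", 1) for tok in m.group(3).split() if "=" in tok)
        props["_id"] = m.group(1)
        props["_flags"] = m.group(2).split()
        rules.append(props)
    return rules


def audit(dns_text: str, nat_text: str) -> List[str]:
    """Return findings; an empty list means both settings match the tutorial."""
    findings: List[str] = []
    dns = parse_kv(dns_text)
    if dns.get("allow-remote-requests") == "yes":
        findings.append("dns: allow-remote-requests=yes - the router resolves names for "
                        "any source that can reach it; set it to no or filter port 53 on ether1")
    active = [r for r in parse_rules(nat_text)
              if r.get("action") == "masquerade" and "X" not in r["_flags"]]
    if not active:
        findings.append("nat: no active masquerade rule - LAN clients cannot reach the Internet")
    for r in active:
        if "out-interface" not in r:
            findings.append(f"nat: rule {r['_id']} masquerades on every interface; "
                            "restrict it with out-interface=ether1")
    return findings


if __name__ == "__main__":
    for finding in audit(DNS_PRINT, NAT_PRINT):
        print("-", finding)
```

Run against output copied from the router after step 15, the audit returns an empty list; the constructed listings above produce two findings, one for each weak setting, while the disabled rule 1 is correctly ignored.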

After this step, connectivity from the local network can be checked, and if it works we have successfully installed the MikroTik router as a gateway server. Once connected to the network, MikroTik can be managed using WinBox, which can be downloaded from MikroTik.com or from our own MikroTik server.

For example, if our MikroTik server's IP address is 192.168.0.1, open http://192.168.0.1 in a browser and download WinBox from there.
If we want clients to obtain IP addresses automatically, we need to set up a DHCP server on MikroTik. The steps are as follows:

1. Create an IP address pool
/ip pool add name=dhcp-pool ranges=172.16.0.10-172.16.0.20

2. Add the DHCP network and the gateway to be handed out to clients. In this example the network is 172.16.0.0/24 and the gateway is 172.16.0.1
/ip dhcp-server network add address=172.16.0.0/24 gateway=172.16.0.1

3. Add the DHCP server (in this example DHCP is applied on interface ether2)
/ip dhcp-server add interface=ether2 address-pool=dhcp-pool

4. View the DHCP server status

[admin@TraySpot] > ip dhcp-server pr

Flags: X - disabled, I - invalid

# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP

x dhcp1 ether2 dhcp_pool1 4w2d yes

[admin@TraySpot] >

The X flag indicates that the DHCP server is not yet enabled, so it needs to be enabled first, in step 5.

5. Don't forget to enable the DHCP server
/ip dhcp-server enable 0

Then check the dhcp-server again as in step 4; if the X flag is gone, it is active.

6. Test from a client

Run from the Command Prompt

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\TraySpot>ping www.yahoo.com

Pinging www.yahoo-ht3.akadns.net [69.147.114.210] with 32 bytes of data:

Reply from 124.158.129.5: bytes=32 time=34ms TTL=59
Reply from 124.158.129.5: bytes=32 time=24ms TTL=59
Reply from 124.158.129.5: bytes=32 time=41ms TTL=59
Reply from 124.158.129.5: bytes=32 time=29ms TTL=59

Ping statistics for 69.147.114.210:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 24ms, Maximum = 41ms, Average = 32ms

7. For bandwidth control, you can use simple queues or mangle

[admin@TraySpot] queue simple> add name=Komputer01 \
interface=ether2 target-addresses=172.16.0.1/32 max-limit=65536/131072

[admin@TraySpot] queue simple> add name=Komputer02 \
interface=ether2 target-addresses=172.16.0.2/32 max-limit=65536/131072

and so on...

The full details are here:
www.mikrotik.com/docs/ros/2.9/root/queue
linux-ip.net/articles/Traffic…/overview.html
luxik.cdi.cz/~devik/qos/htb
www.docum.org/docum.org/docs

References
www.mikrotik.com
www.mikrotik.com/docs/ros/2.9
fajar.uii.net.id
Forum-IMATEKOM (UPI “YPTK”) Padang

Additional material:

ENGLISH-INDONESIAN DICTIONARY

Regards ....

software
Code:

http://rapidshare.de/files/30739630/mikrotik.router.os.2.9.6.ISO

Posted in Mikrotik.co.id | No Comments »
Download the MikroTik manual - complete ebook

Posted by trayspot on May 25, 2008

MikroTik peer-to-peer traffic control

http://www.mikrotik.com/testdocs/ros/2.8/ip/peer2peer.pdf

Download the MikroTik manual - ebook

There is an e-book on the MikroTik site in web/html form, hundreds of pages long; I present it here in pdf form.
It also comes with a video-based MikroTik tutorial.

The complete MikroTik manual tutorial, from scratch, has been uploaded to rapidshare; please download it.

Reference Manual of MikroTik RouterOS :
http://rapidshare.com/files/31639172/refman2.9.pdf

Video Tutorial of MikroTik RouterOS :
http://rapidshare.com/files/31372948/Mikrotic.rar

Posted in Mikrotik.co.id | 1 Comment »
Wireless LAN Installation Procedure

Posted by trayspot on May 25, 2008

WIRELESS LAN INSTALLATION PROCEDURE

*Equipment
1. Compass and topographic map
2. Ruler and protractor
3. Pencil, eraser, stationery
4. GPS, altimeter, clinometer
5. Signal mirror and binoculars
6. Radio communication (handheld transceiver)
7. Orinoco PC Card, pigtail and PCI / ISA adapter
8. Multimeter, SWR meter, cable tester, soldering iron, solder, wire cutters
9. Climbing equipment: harness, carabiners, webbing, cow's tail, pulley
10. Open-end wrenches, ring wrenches, adjustable wrench, pliers (cutting, locking, needle-nose), screwdriver set, cable ties, insulating gel, TBA tape, unibell
11. Power extension reel, straight and crossover UTP cables, crimping tools, RJ45 connectors
12. Software: AP Manager, Orinoco Client, Planet drivers and AP Utility, firmware and operating systems (NT, W2K, W98 / ME, Linux, FreeBSD + their utilities)

*Site Survey
1. Determine the coordinates of the station location and the air distance to the BTS using GPS and a compass on the map
2. Note and mark potential obstruction points along the path
3. Calculate SOM, path and accessory losses, EIRP, the Fresnel zone and the antenna height
4. Note the position relative to other stations, the potential for hidden stations and overshoot, and test for noise and interference
5. Determine the ideal tower position, elevation and cable length, and alternatives in case of installation difficulties
6. Plan a number of alternative installation methods and relocations of position and equipment

*Connector Installation
1. Strip the coaxial cable with a clean cross-section cut; the minimum cable specification is RG 8 9913, calculated at 10 dB of loss per 30 m
2. Avoid excessive scratching, because microwave propagation takes place on the surface of the cable
3. Install the connector carefully, paying full attention to neatness
4. Solder the connector's centre pin carefully and neatly, making sure no short occurs
5. Pay attention to the order of pin installation and locking so the seating of the cable and connector does not shift easily
6. Cover the connector surface with aluminium foil to prevent leakage and interference; it must sit flush against the connector surface
7. Wrap the connector in aluminium foil and wrap the whole surface of the connector joint with TBA insulating tape (the kind commonly used for water pipes or household electrical wiring)
8. Finally, cover the whole surface with rubber insulation to keep water out
9. For maintenance, replace all protective layers every 6 months
10. The best connectors are the hex crimp type without solder or threads, which barely scar the cable surface; they are installed with crimping tools, with heat-shrink tubing as protection in place of rubber insulation
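Survey step 3 asks for SOM, path loss, EIRP and the Fresnel zone, and connector step 1 gives the 10 dB per 30 m cable figure, but neither shows the arithmetic. The Python below is an added worked example, not part of this procedure, that carries a link budget through with the standard free-space path loss and Fresnel zone formulas; the transmit power, antenna gains, cable lengths and the 0.5 dB connector loss in plan_link() are constructed values, the -83 dBm sensitivity is the figure the noise-testing section quotes, and the 10 dB margin threshold is a common planning rule of thumb, not something the text states.

```python
"""Link-budget arithmetic for the site survey: FSPL, Fresnel zone, EIRP and SOM.

Added worked example, not part of the installation procedure. The formulas
are the standard free-space path loss and Fresnel zone expressions; the
sample radio, antenna and cable figures in plan_link() are constructed.
"""
import math


def fspl_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space path loss in dB: 20*log10(d_km) + 20*log10(f_MHz) + 32.44."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def fresnel_radius_m(distance_km: float, freq_ghz: float, n: int = 1) -> float:
    """Radius of the n-th Fresnel zone at the path midpoint, in metres.

    The antenna must clear the nearest obstruction by at least this much
    (plus earth curvature on long paths) for the 1st zone to be unobstructed.
    """
    return 17.32 * math.sqrt(n * distance_km / (4 * freq_ghz))


def cable_loss_db(length_m: float, db_per_30m: float = 10.0) -> float:
    """Coax loss using the procedure's rule of thumb: 10 dB per 30 m of RG 8 9913."""
    return length_m / 30.0 * db_per_30m


def eirp_dbm(tx_power_dbm: float, tx_cable_m: float, tx_gain_dbi: float,
             connector_loss_db: float = 0.5) -> float:
    """Power radiated by the antenna: TX power, minus cable and connector loss, plus gain."""
    return tx_power_dbm - cable_loss_db(tx_cable_m) - connector_loss_db + tx_gain_dbi


def som_db(distance_km: float, freq_mhz: float, eirp: float, rx_gain_dbi: float,
           rx_cable_m: float, rx_sensitivity_dbm: float,
           connector_loss_db: float = 0.5) -> float:
    """System Operating Margin: received signal level minus receiver sensitivity."""
    rx_dbm = (eirp - fspl_db(distance_km, freq_mhz)
              + rx_gain_dbi - cable_loss_db(rx_cable_m) - connector_loss_db)
    return rx_dbm - rx_sensitivity_dbm


def plan_link(distance_km: float = 5.0, freq_mhz: float = 2412.0) -> dict:
    """Constructed sample link: 15 dBm radios, 24 dBi antennas, 10 m of coax at each
    end, -83 dBm receiver sensitivity (the figure quoted under noise testing)."""
    eirp = eirp_dbm(tx_power_dbm=15.0, tx_cable_m=10.0, tx_gain_dbi=24.0)
    margin = som_db(distance_km, freq_mhz, eirp, rx_gain_dbi=24.0,
                    rx_cable_m=10.0, rx_sensitivity_dbm=-83.0)
    return {
        "fspl_db": round(fspl_db(distance_km, freq_mhz), 2),
        "fresnel_midpoint_m": round(fresnel_radius_m(distance_km, freq_mhz / 1000), 2),
        "eirp_dbm": round(eirp, 2),
        "som_db": round(margin, 2),
        # 10 dB of fade margin is a common planning minimum (assumption, not from the text)
        "som_ok": margin >= 10.0,
    }


if __name__ == "__main__":
    for key, value in plan_link().items():
        print(f"{key:20} {value}")
```

For the constructed 5 km, 2412 MHz path the free-space loss is about 114 dB, the first Fresnel zone needs roughly 12.5 m of clearance at the midpoint, and the link lands at about 24 dB of margin, which is why a survey that finds a 20 m mast is needed to clear an obstruction is not unusual. Each extra 30 m of this coax costs 10 dB at one end alone, which is the motivation for the POE section that follows: put the radio at the antenna and run UTP down the tower instead.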

*Building the POE
1. Power over Ethernet is needed to inject power into a Wireless In A Box device mounted at the top of the tower; POE helps reduce the power losses caused by cables and connectors
2. POE uses the 2 unused pairs of the UTP cable, 1 pair for injecting the + (positive) supply and 1 pair for the - (negative); a pair is used for each to avoid voltage drop due to cable loss
3. Note that the most critical problem in building POE is preventing shorts, because the power wires and connectors have small cross-sections and shift or get pulled easily; drip wax or insulating gel on every joint so it is protected from shorts
4. Before use, test all connections with a multimeter

*Antenna Installation
1. Install the mast using the stacking method, at least until the 1st Fresnel zone clears the nearest obstruction
2. Check the stability of the mast mounting and guy wires, and install foot steps for climbing and cow's tail anchors
3. Check all cable and connector joints, including the lightning arrestor if any
4. Mount the antenna neatly and correctly, and aim it using a compass and GPS according to the BTS location on the map
5. Run the cable and tidy it temporarily; don't let the weight of the cable load the connector joints or obstruct the pointing movement and position of the antenna
6. When routing cable on the tower / mast, avoid bends where rainwater could accumulate; shape it so that rainwater falls freely downward

*Radio Equipment Installation
1. Install the PC Card and Orinoco correctly until they are recognised by the OS without conflicts, and make sure all drivers and utilities work perfectly
2. Installation on W2K requires the latest driver from the web site, also found on the copied utility CD; no PCMCIA driver is needed, and although W2K PnP installs one, that detection causes conflicts, so remove this driver from Device Manager
3. Installation on NT requires careful allocation of IO, IRQ and DMA addresses; in the BIOS it is better to disable all devices (COM, LPT etc.) and peripherals (sound card, mpeg etc.) that are not needed
4. This whole procedure can be completed in under 30 minutes, not including OS installation; if it takes longer, proceed immediately to the next procedure
5. If installation difficulties persist, for the sake of efficiency temporarily install under Win98 / ME, which is easier and has fewer problems
6. When installing Wireless In A Box radio devices (Mtech, Planet, Micronet etc.), first update the firmware and utility
7. Then test all available functions (AP, Inter Building, SAI Client, SAA2, SAA Ad Hoc etc.), including bridging and IP addressing, using a helical antenna, and make sure all functions run well and stably
8. Make sure the Power Over Ethernet (POE) device works perfectly

*Noise Testing
1. Once everything runs normally, install all the required utilities and start noise / interference testing, using the default settings
2. Without an antenna, check whether any signal strength is picked up from other stations nearby; if there is and it reaches good (about 40 % – 60 %) or more, that station is certainly operating above the EIRP limit and potentially interferes with the station we are building; consider negotiating with the operator of that existing BTS / station
3. Note the noise level; if it exceeds the radio's sensitivity level (usually around -83 dBm, check the radio specification), for instance -100 dBm, then interference at that station point is quite high, and the question is whether the received signal strength can exceed the noise
4. The standard signal-strength scale is 0 % – 40 % poor, 40 % – 60 % good, 60 % – 100 % excellent; if the received signal strength is 60 % but the noise reaches 20 %, the condition is a poor connection (60 % - 20 % = 40 %, poor), so the signal strength should reach 80 % wherever possible
5. A poor connection usually gives a PER (packet error rate, visible as the percentage of RTOs in a continuous ping) above 3 % – 7 % (as seen in the Planet or Wave Rider utility), good is between 1 % – 3 %, and excellent is below 1 %; the PER between the BTS and the client station must be balanced
6. The same calculation can be used to observe the remote station or our BTS; in principle signal strength, noise level and PER must be balanced to get the expected connection stability
7. Consider alternative scenarios if the problems above cannot be solved, for instance moving the station elsewhere, turning the pointing to another nearby BTS, or using a three-point (repeater) method etc.

*Antenna Assembly
1. Grid parabolic, loop and yagi microwave antennas need to be assembled because they consist of several components, unlike patch panel, sector panel and omnidirectional types
2. Assemble the antenna following the manual and the construction drawings supplied
3. Tighten all nuts and bolts, including the connector and especially the reflector
4. Note that microwave antennas are very sensitive to changes in focus, so during assembly pay close attention to the reflector's focus on the horn (driven element); a slight change of focus has wide effects, such as a change in antenna gain (dB)
5. Some grid parabolic antenna types have an extender rod that changes the position of the reflector's focus relative to the horn, so the required gain can be set

*Antenna Pointing
1. In general the antenna is installed with horizontal polarisation
2. Aim the antenna in the direction indicated by the compass and GPS; we treat this direction as the centre beam
3. Swing the antenna steadily to the right and to the left of the centre beam, one step at a time, not exceeding half the antenna's specified beam width on each side (left or right); for example, a 24 dB antenna usually has a 12 degree beam width, so the maximum shift to the left or right of the centre beam is 6 degrees
4. Mark every change of direction and give it a score; the best direction is the one with the best average, the main parameters to watch being signal strength, noise and stability
5. Since most Wireless In A Box radios have no graphical utility to show signal strength, noise etc. (apart from statistics and PER), it is more practical to point using a standard 802.11b radio with a graphical utility, such as the Orinoco, or to use a Wave Rider
6. Next, if needed, adjust the antenna elevation with a clinometer to match the antenna angle at the remote station, calculated from the earth's curvature and compared with the contours on a topographic map
7. Once the best estimated direction and elevation have been reached, the antenna polarisation can if necessary be flipped from horizontal to vertical to narrow the beam width and sharpen the transmission focus; this requires that both ends use the same antenna (grid parabolic) and the same polarisation at both ends (meaning the antenna at the remote end must also be flipped to vertical)

*Radio Connection Testing
1. Perform a signal test, similar to the noise test, except that this time the antenna and cable (including POE) are already connected to the radio
2. Match the channel and SSID (Network Name) to the identity of the destination BTS / AP, and likewise the encryption; if MAC address authentication is used, the station's MAC address must first be defined on the AP
3. If RADIUS authentication is used, make sure the settings match and try the mechanism out before installation
4. Note that most radios function as a bridge and work by MAC address recognition, so the IP address defined on them serves only as a management interface over SNMP and need not be entered in the routing table
5. The routing table is defined on the (PC) router to which the radio is attached; for a Wireless In A Box whose device is separate from the (PC) router, also add one IP address in the same subnet as the radio's IP address to the interface facing the radio, so that the utility installed on the router can reach the radio
6. Run a continuous ping to test connection stability and find the PER
7. Once stable and with signal strength at least good (after accounting for noise), perform a throughput test by making an FTP connection (with FTP client software) to the nearest FTP server (ideally at the destination BTS server); under ideal conditions the average throughput will be balanced for download and upload; the maximum throughput on a 1 Mbps radio link is about 600 kbps, and per TCP connection with a maximum MTU of 1500 about 40 kbps can be reached
8. Next, use mass download manager software that supports simultaneous (concurrent) TCP connections and connect to the nearest FTP server expecting a maximum throughput of 5 kbps per TCP connection, so about 120 simultaneous (concurrent) sessions can be activated, on the assumption 5 x 120 = 600
9. Or, more simply, use a smaller scale: 12 concurrent connections with 5 kbps throughput per session; can the total throughput reach 60 kbps (average)? If so, connection stability is assured at the maximum level
10. At each stage of loading, applied gradually, check whether the ping RTT increases; a figure approaching around 100 ms is still considered normal
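The noise-testing and connection-testing steps above give concrete thresholds (signal bands, noise subtraction, PER bands, the 600 kbps / 5 kbps session calculation, the 100 ms RTT limit). As an added example, not code from the original post, the following Python script turns those thresholds into a small field check; the ping output lines and the 10.0.0.1 address are constructed samples.

```python
import re

# Figures taken from the procedure above; the ping lines below are constructed samples.
RADIO_MAX_KBPS = 600    # usable maximum on a 1 Mbps radio link
RTT_WARN_MS = 100       # a ping RTT approaching this is the limit still considered normal

def classify_signal(signal_pct, noise_pct=0):
    """Subtract noise from signal strength, then apply the 0-40/40-60/60-100 bands.
    Exactly 40 counts as poor, matching the post's example (60 % - 20 % = 40 %)."""
    effective = signal_pct - noise_pct
    if effective <= 40:
        return "poor"
    if effective < 60:
        return "good"
    return "excellent"

def classify_per(per_pct):
    """PER bands: below 1 % excellent, 1-3 % good, above 3 % poor."""
    if per_pct < 1:
        return "excellent"
    if per_pct <= 3:
        return "good"
    return "poor"

_REPLY = re.compile(r"time[=<](\d+)ms")

def analyse_ping(lines):
    """PER (share of timeouts) and average RTT from continuous-ping output in the
    Windows 'Reply from ... time=12ms' / 'Request timed out.' format."""
    rtts, timeouts = [], 0
    for line in lines:
        m = _REPLY.search(line)
        if m:
            rtts.append(int(m.group(1)))
        elif "timed out" in line.lower():
            timeouts += 1
    total = len(rtts) + timeouts
    per = 100.0 * timeouts / total if total else 0.0
    avg_rtt = sum(rtts) / len(rtts) if rtts else None
    return {"per_pct": per, "per_class": classify_per(per), "avg_rtt_ms": avg_rtt,
            "rtt_ok": avg_rtt is not None and avg_rtt <= RTT_WARN_MS}

def concurrent_sessions(per_session_kbps, link_kbps=RADIO_MAX_KBPS):
    """Concurrent TCP sessions the load test should open so that per-session
    throughput adds up to the link maximum (600 / 5 = 120)."""
    return int(link_kbps // per_session_kbps)

# Constructed sample: nine replies and one timeout from a short continuous ping.
SAMPLE_PING = ["Reply from 10.0.0.1: bytes=32 time=%dms TTL=64" % t
               for t in (12, 15, 11, 14, 20, 13, 12, 16, 13)] + ["Request timed out."]
```

Feed `analyse_ping` the saved output of the continuous ping from step 6 and compare the resulting PER class with the signal class from the noise test; the post expects both ends of the link to land in the same band.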
