Advanced Hotspot - QOS - MUM

Advanced Hotspot - QOS
by: Novan Chris
Citraweb Nusa Infomedia, Indonesia
www.mikrotik.co.id
11/7/2009

Introduction
• Novan Chris
• Company: Citraweb Nusa Infomedia
  – Mikrotik Distributor (2002), Training Partner (2005) - www.mikrotik.co.id
  – Wireless ISP - www.citra.net.id
  – Web Developer - www.citra.web.id
• Mikrotik Support and Trainer
• IT Supervisor – Honorary Member of Sat-81 Kopassus

HOTSPOT
• Plug-n-Play – a network that lets clients connect with no configuration of their own.
• Authentication – an authentication system that keeps the network under control even though it is open to public access.
• Bridge Network – the hotspot runs only on a bridged network; it can also be used on a routed network by carrying the hotspot segment over EoIP.
• Limitation – prevents a single user from monopolising the bandwidth.
• Quality of Service – traffic stays under control so that every client's access speed remains reasonable.
• Bypass – selected network resources can be made available without authentication.

Hotspot Network
(diagram: the hotspot on a bridge network; on a routed network the bridge is emulated using EoIP)

Hotspot Installation
/ip hotspot setup
  Select interface to run HotSpot on
    hotspot interface: ether3
  Set HotSpot address for interface
    local address of network: 10.5.51.1/24
    masquerade network: yes
  Set pool for HotSpot addresses
    address pool of network: 10.5.51.2-10.5.51.254
  Select hotspot SSL certificate
    select certificate: none
  Select SMTP server
    ip address of smtp server: 0.0.0.0
  Setup DNS configuration
    dns servers: 203.84.155.188,2.2.2.2
  DNS name of local hotspot server
    dns name:
  Name of local hotspot user
    username: admin
    password:
Note that with "select certificate: none" the login page is served over plain HTTP, so hotspot credentials cross the wireless segment in clear text, and the walkthrough above leaves the admin hotspot user without a password. For a production deployment import a certificate, enable the https login method in the server profile, and set a password.

Hotspot QOS
• Limiting hotspot access speed can be done in two ways:
  – Built-in limiter – use the rate-limit parameter in the server profile to limit the total traffic of the hotspot network; to limit per user, use rate-limit in the user profile instead.
  – Custom limitation – use the incoming-packet-mark and outgoing-packet-mark parameters in the user profile and build the limits yourself in mangle and the queue tree.

Hotspot QOS
• The built-in limitation is automatic and easy to set up, but it does not allow an HTB hierarchy to be implemented.
• With custom limitation you can implement HTB and limit traffic by a much wider range of connection criteria (destination, proxy hit or miss, authentication state, and so on).

Hotspot Packet Flow
(diagram of the RouterOS packet flow: input interface → connection tracking → mangle prerouting → queue global-in → routing / local process → mangle postrouting → queue global-out → HTB on the output interface)

Hotspot – The Traffic
(diagram: hotspot clients → router, where the traffic is SRC-NATed (1) → Internet)

Hotspot Built-in Limitation
• The rate-limit parameter in the server profile limits the total traffic of the hotspot network.
• Bypassed traffic is limited by it as well.

Hotspot Built-in Limitation
• The rate-limit parameter in the user profile limits the traffic of each hotspot client that uses that profile (group); RouterOS creates a dynamic simple queue per logged-in user, so this is a per-user cap, not a shared pool for the group.
• HTB cannot be implemented this way.

Custom Limitation - Profile
• The incoming-packet-mark and outgoing-packet-mark parameters of a user profile define the marks applied to the traffic of the users in that group.
• incoming-packet-mark marks upload traffic and outgoing-packet-mark marks download traffic.

Custom Limitation - Mangle
• Firewall mangle then marks the packets of every client belonging to that group (profile) automatically and dynamically.
• This dynamic marking happens in the hotspot chain.

Custom Limitation - Mangle
• A jump rule from the built-in chains into the hotspot chain is needed so that user traffic passes through those dynamic rules and the marks become visible to the rest of the firewall:
  – /ip firewall mangle add chain=prerouting action=jump jump-target=hotspot
  – /ip firewall mangle add chain=postrouting action=jump jump-target=hotspot

Custom Limitation - Mangle
• ASSUMPTION: the hotspot network is a NAT (masqueraded) network.
• A mark-connection rule must be built on the dynamic packet mark coming from the profile, i.e. from the hotspot chain (group1-in, the profile's incoming-packet-mark):
  – /ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=conn-group1 passthrough=yes packet-mark=group1-in
• Then mark-packet rules keyed on the connection mark can be added so the traffic can be queued; marking in both prerouting and postrouting covers upload and download:
  – /ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=packet-group1 passthrough=no connection-mark=conn-group1
  – /ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=packet-group1 passthrough=no connection-mark=conn-group1
• Once the packet mark for group1 traffic exists, the bandwidth limit can be built in the queue tree.

Custom Limitation - Queue
• /queue tree add name="0-Hotspot1-total-Upload" parent=[interface public/global interface] packet-mark="" max-limit=2M
• /queue tree add name="0-Hotspot1-total-Download" parent=[interface hotspot] packet-mark="" max-limit=2M
• /queue tree add name="Group1-total-Download" parent=0-Hotspot1-total-Download packet-mark=packet-group1 limit-at=1M max-limit=2M
• /queue tree add name="Group1-total-Upload" parent=0-Hotspot1-total-Upload packet-mark=packet-group1 limit-at=1M max-limit=2M

Custom Limitation - Queue
(screenshot of the resulting queue tree)

Hotspot – Based on Destination
(diagram: hotspot clients → router, SRC-NAT → (1) International or (2) Local Exchange)

Hotspot – Based on Destination
• To tell IIX (local exchange) traffic apart from international traffic we use the address list "nice", which holds the IIX prefixes. The connection is classified once, on the upload packet carrying the dynamic mark, and both directions are then marked from the connection mark:
  – /ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=conn-group1-iix passthrough=yes dst-address-list=nice packet-mark=group1-in
  – /ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=packet-group1-iix passthrough=no connection-mark=conn-group1-iix
  – /ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=conn-group1-int passthrough=yes dst-address-list=!nice packet-mark=group1-in
  – /ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=packet-group1-int passthrough=no connection-mark=conn-group1-int
  – /ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=packet-group1-iix passthrough=no connection-mark=conn-group1-iix
  – /ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=packet-group1-int passthrough=no connection-mark=conn-group1-int
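The six rules above only work because of three rule semantics: a rule fires only when every matcher matches, mark-connection is remembered in connection tracking for every later packet of that connection in either direction, and passthrough=no ends evaluation of the chain. The following simulator is an added example (not part of the presentation) that models exactly those semantics and runs the slide's rules over an upload packet and its reply. It assumes the dynamic hotspot chain has already tagged the client's upload packet with the profile's incoming-packet-mark group1-in, uses a constructed one-prefix stand-in for the real "nice" address list, a string as a stand-in for the connection 5-tuple, and 10.5.51.2 (from the page's pool) as the client address.

```python
"""Model of RouterOS mangle mark semantics for the hotspot group rules.

Added example, not the presentation's own code.  The 'nice' list below is a
constructed stand-in for the real IIX prefix list, and connection ids are
plain strings standing in for the tracked 5-tuple.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the real "nice" list has thousands of IIX prefixes.
ADDRESS_LISTS = {"nice": [ipaddress.ip_network("202.150.0.0/16")]}


def in_address_list(spec, addr):
    """dst-address-list=nice matches members, dst-address-list=!nice non-members."""
    negate = spec.startswith("!")
    nets = ADDRESS_LISTS[spec.lstrip("!")]
    hit = any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negate


@dataclass
class Packet:
    dst: str               # destination address
    conn: str              # connection id (stand-in for the tracked 5-tuple)
    packet_mark: str = ""  # mark left by the dynamic hotspot chain, if any


class Mangle:
    def __init__(self):
        self.rules = []      # (chain, (action, mark), passthrough, matchers), in order
        self.conntrack = {}  # connection id -> connection-mark

    def add(self, chain, action, passthrough=True, **match):
        self.rules.append((chain, action, passthrough, match))

    def _matches(self, match, pkt):
        for key, want in match.items():
            if key == "packet_mark" and pkt.packet_mark != want:
                return False
            if key == "connection_mark" and self.conntrack.get(pkt.conn, "") != want:
                return False
            if key == "dst_address_list" and not in_address_list(want, pkt.dst):
                return False
        return True

    def run(self, chain, pkt):
        """Walk one built-in chain; passthrough=no stops at the first firing rule."""
        for rchain, (kind, mark), passthrough, match in self.rules:
            if rchain != chain or not self._matches(match, pkt):
                continue
            if kind == "mark-connection":
                self.conntrack[pkt.conn] = mark   # persists for both directions
            else:  # mark-packet
                pkt.packet_mark = mark
            if not passthrough:
                break
        return pkt


def slide_rules():
    """The six rules of the 'Based on Destination' slide, in slide order."""
    m = Mangle()
    m.add("prerouting", ("mark-connection", "conn-group1-iix"), True,
          dst_address_list="nice", packet_mark="group1-in")
    m.add("prerouting", ("mark-packet", "packet-group1-iix"), False,
          connection_mark="conn-group1-iix")
    m.add("prerouting", ("mark-connection", "conn-group1-int"), True,
          dst_address_list="!nice", packet_mark="group1-in")
    m.add("prerouting", ("mark-packet", "packet-group1-int"), False,
          connection_mark="conn-group1-int")
    m.add("postrouting", ("mark-packet", "packet-group1-iix"), False,
          connection_mark="conn-group1-iix")
    m.add("postrouting", ("mark-packet", "packet-group1-int"), False,
          connection_mark="conn-group1-int")
    return m


def classify(dst, conn, hotspot_mark="group1-in"):
    """Return (upload packet-mark, download packet-mark) for one client flow."""
    m = slide_rules()
    up = m.run("prerouting", Packet(dst=dst, conn=conn, packet_mark=hotspot_mark))
    # The reply enters on the public side: no dynamic mark, same tracked connection,
    # so only the connection-mark based rules can classify it.
    down = m.run("prerouting", Packet(dst="10.5.51.2", conn=conn))
    down = m.run("postrouting", down)
    return up.packet_mark, down.packet_mark


if __name__ == "__main__":
    print(classify("202.150.1.1", "flow-iix"))   # IIX destination
    print(classify("8.8.8.8", "flow-int"))       # international destination
    print(classify("8.8.8.8", "flow-nohs", ""))  # not from a group1 user
```

The third call shows the failure mode to watch for: a flow whose upload never carried the profile's dynamic mark (for example because the jump rule into the hotspot chain is missing) gets no connection mark, so neither direction is ever queued under the group.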

Hotspot – Based on Destination
(screenshot of the mangle rules)

Hotspot – Based on Destination
• /queue tree add name="0-Hotspot1-total-Upload" parent=global-in packet-mark="" limit-at=0 priority=1 max-limit=2M
• /queue tree add name="0-Hotspot1-total-Download" parent=wlan3 packet-mark="" limit-at=0 priority=1 max-limit=2M
• /queue tree add name="Group1-total-Download" parent=0-Hotspot1-total-Download limit-at=960k priority=1 max-limit=2M
• /queue tree add name="Group1-total-Upload" parent=0-Hotspot1-total-Upload limit-at=960k priority=1 max-limit=2M
• /queue tree add name="Group1-Total-IIX-Download" parent=Group1-total-Download packet-mark=packet-group1-iix limit-at=768k queue=default priority=4 max-limit=2M
• /queue tree add name="Group1-Total-INT-Download" parent=Group1-total-Download packet-mark=packet-group1-int limit-at=192k queue=default priority=3 max-limit=2M
• /queue tree add name="Group1-Total-IIX-Upload" parent=Group1-total-Upload packet-mark=packet-group1-iix limit-at=768k queue=default priority=4 max-limit=2M
• /queue tree add name="Group1-Total-INT-Upload" parent=Group1-total-Upload packet-mark=packet-group1-int limit-at=192k queue=default priority=3 max-limit=2M
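An HTB tree like the one above fails quietly when a queue filters on a packet mark no mangle rule produces, when a child's max-limit exceeds its parent's, or when the children's limit-at values add up to more than the parent's max-limit (here 768k + 192k = 960k under a 2M parent, which is fine). The linter below is an added example, not the presentation's code: it parses the slide's mangle and queue-tree commands, cleaned up into one command per line, and reports those three classes of mistake. The config text is a constructed transcription of the slides; queue names, marks and rates are the presentation's own.

```python
"""Lint a RouterOS mangle + queue-tree configuration for HTB mistakes.

Added example, not the presentation's own code.  SLIDE_CONFIG is a constructed
transcription of the 'Based on Destination' slides; BAD_CONFIG is the same with
two deliberate errors injected to show what the checks report.
"""
import re
import shlex

RATE = re.compile(r"^(\d+)([kKmMgG]?)$")
MULT = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(text):
    """'960k' -> 960000, '2M' -> 2000000, '0' -> 0 (RouterOS uses SI multipliers)."""
    m = RATE.match(text)
    if not m:
        raise ValueError(f"bad rate: {text!r}")
    return int(m.group(1)) * MULT[m.group(2).lower()]


def parse_cmd(line):
    """Split '/queue tree add k=v ...' into its command path and a key/value dict."""
    path, kv = [], {}
    for tok in shlex.split(line):
        if "=" in tok and not tok.startswith("/"):
            key, val = tok.split("=", 1)
            kv[key] = val
        else:
            path.append(tok)
    return " ".join(path), kv


def lint(config_text):
    """Return a list of human-readable findings; an empty list means the tree is sane."""
    queues, marks = {}, set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, kv = parse_cmd(line)
        if path == "/queue tree add":
            queues[kv["name"]] = {
                "parent": kv["parent"],
                "packet_mark": kv.get("packet-mark", ""),
                "limit_at": parse_rate(kv.get("limit-at", "0")),
                "max_limit": parse_rate(kv.get("max-limit", "0")),
            }
        elif path == "/ip firewall mangle add" and kv.get("action") == "mark-packet":
            marks.add(kv["new-packet-mark"])

    findings = []
    for name, q in queues.items():
        parent = queues.get(q["parent"])
        # A parent that is not a queue is an interface or global-in/out, i.e. the root.
        if parent is not None and q["max_limit"] > parent["max_limit"]:
            findings.append(f"{name}: max-limit {q['max_limit']} exceeds parent "
                            f"{q['parent']} max-limit {parent['max_limit']}")
        if q["packet_mark"] and q["packet_mark"] not in marks:
            findings.append(f"{name}: packet-mark {q['packet_mark']!r} is never "
                            "produced by a mangle mark-packet rule")
    for name, q in queues.items():
        children = [c for c in queues.values() if c["parent"] == name]
        guaranteed = sum(c["limit_at"] for c in children)
        if children and guaranteed > q["max_limit"]:
            findings.append(f"{name}: children guarantee {guaranteed} bit/s "
                            f"but max-limit is {q['max_limit']}")
    return findings


SLIDE_CONFIG = """
/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=conn-group1-iix passthrough=yes dst-address-list=nice packet-mark=group1-in
/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=packet-group1-iix passthrough=no connection-mark=conn-group1-iix
/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=conn-group1-int passthrough=yes dst-address-list=!nice packet-mark=group1-in
/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=packet-group1-int passthrough=no connection-mark=conn-group1-int
/ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=packet-group1-iix passthrough=no connection-mark=conn-group1-iix
/ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=packet-group1-int passthrough=no connection-mark=conn-group1-int
/queue tree add name="0-Hotspot1-total-Upload" parent=global-in packet-mark="" limit-at=0 priority=1 max-limit=2M
/queue tree add name="0-Hotspot1-total-Download" parent=wlan3 packet-mark="" limit-at=0 priority=1 max-limit=2M
/queue tree add name="Group1-total-Download" parent=0-Hotspot1-total-Download limit-at=960k priority=1 max-limit=2M
/queue tree add name="Group1-total-Upload" parent=0-Hotspot1-total-Upload limit-at=960k priority=1 max-limit=2M
/queue tree add name="Group1-Total-IIX-Download" parent=Group1-total-Download packet-mark=packet-group1-iix limit-at=768k queue=default priority=4 max-limit=2M
/queue tree add name="Group1-Total-INT-Download" parent=Group1-total-Download packet-mark=packet-group1-int limit-at=192k queue=default priority=3 max-limit=2M
/queue tree add name="Group1-Total-IIX-Upload" parent=Group1-total-Upload packet-mark=packet-group1-iix limit-at=768k queue=default priority=4 max-limit=2M
/queue tree add name="Group1-Total-INT-Upload" parent=Group1-total-Upload packet-mark=packet-group1-int limit-at=192k queue=default priority=3 max-limit=2M
"""

# Constructed faulty variant: a typo in one packet mark and an over-committed limit-at.
BAD_CONFIG = (SLIDE_CONFIG
              .replace("parent=Group1-total-Download packet-mark=packet-group1-iix limit-at=768k",
                       "parent=Group1-total-Download packet-mark=packet-group1-iixx limit-at=768k")
              .replace("parent=Group1-total-Download packet-mark=packet-group1-int limit-at=192k",
                       "parent=Group1-total-Download packet-mark=packet-group1-int limit-at=1500k"))

if __name__ == "__main__":
    print("slide config:", lint(SLIDE_CONFIG) or "no findings")
    for finding in lint(BAD_CONFIG):
        print("bad config:", finding)
```

Run it against an actual `/queue tree export` and `/ip firewall mangle export` to catch the typo'd mark before a group silently falls out of its queue and into the interface's unshaped default.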

Hotspot – Based on Destination
(screenshot of the resulting queue tree)

Hotspot – Internal Proxy
(diagram: hotspot clients → router with SRC-NAT and an internal PROXY; the numbered paths are 1 Direct INT, 2 Direct IIX, 3 MISS IIX, 4 HIT IIX, 5 MISS Intl, 6 HIT Intl, i.e. direct traffic leaves unproxied, MISS traffic is fetched by the proxy from IIX or international, and HIT traffic is served from the proxy cache)

Proxy
• Make sure the cache-on-disk option is enabled.
• The TOS/DSCP field is used to tell HIT from MISS traffic: the web proxy tags cache hits with the DSCP value configured as cache-hit-dscp in /ip proxy (default 4).
• Use a secondary hard disk as the cache drive.

Mangle For "HIT" Traffic
• /ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=proxy-hit passthrough=no dscp=4
• Make sure the "HIT" rule sits directly below the jump rule: the group mark-packet rules further down use passthrough=no, so if one of them fired first a cache hit would be marked as ordinary group traffic and never reach this rule.

Queue – "HIT" Traffic
• /queue tree add name="Total-Proxy-Hit" parent=[Interface Hotspot] packet-mark=proxy-hit max-limit=1M

Hotspot - Un-Auth Traffic
(diagram: unauthenticated client traffic → router, where TCP 80 is DST-NATed to the internal PROXY and outbound traffic is SRC-NATed towards IIX or International)

Un Authenticate Traffic - Mangle
• Unauthenticated traffic is traffic from users who have not logged in but have bypass access; it is matched with hotspot=!auth on the hotspot interface, and the same connection-mark then packet-mark pattern as before applies:
  – /ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=conn-unauth passthrough=yes hotspot=!auth in-interface=[Interface Hotspot]
  – /ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=packet-unauth passthrough=no connection-mark=conn-unauth
  – /ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=packet-unauth passthrough=no connection-mark=conn-unauth

Un Authenticate Traffic - Mangle
(screenshot of the mangle rules)

Un Authenticate Traffic - Queue
• The queue for users who are not yet authenticated but have bypass access uses the parent queue 0-Hotspot1-total-Download, so that even though their traffic bypasses the login it still stays within the hotspot's total limit:
  – /queue tree add name="Hotspot1-Unauth-Download" parent=0-Hotspot1-total-Download packet-mark=packet-unauth limit-at=64k priority=8 max-limit=2M
  – /queue tree add name="Hotspot1-Unauth-Upload" parent=0-Hotspot1-total-Upload packet-mark=packet-unauth limit-at=64k priority=8 max-limit=2M

Un Authenticate Traffic - Queue
(screenshot of the resulting queue tree)

Workshop
• Demo
• Q&A