MUM 2018 inline Transparent Traffic Shaper


7. CYGNAL TECHNOLOGIES: Mikrotik as an in-line transparent bandwidth controller

22. Demonstration result: Filter Turned-Off

23. Demonstration result: Filter Turned-On

17. Speed Test (video edited to cut playback time)

20. Two-step configuration (mangle plus bridge filter):
1. Mark the packet in the mangle facility.
2. Create a bridge filter rule that acts on the mark.


1. CYGNAL TECHNOLOGIES, Mikrotik User Meeting 2018, Dusit Thani Hotel, Makati, Philippines, January 16, 2018

11. Three-step configuration:
1. Attach the ports to a bridge.
2. Create the bridge filter rules.
3. Create the bandwidth limit.
Let's make Mikrotik function like Exinda!

5. Possible solution (link: DL 100 Mbps / UL 100 Mbps): replace the current router with Mikrotik? No: it would break all the proprietary connectivity and security.

10. Credits: Shaz Honarzad (Rural Tech Development) and Dan Santillan (Cygnal Technologies). The goal: make Mikrotik function similar to Exinda for Rural Tech Development (Papua New Guinea). By the way, they are hiring now! They need two Mikrotik engineers.

6. Solution (link: DL 100 Mbps / UL 100 Mbps): add a Mikrotik router right after the fiber modem and make it transparent. Which mode should it use: router mode or bridged mode?

26. Almost done... Remember the reserved port? It is a member of the in-line-bridge and should not carry a public IP address; it is kept for expansion, i.e. for connecting another device or router to it. (Assigning an IP address to it would work, but the point is to keep the in-line bridge from listening on any protocol on that port, so that it behaves like a managed switch.) The simple solution is to connect the "wan" port and the reserved "in-line-bridge" port with a patch cable, so the natted LAN and hotspot WAN hang off the in-line bridge just like another downstream router.

3. The current setup (public IP link: DL 100 Mbps / UL 100 Mbps):
• The ISP allocated the network a small public IP block (/29). All public IPs must be assigned to the routers, and clients must NOT be NATed.
• The network router is a non-Mikrotik router with its own proprietary services and security protocols, and it is connected to a remote router located overseas.
• Workstations have a specific route, provided by the non-Mikrotik router, to reach the devices on the remote side.

14. Configuration: setting up the bridge (R1, R2)
Bridge 4 ports:
• the ISP port
• 2 ports for the routers
• 1 port reserved for later use
Step 1. Attach the ports to a bridge:
/interface bridge add name=in-line-bridge
/interface bridge port add interface=ether5 bridge=in-line-bridge comment="Reserved"
/interface bridge port add interface=ether6 bridge=in-line-bridge comment="R1"
/interface bridge port add interface=ether7 bridge=in-line-bridge comment="R2"
/interface bridge port add interface=ether8 bridge=in-line-bridge comment="ISP Uplink"

19. Firewall on Mikrotik: IP firewall filter; protocol-based filtering (mangle / firewall filter); DNS or web proxy redirection; Layer 7 matcher; etc. These approaches work mostly at Layer 3 and above (with very little of Layer 2), and in their usual form they require the Mikrotik device to be the gateway so that the traffic is routed through the IP firewall. Our Mikrotik in-line shaper/filter does NOT act as the gateway, so it needs neither an assigned IP address nor any running service such as DNS or a web proxy; bridged traffic only reaches the IP firewall (mangle included) when use-ip-firewall=yes is set on the bridge.

9. Exinda appliance: a WAN optimization appliance.
• Controls the traffic (Layer 2 and above)
• Application accelerator
• Application visibility
• Cache server
• Monitoring and reporting
• Can be set up as an in-line network device
Effectively used on slow networks such as VSAT systems. The price is based on the WAN bandwidth: a 2 Mbps WAN costs US$1,000 and a 100 Mbps WAN is priced at US$6,500.

12. Note: there is already a Transparent Traffic Shaper entry on the Mikrotik wiki, using a simple method. I used a different approach here, and you can see the difference. I separated the ingress and egress traffic by identifying the physical IN and OUT ports, and by doing so it gives more flexibility for further use of the Layer 2 fields through the bridge filter. I did not use mangle to mark the necessary packets because it lacks the Layer 2 fields.

21. Demonstration: filtering packets on the bridge interface (L2) together with the mangle facility. Mark the packets in mangle, block or allow in the bridge filter.
Mangle: mark any packet containing the word "ESMTP" (the greeting of a mail transfer session):
/ip firewall mangle add chain=prerouting content="ESMTP" action=mark-packet new-packet-mark=esmtp-pkt
Bridge filter: drop packets carrying the esmtp-pkt mark in the direction ISP → R2 (in on ether8, out on ether7):
/interface bridge filter add chain=forward in-interface=ether8 out-interface=ether7 packet-mark=esmtp-pkt action=drop
Important: be mindful of the direction. This rule only covers ISP → R2; traffic toward R1 and the reverse direction R2 → ISP are untouched unless you add matching rules. Also note that content="ESMTP" matches individual packets carrying that string (typically the server's 220 banner), not the whole session, and a TLS-wrapped session carries no such plaintext. The mangle rule only sees bridged traffic when use-ip-firewall=yes is set on the bridge.
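The pipeline on this slide, as an added Python model for illustration (not RouterOS code and not the presenter's script): the mangle content matcher sets the mark, then the bridge forward chain decides by mark and by in/out interface, first match wins, no match means accept. It assumes the mangle stage runs before the bridge forward chain as the slide depicts (with use-ip-firewall=yes); port roles are the slides' (ether8 = ISP uplink, ether6 = R1, ether7 = R2) and the sample payloads are constructed. It also shows a second rule set that covers the reverse direction, which the one-line demo does not.

```python
# Model of slide 21: mangle marks by content, bridge filter drops by mark + direction.
# Illustrative Python, not RouterOS code; port roles from the slides, payloads constructed.
from dataclasses import dataclass, field


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    payload: bytes
    marks: set = field(default_factory=set)


# /ip firewall mangle add chain=prerouting content="ESMTP" action=mark-packet new-packet-mark=esmtp-pkt
MANGLE_PREROUTING = [
    {"content": b"ESMTP", "new_packet_mark": "esmtp-pkt"},
]

# /interface bridge filter add chain=forward in-interface=ether8 out-interface=ether7 \
#     packet-mark=esmtp-pkt action=drop        (ISP -> R2 only)
BRIDGE_FORWARD = [
    {"in": "ether8", "out": "ether7", "packet_mark": "esmtp-pkt", "action": "drop"},
]

# Same, plus the reverse direction R2 -> ISP (what the demo leaves open).
BRIDGE_FORWARD_BOTH_WAYS = BRIDGE_FORWARD + [
    {"in": "ether7", "out": "ether8", "packet_mark": "esmtp-pkt", "action": "drop"},
]


def run_mangle(pkt, rules=MANGLE_PREROUTING):
    """Content matcher: mark-packet with passthrough, so every matching rule adds its mark."""
    for rule in rules:
        if rule["content"] in pkt.payload:
            pkt.marks.add(rule["new_packet_mark"])
    return pkt


def run_bridge_forward(pkt, rules=BRIDGE_FORWARD):
    """Bridge filter forward chain: first rule matching direction and mark decides."""
    for rule in rules:
        if rule["in"] != pkt.in_iface or rule["out"] != pkt.out_iface:
            continue
        if rule.get("packet_mark") and rule["packet_mark"] not in pkt.marks:
            continue
        return rule["action"]
    return "accept"


def verdict(in_iface, out_iface, payload, mangle=MANGLE_PREROUTING, bridge=BRIDGE_FORWARD):
    """Run one packet through both stages and return the bridge filter's action."""
    pkt = run_mangle(Packet(in_iface, out_iface, payload), mangle)
    return run_bridge_forward(pkt, bridge)


# Constructed samples: a server greeting (carries "ESMTP") and a client EHLO (does not).
BANNER = b"220 mx.example.net ESMTP ready\r\n"
EHLO = b"EHLO client.example.net\r\n"

if __name__ == "__main__":
    for desc, args in [
        ("ISP -> R2 banner", ("ether8", "ether7", BANNER)),   # dropped
        ("ISP -> R1 banner", ("ether8", "ether6", BANNER)),   # accepted: other port
        ("R2 -> ISP banner", ("ether7", "ether8", BANNER)),   # accepted: other direction
        ("ISP -> R2 EHLO", ("ether8", "ether7", EHLO)),       # accepted: no "ESMTP" in it
    ]:
        print(f"{desc}: {verdict(*args)}")
    print("R2 -> ISP banner, both-way rules:",
          verdict("ether7", "ether8", BANNER, bridge=BRIDGE_FORWARD_BOTH_WAYS))
```

Two things the run makes visible: the drop is bound to one in/out pair, so the same banner passes toward R1 and passes from R2 back to the ISP, and the content matcher only fires on the packet that carries the string, so the client's EHLO is never marked.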

27. WAN and LAN configuration (the natted LAN and hotspot side of the same device)
WAN configuration
Create the bridge for the WAN:
/interface bridge add name=wan-bridge comment="WAN"
Add the port to the wan-bridge:
/interface bridge port add interface=ether4 bridge=wan-bridge
Add the public IP to the wan-bridge:
/ip address add address= interface=wan-bridge
Add the public IP gateway:
/ip route add dst-address= gateway= distance=1
Enable the DNS server:
/ip dns set servers= allow-remote-requests=yes
LAN configuration
Create the bridge for the natted LAN:
/interface bridge add name=lan-bridge comment="LAN"
Add the ports to the lan-bridge:
/interface bridge port add interface=ether1 bridge=lan-bridge
/interface bridge port add interface=ether2 bridge=lan-bridge
Add the IP address to the lan-bridge:
/ip address add address= interface=lan-bridge
NAT the LAN subnet:
/ip firewall nat add chain=srcnat src-address= action=masquerade out-interface=wan-bridge

4. The task (and considerations), on a public IP link of DL 100 Mbps / UL 100 Mbps:
• Provide scalable bandwidth management for each network (the diagram shows two networks, one at DL 25 Mbps / UL 25 Mbps and one at DL 75 Mbps / UL 35 Mbps).
• Do not replace the existing core router.
• Make no changes to the current infrastructure (e.g. IP addressing, routing, firewall, VPN, security, etc.).
• Minimal downtime: under 1~2 minutes.
• Provide a hotspot.
• Provide a natted LAN.

8. In-line devices
What is an in-line network device?
• A device that can be installed between two or more network devices and performs a specific function: it receives packets and forwards them to their intended destination, and it can enhance or alter the data in transit.
• It operates at Layer 2 (data link); some operate at both L2 and L3.
• It is transparent: end devices are not aware of its presence.
Non-intrusive in-line devices (these do not alter the data in transit): coupler (to extend cable length), surge protector, PoE, network sniffer / tap.
Intrusive in-line devices (these can alter the data in transit): appliance, bandwidth controller.

15. Configuration: setting up the bridge filter (R1, R2)
Identify the IN and OUT interface port of each direction and mark the packets accordingly.
Direction ISP → R1 (router #1 download):
/interface bridge filter add chain=forward in-interface=ether8 out-interface=ether6 action=mark-packet new-packet-mark="wan-to-R1-pkt" comment="R1 download"
Direction R1 → ISP (router #1 upload):
/interface bridge filter add chain=forward in-interface=ether6 out-interface=ether8 action=mark-packet new-packet-mark="R1-to-wan-pkt" comment="R1 upload"
Direction ISP → R2 (router #2 download):
/interface bridge filter add chain=forward in-interface=ether8 out-interface=ether7 action=mark-packet new-packet-mark="wan-to-R2-pkt" comment="R2 download"
Direction R2 → ISP (router #2 upload):
/interface bridge filter add chain=forward in-interface=ether7 out-interface=ether8 action=mark-packet new-packet-mark="R2-to-wan-pkt" comment="R2 upload"
Enable the bridge firewall, so that the bridged (and now marked) traffic also passes through the IP firewall and the queues:
/interface bridge settings set use-ip-firewall=yes
Step 2 done: the bridge filter is created.

25. Expansion (R1, R2). Recall the 4 bridged ports: the ISP port, 2 ports for the routers, 1 port reserved for later use. What to do with the unused ports? Use them for the natted LAN and for the hotspot access port, and use the reserved bridge port as the "WAN" port of the natted LAN and hotspot. The hotspot port and the WAN port MUST NOT be members of the LAN bridge.

18. Firewall on the bridge. Quoted from the MikroTik bridge firewall documentation: "The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the bridge. You can put packet marks in the bridge firewall (filter and NAT), which are the same as the packet marks in the IP firewall put by '/ip firewall mangle'. In this way, packet marks put by the bridge firewall can be used in the 'IP firewall', and vice versa."
Three combinations (diagram): (1) mark the packets in the bridge filter and block or allow them in the IP firewall (mangle / filter); (2) mark the packets in mangle and block or allow them in the bridge firewall filter, with mangle doing further packet matching; (3) mark the packets and block or allow them entirely within the bridge filter.

2. Introduction: Cygnal Technologies
• Operated in the Middle East from 1997 to 2013 (under the names Cygnal and PCTek): Internet dial-up and VSAT provider for military service contractors.
• Established in the Philippines in 2013: registered Internet provider.
• Has been using and implementing Mikrotik RouterOS since late 1999.
• IT solution provider: network infrastructure consultation and commissioning; Mikrotik consultation and deployment; cloud hosting provider; software development; wireless and hotspot solution provider; public hotspot operator.

13. Visualization comparison
Wiki method: Bridge IN → Mangle (mark packets here, Layer 3-7) → FW filter → Queue → Bridge OUT.
Layer 2-7 support method (this talk): Bridge IN → Bridge filter (mark packets here, Layer 2-3) → Mangle (optional: add more L3-L7 packet marking here, referencing the bridge filter packet marks) → FW filter (optional / additional) → Queue → Bridge OUT.

16. Configuration: setting up the bandwidth limit (R1, R2). Use the Simple Queue or the Queue Tree facility. Targets: R1 2 Mbps download / 1 Mbps upload, R2 5 Mbps download / 5 Mbps upload. (RouterOS rate pairs are written upload/download.)
R1 limit download:
/queue simple add name=R1-download packet-marks=wan-to-R1-pkt limit-at=0/2M max-limit=0/2M target=""
R1 limit upload:
/queue simple add name=R1-upload packet-marks=R1-to-wan-pkt limit-at=1M/0 max-limit=1M/0 target=""
R2 limit download:
/queue simple add name=R2-download packet-marks=wan-to-R2-pkt limit-at=0/5M max-limit=0/5M target=""
R2 limit upload:
/queue simple add name=R2-upload packet-marks=R2-to-wan-pkt limit-at=5M/0 max-limit=5M/0 target=""
Step 3 done: the bandwidth limit is created. Each queue must reference the mark of its own router and direction, otherwise one router's traffic is throttled against the other's mark. Check that the right half of the rate pair is the one being hit: with an empty target, confirm with /queue simple print stats while running the speed test, or, since each mark already pins one direction, set the same rate on both halves of the pair (e.g. max-limit=2M/2M for the R1 download queue).
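The three steps of slides 14, 15 and 16, as one added Python example (not RouterOS script and not the presenter's code): it emits the bridge, the four direction marks and the four queues from a single port map, then checks that every queue's packet-mark is produced by exactly one bridge filter rule for the same router and direction, which is exactly the cross-wiring a copy-pasted queue line can hide. Port roles, bridge name, mark names and rates are the slides' values; the check, the port map and the override hook are this example's own.

```python
# Generator + consistency check for the three-step in-line shaper (slides 14-16).
# Added example in Python; emits RouterOS commands as text. Not the presenter's script.

PORTS = {"ether5": "Reserved", "ether6": "R1", "ether7": "R2", "ether8": "ISP Uplink"}
UPLINK = "ether8"
BRIDGE = "in-line-bridge"
LIMITS = {"R1": ("2M", "1M"), "R2": ("5M", "5M")}   # (download, upload) per router


def bridge_ports():
    """Step 1: the bridge and its member ports."""
    cmds = [f"/interface bridge add name={BRIDGE}"]
    for port, role in PORTS.items():
        cmds.append(f'/interface bridge port add interface={port} bridge={BRIDGE} comment="{role}"')
    return cmds


def mark_rules():
    """Step 2: one mark-packet rule per router per direction.
    Returns (command, mark, router, direction); mark is None for the settings line."""
    rules = []
    for port, role in PORTS.items():
        if port == UPLINK or role == "Reserved":
            continue
        directions = {
            "download": (UPLINK, port, f"wan-to-{role}-pkt"),   # ISP -> router
            "upload": (port, UPLINK, f"{role}-to-wan-pkt"),     # router -> ISP
        }
        for direction, (src, dst, mark) in directions.items():
            cmd = (f"/interface bridge filter add chain=forward in-interface={src} "
                   f"out-interface={dst} action=mark-packet new-packet-mark={mark} "
                   f'comment="{role} {direction}"')
            rules.append((cmd, mark, role, direction))
    rules.append(("/interface bridge settings set use-ip-firewall=yes", None, None, None))
    return rules


def queues(mark_override=None):
    """Step 3: simple queues keyed on the marks. mark_override maps
    (router, direction) -> mark so the check below can be shown catching a slip."""
    qs = []
    for role, (down, up) in LIMITS.items():
        for direction, rate in (("download", down), ("upload", up)):
            default = f"wan-to-{role}-pkt" if direction == "download" else f"{role}-to-wan-pkt"
            mark = (mark_override or {}).get((role, direction), default)
            limit = f"0/{rate}" if direction == "download" else f"{rate}/0"   # upload/download
            cmd = (f"/queue simple add name={role}-{direction} packet-marks={mark} "
                   f'limit-at={limit} max-limit={limit} target=""')
            qs.append((cmd, mark, role, direction))
    return qs


def check(rules, qs):
    """Problems: a queue mark nobody sets, or one set for another router/direction."""
    producers = {mark: (role, direction) for _, mark, role, direction in rules if mark}
    problems = []
    for _, mark, role, direction in qs:
        if mark not in producers:
            problems.append(f"{role}-{direction}: mark {mark} is never set")
        elif producers[mark] != (role, direction):
            problems.append(f"{role}-{direction}: mark {mark} belongs to {producers[mark]}")
    return problems


def render(mark_override=None):
    """Full script text plus the list of consistency problems (empty when clean)."""
    rules, qs = mark_rules(), queues(mark_override)
    script = "\n".join(bridge_ports() + [r[0] for r in rules] + [q[0] for q in qs])
    return script, check(rules, qs)


if __name__ == "__main__":
    script, problems = render()
    print(script)
    print("problems:", problems)
    # e.g. an R2 upload queue pointing at R1's upload mark (a copy-paste slip)
    print("problems:", render({("R2", "upload"): "R1-to-wan-pkt"})[1])
```

Paste the printed script into the terminal of the in-line device; the check runs before anything is applied, and adding a third router is a matter of adding one entry to PORTS and LIMITS.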

24. So which L2 fields can the bridge filter match on?
1. General: IN/OUT interfaces; IN/OUT bridges; source/destination MAC addresses; MAC protocols; IP source/destination addresses and protocols (L3).
2. VLAN: VLAN ID; VLAN encapsulation; 802.3 type and SAP; packet types.
3. ARP: opcodes; hardware type; packet type; addresses; source and destination MAC address; gratuitous ARP.
4. STP: STP types; STP flags; STP root address; STP root cost; STP sender address; STP port; STP priorities; STP ages / STP time.
Mangle rules cover Layer 3 to Layer 7; groups 2, 3 and 4 are not available in mangle. Matching on these fields gives a better chance to hit a specific packet.

