


  1. #1

    Basic help with chains

    Folks, I'm studying chains to optimize my QoS, and I'd like to know if someone could explain how the prerouting and postrouting chains work when I'm using PPPoE for the clients. One thing I can't get my head around is: prerouting marks incoming traffic, but is that data coming from the link or from the client? Postrouting marks outgoing traffic, but is that going from the MK to the link or from the client to the MK?
    Which would be the better option: handling and prioritizing packets arriving from the link, or prioritizing the output from the MK to the clients?


    Thanks!!!

  2. #2


    Everyone, I managed to get a very efficient QoS system working using PPPoE and a parallel proxy...
    First we create a global queue tree (where the parent will be global-total), then two sub-queues, one for UPLOAD and one for DOWNLOAD, and inside these, the sub-queues for the packets we want to prioritize and shape... It took me a while to understand, but it worked, because I was marking in prerouting but not specifying the interface the packets would arrive on. For example, a PPPoE client starts a download (port 80); in reality it is the proxy that does the download, even if it doesn't store the file (depending on the squid rules, e.g. size, etc.), and the download follows this route:
    Web:80----->MK:WAN--(prerouting)---MK:PROXY-->Linux(squid)--(prerouting)-->MK:PPPoEServer--->Clients
    This way it wasn't possible to define a CIR for the port 80 download rule, because the traffic passed through prerouting twice (on arrival from the link and on arrival from the proxy on its way to the client; I confirmed this by doing a download with 200kbps of bandwidth and the rule showed 400kbps). So the CIR would apply to both, and consequently the MK never matched up with the link, since each queue had to have double the bandwidth allocated.
    Anyone who wants more details (there are many), post here. Later I intend to put together a wiki on this subject, which saves the skin of many providers whose links are nearly or completely full.

    I'll post how the first part of the project (Queue Tree) turned out. As for the bandwidth limit of each service or their CIR, I'm hiding them because they are part of the business rules, but that is also up to each provider according to the size of the link and its priorities.

    Just a reminder: this rule works with an MK with 3 interfaces (LINK,PROXY,CLIENTES[PPPoE]). The correct queue type for each queue has not been chosen yet. Some connections, such as the port 80 download rule, exist only for download, because using some ports (e.g. 21, 80) is not allowed for residential clients.
    [Attachment: qos inicial.jpg]
    Last edited by agpnet; 02-11-2009 at 23:20.
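
An added example (not code from the thread) that models the double counting described in post #2: it parses mangle rules in RouterOS export syntax and passes the proxied download through a simplified prerouting chain. The "before" rule, the packet list, the interface labels PPPOE and PROXY, and the short http_* mark names are assumptions; the "after" rules are simplified from the ones posted later in the thread.

```python
import re
import shlex

def parse_export(text):
    """Parse RouterOS export 'add' lines, joining backslash continuations."""
    joined = re.sub(r"\\\n\s*", "", text)  # a continuation may split a token
    return [dict(t.split("=", 1) for t in shlex.split(line[4:]))
            for line in joined.splitlines() if line.startswith("add ")]

def port_in(spec, port):
    ranges = (p.partition("-") for p in spec.split(","))  # '80' or '20-21,3128'
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def matches(rule, pkt, conn_marks):
    # Only the matchers used below are modelled; '!' negates in-interface.
    iface = rule.get("in-interface")
    if iface and (iface.lstrip("!") == pkt["iface"]) == iface.startswith("!"):
        return False
    for key, field in (("protocol", "proto"), ("src-address", "src")):
        if key in rule and rule[key] != pkt[field]:
            return False
    for key, field in (("src-port", "sport"), ("dst-port", "dport")):
        if key in rule and not port_in(rule[key], pkt[field]):
            return False
    want = rule.get("connection-mark")
    return want is None or conn_marks.get(pkt["conn"]) == want

def run(rules, packets):
    """Pass packets through the prerouting rules; return kbit per packet mark."""
    conn_marks, totals = {}, {}
    for pkt in packets:
        for r in rules:
            if r.get("chain") == "prerouting" and matches(r, pkt, conn_marks):
                if r["action"] == "mark-connection":
                    conn_marks[pkt["conn"]] = r["new-connection-mark"]
                elif r["action"] == "mark-packet":
                    mark = r["new-packet-mark"]
                    totals[mark] = totals.get(mark, 0) + pkt["kbit"]
                if r.get("passthrough") == "no":
                    break
    return totals

# Constructed packets: a 200 kbit download via the proxy (A=client<->squid, B=squid<->web).
FIELDS = ("conn", "iface", "proto", "src", "sport", "dport", "kbit")
PATH = [dict(zip(FIELDS, row)) for row in [
    ("A", "PPPOE", "tcp", "10.0.0.5", 40000, 80, 0),         # client request
    ("B", "PROXY", "tcp", "172.16.10.2", 50000, 80, 0),      # squid request
    ("B", "WAN", "tcp", "203.0.113.9", 80, 50000, 200),      # web -> squid data
    ("A", "PROXY", "tcp", "172.16.10.2", 3128, 40000, 200),  # squid -> client data
]]
# Assumed "before" rule (not shown in the thread): port match only, no in-interface.
BEFORE = r'''
add action=mark-connection chain=prerouting dst-port=80 new-connection-mark=\
    http_conexao passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http_conexao \
    new-packet-mark=http_pacote passthrough=no
'''
# "After": simplified from the thread's rules (dscp, comment, disabled dropped).
AFTER = r'''
add action=mark-connection chain=prerouting new-connection-mark=squid-out_conexao \
    passthrough=yes protocol=tcp src-address=172.16.10.2 src-port=3128
add action=mark-packet chain=prerouting connection-mark=squid-out_conexao \
    new-packet-mark=squid-out_pacote passthrough=no
add action=mark-connection chain=prerouting in-interface=WAN \
    new-connection-mark=http_conexao passthrough=yes protocol=tcp src-port=80
add action=mark-packet chain=prerouting connection-mark=http_conexao \
    new-packet-mark=http_pacote passthrough=no
'''
if __name__ == "__main__":
    print(run(parse_export(BEFORE), PATH), run(parse_export(AFTER), PATH))
```

With the interface-less rule the single HTTP mark accumulates both legs of the download; with the WAN-scoped rule and a separate proxy-output mark, each leg lands in its own mark.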

  3. #3


    I'd also like to know how to make the best choice of queue type. If you can, explain here later what you did on yours and say whether it worked. Thanks.

  4. #4


    Just one more little thing: can you send me how you did your mangle? And the queue, the rules in text form, or even post them here?
    My e-mail: [email protected]

  5. #5


    Attached is the new Queue Tree structure.

    Below are my mangle markings:
    Code:
    /ip firewall mangle
    add action=mark-connection chain=postrouting comment="Marca com e sem TOS" \
        disabled=no dscp=12 new-connection-mark=n-cache passthrough=yes protocol=\
        tcp src-port=3128
    add action=mark-packet chain=postrouting comment="" connection-mark=n-cache \
        disabled=no new-packet-mark=Cache-Packet passthrough=no
    add action=mark-connection chain=prerouting comment="Marcar Sa\EDda do Proxy" \
        disabled=no dscp=!12 new-connection-mark=squid-out_conexao passthrough=\
        yes protocol=tcp src-address=172.16.10.2 src-port=3128
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        squid-out_conexao disabled=no new-packet-mark=squid-out_pacote \
        passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o SSH/TELNET" disabled=no dst-port=22-23 \
        new-connection-mark=ssh-telnet_conexao passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        ssh-telnet_conexao disabled=no new-packet-mark=ssh-telnet_pacote \
        passthrough=no
    add action=mark-connection chain=prerouting comment="Marcar Conex\E3o WinBox" \
        disabled=no dst-port=8291 new-connection-mark=winbox_conexao passthrough=\
        yes protocol=tcp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        winbox_conexao disabled=no new-packet-mark=winbox_pacote passthrough=no
    add action=mark-connection chain=prerouting comment="Marcar Conex\E3o OSPF" \
        disabled=no new-connection-mark=ospf_conexao passthrough=yes protocol=\
        ospf
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        ospf_conexao disabled=no new-packet-mark=ospf_pacote passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o DNS - IN" disabled=no in-interface=WAN \
        new-connection-mark=dns-in_conexao passthrough=yes protocol=tcp src-port=\
        53
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=dns-in_conexao passthrough=yes \
        protocol=udp src-port=53
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
        53 in-interface=!WAN new-connection-mark=dns-in_conexao passthrough=yes \
        protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
        53 in-interface=!WAN new-connection-mark=dns-in_conexao passthrough=yes \
        protocol=udp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        dns-in_conexao disabled=no new-packet-mark=dns-in_pacote passthrough=no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Conex\E3o DNS - OUT" disabled=no dst-port=53 new-connection-mark=\
        dns-out_conexao out-interface=WAN passthrough=yes protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        53 new-connection-mark=dns-out_conexao out-interface=WAN passthrough=yes \
        protocol=udp
    add action=mark-connection chain=postrouting comment="" disabled=no \
        new-connection-mark=dns-out_conexao out-interface=!WAN passthrough=yes \
        protocol=tcp src-port=53
    add action=mark-connection chain=postrouting comment="" disabled=no \
        new-connection-mark=dns-out_conexao out-interface=!WAN passthrough=yes \
        protocol=udp src-port=53
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        dns-out_conexao disabled=no new-packet-mark=dns-out_pacote passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o VPN - IN" disabled=no dst-port=1723 in-interface=WAN \
        new-connection-mark=vpn_conexao passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=vpn_conexao passthrough=yes \
        protocol=gre
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        vpn_conexao disabled=no new-packet-mark=vpn_pacote passthrough=no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Conex\E3o VPN - OUT" disabled=no dst-port=1723 \
        new-connection-mark=vpn-out_conexao out-interface=WAN passthrough=yes \
        protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no \
        new-connection-mark=vpn-out_conexao out-interface=WAN passthrough=yes \
        protocol=gre
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        vpn-out_conexao disabled=no new-packet-mark=vpn-out_pacote passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o Ping - IN (WAN)" disabled=no in-interface=WAN \
        new-connection-mark=ping-in-wan_conexao passthrough=yes protocol=icmp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        ping-in-wan_conexao disabled=no new-packet-mark=ping-in-wan_pacote \
        passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o Ping - IN (LAN)" disabled=no in-interface=!WAN \
        new-connection-mark=ping-in-lan_conexao passthrough=yes protocol=icmp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        ping-in-lan_conexao disabled=no new-packet-mark=ping-in-lan_pacote \
        passthrough=no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Conex\E3o Ping - OUT (WAN)" disabled=no new-connection-mark=\
        ping-WAN_conexao out-interface=WAN passthrough=yes protocol=icmp
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        ping-WAN_conexao disabled=no new-packet-mark=ping-wan_pacote passthrough=\
        no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Conex\E3o Ping - OUT (LAN)" disabled=no new-connection-mark=\
        ping-LAN_conexao out-interface=!WAN passthrough=yes protocol=icmp
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        ping-LAN_conexao disabled=no new-packet-mark=ping-lan_pacote passthrough=\
        no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o P2P - IN" disabled=no in-interface=WAN \
        new-connection-mark=p2p-in_conexao p2p=all-p2p passthrough=yes
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        p2p-in_conexao disabled=no new-packet-mark=p2p-in_pacote passthrough=no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Conex\E3o P2P - OUT" disabled=no new-connection-mark=\
        p2p-out_conexao out-interface=WAN p2p=all-p2p passthrough=yes
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        p2p-out_conexao disabled=no new-packet-mark=p2p-out_pacote passthrough=no
    add action=mark-connection chain=prerouting comment=Streaming disabled=no \
        in-interface=WAN new-connection-mark=streaming_conexao passthrough=yes \
        protocol=tcp src-port=554
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=streaming_conexao passthrough=yes \
        protocol=udp src-port=554,1755,8554
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        streaming_conexao disabled=no new-packet-mark=streaming_pacote \
        passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o FTP - IN" disabled=no in-interface=WAN \
        new-connection-mark=ftp_conexao passthrough=yes protocol=tcp src-port=\
        20-21
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        ftp_conexao disabled=no new-packet-mark=ftp_pacote passthrough=no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Conex\E3o FTP - OUT" disabled=no dst-port=20-21 \
        new-connection-mark=ftp-out_conexao out-interface=WAN passthrough=yes \
        protocol=tcp
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        ftp-out_conexao disabled=no new-packet-mark=ftp-out_pacote passthrough=no
    Continued in the next post...

    Remember, this is not final yet, but it is already working very well, especially at times of heavy link usage...

    Anyone who wants to collaborate, give an opinion or suggest changes/improvements, especially those who understand the subject best: please, your opinion is very important.
    [Attachment: qos-novo.jpg]

  6. #6


    Code:
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o HTTP-REQUEST (At\E9 256KB)" connection-bytes=0-262144 \
        disabled=no in-interface=WAN new-connection-mark=http-request_conexao \
        passthrough=yes protocol=tcp src-port=80
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        http-request_conexao disabled=no new-packet-mark=http-request_pacote \
        passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o HTTP-DOWNLOADS (Acima 256KB)" connection-bytes=262145-0 \
        disabled=no in-interface=WAN new-connection-mark=http-downloads_conexao \
        passthrough=yes protocol=tcp src-port=80
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        http-downloads_conexao disabled=no new-packet-mark=http-downloads_pacote \
        passthrough=no
    add action=mark-connection chain=prerouting comment="Marcar Conex\E3o HTTPS" \
        disabled=no in-interface=WAN new-connection-mark=https_conexao \
        passthrough=yes protocol=tcp src-port=443
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        https_conexao disabled=no new-packet-mark=https_pacote passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o E-Mail - IN" disabled=no in-interface=WAN \
        new-connection-mark=e-mail_conexao passthrough=yes protocol=tcp src-port=\
        25,110,143,993,995
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        e-mail_conexao disabled=no new-packet-mark=e-mail_pacote passthrough=no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Conex\E3o E-Mail - OUT" disabled=no dst-port=25,110,143,993,995 \
        new-connection-mark=e-mail-out_conexao out-interface=WAN passthrough=yes \
        protocol=tcp
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        e-mail-out_conexao disabled=no new-packet-mark=e-mail-out_pacote \
        passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o Messengers - IN" disabled=no in-interface=WAN \
        new-connection-mark=messenger_conexao passthrough=yes protocol=tcp \
        src-port=1863,6891-6901
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=messenger_conexao passthrough=yes \
        protocol=udp src-port=1863,5190,6891-6901
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=messenger_conexao passthrough=yes \
        protocol=tcp src-port=5000-5001,5050,5101
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=messenger_conexao passthrough=yes \
        protocol=udp src-port=5000-5010
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        messenger_conexao disabled=no new-packet-mark=messenger_pacote \
        passthrough=no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Conex\E3o Messengers - OUT" disabled=no dst-port=1863,6891-6901 \
        new-connection-mark=messenger-out_conexao out-interface=WAN passthrough=\
        yes protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        1863,5190,6891-6901 new-connection-mark=messenger-out_conexao \
        out-interface=WAN passthrough=yes protocol=udp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        5000-5001,5050,5101 new-connection-mark=messenger-out_conexao \
        out-interface=WAN passthrough=yes protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        5000-5010 new-connection-mark=messenger-out_conexao out-interface=WAN \
        passthrough=yes protocol=udp
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        messenger-out_conexao disabled=no new-packet-mark=messenger-out_pacote \
        passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Conex\E3o Jogos - IN" disabled=no in-interface=WAN \
        new-connection-mark=jogos_conexao passthrough=yes protocol=tcp src-port=\
        27020-27039
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=jogos_conexao passthrough=yes \
        protocol=udp src-port=1200,27000-27015
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=jogos_conexao passthrough=yes \
        protocol=tcp src-port=3724
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=jogos_conexao passthrough=yes \
        protocol=tcp src-port=4376
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=jogos_conexao passthrough=yes \
        protocol=udp src-port=4376
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=jogos_conexao passthrough=yes \
        protocol=tcp src-port=6112-6119
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=jogos_conexao passthrough=yes \
        protocol=udp src-port=6112-6119
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=jogos_conexao passthrough=yes \
        protocol=tcp src-port=55905
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=jogos_conexao passthrough=yes \
        protocol=udp src-port=55905
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=jogos_conexao passthrough=yes \
        protocol=tcp src-port=11031,11240,11439
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=jogos_conexao passthrough=yes \
        protocol=tcp src-port=6346
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        jogos_conexao disabled=no new-packet-mark=jogos_pacote passthrough=no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Conex\E3o Jogos - OUT" disabled=no dst-port=27020-27039 \
        new-connection-mark=jogos-out_conexao out-interface=WAN passthrough=yes \
        protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        1200,27000-27015 new-connection-mark=jogos-out_conexao out-interface=WAN \
        passthrough=yes protocol=udp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        3724 new-connection-mark=jogos-out_conexao out-interface=WAN passthrough=\
        yes protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        4376 new-connection-mark=jogos-out_conexao out-interface=WAN passthrough=\
        yes protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        4376 new-connection-mark=jogos-out_conexao out-interface=WAN passthrough=\
        yes protocol=udp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        6112-6119 new-connection-mark=jogos-out_conexao out-interface=WAN \
        passthrough=yes protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        6112-6119 new-connection-mark=jogos-out_conexao out-interface=WAN \
        passthrough=yes protocol=udp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        55905 new-connection-mark=jogos-out_conexao out-interface=WAN \
        passthrough=yes protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        55905 new-connection-mark=jogos-out_conexao out-interface=WAN \
        passthrough=yes protocol=udp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        11031,11240,11439 new-connection-mark=jogos-out_conexao out-interface=WAN \
        passthrough=yes protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no dst-port=\
        6346 new-connection-mark=jogos-out_conexao out-interface=WAN passthrough=\
        yes protocol=tcp
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        jogos-out_conexao disabled=no new-packet-mark=jogos-out_pacote \
        passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Outras Conex\F5es - IN" disabled=no in-interface=WAN \
        new-connection-mark=outras-in_conexao passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no \
        in-interface=WAN new-connection-mark=outras-in_conexao passthrough=yes \
        protocol=udp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        outras-in_conexao disabled=no new-packet-mark=outras-in_pacote \
        passthrough=no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Outras Conex\F5es - OUT" disabled=no new-connection-mark=\
        outras-out_conexao out-interface=WAN passthrough=yes protocol=tcp
    add action=mark-connection chain=postrouting comment="" disabled=no \
        new-connection-mark=outras-out_conexao out-interface=WAN passthrough=yes \
        protocol=udp
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        outras-out_conexao disabled=no new-packet-mark=outras-out_pacote \
        passthrough=no
    add action=mark-connection chain=prerouting comment=\
        "Marcar Outros Protocolos - IN" disabled=no in-interface=WAN \
        new-connection-mark=outros_protocolos-in_conexao passthrough=yes
    add action=mark-packet chain=prerouting comment="" connection-mark=\
        outros_protocolos-in_conexao disabled=no new-packet-mark=\
        outros_protocolos-in_pacote passthrough=no
    add action=mark-connection chain=postrouting comment=\
        "Marcar Outros Protocolos - OUT" disabled=no new-connection-mark=\
        outros_protocolos-out_conexao out-interface=WAN passthrough=yes
    add action=mark-packet chain=postrouting comment="" connection-mark=\
        outros_protocolos-out_conexao disabled=no new-packet-mark=\
        outros_protocolos-out_pacote passthrough=no