salytwo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Apr 18, 2011 8:53 am

Regard block the download not limiting the rate

Mon Apr 18, 2011 9:44 am

Hello all,
I am very happy to be a member of this great forum.
First
I have been instructed to block files such as mp3, mov, etc.: not limit, just block the entire download of these kinds of files.
I did limit using queue tree and PCQ, but how do I block it entirely?

Second
When I enabled Proxy, the PCQ queue has no effect. Why? I need PCQ with Proxy.


thanks
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Regard block the download not limiting the rate

Mon Apr 18, 2011 10:10 pm

First of all, you are going to be very, very hard pressed to block people from downloading files via HTTP. As far as the router knows and is concerned, someone requesting a web site or downloading an ISO via HTTP are exactly the same thing. This is also true for HTTPS, and since it's encrypted you cannot reliably match connections. You need something that operates at layer 7 to do this reliably. While the router does have some layer 7 options, they are very CPU intensive and should be used as a last resort. You will also likely need to write your own regex to get it working the way you want. Since you are talking about using a proxy, you may be able to do that there, however, instead of on the router.

As for PCQ and Proxy working together: depending on what box is running your proxy, and at this point I'm guessing you are using the built-in proxy of the RouterBoard, you need to mark things on the appropriate chains and set up queues at the appropriate locations. When running the proxy on the router, either transparently or not, traffic is being redirected to the router and all requests are being handled by the router. This means that since the router is handling and making all requests to the outside world, your HTTP etc. is now on the output chain of the router instead of forward.

Look at this diagram to determine where you need to mark traffic and set up your queues.
http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram
 
salytwo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Apr 18, 2011 8:53 am

Re: Regard block the download not limiting the rate

Tue Apr 19, 2011 9:31 am

Hello Mr. Feklar,
I forgot to mention that I am using PC P4, CPU 1800, Ram 256, 40 Hard disk.

Then in the first point you mean that it is better to separate the proxy onto another MikroTik machine other than the main MikroTik.
I have only 15 users maximum, so I see one machine is enough. Am I right?
About secured HTTP, it's really a challenge. I hope to get around that using MikroTik because I faced hard pressure from my boss.

On the second point, I have to understand the path of all packets first. Thanks for your link. I'll be back in a while.

thank you very much.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Regard block the download not limiting the rate

Tue Apr 19, 2011 2:42 pm

For 15 end users the MikroTik proxy will be more than sufficient. I personally don't use it, so I don't know what kind of options may be there to block certain extensions. You might be able to use the path option for what you want, something like path=*.mp3

I also don't know how well the MikroTik proxy handles HTTPS; I know that when you use it as a transparent proxy, it cannot do HTTPS, however. So testing on your part will likely need to be done to make sure it will handle what you want correctly. If it does handle it correctly, you'll obviously want to adjust your computers so the end users can't edit their proxy settings.

A better solution might be for you to get a separate proxy box and redirect everything to that. They tend to have more options and more capabilities than the built-in proxy. Something like a Squid server. You have a good enough box to run a Squid server on, and then you can spend ~$100 on a 450 or 450G to handle the routing for the network and redirect.
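
The two suggestions in the replies above (deny by `path` in the built-in proxy, and mark proxy traffic on the output chain so PCQ still applies) can be combined as in the following RouterOS configuration. This is an added example, not something posted by either participant; the interface name `ether-lan`, proxy port 8080, the queue and mark names, and the 512k per-client rate are assumptions.

```routeros
# Added example. Assumed values (not from the thread):
#   ether-lan = LAN-facing interface, 8080 = proxy port,
#   512k = per-client download rate, proxy-down / pcq-proxy-down = chosen names.

# 1. Enable the built-in proxy and redirect plain HTTP from the LAN to it
#    (transparent mode).
/ip proxy set enabled=yes port=8080
/ip firewall nat add chain=dstnat in-interface=ether-lan protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="HTTP to local proxy"

# 2. Do not expose the proxy port on any interface other than the LAN.
/ip firewall filter add chain=input in-interface=!ether-lan protocol=tcp dst-port=8080 \
    action=drop comment="proxy reachable from LAN only"

# 3. Deny requests by URL path. These rules only see HTTP requests that the
#    proxy handles; HTTPS is not covered in transparent mode, as the thread notes.
/ip proxy access add path=*.mp3 action=deny comment="block mp3"
/ip proxy access add path=*.mov action=deny comment="block mov"

# 4. Replies from the proxy to clients originate on the router itself, so they
#    traverse the output chain, not forward. Mark them there.
/ip firewall mangle add chain=output out-interface=ether-lan protocol=tcp src-port=8080 \
    action=mark-packet new-packet-mark=proxy-down passthrough=no \
    comment="proxy to client traffic"

# 5. Per-client PCQ on the marked packets, attached to the LAN interface.
/queue type add name=pcq-proxy-down kind=pcq pcq-classifier=dst-address pcq-rate=512k
/queue tree add name=proxy-down parent=ether-lan packet-mark=proxy-down queue=pcq-proxy-down
```

Existing forward-chain marks and queues stay in place for traffic that bypasses the proxy, such as HTTPS.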
