Mikrotik + Web Proxy Queueing is Impossible ?

t3rm · Sun Aug 26, 2007 8:41 pm

Folks,
Sorry if this question already posted before.

I want to know how to handle Queues if i have to serve users in my net with WebProxy enabled.
Once we set the queues, Mikrotik wont understand the packets cached by WebProxy should be deliver at LAN speed and non cached packets should be queue with the class defined at Queues Tree.

So, if we set WebProxy and Queues enabled, we wont have the benefits of WebProxy Caching since the packets cached still get queued by Mikrotik.

Thanks, i hope there are solutions for this.

- Rio.Martin -

GWISA · Mon Aug 27, 2007 10:41 am

Sounds like mangle chain confusion to me...

You should watch this presentation:
http://www.tiktube.com/2007/06/22/ip-fl ... ns-riyadi/

sokolov · Mon Aug 27, 2007 12:28 pm

Problem is very simple and described on http://wiki.mikrotik.com/wiki/Queue_wit ... _Web-Proxy.
you are using mangle to mark packets and connections, for outgoing traffic use in-interface and src-address and for incoming two stage.
first direct connections on forward chain and for web-proxy output chain.

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
0   ;;; UP TRAFFIC
    chain=prerouting in-interface=lan 
    src-address=172.21.1.0/24 action=mark-packet 
    new-packet-mark=test-up passthrough=no 

1   ;;; CONN-MARK
    chain=forward src-address=172.21.1.0/24 
    action=mark-connection 
    new-connection-mark=test-conn passthrough=yes 

2   ;;; DOWN-DIRECT CONNECTION
    chain=forward in-interface=public 
    connection-mark=test-conn action=mark-packet 
    new-packet-mark=test-down passthrough=no 

3   ;;; DOWN-VIA PROXY
    chain=output out-interface=lan 
    dst-address=172.21.1.0/24 action=mark-packet 
    new-packet-mark=test-down passthrough=no

0   name="downstream" parent=lan packet-mark=test-down 
    limit-at=32000 queue=default priority=8 
    max-limit=32000 burst-limit=0 
    burst-threshold=0 burst-time=0s 

1   name="upstream" parent=global-in 
    packet-mark=test-up limit-at=32000 
    queue=default priority=8 
    max-limit=32000 burst-limit=0 
    burst-threshold=0 burst-time=0s

Zarko
SkopjeWirelessNetwork

samsoft08 · Mon Aug 27, 2007 4:15 pm

its a good example but
first : it doesnt mark P2P direct connections at all ...

second : the output marking doesnt know wether the packet came from the cache disk or from the public lan !!!

we need to limit the usage of the internet bandwidth coming from the public interface only , couse we have a limited satellite connections , but we dont have to limit any packets goes to the user from the cache disk ..

t3rm · Mon Aug 27, 2007 5:25 pm

I Agree with samsoft08.

The topic in here isnt how to mark the packets or putting packets in mangle.
But more precisely how to queue packets coming from Internet without interfere the packets coming from the cache disk.

In other words, packets coming from cache disk should be deliver at maximum LAN Speed.

Thanks

- Rio.Martin -

samsoft08 · Mon Aug 27, 2007 5:38 pm

I think MT forum is not the place to find solutions !! its only a place to describe problems ..

we must c ( as in other similar forums ) some sticky topics that explain and solve the major cases , and i think bandwidth manegement is a very important think to be solved here with all cases , many local interfaces , many subnets , web-proxy , masqurading , couse even in wiki we cant find the complete solution , and i think it must be added as sticky topics instead of ADV topics for MT products , and how long can the signal reach using 2 MT routerboards installed on a very high mountains each on a side of the SEA !!!!!!!

sokolov · Mon Aug 27, 2007 9:33 pm

I think MT forum is not the place to find solutions !! its only a place to describe problems ..

we must c ( as in other similar forums ) some sticky topics that explain and solve the major cases , and i think bandwidth manegement is a very important think to be solved here with all cases , many local interfaces , many subnets , web-proxy , masqurading , couse even in wiki we cant find the complete solution , and i think it must be added as sticky topics instead of ADV topics for MT products , and how long can the signal reach using 2 MT routerboards installed on a very high mountains each on a side of the SEA !!!!!!!

you must learn networking to work with networking, so its enough documents and forum post to find the path to you perfect config.!
no one can give you solution for your setup. i have give you primer where to start! if you dont know how to use mangle rules, or ip flow at all then ... RTFM

Zarko
SkopjeWirelessNetwork

samsoft08 · Mon Aug 27, 2007 10:27 pm

OK but whts RTFM ?? is it RT FM radio ??
anyway , the example u post is in wiki for a long time and we used it , but what we asking for is not some inventions , its things many many people wanted it before but no answers .. i wonder if you understand what we asking for ? if you do why not answering ??

GWISA · Mon Aug 27, 2007 11:36 pm

you must learn networking to work with networking, so its enough documents and forum post to find the path to you perfect config.!
no one can give you solution for your setup. i have give you primer where to start! if you dont know how to use mangle rules, or ip flow at all then ... RTFM

Zarko
SkopjeWirelessNetwork

Nicely put...

If you want a nicely packaged solution, hire a consultant.

If you want education and skills to further your abilities, hire a teacher.

If you want the same for free, hang around here and don't be so demanding...

...

samsoft08 · Tue Aug 28, 2007 1:27 am

if you want to see the most wiered forum , come here !!!!
hire a consultant !!
read the manual !!
go to training !!
read the wiki !!
so why you are here ? what are you doing ? if you need to know somthing why dont you read the manual ? or if you came here to help you are not helping at all ..

we have the manual , wiki , our knowledge , but we need other tests , what did they tried and wht they succeded with ..

all i want to know how to make the holy RouterOS to recognize the packets came directly from the internet which must be limited and the packets that came from the cache disk which we dont want to limit couse we are paying nothing for cache disk bandwidth ..

can you redirect me where in the manual or wiki ??

GWISA · Tue Aug 28, 2007 1:48 am

If you come to seek help & suggestions from other users (not trainers/teachers/consultats), you should pay more attention to the suggestions...

If you weren't so hung up on having someone spell out a step-by-step guide & thereby learn nothing yourself except how to cut & paste, you would have already watched the recommended presentation and possibly figured it out for yourself by now....

/me out

t3rm · Tue Aug 28, 2007 11:16 pm

I have fully understand the documentation wrote by Valens Riyadi in this url:
http://wiki.mikrotik.com/wiki/Queue_wit ... _Web-Proxy

But still those are not the answer. Because whether packets cached or direct, once we have set transparent proxy, all the packets from LAN side would be pushed to proxy. And from the Internet to LAN side, they would stop in Proxy first before they reach the LAN side.

There has to be another way instead of marking connection or packets.

samsoft08 · Wed Aug 29, 2007 12:31 am

dear t3rm , from the users ( suggestions ) and after deep search of the whole forum , and from the deep silence of the experts , there is no other way , sorry , may be its RouterOs limitation , u know , nothing is perfect ..

GWISA · Wed Aug 29, 2007 1:49 am

t3rm - ignore samsoft08, he is just an impatient and frustrated MT user & knows not what he says.

I don't understand why you say you can't differentiate traffic originating from the proxy from traffic from the internet?

Surely mangling on the appropriate chain should accomplish what you are trying to achieve?
If you set different marks on forward vs output chain, you should be able to manage the different traffic flows?

samsoft08 · Wed Aug 29, 2007 3:46 am

t3rm - ignore samsoft08, he is just an impatient and frustrated MT user & knows not what he says.

I don't understand why you say you can't differentiate traffic originating from the proxy from traffic from the internet?

Surely mangling on the appropriate chain should accomplish what you are trying to achieve?
If you set different marks on forward vs output chain, you should be able to manage the different traffic flows?

who can solve this mestry ???

t3rm · Wed Aug 29, 2007 7:38 pm

t3rm - ignore samsoft08, he is just an impatient and frustrated MT user & knows not what he says.

I don't understand why you say you can't differentiate traffic originating from the proxy from traffic from the internet?

Surely mangling on the appropriate chain should accomplish what you are trying to achieve?
If you set different marks on forward vs output chain, you should be able to manage the different traffic flows?

GWISA,
I think samsoft08 already got the point i'm talking about.
When you pushed your users / clients with transparent proxy, it means all of the packets from clients changed and originated from the proxy. And going to internet using proxy ip address. When the packet returns, it will be delivered to the proxy first before it reach the users / clients side.

The point is, whether the packets already cached or direct access from the internet, both are coming from the proxy ip address, not from hosts outside in Internet.

So, how can you differentiate the traffic coming directly from Internet or coming from the cached in proxy ? The answer is no.
I'm using Linux already for 8 years until now. Even in Linux, we should add patch to Squid and Linux kernel to handle this situation. You can check the documentation at http://www.docum.org

And for the URL link you posted above, i know very well the author, Valens Riyadi.
The document absolutely inrelevant with this situation. Completely different.

- Rio.Martin -

GWISA · Thu Aug 30, 2007 1:50 am

It's not your past experience I'm doubting - it's your motivation for saying this is not possible.

Maybe you can correct me here, but I don't agree with your reasoning - the traffic is not identified as originating from or destined to the proxy; but the interface, chain and source/destination IP. Traffic is not addressed to the proxy's IP, but rather trapped by it and a flow decision made.

If you consider marking traffic flowing on the forward chain, then this is traffic flowing through the router but not the proxy.
If you do the same on the output chain, then you are identifying traffic originating from and flowing out of the router's local (internal) process - i.e. the proxy.
The forward chain does not pass through the output chain.

So using connection and mangle marks, I still don't see any reason why you can't manage that traffic as you'd like to.

This page in the manual is what I am basing my argument on:

http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php

A paket can enter processing conveyer of the router in two ways. First, a packet can come from one of the interfaces present in the roter (then the interface is referred as input interface). Second, it can be originated from a local process, like web proxy, VPN or others. Alike, there are two ways for a packet to leave the processing pipeline. A packet can leave through the one of the router's interfaces (in this case the interface is referred as output interface) or it can end up in the local process.

and also

the traffic which is destined to the router itself. The IP packets has destination address equal to one of the router's IP addresses. A packet enters the router through the input interface, sequentially traverses prerouting and input chains and ends up in the local process. Consequently, a packet can be filtered in the input chain filter and mangled in two places: the input and the prerouting chain filters.

the traffic is originated from the router. In this case the IP packets have their source addresses identical to one of the router's IP addresses. Such packets travel through the output chain, then they are passed to the routing facility where an appropriate routing path for each packet is determined and leave through the postrouting chain.

routable traffic, which is received at the router's MAC address, has an IP address different from any of the router's own addresses, and its destination can be found in the routing tables. These packets go through the prerouting, forward and postrouting chains.

uol-vnet · Fri Aug 31, 2007 3:33 am

hi guys ,

while u ppl r arguing with each other ,mean while i have question ,

I think marking packets according to the wiki is 100% ok and it works as per quee tree rule . I mean the proxy traffic limit in the quee tree rule can deliver the alloted speed or unlimited
from the internel cache . that is ok . But when i make a simple quee for a single user , the cache traffic does not exist any longer like the quee tree rule . It starts maintaining the speed as per simple quee rule .

so there must be something to do with simple quee rule like one rule for local traffic and other one for overseas .can anybody help me to manage the simple quee setting to get the benifit of faster cache delivery .

thanks and hope to get some ans .

GWISA · Fri Aug 31, 2007 5:19 pm

I think marking packets according to the wiki is 100% ok and it works as per quee tree rule . I mean the proxy traffic limit in the quee tree rule can deliver the alloted speed or unlimited
from the internel cache .

Hallelujah! A believer!

If your queues stop working, it's normally due to one queue having the same or similar target rules as the other, and whichever is first in the list will override all subsequent queues.

For instance, if you use 'target addresses' in simple queues as a whole subnet (/24 for example), and a dynamic pppoe simple queue is created after that queue and the address is within the target subnet of the first rule, then the pppoe queue will not work.

Is your problem possibly caused by something like this?

uol-vnet · Fri Aug 31, 2007 8:18 pm

hI GWISA,

Thanks a lot for your reply , Actually i use individual simple queue for all clients like 180.1.7.X/32 . Because I allot bandwidth to my clients based on their payment . So My question was is there any way to make the proxy traffic delivery on lan speed while using the simple queue rule ?

NB : for your kind information, all the clients are connected on mt through DHCP (MAC BINDING).

Thanks
Zubair

t3rm · Fri Aug 31, 2007 8:47 pm

GWISA : I Give Up ....

I dont quite understand with what you re saying completely. But from all the URL of documentation you gave. None of them giving me a clue for this thread.

Perhaps it would be better if you give me an example, how if you are in my side.
Let say this one:

You have clients in 192.168.1.0/29 (LAN); 192.168.1.1 and 192.168.1.2 connected to LAN Interface in Mikrotik Router.
You have connected to your ISP with ip 165.21.1.1 in Public Interface.
You set proxy in Mikrotik to listen in port 8080.

And now, perhaps by giving me an example how you manage the situation for your connected clients (192.168.1.1 and 192.168.1.2), it would be wise.
The ISP only give to two of your clients totally 64kbps. It means each client gets 32Kbps CIR and 64Kbps MIR.
They can get 100Mbps, if the packets they requested already in cache.
Now , let me see your configuration then ..

- Rio.Martin -

GWISA · Sat Sep 01, 2007 2:39 pm

GWISA : I Give Up ....

The ISP only give to two of your clients totally 64kbps. It means each client gets 32Kbps CIR and 64Kbps MIR.
They can get 100Mbps, if the packets they requested already in cache.
Now , let me see your configuration then ..

- Rio.Martin -

Let me try - I'm too lazy to give the complete config, and normally I prefer showing someone how to fish over actually giving them the fish

:

This is how I see it working -

I assume you are using simple queues with target address of each client individually, and are not marking any protocol/port specific traffic.

In that case, then I might have two separate mangle rules for each traffic flow - one on the forward chain, and one on the output chain.
I would also add the out interface for directional control - up/down traffic.

You could also mark traffic using the !src-address as ![proxy-address] ![proxy src-port] to separate proxy traffic from Internet traffic.

Then, in the simple queues, using the target address field AND packet mark, set the limits accordingly. You could then have two queue rules for each client - one for the forward chain traffic limited with your CIR and MIR rates, and one for the output chain traffic, with higher or no limits.

If you do not want to impose any limits on cached traffic originating from the proxy, then you actually only need one queue rule - the one with the target address AND the packet mark from the forward chain mangle rule.

Make sense?

samsoft08 · Sat Sep 01, 2007 3:59 pm

t3rm , router os can do everything you can imagine ,and everything you cant imagine but you have to read , read and read the manual , dont forget between lines , after reading the manual , read it again , after that go to the manual , raed it , you'll find the solution after reading the manual , and dont expect any examples !!!! no one will give you an example for somthing he doesnt know what it is !!! may be tons of words , but examples , sorry ..

Make sense?

GWISA · Sat Sep 01, 2007 4:52 pm

t3rm , router os can do everything you can imagine ,and everything you cant imagine but you have to read , read and read the manual , dont forget between lines , after reading the manual , read it again , after that go to the manual , raed it , you'll find the solution after reading the manual , and dont expect any examples !!!! no one will give you an example for somthing he doesnt know what it is !!! may be tons of words , but examples , sorry ..

Especially not to lazy users who just copy other people's work and don't have the mettle to accomplish anything by themselves...

I'm quite prepared to help t3rm in this, but samsoft08 - you are a fool, and unless you change your forum name, you can expect the same sarcastic answers from me in the future.

I have no time for fools, but all the time in the world for people who are at least prepared to make some effort.

samsoft08 · Sat Sep 01, 2007 6:21 pm

first i'm not a fool , and no one here is a fool , second if you have the courage and not afraid from laughing on you you would write some lines as an example , if you DARE !!!!! if you just understood what we need in first place , instead of silly , unpolite talking ..

GWISA · Sun Sep 02, 2007 12:57 pm

if you DARE !!!!! ..

oh puh-lease.... I remember this kind of challenge from my junior school days...

t3rm · Sun Sep 02, 2007 10:19 pm

GWISA:

I have done as you said in your post above.
The results:

1. Packets for Web Traffic always filled chain OUTPUT in mangle. Mikrotik cant differentiate whether the packets are from Internet or from Cache Disk. They both transferred to users from Mikrotik Proxy Port (eg: 3128) to Users Side. Both of packets, whether from Internet or Cache Disk, using the same port.
Mikrotik absolutely CANT differentiate these connection.

2. Packets filled chain FORWARD in mangle only if you use other ports connection, like Email (SMTP or POP3), DNS, etc.

In your mind, you must be thinking that the Web Traffic packets come directly from Internet would be using FORWARD chain in mangle and Cached data would be using OUTPUT chain. Thats wrong.

Your concept has been proved, and too bad, not works.

If you said you succeed with this one, please share your setting configuration.
There are no other way to transfer knowledges for this one except share the information.

Thanks

- Rio.Martin -

GWISA · Mon Sep 03, 2007 12:37 am

Fair enough - I choose to disagree with you. and can prove it using a few simple mangle rules:

 chain=forward action=jump jump-target=not-proxy out-interface=ether1 
     src-address=!192.168.1.2 src-port=!3128 protocol=tcp 

chain=output action=jump jump-target=proxy out-interface=ether1 
     src-address=192.168.1.2 src-port=3128 protocol=tcp

chain=proxy action=mark-connection new-connection-mark=proxy passthrough=yes 
chain=not-proxy action=mark-connection new-connection-mark=not-proxy 
     passthrough=yes
chain=proxy action=mark-packet new-packet-mark=proxy-flow passthrough=no 
     connection-mark=proxy

Just to be sure, I add this first in the list to prove my first rule:

chain=forward action=add-dst-to-address-list src-address=192.168.1.2 
     src-port=3128 protocol=tcp address-list=proxy-fwd-dst address-list-timeout=5m

And run my tests browsing from a PC running dude (what I expect to be forward chain/non-proxy traffic) I see the following results:

Cache-counter on the proxy increments as I browse, as do the hit counters.
/ip firewall connections shows clear differentiation between connections to known local IP's from the Dude monitoring marked as non-proxy, and those originating from 192.168.1.2:3128 to the test machine marked as proxy when the test machine was set to address the proxy.
Connections still marked as proxy direct to Internet IP when browser set to detect proxy automatically.
No hits on my proof rule
Monitoring traffic statistics on not-proxy rule shows correlation with torching - +/- 40kbps constant trickle of network monitoring traffic, and 140kbps-250kbps spikes on proxy rule when browsing.

As far as I am concerned this clearly shows MT can easily separate proxy from non-proxy traffic, and I am 100% sure this is working correctly - comments otherwise always welcome, as long as they are constructive of course...

samsoft08 · Mon Sep 03, 2007 2:00 am

sure its 100% correct , its similar to the example in the wiki , except in the wiki he marks packets coming out from the proxy directly without connection marking ..
we know that router os can deal with the difference , the question is not this difference..
I found an amazing explanation for packet flow so simple and so helpful its :
http://mum.mikrotik.com/presentations/2 ... traweb.pdf
and this page will show our case :

our case is : packets in (3) = packets in (2) + packets from cache disk
correct ?
now the question is how to seperate marking packets in (3) ? to give packets from the cache disk unlimited bandwidth ?
is it possible ? or its not ? if its not ..ok no problem we'll accept it ..

GWISA · Mon Sep 03, 2007 2:48 am

sure its 100% correct , its similar to the example in the wiki , except in the wiki he marks packets coming out from the proxy directly without connection marking ..
we know that router os can deal with the difference , the question is not this difference..
I found an amazing explanation for packet flow so simple and so helpful its :
http://mum.mikrotik.com/presentations/2 ... traweb.pdf

Well - that is the exact same presentation I suggested you watch in the beginning of this thread... in pdf format.
With connection marks - without - whatever... if you mark the connections at least you can track them visually...

our case is : packets in (3) = packets in (2) + packets from cache disk
correct ?

I don't think so - It should read:

packets out (3) = packets in (2) = packets from cache disk (and other local processes)
and
packets out (4) = packets in (1) + packets from cache disk

now the question is how to seperate marking packets in (3) ? to give packets from the cache disk unlimited bandwidth ?

You don't - you seperate them at (3) and a missing identifying mark on the forward chain (call it 2.5?).
Why do you keep ignoring the forward chain vs the input & output chains?
What is your test scenario to prove that it does not work?

samsoft08 · Mon Sep 03, 2007 3:14 am

samsoft08 · Mon Sep 03, 2007 3:24 am

i'm not ignoring forward .. i know its the direct connection ..
if you start downloading a file which is not exist in the cache disk ,then in mangle can you just watch where would be the increasing rate ??? it is in the proxy marking !!!
if you start downloading another file which is in the cache disk , then in mangle can you just watch where would be the increasing rate ??? it is in the proxy marking !!!
so both files whether exist or not exist in cache disk , thier packets will come out from the proxy *... but we want to give the first case limited rate and for the second case unlimited rate .. how can we know the difference ??

* a new file has to get in the local process to be saved on cached disk , so the new files and the cached one both will come out from the local process ( proxy ) ..

packets out (3) = packets in (2) = packets from cache disk (and other local processes)

when you say (2) is equal to (3) you ignored all packets came out from the local process ( cache disk )

GWISA · Mon Sep 03, 2007 11:46 am

OK - I see the problem now and have confirmed that all http traffic flows through the proxy, cached or not.

I have not yet had the time to look for methods of separating them, but I'm sure with some creative mangling between input & output chains, we can come up with something here.

Some sort of if-then type logic... (if traffic is input & output then limit; if traffic is output only then don't)?

samsoft08 · Mon Sep 03, 2007 12:51 pm

nice , but in the presentation i mentioned above , he said we cannot ..

t3rm · Mon Sep 03, 2007 6:57 pm

Thanks God

Finally GWISA understand ..

hulk-bd · Mon Sep 03, 2007 7:43 pm

Hi everybody, Hope all r doing fine. I have been reading this forum since few years but didn't join in. I think maybe this is the time to join the game

.

Ok alright you people r arguing about the cache in your MT OS whether the cache object can go with the lan speed or the cache would bind in your simple queueing which you make for your users. Am I right about your argument here? If yes then I have made a solution for it after reading this topic.

And I'll give my solution here ASAP before you people going to kill each other. Huh huh huh just joking. I know I'm new here as a forum user but I promise you about this solution. Now I'm bit busy I'll give my solution within 24 hours.

Thank you all.

Hulk-BD

npbrasil · Tue Sep 04, 2007 5:07 am

Hi! The solution is in 3.0 version. Change tos from "hits" in the proxy - Cache Hit DSCP (TOS) - option in web-proxy general settings, then mangle or anything. In version 2.9 or prior is not possible.

GWISA · Tue Sep 04, 2007 9:54 am

Thanks God

Finally GWISA understand ..

I neglected to assume one important bit of (missing) information - http traffic!

But it was an interesting exercise nonetheless... and it seems we have a solution to test now...

janisk · Tue Sep 04, 2007 10:24 am

training is the solution in this case - you have to know what you are doing and then it can be easily done using RouterOS, some things will ask more effort and more configuration rules, but over all everything can be done.

see our consultant list and pay them for complete solutions:
http://www.mikrotik.com/consultants.html

GWISA · Tue Sep 04, 2007 10:39 am

training is the solution in this case - you have to know what you are doing and then it can be easily done using RouterOS, some things will ask more effort and more configuration rules, but over all everything can be done.

see our consultant list and pay them for complete solutions:
http://www.mikrotik.com/consultants.html

Although I always advocate this, in this case I'd like to figure it out myself - what with me having completed two MT courses over the past 3 years or so...

or I'll wait a few hours and see what transpires here:

And I'll give my solution here ASAP before you people going to kill each other. Huh huh huh just joking. I know I'm new here as a forum user but I promise you about this solution. Now I'm bit busy I'll give my solution within 24 hours.

I think the killing time has passed?

hulk-bd · Tue Sep 04, 2007 3:27 pm

Hi guys,

I'm here again. Ok first of all I want to say that the problem with the cache flow from the MT OS can be solved very easily. And you don't have to put so many mangle and queueing rules. I think you all would be surprised to read that, but it’s true and I have done it in my network.

You can think this is not a good idea but it works, the main thing is that you have to use 2 MT OS for that solution. And for me this is the perfect solution to divide cache packet from your server and raw packet direct from Internet. Ok you just have to make your first MT OS as usual with all the mangle, firewall and queue rules but don’t enable your web-proxy in your first MT OS, then install 2nd MT OS without any mangle and other configuration stuffs just make that MT OS as a web proxy server. I mean enable web-proxy with transparent option and in firewall NAT just redirect port 80 to your web proxy port like 3128. You don’t have to make any masquerade rule in the 2nd MT OS.

Ok, let me tell you briefly. In the first MT OS you have to link a connection from local interface to the 2nd MT OS public interface and then link another connection from the 2nd MT OS local interface to your network. So it’ll be like:

1. From 1st MT OS the main WAN connection will link to the MT OS public interface and from the local interface the link will connect to the 2nd MT OS public interface and from the 2nd MT OS, link will go from local interface to the user network.

2. Make a bridge in the 2nd MT OS with the local and public interface and put one of your local IP in the bridge interface now. Make a simple queue for your whole local network like target address = 192.168.1.0/24 and you can put unlimited bandwidth rate here. Make another sample queue in the 1st MT OS for the 2nd MT OS IP like: queue rule for ip address = 192.168.1.2 (2nd MT OS bridge IP)

3. Then make a dstnat with Src.address= 192.168.1.0/24 (your local network address range) protocol: 6(tcp) dst.port: 80, Action: redirect port: 3128 in the 2nd MT OS.

I think that’s it, your users will get the raw bandwidth (Direct from Internet) from the 1st MT OS and get the cache bandwidth from the 2nd MT OS. Another thing don’t make any redirect nat rule in the 1st MT OS. And I think you all know other basic configurations. I don’t know if I can make myself clear here or not, but if you are smart enough then I think you’ll get my point.

If you have any questions plz let me know

Thanks

Hulk-bd

hulk-bd · Tue Sep 04, 2007 4:18 pm

Another thing, I forget to tell you about that, you must put the DNS address in the 2nd MT OS like: 1st DNS: 192.168.1.1 (local DNS) 2nd DNS your main DNS address which is provided from your main ISP or VSAT link.

Thanks

Hulk-BD

samsoft08 · Tue Sep 04, 2007 9:22 pm

see our consultant list and pay them for complete solutions:

as always cheap advertising !!

but over all everything can be done.

non real life talking , non scientific at all , we heared that talk since the early versions of router os , if it was true so why UPGRADING ???????????? if that was true it means 2.1 is equal to 3rc4 ????????

and using 2 MT's prooved that router os can't recognize these traffics ..

samsoft08 · Tue Sep 04, 2007 9:41 pm

Hi! The solution is in 3.0 version. Change tos from "hits" in the proxy - Cache Hit DSCP (TOS) - option in web-proxy general settings, then mangle or anything. In version 2.9 or prior is not possible.

maybe this is a solution , if we use output chain ,out interface = local , TOS = 4 !!!

hulk-bd · Tue Sep 04, 2007 10:21 pm

Hi guys,

I don't know if I can make myself clear or not but I'm again forget another thing which is important to put in

you have to put the gateway address in the 2nd MT OS like:

if your network address range is 192.168.1.0/24 then gateway should be 192.168.1.1 from you 1st MT router OS, so you have to put that gateway address in your 2nd MT OS IP>ROUTES>your gateway address.

I hope my solution will help you out from this problem though it's have to install 2 MT Router OS.

Thanks and take care all

Hulk-bd

npbrasil · Wed Sep 05, 2007 1:50 am

" maybe this is a solution , if we use output chain ,out interface = local , TOS = 4 !!! "

Yes samsoft08! You can change the tos for any allowed value and mangle in the correct chain. I don't think other form of separating the cache hits without the signalling of the internal process. I think that was the idea when the mikrotik team put that function in the web-proxy package.

samsoft08 · Wed Sep 05, 2007 3:31 am

Well i did some test , i think its working great ... when some file exist in the cache disk beeing downloaded its not effect the MAX limit of the direct internet downloading .. so cool .. but i have one question , is there any other kind of packets with TOS = 4 ?? i dont know about TOS , so if yes it will be a problem , i mean if any direct packets from the internet with TOS =4 ..
thanks npbrasil for your great help , and i'm waiting for an answer for my question because its an important point as i think ..

npbrasil · Wed Sep 05, 2007 4:59 am

More about TOS: http://www.mikrotik.com/testdocs/ros/2.9/ip/mangle.php
" is there any other kind of packets with TOS = 4 ?? "
Yes, is possible, but you can change the tos value of the packet in input proxy direction, then only the cache hits will have the tos = 4 (in the proxy out)

GWISA · Wed Sep 05, 2007 10:17 am

This is great - constructive input all around!

So samsoft08 - have you got this working with 2.9? Seeing as the TOS option has been there all along....

samsoft08 · Wed Sep 05, 2007 11:19 am

no its working with me on v3rc3 , i dont know how it can work on 2.9 ?

samsoft08 · Wed Sep 05, 2007 12:15 pm

I made a rule to check if any packet coming from the internet with TOS =4 , for hours its = 0 , but I wonder if TOS may change by internal processing ( any process except cahce ) ??

GWISA · Wed Sep 05, 2007 1:55 pm

no its working with me on v3rc3 , i dont know how it can work on 2.9 ?

With the same TOS setting of 4?

samsoft08 · Wed Sep 05, 2007 8:36 pm

i don't know if the packets generate from the cache disk in 2.9 have TOS=4 !!! couse i never know about TOS , I read there are 4 kinds of TOS from the manual , but i didnt work with it before ..

GWISA · Thu Sep 06, 2007 10:21 am

hmmm.... just a thought now - can we use the change-TOS function for traffic re-directed to the proxy?

hulk-bd · Thu Sep 06, 2007 2:48 pm

Hey guys,

Hope you are find a real good solution with TOS, actually I don't know much about TOS. have anyone tried my solution yet? or I'm talking bullshit here!!!

Peace

janisk · Thu Sep 06, 2007 4:13 pm

i just wanted to say - that you have to take into account from where traffic originates

so, if you have set up caching and your proxy is answering you that traffic is on the outgoing chain, if you get that data directly you get it from forward chain, knowing that you can build your solution using your own knowledge and it is not that hard.

but stating that it cannot be done is completely wrong - maybe for someone that is impossible to achieve, thats why Mikrotik have consultants available worldwide and by sending people to consultant Mikrotik is not gaining anything and everything stays between you and consultant of your choice.

and to configure RouterOS effectively you have to know packet flow of RouterOS and networking as configuration language of RouterOS is very easy to understand and get used to. If you lack that knowledge that is your problem, not our. That is why a lot of training courses are available through-out the world, so everyone can become consultant.

GWISA · Thu Sep 06, 2007 6:23 pm

yes yes - we've been through all that and proved that that is NOT the case...

Training has been done (you would have seen if you read the thread).
With proxy enabled AND a firewall redirect rule, ALL http traffic flows THROUGH the proxy - other traffic does not.

Have a look at the rest of the thread and see what we have been through already...

Please don't hijack what has become a constructive discussion just to advertise your services...

samsoft08 · Sat Sep 08, 2007 9:20 pm

Please don't hijack what has become a constructive discussion just to advertise your services...

i agree , couse we solve this issue after a long discussion :

add action=mark-packet chain=output comment="CACHE" disabled=no dscp=4 new-packet-mark=cache-packets \
    out-interface=(local)  passthrough=no

hulk-bd · Sun Sep 09, 2007 7:57 pm

O MAN, my solution is working like hell, it's really do. Just do what have i told you before with 2 MT OS and see what is the result, and I don't know why you people don't interested in my web-proxy solution with 2 MT OS?

But I'm 100% sure about my solution.

Take care

GWISA · Mon Sep 10, 2007 1:59 am

I don't know why you people don't interested in my web-proxy solution with 2 MT OS?

I'm thinking if we find a way to make it work with one ROS, why waste resources & use two?

hulk-bd · Mon Sep 10, 2007 7:03 pm

If we can do with 1 MT OS then it'll be the best solution, but haven't found any thing like it, am I right? so plz find a solution with 1 MT OS from where we can get the bandwidth from our web proxy cache as like our LAN speed.

Thanks

samsoft08 · Mon Sep 10, 2007 9:19 pm

hello , i dont know if read my past topic or not ? it has been solved my friends , and i'm monitoring the results , and it is perfect ..
its by marking traffic coming from proxy with TOS = 4 , its the traffic generated in local process ( hard disk cache ) ..
for example i downloaded a file for the first time , my Q limit reachs the max limit ( red ) , and its the same value i can see in tourch , downloading the file for the second time in tourch it's more than 1.5M/s while my Q still at about 25k/s , i repeated the test many many times and i can see how successfull is this way ..
here is the rules i wrote :

Mangle : first rule in mangle

add action=mark-packet chain=output comment="CACHE" disabled=no dscp=4 new-packet-mark=cache-packets  out-interface=(Local) passthrough=no

Simple Q : first rule in simple Q

add comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=10000/20000 \
    max-limit=30000/3000000 name="CACHED-PACKETS" packet-marks=cache-packets parent=none priority=3 \
    queue=pcq-upload/pcq-download target-addresses=192.168.1.0/24 total-queue=default-small

and i will post some capture images of the result..

offcourse thanks to npbrasil

Hi! The solution is in 3.0 version. Change tos from "hits" in the proxy - Cache Hit DSCP (TOS) - option in web-proxy general settings, then mangle or anything. In version 2.9 or prior is not possible.

hulk-bd · Tue Sep 11, 2007 1:00 am

Dear samsoft08,

Happy to know you have solved the problem, but have you done it with 2.9.46 version or you used Ver.3.rc? Cause ver3.3-4rc is not stable version so far. this version has so many bugs right now and can't use this version right now.

regards

GWISA · Tue Sep 11, 2007 1:59 am

Is there an echo in this room?

samsoft08 · Tue Sep 11, 2007 3:43 am

offcourse thanks to npbrasil

Quote:
Hi! The solution is in 3.0 version. Change tos from "hits" in the proxy - Cache Hit DSCP (TOS) - option in web-proxy general settings, then mangle or anything. In version 2.9 or prior is not possible.

which version is stable in your opinion ?? why do you upgrade before untill you reach v 2.9.46 ?

samsoft08 · Tue Sep 11, 2007 3:50 am

this is a sample image for what happen when i downloaded a file exist in the cache drive , the file is dude.exe , my total VSAT download is 512k/s , and i can reach 1.5M as showen whithout any effect to my Q limit , my internet bandwidth still nearly empty ..

[/img]

hulk-bd · Thu Sep 13, 2007 12:44 am

Dear Sam, so are you comfortable with the MT OS Ver.3.4rc, cause you told in another topic that you are having PC hung problem too, maybe the Ver.3.4rc is causing that problem.

samsoft08 · Thu Sep 13, 2007 8:12 am

no i didnt say i'm 100% comfortable with v3 , there is some bothering things in winbox , like its not saving settings in its windows , i mean when i choose the columns i want to apear , it wint next time i open the same window in winbox , thats all i'm facing in winbox right now ..
pc hang up , it exist since i was running 2.944 ,2.945 , 2.946 , i still cant figure out the reason ..
but for what i did with cach packet marking , i'm so pleased with it , really ..

pokeman · Thu Sep 13, 2007 8:52 am

hello , i dont know if read my past topic or not ? it has been solved my friends , and i'm monitoring the results , and it is perfect ..
its by marking traffic coming from proxy with TOS = 4 , its the traffic generated in local process ( hard disk cache ) ..
for example i downloaded a file for the first time , my Q limit reachs the max limit ( red ) , and its the same value i can see in tourch , downloading the file for the second time in tourch it's more than 1.5M/s while my Q still at about 25k/s , i repeated the test many many times and i can see how successfull is this way ..
here is the rules i wrote :

Mangle : first rule in mangle
Code: Select all
add action=mark-packet chain=output comment="CACHE" disabled=no dscp=4 new-packet-mark=cache-packets  out-interface=(Local) passthrough=no
Simple Q : first rule in simple Q
Code: Select all
add comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=10000/20000 \
    max-limit=30000/3000000 name="CACHED-PACKETS" packet-marks=cache-packets parent=none priority=3 \
    queue=pcq-upload/pcq-download target-addresses=192.168.1.0/24 total-queue=default-small
and i will post some capture images of the result..

offcourse thanks to npbrasil
Hi! The solution is in 3.0 version. Change tos from "hits" in the proxy - Cache Hit DSCP (TOS) - option in web-proxy general settings, then mangle or anything. In version 2.9 or prior is not possible.

hello dude

i am using 2.9.27 its works with this version ?

valens · Thu Sep 13, 2007 12:47 pm

Hello all friends.....!

I just know this interesting discussion. Quite surprise, my wiki topic, and also my pdf become reference on this topic. My presentation is based on MT ver 2.9, and once again, it's not possible to know which traffic is MISS and which traffic is HIT.

I'm glad in ver 3.0 we can do that. I haven't try in my lab to use TOS, but I imagine, it should work. I suggest this kind of solution also in ver 3.0 wishlist, but not many people vote for it. But I'm glad MT make it.

Thank you again for all friends here for the good discussion, specially for npbrasil. I think it's the time to revise my page on the WIKI

t3rm · Thu Sep 13, 2007 7:47 pm

Valens:

Take the google: Iptables+DSCP
The magic is in DSCP

Version 2.9.x didnt have DSCP. So it wont work.
I guess your Wiki and PDF should be update.

hulk-bd · Sat Sep 15, 2007 3:20 pm

Hello Friends,

Hope all are fine. I have told you that my solution about web-proxy was working 100% but sorry to say it's not. So I should let you people know that it's not 100% ok, I'm having few problems after I have installed another MT OS as a web proxy between my local network n main MT router, the browsing speed is Reduced but the download is having full lan speed. I have worked on it, changed few configurations but not happy with it. And now I'm sure I have to wait for the final MT OS VER.3 to have my web proxy in my main MT router. Thanks Samsoft for your help here I'll do it as you have done in your MT OS.

Thanks n Take Care

valens · Mon Sep 17, 2007 9:30 am

wiki is updated using TOS setting.

http://wiki.mikrotik.com/wiki/Queue_wit ... _Web-Proxy

emmanuel · Fri Sep 21, 2007 6:49 pm

TOS setting of 4 is not working in 3.0rc5 pl chcek it out

hulk-bd · Fri Sep 21, 2007 6:58 pm

emmanuel wrote: TOS setting of 4 is not working in 3.0rc5 pl chcek it out

Yes emmanuel you are right, TOS 4 is not working in my MT (3.0rc4n5) too.

skillful · Fri Sep 21, 2007 7:17 pm

I have ROS 3.0RC5 and the DSCP TOS 4 setting is working fine. Maybe you need to hire a consultant to configure your router for you.

[admin@gccl-gateway] /ip proxy> pr
enabled: yes
src-address: 0.0.0.0
port: 3128
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: secondary-master
cache-administrator: "*******"
max-cache-size: 11828000KiB
cache-on-disk: yes
maximal-client-connections: 1000
maximal-server-connections: 1000
max-fresh-time: 3d
serialize-connections: no
cache-hit-dscp: 4

/ip firewall mangle 
add action=mark-packet chain=output comment="cached packets" disabled=no \
    dscp=4 new-packet-mark=cached out-interface=!wan passthrough=no

/queue simple
add comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all \
    limit-at=0/0 max-limit=0/0 name="cached" packet-marks=cached parent=none \
    priority=8 queue=default-small/default-small \
    target-addresses=192.168.0.0/16 total-queue=default-small

emmanuel · Fri Sep 21, 2007 7:46 pm

skillful when is working in 3.0cr4 is there any compliant and look am not the only person say that ok

hulk-bd · Sat Sep 22, 2007 7:50 am

skillful wrote:Maybe you need to hire a consultant to configure your router for you.

Hey, what do u think u r? Am I sounds like a dump shit?!!

hoga dea boirademu howwar poola.

Thanks

marcelocbf · Mon Sep 24, 2007 4:51 am

Hello guys,

I was looking exactly for this solution ... because I need to implement a web-proxy cache in my MTOS (2.9.XX) and I was dealing in how to differenciate both traffic (Internal and Internet) for my customers ... After reading all the posts and happy with the peace achieved

I still have one question ...

Who acess the internet ?????? I mean, who requests the HTTP traffic from the internet ? The web-proxy or my customer ?

Because, please correct me if I'm wrong ... If all the HTTP traffic is redirected to the proxy, and if the proxy detects that the it doesn't have what is requested in the cache and pulls from the internet, The proxy is who is consuming the bandwidth ... so there is no need to change TOS, queue the customer's HTTP traffic. I should cap the web-proxy's traffic right ? If this it true, I would need a PCQ queue for the web-cache instead, right ?

If I'm correct, I don't need to differentiate both traffics, as the tcp traffic is connection-oriented, it's gonna be slowed down itself as the web-cache doesn't serve it at the speed it expects ...

Please help me understand ...
If my customer has a cap of 64k and downloads a 3MB file for the first time. In the v3.0Rcxx, the proxy detects it is not a cache hit and do not change the TOS. So, with the queues properly configured my customer will have the 64k cap on the traffic coming from the web-proxy and the web-proxy will download the file at my full link speed (if I don't have a specific queue, right ?) If it is in the cache, the web-proxy change the TOS to 4 (for example) and gives full speed on the webproxy<->customer connection and there is no download needed from the internet ...

But my problem is ... if I have 10 customers downloading each one different 100MB files. They will not notice increased speed, because it is the first time the file is downloaded. My connection will be clogged up by the 10 web-proxy full-speed downloads, as well as all my other customer's connections ... SMTP, FTP, VPN, Voice, etc ...

Can someone help me understand if this is true ? Actually ... answering my first question resolves this issue ...

Thanks in advance guys,

laze81 · Mon Sep 24, 2007 5:08 am

Thx samsoft08

))))))) wark for me in v3.0rc5

omega-00 · Tue Sep 25, 2007 4:05 am

Perhaps this should be added in as part of the automatic configuration of the web-proxy package when enabled.

pokeman · Mon Oct 01, 2007 1:27 pm

hello

can anyone guide me how can i do this on my linux machine i have 700 clients i switch my clients on MT but not running fine and getting lots of system resources . thats way i want to done on linux distro

mac86 · Wed Oct 03, 2007 3:40 am

Hi,

If you check this old post:

http://forum.mikrotik.com/viewtopic.php ... 334&hilit=

you can see that I've asked this web-cache issue last year (without reply).

Also, I asked this on my last Mikrotik training and get no answer

This is Not possible with 2.9.x routeros (at least until 2.9.46).

With routeros 3.0 you can do it , as wiki article said

how ever , routeros 3 is unestable yet.

In order to mark HIT OBJETS, I use a Linux box , with squid patched
with:

http://zph.bratcheda.org

This is the *only way* to get HIT cache objets with unlimited rate,
on routeros 2.9 series.

HIT objects are marked with ToS on squid configuration.

a MT rule on mangle table, can sent that objects to a simple (and unlimited) queue.

Regards...

pokeman · Thu Oct 04, 2007 2:28 pm

thanks mac
i am apply this on my linux box i am getting some error .please check your email

waiting your positive response

laze81 · Sat Oct 06, 2007 1:33 am

Hi,

If you check this old post:

http://forum.mikrotik.com/viewtopic.php ... 334&hilit=

you can see that I've asked this web-cache issue last year (without reply).

Also, I asked this on my last Mikrotik training and get no answer

This is Not possible with 2.9.x routeros (at least until 2.9.46).

With routeros 3.0 you can do it , as wiki article said

how ever , routeros 3 is unestable yet.

In order to mark HIT OBJETS, I use a Linux box , with squid patched
with:

http://zph.bratcheda.org

This is the *only way* to get HIT cache objets with unlimited rate,
on routeros 2.9 series.

HIT objects are marked with ToS on squid configuration.

a MT rule on mangle table, can sent that objects to a simple (and unlimited) queue.

Regards...

to get HIT cache objects with unlimited rate
get some nice motherboard with Intel chipset p4 dual core Intel 2gb ram and RAPTOR SATA HDD
MT 3.0 (now it's baggy but work fine for me
u'll get what u wont

pokeman · Tue Oct 16, 2007 7:57 pm

thanks mac86

for your give hint . i make posible this to my linux box !

over 20 mb wan link and 2000 users are running well since 3 days ! thanks again

marko_bg · Sun Oct 21, 2007 1:42 am

Hi samsoft08,

tos work for me fine in 3.0rc7,

but I need to make one more rule, ...

I need to make rule for noncached traffic , like this ...

user have 256kbps with 1mbps burst limit, ...

I make PCQ with 256kbps for non cached traffic, and it's work.

but how to make burst limit on that , if I make burst limit in General , this is for all user total,
an I need for each user , this: http://forum.mikrotik.com/viewtopic.php?f=2&t=19264

any idea ?

hulk-bd · Sun Oct 21, 2007 2:17 pm

To samsoft,

Dear sam, I couldn't do it as you given your solution with MT OS V3, all work fine except the proxy cache HIT ratio as LAN speed, I mean I can't download things as lan speed but if I desiable my simple queue then I can download things as lan speed. your given simple queue is not working:

Simple Q : first rule in simple Q

Code:
add comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=10000/20000 \
max-limit=30000/3000000 name="CACHED-PACKETS" packet-marks=cache-packets parent=none priority=3 \
queue=pcq-upload/pcq-download target-addresses=192.168.1.0/24 total-queue=default-small

Can you help me out, or it is not possible with MT OS??!!

marko_bg · Sun Oct 21, 2007 2:40 pm

hulk-bd,

you must put this in first simplequeue (sam rule): limit-at=0/0 max-limit=0/0 ,

and if you need, in PCQ rule make lan speed, or put 0, if you make lan speed on other MT.

and you must put one more rule , second ,with speed for noncache traffic .

like this:
name="cached" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=cached direction=both
priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small

name="no_cached" dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8
queue=512k_PCQ_upload/512k_PCQ_download limit-at=0/0 max-limit=0/0 total-queue=default-small

I have only Proxy on this MT, an I have only this 2 rules.

samsoft08 · Sun Oct 21, 2007 2:51 pm

you must put this rule as the FIRST rule in the simple Q list , or its not working for each rule above it ..
and you have to be sure that you mangle correctly any hit packet ..
its working and its so simple , although i cant run web-proxy with V3 couse the system will freez after some hours , i hope you guys help me to find out whts the problem , i tested 3 different hardware , it freezes after some hours .....

marko_bg · Sun Oct 21, 2007 3:08 pm

I have diferent question,

proxy can not cache msn and yahoo ?

this sites not suport cache or I make mistake in setup ?

samsoft , did you have 2 hdd, one for sistem one for cache ?

mac86 · Sun Oct 21, 2007 4:43 pm

Hi Pokeman!

for your give hint . i make posible this to my linux box ! over 20 mb wan link and 2000 users are running well since 3 days ! thanks again

Very very good ...!!

Have you tested Mikrotik web proxy (on RouterOs 3.x) ?

samsoft08 · Mon Oct 22, 2007 2:10 am

to marko_bg : yes 2 hdd .

to ALL : anybody tested web-proxy in V3 for more than 1 day ?

hulk-bd · Mon Oct 22, 2007 3:18 am

Thanks a lot guys, I didn't put that rule in the first place, ok now I think it'll work. Samsoft I'll let you know about web-proxy in ver.3 after 2 days. cause I have to run it 2 days long which you are complaining about.

Thanks

hulk-bd · Tue Oct 23, 2007 10:33 am

Hi Dudes,

I'm here again with a question

, First to Samsoft: thank you for your configuration, it is working fine I'm running my MT OS Ver.3rc7 with web proxy near a day and not yet facing any hung problem, if I find any I'll inform you. I see a disadvantage with Ver.3 web proxy and that is we can't put any max object size here and that's why when I download a file size more then 15 MB it can't be cached by web proxy now but with the older ver2.9 web proxy we can put the max object size like 24 MB and can have file cached with 24 MB size. like with Ver2.9 web proxy I can cache MSN installer (18 MB) and I can download the file from proxy cache but I can't do that with ver.3 web proxy. It can cache small files size like 3 to 5 MB max I think.

Any one think about it?

To Dear MT Programmer team can you put max object size in your new web proxy?

I think it'll be very helpful.

Thanks n Regards

samsoft08 · Wed Oct 24, 2007 1:14 am

dear hulk-bd , about your test , how many users were online ? or it was only you testing ? i tested different hardware BUT with the same RB44 lan card !!!! every time the system will freez , i need caching web pages , so its so important to me ..

mps01k · Wed Oct 24, 2007 1:49 am

i have the above setup running on 3.0vr6

and it works well. it does save msn download for me.. really cool. i have tried with up to a 24mb file and worked fine, cant figure out how to make it save youtube tho.

i have it running on 6 servers at the moment for up to 3 weeks on the very first one and have had no problems exept on the server with 6 gb it overflowed and killed my usermanger database and i had to reinstall usermanger database.

config is : p3 1ghz 256ram 6gb dell 512k/1544k (satelite) 60 users
p4 3.2 512ram 80gb clone 2M/2M(fiber) 50 users
p3 400mhz 128 ram 20gb dell 512k/1024k (microwave 45miles to fiber) 30 users
celron 2.4 512ram 40gb 512k/512k (microwave 80miles to fiber) 20 users
p3 1ghz 256ram 10gb dell 512k/512k (microwave 80miles to fiber) 35 users
p3 1ghz 256ram 10gb dell 512k/2048k (satelite) 38 users

hulk-bd · Wed Oct 24, 2007 9:55 pm

Dear mps01k,

Can you please give your web proxy setting here, It'll be very helpful. Cause I can't download big files from my web proxy cache, I don't know what is wrong.!!??

Regards

mps01k · Wed Oct 24, 2007 11:02 pm

enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: system
cache-administrator: "webmaster"
max-cache-size: 4037000KiB
cache-on-disk: yes
maximal-client-connections: 400
maximal-server-connections: 150
max-fresh-time: 3d
serialize-connections: no
cache-hit-dscp: 4

emersonmillnitz · Wed Feb 13, 2008 3:22 pm

Hello,

Is possible this solution with 02 links with LoadBalance for service?

rajeshrouthu · Thu Mar 11, 2010 9:09 pm

i configured proxy but our customers accessing with defined speed like 64k and 128k , how to get lan speed for cache files..

config is...

ip >address>

# ADDRESS NETWORK BROADCAST INTERFACE
0 10.10.1.1/24 10.10.1.0 10.10.1.255 LAN
1 202.153.41.26/29 202.153.41.24 202.153.41.31 WAN
2 10.10.6.1/30 10.10.6.0 10.10.6.3 LAN
3 10.10.2.1/24 10.10.2.0 10.10.2.255 LAN
4 192.168.1.1/24 192.168.1.0 192.168.1.255 LAN
5 X 10.10.9.1/24 10.10.9.0 10.10.9.255 LAN
6 10.10.5.1/24 10.10.5.0 10.10.5.255 LAN2
7 10.10.8.1/24 10.10.8.0 10.10.8.255 LAN2
8 10.10.10.36/24 10.10.10.0 10.10.10.255 LAN2

ip>nat>

1 chain=srcnat action=masquerade src-address=10.10.1.3

2 chain=srcnat action=masquerade src-address=10.10.1.4

3 chain=srcnat action=masquerade src-address=10.10.1.5

4 chain=srcnat action=masquerade src-address=10.10.1.6

5 chain=srcnat action=masquerade src-address=10.10.1.7

6 chain=srcnat action=masquerade src-address=10.10.1.8

7 X chain=srcnat action=masquerade src-address=10.10.1.9

8 chain=dstnat action=redirect to-ports=3128 protocol=tcp in-interface=!WAN dst-port=80 dscp=4

ip>proxy>
enabled: yes
src-address: 0.0.0.0
port: 3128
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-administrator: "webmaster"
max-cache-size: unlimited
cache-on-disk: yes
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-drive: secondary-master
IP>proxy>cache>
# DST-PORT DST-HOST PATH METHOD ACTION HITS
0 *.mp3 allow 4098
1 *.avi allow 4
2 *.mpg allow 28
3 *.flv allow 359
4 *.jpg allow 258930
5 *.gif allow 171895
6 *.png allow 89746
7 *.wav allow 0
8 *.wmv allow 70
9 *.exe allow 367
10 *.mp4 allow 20
ip>firewall>mangle

chain=output action=mark-packet new-packet-mark=cache-packets passthrough=no out-interface=!WAN dscp=4

que>simple>
name="queue165" target-addresses=10.10.0.0/16 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=cache-packets direction=both priority=3
queue=default-small/default-small limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small

I am using 3.22 ROS,,,

avung · Sun Oct 16, 2011 5:28 pm

anyone have configuration powerfull internal web proxy include mangle for routeros 5.5
thanks

Who is online