What do you think about the MikroTik RouterOS Manual?

It's confusing.
1 (5%)
It's badly written.
No votes
It doesn't have enough examples.
6 (27%)
It doesn't have enough examples. And It's confusing.
6 (27%)
It didn't help me much...
1 (5%)
They could make it much much better.
5 (23%)
I'm an experienced Linux sysadmin so I didn't have any problems with it at all.
3 (14%)
 
Total votes: 22
 
dot-bot
Member Candidate
Topic Author
Posts: 164
Joined: Tue Oct 11, 2005 7:05 pm

config MT with PPPoE, bandwidth control etc.

Tue Feb 07, 2006 10:50 am

There are a Local Network and an ISP Network coming to MT:
Local Network: on ether2 - 10/100Mbit LAN 192.168.0.0/24
ISP Network: on ether1 - 10/100Mbit LAN with PPPoE service, no IP address on the interface required.
There are three "users" connecting to MT via local ether2, which means three PCs, each with its own MAC address (no authentication other than MAC address should be used)

Help me set this up:

- step 1: Set up the MT as a PPPoE client for the ISP connection, with autoredial if
disconnected (forever redial until conn is established). With this, set up the MT to run a NAT
on ether2 for one user - User1, to use the internet through it. Also to run the UPnP
service. (The ISP gives a dynamic IP address with each connect. Also forces a reconnect every 24
hours.)

- step 2: Filter/drop (firewall) all packets from ISP Network. Only the PPPoE
service is used on the ISP network - ether1, all other packets must be dropped and none must
be sent out. Also on the PPPoE internet connection - run a firewall that would protect MT,
close open ports, etc. Also on the local net - ether2 - make MT invisible for all others -
drop all packets not coming from Users' MAC addresses. Turn off neighbour broadcast, etc.

- step 3: This is the hard part. Set up bandwidth allocation. Three users will be
using the internet. They are on the local network which is connected on ether2. This should
work almost like "equal bandwidth allocation amongst users" from the manual... When there's
only one user making connections to the internet - he gets all the bandwidth since it's
free. Let's suppose this is User1. Then User3 makes connections to the internet. He should
be given at least 64kbps right away. If his connection is less than 64kbps, he should be
given no more than he requires. If he leaves some of his 64kbps free they should
immediately be free for use by User1. If User1 leaves some bandwidth free it should be
immediately given to User3 if his connections require it. So far - exactly like the
mentioned chapter in the manual, only User3 gets not the half of all but as much as 64kbps
when both users are using the internet. OK, now for User2 - he will be sharing his
connection with User1. User1 and User2 will be in one group. Let's suppose User1 is using
all of his bandwidth and User3 is also using all of his. Now User2 makes connections to the
internet. He should be given 32kbps of what User1 has and what User3 is currently using should
not be lowered by User2, only User1's bandwidth should be shared with User2. If User1 and
User3 are currently not making any connections to the internet (e.g. there is some free
bandwidth) it should be all given to User2.

- step 4: Priority for Web, Web caching, priority for Skype, priority for
Counter-Strike. When connections to port 80/other ports for mentioned services are made they
should get 95% of user's bandwidth and packets should get higher priority and not wait as
much in queues as other packets. Also if it's possible, a HTTP caching proxy service set up on MT which has no speed limit when getting objects from the cache but when the proxy starts getting objects from the internet to deliver to the requesting user, the bandwidth allocation of that connection (proxy<->internet) should have the same rules described in step 3. If User3 makes the connection, the proxy should start getting him the objects with no more than what his speed settings are. (described in step 3)

Please help with these for now, more steps coming soon...

Post edited - step 4 caching added.
Last edited by dot-bot on Wed Mar 08, 2006 9:25 am, edited 2 times in total.
 
cibernet
Long time Member
Posts: 610
Joined: Fri Jan 28, 2005 7:22 pm
Location: Marcos Juárez, Córdoba, Argentina
Contact:

Re: Difficult setup - Help me config MT - real challenge ?

Tue Feb 07, 2006 11:18 am

There are a Local Network and an ISP Network coming to MT:
Local Network: on ether2 - 10/100Mbit LAN 192.168.0.0/24
ISP Network: on ether1 - 10/100Mbit LAN with PPPoE service, no IP address on the interface required.
There are three "users" connecting to MT via local ether2, which means three PCs, each with its own MAC address (no authentication other than MAC address should be used)

Help me set this up:

- step 1: Set up the MT as a PPPoE client for the ISP connection, with autoredial if
disconnected (forever redial until conn is established). With this, set up the MT to run a NAT
on ether2 for one user - User1, to use the internet through it. Also to run the UPnP
service. (The ISP gives a dynamic IP address with each connect. Also forces a reconnect every 24
hours.)

- step 2: Filter/drop (firewall) all packets from ISP Network. Only the PPPoE
service is used on the ISP network - ether1, all other packets must be dropped and none must
be sent out. Also on the PPPoE internet connection - run a firewall that would protect MT,
close open ports, etc. Also on the local net - ether2 - make MT invisible for all others -
drop all packets not coming from Users' MAC addresses. Turn off neighbour broadcast, etc.

- step 3: This is the hard part. Set up bandwidth allocation. Three users will be
using the internet. They are on the local network which is connected on ether2. This should
work almost like "equal bandwidth allocation amongst users" from the manual... When there's
only one user making connections to the internet - he gets all the bandwidth since it's
free. Let's suppose this is User1. Then User3 makes connections to the internet. He should
be given at least 64kbps right away. If his connection is less than 64kbps, he should be
given no more than he requires. If he leaves some of his 64kbps free they should
immediately be free for use by User1. If User1 leaves some bandwidth free it should be
immediately given to User3 if his connections require it. So far - exactly like the
mentioned chapter in the manual, only User3 gets not the half of all but as much as 64kbps
when both users are using the internet. OK, now for User2 - he will be sharing his
connection with User1. User1 and User2 will be in one group. Let's suppose User1 is using
all of his bandwidth and User3 is also using all of his. Now User2 makes connections to the
internet. He should be given half of what User1 has and what User3 is currently using should
not be lowered by User2, only User1's bandwidth should be shared with User2. If User1 and
User3 are currently not making any connections to the internet (e.g. there is some free
bandwidth) it should be all given to User2.

- step 4: Priority for Web, Web caching, priority for Skype, priority for
Counter-Strike. When connections to port 80/other ports for mentioned services are made they
should get 95% of user's bandwidth and packets should get higher priority and not wait as
much in queues as other packets.

Please help with these for now, more steps coming soon...

:shock: Dude... you should read the manual... and search the forums... if you need specific help post... not an entire ROS configuration :lol:

Regards
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Tue Feb 07, 2006 11:27 am

Sounds like you should perhaps look for someone to do the config for you?! ;)

Christian Meis
 
normis
MikroTik Support
Posts: 26820
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Tue Feb 07, 2006 11:29 am

 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Tue Feb 07, 2006 11:41 am

And perhaps one more tip:
Your idea of your bandwidth-shaping scenario sounds, well, a bit toooo complex - perhaps you should do yourself a favor and think of something easier? ;)

Christian Meis
 
djape
Member
Posts: 465
Joined: Sat Nov 06, 2004 7:54 pm
Location: Serbia

Tue Feb 07, 2006 12:55 pm

Well, there's no challenge in your setup except for time that nobody here has.
Everybody in here is ready to help, but nobody will do complete setup for ya.
The best way is to open the manual and try it yourself and when you are stuck, then post some questions.

That way you'll have complete control of your router ;) otherwise you'll be ridin' wild horse :D

Cheers and good luck...
 
dot-bot
Member Candidate
Topic Author
Posts: 164
Joined: Tue Oct 11, 2005 7:05 pm

Tue Feb 07, 2006 1:18 pm

Oh no! Just the answers I felt I would get.

I thought I could cheat on this one and ask for some more help than usual. I guess I'll have to do it on my own now. Will cost me a huge effort. Oh god please give me strength.

:lol:

OK if someone can help with the bandwidth allocation only - please do.

edit: P.S. I will share my configs when I have successful results with some of the ... hard.. steps.
Last edited by dot-bot on Tue Feb 07, 2006 1:36 pm, edited 1 time in total.
 
cibernet
Long time Member
Posts: 610
Joined: Fri Jan 28, 2005 7:22 pm
Location: Marcos Juárez, Córdoba, Argentina
Contact:

Tue Feb 07, 2006 1:24 pm

Oh no! Just the answers felt I would get.

I thought I could cheat on this one and ask for some more help than usual. I guess I'll have to do it on my own now. Will cost me a huge effort. Oh god please give me strength.

:lol:

OK if someone can help with the bandwidth allocation only - please do.

Some tips...
1. Read the entire manual
2. Search the forums, you will find a lot of help!
3. If you need some help when you can't do some particular thing, ask here, we will help you.

Regards and welcome to MikroTik!!
 
cibernet
Long time Member
Posts: 610
Joined: Fri Jan 28, 2005 7:22 pm
Location: Marcos Juárez, Córdoba, Argentina
Contact:

Thu Feb 09, 2006 10:05 am

dot-bot: Nice avatar :lol:
 
dot-bot
Member Candidate
Topic Author
Posts: 164
Joined: Tue Oct 11, 2005 7:05 pm

Tue Feb 14, 2006 9:55 pm

Here's the config for steps 1 & 2, please review 'em, check 'em out.. Post comments. Thanks. I'm now working on steps 3 & 4....

The problem with step 3 (bandwidth) is that the ISP provides 128kbits/s internet channel and 512kbits/s channel in the city. All-In-One connection. I'll try like this: setup equal sharing amongst users (like the example in the manual) and limit User2 and User3 via the PPPoE max ... limits. etc. Comments on this? Will post results in matter of days.

Enjoy:

# by RouterOS 2.9.x
#


ether1 is connected to ISP, ether2 - to LAN
/ interface ethernet 
set ether1 name="ether1" mtu=1500 mac-address=<hidden> arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no 
set ether2 name="ether2" mtu=1500 mac-address=<hidden> arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no 
ether2 IP address (ether1 does not have an IP address according to the security note in the manual...):
/ ip address 
add address=192.168.0.29/24 network=192.168.0.0 broadcast=192.168.0.255 \
    interface=ether2 comment="added by setup" disabled=no 
I've setup the PPPoE client, MTU, MRU, etc. settings are default...:
/ interface pppoe-client 
add name="pppoe-out1" max-mtu=1480 max-mru=1480 interface=ether1 \
    user="<hidden>" password="<hidden>" profile=default \
    service-name="<hidden>" ac-name="<hidden>" add-default-route=yes \
    dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2 \
    disabled=no 
I've also setup a PPPoE server to be used by User1, User2 & User3:
(MTU, MRU settings-default, 1488?)
/ interface pppoe-server server 
add service-name="<hidden>" interface=ether2 max-mtu=1488 max-mru=1488 \
    authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10 \
    one-session-per-host=yes max-sessions=0 default-profile=default \
    disabled=no 
PPPoE server client configs (I don't need an IP pool for this, I want each one to have his own IP):
/ ppp secret 
add name="<User1_username>" service=pppoe caller-id="" password="<User1_password>" \
    profile=default local-address=10.12.13.4 remote-address=10.12.13.6 \
    routes="" limit-bytes-in=0 limit-bytes-out=0 comment="" disabled=no 
add name="<User2_username>" service=pppoe caller-id="<User2_MAC>" \
    password="<User2_password>" profile=default local-address=10.23.34.6 \
    remote-address=10.23.34.9 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no 
add name="<User3_username>" service=pppoe caller-id="<User3_MAC>" \
    password="<User3_password>" profile=default local-address=10.146.2.67 \
    remote-address=10.146.2.10 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no 
Can't do without the NAT:
/ ip firewall nat 
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="" \
    disabled=no 
DNS Settings:
/ ip dns 
set primary-dns=<assigned by PPPoE srv> secondary-dns=<assigned by PPPoE srv> \
    allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w 
Drop packets on some ports on a certain interface:
/ ip firewall filter 
add chain=input in-interface=ether2 src-address=<User3_LAN_IP> \
    src-mac-address=<User3_MAC> action=accept comment="" disabled=no 
add chain=input in-interface=ether2 src-address=<User2_LAN_IP> \
    src-mac-address=<User2_MAC> action=accept comment="" disabled=no 
add chain=input in-interface=ether2 src-mac-address=!<User1_MAC> \
    action=drop comment="" disabled=no 
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=21-23 \
    action=drop comment="" disabled=no 
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=2000 action=drop \
    comment="" disabled=no 
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=drop \
    comment="" disabled=no 
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=1720 action=drop \
    comment="" disabled=no 
Not using the Cisco/MT Discovery Protocol:
/ ip neighbor discovery 
set ether1 discover=no 
set ether2 discover=no 
set pppoe-out1 discover=no 
I've disabled some services that I never use, etc.:
/ ip service 
set telnet port=23 address=0.0.0.0/0 disabled=yes 
set ftp port=21 address=<hidden> disabled=no 
set www port=<hidden> address=0.0.0.0/0 disabled=no 
set ssh port=22 address=0.0.0.0/0 disabled=yes 
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes 
These are default:
/ ip firewall connection tracking 
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m \
    tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
    tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
    tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
    udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m 
Does this help with something? Save RAM?:
/ system console 
add term="" disabled=yes 
set FIXME term="linux" disabled=no 
set FIXME term="linux" disabled=yes 
set FIXME term="linux" disabled=yes 
set FIXME term="linux" disabled=yes 
set FIXME term="linux" disabled=yes 
set FIXME term="linux" disabled=yes 
set FIXME term="linux" disabled=yes 
set FIXME term="linux" disabled=yes 
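
Added example (not part of dot-bot's post and not MikroTik code): a small Python model of first-match evaluation over the `/ ip firewall filter` input rules posted above. It shows which packets fall through to the chain's default accept, notably UDP/53 arriving on `pppoe-out1` while the config sets `allow-remote-requests=yes`, and how an appended default-drop tail changes the verdict. The MAC/IP values and the three `HARDENED` rules are assumptions standing in for the thread's `<...>` placeholders.

```python
# Constructed sample addresses stand in for the thread's <...> placeholders.
POSTED = """\
add chain=input in-interface=ether2 src-address=192.168.0.3 src-mac-address=00:00:5E:00:53:03 action=accept
add chain=input in-interface=ether2 src-address=192.168.0.2 src-mac-address=00:00:5E:00:53:02 action=accept
add chain=input in-interface=ether2 src-mac-address=!00:00:5E:00:53:01 action=drop
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=21-23 action=drop
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=2000 action=drop
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=drop
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=1720 action=drop
"""
# Added tail (assumption, not from the thread): allow replies, drop the rest from the WAN.
HARDENED = POSTED + """\
add chain=input in-interface=pppoe-out1 connection-state=established action=accept
add chain=input in-interface=pppoe-out1 connection-state=related action=accept
add chain=input in-interface=pppoe-out1 action=drop
"""

def parse_rules(export):
    """Turn each 'add key=value ...' export line into a dict of matchers."""
    return [dict(kv.split("=", 1) for kv in line.split()[1:])
            for line in export.splitlines() if line.startswith("add ")]

def field_matches(key, want, pkt):
    """Compare one matcher with the packet; a leading '!' negates the result."""
    negate, want = want.startswith("!"), want.lstrip("!")
    have = pkt.get(key)
    if key == "dst-port":                     # single port or lo-hi range
        lo, _, hi = want.partition("-")
        hit = have is not None and int(lo) <= have <= int(hi or lo)
    else:
        hit = have == want
    return hit != negate

def verdict(rules, pkt, chain="input"):
    """First matching rule decides; an unmatched packet is accepted by default."""
    for index, rule in enumerate(rules):
        if rule["chain"] != chain:
            continue
        matchers = {k: v for k, v in rule.items() if k not in ("chain", "action")}
        if all(field_matches(k, v, pkt) for k, v in matchers.items()):
            return rule["action"], index
    return "accept", None

# Constructed probe packets: a new DNS query from the WAN, and an unlisted LAN host.
WAN_DNS = {"in-interface": "pppoe-out1", "protocol": "udp", "dst-port": 53,
           "connection-state": "new"}
LAN_STRANGER = {"in-interface": "ether2", "src-address": "192.168.0.50",
                "src-mac-address": "00:00:5E:00:53:99"}

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("hardened", HARDENED)):
        rules = parse_rules(text)
        print(name, "WAN udp/53:", verdict(rules, WAN_DNS),
              "unknown LAN MAC:", verdict(rules, LAN_STRANGER))
```

With the posted rules the WAN UDP/53 probe matches nothing and is accepted by default; with the added tail it is dropped by the last rule, while replies to the router's own connections are still accepted.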
 
dot-bot
Member Candidate
Topic Author
Posts: 164
Joined: Tue Oct 11, 2005 7:05 pm

Wed Mar 08, 2006 12:02 am

Configuring QoS is very very hard, understanding it, etc.. So don't tell me "read the manual" it's more like "study" the manual. Only the MT manual is written bad, not translated properly etc. so ... reading the Linux QoS docs is necessary.... Will get back on those soon :shock:

Also, I had some configuration changes:
[*@*] ppp> export
...
/ ppp secret 
add name="user1" service=pppoe password="*" \
    local-address=10.11.12.3 remote-address=10.11.12.5
add name="user3" service=pppoe caller-id="*" \
    password="*" profile=default local-address=10.11.12.3 \
    remote-address=10.11.12.8
add name="user2" service=pppoe caller-id="*" \
    password="*" local-address=10.11.12.3 \
    remote-address=10.11.12.9
[*@*] interface> print 
Flags: X - disabled, D - dynamic, R - running 
 #    NAME                         TYPE             RX-RATE    TX-RATE    MTU  
 0  R ether1                       ether            0          0          1500 
 1  R ether2                       ether            0          0          1500 
 2  R pppoe-out1             pppoe-out        0          0          1480 
 3  R pppoe-user1            pppoe-in         0          0          1480 
 4  R pppoe-user2            pppoe-in         0          0          1480 
 5  R pppoe-user3            pppoe-in         0          0          1480 
With the above changes the pppoe interfaces of the clients are now static and all their internal IPs begin with 10.11.12.???.

Problem: When I send out a packet with dst addr 10.11.12.??? [IF IT'S NOT ONE OF THE three used by clients] it is sent to the default Gateway added automatically by the pppoe-out1 connection. When I tracert 10.11.12.25 for example all ISP gateways respond that route is through them and the last one says: Destination Unreachable. I believe packets with dst addr 10.11.12.x should not be sent through ISP gateway. How do I fix this? I mean what's the best way to fix it?

Thanks anyone who helps.

A decent word from MT devs/admins would be nice. We see them post so rarely...
