  1. #1
    awarmanf

    Difference between mark-connection in the prerouting and forward chains

    Up to now I still don't really understand when to use the prerouting chain for mark-connection and when to use the forward chain for mark-connection. The MikroTik manual, Bandwidth Control chapter, says: When using masquerading, you have to mark the outgoing connection with new-connection-mark and take the mark-connection action. When it is done, you can mark all packets which belong to this connection with the new-packet-mark and use the mark-packet action.

    Here mark-connection is done in the prerouting chain, as in the example below:
    [admin@MikroTik] ip firewall mangle> add src-address=192.168.0.1/32 \
    \... action=mark-connection new-connection-mark=server-con chain=prerouting
    [admin@MikroTik] ip firewall mangle> add connection-mark=server-con \
    \... action=mark-packet new-packet-mark=server chain=prerouting
    Whereas in the MikroTik bandwidth control documentation at , mark-connection is instead done in the forward chain:

    1 ;;; UP TRAFFIC
    chain=prerouting in-interface=lan
    src-address=172.21.1.0/24 action=mark-packet
    new-packet-mark=test-up passthrough=no

    2 ;;; CONN-MARK
    chain=forward src-address=172.21.1.0/24
    action=mark-connection
    new-connection-mark=test-conn passthrough=yes

    3 ;;; DOWN-DIRECT CONNECTION
    chain=forward in-interface=public
    connection-mark=test-conn action=mark-packet
    new-packet-mark=test-down passthrough=no

    4 ;;; DOWN-VIA PROXY
    chain=output out-interface=lan
    dst-address=172.21.1.0/24 action=mark-packet
    new-packet-mark=test-down passthrough=no
    Please enlighten me.

    Thank you.

  2. #2
    awarmanf
    Oh, one more addition: for the bandwidth control as described at
    there are 2 NAT rules in use:
    [admin@instaler] ip firewall nat> pr
    Flags: X - disabled, I - invalid, D - dynamic
    0 chain=srcnat out-interface=public
    src-address=172.21.1.0/24 action=masquerade
    1 chain=dstnat in-interface=lan src-address=172.21.1.0/24
    protocol=tcp dst-port=80 action=redirect to-ports=3128
    So my thinking is this, CMIIW: according to the MikroTik packet flow diagram, dstnat is performed after the prerouting chain, so in order to track the connection, mark-connection is done in the forward chain, which comes after prerouting. Please correct me.

  3. #3
    yosanpro
    For a clearer picture of the order of the chains, see here:


  5. #4
    tolabul
    Originally Posted by awarmanf
    Oh, one more addition: for the bandwidth control as described at
    there are 2 NAT rules in use:


    So my thinking is this, CMIIW: according to the MikroTik packet flow diagram, dstnat is performed after the prerouting chain, so in order to track the connection, mark-connection is done in the forward chain, which comes after prerouting. Please correct me.
    Thanks for asking my question for me... hopefully the masters will be willing to elaborate.

  6. #5
    yosanpro
    Maybe in short it goes like this: prerouting and forward both come before routing, the only difference is that prerouting matches traffic that passes through the router (forward) as well as traffic headed to the router (input), while forward only matches traffic that passes through the router. Non-routable traffic (whose direction cannot be determined) only passes through prerouting and does not pass through forward. CMIIW.

    As for postrouting, besides its rules being run after the routing decision, its rules also match traffic that passes through the router (forward) and traffic that originates from the router (output).

    Reference: the link in my post above.

    The traffic received for the router's MAC address on the respective port, is passed to the routing procedures and can be of one of these four types:

    • the traffic which is destined to the router itself. The IP packets have destination address equal to one of the router's IP addresses. A packet enters the router through the input interface, sequentially traverses prerouting and input chains and ends up in the local process. Consequently, a packet can be filtered in the input chain filter and mangled in two places: the input and the prerouting chain filters.
    • the traffic is originated from the router. In this case the IP packets have their source addresses identical to one of the router's IP addresses. Such packets travel through the output chain, then they are passed to the routing facility where an appropriate routing path for each packet is determined and leave through the postrouting chain.
    • routable traffic, which is received at the router's MAC address, has an IP address different from any of the router's own addresses, and its destination can be found in the routing tables. These packets go through the prerouting, forward and postrouting chains.
    • unroutable traffic, which is received at the router's MAC address, has an IP address different from any of the router's own addresses, but its destination can not be found in the routing tables. These packets go through the prerouting and stop in the routing decision.
    A person's junk is another person's treasure.
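
An added example, not part of the original thread: a small Python model of the four traffic types quoted above, combined with the tcp/80 redirect rule from post #2, listing which mangle chains each packet traverses. The router addresses, the sample flows and all function names are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (hypothetical addresses), modelled on the thread's LAN.
LAN = ip_network("172.21.1.0/24")
PROXY_IP = ip_address("172.21.1.1")                 # router's LAN address
ROUTER_IPS = {PROXY_IP, ip_address("203.0.113.2")}  # router's own addresses
ROUTES = [LAN, ip_network("0.0.0.0/0")]             # connected LAN + default route


def dstnat(src, dst, proto, dport):
    """NAT rule 1 from the thread: LAN tcp/80 is redirected to the local proxy,
    so the packet's destination becomes the router itself."""
    if src in LAN and proto == "tcp" and dport == 80:
        return PROXY_IP
    return dst


def chains(src, dst, proto="tcp", dport=0, routes=ROUTES):
    """Mangle chains a packet traverses, in order.
    Replies to masqueraded connections (conntrack un-NAT) are not modelled."""
    src, dst = ip_address(src), ip_address(dst)
    if src in ROUTER_IPS:                       # originated by the router
        return ["output", "postrouting"]
    path = ["prerouting"]                       # all received traffic starts here
    dst = dstnat(src, dst, proto, dport)        # dstnat runs after mangle prerouting
    if dst in ROUTER_IPS:                       # destined to the router itself
        return path + ["input"]
    if not any(dst in net for net in routes):   # unroutable: ends at routing decision
        return path
    return path + ["forward", "postrouting"]


# Constructed sample flows: name -> (src, dst, proto, dport)
FLOWS = {
    "client direct (tcp/443)": ("172.21.1.10", "198.51.100.7", "tcp", 443),
    "client http via proxy": ("172.21.1.10", "198.51.100.7", "tcp", 80),
    "proxy to client": ("172.21.1.1", "172.21.1.10", "tcp", 40000),
    "proxy to web server": ("203.0.113.2", "198.51.100.7", "tcp", 80),
}


def seen_in(chain):
    """Names of the sample flows that a mangle rule in `chain` can match."""
    return [name for name, f in FLOWS.items() if chain in chains(*f)]


if __name__ == "__main__":
    for name, f in FLOWS.items():
        print(f"{name:26} {' -> '.join(chains(*f))}")
    print("forward sees:", seen_in("forward"))
```

In this model the redirected port-80 flow ends in the input chain and the proxy's packets start in the output chain, so neither is visible to a rule placed in forward.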

  8. #6
    karaeng
    A small addition... maybe this can help make clearer the use of pre, for, post, to be passed on to the Queue Tree


    Working with packets for bandwidth management is done in this order:

    1. Mangle chain prerouting
    2. HTB global-in
    3. Mangle chain forward
    4. Mangle chain postrouting
    5. HTB global-out
    6. HTB out interface

    So, in one router, you can do:

    a) in #1+#2 - first marking & shaping, in #3+#5 - second marking & shaping
    b) in #1+#2 - first marking & shaping, in #3+#6 - second marking & shaping
    c) in #1+#2 - first marking & shaping, in #4+#5 - second marking & shaping
    d) in #1+#2 - first marking & shaping, in #4+#6 - second marking & shaping


    There are 4 ways we can look at a flow:
    1) client upload that router receives on the local interface
    2) client upload that router sends out to the Internet
    3) client download that router receives on the public interface
    4) client download that router sends out to the customer

    1) and 3) - is Inbound traffic
    2) and 4) - is Outbound traffic

    source:

  10. #7
    why_you
    Great stuff, everyone

    @karaeng, if you're willing, could you give a real example?

  11. #8
    fanizar
    Originally Posted by karaeng
    A small addition... maybe this can help make clearer the use of pre, for, post, to be passed on to the Queue Tree


    Working with packets for bandwidth management is done in this order:

    1. Mangle chain prerouting
    2. HTB global-in
    3. Mangle chain forward
    4. Mangle chain postrouting
    5. HTB global-out
    6. HTB out interface

    So, in one router, you can do:

    a) in #1+#2 - first marking & shaping, in #3+#5 - second marking & shaping
    b) in #1+#2 - first marking & shaping, in #3+#6 - second marking & shaping
    c) in #1+#2 - first marking & shaping, in #4+#5 - second marking & shaping
    d) in #1+#2 - first marking & shaping, in #4+#6 - second marking & shaping


    There are 4 ways we can look at a flow:
    1) client upload that router receives on the local interface
    2) client upload that router sends out to the Internet
    3) client download that router receives on the public interface
    4) client download that router sends out to the customer

    1) and 3) - is Inbound traffic
    2) and 4) - is Outbound traffic

    source:

    SO THEN, what roughly are the detailed definitions of interface global-out, global-in, global-total, interface-lokal, interface-public, bro??? (For prerouting and forward, for down/up stream, roughly which interface direction do they go through? The problem is that many tutorials pick the interface at random.)

  12. #9
    yosanpro
    Originally Posted by fanizar
    SO THEN, what roughly are the detailed definitions of interface global-out, global-in, global-total, interface-lokal, interface-public, bro??? (For prerouting and forward, for down/up stream, roughly which interface direction do they go through? The problem is that many tutorials pick the interface at random.)
    Try opening , there is a traffic flow diagram there; take note of which chains global-out, global-in and global-total sit in. interface-lokal and interface-public are not in the flow diagram because they really only exist to make the logic easier, since interface-lokal and interface-public can actually be swapped around as we wish, or routing set according to the needs of the network (generally interface-public is the interface where the default gateway is). What is in the flow diagram is INPUT INTERFACE and OUTPUT INTERFACE.

    Maybe someone below me can explain it in language that is easier to understand?
    A person's junk is another person's treasure.
