Posted on 2017-9-19 14:07

In 2014 I bought an RB2011 intending to study ROS in depth, but I gave up fairly quickly. The ROS wiki really does have a lot of original documentation, but anyone with Linux experience can quickly turn those documents into something that runs under OpenWrt: https://wiki.mikrotik.com/wiki/ . For many Linux commands the ROS command line only supports a subset of the parameters; after all, ROS is only a subset of Linux, and it reinterprets the Linux commands with its own syntax. Of course, the main reason I gave up on ROS at the time was that writing scripts was far too tiring. Something that takes a few lines with the Linux GNU tools is not easy to convert into a script that runs on ROS. As for Linux QoS, supposedly ROS now only just has the packet-to-connection process, which is very outdated. Linux has the connmark structure, which is the so-called packet-mark-to-connection-mark process. In the end everything hits the first rule. With ROS I still can't work out whether it has this structure: by the top-to-bottom traversal of iptables rules under Linux, if ROS also traverses its rules this way it is obviously less efficient than the connmark structure, but if ROS only displays the rules this way in the front end while the real underlying implementation is also connmark, then the two are about even. Of course Linux also has many more advanced usages. If there are 13 VLAN interfaces, do you have to build one set of QoS per VLAN? Linux has the ifb interface, which can redirect the traffic of all 13 VLANs to a single ifb0 interface and do the QoS control in one place.
```bash
# connmark pattern: restore the connection's mark onto the packet; if it already
# has one, stop here; otherwise classify and write the packet mark back to the connection
iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
iptables -A POSTROUTING -p tcp --dport 21 -t mangle -j MARK --set-mark 1
iptables -A POSTROUTING -p tcp --dport 80 -t mangle -j MARK --set-mark 2
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
```
ROS v6 queue tree

```routeros
add chain=prerouting protocol=tcp dst-port=53,22,23,123,3389,8123 in-interface=bridge2 action=mark-connection \
    new-connection-mark=High-conn passthrough=yes comment=tcp_2
add chain=prerouting protocol=udp dst-port=53 in-interface=bridge2 action=mark-connection \
    new-connection-mark=High-conn passthrough=yes comment=udp_2
add chain=prerouting in-interface=bridge2 connection-mark=High-conn action=mark-packet new-packet-mark=High passthrough=no
# got lazy and only wrote one line

add chain=prerouting protocol=tcp dst-port=80,443,1080,1863,4662,8080,12000,14000 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Medium-conn passthrough=yes comment=tcp_3
add chain=prerouting protocol=udp dst-port=4000-4030,4772,8000-8001 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Medium-conn passthrough=yes comment=udp_3
add chain=prerouting in-interface=bridge2 connection-mark=Medium-conn action=mark-packet new-packet-mark=Medium passthrough=no
```
The tc tool is too deep for me; I can't really use it. I only use it to let TCP handshake packets through, rather than the iptables length match under ROS, the so-called small-packet matching.

```bash
#$TC filter add dev $UDEV parent 1:0 prio 12 protocol arp handle 1 fw classid 1:20 # Arp traffic
$TC filter add dev $UDEV parent 1: prio 13 protocol ip u32 match ip protocol 1 0xff flowid 1:20 #ICMP
#$TC filter add dev $UDEV parent 1: prio 14 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:20 #ACK
$TC filter add dev $UDEV parent 1: prio 15 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x02 0x02 at 33 flowid 1:20 #SYN
$TC filter add dev $UDEV parent 1: prio 17 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x01 0x01 at 33 flowid 1:20 #FIN
$TC filter add dev $UDEV parent 1: prio 19 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x04 0x04 at 33 flowid 1:20 #RST
```

The port QoS I did earlier; since there is no tc, this was the only way to do it.
```routeros
# http://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ_Examples
/ip firewall mangle add chain=forward dst-address=192.168.88.0/24 out-interface=bridge2 action=mark-connection new-connection-mark=Download-conn passthrough=yes
/ip firewall mangle add chain=forward out-interface=bridge2 connection-mark=Download-conn action=mark-packet new-packet-mark=Download passthrough=no
# Google keyword: 实作RouterOS的HTB (implementing HTB on RouterOS)
# For all these years I have never managed to form a mental picture of this interface direction; google the keyword above, the author explains it in a few simple sentences and it is easy to understand
# Because this is in the forward chain, the out-interface is used
/queue type add name=download-queue kind=pcq pcq-classifier=dst-address
/queue tree add name=Download parent=global max-limit=5300k
/queue tree add name=PCQ_D parent=Download packet-mark=Download queue=download-queue priority=1
###########################################################################################
/ip firewall mangle
add chain=prerouting protocol=icmp in-interface=bridge2 new-packet-mark=SP1 action=mark-packet passthrough=no comment=icmp
add chain=prerouting protocol=tcp in-interface=bridge2 new-packet-mark=SP1 action=mark-packet passthrough=no tcp-flags=ack packet-size=0-123 comment=ack
add chain=prerouting protocol=tcp in-interface=bridge2 new-packet-mark=SP1 action=mark-packet passthrough=no tcp-flags=syn packet-size=0-666 comment=syn
add chain=prerouting protocol=tcp in-interface=bridge2 new-packet-mark=SP2 action=mark-packet passthrough=no tcp-flags=fin comment=fin
add chain=prerouting protocol=tcp in-interface=bridge2 new-packet-mark=SP2 action=mark-packet passthrough=no tcp-flags=rst comment=rst
# The above are the so-called small-packet rules implemented with packet marks, but I don't know how to verify their effect; under Linux this is done with tc u32 matching. On ROS I can't google anything related to tc. These packet-size options look more like Linux iptables syntax.
#tc filter add dev $UDEV parent 1: prio 13 protocol ip u32 match ip protocol 1 0xff flowid 1:20 #ICMP
#tc filter add dev $UDEV parent 1: prio 14 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:20 #ACK
#tc filter add dev $UDEV parent 1: prio 15 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x02 0x02 at 33 flowid 1:20 #SYN
#tc filter add dev $UDEV parent 1: prio 17 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x01 0x01 at 33 flowid 1:20 #FIN
#tc filter add dev $UDEV parent 1: prio 19 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x04 0x04 at 33 flowid 1:20 #RST
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=2099,5060,5222,5223,6060,8088,8393-8400 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Highest-conn passthrough=yes comment=tcp_1
add chain=prerouting protocol=udp dst-port=5000-5500,5060,6060,8088 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Highest-conn passthrough=yes comment=udp_1
add chain=prerouting in-interface=bridge2 connection-mark=Highest-conn action=mark-packet new-packet-mark=Highest passthrough=no
# I kept going back and forth on how to write Highest-conn versus Highest; in the end I found the official 2011 documentation still writes them differently. By the old Linux way of putting it, the packet mark and the connection mark sit in different places, so I wrote them differently too.
# QoS Best Practice @ MUM USA 2009, pdf by Janis Megis, MikroTik
# in-interface=bridge2 is the LAN interface; it is set mainly to avoid matching packets from other interfaces
# How to understand passthrough=no, "does not pass through"? Under Linux a packet in an iptables chain is matched top to bottom against the rules you wrote, unless you specify RETURN. So passthrough=no means that when a packet successfully matches a rule carrying passthrough=no, it is no longer matched against the remaining rules below it. With a very large number of rules and a very busy network, this greatly reduces matching time and improves efficiency.
add chain=prerouting protocol=tcp dst-port=53,22,23,123,3389,8123 in-interface=bridge2 action=mark-connection \
    new-connection-mark=High-conn passthrough=yes comment=tcp_2
add chain=prerouting protocol=udp dst-port=53 in-interface=bridge2 action=mark-connection \
    new-connection-mark=High-conn passthrough=yes comment=udp_2
add chain=prerouting in-interface=bridge2 connection-mark=High-conn action=mark-packet new-packet-mark=High passthrough=no
# got lazy and only wrote one line

add chain=prerouting protocol=tcp dst-port=80,443,1080,1863,4662,8080,12000,14000 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Medium-conn passthrough=yes comment=tcp_3
add chain=prerouting protocol=udp dst-port=4000-4030,4772,8000-8001 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Medium-conn passthrough=yes comment=udp_3
add chain=prerouting in-interface=bridge2 connection-mark=Medium-conn action=mark-packet new-packet-mark=Medium passthrough=no
add chain=prerouting protocol=tcp dst-port=20,21,25,1024-65535 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Low-conn passthrough=yes comment=tcp_4
add chain=prerouting protocol=udp dst-port=1-65535 in-interface=bridge2 action=mark-connection \
    new-connection-mark=Low-conn passthrough=yes comment=udp_4
add chain=prerouting in-interface=bridge2 connection-mark=Low-conn action=mark-packet new-packet-mark=Low passthrough=no
{
:local UPLINK 800;
:local High 0
:local Medium 0
:local Mediuml
:local Lowm 0
:local Lowl 0
# unit suffix appended to the numbers, e.g. "800k"
:local k k;
/queue tree
add name=Upload parent=global max-limit="$UPLINK$k"
:set Medium ($UPLINK * 8 / 10)
add name=Queue_1:2 parent=Upload max-limit="$Medium$k" limit-at="$Medium$k"
add name=1_Highest parent=Upload packet-mark=Highest limit-at="$Medium$k" max-limit="$UPLINK$k" priority=1
add name=Queue_ICMPACKSYN parent=Upload packet-mark=SP1 limit-at="$Medium$k" max-limit="$UPLINK$k" priority=2
add name=Queue_FINRST parent=Upload packet-mark=SP2 limit-at="$Medium$k" max-limit="$UPLINK$k" priority=3
:set High ($UPLINK * 1 / 10)
add name=2_High parent=Upload packet-mark=High limit-at="$High$k" max-limit="$UPLINK$k" priority=4
:set Mediuml ($UPLINK * 5 / 100)
add name=3_Medium parent=Queue_1:2 packet-mark=Medium limit-at="$Mediuml$k" max-limit="$Medium$k" priority=5
:set Lowm ($UPLINK * 70 / 100)
:set Lowl ($UPLINK * 3 / 100)
add name=4_Low parent=Queue_1:2 packet-mark=Low limit-at="$Lowl$k" max-limit="$Lowm$k" queue=hotspot-default priority=8
# HTB implementation based on the 60/80 traffic-to-latency comparison
}
```

A brief word on the difference between simple queue and PCQ. The official material on the concrete implementation of PCQ only says that it is a type of SFQ; in my own testing I did not notice the kind of bandwidth-sharing process the official wiki describes. I did see the limit take effect once pcq-rate was specified. PCQ mainly exists to solve the efficiency problem caused by the lengthy matching of simple queues. Although the official docs mention that simple queue efficiency improved a lot in v6, on a single machine without QoS on the upstream port, especially during web downloads, it feels very slow. The three pieces of code below implement a process from my Linux days of rate-limiting based on the number of UDP connections. According to the official documentation the QoS traffic direction is queue tree >>>>> simple queue, so using a simple queue afterwards to rate-limit specific IPs is no problem.

```routeros
# Generate the LAN IP address list
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 action=add-src-to-address-list \
    address-list=LAN address-list-timeout=1m comment="" disabled=no
#
{
:local ip 0;
:local udpn 0;
:foreach a in=[/ip fir address-list find where list=LAN address!=192.168.88.1] do={
    # excluding the gateway IP
    :set ip [/ip fir address-list get $a address]
    :set udpn [/ip firewall connection print count-only where src-address~"^$ip:" and protocol="udp"]
    # create a simple queue for users over the UDP limit; since simple queues come after HTB, this is effective
    :if ($udpn>10) do={/queue simple add name=$ip target="$ip" max-limit=800K/800K queue="hotspot-default" disabled=no} else={:put false}
}
}
# Bulk delete all simple queues
/queue simple
:foreach i in=[find] do={ remove $i; }
```

Manual:Queues - PCQ
http://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ
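The post says it has no way to verify what the small-packet rules actually select. As an added example (not code from the post), the Python below emulates the `match u8/u16 VALUE MASK at OFFSET` predicates of the tc u32 filters quoted above on constructed IPv4/TCP packets, so you can see which packets would land in class 1:20. It assumes offsets are taken from the start of the IPv4 header (as tc does with `protocol ip`) and the packets are built inline, not captured.

```python
import struct

def u32_match(pkt: bytes, offset: int, size: int, value: int, mask: int) -> bool:
    """Emulate one tc u32 `match uN VALUE MASK at OFFSET` predicate on raw bytes."""
    if len(pkt) < offset + size:
        return False
    field = int.from_bytes(pkt[offset:offset + size], "big")
    return (field & mask) == value

def small_tcp_with_flags(pkt: bytes, flag_value: int, flag_mask: int) -> bool:
    """The guards every TCP filter on the page shares, then the flags byte:
       match ip protocol 6 0xff     -> byte 9 (protocol) == TCP
       match u8 0x05 0x0f at 0      -> IHL == 5, no IP options, TCP starts at byte 20
       match u16 0x0000 0xffc0 at 2 -> total length < 64 (top 10 bits clear)
       match u8 FLAG MASK at 33     -> 20 + 13 = the TCP flags byte"""
    return (u32_match(pkt, 9, 1, 6, 0xff)
            and u32_match(pkt, 0, 1, 0x05, 0x0f)
            and u32_match(pkt, 2, 2, 0x0000, 0xffc0)
            and u32_match(pkt, 33, 1, flag_value, flag_mask))

# (value, mask) pairs exactly as written in the page's SYN/FIN/RST/ACK filter lines
FILTERS = {"SYN": (0x02, 0x02), "FIN": (0x01, 0x01), "RST": (0x04, 0x04), "ACK": (0x10, 0xff)}

def classify(pkt: bytes) -> list:
    """Names of the page's filters that would steer this packet into class 1:20."""
    return [name for name, (v, m) in FILTERS.items() if small_tcp_with_flags(pkt, v, m)]

def build_ipv4_tcp(flags: int, payload_len: int = 0, ihl: int = 5) -> bytes:
    """Constructed sample packet: IPv4 header of ihl*4 bytes (zeroed options if
    ihl > 5), a 20-byte TCP header carrying `flags`, then payload_len zero bytes.
    Checksums stay 0; none of the filters look at them."""
    total = ihl * 4 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 168, 88, 2]), bytes([192, 168, 88, 1]))
    ip += b"\x00" * ((ihl - 5) * 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + b"\x00" * payload_len

SYN, FIN, RST, PSH, ACK = 0x02, 0x01, 0x04, 0x08, 0x10

if __name__ == "__main__":
    for label, pkt in [("bare SYN", build_ipv4_tcp(SYN)),
                       ("SYN+ACK", build_ipv4_tcp(SYN | ACK)),
                       ("pure ACK", build_ipv4_tcp(ACK)),
                       ("PSH+ACK with 100-byte data", build_ipv4_tcp(PSH | ACK, 100)),
                       ("SYN with IP options", build_ipv4_tcp(SYN, ihl=6))]:
        print(f"{label:28s} total_len={len(pkt):3d} -> {classify(pkt)}")
```

Note that the ACK line uses mask 0xff, so only a pure ACK (no PSH, no data beyond the 64-byte bound) qualifies, while the SYN/FIN/RST lines test a single bit and also catch SYN+ACK or FIN+ACK.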