Web Proxy queue

knightrider · May 9, 2006, 8:59am

I have a problem with traffic shapping from web proxy.
I mark mac address,ports,ip and nothing works.
Can`t find a way to limit traffic if web proxy is enabled.
Any Ideas?
Thanks.

valens · May 9, 2006, 9:58pm

Maybe you can try this example

P > FIREWALL > MANGLE

0 ;;; up traffic
chain=prerouting in-interface=LAN src-address=192.168.0.4 action=mark-packet new-packet-mark=test-packet-up passthrough=no

1 chain=forward src-address=192.168.0.4 action=mark-connection new-connection-mark=test-conn passthrough=yes

2 ;;; down traffic from internet
chain=forward in-interface=PUBLIC connection-mark=test-conn action=mark-packet new-packet-mark=test-packet-down passthrough=no

3 ;;; down traffic from router
chain=output out-interface=LAN dst-address=192.168.0.4 action=mark-packet new-packet-mark=test-packet-down passthrough=no

QUEUE > TREE

0 name=“test-down” parent=LAN packet-mark=test-packet-down limit-at=0 queue=default priority=8 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s

1 name=“test-up” parent=global-in packet-mark=test-packet-up limit-at=0 queue=default priority=8 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s

emmanuel · May 20, 2006, 12:16pm

hello
i have same problem,my queue would fine but when enables squid for me web catch the queue tree wiil shape well for me pl what i should now .

samsoft08 · May 21, 2006, 12:33pm

valens so nice example , i want to apply your example but first i need to show you my rules wich i’m using now , i just want to make an equal bandwidth sharing between my clients ( PCQ ) and i’m doing this :

1- firewall mangle :

chain=prerouting src-address=192.168.1.0/24 action=mark-connection new-connection-mark=users-con passthrough=no

chain=forward connection-mark=users-con action=mark-packet new-packet-mark=users passthrough=yes

2-Queues

a- type

name=“pcq-download” kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000

name=“pcq-upload” kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000

b- tree

name=“queue1” parent=localnet packet-mark=users limit-at=0 queue=pcq-download priority=8 max-limit=0 burst-limit=0
burst-threshold=0 burst-time=0s

name=“queue2” parent=internet packet-mark=users limit-at=0 queue=pcq-upload priority=8 max-limit=0 burst-limit=0
burst-threshold=0 burst-time=0s

please look at this setting carefully and let me know if i made any mistake , and how to add a queue for my web-proxy to the download queue .. thanx in advanced

samsoft08 · May 22, 2006, 1:25pm

i need someone to check my setting please , is it ok ? or i have to change it to valnet example ?

samsoft08 · May 25, 2006, 1:01am

please any EXPERT advice ???

FOV · May 25, 2006, 1:25pm

Guys, I´m not an expert, very far of that.

But, I´m using this for my clients

Hope to be useful for you.

Regards,

Fernando

\

Configuro Mangle PARA PRIORIDADES

Configuro Mangle VoIp

/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=5060 action=mark-connection new-connection-mark=VOIP_CON passthrough=yes comment="VoIP" disabled=no
/ ip firewall mangle add chain=prerouting protocol=udp dst-port=5060 action=mark-connection new-connection-mark=VOIP_CON passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=16384 action=mark-connection new-connection-mark=VOIP_CON passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting protocol=udp dst-port=16384 action=mark-connection new-connection-mark=VOIP_CON passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=19000-20000 action=mark-connection new-connection-mark=VOIP_CON passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting protocol=udp dst-port=19000-20000 action=mark-connection new-connection-mark=VOIP_CON passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting connection-mark=VOIP_CON action=mark-packet new-packet-mark=ALTA passthrough=no comment="" disabled=no

Configuro Mangle DNS

/ ip firewall mangle add chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS_CON passthrough=yes comment="DNS" disabled=no
/ ip firewall mangle add chain=prerouting connection-mark=DNS_CON action=mark-packet new-packet-mark=ALTA passthrough=no comment="" disabled=no

Configuro Mangle Trafico Web

/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=HTTP_CON passthrough=yes comment="HTTP" disabled=no
/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=HTTP_CON passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=8080 action=mark-connection new-connection-mark=HTTP_CON passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting connection-mark=HTTP_CON action=mark-packet new-packet-mark=MEDIA_ALTA passthrough=no comment="" disabled=no

Configuro Mangle Trafico Mail

/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=MAIL_CON passthrough=yes comment="HTTP" disabled=no
/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=MAIL_CON passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting connection-mark=MAIL_CON action=mark-packet new-packet-mark=MEDIA_ALTA passthrough=no comment="" disabled=no

Configuro Mangle Trafico FTP

/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=20 action=mark-connection new-connection-mark=FTP_CON passthrough=yes comment="HTTP" disabled=no
/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=21 action=mark-connection new-connection-mark=FTP_CON passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting connection-mark=FTP_CON action=mark-packet new-packet-mark=MEDIA_BAJA passthrough=no comment="" disabled=no

Configuro Mangle Messenger

/ ip firewall mangle add chain=prerouting protocol=tcp dst-port=1863 action=mark-connection new-connection-mark=MSN_CON passthrough=yes comment="MSN" disabled=no
/ ip firewall mangle add chain=prerouting connection-mark=MSN_CON action=mark-packet new-packet-mark=MEDIA_BAJA passthrough=no comment="" disabled=no

Configuro Mangle Para Programas Peer to Peer

/ ip firewall mangle add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=P2P_CON passthrough=yes comment="P2P" disabled=no
/ ip firewall mangle add chain=prerouting connection-mark=P2P_CON action=mark-packet new-packet-mark=P2P passthrough=no comment="" disabled=no

Configuro Mangle Resto de los Servicios

/ ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=OTROS_CON passthrough=yes comment="Resto del trafico" disabled=no
/ ip firewall mangle add chain=prerouting connection-mark=OTROS_CON action=mark-packet new-packet-mark=BAJA passthrough=yes comment="" disabled=no

######## Configuro el Arbol de Colas Queue tree #################
/ queue tree add name="8-P2P" parent=global-out packet-mark=P2P limit-at=64000 queue=default priority=8 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/ queue tree add name="1-Alta" parent=global-out packet-mark=ALTA limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/ queue tree add name="3-Media alta" parent=global-out packet-mark=MEDIA_ALTA limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/ queue tree add name="5-Media baja" parent=global-out packet-mark=MEDIA_BAJA limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/ queue tree add name="7-Baja" parent=global-out packet-mark=BAJA limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

maxfava · May 25, 2006, 1:25pm

Search on my post.
The conclusion is that on mk you cannot mangle proxy request.

ciao

samsoft08 · May 26, 2006, 12:38am

maxfava , thats mean if a client request somthing about 1Mb , and his request exist inside the cache , he will recieve the 1Mb out of the limit in the mangle and queue ??

npbrasil · May 28, 2006, 8:35am

Just one idea:

/ ip firewall mangle
add chain=output protocol=tcp src-port=8000 (proxy port) dst-address-list=“your list here” action=mark-packet new-packet-mark=proxy-out passthrough=yes comment=“” disabled=no

/ queue tree
add name=“proxy-out” parent=global-out packet-mark=proxy-out limit-at=1 queue=default priority=5 max-limit=1024000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes

PS: tested, works

samsoft08 · May 29, 2006, 6:19pm

i dont understand why the (( disabled=yes )) ?

anyway , there is more than one setup each user wrote his setup solving the same problem , and no one from mikrotik say a word !!! i dont know whos this form belongs to ??

i bought MT for a specific need , untill now i saw more than one setup all of them differ from the setup in the manual , i’m totaly lost …

cokin · May 31, 2006, 4:37am

Yes that’s right we can not mangle proxy request if web proxy was enabled