I implemented the queue as suggested at
http://wiki.mikrotik.com/wiki/Queue_wit ... _Web-Proxy.
I have ETH and WLAN; for now it is only set up on the ETH interface for testing, and it's OK. I want to modify the Wiki suggestion for a system which has 2 LAN interfaces instead of one.
A question: the wiki instruction:
Make 2 NAT rules, 1 for Masquerading, and the other for redirecting transparent proxy.
[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=public
     src-address=172.21.1.0/24 action=masquerade
 1   chain=dstnat in-interface=lan src-address=172.21.1.0/24
     protocol=tcp dst-port=80 action=redirect to-ports=3128
is somewhat the same as what I had after using the firewall settings via Webbox (#0) and later setting up the web-proxy according to the manual (#1).
The only difference is that in the Wiki instructions these rules specify a local network address range (172.21.1.0/24).
Since masquerading will do some operation between the public interface and one (or more) locals, can I keep the "old" firewall + web-proxy masquerading rules instead?
[admin@mramos] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=public
 1   chain=dstnat action=redirect to-ports=3128 protocol=tcp dst-port=80
Both locals (LAN & WLAN) need to be "web-proxied" anyway. Or must I create two identical rules, specifying the network ranges of each interface (192.168.100.0/24 & 192.168.10.0/24 in my setup)?
And then on Wiki:
If we want to make HIT traffic from web proxy not queued, we have to make a mangle to handle this traffic. Put this rule on the beginning of the mangle, as it will check first.
[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; HIT TRAFFIC FROM PROXY
     chain=output out-interface=lan
     dscp=4 action=mark-packet
     new-packet-mark=proxy-hit passthrough=no
In order to make both interfaces follow the same rule, is it enough to add the WLAN rule:
     chain=output out-interface=wlan
     dscp=4 action=mark-packet
     new-packet-mark=proxy-hit passthrough=no
?
And more: could the packet-marks be the same for both interfaces, while creating different rules for LAN & WLAN?
[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 1   ;;; UP TRAFFIC (LAN)
     chain=prerouting in-interface=lan
     src-address=192.168.100.0/24 action=mark-packet
     new-packet-mark=test-up passthrough=no
 2   ;;; UP TRAFFIC (WLAN)
     chain=prerouting in-interface=lan
     src-address=192.168.10.0/24 action=mark-packet
     new-packet-mark=test-up passthrough=no
Or do I need to go like this?
 1   ;;; UP TRAFFIC (LAN)
     chain=prerouting in-interface=lan
     src-address=192.168.100.0/24 action=mark-packet
     new-packet-mark=test-up1 passthrough=no
 1   ;;; UP TRAFFIC WLAN
     chain=prerouting in-interface=lan
     src-address=192.168.10.0/24 action=mark-packet
     new-packet-mark=test-up2 passthrough=no
And finally ... using this Wiki suggestion, when I set the limits for an address range, does this mean that ALL the segment will be limited to this speed (I mean, the interface will have a single speed limit, let's say 512down/128up)? Or will EACH client have its own limits, all the same (each client 512down/128up)?
Thanks for any help.