In this example N=2

NOTE: this example assumes you have empty mangle. after rules have been processed, packets are accepted with routing-mark rules.

• Adding ip addresses to interfaces

I am assuming i have 2 outgoing WAN and 1 Local LAN. I assume that addresses on WAN are public.

/ip address add address=10.111.0.2/24 interface=first_link
/ip address add address=10.112.0.2/24 interface=second_link
/ip address add address=192.168.1.1/24 interface=Local

• Creating address list of possible local addresses

We will need this list in our configuration, so only traffic from local interfaces are marked with routing marks. You can also use in interface for one incoming LAN interface on the router.

/ip firewall address-list add address=192.168.1.0/24 list=local

• Adding routes

We should add two types of route: Default route for unmarked traffic, and 2 routes for marked routes.

/ip route add gateway=10.111.0.1
/ip route add gateway=10.111.0.1 routing-mark=first
/ip route add gateway=10.112.0.1 routing-mark=second

• Masquerade rules

So that our local addresses can access internet addresses.

/ip firewall nat add chain=srcnat out-interface=first_link action=masquerade
/ip firewall nat add chain=srcnat out-interface=second_link action=masquerade

• Mangle rules

Where the whole marking is made. I am dividing mangle in 5 sections (A-E) to make it more clear.

• Section A

These 4 rules adds address to address list, as result, we are dividing all internal addresses currently active to dynamic address lists first and second these will be correspondingly routed through corresponding gateways. When that is done, address for simplicity is added to one more address list – seen so we know that we have seen this address and do not have to check more than once. When everything is done we jump to mark connection and set routing-mark for packet we are working with. Here we are working just with new packets that we have not seen yet.

After this section finishes, these packets are not different from those that are matched in Section D, so they are passed to Section B for further processing.

/ip firewall mangle add action=add-src-to-address-list address-list=first address-list-timeout=0s chain=”mark new unseen” disabled=no nth=2,1
/ip firewall mangle add action=add-src-to-address-list address-list=second address-list-timeout=0s chain=”mark new unseen” disabled=no nth=2,2
/ip firewall mangle add action=add-src-to-address-list address-list=seen address-list-timeout=0s chain=”mark new unseen” disabled=no
/ip firewall mangle add action=jump chain=”mark new unseen” disabled=no jump-target=”mark connection”

• Section B

Next 4 rules are marking connection of both, new packets from hosts we have not seen yet and with new packets from seen hosts. First, mark connection, then add routing-mark.

/ip firewall mangle add action=mark-connection chain=”mark connection” disabled=no new-connection-mark=first_conn passthrough=yes src-address-list=first
/ip firewall mangle add action=mark-connection chain=”mark connection” disabled=no new-connection-mark=second_conn passthrough=yes src-address-list=second
/ip firewall mangle add action=mark-routing chain=”mark connection” connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no
/ip firewall mangle add action=mark-routing chain=”mark connection” connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no

• Section C

Next 2 rules are setting up routing-mark on packets that have connection-mark set. As result majority of packets are passing though just these 2 rules.

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no src-address-list=first
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no src-address-list=second

• Section D

This rule caches new connection packets that come from our “seen” clients, eg, client initiated new http download session (opening web page). Packets are passed to Section B where they are marked.

/ip firewall mangle add action=jump chain=prerouting connection-state=new disabled=no jump-target=”mark connection” src-address-list=local

• Section E

If client ip address is not in our seen list, then address is passed to Section A where it is added to address list and after that is ready to be processed.

/ip firewall mangle add action=jump chain=prerouting connection-state=new disabled=no jump-target=”mark new unseen” src-address-list=local

Packet route logic

• New packet from unseen addressee

When router is booting up it have no seen list, and no clients are assigned to gateways. Or packet is received from previously unseen client. When first packet arrives it is checked in Section C, as it does not match there, it is passed over to Section D and then to Section E where it is finally matched and passed for processing on Section A. In Section A packet is matched and assigned to either of 2 address lists (first and second) and then added to seen address-list. After that is done, packed is passed to Section B where its connection is marked and then packet receives its routing mark and is accepted.

• New packet from seen addressee

Packet is passed through Section C to Section D where it is matched and passed to Section C where connection is marked and accepted

• Packet from seen addressee

Packet arrives in Section C and is matched there and accepted.

Similarly, For more WANs, an additional IP address is added and additional route with routing-mark respectively as third, forth etc.

Then you have have to edit Sections A-C

• Changes in Section A

here we have to adjust nth field value first value is what number of packed we are looking for, usually it is equal to your WAN count. And add additional rule as in example below.

/ip firewall mangle add action=add-src-to-address-list address-list=first address-list-timeout=0s chain=”mark new unseen” disabled=no nth=3,1
/ip firewall mangle add action=add-src-to-address-list address-list=second address-list-timeout=0s chain=”mark new unseen” disabled=no nth=3,2
/ip firewall mangle add action=add-src-to-address-list address-list=third address-list-timeout=0s chain=”mark new unseen” disabled=no nth=3,3
/ip firewall mangle add action=add-src-to-address-list address-list=seen address-list-timeout=0s chain=”mark new unseen” disabled=no
/ip firewall mangle add action=jump chain=”mark new unseen” disabled=no jump-target=”mark connection”

• Changes in Section B

here we will have to add 2 new rules, to mark connections that source address is in third address-list, and after that mark routing corresponding to connection mark.

/ip firewall mangle add action=mark-connection chain=”mark connection” disabled=no new-connection-mark=first_conn passthrough=yes src-address-list=first
/ip firewall mangle add action=mark-connection chain=”mark connection” disabled=no new-connection-mark=second_conn passthrough=yes src-address-list=second
/ip firewall mangle add action=mark-connection chain=”mark connection” disabled=no new-connection-mark=third_conn passthrough=yes src-address-list=third
/ip firewall mangle add action=mark-routing chain=”mark connection” connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no
/ip firewall mangle add action=mark-routing chain=”mark connection” connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no
/ip firewall mangle add action=mark-routing chain=”mark connection” connection-mark=third_conn disabled=no new-routing-mark=third passthrough=no

• Changes in Section C

Here have to add rule just like in section B just change chain to prerouting as all other rules in this section.

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no src-address-list=first
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no src-address-list=second
/ip firewall mangle add action=mark-routing chain=”prerouting” connection-mark=third_conn disabled=no new-routing-mark=third passthrough=no

…………….:)

Web proxy, a service provided by mikrotik is placed between a client and the internet, specifically for HTTP web surfing. Only HTTP traffic is cached because HTTPS and FTP are not easy to cache. There are two main benefits to using a web-proxy.
1. Raising Security for client and network
Security is raised as the client is not directly connected to the website they are requesting data from. The client makes a connection request to the web-proxy and the web-proxy fetches the data on the client’s behalf. Therefore the internet is connected to the web-proxy interface, not directly to the client. Using a web-proxy also allows the possibility of providing other services, such as anti-virus scanning, content filtering and monitoring or reports on the websites being requested.

2. Enhanced Performance and possibly lowering costs for client and network

………more to come…………..

MRTG works on most UNIX platforms and Windows, but i have described here for UNIX platform specified on Centos 5.x version. MRTG is written in perl and some code in c language.

MRTG uses the Simple Network Management Protocl (SNMP) to send requests with two object identifiers (OIDs) to a device. The device. which must be SNMP-enabled, will have a management information base (MIB) to look up the OIDs specified.  SNMP is use to manage IP network devices such as servers, routers, switches etc. Administrators can find or manage network performance, solve problem or even optimize it further.

This document includes MRTG and snmp binary installation using rpm. Please visit the author’s website here for source installation. Required RPMs are mrtg, snmp and snmp-utils.

The first step for mrtg to work is to make sure snmp is up and running. without proper working snmp server, mrtg will not work. Lets follow the following steps for fully working mrtg server.

1: Make sure snmp server is installed
# rpm -qa | grep snmp
Run rpm commands query option to find out snmp server installed or not:

If snmp is installed then please follow the next step or else it should be installed.
# yum install net-snmp-utils net-snmp
yum command can be used to install snmp package in centos or fedora. For other distros, you can find rpms in rpmfind.net

2: Determine if SNMP server is running or not
# ps -aux | grep snmp
This command will list the process if snmp server is running.

Output:
root      1442  0.0  0.6  27432  6564 ?        Sl   Aug04   2:29 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid -a
root     17653  0.0  0.0   3924   696 pts/0    S+   09:18   0:00 grep snmp

Alternatively, following two commands can be run as well:
# /usr/sbin/lsof -i :199

Output:
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
snmpd   1442 root   10u  IPv4   4101       TCP mrtgtestserver:smux (LISTEN)

OR # netstat -natv | grep ‘:199′

Output:
tcp        0      0 127.0.0.1:199               0.0.0.0:*                   LISTEN

If  you get the above outputs, the you can move on to next step or you have to start the service using following command:
# service snmpd start

snmpd service should start automatically as linux boots:
# chkconfig –add snmpd

3: Make sure snmp server is configured properly
snmpwalk utility is used to request for tree of information about network entity. i.e. query snmp server for server’s ipaddress assigned to it’s interface.
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

Output:
IP-MIB::ipAdEntIfIndex.192.168.1.100 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1

If the result is as given to output, then follow the next step, else you need to configure snmp server as follows:

Configure SNMP
1. Edit the file /etc/snmp/snmpd.conf using vi text editor:
# vi /etc/snmp/snmpd.conf
Modify the lines as follows:

Find lines:
com2sec notConfigUser  default          public

Replace with:
com2sec   local                localhost                 public
com2sec   mynetwork  192.168.1.0/24    public

Note: My local network is 192.168.1.0/24. What about yours? replace it with your network.

Find lines:
group        notConfigGroup    v1             notConfigUser
group        notConfigGroup    v2c          notConfigUser

Replace with:
group     MyRWGroup    v1                local
group     MyRWGroup    v2c             local
group     MyRWGroup    usm            local
group     MyROGroup     v1               mynetwork
group     MyROGroup     v2c            mynetwork
group     MyROGroup     usm           mynetwork

Find lines:
view       systemview         included           system

Replace with:
view   all           included         .1                                                  80

Find lines:
access       notConfigGroup   ” “          any          noauth          exact           systemview   none    none

Replace with:
access   MyROGroup  ” “         any          noauth         exact       all       none     none
access   MyRWGroup ” “         any          noauth         exact       all       all          none

Find lines:
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)

Replace with:
syslocation Linux (CentOS), MRTG Server.
syscontact Kijush Maharjan <kijush.maharjan@gmail.com>

Start the snmp server and test it:
a. snmpd should always start as linux boots.
# chkconfig  snmpd on
b. make sure service start whenever linux comes up after reboot.
# sevice snmpd on
c. Finally test the snmp server:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

4: Install mrtg if not installed
MRTG package may install during initial installation. It can be verified if MRTG has been installed or not by following command:
# rpm -qa | grep mrtg

If MRTG is already installed, lets move on to next step else It can be found on rmpfind.net or it is also bundled with centos installation cd.

Yum command can be used on fedora linux as well as centos to install MRTG.
# yum install mrtg

5: Configuration of MRTG
a. Create document root to store mrtg graphs and html pages:
# mkdir -p /var/www/html/mymrtg/
b. Run following commands to create mrtg configuration file:
# cfgmaker –global ‘WorkDir: /var/www/html/mymrtg’ –output /etc/mrtg/mrtg1.cfg public@localhost            (For localhost)
# cfgmaker –global ‘WorkDir: /var/www/html/mymrtg’ –output /etc/mrtg/router.cfg public@192.168.1.1      (For router)
# cfgmaker –global ‘WorkDir: /var/www/html/mymrtg’ –output /etc/mrtg/server.cfg public@192.168.1.2      (For linux/windows server)
c. Generate default index page for MRTG configuration:
# indexmaker –output=/var/www/html/mymrtg/index.html /etc/mrtg/router.cfg /etc/mrtg/server.cfg /etc/mrtg/localhost.cfg        (index.html file for all generated cfg file. It can also be separeted as necessary)
d. copy all tiny png files to the mrtg path:
# cp -av /var/www/html/mrtg/*.png /var/www/html/mymrtg/

6: First test run of MRTG
a. Run mrtg command from command line with the configuration file:
# mrtg /etc/mrtg/router.cfg
Note: This command will generate error regarding enviroment. so following command is used:
# env LANG=C /usr/bin/mrtg /etc/mrtg/router.cfg
Note: Few warning messages may be displayed, but above command should run until it stop to display warning messages.
b. Now from the web browser type url: http://<ipaddress of mrtg server>/mymrtg

7: Create crontab entry so that mrtg graphs and images get generated every 5 minutes
a. Login as root and type the following command:
# crontab -e
b. Add mrtg cron job entry to configuration file:
*/5 * * * * /usr/bin/mrtg /etc/mrtg/mymrtg.cfg –logging /var/log/mrtg.log
*/5 * * * * /usr/bin/mrtg /etc/mrtg/router.cfg –logging /var/log/mrtg.log
*/5 * * * * /usr/bin/mrtg /etc/mrtg/server.cfg –logging /var/log/mrtg.log
save file and it’s done with MRTG configuration.

8: I don’t think anyone wanna give access to their snmp server for security reasons. SNMP server users UDP 161, 162 ports for communications. Linux IPTABLES firewall can be used to restrict access to SNMP Server.
a. Allow outgoing SNMP server request from linux computer. This is useful when you query remote host/router.
SERVER=”xxx.xxx.xxx.xxx”
iptables -A OUTPUT -p udp -s $SERVER –sport 1024:65535 -d 0/0 –dport 161:162 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 –sport 161:162 -d $SERVER –dport 1024:65535 -m state –state ESTABLISHED -j ACCEPT

b. Allow incoming SNMP client request via iptables. This is useful when you wish to accept queries for rest of the world.
SERVER=”xxx.xxx.xxx.xxx”
iptables -A INPUT -p udp -s 0/0 –sport 1024:65535 -d $SERVER –dport 161:162 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER –sport 161:162 -d 0/0 –dport 124:65535 -m state –state ESTABLISHED -j ACCEPT
Note: The above two rules just SNMP specific iptables rules. Please refer iptables documents for complete information about iptables.

9: Protect MRTG graphs/html pages with password protected directory
Restricting access to MRTG reports can be accomplished with Apache webserver’s .htaccess file. Follow the process outlined to protect graphs using apache’s .htaccess file and htpasswd command:
a. Create .htaccess file in /var/www/html/mymrtg/ directory
vi /var/www/html/mymrtg/.htaccess
Add following text to file:
AuthName “MRTG Graphs/Html restricted access”
AuthType Basic
AuthUserFile /var/www/html/mymrtg/.htpasswd
require user mrtgadmin

b. Create a user and password name (-c assumes first time you are using .htpasswd file, -m for modifying):
# htpasswd -c /var/www/html/mymrtg/.htpasswd mrtgadmin
For more information about apache web server and it’s authentication method, please refer to apache web server documentation.