Proxy arp

Monitoring

The monitor command can be used to monitor the status of the tunnel on both the client and the server.

/interface pptp-client monitor 0
     status: "connected"
     uptime: 7h24m18s
  idle-time: 6h21m4s
   encoding: "MPPE128 stateless"
        mtu: 1460
        mru: 1460

Read-only properties

Property (type) : Description

  • status () : Current PPTP status. A value other than "connected" indicates that there are problems establishing the tunnel.
  • uptime (time) : Elapsed time since the tunnel was established.
  • idle-time (time) : Elapsed time since the last activity on the tunnel.
  • encoding () : Encryption method in use
  • mtu (integer) : Negotiated and used MTU
  • mru (integer) : Negotiated and used MRU

Queue Tree Setup

And now, the queue tree setting. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent. For downlink traffic, we use parent "lan", the interface name for the local network. For uplink, we use parent "global-in".

 > queue tree pr
Flags: X - disabled, I - invalid 
0   name="downstream" parent=lan packet-mark=test-down 
    limit-at=32000 queue=default priority=8 
    max-limit=32000 burst-limit=0 
    burst-threshold=0 burst-time=0s 

1   name="upstream" parent=global-in 
    packet-mark=test-up limit-at=32000 
    queue=default priority=8 
    max-limit=32000 burst-limit=0 
    burst-threshold=0 burst-time=0s

DNS proxy (/ip dns)

The DNS (Domain Name System) cache facility on a MikroTik router provides domain name resolution for the router itself as well as for the connected clients. This facility allows the router to work as the default DNS resolver for clients on the LAN.

The router (resolver) receives local client DNS requests and forwards to public DNS only those requests that are not yet in the local DNS cache.

DNS query and response from “Wireshark” traffic analyzer:

Domain Name System (query)

No.   Time       Source          Destination     Protocol   Info
614   80.581710  172.16.16.243   172.16.16.1     DNS(53)    Standard query A www.mikrotik.com

Domain Name System (response)

No.   Time       Source          Destination     Protocol   Info
615   80.592878  172.16.16.1     172.16.16.243   DNS(53)    Standard query response A 159.148.147.196

A special type of request is sent to the resolver on port 53. If you want to receive IP addresses of all public domain names, your local resolver must know at least one public name server. When the resolver processes a user query that is not in the local cache, it asks the public name server for the required information. In this way the resolver learns the content of the name server.

DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time.

DNS proxy (cache) setup

A MikroTik router with DNS feature enabled can be set as a DNS server for any DNS-compliant client. When the remote requests are enabled (allow-remote-requests: yes), the MikroTik router responds to TCP and UDP DNS requests on port 53.

DNS cache management can be accessed under the /ip dns submenu. To enable DNS cache, use the set command, for example:

 /ip dns> set servers=10.5.8.1,159.148.60.20 allow-remote-requests=yes
 /ip dns> print 
                servers: 10.5.8.1,159.148.60.20
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 144KiB
 /ip dns>

Moreover, the MikroTik router can be specified as a primary DNS server under its dhcp-server settings.

Property Description:

  • servers (IP address list; default: 0.0.0.0) : comma separated list of DNS server IP addresses
  • allow-remote-requests (yes | no; default: no) : specifies whether to allow network requests
  • cache-size (integer: 512..10240; default: 2048KiB) : specifies the size of DNS cache in KiB
  • cache-max-ttl (time; default: 1w) : specifies maximum time-to-live for cache records. In other words, cache records will expire unconditionally after cache-max-ttl time. Shorter TTLs received from DNS servers are respected
  • cache-used (read-only: integer) : displays the current cache size in KiB

Static DNS entries

MikroTik RouterOS allows you to add static DNS entries. They let you link particular domain names with the respective IP addresses and advertise these addresses to the DNS clients. The two main properties that must be specified are address and domain name:

  • address – (IP address) IP address to resolve domain name with
  • name – (text) DNS name to be resolved to a given IP address. May be a regular expression

 /ip dns static> add name=admin.example.com address=1.1.1.2

Remember that the meaning of a dot (.) in regular expressions is any character, so the expression should be escaped properly. For example, if you need to match anything within the example.com domain but not all the domains that just end with example.com, the dots must be escaped: an unescaped name=".example.com" accepts domain names like www.another-example.com, ns1.another-example.com.

For example:

 /ip dns static> print detail 

Flags: D - dynamic, X - disabled, R - regexp 
 0     name="admin.example.com" address=1.1.1.2 ttl=1d 
 1   R name=".example.com" address=1.2.2.3 ttl=1d 
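
The effect of the unescaped dot, as an added example (not MikroTik's code or documentation). It assumes Python's re.search behaves like the router's regexp match for these simple patterns, treated here as unanchored; the escaped STRICT pattern, the helper names and all host names are constructed for illustration.

```python
import re

LOOSE = ".example.com"        # regexp entry as shown in the print output above
STRICT = r"\.example\.com$"   # assumption: dots escaped, match anchored at the end


def lookalikes(zone):
    """Constructed names that are NOT inside `zone` but resemble it."""
    return [
        "www.another-" + zone,            # only ends with the zone text
        "ns1x" + zone,                    # 'x' where the label dot belongs
        "www." + zone.replace(".", "-"),  # inner dot replaced by '-'
        "www." + zone + ".other.test",    # zone text in the middle of the name
    ]


def audit(pattern, zone):
    """Report which names a static-entry regexp misses or over-matches."""
    rx = re.compile(pattern)
    inside = ["www." + zone, "admin." + zone]  # names the entry is meant for
    return {
        "missed": [n for n in inside if not rx.search(n)],
        "overmatched": [n for n in lookalikes(zone) if rx.search(n)],
    }


if __name__ == "__main__":
    for label, pattern in (("loose", LOOSE), ("strict", STRICT)):
        result = audit(pattern, "example.com")
        print(label, pattern)
        print("  missed:     ", result["missed"])
        print("  overmatched:", result["overmatched"])
```

Every name in the "overmatched" list would be answered with the static entry's address instead of being resolved normally, which is why a regexp entry is worth testing against lookalike names before it is added.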

MikroTik /ip dns command references you can find:

/routing igmp-proxy mfc

Multicast forwarding cache (MFC) status.

  • group (IP address) : IGMP group address
  • source (IP address) : multicast data originator address
  • upstream-interface (interface name) : packet stream is coming in router through this interface
  • downstream-interfaces (interface name) : packet stream is going out of router through this interface
  • bytes (integer) : total amount of received multicast traffic
  • packets (integer) : total amount of received multicast packets
  • wrong-packets (integer) : total amount of received multicast packets that arrived on a wrong interface, for example, a multicast stream that is received on a downstream interface instead of upstream interface

Summary

Internet Group Management Protocol (IGMP) proxy can be used to implement multicast routing. It forwards IGMP frames and is commonly used when there is no need for a more advanced protocol like PIM.

IGMP proxy features:

  • The simplest way to do multicast routing;
  • Can be used in topologies where PIM-SM is not suitable for some reason;
  • Takes slightly less resources than PIM-SM;
  • Ease of configuration.

On the other hand, IGMP proxy is not well suited for complicated multicast routing setups. Compared to PIM based solutions, IGMP proxy does not support more than one upstream interface and routing loops are not detected or avoided.

By default, the IGMP proxy upstream interface sends IGMPv3 membership reports and detects which IGMP version the upstream device (e.g. multicast router) is using based on received queries. If IGMPv1/v2 queries are received, the upstream port falls back to the lower IGMP version. It converts back to IGMPv3 when the IGMPv1/v2 querier present timer (400s) expires. Downstream interfaces of the IGMP proxy only send IGMPv2 queries.

Summary

Sub-menu: Standards:

MikroTik RouterOS performs proxying of HTTP and HTTP-proxy (for FTP and HTTP protocols) requests. The proxy server performs an Internet object cache function by storing requested Internet objects, i.e., data available via HTTP and FTP protocols, on a system positioned closer to the recipient. This speeds up customer browsing by delivering requested file copies from the proxy cache at local network speed. MikroTik RouterOS implements the following proxy server features:

  • Regular HTTP proxy – the customer specifies the proxy server himself
  • Transparent proxy – the customer does not know about the proxy being enabled, and no additional configuration of the client's web browser is needed.
  • Access list by source, destination, URL and requested method (HTTP firewall)
  • Cache access list to specify which objects to cache, and which not.
  • Direct Access List – to specify which resources should be accessed directly, and which through another proxy server
  • Logging facility – allows you to get and store information about proxy operation
  • Parent proxy support – allows you to specify another proxy server (if they don't have the requested object, they ask their parents, or the original server).

A proxy server usually is placed at various points between users and the destination server (also known as origin server) on the Internet. (see Figure 10.1).

A Web proxy (cache) watches requests coming from clients, saving copies of the responses for itself. Then, if there is another request for the same URL, it can use the response that it has, instead of asking the origin server for it again. If the proxy does not have the requested file, it downloads it from the origin server.

There can be many potential purposes of a proxy server:

  • To increase access speed to resources (it takes less time for the client to get the object).
  • To work as an HTTP firewall (deny access to undesirable web pages).
  • To filter web content (by specific parameters, like source address, destination address and port, URL, HTTP request method) and scan outbound content, e.g., for data leak protection.

Note: it may be useful to have the Web proxy running even with no cache when you want to use it only as something like an HTTP and FTP firewall (for example, denying access to undesired web pages or denying specific types of files, e.g. .mp3 files) or to redirect requests to an external proxy (possibly, to a proxy with caching functions) transparently.

Introduction

This page will talk about how to make a QUEUE TREE in RouterOS that is also running Web-Proxy and Masquerading.
Several topics in the Forum say that it’s impossible to do.

In version 2.9.x, we cannot determine which traffic is HIT and which traffic is MISS from web-proxy. Several people want a configuration that lets cached data in the proxy (HIT traffic) be delivered at the maximum possible speed. In other words, if we already have the requested data, that traffic will not be queued.

In version 3.0 we can do this, using the TOS header modification in the web-proxy feature. We can set any TOS value for the HIT traffic, and use it as a parameter in mangle.

How to configure multicast

This guide is intended for those who have already set up an ASUS RT-N12, RT-N11P or RT-N10 Wi-Fi router but have not yet configured TV (the path is the same for other ASUS router models).

Before configuring, connect the TV set-top box to one of the LAN ports on the back of your router, then follow these simple steps.

  1. Open your router's settings. Usually this means entering the address 192.168.1.1 in the address bar of any browser and entering the login and password for the settings web interface (by default admin and admin respectively, but the login and password are usually changed during the initial setup of the router).
  2. On the main page, in the menu on the left, select "Local network" (or LAN in some firmware versions), and on the next page go to the IPTV tab.
  3. In the "LAN port" section, under "Choose IPTV STB port", select the LAN port on the router to which the provider's TV set-top box is connected.
  4. Apply the settings.

Note: for some popular providers, in particular Rostelecom and Beeline, IPTV may also require enabling the following options:

  • Multicast routing IGMP Proxy
  • IGMP Snooping

This can be done on the same settings page of the ASUS Wi-Fi router.


Udpxy is a server application that relays data from a multicast channel network stream (broadcast over UDP) into the HTTP connection of the requesting client.

The main task of udpxy is to pass data read from a multicast channel (which delivers data to subscribers over UDP) into a client connection that uses TCP. In this way a client that cannot work with UDP can send a request to udpxy, establish a TCP connection and work with the data received from the multicast channel named in the initial request. This capability is in demand when watching IPTV on mobile devices, TVs with SmartTV functionality and game consoles.

The Udp Proxy function on Keenetic II routers is implemented as a separate firmware component. To install this component:

  1. Go to the System section, find the UDP-HTTP proxy (udpxy) item on the Components tab and tick its checkbox;
  2. Click the Update button at the bottom of the page;

Note!

The InARP (Inverse ARP) protocol

InARP is a special modification of ARP for non-broadcast networks (for example, Frame Relay or ATM). The idea is simple: in networks without broadcast, ordinary ARP cannot work, but the tasks it solves do not go away, so a working scheme is needed. It is fairly interesting and simple. A node that supports InARP sends InARP messages on its own, at a specified interval, out of the subinterfaces that support InARP (for example, Frame Relay ones); these messages say something like "hello, I am from the node with such-and-such network address". The receiving side, on getting such a message from the subinterface with DLCI=abc, records in its table: "Behind DLCI abc lives the peer with IP xyz". That is essentially all.

The other differences are the use of different operation codes (8 for an InARP request, 9 for a reply) and the encapsulation mechanism: encapsulating in Q.922 is, of course, not the same as encapsulating in 802.3.
