Proxy (ZPH enabled) + Mikrotik Topology
Tuesday, December 31, 2013
The ZPH technology in Squid really helps proxy performance, especially when paired with Mikrotik. Seriously awesome...
It all depends on the internet topology, though.
With the usual topology, where the proxy uses a single Ethernet port, it is not that great. But with a two-Ethernet, non-bridged topology, it gets really good.
Clients are indeed limited to 128Kbps, but their browsing flows... like the Deli river in flood. Delay Pools become meaningless...
For a warnet (internet cafe) using an RB-750: of the 5 ports available, 4 end up in use. Ether1-ISP, Ether2-ProxyIN, Ether3-ProxyOut, Ether4-LAN.
As for the ZPH settings in Squid, I don't need to go over them again; plenty of people have already covered it, and then I'd be called a copy-paster again, hahaha...
The Squid settings are actually standard. No need for all kinds of refresh settings; it is enough to enable ZPH, then transparent proxy, then the IPs allowed to access the proxy, the cache_dir size, maximum cache size, average cache size and cache_mem. That's it.
I won't cover the cache_dir calculation either; many blogs have already written about it.
Then, on the Mikrotik, I mostly use queue tree. If you prefer simple queue, that is up to you; the mangle for cache hits is as many people have already covered. Each client is then marked in mangle and limited in queue tree to 128kbps under one main parent. The queue tree for the proxy, on the other hand, has global-out directly as its parent.
Now, on the Mikrotik, as I typed above, 4 ports are used. Example IPs:
Ether1-ISP=192.168.2.2/24
Ether2-ProxyIN=192.168.14.1/30
Ether3-ProxyOut=192.168.15.1/30
Ether4-LAN=192.168.150.1/28
DNS - follows the ISP's DNS
On the Squid proxy:
Ether1 = 192.168.14.2/30
Ether2 = 192.168.15.2/30
Gateway = 192.168.15.1
DNS - follows the ISP's DNS.
And what gets masqueraded is 192.168.15.0/30.
Some of you are surely confused.
Why is the LAN range 192.168.150.0/28, while the proxy IPs are 192.168.14.2/30 and 192.168.15.2/30?
Well, I will certainly answer, but I want to see how many people are interested in reading this blog of mine. I am deliberately not explaining it. Send me a message...
I will just show the output for the queue tree
(After so long without writing, here is the tonic)
[admin@MikroTik] /ip route rule print
Flags: X - disabled, I - inactive
0 src-address=192.168.150.0/28 action=lookup table=warnet
[admin@MikroTik] /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=192.168.14.2 gateway-status=192.168.14.2 reachable ether2 distance=1 scope=30 target-scope=10
routing-mark=warnet
1 A S dst-address=0.0.0.0/0 gateway=192.168.2.1 gateway-status=192.168.2.1 reachable ether1 distance=1 scope=30 target-scope=10
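The route rule and the two default routes above are what steer LAN traffic through the proxy while the proxy's own traffic goes straight to the ISP. The following is an added example, not the author's configuration or a RouterOS tool: a small Python model of that policy-routing lookup, built from the interface addresses, route rule and routes listed in the post. The model is simplified (connected subnets win, then the selected table, then main as fallback, which is how action=lookup behaves when the custom table has no match), the unmarked route is treated as belonging to "main", and the client and server addresses in the trace are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the post: interface addresses, the one /ip route rule and
# the two static default routes. The route the post prints without a
# routing-mark is modelled here as routing-mark "main".
INTERFACES = {
    "ether1": "192.168.2.2/24",    # ISP
    "ether2": "192.168.14.1/30",   # ProxyIN
    "ether3": "192.168.15.1/30",   # ProxyOut
    "ether4": "192.168.150.1/28",  # LAN
}
ROUTE_RULES = [
    {"src-address": "192.168.150.0/28", "action": "lookup", "table": "warnet"},
]
STATIC_ROUTES = [
    {"dst-address": "0.0.0.0/0", "gateway": "192.168.14.2", "routing-mark": "warnet"},
    {"dst-address": "0.0.0.0/0", "gateway": "192.168.2.1", "routing-mark": "main"},
]


def connected_interface(addr: ipaddress.IPv4Address) -> Optional[str]:
    """Name of the interface whose directly connected subnet contains addr."""
    for name, cidr in INTERFACES.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def select_table(src: ipaddress.IPv4Address) -> str:
    """The first matching /ip route rule picks the table; otherwise main."""
    for rule in ROUTE_RULES:
        if rule["action"] == "lookup" and src in ipaddress.ip_network(rule["src-address"]):
            return rule["table"]
    return "main"


def best_route(dst: ipaddress.IPv4Address, table: str) -> Optional[dict]:
    """Longest-prefix match among the static routes that carry this routing-mark."""
    candidates = [r for r in STATIC_ROUTES
                  if r["routing-mark"] == table
                  and dst in ipaddress.ip_network(r["dst-address"])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r["dst-address"]).prefixlen)


def forward(src: str, dst: str) -> Tuple[str, str, str]:
    """Return (table, next_hop, egress_interface) for a packet src -> dst.

    Simplified model: a directly connected destination is delivered on its
    interface regardless of table; otherwise the selected table is consulted,
    then main, which is the fallback behaviour of action=lookup.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    table = select_table(s)
    iface = connected_interface(d)
    if iface:
        return (table, "direct", iface)
    for t in (table, "main"):
        route = best_route(d, t)
        if route:
            gw = ipaddress.ip_address(route["gateway"])
            return (t, str(gw), connected_interface(gw) or "unreachable")
    return (table, "none", "unreachable")


def trace_client_request(client: str, server: str) -> List[Tuple[str, str, str]]:
    """Three routing decisions the router makes for one client request:
    the client's packet (policy-routed to the proxy), the proxy's own outbound
    packet (main table, ISP), and the reply coming back for the client."""
    proxy_out = "192.168.15.2"  # the proxy's egress address from the post
    return [
        forward(client, server),     # LAN source -> table warnet -> proxy
        forward(proxy_out, server),  # proxy source -> main -> ISP gateway
        forward(server, client),     # reply -> connected LAN interface
    ]


if __name__ == "__main__":
    # Constructed sample addresses: a LAN client and a public web server.
    for hop in trace_client_request("192.168.150.5", "8.8.8.8"):
        print(hop)
```

Running it shows the asymmetry that makes the two-Ethernet design work: the client's request leaves on ether2 toward 192.168.14.2, the proxy's upstream request leaves on ether1 toward 192.168.2.1, and the reply is delivered directly on ether4. Anything that changes the route rule's src-address (or a client outside 192.168.150.0/28) silently falls into the main table and bypasses the proxy, which is worth checking after any address change.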
[admin@MikroTik] /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.15.0/30
[admin@MikroTik] /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Proxy HIT
chain=postrouting action=mark-connection new-connection-mark=capt_proxy passthrough=yes dscp=12
1 chain=postrouting action=mark-connection new-connection-mark=capt_proxy passthrough=yes content=X-Cache: HIT
2 chain=postrouting action=mark-packet new-packet-mark=proxy passthrough=no connection-mark=capt_proxy
3 ;;; Cabal
chain=postrouting action=mark-connection new-connection-mark=capt_cabal passthrough=yes protocol=tcp dst-address-list=cabal
dst-port=38111-38114,38121-38122,63112
4 chain=postrouting action=mark-packet new-packet-mark=cabal passthrough=no connection-mark=capt_cabal
5 chain=forward action=mark-packet new-packet-mark=spesial passthrough=no src-address=192.168.150.0/24 dst-address-list=spesial
6 ;;; Bilyard
chain=postrouting action=mark-connection new-connection-mark=capt_fbbilyard passthrough=yes protocol=tcp
dst-address=209.20.80.24 dst-port=2003,2015
7 chain=postrouting action=mark-packet new-packet-mark=bilyard passthrough=no connection-mark=capt_fbbilyard
8 ;;; Atlantica
chain=postrouting action=mark-connection new-connection-mark=capt_atlantica passthrough=yes protocol=tcp
dst-address-list=gemscool dst-port=4300
9 chain=postrouting action=mark-packet new-packet-mark=atlantica passthrough=no connection-mark=capt_atlantica
10 ;;; PointBlank
chain=postrouting action=mark-connection new-connection-mark=capt_pb passthrough=yes protocol=tcp dst-address-list=gemscool
dst-port=39100,39110,39120,39190,49100
11 chain=postrouting action=mark-connection new-connection-mark=capt_pb passthrough=yes protocol=udp dst-address-list=gemscool
dst-port=40000-40009
12 chain=postrouting action=mark-packet new-packet-mark=pb passthrough=no connection-mark=capt_pb
13 ;;; Poker
chain=postrouting action=mark-connection new-connection-mark=capt_poker passthrough=yes protocol=tcp
dst-address=74.114.14.0/24 dst-port=843,9339
14 chain=postrouting action=mark-packet new-packet-mark=poker passthrough=no connection-mark=capt_poker
15 ;;; FreeStyle
chain=postrouting action=mark-connection new-connection-mark=capt_freestyle passthrough=yes protocol=tcp
dst-address-list=gemscool dst-port=10010-10012
16 chain=postrouting action=mark-connection new-connection-mark=capt_freestyle passthrough=yes protocol=udp
dst-address-list=gemscool dst-port=10010-10012
17 chain=postrouting action=mark-packet new-packet-mark=freestyle passthrough=no connection-mark=capt_freestyle
18 ;;; Warnet
chain=forward action=mark-packet new-packet-mark=dn_warnet passthrough=no dst-address=192.168.150.0/28
[admin@MikroTik] > queue tree print
Flags: X - disabled, I - invalid
0 name="warnet" parent=service packet-mark=dn_warnet limit-at=0 queue=pcq600k priority=8 max-limit=400k burst-limit=0 burst-threshold=0 burst-time=0s
1 name="proxy" parent=global-out packet-mark=proxy limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
2 name="poker" parent=game packet-mark=poker limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
3 name="service" parent=global-out limit-at=0 priority=8 max-limit=2M burst-limit=0 burst-threshold=0 burst-time=0s
4 name="game" parent=service limit-at=0 priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
5 name="pointblank" parent=game packet-mark=pb limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
6 name="freestyle" parent=game packet-mark=freestyle limit-at=300k queue=default priority=8 max-limit=500k burst-limit=0 burst-threshold=0 burst-time=0s
7 name="cabal" parent=game packet-mark=cabal limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
8 name="bilyard" parent=game packet-mark=bilyard limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
9 name="atlantica" parent=game packet-mark=atlantica limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
10 name="winbox" parent=global-out limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
From the output above you can see that traffic other than games, named warnet, is limited to just 400kb. And in queue types it is limited with a 400kbps PCQ.
Proxy HITs, on the other hand, are kept separate from the other traffic, because Cache HITs are made unlimited.
On the proxy (Debian):
root@cache:~# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 192.168.150.0/28 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.150.0/28 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@cache:~#
In squid.conf, all that is configured is these few lines:
# to be picked up by the mikrotik mangle
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136
# standard proxy
http_port 3128 transparent
acl localnet src 192.168.150.0/28
http_access allow localnet
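The whole "unlimited cache hits" effect hinges on two values agreeing: Squid writes the TOS byte set by zph_local (0x30) onto hit responses, and the "Proxy HIT" mangle rule on the Mikrotik matches dscp=12. DSCP is the upper six bits of the TOS byte, so 0x30 >> 2 = 12; if either side is edited without the other, hits quietly fall back into the 400k warnet queue. The following is an added example, not the author's code or part of Squid or RouterOS: a Python check that reads the zph_* lines out of a squid.conf fragment and the dscp= matches out of a mangle print, and reports whether they line up. The config samples are copied from the post; the 0x38 mismatch case in the usage is constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input, copied from the post: the ZPH lines of squid.conf
# and the "Proxy HIT" mangle rules from the MikroTik export.
SQUID_CONF = """\
# to be picked up by the mikrotik mangle
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136
"""

MIKROTIK_MANGLE = """\
0 ;;; Proxy HIT
chain=postrouting action=mark-connection new-connection-mark=capt_proxy passthrough=yes dscp=12
1 chain=postrouting action=mark-connection new-connection-mark=capt_proxy passthrough=yes content=X-Cache: HIT
2 chain=postrouting action=mark-packet new-packet-mark=proxy passthrough=no connection-mark=capt_proxy
"""


def tos_to_dscp(tos: int) -> int:
    """DSCP is the upper six bits of the IPv4 TOS byte; the low two bits are ECN."""
    if not 0 <= tos <= 0xFF:
        raise ValueError(f"TOS byte out of range: {tos!r}")
    return tos >> 2


def dscp_to_tos(dscp: int) -> int:
    """Inverse of tos_to_dscp with ECN bits zero, which is what zph_local writes."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp!r}")
    return dscp << 2


def parse_squid_number(token: str) -> int:
    """squid.conf TOS values are usually written as 0x30; accept decimal as well."""
    token = token.strip()
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def squid_directive(conf: str, name: str) -> Optional[str]:
    """Value of the last uncommented `name value` line in conf, or None."""
    value = None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == name:
            value = parts[1].strip()
    return value


def mikrotik_dscp_matches(export: str) -> List[int]:
    """Every dscp=N match value that appears in a MikroTik mangle print/export."""
    return [int(n) for n in re.findall(r"\bdscp=(\d+)\b", export)]


def check_zph_marking(squid_conf: str, mangle_export: str) -> Dict:
    """Report whether Squid's hit marking and the MikroTik dscp= match agree."""
    mode = squid_directive(squid_conf, "zph_mode")
    local = squid_directive(squid_conf, "zph_local")
    result = {
        "zph_mode": mode,
        "zph_local": local,
        "expected_dscp": None,
        "mangle_dscp": mikrotik_dscp_matches(mangle_export),
        "consistent": False,
        "problems": [],
    }
    if mode != "tos":
        result["problems"].append(
            "zph_mode is not 'tos'; the MikroTik dscp= match will never see the hit marking")
    if local is None:
        result["problems"].append("zph_local is not set; hits leave Squid with TOS 0")
        return result
    tos = parse_squid_number(local)
    expected = tos_to_dscp(tos)
    result["expected_dscp"] = expected
    if tos & 0x3:
        result["problems"].append("zph_local sets ECN bits; only the top six bits reach dscp=")
    if expected not in result["mangle_dscp"]:
        result["problems"].append(
            f"no mangle rule matches dscp={expected}; hits will fall into the limited queue")
    result["consistent"] = mode == "tos" and expected in result["mangle_dscp"]
    return result


if __name__ == "__main__":
    for key, value in check_zph_marking(SQUID_CONF, MIKROTIK_MANGLE).items():
        print(f"{key}: {value}")
```

With the post's values the report comes back consistent with no problems; feeding it a constructed `zph_local 0x38` instead yields expected_dscp 14 and the "no mangle rule matches dscp=14" problem. Two practical notes: the dscp= match only works if nothing between the proxy's ether2 and the router rewrites the TOS byte, and the second mangle rule (content=X-Cache: HIT) is a Layer-7 fallback that only sees plaintext HTTP and costs CPU on a small board like the RB-750, so the DSCP rule should be the one doing the work.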
I have built this topology at many of our warnet customers, and it has become the standard at our ISP.
I have tried ClearOS, but since it has no ZPH, the result was not optimal. I tried upgrading its squid myself, but my Linux skills are still lacking :-D. A total failure...
The Linux OS I use is Debian 5, or any Linux distro whose squid already supports ZPH.
Source: http://wilferd2m3.wordpress.com/