Mangle 和htb 的parents原則?
本帖最后由 txwwy 于 2011-6-20 17:04 编辑從http://forum.mikrotik.com/viewtopic.php?f=2&t=28339
可以發現 mangle有分
(1)Mangle preroute
(2)HTB Glob-in
(3)Mangle forward
(4)Mangle postroute
(5)HTB glob-out
(6)interface
WAN←global-out ←forward ←global-in←LAN
WAN→global-in →forward→global-out →LAN
A.也就是說
/ip firewall mangle
add chain=forward action=mark-connection new-connection-mark=icmp proto=icmp_conn passthrougt=yes
add chain=forward action=mark-packet new-packet=icmp connection-mark=icmp_conn passthrougt=no
同時標記了所有interface中的 icmp,同時作用在WAN和LAN
(1)parent=WAN
/queue tree
add name="icmp-priority" parent=WAN packet-mark=icmp limit-at=28000 queue=default priority=2 max-limit=120000 burst-limit=0 burst-threshold=0 burst-time=0s
則限制了WAN的所有icmp封包 120000bit?
- 不管是要進去或是出去?
(2)parent=global-in
/queue tree
add name="icmp-priority" parent=global-in packet-mark=icmp limit-at=28000 queue=default priority=2 max-limit=120000 burst-limit=0 burst-threshold=0 burst-time=0s
則限制了所有網卡進入router的封包
-WAN進入只能120000bit
-Lan進入也只能120000bit?
(3)parent=global-out
/queue tree
add name="icmp-priority" parent=global-out packet-mark=icmp limit-at=28000 queue=default priority=2 max-limit=120000 burst-limit=0 burst-threshold=0 burst-time=0s
則限制了所有網卡出去router的封包
-WAN出去只能120000bit
-Lan出去也只能120000bit?
B.也就是說
/ip firewall mangle
add chain=forward action=mark-connection new-connection-mark=icmp proto=icmp_conn passthrougt=yes
add chain=forward action=mark-packet new-packet=icmp connection-mark=icmp_conn src-address=192.168.88.0/24 passthrougt=no
同時標記了所有interface中src-address=192.168.88.0/24 的icmp,同時作用在WAN和LAN
(1)parent=WAN
/queue tree
add name="icmp-priority" parent=WAN packet-mark=icmp limit-at=28000 queue=default priority=2 max-limit=120000 burst-limit=0 burst-threshold=0 burst-time=0s
則限制了wan進入的所有icmp封包且src-address=192.168.88.0/24120000bit
-問題是wan根本沒有從src-address=192.168.88.0/24進入的封包?!
-問題是wan根本沒有從src-address=192.168.88.0/24要出去的包?!(nat是否偽裝成了router IP?)
(2)parent=global-in
/queue tree
add name="icmp-priority" parent=global-in packet-mark=icmp limit-at=28000 queue=default priority=2 max-limit=120000 burst-limit=0 burst-threshold=0 burst-time=0s
則限制了所有網卡進入router的封包,WAN進入只能120000bit,Lan進入也只能120000bit?
-從WAN進入根本沒src-address=192.168.88.0/24的封包
-從LAN進入端則限制在120000bit(upload)
(3)parent=global-out
/queue tree
add name="icmp-priority" parent=global-out packet-mark=icmp limit-at=28000 queue=default priority=2 max-limit=120000 burst-limit=0 burst-threshold=0 burst-time=0s
則限制了所有網卡出去router的封包,WAN出去只能120000bit,Lan出去也只能120000bit?
-從WAN出去根本沒src-address=192.168.88.0/24的封包 ?(nat是否偽裝成了router IP?)
-從LAN出去端則限制在120000bit?
C.也就是說heavy_traffic_TCP
/ip firewall mangle
add chain=forward action=mark-connection new-connection-mark=heavy_traffic_conn connection-bytes=500000-0connection-rate=200k-100Mprotocol=tcp passthrough=yes
add chain=forward action=mark-packet new-packet-mark=heavy_traffic connection-mark=heavy_traffic_conn passthrough=no
同時標記了所有interface中的heavy_traffic_TCP,同時作用在WAN和LAN
(1)parent=WAN
/queue tree
add name="heavy_traffic" parent=WAN packet-mark=heavy_traffic limit-at=3M queue=default priority=8 max-limit=12M burst-limit=0 burst-threshold=0 burst-time=0s
則限制了WAN的所有heavy封包12M 不管是要進去或是出去?
-從WAN端要進入最高12M?
-從WAN端要出去最高12M?(upload)
(2)parent=global-in
/queue tree
add name="heavy_traffic" parent=WAN packet-mark=heavy_traffic limit-at=3M queue=default priority=8 max-limit=12M burst-limit=0 burst-threshold=0 burst-time=0s
則限制了所有網卡進入router的封包,WAN進入只能12Mbit,Lan進入也只能12Mbit?
-WAN端要進來最高12M?
-LAN端要進來最高12M?(upload)
(3)parent=global-out
/queue tree
add name="heavy_traffic" parent=WAN packet-mark=heavy_traffic limit-at=3M queue=default priority=8 max-limit=12M burst-limit=0 burst-threshold=0 burst-time=0s
則限制了所有網卡出去router的封包,WAN出去只能12Mbit,Lan出去也只能12Mbit?
- WAN端要出去12M? (upload)
-LAN端要出去12M?
D.講更明白點簡單...
有WAN和LAN,分別三種封包 icmp.heavy.other.我要對上傳和下載parents=global-in or out限速到底要怎用標記呢?
评分的时候打了很多字结果显示不出来,在这里重新说说一下
不知道论坛有多人认真看过整个帖子,其中的对错先不讨论,我们现在只讨论台湾朋友的认真态度、思考的程度、然后反思国内坛友的种种行为,懂不懂就跪求之类的,从不用心思考!!我只能感慨台湾的教育确实比大陆先进了1大节!!!所以给楼主评了个最高分30分 看起来头疼 占座有空细看 路过,做个记号,回头看看…… 好多的问题,实践检验真理,
global-in/out is regard the tatal limitation. than youneed to mark , like icmp paket in mangle , than the mark use in the leef trees
粗略看了一下,就发现有点问题,如果用forward chain标记packet,htb的parent选择global-in是没有流量的,只有prerouting chain标记的packet才能用global-in来做parent,其他的没认真往下看,头疼。。。 看着就头晕
页:
[1]