Lao Mao's Diary
ROS Setup Notes

2010-04-24 20:50:09 | Category: Default

Jotting things down as I think of them.

1. Close ports: IP -> Services. Change the SSH port from 22 to something else and disable ports 21, 23 and the like. Set winbox and www so they are reachable only from the LAN; if they are allowed from the Internet I worry about malicious attacks. Yesterday, right after installation, two IPs kept attacking. To manage the router from outside, connect to the VPN first, get an internal IP, and then use winbox.

winbox seems to rely on the www service: if port 80 is closed, winbox cannot connect. You can move www to another port, e.g. 80 to 8080, and change the winbox port to 8290 or similar. After the change, append :newport to the IP address when connecting with winbox, e.g. 192.168.100.1:8290

Terminal command to check the services: [admin@MikroTik] > ip service print
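The check behind step 1 can be automated. The following is an added example (not code from the original post, and not a MikroTik tool): it parses the table printed by `ip service print` and flags services that are still enabled on their default port, reachable from any address, or plaintext (telnet, ftp). The sample output is constructed to mimic the RouterOS 3.x table layout; the column order and the `X` disabled flag follow RouterOS conventions, but an actual router may print the ADDRESS column empty when no restriction is set, which the parser treats the same as 0.0.0.0/0. The winbox default port 8291 is not on the page and is assumed from RouterOS documentation.

```python
import re

# Constructed sample of "/ip service print" output (not taken from the page).
# "X" in the flags column marks a disabled service.
SAMPLE_OUTPUT = """\
Flags: X - disabled, I - invalid
 #   NAME      PORT ADDRESS
 0   telnet    23   0.0.0.0/0
 1 X ftp       21   0.0.0.0/0
 2   www       8080 192.168.100.0/24
 3   ssh       22   0.0.0.0/0
 4   winbox    8290 192.168.100.0/24
"""

# Default ports: ssh/www/telnet/ftp from the page, winbox 8291 assumed from RouterOS docs.
DEFAULT_PORTS = {"ssh": 22, "www": 80, "winbox": 8291, "telnet": 23, "ftp": 21}
PLAINTEXT_SERVICES = {"telnet", "ftp"}

# index, optional flag letters, service name, port, optional address list
ROW = re.compile(r"^\s*(\d+)\s+(?:([XI]+)\s+)?([a-z-]+)\s+(\d+)(?:\s+([\d./,]+))?")


def parse_services(text):
    """Turn the printed table into a list of dicts; header lines are skipped."""
    services = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _idx, flags, name, port, address = m.groups()
        services.append({
            "name": name,
            "port": int(port),
            "address": address,          # None when the column is empty
            "flags": flags or "",
        })
    return services


def is_unrestricted(address):
    """True when no address restriction exists or it includes 0.0.0.0/0."""
    if address is None:
        return True
    return "0.0.0.0/0" in address.split(",")


def audit_services(text):
    """Return human-readable findings for enabled services that need attention."""
    findings = []
    for svc in parse_services(text):
        if "X" in svc["flags"]:
            continue  # disabled: nothing exposed
        name = svc["name"]
        if name in PLAINTEXT_SERVICES:
            findings.append(f"{name}: plaintext management service is enabled; disable it")
        if is_unrestricted(svc["address"]):
            findings.append(f"{name}: reachable from any address; restrict it to the LAN or VPN subnet")
        if DEFAULT_PORTS.get(name) == svc["port"]:
            findings.append(f"{name}: still on default port {svc['port']}")
    return findings


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_OUTPUT):
        print(finding)
```

Paste the real output of `ip service print` in place of the constructed sample; a clean result is an empty list.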

2. Internet access through NAT

NAT: action masquerade, chain srcnat, and that's it.


 

3. Allow a VPN client to reach only one LAN PC

/ip firewall filter
add chain=forward action=drop src-address=<VPN client IP> dst-address=!<LAN PC IP>

(Replace the two bracketed placeholders with the real addresses.)

The ! in front of the LAN IP means "not": the VPN client is blocked from reaching any machine other than that IP.

4. Using an IP pool

Hands out non-fixed IPs automatically to multiple clients; handy when addresses are scarce, and easier to configure too.

IP -> Pool -> +, give it a name such as vpnIP and an address range such as 192.168.100.10-192.168.100.20; from then on each VPN client gets one address from that range automatically.


PPP -> Profile: open the profile you are using and set Remote Address to vpnIP


PPP -> Secrets: leave the remote address empty. Done.


 

5. Rate-limit script for 3.2

[reposted]

In 3.0 scripts the IP address range must be wrapped in double quotes "; that seems to be the only difference from 2.9.7.

Fixed rate limit:
:for tsz from=2 to=253 do={/queue simple add name=("tsz" . $tsz) dst-address=("192.168.0." . $tsz) limit-at=256000/128000 interface=all  max-limit=1000000/256000}


Dynamic (burst) rate limit:
:for tsz from=71 to=75 do={/queue simple add name=("tsz" . $tsz) dst-address=("192.168.0." . $tsz) limit-at=256000/128000 interface=all  max-limit=1000000/256000 burst-limit=2000000/512000 burst-threshold=1000000/256000 burst-time=10s/10s}

 

Applying the script: System -> Scripts, + name -> Run. Check whether it worked under Queues -> Simple Queues.

6. Ports and protocols the firewall must allow for the IPsec VPN

 a. protocol 50, IPsec-ESP

 b. UDP ports 1701 and 500

With these three open, VPN clients from the Internet can connect; everything else can be dropped.

[admin@MikroTik] /ip firewall filter>print

38   ;;; disable all other connect
     chain=input action=drop

7. Notes on burst

[excerpt]

http://www.mikrotik.com/testdocs/ros/3.0/qos/queue.php

Bursts

limit-at : stable rate
max-limit : maximum rate

Bursts are used to allow higher data rates for a short period of time. Every 1/16 part of the burst-time, the router calculates the average data rate of each class over the last burst-time seconds. If this average data rate is less than burst-threshold, burst is enabled and the effective rate limit (transition to the red state) is set to burst-limit bps, otherwise the effective maximal limit falls to max-limit.

Burst rates allow very high data rates for a short time. Every second (it should really be every 1/16 of the configured burst-time) the router calculates the average rate over the previous period (burst-time). If the average rate is below the configured threshold (burst-threshold), the burst rate (burst-limit) is allowed; otherwise it drops back to the stable rate or the maximum rate.

Let us consider the following setup: max-limit=256000, burst-time=8, burst-threshold=192000 and burst-limit=512000. When a user is starting to download a file via HTTP, we can observe such situation:

At the beginning the average data rate over the past 8 seconds is 0bps because no traffic has passed through this rule before it has been created. Since this average data rate is less than burst-threshold (192kbps), burst is allowed. After the first second, the average data rate is (0+0+0+0+0+0+0+512)/8=64kbps, which is less than burst-threshold. After the second second, average data rate is (0+0+0+0+0+0+512+512)/8=128kbps. After the third second comes the breakpoint when the average data rate becomes larger than burst-threshold. At this moment burst is disabled and the effective data rate limitation falls down to max-limit (256kbps).

Suppose we set the maximum rate (max-limit) to 256k, the period (burst-time) to 8 seconds, the threshold to 192k and the burst rate (burst-limit) to 512k. When a user downloads a file we observe:
At the start the rate over the previous 8 seconds is 0, below the threshold of 192, so the burst rate of 512 is allowed;
after 1 second, the average over the previous 8 seconds is (0+0+0+0+0+0+0+512)/8=64, still below the threshold of 192, so the burst rate of 512 continues;
after 2 seconds, the average over the previous 8 seconds is (0+0+0+0+0+0+512+512)/8=128;
after 3 seconds, the average is recalculated as (0+0+0+0+0+512+512+512)/8=192, which reaches the threshold of 192, so
from the third second on this user is no longer allowed the burst rate and gets only the permitted maximum rate, i.e. 256kbps

 

Note how the burst-time was used. The actual duration of burst does not depend of burst-time alone! It also depends on the burst-threshold/burst-limit ratio and the actual data rate passing through the bursty class. In this example the burst ratio was 192000/512000=3/8, the time was 8, and the queue has been trying to utilize all available rate the class was providing, so the burst was 3 seconds long.

Now you can easily see why the burst-threshold should be between limit-at and max-limit for normal operation. If you specify burst-threshold higher than max-limit, then the average rate will tend to burst-threshold, but the effective maximal limit will jump between max-limit and burst-limit constantly (depending on the actual traffic rate, it may happen even on each evaluation point (1/16th of burst-time)).

It is now obvious why the threshold should lie between the stable rate and the maximum rate.
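The doc excerpt above describes the burst decision in words and walks one case by hand. The following is an added example (my own code, not MikroTik's and not from the original post) that replays that decision in software: a sliding window of the actual rate over the last burst-time seconds, re-evaluated every 1/16 of burst-time, with the effective limit switching to burst-limit while the average is below burst-threshold and to max-limit otherwise. Run on the excerpt's parameters (max-limit 256000, burst-limit 512000, burst-threshold 192000, burst-time 8) it reproduces the 3-second burst; run with a burst-threshold above max-limit it shows the constant jumping between the two limits that the excerpt warns about. The assumption that the client saturates whatever limit it is given (`demand = inf`) matches the excerpt's HTTP download.

```python
from collections import deque

EVALS_PER_BURST_TIME = 16  # the router re-evaluates every 1/16 of burst-time


def simulate_burst(max_limit, burst_limit, burst_threshold, burst_time, demand, duration):
    """Replay the burst decision from the doc excerpt.

    Rates are in bps, times in seconds.  ``demand`` is how fast the client
    would send if unlimited (float('inf') models a saturating download).
    Returns one (time, average_rate, effective_limit, actual_rate) tuple per
    evaluation point.
    """
    step = burst_time / EVALS_PER_BURST_TIME
    # Actual rates seen over the last burst-time seconds; starts empty (all zero),
    # which is why a fresh rule always begins in burst.
    window = deque([0.0] * EVALS_PER_BURST_TIME, maxlen=EVALS_PER_BURST_TIME)
    trace = []
    for i in range(int(round(duration / step))):
        t = i * step
        average = sum(window) / len(window)
        # Below the threshold the class may run at burst-limit, otherwise max-limit.
        effective = burst_limit if average < burst_threshold else max_limit
        actual = min(demand, effective)
        trace.append((t, average, effective, actual))
        window.append(actual)
    return trace


def initial_burst_seconds(trace, burst_limit):
    """How long the class stayed at burst-limit from t=0 before the first drop."""
    step = trace[1][0] - trace[0][0]
    seconds = 0.0
    for _t, _avg, effective, _actual in trace:
        if effective != burst_limit:
            break
        seconds += step
    return seconds


def limit_transitions(trace):
    """Number of times the effective limit changed value during the trace."""
    return sum(1 for prev, cur in zip(trace, trace[1:]) if prev[2] != cur[2])


if __name__ == "__main__":
    inf = float("inf")
    doc = simulate_burst(256000, 512000, 192000, 8, inf, 40)
    print("burst lasted", initial_burst_seconds(doc, 512000), "s")
    for t, avg, eff, actual in doc[:10]:
        print(f"t={t:4.1f}s avg={avg:8.0f} limit={eff} actual={actual}")
    # Misconfiguration from the excerpt: threshold above max-limit keeps toggling.
    bad = simulate_burst(256000, 512000, 300000, 8, inf, 40)
    print("limit changes with threshold > max-limit:", limit_transitions(bad))
```

The burst ends at 3 s because 6 evaluation points of 512 kbps out of 16 give an average of exactly 192 kbps, i.e. burst-threshold/burst-limit = 3/8 of burst-time, which is the ratio the excerpt points out. A client whose demand never exceeds the threshold stays in burst indefinitely, which is the intended behaviour.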

 
