Using Mikrotik, we can redirect HTTP traffic to SQUID proxy Server, We can also control user bandwidth, but its a good idea to deliver the already cached content to user at full lan speed, that’s why we setup cache server for, to save bandwidth and have fast browsing experience , right :p , So how can we do it in mikrotik that cache content should be delivered to users at unlimited speed, no queue on cache content. Here we go.
By using ZPH directives , we will mark cache content, so that it can later pick by Mikrotik.
Basic requirement is that Squid must be running in transparent mode, can be done via iptables and squid.conf directives.
I am using UBUNTU squid 2.7 , (in ubuntu , apt-get install squid will install squid 2.7 by default which is gr8 for our work)
Add these lines in SQUID.CONF
#=============================================================================== #ZPH for SQUID 2.7 (Default in ubuntu 10.4) / Syed Jahanzaib email@example.com #=============================================================================== tcp_outgoing_tos 0x30 lanuser [lanuser is ACL for local network, change it to match your's] zph_mode tos zph_local 0x30 zph_parent 0 zph_option 136
Use following if you have squid 3.1.19
#====================================================== #ZPH for SQUID 3.1.19 (Default in ubuntu 12.4) / Syed Jahanzaib firstname.lastname@example.org #====================================================== # ZPH for Squid 3.1.19 qos_flows local-hit=0x30
That’s it for SQUID, Now moving on to Mikrotik box ,
Add following rules,
# Marking packets with DSCP (for MT 5.x) for cache hit content coming from SQUID Proxy
/ip firewall mangle add action=mark-packet chain=prerouting disabled=no dscp=12 new-packet-mark=proxy-hit passthrough=no comment="Mark Cache Hit Packets / email@example.com" /queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=pmark packet-mark=proxy-hit parent=global-out priority=8 queue=default
# Marking packets with DSCP (for MT 6.x) for cache hit content coming from SQUID Proxy
/ip firewall mangle add action=mark-packet chain=prerouting comment="MARK_CACHE_HIT_FROM_PROXY_ZAIB" disabled=no dscp=12 new-packet-mark=proxy passthrough=no /queue simple add max-limit=100M/100M name="ZPH-Proxy Cache Hit Simple Queue / Syed Jahanzaib >firstname.lastname@example.org" packet-marks=zph-hit priority=1/1 target="" total-priority=1
# If above queue tree donot work with ROS 6.x then try adding simple queue and move it on TOP in simple QUEUE section,
Now every packet which is marked by SQUID CACHE_HIT, will be delivered to user at Full lan speed, rest of traffic will be restricted by user Queue.
the above config is fully tested with UBUNTU SQUID 2.7 and FEDORA 10 with LUSCA
Make sure your squid is marking TOS for cache hit packets. You can check it via TCPDUMP
tcpdump -vni eth0 | grep ‘tos 0×30′
(eht0 = LAN connected interface)
Can you see something like ???
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:25:07.961722 IP (tos 0×30, ttl 64, id 45167, offset 0, flags [DF], proto TCP (6), length 409)
20:25:07.962059 IP (tos 0×30, ttl 64, id 45168, offset 0, flags [DF], proto TCP (6), length 1480)
192 packets captured
195 packets received by filter
0 packets dropped by kernel