海运的博客

之前有介绍Nfsen和Nfdump安装，本次记录下Nfsen端口查看插件PortTracker安装。
重编译Nfdump开启nftrack：

cd /usr/local/src/nfdump-1.6.6/
./configure --enable-nfprofile --enable-nftrack --with-rrdpath=/usr/bin
make
cp bin/nftrack /usr/local/bin/

新建PortTracker数据存放目录：

mkdir /usr/local/nfsen/ports-db
chown -R apache:apache /usr/local/nfsen/ports-db/

编辑PortTracker.pm修改$PORTSDBDIR目录：

vim /usr/local/src/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm
my $PORTSDBDIR = "/usr/local/nfsen/ports-db";

复制PortTracker插件至相应目录：

cp PortTracker.pm /usr/local/nfsen/plugins/
cp PortTracker.php /var/www/html/nfsen/plugins/

修改Nfsen配置文件添加插件信息：

vim /usr/local/nfsen/etc/nfsen.conf 
#https://www.haiyun.me
@plugins = (
[ 'live',   'PortTracker'], 
);

生成PortTracker数据：

sudo -u apache nftrack -I -d /usr/local/nfsen/ports-db/

重新加载Nfsen：

/usr/local/nfsen/bin/nfsen reload

等5分钟左右访问Nfsen界面选择Plugins即可看到相应信息：

Nfdump是linux下netflow数据采集分析工具，Nfsen是基于nfdump是web界面工具，服务器需先安装web服务器和php环境。
安装rrdtool及所需组件：

yum install perl-rrdtool rrdtool rrdtool-devel rrdutils flex byacc

安装所需perl模块：

yum install perl-Socket6 perl-MailTools perl-Mail-Sender

安装Nfdump工具：

cd /usr/local/src/
wget http://downloads.sourceforge.net/project/nfdump/stable/nfdump-1.6.6/nfdump-1.6.6.tar.gz
tar zxvf nfdump-1.6.6.tar.gz 
cd nfdump-1.6.6/
./configure --enable-nfprofile --with-rrdpath=/usr/bin
make
make install
cd ../

下载配置Nfsen：

mkdir -p /usr/local/nfsen
wget http://downloads.sourceforge.net/project/nfsen/stable/nfsen-1.3.6p1/nfsen-1.3.6p1.tar.gz
tar zxvf nfsen-1.3.6p1.tar.gz 
cd nfsen-1.3.6p1/
cp etc/nfsen-dist.conf etc/nfsen.conf

修改Nfsen配置文件：

cat etc/nfsen.conf
#https://www.haiyun.me
$BASEDIR = "/usr/local/nfsen";
$HTMLDIR    = "/var/www/html/nfsen/";
$USER    = "apache";
$WWWUSER  = "apache";
$WWWGROUP = "apache";
%sources = (
    'upstream1'    => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
);

安装Nfsen：

./install.pl etc/nfsen.conf 

启动Nfsen：

/usr/local/nfsen/bin/nfsen start

配置路由或交换机将netflow数据发送到nfsen配置的端口，然后访问www.haiyun.me/nfsen/nfsen.php即可通过Nfsen浏览netflow数据。

ROS配置Hotspot允许radius验证：

ip hotspot profile set hsprof use-radius=yes

添加radius客户端：

radius add service=hotspot address=192.168.1.1 secret=onovps

ROS增加user-manger用户：

tool user-manager customer add login="onovps" password="onovps" permissions=owner

增加radius验证客户：

tool user-manager router add name=Hotspot ip-address=192.168.1.1 shared-secret=123456 customer=onovps

添加用户组规则：

tool user-manager profile add name=hotspot owner=onovps

添加验证用户：

tool user-manager user add name=user password=passwd customer=onovps

也可通过Web界面www.haiyun.me/userman登录user-manager进行设置。

HotSpot是一种通过Web网页认证访问网络的方法，用户可以使网页浏览器通过HTTP快速接入网络。
ROS开启HotSpot通过以下几个步骤：
1.配置用户IP地址池：

#https://www.haiyun.me
ip pool add name=hotspot ranges=192.168.1.2-192.168.1.254

2.添加认证用户组规则：

ip hotspot user profile add name=hotspot address-pool=hotspot shared-users=1 idle-timeout=00:10 rate-limit=128k/1024k

3.添加认证用户和密码：

ip hotspot user add name=hotspot profile=hotspot server=all user=user password=passwd

4.配置服务器规则：

ip hotspot profile add name=hotspot login-by=http-chap hotspot-address=192.168.1.1 

5.新增并开启HotSpot服务：

ip hotspot add name=hotspot profile=hotspot interface=br-lan disabled=no 

然后通过ROS访问外网浏览器会自动转向hotspot认证页面：

单线ADSL带宽4M，线路损耗后实际速度3.5M左右，上传350k左右，由于ADSL满速下载、上传速度会变慢，配置ROS最高上传、下载不得超过总带宽90%，QOS配置如下：
首先分类标记上传、下载数据：

#https://www.haiyun.me
/ip firewall mangle
#小数据
add chain=prerouting action=mark-connection new-connection-mark=Small-conn passthrough=yes protocol=icmp comment=Small
add chain=prerouting action=mark-connection new-connection-mark=Small-conn passthrough=yes protocol=udp dst-port=53
add chain=postrouting action=mark-connection new-connection-mark=Small-conn passthrough=yes protocol=udp dst-port=53
add chain=prerouting action=mark-connection new-connection-mark=Small-conn passthrough=yes protocol=udp dst-port=123
add chain=postrouting action=mark-packet new-packet-mark=Small-up passthrough=no out-interface=pppoe-out1 connection-mark=Small-conn 
add chain=prerouting action=mark-packet new-packet-mark=Small-up passthrough=no in-interface=bridge-local connection-mark=Small-conn 
add chain=prerouting action=mark-packet new-packet-mark=Small-down passthrough=no in-interface=pppoe-out1 connection-mark=Small-conn 
#SSH及VPN
add chain=prerouting action=mark-connection new-connection-mark=SSH-conn passthrough=yes protocol=tcp dst-port=22 comment=SSH
add chain=prerouting action=mark-connection new-connection-mark=SSH-conn passthrough=yes protocol=tcp dst-port=23
add chain=prerouting action=mark-packet new-packet-mark=SSH-up passthrough=no in-interface=bridge-local connection-mark=SSH-conn 
add chain=prerouting action=mark-packet new-packet-mark=SSH-down passthrough=no in-interface=pppoe-out1 connection-mark=SSH-conn 
#网页数据
add chain=prerouting action=mark-connection new-connection-mark=HTTP-conn passthrough=yes protocol=tcp dst-port=80 comment=HTTP
add chain=prerouting action=mark-connection new-connection-mark=HTTP-conn passthrough=yes protocol=tcp dst-port=443
add chain=prerouting action=mark-packet new-packet-mark=HTTP-up passthrough=no in-interface=bridge-local connection-mark=HTTP-conn 
add chain=prerouting action=mark-packet new-packet-mark=HTTP-down passthrough=no in-interface=pppoe-out1 connection-mark=HTTP-conn 
#其它
add chain=prerouting action=mark-connection new-connection-mark=Other-conn passthrough=yes comment=Other
add chain=prerouting action=mark-packet new-packet-mark=Other-up passthrough=no in-interface=bridge-local connection-mark=Other-conn 
add chain=prerouting action=mark-packet new-packet-mark=Other-down passthrough=no in-interface=pppoe-out1 connection-mark=Other-conn

新建队列类型为PCQ：

#pcq-rate为每个了数据流最大速度，0为按数据流数公平分配带宽，pcq-limit为每一数据流队列长度；
#pcq-total-limit不能小于内网主机数*pcq-limit。
/queue type 
add name="Small-down" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000 
add name="Small-up" kind=pcq pcq-rate=50k pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000 
add name="SSH-down" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000 
add name="SSH-up" kind=pcq pcq-rate=50k pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000 
add name="HTTP-down" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000 
add name="HTTP-up" kind=pcq pcq-rate=80k pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000 
add name="Other-down" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000 
add name="Other-up" kind=pcq pcq-rate=30k pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000 

添加队列树调用之前标记的数据包设置优先级，队列类型设置为之前新建的PCQ类型。

/queue tree
add name="Parent-up" parent=global-out limit-at=330k max-limit=330k
add name="Parent-down" parent=global-in limit-at=3300k max-limit=3300k
add name=Small-up parent=Parent-up packet-mark=Small-up limit-at=70k max-limit=150k queue=Small-up priority=1
add name=Small-down parent=Parent-down packet-mark=Small-down limit-at=500k max-limit=1000k queue=Small-down priority=1
add name=SSH-up parent=Parent-up packet-mark=SSH-up limit-at=70k max-limit=200k queue=SSH-up priority=2
add name=SSH-down parent=Parent-down packet-mark=SSH-down limit-at=500k max-limit=1000k queue=SSH-down priority=2
add name=HTTP-up parent=Parent-up packet-mark=HTTP-up limit-at=150k max-limit=200k queue=HTTP-up priority=3
add name=HTTP-down parent=Parent-down packet-mark=HTTP-down limit-at=2000k max-limit=3000k queue=HTTP-down priority=3
add name=Other-up parent=Parent-up packet-mark=Other-up limit-at=20k max-limit=80k queue=Other-up priority=4
add name=Other-down parent=Parent-down packet-mark=Other-down limit-at=200k max-limit=2000k queue=Other-down priority=4

ROS路由设置HTB+PCQ流量控制的一些注意事项：

1.WAN限制上传，按源地址分组；LAN限制下载，按目标地址分组；
2.passthrough是否继续向下匹配此链接，选择yes会向下匹配，下面规则如有匹配标记会改变；
3.在HTB首先满足Limit At，在父级有剩余带宽的前提下才会Max Limit，优先级高的队列优先获得Max Limit；
4.mark-connection的数据包是双向的，然后通过mark-pack区分上传和下载；
5.global-in在DNAT后，global-out在SNAT前，分别可匹配目标地址和源地址。

ROS数据包流程图：