Copy of 19763026 Tutorial Mikrotik Komplet



Page 1: Copy of 19763026 Tutorial Mikrotik Komplet

Tutorial: step-by-step MikroTik setup

MikroTik RouterOS™ is a Linux-based operating system that turns a PC into a reliable network router. It covers a wide range of features built for IP networks and wireless networks, and is well suited to ISPs and hotspot providers.

Its features are as follows:

* Firewall and NAT - stateful packet filtering; Peer-to-Peer protocol filtering; source and destination NAT; classification by source MAC, IP addresses (networks or a list of networks) and address types, port range, IP protocols, protocol options (ICMP type, TCP flags and MSS), interfaces, internal packet and connection marks, ToS (DSCP) byte, content, matching sequence/frequency, packet size, time and more...

* Routing - Static routing; Equal cost multi-path routing; Policy based routing (classification done in firewall); RIP v1 / v2, OSPF v2, BGP v4

* Data Rate Management - Hierarchical HTB QoS system with bursts; per IP / protocol / subnet / port / firewall mark; PCQ, RED, SFQ, FIFO queue; CIR, MIR, contention ratios, dynamic client rate equalizing (PCQ), bursts, Peer-to-Peer protocol limitation

* HotSpot - HotSpot Gateway with RADIUS authentication and accounting; true Plug-and-Play access for network users; data rate limitation; differentiated firewall; traffic quota; real-time status information; walled-garden; customized HTML login pages; iPass support; SSL secure authentication; advertisement support

* Point-to-Point tunneling protocols - PPTP, PPPoE and L2TP Access Concentrators and clients; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; MPPE encryption; compression for PPPoE; data rate limitation; differentiated firewall; PPPoE dial on demand

* Simple tunnels - IPIP tunnels, EoIP (Ethernet over IP)

* IPsec - IP security AH and ESP protocols; MODP Diffie-Hellman groups 1,2,5; MD5 and SHA1 hashing algorithms; DES, 3DES, AES-128, AES-192, AES-256 encryption algorithms; Perfect Forward Secrecy (PFS) MODP groups 1,2,5

* Proxy - FTP and HTTP caching proxy server; HTTPS proxy; transparent DNS and HTTP proxying; SOCKS protocol support; DNS static entries; support for caching on a separate drive; access control lists; caching lists; parent proxy support

* DHCP - DHCP server per interface; DHCP relay; DHCP client; multiple DHCP networks; static and dynamic DHCP leases; RADIUS support

* VRRP - VRRP protocol for high availability

* UPnP - Universal Plug-and-Play support

* NTP - Network Time Protocol server and client; synchronization with GPS system


* Monitoring/Accounting - IP traffic accounting, firewall actions logging, statistics graphs accessible via HTTP

* SNMP - read-only access

* M3P - MikroTik Packet Packer Protocol for Wireless links and Ethernet

* MNDP - MikroTik Neighbor Discovery Protocol; also supports Cisco Discovery Protocol (CDP)

* Tools - ping; traceroute; bandwidth test; ping flood; telnet; SSH; packet sniffer; Dynamic DNS update tool

Layer 2 connectivity

* Wireless - IEEE802.11a/b/g wireless client and access point (AP) modes; Nstreme and Nstreme2 proprietary protocols; Wireless Distribution System (WDS) support; virtual AP; 40 and 104 bit WEP; WPA pre-shared key authentication; access control list; authentication with RADIUS server; roaming (for wireless client); AP bridging

* Bridge - spanning tree protocol; multiple bridge interfaces; bridge firewalling, MAC

* VLAN - IEEE802.1q Virtual LAN support on Ethernet and wireless links; multiple VLANs; VLAN bridging

* Synchronous - V.35, V.24, E1/T1, X.21, DS3 (T3) media types; sync-PPP, Cisco HDLC, Frame Relay line protocols; ANSI-617d (ANDI or annex D) and Q933a (CCITT or annex A) Frame Relay LMI types

* Asynchronous - serial PPP dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; onboard serial ports; modem pool with up to 128 ports; dial on demand

* ISDN - ISDN dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; 128K bundle support; Cisco HDLC, x75i, x75ui, x75bui line protocols; dial on demand

* SDSL - Single-line DSL support; line termination and network termination modes

Installation can be done on a standard PC. A PC that will become a MikroTik router does not need much in the way of resources for standard use, for example as a gateway only. The minimum specification is:

* CPU and motherboard - anything from a P1 up to a P4, AMD or Cyrix, as long as it is not a multi-processor board

* RAM - minimum 32 MiB, maximum 1 GiB; 64 MiB or more is strongly recommended, and if the box will also act as a proxy, 1 GB is recommended. As a rule of thumb, 15 MB of memory is needed for every 1 GB of proxy cache.

* HDD - at least 128 MB parallel ATA or Compact Flash; USB flash drives and SCSI are not recommended, and SATA even less so

* NIC - 10/100 or 100/1000

For heavy loads (complex networks, complicated routing, and so on) choose PC resources that are adequate for the job.

More details are available at www.mikrotik.com.

Note that MikroTik is not free software: a licence must be bought for the facilities it provides. The free trial lasts only 24 hours.

The MikroTik software can be bought on a CD, to be installed on a hard disk, or on a disk-on-module (DOM). With a DOM there is nothing to install; the DOM is simply plugged into the IDE slot of the PC.

The following steps are the basic MikroTik setup for a simple network, with the router acting as gateway server.

1. The first step is to install MikroTik RouterOS on the PC, or fit the DOM.

2. Log in to the MikroTik router via the console:

MikroTik v2.9.7
Login: admin <enter>
Password: (leave empty) <enter>

At this point we are logged in to the MikroTik machine. The default user is admin with no password, so just type admin and press enter.

3. For security, change the default password:

[admin@Mikrotik] > password
old password: *****
new password: *****
retype new password: *****
[admin@Mikrotik] >

4. Rename the MikroTik router; in this step the router's name is changed to "Andre-Network" (the name is entirely up to you):

[admin@Mikrotik] > system identity set name=Andre-Network
[admin@Andre-Network] >

5. List the interfaces on the MikroTik router:

[admin@Andre-Network] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME      TYPE    RX-RATE  TX-RATE  MTU
  0  R ether1    ether   0        0        1500
  1  R ether2    ether   0        0        1500
[admin@Andre-Network] >

6. Assign IP addresses to the MikroTik interfaces. Say ether1 will be used for the Internet connection with IP 192.168.0.1, and ether2 for our local network with IP 172.16.0.1:

[admin@Andre-Network] > ip address add address=192.168.0.1 netmask=255.255.255.0 interface=ether1
[admin@Andre-Network] > ip address add address=172.16.0.1 netmask=255.255.255.0 interface=ether2

7. Check the IP address configuration just entered:

[admin@Andre-Network] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS          NETWORK       BROADCAST      INTERFACE
  0   192.168.0.1/24   192.168.0.0   192.168.0.63   ether1
  1   172.16.0.1/24    172.16.0.0    172.16.0.255   ether2
[admin@Andre-Network] >

8. Add the default gateway; the gateway for the Internet connection is assumed to be 192.168.0.254:

[admin@Andre-Network] > /ip route add gateway=192.168.0.254

9. Show the routing table on the MikroTik router:

[admin@Andre-Network] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
  #     DST-ADDRESS       PREFSRC       G GATEWAY         DISTANCE  INTERFACE
  0 ADC 172.16.0.0/24     172.16.0.1                                ether2
  1 ADC 192.168.0.0/26    192.168.0.1                               ether1
  2 A S 0.0.0.0/0                       r 192.168.0.254             ether1
[admin@Andre-Network] >

10. Ping the gateway to confirm the configuration is correct:

[admin@Andre-Network] > ping 192.168.0.254
192.168.0.254 64 byte ping: ttl=64 time<1 ms
192.168.0.254 64 byte ping: ttl=64 time<1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
[admin@Andre-Network] >

11. Set up DNS on the MikroTik router:

[admin@Andre-Network] > ip dns set primary-dns=192.168.0.10 allow-remote-requests=no
[admin@Andre-Network] > ip dns set secondary-dns=192.168.0.11 allow-remote-requests=no

Keeping allow-remote-requests=no means the router will not answer DNS queries from other hosts, so it cannot be used as an open resolver from the Internet side; set it to yes only if LAN clients are meant to use the router as their DNS server.

12. Show the DNS configuration:

[admin@Andre-Network] > ip dns print
          primary-dns: 192.168.0.10
        secondary-dns: 192.168.0.11
allow-remote-requests: no
           cache-size: 2048KiB
        cache-max-ttl: 1w
           cache-used: 16KiB
[admin@Andre-Network] >

13. Test domain name resolution, for example by pinging a domain name:

[admin@Andre-Network] > ping yahoo.com
216.109.112.135 64 byte ping: ttl=48 time=250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 571/571.0/571 ms
[admin@Andre-Network] >

If the ping gets replies, the DNS settings are correct.

14. Set up masquerading. If MikroTik is to be used as the gateway server, masquerading is needed so that client computers on the network can reach the Internet:

[admin@Andre-Network] > ip firewall nat add action=masquerade out-interface=ether1 chain=srcnat
[admin@Andre-Network] >

15. Show the masquerading configuration:

[admin@Andre-Network] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
  0   chain=srcnat out-interface=ether1 action=masquerade
[admin@Andre-Network] >

After this step the connection can be checked from the local network, and if it works the MikroTik router has been installed as a gateway server. Once it is connected to the network, MikroTik can be managed with WinBox, which can be downloaded from Mikrotik.com or from our own MikroTik router.

For example, if the MikroTik router's IP address is 192.168.0.1, open http://192.168.0.1 in a browser and download WinBox from there. If clients are to obtain their IP addresses automatically, a DHCP server has to be set up on MikroTik. The steps are as follows:

1. Create an IP address pool:

/ip pool add name=dhcp-pool ranges=172.16.0.10-172.16.0.20

2. Add the DHCP network and the gateway that will be handed out to clients. In this example the network is 172.16.0.0/24 and the gateway 172.16.0.1:

/ip dhcp-server network add address=172.16.0.0/24 gateway=172.16.0.1

3. Add the DHCP server (in this example DHCP is applied on interface ether2):

/ip dhcp-server add interface=ether2 address-pool=dhcp-pool

4. Check the DHCP server status:

[admin@Andre-Network] > ip dhcp-server print
Flags: X - disabled, I - invalid
  #   NAME     INTERFACE   RELAY   ADDRESS-POOL   LEASE-TIME   ADD-ARP
  0 X dhcp1    ether2

The X flag shows that the DHCP server is not yet enabled, so it must be enabled first, in step 5.

5. Don't forget to enable the DHCP server:

/ip dhcp-server enable 0

Then check the dhcp-server again as in step 4; if the X flag is gone, it is active.

6. Test from a client:

c:\>ping www.yahoo.com

For bandwidth control, either simple queues or mangle can be used. Each per-computer queue targets a single host, so the target address takes a /32 mask:

[admin@Andre-Network] queue simple> add name=Komputer01 interface=ether2 target-address=172.16.0.1/32 max-limit=65536/131072
[admin@Andre-Network] queue simple> add name=Komputer02 interface=ether2 target-address=172.16.0.2/32 max-limit=65536/131072

and so on...

Full details are here:
http://www.mikrotik.com/docs/ros/2.9/root/queue
http://linux-ip.net/articles/Traffic.../overview.html
http://luxik.cdi.cz/~devik/qos/htb/
http://www.docum.org/docum.org/docs/

2 ISP IN 1 ROUTER WITH LOADBALANCING


/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="" \
    disabled=no
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 \
    comment="" disabled=no
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1 \
    comment="" disabled=no

The router has 2 upstream (WAN) interfaces with IP addresses 10.111.0.2/24 and 10.112.0.2/24, and a LAN interface named "Local" with IP address 192.168.0.1/24.

Mangle

/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
    disabled=no
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
    action=mark-connection new-connection-mark=even passthrough=yes comment="" \
    disabled=no
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no comment="" disabled=no

NAT

/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
    to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
    to-ports=0-65535 comment="" disabled=no

Routing

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd \
    comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even \
    comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 \
    comment="gateway for the router itself" disabled=no

1. Install from the MikroTik CD

a. Boot from the MikroTik CD.

b. Once it has booted (a Linux-based ISO), select the packages you need (if unsure, just tick them all).

c. Follow the prompts and press (Yes) (Yes).

After the restart, log in with login: admin, password: (empty).

Then just copy and paste the following:

BASIC
system identity set name=warnet.beenet
user set admin password=sukasukalu

ethernet
interface ethernet enable ether1
interface ethernet enable ether2
interface ethernet set ether1 name=intranet
interface ethernet set ether2 name=internet

IP ADDRESS
ip address add interface=internet address=XXXXX (from the ISP)
ip address add interface=intranet address=192.168.0.1/24

route
ip route add gateway=XXXXX (from the ISP)

dns
ip dns set primary-dns=XXXXX (from the ISP) secondary-dns=XXXXX (from the ISP)

standard NAT & firewall filter
ip firewall nat add action=masquerade chain=srcnat
ip firewall filter add chain=input connection-state=invalid action=drop
ip firewall filter add chain=input protocol=udp action=accept
ip firewall filter add chain=input protocol=icmp action=accept
ip firewall filter add chain=input in-interface=intranet action=accept
ip firewall filter add chain=input in-interface=internet action=accept

Note that the last rule accepts everything arriving on the internet interface, so this input chain only discards invalid packets; it does not restrict who can reach the router's own services from outside.

dhcp server
ip dhcp-server setup
dhcp server interface: intranet
dhcp address space: 192.168.0.0/24
gateway for dhcp network: 192.168.0.1
addresses to give out: 192.168.0.2-192.168.0.254
dns servers: XXXXX (from the ISP),XXXXX (from the ISP)
lease time: 3d

web proxy
ip web-proxy
set enabled=yes
set src-address=0.0.0.0
set port=8080
set hostname="proxy-apaaja"
set transparent-proxy=yes
set parent-proxy=0.0.0.0:0
set cache-administrator="silahkan.pannggil.operator"
set max-object-size=4096KiB
set cache-drive=system
set max-cache-size=unlimited
set max-ram-cache-size=unlimited

With src-address=0.0.0.0 the proxy listens on every interface, and the input chain above accepts all traffic from the internet interface, so port 8080 is reachable from outside; add an input rule dropping dst-port=8080 on in-interface=internet (or a proxy access list) unless an open proxy is intended.

redirect ports to the transparent proxy
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=8080

PCQ
/ip firewall mangle add chain=forward src-address=192.168.169.0/28 action=mark-connection new-connection-mark=client1-cm
/ip firewall mangle add connection-mark=client1-cm action=mark-packet new-packet-mark=client1-pm chain=forward
/queue type add name=downstream-pcq kind=pcq pcq-classifier=dst-address
/queue type add name=upstream-pcq kind=pcq pcq-classifier=src-address
/queue tree add parent=intranet queue=downstream-pcq packet-mark=client1-pm
/queue tree add parent=internet queue=upstream-pcq packet-mark=client1-pm

simple queue
queue simple add name=kbu-01 target-addresses=192.168.0.11
queue simple add name=kbu-02 target-addresses=192.168.0.12
queue simple add name=kbu-03 target-addresses=192.168.0.13
queue simple add name=kbu-04 target-addresses=192.168.0.14
queue simple add name=kbu-05 target-addresses=192.168.0.15
queue simple add name=kbu-06 target-addresses=192.168.0.16
queue simple add name=kbu-07 target-addresses=192.168.0.17
queue simple add name=kbu-08 target-addresses=192.168.0.18
queue simple add name=kbu-09 target-addresses=192.168.0.19
queue simple add name=kbu-10 target-addresses=192.168.0.20
queue simple add name=xbilling target-addresses=192.168.0.2

BLOCK SPAM
/ip firewall filter add chain=forward dst-port=135-139 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=135-139 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=593 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=4444 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=5554 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=9996 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=995-999 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=53 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=55 protocol=tcp action=drop

the best anti-ddos rule

/ip firewall filter
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input comment="Add ddos to adress list" \
    connection-limit=10,32 disabled=no protocol=tcp
add action=log chain=input comment="Log ddos" connection-limit=3,32 disabled=\
    no log-prefix="FILTER, DDOS DROPPED:" protocol=tcp src-address-list=\
    black_list
add action=tarpit chain=input comment="Tarpit ddos" connection-limit=3,32 \
    disabled=no protocol=tcp src-address-list=black_list

[toor@extreme] /ip firewall connection tracking> export
# mar/13/2009 17:42:47 by RouterOS 3.20
# software id = 4H1M-LTT
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
[toor@extreme] /ip firewall connection tracking>

/ip firewall filter add chain=forward protocol=tcp \
    tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr connection-limit=20,32 \
    limit=25,10 src-address-list=!Safe-List action=add-src-to-address-list \
    address-list=tcp-syn-violators address-list-timeout=3h

Anti-DDoS on MikroTik

• Prevention really is better than nothing at all. The same goes for the makeshift network where I earn my living: with very limited bandwidth it is an easy target for criminals and people who like to make mischief in cyberspace, and if that meagre bandwidth gets hit by a DDoS (if you don't know what DDoS is, go and google it...), especially from an attacker with plenty of bandwidth, the network here can be said to be completely dead. So if you don't have bandwidth on the scale of Google's and suddenly your Internet access becomes slow and sluggish and pings to the DNS time out, don't immediately blame the ISP you subscribe to; check your local network first!!!!!

Here are tips on how to avoid DDoS attacks, applied on the MikroTik router. It is not a 100% guarantee, but prevention is the best path rather than nothing at all...

Copy and paste the script below:

ip firewall filter add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=DDOS address-list-timeout=15s comment="" disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=DDOS address-list-timeout=15m comment="" disabled=no

ip firewall filter add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
ip firewall filter add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
ip firewall filter add chain=input connection-state=invalid action=drop comment="drop Paket Invalid" disabled=no

ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="Mendetek serangan Port Scaner" disabled=no
ip firewall filter add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="Bikin kejutan ke ip penyerang" disabled=no
ip firewall filter add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="Masukin ke karung Ip penyerang" disabled=no

ip firewall filter add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump chain ICMP" disabled=no
ip firewall filter add chain=input action=jump jump-target=services comment="jump chain service" disabled=no

ip firewall filter add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic" disabled=no

ip firewall filter add chain=input action=log log-prefix="Filter:" comment="Catat kegiatan penyerang" disabled=no

ip firewall filter add chain=input src-address=Subnet WAN action=accept comment="List Ip yang boleh akses ke router"
ip firewall filter add chain=input src-address=Subnet Lan action=accept
ip firewall filter add chain=input src-address=Subnet DMZ action=accept
ip firewall filter add chain=input action=drop comment="Blok Semua yang aneh2" disabled=no

ip firewall filter add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 dan limit utk 5pac/s" disabled=no
ip firewall filter add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 dan limit utk 5pac/s" disabled=no
ip firewall filter add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 dan limit for 5pac/s" disabled=no
ip firewall filter add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit utk 5pac/s" disabled=no
ip firewall filter add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit utk 5pac/s" disabled=no
ip firewall filter add chain=ICMP protocol=icmp action=drop comment="Blok semua yang aneh2" disabled=no

ip firewall filter add chain=forward protocol=icmp comment="Perbolehkan ping"
ip firewall filter add chain=forward protocol=udp comment="Perbolehkan ke udp"
ip firewall filter add chain=forward src-address=Subnet WAN action=accept comment="Akses hanya dari ip terdaftar"
ip firewall filter add chain=forward src-address=Subnet LAN action=accept
ip firewall filter add chain=forward src-address=Subnet DMZ action=accept
ip firewall filter add chain=forward action=drop comment="blok semua yang aneh2"
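To check how the input chain above behaves before loading it, here is an added Python model (not part of the original post) of how RouterOS walks a filter chain: the first matching rule decides, log does not terminate, and jump enters a user chain and comes back to the caller when that chain ends without a verdict. Rate-based matchers (limit=, connection-limit=, psd=) are not modelled, and the page's "Subnet WAN/LAN/DMZ" placeholders are replaced with constructed values.

```python
"""Model of RouterOS firewall filter evaluation for the input chain above."""
import ipaddress

# The page leaves "Subnet WAN/LAN/DMZ" as placeholders; these are constructed.
SUBNET_WAN = ipaddress.ip_network("203.0.113.0/29")
SUBNET_LAN = ipaddress.ip_network("192.168.0.0/24")
SUBNET_DMZ = ipaddress.ip_network("10.10.10.0/24")

# Reduced copy of the page's rule set, in the page's order; keys mirror the
# RouterOS parameter names. Rate limits, psd and the knock rules are left out.
RULES = [
    {"chain": "input", "connection-state": "established", "action": "accept"},
    {"chain": "input", "connection-state": "related", "action": "accept"},
    {"chain": "input", "connection-state": "invalid", "action": "drop"},
    {"chain": "input", "protocol": "icmp", "action": "jump", "jump-target": "ICMP"},
    # the page jumps to "services" but never defines that chain: an empty
    # chain simply returns, so this rule is a no-op
    {"chain": "input", "action": "jump", "jump-target": "services"},
    {"chain": "input", "dst-address-type": "broadcast", "action": "accept"},
    {"chain": "input", "action": "log", "log-prefix": "Filter:"},
    {"chain": "input", "src-address": SUBNET_WAN, "action": "accept"},
    {"chain": "input", "src-address": SUBNET_LAN, "action": "accept"},
    {"chain": "input", "src-address": SUBNET_DMZ, "action": "accept"},
    {"chain": "input", "action": "drop"},
    {"chain": "ICMP", "protocol": "icmp", "icmp-type": 0, "action": "accept"},
    {"chain": "ICMP", "protocol": "icmp", "icmp-type": 3, "action": "accept"},
    {"chain": "ICMP", "protocol": "icmp", "icmp-type": 8, "action": "accept"},
    {"chain": "ICMP", "protocol": "icmp", "icmp-type": 11, "action": "accept"},
    {"chain": "ICMP", "protocol": "icmp", "action": "drop"},
]

MATCHERS = ("protocol", "connection-state", "dst-address-type", "icmp-type", "src-address")


def matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    for key in MATCHERS:
        if key not in rule:
            continue
        if key == "src-address":
            if ipaddress.ip_address(pkt["src"]) not in rule[key]:
                return False
        elif pkt.get(key) != rule[key]:
            return False
    return True


def walk(chain, pkt, log):
    """Walk one chain; return 'accept'/'drop', or None if it ends undecided."""
    for rule in RULES:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        action = rule["action"]
        if action == "log":  # non-terminating: record and keep going
            log.append(f'{rule["log-prefix"]} src={pkt["src"]} proto={pkt["protocol"]}')
        elif action == "jump":
            verdict = walk(rule["jump-target"], pkt, log)
            if verdict is not None:
                return verdict  # the user chain decided
        else:
            return action
    return None


def evaluate(pkt, log=None):
    """Verdict for a packet entering the input chain. A built-in chain that
    ends without a terminating match accepts, which here can only happen if
    the page's final drop rule is removed."""
    verdict = walk("input", pkt, [] if log is None else log)
    return "accept" if verdict is None else verdict


if __name__ == "__main__":
    samples = [  # constructed packets
        {"src": "192.168.0.5", "protocol": "tcp", "connection-state": "new"},
        {"src": "192.168.0.5", "protocol": "tcp", "connection-state": "established"},
        {"src": "198.51.100.7", "protocol": "tcp", "connection-state": "new"},
        {"src": "198.51.100.7", "protocol": "icmp", "icmp-type": 8, "connection-state": "new"},
        {"src": "198.51.100.7", "protocol": "icmp", "icmp-type": 5, "connection-state": "new"},
    ]
    for pkt in samples:
        log = []
        print(evaluate(pkt, log), log)
```

Two things the walk makes visible: the log rule sits before the source-subnet accepts, so every new connection from the LAN is logged with the "Filter:" prefix, not only attackers; and the ICMP chain is entered before any source check, so echo requests are accepted from any address.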

Hope this is useful; if you run into the situation I described above, don't immediately blame the ISP you subscribe to...

1. First clear the routes: from WinBox choose IP > Routes and delete every gateway/route in there, all of them.

2. Clear the mangle rules too: /ip firewall mangle print, or from WinBox IP > Firewall > Mangle, then delete everything.

3. Clear the NAT rules as well: from WinBox IP > Firewall > NAT, then delete the contents.

4. Next follow the steps below; take it slowly and don't mistype; it is best to use Tab for auto-completion.

Brief explanation

There are 3 interfaces:

1. lokal = 192.168.100.254/24
2. isp = 202.182.54.74/30
3. fastnet = 118.137.79.0/24 (this is the value that keeps changing; only this one, the others stay as they are; change it from WinBox)

/ip address (enter)
add address=192.168.100.254/24 interface=lokal comment="ip trafik lan" disabled=no
add address=202.182.54.74/30 interface=isp comment="ip trafik indonesia" disabled=no
add address=118.137.79.0/24 interface=fastnet comment="ip trafik luar" disabled=no

/ip firewall nat (enter)
add chain=srcnat src-address=192.168.100.0/24 action=masquerade

/ip firewall mangle (enter)
add action=mark-connection chain=prerouting comment="" connection-state=new \
    disabled=no in-interface=lokal new-connection-mark=fastnet \
    dst-address-list=!nice passthrough=yes

add action=mark-routing chain=prerouting comment="" connection-mark=fastnet \
    disabled=no in-interface=lokal new-routing-mark=fastnet passthrough=no \
    dst-address-list=!nice

add action=mark-connection chain=prerouting comment="" connection-state=new \
    disabled=no in-interface=lokal new-connection-mark=isp \
    passthrough=yes

add action=mark-routing chain=prerouting comment="" connection-mark=isp \
    disabled=no in-interface=lokal new-routing-mark=isp passthrough=no

/ip route (enter)
add dst-address=0.0.0.0/0 gateway=118.137.79.1 scope=255 target-scope=10 comment="gateway traffic internasional" disabled=no
add dst-address=0.0.0.0/0 gateway=202.182.54.73 scope=255 target-scope=10 comment="gateway traffic IIX" routing-mark=isp disabled=no

Leave the simple queues as they are... careful now..

Don't forget to try it tonight, over a coffee and a Djarum Super.

Separating local and international bandwidth with MikroTik

May 16, 2008

Version 3

Changes from the previous version

1. Mangle is based on an address-list
2. Separation of Indonesian and overseas traffic is more accurate

Below is the network scenario with MikroTik as the router.

Figure 1. Network scenario

Explanation:

1. A MikroTik router with 2 network interface cards (NICs), ether1 and ether3, where ether1 is the Ethernet port connected directly to the ISP and ether3 is the Ethernet port connected directly to the 192.168.2.0/24 network.

2. Bandwidth from the ISP is, say, 256 Kbps international and 1024 Kbps local IIX.

3. Computer 192.168.2.4 will be allocated 128 Kbps international and 256 Kbps local IIX bandwidth.

IP address list setup

Starting with MikroTik RouterOS version 2.9 there is a feature called the IP address list. It groups chosen IP addresses, and each group can be given a name. The group can then be used as a parameter in mangle, firewall filter, NAT and queues.

Mikrotik Indonesia provides a list of the IP addresses advertised at OpenIXP and IIX, which can be downloaded freely from the URL: http://www.mikrotik.co.id/getfile.php?nf=nice.rsc

This nice.rsc file is generated automatically on the Mikrotik Indonesia server every morning at about 05:30, and the data has been optimised to remove duplicate entries and overlapping subnets. At the moment the script is around 430 lines long.

Example

# Script created by: Valens Riyadi @ www.mikrotik.co.id
# Generated at 26 April 2007 05:30:02 WIB
... 431 lines
/ip firewall address-list
add list=nice address="1.2.3.4"
rem [find list=nice]
add list=nice address="125.162.0.0/16"
add list=nice address="125.163.0.0/16"
add list=nice address="152.118.0.0/16"
add list=nice address="125.160.0.0/16"
add list=nice address="125.161.0.0/16"
add list=nice address="125.164.0.0/16"
... etc.

Save the file to your computer as nice.rsc, then FTP to the MikroTik router and upload the file. The example below shows the upload from the MS-DOS prompt.

C:\>dir nice.*
 Volume in drive C has no label.
 Volume Serial Number is 5418-6EEF

 Directory of C:\

04/26/2007  06:42p              17,523 nice.rsc
               1 File(s)         17,523 bytes
               0 Dir(s)  47,038,779,392 bytes free

C:\>ftp 192.168.0.1
Connected to 192.168.0.1.
220 R&D FTP server (MikroTik 2.9.39) ready
User (192.168.0.1:(none)): admin
331 Password required for admin
Password: ********
230 User admin logged in
ftp> ascii
200 Type set to A
ftp> put nice.rsc
200 PORT command successful
150 Opening ASCII mode data connection for '/nice.rsc'
226 ASCII transfer complete
ftp: 17523 bytes sent in 0.00Seconds 17523000.00Kbytes/sec.
ftp> bye
221 Closing

C:\>

Once the file has been uploaded, import it.

[admin@MikroTik] > import nice.rsc
Opening script file nice.rsc
Script file loaded and executed successfully

Make sure the import succeeded by checking the Address List under the IP > Firewall menu.

Configuring mangle

Below are the commands to configure mangle; they can be entered in the text console of MikroTik RouterOS or in the terminal in Winbox.

/ip firewall mangle

add chain=forward src-address-list=nice action=mark-connection new-connection-mark=mark-con-indonesia passthrough=no comment="mark all indonesia source connection traffic" disabled=no

add chain=forward dst-address-list=nice action=mark-connection new-connection-mark=mark-con-indonesia passthrough=no comment="mark all indonesia destination connection traffic" disabled=no

add chain=forward src-address-list=!nice action=mark-connection new-connection-mark=mark-con-overseas passthrough=no comment="mark all overseas source connection traffic" disabled=no

add chain=forward dst-address-list=!nice action=mark-connection new-connection-mark=mark-con-overseas passthrough=no comment="mark all overseas destination connection traffic" disabled=no

add chain=prerouting connection-mark=mark-con-indonesia action=mark-packet new-packet-mark=indonesia passthrough=yes comment="mark all indonesia traffic" disabled=no

add chain=prerouting connection-mark=mark-con-overseas action=mark-packet new-packet-mark=overseas passthrough=yes comment="mark all overseas traffic" disabled=no

Two details matter here. The "destination" rules match on dst-address-list, as their comments say. And the four connection-mark rules use passthrough=no so that the first matching rule decides the mark: with passthrough=yes, the !nice rules further down would also match (a LAN address is never in the list) and overwrite the Indonesia mark, so every connection would end up marked overseas.

Creating the simple queue

The next step is to shape bandwidth with a simple queue. To give the computer with IP 192.168.2.4 128 Kbps of international bandwidth and 256 Kbps of local IIX bandwidth, use the following commands.

/queue simple

add name=kom1-indonesia target-address=192.168.2.4/32 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=indonesia direction=both priority=8 queue=default/default limit-at=0/0 max-limit=256000/256000 total-queue=default disabled=no

add name=kom1-overseas target-address=192.168.2.4/32 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=overseas direction=both priority=8 queue=default/default limit-at=0/0 max-limit=128000/128000 total-queue=default disabled=no

The script above limits only the computer with IP 192.168.2.4, to 128 Kbps international (overseas) and 256 Kbps local IIX (Indonesia); all other hosts are not limited.
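The address-list lookup and the mangle/queue decision above, as an added Python example (not part of the tutorial and not the router's own code): it reads a constructed nice.rsc excerpt, marks flows the way the forward-chain rules do, and shows why the connection-mark rules need passthrough=no. The prefixes, the mark names and 192.168.2.4 come from the text; the 203.0.113.0/24 addresses are constructed.

```python
"""Classify flows the way the nice address-list and mangle rules above do.

Added example, not code from the tutorial: it parses a small constructed
excerpt in the nice.rsc format, decides per connection whether the mangle
rules would set mark-con-indonesia (an endpoint in the list) or
mark-con-overseas, and looks up the simple-queue limit for 192.168.2.4.
"""
import ipaddress
import re

# Constructed excerpt in nice.rsc format (prefixes from the sample above;
# the real file has around 430 entries).
NICE_RSC = """\
# Script created by: Valens Riyadi @ www.mikrotik.co.id
/ip firewall address-list
add list=nice address="1.2.3.4"
rem [find list=nice]
add list=nice address="125.162.0.0/16"
add list=nice address="125.163.0.0/16"
add list=nice address="152.118.0.0/16"
"""

ADD_RE = re.compile(r'^add\s+list=(\S+)\s+address="([^"]+)"')

# The four connection-mark rules, in order: (which address to test,
# negated?, connection mark to set).
CONN_RULES = [
    ("src", False, "mark-con-indonesia"),
    ("dst", False, "mark-con-indonesia"),
    ("src", True, "mark-con-overseas"),
    ("dst", True, "mark-con-overseas"),
]

# max-limit of the two simple queues for 192.168.2.4, in bits per second.
QUEUE_LIMITS = {"mark-con-indonesia": 256000, "mark-con-overseas": 128000}


def parse_address_list(script, list_name="nice"):
    """Return the networks of one address-list, honouring 'rem [find ...]'."""
    nets = []
    for line in script.splitlines():
        line = line.strip()
        if line.startswith("rem "):
            nets.clear()  # the script flushes the old list before reloading it
            continue
        m = ADD_RE.match(line)
        if m and m.group(1) == list_name:
            nets.append(ipaddress.ip_network(m.group(2), strict=False))
    return nets


def in_list(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def connection_mark(src, dst, nets, passthrough=False):
    """Evaluate the forward-chain rules in order.

    passthrough=False stops at the first match (the rules as given above);
    passthrough=True keeps going, so a later !nice rule overwrites the mark.
    """
    mark = None
    for field, negate, new_mark in CONN_RULES:
        ip = src if field == "src" else dst
        if in_list(ip, nets) != negate:
            mark = new_mark
            if not passthrough:
                break
    return mark


def queue_limit(src, dst, nets, client="192.168.2.4"):
    """max-limit (bps) applied to a flow, or None when no queue matches."""
    if client not in (src, dst):
        return None  # only 192.168.2.4 is limited; other hosts are not
    return QUEUE_LIMITS[connection_mark(src, dst, nets)]


if __name__ == "__main__":
    nets = parse_address_list(NICE_RSC)
    for src, dst in [("192.168.2.4", "125.163.0.9"), ("192.168.2.4", "203.0.113.7")]:
        print(src, "->", dst, connection_mark(src, dst, nets),
              queue_limit(src, dst, nets))
```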

Final check

When everything is in place, test by accessing both local and international sites, and watch the counters on the firewall mangle rules and on the simple queues.

You can also extend the queue type to PCQ so that the traffic is spread evenly across clients.

Good luck, hope this helps...

Blocking websites with MikroTik RouterOS

To block a website with MikroTik RouterOS, the steps are:

1. Enable the web proxy

[gungun@smanelaeuy] > ip web-proxy
[gungun@smanelaeuy] ip web-proxy> set enabled=yes max-ram-cache-size=none max-cache-size=1GB transparent-proxy=yes

* adjust the cache sizes to your hardware!

2. Once it is active, add the access rules

[gungun@smanelaeuy] ip web-proxy> access
[gungun@smanelaeuy] ip web-proxy access> add action=deny comment="porn situs" url="*sex*"

* for anything with "sex" in the URL; or, if you know the address:

[gungun@smanelaeuy] ip web-proxy access> add action=deny comment="porn situs" url="www.17tahun.com"

Manipulating the ToS of ICMP & DNS in MikroTik

Goals:
o Reduce the ping delay from the clients towards the Internet.
o Speed up resolving hostnames to IP addresses.

Assumption: the clients are on the subnet 10.10.10.0/28.

1. Manipulate the Type of Service for ICMP packets:

> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes
> ip firewall mangle add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes
> ip firewall mangle add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay

2. Manipulate the Type of Service for DNS resolving:

> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
> ip firewall mangle add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes
> ip firewall mangle add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay

3. Add a queue type:

> queue type add name="PFIFO-64" kind=pfifo pfifo-limit=64

4. Allocate bandwidth for ICMP packets:

> queue tree add name=ICMP parent=INTERNET packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64

5. Allocate bandwidth for DNS resolving:

> queue tree add name=DNS parent=INTERNET packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64

(parent=INTERNET refers to a parent queue-tree entry or interface that must already exist on your router.)

6. Good luck!

Queue with SRC-NAT and WEB-PROXY

When using queues (bandwidth limiters), the choice of CHAIN in MANGLE largely determines how a rule behaves. If SRC-NAT and WEB-PROXY run on the same machine, it is often hard to write QUEUE rules that work perfectly. A detailed explanation of chain selection can be found in the MikroTik manual.

The experiment was done on a PC running MikroTik RouterOS version 2.9.28. The machine has two interfaces: one for the gateway, named PUBLIC, and one for the local network, named LAN.

[admin@instaler] > in pr
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE   RX-RATE  TX-RATE  MTU
 0  R public   ether  0        0        1500
 1  R lan      wlan   0        0        1500

These are the IP addresses used. The subnet 192.168.0.0/24 is the gateway subnet for this machine.

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK       BROADCAST      INTERFACE
 0   192.168.0.217/24   192.168.0.0   192.168.0.255  public
 1   172.21.1.1/24      172.21.1.0    172.21.1.255   lan

The transparent web proxy is enabled as well.

[admin@instaler] > ip web-proxy pr
                 enabled: yes
             src-address: 0.0.0.0
                    port: 3128
                hostname: "proxy"
       transparent-proxy: yes
            parent-proxy: 0.0.0.0:0
     cache-administrator: "webmaster"
         max-object-size: 4096KiB
             cache-drive: system
          max-cache-size: none
      max-ram-cache-size: unlimited
                  status: running
      reserved-for-cache: 0KiB
  reserved-for-ram-cache: 154624KiB

MASQUERADE is enabled, together with one REDIRECT rule that diverts HTTP traffic to the WEB-PROXY.

[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=public src-address=172.21.1.0/24 action=masquerade
 1   chain=dstnat in-interface=lan src-address=172.21.1.0/24 protocol=tcp dst-port=80 action=redirect to-ports=3128

Now the most important step in this process: building the MANGLE rules. We need two PACKET-MARKs: one for upstream packets, which in this example we call test-up, and one for downstream packets, which we call test-down.

For upstream packets the mangle rule is simple. It can be done with a single rule using only the SRC-ADDRESS and IN-INTERFACE parameters, in the prerouting chain. The upstream packets are marked test-up.

Downstream packets, however, need several rules. Because we use IP translation (masquerade), we need a connection mark, which in this example we call test-conn.

Then two more rules are needed. The first is for non-HTTP downstream packets that come straight from the Internet (not through the proxy). It uses the forward chain, because that data passes through the router.

The second is for packets originating from the WEB-PROXY. It uses the output chain, because that traffic originates from an application inside the router and goes to machines outside the router.

The downstream packets in both rules are marked test-down.

Remember: passthrough is enabled only for the connection mark.

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; UP TRAFFIC
     chain=prerouting in-interface=lan src-address=172.21.1.0/24 action=mark-packet new-packet-mark=test-up passthrough=no

 1   ;;; CONN-MARK
     chain=forward src-address=172.21.1.0/24 action=mark-connection new-connection-mark=test-conn passthrough=yes

 2   ;;; DOWN-DIRECT CONNECTION
     chain=forward in-interface=public connection-mark=test-conn action=mark-packet new-packet-mark=test-down passthrough=no

 3   ;;; DOWN-VIA PROXY
     chain=output out-interface=lan dst-address=172.21.1.0/24 action=mark-packet new-packet-mark=test-down passthrough=no
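The chain choice above, as an added Python model (not from the tutorial): it walks constructed packets through the prerouting, forward, input and output chains against the four mangle rules and reports which packet mark each one ends up with, including the packet that is never marked because the LAN never opened its connection. The addresses 203.0.113.x and 198.51.100.x and the connection ids are constructed.

```python
"""Which mangle rule marks which packet when SRC-NAT and the web proxy share a router.

Added example, not code from the tutorial: a small model of the four mangle
rules above. A packet is described by the chains it traverses (prerouting and
forward for routed traffic, prerouting and input for traffic redirected to
the proxy, output for traffic the proxy sends), its interfaces and addresses.
Connection marks persist per connection, as with connection tracking.
"""
import ipaddress

LAN = ipaddress.ip_network("172.21.1.0/24")

# (chain, matchers, action, mark, passthrough), in the order of the print above.
RULES = [
    ("prerouting", {"in_if": "lan", "src_in": LAN}, "mark-packet", "test-up", False),
    ("forward", {"src_in": LAN}, "mark-connection", "test-conn", True),
    ("forward", {"in_if": "public", "conn_mark": "test-conn"}, "mark-packet", "test-down", False),
    ("output", {"out_if": "lan", "dst_in": LAN}, "mark-packet", "test-down", False),
]


def matches(matchers, pkt, conn_mark):
    """True when every matcher of a rule applies to the packet."""
    for key, want in matchers.items():
        if key == "src_in" and ipaddress.ip_address(pkt["src"]) not in want:
            return False
        if key == "dst_in" and ipaddress.ip_address(pkt["dst"]) not in want:
            return False
        if key in ("in_if", "out_if") and pkt[key] != want:
            return False
        if key == "conn_mark" and conn_mark != want:
            return False
    return True


def mangle(pkt, conns):
    """Run one packet through its chains; conns maps connection id -> mark.

    Returns the packet mark the queue tree would see (None if unmarked).
    """
    packet_mark = None
    for chain in pkt["chains"]:
        for rule_chain, matchers, action, mark, passthrough in RULES:
            if rule_chain != chain or not matches(matchers, pkt, conns.get(pkt["conn"])):
                continue
            if action == "mark-connection":
                conns[pkt["conn"]] = mark
            else:
                packet_mark = mark
            if not passthrough:
                break  # passthrough=no: stop processing this chain
    return packet_mark


def packet(conn, chains, src, dst, in_if=None, out_if=None):
    return {"conn": conn, "chains": chains, "src": src, "dst": dst,
            "in_if": in_if, "out_if": out_if}


def demo():
    """Constructed traffic: returns {case: packet mark} and the connection marks."""
    conns = {}
    routed = ["prerouting", "forward"]
    cases = {
        # LAN client opens a non-HTTP connection to the Internet (routed).
        "up": packet("c1", routed, "172.21.1.10", "203.0.113.5", in_if="lan", out_if="public"),
        # Reply from the Internet on that connection (routed back to the LAN).
        "down_direct": packet("c1", routed, "203.0.113.5", "172.21.1.10", in_if="public", out_if="lan"),
        # HTTP request redirected to the proxy: prerouting then input, no forward.
        "to_proxy": packet("c2", ["prerouting", "input"], "172.21.1.10", "198.51.100.7", in_if="lan"),
        # Proxy answering the client: locally generated, output chain only.
        "from_proxy": packet("c2", ["output"], "172.21.1.1", "172.21.1.10", out_if="lan"),
        # Inbound packet of a connection the LAN never opened: no test-conn, so no mark.
        "unsolicited": packet("c3", routed, "203.0.113.9", "172.21.1.10", in_if="public", out_if="lan"),
    }
    return {name: mangle(pkt, conns) for name, pkt in cases.items()}, conns


if __name__ == "__main__":
    marks, conns = demo()
    for name, mark in marks.items():
        print(f"{name:12s} -> {mark}")
    print("connection marks:", conns)
```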

The last step is the queue configuration, using a queue tree here: one rule for downstream and one for upstream. What matters is the choice of parent. For downstream we use parent lan, the interface facing the local network; for upstream we use parent global-in.

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
 0   name="downstream" parent=lan packet-mark=test-down limit-at=32000 queue=default priority=8 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s

 1   name="upstream" parent=global-in packet-mark=test-up limit-at=32000 queue=default priority=8 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s

As a further variation for bandwidth management, the PCQ queue type can also be used, which divides the traffic per client automatically.

Blocking viruses in the MikroTik firewall

/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 src-address-list=!spammer action=add-src-to-address-list address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"

The first rule drops SMTP from anything already on the spammer list; the second adds a source to that list for one day once it holds more than the allowed number of concurrent SMTP connections, which is the typical signature of a mass-mailing worm or spam bot on the LAN.
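The connection-limit trap above, as an added Python model (not from the page): it replays constructed SMTP connection events through the two rules and shows when a source is added to the spammer list, when its new connections are dropped, and that it is re-listed after the 1-day timeout if it is still over the limit. The hosts 192.168.0.10 and 192.168.0.77, the event timeline and the "more than 30" reading of the threshold are assumptions.

```python
"""Model of the two SMTP filter rules above (added example, not from the page).

connection-limit=30,32 on the detect rule matches once a single source (/32)
already has more than 30 tracked SMTP connections; the rule then adds that
source to the spammer list for address-list-timeout=1d, and the drop rule
that sits above it blocks further SMTP connections from the source for as
long as the entry lives. The limit=50,5 rate limit on the detect rule is not
modelled, and "more than 30" is this model's reading of the threshold.
"""
from collections import defaultdict

CONN_LIMIT = 30            # connection-limit=30,32
LIST_TIMEOUT = 24 * 3600   # address-list-timeout=1d, in seconds


class SmtpGuard:
    def __init__(self):
        self.open = defaultdict(set)  # source -> ids of open SMTP connections
        self.spammer = {}             # source -> expiry time of the list entry
        self.log = []                 # (time, source, action) for the operator

    def _expire(self, now):
        for src in [s for s, exp in self.spammer.items() if exp <= now]:
            del self.spammer[src]

    def new_connection(self, now, src, conn_id):
        """Action for a new SMTP connection: 'drop', 'listed' or 'accept'."""
        self._expire(now)
        # Rule 1: src-address-list=spammer -> drop.
        if src in self.spammer:
            self.log.append((now, src, "drop"))
            return "drop"
        # Rule 2: not listed yet and already above the connection limit ->
        # add-src-to-address-list. The rule has no drop, so the packet continues.
        if len(self.open[src]) > CONN_LIMIT:
            self.spammer[src] = now + LIST_TIMEOUT
            self.log.append((now, src, "add-src-to-address-list"))
            self.open[src].add(conn_id)
            return "listed"
        self.open[src].add(conn_id)
        return "accept"

    def closed(self, src, conn_id):
        self.open[src].discard(conn_id)


def simulate(events):
    """events: (time, src, 'syn'|'fin', conn_id) tuples in time order."""
    guard = SmtpGuard()
    actions = []
    for t, src, kind, cid in events:
        if kind == "syn":
            actions.append(guard.new_connection(t, src, cid))
        else:
            guard.closed(src, cid)
    return guard, actions


# Constructed sample: a normal host opens two connections and closes one;
# an infected host holds 31 connections open, opens a 32nd, tries again, and
# tries once more after the 1-day entry has expired (still over the limit).
SAMPLE_EVENTS = (
    [(0, "192.168.0.10", "syn", "n1"), (1, "192.168.0.10", "syn", "n2"),
     (2, "192.168.0.10", "fin", "n1")]
    + [(10 + i, "192.168.0.77", "syn", "i%d" % i) for i in range(31)]
    + [(50, "192.168.0.77", "syn", "i31"), (60, "192.168.0.77", "syn", "i32"),
       (60 + LIST_TIMEOUT, "192.168.0.77", "syn", "i33")]
)

if __name__ == "__main__":
    guard, actions = simulate(SAMPLE_EVENTS)
    for entry in guard.log:
        print(entry)
```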

/ip firewall nat add chain=srcnat out-interface="your interface which provides internet" src-address="network 1" action=masquerade

You need to add a rule like this for each subnet you have; for the head office subnet add this:

/ip firewall nat add chain=srcnat out-interface="your interface which provides internet" action=masquerade

/ip firewall mangle
add chain=prerouting dst-address=202.168.47.17 protocol=udp dst-port=5060-5080 action=mark-connection new-connection-mark=voip-con passthrough=yes comment="" disabled=no
add chain=prerouting dst-address=202.168.47.17 protocol=udp dst-port=19000-20000 action=mark-connection new-connection-mark=voip-con passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=voip-con action=mark-packet new-packet-mark=voip passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=22-23 action=mark-connection new-connection-mark=sshtelnet-con passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=sshtelnet-con action=mark-packet new-packet-mark=sshtelnet passthrough=no comment="" disabled=no
add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p-con passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=p2p-con action=mark-packet new-packet-mark=p2p passthrough=no comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=everything-con passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=everything-con action=mark-packet new-packet-mark=everything passthrough=yes comment="" disabled=no

Setting up MikroTik RouterOS as a PPPoE client and Internet gateway for Telkom Speedy

The other day I tried dialling Speedy through MikroTik, to see how it is done and what the advantages are compared with dialling from the ADSL modem itself. If you try something there should be some benefit to it, otherwise the time and effort are wasted, right?

Step one

Before we run step two it is best to do step one first; you can't do step three before step two :D. The ADSL modem I use is a JK Network, and the MikroTik version is 2.9.xx (the rest is hidden).

The topology used:

(INTERNET) --- [ADSL modem] --- [MikroTik] --- [Client]

It is assumed that the client can already communicate with the radio without obstruction, or that the IP address and NAT settings are already working!

First we make the modem work as a bridge rather than a router, because the router function will be handled by MikroTik. Choose the WAN menu, then click the Add button.

Then fill in VPI and VCI with 8 and 81.

Next choose the Bridging menu and enter the service name; once everything is done, click Save.

Reboot the modem; it now works as a bridge.

Step two

In step two we configure MikroTik to act as the modem.

Log in to MikroTik in Winbox as admin and choose the PPP menu. A PPP window appears; click the + icon in that window and choose PPPoE Client.

Fill in the service name, then choose the interface connected directly to the modem.

Then open the Dial Out tab and fill in the username given by Telkom and its password; leave the other fields at their defaults.

Finally click OK; MikroTik will automatically DIAL to Telkom.

-- END SETTING --

The advantages of using MikroTik as the "modem" rather than a plain ADSL modem:

• Dialling is faster than with a plain ADSL modem: MikroTik usually reaches the connected state in under 15 seconds, whereas a modem typically needs a relatively long time, around 2 to 4 minutes.

• The connection is more stable, because the "modem" role is played by a PC with plenty of resources and the capability to run 24 hours a day.

• The administrator can reach the MikroTik remotely and configure the firewall, simple queues, load balancing and so on from an external network without having to set up port forwarding.

• The modem lasts longer because it no longer works as hard, which shows as the modem running cooler while the Internet link is UP.

Setting up MikroTik RouterOS as a PPPoE client and Internet gateway for Telkom Speedy

We start the setup from the ADSL modem, in bridging protocol mode. The settings can be found in the manual of your particular modem. As an example, the bridging protocol setting on the TECOM AR1031 modem is under Advanced Setup > WAN.

Follow the picture below, then save/reboot.

With the modem set up as a bridge, which does not store your user ID and password in the modem, those who want to change the modem's default IP address can configure it first from a client PC.

How: first change the modem IP under Advanced Setup > LAN IP Address, for example to 192.168.100.1, then save/reboot. Then change the client PC's IP to 192.168.100.2. Done. Try typing the modem IP (192.168.100.1) in your web browser. Did it work?

Now on to the MikroTik RouterOS box.

Decide the IP address of each LAN card, for example 202.202.202.202 (public) for the card connected to the modem and 192.168.100.1 (lokal) for the card to your local network. Run these commands first if you want to name your Ethernet cards.

/interface ethernet set ether1 name=public

/interface ethernet set ether2 name=lokal

Double-check the names against the cable layout, then continue with the IP address settings.

/ip address add address=202.x.x.x/24 interface=public

/ip address add address=192.168.100.1/24 interface=lokal

/ip address print

Make sure the LAN cards are not disabled. Next you can add the PPPoE client entry.

/interface pppoe-client add name=pppoe-user-mike user=mike password=123 interface=public service-name=internet disabled=no

The commands above can also be done in Winbox, which is easier if you want to check your network connection to MikroTik at the same time. Next, set the gateway and routing, then move on to masquerading.

/ip route add gateway=125.168.125.1 (your Telkom Speedy gateway IP)

/ip route print

The gateway IP above is not necessarily the same for you; first look at the IP of your PPPoE client. If you are not 100% sure of your client IP and gateway, log in and dial through the modem first, not in bridging mode as above. The Device Info menu will show your default gateway and PPPoE client IP. OK?

Next, masquerading: this hands the routed traffic on to the MikroTik NAT firewall so that every connected client is routed to the Internet.

/ip firewall nat add chain=srcnat action=masquerade

Done; the routing stage is complete. Try pinging the MikroTik and its gateway. If you want to share the connection with client computers, don't forget to set the gateway in their Network Connection settings (Windows) to the local IP of your MikroTik.

There are many MikroTik settings you can learn from various sources. If typing seems too complicated you can do it in Winbox, and every tutorial you need can be copied and pasted into MikroTik's Winbox terminal.

Setting up DNS and a transparent web proxy

Entering DNS and web-proxy settings is also easier in Winbox: fill in the primary and secondary DNS and tick Allow Remote Requests, or use the commands in the Winbox terminal.

/ip dns set primary-dns=203.130.206.250

/ip dns set secondary-dns=202.134.2.5

/ip dns set allow-remote-requests=yes

/ip web-proxy set enabled=yes port=8080 hostname=proxy.koe transparent-proxy=yes

/ip firewall nat add in-interface=lokal dst-port=80 protocol=tcp action=redirect to-ports=8080 chain=dstnat dst-address=!192.168.100.1/24

Setting up MikroTik for SDSL Speedy - bandwidth management

First, a sketch of the network:

LAN ---> Mikrotik RouterOS ---> Modem ADSL ---> INTERNET

For the LAN we use a class C network, 192.168.0.0/24. For the MikroTik RouterOS we need two Ethernet cards: one (ether1, 192.168.1.2/24) connected to the ADSL modem and one (ether2, 192.168.0.1/24) connected to the LAN. The ADSL modem's IP is set to 192.168.1.1/24.

Before typing anything, make sure you are at the root menu by typing "/".

Set the IP of each Ethernet card

ip address add address=192.168.1.2/24 interface=ether1

ip address add address=192.168.0.1/24 interface=ether2

To show the result of the commands above, type:

ip address print

Then test by pinging the gateway or a computer on the LAN. If it succeeds, your IP configuration is correct.

ping 192.168.1.1

ping 192.168.0.10

Adding the route

ip route add gateway=192.168.1.1

Setting DNS

ip dns set primary-dns=202.134.1.10 allow-remote-requests=yes

ip dns set secondary-dns=202.134.0.155 allow-remote-requests=yes

Because this connection uses Telkom Speedy, the DNS servers I use are Telkom's. Adjust them to your provider's DNS.

After that, try pinging yahoo.com, for example:

ping yahoo.com

If it succeeds, the DNS settings are correct.

Source NAT (Network Address Translation) / Masquerading

So that every computer on the LAN can reach the Internet as well, you need to add NAT (masquerade) on the MikroTik.

ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

Now try pinging yahoo.com from a computer on the LAN.

ping yahoo.com

If it succeeds, the masquerade setting is correct.

DHCP (Dynamic Host Configuration Protocol)

For convenience my friend wanted a DHCP server, so that whenever a client connects it doesn't need a manually set IP; it simply obtains one from the DHCP server. Luckily MikroTik has a DHCP server feature too, so no problem.

Creating the IP address pool

ip pool add name=dhcp-pool ranges=192.168.0.2-192.168.0.254

Adding the DHCP network

ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=202.134.1.10,202.134.0.155

Adding the DHCP server

ip dhcp-server add name=DHCP_LAN disabled=no interface=ether2 address-pool=dhcp-pool

Now test from a client computer by requesting an IP address from the DHCP server. If it succeeds, once again the setting is correct.

Bandwidth Control

So that the client computers on the LAN don't fight over bandwidth, we need bandwidth management, or bandwidth control.

The model I use is queue trees. For a fuller explanation, refer to the MikroTik site.

The situation is this:

The Speedy connection is advertised as up to 384/64 Kbps (download/upload), but that is very rarely reached, so we need an estimate of the average. I take the minimum download as about 300 Kbps and allocate 50 Kbps for upload. For the maximum, download is about 380 Kbps and upload 60 Kbps.

The number of client computers at the moment is 10, so that bandwidth has to be divided among those 10 clients.

The calculation per client is:

Minimal Download: 300 / 10 * 1024 = 30720 bps

Maximal Download: 380 / 10 * 1024 = 38912 bps

Minimal Upload: 50 / 10 * 1024 = 5120 bps

Maximal Upload: 60 / 10 * 1024 = 6144 bps

Next we start the configuration:

Mark all packets coming from the LAN

ip firewall mangle add src-address=192.168.0.0/24 action=mark-connection new-connection-mark=Clients-con chain=prerouting

ip firewall mangle add connection-mark=Clients-con action=mark-packet new-packet-mark=Clients chain=prerouting

Add the rules that limit download and upload speed

queue tree add name=Clients-Download parent=ether2 packet-mark=Clients limit-at=30720 max-limit=38912

queue tree add name=Clients-Upload parent=ether1 packet-mark=Clients limit-at=5120 max-limit=6144

Now try downloading from several clients; each client should now share the bandwidth. If fewer than 10 clients are online, the unused bandwidth is shared among the clients that are online.

Graphing

MikroTik also has a traffic monitoring function like a regular MRTG, so we can see how much traffic passes through our MikroTik PC.

tool graphing set store-every=5min

Next we monitor the packets passing through all interfaces on the MikroTik PC; on my machine those are ether1 and ether2.

tool graphing interface add interface=all store-on-disk=yes

Now point your browser at the IP of the MikroTik router. For me that is:

http://192.168.0.1/graphs/

A list of the interfaces on your router will appear. Click one of them and you will see a graph of the packets passing through that interface.

From the tutorial above I only went as far as adding NAT (masquerade). In my view DHCP addresses keep changing, so when you later want to limit bandwidth the IP is sometimes not the same. CMIIW. For the limits I did it through remote Winbox, which is easier. A question for myself: when will you install the graph tool, kid? hehehhee... OK, hope this is useful to everyone.

Restricting Internet access in the office... with MikroTik

Continuing, here is how I restrict Internet access in the office, again with MikroTik. My office is not that big, with about 65 PCs on the LAN. I use the range 192.168.0.1/24, with the gateway at 192.168.0.1, which is the MikroTik. The boss did not allow every IP in that range to access the Internet... hehe... and, worse, the IPs that are allowed are scattered rather than consecutive. On top of that I use DHCP for address assignment (so I don't have to keep track of IPs when a PC is changed or added). Enough reasons for the restriction; on to the settings...

Oh, and all settings are done in winbox.exe, because that is all I can do...

1. Log in to MikroTik with Winbox.
2. Go to the menu /ip firewall address-list.
3. Click Add (the plus sign).
4. Fill in a unique name, for example INET, and the IP of a host that is allowed Internet access.
5. Repeat step 4 until every IP with Internet access is recorded under the same address-list name.
6. Next change the masquerade rule: src-address was originally the full client IP range. Instead, clear src-address in the General tab, go to the Advanced tab and fill in Src. Address List with the list we just created.
7. Step 6 means IPs outside the address-list are no longer masqueraded and therefore cannot reach the Internet... just as we wanted, right?
8. To be extra sure, add a filter rule with chain forward, in-interface = the interface facing the clients, then in the Advanced tab set Src. Address List = the new list and tick the exclamation mark (negation) to its left, with action=drop. Put this rule at the very top.
9. Step 8 means every IP outside the list is not forwarded at all.

Locking client IP and MAC addresses in MikroTik....

You may have experienced a naughty client who tries to use the admin computer's IP to get unlimited Internet access... very annoying... and the one who gets told off by the boss is of course the one who manages the Internet access (read: me).

For those using MikroTik as the gateway/router/web-proxy controlling access at your site, here is a small way to make sure the IPs that have Internet access cannot be swapped between machines...

Straight to the scene, then...

1. Log in to MikroTik with Winbox (sorry, CLI fans... I can only do the GUI... hehehehe).

2. Make sure every client is ON, because we are going to record the MAC addresses with the IP Scan tool in Winbox.

3. Go to IP --> Firewall, tab Address Lists.

4. (screenshot)

5. Fill in a name of your choice that is easy to remember, then the client IP.

Do this for every client, with the same address-list name. Once every client is in the address-list, go to the NAT tab.

6. (screenshot)

7. The picture above changes the existing nat-masquerade rule/script: normally src-address in the General section holds the client IP range. This time it is changed so that only clients in the address-list are masqueraded.

8. Next, record the clients' MAC addresses; for that we use the IP Scan tool: go to the Tools menu and choose IP Scan.

9. (screenshot)

10. For the interface, choose the MikroTik interface facing the LAN, and set the address range to match your clients' IP range. Click Start and wait a moment. Once every IP has been listed, leave the IP Scan tool open (don't close it) and go to IP --> ARP.

11. (screenshot)

12. The ARP list now shows the IP and MAC address of each client. Next, make the ARP entries static by right-clicking each IP/MAC pair and choosing Make Static. Do this for every IP listed. Once all are static, go to the Interfaces menu.

13. (screenshot)

14. Choose the interface facing the clients and double-click it so that the window shown above appears. Then set the ARP option to reply-only. With reply-only the router stops learning ARP entries dynamically, so a new or re-addressed client must be added to the ARP table by hand before it can talk to the router.

15. Done.

Securing our web proxy.....

Once we have combined smoothwall with MikroTik, and if our connection is Speedy with its small upload bandwidth, it is only proper to secure this web proxy so that only our local clients can use it. If clients from outside (from the WAN) also use the web proxy, our Internet connection is guaranteed to crawl, because our upload bandwidth is eaten by those outside clients... so be careful!!! This protection is not only for Speedy users (with the modem set as a bridge) but also for other kinds of connection, by adjusting the "in-interface" parameter to the WAN connection type. On to our main goal:

1. Log in to Winbox, then go to IP --> Firewall --> Filter

2. (screenshot)

3. Follow the options above; for connections other than Speedy just adjust "in-interface", which must be the MikroTik interface facing the WAN/Internet. Then go to the Action tab and set drop.

4. Repeat step 2 for ports 3128 and 8085.

Done

Setting up a VPN on MikroTik with PPTP...

Introduction..

Honestly I was a bit reluctant to write about VPN setup, since many people have already covered it in depth. But at a friend's request, and having some time, I wrote it up anyway. The VPN I set up uses only one type, PPTP (Point to Point Tunneling Protocol).

Assumptions..

1. Your Internet network with a MikroTik gateway/router is already running well and has a public IP.

2. IP pool for the VPN: 192.168.15.1-192.168.15.50

3. MikroTik IP facing the LAN: 192.168.0.245

Action...

1. Log in to your MikroTik with Winbox...

2. Then go to the IP --> Pool module

3. (screenshot)

4. The name can be anything you like, as long as it is easy to remember.

5. For Addresses enter 192.168.15.1-192.168.15.50 and Next Pool = none, then click OK.

6. Next go to the PPP module, tab Profiles, and click the plus sign..

7. Pick a unique name, then set Local Address to the MikroTik IP facing the LAN and give DNS Server the same IP (provided Allow Remote Requests is ticked in the MikroTik DNS settings), then click OK.

8. Next go to the Secrets tab, still in the PPP module, and click the plus sign.

Page 37: Copy of 19763026 Tutorial Mikrotik Komplet

9.

10.Pada bagian ini untuk memberikan akses/username untuk menggunakan atau login ke VPN kita, silahkan berikan username dan password yang unik. Untuk service silahkan klik pptp dan profile diisi dengan profile yang sudah dibuat tadi..lalu diklik OK

11. Setelah bagian ini selesai kemudian kita masuk ke TAB interface dan klik pada bagian PPTP Server

12.

13.Silahkan diikuti semua option diatas kemudian klik OK, maka telah selesai setting VPN kita
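The same Winbox steps as RouterOS terminal commands, an added example that is not part of the tutorial. The names vpn-pool, vpn-profile and vpnuser1 are my own, the addresses are those assumed above, and the password is a placeholder to replace.

```routeros
# Added example: CLI equivalent of the PPTP server setup above.
# Assumed names: vpn-pool, vpn-profile, vpnuser1; replace the password.
# Steps 2-5: address pool handed out to connecting clients.
/ip pool add name=vpn-pool ranges=192.168.15.1-192.168.15.50
# Steps 6-7: profile; local-address and dns-server are the LAN-facing router IP.
# The DNS entry only works if /ip dns has allow-remote-requests=yes.
/ppp profile add name=vpn-profile local-address=192.168.0.245 \
    remote-address=vpn-pool dns-server=192.168.0.245
# Steps 8-10: one secret per user; service=pptp limits it to PPTP logins.
/ppp secret add name=vpnuser1 password=REPLACE-WITH-A-STRONG-PASSWORD \
    service=pptp profile=vpn-profile
# Steps 11-13: enable the PPTP server. Restricting authentication to mschap2
# is my hardening choice, not something the tutorial shows.
/interface pptp-server server set enabled=yes default-profile=vpn-profile \
    authentication=mschap2
# Remote clients must reach TCP/1723 and GRE (IP protocol 47) on the public
# IP; if the input chain filters traffic, allow exactly those two.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept \
    comment="PPTP control channel"
/ip firewall filter add chain=input protocol=gre action=accept comment="PPTP GRE"
# Check: a connected client appears here as a dynamic pptp-in interface.
/ppp active print
```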

Testing the connection with Windows XP

(Steps 1-8 are screenshots of the Windows XP VPN connection wizard and are not reproduced.)

Done.... Good luck trying it out

Setting up a Linksys AG241 and MikroTik for Speedy access

Introduction...

Why a Linksys AG241 and not something else? The answer is simple: that is what my office uses. Why does there also have to be a MikroTik; isn't a Linksys AG241 enough if you just want to share internet? The answer is simple too: the "somewhat" convoluted setup needed to share internet in the office cannot be met by a Linksys AG241 alone.

This time the Linksys AG241 is used as a bridge, while dialing is done by MikroTik. Some advantages of dialing with MikroTik:

1. We can manage the MikroTik directly. If the modem dials, we have to set the modem to forward the IP from Speedy to the MikroTik's IP.

2. The modem works less hard, which lowers its temperature (ever had a hot modem??) and indirectly extends its service life.

3. More filtering configuration is possible with MikroTik.

Besides the advantages there are also some drawbacks:

1. Extra cost for the PC on which MikroTik will be installed.

2. Extra skill is needed to configure MikroTik.

3. With an additional device, power consumption obviously goes up; in other words... more cost again :D

Requirements....

1. An active Speedy account....

2. A Linksys AG241 modem

3. A PC with MikroTik installed, with the ppp package also installed...

4. A straight-through patched UTP cable for the connection from the modem to the MikroTik.

5. A PC to configure the Linksys AG241 modem

Assumptions..

Network topology:

|Inet|----|Modem|----|Mikrotik|----|switch|----|Client|

1. Modem IP (default): 192.168.1.1/255.255.255.0

2. MikroTik IP facing the modem: 192.168.1.2/255.255.255.0

3. MikroTik IP facing the switch: 192.168.0.1/255.255.255.0

4. The MikroTik has at least 2 network cards: the one facing the modem we name WAN and the one facing the switch we name LAN.

Action..

Modem AG241.

1. Connect the AG241 modem to the PC with the prepared UTP cable.

2. Change the PC's IP to match the modem's IP, for example 192.168.1.3/255.255.255.0.

3. Power on the modem by plugging the adapter into the mains and connecting the adapter output to the modem.

4. Open your favourite browser and enter 192.168.1.1 in the URL bar; a dialog will ask for the username and password to enter the modem's configuration menu. By default both the username and the password are admin.

5. Go to the setup tab.

6.-7. (Screenshots not reproduced.)

8. The settings shown above are for the Jakarta area, specifically Bekasi; for other areas just adjust the VPI and VCI.

MikroTik

1. Connect the PC to the switch that is connected to the MikroTik (see the topology above) and change the PC's IP back to match the existing network, for example 192.168.0.3/255.255.255.0.

2. Log in to the MikroTik using Winbox.

3. Click the ppp menu, click the plus sign and choose pppoe client.

4. On the General tab the only thing to fill in is interface: choose WAN.

5. Switch to the Dial Out tab.

6. On the Dial Out tab only the username and password are filled in: enter the username and password of your Speedy account.

7. Dial on demand: if you want MikroTik to dial Speedy only when a client requests internet access (suitable for a non-unlimited account), tick it. If you want MikroTik to stay connected to the internet at all times, leave it unticked.

8. Add default route: a default route, as assigned by Speedy, will be added on the MikroTik.

9. For Use peer DNS I don't really know, so leave it unticked.

10. Under allow, tick everything, then click OK.

11. Click the menu IP-->Firewall and choose the NAT tab.

12. Choose chain: srcnat, src.address: 192.168.0.0/24, out.interface=pppoe-out2, then switch to the Action tab.

13. For action choose: masquerade.
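The MikroTik side of the above (steps 3-13) as RouterOS terminal commands, an added example not taken from the tutorial. It assumes the interface names WAN and LAN from the assumptions, a client named pppoe-out2 as in step 12, and placeholder Speedy credentials.

```routeros
# Added example: PPPoE client on the WAN port plus NAT for the LAN.
# Assumptions: interfaces are named WAN and LAN, the client is pppoe-out2
# (matching step 12), and the credentials are placeholders.
# Steps 3-10: the PPPoE client; dial-on-demand=no keeps the link up at all
# times, use-peer-dns=no mirrors step 9, allow= mirrors step 10.
/interface pppoe-client add name=pppoe-out2 interface=WAN \
    user=SPEEDY-USERNAME password=SPEEDY-PASSWORD \
    add-default-route=yes use-peer-dns=no dial-on-demand=no \
    allow=pap,chap,mschap1,mschap2 disabled=no
# Steps 11-13: masquerade everything from the LAN subnet leaving via PPPoE.
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 \
    out-interface=pppoe-out2 action=masquerade
# Checks: the client should report status "connected" with the public IP it
# was given, and the default route should now point out of pppoe-out2.
/interface pppoe-client monitor pppoe-out2 once
/ip route print where dst-address=0.0.0.0/0
# Because the router itself now holds the public IP, the WAN hardening from
# the web-proxy section applies to it directly: nothing on the pppoe-out2
# side should reach services meant for the LAN.
/ip firewall filter print where in-interface=pppoe-out2
```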

Remote access to MikroTik for users with a dynamic public IP....

Introduction...

For those of you who are customers of the ISP Tel**m aka Speeda, subscribing to the office package or another package that is given a dynamic IP, using MikroTik as the router (so the ADSL modem is configured as "Bridge Mode only" and MikroTik does the dialing), and who want to manage the MikroTik remotely from the internet: you will have trouble, because the IP changes whenever the modem/MikroTik is restarted. With the help of a website (the website is here) we can remote into our MikroTik without having to think about what IP our Speeda account currently has.....

Action...

Before starting, it is assumed there are no problems with the internet connection, with MikroTik doing the dialing.. Next, create an account at that website, create one of the subdomains offered there and activate its DNS service. To test it, ping the subdomain you just created... if it works you will get a reply from the IP of your Speeda account. Once the account is created (meaning you now have a username and password for that website) we move on to the MikroTik....

MikroTik...

Log in to your MikroTik via Winbox... go to the menu /System/Scripts... click add.... and enter this script:

For MikroTik v2.9.xx

:log info "DDNS: Begin"
:global ddns-user "YOURUSERID"
:global ddns-pass "YOURPASSWORD"
:global ddns-host "*1"
:global ddns-interface "EXACTINTERFACENAME"
:global ddns-ip [ /ip address get [/ip address find interface=$ddns-interface] address ]
:if ([ :typeof $ddns-lastip ] = nil ) do={ :global ddns-lastip 0.0.0.0/0 }
:if ([ :typeof $ddns-ip ] = nil ) do={
  :log info ("DDNS: No ip address present on " . $ddns-interface . ", please check.")
} else={
  :if ($ddns-ip != $ddns-lastip) do={
    :log info "DDNS: Sending UPDATE!"
    :log info [ /tool dns-update name=$ddns-host address=[:pick $ddns-ip 0 [:find $ddns-ip "/"] ] key-name=$ddns-user key=$ddns-pass ]
    :global ddns-lastip $ddns-ip
  } else={
    :log info "DDNS: No change"
  }
}
:log info "DDNS: End"

For MikroTik v3.x.x

# Define User Variables
:global ddnsuser "CHANGEIPUSERID"
:global ddnspass "CHANGEIPPASSWORD"
:global ddnshost "FREEHOSTNAME.TOUPDATE.TLD"

# Define Global Variables
:global ddnsip
:global ddnslastip
:if ([ :typeof $ddnslastip ] = nil ) do={ :global ddnslastip "0" }
:global ddnsinterface
:global ddnssystem ("mt-" . [/system package get system version] )

# Define Local Variables
:local int

# Loop thru interfaces and look for ones containing
# default gateways without routing-marks
:foreach int in=[/ip route find dst-address=0.0.0.0/0 active=yes ] do={
  :if ([:typeof [/ip route get $int routing-mark ]] != str ) do={
    :global ddnsinterface [/ip route get $int interface]
  }
}

# Grab the current IP address on that interface.
:global ddnsip [ /ip address get [/ip address find interface=$ddnsinterface ] address ]

# Did we get an IP address to compare?
:if ([ :typeof $ddnsip ] = nil ) do={
  :log info ("DDNS: No ip address present on " . $ddnsinterface . ", please check.")
} else={
  :if ($ddnsip != $ddnslastip) do={
    :log info "DDNS: Sending UPDATE!"
    :log info [ :put [/tool dns-update name=$ddnshost address=[:pick $ddnsip 0 [:find $ddnsip "/"] ] key-name=$ddnsuser key=$ddnspass ] ]
    :global ddnslastip $ddnsip
  } else={
    :log info "DDNS: No update required."
  }
}
# End of script

Then give the script a name of your choosing and click OK.

Once the script is created, we next create a scheduler so that our MikroTik periodically updates the subdomain created at "that" website. Still in Winbox, go to the menu /system/scheduler: click add... name the scheduler.... set the date on which the scheduler starts.... set the time.... set the interval... every minute.. every hour or every day....

In the On Event field, write the name of the script you created earlier.

Done, good luck trying it out.

Combining Smoothwall with MikroTik

Introduction

There is no denying the value of a web proxy (when configured well; for some people this is a pleasure in itself, for others a burden, because of the many parameters in the squid web proxy that can be configured, and different configurations give different effects). For those who do not want the hassle of all that configuring, unless you want to "play" with the parameters in squid, you can use Smoothwall or IPCop. Smoothwall and IPCop are really Linux-based operating systems dedicated to being an internet gateway, bridging the LAN and the internet. This time, however, I will combine the capabilities of MikroTik with the web proxy capability of Smoothwall. The Smoothwall I use is the freeware or community version.

One reason I prefer Smoothwall over IPCop is that the hardware where I am is mostly P4 already, so a 2.6 kernel is my choice; only Smoothwall offers this, while IPCop is still stuck on kernel 2.4. MikroTik is used as the gateway and for bandwidth management, because that is where MikroTik has its added value.

Network diagram

| Inet Cloud |-----| Modem |-----| Mikrotik |-----| Switch |-----| LAN |
                                      |
                                      |
                                      |
                                | Smoothwall |

Assumptions

1. MikroTik is installed and running well.

2. LAN clients can already browse the internet.

3. MikroTik and Smoothwall are on different machines.

4. In my case the connection is Speeda (other connections are fine too, it is the same in essence).

5. Smoothwall is placed alongside MikroTik because, in my trials, the diagram above suited me better than the one where Smoothwall sits alongside the clients.

6. The computer used as web proxy should have at least 256 MB of memory; more is better, and 1 GB is recommended. The processor is not very significant. For the hard disk, preferably SATA or SCSI, because for a squid web proxy the strength and speed of the disk largely determine the "speed effect" the clients feel when browsing. If there is no SATA or SCSI, then a PATA disk will have to do.

7. The Smoothwall topology is green + red, so 2 network cards are needed in the machine on which Smoothwall will be installed.

Battle gear

1. Smoothwall CD, can be downloaded here

2. putty, can be downloaded here

3. WinSCP, can be downloaded here

4. advproxy, can be downloaded here

5. urlfilter, can be downloaded here

6. calamaris web proxy report, can be downloaded here

7. Coffee/tea and snacks, find them at your nearest shop :D

Action

After the Smoothwall ISO is downloaded, burn it to CD with your favourite burning program. putty, WinSCP, advproxy, urlfilter and calamaris can be kept on another computer that will later remote into Smoothwall, because these packages will be installed from the remote computer. Set the BIOS of the computer that will get Smoothwall to boot first from the CDROM, then insert the Smoothwall CD.

Initial Smoothwall installation screen: (screenshot not reproduced)

After pressing ENTER the following appears: (screenshot not reproduced)

Then (screenshot not reproduced)

Press OK, then press enter twice, so that the following appears... (screenshot not reproduced)

If you have installed Smoothwall before and saved a backup of its config to a floppy disk, then when the screen below appears insert the backup floppy and press yes.

If this is the first time installing Smoothwall, just press the No button. Then choose the keyboard mapping and enter the name of your Smoothwall (hostname). The next step is choosing the "security policy"; because our Smoothwall will later sit inside the "safe zone" of the MikroTik, we leave the security policy at open.

Then we get to the Smoothwall topology selection: choose green + red.

Then a confirmation screen appears for changing the network config: click OK, then run the probe to detect your network cards automatically.

Once all network cards are detected, we give them their IPs.

In my case the IPs for GREEN and RED are in the same subnet, so for example GREEN is given 192.168.10.2/255.255.255.0 (assuming the MikroTik network card facing Smoothwall is given IP 192.168.10.1) and RED is given IP 192.168.10.3/255.255.255.0, assigned statically.

Then ....

Enter the DNS and default gateway; for the default gateway enter the MikroTik IP facing Smoothwall (in my case 192.168.10.1). For DNS you can use the MikroTik IP, provided its "allow remote requests" option is ticked/selected, or you can use the DNS given by the ISP. Next the following screen appears... (screenshot not reproduced)

Because we will be using the advproxy addon and friends, for this section just click finished.

Enter the password you want for accessing Smoothwall through the web browser (user: admin).

Enter the password you want for accessing Smoothwall through the terminal (user: root).

Installation is finished; click OK to reboot. Now connect the MikroTik and Smoothwall to each other with a crossover network cable, and test by pinging from both sides to see whether there is a reply. Once both sides reply, it is time for.....

Configuring Smoothwall.....

From here on we can configure Smoothwall through the web browser by typing ip_smoothwall:81 in the browser, which brings up the following in your browser. (screenshot not reproduced)

Once in the Smoothwall configuration, go straight to the tab services-->remote access..

Tick ssh, then save... Next go to the tab maintenance --> updates to update Smoothwall so that any bugs can be patched through these updates..

If your internet connection has no problems, updates from the Smoothwall website will be listed. Keep in mind that every time you apply updates, the mods or addons we have installed must be uninstalled and installed again; otherwise the addons will not work as they should. After all updates are downloaded and installed, Smoothwall will ask for a reboot.. To check whether those updates have been installed, look at the same tab: besides the newest updates from the Smoothwall website (if there are new ones we have not yet installed) it also shows the updates we have installed.

Installing addons...

To install addons (after we have downloaded all the required addons) we need our battle gear: putty, to run the Smoothwall terminal remotely from another computer, and WinSCP, to move the addon files from the remote computer to the Smoothwall computer.

Installing advproxy

Use WinSCP to move the advproxy file to Smoothwall (usually placed in the /tmp folder). Log in via ssh as user root; on Windows you can use putty with ssh port 222. Uncompress advproxy:

tar -xzf swe3-nn-advproxy-version.tar.gz

Enter the directory produced by the uncompress and run:

./install

After the install finishes, enter Smoothwall through the browser; the services tab now has web-proxy. (screenshot not reproduced)

For the options to tick, see the picture above. For the proxy port you can use 8080 or 3128 (the standard ports for a web proxy; other ports are fine too, but for smoothness and safety it is better to use one of those two).

memory cache size (MB) = 8
Minimal object size (KB) = 0
Hardisk cache size (MB) = 10000 (the disk I use is an 80 GB SATA)
Maximum object size (KB) = 128000
memory replacement policy = heap GDSF
cache replacement policy = heap LFUDA

The other options are left at Smoothwall's defaults.

Create the file /var/smoothwall/proxy/store_url_rewrite.pl and fill it with:

#!/usr/bin/perl
# Squid storeurl_rewrite helper: maps URLs that differ only in session
# parameters onto one cache key, so a single cached copy serves every client.
$|=1;
while (<>) {
    @X = split;
    # With storeurl_rewrite_concurrency above 0 (as set in include.acl below),
    # squid prefixes each request line with a channel ID that must be echoed
    # back in front of the answer; the original script did not handle this.
    $id = "";
    if (@X > 1 && $X[0] =~ /^\d+$/) {
        $id = shift(@X) . " ";
    }
    $url = $X[0];
    $url =~ s@^http://(.*?)/get_video\?(.*)video_id=(.*?)&.*@squid://videos.youtube.INTERNAL/ID=$3@;
    $url =~ s@^http://(.*?)/get_video\?(.*)video_id=(.*?)$@squid://videos.youtube.INTERNAL/ID=$3@;
    $url =~ s@^http://(.*?)/videodownload\?(.*)docid=(.*?)$@squid://videos.google.INTERNAL/ID=$3@;
    $url =~ s@^http://(.*?)/videodownload\?(.*)docid=(.*?)&.*@squid://videos.google.INTERNAL/ID=$3@;
    # Photobucket: the original rules referenced capture group $3, which their
    # pattern never defined, so every album URL collapsed onto one empty key.
    # These patterns mirror the store_rewrite_list ACLs in include.acl and key
    # on the album path instead.
    $url =~ s@^http://i(.*?)\.photobucket\.com/albums/(.*?)/(.*?)/(.*?)\?.*@squid://images.photobucket.INTERNAL/ID=$2/$3/$4@;
    $url =~ s@^http://vid(.*?)\.photobucket\.com/albums/(.*?)/(.*?)\?.*@squid://videos.photobucket.INTERNAL/ID=$2/$3@;
    print "$id$url\n";
}

Make the file executable (chmod 755).

Edit the file /var/smoothwall/proxy/advanced/acls/include.acl and add this:

acl store_rewrite_list url_regex ^http://(.*?)/get_video\?
acl store_rewrite_list url_regex ^http://(.*?)/videodownload\?
acl store_rewrite_list url_regex ^http://i(.*?).photobucket.com/albums/(.*?)/(.*?)/(.*?)\?
acl store_rewrite_list url_regex ^http://vid(.*?).photobucket.com/albums/(.*?)/(.*?)\?

# The keywords for all youtube video files are "get_video?", "videodownload?" and "videoplayback?id"
# The "\.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)\?" is only for pictures and other videos
#acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback\?id) \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)\? \/ads\?
#acl store_rewrite_list_web url_regex ^http:\/\/([A-Za-z-]+[0-9]+)*\.[A-Za-z]*\.[A-Za-z]*
#acl store_rewrite_list_path urlpath_regex \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)$
#acl store_rewrite_list_web_CDN url_regex ^http:\/\/[a-z]+[0-9]\.google\.com doubleclick\.net

#add this line before cache deny
#acl QUERY2 urlpath_regex get_video\? videoplayback\? \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)\?
#cache allow QUERY2
#cache allow store_rewrite_list_web_CDN
#cache deny urls that contain cgi-bin and ?; this is the default for squid versions below 2.7
#acl QUERY urlpath_regex cgi-bin \?
#cache deny QUERY

#storeurl_access allow store_rewrite_list
#this is not related to youtube video, it is only for CDN pictures
#storeurl_access allow store_rewrite_list_web_CDN
#storeurl_access allow store_rewrite_list_web store_rewrite_list_path
#storeurl_access deny all
#rewrite_program path is based on windows, so use your own path
#storeurl_rewrite_program /var/smoothwall/proxy/google_cache.pl
#storeurl_rewrite_children 1
#storeurl_rewrite_concurrency 10

#http_access allow manager localhost
cache allow store_rewrite_list
cache allow all
storeurl_access allow store_rewrite_list
storeurl_access deny all
storeurl_rewrite_program /var/smoothwall/proxy/store_url_rewrite.pl
storeurl_rewrite_children 1
storeurl_rewrite_concurrency 10

acl file_terlarang url_regex -i hot_indonesia.exe
acl file_terlarang url_regex -i hotsurprise_id.exe
acl file_terlarang url_regex -i best-mp3-download.exe
acl file_terlarang url_regex -i R32.exe
acl file_terlarang url_regex -i rb32.exe
acl file_terlarang url_regex -i mp3.exe
acl file_terlarang url_regex -i HOTSEX.exe
acl file_terlarang url_regex -i Browser_Plugin.exe
acl file_terlarang url_regex -i DDialer.exe
acl file_terlarang url_regex -i od-teen
acl file_terlarang url_regex -i URLDownload.exe
acl file_terlarang url_regex -i od-stnd67.exe
acl file_terlarang url_regex -i Download_Plugin.exe
acl file_terlarang url_regex -i od-teen52.exe
acl file_terlarang url_regex -i malaysex
acl file_terlarang url_regex -i edita.html
acl file_terlarang url_regex -i info.exe
acl file_terlarang url_regex -i run.exe
acl file_terlarang url_regex -i Lovers2Go
acl file_terlarang url_regex -i GlobalDialer
acl file_terlarang url_regex -i WebDialer
acl file_terlarang url_regex -i britneynude
acl file_terlarang url_regex -i download.exe
acl file_terlarang url_regex -i backup.exe
acl file_terlarang url_regex -i GnoOS2003
acl file_terlarang url_regex -i wintrim.exe
acl file_terlarang url_regex -i MPREXE.EXE
acl file_terlarang url_regex -i exengd.EXE
acl file_terlarang url_regex -i xxxvideo.exe
acl file_terlarang url_regex -i Save.exe
acl file_terlarang url_regex -i ATLBROWSER.DLL
acl file_terlarang url_regex -i NawaL_rm
acl file_terlarang url_regex -i Socks32.dll
acl file_terlarang url_regex -i Sc32Lnch.exe
acl file_terlarang url_regex -i dat0.exe
http_access deny file_terlarang

#youtube's videos
refresh_pattern -i (get_video\?|videodownload\?|videoplayback\?) 161280 50000% 525948 override-expire ignore-reload
#and for pictures
refresh_pattern -i \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv)(\?|$) 161280 3000% 525948 override-expire reload-into-ims
refresh_pattern ^http://(.*?)/get_video\? 10080 90% 999999 override-expire ignore-no-cache ignore-private
refresh_pattern ^http://(.*?)/videodownload\? 10080 90% 999999 override-expire ignore-no-cache ignore-private
refresh_pattern ^http://i(.*?).photobucket.com/albums/(.*?)/(.*?)/(.*?)\? 43200 90% 999999 override-expire ignore-no-cache ignore-private
refresh_pattern ^http://vid(.*?).photobucket.com/albums/(.*?)/(.*?)\? 43200 90% 999999 override-expire ignore-no-cache ignore-private
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern -i \.(swf|png|jpg|jpeg|bmp|tiff|png|gif) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i \.(mov|mpg|mpeg|flv|avi|mp3|3gp|sis|wma) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i \.(zip|rar|tgz|bin|ace|bz|bz2|tar|gz|exe) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i (.*html$|.*htm|.*shtml|.*aspx|.*asp) 43200 90% 1440 reload-into-ims override-lastmod
refresh_pattern -i \.(class|css|js|gif|jpg)$ 10080 90% 43200 override-expire
refresh_pattern -i \.(jpe|tif)$ 10080 90% 43200 override-expire
refresh_pattern -i \.(mpe|wmv|wav|au|mid)$ 10080 90% 43200 override-expire
refresh_pattern -i \.(arj|lha|lzh)$ 10080 90% 43200 override-expire
refresh_pattern -i \.(hqx|pdf|rtf|doc|swf)$ 10080 90% 43200 override-expire
refresh_pattern -i \.(inc|cab|ad|txt|dll)$ 10080 90% 43200 override-expire
refresh_pattern -i \.(asp|acgi|pl|shtml|php3|php)$ 2 20% 4320 reload-into-ims
refresh_pattern ^http://*.google.*/.* 720 90% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*korea.*/.* 720 90% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.akamai.*/.* 720 90% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.windowsmedia.*/.* 720 90% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.googlesyndication.*/.* 720 90% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.plasa.*/.* 720 90% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.telkom.*/.* 720 90% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.friendster.com/.* 720 90% 10080 reload-into-ims override-lastmod
refresh_pattern ^http://*.facebook.com/.* 720 90% 10080 reload-into-ims override-lastmod
refresh_pattern ^http://*.blogspot.*/.* 720 90% 10080
refresh_pattern ^http://*.wikipedia.*/.* 720 90% 10080
refresh_pattern ^http://*.wordpress.*/.* 720 90% 10080
refresh_pattern ^http://*.bhinneka.*/.* 720 90% 10080
refresh_pattern ^http://*.okezone.*/.* 720 90% 10080
refresh_pattern ^http://*.multiplay.*/.* 720 90% 10080
refresh_pattern ^http://*.blogger.*/.* 720 90% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^ftp: 43200 90% 129600 reload-into-ims override-expire
refresh_pattern ^http://www.detiksport.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.kompas.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.detiknews.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.photobucket.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.detikhot.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.kapanlagi.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.okezone.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.indowebster.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.telkomspeedy.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.imagevenue.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.flickr.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.imageshack.us/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.usercash.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.googlesyndication.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.co.cc/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.21cineplex.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.saatchi-gallery.co.uk/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.onemanga.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.jobsdb.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.imeem.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.download.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.amazon.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.friendster-layouts.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.geocities.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.redtube.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.files.wordpress.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://indonetwork.co.id/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://gudanglagu.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://megaupload.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.karir.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.myspace.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.multiply.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.rapidshare.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.4shared.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.ziddu.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.kaskus.com/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.kaskus.us/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://www.friendster.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://mail.yahoo.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://login.yahoo.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://mail.yahoo.co.id/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://mail.google.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://*.yahoo.*/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://*.yahoo.com/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://*.yahoo.co.id/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://*.akamai.net/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://*.yimg.*/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://*.gmail.*/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^http://*.detik.*/.* 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern . 0 20% 4320

#zph options
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136

#other options
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 100
ie_refresh off
client_lifetime 2 hours
#ipcache_size 4096
#ipcache_low 90
#ipcache_high 95
maximum_object_size_in_memory 64 KB

From the browser go to the web proxy tab and click save and restart.

Installing Urlfilter

In the same way, move the downloaded urlfilter file to /tmp with WinSCP, then unpack it. Log in over ssh as root; on Windows you can use PuTTY with ssh port 222. Unpack urlfilter:

tar -xzf sw3-nn-urlfilter-version.tar.gz

Change into the extracted directory and run:

./install

Once the install finishes, open Smoothwall in the browser: under the Services tab there is now a URL filter option.

The blacklist can be updated there. After choosing every option you want filtered, save. To combine it with advproxy (at the very bottom of the web-proxy tab there is a URL filter option), tick it and click save and restart the web proxy.

Installing Calamaris web proxy reporting

In the same way, move the downloaded calamaris file to /tmp with WinSCP, then unpack it. Log in over ssh as root; on Windows you can use PuTTY with ssh port 222. Unpack calamaris:

tar -xzf sw3-nn-calamaris-version.tar.gz

Change into the extracted directory and run:

./install

After a successful install, the Logs tab (viewed in the browser) gains a Proxy report tab.

A little tuning... edit /etc/rc.d/rc.firewall.up and add:

# set network tweaks
echo 49152 > /proc/sys/fs/file-max
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max
echo 4096 87380 8388608 > /proc/sys/net/ipv4/tcp_rmem
echo 4096 65536 8388608 > /proc/sys/net/ipv4/tcp_wmem
echo 4096 4096 4096 > /proc/sys/net/ipv4/tcp_mem
echo 1 > /proc/sys/net/ipv4/tcp_low_latency
echo 4000 > /proc/sys/net/core/netdev_max_backlog
echo 1024 65000 > /proc/sys/net/ipv4/ip_local_port_range
echo 16384 > /proc/sys/net/ipv4/tcp_max_syn_backlog

Then reboot the Smoothwall box.

To test, enter the proxy manually in a client browser and try browsing.

Transparent proxy

Enter this rule in the Mikrotik terminal:

/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
    in-interface=LAN protocol=tcp src-address-list=LAN \
    to-addresses=192.168.10.2 to-ports=8080

This is so that clients do not have to enter the proxy port in their browser manually (transparent): all HTTP traffic (port 80) is forced by dst-nat to the Smoothwall IP (192.168.10.2 is the Smoothwall IP; adjust it to your network).

Load Balancing Two Speedy DSL Lines on One Router

Friday, 7 September 2007 / 24 Sha'ban 1428 AH

Many friends, especially internet cafe operators and school, campus and corporate network admins, ask about load balancing two or more internet connections. Practical recipes are easy to find on the internet, but many people struggle when integrating them. The main cause is a weak grasp of networking concepts at layer 2 and layer 3 of TCP/IP. Dual connections, or multihoming, are usually implemented with BGP, an ISP-class routing protocol rather than something tinkered with in an internet cafe or a small network.

Here are some basic concepts that often cause confusion:

1. Unicast
Most internet traffic is TCP, a conversation between two hosts on the internet (in practice client-server: your browser is the client and Google is the server). The traffic is two-way: the client initiates the connection, the server answers the initiation, and a TCP session is established (SYN and ACK).

2. Destination address
In an IP network we have routers, each an intersection between one network address and another. The further you get from the user, the more intersections there are, and the routers direct all of that traffic. If a router is an intersection, the road signs are its routing table. The road sign, or routing table, ignores "where did you come from" and only asks "where are you going", then points you down the right road. That is why installing a route needs only two parameters: a network address and a gateway.

3. Source address
The source address is our IP address when we open a connection. On the way to the internet the packet passes the ISP's routers, the upstream provider, the internet backbone and so on until it reaches its destination (SYN). The server then answers the connection (ACK) along the reverse path back to our computer. If the server answers but something is broken on the way back to our network (or our ISP), our computer sees no connection at all. It looks like a total outage, even though most likely only one direction is broken.

4. Default gateway
When a router has several interfaces (like an intersection with three, four or five branches) the routing table grows automatically, but there can be only one default route or default gateway. Its job is to direct packets to network addresses that are not in the routing table (network address 0.0.0.0/0).

5. Two connections
The usual problem appears here, when a router has two connections to the internet (to the same ISP or different ones). The router can still have only one default gateway; if a second is added, only one of them does any work. So if your NAT router is connected to ISP A through interface A and gateway A, and to ISP B through interface B and gateway B, with the default gateway pointing at ISP A, then downlink traffic will only ever arrive from ISP A. The same applies the other way round if the default gateway points at ISP B.

How do we solve this? The main concept is source-address routing. With source-address routing it is as if a policeman stops you at the intersection and asks "where are you from?", then shows you the right road.

On a NAT router (and routers in general) the source address is not read or considered by default. So in the case above, because the default gateway points at ISP A, NAT forwards every packet as if it left from the IP address of interface A (which automatically brings the downlink from ISP A back to interface A, from where it is forwarded to the internal network).

In larger networks (not NAT), a source address passing through another network is called transit (handled by the ISP with BGP). A practical example: you buy bandwidth that comes down from a satellite over DVB, but your uplink uses a terrestrial path (dial-up, leased line or fixed wireless). Here the connection-initiating packets must carry the source address of the DVB downlink network, so that the downlink bandwidth from the internet is directed to the DVB receiver rather than to the terrestrial link.

On Linux, source-address handling is done by iproute2. Iproute2 acts before the packet is handed to the routing table. For example, we can arrange two internal LAN segments so that one segment uses source address A and the other source address B, so that both ISP connections are used at the same time.

Using two connections this way follows one of three concepts: round-robin, load balance or failover.

6. Round-robin
Suppose you have three internet connections on one NAT router; call the first Batman, the second Baskin and the third Williams. In round-robin, Robin always moves from one source address to the next in order (not at random). Say one TCP session is opened from a computer on the internal network: that TCP connection stays on the first source address until the session ends (becoming Batman & Robin). If, while the Batman & Robin session is still open, a new connection request comes from the network, Robin takes the next connection's source address, becoming Baskin & Robin. And so on: Robin keeps going round every connection without caring whether any of them is full.

You are probably dizzy from reading that paragraph, or laughing out loud.

7. Load balance
Load balancing resembles round-robin above, except that Robin is forced to look at the utilisation of the three connections. If Batman & Robin and Baskin & Robin are both full, the emptier connection is chosen and the next connection becomes Robin Williams. For the following request Robin again has to look at current utilisation first to decide whether to become Batman & Robin, Baskin & Robin or Robin Williams, so that utilisation of all connections stays balanced.

8. Failover
Failover can be described as automatic backup. Suppose the largest link is Batman and the Baskin link is smaller. Both connections are online, but traffic stays on the single Batman & Robin link, so when the Batman link goes down the connection moves automatically to the Baskin link, becoming Baskin & Robin, until Batman comes back up.

*having some Haagen-Dazs ice cream first*

A NAT tool that has all three features is Packet Filter (PF) on BSD, where they are called a nat pool. I have not yet found a good (and reasonably easy) implementation on Linux with iproute2.

*The long explanation above was only the welcome speech, folks...*

Here is an example implementation of load balancing over two connections, as the title says. It runs on an OpenBSD machine as a NAT router with two Telkom DSL connections on ethernet interfaces sk0 and sk1.

1. Enable forwarding in /etc/sysctl.conf

net.inet.ip.forwarding=1

2. Make sure the interface configuration and default route are empty; the files exist but contain only their names:

# /etc/hosts.sk0
# /etc/hosts.sk1
# /etc/hostname.sk0
# /etc/hostname.sk1
# /etc/mygate

Speedy DSL connection script, pppoe0 for the first connection and pppoe1 for the second. Adjust the interfaces, usernames and passwords. Do not forget to indent with tabs.

# /etc/ppp/ppp.conf
default:
	set log Phase Chat LCP IPCP CCP tun command
	set redial 15 0
	set reconnect 15 10000
pppoe0:
	set device "!/usr/sbin/pppoe -i sk0"
	disable acfcomp protocomp
	deny acfcomp
	set mtu max 1492
	set mru max 1492
	set crtscts off
	set speed sync
	enable lqr
	set lqrperiod 5
	set cd 5
	set dial
	set login
	set timeout 0
	set authname [email protected]
	set authkey asaljangandejek
	add! default HISADDR
	enable dns
	enable mssfixup
pppoe1:
	set device "!/usr/sbin/pppoe -i sk1"
	disable acfcomp protocomp
	deny acfcomp
	set mtu max 1492
	set mru max 1492
	set crtscts off
	set speed sync
	enable lqr
	set lqrperiod 5
	set cd 5
	set dial
	set login
	set timeout 0
	set authname [email protected]
	set authkey vikingboneksamasaja
	add! default HISADDR
	enable dns
	enable mssfixup

3. Bring up interfaces sk0 and sk1

# ifconfig sk0 up
# ifconfig sk1 up

4. Start PPPoE, Point to Point Protocol over Ethernet.

# ppp -ddial pppoe0
# ppp -ddial pppoe1

5. If the Speedy connections come up, the IP addresses from Speedy are bound to the tunnel interfaces tun0 and tun1

# ifconfig
tun0: flags=8051 mtu 1492
	groups: tun egress
	inet 125.xxx.xxx.113 --> 125.163.72.1 netmask 0xffffffff
tun1: flags=8051 mtu 1492
	groups: tun
	inet 125.xxx.xxx.114 --> 125.163.72.1 netmask 0xffffffff

6. And the default gateway becomes active

# netstat -nr | more
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Interface
default            125.163.72.1       UGS        7    17529     -  tun0

7. The DNS resolver configuration is filled in as well

# cat /etc/resolv.conf
lookup file bind
nameserver 202.134.2.5
nameserver 203.130.196.5

8. Enable Packet Filter pf

# /etc/rc.conf
pf="YES"

9. Packet Filter script for NAT and balancing with round-robin (replace round-robin with loadbalance if that suits your needs better). Indented lines are continuations of the line above. For some reason the <pre> tag swallowed the backslash (\) characters.

# /etc/pf.conf
lan_net = "10.0.0.0/8"
int_if = "vr0"
ext_if1 = "tun0"
ext_if2 = "tun1"
ext_gw1 = "125.163.72.1"
ext_gw2 = "125.163.72.1"

# scrub all
scrub in all

# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
	{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
	proto tcp from $lan_net to any flags S/SA modulate state

# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
	{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
	proto { udp, icmp } from $lan_net to any keep state

# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

10. Put the required commands in /etc/rc.local so everything starts on every reboot.

ifconfig sk0 up
ifconfig sk1 up
# bring up speedy
ppp -ddial pppoe0
ppp -ddial pppoe1

PF starts immediately and reads /etc/pf.conf. If you have to restart the Speedy DSL connections, make sure ppp is stopped first:

# pkill ppp

Otherwise ppp will create new tunnels tun2, tun3 and so on.

11. To check whether the round-robin nat pool above is working, you can use the pftop tool from http://www.eee.metu.edu.tr/~canacar/pftop/

If you also optimise the network with a proxy such as Squid, do not install Squid on the NAT router itself: when Squid fetches web pages from the internet, PF does not treat that as a NAT connection, so it is not balanced and stays on the primary interface with the first default gateway. Keep the proxy/Squid machine behind the NAT router, so that its connections to the internet become NAT traffic that the PF script above balances.

Separating Local and International Bandwidth Using Mikrotik

Written by [email protected] http://www.datautama.net.id, Wednesday, 08 November 2006

Version 3

Changes from the previous version:

1. Mangle is now based on an address-list
2. Separation of Indonesian and overseas traffic is more accurate

The growth of local internet content in Indonesia has opened new business opportunities in the Indonesian internet industry. Many Internet Service Providers (ISPs) now offer packages with far more local (IIX) bandwidth than international bandwidth, and more and more RT/RW-net operators are able to offer affordable internet access to their neighbourhoods.

A common problem on RT/RW-net networks is bandwidth management. Operators usually struggle to separate local traffic from international traffic because RT/RW-net networks only use static routing, unlike ISPs, which build more complex networks with the BGP routing protocol and can therefore separate local and international traffic easily.

To separate local from international traffic, an RT/RW-net can simply use a PC router running the Mikrotik operating system. Mikrotik is in fact Linux, packaged by its developers so that it is very easy to install and configure, with a great many features and functions. For more on Mikrotik see its website at http://www.mikrotik.com or http://www.mikrotik.co.id

Here is the network scenario with Mikrotik as the router:

Figure 1. Network scenario

Explanation:

1. The Mikrotik router has two Network Interface Cards (NICs), Ether1 and Ether3, where Ether1 connects directly to the ISP and Ether3 connects directly to the 192.168.2.0/24 network
2. The bandwidth from the ISP is, say, 256Kbps international and 1024Kbps local IIX
3. Computer 192.168.2.4 will be allocated 128Kbps international and 256Kbps local IIX

To separate local IIX traffic from international traffic, the packets going to or coming from the local IIX network are marked with mangle. The question is: how can Mikrotik know that a packet is going to or coming from the local IIX network?

The answer is to take the data from http://lg.mohonmaaf.com

Because http://lg.mohonmaaf.com is no longer active, the data can be taken from:

http://203.89.24.3/cgi-bin/lg.cgi

Choose Query, tick BGP and click Submit

Figure 2. Result of the http://lg.mohonmaaf.com query for the command "show ip bgp"

http://lg.mohonmaaf.com is a looking glass for the local network, run by PT. IDC; thanks to Mr. Johar Alam for providing the service.

Save the query result as a text file so it can be processed in a spreadsheet such as MS Excel, to obtain every network address advertised by the BGP routers of Indonesian ISPs to the IDC BGP router, or National Inter Connection Exchange (NICE).

In version 2 of this document I entered the list of IP blocks directly into /ip firewall mangle; with that technique the list obtained from the NICE router had to be entered into /ip firewall mangle twice.

A better way is to put the list of IP blocks from the NICE router into /ip firewall address-list. Then /ip firewall mangle needs only a few lines, and the separation of Indonesian and overseas traffic is more accurate because mangle can match on the address-list alone.

In more detail:

Next, create the following script to be imported into the Mikrotik router

/ ip firewall address-list
add list=nice address=58.65.240.0/23 comment="" disabled=no
add list=nice address=58.65.242.0/23 comment="" disabled=no
add list=nice address=58.65.244.0/23 comment="" disabled=no
add list=nice address=58.65.246.0/23 comment="" disabled=no
add list=nice address=58.145.174.0/24 comment="" disabled=no
add list=nice address=58.147.184.0/24 comment="" disabled=no
add list=nice address=58.147.185.0/24 comment="" disabled=no
dst…

The script above can be obtained from the following URL:

http://www.datautama.net.id/harijanto/mikrotik/datautama-nice.php

That URL queries the NICE router at http://lg.mohonmaaf.com online.

NOTE:

Because lg.mohonmaaf.com cannot be reached, the list of local IPs can be taken from

http://ixp.mikrotik.co.id/download/nice.rsc

or from

http://www.datautama.net.id/harijanto/mikrotik/datautama-nice.php

whose data comes from the DatautamaNet looking glass.

Copy the output of the URL above and paste it into Mikrotik over ssh with putty.exe: after copying the text produced by the URL, right-click in the PuTTY ssh window that is remoting the Mikrotik. This is somewhat awkward, but turning the script into a .rsc file turns out to be a problem because some of the IP blocks overlap, for example:

\... add address=222.124.64.0/23 list="nice"
[datautama@router-01-jkt] > /ip firewall address-list \
\... add address=222.124.64.0/21 list="nice"
address ranges may not overlap

Here 222.124.64.0/21 is a supernet of 222.124.64.0/23, meaning the two blocks overlap, so importing from a .rsc file always stops when it runs into this situation.

So far I have not found a practical way around this. If only we could build the address-list from the BGP prefix table running on Mikrotik itself, we would get a much cleaner address-list.
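One practical way around the "address ranges may not overlap" import failure is to drop every prefix that is already covered by a supernet before writing the .rsc file. The script below is an added example, not part of the original article or the datautama-nice.php tool; the sample lines it parses are constructed from the blocks quoted above, and the function names are my own.

```python
"""Remove prefixes covered by a supernet from a RouterOS address-list script.

Added example (not the article's own code). It reads lines of the form
    add list=nice address=58.65.240.0/23 comment="" disabled=no
and emits the same list with every prefix that lies inside another prefix
removed, so that '/import' no longer stops on "address ranges may not overlap".
"""
import ipaddress
import re

# Matches the address=A.B.C.D/len field on an 'add' line.
ADDR_RE = re.compile(r"address=(\d+\.\d+\.\d+\.\d+/\d+)")

# Constructed sample input, modelled on the blocks quoted in the article:
# 222.124.64.0/23 and 222.124.66.0/24 both lie inside 222.124.64.0/21.
SAMPLE_SCRIPT = """/ ip firewall address-list
add list=nice address=58.65.240.0/23 comment="" disabled=no
add list=nice address=222.124.64.0/23 comment="" disabled=no
add list=nice address=58.65.242.0/23 comment="" disabled=no
add list=nice address=222.124.64.0/21 comment="" disabled=no
add list=nice address=222.124.66.0/24 comment="" disabled=no
"""


def parse_prefixes(script_text):
    """Extract the IPv4 prefixes from an address-list script."""
    prefixes = []
    for line in script_text.splitlines():
        match = ADDR_RE.search(line)
        if match:
            # strict=False tolerates host bits being set in a sloppy export.
            prefixes.append(ipaddress.ip_network(match.group(1), strict=False))
    return prefixes


def drop_covered(prefixes):
    """Return the prefixes with every one that is inside another removed.

    Sorting by (network address, prefix length) puts a covering supernet
    before every prefix it covers, and two prefixes either nest or are
    disjoint, so remembering only the most recent kept prefix is enough to
    decide whether the next candidate is redundant.
    """
    kept = []
    current = None
    ordered = sorted(set(prefixes),
                     key=lambda n: (int(n.network_address), n.prefixlen))
    for net in ordered:
        if current is not None and net.subnet_of(current):
            continue          # already covered: importing it would fail
        kept.append(net)
        current = net
    return kept


def to_rsc(prefixes, list_name="nice"):
    """Render prefixes back into RouterOS address-list commands."""
    lines = ["/ip firewall address-list"]
    for net in prefixes:
        lines.append(f"add list={list_name} address={net.with_prefixlen}")
    return "\n".join(lines) + "\n"


def clean_script(script_text, list_name="nice"):
    """Parse, de-overlap and re-render an address-list script."""
    return to_rsc(drop_covered(parse_prefixes(script_text)), list_name)


if __name__ == "__main__":
    print(clean_script(SAMPLE_SCRIPT), end="")
```

Run it over the full nice.rsc and import the result; only the widest block of each overlapping family survives, which matches the same packets as the original list did.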

Next, /ip firewall mangle needs the following configuration:

/ ip firewall mangle
add chain=forward src-address-list=nice action=mark-connection \
    new-connection-mark=mark-con-indonesia passthrough=yes \
    comment="mark all indonesia source connection traffic" disabled=no
add chain=forward dst-address-list=nice action=mark-connection \
    new-connection-mark=mark-con-indonesia passthrough=yes \
    comment="mark all indonesia destination connection traffic" disabled=no
add chain=forward src-address-list=!nice action=mark-connection \
    new-connection-mark=mark-con-overseas passthrough=yes \
    comment="mark all overseas source connection traffic" disabled=no
add chain=forward dst-address-list=!nice action=mark-connection \
    new-connection-mark=mark-con-overseas passthrough=yes \
    comment="mark all overseas destination connection traffic" disabled=no
add chain=prerouting connection-mark=mark-con-indonesia action=mark-packet \
    new-packet-mark=indonesia passthrough=yes \
    comment="mark all indonesia traffic" disabled=no
add chain=prerouting connection-mark=mark-con-overseas action=mark-packet \
    new-packet-mark=overseas passthrough=yes \
    comment="mark all overseas traffic" disabled=no

The next step is to manage bandwidth with a simple queue. To give the computer with IP 192.168.2.4 128Kbps international and 256Kbps local IIX bandwidth, use a script like this:

/ queue simple
add name="harijant-indonesia" target-addresses=192.168.2.4/32 \
    dst-address=0.0.0.0/0 interface=all parent=none packet-marks=indonesia \
    direction=both priority=8 queue=default/default limit-at=0/0 \
    max-limit=256000/256000 total-queue=default disabled=no
add name="harijanto-overseas" target-addresses=192.168.2.4/32 \
    dst-address=0.0.0.0/0 interface=all parent=none packet-marks=overseas \
    direction=both priority=8 queue=default/default limit-at=0/0 \
    max-limit=128000/128000 total-queue=default disabled=no

The script above means that only the computer with IP 192.168.2.4 is limited to 128Kbps international (overseas) and 256Kbps local IIX (indonesia); the others are not limited.

The result of the script is:

Figure 3. Simple queue for computer 192.168.2.4

So computer 192.168.2.4 can only download or upload at 128Kbps for international and 256Kbps for local IIX.

It can be tested with a bandwidth meter:

Figure 4. Bandwidth meter result from computer 192.168.2.4 to a local ISP

Figure 5. Bandwidth meter result to an international ISP

This shows that Mikrotik has managed international and local IIX bandwidth usage on computer 192.168.2.4 as intended.

In this version 3 the mangle of "overseas" traffic is more accurate because it uses the address-list: src-address=!nice means source address "not nice" and dst-address=!nice means destination address "not nice".

As a result, "overseas" traffic can no longer be misidentified. In version 2, "overseas" traffic could be misidentified because it was defined as:

add connection-mark=mark-con-indonesia action=mark-packet new-packet-mark=indonesia chain=prerouting comment="mark indonesia"
add packet-mark=!indonesia action=mark-packet new-packet-mark=overseas chain=prerouting comment="mark all overseas traffic"

packet-mark=!indonesia means "packet mark is not an Indonesian packet", but "not an Indonesian packet" may be any other packet marked by an earlier rule, which can lead to misidentification.

The technique above has been tested on a Mikrotik router running NAT; if the Mikrotik router is not running NAT, try changing chain=prerouting to chain=forward.

For more on bandwidth management in Mikrotik, see the Mikrotik manual, which can be downloaded from

http://www.mikrotik.com/docs/ros/2.9/RouterOS_Reference_Manual_v2.9.pdf

The script above can be used on Mikrotik version 2.9.27; earlier versions may have different commands.

Simple Load Balancing with Mikrotik

Source: abdi_wae http://opensource.telkomspeedy.com/forum/viewtopic.php?pid=17386

maybe just load balance it, sir, to keep it simple:

modem1 --- +--- eth0
           |        mikrotik --- eth2 LAN
modem2 --- +--- eth1

the manual is here: http://www.mikrotik.com/testdocs/ros/2.9/ip/route.php

Load Balancing over Multiple Gateways

The typical situation: you have one router and want to connect it to two ISPs.

Of course, you want to do load balancing! There are several ways to do it; depending on your particular situation, you may find one best suited to you.

Policy Routing Based on Client IP Address

If you have a number of hosts, you may group them by IP address. Then, depending on the source IP address, send the traffic out through Gateway #1 or #2. This approach does not give you perfect load balancing, but it is easy to implement and gives you some control too.

Let us assume our workstations use IP addresses from the network 192.168.100.0/24. The IP addresses are assigned as follows:

• 192.168.100.1-127 are used for Group A workstations
• 192.168.100.128-253 are used for Group B workstations
• 192.168.100.254 is used for the router.

All workstations are configured with an IP address from the relevant group, network mask 255.255.255.0, and 192.168.100.254 as their default gateway. We will talk about DNS servers later.

Now that the workstations are divided into groups, we can refer to them with subnet addressing:

• Group A is 192.168.100.0/25, i.e., addresses 192.168.100.0-127
• Group B is 192.168.100.128/25, i.e., addresses 192.168.100.128-255

If you do not understand this, take the TCP/IP Basics course, or look for some resources about subnetting on the Internet!

We need to add two IP Firewall Mangle rules to mark the packets originating from Group A or Group B workstations.

For Group A, specify

• Chain prerouting and Src. Address 192.168.100.0/25
• Action mark routing and New Routing Mark GroupA.


It is a good practice to add a comment as well. Your mangle rules might be interesting for someone else and for yourself as well after some time.

For Group B, specify

• Chain prerouting and Src. Address 192.168.100.128/25
• Action mark routing and New Routing Mark GroupB

All IP traffic coming from workstations is marked with the routing marks GroupA or GroupB. We can use these marks in the routing table.

Next, we should specify two default routes (destination 0.0.0.0/0) with the appropriate routing marks and gateways:

This is not going to work unless you do masquerading for your LAN! The simplest way is to add one NAT rule with Src. Address 192.168.100.0/24 and Action masquerade:

Test the setup by tracing the route to some IP address on the Internet!

From a workstation of Group A, it should go like this:

C:\>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     2 ms     2 ms     2 ms  192.168.100.254
  2    10 ms     4 ms     3 ms  10.1.0.1
...

From a workstation of Group B, it should go like this:

C:\>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     2 ms     2 ms     2 ms  192.168.100.254
  2    10 ms     4 ms     3 ms  10.5.8.1
...

You can specify the DNS server for workstations quite freely,

Load Balancing and Fail Over [Group] on Mikrotik

Written on Aug-19-08 3:08pm (8:08 GMT). From: mellasaeblog.blogspot.com

April 27th, 2008 by admin

Load Balancing and Fail Over [Group]

2 Speedy lines [or more]

Below, the load balancing and failover techniques on a Mikrotik router are discussed.

The tutorial can be downloaded here

Suppose we have addresses like this:

The first modem's IP is 192.168.110.1 on interface "Wanatas" and the second modem's IP is 192.168.120.1 on interface "Wantengah", while the "LAN" IP is 172.10.12.1.

Before we move on to configuring load balancing, we first arrange the IP blocks that will be grouped.

Go to IP >> Firewall

Choose the Address Lists tab and click Add

As in the example above, I created groups A and B.

Below is the dialog shown when the Add button is clicked; fill in Name with the name of your first group, and so on.

Once the IP blocks have been assigned to groups, we continue to the next part:

Mangle configuration

Stay in the Firewall window but switch to the Mangle tab that I circled in red, then click the Add button circled in blue.

A window like the one below appears:

Set Chain to prerouting, then open the Advanced tab.

Choose Src. Address List; if the combo box is not visible, click the arrow beside the Src. Address List text box until it points downwards.

Then choose group A (and later group B for the second rule). Once the group is chosen, switch to the Action tab.

On the Action tab a window like the one below appears:

Set the action to mark routing and fill in New Routing Mark with the name of the IP group; above, I named it mrA.

NOTE: for the group B mangle rule, repeat the steps above with a different name and choose the other group ^^

OK, done ......

On to the Routing part.

Go to the menu IP >> Route: the Route List window appears.

Click Add, and the window below appears:

Fill in the gateway with the first modem's IP, 192.168.110.1. For failover, set Check Gateway to ping and Routing Mark to mrA for Group A; do the same later when adding the gateway for group B. When you press Apply, make sure the interface really points to WANatas, the first modem, and likewise for group B.

For both gateways to work smoothly, gateway priority must also be added.

How: the same as adding a gateway above, except that we enter more than one gateway in one entry, as in the picture below:

To add more than one gateway, click the down arrow beside the Gateway text box. After pressing Apply, make sure the interfaces are correct and in the same order as the gateways entered.

Then press OK.

Back in the Route List, check: if one entry is shown in blue, the link of that modem has a problem or is not connected to the Internet. Check the Internet path to that modem again.

Ok

That is all from me on Mikrotik load balancing.

Good luck

Syamsy (Samson RtRwNet)[Jaylangkung.com]

[email protected]

Setting Up MIKROTIK for SDSL SPEEDY – BANDWIDTH MANAGEMENT

First, let me draw the network layout:

LAN —> Mikrotik RouterOS —> ADSL Modem —> INTERNET

For the LAN we use a class C network, 192.168.0.0/24. The Mikrotik RouterOS needs two ethernet cards: one (ether1 – 192.168.1.2/24) towards the ADSL modem and one (ether2 – 192.168.0.1/24) towards the LAN. The ADSL modem's IP is set to 192.168.1.1/24.


Before typing anything, make sure you are at the root menu by typing “/”

Set the IP address of each Ethernet card

ip address add address=192.168.1.2/24 interface=ether1

ip address add address=192.168.0.1/24 interface=ether2

To display the result of the commands above, type:

ip address print

Then test by pinging the gateway or a computer on the LAN. If the pings succeed, your IP configuration is correct.

ping 192.168.1.1

ping 192.168.0.10

Adding the route

ip route add gateway=192.168.1.1

Setting up DNS

ip dns set primary-dns=202.134.1.10 allow-remote-requests=yes

ip dns set secondary-dns=202.134.0.155 allow-remote-requests=yes

Since this connection uses Telkom's Speedy, the DNS servers I use are Telkom's. Adjust them to your provider's DNS.

Then try pinging yahoo.com, for example:

ping yahoo.com

If it succeeds, the DNS settings are correct.

Source NAT (Network Address Translation) / Masquerading

So that every computer on the LAN can reach the Internet as well, you need to add NAT (masquerade) on the MikroTik.

ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

Now try pinging yahoo.com from a computer on the LAN

ping yahoo.com

If it succeeds, the masquerade setting is correct.


DHCP (Dynamic Host Configuration Protocol)

For convenience, my friend wanted a DHCP server, so that a client that connects doesn't have to set its IP manually: it simply obtains one from the DHCP server and is done. Luckily MikroTik has a DHCP server feature too, so that's no problem.

Creating the IP address pool

ip pool add name=dhcp-pool ranges=192.168.0.2-192.168.0.254

Adding the DHCP network

ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=202.134.1.10,202.134.0.155

Adding the DHCP server

ip dhcp-server add name=DHCP_LAN disabled=no interface=ether2 address-pool=dhcp-pool

Now test from a client computer by requesting an IP address from the DHCP server. If it works, once again the settings are correct.

Bandwidth Control

So that the client computers on the LAN do not fight over bandwidth, we need what is called bandwidth management or bandwidth control.

The model I use is queue trees. For a fuller explanation of what that is, see the MikroTik site.

The situation is as follows:

The Speedy connection is said to be 384/64 Kbps (download/upload), but that is very rarely reached, so we need an average estimate. I take the minimum download as about 300 Kbps and allocate 50 Kbps for upload. For the maximum, download is about 380 Kbps and upload 60 Kbps.

There are currently 10 client computers, so that bandwidth has to be prepared for sharing among those 10 clients.

The calculation for each client is:

Minimum Download: 300 / 10 * 1024 = 30720 bps

Maximum Download: 380 / 10 * 1024 = 38912 bps

Minimum Upload: 50 / 10 * 1024 = 5120 bps

Maximum Upload: 60 / 10 * 1024 = 6144 bps

Now we start the configuration:


Mark all packets originating from the LAN

ip firewall mangle add src-address=192.168.0.0/24 action=mark-connection new-connection-mark=Clients-con chain=prerouting

ip firewall mangle add connection-mark=Clients-con action=mark-packet new-packet-mark=Clients chain=prerouting

Add the rules that limit download and upload speed

queue tree add name=Clients-Download parent=ether2 packet-mark=Clients limit-at=30720 max-limit=38912

queue tree add name=Clients-Upload parent=ether1 packet-mark=Clients limit-at=5120 max-limit=6144

Now test by downloading from several clients; each client should now share the bandwidth. If fewer than 10 clients are online, the idle bandwidth is shared among the clients that are online.

Graphing

MikroTik also comes with traffic monitoring like a regular MRTG, so we can see how much traffic passes through our MikroTik PC.

tool graphing set store-every=5min

Next we monitor the packets passing through all interfaces on the MikroTik PC; on my machine those are ether1 and ether2.

tool graphing interface add-interface=all store-on-disk=yes

Now point your browser at the MikroTik router's IP. For me that is:

http://192.168.0.1/graphs/

You will see a list of the interfaces on your router. Click one to see the graph of the traffic passing through that interface.

From the tutorial above I only went as far as the step of adding NAT (masquerade), because with DHCP the addresses change, so when limiting bandwidth the IP is sometimes not the same. CMIIW. For the limit settings I did it through remote Winbox, which is easier. Now a question for myself: when are you going to install the graphing tool, kid? hehehe… ok, I hope this is useful to everyone.

How to remote into our MikroTik server from that public IP using Winbox from an outside network.

The first step is to smile, joke around with your friends, laugh out loud, and finally shout 100 times at the top of your voice “THIS IS SO EASYYYYYYY” hehehehe


Now we'll write down how to remote into the MikroTik server from outside. It is quite easy: the idea is to forward from the public IP to our MikroTik server at home, so what has to be configured is the modem.

Internet -> Modem -> Mikrotik -> HUB/switch -> Client

Here we'll use a Sanex modem, since this has been tried on 3 different modems and all of them worked.. hehehe,

1. Open the modem's page in a browser,

2. Go to Device Info -> WAN


Here you will find the public IP you were given by Speedy; write it down in Notepad, or just remember it.

3. Then choose Advanced Setup -> NAT -> Virtual Server -> Add

4. Fill in on the modem:


Custom Server: miketek (or any name you like)

Server IP Address: the IP address of the LAN card, on the PC running MikroTik, that faces the modem

External Port Start: 80, External Port End: 8291, Protocol: TCP/UDP (both), then Save/Apply


5. Reboot your modem.. Done! Easy, isn't it???…. hehehehehehehee….


Now take your trusty Winbox outside your network and log in using the public IP we noted earlier.

taraaaaaaaaaaaaa……… you're in, right??? We can remote in from far away.. go wherever you like and the server is still safe.. hehehehe

Port Forwarding with a Speedy-branded Sanex Modem (Remote MikroTik Behind the Modem)

hmmm…. honestly I didn't intend this topic to be my first post. But since a friend of mine asked for it and is pressing for it tonight…. here it is.

Ok, straight to the problem….

In this topic we will remote into a MikroTik that sits behind a modem (routing mode). For this case we use a Speedy-branded Sanex modem.

Speedy-branded Sanex modem

To use the Sanex modem for the first time, the computer we use to access it must be set to “obtain an IP address automatically”


then just access the modem….

here I assume we can already access the modem… to change its IP to a static one, go to the LAN menu => enter the desired IP and netmask (for example 192.168.1.1/24) => click “Apply Changes” => click “Commit/Reboot”


Wait a moment before accessing the modem again… and note: don't forget to change your computer's IP address, because the modem was set to DHCP by default!!!

Ok, now go straight to the menu Advanced => Virtual Server.

To add a server to be forwarded, click Add

as I confirmed above, we are remoting a MikroTik that sits behind the modem (routing mode)

you were told to click Add, right??? now fill it in,

For example:

Custom Service : Mikrotik

Protocol : TCP/UDP

WAN Port : 8291 (the modem port opened for connections from outside/the Internet)

Server Host Port : 8291 (the MikroTik port we will remote to; note: port 8291 is used by Winbox)

Server IP Address : 192.168.1.2 (the IP the MikroTik uses for its connection to the modem)

Klik “OK”


Click “Commit/Reboot” to finish the settings….

Click Reboot to restart the modem.

Done.

The next step is to test the result by remoting into the MikroTik from outside the network.

Run Winbox… if you don't have it, download it from your router or from here

Enter the modem's public IP, fill in the username with a user that exists on the MikroTik, and the password.


Click Connect…… tada….. Success, boss….

MikroTik Firewall Setup

To protect the MikroTik router from virus traffic and excess pings, the following firewall script can be used. First create an address-list for your network ("network anda") containing the radio IP, LAN IP and WAN IP, or any other IP addresses that can be trusted.

In the following example your wireless IP is 10.17.17.0/16, the LAN IP is 192.168.17.0/24, the WAN IP is 202.159.155.0/24, and the IP of another trusted zone, if you are remoting in from an outside network, is 202.154.42.10/24

To create the address-list you can use a script like the one below; just adjust it to your network configuration.

Write the following script in Notepad, then copy-paste it into your MikroTik terminal

/ ip firewall address-list
# NOTE: the first address below is printed with five octets in the source and will not parse;
# replace it with your real WAN network (the text above names 202.159.155.0/24)
add list=ournetwork address=202.159.48.155.0/21 comment="CentroTECH Network" disabled=no
add list=ournetwork address=10.17.17.0/16 comment="IP Wireless" disabled=no
add list=ournetwork address=192.168.17.0/24 comment="LAN Network" disabled=no
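Scripts of this length are easier to check offline than on a live router. The Python below is an added example (mine, not the tutorial's and not a RouterOS tool): it parses the one-command-per-line form of the address-list above and of the filter script that follows, reports the defects visible in the page's version (the five-octet address that cannot parse, a `src-address-list=network anda` that no address-list entry creates, a port-2745 rule added twice) and then walks constructed packets through the `input` and `forward` chains the way RouterOS evaluates them: the first matching terminal action wins, `log` is non-terminal, and a `jump` into the `virus` chain falls back to the caller when nothing there matches. `SAMPLE` is a constructed excerpt of the page's rules, and the hosts 192.168.17.5 and 203.0.113.7 are made up for the probes (the latter from the documentation range).

```python
# Offline lint and dry-run for RouterOS firewall scripts (added example, not from the tutorial;
# SAMPLE is a constructed excerpt of the page's rules and 203.0.113.x a documentation-range address).
import ipaddress
import shlex
from collections import Counter
from dataclasses import dataclass

SAMPLE = """\
/ ip firewall address-list
add list=ournetwork address=10.17.17.0/16 comment="IP Wireless" disabled=no
add list=ournetwork address=192.168.17.0/24 comment="LAN Network" disabled=no
add list=ournetwork address=202.159.48.155.0/21 comment="as printed on the page"
/ ip firewall filter
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=input connection-state=established action=accept
add chain=input protocol=udp action=accept comment="UDP"
add chain=input protocol=tcp dst-port=8291 src-address-list="network anda" action=accept comment="winbox"
add chain=input src-address-list=ournetwork action=accept comment="From our network"
add chain=input action=log log-prefix="DROP INPUT"
add chain=input action=drop comment="Drop everything else"
"""

@dataclass
class Packet:
    chain: str              # built-in chain the packet enters: "input" or "forward"
    src: str
    protocol: str
    dst_port: int = 0       # 0 = no port (ICMP etc.)
    connection_state: str = "new"

def parse(script):
    """Return [(menu_path, attrs)] for every 'add' command, e.g. ('ip firewall filter', {...})."""
    section, rules = "", []
    for line in (ln.strip() for ln in script.splitlines()):
        if line.startswith("/"):                       # menu path such as "/ ip firewall filter"
            section = " ".join(line[1:].split())
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]             # shlex keeps comment="a b" as one token
            rules.append((section, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules

def lint(rules):
    """Return ({list_name: [networks]}, [findings]); run this before anything touches a router."""
    lists, findings = {}, []
    for _, a in (r for r in rules if r[0] == "ip firewall address-list"):
        try:
            net = ipaddress.ip_network(a.get("address", ""), strict=False)
        except ValueError:
            findings.append(f"error: address-list entry {a.get('address')!r} is not a valid address/CIDR")
            continue
        lists.setdefault(a.get("list"), []).append(net)
    seen = Counter()
    for _, a in (r for r in rules if r[0] == "ip firewall filter"):
        if "src-address-list" in a and a["src-address-list"] not in lists:
            findings.append(f"error: src-address-list={a['src-address-list']!r} is never created")
        sig = tuple(sorted((k, v) for k, v in a.items() if k not in ("comment", "disabled")))
        seen[sig] += 1
        if seen[sig] == 2:
            findings.append(f"warning: duplicate rule {dict(sig)}")
    return lists, findings

def matches(a, pkt, lists):
    """Matchers this example understands: protocol, connection-state, dst-port, src-address-list."""
    if a.get("protocol", pkt.protocol) != pkt.protocol or a.get("connection-state", pkt.connection_state) != pkt.connection_state:
        return False
    if "dst-port" in a:
        lo, _, hi = a["dst-port"].partition("-")       # single port or lo-hi range
        if not int(lo) <= pkt.dst_port <= int(hi or lo):
            return False
    if "src-address-list" in a:                        # an undefined list silently matches nothing
        nets = lists.get(a["src-address-list"], [])
        if not any(ipaddress.ip_address(pkt.src) in n for n in nets):
            return False
    return True

def evaluate(rules, lists, pkt, chain=""):
    """Walk one chain in order: 'accept' or 'drop'; 'return' when a user chain falls through."""
    chain = chain or pkt.chain
    for _, a in (r for r in rules if r[0] == "ip firewall filter" and r[1].get("chain") == chain):
        if a.get("disabled") == "yes" or not matches(a, pkt, lists):
            continue
        action = a.get("action", "accept")
        if action == "jump":
            verdict = evaluate(rules, lists, pkt, a["jump-target"])
            if verdict != "return":
                return verdict
        elif action not in ("log", "passthrough"):     # log and passthrough are non-terminal
            return action
    return "return" if chain != pkt.chain else "accept"  # built-in chains accept by default

if __name__ == "__main__":
    rules = parse(SAMPLE)
    lists, findings = lint(rules)
    print("\n".join(findings))
    for p in (Packet("input", "192.168.17.5", "tcp", 8291), Packet("input", "203.0.113.7", "tcp", 8291),
              Packet("input", "203.0.113.7", "udp", 53), Packet("forward", "192.168.17.5", "tcp", 2745)):
        print(p, "->", evaluate(rules, lists, p))
```

Running it prints the three findings and then the verdicts. The probe results are the point: Winbox from the LAN is accepted only because of the catch-all `src-address-list=ournetwork` rule (the dedicated winbox rule never matches), Winbox from an Internet address hits the final drop after being logged, a LAN host reaching out on port 2745 is dropped by the `virus` chain, and `protocol=udp action=accept` admits any UDP datagram from anywhere to the router itself, which is worth narrowing to the UDP services actually in use.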

Next, copy-paste the following script into your MikroTik terminal

/ ip firewall filter
add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no


add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
# the comment of the next rule says: better left disabled, since port 10000 is also often used for VPN or webmin
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y, sebaiknya di didisable karena juga sering digunakan utk vpn atau webmin" disabled=yes
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
add chain=input connection-state=established action=accept comment="Accept established connections" disabled=no
add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
# NOTE: this rule accepts every UDP datagram sent to the router itself, from any source;
# narrow it to the UDP services the router really offers (DNS, RADIUS, ...) where possible
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
# the source printed "src-address-list=network anda" here, but the list created above is named
# ournetwork; an address-list name that was never created matches nothing, so use ournetwork
add chain=input protocol=tcp dst-port=21 src-address-list=ournetwork action=accept comment="FTP" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ournetwork action=accept comment="SSH for secure shell" disabled=no
add chain=input protocol=tcp dst-port=23 src-address-list=ournetwork action=accept comment="Telnet" disabled=no
add chain=input protocol=tcp dst-port=80 src-address-list=ournetwork action=accept comment="Web" disabled=no
add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork action=accept comment="winbox" disabled=no
add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server" disabled=no
add chain=input src-address-list=ournetwork action=accept comment="From Datautama network" disabled=no


add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
add chain=virus protocol=tcp action=drop dst-port=54283 comment="SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=54320 comment="Back Orifice 2000"
add chain=virus protocol=tcp action=drop dst-port=54321 comment="Back Orifice 2000, School Bus"
add chain=virus protocol=tcp action=drop dst-port=55165 comment="File Manager trojan, File Manager trojan, WM Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=55166 comment="WM Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=57341 comment="NetRaider"
add chain=virus protocol=tcp action=drop dst-port=58339 comment="Butt Funnel"
add chain=virus protocol=tcp action=drop dst-port=60000 comment="Deep Throat, Foreplay, Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=60001 comment="Trinity"
add chain=virus protocol=tcp action=drop dst-port=60068 comment="Xzip 6000068"
add chain=virus protocol=tcp action=drop dst-port=60411 comment="Connection"
add chain=virus protocol=tcp action=drop dst-port=61348 comment="Bunker-Hill"
add chain=virus protocol=tcp action=drop dst-port=61466 comment="TeleCommando"
add chain=virus protocol=tcp action=drop dst-port=61603 comment="Bunker-Hill"
add chain=virus protocol=tcp action=drop dst-port=63485 comment="Bunker-Hill"
add chain=virus protocol=tcp action=drop dst-port=64101 comment="Taskman"
add chain=virus protocol=tcp action=drop dst-port=65000 comment="Devil, Sockets des Troie, Stacheldraht"
add chain=virus protocol=tcp action=drop dst-port=65390 comment="Eclypse"
add chain=virus protocol=tcp action=drop dst-port=65421 comment="Jade"
add chain=virus protocol=tcp action=drop dst-port=65432 comment="The Traitor th3tr41t0r"
add chain=virus protocol=udp action=drop dst-port=65432 comment="The Traitor th3tr41t0r"
add chain=virus protocol=tcp action=drop dst-port=65534 comment="sbin initd"
add chain=virus protocol=tcp action=drop dst-port=65535 comment="RC1 trojan"
# this jump duplicates the forward -> virus jump already added above; a second copy only costs
# an extra lookup per new connection and can be omitted
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=virus protocol=tcp action=drop dst-port=6400 comment="The Thing"
add chain=virus protocol=tcp action=drop dst-port=6661 comment="TEMan, Weia-Meia"
add chain=virus protocol=tcp action=drop dst-port=6666 comment="Dark Connection Inside, NetBus worm"
add chain=virus protocol=tcp action=drop dst-port=6667 comment="Dark FTP, ScheduleAgent, SubSeven, Subseven 2.1.4 DefCon 8, Trinity, WinSatan"
add chain=virus protocol=tcp action=drop dst-port=6669 comment="Host Control, Vampire"
add chain=virus protocol=tcp action=drop dst-port=6670 comment="BackWeb Server, Deep Throat, Foreplay, WinNuke eXtreame"
add chain=virus protocol=tcp action=drop dst-port=6711 comment="BackDoor-G, SubSeven, VP Killer"


add chain=virus protocol=tcp action=drop dst-port=6712 comment="Funny trojan, SubSeven"
add chain=virus protocol=tcp action=drop dst-port=6713 comment="SubSeven"
add chain=virus protocol=tcp action=drop dst-port=6723 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=6771 comment="Deep Throat, Foreplay"
add chain=virus protocol=tcp action=drop dst-port=6776 comment="2000 Cracks, BackDoor-G, SubSeven, VP Killer"
add chain=virus protocol=udp action=drop dst-port=6838 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=6883 comment="Delta Source DarkStar"
add chain=virus protocol=tcp action=drop dst-port=6912 comment="Shit Heep"
add chain=virus protocol=tcp action=drop dst-port=6939 comment="Indoctrination"
add chain=virus protocol=tcp action=drop dst-port=6969-6970 comment="GateCrasher, IRC 3, Net Controller, Priority"
add chain=virus protocol=tcp action=drop dst-port=7000 comment="Exploit Translation Server, Kazimas, Remote Grab, SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=7001 comment="Freak88, Freak2k"
add chain=virus protocol=tcp action=drop dst-port=7215 comment="SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=7300-7308 comment="NetMonitor"
add chain=virus protocol=tcp action=drop dst-port=7424 comment="Host Control"
add chain=virus protocol=udp action=drop dst-port=7424 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=7597 comment="Qaz"
add chain=virus protocol=tcp action=drop dst-port=7626 comment="Glacier"
add chain=virus protocol=tcp action=drop dst-port=7777 comment="God Message, Tini"
add chain=virus protocol=tcp action=drop dst-port=7789 comment="Back Door Setup, ICKiller"
add chain=virus protocol=tcp action=drop dst-port=7891 comment="The ReVeNgEr"
add chain=virus protocol=tcp action=drop dst-port=7983 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=8787 comment="Back Orifice 2000"
add chain=virus protocol=tcp action=drop dst-port=8988 comment="BacHack"
add chain=virus protocol=tcp action=drop dst-port=8989 comment="Rcon, Recon, Xcon"
add chain=virus protocol=tcp action=drop dst-port=9000 comment="Netministrator"
add chain=virus protocol=udp action=drop dst-port=9325 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=9400 comment="InCommand"
add chain=virus protocol=tcp action=drop dst-port=9872-9875 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=9876 comment="Cyber Attacker, Rux"
add chain=virus protocol=tcp action=drop dst-port=9878 comment="TransScout"
add chain=virus protocol=tcp action=drop dst-port=9989 comment="Ini-Killer"
add chain=virus protocol=tcp action=drop dst-port=9999 comment="The Prayer"
add chain=virus protocol=tcp action=drop dst-port=10000-10005 comment="OpwinTRojan"
add chain=virus protocol=udp action=drop dst-port=10067 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=10085-10086 comment="Syphillis"
add chain=virus protocol=tcp action=drop dst-port=10100 comment="Control Total, Gift trojan"


add chain=virus protocol=tcp action=drop dst-port=10101 comment="BrainSpy, Silencer"
add chain=virus protocol=udp action=drop dst-port=10167 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=10520 comment="Acid Shivers"
add chain=virus protocol=tcp action=drop dst-port=10528 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=10607 comment="Coma"
add chain=virus protocol=udp action=drop dst-port=10666 comment="Ambush"
add chain=virus protocol=tcp action=drop dst-port=11000 comment="Senna Spy Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=11050-11051 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=11223 comment="Progenic trojan, Secret Agent"
add chain=virus protocol=tcp action=drop dst-port=12076 comment="Gjamer"
add chain=virus protocol=tcp action=drop dst-port=12223 comment="Hack'99 KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=12345 comment="Ashley, cron crontab, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill"
add chain=virus protocol=tcp action=drop dst-port=12346 comment="Fat Bitch trojan, GabanBus, NetBus, X-bill"
add chain=virus protocol=tcp action=drop dst-port=12349 comment="BioNet"
add chain=virus protocol=tcp action=drop dst-port=12361-12363 comment="Whack-a-mole"
add chain=virus protocol=udp action=drop dst-port=12623 comment="DUN Control"
add chain=virus protocol=tcp action=drop dst-port=12624 comment="ButtMan"
add chain=virus protocol=tcp action=drop dst-port=12631 comment="Whack Job"
add chain=virus protocol=tcp action=drop dst-port=12754 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=13000 comment="Senna Spy Trojan Generator, Senna Spy Trojan Generator"
add chain=virus protocol=tcp action=drop dst-port=13010 comment="Hacker Brasil HBR"
add chain=virus protocol=tcp action=drop dst-port=13013-13014 comment="PsychWard"
add chain=virus protocol=tcp action=drop dst-port=13223 comment="Hack'99 KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=13473 comment="Chupacabra"
add chain=virus protocol=tcp action=drop dst-port=14500-14503 comment="PC Invader"
add chain=virus protocol=tcp action=drop dst-port=15000 comment="NetDemon"
add chain=virus protocol=tcp action=drop dst-port=15092 comment="Host Control"
add chain=virus protocol=tcp action=drop dst-port=15104 comment="Mstream"
add chain=virus protocol=tcp action=drop dst-port=15382 comment="SubZero"
add chain=virus protocol=tcp action=drop dst-port=15858 comment="CDK"
add chain=virus protocol=tcp action=drop dst-port=16484 comment="Mosucker"
add chain=virus protocol=tcp action=drop dst-port=16660 comment="Stacheldraht"
add chain=virus protocol=tcp action=drop dst-port=16772 comment="ICQ Revenge"
add chain=virus protocol=tcp action=drop dst-port=16959 comment="SubSeven, Subseven 2.1.4 DefCon 8"
add chain=virus protocol=tcp action=drop dst-port=16969 comment="Priority"
add chain=virus protocol=tcp action=drop dst-port=17166 comment="Mosaic"
add chain=virus protocol=tcp action=drop dst-port=17300 comment="Kuang2 the virus"


add chain=virus protocol=tcp action=drop dst-port=17449 comment="Kid Terror"
add chain=virus protocol=tcp action=drop dst-port=17499-17500 comment="CrazzyNet"
add chain=virus protocol=tcp action=drop dst-port=17569 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=17593 comment="Audiodoor"
add chain=virus protocol=tcp action=drop dst-port=17777 comment="Nephron"
add chain=virus protocol=udp action=drop dst-port=18753 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=19864 comment="ICQ Revenge"
add chain=virus protocol=tcp action=drop dst-port=20000 comment="Millenium"
add chain=virus protocol=tcp action=drop dst-port=20001 comment="Millenium, Millenium Lm"
add chain=virus protocol=tcp action=drop dst-port=20002 comment="AcidkoR"
add chain=virus protocol=tcp action=drop dst-port=20005 comment="Mosucker"
add chain=virus protocol=tcp action=drop dst-port=20023 comment="VP Killer"
add chain=virus protocol=tcp action=drop dst-port=20034 comment="NetBus 2.0 Pro, NetBus 2.0 Pro Hidden, NetRex, Whack Job"
add chain=virus protocol=tcp action=drop dst-port=20203 comment="Chupacabra"
add chain=virus protocol=tcp action=drop dst-port=20331 comment="BLA trojan"
add chain=virus protocol=tcp action=drop dst-port=20432 comment="Shaft"
add chain=virus protocol=udp action=drop dst-port=20433 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=21544 comment="GirlFriend, Kid Terror"
add chain=virus protocol=tcp action=drop dst-port=21554 comment="Exploiter, Kid Terror, Schwindler, Winsp00fer"
add chain=virus protocol=tcp action=drop dst-port=22222 comment="Donald Dick, Prosiak, Ruler, RUX The TIc.K"
add chain=virus protocol=tcp action=drop dst-port=23005-23006 comment="NetTrash"
add chain=virus protocol=tcp action=drop dst-port=23023 comment="Logged"
add chain=virus protocol=tcp action=drop dst-port=23032 comment="Amanda"
add chain=virus protocol=tcp action=drop dst-port=23432 comment="Asylum"
add chain=virus protocol=tcp action=drop dst-port=23456 comment="Evil FTP, Ugly FTP, Whack Job"
add chain=virus protocol=tcp action=drop dst-port=23476 comment="Donald Dick"
add chain=virus protocol=udp action=drop dst-port=23476 comment="Donald Dick"
add chain=virus protocol=tcp action=drop dst-port=23477 comment="Donald Dick"
add chain=virus protocol=tcp action=drop dst-port=23777 comment="InetSpy"
add chain=virus protocol=tcp action=drop dst-port=24000 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=25685-25982 comment="Moonpie"
add chain=virus protocol=udp action=drop dst-port=26274 comment="Delta Source"
add chain=virus protocol=tcp action=drop dst-port=26681 comment="Voice Spy"
add chain=virus protocol=tcp action=drop dst-port=27374 comment="Bad Blood, Ramen, Seeker, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8, SubSeven Muie, Ttfloader"
add chain=virus protocol=udp action=drop dst-port=27444 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=27573 comment="SubSeven"
add chain=virus protocol=tcp action=drop dst-port=27665 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=28678 comment="Exploiter"
add chain=virus protocol=tcp action=drop dst-port=29104 comment="NetTrojan"
add chain=virus protocol=tcp action=drop dst-port=29369 comment="ovasOn"
add chain=virus protocol=tcp action=drop dst-port=29891 comment="The Unexplained"


add chain=virus protocol=tcp action=drop dst-port=30000 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=30001 comment="ErrOr32"
add chain=virus protocol=tcp action=drop dst-port=30003 comment="Lamers Death"
add chain=virus protocol=tcp action=drop dst-port=30029 comment="AOL trojan"
add chain=virus protocol=tcp action=drop dst-port=30100-30133 comment="NetSphere"
add chain=virus protocol=udp action=drop dst-port=30103 comment="NetSphere"
add chain=virus protocol=tcp action=drop dst-port=30303 comment="Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=30947 comment="Intruse"
add chain=virus protocol=tcp action=drop dst-port=30999 comment="Kuang2"
add chain=virus protocol=tcp action=drop dst-port=31335 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=31336 comment="Bo Whack, Butt Funnel"
add chain=virus protocol=tcp action=drop dst-port=31337 comment="Back Fire, Back Orifice 1.20 patches, Back Orifice Lm, Back Orifice russian, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron crontab, Freak88, Freak2k, icmp_pipe.c, Sockdmini"
add chain=virus protocol=udp action=drop dst-port=31337 comment="Back Orifice, Deep BO"
add chain=virus protocol=tcp action=drop dst-port=31338 comment="Back Orifice, Butt Funnel, NetSpy DK"
add chain=virus protocol=udp action=drop dst-port=31338 comment="Deep BO"
add chain=virus protocol=tcp action=drop dst-port=31339 comment="NetSpy DK"
add chain=virus protocol=tcp action=drop dst-port=31666 comment="BOWhack"
add chain=virus protocol=tcp action=drop dst-port=31785-31792 comment="Hack a Tack"
add chain=virus protocol=udp action=drop dst-port=31791-31792 comment="Hack a Tack"
add chain=virus protocol=tcp action=drop dst-port=32001 comment="Donald Dick"
add chain=virus protocol=tcp action=drop dst-port=32100 comment="Peanut Brittle, Project nEXT"
add chain=virus protocol=tcp action=drop dst-port=32418 comment="Acid Battery"
add chain=virus protocol=tcp action=drop dst-port=33270 comment="Trinity"
add chain=virus protocol=tcp action=drop dst-port=33333 comment="Blakharaz, Prosiak"
add chain=virus protocol=tcp action=drop dst-port=33577-33777 comment="Son of PsychWard"
add chain=virus protocol=tcp action=drop dst-port=33911 comment="Spirit 2000, Spirit 2001"
add chain=virus protocol=tcp action=drop dst-port=34324 comment="Big Gluck, TN"
add chain=virus protocol=tcp action=drop dst-port=34444 comment="Donald Dick"
add chain=virus protocol=udp action=drop dst-port=34555-35555 comment="Trinoo for Windows"
add chain=virus protocol=tcp action=drop dst-port=37237 comment="Mantis"
add chain=virus protocol=tcp action=drop dst-port=37651 comment="Yet Another Trojan YAT"
add chain=virus protocol=tcp action=drop dst-port=40412 comment="The Spy"
add chain=virus protocol=tcp action=drop dst-port=40421 comment="Agent 40421, Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=40422-40426 comment="Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=41337 comment="Storm"
add chain=virus protocol=tcp action=drop dst-port=41666 comment="Remote Boot Tool RBT, Remote Boot Tool RBT"


add chain=virus protocol=tcp action=drop dst-port=44444 comment="Prosiak"
add chain=virus protocol=tcp action=drop dst-port=44575 comment="Exploiter"
add chain=virus protocol=udp action=drop dst-port=47262 comment="Delta Source"
add chain=virus protocol=tcp action=drop dst-port=49301 comment="OnLine KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=50130 comment="Enterprise"
add chain=virus protocol=tcp action=drop dst-port=50505 comment="Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=50766 comment="Fore, Schwindler"
add chain=virus protocol=tcp action=drop dst-port=51966 comment="Cafeini"
add chain=virus protocol=tcp action=drop dst-port=52317 comment="Acid Battery 2000"
add chain=virus protocol=tcp action=drop dst-port=53001 comment="Remote Windows Shutdown RWS"
/ip firewall filter
# NOTE: the rules below drop forwarded traffic to well-known service ports (21 FTP, 22 SSH, 23 Telnet,
# 25 SMTP, 80 HTTP, 110 POP3, 119 NNTP, ...) because some trojan once used them. Because the forward
# chain jumps into the virus chain for every new connection, these rules block ordinary FTP, SSH,
# mail and web traffic from LAN clients; review them before enabling.
add chain=virus protocol=udp action=drop dst-port=1 comment="Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=2 comment="Death"
add chain=virus protocol=tcp action=drop dst-port=20 comment="Senna Spy FTP server"
add chain=virus protocol=tcp action=drop dst-port=21 comment="Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash"
add chain=virus protocol=tcp action=drop dst-port=22 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=23 comment="Fire HacKer, Tiny Telnet Server TTS, Truva Atl"
add chain=virus protocol=tcp action=drop dst-port=25 comment="Ajan, Antigen, Barok, Email Password Sender EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT Mail Bombing Trojan, Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy"
add chain=virus protocol=tcp action=drop dst-port=30 comment="Agent 40421"
add chain=virus protocol=tcp action=drop dst-port=31 comment="Agent 31, Hackers Paradise, Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=41 comment="Deep Throat, Foreplay"
add chain=virus protocol=tcp action=drop dst-port=48 comment="DRAT"
add chain=virus protocol=tcp action=drop dst-port=50 comment="DRAT"
add chain=virus protocol=tcp action=drop dst-port=58 comment="DMSetup"
add chain=virus protocol=tcp action=drop dst-port=59 comment="DMSetup"
add chain=virus protocol=tcp action=drop dst-port=79 comment="CDK, Firehotcker"
add chain=virus protocol=tcp action=drop dst-port=80 comment="711 trojan, Seven Eleven, AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader"
add chain=virus protocol=tcp action=drop dst-port=81 comment="RemoConChubo"
add chain=virus protocol=tcp action=drop dst-port=99 comment="Hidden Port, NCX"
add chain=virus protocol=tcp action=drop dst-port=110 comment="ProMail trojan"
add chain=virus protocol=tcp action=drop dst-port=113 comment="Invisible Identd Deamon, Kazimas"
add chain=virus protocol=tcp action=drop dst-port=119 comment="Happy99"
add chain=virus protocol=tcp action=drop dst-port=121 comment="Attack Bot, God Message, JammerKillah"

add chain=virus protocol=tcp action=drop dst-port=123 comment="Net Controller"
add chain=virus protocol=tcp action=drop dst-port=133 comment="Farnaz"
add chain=virus protocol=tcp action=drop dst-port=135-139 comment="Blaster worm"
add chain=virus protocol=udp action=drop dst-port=135-139 comment="messenger worm"
add chain=virus protocol=tcp action=drop dst-port=142 comment="NetTaxi"
add chain=virus protocol=tcp action=drop dst-port=146 comment="Infector"
add chain=virus protocol=udp action=drop dst-port=146 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=170 comment="A-trojan"
add chain=virus protocol=tcp action=drop dst-port=334 comment="Backage"
add chain=virus protocol=tcp action=drop dst-port=411 comment="Backage"
add chain=virus protocol=tcp action=drop dst-port=420 comment="Breach, Incognito"
add chain=virus protocol=tcp action=drop dst-port=421 comment="TCP Wrappers trojan"
add chain=virus protocol=tcp action=drop dst-port=445 comment="Blaster worm"
add chain=virus protocol=udp action=drop dst-port=445 comment="Blaster worm"
add chain=virus protocol=tcp action=drop dst-port=455 comment="Fatal Connections"
add chain=virus protocol=tcp action=drop dst-port=456 comment="Hackers Paradise"
add chain=virus protocol=tcp action=drop dst-port=513 comment="Grlogin"
add chain=virus protocol=tcp action=drop dst-port=514 comment="RPC Backdoor"
add chain=virus protocol=tcp action=drop dst-port=531 comment="Net666, Rasmin"
add chain=virus protocol=tcp action=drop dst-port=555 comment="711 trojan, Seven Eleven, Ini-Killer, Net Administrator, Phase Zero, Phase-0, Stealth Spy"
add chain=virus protocol=tcp action=drop dst-port=605 comment="Secret Service"
add chain=virus protocol=tcp action=drop dst-port=666 comment="Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door SBD, ServU, Shadow Phyre, th3r1pp3rz Therippers"
add chain=virus protocol=tcp action=drop dst-port=667 comment="SniperNet"
add chain=virus protocol=tcp action=drop dst-port=669 comment="DP trojan"
add chain=virus protocol=tcp action=drop dst-port=692 comment="GayOL"
add chain=virus protocol=tcp action=drop dst-port=777 comment="AimSpy, Undetected"
add chain=virus protocol=tcp action=drop dst-port=808 comment="WinHole"
add chain=virus protocol=tcp action=drop dst-port=911 comment="Dark Shadow"
add chain=virus protocol=tcp action=drop dst-port=999 comment="Deep Throat, Foreplay, WinSatan"
add chain=virus protocol=tcp action=drop dst-port=1000 comment="Der Spaeher, Direct Connection"
add chain=virus protocol=tcp action=drop dst-port=1001 comment="Der Spaeher, Le Guardien, Silencer, WebEx"
add chain=virus protocol=tcp action=drop dst-port=1010-1016 comment="Doly Trojan"
add chain=virus protocol=tcp action=drop dst-port=1020 comment="Vampire"
add chain=virus protocol=tcp action=drop dst-port=1024 comment="Jade, Latinus, NetSpy"
add chain=virus protocol=tcp action=drop dst-port=1025 comment="Remote Storm"
add chain=virus protocol=udp action=drop dst-port=1025 comment="Remote Storm"
add chain=virus protocol=tcp action=drop dst-port=1035 comment="Multidropper"
add chain=virus protocol=tcp action=drop dst-port=1042 comment="BLA trojan"

add chain=virus protocol=tcp action=drop dst-port=1045 comment="Rasmin"
add chain=virus protocol=tcp action=drop dst-port=1049 comment="sbin initd"
add chain=virus protocol=tcp action=drop dst-port=1050 comment="MiniCommand"
add chain=virus protocol=tcp action=drop dst-port=1053 comment="The Thief"
add chain=virus protocol=tcp action=drop dst-port=1054 comment="AckCmd"
add chain=virus protocol=tcp action=drop dst-port=1080-1083 comment="WinHole"
add chain=virus protocol=tcp action=drop dst-port=1090 comment="Xtreme"
add chain=virus protocol=tcp action=drop dst-port=1095-1098 comment="Remote Administration Tool RAT"
add chain=virus protocol=tcp action=drop dst-port=1099 comment="Blood Fest Evolution, Remote Administration Tool RAT"
add chain=virus protocol=tcp action=drop dst-port=1150-1151 comment="Orion"
add chain=virus protocol=tcp action=drop dst-port=1170 comment="Psyber Stream Server PSS, Streaming Audio Server, Voice"
add chain=virus protocol=udp action=drop dst-port=1200-1201 comment="NoBackO"
add chain=virus protocol=tcp action=drop dst-port=1207 comment="SoftWAR"
add chain=virus protocol=tcp action=drop dst-port=1208 comment="Infector"
add chain=virus protocol=tcp action=drop dst-port=1212 comment="Kaos"
add chain=virus protocol=tcp action=drop dst-port=1234 comment="SubSeven Java client, Ultors Trojan"
add chain=virus protocol=tcp action=drop dst-port=1243 comment="BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles"
add chain=virus protocol=tcp action=drop dst-port=1245 comment="VooDoo Doll"
add chain=virus protocol=tcp action=drop dst-port=1255 comment="Scarab"
add chain=virus protocol=tcp action=drop dst-port=1256 comment="Project nEXT"
add chain=virus protocol=tcp action=drop dst-port=1269 comment="Matrix"
add chain=virus protocol=tcp action=drop dst-port=1272 comment="The Matrix"
add chain=virus protocol=tcp action=drop dst-port=1313 comment="NETrojan"
add chain=virus protocol=tcp action=drop dst-port=1338 comment="Millenium Worm"
add chain=virus protocol=tcp action=drop dst-port=1349 comment="Bo dll"
add chain=virus protocol=tcp action=drop dst-port=1394 comment="GoFriller, Backdoor G-1"
add chain=virus protocol=tcp action=drop dst-port=1441 comment="Remote Storm"
add chain=virus protocol=tcp action=drop dst-port=1492 comment="FTP99CMP"
add chain=virus protocol=tcp action=drop dst-port=1524 comment="Trinoo"
add chain=virus protocol=tcp action=drop dst-port=1568 comment="Remote Hack"
add chain=virus protocol=tcp action=drop dst-port=1600 comment="Direct Connection, Shivka-Burka"
add chain=virus protocol=tcp action=drop dst-port=1703 comment="Exploiter"
add chain=virus protocol=tcp action=drop dst-port=1777 comment="Scarab"
add chain=virus protocol=tcp action=drop dst-port=1807 comment="SpySender"
add chain=virus protocol=tcp action=drop dst-port=1966 comment="Fake FTP"
add chain=virus protocol=tcp action=drop dst-port=1967 comment="WM FTP Server"
add chain=virus protocol=tcp action=drop dst-port=1969 comment="OpC BO"
add chain=virus protocol=tcp action=drop dst-port=1981 comment="Bowl, Shockrave"
add chain=virus protocol=tcp action=drop dst-port=1999 comment="Back Door, SubSeven, TransScout"
add chain=virus protocol=tcp action=drop dst-port=2000 comment="Der Spaeher, Insane Network, Last 2000, Remote Explorer 2000, Senna Spy Trojan Generator"

add chain=virus protocol=tcp action=drop dst-port=2001 comment="Der Spaeher, Trojan Cow"
add chain=virus protocol=tcp action=drop dst-port=2023 comment="Ripper Pro"
add chain=virus protocol=tcp action=drop dst-port=2080 comment="WinHole"
add chain=virus protocol=tcp action=drop dst-port=2115 comment="Bugs"
add chain=virus protocol=udp action=drop dst-port=2130 comment="Mini Backlash"
add chain=virus protocol=tcp action=drop dst-port=2140 comment="The Invasor"
add chain=virus protocol=udp action=drop dst-port=2140 comment="Deep Throat, Foreplay"
add chain=virus protocol=tcp action=drop dst-port=2155 comment="Illusion Mailer"
add chain=virus protocol=tcp action=drop dst-port=2255 comment="Nirvana"
add chain=virus protocol=tcp action=drop dst-port=2283 comment="Hvl RAT"
add chain=virus protocol=tcp action=drop dst-port=2300 comment="Xplorer"
add chain=virus protocol=tcp action=drop dst-port=2311 comment="Studio 54"
add chain=virus protocol=tcp action=drop dst-port=2330-2339 comment="Contact"
add chain=virus protocol=udp action=drop dst-port=2339 comment="Voice Spy"
add chain=virus protocol=tcp action=drop dst-port=2345 comment="Doly Trojan"
add chain=virus protocol=tcp action=drop dst-port=2565 comment="Striker trojan"
add chain=virus protocol=tcp action=drop dst-port=2583 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=2600 comment="Digital RootBeer"
add chain=virus protocol=tcp action=drop dst-port=2716 comment="The Prayer"
add chain=virus protocol=tcp action=drop dst-port=2773-2774 comment="SubSeven, SubSeven 2.1 Gold"
add chain=virus protocol=tcp action=drop dst-port=2801 comment="Phineas Phucker"
add chain=virus protocol=udp action=drop dst-port=2989 comment="Remote Administration Tool RAT"
add chain=virus protocol=tcp action=drop dst-port=3000 comment="Remote Shut"
add chain=virus protocol=tcp action=drop dst-port=3024 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=3031 comment="Microspy"
add chain=virus protocol=tcp action=drop dst-port=3128 comment="Reverse WWW Tunnel Backdoor, RingZero"
add chain=virus protocol=tcp action=drop dst-port=3129 comment="Masters Paradise"
add chain=virus protocol=tcp action=drop dst-port=3150 comment="The Invasor"
add chain=virus protocol=udp action=drop dst-port=3150 comment="Deep Throat, Foreplay, Mini Backlash"
add chain=virus protocol=tcp action=drop dst-port=3456 comment="Terror trojan"
add chain=virus protocol=tcp action=drop dst-port=3459 comment="Eclipse 2000, Sanctuary"
add chain=virus protocol=tcp action=drop dst-port=3700 comment="Portal of Doom"
add chain=virus protocol=tcp action=drop dst-port=3777 comment="PsychWard"
add chain=virus protocol=tcp action=drop dst-port=3791-3801 comment="Total Solar Eclypse"
add chain=virus protocol=tcp action=drop dst-port=4000 comment="SkyDance"
add chain=virus protocol=tcp action=drop dst-port=4092 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=4242 comment="Virtual Hacking Machine VHM"
add chain=virus protocol=tcp action=drop dst-port=4321 comment="BoBo"

add chain=virus protocol=tcp action=drop dst-port=4444 comment="Prosiak, Swift Remote"
add chain=virus protocol=tcp action=drop dst-port=4567 comment="File Nail"
add chain=virus protocol=tcp action=drop dst-port=4590 comment="ICQ Trojan"
add chain=virus protocol=tcp action=drop dst-port=4950 comment="ICQ Trogen Lm"
add chain=virus protocol=tcp action=drop dst-port=5000 comment="Back Door Setup, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=5001 comment="Back Door Setup, Sockets des Troie"
add chain=virus protocol=tcp action=drop dst-port=5002 comment="cd00r, Shaft"
add chain=virus protocol=tcp action=drop dst-port=5010 comment="Solo"
add chain=virus protocol=tcp action=drop dst-port=5011 comment="One of the Last Trojans OOTLT, One of the Last Trojans OOTLT, modified"
add chain=virus protocol=tcp action=drop dst-port=5025 comment="WM Remote KeyLogger"
add chain=virus protocol=tcp action=drop dst-port=5031-5032 comment="Net Metropolitan"
add chain=virus protocol=tcp action=drop dst-port=5321 comment="Firehotcker"
add chain=virus protocol=tcp action=drop dst-port=5333 comment="Backage, NetDemon"
add chain=virus protocol=tcp action=drop dst-port=5343 comment="wCrat WC Remote Administration Tool"
add chain=virus protocol=tcp action=drop dst-port=5400-5402 comment="Back Construction, Blade Runner"
add chain=virus protocol=tcp action=drop dst-port=5512 comment="Illusion Mailer"
add chain=virus protocol=tcp action=drop dst-port=5534 comment="The Flu"
add chain=virus protocol=tcp action=drop dst-port=5550 comment="Xtcp"
add chain=virus protocol=tcp action=drop dst-port=5555 comment="ServeMe"
add chain=virus protocol=tcp action=drop dst-port=5556-5557 comment="BO Facil"
add chain=virus protocol=tcp action=drop dst-port=5569 comment="Robo-Hack"
add chain=virus protocol=tcp action=drop dst-port=5637-5638 comment="PC Crasher"
add chain=virus protocol=tcp action=drop dst-port=5742 comment="WinCrash"
add chain=virus protocol=tcp action=drop dst-port=5760 comment="Portmap Remote Root Linux Exploit"
add chain=virus protocol=tcp action=drop dst-port=5880-5889 comment="Y3K RAT"
add chain=virus protocol=tcp action=drop dst-port=6000 comment="The Thing"
add chain=virus protocol=tcp action=drop dst-port=6006 comment="Bad Blood"
add chain=virus protocol=tcp action=drop dst-port=6272 comment="Secret Service"

With the firewall list above you can block the ports commonly used by viruses, but be aware that many legitimate applications and services use those same ports. Your router should also only be remotely administered from your allow-list addresses and your own network, to avoid your MikroTik router being defaced.
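As an added example (not part of the original tutorial), a small Python audit of a rule list in the syntax above: it parses the add chain=virus lines and reports which drop rules also cover ports of well-known legitimate services, which is exactly the caveat the paragraph raises. The rule sample and the service table are constructed here; on a real export, feed the whole list in.

```python
"""Audit a MikroTik 'virus' filter chain: parse 'add chain=virus ...' rules and
report which drop rules also cover ports that legitimate services use."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the same syntax as the rule list in this tutorial.
SAMPLE_RULES = """\
/ip firewall filter
add chain=virus protocol=tcp action=drop dst-port=22 comment="Shaft"
add chain=virus protocol=tcp action=drop dst-port=25 comment="Ajan, Antigen"
add chain=virus protocol=tcp action=drop dst-port=135-139 comment="Blaster worm"
add chain=virus protocol=udp action=drop dst-port=1200-1201 comment="NoBackO"
add chain=virus protocol=tcp action=drop dst-port=3128 comment="Reverse WWW Tunnel Backdoor, RingZero"
add chain=virus protocol=tcp action=drop dst-port=5555 comment="ServeMe"
"""

# Ports an operator typically depends on (my selection of IANA well-known ports).
KNOWN_SERVICES: Dict[Tuple[str, int], str] = {
    ("tcp", 20): "ftp-data", ("tcp", 21): "ftp", ("tcp", 22): "ssh",
    ("tcp", 23): "telnet", ("tcp", 25): "smtp", ("tcp", 80): "http",
    ("tcp", 110): "pop3", ("tcp", 113): "ident", ("tcp", 119): "nntp",
    ("tcp", 135): "msrpc", ("tcp", 139): "netbios-ssn", ("tcp", 445): "microsoft-ds",
    ("udp", 137): "netbios-ns", ("udp", 138): "netbios-dgm", ("udp", 514): "syslog",
    ("tcp", 513): "rlogin", ("tcp", 514): "rsh", ("tcp", 3128): "http-proxy",
    ("tcp", 6000): "x11",
}

# Attribute order as used throughout the list: chain, protocol, action, dst-port, comment.
RULE_RE = re.compile(
    r'^add\s+chain=(?P<chain>\S+)\s+protocol=(?P<proto>tcp|udp)\s+'
    r'action=(?P<action>\S+)\s+dst-port=(?P<ports>[\d,-]+)'
    r'(?:\s+comment="(?P<comment>[^"]*)")?\s*$'
)


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'80' -> [(80, 80)]; '135-139' -> [(135, 139)]; '1,2' -> [(1, 1), (2, 2)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec: {spec!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def parse_rules(text: str) -> List[dict]:
    """Parse the rule lines; '/ip firewall filter' headers and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("/"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse rule: {line}")
        rules.append({
            "line": lineno, "chain": m["chain"], "proto": m["proto"],
            "action": m["action"], "ports": parse_ports(m["ports"]),
            "comment": m["comment"] or "",
        })
    return rules


def find_service_collisions(rules: List[dict]) -> List[Tuple[int, str, int, str, str]]:
    """Return (line, proto, port, service, rule comment) for every drop rule that
    also blocks a port in KNOWN_SERVICES; review these before applying the list."""
    hits = []
    for r in rules:
        if r["action"] != "drop":
            continue
        for lo, hi in r["ports"]:
            for (proto, port), service in sorted(KNOWN_SERVICES.items()):
                if proto == r["proto"] and lo <= port <= hi:
                    hits.append((r["line"], proto, port, service, r["comment"]))
    return hits


if __name__ == "__main__":
    for line, proto, port, service, comment in find_service_collisions(parse_rules(SAMPLE_RULES)):
        print(f"line {line}: {proto}/{port} ({service}) is also dropped by rule '{comment}'")
```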

Dropping the Conficker virus with the MikroTik firewall

Create a mangle rule that matches traffic to the sites Conficker tries to reach; in-interface is the interface facing our network.

admin@mikrotik> ip firewall mangle add chain=prerouting in-interface=ether-download dst-address-list=!jaringan-kita content=loadadv.exe action=add-dst-to-address-list address-list=worm-dst time=02-00,00

Put an exclamation mark in front of the dst-address-list value: this means the content is only checked when the destination is not in the address list of our own network.

Create the firewall rule:

admin@mikrotik> ip firewall filter add chain=forward dst-address-list=worm-dst action=drop

Once this rule is applied, the addresses this worm downloads from will be captured in the address-list tab.
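The two rules above, replayed in Python as an added example (not the tutorial's own code): the prerouting mangle rule adds the destination of any packet from our LAN that carries loadadv.exe to the address list worm-dst, and the forward filter then drops traffic to every listed address. The interface name ether-download and the list name jaringan-kita come from the page; the traffic, the 203.0.113.0/24 "outside" addresses and the two-hour list timeout are my constructions, and the rule's time= option is not modelled.

```python
"""Replay of the Conficker mangle + filter rules: content match lists the
destination, the forward chain drops everything to listed destinations."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str
    payload: bytes
    ts: float       # arrival time in seconds (constructed clock)


class WormFilter:
    """Assumed names: LAN interface 'ether-download' and list 'jaringan-kita' as on the
    page. The timeout is my choice; the page's rule sets none, so RouterOS would keep
    the entries permanently."""

    def __init__(self, our_network: str, lan_iface: str = "ether-download",
                 timeout_s: float = 2 * 3600) -> None:
        self.our_network = ipaddress.ip_network(our_network)   # = jaringan-kita
        self.lan_iface = lan_iface
        self.timeout_s = timeout_s
        self.worm_dst: Dict[str, float] = {}   # address-list worm-dst: addr -> expiry
        self.events: List[str] = []

    def _expire(self, now: float) -> None:
        for addr, expiry in list(self.worm_dst.items()):
            if expiry <= now:
                del self.worm_dst[addr]

    def prerouting_mangle(self, p: Packet) -> None:
        # add chain=prerouting in-interface=ether-download dst-address-list=!jaringan-kita
        #     content=loadadv.exe action=add-dst-to-address-list address-list=worm-dst
        if p.in_iface != self.lan_iface:
            return
        if ipaddress.ip_address(p.dst) in self.our_network:
            return      # the '!': destinations inside our own network are never listed
        if b"loadadv.exe" in p.payload:
            self.worm_dst[p.dst] = p.ts + self.timeout_s
            self.events.append(f"{p.src} tried to fetch loadadv.exe from {p.dst}")

    def forward_filter(self, p: Packet) -> str:
        # add chain=forward dst-address-list=worm-dst action=drop
        return "drop" if p.dst in self.worm_dst else "accept"

    def handle(self, p: Packet) -> str:
        """Same order as RouterOS: prerouting mangle runs before the forward filter,
        so the packet that triggers the listing is itself dropped."""
        self._expire(p.ts)
        self.prerouting_mangle(p)
        return self.forward_filter(p)


def run_scenario() -> List[str]:
    """Constructed traffic; 203.0.113.0/24 is a documentation range used as 'outside'."""
    fw = WormFilter("192.168.0.0/24")
    fetch = b"GET /loadadv.exe HTTP/1.1\r\nHost: bad.example\r\n\r\n"
    plain = b"GET /index.html HTTP/1.1\r\nHost: site.example\r\n\r\n"
    traffic = [
        Packet("ether-download", "192.168.0.10", "203.0.113.5", fetch, 0),     # trigger
        Packet("ether-download", "192.168.0.11", "203.0.113.5", plain, 10),    # listed dst
        Packet("ether-download", "192.168.0.10", "203.0.113.9", plain, 20),    # clean dst
        Packet("ether-download", "192.168.0.10", "192.168.0.20", fetch, 30),   # inside LAN
        Packet("ether-upload", "203.0.113.7", "192.168.0.10", fetch, 40),      # other iface
        Packet("ether-download", "192.168.0.10", "203.0.113.5", plain, 7201),  # entry expired
    ]
    return [fw.handle(p) for p in traffic]


if __name__ == "__main__":
    print(run_scenario())
```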

Building a DHCP and Internet Gateway Server on MikroTik

Posted by antoni under Mikrotik

To build a DHCP server, the following steps are needed:

1. Create an address pool and define the IP range
2. Enable the DHCP server.

For the Internet gateway server, the core step is masquerading, which passes the users' packets through to the Internet.

The network and server look like this:

1. MikroTik is installed on a PC with 2 Ethernet cards: 1 interface for the Internet connection and 1 interface for the local network.

2. IP addresses:
- gateway (e.g. ADSL modem): 192.168.100.100
- DNS: 192.168.100.110
- interface to the Internet: 192.168.100.1
- interface to the LAN: 192.168.0.1

To begin, look at the interfaces present on the MikroTik router:

[admin@Mikrotik] > interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME      TYPE    RX-RATE  TX-RATE  MTU
 0  R ether1    ether   0        0        1500
 1  R ether2    ether   0        0        1500
[admin@Mikrotik] >

Then set the IP addresses on the MikroTik interfaces. Say ether1 will be used for the Internet connection with IP 192.168.100.1 and ether2 for our local network with IP 192.168.0.1:

[admin@mikrotik] > ip address add address=192.168.100.1 netmask=255.255.255.0 interface=ether1

[admin@mikrotik] > ip address add address=192.168.0.1 netmask=255.255.255.0 interface=ether2

[admin@mikrotik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST        INTERFACE
 0   192.168.100.1/24   192.168.100.0   192.168.100.255  ether1
 1   192.168.0.1/24     192.168.0.0     192.168.0.255    ether2
[admin@mikrotik] >

Once that is done, we can set up the DHCP server on MikroTik.

1. Create the address pool

/ip pool add name=dhcp-pool ranges=192.168.0.2-192.168.0.100
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1

2. Specify the interface to use and enable the DHCP server.

/ip dhcp-server add interface=ether2 address-pool=dhcp-pool
/ip dhcp-server enable 0

[admin@mikrotik] > ip dhcp-server print
Flags: X - disabled, I - invalid
 #   NAME    INTERFACE  RELAY  ADDRESS-POOL  LEASE-TIME  ADD-ARP
 0   dhcp1   ether2

At this point the DHCP server is ready to use and can be tested from a client.

The next step is the Internet gateway. Suppose the ADSL modem acting as the gateway to the Internet is 192.168.100.100 and the DNS server is 192.168.100.110; set the default gateway with the following command:

[admin@mikrotik] > /ip route add gateway=192.168.100.100

3. Viewing the routing table on the MikroTik router

[admin@mikrotik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
 #     DST-ADDRESS        PREFSRC         G GATEWAY          DISTANCE INTERFACE
 0 ADC 192.168.0.0/24     192.168.0.1                                 ether2
 1 ADC 192.168.100.0/24   192.168.100.1                               ether1
 2 A S 0.0.0.0/0                          r 192.168.100.100           ether1
[admin@mikrotik] >

Continue with the DNS setup:

[admin@mikrotik] > ip dns set primary-dns=192.168.100.110 allow-remote-requests=no

[admin@mikrotik] > ip dns print
          primary-dns: 192.168.100.110
        secondary-dns: 0.0.0.0
allow-remote-requests: no
           cache-size: 2048KiB
        cache-max-ttl: 1w
           cache-used: 16KiB
[admin@mikrotik] >

4. Test domain name resolution, for example by pinging a domain name:

[admin@mikrotik] > ping yahoo.com

216.109.112.135 64 byte ping: ttl=48 time=250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 571/571.0/571 ms

[admin@mikrotik] >

If you get replies, the DNS settings are correct.

5. Set up masquerading; this is the main step that turns MikroTik into a gateway server.

[admin@mikrotik] > ip firewall nat add action=masquerade out-interface=ether1
chain: srcnat

[admin@mikrotik] >

[admin@mikrotik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=ether1 action=masquerade
[admin@mikrotik] >

Done; all that remains is to test the connection from a client. With this, users should be able to reach the Internet.

This is the easiest way to give users Internet access, but its security is still weak and firewall rules are needed. Hopefully I can cover that another time.

Source: http://www.vavai.com

Yoyok Riawan, a scavenger [copy & paste] trying to make use of what others throw away. NB: write on your tombstone... before you die...

Installation, Configuration and Optimisation of MikroTik RouterOS

####################################################################
TOKET - Terbitan Online Kecoak Elektronik (Kecoak Elektronik Online Publication)
Defending the classical hackers mind since 1995

Publisher : http://www.kecoak-elektronik.net
Contact   : [email protected]
####################################################################

Subject  : Installation, Configuration and Optimisation of MikroTik RouterOS
Writer   : r0t0r of Kecoak Elektronik
Contact  : [email protected]
Encoding : Unicode Transformation Format (UTF-8)

–[1]– Kecoak Elektronik License

Kecoak Elektronik actively supports the Blue Ribbon Campaign. We will try to publish all information we consider worth knowing, whether text documents, magazine articles or newspaper pieces. Full credit will be given to the author.

Kecoak Elektronik is not responsible for the actions of others. The information presented on this site is for educational and informational purposes only. If you decide to act in any form on the information stored on this site, you do so on your own decision, and nobody but you is responsible for that action.

You are welcome to reproduce part or all of the articles we publish, provided the author and Kecoak Elektronik as the online publisher are credited. Articles quoted or reproduced may not be used for commercial purposes.

–[2]– Intro

MikroTik RouterOS™ is a Linux-based operating system intended for use as a network router. It is designed to be easy for its users: administration can be done through a Windows application (WinBox), a web browser, or a remote shell (telnet and SSH). It can also be installed on a standard PC. A PC turned into a MikroTik router does not need large resources for standard use, for example as a plain gateway. For heavy loads (complex networks, complicated routing and so on) it is advisable to choose adequate PC resources.

MikroTik's features include the following:
- Routing protocols RIP, OSPF, BGP
- Stateful firewall
- HotSpot for Plug-and-Play access
- Remote WinBox GUI administration

A fuller list is at www.mikrotik.com.

Nevertheless MikroTik is not free software, meaning we must buy a license for all the features provided; the free trial lasts only 24 hours. We can buy the MikroTik software as a CD to be installed on a hard disk or as a disk on module (DOM). With a DOM there is nothing to install; just plug the DOM into the PC's IDE slot.

There are several ways to install MikroTik:
1. Installation with NetInstall over the network
2. Installation from floppy disk
3. Installation from CD-ROM.

This time we will cover installation from CD-ROM. For this exercise, download the ISO at http://adminpreman.web.id/download

The following steps are the basics of a MikroTik setup configured for a simple network as PC router/gateway, web proxy, DNS server, DHCP, firewall and bandwidth management. This configuration can be used to build the network of an Internet cafe or for testing in a personal lab.

–[2.1]– Network Topology

This topology assumes the Internet connection goes through an xDSL MODEM (ADSL or SDSL), with the public IP configuration held inside the MODEM. This means the MODEM must also be chosen for features such as routing, firewall and so on. The more complete the better, though usually the more expensive; what matters most is choosing a MODEM with a good firewall.

With an SDSL MODEM the IP is usually behind NAT, meaning it is not directly a public IP. With an ADSL MODEM the public IP is generally configured on the MODEM itself.

For now we assume the public IP is configured on the MODEM, whose PPPoE interface has already been set up and can dial to the RAS server.

To simplify configuration, the network topology needs to be designed first. As an example, the scheme below:

(a) Network Scheme

[ASCII diagram, not recoverable from the extracted text: telephone line and splitter feeding the xDSL modem (1); the modem connected to the MikroTik box (2) with interfaces a (public) and b (local); interface b connected to the switch (3) serving client 1, client 2, client 3 ... client n.]

Scheme legend
(1) = xDSL modem (IP address: 192.168.1.1/24)
(2) = MikroTik box with 2 Ethernet cards, a (public) and b (local)
(3) = Switch connecting the clients. Assumed number of clients: 20
      Client IP address range : 192.168.0.0/27
      Client IP allocation    : 192.168.0.1-192.168.0.30
      Network ID              : 192.168.0.0/27
      Broadcast IP            : 192.168.0.31/27

(b) IP Address Allocation

[*] MikroTik Box

Scheme legend
 a = Ethernet card 1 (public) -> IP address: 192.168.1.2/24
 b = Ethernet card 2 (local)  -> IP address: 192.168.0.30/27

Gateway: 192.168.1.1 (to the modem)

[*] Clients
Client 1 - Client n, IP address: 192.168.0.n .... n (1-30)

Example: Client 6
 IP address: 192.168.0.6/27
 Gateway   : 192.168.0.30 (to the MikroTik box)

NOTE:
The number after the IP address (/27) corresponds to the netmask; /27 equals 255.255.255.224.

The subnet masks for a class C local address block break down as follows:

Class C subnet masks
--------------------
255.255.255.0   = /24 -> 254 hosts
255.255.255.128 = /25 -> 128 hosts
255.255.255.192 = /26 -> 64 hosts
255.255.255.224 = /27 -> 32 hosts
255.255.255.240 = /28 -> 16 hosts
255.255.255.248 = /29 -> 8 hosts
255.255.255.252 = /30 -> 4 hosts
255.255.255.254 = /31 -> 2 hosts
255.255.255.255 = /32 -> 1 host
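The subnet arithmetic behind the table and the address plan above, as an added Python example (not from the original article). Note that the table mixes two counts: 254 for /24 is usable hosts, while the remaining rows give total addresses; the code reports both, and it also checks the page's own plan (router interface b at 192.168.0.30/27, clients 192.168.0.1-30), which makes client 30 collide with the router address.

```python
"""Class C subnet table (total vs. usable addresses) and a sanity check of the
192.168.0.0/27 address plan used in this tutorial."""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def class_c_table() -> List[Tuple[str, int, int, int]]:
    """(netmask, prefix, total addresses, usable hosts) for /24 .. /32.
    /31 and /32 have no separate network/broadcast address, so every address is usable."""
    rows = []
    for prefix in range(24, 33):
        net = ipaddress.ip_network(f"192.168.0.0/{prefix}")
        total = net.num_addresses
        usable = total - 2 if prefix <= 30 else total
        rows.append((str(net.netmask), prefix, total, usable))
    return rows


def check_plan(router_lan: str = "192.168.0.30/27",
               client_hosts: Iterable[int] = range(1, 31)) -> Dict[str, object]:
    """Defaults are the page's plan: interface b = 192.168.0.30/27, clients .1 to .30.
    Returns the derived network parameters plus a list of problems found."""
    iface = ipaddress.ip_interface(router_lan)
    net = iface.network
    usable = set(net.hosts())           # excludes the network and broadcast address
    problems: List[str] = []
    if iface.ip not in usable:
        problems.append(f"router address {iface.ip} is not a usable host address")
    for n in client_hosts:
        ip = net.network_address + n    # client n = 192.168.0.n, as in the plan
        if ip not in usable:
            problems.append(f"client {ip} lies outside the usable range of {net}")
        elif ip == iface.ip:
            problems.append(f"client {ip} collides with the router address")
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "gateway": str(iface.ip),
        "first_host": str(min(usable)),
        "last_host": str(max(usable)),
        "problems": problems,
    }


if __name__ == "__main__":
    for mask, prefix, total, usable in class_c_table():
        print(f"{mask:<16} = /{prefix} -> {total:>3} addresses, {usable:>3} usable")
    print(check_plan())
```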

–[2.2]– Preparation

- For the PC router, prepare a PC: minimum Pentium I, 64 MB RAM, 500 MB hard disk or 64 MB flash memory
- As a web proxy, prepare a PC: minimum Pentium III 450 MHz, 256 MB RAM, 20 GB hard disk. To see how much RAM and disk the cache needs, see http://adminpreman.web.id/download/Rumus%20Web%20Proxy%20Mikrotik.xls

- Prepare at least 2 Ethernet cards, 1 facing outward to the Internet and 1 facing the local network
- Burn the MikroTik OS source CD and put it in the CD-ROM drive.

- The MikroTik version used is MikroTik RouterOS version 2.9.27

–[3]– MikroTik Router Installation
With the network scheme designed and the required hardware prepared, it is time to start the installation.

–[3.1]– Booting from CD-ROM

Set the BIOS to boot from CD-ROM, then wait a moment; the installation process will appear on the monitor.

————————————————————————-

ISOLINUX 2.08 2003-12-12 Copyright (C) 1994-2003 H. Peter Anvin
Loading linux.........
Loading initrd.rgz.........
Ready
Uncompressing Linux... Ok, booting the kernel

————————————————————————

–[3.2]– Selecting software packages

After booting, a menu of the software packages to install appears; choose according to what you have planned.

Packages available in MikroTik

advanced-tools-2.9.27.npk
arlan-2.9.27.npk
dhcp-2.9.27.npk
gps-2.9.27.npk
hotspot-2.9.27.npk
hotspot-fix-2.9.27.npk
isdn-2.9.27.npk
lcd-2.9.27.npk
ntp-2.9.27.npk
ppp-2.9.27.npk
radiolan-2.9.27.npk
routerboard-2.9.27.npk
routing-2.9.27.npk
routing-test-2.9.27.npk
rstp-bridge-test-2.9.27.npk
security-2.9.27.npk
synchronous-2.9.27.npk
system-2.9.27.npk
telephony-2.9.27.npk
ups-2.9.27.npk
user-manager-2.9.27.npk
web-proxy-2.9.27.npk
webproxy-test-2.9.27.npk
wireless-2.9.27.npk
wireless-legacy-2.9.27.npk

————————————————————————–

Welcome to Mikrotik Router Software Installation

Move around menu using 'p' and 'n' or arrow keys, select with 'spacebar'.
Select all with 'a', minimum with 'm'. Press 'i' to install locally or 'r' to
install remote router or 'q' to cancel and reboot.

[X] system          [ ] lcd               [ ] telephony
[ ] ppp             [ ] ntp               [ ] ups
[X] dhcp            [ ] radiolan          [ ] user-manager
[X] advanced-tools  [ ] routerboard       [X] web-proxy
[ ] arlan           [ ] routing           [ ] webproxy-test
[ ] gps             [ ] routing-test      [ ] wireless
[ ] hotspot         [ ] rstp-bridge-test  [ ] wireless-legacy
[ ] hotspot-fix     [X] security
[ ] isdn            [ ] synchronous

————————————————————————–

The usual MikroTik packages for an Internet cafe, office or SOHO are:

a. SYSTEM: the base package, containing the MikroTik kernel

b. DHCP: the DHCP server and DHCP client; be sure to select this package if you want clients to receive IP addresses automatically from the DHCP server

c. SECURITY: features aimed at network security, such as remote access to the machine over SSH and remote access via MAC address

d. WEB-PROXY: with this package your MikroTik box can run a web proxy service that keeps a cache, so that traffic to the Internet is reduced and web browsing is faster.

e. ADVANCED TOOLS: tools for network administration, such as a bandwidth meter, scanning, nslookup and so on.

–[3.3]– Package Installation

Type "i" once you have finished selecting software; a menu like this appears:

- Do you want to keep old configuration? [y/n]  type Y
- Continue? [y/n]  type Y

After that the system installation begins. There is no need to partition the hard disk, because MikroTik creates its own partition automatically.

—————————————————————————-

wireless-legacy (depends on system):
Provides support for Cisco Aironet cards and for PrismII and Atheros wireless
station and AP.

Do you want to keep old configuration? [y/n]:y

Warning: all data on the disk will be erased!

Continue? [y/n]:y

Creating partition..........
Formatting disk.................................

Installing system-2.9.27 [################## ]

—————————————————————————

Installation progress

—————————————————————————

Continue? [y/n]:y

Creating partition.....................
Formatting disk..........................

Installed system-2.9.27
Installed advanced-tools-2.9.27
Installed dhcp-2.9.27
Installed security-2.9.27
Installed web-proxy-2.9.27

Software installed.
Press ENTER to reboot

——————————————————————————

NOTE:
The installation normally takes less than 15 minutes; if it takes longer it has failed, so repeat from the first step. When the installation finishes we are asked to restart the system; press Enter to restart.

–[3.5]– Disk check

After the computer boots back into the MikroTik system, there is an option to check the system disk; press "y".

—————————————————————————-
Loading system with initrd
Uncompressing Linux... Ok, booting the kernel.
Starting.

It is recommended to check your disk drive for errors,
but it may take a while (~1min for 1Gb).
It can be done later with "/system check-disk".
Do you want to do it now? [y/n]
—————————————————————————–

–[3.6]– Installation Complete

After the installation finishes, a login prompt appears in terminal mode; the system is now in its default state.

MikroTik login = admin
Password = (empty, just press Enter)

—————————————————————————

Mikrotik 2.9.27
Mikrotik Login:

[MikroTik ASCII-art banner]

MikroTik RouterOS 2.9.27 (c) 1999-2005 http://www.mikrotik.com/

Terminal vt102 detected, using multiline input mode
[admin@Mikrotik] >

—————————————————————————-

NOTE:
MikroTik can be configured in two modes: text mode and GUI mode. The GUI mode also comes in two forms, via browser and via WinBox. Here I will cover the text mode, because it is fast and gives a better understanding of this operating system.

–[4]– Basic Commands

MikroTik commands are much the same as those in Linux, since MikroTik is basically a Linux kernel, a reworking of Linux from the Debian distribution. Shell usage is the same, including command completion: press the TAB key and a long command no longer has to be typed in full; type the beginning of the command name and the shell shows the matching command automatically. For example, for the IP ADDRESS command in MikroTik it is enough to type IP ADD, a space, and TAB; the shell recognises it and interprets it as IP ADDRESS.

Let us continue with the introduction to the commands.

After logging in, check the state of the interfaces (Ethernet cards).

–[4.1]– Viewing the interface state on the MikroTik router

[admin@Mikrotik] > interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME      TYPE    RX-RATE  TX-RATE  MTU
 0  R ether1    ether   0        0        1500
 1  R ether2    ether   0        0        1500

[admin@Mikrotik] >

If an interface shows an X (disabled) flag after its number (0, 1), check the Ethernet card again; it should show R (running).

a. Mengganti nama interface [admin@Mikrotik] > interface(enter)

b. Untuk mengganti nama Interface ether1 menjadi Public (atau terserah namanya), maka [admin@Mikrotik] interface> set 0 name=Public


c. Likewise for ether2, for example renaming it to Local:
   [admin@Mikrotik] interface> set 1 name=Local

d. Or directly from the root menu, using a leading "/" (without the quotes):
   [admin@Mikrotik] > /interface set 0 name=Public

e. Check again whether the interface names have been changed:
   [admin@Mikrotik] > /interface print

Flags: X - disabled, D - dynamic, R - running
  #    NAME      TYPE     RX-RATE    TX-RATE    MTU
  0  R Local     ether    0          0          1500
  1  R Public    ether    0          0          1500

–[4.2]– Changing the default password

For security, change the default password:

[admin@Mikrotik] > password
old password: *****
new password: *****
retype new password: *****
[admin@Mikrotik] >

–[4.3]– Changing the hostname

Rename the MikroTik router to make configuration easier; in this step the server name is changed to "routerku".

[admin@Mikrotik] > system identity set name=routerku
[admin@routerku] >

–[5]– Setting the IP Address, Gateway, Masquerade and Name Server

–[5.1]– IP Address

Command form:

ip address add address={ip address/netmask} interface={interface name}

a. Assign IP addresses to the MikroTik interfaces. Suppose Public will be used for the Internet connection with IP 192.168.1.2, and Local for our LAN with IP 192.168.0.30 (see the topology).

[admin@routerku] > ip address add address=192.168.1.2 netmask=255.255.255.0 interface=Public comment="IP ke Internet"

[admin@routerku] > ip address add address=192.168.0.30 netmask=255.255.255.224 interface=Local comment="IP ke LAN"

b. View the IP addresses we have just assigned:

[admin@routerku] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   ;;; IP Address ke Internet
      192.168.0.30/27    192.168.0.0     192.168.0.31    Local
  1   ;;; IP Address ke LAN
      192.168.1.2/24     192.168.0.0     192.168.1.255   Public

[admin@routerku] >

–[5.2]– Gateway

Command form:

ip route add gateway={ip gateway}

a. Set the default gateway; assume the gateway for the Internet connection is 192.168.1.1

[admin@routerku] > /ip route add gateway=192.168.1.1

b. View the routing table on the MikroTik router

[admin@routerku] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
  #     DST-ADDRESS        PREFSRC         G GATEWAY         DISTANCE INTERFACE
  0 ADC 192.168.0.0/24     192.168.0.30                               Local
  1 ADC 192.168.0.0/27     192.168.1.2                                Public
  2 A S 0.0.0.0/0                          r 192.168.1.1              Public
[admin@routerku] >

c. Ping the gateway to make sure the configuration is correct

[admin@routerku] > ping 192.168.1.1
192.168.1.1 64 byte ping: ttl=64 time<1 ms
192.168.1.1 64 byte ping: ttl=64 time<1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
[admin@routerku] >

–[5.3]– NAT (Network Address Translation)

Command form:

ip firewall nat add chain=srcnat action=masquerade out-interface={the Ethernet interface directly connected to the Internet, i.e. Public}

a. Set up masquerading. If MikroTik is to be used as the gateway server, the client computers on the network need masquerading in order to reach the Internet.

[admin@routerku] > ip firewall nat add chain=srcnat out-interface=Public action=masquerade
[admin@routerku] >

b. View the masquerading configuration

[admin@routerku] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
  0   chain=srcnat out-interface=Public action=masquerade
[admin@routerku] >

–[5.4]– Name server

Command form:

ip dns set primary-dns={primary dns} secondary-dns={secondary dns}

a. Set up DNS on the MikroTik router, for example with Primary = 202.134.0.155 and Secondary = 202.134.2.5

[admin@routerku] > ip dns set primary-dns=202.134.0.155 allow-remote-requests=no
[admin@routerku] > ip dns set secondary-dns=202.134.2.5 allow-remote-requests=no

b. View the DNS configuration

[admin@routerku] > ip dns print
          primary-dns: 202.134.0.155
        secondary-dns: 202.134.2.5
allow-remote-requests: no
           cache-size: 2048KiB
        cache-max-ttl: 1w
           cache-used: 16KiB

[admin@routerku] >

c. Test domain name resolution, for example by pinging a domain name

[admin@routerku] > ping yahoo.com
216.109.112.135 64 byte ping: ttl=48 time=250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 571/571.0/571 ms
[admin@routerku] >

If you get a reply, the DNS settings are correct.

After this step you can test connectivity from the local network. If that works, the MikroTik router has been installed successfully as a gateway server. Once connected, MikroTik can be managed with WinBox, which can be downloaded from Mikrotik.com or from our own MikroTik server: if the server's IP address is 192.168.0.30, open http://192.168.0.30 in a browser. The browser shows a web page with several menus; look for "Download" and fetch WinBox from there. Save it to the local hard disk, run WinBox and enter the IP address, username and password.

–[7]– DHCP Server

DHCP stands for Dynamic Host Configuration Protocol, a program that lets the IP addresses of a network be managed centrally on a server, so that client PCs need no manual IP configuration. DHCP makes it easy for the administrator to hand out IP addresses to clients.

Command form:

ip dhcp-server setup
  dhcp server interface = { interface to use }
  dhcp server space = { network to serve with DHCP }
  gateway for dhcp network = { gateway ip }
  address to give out = { ip address range }
  dns servers = { name server }
  lease time = { lease duration granted }

If we want clients to obtain their IP address automatically, we need to set up a DHCP server on MikroTik. The steps are as follows:

a. Add an IP address pool

/ip pool add name=dhcp-pool ranges=192.168.0.1-192.168.0.30

b. Add the DHCP network and the gateway to be distributed to clients. In this example the network is 192.168.0.0/27 and the gateway is 192.168.0.30

/ip dhcp-server network add address=192.168.0.0/27 gateway=192.168.0.30 dns-server=192.168.0.30 comment=""

c. Add the DHCP server (in this example DHCP is applied to the Local interface)

/ip dhcp-server add interface=Local address-pool=dhcp-pool

d. View the DHCP server status

[admin@routerku] > ip dhcp-server print
Flags: X - disabled, I - invalid
  #   NAME     INTERFACE   RELAY   ADDRESS-POOL   LEASE-TIME   ADD-ARP
  0 X dhcp1    Local

The X means the DHCP server is not yet enabled; it has to be enabled first, in step e.

e. Do not forget to enable the DHCP server first

/ip dhcp-server enable 0

then check the dhcp-server again as in step d; if the X is gone, the server is active.

f. Test from a client

For example, from a Windows command prompt: D:\>ping www.yahoo.com
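The address plan in steps a to c can be checked before it is committed to the router. The script below is an added example (not from the tutorial) that uses only the Python standard library to verify that the pool lies inside the DHCP network, that the gateway is inside the network but outside the pool, that the router's own interface address is not in the pool, and that the pool excludes the network and broadcast addresses. Run on the values above (network 192.168.0.0/27, pool 192.168.0.1-192.168.0.30, gateway 192.168.0.30 on interface address 192.168.0.30/27) it reports that the gateway address sits inside the pool, an overlap that can end in two hosts claiming the router's address; shortening the pool to 192.168.0.1-192.168.0.29 clears the finding.

```python
"""Sanity-check a RouterOS DHCP plan: network, pool, gateway (added example)."""
import ipaddress


def parse_pool_range(ranges):
    """Parse a RouterOS pool 'ranges' value such as 192.168.0.1-192.168.0.30."""
    lo, _, hi = ranges.partition("-")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)


def check_dhcp_plan(network, ranges, gateway, router_address):
    """Return a list of findings; an empty list means the plan is consistent.

    network        -> /ip dhcp-server network address=...
    ranges         -> /ip pool ranges=...
    gateway        -> /ip dhcp-server network gateway=...
    router_address -> the /ip address entry on the DHCP interface (with prefix length)
    """
    net = ipaddress.ip_network(network)
    lo, hi = parse_pool_range(ranges)
    gw = ipaddress.ip_address(gateway)
    router = ipaddress.ip_interface(router_address)
    findings = []

    if lo > hi:
        findings.append(f"pool range {ranges} is reversed")
    if lo not in net or hi not in net:
        findings.append(f"pool {ranges} is not inside DHCP network {net}")
    for special in (net.network_address, net.broadcast_address):
        if lo <= special <= hi:
            findings.append(f"pool includes the network/broadcast address {special}")
    if gw not in net:
        findings.append(f"gateway {gw} is not inside DHCP network {net}")
    if lo <= gw <= hi:
        findings.append(f"gateway {gw} lies inside the pool and may be leased to a client")
    if router.network != net:
        findings.append(f"interface network {router.network} differs from DHCP network {net}")
    if router.ip != gw and lo <= router.ip <= hi:
        findings.append(f"router address {router.ip} lies inside the pool")
    return findings


# Values from the tutorial's steps a-c.
TUTORIAL_PLAN = dict(network="192.168.0.0/27", ranges="192.168.0.1-192.168.0.30",
                     gateway="192.168.0.30", router_address="192.168.0.30/27")

if __name__ == "__main__":
    for finding in check_dhcp_plan(**TUTORIAL_PLAN) or ["plan is consistent"]:
        print(finding)
```

The same function can be pointed at any other DHCP network/pool pair; it deliberately takes the four values as separate arguments because they live in four different RouterOS menus and drift apart easily.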

–[8]– Transparent Proxy Server

A proxy server is a program that speeds up access to a web site that has already been visited by another computer, because the content is already stored on the caching server. A transparent proxy is convenient for client management, because the system administrator no longer needs to set up the proxy in every client browser; the redirection is done automatically on the server side.

Command form:

a. Web proxy settings:

- ip proxy set enabled=yes port={ port to use } maximal-client-connections=1000 maximal-server-connections=1000

- ip proxy direct add src-address={ network to be NATed } action=allow

- ip web-proxy set parent-proxy={ parent proxy, optional } hostname={ proxy hostname, optional } port={ port to use } src-address={ address used for the connection to the parent proxy, default 0.0.0.0 } transparent-proxy=yes max-object-size={ maximum size of a file stored in the cache, default 4096, in kilobytes } max-cache-size={ maximum disk space used for cache files: unlimited | none | 12, in megabytes } cache-administrator={ administrator e-mail shown when the proxy reports an error; status is sent to that address } enabled=yes

Example configuration
——————-

a. Web proxy settings

/ ip web-proxy
set enabled=yes src-address=0.0.0.0 port=8080 hostname="proxy.routerku.co.id" transparent-proxy=yes parent-proxy=0.0.0.0:0 cache-administrator="[email protected]" max-object-size=131072KiB cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited

A NAT redirect must also be added: a REDIRECT rule that diverts HTTP traffic to the WEB-PROXY.

b. Firewall settings for the transparent proxy

Command form:

ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports={ proxy port }

The commands:

——————————————————————————–
/ ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=8000 action=redirect to-ports=8080
——————————————————————————–

The commands above make all traffic bound for ports 80, 3128 and 8000 get diverted to port 8080, the web proxy's port.

NOTE: the commands

/ip web-proxy print    { to view the resulting web-proxy configuration }
/ip web-proxy monitor  { to monitor the web-proxy at work }

–[9]– Bandwidth Management

QoS plays a very important role in giving clients good service. For that we need bandwidth management to regulate every flow that passes through, so that bandwidth is shared fairly. MikroTik RouterOS includes a software package for managing bandwidth.

Command form:

queue simple add name={ name } target-addresses={ destination ip address } interface={ interface the data passes through } max-limit={ out/in }

Below is a traffic-shaping (bandwidth management) configuration using the Simple Queue method. As the name says, this queue type is simple, but it has a weakness: bandwidth sometimes "leaks", or is not monitored in real terms. For about 10 clients this queue type is fine.

Assume there are 15 clients, each given a minimum bandwidth of 8 kbps and a maximum of 48 kbps, with a total bandwidth of 192 kbps. No rule is set for upstream, so each client may use upstream bandwidth to the maximum. Note the priority parameter: MikroTik has eight priority levels, 1 to 8, where priority 1 is the highest and priority 8 the lowest.

Here is an example configuration.
——————————————————————————–
/ queue simple
add name="trafikshaping" target-addresses=192.168.0.0/27 dst-address=0.0.0.0/0 interface=all parent=none priority=1 queue=default/default limit-at=0/64000 max-limit=0/192000 total-queue=default disabled=no
add name="01" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="02" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="03" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="04" target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="05" target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="06" target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="07" target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="08" target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="09" target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="10" target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="11" target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="12" target-addresses=192.168.0.12/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="13" target-addresses=192.168.0.13/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="14" target-addresses=192.168.0.14/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="15" target-addresses=192.168.0.15/32 dst-address=0.0.0.0/0 interface=all parent=trafikshaping priority=1 queue=default/default limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
——————————————————————————–

Because the commands above are in command-line form, they can simply be copied and pasted into the MikroTik console. Remember to check the current path (active menu) first; paste them when the position is at the root menu.

——————————————————————-
Terminal vt102 detected, using multiline input mode
[admin@mikrotik] >
——————————————————————
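Fifteen near-identical queue lines are easier to generate than to edit by hand, and the numbers in them are worth checking against the parent queue before they are pasted. The Python script below is an added example, not part of the tutorial: it renders the per-client lines from the same template as the listing above for the first N host addresses of the LAN network, and checks the HTB rules that MikroTik's queue documentation states for parent/child queues, namely that the children's limit-at values must add up to no more than the parent's max-limit, that no child's max-limit may exceed the parent's, and that each queue's limit-at is no larger than its own max-limit (a max-limit of 0 means unlimited in RouterOS and is skipped). Rates are given as RouterOS upload/download strings in bits per second, as in the listing. On the tutorial's values (parent max-limit 0/192000, 15 clients at 0/8000 and 0/48000) the check passes; raising the per-client guarantee to 0/16000 would oversubscribe the 192000 bps parent and is reported.

```python
"""Generate per-client simple queues and check the HTB limits (added example)."""
import ipaddress


def parse_rate(rate):
    """Split a RouterOS 'upload/download' rate string into two integers (bits per second)."""
    up, _, down = rate.partition("/")
    return int(up), int(down)


def simple_queue_commands(parent, network, clients, limit_at, max_limit):
    """Build one '/queue simple add' line per client, using the same template as the
    tutorial's listing, for the first `clients` host addresses of `network`."""
    hosts = list(ipaddress.ip_network(network).hosts())[:clients]
    template = ('add name="{name}" target-addresses={host}/32 dst-address=0.0.0.0/0 '
                'interface=all parent={parent} priority=1 queue=default/default '
                'limit-at={limit_at} max-limit={max_limit} total-queue=default disabled=no')
    return [template.format(name=f"{n:02d}", host=host, parent=parent,
                            limit_at=limit_at, max_limit=max_limit)
            for n, host in enumerate(hosts, start=1)]


def check_limits(parent_max_limit, clients, child_limit_at, child_max_limit):
    """HTB sanity rules for `clients` identical children under one parent.
    Returns a list of findings; an empty list means the limits are consistent."""
    findings = []
    p_ml = parse_rate(parent_max_limit)
    c_la, c_ml = parse_rate(child_limit_at), parse_rate(child_max_limit)
    for i, direction in enumerate(("upload", "download")):
        if c_ml[i] and c_la[i] > c_ml[i]:
            findings.append(f"{direction}: child limit-at {c_la[i]} bps exceeds its own "
                            f"max-limit {c_ml[i]} bps")
        if p_ml[i] == 0:          # 0 = unlimited on the parent, nothing to oversubscribe
            continue
        guaranteed = clients * c_la[i]
        if guaranteed > p_ml[i]:
            findings.append(f"{direction}: {clients} x {c_la[i]} bps = {guaranteed} bps "
                            f"guaranteed, more than the parent max-limit {p_ml[i]} bps")
        if c_ml[i] > p_ml[i]:
            findings.append(f"{direction}: child max-limit {c_ml[i]} bps exceeds parent "
                            f"max-limit {p_ml[i]} bps")
    return findings


if __name__ == "__main__":
    # Values from the tutorial: 15 clients in 192.168.0.0/27 under parent "trafikshaping".
    for line in simple_queue_commands("trafikshaping", "192.168.0.0/27", 15, "0/8000", "0/48000"):
        print(line)
    for finding in check_limits("0/192000", 15, "0/8000", "0/48000") or ["limits are consistent"]:
        print(finding)
```

Paste the printed lines after the parent queue, as the tutorial does; the checker is the part to keep around, since the mistake it catches (promising more guaranteed bandwidth than the link has) is invisible in the console output.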

Another option for bandwidth management is to let MikroTik share the bandwidth equally, say 256 kbps downstream and 256 kbps upstream. If 10 clients are accessing at the same time, each client automatically receives 256 kbps divided by 10, i.e. 25.6 kbps, for both upstream and downstream. If only 2 clients are active, each gets 128 kbps.

For this the PCQ (Per Connection Queue) type is used, which can divide traffic per client automatically. The queue types in MikroTik are described in the manual at http://www.mikrotik.com/testdocs/ros/2.9/root/queue.php.

First, rules are needed in the MANGLE section, such as:

——————————————————————–
/ip firewall mangle add chain=forward src-address=192.168.0.0/27 action=mark-connection new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet new-packet-mark=users chain=forward
———————————————————————-

Since the PCQ types do not exist yet, they have to be added; there are two of them. The first is named pcq-download and handles all traffic by destination address. This traffic passes through the Local interface, so all download/downstream traffic arriving for the 192.168.0.0/27 network is shared automatically.

The second PCQ type, named pcq-upload, handles all upstream traffic by source address. This traffic passes through the Public interface, so all upload/upstream traffic originating from the 192.168.0.0/27 network is shared automatically.

Commands:
————————————————————————-
/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address
————————————————————————-

With the PCQ types and the mangle rules in place, the traffic-sharing rules follow. The queue used is Queue Tree:

————————————————————————-
/queue tree add parent=Local queue=pcq-download packet-mark=users
/queue tree add parent=Public queue=pcq-upload packet-mark=users
————————————————————————-

The commands above assume that the bandwidth received from the Internet provider fluctuates. If we are sure of the bandwidth we receive, say 256 kbps downstream and 256 kbps upstream, there are further rules, such as:

For the downstream traffic:
————————————————————————
/queue tree add name=Download parent=Local max-limit=256k
/queue tree add parent=Download queue=pcq-download packet-mark=users
————————————————————————-

And for the upstream traffic:
—————————————————————————
/queue tree add name=Upload parent=Public max-limit=256k
/queue tree add parent=Upload queue=pcq-upload packet-mark=users
—————————————————————————

–[10]– MRTG monitoring via the web

This facility is needed to monitor traffic in graph form, viewable with a browser. MRTG (The Multi Router Traffic Grapher) has been built in such a way that it is easy to use, and it is available in the base package.

Example configuration

————————————————————————-
/ tool graphing
set store-every=5min
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
—————————————————————————

The commands above display graphs of the traffic passing through the network interfaces, both the Public and the Local interface, rendered every 5 minutes. The allow-address parameter also controls which addresses may view these MRTG graphs; with 0.0.0.0/0 as in the example, any address that can reach the router's web service may view them.

–[11]– Security on MikroTik

With the configuration above prepared, we must of course not forget the security of this MikroTik gateway machine; several facilities are available for that. Here the firewall is discussed. In principle the firewall facility resembles IPTABLES on GNU/Linux, only some commands have been simplified while remaining powerful.

In MikroTik the firewall commands live under the IP menu:

[admin@routerku] > /ip firewall

It contains several packet-filter sections such as mangle, nat and filter.

————————————————————————-
[admin@routerku] ip firewall> ?

Firewall allows IP packet filtering on per packet basis.

..             -- go up to ip
mangle/        -- The packet marking management
nat/           -- Network Address Translation
connection/    -- Active connections
filter/        -- Firewall filters
address-list/  --
service-port/  -- Service port management
export         --
————————————————————————–

This time we look at the ip firewall filter configuration.

Because the firewall filter has so many parameters, the complete discussion of the firewall filter can be found in the MikroTik manual at http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

The configuration below blocks several previously known Trojans, viruses and backdoors by the port numbers and protocols they use. It is also configured to hold off flooding from the public network and the local network, and it contains access-control rules so that only a specific address range can remotely access certain services on our MikroTik machine.

Example filter application
—————————————————————————–
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections" disabled=no
add chain=input src-address=!192.168.0.0/27 protocol=tcp src-port=1024-65535 dst-port=8080 action=drop comment="Block to Proxy" disabled=no
add chain=input protocol=udp dst-port=12667 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=27665 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=31335 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=27444 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=34555 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=35555 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=27444 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=27665 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=31335 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=31846 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=34555 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=35555 action=drop comment="Trinoo" disabled=no
add chain=input connection-state=established action=accept comment="Allow Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input src-address=192.168.0.0/27 action=accept comment="Allow access to router from known network" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="allow echo reply" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow net unreachable" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow host unreachable" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=tcp protocol=tcp dst-port=25 action=reject reject-with=icmp-network-unreachable comment="Smtp" disabled=no
add chain=udp protocol=udp dst-port=25 action=reject reject-with=icmp-network-unreachable comment="Smtp" disabled=no
add chain=tcp protocol=tcp dst-port=110 action=reject reject-with=icmp-network-unreachable comment="Pop3" disabled=no
add chain=udp protocol=udp dst-port=110 action=reject reject-with=icmp-network-unreachable comment="Pop3" disabled=no
—————————————————————————–
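Rule order decides everything in a RouterOS filter chain: rules are evaluated top to bottom and the first accept, drop or reject ends the packet's journey, while add-src-to-address-list does not terminate. The Python script below is an added example, not part of the tutorial, that replays a constructed excerpt of the input chain above (same rules, same order, shortened) against a few sample packets, with 203.0.113.5 standing for an Internet host and 192.168.0.7 for a LAN client, and lists the rules that can never be reached. Two things it makes visible: "Allow UDP" accepts any UDP packet from anywhere that the Trinoo rules above it did not drop, so UDP services on the router are protected only by their own settings (for example allow-remote-requests=no on the DNS cache), not by the firewall; and the port-scanner rules of the input chain sit below "Drop anything else" in the same chain, so in the order listed they never see a packet. The model implements only the matchers it needs (src-address with "!" negation, protocol, ports, connection-state); psd, tcp-flags and address-list matchers are treated as not matching.

```python
"""First-match walk-through of a RouterOS /ip firewall filter chain (added example)."""
import ipaddress
import re

# Constructed excerpt of the tutorial's input chain, kept in the tutorial's order.
RULES_TEXT = '''
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input src-address=!192.168.0.0/27 protocol=tcp src-port=1024-65535 dst-port=8080 action=drop comment="Block to Proxy"
add chain=input protocol=udp dst-port=12667 action=drop comment="Trinoo"
add chain=input protocol=udp dst-port=27665 action=drop comment="Trinoo"
add chain=input protocol=tcp dst-port=27665 action=drop comment="Trinoo"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=udp action=accept comment="Allow UDP"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.0.0/27 action=accept comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners"
'''

TERMINATING = {"accept", "drop", "reject"}          # actions that end evaluation of the chain
NON_MATCHERS = {"chain", "action", "comment", "address-list", "address-list-timeout", "reject-with"}
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts (quoted values unquoted)."""
    rules = []
    for line in text.strip().splitlines():
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return rules


def _port_match(spec, port):
    if port is None:
        return False
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _addr_match(spec, addr):
    negate = spec.startswith("!")
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))) != negate


# Matchers this model understands; any other key (psd, tcp-flags, ...) counts as "no match".
MATCHERS = {
    "src-address": lambda v, p: _addr_match(v, p["src"]),
    "protocol": lambda v, p: v == p["protocol"],
    "dst-port": lambda v, p: _port_match(v, p.get("dst_port")),
    "src-port": lambda v, p: _port_match(v, p.get("src_port")),
    "connection-state": lambda v, p: v == p.get("state", "new"),
}


def rule_matches(rule, packet):
    for key, value in rule.items():
        if key in NON_MATCHERS:
            continue
        matcher = MATCHERS.get(key)
        if matcher is None or not matcher(value, packet):
            return False
    return True


def decide(rules, packet, chain="input"):
    """Return (index, comment, action) of the first terminating rule that matches, else None."""
    for idx, rule in enumerate(rules):
        if rule.get("chain") == chain and rule["action"] in TERMINATING and rule_matches(rule, packet):
            return idx, rule.get("comment", ""), rule["action"]
    return None


def unreachable_rules(rules, chain="input"):
    """Indexes of rules placed after a matcher-less terminating rule in the same chain;
    first match wins, so nothing below such a rule is ever evaluated."""
    dead, shadowed = [], False
    for idx, rule in enumerate(rules):
        if rule.get("chain") != chain:
            continue
        if shadowed:
            dead.append(idx)
        elif rule["action"] in TERMINATING and not (set(rule) - NON_MATCHERS):
            shadowed = True
    return dead


RULES = parse_rules(RULES_TEXT)
INTERNET, LAN = "203.0.113.5", "192.168.0.7"   # constructed sample sources (TEST-NET-3 and the LAN)


def packet(src, protocol, dst_port=None, src_port=None, state="new"):
    return {"src": src, "protocol": protocol, "dst_port": dst_port, "src_port": src_port, "state": state}


if __name__ == "__main__":
    for pkt in (packet(INTERNET, "tcp", 3128, 40000), packet(INTERNET, "udp", 161, 40000),
                packet(INTERNET, "tcp", 8080, 40000), packet(LAN, "tcp", 8080, 40000)):
        print(pkt["src"], pkt["protocol"], pkt["dst_port"], "->", decide(RULES, pkt))
    print("unreachable rule indexes:", unreachable_rules(RULES))
```

Feeding the full listing into parse_rules works the same way; the point of the exercise is that a catch-all drop belongs at the very end of its chain, with the detection rules that should add scanners to the address list placed above it.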


–[11.1]– Services, and checking the active services with a port scanner

To be sure which services are active on the MikroTik machine, we need to scan certain ports; if a service is not needed, it is best switched off.

The commands to disable and enable a service are as follows.

First we check which services are active:

———————————————————————————-
[admin@routerku] > ip service
[admin@routerku] ip service> print
Flags: X - disabled, I - invalid
  #   NAME      PORT   ADDRESS       CERTIFICATE
  0 X telnet    23     0.0.0.0/0
  1   ftp       21     0.0.0.0/0
  2   www       80     0.0.0.0/0
  3   ssh       22     0.0.0.0/0
  4   www-ssl   443    0.0.0.0/0     none
[admin@routerku] ip service>
———————————————————————————-

Suppose the FTP service is to be disabled; in the list above it is entry number 1 (see the Flags column), so:

———————————————————————————
[admin@routerku] ip service> set 1 disabled=yes
———————————————————————————

We check again:

———————————————————————————
[admin@routerku] ip service> print
Flags: X - disabled, I - invalid
  #   NAME      PORT   ADDRESS       CERTIFICATE
  0 X telnet    23     0.0.0.0/0
  1 X ftp       21     0.0.0.0/0
  2   www       80     0.0.0.0/0
  3   ssh       22     0.0.0.0/0
  4   www-ssl   443    0.0.0.0/0     none
[admin@routerku] ip service>
———————————————————————————

The FTP service is now disabled.

Using the nmap tool we can check which ports are open on the gateway machine we have configured.

Command: nmap -vv -sS -sV -P0 192.168.0.30

Hasil :

————————————————————————————-Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-04 19:55 SE Asia Standard TimeInitiating ARP Ping Scan at 19:55Scanning 192.168.0.30 [1 port]

Page 129: Copy of 19763026 Tutorial Mikrotik Komplet

Completed ARP Ping Scan at 19:55, 0.31s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:55
Completed Parallel DNS resolution of 1 host. at 19:55, 0.05s elapsed
Initiating SYN Stealth Scan at 19:55
Scanning 192.168.0.30 [1697 ports]
Discovered open port 22/tcp on 192.168.0.30
Discovered open port 53/tcp on 192.168.0.30
Discovered open port 80/tcp on 192.168.0.30
Discovered open port 21/tcp on 192.168.0.30
Discovered open port 3986/tcp on 192.168.0.30
Discovered open port 2000/tcp on 192.168.0.30
Discovered open port 8080/tcp on 192.168.0.30
Discovered open port 3128/tcp on 192.168.0.30
Completed SYN Stealth Scan at 19:55, 7.42s elapsed (1697 total ports)
Initiating Service scan at 19:55
Scanning 8 services on 192.168.0.30
Completed Service scan at 19:57, 113.80s elapsed (8 services on 1 host)
Host 192.168.0.30 appears to be up ... good.
Interesting ports on 192.168.0.30:
Not shown: 1689 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         MikroTik router ftpd 2.9.27
22/tcp   open  ssh         OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99)
53/tcp   open  domain?
80/tcp   open  http        MikroTik router http config
2000/tcp open  callbook?
3128/tcp open  http-proxy  Squid webproxy 2.5.STABLE11
3986/tcp open  mapper-ws_ethd?
8080/tcp open  http-proxy  Squid webproxy 2.5.STABLE11
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=4.20%I=7%D=4/4%Time=4613A03C%P=i686-pc-windows-windows
SF:%r(DNSVersionBindReq,E,"\x0c\x06\x81\x84")%r(DNSStatusRequest,E,"\x0c\x90\x84");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2000-TCP:V=4.20%I=7%D=4/4%Time=4613A037%P=i686-pc-windows-windows
SF:%r(NULL,4,"\x01")%r(GenericLines,4,"\x01")
SF:%r(GetRequest,18,"\x01\x02d?\xe4{\x9d\x02\x1a\xcc\x8b\xd1V\xb2F\xff9\xb0")
SF:%r(HTTPOptions,18,"\x01\x02d?\xe4{\x9d\x02\x1a\xcc\x8b\xd1V\xb2F\xff9\xb0")
SF:%r(RTSPRequest,18,"\x01\x02d?\xe4{\x9d\x02\x1a\xcc\x8b\xd1V\xb2F\xff9\xb0")
SF:%r(RPCCheck,18,"\x01\x02d?\xe4{\x9d\x02\x1a\xcc\x8b\xd1V\xb2F\xff9\xb0")
SF:%r(DNSVersionBindReq,18,"\x01\x02d?\xe4{\x9d\x02\x1a\xcc\x8b\xd1V\xb2F\xff9\xb0")
SF:%r(DNSStatusRequest,4,"\x01")%r(Help,4,"\x01")%r(X11Probe,4,"\x01")
SF:%r(FourOhFourRequest,18,"\x01\x02\xb9\x15&\xf1A]+\x11n\xf6\x9b\xa0,\xb0\xe1\xa5")
SF:%r(LPDString,4,"\x01")%r(LDAPBindReq,4,"\x01")
SF:%r(LANDesk-RC,18,"\x01\x02\xb9\x15&\xf1A]+\x11n\xf6\x9b\xa0,\xb0\xe1\xa5")
SF:%r(TerminalServer,4,"\x010")
SF:%r(NCP,18,"\x01\x02\xb9\x15&\xf1A]+\x11n\xf6\x9b\xa0,\xb0\xe1\xa5")
SF:%r(NotesRPC,18,"\x01\x02\xb9\x15&\xf1A]+\x11n\xf6\x9b\xa0,\xb0\xe1\xa5")
SF:%r(NessusTPv10,4,"\x01");
MAC Address: 00:90:4C:91:77:02 (Epigram)
Service Info: Host: routerku; Device: router

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .

Nmap finished: 1 IP address (1 host up) scanned in 123.031 seconds
Raw packets sent: 1706 (75.062KB) | Rcvd: 1722 (79.450KB)

—————————————————————————

From the scan we can conclude which services and ports are active: FTP (MikroTik router ftpd 2.9.27), SSH (OpenSSH 2.3.0 mikrotik 2.9.27, protocol 1.99, meaning it still negotiates SSH protocol version 1), the web configuration interface on port 80, DNS on port 53, the bandwidth-test server on TCP 2000, and a Squid-based web proxy (Squid webproxy 2.5.STABLE11) on ports 3128 and 8080.

Note what these banners give away: the exact RouterOS build (2.9.27) and the proxy version, which is all an attacker needs to look up known issues for that release. The vendor may well have patched the holes in these protocol versions in later releases, but that only helps if the router is actually updated. In the meantime the practical step is to reduce exposure: disable the services you do not use (/ip service), restrict the rest to management addresses, and make sure the proxy and the DNS resolver are not reachable from the public interface.

–[11.2]– Network administration tools

In practice there are several tools that help with network troubleshooting, such as ping, traceroute, SSH, and so on. The tools used most often in day-to-day administration are:

o Telnet
o SSH
o Traceroute
o Sniffer

a. Telnet
This remote-login command is used much like the telnet found on Linux or Windows.

[admin@routerku] > system telnet ?

The command above gives a quick look at the available parameters. For example, to reach a remote machine with IP address 192.168.0.21 on port 23:

[admin@routerku] > system telnet 192.168.0.21

Use of telnet should be limited to specific situations, for security reasons: as we know, data sent over telnet is not encrypted, passwords included, so anyone able to sniff the path sees it in the clear. To be safer, use SSH.

b. SSH
Like telnet, this command is used to log in to a remote machine, and its parameters follow the same pattern as the ssh commands on Linux and Windows.

[admin@routerku] > system ssh 192.168.0.21

The SSH parameters differ slightly from telnet: the help output shows an extra parameter, user.

——————————————————————————
[admin@routerku] > system ssh ?
The SSH feature can be used with various SSH Telnet clients to securely connect
to and administrate the router

<address> --
user -- User name
port -- Port number

[admin@routerku] >
——————————————————————————

Suppose we want to log in to a machine running Linux, with the account username root and password 123456, at address 66.213.7.30. The command is:

—————————————————————————–
[admin@routerku] > system ssh 66.213.7.30 user=root
root@66.213.7.30's password:
—————————————————————————-

c. Traceroute

To find out which hops or routers a packet passes through on its way to the destination we normally use traceroute. With this tool you can analyse where a packet is routed.

For example, to see the path packets take towards the yahoo server:

—————————————————————————-
[admin@routerku] > tool traceroute yahoo.com
     ADDRESS          STATUS
  1  63.219.6.nnn     00:00:00 00:00:00 00:00:00
  2  222.124.4.nnn    00:00:00 00:00:00 00:00:00
  3  192.168.34.41    00:00:00 00:00:00 00:00:00
  4  61.94.1.253      00:00:00 00:00:00 00:00:00
  5  203.208.143.173  00:00:00 00:00:00 00:00:00
  6  203.208.182.5    00:00:00 00:00:00 00:00:00
  7  203.208.182.114  00:00:00 00:00:00 00:00:00
  8  203.208.168.118  00:00:00 00:00:00 00:00:00
  9  203.208.168.134  timeout  00:00:00 00:00:00
 10  216.115.101.34   00:00:00 timeout  timeout
 11  216.115.101.129  timeout  timeout  00:00:00
 12  216.115.108.1    timeout  timeout  00:00:00
 13  216.109.120.249  00:00:00 00:00:00 00:00:00
 14  216.109.112.135  00:00:00 timeout  timeout
——————————————————————————

d. Sniffer

We can capture and inspect the packets travelling on our network; MikroTik provides this tool, which is useful for traffic analysis.

—————————————————————————-
[admin@routerku] > tool sniffer
Packet sniffering

..          -- go up to tool
start       -- Start/reset sniffering
stop        -- Stop sniffering
save        -- Save currently sniffed packets
packet/     -- Sniffed packets management
protocol/   -- Protocol management
host/       -- Host management
connection/ -- Connection management
print       --
get         -- get value of property
set         --
edit        -- edit value of property
export      --
—————————————————————————-

To start sniffing use the start command; to stop it use the stop command.


[admin@routerku] > tool sniffer start

Sniffing is now running; wait a while, then type stop to end it. The captured packets can be viewed with print and written to a file with save (export, as the menu above shows, exports configuration rather than packets). Remember that the router only sees traffic that passes through its own interfaces, and that a capture of telnet or FTP sessions contains plaintext passwords, so treat saved capture files as sensitive.

–[12]– Conclusion

For small to medium-sized networks this product from Latvia is a worthwhile option. I am not here to promote the product, only to give a picture of how it can be used for various needs, and as an alternative to similar products that tend to be expensive.

With MikroTik now widely deployed at wireless ISPs, internet cafes and a number of companies, network administration can be simpler and easier. And if you only want the routing features, your old PC will do.

Hopefully the explanation above helps readers understand what MikroTik is and how it works.

–[13]– References

This article is a compilation from various sources

1. Web blogs
   - http://dhanis.web.id
   - http://okawardhana.web.id
   - http://harrychanputra.web.id

2. Websites
   - http://www.cgd.co.id
   - http://www.ilmukomputer.org
   - http://www.mikrotik.com
   - http://www.mikrotik.co.id
   - http://forum.mikrotik.com

oO Using no way as a way, Using no limitations as a limitation Oo

Regards and thanks,
r0t0r <[email protected]>
———————————————————————–
Copyleft Unreserved by Law 1995 - 2007 Kecoak Elektronik Indonesia
http://www.kecoak-elektronik.net

.A.P.P.E.N.D.I.X.

List of ports and protocols used by various trojans, backdoors and viruses. This list may no longer be accurate, and will need additions as the malware evolves. Keep the filter rules on your MikroTik box up to date.

Name | Port(s) | Protocol
2000 Cracks | 6776 | TCP
Acid Battery | 32418 | TCP
Acid Battery 2000 | 52317 | TCP
Acid Shivers | 10520 | TCP
Agent 31 | 31 | TCP
Agent 40421 | 40421 | TCP
Aim Spy | 777 | TCP
Ajan | 25 | TCP
Ambush | 10666 | UDP
AntiGen | 25 | TCP
AOL Trojan | 30029 | TCP
Attack FTP | 666 | TCP
Back Construction | 666/5400/5401 | TCP
Back Door Setup | 5000/5001/7789 | TCP
Back Orifice | 31337/31338 | UDP
Back Orifice 2000 | 8787/54320/54321 | TCP
Back Orifice DLL | 1349 | UDP
BackDoor | 1999 | TCP
BackDoor-G | 1243/6776 | TCP
BackDoor-QE | 10452 | TCP
BackDoor-QO | 3332 | TCP
BackDoor-QR | 12973/12975 | TCP
BackFire | 31337 | UDP
Baron Night | 31337 | TCP
Big Gluck (TN) | 34324 | TCP
BioNet | 12349 | TCP
Bla | 1042/20331 | TCP
Black Construction | 21 | TCP
Blade Runner | 21/5400-5402 | TCP
BO client | 31337 | TCP
BO Facil | 5556/5557/31337 | TCP
Bo Wack | 31336 | TCP
BoBo | 4321 | TCP
BOWhack | 31666 | TCP
BrainSpy | 10101 | TCP
Bubbel | 5000 | TCP
BugBear | 36794 | TCP
Bugs | 2115 | TCP
Bunker-Hill | 61348/61603/63485 | TCP
Cain e Abel | 666 | TCP
Chargen | 9 | UDP
Chupacabra | 20203 | TCP
Coma | 10607 | TCP
Cyber Attacker | 9876 | TCP
Dark Shadow | 911 | TCP
Death | 2 | TCP
Deep Back Orifice | 31338 | UDP
Deep Throat | 41/2140/3150/6771 | TCP
Deep Throat v2 | 2140/3150/6670/6711/60000 | TCP
Deep Throat v3 | 6674 | TCP
DeepBO | 31337 | UDP
DeepThroat | 999 | TCP
Delta Source | 26274 | UDP
Delta Source | 47262 | UDP
Der Spacher 3 | 1000/1001/2000/2001 | TCP
Devil | 65000 | TCP
Digital RootBeer | 2600 | TCP
DMsetup | 58/59 | TCP
DNS | 53 | TCP
Doly Trojan | 21/1010-1012/1015 | TCP
Donald Dick | 23476/23477 | TCP
DRAT | 48/50 | TCP
DUN Control | 12623 | UDP
Eclipse 2000 | 3459 | TCP
Eclypse | 3801 | UDP
Email Password Sender | 25 | TCP
Evil FTP | 23456 | TCP
Executer | 80 | TCP
File Nail | 4567 | TCP
Firehotcker | 79/5321 | TCP
Fore | 21/50766 | TCP
FTP - Trojan | 21 | TCP
FTP99cmp | 1492 | TCP
Gaban Bus | 12345/12346 | TCP
Gate Crasher | 6969/6970 | TCP
GirlFriend | 21554 | TCP
Gjamer | 12076 | TCP
Hack '99 KeyLogger | 12223 | TCP
Hack 'a' Tack | 31780/31785/31787-31789 | TCP
Hack 'a' Tack | 31791/31792 | UDP
HackCity Ripper Pro | 2023 | TCP
Hackers Paradise | 31/456 | TCP
HackOffice | 8897 | TCP
Haebu Coceda | 25 | TCP
Happy 99 | 25/119 | TCP
Hidden Port | 99 | TCP
Hooker | 80 | TCP
Host Control | 6669/11050 | TCP
HVL Rat5 | 2283 | TCP
icKiller | 7789 | TCP
ICQ | 1027/1029/1032 | TCP
ICQ Revenge | 16772/19864 | TCP
ICQ Trojan | 4590 | TCP
Illusion Mailer | 2155/5512 | TCP
InCommand | 9400 | TCP
Indoctrination | 6939 | TCP
Infector | 146 | TCP
Infector | 146 | UDP
iNi-Killer | 555/9989 | TCP
Insane Network | 2000 | TCP
Invisible FTP | 21 | TCP
IRC-3 | 6969 | TCP
JammerKillah | 121 | TCP
Kazimas | 113/7000 | TCP
Kuang2 | 25/17300/30999 | TCP
Larva | 21 | TCP
Logged | 20203 | TCP
Masters' Paradise | 31/3129/40421-40423/40425-40426 | TCP
Mavericks Matrix | 1269 | TCP
Millenium | 20000-20001 | TCP
MiniCommand | 1050 | TCP
Mosucker | 16484 | TCP
Nephron | 17777 | TCP
Net Administrator | 21/555 | TCP
Net Controller | 123 | TCP
Netbios datagram (DoS Attack) | 138 | TCP
Netbios name (DoS Attack) | 137 | TCP
Netbios session (DoS Attack) | 139 | TCP
NetBus | 12345-12346 | TCP
NetBus Pro | 20034 | TCP
NetMetropolitan | 5031 | TCP
NetMonitor | 7300-7301/7306-7308 | TCP
NetRaider | 57341 | TCP
NETrojan | 1313 | TCP
NetSphere | 30100-30103 | TCP
NetSpy | 1024/1033/31338-31339 | TCP
NewApt | 25 | TCP
NoBackO | 1200-1201 | UDP
One of the Last Trojan (OOTLT) | 5011 | TCP
OpC BO | 1969 | TCP
PC Crasher | 5637-5638 | TCP
Phase Zero | 555 | TCP
Phineas Phucker | 2801 | TCP
Pie Bill Gates | 12345 | TCP
Portal of Doom | 3700/9872-9875 | TCP
Portal of Doom | 10067/10167 | UDP
Priority | 6969/16969 | TCP
Progenic | 11223 | TCP
ProMail Trojan | 25/110 | TCP
Prosiak | 22222/33333 | TCP
Psyber Stream Server | 1024/1170/1509/4000 | TCP
Rasmin | 531/1045 | TCP
RAT | 1095/1097-1099/2989 | TCP
RC | 65535 | TCP
Rcon | 8989 | TCP
Remote Grab | 7000 | TCP
Remote Windows Shutdown | 53001 | TCP
RingZero | 80/3128/8080 | TCP
Robo-Hack | 5569 | TCP
Satanz backDoor | 666 | TCP
ScheduleAgent | 6667 | TCP
School Bus | 54321 | TCP
Schwindler | 21554/50766 | TCP
Secret Agent | 11223 | TCP
Secret Service | 605/6272 | TCP
Senna Spy FTP Server | 21/11000/13000 | TCP
ServeMe | 5555 | TCP
ServeU | 666 | TCP
Shadow Phyre | 666 | TCP
Shit Heep | 6912 | TCP
ShockRave | 1981 | TCP
Shtirlitz | 25 | TCP
Sivka-Burka | 1600 | TCP
SK Silencer | 1001 | TCP
Socket25 | 30303 | TCP
Sockets de Troie | 5000-5001/30303/50505 | TCP
SoftWAR | 1207 | TCP
Spirit 2001a | 33911 | TCP
SpySender | 1807 | TCP
Stealth | 25 | TCP
Stealth Spy | 555 | TCP
Streaming Audio trojan | 1170 | TCP
Striker | 2565 | TCP
SubSeven | 1243/2773/6711-6713/6776/7000/7215/27374/27573/54283 | TCP
SubSeven Apocalypse | 1243 | TCP
Syphillis | 10086 | TCP
Tapiras | 25 | TCP
TCP Wrappers | 421 | TCP
TeleCommando | 61466 | TCP
Terminator | 25 | TCP
Terror Trojan | 3456 | TCP
The Invasor | 2140/3150 | TCP
The Prayer | 2716/9999 | TCP
The Spy | 40412 | TCP
The Thing | 6000/6400 | TCP
The Traitor | 65432 | TCP
The Traitor | 65432 | UDP
The Trojan Cow | 2001 | TCP
The Unexplained | 29891 | UDP
Tiny Telnet Server | 23/34324 | TCP
TransScout | 1999-2005/9878 | TCP
Trinoo | 34555/35555 | UDP
Truva Atl | 23 | TCP
Ugly FTP | 23456 | TCP
Ultor's Trojan | 1234 | TCP
Vampire | 1020 | TCP
Vampyre | 6669 | TCP
Virtual Hacking Machine | 4242 | TCP
Voice | 1024/1170/4000 | TCP
Voodoo Doll | 1245 | TCP
Wack-a-mole | 12361-12362 | TCP
Web Ex | 21/1001 | TCP
WhackJob | 12631/23456 | TCP
WinCrash | 21/2583/3024/4092/5714/5741-5742 | TCP
WinGate (socks-proxy) | 1080 | TCP
WinHole | 1080/1082 | TCP
WinNuke | 135/139 | TCP
WinPC | 25 | TCP
WinSatan | 999 | TCP
WinSpy | 25 | TCP
X-bill | 12345-12346 | TCP
Xplorer | 2300 | TCP
Xtcp | 5550 | TCP
Xtreme | 1090 | TCP
YAT | 37651 |
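To turn a list like this into firewall rules without hand-typing hundreds of ports, the following Python script (an added example, not code from the tutorial or from MikroTik) parses "name port(s) protocol" lines of the shape used above, leaves out ports that also carry legitimate services, and emits /ip firewall filter commands with collapsed port lists. PORT_TABLE is a constructed subset of the appendix and SERVICE_PORTS is an assumed allow-list you should adjust to your network; the point of the allow-list is that dropping 21, 25, 53, 80, 139, 1080, 3128 or 8080 because a trojan once used them would break FTP, mail, DNS, the web and the router's own proxy long before it stops any malware.

```python
"""Convert a trojan port table into compact RouterOS forward-chain drop rules.

Added example, not the tutorial's own code. PORT_TABLE is a constructed
subset of the appendix; SERVICE_PORTS is an assumed allow-list.
"""
import re

# Constructed subset of the appendix, one entry per line: name, ports, protocol.
PORT_TABLE = """\
Back Orifice 31337/31338 UDP
Back Orifice 2000 8787/54320/54321 TCP
Deep Throat 41/2140/3150/6771 TCP
DNS 53 TCP
Doly Trojan 21/1010-1012/1015 TCP
NetBus 12345-12346 TCP
RingZero 80/3128/8080 TCP
SubSeven 1243/2773/6711-6713/6776/7000/7215/27374/27573/54283 TCP
Trinoo 34555/35555 UDP
WinGate (socks-proxy) 1080 TCP
"""

# Assumed allow-list: ports your network legitimately uses. Tune it.
SERVICE_PORTS = {21, 22, 23, 25, 53, 80, 110, 113, 119, 123, 135, 137, 138,
                 139, 443, 1080, 3128, 8080}

# name (may contain digits/spaces), then ports like 21/1010-1012/1015, then proto
ENTRY_RE = re.compile(
    r"^(?P<name>.+?)\s+"
    r"(?P<ports>\d+(?:-\d+)?(?:/\d+(?:-\d+)?)*)\s+"
    r"(?P<proto>TCP|UDP)$")


def parse_table(text):
    """Yield (name, set_of_ports, proto) for each well-formed line."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # lines without a port/protocol pair are skipped
        ports = set()
        for item in m.group("ports").split("/"):
            lo, _, hi = item.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
        yield m.group("name"), ports, m.group("proto").lower()


def collapse(ports):
    """Sorted ports -> 'a,b-c,d', the form dst-port= accepts."""
    out, run = [], []

    def flush():
        if run:
            out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))

    for p in sorted(ports):
        if run and p == run[-1] + 1:
            run.append(p)
        else:
            flush()
            run = [p]
    flush()
    return ",".join(out)


def build_rules(text, allow=SERVICE_PORTS, chunk=15):
    """Return RouterOS commands: one drop rule per protocol per chunk of ports.

    The chunk size only keeps each rule readable; RouterOS accepts long lists.
    """
    by_proto = {"tcp": set(), "udp": set()}
    for _, ports, proto in parse_table(text):
        by_proto[proto] |= ports - allow  # never block a port we rely on
    rules = []
    for proto, ports in by_proto.items():
        ordered = sorted(ports)
        for i in range(0, len(ordered), chunk):
            rules.append(
                f"/ip firewall filter add chain=forward protocol={proto} "
                f"dst-port={collapse(ordered[i:i + chunk])} action=drop "
                f'comment="trojan ports ({proto})"')
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(PORT_TABLE)))
```

Paste the printed lines into the router terminal; with the constructed table above you get two TCP rules and one UDP rule, and 21, 53, 80, 1080, 3128 and 8080 never appear in them.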

########## Brute-force limiting ##########################################
/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-limit=1,32 action=add-src-to-address-list address-list=ssh_logins address-list-timeout=2m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=!ssh_logins action=accept comment="" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_logins action=drop comment="" disabled=no
add chain=forward src-address=192.168.1.10 protocol=tcp src-port=21 content="password incorrect" action=add-dst-to-address-list address-list=ftp_logins address-list-timeout=1m comment="" disabled=no
add chain=forward src-address-list=ftp_logins action=drop comment="" disabled=no
##########################################################################

How this works: connection-limit=1,32 matches as soon as one source address (/32) already holds more than one SSH connection, so a second parallel connection puts that address on ssh_logins for two minutes; the accept rule then only lets through sources that are not listed, and the drop rule (missing from the original, which therefore never blocked anything) discards the rest. An administrator who opens two sessions at once trips it as well. The FTP pair watches replies from the LAN FTP server 192.168.1.10 for the text "password incorrect" (check the exact 530 message your server sends; many say "Login incorrect") and drops the offending client for one minute.

Blocking specific URLs can be done on MikroTik. If the web-proxy package is installed and the web proxy has been configured, the commands below can be added.

Keep the URL list below up to date according to your own needs.

### Block specific URLs with the web-proxy access list. Find the URLs you want to block yourself ######

/ip web-proxy access
add url="ds.eyeblaster.com" action=deny comment="" disabled=no
add url="duolaimi.net" action=deny comment="" disabled=no
add url="dutch-sex.com" action=deny comment="" disabled=no
add url="dvdbank.org" action=deny comment="" disabled=no
add url="eager-sex.com" action=deny comment="" disabled=no
add url="eases.net" action=deny comment="" disabled=no
add url="easyantispy.com" action=deny comment="" disabled=no
add url="easycategories.com" action=deny comment="" disabled=no
add url="easy-search.net" action=deny comment="" disabled=no
add url="ecosrioplatenses.org" action=deny comment="" disabled=no
add url="ecstasyporn.net" action=deny comment="" disabled=no
add url="ehg-bestbuy.hitbox.com" action=deny comment="" disabled=no
add url="ehg-dig.hitbox.com" action=deny comment="" disabled=no
add url="ehg-espn.hitbox.com" action=deny comment="" disabled=no
add url="ehg-intel.hitbox.com" action=deny comment="" disabled=no
add url="ehg-macromedia.hitbox.com" action=deny comment="" disabled=no

################################################################

This entry was written by Yoyok Riawan and posted on June 2, 2007 at 11:53 pm, filed under Mikrotik, Networking, Security.


Tutorial: setting up MikroTik RouterOS as a PPPoE client gateway for Telkom Speedy

Honestly I still do not know MikroTik all that well; I am just trying to share my experience here. Hopefully it is useful.


We start by setting up the ADSL modem in bridging mode. The settings can be found in the manual of each modem. As an example, bridging on a TE-COM AR1031 modem is set under Advanced Setup > WAN. Follow the steps shown in the screenshot, then save/reboot.

With the modem in bridge mode it no longer stores your user ID and password. If you want to change the modem's default IP address, do that first from a client PC: change the modem IP under Advanced Setup > LAN IP Address, for example to 10.10.10.1, then save/reboot. Then change the client PC's IP to 10.10.10.2. Now try entering the modem IP (10.10.10.1) in your web browser. Works? Then on to the MikroTik RouterOS box.

Decide the IP address of each LAN card, for example 10.10.10.2 on the card connected to the modem (public) and 192.168.1.1 on the card facing your local network (lokal). Run these commands first if you want to give the ethernet cards descriptive names.

/interface ethernet set ether1 name=public
/interface ethernet set ether2 name=lokal

Double-check the names against the cabling, then continue with the IP addresses.

/ip address add address=10.10.10.2/24 interface=public
/ip address add address=192.168.1.1/24 interface=lokal
/ip address print

Make sure the LAN cards are not disabled.

Next, add the PPPoE client entry.

/interface pppoe-client add name=pppoe-user-mike user=mike password=123 interface=public service-name=internet disabled=no

The command above can also be done in WinBox, which is easier while you check the network connection to the MikroTik at the same time.

Set the gateway and routing, then masquerading.

/ip route add gateway=125.168.125.1
/ip route print

(125.168.125.1 stands for your own Telkom Speedy gateway IP.)


Your gateway IP will not necessarily be the same; check the address your PPPoE client received first. If you are not 100% sure about your client IP and gateway, dial in from the modem itself first (not in bridging mode as above): the Device Info page shows the default gateway and your PPPoE client IP. Alternatively, let the PPPoE client install the route for you by setting add-default-route=yes on it; that also survives the provider changing the gateway. Next, masquerading: the routed traffic from every connected client is handed to the MikroTik NAT firewall and rewritten to the public address.

/ip firewall nat add chain=srcnat out-interface=pppoe-user-mike action=masquerade

Done, the routing stage is complete. Try pinging the MikroTik and its gateway. If you want to share the connection with client computers, do not forget to set the gateway in their Network Connection settings (Windows) to the MikroTik's local IP. The out-interface on the masquerade rule restricts it to traffic leaving through the PPPoE link; without it the rule also rewrites traffic between local networks.

There are many MikroTik settings you can learn from various sources. If the typing feels too complicated you can do it in WinBox mode; any tutorial you need can be copied and pasted into MikroTik's WinBox terminal.

Setting up DNS and a transparent web proxy

Entering the DNS and web-proxy settings is also easier in WinBox mode: fill in the primary and secondary server and tick allow remote requests, or use the commands in the WinBox terminal. Be aware that allow-remote-requests makes the router answer DNS queries for anyone who can reach it; the scan earlier in this document found port 53 open, so block UDP and TCP 53 from the public interface in the input chain unless you want to run an open resolver.

/ip dns set primary-dns=203.130.206.250 secondary-dns=202.134.2.5 allow-remote-requests=yes

/ip web-proxy set enabled=yes port=8080 hostname=proxy.koe transparent-proxy=yes
/ip firewall nat add chain=dstnat in-interface=lokal protocol=tcp dst-port=80 dst-address=!192.168.1.0/24 action=redirect to-ports=8080

The redirect is limited to in-interface=lokal and to destinations outside the LAN (the original wrote the network as 192.168.1.1/24; the network address is 192.168.1.0/24). The proxy port itself must still be blocked from the public side, otherwise you are running an open proxy; the scan earlier found both 3128 and 8080 reachable.

Firewall links for MikroTik:
http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php
http://wiki.mikrotik.com/wiki/Firewall

Hope this helps.

Do not forget to set the client gateway IP to 192.168.1.1 so that clients connect through your MikroTik server, and my thanks to "kadhol", who once took the time to give me a step-by-step MikroTik router setup tutorial for newbies.


There are several Speedy modems I come across regularly, among them Sanex and Aztech. Setting up these two turns out not to be that hard; it just takes care and some sharing. The steps for setting up a Sanex Speedy modem are:
1. After fitting the splitter correctly, one splitter output goes to the telephone line and the other to the Speedy modem.
2. Make sure your telephone line has been activated by Speedy/Telkom; the link LED on the modem lights up when it has.

3. Plug a straight cable from the modem into the PC's LAN port, then set the computer's IP address: Start menu, Control Panel, Network Connections, double-click the connection icon, choose Properties, select Internet Protocol (TCP/IP) and click the Properties button below it. Choose "use the following IP address", enter 192.168.1.5 (the subnet mask fills itself in when you click the default gateway field), set the default gateway to 192.168.1.1, preferred DNS 192.168.1.1 and alternate DNS 202.134.0.155, then click OK and OK.

Next, the ADSL modem settings: open Internet Explorer or another browser and go to 192.168.1.1, the usual default IP for a Sanex modem (or check the manual). Log in with username admin and password admin, or again check the manual. You land on the modem settings page. Choose the WAN menu and click Select in the Current ATM VC Table. Fill in VPI=8 and VCI=81. Channel mode offers several options:

• 1483 Bridge: choose this if you want to dial up Speedy from your computer, making the ADSL modem a plain bridge.

• PPPoE: with this choice you are asked for the Speedy username and password, which means the modem does the dialling. Under Connection type there are: Continuous (the modem dials automatically when powered on), Connect On Demand (the modem dials only when needed) and Manual (you dial the modem yourself via Status -> WAN, Connect).

A small suggestion: if you are on a Speedy personal package, choose channel mode 1483 Bridge, or PPPoE with connection type Manual, so that your Speedy bill does not explode, hee....


When done, click the Modify button at the bottom and then Commit/Reboot; the Speedy modem restarts itself.

If you do not restart the modem, it usually reverts to its default settings when powered off and on again. If you chose the PPPoE channel mode, the setup ends here and you only need to connect: click the Status menu, then Connect.

If you chose channel mode 1483 Bridge, you have to create a Speedy dial-up connection on your computer:

Go to Control Panel, Network Connections, and on the side of the window pick Create a New Connection. Click Next, choose Connect to the Internet, then Set up my connection manually, then the middle option (a connection that always asks for a username and password). Give the connection a name such as Speedy, click Next, enter your Speedy username and password, repeat the password in Confirm password, click Next and tick Add a shortcut to put a Speedy shortcut on the desktop. Click Finish and you are done. You can now dial up Speedy.

For other modem brands the settings are not much different; have a go...

happy surfing...

Blocking IPs that try to log in to MikroTik

It is annoying when someone keeps trying to log in to the router, especially with BRUTE FORCE. I have experienced this myself: on a MikroTik RouterOS box I once set up, some 300 login attempts via FTP were recorded :P Out of irritation, I tried blocking the IPs making those attempts.

CODE
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=22 src-address-list=blacklist action=drop

# accept 10 incorrect logins per minute
/ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

# add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=blacklist address-list-timeout=23h

The meaning of the code above: dst-limit=1/1m,9 lets ten failed logins per minute through (rate 1 plus burst 9); an address that exceeds that within the same minute is put on the blacklist (address-list=blacklist) and banned for 23 hours (address-list-timeout=23h). Two things to check: the content rules watch the router's own output chain for the FTP server's "530 Login incorrect" reply, so they only protect the FTP service running on the MikroTik itself, not a server behind it; and the drop rule must name the same list the add rule fills (blacklist). The original had ftp_blacklist in the drop rule and blacklist in the add rule, so nothing was ever dropped.

To cover a range of ports, edit this part

CODE
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=22 src-address-list=blacklist action=drop

into

CODE
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21-23 src-address-list=blacklist action=drop

Fill in the ports you actually use in your router settings; the ports above are the standard ones for FTP, SSH and telnet.

Saving files in the MikroTik web-proxy cache

A tip to speed up browsing and video downloads on client computers using the MikroTik web-proxy server.

One function of the web proxy is to keep pages and their content in the proxy cache, so that when a client requests the same page more than once the proxy serves it from cache instead of fetching it again from the outside network (the internet), and internet access feels faster. To also keep files such as videos, images and any other types you want, e.g. *.exe, *.zip and so on, use the script below on the MikroTik server. The first rule is a regular expression (the leading colon marks it as one); the original listed the extensions separated by spaces, which would never match, so it is written here as one alternation. Bear in mind that caching executables means one downloaded copy is handed to every client: if a download is malicious or tampered with, the cache serves it to everyone, so if in doubt cache only static media.

/ip web-proxy cache
add url=":\\.(flv|zip|exe|jpg|gif|bmp|tiff|png)\$" action=allow comment="Simpan Cache File" disabled=no
add url="http*youtube*get_video*" action=allow comment="Simpan Cache Pages" disabled=no

Blocking the IPs and ports of Camfrog messenger

To block this software you can block the following domain and IP addresses with either squid or iptables:
- login.camfrog.com
- 66.77.107.71
- 63.236.61.148
- 74.55.217.80
The ports to block are 2778, 6005 and 2112. Below is an example of blocking outgoing/forwarded packets on a MikroTik server and on Linux. These addresses were current when this was written; a service can move at any time, so check what login.camfrog.com resolves to before relying on the list.

MIKROTIK
/ip firewall filter add chain=forward dst-address=66.77.107.71 action=drop disabled=no
/ip firewall filter add chain=forward dst-address=63.236.61.148 action=drop disabled=no
/ip firewall filter add chain=forward dst-address=74.55.217.80 action=drop disabled=no

LINUX
/sbin/iptables -A FORWARD -d 66.77.107.71 -j DROP
/sbin/iptables -A FORWARD -d 63.236.61.148 -j DROP
/sbin/iptables -A FORWARD -d 74.55.217.80 -j DROP

(The original used a chain called OUTGOING, which does not exist by default. On a Linux gateway the clients' traffic passes through FORWARD; OUTPUT only covers the box's own connections.)

FTP brute force on MikroTik

[xco@rouTer] ip firewall filter> add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
[xco@rouTer] ip firewall filter> add chain=output protocol=tcp content="530 Login Incorrect" dst-limit=1/1m,9,dst-address/1m action=accept
[xco@rouTer] ip firewall filter> add chain=output protocol=tcp content="530 Login Incorrect" address-list=ftp_blacklist address-list-timeout=3h action=add-dst-to-address-list

The order matters: the dst-limit accept rule must come before the add-to-list rule, otherwise every first failed login is blacklisted.


Preventing SSH brute force

/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
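The following Python model covers both brute-force patterns on this page: the SSH stage ladder just above and the FTP "530 Login incorrect" rules earlier. It is an added example, not code from the tutorial or from MikroTik. It mimics address-list entries that expire after their timeout and walks the rules in the order the page lists them, treating add-src/add-dst-to-address-list as non-terminating actions (the RouterOS behaviour that makes the stage3-first ordering work: a connection can only climb one step per stage rule it matches). The client addresses and timings are constructed, and dst-limit=1/1m,9 is modelled as an assumed ten-token bucket refilling one token per minute, matching the page's own reading of "10 incorrect logins per minute".

```python
"""Model of the SSH stage ladder and the FTP dst-limit blacklist rules.

Added example, not the tutorial's own code. Times are in seconds; the
dst-limit model is a simplified token bucket (an assumption, see lead-in).
"""

MINUTE = 60
HOUR = 60 * MINUTE
DAY = 24 * HOUR


class AddressLists:
    """/ip firewall address-list: list name -> {address: expiry time}."""

    def __init__(self):
        self._lists = {}

    def add(self, name, addr, now, timeout):
        """Add or refresh addr in list name; it expires at now + timeout."""
        self._lists.setdefault(name, {})[addr] = now + timeout

    def contains(self, name, addr, now):
        expiry = self._lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now


def ssh_new_connection(lists, src, now):
    """One new TCP/22 connection from src, run through the five input rules.

    Returns 'drop' if src is blacklisted, otherwise 'accept' (no later rule
    drops). The add-src rules do not terminate processing, so each stage rule
    that matches fires, in the page's order: stage3 -> blacklist, stage2 ->
    stage3, stage1 -> stage2, then the catch-all puts everyone in stage1.
    """
    if lists.contains("ssh_blacklist", src, now):
        return "drop"
    if lists.contains("ssh_stage3", src, now):
        lists.add("ssh_blacklist", src, now, 10 * DAY)
    if lists.contains("ssh_stage2", src, now):
        lists.add("ssh_stage3", src, now, MINUTE)
    if lists.contains("ssh_stage1", src, now):
        lists.add("ssh_stage2", src, now, MINUTE)
    lists.add("ssh_stage1", src, now, MINUTE)
    return "accept"


class FtpFailureLimiter:
    """The two output-chain rules matching '530 Login incorrect' replies.

    dst-limit=1/1m,9,dst-address/1m is modelled per client as a bucket of
    CAPACITY tokens (rate 1/min plus burst 9) refilling one token per minute;
    while a token is available the reply matches the accept rule, otherwise
    it falls through to add-dst-to-address-list blacklist (23h).
    """

    CAPACITY = 10
    REFILL_PER_SEC = 1 / MINUTE

    def __init__(self, lists):
        self.lists = lists
        self._buckets = {}  # client -> (tokens, last update time)

    def login_failed(self, client, now):
        tokens, last = self._buckets.get(client, (self.CAPACITY, now))
        tokens = min(self.CAPACITY, tokens + (now - last) * self.REFILL_PER_SEC)
        if tokens >= 1:
            self._buckets[client] = (tokens - 1, now)
            return "accept"
        self._buckets[client] = (tokens, now)
        self.lists.add("blacklist", client, now, 23 * HOUR)
        return "blacklisted"


def ftp_new_connection(lists, src, now):
    """The input rule: drop TCP/21 from anything on the blacklist."""
    return "drop" if lists.contains("blacklist", src, now) else "accept"


def demo():
    """Run three constructed scenarios and return their outcomes."""
    lists = AddressLists()
    # Scenario 1: an attacker opens five SSH connections 10 s apart.
    ssh_results = [ssh_new_connection(lists, "203.0.113.9", 10 * i) for i in range(5)]
    # Scenario 2: a patient client connects once every two minutes.
    slow_results = [ssh_new_connection(lists, "198.51.100.7", 120 * i) for i in range(10)]
    # Scenario 3: twelve failed FTP logins within one minute, then a reconnect.
    limiter = FtpFailureLimiter(lists)
    ftp_results = [limiter.login_failed("203.0.113.9", 5 * i) for i in range(12)]
    ftp_after = ftp_new_connection(lists, "203.0.113.9", 70)
    return ssh_results, slow_results, ftp_results, ftp_after


if __name__ == "__main__":
    for name, value in zip(("ssh", "slow ssh", "ftp", "ftp reconnect"), demo()):
        print(name, value)
```

The model shows the thresholds the rules actually enforce: the fourth new SSH connection inside the one-minute window lands the source on ssh_blacklist (the fifth is dropped), a client that spaces its connections more than a minute apart is never escalated, and for FTP the eleventh failed login in a minute is what triggers the 23-hour ban.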

Building a web server on a Speedy connection behind MikroTik

My layout for the web server is:

Modem Linksys AG241 -> Mikrotik -> Web Server (windows[WAMP]).

with the following IP configuration (the original listed 192.168.1.200 for ether2 as well, but rule 1 and step e below use 192.168.1.1 for the MikroTik's LAN side; two hosts cannot share an address):

1.0.0.1 [modem] -> 1.0.0.2 [ether1] – [mikrotik] – 192.168.1.1 [ether2] -> 192.168.1.200 [webserver]

1. First set up port forwarding on the Linksys modem for all ports 0 - 65535.

a. open the modem's setup page (1.0.0.1)

b. go to Applications and Gaming and choose the Port Range Forwarding tab.

c. enter an application name, in this example 'All Ports', and the range 0 - 65535.

d. enter the MikroTik router's IP in the box next to it; in this example my MikroTik's IP is 1.0.0.2

e. enable the rule.

2. Configure src-nat and dst-nat on MikroTik.

a. MikroTik NAT rules

0 ;;; WEBSERVER
  chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=80 protocol=tcp dst-address=1.0.0.2 dst-port=12

1 chain=srcnat action=src-nat to-addresses=192.168.1.1 to-ports=0-65535 protocol=tcp dst-address=192.168.1.200 dst-port=80

b. In the example above I opened the web server on port 12; change dst-port in rule 0 if you want to expose the web server on, say, port 2711 instead.

c. In rule 0, set to-addresses to your web server's local IP; in the example it is 192.168.1.200.

d. Set dst-address in rule 0 to your MikroTik's local IP [on LAN card 1].

e. In rule 1, set to-addresses to your MikroTik's local IP [on LAN card 2] and dst-address to your web server's local IP.

OK, if you followed the settings above exactly, visit http://ip-public-speedy-anda/ on port 12, i.e. http://ip-public-speedy-anda:12/

This way you can run as many web servers as you like on one public IP, each on its own port.

*Info: if you want to open port 80 for the web server, first move MikroTik's own www service in IP > Services to a port other than 80.

*PS: as a security note, think carefully about whether you really need to forward the whole range 0 – 65535; I had the ports open for 15 minutes and my MikroTik's SSH was already being brute-forced, from who knows where :p.

MikroTik script and scheduler: disable a user by day, enable it at night

At my internet café there is an operator who likes to download at night and asked for exclusive access to the café's MikroTik, so I gave him access to certain things only.

Namely, access to open up bandwidth (simple queue) for a few clients, usually for downloading and playing DoTA.

The user is "budi" in group "budi", with the following groups and policy:

[ray16@deenet] > user print
Flags: X - disabled
 #   NAME    GROUP   ADDRESS
 0   ;;; system default user
     ray16   full    0.0.0.0/0
 1 X budi    budi    0.0.0.0/0

What I set up is a scheduler so that:

a. at 8 in the morning user budi is disabled, so there is no interference from outside, or rather so that budi can only access Winbox at night.

b. at 11 at night user budi becomes active.

1. the disable and enable scripts (user number 1 is budi in the listing above)

[ray16@deenet] /system script add name=budi-siang source="/user disable 1"
[ray16@deenet] /system script add name=budi-malem source="/user enable 1"

2. create the scheduler (on-event names the script to run, so it must match the script names above)

[ray16@deenet] /system scheduler> add name=budi-siang on-event=budi-siang start-date=aug/17/2009 start-time=06:00:00 interval=1d
[ray16@deenet] /system scheduler> add name=budi-malem on-event=budi-malem start-date=aug/17/2009 start-time=23:00:00 interval=1d

Good Luck!

IP and MAC filtering on MikroTik

Yesterday I set up a MikroTik for a 30-room boarding house in the Depok area; they wanted MikroTik + Speedy 3Mbps installed because they were unhappy with their existing ISP, which they said was slow…

For the installation they asked that rooms not chipping in should get no internet, but still be able to connect to the network and stay on the same subnet as the others.

In that case I set the MikroTik to reply only to the IPs / rooms that have been authenticated as paid on the server.

Each room has 1 computer and 1 IP, assigned in sequence from

172.16.0.2 – 172.16.0.255 (they pick IPs at random) with subnet mask 255.255.255.0

The MikroTik's IP is 172.16.0.7 (interface ether1, or LAN) with subnet mask 255.255.255.0.

Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME      TYPE        MTU
 0  R SPEEDY    ether       1500
 1  R LAN       ether       1500
 2  X OnBoard   ether       1500
 3  X Speedy    pppoe-out

Filtering by IP is actually very simple: just enable arp=reply-only on the interface, then add the IP and MAC address pairs that are allowed to connect under IP > ARP.

1. enable arp reply-only

[admin@mikrotik] interface ethernet set LAN arp=reply-only

or change it in Winbox under Interface.

After that, ARP is in reply-only mode and every connection towards LAN is denied / dropped, except from the IPs we add as allowed.

2. add the allowed IP address and MAC address

[admin@mikrotik] ip arp add address=172.16.0.8 interface=LAN mac-address=00:00:00:00:00:00

or via Winbox under IP > ARP

Done; from here on IP 172.16.0.8 with MAC address so-and-so can connect to the MikroTik and gets ARP replies, but if the MAC address behind that IP changes (say someone plugs in a laptop instead) no connection is made: the IP works for that one MAC address only.

Since there were 30 computers at the time, I collected their MAC addresses in bulk with NetScan, scanning the range 172.16.0.1 – 172.16.0.255 with MAC address scanning enabled. Example:

The MAC addresses are converted from dashes (-) to colons (:).

*PS: if you do this from Winbox or a remote computer, add your own computer to the ARP table first and only then enable arp reply-only, so your own machine is not caught by the filter.
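Turning a NetScan-style export into the /ip arp commands for the whole boarding house, as an added Python helper (not part of the tutorial and not RouterOS code). It normalises the dashed MAC addresses to colons, checks every IP is inside the page's 172.16.0.0/24 LAN, refuses duplicate IPs or MACs (a second entry would quietly let another machine through the reply-only filter), and puts the administrator's own host first, as the PS above advises. The host table and the LAN interface name are constructed sample data.

```python
"""Bulk-generate the /ip arp entries for an allow-list of rooms (added example,
not RouterOS code).  NetScan exports MAC addresses with dashes; RouterOS wants
colons, so every address is normalised and validated first, each IP is checked
to be inside the LAN subnet, and duplicates are refused (a second entry for an
IP or a MAC would quietly let a second machine through the reply-only filter).
The host table and the interface name LAN are constructed sample data.
"""
import ipaddress
import re

LAN_SUBNET = ipaddress.ip_network("172.16.0.0/24")   # the page's LAN
ROUTER_IP = ipaddress.ip_address("172.16.0.7")       # the page's router address


def normalise_mac(raw):
    """'00-1a-2b-3c-4d-5e' / '001a.2b3c.4d5e' / '00:1A:...' -> '00:1A:2B:3C:4D:5E'."""
    digits = re.sub(r"[-:.\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def arp_commands(hosts, admin_ip, interface="LAN"):
    """Return the RouterOS commands, the admin's own host first (see the *PS above)."""
    seen_ips, seen_macs, commands = set(), set(), []
    # put the administrator's machine at the front so it is never locked out
    ordered = sorted(hosts, key=lambda h: h[0] != admin_ip)
    if not ordered or ordered[0][0] != admin_ip:
        raise ValueError(f"admin host {admin_ip} is missing from the list")
    for ip_text, raw_mac in ordered:
        ip = ipaddress.ip_address(ip_text)
        if ip not in LAN_SUBNET or ip == ROUTER_IP:
            raise ValueError(f"{ip} is not a usable LAN client address")
        mac = normalise_mac(raw_mac)
        if ip in seen_ips or mac in seen_macs:
            raise ValueError(f"duplicate entry: {ip} / {mac}")
        seen_ips.add(ip)
        seen_macs.add(mac)
        commands.append(f"/ip arp add address={ip} interface={interface} mac-address={mac}")
    return commands


# constructed NetScan-style export: (IP, MAC with dashes)
SAMPLE_HOSTS = [
    ("172.16.0.8", "00-1A-2B-3C-4D-5E"),
    ("172.16.0.9", "00-1a-2b-3c-4d-5f"),
    ("172.16.0.2", "00-1A-2B-3C-4D-60"),   # the admin's own computer
]


if __name__ == "__main__":
    for line in arp_commands(SAMPLE_HOSTS, admin_ip="172.16.0.2"):
        print(line)
```

Paste the printed lines into the terminal before switching the interface to arp=reply-only; the duplicate check is what catches the copy-paste mistake of reusing a MAC for two rooms.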

Securing a New RouterOS Router (MikroTik)

by

White_Heaven_Angels

This document is written for a RouterOS device that has no configuration yet. The configuration described in this tutorial can also work on a router that is already configured, but take care that what you copy from here does not disturb the device.

Please read and understand the whole document before applying it to the device; failing to do so may leave you unable to access the device.

The purpose of this document is to take the steps needed to secure access to a RouterOS device while keeping the ability of other devices to communicate with it and use specific services. The tutorial works on the concept of 'just enough access': a service or person that needs access to the router gets just enough privilege on the router to do their job, and no more. There is no reason for a router that only peers with the device over BGP to have full access, nor for a user who logs in to monitor the wireless link to have write access or the ability to reboot / shut down etc. With this in mind you should also look at other parts of your network and how their access is set up / configured; they may need attention before your network as a whole is secure.

The user’s going to pick dancing pigs over security every time. — Bruce Schneier

1. Configuring Packages & Hardening Services

Always use a minimal installation:

• Advanced-Tools
• Ntp
• Security
• System

These packages install a base system in which you can keep the clock in sync with an external source, a suite of advanced tools that enable monitoring and reporting, and the ability to talk to the router securely.

You should think about the exact role the router will have before you start enabling more packages on it. If it is 'simply' a wireless transmitter, why does it need DHCP enabled? If the router is to be an Ethernet-based firewall, why does it need wireless enabled? Only enable the packages the router needs to do its job; what we are after is a reasonably secure state for our router.

By default the router can be accessed using:

• Telnet
• SSH
• HTTP
• Winbox
• FTP
• Mac-Telnet

So use one method only: disable all of them and keep a single way of logging in to the router; that is the safe approach.

/ip services print

which prints

Flags: X - disabled, I - invalid
 #   NAME      PORT  ADDRESS    CERTIFICATE
 0   telnet    23    0.0.0.0/0
 1   ftp       21    0.0.0.0/0
 2   www       80    0.0.0.0/0
 3   ssh       22    0.0.0.0/0
 4 X www-ssl   443   0.0.0.0/0  none

To disable one, use the command

/ip service disable <name>

Now that you have configured the services you prefer, it is time to look at the other ways of interfacing with the router. The first is SNMP, which is used by many programs to monitor devices (i.e. The Dude). SNMP is off by default, and if you have another way of monitoring the device it is safe to leave it disabled. I prefer to use The Dude to monitor the network, so I will go ahead and enable access and set a few fields.

/snmp set enabled=yes location="The Matrix" [email protected]

SNMP in RouterOS 2.9 is read-only, so the only danger in enabling it is that, without a firewall stopping access, anyone on the network (or anyone at all, if the router has a public IP address) can see the wireless signal, network rates, etc.

Now that you have the basics of router security in place, it is time to look at the users who access the router and whether they hold privileges they should not.

2. Users & Passwords

By default MikroTik has one user with access: admin

so apply your office policy to decide which users should have privileges:

/user set admin password=putpasshere

Use only one way in, for example Winbox, and disable all the services listed above; this protects you from attackers brute-forcing SSH, telnet and FTP, or using a browser to get into your router. Next, use a single computer on your local network as the only one that can log in to the router. This stops the many clients who would like to use your router from getting in with Winbox: even if a client installs Winbox and knows the admin username and password, they will not be let in, because only your IP may be used to log in.

/user add name=badmin password=putpasshere group=full address=192.168.12.3/32

After that, use Winbox to save your username and password.

3. Port Knocking

The firewall we will load onto the router later is divided into 2 parts:

1. a list of device addresses that may access the router.

2. all other devices get only time-limited access to the router.

One consequence of restricting all other devices is that they have no Winbox / SSH / telnet access to the router, which sometimes means you cannot get in either. One way to temporarily allow full access to the router is port knocking.

Port knocking on RouterOS is a way of dynamically adding an IP address to an address list for a specified amount of time. It works like this.

1. the client sends a packet to the router on port 1337

2. the router adds the client's IP to the address list "temp", say for 15 minutes.

3. the client sends a packet to the router on port 7331

4. the router checks whether the client's IP is in the address list "temp".

5. if so, the router adds the IP address to the address list "safe" for 15 minutes.

6. the client can access the router for 15 minutes.

So the client's access to the router is time-limited, which makes the router more secure.

If you do not have the software yet, download it from http://www.zeroflux.org/proj/knock/files/knock-cygwin.zip

Knock.exe <IP Address> port:protocol port:protocol port:protocol…

Knock.exe 192.168.0.2 1337:tcp 7331:tcp

Although this feature is useful for security, the firewall rules below are what actually build the port knocking; if you leave those rules out, there is no port knocking on your router.

4. Loading A Firewall

Yes, now it is time to talk about the firewall. Your router is now protected from access by its password, but a password is only one layer of security, not the only layer. This script is based on the firewall used on the MT demo router but has a few changes; it only protects the router itself and has no 'forward' rules in the firewall.

/ip firewall filter

add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s comment="" disabled=no

add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=safe address-list-timeout=15m comment="" disabled=no

These are the port knocking rules; in the example setup above they add the knocking IP address to the 'safe' address list, which is the list this firewall uses to allow full access to the router.
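The address-list mechanics shared by the SSH brute-force rules earlier on the page (ssh_stage1 → ssh_stage2 → ssh_stage3 → ssh_blacklist) and by the two knocking rules just above, as an added Python replay (not RouterOS code and not part of the tutorial). ExpiringList stands in for one firewall address-list with its address-list-timeout; the two classes evaluate the rules in their on-page order, including the fact that add-src-to-address-list is a passthrough action while drop and accept end evaluation. Client addresses and timings of the events are constructed; the list timeouts are the page's.

```python
"""Address-list escalation behind the SSH brute-force and port-knocking rules
(added example, not RouterOS code).  ExpiringList models one firewall
address-list whose entries carry an address-list-timeout; SshGuard and
PortKnock replay the rules in their on-page order against constructed
connection events.  Timings are the page's: ssh_stage1..3 1m, ssh_blacklist
10d, knock 15s, safe 15m.  add-src-to-address-list does not stop rule
processing; drop and accept do.
"""
from dataclasses import dataclass, field

MINUTE = 60.0
DAY = 24 * 3600.0


@dataclass
class ExpiringList:
    ttl: float
    entries: dict = field(default_factory=dict)   # ip -> expiry time

    def add(self, ip, now):
        self.entries[ip] = now + self.ttl          # re-adding refreshes the timeout

    def contains(self, ip, now):
        expiry = self.entries.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.entries.pop(ip, None)                 # expired (or never present)
        return False


class SshGuard:
    """The five SSH rules: drop blacklisted sources, then stage3 -> blacklist,
    stage2 -> stage3, stage1 -> stage2, and finally everyone -> stage1."""

    def __init__(self):
        self.stage1 = ExpiringList(1 * MINUTE)
        self.stage2 = ExpiringList(1 * MINUTE)
        self.stage3 = ExpiringList(1 * MINUTE)
        self.blacklist = ExpiringList(10 * DAY)

    def new_connection(self, ip, now):
        """Verdict for a new TCP/22 connection from ip at time now (seconds)."""
        if self.blacklist.contains(ip, now):
            return "drop"                           # action=drop ends evaluation
        # the remaining rules are passthrough: every matching one fires, so a
        # source climbs exactly one stage per new connection inside the minute
        if self.stage3.contains(ip, now):
            self.blacklist.add(ip, now)
        if self.stage2.contains(ip, now):
            self.stage3.add(ip, now)
        if self.stage1.contains(ip, now):
            self.stage2.add(ip, now)
        self.stage1.add(ip, now)
        return "pass"


class PortKnock:
    """The knocking rules: TCP/1337 -> knock (15s); TCP/7331 while in knock
    -> safe (15m); anything from a safe source is accepted."""

    def __init__(self):
        self.knock = ExpiringList(15)
        self.safe = ExpiringList(15 * MINUTE)

    def packet(self, ip, proto, dport, now):
        if proto == "tcp" and dport == 1337:
            self.knock.add(ip, now)
        if proto == "tcp" and dport == 7331 and self.knock.contains(ip, now):
            self.safe.add(ip, now)
        # "accept" = matched the src-address-list=safe rule; "continue" = falls
        # through to the later rules (and ultimately the final log + drop)
        return "accept" if self.safe.contains(ip, now) else "continue"


def ssh_demo():
    guard = SshGuard()
    fast = "198.51.100.7"     # constructed: five connections in five seconds
    slow = "198.51.100.8"     # constructed: one connection every 70 seconds
    fast_verdicts = [guard.new_connection(fast, float(t)) for t in range(5)]
    slow_verdicts = [guard.new_connection(slow, float(t)) for t in (0, 70, 140)]
    return fast_verdicts, slow_verdicts, guard.blacklist.contains(slow, 141.0)


def knock_demo():
    k = PortKnock()
    good = [k.packet("198.51.100.9", "tcp", 1337, 0.0),
            k.packet("198.51.100.9", "tcp", 7331, 1.0),
            k.packet("198.51.100.9", "tcp", 8291, 2.0)]      # Winbox after a correct knock
    wrong_order = [k.packet("198.51.100.10", "tcp", 7331, 0.0),
                   k.packet("198.51.100.10", "tcp", 1337, 1.0),
                   k.packet("198.51.100.10", "tcp", 8291, 2.0)]
    too_slow = [k.packet("198.51.100.11", "tcp", 1337, 0.0),
                k.packet("198.51.100.11", "tcp", 7331, 20.0),  # knock entry expired at 15s
                k.packet("198.51.100.11", "tcp", 8291, 21.0)]
    return good, wrong_order, too_slow


if __name__ == "__main__":
    print(ssh_demo())
    print(knock_demo())
```

Two points the replay makes visible: the fourth new SSH connection inside a minute is the one that blacklists a source for 10 days (the fifth is dropped), so an administrator who opens several sessions quickly needs to be in the 'safe' list that is accepted before these rules; and with a 15s knock timeout the second knock must follow the first promptly and in the right order.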

add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no

add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no

add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no

These rules make sure that only legitimate connections reach the router and drop anything that is invalid.

add chain=input src-address-list=safe action=accept comment="Allow access to router from known network" disabled=no

This is the rule that allows full access to the router for specific IP addresses; the list holds the static IPs you entered, which always have access, as well as the dynamic IPs of people added by port knocking, if used.

add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no

add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no

add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no

These rules react a little to DoS attacks and to anyone using a port scanner: port scans are dropped, while DoS attacks are 'tarpitted', in that all the attacker's connections are slowed down to increase resource usage on the attacking device.
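What psd=21,3s,3,1 means in practice, as an added Python approximation of the port-scan matcher (not RouterOS code and not part of the tutorial). The four numbers are WeightThreshold, DelayThreshold, LowPortWeight and HighPortWeight; the bookkeeping below is a simplification of the kernel matcher and the traffic events are constructed, while the thresholds are the page's.

```python
"""Approximation of the psd matcher used in the "detect and drop port scan" rule
(added example, not RouterOS code).  psd=21,3s,3,1 reads as:
WeightThreshold=21, DelayThreshold=3s, LowPortWeight=3, HighPortWeight=1.
Each distinct destination port a source touches adds 3 (port < 1024) or 1
(port >= 1024) to that source's score as long as no more than 3s pass
between its consecutive packets; the rule matches once the score reaches 21.
The bookkeeping here is a simplification of the kernel matcher (assumption);
the thresholds are the page's.  Events below are constructed sample traffic.
"""
from dataclasses import dataclass, field


@dataclass
class PortScanDetector:
    weight_threshold: int = 21
    delay_threshold: float = 3.0
    low_port_weight: int = 3
    high_port_weight: int = 1
    # src -> (time of last packet, set of distinct ports in the current sequence)
    state: dict = field(default_factory=dict)

    def observe(self, src, dport, now):
        """Return True if this packet pushes src over the scan threshold."""
        last, ports = self.state.get(src, (None, set()))
        if last is not None and now - last > self.delay_threshold:
            ports = set()                 # gap too long: the sequence starts over
        ports.add(dport)
        self.state[src] = (now, ports)
        score = sum(self.low_port_weight if p < 1024 else self.high_port_weight
                    for p in ports)
        return score >= self.weight_threshold


# (source, destination port, time in seconds) -- constructed sample traffic
SAMPLE_EVENTS = (
    # a fast sweep of seven well-known ports: 7 * 3 = 21 within 0.6s
    [("192.0.2.50", p, 0.1 * i) for i, p in enumerate([21, 22, 23, 25, 80, 110, 143])]
    # an ordinary client talking to the web service: 3 + 3 = 6
    + [("192.0.2.51", 80, 1.0), ("192.0.2.51", 443, 2.0), ("192.0.2.51", 80, 3.0)]
    # the same seven ports, but 5s apart: the sequence resets every time
    + [("192.0.2.52", p, 10.0 + 5.0 * i) for i, p in enumerate([21, 22, 23, 25, 80, 110, 143])]
)


def detect(events, detector=None):
    """Return the sources the rule would have dropped, in detection order."""
    detector = detector or PortScanDetector()
    flagged = []
    for src, dport, t in sorted(events, key=lambda e: e[2]):
        if detector.observe(src, dport, t) and src not in flagged:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))   # ['192.0.2.50']
```

Seven well-known ports in quick succession is enough to trip the rule, whereas a source has to touch 21 distinct high ports for the same effect; a scanner that pauses more than 3s between probes never accumulates a score, which is the limitation of this matcher to keep in mind when reading the firewall log.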

add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no

add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no

These 2 rules jump to chains we will create. Jumping is useful because it lets you reuse the same rules in different chains (i.e. input and forward can both jump to the same chain and run the same rules).

add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic" disabled=no

This allows broadcast traffic to the router, which is sometimes needed by things like NTP.

add chain=input action=log log-prefix="Filter:" comment="" disabled=no

add chain=input action=drop comment="drop everything else" disabled=no

And this is the rule that denies all other access to the router: any traffic not accepted by the rules above is dropped.

add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no

add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no

add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no

add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no

add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no

add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no

These rules make up the 'ICMP' chain we jumped to earlier; they rate-limit the various ICMP packet types to stop attackers ping-flooding the router.

add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no

add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox" disabled=no

add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=no

add chain=services protocol=udp dst-port=5678 action=accept comment="MT Discovery Protocol" disabled=no

add chain=services protocol=udp dst-port=161 action=accept comment="allow SNMP" disabled=yes

add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes

add chain=services protocol=udp dst-port=5000-5100 action=accept comment="allow BGP" disabled=yes

add chain=services protocol=udp dst-port=123 action=accept comment="Allow NTP" disabled=yes

add chain=services protocol=tcp dst-port=1723 action=accept comment="Allow PPTP" disabled=yes

add chain=services protocol=gre action=accept comment="allow PPTP and EoIP" disabled=yes

add chain=services protocol=tcp dst-port=53 action=accept comment="allow DNS request" disabled=yes

add chain=services protocol=udp dst-port=53 action=accept comment="Allow DNS request" disabled=yes

add chain=services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=yes

add chain=services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=yes

add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=yes

add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=yes

add chain=services protocol=ipencap action=accept comment="allow IPIP" disabled=yes

add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=yes

add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=yes

add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=yes

add chain=services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=yes

add chain=services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=yes

add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=yes

add chain=services protocol=ospf action=accept comment="allow OSPF" disabled=yes

add chain=services action=return comment="" disabled=no

Two corrections to the listing as it was printed: the localhost rule matches on src-address (src-address-list takes a list name, not an address), and SNMP is a UDP service, so its rule uses protocol=udp.

These are the services we allow access to; as you can see, most of them are disabled by default. The only services that I personally feel should always be reachable are:

• Mac-Telnet
• Bandwidth Test Server
• MT Discovery

All other services should be enabled only when they are actually needed. Running this script on an already-configured production router will knock out IPSec, BGP, EoIP and a bunch of other services, so check these rules; do not just copy-paste. Once again: read carefully and thoroughly before applying these rules.

5. Logging & Syslog

The router keeps only 100 lines of log; anything beyond that is lost, yet logs are essential for monitoring the whole network.

These are the default log settings.

/system logging print

Flags: X - disabled, I - invalid
 #   TOPICS     ACTION   PREFIX
 0   info       memory
 1   error      memory
 2   warning    memory
 3   critical   echo

As you can see, when the router reboots we lose all our logs.

So we should store them on the hard disk.

/system logging print

/system logging remove 0

/system logging remove 1

/system logging remove 2

/system logging remove 3

Now we set up some of the logs to go to disk.

/system logging add topics=critical action=disk

/system logging add topics=critical action=echo

/system logging add topics=error action=disk

/system logging add topics=warning action=disk

/system logging add topics=info action=memory

Now just decide how many lines; I use 300 lines of log for memory but 1000 lines for the hard disk.

/system logging action print

/system logging action set 0 disk-lines=XXX

/system logging action set 1 disk-lines=XXX

Or we can now also make a rule that the log is not kept in memory but written directly to the hard disk, like this:

/system logging action add target=disk disk-lines=XXX name=FirewallHits

Then we change the logging action so that the firewall stops clogging up the log

/system logging print

/system logging set 0 topics=info,!firewall

And now we arrange for all firewall hits to be sent to the new target.

/system logging add topics=firewall action=FirewallHits

Now we just need to set the IP address where this file will be stored:

/system logging action print

/system logging action set 3 remote=192.168.0.3:514

Do not forget to add ':514' at the end of the IP address, as this sets the port used. Once we have set the IP we can go ahead and add a rule to send everything to the remote daemon

/system logging add action=remote topics=info,warning,critical,firewall,error prefix="Router-Id"

After that, check those logs every day; do not let them turn into a junk file…

Under a *nix-like OS you can do the following (FreeBSD):

1. vi /etc/rc.conf

syslogd_enable="YES"                 # Run syslog daemon (or NO).
syslogd_program="/usr/sbin/syslogd"  # path to syslogd, if you want a different one
syslogd_flags=""                     # Flags to syslogd (if enabled).

(By default syslogd_flags is set to the "-s" option. Don't forget to remove it. The "-a" options are ignored if the "-s" option is also specified. See man syslogd.)

2. vi /etc/syslog.conf

+@
# syslog settings of current system
+*
#
+<ip-address or host of your router>
*.*                                     /var/log/mikrotik.log
+*

3. /etc/rc.d/syslogd restart

6. NTP Sync & Misc.

Don't forget to set the time.. the time may not have been set on the box yet..

/system clock set time-zone=+12

We also need to set up the NTP client

/system ntp client set enabled=yes primary-ntp=192.168.0.2 secondary-ntp=192.168.0.3 mode=unicast

Thanks to : jasakom, echo, jatimcrew, and all security forum indonesia

Pentest Lab with Mikrotik from primadonal.wordpress.com

For the full version see HERE

xxxxxxxxxxxxxxxxxxxxxPentest Labxxxxxxxxxxxxxxxxxxxxx

By default RouterOS can be accessed via:

o Telnet
o SSH
o HTTP
o Winbox
o FTP
o Mac-Telnet

### Minimal Firewall Configuration

Fig. Topology

     Target                                 Attacker
   [ vmWare ] ;--------x     x---------; [ Notebook ]
  192.168.0.1/24                        192.168.0.2/24
    RouterOS                               winXP

Tools:

- PortScanner . Nmap v4.2
- HTTP BruteForce . FScan v0.6
- SSH BruteForce
- FTP BruteForce
- Portknock

;;;;;;;;;;;; There are five rules ;;;;;;;;;;

o1. Drop Port Scanner
o2. Drop SSH BruteForce
o3. Drop FTP BruteForce
o4. Drop HTTP/HTTPS BruteForce
o5. PortKnocking Rule

o1. Drop Port Scanner

———————————————————————————–
D:\>nmap -vv -sX -sV -p U:53,111,137,500,T:21-25,80,139,179,8080 192.168.0.1

Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2008-07-19 17:12 SE Asia Standard Time
Initiating ARP Ping Scan at 17:12
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 17:12, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 16.50s elapsed
Initiating XMAS Scan at 17:12
Scanning 192.168.0.1 [9 ports]
Completed XMAS Scan at 17:12, 1.27s elapsed (9 total ports)
Initiating Service scan at 17:12
Scanning 4 services on 192.168.0.1
Discovered open port 80/tcp on 192.168.0.1
Discovered open|filtered port 80/tcp on 192.168.0.1 is actually open
Discovered open port 23/tcp on 192.168.0.1
Discovered open|filtered port 23/tcp on 192.168.0.1 is actually open
Discovered open port 22/tcp on 192.168.0.1
Discovered open|filtered port 22/tcp on 192.168.0.1 is actually open
Discovered open port 21/tcp on 192.168.0.1
Discovered open|filtered port 21/tcp on 192.168.0.1 is actually open
Completed Service scan at 17:12, 6.09s elapsed (4 services on 1 host)
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.0.1 appears to be up … good.
Interesting ports on 192.168.0.1:
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         MikroTik router ftpd 2.9.27
22/tcp   open   ssh         OpenSSH 2.3.0 mikrotik 2.9 (protocol 1.99)
23/tcp   open   telnet      Linux telnetd
24/tcp   closed priv-mail
25/tcp   closed smtp
80/tcp   open   http        MikroTik router http config
139/tcp  closed netbios-ssn
179/tcp  closed bgp
8080/tcp closed http-proxy
MAC Address: 00:0C:29:D1:59:AB (VMware)
Service Info: Host: MikroTik; OS: Linux; Device: router

Read data files from: C:\Program Files\Nmap
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.203 seconds
Raw packets sent: 14 (562B) | Rcvd: 7 (302B)

D:\>
———————————————————————————–

Add the rules:
———————————————————————————–
| add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Drop Port Scanners" disabled=no
| add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
| add chain=input src-address-list="port scanners" action=drop comment="" disabled=no
———————————————————————————–

The attacker's IP address is put into the ip firewall address-list, so:
———————————————————————————–
D:\>nmap -vv -sX -sV -p U:53,111,137,500,T:21-25,80,139,179,8080 192.168.0.1

Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2008-07-19 17:16 SE Asia Standard Time
Initiating ARP Ping Scan at 17:16
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 17:16, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:16
Completed Parallel DNS resolution of 1 host. at 17:17, 16.50s elapsed
Initiating XMAS Scan at 17:17
Scanning 192.168.0.1 [9 ports]
Completed XMAS Scan at 17:17, 1.26s elapsed (9 total ports)
Initiating Service scan at 17:17
Scanning 9 services on 192.168.0.1
Completed Service scan at 17:17, 5.00s elapsed (9 services on 1 host)
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.0.1 appears to be up … good.
Interesting ports on 192.168.0.1:
PORT     STATE         SERVICE     VERSION
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
24/tcp   open|filtered priv-mail
25/tcp   open|filtered smtp
80/tcp   open|filtered http
139/tcp  open|filtered netbios-ssn
179/tcp  open|filtered bgp
8080/tcp open|filtered http-proxy
MAC Address: 00:0C:29:D1:59:AB (VMware)

Read data files from: C:\Program Files\Nmap
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.094 seconds
Raw packets sent: 19 (762B) | Rcvd: 1 (42B)

D:\>

[admin@MikroTik] ip firewall address-list> print
Flags: X - disabled, D - dynamic
 #   LIST           ADDRESS
 0   Save Haven     192.168.0.3-192.168.0.5
 1 D Save Haven     192.168.0.2
 2 D port scanners  192.168.0.2
[admin@MikroTik] ip firewall address-list>

C:\Documents and Settings\adminz>ping 192.168.0.1 -t

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.1:
    Packets: Sent = 24, Received = 19, Lost = 5 (20% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\adminz>

———————————————————————————–

o2. Drop SSH BruteForce
———————————————————————————–
| add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="Drop SSH brute forcers" disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d comment="" disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
———————————————————————————–

o3. Drop FTP BruteForce
———————————————————————————–
| add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Drop FTP brute forcers" disabled=no
| add chain=output protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
| add chain=output protocol=tcp content="530 Login incorrect" action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h comment="" disabled=no
———————————————————————————–

o4. Drop HTTP/HTTPS BruteForce

Minimise brute-force attacks on RouterOS's http/https port

For example:
————————————————————————————
D:\fscan>fscan.exe –ports 80 –hosts 192.168.0.1 –threads 200

Fast HTTP Auth Scanner v0.6
(c) Andres Tarasco - http://www.514.es

[+] Loaded 26 user/pass combinations
[+] Loaded 42 ignored webservers
[+] Loaded 41 Router authentication schemes
[+] Loaded 51 webform authentication schemes
[+] Loaded 13 Single Users
[+] Scanning 1 hosts (192.168.0.1 - (null))
[+] Scanning 1 ports - bruteforce is active

Server        Port  status  password    banner
192.168.0.1   80    200     not:found   (mikrotik routeros)
scan Finished

D:\fscan>
————————————————————————————

Looking at the RouterOS log:
————————————————————————————
[admin@MikroTik] > log print
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user Admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user cisco from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user 1234 from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user operator from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user user from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user super from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user test from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user Cisco from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user smc from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user support from 192.168.0.2 via web
16:52:17 system,error,critical login failure for user admin via local
————————————————————————————

Add the following rules under / ip firewall filter. The two output-chain rules watch the router's own HTTP replies for the webbox's "invalid user name or password" string: dst-limit=1/1m,9,dst-address/1m lets each client address produce a burst of 9 failed logins and then one more per minute; every failure beyond that falls through to the second rule, which puts the client into web_blacklist for 3 hours, after which the input rules drop its connections to ports 80 and 443. Note that the content match only sees cleartext HTTP: failures over HTTPS (port 443) are never detected, so the 443 drop rule only affects sources that were already blacklisted through port 80.
--------------------------------------------------------------------------------
add chain=input protocol=tcp dst-port=80 src-address-list=web_blacklist \
    action=drop comment="Drop Web brute forcers" disabled=no
add chain=input protocol=tcp dst-port=443 src-address-list=web_blacklist \
    action=drop comment="" disabled=no
add chain=output protocol=tcp content="invalid user name or password" \
    dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="invalid user name or password" \
    action=add-dst-to-address-list address-list=web_blacklist \
    address-list-timeout=3h comment="" disabled=no
--------------------------------------------------------------------------------

Run the brute force again and the scanner's address is now in the dynamic blacklist:
--------------------------------------------------------------------------------
[admin@MikroTik] ip firewall address-list> print
Flags: X - disabled, D - dynamic
 #   LIST           ADDRESS
 0   Save Haven     192.168.0.3-192.168.0.5
 1 D Save Haven     192.168.0.2
 2 D web_blacklist  192.168.0.2
[admin@MikroTik] ip firewall address-list>

D:\fscan>fscan.exe --ports 80 --hosts 192.168.0.1 --threads 200
Fast HTTP Auth Scanner v0.6
(c) Andres Tarasco - http://www.514.es

[+] Loaded 26 user/pass combinations
[+] Loaded 42 ignored webservers
[+] Loaded 41 Router authentication schemes
[+] Loaded 51 webform authentication schemes
[+] Loaded 13 Single Users
[+] Scanning 1 hosts (192.168.0.1 - (null))
[+] Scanning 1 ports - bruteforce is active

Server          Port    status  password        banner
scan Finished

D:\fscan>
--------------------------------------------------------------------------------
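The log and the two output-chain rules above amount to a per-source failure budget. The following Python example is added here (it is not part of the tutorial) and replays the same kind of log lines host-side with the identical budget: 9 failures free, then one per minute, and a 3 hour block once a source goes over. That is the decision you need when the router cannot see the failure string itself (HTTPS) and it has to be taken from the logs instead, for instance on a syslog collector. The sample lines are constructed to match the "log print" output above; the second source 192.168.0.7 and its timestamps are an assumption of the example.

```python
"""Replay RouterOS login-failure log lines through the budget used by the firewall
rules above (dst-limit=1/1m,9,dst-address/1m, then 3h on web_blacklist).
Added example; the log lines are constructed to match 'log print' output."""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^(?P<hms>\d\d:\d\d:\d\d) system,error,critical login failure for user"
    r"(?: (?P<user>\S+))? from (?P<src>\d+\.\d+\.\d+\.\d+) via (?P<via>\w+)$")

# Usernames in the order the scanner tried them in the log above ("" = empty user).
_TRIED = (["admin", "admin", "", "Admin"] + ["admin"] * 7
          + ["cisco", "1234", "operator", "user", "root", "root", "root", "root",
             "super", "test", "Cisco", "", "smc", "support"])


def _line(hms, user, src):
    who = f"user {user}" if user else "user"
    return f"{hms} system,error,critical login failure for {who} from {src} via web"


SAMPLE_LOG = "\n".join(
    [_line("16:49:45", u, "192.168.0.2") for u in _TRIED]
    # constructed: a neighbour that only mistypes its password three times
    + [_line("16:50:0%d" % i, "admin", "192.168.0.7") for i in range(3)]
    # console failure: no source address, nothing to blacklist
    + ["16:52:17 system,error,critical login failure for user admin via local"])


def hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class _Bucket:
    tokens: float
    last: float


class BruteForceDetector:
    """Token bucket per source: 'burst' failures free, then 'rate' per second;
    a failure with no token left puts the source on the blacklist for 'ttl' seconds."""

    def __init__(self, rate=1 / 60, burst=9, ttl=3 * 3600):
        self.rate, self.burst, self.ttl = rate, burst, ttl
        self.buckets = {}
        self.blacklist = {}   # src -> expiry (seconds)

    def failure(self, src, now):
        """Record one failed login; return True if this one tripped the blacklist."""
        b = self.buckets.setdefault(src, _Bucket(self.burst, now))
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return False
        self.blacklist[src] = now + self.ttl
        return True

    def is_blocked(self, src, now):
        exp = self.blacklist.get(src)
        return exp is not None and now < exp


def replay(log_text, detector=None):
    """Feed every parsable log line to the detector; return the set of tripped sources."""
    detector = detector or BruteForceDetector()
    tripped = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:          # local console failures and unrelated lines
            continue
        if detector.failure(m["src"], hms_to_seconds(m["hms"])):
            tripped.add(m["src"])
    return tripped


if __name__ == "__main__":
    print(replay(SAMPLE_LOG))   # {'192.168.0.2'}
```

The tenth failure inside a minute is the one that trips the block, exactly as on the router, where the dst-limit accept rule stops matching and the add-dst-to-address-list rule takes over. Feeding the blacklist back into a RouterOS address list is left to whatever management channel you use.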

5. Port Knocking Rule

Add the following rules to the firewall filter. A client first sends a TCP packet to port 1337, which places its address in the knock-knock list for 15 seconds; if within that window it then sends a UDP packet to port 17954, it is moved into the "Save Haven" list for 3 hours and everything it sends to the router is accepted. The last rule drops all other input.
--------------------------------------------------------------------------------
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \
    address-list=knock-knock address-list-timeout=15s comment="Port Knocking" \
    disabled=no
add chain=input protocol=udp dst-port=17954 src-address-list=knock-knock \
    action=add-src-to-address-list address-list="Save Haven" \
    address-list-timeout=3h comment="" disabled=no
add chain=input src-address-list="Save Haven" action=accept comment="" \
    disabled=no
add chain=input action=drop comment="" disabled=no
--------------------------------------------------------------------------------

Two things to check before enabling that final drop rule: it must come after every accept rule, including the knock rules above, and because the input chain has no rule accepting connection-state=established traffic, replies to connections the router opens itself (its own DNS lookups, NTP and the like) are dropped too unless you add such an accept rule ahead of the drop. Keep a working management session open while you apply this, or you can lock yourself out.

--------------------------------------------------------------------------------
# Download the port knocking client

D:\>wget http://www.zeroflux.org/proj/knock/files/knock-cygwin.zip

# Extract the archive

D:\knock>dir
 Volume in drive D is ---data.
 Volume Serial Number is 20B3-1A4D

 Directory of D:\knock

19/07/2008  15:24    <DIR>          .
19/07/2008  15:24    <DIR>          ..
03/07/2005  02:30         1.295.582 cygwin1.dll
10/08/2005  14:52            15.238 knock.exe
               2 File(s)      1.310.820 bytes
               2 Dir(s)     714.395.648 bytes free

D:\knock>

Before knocking, the router does not answer at all, not even to ping:

C:\Documents and Settings\adminz>ping 192.168.0.1 -t

Pinging 192.168.0.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.1:
    Packets: Sent = 6, Received = 0, Lost = 6 (100% loss),
Control-C
^C
C:\Documents and Settings\adminz>

D:\>telnet 192.168.0.1 22
Connecting To 192.168.0.1...Could not open connection to the host, on port 22: Connect failed

D:\>putty -ssh -l admin 192.168.0.1

D:\>

+---------------------------------------------+
| PuTTY Fatal Error                       [x] |
|---------------------------------------------|
|                                             |
|  (X) Network error: Connection timed out    |
|                                             |
|               +-----------+                 |
|               |    OK     |                 |
|               +-----------+                 |
+---------------------------------------------+

D:\knock>knock.exe
usage: knock [options] <host> <port[:proto]> [port[:proto]] ...
options:
  -u, --udp        make all ports hits use UDP (default is TCP)
  -v, --verbose    be verbose
  -V, --version    display version
  -h, --help       this help

example: knock myserver.example.com 123:tcp 456:udp 789:tcp

D:\knock>knock 192.168.0.1 1337:tcp 17954:udp

D:\knock>

After the knock sequence, the router starts replying, and SSH logs in normally:

C:\Documents and Settings\adminz>ping 192.168.0.1 -t

Pinging 192.168.0.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.0.1:
    Packets: Sent = 18, Received = 11, Lost = 7 (38% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\adminz>

D:\>putty -ssh -l admin 192.168.0.1

D:\>
--------------------------------------------------------------------------------
Using username "admin".
admin@192.168.0.1's password:

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 2.9.27 (c) 1999-2006       http://www.mikrotik.com/

Terminal xterm detected, using multiline input mode
[admin@MikroTik] > log print
17:38:31 system,info,account user admin logged in from 192.168.0.2 via ssh
--------------------------------------------------------------------------------
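To see exactly what the four knock rules do with a packet stream, here is an added Python simulation of the input chain (example code, not from the tutorial) with RouterOS-style dynamic address lists that expire: a correct knock inside the 15 second window opens the router for 3 hours, while the wrong order or a late second knock leaves it closed. Ports and timeouts are the ones from the rules; the packet model, source addresses and timings are assumptions of the example.

```python
"""Simulate the port-knocking input chain above: add-src-to-address-list is
non-terminating, the accept and drop rules terminate. Added example, not from the page."""
from dataclasses import dataclass

KNOCK_WINDOW = 15          # address-list-timeout=15s on knock-knock
SAFE_HAVEN_TTL = 3 * 3600  # address-list-timeout=3h on "Save Haven"


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0


class AddressList:
    """Dynamic address lists: an entry is a (list, address) pair with an expiry time."""

    def __init__(self):
        self._entries = {}

    def add(self, name, addr, now, timeout):
        self._entries[(name, addr)] = now + timeout

    def contains(self, name, addr, now):
        exp = self._entries.get((name, addr))
        return exp is not None and now < exp


class KnockFirewall:
    def __init__(self):
        self.lists = AddressList()

    def input_chain(self, pkt, now):
        """Return 'accept' or 'drop' for a packet addressed to the router at time now."""
        L = self.lists
        # rule 1: TCP 1337 -> knock-knock for 15s, then keep evaluating
        if pkt.proto == "tcp" and pkt.dport == 1337:
            L.add("knock-knock", pkt.src, now, KNOCK_WINDOW)
        # rule 2: UDP 17954 from a knock-knock source -> Save Haven for 3h
        if (pkt.proto == "udp" and pkt.dport == 17954
                and L.contains("knock-knock", pkt.src, now)):
            L.add("Save Haven", pkt.src, now, SAFE_HAVEN_TTL)
        # rule 3: anything from Save Haven is accepted (including this UDP knock)
        if L.contains("Save Haven", pkt.src, now):
            return "accept"
        # rule 4: everything else is dropped
        return "drop"


def knock(fw, src, start, sequence, gap=0.1):
    """Replay a 'knock host 1337:tcp 17954:udp' style sequence; return the verdicts."""
    verdicts, t = [], start
    for dport, proto in sequence:
        verdicts.append(fw.input_chain(Packet(src, proto, dport), t))
        t += gap
    return verdicts


if __name__ == "__main__":
    fw = KnockFirewall()
    print(knock(fw, "192.168.0.2", 10.0, [(1337, "tcp"), (17954, "udp")]))
    print(fw.input_chain(Packet("192.168.0.2", "tcp", 22), 11.0))
```

Note what the simulation also makes obvious: the knock travels in cleartext, so anyone who can sniff the path can replay it. Port knocking hides the service; it is not authentication. Keep the SSH brute-force rules and key-based login in place behind it.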

Exported firewall configuration (port scan detection, SSH/FTP/web brute-force lists and the knock rules together, in the order they must be evaluated):
--------------------------------------------------------------------------------
/ ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="Drop Port \
    Scanners" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="" \
    disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="" \
    disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="" \
    disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="Drop SSH brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1w3d comment="" \
    disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
    action=drop comment="Drop FTP brute forcers" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
    action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h comment="" disabled=no
add chain=input protocol=tcp dst-port=80 src-address-list=web_blacklist \
    action=drop comment="Drop Web brute forcers" disabled=no
add chain=input protocol=tcp dst-port=443 src-address-list=web_blacklist \
    action=drop comment="" disabled=no
add chain=output protocol=tcp content="invalid user name or password" \
    dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="invalid user name or password" \
    action=add-dst-to-address-list address-list=web_blacklist \
    address-list-timeout=3h comment="" disabled=no
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \
    address-list=knock-knock address-list-timeout=15s comment="Port Knocking" \
    disabled=no
add chain=input protocol=udp dst-port=17954 src-address-list=knock-knock \
    action=add-src-to-address-list address-list="Save Haven" \
    address-list-timeout=3h comment="" disabled=no
add chain=input src-address-list="Save Haven" action=accept comment="" \
    disabled=no
add chain=input action=drop comment="" disabled=no
--------------------------------------------------------------------------------

The SSH rules are the staged list pattern: each new connection to port 22 moves the source one stage further (stage1 to stage2 to stage3, each entry living 1 minute), and a fourth new connection within that minute lands the source in ssh_blacklist for 10 days. The stage rules are listed from stage3 down to stage1 on purpose: add-src-to-address-list does not stop rule processing, so listing them in that order means one connection can only advance a source by a single stage.

### Other Security

* SSH public key authentication

Generate a public/private key pair.

Using ssh-keygen on *NIX:

sh$ ssh-keygen -t dsa -f ./id_dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_dsa.
Your public key has been saved in ./id_dsa.pub.
The key fingerprint is:
91:d7:08:be:b6:a1:67:5e:81:02:cb:4d:47:d6:a0:3b admin-ssh@beka

Using PuTTYgen on Windows.

Upload the public key file to RouterOS with scp, then import it and bind it to a user:

[admin@MikroTik] user ssh-keys> import file=id_dsa.pub user=admin-ssh
[admin@MikroTik] user ssh-keys> print
  # USER        KEY-OWNER
  0 admin-ssh   admin-ssh@beka
[admin@MikroTik] user ssh-keys>

The example uses a DSA key, which is what RouterOS of this vintage imported. Current OpenSSH releases have removed DSA (ssh-dss) support, so with a recent client and a newer RouterOS generate an RSA key instead, and use a passphrase: the private key is the only thing standing between the router and whoever gets hold of that file.

* Firewall - http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling
* Syslog Daemon

Repost: A closer look at HTB in RouterOS MikroTik QoS

QoS (Quality of Service) in MikroTik relies heavily on HTB (Hierarchical Token Bucket). HTB lets us structure queues by grouping them into a hierarchy. What many people do not realise is that if HTB is not actually used in the queue (whether Simple Queue or Queue Tree), several parameters do not behave as expected. The parameters that stop working are priority and dual limitation (CIR / MIR).

This article uses a simple QoS scenario as its example: 400kbps of bandwidth is to be allocated to 3 clients, each of which may get at most 200kbps. The three clients have different priorities: 1, 2 and 3.

To make monitoring and verification easier, we use a queue tree.

The easiest way to queue with a queue tree is to set these parameters:

* parent (which must be the outgoing interface),
* packet-mark (which must first be created in ip-firewall-mangle),
* max-limit (the maximum rate), also known as MIR (Maximum Information Rate).

For the first experiment, every priority is set to the same value, 8, and limit-at is left empty. The following figure illustrates what happens with this configuration.

Because only 400kbps is available while the three clients together want more (600kbps), the three clients fight over the bandwidth and it cannot be predicted who wins (uses bandwidth in full) and who loses (does not get an appropriate share).

Suppose q1 is the client with the highest priority and q3 the one with the lowest. We now enter the priority value of each client accordingly.

As the figure above shows, even though q1 now has the highest priority, the three clients still fight over the bandwidth and nothing is under control.

The next figure tries setting limit-at. limit-at is supposed to be the CIR (Committed Information Rate): the rate a client gets whatever else is happening, as long as that bandwidth is actually available.

It turns out q1 still does not get the bandwidth promised by its limit-at (CIR), even though the available 400kbps should be enough to give every client its limit-at.

Next we use a parent queue and place the three client queues as children of it. On the parent queue we only set parent to the outgoing interface, and on the three children we change parent to the name of the parent queue. To start with, we do not set max-limit on the parent queue and we remove limit-at from every client.

As the example above shows, because no max-limit was set on the parent, the children's priorities are still not honoured.

Only after max-limit is set on the parent queue do the client priorities take effect.

In the example above, q1 and q2 get almost their max-limit while q3 gets almost nothing. Priority now works. In practice, though, we do not want a client that gets no bandwidth at all.

For that we need to set limit-at on each client. limit-at is the minimum rate a client will get, undisturbed by other clients, no matter how much the others "suck up" and whatever their priority. We set 75kbps as limit-at on every client.

Now q3, with the lowest priority, gets bandwidth equal to its limit-at. q1, with the highest priority, can reach its max-limit, and q2, whose priority lies between the two, gets more than its limit-at but does not reach its max-limit. In this example every client is guaranteed its limit-at, and whatever is left is shared out according to each client's priority until the total reaches the parent's max-limit.

The sum of the limit-at values must not exceed the parent's max-limit. If it does, as in the example below where the three clients' limit-at add up to 600kbps while the parent's max-limit is only 400kbps, the parent's max-limit "leaks". The example below assumes the real capacity can actually reach the total limit-at. If the available bandwidth does not reach the total limit-at, the clients fight again and priority stops working.

As for max-limit, a client's max-limit must not exceed the parent's max-limit. If it does, the client will never reach its max-limit and will top out at the parent's max-limit (lower than the client's own).

If all clients have the same priority, they share the remaining bandwidth equally. In the example below every client gets about the same, roughly 130kbps (400kbps in total divided by 3).

Things to remember about HTB:

1. HTB only works if the client queue rules sit under at least one level of parent, every client queue has both limit-at and max-limit, and the parent queue has a max-limit.
2. The sum of all client limit-at values must not exceed the parent's max-limit.
3. Each client's max-limit must be less than or equal to the parent's max-limit.
4. The top-level parent only needs max-limit (no limit-at).
5. For parents and sub-parents the priority parameter is ignored; priority only counts on child queues.
6. Priority is only evaluated after every limit-at (on child queues and sub-parents alike) has been satisfied.

A practical guide to calculating limit-at and max-limit

Assume 1000kbps of bandwidth is available and there are 70 clients in total. What needs to be known is:

1. The maximum number of clients using the internet at the same time. This is not necessarily the number of computers, if they are never all connected at once. For this case we assume 50.
2. The minimum number of clients using the internet at the same time. For this case we assume 10.

Then, for each client (one queue rule per client), limit-at is 1000 / 50 = 20kbps and max-limit is 1000 / 10 = 100kbps.

Do not forget to add a parent with a max-limit of 1000kbps (no limit-at needed) and put every client queue under that parent queue. If particular terminals need more priority, use different priority values according to their order of precedence.
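The checklist and the rule of thumb above can be verified mechanically. The following Python example is added here and is not part of the article: it implements the limit-at/max-limit formula, the checklist rules 1 to 3, an idealised model of how HTB splits a parent's max-limit (limit-at first, the remainder to the highest priority, equal shares within one priority, never above a child's max-limit), and it emits the matching /queue tree commands. The packet-mark names (<client>_pkt) and the interface name are assumptions; real HTB lends bandwidth in quantum-sized steps, so the split is the idealised one the article describes rather than a bit-exact prediction.

```python
"""HTB queue-tree planner and checker (added example, not from the article):
the limit-at/max-limit rule of thumb, checklist rules 1-3, an idealised model
of how HTB shares a parent's max-limit, and the /queue tree commands."""
from dataclasses import dataclass
from fractions import Fraction
from itertools import groupby


@dataclass
class Child:
    name: str
    limit_at: int      # CIR in kbps
    max_limit: int     # MIR in kbps
    priority: int = 8  # 1 = highest, 8 = lowest (RouterOS default)


def plan_limits(total_kbps, max_concurrent, min_concurrent):
    """Per-client (limit-at, max-limit) in kbps: total / max users, total / min users."""
    return total_kbps // max_concurrent, total_kbps // min_concurrent


def validate_htb(parent_max, children):
    """Return the violated checklist rules (an empty list means the tree is sound)."""
    problems = []
    if parent_max <= 0:
        problems.append("rule 1: parent queue needs a max-limit")
    for c in children:
        if c.limit_at <= 0 or c.max_limit <= 0:
            problems.append(f"rule 1: {c.name} needs both limit-at and max-limit")
        if c.max_limit > parent_max:
            problems.append(f"rule 3: {c.name} max-limit exceeds parent max-limit")
    if sum(c.limit_at for c in children) > parent_max:
        problems.append("rule 2: sum of limit-at exceeds parent max-limit (parent leaks)")
    return problems


def share(parent_max, children):
    """Idealised HTB split in kbps: every child gets its limit-at, the remainder goes
    to the highest priority first, shared equally among children of equal priority,
    never above a child's max-limit. (Real HTB borrows in quantum-sized steps.)"""
    got = {c.name: Fraction(min(c.limit_at, c.max_limit)) for c in children}
    left = Fraction(parent_max) - sum(got.values())
    if left < 0:
        raise ValueError("limit-at total exceeds parent max-limit")
    by_prio = sorted(children, key=lambda c: c.priority)
    for _, group in groupby(by_prio, key=lambda c: c.priority):
        group = list(group)
        while left > 0:
            hungry = [c for c in group if got[c.name] < c.max_limit]
            if not hungry:
                break
            per_child = left / len(hungry)
            for c in hungry:
                take = min(per_child, c.max_limit - got[c.name])
                got[c.name] += take
                left -= take
    return {name: float(v) for name, v in got.items()}


def queue_tree(parent_name, interface, parent_max, children):
    """RouterOS /queue tree commands; packet marks '<name>_pkt' are assumed to be
    created in /ip firewall mangle. Rates are written in bits per second."""
    lines = [f"/queue tree add name={parent_name} parent={interface} "
             f"max-limit={parent_max * 1000}"]
    for c in children:
        lines.append(f"/queue tree add name={c.name} parent={parent_name} "
                     f"packet-mark={c.name}_pkt limit-at={c.limit_at * 1000} "
                     f"max-limit={c.max_limit * 1000} priority={c.priority}")
    return "\n".join(lines)


if __name__ == "__main__":
    trio = [Child("q1", 75, 200, 1), Child("q2", 75, 200, 2), Child("q3", 75, 200, 3)]
    print(validate_htb(400, trio), share(400, trio))
    print(queue_tree("total", "Local", 400, trio))
```

With the article's 400kbps parent and 75/200kbps children the model gives q1 200, q2 125 and q3 75kbps, which is the outcome the article reports; with equal priorities each gets 133kbps, and with no limit-at at all q3 starves. The validator flags the 3 x 200kbps limit-at case as the rule 2 leak.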

Load Balancing 3 Speedy Lines

Sharing some experience, since I was just asked to load balance three Speedy lines with MikroTik. It may not be perfect, but there is no harm in passing on what I learned.

The load balancing described here was done on MikroTik 2.9 (old, yes) installed on a Pentium 3 PC with four Ethernet cards in its PCI slots.

The topology I drew up looks like this (diagram not reproduced here):

Load balancing steps:

1. Change the IP address and the interface name of each Ethernet port as in the diagram above.
   Example: ether1 -> rename the interface to "local" and set its IP to 192.168.10.1/24.

2. Start by adding the gateways to MikroTik, one default route per line, each bound to its own routing mark. A route with a routing-mark is only used by traffic carrying that mark, so the router itself (and any traffic that reaches the routing decision unmarked) still needs an ordinary default route; the full export further down has one.

   ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark=satu comment="" disabled=no
   ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 routing-mark=dua comment="" disabled=no
   ip route add dst-address=0.0.0.0/0 gateway=192.168.3.1 scope=255 target-scope=10 routing-mark=tiga comment="" disabled=no

3. Continue with ip firewall mangle. Each new connection arriving on the local interface is handed to one of the three lines in turn by the nth matcher and marked once (mark-connection, passthrough=yes); the rule directly after it then gives every packet of that connection the routing mark that selects the matching route (mark-routing, passthrough=no, so the packet stops there and is not counted by the next nth rule). The original post spelled the parameter "passtrough", which RouterOS rejects; it is passthrough.

   ip firewall mangle
   add chain=prerouting in-interface=local connection-state=new nth=2,3,0 action=mark-connection new-connection-mark=satu passthrough=yes comment="load balancing" disabled=no
   add chain=prerouting in-interface=local connection-mark=satu action=mark-routing new-routing-mark=satu passthrough=no comment="" disabled=no
   add chain=prerouting in-interface=local connection-state=new nth=2,3,1 action=mark-connection new-connection-mark=dua passthrough=yes comment="" disabled=no
   add chain=prerouting in-interface=local connection-mark=dua action=mark-routing new-routing-mark=dua passthrough=no comment="" disabled=no
   add chain=prerouting in-interface=local connection-state=new nth=2,3,2 action=mark-connection new-connection-mark=tiga passthrough=yes comment="" disabled=no
   add chain=prerouting in-interface=local connection-mark=tiga action=mark-routing new-routing-mark=tiga passthrough=no comment="" disabled=no

4. And finally NAT, one masquerade rule per outgoing interface:

   ip firewall nat add chain=srcnat out-interface=speedy1 action=masquerade
   ip firewall nat add chain=srcnat out-interface=speedy2 action=masquerade
   ip firewall nat add chain=srcnat out-interface=speedy3 action=masquerade

Good luck trying it out...
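Added example (not from the post): a Python simulation of how the six mangle rules pick a line for each new connection and keep the rest of that connection on it. It follows the RouterOS 2.9 nth=every,counter,packet semantics inherited from the Linux ipt_nth match: the rule whose packet value equals the shared counter matches and advances it, cycling over every+1 values. It also shows why the mark-routing rules need passthrough=no: with passthrough=yes a new packet falls through all three nth rules and every connection ends up on the last line. Connection identifiers and the interface names are assumptions of the example.

```python
"""Simulate the per-connection round-robin mangle rules above (added example, not
from the page): RouterOS 2.9 nth semantics and passthrough handling."""

MARKS = ["satu", "dua", "tiga"]   # routing marks bound to the three gateways above


class NthCounter:
    """Shared counter for nth=every,counter,packet: the rule whose packet value
    equals the counter matches and advances it modulo every+1 (v3+ uses nth=every,packet)."""

    def __init__(self, every):
        self.modulus = every + 1
        self.value = 0

    def match(self, packet):
        if self.value != packet:
            return False
        self.value = (self.value + 1) % self.modulus
        return True


class Mangle:
    def __init__(self, routing_passthrough=False):
        self.counter = NthCounter(every=2)   # nth=2,3,x: counter 3, a cycle of three
        self.conn_mark = {}                  # connection id -> connection-mark
        # rules in the order of step 3: (kind, key, mark, passthrough)
        self.rules = []
        for packet_no, mark in enumerate(MARKS):
            self.rules.append(("new", packet_no, mark, True))          # mark-connection
            self.rules.append(("conn", mark, mark, routing_passthrough))  # mark-routing

    def prerouting(self, conn_id, in_iface="local"):
        """Return the routing-mark this packet leaves the chain with (None = main table)."""
        if in_iface != "local":          # every rule has in-interface=local
            return None
        is_new = conn_id not in self.conn_mark   # connection-state=new: first packet
        routing_mark = None
        for kind, key, mark, passthrough in self.rules:
            if kind == "new":
                matched = is_new and self.counter.match(key)
                if matched:
                    self.conn_mark[conn_id] = mark
            else:
                matched = self.conn_mark.get(conn_id) == key
                if matched:
                    routing_mark = mark
            if matched and not passthrough:
                break
        return routing_mark


if __name__ == "__main__":
    good = Mangle()
    print([good.prerouting(c) for c in "ABCDEF"], good.prerouting("A"))
    print([Mangle(routing_passthrough=True).prerouting(c) for c in "ABC"])
```

Per-connection balancing like this keeps a TCP session on one public address, which is what keeps most sites working; it does not balance by load, only by count, and a single long download still occupies one line.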

Source: http://infonesia.info

Wed 22 Apr 2009


Load Balancing 3 Speedy Lines

Posted by harinto under Mikrotik

Full export of the router used for the load balancing, as posted. Note that an export prints the PPPoE password in cleartext: scrub credentials before sharing a configuration, and change them if they have already been published.

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 2.9.27 (c) 1999-2006       http://www.mikrotik.com/

/ interface ethernet
set Local name="Local" mtu=1500 mac-address=0A:C0:18:1A:3C:8A arp=enabled disable-running-check=yes auto-negotiation=no \
    full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set Speedy1 name="Speedy1" mtu=1500 mac-address=0A:C0:18:1A:3C:75 arp=enabled disable-running-check=yes \
    auto-negotiation=no full-duplex=yes cable-settings=default speed=1Gbps comment="" disabled=no
set Speedy2 name="Speedy2" mtu=1500 mac-address=C0:10:18:C0:30:94 arp=enabled disable-running-check=yes \
    auto-negotiation=no full-duplex=yes cable-settings=default speed=1Gbps comment="" disabled=no
set Speedy3 name="Speedy3" mtu=1500 mac-address=00:0C:6E:D3:0D:FC arp=enabled disable-running-check=yes \
    auto-negotiation=no full-duplex=yes cable-settings=default speed=1Gbps comment="" disabled=no
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server
add name="vpn" user="" disabled=no
/ interface pptp-server server
set enabled=yes max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 keepalive-timeout=30 default-profile=vpn
/ interface pppoe-client
add name="pppoe-out1" max-mtu=1480 max-mru=1480 interface=Speedy2 user="[email protected]" password="sttlqg13mc" \
    profile=default service-name="" ac-name="" add-default-route=yes dial-on-demand=no use-peer-dns=no \
    allow=pap,chap,mschap1,mschap2 disabled=no
/ ip pool
add name="dhcp_pool1" ranges=10.2.1.1-10.2.1.252,10.2.1.254
add name="vpn" ranges=172.16.1.1-172.16.1.6
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=yes
set ftp port=21 address=0.0.0.0/0 disabled=yes
set www port=7479 address=0.0.0.0/0 disabled=no
set ssh port=1981 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ ip arp
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip dns static
add name="www.ktr-pjk-pdg.org" address=10.2.1.253 ttl=1d
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m inactive-flow-timeout=15s
/ ip address
add address=10.2.1.253/24 network=10.2.1.0 broadcast=10.2.1.255 interface=Local comment="" disabled=no
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=Speedy1 comment="" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Speedy2 comment="" disabled=no
add address=192.168.3.2/24 network=192.168.3.0 broadcast=192.168.3.255 interface=Speedy3 comment="" disabled=no
add address=172.16.1.1/29 network=172.16.1.0 broadcast=172.16.1.7 interface=Local comment="" disabled=no
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connections=1000 maximal-server-connections=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
/ ip neighbor discovery
set Local discover=yes
set Speedy1 discover=yes
set Speedy2 discover=yes
set Speedy3 discover=yes
set pppoe-out1 discover=no
set vpn discover=no
/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark=speedy1 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=125.165.112.1 scope=255 target-scope=10 routing-mark=speedy2 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.3.1 scope=255 target-scope=10 routing-mark=speedy3 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=125.165.112.1 scope=255 target-scope=10 comment="" disabled=no
/ ip firewall mangle
add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=prio_conn_p2p passthrough=yes \
    comment="Prio P2P" disabled=yes
add chain=prerouting connection-mark=prio_conn_p2p action=mark-packet new-packet-mark=prio_p2p_packet passthrough=no \
    comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=995 action=mark-connection new-connection-mark=prio_conn_download_services \
    passthrough=yes comment="Prio Download_Services" disabled=yes
add chain=prerouting protocol=tcp dst-port=143 action=mark-connection new-connection-mark=prio_conn_download_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=993 action=mark-connection new-connection-mark=prio_conn_download_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=995 action=mark-connection new-connection-mark=prio_conn_download_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=prio_conn_download_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=prio_conn_download_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=20-21 action=mark-connection new-connection-mark=prio_conn_download_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tc dst-port=22 packet-size=1400-1500 action=mark-connection \
    new-connection-mark=prio_conn_download_services passthrough=yes comment="" disabled=yes
add chain=prerouting connection-mark=prio_conn_download_services action=mark-packet new-packet-mark=prio_download_packet \
    passthrough=no comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=prio_conn_ensign_services \
    passthrough=yes comment="Prio Ensign_Services" disabled=yes
add chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=prio_conn_ensign_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=icmp action=mark-connection new-connection-mark=prio_conn_ensign_services passthrough=yes \
    comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=prio_conn_ensign_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=23 action=mark-connection new-connection-mark=prio_conn_ensign_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=80 connection-bytes=0-500000 action=mark-connection \
    new-connection-mark=prio_conn_ensign_services passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=8080 action=mark-connection new-connection-mark=prio_conn_ensign_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting connection-mark=prio_conn_ensign_services action=mark-packet new-packet-mark=prio_ensign_packet \
    passthrough=no comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=22 packet-size=1400-1500 action=mark-connection \
    new-connection-mark=prio_conn_user_services passthrough=yes comment="Prio User_Request" disabled=yes
add chain=prerouting protocol=tcp dst-port=8291 packet-size=1400-1500 action=mark-connection \
    new-connection-mark=prio_conn_user_services passthrough=yes comment="" disabled=yes
add chain=prerouting connection-mark=prio_conn_user_services action=mark-packet new-packet-mark=prio_request_packet \
    passthrough=no comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=5100 action=mark-connection new-connection-mark=prio_conn_comm_services \
    passthrough=yes comment="Prio_Communication" disabled=yes
add chain=prerouting protocol=tcp dst-port=5050 action=mark-connection new-connection-mark=prio_conn_comm_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=udp dst-port=5060 action=mark-connection new-connection-mark=prio_conn_comm_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=1869 action=mark-connection new-connection-mark=prio_conn_comm_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=1723 action=mark-connection new-connection-mark=prio_conn_comm_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=5190 action=mark-connection new-connection-mark=prio_conn_comm_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=6660-7000 action=mark-connection new-connection-mark=prio_conn_comm_services \
    passthrough=yes comment="" disabled=yes
add chain=prerouting protocol=ipencap action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
    comment="" disabled=yes
add chain=prerouting protocol=gre action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
    comment="" disabled=yes
add chain=prerouting protocol=ipsec-esp action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
    comment="" disabled=yes
add chain=prerouting protocol=ipsec-ah action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
    comment="" disabled=yes
add chain=prerouting protocol=ipip action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
    comment="" disabled=yes
add chain=prerouting protocol=encap action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
    comment="" disabled=yes
add chain=prerouting connection-mark=prio_conn_comm_services action=mark-packet new-packet-mark=prio_comm_packet \
    passthrough=no comment="" disabled=yes
add chain=prerouting in-interface=Local connection-state=new nth=2,1,0 action=mark-connection new-connection-mark=speedy1 \
    passthrough=yes comment="LB 3 Line Speedy" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy1 action=mark-routing new-routing-mark=speedy1 \
    passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=2,1,1 action=mark-connection new-connection-mark=speedy2 \
    passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy2 action=mark-routing new-routing-mark=speedy2 \
    passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=2,1,2 action=mark-connection new-connection-mark=speedy3 \
    passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy3 action=mark-routing new-routing-mark=speedy3 \
    passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=speedy1 action=src-nat to-addresses=192.168.1.2 to-ports=0-65535 comment="NAT 2 CLIENT" \
    disabled=no
add chain=srcnat connection-mark=speedy2 action=src-nat to-addresses=125.165.115.184 to-ports=0-65535 comment="" \
    disabled=no
add chain=srcnat connection-mark=speedy3 action=src-nat to-addresses=192.168.3.2 to-ports=0-65535 comment="" disabled=no
add chain=srcnat src-address=172.16.1.0/29 action=masquerade comment="NAT VPN" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall filter
add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogus IP Address" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward src-address=192.168.1.99 protocol=tcp content=www action=drop comment="block browsing 1" disabled=yes
add chain=forward src-address=192.168.1.7 content=!www action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.8 protocol=tcp content=www action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.9 action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.10 content=!www action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.11 protocol=tcp content=www action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.12 protocol=tcp content=www action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.99 protocol=tcp content=http: action=drop comment="block browsing 2" disabled=yes
add chain=forward src-address=192.168.1.4 protocol=tcp content=http: action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.5 protocol=tcp content=http: action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.6 protocol=tcp content=http: action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.7 content=!http: action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.8 protocol=tcp content=http: action=drop comment="" disabled=yes
add chain=input src-address=192.168.1.9 action=drop comment="" disabled=yes
add chain=input src-address=192.168.1.10 content=!http: action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.11 protocol=tcp content=http: action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.12 protocol=tcp content=http: action=drop comment="" disabled=yes
add chain=forward protocol=icmp icmp-options=11:0 action=drop comment="Drop Traceroute" disabled=no
add chain=forward protocol=icmp icmp-options=3:3 action=drop comment="Drop Traceroute" disabled=no
add chain=input protocol=tcp 
dst-port=22 src-address-list=ssh_blacklist action=drop comment=”Drop SSH brute forcers” \disabled=noadd chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list \address-list=ssh_blacklist address-list-timeout=1w3d comment=”” disabled=noadd chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list \address-list=ssh_stage3 address-list-timeout=1m comment=”” disabled=noadd chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list \address-list=ssh_stage2 address-list-timeout=1m comment=”” disabled=noadd chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 \address-list-timeout=1m comment=”” disabled=no

Page 179: Copy of 19763026 Tutorial Mikrotik Komplet

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=”port scanners” \address-list-timeout=2w comment=”Port Scanners to list ” disabled=noadd chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=”port \scanners” address-list-timeout=2w comment=”” disabled=noadd chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=”port scanners” \address-list-timeout=2w comment=”” disabled=noadd chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=”port scanners” \address-list-timeout=2w comment=”” disabled=noadd chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=”port \scanners” address-list-timeout=2w comment=”” disabled=noadd chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=”port scanners” \address-list-timeout=2w comment=”” disabled=noadd chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=”port \scanners” address-list-timeout=2w comment=”” disabled=noadd chain=input src-address-list=”port scanners” action=drop comment=”” disabled=noadd chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment=”Filter FTP to Box” \disabled=noadd chain=output protocol=tcp content=”530 Login incorrect” dst-limit=1/1m,9,dst-address/1m action=accept comment=”” \disabled=noadd chain=output protocol=tcp content=”530 Login incorrect” action=add-dst-to-address-list address-list=ftp_blacklist \address-list-timeout=3h comment=”” disabled=noadd chain=forward protocol=tcp action=jump jump-target=tcp comment=”Separate Protocol into Chains” disabled=noadd chain=forward protocol=udp action=jump jump-target=udp comment=”” disabled=noadd chain=forward protocol=icmp action=jump jump-target=icmp comment=”” disabled=noadd chain=input protocol=tcp action=jump 
jump-target=tcp comment=”” disabled=noadd chain=input protocol=udp action=jump jump-target=udp comment=”” disabled=noadd chain=udp protocol=udp dst-port=69 action=drop comment=”Blocking UDP Packet” disabled=noadd chain=udp protocol=udp dst-port=111 action=drop comment=”” disabled=noadd chain=udp protocol=udp dst-port=135 action=drop comment=”” disabled=noadd chain=udp protocol=udp dst-port=445 action=drop comment=”” disabled=noadd chain=udp protocol=udp dst-port=137-139 action=drop comment=”” disabled=noadd chain=udp protocol=udp dst-port=2049 action=drop comment=”” disabled=noadd chain=udp protocol=udp dst-port=3133 action=drop comment=”” disabled=noadd chain=tcp protocol=tcp dst-port=25 action=drop comment=”Bloking TCP Packet” disabled=noadd chain=tcp protocol=tcp dst-port=69 action=drop comment=”” disabled=noadd chain=tcp protocol=tcp dst-port=111 action=drop comment=”” disabled=noadd chain=tcp protocol=tcp dst-port=137-139 action=drop comment=”” disabled=noadd chain=tcp protocol=tcp dst-port=135 action=drop comment=”” disabled=no

Page 180: Copy of 19763026 Tutorial Mikrotik Komplet

add chain=tcp protocol=tcp dst-port=119 action=drop comment=”” disabled=noadd chain=tcp protocol=tcp dst-port=445 action=drop comment=”———— Virus — Conficker” disabled=noadd chain=tcp protocol=tcp dst-port=2049 action=drop comment=”” disabled=noadd chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment=”” disabled=noadd chain=tcp protocol=tcp dst-port=20034 action=drop comment=”” disabled=noadd chain=tcp protocol=tcp dst-port=3133 action=drop comment=”” disabled=noadd chain=tcp protocol=tcp dst-port=67-68 action=drop comment=”” disabled=noadd chain=icmp protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment=”Limited Ping Flood” disabled=noadd chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment=”” disabled=noadd chain=icmp protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment=”” disabled=noadd chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment=”” disabled=noadd chain=icmp protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment=”” disabled=noadd chain=icmp protocol=icmp action=drop comment=”” disabled=noadd chain=input dst-address-type=broadcast action=accept comment=”Allow Broadcast Traffic” disabled=noadd chain=input connection-state=established action=accept comment=”Connection State” disabled=noadd chain=input connection-state=related action=accept comment=”” disabled=noadd chain=input protocol=icmp limit=50/5s,2 action=accept comment=”” disabled=noadd chain=input connection-state=invalid action=drop comment=”” disabled=no/ ip firewall service-portset ftp ports=21 disabled=yesset tftp ports=69 disabled=yesset irc ports=6667 disabled=yesset h323 disabled=yesset quake3 disabled=yesset gre disabled=yesset pptp disabled=yes/ ip hotspot service-portset ftp ports=21 disabled=no/ ip hotspot profileset default name=”default” hotspot-address=0.0.0.0 dns-name=”” html-directory=hotspot rate-limit=”” http-proxy=0.0.0.0:0 \smtp-server=0.0.0.0 login-by=cookie,http-chap 
http-cookie-lifetime=3d split-user-domain=no use-radius=no/ ip hotspot user profileset default name=”default” idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 \transparent-proxy=yes open-status-page=always advertise=no/ ip dhcp-serveradd name=”dhcp1? interface=Local lease-time=3d address-pool=dhcp_pool1 bootp-support=static authoritative=after-2sec-delay \disabled=no/ ip dhcp-server configset store-leases-disk=5m

Page 181: Copy of 19763026 Tutorial Mikrotik Komplet

/ ip dhcp-server lease/ ip dhcp-server networkadd address=10.2.1.0/24 gateway=10.2.1.253 comment=””/ ip ipsec proposaladd name=”default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no/ ip web-proxyset enabled=yes src-address=0.0.0.0 port=3128 hostname=”proxy” transparent-proxy=yes parent-proxy=0.0.0.0:0 \cache-administrator=”webmaster” max-object-size=4096KiB cache-drive=system max-cache-size=unlimited \max-ram-cache-size=unlimited/ ip web-proxy accessadd dst-port=23-25 action=deny comment=”block telnet & spam e-mail relaying” disabled=no/ ip web-proxy cacheadd url=”:cgi-bin \\?” action=deny comment=”don’t cache dynamic http pages” disabled=no/ system loggingadd topics=info prefix=”” action=memory disabled=noadd topics=error prefix=”” action=memory disabled=noadd topics=warning prefix=”” action=memory disabled=noadd topics=critical prefix=”” action=echo disabled=no/ system logging actionset memory name=”memory” target=memory memory-lines=100 memory-stop-on-full=noset disk name=”disk” target=disk disk-lines=100 disk-stop-on-full=noset echo name=”echo” target=echo remember=yesset remote name=”remote” target=remote remote=0.0.0.0:514/ system upgrade mirrorset enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 check-interval=1d user=””/ system clock dstset dst-delta=+00:00 dst-start=”jan/01/1970 00:00:00? 
dst-end=”jan/01/1970 00:00:00?/ system watchdogset reboot-on-failure=yes watch-address=none watchdog-timer=yes no-ping-delay=5m automatic-supout=yes auto-send-supout=no/ system consoleadd port=serial0 term=”” disabled=noset FIXME term=”linux” disabled=noset FIXME term=”linux” disabled=noset FIXME term=”linux” disabled=noset FIXME term=”linux” disabled=noset FIXME term=”linux” disabled=noset FIXME term=”linux” disabled=noset FIXME term=”linux” disabled=noset FIXME term=”linux” disabled=no/ system console screenset line-count=25/ system identityset name=”ROUTER-NET”/ system noteset show-at-login=yes note=””/ portset serial0 name=”serial0? baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-

Page 182: Copy of 19763026 Tutorial Mikrotik Komplet

control=hardware/ ppp profileset default name=”default” use-compression=default use-vj-compression=default use-encryption=default only-one=default \change-tcp-mss=yes comment=””add name=”vpn” local-address=vpn remote-address=vpn use-compression=default use-vj-compression=default \use-encryption=required only-one=default change-tcp-mss=default dns-server=203.130.193.74 comment=””set default-encryption name=”default-encryption” use-compression=default use-vj-compression=default use-encryption=yes \only-one=default change-tcp-mss=yes comment=””/ ppp secretadd name=”areksitiung” service=pptp caller-id=”” password=”sentot” profile=vpn routes=”” limit-bytes-in=0 \limit-bytes-out=0 comment=”” disabled=no/ ppp aaaset use-radius=yes accounting=yes interim-update=0s/ queue typeset default name=”default” kind=pfifo pfifo-limit=50set ethernet-default name=”ethernet-default” kind=pfifo pfifo-limit=50set wireless-default name=”wireless-default” kind=sfq sfq-perturb=5 sfq-allot=1514set synchronous-default name=”synchronous-default” kind=red red-limit=60 red-min-threshold=10 red-max-threshold=50 \red-burst=20 red-avg-packet=1000set hotspot-default name=”hotspot-default” kind=sfq sfq-perturb=5 sfq-allot=1514add name=”default-small” kind=pfifo pfifo-limit=10/ queue simpleadd name=”DreamNet” target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 interface=Local parent=none direction=both \priority=1 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=noadd name=”Down_Services” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_download_packet direction=both \priority=5 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=noadd name=”Ensign_Services” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_ensign_packet direction=both \priority=1 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=noadd name=”User_Request” 
dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_request_packet direction=both \priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=noadd name=”Communication” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all parent=none \packet-marks=prio_comm_packet direction=both priority=3 queue=default-small/default-small limit-at=0/0 max-limit=0/0 \total-queue=default-small disabled=noadd name=”Kasir” target-addresses=192.168.1.99/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \

Page 183: Copy of 19763026 Tutorial Mikrotik Komplet

priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default-small \disabled=noadd name=”Client1? target-addresses=192.168.1.15/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \disabled=noadd name=”Client2? target-addresses=192.168.1.4/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \disabled=noadd name=”Client3? target-addresses=192.168.1.5/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \disabled=noadd name=”Client4? target-addresses=192.168.1.6/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \disabled=noadd name=”Client5? target-addresses=192.168.1.7/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \disabled=noadd name=”Client6? target-addresses=192.168.1.8/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \disabled=noadd name=”Client7? target-addresses=192.168.1.9/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \disabled=noadd name=”Client8? 
target-addresses=192.168.1.10/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \disabled=noadd name=”Client9? target-addresses=192.168.1.11/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \disabled=noadd name=”Client10? target-addresses=192.168.1.12/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000

Page 184: Copy of 19763026 Tutorial Mikrotik Komplet

total-queue=default \disabled=no/ useradd name=”admin” group=full address=0.0.0.0/0 comment=”system default user” disabled=yesadd name=”areksitiung” group=full address=0.0.0.0/0 comment=”” disabled=noadd name=”nanda” group=full address=0.0.0.0/0 comment=”” disabled=noadd name=”riko” group=full address=0.0.0.0/0 comment=”” disabled=noadd name=”padang” group=full address=0.0.0.0/0 comment=”” disabled=no/ user groupadd name=”read” policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policyadd name=”write” policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policyadd name=”full” policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web/ user aaaset use-radius=no accounting=yes interim-update=0s default-group=read/ radius incomingset accept=no port=1700/ driver/ snmpset enabled=no contact=”” location=””/ snmp communityset public name=”public” address=0.0.0.0/0 read-access=yes/ tool bandwidth-serverset enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10/ tool mac-server pingset enabled=yes/ tool e-mailset server=0.0.0.0 from=”<>”/ tool snifferset interface=all only-headers=no memory-limit=10 file-name=”” file-limit=10 streaming-enabled=no streaming-server=0.0.0.0 \filter-stream=yes filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 filter-address2=0.0.0.0/0:0-65535/ tool graphingset store-every=5min/ tool graphing queueadd simple-queue=all allow-address=0.0.0.0/0 store-on-disk=yes allow-target=yes disabled=no/ tool graphing resourceadd allow-address=0.0.0.0/0 store-on-disk=yes disabled=no/ tool graphing interfaceadd interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no/ routing ospfset router-id=0.0.0.0 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no \redistribute-bgp=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=20/ routing ospf areaset backbone area-id=0.0.0.0 type=default 
translator-role=translate-candidate authentication=none prefix-list-import=”” \prefix-list-export=”” disabled=no

Page 185: Copy of 19763026 Tutorial Mikrotik Komplet

/ routing bgpset enabled=no as=1 router-id=0.0.0.0 redistribute-static=no redistribute-connected=no redistribute-rip=no \redistribute-ospf=no/ routing ripset redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 \metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
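
The staged ssh_stage1/ssh_stage2/ssh_stage3/ssh_blacklist rules in the input chain of the export above only work because RouterOS evaluates filter rules top-down and add-src-to-address-list does not stop processing, so one new connection advances a source by exactly one stage. The simulation below is an added example (not part of the tutorial and not RouterOS code) that replays that rule order and the address-list timeouts over constructed connection attempts; it assumes that re-adding an address already on a list refreshes its timeout, which you should check on your RouterOS version.

```python
# Added example (not from the tutorial): replay the ssh_stage1..3 -> ssh_blacklist
# rules from the export above to see how the staged address lists behave.
# RouterOS evaluates filter rules top-down; add-src-to-address-list does not
# terminate, so one new connection moves a source up by exactly one stage.
# Assumption (verify on your RouterOS version): re-adding an address that is
# already on a list refreshes its timeout.
from dataclasses import dataclass, field

# address-list-timeout values taken from the export, in seconds
TIMEOUTS = {
    "ssh_stage1": 60,             # 1m
    "ssh_stage2": 60,             # 1m
    "ssh_stage3": 60,             # 1m
    "ssh_blacklist": 10 * 86400,  # 1w3d
}

# Rules in the order they appear in the export:
# (required src-address-list, action, address-list the source is added to)
RULES = [
    ("ssh_blacklist", "drop", None),          # "Drop SSH brute forcers"
    ("ssh_stage3", "add", "ssh_blacklist"),
    ("ssh_stage2", "add", "ssh_stage3"),
    ("ssh_stage1", "add", "ssh_stage2"),
    (None, "add", "ssh_stage1"),              # matches any new connection
]


@dataclass
class AddressLists:
    """Dynamic address lists: list name -> {address: expiry timestamp}."""
    lists: dict = field(default_factory=dict)

    def add(self, name, addr, now):
        # refresh-on-readd is the assumption stated above
        self.lists.setdefault(name, {})[addr] = now + TIMEOUTS[name]

    def contains(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        if expiry is None:
            return False
        if expiry <= now:            # dynamic entry has timed out
            del self.lists[name][addr]
            return False
        return True


def new_ssh_connection(lists, src, now):
    """Walk the rules for one new TCP/22 connection from src at time now.

    Returns "drop" when the blacklist rule fires, otherwise "pass" (the
    packet continues to the later rules of the input chain).
    """
    for required_list, action, target in RULES:
        if required_list is not None and not lists.contains(required_list, src, now):
            continue
        if action == "drop":
            return "drop"
        lists.add(target, src, now)  # non-terminating: keep evaluating
    return "pass"


def simulate(attempts):
    """attempts: iterable of (time_in_seconds, src_ip); returns the verdicts."""
    lists = AddressLists()
    return [new_ssh_connection(lists, src, t) for t, src in attempts]


if __name__ == "__main__":
    # Constructed sample input: a fast guesser and an admin reconnecting slowly.
    fast = [(t, "203.0.113.5") for t in (0, 10, 20, 30, 40)]
    slow = [(t * 90, "198.51.100.7") for t in range(5)]
    print("fast:", simulate(fast))  # 4 new connections in 1m -> the 5th is dropped
    print("slow:", simulate(slow))  # stage1 expires between attempts -> never escalates
```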

Setting up Hotspot billing!

August 20th, 2009 | Author: admin

Setting up Hotspot Billing integrated with a Mikrotik Router is very easy. After installing Mikrotik correctly, run the "Winbox Loader" application so that you can configure the Mikrotik Router from your Windows desktop quickly and easily, without having to memorise Mikrotik command lines. After double-clicking the Winbox application, the following screen appears:

Then click the "…" button and the MAC addresses of the currently active Mikrotik routers appear; in this case, double-click the MAC address 00:0B:CD:64:D9:22, enter the user admin with the password left empty (the default), then click "Connect".

IP ==> Address List
Click the plus |+| button, then under "Address" enter the IP address you want, e.g. 192.168.1.110/24 (the /24 means the Network and Broadcast fields are filled in automatically). Then under "Interface" choose ether1, ether1 being the port that will connect to the Modem/ISP.

IP ==> Route List
Click the plus |+| button, then under "Gateway" enter your gateway IP, e.g. 192.168.1.1, then click "OK".

New Terminal
A console like the following appears; now ping your Internet gateway by typing ping 192.168.1.1. If it succeeds, the output looks like the picture below, which means the network between the Mikrotik and the Gateway/Modem is working normally.

Interface ==> Interface List
This shows which interface or Ethernet card is currently active (connected to the network): the "Tx" and "Rx" columns show traffic of xxx bps. In this case ether1 is connected to the LAN.

IP ==> DNS
Click "Setting", then under "Primary DNS" enter DNS1, e.g. 202.134.1.10, and under "Secondary DNS" enter DNS2, e.g. 202.134.0.155, then click "OK".

New Terminal
Test a ping to the Internet, e.g. to google.com, by typing the command ping google.com; if the result looks like the one below, your Internet connection is up.

IP ==> Hotspot ==> Hotspot Setup
Under "Hotspot Interface" choose the ethernet port you want to use for the hotspot, in this case ether3; if you have a wireless antenna, choose the wireless interface. Then click "Next".

"Local Address of Network" is your hotspot gateway address; then click "Next".

"Address Pool of Network" is the range of DHCP addresses that will be handed out to hotspot users. You can choose any range you like; in this case it is 10.5.50.2 to 10.5.50.254. Then click "Next".

Under "Select Certificate" choose "none", then click "Next".

Leave "IP Address of SMTP Server" empty, then click "Next".

"DNS Servers" is already filled in with your DNS servers; just click "Next".

Leave "DNS Name" empty and click "Next".

Then just click "Next".

When it finishes, the following dialog appears; click "OK".

Then continue configuring the Mikrotik Hotspot so that it connects to the Hotspot Billing software, as follows:

IP ==> Hotspot ==> Server Profiles ==> hsprof1 (double-click)
From the "General" tab move to the "Login" tab, uncheck "Cookies", then click "Apply".

Then move to the "Radius" tab, uncheck "Use RADIUS", then click "Apply" and then "OK".

Radius
Click the plus |+| button; on the General tab tick the hotspot service, then under "Address" enter the IP address of the Hotspot Billing RADIUS server (the Linux PC) and under "Secret" enter the shared secret, e.g. 123457890, matching what you entered on Linux. When done, click "OK".

So that the hotspot user login page shows the Hotspot Billing login page, as in the picture below:

IP ==> Hotspot ==> Walled Garden
Click the plus |+| button; with "Action = allow", select "Dst. Address" and enter the IP address of the Hotspot Billing server, e.g. 192.168.1.10, then click "OK".

When that is done, upload the files prepared by the Hotspot Billing software team into the Mikrotik.

The next step, so that Hotspot Billing is integrated with the Mikrotik Router, is to log in to the Hotspot Billing Manager. Enter the username, password and Security Code correctly, as shown below.

After logging in to the Hotspot Billing Manager, go to the menu Preference ==> Setting Service ==> choose /var/www/html/config.client.php, click "Edit", and when done click "Save".

$ipServer="192.168.1.2"; ==> enter the IP address of the Hotspot Billing server
$ipMikrotik="192.168.1.10"; ==> enter the IP address of the Mikrotik Router
$userMikrotik="admin"; ==> enter the Mikrotik Router username
$passMikrotik="admin"; ==> enter the Mikrotik Router password

If it cannot be saved, open a console as root on Linux and type the command chmod 775 /var/www/html/config.client.php

Go to Preference ==> Setting Service ==> choose /etc/raddb/clients.conf, click "Edit", scroll down to the very last line, add the following four lines, and when done click "Save"

client 192.168.1.2 ==> enter the IP address of the Mikrotik Router
secret=123457890 ==> enter the same secret as in the Mikrotik RADIUS settings
shortname=mikrotik ==> enter the label 'mikrotik'

Go to Preference ==> Setting Service ==> choose /etc/raddb/naslist, then click "Edit"

If it cannot be saved, open a console as root on Linux and type the command chmod 775 /etc/raddb/naslist

Configuring the Mikrotik Hotspot

August 20th, 2009 | Author: admin

Setting up a Hotspot on Mikrotik RouterOS is very easy. A hotspot authentication system is typically used when we provide Internet access in public areas such as hotels, cafés, campuses, airports, parks, malls and so on. This kind of Internet access usually runs over a wireless or wired network. It usually provides free Internet access through the hotspot, or vouchers can be used for authentication. When a user opens a web page, the router checks whether the user has already been authenticated. If not, the user is redirected to the hotspot login page, which requires a username and password. If the login information is correct, the router admits the user into the hotspot system and the client can access web pages. A popup window also appears showing the IP address, byte rate and time live. Hotspot Internet usage can be accounted by time (time-based) or by data downloaded/uploaded (volume-based). Bandwidth can also be limited by data rate, by total upload/download, or by session duration.

There are two easy ways to set up a hotspot on Mikrotik: besides text mode we can use the setup wizard in Winbox for RouterOS. The following steps are the basic configuration of a Mikrotik hotspot as a Gateway Server. First install Mikrotik RouterOS on a PC or plug in the DOM, or if you use a RouterBoard just log in with Login = 'admin' and leave the password empty (the default).

Go to IP ==> Hotspot ==> Setup

Then set the local hotspot IP you will use, e.g. 192.168.10.1, and the DHCP IP range for clients you will use, in this example 192.168.10.2-192.168.10.255

The SMTP Server is best left empty. Then fill in the DNS servers according to your Provider; in this example DNS1=202.47.78.1 DNS2=202.47.78.9

For the local hotspot DNS name just click NEXT; then for the Hotspot user, in this example, enter admin with the password admin123

The Hotspot Server Profile is used to configure server settings that apply to all users, such as the authentication method and data rate limitation. There are 6 different hotspot authentication types in the profile settings: HTTP PAP, HTTP CHAP, HTTPS, HTTP cookie, MAC address, Trial

For the authentication method, HTTP CHAP is usually sufficient

Data rate limitation is used as the default setting for users whose bandwidth limit has not been set, where RX is the client's upload and TX is the client's download. For example, set the default data rate to 64k/128k (upload/download)

The Hotspot user profile stores the settings for the users that will be assigned to that profile. Within it you can configure firewall filter chains for outgoing/incoming traffic, set data rate limits, and also have packets marked automatically for every user who belongs to that profile.

Hotspot users are the usernames that will be authenticated on the hotspot system. Things you can configure for a hotspot user include: the username and password, limiting the user by time and by data volume, allowing only a particular IP address from the DHCP range, or allowing the user to connect to the hotspot system only from a particular MAC address.

IP Bindings are used to allow particular IPs to bypass hotspot authentication, which is very useful when we want to run a server service or IP telephony behind the hotspot system. For example, your PC or notebook can bypass the hotspot system, so that you can browse without authenticating.

Monitoring flooders, om Tamam style

August 12th, 2009 | Author: admin

This morning I was idly saying hello to om Tamam, who is a super busy person... hahaha (just kidding, Om). This is a trick from om Tamam, I don't know what it's called... hopefully it's useful. OK, straight to it: open Winbox and log in, go to System, then click Logging, choose Rules, click the + sign and something like the picture below appears. For Topics point it to web-proxy, leave Prefix empty, then for Action choose action1... wait a minute, at first I was confused too: why didn't action1 show up in my Winbox? To be continued...

After the step above is done, next click the menu beside Rules, namely Actions; for Name use the default action1, for Type choose echo, then tick save and click Apply... alhamdulillah, done. Wait, don't forget to check your DNS: click IP -> DNS -> Settings and make sure Allow Remote Requests is ticked. After that reboot your Mikrotik... once it has rebooted, log in again with Winbox, then click New Terminal and, God willing, you will see the logs of the client IPs that are currently accessing. Just watch them; if anything looks suspicious, i.e. not from our clients, just block it. I'm tired of typing this much... I have no talent for being a writer.

Or for further information contact right away (like a doctor, heh); drop by om Tamam's blog http://tamampapua.wordpress.com/ hope it's useful.

Rate-limiting RapidShare – Mikrotik

July 30th, 2009 | Author: admin

I have to say that RapidShare is a great invention, but sometimes it can be a problem that they are so well connected *G* Compared to torrent/edonkey/… RapidShare customers normally have full speed for their downloads from the very first second. RapidShare is connected by many HUGE carriers, like Global Crossing (Tier 1), Cogent (Tier 1), Level3 (Tier 1), … which is just great for the person downloading, but on the other hand it's sometimes a pain in the admin's a**. The bandwidth you are giving your customers will be used for the download – completely! A, let's say, 8mbit cable client will download with 8mbit. If you want the customers to browse the web lightning fast but don't want them to constantly consume their full bandwidth by downloading multiple gigs from RapidShare, you could do the following:

Create an address list with all RapidShare networks (2008-12-03)

/ip firewall address-list
add address=62.140.31.0/24 list=RapidShare
add address=62.153.244.0/24 list=RapidShare
add address=62.67.46.0/24 list=RapidShare
add address=62.67.50.0/24 list=RapidShare
add address=62.67.57.0/24 list=RapidShare
add address=64.211.146.0/24 list=RapidShare
add address=64.214.225.0/24 list=RapidShare
add address=64.215.245.0/24 list=RapidShare
add address=80.152.62.0/24 list=RapidShare
add address=80.231.128.0/24 list=RapidShare
add address=80.231.24.0/24 list=RapidShare
add address=80.231.41.0/24 list=RapidShare
add address=80.231.56.0/24 list=RapidShare
add address=80.239.137.0/24 list=RapidShare
add address=80.239.151.0/24 list=RapidShare
add address=80.239.152.0/24 list=RapidShare
add address=80.239.159.0/24 list=RapidShare
add address=80.239.226.0/24 list=RapidShare
add address=80.239.236.0/24 list=RapidShare
add address=80.239.239.0/24 list=RapidShare
add address=82.129.33.0/24 list=RapidShare
add address=82.129.35.0/24 list=RapidShare
add address=82.129.36.0/24 list=RapidShare
add address=82.129.39.0/24 list=RapidShare
add address=195.122.131.0/24 list=RapidShare
add address=195.122.149.0/24 list=RapidShare
add address=195.122.151.0/24 list=RapidShare
add address=195.122.152.0/24 list=RapidShare
add address=195.122.153.0/24 list=RapidShare
add address=195.219.1.0/24 list=RapidShare
add address=206.57.14.0/24 list=RapidShare
add address=207.138.168.0/24 list=RapidShare
add address=208.48.186.0/24 list=RapidShare
add address=212.162.2.0/24 list=RapidShare
add address=212.162.63.0/24 list=RapidShare
add address=217.243.210.0/24 list=RapidShare

By the way: the list was produced by a quick and dirty awk hack that emits /24s only; 195.122.152.0/24 and 195.122.153.0/24 could be added as a single 195.122.152.0/23 instead.
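The /24-only list can be tightened with the Python standard library instead of awk. The following is an added example, not code from the original post: it takes the 36 prefixes above, reports entries with host bits set (which a hand-edited list easily acquires), collapses adjacent blocks so that 195.122.152.0/24 and 195.122.153.0/24 become 195.122.152.0/23, and prints the equivalent /ip firewall address-list commands. The list name RapidShare is the page's; the function names are the example's own.

```python
import ipaddress

# The 36 /24 entries from the RapidShare address list above (as published, 2008-12-03).
RAPIDSHARE_24S = """
62.140.31.0/24 62.153.244.0/24 62.67.46.0/24 62.67.50.0/24 62.67.57.0/24
64.211.146.0/24 64.214.225.0/24 64.215.245.0/24 80.152.62.0/24 80.231.128.0/24
80.231.24.0/24 80.231.41.0/24 80.231.56.0/24 80.239.137.0/24 80.239.151.0/24
80.239.152.0/24 80.239.159.0/24 80.239.226.0/24 80.239.236.0/24 80.239.239.0/24
82.129.33.0/24 82.129.35.0/24 82.129.36.0/24 82.129.39.0/24 195.122.131.0/24
195.122.149.0/24 195.122.151.0/24 195.122.152.0/24 195.122.153.0/24 195.219.1.0/24
206.57.14.0/24 207.138.168.0/24 208.48.186.0/24 212.162.2.0/24 212.162.63.0/24
217.243.210.0/24
""".split()


def invalid_entries(prefixes):
    """Entries that are not clean network prefixes (host bits set, or unparsable)."""
    bad = []
    for p in prefixes:
        try:
            ipaddress.ip_network(p, strict=True)
        except ValueError:
            bad.append(p)
    return bad


def collapse_prefixes(prefixes):
    """Merge adjacent and overlapping prefixes into the smallest equivalent set.

    strict=True raises ValueError on an entry such as 10.0.0.1/24, so a bad
    line stops the run instead of silently widening the match.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def addresses_covered(prefixes):
    """Number of IPv4 addresses matched by the list; proves the collapse lost nothing."""
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes)


def routeros_address_list(prefixes, list_name="RapidShare"):
    """Render the collapsed list as /ip firewall address-list commands."""
    lines = ["/ip firewall address-list"]
    lines += [f"add address={p} list={list_name}" for p in collapse_prefixes(prefixes)]
    return "\n".join(lines)


if __name__ == "__main__":
    assert not invalid_entries(RAPIDSHARE_24S)
    print(routeros_address_list(RAPIDSHARE_24S))
```

Fewer entries means fewer address-list lookups per packet, and the before/after address count check is the guard that the aggregation only merged exact siblings rather than rounding a block up.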


Now mark all connections whose source is in the address list, and the packets belonging to them:

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Entire Traffic" \
    disabled=no new-connection-mark="Entire Traffic" passthrough=yes
add action=mark-connection chain=prerouting comment="RapidShare Connections" \
    connection-mark="Entire Traffic" disabled=no \
    new-connection-mark="RapidShare Connections" passthrough=yes \
    src-address-list=RapidShare
add action=mark-packet chain=prerouting comment="RapidShare Traffic" \
    connection-mark="RapidShare Connections" disabled=no \
    new-packet-mark="RapidShare Traffic" passthrough=no

This is the interesting part: limit them (in this case to 1M).

/queue simple
add comment="RapidShare" direction=both disabled=no dst-address=0.0.0.0/0 \
    interface=all limit-at=1000000/1000000 max-limit=1000000/1000000 \
    name="RapidShare" packet-marks="RapidShare Traffic" parent=none priority=8 \
    queue=default-small/default-small total-queue=default-small

Note that this is one shared queue: all RapidShare traffic of all customers together gets 1M, not 1M per customer. If you want each client to get an equal share of that 1M, use a PCQ queue type (classified by dst-address for downloads) instead of default-small.


Limit Different Bandwidth In Day and Night in Mikrotik

July 30th, 2009 | Author: admin

There are many ways to limit bandwidth differently by day and by night, but personally I found this the easiest. Here it is.

I have used simple queues, a script and the scheduler.

Suppose we have one network, 192.168.1.0/24, and want different bandwidth limits for day and night.

Network: 192.168.1.0/24
Bandwidth 06:00 - 18:00: 1 Mbps
Bandwidth 18:00 - 06:00: 2 Mbps

Create two simple queues for the same network with different Bandwidth Limit.

/queue simple
add name="Day" target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 \
    interface=<ether-x> parent=none direction=both priority=8 \
    queue=default-small/default-small limit-at=512k/512k max-limit=1M/1M \
    total-queue=default-small
add name="Night" target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 \
    interface=<ether-x> parent=none direction=both priority=8 \
    queue=default-small/default-small limit-at=1M/1M max-limit=2M/2M \
    total-queue=default-small disabled=yes

The Night queue is added disabled so that only one of the two queues is active at any time; with both enabled, the first matching queue would win and the limit would never change.

Now, write scripts

/system script
add name="Day" source="/queue simple enable Day; /queue simple disable Night"
add name="Night" source="/queue simple enable Night; /queue simple disable Day"

Finally, Schedule it

/system scheduler
add name="Day" on-event=Day start-date=oct/13/2007 start-time=06:00:00 interval=1d
add name="Night" on-event=Night start-date=oct/13/2007 start-time=18:00:00 interval=1d


Blocking BitTorrent Connections in Mikrotik

July 30th, 2009 | Author: admin

Blocking this peer-to-peer download software is actually very easy with a single rule:

/ip firewall filter add chain=forward p2p=bit-torrent action=drop

You can then check the traffic. The p2p matcher works on the cleartext protocol signatures, so clients that enable protocol encryption are not recognised and slip past the rule; treat it as best-effort, not as a hard block. Instead of dropping, the same matcher can be used in a simple queue to throttle all P2P traffic, as on this box:

[admin@Cendekia] /queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
 0 name="P2P" dst-address=0.0.0.0/0 interface=ether4 parent=none direction=both
   priority=8 queue=wireless-default/wireless-default limit-at=1000000/64000
   max-limit=1000000/64000 total-queue=default-small
   time=0s-1d,sun,mon,tue,wed,thu,fri,sat p2p=all-p2p


Caching YouTube via Mikrotik

July 30th, 2009 | Author: admin

To keep YouTube video streams in the Mikrotik web proxy cache.

Command:

/ip web-proxy access
add url="http*youtube*get_video*" action=allow comment="youtube" disabled=no

This only works while the video is fetched over plain HTTP through the transparent proxy; YouTube has since moved to HTTPS, which a transparent HTTP proxy can neither inspect nor cache.


Source: Mikrotik forum


The Little Guide to MT Hotspot

July 30th, 2009 | Author: admin

This little guide takes you through a step-by-step approach to setting up a simple hotspot using the excellent MikroTik RouterOS software. Some detail and explanation is left out to keep things clear. The guide assumes that you have installed RouterOS v2.9.27 or later.

Code:
[admin@MikroTik] > system reset

(The system restores itself to a clean install state and reboots)

Let's see what interfaces we have on the computer:

Code:
[admin@MikroTik] > /interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME    TYPE   MTU
 0 X  ether1  ether  1500
 1 X  ether2  ether  1500

(You can see that there are two Ethernet ports on this computer, both disabled.) So let's enable them both:

Code:
[admin@MikroTik] interface> set 0,1 disabled=no
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME    TYPE   MTU
 0 R  ether1  ether  1500
 1 R  ether2  ether  1500

Let’s give the Ethernet ports names, as it’s getting complicated already:

Code:
[admin@MikroTik] interface> set 0 name="hotspot"
[admin@MikroTik] interface> set 1 name="internet"
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME      TYPE   MTU
 0 R  hotspot   ether  1500
 1 R  internet  ether  1500

We can now refer to the interfaces by name, which is also easier to remember. Next, set the address of the Ethernet card on the internet side. In this example the MikroTik box is 192.168.1.2, the gateway (the broadband router) is 192.168.1.1, and the DNS servers are the ones given to you by your ISP; here we use Plusnet's 212.159.13.50 and 212.159.11.50.

Code:
[admin@MikroTik] > /ip
[admin@MikroTik] ip> address add address=192.168.1.2/24 interface=internet
[admin@MikroTik] ip> route add gateway=192.168.1.1
[admin@MikroTik] ip> dns
[admin@MikroTik] ip dns> set primary-dns=212.159.13.50
[admin@MikroTik] ip dns> set secondary-dns=212.159.11.50

To speed things up a little, you can have the MikroTik box cache DNS requests locally:

Code:
[admin@MikroTik] ip dns> set allow-remote-requests=yes
[admin@MikroTik] ip dns> ..

With allow-remote-requests=yes the router answers DNS queries arriving on any interface, including "internet". Unless a firewall filter rule drops TCP and UDP port 53 on the "internet" interface (or the box sits behind a NAT router that does not forward it), it becomes an open resolver that can be abused for DNS amplification.

Now set up the hotspot side:

Code:
[admin@MikroTik] ip> hotspot
[admin@MikroTik] ip hotspot> setup
Select interface on which to run HotSpot
Hotspot interface: hotspot
Enable universal client configuration?
Enable universal client: yes

This feature allows client computers to connect even if they already have completely different network settings configured on them.

Code:
Local address of hotspot network gateway: 10.5.50.1/24
Masquerade hotspot network: yes
Address pool of hotspot network will be: 10.5.50.2-10.5.50.254
ip address of smtp server: 192.168.1.3

(Enter the IP address of your ISP's SMTP server here, or that of your local one; the HotSpot redirects the clients' outgoing SMTP (port 25) to it. If you don't have one, just give it an address on the "internet" side of the MikroTik box.)

Code:
Use local DNS cache?
use local DNS cache: yes
Setup DNS Configuration
dns servers: 192.168.1.2

We enter here the IP address of the MikroTik box on the "internet" side, because we have already set up a DNS cache earlier.


Code:
Name of hotspot user: admin
Password for the user: admin

(This is the HotSpot administrator username and password. Keep the details safe, and do not leave the password at "admin": the login page is exposed to every client on the hotspot interface, so set a strong password before the hotspot goes live.)

Code:
Select another port for (www) service
Another port for service: 8081

The port you specify here is where the router's own www service (the page from which Winbox is downloaded) moves to, so that the HotSpot can take port 80 for its login page.

Code:
Use transparent web proxy for hotspot clients?
Use transparent web proxy: yes

And that's about it. Connect to your MikroTik box from the internet side at http://192.168.1.2:8081, or from the hotspot side (use your admin password). Download Winbox from that page and go to the Hotspot section to manage users. And there you have it: your Hotspot.

Taken From Mikrotik Forum


Mikrotik and Squid Proxy

July 30th, 2009 | Author: admin

Alpha version. o Network installation for an internet café (warnet) with Mikrotik and a proxy o.

–[0]– Intro

Installing Mikrotik as bandwidth manager together with a Squid proxy server. Usable for internet cafés, university laboratories or schools.

–[1]– Preparation

The experiment was done with PCs of the following specification:

o Proxy machine, running CentOS 4.4
  - Pentium 4 CPU, 2.4 GHz
  - 512 MB RAM
  - 40 GB hard disk
  - one D-Link LAN card

o Mikrotik machine
  - Pentium III CPU, 1.3 GHz
  - 256 MB RAM
  - 40 GB hard disk
  - 2 D-Link LAN cards + 1 Prolink

Adjust the machines to what you have available.

(a) Network scheme/topology

Assumptions:

The internet connection is xDSL through a modem, either over Telkom's infrastructure or another provider's. A connection through a wireless provider can be adapted accordingly.

[Network diagram: telephone line -> splitter -> (1) xDSL modem -> (2) Mikrotik box; interface a faces the modem, interface b feeds (3) the switch with clients 1..n, interface c links to (4) the proxy server box on its interface d]

Legend

(1) = xDSL modem (IP address: 192.168.1.1/24)
(2) = Mikrotik box with 3 Ethernet cards: a (public), b (local) and c (proxy)
(3) = Switch, for the connection to the clients. Assume 20 clients.
      IP address range  : 192.168.0.0/27
      Client allocation : 192.168.0.1-192.168.0.29 (192.168.0.30 is the Mikrotik's own local address, so it cannot be given to a client)
      Network ID        : 192.168.0.0/27
      Broadcast         : 192.168.0.31
(4) = Proxy server box

(b) IP address allocation

[*] Mikrotik box

a = Ethernet card 1 (public) -> IP address: 192.168.1.2/24
b = Ethernet card 2 (local)  -> IP address: 192.168.0.30/27
c = Ethernet card 3 (proxy)  -> IP address: 192.168.2.1/30

Gateway: 192.168.1.1 (to the modem)

[*] Clients
Client 1 - Client n, IP address: 192.168.0.n, n = 1..29 (.30 is the gateway)

Example: Client 6
IP address: 192.168.0.6/27
Gateway   : 192.168.0.30 (to the Mikrotik box)

[*] Linux for the proxy

d = Ethernet card 4 (Linux) -> IP address: 192.168.2.2/30
Gateway: 192.168.2.1 (to Ethernet card 3 on the Mikrotik)

NOTE:
- The number after the IP address (/27) is the prefix length and is equivalent to the netmask; /27 equals 255.255.255.224.

The subnet masks for a class C block of local addresses are:

Netmask          Prefix  Addresses  Usable hosts
255.255.255.0    /24     256        254
255.255.255.128  /25     128        126
255.255.255.192  /26     64         62
255.255.255.224  /27     32         30
255.255.255.240  /28     16         14
255.255.255.248  /29     8          6
255.255.255.252  /30     4          2
255.255.255.254  /31     2          0 (2 on point-to-point links, RFC 3021)
255.255.255.255  /32     1          1 (a single host)

!! Two addresses in each block cannot be given to machines: one is the network ID and one is the broadcast address.
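To check a plan like the one above mechanically (the client range must not include the Mikrotik's own address, the network address or the broadcast address, and the block must actually hold the clients), here is an added example in Python; it is not part of the original tutorial. The subnet, gateway and client ranges are the ones from the scheme, the function names are the example's own.

```python
import ipaddress


def usable_hosts(prefix: str) -> int:
    """Usable host addresses in a block: total minus network and broadcast.

    /32 is a single host; /31 has no usable hosts under the classic rule
    (RFC 3021 allows both addresses on point-to-point links).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 32:
        return 1
    return max(net.num_addresses - 2, 0)


def netmask_table(first=24, last=32):
    """Rows (prefix, netmask, addresses, usable hosts), i.e. the class C table above."""
    rows = []
    for plen in range(first, last + 1):
        net = ipaddress.ip_network(f"192.168.0.0/{plen}")
        rows.append((f"/{plen}", str(net.netmask), net.num_addresses, usable_hosts(str(net))))
    return rows


def check_allocation(subnet: str, gateway: str, first_client: str, last_client: str):
    """Return a list of problems with an address plan; an empty list means it is consistent."""
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    lo, hi = ipaddress.ip_address(first_client), ipaddress.ip_address(last_client)
    reserved = {net.network_address: "network address",
                net.broadcast_address: "broadcast address"}
    problems = []
    if gw not in net or gw in reserved:
        problems.append(f"gateway {gw} is not a usable host in {net}")
    if lo > hi:
        problems.append(f"client range {lo}-{hi} is reversed")
    if lo not in net or hi not in net:
        problems.append(f"client range {lo}-{hi} is not inside {net}")
    if lo <= gw <= hi:
        problems.append(f"gateway {gw} lies inside the client range {lo}-{hi}")
    for addr, what in reserved.items():
        if lo <= addr <= hi:
            problems.append(f"{addr} ({what}) lies inside the client range {lo}-{hi}")
    return problems


def clients_that_fit(subnet: str) -> int:
    """Clients a block can hold once one usable address is taken by the gateway."""
    return usable_hosts(subnet) - 1


if __name__ == "__main__":
    for row in netmask_table():
        print("%-4s %-16s %4d %4d" % row)
    # The scheme's original wording gave clients .1-.30 while the router itself is .30:
    print(check_allocation("192.168.0.0/27", "192.168.0.30", "192.168.0.1", "192.168.0.30"))
    print(check_allocation("192.168.0.0/27", "192.168.0.30", "192.168.0.1", "192.168.0.29"))
    print(check_allocation("192.168.2.0/30", "192.168.2.1", "192.168.2.2", "192.168.2.2"))
```

The same function also validates the /30 proxy link, where only two usable addresses exist and any typo puts one end on the network or broadcast address.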

- The UTP cable between (2) the Mikrotik box and (4) the Linux box is a crossover cable.

–[2]– Basic Configuration


As shown in the network scheme above, two operating systems need to be prepared: Mikrotik RouterOS version 2.9.27 level 6 for the router, and GNU/Linux, CentOS 4.4, for the proxy machine.

Information about Mikrotik is available on the official website at http://www.mikrotik.com, and at http://www.mikrotik.co.id for Indonesia.

Prepare the ISO first; if you do not have one yet, a sample ISO can be downloaded HERE.

Likewise for CentOS: download the ISO first from http://mirror.nsc.liu.se/CentOS/4.4/isos/i386/. This is CentOS version 4.4.

Adjust the operating systems if you want to use different ones from this experiment, for example MT version 2.8.x or later for Mikrotik; likewise for Linux, pick whichever distribution you prefer. Conceptually the configuration is the same.

Now assume both machines are installed and ready to run. For the Mikrotik installation method see HERE and also HERE. For CentOS, if you want a dedicated partition for /cache/, go ahead; in this experiment a dedicated partition was used.

Basic configuration.

(a) Mikrotik

- Install the SYSTEM, SECURITY and (optionally) DHCP packages.

- Set the IP addresses according to the scheme. Since the box has 3 LAN cards, set an IP address on each of them. Name the interfaces after the scheme above, which gives three interfaces:
  1. interface public
  2. interface local
  3. interface proxy

# Interface
-------------------------------------------------------------------------------
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME    TYPE   RX-RATE  TX-RATE  MTU
 0 R  public  ether  0        0        1500
 1 R  proxy   ether  0        0        1500
 2 R  local   ether  0        0        1500
[admin@MikroTik] interface>
-------------------------------------------------------------------------------

Of course the interface names need not match those above; that is up to the reader. What matters is that the three interfaces are in different IP subnets, as in the scheme.


# IP Address
-------------------------------------------------------------------------------
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS           NETWORK      BROADCAST      INTERFACE
 0   192.168.1.2/24    192.168.1.0  192.168.1.255  public
 1   192.168.0.30/27   192.168.0.0  192.168.0.31   local
 2   192.168.2.1/30    192.168.2.0  192.168.2.3    proxy
[admin@MikroTik] >
-------------------------------------------------------------------------------

- Set the IP gateway (default route). For the Mikrotik the gateway is the modem, 192.168.1.1.

# IP Gateway
-------------------------------------------------------------------------------
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static,
       r - rip, b - bgp, o - ospf
 #     DST-ADDRESS       PREFSRC        G GATEWAY       DISTANCE  INTERFACE
 0 ADC 192.168.2.0/30    192.168.2.1                              proxy
 1 ADC 192.168.0.0/27    192.168.0.30                             local
 2 ADC 192.168.1.0/24    192.168.1.2                              public
 3 A S 0.0.0.0/0                        r 192.168.1.1             public
[admin@MikroTik] >
-------------------------------------------------------------------------------

- Set DNS

# IP DNS
-------------------------------------------------------------------------------
[admin@MikroTik] > ip dns print
          primary-dns: 203.130.193.74
        secondary-dns: 202.134.0.155
allow-remote-requests: yes
           cache-size: 10240KiB
        cache-max-ttl: 1w
           cache-used: 271KiB
[admin@MikroTik] >
-------------------------------------------------------------------------------

allow-remote-requests=yes makes the router answer DNS queries on every interface, including public; add a filter rule that drops TCP and UDP port 53 arriving on the public interface, or the box is an open resolver reachable from the modem side.

- Add the masquerade rule in /ip firewall nat, plus the redirects to the web proxy.

# NAT firewall rules, redirect to web proxy
-------------------------------------------------------------------------------
[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=srcnat out-interface=public action=masquerade
 1 chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=80 action=redirect to-ports=8080
 2 chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=8000 action=redirect to-ports=3128
 3 chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=3128 action=redirect to-ports=8080
-------------------------------------------------------------------------------

Note that action=redirect always delivers the packet to the router itself: rule 1 hands the clients' HTTP to a web proxy listening on the Mikrotik's own port 8080, not to the Squid box. To send clients straight to Squid on the Linux machine, use action=dst-nat to-addresses=192.168.2.2 to-ports=8080 instead, and make sure the Squid box routes its replies back through the Mikrotik.

# Bandwidth management with PCQ

### Mark traffic that goes via the proxy and traffic that goes direct

/ip firewall mangle
add chain=prerouting src-address=192.168.0.0/27 action=mark-packet \
    new-packet-mark=test-up passthrough=no comment="UP TRAFFIC" disabled=no
add chain=forward src-address=192.168.0.0/27 action=mark-connection \
    new-connection-mark=test-conn passthrough=yes comment="CONN-MARK" disabled=no
add chain=forward in-interface=public connection-mark=test-conn \
    action=mark-packet new-packet-mark=test-down passthrough=no \
    comment="DOWN-DIRECT CONNECTION" disabled=no
add chain=output out-interface=local dst-address=192.168.0.0/27 \
    action=mark-packet new-packet-mark=test-down passthrough=no \
    comment="DOWN-VIA PROXY" disabled=no

(192.168.0.0/27 is the local subnet from the scheme; adjust it to your own. Interface names are case-sensitive, so in-interface and out-interface must match the names shown by /interface print exactly.)

##### Set the PCQ queue types

/queue type
add name="pcq-download" kind=pcq pcq-rate=0 pcq-limit=50 \
    pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq-upload" kind=pcq pcq-rate=0 pcq-limit=50 \
    pcq-classifier=src-address pcq-total-limit=2000

####### The queue tree, as simple as it gets

/queue tree
add name="downstream" parent=local packet-mark=test-down limit-at=0 \
    queue=pcq-download priority=8 max-limit=0 burst-limit=0 burst-threshold=0 \
    burst-time=0s disabled=no
add name="upstream" parent=global-in packet-mark=test-up limit-at=0 \
    queue=pcq-upload priority=8 max-limit=0 burst-limit=0 burst-threshold=0 \
    burst-time=0s disabled=no

# squid.conf configuration

#============================================================
# rotor - www.somethink.org
# SQUID PROXY CACHE
# alpha version
#============================================================

http_port 8080 transparent
icp_port 3130
icp_query_timeout 0
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds

#============================================================
hierarchy_stoplist cgi-bin ? .js .jsp localhost visicom indosat.net.id
acl QUERY urlpath_regex cgi-bin ? .js .jsp localhost visicom indosat.net.id
no_cache deny QUERY
#============================================================

#============================================================
# OPTIONS WHICH AFFECT THE CACHE SIZE
#============================================================
cache_mem 8 MB
maximum_object_size 128 MB
maximum_object_size_in_memory 32 KB
cache_swap_low 98%
cache_swap_high 99%
store_dir_select_algorithm round-robin
ipcache_size 2048
ipcache_low 98
ipcache_high 99
fqdncache_size 2048
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

#============================================================
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#============================================================
cache_dir aufs /cache/squid 4500 18 256

cache_access_log /var/log/squid/access.log
cache_log none
cache_store_log none

mime_table /etc/mime.conf
pid_filename /var/run/squid.pid
log_fqdn off
log_mime_hdrs off
log_ip_on_direct off
logfile_rotate 7
debug_options ALL,1
buffered_logs off
emulate_httpd_log off

#============================================================
# FTP section
#============================================================
ftp_user anonymous@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on

#============================================================
# DNS resolution section
#============================================================
cache_dns_program /squid/libexec/dnsserver
dns_children 24
dns_nameservers 127.0.0.1 XXX.XXX.XXX.XXX

#============================================================
# Refresh Rate
#============================================================
refresh_pattern -i .(swf|png|jpg|jpeg|bmp|tiff|png|gif) 43200 90% 129600 override-expire
refresh_pattern -i (.*html$|.*htm|.*shtml|.*aspx|.*asp) 0 90% 1440
refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
negative_ttl 3 minutes
positive_dns_ttl 53 seconds
negative_dns_ttl 29 seconds
forward_timeout 4 minutes
connect_timeout 2 minutes
peer_connect_timeout 1 minutes
pconn_timeout 120 seconds
shutdown_lifetime 10 seconds
read_timeout 15 minutes
request_timeout 5 minutes
persistent_request_timeout 1 minute
client_lifetime 60 minutes
half_closed_clients off

#============================================================
# ACL section
#============================================================
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl skynet src xxx.xxx.xxx.xxx/xx
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563      # https, snews
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
#acl badip url_regex -i "/squid/ip-deny"
#acl badurl url_regex -i "/squid/bad-url"
acl warnet src xxx.xxx.xxx.xxx/xx
acl virus dst 204.177.92.204/32 64.191.99.145/32
acl gator dstdom_regex gator hot_indonesia.exe
acl exploit urlpath_regex winnt/system32/cmd.exe?
acl exploit urlpath_regex splashPages/black.sps?

acl BADPORTS port 7 9 11 19 22 23 25 110 119 513 514

http_access deny virus
http_access deny gator
http_access deny exploit
http_access deny BADPORTS
http_access deny badip
http_access deny badurl
http_access allow manager
http_access allow localhost
http_access allow skynet
http_access allow warnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access allow all
always_direct allow localhost warnet
always_direct deny all

Two things to check before starting Squid with this file. First, badip and badurl are referenced by http_access rules, but their acl lines are commented out; Squid treats a reference to an undefined ACL as a fatal configuration error, so either uncomment the two acl lines (and create the files) or delete the two deny rules. Second, allow skynet and allow warnet come before deny !Safe_ports and deny CONNECT !SSL_ports, so clients matched by those ACLs may reach any port, and CONNECT to any port, except the few listed in BADPORTS; Squid's stock configuration puts the two port checks before any local-network allow, and that order is the safer one.
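A small linter catches both of those mistakes before Squid refuses to start or, worse, starts with a rule that never fires. The following is an added example, not part of the original configuration: it parses a constructed squid.conf fragment shaped like the ACL section above (192.168.0.0/27 standing in for the page's xxx.xxx.xxx.xxx/xx placeholder), ignores commented-out acl lines exactly as Squid does, and reports undefined ACL references, rules shadowed by an unconditional allow/deny all, and allow rules evaluated before the Safe_ports/SSL_ports checks. Function names and the sample are the example's own.

```python
import re

# Constructed squid.conf fragment in the shape of the ACL section above. The acl lines
# for badip/badurl are commented out as on the page, but http_access still refers to them.
SAMPLE_SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
#acl badip url_regex -i "/squid/ip-deny"
#acl badurl url_regex -i "/squid/bad-url"
acl warnet src 192.168.0.0/27
acl BADPORTS port 7 9 11 19 22 23 25 110 119 513 514
http_access deny BADPORTS
http_access deny badip
http_access deny badurl
http_access allow manager localhost
http_access allow warnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+(\S+)")
ACCESS_RE = re.compile(r"^\s*http_access\s+(allow|deny)\s+(.+)$")


def _active_lines(conf):
    """Yield (line number, text) with comments removed; a commented-out acl vanishes here."""
    for n, raw in enumerate(conf.splitlines(), 1):
        text = raw.split("#", 1)[0].strip()
        if text:
            yield n, text


def parse_acls(conf):
    """ACL name -> ACL type, for every acl line that is actually in effect."""
    acls = {}
    for _, text in _active_lines(conf):
        m = ACL_RE.match(text)
        if m:
            acls.setdefault(m.group(1), m.group(2))
    return acls


def parse_http_access(conf):
    """(line number, action, [acl tokens]) per http_access rule; '!' is kept on the token."""
    rules = []
    for n, text in _active_lines(conf):
        m = ACCESS_RE.match(text)
        if m:
            rules.append((n, m.group(1), m.group(2).split()))
    return rules


def undefined_acl_refs(conf):
    """References to ACLs that are never defined: Squid aborts at startup on these."""
    defined = parse_acls(conf)
    return [(n, tok.lstrip("!")) for n, _, toks in parse_http_access(conf)
            for tok in toks if tok.lstrip("!") not in defined]


def shadowed_rules(conf):
    """Line numbers of rules after an unconditional 'allow all'/'deny all'; they never match."""
    rules = parse_http_access(conf)
    for i, (_, _, toks) in enumerate(rules):
        if toks == ["all"]:
            return [n for n, _, _ in rules[i + 1:]]
    return []


def allows_before_port_checks(conf):
    """Allow rules evaluated before 'deny !Safe_ports' / 'deny CONNECT !SSL_ports'.

    Clients matched by them reach any port (and CONNECT anywhere) unless an explicit
    deny such as BADPORTS precedes them; Squid's stock config puts the port checks first.
    """
    rules = parse_http_access(conf)
    guards = [i for i, (_, act, toks) in enumerate(rules)
              if act == "deny" and ("!Safe_ports" in toks or "!SSL_ports" in toks)]
    cutoff = min(guards) if guards else len(rules)
    return [n for n, act, _ in rules[:cutoff] if act == "allow"]


if __name__ == "__main__":
    print("undefined:", undefined_acl_refs(SAMPLE_SQUID_CONF))
    print("shadowed:", shadowed_rules(SAMPLE_SQUID_CONF))
    print("allows before port checks:", allows_before_port_checks(SAMPLE_SQUID_CONF))
```

On the sample it flags lines 12 and 13 (badip, badurl) as undefined and lines 14 and 15 (the manager/localhost and warnet allows) as sitting before the port checks; allow manager is fine there, the warnet one is the order to fix.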

#============================================================
# Administrative parameters
#============================================================
cache_mgr [email protected]
cache_effective_user squid
cache_effective_group _squid
visible_hostname proxyiblis.somethink.org
unique_hostname [email protected]

#============================================================
# Transparent proxy setting
#============================================================
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_no_pmtu_disc on
httpd_accel_single_host off
half_closed_clients off
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Via deny all
header_access X-Forwarded-For deny all
header_access Accept-Encoding deny all
header_access User-Agent deny all
header_replace User-Agent Mozilla/5.0 (compatible; MSIE 6.0)
header_access Accept deny all
header_replace Accept */*
header_access Accept-Language deny all
header_replace Accept-Language id, en

The httpd_accel_* directives are Squid 2.5 syntax; from Squid 2.6 on, the transparent option on http_port (already set at the top of this file) replaces them and Squid rejects the httpd_accel_* lines, so keep whichever form matches your version. The header_access block does more than hide the clients: stripping Accept-Encoding disables compressed responses for every client, and stripping WWW-Authenticate can break sites that use HTTP authentication through the proxy.

#============================================================
# ACCELERATOR
#============================================================
memory_pools off
forwarded_for off
log_icp_queries off
icp_hit_stale on
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 9900
netdb_high 10000
netdb_ping_period 30 seconds
query_icmp off
pipeline_prefetch on
reload_into_ims on
vary_ignore_expire on
max_open_disk_fds 100
nonhierarchical_direct on
prefer_direct off

#============================================================
# MISCELLANEOUS
#============================================================
logfile_rotate 3
store_dir_select_algorithm round-robin
shutdown_lifetime 10 seconds
cachemgr_passwd disable shutdown
cachemgr_passwd all
buffered_logs off
offline_mode off

coredump_dir /squid
ignore_unknown_nameservers on
acl hotmail dstdomain .hotmail.com .msn.com .passport.net .msn.co.id .passport.com
header_access Accept-Encoding deny hotmail

#============================================================
# DELAY POOLS
#============================================================
acl download url_regex -i ftp .exe .mp3 .vqf .tar.gz .wmv .tar.bz .tar.bz2 .gz .rpm .zip
acl download url_regex -i .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .tar .doc
acl download url_regex -i .ppt .z .wmf .mov .arj .lzh .gzip .bin .wma

delay_pools 2
delay_class 1 2
delay_parameters 1 8000/8000 6000/8000
delay_access 1 allow download
delay_access 1 deny all

delay_class 2 2
delay_parameters 2 25000/25000 10000/16000   # 200kb/200kb 80Kb/128Kb
delay_access 2 allow user
delay_access 2 deny all

# Fill in as needed. The "user" ACL used by pool 2 is not defined anywhere above; add an acl line for it, or Squid refuses to start.

#============================================================
# DOWNLOAD LIMIT
#============================================================
#reply_body_max_size 3072000 deny !client   > replace the value with the one you want

#============================================================
# SNMP
#============================================================
acl snmpcommunity snmp_community public
snmp_port 3401
snmp_access allow snmpcommunity localhost
snmp_access deny all

–[3]– Evaluation

–[4]– Troubleshooting

- If the public and proxy interfaces end up in overlapping subnets (the same mask on both sides of the box), a ping from the Mikrotik to the Linux machine gets no reply.

–[5]– References
http://primadonal.wordpress.com/category/mikrotik/page/10/


Mikrotik Web Proxy Cleaning Scheduler

July 30th, 2009 | Author: admin

------ SCRIPT ----------

/system script
add name="Proxy-off" policy=ftp,reboot,read,write,policy,test,winbox,password \
    source="/ip firewall nat set \[/ip firewall nat find comment=\"Proxy\"\] disabled=yes\n/ip web-proxy set enabled=no"
add name="Proxy-limpacache" policy=ftp,reboot,read,write,policy,test,winbox,password \
    source="/ip web-proxy clear-cache"
add name="Proxy-on" policy=ftp,reboot,read,write,policy,test,winbox,password \
    source="/ip web-proxy set enabled=yes\n/ip firewall nat set \[/ip firewall nat find comment=\"Proxy\"\] disabled=no"

/system scheduler
add name="control-proxy-off" on-event=Proxy-off start-date=may/30/2007 \
    start-time=04:30:00 interval=1w comment="" disabled=no
add name="control-proxy-limpacache" on-event=Proxy-limpacache start-date=may/30/2007 \
    start-time=04:31:00 interval=1w comment="" disabled=no
add name="control-proxy-on" on-event=Proxy-on start-date=may/30/2007 \
    start-time=04:40:00 interval=1w comment="" disabled=no

Copy and paste this into the Mikrotik terminal. Requirement: the web-proxy system package is installed on the Mikrotik and the proxy is running. (The property that switches a NAT rule off is disabled=yes; a script that writes disable=yes fails with an unknown-parameter error.)

The script above schedules a cleaning of the web-proxy cache every seven days. It finds the NAT rule by its comment, so the redirect rule in /ip firewall nat must carry the comment Proxy; the match is case-sensitive. Customise it as needed. It is a good idea to test the scripts first from the script list in Winbox (Run Script) to see whether they are written correctly. Note also that the scripts are granted every policy (ftp, reboot, policy, password, ...); since they only touch one NAT rule and the web proxy, read, write and test are enough, and trimming the policy list limits the damage a mistaken or tampered script can do.

The flow of the script is roughly:

1. Search the ip firewall nat rules for the keyword "Proxy". If found, disable the redirect to the proxy port.
2. Once the web-proxy service is off, clear the cache.
3. After the interval allowed for clearing the cache, re-enable the redirect to the proxy port in ip firewall nat.

Have fun trying it,

Different bandwidth in day and night for several categories of users

Introduction

Maybe you have many users, institutions and the like that use the internet during the day. And maybe you have "power users" who have two jobs, come home at 19:00 and want to do it all at once: read mail, chat, download with p2p programs, etc.

Let's say you have corporate users / institutions / government: people who arrive at 07:00 and leave the office by 18:00 at the latest. You reserve them 1 Mbit/s all the time. Most of your home users use maximum bandwidth after 15:00 and just after midnight. You decide to let them use all the bandwidth you can afford once the "big" clients (institutions and the like, which pay big money for quality service) go offline.

So, you decide you may “lend” some of the bandwidth of the users that are not working, while they are not…

How?

You can of course add two queues for each limit you want to set, but you can also use a single queue and modify its limits from a script.

That is the way we will do it. It might just be simpler. Why? You keep the limits for the different types of users in a single place (the script). Also you can graph a single queue, which may be more acceptable for you and for some users if you allow them to view their traffic graphs.

Premises:

You are using simple queues to limit the traffic.

(This can easily be adapted to a queue tree by modifying the limits in the queue tree, but that is another story; work it out yourself.)

You have 3 types of users:

- 256k/256k at day, 1M/1M at night

- 512k/512k at day, 2M/2M at night

- 1M/1M at day, 4M/4M at night

You limit your users with individual simple queues, and the distinction among categories is made by the comment.

(I put this on the queue name as well to make it easier to see. It seems to me that Winbox does not display comments on simple queues in v3.6, at least on the RB I am working with right now :(, but the console uses them correctly and the scripts work fine.)

How do we do it?

- Create the simple queues with the established limits and a distinctive queue comment for each category of users (e.g. "Vasile_CAT1", "Vasile2_CAT2", etc. as queue names, with CAT1, CAT2 as the category identifiers placed in the comment).

- Establish limits for each category (CAT1, CAT2, etc.); these are what the two scripts that handle everything modify.

- Run the scripts from the scheduler every 24 hours to modify the day/night limits for each category of users. The "day" script runs at 06:00 and its limits last until 18:00, when the "night" script runs and applies the night modifications.

Setup NTP Client

OK. Now, for this to work, first of all sync your clock, or you might get strange results and complaints if your clock is out of sync :)

/system ntp client
set enabled=yes mode=unicast primary-ntp=213.239.154.12 secondary-ntp=213.249.66.35

(You can set primary-ntp and secondary-ntp to whatever 0.europe.pool.ntp.org and 1.europe.pool.ntp.org resolve to; replace "europe" with your continent for better response times and proximity. See ntp.org for further information. Pool members change over time, so re-check the addresses now and then: a scheduler running on a wrong clock silently applies the wrong limits.)

Setup the queues

(I set up 4 for this example only; you can set up as many as you like, it does not matter.)

/queue simple
add comment="CAT1" direction=both disabled=no dst-address=192.168.4.15/32 \
    max-limit=256000/256000 name="George_CAT1" parent=none priority=8 \
    queue=default-small/default-small
add comment="CAT1" direction=both disabled=no dst-address=192.168.4.16/32 \
    max-limit=256000/256000 name="Robinson_CAT1" parent=none priority=8 \
    queue=default-small/default-small
add comment="CAT2" direction=both disabled=no dst-address=192.168.4.17/32 \
    max-limit=512000/512000 name="Crusoe_CAT2" parent=none priority=8 \
    queue=default-small/default-small
add comment="CAT3" direction=both disabled=no dst-address=192.168.4.18/32 \
    max-limit=1024000/1024000 name="Momma_CAT3" parent=none priority=8 \
    queue=default-small/default-small


Now, these were the queues. Let’s see:

Setup the scripts

For the “day” limits:

/system scheduler
add comment="" disabled=no interval=1d name="Day" \
    on-event="/queue simple\r\nset [find comment=CAT1] max-limit=256000/256000\r\nset [find comment=CAT2] max-limit=512000/512000\r\nset [find comment=CAT3] max-limit=1024000/1024000\r\n" \
    start-date=jan/01/1970 start-time=06:00:00

For the “night” limits:

/system scheduler
add comment="" disabled=no interval=1d name="Night" \
    on-event="/queue simple\r\nset [find comment=CAT1] max-limit=1024000/1024000\r\nset [find comment=CAT2] max-limit=2048000/2048000\r\nset [find comment=CAT3] max-limit=4096000/4096000\r\n" \
    start-date=jan/01/1970 start-time=18:00:00

In clear text, the two scripts look (better) like this:

DAY:

/queue simple
set [find comment=CAT1] max-limit=256000/256000
set [find comment=CAT2] max-limit=512000/512000
set [find comment=CAT3] max-limit=1024000/1024000

NIGHT:

/queue simple
set [find comment=CAT1] max-limit=1024000/1024000
set [find comment=CAT2] max-limit=2048000/2048000
set [find comment=CAT3] max-limit=4096000/4096000

Each script is put to run at 1 day interval, “Day” script starts at 06.00, “Night” script starts at 18.00.
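The two scheduler entries only apply limits at the moment they fire. A router that reboots at 20:00, or whose clock jumps after the NTP sync above, keeps whatever limits were last applied until the next entry runs, so the night and day sets can end up swapped for hours. The following added example (Python, not part of the wiki article) keeps the per-category limits in one table, generates the day and night script bodies exactly as shown above, decides which profile applies at a given clock time (the night window wraps midnight), and produces a reconcile script meant to run once at boot from a scheduler entry with start-time=startup. The category names and limit values are the article's; the function names and the reconcile idea are the example's own.

```python
from datetime import time

# Per-category max-limit as (upload, download) in bits per second, the values the
# article's "Day" and "Night" scheduler entries set.
LIMITS = {
    "CAT1": {"day": (256_000, 256_000), "night": (1_024_000, 1_024_000)},
    "CAT2": {"day": (512_000, 512_000), "night": (2_048_000, 2_048_000)},
    "CAT3": {"day": (1_024_000, 1_024_000), "night": (4_096_000, 4_096_000)},
}
DAY_START = time(6, 0)     # the "Day" entry fires at 06:00
NIGHT_START = time(18, 0)  # the "Night" entry fires at 18:00


def profile_for(t: time) -> str:
    """Which entry fired most recently before clock time t; the night window wraps midnight."""
    if DAY_START <= t < NIGHT_START:
        return "day"
    return "night"


def queue_script(profile: str, limits=LIMITS) -> str:
    """The RouterOS script body that applies one profile to every category."""
    lines = ["/queue simple"]
    for cat, windows in limits.items():
        up, down = windows[profile]
        lines.append(f"set [find comment={cat}] max-limit={up}/{down}")
    return "\n".join(lines)


def scheduler_entry(profile: str, limits=LIMITS) -> str:
    """The /system scheduler add command, body escaped with \\r\\n as RouterOS exports it."""
    start = {"day": DAY_START, "night": NIGHT_START}[profile]
    start_s = start.strftime("%H:%M:%S")
    body = queue_script(profile, limits).replace("\n", "\\r\\n") + "\\r\\n"
    return (
        "/system scheduler\n"
        f'add comment="" disabled=no interval=1d name="{profile.capitalize()}" '
        f'on-event="{body}" start-date=jan/01/1970 start-time={start_s}'
    )


def reconcile_script(now: time, limits=LIMITS) -> str:
    """Body for a third entry with start-time=startup: re-applies the profile that
    should be active right now, so a reboot does not leave stale limits in place."""
    return queue_script(profile_for(now), limits)


def check_limits(limits=LIMITS):
    """Categories whose night limit is below the day limit (the night script would
    then lower bandwidth, which is the opposite of the article's intent)."""
    return [cat for cat, w in limits.items() if w["night"] < w["day"]]


if __name__ == "__main__":
    print(scheduler_entry("day"))
    print(scheduler_entry("night"))
    print(reconcile_script(time(20, 30)))
```

The startup entry is the piece the article lacks: RouterOS evaluates its script when the router comes up, and profile_for picks the right set regardless of when that happens.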

Limit Different Bandwidth In Day and Night

Limit Different Bandwidth In Day and Night.

There are lot many ways to limit bandwidth for day and Night, but personally I found this is the easiest way, Here it is.

I have used Simple Queue, Script and Scheduler.

Page 211: Copy of 19763026 Tutorial Mikrotik Komplet

Suppose we have one network 192.168.1.0/24 and want to limit Bandwidth for day and Night Time.

Network 192.168.1.0/24
Bandwidth 06:00 – 18:00: 1Mbps <Max-Limit>
Bandwidth 18:00 – 06:00: 2Mbps <Max-Limit>

Create two simple queues for the same network with different Bandwidth Limit.

/queue simple
add name="Day" target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 interface=<ether-x> \
    parent=none direction=both priority=8 queue=default-small/default-small \
    limit-at=512k/512k max-limit=1M/1M total-queue=default-small
add name="Night" target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 interface=<ether-x> \
    parent=none direction=both priority=8 queue=default-small/default-small \
    limit-at=1M/1M max-limit=2M/2M total-queue=default-small

Now write the two scripts; each enables one queue and disables the other:

/system script
add name="Day" source="/queue simple enable Day; /queue simple disable Night"
add name="Night" source="/queue simple enable Night; /queue simple disable Day"

Finally, schedule them:

/system scheduler
add name="Day" on-event=Day start-date=oct/13/2007 start-time=06:00:00 interval=1d
add name="Night" on-event=Night start-date=oct/13/2007 start-time=18:00:00 interval=1d

source = wiki.mikrotik.com
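Both variants above depend on the scheduler firing at the switch time: a router that was off, or rebooting, at 06:00 or 18:00 simply keeps the limits that were active before, because a missed scheduler event is not caught up. The script below is an added example, not code from the wiki page: it derives the correct limits from the router clock, so the same script can run at startup and at both switch times. It uses the CAT1/CAT2/CAT3 comments and limit values of the first variant; the script and scheduler names (daynight, daynight-boot, daynight-day, daynight-night) are chosen for this example.

```routeros
# Added example (not from the wiki page). Save as /system script "daynight"
# and run it once; it installs its own scheduler entries if they are missing.
:local now [/system clock get time]
# day window is 06:00 <= now < 18:00, the same boundaries as the two scripts above
:local isDay ($now >= 06:00:00 && $now < 18:00:00)
:if ($isDay) do={
    /queue simple set [find comment=CAT1] max-limit=256000/256000
    /queue simple set [find comment=CAT2] max-limit=512000/512000
    /queue simple set [find comment=CAT3] max-limit=1024000/1024000
} else={
    /queue simple set [find comment=CAT1] max-limit=1024000/1024000
    /queue simple set [find comment=CAT2] max-limit=2048000/2048000
    /queue simple set [find comment=CAT3] max-limit=4096000/4096000
}
:log info ("daynight: limits applied, day=" . [:tostr $isDay])
# Install the schedulers once: at boot (start-time=startup) and daily at the
# two switch times. Re-running the script does not duplicate them.
:if ([:len [/system scheduler find name=daynight-boot]] = 0) do={
    /system scheduler add name=daynight-boot start-time=startup \
        on-event="/system script run daynight"
    /system scheduler add name=daynight-day start-time=06:00:00 interval=1d \
        on-event="/system script run daynight"
    /system scheduler add name=daynight-night start-time=18:00:00 interval=1d \
        on-event="/system script run daynight"
}
```

Because the decision is made from the clock every time, the boot run also covers a router whose clock was wrong until NTP corrected it: the next scheduled run re-evaluates the window instead of trusting the previous state.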

Queue Tree with more than two interfaces

Basic Setup

This page explains how to build a QUEUE TREE in RouterOS together with masquerading for more than two interfaces, for sharing an Internet connection among users on each interface. The manual does not describe this possibility.

First, the basic settings. I am using a machine with three or more network interfaces:

[admin@instaler] > in pr
 #    NAME     TYPE    RX-RATE  TX-RATE  MTU
 0 R  public   ether   0        0        1500
 1 R  wifi1    wlan    0        0        1500
 2 R  wifi2    wlan    0        0        1500
 3 R  wifi3    wlan    0        0        1500

And this is the IP Addresses for each interface:

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS         NETWORK      BROADCAST     INTERFACE
 0   10.20.1.0/24    10.20.1.0    10.20.1.255   public
 1   10.10.2.0/24    10.10.2.0    10.10.2.255   wifi1
 2   10.10.3.0/24    10.10.3.0    10.10.3.255   wifi2
 3   10.10.4.0/24    10.10.4.0    10.10.4.255   wifi3

On the public interface you can add NAT or a proxy if you want.

Mangle Setup

And now the most important part of this setup.

We need to mark our users' traffic: one connection mark for upload and a second for download. In this example I add mangle rules for one user. At the end I add mangle rules for local traffic, because I do not apply QoS to local traffic between users; for a user, though, I need to separate upload and download.

[admin@instaler] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward src-address=10.10.2.36 action=mark-connection new-connection-mark=users-userU passthrough=yes comment="" disabled=no
 1   chain=forward dst-address=10.10.2.36 action=mark-connection new-connection-mark=users-userD passthrough=yes comment="" disabled=no
 2   chain=forward connection-mark=users-userU action=mark-packet new-packet-mark=userU passthrough=yes comment="" disabled=no
 3   chain=forward connection-mark=users-userD action=mark-packet new-packet-mark=userD passthrough=yes comment="" disabled=no
 98  chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16 action=mark-connection new-connection-mark=users-lokal passthrough=yes
 99  chain=forward connection-mark=users-lokal action=mark-packet new-packet-mark=lokalTrafic passthrough=yes

Queue Tree Setup

And now the queue tree settings. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent: for downlink traffic we use parent “global-out”, because we have two or more downloading interfaces, and for uplink we use parent “public”, since we want to QoS the uplink traffic. (I am using the pcq-upload and pcq-download queue types from the manual.) This example is for 2Mb/1Mb.

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
 0   name="Download" parent=global-out packet-mark="" limit-at=0 queue=pcq-download priority=1 max-limit=2000000 burst-limit=0 burst-threshold=0 burst-time=0s
 1   name="Upload" parent=WGW packet-mark="" limit-at=0 queue=pcq-upload priority=1 max-limit=1000000 burst-limit=0 burst-threshold=0 burst-time=0s

Now we add our user:


 2   name="user10D" parent=Download packet-mark=userD limit-at=0 queue=pcq-download priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 3   name="user10U" parent=Upload packet-mark=userU limit-at=0 queue=pcq-upload priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

source = wiki.mikrotik.com

Queue with Masquerading and Internal Web-Proxy

Introduction

This page explains how to build a QUEUE TREE in RouterOS on a router that is also running the web proxy and masquerading. Several forum threads say this is impossible.

In version 2.9.x we cannot tell which traffic is a HIT and which is a MISS from the web proxy. Several people want a configuration in which data already cached in the proxy (HIT traffic) is delivered at the maximum possible speed; in other words, if we already have the requested data, that traffic is not queued.

In version 3.0 we can do this using the TOS header modification feature of the web proxy: we can set any TOS value for HIT traffic and then use it as a match parameter in mangle.

Basic Setup

First, the basic settings. I am using a machine with two network interfaces:

[admin@instaler] > in pr
 #    NAME     TYPE    RX-RATE  TX-RATE  MTU
 0 R  public   ether   0        0        1500
 1 R  lan      wlan    0        0        1500

And this is the IP Address for each interface:

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK       BROADCAST       INTERFACE
 0   192.168.0.217/24    192.168.0.0   192.168.0.255   public
 1   172.21.1.1/24       172.21.1.0    172.21.1.255    lan

Don’t forget to set up the transparent web proxy. We set cache-hit-dscp: 4.

[admin@instaler] > ip proxy pr
                    enabled: yes
                src-address: 0.0.0.0
                       port: 3128
               parent-proxy: 0.0.0.0
          parent-proxy-port: 0
                cache-drive: system
        cache-administrator: "webmaster"
             max-cache-size: none
              cache-on-disk: yes
 maximal-client-connections: 600
 maximal-server-connections: 600
             max-fresh-time: 3d
      serialize-connections: yes
             cache-hit-dscp: 4

Firewall NAT

Make two NAT rules: one for masquerading, the other for redirecting traffic to the transparent proxy.

[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=public src-address=172.21.1.0/24 action=masquerade
 1   chain=dstnat in-interface=lan src-address=172.21.1.0/24 protocol=tcp dst-port=80 action=redirect to-ports=3128

Mangle Setup

And now the most important part of this setup.

If we want HIT traffic from the web proxy to bypass the queues, we need a mangle rule that handles this traffic. Put it at the beginning of the mangle table so it is checked first.

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; HIT TRAFFIC FROM PROXY
     chain=output out-interface=lan dscp=4 action=mark-packet new-packet-mark=proxy-hit passthrough=no

As we will make queues for uplink and downlink traffic, we need two packet marks. In this example we use “test-up” for uplink traffic and “test-down” for downlink traffic.

For uplink traffic it is quite simple: we need only one rule, matching on SRC-ADDRESS and IN-INTERFACE in the PREROUTING chain. Rule #1.

For downlink we have to make several rules. As we use masquerading, we need a connection mark, named “test-conn”. Rule #2.

Then we need two more rules. The first is for non-HTTP / direct connections; we use the forward chain, as that data travels through the router. Rule #3.

The second is for data coming from the web proxy to the client (MISS traffic); we use the OUTPUT chain, as that data comes from an internal process on the router itself. Rule #4.

For both rules (#3 and #4) the packet mark is named “test-down”.

Please be aware that passthrough=yes is used only for the connection mark rule (rule #2); the packet-mark rules use passthrough=no so a packet is marked once.

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 1   ;;; UP TRAFFIC
     chain=prerouting in-interface=lan src-address=172.21.1.0/24 action=mark-packet new-packet-mark=test-up passthrough=no
 2   ;;; CONN-MARK
     chain=forward src-address=172.21.1.0/24 action=mark-connection new-connection-mark=test-conn passthrough=yes
 3   ;;; DOWN-DIRECT CONNECTION
     chain=forward in-interface=public connection-mark=test-conn action=mark-packet new-packet-mark=test-down passthrough=no
 4   ;;; DOWN-VIA PROXY
     chain=output out-interface=lan dst-address=172.21.1.0/24 action=mark-packet new-packet-mark=test-down passthrough=no

Queue Tree Setup

And now the queue tree settings. We need one rule for downlink and one for uplink. Be careful when choosing the parent: for downlink traffic we use parent “lan”, the interface name of the local network, and for uplink we use parent “global-in”.

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
 0   name="downstream" parent=lan packet-mark=test-down limit-at=32000 queue=default priority=8 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s
 1   name="upstream" parent=global-in packet-mark=test-up limit-at=32000 queue=default priority=8 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s

You can also use these mangle rules with PCQ queue types.
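As an added example of that last remark (not configuration from the wiki page), the same test-up/test-down marks fed into PCQ queues: instead of one 32000 bit/s queue shared by the whole 172.21.1.0/24 network, PCQ splits the parent limit fairly per client address, while proxy-hit packets still carry no test-down mark and so keep bypassing the queue. The queue-type names and rates here (pcq-down, pcq-up, 128000/64000 per client, 2M/1M ceilings) are chosen for the example.

```routeros
# Added example, not from the wiki page. Per-client PCQ on top of the
# page's test-down / test-up packet marks.
/queue type
# downlink: one sub-queue per destination (client) address, 128 kbit/s each
add name=pcq-down kind=pcq pcq-rate=128000 pcq-classifier=dst-address pcq-limit=50 pcq-total-limit=2000
# uplink: one sub-queue per source (client) address, 64 kbit/s each
add name=pcq-up kind=pcq pcq-rate=64000 pcq-classifier=src-address pcq-limit=50 pcq-total-limit=2000

/queue tree
# keep the page's parents (lan / global-in) and marks, swap the queue type
# and raise the shared ceiling; pcq-rate caps each client inside it
set [find name=downstream] queue=pcq-down limit-at=0 max-limit=2000000
set [find name=upstream] queue=pcq-up limit-at=0 max-limit=1000000

# check: the proxy-hit rule must keep counting while the queue tree does not
# see its packets (HIT traffic leaves with mark proxy-hit, not test-down)
/ip firewall mangle print stats where new-packet-mark=proxy-hit
/queue tree print stats
```

With pcq-rate=0 the per-client cap is removed and PCQ only equalises: every active client gets an equal share of max-limit, which is usually what a shared-link operator wants.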

source = wiki.mikrotik.com

Mrtg Report

[MRTG traffic-monitoring graphs of a MikroTik router polled via SNMP: interface 1 and interface 2]

Setting up the MikroTik web proxy for an internet café (original source forgotten)

A few days ago a friend asked for help setting up his internet café with a proxy server; until then the café had run without one. The reasoning: when client1 accesses website A, client1 requests it from the web server hosting website A. When client2 or another client accesses the same website A, that client repeats the same request to the web server. If many other clients access the same website A, the same process happens again and again, and this is what makes access feel slow.

This is where a proxy is needed to speed up website access. A web page that a client has visited is stored (cached) on the proxy server. When a client requests a website it no longer goes straight to the web server: the client first looks for the requested site on the proxy. If it is there, the proxy answers the request and serves it to the client; only if the requested site is not found in the proxy's store/cache does the proxy server request it from the target web server.

There are many kinds of proxy: on Windows you can use WinRoute, WinProxy, etc.; on Linux you can use Squid. Here I use MikroTik, which is Linux-based. Besides being a reliable router, MikroTik can also serve as a web proxy server. The settings I use are below.

PC spec: P3 800 MHz, memory 256, HD 30 GB, 2 LAN cards (1 onboard, 1 add-on)
OS: Mikrotik OS 2.29.XX
ISP: Telkom Speedy (Professional), 1 line
Modem: standard Sanex modem supplied with Speedy
Clients: 10 computers

MikroTik configuration:

#1. Set up the LAN card interfaces
/interface
set ether1 name=modem
set ether2 name=lan

Note: ether1 is renamed (as an interface) to modem (connection to and from the modem); ether2 is renamed to lan (connection to and from the LAN). This is only to make them easy to remember; it has no effect on access.

#2. Set the IP addresses
/ip address
add address=192.168.1.2/24 interface=modem
add address=192.168.10.1/24 interface=lan

Note: the usual default IP address of the modem is 192.168.1.1, so the IP of the interface to/from the modem can be anything in 192.168.1.2-254 (your choice).

#3. Set the gateway
/ip route
add gateway=192.168.1.1

#4. Set DNS
/ip dns
set primary-dns=202.134.1.10
set secondary-dns=203.130.196.155
set allow-remote-requests=yes

Note: DNS translates IP addresses to domain names (****.com, ****.net, etc.) and vice versa. Speedy offers several DNS servers; pick the one with the lowest latency by pinging them, so DNS lookups are a bit faster.

#5. Set NAT
/ip firewall nat
add chain=srcnat action=masquerade out-interface=modem

Note: Network Address Translation (NAT) is a router facility that forwards packets from a source IP and/or to a destination IP; it is an Internet standard that lets host computers communicate with outside networks using a public IP address.

#6. Set up the (transparent) web proxy
/ip web-proxy
set enabled=yes
set hostname=proxywarnetku
set transparent-proxy=yes
set cache-administrator=admin@warnetmu

Note: the other web proxy settings are left at the MikroTik defaults. hostname = DNS hostname or IP address of the web proxy; cache-administrator = e-mail address of the admin to contact when the proxy fails, shown in the client's browser on a proxy error.


#7. Redirect to the proxy
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=3128

Note: redirect diverts/forces port 80 (www/web) connections from the clients to port 3128, the default port of the MikroTik web proxy, so every client request on port 80 (www/web) goes through the MikroTik web proxy.

#8. Monitor the web proxy
/ip web-proxy
monitor interval=1

Note: monitors the MikroTik web proxy usage at a 1-second interval.

Result: satisfying, really satisfying…! DHCP is deliberately not configured because the client IPs (Windows) are set manually to match the café billing system. For a large network with many clients it is better to use Squid on Linux.
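One thing the eight steps above do not include is an input filter. With allow-remote-requests=yes the router answers DNS queries for anyone who can reach it, and the web proxy on tcp/3128 is likewise reachable from the modem side, not just from the LAN. The rules below are an added example, not part of the original café setup; they use the interface names modem and lan from step 1 and keep both services available to LAN clients only.

```routeros
# Added example, not from the original café configuration: restrict the
# router's own DNS resolver and web proxy to the lan interface.
/ip firewall filter
# replies to connections the router itself started (e.g. its upstream DNS lookups)
add chain=input connection-state=established action=accept comment="router replies"
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
# LAN clients may use the router as DNS resolver and as proxy
add chain=input in-interface=lan protocol=udp dst-port=53 action=accept comment="DNS for LAN"
add chain=input in-interface=lan protocol=tcp dst-port=53 action=accept comment="DNS for LAN"
add chain=input in-interface=lan protocol=tcp dst-port=3128 action=accept comment="proxy for LAN"
# the same services are not offered on the modem side
add chain=input in-interface=modem protocol=udp dst-port=53 action=drop comment="no open resolver"
add chain=input in-interface=modem protocol=tcp dst-port=53 action=drop comment="no open resolver"
add chain=input in-interface=modem protocol=tcp dst-port=3128 action=drop comment="no open proxy"

# check: the drop counters on the modem rules show whether anything was
# already knocking on those ports
/ip firewall filter print stats where chain=input
```

The transparent redirect from step 7 is unaffected: redirected packets arrive on lan and match the accept rule for tcp/3128.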

Good luck trying it out.

MikroTik Router and FreeBSD Proxy

Topology (addresses as in the configuration below):

    modem ------------- Mikrotik --192.168.2.1-------- BSD 192.168.2.2
      192.168.1.1       192.168.1.2
                           |
                       192.168.0.1
                           |
                          hub --- client

A. MikroTik configuration

1. Interfaces
/ interface ethernet
set PUBLIC name="PUBLIC" mtu=1500 mac-address=00:50:DA:EE:A5:F2 arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
set PROXY name="PROXY" mtu=1500 mac-address=00:01:02:86:DA:1E arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
set LAN name="LAN" mtu=1500 mac-address=00:50:DA:EC:85:0C arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no

2. IP address pool for the DHCP server
/ ip pool
add name="dhcp_pool1" ranges=192.168.0.2-192.168.0.14

3. ISP DNS servers
/ ip dns
set primary-dns=202.134.0.155 secondary-dns=203.130.193.74 \
    allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

4. IP address per interface
/ ip address
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 \
    interface=PUBLIC comment="" disabled=no
add address=192.168.2.1/30 network=192.168.2.0 broadcast=192.168.2.3 \
    interface=PROXY comment="" disabled=no
add address=192.168.0.1/27 network=192.168.0.0 broadcast=192.168.0.31 \
    interface=LAN comment="" disabled=no

5. Default route / gateway
/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 \
    comment="" disabled=no


6. Packet marks
/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection new-connection-mark=ym_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=27015 action=mark-connection new-connection-mark=cs_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6000-7000 action=mark-connection new-connection-mark=irc_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8291 action=mark-connection new-connection-mark=mt_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=22 action=mark-connection new-connection-mark=ssh_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http passthrough=no comment="" disabled=no
add chain=prerouting connection-mark=dns_conn action=mark-packet new-packet-mark=dns passthrough=no comment="" disabled=no
add chain=prerouting connection-mark=ym_conn action=mark-packet new-packet-mark=ym passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.0/27 action=mark-connection new-connection-mark=local passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=irc_conn action=mark-packet new-packet-mark=irc passthrough=no comment="" disabled=no
add chain=prerouting connection-mark=mt_conn action=mark-packet new-packet-mark=mt passthrough=no comment="" disabled=no
add chain=prerouting connection-mark=email_conn action=mark-packet new-packet-mark=email passthrough=no comment="" disabled=no
add chain=prerouting connection-mark=ssh_conn action=mark-packet new-packet-mark=ssh passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.0/27 action=mark-connection new-connection-mark=local passthrough=yes comment="" disabled=no
add chain=forward src-address=192.168.0.2 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=billing passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.2 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=billing passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.3 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja1 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.3 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja1 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.4 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja2 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.4 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja2 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.5 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja3 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.5 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja3 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.6 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja4 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.6 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja4 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.7 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja5 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.7 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja5 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.8 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja6 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.8 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja6 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.9 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja7 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.9 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja7 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.10 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja8 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.10 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja8 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.11 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja9 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.11 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja9 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.12 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja10 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.12 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja10 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.13 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja11 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.13 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja11 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.14 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja12 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.14 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja12 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.15 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja13 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.15 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja13 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.16 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja14 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.16 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja14 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.17 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja15 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.17 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja15 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.18 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja16 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.18 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja16 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.19 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja17 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.19 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja17 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.20 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja18 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.20 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja18 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.21 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja19 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.21 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja19 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.22 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja20 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.22 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja20 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.23 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja21 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.23 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja21 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.24 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja22 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.24 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja22 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.0.25 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja23 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.0.25 protocol=tcp connection-mark=local action=mark-packet new-packet-mark=meja23 passthrough=no comment="" disabled=no

7. Network Address Translation
/ ip firewall nat
add chain=srcnat out-interface=PUBLIC action=masquerade comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.2.2 to-ports=3128 comment="" disabled=yes
add chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.2.2 to-ports=3128 comment="" disabled=yes
add chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=3128 action=dst-nat to-addresses=192.168.2.2 to-ports=3128 comment="" disabled=yes
add chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=8081 action=dst-nat to-addresses=192.168.2.2 to-ports=3128 comment="" disabled=yes
add chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=8090 action=dst-nat to-addresses=192.168.2.2 to-ports=3128 comment="" disabled=yes
add chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=3127 action=dst-nat to-addresses=192.168.2.2 to-ports=3128 comment="" disabled=yes
add chain=dstnat protocol=tcp dst-port=8050 action=dst-nat to-addresses=192.168.2.2 to-ports=3128 comment="" disabled=yes

Note that every dst-nat rule towards the FreeBSD proxy is exported with disabled=yes, so in this export the redirect to 192.168.2.2:3128 is not active until the rules are enabled.

8. Packet firewall filter
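The per-desk part of step 6 is 48 near-identical rules, one pair per client, with desk N at 192.168.0.(N+2) carrying packet mark mejaN and the billing PC at 192.168.0.2. The loop below is an added example, not part of this export: it generates exactly that mapping, plus the matching queue-tree leaf under the UPSTREAM parent that step 14 of this configuration creates by hand. It assumes the two "local" connection-mark rules and the UPSTREAM queue already exist; the leaf names it produces (meja1-UP, billing-UP) differ in case from the page's MEJA1-UP.

```routeros
# Added example, not from the export. Run from /system script or paste into
# the terminal after the "local" connection marks and UPSTREAM queue exist.
# n=0 is the billing PC (192.168.0.2), n=1..23 are desks meja1..meja23.
:for n from=0 to=23 do={
    :local ip [:toip ("192.168.0." . ($n + 2))]
    :local mark ("meja" . $n)
    :if ($n = 0) do={ :set mark "billing" }
    # idempotent: skip a client whose mark rules already exist
    :if ([:len [/ip firewall mangle find new-packet-mark=$mark]] = 0) do={
        # both directions, TCP only and only inside a "local"-marked
        # connection, as in the hand-written rules; passthrough=no stops
        # further packet-mark rules from overwriting the mark
        /ip firewall mangle add chain=forward src-address=$ip protocol=tcp \
            connection-mark=local action=mark-packet new-packet-mark=$mark passthrough=no
        /ip firewall mangle add chain=forward dst-address=$ip protocol=tcp \
            connection-mark=local action=mark-packet new-packet-mark=$mark passthrough=no
    }
    :if ([:len [/queue tree find packet-mark=$mark]] = 0) do={
        /queue tree add name=($mark . "-UP") parent=UPSTREAM packet-mark=$mark \
            limit-at=0 queue=default priority=5 max-limit=0
    }
}
# check: one leaf per mark, and packet counters moving on the desks in use
/queue tree print stats where parent=UPSTREAM
```

Because the rules match protocol=tcp only, UDP traffic from a desk (DNS, the udp/27015 game connections marked as cs_conn above) never receives a meja mark and is not shaped by these leaves; that is the page's design, reproduced here unchanged.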
/ ip firewall filter
add chain=forward src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=tcp src-port=0-65535 dst-port=80 action=accept comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=tcp src-port=0-65535 dst-port=8291 action=accept comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 action=accept comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=tcp src-port=0-65535 dst-port=5000-5050 action=accept comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=tcp src-port=0-65535 dst-port=6667-7000 action=accept comment="" disabled=no
add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="Drop Kazaa" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Beagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot,Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
add chain=virus protocol=tcp dst-port=6881-6889 action=drop comment="Drop BitTorrent" disabled=no
add chain=virus protocol=tcp dst-port=6345-6349 action=drop comment="Drop Gnutella" disabled=no
add chain=virus protocol=tcp dst-port=31337 action=drop comment="Drop Streaming Virus" disabled=no
add chain=virus protocol=tcp dst-port=6257 action=drop comment="winmx napster" disabled=no
add chain=virus protocol=tcp dst-port=6699 action=drop comment="winmx napster" disabled=no
add chain=virus protocol=tcp dst-port=2754 action=drop comment="winmx napster" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="winmx napster" disabled=no
add chain=virus protocol=tcp dst-port=4661-4672 action=drop comment="Edonkey Clones" disabled=no
add chain=virus protocol=tcp dst-port=5556-5557 action=drop comment="Edonkey Clones" disabled=no
add chain=input in-interface=PUBLIC protocol=tcp dst-port=8080 action=drop comment="" disabled=no
add chain=forward out-interface=PUBLIC protocol=tcp p2p=all-p2p action=drop comment="" disabled=no
add chain=forward out-interface=PUBLIC protocol=udp p2p=all-p2p action=drop comment="" disabled=no
add chain=forward in-interface=PUBLIC dst-address=192.168.0.2 protocol=tcp dst-port=6000-6667 action=drop comment="" disabled=no
add chain=forward src-address=208.65.153.251 action=drop comment="" disabled=no
add chain=forward src-address=208.65.153.253 action=drop comment="" disabled=no

9. Service ports: which are allowed and which are not
/ ip firewall service-port
set ftp ports=21 disabled=yes
set tftp ports=69 disabled=yes
set irc ports=6667 disabled=yes
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes

10. DHCP server service
/ ip dhcp-server
add name="dhcp1" lease-time=3d address-pool=dhcp_pool1 bootp-support=static authoritative=after-2sec-delay disabled=yes

11. System logging on the MikroTik
/ system logging
add topics=info prefix="" action=remote disabled=no
add topics=error prefix="" action=remote disabled=no
add topics=firewall prefix="" action=remote disabled=no
add topics=critical prefix="" action=remote disabled=no
add topics=debug prefix="" action=remote disabled=no
add topics=web-proxy prefix="" action=remote disabled=no
add topics=firewall prefix="" action=remote disabled=no
add topics=packet prefix="" action=remote disabled=no
add topics=state prefix="" action=remote disabled=no
add topics=system prefix="" action=remote disabled=no
add topics=watchdog prefix="" action=remote disabled=no
add topics=keepalive prefix="" action=memory disabled=no
add topics=web-proxy prefix="" action=remote disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=192.168.0.24:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 check-interval=1d user=""

12. Router name
/ system identity
set name="Payau.NET"
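The forward chain in step 8 is evaluated top to bottom, and its third rule, chain=forward src-address=0.0.0.0/0 action=accept, matches every packet. Everything listed after it in the forward chain (the invalid-state drop, the jump to the virus chain, the p2p drops and the two source-address drops) is therefore never reached, so the whole virus chain is dead configuration. The rules below are an added example, not the export's own order: the same rules with only their order changed, so that connection-state checks and the virus-chain jump run before any broad accept. It assumes it is applied to an empty forward chain (or after the existing forward rules are removed); the virus chain itself is left exactly as on the page.

```routeros
# Added example, not from the export: the page's forward rules re-ordered so
# that drops are evaluated before the catch-all accept. Apply on a router
# whose forward chain is otherwise empty; the "virus" chain from step 8 must
# already exist for the jump to have an effect.
/ip firewall filter
# 1. fast path for traffic belonging to known connections
add chain=forward connection-state=established action=accept comment="allow established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
# 2. the port-based drops: only new connections get this far
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=forward out-interface=PUBLIC protocol=tcp p2p=all-p2p action=drop comment="block p2p upload"
add chain=forward out-interface=PUBLIC protocol=udp p2p=all-p2p action=drop comment="block p2p upload"
add chain=forward in-interface=PUBLIC dst-address=192.168.0.2 protocol=tcp dst-port=6000-6667 action=drop
add chain=forward src-address=208.65.153.251 action=drop
add chain=forward src-address=208.65.153.253 action=drop
# 3. the page's policy for everything else is accept; it is now the LAST rule
add chain=forward action=accept comment="everything else (same policy as the page)"

# check: the jump and drop rules must show non-zero packet counters once
# LAN traffic flows; all-zero counters mean an earlier rule swallows the traffic
/ip firewall filter print stats where chain=forward
```

The specific accepts for ports 80, 8291, 5000-5050 and 6667-7000 from the page are redundant once the final rule accepts everything, which is why they are not repeated; if the policy is later tightened to a default drop, they go just above that last rule.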
Tipe quee/ queue typeset default name=”default” kind=bfifo bfifo-limit=15000set ethernet-default name=”ethernet-default” kind=pfifo pfifo-limit=50set wireless-default name=”wireless-default” kind=sfq sfq-perturb=5 \sfq-allot=1514set synchronous-default name=”synchronous-default” kind=red red-limit=60 \red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000set hotspot-default name=”hotspot-default” kind=sfq sfq-perturb=5 \sfq-allot=1514add name=”default-small” kind=pfifo pfifo-limit=1014. bw management pakai quee tree/ queue treeadd name=”UPSTREAM” parent=PUBLIC packet-mark=”” limit-at=0 queue=default \priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s \disabled=noadd name=”BILLING-UP” parent=UPSTREAM packet-mark=billing limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA1-UP” parent=UPSTREAM packet-mark=meja1 limit-at=0 queue=default \priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s \disabled=noadd name=”MEJA2-UP” parent=UPSTREAM packet-mark=meja2 limit-at=0 queue=default \priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s \disabled=noadd name=”MEJA3-UP” parent=UPSTREAM packet-mark=meja3 limit-at=0 queue=default \priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s \disabled=noadd name=”MEJA4-UP” parent=UPSTREAM packet-mark=meja4 limit-at=0 queue=default \priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s \disabled=noadd name=”MEJA5-UP” parent=UPSTREAM packet-mark=meja5 limit-at=0 queue=default \priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s \disabled=noadd name=”MEJA6-UP” parent=UPSTREAM packet-mark=meja6 limit-at=0 queue=default \priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s \disabled=noadd name=”MEJA7-UP” parent=UPSTREAM packet-mark=meja7 limit-at=0 queue=default \priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

Page 224: Copy of 19763026 Tutorial Mikrotik Komplet

\disabled=noadd name=”MEJA8-UP” parent=UPSTREAM packet-mark=meja8 limit-at=0 queue=default \priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s \disabled=noadd name=”MEJA9-UP” parent=UPSTREAM packet-mark=meja9 limit-at=0 queue=default \priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s \disabled=noadd name=”MEJA10-UP” parent=UPSTREAM packet-mark=meja10 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”DOWNSTREAM” parent=LAN packet-mark=”” limit-at=0 queue=default \priority=1 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s \disabled=noadd name=”BILLING-DOWN” parent=DOWNSTREAM packet-mark=billing limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA2-DOWN” parent=DOWNSTREAM packet-mark=meja2 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA3-DOWN” parent=DOWNSTREAM packet-mark=meja3 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA4-DOWN” parent=DOWNSTREAM packet-mark=meja4 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA5-DOWN” parent=DOWNSTREAM packet-mark=meja5 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA6-DOWN” parent=DOWNSTREAM packet-mark=meja6 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA7-DOWN” parent=DOWNSTREAM packet-mark=meja7 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA8-DOWN” parent=DOWNSTREAM packet-mark=meja8 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s 
disabled=noadd name=”MEJA9-DOWN” parent=DOWNSTREAM packet-mark=meja9 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA10-DOWN” parent=DOWNSTREAM packet-mark=meja10 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA20-DOWN” parent=DOWNSTREAM packet-mark=meja20 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA19-DOWN” parent=DOWNSTREAM packet-mark=meja19 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA18-DOWN” parent=DOWNSTREAM packet-mark=meja18 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA11-UP” parent=UPSTREAM packet-mark=meja11 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA12-UP” parent=UPSTREAM packet-mark=meja12 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA-13UP” parent=UPSTREAM packet-mark=meja13 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA-14UP” parent=UPSTREAM packet-mark=meja14 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA-15UP” parent=UPSTREAM packet-mark=meja15 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA-16UP” parent=UPSTREAM packet-mark=meja16 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA-17UP” parent=UPSTREAM packet-mark=meja17 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s 
disabled=noadd name=”MEJA-18UP” parent=UPSTREAM packet-mark=meja18 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA-19UP” parent=UPSTREAM packet-mark=meja19 limit-at=0

Page 225: Copy of 19763026 Tutorial Mikrotik Komplet

\queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA-20UP” parent=UPSTREAM packet-mark=meja20 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA11-DOWN” parent=DOWNSTREAM packet-mark=meja11 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA12-DOWN” parent=DOWNSTREAM packet-mark=meja12 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA13-DOWN” parent=DOWNSTREAM packet-mark=meja13 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA14-DOWN” parent=DOWNSTREAM packet-mark=meja14 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA15-DOWN” parent=DOWNSTREAM packet-mark=meja15 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA16-DOWN” parent=DOWNSTREAM packet-mark=meja16 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA17-DOWN” parent=DOWNSTREAM packet-mark=meja17 limit-at=0 \queue=default priority=5 max-limit=96000 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=noadd name=”MEJA1-DOWN” parent=DOWNSTREAM packet-mark=meja1 limit-at=0 \queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 \burst-time=0s disabled=no15. 
user mikrotik/ useradd name=”admin” group=full address=0.0.0.0/0 comment=”system default user” \disabled=noadd name=”areksitiung” group=full address=0.0.0.0/0 comment=”” disabled=noadd name=”dartox” group=full address=0.0.0.0/0 comment=”” disabled=noadd name=”aldie” group=full address=0.0.0.0/0 comment=”” disabled=noadd name=”Rivol” group=full address=0.0.0.0/0 comment=”” disabled=no/ user groupadd name=”read” policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!f\tp,!write,!policyadd name=”write” policy=local,telnet,ssh,reboot,read,write,test,winbox,password\,web,!ftp,!policyadd name=”full” policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\x,password,webB. Instalasi FReeBSdInstal Router dengan FreeBSD1. Install freeBSD melalui CDRoom/Ftp/DOS.( saya gunakan freeBSD.4.9-RELEASE )2. setelah tahap install selesai, lalu isikan ip address untuk Routernya.ketik command :/stand/sysinstall –> Configure –> Networking –> Interfaces –> rl0Note :rl0 ==> dalam hal ini di artikan eth0 jika di linux.3. OK sekarang untuk membuat Router dan Squid kita coba lakukan Kompile kerneldengan option pendukung :cd /usr/src/sys/i386/confcp GENERIC ROUTER —> copy kernel asli jika kemudian terjadi masalahbisa kembali ke awal

a. Then add the options below:
ident ROUTER                        # make sure ident matches the kernel name
options IPDIVERT                    # option for NAT
# options for firewall and forwarding
options IPFILTER
options IPFILTER_LOG
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT
options IPFIREWALL_FORWARD
b. Then compile the kernel:
config ROUTER
cd ../../compile/ROUTER
make depend && make && make install
(When it finishes, try rebooting into single-user mode.)
4. Continue with the Squid installation (I used squid-2.5.STABLE7.tar.gz). Download squid-2.5.STABLE7.tar.gz (find it via Google):
fetch http://hostname/squid-2.5.STABLE7.tar.gz    --> fetch is the FreeBSD equivalent of wget
tar -zxvf squid-2.5.STABLE7.tar.gz
./configure \
  --prefix=/usr/local/squid \
  --exec-prefix=/usr/local/squid \
  --enable-delay-pools \
  --enable-cache-digests \
  --enable-poll \
  --disable-ident-lookups \
  --enable-snmp
make
make install
5. When that is done, continue to the Squid configuration:
ee /usr/local/squid/etc/squid.conf    --> edit squid.conf
# below is an excerpt of squid.conf
# cache directory and logs
cache_dir ufs /usr/local/squid/var/cache 512 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
# squid group and user
cache_effective_user squid
cache_effective_group squid
6. Continue with the user, group and directories for the cache and logs:
mkdir /usr/local/squid/var/cache    --> create the cache and logs directories (if they do not exist yet)
mkdir /usr/local/squid/var/logs
pw groupadd squid    --> create the squid group
pw useradd squid -g squid -d /dev/null -s /etc/shells    --> create the squid user
chown -R squid:squid /usr/local/squid/var/cache    --> change the ownership of the cache and log directories
chown -R squid:squid /usr/local/squid/var/logs
/usr/local/squid/sbin/squid -z    --> run this command to create the swap directories
7. Once all the configuration is done, start Squid:
/usr/local/squid/sbin/squid -D -f /usr/local/squid/etc/squid.conf
ps ax | grep squid    --> type this command to make sure Squid is running
Then check whether Squid is really OK:
tail -f /var/log/messages
tail -f /var/log/squid/cache.log
8. To make things easier, use this script as a helper:
ee /usr/sbin/squid.sh    --> create the shell file
chmod 755 squid.sh    --> change the file permissions
----------------------- Cut here -----------------------
#!/bin/sh
echo -n ' Squid '
case "$1" in
start)
    /usr/local/squid/sbin/squid -D -f /usr/local/squid/etc/squid.conf
    ;;
stop)
    /usr/local/squid/sbin/squid -k shutdown
    ;;
restart)
    /usr/local/squid/sbin/squid -k reconfigure
    ;;
*)
    echo "Usage: `basename $0` {start|stop|restart}"
    ;;
esac
----------------------- Cut here -----------------------
So, to stop or start Squid you only need the command:
/usr/sbin/squid.sh start    --> (use start, stop or restart)
9. Squid is done; now on to the IP forwarding configuration:
ee /etc/sysctl.conf    --> edit sysctl.conf
net.inet.ip.forwarding=1    --> add the forwarding option
Now make sure the settings below are present in your rc.conf:
ee /etc/rc.conf    --> edit rc.conf
gateway_enable=YES
firewall_enable=YES
firewall_type=OPEN
natd_enable=YES
natd_interface="rl0"
inetd_enable=YES
router_enable=YES
named_enable=YES
sshd_enable=YES
ifconfig_rl0="192.168.2.2"    --> "inet ip_public netmask public_mask"
defaultrouter="192.168.2.1"    --> "gw ip_public"
10. The last step is the rules for IP forwarding. To be safe, put the rules straight into rc.local so they are read again whenever the server reboots; while we are at it, Squid can be started from there as well. Just paste the lines below into rc.local:
ee /etc/rc.local    --> edit rc.local
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via rl0
/sbin/ipfw add pass all from any to any
/sbin/ipfw add 00050 fwd 192.168.0.254,3128 tcp from any to any 80 via rl0
/usr/sbin/squid.sh start

C. squid.conf
http_port 192.168.0.254:3128 transparent
http_port 127.0.0.1:3128 transparent
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
cache_swap_low 98
cache_swap_high 99
ipcache_size 4096
ipcache_low 98
ipcache_high 99
fqdncache_size 4096
maximum_object_size 32 MB
maximum_object_size_in_memory 16 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir diskd /cache 10000 26 256 Q1=72 Q2=88
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
#access_log none
allow_underscore on
pid_filename /var/run/squid/squid.pid
cache_store_log none
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
##REFRESH PATTERN
refresh_pattern yahoo 0 20% 4320
refresh_pattern -i \.(class|css|js|gif|jpg)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(jpe|jpeg|png|bmp|tif)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(tiff|mov|avi|qt|mpeg)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(mpg|mpe|wav|au|mid)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(zip|gz|arj|lha|lzh)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(rar|tgz|tar|exe|bin)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(hqx|pdf|rtf|doc|swf)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(inc|cab|ad|txt|dll)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(asp|acgi|pl|shtml|php3|php)$ 2 20% 4320 reload-into-ims
refresh_pattern -i \? 2 20% 4320 reload-into-ims
refresh_pattern -i cgi-bin 2 20% 4320 reload-into-ims
refresh_pattern http://.*\.friendster\.com/ 960 20% 4320
refresh_pattern http://.*\.yahoo\.com/ 960 20% 4320
refresh_pattern http://.*\login.yahoo\.com/ 10080 20% 4320
refresh_pattern . 960 90% 43200 reload-into-ims
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 100
client_lifetime 3 hours
shutdown_lifetime 10 seconds
half_closed_clients off
high_memory_warning 400 mb
high_response_time_warning 0
high_page_fault_warning 2
strip_query_terms off
log_fqdn off
memory_pools off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 192.168.1.0/30 192.168.0.0/24
acl hotmail dstdomain .hotmail.com .msn.com .passport.net .msn.co.id .passport.com
acl file_berat url_regex -i ^ftp://
acl file_berat url_regex -i .exe .mp3 .vqf .tar.gz .rpm .rar
acl file_berat url_regex -i .mpeg .mpg .iso .rm .wmv .avi .asf .swf
acl file_berat url_regex -i .cab .mov .qt
acl gator1 dstdomain .riaa.com .gator.com .xxxtoolbar.com .hotbar.com ftpaol.news
acl gator2 dstdom_regex gator hot_indonesia.exe
acl blokir dstdomain .rankyou.com .x10.com .infostart.com .startgp.com .iwantnet.net
acl blokir dstdomain .goclick.com .00fun.com .xupiter.com .sexlist.com .pageseeker.con
acl blokir dstdomain .terra.es .fastmetasearch.com .trendmicro.com .grab.nastydollars.com .adserver.securityfocus.com
acl blokir dstdomain .evidence-eliminator.com .supereva.it .tjaw.com .a248.e.akamai.net
acl blokir dstdomain .180solutions.com .hrvg.tk .cerials.net .vesperexchange.com .pagead2.googlesyndication.com
acl blokir dstdomain .nude-celebs-top.com .aqonk.com .mtvxxx.com .kittens.plays.com .ai134.insightexpressai.com
acl blokir dstdomain .sex-info.cjb.net .usa-download.nocreditcard.com .pusatvcd.com
acl blokir dstdomain .dev-download.nocreditcard.com .wazzupnet.com .hamsah.net .casalemedia.com .doubleclick.net
acl blokir dstdomain .hackwars.com .vasile200.home.ro .mrazirnydasice.cz .XXXTOLBAR.com
acl blokir dstdomain .hitbox.com .adlogix.com .daddyswap.com
acl blokir dstdomain .internet-optimizer.com .offshoreclicks.com .animespy.com
acl blokir dstdomain .leader.linkexchange.com .layer-ads.de .animedc.com .paypopup.com .sugarporn.net
acl blokir dstdomain .kaza.com .kazza .nastyxpix.com .reliz.ru .fullmovies.net .adfarm.mediaplex.com
acl blokir dstdomain .virtuagirl2.com .spybouncer.com .kerclink.com tradedoubler.com .xxxindonesia.com
acl blokir dstdomain .getright.com .kazaa.com .sleazydream.com .revenue.net .view.atdmt.com
acl blokir dstdomain .freshdevices.com .gozilla.com .reget.com .89.com .xnxx.com .yieldmanager.com
acl blokir dstdomain .leechget.de .as.cmpnet.com .netants.com .gadisbandung.com
acl blokir dstdomain .netvampire.com .downloadaccelerator.com .tribalfusion.com .etology.com
acl blokir dstdomain .cometsystems.com .mtreexxx.net .japanxtgp.net .ceritabokep.com .teen-images.com .quatangtraitim.us.tf
acl blokir dstdomain .fleshlightcash.com .adsrevenue.net .xxx .nude .porn .sex .sperm
acl file_terlarang url_regex -i hot_indonesia.exe
acl file_terlarang url_regex -i hotsurprise_id.exe
acl file_terlarang url_regex -i best-mp3-download.exe
acl file_terlarang url_regex -i R32.exe
acl file_terlarang url_regex -i rb32.exe
acl file_terlarang url_regex -i mp3.exe
acl file_terlarang url_regex -i HOTSEX.exe
acl file_terlarang url_regex -i Browser_Plugin.exe
acl file_terlarang url_regex -i DDialer.exe
acl file_terlarang url_regex -i od-teen
acl file_terlarang url_regex -i URLDownload.exe
acl file_terlarang url_regex -i od-stnd67.exe
acl file_terlarang url_regex -i Download_Plugin.exe
acl file_terlarang url_regex -i od-teen52.exe
acl file_terlarang url_regex -i malaysex
acl file_terlarang url_regex -i edita.html
acl file_terlarang url_regex -i info.exe
acl file_terlarang url_regex -i run.exe
acl file_terlarang url_regex -i Lovers2Go
acl file_terlarang url_regex -i GlobalDialer
acl file_terlarang url_regex -i WebDialer
acl file_terlarang url_regex -i download.exe
acl file_terlarang url_regex -i backup.exe
acl file_terlarang url_regex -i GnoOS2003
acl file_terlarang url_regex -i wintrim.exe
acl file_terlarang url_regex -i MPREXE.EXE
acl file_terlarang url_regex -i exengd.EXE
acl file_terlarang url_regex -i xxxvideo.exe
acl file_terlarang url_regex -i Save.exe
acl file_terlarang url_regex -i ATLBROWSER.DLL
acl file_terlarang url_regex -i NawaL_rm
acl file_terlarang url_regex -i Socks32.dll
acl file_terlarang url_regex -i Sc32Lnch.exe
acl file_terlarang url_regex -i dat0.exe
acl manager proto cache_object
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 81
acl Safe_ports port 84
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl BADPORTS port 7 9 11 19 22 23 25 110 119 513 514 445 213 137 138 32768
acl VIRUS urlpath_regex winnt/system32/cmd.exe?
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny gator1
http_access deny gator2
http_access deny blokir
http_access deny file_terlarang
http_access deny VIRUS
http_access deny BADPORTS
http_access allow lan
http_access allow localhost
http_access deny all
icp_access allow lan
icp_access deny all
miss_access allow lan
miss_access deny all
ftp_user [email protected]
ftp_list_width 32
ftp_passive on
forwarded_for off
store_objects_per_bucket 15
store_avg_object_size 13 kb
debug_options ALL,1 98,2
max_open_disk_fds 100
store_dir_select_algorithm round-robin
cache_mgr [email protected]
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.englishfirst.com
logfile_rotate 1
pipeline_prefetch on
vary_ignore_expire on
cachemgr_passwd lifesource andalaswave
buffered_logs on
ignore_unknown_nameservers off
header_access Accept-Encoding deny hotmail
ie_refresh off
delay_pools 1
#delay_class 1 1
#delay_parameters 1 2000/64000
#delay_access 1 allow lan
#delay_access 1 deny all
delay_class 1 1
delay_parameters 1 8000/16000
delay_access 1 allow file_berat
delay_access 1 deny all

Filed under: BSD, Mikrotik, Router


Load Balancing with MikroTik for an Internet Café Router

Here the uplink consists of two Speedy Office Unlimited lines for one of the internet cafés in the city of Padang; the example configuration is:

Login: areksitiung
Password:


MikroTik RouterOS 2.9.27 (c) 1999-2006 http://www.mikrotik.com/

# nov/27/2008 11:26:36 by RouterOS 2.9.27
# software id = HUI7-TQN
#
/ interface ethernet
set Local name="Local" mtu=1500 mac-address=00:11:6B:95:D4:49 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set Speedy1 name="Speedy1" mtu=1500 mac-address=00:11:6B:94:F0:C5 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set Speedy2 name="Speedy2" mtu=1500 mac-address=00:19:21:28:5F:87 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 keepalive-timeout=30 default-profile=default-encryption
/ interface pppoe-client
add name="pppoe-out2" max-mtu=1480 max-mru=1480 interface=Speedy2 user="[email protected]" password="xxxxxx" profile=default service-name="" ac-name="" add-default-route=yes dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=yes


set ftp port=21 address=0.0.0.0/0 disabled=yes
set www port=1979 address=0.0.0.0/0 disabled=no
set ssh port=1982 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ ip arp
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m inactive-flow-timeout=15s
/ ip address
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=Local comment="" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Speedy1 comment="" disabled=no
add address=192.168.3.2/24 network=192.168.3.0 broadcast=192.168.3.255 interface=Speedy2 comment="" disabled=yes
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connections=1000 maximal-server-connections=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
/ ip neighbor discovery
set Local discover=yes
set Speedy1 discover=yes
set Speedy2 discover=yes
set pppoe-out2 discover=no
/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 routing-mark=one comment="" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 action=mark-connection new-connection-mark=one passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=one action=mark-routing new-routing-mark=one passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 action=mark-connection new-connection-mark=two passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=two action=mark-routing new-routing-mark=two passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat out-interface=Speedy1 connection-mark=one action=masquerade comment="" disabled=no


add chain=srcnat out-interface=pppoe-out2 connection-mark=two action=masquerade comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall filter
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445-3000 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445-3000 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=udp dst-port=7000 action=drop comment="Setan1" disabled=no
add chain=virus protocol=tcp dst-port=100-1000 action=drop comment="Setan1" disabled=no
add chain=virus protocol=udp dst-port=100-1000 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=1000-3000 action=drop comment="Setan1" disabled=no
add chain=virus protocol=udp dst-port=1000-3000 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=40000-50000 action=drop comment="Setan1" disabled=no
add chain=virus protocol=udp dst-port=40000-50000 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=7000 action=drop comment="Setan1" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=7000 action=drop comment="Setan1" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus action=return comment="" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow established connections" disabled=no
add chain=input connection-state=related action=accept comment="Allow related connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=yes
set tftp ports=69 disabled=yes
set irc ports=6667 disabled=yes
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
set enabled=no src-address=0.0.0.0 port=3128 hostname="proxy" transparent-proxy=no parent-proxy=0.0.0.0:0 cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system max-cache-size=none max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
/ ip web-proxy cache
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" disabled=no
/ system logging
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
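The tcp-flags rules in the "/ ip firewall filter" section above depend on a matching rule that is easy to misread: a bare flag must be set, a "!" flag must be clear, and any flag not listed is ignored. The following is an added example, not part of the tutorial or of RouterOS, that models those six rules over constructed packets so the difference between, say, "fin,syn" (also matches an all-flags probe) and "fin,!syn,!rst,!psh,!ack,!urg" (only a bare FIN) can be seen; the psd matcher of the first rule is not modelled.

```python
"""Model of the RouterOS tcp-flags port-scan rules from the export above.

Added example, not part of the original tutorial.  RouterOS tcp-flags
semantics: a flag named bare (e.g. "fin") must be set, a flag prefixed
with "!" must be clear, and any flag not mentioned is ignored.
"""

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# tcp-flags values and comments copied from the export above.  Every rule
# has action=add-src-to-address-list address-list="port scanners" and
# address-list-timeout=2w.
SCAN_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]


def parse_tcp_flags(spec):
    """Split a RouterOS tcp-flags value into (must_be_set, must_be_clear)."""
    must_set, must_clear = set(), set()
    for token in spec.split(","):
        token = token.strip()
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag in tcp-flags: {token!r}")
        (must_clear if negated else must_set).add(name)
    return must_set, must_clear


def flags_match(spec, packet_flags):
    """True if a packet carrying exactly packet_flags matches the spec."""
    must_set, must_clear = parse_tcp_flags(spec)
    packet_flags = set(packet_flags)
    return must_set <= packet_flags and not (must_clear & packet_flags)


def matching_rules(packet_flags):
    """Comments of every scan rule the packet matches, in chain order."""
    return [c for spec, c in SCAN_RULES if flags_match(spec, packet_flags)]


def classify(packet_flags):
    """Comment of the first matching rule, or None if no scan rule fires."""
    matched = matching_rules(packet_flags)
    return matched[0] if matched else None


def build_address_list(packets):
    """Replay (src, tcp_flags) packets through the rules and return the
    "port scanners" list as {src: [rule comments that fired]}.

    Whether RouterOS keeps evaluating later rules after
    add-src-to-address-list is not modelled: every matching rule is
    recorded, so the list shows every rule a probe would trigger.
    """
    scanners = {}
    for src, flags in packets:
        for hit in matching_rules(flags):
            entries = scanners.setdefault(src, [])
            if hit not in entries:
                entries.append(hit)
    return scanners


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_PACKETS = [
    ("192.0.2.5", {"syn"}),                    # ordinary connection attempt
    ("192.0.2.6", {"ack", "psh"}),             # ordinary data segment
    ("198.51.100.7", {"fin"}),                 # bare FIN probe
    ("198.51.100.8", {"syn", "fin"}),          # SYN/FIN probe
    ("198.51.100.9", set()),                   # NULL probe (no flags)
    ("198.51.100.10", set(TCP_FLAGS)),         # every flag set
    ("198.51.100.11", {"fin", "psh", "urg"}),  # XMAS-style probe
]

if __name__ == "__main__":
    for src, hits in build_address_list(SAMPLE_PACKETS).items():
        print(f"{src:15} -> {', '.join(hits)}")
```

Note that the all-flags probe lands in the list through three rules at once, because "fin,syn" and "syn,rst" say nothing about the other four flags.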


add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 check-interval=1d user=""
/ system clock dst
set dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
set name="ROUTER-99NET"
/ system note
set show-at-login=yes note=""
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=hardware
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes comment=""
set default-encryption name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=yes comment=""
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 sfq-allot=1514
add name="pcq-download" kind=pcq pcq-rate=384000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq-upload" kind=pcq pcq-rate=64000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000
add name="PFIFO-64" kind=pfifo pfifo-limit=64
add name="default-small" kind=pfifo pfifo-limit=10
/ queue simple
add name="99.net" target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 interface=Local parent=none direction=both priority=1 queue=ethernet-default/ethernet-default limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=yes
add name="Server" target-addresses=192.168.1.100/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=yes
add name="Meja-1" target-addresses=192.168.1.11/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-2" target-addresses=192.168.1.12/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=64000/128000 total-queue=default-small disabled=yes
add name="Meja-3" target-addresses=192.168.1.13/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-4" target-addresses=192.168.1.14/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-5" target-addresses=192.168.1.15/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-6" target-addresses=192.168.1.16/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-7" target-addresses=192.168.1.17/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-8" target-addresses=192.168.1.18/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-9" target-addresses=192.168.1.19/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-10" target-addresses=192.168.1.20/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-11" target-addresses=192.168.1.25/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small time=0s-0s, disabled=no
add name="Meja-12" target-addresses=192.168.1.22/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-13" target-addresses=192.168.1.23/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-14" target-addresses=192.168.1.24/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-15" target-addresses=192.168.1.21/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=64000/128000 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-16" target-addresses=192.168.1.22/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=0/0 max-limit=64000/128000 total-queue=default-small disabled=no
add name="Meja-17" target-addresses=192.168.1.27/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=0/96000 max-limit=0/96000 total-queue=default-small disabled=no
add name="Meja-18" target-addresses=192.168.1.28/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=0/96000 max-limit=0/96000 total-queue=default-small disabled=no
add name="Meja-19" target-addresses=192.168.1.29/32 dst-address=0.0.0.0/0 interface=all parent=99.net direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=0/96000 max-limit=0/96000 total-queue=default-small disabled=no
add name="Printer" target-addresses=192.168.1.26/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
/ queue tree
add name="ICMP" parent=global-in packet-mark=ICMP-PM limit-at=8000 queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="DNS" parent=global-in packet-mark=DNS-PM limit-at=8000 queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" disabled=yes
add name="areksitiung" group=full address=0.0.0.0/0 comment="" disabled=no
add name="99net" group=full address=0.0.0.0/0 comment="" disabled=no
/ user group
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius incoming
set accept=no port=1700
/ driver
/ snmp
set enabled=no contact="" location=""
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=all only-headers=no memory-limit=10 file-name="" file-limit=10 streaming-enabled=no streaming-server=0.0.0.0 filter-stream=yes filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=5min
/ tool graphing queue
add simple-queue=all allow-address=0.0.0.0/0 store-on-disk=yes allow-target=yes disabled=no
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no redistribute-bgp=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate authentication=none prefix-list-import="" prefix-list-export="" disabled=no
/ routing bgp
set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no redistribute-connected=no redistribute-rip=no redistribute-ospf=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
[areksitiung@ROUTER-99NET] >
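The export dumps on this page are long enough that the security-relevant lines (the `/ user` and `/ user group` entries, the `/ snmp community` entry, `/ tool bandwidth-server`, and the `/ ip service` block of the DREAMNET export) are easy to miss when reading them by hand. The following script is an added example, not part of the tutorial and not a RouterOS feature: it parses the export syntax shown here (`/ path` section lines, `add`/`set` commands with `key=value` tokens, quoted values, and long commands wrapped with a trailing backslash) and flags the settings a reviewer would check first. Which conditions count as findings (management services and full-rights users reachable from 0.0.0.0/0, a readable SNMP community open to any address, an unauthenticated bandwidth-test server) are this example's own assumptions; the sample export is a constructed excerpt in the shape of the dumps above.

```python
"""Offline audit of a RouterOS 2.9-style `export` dump (added example)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY_ADDRESS = "0.0.0.0/0"

# Constructed sample: a trimmed excerpt in the shape of the exports on this page.
SAMPLE_EXPORT = r"""
# mar/22/2009 19:38:44 by RouterOS 2.9.27
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=yes
set www port=7479 address=0.0.0.0/0 disabled=no
set ssh port=1981 address=0.0.0.0/0 disabled=no
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" disabled=yes
add name="99net" group=full address=0.0.0.0/0 comment="" disabled=no
/ snmp
set enabled=no contact="" location=""
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ ip firewall filter
add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork action=accept comment="winbox" \
    disabled=no
"""


@dataclass
class Entry:
    section: str            # e.g. "ip service" (leading "/ " stripped)
    verb: str               # "add" or "set"
    target: Optional[str]   # item name for `set <name> ...`, else None
    params: Dict[str, str]


@dataclass
class Finding:
    section: str
    subject: str
    message: str


def parse_export(text: str) -> List[Entry]:
    """Turn an export dump into Entry records, joining backslash-wrapped lines."""
    entries: List[Entry] = []
    section, pending = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # RouterOS wraps long commands this way
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = " ".join(line[1:].split())
            continue
        tokens = shlex.split(line)       # keeps comment="system default user" whole
        if not tokens:
            continue
        verb, rest = tokens[0], tokens[1:]
        target = None
        if rest and "=" not in rest[0]:  # `set www port=...` names the item first
            target = rest.pop(0)
        params = {}
        for tok in rest:
            key, _, value = tok.partition("=")
            params[key] = value
        entries.append(Entry(section, verb, target, params))
    return entries


def audit(entries: List[Entry]) -> List[Finding]:
    """Apply exposure checks; each check is this example's assumption of what to flag."""
    findings: List[Finding] = []
    snmp_on = any(e.section == "snmp" and e.params.get("enabled") == "yes" for e in entries)
    for e in entries:
        p = e.params
        enabled = p.get("disabled") != "yes"
        if e.section == "ip service" and enabled and p.get("address") == ANY_ADDRESS:
            findings.append(Finding(e.section, e.target or "?",
                            f"management service on port {p.get('port')} reachable from any address"))
        elif e.section == "user" and enabled and p.get("group") == "full" \
                and p.get("address") == ANY_ADDRESS:
            findings.append(Finding(e.section, p.get("name", "?"),
                            "full-rights user may log in from any address"))
        elif e.section == "snmp community" and p.get("read-access") == "yes" \
                and p.get("address") == ANY_ADDRESS:
            state = "enabled" if snmp_on else "currently disabled"
            findings.append(Finding(e.section, e.target or "?",
                            f"community readable from any address (SNMP {state})"))
        elif e.section == "tool bandwidth-server" and p.get("enabled") == "yes" \
                and p.get("authenticate") != "yes":
            findings.append(Finding(e.section, "bandwidth-server",
                            "bandwidth test server accepts unauthenticated clients"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_export(SAMPLE_EXPORT)):
        print(f"[{f.section}] {f.subject}: {f.message}")
```

Run against the sample it reports the `www` and `ssh` services, the `99net` user and the `public` community, and stays quiet about the disabled `telnet` service, the disabled `admin` user and the authenticated bandwidth server; feeding it the full text of either export above (after the smart quotes are replaced with plain `"`) gives the same kind of list for the real configuration.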

Mikrotik: ADSL Modem in Bridge Mode with the PPPoE Client Dialled from Mikrotik

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

MikroTik RouterOS 2.9.27 (c) 1999-2006 http://www.mikrotik.com/

[areksitiung@DREAMNET] > export
# mar/22/2009 19:38:44 by RouterOS 2.9.27
# software id = BP3G-RUN
#
/ interface ethernet
set Local name="Local" mtu=1500 mac-address=0E:1A:18:1A:37:E1 arp=enabled disable-running-check=yes auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set Public name="Public" mtu=1500 mac-address=00:EE:B1:05:BC:DB arp=enabled disable-running-check=yes auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption

/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 keepalive-timeout=30 default-profile=default-encryption
/ interface pppoe-client
add name="pppoe-out1" max-mtu=1480 max-mru=1480 interface=Public user="[email protected]" password="xxxxxx" profile=default service-name="" ac-name="" add-default-route=yes dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
/ ip pool
add name="dhcp_pool1" ranges=192.168.1.2-192.168.1.254
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=yes
set ftp port=21 address=0.0.0.0/0 disabled=yes
set www port=7479 address=0.0.0.0/0 disabled=no
set ssh port=1981 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ ip arp
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m inactive-flow-timeout=15s
/ ip address
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Public comment="" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=Local comment="" disabled=no
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000 maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 dst-port=8080 action=deny comment="" disabled=yes
/ ip neighbor discovery
set Local discover=yes
set Public discover=yes
set pppoe-out1 discover=no
/ ip route
/ ip firewall mangle

add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=prio_conn_p2p passthrough=yes comment="Prio P2P" disabled=no
add chain=prerouting connection-mark=prio_conn_p2p action=mark-packet new-packet-mark=prio_p2p_packet passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=995 action=mark-connection new-connection-mark=prio_conn_download_services passthrough=yes comment="Prio Download_Services" disabled=no
add chain=prerouting protocol=tcp dst-port=143 action=mark-connection new-connection-mark=prio_conn_download_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=993 action=mark-connection new-connection-mark=prio_conn_download_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=995 action=mark-connection new-connection-mark=prio_conn_download_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=prio_conn_download_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=prio_conn_download_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=20-21 action=mark-connection new-connection-mark=prio_conn_download_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=22 packet-size=1400-1500 action=mark-connection new-connection-mark=prio_conn_download_services passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=prio_conn_download_services action=mark-packet new-packet-mark=prio_download_packet passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=prio_conn_ensign_services passthrough=yes comment="Prio Ensign_Services" disabled=no
add chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=prio_conn_ensign_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=icmp action=mark-connection new-connection-mark=prio_conn_ensign_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=prio_conn_ensign_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=23 action=mark-connection new-connection-mark=prio_conn_ensign_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=80 connection-bytes=0-500000 action=mark-connection new-connection-mark=prio_conn_ensign_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8080 action=mark-connection new-connection-mark=prio_conn_ensign_services passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=prio_conn_ensign_services action=mark-packet new-packet-mark=prio_ensign_packet passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=22 packet-size=1400-1500 action=mark-connection new-connection-mark=prio_conn_user_services passthrough=yes comment="Prio User_Request" disabled=no
add chain=prerouting protocol=tcp dst-port=8291 packet-size=1400-1500 action=mark-connection new-connection-mark=prio_conn_user_services passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=prio_conn_user_services action=mark-packet new-packet-mark=prio_request_packet passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5100 action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="Prio_Communication" disabled=no
add chain=prerouting protocol=tcp dst-port=5050 action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=5060 action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=1869 action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=1723 action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5190 action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6660-7000 action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=ipencap action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=gre action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=ipsec-esp action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=ipsec-ah action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=ipip action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting protocol=encap action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=prio_conn_comm_services action=mark-packet new-packet-mark=prio_comm_packet passthrough=no comment="" disabled=no
add chain=postrouting out-interface=pppoe-out1 protocol=tcp tcp-flags=syn connection-state=new packet-size=40-100 action=mark-connection new-connection-mark=upstream_conn passthrough=yes comment="Testing TCP Flags" disabled=no
add chain=postrouting out-interface=pppoe-out1 protocol=tcp tcp-flags=rst connection-state=new packet-size=40-100 action=mark-connection new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting out-interface=pppoe-out1 protocol=tcp tcp-flags=ack connection-state=new packet-size=40-100 action=mark-connection new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting out-interface=pppoe-out1 protocol=tcp tcp-flags=fin connection-state=new packet-size=40-100 action=mark-connection new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting out-interface=pppoe-out1 protocol=tcp tcp-flags=syn connection-state=established packet-size=40-100 action=mark-connection new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting protocol=tcp connection-mark=upstream_conn action=mark-packet new-packet-mark=upstream_ack passthrough=no comment="" disabled=no
add chain=prerouting src-address=192.168.1.0/24 action=mark-packet new-packet-mark=upstream_ack passthrough=no comment="Up Traffic" disabled=no
add chain=forward src-address-list=user action=mark-connection new-connection-mark=user-conn passthrough=yes comment="Mark user traffic" disabled=no
add chain=output out-interface=Local dst-address-list=user action=mark-packet new-packet-mark=user-conn-traffic passthrough=no comment="" disabled=no
add chain=forward src-address-list=kasir action=mark-connection new-connection-mark=kasir-conn passthrough=yes comment="Mark kasir traffic" disabled=no
add chain=forward in-interface=pppoe-out1 connection-mark=kasir-conn src-address-list=kasir action=mark-packet new-packet-mark=kasir-conn-traffic passthrough=yes comment="" disabled=no
add chain=output out-interface=Local dst-address-list=kasir action=mark-packet new-packet-mark=kasir-conn-traffic passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="" disabled=no

add chain=dstnat src-address=192.168.1.0/24 protocol=tcp dst-port=8000 action=redirect to-ports=8080 comment="webproxy" disabled=no
add chain=dstnat src-address=192.168.1.0/24 protocol=tcp dst-port=8080 action=redirect to-ports=3128 comment="" disabled=no
add chain=dstnat src-address=192.168.1.0/24 protocol=tcp dst-port=3128 action=redirect to-ports=8080 comment="" disabled=no
add chain=dstnat src-address=192.168.1.0/24 protocol=tcp dst-port=9000 action=redirect to-ports=3128 comment="" disabled=no
add chain=dstnat src-address=192.168.1.0/24 protocol=tcp dst-port=10000 action=redirect to-ports=3128 comment="" disabled=no
add chain=dstnat in-interface=Local src-address=192.168.1.0/24 protocol=tcp dst-port=80 action=redirect to-ports=3128 comment="block" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall filter
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus in-interface=Local protocol=tcp dst-port=593 action=drop comment="Virus" disabled=no
add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork action=accept comment="winbox" disabled=no
add chain=input in-interface=Local p2p=all-p2p action=drop comment="Drop All P2P" disabled=no
add chain=forward src-address=192.168.1.15 protocol=tcp action=drop comment="CLient 1" disabled=yes
add chain=input src-address=192.168.1.15 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.15 protocol=tcp action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.4 protocol=tcp action=drop comment="Client 2" disabled=yes
add chain=input src-address=192.168.1.4 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.4 protocol=tcp action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.5 protocol=tcp action=drop comment="Client 3" disabled=yes
add chain=input src-address=192.168.1.5 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.5 protocol=tcp action=drop comment="" disabled=yes

add chain=forward src-address=192.168.1.6 protocol=tcp action=drop comment="Client 4" disabled=yes
add chain=input src-address=192.168.1.6 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.6 protocol=tcp action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.7 protocol=tcp action=drop comment="Client 5" disabled=yes
add chain=input src-address=192.168.1.7 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.7 protocol=tcp action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.8 protocol=tcp action=drop comment="Client 6" disabled=yes
add chain=input src-address=192.168.1.8 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.8 protocol=tcp action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.9 protocol=tcp action=drop comment="Client 7" disabled=yes
add chain=input src-address=192.168.1.9 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.9 protocol=tcp action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.10 protocol=tcp action=drop comment="Client 8" disabled=yes
add chain=input src-address=192.168.1.10 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.10 protocol=tcp action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.11 protocol=tcp action=drop comment="Client 9" disabled=yes
add chain=input src-address=192.168.1.11 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.11 protocol=tcp action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.12 protocol=tcp action=drop comment="Client 10" disabled=yes
add chain=input src-address=192.168.1.12 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.12 protocol=tcp action=drop comment="" disabled=yes
add chain=forward src-address=192.168.1.99 protocol=tcp action=drop comment="Operator" disabled=yes
add chain=input src-address=192.168.1.99 protocol=tcp action=drop comment="" disabled=yes
add chain=output src-address=192.168.1.99 protocol=tcp action=drop comment="" disabled=yes
add chain=forward protocol=icmp icmp-options=11:0 action=drop comment="ngeDrop Traceroute dari client" disabled=no
add chain=forward protocol=icmp icmp-options=3:3 action=drop comment="ngeDrop Traceroute dari client" disabled=no
add chain=forward out-interface=Local protocol=tcp dst-port=8080 action=drop comment="" disabled=yes
/ ip firewall address-list
add list=ournetwork address=192.168.1.0/24 comment="LAN Network" disabled=no
add list=speedy address=125.162.93.0/24 comment="Speedy Network" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=yes
set tftp ports=69 disabled=yes
set irc ports=6667 disabled=yes
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes
/ ip hotspot service-port
set ftp ports=21 disabled=no

/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no
/ ip dhcp-server
add name="dhcp1" interface=Local lease-time=3d address-pool=dhcp_pool1 bootp-support=static authoritative=after-2sec-delay disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 comment=""
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
set enabled=yes src-address=0.0.0.0 port=3128 hostname="proxy.dream.net" transparent-proxy=yes parent-proxy=0.0.0.0:0 cache-administrator="Maintenance" max-object-size=4096KiB cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
add url="xxx" action=deny comment="" disabled=no
add url="porn" action=deny comment="" disabled=no
add url="koncek" action=deny comment="" disabled=no
add url="sperms" action=deny comment="" disabled=no
add url="redtube.com" action=deny comment="" disabled=no
add url="memek" action=deny comment="" disabled=no
add url="rape" action=deny comment="" disabled=no
add url="susuaku" action=deny comment="" disabled=no
add url="lalatx" action=deny comment="" disabled=no
add url="17tahun" action=deny comment="" disabled=no
add url="tube8" action=deny comment="" disabled=no
add url="duniasex.com" action=deny comment="" disabled=no
add url="ninjaclock.com" action=deny comment="" disabled=no
add url="adult" action=deny comment="" disabled=no
add url="sex" action=deny comment="" disabled=no
add url="Hacker" action=allow comment="" disabled=no
add url="kontol" action=deny comment="" disabled=no
add src-address=192.168.1.15/32 dst-port=80 url="http://www" action=deny comment="Block Browsing" disabled=no
add src-address=192.168.1.4/32 dst-port=80 url="http://www" action=deny comment="" disabled=no
add src-address=192.168.1.5/32 dst-port=80 url="http://www" action=deny comment="" disabled=no

add src-address=192.168.1.6/32 dst-port=80 url="http://www" action=deny comment="" disabled=no
add src-address=192.168.1.7/32 dst-port=80 url="http://www" action=deny comment="" disabled=no
add src-address=192.168.1.8/32 dst-port=80 url="http://www" action=deny comment="" disabled=no
add src-address=192.168.1.9/32 dst-port=80 url="http://www" action=deny comment="" disabled=no
add src-address=192.168.1.10/32 dst-port=80 url="http://www" action=deny comment="" disabled=no
add src-address=192.168.1.11/32 dst-port=80 url="http://www" action=deny comment="" disabled=no
add src-address=192.168.1.12/32 dst-port=80 url="http://www" action=deny comment="" disabled=no
add src-address=192.168.1.15/32 dst-port=80 url="www" action=deny comment="Block Browsing2" disabled=no
add src-address=192.168.1.4/32 dst-port=80 url="www" action=deny comment="" disabled=no
add src-address=192.168.1.5/32 dst-port=80 url="www" action=deny comment="" disabled=no
add src-address=192.168.1.6/32 dst-port=80 url="www" action=deny comment="" disabled=no
add src-address=192.168.1.7/32 dst-port=80 url="www" action=deny comment="" disabled=no
add src-address=192.168.1.8/32 dst-port=80 url="www" action=deny comment="" disabled=no
add src-address=192.168.1.9/32 dst-port=80 url="www" action=deny comment="" disabled=no
add src-address=192.168.1.10/32 dst-port=80 url="www" action=deny comment="" disabled=no
add src-address=192.168.1.11/32 dst-port=80 url="www" action=deny comment="" disabled=no
add src-address=192.168.1.12/32 dst-port=80 url="www" action=deny comment="" disabled=no
add dst-port=8080 action=deny comment="" disabled=yes
add dst-port=80 action=deny comment="" disabled=yes
/ ip web-proxy cache
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" disabled=no
/ system logging
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 check-interval=1d user=""
/ system clock dst
set dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add term="" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no

set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
set name="DREAMNET"
/ system note
set show-at-login=yes note=""
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes comment=""
set default-encryption name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=yes comment=""
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 sfq-allot=1514
add name="PCQ_down_user" kind=pcq pcq-rate=0 pcq-limit=20 pcq-classifier=dst-address pcq-total-limit=500
add name="PCQ_up_user" kind=pcq pcq-rate=32000 pcq-limit=20 pcq-classifier=src-address pcq-total-limit=500
add name="PCQ_up_kasir" kind=pcq pcq-rate=0 pcq-limit=20 pcq-classifier=src-address pcq-total-limit=500
add name="PCQ_down_kasir" kind=pcq pcq-rate=0 pcq-limit=20 pcq-classifier=dst-address pcq-total-limit=500
add name="PCQ_download" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
add name="PCQ_upload" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000
add name="PFIFO-64" kind=pfifo pfifo-limit=64
add name="default-small" kind=pfifo pfifo-limit=10
/ queue simple
add name="DreamNet" target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 interface=Local parent=none direction=both priority=1 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
add name="P2P" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_p2p_packet direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no


add name="Down_Services" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_download_packet direction=both priority=5 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
add name="Ensign_Services" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_ensign_packet direction=both priority=1 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
add name="User_Request" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_request_packet direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
add name="Communication" target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_comm_packet direction=both priority=3 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
add name="Operator" target-addresses=192.168.1.99/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/64000 max-limit=0/64000 total-queue=default disabled=no
add name="Client1" target-addresses=192.168.1.15/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/128000 max-limit=0/192000 total-queue=default disabled=no
add name="Client2" target-addresses=192.168.1.4/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/128000 max-limit=0/192000 total-queue=default disabled=no
add name="Client3" target-addresses=192.168.1.5/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/128000 max-limit=0/192000 total-queue=default disabled=no
add name="Client4" target-addresses=192.168.1.6/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/128000 max-limit=0/192000 total-queue=default disabled=no
add name="Client5" target-addresses=192.168.1.7/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/128000 max-limit=0/192000 total-queue=default disabled=no
add name="Client6" target-addresses=192.168.1.8/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/128000 max-limit=0/192000 total-queue=default disabled=no
add name="Client7" target-addresses=192.168.1.9/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/128000 max-limit=0/192000 total-queue=default disabled=no
add name="Client8" target-addresses=192.168.1.10/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/128000 max-limit=0/192000 total-queue=default disabled=no
add name="Client9" target-addresses=192.168.1.11/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/128000 max-limit=0/192000 total-queue=default disabled=no
add name="Client10" target-addresses=192.168.1.12/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both priority=8 queue=default/default limit-at=0/128000 max-limit=0/192000 total-queue=default disabled=no
/ queue tree
add name="Total_download" parent=Local packet-mark="" limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="Total_upload" parent=pppoe-out1 packet-mark="" limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="User_download" parent=Total_download packet-mark=user-conn-traffic limit-at=0 queue=PCQ_down_user priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="Kasir_download" parent=Total_download packet-mark=kasir-conn-traffic limit-at=0 queue=PCQ_down_kasir priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="User_upload" parent=Total_upload packet-mark=user-conn-traffic limit-at=0 queue=PCQ_up_user priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="Kasir_upload" parent=Total_upload packet-mark=kasir-conn-traffic limit-at=0 queue=PCQ_up_kasir priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="Priorization" parent=global-in packet-mark="" limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="Communication_Services_Prio7" parent=Priorization packet-mark=prio_comm_packet limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="Download_Services_Prio5" parent=Priorization packet-mark=prio_download_packet limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="Ensign_Services_Prio1" parent=Priorization packet-mark=prio_ensign_packet limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="P2P_Traffic_Prio8" parent=Priorization packet-mark=prio_p2p_packet limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="User_Request_Prio3" parent=Priorization packet-mark=prio_request_packet limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="Tcp_ack" parent=Total_upload packet-mark=upstream_ack limit-at=0 queue=synchronous-default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
/ user


add name="admin" group=full address=0.0.0.0/0 comment="system default user" disabled=yes
add name="areksitiung" group=full address=0.0.0.0/0 comment="" disabled=no
add name="rimor" group=full address=0.0.0.0/0 comment="" disabled=no
add name="ririn" group=read address=0.0.0.0/0 comment="" disabled=no
/ user group
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius incoming
set accept=no port=1700
/ driver
/ snmp
set enabled=no contact="" location=""
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=all only-headers=no memory-limit=10 file-name="" file-limit=10 streaming-enabled=no streaming-server=0.0.0.0 filter-stream=yes filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=5min
/ tool graphing queue
add simple-queue=all allow-address=0.0.0.0/0 store-on-disk=yes allow-target=yes disabled=no
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no redistribute-bgp=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate authentication=none prefix-list-import="" prefix-list-export="" disabled=no
/ routing bgp
set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no redistribute-connected=no redistribute-rip=no redistribute-ospf=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
[areksitiung@DREAMNET] >

Configuration of a Speedy connection with a Prolink load balancer

This example is an internet cafe on a Speedy connection. The customer has two ADSL lines.

1. The connections use the Office Unlimited package, up to 384/64 kbps.

The equipment we use:

1. 2 ADSL modems

2. 1 load balancing machine

3. 1 Linux router PC and 1 MikroTik box

a. Load balancing monitoring results

Data Monitor    Time : 12:31:41

Load Balance Mode : Weight round robin

Session                  WAN1    WAN2   WAN3   WAN4
TCP Session                39      41      0      0
UDP Session                 5       5      0      0
ICMP Session                1       2      0      0
Current Session            45      48      0      0
Accumulative Session    25094   30166      0      0

Current Bandwidth            WAN1    WAN2   WAN3   WAN4
Download Speed (byte/sec)    3310   20358      0      0
Upload Speed (byte/sec)      2331    7127      0      0

Accumulative Data Counter      WAN1      WAN2   WAN3   WAN4
Usage (%)                        63        36      0      0
Byte Received (Kbytes)       938673    671939      0      0
Byte Transmitted (Kbytes)    414539     97349      0      0
Total Bytes (Kbytes)        1353212    769288      0      0

Config Show

System Configuration Setting


=========================================================================

Firmware: Version : TMH141-A V1023-MB2.4-E

Release Date : Dec 28 2006

Printout Time : FRI JAN 02 12:35:04 1970

Time Zone : GM+06:00

Primary NTP IP: time.nist.gov

Secondary NTP : stdtime.gov.hk

=========================================================

LAN status: IP address : 192.168.1.254

MAC address : 00:D0:DA:00:3B:5F

Mask : 255.255.255.0

Dhcp status : Disable

Dhcp IP Start : 192.168.1.12 - 192.168.1.20

DNS IP address: 168.95.1.1

=========================================================

DHCP

reserved IP: MAC address IP address

———————————–

=========================================================

WAN status: 1.IP address : 192.168.11.100

Netmask : 255.255.255.0

MAC address : 00.d0.da.00.3b.60

Connect To : InterNet

Current status: Enable

Healthy Check : NoDefault


Type : Static IP

Primary DNS : 203.130.193.74

Secondary DNS : 202.134.0.155

GatewayAddress: 192.168.11.254

Schedule : Disable

———————————————————

2.IP address : 192.168.12.100

Netmask : 255.255.255.0

MAC address : 00.d0.da.00.3b.61

Connect To : InterNet

Current status: Enable

Healthy Check : NoDefault

Type : Static IP

Primary DNS : 203.130.193.74

Secondary DNS : 202.134.0.155

GatewayAddress: 192.168.12.254

Schedule : Disable

Routing setup: Work mode : Basic NAT mode

Static Route :

Network NetMask Gateway Status

——————————————————-

———————————————————

Dynamic Route : Status: Disable

=========================================================

Routing Table: Network NetMask Gateway

—————————————————


0.0.0.0 0.0.0.0 192.168.12.254

192.168.1.0 255.255.255.0 192.168.1.254

192.168.11.0 255.255.255.0 192.168.11.100

192.168.12.0 255.255.255.0 192.168.12.100

=========================================================

IP Filtering: No. IP address Port Pass/Drop status

——————————————————————————————-

=========================================================

Remote

IP Filtering: No. IP address Status

—————————

=========================================================

DoS Defense: Function Parameter Time of Lock Status

———————————————————

Oversized Ping 32 Enable

Port Scan 1000 5 Enable

TCP SYN Flooding (Wan) 1000 5 Enable

TCP SYN Flooding (Lan) 1000 5 Enable

ICMP Flooding (Wan) 1000 5 Enable

ICMP Flooding (Lan) 1000 5 Enable

UDP Flooding (Wan) 1000 5 Enable

UDP Flooding (Lan) 1000 5 Enable

=========================================================

ALG: Options Status

———————————————————

Ipsec Pass Through (Port 500) Disable


PPTP Pass Through (Port 1723) Disable

VOIP Pass Through Disable

=========================================================

Virtual Server: ID Global_Port Local_Port Local_IP_address Status

—————————————————–

———————————————————

Group: StartPort EndPort Local_IP_address TCP/UDP Status

—————————————————–

=========================================================

Multi-DMZ Host: No. DMZ_Host_IP_address IP_address_from_ISP Status

—————————————————–

———————————————————

Dynamic-IP-DMZ: Wan HOST_IP_address Status

———————————-

1 0.0.0.0 Disable

2 0.0.0.0 Disable

3 0.0.0.0 Disable

4 0.0.0.0 Disable

=========================================================

Multi-NAT: No LAN_IP_address NetMask Wan_IP Wan_No

———————————————————

=========================================================

Load Balance: Weight Round Robin

Wan 1: 1

Wan 2: 1

Wan 3: 1


Wan 4: 1

=========================================================

Dynamic DNS: Status : Disable

=========================================================

Proxy Server: Status: Disable

=========================================================

Mail Alert : Status: Disable

=========================================================

URL Filtering : Status: Disable

=========================================================

Throughput Control : Wan  DownLoad(kbits/s)  UpLoad(kbits/s)  Port   Usage%  Status

---------------------------------------------------------

1.    384    64

---------------------------------------------------------

2.    384    64    80      60    Enable
                   25       1    Enable
                   21      30    Enable
                   3128    30    Enable
                   8080    30    Enable

---------------------------------------------------------

3.    0    0

---------------------------------------------------------

4.    0    0

=========================================================

WAN CONTROL:


Special Application : StartPort EndPort Select-WAN Status

---------------------------------------------------------

1000 3000 Wan1 Enable

3000 3028 Wan1 Enable

3128 3128 Wan2 Enable

3129 8079 Wan1 Enable

8080 8080 Wan2 Enable

8081 40000 Wan1 Enable

0 80 Wan2 Enable

21 21 Wan2 Enable

6000 7000 Wan1 Enable

———————————————————

IP binding : No Start-Remote-IP End-Remote-IP StartPort EndPort Select-WAN Status

————————————————————————-

1. 0.0.0.0 0.0.0.0 1000 3000 Wan1 Enable

2. 0.0.0.0 0.0.0.0 3000 3028 Wan1 Enable

3. 0.0.0.0 0.0.0.0 3128 3128 Wan2 Enable

4. 0.0.0.0 0.0.0.0 3129 8079 Wan1 Enable

5. 0.0.0.0 0.0.0.0 8080 8080 Wan2 Enable

6. 0.0.0.0 0.0.0.0 8081 40000 Wan1 Enable

7. 0.0.0.0 0.0.0.0 0 80 Wan2 Enable

8. 0.0.0.0 0.0.0.0 21 21 Wan2 Enable

9. 0.0.0.0 0.0.0.0 6000 7000 Wan1 Enable

———————————————————

Special IP Assignment : Start-IP-Address End-IP-Address WAN Status

---------------------------------------------------------


=========================================================

QoS IP Control: Local_IP_address DownLoad(kbits) UpLoad(kbits) Wan-Apply Min/Max Status

————————————————————————

=========================================================

Remote Control: Status: Disable

=========================================================

MAC IP binding: Status: Disable

=========================================================

b. MikroTik configuration

# jan/26/2008 20:00:05 by RouterOS 2.9.27
# software id = IMAX-IAN
#
/ interface ethernet
set Public name="Public" mtu=1500 mac-address=00:19:21:5E:E4:9D arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set Local name="Local" mtu=1500 mac-address=00:1C:F0:5C:BA:5F arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
/ ip pool
add name="dhcp_pool1" ranges=192.168.0.1-192.168.0.29
/ ip dns
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip address
add address=192.168.0.30/27 network=192.168.0.0 broadcast=192.168.0.31 interface=Local comment="" disabled=no
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=Public comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.254 scope=255 target-scope=10 comment="" disabled=no
/ ip firewall mangle
add chain=prerouting src-address=192.168.0.0/27 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes comment="ToS" disabled=no
add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes comment="" disabled=no
add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/27 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/27 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes comment="" disabled=no
add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="Services" disabled=no
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8080 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection new-connection-mark=ym_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=ym_conn action=mark-packet new-packet-mark=ym passthrough=no comment="" disabled=no
add chain=prerouting protocol=udp dst-port=27015 action=mark-connection new-connection-mark=cs_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=cs_conn action=mark-packet new-packet-mark=cs passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6667-7000 action=mark-connection new-connection-mark=irc_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=irc_conn action=mark-packet new-packet-mark=irc passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8291 action=mark-connection new-connection-mark=mt_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=mt_conn action=mark-packet new-packet-mark=mt passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=email_conn action=mark-packet new-packet-mark=email passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=22 action=mark-connection new-connection-mark=ssh_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=ssh_conn action=mark-packet new-packet-mark=ssh passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=500-3127 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3129-6665 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=7001-65535 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no


add chain=prerouting protocol=udp dst-port=500-3127 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=3129-6665 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=7001-65535 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=games_conn action=mark-packet new-packet-mark=games passthrough=no comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/27 action=mark-packet new-packet-mark=Naik passthrough=no comment="Up Traffic" disabled=no
add chain=forward src-address=192.168.0.0/27 action=mark-connection new-connection-mark=Koneksi passthrough=yes comment="Conn-Mark" disabled=no
add chain=forward in-interface=Public connection-mark=Koneksi action=mark-packet new-packet-mark=Turun passthrough=no comment="Down-Direct Connection" disabled=no
add chain=output out-interface=Local dst-address=192.168.0.0/27 action=mark-packet new-packet-mark=Turun passthrough=no comment="Down-Via Proxy" disabled=no
/ ip firewall nat
add chain=srcnat out-interface=Public action=masquerade comment="Nat" disabled=no
add chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="Tanpa proxy Linux" disabled=no
add chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=3128 action=redirect to-ports=8080 comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=8080 action=redirect to-ports=8080 comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow established connections" disabled=no
add chain=input connection-state=related action=accept comment="Allow related connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input in-interface=!Public action=accept comment="Allow connection to router from local network" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s comment="" disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=safe address-list-timeout=15m comment="" disabled=no
add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic" disabled=no
add chain=input action=log log-prefix="Filter:" comment="" disabled=no
add chain=input action=accept comment="Allow access to router from known network" disabled=no
add chain=input src-address=192.168.0.0/27 action=accept comment="" disabled=no
add chain=input src-address=192.168.1.0/24 action=accept comment="" disabled=no
add chain=input src-address=63.219.6.0/24 action=accept comment="" disabled=no
add chain=input src-address=125.0.0.0/8 action=accept comment="" disabled=no
add chain=input action=drop comment="drop everything else" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no


add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no


add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop invalid connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow already established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed" disabled=no

Page 264: Copy of 19763026 Tutorial Mikrotik Komplet

add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment=”allow \parameter bad” disabled=noadd chain=icmp action=drop comment=”deny all other types” disabled=noadd chain=input connection-state=established action=accept comment=”Accept \established connections” disabled=noadd chain=input connection-state=related action=accept comment=”Accept related \connections” disabled=noadd chain=input connection-state=invalid action=drop comment=”Drop invalid \connections” disabled=noadd chain=input protocol=udp action=accept comment=”UDP” disabled=noadd chain=input protocol=icmp limit=50/5s,2 action=accept comment=”Allow \limited pings” disabled=noadd chain=input protocol=icmp action=drop comment=”Drop excess pings” \disabled=noadd chain=input protocol=tcp dst-port=22 action=accept comment=”SSH for secure \shell” disabled=noadd chain=input protocol=tcp dst-port=8291 action=accept comment=”winbox” \disabled=noadd chain=input src-address=159.148.172.192/28 action=accept comment=”From \Mikrotikls network” disabled=noadd chain=input src-address=192.168.0.0/27 action=accept comment=”From our \private LAN” disabled=noadd chain=input action=log log-prefix=”DROP INPUT” comment=”Log everything \else” disabled=noadd chain=tcp protocol=tcp p2p=all-p2p action=drop comment=”deny DHCP” \disabled=noadd chain=tcp src-address=192.168.0.2 protocol=tcp dst-port=3133 p2p=all-p2p \action=drop comment=”deny BackOriffice” disabled=no/ ip firewall service-portset ftp ports=21 disabled=noset tftp ports=69 disabled=yesset irc ports=6667 disabled=noset h323 disabled=yesset quake3 disabled=yesset gre disabled=yesset pptp disabled=yes/ ip dhcp-serveradd name=”dhcp1″ interface=Local lease-time=3d address-pool=dhcp_pool1 \bootp-support=static add-arp=yes authoritative=after-2sec-delay \disabled=no/ ip dhcp-server configset store-leases-disk=5m/ ip dhcp-server leaseadd address=192.168.0.29 mac-address=00:14:2A:8D:66:D1 \client-id=”1:0:14:2a:8d:66:d1″ server=dhcp1 comment=”" disabled=no/ ip 
dhcp-server networkadd address=192.168.0.0/27 gateway=192.168.0.30 \dns-server=192.168.1.1,203.130.193.74,202.134.0.155 comment=”"/ ip ipsec proposaladd name=”default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \lifebytes=0 pfs-group=modp1024 disabled=no

/ ip web-proxy
set enabled=yes src-address=0.0.0.0 port=8080 hostname="proxy.smart.war.net.id" transparent-proxy=yes parent-proxy=0.0.0.0:0 cache-administrator="[email protected]" max-object-size=4096KiB cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
add url="suck***" action=deny comment="" disabled=yes
add url="nude****" action=deny comment="" disabled=yes
add url="bugil****" action=deny comment="" disabled=yes
add url="gay***" action=deny comment="" disabled=yes
add url="penis" action=deny comment="" disabled=yes
add url="vagina" action=deny comment="" disabled=yes
add url="vagina" action=deny comment="" disabled=yes
/ ip web-proxy cache
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" disabled=no
add url="\\.exe\$" action=allow comment="" disabled=no
add url="\\.zip\$" action=allow comment="" disabled=no
add url="\\.mpeg\$" action=allow comment="" disabled=no
add url="\\.mp3\$" action=allow comment="" disabled=no
add url="\\.avi\$" action=allow comment="" disabled=no
add url="\\.pdf\$" action=allow comment="" disabled=no
add url="\\.rar\$" action=allow comment="" disabled=no
add url="\\.mov\$" action=allow comment="" disabled=no
add url="\\.mpg\$" action=allow comment="" disabled=no
add url="\\.dat\$" action=allow comment="" disabled=no
add url="\\.3gp\$" action=allow comment="" disabled=no
add url="\\.jpg\$" action=allow comment="" disabled=no
add url="\\.gif\$" action=allow comment="" disabled=no
add action=allow comment="" disabled=no
add url="http*youtube*get_video*" action=allow comment="YouTube" disabled=no
add url="http*friendster.com" action=allow comment="Friendster" disabled=no
add url="http*pu.go.id" action=allow comment="PU" disabled=no
add url="http*detik*com" action=allow comment="Detik" disabled=no
add url="http*domai.com" action=allow comment="Domai" disabled=no
add url="http*nigmae.net" action=allow comment="Nigmae" disabled=no
add url="http*kompas.com" action=allow comment="Kompas" disabled=no
add url="http*lalatx.com" action=allow comment="Lalatx" disabled=no
add url="http*yahoo.com" action=allow comment="Yahoo" disabled=no
add url="http*kapanlagi.com" action=allow comment="Kapanlagi" disabled=no
add url="http*plasa.com" action=allow comment="Plasa" disabled=no
add url="http*kaskus.us" action=allow comment="Kaskus" disabled=no
add url="http*avaxhome*org" action=allow comment="Avaxhome" disabled=no
add url="www.worth1000.com" action=allow comment="Worth1000" disabled=no
add url="http*rf-online*.web.id" action=allow comment="Eramuslim" disabled=no
add url="http***" action=allow comment="semua http" disabled=no
add url="http*hi5.com" action=allow comment="PU" disabled=no
add action=allow comment="Allow sado alahe" disabled=no
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" disabled=no
add url="cgi-bin \\?" action=deny comment="" disabled=no
/ system logging
add topics=info prefix="" action=disk disabled=no
add topics=error prefix="" action=disk disabled=no
add topics=warning prefix="" action=disk disabled=no
add topics=critical prefix="" action=echo disabled=no
add topics=debug prefix="" action=disk disabled=no
add topics=web-proxy prefix="" action=disk disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514

/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 sfq-allot=1514
add name="PFIFO-64" kind=pfifo pfifo-limit=64
add name="pcq-download" kind=pcq pcq-rate=384000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq-upload" kind=pcq pcq-rate=64000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000
add name="default-small" kind=pfifo pfifo-limit=10
/ queue simple
add name="Smart.Net" target-addresses=192.168.0.0/27 dst-address=0.0.0.0/0 interface=Local parent=none direction=both priority=1 queue=ethernet-default/ethernet-default limit-at=0/512000 max-limit=0/512000 total-queue=default disabled=no
add name="Kasir" target-addresses=192.168.0.29/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=8 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="01" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="02" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="03" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="04" target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="05" target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="06" target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="07" target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="08" target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="09" target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="10" target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="11" target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="12" target-addresses=192.168.0.12/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="13" target-addresses=192.168.0.13/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="14" target-addresses=192.168.0.14/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="15" target-addresses=192.168.0.15/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="16" target-addresses=192.168.0.16/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="17" target-addresses=192.168.0.17/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="18" target-addresses=192.168.0.18/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="19" target-addresses=192.168.0.19/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="20" target-addresses=192.168.0.20/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="21" target-addresses=192.168.0.21/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="22" target-addresses=192.168.0.22/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="23" target-addresses=192.168.0.23/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="24" target-addresses=192.168.0.24/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="25" target-addresses=192.168.0.25/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="27" target-addresses=192.168.0.27/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="28" target-addresses=192.168.0.28/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
add name="26" target-addresses=192.168.0.26/32 dst-address=0.0.0.0/0 interface=Local parent=Smart.Net direction=both priority=1 queue=default/default limit-at=0/8000 max-limit=16000/48000 total-queue=default disabled=no
/ queue tree
add name="ICMP" parent=global-in packet-mark=ICMP-PM limit-at=8000 queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="DNS" parent=global-in packet-mark=DNS-PM limit-at=8000 queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="downstream" parent=Local packet-mark=Turun limit-at=0 queue=pcq-download priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="upstream" parent=global-in packet-mark=Naik limit-at=0 queue=pcq-upload priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/ system identity
set name="Smart.net"

c. linux router configuration

Planning Internet Cafe With Speedy internet Connection

Using PC LINUX and router Mikrotik

Network Schema

Modem 4 Port ---------- Mikrotik ---- Hub ---- Client 192.168.0.0/24
192.168.1.1/29          192.168.1.2/29 (Public)
                        192.168.0.254/24 (Local)

Linux proxy 192.168.1.3/29 (on the same 192.168.1.0/29 segment as the modem)

A. Router Mikrotik Configuration

a. Interface

/ interface ethernet
set Local name="Local" mtu=1500 mac-address=00:50:DA:5F:AB:16 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set Public name="Public" mtu=1500 mac-address=00:A0:D2:11:C2:79 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no

b. ARP

/ ip arp
add address=192.168.0.7 mac-address=00:19:21:14:4A:E7 interface=Local comment="" disabled=no
add address=192.168.0.4 mac-address=00:E0:4D:2F:81:6E interface=Local comment="" disabled=no
add address=192.168.0.1 mac-address=00:1B:B9:57:79:75 interface=Local comment="" disabled=no
add address=192.168.0.6 mac-address=00:E0:4D:2F:4D:F3 interface=Local comment="" disabled=no
add address=192.168.0.11 mac-address=00:1B:B9:57:7E:31 interface=Local comment="" disabled=no
add address=192.168.0.2 mac-address=00:E0:4D:2F:81:6D interface=Local comment="" disabled=no
add address=192.168.0.5 mac-address=00:19:21:DD:90:F4 interface=Local comment="" disabled=no
add address=192.168.0.10 mac-address=00:1B:B9:95:EB:6D interface=Local comment="" disabled=no
add address=192.168.0.253 mac-address=00:1A:92:56:79:5E interface=Local comment="" disabled=no
add address=192.168.1.1 mac-address=00:18:6E:CA:4F:2E interface=Public comment="" disabled=no
add address=192.168.1.3 mac-address=00:1B:11:66:2A:69 interface=Public comment="" disabled=no

c. DNS ISP

/ ip dns
set primary-dns=192.168.1.3 secondary-dns=202.134.0.155 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

d. IP address

/ ip address
add address=192.168.1.2/29 network=192.168.1.0 broadcast=192.168.1.7 interface=Public comment="" disabled=no
add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="" disabled=no

e. Mangle

/ ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes comment="ToS" disabled=no
add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes comment="" disabled=no
add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/24 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/24 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes comment="" disabled=no
add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="Services" disabled=no
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8080 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection new-connection-mark=ym_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=ym_conn action=mark-packet new-packet-mark=ym passthrough=no comment="" disabled=no
add chain=prerouting protocol=udp dst-port=27015 action=mark-connection new-connection-mark=cs_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=cs_conn action=mark-packet new-packet-mark=cs passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6667-7000 action=mark-connection new-connection-mark=irc_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=irc_conn action=mark-packet new-packet-mark=irc passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8291 action=mark-connection new-connection-mark=mt_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=mt_conn action=mark-packet new-packet-mark=mt passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=email_conn action=mark-packet new-packet-mark=email passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=22 action=mark-connection new-connection-mark=ssh_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=ssh_conn action=mark-packet new-packet-mark=ssh passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=500-3127 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3129-6665 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=7001-65535 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=500-3127 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=3129-6665 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=7001-65535 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=games_conn action=mark-packet new-packet-mark=games passthrough=no comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/24 action=mark-packet new-packet-mark=Naik passthrough=no comment="Up Traffic" disabled=no
add chain=forward src-address=192.168.0.0/24 action=mark-connection new-connection-mark=Koneksi passthrough=yes comment="Conn-Mark" disabled=no
add chain=forward in-interface=Public connection-mark=Koneksi action=mark-packet new-packet-mark=Turun passthrough=no comment="Down-Direct Connection" disabled=no
add chain=output out-interface=Local dst-address=192.168.0.0/24 action=mark-packet new-packet-mark=Turun passthrough=no comment="Down-Via Proxy" disabled=no

f. ip nat

/ ip firewall nat
add chain=srcnat out-interface=Public action=masquerade comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=80 dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 to-ports=8080 comment="Pakai Proxy Linux" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=3128 dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 to-ports=8080 comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=8080 dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 to-ports=8080 comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="Tanpa proxy Linux" disabled=yes
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=3128 action=redirect to-ports=8080 comment="" disabled=yes
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=8080 action=redirect to-ports=8080 comment="" disabled=yes
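The filter exports on this page are long enough that ordering mistakes are easy to miss. In the first tutorial's input chain above, the last rule only logs ("Log everything else") and nothing drops after it, so RouterOS's default policy accepts whatever an earlier rule did not match. In section g below, the port-knocking rules and the per-network accepts sit after an unconditional "Drop everything else" and can never match, and a bare action=accept ("Allow access to router from known network") precedes the src-address rules it was meant to guard. The static /ip arp table in section b has a related catch: with arp=enabled on the interface, as in section a, the router still learns dynamic entries, so the static entries do not pin an address to a MAC; only arp=reply-only makes the static table authoritative. The Python below is an added example, not part of the tutorial: it parses the export syntax (the trailing backslash continuation and quoted values) and reports rules unreachable after an unconditional terminal rule, chains with no catch-all, an unconditional accept in input, and static ARP entries whose interface is not reply-only. The sample export inside the script is constructed to mirror these cases and is not the page's own configuration; treating a backslash-newline plus the following indentation as simply deleted (so a comment split across lines joins on the space before the backslash) is an assumption about the export format.

```python
"""Audit a RouterOS export for filter-rule ordering and static-ARP enforcement.

Added example, not part of the tutorial.  The sample export below is constructed
to mirror the cases found in the exports on this page; it is not the page's own
configuration.
"""
import re
from collections import defaultdict

# Constructed sample in RouterOS export syntax (a trailing "\" continues a command).
SAMPLE_EXPORT = r'''
/ interface ethernet
set Local name="Local" mtu=1500 arp=enabled disabled=no
set Public name="Public" mtu=1500 arp=enabled disabled=no
/ ip arp
add address=192.168.0.7 mac-address=00:19:21:14:4A:E7 interface=Local \
    comment="" disabled=no
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid \
    connections" disabled=no
add chain=input connection-state=established action=accept disabled=no
add chain=input in-interface=!Public action=accept disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \
    address-list=knock address-list-timeout=15s disabled=no
add chain=input src-address=192.168.0.0/24 action=accept disabled=no
add chain=forward connection-state=established action=accept disabled=no
add chain=forward action=log log-prefix="DROP FWD" disabled=no
'''

TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')        # words, keeping quoted values whole
TERMINAL = {"accept", "drop", "reject", "tarpit"}  # actions that end chain traversal
# Keys that do not restrict which packets a rule matches.
NON_MATCHERS = {"chain", "action", "comment", "disabled", "log-prefix",
                "jump-target", "address-list", "address-list-timeout"}


def parse_export(text):
    """Return [(section, command, positional, args)] for each command line."""
    # Assumption about the format: "\" + newline + indentation is dropped, so a
    # quoted comment split across lines joins on the space before the backslash.
    text = re.sub(r"\\\n\s*", "", text)
    section, items = "", []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):               # "/ ip firewall filter" opens a section
            section = line[1:].strip()
            continue
        tokens = TOKEN.findall(line)
        args, positional = {}, []
        for tok in tokens[1:]:
            if "=" in tok:
                key, _, val = tok.partition("=")
                args[key] = val.strip('"')
            else:
                positional.append(tok)         # e.g. the item name in "set Local ..."
        items.append((section, tokens[0], positional, args))
    return items


def audit_filter(items):
    """Report unreachable rules, missing catch-alls and bare accepts, per chain."""
    chains = defaultdict(list)
    for section, cmd, _, a in items:
        if section == "ip firewall filter" and cmd == "add" and a.get("disabled") != "yes":
            chains[a.get("chain", "?")].append(a)
    findings = []
    for chain, rules in chains.items():
        dead = None                            # index of first unconditional terminal rule
        for idx, rule in enumerate(rules):
            if dead is not None:
                findings.append((chain, idx, "unreachable: after unconditional %s at rule %d"
                                 % (rules[dead]["action"], dead)))
                continue
            if not (set(rule) - NON_MATCHERS) and rule.get("action") in TERMINAL:
                dead = idx
                if chain == "input" and rule["action"] == "accept":
                    findings.append((chain, idx, "unconditional accept exposes every router service"))
        if dead is None:
            findings.append((chain, len(rules), "no catch-all terminal rule; RouterOS default policy accepts"))
    return findings


def audit_arp(items):
    """Static /ip arp entries only pin IP to MAC when the interface uses arp=reply-only."""
    mode = {}
    for section, cmd, pos, a in items:
        if section == "interface ethernet" and cmd == "set" and pos:
            mode[a.get("name", pos[0])] = a.get("arp", "enabled")
    return [(a.get("address"), a.get("interface"), mode.get(a.get("interface"), "enabled"))
            for section, cmd, _, a in items
            if section == "ip arp" and cmd == "add"
            and mode.get(a.get("interface"), "enabled") != "reply-only"]


if __name__ == "__main__":
    items = parse_export(SAMPLE_EXPORT)
    for chain, idx, msg in audit_filter(items):
        print("filter %s rule %d: %s" % (chain, idx, msg))
    for addr, iface, arp in audit_arp(items):
        print("arp %s on %s: static entry not enforced (arp=%s, needs reply-only)" % (addr, iface, arp))
```

Run against a real `/export` file, the script flags exactly the situations in this page's exports: the two rules after "Drop everything else" come back as unreachable, the forward chain that ends in a log rule comes back as having no catch-all, and every static ARP entry on an arp=enabled interface is listed as unenforced. The jump action is deliberately not treated as terminal, because RouterOS returns to the calling chain when the target chain makes no terminal decision.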

g. filter

/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow esatblished connections" disabled=no
add chain=input connection-state=related action=accept comment="Allow related connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input in-interface=!Public action=accept comment="Allow connection to router from local network" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s comment="" disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=safe address-list-timeout=15m comment="" disabled=no
add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic" disabled=no
add chain=input action=log log-prefix="Filter:" comment="" disabled=no
add chain=input action=accept comment="Allow access to router from known network" disabled=no
add chain=input src-address=192.168.0.0/24 action=accept comment="" disabled=no
add chain=input src-address=192.168.5.0/29 action=accept comment="" disabled=no
add chain=input src-address=192.168.4.0/29 action=accept comment="" disabled=no
add chain=input src-address=63.219.6.0/24 action=accept comment="" disabled=no
add chain=input src-address=125.0.0.0/8 action=accept comment="" disabled=no
add chain=input action=drop comment="drop everything else" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no

add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop invalid connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow already established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed" disabled=no

add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=input connection-state=established action=accept comment="Accept established connections" disabled=no
add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
add chain=input protocol=tcp dst-port=22 action=accept comment="SSH for secure shell" disabled=no
add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox" disabled=no
add chain=input src-address=159.148.172.192/28 action=accept comment="From Mikrotikls network" disabled=no
add chain=input src-address=192.168.0.0/24 action=accept comment="From our private LAN" disabled=no
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
add chain=tcp protocol=tcp p2p=all-p2p action=drop comment="deny DHCP" disabled=no
add chain=tcp src-address=192.168.0.2 protocol=tcp dst-port=3133 p2p=all-p2p action=drop comment="deny BackOrifice" disabled=no

h. ip firewall address list

/ ip firewall address-list
add list=servergames address=202.93.20.201 comment="" disabled=no

i. queue type

/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 sfq-allot=1514
add name="PFIFO-64" kind=pfifo pfifo-limit=64
add name="default-small" kind=pfifo pfifo-limit=10
add name="pcq-download" kind=pcq pcq-rate=384000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq-upload" kind=pcq pcq-rate=64000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000

j. queue tree

/ queue tree
add name="ICMP" parent=global-in packet-mark=ICMP-PM limit-at=8000 queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="DNS" parent=global-in packet-mark=DNS-PM limit-at=8000 queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="downstream" parent=Local packet-mark=Turun limit-at=0 queue=pcq-download priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="upstream" parent=global-in packet-mark=Naik limit-at=0 queue=pcq-upload priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

k. queue simple

/ queue simple
add name="Fantasy.net" dst-address=0.0.0.0/0 interface=Local parent=none priority=1 queue=default/default limit-at=0/786000 max-limit=0/786000 total-queue=default disabled=no
add name="01" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default time=0s-0s, p2p=fasttrack disabled=no
add name="02" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
add name="03" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
add name="04" target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default time=0s-0s, disabled=no
add name="06" target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default p2p=fasttrack disabled=no
add name="05" target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/60000 total-queue=default disabled=no
add name="07" target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
add name="08" target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
add name="09" target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
add name="10" target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=default/default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
add name="11" target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default p2p=all-p2p disabled=no
add name="Server" target-addresses=192.168.0.253/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/120000 total-queue=default disabled=yes

B. LINUX Proxy

a. vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.1.255
HWADDR=00:1B:11:66:2A:69
IPADDR=192.168.1.3
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
TYPE=Ethernet

b. Routing from the proxy to the modem

[root@proxies squid]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
169.254.0.0     *               255.255.0.0     U         0 0          0 eth0
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

c. named.conf

Add the forwarders option to named.conf:

// query-source address * port 53;
forwarders {
    203.130.193.74;
    202.134.0.155;
    202.134.2.5;
};

};

d. resolv.conf

[root@proxies squid]# cat /etc/resolv.conf
nameserver 192.168.1.1
nameserver 203.130.193.74
nameserver 202.134.0.155
nameserver 202.134.2.5

e. squid.conf

http_port 8080
#icp_port 3130

icp_query_timeout 0
maximum_icp_query_timeout 5000
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin ? localhost
acl QUERY urlpath_regex cgi-bin \? localhost

### Cache options
cache_mem 6 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 128 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB
ipcache_size 10240
ipcache_low 98
ipcache_high 99
fqdncache_size 256
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

### Squid tuning options
refresh_pattern -i \.(swf|png|jpg|jpeg|bmp|tiff|png|gif) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i \.(mov|mpg|mpeg|flv|avi|mp3|3gp|sis|wma) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i \.(zip|rar|ace|bz|bz2|tar|gz|exe) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i (.*html$|.*htm|.*shtml|.*aspx|.*asp) 43200 90% 1440 reload-into-ims override-lastmod
refresh_pattern -i \.(class|css|js|gif|jpg)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(jpe|jpeg|png|bmp|tif)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(tiff|mov|avi|qt|mpeg)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(mpg|mpe|wav|au|mid)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(zip|gz|arj|lha|lzh)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(rar|tgz|tar|exe|bin)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(hqx|pdf|rtf|doc|swf)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(inc|cab|ad|txt|dll)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(asp|acgi|pl|shtml|php3|php)$ 2 20% 4320 reload-into-ims
refresh_pattern ^http://*.google.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*korea.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.akamai.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.windowsmedia.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.googlesyndication.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.plasa.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.telkom.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://www.friendster.com/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://mail.yahoo.com/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.yahoo.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.yimg.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.gmail.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.detik.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^ftp: 43200 90% 129600 reload-into-ims override-expire
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod

### Cache directory
#cache_dir aufs /cache 20000 16 256
#cache_dir diskd /cache 7000 16 256 Q1=72 Q2=88
cache_dir aufs /cache 50000 16 256

### Log
cache_access_log /var/log/squid/access.log
logfile_rotate 1
cache_log none
cache_store_log none
emulate_httpd_log off
log_ip_on_direct on
log_fqdn off
log_icp_queries off

### DNS server
dns_nameservers 127.0.0.1

quick_abort_min 0
quick_abort_max 0
quick_abort_pct 98%
negative_ttl 15 minute
positive_dns_ttl 24 hours
negative_dns_ttl 5 minutes
range_offset_limit 0 KB

### Timeout options
connect_timeout 1 minute
peer_connect_timeout 5 seconds
read_timeout 30 minute
request_timeout 1 minute
#client_lifetime 10 hour
half_closed_clients off
pconn_timeout 15 second
shutdown_lifetime 15 second

### ACL options
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl client src 192.168.1.0/29
acl tidakbebasdownload time 08:00-22:00
acl porn url_regex -i /usr/local/squid/etc/bokep.txt time 08:00-22:00
acl noporn url_regex -i /usr/local/squid/etc/nobokep.txt time 08:00-22:00
acl file_terlarang url_regex -i hot_indonesia.exe
acl file_terlarang url_regex -i hotsurprise_id.exe
acl file_terlarang url_regex -i best-mp3-download.exe
acl file_terlarang url_regex -i R32.exe
acl file_terlarang url_regex -i rb32.exe
acl file_terlarang url_regex -i mp3.exe
acl file_terlarang url_regex -i HOTSEX.exe
acl file_terlarang url_regex -i Browser_Plugin.exe
acl file_terlarang url_regex -i DDialer.exe
acl file_terlarang url_regex -i od-teen
acl file_terlarang url_regex -i URLDownload.exe
acl file_terlarang url_regex -i od-stnd67.exe
acl file_terlarang url_regex -i Download_Plugin.exe
acl file_terlarang url_regex -i od-teen52.exe
acl file_terlarang url_regex -i malaysex
acl file_terlarang url_regex -i edita.html
acl file_terlarang url_regex -i info.exe
acl file_terlarang url_regex -i run.exe
acl file_terlarang url_regex -i Lovers2Go
acl file_terlarang url_regex -i GlobalDialer
acl file_terlarang url_regex -i WebDialer
acl file_terlarang url_regex -i britneynude
acl file_terlarang url_regex -i download.exe
acl file_terlarang url_regex -i backup.exe
acl file_terlarang url_regex -i GnoOS2003
acl file_terlarang url_regex -i wintrim.exe
acl file_terlarang url_regex -i MPREXE.EXE
acl file_terlarang url_regex -i exengd.EXE
acl file_terlarang url_regex -i xxxvideo.exe
acl file_terlarang url_regex -i Save.exe
acl file_terlarang url_regex -i ATLBROWSER.DLL

acl file_terlarang url_regex -i NawaL_rm
acl file_terlarang url_regex -i Socks32.dll
acl file_terlarang url_regex -i Sc32Lnch.exe
acl file_terlarang url_regex -i dat0.exe
acl IIX dst_as 7713 4622 4795 7597 4787 4795 4800
acl block url_regex -i \.(aiff|asf|avi|dif|divx|mov|movie|mp3|mpe?g?|mpv2|ogg|ra?m|snd|qt|wav|wmf|wmv)$
acl local-domain dstdomain localhost
acl Bad_ports port 7 9 11 19 22 23 25 53 110 119 513 514
acl Safe_ports port 21 70 80 210 443 488 563 591 777 1025-65535
acl Virus urlpath_regex winnt/system32/cmd.exe?
acl connect method CONNECT
acl post method POST
acl ssl method CONNECT
acl purge method PURGE
acl IpAddrProbeUA browser ^Mozilla/4.0.\(compatible;.MSIE.5.5;.Windows.98\)$
acl IpAddrProbeURL url_regex //[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$
no_cache deny QUERY manager

http_access allow manager IIX Safe_ports
http_access allow client
http_access deny porn !noporn
http_access deny Bad_ports Virus IpAddrProbeUA IpAddrProbeURL
http_access deny file_terlarang
http_access deny all
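Squid evaluates http_access lines first-match, so with "allow client" placed ahead of the deny lines, a request from the LAN is never tested against porn, Bad_ports or file_terlarang. The script below is an added example (not part of the tutorial) that walks the page's ordering and a corrected ordering over constructed requests; the ACL matchers and the stand-in patterns for bokep.txt/nobokep.txt are simplified assumptions, and the manager/IIX line is omitted because dst_as cannot be evaluated offline.

```python
import ipaddress
import re

# ACL table reduced to the ACL types used above that can be evaluated
# offline (src, url_regex, port). The bokep.txt / nobokep.txt file lists are
# replaced by constructed stand-in patterns.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "client": ("src", ["192.168.1.0/29"]),
    "porn": ("url_regex", [r"xxx"]),                 # stand-in for bokep.txt
    "noporn": ("url_regex", [r"xxx-health-info"]),   # stand-in for nobokep.txt
    "file_terlarang": ("url_regex", [r"hot_indonesia\.exe", r"DDialer\.exe", r"dat0\.exe"]),
    "Bad_ports": ("port", [7, 9, 11, 19, 22, 23, 25, 53, 110, 119, 513, 514]),
}

# http_access lines in the order the page lists them (manager/IIX line omitted).
PAGE_ORDER = [
    ("allow", ["client"]),
    ("deny", ["porn", "!noporn"]),
    ("deny", ["Bad_ports"]),
    ("deny", ["file_terlarang"]),
    ("deny", ["all"]),
]

# The same lines with every deny placed before "allow client".
FIXED_ORDER = [
    ("deny", ["porn", "!noporn"]),
    ("deny", ["Bad_ports"]),
    ("deny", ["file_terlarang"]),
    ("allow", ["client"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    """Minimal matcher for the three ACL types in ACLS (assumption, not Squid code)."""
    kind, values = ACLS[name]
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        return any(src in ipaddress.ip_network(v) for v in values)
    if kind == "url_regex":
        return any(re.search(v, req["url"], re.IGNORECASE) for v in values)
    if kind == "port":
        return req["port"] in values
    raise ValueError(f"unsupported ACL type {kind}")


def http_access(rules, req):
    """Squid semantics: ACLs on one line are ANDed, the first matching line
    decides, and a leading '!' negates an ACL."""
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def compare(req):
    """Decision under the page's ordering versus the corrected ordering."""
    return {"page": http_access(PAGE_ORDER, req), "fixed": http_access(FIXED_ORDER, req)}


if __name__ == "__main__":
    # Constructed request: a LAN client fetching a file_terlarang pattern.
    lan_dialer = {"src": "192.168.1.5", "url": "http://example.invalid/DDialer.exe", "port": 80}
    print(compare(lan_dialer))  # {'page': 'allow', 'fixed': 'deny'}
```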

### Administrative parameters
cache_mgr [email protected]
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.fantasy.war.net.id

### Accelerator options
memory_pools off
forwarded_for on
log_icp_queries off
icp_hit_stale on
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 9900
netdb_high 10000
netdb_ping_period 30 seconds
query_icmp off
pipeline_prefetch on
reload_into_ims on
pipeline_prefetch on
vary_ignore_expire on
max_open_disk_fds 100

nonhierarchical_direct on
prefer_direct off

### Transparent proxy support
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

### Limit the size of downloaded files
reply_body_max_size 3512000 allow client block tidakbebasdownload

### SNMP
#snmp_port 3401
#acl snmppublic snmp_community public
#snmp_access allow all

header_access User-Agent deny all
header_replace User-Agent Mozilla/5.0 (compatible; MSIE 6.0)
header_access Accept deny all
header_replace Accept */*
header_access Accept-Language deny all
header_replace Accept-Language id, en

f. Additional firewall rules on the proxy

#05-12-05
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 12 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 12 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 16 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 16 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 16 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 16 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 17 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 17 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 17 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 17 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 12:20 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 12:20 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12:20 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12:20 -j REJECT

/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 110 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 110 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 110 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 110 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 25 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 25 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 -j DROP

/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 25 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 123 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 123 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 123 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 123 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 23 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 23 -j REJECT

/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -i input_interface -p tcp --syn -j syn-flood
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -j DROP

/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 199 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 199 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 199 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 199 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 119 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 119 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 119 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 119 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 111 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 111 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 111 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 111 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 411 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 411 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 67:68 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 67:68 -j REJECT

Have a nice time trying these tips.