#######################################################
Konsep dan Terapan NTH utk Loadbalancing pada Mikrotik
#######################################################
I N T R O
---------
O-----------------------------------------------------------------------------------
nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received
by the rule. One of 16 available
counters can be used to count packets
Every - match every Every+1th packet. For example, if Every=1 then the rule matches
every 2nd packet
Counter - specifies which counter to use. A counter increments each time the rule
containing nth match matches
Packet - match on the given packet number. The value by obvious reasons must be
between 0 and Every. If this option is used for a given counter, then
there must be at least Every+1 rules with this option, covering all values
between 0 and Every inclusively.
O-----------------------------------------------------------------------------------
nth ada 3 bagian
bilang lah A,B,C
A = every
B = counter
C = packet
setelah gw baca lagi dan lagi dan lagi manual diatas
sampe sekarang gw gak ngerti2 dari ketiga bagian diatas.
jika pake 2 line load balance ada yang buat :
every 1 counter 1 packet 0 <-- line 1
every 1 counter 1 packet 1 <--- line 2
ada juga yang buat : 1,2,0 - 1,2,1
Pemahaman Saya Mengenai Nth:
Pada dasarnya koneksi yang masuk ke proses di router akan menjadi satu arus yang sama,
walaupun mereka datang dari interface yang berbeda. (well, this one is debatable)
Saat kita ingin menerapkan metode Nth, tentunya kita juga memberikan batasan ke router
untuk hanya mem-proses koneksi dari sumber tertentu saja (ex. dari IP lokal).
Nah, begitu router telah membuat semacam 'antrian' baru untuk batasan yang kita
berikan diatas, baru proses Nth dimulai.
#Every
Angka Every adalah jumlah kelompok yang ingin dihasilkan. Jadi bila kita ingin
membagi alur koneksi yang ada menjadi 4 kelompok yang nantinya akan di load balance
ke 4 koneksi yang ada, maka angka Every = 4.
Namun, setelah saya bandingkan manual yang ada di Mikrotik dengan penjelasan tentang
penerapan Nth di Linux, ada perbedaan disini.
Pada Mikrotik, angka Every harus dikurangkan 1, hingga bila mengikuti contoh diatas,
maka kita harus mengisikan Every = 3. Hal ini mungkin dikarenakan proses Nth di
Mikrotik akan menerapkan Every+1 (lihat manual) pada pengenalan koneksinya.
Jadi, kesimpulan sementara saya, bila kita ingin membagi 2 kelompok, maka :
- Pada Linux, Every = 4
- Pada Mikrotik, Every = 3
#Counter
Angka Counter dapat diisikan angka 0-15. Maksudnya adalah menentukan counter mana
yang akan kita pakai. Pada Mikrotik terdapat 16 Counter yang dapat dipakai, hal
ini juga sama dengan penerapan yang ada di Linux.
Setelah Diskusi dengan bro D3V4, ternyata penerapan counter cukup berpengaruh.
Jadi kesimpulan sementara, counter sebaiknya diset ke every+1 untuk Mikrotik
#Packet
Nah, kita sampe ke parameter terakhir. Parameter terakhir ini yang cukup menentukan.
Bila kita ingin membuat 4 kelompok, tentunya kita harus membuat 4 mangle rules.
Nah, pada rules tersebut, angka untuk Every dan Counter haruslah sama. Namun untuk
angka packet harus berubah.
Untuk 4 kelompok, berarti angka packet untuk 4 rules tersebut adalah 0,1,2 dan 3.
Angka ini ditentukan dari 0 ... (n-1).
Penerapan angka Packet untuk Linux dan Mikrotik sama.
Contoh
Mari kita ambil contoh untuk penerapan Nth untuk 4 koneksi. Maka Angka Nth untuk
masing2 rule di Mikrotik adalah (counter yg dipakai adalah 4) :
Rule 1 = 3,4,0
Rule 2 = 3,4,1
Rule 3 = 3,4,2
Rule 4 = 3,4,3
T E O R I
---------
tcp connections 3 way handshake
1. connection establishment
2. data transfer
3. connection termination
dengan tahapan sbb :
1. LISTEN
2. SYN-SENT
3. SYN-RECEIVED
4. ESTABLISHED
5. FIN-WAIT-1
6. FIN-WAIT-2
7. CLOSE-WAIT
8. CLOSING
9. LAST-ACK
10. TIME-WAIT
11. CLOSED
jika teori gw bener (CMIIW lagi ) proses mangle itu memotong di nomer 4
alias connection nya belum ketutup tapi udah request baru lagi (new connections state)
jadi dengan kata lain :
kenoksi masih kebuka udah ngerequest ke gateway yang lainnya ... jadi semua speedy
yang kita punay kebuka dan di gunakan.
jadi walaupun kedetek ip speedy 1 tetapi bebannya masih kebagi ke sebanyak n-th
yang kita punya.. ROUND ROBIN !
CONTOH KONFIGURASI I
--------------------
Untuk koneksi dengan Modem ADSL
ada 2 pilihan:
- Set Modem sebagai Bridge, berarti Router sebagai PPPoE Client
- Set Modem sebagai PPPoE, berarti Router tinggal sesuaikan dengan IP Local Modem
Topologi
ISP1/wlan2 ISP2/wlan1
10.111.0.1/24 10.112.0.1/24
| |
| |
| |
\ /
\ /
\ /
\ /
\ /
10.111.0.2/24 ===== 10.112.0.2/24
==|==
|
Local
Configuration export from the gateway router:
########################################################################################
'''/ ip address'''
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
'''/ ip firewall mangle'''
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
new-routing-mark=odd passthrough=no
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
new-routing-mark=even passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no
'''/ ip firewall nat'''
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535
'''/ ip route'''
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
########################################################################################
### Explanation
First we give a code snippet and then explain what it actually does.
~IP Addresses
The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and
10.112.0.2/24. The LAN interface has the name "Local" and IP address of 192.168.0.1/24.
----------------------------------------------------------------------------------------
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
----------------------------------------------------------------------------------------
~ Mangle
All traffic from customers having their IP address previously placed in the address
list "odd" is instantly marked with connection and routing marks "odd". Afterwards
the traffic is excluded from processing against successive mangle rules in prerouting chain.
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
new-routing-mark=odd
----------------------------------------------------------------------------------------
Same stuff as above, only for customers having their IP address previously placed
in the address list "even".
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
new-routing-mark=even
----------------------------------------------------------------------------------------
First we take every second packet that establishes new session (note connection-state=new),
and mark it with connection mark "odd". Consequently all successive packets belonging to
the same session will carry the connection mark "odd". Note that we are passing these
packets to the second and third rules (passthrough=yes). Second rule adds IP address
of the client to the address list to enable all successive sessions to go through
the same gateway. Third rule places the routing mark "odd" on all packets that belong
to the "odd" connection and stops processing all other mangle rules for these packets
in prerouting chain.
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no
----------------------------------------------------------------------------------------
These rules do the same for the remaining half of the traffic as the first three
rules for the first half of the traffic.
The code above effectively means that each new connection initiated through
the router from the local network will be marked as either "odd" or "even"
with both routing and connection marks.
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no
----------------------------------------------------------------------------------------
The above works fine. There are however some situations where you might find
that the same IP address is listed under both the ODD and EVEN scr-address-lists.
This behavior causes issues with apps that require persistent connections.
A simple remedy for this situation is to add the following statement to your
mangle rules:
----------------------------------------------------------------------------------------
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
src-address-list=!odd action=mark-connection new-connection-mark=even \
passthrough=yes
----------------------------------------------------------------------------------------
This will ensure that the new connection will not already be part of the ODD s
rc-address-list. You will have to do the same for the ODD mangle rule thus
excluding IP's already part of the EVEN scr-address-list.
~NAT
All traffic marked "odd" is being NATted to source IP address of 10.111.0.2,
while traffic marked "even" gets "10.112.0.2" source IP address.
----------------------------------------------------------------------------------------
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535
----------------------------------------------------------------------------------------
~Routing
For all traffic marked "odd" (consequently having 10.111.0.2 translated source address)
we use 10.111.0.1 gateway. In the same manner all traffic marked "even" is routed
through the 10.112.0.1 gateway.
----------------------------------------------------------------------------------------
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
/ ip route
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
----------------------------------------------------------------------------------------
Finally, we have one additional entry specifying that traffic from the router
itself (the traffic without any routing marks) should go to 10.112.0.1 gateway.
CONTOH KONFIGURASI II (PPPoE di MT)
-----------------------------------
#######################################################################################
# mar/15/2008 21:38:00 by RouterOS 2.9.XX
# software id = 2XX-RXX
#
/ interface ethernet
set Speedy1 name=”Speedy1" mtu=1500 mac-address=00:D0:5E:39:70:5C arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy2 name=”Speedy2" mtu=1500 mac-address=00:D0:5E:39:6F:69 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment=”" disabled=no
set Local name=”Local” mtu=1500 mac-address=00:D0:5E:39:6F:BA arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment=”" disabled=no
/ interface pppoe-client
add name=”pppoe-out1" max-mtu=1480 max-mru=1480 interface=Speedy1 \
user=”111xxxx@telkom.net” password=”xxxx” profile=default \
service-name=”" ac-name=”" add-default-route=yes dial-on-demand=no \
use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
add name=”pppoe-out2" max-mtu=1480 max-mru=1480 interface=Speedy2 \
user=”111xxxxx@telkom.net” password=”xxxx” profile=default \
service-name=”" ac-name=”" add-default-route=yes dial-on-demand=no \
use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
/ ip dns
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip address --- ???
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 \
interface=Speedy1 comment=”" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 \
interface=Speedy2 comment=”" disabled=no
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface=Local comment=”" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=125.162.80.1 scope=255 target-scope=10 \
comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=125.162.92.1 check-gateway=ping scope=255 \
target-scope=10 comment=”" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=Local src-address-list=Games \
action=mark-connection new-connection-mark=Games passthrough=yes \
comment=”Multi ISP” disabled=no
add chain=prerouting in-interface=Local src-address-list=Games \
action=mark-routing new-routing-mark=Games passthrough=no comment=”" \
disabled=no
add chain=prerouting in-interface=Local src-address-list=Net \
action=mark-connection new-connection-mark=Net passthrough=yes comment=”" \
disabled=no
add chain=prerouting in-interface=Local src-address-list=Net \
action=mark-routing new-routing-mark=Net passthrough=no comment=”" \
disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=Games passthrough=yes \
comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=Games \
action=add-src-to-address-list address-list=Games address-list-timeout=1d \
comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=Games \
action=mark-routing new-routing-mark=Games passthrough=no comment=”" \
disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=Net passthrough=yes comment=”" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=Net \
action=add-src-to-address-list address-list=Net address-list-timeout=1d \
comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=Net \
action=mark-routing new-routing-mark=Net passthrough=no comment=”" \
disabled=no
###
add chain=prerouting protocol=tcp src-port=1-1000 dst-port=1-1000 \
action=mark-connection new-connection-mark=spnet_conn passthrough=yes \
comment=”Routing Per Port Net” disabled=no
add chain=prerouting protocol=udp dst-port=1-1000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=3128 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=5050-5060 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5060 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=6660-7000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=6660-7000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment=”" disabled=no
add chain=prerouting connection-mark=spnet_conn action=mark-packet \
new-packet-mark=spnet passthrough=no comment=”" disabled=no
####
add chain=prerouting protocol=tcp dst-port=1001-3127 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment=”Routing Per Port \
games” disabled=no
add chain=prerouting protocol=udp dst-port=1001-3127 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=3129-5049 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=3129-5049 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=5061-6659 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=5061-6659 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=7001-8079 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=7001-8079 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=tcp dst-port=8081-65535 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment=”" disabled=no
add chain=prerouting protocol=udp dst-port=8081-65535 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment=”" disabled=no
add chain=prerouting connection-mark=spgames_conn action=mark-packet \
new-packet-mark=spgames passthrough=no comment=”" disabled=no
/ ip firewall nat
add chain=dstnat dst-address=64.4.0.0/18 action=accept comment=”" disabled=no
add chain=srcnat out-interface=pppoe-out1 packet-mark=!spgames \
connection-mark=!spgames_conn dst-address-list=!Games action=masquerade \
comment=”NAT CLIENT” disabled=no
add chain=srcnat out-interface=pppoe-out2 packet-mark=!spnet \
connection-mark=!spnet_conn dst-address-list=!Net action=masquerade \
comment=”" disabled=no
######################################################################################
##FAil OVEr Script
bukanya kalo maenan fail over enakan di tool netwatch
misalkan dengan script kaya gini:
Code:
-------------------------------------------------------------------------------------
/system script add name=check-gw source={
:local R1
:local R2
:if ([/tool netwatch get R1 status]=up) do={:set R1 192.168.1.1}
:if ([/tool netwatch get R2 status]=up) do={:set R2 203.81.xxx.xxx}
/ip route set [/ip route find dst-address=0.0.0.0/0] \
gateway=($R1 . , . $R2)
}
/tool netwatch add comment=R1 host=192.168.1.1 interval=5s up-script=check-gw \
down-script=check-gw
/tool netwatch add comment=R2 host=203.81.xxx.xxx interval=5s up-script=check-gw \
down-script=check-gw
---------------------------------------------------------------------------------------
CONTOh KASUS
------------
menggunakan 5 speeda
kasus 1, Nth = 4,5,n-1
pas di cabut satu modem koneksi jadi ngaco... kebanyakan lagging time....
trus... cabut lagi satu lagi modem nya....... jadi lebih parah.... ancur2an
koneksinya.. banyak yang muncul bacaan connection time out
kasus 2, Nth = 4,0,n-1
cabut 1 modem ........... masih ga masalah.... cabut modem ke2 baru berasa ada
beberapa website yang musti di refresh......
cabut modem ke3 ..... mulai ancur2 an.........
sepertinya nTh (n,0,n-1) bisa jadi fail over dengan syarat hanya 1 koneksi yg mati.
dan melihat dari segi respon pembagian beban jauh lebih cepat dengan
counter 0 (n,0,n-1) di bandingkan dengan (n,n,n-1)
Masalah:
- Gateway yang sama
- Priority DNS
- NTH yang cocok ?
- Firewall NAT, pilihan antara Action Masquarade dengan SrcNat ?
edited by baratev
Diramu dari: - www.forummikrotik.com ([a],d3v4,akangage,dkk]
- wiki.mikrotik.com
22:21 27/04/2008
Showing posts with label mikrotik. Show all posts
Showing posts with label mikrotik. Show all posts
Saturday, July 12, 2008
Konsep dan Terapan NTH utk Loadbalancing pada Mikrotik ( Baratev )
Wednesday, January 30, 2008
configuration speedy connection with load balancing prolink
This summary is not available. Please
click here to view the post.
Tuesday, December 25, 2007
Planning Internet Cafe With Speedy internet Connection
Using PC LINUX and router Mikrotik
Network Schema 192.168.1.2/29
Modem 4 Port ----------Mikrotik ---Hub-------Client 192.168.0.0/24
192.168.1.1/29 192.168.0.254/24
Linux proxy
192.168.1.3/29
A. Router Mikrotik Configuration
a. Interface
/ interface ethernet
set Local name="Local" mtu=1500 mac-address=00:50:DA:5F:AB:16 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set Public name="Public" mtu=1500 mac-address=00:A0:D2:11:C2:79 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
b. ARP
/ ip arp
add address=192.168.0.7 mac-address=00:19:21:14:4A:E7 interface=Local \
comment="" disabled=no
add address=192.168.0.4 mac-address=00:E0:4D:2F:81:6E interface=Local \
comment="" disabled=no
add address=192.168.0.1 mac-address=00:1B:B9:57:79:75 interface=Local \
comment="" disabled=no
add address=192.168.0.6 mac-address=00:E0:4D:2F:4D:F3 interface=Local \
comment="" disabled=no
add address=192.168.0.11 mac-address=00:1B:B9:57:7E:31 interface=Local \
comment="" disabled=no
add address=192.168.0.2 mac-address=00:E0:4D:2F:81:6D interface=Local \
comment="" disabled=no
add address=192.168.0.5 mac-address=00:19:21:DD:90:F4 interface=Local \
comment="" disabled=no
add address=192.168.0.10 mac-address=00:1B:B9:95:EB:6D interface=Local \
comment="" disabled=no
add address=192.168.0.253 mac-address=00:1A:92:56:79:5E interface=Local \
comment="" disabled=no
add address=192.168.1.1 mac-address=00:18:6E:CA:4F:2E interface=Public \
comment="" disabled=no
add address=192.168.1.3 mac-address=00:1B:11:66:2A:69 interface=Public \
comment="" disabled=no
c. DNS ISP
/ ip dns
set primary-dns=192.168.1.3 secondary-dns=202.134.0.155 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
d. IP address
/ ip address
add address=192.168.1.2/29 network=192.168.1.0 broadcast=192.168.1.7 \
interface=Public comment="" disabled=no
add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface=Local comment="" disabled=no
e. Mangle
/ ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 protocol=icmp \
action=mark-connection new-connection-mark=ICMP-CM passthrough=yes \
comment="ToS" disabled=no
add chain=prerouting connection-mark=ICMP-CM action=mark-packet \
new-packet-mark=ICMP-PM passthrough=yes comment="" disabled=no
add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay \
comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/24 protocol=tcp dst-port=53 \
action=mark-connection new-connection-mark=DNS-CM passthrough=yes \
comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/24 protocol=udp dst-port=53 \
action=mark-connection new-connection-mark=DNS-CM passthrough=yes \
comment="" disabled=no
add chain=prerouting connection-mark=DNS-CM action=mark-packet \
new-packet-mark=DNS-PM passthrough=yes comment="" disabled=no
add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay \
comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment="Services" \
disabled=no
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8080 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=http_conn action=mark-packet \
new-packet-mark=http passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection \
new-connection-mark=ym_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=ym_conn action=mark-packet \
new-packet-mark=ym passthrough=no comment="" disabled=no
add chain=prerouting protocol=udp dst-port=27015 action=mark-connection \
new-connection-mark=cs_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=cs_conn action=mark-packet \
new-packet-mark=cs passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6667-7000 action=mark-connection \
new-connection-mark=irc_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=irc_conn action=mark-packet \
new-packet-mark=irc passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8291 action=mark-connection \
new-connection-mark=mt_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=mt_conn action=mark-packet \
new-packet-mark=mt passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=110 action=mark-connection \
new-connection-mark=email_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection \
new-connection-mark=email_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=email_conn action=mark-packet \
new-packet-mark=email passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=22 action=mark-connection \
new-connection-mark=ssh_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=ssh_conn action=mark-packet \
new-packet-mark=ssh passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=500-3127 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3129-6665 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=7001-65535 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=500-3127 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=3129-6665 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=7001-65535 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=games_conn action=mark-packet \
new-packet-mark=games passthrough=no comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/24 action=mark-packet \
new-packet-mark=Naik passthrough=no comment="Up Traffic" disabled=no
add chain=forward src-address=192.168.0.0/24 action=mark-connection \
new-connection-mark=Koneksi passthrough=yes comment="Conn-Mark" \
disabled=no
add chain=forward in-interface=Public connection-mark=Koneksi \
action=mark-packet new-packet-mark=Turun passthrough=no \
comment="Down-Direct Connection" disabled=no
add chain=output out-interface=Local dst-address=192.168.0.0/24 \
action=mark-packet new-packet-mark=Turun passthrough=no comment="Down-Via \
Proxy" disabled=no
f. ip nat
/ ip firewall nat
add chain=srcnat out-interface=Public action=masquerade comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=80 \
dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 \
to-ports=8080 comment="Pakai Proxy Linux" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=3128 \
dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 \
to-ports=8080 comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=8080 \
dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 \
to-ports=8080 comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=80 \
action=redirect to-ports=8080 comment="Tanpa proxy Linux" disabled=yes
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=3128 \
action=redirect to-ports=8080 comment="" disabled=yes
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=8080 \
action=redirect to-ports=8080 comment="" disabled=yes
g. filter
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid \
connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow \
esatblished connections" disabled=no
add chain=input connection-state=related action=accept comment="Allow related \
connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input in-interface=!Public action=accept comment="Allow connection \
to router from local network" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \
address-list=knock address-list-timeout=15s comment="" disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock \
action=add-src-to-address-list address-list=safe address-list-timeout=15m \
comment="" disabled=no
add chain=input connection-state=established action=accept comment="accept \
established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related \
connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid \
packets" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and \
drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 \
action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to \
chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain \
services" disabled=no
add chain=input dst-address-type=broadcast action=accept comment="Allow \
Broadcast Traffic" disabled=no
add chain=input action=log log-prefix="Filter:" comment="" disabled=no
add chain=input action=accept comment="Allow access to router from known \
network" disabled=no
add chain=input src-address=192.168.0.0/24 action=accept comment="" \
disabled=no
add chain=input src-address=192.168.5.0/29 action=accept comment="" \
disabled=no
add chain=input src-address=192.168.4.0/29 action=accept comment="" \
disabled=no
add chain=input src-address=63.219.6.0/24 action=accept comment="" disabled=no
add chain=input src-address=125.0.0.0/8 action=accept comment="" disabled=no
add chain=input action=drop comment="drop everything else" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \
comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept \
comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \
comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" \
disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="Port \
scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="SYN/FIN \
scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="SYN/RST \
scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping \
port scanners" disabled=no
add chain=forward connection-state=established action=accept comment="allow \
established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow \
related connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid \
connections" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop \
Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" \
disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \
disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \
disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop \
Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" \
disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \
OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop \
Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop \
Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop \
MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop \
SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \
Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus \
chain" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop Invalid \
connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow \
Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop \
comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow \
already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow \
related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" \
disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" \
disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" \
disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" \
disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC \
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC \
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" \
disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" \
disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" \
disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny \
NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" \
disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny \
BackOriffice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" \
disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" \
disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC \
portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC \
portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" \
disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" \
disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny \
BackOriffice" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop \
invalid connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow \
established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow \
already established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow \
source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow \
echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow \
time exceed" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow \
parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=input connection-state=established action=accept comment="Accept \
established connections" disabled=no
add chain=input connection-state=related action=accept comment="Accept related \
connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid \
connections" disabled=no
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow \
limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" \
disabled=no
add chain=input protocol=tcp dst-port=22 action=accept comment="SSH for secure \
shell" disabled=no
add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox" \
disabled=no
add chain=input src-address=159.148.172.192/28 action=accept comment="From \
Mikrotikls network" disabled=no
add chain=input src-address=192.168.0.0/24 action=accept comment="From our \
private LAN" disabled=no
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything \
else" disabled=no
add chain=tcp protocol=tcp p2p=all-p2p action=drop comment="deny DHCP" \
disabled=no
add chain=tcp src-address=192.168.0.2 protocol=tcp dst-port=3133 p2p=all-p2p \
action=drop comment="deny BackOriffice" disabled=no
h. ip firewaal address list
/ ip firewall address-list
add list=servergames address=202.93.20.201 comment="" disabled=no
i.queue type
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 \
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
add name="PFIFO-64" kind=pfifo pfifo-limit=64
add name="default-small" kind=pfifo pfifo-limit=10
add name="pcq-download" kind=pcq pcq-rate=384000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq-upload" kind=pcq pcq-rate=64000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
j.queue tree
/ queue tree
add name="ICMP" parent=global-in packet-mark=ICMP-PM limit-at=8000 \
queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="DNS" parent=global-in packet-mark=DNS-PM limit-at=8000 \
queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="downstream" parent=Local packet-mark=Turun limit-at=0 \
queue=pcq-download priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="upstream" parent=global-in packet-mark=Naik limit-at=0 \
queue=pcq-upload priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
k. queue simple
/ queue simple
add name="Fantasy.net" dst-address=0.0.0.0/0 interface=Local parent=none \
priority=1 queue=default/default limit-at=0/786000 max-limit=0/786000 \
total-queue=default disabled=no
add name="01" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default time=0s-0s, p2p=fasttrack \
disabled=no
add name="02" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default disabled=no
add name="03" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default disabled=no
add name="04" target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default time=0s-0s, disabled=no
add name="06" target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default p2p=fasttrack disabled=no
add name="05" target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/60000 total-queue=default disabled=no
add name="07" target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default disabled=no
add name="08" target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default disabled=no
add name="09" target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default disabled=no
add name="10" target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 queue=default/default \
limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
add name="11" target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default p2p=all-p2p disabled=no
add name="Server" target-addresses=192.168.0.253/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/120000 total-queue=default disabled=yes
B. LINUX Proxy
a. vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.1.255
HWADDR=00:1B:11:66:2A:69
IPADDR=192.168.1.3
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
TYPE=Ethernet
b. Routing Proxy Ke Modem
[root@proxies squid]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default . 192.168.1.1 UG 0 0 0 eth0
c. named.conf
tambahkan opsi fowarder di named.conf
// query-source address * port 53;
forwarders {
203.130.193.74;
202.134.0.155;
202.134.2.5;
};
};
d. resolve.conf
[root@proxies squid]# cat /etc/resolv.conf
nameserver 192.168.1.1
nameserver 203.130.193.74
nameserver 202.134.0.155
nameserver 202.134.2.5
e. Squid.conf
http_port 8080
#icp_port 3130
icp_query_timeout 0
maximum_icp_query_timeout 5000
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin ? localhost
acl QUERY urlpath_regex cgi-bin \? localhost
### Opsi Cache
cache_mem 6 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 128 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB
ipcache_size 10240
ipcache_low 98
ipcache_high 99
fqdncache_size 256
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
### Opsi Tuning Squid
refresh_pattern -i \.(swfpngjpgjpegbmptiffpnggif) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i \.(movmpgmpegflvavimp33gpsiswma) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i \.(zipraracebzbz2targzexe) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i (.*html$.*htm.*shtml.*aspx.*asp) 43200 90% 1440 reload-into-ims override-lastmod
refresh_pattern -i \.(classcssjsgifjpg)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(jpejpegpngbmptif)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(tiffmovaviqtmpeg)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(mpgmpewavaumid)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(zipgzarjlhalzh)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(rartgztarexebin)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(hqxpdfrtfdocswf)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(inccabadtxtdll)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(aspacgiplshtmlphp3php)$ 2 20% 4320 reload-into-ims
refresh_pattern ^http://*.google.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*korea.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.akamai.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.windowsmedia.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.googlesyndication.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.plasa.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.telkom.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://www.friendster.com/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://mail.yahoo.com/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.yahoo.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.yimg.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.gmail.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.detik.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^ftp: 43200 90% 129600 reload-into-ims override-expire
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
### Direktori cache
#cache_dir aufs /cache 20000 16 256
#cache_dir diskd /cache 7000 16 256 Q1=72 Q2=88
cache_dir aufs /cache 50000 16 256
### Log
cache_access_log /var/log/squid/access.log
logfile_rotate 1
cache_log none
cache_store_log none
emulate_httpd_log off
log_ip_on_direct on
log_fqdn off
log_icp_queries off
### DNS server
dns_nameservers 127.0.0.1
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 98%
negative_ttl 15 minute
positive_dns_ttl 24 hours
negative_dns_ttl 5 minutes
range_offset_limit 0 KB
### Opsi Timeout
connect_timeout 1 minute
peer_connect_timeout 5 seconds
read_timeout 30 minute
request_timeout 1 minute
#client_lifetime 10 hour
half_closed_clients off
pconn_timeout 15 second
shutdown_lifetime 15 second
### Opsi ACL
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl client src 192.168.1.0/29
acl tidakbebasdownload time 08:00-22:00
acl porn url_regex -i /usr/local/squid/etc/bokep.txt time 08:00-22:00
acl noporn url_regex -i /usr/local/squid/etc/nobokep.txt time 08:00-22:00
acl file_terlarang url_regex -i hot_indonesia.exe
acl file_terlarang url_regex -i hotsurprise_id.exe
acl file_terlarang url_regex -i best-mp3-download.exe
acl file_terlarang url_regex -i R32.exe
acl file_terlarang url_regex -i rb32.exe
acl file_terlarang url_regex -i mp3.exe
acl file_terlarang url_regex -i HOTSEX.exe
acl file_terlarang url_regex -i Browser_Plugin.exe
acl file_terlarang url_regex -i DDialer.exe
acl file_terlarang url_regex -i od-teen
acl file_terlarang url_regex -i URLDownload.exe
acl file_terlarang url_regex -i od-stnd67.exe
acl file_terlarang url_regex -i Download_Plugin.exe
acl file_terlarang url_regex -i od-teen52.exe
acl file_terlarang url_regex -i malaysex
acl file_terlarang url_regex -i edita.html
acl file_terlarang url_regex -i info.exe
acl file_terlarang url_regex -i run.exe
acl file_terlarang url_regex -i Lovers2Go
acl file_terlarang url_regex -i GlobalDialer
acl file_terlarang url_regex -i WebDialer
acl file_terlarang url_regex -i britneynude
acl file_terlarang url_regex -i download.exe
acl file_terlarang url_regex -i backup.exe
acl file_terlarang url_regex -i GnoOS2003
acl file_terlarang url_regex -i wintrim.exe
acl file_terlarang url_regex -i MPREXE.EXE
acl file_terlarang url_regex -i exengd.EXE
acl file_terlarang url_regex -i xxxvideo.exe
acl file_terlarang url_regex -i Save.exe
acl file_terlarang url_regex -i ATLBROWSER.DLL
acl file_terlarang url_regex -i NawaL_rm
acl file_terlarang url_regex -i Socks32.dll
acl file_terlarang url_regex -i Sc32Lnch.exe
acl file_terlarang url_regex -i dat0.exe
acl IIX dst_as 7713 4622 4795 7597 4787 4795 4800
acl block url_regex -i \.(aiffasfavidifdivxmovmoviemp3mpe?g?mpv2oggra?msndqtwavwmfwmv)$
acl local-domain dstdomain localhost
acl Bad_ports port 7 9 11 19 22 23 25 53 110 119 513 514
acl Safe_ports port 21 70 80 210 443 488 563 591 777 1025-65535
acl Virus urlpath_regex winnt/system32/cmd.exe?
acl connect method CONNECT
acl post method POST
acl ssl method CONNECT
acl purge method PURGE
acl IpAddrProbeUA browser ^Mozilla/4.0.\(compatible;.MSIE.5.5;.Windows.98\)$
acl IpAddrProbeURL url_regex //[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$
no_cache deny QUERY manager
http_access allow manager IIX Safe_ports
http_access allow client
http_access deny porn !noporn
http_access deny Bad_ports Virus IpAddrProbeUA IpAddrProbeURL
http_access deny file_terlarang
http_access deny all
### Paramater Administratif
cache_mgr support@fantasy.war.net.id
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.fantasy.war.net.id
### Opsi Akselerator
memory_pools off
forwarded_for on
log_icp_queries off
icp_hit_stale on
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 9900
netdb_high 10000
netdb_ping_period 30 seconds
query_icmp off
pipeline_prefetch on
reload_into_ims on
pipeline_prefetch on
vary_ignore_expire on
max_open_disk_fds 100
nonhierarchical_direct on
prefer_direct off
### Pendukung Transparan Proxy
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
### Membatasi Besar File untuk download
reply_body_max_size 3512000 allow client block tidakbebasdownload
### SNMP
#snmp_port 3401
#acl snmppublic snmp_community public
#snmp_access allow all
header_access User-Agent deny all
header_replace User-Agent Mozilla/5.0 (compatible; MSIE 6.0)
header_access Accept deny all
header_replace Accept */*
header_access Accept-Language deny all
header_replace Accept-Language id, en
f. firewall tambahan di proxy
#05-12-05
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 12 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 12 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 16 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 16 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 16 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 16 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 17 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 17 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 17 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 17 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 12:20 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 12:20 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12:20 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12:20 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 110 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 110 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 110 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 110 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 25 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 25 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 25 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 123 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 123 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 123 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 123 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 23 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 23 -j REJECT
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -i input_interface -p tcp --syn -j syn-flood
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -j DROP
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 199 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 199 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 199 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 199 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 119 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 119 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 119 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 119 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 111 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 111 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 111 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 111 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 411 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 411 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 67:68 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 67:68 -j REJECT
Have nice try this tips.
Subscribe to:
Posts (Atom)