Selasa, 12 Mei 2009
ini tulisan dibuat karena aku baru bisa ngeset router sederhana pakai mikrotik
wenak poll gawe RT/RW net sederhana berkualitas
caranya tinggal instal mikrotik klo malas pilih apa yang mau di isi langsung aja semua masukan dengan tekan “a” terus “i” untuk instal
tekan n buat pilihan safe configure lama
tekan y buat terusin proses dengan format dll
abis itu enter buat reboot dan lepas deh cd mikrotiknya
setelah masuk username : mikrotik passwordnya enter aja deh
ketik “/interface print”
/interface set wlan1 name=(kei jeneng sak karep)
/interface set ether1 name=(kei jeneng sak karep)
ketik “/setup”
ketik a
wlan1=192.168.x.x/255.255.255.x
ketik a
ether1=10.0.0.x/255.255.255.x
ketik q
ketik /ip address print
ketik /ip route add gateway=192.168.x.1 (gtw ne piro dari isp)
ketik “/ip firewall nat add chain=srcnat action=masquerade out-interface=wan disable=no”
/ip dns set primary-dns=x.x.x.x secondary-dns=x.x.x.x allow-remote-requests=yes disable=no
web proxy
/ip web-proxy
/ip web-proxy set enabled=yes
/ip web-proxy set src-address=0.0.0.0
/ip web-proxy set port=8080
/ip web-proxy set hostname=proxy-wek.ku
/ip web-proxy set transparent-proxy=yes
/ip web-proxy set parent-proxy=0.0.0.0:0
/ip web-proxy set cache-administrator=telpon@fatah.aja
/ip web-proxy set max-object-size=4096KiB
/ip web-proxy set cache-drive=system
/ip web-proxy set max-cache-size=unlimited
/ip web-proxy set max-ram-cache-size=unlimited
bikin redirect port ke transparant proxy
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=8080
PCQ firewal mangle gawe shipping bandwidth
/ip firewall mangle add chain=forward src-address=192.168.169.0/28 action=mark-connection new-connection-mark=client1-cm
/ip firewall mangle add connection-mark=client1-cm action=mark-packet new-packet-mark=client1-pm chain=forward
/queue type add name=downsteam-pcq kind=pcq pcq-classifier=dst-address
/queue type add name=upstream-pcq kind=pcq pcq-classifier=src-address
/queue tree add parent=intranet queue=lokal-pcq packet-mark=client1-pm
/queue tree add parent=internet queue=wan(wireless)-pcq packet-mark=client1-pm
simpel queue buat nanti klo bagi bandwith termudah
queue simple add name=agus target-addresses=192.168.0.11
queue simple add name=arip target-addresses=192.168.0.12
queue simple add name=junet target-addresses=192.168.0.13
queue simple add name=dony target-addresses=192.168.0.14
queue simple add name=gimbrut target-addresses=192.168.0.15
queue simple add name=ngemol target-addresses=192.168.0.16
queue simple add name=cayank target-addresses=192.168.0.17
queue simple add name=cwapek target-addresses=192.168.0.18
queue simple add name=gebetan target-addresses=192.168.0.19
queue simple add name=mimin target-addresses=192.168.0.20
queue simple add name=admin target-addresses=192.168.0.2
BLOX SPAM
/ip firewall filter add chain=forward dst-port=135-139 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=135-139 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=593 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=4444 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=5554 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=9996 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=995-999 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=53 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=55 protocol=tcp action=drop
wes di winbox tinggal ngeset berapa besaran bandwith buat masing2 client
sampun cekap semanten parikan kulo menawi lepat nyuwun ngapuro
Equal bandwidth sharing among users
This example shows how to equally share 10Mibps download and 2Mibps upload among active users in the network 192.168.0.0/24. If Host A is downloading 2 Mibps, Host B gets 8 Mibps and vice versa. There might be situations when both hosts want to use maximum bandwidth (10 Mibps), then they will receive 5 Mibps each, the same goes for upload. This setup is also valid for more than 2 users.
At first, mark all traffic, coming from local network 192.168.0.0/24 with a mark users:
/ip firewall mangle add chain=forward src-address=192.168.0.0/24 \
action=mark-connection new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet \
new-packet-mark=users chain=forward
Now we will add 2 new PCQ types. The first, called pcq-download will group all traffic by destination address. As we will attach this queue type to the Local interface, it will create a dynamic queue for each destination address (user) which is downloading to the network 192.168.0.0/24. The second type, called pcq-upload will group the traffic by source address. We will attach this queue to the Public interface so it will make one dynamic queue for each user who is uploading to Internet from the local network 192.168.0.0/24.
/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address
Finally, make a queue tree for download traffic:
/queue tree add name=Download parent=Local max-limit=10240000
/queue tree add parent=Download queue=pcq-download packet-mark=users
And for upload traffic:
/queue tree add name=Upload parent=Public max-limit=2048000
/queue tree add parent=Upload queue=pcq-upload packet-mark=users
Note! If your ISP cannot guarantee you a fixed amount of traffic, you can use just one queue for upload and one for download, attached directly to the interface:
/queue tree add parent=Local queue=pcq-download packet-mark=users
/queue tree add parent=Public queue=pcq-upload packet-mark=users
Load balancing fail over
Untuk kasus ini dimisalkan ISP memiliki 2 jalur ke Internet. Satu menggunakan akses DSL (256 Kbps) dan lainnya menggunakan Wireless (512 Kbps). Dengan rasio pemakaian DSL:Wireless = 1:2 .
Yang akan dilakukan :
1. Menggunakan semua jalur gateway yang tersedia dengan teknik load-balancing.
2. Menjadikan salah satunya sebagai back-up dengan teknik fail-over.
OK, mari saja kita mulai eksperimennya :
1. IP address untuk akses ke LAN :
> /ip address add address=192.168.0.1/28 interface=LAN
IP address untuk akses ke jalur DSL :
> /ip address add address=10.32.57.253/29 interface=DSL
IP address untuk akses ke jalur Wireless :
> /ip address add address=10.9.8.2/29 interface=WIRELESS
Tentukan gateway dengan rasionya masing-masing :
> /ip route add gateway=10.32.57.254,10.9.8.1,10.9.8.1
2. Pada kasus untuk teknik fail-over. Diasumsikan jalur utama melalui Wireless dengan jalur DSL sebagai back-up apabila jalur utama tidak dapat dilalui. Untuk mengecek apakah jalur utama dapat dilalui atau tidak, digunakan command ping.
> /ip firewall mangle add chain=prerouting src-address=192.168.0.0/28 action=mark-routing new-routing-mark=SUBNET1-RM
> /ip route add gateway=10.9.8.1 routing-mark=SUBNET1-RM check-gateway=ping
> /ip route add gateway=10.32.57.254
3. Good Luck!!
PCQ
Dengan menggunakan queue type pcq di Mikrotik, kita bisa membagi bandwidth yang ada secara merata untuk para pelahap-bandwidth™ Dsaat jaringan pada posisi peak.
Contohnya, kita berlangganan 256 Kbps. Kalau ada yang sedang berinternet ria, maka beliau dapat semua itu jatah bandwidth. Tetapi begitu teman-temannya datang, katakanlah 9 orang lagi, maka masing-masingnya dapat sekitar 256/10 Kbps. Yah.. masih cukup layaklah untuk buka-buka situs non-porn atau sekedar cek e-mail & blog ).
OK, langsung saja ke caranya :
1. Asumsi : Network Address 192.168.169.0/28, interface yang mengarah ke pengguna diberi nama LAN, dan interface yang mengarah ke upstream provider diberi nama INTERNET;
2. Ketikkan di console atau terminal :
> /ip firewall mangle add chain=forward src-address=192.168.169.0/28 action=mark-connection new-connection-mark=NET1-CM
> /ip firewall mangle add connection-mark=NET1-CM action=mark-packet new-packet-mark=NET1-PM chain=forward
> /queue type add name=downsteam-pcq kind=pcq pcq-classifier=dst-address
> /queue type add name=upstream-pcq kind=pcq pcq-classifier=src-address
> /queue tree add parent=LAN queue=DOWNSTREAM packet-mark=NET1-PM
> /queue tree add parent=INTERNET queue=UPSTREAM packet-mark=NET1-PM
3. Good Luck!!
Memanipulasi ToS ICMP & DNS di MikroTik
Tujuan :
* Memperkecil delay ping dari sisi klien ke arah Internet.
* Mempercepat resolving hostname ke ip address.
Asumsi : Klien-klien berada pada subnet 10.10.10.0/28
1. Memanipulasi Type of Service untuk ICMP Packet :
> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes
> ip firewall mangle add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes
> ip firewall mangle add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay
2. Memanipulasi Type of Service untuk DNS Resolving :
> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
> ip firewall mangle add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes
> ip firewall mangle add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay
3. Menambahkan Queue Type :
> queue type add name=”PFIFO-64″ kind=pfifo pfifo-limit=64
4. Mengalokasikan Bandwidth untuk ICMP Packet :
> queue tree add name=ICMP parent=INTERNET packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
5. Mengalokasikan Bandwidth untuk DNS Resolving :
> queue tree add name=DNS parent=INTERNET packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
6. Good Luck!!
Queue Tree with more than two interfaces
Basic Setup
This page will tak about how to make QUEUE TREE in RouterOS that with Masquerading for more than two interfaces. It’s for sharing internet connection among users on each interfacess. In manual this possibility isn’t writted.
First, let’s set the basic setting first. I’m using a machine with 3 or more network interfaces:
[admin@instaler] > in pr
# NAME TYPE RX-RATE TX-RATE MTU
0 R public ether 0 0 1500
1 R wifi1 wlan 0 0 1500
2 R wifi2 wlan 0 0 1500
3 R wifi3 wlan 0 0 1500
And this is the IP Addresses for each interface:
[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.20.1.0/24 10.20.1.0 10.20.1.255 public
1 10.10.2.0/24 10.10.2.0 10.10.2.255 wifi1
2 10.10.3.0/24 10.10.3.0 10.10.3.255 wifi2
3 10.10.4.0/24 10.10.4.0 10.10.4.255 wifi3
On the public you can add NAT or proxy if you want.
Mangle Setup
And now is the most important part in this case.
We need to mark our users. One connectoin for upload and second for download. In this example I add mangle for one user. At the end I add mangle for local transmission because I don’t QoS local trafic emong users. But for user I need to separate upload and download.
[admin@instaler] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
disabled=no
0 chain=forward dst-address=10.10.2.36 action=mark-connection
new-connection-mark=users-userU passthrough=yes comment=”” disabled=no
1 chain=forward dst-address=10.10.2.36 action=mark-connection
new-connection-mark=users-userD passthrough=yes comment=”” disabled=no
2 chain=forward connection-mark=users-userU action=mark-packet
new-packet-mark=userU passthrough=yes comment=”” disabled=no
3 chain=forward connection-mark=users-userD action=mark-packet
new-packet-mark=userD passthrough=yes comment=”” disabled=no
98 chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16
action=mark-connection new-connection-mark=users-lokal passthrough=yes
99 chain=forward connection-mark=users-lokal action=mark-packet
new-packet-mark=lokalTrafic passthrough=yes
Queue Tree Setup
And now, the queue tree setting. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent. for downlink traffic, we use parent “global-out”, because we have two or more downloading interfaces. And for uplink, we are using parent “public”, we want QoS uplink traffic. (I’m using pcq-up and download from manual) This example is for 2Mb/1Mb
[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
0 name=”Download” parent=global-out packet-mark=”” limit-at=0
queue=pcq-download priority=1 max-limit=2000000 burst-limit=0
burst-threshold=0 burst-time=0s
1 name=”Upload” parent=WGW packet-mark=”” limit-at=0 queue=pcq-upload
priority=1 max-limit=1000000 burst-limit=0 burst-threshold=0
burst-time=0s
Now we add our user:
2 name=”user10D” parent=Download packet-mark=userD limit-at=0
queue=pcq-download priority=5 max-limit=0 burst-limit=0
burst-threshold=0 burst-time=0s
3 name=”user10U” parent=Upload packet-mark=userU limit-at=0
queue=pcq-upload priority=5 max-limit=0 burst-limit=0 burst-threshold=0
burst-time=0s
MAC Address + IP Address Linux
#!/bin/sh
iptables=/sbin/iptables
#definisikan default policy disini
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP #ingat nanti buka policy output yg perlu
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
#definisi default policy dan bikin chain baru bernama maccheck di interface eth1
$iptables -t mangle -F
$iptables -t mangle -F maccheck
$iptables -t mangle -X maccheck
$iptables -t mangle -N maccheck
$iptables -t mangle -I PREROUTING -i eth1 -p all -j maccheck
#self explanatory… ip address + mac
$iptables -t mangle -A maccheck -s 192.168.0.1 -i eth1 -m mac -j RETURN
–mac-source
00:80:11:11:11:11
$iptables -t mangle -A maccheck -s 192.168.0.2 -i eth1 -m mac -j RETURN
–mac-source
00:80:22:22:22:22
$iptables -t mangle -A maccheck -s 192.168.0.3 -i eth1 -m mac -j RETURN
–mac-source
00:80:33:33:33:33
#selain yg terdaftar baik ip maupun mac akan di mark untuk nanti di drop, isi
dengan salah satu
mac yg aktif yg mana saja
#disini contohnya 00:80:11:11:11:11 yg sudah kita definisikan di atas
$iptables -t mangle -A maccheck -s 0/0 -i eth1 -m mac -j MARK –mac-source !
00:80:11:11:11:11
–set-mark 1
$iptables -t mangle -A maccheck -s 0/0 -i eth1 -p all -j MARK –set-mark 1
#drop packet yg di mark
$iptables -A INPUT -i eth1 -m mark –mark 1 -j DROP
$iptables -A OUTPUT -o eth1 -m mark –mark 1 -j DROP
$iptables -A FORWARD -i eth1 -m mark –mark 1 -j DROP
Membuat bridging untuk bagi bandwith
/ interface bridge add name=”bridge1″
/ interface bridge port
add interface=atas bridge=bridge1
add interface=bawah bridge=bridge1
/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http passthrough=no
add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes
add chain=prerouting connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=no
add chain=prerouting action=mark-connection new-connection-mark=other_conn passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet new-packet-mark=other passthrough=no
/ queue simple
add name=”main” target-addresses=192.168.100.2/27 max-limit=256000/512000
add name=”http” parent=main packet-marks=http max-limit=240000/500000
add name=”p2p” parent=main packet-marks=p2p max-limit=64000/64000
add name=”other” parent=main packet-marks=other max-limit=128000/128000