MikroTik RouterOS 2.9.27 (c) 1999-2006       http://www.mikrotik.com/

/ interface ethernet

set Local name=”Local” mtu=1500 mac-address=00:10:5A:6C:5E:86 arp=enabled disable-running-check=yes auto-negotiation=no \
    full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy1 name=”Speedy1″ mtu=1500 mac-address=00:10:5A:6C:5F:1C arp=enabled disable-running-check=yes \
    auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy2 name=”Speedy2″ mtu=1500 mac-address=00:10:4B:11:73:69 arp=enabled disable-running-check=yes \
    auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy3 name=”Speedy3″ mtu=1500 mac-address=00:10:4B:11:72:44 arp=enabled disable-running-check=yes \
    auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Hotspot name=”Hotspot” mtu=1500 mac-address=00:60:97:3D:3C:5F arp=enabled disable-running-check=yes \
    auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy4 name=”Speedy4″ mtu=1500 mac-address=00:0C:42:1A:2F:84 arp=enabled disable-running-check=yes \
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy5 name=”Speedy5″ mtu=1500 mac-address=00:0C:42:1A:2F:85 arp=enabled disable-running-check=yes \
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy6 name=”Speedy6″ mtu=1500 mac-address=00:0C:42:1A:2F:86 arp=enabled disable-running-check=yes \
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy7 name=”Speedy7″ mtu=1500 mac-address=00:0C:42:1A:2F:87 arp=enabled disable-running-check=yes \
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no

/ interface pppoe-client
add name=”pppoe-out1″ max-mtu=1480 max-mru=1480 interface=Speedy1 user=”1114021xxxx@telkom.net” password=”tairinighani” \
    profile=default service-name=”" ac-name=”" add-default-route=yes dial-on-demand=no use-peer-dns=no \
    allow=pap,chap,mschap1,mschap2 disabled=no
add name=”pppoe-out2″ max-mtu=1480 max-mru=1480 interface=Speedy2 user=”1114021xxxx@telkom.net” password=”pocarisweat” \
    profile=default service-name=”" ac-name=”" add-default-route=yes dial-on-demand=no use-peer-dns=no \
    allow=pap,chap,mschap1,mschap2 disabled=no
add name=”pppoe-out3″ max-mtu=1480 max-mru=1480 interface=Speedy3 user=”1114021xxxx@telkom.net” password=”fnjozz56xq” \
    profile=default service-name=”" ac-name=”" add-default-route=yes dial-on-demand=no use-peer-dns=no \
    allow=pap,chap,mschap1,mschap2 disabled=no
add name=”pppoe-out4″ max-mtu=1480 max-mru=1480 interface=Speedy5 user=”1114021xxxx@telkom.net” password=”pocarisweat” \
    profile=default service-name=”" ac-name=”" add-default-route=yes dial-on-demand=no use-peer-dns=no \
    allow=pap,chap,mschap1,mschap2 disabled=no

/ ip dns
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

/ ip dns static
add name=”www.palimo.net” address=192.168.6.1 ttl=1d

/ ip address
add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment=”" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Speedy1 comment=”" disabled=no
add address=192.168.3.2/24 network=192.168.3.0 broadcast=192.168.3.255 interface=Speedy2 comment=”" disabled=no
add address=192.168.4.2/24 network=192.168.4.0 broadcast=192.168.4.255 interface=Speedy3 comment=”" disabled=no
add address=192.168.5.2/24 network=192.168.5.0 broadcast=192.168.5.255 interface=Speedy4 comment=”" disabled=no
add address=192.168.6.1/24 network=192.168.6.0 broadcast=192.168.6.255 interface=Hotspot comment=”" disabled=no
add address=192.168.7.2/24 network=192.168.7.0 broadcast=192.168.7.255 interface=Speedy5 comment=”" disabled=no
add address=192.168.8.2/24 network=192.168.8.0 broadcast=192.168.8.255 interface=Speedy6 comment=”" disabled=no
add address=192.168.9.2/24 network=192.168.9.0 broadcast=192.168.9.255 interface=Speedy7 comment=”" disabled=no

/ ip route
add dst-address=0.0.0.0/0 gateway=125.162.84.1 scope=255 target-scope=10 routing-mark=speedy1 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=125.162.88.1 scope=255 target-scope=10 routing-mark=speedy2 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=125.165.156.1 scope=255 target-scope=10 routing-mark=speedy3 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.5.1 scope=255 target-scope=10 routing-mark=speedy4 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=125.165.104.1 scope=255 target-scope=10 routing-mark=speedy5 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=125.162.80.1 scope=255 target-scope=10 routing-mark=speedy6 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=125.162.82.1 scope=255 target-scope=10 routing-mark=speedy7 comment=”" disabled=no

/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=4,1,0 action=mark-connection new-connection-mark=speedy1 \
    passthrough=yes comment=”LoadBalancing 4 Line Speedy” disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy1 action=mark-routing new-routing-mark=speedy1 \
    passthrough=no comment=”" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=4,1,1 action=mark-connection new-connection-mark=speedy2 \
    passthrough=yes comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy2 action=mark-routing new-routing-mark=speedy2 \
    passthrough=no comment=”" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=4,1,2 action=mark-connection new-connection-mark=speedy3 \
    passthrough=yes comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy3 action=mark-routing new-routing-mark=speedy3 \
    passthrough=no comment=”" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=4,1,3 action=mark-connection new-connection-mark=speedy4 \
    passthrough=yes comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy4 action=mark-routing new-routing-mark=speedy4 \
    passthrough=no comment=”" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=4,1,4 action=mark-connection new-connection-mark=speedy5 \
    passthrough=yes comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy5 action=mark-routing new-routing-mark=speedy5 \
    passthrough=no comment=”" disabled=no

/ ip firewall nat
add chain=srcnat connection-mark=speedy1 action=src-nat to-addresses=125.162.84.xx to-ports=0-65535 comment=”NAT 2 CLIENT \
    5 LINE SPEEDY” disabled=no
add chain=srcnat connection-mark=speedy2 action=src-nat to-addresses=125.162.88.xx to-ports=0-65535 comment=”" disabled=no
add chain=srcnat connection-mark=speedy3 action=src-nat to-addresses=125.165.158.xx to-ports=0-65535 comment=”" \
    disabled=no
add chain=srcnat src-address=192.168.6.0/24 action=masquerade comment=”Masquerade Network Hotspot ” disabled=no
add chain=srcnat connection-mark=speedy4 action=src-nat to-addresses=192.168.5.2 to-ports=0-65535 comment=”" disabled=no
add chain=srcnat connection-mark=speedy5 action=src-nat to-addresses=125.165.110.xxx to-ports=0-65535 comment=”" \
    disabled=no

/ ip firewall filter
add chain=input connection-state=established action=accept comment=”Connection State” disabled=yes
add chain=input connection-state=related action=accept comment=”" disabled=yes
add chain=input protocol=icmp limit=50/5s,2 action=accept comment=”" disabled=yes
add chain=input connection-state=invalid action=drop comment=”" disabled=yes
add chain=forward src-address=0.0.0.0/8 action=drop comment=”Block Bogus IP Address” disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment=”" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment=”" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment=”" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment=”" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment=”" disabled=no
add chain=forward protocol=icmp icmp-options=11:0 action=drop comment=”Drop Traceroute” disabled=no
add chain=forward protocol=icmp icmp-options=3:3 action=drop comment=”" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment=”Drop SSH brute forcers” \
    disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1w3d comment=”" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m comment=”" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment=”" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment=”" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=”port scanners” \
    address-list-timeout=2w comment=”Port Scanners to list ” disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=”port \
    scanners” address-list-timeout=2w comment=”" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=”port scanners” \
    address-list-timeout=2w comment=”" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=”port scanners” \
    address-list-timeout=2w comment=”" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=”port \
    scanners” address-list-timeout=2w comment=”" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=”port scanners” \
    address-list-timeout=2w comment=”" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=”port \
    scanners” address-list-timeout=2w comment=”" disabled=no
add chain=input src-address-list=”port scanners” action=drop comment=”" disabled=no
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment=”Filter FTP to Box” \
    disabled=no
add chain=output protocol=tcp content=”530 Login incorrect” dst-limit=1/1m,9,dst-address/1m action=accept comment=”" \
    disabled=no
add chain=output protocol=tcp content=”530 Login incorrect” action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h comment=”" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment=”Separate Protocol into Chains” disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment=”" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment=”" disabled=no
add chain=input protocol=tcp action=jump jump-target=tcp comment=”" disabled=no
add chain=input protocol=udp action=jump jump-target=udp comment=”" disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment=”Blocking UDP Packet” disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment=”" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment=”" disabled=no
add chain=udp protocol=udp dst-port=445 action=drop comment=”" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment=”" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment=”" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=25 action=drop comment=”Bloking TCP Packet” disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=119 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=add-src-to-address-list address-list=conficker address-list-timeout=5m \
    comment=”———— Virus — Conficker” disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment=”———— Virus — Conficker” disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment=”" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment=”Limited Ping Flood” disabled=no
add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment=”" disabled=no
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment=”" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment=”" disabled=no
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment=”" disabled=no
add chain=input dst-address-type=broadcast action=accept comment=”Allow Broadcast Traffic” disabled=no

# may/11/2009 10:24:04 by RouterOS 2.9.27
# software id = 2RS9-M0T
#

/ interface ethernet
set Local name=”Local” mtu=1500 mac-address=00:10:5A:6C:5E:86 arp=enabled disable-running-check=yes auto-negotiation=no \
full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy1 name=”Speedy1″ mtu=1500 mac-address=00:10:5A:6C:5F:1C arp=enabled disable-running-check=yes \
auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy2 name=”Speedy2″ mtu=1500 mac-address=00:10:4B:11:73:69 arp=enabled disable-running-check=yes \
auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy3 name=”Speedy3″ mtu=1500 mac-address=00:10:4B:11:72:44 arp=enabled disable-running-check=yes \
auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy4 name=”Speedy4″ mtu=1500 mac-address=00:10:4B:11:72:3B arp=enabled disable-running-check=yes \
auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Hotspot name=”Hotspot” mtu=1500 mac-address=00:60:97:3D:3C:5F arp=enabled disable-running-check=yes \
auto-negotiation=no full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no

/ interface pppoe-client
add name=”pppoe-out1″ max-mtu=1480 max-mru=1480 interface=Speedy1 user=”11140xxxxx@telkom.net” password=”xxxxx” \
profile=default service-name=”" ac-name=”" add-default-route=yes dial-on-demand=no use-peer-dns=no \
allow=pap,chap,mschap1,mschap2 disabled=no
add name=”pppoe-out2″ max-mtu=1480 max-mru=1480 interface=Speedy2 user=”11140xxxxx@telkom.net” password=”xxxxx” \
profile=default service-name=”" ac-name=”" add-default-route=yes dial-on-demand=no use-peer-dns=no \
allow=pap,chap,mschap1,mschap2 disabled=no
add name=”pppoe-out3″ max-mtu=1480 max-mru=1480 interface=Speedy3 user=”11140xxxxx@telkom.net” password=”xxxxx” \
profile=default service-name=”" ac-name=”" add-default-route=yes dial-on-demand=no use-peer-dns=no \
allow=pap,chap,mschap1,mschap2 disabled=no

/ ip dns
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

/ ip dns static
add name=”router.palimo.net” address=192.168.0.254 ttl=1d

/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m inactive-flow-timeout=15s

/ ip address
add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment=”" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Speedy1 comment=”" disabled=no
add address=192.168.3.2/24 network=192.168.3.0 broadcast=192.168.3.255 interface=Speedy2 comment=”" disabled=no
add address=192.168.4.2/24 network=192.168.4.0 broadcast=192.168.4.255 interface=Speedy3 comment=”" disabled=no
add address=192.168.5.2/24 network=192.168.5.0 broadcast=192.168.5.255 interface=Speedy4 comment=”" disabled=no
add address=192.168.6.1/24 network=192.168.6.0 broadcast=192.168.6.255 interface=Hotspot comment=”" disabled=no

/ ip route
add dst-address=0.0.0.0/0 gateway=125.162.84.1 scope=255 target-scope=10 routing-mark=speedy1 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=125.162.88.1 scope=255 target-scope=10 routing-mark=speedy2 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=125.165.156.1 scope=255 target-scope=10 routing-mark=speedy3 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.5.1 scope=255 target-scope=10 routing-mark=speedy4 comment=”" disabled=no

/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=3,4,0 action=mark-connection new-connection-mark=speedy1 \
passthrough=yes comment=”LB 4 Line Speedy” disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy1 action=mark-routing new-routing-mark=speedy1 \
passthrough=no comment=”" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=3,4,1 action=mark-connection new-connection-mark=speedy2 \
passthrough=yes comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy2 action=mark-routing new-routing-mark=speedy2 \
passthrough=no comment=”" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=3,4,2 action=mark-connection new-connection-mark=speedy3 \
passthrough=yes comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy3 action=mark-routing new-routing-mark=speedy3 \
passthrough=no comment=”" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=3,4,3 action=mark-connection new-connection-mark=speedy4 \
passthrough=yes comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy4 action=mark-routing new-routing-mark=speedy4 \
passthrough=no comment=”" disabled=no

/ ip firewall nat
add chain=srcnat connection-mark=speedy1 action=src-nat to-addresses=125.162.84.155 to-ports=0-65535 comment=”NAT 2 CLIENT \
4 LINE SPEEDY” disabled=no
add chain=srcnat connection-mark=speedy2 action=src-nat to-addresses=125.162.88.93 to-ports=0-65535 comment=”" disabled=no
add chain=srcnat connection-mark=speedy3 action=src-nat to-addresses=125.165.158.18 to-ports=0-65535 comment=”" \
disabled=no
add chain=srcnat connection-mark=speedy4 action=src-nat to-addresses=192.168.5.2 to-ports=0-65535 comment=”" disabled=no
add chain=srcnat src-address=192.168.6.0/24 action=masquerade comment=”masquerade hotspot network” disabled=no

Load balancing yang coba aku bahas saat ini dilakukan pada mikrotik 2.9 (Jadul euy) yang diinstall pada PC pentium 3 dengan ethernet card sebanyak 4 buah yang diinstal di slot PCI.

Gambaran topologi yang aku tulis seperti ini :

Langkah-langkah load balancing :

1. Ubah IP dan Nama interface ethernet tiap port ehternet seperti contoh gambar di atas.
   Ex : Ether1 -> Nama interface diganti menjadi “local” dan IP di set 192.168.10.1/24
2. Mulai dengan menambah  gateway di mikrotik

   ip route add dst-address=0.0.0.0/0 gateway 192.168.1.1 scope=255 target-scope=10 routing-mark=satu comment="" disabled=no
   
   ip route add dst-address=0.0.0.0/0 gateway 192.168.2.1 scope=255 target-scope=10 routing-mark=dua comment="" disabled=no
   
   ip route add dst-address=0.0.0.0/0 gateway 192.168.3.1 scope=255 target-scope=10 routing-mark=tiga comment="" disabled=no

3. Dilanjutkan dengan menggunakan ip firewall mangle

   ip firewall mangle
   
   add chain=prerouting in-interface=local connection-state=new nth=2,3,0 action=mark-connection new-connection-mark=satu passtrough=yes comment="load balancing" disabled=no
   
   add chain=prerouting in-interface=local connection-mark=satu action=mark-routing new-routing-mark=satu passthrough=no comment="" disabled=no
   
   add chain=prerouting in-interface=local connection-state=new nth=2,3,1 action=mark-connection new-connection-mark=dua passtrough=yes comment="" disabled=no
   
   add chain=prerouting in-interface=local connection-mark=dua action=mark-routing new-routing-mark=dua passthrough=no comment="" disabled=no
   
   add chain=prerouting in-interface=local connection-state=new nth=2,3,2 action=mark-connection new-connection-mark=tiga passtrough=yes comment="" disabled=no
   
   add chain=prerouting in-interface=local connection-mark=tiga action=mark-routing new-routing-mark=tiga passthrough=no comment="" disabled=no

4. dan yan terakhir dengan proses NAT

   ip firewall nat add chain=srcnat out-interface=speedy1 action=masquerade
   
   ip firewall nat add chain=srcnat out-interface=speedy2 action=masquerade
   
   ip firewall nat add chain=srcnat out-interface=speedy3 action=masquerade

Selamat mencoba…

Sumber : http://infonesia.info

MikroTik RouterOS 2.9.27 (c) 1999-2006 http://www.mikrotik.com/

/ interface ethernet
set Local name=”Local” mtu=1500 mac-address=0A:C0:18:1A:3C:8A arp=enabled disable-running-check=yes auto-negotiation=no \
full-duplex=yes cable-settings=default speed=100Mbps comment=”" disabled=no
set Speedy1 name=”Speedy1″ mtu=1500 mac-address=0A:C0:18:1A:3C:75 arp=enabled disable-running-check=yes \
auto-negotiation=no full-duplex=yes cable-settings=default speed=1Gbps comment=”" disabled=no
set Speedy2 name=”Speedy2″ mtu=1500 mac-address=C0:10:18:C0:30:94 arp=enabled disable-running-check=yes \
auto-negotiation=no full-duplex=yes cable-settings=default speed=1Gbps comment=”" disabled=no
set Speedy3 name=”Speedy3″ mtu=1500 mac-address=00:0C:6E:D3:0D:FC arp=enabled disable-running-check=yes \
auto-negotiation=no full-duplex=yes cable-settings=default speed=1Gbps comment=”" disabled=no
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server
add name=”vpn” user=”" disabled=no
/ interface pptp-server server
set enabled=yes max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 keepalive-timeout=30 default-profile=vpn
/ interface pppoe-client
add name=”pppoe-out1″ max-mtu=1480 max-mru=1480 interface=Speedy2 user=”111401104174@telkom.net” password=”sttlqg13mc” \
profile=default service-name=”" ac-name=”" add-default-route=yes dial-on-demand=no use-peer-dns=no \
allow=pap,chap,mschap1,mschap2 disabled=no
/ ip pool
add name=”dhcp_pool1″ ranges=10.2.1.1-10.2.1.252,10.2.1.254
add name=”vpn” ranges=172.16.1.1-172.16.1.6
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=yes
set ftp port=21 address=0.0.0.0/0 disabled=yes
set www port=7479 address=0.0.0.0/0 disabled=no
set ssh port=1981 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ ip arp
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip dns static
add name=”www.ktr-pjk-pdg.org” address=10.2.1.253 ttl=1d
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m inactive-flow-timeout=15s
/ ip address
add address=10.2.1.253/24 network=10.2.1.0 broadcast=10.2.1.255 interface=Local comment=”" disabled=no
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=Speedy1 comment=”" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Speedy2 comment=”" disabled=no
add address=192.168.3.2/24 network=192.168.3.0 broadcast=192.168.3.255 interface=Speedy3 comment=”" disabled=no
add address=172.16.1.1/29 network=172.16.1.0 broadcast=172.16.1.7 interface=Local comment=”" disabled=no
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000 maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment=”block telnet & spam e-mail relaying” disabled=no
/ ip neighbor discovery
set Local discover=yes
set Speedy1 discover=yes
set Speedy2 discover=yes
set Speedy3 discover=yes
set pppoe-out1 discover=no
set vpn discover=no
/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark=speedy1 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=125.165.112.1 scope=255 target-scope=10 routing-mark=speedy2 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.3.1 scope=255 target-scope=10 routing-mark=speedy3 comment=”" disabled=no
add dst-address=0.0.0.0/0 gateway=125.165.112.1 scope=255 target-scope=10 comment=”" disabled=no
/ ip firewall mangle
add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=prio_conn_p2p passthrough=yes comment=”Prio \
P2P” disabled=yes
add chain=prerouting connection-mark=prio_conn_p2p action=mark-packet new-packet-mark=prio_p2p_packet passthrough=no \
comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=995 action=mark-connection new-connection-mark=prio_conn_download_services \
passthrough=yes comment=”Prio Download_Services” disabled=yes
add chain=prerouting protocol=tcp dst-port=143 action=mark-connection new-connection-mark=prio_conn_download_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=993 action=mark-connection new-connection-mark=prio_conn_download_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=995 action=mark-connection new-connection-mark=prio_conn_download_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=prio_conn_download_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=prio_conn_download_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=20-21 action=mark-connection new-connection-mark=prio_conn_download_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=22 packet-size=1400-1500 action=mark-connection \
new-connection-mark=prio_conn_download_services passthrough=yes comment=”" disabled=yes
add chain=prerouting connection-mark=prio_conn_download_services action=mark-packet new-packet-mark=prio_download_packet \
passthrough=no comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=prio_conn_ensign_services \
passthrough=yes comment=”Prio Ensign_Services” disabled=yes
add chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=prio_conn_ensign_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=icmp action=mark-connection new-connection-mark=prio_conn_ensign_services passthrough=yes \
comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=prio_conn_ensign_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=23 action=mark-connection new-connection-mark=prio_conn_ensign_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=80 connection-bytes=0-500000 action=mark-connection \
new-connection-mark=prio_conn_ensign_services passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=8080 action=mark-connection new-connection-mark=prio_conn_ensign_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting connection-mark=prio_conn_ensign_services action=mark-packet new-packet-mark=prio_ensign_packet \
passthrough=no comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=22 packet-size=1400-1500 action=mark-connection \
new-connection-mark=prio_conn_user_services passthrough=yes comment=”Prio User_Request” disabled=yes
add chain=prerouting protocol=tcp dst-port=8291 packet-size=1400-1500 action=mark-connection \
new-connection-mark=prio_conn_user_services passthrough=yes comment=”" disabled=yes
add chain=prerouting connection-mark=prio_conn_user_services action=mark-packet new-packet-mark=prio_request_packet \
passthrough=no comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=5100 action=mark-connection new-connection-mark=prio_conn_comm_services \
passthrough=yes comment=”Prio_Communication” disabled=yes
add chain=prerouting protocol=tcp dst-port=5050 action=mark-connection new-connection-mark=prio_conn_comm_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=udp dst-port=5060 action=mark-connection new-connection-mark=prio_conn_comm_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=1869 action=mark-connection new-connection-mark=prio_conn_comm_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=1723 action=mark-connection new-connection-mark=prio_conn_comm_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=5190 action=mark-connection new-connection-mark=prio_conn_comm_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=tcp dst-port=6660-7000 action=mark-connection new-connection-mark=prio_conn_comm_services \
passthrough=yes comment=”" disabled=yes
add chain=prerouting protocol=ipencap action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
comment=”" disabled=yes
add chain=prerouting protocol=gre action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
comment=”" disabled=yes
add chain=prerouting protocol=ipsec-esp action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
comment=”" disabled=yes
add chain=prerouting protocol=ipsec-ah action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
comment=”" disabled=yes
add chain=prerouting protocol=ipip action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
comment=”" disabled=yes
add chain=prerouting protocol=encap action=mark-connection new-connection-mark=prio_conn_comm_services passthrough=yes \
comment=”" disabled=yes
add chain=prerouting connection-mark=prio_conn_comm_services action=mark-packet new-packet-mark=prio_comm_packet \
passthrough=no comment=”" disabled=yes
add chain=prerouting in-interface=Local connection-state=new nth=2,1,0 action=mark-connection new-connection-mark=speedy1 \
passthrough=yes comment=”LB 3 Line Speedy” disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy1 action=mark-routing new-routing-mark=speedy1 \
passthrough=no comment=”" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=2,1,1 action=mark-connection new-connection-mark=speedy2 \
passthrough=yes comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy2 action=mark-routing new-routing-mark=speedy2 \
passthrough=no comment=”" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=2,1,2 action=mark-connection new-connection-mark=speedy3 \
passthrough=yes comment=”" disabled=no
add chain=prerouting in-interface=Local connection-mark=speedy3 action=mark-routing new-routing-mark=speedy3 \
passthrough=no comment=”" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=speedy1 action=src-nat to-addresses=192.168.1.2 to-ports=0-65535 comment=”NAT 2 CLIENT” \
disabled=no
add chain=srcnat connection-mark=speedy2 action=src-nat to-addresses=125.165.115.184 to-ports=0-65535 comment=”" \
disabled=no
add chain=srcnat connection-mark=speedy3 action=src-nat to-addresses=192.168.3.2 to-ports=0-65535 comment=”" disabled=no
add chain=srcnat src-address=172.16.1.0/29 action=masquerade comment=”NAT VPN” disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall filter
add chain=forward src-address=0.0.0.0/8 action=drop comment=”Block Bogus IP Address” disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment=”" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment=”" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment=”" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment=”" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment=”" disabled=no
add chain=forward src-address=192.168.1.99 protocol=tcp content=www action=drop comment=”block browsing 1″ disabled=yes
add chain=forward src-address=192.168.1.7 content=!www action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.8 protocol=tcp content=www action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.9 action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.10 content=!www action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.11 protocol=tcp content=www action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.12 protocol=tcp content=www action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.99 protocol=tcp content=http: action=drop comment=”block browsing 2″ disabled=yes
add chain=forward src-address=192.168.1.4 protocol=tcp content=http: action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.5 protocol=tcp content=http: action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.6 protocol=tcp content=http: action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.7 content=!http: action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.8 protocol=tcp content=http: action=drop comment=”" disabled=yes
add chain=input src-address=192.168.1.9 action=drop comment=”" disabled=yes
add chain=input src-address=192.168.1.10 content=!http: action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.11 protocol=tcp content=http: action=drop comment=”" disabled=yes
add chain=forward src-address=192.168.1.12 protocol=tcp content=http: action=drop comment=”" disabled=yes
add chain=forward protocol=icmp icmp-options=11:0 action=drop comment=”Drop Traceroute” disabled=no
add chain=forward protocol=icmp icmp-options=3:3 action=drop comment=”Drop Traceroute” disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment=”Drop SSH brute forcers” \
disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list \
address-list=ssh_blacklist address-list-timeout=1w3d comment=”" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list \
address-list=ssh_stage3 address-list-timeout=1m comment=”" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list \
address-list=ssh_stage2 address-list-timeout=1m comment=”" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m comment=”" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”Port Scanners to list ” disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=”port \
scanners” address-list-timeout=2w comment=”" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=”port \
scanners” address-list-timeout=2w comment=”" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=”port \
scanners” address-list-timeout=2w comment=”" disabled=no
add chain=input src-address-list=”port scanners” action=drop comment=”" disabled=no
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment=”Filter FTP to Box” \
disabled=no
add chain=output protocol=tcp content=”530 Login incorrect” dst-limit=1/1m,9,dst-address/1m action=accept comment=”" \
disabled=no
add chain=output protocol=tcp content=”530 Login incorrect” action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h comment=”" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment=”Separate Protocol into Chains” disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment=”" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment=”" disabled=no
add chain=input protocol=tcp action=jump jump-target=tcp comment=”" disabled=no
add chain=input protocol=udp action=jump jump-target=udp comment=”" disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment=”Blocking UDP Packet” disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment=”" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment=”" disabled=no
add chain=udp protocol=udp dst-port=445 action=drop comment=”" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment=”" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment=”" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=25 action=drop comment=”Bloking TCP Packet” disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=119 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment=”———— Virus — Conficker” disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment=”" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment=”" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment=”Limited Ping Flood” disabled=no
add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment=”" disabled=no
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment=”" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment=”" disabled=no
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment=”" disabled=no
add chain=icmp protocol=icmp action=drop comment=”" disabled=no
add chain=input dst-address-type=broadcast action=accept comment=”Allow Broadcast Traffic” disabled=no
add chain=input connection-state=established action=accept comment=”Connection State” disabled=no
add chain=input connection-state=related action=accept comment=”" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment=”" disabled=no
add chain=input connection-state=invalid action=drop comment=”" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=yes
set tftp ports=69 disabled=yes
set irc ports=6667 disabled=yes
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name=”default” hotspot-address=0.0.0.0 dns-name=”" html-directory=hotspot rate-limit=”" http-proxy=0.0.0.0:0 \
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name=”default” idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 \
transparent-proxy=yes open-status-page=always advertise=no
/ ip dhcp-server
add name=”dhcp1″ interface=Local lease-time=3d address-pool=dhcp_pool1 bootp-support=static authoritative=after-2sec-delay \
disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
/ ip dhcp-server network
add address=10.2.1.0/24 gateway=10.2.1.253 comment=”"
/ ip ipsec proposal
add name=”default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
set enabled=yes src-address=0.0.0.0 port=3128 hostname=”proxy” transparent-proxy=yes parent-proxy=0.0.0.0:0 \
cache-administrator=”webmaster” max-object-size=4096KiB cache-drive=system max-cache-size=unlimited \
max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment=”block telnet & spam e-mail relaying” disabled=no
/ ip web-proxy cache
add url=”:cgi-bin \\?” action=deny comment=”don’t cache dynamic http pages” disabled=no
/ system logging
add topics=info prefix=”" action=memory disabled=no
add topics=error prefix=”" action=memory disabled=no
add topics=warning prefix=”" action=memory disabled=no
add topics=critical prefix=”" action=echo disabled=no
/ system logging action
set memory name=”memory” target=memory memory-lines=100 memory-stop-on-full=no
set disk name=”disk” target=disk disk-lines=100 disk-stop-on-full=no
set echo name=”echo” target=echo remember=yes
set remote name=”remote” target=remote remote=0.0.0.0:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 check-interval=1d user=”"
/ system clock dst
set dst-delta=+00:00 dst-start=”jan/01/1970 00:00:00″ dst-end=”jan/01/1970 00:00:00″
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term=”" disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
/ system console screen
set line-count=25
/ system identity
set name=”ROUTER-NET”
/ system note
set show-at-login=yes note=”"
/ port
set serial0 name=”serial0″ baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=hardware
/ ppp profile
set default name=”default” use-compression=default use-vj-compression=default use-encryption=default only-one=default \
change-tcp-mss=yes comment=”"
add name=”vpn” local-address=vpn remote-address=vpn use-compression=default use-vj-compression=default \
use-encryption=required only-one=default change-tcp-mss=default dns-server=203.130.193.74 comment=”"
set default-encryption name=”default-encryption” use-compression=default use-vj-compression=default use-encryption=yes \
only-one=default change-tcp-mss=yes comment=”"
/ ppp secret
add name=”areksitiung” service=pptp caller-id=”" password=”sentot” profile=vpn routes=”" limit-bytes-in=0 \
limit-bytes-out=0 comment=”" disabled=no
/ ppp aaa
set use-radius=yes accounting=yes interim-update=0s
/ queue type
set default name=”default” kind=pfifo pfifo-limit=50
set ethernet-default name=”ethernet-default” kind=pfifo pfifo-limit=50
set wireless-default name=”wireless-default” kind=sfq sfq-perturb=5 sfq-allot=1514
set synchronous-default name=”synchronous-default” kind=red red-limit=60 red-min-threshold=10 red-max-threshold=50 \
red-burst=20 red-avg-packet=1000
set hotspot-default name=”hotspot-default” kind=sfq sfq-perturb=5 sfq-allot=1514
add name=”default-small” kind=pfifo pfifo-limit=10
/ queue simple
add name=”DreamNet” target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 interface=Local parent=none direction=both \
priority=1 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
add name=”Down_Services” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_download_packet direction=both \
priority=5 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
add name=”Ensign_Services” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_ensign_packet direction=both \
priority=1 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
add name=”User_Request” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=prio_request_packet direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small disabled=no
add name=”Communication” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all parent=none \
packet-marks=prio_comm_packet direction=both priority=3 queue=default-small/default-small limit-at=0/0 max-limit=0/0 \
total-queue=default-small disabled=no
add name=”Kasir” target-addresses=192.168.1.99/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default-small \
disabled=no
add name=”Client1″ target-addresses=192.168.1.15/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \
disabled=no
add name=”Client2″ target-addresses=192.168.1.4/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \
disabled=no
add name=”Client3″ target-addresses=192.168.1.5/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \
disabled=no
add name=”Client4″ target-addresses=192.168.1.6/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \
disabled=no
add name=”Client5″ target-addresses=192.168.1.7/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \
disabled=no
add name=”Client6″ target-addresses=192.168.1.8/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \
disabled=no
add name=”Client7″ target-addresses=192.168.1.9/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \
disabled=no
add name=”Client8″ target-addresses=192.168.1.10/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \
disabled=no
add name=”Client9″ target-addresses=192.168.1.11/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \
disabled=no
add name=”Client10″ target-addresses=192.168.1.12/32 dst-address=0.0.0.0/0 interface=Local parent=DreamNet direction=both \
priority=8 queue=default-small/default-small limit-at=16000/32000 max-limit=32000/128000 total-queue=default \
disabled=no
/ user
add name=”admin” group=full address=0.0.0.0/0 comment=”system default user” disabled=yes
add name=”areksitiung” group=full address=0.0.0.0/0 comment=”" disabled=no
add name=”nanda” group=full address=0.0.0.0/0 comment=”" disabled=no
add name=”riko” group=full address=0.0.0.0/0 comment=”" disabled=no
add name=”padang” group=full address=0.0.0.0/0 comment=”" disabled=no
/ user group
add name=”read” policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
add name=”write” policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
add name=”full” policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius incoming
set accept=no port=1700
/ driver
/ snmp
set enabled=no contact=”" location=”"
/ snmp community
set public name=”public” address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from=”<>”
/ tool sniffer
set interface=all only-headers=no memory-limit=10 file-name=”" file-limit=10 streaming-enabled=no streaming-server=0.0.0.0 \
filter-stream=yes filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=5min
/ tool graphing queue
add simple-queue=all allow-address=0.0.0.0/0 store-on-disk=yes allow-target=yes disabled=no
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no \
redistribute-bgp=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate authentication=none prefix-list-import=”" \
prefix-list-export=”" disabled=no
/ routing bgp
set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no redistribute-connected=no redistribute-rip=no \
redistribute-ospf=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 \
metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m

Modem di set mode bridge, jadi yang dial PPPoE dari loadbalancer nya

2. Setting Mikrotik

—> Ethernet Card

name=”Speedy” mtu=1500 mac-address=4C:00:10:1B:4E:6F arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps

name=”Lokal” mtu=1500 mac-address=00:02:2A:BF:E2:08 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps

name=”Squid” mtu=1500 mac-address=00:0E:2E:01:62:24 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps

—> IP address

[admin@satelit-internet]/ip address
add address=192.168.8.1/24 interface=Speedy
add address=192.168.1.1/24 interface=Lokal
add address=192.168.15.1/24 interface=Squid

—> DNS

[admin@satelit-internet]/ip dns
set primary-dns=192.168.8.10 allow-remote-request=yes

—> Route

[admin@satelit-internet]/ip route
add gateway=192.168.8.10

—> NAT

[admin@satelit-internet]/ip firewall nat
add chain=dstnat src-address=!192.168.8.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.8.10 to-ports=818

add chain=srcnat out-interface=Speedy action=masquerade

tujuannya membelokkan semua port 80 dari client ke port 818 (squid IPCOP) yang berfungsi sebagai web proxy

—> Mangle

tujuannya
memisahkan bandwidth internasional dan lokal (OpenIXP dan IIX)
Daftar IP Address yang diadvertise di OpenIXP dan IIX dapat di download di http://www.mikrotik.co.id/getfile.php?nf=nice.rsc
File nice.rsc ini dibuat secara otomatis di server Mikrotik Indonesia setiap pagi sekitar pk 05.30, dan merupakan data yang telah di optimasi untuk menghilangkan duplikat entry dan tumpang tindih subnet.
Untuk tutorial auto import script ke mikrotik bisa diintip disini

[admin@satelit-internet] >/ip firewall mangle

add chain=forward dst-address=192.168.1.0/24 action=change-ttl new-ttl=set:1 comment=”change TTL”

add chain=forward out-interface=internet protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 comment=”change mss”

add chain=forward content=X-Cache: HIT action=mark-connection new-connection-mark=squid_conn passthrough=yes comment=”squid proxy”

chain=forward connection-mark=squid_conn action=mark-packet new-packet-mark=squid_packet passthrough=no

/* Prioritaskan ping dan DNS */

add chain=prerouting protocol=icmp action=mark-connection new-connection-mark=icmp passthrough=yes comment=”icmp”

add chain=prerouting connection-mark=icmp action=change-tos new-tos=min-delay

add chain=prerouting connection-mark=icmp action=mark-packet new-packet-mark=icmp passthrough=no

add chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS passthrough=yes comment=”DNS”

add chain=prerouting connection-mark=DNS action=change-tos new-tos=max-throughput

add chain=prerouting protocol=udp dst-port=53 connection-mark=DNS action=mark-packet new-packet-mark=DNS passthrough=no

add chain=forward protocol=tcp dst-port=6000-7000 action=mark-connection new-connection-mark=IRC passthrough=yes comment=”irc”

add chain=prerouting src-address=192.168.1.0/24 protocol=tcp dst-port=6000-7000 action=mark-packet new-packet-mark=irc passthrough=no

add chain=forward connection-mark=IRC action=mark-packet new-packet-mark=irc passthrough=no

/* Upload Connections */

add chain=prerouting src-address=192.168.1.0/24 dst-address-list=!nice action=mark-packet new-packet-mark=upload comment=”upload” passthrough=no

/* Download Connections hanya untuk bandwidth internasional (OpenIXP) */

add chain=forward dst-address=!192.168.1.0/24 connection-mark=!squid_conn dst-address-list=!nice action=mark-connection new-connection-mark=download passthrough=yes comment=”download”

add chain=forward connection-mark=download action=mark-packet new-packet-mark=download passthrough=no

—> Queue type

[admin@satelit-internet]/queue tree

add name=”pfifo-64″ kind=pfifo pfifo-limit=64

add name=”pcq-down” kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000

add name=”pcq-up” kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000

—> Queue Tree

[admin@satelit-internet]/queue tree

add name=”download” parent=lan packet-mark=download limit-at=0 queue=pcq-down priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

—> Queue simple

[admin@satelit-internet]/queue simple

add name=”squid” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=squid_packet direction=both priority=8 queue=default-small/ethernet-default limit-at=0/0 max-limit=0/0 total-queue=default-small

add name=”irc” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=irc direction=both priority=8 queue=default-small/default-small limit-at=16000/16000 max-limit=16000/16000 total-queue=default-small

add name=”DNS” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=DNS direction=both priority=8 queue=pfifo-64/pfifo-64 limit-at=8000/8000 max-limit=8000/8000 total-queue=default-small

add name=”icmp” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=icmp direction=both priority=8 queue=pfifo-64/pfifo-64 limit-at=8000/8000 max-limit=8000/8000 total-queue=default-small

add name=”parent” dst-address=0.0.0.0/0 interface=all parent=none packet-marks=download,upload direction=both priority=8 queue=default-small/pcq-down limit-at=0/0 max-limit=0/0 total-queue=default-small

add name=”Satelit-01″ target-addresses=192.168.1.100/32 dst-address=0.0.0.0/0 interface=all parent=parent packet-marks=download,upload direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small
.
.
.
dst sampe 15 client

source: http://echo.or.id

Gara-gara satu orang user, maka kita terpaksa dikomplain seluruh pelanggan yang lain. Namun untuk memberikan peringatan pada satu orang itu, rasanya juga sulit karena dia merasa membayar sehingga merasa berhak untuk menggunakan akses internet sesuka hati.

Ada cara yang cukup efektif untuk menahan hal semacam ini dengan cara membuat shaper berbasis quota. Misalnya begini : jika pemakaian download masih dibawah 75 MB maka user akan mendapat kecepatan maksimal 128 kbps. Tapi jika dia sudah menggunakan lebih dari 75 MB tapi masih kurang dari 150 MB, maka kecepatannya menurun menjadi hanya 92 kbps. Tapi kalau dia sudah mendownload lebih dari 150 MB, maka kecepatannya kita batasi hanya tersisa 64 kbps.

Cara untuk melakukan hal semacam itu adalah dengan memasang script berikut ini :

/queue simple
:local traf;
:local maxi;
:set traf [get [find name="<eddy>"] total-bytes]
:set maxi [get [find name="<eddy>"] max-limit]
:set ips [get [find name="<eddy>"] target-address]
:if ($traf  > 150000000) do = { :log info “Si Eddy sudah melampaui 150MB”;
set [find name="<eddy>"] max-limit= “64000/64000″}
:if ($traf  < 150000000) do = { :log info “Si Eddy masih dibawah 150MB”;
set [find name="<eddy>"] max-limit= “92000/92000″}
:if ($traf  < 75000000) do = { :log info “Si Eddy masih dibawah 75MB”;
set [find name="<eddy>"] max-limit= “128000/128000″}

Keterangan :

• 150000000 : artinya 150 MB
• <eddy> : adalah nama queue yang sudah kita setting di queue simple list
• :log info  : untuk membuat keterangan dibagian LOG agar kita bisa lihat proses yang dijalankan
• max-limit adalah perintah untuk melakukan perubahan limiter

Script ini kita letakkan di bagian /system scheduler dengan menambahkan schedule (misalnya):

start-date=feb/20/2009 start-time=02:25:00 interval=30m

Kemudian pada bagian on-event kita tuliskan script kita tersebut di atas. Artinya, setiap 30 menit sekali, mikrotik akan menjalankan script cek tadi dan user eddy akan diaudit setiap 30 menit sekali. Dengan demikian setiap 30 menit akan dicek pemakaian si eddy apakah sudah melampaui batas atau belum.

Kita bisa mengatur interval menjadi lebih cepat ataupun lebih lambat sesuai dengan kehendak kita. Selamat mencoba dan semoga berguna.

Setelah di burn ke CD, booting komputer menggunakan CD mikrotik dan tunggu sampai menu pilihan muncul seperti ini :

Kita tinggal memilih paket-paket yang kita butuhkan dengan menekan tombol spasi. Paket-paket yang kita perlukan misalnya ppp, dhcp, advanced tools, hotspot, ntp, routing, security, telephony, ups, user manager, web-proxy. Untuk system harus dicentang karena kalau tidak salah-salah tidak nginstall mikrotik tapi nginstall windows… hahaha…

Setelah itu tekan huruf ‘i’ untuk mulai menginstall dan tunggu selama proses installasi. Setelah proses installasi selesai, maka komputer akan reboot sendiri. Lepas CD mikrotik dan biarkan komputer booting dari harddisk. Tunggu selama proses booting pertama ini sampai muncul halaman login seperti ini :

Untuk bisa login, username yang kita pakai adalah ‘admin’ dan passwordnya kosong (langsung enter saja). Pada kondisi default, mikrotik yang baru terinstall tidak memiliki IP sehingga kita tidak bisa meremote ke Mikrotik. Untuk melakukan setting awal, gunakan perintah ini :

* interface print

gunanya untuk mengetahui interface yang aktif di mikrotik. Hasilnya kurang lebih akan seperti ini :

[ayom@Heliconia-RT/RW-net] > interface print
Flags: D – dynamic, X – disabled, R – running, S – slave
#     NAME                                              TYPE             MTU
0     ether1                                             ether            1500
1     ether2                                            ether            1500
[ayom@Heliconia-RT/RW-net] >

Setelah itu kita bisa memberikan IP ke interface yang kita mau dengan cara :

* ip address add interface=ether1 address=192.168.1.254/24

maka interface ether1 sudah akan berisi IP 192.168.1.254/24. Dan mikrotik kita sudah bisa kita remote dari PC dengan menuliskan http://192.168.1.254 di web-browser (IE atau Firefox). Jika benar, akan muncul halaman layar seperti berikut :

Silakan download WINBOX yang ada di sebelah kiri atas web ini untuk memudahkan kita melakukan remote mikrotik. Kalau sudah di-download, maka akan muncul program seperti berikut :

Tekan tanda titik-titik yang ada disebelah kiri Connect untuk menemukan mac address atau IP address dari mikrotik yang baru saja kita install. Username yang dipakai masih sama yaitu admin dengan password masih kosong. Setelah itu, kita sudah akan melihat menu lengkap Mikrotik melalui Winbox seperti berikut ini :

Setelah itu maka kita bisa dengan mudah mengisi dan mempelajari Mikrotik.

sumber: http://www.istanaku.biz

Dalam tutorial ini saya ingin memberikan sedikit tata cara untuk membuat shaper atau BM di Mikrotik secara mudah dan simple dengan SIMPLE QUEUE. Untuk dapat mengikuti tutorial ini, silakan menggunakan WINBOX untuk login ke Mikrotik anda dan mengisi IP, username, dan password sesuai dengan yang tersedia di Mikrotik anda. Jika sudah, kita akan mulai dari tampilan menu seperti dibawah ini :

Setelah tampil menu seperti diatas, maka kita memulai semua proses shaper atau BM dari menu Queues yang ada di sebelah kiri nomor 7 dari atas. Kalau kita client Queues maka akan muncul tampilan baru sebagai berikut :

Untuk membuat shaper, ada 2 cara yaitu menggunakan langkah yang mudah melalui Simple Queue, dan langkah yang lebih rumit namun bisa untuk berbagai macam kebutuhan melalui Queue Tree. Untuk pelajaran awal, saya menerangkan cara untuk membuat shaper menggunakan Simple Queue untuk mudah dimengerti dan dapat segera diimplementasikan.

Untuk membuat entry pada Simple Queue, kita bisa menekan tanda + (tambah) di sebelah kiri atas pada tab Simple Queue. Jika sudah, maka akan muncul tab baru sebagai berikut :

Untuk mengisi, cukup mudah.

• Name adalah nama yang ingin kita pakai untuk menerangkan shaper yang kita buat ini. Misalnya PC1
• target address adalah IP address yang ingin kita shaper misalnya : 192.168.0.2. Kita tidak boleh menuliskan subnet /24 atau /29 jika kita hanya ingin menshaper 1 IP saja. Jika beberapa IP yang tidak berada dalam satu subnet kita bisa menekan tanda panah ke bawah disisi kanan Target Address untuk mendapatkan baris kedua IP Address.
• Target upload : adalah kecepatan maksimal yang kita inginkan untuk berikan untuk client tersebut untuk bisa mengirim data ke luar network (UPLOAD).
• Target download : adalah kecepatan maksimal yang kita inginkan untuk berikan ke client tersebut untuk bisa menerima atau mendownload data ke komputernya.
• Burst adalah kondisi khusus yang ingin kita berikan kepada client tersebut dimana pada kondisi tertentu dia bisa melampaui batas yang sudah kita berikan pada Target Upload ataupun target Download. Burst adalah bandwidth extra yang kita berikan kepada client.
• Burst limit adalah batas atas burst yang kita berikan sebagai batas tertinggi client bisa mendapat bandwidth
• Burst threshold adalah batas control pada sistem burst. Biasanya threshold adalah angka bandwidth yang akan menjadi rata-rata pemakaian jika pengguna akses terus menerus menghabiskan bandwidth yang tersedia. Bagian ini agak rumit untuk diterangkan di tulisan, tapi akan lebih mudah dimengerti dalam implementasi di lapangan.
• Burst Time : adalah waktu burst yang diizinkan. Konsep burst adalah client boleh menggunakan angka bandwidth yang tersedia di burst limit selama sekian detik yang ditentukan oleh burst time. Setelah sekian detik itu, maka limit akan dikembalikan kepada bandwidth yang sebenarnya. Kurang lebih aturannya begitu walaupun mungkin tidak 100% seperti itu.
• Time adalah saat dimana kita ingin shaper ini difungsikan. Diluar jam/hari yang ditentukan, shaper ini tidak akan berfungsi. Hal ini berguna untuk mengatur misalnya : selama jam kerja, shaper dibuat ketat, namun diluar jam kerja, shaper menjadi tidak ada.

Contoh mengisi shaper adalah seperti berikut :

Pada contoh tersebut, saya mengisi shaper dengan nama pc1 yang diperuntukkan untuk IP 192.168.0.3 dengan kecepatan upload maksimal 32 kbps dan download maksimal 64 kbps. Untuk kecepatan 1024 kbps kita bisa juga menuliskan 1M. Jika kita tidak menuliskan tanda ‘k’ maka artinya adalah bits.

Setelah itu klik Apply dan OK. Maka selesailah sudah shaper kita. Kita bisa juga membuat shaper-shaper yang lain dengan cara yang sama. Paling tidak kita bisa mendapatkan shaper seperti berikut :

Tampak pada gambar diatas, pc1 mendapat bandwidth yang lebih banyak untuk download dibanding pc2 hingga pc6, namun semuanya mendapat bandwidth yang sama besar untuk upload yaitu hanya 32k.

Jika Simple Queue yang kita berikan benar, maka begitu di apply, maka shaper ini akan segera berfungsi. Dan jika berfungsi, kita akan melihat angka Upload Rate dan Download Rate akan bergerak dan berubah-ubah sesuai dengan pemakaian masing-masing komputer.

Warna merah menandakan komputer tersebut sudah menggunakan bandwidth secara penuh atau hampir penuh. Sedangkan warna kuning menandakan separo kapasitas sudah terpakai. Sedangkan warna hijau artinya tidak terpakai atau hanya terpakai kurang dari separo batas.

Dengan demikian selesai sudah shaper yang kita kerjakan untuk network kita. Dengan shaper, kita bisa menjaga operasional network kita agar berfungsi secara maksimal dan sesuai dengan semustinya. Dan membuat everybody happy.

source:  http://www.istanaku.biz

1. To make filter brute forces

/ ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment=”Drop SSH brute forcers” disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d comment=”” disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment=”” disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m comment=”” disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment=”” \
disabled=no

2. To make filter port scaning
/ ip firewall filter

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=”port scanners” address-list-timeout=2w comment=”Port Scanners to list \
” disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=”port scanners” address-list-timeout=2w \
comment=”” disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=”port scanners” address-list-timeout=2w comment=”” disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=”port scanners” address-list-timeout=2w comment=”” disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=”port scanners” address-list-timeout=2w \
comment=”” disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=”port scanners” address-list-timeout=2w comment=”” \
disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=”port scanners” address-list-timeout=2w \
comment=”” disabled=no
add chain=input src-address-list=”port scanners” action=drop comment=”” disabled=no

3.To make filter ftp port

/ ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment=”Filter FTP to Box” disabled=no
add chain=output protocol=tcp content=”530 Login incorrect” dst-limit=1/1m,9,dst-address/1m action=accept comment=”” disabled=no
add chain=output protocol=tcp content=”530 Login incorrect” action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h comment=”” \
disabled=no

4. To make separate packet flag

/ ip firewall filter

add chain=forward protocol=tcp action=jump jump-target=tcp comment=”Separate Protocol into Chains” disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment=”” disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment=”” disabled=no

5. To make blocking udp satan traffic

/ ip firewall filter
add chain=udp protocol=udp dst-port=69 action=drop comment=”Blocking UDP Packet” disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment=”” disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment=”” disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment=”” disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment=”” disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment=”” disabled=no

6. To make blocking tcp satan traffic

/ ip firewall filter

add chain=tcp protocol=tcp dst-port=69 action=drop comment=”Bloking TCP Packet” disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment=”” disabled=no
add chain=tcp protocol=tcp dst-port=119 action=drop comment=”” disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment=”” disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment=”” disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment=”” disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment=”” disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment=”” disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment=”” disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment=”” disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment=”” disabled=no

7. To make blocking bukis mail traffic

/ ip firewall filter

add chain=forward protocol=tcp dst-port=25 action=drop comment=”Allow SMTP” disabled=no

8. To make filter dos traffic

/ ip firewall filter

add chain=icmp protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment=”Limited Ping Flood” disabled=no
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment=”” disabled=no
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment=”” disabled=no
add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment=”” disabled=no
add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment=”” disabled=no
add chain=icmp protocol=icmp action=drop comment=”” disabled=no

9. To make filter p2p traffic

/ ip firewall filter

add chain=forward p2p=all-p2p action=accept comment=”trafik P2P ” disabled=no

10. To make filter access network mapping traffic

/ ip firewall filter
add chain=input dst-address-type=broadcast,multicast action=accept comment=”Allow Broadcast Traffic” disabled=no
add chain=input src-address=192.168.0.0/28 action=accept comment=”Allow access to router from known network” disabled=no
add chain=input src-address=192.168.1.0/24 action=accept comment=”” disabled=no
add chain=input src-address=192.168.2.0/30 action=accept comment=”” disabled=no
add chain=input src-address=125.162.0.0/16 action=accept comment=”” disabled=no

11. To make filter junk traffic and real traffic connection

/ ip firewall filter

add chain=input connection-state=established action=accept comment=”Connection State” disabled=no
add chain=input connection-state=related action=accept comment=”” disabled=no
add chain=input connection-state=invalid action=drop comment=”” disabled=no

sumber : http://harrychanputra.wordpress.com/

kenapa ping bisa besar ?? karena limit bandwidth di koneksi dia sudah habis/mepet. nah icmp yang akan lewat “diapsen” dan akan di “antri” ….

64 bytes from 66.94.234.13: icmp_seq=1 ttl=48 time=1045.0 ms
64 bytes from 66.94.234.13: icmp_seq=2 ttl=48 time=1922.0 ms
64 bytes from 66.94.234.13: icmp_seq=5 ttl=49 time=2013.0 ms
64 bytes from 66.94.234.13: icmp_seq=6 ttl=48 time=1903.0 ms
64 bytes from 66.94.234.13: icmp_seq=7 ttl=48 time=1979.2 ms
64 bytes from 66.94.234.13: icmp_seq=8 ttl=48 time=1932.0 ms
64 bytes from 66.94.234.13: icmp_seq=9 ttl=48 time=2300.2 ms

Triknya adalah menyediakan sedikit bandwidth dari limitnya lab bersangkutan untuk didedikasikan packet ICMP.

pertama tama bikin manglenya :
/ip firewall mangle add chain=forward src-address=192.168.0.64/
28 protocol=icmp action=mark-connection new-connection-mark=lab1icmp-cm passthrough=yes
/ip firewall mangle add chain=forward connection-mark=lab1icmp-
cm action=mark-packet new-packet-mark=lab1icmp-pm passthrough=yes
/ip firewall mangle add chain=forward packet-mark=lab1icmp-pm a
ction=change-tos new-tos=min-delay

Ok sekarang bikin Queuenya
Skema saya adalah sebagai berikut :
Bandwidth 128 Kbps : 4 Kbps untuk ICMP sisanya untuk service internet lainnya…
pertama kita dedikasikan dulu bandwith yang nanti dijadikan parent oleh rule queue yang kita buat.
/queue tree add name=lab1-down parent=Downstream max-limit=128k
kemudian kita pecah menjadi:
/queue tree add name=downlab1 parent=lab1-down packet-mark=lab1
-pm queue=default max-limit=124k
/queue tree add name=icmplab1 parent=lab1-down packet-mark=lab1
icmp-pm queue=default max-limit=4k
Hasilnya :
64 bytes from 66.94.234.13: icmp_seq=22 ttl=48 time=655.3 ms
64 bytes from 66.94.234.13: icmp_seq=23 ttl=48 time=645.0 ms
64 bytes from 66.94.234.13: icmp_seq=24 ttl=49 time=645.0 ms
64 bytes from 66.94.234.13: icmp_seq=25 ttl=48 time=635.0 ms
64 bytes from 66.94.234.13: icmp_seq=26 ttl=48 time=634.7 ms
64 bytes from 66.94.234.13: icmp_seq=27 ttl=48 time=634.8 ms
64 bytes from 66.94.234.13: icmp_seq=28 ttl=48 time=655.3 ms
sumber:om google