Contoh 2 ISP load balance
# Example: two uplinks balanced per connection with the Nth matcher.
# Give the physical ports role names so the rules below can refer to them.
interface ethernet set ether4 name=LAN
interface ethernet set ether3 name=WAN1
interface ethernet set ether2 name=WAN2
interface ethernet set ether1 name=WAN3
/ ip address
# NOTE(review): WAN3 is renamed above but receives no address in this listing.
add address=10.1.0.1/27 network=10.1.0.0 broadcast=10.1.0.31 interface=LAN comment="LAN IP" disabled=no
add address=10.111.0.4/29 network=10.111.0.0 broadcast=10.111.0.7 interface=WAN1 comment="Fastnet A1/17" disabled=no
add address=10.112.0.2/29 network=10.112.0.0 broadcast=10.112.0.7 interface=WAN2 comment="Fastnet A1/1" disabled=no
# Upstream resolvers. Remote requests are set to "no", so the router is not
# configured to answer DNS queries sent to it by other hosts.
# NOTE(review): these two lines have no leading "/" and follow "/ ip address";
# confirm they are run from the root menu. primary-dns/secondary-dns also look
# like older RouterOS syntax - verify against the version in use.
ip dns set primary-dns=202.73.99.8 allow-remote-request=no
ip dns set secondary-dns=61.247.0.8 allow-remote-request=no
/ ip firewall mangle
# New connections entering from LAN are selected with nth and given the
# connection mark "odd" or "even"; every later packet of a marked connection
# then gets the routing mark of the same name (passthrough=no stops processing).
# NOTE(review): the nth argument format differs between RouterOS versions -
# confirm that 2,2 / 2,1 split traffic evenly on the target version.
# NOTE(review): balancing per connection sends one client's sessions out through
# different public addresses; services that tie a login to the client IP may
# reject the second connection - confirm this is acceptable for the site.
add chain=prerouting in-interface=LAN connection-state=new nth=2,2 action=mark-connection new-connection-mark=odd passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=odd action=mark-routing new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=2,1 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
# Source NAT per connection mark, so replies return over the uplink that was used.
# NOTE(review): 10.112.0.6 and 10.111.0.6 are not the addresses assigned to WAN2
# (10.112.0.2) and WAN1 (10.111.0.4) above - verify they are routed to this router.
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.112.0.6 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.111.0.6 to-ports=0-65535 comment="" disabled=no
/ ip route
# One default route per routing mark, followed by two default routes without a
# routing mark (presumably for traffic that carries no mark - confirm).
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 comment="" disabled=no
# DHCP service on the LAN port.
# NOTE(review): the pool and the network are in 192.168.0.0/24 while the LAN
# address above is 10.1.0.1/27 - the two do not match; confirm the intended subnet.
/ip pool add name=dhcp-pool ranges=192.168.0.31-192.168.0.100
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.2
/ip dhcp-server add interface=LAN address-pool=dhcp-pool
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Contoh 3 koneksi load balance
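# Example: three uplinks balanced per connection with the Nth matcher.
# Changes against the printed listing: the typographic closing quote in the
# first mangle rule is replaced by an ASCII quote (RouterOS only accepts ASCII
# quotes as string delimiters), and the leading "****" on the last route is
# removed because it is not RouterOS syntax.
/ ip address
# NOTE(review): 172.15.15.2/29 on WAN3 lies inside the LAN subnet 172.15.15.0/25,
# and 172.15.0.0 is outside the RFC 1918 private range 172.16.0.0/12 - confirm
# the intended addressing before reuse.
add address=172.15.15.1/25 network=172.15.15.0 broadcast=172.15.15.127 interface=LAN comment="LAN IP" disabled=no
add address=10.111.0.2/29 network=10.111.0.0 broadcast=10.111.0.7 interface=WAN1 comment="WAN1" disabled=no
add address=172.16.1.15/24 network=172.16.1.0 broadcast=172.16.1.255 interface=WAN2 comment="Fastnet Dari PERAK" disabled=no
add address=172.15.15.2/29 network=172.15.15.0 broadcast=172.15.15.7 interface=WAN3 comment="Fastnet Dari TP" disabled=no
/ ip firewall mangle
# Three nth selectors, but only two mark names: the second and third selector
# both assign "even".
# NOTE(review): with a shared mark the third uplink cannot be told apart in the
# NAT and route tables below - a third mark name is probably intended; confirm.
add chain=prerouting in-interface=LAN connection-state=new nth=1,2,0 action=mark-connection new-connection-mark=odd passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=odd action=mark-routing new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=1,2,1 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=2,3,2 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
# NOTE(review): 172.15.15.1 is the LAN address, and 172.16.1.1 / 10.113.0.2 are
# not assigned to any interface in this listing - verify the NAT addresses.
add chain=srcnat connection-mark=odd action=src-nat to-addresses=172.15.15.1 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=172.16.1.1 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.113.0.2 to-ports=0-65535 comment="" disabled=no
/ ip route
# NOTE(review): the gateway of the "odd" route is the router's own LAN address,
# and 10.113.0.1 / 10.112.0.1 are not on any subnet configured above - confirm.
add dst-address=0.0.0.0/0 gateway=172.15.15.1 scope=7 target-scope=10 routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=172.16.1.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.113.0.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
# Default route without a routing mark.
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" disabled=no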
Mari kita ambil contoh penerapan Nth untuk 4 koneksi. Maka angka Nth untuk masing-masing rule di Mikrotik adalah (counter yang dipakai adalah 4):
Rule 1 = 3,4,0
Rule 2 = 3,4,1
Rule 3 = 3,4,2
Rule 4 = 3,4,3
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Contoh mengabungkan 5 koneksi speedy
# Example: five PPPoE (Speedy ADSL) sessions combined with Nth load balancing.
# NOTE(review): every pppoe-client "add" below is wrapped onto two lines by the
# page layout; on the router the second line belongs to the same command.
# NOTE(review): allow= includes pap, which hands the password to the access
# concentrator unencrypted, and mschap1; restrict the list to the methods the
# provider actually requires - confirm with the ISP.
# User names and passwords are masked on the page. use-peer-dns=no means the
# resolvers offered by the PPPoE server are not taken over.
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-1 max-mru=1480 max-mtu=1480 mrru=disabled
name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-2 max-mru=1480 max-mtu=1480 mrru=disabled
name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-3 max-mru=1480 max-mtu=1480 mrru=disabled
name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-4 max-mru=1480 max-mtu=1480 mrru=disabled
name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-5 max-mru=1480 max-mtu=1480 mrru=disabled
name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
/ip firewall mangle
# New connections arriving on the HotSpot interface are spread over five
# connection marks with nth; each marked connection then gets the routing mark
# of the same name.
# NOTE(review): the HotSpot interface is not defined anywhere in this listing.
add chain=prerouting action=mark-connection new-connection-mark=ADSL-1 passthrough=yes connection-state=new in-interface=HotSpot nth=5,1 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-1 passthrough=no in-interface=HotSpot connection-mark=ADSL-1 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-2 passthrough=yes connection-state=new in-interface=HotSpot nth=5,2 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-2 passthrough=no in-interface=HotSpot connection-mark=ADSL-2 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-3 passthrough=yes connection-state=new in-interface=HotSpot nth=5,3 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-3 passthrough=no in-interface=HotSpot connection-mark=ADSL-3 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-4 passthrough=yes connection-state=new in-interface=HotSpot nth=5,4 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-4 passthrough=no in-interface=HotSpot connection-mark=ADSL-4 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-5 passthrough=yes connection-state=new in-interface=HotSpot nth=5,5 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-5 passthrough=no in-interface=HotSpot connection-mark=ADSL-5 comment="" disabled=no
/ip firewall nat
# [IP-Speedy-n] is a placeholder for the address obtained on each PPPoE session.
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-1] to-ports=0-65535 connection-mark=ADSL-1 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-2] to-ports=0-65535 connection-mark=ADSL-2 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-3] to-ports=0-65535 connection-mark=ADSL-3 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-4] to-ports=0-65535 connection-mark=ADSL-4 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-5] to-ports=0-65535 connection-mark=ADSL-5 comment="" disabled=no
/ip route
# One default route per routing mark, then one default route without a mark.
# NOTE(review): the gateways are named PPPoE-1..5, while the pppoe-client
# entries above carry a different (masked) name= value - make the names match.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-1 routing-mark=ADSL-1
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-2 routing-mark=ADSL-2
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-3 routing-mark=ADSL-3
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-4 routing-mark=ADSL-4
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-5 routing-mark=ADSL-5
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-1
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Setup Filtering Virus
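# Port blocklist for routed traffic, kept in a separate "virus" chain.
# Changes against the printed listing: typographic quotes are replaced by ASCII
# quotes (RouterOS does not treat typographic quotes as string delimiters), and
# the second, duplicate tcp/2745 rule is dropped because the first one already
# matches that port.
# Scope: chain=forward only sees traffic passing through the router. Traffic
# addressed to the router itself is handled in chain=input, which this listing
# does not configure.
/ip firewall filter
# No action is given on the first two rules, so the default (accept) applies.
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
/ip firewall filter
# Everything not accepted above is checked against the blocklist. The labels
# are the author's; a rule blocks a destination port, it does not identify the
# software that uses it, so legitimate services on the same port are blocked too.
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
# 135-139 and 445: Windows RPC, NetBIOS and SMB.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment=""
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=""
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment=""
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
# 1433-1434: Microsoft SQL Server.
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
# NOTE(review): 3128 is also a common HTTP proxy port; clients that use an
# external proxy on it are cut off by this rule.
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"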
Another Port Filtering
# Alternative form: the same kind of port block written directly into the
# forward chain, one full-path command per line, without a separate chain.
# These rules carry no comment= text, so "print" output will not say why a port
# is blocked - consider adding one per rule.
/ip firewall filter add chain=forward dst-port=135-139 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=135-139 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=593 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=4444 protocol=tcp action=drop
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
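# Continuation of the forward-chain port blocks. The first command now starts
# with "/" like all the others, so it no longer depends on the current menu.
/ip firewall filter add chain=forward dst-port=5554 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=9996 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=995-999 protocol=udp action=drop
# NOTE(review): tcp/53 is DNS over TCP. Dropping it in forward stops clients
# behind the router from retrying truncated DNS answers over TCP; keep this
# rule only if that is intended.
/ip firewall filter add chain=forward dst-port=53 protocol=tcp action=drop
# NOTE(review): the page gives no reason for tcp/55 - confirm it is not a typo.
/ip firewall filter add chain=forward dst-port=55 protocol=tcp action=drop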
Setup Web proxy
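# Enables the built-in web proxy on port 8080 in transparent mode.
# Change against the printed listing: typographic quotes are replaced by ASCII
# quotes, which is what RouterOS accepts as string delimiters.
# NOTE(review): nothing here limits who may use the proxy. If port 8080 can be
# reached from the WAN side the router acts as an open proxy; restrict it with
# the proxy's access list or an input-chain filter rule on the WAN interfaces.
# NOTE(review): cache size and RAM cache are both "unlimited" and the cache
# sits on the system drive - confirm the device has the storage for that.
/ ip web-proxy
set enabled=yes
set src-address=0.0.0.0
set port=8080
set hostname="proxy.xps"
set transparent-proxy=yes
# 0.0.0.0:0 presumably means that no parent proxy is used - confirm.
set parent-proxy=0.0.0.0:0
set cache-administrator="progtel2004@yahoo.com"
set max-object-size=4096KiB
set cache-drive=system
set max-cache-size=unlimited
set max-ram-cache-size=unlimited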
Add NAT rules that redirect the web ports to the proxy (squid) so that it works transparently
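# NAT for the transparent proxy.
# Change against the printed listing: the redirects for ports 3128 and 8080 now
# carry in-interface=LAN like the port-80 rule. Without an interface match they
# also applied to connections arriving on the WAN ports and handed those to the
# proxy as well.
/ ip firewall nat
# Outbound traffic leaving through WAN1 is masqueraded.
add chain=srcnat out-interface=WAN1 action=masquerade comment="" disabled=no
# HTTP and the usual proxy ports coming from LAN clients go to the local proxy.
add chain=dstnat in-interface=LAN protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="" disabled=no
add chain=dstnat in-interface=LAN protocol=tcp dst-port=3128 action=redirect to-ports=8080
add chain=dstnat in-interface=LAN protocol=tcp dst-port=8080 action=redirect to-ports=8080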
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Setup Pemisahan IIX dan IX
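# Script that adds the BGP IP prefixes registered on the INDO (OIXP) router
# to a RouterOS address list named "indo", then marks traffic as Indonesian
# or overseas.
# Changes against the printed listing: typographic quotes are replaced by ASCII
# quotes, and the two "overseas" rules are merged into one that requires BOTH
# ends to be outside the list. As printed, every connection between a LAN
# client and a listed prefix matched an "overseas" rule after the "indonesia"
# rule (the LAN end is never in the list), so the later mark replaced the
# earlier one and no connection kept the indonesia mark.
/sys note set show-at-login=yes note="XP Solution Surabaya "
/ip firewall address-list
# A dummy entry is added and then every entry of the list is removed,
# presumably so that the script can be re-run on a router where the list is
# still empty - confirm.
add list=indo address="1.2.3.4"
rem [find list=indo]
# NOTE(review): the prefixes are a static snapshot; compare them with a current
# source before relying on the classification.
add list=indo address="167.205.0.0/16"
add list=indo address="222.124.0.0/16"
add list=indo address="61.94.0.0/16"
add list=indo address="125.162.0.0/16"
add list=indo address="125.163.0.0/16"
add list=indo address="125.160.0.0/16"
add list=indo address="125.161.0.0/16"
add list=indo address="125.164.0.0/16"
/ ip firewall mangle
add chain=forward src-address-list=indo action=mark-connection new-connection-mark=mark-con-indonesia passthrough=yes comment="mark all indonesia source connection traffic" disabled=no
add chain=forward dst-address-list=indo action=mark-connection new-connection-mark=mark-con-indonesia passthrough=yes comment="mark all indonesia destination connection traffic" disabled=no
add chain=forward src-address-list=!indo dst-address-list=!indo action=mark-connection new-connection-mark=mark-con-overseas passthrough=yes comment="mark all overseas connection traffic" disabled=no
# Packet marks are derived from the connection mark.
# NOTE(review): prerouting runs before forward, so the first packet of a
# connection reaches these rules before it has a connection mark.
add chain=prerouting connection-mark=mark-con-indonesia action=mark-packet new-packet-mark=indonesia passthrough=yes comment="mark all Indonesia traffic" disabled=no
add chain=prerouting connection-mark=mark-con-overseas action=mark-packet new-packet-mark=overseas passthrough=yes comment="mark all overseas traffic" disabled=no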
Queuing
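# Simple queues that limit traffic by packet mark: 256000/256000 for packets
# marked "indonesia", 128000/128000 for packets marked "overseas".
# Changes against the printed listing: each command is back on one line,
# "maxlimit=" (hyphen lost at the page line break) is restored to "max-limit=",
# and typographic quotes are replaced by ASCII quotes.
/ queue simple
add name="RTRW Net" target-addresses=10.111.0.2/24 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=indonesia direction=both priority=8 queue=default/default limit-at=0/0 max-limit=256000/256000 total-queue=default disabled=no
add name="Laptop Acer Intl" target-addresses=192.168.2.0/24 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=overseas direction=both priority=8 queue=default/default limit-at=0/0 max-limit=128000/128000 total-queue=default disabled=no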
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Script untuk melakukan Reset Mikrotik
# Creates a script named "destroy" whose body is "system reset", and a
# scheduler entry "ancur" that runs it at a set date and time.
# masukkin_tanggalnya / masukiin_jamnya are placeholders ("enter the date" /
# "enter the time"); the scheduler command is wrapped onto two lines by the
# page layout.
# NOTE(review): when the entry fires, the reset discards the running
# configuration. Keep a verified backup off the router, and when auditing a
# device check "/system script print" and "/system scheduler print" for
# entries of this kind that nobody on the team created.
system script add name=destroy source={system reset}
system scheduler add name=ancur on-event=destroy start-date=masukkin_tanggalnya
start-time=masukiin_jamnya
Backup, Restore, Export dan Import Setting
Backup berlaku untuk semua setting yang ada saat itu.
>system backup save name=backup_setting
Restore berlaku untuk semua setting yang ada saat itu.
>system backup load name=backup_setting
Export berlaku untuk semua setting pada directory aktif saat itu. Contoh : bila aktif pada directory simple queue, maka hanya directory tersebut yang disimpan ke file. Sehingga, bila aktif pada directory
root “/” maka semua setting akan diexport.
>queue simple export file=simple_queue
Import hanya berjalan dari root “/” dan hanya berlaku untuk file dengan ext .rsc.
>import simple_queue.rsc
Perbedaan export dan backup terletak pada file hasil, dimana file hasil dari backup berupa file binary dan file dari proses export berupa text file, dan hal itu merupakan suatu kelebihan, misal bisa dicetak
untuk dokumentasi dsb.
Script dan Schedule
Setting schedule auto shutdown. Pertama buat script shutdown dalam contoh ini diberi nama “autodown”.
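# Script "autodown": shuts the router down. Typographic quotes replaced by
# ASCII quotes so the command can be pasted as printed.
>system script add name="autodown" source="system shutdown"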
Kemudian buat schedule untuk shutdown.
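# Runs "autodown" daily at 18:10:00, starting nov/19/2007. Typographic quotes
# replaced by ASCII quotes.
>system scheduler add name="mikrotikdown" on-event=autodown start-date=nov/19/2007 start-time=18:10:00 interval=1d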
Untuk memudahkan backup, selain disimpan pada server mikrotik sendiri, perlu juga disimpan pada komputer lain. Salah satu alternatif pengiriman file otomatis adalah menggunakan email; selain itu,
bisa juga dilakukan dengan menggunakan ftp.
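# Script "autobackup": exports the configuration to backup_setting.rsc and
# mails the file through the SMTP server 192.168.1.103.
# Changes against the printed listing: the missing "=" after source is added,
# the command is back on one line, the outer string is closed, and the quotes
# inside the script body are escaped so they do not end the outer string.
# NOTE(review): an export is a plain-text file and can contain credentials
# that are stored in the configuration. It is sent here to an external mailbox
# with no transport protection shown - treat that mailbox as holding secrets,
# or send the file to a host inside the network instead.
# NOTE(review): the recipient ends in "yahoo.co" on the page; verify the address.
>system script add name="autobackup" source="/ export file=backup_setting\n/ tool e-mail send to=progtel2004@yahoo.co subject=\"backup setting mikrotik\" from=007@yahoo.com body=\"file backup setting mikrotik\" server=192.168.1.103 file=\"backup_setting.rsc\""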
Kemudian buat schedule untuk backup mingguan.
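# Runs "autobackup" weekly at 08:30:00, starting dec/10/2007. Typographic
# quotes replaced by ASCII quotes.
>system scheduler add name="mikrotikbackup" on-event=autobackup start-date=dec/10/2007 start-time=08:30:00 interval=1w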
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Simple Queue VS Que Tree :
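# Three-level simple queue: "XPS" for the whole 192.168.0.0/24 network, "USER"
# below it for nine hosts, "Client-1" below that for a single host.
# Changes against the printed listing: each command is back on one line,
# "maxlimit=" (hyphen lost at the page line break) is restored to "max-limit=",
# the missing comma between 192.168.0.7/32 and 192.168.0.8/32 is added, and
# typographic quotes are replaced by ASCII quotes.
/queue simple
add name="XPS" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=1000000/1000000 total-queue=default-small disabled=no
add name="USER" target-addresses=192.168.0.2/32,192.168.0.3/32,192.168.0.4/32,192.168.0.5/32,192.168.0.6/32,192.168.0.7/32,192.168.0.8/32,192.168.0.9/32,192.168.0.10/32 dst-address=0.0.0.0/0 interface=all parent=XPS direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=384000/384000 total-queue=default-small disabled=no
# NOTE(review): interface=Lan differs in case from the LAN interface name used
# elsewhere on the page - confirm the interface name on the router.
add name="Client-1" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=Lan parent=USER direction=both priority=8 queue=default-small/default-small limit-at=16000/16000 max-limit=32000/64000 total-queue=default-small disabled=no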
Contoh configurasi Queue Tree:
Mangle
Sebelum kita Meng konfigure Queue Tree kita buat dulu Connection-mark di table mangle.
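# Marks used by the queue tree: connection mark "lokal" for everything to or
# from 192.168.10.0/24, then packet marks for ICMP and for two single hosts.
# Change against the printed listing: the mixed typographic/ASCII quote pairs
# in comment= are replaced by plain ASCII quotes.
/ip firewall mangle
add chain=forward src-address=192.168.10.0/24 action=mark-connection new-connection-mark=lokal passthrough=yes comment="" disabled=no
add chain=forward dst-address=192.168.10.0/24 action=mark-connection new-connection-mark=lokal passthrough=yes comment="" disabled=no
# ICMP of marked connections gets its own packet mark; passthrough=no ends
# processing for the packet, so the host rules below only see non-ICMP traffic.
add chain=forward protocol=icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-icmp passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.10.1 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-1 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.10.1 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-1 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.10.2 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-2 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.10.2 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-2 passthrough=no comment="" disabled=no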
Queue-tree:
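# Queue tree built on the lokal-* packet marks: an "upload" parent on ether1
# and a "download" parent on global-out, each with one child per packet mark.
# Changes against the printed listing: typographic quotes are replaced by ASCII
# quotes, and the queue name "icmd-upload" is corrected to "icmp-upload" to
# match "icmp-download".
/queue tree
add name="upload" parent=ether1 packet-mark="" limit-at=0 queue=default priority=1 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="icmp-upload" parent=upload packet-mark=lokal-icmp limit-at=0 queue=default priority=3 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-1-upload" parent=upload packet-mark=lokal-1 limit-at=0 queue=default priority=5 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-2-upload" parent=upload packet-mark=lokal-2 limit-at=0 queue=default priority=5 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="download" parent=global-out packet-mark="" limit-at=0 queue=default priority=1 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="icmp-download" parent=download packet-mark=lokal-icmp limit-at=0 queue=default priority=3 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-1-download" parent=download packet-mark=lokal-1 limit-at=0 queue=default priority=5 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-2-download" parent=download packet-mark=lokal-2 limit-at=0 queue=default priority=5 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no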
Another simple queue
Konfigurasi Simple Queue dan Queue Tree ini mudah-mudahan bisa menjadi referensi untuk Anda yang akan menggunakan limiter bandwidth dengan Mikrotik.
Configurasi Simple Queue:
Anda bisa membuat kelompok (parent) untuk client-kusus dengan bandwith 256kbps yang didalamnya terdiri dari 3 user sehingga bandwith 256 tadi akan di share untuk 3 user tesebut, dan parent2 yang
lainpun bisa anda buat sesuai keinginan anda.
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
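# Simple queue hierarchy: "CLIENT" for 192.168.0.0/24, a 256000/256000 group
# "Client-kusus" below it, and three per-host queues sharing that group.
# Changes against the printed listing:
#  - each command is back on one line; "maxlimit=" and "defaultsmall/" (hyphen
#    lost at the page line break) are restored to "max-limit=" and
#    "default-small/";
#  - the stray comma before dst-address= in "Client-kusus" is replaced by a space;
#  - parent=CUSTOMER is changed to parent=CLIENT, the only top-level queue this
#    listing defines;
#  - typographic quotes are replaced by ASCII quotes.
/queue simple
add name="CLIENT" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=1000000/1000000 total-queue=default-small
add name="Client-kusus" target-addresses=192.168.0.1/32,192.168.0.2/32,192.168.0.3/32 dst-address=0.0.0.0/0 interface=all parent=CLIENT direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=256000/256000 total-queue=default-small
add name="mylove" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/8000 max-limit=32000/56000 total-queue=default-small
add name="myfriend" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/8000 max-limit=32000/56000 total-queue=default-small
# NOTE(review): limit-at is 16000/0 here but 16000/8000 on the two queues
# above - confirm whether the difference is intended.
add name="maymay" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/0 max-limit=32000/56000 total-queue=default-small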
Contoh configurasi Queue Tree:
Mangle :
Sebelum kita Meng konfigure Queue Tree kita buat dulu Connection-mark di table mangle.
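# Marks used by the queue tree: connection mark "local" for everything to or
# from 192.168.0.0/24, then packet marks for ICMP and for two single hosts.
# Change against the printed listing: the misspelled parameter
# "new-connectioan-mark" is corrected to "new-connection-mark" in both
# mark-connection rules.
/ip firewall mangle
add chain=forward src-address=192.168.0.0/24 action=mark-connection new-connection-mark=local passthrough=yes
add chain=forward dst-address=192.168.0.0/24 action=mark-connection new-connection-mark=local passthrough=yes
# ICMP of marked connections gets its own packet mark; passthrough=no ends
# processing for the packet, so the host rules below only see non-ICMP traffic.
add chain=forward protocol=icmp connection-mark=local action=mark-packet new-packet-mark=local-icmp passthrough=no
add chain=forward src-address=192.168.0.1 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-1 passthrough=no
add chain=forward dst-address=192.168.0.1 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-1 passthrough=no
add chain=forward src-address=192.168.0.2 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-2 passthrough=no
add chain=forward dst-address=192.168.0.2 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-2 passthrough=no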
Queue-Tree :
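# Queue tree built on the local-* packet marks.
# [int-ke-internet] and [int-ke-local] are placeholders for the interface
# toward the Internet and the interface toward the local network.
# Changes against the printed listing: typographic quotes and double-prime
# characters are replaced by ASCII quotes, and the last max-limit is written
# as 128K (it was printed as 128, while the matching local-1-download queue
# uses 128K).
/queue tree
add name="upload" parent=[int-ke-internet] packet-mark="" priority=1 max-limit=256K
add name="icmp-upload" parent=upload packet-mark="local-icmp" priority=3 max-limit=32K
add name="local-1-upload" parent=upload packet-mark="local-1" priority=5 max-limit=64K
add name="local-2-upload" parent=upload packet-mark="local-2" priority=5 max-limit=64K
add name="download" parent=[int-ke-local] packet-mark="" priority=1 max-limit=512K
add name="icmp-download" parent=download packet-mark="local-icmp" priority=3 max-limit=64K
add name="local-1-download" parent=download packet-mark="local-1" priority=5 max-limit=128K
add name="local-2-download" parent=download packet-mark="local-2" priority=5 max-limit=128K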
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Memanipulasi ToS ICMP & DNS di MikroTik
Tujuan :
* Memperkecil delay ping dari sisi klien ke arah Internet.
* Mempercepat resolving hostname ke ip address.
Asumsi : Klien-klien berada pada subnet 10.10.10.0/28
1. Memanipulasi Type of Service untuk ICMP Packet :
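# Marks ICMP traffic from the client subnet and rewrites its DSCP value to 0.
# Change against the printed listing: src-address=0.0.0.0 matched only packets
# whose source is literally 0.0.0.0; it is replaced by the client subnet
# 10.10.10.0/28 stated in the assumptions of this section.
/ ip firewall mangle
add chain=prerouting src-address=10.10.10.0/28 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes
add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes
add chain=prerouting packet-mark=ICMP-PM action=change-dscp new-dscp=0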
2. Memanipulasi Type of Service untuk DNS Resolving :
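# Marks DNS traffic (tcp and udp port 53) from the client subnet and rewrites
# its DSCP value to 0.
# Change against the printed listing: src-address=0.0.0.0 matched only packets
# whose source is literally 0.0.0.0; it is replaced by the client subnet
# 10.10.10.0/28 stated in the assumptions of this section.
/ ip firewall mangle
add chain=prerouting src-address=10.10.10.0/28 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
add chain=prerouting src-address=10.10.10.0/28 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes
add chain=prerouting packet-mark=DNS-PM action=change-dscp new-dscp=0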
3. Menambahkan Queue Type :
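# Packet FIFO queue type limited to 64 packets. The typographic closing quote
# after the name is replaced by an ASCII quote so the string is terminated.
/queue type add name="PFIFO-64" kind=pfifo pfifo-limit=64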
4. Mengalokasikan Bandwidth untuk ICMP Packet :
# Queue for packets marked ICMP-PM: priority 1, limit-at 8000, max-limit 16000,
# using the PFIFO-64 queue type.
# NOTE(review): parent=WAN - the interfaces elsewhere on the page are named
# WAN1/WAN2/WAN3; confirm the parent name on the router.
/queue tree add name=ICMP parent=WAN packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
5. Mengalokasikan Bandwidth untuk DNS Resolving :
# Queue for packets marked DNS-PM: priority 1, limit-at 8000, max-limit 16000,
# using the PFIFO-64 queue type.
# NOTE(review): parent=WAN - the interfaces elsewhere on the page are named
# WAN1/WAN2/WAN3; confirm the parent name on the router.
/queue tree add name=DNS parent=WAN packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
New Load Balance
# Load balancing by source address: each block of client addresses is given a
# fixed routing mark (GroupA..GroupD), so a client always uses the same uplink.
# The routes that consume these routing marks are not part of this listing.
# NOTE(review): the first range starts at 10.1.0.1 while its comment says
# 10.1.0.2; 10.1.0.1 is the router's LAN address in the earlier examples -
# confirm which start address is intended.
# NOTE(review): the assignment trusts the client's source address; a client
# that changes its own IP lands in a different group. Bind addresses to
# clients (for example with static DHCP leases) if the grouping must hold.
/ip firewall mangle
add chain=prerouting src-address=10.1.0.1-10.1.0.6 action=mark-routing new-routing-mark=GroupA comment="IP 10.1.0.2-10.1.0.6"
add chain=prerouting src-address=10.1.0.9-10.1.0.14 action=mark-routing new-routing-mark=GroupB comment="IP 10.1.0.9-10.1.0.14"
add chain=prerouting src-address=10.1.0.17-10.1.0.22 action=mark-routing new-routing-mark=GroupC comment="IP 10.1.0.17-10.1.0.22"
add chain=prerouting src-address=10.1.0.25-10.1.0.30 action=mark-routing new-routing-mark=GroupD comment="IP 10.1.0.25-10.1.0.30"
Layer 7 Protocol Site
http://www.mikrotik.com/download/l7-protos.rsc
Marking Packet IIX & International
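# Marks connections from LAN by destination: connection mark IIX when the
# destination is in the "indo" address list, INTL otherwise; each connection
# mark is then turned into a packet mark.
# Change against the printed listing: typographic quotes are replaced by ASCII
# quotes; the packet mark names contain a space and must be quoted.
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark="IIX" passthrough=yes dst-address-list=indo in-interface=LAN
add chain=prerouting action=mark-packet new-packet-mark="Packet IIX" passthrough=no connection-mark=IIX
add chain=prerouting action=mark-connection new-connection-mark="INTL" passthrough=yes dst-address-list=!indo in-interface=LAN
add chain=prerouting action=mark-packet new-packet-mark="Packet INTL" passthrough=no connection-mark=INTL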
# Two-uplink Nth load balancing (this listing repeats the "2 ISP" example
# given earlier on the page).
interface ethernet set ether4 name=LAN
interface ethernet set ether3 name=WAN1
interface ethernet set ether2 name=WAN2
interface ethernet set ether1 name=WAN3
/ ip address
# NOTE(review): WAN3 is renamed above but receives no address here.
add address=10.1.0.1/27 network=10.1.0.0 broadcast=10.1.0.31 interface=LAN comment="LAN IP" disabled=no
add address=10.111.0.4/29 network=10.111.0.0 broadcast=10.111.0.7 interface=WAN1 comment="Fastnet A1/17" disabled=no
add address=10.112.0.2/29 network=10.112.0.0 broadcast=10.112.0.7 interface=WAN2 comment="Fastnet A1/1" disabled=no
# Upstream resolvers; remote requests are set to "no", so the router is not
# configured to answer DNS queries from other hosts.
# NOTE(review): no leading "/" on these two lines although they follow
# "/ ip address" - confirm they are run from the root menu.
ip dns set primary-dns=202.73.99.8 allow-remote-request=no
ip dns set secondary-dns=61.247.0.8 allow-remote-request=no
/ ip firewall mangle
# New LAN connections are split with nth into the connection marks odd/even;
# marked connections then get the routing mark of the same name.
# NOTE(review): the nth argument format depends on the RouterOS version - confirm.
add chain=prerouting in-interface=LAN connection-state=new nth=2,2 action=mark-connection new-connection-mark=odd passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=odd action=mark-routing new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=2,1 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
# NOTE(review): the to-addresses values are not the addresses assigned to WAN1
# and WAN2 above - verify they are routed to this router.
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.112.0.6 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.111.0.6 to-ports=0-65535 comment="" disabled=no
/ ip route
# One default route per routing mark, then two default routes without a mark.
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 comment="" disabled=no
# NOTE(review): the DHCP pool and network are in 192.168.0.0/24 while the LAN
# address is 10.1.0.1/27 - confirm the intended subnet.
/ip pool add name=dhcp-pool ranges=192.168.0.31-192.168.0.100
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.2
/ip dhcp-server add interface=LAN address-pool=dhcp-pool
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Contoh 3 koneksi load balance
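/ ip address
# LAN plus three uplinks.
# NOTE(review): 172.15.15.0 is outside the private range 172.16.0.0/12, and the
# WAN3 subnet 172.15.15.0/29 overlaps the LAN subnet 172.15.15.0/25 — confirm
# the addressing before reuse.
add address=172.15.15.1/25 network=172.15.15.0 broadcast=172.15.15.127 interface=LAN comment="LAN IP" disabled=no
add address=10.111.0.2/29 network=10.111.0.0 broadcast=10.111.0.7 interface=WAN1 comment="WAN1" disabled=no
add address=172.16.1.15/24 network=172.16.1.0 broadcast=172.16.1.255 interface=WAN2 comment="Fastnet Dari PERAK" disabled=no
add address=172.15.15.2/29 network=172.15.15.0 broadcast=172.15.15.7 interface=WAN3 comment="Fastnet Dari TP" disabled=no
/ ip firewall mangle
# New LAN connections are split with nth and marked, then each connection mark
# is converted into a routing mark. The first rule's comment="" had a
# typographic closing quote, replaced here so the rule parses.
# NOTE(review): the three nth values (1,2,0 / 1,2,1 / 2,3,2) do not share one
# every/counter pair, and the third group reuses the mark "even" — compare with
# the 3,4,0 .. 3,4,3 pattern the text gives for four links and confirm.
add chain=prerouting in-interface=LAN connection-state=new nth=1,2,0 action=mark-connection new-connection-mark=odd passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=odd action=mark-routing new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=1,2,1 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=2,3,2 action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=LAN connection-mark=even action=mark-routing new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
# NOTE(review): 172.15.15.1 is the LAN address, 172.16.1.1 is used as a gateway
# below, and 10.113.0.2 is not assigned to any interface in this example —
# confirm the src-nat targets; the second "even" rule is never reached.
add chain=srcnat connection-mark=odd action=src-nat to-addresses=172.15.15.1 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=172.16.1.1 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.113.0.2 to-ports=0-65535 comment="" disabled=no
/ ip route
# One default route per routing mark.
# NOTE(review): the leading asterisks on the last line are not RouterOS syntax
# (probably emphasis markup), and its gateway 10.112.0.1 is on no subnet
# configured in this example — confirm before use.
add dst-address=0.0.0.0/0 gateway=172.15.15.1 scope=7 target-scope=10 routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=172.16.1.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.113.0.1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
****add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" disabled=no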
Mari kita ambil contoh untuk penerapan Nth untuk 4 koneksi. Maka Angka Nth untuk masing2 rule di Mikrotik adalah (counter yg dipakai adalah 4) :
Rule 1 = 3,4,0
Rule 2 = 3,4,1
Rule 3 = 3,4,2
Rule 4 = 3,4,3
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Contoh mengabungkan 5 koneksi speedy
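/interface pppoe-client
# Five PPPoE sessions, one per physical interface Speedy-1 .. Speedy-5.
# Each entry was wrapped onto two lines on the page; it is rejoined here because
# a line that starts with name=... is read as a separate command.
# Credentials are masked in the source and must be filled in per line.
# NOTE(review): allow= includes pap (password sent in clear text) and mschap1;
# keep only the strongest methods the provider actually accepts.
# NOTE(review): the routes later in this example use gateway=PPPoE-1 .. PPPoE-5,
# so name= presumably should be PPPoE-N with the @telkom.net value in user= — confirm.
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-1 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-2 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-3 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-4 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-5 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"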
/ip firewall mangle
# Each new connection arriving on HotSpot is picked up by one of five nth rules
# and given connection mark ADSL-1 .. ADSL-5; the rule after it converts that
# connection mark into a routing mark of the same name.
# NOTE(review): connections from one client leave through different public
# addresses, which can break sites that tie a login session to the source IP.
add chain=prerouting action=mark-connection new-connection-mark=ADSL-1 passthrough=yes connection-state=new in-interface=HotSpot nth=5,1 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-1 passthrough=no in-interface=HotSpot connection-mark=ADSL-1 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-2 passthrough=yes connection-state=new in-interface=HotSpot nth=5,2 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-2 passthrough=no in-interface=HotSpot connection-mark=ADSL-2 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-3 passthrough=yes connection-state=new in-interface=HotSpot nth=5,3 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-3 passthrough=no in-interface=HotSpot connection-mark=ADSL-3 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-4 passthrough=yes connection-state=new in-interface=HotSpot nth=5,4 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-4 passthrough=no in-interface=HotSpot connection-mark=ADSL-4 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=ADSL-5 passthrough=yes connection-state=new in-interface=HotSpot nth=5,5 comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=ADSL-5 passthrough=no in-interface=HotSpot connection-mark=ADSL-5 comment="" disabled=no
/ip firewall nat
# Source-NAT each marked connection to the address of its own line.
# [IP-Speedy-N] are placeholders, not literal values.
# NOTE(review): if the PPPoE addresses are assigned dynamically, a fixed
# to-addresses goes stale after a reconnect — confirm, or masquerade per
# out-interface instead.
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-1] to-ports=0-65535 connection-mark=ADSL-1 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-2] to-ports=0-65535 connection-mark=ADSL-2 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-3] to-ports=0-65535 connection-mark=ADSL-3 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-4] to-ports=0-65535 connection-mark=ADSL-4 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=[IP-Speedy-5] to-ports=0-65535 connection-mark=ADSL-5 comment="" disabled=no
/ip route
# One default route per routing mark, plus an unmarked default via PPPoE-1.
# NOTE(review): gateway=PPPoE-N has to match the pppoe-client interface names;
# the pppoe-client entries in this example set name= to the masked
# @telkom.net value — confirm the names agree.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-1 routing-mark=ADSL-1
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-2 routing-mark=ADSL-2
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-3 routing-mark=ADSL-3
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-4 routing-mark=ADSL-4
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-5 routing-mark=ADSL-5
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-1
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Setup Filtering Virus
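/ip firewall filter
# Stateful baseline for forwarded traffic. The first two rules carry no action=,
# so they use the default action (accept); invalid packets are dropped.
# Typographic quotes in every comment= were replaced with ASCII quotes so the
# rules parse.
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
/ip firewall filter
# Remaining forwarded traffic is sent through the "virus" chain, which drops
# destination ports associated with old worms and backdoors; packets matching
# no rule return to chain=forward.
# NOTE(review): established/related packets are accepted before the jump, so
# these drops act on new connections only.
# NOTE(review): only chain=forward is covered; traffic addressed to the router
# itself is handled by chain=input, which this listing does not configure.
# NOTE(review): the list is port-based, so legitimate services on the same
# ports (for example SMB on 445 or SQL Server on 1433-1434) are blocked too —
# confirm that is acceptable for the routed networks.
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment=""
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=""
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment=""
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
# tcp/2745 is listed twice (here and three rules below); the second copy never matches.
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"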
Another Port Filtering
# Alternative without a separate chain: drop forwarded traffic to ports
# 135-139, 445, 593 and 4444 directly in chain=forward.
# Rule position matters: these must sit above any rule that accepts the same
# traffic. Only routed traffic is affected, not traffic to the router itself.
/ip firewall filter add chain=forward dst-port=135-139 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=135-139 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=593 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=4444 protocol=tcp action=drop
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
# Further drops in chain=forward for tcp/5554, tcp/9996, udp/995-999, tcp/53
# and tcp/55.
# NOTE(review): dropping tcp/53 blocks DNS over TCP for routed clients, which
# resolvers fall back to for answers too large for UDP — confirm this is wanted.
# NOTE(review): tcp/55 is not a commonly used service port; possibly a typo — confirm.
ip firewall filter add chain=forward dst-port=5554 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=9996 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=995-999 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=53 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=55 protocol=tcp action=drop
Setup Web proxy
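/ ip web-proxy
# Enable the built-in web proxy on port 8080 in transparent mode.
# Typographic quotes around hostname and cache-administrator were replaced
# with ASCII quotes so the values parse as strings.
# NOTE(review): nothing here limits who may use the proxy; pair it with a proxy
# access list or an input-chain filter so only LAN clients can reach port 8080.
# NOTE(review): max-cache-size and max-ram-cache-size are unlimited with
# cache-drive=system — confirm the device has the storage and memory for that.
set enabled=yes
set src-address=0.0.0.0
set port=8080
set hostname="proxy.xps"
set transparent-proxy=yes
set parent-proxy=0.0.0.0:0
set cache-administrator="progtel2004@yahoo.com"
set max-object-size=4096KiB
set cache-drive=system
set max-cache-size=unlimited
set max-ram-cache-size=unlimited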
add nat for redirect port for squid to make transparant
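/ ip firewall nat
# Masquerade traffic leaving through WAN1.
add chain=srcnat out-interface=WAN1 action=masquerade comment="" disabled=no
# Transparent proxy: send LAN web traffic to the local proxy on port 8080.
add chain=dstnat in-interface=LAN protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="" disabled=no
# The next two redirects originally had no in-interface, so they also matched
# connections arriving from the WAN side and handed them to the proxy. They are
# limited to the LAN here, like the port-80 rule.
# Direct connections to port 8080 on the router still need an input-chain
# filter rule on the WAN interfaces; a dstnat restriction alone does not close it.
add chain=dstnat in-interface=LAN protocol=tcp dst-port=3128 action=redirect to-ports=8080
add chain=dstnat in-interface=LAN protocol=tcp dst-port=8080 action=redirect to-ports=8080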
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Setup Pemisahan IIX dan IX
# Script that adds the BGP IP prefixes registered at the INDO (OIXP) router
# to a RouterOS ADDRESS-LIST named "indo"
/sys note set show-at-login=yes note="XP Solution Surabaya "
/ip firewall address-list
# A dummy entry is added and then every entry of list "indo" is removed, so the
# list is rebuilt from scratch each time the script runs (presumably the dummy
# keeps the remove from acting on an empty result — confirm).
add list=indo address="1.2.3.4"
rem [find list=indo]
# NOTE(review): these prefixes are hard-coded; rules that classify traffic by
# this list are only as accurate as the list is current.
add list=indo address="167.205.0.0/16"
add list=indo address="222.124.0.0/16"
add list=indo address="61.94.0.0/16"
add list=indo address="125.162.0.0/16"
add list=indo address="125.163.0.0/16"
add list=indo address="125.160.0.0/16"
add list=indo address="125.161.0.0/16"
add list=indo address="125.164.0.0/16"
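/ ip firewall mangle
# Mark forwarded connections as Indonesian or overseas by address list "indo",
# then derive packet marks "indonesia" / "overseas" from the connection mark.
# Typographic quotes in comment= were replaced with ASCII quotes so the rules parse.
# NOTE(review): all four mark-connection rules use passthrough=yes and are
# evaluated in order, so a later match overwrites an earlier one. A packet with
# only one end in "indo" matches an indonesia rule and then an overseas rule
# (its other end is "!indo"), which leaves it marked overseas — confirm the
# intended logic before relying on these marks for queues.
add chain=forward src-address-list=indo action=mark-connection new-connection-mark=mark-con-indonesia passthrough=yes comment="mark all indonesia source connection traffic" disabled=no
add chain=forward dst-address-list=indo action=mark-connection new-connection-mark=mark-con-indonesia passthrough=yes comment="mark all indonesia destination connection traffic" disabled=no
add chain=forward src-address-list=!indo action=mark-connection new-connection-mark=mark-con-overseas passthrough=yes comment="mark all overseas source connection traffic" disabled=no
add chain=forward dst-address-list=!indo action=mark-connection new-connection-mark=mark-con-overseas passthrough=yes comment="mark all overseas destination connection traffic" disabled=no
add chain=prerouting connection-mark=mark-con-indonesia action=mark-packet new-packet-mark=indonesia passthrough=yes comment="mark all Indonesia traffic" disabled=no
add chain=prerouting connection-mark=mark-con-overseas action=mark-packet new-packet-mark=overseas passthrough=yes comment="mark all overseas traffic" disabled=no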
Queing
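/ queue simple
# Two simple queues keyed on the packet marks "indonesia" and "overseas":
# 256000/256000 for the first target, 128000/128000 for the second.
# Each entry was wrapped onto two lines on the page (the first also lost the
# hyphen in max-limit at the break); both are rejoined here, and the
# typographic quotes around the names are ASCII quotes.
add name="RTRW Net" target-addresses=10.111.0.2/24 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=indonesia direction=both priority=8 queue=default/default limit-at=0/0 max-limit=256000/256000 total-queue=default disabled=no
add name="Laptop Acer Intl" target-addresses=192.168.2.0/24 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=overseas direction=both priority=8 queue=default/default limit-at=0/0 max-limit=128000/128000 total-queue=default disabled=no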
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Script untuk melakukan Reset Mikrotik
# Defines a script named "destroy" whose body is "system reset", and a scheduler
# entry "ancur" that runs it at the given date and time.
# start-date and start-time hold placeholder text that must be replaced with
# real values (the scheduler line is wrapped across two lines on the page).
# A reset erases the router's configuration, so take a backup first; when
# auditing a router, scheduler entries that call a reset script deserve review.
system script add name=destroy source={system reset}
system scheduler add name=ancur on-event=destroy start-date=masukkin_tanggalnya
start-time=masukiin_jamnya
Backup, Restore, Export dan Import Setting
Backup berlaku untuk semua setting yang ada saat itu.
>system backup save name=backup_setting
Restore berlaku untuk semua setting yang ada saat itu.
>system backup load name=backup_setting
Export berlaku untuk semua setting pada directory aktif saat itu. Contoh : bila aktif pada directory simple queue, maka hanya directory tersebut yang disimpan ke file. Sehingga, bila aktif pada directory
root “/” maka semua setting akan diexport.
>queue simple export file=simple_queue
Import hanya berjalan dari root “/” dan hanya berlaku untuk file dengan ext .rsc.
>import simple_queue.rsc
Perbedaan export dan backup terletak pada file hasil, dimana file hasil dari backup berupa file binary dan file dari proses export berupa text file, dan hal itu merupakan suatu kelebihan, misal bisa dicetak
untuk dokumentasi dsb.
Script dan Schedule
Setting schedule auto shutdown. Pertama buat script shutdown dalam contoh ini diberi nama “autodown”.
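# Script "autodown" shuts the router down. Typographic quotes were replaced
# with ASCII quotes so name= and source= parse as strings.
>system script add name="autodown" source="system shutdown"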
Kemudian buat schedule untuk shutdown.
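# Run "autodown" every day (interval=1d) at 18:10:00, starting nov/19/2007.
# The typographic quotes around the name were replaced with ASCII quotes.
>system scheduler add name="mikrotikdown" on-event=autodown start-date=nov/19/2007 start-time=18:10:00 interval=1d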
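Untuk memudahkan backup, selain disimpan pada server mikrotik sendiri, file perlu juga disimpan pada komputer lain. Salah satu alternatif pengiriman file otomatis adalah menggunakan email; selain itu, bisa juga dilakukan dengan menggunakan ftp. Karena file export memuat seluruh konfigurasi router, kirimkan hanya ke tujuan yang dipercaya dan, bila memungkinkan, lewat jalur yang terenkripsi.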
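# Script "autobackup": export the whole configuration to backup_setting.rsc,
# then mail that file. source was missing its "=", the string was never closed,
# and the quotes were typographic; the command is rejoined onto one line with
# the inner quotes escaped so the script body stays a single string.
# NOTE(review): the export is a plain-text copy of the router configuration and
# no TLS option is set for the SMTP server at 192.168.1.103 — confirm the
# recipient address and the path the mail takes.
>system script add name="autobackup" source="/ export file=backup_setting\n/ tool e-mail send to=progtel2004@yahoo.co subject=\"backup setting mikrotik\" from=007@yahoo.com body=\"file backup setting mikrotik\" server=192.168.1.103 file=\"backup_setting.rsc\""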
Kemudian buat schedule untuk backup mingguan.
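# Run "autobackup" once a week (interval=1w) at 08:30:00, starting dec/10/2007.
# The typographic quotes around the name were replaced with ASCII quotes.
>system scheduler add name="mikrotikbackup" on-event=autobackup start-date=dec/10/2007 start-time=08:30:00 interval=1w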
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Simple Queue VS Que Tree :
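/queue simple
# Three-level hierarchy: "XPS" caps the whole 192.168.0.0/24 subnet, "USER"
# (child of XPS) caps nine hosts together, "Client-1" (child of USER) caps one host.
# Entries wrapped across two lines on the page are rejoined (the break also
# dropped the hyphen in max-limit), typographic quotes are ASCII quotes, and
# the comma missing between 192.168.0.7/32 and 192.168.0.8/32 is restored.
# NOTE(review): "Client-1" uses interface=Lan; interface names elsewhere in
# this document are written LAN — confirm the name on the target router.
add name="XPS" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=1000000/1000000 total-queue=default-small disabled=no
add name="USER" target-addresses=192.168.0.2/32,192.168.0.3/32,192.168.0.4/32,192.168.0.5/32,192.168.0.6/32,192.168.0.7/32,192.168.0.8/32,192.168.0.9/32,192.168.0.10/32 dst-address=0.0.0.0/0 interface=all parent=XPS direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=384000/384000 total-queue=default-small disabled=no
add name="Client-1" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=Lan parent=USER direction=both priority=8 queue=default-small/default-small limit-at=16000/16000 max-limit=32000/64000 total-queue=default-small disabled=no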
Contoh configurasi Queue Tree:
Mangle
Sebelum kita Meng konfigure Queue Tree kita buat dulu Connection-mark di table mangle.
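/ip firewall mangle
# Mark every forwarded connection to or from 192.168.10.0/24 as "lokal", then
# assign packet marks: ICMP gets lokal-icmp, and non-ICMP traffic of hosts
# 192.168.10.1 and 192.168.10.2 gets lokal-1 and lokal-2.
# The empty comment values mixed a typographic and an ASCII quote; both are
# ASCII quotes here so the rules parse.
add chain=forward src-address=192.168.10.0/24 action=mark-connection new-connection-mark=lokal passthrough=yes comment="" disabled=no
add chain=forward dst-address=192.168.10.0/24 action=mark-connection new-connection-mark=lokal passthrough=yes comment="" disabled=no
add chain=forward protocol=icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-icmp passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.10.1 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-1 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.10.1 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-1 passthrough=no comment="" disabled=no
add chain=forward src-address=192.168.10.2 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-2 passthrough=no comment="" disabled=no
add chain=forward dst-address=192.168.10.2 protocol=!icmp connection-mark=lokal action=mark-packet new-packet-mark=lokal-2 passthrough=no comment="" disabled=no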
Queue-tree:
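/queue tree
# Two trees: "upload" on ether1 (256000) and "download" on global-out (512000),
# each with child queues for the packet marks lokal-icmp, lokal-1 and lokal-2.
# Typographic quotes were replaced with ASCII quotes, and the queue name
# "icmd-upload" is spelled "icmp-upload" to match "icmp-download".
add name="upload" parent=ether1 packet-mark="" limit-at=0 queue=default priority=1 max-limit=256000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="icmp-upload" parent=upload packet-mark=lokal-icmp limit-at=0 queue=default priority=3 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-1-upload" parent=upload packet-mark=lokal-1 limit-at=0 queue=default priority=5 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-2-upload" parent=upload packet-mark=lokal-2 limit-at=0 queue=default priority=5 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="download" parent=global-out packet-mark="" limit-at=0 queue=default priority=1 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="icmp-download" parent=download packet-mark=lokal-icmp limit-at=0 queue=default priority=3 max-limit=64000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-1-download" parent=download packet-mark=lokal-1 limit-at=0 queue=default priority=5 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="lokal-2-download" parent=download packet-mark=lokal-2 limit-at=0 queue=default priority=5 max-limit=128000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no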
Another simple queue
Konfigurasi Simple queues dan Que tree mudah mudahan bisa menjadi referensi untuk anda yang akan menggunakan limiter bandwith with mikrotik.
Configurasi Simple Queue:
Anda bisa membuat kelompok (parent) untuk client-kusus dengan bandwith 256kbps yang didalamnya terdiri dari 3 user sehingga bandwith 256 tadi akan di share untuk 3 user tesebut, dan parent2 yang
lainpun bisa anda buat sesuai keinginan anda.
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
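/queue simple
# "CLIENT" caps the whole 192.168.0.0/24 subnet; "Client-kusus" is a 256000
# group shared by three hosts; "mylove", "myfriend" and "maymay" are the
# per-host queues inside that group.
# Fixes applied: entries wrapped across two lines are rejoined (restoring
# max-limit and default-small/default-small), typographic quotes are ASCII
# quotes, the stray comma before dst-address is removed, and Client-kusus now
# names the existing queue CLIENT as its parent (the listing defines no queue
# called CUSTOMER).
add name="CLIENT" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=1000000/1000000 total-queue=default-small
add name="Client-kusus" target-addresses=192.168.0.1/32,192.168.0.2/32,192.168.0.3/32 dst-address=0.0.0.0/0 interface=all parent=CLIENT direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=256000/256000 total-queue=default-small
add name="mylove" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/8000 max-limit=32000/56000 total-queue=default-small
add name="myfriend" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/8000 max-limit=32000/56000 total-queue=default-small
add name="maymay" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 interface=ether2 parent=Client-kusus direction=both priority=8 queue=default-small/default-small limit-at=16000/0 max-limit=32000/56000 total-queue=default-small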
Contoh configurasi Queue Tree:
Mangle :
Sebelum kita Meng konfigure Queue Tree kita buat dulu Connection-mark di table mangle.
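/ip firewall mangle
# Mark every forwarded connection to or from 192.168.0.0/24 as "local", then
# assign packet marks: ICMP gets local-icmp, and non-ICMP traffic of hosts
# 192.168.0.1 and 192.168.0.2 gets local-1 and local-2.
# The first two rules misspelled the parameter as new-connectioan-mark, which
# is not a valid property; it is new-connection-mark here.
add chain=forward src-address=192.168.0.0/24 action=mark-connection new-connection-mark=local passthrough=yes
add chain=forward dst-address=192.168.0.0/24 action=mark-connection new-connection-mark=local passthrough=yes
add chain=forward protocol=icmp connection-mark=local action=mark-packet new-packet-mark=local-icmp passthrough=no
add chain=forward src-address=192.168.0.1 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-1 passthrough=no
add chain=forward dst-address=192.168.0.1 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-1 passthrough=no
add chain=forward src-address=192.168.0.2 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-2 passthrough=no
add chain=forward dst-address=192.168.0.2 protocol=!icmp connection-mark=local action=mark-packet new-packet-mark=local-2 passthrough=no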
Queue-Tree :
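/queue tree
# Upload tree on the Internet-facing interface and download tree on the
# local-facing interface, with child queues per packet mark.
# [int-ke-internet] and [int-ke-local] are placeholders for interface names.
# Typographic quotes were replaced with ASCII quotes, and the last max-limit,
# printed as 128, is written 128K to match local-1-download.
add name="upload" parent=[int-ke-internet] packet-mark="" priority=1 max-limit=256K
add name="icmp-upload" parent=upload packet-mark="local-icmp" priority=3 max-limit=32K
add name="local-1-upload" parent=upload packet-mark="local-1" priority=5 max-limit=64K
add name="local-2-upload" parent=upload packet-mark="local-2" priority=5 max-limit=64K
add name="download" parent=[int-ke-local] packet-mark="" priority=1 max-limit=512K
add name="icmp-download" parent=download packet-mark="local-icmp" priority=3 max-limit=64K
add name="local-1-download" parent=download packet-mark="local-1" priority=5 max-limit=128K
add name="local-2-download" parent=download packet-mark="local-2" priority=5 max-limit=128K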
XP-Solution Surabaya # Modul Training Mikrotik # By Nathan Gusti Ryan
Memanipulasi ToS ICMP & DNS di MikroTik
Tujuan :
* Memperkecil delay ping dari sisi klien ke arah Internet.
* Mempercepat resolving hostname ke ip address.
Asumsi : Klien-klien berada pada subnet 10.10.10.0/28
1. Memanipulasi Type of Service untuk ICMP Packet :
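/ ip firewall mangle
# Mark ICMP connections from the client subnet, derive a packet mark from the
# connection mark, and reset DSCP to 0 on those packets.
# src-address was 0.0.0.0, which matches only that single address, so no client
# traffic was ever marked; it is now the client subnet 10.10.10.0/28 stated in
# the assumption above this section.
add chain=prerouting src-address=10.10.10.0/28 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes
add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes
add chain=prerouting packet-mark=ICMP-PM action=change-dscp new-dscp=0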
2. Memanipulasi Type of Service untuk DNS Resolving :
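/ ip firewall mangle
# Mark DNS connections (tcp/53 and udp/53) from the client subnet, derive a
# packet mark from the connection mark, and reset DSCP to 0 on those packets.
# src-address was 0.0.0.0, which matches only that single address, so no client
# query was ever marked; it is now the client subnet 10.10.10.0/28 stated in
# the assumption above this section.
add chain=prerouting src-address=10.10.10.0/28 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
add chain=prerouting src-address=10.10.10.0/28 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes
add chain=prerouting packet-mark=DNS-PM action=change-dscp new-dscp=0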
3. Menambahkan Queue Type :
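# Define a plain FIFO queue type that holds at most 64 packets.
# The closing quote after PFIFO-64 was a typographic quote, which the console
# does not accept as a string delimiter; it is an ASCII quote here.
/queue type add name="PFIFO-64" kind=pfifo pfifo-limit=64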
4. Mengalokasikan Bandwidth untuk ICMP Packet :
/queue tree add name=ICMP parent=WAN packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
5. Mengalokasikan Bandwidth untuk DNS Resolving :
/queue tree add name=DNS parent=WAN packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
New Load Balance
/ip firewall mangle
# Static per-client balancing: each source-address range gets one routing mark.
# A routing mark only takes effect when a route with the same routing-mark
# exists; no GroupA..GroupD routes appear next to this listing.
# NOTE(review): the first match starts at 10.1.0.1 while its comment says
# 10.1.0.2 — confirm which range is intended.
add chain=prerouting src-address=10.1.0.1-10.1.0.6 action=mark-routing new-routing-mark=GroupA comment="IP 10.1.0.2-10.1.0.6"
add chain=prerouting src-address=10.1.0.9-10.1.0.14 action=mark-routing new-routing-mark=GroupB comment="IP 10.1.0.9-10.1.0.14"
add chain=prerouting src-address=10.1.0.17-10.1.0.22 action=mark-routing new-routing-mark=GroupC comment="IP 10.1.0.17-10.1.0.22"
add chain=prerouting src-address=10.1.0.25-10.1.0.30 action=mark-routing new-routing-mark=GroupD comment="IP 10.1.0.25-10.1.0.30"
Layer 7 Protocol Site
http://www.mikrotik.com/download/l7-protos.rsc
Marking Packet IIX & International
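/ip firewall mangle
# Classify connections entering on LAN by destination: members of the "indo"
# address list are marked IIX, everything else INTL. Each connection mark is
# then turned into a packet mark (passthrough=no stops further mangle rules).
# Typographic quotes around the mark names were replaced with ASCII quotes so
# the values parse as strings.
add chain=prerouting action=mark-connection new-connection-mark="IIX" passthrough=yes dst-address-list=indo in-interface=LAN
add chain=prerouting action=mark-packet new-packet-mark="Packet IIX" passthrough=no connection-mark=IIX
add chain=prerouting action=mark-connection new-connection-mark="INTL" passthrough=yes dst-address-list=!indo in-interface=LAN
add chain=prerouting action=mark-packet new-packet-mark="Packet INTL" passthrough=no connection-mark=INTL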