ab-intermedia.com

Kadang Kita menjumpai kondisi jaringan yang berfariasi. tidak semua konfigurasi jaringan menggunakan kebijakan pengelolaan bandwith berdasarkan IP komputer yang mengakses. Tetapi situasi tertentu Konfigurasi ini perlu sesuaikan dengan kondisi yang ada. Agar user tetap dapat menikmati browsing yang stabil dan tidak terganggu dengan aktifitas user lain yang mendownload file berjenis tertentu kita bisa menggunakan contoh konfigurasi berikut, Disini hanya contoh untuk menfilter bandwith pada jenis file bertipe exe, iso, mpg, dan mp3. untuk jenis lain silahkan bisa ditambahkan lebih lanjut yaaa ok. silahkan dicoba…

/ip firewall filter add chain=forward src-address=[ip Local ] protocol=tcp content=.exe action=add-dst-to-address-list address-list=cekek address-list-timeout=01:00:00
/ip firewall filter add chain=forward src-address=[ip Local ] protocol=tcp content=.iso action=add-dst-to-address-list address-list=cekek address-list-timeout=01:00:00
/ip firewall filter add chain=forward src-address=[ip Local ] protocol=tcp content=.mpg action=add-dst-to-address-list address-list=cekek address-list-timeout=01:00:00
/ip firewall filter add chain=forward src-address=[ip Local ] protocol=tcp content=.mp3 action=add-dst-to-address-list address-list=cekek address-list-timeout=01:00:00

Setting di Mangle

/ip firewall mangle add chain=forward protocol=tcp src-address-list=cekek action=mark-packet new-packet-mark=cekek-bw

Sekarang di bagian Simple Quee nya tinggal disesuaikan dengan jaringan masing-masing2 aja.

/queue simple add name=download-files max-limit=64000/64000 packet-marks=cekek-bw

Untuk melindungi network user, kita harus memeriksa semua traffic yang melewati router dan blok yang tidak diinginkan.Untuk traffic ICMP, TCP, UDP kita akan membuat chain dimana akan melakukan DROP untuk paket-paket yang tidak diinginkan.

/ip firewall filter
add chain=forward connection-state=established comment=”allow established connections”
add chain=forward connection-state=related comment=”allow related connections”
add chain=forward connection-state=invalid action=drop comment=”drop invalid connections”

Untuk mencegah Jaringan LAN dari virus   input dan forward nya bisa disesuaikan dengan kebutuhan

add action=jump chain=forward comment=”PREVENT VIRUS COME FROM LOCAL NETWORK” \
disabled=no in-interface=ether-local jump-target=viruses
add action=jump chain=forward comment=\
“PREVENT VIRUS COME FROM PUBLIC INTERNET NETWORK” disabled=no \
in-interface=ether-public jump-target=viruses
add action=jump chain=input comment=”PREVENT VIRUS COME FROM LAN” disabled=no \
in-interface=ether-local jump-target=viruses
add action=jump chain=input comment=”PREVENT VIRUS COME FROM PUBLIC INTERNET” \
disabled=no in-interface=ether-public jump-target=viruses
add action=jump chain=viruses comment=”Jump to handle virus from TCP port” \
disabled=no jump-target=tcp-viruses protocol=tcp
add action=jump chain=viruses comment=”Jump to handle virus from UDP port” \
disabled=no jump-target=udp-viruses protocol=udp
add action=return chain=viruses comment=”Back to previous rules” disabled=no



Script Hemat untuk blok Netbios di windows sumber muasal Confliker disini :

/ip fi fi
add action=drop chain=forward comment="Conficker Filter" disabled=no dst-port=135-139,445 protocol=tcp
add action=drop chain=forward disabled=no protocol=tcp src-port=135-139,445
add action=drop chain=forward disabled=no dst-port=135-139,445 protocol=udp
add action=drop chain=forward disabled=no protocol=udp src-port=135-139,445
add action=add-dst-to-address-list address-list=conficker address-list-timeout=0s chain=forward disabled=no dst-port=135-139,445 protocol=tcp
add action=add-dst-to-address-list address-list=conficker address-list-timeout=0s chain=forward disabled=no protocol=tcp src-port=135-139,445
add action=add-dst-to-address-list address-list=conficker address-list-timeout=0s chain=forward disabled=no dst-port=135-139,445 protocol=udp
add action=add-dst-to-address-list address-list=conficker address-list-timeout=0s chain=forward disabled=no protocol=udp src-port=135-139,445
add action=drop chain=forward disabled=no src-address-list=conficker

tambahan :

21   chain=virus action=drop protocol=1tcp dst-port=135K-139K
22   chain=virus action=drop protocol=6icmp dst-port=135K-139K
23   chain=virus action=drop protocol=tcp dst-port=445K
24   chain=virus action=drop protocol=ICMP dst-port=445K
25   chain=virus action=drop protocol=tcp dst-port=593K
26   chain=virus action=drop protocol=tcp dst-port=1024K-1030K
27   chain=virus action=drop protocol=tcp dst-port=1080K
28   chain=virus action=drop protocol=1tcp dst-port=1214K
29   chain=virus action=drop protocol=1tcp dst-port=1364K
25   chain=virus action=drop protocol=1tcp dst-port=593K
26   chain=virus action=drop protocol=1tcp dst-port=1024K-1030K
27   chain=virus action=drop protocol=1tcp dst-port=1080K
28   chain=virus action=drop protocol=1tcp dst-port=1214K
29   chain=virus action=drop protocol=1tcp dst-port=1364K
30   chain=virus action=drop protocol=6icmp dst-port=1364K
31   chain=virus action=drop protocol=1tcp dst-port=1368k
32   chain=virus action=drop protocol=1tcp dst-port=1373k
33   chain=virus action=drop protocol=1tcp dst-port=1377k
34   chain=virus action=drop protocol=1tcp dst-port=1433k-1434k
35   chain=virus action=drop protocol=1tcp dst-port=2745k
36   chain=virus action=drop protocol=1tcp dst-port=2283k
37   chain=virus action=drop protocol=1tcp dst-port=2535k
38   chain=virus action=drop protocol=1tcp dst-port=2745k
39   chain=virus action=drop protocol=1tcp dst-port=3127-3128k
40   chain=virus action=drop protocol=1tcp dst-port=3410k
41   chain=virus action=drop protocol=1tcp dst-port=4444k
42   chain=virus action=drop protocol=icmp dst-port=4444k
43   chain=virus action=drop protocol=1tcp dst-port=5554k
44   chain=virus action=drop protocol=1tcp dst-port=8866k
45   chain=virus action=drop protocol=1tcp dst-port=9898k
46   chain=virus action=drop protocol=1tcp dst-port=10000k
47   chain=virus action=drop protocol=1udp dst-port=10000k
48   chain=virus action=drop protocol=1tcp dst-port=12345k
49   chain=virus action=drop protocol=1tcp dst-port=17306k
50   chain=virus action=drop protocol=1tcp dst-port=27374k
51   chain=virus action=drop protocol=1tcp dst-port=65500k

Diatas kita telah dapatkan daftar rule untuk memfilter paket-paket dari protocol dan posrt yang merupakan berasal dari Virus ataupun Trojan. Daftar diatas belum komplit, kita bisa mendapatkan rule-rule tambahan dari berbagai sumber, tapi setidaknya rule diatas dapat menjadi awal.

Agar paket dari chain forward dapat menuju ke chain virus kita dapat menererapkan action=jump, seperti rule dibawah ini :
add chain=forward action=jump jump-target=virus comment=”jump to the virus chain”

Bila paket yang ter-jump ke chain virus tidak ter-filter, maka paket tersebut akan dikembalikan ke chain forward.
Kita dapat dengan mudah menambahkan rule yang membolehkan udp dan ping dan drop yang lainnnya (jika tidak ada service pada network user yang perlu diakses dari network luar) :
add chain=forward protocol=icmp comment=”allow ping”
add chain=forward protocol=udp comment=”allow udp”
add chain=forward action=drop comment=”drop everything else”

Sumber : http://www.forummikrotik.com

Tips Manipulasi TOS ICMP dan DNS Resolving

Tujuan :

• Memperkecil delay ping dari sisi klien ke arah Internet.
• Mempercepat resolving hostname ke ip address.

Asumsi : Klien-klien berada pada subnet 192.168.1.0/24

1. Memanipulasi Type of Service untuk ICMP Packet :
   - ip firewall mangle add chain=prerouting src-address=192.168.1.0/24 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes
   -ip firewall mangle add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes
   - ip firewall mangle add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay
2. Memanipulasi Type of Service untuk DNS Resolving :
   - ip firewall mangle add chain=prerouting src-address=192.168.1.0/24 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
   - ip firewall mangle add chain=prerouting src-address=192.168.1.0/24 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
   - ip firewall mangle add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes
   - ip firewall mangle add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay
3. Menambahkan Queue Type :
   - queue type add name=”PFIFO-64″ kind=pfifo pfifo-limit=64
4. Mengalokasikan Bandwidth untuk ICMP Packet :
   - queue tree add name=ICMP parent=INTERNET packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
5. Mengalokasikan Bandwidth untuk DNS Resolving :
   - queue tree add name=DNS parent=INTERNET packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64

Tips Manipulasi Ping dari Client ke internet Secepat dari Lokal (buat lucu2)

pakai WinBox -> Ip -> Firewall -> NAT
klik [+]
isikan chain : dstnat
protocol : 1 (icmp)
in interface : ether1(lokal)
-> di menu action
action : redirect
to ports : 1(kalo versi 2.9.27 gunakan 16) veris diatasnya Default aja
klik Apllay dan Lanjut OK

Selamat mencoba… Good Luck…

Sumber dari http://www.forummikrotik.com/wireless-networking/

Seeting Load balancing 2 Line Speedy dengan PPoe Built In Mikrotik, dan Modem di posisikan sebagain bridging.

- Setting modem Speedy1

• Ip Address : 192.168.1.2, Subnet : 255.255.255.0 Fitru DHCP pada interface LAN di Non aktifkan, Mode sebagai Bridge

- Setting Modem Speedy2

• Ip address : 192.168.2.2, Subnet : 255.255.255.0 Fitru DHCP pada interface LAN di non aktifkan, Modem sebagai Bridge

Login ke Mikrotik dan atur sebagai berikut :

contohnya buat mikrotik versi 3.xx (saya pakai di mikrotik OS bawaan RB450G) :

Ip Ke modem1  : 192.168.1.1 interface=speedy1
IP Ke Modem2 : 192.168.2.1 interface=speedy2
IP Local : 192.168.3.1  interface=Local