Asa Bucat Bisul!!! as the Sundanese say, hehe. I haven't posted for two days because I was still studying how the MikroTik settings I use perform, and the result is a whole lot of new discoveries, hahaha. This post may be a bit long: it is about the MikroTik and external Squid proxy setup, full version.
In my opinion this setup suits an internet cafe or a hotspot provider; what do you think, hahaha. It is the setup I am running right now. Ready to look it over and study it?
OK, let's go.......!!!
Equipment used:
- Speedy modem
- RB750 running ROS 4.6, or MikroTik v5.xx
- Squid proxy running transparently on port 3128, with ZPH
Topology:
- Speedy 2M down and 512 up
- 1M download allocation shared by all clients, capped at 256kbps per client
- Unlimited access for a few specific IPs (here 192.168.2.16 and 192.168.2.17)
- Browsing is not limited
- QoS applied to outbound traffic / packets leaving through the Speedy modem
IP addresses used:
[MODEM]
Public IP Address = 192.168.1.2/24
[CLIENTS]
Client IP Address = 192.168.2.2-192.168.2.17 (other IPs do not get internet access)
[SQUID BOX]
Proxy IP Address = 192.168.3.2
squid.conf with ZPH
http_port 3128 transparent
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136
================Basic Configuration================
/interface ethernet
set 0 comment="Public Interface" name=Public
set 1 comment="Local Interface" name=Local
set 2 comment="Proxy Interface" name=Proxy
/ip address
add address=192.168.2.1/24 broadcast=192.168.2.2 comment="" disabled=no \
interface=Local network=192.168.2.0
add address=192.168.3.1/24 broadcast=192.168.3.2 comment="" disabled=no \
interface=Proxy network=192.168.3.0
add address=192.168.1.2/24 broadcast=192.168.1.3 comment="" disabled=no \
interface=Public network=192.168.1.0
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=4096KiB \
max-udp-packet-size=512 servers="125.160.4.82,203.130.196.155"
(adjust these to your ISP's DNS servers)
/ip route
add gateway=192.168.1.1 comment="" disabled=no
/ip service
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=yes port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/system ntp client
set enabled=yes mode=unicast primary-ntp=152.118.24.8 secondary-ntp=\
202.169.224.16
/ip firewall address-list
add address=192.168.3.1/24 comment="" disabled=no list=ProxyNET
add address=192.168.2.2-192.168.2.17 comment="" disabled=no list=localNet
(I only let clients .2 to .17 connect to the internet)
=================end of basic configuration=================
For the firewall filter I only apply the most important rules.
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid disabled=no
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" disabled=no \
src-address-list="port scanners"
add action=accept chain=input comment="Allow Established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Allow Related connections" \
connection-state=related disabled=no
add action=accept chain=input comment="Allow ICMP from LOCAL Network" \
disabled=no protocol=icmp src-address-list=localNet
add action=accept chain=input comment="Allow ICMP from PROXY Network" \
disabled=no protocol=icmp src-address-list=ProxyNET
add action=accept chain=input comment="Allow Input from LOCAL Network" \
disabled=no src-address-list=localNet
add action=accept chain=input comment="Allow Input from PROXY Network" \
disabled=no src-address-list=ProxyNET
add action=drop chain=input comment="Drop everything else" disabled=no
add action=drop chain=forward comment="Drop Invalid connections" \
connection-state=invalid disabled=no
add action=jump chain=forward comment="Bad packets filtering" disabled=no \
jump-target=tcp protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=udp \
protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=icmp \
protocol=icmp
add action=drop chain=tcp comment="deny SMTP" disabled=no dst-port=25 \
protocol=tcp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 \
protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOrifice" disabled=no dst-port=\
3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
protocol=tcp
add action=drop chain=tcp comment="deny P2P" disabled=no p2p=all-p2p
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 \
protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOrifice" disabled=no dst-port=\
3133 protocol=udp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp comment="Drop other icmp packets" disabled=no
add action=accept chain=forward comment="Allow Established connections" \
connection-state=established disabled=no
add action=accept chain=forward comment="Allow Forward from LOCAL Network" \
disabled=no src-address-list=localNet
add action=accept chain=forward comment="Allow Forward from PROXY Network" \
disabled=no src-address-list=ProxyNET
add action=drop chain=forward comment="Drop everything else" disabled=no
The NAT is as follows:
/ip firewall nat
add action=masquerade src-address-list=localNet chain=srcnat comment="NAT-LOCAL" disabled=no \
out-interface=Public
(address-list names are case-sensitive, so the name here must be ProxyNET, exactly as in the address list)
add action=masquerade src-address-list=ProxyNET chain=srcnat comment="NAT-PROXY" disabled=no \
out-interface=Public
add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no \
dst-address-list=!ProxyNET dst-port=80,8080,3128 in-interface=Local \
protocol=tcp to-addresses=192.168.3.2 to-ports=3128
(or the proxy redirect I actually use, which looks like this:)
add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no \
src-address=192.168.2.2-192.168.2.17 dst-port=80,8080,3128 in-interface=Local \
protocol=tcp to-addresses=192.168.3.2 to-ports=3128
(action=redirect is needed here: dst-nat with to-ports but no to-addresses leaves the destination address unchanged, so the query would never reach the router's own DNS)
add action=redirect chain=dstnat comment="TRANSPARENT DNS" disabled=no \
dst-port=53 in-interface=Local protocol=udp to-ports=53
add action=redirect chain=dstnat comment="" disabled=no dst-port=53 \
in-interface=Local protocol=tcp to-ports=53
add action=redirect chain=dstnat comment="" disabled=no dst-port=53 \
in-interface=Proxy protocol=udp to-ports=53
add action=redirect chain=dstnat comment="" disabled=no dst-port=53 \
in-interface=Proxy protocol=tcp to-ports=53
Explanation:
- Transparent DNS, so clients cannot use a nameserver other than the one configured on the MikroTik
(use it or not, as you prefer)
- Redirects client requests to ports 80, 8080 and 3128 to the external Squid
I gave two examples of the redirect; pick whichever you like, both of them definitely work
if you have another interface, a hotspot for example, just add a ! to the src-address or dst-address-list
For the mangle, let me explain it one rule at a time so it does not get confusing:
/ip firewall mangle
add action=mark-packet chain=forward comment="PROXY-HIT-DSCP 12" disabled=no \
dscp=12 new-packet-mark=proxy-hit passthrough=no
Marks proxy-hit packets coming from the external proxy; later the queue rule lets these through without any limiting
add action=change-dscp chain=postrouting comment=CRITICAL disabled=no \
new-dscp=1 protocol=icmp
add action=change-dscp chain=postrouting comment="" disabled=no dst-port=53 \
new-dscp=1 protocol=udp
add action=change-dscp chain=postrouting comment="" disabled=no dst-port=53 \
new-dscp=1 protocol=tcp
add action=mark-connection chain=postrouting comment="" disabled=no dscp=1 \
new-connection-mark=critical_conn passthrough=yes
add action=mark-packet chain=postrouting comment="" connection-mark=\
critical_conn disabled=no new-packet-mark=critical_pkt passthrough=no
Marks ICMP and DNS request packets to be given the highest priority
add action=mark-connection chain=prerouting comment=MARK-ALL-CONN disabled=no \
dst-address-list=!localNet in-interface=Local new-connection-mark=\
all.pre_conn passthrough=yes
add action=mark-connection chain=forward comment="" disabled=no \
new-connection-mark=all.post_conn out-interface=Local passthrough=yes \
src-address-list=!localNet
add action=mark-packet chain=prerouting comment="" connection-mark=\
all.pre_conn disabled=no new-packet-mark=all.pre_pkt passthrough=yes
add action=mark-packet chain=forward comment="" connection-mark=all.post_conn \
disabled=no new-packet-mark=all.post_pkt passthrough=yes
Marks ALL packets entering and leaving through the Local interface EXCEPT those destined for a local address
add action=mark-connection chain=prerouting comment=GAMES connection-mark=\
all.pre_conn disabled=no dst-port=9339,843 new-connection-mark=games_conn \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-mark=\
all.pre_conn disabled=no dst-port=40000-40010 new-connection-mark=\
games_conn passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="" connection-mark=games_conn \
disabled=no new-packet-mark=games_pkt passthrough=no
Marks GAMES packets to be given the SECOND priority
add action=mark-connection chain=prerouting comment=HTTP-CLIENT \
connection-mark=all.pre_conn disabled=no new-connection-mark=\
browsing_conn packet-size=0-64 passthrough=yes protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment="" connection-mark=\
all.pre_conn disabled=no dst-port=80,443 new-connection-mark=\
browsing_conn passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="" connection-bytes=0-131072 \
connection-mark=browsing_conn disabled=no new-packet-mark=browsing_pkt \
passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment=HTTP-PROXY disabled=no \
dst-address-list=!localNet dst-port=80,443 new-connection-mark=proxy_conn \
passthrough=yes protocol=tcp src-address-list=ProxyNET
add action=mark-packet chain=forward comment="" connection-mark=proxy_conn \
disabled=no new-packet-mark=proxy_pkt passthrough=no
Marks browsing packets, INCLUDING http requests from the external proxy with conn-byte=0-131072, as well as small tcp packets (packet-size=0-64 tcp-flags=ack), to be given the THIRD priority
add action=mark-connection chain=prerouting comment=REALTIME connection-mark=\
all.pre_conn disabled=no dst-port=22,179,110,161,8291 \
new-connection-mark=realtime_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-mark=\
all.pre_conn disabled=no dst-port=123 new-connection-mark=realtime_conn \
passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="" connection-mark=realtime_conn \
disabled=no new-packet-mark=realtime_pkt passthrough=no
Marks REALTIME ACCESS packets to be given the FOURTH priority
add action=mark-connection chain=prerouting comment=FILETRANSFER \
connection-mark=all.pre_conn disabled=no dst-port=20,21,23 \
new-connection-mark=communication_conn passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="" connection-mark=\
communication_conn disabled=no new-packet-mark=communication_pkt \
passthrough=no
Marks FILETRANSFER packets to be given the FIFTH priority
add action=mark-connection chain=prerouting comment=NORMAL connection-mark=\
all.pre_conn disabled=no dst-address-list=!ProxyNET new-connection-mark=\
normal_conn passthrough=yes
add action=mark-packet chain=forward comment="" connection-mark=normal_conn \
disabled=no new-packet-mark=normal_pkt passthrough=no
Marks all remaining packets EXCEPT those destined for the Proxy to be given the SIXTH priority
add action=mark-packet chain=forward comment=DOWNLOAD connection-bytes=\
131072-4294967295 connection-mark=all.post_conn disabled=no dst-address=\
192.168.2.2 new-packet-mark=client1 passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" connection-bytes=\
131072-4294967295 connection-mark=all.post_conn disabled=no dst-address=\
192.168.2.3 new-packet-mark=client2 passthrough=no protocol=tcp
……………….. and so on, until the number of clients you need is covered
add action=mark-packet chain=forward comment=DOWNLOAD-NO-LIMIT connection-bytes=\
131072-4294967295 connection-mark=all.post_conn disabled=no dst-address=\
192.168.2.16 new-packet-mark=client16 passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" connection-bytes=\
131072-4294967295 connection-mark=all.post_conn disabled=no dst-address=\
192.168.2.17 new-packet-mark=client17 passthrough=no protocol=tcp
Marks the tcp packets forwarded to each client, with conn-byte=131072-4294967295, so that a download limit can be applied per client
After that, create the queue types
/queue type
add kind=pcq name=pcq_up pcq-classifier=src-address pcq-limit=200 pcq-rate=0 \
pcq-total-limit=8000
add kind=pcq name=pcq_down pcq-classifier=dst-address pcq-limit=200 pcq-rate=\
0 pcq-total-limit=8000
add kind=pfifo name=pfifo-critical pfifo-limit=10
add kind=pcq name=pcq_critical.up pcq-classifier=src-address,src-port \
pcq-limit=20 pcq-rate=0 pcq-total-limit=500
add kind=pcq name=pcq_critical.down pcq-classifier=dst-address,dst-port \
pcq-limit=20 pcq-rate=0 pcq-total-limit=500
continue by adding the queue tree.....
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="A. PROXY HIT" packet-mark=proxy-hit parent=Local \
priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="B. CRITICAL" packet-mark=critical_pkt parent=Public \
priority=1 queue=pfifo-critical
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="C. INBOUND" packet-mark=all.post_pkt parent=global-out \
priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="A. PROXY HIT" packet-mark=proxy-hit parent=Local \
priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="B. CRITICAL" packet-mark=critical_pkt parent=Public \
priority=1 queue=pfifo-critical
No limit and top priority for proxy hits and critical traffic. Both queues sit above every limit that follows, so whatever mangle rule sets proxy-hit decides who gets this free lane: if that rule matches on DSCP 12 alone (as the one discussed in the comments does), any host that can set DSCP on its own packets can claim the lane, so bind the rule to the proxy's interface.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="C. INBOUND" packet-mark=all.post_pkt parent=global-out \
priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="D. OUTBOUND" packet-mark=all.pre_pkt parent=Public \
priority=8
Create the parents for inbound (traffic going to the clients) and outbound (traffic leaving through the public interface).
I split the INBOUND children into several priorities, as follows:
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="A. GAMES" packet-mark=games_pkt parent="C. INBOUND" \
priority=2 queue=pcq_critical.down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="B. HTTP" packet-mark=browsing_pkt parent="C. INBOUND" \
priority=3 queue=pcq_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=128k name="C. REALTIME" packet-mark=realtime_pkt parent=\
"C. INBOUND" priority=4 queue=pcq_critical.down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=128k name="D. FILETRANS" packet-mark=communication_pkt parent=\
"C. INBOUND" priority=5 queue=pcq_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=128k name="E. NORMAL" packet-mark=normal_pkt parent=\
"C. INBOUND" priority=6 queue=pcq_down
Next, the parents for per-client download:
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1024k name="F. DOWN 1M" parent="C. INBOUND" priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="G. DOWN 2M" parent="C. INBOUND" priority=8
Two parents: 1M, and 2M (which, with max-limit=0, is in effect no limit).
After that, create the children, which cap the download of each client:
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=256k name=Client1 packet-mark=client1 parent=\
"F. DOWN 1M" priority=8 queue=pcq_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=256k name=Client2 packet-mark=client2 parent=\
"F. DOWN 1M" priority=8 queue=pcq_down
… and so on, until every client that needs one has its own queue.
Download is capped at 1M for all clients together, with a maximum of 256k per client.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=Client16 packet-mark=client16 parent=\
"G. DOWN 2M" priority=8 queue=pcq_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=Client17 packet-mark=client17 parent=\
"G. DOWN 2M" priority=8 queue=pcq_down
No download cap for 192.168.2.16 and 192.168.2.17.
Then create the upload limits:
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="A. GAMES UP" packet-mark=games_pkt parent="D. OUTBOUND" \
priority=2 queue=pcq_critical.up
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=256k name="B. HTTP UP" packet-mark=proxy_pkt parent=\
"D. OUTBOUND" priority=3 queue=pcq_up
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=32k \
max-limit=64k name="C. REALTIME UP" packet-mark=realtime_pkt parent=\
"D. OUTBOUND" priority=4 queue=pcq_critical.up
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=128k name="D. FILETRANS UP" packet-mark=communication_pkt \
parent="D. OUTBOUND" priority=5 queue=pcq_up
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=128k name="E. NORMAL UP" packet-mark=normal_pkt parent=\
"D. OUTBOUND" priority=6 queue=pcq_up
N o t e s
- Adjust the IP addresses, Ethernet names, etc. to your own setup.
- The green, blue and red highlighting (in the original post) marks the names you must keep consistent if you have renamed anything.
- The orange and pink highlighting marks names that must match the entries in the address list (if you rename them).
- Copy my script and paste it into Notepad first (that is, remove the explanatory text and work one block at a time, so you don't get confused).
The outbound children are ordered by priority: games, HTTP requests, realtime connections, file transfer, then normal requests.
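A hand-written tree like the one above is easy to get subtly wrong: a child whose max-limit is larger than its parent's, children whose limit-at guarantees add up to more than the parent can deliver, a parent name with a typo so the child silently hangs off nothing. RouterOS accepts all of these. Below is an added checker that parses the export syntax used on this page and reports them; it is example code written for this page, not part of the original post or of RouterOS. Assumed: the interface names Public and Local as tree roots, decimal k/M/G multipliers, and the two deliberately broken entries Client3 and Client4 in the constructed sample.

```python
"""Consistency checks for a RouterOS /queue tree export such as the one above.

Added example for this page, not code from the post or from MikroTik. It folds the
backslash-continued "add ..." lines of an export, builds the parent/child tree and
checks what an HTB tree must satisfy but RouterOS does not enforce: every parent
exists, a child's max-limit does not exceed its parent's, the children's limit-at
guarantees fit inside the parent's max-limit, and no leaf lacks a packet-mark.
Assumptions: Public and Local are interface roots; k/M/G are decimal multipliers.
"""
import re
import shlex
from collections import defaultdict

# Parents that are not queues themselves: the global pseudo-interfaces plus the
# physical interfaces this page uses (assumption).
ROOT_PARENTS = {"global-in", "global-out", "global-total", "Public", "Local"}

# Constructed sample: a few entries from the post in the same export syntax, plus two
# deliberately broken ones (Client3 over-commits its parent, Client4 has a typo in its
# parent name) so the checks have something to report.
SAMPLE_EXPORT = r'''
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="C. INBOUND" packet-mark=all.post_pkt parent=global-out \
    priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
    max-limit=128k name="C. REALTIME" packet-mark=realtime_pkt parent=\
    "C. INBOUND" priority=4 queue=pcq_critical.down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=1024k name="F. DOWN 1M" parent="C. INBOUND" priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=256k name=Client1 packet-mark=client1 parent=\
    "F. DOWN 1M" priority=8 queue=pcq_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=256k name=Client2 packet-mark=client2 parent=\
    "F. DOWN 1M" priority=8 queue=pcq_down
add limit-at=1100k max-limit=2048k name=Client3 packet-mark=client3 parent="F. DOWN 1M"
add limit-at=0 max-limit=256k name=Client4 packet-mark=client4 parent="F. DOWN 1m"
'''


def to_bps(value):
    """Convert a RouterOS rate ('0', '64k', '1M') to bits per second; 0 means unlimited."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", value)
    if not m:
        raise ValueError(f"bad rate: {value!r}")
    mult = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}[m.group(2).lower()]
    return int(m.group(1)) * mult


def parse_queue_tree(export_text):
    """Return {name: {attribute: value}} for every 'add' line in the export."""
    joined = re.sub(r"\\\n\s*", "", export_text)      # fold backslash continuations
    queues = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        attrs = {}
        for token in shlex.split(line)[1:]:           # shlex honours name="C. INBOUND"
            key, _, val = token.partition("=")
            attrs[key] = val
        queues[attrs["name"]] = attrs
    return queues


def check_queue_tree(queues, roots=ROOT_PARENTS):
    """Return a list of 'CODE name: explanation' findings; an empty list means clean."""
    findings = []
    children = defaultdict(list)
    for name, q in queues.items():
        parent = q.get("parent", "")
        if parent not in queues and parent not in roots:
            findings.append(f"UNKNOWN_PARENT {name}: parent {parent!r} is neither a queue nor an interface")
            continue
        children[parent].append(name)

    for parent, kids in children.items():
        if parent not in queues:
            continue                                   # interface roots carry no limits
        p_max = to_bps(queues[parent].get("max-limit", "0"))
        if p_max == 0:
            continue                                   # unlimited parent: nothing to enforce
        guaranteed = sum(to_bps(queues[k].get("limit-at", "0")) for k in kids)
        if guaranteed > p_max:
            findings.append(f"OVERCOMMIT {parent}: children guarantee {guaranteed} bps "
                            f"but the parent can only deliver {p_max}")
        for k in kids:
            k_max = to_bps(queues[k].get("max-limit", "0"))
            if k_max > p_max:
                findings.append(f"CHILD_CAP {k}: max-limit {k_max} exceeds parent "
                                f"{parent!r} max-limit {p_max}; the parent's cap wins")

    for name, q in queues.items():
        if name not in children and not q.get("packet-mark"):
            findings.append(f"DEAD_LEAF {name}: leaf without packet-mark never receives traffic")
    return findings


def run_sample():
    """Check the constructed sample; the two broken entries yield three findings."""
    return check_queue_tree(parse_queue_tree(SAMPLE_EXPORT))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Feed it the output of `/queue tree export` and `/interface print` (add your interface names to ROOT_PARENTS). The tree on this page passes: every limited parent is "F. DOWN 1M" with children capped at 256k, and the unlimited parents (max-limit=0) impose nothing, which is exactly why "G. DOWN 2M" and the proxy-hit queue let traffic through untouched.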
The end result I achieved: each client is not disturbed by download activity while browsing or playing games, and even when a user is uploading it does not disturb or increase the latency of games…. As far as my knowledge of MikroTik goes, after several rounds of testing, this may be the best configuration I have ever made.
I hope it is useful, and happy resetting your MikroTik. Success!!!!
Excellent tutorial, bro. Thanks for posting this great tutorial. I've been reading your blog for 3 days now and I think all of its content is great.
@yan Ma: Thanks, gan, glad you could follow it... but sorry if the post's wording is confusing... hahaha, keep on succeeding, gan!!!
Oh my, this one.... looks like a tasty recipe, bro.... Do you have a simpler recipe to get proxy hits (loss) with an external proxy, but with the queue configuration done in simple queues? Thanks a lot.
Thanks a lot in advance, gan,
I want to ask about this squid setup.
I use an RB750 as the router:
ether 0 to the modem,
ether 1 to the clients,
ether 2 to the hotspot.
On the client side I have also installed Squid for Windows for the warnet clients, and it is running.
My question: if I want to set up something like this for the hotspot, so that it fetches first from the computer that has Squid installed, how should it be configured?
Sorry, I'm still very new to MikroTik things like this.
Thanks in advance.
@Mumtazian: using simple queues? Try reading my article here http://gressnet-hotspot.blogspot.com/2012/03/cara-setting-mangle-mikrotik-untuk.html, take only the proxy-loss part, then in Simple Queues on the Advanced tab set packet-marks=proxy-hit with priority 1, and your proxy loss is done,....
Great, bro. I tried the settings above for uploading video and the result is that all clients became slow. What's the solution, bro?
Check it again; maybe something is wrong.
Adjust it in the queue tree part, bro!!
Download and upload are deliberately made slow so they don't disturb those browsing and gaming, hehe.
But there are also certain IPs there that aren't limited.. so look at it again,...
What OS does the squid proxy run on?!?
Is that all there is to the tutorial?!?
No step by step for setting up MikroTik and the squid proxy?!?
I still don't get it....
Still a newbie....forgive me.
@mazz alee: - the squid runs on Ubuntu.
Is that all there is to the tutorial?!? Yes, for this post that's all.. have a look at the other posts under the proxy label!
I feel it's already complete, gan; scroll down, bro, there's a huge amount of configuration there, hehehe...
A very useful tutorial, kang, but in your other tutorial, after I read it, nothing is explained about zph... whereas here it's an Ubuntu proxy + zph... :) please enlighten me...
Here, kang, a short explanation:
ZPH (Zero Penalty Hit)
ZPH's function on MikroTik is to mark TCP_HIT packets.
By adding the lines:
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136
to squid.conf
and adding 2 rules on MikroTik:
/ip firewall mangle
add action=mark-packet chain=forward comment="PROXY-HIT-DSCP 12" disabled=no \
dscp=12 new-packet-mark=proxy-hit passthrough=no
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="A. PROXY HIT" packet-mark=proxy-hit parent=Local \
priority=1 queue=default
this serves to manage the bandwidth so that it is not limited by MikroTik.. (TCP_HIT proxy loss)
Every request from a client gets the full traffic of the local loop it has.
That's roughly my thinking, kang... sorry if I'm wrong!
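The mangle rule above keys the unlimited proxy-hit lane on DSCP 12 (TOS 0x30) alone, with no interface condition. Here is an added example, written for this page and not taken from the post or from MikroTik, that walks a mangle chain the way RouterOS does (in order, honouring passthrough) over three constructed packets: a genuine Squid hit, an internet host that set TOS 0x30 on its own reply, and a plain reply. The interface names Proxy, Public and Local, the addresses, and the two hardened rule sets are assumptions.

```python
"""Walk a mangle chain the way RouterOS does, to show what the proxy-hit rule trusts.

Added example for this page, not code from the post or from MikroTik. The interface
names (Proxy, Public, Local) and the packets are constructed assumptions.
"""

# Keys that are actions rather than matchers.
ACTION_KEYS = {"action", "new-packet-mark", "new-dscp", "passthrough"}

# The rule as posted above: any forwarded packet carrying DSCP 12 becomes proxy-hit
# and lands in the unlimited "A. PROXY HIT" queue.
ORIGINAL_RULES = [
    {"chain": "forward", "dscp": 12,
     "action": "mark-packet", "new-packet-mark": "proxy-hit", "passthrough": False},
]

# Hardening 1: accept the mark only on the proxy -> LAN path, where Squid's zph_local
# is the only thing that should be setting TOS 0x30.
RESTRICTED_RULES = [
    {"chain": "forward", "dscp": 12, "in-interface": "Proxy", "out-interface": "Local",
     "action": "mark-packet", "new-packet-mark": "proxy-hit", "passthrough": False},
]

# Hardening 2: keep the broad match, but first clear DSCP on everything arriving from
# the internet, so a remote host cannot choose its own queue (RouterOS action
# change-dscp new-dscp=0).
CLEARED_RULES = [
    {"chain": "forward", "in-interface": "Public",
     "action": "change-dscp", "new-dscp": 0, "passthrough": True},
] + ORIGINAL_RULES


def evaluate(packet, rules):
    """Return the packet-mark a packet ends up with after the rules run in order."""
    pkt = dict(packet)            # rules may rewrite DSCP; never touch the caller's copy
    mark = None
    for rule in rules:
        matchers = {k: v for k, v in rule.items() if k not in ACTION_KEYS}
        if not all(pkt.get(k) == v for k, v in matchers.items()):
            continue
        if rule["action"] == "change-dscp":
            pkt["dscp"] = rule["new-dscp"]
        elif rule["action"] == "mark-packet":
            mark = rule["new-packet-mark"]
            if not rule["passthrough"]:
                break             # passthrough=no: stop walking the chain
    return mark


# Constructed packets. GENUINE_HIT is what Squid emits on a cache hit with the
# squid.conf lines above; SPOOFED is an internet host that set TOS 0x30 itself;
# PLAIN is an ordinary reply with DSCP 0.
GENUINE_HIT = {"chain": "forward", "in-interface": "Proxy", "out-interface": "Local",
               "src": "192.168.3.2", "dst": "192.168.2.5", "dscp": 12}
SPOOFED = {"chain": "forward", "in-interface": "Public", "out-interface": "Local",
           "src": "203.0.113.10", "dst": "192.168.2.5", "dscp": 12}
PLAIN = {"chain": "forward", "in-interface": "Public", "out-interface": "Local",
         "src": "203.0.113.10", "dst": "192.168.2.5", "dscp": 0}

PACKETS = (("genuine_hit", GENUINE_HIT), ("spoofed", SPOOFED), ("plain", PLAIN))
RULESETS = (("original", ORIGINAL_RULES), ("restricted", RESTRICTED_RULES),
            ("cleared", CLEARED_RULES))


def run_sample():
    """Mark every packet under every rule set; the 'spoofed' column is the one to watch."""
    return {name: {label: evaluate(p, rules) for label, p in PACKETS}
            for name, rules in RULESETS}


if __name__ == "__main__":
    for ruleset, result in run_sample().items():
        print(f"{ruleset:11s} {result}")
```

With the rule as posted, the spoofed packet gets the same unlimited lane as a cache hit. Restricting the match to in-interface=Proxy out-interface=Local (the same shape as the revision posted later in this thread) stops traffic that never touched the proxy; clearing DSCP on everything that arrives from Public before the mark rule also covers the other path, since Squid 2.7's zph_preserve_miss_tos defaults to on and copies the origin server's TOS onto miss responses, which would then leave the proxy interface with DSCP 12 intact (setting zph_preserve_miss_tos off closes that path as well). The zph_* directives are Squid 2.7 syntax; Squid 3.1 and later express the same hit marking with qos_flows local-hit=0x30.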
For the hotspot I have already added it! Why doesn't it cache on the hotspot, mas......? Thanks for the knowledge.
@pulau_biru: check the proxy redirect part again for the hotspot interface.
Bro, if browsing for all clients should be capped at 1800k max, what do I add to the settings, bro?
Ok bro!
candra: adjust it in the queue tree part, bro!!!
Kang, could you give the steps for the Hotspot interface? Hotspot users get limited automatically by Simple Queues. Or could you give a solution, kang. Thanks..
@Herman: which configuration are you using?
Or what is your configuration based on?
I'm still confused...
Mas, I have a few questions:
1. In the configuration you use, is the proxy in parallel with the clients or in parallel with the MikroTik?
2. If your configuration is used, is an iptables script also created on the proxy?
3. If the proxy is in parallel with the MikroTik and the proxy has 2 NICs, what needs to change in your configuration above, and what is the script? I once came across an article using 2 NICs like that (sorry, I forget the site), so that the computers became faster at sending data to and from the clients.
Please enlighten me, mas. Thank you.
@fadly:
1. For this configuration I use a proxy IN PARALLEL WITH THE MIKROTIK ROUTER.
2. For iptables, not for ACLs for sure.
3. Sorry, in my thinking the 2-NIC setup is a proxy in parallel with the clients, or the topology modem->proxy->mikrotik->client.
I am indeed thinking about a proxy in parallel with the MikroTik but with 2 NICs, used to separate the proxy cache per client (but that's my crazy idea, hahaha).. still in the testing and trial stage, can't share it yet... afraid of causing harm...!!!
You made a mistake by putting the download mangle only on the LAN, bro, unless you aren't using a proxy. Remember, all requests are redirected to the proxy; the HITs can indeed be loss, but for the ones not yet HIT you still haven't limited the download via the proxy. You'll be dizzy going round in circles if your clients use IDM and your Squid uses LUSCA.
HADO: so what's the right way, bro.. what is this for if not to put a download limit on each client with conn-byte=131072-4294967295? Just commenting; you're clever but can't give a solution.
@HADO: thanks, gan, for correcting the script; this MikroTik configuration is indeed far from perfect.. but little by little I'll try to find where it falls short.. it would be great if gan HADO, while commenting, also gave the solution.. so that friends visiting here don't get confused,...
Oh, and look again at the D. OUTBOUND part of the queue tree.
@sobat: thanks for giving the explanation.. thanks also for visiting and taking the time to comment.
Like this, friends: the easiest solution for bandwidth management is to use delay pools in squid, but since in this case the MikroTik is used as bandwidth manager + router, we have to know the request before it heads to squid/proxy. Looking at the example above,
before:
add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no \
dst-address-list=!ProxyNET dst-port=80,8080,3128 in-interface=Local \
protocol=tcp to-addresses=192.168.3.2 to-ports=3128
insert identification of the destination IP addresses on the internet:
/ip firewall nat add action=add-dst-to-address-list chain=dstnat address-list="IP-Tujuan" address-list-timeout=1d in-interface=Local
it is these destination IPs that can be managed via MikroTik, including those handled by squid. As for OUTBOUND or conn-byte in the case above, test it by downloading a large file with IDM: apply the download limit, after 1 minute remove the limit and watch the rate; there is a sharp spike. Local in --> Proxy --> public --> proxy --> local out; what should be controlled here is from public to proxy, not from public straight to Local.
@HADO. Right, bro. The delay is too long.
And here is a small but effective solution for per-PC bandwidth management specifically for MikroTik.
First, fix the PROXY HIT as follows:
/ip firewall mangle add \
chain=forward in-interface=(MODEM/PUBLIC) out-interface=(PROXY) action=mark-packet new-packet-mark="PROXY HIT" dscp=12 disabled=no
replace the names in parentheses with your own interfaces.
Enter each PC's IP combined with the proxy IP (e.g. 192.168.3.2):
/ip firewall address-list
add disabled=no list=M01 address=192.168.2.1 comment="PC-01"
add disabled=no list=M01 address=192.168.3.2 comment="Proxy"
add disabled=no list=M02 address=192.168.2.2 comment="PC-02"
add disabled=no list=M02 address=192.168.3.2 comment="Proxy"
and so on .... according to the number of PCs you have
Then record each PC's destination IPs on the internet with:
/ip firewall mangle
add chain=prerouting src-address=192.168.2.1 in-interface=LAN action=add-dst-to-address-list address-list=Public-01 address-list-timeout=00:01:00
add chain=prerouting src-address=192.168.2.2 in-interface=LAN action=add-dst-to-address-list address-list=Public-02 address-list-timeout=00:01:00
and so on .... according to the number of PCs you have
Create the mangle for downloads coming straight from public/modem (source from the Public-01 list etc., destination the M01 list etc.):
/ip firewall mangle
add chain=forward in-interface=MODEM src-address-list=Public-01 dst-address-list=M01 action=mark-packet new-packet-mark="Packet PC 01" disabled=no passthrough=no
add chain=forward in-interface=MODEM src-address-list=Public-02 dst-address-list=M02 action=mark-packet new-packet-mark="Packet PC 02" disabled=no passthrough=no
and so on .... according to the number of PCs you have
/queue tree
add name=Client parent=global-out disabled=no
add name="PC-01" parent=Client disabled=no packet-mark="Packet PC 01" priority=6 limit-at=158k max-limit=1000k
add name="PC-02" parent=Client disabled=no packet-mark="Packet PC 02" priority=6 limit-at=158k max-limit=1000k
(adjust the limits to what you need)
With the example above you can limit the IDM download speed of each PC.
Note: this is just an example of per-PC bandwidth division; you can develop it yourself by GAME/BROWSING/DOWNLOAD/STREAMING.
Hope it helps ...
SORRY, REVISION FOR THE PROXY HIT:
/ip firewall mangle add \
chain=forward in-interface=(PROXY) out-interface=(LAN) action=mark-packet new-packet-mark="PROXY HIT" dscp=12 disabled=no
@HADO: thanks, gan, for the revision info,... ehhh
The post got lost again, twice, I'm tired. Revision: replace Matrix-01/02 with Public-01/02; the first post was already correct, when I tried to post again I copy-pasted the wrong thing from my private script.
@hado: what about online games, how do I make them 100% safe? Give us a script please. With your script above the games still lag, boss...., and the max browsing bandwidth isn't limited yet....
Easy, bro. For online games you only need to limit the parent of all PCs in the queue tree for the games' needs, and no game path should go into the PC clients. For example, from the script above change:
/ip firewall mangle
add chain=prerouting src-address=192.168.2.1 in-interface=LAN action=add-dst-to-address-list address-list=Matrix-01 address-list-timeout=00:01:00 connection-mark=!games_conn
and then create the game connection ports specifically for games under the name games_conn.
I just posted a script for mas andra but it's gone/not showing; try Facebook instead. If anyone has more questions, search hadisuprayitno@yahoo.com
Eh, sorry: hadisuprayitno10@yahoo.com
Gan HADO, sorry.. your comments only just appeared... hahay.. Google treated them as spam.. now they all show up... hehe, sorry gan!!!
@hado: if all PCs get a max of 1500kbps for browsing+download, how do I set it up, bro? So the rest of the 2M total goes to ping and games. With your configuration only download is under control; browsing isn't yet. Ping and games often lag.
Mas hado, I'm still confused by your script, for example:
add chain=prerouting src-address=192.168.2.1 in-interface=LAN action=add-dst-to-address-list address-list=Public-01 address-list-timeout=00:01:00
address-list=Public-01
but there's nothing in the address list yet,,,
I'm confused about what to put in,,,
is the value Public-01 the MikroTik IP towards the modem, or what?
Besides, it has a sibling Public-02, whereas the modem's IP address is just one,,
hehehe
sorry, a newbie asking,,
too shy to ask and you stay lost in your room,,
hehehe
thanks in advance
Sorry, a question: why does none of my queue tree work, except the one limiting download?
Om, how do I set bandwidth up to 1 Mbps... please advise, om. Thanks in advance.
Still waiting......
Boss, the website is really good, really nice. Awesome.
A hundred thumbs up for you, gan..
Respect. Really complete..
That logo is a cheap shot, gan, that's the logo of the site http://mikrotik-squid.com/
Make your own logo.........
Sorry gan, I was busy and hadn't got around to editing the image. That logo came from a Google search; I assumed it wasn't copyrighted.
Besides, I edited my own logo, boss; look at the Gressinet logo above. As for the post's profile image I admit it; OK, I'll change it later if you object.
Greetings, stay united and always successful; thanks for visiting.
Mas, from the external proxy (192.168.3.29) a ping to the internet works, a ping from Winbox (192.168.88.254) also works, but the proxy won't cache. Where is the mistake, mas? When I turn on the transparent proxy it just gets messy; what's wrong? What's a good rule for the transparent proxy, mas......Thanks
Nice tutorial, gan..!
With pictures it might be easier to understand for novices like me, gan..
I've tried it, still don't quite get it,, heheheheh!
It's safer to use this configuration with simple queues for the clients and the proxy parent in the queue tree using global-out; safe from IDM and the proxy stays loss. I've put it into practice for a warnet and a hotspot; thanks for the free settings, he..he..
Bro, is the public interface (green) the modem or the PPPoE client? Please help, mas.. thanks
How do you determine the PCQ total limit?? How come it's 8000 and 500?
Sorry gan,
why is what has already been downloaded limited too?
Sorry, my question may be a bit off-topic. My MikroTik + external squid can't open Yahoo mail. Other mail like Gmail, Hotmail etc. works??? Where might the fault be???
Thanks in advance.
Wow, this article is cool....God willing, if I open a hotspot business I'll apply it, mas.... nice to meet you, please support me in my contest and give it a G+.....
Want to ask, bro: is the Speedy dial done on the modem or on the MikroTik, bro? Sorry, newbie, heheheheh
Excuse me, bro, I want to ask....
I've used the tutorial above and set all the IPs the same as in the tutorial, but why can't I browse, even though a ping to Google connects? Please help, bro!
Isn't the squid configuration shared???
Please post the squid settings too.
Sorry gan, a question: from the settings above, what has to change if the PPPoE client is configured on the MikroTik? I tested it and I can't browse. Please enlighten me....thanks
Sorry gan gressnet,, a question: may I have your contact/phone number, because I want to consult further,, since I intend to set up a warnet and hotspot.. This is my email kk.ridwan@gmail.com
Please help.. plsss
A very valuable share; permission to apply it on my MikroTik.
Good share, bro, thanks for sharing...
A bit hard to understand, but the main thing is I get it :D
Dear Om,
Thanks, om, for sharing your knowledge; I'm a beginner and I'll try to learn and practise it.
As a result the proxy doesn't run because my Ubuntu can't even connect to the internet, so for now I've disabled the TRANSPARENT PROXY NAT. What could it be, gan?
Does this tutorial work with MikroTik's internal proxy, om?
And if I apply it on IPFire with squid/2.7.STABLE9, would it work?
Could I ask for the backup file, kak? Send it to arkandragneel11@gmail.com
Could you send me the backup file, kak? hehe
My head hurts, cak...hahahaha