Limit Video size

on Thursday, September 26, 2013


/ip firewall layer7-protocol
add name=High regexp="^.*get.+\\.(exe|rar|iso|zip|7zip|0[0-9][1-9]|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*\$"
add name=Mid regexp="^.*get.+\\.(zip|rar|7z).*\$"
add name=End regexp="^.*get.+\\.(pdf|doc|docx|xlsx|xls|rtf|ppt|ppt).*\$"
add name=Video regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"
add name=Update-an regexp="^.*get.+\\.(bin|idx|cab|gz|avc|gem|mcs|klz|dat|kdc).*\$"
add name=youtube regexp="o-o.preferred.pttelkom-|a.youtube.com|b.youtube.com|c.youtube.com|d.youtube.com|e.youtube.com|f.youtube.com|g.youtube.com|h.youtube.com|i.youtube.com|j.youtube.com|l.youtube.com"

/ip firewall mangle
add action=mark-packet chain=forward comment="High Eks" disabled=no layer7-protocol=High new-packet-mark=High-Ext passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="Mid Eks" connection-bytes=10485760-4294967295 disabled=no layer7-protocol=Mid new-packet-mark=Mid-Ext passthrough=no \
    protocol=tcp
add action=mark-packet chain=forward comment="Low Eks" disabled=no layer7-protocol=End new-packet-mark=End-Ext passthrough=no protocol=tcp
add action=mark-connection chain=forward comment=Video connection-bytes=0-131072 disabled=no layer7-protocol=youtube new-connection-mark=Conn-video passthrough=yes \
    protocol=tcp
add action=mark-connection chain=forward connection-bytes=131072-4294967295 disabled=no new-connection-mark=conn-videodown passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=Conn-video disabled=no new-packet-mark=Video passthrough=no
add action=mark-packet chain=forward connection-mark=conn-videodown disabled=no new-packet-mark=Videolimit passthrough=no
add action=mark-packet chain=forward comment=Updatean disabled=no layer7-protocol=Update-an new-packet-mark=Update-an passthrough=no protocol=tcp

Two things to check before pasting this in. The "Low Eks" rule must reference layer7-protocol=End, not High, otherwise the End-Ext mark is never set. And the conn-videodown rule has no connection-mark=Conn-video matcher, so it marks every TCP connection that passes 128 KB, not only the YouTube ones; add connection-mark=Conn-video to it if only video should be throttled.



/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="Limit(Ekstensi|Streaming|Updatean)" parent=global-out priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=32k max-limit=32k name=High packet-mark=High-Ext parent="Limit(Ekstensi|Streaming|Updatean)" \
    priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=32k max-limit=32k name=Mid packet-mark=Mid-Ext parent="Limit(Ekstensi|Streaming|Updatean)" priority=\
    6 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=512k max-limit=1M name=End packet-mark=End-Ext parent="Limit(Ekstensi|Streaming|Updatean)" priority=\
    4 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k max-limit=128k name=Stream-Video packet-mark=Video parent="Limit(Ekstensi|Streaming|Updatean)" \
    priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=32k max-limit=32k name=Update-an packet-mark=Update-an parent="Limit(Ekstensi|Streaming|Updatean)" \
    priority=5 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=15k max-limit=32k name=Stream-VideoLimit packet-mark=Videolimit parent=\
    "Limit(Ekstensi|Streaming|Updatean)" priority=8 queue=default

Limit Extensions with MikroTik Layer 7

on Wednesday, September 25, 2013

Annoyed by users who download huge files with a download manager? They are hard to deal with.

Here is a way to limit the most frequently downloaded extensions.
I am using MikroTik version 4 running on an RB750G.

First, mark the extensions

/ip firewall layer7-protocol
add comment="" name=High regexp="^.*get.+\\.(exe|rar|iso|zip|7zip|0[0-9][1-9]|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*\$"
add comment="" name=Mid regexp="^.*get.+\\.(zip|rar|7z).*\$"
add comment="" name=End regexp="^.*get.+\\.(pdf|doc|docx|xlsx|xls|rtf|ppt|ppt).*\$"
add comment="" name=Video regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"

These are regular expressions; search the web for an explanation.
High = files that are usually large and downloaded most often
Mid = zip, rar and 7z files, allowed up to 10 MB; beyond that they are limited
End = files that should not be limited
Video = streaming video
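As an added illustration (not part of the original post), the Python script below feeds a few constructed HTTP request payloads through the three extension regexps exactly as written above, to show what they do and do not catch. It reproduces l7-filter's matching rules (a case-insensitive POSIX regex in which "." also matches a newline). Two things to notice: zip and rar appear in both High and Mid, and the High mangle rule comes first with passthrough=no, so those files get High-Ext as soon as the request is seen and the Mid rule's 10 MB allowance never applies to them; and because the regexp has no word boundary, ".mov" inside a hostname or "setup.exe" in a query string is enough to mark a plain page, while an HTTPS download never matches at all. The sample payloads and the helper names are this example's own.

```python
from __future__ import annotations
import re

# The three extension patterns from the layer7-protocol export above, with the
# RouterOS script escaping undone ("\\." in the export is "\." in the regex,
# "\$" is "$").  l7-filter compiles its patterns as POSIX extended regexes,
# case-insensitive and without REG_NEWLINE, so "." also matches a newline;
# re.IGNORECASE | re.DOTALL reproduces that in Python.
L7_PATTERNS = {
    "High": r"^.*get.+\.(exe|rar|iso|zip|7zip|0[0-9][1-9]|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*$",
    "Mid":  r"^.*get.+\.(zip|rar|7z).*$",
    "End":  r"^.*get.+\.(pdf|doc|docx|xlsx|xls|rtf|ppt|ppt).*$",
}
COMPILED = {name: re.compile(p, re.IGNORECASE | re.DOTALL) for name, p in L7_PATTERNS.items()}

# Mangle rule order from the post.  All three use passthrough=no, so the first
# rule whose layer7 protocol matches decides the packet mark.
MANGLE_ORDER = [("High", "High-Ext"), ("Mid", "Mid-Ext"), ("End", "End-Ext")]


def l7_matches(payload: bytes) -> list[str]:
    """Names of every layer7 protocol whose regexp matches the payload."""
    text = payload.decode("latin-1")
    return [name for name, rx in COMPILED.items() if rx.search(text)]


def packet_mark(payload: bytes) -> str | None:
    """Packet mark the mangle rules would assign, or None if no rule matches."""
    hits = set(l7_matches(payload))
    for l7_name, mark in MANGLE_ORDER:
        if l7_name in hits:
            return mark
    return None


# Constructed sample payloads for this example (not captured traffic).
SAMPLES = {
    "exe download":       b"GET /files/setup.exe HTTP/1.1\r\nHost: dl.example\r\n\r\n",
    "zip download":       b"GET /archive/data.zip HTTP/1.1\r\nHost: dl.example\r\n\r\n",
    "pdf document":       b"GET /docs/report.pdf HTTP/1.1\r\nHost: docs.example\r\n\r\n",
    "plain page":         b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "host contains .mov": b"GET /news HTTP/1.1\r\nHost: cdn.movies.example\r\n\r\n",
    "query names .exe":   b"GET /index.html?ref=setup.exe HTTP/1.1\r\nHost: www.example\r\n\r\n",
    # HTTPS: the request line is inside TLS, so there is nothing for "get" to match.
    "TLS ClientHello":    b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32,
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:20} l7={l7_matches(payload)!s:16} mark={packet_mark(payload)}")
```

Run it and compare the "zip download" line (both High and Mid match, High-Ext wins) with the "host contains .mov" and "query names .exe" lines (ordinary pages marked as High-Ext) and the ClientHello (nothing matches).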

Second, mark in mangle

/ip firewall mangle
add action=mark-packet chain=forward comment="High Eks" disabled=no dst-address-list=!Bypass layer7-protocol=High new-packet-mark=High-Ext passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="Mid Eks" connection-bytes=10485760-4294967295 disabled=no layer7-protocol=Mid new-packet-mark=Mid-Ext passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="Low Eks" disabled=no layer7-protocol=End new-packet-mark=End-Ext passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=Video disabled=no layer7-protocol=Video new-packet-mark=Video passthrough=no protocol=tcp src-address-list=!Bypass

Third, create the PCQ queue type and the simple queues that limit/throttle the extensions

/queue type add kind=pcq name=PCQ_Limit_Video pcq-classifier=dst-address pcq-limit=50 pcq-rate=64000 pcq-total-limit=2000

/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=0/0 max-limit=64k/64k name=High packet-marks=High-Ext parent=none priority=8 queue=default-small/default-small total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=0/0 max-limit=128k/128k name=Mid packet-marks=Mid-Ext parent=none priority=5 queue=default-small/default-small total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=0/0 max-limit=1M/1M name=End packet-marks=End-Ext parent=none priority=2 queue=default-small/default-small total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=0/0 max-limit=64k/64k name=Video packet-marks=Video parent=none priority=8 queue=default-small/PCQ_Limit_Video total-queue=default-small

Adjust the limits to whatever you want. The Bypass address list referenced by the High and Video rules has to exist; hosts on it are exempted.

The script can be downloaded here:

http://merahputihsegoroasat.blogspot.com/2013/08/limit-ekstensi-dengan-layer-7-mikrotik.html

Detect and shape downloads by connection bytes

Given the many questions about how to restrict download activity, here is another trick besides the "MikroTik-style delay pool".
This trick uses the "connection bytes" facility in mangle.
As far as I know, connection bytes works like this: it counts the number of bytes that have been transferred in one connection between two parties.
For example:
IP 192.168.10.12 opens a connection to 202.1.2.xx. For as long as this connection exists, connection bytes keeps track of the traffic carried by it, from 0 bytes upwards, and the count stops when the connection is torn down. Connection bytes works best when combined with a queue tree.
As an illustration, I will restrict the client with IP 192.168.10.12.
While a connection to a web site has transferred between 0 and 128 KB, that connection gets priority 1 and a 128 kbps allowance; once the connection exceeds 128 KB, its priority drops to 8 and its bandwidth is squeezed to 32 kbps.
Mangle:
First, mark the connection for every LAN-to-outside activity
Quote:
chain=postrouting out-interface=ether1 dst-address=192.168.10.0/24 protocol=tcp src-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes
Next, capture the bytes transferred from a web site to 192.168.10.12. The first mangle rule only matches while the transfer is between 0 and 128 KB; anything beyond that is handled by the second rule.
Quote:
chain=postrouting out-interface=ether1 dst-address=192.168.10.12 connection-mark=http_conn connection-bytes=0-131072 action=mark-packet new-packet-mark=client12_browsing passthrough=no
chain=postrouting out-interface=ether1 dst-address=192.168.10.12 connection-mark=http_conn connection-bytes=131073-4294967295 action=mark-packet new-packet-mark=client12_download passthrough=no
With mangle done, we shape both marks with a queue tree. The queue tree uses the pcq queue type: bytes 0-128 KB get a rate of 128 kbps, while anything above 128 KB gets 32 kbps.
queue type:
Quote:
name="browsing" kind=pcq pcq-rate=128000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
name="download" kind=pcq pcq-rate=32000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
Next, the queue tree:
queue tree:
First, create the parent queue
Quote:
name="choi" parent=ether1 packet-mark="" limit-at=1024000 queue=default priority=3 max-limit=1024000 burst-limit=0 burst-threshold=0 burst-time=0s
Then create the child queues for the 192.168.10.12 marks set in the mangle above
Quote:
name="client12_browsing" parent=choi packet-mark="client12_browsing" limit-at=0 queue=browsing priority=1 max-limit=0 burst-limit=0 burst-threshold=0
name="client12_download" parent=choi packet-mark="client12_download" limit-at=0 queue=download priority=8 max-limit=0 burst-limit=0 burst-threshold=0

Quote:
chain=postrouting out-interface=ether1 dst-address=192.168.10.0/24 protocol=tcp src-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes
I modified this slightly so that the setup is more "global" rather than per client IP, using the web proxy, and so far it works fine (using the nice list, so IIX browsing/download activity is not restricted). I also use prerouting in the mangle.
in mangle
Code:
chain=prerouting protocol=tcp dst-port=80 dst-address-list=!nice action=mark-connection new-connection-mark=http_conn passthrough=yes
chain=prerouting connection-mark=http_conn connection-bytes=0-131072 action=mark-packet new-packet-mark=browsing passthrough=no
chain=output connection-mark=http_conn connection-bytes=0-131072 action=mark-packet new-packet-mark=browsing passthrough=no
chain=prerouting connection-mark=http_conn connection-bytes=131073-4294967295 action=mark-packet new-packet-mark=download passthrough=no
chain=output connection-mark=http_conn connection-bytes=131073-4294967295 action=mark-packet new-packet-mark=download passthrough=no
in queue type
Code:
name="browsing" kind=pcq pcq-rate=512000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
name="download" kind=pcq pcq-rate=32000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
in queue tree
Code:
name="clovanzo" parent=LAN packet-mark="" limit-at=10000000 queue=default priority=3 max-limit=10000000 burst-limit=0 burst-threshold=0 burst-time=0s
name="client_browsing" parent=clovanzo packet-mark=browsing limit-at=0 queue=browsing priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
name="client_download" parent=clovanzo packet-mark=download limit-at=0 queue=download priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

Source: http://tutorialmikrotik.com/detect-dan-shapping-download-connection-byte.php
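To see what the two connection-bytes rules actually do to a download (the Conn-video/conn-videodown pair in the first post works the same way), here is an added Python simulation; it is not from the original post or the forum it quotes. It replays constructed packet streams through the 0-131072 / 131073-4294967295 classification. The modelling assumption is that connection-bytes is compared with the bytes already counted on the connection before the current packet, both directions included. It shows three things: a 1 MB file in one connection gets its first 128 KB at the browsing rate and the rest at the download rate; the same file fetched as 8 range requests on 8 connections, the way a download manager does it, stays entirely in the browsing class because the counter is per connection; and a connection that passes 4294967295 bytes drops out of the download class, which is why an upper bound of 0 (RouterOS shorthand for no upper limit) is the safer choice. Packet, single_stream and segmented are names invented for this example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

INFINITY = 0  # in RouterOS a connection-bytes upper bound of 0 means "no upper limit"


@dataclass
class Packet:
    conn: str   # stands in for the conntrack entry (5-tuple) the packet belongs to
    size: int   # bytes carried by this packet


def in_range(total: int, bounds: tuple[int, int]) -> bool:
    lo, hi = bounds
    return total >= lo and (hi == INFINITY or total <= hi)


def mark_packets(packets, browsing=(0, 131072), download=(131073, 4294967295)):
    """Apply the two mangle rules in order; return (conn, size, mark) per packet.
    Modelling assumption: connection-bytes is compared with the bytes already
    seen on the connection before this packet, both directions counted."""
    seen = defaultdict(int)
    out = []
    for p in packets:
        total = seen[p.conn]
        if in_range(total, browsing):
            mark = "browsing"
        elif in_range(total, download):
            mark = "download"
        else:
            mark = "unmarked"   # neither rule matches: the packet is not shaped at all
        out.append((p.conn, p.size, mark))
        seen[p.conn] += p.size
    return out


def bytes_per_mark(packets, **ranges) -> dict[str, int]:
    """Total bytes that ended up under each packet mark."""
    totals = defaultdict(int)
    for _, size, mark in mark_packets(packets, **ranges):
        totals[mark] += size
    return dict(totals)


def single_stream(total_bytes, conn="c1", mss=1460):
    """One connection carrying total_bytes in mss-sized segments (constructed input)."""
    full, rem = divmod(total_bytes, mss)
    pkts = [Packet(conn, mss) for _ in range(full)]
    if rem:
        pkts.append(Packet(conn, rem))
    return pkts


def segmented(total_bytes, segments, mss=1460):
    """The same download split into equal HTTP range requests on separate
    connections, as a download manager does it (constructed input)."""
    pkts = []
    for i in range(segments):
        pkts += single_stream(total_bytes // segments, conn=f"seg{i}", mss=mss)
    return pkts


if __name__ == "__main__":
    one_mb = 1048576
    print("single connection          :", bytes_per_mark(single_stream(one_mb)))
    print("8 range requests           :", bytes_per_mark(segmented(one_mb, 8)))
    big = [Packet("big", 1_000_000) for _ in range(4400)]   # 4.4 GB in one connection
    print("4.4 GB, upper 4294967295   :", bytes_per_mark(big))
    print("4.4 GB, upper 0 (no limit) :", bytes_per_mark(big, download=(131073, INFINITY)))
```

The second line of output is the practical point: a segmented download never leaves the browsing class, so this trick only slows down single-connection downloads unless the number of connections per client is capped as well.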

NTH Load Balancing for MikroTik versions 3.xx and 2.9xx

on Monday, April 6, 2009

Apologies in advance if this turns out to be a repost.

Here is an example for MikroTik version 3.xx (I use it on MikroTik 3.16):

IP Modem 01 : 192.168.1.1 interface=speedy1
IP Modem 02 : 192.168.2.1 interface=speedy2
IP Local : 10.18.92.1 interface=Local

Mangle settings

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=Santaria1 \
    passthrough=yes connection-state=new in-interface=Local nth=2,1 \
    comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=Santaria1 passthrough=no \
    in-interface=Local connection-mark=Santaria1 comment="" disabled=no
add chain=prerouting action=mark-connection new-connection-mark=Santaria2 \
    passthrough=yes connection-state=new in-interface=Local nth=1,1 \
    comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=Santaria2 passthrough=no \
    in-interface=Local connection-mark=Santaria2 comment="" disabled=no

The in-interface on the two mark-routing rules has to be the same LAN interface (Local) as on the mark-connection rules. If it names an interface the traffic does not arrive on, the routing marks are never applied, the nth=1,1 rule re-marks every connection as Santaria2, and everything falls through to the default route.

NAT settings

/ip firewall nat
add chain=srcnat action=masquerade out-interface=speedy1
add chain=srcnat action=masquerade out-interface=speedy2
add chain=srcnat action=masquerade src-address="10.18.92.0/24"

Route settings

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 \
    routing-mark=Santaria1 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 \
    routing-mark=Santaria2 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 \
    comment="primary connection" disabled=no
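An added simulation (not from the post) of how the four version 3.xx mangle rules above hand out routing marks. The nth counter is modelled as RouterOS v3 documents it: each rule has its own counter that only advances for packets passing the rule's other matchers, and nth=every,packet matches when the counter reaches packet and resets when it reaches every. Conn, Rule and distribute() are this example's own names. Running it shows the marks alternating Santaria1/Santaria2, and what happens when the two mark-routing rules name an interface the traffic does not arrive on: no routing mark at all.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Conn:
    """First packet of a connection as the prerouting chain sees it."""
    in_interface: str
    state: str = "new"
    connection_mark: str | None = None
    routing_mark: str | None = None


@dataclass
class Rule:
    action: str                         # "mark-connection" or "mark-routing"
    new_mark: str
    passthrough: bool
    in_interface: str
    connection_state: str | None = None
    connection_mark: str | None = None
    nth: tuple[int, int] | None = None  # (every, packet) in RouterOS v3 syntax
    counter: int = field(default=0, init=False)

    def matches(self, c: Conn) -> bool:
        if c.in_interface != self.in_interface:
            return False
        if self.connection_state and c.state != self.connection_state:
            return False
        if self.connection_mark and c.connection_mark != self.connection_mark:
            return False
        if self.nth:
            # Per-rule counter, advanced only for packets that passed the other
            # matchers: nth=2,1 hits packets 1,3,5,...; nth=1,1 hits every packet.
            every, packet = self.nth
            self.counter += 1
            hit = self.counter == packet
            if self.counter >= every:
                self.counter = 0
            if not hit:
                return False
        return True


def build_rules(lan="Local", routing_iface="Local"):
    """The four rules from the post; routing_iface is the in-interface used on
    the two mark-routing rules (the post's intent is that it equals the LAN)."""
    return [
        Rule("mark-connection", "Santaria1", True, lan, connection_state="new", nth=(2, 1)),
        Rule("mark-routing", "Santaria1", False, routing_iface, connection_mark="Santaria1"),
        Rule("mark-connection", "Santaria2", True, lan, connection_state="new", nth=(1, 1)),
        Rule("mark-routing", "Santaria2", False, routing_iface, connection_mark="Santaria2"),
    ]


def run_chain(rules, c: Conn) -> Conn:
    for r in rules:
        if not r.matches(c):
            continue
        if r.action == "mark-connection":
            c.connection_mark = r.new_mark
        else:
            c.routing_mark = r.new_mark
        if not r.passthrough:
            break
    return c


def distribute(n_connections, lan="Local", routing_iface="Local"):
    """Routing mark given to each of n new connections arriving from the LAN."""
    rules = build_rules(lan, routing_iface)
    return [run_chain(rules, Conn(lan)).routing_mark for _ in range(n_connections)]


if __name__ == "__main__":
    print("matching in-interface  :", distribute(6))
    print("mismatched in-interface:", distribute(6, routing_iface="HotSpot"))
```

Because the split is per connection, a client that opens many connections is spread over both lines; sites that tie a session to one source address may misbehave for such a client, which is the usual caveat with NTH balancing.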


Here is the load balancing script for a 2-line configuration on MikroTik version 2.9.27

Adjust the IP of each interface to your own network.

Note : 10.11.90.1 = local IP
192.168.1.1 = IP of Speedy modem 1
192.168.2.1 = IP of Speedy modem 2

By JoySolutions.

/ip address
add address=10.11.90.1/24 network=10.11.90.0 broadcast=10.11.90.255 \
    interface=local comment="" disabled=no
add address=192.168.1.254/24 network=192.168.1.0 broadcast=192.168.1.255 \
    interface="Internet" comment="" disabled=no
add address=192.168.2.254/24 network=192.168.2.0 broadcast=192.168.2.255 \
    interface="Speedy" comment="" disabled=no

/ip firewall mangle
add chain=prerouting in-interface=local connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=santaria1 passthrough=yes \
    comment="Load Balancing Client" disabled=no
add chain=prerouting in-interface=local connection-mark=santaria1 \
    action=mark-routing new-routing-mark=santaria1 passthrough=no comment="" \
    disabled=no
add chain=prerouting in-interface=local connection-state=new nth=1,1,1 \
    action=mark-connection new-connection-mark=santaria2 passthrough=yes \
    comment="" disabled=no
add chain=prerouting in-interface=local connection-mark=santaria2 \
    action=mark-routing new-routing-mark=santaria2 passthrough=no comment="" \
    disabled=no

/ip firewall nat
add chain=srcnat out-interface="Internet" action=masquerade comment="" \
    disabled=no
add chain=srcnat out-interface="Speedy" action=masquerade comment="" \
    disabled=no

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 \
    routing-mark=santaria1 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 \
    routing-mark=santaria2 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 \
    comment="primary connection" disabled=no

SETTING UP A PPTP SERVER & CLIENT

Step 1:

1. open winbox
2. click Interface
3. click add PPTP client
4. enter the server address (the MikroTik's public IP)
5. user (the user that will connect to the MikroTik)
6. password (its password)
7. profile (default)
8. allow (tick everything)

Step 2:

1. open PPP
2. click PPTP Server
3. tick enabled
4. authentication (tick everything)
5. click Secret
6. click add
7. enter name & password
8. service PPTP
9. routes: local IP gateway (the MikroTik's local IP)
10. local address (the PPTP server's local IP, which will be added under ip address; anything goes as long as the IP is not already in use on the network)
11. remote address (the IP the remote side will use on the local network; also your choice)

Step 3:

1. create a PPTP VPN connection in Windows

Quote:

remember...!!!!! the username & password in the PPTP client (interface) must match the PPP Secret

A word of caution on step 2.4: PPTP depends on MS-CHAPv2, which is considered broken, and ticking every authentication method also permits PAP, which sends the password in the clear and leaves the tunnel without MPPE encryption. Use PPTP only where nothing better (L2TP/IPsec, SSTP) is available, and tick only mschap2 if you must use it.

Load balancing from the wiki.....

The router has 2 upstream (WAN) interfaces with IP addresses 10.111.0.2/24 and 10.112.0.2/24, and a LAN interface named "Local" with IP address 192.168.0.1/24.

/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="" \
    disabled=no
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 \
    comment="" disabled=no
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1 \
    comment="" disabled=no

Mangle

/ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
    disabled=no
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
    action=mark-connection new-connection-mark=even passthrough=yes comment="" \
    disabled=no
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no comment="" disabled=no

NAT

/ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
    to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
    to-ports=0-65535 comment="" disabled=no

Routing

/ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd \
    comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even \
    comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 \
    comment="gateway for the router itself" disabled=no



Delay pool, MikroTik style

Step 1

Add firewall rules that learn the IPs of download servers and put them into an address list

/ip firewall filter add chain=forward \
    src-address=192.168.10.0/24 protocol=tcp content=.mp3 \
    action=add-dst-to-address-list address-list=downloads \
    address-list-timeout=01:00:00
/ip firewall filter add chain=forward \
    src-address=192.168.10.0/24 protocol=tcp content=.exe \
    action=add-dst-to-address-list address-list=downloads \
    address-list-timeout=01:00:00

The rules above catch all traffic from the LAN block whose content contains .mp3 or .exe and put the destination into the address list "downloads" for 1 hour. Keep in mind that it is the whole destination IP that is throttled for that hour, so other content served from the same host, or from a shared CDN address, is slowed down as well.

Step 2

Now mangle to mark the packets coming from the address list built in Step 1

/ip firewall mangle add chain=forward \
    protocol=tcp src-address-list=downloads \
    action=mark-packet new-packet-mark=download-paket

This mangle labels the packets so that the simple queue can catch the traffic from the IPs in the "downloads" address list.

Step 3

Finally, add a simple queue for the packet mark obtained in step 2

/queue simple add name=download-files \
    max-limit=64000/64000 packet-marks=download-paket

Put this queue at the very top so that MikroTik evaluates it first.

Another way:

/ip firewall mangle
add chain=forward protocol=tcp content=.exe \
    action=mark-connection new-connection-mark=con-dowloader passthrough=yes \
    comment="" disabled=no
add chain=output protocol=tcp content=.exe \
    action=mark-connection new-connection-mark=con-dowloader passthrough=yes \
    comment="" disabled=no
add chain=forward protocol=tcp content=.avi \
    action=mark-connection new-connection-mark=con-dowloader passthrough=yes \
    comment="" disabled=no
add chain=output protocol=tcp content=.avi \
    action=mark-connection new-connection-mark=con-dowloader passthrough=yes \
    comment="" disabled=no
add chain=forward protocol=tcp content=.zip \
    action=mark-connection new-connection-mark=con-dowloader passthrough=yes \
    comment="" disabled=no
add chain=output protocol=tcp content=.zip \
    action=mark-connection new-connection-mark=con-dowloader passthrough=yes \
    comment="" disabled=no
add chain=output connection-mark=con-dowloader action=mark-packet \
    new-packet-mark=downloader-pkt passthrough=no comment="" disabled=no
add chain=forward connection-mark=con-dowloader action=mark-packet \
    new-packet-mark=downloader-pkt passthrough=no comment="" disabled=no

* add as many other extensions as you like; put them above the two mark-packet rules

the queue

/queue simple
add name="downloader" dst-address=0.0.0.0/0 interface=all \
    packet-marks=downloader-pkt direction=both priority=8 \
    queue=default-small/default-small limit-at=0/64000 max-limit=0/64000 \
    burst-limit=/128000 burst-threshold=/96000 burst-time=/10s \
    total-queue=default-small disabled=no

Separating IIX (domestic) traffic on a wireless ISP from international traffic

1. Create a src-address list named nice
2. or copy-paste the src-address list provided by nice
http://www.datautama.net.id/harijant...utama-nice.php
copy-paste can be done from putty.exe
3. Create the mangle rules so the router knows whether a connection & its packets are local or international

/ip firewall mangle
add chain=forward src-address-list=nice action=mark-connection \
    new-connection-mark=con-indonesia passthrough=yes comment="mark all \
    indonesia source connection traffic" disabled=no
----> for local
add chain=forward dst-address-list=nice action=mark-connection \
    new-connection-mark=con-indonesia passthrough=yes comment="mark all \
    indonesia destination connection traffic" disabled=no
----> for local
add chain=forward src-address-list=!nice action=mark-connection \
    new-connection-mark=con-overseas passthrough=yes comment="mark all \
    overseas source connection traffic" disabled=no
---> for international
add chain=forward dst-address-list=!nice action=mark-connection \
    new-connection-mark=con-overseas passthrough=yes comment="mark all \
    overseas destination connection traffic" disabled=no
---> for international
add chain=prerouting connection-mark=con-indonesia action=mark-packet \
    new-packet-mark=indonesia passthrough=yes comment="mark all indonesia \
    traffic" disabled=no
---> local packets
add chain=prerouting connection-mark=con-overseas action=mark-packet \
    new-packet-mark=overseas passthrough=yes comment="mark all overseas \
    traffic" disabled=no
----> international packets

Because all four mark-connection rules use passthrough=yes, the last matching rule wins. A connection from a LAN address that is not itself in the nice list to an IIX destination is marked con-indonesia by the second rule and then re-marked con-overseas by the third. Either add your own LAN range to the nice list, or set passthrough=no on the two con-indonesia rules.

4. Create the simple queues

/queue simple
add name="test-indonesia" target-addresses=xxx.xxx.xxx.xxx/xx \
    dst-address=0.0.0.0/0 interface=all parent=none packet-marks=indonesia \
    direction=both priority=8 queue=default/default limit-at=0/0 \
    max-limit=256000/256000 total-queue=default disabled=no
---> 256 kbps UPLOAD & DOWNLOAD (LOCAL)
add name="test-overseas" target-addresses=xxx.xxx.xxx.xxx/xx \
    dst-address=0.0.0.0/0 interface=all parent=none packet-marks=overseas \
    direction=both priority=8 queue=default/default limit-at=0/0 \
    max-limit=128000/128000 total-queue=default disabled=no
----> 128 kbps UPLOAD & DOWNLOAD (INTERNATIONAL)



Load balancing with connection tracking

/ip address
add address=10.0.128.14 network=10.0.128.0 broadcast=10.0.128.255 \
    interface=IndosatM2 comment="" disabled=no
add address=192.178.10.62/26 network=192.178.10.0 broadcast=192.178.10.63 \
    interface=HotSpot comment="" disabled=no
add address=192.168.1.2/29 network=192.168.1.0 broadcast=192.168.1.7 \
    interface=Speedy comment="" disabled=no

/ip firewall mangle
add chain=prerouting in-interface=HotSpot connection-state=new nth=1,0,0 action=mark-connection new-connection-mark=satu passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=HotSpot connection-mark=satu action=mark-routing new-routing-mark=satu passthrough=no comment="" disabled=no
add chain=prerouting in-interface=HotSpot connection-state=new nth=1,0,1 action=mark-connection new-connection-mark=dua passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=HotSpot connection-mark=dua action=mark-routing new-routing-mark=dua passthrough=no comment="" disabled=no

/ip firewall nat
add chain=srcnat connection-mark=satu action=src-nat to-addresses=10.0.128.14 to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=dua action=src-nat to-addresses=192.168.1.2 to-ports=0-65535 comment="" disabled=no

/ip route
add dst-address=0.0.0.0/0 gateway=10.0.128.XX scope=255 target-scope=10 routing-mark=satu comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark=dua comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 comment="this is the default route to speedy 1"

ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 1s
tcp-syn-received-timeout: 1s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 5s
tcp-close-wait-timeout: 5s
tcp-last-ack-timeout: 1s
tcp-time-wait-timeout: 1s
tcp-close-timeout: 1s
udp-timeout: 1s
udp-stream-timeout: 1m
icmp-timeout: 5s
generic-timeout: 5m
tcp-syncookie: no

Brute-force login prevention (FTP & SSH)

on Sunday, April 5, 2009

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
    address-list=ftp_blacklist address-list-timeout=3h

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
    action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
    comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
    address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
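To make the staged-list logic concrete, here is an added Python model of the SSH rules above; it is not code from the post. It keeps address lists with expiring entries and replays constructed connection events through the rules in the order given, honouring the fact that add-src-to-address-list is a non-terminating action (the packet continues down the chain and refreshes the lower stages too). It shows that a source opening new TCP/22 connections in quick succession is let through four times and dropped from the fifth onwards for 10 days, that a source pacing its attempts more than a minute apart is never blacklisted, and that the rule order matters: with the staged rules reversed, one connection climbs every stage at once and the second is dropped. Note that these rules count new connections, not failed logins, so an admin who opens several sessions quickly is blacklisted exactly like an attacker. AddressLists, Rule and run() are names invented for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

MINUTE, DAY = 60, 86400


class AddressLists:
    """Dynamic address lists with per-entry expiry, as /ip firewall address-list keeps them."""

    def __init__(self):
        self.lists: dict[str, dict[str, int]] = {}

    def add(self, name, ip, now, timeout):
        # Re-adding an existing entry restarts its timeout.
        self.lists.setdefault(name, {})[ip] = now + timeout

    def contains(self, name, ip, now) -> bool:
        expires = self.lists.get(name, {}).get(ip)
        if expires is None:
            return False
        if expires <= now:
            del self.lists[name][ip]
            return False
        return True


@dataclass
class Rule:
    src_list: str | None     # src-address-list matcher; None matches any source
    action: str              # "drop" or "add-src-to-address-list"
    add_to: str | None = None
    timeout: int = 0


# The input-chain rules from the post, in the same order.  All of them also
# match protocol=tcp dst-port=22 connection-state=new, which is left implicit:
# every event fed in below is one such new connection.
SSH_RULES = [
    Rule("ssh_blacklist", "drop"),
    Rule("ssh_stage3", "add-src-to-address-list", "ssh_blacklist", 10 * DAY),
    Rule("ssh_stage2", "add-src-to-address-list", "ssh_stage3", MINUTE),
    Rule("ssh_stage1", "add-src-to-address-list", "ssh_stage2", MINUTE),
    Rule(None, "add-src-to-address-list", "ssh_stage1", MINUTE),
]

# The same rules with the staged ones in the opposite order (a common mistake).
REVERSED_RULES = [SSH_RULES[0]] + SSH_RULES[:0:-1]


def run(events, rules=SSH_RULES) -> list[str]:
    """events: (time_in_seconds, src_ip) per new TCP/22 connection, in time order.
    Returns "drop" or "accept" per event; "accept" means the packet fell through
    to whatever follows these rules in the input chain."""
    lists = AddressLists()
    verdicts = []
    for now, ip in events:
        verdict = "accept"
        for rule in rules:
            if rule.src_list is not None and not lists.contains(rule.src_list, ip, now):
                continue
            if rule.action == "drop":
                verdict = "drop"
                break
            # add-src-to-address-list does not terminate: later rules still see the packet
            lists.add(rule.add_to, ip, now, rule.timeout)
        verdicts.append(verdict)
    return verdicts


# Constructed event streams for this example (not real logs).
FAST_ATTACKER = [(t, "203.0.113.7") for t in (0, 5, 10, 15, 20, 25)]
SLOW_ATTACKER = [(90 * i, "203.0.113.8") for i in range(10)]

if __name__ == "__main__":
    print("fast attacker       :", run(FAST_ATTACKER))
    print("slow attacker       :", run(SLOW_ATTACKER))
    print("reversed rule order :", run([(0, "198.51.100.1"), (1, "198.51.100.1")], REVERSED_RULES))
```

The slow-attacker case is the limitation of this approach: the 1-minute stage timeouts mean anyone who spaces attempts further apart than that is never caught, so pair these rules with strong SSH keys or a management address list rather than relying on them alone.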

Firewall Komplit

Components of the filter
• protocol classifier
• invalid packet filter
• port-scan detector • policy classifier
• application protocol filter
• TCP-specific filters
• application protocol specific filters
/ ip firewall mangle
add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-
services
add chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-
services
add chain=prerouting connection-state=new action=jump jump-target=other-services

add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-
connection new-connection-mark=ftp passthrough=no
add chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-
connection new-connection-mark=ssh passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-
connection new-connection-mark=telnet passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-
connection new-connection-mark=smtp passthrough=no
add chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection
new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-
connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-
connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-
connection new-connection-mark=pop3 passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-
connection new-connection-mark=auth passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-
connection new-connection-mark=nntp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-
connection new-connection-mark=imap passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=https passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465 action=mark-connection new-connection-mark=smtps passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993 action=mark-connection new-connection-mark=imaps passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995 action=mark-connection new-connection-mark=pop3s passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723 action=mark-connection new-connection-mark=pptp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=2379 action=mark-connection new-connection-mark=kgs passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3128 action=mark-connection new-connection-mark=proxy passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3389 action=mark-connection new-connection-mark=win-ts passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243 action=mark-connection new-connection-mark=emule passthrough=no
add chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901 action=mark-connection new-connection-mark=vnc passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669 action=mark-connection new-connection-mark=irc passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889 action=mark-connection new-connection-mark=bittorrent passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080 action=mark-connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291 action=mark-connection new-connection-mark=winbox passthrough=no
add chain=tcp-services protocol=tcp action=mark-connection new-connection-mark=other-tcp passthrough=no

add chain=udp-services protocol=udp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=123 action=mark-connection new-connection-mark=ntp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701 action=mark-connection new-connection-mark=l2tp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535 action=mark-connection new-connection-mark=skype passthrough=no
add chain=udp-services protocol=udp connection-state=new action=mark-connection new-connection-mark=other-udp passthrough=no
add chain=other-services protocol=icmp icmp-options=8:0-255 action=mark-connection new-connection-mark=ping passthrough=no
add chain=other-services protocol=gre action=mark-connection new-connection-mark=gre passthrough=no
add chain=other-services action=mark-connection new-connection-mark=other passthrough=no

Most generic invalid packet and port-scan detection techniques

A packet that arrives on the Public interface already addressed to one of the NATed internal addresses can only come from someone trying to reach behind the NAT; it is marked here and dropped by the sanity-check chain further down.
/ip firewall mangle
add chain=prerouting in-interface=Public dst-address-list=nat-addr action=mark-packet new-packet-mark=nat-traversal passthrough=no

/ ip firewall address-list
add list=illegal-addr address=0.0.0.0/8 comment="illegal addresses"
add list=illegal-addr address=127.0.0.0/8
add list=illegal-addr address=224.0.0.0/3
add list=illegal-addr address=10.0.0.0/8
add list=illegal-addr address=172.16.0.0/12
add list=illegal-addr address=192.168.0.0/16
add list=local-addr address=172.31.255.0/29 comment="my local network"
add list=nat-addr address=172.31.255.0/29 comment="my local network"

/ ip firewall filter
add chain=forward in-interface=Local out-interface=Local action=accept comment="Allow traffic between wired and wireless networks"

/ ip firewall filter
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check"
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal"
add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block port scans"
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan"
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan"
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"
add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"
add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"
add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"
add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes to multicast or broadcast addresses"
add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!local action=jump jump-target=drop comment="Drop illegal destination addresses"
add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"
add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal source addresses"
add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from public interface but not to local address"
add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes from multicast or broadcast addresses"

Three things to check before using this chain. The psd tuple reads WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight: a source whose packets to distinct ports, no more than 3 s apart, accumulate a weight of 20 (3 per port below 1024, 1 per port above) lands on blocked-addr for a day. The two flag-scan comments are easy to mix up: FIN+PSH+URG with nothing else is the Xmas scan, and no flags at all is the Null scan. Finally, every rule here jumps to a chain named drop that this excerpt does not define; it needs at least one rule (a plain action=drop), otherwise the jump returns to the caller and nothing is dropped. Note also that "Drop TCP RST" discards every RST, including the ones that belong to established connections, so connections to closed ports time out instead of failing immediately.

/ ip firewall filter
add chain=forward protocol=tcp action=jump jump-target=restrict-tcp
add chain=forward protocol=udp action=jump jump-target=restrict-udp
add chain=forward action=jump jump-target=restrict-ip
add chain=restrict-tcp connection-mark=auth action=reject
add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy"
add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp
add chain=smtp-first-drop src-address-list=approved-smtp action=return
add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp
add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable

The smtp-first-drop chain is a crude greylist. A host's first SMTP connection is rejected and its address stored in first-smtp; when the host comes back (as a real MTA does, and as many spam bots do not), the first rule moves it to approved-smtp, the second returns it to restrict-tcp, and from then on its mail passes. Neither list has an address-list-timeout, so both grow indefinitely and an approved host stays approved; add a timeout if that is not what you want.

/ ip firewall filter
add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop
add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop
add chain=restrict-ip connection-mark=other action=jump jump-target=drop

/ ip firewall filter
add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic \(between router applications\)"
add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks"
add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router itself, including all broadcast traffic"
add chain=input connection-mark=ping limit=5,5 action=accept comment="Allow pings, but at a very limited rate \(5 per sec\)"
add chain=input in-interface=Local action=jump jump-target=local-services comment="Allowing some services to be accessible from the local network"
add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet"
add chain=input action=jump jump-target=drop
add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
add chain=dhcp src-address-list=local-addr dst-address-type=local action=accept
add chain=local-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
add chain=local-services connection-mark=dns action=accept comment="DNS"
add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy \(3128/TCP\)"
add chain=local-services connection-mark=winbox action=accept comment="Winbox \(8291/TCP\)" disabled=no
add chain=local-services action=drop comment="Drop Other Local Services"
add chain=public-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
add chain=public-services connection-mark=pptp action=accept comment="PPTP \(1723/TCP\)"
add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP"
add chain=public-services action=drop comment="Drop Other Public Services"

Two remarks. The local-services chain accepts the dns and proxy connection marks but not ntp, so if the NTP redirect from the "Proxying everything" section is used, the redirected NTP requests are dropped by the last rule of that chain; add an equivalent accept for connection-mark=ntp. And public-services deliberately exposes SSH and PPTP to the Internet: remove those rules if remote administration and VPN access are not needed, and keep in mind that PPTP's MS-CHAPv2 authentication has been broken for years.

Proxying everything
/ ip firewall nat
add chain=dstnat in-interface=Local connection-mark=dns action=redirect comment="proxy for DNS requests"
add chain=dstnat in-interface=Local connection-mark=http protocol=tcp action=redirect to-ports=3128 comment="proxy for HTTP requests"
add chain=dstnat in-interface=Local connection-mark=ntp action=redirect comment="proxy for NTP requests"

action=redirect rewrites the destination to the router itself; without to-ports the original port (53, 123) is kept, so clients are served by the router's own DNS cache and NTP server whatever resolver or time server they have configured.

Enable Proxy servers
/ system ntp server
set enabled=yes broadcast=no multicast=no manycast=no
/ system ntp client
set enabled=yes mode=unicast primary-ntp=xxx.xxx.xxx.xxx secondary-ntp=0.0.0.0
/ ip proxy
set enabled=yes port=3128 parent-proxy=0.0.0.0:1 maximal-client-connections=1000 maximal-server-connections=1000
/ ip dns
set primary-dns=yyy.yyy.yyy.yyy secondary-dns=0.0.0.0 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

allow-remote-requests=yes and the proxy on 3128 make the router answer DNS and HTTP-proxy requests from anyone who can reach those ports. That is acceptable here only because the input chain above accepts the dns and proxy marks from the Local interface and public-services drops them; without such a filter the router is an open resolver usable for DNS amplification and an open proxy.

Protect customer

/ip firewall filter
add chain=forward connection-state=established action=accept comment="allow established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K (Bagle Virus)"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"

add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward action=accept protocol=tcp comment="allow TCP"
add chain=forward action=accept protocol=icmp comment="allow ping"
add chain=forward action=accept protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

The virus chain is a port blocklist from the Blaster/Sasser/MyDoom era, not malware detection: it matches destination ports only, so it also stops clients from reaching legitimate services on those ports anywhere. Review it before deploying: 3127-3128 covers the web-proxy port 3128 used in the "Proxying everything" section, 1024-1030 is in general use, and 10000 is commonly Webmin or a VPN port (the Indonesian script further down ships that rule disabled for exactly that reason). Since the last three accept rules admit all remaining TCP, ICMP and UDP, the "Allow HTTP" and "Allow SMTP" rules are documentation rather than restriction, and the final drop only catches other IP protocols.

How to auto-detect infected or spamming users and temporarily block their outgoing SMTP

/ip firewall filter

add chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"

add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"

The second rule fires when one host (connection-limit=30,32 counts per /32 source) holds more than 30 simultaneous connections to port 25; limit=50,5 only throttles how often the rule itself may match (50 times a second with a burst of 5; RouterOS 6 spells the same matcher limit=50,5:packet). A matching host is put on the spammer list for a day, and the first rule drops its port-25 traffic while it is there. A legitimate mail relay or webmail server on the LAN will trip this just as readily as a bot, so exempt it from the second rule with a negated src-address-list or src-address.

The script below walks the spammer list and, for every listed address that is currently logged into the hotspot, logs the hotspot user name next to the address; it assumes the users are hotspot users. Run it from /system scheduler to get periodic reports.

/system script
add name="spammers" policy=ftp,read,write,policy,test,winbox source=":log error \"----------Users detected like SPAMMERS -------------\";\
\n:foreach i in=\[/ip firewall address-list find list=spammer\] do={\
\n  :local usser \[/ip firewall address-list get \$i address\];\
\n  :foreach j in=\[/ip hotspot active find address=\$usser\] do={\
\n    :local user \[/ip hotspot active get \$j user\];\
\n    :log error \$user;\
\n    :log error \$usser\
\n  }\
\n}"

Drop port scanners

/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

These rules sit in the input chain, so they only see scans aimed at the router itself; the sanity-check chain earlier on this page applies the same idea to forwarded traffic. Two caveats: the listing is keyed on the source address and lasts two weeks, so a scan with a spoofed source can get an arbitrary address (your upstream gateway or DNS server, say) blocked for a fortnight; exempt trusted addresses from the add-src-to-address-list rules. And the drop rule comes last, so a listed scanner's packets still run through all the detection rules before being dropped; moving the drop rule to the top of the chain is cheaper.
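To make the psd tuple concrete, here is an added example (mine, not from the page or from MikroTik) that replays constructed packet records through a small model of the psd heuristic: a packet to a port the source has not hit before adds LowPortWeight (ports up to 1023) or HighPortWeight to that source's score, a gap longer than DelayThreshold since the source's previous packet resets the score, and the rule fires when the score reaches WeightThreshold. The model follows the ipt_psd description the RouterOS matcher is based on; the exact history bookkeeping inside RouterOS is an assumption, as are the sample addresses, ports and timings.

```python
"""Model of the RouterOS psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
matcher, for reasoning about the parameters offline. Added example, not RouterOS code;
the bookkeeping approximates ipt_psd and is an assumption."""
from dataclasses import dataclass, field


@dataclass
class _SrcState:
    last_seen: float = 0.0
    weight: int = 0
    ports: set = field(default_factory=set)


class PortScanDetector:
    """psd=weight_threshold,delay_threshold,low_port_weight,high_port_weight.

    A packet to a port this source has not touched yet adds low_port_weight
    (port <= 1023) or high_port_weight (port >= 1024) to the source's score.
    If more than delay_threshold seconds passed since the source's previous
    packet, the sequence is over and the score resets. observe() returns
    True on the packet that makes the score reach the threshold, i.e. the
    packet on which the firewall rule would match.
    """

    LOW_PORT_MAX = 1023  # assumption: the privileged-port boundary is the low/high split

    def __init__(self, weight_threshold=21, delay_threshold=3.0,
                 low_port_weight=3, high_port_weight=1):
        self.weight_threshold = weight_threshold
        self.delay_threshold = delay_threshold
        self.low_port_weight = low_port_weight
        self.high_port_weight = high_port_weight
        self._state = {}

    def observe(self, ts, src, dst_port):
        st = self._state.setdefault(src, _SrcState(last_seen=ts))
        if ts - st.last_seen > self.delay_threshold:
            st.weight, st.ports = 0, set()   # gap too long: start a new sequence
        st.last_seen = ts
        if dst_port in st.ports:
            return False                      # port already counted in this sequence
        st.ports.add(dst_port)
        st.weight += (self.low_port_weight if dst_port <= self.LOW_PORT_MAX
                      else self.high_port_weight)
        return st.weight >= self.weight_threshold


def scanners_in(packets, **psd):
    """Replay (timestamp, src, dst_port) records; return {src: ts_first_flagged}."""
    det = PortScanDetector(**psd)
    flagged = {}
    for ts, src, port in packets:
        if det.observe(ts, src, port) and src not in flagged:
            flagged[src] = ts
    return flagged


# Constructed sample traffic (not captured data), sorted by time.
SAMPLE = sorted(
    # a sequential scan of ten low ports, 0.1 s apart
    [(0.1 * i, "198.51.100.7", 20 + i) for i in range(10)]
    # a normal client: three web ports spread over ten seconds
    + [(1.0, "192.0.2.10", 80), (5.0, "192.0.2.10", 443), (11.0, "192.0.2.10", 8080)]
    # a slow scan: one new low port every 4 s, always outside the 3 s window
    + [(4.0 * i, "203.0.113.9", 1 + i) for i in range(20)]
    # a high-port sweep: 25 ports in a burst
    + [(50 + 0.05 * i, "198.51.100.8", 30000 + i) for i in range(25)],
    key=lambda p: p[0],
)

if __name__ == "__main__":
    for src, ts in scanners_in(SAMPLE).items():
        print(f"{src} flagged at t={ts:.2f}s")
```

With the page's psd=21,3s,3,1 the low-port scan is caught on its seventh packet (7 x 3 = 21) and the high-port sweep on its twenty-first, while the slow scan never accumulates because every gap exceeds 3 s; that is the trade-off the DelayThreshold sets, and why the list timeout, not psd, is what eventually catches patient scanners.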

Firewall for a MikroTik router

To protect a MikroTik router from virus traffic and excessive ping, the following firewall script can be used.
First create an address-list "ournetwork" containing the IP of the radio link, the LAN IP and the WAN IP, or any other trusted IP addresses.
In the example below the radio IP is 10.0.0.0/16, the LAN IP is 192.168.2.0/24, the WAN IP is 203.89.24.0/21 and the other trusted IP is 202.67.33.7.
To create the address-list you can use a script like the one below, adjusted to your own network configuration.
Write the following script in Notepad, then copy-paste it into the MikroTik console:
/ ip firewall address-list
add list=ournetwork address=203.89.24.0/21 comment="Datautama Network" disabled=no
add list=ournetwork address=10.0.0.0/16 comment="IP Radio" disabled=no
add list=ournetwork address=192.168.2.0/24 comment="LAN Network" disabled=no
Next, copy-paste the following script into the MikroTik console:
/ ip firewall filter
add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K (Bagle Virus)" disabled=no
add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y, better left disabled because the port is also often used for VPN or webmin" disabled=yes
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
add chain=input connection-state=established action=accept comment="Accept established connections" disabled=no
add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
add chain=input protocol=tcp dst-port=21 src-address-list=ournetwork action=accept comment="FTP" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ournetwork action=accept comment="SSH for secure shell" disabled=no
add chain=input protocol=tcp dst-port=23 src-address-list=ournetwork action=accept comment="Telnet" disabled=no
add chain=input protocol=tcp dst-port=80 src-address-list=ournetwork action=accept comment="Web" disabled=no
add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork action=accept comment="winbox" disabled=no
add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server" disabled=no
add chain=input src-address-list=ournetwork action=accept comment="From Datautama network" disabled=no
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
The effects of the script above are:
1. The MikroTik router can only be managed over FTP, SSH, Web and Winbox from the IPs defined in the address-list "ournetwork", so it cannot be reached from just anywhere. Two rules weaken this more than the list suggests: the rule commented "UDP" accepts every UDP packet to the router from any source, so any UDP service the router runs (DNS with allow-remote-requests=yes, SNMP, and so on) is open to the Internet; give it src-address-list=ournetwork or restrict it to the ports actually needed. And the rule "From Datautama network" accepts everything from ournetwork, so the per-port rules above it document the intent rather than restrict trusted hosts. FTP and Telnet carry credentials in cleartext; prefer SSH and Winbox and disable the others in /ip service.
2. Ports commonly used by viruses are blocked so that virus traffic cannot pass; note that if a user has trouble reaching a particular service, check in chain "virus" whether the port that user needs is blocked by the firewall.
3. Ping packets are rate-limited to avoid excessive ping.
Beyond that, it is best to create a new user with a password in the full group and then disable the admin user, to minimise the risk of your MikroTik being hacked.
Good luck
Source: friends at DutaUtama

Manipulating the ToS of ICMP and DNS on MikroTik

Goals:
• Reduce the ping delay from the client side towards the Internet.
• Speed up the resolving of hostnames to IP addresses.
Assumption: the clients are on subnet 10.10.10.0/28
1. Manipulate the Type of Service for ICMP packets:
> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes
> ip firewall mangle add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes
> ip firewall mangle add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay
2. Manipulate the Type of Service for DNS resolving:
> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
> ip firewall mangle add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes
> ip firewall mangle add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay
3. Add a queue type:
> queue type add name="PFIFO-64" kind=pfifo pfifo-limit=64
4. Allocate bandwidth for ICMP packets:
> queue tree add name=ICMP parent=INTERNET packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
5. Allocate bandwidth for DNS resolving:
> queue tree add name=DNS parent=INTERNET packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
6. Good luck!!

parent=INTERNET refers to a parent queue that must already exist (typically one attached to the Internet-facing interface). The latency gain comes from the priority-1 queues in steps 4 and 5, not from the ToS bits: upstream networks generally ignore ToS/DSCP, so change-tos only helps inside your own network. max-limit=16000 also caps the prioritised class, so a client flooding ICMP cannot starve the other queues.

Separating local and international bandwidth with MikroTik, version 3

Separating local and international bandwidth with MikroTik
Version 3
Changes from the previous version:
1. Mangle is done based on an address-list
2. The separation of Indonesian and overseas traffic is more accurate
The growth of local Internet content in Indonesia has opened new business opportunities in the Indonesian Internet industry. Many Internet Service Providers (ISPs) now offer packages with more local (IIX) bandwidth than international bandwidth, and in step with that more and more RT-RW Net (neighbourhood network) operators are able to offer Internet access that is affordable for their surroundings.

A common problem on RT-RW Net networks is bandwidth management. Operators usually find it hard to separate local from international traffic because an RT-RW Net generally only uses static routing, unlike an ISP, which can build a more complex network with the BGP routing protocol and therefore separate local and international traffic easily.

To separate local from international traffic, an RT-RW Net can simply use a PC router running the MikroTik operating system. MikroTik is essentially Linux packaged by its developers so that it is very easy to install and configure, with a great many features and functions. More about MikroTik can be found on its website at http://www.mikrotik.com or http://www.mikrotik.co.id

Below is the network scenario with MikroTik as the router.

Figure 1. Network scenario

Explanation:
1. A MikroTik router with two network interface cards (NICs), Ether1 and Ether3, where Ether1 is connected directly to the ISP and Ether3 is connected directly to the 192.168.2.0/24 network
2. Bandwidth from the ISP is, for example, 256 Kbps international and 1024 Kbps local IIX
3. Computer 192.168.2.4 will be allocated 128 Kbps international and 256 Kbps local IIX bandwidth

To separate local IIX traffic from international traffic, packets going to or coming from the local IIX network are marked with mangle. The question is: how can MikroTik tell whether a packet is going to or coming from the local IIX network?
The answer is to take the data from http://lg.mohonmaaf.com
Since http://lg.mohonmaaf.com is no longer active, the data can be taken from:
http://203.89.24.3/cgi-bin/lg.cgi
Choose Query, tick BGP and click Submit

Figure 2. Result of querying http://lg.mohonmaaf.com with the command "show ip bgp"

http://lg.mohonmaaf.com is a looking-glass facility for the local network operated by PT. IDC; thanks to Mr. Johar Alam for providing that service.
Save the query result as a text file and process it with a spreadsheet such as MS Excel to obtain all the network addresses that the BGP routers of Indonesian ISPs advertise to the BGP router of IDC, the National Inter Connection Exchange (NICE).
In version 2 of this document I entered the list of IP blocks directly into /ip firewall mangle; with that technique the list of IP blocks obtained from the NICE router had to be entered twice.
A better way is to put the list of IP blocks from the NICE router into /ip firewall address-list; then /ip firewall mangle needs only a few lines, and the separation of Indonesian and overseas traffic is more accurate because the mangle can be done purely on the address-list.
In more detail:
Next, create the following script to be imported by the MikroTik router:
/ ip firewall address-list
add list=nice address=58.65.240.0/23 comment="" disabled=no
add list=nice address=58.65.242.0/23 comment="" disabled=no
add list=nice address=58.65.244.0/23 comment="" disabled=no
add list=nice address=58.65.246.0/23 comment="" disabled=no
add list=nice address=58.145.174.0/24 comment="" disabled=no
add list=nice address=58.147.184.0/24 comment="" disabled=no
add list=nice address=58.147.185.0/24 comment="" disabled=no
etc...
The script above can be obtained from the following URL:
http://www.datautama.net.id/harijanto/mikrotik/datautama-nice.php
That URL queries the NICE router at http://lg.mohonmaaf.com online.
NOTE:
Since lg.mohonmaaf.com cannot be reached, the list of local IPs can be taken from
http://ixp.mikrotik.co.id/download/nice.rsc
or from http://www.datautama.net.id/harijanto/mikrotik/datautama-nice.php
whose data comes from the DatautamaNet looking glass.

Copy the output of the URL above and paste it into MikroTik through an SSH session opened with putty.exe to the router's IP: after copying the text produced by the URL, right-click in the PuTTY SSH window that is connected to the router. This is a little impractical, but turning the script into a .rsc file turns out to be a problem because some of the IP blocks overlap, for example:
\... add address=222.124.64.0/23 list="nice"
[datautama@router-01-jkt] > /ip firewall address-list \
\... add address=222.124.64.0/21 list="nice"
address ranges may not overlap
Here 222.124.64.0/21 is a supernet of 222.124.64.0/23, i.e. the two IP blocks overlap, so an import from a .rsc file always stops when it hits a situation like this.
So far I have not found a practical way to deal with this.
If we could build the address-list from the BGP prefix table running on the MikroTik itself, we would get a more complete address-list.
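As an added example (not part of the original article), the overlap problem can be removed before the list ever reaches the router: the Python script below pulls the prefixes out of a constructed looking-glass dump, collapses prefixes already covered by a supernet (and merges adjacent ones), and renders the address-list commands. The sample text and its column layout are assumptions; only the network column is read.

```python
"""De-duplicate a BGP prefix dump before turning it into a RouterOS address-list.
Added example, not the article's script: it uses the standard ipaddress module
to drop prefixes covered by a supernet, the case that stopped the .rsc import
with 'address ranges may not overlap'."""
import ipaddress
import re

# Constructed sample in the style of "show ip bgp" output (not real looking-glass
# data). It contains the /23-under-/21 overlap from the article and a duplicate row.
SAMPLE_BGP = """\
   Network            Next Hop     Metric  Path
*> 58.65.240.0/23     10.0.0.1     0       65001 i
*> 58.65.242.0/23     10.0.0.1     0       65001 i
*> 58.145.174.0/24    10.0.0.2     0       65002 i
*> 222.124.64.0/23    10.0.0.3     0       65003 i
*> 222.124.64.0/21    10.0.0.3     0       65003 i
*> 222.124.64.0/21    10.0.0.4     0       65004 i
"""

_PREFIX_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def extract_prefixes(text):
    """Return the set of syntactically valid IPv4 prefixes found in the text.
    strict=True rejects entries with host bits set (e.g. 10.0.0.1/24) instead of
    silently widening them, which would put the wrong range in the list."""
    found = set()
    for m in _PREFIX_RE.finditer(text):
        try:
            found.add(ipaddress.ip_network(m.group(1), strict=True))
        except ValueError:
            continue
    return found


def collapse(prefixes):
    """Remove prefixes contained in another prefix and merge adjacent ones,
    so that no two entries overlap."""
    return list(ipaddress.collapse_addresses(prefixes))


def to_address_list(prefixes, list_name="nice"):
    """Render non-overlapping prefixes as RouterOS address-list commands."""
    lines = ["/ip firewall address-list"]
    for net in sorted(prefixes):
        lines.append(f'add list={list_name} address={net} comment="" disabled=no')
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_address_list(collapse(extract_prefixes(SAMPLE_BGP))))
```

Run it over the saved "show ip bgp" text and import the result: the collapsed list has no overlapping rows, so the .rsc import no longer stops. Merging adjacent blocks (58.65.240.0/23 and 58.65.242.0/23 become 58.65.240.0/22) does not change which addresses the list matches, it only makes the list shorter.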

Next, configure /ip firewall mangle as follows:
/ ip firewall mangle
add chain=forward src-address-list=!nice action=mark-connection new-connection-mark=mark-con-overseas passthrough=yes comment="mark all overseas source connection traffic" disabled=no
add chain=forward dst-address-list=!nice action=mark-connection new-connection-mark=mark-con-overseas passthrough=yes comment="mark all overseas destination connection traffic" disabled=no
add chain=forward src-address-list=nice action=mark-connection new-connection-mark=mark-con-indonesia passthrough=yes comment="mark all indonesia source connection traffic" disabled=no
add chain=forward dst-address-list=nice action=mark-connection new-connection-mark=mark-con-indonesia passthrough=yes comment="mark all indonesia destination connection traffic" disabled=no
add chain=prerouting connection-mark=mark-con-indonesia action=mark-packet new-packet-mark=indonesia passthrough=yes comment="mark all indonesia traffic" disabled=no
add chain=prerouting connection-mark=mark-con-overseas action=mark-packet new-packet-mark=overseas passthrough=yes comment="mark all overseas traffic" disabled=no
Rule order matters here: with passthrough=yes the last matching mark-connection rule wins, and on a NATed LAN the 192.168.2.x end of every connection is never in the nice list, so if the two !nice rules came after the two nice rules every connection would end up marked overseas. With the overseas rules first, a connection whose other end is in nice is re-marked indonesia by the two rules that follow, and everything else keeps the overseas mark.
The next step is to manage the bandwidth with simple queues. To give the computer with IP 192.168.2.4 128 Kbps international and 256 Kbps local IIX bandwidth, use a script like the following:
/ queue simple
add name="harijant-indonesia" target-addresses=192.168.2.4/32 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=indonesia direction=both priority=8 queue=default/default limit-at=0/0 max-limit=256000/256000 total-queue=default disabled=no
add name="harijanto-overseas" target-addresses=192.168.2.4/32 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=overseas direction=both priority=8 queue=default/default limit-at=0/0 max-limit=128000/128000 total-queue=default disabled=no
The script above means that only the computer with IP 192.168.2.4 has its bandwidth limited, to 128 Kbps international (overseas) and 256 Kbps local IIX (indonesia); the others are not limited.
The result of the script is as follows:

Figure 3. Simple queue for computer 192.168.2.4
Thus computer 192.168.2.4 can only download or upload at 128 Kbps international and 256 Kbps local IIX.
To test it, a bandwidth meter can be used:


Figure 4. Bandwidth meter result from computer 192.168.2.4 to the local ISP


Figure 5. Bandwidth meter result to an international ISP
So MikroTik has successfully managed international and local IIX bandwidth usage for computer 192.168.2.4 as expected.
In this version 3 the marking of "overseas" traffic is more accurate because it uses the address-list, where src-address-list=!nice means source address "not in nice" and dst-address-list=!nice means destination address "not in nice".
Thus "overseas" traffic cannot be misidentified; in version 2 "overseas" traffic could be misidentified because it was defined as follows:
add connection-mark=mark-con-indonesia action=mark-packet new-packet-mark=indonesia chain=prerouting comment="mark indonesia"
add packet-mark=!indonesia action=mark-packet new-packet-mark=overseas chain=prerouting comment="mark all overseas traffic"
packet-mark=!indonesia means "packet mark is not indonesia", but "not an Indonesian packet" could be any other packet that was already marked earlier, which can lead to misidentification.
The technique above was tested on a MikroTik router running NAT; if the router does not run NAT, try changing chain=prerouting to chain=forward.
More on bandwidth management in MikroTik can be found in the MikroTik manual, which can be downloaded from
http://www.mikrotik.com/docs/ros/2.9/RouterOS_Reference_Manual_v2.9.pdf
The script above works on MikroTik version 2.9.27; earlier MikroTik versions may have different commands.

Reference:
* http://www.mikrotik.com
* http://www.mikrotik.co.id
* http://wiki.mikrotik.com