Setting mikrotik ditambah proksi eksternal



Source:
www.wirelessrouterproxy.blogspot.com

Untuk uji coba, silakan download file berikut, import ke mikrotik, kemudian lakukan restore.
https://drive.google.com/file/d/0B5Acwv0xYYV7Y2lCVVRDZUIzMmM/edit?usp=sharing

Untuk port ethernet dan address dapat disesuaikan seperlunya.
ether port 1 : "public" 192.168.1.2/24 gateway: 192.168.1.1 (modem)
ether port 2 : "local" 192.168.100.1/24 gateway: 192.168.100.254 (LAN)
ether port 3 : "proxy" 192.168.200.1/24 gateway: 192.168.200.254 (proksi eksternal)

1. Set jam supaya tetap dan tidak berubah
# 1. Keep the router clock synchronised so log timestamps and scheduled jobs
# are meaningful. Plain NTP carries no authentication; the two servers are
# fixed addresses that must be reachable through the public side.
/system ntp client
set mode=unicast enabled=yes secondary-ntp=202.169.224.16 primary-ntp=152.118.24.8

2. System note (identitas saat buka terminal)
# 2. Banner printed at terminal login to identify the owner of this box.
# It is shown to anyone who reaches a login prompt, so it holds only a
# contact address and nothing sensitive.
/system note
set show-at-login=yes note="jaya2na@gmail.com"

3. Set interface ethernet
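# 3. Rename the first three interfaces (list positions 0, 1, 2) to the roles
# used everywhere else in this script: public (modem side), local (LAN),
# proxy (segment of the external squid box).
# One plain command per line: the original chained them with a trailing
# backslash followed by ";" on the next line, which mixes line continuation
# with command separation and is easy to break when editing.
# NOTE(review): numeric item ids follow the interface order on this unit —
# check with "/interface print" before running on different hardware.
/interface set 0 name=public
/interface set 1 name=local
/interface set 2 name=proxy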

4. Set address (sesuaikan dengan kondisi)
# 4. Router addresses, one per interface (adjust to the real topology).
# The router is .2 on the public side and .254 on the local and proxy
# segments; the external proxy itself is expected at 192.168.200.1, the
# address the dst-nat rule in step 5 redirects to.
/ip address
add interface=public network=192.168.1.0 address=192.168.1.2/24 disabled=no
add interface=local network=192.168.100.0 address=192.168.100.254/24 disabled=no
add interface=proxy network=192.168.200.0 address=192.168.200.254/24 disabled=no

5. Set NAT buat proksi dan masquerade lokal
# 5. Transparent proxy redirect plus masquerade for everything leaving "public".
# TCP port 80 arriving on "local" (and not sourced from the proxy subnet) is
# rewritten to the external proxy at 192.168.200.1:3128. Everything that goes
# out through "public" is source-NATed to the router's public address.
# Only plain HTTP (tcp/80) is redirected; HTTPS and any other port reach the
# Internet directly without passing the proxy.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 in-interface=local src-address=!192.168.200.0/24 \
    to-addresses=192.168.200.1 to-ports=3128 comment=PROXY disabled=no
add chain=srcnat action=masquerade out-interface=public comment=MASQUERADE disabled=no

6. Set layer7-protocol untuk limit ekstensi
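# 6. Layer-7 matchers used by the mangle rules (step 8) to classify downloads.
# They inspect the payload, so they only ever see plaintext HTTP; traffic
# inside TLS (HTTPS) is never classified by these patterns.
# Fixes relative to the original patterns:
#   - 3.Video: "mp*g" matched "mg", "mpg", "mppg", ...; "mpe?g" matches
#     exactly mpg and mpeg, which is what the list evidently means.
#   - 2.Compressed: "0*" can match the empty string, so the alternation
#     matched any GET whose URL contains a dot and every such download was
#     marked as a compressed file. "0[0-9]+" keeps the apparent intent of
#     numbered split volumes (.001, .002, ...) — confirm against real traffic.
# NOTE(review): whether "get" also matches the uppercase "GET" method depends
# on the matcher being case-insensitive on this RouterOS version — verify.
/ip firewall layer7-protocol
add name="6.Youtube download" regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"
add name="7.Youtube streaming" regexp="^.+(youtube.com|googlevideo.com).*\$"
add name=5.Bokep regexp="^.+(porn|porno|bokep|bugil|ngentot|telanjang).*\$"
add name=3.Video regexp="^.*get.+\\.(mkv|mpe?g|wmv|flv|mp4|3gp|mov|avi).*\$"
add name=4.Music regexp="^.*get.+\\.(mp3|wav|ogg).*\$"
add name=2.Compressed regexp="^.*get.+\\.(iso|img|rar|7z|0[0-9]+).*\$"
add name=1.Executable regexp="^.*get.+\\.(exe|msi).*\$"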

7. Set ip firewall filter untuk drop virus, limit ip, dll
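# 7. Packet filter. Rules are evaluated top-down within each chain, so order
# matters. Exact duplicates present in the original (a second tcp/2745 drop in
# "virus"; second tcp/23, tcp/80 and tcp/1723 accepts in "input") are removed:
# the first copy always matched first, so the copies could never fire.
#
# NOTE(review): "input" has no connection-state=established,related accept and
# no terminating drop. RouterOS accepts a packet that reaches the end of a
# chain, so every accept below merely short-circuits evaluation and protects
# nothing by itself; the only things actually refused on "input" are invalid
# packets and ICMP above the rate limit. The DDOS and "port scanners" lists
# are filled but no rule drops from them, so the detection has no effect. The
# management accepts (tcp/21 ftp, 22 ssh, 23 telnet, 80 http, 8291 winbox,
# 1723 pptp) carry no in-interface restriction, and ftp/telnet/http are
# plaintext. If a final drop is ever added, the established,related accept
# must go in first, or existing sessions (including the one adding the rule)
# are cut.
/ip firewall filter
# Winbox accepted from any interface; the rule comment is misleading — this
# rule drops nothing.
add action=accept chain=input comment="FILTER DROP VIRUS" disabled=no dst-port=8291 protocol=tcp
add action=drop chain=forward connection-state=invalid disabled=no
# "virus" chain: SMB and other ports associated with old worms/backdoors,
# entered from "forward" through the jump rule after this list.
add action=drop chain=virus disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus disabled=no dst-port=445 protocol=udp
add action=drop chain=virus disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus disabled=no dst-port=3127 protocol=tcp
add action=drop chain=virus disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus disabled=no dst-port=65506 protocol=tcp
add action=jump chain=forward disabled=no jump-target=virus
add action=drop chain=input connection-state=invalid disabled=no
# Every UDP packet addressed to the router itself is accepted, from any side.
add action=accept chain=input disabled=no protocol=udp
# ICMP to the router: 50 packets per 5 s with a burst of 2, the rest dropped.
add action=accept chain=input disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input disabled=no protocol=icmp
# Management services (see the note at the top about their reach).
add action=accept chain=input disabled=no dst-port=21 protocol=tcp
add action=accept chain=input disabled=no dst-port=22 protocol=tcp
add action=accept chain=input disabled=no dst-port=23 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
# Knock-style rules: both add the source to DDOS (15 s, then 15 min), but the
# "knock" list the second rule requires is never populated, so the 7331 rule
# cannot match, and nothing consumes DDOS — presumably an unfinished sequence;
# confirm the intended design before relying on it.
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15s chain=input disabled=no dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15m chain=input disabled=no dst-port=7331 protocol=tcp src-address-list=knock
# Scanner heuristics: psd and unusual TCP-flag combinations put the source in
# "port scanners" for two weeks. For the list to have any effect, a
# "chain=input action=drop src-address-list=\"port scanners\"" rule is needed
# near the top of the chain.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=no protocol=tcp \
    psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
# "ANTI NETCUT": blanket accepts (dst-port=0-65535 is every port) for fixed
# external ranges. With no terminating drop they add nothing; they only start
# to matter once a final drop exists, and then they whitelist those ranges
# entirely.
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=61.213.183.1-61.213.183.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=67.195.134.1-67.195.134.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=68.142.233.1-68.142.233.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=68.180.217.1-68.180.217.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=203.84.204.1-203.84.204.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.176.1-69.63.176.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.181.1-69.63.181.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.213.1-63.245.213.254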

8. Set Mangle
# 8. Mangle. Connection marks are set first (passthrough=yes, so later rules
# still see the packet); the packet marks consumed by the queue tree in step
# 10 are set with passthrough=no, which ends mangle processing for that
# packet. The chain a mark is set in (prerouting/forward/postrouting) decides
# which queue parents (global-out vs. a named interface) can use it.
/ip firewall mangle
# Packets carrying DSCP 12 — presumably set by the squid box to flag cache
# hits — get SquidProxyHit_mark, which the "1.PROXY HIT" queue leaves
# effectively unlimited.
# NOTE(review): DSCP is chosen by whoever sent the packet, and this rule
# matches every postrouting packet, not only those from the proxy interface;
# unless upstream DSCP is known to be cleared, restrict it (for example with
# in-interface=proxy or src-address=192.168.200.0/24) — confirm.
add action=mark-packet chain=postrouting comment="SQUID PROXY HIT" disabled=no dscp=12 new-packet-mark=SquidProxyHit_mark passthrough=no
# ICMP and DNS (tcp/udp 53): connection mark, DSCP rewritten to 1, then the
# packet mark. Both feed the priority-1 "7.PING" queues in step 10.
add action=mark-connection chain=prerouting comment=ICMP disabled=no new-connection-mark=ICMP_conn passthrough=yes protocol=icmp
add action=change-dscp chain=prerouting connection-mark=ICMP_conn disabled=no new-dscp=1 passthrough=yes
add action=mark-packet chain=prerouting connection-mark=ICMP_conn disabled=no new-packet-mark=ICMP_mark passthrough=no
add action=mark-connection chain=prerouting comment=DNS disabled=no dst-port=53 new-connection-mark=DNS_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=53 new-connection-mark=DNS_conn passthrough=yes protocol=udp
add action=change-dscp chain=prerouting connection-mark=DNS_conn disabled=no new-dscp=1 passthrough=yes
add action=mark-packet chain=prerouting connection-mark=DNS_conn disabled=no new-packet-mark=DNS_mark passthrough=no
# Online games identified by destination port (Point Blank, Atlantica, Lost
# Saga, Modoo Marble, Ayodance) share GameOnline_conn; Facebook game ports
# get GameFacebook_conn. Port lists are as the author gave them and are
# likely to drift over time.
add action=mark-connection chain=prerouting comment=POINTBLANK disabled=no dst-port=39190,14009 new-connection-mark=GameOnline_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=40000-40010 new-connection-mark=GameOnline_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=ATLANTICA disabled=no dst-port=4300 new-connection-mark=GameOnline_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="LOST SAGA" disabled=no dst-port=14009,14010 new-connection-mark=GameOnline_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=14009-14026 new-connection-mark=GameOnline_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="MODOO MARBLE" disabled=no dst-port=28901-28925 new-connection-mark=GameOnline_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=AYODANCE disabled=no dst-port=18901-18909 new-connection-mark=GameOnline_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="GAME FACEBOOK" disabled=no dst-port=8890,9339,843,8001,8012,8000 new-connection-mark=GameFacebook_conn passthrough=yes \
    protocol=tcp
# Packet marks for the two game classes.
add action=mark-packet chain=prerouting comment="MARK PACKET GO" connection-mark=GameOnline_conn disabled=no new-packet-mark=GameOnline_mark passthrough=no
add action=mark-packet chain=prerouting comment="MARK PACKET GF" connection-mark=GameFacebook_conn disabled=no new-packet-mark=GameFacebook_mark passthrough=no
# "DLL": tcp/1935 (commonly RTMP streaming); what the label stands for is not
# given on the page. Packet mark set in "forward".
add action=mark-connection chain=prerouting comment=DLL disabled=no dst-port=1935 new-connection-mark=DLL_conn passthrough=yes protocol=tcp 
add action=mark-packet chain=forward connection-mark=DLL_conn disabled=no new-packet-mark=DLL_mark passthrough=no
# HTTPS (tcp/443), marked in postrouting; used by "B.HTTPS" under "4.ALL DOWN".
add action=mark-connection chain=postrouting comment=HTTPS disabled=no dst-port=443 new-connection-mark=HTTPS_conn passthrough=yes protocol=tcp 
add action=mark-packet chain=postrouting connection-mark=HTTPS_conn disabled=no new-packet-mark=HTTPS_mark passthrough=no
# Downloads classified by the layer-7 patterns of step 6, marked in "forward".
# These see plaintext HTTP only; HTTPS downloads fall through to other marks.
add action=mark-connection chain=forward comment="1.EXECUTABLE FILE" disabled=no layer7-protocol=1.Executable new-connection-mark=ExecutableFile_conn passthrough=yes
add action=mark-packet chain=forward connection-mark=ExecutableFile_conn disabled=no new-packet-mark=ExecutableFile_mark passthrough=no
add action=mark-connection chain=forward comment="2.COMPRESSED FILE" disabled=no layer7-protocol=2.Compressed new-connection-mark=CompressedFile_conn passthrough=yes
add action=mark-packet chain=forward connection-mark=CompressedFile_conn disabled=no new-packet-mark=CompressedFile_mark passthrough=no
add action=mark-connection chain=forward comment="3.VIDEO FILE" disabled=no layer7-protocol=3.Video new-connection-mark=VideoFile_conn passthrough=yes
add action=mark-packet chain=forward connection-mark=VideoFile_conn disabled=no new-packet-mark=VideoFile_mark passthrough=no
add action=mark-connection chain=forward comment="4.MUSIC FILE" disabled=no layer7-protocol=4.Music new-connection-mark=MusicFile_conn passthrough=yes
add action=mark-packet chain=forward connection-mark=MusicFile_conn disabled=no new-packet-mark=MusicFile_mark passthrough=no
add action=mark-connection chain=forward comment="5.BOKEP SITE" disabled=no layer7-protocol=5.Bokep new-connection-mark=BokepSite_conn passthrough=yes
add action=mark-packet chain=forward connection-mark=BokepSite_conn disabled=no new-packet-mark=BokepSite_mark passthrough=no
add action=mark-connection chain=forward comment="6.YT DOWNLOAD" disabled=no layer7-protocol="6.Youtube download" new-connection-mark=YtDown_conn passthrough=yes
add action=mark-packet chain=forward connection-mark=YtDown_conn disabled=no new-packet-mark=YtDown_mark passthrough=no
# YouTube streaming, marked in prerouting (unlike the other layer-7 classes).
add action=mark-connection chain=prerouting comment="7.YT STREAM" disabled=no layer7-protocol="7.Youtube streaming" new-connection-mark=YtStream_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=YtStream_conn disabled=no new-packet-mark=YtStream_mark passthrough=no
# HTTP fetched by the proxy: the connection is marked when it enters on the
# proxy interface; in postrouting, packets headed back into the proxy subnet
# are the download side (HTTPDown_mark) and packets leaving it the upload
# side (HTTPUP_mark).
add action=mark-connection chain=prerouting comment=HTTP disabled=no dst-port=80 in-interface=proxy new-connection-mark=HTTP_conn passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting connection-mark=HTTP_conn disabled=no dst-address=192.168.200.0/24 new-packet-mark=HTTPDown_mark passthrough=no
add action=mark-packet chain=postrouting connection-mark=HTTP_conn disabled=no new-packet-mark=HTTPUP_mark passthrough=no src-address=192.168.200.0/24

9. Set queue type
# 9. Queue types used as leaves of the queue tree (step 10). All pcq entries
# share the same settings — no burst, 50 packets per flow, 3000 packets in
# total, /32 (/128) host masks — and differ only in the classifier (what
# counts as one flow) and in pcq-rate (0 = no per-flow cap, 100k = per-flow
# ceiling for games and YouTube).
/queue type
add name=1.UP kind=pcq pcq-classifier=src-address,src-port pcq-rate=0 \
    pcq-limit=50 pcq-total-limit=3000 pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-src-address-mask=32 pcq-dst-address-mask=32 pcq-src-address6-mask=128 pcq-dst-address6-mask=128
add name=2.DOWN kind=pcq pcq-classifier=dst-address,dst-port pcq-rate=0 \
    pcq-limit=50 pcq-total-limit=3000 pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-src-address-mask=32 pcq-dst-address-mask=32 pcq-src-address6-mask=128 pcq-dst-address6-mask=128
add name=3.DOWN_GO kind=pcq pcq-classifier=dst-address,dst-port pcq-rate=100k \
    pcq-limit=50 pcq-total-limit=3000 pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-src-address-mask=32 pcq-dst-address-mask=32 pcq-src-address6-mask=128 pcq-dst-address6-mask=128
add name=4.PROXY_DOWN kind=pcq pcq-classifier=src-address,dst-address,src-port,dst-port pcq-rate=0 \
    pcq-limit=50 pcq-total-limit=3000 pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-src-address-mask=32 pcq-dst-address-mask=32 pcq-src-address6-mask=128 pcq-dst-address6-mask=128
add name=5.HTTPS kind=pcq pcq-classifier=src-address,dst-address,src-port,dst-port pcq-rate=0 \
    pcq-limit=50 pcq-total-limit=3000 pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-src-address-mask=32 pcq-dst-address-mask=32 pcq-src-address6-mask=128 pcq-dst-address6-mask=128
add name=6.DLL kind=pcq pcq-classifier=src-address,dst-address,src-port,dst-port pcq-rate=0 \
    pcq-limit=50 pcq-total-limit=3000 pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-src-address-mask=32 pcq-dst-address-mask=32 pcq-src-address6-mask=128 pcq-dst-address6-mask=128
# Plain 64-packet FIFO for the ICMP/DNS queues.
add name=7.PING kind=pfifo pfifo-limit=64
add name=8.DOWN_YT kind=pcq pcq-classifier=dst-address,dst-port pcq-rate=100k \
    pcq-limit=50 pcq-total-limit=3000 pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-src-address-mask=32 pcq-dst-address-mask=32 pcq-src-address6-mask=128 pcq-dst-address6-mask=128

10. Langkah terakhir, set queue tree-nya. Silakan edit seperlunya
# 10. Queue tree. A child can only be added once its parent exists, so the
# order below matters: "4.ALL DOWN", "C.LIMIT EXTENTION", "6.YOUTUBE" and
# "3.GAME" are containers (packet-mark="") referenced by later entries.
# max-limit=0 means no ceiling of its own: the leaf is bounded by its parent.
# priority runs 1 (served first) to 8. Names are kept as the author spelled
# them ("EXTENTION", "EXECUTABEL"); they are labels only, but a rename must be
# applied to every parent= reference in this block at the same time.
/queue tree
# Download side on global-out: 3M in total, 2200k of it for the classified
# file types, 500k-1500k of that for YouTube.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=3M name="4.ALL DOWN" packet-mark="" parent=global-out priority=4
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2200k name="C.LIMIT EXTENTION" packet-mark="" parent="4.ALL DOWN" priority=5
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500k max-limit=1500k name=6.YOUTUBE packet-mark="" parent="C.LIMIT EXTENTION" priority=5
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="5.BOKEP SITE" packet-mark=BokepSite_mark parent="C.LIMIT EXTENTION" priority=6 \
    queue=2.DOWN
# Game container at priority 2, directly under global-out (not under the 3M
# download cap).
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=3.GAME packet-mark="" parent=global-out priority=2
# HTTP fetched through the proxy: 500k-1500k download, 300k upload.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500k max-limit=1500k name=A.BROWSING packet-mark=HTTPDown_mark parent="4.ALL DOWN" priority=4 queue=\
    2.DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=300k name="2.BROWSING UPLOAD" packet-mark=HTTPUP_mark parent=global-out priority=4 \
    queue=1.UP
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="YOUTUBE STREAMING" packet-mark=YtStream_mark parent=6.YOUTUBE priority=5 queue=\
    8.DOWN_YT
# Layer-7 classified downloads, all priority 6 under the 2200k container.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="1.EXECUTABEL FILE" packet-mark=ExecutableFile_mark parent="C.LIMIT EXTENTION" \
    priority=6 queue=2.DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="4.MUSIC FILE" packet-mark=MusicFile_mark parent="C.LIMIT EXTENTION" priority=6 \
    queue=2.DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="3.VIDEO FILE" packet-mark=VideoFile_mark parent="C.LIMIT EXTENTION" priority=6 \
    queue=2.DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="2.COMPRESSED FILE" packet-mark=CompressedFile_mark parent="C.LIMIT EXTENTION" \
    priority=6 queue=2.DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="YOUTUBE DOWNLOAD" packet-mark=YtDown_mark parent=6.YOUTUBE priority=5 queue=\
    8.DOWN_YT
# Proxy cache hits leave through the "local" interface with an 80M ceiling,
# far above the 3M applied to the download tree — this is what makes hits
# fast. It relies entirely on the DSCP-12 mangle rule in step 8 being fed
# only by the proxy (see the note there).
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=80M max-limit=80M name="1.PROXY HIT" packet-mark=SquidProxyHit_mark parent=local priority=2 queue=\
    4.PROXY_DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="A.GAME ONLINE" packet-mark=GameOnline_mark parent=3.GAME priority=2 queue=\
    3.DOWN_GO
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=1M name="B.GAME FACEBOOK" packet-mark=GameFacebook_mark parent=3.GAME priority=4 queue=\
    2.DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500k max-limit=1500k name=B.HTTPS packet-mark=HTTPS_mark parent="4.ALL DOWN" priority=4 queue=\
    4.PROXY_DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=1M name=D.DLL packet-mark=DLL_mark parent="4.ALL DOWN" priority=8 queue=4.PROXY_DOWN
# ICMP and DNS at priority 1, once on global-out and once on the public
# interface.
# NOTE(review): the same packet marks feed two parents; which queue a given
# packet is counted in depends on the RouterOS version's queue semantics —
# confirm on this unit.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=100M max-limit=100M name=5.ICMP packet-mark=ICMP_mark parent=global-out priority=1 queue=7.PING
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=100M max-limit=100M name=7.DNS packet-mark=DNS_mark parent=global-out priority=1 queue=7.PING
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=100M max-limit=100M name=6.ICMP packet-mark=ICMP_mark parent=public priority=1 queue=7.PING
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=100M max-limit=100M name=8.DNS packet-mark=DNS_mark parent=public priority=1 queue=7.PING