27 September 2012

Load Balancing 5 WAN dengan Failover

Load Balancing 5 WAN dengan Failover

Menggunakan router board mikrotik RB493 dengan 5 interface WAN untuk koneksi ke internet menggunakan speedy. Semua modem speedy diset router. Pemodelan koneksi adalah sbb:
  • Load Balancing menggunakan NTH untuk trafik browsing (tcp port 80) dan PCC untuk trafik non browsing.
  • Koneksi ke speedy dianggap tidak stabil dan perlu dibuat fail over sehingga jika salah satu speedy putus maka Load Balancing PCC dan NTH masih berjalan.
  • Koneksi internet user (clients) ke tcp port 80 (browsing) akan dilewatkan server proxy.
  • Koneksi internet server proxy akan melalui Load Balancing NTH.
  • Koneksi internet user (clients) selain browsing di atas akan melalui Load Balancing PCC.
Topologi RB493 + 5 WAN + 1 Proxy
Topologi Load Balancing 5 WAN Speedy

# Physical port roles on the RB493. The interface *names* set here (lan, proxy,
# wan1..wan5) are what the firewall, mangle, NAT and the deadgwdetection script
# ("wan$x") key on - renaming a port silently breaks all of them.
#   ether1 (lan)   - client LAN, router address 192.168.0.254
#   ether2 (proxy) - point-to-point link to the external Squid host
#   ether3..ether7 (wan1..wan5) - one Speedy ADSL modem each, modem in router mode
#   ether8/ether9  - unused in this 5-WAN build (wan6/wan7 in the 7-WAN variant
#                    described further down the page)
# NOTE(review): MAC addresses are redacted in this listing; ether8 shows the same
# last octet (:95) as wan5. Verify the real MACs are distinct before applying.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment=eth1 disabled=no full-duplex=\
    yes l2mtu=1526 mac-address=00:XX:XX:XX:XX:8F mtu=1500 name=lan speed=\
    100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    eth2 disabled=no full-duplex=yes l2mtu=1522 mac-address=00:XX:XX:XX:XX:90 \
    master-port=none mtu=1500 name=proxy speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    eth3 disabled=no full-duplex=yes l2mtu=1522 mac-address=00:XX:XX:XX:XX:91 \
    master-port=none mtu=1500 name=wan1 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    eth4 disabled=no full-duplex=yes l2mtu=1522 mac-address=00:XX:XX:XX:XX:92 \
    master-port=none mtu=1500 name=wan2 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    eth5 disabled=no full-duplex=yes l2mtu=1522 mac-address=00:XX:XX:XX:XX:93 \
    master-port=none mtu=1500 name=wan3 speed=100Mbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    eth6 disabled=no full-duplex=yes l2mtu=1522 mac-address=00:XX:XX:XX:XX:94 \
    master-port=none mtu=1500 name=wan4 speed=100Mbps
set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    eth7 disabled=no full-duplex=yes l2mtu=1522 mac-address=00:XX:XX:XX:XX:95 \
    master-port=none mtu=1500 name=wan5 speed=100Mbps
set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    eth8 disabled=no full-duplex=yes l2mtu=1522 mac-address=00:XX:XX:XX:XX:95 \
    master-port=none mtu=1500 name=ether8 speed=100Mbps
set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    eth9 disabled=no full-duplex=yes l2mtu=1522 mac-address=00:XX:XX:XX:XX:97 \
    master-port=none mtu=1500 name=ether9 speed=100Mbps

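# Interface addressing. Each WAN port is its own /24 with the Speedy modem at .1
# and the router at .3; the LAN gateway is 192.168.0.254; the proxy link is
# 192.168.100.0/24 with the router at .2 and the Squid host at .1.
# Fix: the menu path is "/ip address" - "/ip adress" is not a valid RouterOS
# path, so the whole section would fail on import.
/ip address
add address=192.168.0.254/24 broadcast=192.168.0.255 comment="" disabled=no \
    interface=lan network=192.168.0.0
add address=192.168.100.2/24 broadcast=192.168.100.255 comment="" disabled=no \
    interface=proxy network=192.168.100.0
add address=192.168.1.3/24 broadcast=192.168.1.255 comment="" disabled=no \
    interface=wan1 network=192.168.1.0
add address=192.168.2.3/24 broadcast=192.168.2.255 comment="" disabled=no \
    interface=wan2 network=192.168.2.0
add address=192.168.3.3/24 broadcast=192.168.3.255 comment="" disabled=no \
    interface=wan3 network=192.168.3.0
add address=192.168.4.3/24 broadcast=192.168.4.255 comment="" disabled=no \
    interface=wan4 network=192.168.4.0
add address=192.168.5.3/24 broadcast=192.168.5.255 comment="" disabled=no \
    interface=wan5 network=192.168.5.0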

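# NOTE(review): this section is a verbatim repeat of the "/ip address" section
# immediately above it (most likely a copy-paste artifact of the page). Import
# it once; a second import only produces "already have such address" errors.
# Fix: "/ip adress" corrected to "/ip address".
/ip address
add address=192.168.0.254/24 broadcast=192.168.0.255 comment="" disabled=no \
    interface=lan network=192.168.0.0
add address=192.168.100.2/24 broadcast=192.168.100.255 comment="" disabled=no \
    interface=proxy network=192.168.100.0
add address=192.168.1.3/24 broadcast=192.168.1.255 comment="" disabled=no \
    interface=wan1 network=192.168.1.0
add address=192.168.2.3/24 broadcast=192.168.2.255 comment="" disabled=no \
    interface=wan2 network=192.168.2.0
add address=192.168.3.3/24 broadcast=192.168.3.255 comment="" disabled=no \
    interface=wan3 network=192.168.3.0
add address=192.168.4.3/24 broadcast=192.168.4.255 comment="" disabled=no \
    interface=wan4 network=192.168.4.0
add address=192.168.5.3/24 broadcast=192.168.5.255 comment="" disabled=no \
    interface=wan5 network=192.168.5.0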

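# Routing. Three groups:
#  1. One default route per routing-mark (wan1..wan5). The LB_PCC / LB_NTH
#     mangle rules assign the mark, so a connection stays on the WAN it was
#     given. These routes have no check-gateway: a connection marked for a WAN
#     whose DSL line has dropped is black-holed until deadgwdetection notices
#     (it runs every 2 minutes) and stops generating that mark.
#  2. One /32 host route per probe address, pinned to one modem. The
#     deadgwdetection script pings these addresses without binding to an
#     interface, so this pinning is what turns the ping into a test of one
#     specific line. The pin applies to every packet for those five addresses,
#     client traffic included.
#  3. The ECMP default route "LB Router" for traffic without a routing mark
#     (the router's own traffic, and anything the mangle rules skip). It is
#     rewritten by deadgwdetection with only the live gateways.
#     check-gateway=ping probes the modem's LAN address (192.168.x.1), which
#     keeps answering while the DSL line behind it is down - that is why the
#     script exists at all.
# Fix: the "LB Router" entry lacked the line-continuation backslash after the
# gateway list, so "scope=255 target-scope=10" was parsed as a separate,
# invalid command on import.
/ip route
add comment=wan1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 routing-mark=wan1 scope=255 target-scope=10
add comment=wan2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.2.1 routing-mark=wan2 scope=255 target-scope=10
add comment=wan3 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.3.1 routing-mark=wan3 scope=255 target-scope=10
add comment=wan4 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.4.1 routing-mark=wan4 scope=255 target-scope=10
add comment=wan5 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.5.1 routing-mark=wan5 scope=255 target-scope=10
# Probe targets (third-party nameservers); the order matches the "ips" list in
# the param script. If a target is retired or starts rate-limiting ICMP, the
# WAN pinned to it is reported down even though the line is fine.
add comment=nssby.telkom.net.id disabled=no distance=1 dst-address=\
    202.134.1.10/32 gateway=192.168.1.1 scope=30 target-scope=10
add comment=ns1.indosat.net.id disabled=no distance=1 dst-address=\
    202.155.0.20/32 gateway=192.168.2.1 scope=30 target-scope=10
add comment=PE-JR-HUAWEI.telkom.net.id disabled=no distance=1 dst-address=\
    125.160.0.97/32 gateway=192.168.3.1 scope=30 target-scope=10
add comment=ns1.rad.net.id disabled=no distance=1 dst-address=202.154.1.2/32 \
    gateway=192.168.4.1 scope=30 target-scope=10
add comment=ns1.indosat.net.id disabled=no distance=1 dst-address=\
    202.155.0.15/32 gateway=192.168.5.1 scope=30 target-scope=10
add check-gateway=ping comment="LB Router" disabled=no distance=1 \
    dst-address=0.0.0.0/0 \
    gateway=192.168.5.1,192.168.4.1,192.168.3.1,192.168.2.1,192.168.1.1 \
    scope=255 target-scope=10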

Penjelasan:
  1. Baris routing dengan comment "LB Router" (baris terakhir) ditulis secara otomatis oleh script deadgwdetection; baris lainnya ditulis manual.
  2. Koneksi dari router keluar (internet) akan melalui semua gateway yang hidup (dalam contoh di atas ada 5 gateway).
  3. Untuk deteksi koneksi internet masing-masing wan dilakukan dengan cara ping ke ip tertentu di mana routing ke ip tersebut sudah dibuat statik per wan.
    • Untuk cek koneksi wan1 dilakukan dengan ping ke ip 202.134.1.10
    • Untuk cek koneksi wan2 dilakukan dengan ping ke ip 202.155.0.20
    • Untuk cek koneksi wan3 dilakukan dengan ping ke ip 125.160.0.97
    • Untuk cek koneksi wan4 dilakukan dengan ping ke ip 202.154.1.2
    • Untuk cek koneksi wan5 dilakukan dengan ping ke ip 202.155.0.15 (sesuai routing statik dan variabel ips di script param)

# Resolver and time.
# allow-remote-requests=yes makes the router a recursive cache for other hosts.
# It is required because the NAT rules redirect every client DNS query here,
# but the resolver then also answers on the WAN-facing addresses: the input
# filter must drop port 53 from the WAN side, otherwise this is an open
# resolver. Upstream servers are the ISP's, reached with plain unauthenticated
# DNS. cache-max-ttl caps how long an answer is kept regardless of its own TTL;
# max-udp-packet-size=512 keeps answers at classic DNS size (no EDNS).
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=3072KiB \
    max-udp-packet-size=512 primary-dns=202.134.0.155 secondary-dns=\
    203.130.196.155

# Name under which clients can address the router's resolver.
/ip dns static
add address=192.168.0.254 disabled=no name=cache-ns.domainku.org ttl=1d

/system clock
set time-zone-name=Asia/Jakarta

# Unicast NTP from two public servers; no key is configured in this listing,
# so the time source is unauthenticated.
/system ntp client
set enabled=yes mode=unicast primary-ntp=202.162.32.12 secondary-ntp=203.160.128.3

# The router also serves NTP (manycast=yes) on every interface; as with DNS,
# which networks can actually reach it is decided by the input filter.
/system ntp server
set broadcast=no enabled=yes manycast=yes multicast=no

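# Packet filter. "input" is traffic addressed to the router itself, "forward"
# is transit traffic; "tcp", "udp" and "icmp" are per-protocol sub-chains that
# "forward" jumps into. RouterOS has NO implicit final drop - whatever a chain
# does not match is accepted - so the explicit "drop everything else" rules at
# the end of input and forward (added in this revision) are what actually make
# the policy default-deny.
#
# Changes in this revision:
#  - "Allow UDP" accepted all UDP from every interface, exposing the resolver
#    (/ip dns allow-remote-requests=yes) and the NTP server to the WAN side;
#    it is now limited to the proxy host.
#  - SSH and WinBox were accepted from any interface; now only from "local".
#  - explicit final drops added to input and forward.
#  - three protocol=udp rules sat in the "tcp" chain, which is only entered
#    for protocol=tcp, so they never matched; moved to the "udp" chain.
#  - mislabelled rule comments corrected (icmp types, connection-limit value,
#    "PRC" -> "RPC", "________" placeholders).
/ip firewall filter
# ---- input: port-scan detection on each non-LAN interface --------------------
# psd=21,3s,3,1 -> weight threshold 21 within 3 s; low ports weigh 3, high 1.
# Offenders stay in "port scanners" for two weeks and are dropped below.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    disabled=no in-interface=wan1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    disabled=no in-interface=wan2 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    disabled=no in-interface=wan3 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    disabled=no in-interface=wan4 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    disabled=no in-interface=wan5 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    disabled=no in-interface=proxy protocol=tcp psd=21,3s,3,1
# Illegal TCP flag combinations are matched on every interface, LAN included.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
    no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
    src-address-list="port scanners"
# ---- input: what the router itself accepts -----------------------------------
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established disabled=no
# Replies to the router's own DNS, NTP and ping traffic are matched by the
# established rule above; LAN clients by "Allow input from clients" below.
# Only the proxy host still needs an explicit allowance (it may use the
# router as its resolver).
add action=accept chain=input comment="Allow UDP from proxy host" disabled=no \
    protocol=udp src-address-list=proxy
add action=accept chain=input comment="Allow DNS/TCP from proxy host" \
    disabled=no dst-port=53 protocol=tcp src-address-list=proxy
# ICMP to the router: 50 packets per 5 s with a burst of 2, the rest dropped.
add action=accept chain=input comment="Allow limited pings" disabled=no \
    limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=\
    icmp
# ---- input: SSH brute-force throttle -----------------------------------------
# Rules run top-down, so the stages are tested from highest to lowest: a source
# that opens a 4th new SSH connection within one minute lands in ssh_blacklist
# for 10 days. An administrator reconnecting quickly is throttled the same way;
# put an allow-rule for admin addresses above this block if that matters.
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22 in-interface=!proxy protocol=tcp src-address-list=\
    ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input comment="" connection-state=new \
    disabled=no dst-port=22 in-interface=!proxy protocol=tcp \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 in-interface=!proxy protocol=tcp \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 in-interface=!proxy protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 in-interface=!proxy protocol=tcp
# Management only from the "local" list (LAN, modems, proxy host); anything
# else falls through to the final input drop.
add action=accept chain=input comment="SSH for secure shell" disabled=no \
    dst-port=22 protocol=tcp src-address-list=local
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
    protocol=tcp src-address-list=local
# Every LAN client may reach every router service (www, api, ftp, telnet, ...);
# disable the unused ones under /ip service rather than relying on this rule.
add action=accept chain=input comment="Allow input from clients" disabled=no \
    src-address-list=clients
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid disabled=no
# Explicit default-deny for the router itself (previously an implicit accept).
add action=drop chain=input comment="Drop everything else to router" disabled=no
# ---- forward -----------------------------------------------------------------
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=no protocol=tcp
add action=accept chain=forward comment=\
    "allow already established connections" connection-state=established \
    disabled=no
# "related" also matches ICMP errors that belong to a tracked flow (e.g. type 3
# code 4 "fragmentation needed"), so path-MTU discovery keeps working even
# though the icmp sub-chain below does not accept 3:4 on its own.
add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no
# Clients may talk directly to the modem admin addresses and the proxy host.
# NOTE(review): this gives every LAN host the modems' management pages; narrow
# the source list to administrator addresses if the modems are not otherwise
# protected.
add action=accept chain=forward comment="Enable to exceptions" disabled=no \
    dst-address-list=exceptions in-interface=lan src-address-list=clients
# Unroutable source/destination ranges.
add action=drop chain=forward comment="" disabled=no src-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=224.0.0.0/3
add action=drop chain=forward comment="" disabled=no dst-address=224.0.0.0/3
add action=drop chain=forward comment="Drop to private networks" disabled=no \
    dst-address-list=private-networks in-interface=lan
add action=jump chain=forward comment="" disabled=no jump-target=tcp \
    protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=udp \
    protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=icmp \
    protocol=icmp
# Same scan signatures for transit traffic (drop only, no listing).
add action=drop chain=forward comment="Port scanners to list " disabled=no \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=forward comment="NMAP FIN Stealth scan" disabled=no \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward comment="SYN/FIN scan" disabled=no protocol=tcp \
    tcp-flags=fin,syn
add action=drop chain=forward comment="SYN/RST scan" disabled=no protocol=tcp \
    tcp-flags=syn,rst
add action=drop chain=forward comment="FIN/PSH/URG scan" disabled=no \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=drop chain=forward comment="ALL/ALL scan" disabled=no protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=drop chain=forward comment="NMAP NULL scan" disabled=no protocol=\
    tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward comment="dropping port scanners" disabled=no \
    src-address-list="port scanners"
# Outbound SMTP. Net effect of the three rules: the very first packet a source
# sends to port 25 is dropped while the source is added to "smtp-email", after
# which it is accepted for 5 minutes - a retransmitted SYN gets through. This
# delays outbound SMTP rather than limiting it; a real mass-mailer brake would
# need connection-limit or dst-limit on port 25.
add action=accept chain=forward comment="Menghindari Spam SMTP Dari Virus" \
    disabled=no dst-port=25 protocol=tcp src-address-list=smtp-email
add action=add-src-to-address-list address-list=smtp-email \
    address-list-timeout=5m chain=forward comment="" disabled=no dst-port=25 \
    protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=25 protocol=tcp
# connection-limit=30,32: drop new SYNs from a /32 that already has 30 or more
# connections (the old comment said 20).
add action=drop chain=forward comment="Drop tcp syn from client >= 30 conns" \
    connection-limit=30,32 disabled=no in-interface=lan protocol=tcp \
    tcp-flags=syn
add action=accept chain=forward comment="Allow forward from clients" \
    disabled=no in-interface=lan src-address-list=clients
add action=accept chain=forward comment="Allow from proxy" disabled=no \
    src-address-list=proxy
add action=drop chain=forward comment="Drop connection from lan" disabled=no \
    in-interface=lan
# Explicit default-deny for transit traffic arriving from the WAN or proxy side
# that no rule above accepted (previously an implicit accept).
add action=drop chain=forward comment="Drop everything else" disabled=no
# ---- tcp sub-chain: destination ports blocked for transit TCP -----------------
# Largely a 2003-2004 worm/backdoor port list. These also block legitimate
# services on the same ports (e.g. 10000 is also Webmin, 3127-3128 also Squid);
# client traffic to 3128 is normally dst-natted to the proxy's 8080 before it
# reaches this chain.
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
    111 protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
    12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
    protocol=tcp
# NOTE(review): Back Orifice's well-known port is 31337; 3133 looks like a typo.
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=\
    3133 protocol=tcp
# DHCP is UDP; this TCP rule is inert but harmless.
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
    protocol=tcp
add action=drop chain=tcp comment="Drop Blaster Worm" disabled=no dst-port=\
    135-139 protocol=tcp
add action=drop chain=tcp comment="Drop Blaster Worm" disabled=no dst-port=\
    445 protocol=tcp
add action=drop chain=tcp comment="http-rpc-epmap" disabled=no dst-port=593 \
    protocol=tcp
# Blocking the first dynamic ports can affect legitimate servers on them.
add action=drop chain=tcp comment="dynamic ports 1024-1030" disabled=no \
    dst-port=1024-1030 protocol=tcp
add action=drop chain=tcp comment="Drop MyDoom" disabled=no dst-port=1080 \
    protocol=tcp
add action=drop chain=tcp comment="KaZaA" disabled=no dst-port=1214 \
    protocol=tcp
add action=drop chain=tcp comment="ndm requester" disabled=no dst-port=1363 \
    protocol=tcp
add action=drop chain=tcp comment="ndm server" disabled=no dst-port=1364 \
    protocol=tcp
add action=drop chain=tcp comment="screen cast" disabled=no dst-port=1368 \
    protocol=tcp
add action=drop chain=tcp comment=hromgrafx disabled=no dst-port=1373 \
    protocol=tcp
add action=drop chain=tcp comment=cichlid disabled=no dst-port=1377 protocol=\
    tcp
add action=drop chain=tcp comment=Worm disabled=no dst-port=1433-1434 \
    protocol=tcp
add action=drop chain=tcp comment="Bagle Virus" disabled=no dst-port=2745 \
    protocol=tcp
add action=drop chain=tcp comment="Drop Dumaru.Y" disabled=no dst-port=2283 \
    protocol=tcp
add action=drop chain=tcp comment="Drop Beagle" disabled=no dst-port=2535 \
    protocol=tcp
add action=drop chain=tcp comment="Drop Beagle.C-K" disabled=no dst-port=2745 \
    protocol=tcp
add action=drop chain=tcp comment="Drop MyDoom" disabled=no dst-port=\
    3127-3128 protocol=tcp
add action=drop chain=tcp comment="Drop Backdoor OptixPro" disabled=no \
    dst-port=3410 protocol=tcp
add action=drop chain=tcp comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=tcp comment="Drop Sasser" disabled=no dst-port=5554 \
    protocol=tcp
add action=drop chain=tcp comment="Drop Beagle.B" disabled=no dst-port=8866 \
    protocol=tcp
add action=drop chain=tcp comment="Drop Dabber.A-B" disabled=no dst-port=9898 \
    protocol=tcp
add action=drop chain=tcp comment="Drop Dumaru.Y" disabled=no dst-port=10000 \
    protocol=tcp
add action=drop chain=tcp comment="Drop MyDoom.B" disabled=no dst-port=10080 \
    protocol=tcp
add action=drop chain=tcp comment="Drop Kuang2" disabled=no dst-port=17300 \
    protocol=tcp
add action=drop chain=tcp comment="Drop SubSeven" disabled=no dst-port=27374 \
    protocol=tcp
add action=drop chain=tcp comment="Drop PhatBot, Agobot, Gaobot" disabled=no \
    dst-port=65506 protocol=tcp
# ---- udp sub-chain: destination ports blocked for transit UDP -----------------
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 \
    protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=\
    111 protocol=udp
add action=drop chain=udp comment="deny MS RPC epmap" disabled=no dst-port=\
    135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
    protocol=udp
# Moved here from the tcp chain, where protocol=udp could never match.
add action=drop chain=udp comment="Drop Messenger Worm" disabled=no dst-port=\
    135-139 protocol=udp
add action=drop chain=udp comment="Drop Blaster Worm" disabled=no dst-port=\
    445 protocol=udp
add action=drop chain=udp comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
    protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=\
    3133 protocol=udp
# ---- icmp sub-chain: allowed ICMP types for transit traffic -------------------
# Only ICMP that is not already "related" to a tracked flow gets here.
add action=accept chain=icmp comment="allow echo reply" disabled=no \
    icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="allow net unreachable" \
    disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="allow host unreachable" \
    disabled=no icmp-options=3:1 protocol=icmp
# Source quench is obsolete (RFC 6633); accepting it is harmless.
add action=accept chain=icmp comment="allow source quench" disabled=no \
    icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no \
    icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no \
    icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" disabled=no \
    icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no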

# Address lists referenced by the filter, NAT and mangle rules.
#  router           - the router's LAN address; not referenced by any rule in
#                     this listing.
#  private-networks - RFC 1918 ranges, dropped as forward destinations from the
#                     LAN (the "exceptions" accept rule sits above that drop).
#                     169.254.0.0/16 and 100.64.0.0/10 are not covered; add them
#                     if the upstream uses link-local or carrier-grade NAT space.
#  exceptions       - modem admin addresses and the proxy host that LAN clients
#                     may reach directly. NOTE(review): every LAN host can thus
#                     open the modems' management pages; narrow this to an
#                     administrator list if the modems are not protected.
#  local            - destinations excluded from load balancing (mangle
#                     dst-address-list=!local). It holds the modem and proxy
#                     host addresses but not the router's own WAN-side
#                     (192.168.x.3) or proxy-side (192.168.100.2) addresses;
#                     the LB_PCC rules rely on dst-address-type=!local for those.
#  clients          - the LAN subnet; source list for NAT, mangle and the
#                     input/forward accept rules.
#  proxy            - the Squid host.
#  bypasswww        - destinations excluded from transparent proxying (modems
#                     and the proxy host itself, which also prevents a loop).
/ip firewall address-list
add address=192.168.0.254 comment="ip router mikrotik" disabled=no list=router
add address=10.0.0.0/8 comment="" disabled=no list=private-networks
add address=172.16.0.0/12 comment="" disabled=no list=private-networks
add address=192.168.0.0/16 comment="" disabled=no list=private-networks
add address=192.168.1.1 comment="Modem spidi wan1" disabled=no list=exceptions
add address=192.168.2.1 comment="Modem spidi wan2" disabled=no list=exceptions
add address=192.168.3.1 comment="Modem spidi wan3" disabled=no list=exceptions
add address=192.168.4.1 comment="Modem spidi wan4" disabled=no list=exceptions
add address=192.168.5.1 comment="Modem spidi wan5" disabled=no list=exceptions
add address=192.168.100.1 comment="proxy server" disabled=no list=exceptions
add address=192.168.0.0/24 comment="" disabled=no list=local
add address=192.168.1.1 comment="" disabled=no list=local
add address=192.168.2.1 comment="" disabled=no list=local
add address=192.168.3.1 comment="" disabled=no list=local
add address=192.168.4.1 comment="" disabled=no list=local
add address=192.168.5.1 comment="" disabled=no list=local
add address=192.168.100.1 comment="" disabled=no list=local
add address=192.168.0.0/24 comment="" disabled=no list=clients
add address=192.168.100.1 comment="" disabled=no list=proxy
add address=192.168.1.1 comment=wan1 disabled=no list=bypasswww
add address=192.168.2.1 comment=wan2 disabled=no list=bypasswww
add address=192.168.3.1 comment=wan3 disabled=no list=bypasswww
add address=192.168.4.1 comment=wan4 disabled=no list=bypasswww
add address=192.168.5.1 comment=wan5 disabled=no list=bypasswww
add address=192.168.100.1 comment=proxy disabled=no list=bypasswww

# NAT.
# dstnat:
#  - Client DNS (UDP and TCP 53) is redirected to the router's own resolver, so
#    LAN hosts cannot pick an outside resolver. This relies on the input chain
#    accepting the redirected packets from "clients".
#  - Client HTTP (80) and the common proxy ports (3128, 8080) are rewritten to
#    the external Squid at 192.168.100.1:8080 (transparent proxy). Destinations
#    in "bypasswww" - the modems and the proxy host itself - are left alone,
#    which also avoids a proxy-to-proxy loop. Only plain HTTP is intercepted;
#    443 and everything else leaves through the PCC load balancer.
# srcnat:
#  - One masquerade rule per WAN for the client list and one per WAN for the
#    proxy host, so the source address matches whichever modem the routing
#    mark selected. Traffic the router originates itself is not masqueraded
#    here; it leaves with the router's 192.168.x.3 address, which the modem
#    (in router mode) presumably NATs again.
/ip firewall nat
add action=redirect chain=dstnat comment="DNS REDIRECT to router" disabled=no \
    dst-port=53 in-interface=lan protocol=udp src-address-list=clients \
    to-ports=53
add action=redirect chain=dstnat comment="DNS REDIRECT to router" disabled=no \
    dst-port=53 in-interface=lan protocol=tcp src-address-list=clients \
    to-ports=53
add action=dst-nat chain=dstnat comment=proxy_external disabled=no \
    dst-address-list=!bypasswww dst-port=80,3128,8080 in-interface=lan \
    protocol=tcp src-address-list=clients to-addresses=192.168.100.1 \
    to-ports=8080
add action=masquerade chain=srcnat comment=wan1 disabled=no out-interface=\
    wan1 src-address-list=clients
add action=masquerade chain=srcnat comment=wan2 disabled=no out-interface=\
    wan2 src-address-list=clients
add action=masquerade chain=srcnat comment=wan3 disabled=no out-interface=\
    wan3 src-address-list=clients
add action=masquerade chain=srcnat comment=wan4 disabled=no out-interface=\
    wan4 src-address-list=clients
add action=masquerade chain=srcnat comment=wan5 disabled=no out-interface=\
    wan5 src-address-list=clients
add action=masquerade chain=srcnat comment=wan1 disabled=no out-interface=\
    wan1 src-address-list=proxy
add action=masquerade chain=srcnat comment=wan2 disabled=no out-interface=\
    wan2 src-address-list=proxy
add action=masquerade chain=srcnat comment=wan3 disabled=no out-interface=\
    wan3 src-address-list=proxy
add action=masquerade chain=srcnat comment=wan4 disabled=no out-interface=\
    wan4 src-address-list=proxy
add action=masquerade chain=srcnat comment=wan5 disabled=no out-interface=\
    wan5 src-address-list=proxy

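# Packet and connection marking.
# The packet marks (clients-up, clients-up-www, clients-local-up, proxy-hit,
# clients-down, clients-local-down) presumably feed a queue tree that is not
# part of this listing. The connection/routing marks implement the load
# balancing:
#  - LB_PCC: new connections from LAN clients to non-local destinations are
#    split by per-connection-classifier. The denominators run 5,4,3,2,1 and
#    every mark-routing rule ends processing (passthrough=no), so rule N takes
#    roughly 1/N of the connections the earlier rules left over - an equal
#    share per WAN. The final rule (1/0) catches whatever remains.
#  - LB_NTH: the same cascade for connections from the proxy host, using the
#    nth counter instead of the address hash.
# Both groups are regenerated by deadgwdetection with only the online WANs.
#
# Changes in this revision:
#  - "MARK Proxy Cache Hits" now requires src-address-list=proxy. It matched
#    any TCP packet with source port 8080 and DSCP 12, so a remote host could
#    have its traffic classified as a cache hit (and, presumably, exempted from
#    shaping) just by using that port and DSCP value.
#  - the LB_NTH mark-connection rules carry dst-address-type=!local like the
#    LB_PCC rules, so proxy-to-router traffic is never routing-marked.
/ip firewall mangle
# Client traffic already addressed to the proxy ports (seen before dst-nat).
add action=mark-packet chain=prerouting comment=\
    "MARK PACKET DIRECT to proxy clients-up" disabled=no dst-address-list=\
    proxy dst-port=3128,8080 in-interface=lan new-packet-mark=clients-up \
    passthrough=no protocol=tcp
# Client traffic to local destinations (modems, proxy host, LAN).
add action=mark-packet chain=prerouting comment="MARK PACKET LOCAL local-up" \
    disabled=no dst-address-list=local in-interface=lan new-packet-mark=\
    clients-local-up passthrough=no src-address-list=clients
# Client HTTP / proxy-port traffic that the NAT rule hands to Squid.
add action=mark-packet chain=prerouting comment=\
    "MARK PACKET clients tcp port 80,3128,8080 REDIRECT to proxy" disabled=no \
    dst-address-list=!bypasswww dst-port=80,3128,8080 in-interface=lan \
    new-packet-mark=clients-up-www passthrough=no protocol=tcp \
    src-address-list=clients
# Everything else from clients; passthrough=yes so the LB rules still run.
add action=mark-packet chain=prerouting comment=\
    "MARK PACKET clients-up" disabled=no in-interface=lan \
    new-packet-mark=clients-up passthrough=yes src-address-list=clients
# DSCP 12 is presumably set by Squid on cache hits (zph) - confirm on the proxy.
add action=mark-packet chain=forward comment="MARK Proxy Cache Hits" \
    disabled=no dscp=12 new-packet-mark=proxy-hit passthrough=no protocol=tcp \
    src-address-list=proxy src-port=8080
add action=mark-packet chain=forward comment=\
    "MARK PACKET clients-down from proxy" disabled=no dst-address-list=\
    clients new-packet-mark=clients-down passthrough=no protocol=tcp \
    src-address-list=proxy src-port=8080
add action=mark-packet chain=forward comment="MARK PACKET LOCAL clients-down" \
    disabled=no dst-address-list=clients new-packet-mark=clients-local-down \
    passthrough=no src-address-list=local
add action=mark-packet chain=forward comment=\
    "MARK PACKET clients-down" disabled=no dst-address-list=clients \
    new-packet-mark=clients-down passthrough=no
# ---- load-balancing cascade, wan5 first down to wan1 (script-generated) ------
add action=mark-connection chain=prerouting comment=LB_PCC connection-state=\
    new disabled=no dst-address-list=!local dst-address-type=!local \
    in-interface=lan new-connection-mark=wan5-con passthrough=yes \
    per-connection-classifier=both-addresses:5/0 src-address-list=clients
add action=mark-routing chain=prerouting comment=LB_PCC connection-mark=\
    wan5-con disabled=no in-interface=lan new-routing-mark=wan5 passthrough=no
add action=mark-connection chain=prerouting comment=LB_NTH connection-state=\
    new disabled=no dst-address-list=!local dst-address-type=!local \
    in-interface=proxy new-connection-mark=wan5-con nth=5,1 passthrough=yes
add action=mark-routing chain=prerouting comment=LB_NTH connection-mark=\
    wan5-con disabled=no in-interface=proxy new-routing-mark=wan5 \
    passthrough=no
add action=mark-connection chain=prerouting comment=LB_PCC connection-state=\
    new disabled=no dst-address-list=!local dst-address-type=!local \
    in-interface=lan new-connection-mark=wan4-con passthrough=yes \
    per-connection-classifier=both-addresses:4/0 src-address-list=clients
add action=mark-routing chain=prerouting comment=LB_PCC connection-mark=\
    wan4-con disabled=no in-interface=lan new-routing-mark=wan4 passthrough=no
add action=mark-connection chain=prerouting comment=LB_NTH connection-state=\
    new disabled=no dst-address-list=!local dst-address-type=!local \
    in-interface=proxy new-connection-mark=wan4-con nth=4,1 passthrough=yes
add action=mark-routing chain=prerouting comment=LB_NTH connection-mark=\
    wan4-con disabled=no in-interface=proxy new-routing-mark=wan4 \
    passthrough=no
add action=mark-connection chain=prerouting comment=LB_PCC connection-state=\
    new disabled=no dst-address-list=!local dst-address-type=!local \
    in-interface=lan new-connection-mark=wan3-con passthrough=yes \
    per-connection-classifier=both-addresses:3/0 src-address-list=clients
add action=mark-routing chain=prerouting comment=LB_PCC connection-mark=\
    wan3-con disabled=no in-interface=lan new-routing-mark=wan3 passthrough=\
    no
add action=mark-connection chain=prerouting comment=LB_NTH connection-state=\
    new disabled=no dst-address-list=!local dst-address-type=!local \
    in-interface=proxy new-connection-mark=wan3-con nth=3,1 passthrough=yes
add action=mark-routing chain=prerouting comment=LB_NTH connection-mark=\
    wan3-con disabled=no in-interface=proxy new-routing-mark=wan3 \
    passthrough=no
add action=mark-connection chain=prerouting comment=LB_PCC connection-state=\
    new disabled=no dst-address-list=!local dst-address-type=!local \
    in-interface=lan new-connection-mark=wan2-con passthrough=yes \
    per-connection-classifier=both-addresses:2/0 src-address-list=clients
add action=mark-routing chain=prerouting comment=LB_PCC connection-mark=\
    wan2-con disabled=no in-interface=lan new-routing-mark=wan2 passthrough=\
    no
add action=mark-connection chain=prerouting comment=LB_NTH connection-state=\
    new disabled=no dst-address-list=!local dst-address-type=!local \
    in-interface=proxy new-connection-mark=wan2-con nth=2,1 passthrough=yes
add action=mark-routing chain=prerouting comment=LB_NTH connection-mark=\
    wan2-con disabled=no in-interface=proxy new-routing-mark=wan2 \
    passthrough=no
add action=mark-connection chain=prerouting comment=LB_PCC connection-state=\
    new disabled=no dst-address-list=!local dst-address-type=!local \
    in-interface=lan new-connection-mark=wan1-con passthrough=yes \
    per-connection-classifier=both-addresses:1/0 src-address-list=clients
add action=mark-routing chain=prerouting comment=LB_PCC connection-mark=\
    wan1-con disabled=no in-interface=lan new-routing-mark=wan1 passthrough=\
    no
add action=mark-connection chain=prerouting comment=LB_NTH connection-state=\
    new disabled=no dst-address-list=!local dst-address-type=!local \
    in-interface=proxy new-connection-mark=wan1-con nth=1,1 passthrough=yes
add action=mark-routing chain=prerouting comment=LB_NTH connection-mark=\
    wan1-con disabled=no in-interface=proxy new-routing-mark=wan1 \
    passthrough=no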

Baris-baris rule mangle dengan comment LB_PCC dan LB_NTH ditulis secara otomatis melalui script deadgwdetection yang akan dijelaskan nanti; setiap kali jumlah WAN yang online berubah, rule-rule tersebut dihapus dan dibuat ulang hanya untuk WAN yang online.

param
Saat router reboot script param di bawah ini akan dieksekusi:



#
# script: param
#
# Startup script: publishes the per-WAN tables that deadgwdetection reads.
# All four lists are positional - element N describes wanN - and must be kept
# in step with the interface names (wan1..wan5) and the static /32 routes.
#
# SCORE starts at 0, so the first deadgwdetection run after boot always sees a
# change and rebuilds the mangle rules and the ECMP route.
:global SCORE 0
# number of WAN ports
:global nwan 5
# probe address per WAN; each has a static /32 route via that WAN's modem
:global ips "202.134.1.10,202.155.0.20,125.160.0.97,202.154.1.2,202.155.0.15"
# modem (gateway) address per WAN
:global gws "192.168.1.1,192.168.2.1,192.168.3.1,192.168.4.1,192.168.5.1"
# score weight per WAN: distinct powers of two, so a SCORE value identifies
# exactly which WANs are online (all five up = 62)
:global scrs "2,4,8,16,32"
 
 
 Variabel scrs menyimpan nilai atau score per wan, sedangkan SCORE menyimpan status online semua wan. Karena nilai per wan adalah pangkat dua yang berbeda (2, 4, 8, 16, 32), setiap nilai SCORE menunjukkan secara unik kombinasi wan mana saja yang online:
  • Nilai SCORE 0 berarti semua WAN tidak online.
  • Jika WAN 1 online maka nilai SCORE menjadi bertambah 2.
  • Jika WAN 2 online maka nilai SCORE menjadi bertambah 4.
  • Jika WAN 3 online maka nilai SCORE menjadi bertambah 8.
  • Jika WAN 4 online maka nilai SCORE menjadi bertambah 16.
  • Jika WAN 5 online maka nilai SCORE menjadi bertambah 32.
  • Jika semua WAN online nilai SCORE adalah 2+4+8+16+32 = 62.

deadgwdetection
Script ini dijalankan via schedule setiap 120 detik atau 2 menit


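#
# script: deadgwdetection
#
# Per-WAN liveness check, run by the scheduler every 2 minutes.
#
# For every "wan$x" whose port is physically running it does three rounds of:
#   - one ping to that WAN's probe address (from "ips"). The static /32 route
#     for the address is what pins the ping to this WAN's modem; the ping
#     itself is not bound to an interface.
#   - one 1-second sample of the port's received bit-rate; > 4096 bit/s counts
#     as a success. NOTE(review): this is a best-effort fallback - inbound
#     background traffic from the internet can keep a line above the threshold
#     while the probe target is unreachable for other reasons - so it softens
#     false "down" verdicts rather than proving the line works.
# Two or more successes out of the six samples mark the WAN as online.
#
# The online WANs are folded into "score" with the bit weights in "scrs".
# When it differs from the previous run (global SCORE), the LB_PCC and LB_NTH
# mangle rules and the "LB Router" ECMP default route are rebuilt for the
# online WANs only, wan$nth first down to the lowest. The PCC denominator and
# the nth divisor are the rule's position in that cascade, and each
# mark-routing rule has passthrough=no, so every online WAN gets an equal
# share of new connections.
#
# Globals (set by the "param" startup script): nwan, ips, gws, scrs, SCORE.
# The scheduler entry grants read,write,test; the scripts need nothing more.
#
# Changes in this revision:
#   - gateway addresses come from "gws" instead of being rebuilt as
#     "192.168.$y.1" (the "gw" local used to be read and then ignored);
#   - with every WAN down the loop ran from 0 to 1, called :pick with index -1
#     and aborted with logging still disabled; that case now removes the LB
#     rules and route, logs an error and re-enables logging;
#   - "info" logging is muted only around the rewrite and a summary line is
#     logged afterwards, so the firewall change still leaves a trace. Remove
#     the disable/enable pair entirely if a full audit trail is preferred;
#   - generated LB_NTH rules carry dst-address-type=!local like the LB_PCC
#     rules, so proxy-to-router traffic is never routing-marked;
#   - "do {" normalised to "do={".
#
:global SCORE;
:global nwan;
:global ips;
:global gws;
:global scrs;
:local nth 0;
:local ipArr [:toarray $ips];
:local gwArr [:toarray $gws];
:local scrArr [:toarray $scrs];
:local wanArr {};
:local score 0;
:local lbs "";
:for x from=1 to="$nwan" \
  do={ :if ([ /interface ethernet get "wan$x" running ]) \
      do={ :local ip [:pick $ipArr ($x-1)]; :local succ 0;
           :for z from=1 to=3 \
             do={ :if ([/ping "$ip" count=1 size=28]=1) do={ :set succ ($succ+1) };
                  /interface monitor-traffic "wan$x" once do={ :if ($"rx-bits-per-second" > 4096) do={:set succ ($succ+1) }}};
           :if ($succ>1) \
              do={ :set wanArr ($wanArr, $x);:set nth ($nth+1); :set score ($score+[:pick $scrArr ($x-1)])} \
              else={ :log warning "Modem spidi wan$x is down." };
           };
     };
:if ($SCORE!=$score) \
do={ :local ptr [ /system logging find topics="info"];
     /system logging disable $ptr;
     /ip firewall mangle remove [ find comment="LB_NTH" ];
     /ip firewall mangle remove [ find comment="LB_PCC" ];
     /ip route remove [ find comment="LB Router" ];
     :if ($nth>0) \
     do={ :for x from=$nth to=1 \
          do={ :local y [:pick $wanArr ($x-1)];
               :local gw [:tostr [:pick $gwArr ($y-1)]];
               :if ($x>1) do={ :set lbs ($lbs . $gw . ",") };
               :if ($x=1) do={ :set lbs ($lbs . $gw) };
               /ip firewall mangle add action=mark-connection chain=prerouting comment="LB_PCC" \
               connection-state=new disabled=no dst-address-list=!local dst-address-type=!local \
               in-interface=lan src-address-list=clients new-connection-mark="wan$y-con" \
               per-connection-classifier="both-addresses:$x/0" passthrough=yes;
               /ip firewall mangle add action=mark-routing chain=prerouting comment="LB_PCC" \
               connection-mark="wan$y-con" disabled=no in-interface=lan new-routing-mark="wan$y" passthrough=no;
               /ip firewall mangle add action=mark-connection chain=prerouting comment="LB_NTH" \
               connection-state=new disabled=no dst-address-list=!local dst-address-type=!local \
               in-interface=proxy new-connection-mark="wan$y-con" nth="$x,1" passthrough=yes;
               /ip firewall mangle add action=mark-routing chain=prerouting comment="LB_NTH" \
               connection-mark="wan$y-con" disabled=no in-interface=proxy new-routing-mark="wan$y" passthrough=no; };
          /ip route add check-gateway=ping comment="LB Router" disabled=no distance=1 \
              dst-address=0.0.0.0/0 gateway="$lbs" scope=255 target-scope=10;
        } \
     else={ :log error "All WAN links are down - LB rules and default route removed." };
     /system logging enable $ptr;
     :log info "Load balancing rebuilt for WANs $wanArr (score $SCORE -> $score)";
   };
:set SCORE $score;
:put $SCORE;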
 
 
 
 Penjelasan:
  1. Pertama deteksi apakah koneksi fisik ke wan running atau tidak (pengecekan `running` pada /interface ethernet di awal loop).
  2. Kedua apakah melalui wan tersebut bisa ping ke ip tertentu (perintah /ping di dalam loop tiga kali).
  3. Jika tidak bisa diping, cek trafik received yang melalui wan tadi apakah melewati ambang batas 4096 bit/s (/interface monitor-traffic) sehingga wan ini bisa dianggap online. Kedua pengecekan diulang 3 kali; wan dianggap online jika total keberhasilan lebih dari 1 (`$succ>1`).
  4. Jika berhasil, naikkan jumlah wan (`nth`), catat nomor wan yang aktif ke `wanArr`, dan tambahkan score-nya. Jika semua gagal tulis di log bahwa koneksi melalui wan ini down.
  5. Agar tidak terlalu banyak output ke log, logging dengan topik "info" dimatikan sementara (/system logging disable).
  6. Jika ada perubahan nilai SCORE dibanding run sebelumnya, rule mangle dengan comment LB_NTH dan LB_PCC dihapus dan dibuat baru.
  7. Loop `:for x from=$nth to=1` menulis rule mangle Load Balancing PCC untuk koneksi non browsing (selain tcp port 80) dari cl      ients dan Load Balancing NTH untuk koneksi dari proxy, hanya untuk wan yang online.
  8. Route default "LB Router" dihapus dan dibuat ulang dengan gateway wan yang online saja.
  9. Fungsi logging diaktifkan kembali (/system logging enable).
  10. Nilai SCORE yang baru disimpan ke variabel global dan ditampilkan.

Sekarang aktifkan schedule untuk dua script di atas:
# Scheduler entries for the two scripts.
#   sch-param-startup     - runs "param" once at boot (interval=0s,
#                           start-time=startup) to publish the global tables.
#   sch-deadgwdetction    - (name as in the original, missing an "e") runs
#                           "deadgwdetection" every 2 minutes, aligned to
#                           1970-01-01 00:00:10 so the cadence does not depend
#                           on boot time.
# policy=read,write,test is the minimum the scripts need (they ping, sample
# interface traffic and rewrite mangle/route entries); no "policy", "ftp" or
# "sensitive" rights are granted - keep it that way.
# NOTE(review): both entries can fire shortly after boot; if the periodic run
# precedes the startup run, the globals are still unset on that first pass.
# Confirm the ordering on this RouterOS version.
/system scheduler
add comment="" disabled=no interval=0s name=sch-param-startup on-event=param \
    policy=read,write,test start-time=startup
add comment="" disabled=no interval=2m name=sch-deadgwdetction on-event=\
    deadgwdetection policy=read,write,test start-date=jan/01/1970 \
    start-time=00:00:10
 
 
 
Load balancing 7 WAN dengan mikrotik + proxy external

Load balancing 7 WAN dengan mikrotik + proxy external

Untuk deteksi koneksi internet yang putus di salah satu atau beberapa modem speedy digunakan teknik khusus yang saya beri nama dynamic routing and dead gateway detection yang source codenya bisa dilihat di gambar bawah.

Topologi
Topologi RB493 + 7 WAN + 1 Proxy

System resources RB493
system resource
Konfigurasi interface
interface list
Keterangan:
  1. eth1: local area network (lan) terlihat menerima trafik dari mikrotik sebesar 10.4Mbps (Tx).
  2. eth2: mikrotik menerima paket dari source http dan cache hit dari mesin proxy squid sebesar 9.9Mbps (Rx) dan forward trafik ke mesin proxy sebesar 3.8Mbps. Secara kasar cache hit: 9.9Mbps – 3.8Mbps = 6.1Mbps
  3. eth3: modem adsl speedy wan1.
  4. eth4: modem adsl speedy wan2.
  5. eth5: modem adsl speedy wan3.
  6. eth6: modem adsl speedy wan4.
  7. eth7: modem adsl speedy wan5.
  8. eth8: modem adsl speedy wan6.
  9. eth9: modem adsl speedy wan7.

Routing list
routing list
Keterangan:
  1. Tujuh baris teratas membuat routing mark yang sesuai dengan koneksi ke spidi (wan1 – wan7).
  2. Baris yang ada comment “LB Router” itu metode loadbalancing dengan ECMP (Equal Cost Multi-Path) Routing.
  3. Untuk deteksi koneksi setiap modem speedy dari modem 1 s/d 7 (wan1 s/d wan7) maka dibuatkan routing statik dengan ip tujuan berturut-turut 202.134.1.10, 202.155.0.20, 125.160.0.97, 202.154.1.2, 218.100.27.179, 202.152.1.1, 125.167.72.1 (pada gambar terlihat di kolom destination).

Routing policy (ip route list)
routing policy

Mangle untuk loadbalancing n+th (policy based routing) dan queue management
ip firewall mangle
Keterangan:
  1. Baris 0 menandai paket icmp dari router ke internet.
  2. Baris 1 menandai paket dari client (user) melalui device lan ke router. Gunanya mangle ini agar trafik ini tidak kena bandwidth management.
  3. Baris 2 menandai paket cache hit dari proxy server eksternal ke client. Gunanya agar object cache hit dari proxy tidak dilimit atau dishaping.
  4. Baris 3 menandai paket dari client lan ke proxy non port 8080 protocol tcp.
  5. Baris 4 menandai paket lokal dari proxy ke client non port 8080 protocol tcp.
  6. Baris 5 menandai paket dari proxy ke client port 8080 protocol tcp.
  7. Baris 6 menandai paket dari internet dengan tujuan client.
  8. Baris 7 menandai paket dari client ke port 80 (www) yang dilewatkan secara transparent ke proxy eksternal.
  9. Baris 8 – 9 menandai paket dari client ke port 25 dan 6600-7000 protocol tcp agar selalu dilewatkan ke device wan tertentu.
  10. Baris 10 dan selanjutnya membuat loadbalancing dengan n+th untuk paket yang datang client dan proxy server.

N A T
ip firewall nat
Keterangan:
  1. Baris 0 dan 1 membelokkan trafik request dns dari client ke dns cache mikrotik.
  2. Baris 2 membelokkan trafik ke port 80/tcp dari client ke proxy server external.
  3. Baris 3 – 9 masquerade untuk koneksi client ke internet.
  4. Baris 10 – 16 masquerade untuk koneksi proxy server external ke internet.
  5. Baris 17 masquerade untuk koneksi client ke tujuan non proxy server.
  6. Baris 18 masquerade untuk koneksi proxy server ke tujuan non clients.

Bandwidth management dengan Queue Simple
queue simple

Tool Netwatch
tool netwatch
Alat bantu netwatch akan memonitor koneksi lokal ke masing-masing modem adsl.

Source code dynamic routing & dead gateway detection
dynamic routing & dead gateway detection
Keterangan:
  1. Script di atas dijalankan per 1 menit melalui schedule.
  2. Saat dijalankan yang dilakukan adalah cek status (cek koneksi lokal) modem adsl speedy di tool netwatch.
  3. Selanjutnya adalah cek koneksi internet modem dengan ping ke ip tujuan tertentu yang telah diset routingnya secara statik agar melalui modem tersebut.
  4. Selain metode ping juga dilakukan pengamatan trafik yang lewat interface ke modem.
  5. Hal ini dilakukan berulang-ulang sampai semua modem adsl speedy selesai dimonitor baik koneksi lokal maupun internet.
  6. Jika ada salah satu atau beberapa koneksi internet modem putus maka dilakukan perhitungan kembali loadbalancing n+th dan penentuan kembali statik routing untuk tujuan ke port 25/tcp dan 6600-7000/tcp.
  7. Koneksi internet modem yang terputus akan ditulis di log.

Load Balancing n+th in action
Analisa ini untuk melihat apakah load balancing n+th dijalankan dengan benar. Untuk itu akan dimonitor trafik dari salah satu client, ip 192.168.0.37. Client menjalankan aplikasi Download Accelerator Plus (DAP) dengan membuka sesi download lebih dari 5. Buka Tools > Torch lalu isi seperti di bawah ini:
Interface: lan
Src. Address: 192.168.0.37
Dst. Address: 0.0.0.0/0
Protocol	: tcp
Port		: any
Kotak Src. Address, Dst. Address, Protocol (pilih tcp) dan Port (pilih any) dicentang dahulu.
monitoring trafik dari client 192.168.0.37
Terlihat ip tujuan adalah 174.140.128.13, sekarang stop torch dan isikan parameter seperti di bawah ini untuk monitor trafik yang lewat interface wan1:
Interface: wan1
Src. Address: 174.140.128.13
Dst. Address: 0.0.0.0/0
Lakukan hal yang sama untuk monitor trafik yang lewat interface wan2 – wan7. Maka akan diperoleh gambar-gambar berikut:
wan1-client-37
wan2-client-37
wan3-client-37
wan4-client-37
wan5-client-37
wan6-client-37
wan7-client-37

Trafik monitoring mikrotik di device eth0 (LAN)
mrtg
Keterangan:
  1. Pukul 01:00-02:00, trafik mencapai limit bandwidth root yang diset 5Mbps (gambar tengah).
  2. Pukul 16:00 trafik loss sampai hampir 8Mbps saat bandwidth management dilepas (gambar kanan).

  3. sumber:http://awarmanf.wordpress.com/2010/01/06/lb7wan-rb439-proxy-external/

09 June 2012

Load Balance 2 Line Speedy + external Proxy

Load Balance 2 Line Speedy + external Proxy

Berikut script :
Set Interface disesuaikan Gan:
/ip address
- 192.168.4.1/24 interface proxy
- 192.168.1.1/24 interface lokal
- 192.168.2.1/24  interface modem1
- 192.168.3.1/24  interface modem2

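/interface pppoe-client
# Two PPPoE dialers, one per Speedy modem. Their names (spedaku, spedamu)
# are what the NAT masquerade rules and the /ip route entries refer to.
# add-default-route=no: the default routes are added by hand under /ip route.
# Lines are joined with "\" so each "add" pastes as one console command.
# NOTE(review): allow=pap,... lets the ISP negotiate PAP, which carries the
# password in clear on the link; narrow the list to what the ISP requires.
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    dial-on-demand=no disabled=no interface=modem1 max-mru=1480 max-mtu=1480 \
    mrru=disabled name="spedaku" user="******@telkom.net" password="***" \
    profile=default service-name="" use-peer-dns=no
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    dial-on-demand=no disabled=no interface=modem2 max-mru=1480 max-mtu=1480 \
    mrru=disabled name="spedamu" user="******@telkom.net" password="***" \
    profile=default service-name="" use-peer-dns=no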

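/ip firewall mangle
# Packets already carrying DSCP 12 get the proxy-hit packet mark; the DSCP
# value is presumably set by the external proxy on cache hits (not shown here).
# NOTE(review): nothing limits this rule to in-interface=proxy, so any host
# that sets DSCP 12 on its own packets lands in the unlimited priority-1
# queue below; consider adding in-interface=proxy.
# Lines are joined with "\" so each "add" pastes as one console command.
add action=mark-packet chain=prerouting comment=proxy-hit disabled=no dscp=12 \
    new-packet-mark=proxy-hit passthrough=yes
/queue tree
# Cache hits bypass shaping: limit-at/max-limit 0 (unlimited), priority 1.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=HIT packet-mark=proxy-hit parent=global-out priority=1 \
    queue=default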

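## mangle
/ip firewall mangle
# Connections that arrive on a PPPoE link are tagged with that link's
# connection mark, so the router's own replies (chain=output) are routed
# back out the same link instead of following the default route.
# in-interface must be the pppoe-client name (spedaku / spedamu); a generic
# pppoe_1 / pppoe_2 would refer to interfaces this router does not have.
# Lines are joined with "\" so each "add" pastes as one console command.
add action=mark-connection chain=input comment="PCC RULE --- MARK ALL PPPoE CONN" \
    connection-state=new disabled=no in-interface=spedaku \
    new-connection-mark=pppoe1_conn passthrough=yes
add action=mark-connection chain=input comment="" connection-state=new \
    disabled=no in-interface=spedamu new-connection-mark=pppoe2_conn \
    passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no in-interface=spedaku new-connection-mark=pppoe1_conn passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no in-interface=spedamu new-connection-mark=pppoe2_conn passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no in-interface=spedaku new-connection-mark=pppoe1_conn passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no in-interface=spedamu new-connection-mark=pppoe2_conn passthrough=yes
# Router-originated traffic follows its connection mark back out the same link.
add action=mark-routing chain=output comment="" connection-mark=pppoe1_conn \
    disabled=no new-routing-mark=pppoe_1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=pppoe2_conn \
    disabled=no new-routing-mark=pppoe_2 passthrough=no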

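/ip firewall mangle
# PCC split of the proxy's outbound HTTP (tcp dst-port=80) connections over
# the two links: both-addresses-and-ports:2/0 and :2/1 are the two halves.
# dst-address-type=!local keeps traffic addressed to the router itself out.
# NOTE(review): only connection-state=established/related is matched, so a
# connection's first packet carries no mark; the usual PCC recipe marks
# connection-state=new — confirm this variant is intended.
# Lines are joined with "\" so each "add" pastes as one console command.
add action=mark-connection chain=prerouting comment="PCC RULE MARK HTTP CONN" \
    connection-state=established disabled=no dst-address-type=!local dst-port=80 \
    in-interface=proxy new-connection-mark=http_pppoe_1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no dst-address-type=!local dst-port=80 in-interface=proxy \
    new-connection-mark=http_pppoe_2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1 protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no dst-address-type=!local dst-port=80 in-interface=proxy \
    new-connection-mark=http_pppoe_1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no dst-address-type=!local dst-port=80 in-interface=proxy \
    new-connection-mark=http_pppoe_2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1 protocol=tcp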
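/ip firewall mangle
# PCC split of client (in-interface=lokal) traffic that does not go to the
# proxy: tcp with dst-port=!80, and all udp. Same 2/0 and 2/1 halves as the
# HTTP rules; dst-address-type=!local excludes traffic to the router itself.
# NOTE(review): as with the HTTP rules, only established/related is matched,
# so the first packet of a connection is unmarked — confirm this is intended.
# Lines are joined with "\" so each "add" pastes as one console command.
add action=mark-connection chain=prerouting comment="PCC RULE --- MARK - NON-HTTP CONN" \
    connection-state=established disabled=no dst-address-type=!local dst-port=!80 \
    in-interface=lokal new-connection-mark=non.http_pppoe_1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no dst-address-type=!local dst-port=!80 in-interface=lokal \
    new-connection-mark=non.http_pppoe_2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1 protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no dst-address-type=!local dst-port=!80 in-interface=lokal \
    new-connection-mark=non.http_pppoe_1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no dst-address-type=!local dst-port=!80 in-interface=lokal \
    new-connection-mark=non.http_pppoe_2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1 protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no dst-address-type=!local in-interface=lokal \
    new-connection-mark=non.http_pppoe_1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0 protocol=udp
add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no dst-address-type=!local in-interface=lokal \
    new-connection-mark=non.http_pppoe_2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1 protocol=udp
add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no dst-address-type=!local in-interface=lokal \
    new-connection-mark=non.http_pppoe_1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0 protocol=udp
add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no dst-address-type=!local in-interface=lokal \
    new-connection-mark=non.http_pppoe_2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1 protocol=udp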

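/ip firewall mangle
# Turn each PCC connection mark into the routing mark of its link; the
# /ip route entries with routing-mark=pppoe_1 / pppoe_2 select the gateway.
# Lines are joined with "\" so each "add" pastes as one console command.
add action=mark-routing chain=prerouting comment="PCC RULE --- MARK - HTTP ROUTE" \
    connection-mark=http_pppoe_1 disabled=no new-routing-mark=pppoe_1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=http_pppoe_2 \
    disabled=no new-routing-mark=pppoe_2 passthrough=yes
add action=mark-routing chain=prerouting comment="PCC RULE MARK NON HTTP ROUTE" \
    connection-mark=non.http_pppoe_1 disabled=no new-routing-mark=pppoe_1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=non.http_pppoe_2 \
    disabled=no new-routing-mark=pppoe_2 passthrough=yes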
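#Nat
/ip firewall nat
# Source NAT per uplink. MASQUERADE3 also rewrites client addresses towards
# the proxy, so the proxy's own logs will show the router, not the client.
# Lines are joined with "\" so each "add" pastes as one console command.
add action=masquerade chain=srcnat comment=MASQUERADE1 disabled=no \
    out-interface=spedaku
add action=masquerade chain=srcnat comment=MASQUERADE2 disabled=no \
    out-interface=spedamu
add action=masquerade chain=srcnat comment=MASQUERADE3 disabled=no \
    out-interface=proxy
# Intended to force client and proxy DNS (udp+tcp 53) to the router's
# resolver.
# NOTE(review): these rules set only to-ports=53 and no to-addresses, so the
# destination address is left as the client chose it; a real redirect to the
# router's own resolver is normally action=redirect — confirm on your version.
add action=dst-nat chain=dstnat comment=TRANSPARENT-DNS disabled=no dst-port=53 \
    in-interface=lokal protocol=udp to-ports=53
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
    in-interface=lokal protocol=tcp to-ports=53
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
    in-interface=proxy protocol=udp to-ports=53
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
    in-interface=proxy protocol=tcp to-ports=53
# Transparent proxy: client tcp traffic to 80/8080/3128 for any destination
# outside proxyNET is sent to the external proxy at 192.168.4.2:3128.
add action=dst-nat chain=dstnat comment=TRANSPARENT-proxy disabled=no \
    dst-address-list=!proxyNET dst-port=80,8080,3128 in-interface=lokal \
    protocol=tcp to-addresses=192.168.4.2 to-ports=3128
# Publishes the proxy host's SSH (tcp/22) on the public address with no
# source restriction, i.e. reachable from anywhere on the internet.
# NOTE(review): add src-address / src-address-list for the known admin
# addresses, or reach the proxy over a VPN instead of a port forward.
add action=dst-nat chain=dstnat comment="REMOTE PROXY" disabled=no \
    dst-address=118.96.40.xxx dst-port=22 protocol=tcp to-addresses=192.168.4.2 \
    to-ports=22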

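#Address List
/ip firewall address-list
# Names for the two internal networks. proxyNET is used by the
# TRANSPARENT-proxy NAT rule (dst-address-list=!proxyNET) so traffic that is
# already headed to the proxy network is not redirected again; lanNET is
# not referenced by any rule shown here.
add address=192.168.1.0/24 comment="" disabled=no list=lanNET
add address=192.168.4.0/24 comment="" disabled=no list=proxyNET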
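#Routing
/ip route
# Per-mark default routes for the mangle routing marks, plus two unmarked
# defaults: distance 1 via spedaku, distance 2 via spedamu as failover.
# check-gateway=ping takes a route out of service when its gateway stops
# answering, which is what makes the distance-2 route take over.
# Lines are joined with "\" so each "add" pastes as one console command.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=spedaku \
    routing-mark=pppoe_1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=spedamu \
    routing-mark=pppoe_2 scope=30 target-scope=10
add check-gateway=ping comment=Default-Route-pppoe1-Distance-1 disabled=no \
    distance=1 dst-address=0.0.0.0/0 gateway=spedaku scope=30 target-scope=10
add check-gateway=ping comment=Default-Route-pppoe2-Distance-2 disabled=no \
    distance=2 dst-address=0.0.0.0/0 gateway=spedamu scope=30 target-scope=10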

Catatan tambahan :
Di Edisi Berikutnya sy tambahkan Rule untuk Optimalisasi pada Game Online dan POker Untuk Optimal dan Terbebas dari LAG…
Rule untuk game online dan Poker masih di evaluasi lebih lanjut.. jadi mohon sabar yaaaa.. :-)
Load Balance 2 Line Speedy + external Proxy Suport Game Online dan Poker

08 June 2012

LOAD BALANCING 3 LINE SPEEDY PAKET GAME



# LOAD BALANCING 3 LINE SPEEDY PAKET GAME 
# Diterapkan pada Mikrotik RouterOS 4.2 dan sudah di UJI dan di COBA 100% berjalan dengan aman nyampe sekarang

Spesifikasi PC Router yang di gunakan :
- Intel Pentium 4 2,6 Ghz
- Mikrotik DOM level 4
- DDR2 1 Gb
- HDD 40 Gb
- 3 Lan Card

Interface :
3 Line Speedy
  - SPEEDY1 (192.168.1.2) => MODEM1 (2 Mbps) BRIDGE (192.168.1.1)
  - SPEEDY2 (192.168.2.2) => MODEM2 (2 Mbps) BRIDGE (192.168.2.1)
  - SPEEDY3 (192.168.3.2) => MODEM3 (1 Mbps) BRIDGE (192.168.3.1)
1 Local    (192.168.0.30)
  - JUMLAH CLIENT 14 PC 
  - IP address client 192.168.0.1 - 192.168.0.14 
  - IP address untuk OP 192.168.0.25
  - Subnet mask 255.255.255.224
  - Default Gateway 192.168.0.30
  - DNS Server 192.168.0.30

Ganti ID dan PASSWORD sesuai dengan id speedy (atau isp lain) sesuai dengan id yg diperoleh dari isp langganan anda, pada tulisan yang bercetak tebal dan miring, dan jangan lupa MODEM di seting BRIDGE

Maaf sebelumnya saya masih NEWbie, seandainya ada kekeliruan atau kesalahan mohon di koreksi...

Silahkan di cicipi, tinggal copy paste pada CONSOLE mikrotik.
- Boleh disebar luaskan
- Boleh diedit
- COPYLEFT (HAK CIPTA HANYA MILIK ALLAH SWT) 


#== COPY MULAI DARI SINI ===#

22 March 2012

LOAD BALANCING pada MIKROTIK di RB 750

LOAD BALANCING pada MIKROTIK di RB 750

Disini mencoba membuat load balancing dengan menggunakan routerboard RB 750 indoor yang mempunyai 5 interface, apabila kita ingin membuat load balancing failover pada mikrotik versi 4.11, disini saya menggunakan 2 jalur input WAN dengan 1 jalur output yang ditujukan pada Local Area Network.
Disini diatur interface dengan setting
- LAN = 192.168.1.0/24
- Uplink = WAN 1 = 192.168.20.6/28
- Uplink = WAN 2 = 192.168.10.12/24
Disini saya menggunakan 2 ISP WLAN, kalo di tempat anda menggunakan telkom speedy maka lihat dulu line tersebut mempunyai gateway yang sama atau tidak .  Apabila gateway sama,  anda harus setting PPPOE (mikrotik yang dial PPPOE sendiri),  maka anda pilih salahsatu dari gateway yang sama itu buat PPPOE yang lain bikin setting PPPOE dial dari modem yaitu modem yang jadi gateway.  Hal ini digunakan biar traffik jalan dengan maksimal, biasanya kalo cuma PPPOE dial mikrotik dengan gateway yang sama loadbalancing kurang maksimal bahkan sering terjadi 1 gateway saja yang jalan aktif.
Setting di mikrotik versi 4.11 adalah sebagai berikut :
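/ ip firewall mangle
# NTH round robin over the two WANs for new connections from LAN; the
# connection mark is then turned into a routing mark (passthrough=no) that
# selects the per-WAN default route below.
# Lines are joined with "\" so each "add" pastes as one console command.
add chain=prerouting action=mark-connection new-connection-mark=conn_1 \
    passthrough=yes connection-state=new in-interface=LAN nth=2,1
add chain=prerouting action=mark-routing new-routing-mark=conn_1 \
    passthrough=no in-interface=LAN connection-mark=conn_1
add chain=prerouting action=mark-connection new-connection-mark=conn_2 \
    passthrough=yes connection-state=new in-interface=LAN nth=1,1
add chain=prerouting action=mark-routing new-routing-mark=conn_2 \
    passthrough=no in-interface=LAN connection-mark=conn_2
/ip firewall nat
# Masquerade per WAN, tied to the connection mark of that WAN.
# NOTE(review): connections without a mark (presumably the router's own
# traffic) match neither rule and would leave without NAT — confirm.
add chain=srcnat action=masquerade out-interface=WAN1 connection-mark=conn_1
add chain=srcnat action=masquerade out-interface=WAN2 connection-mark=conn_2
/ip route
# Marked default routes per WAN plus the unmarked default via WAN 1.
# (comment=""disabled=no in the pasted original lacked the space between
# the two parameters, which breaks the command.)
add dst-address=0.0.0.0/0 gateway=192.168.20.14 scope=255 target-scope=10 \
    routing-mark=conn_1 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.10.100 scope=255 target-scope=10 \
    routing-mark=conn_2 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.20.14 scope=255 target-scope=10 \
    comment="" disabled=no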

06 January 2012

Load Balancing with two interfaces

Load Balancing with two interfaces

Network Diagram

Image:ibgp_load_bal.png

Configuration

On Router A:
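# loopback interface
/interface bridge add name=lobridge
# addresses
/ip address add address=1.1.1.1/24 interface=ether1
/ip address add address=2.2.2.1/24 interface=ether2
/ip address add address=9.9.9.1/32 interface=lobridge
# ECMP route to peer's loopback (two gateways, one per link)
/ip route add dst-address=9.9.9.2/32 gateway=1.1.1.2,2.2.2.2
# BGP (iBGP: both routers use as=65000), session bound to the loopback.
# NOTE(review): the peer status further down shows tcp-md5-key="", i.e. the
# session is unauthenticated; set the same tcp-md5-key on both routers.
# The peer path is /routing bgp peer on most RouterOS versions — confirm.
/routing bgp instance set default as=65000
/routing bgp add name=peer1 remote-address=9.9.9.2 remote-as=65000 update-source=lobridge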
On Router B:
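# loopback interface
/interface bridge add name=lobridge
# addresses
/ip address add address=1.1.1.2/24 interface=ether1
/ip address add address=2.2.2.2/24 interface=ether2
/ip address add address=9.9.9.2/32 interface=lobridge
# ECMP route to peer's loopback (two gateways, one per link)
/ip route add dst-address=9.9.9.1/32 gateway=1.1.1.1,2.2.2.1
# BGP (iBGP, same AS as Router A), session bound to the loopback.
# NOTE(review): no tcp-md5-key is set; use the same key on both routers so
# only the intended peer can bring the session up.
# The peer path is /routing bgp peer on most RouterOS versions — confirm.
/routing bgp instance set default as=65000
/routing bgp add name=peer1 remote-address=9.9.9.1 remote-as=65000 update-source=lobridge
# a route to advertise
/routing bgp network add network=4.4.4.0/24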

Results

Check that BGP connection is established:
[admin@B] > /routing bgp peer print status Flags: X - disabled 0   name="peer1" instance=default remote-address=9.9.9.1 remote-as=65000     tcp-md5-key="" nexthop-choice=default multihop=no route-reflect=no hold-time=3m     ttl=255 in-filter="" out-filter="" address-families=ip     update-source=lobridge default-originate=no remote-id=1.1.1.1     local-address=9.9.9.2 uptime=28s prefix-count=0 updates-sent=1     updates-received=0 withdrawn-sent=0 withdrawn-received=0 remote-hold-time=3m     used-hold-time=3m used-keepalive-time=1m refresh-capability=yes     as4-capability=yes state=established 
Route table on Router A:
[admin@A] > /ip route print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit #      DST-ADDRESS        PREF-SRC        G GATEWAY                 DISTANCE INTER... 0 ADC  1.1.1.0/24         1.1.1.1                                   0        ether1 1 ADC  2.2.2.0/24         2.2.2.1                                   0        ether2 2 ADb  4.4.4.0/24                         r 9.9.9.2                 200      ether1                                                                              ether2 3 ADC  9.9.9.1/32         9.9.9.1                                   0        lobridge 4 A S  9.9.9.2/32                         r 1.1.1.2                 1        ether1                                           r 2.2.2.2                          ether2 
[admin@A] > /ip route print detail Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 0 ADC  dst-address=1.1.1.0/24 pref-src=1.1.1.1 interface=ether1 distance=0 scope=10  1 ADC  dst-address=2.2.2.0/24 pref-src=2.2.2.1 interface=ether2 distance=0 scope=10  2 ADb  dst-address=4.4.4.0/24 gateway=9.9.9.2 interface=ether1,ether2        gateway-state=recursive distance=200 scope=40 target-scope=30        bgp-local-pref=100 bgp-origin=igp received-from=9.9.9.2  3 ADC  dst-address=9.9.9.1/32 pref-src=9.9.9.1 interface=lobridge distance=0 scope=10  4 A S  dst-address=9.9.9.2/32 gateway=1.1.1.2,2.2.2.2 interface=ether1,ether2        gateway-state=reachable,reachable distance=1 scope=30 target-scope=10 
The route 4.4.4.0/24 is installed in Linux kernel now with two nexthops: 1.1.1.2 (on ether1) and 2.2.2.2 (on ether2).

Example with eBGP


Network Diagram

Image:ebgp_load_bal.png

Configuration

Here the example given above is further developed for eBGP case. By default, eBGP peers are required to be directly reachable. If we are using loopback interfaces, they technically are not, so multihop=yes configuration setting must be specified.
On Router A:
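# eBGP variant: Router A is AS 65000, the peer is AS 65001.
# multihop=yes because the loopback peers are not directly connected.
# (Two commands were collapsed onto one line; each must be its own line.)
/routing bgp instance set default as=65000
/routing bgp set peer1 remote-address=9.9.9.2 remote-as=65001 update-source=lobridge multihop=yes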
On Router B:
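# eBGP variant: Router B is AS 65001, the peer is AS 65000.
# multihop=yes because the loopback peers are not directly connected.
# (Two commands were collapsed onto one line; each must be its own line.)
/routing bgp instance set default as=65001
/routing bgp set peer1 remote-address=9.9.9.1 remote-as=65000 update-source=lobridge multihop=yes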

Results

If we now print the route table on Router A, we see that the route from Router B is there, but it's not active:
... 2  Db  dst-address=4.4.4.0/24 gateway=9.9.9.2 interface="" gateway-state=unreachable        distance=20 scope=40 target-scope=10 bgp-as-path="65001" bgp-origin=igp        received-from=9.9.9.2 ... 
This is because eBGP routes are installed with lesser target-scope by default. To solve this, setup routing filter that sets larger target-scope:
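# Inbound filter that raises target-scope so the recursively resolved eBGP
# route can become active, then attach it to the peer.
# (Two commands were collapsed onto one line; each must be its own line.)
/routing filter add chain=bgp-in set-target-scope=30
/routing bgp set peer1 in-filter=bgp-in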
Or else, modify scope attribute of the static route:
# Alternative to the filter: lower the static route's scope so the eBGP
# route's default target-scope=10 can resolve through it.
/ip route set [find dst-address=9.9.9.2/32] scope=10 
Either way, the route to 4.4.4.0/24 should be active now:
2 ADb  dst-address=4.4.4.0/24 gateway=9.9.9.2 interface=ether1,ether2        gateway-state=recursive distance=20 scope=40 target-scope=10        bgp-as-path="65001" bgp-origin=igp received-from=9.9.9.2 

Notes

  • BGP itself as protocol does not support ECMP routes. When a recursively resolved BGP route is propagated further in the network, only one nexthop can be selected (as described here) and included in the BGP UPDATE message.

02 January 2012

Load Balance 2 ISP -Policy Routing based on Client IP Address

Load Balance 2 ISP -Policy Routing based on Client IP Address


Waktu itu kalo g salah pernah ada di salah satu thread tapi g ada tuts-nya makanya sekarang mau nyumbang dulu....

ISP 1 : 10.0.128.13
ISP 2 : 202.6.238.253

Mari kita berandaikan jika jaringan kamu memiliki IP Address seperti ini :
Game : 192.178.40.0/26
Internet : 192.178.40.32/26
Router : 192.178.40.125/25

lalu, kita perlu menyeting mangle...
# Policy routing by source subnet: the Game /26 and the Internet /26 each
# get their own routing mark, which the /ip route entries below map to an ISP.
# (/ip fi ma is the console abbreviation of /ip firewall mangle.)
/ip fi ma add chain=prerouting src-address=192.178.40.0/26 action=mark-routing new-routing-mark=Game comment=Game
/ip fi ma add chain=prerouting src-address=192.178.40.32/26 action=mark-routing new-routing-mark=Internet comment=Internet

kemudian, menuju ke Route...
# Marked default routes: Game via ISP 1, Internet via ISP 2.
# NOTE(review): the gateway here (202.6.238.153) differs from the ISP 2
# address given above (202.6.238.253); one of the two is a typo — check
# before pasting. Current RouterOS spells this parameter routing-mark=.
/ip ro add gateway=10.0.128.13 mark=Game
/ip ro add gateway=202.6.238.153 mark=Internet

Jangan melupakan NAT Masquerade yah
# Masquerade the whole /25 (covers both the Game and the Internet /26); no
# out-interface, so it applies on whichever ISP the policy route selects.
/ip na add chain=srcnat src-address=192.178.40.0/25 action=masquerade

Silahkan di coba di komputer client "Game" apakah sudah masuk ke jalur ISP 1 dan client "Internet" apakah sudah masuk ke jalur ISP 2



Waktu itu kalo g salah pernah ada di salah satu thread tapi g ada tuts-nya makanya sekarang mau nyumbang dulu....

ISP 1 : 10.0.128.13
ISP 2 : 202.6.238.253

Mari kita berandaikan jika jaringan kamu memiliki IP Address seperti ini :
Game : 192.178.40.0/26
Internet : 192.178.40.32/26
Router : 192.178.40.125/25

lalu, kita perlu menyeting mangle...
# Policy routing by source subnet: the Game /26 and the Internet /26 each
# get their own routing mark, mapped to an ISP by the /ip route entries below.
/ip fi ma add chain=prerouting src-address=192.178.40.0/26 action=mark-routing new-routing-mark=Game comment=Game
/ip fi ma add chain=prerouting src-address=192.178.40.32/26 action=mark-routing new-routing-mark=Internet comment=Internet

kemudian, menuju ke Route...
# Marked default routes: Game via ISP 1, Internet via ISP 2.
# NOTE(review): 202.6.238.153 here vs. 202.6.238.253 stated above for ISP 2 —
# one is a typo, check before pasting. Current RouterOS uses routing-mark=.
/ip ro add gateway=10.0.128.13 mark=Game
/ip ro add gateway=202.6.238.153 mark=Internet

Jangan melupakan NAT Masquerade yah
# Masquerade the whole /25 (both /26 client subnets) on whichever ISP is used.
/ip na add chain=srcnat src-address=192.178.40.0/25 action=masquerade

Silahkan di coba di komputer client "Game" apakah sudah masuk ke jalur ISP 1 dan client "Internet" apakah sudah masuk ke jalur ISP 2
yup benar kalo untuk 1 network client oke lah...

tp gmn kalo kita punya banyak client yang berbeda networknya (dalam 1 ethernet & 1 hub), ex:

192.168.0.xxx
192.168.1.xx
dst...

gw da mslh ni, rule spt itu gw terapkan di Inet gw. gw dpt 2 koneksi, Wlan + Vsat.

Di lokal gw ada bbrp client yg berbeda network.

webserver lokal yg gw direct jg ga jalan coz di ping aja ga bs.

Begitu juga dengan Radmin. smua ga fungsi...

Ada solusi??




 Loh?? gampang!! tinggal di masquerade sama tambah rule lagi... misal gini

Network Pertama
Game : 192.178.40.0/26
Internet : 192.178.40.32/26
Router : 192.178.40.125/25


Code:
# First network: routing marks per source /26 (Game, Internet).
/ip fi ma add chain=prerouting src-address=192.178.40.0/26 action=mark-routing new-routing-mark=Game comment=Game
/ip fi ma add chain=prerouting src-address=192.178.40.32/26 action=mark-routing new-routing-mark=Internet comment=Internet

# First network: masquerade the whole /25 that holds both client subnets.
/ip na add chain=srcnat src-address=192.178.40.0/25 action=masquerade
Network Kedua
Internet : 192.168.30.0/26
Router : 192.168.30.125/25
Code:
# Second network: only an Internet subnet, reusing the Internet routing mark.
/ip fi ma add chain=prerouting src-address=192.168.30.0/26 action=mark-routing new-routing-mark=Internet comment=Internet

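# Second network: masquerade its /25 (router is 192.168.30.125/25).
# The pasted original said 192.178.30.0/25, which belongs to neither network.
/ip na add chain=srcnat src-address=192.168.30.0/25 action=masquerade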
Jadi yang penting adalah PENGETAHUAN TENTANG SUBNET jika belum tahu silahkan belajar dahulu, karena ini adalah pembagian alokasi IP pada client basis sama subnet.
TIPS MENGATASI BROWSING LEMOT PADA LOAD BALANCING

TIPS MENGATASI BROWSING LEMOT PADA LOAD BALANCING

TIPS MENGATASI BROWSING LEMOT PADA LOAD BALANCING
diterapkan pada 2 ISP berbeda Provider dan Bandwith
Speedy 1024 VS ISP X 256Kbps 1:8

konsepnya sama dengan load balancing biasa Simple Load Balancing + DNS Resolver + Secret Fiture
hanya di sini kita akali menambah satu ISP palsu untuk menyeimbangkan akses

langsung praktek ja.. biar ga bingung heheheh

1. Pake WinBox masuk ke -> IP -> Address
-> klik [+] -> isikan Address : 192.168.1.1/24
Network : 192.168.1.0
Broadcast : 192.168.1.255 -> Konfigurasi LAN ( Local)
Interface : Ether1
-> klik [+] -> isikan Address : 192.168.2.2/24
Network : 192.168.2.0
Broadcast : 192.168.2.255 -> Konfigurasi WAN 1 (Speedy)
Interface : Ether2
-> klik [+] -> isikan Address : 192.168.3.2/24
Network : 192.168.3.0
Broadcast : 192.168.3.255 -> Konfigurasi WAN 2 (ISP)
Interface : Ether3


2. Buat Mangle. Pake WinBox pilih -> New Terminal

Paste kan Kode Berikut
/ip firewall mangle [lalu enter]
# Three-way NTH round robin on new connections from ether1 (the LAN): each
# third of the connections gets lb_1, lb_2 or lb_3, then a routing mark
# (passthrough=no ends processing once the routing mark is set).
# nth=2,3,N is presumably the older three-field nth syntax; newer RouterOS
# takes nth=every,packet — confirm for your version before pasting.
add chain=prerouting in-interface="ether1" connection-state=new nth=2,3,0 action=mark-connection new-connection-mark=lb_1 passthrough=yes comment="LB Client" disabled=no
add chain=prerouting in-interface="ether1" connection-mark=lb_1 action=mark-routing new-routing-mark=route_lb_1 passthrough=no comment="" disabled=no
add chain=prerouting in-interface="ether1" connection-state=new nth=2,3,1 action=mark-connection new-connection-mark=lb_2 passthrough=yes comment="" disabled=no
add chain=prerouting in-interface="ether1" connection-mark=lb_2 action=mark-routing new-routing-mark=route_lb_2 passthrough=no comment="" disabled=no
add chain=prerouting in-interface="ether1" connection-state=new nth=2,3,2 action=mark-connection new-connection-mark=lb_3 passthrough=yes comment="" disabled=no
add chain=prerouting in-interface="ether1" connection-mark=lb_3 action=mark-routing new-routing-mark=route_lb_3 passthrough=no comment="" disabled=no

3. Buat Nat. Pake WinBox pilih -> New Terminal

Lagi Lagi Paste kan [ maklum sebagai newbie males nulis ]
/ ip firewall nat
# Masquerade on both WAN interfaces (ether3 = ISP, ether2 = Speedy).
add chain=srcnat out-interface="ether3" action=masquerade comment="" disabled=no
add chain=srcnat out-interface="ether2" action=masquerade comment="" disabled=no

4. Buat Route. Pake WinBox pilih -> New Terminal
Copy Paste Lagi Bosssss
/ ip route
# One default route per routing mark. route_lb_1 and route_lb_3 both point
# at the Speedy gateway (192.168.2.1): this is the "fake third ISP" the post
# describes, giving Speedy two of the three NTH slots. The unmarked default
# also goes via Speedy.
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 routing-mark=route_lb_1 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.3.1 scope=255 target-scope=10 routing-mark=route_lb_2 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 routing-mark=route_lb_3 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 comment="default routing connection" disabled=no

Sampai Disini Load Balancing Telah Beres...

jadi hanya Dua ISP di buat 3 Round Load Balancing + 1 Default Gateway

breAK dlu abis ini gw lanjutin... save as dlu




untuk menyempurnakan Aksi Tipu Tipu tadi.. wajib kita tambahkan settingan ini..

1. aktifkan Web Proxy

jangan tanya caranya... klo ga tau kebangeten... heheh
di sini saya contohkan dengan menggunakan port:3128 ( standar bangeeeet )

2. buat NAT Rulenya
pake winbox > ip > firewall > NAT
[+] (add)

chain : dstnat
protocol : (6) tcp
dst.port : 80
in. interface : ether1 (lan localnya)
connection mark : [!] lb_2 <--- tanda [!] di check ( artinya selain )
Routing mark :[!] route_lb_2
submenu > Action
action : redirect
to ports : 3128 ( port WebProxy )

eiiiitt.... ada yang ketinggalan..

Mencegah YM dan MIRC Diskonek saat Load Balancing
pada mangle pembuatan connection mark yang telah dibuat di Load Balancing tadi [ bukalah pakai WinBox -> Ip -> Firewall -> mangle ] pada kolom protocol tambahkan 6(TCP) dan dst port 80 ( jangan lupa aplikasikan pada ketiga mangle tersebut baik lb_1 lb_2 maupun lb_3 )
apa fungsinya ??
fungsinya semua koneksi selain HTTP (80) akan di routing menggunakan default routing connection alias satu IP Route jadi ndak bolak balik drop.

wis dijamin sip tuh.. load balancing + Web Proxynya..

01 January 2012

Load Balancing di Game Center untuk Speedy

Load Balancing di Game Center untuk Speedy



modem 1
192.168.1.1
|
|
192.168.1.2
Mikrotik Load Balancing—–192.168.0.254–hub——-Client
192.168.2.1
|
|
modem 2
192.168.2.1
Pc-Router Speknya

PIII -1Ghz-Memory 256Mhz -Hardisk 40 Gb

Interface Konfigurasi


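/ interface ethernet
# Names the three NICs; the address, route and mangle sections below refer
# to Modem1, Lan and Modem2. (Curly quotes from the blog paste replaced by
# plain double quotes so the commands parse.)
set Modem1 name="Modem1" mtu=1500 mac-address=00:10:4B:0D:95:02 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set Lan name="Lan" mtu=1500 mac-address=00:0D:88:B2:7D:50 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
# NOTE(review): the mac-address below (00:13:46:2CE:13) is not a valid
# six-octet address as pasted; use the card's real address or omit
# mac-address= from this set.
set Modem2 name="Modem2" mtu=1500 mac-address=00:13:46:2CE:13 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no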

 Ip Address Konfigurasi

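/ ip address
# LAN side on Lan, one /24 towards each modem (modem gateways are .1).
# (Curly quotes from the blog paste replaced by plain double quotes.)
add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface=Lan comment="" disabled=no
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 \
interface=Modem1 comment="" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 \
interface=Modem2 comment="" disabled=no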

Routing IP

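/ ip route
# odd-marked connections go out via modem 2, even-marked via modem 1;
# anything without a routing mark uses modem 1 as the plain default.
# (Curly quotes from the blog paste replaced by plain double quotes.)
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 \
routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 \
routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 \
comment="" disabled=no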

4. Mangle Marking Paket

/ ip firewall mangle
a. Load Balancing

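# Two-way NTH split of new connections from Lan into odd / even connection
# marks, each then converted to the matching routing mark (passthrough=no).
# nth=1,1,0 / 1,1,1 is presumably the older three-field nth syntax; newer
# RouterOS takes nth=every,packet — confirm for your version.
# (Curly quotes from the blog paste replaced by plain double quotes.)
add chain=prerouting in-interface=Lan connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes \
comment="Load Balancing" disabled=no
add chain=prerouting in-interface=Lan connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Lan connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Lan connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no comment="" disabled=no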
b. Turunin latensi ( ping ke dns )

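# b. ICMP and DNS from the LAN get their own packet mark and ToS min-delay so
# the "ICMP"/"DNS" queue-tree entries can prioritise them.
# Packets are marked directly instead of via mark-connection: a connection
# carries only one connection mark, so the former ICMP-CM/DNS-CM marks
# overwrote the odd/even load-balancing mark and took the connection out of
# its routing table. Replies (anything -> LAN) are matched separately so both
# directions still get the packet mark, as the connection mark used to give.
# These rules only see LAN traffic once the mark-routing rules above stop
# ending the chain with passthrough=no.
add chain=prerouting src-address=192.168.0.0/24 protocol=icmp \
action=mark-packet new-packet-mark=ICMP-PM passthrough=yes comment="ToS" \
disabled=no
add chain=prerouting dst-address=192.168.0.0/24 protocol=icmp \
action=mark-packet new-packet-mark=ICMP-PM passthrough=yes comment="" \
disabled=no
add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay \
comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/24 protocol=tcp dst-port=53 \
action=mark-packet new-packet-mark=DNS-PM passthrough=yes comment="" \
disabled=no
add chain=prerouting src-address=192.168.0.0/24 protocol=udp dst-port=53 \
action=mark-packet new-packet-mark=DNS-PM passthrough=yes comment="" \
disabled=no
add chain=prerouting dst-address=192.168.0.0/24 protocol=tcp src-port=53 \
action=mark-packet new-packet-mark=DNS-PM passthrough=yes comment="" \
disabled=no
add chain=prerouting dst-address=192.168.0.0/24 protocol=udp src-port=53 \
action=mark-packet new-packet-mark=DNS-PM passthrough=yes comment="" \
disabled=no
add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay \
comment="" disabled=no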
c. Tandain Services Yang mau di prioritykan

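# c. Packet marks for services to prioritise (http, irc, ym, mt). Marked
# directly on port instead of via mark-connection, so the odd/even
# load-balancing connection mark is preserved (one connection mark per
# connection). Replies are matched on src-port so both directions carry the
# mark, which the connection-mark approach used to provide. passthrough=no is
# kept from the original, so a marked packet stops here.
# None of these packet marks is referenced by a queue on this page, and these
# rules are only reached by LAN packets once the mark-routing rules above stop
# ending the chain with passthrough=no.
add chain=prerouting protocol=tcp dst-port=80 action=mark-packet \
new-packet-mark=http passthrough=no comment="Tandai Service" disabled=no
add chain=prerouting protocol=tcp src-port=80 action=mark-packet \
new-packet-mark=http passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=443 action=mark-packet \
new-packet-mark=http passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp src-port=443 action=mark-packet \
new-packet-mark=http passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6000-7000 action=mark-packet \
new-packet-mark=irc passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp src-port=6000-7000 action=mark-packet \
new-packet-mark=irc passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-packet \
new-packet-mark=ym passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp src-port=5050-5061 action=mark-packet \
new-packet-mark=ym passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8291 action=mark-packet \
new-packet-mark=mt passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp src-port=8291 action=mark-packet \
new-packet-mark=mt passthrough=no comment="" disabled=no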

d. Optimasi Proxy pada paket mark

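# d. Proxy/PCQ marks. All three rules are disabled, so the "Turun"/"Naik"
# packet marks referenced by the "downstream"/"upstream" queue-tree entries
# are never set and those queues carry no traffic until these are enabled.
# "Turun" is set in the output chain because the transparent proxy answers
# clients from the router itself. "Koneksi" is not referenced elsewhere on
# this page; being a mark-connection it would also overwrite the odd/even
# load-balancing mark if enabled.
add chain=prerouting src-address=192.168.0.0/24 action=mark-packet \
new-packet-mark=Naik passthrough=no comment="Up Traffic" disabled=yes
add chain=forward src-address=192.168.0.0/24 action=mark-connection \
new-connection-mark=Koneksi passthrough=yes comment="Conn-Mark" \
disabled=yes
add chain=output out-interface=Lan dst-address=192.168.0.0/24 \
action=mark-packet new-packet-mark=Turun passthrough=no comment="Down-Via \
Proxy" disabled=yes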

 Filter Firewall

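/ ip firewall filter
# a. penentuan proteksi router
add chain=input connection-state=invalid action=drop comment="Drop invalid \
connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow \
established connections" disabled=no
add chain=input connection-state=related action=accept comment="Allow related \
connections" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
# Only the LAN may open new connections to the router itself. The original
# "in-interface=!Modem1" + "in-interface=!Modem2" pair accepted everything
# (a packet arriving on Modem1 matches !Modem2 and vice versa), the
# "protocol=udp" accept exposed every UDP service on the router (DNS cache,
# SNMP, ...) to both WAN sides, and the trailing unconditional accept made the
# port-scanner rules further down unreachable.
add chain=input in-interface=Lan action=accept comment="Allow connection \
to router from local network" disabled=no
# RouterOS' implicit input policy is accept, so the chain still needs a final
# "add chain=input action=drop" placed after the port-scanner rules below;
# anything that must stay reachable from the WAN side (e.g. remote
# management on 8291) needs its own accept rule before that drop.
add chain=forward in-interface=Lan protocol=tcp dst-port=6112 \
connection-limit=100,32 action=reject reject-with=icmp-network-unreachable \
comment="" disabled=no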
b. penentuan proteksi dari akses gain ke router


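# b. Port-scan detection: sources that trip these patterns are put on the
# "port scanners" list for two weeks and then dropped. These rules only see
# WAN packets if no earlier input rule accepts everything (the original
# "add chain=input action=accept" above did).
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="Port \
scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="SYN/FIN \
scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="SYN/RST \
scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="NMAP NULL scan" disabled=no
# The published line had its continuation collapsed ("\ port scanners");
# restored as one two-line rule.
add chain=input src-address-list="port scanners" action=drop comment="dropping \
port scanners" disabled=no
# Default deny for the input chain (RouterOS accepts by default). Anything
# that must be reachable from the WAN side needs an accept above this line.
add chain=input action=drop comment="drop everything else" disabled=no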
c. Drop Port Aneh2

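# c. "virus" chain. Nothing on this page jumps to it (there is no
# "action=jump jump-target=virus" rule), so it is inert as published. Before
# wiring it into forward/input note that the ranges are far wider than the
# worms named in the comments: tcp 100-1000 covers HTTPS (443), POP3 (110)
# and IMAP (143), and 445-3000 / 1000-3000 / 40000-50000 overlap each other;
# enabling it as-is would break ordinary client traffic.
# The "return" was moved to the end: it used to precede the last rule, which
# could therefore never match.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop \
Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445-3000 action=drop comment="Drop \
Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445-3000 action=drop comment="Drop \
Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" \
disabled=no
add chain=virus protocol=udp dst-port=7000 action=drop comment="Setan1" \
disabled=no
add chain=virus protocol=tcp dst-port=100-1000 action=drop comment="Setan1" \
disabled=no
add chain=virus protocol=udp dst-port=100-1000 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=1000-3000 action=drop comment="Setan1" \
disabled=no
add chain=virus protocol=udp dst-port=1000-3000 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=40000-50000 action=drop comment="Setan1" \
disabled=no
add chain=virus protocol=udp dst-port=40000-50000 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=7000 action=drop comment="Setan1" \
disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=7000 action=drop comment="Setan1" \
disabled=no
add chain=virus protocol=tcp dst-port=25 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=110 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus action=return comment="" disabled=no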

 Proxy

a. Aktivasi proxy di ip web proxy

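/ ip web-proxy
# Caching proxy on port 8080. transparent-proxy=yes only takes effect together
# with a redirecting dst-nat rule, which this page does not show.
# With the input chain accepting new connections from the WAN interfaces this
# is an open proxy reachable from the Internet, so either the input filter
# must limit port 8080 to the LAN or the access list (/ip web-proxy access)
# must deny every non-LAN client.
set enabled=yes src-address=0.0.0.0 port=8080 hostname="proxy.phonix.net" \
transparent-proxy=yes parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster@phonix.net" max-object-size=4096KiB \
cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited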

max-cache-size=unlimited max-ram-cache-size=unlimited -> tergantung besar harddisk

b. memblok web disini

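/ ip web-proxy access
# Rules are matched in order, first match wins.
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
# Only LAN clients may use the proxy; everyone else is denied so the proxy
# cannot be used as an open relay from the WAN side. Keep this pair last.
add src-address=192.168.0.0/24 action=allow comment="allow LAN clients" \
disabled=no
add action=deny comment="deny everyone else" disabled=no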
c. optimasi cache isi web

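/ ip web-proxy cache
# Cache rules are matched in order, first match wins. The published list
# started with a bare "add action=allow", which matched every URL and made
# all later rules (including the cgi-bin deny) unreachable; it was removed
# and the deny moved above the catch-all allow so dynamic pages are really
# skipped.
add url="http*youtube*get_video*" action=allow comment="YouTube" disabled=no
add url="http*friendster.com" action=allow comment="Friendster" disabled=no
add url="http*pu.go.id" action=allow comment="PU" disabled=no
add url="http*detik*com" action=allow comment="Detik" disabled=no
add url="http*domai.com" action=allow comment="Domai" disabled=no
add url="http*nigmae.net" action=allow comment="Nigmae" disabled=no
add url="http*kompas.com" action=allow comment="Kompas" disabled=no
add url="http*lalatx.com" action=allow comment="Lalatx" disabled=no
add url="http*yahoo.com" action=allow comment="Yahoo" disabled=no
add url="http*kapanlagi.com" action=allow comment="Kapanlagi" disabled=no
add url="http*plasa.com" action=allow comment="Plasa" disabled=no
add url="http*kaskus.us" action=allow comment="Kaskus" disabled=no
add url="http*avaxhome*org" action=allow comment="Avaxhome" disabled=no
add url="www.worth1000.com" action=allow comment="Worth1000" disabled=no
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
disabled=no
add action=allow comment="Allow sado alahe" disabled=no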

 Queue type


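/ queue type
# Built-in queue kinds at their stock settings: pfifo(50) for wired/default,
# sfq for wireless and hotspot, red for synchronous links.
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 \
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514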
a. pcq konsep

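# a. PCQ: one sub-queue per client address (dst for download, src for
# upload), no per-client rate cap (pcq-rate=0), 50 packets per sub-queue and
# 2000 packets in total. Used by the "downstream"/"upstream" queue-tree entries.
add name="pcq-download" kind=pcq pcq-rate=0 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq-upload" kind=pcq pcq-rate=0 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000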
b. limit bw untuk icmp

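# b. Small FIFOs: "PFIFO-64" is used by the ICMP/DNS priority queues in
# /queue tree; "default-small" is not referenced elsewhere on this page.
add name="PFIFO-64" kind=pfifo pfifo-limit=64
add name="default-small" kind=pfifo pfifo-limit=10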

 queue simple untuk bagi bw /pc

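/ queue simple
# Per-PC bandwidth split. "Phonix.Net" is the parent for the whole LAN:
# download (second value) capped at 768 kbit/s, upload (first value)
# unlimited. Each child 01..25 is one client 192.168.0.N with 16 kbit/s
# guaranteed and 96 kbit/s maximum download. "packet-marks=""" on 18, 22 and
# 25 is the default and has no effect.
add name="Phonix.Net" dst-address=192.168.0.0/24 interface=Lan parent=none \
priority=1 queue=ethernet-default/ethernet-default limit-at=0/768000 \
max-limit=0/768000 total-queue=default disabled=no
add name="01" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="02" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="03" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="04" target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="05" target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="06" target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="07" target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="08" target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="09" target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="10" target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="11" target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="12" target-addresses=192.168.0.12/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="13" target-addresses=192.168.0.13/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="14" target-addresses=192.168.0.14/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
# NOTE(review): entry 15 has an upload max-limit of 8 bit/s while every
# other client uses 0 (unlimited); this looks like a typo for 0 — confirm
# before importing, as 8 bit/s effectively blocks that client's upload.
add name="15" target-addresses=192.168.0.15/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8/96000 \
total-queue=default disabled=no
add name="16" target-addresses=192.168.0.16/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="17" target-addresses=192.168.0.17/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="18" target-addresses=192.168.0.18/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net packet-marks="" priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="19" target-addresses=192.168.0.19/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="20" target-addresses=192.168.0.20/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="21" target-addresses=192.168.0.21/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="22" target-addresses=192.168.0.22/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net packet-marks="" priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="23" target-addresses=192.168.0.23/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="24" target-addresses=192.168.0.24/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no
add name="25" target-addresses=192.168.0.25/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Phonix.Net packet-marks="" priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=0/96000 \
total-queue=default disabled=no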


 queue tree

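/ queue tree
# a. pcq
# Per-client fair sharing via PCQ. Both entries match the "Turun"/"Naik"
# packet marks, which are only set by the proxy-optimisation mangle rules
# that are disabled on this page; until those are enabled these queues see
# no traffic. "downstream" hangs off the Lan interface (egress to clients),
# "upstream" off global-in (ingress on every interface).
add name="downstream" parent=Lan packet-mark=Turun limit-at=0 \
queue=pcq-download priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="upstream" parent=global-in packet-mark=Naik limit-at=0 \
queue=pcq-upload priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no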
b. bw over untuk icmp / latensi

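# b. Priority queues for the ICMP-PM / DNS-PM packet marks on global-in:
# 8000 bit/s guaranteed, 16000 bit/s cap, highest priority, small FIFO so
# latency-sensitive packets are not held behind bulk traffic. They only carry
# traffic once the mangle rules that set those marks are actually reached for
# LAN packets (see the passthrough note on the mark-routing rules).
add name="ICMP" parent=global-in packet-mark=ICMP-PM limit-at=8000 \
queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="DNS" parent=global-in packet-mark=DNS-PM limit-at=8000 \
queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no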

Regards
kalau ada tambahan makin bagus. hehehe. ini sample aja