Please .... !!!!

To get a high throughput value, we recommend that all clients use grid antennas. We very, very strongly recommend using a GRID antenna. Use an antenna like this:

http://www.mikrotik.com

ENJOY ... SHARE

LAZUARDY NETWORK

Best Connection

http://www.mikrotik.com

Mikrotik Load Balancing

/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="" \
disabled=no
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 \
comment="" disabled=no
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1 \
comment="" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535 comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 distance=2

Failover script via netwatch

/ tool netwatch
add host=125.163.xx.xx timeout=100ms interval=15s up-script="/ip route enable [/ip route find comment=\"GATEWAY-DSL\"]" down-script="/ip route disable [/ip route find comment=\"GATEWAY-DSL\"]" comment="Ping Gateway IIX >> jika koneksi wireless putus script jalan >> " disabled=no

Upstream priority so that browsing stays fast

/ ip firewall mangle
add chain=postrouting out-interface=MAIN-LB protocol=tcp tcp-flags=syn \
connection-state=new packet-size=40-100 action=mark-connection \
new-connection-mark=upstream_conn passthrough=yes comment="Testing TCP \
Flags" disabled=no
add chain=postrouting out-interface=MAIN-LB protocol=tcp tcp-flags=rst \
connection-state=new packet-size=40-100 action=mark-connection \
new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting out-interface=MAIN-LB protocol=tcp tcp-flags=ack \
connection-state=new packet-size=40-100 action=mark-connection \
new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting out-interface=MAIN-LB protocol=tcp tcp-flags=fin \
connection-state=new packet-size=40-100 action=mark-connection \
new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting out-interface=MAIN-LB protocol=tcp tcp-flags=syn \
connection-state=established packet-size=40-100 action=mark-connection \
new-connection-mark=upstream_conn passthrough=yes comment="" disabled=no
add chain=postrouting protocol=tcp connection-mark=upstream_conn \
action=mark-packet new-packet-mark=upstream_ack passthrough=no comment="" \
disabled=no


Bogon address list (historical: most of the /8 blocks below have since been allocated by IANA, so an unmaintained copy of this list will block legitimate traffic; check a currently maintained bogon list before using it)

/ ip firewall address-list
add list=bogons address=1.0.0.0/8 comment="" disabled=no
add list=bogons address=2.0.0.0/8 comment="" disabled=no
add list=bogons address=5.0.0.0/8 comment="" disabled=no
add list=bogons address=10.0.0.0/8 comment="" disabled=no
add list=bogons address=23.0.0.0/8 comment="" disabled=no
add list=bogons address=27.0.0.0/8 comment="" disabled=no
add list=bogons address=31.0.0.0/8 comment="" disabled=no
add list=bogons address=36.0.0.0/8 comment="" disabled=no
add list=bogons address=37.0.0.0/8 comment="" disabled=no
add list=bogons address=39.0.0.0/8 comment="" disabled=no
add list=bogons address=42.0.0.0/8 comment="" disabled=no
add list=bogons address=46.0.0.0/8 comment="" disabled=no
add list=bogons address=49.0.0.0/8 comment="" disabled=no
add list=bogons address=50.0.0.0/8 comment="" disabled=no
add list=bogons address=100.0.0.0/8 comment="" disabled=no
add list=bogons address=101.0.0.0/8 comment="" disabled=no
add list=bogons address=102.0.0.0/8 comment="" disabled=no
add list=bogons address=103.0.0.0/8 comment="" disabled=no
add list=bogons address=104.0.0.0/8 comment="" disabled=no
add list=bogons address=105.0.0.0/8 comment="" disabled=no
add list=bogons address=106.0.0.0/8 comment="" disabled=no
add list=bogons address=107.0.0.0/8 comment="" disabled=no
add list=bogons address=108.0.0.0/8 comment="" disabled=no
add list=bogons address=109.0.0.0/8 comment="" disabled=no
add list=bogons address=110.0.0.0/8 comment="" disabled=no
add list=bogons address=111.0.0.0/8 comment="" disabled=no
add list=bogons address=112.0.0.0/8 comment="" disabled=no
add list=bogons address=113.0.0.0/8 comment="" disabled=no
add list=bogons address=169.254.0.0/16 comment="" disabled=no
add list=bogons address=172.16.0.0/12 comment="" disabled=no
add list=bogons address=173.0.0.0/8 comment="" disabled=no
add list=bogons address=174.0.0.0/8 comment="" disabled=no
add list=bogons address=175.0.0.0/8 comment="" disabled=no
add list=bogons address=176.0.0.0/8 comment="" disabled=no
add list=bogons address=177.0.0.0/8 comment="" disabled=no
add list=bogons address=178.0.0.0/8 comment="" disabled=no
add list=bogons address=180.0.0.0/8 comment="" disabled=no
add list=bogons address=181.0.0.0/8 comment="" disabled=no
add list=bogons address=182.0.0.0/8 comment="" disabled=no
add list=bogons address=183.0.0.0/8 comment="" disabled=no
add list=bogons address=184.0.0.0/8 comment="" disabled=no
add list=bogons address=185.0.0.0/8 comment="" disabled=no
add list=bogons address=192.0.2.0/24 comment="" disabled=no
add list=bogons address=197.0.0.0/8 comment="" disabled=no
add list=bogons address=198.18.0.0/15 comment="" disabled=no
add list=bogons address=223.0.0.0/8 comment="" disabled=no

How to prevent NATed access

As the title says, the point of this case is that the service provider does not want the bandwidth given to a user to be shared further through a NAT router.

This was new to me: by setting TTL=1? Hmm, very strange.

Googling turned up the following information from Wikipedia:

The TTL field is set by the sender of the datagram, and reduced by every host on the route to its destination. If the TTL field reaches zero before the datagram arrives at its destination, then the datagram is discarded and an ICMP error datagram (11 - Time Exceeded) is sent back to the sender.

So that it does not get lost with time, I am copying it to the site.

Taken from http://forum.mikrotik.com/viewtopic.php?f=9&t=19484

/ip firewall mangle
add action=change-ttl dst-address=192.168.1.0/24 \
chain=forward new-ttl=set:1

What the command line above means is that packets passing through the Mikrotik router are made valid for only one more hop toward the client, which means valid for only one PC, because as soon as the packet enters that PC the TTL is decremented by 1 and becomes 0.

Don't forget that the firewall rule must be placed at the right position; if it is not, this rule will never be matched.
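The mechanism above, as an added example that is not from the original post: a small model of the change-ttl rule followed by the hops the packet still has to cross. The 192.168.1.0/24 client subnet comes from the rule; the hop names and packet are constructed for the example.

```python
# Added example (not from the original post): what the change-ttl rule does
# to a packet on its way to the client, and why a NAT router behind the
# client breaks the flow while a directly connected PC is unaffected.
import ipaddress

CLIENT_NET = ipaddress.ip_network("192.168.1.0/24")   # dst-address of the rule

def mangle_forward(packet):
    """The router's forward-chain mangle: new-ttl=set:1 for the client subnet."""
    if ipaddress.ip_address(packet["dst"]) in CLIENT_NET:
        packet = dict(packet, ttl=1)
    return packet

def traverse(packet, hops):
    """Push the packet through the hops after it leaves the Mikrotik.

    Each hop is ("router", name) or ("host", name).  A router decrements
    the TTL before forwarding and, if it hits 0, discards the packet and
    answers with ICMP type 11 code 0 (Time Exceeded).  The destination host
    accepts any packet that reaches it with TTL >= 1; it does not decrement.
    """
    ttl = packet["ttl"]
    for kind, name in hops:
        if kind == "host":
            return {"result": "delivered", "at": name, "ttl": ttl}
        ttl -= 1
        if ttl == 0:
            return {"result": "dropped", "at": name, "icmp": (11, 0)}
    return {"result": "lost", "ttl": ttl}

# Constructed packet from the internet toward a client address.
PKT = {"dst": "192.168.1.10", "ttl": 52}

def direct_client():
    """Client PC connected straight to the provider's network."""
    return traverse(mangle_forward(PKT), [("host", "pc")])

def client_behind_nat():
    """Client put a NAT router (hypothetical 'home-nat') in front of the PC."""
    return traverse(mangle_forward(PKT), [("router", "home-nat"), ("host", "pc")])

def other_subnet():
    """A subnet the rule does not match keeps its original TTL."""
    return traverse(mangle_forward({"dst": "192.168.2.10", "ttl": 52}),
                    [("router", "home-nat"), ("host", "pc")])

if __name__ == "__main__":
    print(direct_client())       # delivered at pc with ttl 1
    print(client_behind_nat())   # dropped at home-nat, ICMP 11:0 sent back
    print(other_subnet())        # delivered at pc with ttl 51
```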

Drop flooding

/ip firewall filter add chain=syn-flood action=return tcp-flags=syn,!fin,!rst,!ack protocol=tcp limit=5,10
/ip firewall filter add chain=syn-flood action=return protocol=!tcp disabled=yes
/ip firewall filter add chain=syn-flood action=return tcp-flags=!syn,!fin,!rst,!ack protocol=tcp disabled=yes
/ip firewall filter add chain=syn-flood action=log log-prefix="SYN FLOOD:"
/ip firewall filter add chain=syn-flood action=drop disabled=yes

Burst for each TCP connection

This is a little how-to on creating a manual burst using the queue tree.
Since this is bandwidth control with the queue tree, first we need to mangle the traffic:
first I mark all connections, then I mark the first 2Mbytes of each, then I mark the rest of the packets.

/ip firewall mangle add chain=forward protocol=tcp action=mark-connection new-connection-mark=new_conn passthrough=yes comment="mark all new connections" disabled=no
/ip firewall mangle add chain=forward protocol=tcp connection-mark=new_conn connection-bytes=0-2000000 action=mark-packet new-packet-mark=new_packet passthrough=no comment="mark packets" disabled=no
/ip firewall mangle add chain=forward protocol=tcp connection-mark=new_conn action=mark-packet new-packet-mark=old_packets passthrough=no comment="marking old packets" disabled=no


Now that the packets have been marked, I need queue types that let me limit traffic on a per-user basis, so I have to create two queue types.


/queue type add name="PCQ_Upload" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000
/queue type add name="PCQ_Download" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000


Now I have to limit all the rates using the queue tree. I will do it so that the first 2Mbits (as in the mangle rules) get higher priority than the rest of the traffic, where the connection bytes exceed 2Mbits.

I assume that the available connection is 5Mbits full-duplex.

/queue tree add name="Main_Upload" parent=Public packet-mark="" limit-at=0 queue=default priority=8 max-limit=5000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/queue tree add name="Up First 2Mbyte" parent=Main_Upload packet-mark=new_packet limit-at=4000000 queue=PCQ_Upload priority=1 max-limit=5000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/queue tree add name="Up Rest Mbytes" parent=Main_Upload packet-mark=old_packets limit-at=1000000 queue=PCQ_Upload priority=8 max-limit=5000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/queue tree add name="Main_Download" parent=Local packet-mark="" limit-at=0 queue=default priority=8 max-limit=5000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/queue tree add name="Down First 2Mbyte" parent=Main_Download packet-mark=new_packet limit-at=4000000 queue=PCQ_Download priority=1 max-limit=5000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
/queue tree add name="Down Rest Mbytes" parent=Main_Download packet-mark=old_packets limit-at=1000000 queue=PCQ_Download priority=8 max-limit=5000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

Source: forum.mikrotik.com

Block traceroute

Block traceroute like this, boss:

/ip firewall filter add chain=forward protocol=icmp icmp-options=11:0 action=drop comment="Drop Traceroute"
/ip firewall filter add chain=forward protocol=icmp icmp-options=3:3 action=drop comment="Drop Traceroute"

Limit ping: some clients flood the traffic with pointless pings, so here is how to limit ping:

/ip firewall filter add chain=input action=accept protocol=icmp limit=50/5s,2

Share the connection equally

/ip firewall mangle add chain=forward src-address=172.16.0.0/12 \
action=mark-connection new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet \
new-packet-mark=users chain=forward

/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address

/queue tree add name=Download parent=Lan max-limit=2048000
/queue tree add parent=Download queue=pcq-download packet-mark=users

/queue tree add name=Upload parent=Public max-limit=1024000
/queue tree add parent=Upload queue=pcq-upload packet-mark=users

/queue tree add parent=Lan queue=pcq-download packet-mark=users
/queue tree add parent=Public queue=pcq-upload packet-mark=users

Drop port scanners on Mikrotik

/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w \
comment="Port scanners to list " disabled=no

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="NMAP FIN Stealth scan"

add chain=input protocol=tcp tcp-flags=fin,syn \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="SYN/FIN scan"

add chain=input protocol=tcp tcp-flags=syn,rst \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="SYN/RST scan"

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="FIN/PSH/URG scan"

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="ALL/ALL scan"

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="NMAP NULL scan"

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Mikrotik Router Protection

/ip firewall filter
add chain=input connection-state=invalid action=drop \
comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
comment="Allow Established connections"
add chain=input protocol=icmp action=accept \
comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
in-interface=!ether1
add chain=input action=drop comment="Drop everything else"

/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
comment="allow already established connections"
add chain=forward connection-state=related action=accept \
comment="allow related connections"

add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

add chain=tcp protocol=tcp dst-port=69 action=drop \
comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop \
comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop \
comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop \
comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop \
comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"


add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

Burst queue

Notes:
(N = x * y / z)

N = burst length (interval / duration)
x = burst-threshold
y = burst-time
z = burst-limit


Steps:
1. Estimate the average time needed to load a page; in this example I just guess = 8 seconds

2. Set max-limit; I give it = 256k

3. Set N = 8 seconds

4. Set y = 20 seconds

5. Set z = 1M (the bandwidth for loading a page; with 1M I think it is already fairly fast)

6. Now we calculate the burst-threshold:
N = ( x * y ) / z
8 = ( x * 20 ) / 1000

x = 400k, so burst-threshold is set to 400k

The resulting values:
N = 8
x = 400k
y = 10
z = 1000k (1M)

Explanation:
With the values above, during seconds "0 - 8" the client will use 1M of bandwidth (burst-limit active); after that it drops to 256k (burst-limit no longer allowed), and then at second 20 the burst-limit is activated again...
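The calculation from the steps above, as an added example that is not from the original post: it solves N = x * y / z for the burst-threshold with the page's numbers (max-limit 256k, N = 8 s, y = 20 s, z = 1M) and then simulates, slice by slice, when RouterOS actually applies burst-limit. It assumes the documented RouterOS burst behaviour, in which burst-time is split into 16 slices and the average rate over the last 16 slices is compared with burst-threshold; the client demand is constructed.

```python
# Added example (not from the original post): burst-threshold from the
# page's formula, plus a simulation of the RouterOS burst decision.
# Rates are in kbit/s, times in seconds.  Assumes the documented behaviour:
# burst-time is divided into 16 slices, and burst-limit is allowed only while
# the average rate of the last 16 slices is below burst-threshold.

MAX_LIMIT = 256        # step 2: max-limit
N = 8                  # step 3: wanted burst length
BURST_TIME = 20        # step 4: y
BURST_LIMIT = 1000     # step 5: z (1M)

def burst_threshold(n, burst_time, burst_limit):
    """Solve N = x * y / z for x (step 6 of the page)."""
    return n * burst_limit / burst_time

def simulate(max_limit, burst_limit, threshold, burst_time, demand, duration):
    """Per-slice (start_time, allowed_rate) for a client that always wants `demand` kbit/s."""
    slice_len = burst_time / 16
    history = [0] * 16                 # measured rate of the last 16 slices
    timeline = []
    for i in range(int(duration / slice_len)):
        avg = sum(history) / 16
        allowed = burst_limit if avg < threshold else max_limit
        rate = min(demand, allowed)    # what the client actually moves this slice
        timeline.append((i * slice_len, rate))
        history = history[1:] + [rate] # slide the 16-slice window
    return timeline

def worked_example():
    """Compare the formula's N with the burst length the simulation produces."""
    x = burst_threshold(N, BURST_TIME, BURST_LIMIT)            # 400 -> 400k
    tl = simulate(MAX_LIMIT, BURST_LIMIT, x, BURST_TIME, demand=10_000, duration=40)
    throttled = [t for t, r in tl if r < BURST_LIMIT]
    bursting = [t for t, r in tl if r == BURST_LIMIT]
    burst_ends = throttled[0]                                   # first slice at max-limit
    burst_back = min(t for t in bursting if t > burst_ends)     # burst allowed again
    return {"threshold": x,
            "formula_N": x * BURST_TIME / BURST_LIMIT,
            "burst_ends_at": burst_ends,
            "burst_back_at": burst_back}

if __name__ == "__main__":
    print(worked_example())
```

Because the average is taken over 16 discrete slices of 1.25 s, the simulated burst runs slightly longer than the 8 s the formula predicts and only returns once enough full-rate slices have left the window, which is why the formula is an approximation rather than an exact timer.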