mikrotik warnet

Konfigurasi Warnet Spedy pakai MIkx+LinuxProx Konfigurasi ini menggunakan modem 4 port Dlink dan settingnya seperti berikut :

192.168.1.1

|modem —–192.168.1.3 Proxy -> GW ke Modem yaitu 192.168.1.1

||MIkrotik 192.168.1.2 Mikrotik –>> GW ke Modem Yaitu 192.168.1.1

|192.168.0.254 —HUb —-LANManagement BW

1. Konfig Mikrotinya :

/ ip pooladd name=”dhcp_pool1″ ranges=192.168.0.1-192.168.0.30/ ip dnsset primary-dns=203.130.193.74 secondary-dns=202.134.0.155 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w/ ip addressadd address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255interface=Public comment=”” disabled=no

add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255interface=Lan comment=”” disabled=no

/ ip proxyset enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000maximal-server-connectons=1000/ ip routeadd dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 comment=””disabled=no/ ip firewall mangleadd chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes comment=”” disabled=noadd chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=http_conn passthrough=yes comment=”” disabled=noadd chain=prerouting protocol=tcp dst-port=3128 action=mark-connection new-connection-mark=http_conn passthrough=yes comment=”” disabled=noadd chain=prerouting protocol=tcp dst-port=8080 action=mark-connection new-connection-mark=http_conn passthrough=yes comment=”” disabled=no

add chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes comment=”” disabled=noadd chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes comment=”” disabled=noadd chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection new-connection-mark=ym_conn passthrough=yes comment=”” disabled=noadd chain=prerouting protocol=udp dst-port=27015 action=mark-connection new-connection-mark=cs_conn passthrough=yes

comment=”” disabled=noadd chain=prerouting protocol=tcp dst-port=6000-7000 action=mark-connection new-connection-mark=irc_conn passthrough=yes \comment=”” disabled=noadd chain=prerouting protocol=tcp dst-port=8291 action=mark-connection new-connection-mark=mt_conn passthrough=yes \comment=”” disabled=noadd chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email_conn passthrough=yes \comment=”” disabled=noadd chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email_conn passthrough=yes \comment=”” disabled=noadd chain=prerouting protocol=tcp dst-port=22 action=mark-connection new-connection-

mark=ssh_conn passthrough=yes \

comment=”” disabled=no

add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-

mark=http passthrough=no comment=”” \

disabled=no

add chain=prerouting connection-mark=dns_conn action=mark-packet new-packet-

mark=dns passthrough=no comment=”” disabled=no

add chain=prerouting connection-mark=ym_conn action=mark-packet new-packet-

mark=ym passthrough=no comment=”” disabled=no

add chain=prerouting connection-mark=cs_conn action=mark-packet new-packet-

mark=cs passthrough=no comment=”” disabled=no

add chain=prerouting connection-mark=irc_conn action=mark-packet new-packet-

mark=irc passthrough=no comment=”” disabled=no

add chain=prerouting connection-mark=mt_conn action=mark-packet new-packet-

mark=mt passthrough=no comment=”” disabled=no

add chain=prerouting connection-mark=email_conn action=mark-packet new-packet-

mark=email passthrough=no comment=”” \

disabled=no

add chain=prerouting connection-mark=ssh_conn action=mark-packet new-packet-

mark=ssh passthrough=no comment=”” disabled=no

add chain=prerouting src-address=192.168.0.0/24 action=mark-packet new-packet-

mark=test-up passthrough=no comment=”UP \

TRAFFIC” disabled=no

add chain=forward src-address=192.168.1.0/29 action=mark-connection new-connection-

mark=test-conn passthrough=yes \ comment=”CONN-MARK” disabled=no add chain=forward in-interface=Public connection-mark=test-conn action=mark-packet

new-packet-mark=test-down \

passthrough=no comment=” DOWN-DIRECT CONNECTION” disabled=no

add chain=forward in-interface=Public src-address=192.168.1.0/24 action=mark-

connection new-connection-mark=test-conn \

passthrough=yes comment=”” disabled=no

add chain=output out-interface=Lan dst-address=192.168.0.0/24 action=mark-packet

new-packet-mark=test-down passthrough=no \

comment=”DOWN- VIA PROXY” disabled=no

/ ip firewall nat

add chain=srcnat out-interface=Public action=masquerade comment=”” disabled=no

add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.3 to-

ports=8080 comment=”” disabled=no





add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080 comment=””

disabled=yes


disabled=yes


disabled=yes

/ ip firewall connection tracking

set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-

timeout=1d tcp-fin-wait-timeout=10s \ tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp- close-timeout=10s udp-timeout=10s \

udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no

/ ip firewall filter

add chain=input connection-state=invalid action=drop comment=”Drop invalid

connections” disabled=no

add chain=input connection-state=established action=accept comment=”Allow

esatblished connections” disabled=no

add chain=input connection-state=related action=accept comment=”Allow related


add chain=input protocol=udp action=accept comment=”Allow UDP” disabled=no

add chain=input protocol=icmp action=accept comment=”Allow ICMP” disabled=no

add chain=input in-interface=!Public action=accept comment=”Allow connection to

router from local network” disabled=no

add chain=input action=drop comment=”Drop everything else” disabled=no

add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-

list=knock address-list-timeout=15s \

comment=”” disabled=no

add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-

address-list address-list=safe \

address-list-timeout=15m comment=”” disabled=no

add chain=input connection-state=established action=accept comment=”accept

established connection packets” disabled=no

add chain=input connection-state=related action=accept comment=”accept related

connection packets” disabled=no

add chain=input connection-state=invalid action=drop comment=”drop invalid packets”

disabled=no

add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment=”detect and drop port

scan connections” disabled=no

add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list

action=tarpit comment=”suppress DoS attack” \

disabled=no

add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list

address-list=black_list \

address-list-timeout=1d comment=”detect DoS attack” disabled=no

add chain=input protocol=icmp action=jump jump-target=ICMP comment=”jump to

chain ICMP” disabled=no

add chain=input action=jump jump-target=services comment=”jump to chain services”

disabled=no

add chain=input dst-address-type=broadcast action=accept comment=”Allow Broadcast

Traffic” disabled=no

add chain=input action=log log-prefix=”Filter:” comment=”” disabled=no

add chain=input action=accept comment=”Allow access to router from known network”

disabled=no

add chain=input src-address=192.168.0.0/24 action=accept comment=”” disabled=no


add chain=input action=drop comment=”drop everything else” disabled=no

add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept

comment=”0:0 and limit for 5pac/s” disabled=no

add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept


add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept






add chain=ICMP protocol=icmp action=drop comment=”Drop everything else”

disabled=no

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-

list=”port scanners” \

address-list-timeout=2w comment=”Port scanners to list ” disabled=no

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-

address-list address-list=”port \

scanners” address-list-timeout=2w comment=”NMAP FIN Stealth scan” disabled=no

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-

list=”port scanners” \ address-list-timeout=2w comment=”SYN/FIN scan” disabled=no add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address- list=”port scanners” \

address-list-timeout=2w comment=”SYN/RST scan” disabled=no

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-


scanners” address-list-timeout=2w comment=”FIN/PSH/URG scan” disabled=no

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-

list address-list=”port scanners” \

address-list-timeout=2w comment=”ALL/ALL scan” disabled=no

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-


scanners” address-list-timeout=2w comment=”NMAP NULL scan” disabled=no

add chain=input src-address-list=”port scanners” action=drop comment=”dropping port

scanners” disabled=no

add chain=forward connection-state=established action=accept comment=”allow

established connections” disabled=no

add chain=forward connection-state=related action=accept comment=”allow related


add chain=forward connection-state=invalid action=drop comment=”drop invalid


add chain=virus protocol=tcp dst-port=135-139 action=drop comment=”Drop Blaster

Worm” disabled=no

add chain=virus protocol=udp dst-port=135-139 action=drop comment=”Drop

Messenger Worm” disabled=no

add chain=virus protocol=tcp dst-port=445 action=drop comment=”Drop Blaster Worm”

disabled=no

add chain=virus protocol=udp dst-port=445 action=drop comment=”Drop Blaster Worm”

disabled=no

add chain=virus protocol=tcp dst-port=593 action=drop comment=”________”

disabled=no

add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=”________”

disabled=no

add chain=virus protocol=tcp dst-port=1080 action=drop comment=”Drop MyDoom”

disabled=no

add chain=virus protocol=tcp dst-port=1214 action=drop comment=”________”

disabled=no

add chain=virus protocol=tcp dst-port=1363 action=drop comment=”ndm requester”

disabled=no

add chain=virus protocol=tcp dst-port=1364 action=drop comment=”ndm server”

disabled=no

add chain=virus protocol=tcp dst-port=1368 action=drop comment=”screen cast”

disabled=no

add chain=virus protocol=tcp dst-port=1373 action=drop comment=”hromgrafx”

disabled=no

add chain=virus protocol=tcp dst-port=1377 action=drop comment=”cichlid”

disabled=no

add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment=”Worm”

disabled=no

add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Bagle Virus”

disabled=no

add chain=virus protocol=tcp dst-port=2283 action=drop comment=”Drop Dumaru.Y”

disabled=no

add chain=virus protocol=tcp dst-port=2535 action=drop comment=”Drop Beagle”

disabled=no

add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Drop Beagle.C-K”

disabled=no

add chain=virus protocol=tcp dst-port=3127 action=drop comment=”Drop MyDoom”

disabled=no

add chain=virus protocol=tcp dst-port=3410 action=drop comment=”Drop Backdoor

OptixPro” disabled=no

add chain=virus protocol=tcp dst-port=4444 action=drop comment=”Worm” disabled=no

add chain=virus protocol=udp dst-port=4444 action=drop comment=”Worm”

disabled=no

add chain=virus protocol=tcp dst-port=5554 action=drop comment=”Drop Sasser”

disabled=no

add chain=virus protocol=tcp dst-port=8866 action=drop comment=”Drop Beagle.B”

disabled=no

add chain=virus protocol=tcp dst-port=9898 action=drop comment=”Drop Dabber.A-B”

disabled=no

add chain=virus protocol=tcp dst-port=10000 action=drop comment=”Drop Dumaru.Y”

disabled=no

add chain=virus protocol=tcp dst-port=10080 action=drop comment=”Drop MyDoom.B”

disabled=no

add chain=virus protocol=tcp dst-port=12345 action=drop comment=”Drop NetBus”

disabled=no

add chain=virus protocol=tcp dst-port=17300 action=drop comment=”Drop Kuang2″

disabled=no

add chain=virus protocol=tcp dst-port=27374 action=drop comment=”Drop SubSeven”

disabled=no

add chain=virus protocol=tcp dst-port=65506 action=drop comment=”Drop PhatBot,

Agobot, Gaobot” disabled=no

add chain=forward action=jump jump-target=virus comment=”jump to the virus chain”

disabled=no

add chain=input connection-state=invalid action=drop comment=”Drop Invalid


add chain=input connection-state=established action=accept comment=”Allow

Established connections” disabled=no

add chain=input protocol=udp action=accept comment=”Allow UDP” disabled=no

add chain=input protocol=icmp action=accept comment=”Allow ICMP” disabled=no

add chain=input src-address=192.168.0.0/24 action=accept comment=”Allow access to

router from known network” disabled=no



add chain=input action=drop comment=”Drop anything else” disabled=no

add chain=forward protocol=tcp connection-state=invalid action=drop comment=”drop

invalid connections” disabled=no

add chain=forward connection-state=established action=accept comment=”allow already


add chain=forward connection-state=related action=accept comment=”allow related


add chain=forward src-address=0.0.0.0/8 action=drop comment=”” disabled=no

add chain=forward dst-address=0.0.0.0/8 action=drop comment=”” disabled=no





add chain=forward protocol=tcp action=jump jump-target=tcp comment=”” disabled=no

add chain=forward protocol=udp action=jump jump-target=udp comment=””

disabled=no

add chain=forward protocol=icmp action=jump jump-target=icmp comment=””

disabled=no

add chain=tcp protocol=tcp dst-port=69 action=drop comment=”deny TFTP”

disabled=no

add chain=tcp protocol=tcp dst-port=111 action=drop comment=”deny RPC portmapper”

disabled=no

add chain=tcp protocol=tcp dst-port=135 action=drop comment=”deny RPC portmapper”

disabled=no

add chain=tcp protocol=tcp dst-port=137-139 action=drop comment=”deny NBT”

disabled=no

add chain=tcp protocol=tcp dst-port=445 action=drop comment=”deny cifs” disabled=no

add chain=tcp protocol=tcp dst-port=2049 action=drop comment=”deny NFS”

disabled=no

add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment=”deny NetBus”

disabled=no

add chain=tcp protocol=tcp dst-port=20034 action=drop comment=”deny NetBus”

disabled=no

add chain=tcp protocol=tcp dst-port=3133 action=drop comment=”deny BackOriffice”

disabled=no

add chain=tcp protocol=tcp dst-port=67-68 action=drop comment=”deny DHCP”

disabled=no

add chain=udp protocol=udp dst-port=69 action=drop comment=”deny TFTP”

disabled=no

add chain=udp protocol=udp dst-port=111 action=drop comment=”deny PRC

portmapper” disabled=no

add chain=udp protocol=udp dst-port=135 action=drop comment=”deny PRC

portmapper” disabled=no

add chain=udp protocol=udp dst-port=137-139 action=drop comment=”deny NBT”

disabled=no

add chain=udp protocol=udp dst-port=2049 action=drop comment=”deny NFS”

disabled=no

add chain=udp protocol=udp dst-port=3133 action=drop comment=”deny BackOriffice”

disabled=no

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment=”drop invalid


add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment=”allow



already established connections” disabled=no

add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment=”allow source

quench” disabled=no

add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment=”allow echo

request” disabled=no

add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment=”allow time

exceed” disabled=no


parameter bad” disabled=no

add chain=icmp action=drop comment=”deny all other types” disabled=no

/ ip firewall service-port

set ftp ports=21 disabled=no

set tftp ports=69 disabled=yes

set irc ports=6667 disabled=no

set h323 disabled=yes

set quake3 disabled=yes

set gre disabled=yes

set pptp disabled=yes

/ ip hotspot service-port

set ftp ports=21 disabled=no

/ ip hotspot profile

set default name=”default” hotspot-address=0.0.0.0 dns-name=”” html-directory=hotspot

rate-limit=”” http-proxy=0.0.0.0:0 \

smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-

domain=no use-radius=no

/ ip hotspot user profile

set default name=”default” idle-timeout=none keepalive-timeout=2m status-

autorefresh=1m shared-users=1 \

transparent-proxy=yes open-status-page=always advertise=no

/ ip dhcp-server

add name=”dhcp1″ interface=Lan lease-time=3d address-pool=dhcp_pool1 bootp-

support=static add-arp=yes \

authoritative=after-2sec-delay disabled=no

/ ip dhcp-server config

set store-leases-disk=5m

/ ip dhcp-server lease

add address=192.168.0.1 mac-address=00:13:D3:E4:FA:52 client-

id=”1:0:13:d3:e4:fa:52″ server=dhcp1 comment=”” disabled=no add address=192.168.0.2 mac-address=00:13:D3:FD:36:98 client- id=”1:0:13:d3:fd:36:98″ server=dhcp1 comment=”” disabled=no

add address=192.168.0.3 mac-address=00:13:D3:E4:FA:9D client-id=”1:0:13:d3:e4:fa:9d” server=dhcp1 comment=”” disabled=noadd address=192.168.0.4 mac-address=00:13:D3:FD:02:7E client-id=”1:0:13:d3:fd:2:7e”server=dhcp1 comment=”” disabled=noadd address=192.168.0.5 mac-address=00:13:D3:E4:FA:30 client-

id=”1:0:13:d3:e4:fa:30″ server=dhcp1 comment=”” disabled=no add address=192.168.0.6 mac-address=00:13:D3:FD:36:61 client-

id=”1:0:13:d3:fd:36:61″ server=dhcp1 comment=”” disabled=no

add address=192.168.0.11 mac-address=00:18:F3:43:D4:66 client-

id=”1:0:18:f3:43:d4:66″ server=dhcp1 comment=”” disabled=no

add address=192.168.0.10 mac-address=00:13:D3:FD:37:BA client-id=”1:0:13:d3:fd:37:ba” server=dhcp1 comment=”” disabled=no

add address=192.168.0.9 mac-address=00:13:D3:C9:E7:C1 client- id=”1:0:13:d3:c9:e7:c1″ server=dhcp1 comment=”” disabled=no

add address=192.168.0.8 mac-address=00:13:D3:FD:36:6A client-

id=”1:0:13:d3:fd:36:6a” server=dhcp1 comment=”” disabled=no

add address=192.168.0.7 mac-address=00:13:D3:E4:FA:2A client-

id=”1:0:13:d3:e4:fa:2a” server=dhcp1 comment=”” disabled=no

/ ip dhcp-server network

add address=192.168.0.0/24 gateway=192.168.0.254 dns-

server=192.168.0.254,202.134.0.155,203.130.193.74 comment=””

/ ip ipsec proposal

add name=”default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m

lifebytes=0 pfs-group=modp1024 disabled=no

/ ip web-proxy

set enabled=no src-address=0.0.0.0 port=3128 hostname=”proxy” transparent-proxy=no

parent-proxy=0.0.0.0:0 \ cache-administrator=”webmaster” max-object-size=4096KiB cache-drive=system max- cache-size=none \ max-ram-cache-size=unlimited

/ ip web-proxy access

add dst-port=23-25 action=deny comment=”block telnet & spam e-mail relaying”

disabled=no

/ ip web-proxy cache

add url=”:cgi-bin \\?” action=deny comment=”don’t cache dynamic http pages”

disabled=no

/ system logging

add topics=info prefix=”” action=memory disabled=no

add topics=error prefix=”” action=memory disabled=no

add topics=warning prefix=”” action=memory disabled=no

add topics=critical prefix=”” action=echo disabled=no

/ system logging action

set memory name=”memory” target=memory memory-lines=100 memory-stop-on-

full=no

set disk name=”disk” target=disk disk-lines=100 disk-stop-on-full=no

set echo name=”echo” target=echo remember=yes

set remote name=”remote” target=remote remote=0.0.0.0:514

/ system upgrade mirror

set enabled=no primary-server=0.0.0.0 secondary- server=0.0.0.0 check-interval=1d

user=””

/ system clock dst

set dst-delta=+00:00 dst-start=”jan/01/1970 00:00:00″ dst-end=”jan/01/1970 00:00:00″

/ system watchdog

set reboot-on-failure=yes watch-address=none watchdog-timer=yes no-ping-delay=5m

automatic-supout=yes auto-send-supout=no

/ system console

add port=serial0 term=”” disabled=no

set FIXME term=”linux” disabled=no


set FIXME term=”linux” disabled=no set FIXME term=”linux” disabled=no set FIXME term=”linux”

disabled=no set FIXME term=”linux” disabled=no set FIXME term=”linux” disabled=no


/ system console screen

set line-count=25

/ system identity

set name=”MikroTik”

/ system note

set show-at-login=yes note=””

/ system gps

set enabled=no set-system-time=yes

/ system lcd

set enabled=no type=24×4 port=parallel contrast=0

/ system lcd page

set time display-time=5s disabled=yes

set resources display-time=5s disabled=yes

set uptime display-time=5s disabled=yes

set packets display-time=5s disabled=yes

set bits display-time=5s disabled=yes

set version display-time=5s disabled=yes

set Public display-time=5s disabled=yes

set Lan display-time=5s disabled=yes

/ system ntp server

set enabled=no broadcast=no multicast=no manycast=yes

/ system ntp client

set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0

/ system routerboard bios

set / system health set state-after-reboot=enabled

/ port

set serial0 name=”serial0″ baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-

control=hardware

set serial1 name=”serial1″ baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-

control=hardware

/p p p p rofile

set default name=”default” use-compression=default use-vj-compression=default use- encryption=default only-one=default \

change-tcp-mss=yes comment=””

set default-encryption name=”default-encryption” use-compression=default use-vj-

compression=default use-encryption=yes \

only-one=default change-tcp-mss=yes comment=””

/ ppp aaa

set use-radius=no accounting=yes interim-update=0s

/ queue type

set default name=”default” kind=pfifo pfifo-limit=50

set ethernet-default name=”ethernet-default” kind=pfifo pfifo-limit=50

set wireless-default name=”wireless-default” kind=sfq sfq-perturb=5 sfq-allot=1514

set synchronous-default name=”synchronous-default” kind=red red-limit=60 red-min-

threshold=10 red-max-threshold=50 \ red-burst=20 red-avg-packet=1000

set hotspot-default name=”hotspot-default” kind=sfq sfq-perturb=5 sfq-allot=1514

add name=”Upload” kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-address pcq-

total-limit=2000

add name=”Download” kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address

pcq-total-limit=2000

add name=”default-small” kind=pfifo pfifo-limit=10

/ queue simple

add name=”HTTP” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all

parent=none packet-marks=http \

direction=both priority=1 queue=default/default limit-at=0/0 max-limit=0/0 total-

queue=default disabled=no

add name=”DNS” target- addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all

parent=none packet-marks=dns direction=both \

priority=1 queue=default/default limit-at=0/0 max-limit=0/0 total-queue=default

disabled=no

add name=”YMessenger” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all

parent=none packet-marks=ym \



add name=”CounterStrike” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all

parent=none packet-marks=cs \



add name=”IRC” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all

parent=none packet-marks=irc direction=both \

priority=1 queue=default/default limit-at=0/0 max-limit=0/0 total-queue=default

disabled=no

add name=”Mikrotik” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all

parent=none packet-marks=mt \



add name=”Email” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all

parent=none packet-marks=email \



add name=”Oasis” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Lan

parent=none direction=both priority=8 \

queue=ethernet-default/ethernet-default limit-at=64000/384000 max-limit=64000/384000

total-queue=default disabled=no

add name=”1″ target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 interface=Lan

parent=Oasis packet-marks=test-down \

direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 max-

limit=0/64000 \





limit=0/64000 \





limit=0/64000 \





limit=0/64000 \





limit=0/64000 \





limit=0/64000 \




direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 max- limit=0/64000 \

total-queue=default disabled=noadd name=”8″ target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 interface=Lanparent=Oasis packet-marks=test-down \direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 max-

limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \ total-queue=default disabled=no

direction=both priority=8 queue=ethernet-default/ethernet-default limit-at=0/8000 max- limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \


limit=0/64000 \ total-queue=default disabled=no




limit=0/64000 \





limit=0/64000 \





limit=0/64000 \





limit=0/64000 \





limit=0/64000 \





limit=0/64000 \





limit=0/64000 \





limit=0/64000 \





limit=0/64000 \


limit=0/64000 \


limit=0/64000 \

total-queue=default disabled=no/ queue treeadd name=”upstream” parent=global-out packet-mark=test-up limit-at=384000queue=default priority=8 max-limit=384000 \burst-limit=0 burst-threshold=0 burst-time=0s disabled=noadd name=”downstream” parent=Lan packet-mark=test-down limit-at=384000queue=Download priority=8 max-limit=384000 \burst-limit=0 burst-threshold=0 burst-time=0s disabled=no/ useradd name=”admin” group=full address=0.0.0.0/0 comment=”system default user”

disabled=no / user group

add name=”read”

policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy

add name=”write”

policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy

add name=”full”

policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web

/ user aaa

set use-radius=no accounting=yes interim-update=0s default-group=read

/ radius incoming

set accept=yes port=1700

/ driver

/ snmp

set enabled=yes contact=”admin” location=”admin”

/ snmp community

set public name=”public” address=0.0.0.0/0 read-access=yes

/ tool bandwidth-server

set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10

/ tool mac-server ping

set enabled=yes

/ tool e-mail

set server=0.0.0.0 from=”<>”

/ tool sniffer

set interface=all only-headers=no memory-limit=10 file-name=”” file-limit=10

streaming-enabled=no streaming-server=0.0.0.0 \

filter-stream=yes filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 filter-

address2=0.0.0.0/0:0-65535

/ tool graphing

set store-every=5min

/ tool graphing queue

add simple-queue=all allow-address=0.0.0.0/0 store-on-disk=yes allow-target=yes

disabled=no

/ tool graphing resource

add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no

/ tool graphing interface

add interface=all allow-address=0.0.0.0/0 store-on -disk=yes disabled=no

/ routing ospf

set router-id=0.0.0.0 distribute-default=never redistribute-connected=no redistribute-

static=no redistribute-rip=no \

redistribute-bgp=no metric-default=1 metric-connected=20 metric-static=20 metric-

rip=20 metric-bgp=20

/ routing ospf area

set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate

authentication=none prefix-list-import=”” \

prefix-list-export=”” disabled=no

/ routing bgp

set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no redistribute-connected=no

redistribute-rip=no \

redistribute-ospf=no

/ routing rip

set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-

bgp=no metric-static=1 \

metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m

garbage-timer=2m

[admin@MikroTik] >

2. Konfig LINUX PROXY a. Squid.conf http_port 8080 #icp_port 3130

icp_query_timeout 0

maximum_icp_query_timeout 5000

mcast_icp_query_timeout 2000

dead_peer_timeout 10 seconds

hierarchy_stoplist cgi-bin ? localhost acl QUERY urlpath_regex cgi-bin \? localhost

### Opsi Cache

cache_mem 6 MB

cache_swap_low 98

cache_swap_high 99

maximum_object_size 128 MB

minimum_object_size 0 KB

maximum_object_size_in_memory 32 KB

ipcache_size 10240

ipcache_low 98

ipcache_high 99

fqdncache_size 256

cache_replacement_policy heap LFUDA

memory_replacement_policy heap GDSF

### Opsi Tuning Squid

refresh_pattern -i \.(swf|png|jpg|jpeg|bmp|tiff|png|gif) 43200 90% 129600 reload-into-ims

override-lastmod

refresh_pattern -i \.(mov|mpg|mpeg|flv|avi|mp3|3gp|sis|wma) 43200 90% 129600 reload-

into-ims override-lastmod

refresh_pattern -i \.(zip|rar|ace|bz|bz2|tar|gz|exe) 43200 90% 129600 reload-into-ims

override-lastmod

refresh_pattern -i (.*html$|.*htm|.*shtml|.*aspx|.*asp) 43200 90% 1440 reload-into-ims

override-lastmod

refresh_pattern -i \.(class|css|js|gif|jpg)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(jpe|jpeg|png|bmp|tif)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(tiff|mov|avi|qt|mpeg)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(mpg|mpe|wav|au|mid)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(zip|gz|arj|lha|lzh)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(rar|tgz|tar|exe|bin)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(hqx|pdf|rtf|doc|swf)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(inc|cab|ad|txt|dll)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(asp|acgi|pl|shtml|php3|php)$ 2 20% 4320 reload-into-ims

refresh_pattern ^http://*.google.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://*korea.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://*.akamai.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://*.windowsmedia.*/.* 720 100% 4320 reload-into-ims override-

lastmod

refresh_pattern ^http://*.googlesyndication.*/.* 720 100% 4320 reload-into-ims override-

lastmod

refresh_pattern ^http://*.plasa.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://*.telkom.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://www.friendster.com/.* 720 100% 4320 reload-into-ims override-

lastmod

refresh_pattern ^http://mail.yahoo.com/.* 720 100% 4320 reload-into-ims override-

lastmod

refresh_pattern ^http://*.yahoo.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://*.yimg.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://*.gmail.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://*.detik.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern ^ftp: 43200 90% 129600 reload-into-ims override-expire

#refresh_pattern ^ftp: 1440 20% 10080

#refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern . 0 20% 4320

#refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod

### Direktori cache

#cache_dir aufs /cache 20000 16 256

cache_dir diskd /cache 7000 16 256 Q1=72 Q2=88


### Log

cache_access_log /var/log/squid/access.log

logfile_rotate 1

cache_log none

cache_store_log none

emulate_httpd_log off

log_ip_on_direct on

log_fqdn off

log_icp_queries off

### DNS server dns_nameservers 127.0.0.1

quick_abort_min 0

quick_abort_max 0

quick_abort_pct 98%

negative_ttl 15 minute

positive_dns_ttl 24 hours

negative_dns_ttl 5 minutes range_offset_limit 0 KB

### Opsi Timeout

connect_timeout 1 minute

peer_connect_timeout 5 seconds

read_timeout 30 minute

request_timeout 1 minute

#client_lifetime 10 hour

half_closed_clients off

pconn_timeout 15 second

shutdown_lifetime 15 second

### Opsi ACL

acl manager proto cache_object

acl all src 0.0.0.0/0.0.0.0

acl client src 192.168.5.0/29

acl tidakbebasdownload time 08:00-22:00

acl porn url_regex -i /usr/local/squid/etc/bokep.txt time 08:00-22:00

acl noporn url_regex -i /usr/local/squid/etc/nobokep.txt time 08:00-22:00

acl file_terlarang url_regex -i hot_indonesia.exe

acl file_terlarang url_regex -i hotsurprise_id.exe

acl file_terlarang url_regex -i best-mp3-download.exe

acl file_terlarang url_regex -i R32.exe

acl file_terlarang url_regex -i rb32.exe

acl file_terlarang url_regex -i mp3.exe

acl file_terlarang url_regex -i HOTSEX.exe

acl file_terlarang url_regex -i Browser_Plugin.exe

acl file_terlarang url_regex -i DDialer.exe

acl file_terlarang url_regex -i od-teen

acl file_terlarang url_regex -i URLDownload.exe

acl file_terlarang url_regex -i od-stnd67.exe

acl file_terlarang url_regex -i Download_Plugin.exe

acl file_terlarang url_regex -i od-teen52.exe

acl file_terlarang url_regex -i malaysex

acl file_terlarang url_regex -i edita.html

acl file_terlarang url_regex -i info.exe

acl file_terlarang url_regex -i run.exe

acl file_terlarang url_regex -i Lovers2Go

acl file_terlarang url_regex -i GlobalDialer

acl file_terlarang url_regex -i WebDialer

acl file_terlarang url_regex -i britneynude

acl file_terlarang url_regex -i download.exe

acl file_terlarang url_regex -i backup.exe

acl file_terlarang url_regex -i GnoOS2003

acl file_terlarang url_regex -i wintrim.exe

acl file_terlarang url_regex -i MPREXE.EXE

acl file_terlarang url_regex -i exengd.EXE

acl file_terlarang url_regex -i xxxvideo.exe

acl file_terlarang url_regex -i Save.exe

acl file_terlarang url_regex -i ATLBROWSER.DLL

acl file_terlarang url_regex -i NawaL_rm

acl file_terlarang url_regex -i Socks32.dll

acl file_terlarang url_regex -i Sc32Lnch.exe

acl file_terlarang url_regex -i dat0.exe

acl IIX dst_as 7713 4622 4795 7597 4787 4795 4800

acl block url_regex -i

\.(aiff|asf|avi|dif|divx|mov|movie|mp3|mpe?g?|mpv2|ogg|ra?m|snd|qt|wav|wmf|wmv)$

acl local-domain dstdomain localhost

acl Bad_ports port 7 9 11 19 22 23 25 53 110 119 513 514

acl Safe_ports port 21 70 80 210 443 488 563 591 777 1025-65535

acl Virus urlpath_regex winnt/system32/cmd.exe?

acl connect method CONNECT

acl post method POST

acl ssl method CONNECT

acl purge method PURGE

acl IpAddrProbeUA browser ^Mozilla/4.0.$compatible;.MSIE.5.5;.Windows.98$$

acl IpAddrProbeURL url_regex //[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$

no_cache deny QUERY manager

http_access allow manager IIX Safe_ports

http_access allow client

http_access deny porn !noporn

http_access deny Bad_ports Virus IpAddrProbeUA IpAddrProbeURL

http_access deny file_terlarang

http_access deny all

### Paramater Administratifcache_mgr [email protected]_effective_user squidcache_effective_group squidvisible_hostname proxy.primadona.war.net.id

### Opsi Akselerator memory_pools off forwarded_for on

log_icp_queries off

icp_hit_stale on

minimum_direct_hops 4

minimum_direct_rtt 400

store_avg_object_size 13 KB

store_objects_per_bucket 20

client_db on

netdb_low 9900

netdb_high 10000

netdb_ping_period 30 seconds

query_icmp off

pipeline_prefetch on

reload_into_ims on


vary_ignore_expire on

max_open_disk_fds 100

nonhierarchical_direct on

prefer_direct off

### Pendukung Transparan Proxy

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

### Membatasi Besar File untuk download reply_body_max_size 3512000 allow client block tidakbebasdownload

### SNMP

#snmp_port 3401

#acl snmppublic snmp_community public

#snmp_access allow all

header_access User-Agent deny all

header_replace User-Agent Mozilla/5.0 (compatible; MSIE 6.0)

header_access Accept deny all

header_replace Accept */*

header_access Accept-Language deny all

header_replace Accept-Language id, en

http_port 8080 #icp_port 3130

icp_query_timeout 0

maximum_icp_query_timeout 5000

mcast_icp_query_timeout 2000

dead_peer_timeout 10 seconds

hierarchy_stoplist cgi-bin ? localhost acl QUERY urlpath_regex cgi-bin \? localhost

### Opsi Cache

cache_mem 6 MB

cache_swap_low 98

cache_swap_high 99

maximum_object_size 128 MB

minimum_object_size 0 KB

maximum_object_size_in_memory 32 KB

ipcache_size 10240

ipcache_low 98

ipcache_high 99

fqdncache_size 256

cache_replacement_policy heap LFUDA

memory_replacement_policy heap GDSF

### Opsi Tuning Squid

refresh_pattern -i \.(swf|png|jpg|jpeg|bmp|tiff|png|gif) 43200 90% 129600 reload-into-ims

override-lastmod

refresh_pattern -i \.(mov|mpg|mpeg|flv|avi|mp3|3gp|sis|wma) 43200 90% 129600 reload-

into-ims override-lastmod

refresh_pattern -i \.(zip|rar|ace|bz|bz2|tar|gz|exe) 43200 90% 129600 reload-into-ims

override-lastmod

refresh_pattern -i (.*html$|.*htm|.*shtml|.*aspx|.*asp) 43200 90% 1440 reload-into-ims

override-lastmod

refresh_pattern -i \.(class|css|js|gif|jpg)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(jpe|jpeg|png|bmp|tif)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(tiff|mov|avi|qt|mpeg)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(mpg|mpe|wav|au|mid)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(zip|gz|arj|lha|lzh)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(rar|tgz|tar|exe|bin)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(hqx|pdf|rtf|doc|swf)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(inc|cab|ad|txt|dll)$ 10080 100% 43200 override-expire

refresh_pattern -i \.(asp|acgi|pl|shtml|php3|php)$ 2 20% 4320 reload-into-ims

refresh_pattern ^http://*.google.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://*korea.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://*.akamai.*/.* 720 100% 4320 reload-into-ims override-lastmod

refresh_pattern ^http://*.windowsmedia.*/.* 720 100% 4320 reload-into-ims override-

lastmod


lastmod




lastmod


lastmod











### Direktori cache




### Log


logfile_rotate 1

cache_log none



log_ip_on_direct on

log_fqdn off

log_icp_queries off


quick_abort_min 0

quick_abort_max 0

quick_abort_pct 98%



lastmod


lastmod




lastmod


lastmod











### Direktori cache




### Log


logfile_rotate 1

cache_log none



log_ip_on_direct on

log_fqdn off

log_icp_queries off


quick_abort_min 0

quick_abort_max 0

quick_abort_pct 98%




### Opsi Timeout






half_closed_clients off pconn_timeout 15 second shutdown_lifetime 15 second

### Opsi ACL


acl all src 0.0.0.0/0.0.0.0




























lastmod


lastmod




lastmod


lastmod











### Direktori cache




### Log


logfile_rotate 1

cache_log none



log_ip_on_direct on

log_fqdn off

log_icp_queries off


quick_abort_min 0

quick_abort_max 0

quick_abort_pct 98%




### Opsi Timeout







### Opsi ACL


acl all src 0.0.0.0/0.0.0.0








































acl IIX dst_as 7713 4622 4795 7597 4787 4795 4800






















lastmod


lastmod




lastmod


lastmod











### Direktori cache




### Log


logfile_rotate 1

cache_log none



log_ip_on_direct on

log_fqdn off

log_icp_queries off


quick_abort_min 0

quick_abort_max 0

quick_abort_pct 98%




### Opsi Timeout







### Opsi ACL


acl all src 0.0.0.0/0.0.0.0








































acl IIX dst_as 7713 4622 4795 7597 4787 4795 4800






















log_icp_queries off

icp_hit_stale on





client_db on

netdb_low 9900

netdb_high 10000


query_icmp off


reload_into_ims on





prefer_direct off



httpd_accel_port 80




### SNMP

#snmp_port 3401









b. Named.Conf













acl IIX dst_as 7713 4622 4795 7597 4787 4795 4800






















log_icp_queries off

icp_hit_stale on





client_db on

netdb_low 9900

netdb_high 10000


query_icmp off


reload_into_ims on





prefer_direct off



httpd_accel_port 80




### SNMP

#snmp_port 3401









b. Named.Conf

// //named.conf for Red Hat caching-nameserver //

options {

directory “/var/named”;

dump-file “/var/named/data/cache_dump.db”;

statistics-file “/var/named/data/named_stats.txt”;

/*

* If there is a firewall between you and nameservers you want

* to talk to, you might need to uncomment the query-source

* directive below. Previous versions of BIND always asked

* questions using port 53, but BIND 8.1 uses an unprivileged

* port by default.

*/

// query-source address * port 53;

forwarders {

203.130.193.74;

202.134.0.155;

202.134.2.5;

};

};

//

//a caching only nameserver config

//

controls {

inet 127.0.0.1 allow { localhost; } keys { rndckey; };

};

zone “.” IN {

type hint;

file “named.ca”;

};

zone “localdomain” IN {

type master;

file “localdomain.zone”;

allow-update { none; };

}; zone “localhost” IN { type master;













acl IIX dst_as 7713 4622 4795 7597 4787 4795 4800






















log_icp_queries off

icp_hit_stale on





client_db on

netdb_low 9900

netdb_high 10000


query_icmp off


reload_into_ims on





prefer_direct off



httpd_accel_port 80




### SNMP

#snmp_port 3401









b. Named.Conf

// //named.conf for Red Hat caching-nameserver //

options {

directory “/var/named”;

dump-file “/var/named/data/cache_dump.db”;

statistics-file “/var/named/data/named_stats.txt”;

/*

* If there is a firewall between you and nameservers you want

* to talk to, you might need to uncomment the query-source

* directive below. Previous versions of BIND always asked

* questions using port 53, but BIND 8.1 uses an unprivileged

* port by default.

*/

// query-source address * port 53;

forwarders {

203.130.193.74;

202.134.0.155;

202.134.2.5;

};

};

//

//a caching only nameserver config

//

controls {

inet 127.0.0.1 allow { localhost; } keys { rndckey; }; };

zone “.” IN {

type hint;

file “named.ca”;

};

zone “localdomain” IN {

type master;

file “localdomain.zone”;


}; zone “localhost” IN { type master;

file “localhost.zone”; allow-update { none; }; };

zone “0.0.127.in-addr.arpa” IN {

type master;

file “named.local”;

allow-update { none; }; };

zone “0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa” IN {

type master;

file “named.ip6.local”;


};

zone “255.in-addr.arpa” IN {

type master;

file “named.broadcast”;

allow-update { none; }; }; zone “0.in-addr.arpa” IN { type master;

file “named.zero”;


};

include “/etc/rndc.key”; c. Gateway 192.168.1.1

mikrotik warnet

Documents

stateestablished

staterelated

limit00 totalqueuedefault

default kindsfq

add chainprerouting

add chaininput

add chainforward

add chainforward