Friday, June 27, 2014

MikroTik Configuration for a Warnet (My Backup Configuration)

A few days ago I finished building the network configuration for a friend who is setting up a warnet (internet cafe). Not for free, of course... hahaha... The network diagram is shown below. Only the MikroTik part of the configuration is described here, with a short explanation added in some places. At the very least this serves as a backup of my configuration for the future... :) (For the hotspot and Squid, see the earlier posts on this blog.)
Warnet network diagram

Interface and IP address configuration.
# jun/13/2014 21:00:49 by RouterOS 5.26
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1526 \
    mac-address=4C:5E:0C:43:30:1A mtu=1500 name="ether1 WAN" speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1522 mac-address=4C:5E:0C:43:30:1B \
    master-port=none mtu=1500 name="ether2 SQUID" speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1522 mac-address=4C:5E:0C:43:30:1C \
    master-port=none mtu=1500 name="ether3 LAN" speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1522 mac-address=4C:5E:0C:43:30:1D \
    master-port=none mtu=1500 name="ether4 HOTSPOT" speed=100Mbps

/ip address
add address=192.168.1.2/24 disabled=no interface="ether1 WAN" network=\
    192.168.1.0
add address=192.168.200.1/24 disabled=no interface="ether2 SQUID" network=\
    192.168.200.0
add address=192.168.100.1/24 disabled=no interface="ether3 LAN" network=\
    192.168.100.0

The Internet connection is Telkom Speedy ADSL. The Speedy modem is set up as a bridge, and a pppoe-client is created on the MikroTik.
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
    dial-on-demand=yes disabled=no interface="ether1 WAN" max-mru=1480 \
    max-mtu=1480 mrru=disabled name="PPPoE TO INTERNET" password=******* \
    profile=default service-name="" use-peer-dns=no user=\
    172*******@telkom.net

DNS settings.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=202.134.1.10,8.8.8.8

Routing settings (the route for traffic carrying the markwebtosquid routing mark).
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.200.2 \
    routing-mark=markwebtosquid scope=30 target-scope=10

NAT settings. This NAT lets the clients connect to the Internet.
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=\
    "PPPoE TO INTERNET" src-address=192.168.100.0/24

This NAT lets the admin client IP (and the Squid box) connect to the Speedy modem.
/ip firewall nat
add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.0/24 \
    out-interface="ether1 WAN" src-address=192.168.100.2
add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.0/24 \
    out-interface="ether1 WAN" src-address=192.168.200.2
This NAT lets Squid connect to the Internet.
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=\
    "PPPoE TO INTERNET" src-address=192.168.200.2
This is destination NAT (DNAT) so that the Squid box can be reached from the Internet; in other words, so that Squid can be managed remotely from outside. Note the src-address-list=half-trust match on both rules: only sources in that address list get forwarded to ports 22 and 80 on the Squid box.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=222 protocol=tcp \
    src-address-list=half-trust to-addresses=192.168.200.2 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-port=8080 protocol=tcp \
    src-address-list=half-trust to-addresses=192.168.200.2 to-ports=80

For MikroTik security, firewall filter rules are used. First create the IP address groups (address lists), as below.
/ip firewall address-list
add address=3*.0.0.0/8 disabled=no list=half-trust
add address=118.**.0.0/16 disabled=no list=half-trust
add address=180.***.0.0/16 disabled=no list=half-trust
add address=180.***.0.0/16 disabled=no list=half-trust
add address=1**.0.0.0/8 disabled=no list=half-trust
add address=192.168.100.0/24 disabled=no list=lan
add address=192.168.200.0/24 disabled=no list=lan

With IP address groups like the ones above, applying the firewall filter rules becomes much simpler.
/ip firewall filter
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no
add action=accept chain=input disabled=no protocol=icmp src-address-list=lan
add action=drop chain=input disabled=no dst-port=!53,5353 \
    in-interface="PPPoE TO INTERNET" protocol=tcp src-address-list=!half-trust
add action=accept chain=input disabled=no dst-port=!22,8291,8080,222 \
    in-interface="PPPoE TO INTERNET" protocol=tcp src-address-list=half-trust
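As an added illustration (not part of the original post), this Python model replays the input-chain rules above against a few constructed packets with RouterOS first-match semantics and its implicit accept when nothing matches; the half-trust prefix is a constructed documentation placeholder because the post masks its real entries. It also appends the DNS drop rules a practitioner would add, since allow-remote-requests=yes above with no UDP input rule leaves the router's resolver reachable on the PPPoE interface.

```python
import ipaddress
# Address lists from the post; the masked half-trust entries are replaced by
# the constructed documentation range 203.0.113.0/24.
ADDRESS_LISTS = {"lan": ["192.168.100.0/24", "192.168.200.0/24"],
                 "half-trust": ["203.0.113.0/24"]}  # constructed placeholder
WAN = "PPPoE TO INTERNET"

# Input-chain rules exactly as ordered in the post; dst_port and src_list
# keep the RouterOS "!" negation prefix.
INPUT_RULES = [
    dict(action="accept", protocol="icmp", src_list="lan"),
    dict(action="drop", protocol="tcp", in_iface=WAN,
         dst_port="!53,5353", src_list="!half-trust"),
    dict(action="accept", protocol="tcp", in_iface=WAN,
         dst_port="!22,8291,8080,222", src_list="half-trust"),
]
# Rules the post lacks: its DNS answers remote requests and nothing filters
# UDP, so drop DNS arriving on the Internet-facing interface.
HARDENED_RULES = INPUT_RULES + [
    dict(action="drop", protocol="udp", in_iface=WAN, dst_port="53"),
    dict(action="drop", protocol="tcp", in_iface=WAN, dst_port="53"),
]

def in_list(ip, name):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(net)
               for net in ADDRESS_LISTS[name])

def port_in_spec(port, spec):  # spec is a RouterOS list like "53,5353" or "8001-8010"
    for item in spec.split(","):
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def matches(rule, pkt):
    for key in ("protocol", "in_iface"):
        if rule.get(key) and rule[key] != pkt[key]:
            return False
    spec, lst = rule.get("dst_port"), rule.get("src_list")
    if spec and port_in_spec(pkt.get("dst_port", 0), spec.lstrip("!")) == spec.startswith("!"):
        return False  # a "!" list matches only ports outside it
    if lst and in_list(pkt["src"], lst.lstrip("!")) == lst.startswith("!"):
        return False
    return True

def input_verdict(pkt, rules=INPUT_RULES):
    for rule in rules:  # first matching rule decides
        if matches(rule, pkt):
            return rule["action"]
    return "accept"  # no rule matched: RouterOS default for the input chain
```

With the post's rules, Winbox from an untrusted Internet address is dropped, but DNS on both TCP and UDP 53 from anywhere still reaches the router; HARDENED_RULES closes that.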

Firewall mangle settings, to redirect web traffic to Squid.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Redirect to Squid" \
    disabled=no dst-port=80 new-routing-mark=markwebtosquid passthrough=yes \
    protocol=tcp src-address=192.168.100.0/24

Firewall mangle settings, to mark online game traffic.
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no dst-port=\
    1818,2001,3010,4300,5105,5121,5126,5171,5340-5352,6000-6152,6675,7777 \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="7341-7350,74\
    51,8085,9600,9601-9602,9300,9376-9377,9400,9700,10001-10011,10424" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    19101,22100,27780,28012,29000,29200,39100,39110,39220,39190,40000,49100 \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    14009-14010,12683,5222,5223,9015,6203,6210,6217,6320,10360 \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    47611,8401-8408,8000-8010,36456,36567,36570,37466 new-connection-mark=\
    GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    14300,14400-14406,14500-14600,10009,30001-30003,10089 \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    13933,14001-14999,31928,31929,5222,5223,10074,28941 new-connection-mark=\
    GAME-ONLINE passthrough=yes protocol=udp src-address=192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="1151,1293,14\
    79,6100-6152,7777-7977,9401,9600-9602,12020-12080,30000,40000-40010" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=\
    192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="42001-42052,\
    10112,10201-10210,10294-10295,11100-11125,11440-11460,16400-16410,18061,19\
    223" new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp \
    src-address=192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    8001-8010,40100-42000,12060-12070,27005-27015,31929,9647,42406-42441 \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=\
    192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    15100-15200,9001-9099,39030-39040,42106,42423,17327,17565 \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=\
    192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    9339,843,8890 new-connection-mark=GAME-FACEBOOK passthrough=yes protocol=\
    tcp src-address=192.168.100.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="10402,11011-\
    11041,12011,12110,13008,13413,15000-15002,16402-16502,16666,18901-18909,19\
    000" new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp \
    src-address=192.168.100.0/24
add action=mark-packet chain=forward connection-mark=GAME-ONLINE disabled=no \
    new-packet-mark=GAME-PAKET passthrough=yes
add action=mark-packet chain=forward connection-mark=GAME-FACEBOOK disabled=\
    no new-packet-mark=GAME-PAKET passthrough=yes

Firewall mangle settings, to mark Squid cache-hit traffic (matched by dscp=12).
/ip firewall mangle
add action=mark-packet chain=postrouting disabled=no dscp=12 new-packet-mark=\
    proxy-hit passthrough=yes
add action=mark-packet chain=prerouting disabled=no dscp=12 new-packet-mark=\
    proxy-hit passthrough=yes

Disable the service ports that are not used.
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291

For bandwidth sharing (queues), I still trust simple queues.
/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=0/0 name=TOTAL \
    packet-marks="" parent=none priority=1 queue=default-small/default-small \
    target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=1M/1M name=GAME \
    packet-marks=GAME-PAKET,dns-mark parent=TOTAL priority=8 queue=\
    default-small/default-small target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=10M/10M name=HIT-PROXY \
    packet-marks=proxy-hit parent=TOTAL priority=1 queue=\
    default-small/default-small target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=256k/512k name=admin \
    packet-marks="" parent=TOTAL priority=8 queue=default-small/default-small \
    target-addresses=192.168.100.2/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=256k/440k name="User 1" \
    packet-marks="" parent=TOTAL priority=8 queue=default-small/default-small \
    target-addresses=192.168.100.3/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=256k/440k name="User 2" \
    packet-marks="" parent=TOTAL priority=8 queue=default-small/default-small \
    target-addresses=192.168.100.4/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=256k/440k name="User 3" \
    packet-marks="" parent=TOTAL priority=8 queue=default-small/default-small \
    target-addresses=192.168.100.5/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=256k/440k name="User 4" \
    packet-marks="" parent=TOTAL priority=8 queue=default-small/default-small \
    target-addresses=192.168.100.6/32 total-queue=default-small

This script monitors Squid: if Squid is unreachable, web traffic automatically stops going through the Squid proxy and goes straight to the Internet, so the clients are not disconnected.
/system script
add name=down policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source=":log info \"Squid Proxy Server is not responding. Please Check Con\
    nectivity\"\r\
    \n/ip firewall mangle disable [find comment=\"Redirect to Squid\"]"
add name=up policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source=":log info \"Squid Proxy Server is OK.\"\r\
    \n/ip firewall mangle enable [find comment=\"Redirect to Squid\"]"

/tool netwatch
add comment="Cek Squid" disabled=no down-script="/sys script run down" host=\
    192.168.200.2 interval=45s timeout=1s up-script="/sys script run up"

Other settings.
/system clock
set time-zone-name=Asia/Makassar

/system identity
set name=MikroTik

/system ntp client
set enabled=yes mode=unicast primary-ntp=152.118.24.8 secondary-ntp=\
    202.169.224.16
Setup complete, Alhamdulillah....
