Thursday, February 26, 2015

Full Konfigurasi Mikrotik Warnet

Kembali kita bahas mengenai mikrotik…
Mikro… mikro aja Om… bosen tau ??
Yang bosen, silahkan keluar…
Ok. Lanjut… ini hanya backup mikrotik punya teman… Sudah banyak dibahas dan tidak banyak berbeda dari yang sebelumnya. So,… untuk konfigurasi di bawah ini, keterangan atau komentarnya tidak akan banyak…
Mikrotik 5.26 - settings

Sebelumnya, perlu diketahui, sebenarnya mikrotik ini adalah mikrotik virtual. Ada 4 lancard yang digunakan, 3 lancard yang fisik, dan 1 lancard yang virtual.
  • Adapter / lancard 1, terhubung ke modem speedy (internet)
  • Adapter / lancard 2 (lancard virtual), terhubung ke virtualbox lainnya (linux Ubuntu virtual)
  • Adapter / lancard 3, terhubung ke switch lan
  • Adapter / lancard 4, terhubung ke wireless Hotspot.


Langsung ke konfigurasinya. Seperti biasanya, beberapa hal sengaja diedit atau diberi tanda bintang. Dan beberapa yang tidak penting dibuang.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default \
    disabled=no full-duplex=yes name="ether1 - WAN" speed=100Mbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default \
    disabled=no full-duplex=yes name="ether2 - PROXY" speed=100Mbps
set 2 arp=enabled auto-negotiation=yes cable-settings=default \
    disabled=no full-duplex=yes name="ether3 - LAN" speed=100Mbps
set 3 arp=enabled auto-negotiation=yes cable-settings=default \
    disabled=no full-duplex=yes name="ether4 - HOTSPOT" speed=100Mbps

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
    dial-on-demand=yes disabled=no interface="ether1 - WAN" max-mru=1480 \
    max-mtu=1480 mrru=disabled name="pppoe-out1 (WAN)" password=********** \
    profile=default service-name="" use-peer-dns=no user=\
    172*********@telkom.net

/ip address
add address=10.10.10.254/24 disabled=no interface="ether2 - PROXY" network=\
    10.10.10.0
add address=192.168.1.1/24 disabled=no interface="ether3 - LAN" network=\
    192.168.1.0
add address=192.168.2.2/24 disabled=no interface="ether1 - WAN" network=\
    192.168.2.0
add address=20.20.20.1/24 disabled=no interface="ether4 - HOTSPOT" network=\
    20.20.20.0

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=8.8.8.8,202.134.1.10


Clientnya diurutkan dari IP 192.168.1.2 sampai dengan 192.168.1.31. Menggunakan IP address list. Tujuannya, agar admin lebih mudah untuk merubah bandwidth client. Misalnya ada yang “rese” dan ingin dibatasi bandwidthnya. Cukup dengan masuk ke ip-firewall-address-list, pilih IP clientnya dan ubah listnya menjadi “clients(lelet)”.
/ip firewall address-list
add address=192.168.1.103 disabled=no list=Clients
add address=8.8.4.4 disabled=no list=full-trust
add address=152.118.24.8 disabled=no list=full-trust
add address=202.169.224.16 disabled=no list=full-trust
add address=8.8.8.8 disabled=no list=full-trust
add address=202.134.1.10 disabled=no list=full-trust
add address=1**.0.0.0/8 disabled=no list=half-trust
add address=**5.0.0.0/8 disabled=no list=half-trust
add address=3*.0.0.0/8 disabled=no list=half-trust
add address=**8.0.0.0/8 disabled=no list=half-trust
add address=2**.0.0.0/8 disabled=no list=half-trust
add address=**2.0.0.0/8 disabled=no list=half-trust
add address=3*.**.2**.1** disabled=no list=full-trust
add address=*7*.0.0.0/8 disabled=no list=half-trust
add address=192.168.1.0/24 disabled=no list=full-trust
add address=127.0.0.0/8 disabled=no list=full-trust
add address=7*.0.0.0/8 disabled=no list=half-trust
add address=1**.1**.1**.7* disabled=no list=full-trust
add address=192.168.1.6 disabled=no list=Clients
add address=192.168.1.5 disabled=no list=Clients
add address=192.168.1.4 disabled=no list=Clients
add address=192.168.1.3 disabled=no list=Clients
add address=192.168.1.2 disabled=no list=Clients
add address=192.168.1.7 disabled=no list=Clients
add address=192.168.1.8 disabled=no list=Clients
add address=192.168.1.9 disabled=no list=Clients
add address=192.168.1.10 disabled=no list=Clients
add address=192.168.1.11 disabled=no list=Clients
add address=192.168.1.12 disabled=no list=Clients
add address=192.168.1.18 disabled=no list=Clients
add address=192.168.1.13 disabled=no list=Clients
add address=192.168.1.14 disabled=no list=Clients
add address=192.168.1.15 disabled=no list=Clients
add address=192.168.1.16 disabled=no list=Clients
add address=192.168.1.17 disabled=no list=Clients
add address=192.168.1.19 disabled=no list=Clients
add address=192.168.1.20 disabled=no list=Clients
add address=192.168.1.21 disabled=no list=Clients
add address=192.168.1.22 disabled=no list=Clients
add address=192.168.1.23 disabled=no list=Clients
add address=192.168.1.32 disabled=no list=Clients
add address=192.168.1.25 disabled=no list=Clients
add address=192.168.1.26 disabled=no list=Clients
add address=192.168.1.27 disabled=no list=Clients
add address=192.168.1.28 disabled=no list=Clients
add address=192.168.1.29 disabled=no list=Clients
add address=192.168.1.30 disabled=no list=Clients
add address=192.168.1.31 disabled=no list=Clients(Lelet)

Di firewall mangle, dibuat rules untuk marking.
  1. Mark IP 192.168.1.254 ke IP 192.168.2.1, untuk Setting modem. 
  2. Mark untuk bypass situs, untuk situs ndak support dengan squid. 
  3. Mark clients lelet. 
  4. Mark port 80 dari client dan diarahkan/redirect ke squid. 
  5. Mark port dns. 
  6. Mark port game. 
  7. Mark Hit squid.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="For Setting Modem" \
    disabled=no dst-address=192.168.2.1 new-routing-mark="Setting Modem" \
    passthrough=yes src-address=192.168.1.254
add action=mark-packet chain=prerouting comment="For Clients Lelet..." \
    disabled=no new-packet-mark=Clients-lelet-packet passthrough=yes \
    src-address-list="Clients(Lelet)"
add action=mark-routing chain=prerouting comment="Bypass situs" disabled=no \
    dst-port=80 layer7-protocol=bypass new-routing-mark=bypass passthrough=\
    yes protocol=tcp src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment=\
    "Redirect to Squid Client LAN" disabled=no dst-address=!192.168.2.1 \
    dst-port=80 new-routing-mark=markwebtosquid passthrough=yes protocol=tcp \
    src-address-list=Clients
add action=mark-routing chain=prerouting comment=\
    "Redirect to Squid Client Hotspot" disabled=no dst-address=!20.20.20.1 \
    dst-port=80 new-routing-mark=markwebtosquid passthrough=yes protocol=tcp \
    src-address=20.20.20.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=53 \
    new-connection-mark=DNS-con passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=53 \
    new-connection-mark=DNS-con passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=53 \
    new-connection-mark=DNS-con passthrough=yes protocol=udp src-address=\
    192.168.1.0/24
add action=mark-packet chain=prerouting connection-mark=DNS-con disabled=no \
    new-packet-mark=DNS-packet passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-port="1818,2001,30\
    10,4300,5105,5121,5126,5171,5340-5352,5567-5570,6000-6152,6675" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="7341-7350,74\
    51,8085,9300,9376-9377,9400,9600,9601-9602,9700,10001-10011,10424" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="19101,22100,\
    27780,28012,29000-29001,29200,39100,39110,39190,39220,40000,49100" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="5222,5223,55\
    40-5580,9015,6203,6210,6217,6320,6543-6546,10360,12683,14000-14050" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="1230-1260,50\
    00-5020,7777,8000-8010,8401-8408,10089,36456,36567,36570,37466,47611" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    14300-15512,30001-30003,38101,38110-38600,60170-60180,63000-64000 \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    1660-2960,5222,5223,10074,13000-13080,13933,14000-14999,28941,31928,31929 \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="1151,1293,14\
    79,6100-6152,7777-7977,9401,9600-9602,12000-15900,30000,40000-40010" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="10112,10201-\
    10210,10294-10295,11100-11125,11440-11460,16400-16410,18061,19223,42001-42\
    052" new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp \
    src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="8001-8010,96\
    47,10020-10022,27005-27015,31929,39311,40040-42000,42406-42441" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="7020-7050,82\
    00-8220,9000-9099,15000-15500,17327,17565,39030-39040,42106,42423" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="5101,5201,12\
    310-12320,15500,20000-20020,27019,50000-50100,54500-56500,14101-14105" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="7200,10087,1\
    6320-16340,17001-17002,26001-26010,27000-27050,29000-29010,49330-49350" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    3478,4379,4380 new-connection-mark=GAME-ONLINE passthrough=yes protocol=\
    udp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    843,5220-5230,8890,9339,9430-9450,9810-9860,52510,53100-53110,54100,55100 \
    new-connection-mark=GAME-FACEBOOK passthrough=yes protocol=tcp \
    src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="10402,11011-\
    11041,12011,12110,13008,13413,15000-15002,16402-16502,16666,18900-18910,19\
    000" new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp \
    src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    10000-10030,10009,10500-10610,13008,13412,16666,28012,20101-20301,39311 \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="8086,9090-90\
    99,12310-12320,14300-14310,16666-16668,28000-28013,28901-28920" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="5101,5201,72\
    01-7210,7320-7350,7401,7770-7790,15500,27930-27940,28000-28020" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port="7200,7400,71\
    06,7999,9000,9150-9160,9330-9340,10500-10515,27014-27050,36567,47611" \
    new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=\
    192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=\
    7450-7460,64990-65010 new-connection-mark=GAME-ONLINE passthrough=yes \
    protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-address=\
    103.14.108.0/24 dst-port=443,6112,6000-6099,39190 new-connection-mark=\
    GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-address=\
    49.50.4.62 dst-port=2001,2002,2003 new-connection-mark=GAME-ONLINE \
    passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-packet chain=forward connection-mark=GAME-ONLINE disabled=no \
    new-packet-mark=GAME-PAKET passthrough=yes
add action=mark-packet chain=forward connection-mark=GAME-FACEBOOK disabled=\
    no new-packet-mark=GAME-PAKET passthrough=yes
add action=mark-packet chain=postrouting disabled=no dscp=12 new-packet-mark=\
    proxy-hit passthrough=yes
add action=mark-packet chain=prerouting disabled=no dscp=12 new-packet-mark=\
    proxy-hit passthrough=yes

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no out-interface=\
    "pppoe-out1 (WAN)" src-address=10.10.10.1
add action=masquerade chain=srcnat disabled=no out-interface=\
    "pppoe-out1 (WAN)" src-address=10.10.10.2
add action=masquerade chain=srcnat disabled=no out-interface=\
    "pppoe-out1 (WAN)" src-address=10.10.10.10
add action=masquerade chain=srcnat disabled=no dst-address=192.168.2.1 \
    out-interface="ether1 - WAN" src-address=192.168.1.254
add action=masquerade chain=srcnat comment="Router / Computer Server Proxy" \
    disabled=no out-interface="pppoe-out1 (WAN)" src-address=192.168.1.254
add action=masquerade chain=srcnat comment="IP Client" disabled=no \
    out-interface="pppoe-out1 (WAN)" src-address-list=Clients
add action=masquerade chain=srcnat comment="IP Client (Lelet)" disabled=no \
    out-interface="pppoe-out1 (WAN)" src-address-list="Clients(Lelet)"
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no out-interface="pppoe-out1 (WAN)" src-address=20.20.20.0/24
add action=add-src-to-address-list address-list="IPs connect to Proxy" \
    address-list-timeout=0s chain=dstnat comment="Redirect SSH To Proxy" \
    disabled=no dst-port=222,333 protocol=tcp src-address-list=half-trust \
    to-addresses=10.10.10.1 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-port=222 protocol=tcp \
    src-address-list=half-trust to-addresses=10.10.10.1 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-port=333 protocol=tcp \
    src-address-list=half-trust to-addresses=10.10.10.2 to-ports=22

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
    routing-mark="Setting Modem" scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="pppoe-out1 (WAN" \
    routing-mark=bypass scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.1 \
    routing-mark=markwebtosquid scope=30 target-scope=10

/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address=\
    192.168.1.0/24,1**.1**.1**.**/32,182.0.0.0/8 disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=no port=8728
set winbox address="" disabled=no port=8291

Untuk pembagian bandwidth menggunakan simple queue. Hasil mark pada rule ip firewall mangle, diarahkan ke queue. Dibuat beberapa queue, yaitu
  1. Queue Game dengan priority 2. 
  2. Queue Hit Proxy dengan priority 2. 
  3.  ...
Katanya tadi ndak mau komentar banyak… ini komentar sudah terlalu banyak…
Ok… ok... sorry… lanjut…
/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=0/0 name=TOTAL \
    packet-marks="" parent=none priority=1 queue=default-small/default-small \
    target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=1M/1M name=GAME \
    packet-marks=GAME-PAKET parent=TOTAL priority=2 queue=\
    default-small/default-small target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=10M/10M name=HIT-PROXY \
    packet-marks=proxy-hit parent=TOTAL priority=2 queue=\
    default-small/default-small target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=1M/1M name=HOTSPOT \
    packet-marks="" parent=TOTAL priority=3 queue=default-small/default-small \
    target-addresses=20.20.20.0/24 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface="ether3 - LAN" limit-at=128k/512k max-limit=1M/6M \
    name="For All Clients" packet-marks="" parent=TOTAL priority=5 queue=\
    default-small/default-small target-addresses=192.168.1.0/24 total-queue=\
    default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=256k/256k max-limit=512k/512k name=DNS \
    packet-marks=DNS-packet parent=TOTAL priority=1 queue=DNS-Pfifo/DNS-Pfifo \
    target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both \
    disabled=no interface=all limit-at=0/0 max-limit=5k/5k name=Clients-Lelet \
    packet-marks=Clients-lelet-packet parent=TOTAL priority=8 queue=\
    default-small/default-small target-addresses="" total-queue=default-small

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no
add action=accept chain=input disabled=no src-address=192.168.1.103
add action=accept chain=input disabled=no in-interface="pppoe-out1 (WAN)" \
    src-address-list=full-trust
add action=accept chain=input disabled=no dst-port=53,5353 in-interface=\
    "ether3 - LAN" protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input disabled=no dst-port=53,5353 in-interface=\
    "ether3 - LAN" protocol=udp src-address=192.168.1.0/24
add action=add-src-to-address-list address-list="IP connect to web Mikrotik" \
    address-list-timeout=0s chain=input disabled=no dst-address=192.168.1.1 \
    dst-port=80 in-interface="ether3 - LAN" protocol=tcp src-address=\
    192.168.1.0/24
add action=drop chain=input comment="Rules Firewall Block Untrust" disabled=\
    no in-interface="pppoe-out1 (WAN)" src-address-list=!half-trust
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="Port scanners to list " \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="FIN/PSH/URG scan" \
    disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=14w1d chain=input comment="NMAP NULL scan" disabled=\
    no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
    src-address-list="port scanners"
add action=accept chain=icmp comment="Limited Ping Flood" disabled=no \
    icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:3 limit=5,5 protocol=\
    icmp
add action=accept chain=icmp disabled=no icmp-options=3:4 limit=5,5 protocol=\
    icmp
add action=accept chain=icmp disabled=no icmp-options=8:0-255 limit=5,5 \
    protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=11:0-255 limit=5,5 \
    protocol=icmp
add action=drop chain=icmp disabled=no protocol=icmp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22,8291,8729 in-interface="pppoe-out1 (WAN)" protocol=tcp \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=12w6d chain=input connection-state=new disabled=no \
    dst-port=22,8291,8728 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1d2h22m22s chain=input connection-state=new \
    disabled=no dst-port=22,8291,8728 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1d2h22m22s chain=input connection-state=new \
    disabled=no dst-port=22,8291,8728 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1d2h22m22s chain=input connection-state=new \
    disabled=no dst-port=22,8291,8728 protocol=tcp src-address-list=half-trust

/radius
add accounting-backup=no accounting-port=1813 address=127.0.0.1 \
    authentication-port=1812 called-id="" disabled=no domain="" realm="" \
    secret=hotspot123 service=hotspot timeout=300ms

/radius incoming
set accept=yes port=1700

/system ntp client
set enabled=yes mode=unicast primary-ntp=152.118.24.8 secondary-ntp=\
    202.169.224.16


Untuk hotspot.
/ip hotspot profile
add dns-name="" hotspot-address=20.20.20.1 html-directory=hotspot http-proxy=\
    0.0.0.0:0 login-by=http-chap name=hsprof1 nas-port-type=wireless-802.11 \
    radius-accounting=yes radius-default-domain="" radius-interim-update=\
    received radius-location-id="" radius-location-name="" radius-mac-format=\
    XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=yes

/ip dhcp-server network
add address=20.20.20.0/24 comment="hotspot network" dhcp-option="" \
    dns-server="" gateway=20.20.20.1 ntp-server="" wins-server=""
/ip pool
add name=hs-pool-4 ranges=20.20.20.100-20.20.20.254

/ip dhcp-server
add address-pool=hs-pool-4 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface="ether4 - HOTSPOT" lease-time=1h name=dhcp1

/ip hotspot
add address-pool=hs-pool-4 addresses-per-mac=2 disabled=no idle-timeout=5m \
    interface="ether4 - HOTSPOT" keepalive-timeout=none name=hotspot1 \
    profile=hsprof1

/tool user-manager profile profile-limitation
add from-time=0s limitation="Malam Speed" profile=Malam till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation="Hotspot Speed" profile="Voucher Hotspot" \
    till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=\
    auth-fail name=Router shared-secret=hotspot123

/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password=m************a \
    paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
    permissions=owner signup-allowed=no time-zone=-00:00

/tool user-manager profile
add name="Voucher Hotspot" name-for-users="" override-shared-users=off owner=\
    admin price=5000 starts-at=logon validity=30s
add name=Malam name-for-users="" override-shared-users=off owner=admin price=\
    0 starts-at=logon validity=4w2d

/tool user-manager user
add customer=admin disabled=no name=p343w6 password=8qdvbm shared-users=1 \
    wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no name=64qyg6 password=rn4m5j shared-users=1 \
    wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no name=v6s55a password=ifh7q4 shared-users=1 \
    wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no name=123 password=123 shared-users=1 \
    wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no

Done…

1 comment:

  1. om ngeri bikin simulasi home inet yg di newmont dong...

    ReplyDelete