Back to MikroTik again…
Mikro… always Mikro, man… aren't you bored yet??
Anyone who's bored, feel free to leave…
OK. Moving on… this is just a backup of a friend's MikroTik. It has been covered plenty of times already and isn't much different from the previous ones. So, for the config below, there won't be many notes or comments…
First, you should know that this MikroTik is actually a virtual MikroTik. Four network adapters are used: three physical and one virtual.
- Adapter 1: connected to the Speedy modem (internet)
- Adapter 2 (virtual adapter): connected to another VirtualBox VM (a virtual Ubuntu Linux box)
- Adapter 3: connected to the LAN switch
- Adapter 4: connected to the wireless hotspot
Straight to the config. As usual, some things have been deliberately edited or replaced with asterisks, and some unimportant bits have been dropped.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default disabled=no full-duplex=yes name="ether1 - WAN" speed=100Mbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default disabled=no full-duplex=yes name="ether2 - PROXY" speed=100Mbps
set 2 arp=enabled auto-negotiation=yes cable-settings=default disabled=no full-duplex=yes name="ether3 - LAN" speed=100Mbps
set 3 arp=enabled auto-negotiation=yes cable-settings=default disabled=no full-duplex=yes name="ether4 - HOTSPOT" speed=100Mbps
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 dial-on-demand=yes disabled=no interface="ether1 - WAN" max-mru=1480 max-mtu=1480 mrru=disabled name="pppoe-out1 (WAN)" password=********** profile=default service-name="" use-peer-dns=no user=172*********@telkom.net
/ip address
add address=10.10.10.254/24 disabled=no interface="ether2 - PROXY" network=10.10.10.0
add address=192.168.1.1/24 disabled=no interface="ether3 - LAN" network=192.168.1.0
add address=192.168.2.2/24 disabled=no interface="ether1 - WAN" network=192.168.2.0
add address=20.20.20.1/24 disabled=no interface="ether4 - HOTSPOT" network=20.20.20.0
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=8.8.8.8,202.134.1.10
The clients are numbered from 192.168.1.2 through 192.168.1.31 and kept in an IP address list. The point is to make it easy for the admin to change a client's bandwidth. Say someone is being a nuisance and you want to throttle them: just go to IP > Firewall > Address List, pick the client's IP and change its list to "Clients(Lelet)" ("lelet" meaning slow).
/ip firewall address-list
add address=192.168.1.103 disabled=no list=Clients
add address=8.8.4.4 disabled=no list=full-trust
add address=152.118.24.8 disabled=no list=full-trust
add address=202.169.224.16 disabled=no list=full-trust
add address=8.8.8.8 disabled=no list=full-trust
add address=202.134.1.10 disabled=no list=full-trust
add address=1**.0.0.0/8 disabled=no list=half-trust
add address=**5.0.0.0/8 disabled=no list=half-trust
add address=3*.0.0.0/8 disabled=no list=half-trust
add address=**8.0.0.0/8 disabled=no list=half-trust
add address=2**.0.0.0/8 disabled=no list=half-trust
add address=**2.0.0.0/8 disabled=no list=half-trust
add address=3*.**.2**.1** disabled=no list=full-trust
add address=*7*.0.0.0/8 disabled=no list=half-trust
add address=192.168.1.0/24 disabled=no list=full-trust
add address=127.0.0.0/8 disabled=no list=full-trust
add address=7*.0.0.0/8 disabled=no list=half-trust
add address=1**.1**.1**.7* disabled=no list=full-trust
add address=192.168.1.6 disabled=no list=Clients
add address=192.168.1.5 disabled=no list=Clients
add address=192.168.1.4 disabled=no list=Clients
add address=192.168.1.3 disabled=no list=Clients
add address=192.168.1.2 disabled=no list=Clients
add address=192.168.1.7 disabled=no list=Clients
add address=192.168.1.8 disabled=no list=Clients
add address=192.168.1.9 disabled=no list=Clients
add address=192.168.1.10 disabled=no list=Clients
add address=192.168.1.11 disabled=no list=Clients
add address=192.168.1.12 disabled=no list=Clients
add address=192.168.1.18 disabled=no list=Clients
add address=192.168.1.13 disabled=no list=Clients
add address=192.168.1.14 disabled=no list=Clients
add address=192.168.1.15 disabled=no list=Clients
add address=192.168.1.16 disabled=no list=Clients
add address=192.168.1.17 disabled=no list=Clients
add address=192.168.1.19 disabled=no list=Clients
add address=192.168.1.20 disabled=no list=Clients
add address=192.168.1.21 disabled=no list=Clients
add address=192.168.1.22 disabled=no list=Clients
add address=192.168.1.23 disabled=no list=Clients
add address=192.168.1.32 disabled=no list=Clients
add address=192.168.1.25 disabled=no list=Clients
add address=192.168.1.26 disabled=no list=Clients
add address=192.168.1.27 disabled=no list=Clients
add address=192.168.1.28 disabled=no list=Clients
add address=192.168.1.29 disabled=no list=Clients
add address=192.168.1.30 disabled=no list=Clients
add address=192.168.1.31 disabled=no list=Clients(Lelet)
In firewall mangle, rules are created for marking:
- Mark 192.168.1.254 to 192.168.2.1, for configuring the modem.
- Mark for bypassing sites, for sites that don't work through Squid.
- Mark the slow ("lelet") clients.
- Mark port 80 from the clients and redirect it to Squid.
- Mark the DNS port.
- Mark the game ports.
- Mark Squid hits.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="For Setting Modem" disabled=no dst-address=192.168.2.1 new-routing-mark="Setting Modem" passthrough=yes src-address=192.168.1.254
add action=mark-packet chain=prerouting comment="For Clients Lelet..." disabled=no new-packet-mark=Clients-lelet-packet passthrough=yes src-address-list="Clients(Lelet)"
add action=mark-routing chain=prerouting comment="Bypass situs" disabled=no dst-port=80 layer7-protocol=bypass new-routing-mark=bypass passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="Redirect to Squid Client LAN" disabled=no dst-address=!192.168.2.1 dst-port=80 new-routing-mark=markwebtosquid passthrough=yes protocol=tcp src-address-list=Clients
add action=mark-routing chain=prerouting comment="Redirect to Squid Client Hotspot" disabled=no dst-address=!20.20.20.1 dst-port=80 new-routing-mark=markwebtosquid passthrough=yes protocol=tcp src-address=20.20.20.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=53 new-connection-mark=DNS-con passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=53 new-connection-mark=DNS-con passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-packet chain=prerouting connection-mark=DNS-con disabled=no new-packet-mark=DNS-packet passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-port=1818,2001,3010,4300,5105,5121,5126,5171,5340-5352,5567-5570,6000-6152,6675 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=7341-7350,7451,8085,9300,9376-9377,9400,9600,9601-9602,9700,10001-10011,10424 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=19101,22100,27780,28012,29000-29001,29200,39100,39110,39190,39220,40000,49100 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=5222,5223,5540-5580,9015,6203,6210,6217,6320,6543-6546,10360,12683,14000-14050 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=1230-1260,5000-5020,7777,8000-8010,8401-8408,10089,36456,36567,36570,37466,47611 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=14300-15512,30001-30003,38101,38110-38600,60170-60180,63000-64000 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=1660-2960,5222,5223,10074,13000-13080,13933,14000-14999,28941,31928,31929 new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=1151,1293,1479,6100-6152,7777-7977,9401,9600-9602,12000-15900,30000,40000-40010 new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=10112,10201-10210,10294-10295,11100-11125,11440-11460,16400-16410,18061,19223,42001-42052 new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=8001-8010,9647,10020-10022,27005-27015,31929,39311,40040-42000,42406-42441 new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=7020-7050,8200-8220,9000-9099,15000-15500,17327,17565,39030-39040,42106,42423 new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=5101,5201,12310-12320,15500,20000-20020,27019,50000-50100,54500-56500,14101-14105 new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=7200,10087,16320-16340,17001-17002,26001-26010,27000-27050,29000-29010,49330-49350 new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=3478,4379,4380 new-connection-mark=GAME-ONLINE passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=843,5220-5230,8890,9339,9430-9450,9810-9860,52510,53100-53110,54100,55100 new-connection-mark=GAME-FACEBOOK passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=10402,11011-11041,12011,12110,13008,13413,15000-15002,16402-16502,16666,18900-18910,19000 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=10000-10030,10009,10500-10610,13008,13412,16666,28012,20101-20301,39311 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=8086,9090-9099,12310-12320,14300-14310,16666-16668,28000-28013,28901-28920 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=5101,5201,7201-7210,7320-7350,7401,7770-7790,15500,27930-27940,28000-28020 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=7200,7400,7106,7999,9000,9150-9160,9330-9340,10500-10515,27014-27050,36567,47611 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-port=7450-7460,64990-65010 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-address=103.14.108.0/24 dst-port=443,6112,6000-6099,39190 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=prerouting disabled=no dst-address=49.50.4.62 dst-port=2001,2002,2003 new-connection-mark=GAME-ONLINE passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-packet chain=forward connection-mark=GAME-ONLINE disabled=no new-packet-mark=GAME-PAKET passthrough=yes
add action=mark-packet chain=forward connection-mark=GAME-FACEBOOK disabled=no new-packet-mark=GAME-PAKET passthrough=yes
add action=mark-packet chain=postrouting disabled=no dscp=12 new-packet-mark=proxy-hit passthrough=yes
add action=mark-packet chain=prerouting disabled=no dscp=12 new-packet-mark=proxy-hit passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no out-interface="pppoe-out1 (WAN)" src-address=10.10.10.1
add action=masquerade chain=srcnat disabled=no out-interface="pppoe-out1 (WAN)" src-address=10.10.10.2
add action=masquerade chain=srcnat disabled=no out-interface="pppoe-out1 (WAN)" src-address=10.10.10.10
add action=masquerade chain=srcnat disabled=no dst-address=192.168.2.1 out-interface="ether1 - WAN" src-address=192.168.1.254
add action=masquerade chain=srcnat comment="Router / Computer Server Proxy" disabled=no out-interface="pppoe-out1 (WAN)" src-address=192.168.1.254
add action=masquerade chain=srcnat comment="IP Client" disabled=no out-interface="pppoe-out1 (WAN)" src-address-list=Clients
add action=masquerade chain=srcnat comment="IP Client (Lelet)" disabled=no out-interface="pppoe-out1 (WAN)" src-address-list="Clients(Lelet)"
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no out-interface="pppoe-out1 (WAN)" src-address=20.20.20.0/24
add action=add-src-to-address-list address-list="IPs connect to Proxy" address-list-timeout=0s chain=dstnat comment="Redirect SSH To Proxy" disabled=no dst-port=222,333 protocol=tcp src-address-list=half-trust to-addresses=10.10.10.1 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-port=222 protocol=tcp src-address-list=half-trust to-addresses=10.10.10.1 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-port=333 protocol=tcp src-address-list=half-trust to-addresses=10.10.10.2 to-ports=22
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark="Setting Modem" scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="pppoe-out1 (WAN)" routing-mark=bypass scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=markwebtosquid scope=30 target-scope=10
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address=192.168.1.0/24,1**.1**.1**.**/32,182.0.0.0/8 disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=no port=8728
set winbox address="" disabled=no port=8291
Bandwidth sharing uses simple queues. The marks produced by the firewall mangle rules are fed into the queues. Several queues are created:
- GAME queue, priority 2.
- HIT-PROXY queue, priority 2.
- ...
Didn't you say you weren't going to comment much… this is already way too much commentary…
OK… OK… sorry… moving on…
/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=0/0 name=TOTAL packet-marks="" parent=none priority=1 queue=default-small/default-small target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=1M/1M name=GAME packet-marks=GAME-PAKET parent=TOTAL priority=2 queue=default-small/default-small target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=10M/10M name=HIT-PROXY packet-marks=proxy-hit parent=TOTAL priority=2 queue=default-small/default-small target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=1M/1M name=HOTSPOT packet-marks="" parent=TOTAL priority=3 queue=default-small/default-small target-addresses=20.20.20.0/24 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface="ether3 - LAN" limit-at=128k/512k max-limit=1M/6M name="For All Clients" packet-marks="" parent=TOTAL priority=5 queue=default-small/default-small target-addresses=192.168.1.0/24 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=256k/256k max-limit=512k/512k name=DNS packet-marks=DNS-packet parent=TOTAL priority=1 queue=DNS-Pfifo/DNS-Pfifo target-addresses="" total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=5k/5k name=Clients-Lelet packet-marks=Clients-lelet-packet parent=TOTAL priority=8 queue=default-small/default-small target-addresses="" total-queue=default-small
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=accept chain=input disabled=no src-address=192.168.1.103
add action=accept chain=input disabled=no in-interface="pppoe-out1 (WAN)" src-address-list=full-trust
add action=accept chain=input disabled=no dst-port=53,5353 in-interface="ether3 - LAN" protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input disabled=no dst-port=53,5353 in-interface="ether3 - LAN" protocol=udp src-address=192.168.1.0/24
add action=add-src-to-address-list address-list="IP connect to web Mikrotik" address-list-timeout=0s chain=input disabled=no dst-address=192.168.1.1 dst-port=80 in-interface="ether3 - LAN" protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Rules Firewall Block Untrust" disabled=no in-interface="pppoe-out1 (WAN)" src-address-list=!half-trust
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="Port scanners to list" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w1d chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
add action=accept chain=icmp comment="Limited Ping Flood" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp disabled=no protocol=icmp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22,8291,8729 in-interface="pppoe-out1 (WAN)" protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=12w6d chain=input connection-state=new disabled=no dst-port=22,8291,8728 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1d2h22m22s chain=input connection-state=new disabled=no dst-port=22,8291,8728 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1d2h22m22s chain=input connection-state=new disabled=no dst-port=22,8291,8728 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1d2h22m22s chain=input connection-state=new disabled=no dst-port=22,8291,8728 protocol=tcp src-address-list=half-trust
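An added example, not part of the friend's config or of RouterOS: a small offline lint that reads an export dump and checks the things this post leans on. It checks whether the Clients list really covers the range the text claims (on the posted list it doesn't: 192.168.1.103 and .32 are in it, .24 is not, and .31 lives in Clients(Lelet)), whether every packet mark a simple queue matches on is actually produced by a mangle rule, and two things the filter section above hides: the whole chain=icmp block is never reached because no rule jumps to it, and "drop ssh brute forcers" drops 22,8291,8729 while the stage rules count hits on 22,8291,8728 (the API port), so repeat offenders against the API are listed but never dropped. The parser and the four checks are mine; EXPORT is a constructed excerpt that keeps the relevant lines of the posted config verbatim.

```python
"""Offline lint for a RouterOS '/export' dump. Added example: parser and checks are mine,
not RouterOS features; EXPORT is a constructed excerpt of the posted config."""
import re
import shlex
from collections import defaultdict

EXPORT = r'''
/ip firewall address-list
add address=192.168.1.103 disabled=no list=Clients
add address=192.168.1.2 disabled=no list=Clients
add address=192.168.1.3 disabled=no list=Clients
add address=192.168.1.32 disabled=no list=Clients
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=Clients-lelet-packet passthrough=yes src-address-list="Clients(Lelet)"
add action=mark-packet chain=forward connection-mark=GAME-ONLINE new-packet-mark=GAME-PAKET passthrough=yes
add action=mark-packet chain=postrouting dscp=12 new-packet-mark=proxy-hit passthrough=yes
/queue simple
add max-limit=1M/1M name=GAME packet-marks=GAME-PAKET parent=TOTAL priority=2
add max-limit=10M/10M name=HIT-PROXY packet-marks=proxy-hit parent=TOTAL priority=2
add max-limit=5k/5k name=Clients-Lelet packet-marks=Clients-lelet-packet parent=TOTAL priority=8
/ip firewall filter
add action=accept chain=icmp comment="Limited Ping Flood" icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp protocol=icmp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22,8291,8729 \
    in-interface="pppoe-out1 (WAN)" protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=12w6d \
    chain=input connection-state=new dst-port=22,8291,8728 protocol=tcp src-address-list=ssh_stage3
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
'''

FIREWALL = ('/ip firewall filter', '/ip firewall mangle', '/ip firewall nat', '/ip firewall raw')
BUILTIN_CHAINS = {'input', 'forward', 'output', 'prerouting', 'postrouting', 'srcnat', 'dstnat'}


def parse_export(text):
    """Return [(section, verb, {key: value})]; joins '\\'-wrapped lines, shlex handles quoted values."""
    rules, section = [], None
    for raw in re.sub(r'\\\n\s*', '', text).splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):          # a menu path opens a new section
            section = line
            continue
        tokens = shlex.split(line)
        args = dict(tok.split('=', 1) for tok in tokens[1:] if '=' in tok)
        rules.append((section, tokens[0], args))
    return rules


def live(rules, sections, verb='add'):
    # Enabled entries only: a disabled rule neither matches nor jumps.
    return [a for s, v, a in rules if s in sections and v == verb and a.get('disabled') != 'yes']


def ports(spec):
    # Expand a RouterOS port list such as '22,8291,5340-5352' into a set of ints.
    out = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def orphan_chains(rules):
    """Custom chains holding enabled rules that no enabled jump targets: those rules never run."""
    fw = live(rules, FIREWALL)
    used = {a['chain'] for a in fw if 'chain' in a}
    return sorted(used - BUILTIN_CHAINS - {a['jump-target'] for a in fw if a.get('action') == 'jump'})


def blacklist_port_mismatch(rules):
    """{list: (ports counted but not dropped, ports dropped but not counted)} for every drop rule
    keyed on src-address-list=X versus the add-src-to-address-list rules that populate X."""
    filt = live(rules, ('/ip firewall filter',))
    fed = defaultdict(set)
    for a in filt:
        if a.get('action') == 'add-src-to-address-list' and 'dst-port' in a:
            fed[a['address-list']] |= ports(a['dst-port'])
    found = {}
    for a in filt:
        lst = a.get('src-address-list')
        if a.get('action') == 'drop' and lst in fed and 'dst-port' in a:
            counted, dropped = fed[lst], ports(a['dst-port'])
            if counted != dropped:
                found[lst] = (sorted(counted - dropped), sorted(dropped - counted))
    return found


def mark_mismatch(rules):
    """(marks a simple queue matches but no mangle rule produces, marks produced but no queue uses)."""
    produced = {a['new-packet-mark'] for a in live(rules, ('/ip firewall mangle',)) if 'new-packet-mark' in a}
    consumed = {m for a in live(rules, ('/queue simple',)) if a.get('packet-marks')
                for m in a['packet-marks'].split(',')}
    return sorted(consumed - produced), sorted(produced - consumed)


def client_list_gaps(rules, list_name, prefix, lo, hi):
    """(addresses the text says are in the list but are not, addresses present but outside the range)."""
    have = {a['address'] for a in live(rules, ('/ip firewall address-list',)) if a.get('list') == list_name}
    want = {f'{prefix}.{i}' for i in range(lo, hi + 1)}
    last = lambda ip: int(ip.rsplit('.', 1)[1])
    return sorted(want - have, key=last), sorted(have - want, key=last)


RULES = parse_export(EXPORT)
if __name__ == '__main__':
    print(orphan_chains(RULES), blacklist_port_mismatch(RULES), mark_mismatch(RULES),
          client_list_gaps(RULES, 'Clients', '192.168.1', 2, 4), sep='\n')
```

To run it against the real thing, save the router's config with /export file=backup, copy the file off, and pass its contents in place of EXPORT with client_list_gaps(..., 2, 31). The icmp finding means the rate-limited ICMP accept/drop rules do nothing until an action=jump jump-target=icmp protocol=icmp rule is added to the input chain; the 8729 versus 8728 finding means the three-stage counter and the final drop disagree on which ports they protect, and the fix is to make the drop rule match the stage rules.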
/radius
add accounting-backup=no accounting-port=1813 address=127.0.0.1 authentication-port=1812 called-id="" disabled=no domain="" realm="" secret=hotspot123 service=hotspot timeout=300ms
/radius incoming
set accept=yes port=1700
/system ntp client
set enabled=yes mode=unicast primary-ntp=152.118.24.8 secondary-ntp=202.169.224.16
For the hotspot.
/ip hotspot profile
add dns-name="" hotspot-address=20.20.20.1 html-directory=hotspot http-proxy=0.0.0.0:0 login-by=http-chap name=hsprof1 nas-port-type=wireless-802.11 radius-accounting=yes radius-default-domain="" radius-interim-update=received radius-location-id="" radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=yes
/ip dhcp-server network
add address=20.20.20.0/24 comment="hotspot network" dhcp-option="" dns-server="" gateway=20.20.20.1 ntp-server="" wins-server=""
/ip pool
add name=hs-pool-4 ranges=20.20.20.100-20.20.20.254
/ip dhcp-server
add address-pool=hs-pool-4 authoritative=after-2sec-delay bootp-support=static disabled=no interface="ether4 - HOTSPOT" lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-4 addresses-per-mac=2 disabled=no idle-timeout=5m interface="ether4 - HOTSPOT" keepalive-timeout=none name=hotspot1 profile=hsprof1
/tool user-manager profile profile-limitation
add from-time=0s limitation="Malam Speed" profile=Malam till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation="Hotspot Speed" profile="Voucher Hotspot" till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=auth-fail name=Router shared-secret=hotspot123
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password=m************a paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=owner signup-allowed=no time-zone=-00:00
/tool user-manager profile
add name="Voucher Hotspot" name-for-users="" override-shared-users=off owner=admin price=5000 starts-at=logon validity=30s
add name=Malam name-for-users="" override-shared-users=off owner=admin price=0 starts-at=logon validity=4w2d
/tool user-manager user
add customer=admin disabled=no name=p343w6 password=8qdvbm shared-users=1 wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no name=64qyg6 password=rn4m5j shared-users=1 wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no name=v6s55a password=ifh7q4 shared-users=1 wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no name=123 password=123 shared-users=1 wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
Done…
Wow, sir… could you do a simulation of the home internet setup at Newmont next...