
Mikrotik Configuration for a Transparent Web Proxy

One function of a web proxy is to store the proxy cache. If a LAN uses a proxy to connect to the Internet, the browser's request for a web server URL is taken by the proxy server. If the data is not yet held in the proxy server, the proxy fetches it from the web server and stores the response in its cache. If another client then requests the same URL, it is served from the cache, which makes Internet access faster.

How can we make sure that every user accesses the Internet through the web proxy we have enabled? For this we can implement a transparent proxy. With a transparent proxy, every browser on a computer that uses this gateway automatically goes through the proxy. Enable the web proxy in Mikrotik as follows:

[admin@Mikrotik]> /ip proxy set enabled=yes
[admin@Mikrotik]> /ip web-proxy set cache-administrator=admin.fauzi@infoasia.net
[admin@Mikrotik]> /ip web-proxy print
 enabled: yes
 src-address: 0.0.0.0
 port: 3128
 hostname: "Mikrotik"
 transparent-proxy: yes
 parent-proxy: 0.0.0.0:0
 cache-administrator: "admin@localhost"
 max-object-size: 8192KiB
 cache-drive: system
 max-cache-size: unlimited
 max-ram-cache-size: unlimited
 status: running
 reserved-for-cache: 4733952KiB
 reserved-for-ram-cache: 2048KiB

Then create the rule for the transparent proxy in the firewall NAT table, below the masquerade rule:

[admin@Mikrotik]> /ip firewall nat add chain=dstnat in-interface=local src-address=192.168.0.0/24 protocol=tcp dst-port=80 action=redirect to-ports=3128
[admin@Mikrotik]> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=srcnat out-interface=Public action=masquerade
 1 chain=dstnat in-interface=local src-address=192.168.0.0/24 protocol=tcp dst-port=80 action=redirect to-ports=3128

Mikrotik Configuration for NAT

Network Address Translation, more commonly referred to as NAT, is a method to connect more than one computer to the Internet using a single IP address. The method is widely used because of the limited availability of IP addresses, the need for security, and the ease and flexibility it brings to network administration. Currently the widely used IP protocol is IP version 4 (IPv4). With a 4-byte address there are 2^32 = 4,294,967,296 IP addresses available, which is theoretically the number of computers that can connect directly to the Internet. Because of this limitation, most ISPs (Internet Service Providers) allocate only one address per user, and that address is dynamic, meaning the IP address given will be different each time the user connects to the Internet. This makes things difficult for small and medium businesses: on the one hand they need many computers connected to the Internet, but on the other hand only one IP address is available, which means only one computer can connect. This can be overcome with NAT. With a NAT gateway running on one computer, one IP address can be shared with several other computers, and they can all connect to the Internet simultaneously.

Suppose we want to hide the local network (LAN) 192.168.0.0/24 behind the single IP address 202.51.192.42 provided by the ISP. For this we use the Mikrotik source network address translation feature (masquerading). Masquerading rewrites the source IP address and port of packets from network 192.168.0.0/24 to 202.51.192.42 before they leave for the global Internet. To use masquerading, a source NAT rule with action 'masquerade' is added to the firewall configuration:

[admin@MikroTik]> /ip firewall nat add chain=srcnat action=masquerade out-interface=public

Mikrotik RouterOS Basic Commands

Mikrotik commands are actually almost the same as the existing Linux commands, because Mikrotik is basically a Linux kernel, derived from the Debian distribution of Linux.
The same shell conveniences apply, such as command completion: press the TAB key and a long command no longer needs to be typed in full; type the beginning of the command and the shell completes it. For example, for the IP ADDRESS command in Mikrotik, just type IP ADD, then press TAB, and the shell recognises and expands it to IP ADDRESS. Let us continue with the introduction of the commands. Once logged in, check the condition of the interfaces (ethernet cards).

1. Looking at the condition of the interfaces on the Mikrotik router

[admin@MikroTik]> interface print
Flags: X - disabled, D - dynamic, R - running
 # NAME TYPE RX-RATE TX-RATE MTU
 0 R ether1 ether 0 0 1500
 1 R ether2 ether 0 0 1500
[admin@MikroTik]>

If an interface shows X (disabled) after its number (0, 1), check the ethernet card again; it should show R (running).

a. Renaming an interface: enter the interface menu
[admin@MikroTik]> interface (enter)
b. To rename ether1 (or whatever its name is) to Public:
[admin@MikroTik] interface> set 0 name=Public
c. Likewise for ether2, say its name is changed to Local:
[admin@MikroTik] interface> set 1 name=Local
d. Or from the root directory, using the "/" sign (without quotes):
[admin@MikroTik]> /interface set 0 name=Public
e. Check again whether the interface names have been changed:
[admin@MikroTik]> /interface print
Flags: X - disabled, D - dynamic, R - running
 # NAME TYPE RX-RATE TX-RATE MTU
 0 R Local ether 0 0 1500
 1 R Public ether 0 0 1500

2. Change the default password

For security, change the default password:
[admin@MikroTik]> password
old password: *****
new password: *****
retype new password: *****
[admin@MikroTik]>

3. Renaming the hostname

Rename the Mikrotik router for easier configuration; in this step the server name is changed to "myrouter":
[admin@MikroTik]> system identity set name=myrouter
[admin@myrouter]>
4. Setting the IP Address, Gateway, Name Server and Masquerade

[4.1] IP Address
Configuration command form: ip address add address={ip address/netmask} interface={interface name}

a. Give the Mikrotik interfaces their IP addresses. Suppose Public will be used for the connection to the Internet with IP 192.168.1.2 and Local will be used for our LAN with IP 192.168.0.30 (see topology):
[admin@myrouter]> ip address add address=192.168.1.2 netmask=255.255.255.0 interface=Public comment="IP to the Internet"
[admin@myrouter]> ip address add address=192.168.0.30 netmask=255.255.255.224 interface=Local comment="IP to the LAN"

b. View the IP address configuration we have given:
[admin@myrouter]> ip address print
Flags: X - disabled, I - invalid, D - dynamic
 # ADDRESS NETWORK BROADCAST INTERFACE
 0 ;;; IP Address to the Internet
   192.168.0.30/27 192.168.0.0 192.168.0.31 Local
 1 ;;; IP Address to the LAN
   192.168.1.2/24 192.168.0.0 192.168.1.255 Public
[admin@myrouter]>

[4.2] Gateway
Configuration command form: ip route add gateway={ip gateway}

a. Provide the default gateway; the gateway for the Internet connection is assumed to be 192.168.1.1:
[admin@myrouter]> /ip route add gateway=192.168.1.1

b. View the routing table on the Mikrotik router:
[admin@myrouter]> ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
 # DST-ADDRESS G GATEWAY DISTANCE INTERFACE PREFSRC
 0 ADC 192.168.0.0/24 192.168.0.30 Local
 1 ADC 192.168.0.0/27 192.168.1.2 Public
 2 A S 0.0.0.0/0 r 192.168.1.1 Public
[admin@myrouter]>

c. Ping the gateway to make sure the configuration is correct:
[admin@myrouter]> ping 192.168.1.1
192.168.1.1 64 byte ping: ttl=64 time<1 ms
192.168.1.1 64 byte ping: ttl=64 time<1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
[admin@myrouter]>

[4.3] NAT (Network Address Translation)
Configuration command form: ip firewall nat add chain=srcnat action=masquerade out-interface={the ethernet interface directly connected to the Internet, i.e. Public}

a. Set up masquerading. If Mikrotik is to be used as a gateway server so that the client computers on the network can connect to the Internet, we need masquerading:
[admin@myrouter]> ip firewall nat add chain=srcnat out-interface=Public action=masquerade
[admin@myrouter]>

b. Look at the masquerading configuration:
[admin@myrouter]> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=srcnat out-interface=Public action=masquerade
[admin@myrouter]>

[4.4] Name servers
Configuration command form: ip dns set primary-dns={primary} secondary-dns={secondary}

a. Set up DNS on the Mikrotik router, e.g. with primary DNS 202.134.0.155 and secondary DNS 202.134.2.5:
[admin@myrouter]> ip dns set primary-dns=202.134.0.155 allow-remote-requests=yes
[admin@myrouter]> ip dns set secondary-dns=202.134.2.5 allow-remote-requests=yes

b. View the configuration:
[admin@myrouter]> ip dns print
 primary-dns: 202.134.0.155
 secondary-dns: 202.134.2.5
 allow-remote-requests: no
 cache-size: 2048KiB
 cache-max-ttl: 1w
 cache-used: 16KiB
[admin@myrouter]>

c. Test domain name resolution, for example by pinging a domain name:
[admin@myrouter]> ping yahoo.com
216.109.112.135 64 byte ping: ttl=48 time=250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 571/571.0/571 ms
[admin@myrouter]>

If you get replies, the DNS settings are correct. After this step the connection can be checked from the local network, and if that works we have successfully installed the Mikrotik router as a gateway server. Once connected, the Mikrotik network can be managed using WinBox, which can be downloaded from Mikrotik.com or from the router itself. For example, if the IP address of our Mikrotik server is 192.168.0.30, open http://192.168.0.30 in a browser. The browser shows a web page with several menus; find the "Download WinBox" link there and save the program to the local hard drive. Run WinBox and enter the IP address, username and password.

5. DHCP Server

DHCP stands for Dynamic Host Configuration Protocol, a service that lets IP address assignment on a network be performed by a central server, so the client PCs do not need to configure an IP address themselves. DHCP lets the administrator manage the IP addresses handed out to clients.

Configuration command form:
ip dhcp-server setup
 dhcp server interface={interface used}
 dhcp address space={network that will be served by dhcp}
 gateway for dhcp network={ip gateway}
 addresses to give out={range}
 dns servers={server name}
 lease time={lease duration granted}

If we want clients to get their IP addresses automatically, we need to set up a DHCP server on the Mikrotik. Here are the steps:

a. Add the IP address pool:
/ip pool add name=dhcp-pool ranges=192.168.0.1-192.168.0.30
Note that this range includes the router's own Local address 192.168.0.30 from step 4.1; in practice exclude the gateway address from the pool so it is never leased to a client.

b. Add the DHCP network and the gateway that will be handed to clients. In this example the network is 192.168.0.0/27 and the gateway is 192.168.0.30:
/ip dhcp-server network add address=192.168.0.0/27 gateway=192.168.0.30 dns-server=192.168.0.30 comment=""

c. Add the DHCP server (in this example DHCP is applied to the Local interface):
/ip dhcp-server add interface=Local address-pool=dhcp-pool

d. Check the status of the DHCP server:
[admin@myrouter]> ip dhcp-server print
Flags: X - disabled, I - invalid
 # NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
 0 X dhcp1 Local
The X means the DHCP server is not yet enabled, so it must first be enabled as in step e.

e. Do not forget to enable the DHCP server first:
/ip dhcp-server enable 0
Then check the dhcp-server again as in step d; if the X is gone, it is active.

f. Test from a client, for example:
D:\> ping www.yahoo.com

6. Transparent Proxy Server

A proxy server is a program that can speed up access to web pages that have already been accessed by another computer, because they are stored in the proxy server's cache. A transparent proxy is convenient for client management, because the system administrator does not need to set up a proxy in each client computer's browser; the redirection is performed automatically on the server.

Configuration command form:

a. Web proxy settings:
- ip proxy set enabled=yes port={port that will be used} maximal-client-connections=1000 maximal-server-connections=1000
- ip proxy direct add src-address={network that will be NATed} action=allow
- ip web-proxy set parent-proxy={parent proxy / optional} hostname={hostname for the proxy / optional} port={port that will be used} src-address={address used for the connection to the parent proxy / default 0.0.0.0} transparent-proxy=yes max-object-size={maximum size of a file to be saved in the cache / default 4096, in kilobytes} max-cache-size={maximum hard-drive space used to store cache files / unlimited | none | 12, in megabytes} cache-administrator={administrator e-mail shown when the proxy reports an error} enabled=yes

Sample configuration:

a. Web proxy settings
--------------------------
/ip web-proxy set enabled=yes src-address=0.0.0.0 port=8080 \
 hostname="proxy.myrouter.com" transparent-proxy=yes \
 parent-proxy=0.0.0.0:0 cache-administrator="support@myrouter.com" \
 max-object-size=131072KiB cache-drive=system max-cache-size=unlimited \
 max-ram-cache-size=unlimited
--------------------------

NAT redirect: a rule must be added to redirect HTTP traffic to the web proxy.

b. Firewall setting for the transparent proxy
Configuration command form: ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports={proxy port}

The commands:
--------------------------
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080 \
 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080 \
 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=8000 action=redirect to-ports=8080 \
 comment="" disabled=no
--------------------------
The commands above are intended so that all traffic to ports 80, 3128 and 8000 is redirected to port 8080, the web proxy port. Unlike the rule in the first section, these rules carry no in-interface or src-address match, so they apply to TCP traffic arriving on any interface; add in-interface=Local (or src-address=192.168.0.0/27) if only LAN clients should be redirected. The "Block to Proxy" filter rule in section 9 drops connections to port 8080 that come from outside the LAN.

NOTE: useful commands
/ip web-proxy print   (to see the web-proxy configuration)
/ip web-proxy monitor (to monitor the web-proxy's work)

7. Bandwidth Management

QoS plays an important role in providing good service to clients. For this we need bandwidth management for each flow that passes through, so that the bandwidth is divided fairly. RouterOS includes a package for managing bandwidth.

Configuration command form: queue simple add name={name} target-addresses={target ip address} interface={interface used to pass data} max-limit={out/in}

Below is a traffic shaping (bandwidth management) configuration using the Simple Queue method. As the name implies this queue type is simple, but it has a weakness: it sometimes leaks bandwidth, or the bandwidth shown in the monitor is not the real figure. For around 10 clients this queue type is not a problem. Assume there are 15 clients, each given a minimum of 8 kbps and a maximum of 48 kbps, with a total bandwidth of 192 kbps. No rule is given for upstream, meaning each client can use the maximum upstream bandwidth. Note the priority parameter: Mikrotik has eight priority levels, 1 to 8, where priority 1 is the highest and priority 8 the lowest. The following example shows the configuration.
--------------------------
/queue simple
add name="trafikshaping" target-addresses=192.168.0.0/27 dst-address=0.0.0.0/0 \
 interface=all parent=none priority=1 queue=default/default \
 limit-at=0/64000 max-limit=0/192000 total-queue=default disabled=no
add name="01" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="02" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="03" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="04" target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="10" target-addresses=192.168.0.25/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="05" target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="06" target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="07" target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="08" target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="09" target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="10" target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="11" target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="12" target-addresses=192.168.0.12/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="13" target-addresses=192.168.0.13/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="14" target-addresses=192.168.0.14/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="15" target-addresses=192.168.0.15/32 dst-address=0.0.0.0/0 \
 interface=all parent=trafikshaping priority=1 queue=default/default \
 limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
--------------------------
Because the commands above are in command-line form, they can also be copied and pasted into the Mikrotik console. Remember to check the current path (active directory) first; paste only when the prompt is at the root:
----------------------
Terminal vt102 detected, using multiline input mode
[admin@MikroTik]>
----------------------

Another bandwidth management option is to let Mikrotik share the bandwidth equally, for example 256 kbps downstream and 256 kbps upstream. If 10 clients are accessing, each client automatically gets an upstream and downstream share of 256 kbps divided by 10, so 25.6 kbps each. If only 2 clients are accessing, each gets 128 kbps. For this the PCQ (Per Connection Queue) type is used, which divides the traffic per client automatically. The queue types in Mikrotik are described in the manual at http://www.mikrotik.com/testdocs/ros/2.9/root/queue.php.

First, rules need to be made in mangle, such as:
----------------------
/ip firewall mangle add chain=forward src-address=192.168.0.0/27 \
 action=mark-connection new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet \
 new-packet-mark=users chain=forward
----------------------
Because the PCQ queue types do not exist yet, they need to be added; there are two of them. The first, named pcq-download, regulates all traffic by destination address and is applied to traffic passing the Local interface, so that all download (downstream) traffic for the network 192.168.0.0/27 is shared automatically. The second, named pcq-upload, regulates all upstream traffic by source address and is applied to traffic passing the Public interface.
So all upload (upstream) traffic originating from the network 192.168.0.0/27 is shared automatically. Commands:
------------------------
/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address
------------------------
Once the PCQ types and the mangle rules have been added, the rules for dividing the traffic follow. Queue Tree is used, i.e.:
------------------------
/queue tree add parent=Local queue=pcq-download packet-mark=users
/queue tree add parent=Public queue=pcq-upload packet-mark=users
------------------------
The commands above assume that the bandwidth received from the Internet provider fluctuates. If we are sure of the bandwidth received, for example 256 kbps downstream and 256 kbps upstream, then further rules are added, such as:

For downstream traffic:
------------------------
/queue tree add name=Download parent=Local max-limit=256k
/queue tree add parent=Download queue=pcq-download packet-mark=users
------------------------
And for upstream traffic:
------------------------
/queue tree add name=Upload parent=Public max-limit=256k
/queue tree add parent=Upload queue=pcq-upload packet-mark=users
------------------------

8. MRTG Monitor via Web

This facility is needed for monitoring traffic in the form of graphs that can be viewed with a browser. MRTG (The Multi Router Traffic Grapher) has been built in such a way that we can use it directly; it is already available as a package. Example configuration:
------------------------
/tool graphing set store-every=5min
/tool graphing interface add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
------------------------
The commands above produce a graph of the traffic passing through both the Public and the Local interface, rendered every 5 minutes. The addresses allowed to view the MRTG graphs can be restricted with the allow-address parameter; 0.0.0.0/0 as used here allows any address.

9. Security in Mikrotik

After the configuration above has been prepared, we must of course not forget the security of this Mikrotik gateway machine; several facilities are available for this. Here the firewall is discussed. The firewall facility is similar to iptables on GNU/Linux, only some commands have been simplified, but it is efficient.
In Mikrotik the firewall commands are under the ip menu, i.e.
[admin@myrouter]> /ip firewall
There are several packet-handling facilities such as mangle, nat and filter:
------------------------
[admin@myrouter] ip firewall> ?
Firewall allows IP packet filtering on per packet basis.
..            -- go up to ip
mangle/       -- The packet marking management
nat/          -- Network Address Translation
connection/   -- Active Connections
filter/       -- Firewall filters
address-list/
service-port/ -- Service port management
export
------------------------
This time we will look at the ip firewall filter configuration. Because the firewall filter parameters are so extensive, the full discussion of firewall filters can be found in the Mikrotik manual at http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

The configuration below blocks some Trojans, viruses and backdoors that have been identified by the port numbers and protocols they are known to use. It is also configured to withstand flooding from the Public and the Local network, and it provides access control rules so that only certain network ranges can manage the Mikrotik machine remotely or reach specific services on it.

Sample filter application:
--------------------------
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid \
 connections" disabled=no
add chain=input src-address=!192.168.0.0/27 protocol=tcp src-port=1024-65535 \
 dst-port=8080 action=drop comment="Block to Proxy" disabled=no
add chain=input protocol=udp dst-port=12667 action=drop comment="trinoo" disabled=no
add chain=input protocol=udp dst-port=27665 action=drop comment="trinoo" disabled=no
add chain=input protocol=udp dst-port=31335 action=drop comment="trinoo" disabled=no
add chain=input protocol=udp dst-port=27444 action=drop comment="trinoo" disabled=no
add chain=input protocol=udp dst-port=34555 action=drop comment="trinoo" disabled=no
add chain=input protocol=udp dst-port=35555 action=drop comment="trinoo" disabled=no
add chain=input protocol=tcp dst-port=27444 action=drop comment="trinoo" disabled=no
add chain=input protocol=tcp dst-port=27665 action=drop comment="trinoo" disabled=no
add chain=input protocol=tcp dst-port=31335 action=drop comment="trinoo" disabled=no
add chain=input protocol=tcp dst-port=31846 action=drop comment="trinoo" disabled=no
add chain=input protocol=tcp dst-port=34555 action=drop comment="trinoo" disabled=no
add chain=input protocol=tcp dst-port=35555 action=drop comment="trinoo" disabled=no
add chain=input connection-state=established action=accept \
 comment="Allow Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input src-address=192.168.0.0/27 action=accept \
 comment="Allow access to router from known network" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop \
 comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept \
 comment="allow already established connections" disabled=no
add chain=forward connection-state=related action=accept \
 comment="allow related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=no

add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
 address-list="port scanners" address-list-timeout=2w \
 comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
 action=add-src-to-address-list address-list="port scanners" \
 address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
 address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
 address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
 action=add-src-to-address-list address-list="port scanners" \
 address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
 action=add-src-to-address-list address-list="port scanners" \
 address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
 action=add-src-to-address-list address-list="port scanners" \
 address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop \
 comment="dropping port scanners" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
 comment="allow echo reply" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
 comment="allow net unreachable" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
 comment="allow host unreachable" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
 comment="allow source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
 comment="allow echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
 comment="allow time exceeded" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
 comment="allow parameter problem" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=tcp protocol=tcp dst-port=25 action=reject \
 reject-with=icmp-network-unreachable comment="smtp" disabled=no
add chain=udp protocol=udp dst-port=25 action=reject \
 reject-with=icmp-network-unreachable comment="smtp" disabled=no
add chain=tcp protocol=tcp dst-port=110 action=reject \
 reject-with=icmp-network-unreachable comment="pop3" disabled=no
add chain=udp protocol=udp dst-port=110 action=reject \
 reject-with=icmp-network-unreachable comment="pop3" disabled=no
--------------------------

[10/01] Services and viewing the active services with a port scanner

To make sure which services are active on the Mikrotik machine, we scan its ports; if there are services that are not needed, it is better to turn them off. To disable or enable a service, first check which services are active:
---------------------------
[admin@myrouter]> ip service
[admin@myrouter] ip service> print
Flags: X - disabled, I - invalid
 # NAME PORT ADDRESS CERTIFICATE
 0 X telnet 23 0.0.0.0/0
 1 ftp 21 0.0.0.0/0
 2 www 80 0.0.0.0/0
 3 ssh 22 0.0.0.0/0
 4 www-ssl 443 0.0.0.0/0 none
[admin@myrouter] ip service>
---------------------------
Suppose the FTP service is to be disabled; in the list above it is number 1 (see Flags), so:
--------------------------
[admin@myrouter] ip service> set 1 disabled=yes
--------------------------
We check again:
--------------------------
[admin@myrouter] ip service> print
Flags: X - disabled, I - invalid
 # NAME PORT ADDRESS CERTIFICATE
 0 X telnet 23 0.0.0.0/0
 1 X ftp 21 0.0.0.0/0
 2 www 80 0.0.0.0/0
 3 ssh 22 0.0.0.0/0
 4 www-ssl 443 0.0.0.0/0 none
[admin@myrouter] ip service>
--------------------------
Now the FTP service is disabled. Using the nmap tool we can check which ports are open on the gateway machine we have configured. Command:
nmap -vv -sS -sV -P0 192.168.0.30
Results:
----------------------------
Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-04 19:55 SE Asia Standard Time
Initiating ARP Ping Scan at 19:55
Scanning 192.168.0.30 [1 port]
Completed ARP Ping Scan at 19:55, 0.31s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:55
Completed Parallel DNS resolution of 1 host. at 19:55, 0.05s elapsed
Initiating SYN Stealth Scan at 19:55
Scanning 192.168.0.30 [1697 ports]
Discovered open port 22/tcp on 192.168.0.30
Discovered open port 53/tcp on 192.168.0.30
Discovered open port 80/tcp on 192.168.0.30

Discovered open port 21/tcp on 192.168.0.30 Discovered open port 3986/tcp on 192.168.0.30 Discovered open port 2000/tcp on 192.168.0.30 Discovered open port 8080/tcp on 192.168.0.30 Discovered open port 3128/tcp on 192.168.0.30 Completed SYN Stealth Scan at 19:55, 7.42s elapsed (1697 total ports) Initiating Service scan at 19:55 Scanning 8 services on 192.168.0.30 Completed Service scan at 19:57, 113.80s elapsed (8 services on 1 host) Host 192.168.0.30 Appears to be up ... good. Interesting ports on 192.168.0.30: Not shown: 1689 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp MikroTik router ftpd 2.9.27 22/tcp open ssh OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99) 53/tcp open domain? 80/tcp open http MikroTik router http config 2000/tcp open callbook? 3128/tcp open http-proxy Squid webproxy 2.5.STABLE11 3986/tcp open mapper-ws_ethd? 8080/tcp open http-proxy Squid webproxy 2.5.STABLE11 2 services unrecognized despite returning data. If you know the service / version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi: ============== NEXT SERVICE FINGERPRINT (SUBMIT Individually )============== SF-Port53-TCP: V = 4.20% I = 7% D = 4 / 4% Time = 4613A03C% P = i686-pc-windows-windows% r (D SF: NSVersionBindReq, E, "\ x0c \ x06 \ x81 \ x84")% r (DNSStatusR SF: equest, E, "\ x0c \ X90 \ x84"); ============== NEXT SERVICE FINGERPRINT (SUBMIT Individually )============== SF-Port2000-TCP: V = 4.20% I = 7% D = 4 / 4% Time = 4613A037% P = i686-pc-windows-windows% r SF: (NULL, 4, "\ x01")% r (GenericLines, 4, "\ x01")% r (GetRequest, 18, "\ SF: x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r ( SF: HTTPOptions, 18, "\ x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ x SF: b2F \ xff9 \ xb0 ")% r (RTSPRequest, 18," \ x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x SF: 1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r (RPCCheck, 18," \ x01 \ x02d \? 
\ SF: xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r (DNSVersionBindReq, 18," \ SF: x01 \ x02d \? \ Xe4 {\ x9d \ x02 \ x1a \ xcc \ x8b \ xd1V \ xb2F \ xff9 \ xb0 ")% r ( SF: DNSStatusRequest, 4, "\ x01")% r (Help, 4, "\ x01")% r (X11Probe, 4, "\ SF: x01 ")% r (FourOhFourRequest, 18," \ x01 \ x02 \ xb9 \ x15 & \ xf1A \ SF:] \ + \ x11 \ n \ xf6 \ x9b \ xa0, \ xb0 \ xe1 \ xa5 ")% r (LPDString, 4," \ x01 ")% r (LDAP SF: BindReq, 4, "\ x01")% r (LANDesk-RC, 18, "\ x01 \ x02 \ xb9 \ x15 & \ SF: xf1A \] \ + \ x11 \ n \ xf6 \ x9b \ xa0, \ xb0 \ xe1 \ xa5 ")% r (TerminalServer, 4," \ x01 \ SF: 0 ")% r (NCP, 18," \ x01 \ x02 \ xb9 \ x15 & \ xf1A \] \ + \ x11 \ n \ xf6 \ x9b \ xa0, SF: \ xb0 \ xe1 \ xa5 ")% r (NotesRPC, 18," \ x01 \ x02 \ xb9 \ x15 & \ xf1A \] \ + \ x1 SF: 1 \ n \ xf6 \ x9b \ xa0, \ xb0 \ xe1 \ xa5 ")% r (NessusTPv10, 4," \ x01 "); MAC Address: 00:90:4 C: 91:77:02 (Epigram) Service Info: Host: myrouter; Device: router Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/. Nmap finished: 1 IP address (1 host up) scanned in 123 031 seconds Raw packets sent: 1706 (75.062KB) | rcvd: 1722 (79.450KB) ------------------------From the results of such scanning can we take the conclusion, that the service and active port is a FTP version of the MikroTik router ftpd 2.9.27. To SSH with OpenSSH version 2.3.0 mikrotik 2.9.27 (protocol 1.99). And the Web use the Squid proxy in Squid version webproxy 2.5.STABLE11. Of course, the vendor has to patch against mikrotik Hole or Vulnerabilities of the above Protocol Version. - [10/02] - Network Administration Tool Practically speaking, there are some tools that can be utilized in mela do network troubleshooting, such as tools ping, traceroute, ssh, etc.. Some tools are often used later in the day-to-day administration are:

o Telnet
o SSH
o Traceroute
o Sniffer

a. Telnet
The remote command is almost the same as using the telnet that exists on Linux or Windows.
[admin@myrouter]> system telnet ?
The command above gives a quick look at the available parameters. For example, to reach a remote machine with IP address 192.168.0.21 on port 23:
[admin@myrouter]> system telnet 192.168.0.21
Use of telnet should be limited to certain conditions for security reasons; as we know, data sent via telnet is not encrypted. To be safer, we use SSH.

b. SSH
Like the telnet command, this is also needed to reach a remote machine, and in principle its parameters are the same as the command on Linux and Windows.
[admin@myrouter]> system ssh 192.168.0.21
The SSH parameters above differ slightly from telnet: if you look at its help, there is an additional user parameter.
-------------------------
[admin@myrouter]> system ssh ?
The SSH feature can be used with Various SSH Telnet clients to securely connect to and administrate the router
user - User name
port - Port number
[admin@myrouter]>
-------------------------
Suppose we are going to remote into a machine running Linux, which has the account username root and password 123 456, at address 66.213.7.30. Then the command is:
-------------------------
[admin@myrouter]> system ssh 66.213.7.30 user=root
root@66.213.7.30's password:
-------------------------
c. Traceroute
To know which hops or routers a packet passes through until it reaches its destination, we usually use traceroute. With this tool the path taken by a packet can be analyzed.
Suppose we want to know the path packets take to the Yahoo server; then:
-------------------------
[admin@myrouter]> tool traceroute yahoo.com
     ADDRESS            STATUS
 1   63.219.6.nnn       00:00:00 00:00:00 00:00:00
 2   222.124.4.nnn      00:00:00 00:00:00 00:00:00
 3   192.168.34.41      00:00:00 00:00:00 00:00:00
 4   61.94.1.253        00:00:00 00:00:00 00:00:00
 5   203.208.143.173    00:00:00 00:00:00 00:00:00
 6   203.208.182.5      00:00:00 00:00:00 00:00:00
 7   203.208.182.114    00:00:00 00:00:00 00:00:00
 8   203.208.168.118    00:00:00 00:00:00 00:00:00
 9   203.208.168.134    timeout  00:00:00 00:00:00
10   216.115.101.34     timeout  timeout  00:00:00
11   216.115.101.129    00:00:00 timeout  timeout
12   216.115.108.1      timeout  timeout  00:00:00
13   216.109.120.249    00:00:00 00:00:00 00:00:00
14   216.109.112.135    00:00:00 timeout  timeout
-------------------------
d. Sniffer
We can capture and tap the packets running in our network; this tool, provided by Mikrotik, is useful for analyzing traffic.
-------------------------
[admin@myrouter]> tool sniffer
Packet sniffering

..            -- go up to tool
start         -- Start/reset sniffering
stop          -- Stop sniffering
save          -- Save currently sniffed packets
packet/       -- sniffed packets management
protocol/     -- Protocol management
host/         -- Host management
connection/   -- Connection management
print
get           -- get value of property
set
edit          -- edit the value of property
export
-------------------------
To begin the sniffing process use the start command, and to stop it use the stop command.
[admin@myrouter]> tool sniffer start
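Two practical checks on the material above, as an added example that is not part of the original page. First, the icmp and tcp chains in the filter export are user-defined chains: RouterOS only evaluates them when a rule in a built-in chain jumps to them, and the export shows no such jump rules. Second, the [10/01] and [10/02] sections recommend turning off unneeded services and avoiding cleartext telnet; the service settings below do that. The LAN subnet 192.168.0.0/24 (taken from the NAT section) and the choice of the forward chain for the page's tcp chain are assumptions.

```routeros
# Added example (not from the page): make the custom chains reachable.
# Assumption: the page's "tcp" chain (rejecting ports 25/110) is meant for
# client traffic passing through the router, so it is entered from forward;
# the "icmp" chain protects the router itself, so it is entered from input.
# Rule order matters: add these before the scan-detection rules so that
# the jump is taken before any later catch-all rule.
/ip firewall filter
add chain=input protocol=icmp action=jump jump-target=icmp comment="enter icmp chain"
add chain=forward protocol=tcp action=jump jump-target=tcp comment="enter tcp chain"

# Management services: telnet sends credentials in cleartext (see 10/02),
# so disable it; ftp was already disabled in 10/01. Restrict the rest to the
# LAN subnet (assumed 192.168.0.0/24) instead of listening on 0.0.0.0/0.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh address=192.168.0.0/24
set www address=192.168.0.0/24
set www-ssl address=192.168.0.0/24

# Verify: the X flag and the ADDRESS column should now reflect the changes,
# and a repeat of the nmap scan from outside the LAN should no longer show
# the management ports as open.
/ip service print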

Queue with SRC-NAT and WEB-PROXY


Category: Tips & Tricks

When using queues (bandwidth limiter), the choice of CHAIN in MANGLE largely determines how a rule behaves. If we run SRC-NAT and WEB-PROXY on the same machine, it is often somewhat difficult to build a perfect QUEUE rule. A detailed explanation of choosing the CHAIN can be found in the Mikrotik manual here. The experiment was done on a PC with Mikrotik RouterOS version 2.9.28. On that machine, 2 interfaces are used: one for the gateway, named PUBLIC, and one for the local network, named LAN.

[admin@instaler] > in pr
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE   RX-RATE  TX-RATE  MTU
 0  R public   ether  0        0        1500
 1  R lan      wlan   0        0        1500

And below are the IP addresses used. Subnet 192.168.0.0/24 is the gateway subnet for this machine.

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK      BROADCAST      INTERFACE
 0   192.168.0.217/24   192.168.0.0  192.168.0.255  public
 1   172.21.1.1/24      172.21.1.0   172.21.1.255   lan

The transparent web-proxy feature is also enabled.

[admin@instaler] > ip web-proxy pr
                 enabled: yes
             src-address: 0.0.0.0
                    port: 3128
                hostname: "proxy"
       transparent-proxy: yes
            parent-proxy: 0.0.0.0:0
     cache-administrator: "webmaster"
         max-object-size: 4096KiB
             cache-drive: system
          max-cache-size: none
      max-ram-cache-size: unlimited
                  status: running
      reserved-for-cache: 0KiB
  reserved-for-ram-cache: 154624KiB

The MASQUERADE function is enabled, along with one REDIRECT rule to divert HTTP traffic to the WEB-PROXY.

[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=public src-address=172.21.1.0/24 action=masquerade
 1   chain=dstnat in-interface=lan src-address=172.21.1.0/24 protocol=tcp dst-port=80 action=redirect to-ports=3128

Below is the most important step in this process, namely creating the MANGLE rules. We will need 2 PACKET-MARKs: one for upstream packets, which in this example we call test-up, and one for downstream packets, which we call test-down.

For upstream packets, creating the mangle rule is quite simple. We can do it directly with 1 rule, using only the SRC-ADDRESS and IN-INTERFACE parameters. Here we use the prerouting chain. We name the upstream packets test-up.

For downstream packets, however, we need several rules. Because we use IP translation (masquerade), we need a Connection Mark; in this example we name it test-conn. Then we also have to make 2 further rules. The first is for non-HTTP downstream packets coming directly from the internet (not passing through the proxy); we use the forward chain, because the data flows through the router. The second is for packets originating from the WEB-PROXY; we use the output chain, because the data flow originates from an internal application inside the router towards machines outside the router. The downstream packets in both rules are named test-down. Do not forget: the passthrough parameter is enabled only for the connection mark.

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; UP TRAFFIC
     chain=prerouting in-interface=lan src-address=172.21.1.0/24 action=mark-packet new-packet-mark=test-up passthrough=no
 1   ;;; CONN-MARK
     chain=forward src-address=172.21.1.0/24 action=mark-connection new-connection-mark=test-conn passthrough=yes
 2   ;;; DOWN-DIRECT CONNECTION
     chain=forward in-interface=public connection-mark=test-conn action=mark-packet new-packet-mark=test-down passthrough=no
 3   ;;; DOWN-VIA PROXY
     chain=output out-interface=lan dst-address=172.21.1.0/24 action=mark-packet new-packet-mark=test-down passthrough=no

For the last stage, all that remains is configuring the queue. Here we use a queue tree: one rule for downstream data and one for upstream. What matters here is the choice of parent. For downstream we use parent lan, matching the interface that faces the local network, and for upstream we use parent global-in.

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
 0   name="downstream" parent=lan packet-mark=test-down limit-at=32000 queue=default priority=8 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s
 1   name="upstream" parent=global-in packet-mark=test-up limit-at=32000 queue=default priority=8 max-limit=32000 burst-limit=0 burst-threshold=0 burst-time=0s

Another variation for bandwidth management is the PCQ queue type, which can automatically divide traffic per client.
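The PCQ variation mentioned above, written out as an added example that is not part of the original page. It reuses the test-up and test-down packet marks from the mangle rules; the per-client rates and the total max-limit values are assumptions chosen for illustration.

```routeros
# Added example (not from the page): per-client fair sharing with PCQ.
# PCQ splits the queue into sub-queues keyed by the classifier, so each
# client gets at most pcq-rate and the tree entry's max-limit is the total.
# Downstream: packets are classified by destination address (the client).
# At parent=lan the packet has already been de-masqueraded, so the
# destination is the client's private 172.21.1.x address.
# Upstream: packets are classified by source address, which at global-in
# is still the client's private address (masquerade happens later).
/queue type
add name=pcq-down kind=pcq pcq-rate=64000 pcq-classifier=dst-address
add name=pcq-up kind=pcq pcq-rate=32000 pcq-classifier=src-address

# Same parents and packet marks as the queue tree above; the default queue
# type is swapped for the PCQ types. Rates below are assumed values.
/queue tree
add name="downstream-pcq" parent=lan packet-mark=test-down queue=pcq-down max-limit=512000
add name="upstream-pcq" parent=global-in packet-mark=test-up queue=pcq-up max-limit=256000

# Check that both entries are active and that their counters grow while
# several clients transfer data: each client should plateau at pcq-rate.
/queue tree print stats
```

Disable or remove the original "downstream" and "upstream" entries first, since two tree entries matching the same packet mark under the same parent would compete for the traffic.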

Building a Gateway/Router Server with Mikrotik


By Adam Rachmad

Here I explain how to build the most basic router server. I assume you already know how to install mikrotik on a PC, can already connect to it (usually the initial configuration uses the MAC address to log in with winbox), and understand how to calculate the number of IPs from a /xx prefix.

NETWORK CONDITIONS
The Mikrotik PC has 2 ethernet cards/ports: port 1 for the ISP, port 2 for the local network.
IPs obtained from the provider/ISP:
IP Address : 10.10.15.2
Netmask : 255.255.255.252 or /30
Gateway : 100.10.151
DNS : 100.10.20.1, 100.10.20.2
IP range used for the local network: 192.168.0.1/24 (as many clients as you like, max 254 clients)
Without a DHCP server (if you want to use dhcp, you can see the tutorial on this blog)

QUICK START
Add an IP address to each interface (example: for the ISP IP on ether1, 100.10.15.2/30; for the LAN IP on ether2, 192.168.0.1/24 << that LAN IP will be the gateway in each client's network settings)
/ip address
add address=100.10.15.2/30 interface=ether1 disabled=no
add address=192.168.0.1/24 interface=ether2 disabled=no
Add the provider's gateway in ip route
/ip route
add gateway=100.10.15.1
Create NAT in ip firewall nat

/ip firewall nat
add chain=srcnat action=masquerade disabled=no
Enter the DNS IPs given by the ISP (for example: 100.10.20.1 and 100.10.20.2)
/ip dns
set primary-dns=100.10.20.1 secondary-dns=100.10.20.2 allow-remote-requests=yes
Before configuring the network on your client computer, first test whether your mikrotik is connected to the internet (e.g. by pinging yahoo.com from the terminal console).
Configure your computer's network with:
IP address : 192.168.0.2
Netmask : 255.255.255.0
Gateway : 192.168.0.1
DNS Server : 192.168.0.1

Blocking Sites / File Downloads with Mikrotik


By Adam Rachmad

Some of you may want to block a site or file downloads with mikrotik. Here we can make use of mikrotik's internal proxy. This is usually applied in offices that do not want employees visiting a certain site (facebook, perhaps). You can see my earlier tutorial on the mikrotik internal proxy here.

To block a website:
/ip proxy access
add dst-host=www.gakboleh.com action=deny
That will block the site www.gakboleh.com.

We can also block file downloads:
/ip proxy access
add path=*.exe action=deny
add path=*.mp3 action=deny
add path=*.zip action=deny
add path=*.rar action=deny
This blocks access to URLs containing those extensions.

Or you can also try this:
/ip proxy access
add dst-host=:download action=deny
This will block sites whose name contains the word download. Example: www.download.com, download.gratis.com and www.freedownload.com will be blocked.

Blocking Facebook Access with Mikrotik


By Adam Rachmad http://adamonline.web.id

For those who don't want their employees on facebook all the time. This tutorial is based on address lists, without the web proxy.

First, create the mangle rule, i.e. mark anything that smells of facebook:

/ip firewall mangle
add action=add-dst-to-address-list address-list=facebook address-list-timeout=1m chain=prerouting comment="" content=facebook.com disabled=no
Note: this will automatically create an address list named facebook and mark anything that smells of facebook.com. The timeout is set to 1 minute, so an ip that enters the facebook address list only stays for 1 minute and then disappears by itself.

Second, execute on facebook:
/ip firewall filter
add action=drop chain=forward comment="Drop Facebook" disabled=no dst-address-list=facebook
Note: the rule above drops the ips registered in the facebook address list.

Try opening facebook and then some other website, and look at the statistics on the rule you just created: when you open another site the rule's counters don't move, and when you open facebook they start moving. Bye bye facebook!
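Two refinements to the proxy-based blocking in the previous section and the address-list blocking above, as an added example that is not part of either original post. The admin workstation address 192.168.0.2 (from the gateway section), the block-page URL and the log prefix are assumptions.

```routeros
# Added example (not from the page). Part 1: proxy access list with an
# exception. /ip proxy access rules are evaluated top-down and the first
# match wins, so the allow for the admin workstation (assumed 192.168.0.2)
# must come before the deny rules. redirect-to sends the blocked user to
# an explanatory page instead of a bare error (placeholder URL).
/ip proxy access
add src-address=192.168.0.2 action=allow comment="admin bypass"
add dst-host=www.gakboleh.com action=deny redirect-to=intranet.example/blocked.html
add path=*.exe action=deny
add dst-host=:download action=deny
# Caveat: these rules only see traffic that the dst-nat rule from the
# transparent-proxy section redirects to port 3128. HTTPS on port 443 is
# not redirected there and so is not filtered by /ip proxy access.

# Part 2: address-list approach with a log rule ahead of the drop, so each
# blocked attempt is recorded in /log (with the client address) rather than
# only incrementing the rule counters the post suggests watching.
/ip firewall filter
add chain=forward dst-address-list=facebook action=log log-prefix="fb-block" comment="log facebook"
add chain=forward dst-address-list=facebook action=drop comment="Drop Facebook"

# Check: /ip firewall address-list print shows the dynamically added
# entries with their remaining timeout (1m as set in the mangle rule).
/ip firewall address-list print
/log print where message~"fb-block"
```

Because the address list is populated by the first packet that carries the string facebook.com, that first packet is already forwarded before the entry exists; the 1 minute timeout also means the block lapses unless the client keeps generating matching traffic.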
