MikroTik is reliable enough to use as a server, and plenty of people run it today, from SOHO-type internet cafés up to ISPs and large-scale setups with many clients. Both the RouterBoard sold by the manufacturer and RouterOS running on a PC have their own advantages and drawbacks, but to me a MikroTik PC is still the more promising option, because the CPU speed can be upgraded as you like, depending on how much computer hardware you can afford, right up to using a large-capacity hard disk as the cache for an internal proxy. On the PC side I tend to use a DOM (disk-on-module) as the engine, installing MikroTik onto it, and pair it with a SATA hard disk as the proxy cache, rather than a single hard disk holding both engine and cache. A DOM also feels safer as the engine, since a MikroTik PC is usually left running around the clock; an ordinary hard disk uses spinning platters as its read/write medium, so the constant friction makes it prone to overheating. If you still use a hard disk, I suggest fitting an extra fan inside the case to draw out the excess heat so that airflow is maintained and the temperature stays stable.
Installing MikroTik on a PC
For anyone who wants to install MikroTik on a PC to use as a router, here is the technique. I split MikroTik into 2 versions here: for Pentium 3 and below I recommend version 3.30 so it is not too heavy, and version 5.18 for Pentium 4, though it depends on which one you prefer or are more familiar with. The important thing is that both already come with a level 6 license, so the number of users that can be handled is unlimited. Follow these steps:
MIKROTIK OS v3.30 License Level 6
- Download the file MikroTik Routers and Wireless.
- Once the download has finished, extract it with WinRAR.
- Inside are several files, among them the MikroTik file, the Gentoo file, a tutorial and the license key. Look for the files with the ISO extension, namely the MikroTik ISO file and the Gentoo ISO file, and burn them to 2 separate CDs. Remember that the key file, HU6I-XPT.key, will be used later to register MikroTik.
- First stage: insert the MikroTik CD you just burned and install MikroTik 3.30, excluding mpls-test, routing-test and xen; press "i" to continue, then "yes" and "yes", and let the installation run to completion. Then restart the computer and remove the MikroTik CD.
- Insert the Gentoo CD and boot the computer from the Gentoo Linux live CD.
- Shut the computer down.
- Turn the computer on and boot MikroTik (set an IP address on MikroTik for remote access).
- Open Winbox and connect to MikroTik: System -> License -> Import Key -> choose the file HU6I-XPT.key from the folder where you extracted the first file you downloaded, then restart MikroTik.
- Finally, MikroTik 3.30 is done (see System -> License).
MIKROTIK OS v5.18 License Level 6
- Download the MikroTik 5.20 or MikroTik 5.18 file.
- Extract it, then burn the .ISO file to a CD.
- Boot the computer from the MikroTik ISO CD you just burned.
- Install MikroTik, ticking every option with the space bar; to continue the installation press "i", then "yes" and "yes". When it finishes the computer will ask for a reboot; press Enter and remove the MikroTik CD.
- Open Winbox, scan, and log in using the MikroTik IP address; if the IP is 0.0.0.0 and you cannot log in, try logging in with its MAC address.
- Boot MikroTik: username: admin, password: <leave blank>
- Now import the license key into the MikroTik you just installed.
- In WinBox: System ----> License ------> Import Key, find the file W5EY-LHT9.key, click "Ok" and restart MikroTik.
- Done.
INSTALLING MIKROTIK OS FROM A USB FLASH DRIVE
For those who cannot be bothered to use a CD as boot media, you can use a USB flash drive as the installer; the only requirement is a PC that can boot from a USB disk.
- Download the MikroTik files you need from above and extract them.
- Also download UNetbootin.
- Double-click the downloaded UNetbootin file and choose the "Disk Image" option.
- Click Open and find the extracted MikroTik file, then under Type choose USB Drive, select the drive letter of your flash drive, and click OK.
- When it finishes, boot the computer from the flash drive with the BIOS set to USB disk as the first boot device, and follow the same steps as in the tutorial above, just as with a CD.
CONFIGURING MIKROTIK
Here are a few configuration commands for the firewall, gateway setup, DHCP server, filter rules for anti-virus, anti-DDoS, anti-NetCut and anti-porn, and the use of mangle and queue tree; this tutorial is aimed directly at bandwidth limiting with a PCQ download/upload pattern.
# MikroTik RouterOS version 5.18
# scripting by jinho.diaz
# make sure the PC in use has 2 network cards
# The first NIC is ether1-gateway, the out interface, 192.168.1.0/24 with gateway 192.168.1.254 towards the modem
# The second NIC is ether2-local-master, the in interface, 192.168.2.0/24 with gateway 192.168.2.254 towards the LAN
# this script contains anti-NetCut, DDoS, anti-porn-site and anti-virus rules
# the anti-porn part can be turned off by replacing the Nawala DNS with another open DNS server from the IP - DNS menu in Winbox
# This script is for PCs only; it is not recommended on low-spec RouterBoards (< 800 MHz)
# copy and paste the whole script below into a New Terminal in Winbox
/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default \
disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 \
mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=reply-only auto-negotiation=yes cable-settings=default \
disable-running-check=yes disabled=no full-duplex=yes \
mtu=1500 name=ether2-local-master speed=100Mbps
/ip firewall layer7-protocol
add name=download regexp="\\.(exe|rar|zip|7z|cab|asf|pdf|wav|mp3|ram|msu|msi|n\
up|vdf|rmvb|daa|iso|nrg|bin|vcd|mp2|qt|raw|ogg|doc|xls|ppt|xlxs|mov|wmv|mp\
g|mpeg|mkv|avi|flv|rm|mp4|dat|3gp|mpe|wma|docx|pptx|deb|flv2|tar|bzip|gzip\
|gzip2).*\$"
add name=google regexp="google.com|google.co.id|yahoo.com|yahoo.co.id|yahoo|go\
ogle|bing|msn|wordpress|blogspot|blogger|web.id|co.id|net.id|go.id|hotmail\
|twitter"
add name=youtube regexp="o-o|youtube.com|webm"
add name=http-video regexp="mivo.tv|mivotv|imediabiz|imedia|porn|video|stream|\
movie|live|0\\.9|.tv|.0|video|mov|wmv|mpg|mpeg|mkv|avi|flv|rm|mp4|dat|3gp|\
mpe|wma|xhamster|xnxx|fuck|flv2"
/ip pool
add name=default-dhcp ranges=192.168.1.1-192.168.1.253
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.253
add name=dhcp_pool2 ranges=192.168.1.1-192.168.1.253
add name=dhcp_pool3 ranges=192.168.2.1-192.168.2.253
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \
bootp-support=static disabled=no interface=ether1-gateway lease-time=3d \
name=dhcp1
add add-arp=yes address-pool=dhcp_pool3 authoritative=after-2sec-delay \
bootp-support=static disabled=no interface=ether2-local-master \
lease-time=3d name=dhcp_server
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=3.DOWNLOAD packet-mark="" parent=global-in priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3.1.Limited packet-mark=users parent=3.DOWNLOAD priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=1.BROWSING packet-mark="" parent=global-out priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=786k name=6.TUBE-TV packet-mark=users parent=global-out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=2.KONEKSI packet-mark="" parent=global-total priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=786k name="4.LIVE VIDEO" packet-mark="" parent=global-in priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=5.GAME packet-mark="" parent=global-out priority=2
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=786k name=7.Chat packet-mark=users parent=global-in priority=8
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
add kind=pcq name=PCQ_download pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=PCQ_upload pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=pcq-download2 pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=pcq-upload pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pfifo name=PING pfifo-limit=64
add kind=pcq name=DOWN pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=\
10s pcq-classifier=dst-address,dst-port pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=2000
set 11 kind=none name=only-hardware-queue
set 12 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 13 kind=pfifo name=default-small pfifo-limit=10
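The PCQ queue types above use pcq-classifier=dst-address (or src-address) with pcq-rate=0, so the parent queue's max-limit, for example the 1M on 3.DOWNLOAD, is shared out per client address rather than capped per client. The following added example (my code, not from the post or from MikroTik) models that sharing with a simple water-filling calculation; it is a simplification that ignores bursts and the pcq-limit packet queue depth, and the client addresses and demands are constructed sample values.

```python
def pcq_share(max_limit, demand, pcq_rate=0):
    """Steady-state rate each PCQ sub-stream gets under a parent queue.

    max_limit: parent max-limit in kbit/s (1000 stands for max-limit=1M)
    demand:    {sub-stream key: rate it would use if unconstrained, kbit/s}
               (with pcq-classifier=dst-address the key is the client address)
    pcq_rate:  per-sub-stream cap in kbit/s; 0 = unlimited, as in the page's
               queue types, so the cap is the equal share of the parent limit
    Model (an assumption, not MikroTik's scheduler): the parent rate is split
    equally among active sub-streams, and whatever a sub-stream leaves unused
    is re-divided among the sub-streams that still want more.
    """
    remaining = float(max_limit)
    pending = {k: float(d) for k, d in demand.items() if d > 0}
    share = {}
    while pending:
        fair = remaining / len(pending)
        cap = fair if pcq_rate == 0 else min(fair, pcq_rate)
        # Sub-streams asking for no more than the current share are satisfied
        # exactly; the bandwidth they leave unused goes back into the pool.
        satisfied = [k for k, d in pending.items() if d <= cap]
        if not satisfied:
            for k in pending:
                share[k] = cap
            break
        for k in satisfied:
            share[k] = pending.pop(k)
            remaining -= share[k]
    return share


if __name__ == "__main__":
    # Constructed sample: three LAN clients behind 3.DOWNLOAD (max-limit=1M).
    demand = {"192.168.2.10": 200, "192.168.2.11": 800, "192.168.2.12": 800}
    print(pcq_share(1000, demand))
    # The same clients if the type had pcq-rate=256 instead of 0.
    print(pcq_share(1000, demand, pcq_rate=256))
```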
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=5.1.Game-Online packet-mark=online parent=5.GAME \
priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="5.2.Game FB" packet-mark=gamefb parent=5.GAME priority=\
2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3.1.2.Hit packet-mark=hit parent=3.1.Limited priority=8 \
queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=3.1.1.IDM packet-mark=idm parent=3.1.Limited priority=8 \
queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=4.1.youtube packet-mark=stream-idm parent="4.LIVE VIDEO" \
priority=8 queue=DOWN
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="1.1.http brows" packet-mark=google parent=1.BROWSING \
priority=3 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=2.1.ping-out packet-mark="paket ip" parent=2.KONEKSI \
priority=1 queue=PING
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=2.2.ping-in packet-mark="paket dp" parent=2.KONEKSI \
priority=1 queue=PING
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="6.1.Tube Stream" packet-mark=users parent=6.TUBE-TV \
priority=8 queue=pcq-download2
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=6.2.Mivo.TV packet-mark=paket-mtc parent=6.TUBE-TV \
priority=8 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="7.1. Camfrog" packet-mark=camfrog parent=7.Chat \
priority=8 queue=pcq-upload
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
/ip address
add address=192.168.1.1/24 comment="default configuration" disabled=no \
interface=ether1-gateway network=192.168.1.0
add address=192.168.2.254/24 comment="default configuration" disabled=no \
interface=ether2-local-master network=192.168.2.0
/ip dhcp-client
add add-default-route=yes comment="default configuration" \
default-route-distance=1 disabled=no interface=ether1-gateway \
use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.1.0/24 dhcp-option="" dns-server="" gateway=192.168.1.254 \
ntp-server="" wins-server=""
add address=192.168.2.0/24 comment="default configuration" dhcp-option="" \
dns-server="" gateway=192.168.2.254 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 servers=180.131.144.144,180.131.145.145
/ip dns static
add address=180.131.144.144 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment=\
"ANTI BRUTE FORCE - block ssh brute forcers" disabled=no dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment=\
"add ssh brute forcers ip to blacklist" connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment=\
"add ssh brute forcers ip to stage3" connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment=\
"add ssh brute forcers ip to stage2" connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment=\
"add ssh brute forcers ip to stage1" connection-state=new disabled=no \
dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
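The six SSH rules above form a staged tripwire: each new TCP/22 connection moves the source address one step along ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist, the stage entries expire after 1m, and the blacklist drop sits first so a listed address is dropped before any other rule is evaluated. The added example below (my code, not the post's or MikroTik's) replays that rule order over constructed connection events to show when an address actually gets blacklisted and why a slow guesser never does. It assumes, as stated in the comments, that add-src-to-address-list is non-terminating and that re-adding a listed address restarts its timeout; the sample source addresses are documentation-range values.

```python
from dataclasses import dataclass, field

STAGE_TIMEOUT = 60                  # address-list-timeout=1m on ssh_stage1..3
BLACKLIST_TIMEOUT = 10 * 24 * 3600  # address-list-timeout=1w3d on ssh_blacklist

# Rules 2-5 of the chain above, in evaluation order:
# (source list that must match, list the address is added to, timeout).
# None = no src-address-list condition, i.e. the final stage1 catch-all.
ESCALATION = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT),
    (None, "ssh_stage1", STAGE_TIMEOUT),
]


@dataclass
class AddressLists:
    """Dynamic address lists: list name -> {ip: expiry time in seconds}."""
    lists: dict = field(default_factory=dict)

    def contains(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def add(self, name, ip, now, timeout):
        # Assumption: re-adding an address that is already listed restarts its timeout.
        self.lists.setdefault(name, {})[ip] = now + timeout


def handle_new_ssh_connection(lists, ip, now):
    """Verdict ('drop' or 'pass') for one new TCP/22 connection on chain=input."""
    # Rule 1 is terminating: anything already on the blacklist is dropped.
    if lists.contains("ssh_blacklist", ip, now):
        return "drop"
    # Rules 2-5: add-src-to-address-list does not terminate (assumption), so every
    # rule whose source list matches fires for the same packet. Because the
    # stage3 check runs before the address is promoted into stage3, a single
    # connection only advances the address by one stage.
    for required, target, timeout in ESCALATION:
        if required is None or lists.contains(required, ip, now):
            lists.add(target, ip, now, timeout)
    return "pass"


def simulate(events):
    """events: [(seconds, src_ip), ...] of new SSH connections in time order.
    Returns [(seconds, src_ip, verdict), ...]."""
    lists = AddressLists()
    return [(t, ip, handle_new_ssh_connection(lists, ip, t)) for t, ip in events]


def verdicts(events):
    return [v for _, _, v in simulate(events)]


if __name__ == "__main__":
    # Constructed sample: one fast guesser, one slow guesser (documentation addresses).
    fast = [(t, "198.51.100.7") for t in (0, 10, 20, 30, 40)]
    slow = [(t, "198.51.100.8") for t in range(0, 720, 120)]
    print("fast:", verdicts(fast))  # 4th connection lands it on the blacklist, 5th is dropped
    print("slow:", verdicts(slow))  # stage1 expires between attempts, so it never escalates
```

The slow case is the caveat a practitioner should know: with the 1m stage timeouts, anything slower than about one attempt a minute stays under the tripwire, so the rules cut noise rather than guarantee a block.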
/ip firewall filter
add action=accept chain=input comment=\
"Virus Scan, DDOS & anti Netcut, jangan di non aktifkan" \
disabled=no dst-port=8291 protocol=tcp
add action=drop chain=forward connection-state=invalid disabled=no
add action=drop chain=virus disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus disabled=no dst-port=445 protocol=udp
add action=drop chain=virus disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus disabled=no dst-port=3127 protocol=tcp
add action=drop chain=virus disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus disabled=no dst-port=65506 protocol=tcp
add action=jump chain=forward disabled=no jump-target=virus
add action=drop chain=input connection-state=invalid disabled=no
add action=accept chain=input disabled=no protocol=udp
add action=accept chain=input disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input disabled=no protocol=icmp
add action=accept chain=input disabled=no dst-port=21 protocol=tcp
add action=accept chain=input disabled=no dst-port=22 protocol=tcp
add action=accept chain=input disabled=no dst-port=23 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no dst-port=23 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15s \
chain=input disabled=no dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15m \
chain=input disabled=no dst-port=7331 protocol=tcp src-address-list=knock
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=port-scanner disabled=no \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=SYN/FIN disabled=no protocol=\
tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=SYN/RST disabled=no protocol=\
tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=FIN/PSH/URG disabled=no \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=NMAP disabled=no protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=61.213.183.1-61.213.183.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=67.195.134.1-67.195.134.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=68.142.233.1-68.142.233.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=68.180.217.1-68.180.217.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=203.84.204.1-203.84.204.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=69.63.176.1-69.63.176.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=69.63.181.1-69.63.181.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\
0-65535 protocol=tcp src-address=63.245.213.1-63.245.213.254
/ip firewall mangle
add action=mark-packet chain=postrouting comment=HIT disabled=no dscp=12 \
new-packet-mark=hit passthrough=no
add action=mark-packet chain=postrouting content=X-Cache:HIT disabled=no \
new-packet-mark=hit passthrough=no
add action=mark-connection chain=prerouting comment=GAME disabled=no \
dst-port=1818,2001,3010,4300,5105,5121,5126,5171,5340-5352,6000-6152,7777 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=\
7341-7350,7451,8085,9600,9601-9602,9300,9376-9377,9400,9700,10001-10011 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port="10402,11011-\
11041,12011,12110,13008,13413,15000-15002,16402-16502,16666,18901-18909,19\
000" new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=\
19101,22100,27780,28012,29000,29200,39100,39110,39220,39190,40000,49100 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=14009-14010 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=14009-14010 \
new-connection-mark=GAMEONLINE passthrough=yes protocol=udp
add action=mark-connection chain=prerouting disabled=no dst-port="1293,1479,61\
00-6152,7777-7977,8001,9401,9600-9602,12020-12080,30000,40000-40010" \
new-connection-mark=GAMEONLINE passthrough=yes protocol=udp
add action=mark-connection chain=prerouting disabled=no dst-port=\
42051-42052,11100-11125,11440-11460 new-connection-mark=GAMEONLINE \
passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=GAMEONLINE disabled=\
no new-packet-mark=online passthrough=no
add action=mark-connection chain=prerouting content=facebook.com disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=fbcdn.net disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=facebook.net disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=zynga.com disabled=no \
new-connection-mark=fb_game passthrough=yes
add action=mark-connection chain=prerouting content=\
static.ak.connect.facebook.com disabled=no new-connection-mark=fb_game \
passthrough=yes
add action=mark-connection chain=prerouting content=\
statics.poker.static.zynga.com disabled=no new-connection-mark=fb_game \
passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-port=9339,843 \
new-connection-mark=fb_game passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=fb_game disabled=no \
new-packet-mark=gamefb passthrough=no
add action=mark-connection chain=prerouting disabled=no new-connection-mark=\
users-con passthrough=yes src-address=!192.168.2.254 src-address-list=!IP
add action=mark-packet chain=prerouting connection-mark=users-con disabled=no \
new-packet-mark=users passthrough=yes
add action=mark-connection chain=prerouting comment=IDM disabled=no \
layer7-protocol=download new-connection-mark=idm passthrough=yes \
src-address=!192.168.2.254 src-address-list=!IP
add action=mark-packet chain=prerouting connection-mark=idm disabled=no \
new-packet-mark=idm passthrough=no
add action=mark-connection chain=prerouting comment=Browsing disabled=no \
layer7-protocol=google new-connection-mark=google passthrough=yes \
src-address=!192.168.2.254 src-address-list=!IP
add action=mark-packet chain=forward connection-mark=google disabled=no \
new-packet-mark=google passthrough=no src-address=!192.168.2.254
add action=mark-connection chain=prerouting disabled=no layer7-protocol=\
youtube new-connection-mark=stream-idm passthrough=yes src-address=\
!192.168.2.254 src-address-list=!IP
add action=mark-packet chain=prerouting connection-mark=stream-idm disabled=\
no new-packet-mark=stream-idm passthrough=no
add action=mark-connection chain=prerouting comment=ICMP disabled=no \
new-connection-mark="paket ic" passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark="paket ic" disabled=\
no new-packet-mark="paket ip" passthrough=yes
add action=change-dscp chain=prerouting disabled=no new-dscp=1 packet-mark=\
"paket ip" passthrough=yes
add action=mark-connection chain=prerouting comment=DNS disabled=no dst-port=\
53 new-connection-mark="paket dc" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=53 \
new-connection-mark="paket dc" passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark="paket dc" disabled=\
no new-packet-mark="paket dp" passthrough=yes
add action=change-dscp chain=prerouting disabled=no new-dscp=1 packet-mark=\
"paket dp" passthrough=yes
add action=mark-connection chain=prerouting comment="MIVO TV" disabled=no \
layer7-protocol=http-video new-connection-mark=paket-mtc passthrough=yes \
src-address=!192.168.2.254 src-address-list=!IP
add action=mark-packet chain=forward connection-mark=paket-mtc disabled=no \
new-packet-mark=paket-mtc passthrough=no
add action=mark-connection chain=prerouting comment=Camfrog disabled=no \
dst-port=2779,6667 new-connection-mark=camfrog passthrough=yes protocol=\
tcp
add action=mark-packet chain=prerouting connection-mark=camfrog disabled=no \
new-packet-mark=camfrog passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway src-address=192.168.2.0/24
add action=redirect chain=dstnat comment=\
"Redirect ke Port 53 untuk nawala anti porno project" disabled=no \
dst-port=53 protocol=tcp src-address=192.168.2.0/24 to-ports=53
add action=redirect chain=dstnat disabled=no dst-port=53 protocol=udp \
src-address=192.168.2.0/24 to-ports=53
add action=redirect chain=dstnat comment="Redirect To Proxy, aktifkan error.ht\
ml - non aktifkan dulu redirect ke port 53" disabled=yes dst-port=80 \
protocol=tcp to-ports=8080
add action=redirect chain=dstnat disabled=yes dst-port=3128 protocol=tcp \
to-ports=8080
add action=redirect chain=dstnat disabled=yes dst-port=8080 protocol=tcp \
to-addresses=0.0.0.0 to-ports=8080
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=\
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
192.168.2.254
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.254 scope=\
30 target-scope=10
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80
set ssh address="" disabled=yes port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/queue interface
set ether1-gateway queue=ethernet-default
set ether2-local-master queue=ethernet-default
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=mikrotik
/system note
set note=Input.command.by.jinho.diaz show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=207.46.197.32 secondary-ntp=\
192.43.244.18
/system ntp server
set broadcast=no broadcast-addresses="" enabled=no manycast=yes multicast=no
/system scheduler
add disabled=no interval=20m name="cache flush" on-event=cacheflush policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \
start-date=aug/16/2012 start-time=12:05:00
add disabled=no interval=1d name=schedule1 on-event=dnschange policy=\
reboot,read,write,policy,test,password,sniff,sensitive start-date=\
aug/16/2012 start-time=04:55:00
add disabled=no interval=1d name=antinetcut1 on-event=antinetcut1 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=oct/07/2012 start-time=04:03:40
add disabled=no interval=1d name=antinetcut2 on-event=antinetcut2 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=oct/07/2012 start-time=04:04:46
/system script
add name=cacheflush policy=ftp,reboot,read,write,policy,test,winbox,password \
source="/ip dns cache flush"
add name=dnschange policy=ftp,reboot,read,write,policy,test,winbox,password \
source="/ip dns set servers=180.131.144.144,180.131.145.145 allow-remote-r\
equests=yes"
add name=antinetcut1 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source=":local hosts [/ip dhcp-server lease find]\r\
\n:local pcname \"X\"\r\
\n:local pcnum 0\r\
\n:global hacklist \"\"\r\
\n:foreach h in \$hosts do={\r\
\n:local host [/ip dhcp-server lease get \$h host-name]\r\
\n:if ([:len \$host] >0) do {\r\
\n:set pcname (\$pcname . \",\" . \$host)\r\
\n:set pcnum (\$pcnum + 1)\r\
\n}\r\
\n}\r\
\n:foreach h in \$pcname do={\r\
\n:local hh 0\r\
\n:if (!([:find \$hacklist \$h]>=0)) do={\r\
\n:foreach k in \$pcname do={ :if (\$k=\$h) do={:set hh (\$hh + 1) } }\r\
\n:if (\$hh>2) do={\r\
\n:if ([:len \$hacklist] >0) do {:set hacklist (\$hacklist . \",\" . \$h)}\
\_else={:set hacklist \$h}\r\
\n}\r\
\n}\r\
\n}\r\
\n:local timer [:pick [/system clock get time] 3 5]\r\
\n:if ((\$switch > 0) || (\$timer >= \"58\")) do={\r\
\n:log warning (\"New Hacklist: \" . \$hacklist)\r\
\n}"
add name=antinetcut2 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="# use global hacklist variable\r\
\n#:log info (\$hacklist)\r\
\n:foreach host in \$hacklist do={\r\
\n:foreach i in= [/ip dhcp-server lease find host-name \$host] do={\r\
\n:local ipnum [/ip dhcp-server lease get \$i address]\r\
\n:local unum [/ip hotspot active find address \$ipnum]\r\
\n:if ([:len \$unum] >0) do {\r\
\n:local usr [/ip hotspot active get \$unum user]\r\
\n:log warning (\$host . \" \" . \$ipnum . \" \" . \$usr)\r\
\n#next line kick them out right now, could also check pppoe\r\
\n/ip hotspot active remove \$unum\r\
\n#other stuff can do now with the identified IP and USER\r\
\n}\r\
\n}\r\
\n}"
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
none watchdog-timer=no
Source: http://rumah-it01.blogspot.com/2013/06/tutorial-setting-mikrotik-lengkap.html