
Fatah Design, Inc.

Mikrotik Dual WAN, DMZ, Shape, Web Proxy

http://fatahdesign.co.cc/mikrotik-dual-wan-dmz-shape-web-proxy/


Posted by fatah on April 30th, 2010 at 9:19 pm, filed under coretan, networking, tutorial

It took almost three weeks, but the MikroTik setup for dual WAN, DMZ, queue shaping and web-proxy caching finally works. With help from Haris (hrz) we started tinkering from the mark-routing side. The method is basically the one used for Load Balancing over Multiple Gateways in the MikroTik documentation. Below are the steps to implement dual WAN, DMZ, queue shaping and a web proxy on a network that looks like this (just a sample): WAN1 is a broadband line whose public address is assigned dynamically by the ISP, WAN2 has a static public IP; the DMZ and the LAN are two separate networks on a single interface, carved out of one class C (/24) range by subnetting.

So the first step is marking packets so the routing can be separated. Obviously we first have to decide the IP address of each interface. The MikroTik I tried this on is an RB450, which has 5 Ethernet ports, but I only use three of them: ether1, ether2 and ether5. I named ether1 isp01, ether2 isp02 and ether5 local. Since the first subnet is a /27 (32 addresses, 30 usable hosts), the following subnets are sized 32, 64 and 128 addresses so that the whole /24 (256 addresses) is used up. After agreeing with Haris, we split it into four networks, named Block DMZ, Block 2, Block 3 and Block 4.


/interface set ether1 name=isp01
/interface set ether2 name=isp02
/interface set ether5 name=local
/ip address add address=202.155.0.2/30 interface=isp02
/ip address add address=192.168.0.1/27 interface=local
/ip address add address=192.168.0.33/27 interface=local
/ip address add address=192.168.0.65/26 interface=local
/ip address add address=192.168.0.129/25 interface=local

Since ISP01 assigns the address dynamically, we don't set an IP address on ether1: it gets one by itself when the PPPoE session below comes up. Next we can set up the DHCP server and DNS. With two connections we have to decide which ISP path the DNS resolver uses. Since ISP02 will be the default internet connection, DNS has to go via isp02. I chose isp02 because it has the static IP.

BROADBAND WAN1
WAN1 is the broadband line and its address comes from the ISP when we dial up, so we configure a PPPoE client on isp01.

/interface pppoe-client add ac-name="" add-default-route=yes allow=pap,mschap1 \
    dial-on-demand=yes disabled=no interface=isp01 max-mru=1480 max-mtu=1480 \
    mrru=disabled name=isp01-pppoe password=123456 profile=default service-name="" \
    use-peer-dns=yes user=barkun
/ip dns set primary-dns=192.168.0.2 secondary-dns=202.155.0.10 allow-remote-requests=yes
/ip dhcp-server setup

Three things to check here. The user and password are the ISP's PPPoE credentials (the values above are just the post's placeholders). The export had this client disabled=yes; it must be enabled, because the masquerade and route entries further down reference isp01-pppoe. And use-peer-dns=yes adds ISP01's resolvers to the router's dynamic DNS servers, which contradicts the decision to resolve via ISP02; set it to no if you want only the servers configured in /ip dns. Also note that allow-remote-requests=yes makes the router answer DNS for anyone who can reach udp/53 on it, including the internet side, unless the input chain in section 9 drops that traffic from the WAN interfaces; otherwise you are running an open resolver.

DNS (Domain Name Server)
Since we already have a local domain name server, we simply make use of it here: the MikroTik's primary DNS is set to 192.168.0.2 (this DNS machine sits in the DMZ), and for the secondary DNS we use the second ISP's resolver, because the gateway on that side has a static IP.

DHCP Server
The DHCP server is split into three pools:
range 192.168.0.34 - 192.168.0.62, gateway 192.168.0.33
range 192.168.0.66 - 192.168.0.126, gateway 192.168.0.65
range 192.168.0.130 - 192.168.0.254, gateway 192.168.0.129
The Block 3 pool ends at .126: .127 is the broadcast address of 192.168.0.64/26 and must not be leased. The DNS servers handed out in each pool are 192.168.0.2 and 192.168.0.1.

Routing, Firewall
This is where the tinkering, poking around, trial and error and experimenting begin. With the basic networking knowledge we have, we explore what this MikroTik RouterOS box can do. OK, carry on!

Firewall Mangle Prerouting for Marking Route
Before routing happens, we mark the packets coming from each subnetwork, group them, and name them after the path those packets will leave through. Before starting this work, let's pray according to our respective faiths... er, I mean, let's set up the address lists that we will use as source and destination conditions.

1. Address List
/ip firewall address-list
add address=192.168.0.2-192.168.0.30 disabled=no list=block-dmz
add address=192.168.0.34-192.168.0.62 disabled=no list=block2
add address=192.168.0.66-192.168.0.126 disabled=no list=block3
add address=192.168.0.130-192.168.0.254 disabled=no list=block4
add address=192.168.0.34-192.168.0.254 disabled=no list=block-proxy
add address=192.168.0.0/24 disabled=no list=lan-local
add address=202.155.0.0/30 disabled=no list=isp02-net
add address=192.168.0.1 disabled=no list=routers
add address=202.155.0.2 disabled=no list=routers
add address=192.168.0.0/24 disabled=no list=local-network
add address=202.155.0.0/30 disabled=no list=local-network

(The lists routers and local-network are defined here but not referenced by any rule below; local-network, which covers both the LAN and the ISP02 link network, is the natural exclusion list for the routing-mark rules in step 3.)
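The address plan above (four blocks carved out of one /24, a gateway at the first host of each, DHCP pools and address-list ranges inside each block) is easy to get wrong by one address. The following is an added example, not part of the original post and not RouterOS configuration: a small audit that recomputes the blocks from the prefix lengths and checks every DHCP pool and address-list range against them. The Block 3 DHCP pool is entered exactly as the post had it (192.168.0.66-192.168.0.127) so the check can flag the broadcast address; everything else is the post's data. It needs only the standard library (Python 3.7+ for subnet_of).

```python
"""Audit of the post's address plan: the /24 split into Block DMZ, 2, 3 and 4,
the DHCP pools and the address-list ranges. Added example, not from the post
and not RouterOS code; uses only the stdlib ipaddress module (Python 3.7+).
The Block 3 DHCP pool is entered exactly as posted (.66-.127) on purpose."""
import ipaddress

NAMES = ["block-dmz", "block2", "block3", "block4"]
PREFIXES = [27, 27, 26, 25]          # 32 + 32 + 64 + 128 addresses = one /24

RANGES = [  # (what, block, first, last) as configured in the post; inclusive
    ("dhcp", "block2", "192.168.0.34", "192.168.0.62"),
    ("dhcp", "block3", "192.168.0.66", "192.168.0.127"),   # as posted
    ("dhcp", "block4", "192.168.0.130", "192.168.0.254"),
    ("address-list", "block-dmz", "192.168.0.2", "192.168.0.30"),
    ("address-list", "block2", "192.168.0.34", "192.168.0.62"),
    ("address-list", "block3", "192.168.0.66", "192.168.0.126"),
    ("address-list", "block4", "192.168.0.130", "192.168.0.254"),
]


def plan_blocks(base, prefixes, names):
    """Carve base into consecutive subnets with the given prefix lengths.
    The first usable address of each subnet is the gateway (as in the post);
    host ranges may use the addresses after it up to the last host.
    Raises ValueError if a subnet is misaligned or the plan does not fill base."""
    base = ipaddress.ip_network(base)
    blocks, cursor = [], int(base.network_address)
    for name, plen in zip(names, prefixes):
        net = ipaddress.ip_network((cursor, plen))   # strict: raises if host bits set
        if not net.subnet_of(base):
            raise ValueError(f"{name}: {net} falls outside {base}")
        hosts = list(net.hosts())                    # network and broadcast excluded
        blocks.append({"name": name, "network": net, "gateway": hosts[0],
                       "first_host": hosts[1], "last_host": hosts[-1],
                       "broadcast": net.broadcast_address})
        cursor += net.num_addresses
    if cursor != int(base.broadcast_address) + 1:
        raise ValueError(f"prefixes {prefixes} do not fill {base} exactly")
    return blocks


def fits(base, prefixes):
    """True if the prefix list is a valid, exactly-filling split of base."""
    try:
        plan_blocks(base, prefixes, [str(i) for i in range(len(prefixes))])
        return True
    except ValueError:
        return False


def check_range(block, first, last):
    """Problems with an inclusive first-last range (DHCP pool or address-list
    entry) that is supposed to contain only hosts of block; empty list = clean."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    problems = []
    if first > last:
        problems.append(f"range {first}-{last} is reversed")
    if first <= block["gateway"]:
        problems.append(f"{first} is the gateway or network address of {block['network']}")
    if last > block["last_host"]:
        problems.append(f"{last} is the broadcast address of {block['network']} or beyond it")
    return problems


def audit(base="192.168.0.0/24", ranges=RANGES):
    """Map (what, block) -> list of problems for every configured range."""
    blocks = {b["name"]: b for b in plan_blocks(base, PREFIXES, NAMES)}
    return {(what, name): check_range(blocks[name], first, last)
            for what, name, first, last in ranges}


if __name__ == "__main__":
    for b in plan_blocks("192.168.0.0/24", PREFIXES, NAMES):
        print(f"{b['name']:10} {str(b['network']):18} gw {b['gateway']}  "
              f"hosts {b['first_host']}-{b['last_host']}  bcast {b['broadcast']}")
    for key, problems in audit().items():
        print(key, problems or "ok")
```

Run it and the only complaint is the posted Block 3 pool, whose last address .127 is the broadcast of 192.168.0.64/26; swapping the order of the prefixes (e.g. a /26 after a /27) makes plan_blocks raise, because the /26 would no longer be aligned on a 64-address boundary.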

OK, now that the address lists exist, let's put them to good use: in the firewall mangle, NAT and filter. First MANGLE, the hardest part!

2. Packet mark for queue
:: Packet mark mangle for Local Network (bypasses the queue)
/ip firewall mangle
add action=mark-connection chain=prerouting comment="packet mark for Local Network" disabled=no \
    dst-address-list=lan-local in-interface=local new-connection-mark=local-traffic-conn passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-address-list=isp02-net in-interface=local \
    new-connection-mark=local-traffic-conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=local-traffic-conn disabled=no \
    new-packet-mark=local-traffic passthrough=no
add action=mark-packet chain=output connection-mark=local-traffic-conn disabled=no \
    new-packet-mark=local-traffic passthrough=no

(The export listed the last rule a second time with chain=prerouting; every other block below puts its second mark-packet rule in the output chain, which is what is shown here.) The mark-packet rule has passthrough=no, so a LAN-to-LAN or LAN-to-isp02-net packet stops here and never reaches the per-block or routing-mark rules that follow: that is what keeps local transfers both unshaped and in the main routing table. Keep these rules at the top of the mangle chain.

:: Packet mark mangle for Block DMZ (queue bw = 512k)

/ip firewall mangle
add action=mark-connection chain=prerouting comment="packet mark for Block DMZ" disabled=no \
    dst-address-list=!lan-local new-connection-mark=block-dmz-conn passthrough=yes src-address-list=block-dmz
add action=mark-connection chain=prerouting disabled=no dst-address-list=!isp02-net \
    new-connection-mark=block-dmz-conn passthrough=yes src-address-list=block-dmz
add action=mark-packet chain=prerouting connection-mark=block-dmz-conn disabled=no \
    new-packet-mark=block-dmz passthrough=no
add action=mark-packet chain=output connection-mark=block-dmz-conn disabled=no \
    new-packet-mark=block-dmz passthrough=no

:: Packet mark mangle for Block 2 (queue bw = 256k)

/ip firewall mangle
add action=mark-connection chain=prerouting comment="packet mark for Block 2" disabled=no \
    dst-address-list=!lan-local new-connection-mark=block2-conn passthrough=yes src-address-list=block2
add action=mark-connection chain=prerouting disabled=no dst-address-list=!isp02-net \
    new-connection-mark=block2-conn passthrough=yes src-address-list=block2
add action=mark-packet chain=prerouting connection-mark=block2-conn disabled=no \
    new-packet-mark=block2 passthrough=no
add action=mark-packet chain=output connection-mark=block2-conn disabled=no \
    new-packet-mark=block2 passthrough=no

:: Packet mark mangle for Block 3 (queue bw = 512k)

/ip firewall mangle
add action=mark-connection chain=prerouting comment="packet mark for Block 3" disabled=no \
    dst-address-list=!lan-local new-connection-mark=block3-conn passthrough=yes src-address-list=block3
add action=mark-connection chain=prerouting disabled=no dst-address-list=!isp02-net \
    new-connection-mark=block3-conn passthrough=yes src-address-list=block3
add action=mark-packet chain=prerouting connection-mark=block3-conn disabled=no \
    new-packet-mark=block3 passthrough=no
add action=mark-packet chain=output connection-mark=block3-conn disabled=no \
    new-packet-mark=block3 passthrough=no

:: Packet mark mangle for Block 4 (queue bw = 768k)

/ip firewall mangle
add action=mark-connection chain=prerouting comment="packet mark for Block 4" disabled=no \
    dst-address-list=!lan-local new-connection-mark=block4-conn passthrough=yes src-address-list=block4
add action=mark-connection chain=prerouting disabled=no dst-address-list=!isp02-net \
    new-connection-mark=block4-conn passthrough=yes src-address-list=block4
add action=mark-packet chain=prerouting connection-mark=block4-conn disabled=no \
    new-packet-mark=block4 passthrough=no
add action=mark-packet chain=output connection-mark=block4-conn disabled=no \
    new-packet-mark=block4 passthrough=no

3. Route mark for Dual WAN (still in mangle)
Now let's split them: block2, block3 and block4 are marked to leave through isp01, while block-dmz is marked to leave through isp02. Here are the commands, still in firewall mangle.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark route for Block DMZ" disabled=no \
    new-routing-mark=isp02-route passthrough=no src-address-list=block-dmz
add action=mark-routing chain=prerouting comment="mark route for Block 2" disabled=no \
    new-routing-mark=isp01-route passthrough=no src-address-list=block2
add action=mark-routing chain=prerouting comment="mark route for Block 3" disabled=no \
    new-routing-mark=isp01-route passthrough=no src-address-list=block3
add action=mark-routing chain=prerouting comment="mark route for Block 4" disabled=no \
    new-routing-mark=isp01-route passthrough=no src-address-list=block4

The result of the commands above: before routing takes place, the subnetworks we have are grouped into two routing paths and marked accordingly, isp01-route and isp02-route.

Two things to check before moving on. RouterOS evaluates mangle rules top to bottom, and the per-block mark-packet rules in step 2 use passthrough=no, which ends processing for that packet. If these four mark-routing rules end up below them (the order in which they are listed here), a packet from Block 2 is packet-marked and never reaches them, so it gets no routing mark and follows the main table out through ISP02. Move them above the queue-marking rules (/ip firewall mangle move), give them passthrough=yes so the queue marks are still applied afterwards, and add dst-address-list=!local-network (the list from step 1 that covers both the LAN and the ISP02 link network) so traffic between the blocks, or to the ISP02 gateway, is not pulled into a WAN routing table whose only route is 0.0.0.0/0.

With the routing separated, let's define the route tables. To the scene!

4. Route table for Dual WAN (also the default route for the MikroTik router itself)
As the default connection for the MikroTik box itself, I set the default gateway to the ISP02 path.
/ip route
add comment="GW for isp02-route" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=202.155.0.1 routing-mark=isp02-route scope=30 target-scope=10
add comment="GW for isp01-route" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=isp01-pppoe routing-mark=isp01-route scope=30 target-scope=10
add comment="Default GW for this router" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=202.155.0.1 scope=30 target-scope=10

The isp01-route entry points at the PPPoE interface, isp01-pppoe, which is also the out-interface the masquerade rules in section 6 use; the bare Ethernet port isp01 has no next hop to send a default route to. Note also that the PPPoE client was created with add-default-route=yes, which installs a second 0.0.0.0/0 in the main table whenever the session is up and competes with the ISP02 default at the same distance; set add-default-route=no on the client, since the isp01-route table carries its own gateway.
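The marking in steps 2 and 3 only does what the post intends if the rules sit in the right order, because passthrough=no ends the chain for a packet. The following is an added example, not part of the original post and not RouterOS configuration: a small Python model of first-match evaluation of the prerouting mangle chain with the passthrough flag, using the post's address lists and mark names. It shows that with the rules in the order they are listed above a Block 2 packet gets its queue mark but no routing mark, that putting the routing marks first with dst-address-list=!local-network and passthrough=yes gives both marks while LAN-to-LAN traffic stays unmarked for routing, and that reply packets arriving from the WAN pick up the connection mark for the download queue. The flows are constructed test inputs; the output chain and NAT are not modelled.

```python
"""Model of how RouterOS walks the prerouting mangle chain for the marks in
steps 2 and 3. Added example, not from the post and not RouterOS code: it
reproduces only first-match evaluation with the passthrough flag, using the
post's address lists and mark names, so the effect of rule ORDER can be
checked offline. Flows passed in by the caller are constructed test inputs."""
import ipaddress

# Address lists from step 1 (inclusive ranges); local-network = LAN + ISP02 link.
ADDRESS_LISTS = {
    "block-dmz": [("192.168.0.2", "192.168.0.30")],
    "block2": [("192.168.0.34", "192.168.0.62")],
    "block3": [("192.168.0.66", "192.168.0.126")],
    "block4": [("192.168.0.130", "192.168.0.254")],
    "lan-local": [("192.168.0.0", "192.168.0.255")],
    "isp02-net": [("202.155.0.0", "202.155.0.3")],
    "local-network": [("192.168.0.0", "192.168.0.255"), ("202.155.0.0", "202.155.0.3")],
}


def in_list(spec, ip):
    """Match an address against a list name, honouring RouterOS '!' negation."""
    name, negate = spec.lstrip("!"), spec.startswith("!")
    n = int(ipaddress.ip_address(ip))
    hit = any(int(ipaddress.ip_address(lo)) <= n <= int(ipaddress.ip_address(hi))
              for lo, hi in ADDRESS_LISTS[name])
    return hit != negate


def rule(action, new, passthrough, src=None, dst=None, in_if=None, conn_mark=None):
    return dict(action=action, new=new, passthrough=passthrough,
                src=src, dst=dst, in_if=in_if, conn_mark=conn_mark)


def queue_rules(block):
    """The per-block 'packet mark for queue' rules of step 2 (prerouting only)."""
    conn = block + "-conn"
    return [rule("mark-connection", conn, True, src=block, dst="!lan-local"),
            rule("mark-connection", conn, True, src=block, dst="!isp02-net"),
            rule("mark-packet", block, False, conn_mark=conn)]


LOCAL_BYPASS = [
    rule("mark-connection", "local-traffic-conn", True, dst="lan-local", in_if="local"),
    rule("mark-connection", "local-traffic-conn", True, dst="isp02-net", in_if="local"),
    rule("mark-packet", "local-traffic", False, conn_mark="local-traffic-conn"),
]
QUEUE_MARKS = [r for b in ("block-dmz", "block2", "block3", "block4") for r in queue_rules(b)]


def route_marks(passthrough, dst=None):
    """The four mark-routing rules of step 3, with optional dst exclusion."""
    targets = {"block-dmz": "isp02-route", "block2": "isp01-route",
               "block3": "isp01-route", "block4": "isp01-route"}
    return [rule("mark-routing", mark, passthrough, src=b, dst=dst) for b, mark in targets.items()]


# Rules in the order the post lists them: routing marks last, below passthrough=no.
PAGE_ORDER = LOCAL_BYPASS + QUEUE_MARKS + route_marks(passthrough=False)
# Suggested order: routing marks first, local destinations excluded, passthrough=yes.
FIXED_ORDER = route_marks(passthrough=True, dst="!local-network") + LOCAL_BYPASS + QUEUE_MARKS


def prerouting(rules, pkt, conn):
    """Run one packet through the chain. conn is the conntrack entry shared by
    both directions, so a reply packet sees the connection mark set earlier."""
    for r in rules:
        if r["src"] and not in_list(r["src"], pkt["src"]):
            continue
        if r["dst"] and not in_list(r["dst"], pkt["dst"]):
            continue
        if r["in_if"] and r["in_if"] != pkt["in_if"]:
            continue
        if r["conn_mark"] and conn.get("mark") != r["conn_mark"]:
            continue
        if r["action"] == "mark-connection":
            conn["mark"] = r["new"]
        elif r["action"] == "mark-packet":
            pkt["packet_mark"] = r["new"]
        elif r["action"] == "mark-routing":
            pkt["routing_mark"] = r["new"]
        if not r["passthrough"]:        # passthrough=no ends the chain here
            break
    return pkt


def classify(rules, src, dst, in_if="local"):
    """(packet mark, routing mark, connection mark) for the first packet of a flow."""
    conn = {}
    pkt = prerouting(rules, {"src": src, "dst": dst, "in_if": in_if}, conn)
    return pkt.get("packet_mark"), pkt.get("routing_mark"), conn.get("mark")


def reply_packet_mark(rules, src, dst, wan_if="isp01"):
    """Packet mark of the first reply packet, which arrives on the WAN side."""
    conn = {}
    prerouting(rules, {"src": src, "dst": dst, "in_if": "local"}, conn)
    reply = prerouting(rules, {"src": dst, "dst": src, "in_if": wan_if}, conn)
    return reply.get("packet_mark")


if __name__ == "__main__":
    for name, rules in (("as listed", PAGE_ORDER), ("routing marks first", FIXED_ORDER)):
        print(name, "block2 -> internet:", classify(rules, "192.168.0.40", "8.8.8.8"))
        print(name, "block2 -> block3  :", classify(rules, "192.168.0.40", "192.168.0.70"))
```

In the listed order the Block 2 flow comes back as ("block2", None, "block2-conn"): the queue works, the dual WAN does not. With the routing marks first it is ("block2", "isp01-route", "block2-conn"), while a Block 2 to Block 3 flow is ("local-traffic", None, "local-traffic-conn") in both orders, and a DMZ flow to the ISP02 gateway stays out of the isp02-route table only because of the !local-network exclusion.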

5. MikroTik Web Proxy Setting (the built-in MikroTik web proxy; there was no spare machine to try an external Squid)

/ip proxy set always-from-cache=no cache-administrator=webmaster@barkun.co.cc cache-hit-dscp=4 \
    cache-on-disk=no enabled=yes max-cache-size=4096KiB max-client-connections=1024 \
    max-fresh-time=1d max-server-connections=1024 parent-proxy=0.0.0.0 parent-proxy-port=0 \
    port=800 serialize-connections=yes src-address=0.0.0.0

The proxy listens on port 800. For blocking domains and URLs and for content filtering, ask Google; as an example, I want to block Facebook, YouTube, Flickr, Multiply, Twitter and every domain containing the word proxy, so set rules like these in the proxy ACL:

Two caveats before relying on this. With src-address=0.0.0.0 the proxy listens on every interface, both WANs included, and nothing in the filter rules of section 9 blocks it, so add an input rule that drops tcp/800 arriving on isp01-pppoe and isp02 (or accept it only from src-address-list=lan-local); otherwise anyone on the internet can use the box as an open proxy. And the redirect in section 6 only catches tcp/80, so HTTPS and anything on other ports bypasses these ACLs entirely.


/ip proxy access
add action=deny disabled=no dst-host=*facebook.com
add action=deny disabled=no dst-host=*fbcdn.net
add action=deny disabled=no dst-host=*youtube.com
add action=deny disabled=no dst-host=*flickr.com
add action=deny disabled=no dst-host=*proxy*
add action=deny disabled=no dst-host=*multiply.com
add action=deny disabled=no dst-host=*twitter.com

6. Port forwarding as DNAT, masquerade as SNAT, and redirection as transparent proxy
Port forwarding is for when we have machines that must be reachable from outside (the internet) even though they have local rather than public IPs; with public IPs you would just assign them and put the machines next to the router. This is what is called the DMZ (De-Militarized Zone) area. In this example I have a web server at local IP 192.168.0.2, an SVN server at 192.168.0.3, a database server at 192.168.0.4 and an FTP server at 192.168.0.5. Not too many examples, writing them is tiring. I want the whole DMZ area to use the isp02 path (already marked above, right?).

Each dst-nat rule below publishes a service to the whole internet on the static address. That is reasonable for the web server, but a database listener (tcp/1521 and 9088) and a source repository are normally not meant to be world-reachable: restrict those rules with src-address or src-address-list to the networks that actually need them, or reach them over a VPN instead.

:: port forwarding PUBLIC ISP02:80 > 192.168.0.2:80
/ip firewall nat
add action=dst-nat chain=dstnat comment="PortFW isp02:80 --> WEBServer:80" disabled=no \
    dst-address=202.155.0.2 dst-port=80 protocol=tcp to-addresses=192.168.0.2 to-ports=80
add action=src-nat chain=srcnat disabled=no dst-port=80 protocol=tcp \
    src-address=192.168.0.0/27 to-addresses=202.155.0.2 to-ports=0-65535

:: port forwarding PUBLIC ISP02:3690 > 192.168.0.3:3690

/ip firewall nat
add action=dst-nat chain=dstnat comment="PortFW isp02:3690 --> SVNServer:3690" disabled=no \
    dst-address=202.155.0.2 dst-port=3690 protocol=tcp to-addresses=192.168.0.3 to-ports=3690
add action=src-nat chain=srcnat disabled=no dst-port=3690 protocol=tcp \
    src-address=192.168.0.3 to-addresses=202.155.0.2 to-ports=0-65535

:: port forwarding PUBLIC ISP02:1521 > 192.168.0.4:1521

/ip firewall nat
add action=dst-nat chain=dstnat comment="PortFW isp02:1521 --> DBServer:1521" disabled=no \
    dst-address=202.155.0.2 dst-port=1521 protocol=tcp to-addresses=192.168.0.4 to-ports=1521
add action=src-nat chain=srcnat disabled=no dst-port=1521 protocol=tcp \
    src-address=192.168.0.4 to-addresses=202.155.0.2 to-ports=0-65535

:: port forwarding PUBLIC ISP02:9088 > 192.168.0.4:9088

/ip firewall nat
add action=dst-nat chain=dstnat comment="PortFW isp02:9088 --> DBServer:9088" disabled=no \
    dst-address=202.155.0.2 dst-port=9088 protocol=tcp to-addresses=192.168.0.4 to-ports=9088
add action=src-nat chain=srcnat disabled=no dst-port=9088 protocol=tcp \
    src-address=192.168.0.4 to-addresses=202.155.0.2 to-ports=0-65535

:: port forwarding PUBLIC ISP02:21 > 192.168.0.5:21

/ip firewall nat
add action=dst-nat chain=dstnat comment="PortFW isp02:21 --> FTPServer:21" disabled=no \
    dst-address=202.155.0.2 dst-port=21 protocol=tcp to-addresses=192.168.0.5 to-ports=21
add action=src-nat chain=srcnat disabled=no dst-port=21 protocol=tcp \
    src-address=192.168.0.5 to-addresses=202.155.0.2 to-ports=0-65535

:: redirection to the MikroTik internal web proxy
Client (user) connections are passed through the proxy transparently, so I can restrict the content they open on the internet. So the path that goes through the proxy is isp01, but the bandwidth that port 80 (HTTP) actually consumes is on the isp02 path, remember that. (The proxy's outbound fetches originate from the router itself, so they follow the main table's default route to ISP02 regardless of the client's routing mark.) With some modification the proxy traffic could be sent out via isp01 instead; that's for later.
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect to Web Proxy for Block 2, 3, 4" disabled=no \
    dst-port=80 in-interface=local protocol=tcp routing-mark=isp01-route \
    src-address-list=block-proxy to-ports=800

:: masquerade all destinations out of each public interface

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Block 2 via ISP01" disabled=no \
    out-interface=isp01-pppoe src-address-list=block2
add action=masquerade chain=srcnat comment="Masquerade Block 3 via ISP01" disabled=no \
    out-interface=isp01-pppoe src-address-list=block3
add action=masquerade chain=srcnat comment="Masquerade Block 4 via ISP01" disabled=no \
    out-interface=isp01-pppoe src-address-list=block4
add action=masquerade chain=srcnat comment="Masquerade Block DMZ via ISP02" disabled=no \
    out-interface=isp02 src-address-list=block-dmz

7. Queue as bandwidth management (let's shape, so nobody downloads like crazy)
:: create the queue types first

/queue type
add kind=pcq name=PCQ_Upload pcq-classifier=src-address pcq-limit=50 \
    pcq-rate=0 pcq-total-limit=2000
add kind=pcq name=PCQ_Download pcq-classifier=dst-address pcq-limit=50 \
    pcq-rate=0 pcq-total-limit=2000

Note that these two PCQ types are defined but never used: the leaf queues below all say queue=default, so a block's max-limit is shared first-come-first-served between its hosts. To get per-host fairness inside a block, set queue=PCQ_Download on the *-down leaves and queue=PCQ_Upload on the *-up leaves (pcq-rate=0 leaves the per-host rate unlimited and only splits the parent's max-limit evenly).

:: then create the queue tree parents: downstream is combined into one parent, upstream is split by route.

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=total-down parent=local priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=total-up-isp02 parent=isp02 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=total-up-isp01 parent=isp01 priority=8

:: create the children and set the bandwidth of each block subnetwork.

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=512k name=block-dmz-down packet-mark=block-dmz parent=total-down priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=512k name=block-dmz-up packet-mark=block-dmz parent=total-up-isp02 priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=256k name=block2-down packet-mark=block2 parent=total-down priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=256k name=block2-up packet-mark=block2 parent=total-up-isp01 priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=512k name=block3-down packet-mark=block3 parent=total-down priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=512k name=block3-up packet-mark=block3 parent=total-up-isp01 priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=768k name=block4-down packet-mark=block4 parent=total-down priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=768k name=block4-up packet-mark=block4 parent=total-up-isp01 priority=8 queue=default

Packets marked local-traffic have no leaf here, so inter-block and DMZ-to-LAN transfers are not shaped at all, which is the intent of the bypass rules in step 2.

8. Testing: ping, traceroute
To check, connect a laptop on the client side. To begin, set its IP manually, say one from the DMZ block, and traceroute out to the internet: open Start Menu > Run, type cmd, and at the prompt type tracert -d yahoo.com. Then change the IP to one in Block 4 and run tracert -d yahoo.com again; the two results should show different paths. Port forwarding can be tested like this: ask a friend who is online to open http://barkun.co.cc/ in a browser; it should open the local web server straight away. To test whether you are behind the proxy, from Block 2, 3 or 4 open http://whatismyipaddress.com; it shows right away whether the source is behind a proxy or not.

9. Protect the router: firewall filter
To protect the router there are plenty of example scripts if you ask Google; here is one of them:
/ip firewall filter
add action=drop chain=input comment="Drop SSH brute forcers" disabled=no dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d \
    chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m \
    chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
    chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m \
    chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input comment="Port Scanners to list" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input disabled=no protoc ol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w \
    chain=input disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input disabled=no src-address-list="port scanners"
add action=drop chain=input comment="Filter FTP to Box" disabled=no dst-port=21 protocol=tcp \
    src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no \
    dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h \
    chain=output content="530 Login incorrect" disabled=no protocol=tcp

How this works. The SSH rules are a ladder: every new tcp/22 connection puts its source into ssh_stage1 for a minute; a new connection from a source already in stage1 promotes it to stage2, stage2 to stage3, and stage3 to ssh_blacklist for 1w3d (ten days). Four new connections inside those one-minute windows therefore blacklist the source, and the first rule drops everything from it from the fifth connection on. This counts connections, not failed logins, so an administrator who opens four sessions within a minute locks himself out too: put an accept for src-address-list=lan-local (or your management address) above these rules. The port-scanner rules list a source for two weeks when psd sees a sweep (weight threshold 21 within 3 s; ports below 1024 weigh 3, higher ports 1) or when a segment carries one of the classic scan flag combinations: FIN only, SYN+FIN, SYN+RST, FIN+PSH+URG (XMAS), all six flags, or no flags at all (NULL). The FTP rules watch the router's own FTP service: once a destination has collected about ten "530 Login incorrect" replies within a minute (dst-limit=1/1m,9,dst-address/1m) it goes into ftp_blacklist for three hours and its tcp/21 traffic to the router is dropped. They do not cover the forwarded FTP server at 192.168.0.5, whose traffic passes through the forward chain.

What this set does not do: there is no final drop on the input chain, so the router's other services (DNS on udp/53, opened to remote requests in the DNS setup; the proxy on tcp/800; Winbox; the API) stay reachable from both WAN interfaces, and nothing protects the DMZ hosts beyond the port forwards themselves. At minimum, disable the services you do not use under /ip service, accept connection-state=established,related, accept management only from lan-local, and end the input chain with a drop.

So the preliminary conclusions of this article are:
1. Dual WAN runs smoothly; tracert from Blocks 2, 3, 4 and tracert from the DMZ block definitely take different paths.
2. Bandwidth can be managed; test downloads from the internet from Blocks 2, 3, 4 are limited.
3. Bandwidth towards the local net / public IP bypasses the queue so local transfers are not limited; test downloads from Block 2 to Block 3 or the other way round and other combinations, downloads from the local web server, or sending big files over IPM are not limited.
4. Opening http://202.155.0.2 from a client in Block 2, 3 or 4 opens the local web server (port forward).
5. Opening http://192.168.0.1 from a client in Block 2, 3 or 4 opens the local web server (port forward).
6. Opening http://barkun.co.cc (the domain) from a client in Block 2, 3 or 4 opens the local web server (port forward).
7. The web proxy runs transparently; from a client in Block 2, 3 or 4 open http://whatismyipaddress.com, and if URL filtering is active, try opening Facebook: it will definitely be blocked.
8. It is protected from the outside (internet) too.

OK, I'm really sleepy now; tomorrow I may edit this some more, thanks for listening. Sob, waaaah, two more days? Really? What am I going to do? It keeps me from sleeping.

4 Responses to Mikrotik Dual WAN, DMZ, Shape, Web Proxy


1. kuli_koding, on May 1st, 2010 at 04:33 said: just reading along, mas Aung, *poke poke, hrz isn't awake yet hihihi* oh dear, FB and Twitter blocked *facepalm*
2. fatah, on May 1st, 2010 at 06:03 said: yep, that's Haris's work too; for two weeks we've been dating over YM, remoting into the router together, going to bed at 3 every day, xixixixix. Wake him up and tell him fortune comes in the morning.
3. kuli_koding, on May 1st, 2010 at 06:15 said: he woke up straight away, mas Aung, maybe he already knew from a dream that his fortune had arrived, hihihi
4. fatah, on May 1st, 2010 at 06:22 said: straight from bed to doing the laundry, I guess?
