Belajar router mikrotik

[locantop]

Tweet

dns-nya ambil dari isp yg terkoneksi ke router dgn media yg paling kencang saja..
dhcp buat apaan.. static aja.. klo bisa sih modemnya jd bridge.. atau 1-to-1 NAT.. NAT buat PC klien biar mikrotik yg ngatur..
klo yg pernah gw praktekin (pake modem Aztech yg including router);
ip modem 10.0.0.1 (pake NAT, gw gak ngerti setting supaya jd bridge.. lagian ip public cm 1 biji.. );
ip interface mikrotik untuk internasional 10.0.0.2;
iix lewat wireless di gateway 172.16.10.1;
jadi interface kedua (iix only) pake ip 172.16.10.2
dns pake punya wireless.. biar kenceng..

sisanya tinggal setting NAT di mikrotik.. (masquerade)
klo mo pake proxy khusus buat traffic internasional bisa juga..
enaknya sih klo udah pake mikrotik versi 2.9.xx (yg ada fitur address-list)
masukin daftar ip iix ke address-list..
mangle paket" iix only..
dari situ mangle-nya bisa dipake buat redirect (transparent proxy international only)
atau buat bikin queue (bandwidth management) yg terpisah antara iix dan internasional..

gitchuu.. cmiiw..

hehe masih lier eyy hehe ya besok mau di praktekin,thanks berat yah

[tjdykb]

Tweet

Ini how-to-versi gua ya .., sapa tau ada gunanya
Tolong dibenerin kalau ada yg salah...

Melakukan Static Routing 2 koneksi (wireless-adsl) ke 2 tujuan (IIX-intl)..

Sumber = ngoprek, baca2 (gak ada hasil penemuan sendiri)

Asumsi adsl untuk koneksi international, wireless untuk koneksi lokal (IIX)

Asumsi 3 interface (Router OS Box) ..

public -->terhubung dengan lan port router adsl
public-wireless, -->terhubung dengan radio client-infrastructure/ client-bridge yang terasosiasi dengan ap di pihak ISP
local --> terhubung dengan Swicth ke Jaringan Lokal


Asumsi IP Address

public 202.xx.xx.62/30 -->gateway 202.xx.xx.61 (ip lan modem adsl)
public-wireless 172.xx.xx.2/29 --> gateway 172.xx.xx.1 (ip local router isp)
lan 192.168.10.1/24 --> berfungsi sebagai gateway untuk jaringan local..

Kalau gua lebih prefer pakai static-routing, pernah sih coba2 pake routing-mark melalui mangle .. sayangnya tidak berhasil...

Static Routing

Untuk melakukan static routing iix-intl yg pertama harus kita ketahui adalah IP2 apa saja yang termasuk ke dalam IP blok IIX.. daftar lengkapnya terupdate dapat diakses melalui fasilitas looking glass (nice) yg salah satunya bisa diakses di http://lg.mohonmaaf.com , klik submit keluar deh

Code:

  Network          Next Hop            Metric LocPrf Weight Path
*> 58.65.240.0/24   218.100.27.242           0   1000      0 24535 i
*> 58.65.241.0/24   218.100.27.242           0   1000      0 24535 i
*> 58.65.242.0/24   218.100.27.242           0   1000      0 24535 i
*> 58.65.243.0/24   218.100.27.242           0   1000      0 24535 i
*> 58.65.244.0/24   218.100.27.242           0   1000      0 24535 i
*> 58.65.245.0/24   218.100.27.242           0   1000      0 24535 i
*> 58.65.246.0/24   218.100.27.242           0   1000      0 24535 i
*> 58.65.247.0/24   218.100.27.242           0   1000      0 24535 iMasih banyak lagi...

Yang di bawah kolom Network adalah ip blok yang termasuk ke dalam IIX.

Di mikrotik masukkan terlebih dahulu default gatewaynya.. (default routing) dalam kasus ini adalah

Code:

/ ip route add dst-address=0.0.0.0/0 gateway=202.xx.xx.61 comment="Default" disabled=no

kemudian masukkan ip-blok yg tadi di dapat dari nice ke dalam tabel routing, biar gampang pake excel seperti yg bro diatas bilang bisa ...dalam kasus ini seperti berikut;

Code:

/ ip route 
add dst-address=58.65.240.0/24 gateway=172.xx.xx.1 scope=255 target-scope=10 \
    comment="Gateway IIX" disabled=no 
add dst-address=58.65.241.0/24 gateway=172.xx.xx.1 scope=255 target-scope=10 \
    comment="Gateway IIX" disabled=no 
add dst-address=58.65.242.0/24 gateway=172.xx.xx.1 scope=255 target-scope=10 \
    comment="Gateway IIX" disabled=no 
add dst-address=58.65.243.0/24 gateway=172.xx.xx.1 scope=255 target-scope=10 \
    comment="Gateway IIX" disabled=no 
add dst-address=58.65.244.0/24 gateway=172.xx.xx.1 scope=255 target-scope=10 \
    comment="Gateway IIX" disabled=no 
add dst-address=58.65.245.0/24 gateway=172.xx.xx.1 scope=255 target-scope=10 \
    comment="Gateway IIX" disabled=no 
add dst-address=58.65.246.0/24 gateway=172.xx.xx.1 scope=255 target-scope=10 \
    comment="Gateway IIX" disabled=no 

...... dan seterusnya

Dikasih comment Gateway IIX untuk implementasi netwatch kl link wireless putus, akan digambarkan belakangan... skript yg mungkin gak update bisa diliahat di http://indoupload.net/files/1/Router...ix-routing.rsc

Jangan lupa gantikan 172.xx.xx.1 dengan gateway wireless anda
, kalau pake ultraedit Ctrl-R .. find&replace , kopi dan paste di ssh router os atau terminal...

Setelah static routing dimasukkan maka otomatis permintaan ke IIX akan memakai gateway 172.xx.xx.1 dan permintaan ke intl akan memakai gateway 202.xx.xx.61, jika di traceroute dari routernya akan terlihat seperti ini;

Untuk Intl..

Code:

[tjdykb@mt] > /tool traceroute google.com
     ADDRESS                                    STATUS
   1 202.xx.xx.61   2ms 1ms 1ms 
   2 202.xx.xx.33   61ms 85ms 64ms 
   3 202.xx.xx.230  67ms 59ms 67ms 
   4 202.xx.xx.233  57ms 61ms 73ms 
   5 202.xx.xx.1    65ms 68ms 63ms 

.. dan seterusnya ada kira2 20 hop

Untuk IIX

Code:

[tjdykb@mt] > /tool traceroute boleh.com 
     ADDRESS                                    STATUS
   1 172.xx.xx.1     4ms 3ms 2ms 
   2 202.xx.xx.105  15ms 5ms 10ms 
   3 202.xx.xx.1    6ms 10ms 7ms 
   4 202.xx.xx.141  11ms 7ms 7ms 
   5 218.xx.xx.173  7ms 10ms 13ms 
   6 202.xx.xx.6     8ms 6ms 10ms 

ada 6 hop

Apabila koneksi wirelessnya rentan putus, atau link adsl lebih stabil gua menganjurkan untuk melakukan static routing ip2 dns ke gateway adsl (meskipun ip2 tersebut masuk ke golongan lokal)...

Disable Static Routing Gateway IIX

Berhubung koneksi kabel harusnya lebih stabil dari koneksi wireless, artinya ada juga putusnya, maka ada baiknya apabila kita berjaga-jaga agar koneksi lokal tidak ikut terputus apabila link wireless nya putus.

Dalam contoh ini fasilitas yang digunakan adalah /tool netwatch .. melakukan ping ke gateway IIX atau pun IP yg terletak di Cyber (apabila backhaul ISP juga menggunakan wireless yg rentan putus) dalam contoh ini adalah 202.xx.xx.141 (lihat hasil traceroute lokal no.4)..

Ping dilakukan secara periodik misalnya 15 detik sekali dengan batasan time-out 100ms.

Apabila link terputus.. baik link antara kita dengan ISP atau ISP dengan Cyber, maka status di netwatch akan berubah menjadi down, dan akan menjalankan script yang mendisable entry static routing yang memiliki coment "Gateway IIX"...Apabila telah up kembali maka status berubah menjadi up dan akan menjalan script yang mengenable..

Code:

/ tool netwatch 
add host=172.xx.xx.1 timeout=100ms interval=15s \
    up-script="/ip route enable \[/ip route find \
    comment=\"Gateway IIX\"\]" down-script="/ip route \
    disable \[/ip route find comment=\"Gateway IIX\"\]" \
    comment="Ping Gateway IIX" disabled=no

Jangan lupa ganti 172.xx.xx.1 dengan gateway wirelessnya...

Maaf kalau kepanjangan, semoga membantu
Sekian

[battousan]

Tweet

nah iya.. begitu maksud gwa.. wekkekeke..

hayuh rame" pencet kotak ijo di pojok kanan atas postingan oom tjdykb.. ^^

[amdferrari]

Tweet

pengen nyoba...sayang koneksi gw ga bisa dipisah

[ponywaterhousecoopers]

Tweet

gak gtu repot agh.. kan ada excel..
niy gw ada skripnya yg udah jadi..

lagipula di sini ada tutorialnya koq.. (dari forum sebelah.. forum sebelah ngambil dr milis.. ^^)
http://www.datautama.net.id/harijant...tik-Versi2.htm

gw dah ikutin step2 ini..
misalnya kalo gw mo bikin satu pc cuman bisa akses IIX doang gmn yah?
dia ga boleh akses internasional..
(buat game center nih..., biar user ga pada browsing ke luar)

[battousan]

Tweet

pasang firewall aja..
misal:

Code:

add chain=forward in-interface=LAN src-address=!192.168.2.200 \
    src-address-list=client-game dst-address-list=!iix action=reject \
    reject-with=icmp-network-unreachable \
    comment="clientgame-international-direct-block-except-operator" disabled=no

di contoh itu ip 192.168.2.200~215 ada di address-list yg sama (client-game only) dimana 200 adalah ip komputer operator warnet..

EDIT:
oh klo misalnya ada transparent proxy-nya.. pasang rule..

Code:

add chain=input src-address=!192.168.2.0/24 protocol=tcp dst-port=3128 \
    action=drop comment="" disabled=no

ini prosedur standar kale yah.. biar proxy kita ngga dicuri dari luar.. *free proxy* hehe
btw, dst-port=port proxy

Code:

add chain=input src-address=192.168.2.200 protocol=tcp dst-port=3128 \
    action=accept comment="operator-klikgame-browsing-international-allow" \
    disabled=no

ini biar operatornya bisa browsing..

Code:

add chain=input in-interface=LAN protocol=tcp dst-port=3128 \
    src-address-list=client-game action=reject \
    reject-with=icmp-network-unreachable \
    comment="klikgame-browsing-international-block" disabled=no

ini buat blokir address-address yg ada di address-list=client-game, tapi klo udah di-allow di rule sebelumnya maka gak kena.. (# active sorting mode)

cmiiw..

[ponywaterhousecoopers]

Tweet

pasang firewall aja..
misal:

Code:

add chain=forward in-interface=LAN src-address=!192.168.2.200 \
    src-address-list=client-game dst-address-list=!iix action=reject \
    reject-with=icmp-network-unreachable \
    comment="clientgame-international-direct-block-except-operator" disabled=no

di contoh itu ip 192.168.2.200~215 ada di address-list yg sama (client-game only) dimana 200 adalah ip komputer operator warnet..

thanks bangetttt...

bro, itu masukin

Code:

src-address-list=client-game 
dst-address-list=!iix

itu gmn yah?
apa musti masukin IP nya satu2?

[battousan]

Tweet

ya klo rajin sih bisa aja masukin satu"..
tapi klo entry-nya banyak, paling enak pake script bro..
nih buat address-list iixnya..

Code:

/ ip firewall address-list 
add list=iix address=32.234.168.0/21
add list=iix address=61.5.0.0/17
add list=iix address=61.14.0.0/18
add list=iix address=61.94.0.0/16
add list=iix address=141.103.0.0/16
add list=iix address=152.158.240.0/21
add list=iix address=193.47.8.0/23
add list=iix address=202.3.208.0/20
add list=iix address=202.6.208.0/20
add list=iix address=202.6.224.0/20
add list=iix address=202.10.32.0/19
add list=iix address=202.12.20.0/24
add list=iix address=202.43.128.0/17
add list=iix address=202.46.0.0/16
add list=iix address=202.47.64.0/20
add list=iix address=202.47.192.0/19
add list=iix address=202.51.96.0/19
add list=iix address=202.51.224.0/19
add list=iix address=202.53.224.0/19
add list=iix address=202.55.160.0/20
add list=iix address=202.57.0.0/21
add list=iix address=202.57.16.0/20
add list=iix address=202.58.64.0/22
add list=iix address=202.58.68.0/22
add list=iix address=202.58.200.0/22
add list=iix address=202.59.160.0/20
add list=iix address=202.59.192.0/20
add list=iix address=202.65.112.0/21
add list=iix address=202.65.236.0/22
add list=iix address=202.67.32.0/20
add list=iix address=202.69.96.0/20
add list=iix address=202.70.48.0/20
add list=iix address=202.72.192.0/19
add list=iix address=202.73.96.0/19
add list=iix address=202.73.224.0/20
add list=iix address=202.75.16.0/21
add list=iix address=202.75.96.0/20
add list=iix address=202.77.64.0/20
add list=iix address=202.77.96.0/19
add list=iix address=202.78.192.0/20
add list=iix address=202.80.112.0/20
add list=iix address=202.80.208.0/20
add list=iix address=202.81.58.0/23
add list=iix address=202.81.60.0/22
add list=iix address=202.87.176.0/20
add list=iix address=202.92.192.0/23
add list=iix address=202.93.32.0/20
add list=iix address=202.93.112.0/24
add list=iix address=202.95.128.0/19
add list=iix address=202.123.224.0/20
add list=iix address=202.127.96.0/20
add list=iix address=202.134.0.0/22
add list=iix address=202.135.4.0/22
add list=iix address=202.135.23.0/24
add list=iix address=202.135.28.0/24
add list=iix address=202.135.42.0/24
add list=iix address=202.135.54.0/23
add list=iix address=202.135.111.0/24
add list=iix address=202.135.129.0/24
add list=iix address=202.135.132.0/22
add list=iix address=202.135.145.0/24
add list=iix address=202.135.155.0/24
add list=iix address=202.135.161.0/24
add list=iix address=202.135.226.0/24
add list=iix address=202.135.248.0/21
add list=iix address=202.136.64.0/19
add list=iix address=202.137.0.0/19
add list=iix address=202.138.224.0/19
add list=iix address=202.143.32.0/22
add list=iix address=202.143.96.0/20
add list=iix address=202.145.0.0/20
add list=iix address=202.146.0.0/21
add list=iix address=202.146.32.0/22
add list=iix address=202.146.128.0/23
add list=iix address=202.146.224.0/19
add list=iix address=202.147.192.0/20
add list=iix address=202.147.224.0/19
add list=iix address=202.148.0.0/19
add list=iix address=202.149.64.0/20
add list=iix address=202.149.80.0/21
add list=iix address=202.149.88.0/24
add list=iix address=202.149.128.0/19
add list=iix address=202.150.0.0/20
add list=iix address=202.150.32.0/20
add list=iix address=202.150.64.0/19
add list=iix address=202.150.128.0/21
add list=iix address=202.150.224.0/20
add list=iix address=202.150.240.0/21
add list=iix address=202.150.248.0/22
add list=iix address=202.152.0.0/18
add list=iix address=202.152.160.0/20
add list=iix address=202.152.224.0/19
add list=iix address=202.153.128.0/21
add list=iix address=202.153.144.0/20
add list=iix address=202.153.224.0/19
add list=iix address=202.154.0.0/18
add list=iix address=202.154.176.0/20
add list=iix address=202.155.0.0/17
add list=iix address=202.155.128.0/19
add list=iix address=202.158.0.0/17
add list=iix address=152.118.24.0/22
add list=iix address=167.205.0.0/16
add list=iix address=202.159.0.0/17
add list=iix address=202.160.254.0/24
add list=iix address=202.162.32.0/20
add list=iix address=202.162.192.0/19
add list=iix address=202.165.32.0/20
add list=iix address=202.167.97.0/24
add list=iix address=202.169.32.0/19
add list=iix address=202.169.224.0/20
add list=iix address=202.170.224.0/22
add list=iix address=202.171.0.0/20
add list=iix address=202.173.64.0/22
add list=iix address=202.173.91.0/24
add list=iix address=202.173.95.0/24
add list=iix address=202.180.0.0/19
add list=iix address=202.183.0.0/19
add list=iix address=203.77.208.0/22
add list=iix address=203.77.222.0/23
add list=iix address=203.77.224.0/19
add list=iix address=203.83.32.0/21
add list=iix address=203.99.96.0/19
add list=iix address=203.123.224.0/19
add list=iix address=203.128.64.0/19
add list=iix address=203.130.192.0/18
add list=iix address=203.163.66.0/24
add list=iix address=203.163.76.0/24
add list=iix address=203.163.81.0/24
add list=iix address=203.163.88.0/24
add list=iix address=203.163.113.0/24
add list=iix address=203.194.70.0/24
add list=iix address=205.248.57.0/24
add list=iix address=205.248.151.0/24
add list=iix address=205.248.158.0/24
add list=iix address=206.73.80.0/24
add list=iix address=206.73.192.0/18
add list=iix address=206.182.192.0/18
add list=iix address=206.182.36.0/24
add list=iix address=207.83.112.0/20
add list=iix address=207.117.234.0/24
add list=iix address=207.209.192.0/18
add list=iix address=208.35.66.0/23
add list=iix address=208.35.198.0/24
add list=iix address=209.93.224.0/19
add list=iix address=210.23.64.0/22
add list=iix address=210.23.68.0/23
add list=iix address=216.252.165.0/24
add list=iix address=218.100.4.0/24
add list=iix address=218.100.27.0/24
add list=iix address=202.93.0.0/19
add list=iix address=202.67.8.0/21
add list=iix address=210.210.145.0/24
add list=iix address=202.89.208.0/20
add list=iix address=222.124.0.0/16
add list=iix address=219.83.0.0/17
add list=iix address=203.119.13.0/24
add list=iix address=202.58.182.0/23
add list=iix address=203.84.152.0/21
add list=iix address=202.122.168.0/21
add list=iix address=203.89.16.0/20
add list=iix address=58.65.240.0/23
add list=iix address=141.103.0.0/16

kopi-paste ke notepad.. trus save-as iix-address.rsc
upload ke mikrotik via ftp.. trus lewat consolenya tinggal di-import..

btw, itu daftarnya udah agak lama.. mohon di-crosscheck di lg.mohonmaaf.com
langsung klik submit aja.. trus kopi paste ke notepad..
selanjutnya tinggal di buka pake excel buat di pilah"..
tapi hati" banyak address yg overlap..
entry 222.124.0.0/16 itu sudah mewakili entry" dibawahnya (222.124.x.x)
nah ini yg repot.. hehe..

[ponywaterhousecoopers]

Tweet

kalo overlap kaya gini gmn bro?

Code:

125.162.0.0/16
125.162.0.0/21

dipilih yg mana yah?

thanks..

[battousan]

Tweet

125.162.0.0/16 = 125.162.0.1~125.162.255.254
125.162.0.0/21 = 125.162.0.1~125.162.7.254 (udah termasuk diatas kan..)