
 settingan mikrotik diwarnetku....

zoky

Subyek: settingan mikrotik diwarnetku.... (Tue Nov 08, 2011 11:50 pm)

IP mikrotik kearah modem = 192.168.1.2
IP jaringan lokal = 192.168.2.0/24
IP mesin proxy = 192.168.3.2

-----------------------------------------


# Name the three Ethernet ports after their role: uplink, client LAN, proxy segment.
/interface set ether1 name=Public comment="Public Interface"
/interface set ether2 name=Local comment="Local Interface"
/interface set ether3 name=Proxy comment="Proxy Interface"


# One /24 per segment. The router is .2 on the uplink and .1 on both inside segments.
/ip address add interface=Public address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 disabled=no comment=""
/ip address add interface=Local address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 disabled=no comment=""
/ip address add interface=Proxy address=192.168.3.1/24 network=192.168.3.0 broadcast=192.168.3.255 disabled=no comment=""

# Default route through 192.168.1.1 on the Public segment (presumably the modem).
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 disabled=no comment=""

# Router DNS cache. allow-remote-requests=yes makes the router answer DNS queries from
# any host that can reach it, so the input chain has to keep the Public side closed;
# otherwise the router works as an open resolver.
# The first upstream is 192.168.3.2 (the proxy machine in the post header); the others
# are public resolvers.
/ip dns set servers="192.168.3.2 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220" allow-remote-requests=yes cache-size=4096KiB cache-max-ttl=1w max-udp-packet-size=512

# Static name for the resolver on the proxy machine.
/ip dns static add name="unbound" address=192.168.3.2 ttl=1d

# Management services: telnet, ftp, www-ssl and api are switched off;
# www (plain HTTP), ssh and winbox stay enabled.
# NOTE(review): every service keeps address=0.0.0.0/0, i.e. no source restriction at the
# service level, and the input chain only filters the Public interface, so any client
# on the Local segment can reach the enabled logins. Consider limiting address= to the
# admin workstation and preferring ssh/winbox over the unencrypted www login.
/ip service set telnet port=23 disabled=yes address=0.0.0.0/0
/ip service set ftp port=21 disabled=yes address=0.0.0.0/0
/ip service set www port=80 disabled=no address=0.0.0.0/0
/ip service set ssh port=22 disabled=no address=0.0.0.0/0
/ip service set www-ssl port=443 disabled=yes certificate=none address=0.0.0.0/0
/ip service set api port=8728 disabled=yes address=0.0.0.0/0
/ip service set winbox port=8291 disabled=no address=0.0.0.0/0

# Clock source, timezone and router identity. A synchronised clock keeps log
# timestamps and the scheduler start-time meaningful.
/system ntp client set enabled=yes mode=unicast primary-ntp=203.160.128.6 secondary-ntp=202.169.224.16
/system clock set time-zone-name=Asia/Jakarta
/system identity set name=pasoepatiNET

# Address lists referenced by the filter, NAT and mangle rules:
# LOCAL-NET is the client LAN, PROXY-NET is the proxy segment.
/ip firewall address-list add list=LOCAL-NET address=192.168.2.0/24 disabled=no comment=""
/ip firewall address-list add list=PROXY-NET address=192.168.3.0/24 disabled=no comment=""

# Download nice.rsc from ixp.mikrotik.co.id and execute it.
# NOTE(review): mode=http is cleartext and unauthenticated, and /import runs every
# command in the file with the privileges of the current user. Whoever controls the
# path to that server, or the server itself, controls this router's configuration.
# Inspect the downloaded file before importing it; where the server and the RouterOS
# release support it, fetch over https with certificate checking instead.
# The mangle rules in this post match dst-address-list=nice, which this script
# presumably populates - confirm by reading the file.
/tool fetch mode=http address=ixp.mikrotik.co.id src-path=/download/nice.rsc;

/import nice.rsc;

# Layer-7 patterns consumed by the "streaming" and "download" mangle rules.
# They match on packet payload, so they can only classify traffic whose request line
# is visible in cleartext; encrypted sessions will not match.
/ip firewall layer7-protocol add name=Youtube regexp="^.*get.+.c.youtube.com.*\$" comment=""
/ip firewall layer7-protocol add name=Download regexp="^.*get.+\\.(exe|rar|zip|7z|cab|msi|asf|mov|wmv|mpg|mpeg|mkv|avi|flv|pdf|wav|rm|mp3|mp4|ram|rmvb|dat|daa|iso|nrg|bin|vcd|mp2|3gp|mpe|qt|raw|wma|ogg|doc|deb|tar|bzip|gzip|gzip2|0[0-9][0-9]).*\$" comment=""

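# Forward chain: traffic entering on Public for the LAN and the proxy segment is accepted.
# NOTE(review): the forward chain has no drop rule, so these two accepts do not restrict
# anything, and because they sit above the SYN-Protect jump, connections coming in from
# Public never pass through that limiter.
/ip firewall filter add chain=forward in-interface=Public out-interface=Local dst-address-list=LOCAL-NET action=accept comment="Allow semua akses internet to Local" disabled=no
/ip firewall filter add chain=forward in-interface=Public out-interface=Proxy dst-address-list=PROXY-NET action=accept comment="Allow semua akses internet to Proxy" disabled=no

# Input chain, Public side: what may reach the router itself from the uplink.
# Winbox stays reachable from Public as in the original post.
# NOTE(review): narrow this with src-address or src-address-list to known admin addresses;
# a management login open to every source is the first thing scanners find.
/ip firewall filter add chain=input in-interface=Public protocol=tcp dst-port=8291 action=accept comment="Allow Remote winbox dari Publik" disabled=no
# Replies to traffic the router started itself (NTP, DNS lookups, HTTP fetch).
# The original accepted any packet whose SOURCE port was 123, 53, 80, 8080 or 3128.
# The sender picks the source port, so those rules opened every router service to any
# remote host. Matching on connection-tracking state admits genuine replies only.
# Two rules are used because older RouterOS releases take a single connection-state value.
/ip firewall filter add chain=input in-interface=Public connection-state=established action=accept comment="Allow replies to router traffic (NTP, DNS, WEB)" disabled=no
/ip firewall filter add chain=input in-interface=Public connection-state=related action=accept comment="Allow related traffic" disabled=no
/ip firewall filter add chain=input in-interface=Public protocol=icmp action=accept comment="Allow Ping Traceroute Traffic" disabled=no
# New TCP SYNs in the forward chain go through SYN-Protect: accepted while within
# limit=400,5 (rate, burst), dropped above it. The limit is shared by all sources.
/ip firewall filter add action=jump chain=forward comment="SYN Flood protect" connection-state=new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
/ip firewall filter add action=accept chain=SYN-Protect comment="" connection-state=new disabled=no limit=400,5 protocol=tcp tcp-flags=syn
/ip firewall filter add action=drop chain=SYN-Protect comment="" connection-state=new disabled=no protocol=tcp tcp-flags=syn
# Record the source of every new connection attempt that reached this point in the
# "spam" list for 30 minutes. No rule in this post reads that list; it only serves as a record.
/ip firewall filter add chain=input in-interface=Public connection-state=new action=add-src-to-address-list address-list=spam address-list-timeout=30m comment="Log Ip Yang Di Tolak ( SPAM )" disabled=no
# Everything else arriving on Public for the router is dropped.
/ip firewall filter add chain=input in-interface=Public action=drop comment="Drop Semua Akses yang tidak di ijinkan" disabled=no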

# Connection tracking with shortened timeouts. Tracking must stay enabled: the NAT
# rules and every connection-state / connection-mark match depend on it.
# NOTE(review): tcp-syncookie=no leaves SYN cookies off. The SYN-Protect chain is only
# jumped to from the forward chain, so SYNs aimed at the router itself are not rate
# limited by it - consider tcp-syncookie=yes.
/ip firewall connection tracking set enabled=yes tcp-syncookie=no tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m

# Source NAT: everything leaving through Public is masqueraded behind the router address.
ip firewall nat add action=masquerade chain=srcnat out-interface=Public comment="MASQUERADE"
# Transparent proxy: TCP 80/8080/3128 from the LAN is rewritten to 192.168.3.2:3128,
# unless the destination is already inside PROXY-NET.
# The comment text is a lookup key: the netwatch up/down scripts find this rule by it.
ip firewall nat add action=dst-nat chain=dstnat dst-address-list=!PROXY-NET dst-port=80,8080,3128 in-interface=Local protocol=tcp to-addresses=192.168.3.2 to-ports=3128 comment="TRANSPARENT PROXY" disabled=no
# Forced DNS: UDP and TCP port 53 from the LAN goes to the resolver on 192.168.3.2,
# whatever server the client asked for. Both rules share one comment, so the netwatch
# scripts enable and disable them together.
ip firewall nat add action=dst-nat chain=dstnat dst-address-list=!PROXY-NET dst-port=53 in-interface=Local protocol=udp to-addresses=192.168.3.2 to-ports=53 comment="TRANSPARENT UNBOUND" disabled=no
ip firewall nat add action=dst-nat chain=dstnat dst-address-list=!PROXY-NET dst-port=53 in-interface=Local protocol=tcp to-addresses=192.168.3.2 to-ports=53 comment="TRANSPARENT UNBOUND" disabled=no
# Remaining port-53 rules for Local and Proxy carry to-ports=53 but no to-addresses.
# NOTE(review): presumably meant to hand DNS to the router's own cache when the rules
# above are disabled; action=redirect is the usual way to express that - verify that
# these rules do what is intended on the RouterOS release in use.
ip firewall nat add action=dst-nat chain=dstnat dst-port=53 in-interface=Local protocol=udp to-ports=53 comment="TRANSPARENT DNS"
ip firewall nat add action=dst-nat chain=dstnat dst-port=53 in-interface=Local protocol=tcp to-ports=53
ip firewall nat add action=dst-nat chain=dstnat dst-port=53 in-interface=Proxy protocol=udp to-ports=53
ip firewall nat add action=dst-nat chain=dstnat dst-port=53 in-interface=Proxy protocol=tcp to-ports=53

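# Forward SSH arriving on the uplink to the proxy machine ("Remote Proxy").
# in-interface=Public is added: without an interface match the rule also rewrote every
# port-22 connection coming from the Local and Proxy segments, whatever its destination,
# including SSH sessions meant for the router itself.
# to-address is written out as to-addresses, matching the other NAT rules in this post.
# NOTE(review): this publishes the proxy's SSH daemon to anything that can reach the
# Public address. Restrict the rule with a src-address-list of admin addresses and use
# key-based authentication on the proxy.
/ip firewall nat add chain=dstnat action=dst-nat in-interface=Public protocol=tcp dst-port=22 to-addresses=192.168.3.2 to-ports=22 comment="Remote Proxy"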


# Custom chain "Local": packets sourced from LOCAL-NET get mark Local-in, packets
# destined to LOCAL-NET get Local-out. passthrough=yes lets later rules re-mark them.
ip firewall mangle add action=mark-packet new-packet-mark=Local-in chain=Local src-address-list=LOCAL-NET passthrough=yes comment="Mark Packet Local"
ip firewall mangle add action=mark-packet new-packet-mark=Local-out chain=Local dst-address-list=LOCAL-NET passthrough=yes
# The chain is entered from both prerouting and forward.
ip firewall mangle add action=jump jump-target=Local chain=prerouting
ip firewall mangle add action=jump jump-target=Local chain=forward

# Packets carrying DSCP 12 are marked proxy-hit and leave the mangle chain (passthrough=no).
# Presumably the proxy tags cache hits with DSCP 12 - confirm against the proxy config.
# NOTE(review): DSCP is set by whoever sends the packet, and this rule has no source
# match; adding src-address-list=PROXY-NET would keep the mark to traffic from the proxy.
ip firewall mangle add action=mark-packet new-packet-mark=proxy-hit chain=forward dscp=12 passthrough=no comment=Proxy-HIT-DSCP-12

# "Critical" class: ICMP and DNS (udp/tcp 53) leaving the router are re-tagged DSCP 1,
# connections seen with DSCP 1 are marked critical-conn, and their packets get mark "critical".
ip firewall mangle add action=change-dscp chain=postrouting comment=Critical disabled=no new-dscp=1 protocol=icmp
ip firewall mangle add action=change-dscp chain=postrouting comment="" disabled=no dst-port=53 new-dscp=1 protocol=udp
ip firewall mangle add action=change-dscp chain=postrouting comment="" disabled=no dst-port=53 new-dscp=1 protocol=tcp
ip firewall mangle add action=mark-connection chain=postrouting comment="" disabled=no dscp=1 new-connection-mark=critical-conn passthrough=yes
ip firewall mangle add action=mark-packet chain=postrouting comment="" connection-mark=critical-conn disabled=no new-packet-mark=critical passthrough=no

# Connections whose packets carry Local-in become Local-conn; every per-application
# rule below matches on that connection mark.
# NOTE(review): the second rule repeats the first with hotspot=!auth added, so it
# marks nothing the first rule has not already marked - confirm whether it is needed.
ip firewall mangle add action=mark-connection new-connection-mark=Local-conn chain=prerouting packet-mark=Local-in passthrough=yes comment="All Mark Conn"
ip firewall mangle add action=mark-connection new-connection-mark=Local-conn chain=prerouting packet-mark=Local-in passthrough=yes hotspot=!auth

# Online games: LAN connections (Local-conn) to the listed ports are re-marked games-conn,
# but only when the destination is in address list "nice". That list is not defined in
# this post; presumably the imported nice.rsc creates it - confirm.
# The comment on the first rule of each group names the game.
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=udp dst-port=27017 dst-address-list=nice passthrough=yes comment=CounterStrike
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=39100,39110,39220,39190,49100 dst-address-list=nice passthrough=yes comment=PointBlank
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=udp dst-port=40000-40010 dst-address-list=nice passthrough=yes
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=10009,13008,16666,28012 dst-address-list=nice passthrough=yes comment=CrossFire
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=udp dst-port=12020-12080 dst-address-list=nice passthrough=yes
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=udp dst-port=13000-13080 dst-address-list=nice passthrough=yes
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=27780 dst-address-list=nice passthrough=yes comment=RF
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=18901-18909 dst-address-list=nice passthrough=yes comment=AyoDance
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=2001 dst-address-list=nice passthrough=yes comment=IdolStreet
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=4300 dst-address-list=nice passthrough=yes comment=Atlantica
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=7341-7350 dst-address-list=nice passthrough=yes comment=X-Shot
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=7451 dst-address-list=nice passthrough=yes
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=8421 dst-address-list=nice passthrough=yes
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=udp dst-port=7777-7977 dst-address-list=nice passthrough=yes
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=9376-9377 dst-address-list=nice passthrough=yes comment=Avalon
ip firewall mangle add action=mark-connection new-connection-mark=games-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=5340-5352 dst-address-list=nice passthrough=yes comment=WarRock
# Packets of games-conn connections get packet mark "games" unless already marked
# proxy-hit; passthrough=no stops further mangle processing for them.
ip firewall mangle add action=mark-packet new-packet-mark=games connection-mark=games-conn chain=forward packet-mark=!proxy-hit passthrough=no comment="Mark All Games OL"

# Poker: LAN connections to tcp 843/9339, or containing the given hostname in the
# payload, become poker-conn; their packets get mark "poker" unless marked proxy-hit.
ip firewall mangle add action=mark-connection new-connection-mark=poker-conn connection-mark=Local-conn chain=prerouting protocol=tcp dst-port=843,9339 passthrough=yes comment=Poker
ip firewall mangle add action=mark-connection new-connection-mark=poker-conn connection-mark=Local-conn chain=prerouting protocol=tcp content=statics.poker.static.zynga.com passthrough=yes
ip firewall mangle add action=mark-packet new-packet-mark=poker connection-mark=poker-conn chain=forward packet-mark=!proxy-hit passthrough=no

# Facebook: matched on two CDN hostnames in the packet payload (content=), so it only
# sees traffic where that text travels in cleartext.
ip firewall mangle add action=mark-connection new-connection-mark=FB-conn connection-mark=Local-conn chain=prerouting protocol=tcp content=profile.ak.fbcdn.net passthrough=yes comment=Facebook
ip firewall mangle add action=mark-connection new-connection-mark=FB-conn connection-mark=Local-conn chain=prerouting protocol=tcp content=static.ak.fbcdn.net passthrough=yes
ip firewall mangle add action=mark-packet new-packet-mark=FB connection-mark=FB-conn chain=forward packet-mark=!proxy-hit passthrough=no

# Upload: connections from the proxy segment to anything outside LOCAL-NET.
ip firewall mangle add action=mark-connection new-connection-mark=upload-conn chain=prerouting src-address-list=PROXY-NET dst-address-list=!LOCAL-NET passthrough=yes comment=Upload
ip firewall mangle add action=mark-packet new-packet-mark=upload connection-mark=upload-conn chain=forward passthrough=no

# Streaming: Local-conn packets matching the Youtube layer-7 pattern.
ip firewall mangle add action=mark-packet new-packet-mark=streaming connection-mark=Local-conn chain=forward layer7-protocol=Youtube packet-mark=!proxy-hit passthrough=no comment=Youtube

# Download: Local-conn TCP packets matching the Download layer-7 pattern.
# Browsing is the catch-all for remaining Local-conn TCP, so it must stay last:
# every rule above ends with passthrough=no and is therefore order-sensitive.
ip firewall mangle add action=mark-packet new-packet-mark=download connection-mark=Local-conn chain=forward protocol=tcp layer7-protocol=Download packet-mark=!proxy-hit passthrough=no comment=Download
ip firewall mangle add action=mark-packet new-packet-mark=browsing connection-mark=Local-conn chain=forward protocol=tcp packet-mark=!proxy-hit passthrough=no comment=Browsing


# Queue types used by the queue tree.
# The PCQ types split bandwidth per classifier value (per source or destination address,
# the game types also per port); "download" additionally sets pcq-rate=480k.
# "critical" is a short FIFO of 10 packets.
/queue type add name=upload kind=pcq pcq-classifier=src-address pcq-rate=0 pcq-limit=50 pcq-total-limit=2000
/queue type add name=download kind=pcq pcq-classifier=dst-address pcq-rate=480k pcq-limit=50 pcq-total-limit=2000
/queue type add name=critical kind=pfifo pfifo-limit=10
/queue type add name=game-up kind=pcq pcq-classifier=src-address,src-port pcq-rate=0 pcq-limit=50 pcq-total-limit=2000
/queue type add name=game-down kind=pcq pcq-classifier=dst-address,dst-port pcq-rate=0 pcq-limit=50 pcq-total-limit=2000

# Top-level queues. "Critical" (packet mark critical) sits on Public with priority 1;
# Total-Download hangs off the Local interface and Total-Upload off Public.
# A parent has to exist before its children are added, so the order below matters.
queue tree add name=Critical packet-mark=critical parent=Public priority=1 queue=critical
queue tree add name=Total-Download parent=Local
queue tree add name=Total-Upload parent=Public

# Download side, by priority: proxy cache hits (capped at 100M), games, poker,
# Facebook, then the shared client limit of 480k.
queue tree add name=1.Proxy-HIT parent=Total-Download packet-mark=proxy-hit priority=1 limit-at=0 max-limit=100M
queue tree add name=2.Games-OL parent=Total-Download packet-mark=games priority=2 limit-at=0 max-limit=0 queue=game-down
queue tree add name=3.Poker parent=Total-Download packet-mark=poker priority=3 limit-at=0 max-limit=0 queue=game-down
queue tree add name=4.FB parent=Total-Download packet-mark=FB priority=5 limit-at=0 max-limit=0 queue=game-down
queue tree add name=5.Limit-Client parent=Total-Download priority=8 limit-at=0 max-limit=480k

# Children of 5.Limit-Client: browsing up to 480k, downloads up to 256k, streaming up to 112k.
queue tree add name=1.Browsing parent=5.Limit-Client packet-mark=browsing priority=1 limit-at=0 max-limit=480k queue=download
queue tree add name=2.Download parent=5.Limit-Client packet-mark=download priority=5 limit-at=0 max-limit=256k queue=download
queue tree add name=3.Streaming parent=5.Limit-Client packet-mark=streaming priority=8 limit-at=0 max-limit=112k queue=download

# Upload side: games and poker first, everything else under 3.Upload (160k).
queue tree add name=1.Games-Up parent=Total-Upload packet-mark=games priority=1 limit-at=0 max-limit=0 queue=game-up
queue tree add name=2.Poker-Up parent=Total-Upload packet-mark=poker priority=2 limit-at=0 max-limit=0 queue=game-up
queue tree add name=3.Upload parent=Total-Upload priority=8 limit-at=0 max-limit=160k

# Packets marked "upload" (connections from the proxy segment) are queued under 3.Upload.
queue tree add name=Http-Up parent=3.Upload packet-mark=upload priority=1 limit-at=0 max-limit=0 queue=upload

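# Probe the proxy machine every 10 s (1000 ms timeout). The up/down scripts given below
# switch the TRANSPARENT PROXY and TRANSPARENT UNBOUND NAT rules on and off, so clients
# are only redirected while the proxy answers.
# The post had host=192.168.4.2 here, an address in none of the three subnets defined
# above; the proxy is 192.168.3.2 per the post header. With the wrong host the probe
# would fail permanently and the down script would keep the redirect rules disabled.
# NOTE(review): confirm 192.168.3.2 is the address the proxy answers ping on.
/tool netwatch add host=192.168.3.2 interval=10s timeout=1000ms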

Netwatch di atas diisi dengan script berikut (kolom up-script dan down-script) :

up :

# Up script: the proxy answers again, so re-enable the redirect rules.
# Rules are located by their comment text; both TRANSPARENT UNBOUND rules (udp and tcp)
# share one comment and are switched together.
/ip firewall nat enable [find comment="TRANSPARENT PROXY"]
/ip firewall nat enable [find comment="TRANSPARENT UNBOUND"]

Down :

# Down script: the proxy stopped answering, so disable the redirect rules and let
# clients go out directly. Renaming a rule's comment breaks this lookup silently.
/ip firewall nat disable [find comment="TRANSPARENT PROXY"]
/ip firewall nat disable [find comment="TRANSPARENT UNBOUND"]


proses update nice.rsc juga dapat dilakukan secara otomatis :

# Daily job at 10:00: delete the old nice.rsc if present, download a fresh copy, import it.
# NOTE(review): this runs unattended. The download is plain HTTP with no integrity
# check, and /import executes whatever the file contains with the scheduler owner's
# rights, so a tampered or replaced file reconfigures the router once a day without
# anyone looking at it. Prefer https with certificate checking where supported, run the
# job under a user whose policy is limited to what the import needs, and alert on
# changes outside the expected address-list entries.
/system scheduler add name="update nice.rsc" comment="UPDATE IP NICE" start-date=jan/01/1970 start-time=10:00:00 interval=1d disabled=no on-event=":if ([:len [/file find name=nice.rsc]] > 0) do={/file remove nice.rsc}; /tool fetch address=ixp.mikrotik.co.id src-path=/download/nice.rsc mode=http; /import nice.rsc;"