Monday, April 15, 2013

Configuring MikroTik to use an Ubuntu 11.10 proxy

 
LAN cable type between the proxy and the MikroTik:
A. If you connect a RouterBOARD (MikroTik RB) to the proxy, use a straight cable (Straight ------ Straight).
B. If you connect a PC-based MikroTik to the proxy, use a crossover cable (Straight ------ Cross).

If you followed the steps in "Install dan Setting Proxy Ubuntu Server 11.10 dengan Squid" and want to use a RouterBOARD (MikroTik) with the proxy on the Ubuntu server, follow these steps:
- First change the proxy's IP address. Start PuTTY, log in as root and run:
$ sudo nano /etc/network/interfaces
Enter the lines below (adjust the IP addresses to your network):

auto lo eth0
iface lo inet loopback
iface eth0 inet static
    # replace with the IP address of your proxy
    address 192.168.0.200
    netmask 255.255.255.0
    # replace with your gateway (the MikroTik interface facing the proxy)
    gateway 192.168.0.1


Press Ctrl+O to write the changes, then Enter. After that press Ctrl+X to exit.

- If you want to change the DNS servers on the proxy, run:
sudo nano /etc/resolv.conf
and add these lines:

# your primary DNS server
nameserver 203.130.193.74
# your secondary DNS server
nameserver 202.134.1.10


Press Ctrl+O to write the changes, then Enter. After that press Ctrl+X to exit.

- Restart your network service:
sudo /etc/init.d/networking restart

- Then edit squid.conf on the proxy and change the following line:

acl localnet src 192.168.1.0/24  # replace with your local network (the clients' network address)

Don't forget to restart Squid after changing it.

In this setup:
- proxy IP: 192.168.0.200
- MikroTik LAN IP: 192.168.1.1
- modem IP: 172.16.1.1
- MikroTik IP towards the modem: 172.16.1.2
- MikroTik IP towards the proxy: 192.168.0.1

Don't forget to clear the master port on the interface if you use a RouterBOARD:
/interface ethernet
# master-port must be set to none
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:C1:BF:05 master-port=none mtu=1500 name=ether1-gateway speed=100Mbps
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=no interface=ether2-local-master network=192.168.88.0
add address=192.168.1.1/24 comment=lan disabled=no interface=ether4-local-slave network=192.168.1.0
add address=172.16.1.2/24 comment=speedy disabled=no interface=ether3-local-slave network=172.16.1.0
add address=192.168.0.1/24 comment=proxy disabled=no interface=ether1-gateway network=192.168.0.0

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=203.130.193.74,202.134.1.10

/ip firewall address-list
add address=192.168.1.1 disabled=no list=ipwarnet
add address=192.168.1.2 disabled=no list=ipwarnet
add address=192.168.1.3 disabled=no list=ipwarnet
add address=192.168.1.4 disabled=no list=ipwarnet
add address=192.168.1.5 disabled=no list=ipwarnet
add address=192.168.1.6 disabled=no list=ipwarnet
add address=192.168.1.7 disabled=no list=ipwarnet
add address=192.168.1.8 disabled=no list=ipwarnet
add address=192.168.1.9 disabled=no list=ipwarnet
add address=192.168.1.10 disabled=no list=ipwarnet
add address=192.168.1.11 disabled=no list=ipwarnet
add address=192.168.1.12 disabled=no list=ipwarnet
add address=192.168.1.13 disabled=no list=ipwarnet
add address=192.168.1.14 disabled=no list=ipwarnet
add address=192.168.1.15 disabled=no list=ipwarnet
add address=192.168.0.1 disabled=no list=ipwarnet
add address=192.168.0.200 disabled=no list=ipwarnet
add address=192.168.0.0/24 disabled=no list=proxynet

Explanation:
Prerouting: a connection arriving from outside and entering the router through the in-interface is processed on entry, before it is sent out again through the out-interface. Prerouting is used to mark packets so that the queues act on them, and also to mark routing so that MikroTik can route the connection. This differs from the forward chain, where queues based on packet marks do not work as well, because forward only sees traffic passing through the router. If forward is used to mark packets in mangle, the packets are matched by that chain, but the queue only applies to the outbound direction, not inbound; incoming data is therefore not queued properly even though outgoing data is.

/ip firewall mangle

add action=mark-packet chain=prerouting comment="proxy hit" disabled=no dscp=12 new-packet-mark=proxy-hit passthrough=no

# ether4-local-slave is the interface facing the local network
add action=mark-connection chain=prerouting comment=http_conn disabled=no in-interface=ether4-local-slave new-connection-mark=http_conn passthrough=no protocol=tcp src-address-list=ipwarnet
add action=mark-packet chain=prerouting connection-mark=http_conn disabled=no new-packet-mark=http_conn passthrough=no protocol=tcp

# these two rules mark the modem-to-proxy connections
add action=mark-connection chain=forward comment="koneksi modem ke proxy" disabled=no in-interface=ether3-local-slave new-connection-mark=proxy_down out-interface=ether1-gateway passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=proxy_down disabled=no in-interface=ether3-local-slave new-packet-mark=proxy_down passthrough=no protocol=tcp

add action=mark-connection chain=forward comment=https_conn connection-state=new disabled=no dst-port=443 new-connection-mark=https_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=https_conn disabled=no new-packet-mark=https_conn passthrough=no

add action=mark-connection chain=prerouting comment=dns disabled=no dst-port=123 new-connection-mark=DNS passthrough=yes protocol=udp
add action=mark-connection chain=prerouting disabled=no dst-port=53 new-connection-mark=DNS passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS disabled=no new-packet-mark=DNS_PACKET passthrough=yes
add action=change-dscp chain=prerouting packet-mark=DNS_PACKET disabled=no new-dscp=12 passthrough=no

add action=mark-connection chain=forward comment="YM conn" disabled=no dst-port=5050,5100,5051 new-connection-mark=YM passthrough=no protocol=tcp
add action=mark-packet chain=prerouting connection-mark=YM disabled=no new-packet-mark=YM_conn passthrough=no

add action=mark-connection chain=input comment=winbox disabled=no dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp
# ether3-local-slave is the interface towards the modem
add action=change-mss chain=forward comment="CHANGE MMS" disabled=no in-interface=ether3-local-slave new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535

add action=mark-connection chain=prerouting comment="manipulasi Type of Service untuk ICMP Packet" disabled=no new-connection-mark=ICMP-CM passthrough=yes protocol=icmp src-address=192.168.1.0/24
add action=mark-packet chain=prerouting connection-mark=ICMP-CM disabled=no new-packet-mark=ICMP-PM passthrough=yes protocol=icmp
add action=change-dscp chain=prerouting disabled=no new-dscp=16 packet-mark=ICMP-PM passthrough=no

Note:
Meaning of "passthrough":
yes: after the action of mangle rule (a) has been executed, the traffic continues on to the next mangle rule (b) below it
no: after the action of mangle rule (a) has been executed, the traffic is not passed on to mangle rule (b) below it

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether3-local-slave src-address-list=ipwarnet
add action=dst-nat chain=dstnat comment="proxy hit" connection-mark=http_conn disabled=no dst-address-list=!proxynet dst-port=80,8080,3128 protocol=tcp src-address=!192.168.0.200 src-address-list=ipwarnet to-addresses=192.168.0.200 to-ports=3128
add action=dst-nat chain=dstnat comment=redirect_dns disabled=no dst-port=53 protocol=udp src-address=!192.168.0.200 to-addresses=192.168.0.200 to-ports=53
# 172.16.1.2 is the MikroTik address connected to the modem
add action=dst-nat chain=dstnat comment="Remote SSH from wan" disabled=no dst-address=172.16.1.2 dst-port=22,10000 protocol=tcp to-addresses=192.168.0.200 to-ports=22
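The flow matching of the "proxy hit" dst-nat rule, as an added example (Python, not the author's or MikroTik's code): it mirrors the rule's matchers and shows why the two negated ones keep the proxy's own upstream requests from being redirected back into Squid. The address lists are built from the post's values with the fifteen client /32 entries collapsed to 192.168.1.0/24, and 203.0.113.10 is a constructed web-server address.

```python
"""Matcher for the "proxy hit" dst-nat rule (added example; not the author's code).

Shows which flows are rewritten to Squid at 192.168.0.200:3128 and why the negated
matchers matter: without dst-address-list=!proxynet and src-address=!192.168.0.200
the proxy's own upstream fetches would be redirected back to itself in a loop.
"""
from ipaddress import ip_address, ip_network

PROXY, PROXY_PORT = ip_address("192.168.0.200"), 3128
# Constructed from the post's /ip firewall address-list (client /32s collapsed to a /24).
ADDRESS_LISTS = {
    "ipwarnet": [ip_network("192.168.1.0/24"), ip_network("192.168.0.1/32"),
                 ip_network("192.168.0.200/32")],
    "proxynet": [ip_network("192.168.0.0/24")],
}


def in_address_list(addr, list_name):
    return any(addr in net for net in ADDRESS_LISTS[list_name])


def redirect_target(src, dst, dst_port, protocol="tcp", connection_mark="http_conn"):
    """Return (to-address, to-port) when the rule matches, otherwise None.

    Rule being modelled:
      chain=dstnat connection-mark=http_conn dst-address-list=!proxynet dst-port=80,8080,3128
      protocol=tcp src-address=!192.168.0.200 src-address-list=ipwarnet
      to-addresses=192.168.0.200 to-ports=3128
    """
    src, dst = ip_address(src), ip_address(dst)
    if protocol != "tcp" or connection_mark != "http_conn" or dst_port not in (80, 8080, 3128):
        return None
    if in_address_list(dst, "proxynet"):      # !proxynet: traffic already aimed at the proxy LAN is left alone
        return None
    if src == PROXY:                          # !192.168.0.200: Squid's own fetches must not loop back into Squid
        return None
    if not in_address_list(src, "ipwarnet"):  # only listed clients are forced through the proxy
        return None
    return str(PROXY), PROXY_PORT


# Constructed flows; 203.0.113.10 is a TEST-NET-3 address standing in for a web server.
FLOWS = {
    "client to web":        ("192.168.1.5", "203.0.113.10", 80),
    "proxy to web":         ("192.168.0.200", "203.0.113.10", 80),   # would loop if redirected
    "client to proxy port": ("192.168.1.5", "192.168.0.200", 3128),  # explicit proxy use
    "client https":         ("192.168.1.5", "203.0.113.10", 443),    # not intercepted by this rule
    "unlisted host":        ("10.9.9.9", "203.0.113.10", 80),
}

if __name__ == "__main__":
    for label, flow in FLOWS.items():
        print(f"{label:22s} -> {redirect_target(*flow)}")
```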


To reach the Ubuntu box remotely with PuTTY, first set up a virtual server (port forward) on the modem as in the image below:

then add this rule under "/ip firewall nat" on the MikroTik:

# 172.16.1.2 is the MikroTik address connected to the modem
add action=dst-nat chain=dstnat comment="Remote SSH from wan" disabled=no dst-address=172.16.1.2 dst-port=22,10000 protocol=tcp to-addresses=192.168.0.200 to-ports=22

If the MikroTik does the dial-up itself, leave "dst-address=" out.

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.1.1 scope=30 target-scope=10

/queue type
add kind=pcq name=downsteam-pcq pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=20000
add kind=pcq name=upstream-pcq pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=20000
add kind=pcq name=proxy_down pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=5s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pcq name=proxy_up pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=5s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000
add kind=pfifo name=PING pfifo-limit=64
add kind=pcq name=Downloaduser pcq-classifier=dst-address pcq-limit=50 pcq-rate=0 pcq-total-limit=2000

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s comment="turbo proxy" disabled=no limit-at=0 max-limit=0 name=TURBO-PROXY packet-mark=proxy-hit parent=global-out priority=1 queue=downsteam-pcq
add burst-limit=0 burst-threshold=0 burst-time=0s comment="dns up" disabled=no limit-at=0 max-limit=0 name=DNS-UP packet-mark=DNS_PACKET parent=global-in priority=3 queue=upstream-pcq
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2200k name="Proxy download " packet-mark=proxy_down parent=global-out priority=8 queue=proxy_down
# uses the pfifo type named PING defined under /queue type
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=8k max-limit=16k name="ICMP UP" packet-mark=ICMP-PM parent=global-in priority=3 queue=PING
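A check worth running before pasting a long export like this one into a router, as an added example that is not part of the post: a small Python script that parses the /queue type, /ip firewall mangle and /queue tree sections and reports queue types and marks that are referenced but never defined, or defined but never used. The export excerpt inside it is constructed in the post's style with one mark-connection rule left out on purpose, and the list of built-in queue types is assumed from RouterOS v6.

```python
"""Referential check for a RouterOS export (added example; not code from the post).
Reports queue-tree entries whose queue type or packet-mark is never defined, mangle rules
that match a connection-mark no rule creates, and queue types nothing uses."""
import shlex
from collections import defaultdict

# Constructed excerpt in the post's style; the ICMP-CM mark-connection rule is omitted on purpose.
SAMPLE_EXPORT = """\
/queue type
add kind=pcq name=downsteam-pcq pcq-classifier=dst-address pcq-limit=50 pcq-rate=0
add kind=pfifo name=PING pfifo-limit=64
/ip firewall mangle
add action=mark-packet chain=prerouting comment="proxy hit" dscp=12 new-packet-mark=proxy-hit passthrough=no
add action=mark-connection chain=forward comment=https_conn dst-port=443 new-connection-mark=https_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=https_conn new-packet-mark=https_conn passthrough=no
add action=mark-packet chain=prerouting connection-mark=ICMP-CM new-packet-mark=ICMP-PM passthrough=yes protocol=icmp
/queue tree
add comment="turbo proxy" name=TURBO-PROXY packet-mark=proxy-hit parent=global-out priority=1 queue=downsteam-pcq
add limit-at=8k max-limit=16k name="ICMP UP" packet-mark=ICMP-PM parent=global-in priority=3 queue=pfifo-64
"""

# Queue types that ship with RouterOS v6 (assumed list; adjust for your version).
BUILTIN_QUEUE_TYPES = {
    "default", "default-small", "ethernet-default", "wireless-default", "synchronous-default",
    "hotspot-default", "only-hardware-queue", "multi-queue-ethernet-default",
    "pcq-upload-default", "pcq-download-default"}


def parse_export(text):
    """Return {menu path: [rule dict, ...]} for every add/set line in the export."""
    sections, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):        # a menu path starts a new section
            section = line
        else:
            tokens = shlex.split(line)  # honours quoted values such as comment="proxy hit"
            if section and tokens and tokens[0] in ("add", "set"):
                sections[section].append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections


def check_references(sections):
    """Cross-check names between sections and return a list of finding strings."""
    findings, mangle = [], sections["/ip firewall mangle"]
    defined_types = {r["name"] for r in sections["/queue type"] if "name" in r}
    packet_marks = {r["new-packet-mark"] for r in mangle if "new-packet-mark" in r}
    conn_marks = {r["new-connection-mark"] for r in mangle if "new-connection-mark" in r}
    for r in mangle:
        cm = r.get("connection-mark", "").lstrip("!")  # allow negated matchers
        if cm and cm not in conn_marks:
            findings.append(f"mangle: connection-mark {cm!r} is matched but never created")
    used_types = set()
    for r in sections["/queue tree"]:
        name, qtype, pm = r.get("name", "?"), r.get("queue", "default"), r.get("packet-mark")
        used_types.add(qtype)
        if qtype not in defined_types | BUILTIN_QUEUE_TYPES:
            findings.append(f"queue tree {name!r}: queue type {qtype!r} is not defined")
        if pm and pm not in packet_marks:
            findings.append(f"queue tree {name!r}: packet-mark {pm!r} is never set in mangle")
    for t in sorted(defined_types - used_types):
        findings.append(f"queue type {t!r} is defined but not used by any queue tree entry")
    return findings


if __name__ == "__main__":
    print(*check_references(parse_export(SAMPLE_EXPORT)), sep="\n")
```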

/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=0/0 max-limit=512k/2M name=Ultimatenet parent=none priority=8 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.0/24 total-queue=default
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=yes dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=billing parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.2/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom1 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.3/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom2 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.4/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom3 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.5/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom4 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.6/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom5 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.7/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom6 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.8/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom7 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.9/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom8 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.10/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom9 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.11/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom10 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.12/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom11 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.13/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom12 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.14/32 total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=kom13 parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.15/32 total-queue=default-small

Setting the clock on the MikroTik (RouterBOARD only, not needed on a PC MikroTik)

/system ntp client
set enabled=yes mode=unicast primary-ntp=180.211.88.5 secondary-ntp=202.43.117.10

Other queue tree settings (optional, choose what suits you)

Add the following rules under /ip firewall mangle:

add action=mark-connection chain=forward comment=DownloadfromLan disabled=no in-interface=ether3-local-slave new-connection-mark=DownLan out-interface=ether4-local-slave passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="" connection-mark=DownLan disabled=no in-interface=ether3-local-slave new-packet-mark=DownloadLan out-interface=ether4-local-slave passthrough=no protocol=tcp

Then add this rule to the queue tree to limit user downloads per connection:
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2000k name=LimitDownloadformLan packet-mark=DownloadLan parent=global-out priority=8 queue=Downloaduser

DNS flush scheduler
/system script
add name=cacheflush policy=ftp,reboot,read,write,policy,test,winbox,password source="/ip dns cache flush"

/system scheduler
add disabled=no interval=10s name="cache flush" on-event=cacheflush policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=dec/20/2011 start-time=14:00:00
Explanation:
Starting on 20 December 2011 at 14:00, the DNS cache is flushed automatically every 10 seconds.

Source for limiting the proxy-to-modem connections:
http://routerosmikrotik.blogspot.com

14 comments:

  1. Bro, I'm still a total newbie, please enlighten me: why does my MikroTik RB750GL have no "direction=both" under /queue simple (- add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=yes dst-address=0.0.0.0/0 interface=all limit-at=36k/146k max-limit=256k/400k name=billing parent=Ultimatenet priority=3 queue=upstream-pcq/downsteam-pcq target-addresses=192.168.1.2/32 total-queue=default-small)? Because of that I can't continue configuring the MikroTik I have .... I would really appreciate an explanation.

    Replies
    1. Just remove "direction=both"; that is the default setting, and the rule can be entered without it.
    2. This comment has been removed by a blog administrator.
  2. My modem IP is 192.168.1.1
    proxy IP: 192.168.2.2
    proxy gateway IP: 192.168.2.1
    local IP: 192.168.0.254
    I have changed it and it does not work. Please, if there is a phone number, may I ask for it through my e-mail....
    I really need your help....

    Replies
    1. Where exactly does it fail? Does the MikroTik not redirect to the proxy?
  3. It seems it is not redirecting, or whatever it is called, I don't know, because before I entered the settings above, meaning the MikroTik was still on its default settings, the clients could connect to the internet, but after I entered them they can't. Maybe the proxy is misconfigured? Before following the steps above I installed the Ubuntu proxy following your other post, "install dan seting proxy ..... ", and I think the proxy installation is correct; I am only confused about the MikroTik settings, mine is an RB750GL, because I am confused by this:
    /ip firewall address-list
    add address=192.168.1.1 disabled=no list=ipwarnet
    add address=192.168.1.2 disabled=no list=ipwarnet
    add address=192.168.1.3 disabled=no list=ipwarnet
    add address=192.168.1.4 disabled=no list=ipwarnet
    add address=192.168.1.5 disabled=no list=ipwarnet
    add address=192.168.1.6 disabled=no list=ipwarnet
    add address=192.168.1.7 disabled=no list=ipwarnet
    add address=192.168.1.8 disabled=no list=ipwarnet
    add address=192.168.1.9 disabled=no list=ipwarnet
    add address=192.168.1.10 disabled=no list=ipwarnet
    add address=192.168.1.11 disabled=no list=ipwarnet
    add address=192.168.1.12 disabled=no list=ipwarnet
    add address=192.168.1.13 disabled=no list=ipwarnet
    add address=192.168.1.14 disabled=no list=ipwarnet
    add address=192.168.1.15 disabled=no list=ipwarnet
    add address=192.168.0.1 disabled=no list=ipwarnet
    add address=192.168.0.200 disabled=no list=ipwarnet
    add address=192.168.0.0/24 disabled=no list=proxynet

    Mine uses the local IPs 192.168.0.1 - 192.168.0.253
    I have 16 client computers and 1 for the operator, 17 computers in total
    with your settings above, what addresses should I fill in....
    since I am still very much a newbie .... sorry for the trouble......

    Replies
    1. First change the client IP addresses to 192.168.1.2 - 192.168.1.19
      and don't forget to change the clients' gateway to 192.168.1.1 as well
  4. And I am still confused about "/ip firewall mangle": - add action=change-dscp chain=prerouting connection-mark=DNS disabled=no new-dscp=12. On your side there is no "passthrough=......"; what should I fill in, "NO" or "YES"?

    Replies
    1. Because action=change-dscp has no passthrough option.. just copy it exactly as in the tutorial..
    2. Note that the new_dscp argument in MikroTik versions 4 and 5 is the same as new_tos in MikroTik version 2.9
  5. I will try it, thanks for responding........ thanks a lot, may your blog keep on growing......

    Replies
    1. I should be the one thanking you for visiting my blog :)
  6. Good afternoon, I am using an Ubuntu 11.10 proxy
    and I want to ask:
    # the primary network interface
    auto eth0
    iface eth0 inet static
    address 192.168.35.2
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.35.0

    What I want to ask is how to configure the MikroTik side for the IP address that goes from the MikroTik to the proxy
  7. Cable type B, is that the crossover pin order?

    If the proxy sits alongside the clients, is the configuration the same?

    Oh, and the MikroTik PC uses LB. Thanks for sharing