Thursday, 30 August 2007

Tiktube (Free MikroTik Video Downloads)

MikroTik has set up free documentation in the form of videos: anyone is free to upload there, much like YouTube.

There are plenty of video tutorials uploaded by all sorts of people, and they are free for anyone to download.

Take a look at http://www.tiktube.com/

MikroTik User Meeting (MUM)

MikroTik User Meeting (MUM) is a conference on MikroTik RouterOS software and RouterBoard hardware. Ask questions, listen to presentations, talk with specialists and see interesting technology demos by MikroTik and the users themselves - all here, at the MUM.

This is your chance to also show YOUR experience and tell others about your company. Sign up as a Presenter or for a Technology demo table space.

Users from around the world are coming to the MUM: MUM Europe had 300 attendees, MUM USA in 2006 had 140 attendees, and now it is time for YOU to come and see for yourself.

To Join please go to http://mum.mikrotik.com/2007/AR/

Friday, 24 August 2007

Mikrotik Bandwidth Test

Overview

The Bandwidth Tester can be used to monitor the throughput only to a remote MikroTik router (either wired or wireless) and thereby help to discover network ‘bottlenecks’.

The TCP test uses the standard TCP protocol with acknowledgments and follows the TCP algorithm on how many packets to send according to latency, dropped packets, and other features in the TCP algorithm. Please review the TCP protocol for details on its internal speed settings and how to analyze its behavior. Statistics for throughput are calculated using the entire size of the TCP packet. As acknowledgments are an internal working of TCP, their size and usage of the link are not included in the throughput statistics. Therefore this statistic is not as reliable as the UDP statistic when estimating throughput.

The UDP tester sends 110% or more packets than currently reported as received on the other side of the link. To see the maximum throughput of a link, the packet size should be set for the maximum MTU allowed by the links – usually this is 1500 bytes. There is no acknowledgment required by UDP; this implementation means that the closest approximation of the throughput can be seen.

Installation

The Bandwidth Test feature is included in the 'system' package; no installation is needed for this feature.

Hardware Resource Usage

!Caution! Bandwidth Test uses all available bandwidth (by default) and may impact network usability.

There is no other significant resource usage.

Bandwidth Test Description

Bandwidth Test Server Configuration

[admin@MikroTik] tool> bandwidth-server
Configure network bandwidth tester service. Use authentication for disabling
unwanted bandwidth wasting. Note that remote router must be MikroTik router in
order to run the test.

session
print
get      get value of property
set
export
[admin@MikroTik] tool> bandwidth-server print
enabled: yes
authenticate: no
allocate-udp-ports-from: 2000
max-sessions: 10
[admin@MikroTik] tool>
Setting descriptions:
enabled - enable client connections for bandwidth test
authenticate - communicate only with authenticated (by valid username and password) clients
allocate-udp-ports-from - lowest UDP port number from which the server allocates ports for test sessions
max-sessions - maximum number of bandwidth-test clients
The list of current connections can be obtained in the session submenu:
[admin@MikroTik] tool> bandwidth-server session

print    print values of item properties
remove   remove item
[admin@MikroTik] tool> bandwidth-server session print
# FROM PROTOCOL DIRECTION USER
0 10.0.0.202 tcp send
[admin@MikroTik] tool>

Bandwidth Test Client Configuration

Bandwidth Test uses TCP or UDP protocol for test. The test tries to use maximum or partial amount of bandwidth to test link speed. Be aware that default test uses all available bandwidth and may impact network usability.

[admin@MikroTik] tool> bandwidth-test
Run TCP or UDP bandwidth test. Tries to use maximum or partial amount of
bandwidth to test link speed. Note that remote router must be MikroTik router
in order to run the test. Be aware that default test uses all available
bandwidth and may impact network usability.


assume-lost-time
direction Direction of data flow
do
duration
interval
local-tx-speed
once print statistics once and quit
password Password for remote user
protocol Protocol to use for test
remote-tx-speed
size UDP packet size or TCP segment size
user
[admin@MikroTik] tool> bandwidth-test

Descriptions of arguments:

address - IP address of destination host
assume-lost-time - If Bandwidth Server is not responding for that time, assume that connection is lost
direction - specify the direction of the test (receive, transmit, both, default is transmit)
do - Script source
duration - Duration of the test
interval - Delay between messages (in seconds). Default is 1 second. Can be 20ms...5s
local-tx-speed - Transfer test maximum speed (given in bits per second)
password - Password for remote user
protocol - Type of protocol to use (UDP or TCP, default TCP)
remote-tx-speed - Receive test maximum speed (given in bits per second)
size - Packet size in bytes (50..1500, default 512). Works only with UDP protocol
user - Remote user

Bandwidth Test Example

[admin@MikroTik] tool> bandwidth-test 10.0.0.202 user=admin direction=both protocol=udp \
\... size=1500 duration=14s
status: done testing
tx-current: 11.49Mbps
tx-10-second-average: 10.05Mbps
tx-total-average: 7.96Mbps
rx-current: 12.55Mbps
rx-10-second-average: 10.33Mbps
rx-total-average: 8.14Mbps

[admin@MikroTik] tool>

taken from: www.mikrotik.com
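The manual text above says to use authentication to stop unwanted bandwidth wasting. The following is an added example (not part of the mikrotik.com text) of what that looks like on the server side, plus a bounded client run; the 10.0.0.0/24 management subnet, the btest-only group and account, the UDP port window 2000-2010 and the speed values are assumptions for this example.

```routeros
# Added example: harden the bandwidth-test server and run a bounded test.
# Assumed: management hosts live in 10.0.0.0/24, the remote router is
# 10.0.0.202 (as in the manual's example), and the UDP test streams fall
# inside 2000-2010 given allocate-udp-ports-from=2000 and max-sessions=2.

# 1. Require credentials and cap concurrent sessions (default is
#    authenticate=no, max-sessions=10, which lets any host saturate the link).
/tool bandwidth-server set enabled=yes authenticate=yes max-sessions=2 allocate-udp-ports-from=2000

# 2. A dedicated account holding only the "test" policy (ping, traceroute,
#    bandwidth-test). If its password leaks, it cannot log in or change
#    configuration. Assumption: the server accepts any router user.
/user group add name=btest-only policy=test
/user add name=btest group=btest-only password=CHANGE-ME

# 3. The control channel is TCP 2000; UDP streams use ports allocated upward
#    from allocate-udp-ports-from. Accept both only from the management
#    subnet and drop control connections from anywhere else.
/ip firewall address-list add list=mgmt address=10.0.0.0/24
/ip firewall filter add chain=input protocol=tcp dst-port=2000 src-address-list=mgmt action=accept comment="btest control from mgmt"
/ip firewall filter add chain=input protocol=udp dst-port=2000-2010 src-address-list=mgmt action=accept comment="btest UDP streams from mgmt"
/ip firewall filter add chain=input protocol=tcp dst-port=2000 action=drop comment="btest control from elsewhere"

# 4. From the remote router: a test with explicit speed caps and a fixed
#    duration, so a forgotten or mistyped test cannot starve production
#    traffic (speeds are in bits per second, as the manual states).
/tool bandwidth-test 10.0.0.202 user=btest password=CHANGE-ME protocol=udp direction=both \
    size=1500 local-tx-speed=2000000 remote-tx-speed=2000000 duration=10s interval=1s assume-lost-time=5s

# 5. Audit: who is testing against this router right now, and from where.
/tool bandwidth-server session print
```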

Comparison of Several Wireless MiniPCI Cards

Various wireless miniPCI cards are easy to find on the market, from low-power ones to fairly high-power ones. Which of them performs well when used with MikroTik?

We have been using MikroTik wireless for quite some time, starting with Atheros cards using the 5211 and 5212 chipsets; the cards MikroTik usually sells today are the CM9 (Atheros 5213 chipset) and the R52 (Atheros 5413 chipset). The 5211 and 5212 cards were not in use for long before being replaced by the newer CM9 and R52 cards.

We then ran a test with several types of card. We set up an access point using an RB511 board fitted with an SR2 card (made by Ubiquiti Networks), which operates at 2.4 GHz and has a transmit power of 400 mW. The antenna used was a 2 dBi indoor helical antenna.

As stations, we then used 4 different miniPCI cards:
  • SR2 (400 mW)
  • CM9 (65 mW)
  • OEM Atheros card (200 mW)
  • OEM Atheros card (100 mW)
All four cards were installed in an RB532 board with an RB564 daughterboard added, giving a total of 6 miniPCI slots and 9 Ethernet ports.



We set all four cards to transmit at maximum power, according to each card's power specification, and connected all four wirelessly to the access point set up above. Overall, all four cards connected easily on 2.4 GHz.

The signal level of each card can be seen in the following screen capture:

We can see that the SR2, which has the highest power, does indeed have the best signal, 15 dB better than the signal obtained by the CM9 card. The data above also shows that although the 100 mW and 200 mW OEM Atheros cards have a higher transmit power than the CM9 on paper, the CM9's signal level is better than both of these cards (by 10 and 18 dB respectively).

Of course, signal level does not always guarantee that a card is of good quality. Next, we ran a throughput test on each of the four cards in turn, to see how they send and receive data. The test was done using the bandwidth test included in MikroTik RouterOS: the bandwidth test was run from the access point, in the receive direction, using the UDP protocol. On the client, the data rates were left at the standard setting.

The bandwidth test results were:
  • SR2: between 8 and 15 Mbps. The traffic was uneven and fluctuated; we suspect the SR2's fluctuation is affected by temperature. However, when we tried configured data rates, traffic could rise to 17-19 db.
  • CM9: quite stable traffic in the 22-23 Mbps range!
  • Atheros 100 mW: performance around 10-12 Mbps
  • Atheros 200 mW: although not as high as the CM9, this card performs quite well, in the 20-21 Mbps range.

Screen capture of the bandwidth test and ping results using the CM9 wireless card

Well, none of the data above is 100% accurate. Fluctuations sometimes occurred, forcing us to repeat the bandwidth test over and over. Each card does have its own characteristics: some cards actually perform better with a fixed tx-rate, while others do better when the tx rates are left at default.

ref: www.mikrotik.co.id

Sunday, 12 August 2007

MikroTik Peer-to-Peer Traffic Control

E-book tutorial on MikroTik peer-to-peer traffic control:
www.mikrotik.com/testdocs/ros/2.8/ip/peer2peer.pdf

MikroTik DNS Setup

ALTERNATIVE PROCEDURE IF YOU WANT TO INPUT A FIXED IP/GATEWAY/DNS SERVER ADDRESS
(instead of using DHCP on the ether1 port)

Caution:
Use care in selecting the DNS SERVER IP address in the setup below. You MUST select an actual DNS server or a router which provides DNS services. Some routers (such as the Hawking FR24) provide a "DNS RELAY" feature on the gateway address which redirects DNS service requests that are sent to the router Gateway Address to some downstream DNS Server. Such "dns relay" service is not always compatible with the Mikrotik system. Other routers (such as the NexLand 800 Turbo and many other router setups) do provide normal DNS Services on the gateway address. In many routers it may depend on user programming.

The Mikrotik router will NOT resolve DNS properly for the Hotspot unless the pointer to a DNS server source points to a "real" DNS Server or a router which actually provides DNS SERVICES on the Gateway address. The result of no DNS service will be that your hotspot login screen will not be loaded when "any URL" is transmitted to the ether2 (Hotspot) port via your browser. This problem can be very confusing to diagnose.

You can test what DNS address you should setup in the Mikrotik unit by running an ip configuration test on a Windows equipped computer connected to your router that you also intend your Mikrotik to use for internet access. Proceed as follows:

b) On your Windows computer, in network settings, select TCP/IP properties, select "obtain an IP address automatically" and "obtain DNS server address automatically", click OK, exit, and reboot if necessary to activate the new settings. Then go to Start > Run,
enter <winipcfg> and click OK (Windows 95/98), or <ipconfig> (or perhaps wntipcfg) and click OK (Windows XP/NT/2000). In Windows, you may have to download the winipcfg.exe (or similar) module from the resources folder on the install disk to get this to work. You will get a display such as the image below when you get the IP configuration display and click

Note in this example, the DNS SERVER reported is 192.168.168.1 which IS the same as the Default Gateway and the downstream router (not Mikrotik) IP address. THIS IS NOT ALWAYS SO! The DNS server found by the DHCP operation of your windows computer may be in an entirely different range from the default gateway IP address. Thus, if you use a fixed IP address/Gateway/DNS Server selection, your Mikrotik router DNS Server setup MUST use the DNS Server found by a computer with DHCP Client operating as above. You cannot assume it is the same as your router's default gateway address.

Once you have the downstream router's Gateway address and DNS Server address defined, select an IP address for your Mikrotik unit and proceed as follows. (Here, we are assuming that your Mikrotik System's IP address and mask is 128.1.1.120/255.255.255.0, Gateway of the downstream router is 128.1.1.1 and that the DNS Server's IP address is 207.69.188.186. Make any changes you deem necessary.)
29a)
[admin@MikroTik] interface>
/ip

(Note: The address 128.1.1.120 (below) represents the PUBLIC INTERNET side IP address of the Mikrotik Router. Change to your own suitable address as may be required.)
(All commands must be all in one continuous string (no carriage returns even if the red command characters are shown on multiple lines) when input and followed at the end by a carriage return. Be careful to look for parts of commands on second and even third lines in the listings below. The /24 after the IP address is equivalent to stating that the mask is 255.255.255.0)
29b) [admin@MikroTik] ip> address add address=128.1.1.120/24 comment="TechNet LAN to Internet" interface=ether1
29c) [admin@MikroTik] ip> route add gateway=128.1.1.1
(The following test will locate your public Ethernet port. Proceed as follows: you may PING your gateway address (128.1.1.1 in the example); the pinging will go out the ether1 NIC port. Notes: you may also ping some other address if you wish. You can stop the PING command by entering at any time.) Now we test to see that we are connected to the Internet by pinging "some" known IP address such as:)

(Note: This next command normally sets your system up so that all DNS calls go directly to the ISP's DNS servers. If you are behind another router/firewall you could (probably) use the gateway address of your router (as is done in the example) as many do provide DNS service. However, pointing directly to the ISP's DNS servers is usually faster.)
29d) [admin@MikroTik] ip> /ip dns set primary-dns=128.1.1.1 (Change to YOUR ISPs DNS servers. Or- This may be the gateway IP address of a LAN router (as this actually is) which has DNS services. You may be able to change to YOUR ISP's recommended DNS server IP address if permitted by your router and operation will likely be faster.)
29e) [admin@MikroTik] ip> /ip dns set secondary-dns=207.69.188.186 (Add a secondary DNS server if your ISP has one. This example is one of earthlink's DNS servers.)

IF you wish to install a DNS Cache in your Hotspot router so DNS requests will be handled out of the local cache instead of going to the router (or external ISP) each time, enter the following line.
29f) [admin@MikroTik] ip> /ip dns-cache set primary-server=128.1.1.1 (This sets up the dns-cache to access from the LOCAL ROUTER’s DNS server. You may wish to change the above two IP addresses to your ISP’s DNS IP address if permitted by your router. You can also use the
/ip dns-cache set secondary-server=xxx.xxx.xxx.xxx
to set up a secondary DNS-CACHE server if you wish.
)

29g) [admin@MikroTik] ip> dns print
resolve-mode: remote-dns
primary-dns: 128.1.1.1 (This should be your primary DNS server IP address.)
secondary-dns: 207.69.188.186 (You should setup a secondary-dns server if you have one.)
and then:
29h) [admin@MikroTik] ip> dns-cache print
enabled: no (You get to enable it later when you setup the hotspot.)
primary-server: 128.1.1.1 (This should be your primary DNS server IP address.)
secondary-dns: 0.0.0.0 (You should setup a secondary-dns server (in step #19) if you have one.)
running: no (It will start running if you enable "use DNS CACHE" when you setup the hotspot.)
usage: 0%
entries: 0

taken from http://www.gpsinformation.org/hotspot/fixedether1ipsetup.html

Friday, 10 August 2007

Load-balancing & Fail-over in MikroTik

Scenario: the ISP where we work as administrator uses more than one gateway to connect to the Internet. All of them must be able to serve both upstream and downstream traffic, because it is a different case if one of them can only serve downstream, for example a one-way DVB VSAT link.
For this case, assume the ISP has 2 links to the Internet: one via DSL access (256 Kbps) and the other via wireless (512 Kbps), with a DSL:Wireless usage ratio of 1:2.

What we will do:

  1. Use all available gateway links with a load-balancing technique.
  2. Make one of them a backup with a fail-over technique.

OK, let's just start the experiment:

  1. IP address for LAN access:
    >
    /ip address add address=192.168.0.1/28 interface=LAN
    IP address for the DSL link:
    >
    /ip address add address=10.32.57.253/29 interface=DSL
    IP address for the wireless link:
    >
    /ip address add address=10.9.8.2/29 interface=WIRELESS
    Set the gateways with their respective ratios (the wireless gateway is listed twice to obtain the 1:2 ratio):
    >
    /ip route add gateway=10.32.57.254,10.9.8.1,10.9.8.1
  2. For the fail-over technique: assume the primary link is via wireless, with the DSL link as backup if the primary link cannot be used. The ping command is used to check whether the primary link is reachable.
    >
    /ip firewall mangle add chain=prerouting src-address=192.168.0.0/28 action=mark-routing new-routing-mark=SUBNET1-RM
    >
    /ip route add gateway=10.9.8.1 routing-mark=SUBNET1-RM check-gateway=ping
    >
    /ip route add gateway=10.32.57.254
  3. Good luck!!
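As an added example (not the post's own commands), here is the fail-over case of step 2 expressed through route distance instead of a routing-mark, for the situation where only fail-over (not the step-1 load-balancing) is wanted. The gateways are the post's; the distances, comments and the caveat are this example's.

```routeros
# Added example: distance-based fail-over between the post's two gateways.
# Assumed: the ECMP route from step 1 is not present (two default routes at
# distance 1 would compete), and only fail-over is wanted.

# Primary default route via wireless. check-gateway=ping probes 10.9.8.1
# periodically; after consecutive failures the route is flagged inactive and
# the router falls through to the next default route by distance.
/ip route add dst-address=0.0.0.0/0 gateway=10.9.8.1 distance=1 check-gateway=ping comment="primary: wireless"

# Backup default route via DSL. distance=2 keeps it out of the active table
# while the primary is up; it also carries check-gateway so a dead DSL
# gateway is not silently selected once the wireless link fails.
/ip route add dst-address=0.0.0.0/0 gateway=10.32.57.254 distance=2 check-gateway=ping comment="backup: DSL"

# Verify: exactly one of the two default routes shows the A (active) flag.
/ip route print where dst-address=0.0.0.0/0

# Caveat: check-gateway only tests reachability of the next-hop address
# itself. An ISP gateway that still answers ping while its own upstream is
# down keeps the primary route active; catching that requires probing a host
# beyond the gateway, which this example does not do.
```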

PCQ

Using the pcq queue type in MikroTik, we can share the available bandwidth evenly among the bandwidth-hogs™ when the network is at peak.

For example, we subscribe to 256 Kbps. If one person is happily surfing, they get the whole bandwidth allowance. But once their friends arrive, say 9 more people, each gets about 256/10 Kbps. Well, that is still decent enough for browsing non-porn sites or just checking e-mail and blogs.

OK, straight to the how-to:

  1. Assumptions: network address 192.168.169.0/28, the interface facing the users is named LAN, and the interface facing the upstream provider is named INTERNET;
  2. Type in the console or terminal (the queue tree entries must reference the queue types by the names given to them in the two "queue type add" commands):
    >
    /ip firewall mangle add chain=forward src-address=192.168.169.0/28 action=mark-connection new-connection-mark=NET1-CM
    >
    /ip firewall mangle add connection-mark=NET1-CM action=mark-packet new-packet-mark=NET1-PM chain=forward
    >
    /queue type add name=downstream-pcq kind=pcq pcq-classifier=dst-address
    >
    /queue type add name=upstream-pcq kind=pcq pcq-classifier=src-address
    >
    /queue tree add parent=LAN queue=downstream-pcq packet-mark=NET1-PM
    >
    /queue tree add parent=INTERNET queue=upstream-pcq packet-mark=NET1-PM
  3. Good luck!!
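An added example (not the post's own commands): the same PCQ setup with the subscribed 256 Kbps actually enforced on the queue tree. A PCQ with no max-limit attached to a 100 Mbps LAN interface never congests, so the upstream 256 Kbps link fills first and PCQ has nothing to share out. Names follow the post; the pcq-limit, pcq-total-limit and per-host ceiling values are this example's choices.

```routeros
# Added example: PCQ equalisation that really bites at 256 Kbps.
# Assumed: interfaces LAN and INTERNET, packet mark NET1-PM from the post's
# mangle rules, and a 256 Kbps subscription in both directions.

# pcq-rate=0 means no per-host cap; pcq-limit / pcq-total-limit bound the
# per-host and total packet backlog so a flood fills memory, not the link.
/queue type add name=downstream-pcq kind=pcq pcq-classifier=dst-address pcq-rate=0 pcq-limit=50 pcq-total-limit=2000
/queue type add name=upstream-pcq kind=pcq pcq-classifier=src-address pcq-rate=0 pcq-limit=50 pcq-total-limit=2000

# max-limit=256k makes this queue, rather than the upstream link, the
# bottleneck, so PCQ divides 256 Kbps equally between however many active
# dst-addresses (downloads) or src-addresses (uploads) there are.
/queue tree add name=download parent=LAN packet-mark=NET1-PM queue=downstream-pcq max-limit=256k
/queue tree add name=upload parent=INTERNET packet-mark=NET1-PM queue=upstream-pcq max-limit=256k

# Optional per-host ceiling on downloads: a host that is alone can then take
# at most 128 Kbps instead of the whole 256 Kbps.
/queue type set downstream-pcq pcq-rate=128k

# Check that traffic is actually hitting the queues: bytes/packets counters
# on both entries must grow while a LAN host is transferring.
/queue tree print stats
```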

Manipulating ICMP & DNS ToS in MikroTik

Goals:

  • Reduce ping delay from the client side toward the Internet.
  • Speed up resolving hostnames to IP addresses.

Assumption: clients are on subnet 10.10.10.0/28

  1. Manipulate Type of Service for ICMP packets:
    >
    ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes
    >
    ip firewall mangle add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes
    >
    ip firewall mangle add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay
  2. Manipulate Type of Service for DNS resolving:
    >
    ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
    >
    ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
    >
    ip firewall mangle add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes
    >
    ip firewall mangle add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay
  3. Add a queue type:
    >
    queue type add name="PFIFO-64" kind=pfifo pfifo-limit=64
  4. Allocate bandwidth for ICMP packets:
    >
    queue tree add name=ICMP parent=INTERNET packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
  5. Allocate bandwidth for DNS resolving:
    >
    queue tree add name=DNS parent=INTERNET packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
  6. Good luck!!

Queue Tree with more than two interfaces

Basic Setup

This page will talk about how to build a QUEUE TREE in RouterOS, with masquerading, for more than two interfaces. It is for sharing an Internet connection among users on each interface. This possibility isn't described in the manual.

First, let's do the basic setup. I'm using a machine with 3 or more network interfaces:

[admin@instaler] > in pr
 #    NAME     TYPE    RX-RATE  TX-RATE  MTU
 0 R  public   ether   0        0        1500
 1 R  wifi1    wlan    0        0        1500
 2 R  wifi2    wlan    0        0        1500
 3 R  wifi3    wlan    0        0        1500

And this is the IP Addresses for each interface:

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS        NETWORK     BROADCAST    INTERFACE
 0   10.20.1.0/24   10.20.1.0   10.20.1.255  public
 1   10.10.2.0/24   10.10.2.0   10.10.2.255  wifi1
 2   10.10.3.0/24   10.10.3.0   10.10.3.255  wifi2
 3   10.10.4.0/24   10.10.4.0   10.10.4.255  wifi3

On the public you can add NAT or proxy if you want.

Mangle Setup

And now is the most important part in this case.

We need to mark our users: one connection mark for upload and a second for download. In this example I add mangle rules for one user. At the end I add a mangle rule for local transmission, because I don't QoS local traffic among users. But for a user I need to separate upload and download.

[admin@instaler] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward src-address=10.10.2.36 action=mark-connection
     new-connection-mark=users-userU passthrough=yes comment="" disabled=no

 1   chain=forward dst-address=10.10.2.36 action=mark-connection
     new-connection-mark=users-userD passthrough=yes comment="" disabled=no

 2   chain=forward connection-mark=users-userU action=mark-packet
     new-packet-mark=userU passthrough=yes comment="" disabled=no

 3   chain=forward connection-mark=users-userD action=mark-packet
     new-packet-mark=userD passthrough=yes comment="" disabled=no

 98  chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16
     action=mark-connection new-connection-mark=users-lokal passthrough=yes

 99  chain=forward connection-mark=users-lokal action=mark-packet
     new-packet-mark=lokalTrafic passthrough=yes

(Rule 0 matches on src-address, rule 1 on dst-address: packets leaving the user are upload, packets heading to the user are download. With both rules on dst-address the two marks would be identical.)

Queue Tree Setup

And now the queue tree settings. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent: for downlink traffic we use parent "global-out", because we have two or more downloading interfaces; for uplink we use parent "public", since we want QoS on uplink traffic. (I'm using the pcq-upload and pcq-download queue types from the manual.) This example is for 2Mb/1Mb.

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
 0   name="Download" parent=global-out packet-mark="" limit-at=0
     queue=pcq-download priority=1 max-limit=2000000 burst-limit=0
     burst-threshold=0 burst-time=0s

 1   name="Upload" parent=public packet-mark="" limit-at=0 queue=pcq-upload
     priority=1 max-limit=1000000 burst-limit=0 burst-threshold=0
     burst-time=0s

Now we add our user:

 2   name="user10D" parent=Download packet-mark=userD limit-at=0
     queue=pcq-download priority=5 max-limit=0 burst-limit=0
     burst-threshold=0 burst-time=0s

 3   name="user10U" parent=Upload packet-mark=userU limit-at=0
     queue=pcq-upload priority=5 max-limit=0 burst-limit=0 burst-threshold=0
     burst-time=0s

MAC Address + IP Address Linux

#!/bin/sh

iptables=/sbin/iptables

# define the default policies here
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP    # remember to open up the OUTPUT policy as needed later
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP

# reset the mangle table and create a new chain named maccheck for interface eth1
# (the flush/delete of maccheck fails harmlessly on the first run, when it does not exist yet)
$iptables -t mangle -F
$iptables -t mangle -F maccheck 2>/dev/null
$iptables -t mangle -X maccheck 2>/dev/null
$iptables -t mangle -N maccheck
$iptables -t mangle -I PREROUTING -i eth1 -p all -j maccheck

# self-explanatory: IP address + MAC pairs that are allowed; a packet whose
# source IP and source MAC both match returns from maccheck unmarked
$iptables -t mangle -A maccheck -s 192.168.0.1 -i eth1 -m mac --mac-source 00:80:11:11:11:11 -j RETURN
$iptables -t mangle -A maccheck -s 192.168.0.2 -i eth1 -m mac --mac-source 00:80:22:22:22:22 -j RETURN
$iptables -t mangle -A maccheck -s 192.168.0.3 -i eth1 -m mac --mac-source 00:80:33:33:33:33 -j RETURN

# anything not registered, by IP or by MAC, is marked so it can be dropped later;
# fill in any one of the active MACs (here the example is 00:80:11:11:11:11,
# which we defined above). The second rule catches everything else.
$iptables -t mangle -A maccheck -s 0/0 -i eth1 -m mac ! --mac-source 00:80:11:11:11:11 -j MARK --set-mark 1
$iptables -t mangle -A maccheck -s 0/0 -i eth1 -p all -j MARK --set-mark 1

# drop the marked packets
$iptables -A INPUT -i eth1 -m mark --mark 1 -j DROP
$iptables -A OUTPUT -o eth1 -m mark --mark 1 -j DROP
$iptables -A FORWARD -i eth1 -m mark --mark 1 -j DROP

# continue your firewall script here

source = primadonal.com

Creating DotA Games on a MikroTik Machine

DotA is one of the online versions of the Warcraft games. In game cafés this game is the best seller alongside other online games such as Ragnarok, Seal Online, Pangya, Deco and many more. Besides being free (no voucher needed), it is also great fun to play. Here I try to write about how to create a DotA game from behind a MikroTik machine.

Follow these steps:

[admin@mendem] >ip firewall nat add chain=srcnat action=masquerade out-interface=Public

[admin@mendem] >ip address add address=202.xxx.xxx.xxx/32 interface=Public (fill in xxx with your public IP)

[admin@mendem] >ip firewall nat add chain=dstnat dst-address=202.xxx.xxx.xxx action=dst-nat to-addresses=192.168.***.*** (fill in *** with the local IP that should be able to create games)

[admin@mendem] >ip firewall nat add chain=srcnat src-address=192.168.***.*** action=src-nat to-addresses=202.xxx.xxx.xxx

So that clients on the same LAN or the same network can play together, add the commands:

[admin@mendem] >ip firewall nat add chain=dstnat dst-address=202.xxx.xxx.1-202.xxx.xxx.254 action=netmap to-addresses=192.168.***.1-192.168.***.254

[admin@mendem] >ip firewall nat add chain=srcnat src-address=192.168.***.1-192.168.***.254 action=netmap to-addresses=202.xxx.xxx.1-202.xxx.xxx.254

Up to this point it worked, but it turned out I ran into a problem: I could not access or remotely manage the MikroTik machine from outside the network, and another problem, the SNMP port got closed along with it, so the Cacti traffic graphs went blank... can anyone help?

DotA Fix for MikroTik

Previously I wrote about the rules for creating DotA on MikroTik, but there was a snag: once the rules were enabled, the routerbox could not be remotely managed or pinged, and it could not even display MRTG/Cacti graphs.

After several tries and a search through the literature via Google, I finally found rules that suit the need to remote in from outside the network, be pinged, and of course let me see the bandwidth usage graphs via MRTG/Cacti.

The rules look like this:

ip firewall nat add chain=dstnat dst-address=202. x . x . x protocol=tcp dst-port=6113 action=dst-nat to-addresses=192.168. x . x to-ports=6113

ip firewall nat add chain=dstnat dst-address=202. x . x . x protocol=udp dst-port=6113 action=dst-nat to-addresses=192.168. x . x to-ports=6113

ip firewall nat add chain=srcnat src-address=192.168. x . x protocol=tcp src-port=6113 action=src-nat to-addresses=202. x . x . x to-ports=6113

ip firewall nat add chain=srcnat src-address=192.168. x . x protocol=udp src-port=6113 action=src-nat to-addresses=202. x . x . x to-ports=6113

ip firewall nat add chain=srcnat src-address=192.168. x . x -192.168. x . x action=netmap to-addresses=202. x . x . x -202. x . x . x to-ports=0-65535

Many people probably already know the rules above; my hope is that they can be used by anyone who needs them, because from experience it is really hard to find literature or Google results about rules for creating DotA on MikroTik.

Hope this helps.

taken from http://harrychanputra.wordpress.com

Selasa, 07 Agustus 2007

Daftar Harga Paket Mikrotik

Harga Lisenci Super Chanel Mikrotik Hanya Rp.150.000,-
Paket 133C Paket 133+1AP HiBox Paket 133+1AP+T Box
Routerboard 133c (MIPS CPU, 16MB DDR RAM, 64MB NAND Storage) + RouterOS Level3 (CPE/CF). Memiliki 1 buah port ethernet untuk PoE, dan 1 slot miniPCI, dengan 1 buah card miniPCI wireless card A+B+G dalam kotak outdoor. Routerboard 133 (MIPS CPU, 32MB DDR RAM, 64MB NAND Storage),RouterOS WISP-AP/CF. Memiliki 3 buah port ethernet (1 untuk PoE), dan 3 slot miniPCI, dengan 1 buah card miniPCI wireless card A+B+G dalam kotak outdoor besar Routerboard 133 (MIPS CPU, 32MB DDR RAM, 64MB NAND Storage) dengan RouterOS WISP-AP/CF. Memiliki 3 buah port ethernet (1 untuk PoE), dan 3 slot miniPCI, dengan 1 buah card miniPCI wireless card A+B+G dalam kotak T Box
Harga Rp.2.050.000,- Harga Rp.2.400.000,- Harga Rp.2.300.000,-


Paket 133+2Bh AP Paket 133+3Bh AP
Routerboard 133 (MIPS CPU, 32MB DDR RAM, 64MB NAND Storage) +RouterOS WISP-AP/CF. Memiliki 3 buah port ethernet (1 untuk PoE), dan 3 slot miniPCI, dengan 2 buah card miniPCI wireless card A+B+G dalam kotak outdoor besar Routerboard 133 (MIPS CPU, 32MB DDR RAM, 64MB NAND Storage) dengan RouterOS WISP-AP/CF. Memiliki 3 buah port ethernet (1 untuk PoE), dan 3 slot miniPCI, dengan 3 buah card miniPCI wireless card A+B+G dalam kotak outdoor besar
Harga Rp.2.850.000,- Harga Rp.3.300.000,-



Paket 112+1AP Paket 112+2AP Info/Keterangan:
Routerboard 112 (MIPS32 4Kc based 175MHz embedded processor) dengan RouterOS WISP-AP. Memiliki 1 buah port ethernet (PoE), dan 2 slot miniPCI, dengan 1 buah card R52 miniPCI wireless card A+B+G. Lisensi Mikrotik RouterOS Level 4 (WISP-AP)-CF. Routerboard 112 (MIPS32 4Kc based 175MHz embedded processor) dengan RouterOS WISP-AP. Memiliki 1 buah port ethernet (PoE), dan 2 slot miniPCI, dengan 2 buah card R52 miniPCI wireless card A+B+G. Lisensi Mikrotik RouterOS Level 4 (WISP-AP)-CF. Harga Belum termasuk lisence superchanel,Kabel Jumper, dan Jika pembelian lebih dari 4 Unit diberikan harga discount
Harga Rp.2.250.000,- Harga Rp.2.700.000,-



Paket 532+1AP Paket 532+2AP Paket 532+3AP
* Routerboard 532A (MIPS CPU, 64MB DDR RAM, 128MB NAND storage) with RouterOS WISP-AP/CF. Has 3 Ethernet ports (1 for PoE) and 2 miniPCI slots, with 1 miniPCI A+B+G wireless card. Price Rp.3.400.000,-
* Routerboard 532A (MIPS CPU, 64MB DDR RAM, 128MB NAND storage) with RouterOS WISP-AP/CF. Has 3 Ethernet ports (1 for PoE) and 2 miniPCI slots, with 2 miniPCI A+B+G wireless cards. Price Rp.3.850.000,-
* Routerboard 532A (MIPS CPU, 64MB DDR RAM, 128MB NAND storage) with Daughterboard RB502 and RouterOS WISP-AP/CF. Has 3 Ethernet ports (1 for PoE) and 4 miniPCI slots, with 3 miniPCI A+B+G wireless cards. Price Rp.4.650.000,-

* Package 532+4AP: Routerboard 532A (MIPS CPU, 64MB DDR RAM, 128MB NAND storage) with Daughterboard RB502 and RouterOS WISP-AP/CF. Has 3 Ethernet ports (1 for PoE) and 4 miniPCI slots, with 4 miniPCI A+B+G wireless cards. Price Rp.5.100.000,-
* Package 532+DB564+1AP: Routerboard 532A (MIPS CPU, 64MB DDR RAM, 128MB NAND storage) with Daughterboard RB564 and RouterOS WISP-AP/CF. Has 9 Ethernet ports (1 for PoE) and 6 miniPCI slots, with 1 miniPCI A+B+G wireless card. Price Rp.4.600.000,-
* Package 532+DB564+2AP: Routerboard 532A (MIPS CPU, 64MB DDR RAM, 128MB NAND storage) with Daughterboard RB564 and RouterOS WISP-AP/CF. Has 9 Ethernet ports (1 for PoE) and 6 miniPCI slots, with 2 miniPCI A+B+G wireless cards. Price Rp.5.050.000,-

* Package 532+DB564+3AP: Routerboard 532A (MIPS CPU, 64MB DDR RAM, 128MB NAND storage) with Daughterboard RB564 and RouterOS WISP-AP/CF. Has 9 Ethernet ports (1 for PoE) and 6 miniPCI slots, with 3 miniPCI A+B+G wireless cards. Price Rp.5.500.000,-
* Package 532+DB564+4AP: Routerboard 532A (MIPS CPU, 64MB DDR RAM, 128MB NAND storage) with Daughterboard RB564 and RouterOS WISP-AP/CF. Has 9 Ethernet ports (1 for PoE) and 6 miniPCI slots, with 4 miniPCI A+B+G wireless cards. Price Rp.5.950.000,-
* Package 532+DB564+5AP: Routerboard 532A (MIPS CPU, 64MB DDR RAM, 128MB NAND storage) with Daughterboard RB564 and RouterOS WISP-AP/CF. Has 9 Ethernet ports (1 for PoE) and 6 miniPCI slots, with 5 miniPCI A+B+G wireless cards. Price Rp.6.400.000,-

* Package 532+DB564+6AP: Routerboard 532A (MIPS CPU, 64MB DDR RAM, 128MB NAND storage) with Daughterboard RB564 and RouterOS WISP-AP/CF. Has 9 Ethernet ports (1 for PoE) and 6 miniPCI slots, with 6 miniPCI A+B+G wireless cards. Price Rp.6.850.000,-

Info/Notes: prices do not include the superchannel licence or jumper cables; purchases of more than 4 units receive a discount.

For full details contact our sales team:
Dwi at: (021) 7205932 - 7223411
Sofi at: (021) 7250439 - 7200986 - 0811144087
e-mail sofi@pc24.co.id
Special prices / negotiable

taken from www.pc24.co.id

Monday, 6 August 2007

Tutorial Mikrotik VPN : Point to Point Tunnel Protocol (PPTP)

Summary

PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS implementation includes support for both the PPTP client and the PPTP server.

General applications of PPTP tunnels:

* For secure router-to-router tunnels over the Internet
* To link (bridge) local Intranets or LANs (when EoIP is also used)
* For mobile or remote clients to remotely access an Intranet/LAN of a company (see PPTP setup for Windows for more information)

Each PPTP connection is composed of a server and a client. The MikroTik RouterOS may function as a server or client – or, for various configurations, it may be the server for some connections and client for other connections. For example, the client created below could connect to a Windows 2000 server, another MikroTik Router, or another router which supports a PPTP server.
Description
PPTP is a secure tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The purpose of this protocol is to make well-managed secure connections between routers as well as between routers and PPTP clients (clients are available for and/or included in almost all OSs including Windows).

PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.

PPTP traffic uses TCP port 1723 and IP protocol GRE (Generic Routing Encapsulation, IP protocol ID 47), as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the firewall or router.

PPTP connections may be limited or impossible to set up through a masqueraded/NAT IP connection. Please see the Microsoft and RFC links at the end of this section for more information.
PPTP Client Setup
Submenu level : /interface pptp-client
Property Description
name (name; default: pptp-out1) - interface name for reference
mtu (integer; default: 1460) - Maximum Transmit Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
connect-to (IP address) - the IP address of the PPTP server to connect to
user (string) - user name to use when logging on to the remote server
password (string; default: "") - user password to use when logging on to the remote server
profile (name; default: default) - profile to use when connecting to the remote server
add-default-route (yes | no; default: no) - whether to use the server which this client is connected to as its default router (gateway)
Example
To set up PPTP client named test2 using username john with password john to connect to the 10.1.1.12 PPTP server and use it as the default gateway:

[admin@MikroTik] interface pptp-client> add name=test2 connect-to=10.1.1.12 \
\... user=john add-default-route=yes password=john
[admin@MikroTik] interface pptp-client> print
Flags: X - disabled, R - running
0 X name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 user="john"
password="john" profile=default add-default-route=yes


[admin@MikroTik] interface pptp-client> enable 0

Monitoring PPTP Client
Command name : /interface pptp-client monitor
Property Description
Statistics:

uptime (time) - connection time displayed in days, hours, minutes, and seconds
encoding (string) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
status (string) - status of the client:
# Dialing – attempting to make a connection
# Verifying password... - connection has been established to the server, password verification in progress
# Connected – self-explanatory
# Terminated – interface is not enabled or the other side will not establish a connection

Example
Example of an established connection:

[admin@MikroTik] interface pptp-client> monitor test2
uptime: 4h35s
encoding: MPPE 128 bit, stateless
status: Connected
[admin@MikroTik] interface pptp-client>

PPTP Server Setup
Submenu level : /interface pptp-server server

[admin@MikroTik] interface pptp-server server> print
enabled: no
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@MikroTik] interface pptp-server server>

Description
The PPTP server supports unlimited connections from clients. For each current connection, a dynamic interface is created.
Property Description
enabled (yes | no; default: no) - defines whether PPTP server is enabled or not
mtu (integer; default: 1460) - Maximum Transmit Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) - authentication algorithm
default-profile (name; default: default) - default profile to use
Example
To enable PPTP server:

[admin@MikroTik] interface pptp-server server> set enabled=yes
[admin@MikroTik] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@MikroTik] interface pptp-server server>

PPTP Server Users
Submenu level : /interface pptp-server
Description
There are two types of items in the PPTP server configuration - static users and dynamic connections. A dynamic connection can be established if the user database or the default-profile has its local-address and remote-address set correctly. When static users are added, the default profile may be left with its default values and only the PPP user (in /ppp secret) needs to be configured. Note that in both cases the PPP users must be configured properly.
Property Description
name - interface name
user - the name of the user that is configured statically or added dynamically

Statistics:

mtu - shows (cannot be set here) client's MTU
client-address - shows (cannot be set here) the IP of the connected client
uptime - shows how long the client is connected
encoding (string) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
Example
To add a static entry for ex1 user:

[admin@MikroTik] interface pptp-server> add user=ex1
[admin@MikroTik] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 DR ex 1460 10.0.0.202 6m32s none
1 pptp-in1 ex1
[admin@MikroTik] interface pptp-server>

In this example an already connected user ex is shown beside the one we just added.
PPTP Router-to-Router Secure Tunnel Example
The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.

There are two routers in this example:

* [HomeOffice]
Interface LocalHomeOffice 10.150.2.254/24
Interface ToInternet 192.168.80.1/24

* [RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface LocalRemoteOffice 10.150.1.254/24

Each router is connected to a different ISP. One router can access another router through the Internet.

On the PPTP server a user must be set up for the client:

[admin@HomeOffice] ppp secret> add name=ex service=pptp password=lkjrht
local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""

[admin@HomeOffice] ppp secret>

Then the user should be added in the PPTP server list:

[admin@HomeOffice] interface pptp-server> add user=ex
[admin@HomeOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 pptp-in1 ex
[admin@HomeOffice] interface pptp-server>

And finally, the server must be enabled:

[admin@HomeOffice] interface pptp-server server> set enabled=yes
[admin@HomeOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@HomeOffice] interface pptp-server server>

Add a PPTP client to the RemoteOffice router:

[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex \
\... password=lkjrht disabled=no
[admin@RemoteOffice] interface pptp-client> print
Flags: X - disabled, R - running
0 R name="pptp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex"
password="lkjrht" profile=default add-default-route=no


[admin@RemoteOffice] interface pptp-client>

Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables 'direct' communication between the routers over third party networks.

To route the local Intranets over the PPTP tunnel – add these routes:

[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

On the PPTP server it can alternatively be done using routes parameter of the user configuration:

[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""

[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2
routes="10.150.1.0/24 10.0.103.2 1"

[admin@HomeOffice] ppp secret>

Test the PPTP tunnel connection:

[admin@RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the PPTP tunnel to the LocalHomeOffice interface:

[admin@RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

To bridge a LAN over this secure tunnel, please see the example in the 'EoIP' section of the manual. To set the maximum speed for traffic over this tunnel, please consult the 'Queues' section.

Connecting a Remote Client via PPTP Tunnel
The following example shows how to connect a computer to a remote office network over a PPTP encrypted tunnel, giving that computer an IP address from the same network as the remote office (without the need for bridging over EoIP tunnels).

Please consult the respective manual on how to set up a PPTP client with the software you are using.

The router in this example:

* [RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface Office 10.150.1.254/24

The client computer can access the router through the Internet.

On the PPTP server a user must be set up for the client:

[admin@RemoteOffice] ppp secret> add name=ex service=pptp password=lkjrht
local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes==""

[admin@RemoteOffice] ppp secret>

Then the user should be added in the PPTP server list:

[admin@RemoteOffice] interface pptp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 FromLaptop ex
[admin@RemoteOffice] interface pptp-server>

And the server must be enabled:

[admin@RemoteOffice] interface pptp-server server> set enabled=yes
[admin@RemoteOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@RemoteOffice] interface pptp-server server>

Finally, proxy ARP must be enabled on the 'Office' interface:

[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>
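As an added example that is not part of the manual text or of MikroTik's own tooling, the following Python script checks the addressing of the two setups above, the router-to-router tunnel and the remote client: it parses the ppp secret print output, verifies that each side's static route to the far LAN points at the other side's tunnel address (and that the routes shortcut on the secret agrees), and for the remote-client case verifies that the client address lies inside the Office subnet, that local-address is the Office interface address, and that the interface is set to proxy-arp. The function names and finding texts are this example's own; the addresses are the ones the examples configure.

```python
"""Added example (not MikroTik code): sanity checks for the two PPTP setups above,
using the addresses the manual examples configure. The check functions and their
names are this example's own; RouterOS does not provide them."""
import ipaddress
import shlex

def parse_item(text: str) -> dict:
    """One 'print detail' item (may span lines) -> dict; shlex strips RouterOS quotes."""
    fields = {}
    for tok in shlex.split(text):
        if "=" in tok:  # skips the leading item number and flags
            key, _, val = tok.partition("=")
            fields[key] = val
    return fields

def parse_routes(routes: str) -> list:
    """ppp secret 'routes' value: "dst gateway distance" entries separated by commas."""
    out = []
    for entry in routes.split(","):
        if entry.strip():
            dst, gw, dist = entry.split()
            out.append((dst, gw, int(dist)))
    return out

def check_site_to_site(secret: dict, home_route: dict, remote_route: dict) -> list:
    """Router-to-router case: each side's static route to the far LAN must point at
    the other side's tunnel address, and the 'routes' shortcut must agree with it."""
    problems = []
    if home_route["gateway"] != secret["remote-address"]:
        problems.append("HomeOffice route must use the client tunnel address")
    if remote_route["gateway"] != secret["local-address"]:
        problems.append("RemoteOffice route must use the server tunnel address")
    for dst, gw, _dist in parse_routes(secret.get("routes", "")):
        if (dst, gw) != (home_route["dst-address"], home_route["gateway"]):
            problems.append(f"routes entry {dst} via {gw} disagrees with the static route")
    return problems

def check_remote_client(secret: dict, office: dict) -> list:
    """Remote-client case: the client address must lie inside the office LAN, local-address
    must be the Office interface address, and that interface needs arp=proxy-arp."""
    problems = []
    iface = ipaddress.ip_interface(office["address"])
    if ipaddress.ip_address(secret["remote-address"]) not in iface.network:
        problems.append("remote-address is not inside the Office subnet")
    if secret["local-address"] != str(iface.ip):
        problems.append("local-address must be the Office interface address")
    if office.get("arp") != "proxy-arp":
        problems.append("Office interface must be set to arp=proxy-arp")
    return problems

# Inputs copied from the console output shown above
SITE_SECRET = parse_item('0 name="ex" service=pptp local-address=10.0.103.1 '
                         'remote-address=10.0.103.2 routes="10.150.1.0/24 10.0.103.2 1"')
HOME_ROUTE = {"dst-address": "10.150.1.0/24", "gateway": "10.0.103.2"}
REMOTE_ROUTE = {"dst-address": "10.150.2.0/24", "gateway": "10.0.103.1"}
CLIENT_SECRET = parse_item('0 name="ex" service=pptp local-address=10.150.1.254 '
                           'remote-address=10.150.1.2 routes=""')
OFFICE_IFACE = {"name": "Office", "address": "10.150.1.254/24", "arp": "proxy-arp"}
```

Both check functions return an empty list for the configurations shown above; feed them a mismatched route or an interface left at arp=enabled and they name the problem.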

ref: http://www.mikrotik.com/documentation//manual_2.7/Interface/PPTP.html

Friday, 3 August 2007

Mikrotik DHCP Server

To build a DHCP server, the steps are as follows:

1. Create an address pool and define the IP range
2. Enable the DHCP server.

To build an Internet gateway server, the core step is masquerading, which will pass the users' data packets through.

Here is an outline of the network and the server:

1. Mikrotik is installed on a CPU with 2 Ethernet cards: 1 interface for the connection to the Internet, 1 interface for the connection to the local network.

2. IP addresses:
- gateway (e.g. ADSL modem) : 192.168.100.100
- DNS : 192.168.100.110
- interface for the Internet : 192.168.100.1
- interface for the local network : 192.168.0.1

To begin, let us look at the interfaces present on the Mikrotik router

[admin@Mikrotik] > interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500
[admin@Mikrotik] >


Then set the IP addresses on the Mikrotik interfaces. Suppose we use ether1 for the Internet connection with IP 192.168.100.1 and ether2 for our local network with IP 192.168.0.1

[admin@mikrotik] > ip address add address=192.168.100.1 netmask=255.255.255.0 interface=ether1

[admin@mikrotik] > ip address add address=192.168.0.1 netmask=255.255.255.0 interface=ether2

[admin@mikrotik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.100.1/24 192.168.100.0 192.168.100.255 ether1
1 192.168.0.1/24 192.168.0.0 192.168.0.255 ether2
[admin@mikrotik] >


Once that is done we can set up the DHCP server on Mikrotik.

1. Create the address pool

/ip pool add name=dhcp-pool ranges=192.168.0.2-192.168.0.100
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1

2. Define the interface to be used and enable the DHCP server.

/ip dhcp-server add interface=ether2 address-pool=dhcp-pool
/ip dhcp-server enable 0

[admin@mikrotik] > ip dhcp-server print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 dhcp1 ether2

At this stage the DHCP server is ready for use and can already be tested from a user machine.

The next step is to build the Internet gateway. Suppose the IP of the ADSL modem that serves as the gateway for the Internet connection is 192.168.100.100 and its DNS server is 192.168.100.110; then set the default gateway with the following command:

[admin@mikrotik] > /ip route add gateway=192.168.100.100

3. View the routing table on the Mikrotik router

[admin@mikrotik] > ip route print

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
0 ADC 192.168.0.0/24 192.168.0.1 ether2
1 ADC 192.168.100.0/24 192.168.100.1 ether1
2 A S 0.0.0.0/0 r 192.168.100.100 ether1
[admin@mikrotik] >


Continue with the DNS setup

[admin@mikrotik] > ip dns set primary-dns=192.168.100.110 allow-remote-requests=no

[admin@mikrotik] > ip dns print

primary-dns: 192.168.100.110
secondary-dns: 0.0.0.0
allow-remote-requests: no
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 16KiB

[admin@mikrotik] >

4. Test access by domain name, for example by pinging a domain name

[admin@mikrotik] > ping yahoo.com

216.109.112.135 64 byte ping: ttl=48 time=250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 571/571.0/571 ms


[admin@mikrotik] >

If the ping gets replies, the DNS setting is correct.

5. Set up masquerading; this is the main step that makes Mikrotik a gateway server

[admin@mikrotik] > ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

[admin@mikrotik] >

[admin@mikrotik] > ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=ether1 action=masquerade
[admin@mikrotik] >

Done; all that remains is to test the connection from a user machine. With this setup users should be able to reach the Internet.

This is indeed the easiest way to get users connected to the Internet, but its level of security is still low and firewall rules are needed. Hopefully I can cover that another time.
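As an added example that is not part of this post or of MikroTik's tooling, the following Python script ties the steps above together into one consistency check: it takes the addresses, pool, DHCP network, default route, DNS setting and NAT rule from the post and reports anything that does not fit, including the missing firewall filter rules the post itself points out. The CONFIG layout, the check function and its finding texts are this example's own.

```python
"""Added example (not MikroTik code): consistency checks for the DHCP server and
masquerading gateway built above. The values come from the post; the CONFIG layout,
the check function and its findings are this example's own."""
import ipaddress

# Constructed from the post's commands and print output
CONFIG = {
    "addresses": {"ether1": "192.168.100.1/24", "ether2": "192.168.0.1/24"},
    "pool": {"name": "dhcp-pool", "ranges": "192.168.0.2-192.168.0.100"},
    "dhcp_network": {"address": "192.168.0.0/24", "gateway": "192.168.0.1"},
    "dhcp_server": {"interface": "ether2", "address-pool": "dhcp-pool"},
    "default_route": {"gateway": "192.168.100.100"},
    "dns": {"primary-dns": "192.168.100.110", "allow-remote-requests": "no"},
    "nat": [{"chain": "srcnat", "out-interface": "ether1", "action": "masquerade"}],
    "filter": [],  # the post adds no firewall filter rules yet
}

def pool_range(ranges: str) -> tuple:
    """RouterOS pool syntax 'first-last' -> (first, last) as IP addresses."""
    lo, _, hi = ranges.partition("-")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)

def check_gateway(cfg: dict, wan: str = "ether1", lan: str = "ether2") -> list:
    """Return a list of findings; an empty list means the pieces fit together."""
    findings = []
    wan_if = ipaddress.ip_interface(cfg["addresses"][wan])
    lan_if = ipaddress.ip_interface(cfg["addresses"][lan])
    net = ipaddress.ip_network(cfg["dhcp_network"]["address"])
    lo, hi = pool_range(cfg["pool"]["ranges"])
    # DHCP: leases come from the LAN subnet and must not hand out the router's own address
    if net != lan_if.network:
        findings.append("DHCP network does not match the LAN interface subnet")
    if lo not in net or hi not in net or lo > hi:
        findings.append("address pool is not a valid range inside the DHCP network")
    elif lo <= lan_if.ip <= hi:
        findings.append("address pool includes the router's own LAN address")
    if cfg["dhcp_network"]["gateway"] != str(lan_if.ip):
        findings.append("DHCP gateway option is not the LAN interface address")
    if (cfg["dhcp_server"]["interface"] != lan
            or cfg["dhcp_server"]["address-pool"] != cfg["pool"]["name"]):
        findings.append("DHCP server must listen on the LAN interface and use the pool")
    # Routing and DNS: default gateway on the WAN subnet; resolver not open to remote hosts
    if ipaddress.ip_address(cfg["default_route"]["gateway"]) not in wan_if.network:
        findings.append("default gateway is not on the WAN subnet")
    if cfg["dns"]["allow-remote-requests"] != "no":
        findings.append("allow-remote-requests=yes would let outside hosts use the router as a resolver")
    # NAT: masquerade only in srcnat and only towards the Internet-facing interface
    masq = [r for r in cfg["nat"] if r["action"] == "masquerade"]
    if not masq or any(r["chain"] != "srcnat" or r["out-interface"] != wan for r in masq):
        findings.append(f"masquerade rule must be chain=srcnat out-interface={wan}")
    if not cfg["filter"]:
        findings.append("no firewall filter rules yet, as the post itself notes")
    return findings
```

For the post's configuration the only finding is the missing filter rules; swapping the masquerade rule onto ether2 or starting the pool at 192.168.0.1 produces the corresponding finding.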

taken from http://www.vavai.com