Saturday, February 16, 2008

Drop Illegal IPs by MAC Address in MikroTik

This was made for friends who are bothered by coworkers who keep changing their IP without our knowledge, i.e. grabbing the office boss's IP so they can browse fast, and by employees who think they're clever and change IPs as they please :p OK, let's get straight to the practice.
1. Open MikroTik with Winbox, which is a bit easier since you only have to click around.
2. IP >>>>> FIREWALL >>>>> FILTER RULE >>>>> ADD
   (screenshot: 1.jpg)
3. Next step
   (screenshot: 2.jpg)
4. And the last one
   (screenshot: 3.jpg)
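The same filter rules typed at the terminal instead of clicked in Winbox, as an added example that is not from the original post; the IP 192.168.1.10 and the MAC 00:11:22:33:44:55 are constructed placeholders for the boss's PC.

```routeros
# Added example (not from the original post). Constructed values:
# the boss's PC is 192.168.1.10 and its real network card is 00:11:22:33:44:55.
# Any packet that claims 192.168.1.10 but comes from a different MAC is first
# logged (so the admin can see who is doing it) and then dropped.
/ip firewall filter
add chain=forward src-address=192.168.1.10 src-mac-address=!00:11:22:33:44:55 \
    action=log log-prefix="IP-MAC mismatch" comment="log anyone else using the boss IP"
add chain=forward src-address=192.168.1.10 src-mac-address=!00:11:22:33:44:55 \
    action=drop comment="drop the illegal IP"
# Same check for traffic aimed at the router itself (Winbox, DNS, proxy).
add chain=input src-address=192.168.1.10 src-mac-address=!00:11:22:33:44:55 \
    action=drop comment="drop the illegal IP (router access)"
```

Place these above any general accept rule; src-mac-address only matches hosts on the same LAN segment as the router, so the rules must sit on the router the PCs are directly connected to.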

Friday, January 25, 2008

Drop users that exceed their quota

Suppose we have a simple queue like the one below:

Code:
add name="Isp" target-addresses=192.111.111.99/32 dst-address=0.0.0.0/0 \
interface=all parent=none direction=both priority=8 \
queue=default-small/share-ni-down limit-at=0/0 max-limit=32000/64000 \
burst-limit=/128000 burst-threshold=/30000 burst-time=/10s \
total-queue=default-small disabled=no
and we want to limit its bandwidth once its traffic has exceeded, say, 500MB in one day; then we can create the script below:

Code:
/system script
add name="trafwatcher01" policy=ftp,reboot,read,write,policy,test,winbox,password source="
/queue simple
:local traf
:set traf [get [find name=\"Isp\"] total-bytes]
:if (\$traf > 500000000) do={
    set [find name=\"Isp\"] max-limit=32000/32000
    :log info \"isp traffic exceeding 500MB\"
}"

The traf variable temporarily holds the queue's total traffic value.

Create a scheduler to run the traffic-checking script, for example every half hour.
Code:
add name="trafisp" on-event=trafwatcher01 start-date=jan/01/1970 \
start-time=11:00:00 interval=30m comment="" disabled=no

That is the script that applies the limit. All that remains is one more script that, once a day has passed (for example at midnight), resets the total traffic counter of that client's queue and restores its bandwidth to the normal 64 kbps.
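The daily reset step the post leaves to the reader, written out as an added example that is not from the original post; the script name trafreset01 and scheduler name trafreset are assumed, the queue name "Isp" and the 32000/64000 limit are the post's own.

```routeros
# Added example (not from the original post). Names trafreset01 / trafreset assumed.
# Runs at midnight: records the day's total, restores the normal 32k/64k limit
# and zeroes the queue counters so the next trafwatcher01 check starts from 0.
/system script
add name="trafreset01" policy=read,write,test source="
/queue simple
:local q [find name=\"Isp\"]
:if ([:len \$q] = 0) do={
    :log error \"trafreset01: queue Isp not found\"
} else={
    :log info (\"Isp daily reset, total-bytes was \" . [get \$q total-bytes])
    set \$q max-limit=32000/64000
    reset-counters \$q
}"
/system scheduler
add name="trafreset" on-event="/system script run trafreset01" \
    start-date=jan/01/1970 start-time=00:00:00 interval=1d disabled=no
```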

GOOD LUCK

Source: the MikroTik wiki and scripting how-to, forummikrotik indonesia

Friday, January 18, 2008

How to do automatic ECMP failover

TAKEN FROM:
http://wiki.mikrotik.com/wiki/ECMP_Failover_Script

This script demonstrates one method of doing automatic failover using the Netwatch function and using scripting to enable or disable gateways. This is probably not the most efficient way, but it works. I would welcome any input on how it can be improved.

The situation:

You have 2 lines going out to the internet, 10.0.0.12 and 10.0.0.13. You have set up a mangle rule to mark HTTP traffic (optional) and want to route HTTP along the 2 lines using load balancing.

You set up the mangle rule:

   /ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-routing \
       new-routing-mark=ecmp-http-route passthrough=yes comment="Route HTTP traffic to ECMP" disabled=no

You set up ECMP (Equal Cost Multipath Routing) by using something like

   /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.12,10.0.0.13 routing-mark=ecmp-http-route \
       comment="ECMP route for HTTP"

Now you have ECMP for HTTP only. This is nice because MSN Messenger, banking websites and other programs and problem sites will not be broken in the way they might be if you used ECMP for all protocols.

What I then do is for example mark SMTP traffic and route this out through 10.0.0.12:

   /ip firewall mangle add chain=prerouting protocol=tcp dst-port=25 action=mark-routing \
       new-routing-mark=smtp-out passthrough=yes comment="SMTP Traffic" disabled=no
   /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.12 routing-mark=smtp-out comment="SMTP Traffic out"

and route all other traffic through 10.0.0.13

   /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.13 comment="Default Route to Internet"

Then I need to set up 2 routes to specific addresses that force the router through specific gateways to "test" the links. These should not be popular addresses with your users! Otherwise, when a gateway goes down they will have no access to those sites. The addresses I am using as an example are 1.1.1.12 to test 10.0.0.12, and 1.1.1.13 to test 10.0.0.13.

Next I use the Netwatch Function to switch all traffic to the working gateway should any of the gateways fail:

   /tool netwatch
   add host=1.1.1.13 timeout=2s interval=30s \
       up-script="/ip route set [find comment=\"Default Route to Internet\"] gateway=10.0.0.13" \
       down-script="/ip route set [find comment=\"Default Route to Internet\"] gateway=10.0.0.12" \
       comment="" disabled=no
   add host=1.1.1.12 timeout=2s interval=30s \
       up-script="/ip route set [find comment=\"SMTP Traffic out\"] gateway=10.0.0.12" \
       down-script="/ip route set [find comment=\"SMTP Traffic out\"] gateway=10.0.0.13" \
       comment="" disabled=no

The problem is that the ECMP HTTP route will still be active, so HTTP traffic won't work; therefore I have 2 scripts that check whether both gateways are up or down and take action accordingly:

   /system script
   add name="ecmp-startup" policy=ftp,reboot,read,write,policy,test,winbox,password source="
   :if ([/ping 1.1.1.12 count=1]=1 && [/ping 1.1.1.13 count=1]=1 && [/ip route get [find comment=\"ECMP route for HTTP\"] disabled]=true) do={
       :log info \"Both gateways up\"
       /ip route set [find routing-mark=ecmp-http-route] disabled=no
   }"
   add name="ecmp-shutdown" policy=ftp,reboot,read,write,policy,test,winbox,password source="
   :if ([/ping 1.1.1.12 count=1]=0 || [/ping 1.1.1.13 count=1]=0) do={
       :log info \"Gateway down\"
       /ip route set [find routing-mark=ecmp-http-route] disabled=yes
   }"

   Hi, I found this error while trying to use this script; what worked for me was the
ecmp start/shut script below. Looks like in the start and shut script the (") are missing
from the find; otherwise the script works wonders for me. Thanks a lot savagedavid
   ecmp startup script
:if ([/ping 1.1.1.13 count=1]=1 && [/ping 1.1.1.12 count=1]=1 && [/ip route get [find routing-mark="ecmp-http-route"] disabled]=true) do={
    :log info "Both Gateways are up"
    /ip route set [find routing-mark="ecmp-http-route"] disabled=no
}
   ecmp shutdown script
:if ([/ping 1.1.1.13 count=1]=0 || [/ping 1.1.1.12 count=1]=0) do={
    :log info "Gateway down"
    /ip route set [find routing-mark="ecmp-http-route"] disabled=yes
}


Notice that it first checks whether the route is enabled before trying to re-enable it. Otherwise it will reset the route and users will be dropped momentarily.

Then finally schedule the scripts to check every 30 seconds:

   /system scheduler
   add name="gateway-check" on-event="/system script run ecmp-shutdown
   /system script run ecmp-startup" start-date=jan/01/1970 start-time=00:00:00 \
       interval=30s comment="" disabled=no
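A stricter shutdown script, added here as an example that is not part of the wiki article: it mirrors the "check before acting" logic of ecmp-startup so the route is disabled only once, and it logs which of the two test addresses stopped answering. The name ecmp-shutdown-v2 is assumed; gateways and test addresses are the article's own.

```routeros
# Added example (not from the wiki article). Script name ecmp-shutdown-v2 assumed.
# Disables the ECMP route only if it is currently enabled, so a gateway that stays
# down does not trigger a route reset every 30 seconds, and records which probe
# failed so the operator can see which line went down.
/system script
add name="ecmp-shutdown-v2" policy=read,write,test source="
:local up12 [/ping 1.1.1.12 count=1]
:local up13 [/ping 1.1.1.13 count=1]
:local ecmp [/ip route find routing-mark=ecmp-http-route]
:if ((\$up12=0 || \$up13=0) && [/ip route get \$ecmp disabled]=false) do={
    :log warning (\"ECMP HTTP route disabled, replies: 1.1.1.12=\" . \$up12 . \" 1.1.1.13=\" . \$up13)
    /ip route set \$ecmp disabled=yes
}"
```

Point the gateway-check scheduler at ecmp-shutdown-v2 in place of ecmp-shutdown; as in the original, a single lost ping (count=1) counts as down.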

Load Balancing using MikroTik

http://wiki.mikrotik.com/wiki/Improved_Load_Balancing_over_Multiple_Gateways

Configuration export from the gateway router:

/ ip address
add address=1.1.1.50/24 network=1.1.1.0 broadcast=1.1.1.255 interface=Local comment="" \
disabled=no
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 \
comment="" disabled=no
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1 \
comment="" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535 comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" \
disabled=no

Explanation

First we give a code snippet and then explain what it actually does.

Mangle

/ ip address
add address=1.1.1.50/24 network=1.1.1.0 broadcast=1.1.1.255 interface=Local comment="" \
disabled=no
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 \
comment="" disabled=no
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1 \
comment="" disabled=no

The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the name "Local" and IP address of 1.1.1.50/24.

/ ip firewall mangle

add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
disabled=no


First we take every second packet that establishes a new session (note connection-state=new) and mark it with the connection mark "odd". Consequently all subsequent packets belonging to the same session will carry the connection mark "odd". Note that we pass these packets on to the second rule (passthrough=yes) to place a routing mark on them in addition to the connection mark.

add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no comment="" disabled=no

The rule above places the routing mark "odd" on all packets that belong to an "odd" connection and stops processing all other mangle rules in the prerouting chain for these packets.

add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no comment="" disabled=no

These rules do the same for the remaining half of the traffic as the first two rules for the first half of the traffic.

The code above effectively means that each new connection initiated through the router from the local network will be marked as either "odd" or "even" with both routing and connection marks.

NAT

/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535 comment="" disabled=no

All traffic marked "odd" is NATted to the source IP address 10.111.0.2, while traffic marked "even" gets 10.112.0.2 as its source IP address.

Routing

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 \
comment="gateway for the router itself" disabled=no

For all traffic marked "odd" (consequently having 10.111.0.2 translated source address) we use 10.111.0.1 gateway. In the same manner all traffic marked "even" is routed through the 10.112.0.1 gateway. Finally, we have one additional entry specifying that traffic from the router itself (the traffic without any routing marks) should go to 10.112.0.1 gateway.


This is just copied; as for how it actually works, I don't fully understand it myself yet, sorry. Like I said, it's from me and only for me :D