Config Rt Rw Net

CONFIG RT RW NET

===setting interface===

/interface ethernet

set 0 comment="Speedy Interface" name=Speedy

set 1 comment="Local Interface" name=Local

set 2 comment="Proxy Interface" name=Proxy

set 3 comment="Rtrwnet Interface" name=Rtrwnet

set 4 comment="hotspot Interface" name=hotspotnet

===setting IP

/ip address

add address=192.168.1.2 netmask=255.255.255.0 inteface=Speedy comment=”ke Speedy”

add address=192.168.10.254 netmask=255.255.255.0 inteface=Local comment=”ke Local”

add address=192.168.100.1 netmask=255.255.255.0 inteface=Proxy comment=”ke Proxy”

add address=192.168.11.1 netmask=255.255.255.0 inteface=Rtrwnet comment=”ke Rtrwnet”

add address=10.10.10.1 netmask=255.255.255.0 inteface=hotspotnet comment=”ke hotspot Internal”

===setting DNS===

/ip dns

set allow-remote-requests=yes cache-max-ttl=1w cache-size=4096KiB \

max-udp-packet-size=512 servers="208.67.220.220,208.67.222.222"

===gateway modem===

/ip route

add gateway=192.168.1.1 comment="" disabled=no

===port service===

/ip service

set telnet address=0.0.0.0/0 disabled=yes port=23

set ftp address=0.0.0.0/0 disabled=yes port=21

set www address=0.0.0.0/0 disabled=no port=80

set ssh address=0.0.0.0/0 disabled=yes port=22

set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443

set api address=0.0.0.0/0 disabled=yes port=8728

set winbox address=0.0.0.0/0 disabled=no port=9099

===zone time===

/system ntp client

set enabled=yes mode=unicast primary-ntp=203.160.128.6 secondary-ntp=\

202.169.224.16

===setting IP boleh Lewat===

/ip firewall address-list

add address=192.168.100.1/24 comment="" disabled=no list=ProxyNET

add address=192.168.10.1-192.168.10.254 comment="" disabled=no list=LocalNet

add address=192.168.11.1-192.168.11.50 comment="" disabled=no list=RtrwnetNet

add address=10.10.10.1-10.10.10.254 comment="" disabled=no list=hotspotNet

===setting firewall===

/ip firewall filter

add action=drop chain=input comment="Drop Invalid connections" \

connection-state=invalid disabled=no

add action=add-src-to-address-list address-list="port scanners" \

address-list-timeout=2w chain=input comment="Port scanners to list " \

disabled=no protocol=tcp psd=21,3s,3,1


address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \

disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg


address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \

protocol=tcp tcp-flags=fin,syn


address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \

protocol=tcp tcp-flags=syn,rst


address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\

no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack


address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \

protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg


address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \

protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

add action=drop chain=input comment="Dropping port scanners" disabled=no \

src-address-list="port scanners"

add chain=virus protocol=tcp action=drop dst-port=60000 comment="Deep Throat, Foreplay, Sockets des Troie"

add chain=virus protocol=tcp action=drop dst-port=60001 comment="Trinity"

add chain=virus protocol=tcp action=drop dst-port=60068 comment="Xzip 6000068"

add chain=virus protocol=tcp action=drop dst-port=60411 comment="Connection"

add chain=virus protocol=tcp action=drop dst-port=61348 comment="Bunker-Hill"

add chain=virus protocol=tcp action=drop dst-port=61466 comment="TeleCommando"



add chain=virus protocol=tcp action=drop dst-port=64101 comment="Taskman"

add chain=virus protocol=tcp action=drop dst-port=65000 comment="Devil, Sockets des Troie, Stacheldraht"

add chain=virus protocol=tcp action=drop dst-port=65390 comment="Eclypse"

add chain=virus protocol=tcp action=drop dst-port=65421 comment="Jade"

add chain=virus protocol=tcp action=drop dst-port=65432 comment="The Traitor th3tr41t0r"

add chain=virus protocol=udp action=drop dst-port=65432 comment="The Traitor th3tr41t0r"

add chain=virus protocol=tcp action=drop dst-port=65534 comment="sbin initd"

add chain=virus protocol=tcp action=drop dst-port=65535 comment="RC1 trojan"

add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

===firewall filter===

/ip firewall filter

add action=accept chain=input comment="Allow Established connections" \

connection-state=established disabled=no

add action=accept chain=input comment="Allow Related connections" \

connection-state=related disabled=no

add action=accept chain=input comment="Allow ICMP from Local Network" \

disabled=no protocol=icmp src-address-list=LocalNet

add action=accept chain=input comment="Allow ICMP from PROXY Network" \

disabled=no protocol=icmp src-address-list=ProxyNET

add action=accept chain=input comment="Allow ICMP from RT RW NET Network" \

disabled=no protocol=icmp src-address-list=RtrwnetNet

add action=accept chain=input comment="Allow ICMP from HOTSPOT Network" \

disabled=no protocol=icmp src-address-list=hotspotNet

add action=accept chain=input comment="Allow Input from Local Network" \

disabled=no src-address-list=LocalNet

add action=accept chain=input comment="Allow Input from PROXY Network" \

disabled=no src-address-list=ProxyNET

add action=accept chain=input comment="Allow Input from RT RW NET Network" \

disabled=no src-address-list=RtrwnetNet

add action=accept chain=input comment="Allow Input from HOTSPOT Network" \

disabled=no src-address-list=hotspotNet

=== port scanner===

/ip firewall filter

add action=drop chain=input comment="Drop everything else" disabled=no

add action=jump chain=forward comment="Bad packets filtering" disabled=no \

jump-target=tcp protocol=tcp

add action=jump chain=forward comment="" disabled=no jump-target=udp \

protocol=udp

add action=jump chain=forward comment="" disabled=no jump-target=icmp \

protocol=icmp

add action=drop chain=tcp comment="deny SMTP" disabled=no dst-port=25 \

protocol=tcp

add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 \

protocol=tcp

add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\

111 protocol=tcp

add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\

135 protocol=tcp

add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \

protocol=tcp

add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \

protocol=tcp

add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \

protocol=tcp

add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\

12345-12346 protocol=tcp

add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \

protocol=tcp

add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=\

3133 protocol=tcp

add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \

protocol=tcp

add action=drop chain=tcp comment="deny P2P" disabled=no p2p=all-p2p

add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 \

protocol=udp

add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\

111 protocol=udp

add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\

135 protocol=udp

add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \

protocol=udp

add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \

protocol=udp

add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=\

3133 protocol=udp

add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \

icmp-options=0:0-255 limit=5,5 protocol=icmp


icmp-options=3:0 protocol=icmp


icmp-options=3:3 limit=5,5 protocol=icmp


icmp-options=3:4 limit=5,5 protocol=icmp





add action=drop chain=icmp comment="Drop other icmp packets" disabled=no

add action=accept chain=forward comment="Allow Established connections" \

connection-state=established disabled=no

===ijin lewat dari list address===

/ip firewall filter

add action=accept chain=forward comment="Allow Forward from Local Network" \

disabled=no src-address-list=LocalNet

add action=accept chain=forward comment="Allow Forward from PROXY Network" \

disabled=no src-address-list=ProxyNET

add action=accept chain=forward comment="Allow Forward from RT RW NET Network" \

disabled=no src-address-list=RtrwnetNet

add action=accept chain=forward comment="Allow Forward from HOTSPOT Network" \

disabled=no src-address-list=hotspotNet

===NAT===

/ip firewall nat

add action=masquerade src-address-list=LocalNet chain=srcnat comment="NAT-Local" disabled=no \

out-interface=Speedy

add action=masquerade src-address-list=ProxyNet chain=srcnat comment="NAT-PROXY" disabled=no \


add action=masquerade src-address-list=RtrwnetNet chain=srcnat comment="NAT-Rtrwnet" disabled=no \


add action=masquerade src-address-list=hotspotNet chain=srcnat comment="HOTSPOTnet" disabled=no \


===NAT to Proxy===

/ip firewall nat

add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY Local" disabled=no \

src-address=192.168.9.2-192.168.9.30 dst-port=80,8080,3128 in-interface=Local \

protocol=tcp to-addresses=192.168.3.3 to-ports=3128

add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY Rtrwnet" disabled=no \

src-address=192.168.4.1-192.168.4.30 dst-port=80,8080,3128 in-interface=Local \


add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY HOTSPOT" disabled=no \

src-address=192.168.5.1-192.168.5.30 dst-port=80,8080,3128 in-interface=hotspot \


add action=dst-nat chain=dstnat comment="TRANSPARENT DNS LOKAL" disabled=no \

dst-port=53 in-interface=local protocol=udp to-ports=53

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \

in-interface=local protocol=tcp to-ports=53

add action=dst-nat chain=dstnat comment="TRANSPARENT DNS Rtrwnet" disabled=no \

dst-port=53 in-interface=hotspot protocol=udp to-ports=53


in-interface=hotspot protocol=tcp to-ports=53

add action=dst-nat chain=dstnat comment="TRANSPARENT DNS HOTSPOT" disabled=no \

dst-port=53 in-interface=hotspot2 protocol=udp to-ports=53


in-interface=hotspot2 protocol=tcp to-ports=53


in-interface=proxy protocol=udp to-ports=53


in-interface=proxy protocol=tcp to-ports=53

===mangle===

/ip firewall mangle

add action=mark-packet chain=forward comment="PROXY-HIT-DSCP 12" disabled=no \

dscp=12 new-packet-mark=proxy-hit passthrough=no

add action=change-dscp chain=postrouting comment=CRITICAL disabled=no \

new-dscp=1 protocol=icmp

add action=change-dscp chain=postrouting comment="" disabled=no dst-port=53 \

new-dscp=1 protocol=udp

add action=change-dscp chain=postrouting comment="" disabled=no dst-port=53 \

new-dscp=1 protocol=tcp

add action=mark-connection chain=postrouting comment="" disabled=no dscp=1 \

new-connection-mark=critical_conn passthrough=yes

add action=mark-packet chain=postrouting comment="" connection-mark=\

critical_conn disabled=no new-packet-mark=critical_pkt passthrough=no

add action=mark-connection chain=prerouting comment=MARK-ALL-CONN disabled=no \

dst-address-list=!LocalNet in-interface=Local new-connection-mark=\

all.pre_conn passthrough=yes


dst-address-list=!RtrwnetNet in-interface=Rtrwnet new-connection-mark=\



dst-address-list=!hotspotNet in-interface=hotspot new-connection-mark=\


add action=mark-connection chain=forward comment="Local" disabled=no \

new-connection-mark=all.post_conn out-interface=Local passthrough=yes \

src-address-list=!LocalNet

add action=mark-connection chain=forward comment="RT RW NET" disabled=no \

new-connection-mark=all.post_conn out-interface=Rtrwnet passthrough=yes \

src-address-list=!RtrwnetNet

add action=mark-connection chain=forward comment="HOTSPOT" disabled=no \

new-connection-mark=all.post_conn out-interface=hotspot passthrough=yes \

src-address-list=!hotspotNet

add action=mark-packet chain=prerouting comment="" connection-mark=\

all.pre_conn disabled=no new-packet-mark=all.pre_pkt passthrough=yes

add action=mark-packet chain=forward comment="" connection-mark=all.post_conn \

disabled=no new-packet-mark=all.post_pkt passthrough=yes

add action=mark-connection chain=prerouting comment=GAMES connection-mark=\

all.pre_conn disabled=no dst-port=9339,843 new-connection-mark=games_conn \

passthrough=yes protocol=tcp

add action=mark-connection chain=prerouting comment="" connection-mark=\

all.pre_conn disabled=no dst-port=40000-40010 new-connection-mark=\

games_conn passthrough=yes protocol=udp

add action=mark-packet chain=forward comment="" connection-mark=games_conn \

disabled=no new-packet-mark=games_pkt passthrough=no

add action=mark-connection chain=prerouting comment=HTTP-CLIENT \

connection-mark=all.pre_conn disabled=no new-connection-mark=\

browsing_conn packet-size=0-64 passthrough=yes protocol=tcp tcp-flags=ack


all.pre_conn disabled=no dst-port=80,443 new-connection-mark=\

browsing_conn passthrough=yes protocol=tcp

add action=mark-packet chain=forward comment="" connection-bytes=0-131072 \

connection-mark=browsing_conn disabled=no new-packet-mark=browsing_pkt \

passthrough=no protocol=tcp

add action=mark-connection chain=prerouting comment=HTTP-PROXY disabled=no \

dst-address-list=!LocalNet dst-port=80,443 new-connection-mark=proxy_conn \

passthrough=yes protocol=tcp src-address-list=ProxyNET


dst-address-list=!RtrwnetNet dst-port=80,443 new-connection-mark=proxy_conn \



dst-address-list=!hotspotNet dst-port=80,443 new-connection-mark=proxy_conn \


add action=mark-packet chain=forward comment="" connection-mark=proxy_conn \

disabled=no new-packet-mark=proxy_pkt passthrough=no

add action=mark-connection chain=prerouting comment=REALTIME connection-mark=\

all.pre_conn disabled=no dst-port=22,179,110,161,8291 \

new-connection-mark=realtime_conn passthrough=yes protocol=tcp


all.pre_conn disabled=no dst-port=123 new-connection-mark=realtime_conn \

passthrough=yes protocol=udp

add action=mark-packet chain=forward comment="" connection-mark=realtime_conn \

disabled=no new-packet-mark=realtime_pkt passthrough=no

add action=mark-connection chain=prerouting comment=FILETRANSER \

connection-mark=all.pre_conn disabled=no dst-port=20,21,23 \

new-connection-mark=communication_conn passthrough=yes protocol=tcp

add action=mark-packet chain=forward comment="" connection-mark=\

communication_conn disabled=no new-packet-mark=communication_pkt \

passthrough=no

add action=mark-connection chain=prerouting comment=NORMAL connection-mark=\

all.pre_conn disabled=no dst-address-list=!ProxyNET new-connection-mark=\

normal_conn passthrough=yes

add action=mark-packet chain=forward comment="" connection-mark=normal_conn \

disabled=no new-packet-mark=normal_pkt passthrough=no

===mangle jaringan local===

/ip firewall mangle

add action=mark-packet chain=forward comment=DOWNLOAD connection-bytes=\

131072-4294967295 connection-mark=all.post_conn disabled=no dst-address=\

192.168.9.1 new-packet-mark=Billing passthrough=no protocol=tcp

add action=mark-packet chain=forward comment=DOWNLOAD connection-bytes=\


192.168.9.2 new-packet-mark=client1 passthrough=no protocol=tcp

add action=mark-packet chain=forward comment="" connection-bytes=\

















































































===mangle RT/RW net===

/ip firewall mangle



192.168.4.2 new-packet-mark=Rtrwnet2 passthrough=no protocol=tcp





















































































===mangle hotspot internal===

/ip firewall mangle



192.168.5.2 new-packet-mark=hotspot2 passthrough=no protocol=tcp





















































































===bandwidth limit===

/queue type

add kind=pcq name=pcq_up pcq-classifier=src-address pcq-limit=200 pcq-rate=0 \

pcq-total-limit=8000

add kind=pcq name=pcq_down pcq-classifier=dst-address pcq-limit=200 pcq-rate=\

0 pcq-total-limit=8000

add kind=pfifo name=pfifo-critical pfifo-limit=10

add kind=pcq name=pcq_critical.up pcq-classifier=src-address,src-port \

pcq-limit=20 pcq-rate=0 pcq-total-limit=500

add kind=pcq name=pcq_critical.down pcq-classifier=dst-address,dst-port \

pcq-limit=20 pcq-rate=0 pcq-total-limit=500

/queue tree

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \

max-limit=0 name="A. PROXY HIT Local" packet-mark=proxy-hit parent=Local \

priority=1 queue=default


max-limit=0 name="E. PROXY HIT RTRWNET" packet-mark=proxy-hit parent=Rtrwnet \



max-limit=0 name="F. PROXY HIT HOTSPOT" packet-mark=proxy-hit parent=hotspot \



max-limit=0 name="B. CRITICAL" packet-mark=critical_pkt parent=Speedy \

priority=1 queue=pfifo-critical


max-limit=0 name="C. INBOUND" packet-mark=all.post_pkt parent=global-out \

priority=8


max-limit=0 name="D. OUTBOUND" packet-mark=all.pre_pkt parent=Speedy \

priority=8


max-limit=0 name="A. GAMES" packet-mark=games_pkt parent="C. INBOUND" \

priority=2 queue=pcq_critical.down


max-limit=0 name="B. HTTP" packet-mark=browsing_pkt parent="C. INBOUND" \

priority=3 queue=pcq_down

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \

max-limit=128k name="C. REALTIME" packet-mark=realtime_pkt parent=\

"C. INBOUND" priority=4 queue=pcq_critical.down


max-limit=128k name="D. FILETRANS" packet-mark=communication_pkt parent=\

"C. INBOUND" priority=5 queue=pcq_down


max-limit=128k name="E. NORMAL" packet-mark=normal_pkt parent=\

"C. INBOUND" priority=6 queue=pcq_down


max-limit=1024k name="F. DOWNCLIENT 1M" parent="C. INBOUND" priority=8


max-limit=1024k name="F. DOWNRTRW 1M" parent="C. INBOUND" priority=8


max-limit=1024k name="F. DOWNHOTSPOT 1M" parent="C. INBOUND" priority=8


max-limit=0 name="G. DOWN 2M" parent="C. INBOUND" priority=8

===limit jaringan local===

/queue tree


max-limit=256k name=Billing packet-mark=Billing parent=\

"F. DOWNCLIENT 1M" priority=8 queue=pcq_down


max-limit=256k name=Client1 packet-mark=client1 parent=\

























































































===limit jariangan RT/RW net===

/queue tree


max-limit=256k name=Rtrwnet1 packet-mark=Rtrwnet1 parent=\

"F. DOWNRTRW 1M" priority=8 queue=pcq_down
























































































===limit hotspot internal===

/queue tree


max-limit=256k name=hotspot1 packet-mark=hotspot1 parent=\

"F. DOWNHOTSPOT 1M" priority=8 queue=pcq_down
























































































/ip firewall mangle

add action=mark-packet chain=forward comment=DOWNLOAD-NO-LIMIT connection-bytes=\


192.168.4.30 new-packet-mark=APbescomnet passthrough=no protocol=tcp

/queue tree


max-limit=0 name=APbescomnet packet-mark=client16 parent=\

"G. DOWN 2M" priority=8 queue=pcq_down


max-limit=0 name=billing packet-mark=client17 parent=\

"G. DOWN 2M" priority=8 queue=pcq_down


max-limit=0 name="A. GAMES UP" packet-mark=games_pkt parent="D. OUTBOUND" \

priority=2 queue=pcq_critical.up


max-limit=128k name="B. HTTP UP" packet-mark=proxy_pkt parent=\

"D. OUTBOUND" priority=3 queue=pcq_up


max-limit=64k name="C. REALTIME UP" packet-mark=realtime_pkt parent=\

"D. OUTBOUND" priority=4 queue=pcq_critical.up


max-limit=128k name="D. FILETRANS UP" packet-mark=communication_pkt \

parent="D. OUTBOUND" priority=5 queue=pcq_up


max-limit=128k name="E. NORMAL UP" packet-mark=normal_pkt parent=\

"D. OUTBOUND" priority=6 queue=pcq_up

===anti cloning ubnt===

/ip firewall filter

add chain=forward src-address=10.10.10.12 src-mac-address=!DC:9F:DB:54:D7:6E action=drop comment="kunci 10.10.10.12 ke DC:9F:DB:54:D7:6E"

add chain=forward src-address=10.10.10.14 src-mac-address=!DC:9F:DB:54:D7:E5 action=drop comment="kunci 10.10.10.14 ke DC:9F:DB:54:D7:E5"

add chain=forward src-address=10.10.10.15 src-mac-address=!DC:9F:DB:54:D6:CE action=drop comment="kunci 10.10.10.15 ke DC:9F:DB:54:D6:CE"

add chain=forward src-address=10.10.10.17 src-mac-address=!DC:9F:DB:0C:B3:E6 action=drop comment="kunci 10.10.10.17 ke DC:9F:DB:0C:B3:E6"

Documents

Config Rt Rw Net