siang semua

mohon bimbingan agan-agan disini

topologi:

speedy1
|
| |----hotspot
|mikrotik|--proxy
| |----lan
|
speedy2

ether1(speedy1) = 192.168.1.1/24
ether2(speedy2) = 192.168.2.1/24
ether3 (proxy) = 192.168.3.1/24
ether4 (lan) = 192.168.4.1/24
ether5 (Hotspot) = 192.168.5.1/24

proxy(clearOS) = 192.168.3.2

mangle
Code:
/ip firewall mangle
add action=mark-packet chain=forward comment="Cache Hit" disabled=no dscp=12 \
    in-interface=ether3-proxy new-packet-mark=HIT out-interface=ether2-lan \
    passthrough=no protocol=tcp src-port=3128
add action=mark-packet chain=forward disabled=no dscp=12 in-interface=\
    ether3-proxy new-packet-mark=HIT out-interface=ether1-hotspot \
    passthrough=no protocol=tcp src-port=3128
add action=mark-connection chain=prerouting comment=ICMP disabled=no \
    new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP disabled=no \
    new-packet-mark=ICMP-packet passthrough=no protocol=icmp

|LB proxy|

add action=mark-connection chain=prerouting comment="LB Proxy" \
    connection-state=new disabled=no in-interface=ether3-proxy \
    new-connection-mark=proxy1 nth=2,1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new disabled=no \
    in-interface=ether3-proxy new-connection-mark=proxy2 nth=2,2 passthrough=\
    yes
add action=mark-routing chain=prerouting connection-mark=proxy1 disabled=no \
    in-interface=ether3-proxy new-routing-mark=jalur1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=proxy2 disabled=no \
    in-interface=ether3-proxy new-routing-mark=jalur2 passthrough=no

|LB Lan|
add action=mark-connection chain=prerouting comment="LB Lan" \
    connection-state=new disabled=no in-interface=ether2-lan \
    new-connection-mark=lan1 nth=2,1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new disabled=no \
    in-interface=ether2-lan new-connection-mark=lan2 nth=2,2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=lan1 disabled=no \
    in-interface=ether2-lan new-routing-mark=jalur1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=lan2 disabled=no \
    in-interface=ether2-lan new-routing-mark=jalur2 passthrough=no

|LB Hotspot|
add action=mark-connection chain=prerouting comment="LB Hotspot" \
    connection-state=new disabled=no in-interface=ether1-hotspot \
    new-connection-mark=hotspot1 nth=2,1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new disabled=no \
    in-interface=ether1-hotspot new-connection-mark=hotspot2 nth=2,2 \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=hotspot1 disabled=no \
    in-interface=ether1-hotspot new-routing-mark=jalur1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=hotspot2 disabled=no \
    in-interface=ether1-hotspot new-routing-mark=jalur2 passthrough=no
Nat
Code:
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT disabled=no out-interface= ether5-modem1
add action=masquerade chain=srcnat disabled=no out-interface=ether4-modem2
|redirect proxy|
add action=dst-nat chain=dstnat comment="Redirect Proxy" disabled=no \
    dst-port=80,8080,3128 protocol=tcp src-address=!192.168.3.2 to-addresses=\
    192.168.3.2 to-ports=3128
bandwdith saya limit berdasarkan ekstensi

layer 7
Code:
/ip firewall layer7-protocol
add name=mp3 regexp="\\.(mp3)"
add name=mkv regexp="\\.(mkv)"
add name=iso regexp="\\.(iso)"
add name=flv regexp="\\.(flv)"
add name=mp4 regexp="\\.(mp4)"
add name=avi regexp="\\.(avi)"
add name=rar regexp="\\.(rar)"
add name=zip regexp="\\.(zip)"
add name=mpeg regexp="\\.(mpeg)"
add name=exe regexp="\\.(exe)"
add name=youtube regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9]\
    [\\x09-\\x0d -~]*(content-type: video)"
mangle
Code:
add action=mark-packet chain=prerouting comment="Up Lan" disabled=no \
    in-interface=ether2-lan new-packet-mark=upload-lan passthrough=no \
    src-address=192.168.4.0/24
add action=mark-connection chain=forward comment="browse lan" \
    connection-bytes=0-256000 disabled=no new-connection-mark=\
    "browse lan " out-interface=ether2-lan passthrough=yes protocol=tcp \
    src-port=80,8080,3128
add action=mark-packet chain=forward connection-bytes=0-256000 \
    connection-mark=" browse lan " disabled=no new-packet-mark=browse-lan \
    out-interface=ether2-lan passthrough=no protocol=tcp src-port=\
    80,8080,3128
add action=mark-packet chain=prerouting comment="Up hotspot" disabled=no \
    in-interface=ether1-hotspot new-packet-mark=upload-hotspot passthrough=no \
    src-address=192.168.5.0/24
add action=mark-connection chain=forward comment="browse hotspot" \
    connection-bytes=0-256000 disabled=no new-connection-mark=\
    "browse hotspot" out-interface=ether1-hotspot passthrough=yes protocol=\
    tcp src-port=80,8080,3128
add action=mark-packet chain=forward connection-bytes=0-256000 \
    connection-mark="browse hotspot" disabled=no new-packet-mark=\
    browse-hotspot out-interface=ether1-hotspot passthrough=no protocol=tcp \
    src-port=80,8080,3128
add action=mark-connection chain=forward comment="Extension File" \
    connection-bytes=256001-0 disabled=no new-connection-mark=extension \
    passthrough=yes protocol=tcp src-port=80,8080,3128
add action=mark-packet chain=forward comment=iso connection-bytes=256001-0 \
    connection-mark=extension disabled=no layer7-protocol=iso \
    new-packet-mark=iso passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=mkv connection-bytes=256001-0 \
    connection-mark=extension disabled=no layer7-protocol=mkv \
    new-packet-mark=mkv passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=avi connection-bytes=256001-0 \
    connection-mark=extension disabled=no layer7-protocol=avi \
    new-packet-mark=avi passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=exe connection-bytes=256001-0 \
    connection-mark=extension disabled=no layer7-protocol=exe \
    new-packet-mark=exe passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=flv connection-bytes=256001-0 \
    connection-mark=extension disabled=no layer7-protocol=flv \
    new-packet-mark=flv passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=mp4 connection-bytes=256001-0 \
    connection-mark=extension disabled=no layer7-protocol=mp4 \
    new-packet-mark=mp4 passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=mpeg connection-bytes=256001-0 \
    connection-mark=extension disabled=no layer7-protocol=mpeg \
    new-packet-mark=mpeg passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=rar connection-bytes=256001-0 \
    connection-mark=extension disabled=no layer7-protocol=rar \
    new-packet-mark=rar passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=zip connection-bytes=256001-0 \
    connection-mark=extension disabled=no layer7-protocol=zip \
    new-packet-mark=zip passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=mp3 connection-bytes=256001-0 \
    connection-mark=extension disabled=no layer7-protocol=mp3 \
    new-packet-mark=mp3 passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=youtube connection-bytes=\
    256001-0 connection-mark=extension disabled=no layer7-protocol=youtube \
    new-packet-mark=youtube passthrough=no protocol=tcp
queue tree
Click here to enlarge

ketika saya mengaktifkan redirect ke proxy, dan mendownload salah satu file, kecepatan yang didapat tidak sesuai limit(kurang dari limit), misal saya limit kecepatan downloan 60kB/s maka didapat hanya kisaran 30kB/s, namun apabila NAT redirect proxy saya disable, maka kecepatan download sesuai limit. apakah ada yang salah dengan setingan mikrotik saya atau pada proxy saya (saya menggunakan ClearOS sebagai proxy)

spesifikasi proxy : Ram 1Gb, HD 8GB

squid.conf
Code:

http_port 3128 transparent
cache_mem 16 MB
maximum_object_size 1024 MB
cache_swap_low 98%
cache_swap_high 99%
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

cache_dir disk /var/spool/squid 500 16 256
cache_access_log /var/log/squid/access.log
cache_log  /var/log/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid 

dns_nameservers 222.124.194.11
dns_nameservers 222.124.194.14

acl all src 0.0.0.0/0.0.0.0 
acl manager proto cache_object
acl proxy src 192.168.3.0/24
acl lan src 192.168.4.0/24
acl hotspot src 192.168.5.0/24
acl blacklist url_regex -i "/etc/squid/blacklist.list"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT

always_direct allow localnet hotspot localhost
always_direct deny all

http_access deny blacklist
http_access allow manager all
http_access deny !Safe_ports
http_access allow purge localhost
http_access deny purge
http_access allowlocalhost
http_access allow proxy
http_access allow lan
http_access allow hotspot
http_access deny all
http_reply_access allow all
icp_access allow all
reply_body_max_size 0 allow all
http_access deny all
http_reply_access allow all

zph_mode tos
zph_local 0x30
zph_parent 0
Zph_option 136