Confused.. Policy Routing

#1 brian (New Member, joined May 2008)

Masters, please enlighten me. I have 2 internet connections that I want to share per LAN IP group as follows:
CBN : 192.168.1.0/27 (A), 192.168.1.32/27 (B), 192.168.1.96/28 (D)
FastNet: 162.168.1.67/27 (C)

The point of making those LAN IP groups is so that later their bandwidth management can be set (maybe with simple queue) and also failover (with the larger load on CBN).

I have already built the rules, learned from this forummikrotik and from the wiki, but in the end I got stuck at policy routing.

For now all the /ip route entries I made are disabled, because if I delete the dynamic /ip route from the DHCP client and enable the rules I made, the internet simply stops working. Please enlighten me.

Below are all the settings I have made. Thanks in advance
Code:
# Three ethernet ports: CBN (static /28 from the ISP), FastNet (DHCP) and LAN
/ interface ethernet
set CBN name="CBN" mtu=1500 mac-address=00:02:1E:F8:09:47 arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
set FastNet name="FastNet" mtu=1500 mac-address=00:01:02:9C:16:BB arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
set LAN name="LAN" mtu=1500 mac-address=00:50:DA:C3:90:71 arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no

/ ip address
add address=202.158.23.164/28 network=202.158.23.160 broadcast=202.158.23.175 \
    interface=CBN comment="" disabled=no
add address=192.168.1.254/24 network=192.168.1.0 broadcast=192.168.1.255 \
    interface=LAN comment="" disabled=no

# FastNet address, default route, DNS and NTP all come from DHCP
/ ip dhcp-client
add interface=FastNet add-default-route=yes use-peer-dns=yes use-peer-ntp=yes \
    comment="" disabled=no

/ ip dns
set primary-dns=202.73.99.8 secondary-dns=61.247.0.8 allow-remote-requests=yes \
    cache-size=2048KiB cache-max-ttl=1w

# One connection mark per LAN group, then a routing mark per connection mark
/ ip firewall mangle
add chain=prerouting src-address=192.168.1.0/27 action=mark-connection \
    new-connection-mark=conn-A passthrough=yes comment="A" \
    disabled=no
add chain=prerouting connection-mark=conn-A action=mark-routing \
    new-routing-mark=route-A passthrough=no comment="" disabled=no

add chain=prerouting src-address=192.168.1.32/27 action=mark-connection \
    new-connection-mark=conn-B passthrough=yes comment="B" disabled=no
add chain=prerouting connection-mark=conn-B action=mark-routing \
    new-routing-mark=route-B passthrough=no comment="" disabled=no

add chain=prerouting src-address=192.168.1.64/27 action=mark-connection \
    new-connection-mark=conn-C passthrough=yes comment="C" \
    disabled=no
add chain=prerouting connection-mark=conn-C action=mark-routing \
    new-routing-mark=route-C passthrough=no comment="" disabled=no

add chain=prerouting src-address=192.168.1.96/28 action=mark-connection \
    new-connection-mark=conn-D passthrough=yes comment="D" \
    disabled=no
add chain=prerouting connection-mark=conn-D action=mark-routing \
    new-routing-mark=route-D passthrough=no comment="" disabled=no

# DNS redirect (questioned in replies #4 and #6), transparent proxy, masquerade
/ ip firewall nat
add chain=dstnat protocol=udp src-port=53 dst-port=53 action=redirect \
    to-ports=0-65535 comment="" disabled=no
add chain=dstnat src-address=192.168.1.0/25 protocol=tcp dst-port=80 \
    action=redirect to-ports=3128 comment="" disabled=no
add chain=srcnat src-address=192.168.1.0/25 action=masquerade comment="" \
    disabled=no

# One default route per routing mark; all disabled at the time of posting
/ ip route
add dst-address=0.0.0.0/0 gateway=202.158.23.161 check-gateway=ping scope=255 \
    target-scope=10 routing-mark=route-A comment="" disabled=yes
add dst-address=0.0.0.0/0 gateway=202.158.23.161 check-gateway=ping scope=255 \
    target-scope=10 routing-mark=route-B comment="" disabled=yes
add dst-address=0.0.0.0/0 gateway=202.158.23.161 check-gateway=ping scope=255 \
    target-scope=10 routing-mark=route-D comment="" disabled=yes
add dst-address=0.0.0.0/0 gateway=118.136.1.1 check-gateway=ping scope=255 \
    target-scope=10 routing-mark=route-C comment="" disabled=yes

/ ip firewall filter
add chain=input connection-state=established action=accept comment="Accept \
    established connections" disabled=no
add chain=input connection-state=related action=accept comment="Accept related \
    connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid \
    connections" disabled=no

add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow \
    limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" \
    disabled=no
add chain=input protocol=tcp dst-port=8291 action=accept comment="Winbox" \
    disabled=no

add chain=input in-interface=FastNet action=accept comment="From FastNet" \
    disabled=no
add chain=input in-interface=CBN action=accept comment="From CBN" disabled=no
add chain=input in-interface=LAN action=accept comment="From LAN" disabled=no

# FTP brute-force blacklist, fed from "530 Login incorrect" replies
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
    action=drop comment="drop ftp brute forcers" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
    action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h comment="" disabled=no

# SSH brute-force staging: three new connections within a minute lands the
# source on ssh_blacklist
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1w3d comment="" \
    disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute downstream" disabled=no

add chain=input action=log log-prefix="DROP INPUT" comment="Log everything \
    else" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no

/ ip web-proxy
set enabled=yes src-address=0.0.0.0 port=3128 hostname="PrimeProxy" \
    transparent-proxy=yes parent-proxy=0.0.0.0:0 cache-administrator="Brian" \
    max-object-size=1200KiB cache-drive=system max-cache-size=2000000KiB \
    max-ram-cache-size=unlimited

/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
    disabled=no

/ ip web-proxy cache
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
    disabled=no
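
Two things in the posted config stand out to an editor. The mangle rules apply mark-routing to every packet of a marked connection, including the replies coming back in from the ISP; a 0.0.0.0/0 route in the marked table matches those replies as well, so they are pushed back towards the gateway instead of to the LAN. And every default route exists only under a routing mark, so once the DHCP dynamic route is deleted the main table, which the router's own traffic (DNS resolver, web-proxy fetches) uses, has no default route at all. The configuration below is an added example for the goal brian states (A, B, D via CBN, C via FastNet, each ISP backing up the other); it is not configuration from the thread. It takes the addresses from the posted config (CBN gateway 202.158.23.161 on interface CBN, FastNet gateway 118.136.1.1 on interface FastNet, LAN 192.168.1.0/24 on interface LAN); the routing-mark names to-CBN and to-FastNet are my own choice.

```routeros
# Added example, not from the thread. Addresses are those in the posted
# config; routing-mark names to-CBN / to-FastNet are assumed names.

/ip route
# Main table keeps a default route so the router's own traffic (DNS resolver,
# web-proxy fetches) still works after the DHCP dynamic route is removed.
add dst-address=0.0.0.0/0 gateway=202.158.23.161 distance=1 check-gateway=ping \
    comment="main: CBN primary"
add dst-address=0.0.0.0/0 gateway=118.136.1.1 distance=2 check-gateway=ping \
    comment="main: FastNet backup"
# Table to-CBN: CBN first; when its gateway stops answering pings this route
# goes inactive and the distance-2 FastNet route takes over.
add dst-address=0.0.0.0/0 gateway=202.158.23.161 distance=1 check-gateway=ping \
    routing-mark=to-CBN comment="groups A,B,D primary"
add dst-address=0.0.0.0/0 gateway=118.136.1.1 distance=2 check-gateway=ping \
    routing-mark=to-CBN comment="groups A,B,D backup"
# Table to-FastNet: the mirror image for group C.
add dst-address=0.0.0.0/0 gateway=118.136.1.1 distance=1 check-gateway=ping \
    routing-mark=to-FastNet comment="group C primary"
add dst-address=0.0.0.0/0 gateway=202.158.23.161 distance=2 check-gateway=ping \
    routing-mark=to-FastNet comment="group C backup"

/ip firewall mangle
# Mark only what comes in from the LAN and is leaving for the Internet.
# Replies arriving from the ISPs and LAN-to-LAN / LAN-to-router packets are
# never marked, so they stay in the main table, which holds the connected
# route back to 192.168.1.0/24. action=accept ends mangle processing here.
add chain=prerouting in-interface=LAN dst-address=192.168.1.0/24 action=accept \
    comment="local traffic: no routing mark"
add chain=prerouting in-interface=LAN src-address=192.168.1.0/27 \
    action=mark-routing new-routing-mark=to-CBN passthrough=no comment="A"
add chain=prerouting in-interface=LAN src-address=192.168.1.32/27 \
    action=mark-routing new-routing-mark=to-CBN passthrough=no comment="B"
add chain=prerouting in-interface=LAN src-address=192.168.1.64/27 \
    action=mark-routing new-routing-mark=to-FastNet passthrough=no comment="C"
add chain=prerouting in-interface=LAN src-address=192.168.1.96/28 \
    action=mark-routing new-routing-mark=to-CBN passthrough=no comment="D"

/ip firewall nat
# Masquerade per exit interface, so the source address always belongs to the
# ISP the packet actually leaves on, whichever route failover has picked.
add chain=srcnat out-interface=CBN action=masquerade
add chain=srcnat out-interface=FastNet action=masquerade
# DNS interception in the form d3v4 suggests in reply #6: client DNS goes to
# the router itself on port 53 (action=redirect targets the router's own
# address, 192.168.1.254 on the LAN side).
add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect to-ports=53
```

After importing, `/ip route print` should show the distance-1 routes flagged active and the distance-2 routes inactive until the primary gateway stops answering. Two caveats: `check-gateway=ping` only probes the next hop, so an ISP that is broken beyond its own gateway does not trigger failover; and in the posted config HTTP from the LAN is redirected to the transparent proxy on 3128, so those requests are re-originated by the router and follow the main table (CBN first), not group C's to-FastNet table. The DHCP client should have add-default-route=no with this layout, otherwise a second, dynamic default route via FastNet sits in the main table next to the static ones.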

#2 Akangage (Administrator, joined Aug 2007, Jakarta)
So what exactly is it you want us to do with this?

#3 brian (New Member)
Please review the /ip route and mangle sections for anything wrong, because as soon as I try running routing based on routing marks it can't connect to the internet. Thanks.
Last edited by brian; 16-06-2008 at 10:15.

#4 adeldian (Senior Member, joined Nov 2007)
    / ip firewall nat
    add chain=dstnat protocol=udp src-port=53 dst-port=53 action=redirect \
        to-ports=0-65535 comment="" disabled=no
What is this part meant to do?
Is it so that everyone who wants to make a DNS request gets steered to the mikrotik? If so, why is the to-port 0-65535? (I'm a newbie, don't get mad) Shouldn't it be redirected to port 53 as well?

Sorry, maybe I'm talking nonsense?

Thank you

#5 brian (New Member)
Originally Posted by adeldian:
    What is this part meant to do?
    Is it so that everyone who wants to make a DNS request gets steered to the mikrotik? If so, why is the to-port 0-65535? (I'm a newbie, don't get mad) Shouldn't it be redirected to port 53 as well?

    Sorry, maybe I'm talking nonsense?

    Thank you
I forget which tutorial it came from; it was meant to handle DNS requests from clients (the clients have their DNS set to the mikrotik's IP), but once it was running nothing ever hit it, so I have already thrown it out. But that does not affect the main problem. Thanks for the correction.

#6 d3v4 (Forum Guru, joined Jul 2007)
    / ip dhcp-client
    add interface=FastNet add-default-route=yes use-peer-dns=yes use-peer-ntp=yes \
        comment="" disabled=no
If there is a default route there, a Dynamic route will be created automatically.

And correct, that dst-nat on port 53 should go to 53 as well, and put in the mikrotik's IP {192.168.1.254}, not 0-65535, otherwise the result will be "could not resolve address".

And the mangle section, after looking it over... seems useless.

What do you want done with it? There are 2 connections, but what are they for?

Internet to fastnet and IIX to cbn? Or combined into 1 load balance? In the mangle there is nothing that directs or divides the load across routes.

What is the MAIN PROBLEM?
Last edited by d3v4; 17-06-2008 at 12:47.

#7 brian (New Member)
Originally Posted by d3v4:
    If there is a default route there, a Dynamic route will be created automatically.

    And correct, that dst-nat on port 53 should go to 53 as well, and put in the mikrotik's IP {192.168.1.254}, not 0-65535, otherwise the result will be "could not resolve address".

    And the mangle section, after looking it over... seems useless.

    What do you want done with it? There are 2 connections, but what are they for?

    Internet to fastnet and IIX to cbn? Or combined into 1 load balance? In the mangle there is nothing that directs or divides the load across routes.

    What is the MAIN PROBLEM?
Those 2 connections are to be used by different user groups with different bandwidth limits, as follows:
CBN : IP groups A, B, D
FastNet: IP group C

And also to back each other up if one goes down (failover).

The main problem is that when the routes based on routing mark are enabled in /ip route, it can't connect to the internet at all.

#8 itik (Member, joined Jul 2008)
Looks like I still have a lot to learn.......

#9 brian (New Member)
Closing this for now. Looks like my logic was wrong.. So I'll just make it failover...

#10 felix_sg (Super Senior Member, joined Sep 2007, Indonesia)
Originally Posted by brian:
    Those 2 connections are to be used by different user groups with different bandwidth limits, as follows:
    CBN : IP groups A, B, D
    FastNet: IP group C

    And also to back each other up if one goes down (failover).

    The main problem is that when the routes based on routing mark are enabled in /ip route, it can't connect to the internet at all.
Why not just make failover between cbn and fastnet.

Then for the group issue, why not arrange it in the nat section: by default A, B, C NAT to cbn, and by default D to fastnet. Only when one of the ISPs goes down does the failover rule kick in.
So the failover rule and the group NAT rules are not on the same level: failover above, group NAT below.
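
The failover-only layout felix_sg describes, as an added example (not configuration from felix_sg or brian): two default routes with distances, masquerade per ISP interface, and the per-group bandwidth limits from the original question done with simple queues. One caveat on the NAT idea: srcnat is applied after the routing decision, so a NAT rule cannot send a group out through a particular ISP; it can only give the packet a source address that is valid on whichever interface the route chose. Steering groups to different ISPs still needs routing marks. Addresses are those from the posted config; the queue limits are placeholders of my own.

```routeros
# Added example, not from the thread. Same addresses as the posted config;
# queue limits are placeholder values, not figures from the thread.

/ip route
# One default route per ISP. The lower distance wins while its gateway answers
# pings; the other route becomes active automatically when it does not.
add dst-address=0.0.0.0/0 gateway=202.158.23.161 distance=1 check-gateway=ping \
    comment="primary: CBN"
add dst-address=0.0.0.0/0 gateway=118.136.1.1 distance=2 check-gateway=ping \
    comment="backup: FastNet"

/ip firewall nat
# srcnat runs after routing, so it cannot pick the ISP; it only has to give
# the packet a source address valid on the interface it leaves through.
add chain=srcnat out-interface=CBN action=masquerade
add chain=srcnat out-interface=FastNet action=masquerade

/queue simple
# Per-group limits (upload/download) keyed on the LAN subnet. These apply no
# matter which ISP the traffic is routed through. On RouterOS v3 to v5 the
# parameter is target-addresses; on v6 and later it is named target.
add name=group-A target-addresses=192.168.1.0/27 max-limit=256k/512k
add name=group-B target-addresses=192.168.1.32/27 max-limit=256k/512k
add name=group-C target-addresses=192.168.1.64/27 max-limit=512k/1M
add name=group-D target-addresses=192.168.1.96/28 max-limit=128k/256k
```

With add-default-route=yes left on the FastNet DHCP client there will be a dynamic default route via FastNet in addition to the static backup, so either turn it off or accept both. The FastNet gateway 118.136.1.1 came from DHCP and may change; if it does, the static route must be updated. When failover switches, connections that were masqueraded behind the other ISP's address are not migrated and will time out; only new connections take the now-active route.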

 

 
