  1. #1
    4dder (New Member, joined Jul 2007)

    [ask] connection tracking

    Gurus, please enlighten me on this.
    What is connection tracking in ip/firewall actually for, boss?
    My MikroTik is set up for load balancing, and connection tracking is enabled;
    if I disable it, the internet drops.
    On top of that, once a client is connected to the internet and then, say, that client hangs,
    it refuses to connect to the internet again;
    I first have to delete all of that client's connections in connection tracking
    before it can connect again.
    What causes something like the above, gurus? Is it because my MikroTik settings still aren't right, or because the connection timeout is too long? The default TCP established timeout = 1 day...
    One more question: in connection tracking, does lowering the timeout settings affect connections that are already established?
    I mean, when downloading large data that takes a long time, does it tend to get cut off because the timeout was lowered...

  3. #2
    d3v4 (Forum Guru, joined Jul 2007, location: in the afterlife)
    Mine doesn't seem to behave like that...

    Try posting your config here, along with the topology.

  5. #3
    4dder (New Member, joined Jul 2007)
    The config looks like this:
    Code:
    / interface ethernet 
    set Local name="Local" mtu=1500 mac-address=00:30:84:9E:EB:79 arp=enabled \
        disable-running-check=yes auto-negotiation=yes full-duplex=yes \
        cable-settings=default speed=100Mbps comment="" disabled=no 
    set speedy name="speedy" mtu=1500 mac-address=00:30:84:0B:BC:13 arp=enabled \
        disable-running-check=yes auto-negotiation=yes full-duplex=yes \
        cable-settings=default speed=100Mbps comment="" disabled=no 
    set astinet name="astinet" mtu=1500 mac-address=00:4A:D8:11:12:41 arp=enabled \
        disable-running-check=yes auto-negotiation=yes full-duplex=yes \
        cable-settings=default speed=100Mbps comment="" disabled=yes 
    
    / ip address 
    add address=192.168.1.200/24 network=192.168.1.0 broadcast=192.168.1.255 \
        interface=Local comment="" disabled=no 
    add address=222.124.19.38/28 network=222.124.19.32 broadcast=222.124.19.47 \
        interface=astinet comment="" disabled=no 
    add address=192.168.11.9/28 network=192.168.11.0 broadcast=192.168.11.15 \
        interface=speedy comment="" disabled=no 
    
    / ip route 
    add dst-address=0.0.0.0/0 gateway=222.124.19.33 check-gateway=ping distance=0 \
        scope=255 target-scope=10 routing-mark=astinet comment="Astinet" \
        disabled=no 
    add dst-address=0.0.0.0/0 gateway=192.168.11.10 check-gateway=ping distance=1 \
        scope=255 target-scope=10 routing-mark=speedy comment="Speedy" disabled=no 
    add dst-address=0.0.0.0/0 gateway=192.168.11.10 check-gateway=ping distance=2 \
        scope=255 target-scope=10 comment="Defaut router" disabled=no 
    add dst-address=0.0.0.0/0 gateway=222.124.19.33 check-gateway=ping distance=2 \
        scope=255 target-scope=10 comment="Defaut router" disabled=yes 
    
    / ip firewall mangle 
    add chain=prerouting in-interface=Local src-address-list=astinet-list \
        action=mark-connection new-connection-mark=astinet passthrough=yes \
        comment="Astinet" disabled=no 
    add chain=prerouting in-interface=Local connection-mark=astinet \
        action=mark-routing new-routing-mark=astinet passthrough=yes comment="" \
        disabled=no 
    add chain=prerouting in-interface=Local connection-mark=astinet \
        action=mark-packet new-packet-mark=astinet-pak passthrough=yes comment="" \
        disabled=no 
    add chain=forward out-interface=astinet dst-address-list=astinet-list \
        action=mark-packet new-packet-mark=astinet-pak passthrough=yes comment="" \
        disabled=no 
    add chain=output out-interface=Local connection-mark=astinet \
        action=mark-packet new-packet-mark=astinet-pak passthrough=no comment="" \
        disabled=no 
    add chain=prerouting in-interface=Local src-address-list=speedy-list \
        action=mark-connection new-connection-mark=speedy passthrough=yes \
        comment="Speedy" disabled=no 
    add chain=prerouting in-interface=Local connection-mark=speedy \
        action=mark-routing new-routing-mark=speedy passthrough=yes comment="" \
        disabled=no 
    add chain=prerouting in-interface=Local connection-mark=speedy \
        action=mark-packet new-packet-mark=speedy-pak passthrough=yes comment="" \
        disabled=no 
    add chain=forward out-interface=speedy dst-address-list=speedy-list \
        action=mark-packet new-packet-mark=speedy-pak passthrough=yes comment="" \
        disabled=no 
    add chain=output out-interface=Local connection-mark=speedy action=mark-packet \
        new-packet-mark=speedy-pak passthrough=yes comment="" disabled=no 
    
    / ip firewall nat 
    add chain=srcnat connection-mark=astinet action=src-nat \
        to-addresses=222.124.19.38 to-ports=0-65535 comment="Astinet NAT" \
        disabled=no 
    add chain=srcnat connection-mark=speedy action=src-nat \
        to-addresses=192.168.11.9 to-ports=0-65535 comment="Speedy NAT" \
        disabled=no 
    
    / ip firewall connection tracking 
    set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
        tcp-established-timeout=10m tcp-fin-wait-timeout=10s \
        tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
        tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
        udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
        tcp-syncookie=yes 
    
    / ip firewall filter 
    add chain=input connection-state=established action=accept comment="Accept \
        established connections" disabled=no 
    add chain=input connection-state=related action=accept comment="Accept related \
        connections" disabled=no 
    add chain=input connection-state=invalid action=drop comment="Drop invalid \
        connections" disabled=no 
    add chain=input protocol=udp action=accept comment="UDP" disabled=no 
    add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow \
        limited pings" disabled=no 
    add chain=input protocol=icmp action=drop comment="Drop excess pings" \
        disabled=no 
    add chain=input protocol=tcp dst-port=22 action=accept comment="SSH for secure \
        shell" disabled=no 
    add chain=input protocol=tcp dst-port=21 action=accept comment="FTP" \
        disabled=no 
    add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox" \
        disabled=no 
    add chain=input src-address-list=astinet-list action=accept comment="Allow \
        from LAN" disabled=no 
    add chain=input src-address-list=speedy-list action=accept comment="Allow from \
        LAN" disabled=no 
    add chain=input src-address-list=mikrotik-user action=accept comment="Allow \
        from LAN - Mikrotik Only" disabled=no 
    add chain=input action=log log-prefix="DROP INPUT" comment="Log everything \
        else" disabled=no 
    add chain=input action=drop comment="Drop everything else" disabled=no 
    add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop \
        comment="" disabled=no 
    
    / ip web-proxy 
    set enabled=yes src-address=0.0.0.0 port=8080 hostname="proxy" \
        transparent-proxy=no parent-proxy=0.0.0.0:0 cache-administrator="admin" \
        max-object-size=4096KiB cache-drive=system max-cache-size=none \
        max-ram-cache-size=unlimited
    The topology:

            LAN
             |
          Mikrotik
           /    \
      Speedy   Astinet

  6. #4
    seaquill (New Member, joined Aug 2007)
    Connection tracking is used by the firewall: the mangle, NAT and filter rules.

    So if conntrack (the heart of the firewall) is disabled, the firewall doesn't run... how would the firewall recognise the IPs/ports/packets going out/in?

    For ptp / point-to-multipoint links that don't need conntrack, just disable it to save resources.

    That's roughly how it is...

  7. #5
    maman (Prospective Member, joined Nov 2007)
    Try modifying connection tracking to:

    Code:
    /ip firewall connection tracking
    set tcp-syn-sent-timeout=1s tcp-syn-received-timeout=1s \
    tcp-fin-wait-timeout=5s tcp-close-wait-timeout=5s \
    tcp-last-ack-timeout=1s tcp-time-wait-timeout=1s \
    tcp-close-timeout=1s udp-timeout=1s \
    udp-stream-timeout=1m icmp-timeout=5s \
    generic-timeout=5m tcp-syncookie=yes \
    enabled=yes
    Guaranteed the connection will be faster.
    Especially if you use MikroTik's built-in web-proxy cache;
    browsing gets even faster.

    Even more so with MikroTik version 3.3,
    whose web-proxy cache already supports HIT TRAFFIC,
    as in the example at

    Hope this helps
    Last edited by maman; 19-02-2008 at 13:10.
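As an added illustration (not code from this thread or from MikroTik), here is a small Python model of the conntrack idle timers that 4dder's question and maman's reply are about: an entry's timer is reset every time a packet of that connection is seen, so a long download is only cut off when the gap between two of its packets exceeds the timeout, while the last entry of a client that hung lingers for the full timeout (1 day at the cited default, 10 minutes with the value in 4dder's config). The flow tuple is constructed; the timeout numbers are the ones quoted in the thread.

```python
from dataclasses import dataclass, field

# Timeouts taken from the thread, in seconds: the 1-day TCP established
# timeout the question cites as default, the 10m value in 4dder's config,
# and the tcp-syn-sent values from 4dder's config (5s) and maman's reply (1s).
DEFAULT_ESTABLISHED = 24 * 3600
TUNED_ESTABLISHED = 10 * 60
SYN_SENT_4DDER, SYN_SENT_MAMAN = 5, 1


@dataclass
class Entry:
    state: str         # conntrack state, e.g. "established" or "syn-sent"
    expires_at: float  # absolute time at which the entry is removed


@dataclass
class ConnTrack:
    """Minimal model of a conntrack table: every entry carries an idle timer
    that is reset to its state's timeout each time a matching packet is seen."""
    timeouts: dict
    table: dict = field(default_factory=dict)

    def packet(self, now, flow, state):
        # any packet refreshes the entry and records the state it is now in
        self.table[flow] = Entry(state, now + self.timeouts[state])

    def active(self, now, flow):
        # age out expired entries first, then report whether the flow survives
        self.table = {f: e for f, e in self.table.items() if e.expires_at > now}
        return flow in self.table


FLOW = ("192.168.1.50:40000", "203.0.113.10:80")  # constructed sample flow


def transfer_survives(established_timeout, duration, packet_gap):
    """A download sending a packet every packet_gap seconds for duration
    seconds survives as long as each gap is shorter than the idle timeout;
    the total length of the transfer does not matter."""
    ct = ConnTrack({"established": established_timeout})
    t = 0.0
    while t < duration:
        ct.packet(t, FLOW, "established")
        if not ct.active(t + packet_gap, FLOW):
            return False  # the idle timer ran out between two packets
        t += packet_gap
    return True


def stale_entry_lifetime(timeouts, state):
    """A client that hangs right after its last packet leaves an entry in
    `state` that only disappears once the idle timer runs out; returns the
    number of seconds the stale entry lingers in the table."""
    ct = ConnTrack(timeouts)
    ct.packet(0.0, FLOW, state)
    return ct.table[FLOW].expires_at
```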