  1. #1
    q-tink (Newly Joined; Join Date: Jun 2009; Posts: 18)

    Separate international + local paths + external proxy: has anyone succeeded?

    Greetings..

    I'd like to ask, has anyone ever tried separating the international and local paths together with an external proxy?

    I've tried but I just can't get it to work. I asked the provider and they said it has to be stacked on 2 MikroTiks..
    It does work with 1 MikroTik, but then the proxy gets limited too; what I want is for the proxy not to be limited.. I'm only using an RB750.

    The topology I built:

    SPEEDY --- Mikrotik --- client
    .....................I
    ISP local ------I
    .....................I
    Ext Proxy -----I

    So if it is stacked on 2 MikroTiks, does the topology have to be like this?

    SPEEDY --- Mikrotik I --- Mikrotik II --- Client
    .....................I..................I
    ISP local ------I..................I--------- External Proxy


    So on MikroTik I the local + international paths are separated first,
    then on MikroTik II you just create a simple queue so that the external proxy has no limit.

    Here is my failed attempt using just a single MikroTik..
    eth :

    Flags: D - dynamic, X - disabled, R - running, S - slave
    # NAME TYPE MTU L2MTU
    0 R ether 1 Speedy ether 1500 1526
    1 R ether 2 Lan ether 1500 1524
    2 R ether 3 ISP_Local ether 1500 1524
    3 R ether 4 Proxy ether 1500 1524
    4 R ether 5 Camera ether 1500 1524
    5 R pppoe-speedy pppoe-out 1480

    ip add :

    Flags: X - disabled, I - invalid, D - dynamic
    # ADDRESS NETWORK BROADCAST INTERFACE
    0 188.188.88.187/24 188.188.88.0 188.188.88.255 ether 3 ISP_Local
    1 192.168.0.1/24 192.168.0.0 192.168.0.255 ether 2 Lan
    2 192.168.2.2/24 192.168.2.0 192.168.2.255 ether 1 Speedy
    3 D 199.199.88.88/32 199.199.88.1 0.0.0.0 pppoe-speedy
    4 192.168.3.5/24 192.168.3.0 192.168.3.255 ether 4 Proxy
    5 192.168.5.1/24 192.168.5.0 192.168.5.255 ether 5 Camera

    ip firewall nat :

    0 chain=srcnat action=masquerade out-interface=pppoe-speedy

    1 chain=srcnat action=masquerade out-interface=ether 3 ISP_Local

    2 chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53

    3 ;;; DNS resolver
    chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53

    4 ;;; For IP Cop
    chain=dstnat action=dst-nat to-addresses=192.168.3.1 to-ports=81
    protocol=tcp dst-port=81

    5 chain=dstnat action=dst-nat to-addresses=192.168.3.1 to-ports=445
    protocol=tcp dst-port=445

    6 ;;; Redirect Mik to Squid
    chain=dstnat action=dst-nat to-addresses=192.168.3.1 to-ports=878
    protocol=tcp src-address=!192.168.3.0/24 dst-port=80


    ip firewall mangle :

    Flags: X - disabled, I - invalid, D - dynamic
    0 ;;; Mark Connection
    chain=forward action=mark-connection new-connection-mark=con-iix
    passthrough=yes dst-address-list=nice in-interface=ether 2 Lan

    1 ;;; Mark Connection
    chain=forward action=mark-connection new-connection-mark=con-lan
    passthrough=yes dst-address-list=white-list in-interface=ether 2 Lan

    2 ;;; Mark routing
    chain=prerouting action=mark-routing
    new-routing-mark=routing-winet passthrough=yes
    src-address=192.168.0.0/24 connection-mark=con-iix

    chain=prerouting action=mark-routing
    new-routing-mark=routing-lan passthrough=yes
    src-address=192.168.0.0/24 connection-mark=con-lan

    3 chain=prerouting action=mark-routing new-routing-mark=routing-speedy
    passthrough=yes src-address=192.168.0.0/24
    connection-mark=!con-iix,con-lan

    4 ;;; Packet IXX
    chain=prerouting action=mark-packet new-packet-mark=packet-iix
    passthrough=no connection-mark=con-iix

    5 chain=output action=mark-packet new-packet-mark=packet-iix
    passthrough=no connection-mark=con-iix

    6 ;;; Packet Lan
    chain=prerouting action=mark-packet new-packet-mark=packet-lan
    passthrough=no connection-mark=con-lan

    7 chain=output action=mark-packet new-packet-mark=packet-lan
    passthrough=no connection-mark=con-lan

    8 ;;; Packet INT
    chain=prerouting action=mark-packet new-packet-mark=packet-int
    passthrough=no connection-mark=!con-iix,con-lan

    9 chain=output action=mark-packet new-packet-mark=packet-int
    passthrough=no connection-mark=!con-iix,con-lan

    10 ;;; Mangle Squid
    chain=forward action=mark-connection new-connection-mark=squid_con
    passthrough=yes content=X-Cache: HIT

    11 chain=forward action=mark-packet new-packet-mark=squid_pkt passthrough=no
    connection-mark=squid_con

    12 chain=forward action=mark-packet new-packet-mark=http_pkt passthrough=no
    protocol=tcp src-port=80 connection-mark=!squid_con

    Route :

    1 A S ;;; Normal [ Disable if ISP_Local is down ]
    0.0.0.0/0 r 188.188.88.1 1 e
    2 X S ;;; Enable if ISP_Local is down
    0.0.0.0/0 199.199.88.1 1
    3 X S ;;; Enable if Speedy is down
    0.0.0.0/0 188.188.88.1 1
    4 A S ;;; Normal [ Disable if Speedy is down ]
    0.0.0.0/0 r 199.199.88.1 1 p
    5 A S ;;; Normal [ Disable if ISP_Local is down ]
    0.0.0.0/0 r 188.188.88.1 1 e
    6 A S 10.5.1.0/29 r 188.188.88.1 1 e
    7 ADC 199.199.88.1/32 199.199.88.88 0 p
    8 ADC 188.188.88.0/24 188.188.88.187 0 e
    9 ADC 192.168.0.0/24 192.168.0.1 0 e
    10 ADC 192.168.2.0/24 192.168.2.2 0 e
    11 ADC 192.168.3.0/24 192.168.3.5 0 e
    12 ADC 192.168.5.0/24 192.168.5.1 0 e

    Queuesimple:

    0 name="IIX" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
    interface=all parent=none packet-marks=packet-iix direction=both
    priority=8 queue=default-small/default-small limit-at=0/0
    max-limit=0/0 burst-limit=0/0 burst-threshold=0/0
    burst-time=0s/0s total-queue=default-small

    1 name="INT" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
    interface=all parent=none packet-marks=packet-int direction=both
    priority=8 queue=default-small/default-small limit-at=0/0
    max-limit=0/0 burst-limit=0/0 burst-threshold=0/0
    burst-time=0s/0s total-queue=default-small

    2 name="Billing-IIX" target-addresses=192.168.0.2/32
    dst-address=0.0.0.0/0 interface=all parent=IIX
    packet-marks=packet-iix direction=both priority=8
    queue=default-small/default-small limit-at=0/0
    max-limit=256k/256k burst-limit=0/0 burst-threshold=0/0
    burst-time=0s/0s total-queue=default-small

    3 name="Billing-INT" target-addresses=192.168.0.2/32
    dst-address=0.0.0.0/0 interface=all parent=INT
    packet-marks=packet-int direction=both priority=8
    queue=default-small/default-small limit-at=0/0
    max-limit=200k/200k burst-limit=0/0 burst-threshold=0/0
    burst-time=0s/0s total-queue=default-small

    4 name="PC-01-IIX" target-addresses=192.168.0.3/32
    dst-address=0.0.0.0/0 interface=all parent=IIX
    packet-marks=packet-iix direction=both priority=8
    queue=default-small/default-small limit-at=0/0
    max-limit=256k/256k burst-limit=0/0 burst-threshold=0/0
    burst-time=0s/0s total-queue=default-small

    5 name="PC-01-INT" target-addresses=192.168.0.3/32
    dst-address=0.0.0.0/0 interface=all parent=INT
    packet-marks=packet-int direction=both priority=8
    queue=default-small/default-small limit-at=0/0
    max-limit=200k/200k burst-limit=0/0 burst-threshold=0/0
    burst-time=0s/0s total-queue=default-small

    6 name="PC-02-IIX" target-addresses=192.168.0.4/32
    dst-address=0.0.0.0/0 interface=all parent=IIX
    packet-marks=packet-iix direction=both priority=8
    queue=default-small/default-small limit-at=0/0
    max-limit=256k/256k burst-limit=0/0 burst-threshold=0/0
    burst-time=0s/0s total-queue=default-small

    7 name="PC-02-INT" target-addresses=192.168.0.4/32
    dst-address=0.0.0.0/0 interface=all parent=INT
    packet-marks=packet-int direction=both priority=8
    queue=default-small/default-small limit-at=0/0
    max-limit=200k/200k burst-limit=0/0 burst-threshold=0/0
    burst-time=0s/0s total-queue=default-small

    ............................................etc.

    queue type :

    0 name="default" kind=pfifo pfifo-limit=50

    1 name="ethernet-default" kind=pfifo pfifo-limit=50

    2 name="wireless-default" kind=sfq sfq-perturb=5 sfq-allot=1514

    3 name="synchronous-default" kind=red red-limit=60 red-min-threshold=10
    red-max-threshold=50 red-burst=20 red-avg-packet=1000

    4 name="hotspot-default" kind=sfq sfq-perturb=5 sfq-allot=1514

    5 name="default-small" kind=pfifo pfifo-limit=10

    Please enlighten me, masters..

    Has anyone ever succeeded with this..
    Last edited by q-tink; 16-03-2011 at 09:27.

  2. #2
    adiputrolds (Forum Guru; Join Date: Oct 2008; Posts: 1,485)

    All of it can be done with 1 MikroTik.

    Maybe it's because your local ISP uses wireless?
    Maybe it uses an RB411, which has only 1 ethernet port,
    so there aren't enough ports for LB.

  3. #3
    q-tink (Newly Joined; Join Date: Jun 2009; Posts: 18)

    Originally Posted by electrix_85:
        All of it can be done with 1 MikroTik.

        Maybe it's because your local ISP uses wireless?
        Maybe it uses an RB411, which has only 1 ethernet port,
        so there aren't enough ports for LB.

    The wireless path above does use an RB411. But that is just, so to speak, how the internet arrives.. all that's left is to manage it on the RB750..

    But it seems it can't be done, bro, because each client is mangled and then goes into mark-routing. Meanwhile the proxy can be combined with both, it's just that it ends up limited..

  4. #4
    adiputrolds (Forum Guru; Join Date: Oct 2008; Posts: 1,485)

    Originally Posted by q-tink:
        The wireless path above does use an RB411. But that is just, so to speak, how the internet arrives.. all that's left is to manage it on the RB750..

        But it seems it can't be done, bro, because each client is mangled and then goes into mark-routing. Meanwhile the proxy can be combined with both, it's just that it ends up limited..

    Making a separate mangle per client for international and IIX is just for sorting out their BW limits.

    If your goal is to separate routing between IIX and international, that happens at the external proxy.

    It can certainly be done,
    because all HTTP traffic, whether international or IIX, is NATed to the external proxy first;
    then it is the proxy's turn to make its request to the internet,
    and only there is the connection marking between IIX and IX made.


  6. #5
    oktama (Forum Guru; Join Date: Jul 2008; Location: Jayapura; Posts: 1,929)

    There are many mistakes in the router settings; from what I can see, a lot of it was set carelessly.

    1. Why mark the connection for proxy hits? The right way is to mark the packets directly. If the connection is marked, the ones that are not hits also go unlimited. Why? Because the connection comes into being before the packet. By analogy, the connection is the road and the packet is the car travelling along that road. If you mark the connection, you are marking the road rather than the car, so cars that have no marking but also travel along that road are treated as unlimited too.

    2. The NAT is also a mess.

    3. The mangle routing is also a mess. It looks like this was copy-pasted from somewhere else and not from your own router, because how come there is a rule that skips?? After mangle no. 2 the next one should be 3, but there is 1 rule without a number that suddenly appears below no. 2.

    ip firewall mangle :

    Flags: X - disabled, I - invalid, D - dynamic
    0 ;;; Mark Connection
    chain=forward action=mark-connection new-connection-mark=con-iix
    passthrough=yes dst-address-list=nice in-interface=ether 2 Lan

    1 ;;; Mark Connection
    chain=forward action=mark-connection new-connection-mark=con-lan
    passthrough=yes dst-address-list=white-list in-interface=ether 2 Lan

    2 ;;; Mark routing
    chain=prerouting action=mark-routing
    new-routing-mark=routing-winet passthrough=yes
    src-address=192.168.0.0/24 connection-mark=con-iix

    chain=prerouting action=mark-routing
    new-routing-mark=routing-lan passthrough=yes
    src-address=192.168.0.0/24 connection-mark=con-lan


    3 chain=prerouting action=mark-routing new-routing-mark=routing-speedy
    passthrough=yes src-address=192.168.0.0/24
    connection-mark=!con-iix,con-lan

    Are you trying to test the members here, or can you only copy-paste from here and there?


  8. #6
    adiputrolds (Forum Guru; Join Date: Oct 2008; Posts: 1,485)

    Yes, that is indeed the rule.
    I also don't create a connection-mark for proxy HITs,
    because proxy HITs are part of HTTP traffic.
    From that HTTP con-mark we then separate HIT and miss,
    and then form connection-bytes from that connection mark.

    In essence,
    squid changes the TOS header packet by packet, not per connection.
    Indeed, many people get mangle wrong on MikroTik;
    maybe they think it looks cool to see a Proxy-HIT connection-mark in connection tracking.

    In essence a con-mark marks both directions.
    If proxy-hit is con-marked, then upstream / upload traffic from the LAN gets marked too,
    so when a HIT session occurs, upload also fills up in the queue tree.
    Last edited by adiputrolds; 17-03-2011 at 07:15.
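
The per-packet marking that oktama and adiputrolds describe, written as a RouterOS mangle rule next to rules 10-11 from the first post. This is an added example, not configuration posted by anyone in the thread; the TOS value 0x30 (DSCP 12), the Squid directives named in the comment, and the rule comment text are assumptions.

```routeros
# Added example, not from the thread. Assumption: the Squid box (192.168.3.1 in
# the first post's NAT rules) stamps TOS 0x30 on cache-hit replies, for example
# with "zph_mode tos" + "zph_local 0x30" (Squid 2.7) or
# "qos_flows local-hit=0x30" (Squid 3.1+). TOS 0x30 is DSCP 12 (0x30 >> 2).

/ip firewall mangle

# As posted (rules 10-11): the first packet containing "X-Cache: HIT" marks the
# whole connection, so later MISS replies on the same connection and the LAN's
# upload packets in the reverse direction all become squid_pkt.
#   chain=forward action=mark-connection new-connection-mark=squid_con
#       passthrough=yes content=X-Cache: HIT
#   chain=forward action=mark-packet new-packet-mark=squid_pkt passthrough=no
#       connection-mark=squid_con

# Per-packet form: only packets that the proxy itself tagged as a HIT, and only
# in the proxy -> LAN direction, receive squid_pkt. No connection mark is set.
add chain=forward action=mark-packet new-packet-mark=squid_pkt passthrough=no \
    src-address=192.168.3.1 dst-address=192.168.0.0/24 protocol=tcp dscp=12 \
    comment="proxy HIT, marked per packet"
```

Upload packets from 192.168.0.0/24 never match this rule, so they keep whatever packet mark they already carry.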


  10. #7
    q-tink (Newly Joined; Join Date: Jun 2009; Posts: 18)

    Originally Posted by oktama:
        There are many mistakes in the router settings; from what I can see, a lot of it was set carelessly.

        1. Why mark the connection for proxy hits? The right way is to mark the packets directly. If the connection is marked, the ones that are not hits also go unlimited. Why? Because the connection comes into being before the packet. By analogy, the connection is the road and the packet is the car travelling along that road. If you mark the connection, you are marking the road rather than the car, so cars that have no marking but also travel along that road are treated as unlimited too.

    Thanks for the enlightenment, bro.. bear with me, I don't really understand packets + connections yet; I thought every piece of data sent had to have a connection + its data packets..

    Originally Posted by oktama:
        2. The NAT is also a mess.

    Yeah, sorry bro, I'm still learning after all; if I were a master I wouldn't be asking, bro..

    Originally Posted by oktama:
        3. The mangle routing is also a mess. It looks like this was copy-pasted from somewhere else and not from your own router, because how come there is a rule that skips?? After mangle no. 2 the next one should be 3, but there is 1 rule without a number that suddenly appears below no. 2.

        Are you trying to test the members here, or can you only copy-paste from here and there?

    I swear, bro, these are my settings; yesterday I just copy-pasted the print output from the MikroTik. I didn't notice why it was jumbled like that either.. I had no intention of testing the masters here.. as if I wanted to get told off..

    Originally Posted by electrix_85:
        Yes, that is indeed the rule.
        I also don't create a connection-mark for proxy HITs,
        because proxy HITs are part of HTTP traffic.
        From that HTTP con-mark we then separate HIT and miss,
        and then form connection-bytes from that connection mark.

        In essence,
        squid changes the TOS header packet by packet, not per connection.
        Indeed, many people get mangle wrong on MikroTik;
        maybe they think it looks cool to see a Proxy-HIT connection-mark in connection tracking.

        In essence a con-mark marks both directions.
        If proxy-hit is con-marked, then upstream / upload traffic from the LAN gets marked too,
        so when a HIT session occurs, upload also fills up in the queue tree.

    Wow, thanks for the info, guru.. now I understand proxy-hit.

    I don't dare ask any more questions.. afraid of asking the wrong thing.. I'll just be a silent reader..

    Thanks, bro..

 

 
