Thread: [Trik] Tangkap Content Extention via L7 (Limit Download dgn[L7] & connbyt + Drop IDM

Setelah Newbie keliling2 mikir2 7 keliling akhiryna dapat rule yg pas dan udah tested untuk drop Koneksi IDM + dapat menangkap Koneksi download buat dibuang ke queue agar terlimit dengan rapih menggunakan jasa Layer7
langsung to the point aja deh silahkan terjemahin sendiri rulenya,dipelajari aja ya maksud dan tujuannya hehe..

Mohon koreksi apa bila ada yg kurang or CMIIW

Ros V4.9
sesuaikan ip dijaringan anda
10.0.0.0/24 = ip_local client
192.168.1.100 = ip proxy Ext <-Kalo Ada
10.0.0.30 = ip router


Regex content Layer7

Code:

/ip firewall layer7-protocol
add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"
add comment="" name="Extension \" .rar \"" regexp="\\.(rar)"
add comment="" name="Extension \" .zip \"" regexp="\\.(zip)"
add comment="" name="Extension \" .7z \"" regexp="\\.(7z)"
add comment="" name="Extension \" .cab \"" regexp="\\.(cab)"
add comment="" name="Extension \" .asf \"" regexp="\\.(asf)"
add comment="" name="Extension \" .mov \"" regexp="\\.(mov)"
add comment="" name="Extension \" .wmv \"" regexp="\\.(wmv)"
add comment="" name="Extension \" .mpg \"" regexp="\\.(mpg)"
add comment="" name="Extension \" .mpeg \"" regexp="\\.(mpeg)"
add comment="" name="Extension \" .mkv \"" regexp="\\.(mkv)"
add comment="" name="Extension \" .avi \"" regexp="\\.(avi)"
add comment="" name="Extension \" .flv \"" regexp="\\.(flv)"
add comment="" name="Extension \" .pdf \"" regexp="\\.(pdf)"
add comment="" name="Extension \" .wav \"" regexp="\\.(wav)"
add comment="" name="Extension \" .rm \"" regexp="\\.(rm)"
add comment="" name="Extension \" .mp3 \"" regexp="\\.(mp3)"
add comment="" name="Extension \" .mp4 \"" regexp="\\.(mp4)"
add comment="" name="Extension \" .ram \"" regexp="\\.(ram)"
add comment="" name="Extension \" .rmvb \"" regexp="\\.(rmvb)"
add comment="" name="Extension \" .dat \"" regexp="\\.(dat)"
add comment="" name="Extension \" .daa \"" regexp="\\.(daa)"
add comment="" name="Extension \" .iso \"" regexp="\\.(iso)"
add comment="" name="Extension \" .nrg \"" regexp="\\.(nrg)"
add comment="" name="Extension \" .bin \"" regexp="\\.(bin)"
add comment="" name="Extension \" .vcd \"" regexp="\\.(vcd)"
add comment="" name="Extension \" .mp2 \"" regexp="\\.(mp2)"
add comment="" name="Extension \" .3gp \"" regexp="\\.(3gp)"
add comment="" name="Extension \" .mpe \"" regexp="\\.(mpe)"
add comment="" name="Extension \" .qt \"" regexp="\\.(qt)"
add comment="" name="Extension \" .raw \"" regexp="\\.(raw)"
add comment="" name="Extension \" .wma \"" regexp="\\.(wma)"
add comment="" name="Extension \" .ogg \"" regexp="\\.(ogg)"
add comment="" name="Extension \" .doc \"" regexp="\\.(doc)"

atau bisa disingkat menjadi :

Code:

add comment="" name=Extension regexp="\\.(exe|rar|zip|7z|cab|asf|mov|wmv|mpg|m\
    peg|mkv|avi|flv|pdf|wav|rm|mp3|mp4|ram|rmvb|dat|daa|iso|nrg|bin|vcd|mp2|3g\
    p|mpe|qt|raw|wma|ogg|doc|deb|tar|bzip|gzip|gzip2)"

buat dulu ip di address_list buat pisahin agar tidak ketangkap oleh rule difilter dan mangle

Code:

/ip firewall address-list
add address=10.0.0.30 comment="" disabled=no list=bypass
add address=192.168.1.100 comment="" disabled=no list=bypass
add address=192.168.1.100 comment="" disabled=no list=skip_content_download
add address=10.0.0.0/24 comment="" disabled=no list=skip_content_download

filter buat nangkap ip content L7

Code:

/ip firewall filter
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .mp3 \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .avi \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .flv \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .iso \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .pdf \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .mpeg \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .exe \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .rar \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .zip \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .mp4 \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .mp2 \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .3gp \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .mov \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .mpe \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .mpg \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .qt \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .ram \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .rm \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .raw \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .wav \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .wmv \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .wma \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .ogg \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .doc \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .7z \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .asf \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .bin \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .cab \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .daa \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .dat \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .mkv \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .nrg \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .rmvb \"" protocol=tcp
add action=add-dst-to-address-list address-list=content_download address-list-timeout=5s chain=forward comment="" disabled=no dst-address-list=\
    !skip_content_download layer7-protocol="Extension \" .vcd \"" protocol=tcp

Kita buat manglenya buat nandain keneksi download pake connbyte digabungin dgn ip_content L7 yg kita tangkap tadi + nandain koneksi browsing

Code:

/ip firewall mangle
add action=mark-connection chain=prerouting comment=Content_download disabled=no dst-address-list=content_download new-connection-mark=\
    Bw_Download passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-bytes=262146-4294967295 disabled=no dst-address-list=!bypass new-connection-mark=\
    Bw_Download passthrough=yes protocol=!icmp
add action=mark-packet chain=prerouting comment="" connection-mark=Bw_Download disabled=no dst-address-list=!bypass new-packet-mark=Paket_Download \
    passthrough=no
add action=mark-connection chain=prerouting comment=Content_browsing disabled=no dst-address-list=!bypass new-connection-mark=Bw_Browsing passthrough=yes \
    protocol=!icmp
add action=mark-packet chain=prerouting comment="" connection-mark=Bw_Browsing disabled=no dst-address-list=!bypass new-packet-mark=Paket_Browsing \
    passthrough=no

setelah itu kita buat queue buat batasin downloadnya terserah mau pake simple or tree, disini sy memakai quetree dan sy mengalokasikan BW untuk Download 256kbps aja, silahkan sesuaikan dngn kondisi BW anda

que_typenya

Code:

/queue type
add kind=pcq name=pcq-down pcq-classifier=dst-address pcq-limit=50 pcq-rate=256000 pcq-total-limit=2000
add kind=pcq name=Pcq_Browsing_Down pcq-classifier=dst-address pcq-limit=50 pcq-rate=0 pcq-total-limit=2000

Que_Treenya

Code:

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=DOWN parent=LOCAL priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=Browsing_Down packet-mark=Paket_Browsing parent=DOWN priority=5 \
    queue=Pcq_Browsing_Down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no max-limit=256k name=Regular_Down packet-mark=Paket_Download parent=DOWN \
    priority=8 queue=pcq-down

Nah... masalah limit download udah selesai sampai disini, skarang tinggal rule untuk Drop koneksi IDM (tetap nangkapnya memakai content L7)

Langsung Filter aja pake conn_limit trus di Drop (perhatikan in-interfacenya sesuaikan dgn nama interface yg menuju Local client anda

Code:

/ip firewall filter
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .exe \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .3gp \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .7z \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .asf \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .avi \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .bin \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .cab \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .daa \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .dat \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .doc \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .flv \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .iso \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .mkv \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .mov \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .mp2 \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .mp3 \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .mp4 \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .mpe \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .mpeg \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .mpg \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .nrg \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .ogg \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .pdf \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .qt \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .ram \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .rar \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .raw \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .rm \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .rmvb \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .vcd \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .wav \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .wma \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .wmv \"" protocol=tcp
add action=drop chain=forward comment="" connection-limit=4,32 disabled=no in-interface=LOCAL layer7-protocol="Extension \" .zip \"" protocol=tcp

Silahkan dicoba.. dan post hasilnya..

Tunggu rule ampuh berikutnya

Br.
HikmahCell

maaf om / mas/ mbah .... kalo ga salah L7 ini bisa dipake buat squid juga kah ..buat nangkep file ekstensi tersebut

@ ^

untuk squid anda bisa menggunakan Delay Pools dengan mendefinisikan ACl nya terlebih dahulu,
L7 mikrotik dipake squid?emang bisa ya?

mas nubie mau tanya..

10.0.0.30 = ip router (mksdnya ip mk/modem) sya msh sdikit blm paham

thanks dah di kirimi ....................................

Boleh di coba nie,,
Thanks

bisa dijelasin ndak maksud connection-limit=4,32 itu?
makasih sebelumnya

makasih sharenya. Bisa dicobain nih.

Maaf gan klo menurut ane.. bisa gan ..
ane pake ini di L7 nya untuk detect download proxy mwpun client
^.*get.+\.(exe|rar|zip|zipx|rpm|7z|cab|asf|mov|wmv |mpg|mpeg|mkv|avi|flv|wav|rm|mp4|ram|rmvb|dat|daa| iso|nrg|bin|vcd|mp2|mpe|qt|raw|wma|ogg|deb|tar|bzi p|gzip|mar|gzip2|0[0-9][0-9]).*$

untuk detect youtubenya ane pake ini juga gan
^.*get.+.c.youtube.com.*$

tp blm tw jg apa 100% ampuhh... untuk limit bw download proxy + streming youtube maklum masih newbee..

mau nanya nih gimana cara limit file yang berekstensi 001,002 dan seterusnya??

heheh sama gan

ane nubi nih gan mw tanya yg ini ( add action=add-dst-to-address-list address-list=content_download ) content_downloadnya buatnya dmn yah gan ? mohon bantuannya

Matabs nih L7 emankk... ga bocor limitnya.. hehehe

saya juga pake L7 tapi extensinya saya gabung sedangkan manglenya saya buat per IP client. Dibuat single connection Kalo buat download macet, ditarget harus bisa download lebih dari 1 file. Nahlo 1 file aja gak jalan alias 0byte. GImana solusinya nih para suhu