
Install the Mikrotik OS using a CD

To install RouterOS from a CD you will need a CD writer and a blank CD. Burn the CD image
(an .iso file) to the CD. The archive with the image can be downloaded here.

Follow the instructions to install RouterOS using CD-Install:

1. After downloading the CD image from www.mikrotik.com you will have an ISO file on
your computer:

2. Open CD-writing software, such as Ahead NERO in this example:

3. In the program, choose the Burn Image entry from the Recorder menu (there should be a
similarly named option in all major CD burning programs):

4. Select the recently extracted ISO file and click Open:

5. Finally, click the Burn button:


6. Set the first boot device to CDROM in router's BIOS.
7. After booting from the CD you will see a menu where you choose the packages to install:

Welcome to MikroTik Router Software installation

Move around menu using 'p' and 'n' or arrow keys, select with 'spacebar'.
Select all with 'a', minimum with 'm'. Press 'i' to install locally or 'r' to
install remote router or 'q' to cancel and reboot.

[X] system           [ ] isdn          [ ] synchronous
[X] ppp              [ ] lcd           [ ] telephony
[X] dhcp             [ ] ntp           [ ] ups
[X] advanced-tools   [ ] radiolan      [ ] web-proxy
[ ] arlan            [ ] routerboard   [ ] wireless
[ ] gps              [X] routing
[ ] hotspot          [X] security

Follow the instructions, select needed packages, and press 'i' to install the software.

8. You will be asked two questions:

Warning: all data on the disk will be erased!

Continue? [y/n]

Press [Y] to continue or [N] to abort the installation.


Do you want to keep old configuration? [y/n]:

Choose whether to keep the old configuration (press [Y]) or to erase the
configuration permanently (press [N]) and continue without saving it. For a fresh
installation, press [N].

Creating partition...
Formatting disk...

The system will install selected packages. After that you will be prompted to press
'Enter'. Before doing that, remove the CD from your CD-Drive:

Software installed.
Press ENTER to reboot

Note: ref www.mikrotik.com


MikroTik Tutorial

The following steps are the basics of setting up a MikroTik router configured as a gateway
server for a simple network.

1. The first step is to install MikroTik RouterOS on a PC or install a DOM.

2. Log in to the MikroTik router through the console:

MikroTik v2.9.7
Login: admin <enter>
Password: (leave blank) <enter>

At this point we can get into the MikroTik machine. The default user is admin with no
password; just type admin and press Enter.

3. For security, change the default password:


[admin@Mikrotik] > password
old password: *****
new password: *****
retype new password: *****
[admin@Mikrotik] >

4. Change the name of the MikroTik router. In this step the server name is changed to
"XAVIERO" (the name is entirely up to you):
[admin@Mikrotik] > system identity set name=XAVIERO
[admin@XAVIERO] >

5. View the interfaces on the MikroTik router:

[admin@XAVIERO] > interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE    RX-RATE  TX-RATE  MTU
 0  R ether1   ether   0        0        1500
 1  R ether2   ether   0        0        1500
[admin@XAVIERO] >

6. Assign IP addresses to the MikroTik interfaces. Suppose ether1 is used for the
connection to the Internet with IP 192.168.0.1, and ether2 is used for our local network
with IP 172.16.0.1:

[admin@XAVIERO] > ip address add address=192.168.0.1 netmask=255.255.255.0 interface=ether1
[admin@XAVIERO] > ip address add address=172.16.0.1 netmask=255.255.255.0 interface=ether2

7. View the IP address configuration we have just applied:

[admin@XAVIERO] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS          NETWORK       BROADCAST      INTERFACE
 0   192.168.0.1/24   192.168.0.0   192.168.0.63   ether1
 1   172.16.0.1/24    172.16.0.0    172.16.0.255   ether2
[admin@XAVIERO] >

8. Set the default gateway. The gateway for the Internet connection is assumed to be
192.168.0.254:

[admin@XAVIERO] > /ip route add gateway=192.168.0.254

9. View the routing table on the MikroTik router:

[admin@XAVIERO] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
 #     DST-ADDRESS      PREFSRC       G GATEWAY         DISTANCE INTERFACE
 0 ADC 172.16.0.0/24    172.16.0.1                               ether2
 1 ADC 192.168.0.0/26   192.168.0.1                              ether1
 2 A S 0.0.0.0/0                      r 192.168.0.254            ether1
[admin@XAVIERO] >

10. Test with a ping to the gateway to make sure the configuration is correct:


[admin@XAVIERO] > ping 192.168.0.254
192.168.0.254 64 byte ping: ttl=64 time<1 ms
192.168.0.254 64 byte ping: ttl=64 time<1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
[admin@XAVIERO] >

11. Set up DNS on the MikroTik router:

[admin@XAVIERO] > ip dns set primary-dns=192.168.0.10 allow-remote-requests=no
[admin@XAVIERO] > ip dns set secondary-dns=192.168.0.11 allow-remote-requests=no

12. View the DNS configuration:


[admin@XAVIERO] > ip dns print
primary-dns: 192.168.0.10
secondary-dns: 192.168.0.11
allow-remote-requests: no
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 16KiB
[admin@XAVIERO] >

13. Test access to a domain, for example by pinging a domain name:

[admin@XAVIERO] > ping yahoo.com
216.109.112.135 64 byte ping: ttl=48 time=250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 571/571.0/571 ms
[admin@XAVIERO] >

If replies come back, the DNS settings are correct.

14. Set up masquerading. If the MikroTik is to be used as a gateway server, we need
masquerading so that client computers on the network can connect to the Internet:

[admin@XAVIERO] > ip firewall nat add action=masquerade out-interface=ether1 chain=srcnat
[admin@XAVIERO] >

15. View the masquerading configuration:

[admin@XAVIERO] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=ether1 action=masquerade
[admin@XAVIERO] >

After this step, the connection can be checked from the local network. If it works, the
MikroTik router has been successfully installed as a gateway server.
Once it is connected to the network, the MikroTik can be managed using WinBox, which can be
downloaded from Mikrotik.com or from our own MikroTik server.

For example, if the IP address of our MikroTik server is 192.168.0.1, open http://192.168.0.1
in a browser and download WinBox from there.

If we want clients to obtain an IP address automatically, we need to set up a DHCP server
on the MikroTik. The steps are as follows:

1. Create an IP address pool:

/ip pool add name=dhcp-pool ranges=172.16.0.10-172.16.0.20

2. Add the DHCP network and its gateway, which will be distributed to clients. In this
example the network is 172.16.0.0/24 and the gateway is 172.16.0.1:

/ip dhcp-server network add address=172.16.0.0/24 gateway=172.16.0.1

3. Add the DHCP server (in this example DHCP is applied on interface ether2):

/ip dhcp-server add interface=ether2 address-pool=dhcp-pool

4. Check the DHCP server status:

[admin@XAVIERO] > ip dhcp-server print
Flags: X - disabled, I - invalid
 #   NAME    INTERFACE   RELAY   ADDRESS-POOL   LEASE-TIME   ADD-ARP
 0 X dhcp1   ether2

The X flag indicates that the DHCP server is not yet enabled, so it must first be enabled
in step 5.

5. Do not forget to enable the DHCP server:

/ip dhcp-server enable 0

Then check the DHCP server again as in step 4; if the X flag is gone, it is active.

6. Test from a client:

c:\>ping www.yahoo.com

For bandwidth control, you can use either simple queues or mangle:

[admin@XAVIERO] queue simple> add name=Komputer01 interface=ether2 target-address=172.16.0.1/24 max-limit=65536/131072
[admin@XAVIERO] queue simple> add name=Komputer02 interface=ether2 target-address=172.16.0.2/24 max-limit=65536/131072

and so on…

SETTING UP MIKROTIK

http://crypt0gr4phy.wordpress.com/2007/02/02/setting-mikrotik/

• Select the following packages when installing the MikroTik OS:

System, dhcp, Advanced Tools, Routing, Security, Web-Proxy.

• Change the system name to whatever you like:

[admin@microtik] > system identity set name=warnet

The shell prompt will then change to the name you chose:

[admin@warnet] >

• Change the password of your MikroTik OS as follows:

[admin@warnet] > user set admin password=………………………………

• Enable both Ethernet interfaces on the PC on which you installed the MikroTik OS:

[admin@warnet] > interface ethernet enable ether1
[admin@warnet] > interface ethernet enable ether2

• Name the two Ethernet interfaces to make configuration easier:

[admin@warnet] > interface ethernet set ether1 name=modem    (the Ethernet interface for the modem)
[admin@warnet] > interface ethernet set ether2 name=local    (the Ethernet interface to the hub)

• Assign IP addresses to both LAN cards:

[admin@warnet] > ip address add interface=modem address=(IP address from the ISP)/netmask
[admin@warnet] > ip address add interface=local address=192.168.0.1/255.255.255.0

• Enter the gateway IP given by the ISP:

[admin@warnet] > ip route add gateway=10.11.1.1560

• DNS SETTINGS:

[admin@warnet] > ip dns set primary-dns=10.11.155.1 secondary-dns=10.11.155.2

After that, try pinging all of the IP addresses set above.

FIREWALL AND NETWORK CONFIGURATION

ip firewall nat add action=masquerade chain=srcnat
ip firewall filter add chain=input connection-state=invalid action=drop
ip firewall filter add chain=input protocol=udp action=accept
ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input in-interface=(Ethernet card facing the LAN) action=accept
/ip firewall filter add chain=input in-interface=(Ethernet card facing the Internet) action=accept
ip firewall filter add chain=input action=drop

ip web-proxy set enabled=yes src-address=0.0.0.0 port=8080 hostname="" yahuu.net=yes \
    parent-proxy=0.0.0.0:0 cache-administrator="webmaster" max-object-size=4096KiB \
    cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited

ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=3128

/ip firewall nat add in-interface=modem dst-port=80 protocol=tcp action=redirect \
    to-ports=3128 chain=dstnat dst-address=!192.168.0.1/24

==================================================

Replace every 3128 with 8080, as follows:

ip web-proxy set enabled=yes
/ip web-proxy set port=3128
/ip web-proxy set max-cache-size=3145728    (3 times total RAM)
/ip web-proxy set hostname="proxy.prima"
/ip web-proxy set allow-remote-requests=yes
/ip web-proxy set cache-administrator="primanet.slawi@yahoo.com"

==================================================
FILTERING:
http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=udp action=accept comment="Allow UDP"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
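
How first-match evaluation treats two of the input-chain rulesets on this page, as an added example that is not part of the original page: ruleset A is the earlier one that ends with two in-interface accept rules and a drop, ruleset B is the FILTERING ruleset. The interface names local and modem fill the page's placeholders, and the probe packets (including the 203.0.113.7 source) are constructed for illustration.

```python
import ipaddress
import shlex

# Ruleset A: the page's first input ruleset. The two "(ethernet card ...)"
# placeholders are filled with the interface names local and modem (assumption).
RULESET_A = """
add chain=input connection-state=invalid action=drop
add chain=input protocol=udp action=accept
add chain=input protocol=icmp action=accept
add chain=input in-interface=local action=accept
add chain=input in-interface=modem action=accept
add chain=input action=drop
"""

# Ruleset B: the page's FILTERING ruleset.
RULESET_B = """
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=udp action=accept comment="Allow UDP"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
"""

# Constructed probe packets addressed to the router itself (input chain).
PROBES = {
    "wan-tcp-8291": {"in_interface": "modem", "src": "203.0.113.7",
                     "protocol": "tcp", "dst_port": 8291, "state": "new"},
    "wan-udp-53":   {"in_interface": "modem", "src": "203.0.113.7",
                     "protocol": "udp", "dst_port": 53, "state": "new"},
    "lan-tcp-8291": {"in_interface": "local", "src": "192.168.0.20",
                     "protocol": "tcp", "dst_port": 8291, "state": "new"},
}


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; quoted comments stay whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = dict(token.split("=", 1) for token in tokens[1:])
        rule.setdefault("action", "accept")  # RouterOS default when action is omitted
        rules.append(rule)
    return rules


def port_in(spec, port):
    """Match a single port or a low-high range such as 135-139."""
    low, _, high = spec.partition("-")
    return port is not None and int(low) <= port <= int(high or low)


def matches(rule, pkt):
    """A rule matches only if every matcher it carries agrees with the packet."""
    tests = {
        "connection-state": lambda v: v == pkt["state"],
        "protocol": lambda v: v == pkt["protocol"],
        "in-interface": lambda v: v == pkt["in_interface"],
        "dst-port": lambda v: port_in(v, pkt.get("dst_port")),
        "src-address": lambda v: ipaddress.ip_address(pkt["src"])
        in ipaddress.ip_network(v, strict=False),
    }
    return all(test(rule[key]) for key, test in tests.items() if key in rule)


def decide(rules, pkt, chain="input"):
    """First matching accept/drop rule wins; returns (action, rule number)."""
    for number, rule in enumerate(rules):
        if rule.get("chain") == chain and matches(rule, pkt):
            if rule["action"] in ("accept", "drop"):
                return rule["action"], number
    return "accept", None  # nothing matched: the packet is accepted


def report(text):
    """Evaluate every constructed probe against one ruleset."""
    rules = parse_rules(text)
    return {name: decide(rules, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, text in (("A", RULESET_A), ("B", RULESET_B)):
        for name, (action, number) in report(text).items():
            print(f"ruleset {label}: {name:13} -> {action} (rule {number})")
```

Under ruleset A the WAN-side probe to TCP 8291 is accepted by the in-interface=modem rule, so the final drop is never reached for it; ruleset B drops the same probe, while both rulesets accept UDP arriving on the WAN side.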

ANTIVIRUS FOR MIKROTIK:

add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

++++++++++++++++++++++++++++++++++++++++++++++++++

add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

==================================================

SECURING YOUR MIKROTIK ROUTER:

/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
# Edit these rules to reflect your actual IP addresses! #
add chain=input src-address=159.148.172.192/28 comment="From Mikrotikls network"
add chain=input src-address=10.0.0.0/8 comment="From our private LAN"
# End of Edit #
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

http://wiki.mikrotik.com/wiki/Securing_your_router

==================================================
NETWORK SECURITY SETTINGS FOR YOUR LOCAL AREA ONLY:

/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"

++++++++++++++++++++++++++++++++++++++++++++++++++

# Disable the ports commonly used by spam:


/ip firewall filter add chain=forward dst-port=135-139 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=135-139 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=593 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=4444 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=5554 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=9996 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=995-999 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=53 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=55 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-p

Check the above again on the website: http://www.mikrotik.com/documentation/manual_2.7/

http://www.mikrotik.com/docs/ros/2.9/ip/webproxy

Look at the system resources; 2/3 of the system resources are used or allocated for:
system resource print

**************************************************
Graphing

/tool graphing set store-every=hour
[admin@MikroTik] tool graphing> print
store-every: hour
[admin@MikroTik] tool graphing>
[admin@MikroTik] tool graphing interface> add interface=ether1 \
    allow-address=192.168.0.0/24 store-on-disk=yes
[admin@MikroTik] tool graphing interface> print
Flags: X - disabled
 #   INTERFACE   ALLOW-ADDRESS     STORE-ON-DISK
 0   ether1      192.168.0.0/24    yes
[admin@MikroTik] tool graphing interface>

[admin@VLP InWay] tool graphing> export
# oct/12/2005 09:51:23 by RouterOS 2.9.5
# software id = 1TLC-xxx
#
/ tool graphing
set store-every=5min
/ tool graphing queue
add simple-queue=all allow-address=10.8.2.99/32 store-on-disk=yes allow-target=yes disabled=no
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool graphing interface
add interface=Inway allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
add interface=LAN allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
add interface=DMZ allow-address=0.0.0.0/0 store-on-disk=yes disabled=no

Load-balancing & Fail-over in MikroTik

Scenario: the ISP where we work as administrator uses more than one gateway to connect to the
Internet. All of them must be able to serve both upstream and downstream traffic, because the case
is different when one of them can only serve downstream, for example when using one-way VSAT DVB.
For this case, suppose the ISP has 2 paths to the Internet: one using DSL access (256 Kbps) and the
other using wireless (512 Kbps), with a DSL:Wireless usage ratio of 1:2.

What we will do:

1. Use all available gateway paths with the load-balancing technique.
2. Make one of them a backup with the fail-over technique.

OK, let's start the experiment:

1. IP address for access to the LAN:
> /ip address add address=192.168.0.1/28 interface=LAN
IP address for access to the DSL path:
> /ip address add address=10.32.57.253/29 interface=DSL
IP address for access to the wireless path:
> /ip address add address=10.9.8.2/29 interface=WIRELESS
Set the gateways with their respective ratios:
> /ip route add gateway=10.32.57.254,10.9.8.1,10.9.8.1

2. For the fail-over technique, assume the main path is via wireless, with the DSL path as backup
when the main path cannot be used. To check whether the main path is usable, the ping command is
used.
> /ip firewall mangle add chain=prerouting src-address=192.168.0.0/28 action=mark-routing new-routing-mark=SUBNET1-RM
> /ip route add gateway=10.9.8.1 routing-mark=SUBNET1-RM check-gateway=ping
> /ip route add gateway=10.32.57.254

3. Good Luck!!

PCQ

Using the pcq queue type in MikroTik, we can divide the available bandwidth evenly among the
bandwidth hogs when the network is at its peak.

For example, we subscribe to 256 Kbps. If one person is using the Internet, that person gets the
entire bandwidth allocation. But as soon as their friends arrive, say 9 more people, each of them
gets about 256/10 Kbps. Well, that is still decent enough for browsing non-porn sites or just
checking e-mail and blogs.

OK, straight to the method:

1. Assumptions: the network address is 192.168.169.0/28, the interface facing the users is named
LAN, and the interface facing the upstream provider is named INTERNET;
2. Type in the console or terminal:
> /ip firewall mangle add chain=forward src-address=192.168.169.0/28 action=mark-connection new-connection-mark=NET1-CM
> /ip firewall mangle add connection-mark=NET1-CM action=mark-packet new-packet-mark=NET1-PM chain=forward
> /queue type add name=downstream-pcq kind=pcq pcq-classifier=dst-address
> /queue type add name=upstream-pcq kind=pcq pcq-classifier=src-address
> /queue tree add parent=LAN queue=downstream-pcq packet-mark=NET1-PM
> /queue tree add parent=INTERNET queue=upstream-pcq packet-mark=NET1-PM

3. Good Luck!!

Manipulating ToS for ICMP & DNS in MikroTik

Goals:

• Reduce the ping delay from the client side towards the Internet.
• Speed up resolving hostnames to IP addresses.

Assumption: the clients are on subnet 10.10.10.0/28

1. Manipulate the Type of Service for ICMP packets:

> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes
> ip firewall mangle add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes
> ip firewall mangle add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay

2. Manipulate the Type of Service for DNS resolving:

> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
> ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes
> ip firewall mangle add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes
> ip firewall mangle add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay

3. Add a queue type:

> queue type add name="PFIFO-64" kind=pfifo pfifo-limit=64

4. Allocate bandwidth for ICMP packets:

> queue tree add name=ICMP parent=INTERNET packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64

5. Allocate bandwidth for DNS resolving:

> queue tree add name=DNS parent=INTERNET packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64

6. Good Luck!!

Queue Tree with more than two interfaces

Basic Setup
This page talks about how to make a QUEUE TREE in RouterOS with masquerading for more than
two interfaces. It is for sharing an Internet connection among the users on each interface. The
manual does not describe this possibility.

First, let's do the basic setup. I'm using a machine with 3 or more network interfaces:

[admin@instaler] > in pr
 #    NAME     TYPE    RX-RATE  TX-RATE  MTU
 0  R public   ether   0        0        1500
 1  R wifi1    wlan    0        0        1500
 2  R wifi2    wlan    0        0        1500
 3  R wifi3    wlan    0        0        1500

And these are the IP addresses for each interface:

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS        NETWORK     BROADCAST     INTERFACE
 0   10.20.1.0/24   10.20.1.0   10.20.1.255   public
 1   10.10.2.0/24   10.10.2.0   10.10.2.255   wifi1
 2   10.10.3.0/24   10.10.3.0   10.10.3.255   wifi2
 3   10.10.4.0/24   10.10.4.0   10.10.4.255   wifi3

On the public you can add NAT or proxy if you want.

Mangle Setup

And now comes the most important part in this case.

We need to mark our users: one connection for upload and a second for download. In this example I
add mangle rules for one user. At the end I add mangle rules for local transmission, because I
don't apply QoS to local traffic among users. For each user, though, I need to separate upload and
download.

[admin@instaler] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward dst-address=10.10.2.36 action=mark-connection
     new-connection-mark=users-userU passthrough=yes comment="" disabled=no
 1   chain=forward dst-address=10.10.2.36 action=mark-connection
     new-connection-mark=users-userD passthrough=yes comment="" disabled=no
 2   chain=forward connection-mark=users-userU action=mark-packet
     new-packet-mark=userU passthrough=yes comment="" disabled=no
 3   chain=forward connection-mark=users-userD action=mark-packet
     new-packet-mark=userD passthrough=yes comment="" disabled=no
98   chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16
     action=mark-connection new-connection-mark=users-lokal passthrough=yes
99   chain=forward connection-mark=users-lokal action=mark-packet
     new-packet-mark=lokalTrafic passthrough=yes

Queue Tree Setup

And now, the queue tree settings. We need one rule for downlink and one rule for uplink. Be careful
when choosing the parent: for downlink traffic we use the parent "global-out", because we have two
or more downloading interfaces, and for uplink we use the parent "public", since we want QoS on
uplink traffic. (I'm using pcq-up and download from the manual.) This example is for 2Mb/1Mb.

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
 0   name="Download" parent=global-out packet-mark="" limit-at=0
     queue=pcq-download priority=1 max-limit=2000000 burst-limit=0
     burst-threshold=0 burst-time=0s
 1   name="Upload" parent=WGW packet-mark="" limit-at=0 queue=pcq-upload
     priority=1 max-limit=1000000 burst-limit=0 burst-threshold=0
     burst-time=0s

Now we add our user:

 2   name="user10D" parent=Download packet-mark=userD limit-at=0
     queue=pcq-download priority=5 max-limit=0 burst-limit=0
     burst-threshold=0 burst-time=0s
 3   name="user10U" parent=Upload packet-mark=userU limit-at=0
     queue=pcq-upload priority=5 max-limit=0 burst-limit=0
     burst-threshold=0 burst-time=0s

MAC Address + IP Address Linux

#!/bin/sh

iptables=/sbin/iptables

# define the default policies here
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP   # remember to open the OUTPUT policy later for what is needed
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP

# flush the mangle table and create a new chain named maccheck for interface eth1
$iptables -t mangle -F
$iptables -t mangle -F maccheck
$iptables -t mangle -X maccheck
$iptables -t mangle -N maccheck
$iptables -t mangle -I PREROUTING -i eth1 -p all -j maccheck

# self-explanatory: IP address + MAC; registered pairs leave the chain unmarked
$iptables -t mangle -A maccheck -s 192.168.0.1 -i eth1 -m mac --mac-source 00:80:11:11:11:11 -j RETURN
$iptables -t mangle -A maccheck -s 192.168.0.2 -i eth1 -m mac --mac-source 00:80:22:22:22:22 -j RETURN
$iptables -t mangle -A maccheck -s 192.168.0.3 -i eth1 -m mac --mac-source 00:80:33:33:33:33 -j RETURN

# anything not registered, by IP or by MAC, is marked so it can be dropped later;
# fill in any one of the active MACs
# here the example is 00:80:11:11:11:11, which we already defined above
$iptables -t mangle -A maccheck -s 0/0 -i eth1 -m mac ! --mac-source 00:80:11:11:11:11 -j MARK --set-mark 1
$iptables -t mangle -A maccheck -s 0/0 -i eth1 -p all -j MARK --set-mark 1

# drop the marked packets
$iptables -A INPUT -i eth1 -m mark --mark 1 -j DROP
$iptables -A OUTPUT -o eth1 -m mark --mark 1 -j DROP
$iptables -A FORWARD -i eth1 -m mark --mark 1 -j DROP

# continue your firewall script here

source = primadonal.com

Limit Different Bandwidth In Day and Night

From MikroTik Wiki


There are many ways to limit bandwidth for day and night, but personally I found this to be the
easiest way. Here it is.

I have used Simple Queue, Script and Scheduler.

Suppose we have one network, 192.168.1.0/24, and want to limit bandwidth for daytime and
nighttime.

Network 192.168.1.0/24
Bandwidth = 06:00am – 18:00pm – 1Mbps. <Max-Limit>
Bandwidth = 18:00pm – 06:00am – 2Mbps. <Max-Limit>

Create two simple queues for the same network with different bandwidth limits.

/queue simple
add name="Day" target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 \
    interface=<ether-x> parent=none direction=both priority=8 \
    queue=default-small/default-small limit-at=512k/512k \
    max-limit=1M/1M total-queue=default-small
add name="Night" target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 \
    interface=<ether-x> parent=none direction=both priority=8 \
    queue=default-small/default-small limit-at=1M/1M \
    max-limit=2M/2M total-queue=default-small

Now, write the scripts.

/system script
add name="Day" source="/queue simple enable Day; /queue simple disable Night"
add name="Night" source="/queue simple enable Night; /queue simple disable Day"

Finally, schedule them.

/system scheduler
add name="Day" on-event=Day start-date=oct/13/2007 start-time=06:00:00 interval=1d
add name="Night" on-event=Night start-date=oct/13/2007 start-time=18:00:00 interval=1d
