Squid Plus Mikrotik

The document describes network configuration settings for a Mikrotik routerboard including IP addresses for interfaces connected to a modem, server, hotspot and lab. It sets up routing, DHCP, firewall and traffic shaping rules as well as a transparent proxy and access restrictions for the hotspot network. Network address translation and queueing rules are also defined to manage bandwidth for different devices on the lab network.

http://ictsentani.org/?p=258
http://opensource.telkomspeedy.com/forum/viewtopic.php?pid=122506
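# ------------------------------------------------------------------------------
# Interface / address plan
#   E1 Modem1  : 192.168.77.1  -> IP Modem1  : 192.168.77.2
#   E2 Server  : 192.168.88.1  -> IP Server  : 192.168.88.2
#   E3 Hotspot : 192.168.99.1  -> IP Hotspot : 192.168.99.10 - 192.168.99.250
#   E4 Labkom  : 10.10.10.254  -> IP Labkom  : 10.10.10.1 - 10.10.10.20
# ------------------------------------------------------------------------------
# Topology (the ASCII diagram from the original, reflowed; layout approximate)
#
#                       [ mikrotik routerboard ]
#                         E1    E2    E3    E4
#                          |     |     |     |
#   [ modem adsl ]---------+     |     |     +------[ labkom ]  10.10.10.x
#    192.168.77.2                |     |
#   [ hub/switch ]---------------+     +------------[ hotspot ] 192.168.99.x
#         |
#   [ edp server ]  192.168.88.2
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# Interface setup
# ------------------------------------------------------------------------------
/interface
set ether1 name=Modem1
set ether2 name=Server
set ether3 name=Hotspot
set ether4 name=Labkom
print
# Each "add" below was split over several lines by the document extraction;
# the address=/network=/broadcast= fragments are rejoined here.
/ip address
add disabled=no interface=Modem1 address=192.168.77.1/24 network=192.168.77.0 broadcast=192.168.77.255
add disabled=no interface=Server address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255
add disabled=no interface=Hotspot address=192.168.99.1/24 network=192.168.99.0 broadcast=192.168.99.255
add disabled=no interface=Labkom address=10.10.10.254/24 network=10.10.10.0 broadcast=10.10.10.255
print

# ------------------------------------------------------------------------------
# Route & DHCP
# ------------------------------------------------------------------------------
# allow-remote-requests=yes makes the router answer DNS on every interface,
# Modem1 (WAN) included; the input-chain drop rules in the "System & Security"
# section below are what keeps it from being an open resolver.
/ip dns set servers=192.168.88.2,208.67.222.222 allow-remote-requests=yes
/ip route add dst-address=0.0.0.0/0 gateway=192.168.77.2
/ip firewall nat add chain=srcnat action=masquerade out-interface=Modem1
# "enable 0" enables the DHCP server at index 0 -- presumably one already
# exists on the box (its definition is not part of this document).
/ip dhcp-server print
/ip dhcp-server enable 0

# ------------------------------------------------------------------------------
# Hotspot
# ------------------------------------------------------------------------------
# "/ip hotspot setup" is an interactive wizard. The answers recorded in the
# original transcript were:
#   hotspot interface         : Hotspot
#   local address of network  : 192.168.99.1/24
#   masquerade network        : yes
#   address pool of network   : 192.168.99.10-192.168.99.250
#   select certificate        : none   (no certificate -> no HTTPS login page)
#   ip address of smtp server : 119.235.250.172
#   dns servers               : 192.168.88.2,208.67.222.222
#   dns name                  : hotspot.pasim
#   name of local hotspot     : admhotspot
#   password for the user     : naonwemoaldibejaan
# NOTE(review): the admin password above is published together with this
# document; it has to be changed before this configuration is deployed.
/ip hotspot setup
# "address-pool=non e" and "open-status-pa ge" were line-wrap artefacts.
/ip hotspot user
profile add name="EDP" shared-users=2 rate-limit="96k/768k" address-pool=none session-timeout=0s idle-timeout=none keepalive-timeout=00:15:00 open-status-page=always transparent-proxy=yes advertise=no
profile add name="KDM" shared-users=2 rate-limit="64k/200k" address-pool=none session-timeout=0s idle-timeout=none keepalive-timeout=00:15:00 open-status-page=always transparent-proxy=yes advertise=no

# ------------------------------------------------------------------------------
# System & Security
# ------------------------------------------------------------------------------
/system ntp client set primary-ntp=203.160.128.178 secondary-ntp=203.89.24.34 mode=unicast enabled=yes
# Moving the web UI to 9090 only hides it; nothing in this document stops
# Modem1 (WAN) clients from reaching 9090 or winbox (8291). Restrict those to
# the LAN interfaces too if remote management is not needed.
/ip service set www port=9090
/ip firewall filter
# Port-scan detection: offending sources go into the "port scanners" list for
# two weeks and are dropped by the last rule of the group.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
# Added: the DNS resolver (allow-remote-requests=yes) and the web proxy
# (src-address=0.0.0.0, port 8080, and /ip proxy access below has no final
# deny) both listen on every interface. Dropping them on the WAN side keeps
# the router from serving as an open resolver / open proxy. The dstnat
# "redirect to-ports=8080" rules below hand redirected port-80 traffic to the
# input chain as well, so this covers that path too.
add chain=input in-interface=Modem1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
add chain=input in-interface=Modem1 protocol=tcp dst-port=53,8080 action=drop comment="no DNS/proxy from WAN"

# ------------------------------------------------------------------------------
# Transparent proxy (router's built-in web proxy)
# ------------------------------------------------------------------------------
# The ten "set" keywords and their values were separated by the extraction;
# rejoined one per line.
/ip proxy
set enabled=yes
set src-address=0.0.0.0
set port=8080
set parent-proxy=0.0.0.0
set parent-proxy-port=0
set cache-administrator="webmaster@stmikpasim.ac.id"
set max-cache-size=unlimited
set cache-on-disk=yes
set max-client-connections=600
set max-server-connections=600
set max-fresh-time=3d
set serialize-connections=no
set always-from-cache=no
set cache-hit-dscp=4
# Redirect plain HTTP and the usual proxy ports into the local proxy. No
# in-interface is given, so these also match traffic arriving on Modem1; the
# input-chain drops above are what blocks outside use.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=8080

# ------------------------------------------------------------------------------
# Block selected access
# ------------------------------------------------------------------------------
# Only deny rules are defined; NOTE(review): there is no closing "deny all"
# rule, so anything not matched below is passed through by the proxy.
/ip proxy access
# ---[ Block sites ]---
add dst-host="*porn*.com" action=deny
add dst-host="*sex*.com" action=deny
add dst-host=twitter.com action=deny
add dst-host=facebook.com action=deny
# ---[ Block files ]---
add path=*.rar action=deny
add path=*.zip action=deny
add path=*.mov action=deny
add path=*.exe action=deny
add path=*.msi action=deny
add path=*.dat action=deny
add path=*.mkv action=deny
add path=*.mp4 action=deny
add path=*.3gp action=deny
add path=*.avi action=deny
add path=*.mp3 action=deny
# ---[ Block keywords ]---
add dst-host=:sex action=deny
add dst-host=:nude action=deny
add dst-host=:porn action=deny
add dst-host=:adult action=deny

# ------------------------------------------------------------------------------
# Limit download speed
# ------------------------------------------------------------------------------
# Any forwarded TCP flow whose payload contains one of these extensions puts
# its destination into the "downloads" list for 5 minutes; the mangle rule
# marks packets from those hosts and the simple queue caps them at
# max-limit=128000/128000.
/ip firewall filter
add chain=forward address-list-timeout=00:05:00 content=.mp3 src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.mp4 src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.3gp src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.avi src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.mkv src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.mov src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.exe src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.msi src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.iso src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.zip src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
add chain=forward address-list-timeout=00:05:00 content=.rar src-address=0.0.0.0/0 protocol=tcp action=add-dst-to-address-list address-list=downloads
/ip firewall mangle add chain=forward protocol=tcp src-address-list=downloads action=mark-packet new-packet-mark=downloads-paket
/queue simple add name=downloads-files max-limit=128000/128000 packet-marks=downloads-paket

# ------------------------------------------------------------------------------
# Simple queues: one per lab workstation, 64k up / 128k down
# ------------------------------------------------------------------------------
/queue simple
add name=LABKOM-01 target-addresses=10.10.10.1 max-limit=64k/128k interface=Labkom
add name=LABKOM-02 target-addresses=10.10.10.2 max-limit=64k/128k interface=Labkom
add name=LABKOM-03 target-addresses=10.10.10.3 max-limit=64k/128k interface=Labkom
add name=LABKOM-04 target-addresses=10.10.10.4 max-limit=64k/128k interface=Labkom
add name=LABKOM-05 target-addresses=10.10.10.5 max-limit=64k/128k interface=Labkom
add name=LABKOM-06 target-addresses=10.10.10.6 max-limit=64k/128k interface=Labkom
add name=LABKOM-07 target-addresses=10.10.10.7 max-limit=64k/128k interface=Labkom
add name=LABKOM-08 target-addresses=10.10.10.8 max-limit=64k/128k interface=Labkom
add name=LABKOM-09 target-addresses=10.10.10.9 max-limit=64k/128k interface=Labkom
add name=LABKOM-10 target-addresses=10.10.10.10 max-limit=64k/128k interface=Labkom
add name=LABKOM-11 target-addresses=10.10.10.11 max-limit=64k/128k interface=Labkom
add name=LABKOM-12 target-addresses=10.10.10.12 max-limit=64k/128k interface=Labkom
add name=LABKOM-13 target-addresses=10.10.10.13 max-limit=64k/128k interface=Labkom
add name=LABKOM-14 target-addresses=10.10.10.14 max-limit=64k/128k interface=Labkom
add name=LABKOM-15 target-addresses=10.10.10.15 max-limit=64k/128k interface=Labkom
add name=LABKOM-16 target-addresses=10.10.10.16 max-limit=64k/128k interface=Labkom
add name=LABKOM-17 target-addresses=10.10.10.17 max-limit=64k/128k interface=Labkom
add name=LABKOM-18 target-addresses=10.10.10.18 max-limit=64k/128k interface=Labkom
add name=LABKOM-19 target-addresses=10.10.10.19 max-limit=64k/128k interface=Labkom
add name=LABKOM-20 target-addresses=10.10.10.20 max-limit=64k/128k interface=Labkom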
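# ------------------------------------------------------------------------------
# Proxy installation & setup (Debian box running Lusca/Squid)
# ------------------------------------------------------------------------------
# Partition layout (the original table was flattened by extraction; rebuilt):
#   /        ext4       40GB   primary
#   /boot    ext4       100mb
#   /cache   reiserfs   20GB
#   swap                2GB
#   /home    ext4       ~~~~   (size given as "~~~~" in the original;
#                               presumably the remaining space)
# Notes
#   btrFs    : for a 64-bit OS
#   reiserFs : for a 32-bit OS

# Replace the repo & install base packages
# NOTE(review): the mirror is plain http and "squeeze" is an end-of-life
# release that no longer receives security updates; apt's signature check is
# the only integrity control on this step.
mv /etc/apt/sources.list /etc/apt/sources.list.asli
cat > /etc/apt/sources.list <<EOF
deb http://debian.indika.net.id/debian squeeze main non-free contrib
deb http://debian.indika.net.id/debian-security squeeze/updates main non-free contrib
EOF
apt-get update
apt-get install gcc build-essential sharutils libzip-dev automake

# Download the required packages
# NOTE(review): sources, patches, a helper script and a ready-made squid.conf
# are fetched over plain http with no checksum or signature check and then
# built and run as root. Compare each file against a hash obtained
# out-of-band (<EXPECTED-SHA256, placeholder>) before unpacking it.
cd /tmp
wget http://lusca-cache.googlecode.com/files/LUSCA_HEAD-r14809.tar.gz
wget http://faisal-sani-project.googlecode.com/files/patch.tar.gz
wget http://faisal-sani-project.googlecode.com/files/storeurl.pl
wget http://xenstack.googlecode.com/files/konfig_squid_lusca.tar.gz
tar xzvf LUSCA_HEAD-r14809.tar.gz
tar xzvf patch.tar.gz
# Added: the original never unpacked this archive, yet the "mv" lines at the
# end read from /tmp/konfig_squid_lusca/. The directory name is assumed to
# match the archive name -- confirm after extracting.
tar xzvf konfig_squid_lusca.tar.gz

# Copy the patches & apply them
cp -r /tmp/patch/* /tmp/LUSCA*/
cd LUSCA*
patch -p0 < luscaVaryrR14697.diff
patch -p0 < 3xx\ loop.diff
patch -p0 < ignore-must-revalidate.diff
patch -p2 < keblux-lusca-gzip.patch
# Fixed: the original "chmod bootstrap.sh" has no mode argument and fails.
chmod +x bootstrap.sh
./bootstrap.sh

# Configure & build (long option list reflowed; wrapped tokens such as
# "--enable-e poll" and "--disable-unlink d" rejoined)
./configure --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin \
  --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid \
  --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-httpgzip \
  --enable-async-io=24 --with-aufs-threads=24 --with-pthreads \
  --enable-storeio=aufs --enable-linux-netfilter --enable-arp-acl --enable-epoll \
  --enable-removal-policies=heap --with-aio --with-dl --enable-snmp \
  --enable-delay-pools --enable-htcp --enable-cache-digests --disable-unlinkd \
  --enable-large-cache-files --with-large-files \
  --enable-err-languages=English --enable-default-err-language=English --with-maxfd=65536
make && make install

# Squid settings
# The four "mv" lines lost their first column in the extraction. The source
# path of the first one did not survive at all; it is reconstructed by
# analogy with the sources.list backup above -- confirm before running.
mv /etc/squid/squid.conf /etc/squid/squid.conf.asli
mv /tmp/storeurl.pl /etc/squid/
mv /tmp/konfig_squid_lusca/squid.conf /etc/squid/
mv /tmp/konfig_squid_lusca/squid.conf.pl /etc/squid/

# Create the cache & run squid
# -z builds the cache directories; -N keeps squid in the foreground, -d 1 sets
# the debug level, -D skips the start-up DNS test.
squid -f /etc/squid/squid.conf -z
squid -N -d 1 -D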
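# ------------------------------------------------------------------------------
# Firewall configuration on the Mikrotik (mangle)
# ------------------------------------------------------------------------------
# NOTE(review): this document never adds a dst-nat rule sending port 80 to
# the Lusca server (192.168.88.2); the earlier dstnat "redirect to-ports=8080"
# still points at the router's own proxy. Verify which proxy is meant to be
# in use before relying on the marks below.
/ip firewall mangle
# Duplicate of the "downloads" mark rule from the download-limit section;
# harmless, but it appears twice in "/ip firewall mangle print".
add chain=forward protocol=tcp src-address-list=downloads action=mark-packet new-packet-mark=downloads-paket
# dscp=12 is presumably the value the external Lusca box stamps on cache hits
# (its squid.conf is not shown here); it is not the router's own
# cache-hit-dscp=4.
add disabled=no chain=prerouting action=mark-packet dscp=12 new-packet-mark=proxy-hit passthrough=no
add disabled=no chain=prerouting action=mark-connection dst-port=80 new-connection-mark=http-conn passthrough=no protocol=tcp
add disabled=no chain=prerouting action=mark-packet connection-mark=http-conn new-packet-mark=http passthrough=yes
add disabled=no chain=prerouting action=mark-connection connection-state=new dst-port=443 new-connection-mark=https-conn passthrough=yes protocol=tcp
# No route with routing-mark=https is defined anywhere in this document, so
# this mark currently has no effect on routing.
add disabled=no chain=prerouting action=mark-routing connection-mark=https-conn new-routing-mark=https passthrough=no
add disabled=no chain=prerouting action=mark-connection dst-port=53 new-connection-mark=DNS passthrough=yes protocol=tcp
add disabled=no chain=prerouting action=mark-connection dst-port=53 new-connection-mark=DNS passthrough=yes protocol=udp
add disabled=no chain=prerouting action=change-dscp connection-mark=DNS new-dscp=12
add disabled=no chain=prerouting action=mark-packet connection-mark=DNS new-packet-mark=DNS_PACKET passthrough=no
# NOTE(review): this rule has no match condition at all, so every prerouting
# packet that reaches it is marked DNS_PACKET. Probably a matcher (e.g. the
# DNS connection-mark) was lost -- confirm against the original source.
add disabled=no chain=prerouting action=mark-packet new-packet-mark=DNS_PACKET passthrough=yes
add disabled=no chain=forward action=mark-connection dst-port=5050,5100,5051 new-connection-mark=YM passthrough=no protocol=tcp
# Fixed: the original repeated "disabled=no" inside this rule.
add disabled=no chain=forward action=mark-connection connection-mark=YM new-connection-mark=YM passthrough=yes
add disabled=no chain=forward action=mark-connection dst-port=843,9339,39100,39110,39220,39190,49100,19101,19000,4300 new-connection-mark=POKER passthrough=no protocol=tcp
add disabled=no chain=forward action=mark-connection connection-mark=POKER new-connection-mark=POKER passthrough=yes
# Fixed: ether1 was renamed to Modem1 in the interface section, so "ether1"
# no longer resolves; the unquoted "comment= CHANGE MMS" does not parse and
# "disabled=no" was given twice.
add disabled=no chain=forward action=change-mss comment="CHANGE MMS" in-interface=Modem1 new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add disabled=no chain=forward action=change-mss new-mss=1440 out-interface=Modem1 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
# Fixed: comment value quoted (the original "comment= Total Pemakaian" does
# not parse) and ether1 -> Modem1.
add disabled=no chain=forward action=accept comment="Total Pemakaian" in-interface=Modem1
# Only marks winbox connections for accounting; it does not restrict who may
# reach 8291 -- an input-chain rule is needed for that.
add disabled=no chain=input action=mark-connection comment=Winbox dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp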
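# Check the squid log (watch cache hits)
# Fixed: "tail f" reads a file literally named "f"; follow mode needs "-f".
tail -f /var/log/squid/access.log | grep HIT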
