Setting Mikrotik Lengkap jinhos | 07.13 | 4komentar
MIKROTIK
Mikrotik cukup handal digunakan sebagai server, saat ini sudah banyak yang menggunakannya, baik warnet yang bertipe SOHO hingga ISP sampai skala besar dengan client yang banyak. baik mikrotik type Routerboard yang dipasarkan oleh pabrikan maupun Router OS berbentuk PC masing - masing mempunyai kelebihan dan kekurangan, tapi bagi saya, mikrotik PC tetap lebih menjanjikan karena frekwensinya dapat diupgrade sekehendak hati tergantung kesanggupan anda membeli hardware komputernya, hingga penggunaan cache dengan memberdayakan Hardisk dengan kapasitas besar sebagai proxi internal. dari sisi PC, saya cenderung menggunakan DOM Hardisk untuk dijadikan engine dengan menginstal mikrotik ke dalamnya serta menggandengnya dengan hardisk SATA sebagai cache proxi, ketimbang menggunakan hardisk tunggal yang engine dan cache tergabung jadi satu didalamnya. DOM hardisk sendiri terasa lebih aman sebagai engine mengingat biasanya PC mikrotik dihidupkan secara terus menerus, hardisk biasa menggunakan cakram sebagai media read/write sehingga rawan over heating akibat gesekan yang terus menerus, seandainya anda tetap menggunakan hardisk, saya sarankan untuk memasang kipas tambahan dibagian dalam PC untuk menyedot panas berlebih hingga sirkulasi panas terjaga dan suhu tetap stabil.
Menginstal Mikrotik ke PC Bagi yg mau menginstal mikrotik ke PC/Komputer untuk dijadikan router, saya akan berikan tehniknya, mikrotik disini saya bagi dalam 2 versi, untuk Pentium 3 kebawah saya anjurkan menggunakan versi 3.30 agar tidak terlalu berat, dan versi 5.18 untuk Pentium 4, tapi tergantung anda mau makek yg mana atau lebih familiar yang mana, yang penting keduanya udah license level 6 hingga user yg bisa ditangani tidak terbatas alias unlimited unlimited,, perhatikan tahapan sebagai
berikut: MIKROTIK OS v3.30 License Level 6 1. Download file nya disini 2. Setela Setelah h selesai selesai,, extract extract menggun menggunaka akan n winrar winrar 3.
Didalamnya terdapat beberapa file antara lain file mikrotik, file gentoo, tutorial dan key license, cari file dengan extensi ISO, yaitu Mikrotik Iso files dan Gentoo Iso files, silahkan burn keduanya ke 2 CD yang berbeda (untuk burn disini saya sarankan menggunakan aplikasi Magic-ISO Maker, lebih user friendly dengan deteksi bootable yang jelas terlihat, bisa anda download disini disini), ), dan ingat bahwa file key yaitu HU6IXPT.key nanti digunakan untuk u ntuk meregister mikrotik.
4. Tahap pertama, pertama, Masukan Masukan CD Mikrot Mikrotik ik yang sudah sudah di burn td, td, Install Install MikroTik MikroTik 3.30 3.30 terkecuali mpls-test, routing-test, dan xen dan tekan "i" u ntuk melanjutkan "yes" dan "yes", instal sampai selesai. lalu restart komputer, keluarkan CD mikrotik. 5. Masukkan Masukkan CD Gentoo, Gentoo, Booting Booting komputer komputer dengan dengan linux linux livecdlivecd-gentoo gentoo.. - setelah booting selesai ketik ./keyrun dev=/dev/hda id=HU6I-XPT - tunggu sampe proses generate selesai. 6. Mati Matika kan n komp komput uter er.. 7. Hidupkan Hidupkan komputer komputer dan booting booting MikroTik MikroTik (isika (isikan n ip address address pada mikroti mikrotik k untuk remote). 8. Buka Winbox dan remote remote ke mikrotik, mikrotik, System System -> -> licens licensee -> -> Import Import key -> pilih pilih file file HU6I-XPT.key yang ada di folder extract-kan file pertama yang anda download tadi dan kemudian restart Mikrotik 9. Akhirnya Akhirnya MikroTik MikroTik versi versi 3.30 3.30 selesai. selesai. (lihat (lihat system->li system->license) cense)
MIKROTIK OS v5.18 License Level 6 5.18. 1. Download filenya mikrotik 5.20 atau mikrotik 5.18. 2. Extract Extract lalu lalu burn burn file file yang berekstensi berekstensi .ISO ke CD
3. Boot Komputer Komputer dengan dengan CD mikrotik mikrotik iso iso hasil hasil burn td 4. Instal Instal mikrotik mikrotik dengan dengan mencentang mencentang semua semua pilihan pilihan menggunakan menggunakan tombol tombol spasi, spasi, untuk melanjutkan proses instal, klik huruf "i" lalu "yes" dan "yes" jika selesai, komputer akan meminta reboot dengan menekan enter, keluarkan CD mikrotik. 5. Buka winbox, winbox, scan scan dan masuk masuk menggunaka menggunakan n alamat IP Mikroti Mikrotik k atau jika jika ip nya nya 0.0.0.0 dan tidak bisa masuk, maka cobalah masuk dengan alamat Mac address-nya. 6. booting booting mikroti mikrotik, k, username username : admin, admin, passwor password: d: kan>
7. Sekarang Import licence key ke MikroTik yang sudah dinstal tadi. Pada WinBox : System ----> Lincense ------> Import Key 8. Cari file W5EY-LHT9.key lalu "Ok" dan restart mikrotik 9.
Selesai.
INSTALL MIKROTIK OS dengan FLASHDISK 1. Khusus bagi yang males menggunakan CD sebagai bootable, anda bisa menggunakan flashdisk sebagai installer, PC yang dipersyaratkan hanya yang bisa booting dari USB disk. 2. Download file-file mikrotik yang anda butuhkan diatas dan extract. 3.
Download juga file Unetbootin.
4. Klik 2 kali file Unetbootin yang sudah selesai di download lalu pilih Opsi "Disk Image" 5. Klik Open dan Cari file extrakan mikrotik, Terus cari Type, pilih USB Drive, kemudian pilih Drive posisi flashdisk anda, dan klik OK. 6. setelah selesai, gunakan flashdisk untuk booting komputer dengan mode bios first boot USB disk, lakukan tahapan yang sama seperti tutorial diatas layaknya menggunakan CD.
SETTING MIKROTIK
Disini saya berikan sedikit command setting untuk firewall, pengaturan Gateway, DHCP_server, Filter Rules anti virus, anti DDOS, anti netcut dan anti porno, Penggunakan mangle dan Queue tree, tutorial ini langsung saya arahkan untuk menangani bandwidth limiter dengan pola pcqdownload dan upload. hasilnya akan terlihat seperti ini :
Limit diatas bisa anda ubah2 sesuai bandwidth internet anda, caranya langsung klik 2x pada limiter di queue tree nya. oke, langsung aja.... # Bandwidth management by jinho.diaz with mikrotik RouterOs v. 5.18 # firewall sangat kuat, susah ditembus # Script ini dapat berfungsi dengan baik pada mikrotik RouterOS versi 5.18 keatas # Script ini tidak disarankan untuk mikrotik dengan speed processor dibawah 680 Mhz dan memory kurang dari 128 MB # WAN terdapat pada interface ether1-gateway mengarah ke speedy dengan gateway 192.168.1.1 # Lan terdapat pada interface ether2-local-master dengan gateway 192.168.2.254 mengarah ke client # mengandung anti netcut, anti porno, anti proxy luar negeri, anti hotspot shield # mengandung anti vpn luar negeri, anti ultrasurf, anti freedom, anti scan winbox oleh user # mengandung anti virus, anti ARP, nuke dan anti brute force attack # limit IDM dan downloader sejenis, limit youtube dan streaming # limit server akamai yang dapat anda atur sendiri pada queue tree # script ini tidak menggunakan proxy internal, tetapi anda dapat menambahkannya sendiri # pastikan anda didampingi oleh staff yang ahli untuk menghindari kesalahan penggunaaan script. # script ini dapat langsung anda pastekan satu persatu atau sekaligus pada new terminal consol winbox# dengan tanpa membuang tanda pagar (#)
# beri nama pada interface ethernet anda /interface ethernet set 0 name=ether1-gateway set 1 name=ether2-local-master
# tandai setiap paket masuk dengan layer7-protocol /ip firewall layer7-protocol add name=download regexp="\\.(exe|rar|zip|7z|cab|asf|pdf|wav|mp3|ram|msu|msi|n\ up|vdf|rmvb|daa|iso|nrg|bin|vcd|mp2|qt|raw|ogg|doc|xls|ppt|xlxs|mov|wmv|mp\ g|mpeg|mkv|avi|flv|rm|mp4|dat|3gp|mpe|wma|docx|pptx|deb|flv2|tar|bzip|gzip\ |webm|gzip2).*\$" add name=google regexp="google.com|google.co.id|yahoo.com|yahoo.co.id|yahoo|go\ ogle|bing|msn|wordpress|blogspot|blogger|web.id|co.id|net.id|go.id|hotmail\ |twitter" add name=youtube regexp=o-o|youtube.com|webm add name=http-video regexp="mivo.tv|mivotv|imediabiz|imedia|porn|video|stream|\ movie|live|0\\.9|.tv|.0|video|mov|wmv|mpg|mpeg|mkv|avi|flv|rm|mp4|dat|3gp|\ mpe|wma|xhamster|xnxx|fuck|flv2|indostar-tv|nontontv.tv"
add name=bittorent regexp="^(\13bittorrent protocol|azver1\$|get /scrape\\\?in\ fo_hash=)|d1:ad2:id20:|87P\\)[RP]" add name=torrent-wws regexp="^.*(get|GET).+(torrent|info_hash|thepiratebay|iso\ hunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitn\ ova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$" add name=torrent-www regexp="^.+(torrent|thepiratebay|isohunt|entertane|demono\ id|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|\ fulldls|btbot|fenopy|gpirate|commonbits).*\$"
# menentukan ip range untuk user /ip pool add name=default-dhcp ranges=192.168.1.1-192.168.1.253 add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.253 add name=dhcp_pool2 ranges=192.168.1.1-192.168.1.253 add name=dhcp_pool3 ranges=192.168.2.1-192.168.2.253
# tentukan DHCP-server /ip dhcp-server add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \ bootp-support=static disabled=no interface=ether1-gateway lease-time=1d \ name=dhcp1 add add-arp=yes address-pool=dhcp_pool3 authoritative=after-2sec-delay \ bootp-support=static disabled=no interface=ether2-local-master \ lease-time=1d name=dhcp_server
# atur bandwidth management /queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=384k name=3.DOWNLOAD packet-mark="" parent=global-in priority=8 add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=3.1.Limited packet-mark=users parent=3.DOWNLOAD \ priority=8 add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=1792k name=1.BROWSING packet-mark="" parent=global-out \ priority=3 add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=512k name=6.TUBE-TV packet-mark=users parent=global-out \ priority=8 add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=2.KONEKSI packet-mark="" parent=global-total priority=2 add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=768k name="4.LIVE VIDEO" packet-mark="" parent=global-in \ priority=8 add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=1M name=5.GAME packet-mark="" parent=global-out priority=3 add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=768k name=7.Chat packet-mark=users parent=global-in priority=8 add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=768k name="8. Bittorent" packet-mark=packet-bittorent parent=\ global-out priority=8
# tentukan jenis limit untuk queue tree /queue type set 0 kind=pfifo name=default pfifo-limit=50 set 1 kind=pfifo name=ethernet-default pfifo-limit=50 set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5 set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \ red-limit=60 red-max-threshold=50 red-min-threshold=10 set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5 add kind=pcq name=PCQ_download pcq-burst-rate=0 pcq-burst-threshold=0 \ pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \ pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \ pcq-src-address6-mask=128 pcq-total-limit=2000 add kind=pcq name=PCQ_upload pcq-burst-rate=0 pcq-burst-threshold=0 \ pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \ pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \ pcq-src-address6-mask=128 pcq-total-limit=2000 add kind=pcq name=pcq-download2 pcq-burst-rate=0 pcq-burst-threshold=0 \ pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \ pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \ pcq-src-address6-mask=128 pcq-total-limit=2000 add kind=pcq name=pcq-upload pcq-burst-rate=0 pcq-burst-threshold=0 \ pcq-burst-time=15s pcq-classifier=src-address pcq-dst-address-mask=32 \ pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=0 pcq-src-address-mask=32 \ pcq-src-address6-mask=128 pcq-total-limit=2000 add kind=pfifo name=PING pfifo-limit=64 add kind=pcq name=DOWN pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=\ 10s pcq-classifier=dst-address,dst-port pcq-dst-address-mask=32 \ pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=768k \ pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000 add kind=pcq name=torrent pcq-burst-rate=0 pcq-burst-threshold=0 \ pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \ pcq-dst-address6-mask=128 pcq-limit=50 pcq-rate=128k \ pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000 add kind=pcq name=akamai pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \ pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=384k pcq-src-address-mask=\ 32 pcq-src-address6-mask=64 pcq-total-limit=2000 add kind=pcq name=limit pcq-burst-rate=0 pcq-burst-threshold=0 \ pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \ pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=384k pcq-src-address-mask=\ 32 pcq-src-address6-mask=64 pcq-total-limit=2000 set 14 kind=none name=only-hardware-queue set 15 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default set 16 kind=pfifo name=default-small pfifo-limit=10
# pengaturan bandwidth managemen untuk limit ekstensi /queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=5.1.Game-Online packet-mark=online parent=5.GAME \ priority=2 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name="5.2.Game FB" packet-mark=gamefb parent=5.GAME priority=\ 2 queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=3.1.2.Hit packet-mark=hit parent=3.1.Limited priority=8 \ queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=3.1.1.IDM packet-mark=idm parent=3.1.Limited priority=8 \ queue=default add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=4.1.youtube packet-mark=stream-idm parent="4.LIVE VIDEO" \ priority=8 queue=DOWN add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=1536k name="1.1.http brows" packet-mark=google parent=\ 1.BROWSING priority=3 queue=pcq-upload add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=2.1.ping-out packet-mark="paket ip" parent=2.KONEKSI \ priority=1 queue=PING add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=2.2.ping-in packet-mark="paket dp" parent=2.KONEKSI \ priority=1 queue=PING add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name="6.1.Tube Stream" packet-mark=users parent=6.TUBE-TV \ priority=8 queue=pcq-download2 add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=6.2.Mivo.TV packet-mark=paket-mtc parent=6.TUBE-TV \ priority=8 queue=pcq-upload add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="7.1. Camfrog" packet-mark=camfrog parent=7.Chat \ priority=8 queue=pcq-upload add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=wws packet-mark=packet-wws parent="8. Bittorent" \ priority=8 queue=torrent add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=www packet-mark=packet-www parent="8. Bittorent" \ priority=8 queue=torrent add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=port packet-mark=packet-port parent="8. Bittorent" \ priority=8 queue=torrent add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name=allp2p packet-mark=packet-allp2p parent="8. Bittorent" \ priority=8 queue=torrent add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=1M name=1.2.akamai packet-mark=akamai parent=1.BROWSING \ priority=8 queue=akamai
# menentukan ip address untuk tiap interface ethernet /ip address add address=192.168.2.254/24 comment="default configuration" disabled=no \ interface=ether2-local-master network=192.168.2.0 add address=192.168.1.6/24 disabled=no interface=ether1-gateway network=\ 192.168.1.0
# menentukan dhcp client /ip dhcp-client add add-default-route=yes comment="default configuration" \ default-route-distance=1 disabled=no interface=ether1-gateway \ use-peer-dns=yes use-peer-ntp=yes
# menentukan dhcp server untuk jaringan lokal, pastikan nanti user menggunakan ip obtain /ip dhcp-server network add address=192.168.1.0/24 dhcp-option="" dns-server="" gateway=192.168.1.1 \ ntp-server="" wins-server="" add address=192.168.2.0/24 comment="default configuration" dhcp-option="" \ dns-server="" gateway=192.168.2.254 ntp-server="" wins-server=""
# menentukan dns yang digunakan /ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \ max-udp-packet-size=512 servers=203.130.193.74,203.130.206.250
# menentukan dns static yang digunakan /ip dns static add address=208.67.222.222 disabled=no name=router ttl=1d
# menentukan ip address yang dilarang masuk, ini akan otomatis bertambah setiap diakses sebuah situs yang dilarang /ip firewall address-list add address=65.49.0.0/17 disabled=no list=UltraSurfServers add address=204.107.140.0/24 disabled=no list=UltraSurfServers add address=94.231.80.100 disabled=no list=your-freedom add address=85.214.22.104 disabled=no list=your-freedom add address=94.126.16.7 disabled=no list=your-freedom add address=85.214.151.156 disabled=no list=your-freedom add address=85.214.149.36 disabled=no list=your-freedom add address=85.214.45.166 disabled=no list=your-freedom add address=85.214.149.43 disabled=no list=your-freedom add address=83.170.96.78 disabled=no list=your-freedom add address=193.37.152.232 disabled=no list=your-freedom add address=80.74.137.161 disabled=no list=your-freedom add address=193.164.133.62 disabled=no list=your-freedom add address=95.143.192.144 disabled=no list=your-freedom add address=208.53.158.27 disabled=no list=your-freedom add address=85.214.149.35 disabled=no list=your-freedom add address=76.73.125.131 disabled=no list=your-freedom add address=77.92.78.225 disabled=no list=your-freedom add address=81.169.130.185 disabled=no list=your-freedom add address=217.150.244.92 disabled=no list=your-freedom add address=83.170.105.81 disabled=no list=your-freedom add address=123.108.109.9 disabled=no list=your-freedom add address=85.214.143.29 disabled=no list=your-freedom add address=85.214.116.165 disabled=no list=your-freedom add address=67.212.67.75 disabled=no list=your-freedom add address=67.159.5.116 disabled=no list=your-freedom add address=202.160.120.226 disabled=no list=your-freedom add address=184.154.54.0/24 disabled=no list=Blokir add address=217.114.211.0/24 disabled=no list=Blokir add address=173.213.96.0/24 disabled=no list=Blokir add address=193.200.150.0/24 disabled=no list=Blokir add address=74.50.123.0/24 disabled=no list=Blokir add address=85.17.200.0/24 disabled=no list=Blokir
add address=199.59.163.0/24 disabled=no list=Blokir add address=176.9.204.0/24 disabled=no list=Blokir add address=204.45.137.0/24 disabled=no list=Blokir
# menentukan filter untuk setiap lalu lintas internet /ip firewall filter add action=drop chain=forward comment="Drop Proxy luar negeri" disabled=no \ dst-address-list=proxys protocol=tcp add action=drop chain=forward disabled=no dst-address-list=proxys protocol=\ udp add action=drop chain=forward comment="Drop anonymox" disabled=no \ dst-address-list=anonymox protocol=tcp add action=drop chain=forward disabled=no dst-address-list=anonymox protocol=\ udp add action=drop chain=forward comment="Drop VPN Luar Negeri" disabled=no \ dst-address-list=Blokir protocol=tcp add action=drop chain=forward disabled=no dst-address-list=Blokir protocol=\ udp add action=drop chain=forward comment="Drop Hotspotshield" disabled=no \ dst-port=5345,5938,5245,3398,3451,5265,1755,5050,5396 protocol=tcp add action=drop chain=forward disabled=no dst-port=\ 5345,5938,5245,3398,3451,5265,1755,5050,5396 protocol=udp add action=drop chain=forward disabled=no dst-port=\ 10000-10010,9000,3211,15000-15010,1935,5231,800,989 protocol=tcp add action=drop chain=forward disabled=no dst-port=\ 10000-10010,9000,3211,15000-15010,1935,5231,800,989 protocol=udp add action=drop chain=forward comment="Block UltraSurf" disabled=no protocol=\ tcp src-address-list=UltraSurfUsers add action=drop chain=forward comment="Block Your-Freedom" disabled=no \ protocol=tcp src-address-list=yourfreedomuser add action=drop chain=input comment=\ "ANTI BRUTE FORCE - block ssh brute forcers" disabled=no dst-port=22 \ protocol=tcp src-address-list=ssh_blacklist add action=add-src-to-address-list address-list=ssh_blacklist \ address-list-timeout=1w3d chain=input comment=\ "add ssh brute forcers ip to blacklist" connection-state=new disabled=no \ dst-port=22 protocol=tcp src-address-list=ssh_stage3 add action=add-src-to-address-list address-list=ssh_stage3 \ address-list-timeout=1m chain=input comment=\ "add ssh brute forcers ip to stage3" connection-state=new disabled=no \ dst-port=22 protocol=tcp src-address-list=ssh_stage2 add action=add-src-to-address-list address-list=ssh_stage2 \ address-list-timeout=1m chain=input comment=\ "add ssh brute forcers ip to stage2" connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage1 add action=add-src-to-address-list address-list=ssh_stage1 \ address-list-timeout=1m chain=input comment=\ "add ssh brute forcers ip to stage1" connection-state=new disabled=no \ dst-port=22 protocol=tcp src-address=!192.168.2.254 add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \ dst-port=22 protocol=tcp src-address-list=ssh_blacklist add action=accept chain=input comment=\ "Virus Scan, BruteForce, DDOS & anti Netcut, jangan di non aktifkan" \ disabled=no dst-port=8291 protocol=tcp add action=drop chain=forward connection-state=invalid disabled=no add action=drop chain=virus disabled=no dst-port=135-139 protocol=tcp add action=drop chain=virus disabled=no dst-port=1433-1434 protocol=tcp add action=drop chain=virus disabled=no dst-port=445 protocol=tcp add action=drop chain=virus disabled=no dst-port=445 protocol=udp add action=drop chain=virus disabled=no dst-port=593 protocol=tcp add action=drop chain=virus disabled=no dst-port=1024-1030 protocol=tcp add action=drop chain=virus disabled=no dst-port=1080 protocol=tcp add action=drop chain=virus disabled=no dst-port=1214 protocol=tcp add action=drop chain=virus disabled=no dst-port=1363 protocol=tcp add action=drop chain=virus disabled=no dst-port=1364 protocol=tcp add action=drop chain=virus disabled=no dst-port=1368 protocol=tcp add action=drop chain=virus disabled=no dst-port=1373 protocol=tcp add action=drop chain=virus disabled=no dst-port=1377 protocol=tcp add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp add action=drop chain=virus disabled=no dst-port=2283 protocol=tcp add action=drop chain=virus disabled=no dst-port=2535 protocol=tcp add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp add action=drop chain=virus disabled=no dst-port=3127 protocol=tcp add action=drop chain=virus disabled=no dst-port=3410 protocol=tcp add action=drop chain=virus disabled=no dst-port=4444 protocol=tcp add action=drop chain=virus disabled=no dst-port=4444 protocol=udp add action=drop chain=virus disabled=no dst-port=5554 protocol=tcp add action=drop chain=virus disabled=no dst-port=8866 protocol=tcp add action=drop chain=virus disabled=no dst-port=9898 protocol=tcp add action=drop chain=virus disabled=no dst-port=10080 protocol=tcp add action=drop chain=virus disabled=no dst-port=12345 protocol=tcp add action=drop chain=virus disabled=no dst-port=17300 protocol=tcp add action=drop chain=virus disabled=no dst-port=27374 protocol=tcp add action=drop chain=virus disabled=no dst-port=65506 protocol=tcp add action=jump chain=forward disabled=no jump-target=virus add action=drop chain=input connection-state=invalid disabled=no add action=accept chain=input disabled=no protocol=udp add action=accept chain=input disabled=no limit=50/5s,2 protocol=icmp add action=drop chain=input disabled=no protocol=icmp add action=accept chain=input disabled=no dst-port=21 protocol=tcp
add action=accept chain=input disabled=no dst-port=22 protocol=tcp add action=accept chain=input disabled=no dst-port=23 protocol=tcp add action=accept chain=input disabled=no dst-port=80 protocol=tcp add action=accept chain=input disabled=no dst-port=8291 protocol=tcp add action=accept chain=input disabled=no dst-port=1723 protocol=tcp add action=accept chain=input disabled=no dst-port=23 protocol=tcp add action=accept chain=input disabled=no dst-port=80 protocol=tcp add action=accept chain=input disabled=no dst-port=1723 protocol=tcp add action=add-src-to-address-list address-list=DDOS address-list-timeout=15s \ chain=input disabled=no dst-port=1337 protocol=tcp add action=add-src-to-address-list address-list=DDOS address-list-timeout=15m \ chain=input disabled=no dst-port=7331 protocol=tcp src-address-list=knock add action=add-src-to-address-list address-list=port-scanners \ address-list-timeout=2w chain=input comment=port-scanner disabled=no \ protocol=tcp psd=21,3s,3,1 src-address=!192.168.2.254 add action=add-src-to-address-list address-list=port-scanners \ address-list-timeout=2w chain=input comment=SYN/FIN disabled=no protocol=\ tcp tcp-flags=fin,syn add action=add-src-to-address-list address-list=port-scanners \ address-list-timeout=2w chain=input comment=SYN/RST disabled=no protocol=\ tcp tcp-flags=syn,rst add action=add-src-to-address-list address-list=port-scanners \ address-list-timeout=2w chain=input comment=FIN/PSH/URG disabled=no \ protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack add action=add-src-to-address-list address-list=port-scanners \ address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \ protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg add action=add-src-to-address-list address-list=port-scanners \ address-list-timeout=2w chain=input comment=NMAP disabled=no protocol=tcp \ tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\ 0-65535 protocol=tcp src-address=61.213.183.1-61.213.183.254 add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\ 0-65535 protocol=tcp src-address=67.195.134.1-67.195.134.254 add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\ 0-65535 protocol=tcp src-address=68.142.233.1-68.142.233.254 add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\ 0-65535 protocol=tcp src-address=68.180.217.1-68.180.217.254 add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\ 0-65535 protocol=tcp src-address=203.84.204.1-203.84.204.254 add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\ 0-65535 protocol=tcp src-address=69.63.176.1-69.63.176.254 add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\ 0-65535 protocol=tcp src-address=69.63.181.1-69.63.181.254 add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\ 0-65535 protocol=tcp src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment=ANTI-NETCUT disabled=no dst-port=\ 0-65535 protocol=tcp src-address=63.245.213.1-63.245.213.254 add action=accept chain=output comment="Login Failure Winbox Mikrotik" \ content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m \ protocol=tcp src-address=!192.168.2.254
# untuk menandai setiap paket data yang masuk pada lalu lintas internet /ip firewall mangle add action=add-src-to-address-list address-list=yourfreedomuser \ address-list-timeout=5m chain=prerouting comment="block user freedom" \ disabled=no dst-address-list=your-freedom protocol=tcp add action=add-src-to-address-list address-list=UltraSurfUsers \ address-list-timeout=5m chain=prerouting comment=UltraSurfUsers disabled=\ no dst-address-list=UltraSurfServers protocol=tcp add action=mark-connection chain=prerouting comment="limit akamai" disabled=\ no dst-address-list=akamai new-connection-mark=akamai passthrough=yes \ protocol=tcp src-address=!192.168.2.254 add action=mark-packet chain=prerouting connection-mark=akamai disabled=no \ new-packet-mark=akamai passthrough=no add action=mark-packet chain=postrouting comment=HIT disabled=no dscp=12 \ new-packet-mark=hit passthrough=no add action=mark-packet chain=postrouting content=X-Cache:HIT disabled=no \ new-packet-mark=hit passthrough=no add action=mark-connection chain=prerouting comment=GAME disabled=no \ dst-port=1818,2001,3010,4300,5105,5121,5126,5171,5340-5352,6000-6152,7777 \ new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp add action=mark-connection chain=prerouting disabled=no dst-port=\ 7341-7350,7451,8085,9600,9601-9602,9300,9376-9377,9400,9700,10001-10011 \ new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp add action=mark-connection chain=prerouting disabled=no dst-port="10402,11011-\ 11041,12011,12110,13008,13413,15000-15002,16402-16502,16666,18901-18909,19\ 000" new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp add action=mark-connection chain=prerouting disabled=no dst-port=\ 19101,22100,27780,28012,29000,29200,39100,39110,39220,39190,40000,49100 \ new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp add action=mark-connection chain=prerouting disabled=no dst-port=14009-14010 \ new-connection-mark=GAMEONLINE passthrough=yes protocol=tcp add action=mark-connection chain=prerouting disabled=no dst-port=14009-14010 \ new-connection-mark=GAMEONLINE passthrough=yes protocol=udp add action=mark-connection chain=prerouting disabled=no dst-port="1293,1479,61\ 00-6152,7777-7977,8001,9401,9600-9602,12020-12080,30000,40000-40010" \ new-connection-mark=GAMEONLINE passthrough=yes protocol=udp add action=mark-connection chain=prerouting disabled=no dst-port=\ 42051-42052,11100-11125,11440-11460 new-connection-mark=GAMEONLINE \
passthrough=yes protocol=udp add action=mark-packet chain=prerouting connection-mark=GAMEONLINE disabled=\ no new-packet-mark=online passthrough=no add action=mark-connection chain=prerouting content=facebook.com disabled=no \ new-connection-mark=fb_game passthrough=yes add action=mark-connection chain=prerouting content=fbcdn.net disabled=no \ new-connection-mark=fb_game passthrough=yes add action=mark-connection chain=prerouting content=facebook.net disabled=no \ new-connection-mark=fb_game passthrough=yes add action=mark-connection chain=prerouting content=zynga.com disabled=no \ new-connection-mark=fb_game passthrough=yes add action=mark-connection chain=prerouting content=\ static.ak.connect.facebook.com disabled=no new-connection-mark=fb_game \ passthrough=yes add action=mark-connection chain=prerouting content=\ statics.poker.static.zynga.com disabled=no new-connection-mark=fb_game \ passthrough=yes add action=mark-connection chain=prerouting disabled=no dst-port=9339,843 \ new-connection-mark=fb_game passthrough=yes protocol=tcp add action=mark-packet chain=prerouting connection-mark=fb_game disabled=no \ new-packet-mark=gamefb passthrough=no add action=mark-connection chain=prerouting disabled=no new-connection-mark=\ users-con passthrough=yes src-address=!192.168.2.254 src-address-list=!IP add action=mark-packet chain=prerouting connection-mark=users-con disabled=no \ new-packet-mark=users passthrough=yes add action=mark-connection chain=prerouting comment=IDM disabled=no \ layer7-protocol=download new-connection-mark=idm passthrough=yes \ src-address=!192.168.2.254 src-address-list=!IP add action=mark-packet chain=prerouting connection-mark=idm disabled=no \ new-packet-mark=idm passthrough=no add action=mark-connection chain=prerouting comment=Browsing disabled=no \ layer7-protocol=google new-connection-mark=google passthrough=yes \ src-address=!192.168.2.254 src-address-list=!IP add action=mark-packet chain=forward connection-mark=google disabled=no \ new-packet-mark=google passthrough=no src-address=!192.168.2.254 add action=mark-connection chain=prerouting disabled=no layer7-protocol=\ youtube new-connection-mark=stream-idm passthrough=yes src-address=\ !192.168.2.254 src-address-list=!IP add action=mark-packet chain=prerouting connection-mark=stream-idm disabled=\ no new-packet-mark=stream-idm passthrough=no add action=mark-connection chain=prerouting comment=ICMP disabled=no \ new-connection-mark="paket ic" passthrough=yes protocol=icmp add action=mark-packet chain=prerouting connection-mark="paket ic" disabled=\ no new-packet-mark="paket ip" passthrough=yes add action=change-dscp chain=prerouting disabled=no new-dscp=1 packet-mark=\ "paket ip" passthrough=yes
add action=mark-connection chain=prerouting comment=DNS disabled=no dst-port=\ 53 new-connection-mark="paket dc" passthrough=yes protocol=tcp add action=mark-connection chain=prerouting disabled=no dst-port=53 \ new-connection-mark="paket dc" passthrough=yes protocol=udp add action=mark-packet chain=prerouting connection-mark="paket dc" disabled=\ no new-packet-mark="paket dp" passthrough=yes add action=change-dscp chain=prerouting disabled=no new-dscp=1 packet-mark=\ "paket dp" passthrough=yes add action=mark-connection chain=prerouting comment="MIVO TV" disabled=no \ layer7-protocol=http-video new-connection-mark=paket-mtc passthrough=yes \ src-address=!192.168.2.254 src-address-list=!IP add action=mark-packet chain=forward connection-mark=paket-mtc disabled=no \ new-packet-mark=paket-mtc passthrough=no add action=mark-connection chain=prerouting comment=Camfrog disabled=no \ dst-port=2779,6667 new-connection-mark=camfrog passthrough=yes protocol=\ tcp add action=mark-packet chain=prerouting connection-mark=camfrog disabled=no \ new-packet-mark=camfrog passthrough=no add action=mark-connection chain=forward comment=bittorent disabled=no \ layer7-protocol=bittorent new-connection-mark=bittorent-limit \ passthrough=yes add action=mark-packet chain=forward connection-mark=bittorent-limit \ disabled=no new-packet-mark=packet-bittorent passthrough=no add action=mark-connection chain=forward comment=torrent-wws disabled=no \ layer7-protocol=torrent-wws new-connection-mark=wws-limit passthrough=yes add action=mark-packet chain=forward connection-mark=wws-limit disabled=no \ new-packet-mark=packet-wws passthrough=no add action=mark-connection chain=forward comment=torrent-www disabled=no \ layer7-protocol=torrent-www new-connection-mark=www-limit passthrough=yes add action=mark-packet chain=forward connection-mark=www-limit disabled=no \ new-packet-mark=packet-www passthrough=no add action=mark-connection chain=forward comment=torrent-allp2p disabled=no \ new-connection-mark=allp2p-limit p2p=all-p2p passthrough=yes add action=mark-packet chain=forward connection-mark=allp2p-limit disabled=no \ new-packet-mark=packet-allp2p passthrough=no add action=mark-connection chain=forward comment=torrent-port disabled=no \ new-connection-mark=port-limit passthrough=yes protocol=tcp src-port=\ 58561,58045,14948,58008,58816,59097 add action=mark-packet chain=forward connection-mark=port-limit disabled=no \ new-packet-mark=packet-port passthrough=no
# setting nat untuk menghubungkan gateway user ke internet /ip firewall nat add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway src-address=192.168.2.0/24 # setting redirect untuk mengarahkan user menggunakan DNS nawala anti porno, nonaktifkan bila tidak diperlukan add action=redirect chain=dstnat comment=\ "Redirect ke Port 53 untuk nawala anti porno project" disabled=no \ dst-port=53 protocol=tcp src-address=192.168.2.0/24 to-ports=53 add action=redirect chain=dstnat disabled=no dst-port=53 protocol=udp \ src-address=192.168.2.0/24 to-ports=53
# setting disable untuk menghindari scan winbox oleh user /ip neighbor discovery set ether1-gateway disabled=yes set ether2-local-master disabled=yes
# setting route antar gateway /ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 \ target-scope=10
# setting queue untuk tiap interface /queue interface set ether1-gateway queue=ethernet-default set ether2-local-master queue=ethernet-default
# pengaturan waktu sesuai zona indonesia /system clock set time-zone-name=Asia/Jakarta
# pengaturan default waktu mikrotik sesuai parameter pabrik /system clock manual set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\ "jan/01/1970 00:00:00" time-zone=+00:00
# pengaturan welcome text untuk consol terminal, bisa diganti dengan identitas anda /system note set note="M" show-at-login=yes
# pengaturan ntp client dengan server lokal / indonesia /system ntp client set enabled=yes mode=unicast primary-ntp=202.71.109.130 secondary-ntp=\ 65.55.21.23 # pengaturan ntp client dengan server lokal / indonesia /system ntp server set broadcast=no broadcast-addresses="" enabled=yes manycast=yes multicast=no
# menentukan jadwal eksekusi script flush cache DNS /system scheduler add disabled=no interval=30m name="cache flush" on-event=cacheflush policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \ start-time=startup # menentukan jadwal eksekusi script penggantian DNS otomatis /system scheduler add disabled=no interval=1d name=dnschange on-event=dnschange policy=\ reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
# menentukan jadwal eksekusi script anti netcut 1 /system scheduler add disabled=no interval=1d name=antinetcut1 on-event=antinetcut1 policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ start-time=startup
# menentukan jadwal eksekusi script anti netcut 2 /system scheduler add disabled=no interval=1d name=antinetcut2 on-event=antinetcut2 policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ start-time=startup
# menentukan jadwal eksekusi script membuat ARP otomatis untuk anti spoofing /system scheduler add disabled=no interval=20m name=leases on-event=lease policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ start-date=jan/25/2013 start-time=04:58:44
# menentukan jadwal eksekusi script pengaturan zona waktu /system scheduler add disabled=no interval=6h name=ntp on-event=ntp policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ start-date=jan/25/2013 start-time=06:57:11
# menentukan jadwal eksekusi script pengaturan zona waktu /system scheduler add disabled=no interval=6h name=ntp2 on-event=ntp2 policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ start-date=jan/25/2013 start-time=06:57:32
# menentukan jadwal eksekusi script menandai paket akamai /system scheduler add disabled=no interval=15m name=akamai on-event=akamai policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ start-time=startup
# menentukan jadwal eksekusi script menandai paket anonymous /system scheduler add disabled=no interval=11m name=anonymox on-event=anonymox policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ start-time=startup
# menentukan jadwal eksekusi script menandai server proxy luar negeri /system scheduler add disabled=no interval=12m name=proxi on-event=proxi policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ start-time=startup
# script untuk refresh dns agar tidak kepenuhan buffernya /system script add name=cacheflush policy=ftp,reboot,read,write,policy,test,winbox,password \ source="/ip dns cache flush"
# script untuk memastikan mikrotik menggunakan dns yg kita tentukan setiap terjadi reboot /system script add name=dnschange policy=ftp,reboot,read,write,policy,test,winbox,password \ source="/ip dns set servers=203.130.193.74,203.130.206.250 allow-remote-re\
quests=yes"
# script anti netcut 1 /system script add name=antinetcut1 policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ source=":local hosts [/ip dhcp-server lease find]\r\ \n:local pcname \"X\"\r\ \n:local pcnum 0\r\ \n:global hacklist \"\"\r\ \n:foreach h in \$hosts do={\r\ \n:local host [/ip dhcp-server lease get \$h host-name]\r\ \n:if ([:len \$host] >0) do {\r\ \n:set pcname (\$pcname . \",\" . \$host)\r\ \n:set pcnum (\$pcnum + 1)\r\ \n}\r\ \n}\r\ \n:foreach h in \$pcname do={\r\ \n:local hh 0\r\ \n:if (!([:find \$hacklist \$h]>=0)) do={\r\ \n:foreach k in \$pcname do={ :if (\$k=\$h) do={:set hh (\$hh + 1) } }\r\ \n:if (\$hh>2) do={\r\ \n:if ([:len \$hacklist] >0) do {:set hacklist (\$hacklist . \",\" . \$h)}\ \_else={:set hacklist \$h}\r\ \n}\r\ \n}\r\ \n}\r\ \n:local timer [:pick [/system clock get time] 3 5]\r\ \n:if ((\$switch > 0) || (\$timer >= \"58\")) do={\r\ \n:log warning (\"New Hacklist: \" . \$hacklist)"
# script anti netcut 2 /system script add name=antinetcut2 policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ source="# use global hacklist variable\r\ \n#:log info (\$hacklist)\r\ \n:foreach host in \$hacklist do={\r\ \n:foreach i in= [/ip dhcp-server lease find host-name \$host] do={\r\ \n:local ipnum [/ip dhcp-server lease get \$i address]\r\ \n:local unum [/ip hotspot active find address \$ipnum]\r\ \n:if ([:len \$unum] >0) do {\r\ \n:local usr [/ip hotspot active get \$unum user]\r\ \n:log warning (\$host . \" \" . \$ipnum . \" \" . \$usr)\r\
\n#next line kick them out right now, could also check pppoe\r\ \n/ip hotspot active remove \$unum\r\ \n#other stuff can do now with the identified IP and USER\r\ \n}\r\ \n}\r\ \n}"
# script penentuan zona waktu /system script add name=ntp policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ source="/system ntp client set enabled=yes mode=unicast primary-ntp=202.71\ .109.130 secondary-ntp=65.55.21.23\r\ \n"
# script penentuan zona waktu /system script add name=ntp2 policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ source="/system clock set time-zone-name=Asia/Jakarta"
# script untuk mengubah arp dinamic menjadi static untuk menghindari spoofing oleh netcut /system script add name=lease policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ source="/ip dhcp-server lease make-static [/ip dhcp-server lease find]"
# script untuk menandai setiap paket yang berasal dari server akamai /system script add name=akamai policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ source=":foreach i in=[/ip dns cache find] do={\r\ \n:local bNew \"true\";\r\ \n:local cacheName [/ip dns cache all get \$i name] ;\r\ \n# :put \$cacheName;\r\ \n\r\ \n:if ([:find \$cacheName \"akamai\"] != 0) do={\r\ \n\r\ \n:local tmpAddress [/ip dns cache get \$i address] ;\r\ \n# :put \$tmpAddress;\r\ \n\r\
\n# if address list is empty do not check\r\ \n:if ( [/ip firewall address-list find ] = \"\") do={\r\ \n:log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\ \");\r\ \n/ip firewall address-list add address=\$tmpAddress list=akamai comment=\ \$cacheName;\r\ \n} else={\r\ \n:foreach j in=[/ip firewall address-list find ] do={\r\ \n:if ( [/ip firewall address-list get \$j address] = \$tmpAddress ) do={\ \r\ \n:set bNew \"false\";\r\ \n}\r\ \n}\r\ \n:if ( \$bNew = \"true\" ) do={\r\ \n:log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\ \");\r\ \n/ip firewall address-list add address=\$tmpAddress list=akamai comment=\ \$cacheName;\r\ \n}\r\ \n}\r\ \n}\r\ \n}\r\ \n}"
# script untuk menandai setiap paket yang berasal dari server anonymous /system script add name=anonymox policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ source=":foreach i in=[/ip dns cache find] do={\r\ \n:local bNew \"true\";\r\ \n:local cacheName [/ip dns cache all get \$i name] ;\r\ \n# :put \$cacheName;\r\ \n\r\ \n:if ([:find \$cacheName \"anony\"] != 0) do={\r\ \n\r\ \n:local tmpAddress [/ip dns cache get \$i address] ;\r\ \n# :put \$tmpAddress;\r\ \n\r\ \n# if address list is empty do not check\r\ \n:if ( [/ip firewall address-list find ] = \"\") do={\r\ \n:log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\ \");\r\ \n/ip firewall address-list add address=\$tmpAddress list=anonymox comment\ =\$cacheName;\r\
\n} else={\r\ \n:foreach j in=[/ip firewall address-list find ] do={\r\ \n:if ( [/ip firewall address-list get \$j address] = \$tmpAddress ) do={\ \r\ \n:set bNew \"false\";\r\ \n}\r\ \n}\r\ \n:if ( \$bNew = \"true\" ) do={\r\ \n:log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\ \");\r\ \n/ip firewall address-list add address=\$tmpAddress list=anonymox comment\ =\$cacheName;\r\ \n}\r\ \n}\r\ \n}\r\ \n}\r\ \n}"
# script untuk menandai setiap paket yang berasal dari server proxy luar negeri /system script add name=proxi policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ source=":foreach i in=[/ip dns cache find] do={\r\ \n:local bNew \"true\";\r\ \n:local cacheName [/ip dns cache all get \$i name] ;\r\ \n# :put \$cacheName;\r\ \n\r\ \n:if (([:find \$cacheName \"proxy\"] != 0) || ([:find \$cacheName \"proxi\ \"] != 0)) do={\r\ \n\r\ \n:local tmpAddress [/ip dns cache get \$i address] ;\r\ \n# :put \$tmpAddress;\r\ \n\r\ \n# if address list is empty do not check\r\ \n:if ( [/ip firewall address-list find ] = \"\") do={\r\ \n:log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\ \");\r\ \n/ip firewall address-list add address=\$tmpAddress list=proxys comment=\ \$cacheName;\r\ \n} else={\r\ \n:foreach j in=[/ip firewall address-list find ] do={\r\ \n:if ( [/ip firewall address-list get \$j address] = \$tmpAddress ) do={\ \r\ \n:set bNew \"false\";\r\
\n}\r\ \n}\r\ \n:if ( \$bNew = \"true\" ) do={\r\ \n:log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\ \");\r\ \n/ip firewall address-list add address=\$tmpAddress list=proxys comment=\ \$cacheName;\r\ \n}\r\ \n}\r\ \n}\r\ \n}"
# pastikan untuk tidak mengubah apapun sebelum anda memahaminya benar-benar untuk menghindari kesalahan # Yups, semua sudah selesai, restart mikrotik anda.
# Nb : seluruh tutorial tersebut sudah saya buktikan sendiri, jika ada tambahan, silahkan komentar dan saran2nya, maaf bila tidak disertakan gambar.