
################################################################################

.A.L.P.H.A....A.L.P.H.A....A.L.P.H.A....A.L.P.H.A....A.L.P.H.A.
########## Network Installation for a Warnet (Internet Café) with Mikrotik and Proxy ###########
--[0]-- Intro
Installing Mikrotik for bandwidth management together with a Squid proxy server.
Can be used for a warnet, a university laboratory or a school.
--[1]-- Preparation
The experiment was carried out on PCs with the following specifications:
o Proxy machine, running CentOS 4.4
- Pentium 4 processor, 2.4 GHz CPU clock
- 512 MB RAM
- 40 GB hard disk
- one D-Link LAN card
o Mikrotik machine
- Pentium III processor, 1.3 GHz CPU clock
- 256 MB RAM
- 40 GB hard disk
- 2 D-Link LAN cards + 1 Prolink
Adjust the machines to whatever you have available.
(a) Network schema/topology
Assumptions:
Internet connection over xDSL through a modem, either via Telkom's infrastructure
or another provider. A connection through a wireless provider can be adapted
accordingly.
[Network diagram: telephone line -> splitter -> (1) xDSL modem -> interface a of the (2) Mikrotik box;
 interface b -> (3) switch -> client 1 ... client n; interface c -> interface d of the (4) proxy server box]
Schema legend
(1) = xDSL modem (IP address: 192.168.1.1/24)
(2) = Mikrotik box with 3 Ethernet cards, namely a (public), b (local) and c (proxy)
(3) = Switch, for the connection to the clients. Assume there are 20 clients.
      IP address range     : 192.168.0.0/27
      Client IP allocation : 192.168.0.1-192.168.0.30
      Network ID           : 192.168.0.0/27
      Broadcast IP         : 192.168.0.31/27
(4) = Proxy server box
(b) IP address allocation
[*] Mikrotik box
Schema legend
a = Ethernet card 1 (public) -> IP address : 192.168.1.2/24
b = Ethernet card 2 (local)  -> IP address : 192.168.0.30/27
c = Ethernet card 3 (proxy)  -> IP address : 192.168.2.1/30
Gateway : 192.168.1.1 (to the modem)

[*] Clients
Client 1 - client n, IP address : 192.168.0.n .... n (1-30)
Example:
Client 6
IP address : 192.168.0.6/27
Gateway    : 192.168.0.30 (to the Mikrotik box)
[*] Linux for the proxy
d = Ethernet card 4 (Linux) -> IP address : 192.168.2.2/30
Gateway : 192.168.2.1/30 (to Ethernet card 3 on the Mikrotik)
NOTE:
- The number after the IP address (/27) is its netmask; /27 corresponds to
255.255.255.224. The class C subnet masks for the local IP block break down
as follows:
Class C subnet masks
--------------------
255.255.255.0   = /24 -> 254 machines
255.255.255.128 = /25 -> 128 machines
255.255.255.192 = /26 -> 64 machines
255.255.255.224 = /27 -> 32 machines
255.255.255.240 = /28 -> 16 machines
255.255.255.248 = /29 -> 8 machines
255.255.255.252 = /30 -> 4 machines
255.255.255.254 = /31 -> 2 machines
255.255.255.255 = /32 -> 1 machine

!! You also need to subtract the 2 IP addresses that cannot be assigned to machines:
1 IP address for the network ID and 1 IP address for the broadcast address.
- The UTP cable between (2), the Mikrotik box, and (4), the Linux box, is a crossover cable,
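The subnet arithmetic from the note above, worked through as an added example (this is not code from the original page): it rebuilds the class C mask table with Python's ipaddress module, applies the "subtract 2" rule to get usable hosts, derives the network ID, broadcast and client range for the page's 192.168.0.0/27 block, and checks two things that matter when the boxes are wired up: that a client's gateway is a usable address inside the client's own subnet, and that both ends of a link (such as the /30 between the Mikrotik and the proxy box) agree on the network. The addresses are the ones from the IP plan above.

```python
import ipaddress


def class_c_table():
    """Class C subnet masks from /24 to /30 as (dotted mask, prefix length,
    addresses in the block, usable hosts after removing network ID and broadcast)."""
    rows = []
    for prefix in range(24, 31):
        net = ipaddress.ip_network(f"192.168.0.0/{prefix}")
        rows.append((str(net.netmask), prefix, net.num_addresses, net.num_addresses - 2))
    return rows


def allocate(cidr):
    """Network ID, netmask, broadcast and usable range for a block such as 192.168.0.0/27."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # hosts() already leaves out network ID and broadcast
    return {
        "network_id": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),
    }


def same_subnet(addr_a, addr_b):
    """True when two interfaces given as 'ip/prefix' sit on the same network.
    Worth checking before suspecting the cable when a ping across a link gets no reply."""
    return ipaddress.ip_interface(addr_a).network == ipaddress.ip_interface(addr_b).network


def gateway_usable(client, gateway):
    """A client ('ip/prefix') can only use a gateway that is a host address inside
    its own subnet: not the network ID and not the broadcast address."""
    net = ipaddress.ip_interface(client).network
    return ipaddress.ip_address(gateway) in net.hosts()


if __name__ == "__main__":
    for mask, prefix, total, usable in class_c_table():
        print(f"{mask:<16} = /{prefix} -> {total:>3} addresses, {usable:>3} usable")
    print(allocate("192.168.0.0/27"))
    print("client 6 -> Mikrotik b:", gateway_usable("192.168.0.6/27", "192.168.0.30"))
    print("Mikrotik c <-> Linux d:", same_subnet("192.168.2.1/30", "192.168.2.2/30"))
```

Run it with python3 to print the table and the /27 allocation; the same functions can be pointed at any other block before it is handed out to clients.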
--[2]-- Basic configuration
As drawn in the network schema above, the operating systems to prepare are the
router OS, Mikrotik RouterOS version 2.9.27 level 6, and GNU/Linux, distribution
CentOS version 4.4, which will be used for the proxy machine.
Information on Mikrotik can be found on its official website at
http://www.mikrotik.com and at http://www.mikrotik.co.id for Indonesia.
Prepare the ISO first; if you do not have one yet, a sample ISO can be
downloaded from http://mikrotik.co.id/download.php.
Likewise for CentOS Linux, download the ISO first from
http://mirror.nsc.liu.se/CentOS/4.4/isos/i386/. This is CentOS version 4.4.
Adjust the operating systems if you want to use ones different from those in
this experiment, for example Mikrotik MT version 2.8.x or later; the same goes
for Linux, pick whichever distribution you like. Conceptually the configuration
is the same.
Now, assume both machines are installed and ready to run. For CentOS, if you
want to create a dedicated partition for /cache/, go ahead; in this experiment
a dedicated partition was indeed created.
Basic configuration.
(a) Mikrotik
- Install the SYSTEM, SECURITY and DHCP (optional) packages
- Set the IP addresses according to the schema. Since the box has 3 LAN cards,
an IP address is set on each of the three. Name the interfaces according to the
schema above, which gives three interface names:
1. interface Public
2. interface Local
3. interface Proxy
#Interface
------------------------------------------------------------------------------
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME      TYPE    RX-RATE  TX-RATE  MTU
  0 R  public    ether   0        0        1500
  1 R  proxy     ether   0        0        1500
  2 R  local     ether   0        0        1500
[admin@MikroTik] interface>
------------------------------------------------------------------------------
Of course the interface names need not match the names above; that is up to the
reader. What matters is that the three interfaces are on different IP subnets;
see the schema.
# IP Address
------------------------------------------------------------------------------
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.1.2/24     192.168.1.0     192.168.1.255   public
  1   192.168.0.30/27    192.168.0.0     192.168.0.31    local
  2   192.168.2.1/30     192.168.2.0     192.168.2.3     proxy
[admin@MikroTik] >
------------------------------------------------------------------------------
- Set the IP gateway, i.e. the routing. For the Mikrotik the gateway is the modem,
192.168.1.1
# Ip Gateway
------------------------------------------------------------------------------
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
  #     DST-ADDRESS        PREFSRC         G GATEWAY         DISTANCE INTERFACE
  0 ADC 192.168.2.0/30     192.168.2.1                                proxy
  1 ADC 192.168.0.0/27     192.168.0.30                               local
  2 ADC 192.168.1.0/24     192.168.1.2                                public
  3 A S 0.0.0.0/0                          r 192.168.1.1              public
[admin@MikroTik] >
------------------------------------------------------------------------------
- Set the DNS
#Ip DNS
------------------------------------------------------------------------------
[admin@MikroTik] > ip dns print
primary-dns: 203.130.193.74
secondary-dns: 202.134.0.155
allow-remote-requests: yes
cache-size: 10240KiB
cache-max-ttl: 1w
cache-used: 271KiB
[admin@MikroTik] >
------------------------------------------------------------------------------
- Add rules under /ip firewall nat, for masquerading.

#Rule Firewall NAT, redirect to the web proxy

------------------------------------------------------------------------------
[admin@MikroTik] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=public action=masquerade
 1   chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=80
     action=dst-nat to-addresses=6n.219.6.110 to-ports=8080
 2   chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=8000
     action=dst-nat to-addresses=6n.219.6.110 to-ports=8080
 3   chain=dstnat src-address=192.168.0.0/27 protocol=tcp dst-port=3128
     action=dst-nat to-addresses=6n.219.6.110 to-ports=8080
------------------------------------------------------------------------------
(b) Squid box
Preparation
Port             : 8080
Space            : 3 GB (3072 MB)
Allocated at     : /cache/squid (hard-disk partition /cache/)
Allowed networks : 6n.21n.6.96/28 and 192.168.14.0/27
Assume Squid has already been downloaded and installed, either from the tarball
(tar zxvf squid-2.6.STABLE6-src.tar.gz) or from the RPM (rpm -ivh squid-2.6.STABLE6.rpm).
Configure as root:
- cd /etc/squid
- back up the Squid configuration:
[root@admin]# cp squid.conf squid.conf.org
[root@admin]# cd
- the Squid proxy server cannot run as the superuser root, so create the user
that will run Squid:
[root@admin]# useradd -d /cache/ -r -s /dev/null squid >/dev/null 2>&1
- create the folder /cache/squid, then change its owner to the squid user:
[root@admin]# mkdir -p /cache/squid
[root@admin]# chown -R squid:squid /cache/squid
- create the cache_dir folder:
[root@admin]# mkdir /cache/squid/spool
[root@admin]# chown -R squid:squid /cache/squid
Once the configuration is done, save it and start Squid:
[root@admin]# /etc/init.d/squid start

or
# service squid start
But if it has been started before, that means Squid is already running with
the default config (/etc/squid/squid.conf).
First step:
# squid -h
# squid -k reconfigure
# squid -z
only then do
# service squid restart   or
# service squid stop (then) start
Test Squid from a browser while watching its access log:
[root@admin]# tail -f /cache/squid/access.log
For a transparent proxy and for security [optional]:
iptables -t nat -A PREROUTING -p tcp -s 6n.21n.6.96/28 --dport 80 -j DNAT --to-destination 6n.219.6.110:8080

This can be saved in /etc/rc.d/rc.local if you cannot find the iptables config.

and
iptables -t nat -A PREROUTING -p tcp -s 192.168.14.0/27 -d 192.168.14.30/27 --dport 8080 -j DNAT --to-destination 6n.21n.6.110:8080

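The "test Squid while watching its access log" step above is easier when the log is summarised rather than read line by line. The following parser is an added example, not code from the page or from the Squid project: it reads Squid's native access.log format (timestamp, elapsed ms, client, action/status, bytes, method, URL, user, hierarchy/peer, content type), and reports the request mix, the cache hit ratio, bytes per client, and every request the ACLs refused (TCP_DENIED), which is what a warnet admin wants to see after changing squid.conf. The log lines are constructed for the example and are not from the page.

```python
import re
from collections import Counter

# Constructed sample in Squid's native access.log format (not taken from the page):
# timestamp elapsed-ms client action/status bytes method url user hierarchy/peer content-type
SAMPLE_LOG = """\
1172334567.123    245 192.168.0.6 TCP_MISS/200 3456 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1172334568.456     12 192.168.0.7 TCP_HIT/200 9876 GET http://www.example.com/logo.gif - NONE/- image/gif
1172334570.789      1 192.168.0.9 TCP_DENIED/403 1100 CONNECT mail.example.org:25 - NONE/- text/html
1172334571.001    530 192.168.0.6 TCP_MISS/200 20480 GET http://files.example.com/tool.exe - DIRECT/203.0.113.20 application/octet-stream
1172334572.222      0 192.168.0.9 TCP_DENIED/403 1100 GET http://www.example.com/winnt/system32/cmd.exe?/c+dir - NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """One access.log line -> dict of fields, or None if it is not in native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def summarize(text):
    """Counts worth watching while tailing the log: request mix, cache hit ratio,
    bytes per client, and every request the http_access rules refused."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    bytes_by_client = Counter()
    for r in recs:
        bytes_by_client[r["client"]] += r["bytes"]
    hits = sum(1 for r in recs if r["action"].endswith("_HIT"))  # TCP_HIT, TCP_MEM_HIT, ...
    return {
        "requests": len(recs),
        "by_action": dict(Counter(r["action"] for r in recs)),
        "hit_ratio": hits / len(recs) if recs else 0.0,
        "bytes_by_client": dict(bytes_by_client),
        "denied": [(r["client"], r["method"], r["url"]) for r in recs if r["action"] == "TCP_DENIED"],
    }


def large_replies(text, limit_bytes):
    """Replies bigger than limit_bytes, e.g. to decide on a reply_body_max_size value."""
    return [(r["client"], r["url"], r["bytes"])
            for r in map(parse_line, text.splitlines()) if r and r["bytes"] > limit_bytes]


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
    print("large replies:", large_replies(text, 10000))
```

Pipe a slice of the real log into it, for example `tail -n 500 /cache/squid/access.log | python3 squidlog.py`; run without input it reports on the constructed sample. The log path must match the cache_access_log line in squid.conf.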
squid.conf
---------
#============================================================
# baratev.sourceforge.net
# SQUID PROXY CACHE
# alpha version
#============================================================
http_port 8080 transparent
icp_port 3130
icp_query_timeout 0
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
#============================================================
hierarchy_stoplist cgi-bin ? .js .jsp localhost visicom provider.net
acl QUERY urlpath_regex cgi-bin \? .js .jsp localhost visicom provider.net
no_cache deny QUERY
#============================================================
#============================================================
# OPTIONS WHICH AFFECT THE CACHE SIZE
#============================================================
cache_mem 8 MB
maximum_object_size 128 MB
maximum_object_size_in_memory 32 KB

cache_swap_low 98%
cache_swap_high 99%
store_dir_select_algorithm round-robin
ipcache_size 2048
ipcache_low 98
ipcache_high 99
fqdncache_size 2048
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
#============================================================
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#============================================================
cache_dir aufs /cache/squid 4500 18 256
cache_access_log /var/log/squid/access.log
cache_log none
cache_store_log none
mime_table /etc/mime.conf
pid_filename /var/run/squid.pid
log_fqdn off
log_mime_hdrs off
log_ip_on_direct off
logfile_rotate 7
debug_options ALL,1
buffered_logs off
emulate_httpd_log off
#============================================================
# FTP section
#============================================================
ftp_user anonymous@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
#============================================================
# DNS resolution section
#============================================================
cache_dns_program /squid/libexec/dnsserver
dns_children 24
dns_nameservers 127.0.0.1 XXX.XXX.XXX.XXX
#============================================================
# Refresh Rate
#============================================================
refresh_pattern -i \.(swf|png|jpg|jpeg|bmp|tiff|png|gif) 43200 90% 129600 override-expire
refresh_pattern -i (.*html$|.*htm|.*shtml|.*aspx|.*asp) 0 90% 1440
refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
negative_ttl 3 minutes
positive_dns_ttl 53 seconds
negative_dns_ttl 29 seconds

forward_timeout 4 minutes
connect_timeout 2 minutes
peer_connect_timeout 1 minutes
pconn_timeout 120 seconds
shutdown_lifetime 10 seconds
read_timeout 15 minutes
request_timeout 5 minutes
persistent_request_timeout 1 minute
client_lifetime 60 minutes
half_closed_clients off
#============================================================
# ACL section
#============================================================
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl skynet src xxx.xxx.xxx.xxx/xx
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563          # https, snews
acl Safe_ports port 80              # http
acl Safe_ports port 21              # ftp
acl Safe_ports port 443 563         # https, snews
acl Safe_ports port 70              # gopher
acl Safe_ports port 210             # wais
acl Safe_ports port 1025-65535      # unregistered ports
acl Safe_ports port 280             # http-mgmt
acl Safe_ports port 488             # gss-http
acl Safe_ports port 591             # filemaker
acl Safe_ports port 777             # multiling http
acl Safe_ports port 631             # cups
acl Safe_ports port 873             # rsync
acl Safe_ports port 901             # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
#acl badip url_regex -i "/squid/ip-deny"
#acl badurl url_regex -i "/squid/bad-url"
acl warnet src xxx.xxx.xxx.xxx/xx
acl virus dst 204.177.92.204/32 64.191.99.145/32
acl gator dstdom_regex gator hot_indonesia.exe
acl exploit urlpath_regex winnt/system32/cmd.exe?
acl exploit urlpath_regex splashPages/black.sps?
acl BADPORTS port 7 9 11 19 22 23 25 110 119 513 514
http_access deny virus
http_access deny gator
http_access deny exploit
http_access deny BADPORTS
# badip and badurl are commented out above; Squid refuses to start when an
# http_access line names an undefined ACL, so these two stay commented until
# the ACLs and their list files exist.
#http_access deny badip
#http_access deny badurl
http_access allow manager
http_access allow localhost
http_access allow skynet
http_access allow warnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access allow all

always_direct allow localhost warnet

always_direct deny all
#============================================================
# Administrative parameters
#============================================================
cache_mgr support@provider.net
# user and group created by the useradd step above
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.provider.net
unique_hostname support@provider.net
#============================================================
# Transparent proxy setting
#============================================================
# Squid 2.5-style accelerator directives; Squid 2.6 does transparent
# interception through the "http_port 8080 transparent" line above.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_no_pmtu_disc on
httpd_accel_single_host off
half_closed_clients off
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Via deny all
header_access X-Forwarded-For deny all
header_access Accept-Encoding deny all
header_access User-Agent deny all
header_replace User-Agent Mozilla/5.0 (compatible; MSIE 6.0)
header_access Accept deny all
header_replace Accept */*
header_access Accept-Language deny all
header_replace Accept-Language id, en
#============================================================
# ACCELERATOR
#============================================================
memory_pools off
forwarded_for off
log_icp_queries off
icp_hit_stale on
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 9900
netdb_high 10000
netdb_ping_period 30 seconds
query_icmp off
pipeline_prefetch on
reload_into_ims on
vary_ignore_expire on
max_open_disk_fds 100
nonhierarchical_direct on
prefer_direct off

#============================================================
# MISCELLANEOUS
#============================================================
logfile_rotate 3
store_dir_select_algorithm round-robin
shutdown_lifetime 10 seconds
cachemgr_passwd disable shutdown
cachemgr_passwd all
buffered_logs off
offline_mode off
coredump_dir /squid
ignore_unknown_nameservers on
acl hotmail dstdomain .hotmail.com .msn.com .passport.net .msn.co.id .passport.com
header_access Accept-Encoding deny hotmail
#============================================================
# DELAY POOLS
#============================================================
acl download url_regex -i ftp .exe .mp3 .vqf .tar.gz .wmv .tar.bz .tar.bz2 .gz .rpm .zip
acl download url_regex -i .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .tar .doc
acl download url_regex -i .ppt .z .wmf .mov .arj .lzh .gzip .bin .wma
# delay_pools 2
delay_pools 2
delay_class 1 2
delay_parameters 1 8000/8000 6000/8000
delay_access 1 allow download
delay_access 1 deny all
delay_class 2 2
delay_parameters 2 25000/25000 10000/16000 #200kb/200kb 80Kb/128Kb
# the "user" ACL is not defined above; define it before this line is used
delay_access 2 allow user
delay_access 2 deny all
# Fill in as needed
#============================================================
# DOWNLOAD LIMIT
#============================================================
#reply_body_max_size 3072000 deny !client   # replace the value with the one you want
#============================================================
# SNMP
#============================================================
acl snmpcommunity snmp_community public
snmp_port 3401
snmp_access allow snmpcommunity localhost
snmp_access deny all
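Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match, so the order of the lines above decides what a warnet client may do. The following evaluator is an added example, not code from the page or from the Squid project: it reproduces the port, src and urlpath_regex ACLs of the squid.conf above (the skynet, manager, virus and gator ACLs are left out, and the warnet subnet, which the page leaves as xxx.xxx.xxx.xxx/xx, is assumed to be the 192.168.0.0/27 client block from the IP plan) and walks the lines in the page's order. It also offers the ordering used by Squid's stock squid.conf, where "deny !Safe_ports" and "deny CONNECT !SSL_ports" come before the allow lines; with the page's order those two checks are only reached by clients that match no allow line, so a warnet client can CONNECT to any port above 1024 that is not in BADPORTS.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# ACL values copied from the squid.conf above. WARNET is an assumption (the page
# leaves it as xxx.xxx.xxx.xxx/xx); 192.168.0.0/27 is the client block of the IP plan.
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777, 631, 873, 901} | set(range(1025, 65536))
SSL_PORTS = {443, 563}
BADPORTS = {7, 9, 11, 19, 22, 23, 25, 110, 119, 513, 514}
LOCALHOST = ip_network("127.0.0.1/32")
WARNET = ip_network("192.168.0.0/27")
# the two "acl exploit urlpath_regex" lines, with the dots escaped
EXPLOIT_RE = re.compile(r"winnt/system32/cmd\.exe|splashPages/black\.sps")
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70, "wais": 210}


def request_port(method, url):
    """The port Squid's 'port' ACL type tests: the CONNECT target's port, or the
    URL's explicit port, or the scheme default."""
    if method == "CONNECT":
        return int(url.rpartition(":")[2])  # CONNECT host:port
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme, 80)


def http_access(client, method, url, order="page"):
    """First-match walk over the http_access lines. order="page" keeps the order of
    the squid.conf above; order="default" places the two port checks before the
    allow lines, as Squid's stock squid.conf does. Returns (action, rule name)."""
    src = ip_address(client)
    port = request_port(method, url)
    path = "" if method == "CONNECT" else urlsplit(url).path
    denies_first = [
        ("deny", "exploit", bool(EXPLOIT_RE.search(path))),
        ("deny", "BADPORTS", port in BADPORTS),
    ]
    allows = [
        ("allow", "localhost", src in LOCALHOST),
        ("allow", "warnet", src in WARNET),
    ]
    port_checks = [
        ("deny", "!Safe_ports", port not in SAFE_PORTS),
        ("deny", "CONNECT !SSL_ports", method == "CONNECT" and port not in SSL_PORTS),
    ]
    middle = allows + port_checks if order == "page" else port_checks + allows
    for action, rule, matched in denies_first + middle + [("deny", "all", True)]:
        if matched:
            return action, rule


if __name__ == "__main__":
    checks = [
        ("192.168.0.6", "GET", "http://www.example.com/"),
        ("192.168.0.6", "GET", "http://www.example.com/winnt/system32/cmd.exe?/c+dir"),
        ("192.168.0.6", "CONNECT", "mail.example.org:25"),
        ("192.168.0.6", "CONNECT", "irc.example.net:6667"),
        ("10.0.0.5", "GET", "http://www.example.com/"),
    ]
    for client, method, url in checks:
        print(f"{client:<13} {method:<7} {url:<55} page={http_access(client, method, url)} "
              f"default={http_access(client, method, url, order='default')}")
```

The CONNECT-to-6667 case is the one to look at: the page's order answers ("allow", "warnet"), the stock order answers ("deny", "CONNECT !SSL_ports"). Moving the two port checks above "http_access allow skynet" and "http_access allow warnet" in the squid.conf gives the stock behaviour without changing anything else.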
--[4]-- Evaluation
--[5]-- Troubleshooting
- Same subnet mask, but a ping from the Mikrotik to the Linux machine gets no reply

--[6]-- References
o http://www.squid-cache.org
o http://www.mikrotik.com
########################################################################
Documentation, editing and optimization by baratev.sourceforge.net
########################################################################
