
Mikrotik PCC Load Balancing with External Proxy

No need for a long explanation; I assume you already understand what load balancing means. Frankly, this is my
first time load balancing the government-owned provider's PPPoE lines with a Mikrotik, so if it turns out not to
work, the embarrassment is my own risk to bear. Hehehe.

Ingredients:

- Mikrotik RB750G ROS 4.6

- More than one PPPoE line*

- External proxy machine: squid 2.7STABLE9 + zph DSCP 12


*) well, it's load balancing, so of course there has to be more than one


The network topology is as shown below:

wan1            wan2            wan3
 |               |               |
 |----------- Mikrotik ----------|
 |                    |
 |                  proxy
LAN

*) The IPs in the illustration are not the IPs used in the following tutorial


Roughly, the picture is this: 3 Speedy lines, 1 proxy line and 1 local line plugged into the ports of the
RB750G.


Basic configuration:


1. Set up the interfaces used


/interface ethernet

set 0 comment="Public Interface 1" name=Public_1
set 1 comment="Public Interface 2" name=Public_2
set 2 comment="Public Interface 3" name=Public_3
set 3 comment="Local Interface" name=Local
set 4 comment="Proxy Interface" name=Proxy


2. Set up the pppoe-client for the 3 lines used, without a default route

/interface pppoe-client

add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=eth01-wan1 \
    dial-on-demand=no disabled=no interface=Public_1 max-mru=1480 max-mtu=1480 \
    mrru=disabled name=eth01-wan1 password=********* profile=default service-name="" \
    use-peer-dns=no user=*********@telkom.net

add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=eth02-wan2 \
    dial-on-demand=no disabled=no interface=Public_2 max-mru=1480 max-mtu=1480 \
    mrru=disabled name=eth02-wan2 password=********* profile=default service-name="" \
    use-peer-dns=no user=*********@telkom.net

add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=eth03-wan3 \
    dial-on-demand=no disabled=no interface=Public_3 max-mru=1480 max-mtu=1480 \
    mrru=disabled name=eth03-wan3 password=********* profile=default service-name="" \
    use-peer-dns=no user=*********@telkom.net


3. IP addresses used on each interface of the RB750G

/ip address

add address=192.168.1.12/24 broadcast=192.168.1.255 comment="" disabled=no \
    interface=Public_1 network=192.168.1.0

add address=192.168.2.12/24 broadcast=192.168.2.255 comment="" disabled=no \
    interface=Public_2 network=192.168.2.0

add address=192.168.3.12/24 broadcast=192.168.3.255 comment="" disabled=no \
    interface=Public_3 network=192.168.3.0

add address=10.20.30.200/24 broadcast=10.20.30.255 comment="" disabled=no \
    interface=Local network=10.20.30.0

add address=192.168.10.1/24 broadcast=192.168.10.255 comment="" disabled=no \
    interface=Proxy network=192.168.10.0

4. DNS servers used

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 \
    servers=125.160.4.82,203.130.196.155,203.130.196.5,222.124.204.34,202.134.0.61






5. IP routes and their routing marks


/ip route

add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=eth01-wan1 \
    routing-mark=eth01-wan1 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=eth01-wan1 \
    routing-mark=eth01-wan1 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=eth01-wan1 \
    routing-mark=eth01-wan1 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=eth02-wan2 \
    routing-mark=eth02-wan2 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=eth02-wan2 \
    routing-mark=eth02-wan2 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=eth02-wan2 \
    routing-mark=eth02-wan2 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=eth03-wan3 \
    routing-mark=eth03-wan3 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=eth03-wan3 \
    routing-mark=eth03-wan3 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=eth03-wan3 \
    routing-mark=eth03-wan3 scope=30 target-scope=10

add check-gateway=ping comment="Default Route pppoe1 - Distance 1" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=eth01-wan1 scope=30 target-scope=10

add check-gateway=ping comment="Default Route pppoe2 - Distance 1" disabled=no distance=2 \
    dst-address=0.0.0.0/0 gateway=eth02-wan2 scope=30 target-scope=10

add check-gateway=ping comment="Default Route pppoe3 - Distance 1" disabled=no distance=3 \
    dst-address=0.0.0.0/0 gateway=eth03-wan3 scope=30 target-scope=10




6. Create address lists for the local network and the proxy network


/ip firewall address-list

add address=10.20.30.0/24 comment="" disabled=no list=LocalNET
add address=192.168.10.0/24 comment="" disabled=no list=ProxyNET


7. Then create the NAT rules: masquerade for the PPPoE links, transparent DNS and transparent proxy


/ip firewall nat

add action=masquerade chain=srcnat comment=MASQUERADE1 disabled=no out-interface=eth01-wan1
add action=masquerade chain=srcnat comment=MASQUERADE2 disabled=no out-interface=eth02-wan2
add action=masquerade chain=srcnat comment=MASQUERADE3 disabled=no out-interface=eth03-wan3

add action=dst-nat chain=dstnat comment="TRANSPARENT DNS" disabled=no dst-port=53 \
    in-interface=Local protocol=udp to-ports=53

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 in-interface=Local \
    protocol=tcp to-ports=53

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 in-interface=Proxy \
    protocol=udp to-ports=53

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 in-interface=Proxy \
    protocol=tcp to-ports=53

add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no \
    dst-address-list=!ProxyNET dst-port=80,8080,3128 in-interface=Local protocol=tcp \
    to-addresses=192.168.10.2 to-ports=3128
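
With allow-remote-requests=yes (step 4) the router's resolver listens on every interface, and the NAT rules in step 7 only handle DNS arriving on Local and Proxy, so nothing in the configuration so far stops queries arriving over the PPPoE links. The following check is an added example, not part of the original tutorial: it reads a RouterOS export and lists the WAN interfaces on which port 53 is still reachable. The sample export and its filter rules are constructed, and the check only recognises per-interface drop or reject rules on dst-port=53 in the input chain.

```python
import re
import shlex

# Constructed sample export: the DNS setting from step 4 plus a filter that
# covers only the first PPPoE link (the filter rules are not from the tutorial).
EXPORT = r'''
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB
/ip firewall filter
add action=drop chain=input comment="DNS from WAN" dst-port=53 \
    in-interface=eth01-wan1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=eth01-wan1 protocol=tcp
'''
WAN_IFACES = ["eth01-wan1", "eth02-wan2", "eth03-wan3"]  # PPPoE names from step 2


def parse_export(text):
    """Yield (menu, verb, params) for every command in a RouterOS export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)
        yield menu, tokens[0], dict(t.split("=", 1) for t in tokens[1:] if "=" in t)


def exposed_dns(text, wan_ifaces):
    """Return (interface, protocol) pairs on which the resolver is reachable."""
    cmds = list(parse_export(text))
    if not any(m == "/ip dns" and p.get("allow-remote-requests") == "yes"
               for m, _, p in cmds):
        return []  # resolver only serves the router itself
    blocked = {
        (p.get("in-interface"), p.get("protocol"))
        for m, verb, p in cmds
        if m == "/ip firewall filter" and verb == "add"
        and p.get("chain") == "input" and p.get("action") in ("drop", "reject")
        and p.get("dst-port") == "53" and p.get("disabled", "no") == "no"
    }
    return [(i, proto) for i in wan_ifaces for proto in ("udp", "tcp")
            if (i, proto) not in blocked]
```

Run `exposed_dns()` on the output of `/export` from the router; an empty list means every listed WAN interface has both UDP and TCP port 53 filtered.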

Once the basic configuration is done, move on to the load balancing configuration.



8. As usual, put the proxy-hit packet-mark on the top line of mangle


/ip firewall mangle

add action=mark-packet chain=forward comment="PROXY-HIT-DSCP 12" disabled=no dscp=12 \
    new-packet-mark=proxy-hit passthrough=no


9. Because this LB-PCC setup is used to balance HTTP traffic together with an external proxy, the interface
used is the Proxy interface, with protocol tcp and dst-port 80. The first step is to catch new connections
arriving on each pppoe interface, which guarantees that packets coming in are replied to through the same
interface


add action=mark-connection chain=input comment="-ImeR- PCC RULE ---- MARK ALL PPPoE CONN" \
    connection-state=new disabled=no in-interface=eth01-wan1 \
    new-connection-mark=pppoe1_conn passthrough=yes

add action=mark-connection chain=input comment="" connection-state=new disabled=no \
    in-interface=eth02-wan2 new-connection-mark=pppoe2_conn passthrough=yes

add action=mark-connection chain=input comment="" connection-state=new disabled=no \
    in-interface=eth03-wan3 new-connection-mark=pppoe3_conn passthrough=yes

add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no in-interface=eth01-wan1 new-connection-mark=pppoe1_conn passthrough=yes

add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no in-interface=eth02-wan2 new-connection-mark=pppoe2_conn passthrough=yes

add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no in-interface=eth03-wan3 new-connection-mark=pppoe3_conn passthrough=yes

add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no in-interface=eth01-wan1 new-connection-mark=pppoe1_conn passthrough=yes

add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no in-interface=eth02-wan2 new-connection-mark=pppoe2_conn passthrough=yes

add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no in-interface=eth03-wan3 new-connection-mark=pppoe3_conn passthrough=yes

add action=mark-routing chain=output comment="" connection-mark=pppoe1_conn disabled=no \
    new-routing-mark=eth01-wan1 passthrough=no

add action=mark-routing chain=output comment="" connection-mark=pppoe2_conn disabled=no \
    new-routing-mark=eth02-wan2 passthrough=no

add action=mark-routing chain=output comment="" connection-mark=pppoe3_conn disabled=no \
    new-routing-mark=eth03-wan3 passthrough=no


10. Next, load balance the connections coming in from the proxy interface with the PCC method; remember that
what gets routed is protocol tcp with dst-port 80


add action=mark-connection chain=prerouting comment="-ImeR- PCC RULE ---- MARK ALL PROXY CONN" \
    connection-state=new disabled=no dst-address-type=!local dst-port=80 in-interface=Proxy \
    new-connection-mark=pr_eth01-wan1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/0 protocol=tcp

add action=mark-connection chain=prerouting comment="" connection-state=new disabled=no \
    dst-address-type=!local dst-port=80 in-interface=Proxy \
    new-connection-mark=pr_eth02-wan2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1 protocol=tcp

add action=mark-connection chain=prerouting comment="" connection-state=new disabled=no \
    dst-address-type=!local dst-port=80 in-interface=Proxy \
    new-connection-mark=pr_eth03-wan3 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/2 protocol=tcp

add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no dst-address-type=!local dst-port=80 in-interface=Proxy \
    new-connection-mark=pr_eth01-wan1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/0 protocol=tcp

add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no dst-address-type=!local dst-port=80 in-interface=Proxy \
    new-connection-mark=pr_eth02-wan2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1 protocol=tcp

add action=mark-connection chain=prerouting comment="" connection-state=established \
    disabled=no dst-address-type=!local dst-port=80 in-interface=Proxy \
    new-connection-mark=pr_eth03-wan3 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/2 protocol=tcp

add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no dst-address-type=!local dst-port=80 in-interface=Proxy \
    new-connection-mark=pr_eth01-wan1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/0 protocol=tcp

add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no dst-address-type=!local dst-port=80 in-interface=Proxy \
    new-connection-mark=pr_eth02-wan2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1 protocol=tcp

add action=mark-connection chain=prerouting comment="" connection-state=related \
    disabled=no dst-address-type=!local dst-port=80 in-interface=Proxy \
    new-connection-mark=pr_eth03-wan3 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/2 protocol=tcp





11. Don't forget to mark the packets; the marks are what the queue tree will use later to apply limits


add action=mark-packet chain=forward comment="-ImeR- PCC RULE ---- MARK HTTP" \
    connection-mark=pr_eth01-wan1 disabled=no new-packet-mark=http_pppoe1_pkt passthrough=no

add action=mark-packet chain=forward comment="" connection-mark=pr_eth02-wan2 disabled=no \
    new-packet-mark=http_pppoe2_pkt passthrough=no

add action=mark-packet chain=forward comment="" connection-mark=pr_eth03-wan3 disabled=no \
    new-packet-mark=http_pppoe3_pkt passthrough=no


12. After that, direct the routing marks

add action=mark-routing chain=prerouting comment="-ImeR- PCC RULE ---- MARK ROUTE" \
    connection-mark=pr_eth01-wan1 disabled=no new-routing-mark=eth01-wan1 passthrough=yes

add action=mark-routing chain=prerouting comment="" connection-mark=pr_eth02-wan2 \
    disabled=no new-routing-mark=eth02-wan2 passthrough=yes

add action=mark-routing chain=prerouting comment="" connection-mark=pr_eth03-wan3 \
    disabled=no new-routing-mark=eth03-wan3 passthrough=yes




Done. All HTTP traffic from the proxy interface will be divided evenly, in and out, across the pppoe
interfaces. From here, just mark connections from the local interface to limit their download and upload.
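
A model of how the per-connection-classifier rules in step 10 assign connections to the three marks, added here as an example and not part of the original tutorial. PCC hashes the selected header fields to a 32-bit value and matches a rule when that value modulo the denominator equals the rule's remainder; zlib.crc32 and the sample destination addresses are assumptions standing in for RouterOS's own hash and real traffic. It also shows why the classifier has to include ports or destinations here: every connection comes from the single proxy address, so src-address alone would put all of them on one line.

```python
import zlib
from collections import Counter

# Connection marks from step 10, indexed by PCC remainder (3/0, 3/1, 3/2).
MARKS = ["pr_eth01-wan1", "pr_eth02-wan2", "pr_eth03-wan3"]
PROXY_IP = "192.168.10.2"  # the squid box, from the TRANSPARENT PROXY rule


def pcc_mark(conn, classifier="both-addresses-and-ports", denominator=3):
    """Pick the mark for conn = (src_ip, src_port, dst_ip, dst_port).

    zlib.crc32 is a stand-in 32-bit hash, not RouterOS's own function.
    """
    src_ip, src_port, dst_ip, dst_port = conn
    fields = {
        "src-address": (src_ip,),
        "both-addresses": (src_ip, dst_ip),
        "both-addresses-and-ports": (src_ip, src_port, dst_ip, dst_port),
    }[classifier]
    digest = zlib.crc32("|".join(map(str, fields)).encode())
    return MARKS[digest % denominator]


def sample_connections(n=300):
    """Constructed traffic: squid fetching from 20 web servers on port 80."""
    return [(PROXY_IP, 20000 + i, f"203.0.113.{i % 20 + 1}", 80)
            for i in range(n)]


def spread(classifier, conns):
    """Count how many connections each WAN mark receives."""
    return Counter(pcc_mark(c, classifier) for c in conns)


if __name__ == "__main__":
    conns = sample_connections()
    for name in ("src-address", "both-addresses", "both-addresses-and-ports"):
        print(name, dict(spread(name, conns)))
```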


The final result looks roughly like this: